Sponsored by..

Tuesday, 18 September 2012

IRS spam / xlzones.com

More IRS themed spam, this time leading to malware on xlzones.com:

From: Internal Revenue Service [mailto:papillaq9@wonderware.com]
Sent: 18 September 2012 15:22
Subject: Your IRS federal tax payment has not been accepted
Importance: High


Your Federal Tax transaction (ID: 1550573369185), recently sent from your bank account was returned by The Electronic Federal Tax Payment System.
Not Accepted Tax transfer
Tax Transaction ID:     1550573369185
Reason ID    See details in the report below
Income Tax Transaction Report    tax_report_1550573369185.doc (Microsoft Word Document)

Internal Revenue Service P.O. Box 996 Davis 99627 NY 

The malicious payload can be found at [donotclick]xlzones.com/detects/char-storing-hate.php and [donotclick]xlzones.com/maintain/java.jar (report here) hosted on the familiar IP address of 203.91.113.6 (G Mobile, Mongolia). Block this IP if you can.. also beware of these other malicious domains on the same server:
centennialfield.net
blue-lotusgrove.net
virtual-geocaching.net
afgreenwich.net
cedarbuiltok.net
thebummwrap.net
bode-sales.net
cat-mails.net
xlzones.com

"Photos" spam / diareuomop.ru

This spam leads to malware ondiareuomop.ru:

From: Carleen Garrett
Sent: Tuesday, September 18, 2012 3:17:33 PM
Subject: Photos

Hi,
as promised your photos - http://flyershot.com/gallery.htm
The payload is at [donotclick]diareuomop.ru:8080/forum/links/column.php hosted on the following IPs:
50.56.92.47
203.80.16.81
46.51.218.71

These IPs are a subset of the ones found here. Block 'em if you can.


Monday, 17 September 2012

Intuit.com spam / kerneloffce.ru

This fake Intuit.com spam attempts to load malware from kerneloffce.ru:


Date:      Mon, 17 Sep 2012 08:54:50 -0600
From:      "Mason Jordan" [LillieRoell@digitalnubia.com]
Subject:      Your Intuit.com software order.
Attachments:     Intuit_Order_A49436.htm

Dear customer: Thank you for ordering from Intuit Market. We are processing and will message you when your order ships. If you ordered multiple items, we may sned them in more than one delivery (at no extra cost to you) to ensure quicker delivery. If you have questions about your order please call 1-900-130-1601 ($4.79/min).
ORDER INFORMATION

Please download your complete order id #1197744 from the attachment.(Open with Internet Explorer)
�2012 Intuit, Inc. All rights reserved. Intuit, the Intuit Logo, Quickbooks, Quicken and TurboTax, among others, are registered trademarks of Intuit Inc.


The malicious payload is at kerneloffce.ru:8080/forum/links/column.php which was hosted on 46.51.218.71 (Amazon, Ireland) until it got nuked. The following domains and IP addresses are all related:

moskowpulkavo.ru
omahabeachs.ru
kerneloffce.ru
46.51.218.71
50.56.92.47
62.76.188.246
62.76.190.50
87.120.41.155
91.194.122.8
132.248.49.112
178.63.51.54
203.80.16.81

IRS Spam / virtual-geocaching.net

This spam leads to malware on virtual-geocaching.net:

Date:      Mon, 17 Sep 2012 11:28:14 -0600
From:      Internal Revenue Service [tangierss4@porterorlin.com]
Subject:      IRS report of not approved tax transfer

Your State Tax transfer (ID: 30062091798009), recently sent from your checking account was returned by Internal Revenue Service payment processing unit.

Not Accepted Tax transaction
Tax Transaction ID:     30062091798009
Reason of rejection     See details in the report below
Federal Tax Transaction Report     tax_report_30062091798009.doc (Microsoft Word Document)

Internal Revenue Service 3192 Aliquam Rd. Davis 71320 VA 
The malicious payload is at [donotclick]virtual-geocaching.net/main.php?page=7de3f5c4200c896e (report here) on 203.91.113.6 (G Mobile, Mongolia) as used in this recent attack and several others.

IRS spam / thebummwrap.net

This fake IRS spam leads to malware on thebummwrap.net:

From: Internal Revenue Service [mailto:fascinatesh07@deltamar.net]
Sent: 17 September 2012 15:30
Subject: Your federal tax transaction has been not accepted


Your State Tax transaction (ID: 60498447771657), recently initiated from your bank account was canceled by The Electronic Federal Tax Payment System.
Not Accepted Tax transaction
Tax Transaction ID:     60498447771657
Rejection code    See details in the report below
Income Tax Transaction Report    tax_report_60498447771657.doc (Microsoft Word Document)

Internal Revenue Service Ap #822-9450 Cum Avenue Edmond 33020 MI


The malicious payload is at [donotclick]thebummwrap.net/main.php?page=7de3f5c4200c896e hosted on 203.91.113.6 (G Mobile Mongolia) which has been used several times recently for evil purposes.

At the moment, the following sites seem to be active on the server, all can be assumed to be malicious.

thebummwrap.net
centennialfield.net
blue-lotusgrove.net
afgreenwich.net
bode-sales.net
cat-mails.net
nitor-solutions.net

Spam with numbers and "hi" in it..

There seems to be a lot of this about today..

Date:      Mon, 17 Sep 2012 08:39:16 -0300
Subject:      Re: 89898877282500

Hi
The numbers vary in each email, from single digits to quite long sequences. The body text is always "Hi", nothing appears to be hidden or malicious in any way. One characteristic is that the recipient is not usually the one in the "To" field as the spam is using the BCC field to suppress recipients.


The emails are not harmful, but obviously there is something going on. One possibility is that this is a probing attack, where an outside source is attempting to enumerate live mailboxes or collate server responses for further use. A short email like this will get passed through many spam filters, so (for example) it could be that the attacker is looking for SMTP responses that indicate a real mailbox to spam again later rather than a dead one.





If you have any other ideas, then please share them in the Comments :)

Thursday, 13 September 2012

ADP spam / 46.249.37.122

This fake ADP spam tries to load malware from 46.249.37.122:

From: ADP_Online_Invoice_DoNotReply@adp.com ADP_Online_Invoice_DoNotReply@adp.com
Date: 13 September 2012 14:29
Subject: ADP Invoice Reminder

Your latest ADP Dealer Services Invoice is now available to view or pay online at ADP Online Invoice Management .

To protect the security of your data, you will need to enter your ID and password, then click on Access your Online Invoice Management account.

Total amount due by September 13, 2012

$17202.04

If you have already sent your payment please disregard this friendly reminder and Thank you for choosing ADP.

Questions about your bill?

Contact David Nieto by Secure Mail.

Note: This is an automated email. Please do not reply. 

After clicking the link bouncing through a couple of redirectors, the victim ends up at [donotclick]46.249.37.122/links/systems-links_warns.php which appears to be generating a 404 error (although it could be fake). This could be a legitimate but hacked server as it is also the IP address for a proxy service called dutchprox.com. In any case, you might decide you want to block the IP just in case.

Tuesday, 11 September 2012

US Airways spam / blue-lotusgrove.net

A couple of samples of a fake US Airways spam email leading to malware on blue-lotusgrove.net:


Date:      Tue, 11 Sep 2012 15:32:42 -0300
From:      "US Airways - Reservations" [reservations@myusairways.com]
Subject:      Please confirm your US Airways online registration.
   
You can check in from 24 hours and up to 60 minutes before your flight (2 hours if you're flying internationally). Then, all you need to do is print your boarding pass and proceed to the gate.

Confirmation code: 592499

Check-in online: Online reservation details

Flight

6840    
Departure city and time

Washington, DC (DCA) 10:00PM

Depart date: 9/12/2012    

We are committed to protecting your privacy. Your information is kept private and confidential. For information about our privacy policy visit usairways.com.

US Airways, 111 W. Rio Salado Pkwy, Tempe, AZ 85281 , Copyright US Airways , All rights reserved.

==========


Date:      Tue, 11 Sep 2012 23:29:14 +0700
From:      "US Airways - Reservations" [intuitpayroll@e.payroll.intuit.com]
Subject:      US Airways online check-in.

you {l2} check in from 24 hours and up to 60 minutes before your flight (2 hours if you're flying {l3}). {l4}, all you {l5} to do is print your boarding pass and {l6} to the gate.

confirmation code: {digit}

check-in online: online reservation details

flight

{digit}    
departure city and time

washington, dc (dca) 10:00pm

depart date: 9/12/2012    


we are committed to protecting your privacy. your information is kept private and confidential. for information about our privacy policy visit usairways.com.

us airways, 111 w. rio salado pkwy, tempe, az 85281 , copyright us airways , all rights reserved.

The malicious payload is at [donotclick]blue-lotusgrove.net/main.php?page=559e008e5ed98bf7 (report here) hosted on 203.91.113.6 (G Mobile, Mongolia), the same IP used in this attack. The following domains are on the same server, they can all be considered to be malicious:


padded.pl
spiki.pl
fruno.pl
nextbox.pl
omariosca.com
hemiga.com
decorera.com
seneesamj.com
unitmusiceditior.com
likenstendarts.com
flatbuzz.com
morepic.net
dushare.net
blue-lotusgrove.net
nitor-solutions.net
gsigallery.net
atfood.ru
indyware.ru
advia.kz
iowa.kz
autumn.kz
wet.kz

Friday, 7 September 2012

FedEx spam / dushare.net and gsigallery.net

Two fake FedEx campaigns today, with a format similar to the one found here but with different payload sites of dushare.net and gsigallery.net

In the first case, the malicious payload is at [donotclick]dushare.net/main.php?page=c82ec1c8d6998cf0 (report here) hosted on 203.91.113.6 (G Mobile, Mongolia). In the second case the payload is at [donotclick]gsigallery.net/main.php?page=2bfd5695763b6536 (report here) also hosted on 203.91.113.6.

The following domains are on the same server and should also be treated as being suspect.

padded.pl
spiki.pl
fruno.pl
nextbox.pl
omariosca.com
hemiga.com
decorera.com
seneesamj.com
obweesysho.com
unitmusiceditior.com
likenstendarts.com
flatbuzz.com
morepic.net
atfood.ru
indyware.ru
advia.kz
iowa.kz
autumn.kz
wet.kz
dushare.net
gsigallery.net

FedEx spam / studiomonahan.net

This somewhat mangled looking fake FedEx spam leads to malware on studiomonahan.net:


Date:      Thu, 6 Sep 2012 11:00:28 -0600
From:      BillingOnline@fedex.com
Subject:      Your Fedex invoice is ready to be paid now.

       
    FedEx Billing Online - Ready for Payment

        fedex.com        
       

<td wid="th="10"" rowspan="2">

Hello [redacted]
You have a new not paid bill from FedEx that is ready for payment.

The following ivoice(s) are ready for your review :

<table border-top="1px solid #000" solid="" #000"="" border-left="1px solid #ccc" border="-bottom="1px" height="55" width="473">
<td= class="resultstableheader">
Invoice Number
7215-17193


To pay or review these invoices, please sign in to your FedEx Billing Online account by clicking on this link: http://www.fedex.com/us/account/fbo

Note: Please do not use this email to submit payment. This email may not be used as a remittance notice. To pay your invoices, please visit FedEx Billing Online, http://www.fedex.com/us/account/fbo


Thank you,
Revenue Services
FedEx


   


    This message has been sent by an auto responder system. Please do not reply to this message.

The content of this message is protected by copyright and trademark laws under U.S. and international law.
Review our privacy policy. All rights reserved.

Subjects spotted so far include:

Pay your Fedex invoice online.
Your Fedex invoice is ready to be paid now.
Please pay your outstanding Fedex invoice.
Your Fedex invoice is ready.


The malicious payload is found at [donotclick]studiomonahan.net/main.php?page=2bfd5695763b6536 (report here) hosted on 206.253.164.43 (Hostigation, US). The server contains the following suspect domains which should also be blocked:

fireinthesgae.pl
joncarterlope.pl
storuofginezi.com
usagetorrenen.com
dinitrolkalor.com
comercicalinz.com
studiomonahan.net
globusbusworld.su
jordanpowelove.su
appropriatenew.su
cdfilmcounderw.su
studiomonahan.net

Wednesday, 5 September 2012

Nokia Lumia 920

This is nice. If you've been waiting a long time for Nokia to come up with something competitive in the smartphone market then the wait might be over, because the Lumia 920 is certainly as good as the best of them.

Perhaps the interesting thing is Windows Phone 8, based on the same core as the desktop version. It holds out the promise of eventual Active Directory integration and easier management for corporates. And it's a lot, lot sexier than a BlackBerry.

[via]

"Records passed to us show you're entitled to a refund.." SMS Spam (again)

These spammers are at it again:
Records passed to us show you're entitled to a refund approximately £2560 in compensation from mis-selling of PPI on your credit card or loan.Reply INFO or stop

The sending number is +447876628983 (although they will change this). Bearing in mind that I have never been mis-sold PPI, I can pretty much disregard this as a scam. Except, rather more seriously the implication is that the spammers are prepared to submit a fraudulent refund claim on your behalf, which is something rather more serious.

If you get one of these, you should forward the spam and the sender's number to your carrier. In the came of T-Mobile, O2 and Orange the number to report to is 7726 ("SPAM"). Vodafone customers should use 87726 ("VSPAM") and Three customers should use 37726 ("3SPAM"). Hopefully the carriers will act if there are enough complaints.

Fake HMRC spam leads to multi-phish

Here's something I haven't seen before.. it starts with an email:

From: HM Revenue & Customs [mailto:refund.request@hmrc.gov.uk]
Sent: 05 September 2012 14:27
Subject: Tax Refund Alert - Action Required



How to complain, ask for a review or make an appeal
Review process update
Review process - the first 12 months. Find out more
Claim Your Tax Refund Online
We identified an error in the calculation of your tax from the last payment, amounting to £ 859.00. In order for us to return the excess payment, we need to confirm a few extra details after which the funds will be credited to your specified bank account. Please click "Refund Me Now" below to claim your refund:
Refund Me Now
We are here to ensure the correct tax is paid at the right time, whether this relates to payment of taxes received by the department or entitlement to benefits paid.
Best Regards,
HM Revenue & Customs Refund Department
•    See also
•    Appeal and review news
•    Working and paying tax
•    Pensioners
•    Find a form
•    Complaints factsheet C/FS (PDF 67K)
•    Feedback

HM Revenue and Customs are the UK tax collecting agency, so this is basically a tax refund. The link goes to a somewhat authentic looking page.

The phishing site in this case is in Korea (durideco.co.kr in this case). The interesting part is the drop-down menu in the middle that the victim is meant to use to select their bank. There are 17 different UK banks to choose from. Each one leads to an individual phishing page for each bank, for example:


or


I won't bother pasting all the pictures here, but some of the pages are very good and a few don't work at all (e.g. Northern Rock, which doesn't really exist any more).

This is quite a clever approach. Normally a phishing email is a "one bank per phish" affair.. it's no use sending someone a Barclays phish if they're with HSBC. In this case pretty much all the major UK banks are covered in one email which is really quite sneaky..

Something evil on 195.225.55.130

These domains are pushing some sort of malware or other (possibly fake antivirus). It's hard to tell exactly what nastiness is here, but given that these are all recently registered domains with fake WHOIS details then it's certainly not going to be anything good.

Whatever it is, it seems to be promoted via spam and requires the correct User Agents and Referrer data to trigger. Sites are hosted on 195.225.55.130 (Dako Systems, Netherlands)

spokanesimplified.org
safetygold.org
businsideessfolowinggate.org
reservetri.org
cardreform.org
swapopen.org
businessfolowingdoor.org
smokersinsurancelinesguns.org
smokerslifeonlinesguns.org
smokerslifeoverlinesguns.org
livesstorytiderss.org
wiredesert.org
mylittallbeizz.org
gunslinzmouses.info
criticstocks.info
largusliananumbers.info
livesstorytiders.info
mailhostsboot.info

Tuesday, 4 September 2012

LinkedIn spam / 108.178.59.26 and myasuslaptop.com

This fake LinkedIn spam leads to malware on 108.178.59.26 and myasuslaptop.com:

Date:      Tue, 04 Sep 2012 10:43:03 +0100
From:      "noreply" [noreply@linkedin.com]
Subject:      Link LinkedIn Mail

LinkedIn
REMINDERS

Invitation reminders:
• From Charlie Alexander (Mexico Key Account Director at Quanta)


PENDING MESSAGES

• There are a total of 5 messages awaiting your response. Visit your InBox now.

Don't want to receive email notifications? Adjust your message settings.

LinkedIn values your privacy. At no time has LinkedIn made your email address available to any other LinkedIn user without your permission. © 2012, LinkedIn Corporation.


The malicious payload (report here) is at [donotclick]108.178.59.26/bv6rcs3v1ithi.php?w=6de4412e62fd13be (Singlehop, US) in a block 108.178.59.0/26 suballocated to a person in Italy.  A further malicious download is attempted from [donotclick]myasuslaptop.com/updateflashplayer.exe which appears to be a legitimate (but hacked site).

My personal preference with any emails purporting to be from LinkedIn is to block them at the perimeter. As far as most businesses are concerned it is simply a playground for recruiters trying to poach your staff..

Tuesday, 28 August 2012

"QuickBooks Security Update" spam / roadmateremove.org

This fake Intuit spam leads to malware on roadmateremove.org:


Date:      Tue, 28 Aug 2012 11:04:30 -0400
From:      "Intuit Payroll Services" [intuitpayroll@e.payroll.intuit.com]
Subject:      QuickBooks Security Update

You will not be able to access your Intuit QuickBooks without updated Intuit Security Tool (IST™) after 31th of August, 2012.

You can update Intuit Security Tool here.

After a successful download please run the setup for an automatic installation, then login to Intuit Quickbooks online to check that it is working properly.

This email was sent from an auto-notification system that can't accept incoming email. Please don't reply to this message.

You have received this business communication as part of our efforts to fulfill your request or service your account.
You may receive this and other business communications from us even if you have opted out of marketing messages.

Terms, conditions, pricing, features, and service options are subject to change. View our complete Terms of Service.


The malicious payload is at [donotclick]roadmateremove.org/main.php?page=9bb4aab85fa703f5 (report here) hosted on 89.248.231.122 (Mastak Telecom / JSC Quickline, Russia) along with these other malicious sites:

roadmateremove.org
restoreairpowered.net
allhugedeals.net
classic-poems.net

You can pretty safely assume that 89.248.231.122 is a bad server and should be blocked.

Monday, 27 August 2012

"Federal Tax Payment" spam / videomanipulationccflbacklit.pro

This spam attempts to load malware from videomanipulationccflbacklit.pro although at the moment the domain is not resolving:

Date:      Mon, 27 Aug 2012 18:15:37 +0300
From:      "Internal Revenue Service" [irs@service.govdelivery.com]
Subject:      Federal Tax transaction canceled

Your Tax transaction (ID: 849395748011), recently sent from your checking account was canceled by the your financial institution.

Rejected Tax transfer
Tax Transaction ID:     849395748011
Return Reason     See details in the report below
FederalTax Transaction Report     tax_report_849395748011.doc (Microsoft Word Document)


Internal Revenue Service, Metro Plex 1, 8401 Corporate Drive, Suite 300, Landover, MD 20785

==========

Date:      Mon, 27 Aug 2012 16:41:45 +0200
From:      "Internal Revenue Service" [irs@service.govdelivery.com]
Subject:      Rejected Federal Tax payment

Your Tax transaction (ID: 13394702616857), recently initiated from your bank account was returned by the your Bank.

Rejected Tax transfer
Tax Transaction ID:     13394702616857
Reason for rejection     See details in the report below
Tax Transaction Report     tax_report_13394702616857.doc (Microsoft Word Document)


Internal Revenue Service, Metro Plex 1, 8401 Corporate Drive, Suite 300, Landover, MD 20785

==========


Date:      Mon, 27 Aug 2012 16:41:35 +0200
From:      "Internal Revenue Service" [support@govdelivery.com]
Subject:      Federal Tax payment canceled

Your Tax transaction (ID: 7227784606474), recently initiated from your bank account was returned by the The Electronic Federal Tax Payment System.

Rejected Tax transfer
Tax Transaction ID:     7227784606474
Reason for rejection     See details in the report below
FederalTax Transaction Report     tax_report_7227784606474.doc (Microsoft Word Document)


Internal Revenue Service, Metro Plex 1, 8401 Corporate Drive, Suite 300, Landover, MD 20785

I've seen a few .pro domains in spam recently, but they seem to get shut down quite quickly. I thought this TLD was meant to have more careful vetting?

Malware sites to block 27/8/12

A small bunch of IPs and domains spotted in recent malicious spam campaigns that you might want to block..

24.171.200.91
50.116.38.138
89.248.231.122
109.164.221.176
173.234.9.17
184.107.119.39
199.167.138.113
200.29.107.84
allbooksbest.com
allhugedeals.net
basicsmarkeddown.pro
bikeslam.net
classic-poems.net
markelink.net
market-panel.net

Friday, 17 August 2012

UPS "End of Aug. Stat. Required" Spam / panalki.ru

This fake UPS spam leads to malware on panalki.ru:

Date:      Fri, 17 Aug 2012 06:50:08 -0400
From:      "Global Express" [ups-services@ups.com]
Subject:      Re: FW: End of Aug. Stat. Required
Attachments:     Invoices-26-2012.htm

Hallo,

as reqeusted I give you inovices issued to you per july.

Regards

The malicious payload is at [donotclick]panalki.ru:8080/forum/showthread.php?page=5fa58bce769e5c2c (report here) hosted on a bunch of familiar looking IP addresses which should be blocked if you can.

50.56.92.47 (Slicehost, US)
190.120.228.92 (Infolink, Panama)
203.80.16.81 (Myren, Malaysia)


Thursday, 16 August 2012

"Scan from a Hewlett-Packard ScanJet" spam / anapoli.ru

More fake printer spam, this time leading to malware on anapoli.ru:


Date:      Thu, 16 Aug 2012 12:20:25 +0500
From:      Mariah Gunn via LinkedIn [member@linkedin.com]
Subject:      Fwd: Scan from a Hewlett-Packard ScanJet #88682504
Attachments:     HP_scanDoc.htm

Attached document was scanned and sent



to you using a Hewlett-Packard HP 90027P.

SENT BY : SAVANNAH
PAGES : 1
FILETYPE: .HTML [Internet Explorer File]
The malicious payload is on [donotclick]anapoli.ru:8080/forum/showthread.php?page=5fa58bce769e5c2c (report here) hosted on a bunch of familiar looking IP addresses:
50.56.92.47 (Slicehost, US)
190.120.228.92 (Infolink, Panama)
203.80.16.81 (Myren, Malaysia)