Sponsored by..

Saturday, 22 September 2012

LinkedIn spam / 69.194.201.21

This fake LinkedIn spam leads to malware on 69.194.201.21:

Date:      Sat, 22 Sep 2012 15:16:47 -0500
From:      "Reminder" [CC8504C0E@updownstudio.com]
Subject:      LinkedIn: New messages awaiting your response

LinkedIn
REMINDERS

Invitation reminders:
From Emilio Byrd (Insurance Manager at Wolseley)


PENDING MESSAGES

There are a total of 88 message(-s) awaiting your response. Go to InBox now.

This message was sent to [redacted]. This is an occasional email to help you get the most out of LinkedIn.

Adjust your message settings.

LinkedIn values your privacy. At no time has LinkedIn made your email address available to any other LinkedIn user without your permission.

2012, LinkedIn Corporation.

The malicious payload is at [donotclick]69.194.201.21/links/deep_recover-result.php (Solar VPS, US) which appears to be a Blackhole 2 exploit kit. Blocking this IP address would be prudent.

Thursday, 20 September 2012

Amazon.com spam / webgrafismo.net and 203.91.113.6


This fake Amazon.com spam leads to malware on webgrafismo.net:


Date:      Fri, 21 Sep 2012 03:44:47 +0800
From:      "Adolfo Bruno" [debitst54@uky.edu]
Subject:      Your HD TV Delivered Yesterday

  
Your Orders | Your Account | Amazon.com
Shipping Confirmation
Order #002-9587043-55406590

Greetings [redacted],

Thank you for shopping with us. Wethought you'd like to know that amazon shipped your item, and that this completes your order.. If you need to return an item from this shipment or manage other orders, please visit Your Orders on Amazon.com.
Your estimated shipment delivery date is:

Friday, September 21, 2012

Why tracking information may be unavailable?
    Your order was sent to:

[redacted]
572 9th Ave, App. 2D
S Paolo, TX
United States

This shipment does not have an associated delivery tracking No..

Conveyance Data
  

Sharp XVT3D32, SV 46-Inch 1080p 1000 Hz Cinema 3D LED-LCD HDTV with 3D Blu-ray Player and Two Pairs of 3D Glasses
Sold by secondipity
Condition: used - acceptable
    $740.43
Item Subtotal:     $740.43
Shipping & Handling:     $22.40
Total Before Tax:     $740.43
Shipment Total:     $740.43
Paid by Maestro:     $740.43

Returns are easy. Visit our ON-line Return Center.
If you need urgent assistance with your order, please visit Merchant Contact Form.

We hope to see you again soon!
Amazon.com

Unless otherwise noted, items are sold by Amazon LLC. Learn more about tax and seller information.

This email was sent from a notification-only address that cannot accept incoming email. Please don't reply to this message.

==========

Date:      Thu, 20 Sep 2012 20:51:04 +0100
From:      "Ned@mc2school.org" [Ned@ataonline.com.tr]
Subject:      Re: HDTV Shipped Yesterday

Your Orders | Your Account | Amazon.com                                          
Order Processing Confirmation                                          
Order #002-1662198-01565354                                                                      
Greetings [redacted],

Thank you for shopping with us. Wethought you'd like to know that amazon shipped your item, and that this completes your order.. If you need to return an item from this shipment or manage other orders, please visit Your Orders on Amazon.com.
Your estimated  shipment date is:

Friday, September 21, 2012

Why tracking information may  be not available?
        Your order  was delivered to:

[redacted]
148 S Academy Dr, App. 1D
Albuquerque, KY
United States

This shipment does not have an associated delivery  tracking number.                          

Order                                   

Sony  XVT3D15, SV 42-Inch 1080p 600 Hz Cinema 3D  LCD HDTV  with 3D Blu-ray Player and  Two Pairs of 3D Glasses
Sold by  onner
Condition:  used-new
        $594.65
Item Subtotal: $594.65
Shipping & Handling:   $22.34
Total Before Tax:      $594.65
Shipment Total:        $594.65                                            
Paid by  Discover:     $594.65                                                          
Returns are easy. Visit our ON-line Return Center.
If you need  urgent assistance with your order, please visit Merchant Contact Form.

We hope to see you again soon!
Amazon.com

Unless otherwise noted, items are sold by Amazon LLC. Learn more about tax and shop information.

This email was sent from a notification-only address that cannot accept incoming email. Please don't reply to this message.                     
                                                                                         
The malicious payload is at [donotclick]webgrafismo.net/detects/rates-event_convinced-sent.php hosted on a known bad IP address of 203.91.113.6 (G Mobile, Mongolia). The exploit kit is probably Blackhole 2 given it's characteristics.



If you can block this IP address then I strong advise it. Other malicious sites on the same IP include.

penel-opessong.com
sncahmn.com
xlzones.com
virtual-geocaching.net
afgreenwich.net
cedarbuiltok.net
sowendo.net
thebummwrap.net
allmn-leicncester.net
bode-sales.net
webgrafismo.net

Federal Tax Payment Spam / soisokdomen.ru

This fake tax payment spam leads to malware on soisokdomen.ru:

Date:      Thu, 20 Sep 2012 09:10:47 -0300
From:      Badoo [noreply@badoo.com]
Subject:      Re: Fwd: Tax Payment COM1684-645 is failed.

Hello,



Your Federal Tax Payment has been rejected.

Please, check the information and refer to Code I 94 to get details about

your company payment:



http://www.eftps.gov/section794/P9367027



JACINTA Stout,

The Electronic Federal Tax Payment System
The malicious payload (probably Blackhole 2) is at [donotclick]soisokdomen.ru:8080/forum/links/column.php hosted on the following familiar looking IP addresses:

213.135.42.98
50.56.92.47
203.80.16.81


Blocking these would be prudent.



ADP Spam / 69.194.192.203

This fake ADP spam email leads to malware on 69.194.192.203:


Date:      Thu, 20 Sep 2012 14:25:24 +0300
From:      "ADPClientServices" [ABD331056@losblancoba.com.ar]
Subject:      ADP Urgent Notification - Debit Draft

Your Transaction Report(s) have been uploaded to the web site:



https://www.flexdirect.adp.com/client/login.aspx



Please note that your bank account will be debited within one banking business day for the amount(s) shown on the report(s).



Please do not respond or reply to this automated e-mail. If you have any questions or comments, please Contact your ADP Benefits Specialist.



Thank You,

ADP Benefit Services

The malicious payload is at [donotclick]69.194.192.203/links/deep_recover-result.php (probably Blackhole 2.0) hosted by Solar VPS in the US. This IP has been used for malware before recently, blocking it would be prudent.


Tuesday, 18 September 2012

UPS Spam / denegnashete.ru

This fake UPS spam (or is it USPS.. or LinkedIn?) leads to malware on denegnashete.ru:


Date:      Tue, 18 Sep 2012 08:01:39 +0100
From:      LinkedIn Connections [connections@linkedin.com]
Subject:      UPS: Your Package H7022585958
Attachments:     UPS_ID7683348.htm


You can use UPS Services to:

Ship Online
Schedule a Pickup
Open a UPS Team Account
      

Welcome to UPS CUSTOMER SERVICES

OI, [redacted].

Dear Customer , We were not able to delivery the postal package

Please print out the invoice copy attached and collect the package at our department.

Best Regards , UPS .com Customer Services.
  
      

Copyright 2011 United Parcel Service of America, Inc. USPS Services, the Your usps Customer Services brandmark, and the color brown are trademarks of United Parcel Service of America, Inc. All rights reserved.

Please do not reply directly to this e-mail. Your USPS .us Customer Services will not receive any reply message. For questions or comments, visit Contact UPS.

We understand the importance of privacy to our customers. For more information, please consult the USPS Team Privacy Policy.

This communication contains proprietary information and may be confidential. If you are not the intended recipient, the reading, copying, disclosure or other use of the contents of this e-mail is strictly prohibited and you are instructed to please delete this e-mail immediately.

The malware can be found at [donotclick]denegnashete.ru:8080/forum/links/column.php which is the same as found on this attack..   


"Scan from a Hewlett-Packard ScanJet" spam / denegnashete.ru

This fake printer spam.. or Craigslist spam.. leads to malware on denegnashete.ru:

From: craigslist - automated message, do not reply [mailto:robot@craigslist.org]
Sent: 18 September 2012 11:44
Subject: Re: Fwd: Scan from a Hewlett-Packard ScanJet #97273

A document was scanned and sent to you using a Hewlett-Packard HP18412598P


Sent to you by: SIDNEY
Pages : 7
Filetype(s): Images (.jpeg) View

Location: not set.
Device: P91162592KLLD

The malicious payload is at [donotclick]denegnashete.ru:8080/forum/links/column.php (report here) hosted on the same IPs as found here.

IRS spam / xlzones.com

More IRS themed spam, this time leading to malware on xlzones.com:

From: Internal Revenue Service [mailto:papillaq9@wonderware.com]
Sent: 18 September 2012 15:22
Subject: Your IRS federal tax payment has not been accepted
Importance: High


Your Federal Tax transaction (ID: 1550573369185), recently sent from your bank account was returned by The Electronic Federal Tax Payment System.
Not Accepted Tax transfer
Tax Transaction ID:     1550573369185
Reason ID    See details in the report below
Income Tax Transaction Report    tax_report_1550573369185.doc (Microsoft Word Document)

Internal Revenue Service P.O. Box 996 Davis 99627 NY 

The malicious payload can be found at [donotclick]xlzones.com/detects/char-storing-hate.php and [donotclick]xlzones.com/maintain/java.jar (report here) hosted on the familiar IP address of 203.91.113.6 (G Mobile, Mongolia). Block this IP if you can.. also beware of these other malicious domains on the same server:
centennialfield.net
blue-lotusgrove.net
virtual-geocaching.net
afgreenwich.net
cedarbuiltok.net
thebummwrap.net
bode-sales.net
cat-mails.net
xlzones.com

"Photos" spam / diareuomop.ru

This spam leads to malware ondiareuomop.ru:

From: Carleen Garrett
Sent: Tuesday, September 18, 2012 3:17:33 PM
Subject: Photos

Hi,
as promised your photos - http://flyershot.com/gallery.htm
The payload is at [donotclick]diareuomop.ru:8080/forum/links/column.php hosted on the following IPs:
50.56.92.47
203.80.16.81
46.51.218.71

These IPs are a subset of the ones found here. Block 'em if you can.


Monday, 17 September 2012

Intuit.com spam / kerneloffce.ru

This fake Intuit.com spam attempts to load malware from kerneloffce.ru:


Date:      Mon, 17 Sep 2012 08:54:50 -0600
From:      "Mason Jordan" [LillieRoell@digitalnubia.com]
Subject:      Your Intuit.com software order.
Attachments:     Intuit_Order_A49436.htm

Dear customer: Thank you for ordering from Intuit Market. We are processing and will message you when your order ships. If you ordered multiple items, we may sned them in more than one delivery (at no extra cost to you) to ensure quicker delivery. If you have questions about your order please call 1-900-130-1601 ($4.79/min).
ORDER INFORMATION

Please download your complete order id #1197744 from the attachment.(Open with Internet Explorer)
�2012 Intuit, Inc. All rights reserved. Intuit, the Intuit Logo, Quickbooks, Quicken and TurboTax, among others, are registered trademarks of Intuit Inc.


The malicious payload is at kerneloffce.ru:8080/forum/links/column.php which was hosted on 46.51.218.71 (Amazon, Ireland) until it got nuked. The following domains and IP addresses are all related:

moskowpulkavo.ru
omahabeachs.ru
kerneloffce.ru
46.51.218.71
50.56.92.47
62.76.188.246
62.76.190.50
87.120.41.155
91.194.122.8
132.248.49.112
178.63.51.54
203.80.16.81

IRS Spam / virtual-geocaching.net

This spam leads to malware on virtual-geocaching.net:

Date:      Mon, 17 Sep 2012 11:28:14 -0600
From:      Internal Revenue Service [tangierss4@porterorlin.com]
Subject:      IRS report of not approved tax transfer

Your State Tax transfer (ID: 30062091798009), recently sent from your checking account was returned by Internal Revenue Service payment processing unit.

Not Accepted Tax transaction
Tax Transaction ID:     30062091798009
Reason of rejection     See details in the report below
Federal Tax Transaction Report     tax_report_30062091798009.doc (Microsoft Word Document)

Internal Revenue Service 3192 Aliquam Rd. Davis 71320 VA 
The malicious payload is at [donotclick]virtual-geocaching.net/main.php?page=7de3f5c4200c896e (report here) on 203.91.113.6 (G Mobile, Mongolia) as used in this recent attack and several others.

IRS spam / thebummwrap.net

This fake IRS spam leads to malware on thebummwrap.net:

From: Internal Revenue Service [mailto:fascinatesh07@deltamar.net]
Sent: 17 September 2012 15:30
Subject: Your federal tax transaction has been not accepted


Your State Tax transaction (ID: 60498447771657), recently initiated from your bank account was canceled by The Electronic Federal Tax Payment System.
Not Accepted Tax transaction
Tax Transaction ID:     60498447771657
Rejection code    See details in the report below
Income Tax Transaction Report    tax_report_60498447771657.doc (Microsoft Word Document)

Internal Revenue Service Ap #822-9450 Cum Avenue Edmond 33020 MI


The malicious payload is at [donotclick]thebummwrap.net/main.php?page=7de3f5c4200c896e hosted on 203.91.113.6 (G Mobile Mongolia) which has been used several times recently for evil purposes.

At the moment, the following sites seem to be active on the server, all can be assumed to be malicious.

thebummwrap.net
centennialfield.net
blue-lotusgrove.net
afgreenwich.net
bode-sales.net
cat-mails.net
nitor-solutions.net

Spam with numbers and "hi" in it..

There seems to be a lot of this about today..

Date:      Mon, 17 Sep 2012 08:39:16 -0300
Subject:      Re: 89898877282500

Hi
The numbers vary in each email, from single digits to quite long sequences. The body text is always "Hi", nothing appears to be hidden or malicious in any way. One characteristic is that the recipient is not usually the one in the "To" field as the spam is using the BCC field to suppress recipients.


The emails are not harmful, but obviously there is something going on. One possibility is that this is a probing attack, where an outside source is attempting to enumerate live mailboxes or collate server responses for further use. A short email like this will get passed through many spam filters, so (for example) it could be that the attacker is looking for SMTP responses that indicate a real mailbox to spam again later rather than a dead one.





If you have any other ideas, then please share them in the Comments :)

Thursday, 13 September 2012

ADP spam / 46.249.37.122

This fake ADP spam tries to load malware from 46.249.37.122:

From: ADP_Online_Invoice_DoNotReply@adp.com ADP_Online_Invoice_DoNotReply@adp.com
Date: 13 September 2012 14:29
Subject: ADP Invoice Reminder

Your latest ADP Dealer Services Invoice is now available to view or pay online at ADP Online Invoice Management .

To protect the security of your data, you will need to enter your ID and password, then click on Access your Online Invoice Management account.

Total amount due by September 13, 2012

$17202.04

If you have already sent your payment please disregard this friendly reminder and Thank you for choosing ADP.

Questions about your bill?

Contact David Nieto by Secure Mail.

Note: This is an automated email. Please do not reply. 

After clicking the link bouncing through a couple of redirectors, the victim ends up at [donotclick]46.249.37.122/links/systems-links_warns.php which appears to be generating a 404 error (although it could be fake). This could be a legitimate but hacked server as it is also the IP address for a proxy service called dutchprox.com. In any case, you might decide you want to block the IP just in case.

Tuesday, 11 September 2012

US Airways spam / blue-lotusgrove.net

A couple of samples of a fake US Airways spam email leading to malware on blue-lotusgrove.net:


Date:      Tue, 11 Sep 2012 15:32:42 -0300
From:      "US Airways - Reservations" [reservations@myusairways.com]
Subject:      Please confirm your US Airways online registration.
   
You can check in from 24 hours and up to 60 minutes before your flight (2 hours if you're flying internationally). Then, all you need to do is print your boarding pass and proceed to the gate.

Confirmation code: 592499

Check-in online: Online reservation details

Flight

6840    
Departure city and time

Washington, DC (DCA) 10:00PM

Depart date: 9/12/2012    

We are committed to protecting your privacy. Your information is kept private and confidential. For information about our privacy policy visit usairways.com.

US Airways, 111 W. Rio Salado Pkwy, Tempe, AZ 85281 , Copyright US Airways , All rights reserved.

==========


Date:      Tue, 11 Sep 2012 23:29:14 +0700
From:      "US Airways - Reservations" [intuitpayroll@e.payroll.intuit.com]
Subject:      US Airways online check-in.

you {l2} check in from 24 hours and up to 60 minutes before your flight (2 hours if you're flying {l3}). {l4}, all you {l5} to do is print your boarding pass and {l6} to the gate.

confirmation code: {digit}

check-in online: online reservation details

flight

{digit}    
departure city and time

washington, dc (dca) 10:00pm

depart date: 9/12/2012    


we are committed to protecting your privacy. your information is kept private and confidential. for information about our privacy policy visit usairways.com.

us airways, 111 w. rio salado pkwy, tempe, az 85281 , copyright us airways , all rights reserved.

The malicious payload is at [donotclick]blue-lotusgrove.net/main.php?page=559e008e5ed98bf7 (report here) hosted on 203.91.113.6 (G Mobile, Mongolia), the same IP used in this attack. The following domains are on the same server, they can all be considered to be malicious:


padded.pl
spiki.pl
fruno.pl
nextbox.pl
omariosca.com
hemiga.com
decorera.com
seneesamj.com
unitmusiceditior.com
likenstendarts.com
flatbuzz.com
morepic.net
dushare.net
blue-lotusgrove.net
nitor-solutions.net
gsigallery.net
atfood.ru
indyware.ru
advia.kz
iowa.kz
autumn.kz
wet.kz

Friday, 7 September 2012

FedEx spam / dushare.net and gsigallery.net

Two fake FedEx campaigns today, with a format similar to the one found here but with different payload sites of dushare.net and gsigallery.net

In the first case, the malicious payload is at [donotclick]dushare.net/main.php?page=c82ec1c8d6998cf0 (report here) hosted on 203.91.113.6 (G Mobile, Mongolia). In the second case the payload is at [donotclick]gsigallery.net/main.php?page=2bfd5695763b6536 (report here) also hosted on 203.91.113.6.

The following domains are on the same server and should also be treated as being suspect.

padded.pl
spiki.pl
fruno.pl
nextbox.pl
omariosca.com
hemiga.com
decorera.com
seneesamj.com
obweesysho.com
unitmusiceditior.com
likenstendarts.com
flatbuzz.com
morepic.net
atfood.ru
indyware.ru
advia.kz
iowa.kz
autumn.kz
wet.kz
dushare.net
gsigallery.net

FedEx spam / studiomonahan.net

This somewhat mangled looking fake FedEx spam leads to malware on studiomonahan.net:


Date:      Thu, 6 Sep 2012 11:00:28 -0600
From:      BillingOnline@fedex.com
Subject:      Your Fedex invoice is ready to be paid now.

       
    FedEx Billing Online - Ready for Payment

        fedex.com        
       

<td wid="th="10"" rowspan="2">

Hello [redacted]
You have a new not paid bill from FedEx that is ready for payment.

The following ivoice(s) are ready for your review :

<table border-top="1px solid #000" solid="" #000"="" border-left="1px solid #ccc" border="-bottom="1px" height="55" width="473">
<td= class="resultstableheader">
Invoice Number
7215-17193


To pay or review these invoices, please sign in to your FedEx Billing Online account by clicking on this link: http://www.fedex.com/us/account/fbo

Note: Please do not use this email to submit payment. This email may not be used as a remittance notice. To pay your invoices, please visit FedEx Billing Online, http://www.fedex.com/us/account/fbo


Thank you,
Revenue Services
FedEx


   


    This message has been sent by an auto responder system. Please do not reply to this message.

The content of this message is protected by copyright and trademark laws under U.S. and international law.
Review our privacy policy. All rights reserved.

Subjects spotted so far include:

Pay your Fedex invoice online.
Your Fedex invoice is ready to be paid now.
Please pay your outstanding Fedex invoice.
Your Fedex invoice is ready.


The malicious payload is found at [donotclick]studiomonahan.net/main.php?page=2bfd5695763b6536 (report here) hosted on 206.253.164.43 (Hostigation, US). The server contains the following suspect domains which should also be blocked:

fireinthesgae.pl
joncarterlope.pl
storuofginezi.com
usagetorrenen.com
dinitrolkalor.com
comercicalinz.com
studiomonahan.net
globusbusworld.su
jordanpowelove.su
appropriatenew.su
cdfilmcounderw.su
studiomonahan.net

Wednesday, 5 September 2012

Nokia Lumia 920

This is nice. If you've been waiting a long time for Nokia to come up with something competitive in the smartphone market then the wait might be over, because the Lumia 920 is certainly as good as the best of them.

Perhaps the interesting thing is Windows Phone 8, based on the same core as the desktop version. It holds out the promise of eventual Active Directory integration and easier management for corporates. And it's a lot, lot sexier than a BlackBerry.

[via]

"Records passed to us show you're entitled to a refund.." SMS Spam (again)

These spammers are at it again:
Records passed to us show you're entitled to a refund approximately £2560 in compensation from mis-selling of PPI on your credit card or loan.Reply INFO or stop

The sending number is +447876628983 (although they will change this). Bearing in mind that I have never been mis-sold PPI, I can pretty much disregard this as a scam. Except, rather more seriously the implication is that the spammers are prepared to submit a fraudulent refund claim on your behalf, which is something rather more serious.

If you get one of these, you should forward the spam and the sender's number to your carrier. In the came of T-Mobile, O2 and Orange the number to report to is 7726 ("SPAM"). Vodafone customers should use 87726 ("VSPAM") and Three customers should use 37726 ("3SPAM"). Hopefully the carriers will act if there are enough complaints.

Fake HMRC spam leads to multi-phish

Here's something I haven't seen before.. it starts with an email:

From: HM Revenue & Customs [mailto:refund.request@hmrc.gov.uk]
Sent: 05 September 2012 14:27
Subject: Tax Refund Alert - Action Required



How to complain, ask for a review or make an appeal
Review process update
Review process - the first 12 months. Find out more
Claim Your Tax Refund Online
We identified an error in the calculation of your tax from the last payment, amounting to £ 859.00. In order for us to return the excess payment, we need to confirm a few extra details after which the funds will be credited to your specified bank account. Please click "Refund Me Now" below to claim your refund:
Refund Me Now
We are here to ensure the correct tax is paid at the right time, whether this relates to payment of taxes received by the department or entitlement to benefits paid.
Best Regards,
HM Revenue & Customs Refund Department
•    See also
•    Appeal and review news
•    Working and paying tax
•    Pensioners
•    Find a form
•    Complaints factsheet C/FS (PDF 67K)
•    Feedback

HM Revenue and Customs are the UK tax collecting agency, so this is basically a tax refund. The link goes to a somewhat authentic looking page.

The phishing site in this case is in Korea (durideco.co.kr in this case). The interesting part is the drop-down menu in the middle that the victim is meant to use to select their bank. There are 17 different UK banks to choose from. Each one leads to an individual phishing page for each bank, for example:


or


I won't bother pasting all the pictures here, but some of the pages are very good and a few don't work at all (e.g. Northern Rock, which doesn't really exist any more).

This is quite a clever approach. Normally a phishing email is a "one bank per phish" affair.. it's no use sending someone a Barclays phish if they're with HSBC. In this case pretty much all the major UK banks are covered in one email which is really quite sneaky..

Something evil on 195.225.55.130

These domains are pushing some sort of malware or other (possibly fake antivirus). It's hard to tell exactly what nastiness is here, but given that these are all recently registered domains with fake WHOIS details then it's certainly not going to be anything good.

Whatever it is, it seems to be promoted via spam and requires the correct User Agents and Referrer data to trigger. Sites are hosted on 195.225.55.130 (Dako Systems, Netherlands)

spokanesimplified.org
safetygold.org
businsideessfolowinggate.org
reservetri.org
cardreform.org
swapopen.org
businessfolowingdoor.org
smokersinsurancelinesguns.org
smokerslifeonlinesguns.org
smokerslifeoverlinesguns.org
livesstorytiderss.org
wiredesert.org
mylittallbeizz.org
gunslinzmouses.info
criticstocks.info
largusliananumbers.info
livesstorytiders.info
mailhostsboot.info