Dynamoo's Blog

Tuesday, 25 September 2012

Evil network: 108.178.59.0/26

There's quite a bit of malware coming from a range of Singlehop IPs over the past few days. The range is 108.178.59.0/26 (108.178.59.0 - 108.178.59.63)

So far, I've seen blackhole samples from 108.178.59.20, 108.178.59.11 and 108.178.59.26 which is enough to convince me that the whole /26 is bad an should be blocked.

Singlehop have reallocated the IP range to a customer:

network:Class-Name:network
network:ID:ORG-SINGL-8.108-178-59-0/26
network:Auth-Area:108.178.0.0/18
network:IP-Network:108.178.59.0/26
network:Organization:Lorenzo Coco
network:Street-Address:via Nardi, 8 Prato
network:City:Prato
network:State:Italy
network:Postal-Code:59100
network:Country-Code:IT
network:Tech-Contact;I:NETWO1546-ARIN
network:Admin-Contact;I:NETWO1546-ARIN
network:Abuse-Contact;I:ABUSE2492-ARIN
network:Created:20120430
network:Updated:20120430

It's quite possible that Mr Coco doesn't know that the IP range is being abused in this way, but blocking access to it would be prudent.

Added: You can also add 108.178.59.6 to the list of malicious sites.

BBB Spam / one.1000houses.biz

This fake BBB spam leads to malware at one.1000houses.biz:

Date:     Tue, 25 Sep 2012 11:42:18 +0200
From:     "Better.Business Bureau" [8050910@zread.com]
Subject:     Activity Report

Dear business owner, we have received a complaint about your company possible involvement in check cashing and Money Order Scam.

You are asked to provide response to this complaint within 7 days.

Failure to provide the necessary information will result in downgrading your Better Business Bureau rating and possible cancellation of your BBB accreditation status.

Complaint ID#125368

Council of Better Business Bureaus
3033 Wilson Blvd, Suite 600
Arlington, VA 22201
Phone: 1 (703) 276.0100
Fax: 1 (703) 525.8277

The malicious payload is at [donotclick]one.1000houses.biz/links/deep_recover-result.php hosted on 199.195.116.185 (A2 Hosting, US). The domain 1000houses.biz appears to be a legitimate domain where the GoDaddy account has been hacked to serve malware on subdomains. There seems to be a long-standing issue with GoDaddy domains being used in this way.

Blocking 199.195.116.185 would probably be prudent.

Monday, 24 September 2012

Amazon.com spam / pallada-cruise.net

This fake Amazon spam leads to malware on pallada-cruise.net:

From:    Belinda Gallagher vigilancejy586@williamsguitarcompany.com
To:     [redacted]
Date:    24 September 2012 18:44
Subject:    Your Order Shipped Now

Amazon
Your Orders &nbsp| Your Account | Amazon.com
Order Confirmation
Order #002-3989927-06014360

Greetings [redacted],

Thank you for shopping with us. Wethought you'd like to know that our shop shipped your item, and that this completes your order.. If you need to return an good from this shipment or manage other orders, please visit Your Orders on Amazon.com.
Your estimated delivery date is:

Friday, September 21, 2012

Why tracking information may not be available?
    Your order was shipped to:

[redacted]
006 S Academy St, App. 1D
S Paolo, DC
United States

This shipment have no an associated delivery tracking No..

Shipment Details


LG 42LW5302, SV 46-Inch 720p 120 Hz Cinema 3D LCD HDTV with 3D Blu-ray Player and Four Pairs of 3D Glasses
Sold by onner
Condition: not-used before
    $612.35
Item Subtotal:     $612.35
Shipping & Handling:     $20.43
Total Before Tax:     $612.35
Shipment Total:     $612.35
Paid by MC:     $612.35

Returns are easy. Visit our ON-line Return Center.
If you need further assistance with your order, please visit Merchant Contact Form.

We hope to see you again soon!
Amazon.com

Unless otherwise noted, items are sold by Amazon LLC. Learn more about tax and item provider information.

This email was sent from a notification-only address that cannot accept incoming email. Please don't reply to this message.

The malicious payload (probably a Blackhole 2 exploit kit) is at [donotclick]pallada-cruise.net/detects/plain-keyboard_beginning-monitor.php hosted on 203.91.113.6 (G Mobile, Mongolia), an IP address that has been very active in spreading badness and which you should block if you can.

BBB Spam / 108.178.59.11

This fake BBB spam leads to malware on 108.178.59.11:

Date:     Mon, 24 Sep 2012 18:39:47 +0530
From:     "BBB Complaint activity report" [B1A41D3F@onlinepcexpert.net]
Subject:     BBB Case #9833204

Dear business owner, we have received a complaint about your company possible involvement in check cashing and Money Order Scam.

You are asked to provide response to this complaint within 7 days.

Failure to provide the necessary information will result in downgrading your Better Business Bureau rating and possible cancellation of your BBB accreditation status.

Complaint ID#9833204

Council of Better Business Bureaus
3033 Wilson Blvd, Suite 600
Arlington, VA 22201
Phone: 1 (703) 276.0100
Fax: 1 (703) 525.8277

==========

Date:     Mon, 24 Sep 2012 08:25:00 -0300
From:     "Better Business Bureau" [792375B2@mbdservices.com]
Subject:     BBB Complaint activity report

Dear business owner, we have received a complaint about your company possible involvement in check cashing and Money Order Scam.

You are asked to provide response to this complaint within 7 days.

Failure to provide the necessary information will result in downgrading your Better Business Bureau rating and possible cancellation of your BBB accreditation status.

Complaint ID#360343

Council of Better Business Bureaus
3033 Wilson Blvd, Suite 600
Arlington, VA 22201
Phone: 1 (703) 276.0100
Fax: 1 (703) 525.8277

The malicious payload is on [donotclick]108.178.59.11/links/anybody_miss-knowing.php (Singlehop, US) which is most likely a Blackhole 2 kit. This IP address has been used in other attacks and should be blocked if you can.

Saturday, 22 September 2012

LinkedIn spam / 69.194.201.21

This fake LinkedIn spam leads to malware on 69.194.201.21:

Date:     Sat, 22 Sep 2012 15:16:47 -0500
From:     "Reminder" [CC8504C0E@updownstudio.com]
Subject:     LinkedIn: New messages awaiting your response

LinkedIn
REMINDERS

Invitation reminders:
From Emilio Byrd (Insurance Manager at Wolseley)

PENDING MESSAGES

There are a total of 88 message(-s) awaiting your response. Go to InBox now.

This message was sent to [redacted]. This is an occasional email to help you get the most out of LinkedIn.

Adjust your message settings.

LinkedIn values your privacy. At no time has LinkedIn made your email address available to any other LinkedIn user without your permission.

2012, LinkedIn Corporation.

The malicious payload is at [donotclick]69.194.201.21/links/deep_recover-result.php (Solar VPS, US) which appears to be a Blackhole 2 exploit kit. Blocking this IP address would be prudent.

Thursday, 20 September 2012

Amazon.com spam / webgrafismo.net and 203.91.113.6

This fake Amazon.com spam leads to malware on webgrafismo.net:

Date:     Fri, 21 Sep 2012 03:44:47 +0800
From:     "Adolfo Bruno" [debitst54@uky.edu]
Subject:     Your HD TV Delivered Yesterday


Your Orders | Your Account | Amazon.com
Shipping Confirmation
Order #002-9587043-55406590

Greetings [redacted],

Thank you for shopping with us. Wethought you'd like to know that amazon shipped your item, and that this completes your order.. If you need to return an item from this shipment or manage other orders, please visit Your Orders on Amazon.com.
Your estimated shipment delivery date is:

Friday, September 21, 2012

Why tracking information may be unavailable?
   Your order was sent to:

[redacted]
572 9th Ave, App. 2D
S Paolo, TX
United States

This shipment does not have an associated delivery tracking No..

Conveyance Data


Sharp XVT3D32, SV 46-Inch 1080p 1000 Hz Cinema 3D LED-LCD HDTV with 3D Blu-ray Player and Two Pairs of 3D Glasses
Sold by secondipity
Condition: used - acceptable
   $740.43
Item Subtotal:    $740.43
Shipping & Handling:    $22.40
Total Before Tax:    $740.43
Shipment Total:    $740.43
Paid by Maestro:    $740.43

Returns are easy. Visit our ON-line Return Center.
If you need urgent assistance with your order, please visit Merchant Contact Form.

We hope to see you again soon!
Amazon.com

Unless otherwise noted, items are sold by Amazon LLC. Learn more about tax and seller information.

This email was sent from a notification-only address that cannot accept incoming email. Please don't reply to this message.

==========

Date:     Thu, 20 Sep 2012 20:51:04 +0100
From:     "Ned@mc2school.org" [Ned@ataonline.com.tr]
Subject:     Re: HDTV Shipped Yesterday

Your Orders | Your Account | Amazon.com
Order Processing Confirmation
Order #002-1662198-01565354
Greetings [redacted],

Thank you for shopping with us. Wethought you'd like to know that amazon shipped your item, and that this completes your order.. If you need to return an item from this shipment or manage other orders, please visit Your Orders on Amazon.com.
Your estimated shipment date is:

Friday, September 21, 2012

Why tracking information may be not available?
        Your order was delivered to:

[redacted]
148 S Academy Dr, App. 1D
Albuquerque, KY
United States

This shipment does not have an associated delivery tracking number.

Order

Sony XVT3D15, SV 42-Inch 1080p 600 Hz Cinema 3D LCD HDTV with 3D Blu-ray Player and Two Pairs of 3D Glasses
Sold by onner
Condition: used-new
        $594.65
Item Subtotal: $594.65
Shipping & Handling:   $22.34
Total Before Tax:      $594.65
Shipment Total:        $594.65
Paid by Discover:     $594.65
Returns are easy. Visit our ON-line Return Center.
If you need urgent assistance with your order, please visit Merchant Contact Form.

We hope to see you again soon!
Amazon.com

Unless otherwise noted, items are sold by Amazon LLC. Learn more about tax and shop information.

This email was sent from a notification-only address that cannot accept incoming email. Please don't reply to this message.

The malicious payload is at [donotclick]webgrafismo.net/detects/rates-event_convinced-sent.php hosted on a known bad IP address of 203.91.113.6 (G Mobile, Mongolia). The exploit kit is probably Blackhole 2 given it's characteristics.

If you can block this IP address then I strong advise it. Other malicious sites on the same IP include.

penel-opessong.com
sncahmn.com
xlzones.com
virtual-geocaching.net
afgreenwich.net
cedarbuiltok.net
sowendo.net
thebummwrap.net
allmn-leicncester.net
bode-sales.net
webgrafismo.net

Federal Tax Payment Spam / soisokdomen.ru

This fake tax payment spam leads to malware on soisokdomen.ru:

Date:     Thu, 20 Sep 2012 09:10:47 -0300
From:     Badoo [noreply@badoo.com]
Subject:     Re: Fwd: Tax Payment COM1684-645 is failed.

Hello,

Your Federal Tax Payment has been rejected.

Please, check the information and refer to Code I 94 to get details about

your company payment:

http://www.eftps.gov/section794/P9367027

JACINTA Stout,

The Electronic Federal Tax Payment System

The malicious payload (probably Blackhole 2) is at [donotclick]soisokdomen.ru:8080/forum/links/column.php hosted on the following familiar looking IP addresses:

213.135.42.98
50.56.92.47
203.80.16.81

Blocking these would be prudent.

ADP Spam / 69.194.192.203

This fake ADP spam email leads to malware on 69.194.192.203:

Date:     Thu, 20 Sep 2012 14:25:24 +0300
From:     "ADPClientServices" [ABD331056@losblancoba.com.ar]
Subject:     ADP Urgent Notification - Debit Draft

Your Transaction Report(s) have been uploaded to the web site:

https://www.flexdirect.adp.com/client/login.aspx

Please note that your bank account will be debited within one banking business day for the amount(s) shown on the report(s).

Please do not respond or reply to this automated e-mail. If you have any questions or comments, please Contact your ADP Benefits Specialist.

Thank You,

ADP Benefit Services

The malicious payload is at [donotclick]69.194.192.203/links/deep_recover-result.php (probably Blackhole 2.0) hosted by Solar VPS in the US. This IP has been used for malware before recently, blocking it would be prudent.

Tuesday, 18 September 2012

UPS Spam / denegnashete.ru

This fake UPS spam (or is it USPS.. or LinkedIn?) leads to malware on denegnashete.ru:

Date:     Tue, 18 Sep 2012 08:01:39 +0100
From:     LinkedIn Connections [connections@linkedin.com]
Subject:     UPS: Your Package H7022585958
Attachments:    UPS_ID7683348.htm

You can use UPS Services to:

Ship Online
Schedule a Pickup
Open a UPS Team Account


Welcome to UPS CUSTOMER SERVICES

OI, [redacted].

Dear Customer , We were not able to delivery the postal package

Please print out the invoice copy attached and collect the package at our department.

Best Regards , UPS .com Customer Services.



Copyright 2011 United Parcel Service of America, Inc. USPS Services, the Your usps Customer Services brandmark, and the color brown are trademarks of United Parcel Service of America, Inc. All rights reserved.

Please do not reply directly to this e-mail. Your USPS .us Customer Services will not receive any reply message. For questions or comments, visit Contact UPS.

We understand the importance of privacy to our customers. For more information, please consult the USPS Team Privacy Policy.

This communication contains proprietary information and may be confidential. If you are not the intended recipient, the reading, copying, disclosure or other use of the contents of this e-mail is strictly prohibited and you are instructed to please delete this e-mail immediately.

The malware can be found at [donotclick]denegnashete.ru:8080/forum/links/column.php which is the same as found on this attack..

"Scan from a Hewlett-Packard ScanJet" spam / denegnashete.ru

This fake printer spam.. or Craigslist spam.. leads to malware on denegnashete.ru:

From: craigslist - automated message, do not reply [mailto:robot@craigslist.org]
Sent: 18 September 2012 11:44
Subject: Re: Fwd: Scan from a Hewlett-Packard ScanJet #97273

A document was scanned and sent to you using a Hewlett-Packard HP18412598P

Sent to you by: SIDNEY
Pages : 7
Filetype(s): Images (.jpeg) View

Location: not set.
Device: P91162592KLLD

The malicious payload is at [donotclick]denegnashete.ru:8080/forum/links/column.php (report here) hosted on the same IPs as found here.

IRS spam / xlzones.com

More IRS themed spam, this time leading to malware on xlzones.com:

From: Internal Revenue Service [mailto:papillaq9@wonderware.com]
Sent: 18 September 2012 15:22
Subject: Your IRS federal tax payment has not been accepted
Importance: High

Your Federal Tax transaction (ID: 1550573369185), recently sent from your bank account was returned by The Electronic Federal Tax Payment System.
Not Accepted Tax transfer
Tax Transaction ID:     1550573369185
Reason ID    See details in the report below
Income Tax Transaction Report    tax_report_1550573369185.doc (Microsoft Word Document)

Internal Revenue Service P.O. Box 996 Davis 99627 NY

The malicious payload can be found at [donotclick]xlzones.com/detects/char-storing-hate.php and [donotclick]xlzones.com/maintain/java.jar (report here) hosted on the familiar IP address of 203.91.113.6 (G Mobile, Mongolia). Block this IP if you can.. also beware of these other malicious domains on the same server:
centennialfield.net
blue-lotusgrove.net
virtual-geocaching.net
afgreenwich.net
cedarbuiltok.net
thebummwrap.net
bode-sales.net
cat-mails.net
xlzones.com

"Photos" spam / diareuomop.ru

This spam leads to malware ondiareuomop.ru:

From: Carleen Garrett
Sent: Tuesday, September 18, 2012 3:17:33 PM
Subject: Photos

Hi,
as promised your photos - http://flyershot.com/gallery.htm

The payload is at [donotclick]diareuomop.ru:8080/forum/links/column.php hosted on the following IPs:
50.56.92.47
203.80.16.81
46.51.218.71

These IPs are a subset of the ones found here. Block 'em if you can.

Monday, 17 September 2012

Intuit.com spam / kerneloffce.ru

This fake Intuit.com spam attempts to load malware from kerneloffce.ru:

Date:     Mon, 17 Sep 2012 08:54:50 -0600
From:     "Mason Jordan" [LillieRoell@digitalnubia.com]
Subject:     Your Intuit.com software order.
Attachments:     Intuit_Order_A49436.htm

Dear customer: Thank you for ordering from Intuit Market. We are processing and will message you when your order ships. If you ordered multiple items, we may sned them in more than one delivery (at no extra cost to you) to ensure quicker delivery. If you have questions about your order please call 1-900-130-1601 ($4.79/min).
ORDER INFORMATION

Please download your complete order id #1197744 from the attachment.(Open with Internet Explorer)
�2012 Intuit, Inc. All rights reserved. Intuit, the Intuit Logo, Quickbooks, Quicken and TurboTax, among others, are registered trademarks of Intuit Inc.

The malicious payload is at kerneloffce.ru:8080/forum/links/column.php which was hosted on 46.51.218.71 (Amazon, Ireland) until it got nuked. The following domains and IP addresses are all related:

moskowpulkavo.ru
omahabeachs.ru
kerneloffce.ru
46.51.218.71
50.56.92.47
62.76.188.246
62.76.190.50
87.120.41.155
91.194.122.8
132.248.49.112
178.63.51.54
203.80.16.81

IRS Spam / virtual-geocaching.net

This spam leads to malware on virtual-geocaching.net:

Date:     Mon, 17 Sep 2012 11:28:14 -0600
From:     Internal Revenue Service [tangierss4@porterorlin.com]
Subject:     IRS report of not approved tax transfer

Your State Tax transfer (ID: 30062091798009), recently sent from your checking account was returned by Internal Revenue Service payment processing unit.

Not Accepted Tax transaction
Tax Transaction ID:     30062091798009
Reason of rejection     See details in the report below
Federal Tax Transaction Report     tax_report_30062091798009.doc (Microsoft Word Document)

Internal Revenue Service 3192 Aliquam Rd. Davis 71320 VA

The malicious payload is at [donotclick]virtual-geocaching.net/main.php?page=7de3f5c4200c896e (report here) on 203.91.113.6 (G Mobile, Mongolia) as used in this recent attack and several others.

IRS spam / thebummwrap.net

This fake IRS spam leads to malware on thebummwrap.net:

From: Internal Revenue Service [mailto:fascinatesh07@deltamar.net]
Sent: 17 September 2012 15:30
Subject: Your federal tax transaction has been not accepted

Your State Tax transaction (ID: 60498447771657), recently initiated from your bank account was canceled by The Electronic Federal Tax Payment System.
Not Accepted Tax transaction
Tax Transaction ID:     60498447771657
Rejection code    See details in the report below
Income Tax Transaction Report    tax_report_60498447771657.doc (Microsoft Word Document)

Internal Revenue Service Ap #822-9450 Cum Avenue Edmond 33020 MI

The malicious payload is at [donotclick]thebummwrap.net/main.php?page=7de3f5c4200c896e hosted on 203.91.113.6 (G Mobile Mongolia) which has been used several times recently for evil purposes.

At the moment, the following sites seem to be active on the server, all can be assumed to be malicious.

thebummwrap.net
centennialfield.net
blue-lotusgrove.net
afgreenwich.net
bode-sales.net
cat-mails.net
nitor-solutions.net

Spam with numbers and "hi" in it..

There seems to be a lot of this about today..

Date: Mon, 17 Sep 2012 08:39:16 -0300
Subject: Re: 89898877282500

Hi

The numbers vary in each email, from single digits to quite long sequences. The body text is always "Hi", nothing appears to be hidden or malicious in any way. One characteristic is that the recipient is not usually the one in the "To" field as the spam is using the BCC field to suppress recipients.

The emails are not harmful, but obviously there is something going on. One possibility is that this is a probing attack, where an outside source is attempting to enumerate live mailboxes or collate server responses for further use. A short email like this will get passed through many spam filters, so (for example) it could be that the attacker is looking for SMTP responses that indicate a real mailbox to spam again later rather than a dead one.

If you have any other ideas, then please share them in the Comments :)

Thursday, 13 September 2012

ADP spam / 46.249.37.122

This fake ADP spam tries to load malware from 46.249.37.122:

From: ADP_Online_Invoice_DoNotReply@adp.com ADP_Online_Invoice_DoNotReply@adp.com
Date: 13 September 2012 14:29
Subject: ADP Invoice Reminder

Your latest ADP Dealer Services Invoice is now available to view or pay online at ADP Online Invoice Management .

To protect the security of your data, you will need to enter your ID and password, then click on Access your Online Invoice Management account.

Total amount due by September 13, 2012

$17202.04

If you have already sent your payment please disregard this friendly reminder and Thank you for choosing ADP.

Questions about your bill?

Contact David Nieto by Secure Mail.

Note: This is an automated email. Please do not reply.

After clicking the link bouncing through a couple of redirectors, the victim ends up at [donotclick]46.249.37.122/links/systems-links_warns.php which appears to be generating a 404 error (although it could be fake). This could be a legitimate but hacked server as it is also the IP address for a proxy service called dutchprox.com. In any case, you might decide you want to block the IP just in case.

Tuesday, 11 September 2012

US Airways spam / blue-lotusgrove.net

A couple of samples of a fake US Airways spam email leading to malware on blue-lotusgrove.net:

Date:     Tue, 11 Sep 2012 15:32:42 -0300
From:     "US Airways - Reservations" [reservations@myusairways.com]
Subject:     Please confirm your US Airways online registration.

You can check in from 24 hours and up to 60 minutes before your flight (2 hours if you're flying internationally). Then, all you need to do is print your boarding pass and proceed to the gate.

Confirmation code: 592499

Check-in online: Online reservation details

Flight

6840
Departure city and time

Washington, DC (DCA) 10:00PM

Depart date: 9/12/2012

We are committed to protecting your privacy. Your information is kept private and confidential. For information about our privacy policy visit usairways.com.

US Airways, 111 W. Rio Salado Pkwy, Tempe, AZ 85281 , Copyright US Airways , All rights reserved.

==========

Date:     Tue, 11 Sep 2012 23:29:14 +0700
From:     "US Airways - Reservations" [intuitpayroll@e.payroll.intuit.com]
Subject:     US Airways online check-in.

you {l2} check in from 24 hours and up to 60 minutes before your flight (2 hours if you're flying {l3}). {l4}, all you {l5} to do is print your boarding pass and {l6} to the gate.

confirmation code: {digit}

check-in online: online reservation details

flight

{digit}
departure city and time

washington, dc (dca) 10:00pm

depart date: 9/12/2012

we are committed to protecting your privacy. your information is kept private and confidential. for information about our privacy policy visit usairways.com.

us airways, 111 w. rio salado pkwy, tempe, az 85281 , copyright us airways , all rights reserved.

The malicious payload is at [donotclick]blue-lotusgrove.net/main.php?page=559e008e5ed98bf7 (report here) hosted on 203.91.113.6 (G Mobile, Mongolia), the same IP used in this attack. The following domains are on the same server, they can all be considered to be malicious:

padded.pl
spiki.pl
fruno.pl
nextbox.pl
omariosca.com
hemiga.com
decorera.com
seneesamj.com
unitmusiceditior.com
likenstendarts.com
flatbuzz.com
morepic.net
dushare.net
blue-lotusgrove.net
nitor-solutions.net
gsigallery.net
atfood.ru
indyware.ru
advia.kz
iowa.kz
autumn.kz
wet.kz

Friday, 7 September 2012

FedEx spam / dushare.net and gsigallery.net

Two fake FedEx campaigns today, with a format similar to the one found here but with different payload sites of dushare.net and gsigallery.net

In the first case, the malicious payload is at [donotclick]dushare.net/main.php?page=c82ec1c8d6998cf0 (report here) hosted on 203.91.113.6 (G Mobile, Mongolia). In the second case the payload is at [donotclick]gsigallery.net/main.php?page=2bfd5695763b6536 (report here) also hosted on 203.91.113.6.

The following domains are on the same server and should also be treated as being suspect.

padded.pl
spiki.pl
fruno.pl
nextbox.pl
omariosca.com
hemiga.com
decorera.com
seneesamj.com
obweesysho.com
unitmusiceditior.com
likenstendarts.com
flatbuzz.com
morepic.net
atfood.ru
indyware.ru
advia.kz
iowa.kz
autumn.kz
wet.kz
dushare.net
gsigallery.net

FedEx spam / studiomonahan.net

This somewhat mangled looking fake FedEx spam leads to malware on studiomonahan.net:

Date:     Thu, 6 Sep 2012 11:00:28 -0600
From:     BillingOnline@fedex.com
Subject:     Your Fedex invoice is ready to be paid now.


    FedEx Billing Online - Ready for Payment

        fedex.com


<td wid="th="10"" rowspan="2">

Hello [redacted]
You have a new not paid bill from FedEx that is ready for payment.

The following ivoice(s) are ready for your review :

<table border-top="1px solid #000" solid="" #000"="" border-left="1px solid #ccc" border="-bottom="1px" height="55" width="473">
<td= class="resultstableheader">
Invoice Number
7215-17193

To pay or review these invoices, please sign in to your FedEx Billing Online account by clicking on this link: http://www.fedex.com/us/account/fbo

Note: Please do not use this email to submit payment. This email may not be used as a remittance notice. To pay your invoices, please visit FedEx Billing Online, http://www.fedex.com/us/account/fbo

Thank you,
Revenue Services
FedEx



    This message has been sent by an auto responder system. Please do not reply to this message.

The content of this message is protected by copyright and trademark laws under U.S. and international law.
Review our privacy policy. All rights reserved.

Subjects spotted so far include:

Pay your Fedex invoice online.
Your Fedex invoice is ready to be paid now.
Please pay your outstanding Fedex invoice.
Your Fedex invoice is ready.

The malicious payload is found at [donotclick]studiomonahan.net/main.php?page=2bfd5695763b6536 (report here) hosted on 206.253.164.43 (Hostigation, US). The server contains the following suspect domains which should also be blocked:

fireinthesgae.pl
joncarterlope.pl
storuofginezi.com
usagetorrenen.com
dinitrolkalor.com
comercicalinz.com
studiomonahan.net
globusbusworld.su
jordanpowelove.su
appropriatenew.su
cdfilmcounderw.su
studiomonahan.net