Sponsored by..

Tuesday, 16 October 2012

Wire Transfer spam / hotsecrete.net

This fake wire transfer spam leads to malware on hotsecrete.net:

From: Federal Information System [mailto:highjackingucaf10@atainvest.com]
Sent: 16 October 2012 15:59
Subject: Wire Transfer accepted

We have successfully done the following transfer:
________________________________________
Item #: 35043728
Amount: $16,861.99
To: Anthony Glover
Fee: 29.00
Send on Date: 10/16/2012
Service: Domestic Wire
________________________________________

If there is a problem with processing your request we would report to you both by email and on the Manage Accounts tab. You can always check your transfer status via this link Sincerely,
Federal Reserve Bank Automate Notify System
________________________________________


*********************************************


Email Preferences
This is a service warning from Federal Reserve Bank. Please note that you may receive notification note in accordance with your service agreements, whether or not you elect to receive promotional email.
=============================================
Federal Reserve Bank Email, 8th Floor, 170 Seashore Tryon, Ave., Charlotte, TX 89936-0001
Federal Reserve Bank.


The malicious payload is found at [donotclick]hotsecrete.net/detects/exclude-offices_details_warm.php hosted on 183.81.133.121 (Vodafone, Fiji) which is a well-known malicious IP address that you should block.

LinkedIn spam / 74.91.112.86

This fake LinkedIn spam leads to malware on 74.91.112.86:

From: LinkedIn.Invitations [mailto:1F31A2F6B@delraybeachhomesales.com]
Sent: 16 October 2012 13:50
To: [redacted]
Subject: New invitation is waiting for your response

Hi [redacted],


David sent you an invitation to connect 13 days ago. How would you like to respond?

       
Accept    Ignore Privately


Hilton Suarez

Precision Castparts (Distributor Sales Manager EMEA)

You are receiving Invitation emails. Unsubscribe.

This email was intended for [redacted].
Learn why we included this.
2012, LinkedIn Corporation. 2029 Stierlin Ct. Mountain View, CA 94043, USA
The malicious payload is on [donotclick]74.91.112.86/links/assure_numb_engineers.php hosted by Nuclearfallout Enterprises in the US (no surprises there).


Monday, 15 October 2012

Facebook spam / o.anygutterkings.com

This fake Facebook spam leads to malware on o.anygutterkings.com:


Date:      Mon, 15 Oct 2012 20:02:21 +0200
From:      "FB Account"
Subject:      Facebook account

facebook    
Hi [redacted],
You have blocked your Facebook account. You can reactivate your account whenever you wish by logging into Facebook with your former login email address and password. Subsequently you will be able to take advantage of the site as before
Kind regards,

The Facebook Team
   
Sign in to Facebook and start connecting
Sign in


Please use the link below to resume your account :
http://www.facebook.com/home.php
This message was sent to [redacted]. If you don't want to receive these emails from Facebook in the future, please click: unsubscribe.

Facebook, Inc. Attention: Department 415 P.O Box 10005 Palo Alto CA 94303
Other subjects are: "Account blocked" and "Account activated"

The payload is at [donotclick]o.anygutterkings.com/links/assure_numb_engineers.php hosted on 198.136.53.38 (Comforthost, US)

Intuit spam / navisiteseparation.net

This fake Intuit spam leads to malware on navisiteseparation.net:


Date:      Mon, 15 Oct 2012 15:20:13 -0300
From:      "Intuit GoPayment" [crouppywo4@deltamar.net]
Subject:      Welcome - you're accepted for Intuit GoPayment

       
.
Congratulations!
GoPayment Merchant by Intuit request for ONTIMEE ADMINISTRATION, Inc. has been ratified.
GoPayment
Account Number:     XXXXXXXXXXXXXX55
Email Address:     [redacted]
   
PLEASE NOTE :
    Associated charges for this service may be applied now.
Next step: View or confirm your Access ID



This is {LET:User ID lets you:
Review your payment service in the Merchant Center
Review charges
Log In to other Intuit products you may use, like TurboTax, Quicken, and Intuit Payroll


The good news is we found an existing Intuit account for your email address, You can use this ID for your payment service also, or enter a new one.



Verify Access ID
Get started:



Step 1: If you have not still, download the Intuit software.



Step 2: Launch the Intuit application and sign in with the Access ID (your email address) and Password you setup.



Easy Manage Your Intuit GoPayment Account

The GoPayment Merchant Service by Intuit Center is the web site where you can learn more about GoPayment features, customize your sales receipt and add GoPayment users. You can also view transactions, deposits and fees. Visit url and sign in with your GoPayment AccesID (your email address) and Password.
For more information on how to start using GoPayment Merchant by Intuit, including tutorials, FAQs and other resources, visit the Merchant Service Center at service link.
Please don't reply to this message. auto informer system unable to accept incoming messages.
System Terms & Agreements     � 2008-2012 Intuit, INC. All rights reserved.


Sample subjects:

  • Congrats - you're accepted for Intuit GoPayment Merchant 
  • Congratulations - you're approved for Intuit Merchant 
  • Congrats - you're approved for GoPayment Merchant 
  • Welcome - you're accepted for Intuit GoPayment 
The malicious payload is at  [donotclick]navisiteseparation.net/detects/processing-details_requested.php  hosted on 183.81.133.121 (Vodafone, Fiji). The good news is that the domain has been suspended by the registrar, but that IP address has been used many times recently and should be blocked if you can.


"Copies of Policies" spam / linkrdin.ru

Another "Copies of Policies" spam, this time leading to malware on linkrdin.ru:

From: [support@victimdomain.com]
Date: 15 October 2012 07:15
Subject: RE: SANTOS - Copies of Policies.


Unfortunately, I cannot obtain electronic copies of the Ocean, Warehouse or EPLI policy.

Here is the Package and Umbrella,
and a copy of the most recent schedule.

The malicious payload is on [donotclick]linkrdin.ru:8080/forum/links/column.php (report here) hosted on the same IPs as this spam:

68.67.42.41 (Fibrenoire, Canada)
79.98.27.9 (UAB Interneto Vizija, Lithunia)
203.80.16.81 (MYREN, Malaysia)

Friday, 12 October 2012

Wire Transfer spam / geforceexlusive.ru

This fake wire transfer spam leads to malware on geforceexlusive.ru:

From: Xanga [mailto:noreply@xanga.com]
Sent: 12 October 2012 11:27
Subject: Fwd: Wire Transfer Confirmation (FED_6537H57898)

Dear Bank Account Operator,
WIRE TRANSFER: WRE-282857636652198
CURRENT STATUS: PENDING

Please REVIEW YOUR TRANSACTION as soon as possible.
The malicious payload is at [donotclick]geforceexlusive.ru:8080/forum/links/column.php hosted on the following IPs:

68.67.42.41 (Fibrenoire, Canada)
79.98.27.9 (UAB Interneto Vizija, Lithunia)
203.80.16.81 (MYREN, Malaysia)

These IPs are worth blocking as they will probably also be used in future attacks.




ADP spam / 184.164.151.54

Yet more ADP-themed spam, this time leading to malware on 184.164.151.54:

Date:      Fri, 12 Oct 2012 14:48:18 +0530
From:      "ADPClientServices" [ADPClientServices@adp.com]
Subject:      ADP Urgent Notification

Your Transaction Report(s) have been uploaded to the web site:



https://www.flexdirect.adp.com/client/login.aspx



Please note that your bank account will be debited within one banking business day for the amount(s) shown on the report(s).



Please do not respond or reply to this automated e-mail. If you have any questions or comments, please Contact your ADP Benefits Specialist.



Thank You,

ADP Benefit Services

The malicious payload is at [donotclick]184.164.151.54/links/rules_familiar-occurred.php (hosted by the ironically named Secured Servers LLC in the US aka Jolly Works hosting of the Philippines).

ADP Spam / 198.143.159.108

Yet more fake ADP spam (there has been a lot over the past 24 hours) is being pushed out. This time there's a malicious payload at [donotclick]198.143.159.108/links/rules_familiar-occurred.php (Singlehop, US).

Avoid.

Thursday, 11 October 2012

"Copies of Policies" spam / windowsmobilever.ru

This slightly odd spam leads to malware on windowsmobilever.ru:


Date:      Thu, 11 Oct 2012 10:55:37 -0500
From:      "Amazon.com" [account-update@amazon.com]
Subject:      RE: DONNIE - Copies of Policies.

Unfortunately, I cannot obtain electronic copies of the Ocean, Warehouse or EPLI policy.

Here is the Package and Umbrella,

and a copy of the most recent schedule.

DONNIE LOCKWOOD,

==========

Date:      Thu, 11 Oct 2012 12:26:25 -0300
From:      accounting@[redacted]
Subject:      RE: MARGURITE - Copies of Policies.

Unfortunately, I cannot obtain electronic copies of the Ocean, Warehouse or EPLI policy.

Here is the Package and Umbrella,

and a copy of the most recent schedule.

MARGURITE Moss,

Anyone who clicks on the link will end up on an exploit kit at [donotclick]windowsmobilever.ru:8080/forum/links/column.php (report here) hosted on:

68.67.42.41 (Fibrenoire , Canada)
203.80.16.81 (MYREN, Malaysia)

These two IPs are currently involved in several malicious spam runs and should be blocked if you can.

ADP Spam / 108.61.57.66

There's masses of ADP-themed spam today. Here is another one:

Date:      Thu, 11 Oct 2012 14:53:17 -0200
From:      "ADP.Message" [986E3877@dixys.com]
Subject:      ADP Generated Message

This e-mail has been sent from an automated system. PLEASE DO NOT REPLY.

If you have any questions, please contact your administrator for assistance.


---------------------------------------------------------------------

Digital Certificate About to Expire

---------------------------------------------------------------------

The digital certificate you use to access ADP's Internet services is about to expire. If you do not renew your certificate by the expiration date below, you will not be able to access ADP's Internet services.

Days left before expiration: 3

Expiration date: Oct 14 23:59:59 GMT-03:59 2012

---------------------------------------------------------------------

Renewing Your Digital Certificate

--------------------------------------------------------------------

1. Go to this URL: https://netsecure.adp.com/pages/cert/register2.jsp

2. Follow the instructions on the screen.

3. Also you can download new digital certificate at https://netsecure.adp.com/pages/cert/pickUpCert.faces.

In this case the malicious payload is at [donotclick]108.61.57.66/links/assure_numb_engineers.php  hosted by Choopa LLC in the US. The IP is probably worth blocking to be on the safe side.

LinkedIn spam / inklingads.biz

The bad guys are very busy today with all sorts of spam campaigns, including lots of messages as below pointing to malware on

From: LinkedIn Notification [mailto:hewedngq6@omahahen.org]
Sent: 11 October 2012 15:59
Subject: LinkedIn Reminder
Importance: High

LinkedIn
REMINDERS
Invite events:
From Thaddeus Sosa ( Your servant)

PENDING EVENTS
There are a total of 3 messages awaiting your action. See your InBox immediately.
Don't wish to get email info letters? Adjust your notifications settings.
LinkedIn values your privacy. In no circumstances has LinkedIn made your notifications email acceptable to any third-party LinkedIn member without your permission. 2010, LinkedIn Corporation.
The malicious payload is on [donotclick]inklingads.biz/detects/invite-request_checking.php hosted on 183.81.133.121 (Vodafone, Fiji)

ADP spam / 4.wapin.in and 173.224.209.165:

This fake ADP spam leads to malware on 4.wapin.in:

From: ADP.Security [mailto:5BC4F06B@act4kids.net]
Sent: 11 October 2012 14:22
Subject: ADP: Urgent Notification

This e-mail has been sent from an automated system. PLEASE DO NOT REPLY.
If you have any questions, please contact your administrator for assistance.

---------------------------------------------------------------------
Digital Certificate About to Expire
---------------------------------------------------------------------
The digital certificate you use to access ADP's Internet services is about to expire. If you do not renew your certificate by the expiration date below, you will not be able to access ADP's Internet services.

Days left before expiration: 3
Expiration date: Oct 14 23:59:59 GMT-03:59 2012

---------------------------------------------------------------------
Renewing Your Digital Certificate
---------------------------------------------------------------------
1. Go to this URL: https://netsecure.adp.com/pages/cert/register2.jsp

2. Follow the instructions on the screen.

3. Also you can download new digital certificate at https://netsecure.adp.com/pages/cert/pickUpCert.faces.
The malicious payload is on [donotclick]4.wapin.in/links/assure_numb_engineers.php hosted on 198.136.53.39 (Comforthost, US).

Another variant of this goes to  [donotclick]173.224.209.165/links/assure_numb_engineers.php (Psychz Networks, US)

Blackhole sites to block 11/10/12

A bunch of sites are active today with the Blackhole exploit kit.. here are the ones seen so far:

183.81.133.121
198.136.53.39
173.255.223.77
64.247.188.141
inklingads.biz

The delivery mechanisms are fake LinkedIn and eFax messages. Block those IPs if you can.

eFax spam / 173.255.223.77 and chase.swf

Two different eFax spam runs seem to be going on at the same time:
From: eFax Corporate [mailto:05EBD8C@poshportraits.com]
Sent: 11 October 2012 12:58
Subject: eFax notification



You have received a 50 page(-s) fax at Thu, 11 Oct 2012 07:58:06 -0400.
* The reference number for this fax is [2EA33CF].
Click the following link to view this message:
https://www.efaxcorporate.com/corp/twa/View?returnPageKey=2EA33CF
Please visit www.efaxcorporate.com/corp/twa/page/customerSupport if you have any questions regarding this message or your service. You may also e-mail our corporate support department at corporatesupport@mail.efax.com.
Thank you for using the eFax Corporate service!


© 2012 j2 Global, Inc. All rights reserved.
eFax Corporate is a registered trademark of j2 Global, Inc.
This account is subject to the terms listed in the eFax Corporate Customer Agreement.

==========



From: eFax.Corporate [mailto:2C4C2348@aieservices.com.au]
Sent: 11 October 2012 12:51
Subject: eFax: You have received new fax



You have received a 34 page(-s) fax at Thu, 11 Oct 2012 13:50:54 +0200.
* The reference number for this fax is [97ECE658].
Click the following link to view this message:
https://www.efaxcorporate.com/corp/twa/View?returnPageKey=97ECE658
Please visit www.efaxcorporate.com/corp/twa/page/customerSupport if you have any questions regarding this message or your service. You may also e-mail our corporate support department at corporatesupport@mail.efax.com.
Thank you for using the eFax Corporate service!


© 2012 j2 Global, Inc. All rights reserved.
eFax Corporate is a registered trademark of j2 Global, Inc.
This account is subject to the terms listed in the eFax Corporate Customer Agreement.


One leads to a malicious landing page at [donotclick]173.255.223.77/links/assure_numb_engineers.php hosted by Linode in the US.

The other one is a bit odder, referring to a file called chase.swf on a hacked site. VT analysis shows just 1/44 which is not good. That looks a bit like this:

{html}
{body}
{object width='255' height='57'}
 {param name='movie' value='infected.swf'} {/param}
 {param name='allowScriptAccess' value='sameDomain'} {/param}
 {embed width='255' height='57'
  src='hxxp:||[redacted].com/chase.swf' name='BridgeMovie'
  allowScriptAccess='sameDomain' type='application/x-shockwave-flash' }
 {/embed}
{/object}
{/body}
{/html}


Beats me what it is. Probably nothing good though...

ppinomore.com PPI SMS spam

These PPI spammers are at it again, this time promoting a website ppinomore.com.

URGENT you are owed £3350 for the PPI you took out, time is running out to claim, please visit www.ppinomore.com to claim, thank you. To opt out reply STOP.

The sending number is +447787446160 although this will change at they get blocked for spamming. If you have any more numbers, then please considered adding them in the Comments section.

If you get one of these, you should forward the spam and the sender's number to your carrier. In the came of T-Mobile, O2 and Orange the number to report to is 7726 ("SPAM"). Vodafone customers should use 87726 ("VSPAM") and Three customers should use 37726 ("3SPAM"). Hopefully the carriers will act if there are enough complaints.

The thing with these spam PPI messages is that they are also a scam. I don't have any mis-sold PPI, so I'm not eligible for anything, but it seems that the spammers are encouraging you to make a fraudulent claim, which is a criminal offence.

So who is behind ppinomore.com? It has anonymous WHOIS details so no clue there. They claim their address is in Pakistan:
PPI-Today
586, Park Towers,
Block 26, P.E.C.H.S.,
Shahrah-e-Faisal,
Karachi

And they're not regulated by anyone..
ppinomore is a marketing agent. Our partners are regulated by the Ministry of Justice in respect of regulated claims management activities - their authorisation number is available on request and their registration is recorded on the Ministry of Justice website 

So who are their partners. Of note, the ppinomore.com site is hosted on 217.23.12.215 which is hosted by Worldstream in the Netherlands, but actually allocated to a scam/spam friendly outfit called YoHost . The following sites are on the same server:

antismsspam.com
birthdaywishlist.net
buyfacebookfriends.info
claimsdirects.com
cpamatch.net
downloads4.biz
easyexplorer.net
englandinsolvency.com
filewizard.net
flywith.org
glasgowtrustdeeds.com
guystube.net
homeworkers.tv
ineedajob.tv
jizzin.me
kimdotcom.biz
liquidationadvice.info
megahost.tv
memorysticks.tv
monstercv.tv
mortgagecharges.info
myppi.org
numbergenerator.info
phoneapps.tv
ppinomore.com
ppinow.org
prepaidcards.tv
protectedtrustdeeds.tv
referafriend.info
rofl.hk
scotlandtrustdeeds.info
scottishdebtinfo.com
scottishtrustdeed.info
smsoptout.com
streamingloads.com
surveymonster.info
textforgold.com
transfermypension.info
txtforloans.com
whatsbetterapp.com
yadoo.tv

Some of these look quite interesting.. they're also using SMS and PPI themed sites. Almost all the sites have anonymous WHOIS details.. apart from myppi.org that is..

Domain ID:D166396094-LROR
Domain Name:MYPPI.ORG
Created On:21-Aug-2012 10:52:54 UTC
Last Updated On:21-Aug-2012 10:52:55 UTC
Expiration Date:21-Aug-2013 10:52:54 UTC
Sponsoring Registrar:GoDaddy.com, LLC (R91-LROR)
Status:CLIENT DELETE PROHIBITED
Status:CLIENT RENEW PROHIBITED
Status:CLIENT TRANSFER PROHIBITED
Status:CLIENT UPDATE PROHIBITED
Status:TRANSFER PROHIBITED
Status:ADDPERIOD
Registrant ID:CR122029936
Registrant Name:john mcneish
Registrant Organization:surveycentre
Registrant Street1:flat 3 11a whitworth street
Registrant Street2:opal house
Registrant Street3:
Registrant City:manchester
Registrant State/Province:lancashire
Registrant Postal Code:m1 3gw
Registrant Country:GB
Registrant Phone:+1.614083744
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Registrant Email:gary@tetr.us
Admin ID:CR122029938
Admin Name:john mcneish
Admin Organization:surveycentre
Admin Street1:flat 3 11a whitworth street
Admin Street2:opal house
Admin Street3:
Admin City:manchester
Admin State/Province:lancashire
Admin Postal Code:m1 3gw
Admin Country:GB
Admin Phone:+1.614083744
Admin Phone Ext.:
Admin FAX:
Admin FAX Ext.:
Admin Email:gary@tetr.us
Tech ID:CR122029937
Tech Name:john mcneish
Tech Organization:surveycentre
Tech Street1:flat 3 11a whitworth street
Tech Street2:opal house
Tech Street3:
Tech City:manchester
Tech State/Province:lancashire
Tech Postal Code:m1 3gw
Tech Country:GB
Tech Phone:+1.614083744
Tech Phone Ext.:
Tech FAX:
Tech FAX Ext.:
Tech Email:gary@tetr.us
Name Server:NS19.DOMAINCONTROL.COM
Name Server:NS20.DOMAINCONTROL.COM


John McNeish? So why is his email address gary@tetr.us then? Probably because this is really Gary McNeish who has been involved in offshore SMS spamming before.

So, is Gary McNeish responsible for the ppinomore.com SMS spam? It could just be a coincidence that a server stuffed with dodgy finance and marketing sites contains both a site belonging to Gary McNeish and these ppinomore.com scammers, after all there's no indication that this is actually Gary McNeish's server, just that he has a site on it.

Still, hopefully the recently announced ICO crackdown on SMS spammers might have a positive effect.

Update:
Here is another link between ppinomore.com and Gary McNeish's myppi.org - if you search for the text "ppinomore is a marketing agent. Our partners are regulated by the Ministry of Justice" on Google, it also appears on myppi.org:


Funnily enough, the content for myppi.org has changed to some search engine called "Yadoo" since it was indexed by Google. It must just be a coincidence that the ppinomore text appeared on Mr McNeish's site, yes?

The following numbers also seem to be in use for this spam:
+447867368703
+447780458447 

Please add any more in the comments, thanks!

Sophos: "Your phone number may not be as private on Facebook as you think - and how to fix it"

From Sophos.. another good reason not to use Facebook.

So, as well as leaking email addresses through a reverse lookup, Facebook also does a reverse lookup for telephone numbers. What could possibly go wrong?

Well, until somebody figures out how to write a script to harvest the phone numbers automatically, that is..

Added: oh look, somebody did it already.

Wednesday, 10 October 2012

Chase credit card spam / 2.cmisd.org

Another fake Chase credit card spam (like this one), this time leading to malware on 2.cmisd.org:

Date:      Wed, 10 Oct 2012 12:21:48 -0500
From:      "Chase.Alert" [CB22FC0@abbottfire.com]
Subject:      Credit card report

This is an Alert to help you manage your credit card account.

As you requested, we are notifying you of any charges over the amount of ($USD) 200.00, as specified in your Alert settings. A charge of ($USD) 236.77 at Amazon Store has been authorized on Wed, 10 Oct 2012 12:21:48 -0500.

Do not reply to this Alert.

If you have questions, please call the number on the back of your credit card, or send a secure message from your Inbox on www.Chase.com/cl/smessage/alert_id=90A4F

To see all of the Alerts available to you, or to manage your Alert settings, please log on to www.Chase.com.

There are lots of variants, e.g.:

As you requested, we are notifying you of any charges over the amount of ($USD) 200.00, as specified in your Alert settings. A charge of ($USD) 566.48 at eStore has been authorized on Wed, 10 Oct 2012 17:28:38 +0100.

As you requested, we are notifying you of any charges over the amount of ($USD) 200.00, as specified in your Alert settings. A charge of ($USD) 989.65 at Google Store has been authorized on Wed, 10 Oct 2012 11:18:13 -0500.

As you requested, we are notifying you of any charges over the amount of ($USD) 200.00, as specified in your Alert settings. A charge of ($USD) 518.21 at eStore has been authorized on Wed, 10 Oct 2012 08:42:53 -0700.

As you requested, we are notifying you of any charges over the amount of ($USD) 200.00, as specified in your Alert settings. A charge of ($USD) 763.93 at UNKNOWN has been authorized on Wed, 10 Oct 2012 17:42:24 +0200.
In this case the malicious payload is at [donotclick]2.cmisd.org/links/assure_numb_engineers.php hosted on 75.98.171.60 (A2 Hosting, US). Blocking access to that IP would probably be wise.

LinkedIn spam / viewsonicone.ru

This fake LinkedIn spam leads to malware on viewsonicone.ru:

From: messages-noreply@bounce.linkedin.com [mailto:messages-noreply@bounce.linkedin.com] On Behalf Of LinkedIn Connections
Sent: 10 October 2012 09:46
Subject: Nayeli is now part of your network. Keep connecting...

 [redacted]. Congratulations!
You and Nayeli are now connected.

    Nayeli Deaton

--
Chad   

2012, LinkedIn Corporation
The link goes through some obfuscated javascript (report here) to lead to [donotclick]viewsonicone.ru:8080/forum/links/column.php hosted on the following IPs:
68.67.42.41 (Fibrenoire Internet, Canada)
178.79.146.49 (Linode, UK)
203.80.16.81 (MYREN, Malaysia)

All these IPs and domains are potentially malicious and should be blocked if you can do it:
68.67.42.41
178.79.146.49
203.80.16.81
rumyniaonline.ru
sonatanamore.ru
onlinebayunator.ru
uzoshkins.ru
limonadiksec.ru
ioponeslal.ru
pionierspokemon.ru
appleonliner.ru
lenindeads.ru
viewsonicone.ru

NACHA spam / formexiting.net

This fake NACHA spam leads to malware on formexiting.net:

From: The Electronic Payments Association [mailto:underlining34@anbid.com.br]
Sent: 10 October 2012 15:59
Subject: Rejected ACH transaction
Importance: High


The ACH transaction (ID: 9536860209937), recently issued from your bank account (by one of your account members), was reversed by the recepient's financial institution.
Canceled request
Transaction ID:     9536860209937
Reason of rejection    Review details in the statement below
Transaction Report    report_9536860209937.doc (Microsoft Office Word Document)


17390 Seaside Valley Drive, Suite 101
Herndon, VA 20171
2011 NACHA - The Electronic Payments Association

The malicious payload is on [donotclick]formexiting.net/detects/review_reject_reason.php hosted on 183.81.133.121 (Vodafone, Fiji) which is a well-known malicious IP that you should consider blocking.

Chase credit cards spam / 3.azwap.de

This fake Chase spam leads to malware on 3.azwap.de:

Date:      Wed, 10 Oct 2012 11:48:49 -0300
From:      "Chase.com" [noreply@sprint.com]
Subject:      Chase: your credit cars account

This is an Alert to help you manage your credit card account.


As you requested, we are notifying you of any charges over the amount of ($USD) 200.00, as specified in your Alert settings. A charge of ($USD) 233.30 at Apple Store has been authorized on Wed, 10 Oct 2012 11:48:49 -0300.


Do not reply to this Alert.


If you have questions, please call the number on the back of your credit card, or send a secure message from your Inbox on www.Chase.com/secure_m/id=34F4A5C



To see all of the Alerts available to you, or to manage your Alert settings, please log on to www.Chase.com.

The malicious payload is at [donotclick]3.azwap.de/links/assure_numb_engineers.php hosted on 69.194.194.229 (Solar VPS, US)

Another sample email:

 This is an Alert to help you manage your credit card account.

As you requested, we are notifying you of any charges over the amount of ($USD) 200.00, as specified in your Alert settings. A charge of ($USD) 669.84 at eStore has been authorized on Wed, 10 Oct 2012 11:31:42 -0400.

Do not reply to this Alert.

If you have questions, please call the number on the back of your credit card, or send a secure message from your Inbox on www.Chase.com/customer_login/u=83669F

To see all of the Alerts available to you, or to manage your Alert settings, please log on to www.Chase.com.