Sponsored by..

Tuesday, 30 October 2012

Craiglist spam / fionadix.ru

This fake Craiglist spam leads to malware on fionadix.ru:


Date:      Tue, 30 Oct 2012 06:26:07 +0600
From:      Tai Seals [AntonyHaugland@fibermail.hu]
Subject:      POST/EDIT/DELETE : "tattoos tattoos tattoos" (talent)


IMPORTANT - FURTHER ACTION IS REQUIRED TO COMPLETE YOUR REQUEST !!!

FOLLOW THE WEB ADDRESS BELOW TO:

    PUBLISH YOUR AD
    EDIT (OR CONFIRM AN EDIT TO) YOUR AD
    VERIFY YOUR EMAIL ADDRESS
    DELETE YOUR AD

If not clickable, please copy and paste the address to your browser:

Click here

PLEASE KEEP THIS EMAIL - you may need it to manage your posting!

Your posting will expire off the site 7 days after it was created.

Thanks for using craigslist!

==========



Date:      Tue, 30 Oct 2012 06:23:41 -0500
From:      LinkedIn Connections [connections@linkedin.com]
Subject:      POST/EDIT/DELETE : "Appliance repair" (financial)

IMPORTANT - FURTHER ACTION IS REQUIRED TO COMPLETE YOUR REQUEST !!!

FOLLOW THE WEB ADDRESS BELOW TO:

    PUBLISH YOUR AD
    EDIT (OR CONFIRM AN EDIT TO) YOUR AD
    VERIFY YOUR EMAIL ADDRESS
    DELETE YOUR AD

If not clickable, please copy and paste the address to your browser:

Click here

PLEASE KEEP THIS EMAIL - you may need it to manage your posting!

Your posting will expire off the site 7 days after it was created.

Thanks for using craigslist!


The malicious payload is at [donotclick]fionadix.ru:8080/forum/links/column.php (report here) hosted on some familiar IPs:
68.67.42.41 (Fibrenoire, Canada)
203.80.16.81 (MYREN, Malaysia)
209.51.221.247 (eNET, United States)

Additional name server IPs:
50.22.102.132 (Softlayer, United States)
62.76.186.190 (Clodo-Cloud, Russia)
84.22.100.108 (Cyberbunker, Netherlands)
213.251.171.30 (OVH, France)

Plain list for copy-and-pasting:
50.22.102.132
62.76.186.190
68.67.42.41
84.22.100.108
203.80.16.81
209.51.221.247
213.251.171.30
manekenppa.ru
kiladopje.ru
lemonadiom.ru
finitolaco.ru
fidelocastroo.ru
ponowseniks.ru
dianadrau.ru
windowonu.ru
panalkinew.ru
fionadix.ru

reedcouk.com fake job offer / Fort Huachuca hacked?

This fake job offer from "reedcouk.com" is trying to recruit people for money laundering or other criminal activities, it is not from the real reed.co.uk. However, part of the infrastructure supporting this scam appears to belong the the US military.

From:     sales@[victimdomain].com
To:     sales@[victimdomain].com
Date:     30 October 2012 22:33
Subject:     Employment opportunity

I would like to take this time to welcome you to our hiring process
and give you a brief synopsis of the position's benefits and requirements.

If you are taking a career break, are on a maternity leave,
recently retired or simply looking for some part-time job, this position is for you.

Occupation: Flexible schedule 2 to 8 hours per day. We can guarantee a minimum 20 hrs/week occupation
Salary: Starting salary is 2000 GBP per month plus commission, paid every month.
Business hours: 9:00 AM to 5:00 PM, MON-FRI, 9:00 AM to 1:00 PM SAT or part time (UK time).

Region: United Kingdom.

Please note that there are no startup fees or deposits to start working for us.

To request an application form, schedule your interview and receive more information about this position
please reply to Bob@reedcouk.com with your personal identification number for this position IDNO: 0797
The spam appears to come "from" the recipients own email address (here's why). The bogus domain reedcouk.com is registered as follows:

   Lavern E. Davis
   Lavern Davis info@reedcouk.com
   816-680-7849 fax: 816-680-7331
   4218 White Oak Drive
   Strasburg MO 64090
   us


The domain was registered on 30th October 2012 (today!) via BIZCN.COM, a crime-friendly domain registrar in China. Mail for this domain is handled by a server at 46.249.46.161 (Serverius, Netherlands) which is also ns1.zupyx.net, one of the nameservers for the fake reedcouk.com domain. Who owns zupyx.net? That looks like another fake registration:

      Vivian L Resnick
      221 Shaker Road
      Northfield, NH 03276-4444
      US
      Phone: +1.6032868211
      Email: clinicadelta@aol.com


zupyx.net was only registered on 19th September 2012. But the plot thickens if we look at ns2.zupyx.net (the other namesever being used by reedcouk.com) we can see that it is hosted on 132.79.132.67 which appears to be a hacked US military server at Fort Huachuca:

NetRange:       132.79.0.0 - 132.79.255.255
CIDR:           132.79.0.0/16
OriginAS:      
NetName:        NGB-NGNET
NetHandle:      NET-132-79-0-0-1
Parent:         NET-132-0-0-0-0
NetType:        Direct Assignment
RegDate:        1990-03-05
Updated:        2008-12-24
Ref:            http://whois.arin.net/rest/net/NET-132-79-0-0-1

OrgName:        Headquarters, USAISC
OrgId:          HEADQU-3
Address:        NETC-ANC CONUS TNOSC
City:           Fort Huachuca
StateProv:      AZ
PostalCode:     85613
Country:        US
RegDate:        1990-03-26
Updated:        2011-08-17
Ref:            http://whois.arin.net/rest/org/HEADQU-3

OrgTechHandle: REGIS10-ARIN
OrgTechName:   Registration
OrgTechPhone:  +1-800-365-3642
OrgTechEmail:  registra@nic.mil
OrgTechRef:    http://whois.arin.net/rest/poc/REGIS10-ARIN


You have to bear in mind that this military installation deals with military intelligence.. although you can be pretty certain that whatever server is running this bogus nameserver is public facing only. Hopefully.

This IP address also hosts a suspicious domain called trabalharpt.com:

   Samantha K. Haley
   Samantha Haley info@trabalharpt.com
   +1.8127473193 fax: +1.8127473193
   778 Heliport Loop
   Blue Ash IN 45242
   us

Again, this is registered through BIZCN.COM in China, and was only registered one week ago on 24th October 2012. There's no reason for a domain like this to be hosted on what appears to be a US military server.

There are probably some other bad domains being supported by these nameservers, but I haven't been able to identify them yet.

Friday, 26 October 2012

"Your Photos" spam / manekenppa.ru

This fake "photos" spam leads to malware on manekenppa.ru:

From: Acacia@redacted.com [mailto:Acacia@redacted.com]
Sent: 26 October 2012 10:14
Subject: Your Photos

Hi,
I have attached your photos to the mail (Open with Internet Explorer).

In this case there is an attachment called Image_DIG691233.htm that leads to a malware laden page at [donotclick]manekenppa.ru:8080/forum/links/column.php hosted on some familiar looking IPs:

79.98.27.9 (Interneto Vizija, Lithunia)
203.80.16.81 (MYREN, Malaysia)
209.51.221.247 (eNet, US)

We've seen these IPs before and they are well worth blocking.

ADP Spam / steamedboasting.info

This fake ADP spam leads to malware on steamedboasting.info:

From: ClientService@adp.com [mailto:ClientService@adp.com]
Sent: 26 October 2012 12:03
Subject: ADP Instant Notification


ADP Urgent Warning
Reference #: 31344
Dear ADP Client October, 25 2012
Your Transfer Summary(s) have been uploaded to the web site:
https://www.flexdirect.adp.com/client/login.aspx
Please take a look at the following information:
• Please note that your bank account will be charged within 1 banking day for the amount(s) specified on the Statement(s).
•Please DO NOT reply to this message. automative notification system cannot accept incoming messages. Please Contact your ADP Benefits Specialist.
This note was sent to existing users in your company that approach ADP Netsecure.
As always, thank you for choosing ADP as your business companion!
Ref: 31344
The malicious payload is at [donotclick]steamedboasting.info/detects/burying_releases-degree.php, the initial redirection page has some Cloudflare elements on it which is a bit disturbing. steamedboasting.info is hosted on 195.198.124.60 (Skand Meteorologi och Miljoinstr AB, Sweden).

This is an alternative variant with the same malicious payload:


Date:      Fri, 26 Oct 2012 16:32:10 +0530
From:      "noreply@adp.com" [noreply@adp.com]
Subject:      ADP Prompt Communication


ADP Speedy Notification

Reference #: 27585

Dear ADP Client October, 25 2012

Your Transaction Statement(s) have been put onto the web site:

Web site link

Please see the following notes:

• Please note that your bank account will be charged-off within 1 banking business day for the amount(s) specified on the Protocol(s).

?Please do not reply to this message. automative notification system can't accept incoming mail. Please Contact your ADP Benefits Specialist.

This message was sent to operating users in your company that approach ADP Netsecure.

As always, thank you for choosing ADP as your business partner!

Ref: 27585 [redacted]



apl.de.ap spam

I'm not really a fan of the Black Eyed Peas, so I'd never heard of apl.de.ap until I received this spam. I'm pretty sure that Mr ap isn't sending these out himself, but they're coming from a spammer in the UAE, a place which seems to be the spam capital of the middle east.

Although those look like tinyurl links, they're not.. they go through a redirector at ykadl.net on 109.236.88.71, the same IP used to send the spam.

The WHOIS details for the spammer domain are:

Technical Name:                Domain Admin
Technical Company:        Create-Send.net
Technical Address:        57 Kingsway Avenue
Technical Address:        Auckland
Technical Address:       
Technical Address:        Auckland
Technical Address:        Na
Technical Address:        1010
Technical Address:        New Zealand
Technical Email:        info@create-send.net
Technical Tel:                +64.279237205


Anyway, here's the spam in case you really want to buy tickets from a shady bunch of spammers..

From:     DNA alex@ykadl.net
Reply-To:     DNA [alex@ykadl.net]
Date:     26 October 2012 04:48
Subject:     Black Eyed Peas/ APL DE AP in Dubai
Signed by:     ykadl.net

BLACK EYE PEAS founding member APL DE AP heads to Dubai

BLACK EYE PEAS founding member APL DE AP to Dubai for the first time.The internationally famed Black Eyed Peas rapper/DJ, who has won 7 Grammy Awards and sold over 70 million albums, will be the headliner performance at Nasimi Beach on Thursday 1st November.

Like his high school friend Will I Am, APL DE AP also DJ's with international bookings all around the globe including Ibiza, Cannes and London, recently headlining at Belgium's Tomorrowland Festival. The American-Philippines star headlines this event with support from Dion Mavath, local celebrity DJ Marwan Bliss/ 411, Mathew Charles and as well as a performance by Number One selling band Swickasswans.

APL DE AP and the other members of the Black Eyed Peas have been on a hiatus from the band for the last year.In 2011 The Black Eyed Peas were ranked 12th on the Billboard's Decade-End Chart Artist of the Decade, the group performed in February 2011 at the halftime show of Super Bowl XLV.

✻TICKETS COST 165AED for this fabulous International Star event with full bar facilities, waiter service and live food stations.✻

TICKETS ARE NOW AVAILABLE ON:

✻TIMEOUT***TICKETINGCO***MARHABA***PLATINUM✻

TIMEOUT * http://tinyurl.com/bvrtjxx

PLATINUM LIST * http://tinyurl.com/cs8wdox

TICKETINGCO * http://tinyurl.com/cctq2s8

✻ FOR VIP TABLE RESERVATIONS CALL 050 1428363✻
For more info@dnapre.com✻21+ ✻ ID required ✻ Couples & mixed groups preferred.✻ Normal club policies apply ✻

✻THIS WILL BE A SELLOUT EVENT. Get your Tickets fast.✻

Share This
UnsubscribeForward to a Friend

inserted image

inserted image

Click here to opt-out

Thursday, 25 October 2012

"End of Aug. Statement required" spam / kiladopje.ru

This spam leads to malware on kiladopje.ru:

From: ZaireLomay@mail.com [mailto:ZaireLomay@mail.com]
Sent: 24 October 2012 20:58
Subject: Re: FW: End of Aug. Statement required

Hi,
as reqeusted I give you inovices issued to you per sept. (Internet Explorer format)
Regards
In this case, there's an attachment called Invoices-23-2012.htm with some obfuscated Javascript to direct visitors to a malware laden page at [donotclick]kiladopje.ru:8080/forum/links/column.php hosted on:

79.98.27.9 (Interneto Vizija, Lithunia)
203.80.16.81 (MYREN, Malaysia)
209.51.221.247 (eNet, US)

The following IPs and domains are all related and should be blocked if you can:
68.67.42.41
72.18.203.140
79.98.27.9
84.22.100.108
85.143.166.170
132.248.49.112
190.10.14.196
202.3.245.13
203.80.16.81
209.51.221.247
fidelocastroo.ru
finitolaco.ru
kennedyana.ru
kiladopje.ru
lemonadiom.ru
leprasmotra.ru
ponowseniks.ru
secondhand4u.ru
windowonu.ru

Wednesday, 24 October 2012

BBB Spam / samplersmagnifyingglass.net

This fake BBB spam leads to malware on samplersmagnifyingglass.net:

Date:      Wed, 24 Oct 2012 22:10:18 +0430
From:      "Better Business Bureau" [noreply@bbb.org]
Subject:      Better Business Beareau Appeal #42790699

Attention: Owner/Manager

Here with the Better Business Bureau notifies you that we have been sent a claim (ID 42790699) from one of your consumers about their dealership with you.

Please view the CLAIMS REPORT down to view more information on this problem and suggest us about your point of view as soon as possible.

On a website above please enter your complain id: 42790699 to review it.

We are looking forward to hearing from you.
-----------------------------------

Faithfully,

Rebecca Wilcox

Dispute advisor
Better Business Bureau
The malicious payload is on [donotclick]samplersmagnifyingglass.net/detects/confirming_absence_listing.php hosted on 183.81.133.121, a familiar IP address belonging to Vodafone in Fiji that has been used several times before and is well worth blocking.

Some other domains also associated with this IP are:
the-mesgate.net
hotsecrete.net
agmnxsmn.com
art-london.net
asmsxcm.com
buzziskin.net
ifmncmn.com
stafffire.net
sxmnmn.com
tizarrefetishkin.com

Wire Transfer spam / ponowseniks.ru

This fake wire transfer spam leads to malware on ponowseniks.ru:

Date:      Wed, 24 Oct 2012 04:26:12 -0500
From:      FedEx [info@emails.fedex.com]
Subject:      Re: Fwd: Wire Transfer Confirmation (FED REFERENCE 9649AA02)
Attachments:     Report_Trans99252.htm

Dear Bank Operator,



WIRE TRANSFER: FEDW-30126495944197210



STATUS: REJECTED



You can find details in the attached file.(Internet Explorer format)
The .htm attachment attempts to redirect the user to a malicious page at [donotclick]ponowseniks.ru:8080/forum/links/column.php  hosted on some familar IP addresses:

202.3.245.13 (President of French Polynesia)
203.80.16.81 (MYREN, Malaysia)
209.51.221.247 (eNet, US)


Contract spam / fidelocastroo.ru

This fake contact spam leads to malware on fidelocastroo.ru:

Date:      Tue, 23 Oct 2012 12:33:51 -0800
From:      "Wilburn TIMMONS" [HIWilburn@hotmail.com]
Subject:      Fw: Contract from Wilburn
Attachments:     Contract_Scan_DS23656.htm

Hello,



In the attached file I am transferring you the Translation of the Job Contract that I have just received today. I am really sorry for the delay.

Best regards,

Wilburn TIMMONS, secretary
The .htm attachment contains obfuscated javascript that attempts to direct the visitor to a malicious [donotclick]fidelocastroo.ru:8080/forum/links/column.php. This domain name has been used in several recent attacks and is currently multihomed on some familiar IP addresses:

202.3.245.13 (President of French Polynesia)
203.80.16.81 (MYREN, Malaysia)
209.51.221.247 (eNet, US)



Tuesday, 23 October 2012

Intuit spam / montrealhotpropertyguide.com

This fake Intuit spam leads to malware on montrealhotpropertyguide.com:


Date:      Tue, 23 Oct 2012 14:45:14 +0200
From:      "Intuit QuickBooks Customer Service" [35378B458@aubergedesbichonnieres.com]
Subject:      Intuit QuickBooks Order


   
Dear [redacted],



Thank you for placing an order with Intuit QuickBooks!

We have received your payment information and it is currently being processed.
   
   
    ORDER INFORMATION    
       
Order #:    366948851674
Order Date:    Oct 22, 2012

[ View order ]

Qty     Item     Price
1     Intuit QuickBooks Pro Download 2 2012     $183.96***

   
Subtotal:
Sales Tax:
Total for this Order:
   
$183.96
$0.00
$183.96
*Appropriate credit will be applied to your account.



Please Note: Sales tax calculations are estimated. The final sales tax calculation will comply with local regulations.

       
    NEED HELP?    
       

Questions about your order? Please visit Customer Service.

       
       
           
Join Us On Facebook
           
           
           
           
Close More Sales
           

           
           
Save Time
           
           
           
   


Privacy | Legal | Contact Us | About Intuit

You have received this business communication as part of our efforts to fulfill your request or service your account. You may receive this and other business communications from us even if you have opted out of marketing messages.



If you receive an email message that appears to come from Intuit but that you suspect is a phishing email, please forward it immediately to spoof@intuit.com. Please visit http://security.intuit.com/ for additional security information.



Please note: This email was sent from an auto-notification system that cannot accept incoming email. Please do not reply to this message.



� 2012 Intuit Inc. or its affiliates. All rights reserved.

The malicious payload is on [donotclick]montrealhotpropertyguide.com/links/showed-clearest-about.php hosted on 64.111.26.15 (Data 102, US).

NACHA spam / bwdlpjvehrka.ddns.info

This fake NACHA spam leads to malware on bwdlpjvehrka.ddns.info:

Date:      Tue, 23 Oct 2012 05:44:05 +0200
From:      "noreply@direct.nacha.org"
Subject:      Notification about the rejected Direct Deposit payment

Herewith we are informing you, that your most recent Direct Deposit via ACH transaction (#914555512836) was cancelled, due to your current Direct Deposit software being out of date. Please use the link below to enter the secure section of our web site and see the details::

Details

Please contact your financial institution to acquire the new version of the software.

Sincerely yours

ACH Network Rules Department
NACHA | The Electronic Payments Association

13450 Sunrise Valley Drive, Suite 100
Herndon, VA 20171
Phone: 703-561-1100 Fax: 703-787-0996
The malicious payload is at [donotclick]bwdlpjvehrka.ddns.info/links/calls_already_stopping.php hosted on 78.24.222.16 (TheFirst-RU, Russia). Blocking this IP address would be a good move.

President of French Polynesia (presidence.pf) hacked?

presidence.pf is the web site of the President of French Polynesia, it is hosted on 202.3.245.13 by the Tahitian ISP MANA (along with an alternative domain of presid.pf).

Unfortunately, that's not the only thing lurking on 202.3.245.13. Yesterday I spotted an exploit kit on the same IP, probably Blackhole 2. An examination of the server shows the presence of the following malicious domains on the same IP:

fidelocastroo.ru
secondhand4u.ru
windowonu.ru


There's no evidence that the websites presidence.pf or presid.pf are dangerous, but there are other web sites on the same server which certainly do appear to be quite toxic..

Now, French Polynesia isn't the biggest place in the world, but it's the first time I've seen the site of a president of anywhere potentially compromised in this way.

Monday, 22 October 2012

"Copies of Policies" spam / fidelocastroo.ru

This spam leads to malware on fidelocastroo.ru:

Date:      Mon, 22 Oct 2012 08:05:10 -0500
From:      Twitter [c-FG6SPPPCGK63=D8154Z4.8N4-6042f@postmaster.twitter.com]
Subject:      RE: Charley - Copies of Policies.

Unfortunately, I cannot obtain electronic copies of the Ocean, Warehouse or EPLI policy.

Here is the Package and Umbrella,

and a copy of the most recent schedule.


Charley HEALY,

The malicious payload is on [donotclick]fidelocastroo.ru:8080/forum/links/column.php hosted on the following IPs:

68.67.42.41 (Fibrenoire, Canada)
79.98.27.9 (Interneto Vizija, Lithunia)
190.10.14.196 (RACSA, Costa Rica)
202.3.245.13 (MANA, French Polynesia)
203.80.16.81 (MYREN, Malaysia)
209.51.221.247 (eNET, US)

Plain list for copy and pasting:
68.67.42.41
79.98.27.9
190.10.14.196
202.3.245.13
203.80.16.81
209.51.221.247

Blocking these IPs should prevent any other attacks on the same server.


Scam: tsnetint.com and tsnetint.org

Another episode in a long-running domain scam, which attempts to get you to buy worthless domain names by scaremongering. In this case the fake company is called "Kenal investment Co. Ltd" (there are several legitimate firms with a similar name). If you get one of these, ignore it and don't give the scammers any money.

The domains quoted are tsnetint.com and tsnetint.org and the originating IP is 117.27.141.168, all hosted in deepest China.


From:     bertram bertram@tsnetint.com
Date:     22 October 2012 06:02
Subject:     Confirmation of Registration

(Letter to the President or Brand Owner, thanks)

Dear President,

We are the department of Asian Domain Registration Service in China. Here I have something to confirm with you. We formally received an application on October  19, 2012 that a company claimed Kenal investment Co. Ltd were applying to register "dynamoo" as their Net Brand and some domain names through our firm.

Now we are handling this registration, and after our initial checking, we found the name were similar to your company's, so we need to check with you whether your company has authorized that company to register these names. If you authorized this, we would finish the registration at once. If you did not authorize, please let us know within 7 workdays, so that we could handle this issue better. After the deadline we will unconditionally finish the registration for Kenal investment Co. Ltd. Looking forward to your prompt reply.

Best Regards,

Bertram  Hong

Registration Dept.

Office:Tel: 86 2885915586 || Fax: +86 2885912116
Address:9/F Libao building No,62 Kehua North Road,Wuhou District,Chengdu City,China
P Please consider the environment before you print this e-mail

Saturday, 20 October 2012

Wowcher and motors.co.uk. Is this spam?

Wowcher are a site trying to emulate Groupon, owned by Associated Newspapers, who also own the Daily Mail ("the newspaper that supported Hitler"*). I've never used their site, and I wouldn't bother given their history of dodgy promotions.

Wowcher have a history of questionable advertising (see here and here for example), so it's not exactly something I would sign up for. However, Wowcher conclude the email with something rather misleading.


You are receiving this email because you have used our services in the past.
If you no longer wish to receive these e-mails, you can unsubscribe from this list.

Have I used their services in the past? No. Definitely not. So where did Wowcher get my email address? Simple - it was passed to them by a website called motors.co.uk. How do I know this? Because I use a unique email address for every service I sign up for, making it easy to trace this sort of activity.

Motors.co.uk is part of a company called Manheim.. but they used to belong to the same company that owns the Daily Mail. They make a business out of all sorts of automotive trades. I signed up with them about two-and-a-half years ago. Until now, the only email I have ever received from them has been on-topic, but I haven't actually seen an email of any type for a long time.

So.. it should be a simple job to log into motors.co.uk and check my marketing preferences. Well.. I tried, and the login didn't work. So.. perhaps I forgot my password. That's easy enough to reset.. but there's a catch.

Oh. Sorry, the email address you entered doesn't appear to be in our records. That's kind of odd, because it certainly appeared in their records enough for them to use it for Wowcher.

Now, motors.co.uk have a privacy policy which gives the game away. It says:

By using the Site, you agree that we may disclose your personal information to any company within the Daily Mail and General Trust plc group of companies

So, the Daily Mail group owns Wowcher, and they got the email from motors.co.uk. And quite annoyingly, the motors.co.uk privacy policy in 2010 does also say that they will pass your email address on to the Daily Mail without asking for any further permission. It's annoying, but it does mean that it isn't spam. I guess I will be clicking that "unsubscribe" link then.

* And OK, the Daily Mail may have supported Hitler between the wars. But it was also instrumental in achieving some sort of justice for Stephen Lawrence. So not all bad then.

Friday, 19 October 2012

LinkedIn spam / cowonhorse.co

This fake LinkedIn spam leads to malware on cowonhorse.co:

From: LinkedIn.Invitations [mailto:4843D050@pes.sau48.org]
Sent: Fri 19/10/2012 10:29
Subject: Invitation

Hi [redacted], 

User sent you an invitation to connect 6 days ago. How would you like to respond? 

Accept  Ignore Privately

Estelle Garrison 
Interpublic Group (Executive Director Marketing PPS)

You are receiving Invitation emails. Unsubscribe. 
This email was intended for [redacted].
Learn why we included this.
2012, LinkedIn Corporation. 2029 Stierlin Ct. Mountain View, CA 94043, USA 

==========

From: LinkedIn.Invitations [mailto:43DD0F0@cankopy.com]
Sent: Fri 19/10/2012 11:39
Subject: New invitation

Hi [redacted], 

User sent you an invitation to connect 14 days ago. How would you like to respond? 

Accept  Ignore Privately
  
Carol Parks 
Automatic Data Processing (Divisional Finance Director)

You are receiving Invitation emails. Unsubscribe. 
This email was intended for [redacted].
Learn why we included this.
2012, LinkedIn Corporation. 2029 Stierlin Ct. Mountain View, CA 94043, USA 

==========

From: LinkedIn.Invitations [mailto:3A1665D92@leosanches.com]
Sent: Fri 19/10/2012 12:28
Subject: Invitation

Hi [redacted], 

User sent you an invitation to connect 6 days ago. How would you like to respond? 

Accept  Ignore Privately

Rupert Nielsen 
O'Reilly Automotive (Head of Non-Processing Infrastructure)

You are receiving Invitation emails. Unsubscribe. 
This email was intended for [redacted].
Learn why we included this.
2012, LinkedIn Corporation. 2029 Stierlin Ct. Mountain View, CA 94043, USA 

The malicious payload is on [donotclick]cowonhorse.co/links/observe_resources-film.php hosted on 74.91.118.239 (Nuclearfallout Enterprises, US). Nuclearfallout have hosted sites like this several times before. In my opinion, blocking ALL emails that appear to be from LinkedIn would probably benefit your business.

Thursday, 18 October 2012

Adbobe CS4 spam / leprasmotra.ru

This fake Adobe spam leads to malware on leprasmotra.ru:

Date:      Thu, 18 Oct 2012 10:00:26 -0300
From:      "service@paypal.com" [service@paypal.com]
Subject:      Order N04833

Good morning,

You can download your Adobe CS4 License here -

We encourage you to explore its new and enhanced capabilities with these helpful tips, tutorials, and eSeminars.

Thank you for buying Adobe InDesign CS4 software.

Adobe Systems Incorporated

The malicious payload is at [donotclick]leprasmotra.ru:8080/forum/links/column.php hosted on:

72.18.203.140 (Las Vegas NV Datacenter, US)
203.80.16.81 (MYREN, Malaysia)
209.51.221.247 (eNET, US)

Blocking access to those IPs is recommended.

NY Traffic Ticket spam / kennedyana.ru

This fake Traffic Ticket spam leads to malware on kennedyana.ru:

Date:      Wed, 17 Oct 2012 03:59:44 +0600
From:      sales1@[redacted]
To:      [redacted]
Subject:      Fwd: NY TRAFFIC TICKET

New-York Department of Motor Vehicles

TRAFFIC TICKET
NEW-YORK POLICE DEPARTMENT
THE PERSON CHARGED AS FOLLOWS

Time: 5:16 AM

Date of Offense: 21/01/2012



SPEED OVER 50 ZONE

TO PLEAD CLICK HERE AND FILL OUT THE FORM

The malicious payload is on [donotclick]kennedyana.ru:8080/forum/links/column.php hosted on the following IPs:

68.67.42.41 (Fibrenoire, Canada)
72.18.203.140 (Las Vegas NV Datacenter, US)
203.80.16.81 (MYREN, Malaysia)



Wednesday, 17 October 2012

LinkedIn spam / 64.111.24.162

This fake LinkedIn spam leads to malware on 64.111.24.162:

From: LinkedIn.Invitations [mailto:8B44145D0@bhuna.net]
Sent: 17 October 2012 10:06
Subject: New invitation is waiting for your response


Hi [redacted],


User sent you an invitation to connect 6 days ago. How would you like to respond?

       
Accept    Ignore Privately

   
    
Alexis Padilla

C.H. Robinson Worldwide (Sales Director)


You are receiving Invitation emails. Unsubscribe.

This email was intended for [redacted].
Learn why we included this.
2012, LinkedIn Corporation. 2029 Stierlin Ct. Mountain View, CA 94043, USA
The malicious payload is at [donotclick]64.111.24.162/links/assure_numb_engineers.php allocated to Data 102 in the US and then suballocated to:



network:Network-Name:Buzy Bee Hosting /27
network:IP-Network:64.111.24.160/27
network:IP-Network-Block:64.111.24.160 - 64.111.24.191
network:Org-Name:Buzy Bee Hosting
network:Street-Address:1451 North Challenger Dr
network:City:Pueblo West
network:State:CO
network:Postal-Code:81007
network:Country-Code:US



Blocking the IP (and possibly the /27 block) is probably wise.


Amazon.com spam / sdqhfckuri.ddns.info and ultjiyzqsh.ddns.info

This fake Amazon.com spam leads to malware on sdqhfckuri.ddns.info and ultjiyzqsh.ddns.info:

From: Amazon.Com [mailto:pothooknw@tcsn.net]
Sent: 17 October 2012 06:54
Subject: Your Amazon.com order of "Bulova Men's 94B316 Precisionist Claremont Brown Leather Watch" has shipped!
Importance: High


Gift Cards
|     Your Orders
|     Amazon.com


Shipping Confirmation
Order #272-3140048-4213404


Hello,
Thank you for shopping with us. We thought you'd like to know that we shipped your gift, and that this completes your order. Your order is on its way, and can no longer be changed. If you need to return an item from this shipment or manage other orders, please visit Your Orders on Amazon.com.

Your estimated delivery date is:
Tuesday, October 9, 2012


Your package is being shipped by UPS and the tracking number is 1ZX305712324670208. Depending on the ship speed you chose, it may take 24 hours for your tracking number to return any information.

Shipment Details

Bulova Men's 94B316 Precisionist Claremont Brown Leather Watch
Sold by Amazon.com LLC (Amazon.com)     $109.95

Item Subtotal:     $109.95
Shipping & Handling:     $0.00
Total Before Tax:     $109.95
Shipment Total:     $109.95
Paid by Visa:     $109.95

Returns are easy. Visit our Online Return Center.
If you need further assistance with your order, please visit Customer Service.

We hope to see you again soon!
Amazon.com

This email was sent from a notification-only address that cannot accept incoming email. Please do not reply to this message.
The malicious payload is at [donotclick]sdqhfckuri.ddns.info/links/calls_already_stopping.php or [donotclick]ultjiyzqsh.ddns.info/links/calls_already_stopping.php hosted on 37.230.117.4 (The First CJSC, Russia).

Added: snfgrhoykdcb.ddns.info and jdrxnlbyweco.ddns.info are also being used in this attack, although it they do not resolve at present.

Blocking .ddns.info and .ddns.name domains will probably not spoil your day. Blocking the 37.230.116.0/23 range might not either.

Some other subjects seen:
Your Amazon.com order of "Citizen Men's BL2774-05L Eco-Drive Perpetual Calendar Chronograph Watch" has shipped!
Your Amazon.com order of "Casio Men's PAG165-0CR Pathfinder Triple Sensor Multi-Function Sport Watch" has shipped!
Your Amazon.com order of "G-Shock GA-386-1A8 Big Combi Military Series Watch" has shipped!
our Amazon.com order of "Fossil Men's FS2362 Black Silicone Bracelet Black Analog Dial Chronograph Watch" has shipped!
Your Amazon.com order of "Timex Ironman Men's Road Trainer Heart Rate Monitor Watch, Black/Orange, Full Size" has shipped!