Sponsored by..

Tuesday, 6 November 2012

"Scan from a Xerox WorkCentre Pro" / peneloipin.ru

This fake printer spam leads to malware on peneloipin.ru:

From: Keshawn Burns [mailto:MaribelParchment@hotmail.com]
Sent: 06 November 2012 05:09
Subject: Scan from a Xerox WorkCentre Pro #47938830

Please open the attached document. It was scanned and sent
to you using a Xerox WorkCentre Pro.

Sent by: Keshawn
Number of Images: 5
Attachment File Type: .HTML [Internet Explorer file]

Xerox WorkCentre Location: machine location not set
 The attachment contains some obfuscated Javascript that redirects the visitor to a malicious payload on [donotclick]peneloipin.ru:8080/forum/links/column.php hosted on some IPs that have been used several times before for malware:

65.99.223.24 (RimuHosting, US)
103.6.238.9 (Universiti Putra, Malaysia)
203.80.16.81 (MYREN, Malaysia)

The following malicious domains are also hosted on the same servers:
forumibiza.ru
kiladopje.ru
donkihotik.ru
lemonadiom.ru
peneloipin.ru
panacealeon.ru
finitolaco.ru
fidelocastroo.ru
ponowseniks.ru
dianadrau.ru
panalkinew.ru
fionadix.ru


SMS Spam: "Records passed to us show you're entitled to a refund approximately £2130"

More SMS spam from.. well, I think the ICO will shortly reveal who. It's not just a spam, but it's also a scam because the spammers are attempting to persuade you to make fraudulent claims. Not everyone is eligible for a PPI refund, and I'm certainly not.. no "records" exist, it's just a scammy sales pitch. Avoid.

Records passed to us show you're entitled to a refund approximately £2130 in compensation from mis-selling of PPI on your credit card or loan.Reply INFO or stop

In this case, the sender's number is +447585858897, although it will change as it gets blocked by the networks.

If you get one of these, you should forward the spam and the sender's number to your carrier. In the came of T-Mobile, O2 and Orange the number to report to is 7726 ("SPAM"). Vodafone customers should use 87726 ("VSPAM") and Three customers should use 37726 ("3SPAM"). Hopefully the carriers will act if there are enough complaints.

Monday, 5 November 2012

Fake statistics domains lead to malware

The following fake "statistics" domains lead to malware. All have been registered very recently in the past few days and are used as a redirector to other exploit kits. Perhaps they are actually performing black hat statistical tracking. Blocking them (or the associated IPs) would be wise.

bilingstats.org
bombast-atse.org
bombastatse.org
ceastats.org
colinstats.org
expertstats.org
informazionestatistica.org
melestats.org
nonolite.org
statisticaeconomica.org
statspps.org
superbombastatse.org
topbombastatse.org
ufficiostatistica.org

Hosting IPs:
31.193.133.212 (Simply Transit, UK)
91.186.19.42 (Simply Transit, UK)
95.211.180.143 (Leaseweb, Netherlands)

Sunday, 4 November 2012

Something evil on 31.193.12.3

These are fake AVs and drive-by downloads mostly, some seem to promoted through low-grade banner ads, all hosted on 31.193.12.3 (Burstnet, UK) and suballocated to:

person:          Olexii Kovalenko
address:         Pavlova, 15, Zaporozhye, Zaporozhye, 69000, Ua
phone:           +1 570 343 2200
fax-no:          +1 570 343 9533
nic-hdl:         OK2455-RIPE
source:          RIPE # Filtered
mnt-by:          mnt-burst-au
mnt-by:          mnt-burst-mu


The registration for the .asia and .eu domains is consistent in the ones I have checked:

Registrant ID:DI_23063626
Registrant Name:Javier
Registrant Organization:n/a
Registrant Address:Nevskaya street 41
Registrant Address2:
Registrant Address3:
Registrant City:Belgorad
Registrant State/Province:Belgorodskaya oblast
Registrant Country/Economy:RU
Registrant Postal Code:494980
Registrant Phone:+007.9487728744
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Registrant E-mail:007uyfo007@mail.ru


I've broken the list into three parts, it's a bit messy sorry..

The first part are a bunch of short domains used with subdomains to create a malicious payload:
List 1:
a1ft.asia
a3ew.asia
ah2b.asia
av5n.asia
c2wj.asia
cj4d.asia
ck3l.asia
bs3d.asia
d4xi.asia
d8dx.asia
dj7k.asia
dk3i.asia
ef1r.asia
f4dw.asia
fj2j.asia
fm5h.asia
g2wy.asia
g4av.asia
gi4b.asia
h2ju.asia
j2qd.asia
j5hn.asia
ja6l.asia
k3lr.asia
l3gv.asia
m1eb.asia
m1eq.asia
m4nj.asia
n0un.asia
n3mi.asia
nw2r.asia
p0rv.asia
p0ry.asia
pq8c.asia
q2hm.asia
q2hv.asia
q3bz.asia
qk3x.asia
r4dx.asia
s6wm.asia
t5ha.asia
t5hj.asia
t5zb.asia
u7bo.asia
uh7f.asia
v8ul.asia
ve4z.asia
w3wc.asia
w3wz.asia
w2jf.asia
x6fr.asia
x8ru.asia
y1uh.asia
y6np.asia
z1ha.asia
jp5s.info
pe5a.info
gw1c.eu

Subdomains in use:
be-ttraccker
dipppboxx
dippbboxx
diiipp-box
diippss-box
faat-llood
fatssllooads
fiilespooisk1
fiilepoiick
filles-looads
fileloood
file-looadds
files-loooads
ffilelooadd
ffile-poiick
ffiles-poiick1
filles-poiick
fille-poiick
ffilespooiisk
fillepoiick
fileppooiisk
filespooiisk
file-ppooiisk
file-pooiisk
files-poiiick
filess-poiick
file-poiicck
filles-pooisk
fiiles-poiisk1
files-poooiisk1
files-pooiiisk1
files-poooisk1
files-pooiick
fiiles-pooiisk
filespooiissk
file-pooiick
files-poiickk
file-poooiisk
files-ppoiick
geettefiiiles1
geetefiiless
geetteffiiles1
gette-fillees1
geette-fiilees1
geetee-fiiles
gette-fillees
getsefilles
getssatfiles
geettefiilees
ggets-filles
j-t0rrreentt1
jjt0rreentts
l0adss-ffiles
l0adss-ffile
l0addes-flilee
l0addesflilee
l0addes-fillee
l0adds-fiile
load-fiilles
load-fiilee
load-fiille
loaddfiiles
qipsefilles
qiips-fiiles1
qips-fiilee
qippfiile1
qippsfiiles1
qip-ffiile1
hhiitfiles1

This list are domains detected through passive DNS detection:
List 2:
babyload.asia
beastlyload.asia
bestialload.asia
childlikeload.asia
childlyload.asia
deliveryload.asia
infantload.asia
inwardload.asia
perfectload.asia
ptload.asia
singleload.asia
soleload.asia   
sparingload.asia
supernalload.asia
alonefile.asia
animalfile.asia
childishfile.asia
festivefile.asia
finefile.asia
infantilefile.asia
innerfile.asia
largestfile.asia
sacredfile.asia
alertloads.asia
artloads.asia
artisticalloads.asia
animateloads.asia
chronicloads.asia
excitableloads.asia
friendlessloads.asia
licitloads.asia
lonelyloads.asia
lovingloads.asia
nakedloads.asia
primalloads.asia
primevalloads.asia
stateloads.asia
vivaciousloads.asia
vivirloads.asia
activefiles.asia
alertfiles.asia
alivefiles.asia
artfiles.asia
artisticalfiles.asia
drawnfiles.asia
looadfilees.asia
primevalfiles.asia
quickfiles.asia
savagefiles.asia
arimara1.org.ua
arimara3.org.ua
akciya.pp.ua
lis4.biz.ua
affectionateload.org
file-load.net
gbait.com
tevon.tk
joload.mooo.com
loadfile.us.to
8-loaadiing.info
agents-load1.info
ageentoloods.info
lloadfi1es.info
resonantfile.info
stabilitytrojanssaver.info
v-x.info
windowsinspectionon-line.info
lodifiles.eu
alfabiblioteka.ru
book-darom.ru
detki-travel.ru
haxo.ru
loads-filse.ru
lptds.ru
megaload2filebaza.ru
j-torents.ru
jumpcat.ru
u8l.ru
zona-trafika.ru

Finally, this long list (too long to post here) contains other detected domains on the same IP. Frankly, blocking the IP address is the most easy option.. there are actually more domains than listed here and some are duplicated, but it's the best I could do at the moment.

Many of these domains show as evil in Google's Safe Browsing Diagnostics (example) and I can file zero legitimate domains on this IP.

Friday, 2 November 2012

Wire Transfer spam / webmoniacs.ru

This fake wire transfer spam leads to malware on webmoniacs.ru:


Date:      Fri, 2 Nov 2012 06:23:10 +0700
From:      "service@paypal.com" [service@paypal.com]
Subject:      RE: Wire Transfer cancelled

Dear Sirs,

The Wire transfer was canceled by the other bank.



Canceled transaction:

FED REFERENCE NUMBER: 628591160ACH34584

Transaction Report: View



The Federal Reserve Wire Network
The malicious payload is at [donotclick]webmoniacs.ru:8080/forum/links/column.php hosted on:
65.99.223.24 (RimuHosting, US)
203.80.16.81 (MYREN, Malaysia)
209.51.221.247 (eNet, US)

The following IPs and domain are all connected and should be blocked:
50.22.102.132
62.76.186.190
65.99.223.24
68.67.42.41
79.98.27.9
84.22.100.108
85.143.166.170
132.248.49.112
203.80.16.81
209.51.221.247
213.251.171.30
denegnashete.ru
dianadrau.ru
donkihotik.ru
fidelocastroo.ru
finitolaco.ru
fionadix.ru
forumibiza.ru
kiladopje.ru
lemonadiom.ru
manekenppa.ru
panacealeon.ru
panalkinew.ru
pionierspokemon.ru
ponowseniks.ru
rumyniaonline.ru
webmoniacs.ru
windowonu.ru

Intuit spam / savedordercommunicates.info

This fake Intuit spam leads to malware on savedordercommunicates.info:


Date:      Sat, 3 Nov 2012 02:11:17 +0800
From:      "Intuit Information System" [roughervm73@biolconseils.ch]
Subject:      Notification Only: Transaction Received by Intuit

Direct Deposit Service Message
Communicatory Only

We rejected your payroll on November 1, 2012 at 626 AM Central Time.

    Money would be left from the account No. ending in: XXX1 on November 2, 2012.
    quantum to be left: $7 639.16
    Paychecks would be deferred to your staff' accounts on: November, 2, 2012
    Go to web site by clicking here to Overview Transaction

Funds are typically withdrawn before usual banking hours so please make sure you have sufficient Funds accessible by 12 a.m. on the date Finances are to be gone away.

Intuit must complete your payroll by 4 p.m. Eastern time, two banking days before your paycheck date or your customers will not be paid on time. QuickBooks does not process payrolls on weekends or federal banking holidays. A list of federal banking holidays can be viewed at the Federal Reserve link.

Thank you for your business.

Regards,
Intuit Payroll Services

An substantial information regarding latest Refused Transactions is waiting for you.

Please DO NOT reply to this message. automative notification system not configured to accept incoming messages..

Copyright 2008 Intuit Inc. QuickBooks and Intuit are registered trademarks of and/or registered service marks of Intuit Inc. in the United States and other countries.

Intuit Inc. Customer Care
87566

San Paolo City, AZ 15203

The malicious payload is at [donotclick]savedordercommunicates.info/detects/bank_thinking.php hosted on 75.127.15.39 (New Wave NetConnect, US) along with another malicious domain of teamscapabilitieswhich.org. Blocking this IP would be wise.


Thursday, 1 November 2012

Discover card spam / netgear-india.net

This fake Discover Card spam leads to malware on netgear-india.net:

From: Discover Account Notes [mailto:no-reply@notify.discover.com]
Sent: Thu 01/11/2012 15:32
Subject: Great Details Changes in your Discover card Account Terms

Account Services  |   Customer Care Services           
Account ending in XXX1          
  
An substantial communication regarding latest Declined Transfers is waiting for you.   
     
Log In to Read Information  
    
Honored Discover Client,
 
There is an serious message waiting for you from Discover® card. Please read the message mindfully and keep it with your file.

To ensure optimal privacy, please log in to view your message at Discover.com.
 

Please click on this link if you have forgotten your UserID or Password.
 

Add information@service.discover.com to your address book to ensure delivery of these notifications.

VITAL NOTE

This message was delivered to [redacted] for Discover debit card account number ending with XXX1.

You are receiving this e-mail because you have account at Discover.com.

Log in to change your e-mail address or overview your account e-mail options.

If you have any questions about your account, please Login to leave us a message securely and we would be glad to support you.

Please DO NOT reply to this message. auto informer system cannot accept incoming email.

DISCOVER and other trademarks, logos and service marks used in this e-mail are the trademarks of Discover Financial Services or their respective third-party owners.

Discover Banking Ltd.
P.O. Box 84265
Salt Lake City, SC 76433
2012 Discover Bank, Member FDIC
[redacted]

========

From: Discover Account Notes [mailto:donotreply@service.discover.com]
Sent: Thu 01/11/2012 16:36
Subject: Substantial Information about your Discover Account

Account Center   |   Customer Center         
               Account ending in XXX9        

 
An significant message regarding latest Approved Activity is waiting for you.
   
Log In to Overview Details  
    
Respective Cardholder,
  
There is an important message waiting for you from Discover® card. Please read the message carefully and keep it with your archive.

To ensure optimal privacy, please sign in to read your data at Discover.com.

Please visit discover.com if you have forgotten your Login ID or Password.

Add discover@information.discover.com to your trusted emails to ensure delivery of these messages.

VITAL NOTIFICATION

This e-mail was sent to [redacted] for Discover card account No. ending with XXX9.

You are receiving this e-mail because you member of Discover.com.

Log in to change your e-mail address or view your account e-mail settings.

If you have any questions about your account, please Enter your account to leave us a message securely and we would be blissful to help you.

Please don't reply to this message. auto-notification system cannot accept incoming mail.

DISCOVER and other trademarks, logos and service marks used in this e-mail are the trademarks of Discover Financial Services or their respective third-party owners.

Discover Banking Llc.
P.O. Box 85486
Seashore City, NV 91138
2012 Discover Bank, Member FDIC
[redacted]

The malicious payload is at [donotclick]netgear-india.net/detects/discover-important_message.php hosted on 183.180.134.217 (RAT CO, Japan). The following domains are on that same IP, and judging by the registration details they should also be considered as malicious:
itracrions.pl
radiovaweonearch.com
steamedboasting.info
solla.at
netgear-india.net
puzzledbased.net
stempare.net
questionscharges.net
bootingbluray.net

Wednesday, 31 October 2012

HP ScanJet spam / donkihotik.ru

This fake printer message leads to malware on donkihotik.ru:


Date:      Wed, 31 Oct 2012 05:06:42 +0300
From:      LinkedIn Connections
Subject:      Re: Fwd:Scan from a HP ScanJet #26531
Attachments:     HP-Scan-44974.htm

Attached document was scanned and sent



to you using a Hewlett-Packard Officejet PRO.

Sent: by Bria
Image(s) : 6
Attachment: Internet Explorer file [.htm]

Hewlett-Packard Officejet Location: machine location not set

The malicious payload is at [donotclick]donkihotik.ru:8080/forum/links/column.php which is hosted on the same IP addresses as this attack yesterday.

"Your Apple ID has been disabled" phish

I've never seen one quite like this before, although it's not the first time I've seen Apple-themed scam email (this one, for example).

From:     Apple no_reply@macapple.com
Reply-To:     no_reply@macapple.com
Date:     31 October 2012 06:08
Subject:     Your Apple ID has been disabled
    
Apple ID Support

Dear [redacted] ,

This Apple ID has been disabled!


For your protection, your Apple ID ([redacted]) is automatically disabled. We detect unauthorized Login Attempts to your Apple ID from other IP Location. Please verify your identity today or your account will be disabled due to concerns we have for the safety and integrity of the Apple Community.


To verify your Apple ID, we recommend that you go to:
       
Verify Now >
The phish is hosted at [donotclick]app.apple.com.proiectmaxim.ro/id2/sign_in/login_ID&=/?&=?reactivate=[redacted] and it looks pretty convincing if you haven't spotted the Romanian domain name..


It just goes to show that the bad guys will try to phish anything these days..

Tuesday, 30 October 2012

Craiglist spam / fionadix.ru

This fake Craiglist spam leads to malware on fionadix.ru:


Date:      Tue, 30 Oct 2012 06:26:07 +0600
From:      Tai Seals [AntonyHaugland@fibermail.hu]
Subject:      POST/EDIT/DELETE : "tattoos tattoos tattoos" (talent)


IMPORTANT - FURTHER ACTION IS REQUIRED TO COMPLETE YOUR REQUEST !!!

FOLLOW THE WEB ADDRESS BELOW TO:

    PUBLISH YOUR AD
    EDIT (OR CONFIRM AN EDIT TO) YOUR AD
    VERIFY YOUR EMAIL ADDRESS
    DELETE YOUR AD

If not clickable, please copy and paste the address to your browser:

Click here

PLEASE KEEP THIS EMAIL - you may need it to manage your posting!

Your posting will expire off the site 7 days after it was created.

Thanks for using craigslist!

==========



Date:      Tue, 30 Oct 2012 06:23:41 -0500
From:      LinkedIn Connections [connections@linkedin.com]
Subject:      POST/EDIT/DELETE : "Appliance repair" (financial)

IMPORTANT - FURTHER ACTION IS REQUIRED TO COMPLETE YOUR REQUEST !!!

FOLLOW THE WEB ADDRESS BELOW TO:

    PUBLISH YOUR AD
    EDIT (OR CONFIRM AN EDIT TO) YOUR AD
    VERIFY YOUR EMAIL ADDRESS
    DELETE YOUR AD

If not clickable, please copy and paste the address to your browser:

Click here

PLEASE KEEP THIS EMAIL - you may need it to manage your posting!

Your posting will expire off the site 7 days after it was created.

Thanks for using craigslist!


The malicious payload is at [donotclick]fionadix.ru:8080/forum/links/column.php (report here) hosted on some familiar IPs:
68.67.42.41 (Fibrenoire, Canada)
203.80.16.81 (MYREN, Malaysia)
209.51.221.247 (eNET, United States)

Additional name server IPs:
50.22.102.132 (Softlayer, United States)
62.76.186.190 (Clodo-Cloud, Russia)
84.22.100.108 (Cyberbunker, Netherlands)
213.251.171.30 (OVH, France)

Plain list for copy-and-pasting:
50.22.102.132
62.76.186.190
68.67.42.41
84.22.100.108
203.80.16.81
209.51.221.247
213.251.171.30
manekenppa.ru
kiladopje.ru
lemonadiom.ru
finitolaco.ru
fidelocastroo.ru
ponowseniks.ru
dianadrau.ru
windowonu.ru
panalkinew.ru
fionadix.ru

reedcouk.com fake job offer / Fort Huachuca hacked?

This fake job offer from "reedcouk.com" is trying to recruit people for money laundering or other criminal activities, it is not from the real reed.co.uk. However, part of the infrastructure supporting this scam appears to belong the the US military.

From:     sales@[victimdomain].com
To:     sales@[victimdomain].com
Date:     30 October 2012 22:33
Subject:     Employment opportunity

I would like to take this time to welcome you to our hiring process
and give you a brief synopsis of the position's benefits and requirements.

If you are taking a career break, are on a maternity leave,
recently retired or simply looking for some part-time job, this position is for you.

Occupation: Flexible schedule 2 to 8 hours per day. We can guarantee a minimum 20 hrs/week occupation
Salary: Starting salary is 2000 GBP per month plus commission, paid every month.
Business hours: 9:00 AM to 5:00 PM, MON-FRI, 9:00 AM to 1:00 PM SAT or part time (UK time).

Region: United Kingdom.

Please note that there are no startup fees or deposits to start working for us.

To request an application form, schedule your interview and receive more information about this position
please reply to Bob@reedcouk.com with your personal identification number for this position IDNO: 0797
The spam appears to come "from" the recipients own email address (here's why). The bogus domain reedcouk.com is registered as follows:

   Lavern E. Davis
   Lavern Davis info@reedcouk.com
   816-680-7849 fax: 816-680-7331
   4218 White Oak Drive
   Strasburg MO 64090
   us


The domain was registered on 30th October 2012 (today!) via BIZCN.COM, a crime-friendly domain registrar in China. Mail for this domain is handled by a server at 46.249.46.161 (Serverius, Netherlands) which is also ns1.zupyx.net, one of the nameservers for the fake reedcouk.com domain. Who owns zupyx.net? That looks like another fake registration:

      Vivian L Resnick
      221 Shaker Road
      Northfield, NH 03276-4444
      US
      Phone: +1.6032868211
      Email: clinicadelta@aol.com


zupyx.net was only registered on 19th September 2012. But the plot thickens if we look at ns2.zupyx.net (the other namesever being used by reedcouk.com) we can see that it is hosted on 132.79.132.67 which appears to be a hacked US military server at Fort Huachuca:

NetRange:       132.79.0.0 - 132.79.255.255
CIDR:           132.79.0.0/16
OriginAS:      
NetName:        NGB-NGNET
NetHandle:      NET-132-79-0-0-1
Parent:         NET-132-0-0-0-0
NetType:        Direct Assignment
RegDate:        1990-03-05
Updated:        2008-12-24
Ref:            http://whois.arin.net/rest/net/NET-132-79-0-0-1

OrgName:        Headquarters, USAISC
OrgId:          HEADQU-3
Address:        NETC-ANC CONUS TNOSC
City:           Fort Huachuca
StateProv:      AZ
PostalCode:     85613
Country:        US
RegDate:        1990-03-26
Updated:        2011-08-17
Ref:            http://whois.arin.net/rest/org/HEADQU-3

OrgTechHandle: REGIS10-ARIN
OrgTechName:   Registration
OrgTechPhone:  +1-800-365-3642
OrgTechEmail:  registra@nic.mil
OrgTechRef:    http://whois.arin.net/rest/poc/REGIS10-ARIN


You have to bear in mind that this military installation deals with military intelligence.. although you can be pretty certain that whatever server is running this bogus nameserver is public facing only. Hopefully.

This IP address also hosts a suspicious domain called trabalharpt.com:

   Samantha K. Haley
   Samantha Haley info@trabalharpt.com
   +1.8127473193 fax: +1.8127473193
   778 Heliport Loop
   Blue Ash IN 45242
   us

Again, this is registered through BIZCN.COM in China, and was only registered one week ago on 24th October 2012. There's no reason for a domain like this to be hosted on what appears to be a US military server.

There are probably some other bad domains being supported by these nameservers, but I haven't been able to identify them yet.

Friday, 26 October 2012

"Your Photos" spam / manekenppa.ru

This fake "photos" spam leads to malware on manekenppa.ru:

From: Acacia@redacted.com [mailto:Acacia@redacted.com]
Sent: 26 October 2012 10:14
Subject: Your Photos

Hi,
I have attached your photos to the mail (Open with Internet Explorer).

In this case there is an attachment called Image_DIG691233.htm that leads to a malware laden page at [donotclick]manekenppa.ru:8080/forum/links/column.php hosted on some familiar looking IPs:

79.98.27.9 (Interneto Vizija, Lithunia)
203.80.16.81 (MYREN, Malaysia)
209.51.221.247 (eNet, US)

We've seen these IPs before and they are well worth blocking.

ADP Spam / steamedboasting.info

This fake ADP spam leads to malware on steamedboasting.info:

From: ClientService@adp.com [mailto:ClientService@adp.com]
Sent: 26 October 2012 12:03
Subject: ADP Instant Notification


ADP Urgent Warning
Reference #: 31344
Dear ADP Client October, 25 2012
Your Transfer Summary(s) have been uploaded to the web site:
https://www.flexdirect.adp.com/client/login.aspx
Please take a look at the following information:
• Please note that your bank account will be charged within 1 banking day for the amount(s) specified on the Statement(s).
•Please DO NOT reply to this message. automative notification system cannot accept incoming messages. Please Contact your ADP Benefits Specialist.
This note was sent to existing users in your company that approach ADP Netsecure.
As always, thank you for choosing ADP as your business companion!
Ref: 31344
The malicious payload is at [donotclick]steamedboasting.info/detects/burying_releases-degree.php, the initial redirection page has some Cloudflare elements on it which is a bit disturbing. steamedboasting.info is hosted on 195.198.124.60 (Skand Meteorologi och Miljoinstr AB, Sweden).

This is an alternative variant with the same malicious payload:


Date:      Fri, 26 Oct 2012 16:32:10 +0530
From:      "noreply@adp.com" [noreply@adp.com]
Subject:      ADP Prompt Communication


ADP Speedy Notification

Reference #: 27585

Dear ADP Client October, 25 2012

Your Transaction Statement(s) have been put onto the web site:

Web site link

Please see the following notes:

• Please note that your bank account will be charged-off within 1 banking business day for the amount(s) specified on the Protocol(s).

?Please do not reply to this message. automative notification system can't accept incoming mail. Please Contact your ADP Benefits Specialist.

This message was sent to operating users in your company that approach ADP Netsecure.

As always, thank you for choosing ADP as your business partner!

Ref: 27585 [redacted]



apl.de.ap spam

I'm not really a fan of the Black Eyed Peas, so I'd never heard of apl.de.ap until I received this spam. I'm pretty sure that Mr ap isn't sending these out himself, but they're coming from a spammer in the UAE, a place which seems to be the spam capital of the middle east.

Although those look like tinyurl links, they're not.. they go through a redirector at ykadl.net on 109.236.88.71, the same IP used to send the spam.

The WHOIS details for the spammer domain are:

Technical Name:                Domain Admin
Technical Company:        Create-Send.net
Technical Address:        57 Kingsway Avenue
Technical Address:        Auckland
Technical Address:       
Technical Address:        Auckland
Technical Address:        Na
Technical Address:        1010
Technical Address:        New Zealand
Technical Email:        info@create-send.net
Technical Tel:                +64.279237205


Anyway, here's the spam in case you really want to buy tickets from a shady bunch of spammers..

From:     DNA alex@ykadl.net
Reply-To:     DNA [alex@ykadl.net]
Date:     26 October 2012 04:48
Subject:     Black Eyed Peas/ APL DE AP in Dubai
Signed by:     ykadl.net

BLACK EYE PEAS founding member APL DE AP heads to Dubai

BLACK EYE PEAS founding member APL DE AP to Dubai for the first time.The internationally famed Black Eyed Peas rapper/DJ, who has won 7 Grammy Awards and sold over 70 million albums, will be the headliner performance at Nasimi Beach on Thursday 1st November.

Like his high school friend Will I Am, APL DE AP also DJ's with international bookings all around the globe including Ibiza, Cannes and London, recently headlining at Belgium's Tomorrowland Festival. The American-Philippines star headlines this event with support from Dion Mavath, local celebrity DJ Marwan Bliss/ 411, Mathew Charles and as well as a performance by Number One selling band Swickasswans.

APL DE AP and the other members of the Black Eyed Peas have been on a hiatus from the band for the last year.In 2011 The Black Eyed Peas were ranked 12th on the Billboard's Decade-End Chart Artist of the Decade, the group performed in February 2011 at the halftime show of Super Bowl XLV.

✻TICKETS COST 165AED for this fabulous International Star event with full bar facilities, waiter service and live food stations.✻

TICKETS ARE NOW AVAILABLE ON:

✻TIMEOUT***TICKETINGCO***MARHABA***PLATINUM✻

TIMEOUT * http://tinyurl.com/bvrtjxx

PLATINUM LIST * http://tinyurl.com/cs8wdox

TICKETINGCO * http://tinyurl.com/cctq2s8

✻ FOR VIP TABLE RESERVATIONS CALL 050 1428363✻
For more info@dnapre.com✻21+ ✻ ID required ✻ Couples & mixed groups preferred.✻ Normal club policies apply ✻

✻THIS WILL BE A SELLOUT EVENT. Get your Tickets fast.✻

Share This
UnsubscribeForward to a Friend

inserted image

inserted image

Click here to opt-out

Thursday, 25 October 2012

"End of Aug. Statement required" spam / kiladopje.ru

This spam leads to malware on kiladopje.ru:

From: ZaireLomay@mail.com [mailto:ZaireLomay@mail.com]
Sent: 24 October 2012 20:58
Subject: Re: FW: End of Aug. Statement required

Hi,
as reqeusted I give you inovices issued to you per sept. (Internet Explorer format)
Regards
In this case, there's an attachment called Invoices-23-2012.htm with some obfuscated Javascript to direct visitors to a malware laden page at [donotclick]kiladopje.ru:8080/forum/links/column.php hosted on:

79.98.27.9 (Interneto Vizija, Lithunia)
203.80.16.81 (MYREN, Malaysia)
209.51.221.247 (eNet, US)

The following IPs and domains are all related and should be blocked if you can:
68.67.42.41
72.18.203.140
79.98.27.9
84.22.100.108
85.143.166.170
132.248.49.112
190.10.14.196
202.3.245.13
203.80.16.81
209.51.221.247
fidelocastroo.ru
finitolaco.ru
kennedyana.ru
kiladopje.ru
lemonadiom.ru
leprasmotra.ru
ponowseniks.ru
secondhand4u.ru
windowonu.ru

Wednesday, 24 October 2012

BBB Spam / samplersmagnifyingglass.net

This fake BBB spam leads to malware on samplersmagnifyingglass.net:

Date:      Wed, 24 Oct 2012 22:10:18 +0430
From:      "Better Business Bureau" [noreply@bbb.org]
Subject:      Better Business Beareau Appeal #42790699

Attention: Owner/Manager

Here with the Better Business Bureau notifies you that we have been sent a claim (ID 42790699) from one of your consumers about their dealership with you.

Please view the CLAIMS REPORT down to view more information on this problem and suggest us about your point of view as soon as possible.

On a website above please enter your complain id: 42790699 to review it.

We are looking forward to hearing from you.
-----------------------------------

Faithfully,

Rebecca Wilcox

Dispute advisor
Better Business Bureau
The malicious payload is on [donotclick]samplersmagnifyingglass.net/detects/confirming_absence_listing.php hosted on 183.81.133.121, a familiar IP address belonging to Vodafone in Fiji that has been used several times before and is well worth blocking.

Some other domains also associated with this IP are:
the-mesgate.net
hotsecrete.net
agmnxsmn.com
art-london.net
asmsxcm.com
buzziskin.net
ifmncmn.com
stafffire.net
sxmnmn.com
tizarrefetishkin.com

Wire Transfer spam / ponowseniks.ru

This fake wire transfer spam leads to malware on ponowseniks.ru:

Date:      Wed, 24 Oct 2012 04:26:12 -0500
From:      FedEx [info@emails.fedex.com]
Subject:      Re: Fwd: Wire Transfer Confirmation (FED REFERENCE 9649AA02)
Attachments:     Report_Trans99252.htm

Dear Bank Operator,



WIRE TRANSFER: FEDW-30126495944197210



STATUS: REJECTED



You can find details in the attached file.(Internet Explorer format)
The .htm attachment attempts to redirect the user to a malicious page at [donotclick]ponowseniks.ru:8080/forum/links/column.php  hosted on some familar IP addresses:

202.3.245.13 (President of French Polynesia)
203.80.16.81 (MYREN, Malaysia)
209.51.221.247 (eNet, US)


Contract spam / fidelocastroo.ru

This fake contact spam leads to malware on fidelocastroo.ru:

Date:      Tue, 23 Oct 2012 12:33:51 -0800
From:      "Wilburn TIMMONS" [HIWilburn@hotmail.com]
Subject:      Fw: Contract from Wilburn
Attachments:     Contract_Scan_DS23656.htm

Hello,



In the attached file I am transferring you the Translation of the Job Contract that I have just received today. I am really sorry for the delay.

Best regards,

Wilburn TIMMONS, secretary
The .htm attachment contains obfuscated javascript that attempts to direct the visitor to a malicious [donotclick]fidelocastroo.ru:8080/forum/links/column.php. This domain name has been used in several recent attacks and is currently multihomed on some familiar IP addresses:

202.3.245.13 (President of French Polynesia)
203.80.16.81 (MYREN, Malaysia)
209.51.221.247 (eNet, US)



Tuesday, 23 October 2012

Intuit spam / montrealhotpropertyguide.com

This fake Intuit spam leads to malware on montrealhotpropertyguide.com:


Date:      Tue, 23 Oct 2012 14:45:14 +0200
From:      "Intuit QuickBooks Customer Service" [35378B458@aubergedesbichonnieres.com]
Subject:      Intuit QuickBooks Order


   
Dear [redacted],



Thank you for placing an order with Intuit QuickBooks!

We have received your payment information and it is currently being processed.
   
   
    ORDER INFORMATION    
       
Order #:    366948851674
Order Date:    Oct 22, 2012

[ View order ]

Qty     Item     Price
1     Intuit QuickBooks Pro Download 2 2012     $183.96***

   
Subtotal:
Sales Tax:
Total for this Order:
   
$183.96
$0.00
$183.96
*Appropriate credit will be applied to your account.



Please Note: Sales tax calculations are estimated. The final sales tax calculation will comply with local regulations.

       
    NEED HELP?    
       

Questions about your order? Please visit Customer Service.

       
       
           
Join Us On Facebook
           
           
           
           
Close More Sales
           

           
           
Save Time
           
           
           
   


Privacy | Legal | Contact Us | About Intuit

You have received this business communication as part of our efforts to fulfill your request or service your account. You may receive this and other business communications from us even if you have opted out of marketing messages.



If you receive an email message that appears to come from Intuit but that you suspect is a phishing email, please forward it immediately to spoof@intuit.com. Please visit http://security.intuit.com/ for additional security information.



Please note: This email was sent from an auto-notification system that cannot accept incoming email. Please do not reply to this message.



� 2012 Intuit Inc. or its affiliates. All rights reserved.

The malicious payload is on [donotclick]montrealhotpropertyguide.com/links/showed-clearest-about.php hosted on 64.111.26.15 (Data 102, US).

NACHA spam / bwdlpjvehrka.ddns.info

This fake NACHA spam leads to malware on bwdlpjvehrka.ddns.info:

Date:      Tue, 23 Oct 2012 05:44:05 +0200
From:      "noreply@direct.nacha.org"
Subject:      Notification about the rejected Direct Deposit payment

Herewith we are informing you, that your most recent Direct Deposit via ACH transaction (#914555512836) was cancelled, due to your current Direct Deposit software being out of date. Please use the link below to enter the secure section of our web site and see the details::

Details

Please contact your financial institution to acquire the new version of the software.

Sincerely yours

ACH Network Rules Department
NACHA | The Electronic Payments Association

13450 Sunrise Valley Drive, Suite 100
Herndon, VA 20171
Phone: 703-561-1100 Fax: 703-787-0996
The malicious payload is at [donotclick]bwdlpjvehrka.ddns.info/links/calls_already_stopping.php hosted on 78.24.222.16 (TheFirst-RU, Russia). Blocking this IP address would be a good move.