Sponsored by..

Wednesday, 19 December 2012

Facebook spam / 46.249.58.211 and 84.200.77.218

There are various Facebook spams doing the rounds pointing to a variety of malware sites on 46.249.58.211 and 84.200.77.218, for example:

From: FB.Team
Sent: 19 December 2012 14:30
Subject: Re-activate account

Hi [redacted],
Your account has been blocked due to spam activity.
To verify account, please follow this link:
http://www.facebook.com/confirmemail.php?e=[redacted]

You may be asked to enter this confirmation code: [redacted]
The Facebook Team

Didn't sign up for Facebook? Please let us know. 
46.249.58.211 (Serverius Holding, Netherlands)
newmeeting2012.asia
datingbest2012.asia
dating-2013.asia
new-dating2013.asia
mobimemcashnesh.com
domainssguibulkniner.com
innersdomainsinser.com
domainssinglsdoms.com
site-dating-2012.info
best-dating-2012.info
new-dating-2012.info
greatdating-2012.info
newdatingworld2012.info
site-dating2012.info
sitedating2012.info
freshdating2012.info
cooldating2012.info
greatdating2012.info
latestdating2012.info
datingcool2012.info
newdatingafter2012.info
datingbest2012.info
fresh-dating-2013.info
greatdating-2013.info
moderndating2013.info
latestdating2013.info
newdatingafter2013.info
shareself.info
searchersstippich.info
adeptsponsorlin.info
domssvorastwo.info
domainsqiprnodes.info
searchersnextdoms.info
lubertylibcenterns.info
netsplacesformss.info
domainssinglssunss.info
domainssinglsnetss.info
omnihiteuropapluss.info
domainderight.info
domainsreidstable.net
mobimemcashnesh.net
namessguibulk.net
adeptsponsorlin.net
domssvorastwo.net
domainssguibulk9r.net
domainssidorsneeds.net
searchersnextdoms.net
domainssinglssunss.net
bursttsnetsbest.net

84.200.77.218 (Misterhost, Germany)
namesstressadd.com
bitnovembersgate.com
domainssinglgirs.com
left4deadfi3.info
importslatenot.info
monchianolist.info
left4deadfi3.net
gamesduoswin9.net
domainsstressadd.net
oregonsitynet.net

GFI have some more details on this one here.

Malware sites to block 19/12/12

This group of sites appears to be using a fake AV applications to download a malicious file scandsk.exe (report here) via 79.133.196.103 (eTop, Poland) and 82.103.140.100 (Easyspeedy, Denmark) which then attempts to call home to 46.105.131.126 (OVH, Ireland).

This is a screenshot of the fake AV in action:


From this point, the scandsk.exe gets download either through an exploit or social engineering. This executable looks like some sort of downloader, which attempt to pull down additional data from these non-responding domains:

report.q7ws17sk1ywsk79g.com
report.7ws17sku7myws931u.com
report.u79i1qgmywskuo9o.com

There's some sort of trickery here, perhaps it requires exactly the right kind of factors to hit a valid URL, the automated analysis tools are inconsistent [1] [2] [3] but seem to indicate a C&C on 46.105.131.126. This IP belongs to OVH (no surprises there) but seems to have been suballocated:

inetnum:        46.105.131.120 - 46.105.131.127
netname:        marysanders1
descr:          marysanders1net
country:        IE
org:            ORG-OH5-RIPE
admin-c:        OTC9-RIPE
tech-c:         OTC9-RIPE
status:         ASSIGNED PA
mnt-by:         OVH-MNT
source:         RIPE # Filtered


I suspect that this whole block is being used for malicious purposes, 46.105.131.123 hosts a site called find-and-go.com registered in China which has been fingered as an attack site before (e.g. here, click at your own risk). I would recommend blocking the entire 46.105.131.120/29 to be on the safe side.

The infection sites are on 82.103.140.100 and 79.133.196.103, they make extensive use of subdomains of mooo.com, ez.lv and zyns.com. There are probably legitimate sites making use of these domains, but blocking them completely should give you few headaches.

79.133.196.103 is part of small block of IPs, 79.133.196.96/27, that I have seen malware on before, specifically 79.133.196.105 and 79.133.196.124. Blocking the entire /27 is probably a good idea.

Recommended blocklist:
46.105.131.120/29
82.103.140.100
79.133.196.97/27
mooo.com
ez.lv
zyns.com

Alternatively, these are some of the subdomains in use.. there are a lot of them, and probably more than I have listed here.

82.103.140.100
www2.x49v36a57puq66.ez.lv
www2.tpzqzg4k2scre0.mooo.com
www2.afc5l4vfohgsz0.mooo.com
www2.f4t9jm7x21.mooo.com
www2.q9iuiwcoq2uvy-2.mooo.com
www2.wwml9bvprhllq2.mooo.com
www2.cjpujub6n0e5u2.mooo.com
www2.t-hih2cnpkpjy2.mooo.com
www2.afbsv8ooj-3.mooo.com
www2.yhqgj6kntn9ru3.mooo.com
www2.q-5f75azo15f214.mooo.com
www2.pbsx2znwccc9a4.mooo.com
www2.wa9bb2z4r3ojz-5.mooo.com
www2.abjbxt7a65.mooo.com
www2.fmrmta0nhmql95.mooo.com
www2.xkpcakk8fnvp95.mooo.com
www2.l6gbfb6l5.mooo.com
www2.ewl91b7p86.mooo.com
www2.uwgsohupxy1de6.mooo.com
www2.g-gq0soprruf5h6.mooo.com
www2.m7yzf62rp6.mooo.com
www2.vov9fsmlyq9257.mooo.com
www2.r2qrxdwo979vj7.mooo.com
www2.j9qm7o00stdyx7.mooo.com
www2.laysltotae8xd8.mooo.com
www2.wp0poz3aq7a7q8.mooo.com
www2.lisbp4cv0v6w09.mooo.com
www2.a50oup6hw0u9c9.mooo.com
www2.pa68ewk9fuqoe9.mooo.com
www2.ohcaob1cffx4l9.mooo.com
www2.g-gysij61cwkkr9.mooo.com
www2.j-8pdx3cfjxgba.mooo.com
www2.h-3aq08aicxn2c.mooo.com
www2.i-7w3rj3j54msmc.mooo.com
www2.j94ysol4em1jd.mooo.com
www2.b5nxk76wnd.mooo.com
www2.r-72i3awaqe.mooo.com
www2.e1k6twcnwqkueh.mooo.com
www2.l00mfws4y9p7ci.mooo.com
www2.l-30w3ulnwvj0qi.mooo.com
www2.z9tbs222g9unk.mooo.com
www2.g-3hww04s0mv5mn.mooo.com
www2.d-9w6t7gvgqm1o.mooo.com
www2.v3sinde9go.mooo.com
www2.l926nykwyj27mo.mooo.com
www2.e8dp78999hr5u.mooo.com
www2.y-8ppqnq8kglsou.mooo.com
www2.k79jcizh268qu.mooo.com
www2.v-9ifaa40v4bu1w.mooo.com
www2.p-2l65dl6w.mooo.com
www2.w15s6udfkhp5ry.mooo.com
www2.jjiqnfn6gj5ht-0.ez.lv
www2.z1jdd6o1e1kss0.ez.lv
www2.h-ccawkohe3qpi3.ez.lv
www2.hzyr7bh8gok2p4.ez.lv
www2.djti1cxaiz9wk5.ez.lv
www2.i-lojtegi396u5.ez.lv
www2.zgurkoad-7.ez.lv
www2.z26df3ueq3j2t7.ez.lv
www2.u263xcu8.ez.lv
www2.kyumtava8e6qv-9.ez.lv
www2.vn6wbwn7abt319.ez.lv
www2.w-5e04vjusiibj9.ez.lv
www2.n9vrk7p00g.ez.lv
www2.t3fjazatb9yov.ez.lv

79.133.196.103
www1.d6kpgdkvrolql3.zyns.com
www1.v7cqv8zdy4pjn5.mooo.com
www1.gno1meqrlspf5-0.zyns.com
www1.ibtu6x7oi3278-0.zyns.com
www1.b95ixcr30.zyns.com
www1.z-xq6xi2p7yx60.zyns.com
www1.p-aijej0.zyns.com
www1.jzyycis0.zyns.com
www1.u1wfjjs0.zyns.com
www1.h7xwv84x1huu0.zyns.com
www1.o-3xvokohw0.zyns.com
www1.fetmg6oukfvvw0.zyns.com
www1.wxe3vgvuk6th-1.zyns.com
www1.nuiq1hvmga2d11.zyns.com
www1.w5ndppqbx3p21.zyns.com
www1.u8r2a5xfb0xp51.zyns.com
www1.gbrl4es5xro4b1.zyns.com
www1.z-gfckpx0nst8c1.zyns.com
www1.ma5x4qfhh1.zyns.com
www1.ps61hen1.zyns.com
www1.cvhc6cr1.zyns.com
www1.ucfjffrizboz1.zyns.com
www1.vlza5kzj32.zyns.com
www1.cutyfk82tkfc52.zyns.com
www1.p3gn08hp62.zyns.com
www1.xa9xfs70sn92.zyns.com
www1.tt4h8odbcfxtq2.zyns.com
www1.j8qi8gl3d5jpv2.zyns.com
www1.iatjl4x2.zyns.com
www1.zqclyyon8-3.zyns.com
www1.c4w46c-3.zyns.com
www1.iu3b7pys9yah23.zyns.com
www1.veduncogo0u683.zyns.com
www1.bq1la1lcr3.zyns.com
www1.sm30hwbrxb5az3.zyns.com
www1.osxzdpb-4.zyns.com
www1.e1xyho-4.zyns.com
www1.h5yqudc184.zyns.com
www1.bctzuagte4.zyns.com
www1.gr56vr5wxvg7n4.zyns.com
www1.m5sfchcmj27cq4.zyns.com
www1.l1rtz0zaj4fnq4.zyns.com
www1.y-4an259ivs7vq4.zyns.com
www1.t8lkv8y4.zyns.com
www1.ycj49f-5.zyns.com
www1.o31omt35.zyns.com
www1.w032ang27l9d55.zyns.com
www1.x-96pxhseft8vo5.zyns.com
www1.p8yzcs8ch-6.zyns.com
www1.dhapuz06.zyns.com
www1.k-1m2fwr1zkha6.zyns.com
www1.rqc6n0zob6.zyns.com
www1.uicqviiewuukp6.zyns.com
www1.y4fyk9kw4e0lu6.zyns.com
www1.nbv4tzxo9452-7.zyns.com
www1.a6f4udb912c49-7.zyns.com
www1.ao3r3psunacd-7.zyns.com
www1.b7k6w2pnmz127.zyns.com
www1.i-vmtcr70kg2up7.zyns.com
www1.j-2qw3j92dq8x7.zyns.com
www1.yhxt4s4j78ry7.zyns.com
www1.frmbxxqc875pj-8.zyns.com
www1.axttts-8.zyns.com
www1.w-5z76xligg58.zyns.com
www1.scowhjo755l6d8.zyns.com
www1.br3u9dxxar5td8.zyns.com
www1.y5nxjxm8.zyns.com
www1.b6bu6gh1zcp8.zyns.com
www1.tnluwilt6mp2-9.zyns.com
www1.nnn17u67qzt219.zyns.com
www1.agdd43g049.zyns.com
www1.bcg6p4ctazktc9.zyns.com
www1.yoioas053gtbe9.zyns.com
www1.a-rra5zgikgcf9.zyns.com
www1.sx5egikt2kmqf9.zyns.com
www1.du3ikfh9.zyns.com
www1.f-5uhlm9.zyns.com
www1.xfrqbmljcp48n9.zyns.com
www1.r-aaqewzo8mp9.zyns.com
www1.jllt99r0v9.zyns.com
www1.uyi3rupgv9pdw9.zyns.com
www1.g8z0v3j7gwd7of.zyns.com
www1.v-1ou2ri1zrg0qf.zyns.com
www1.j02zhivh.zyns.com
www1.m0xqnb0l4j.zyns.com
www1.p5yte9ud3fbxbj.zyns.com
www1.o-2kuc2s8nkirik.zyns.com
www1.c58qlq5xcj0jrl.zyns.com
www1.v6r445h3ffl3m.zyns.com
www1.y-1gh1dkd6m.zyns.com
www1.b5sfmondbm.zyns.com
www1.d0mprkrn.zyns.com
www1.m8gnbsm902rx1p.zyns.com
www1.q-1nvlobckqmv9q.zyns.com
www1.j8o4hnar.zyns.com
www1.a4d2od4p7wyxas.zyns.com
www1.w2up72la0jj4fs.zyns.com
www1.p-7mmwht.zyns.com
www1.b-8zowxdx7c9mt.zyns.com
www1.x6nal9syket14u.zyns.com
www1.q7l2p44v81oyxw.zyns.com
www1.x-1qeru80ijr0yw.zyns.com
www1.k2o7ux378x.zyns.com
www1.y-34sc9n3kutsy.zyns.com
www1.q3nxdktdixzfzy.zyns.com
www1.t7nh3q177z.zyns.com

Tuesday, 18 December 2012

LinkedIn spam / apensiona.ru

This fake LinkedIn spam leads to malware on apensiona.ru:

From: messages-noreply@bounce.linkedin.com on behalf of LinkedIn Connections
Sent: Tue 18/12/2012 14:01
Subject: Join my network on LinkedIn


LinkedIn
Hien Lawson has indicated you are a Friend
I'd like to add you to my professional network on LinkedIn.

- Hien Lawson


Accept
 View invitation from Hien Lawson 

WHY MIGHT CONNECTING WITH Hien Lawson BE A GOOD IDEA?

Hien Lawson's connections could be useful to you

After accepting Hien Lawson's invitation, check Hien Lawson's connections to see who else you may know and who you might want an introduction to. Building these connections can create opportunities in the future.
2012, LinkedIn Corporation 

The malicious payload is at [donotclick]apensiona.ru:8080/forum/links/column.php (the same payload as here) although this time the IPs have changed to:

109.235.71.144 (Serveriai, Lithunia)
176.31.111.198 (OVH, France)
217.112.40.69 (Utransit , UK)

Here's a plain list if you want to block the lot:
109.235.71.144
176.31.111.198
217.112.40.69

Blocking emails from linkedin.com at your perimeter might also be a good idea.

UPS (or is it USPS) spam / apensiona.ru

Spammers often get UPS and the USPS mixed up. They're not the same thing at all. And this one throws FilesTube into the mix as well. Anyway, this fake UPS / USPS / FilesTube spam leads to malware on apensiona.ru:

From: FilesTube [mailto:filestube@filestube.com]
Sent: 17 December 2012 06:01
Subject: Your Tracking Number H7300014839


USPS Customer Services for big savings!
Can't see images? CLICK HERE.

UPS - UPS TEAM 60 >>


Already Have
an Account?   


Enjoy all UPS has to offer by linking your My UPS profile to your account.   



Link Your
Account Now >>
       


UPS - UPS .com Customer Services

Good Evening, [redacted].

DEAR USER , Recipient's address is wrong

Track your Shipment now!

With Respect To You , Your UPS .com Customer Services.

                       
Shipping
    Tracking
    Calculate Time & Cost
    Open an Account

                       


@ 2011 United Parcel Service of America, Inc. Your USPS .us Customer Services, the UPS brandmark, and the color brown are
trademarks of United Parcel Service of America, Inc. All rights reserved.

This is a marketing e-mail for UPS services. Click here to update your e-mail preferences or to unsubscribe to
USPS Team marketing e-mail. For information on UPS's privacy practices, please refer to UPS Privacy Policy.

Your USPS .us Customer Services, 8 Glenlake Parkway, NE - Atlanta, GA 30585
Attn: Customer Communications Department
The malicious payload is at [donotclick]apensiona.ru:8080/forum/links/column.php which is hosted on 217.112.40.69 (Utransit, claims to be from the UK but probably Russia). The following malicious domains are also on that IP address:

pelamutrika.ru
antariktika.ru
aliamognoa.ru
ahiontota.ru
anifkailood.ru
podarunoki.ru
aseniakrol.ru
publicatorian.ru
pitoniamason.ru
aviaonlolsio.ru
dimarikanko.ru
adanagenro.ru
aofngppahgor.ru
apolinaklsit.ru
apensiona.ru

Monday, 17 December 2012

pillscarehealthcare.com spam

There has been a massive amount of pharma spam pointing to pillscarehealthcare.com over the past 48 hours or so. Here are some examples:


Date:      Mon, 17 Dec 2012 02:47:56 +0000 (GMT)
From:      "Account Info Change" [tyjinc@palmerlakearttour.com]
To:      [redacted]
Subject:      Updated information

    Updated information

Hello,

The following information for your ID [redacted] was updated on 12/17/2012: Date of birth, Security question and answer.

If these changes were made in error, or if you believe an unauthorized person accessed your account, please reset your account password.

This is an automated message. Please do not reply to this email. If you need additional help, visit our Support Center.

Thanks,
Customer Support

==================


Date:      Mon, 17 Dec 2012 01:22:56 -0700
From:      "Angela Snider" [directsales@tyroo.com]
To:      [redacted]
Subject:      Pending ticket status

Ticketing System
Hello,
You have been successfully registered in our Ticketing System
Please, login and check status of your ticket, or close the ticket here
Go To Profile
   
See All tickets
This message was sent to [redacted]. Should you have any questions, or if you believe that you have received this in error please contact us at support center.


==================


Date:      Sat, 15 Dec 2012 21:37:47 -0700
From:      "Alexis Houston" [cmassuda@agf.com.br]
To:      [redacted]
Subject:      Pending ticket notification

Ticketing System
Hello,
You have been successfully registered in our Ticketing System
Please, login and check status of your ticket, or report new ticket here
Go To Profile
   
See All tickets
This message was sent to [redacted]. Should you have any questions, or if you believe that you have received this in error please contact us at support center.

==================


Date:      Sat, 15 Dec 2012 07:06:30 -0800
From:      "Account Sender Mail" [daresco@excite.com]
To:      [redacted]
Subject:      Account is now available

    Login unavailable due to maintenance ([redacted])

Hello,

Your Account is now available.

Our systems were unavailable due to maintenance and upgrading system. We apologizes for any inconvenience and appreciates the patience while this critical maintenance was performed. If you still face the problem then it would be better if you contact our team.

Access Your Account

Hope this information helps you.

Thanks,
Support team

==================

From: Kennedi Marquez [mailto:cwtroutn@naturalskincarereviews.info]
Sent: 17 December 2012 11:18
Subject: Updated information


    Updated information

Hello,
The following information for your ID [redacted] was updated on 12/17/2012: Date of birth, Security question and answer.

If these changes were made in error, or if you believe an unauthorized person accessed your account, please reset your account password.

This is an automated message. Please do not reply to this email. If you need additional help, visit our Support Center.

Thanks,
Customer Support
This appears to be punting fake drugs rather than malware. pillscarehealthcare.com is hosted on 95.58.254.74 (Kazakh Telecom, Kazakhstan). In my opinion blocking 95.58.254.0/24 will probably do you no harm. These other fake pharma web sites can be found on the same IP address:


retailersviagrasale.nl
tabdisease.nl
viagralberta.com
medmedsepub.com
tabletlevitripad.com
newpharmsale.com
pillscarehealthcare.com
qrigzh.themedsdrugstore.com
medsmedicinedisease.com
pillsmedicinedrug.com
medmedsceccoli.com
garciniaherbal.com
medicinepharmedical.com
viagraherbalflavor.com
drugenericsmeds.com
petraeuslismeds.com
patientsmedicinepills.com
tabpatients.com
tabhealthpatients.com
cialispetraeus.com
dietwifat.com
viagradiet.com
weightprescriptiondiet.com
kidneyprescriptiondiet.com
www.welnesskidney.com
www.medicaremedsromney.com
herbalapple.at
levitratcu.at
welnessgenerics.net
romneyrx.net
pillspharmamedicine.ru
pillsdrugstoredrugstore.ru
parisdrugstore.ru
pharmacypresciption.ru
pillpharmacydrugs.ru
controlpills.ru
drugtorefitnesspills.ru
pharmacypillstreatments.ru
drugstorehealthcarerx.ru
drugstorehealthrx.ru
drugstoretabsrx.ru
pharmacymedsrx.ru
fitnessdrugstorepharmacy.ru
dosehealthpharmacy.ru
medicinerxpharmacy.ru
caprxpharmacy.ru
cappharmacypharmacy.ru


2001 Trailer Recut

This is a kind of parody.. what would happen if 2001: A Space Odyssey was being promoted via a modern blockbuster-style parody today? Actually.. I think it looks freakin' awesome:



[Via]

Friday, 14 December 2012

Changelog spam / aviaonlolsio.ru

This fake Changelog spam leads to malware on aviaonlolsio.ru:

From: messages-noreply@bounce.linkedin.com [mailto:messages-noreply@bounce.linkedin.com] On Behalf Of Earlean Gardner via LinkedIn
Sent: 13 December 2012 20:22
Subject: Re: Changelog as promised (upd.)

Hi,
as promised - View

I. SWEET

====================


Date:      Fri, 14 Dec 2012 05:22:54 +0700
From:      "Kaiya HIGGINS" [fwGpEzHIGGINS@hotmail.com]
Subject:      Re: Fwd: Changelog as promised(updated)

Hi,

as promised chnglog updated - View

I. HIGGINS

The malicious payload is at [donotclick]aviaonlolsio.ru:8080/forum/links/column.php hosted on the same IPs as used in this attack:

75.148.242.70 (Comcast Business, US)
91.142.208.144 (Axarnet, Spain)

The following malicious domains are on those same IPs:

ahiontota.ru
aliamognoa.ru
amnaosogo.ru
anifkailood.ru
aofngppahgor.ru
aseniakrol.ru
aviaonlolsio.ru
awoeionfpop.ru
dimarikanko.ru
pelamutrika.ru
pitoniamason.ru
podarunoki.ru
publicatorian.ru

Citibank spam / 6.bbnsmsgateway.com

This fake Citibank spam leads to malware on 6.bbnsmsgateway.com:

Date:      Fri, 14 Dec 2012 19:27:56 +0530
From:      Citi Cards [citicards@info.citibank.com]
Subject:      Your Citi Credit Card Statement

Add citicards@info.citibank.com to your address book to ensure delivery.

Your Account: Important Notification
   
Your Citi Credit Card statement is ready to view online

   
Dear customer,

Your Citi Credit Card statement is now available for you to view online. Here are some key pieces of information from your statement:

Statement Date:     December 13, 2012
Statement Balance:     -$4,873.54
Minimum Payment Due:     $578.00
Payment Due Date:     Tue, January 01, 2013


Want help remembering your payment due date? Sign up for automated alerts such as Payment Due reminders with Alerting Service.

To set up alerts sign on to www.citicards.com and go to Account Profile.

Iprefer not to have this email contain specific information from my statement. Please send me just the announcement that my statement is ready to view online.

   
   
View Your Account         Pay Your Bill         Contact Us
   

Privacy | Security
Email Preferences
This message is from Citi Cards. Your credit card is issued by Citibank, N.A. If you'd like to refine the types of email messages you receive, or if you'd prefer to stop receiving email from us, please go to: http://www.email.citicards.com. Citibank manages email preferences by line of business. Changing your email preferences with Citi Cards does not change your email preferences for messages from Citibank?s other businesses which include retail branch banking among others.

Should you want to contact us in writing concerning this email, please direct your correspondence to:

Citibank Customer Service
P. O. Box 6500
Sioux Falls, SD 57117

Help / Contact Us
If you have questions about your account, please use our secure message center by signing on at www.citicards.com and choosing "Contact Us" from the "Help / Contact Us" menu. You can also call the customer service phone number on the back of your card.

(c) 2012 Citibank, N.A.
All rights reserved.
Citi, Citibank and Citi with Arc Design are registered service marks of Citigroup Inc.

The malicious payload is at [donotclick]6.bbnsmsgateway.com/string/obscure-logs-useful.php hosted on 192.155.81.9 (Linode, US). There are probably some other bad domains on this server, so blocking access to that IP could be prudent.

Citibank spam / 4.whereintrentinoaltoadige.com

This fake Citibank spam leads to malware on 4.whereintrentinoaltoadige.com:

Date:      Fri, 14 Dec 2012 13:54:14 +0200
From:      Citi Cards [citicards@info.citibank.com]
Subject:      Your Citi Credit Card Statement

Add citicards@info.citibank.com to your address book to ensure delivery.

Your Account: Important Notification
   
Your Citi Credit Card statement is ready to view online

   
Dear customer,

Your Citi Credit Card statement is now available for you to view online. Here are some key pieces of information from your statement:

Statement Date:     December 13, 2012
Statement Balance:     -$4,550.67
Minimum Payment Due:     $764.00
Payment Due Date:     Tue, January 01, 2013


Want help remembering your payment due date? Sign up for automated alerts such as Payment Due reminders with Alerting Service.

To set up alerts sign on to www.citicards.com and go to Account Profile.

Iprefer not to have this email contain specific information from my statement. Please send me just the announcement that my statement is ready to view online.
   
   
View Your Account         Pay Your Bill         Contact Us


Privacy | Security
Email Preferences
This message is from Citi Cards. Your credit card is issued by Citibank, N.A. If you'd like to refine the types of email messages you receive, or if you'd prefer to stop receiving email from us, please go to: http://www.email.citicards.com. Citibank manages email preferences by line of business. Changing your email preferences with Citi Cards does not change your email preferences for messages from Citibank?s other businesses which include retail branch banking among others.

Should you want to contact us in writing concerning this email, please direct your correspondence to:

Citibank Customer Service
P. O. Box 6500
Sioux Falls, SD 57117

Help / Contact Us
If you have questions about your account, please use our secure message center by signing on at www.citicards.com and choosing "Contact Us" from the "Help / Contact Us" menu. You can also call the customer service phone number on the back of your card.

(c) 2012 Citibank, N.A.
All rights reserved.
Citi, Citibank and Citi with Arc Design are registered service marks of Citigroup Inc.

====================

Alternative mid-sections:

Statement Date:     December 13, 2012
Statement Balance:     -$8,902.58
Minimum Payment Due:     $211.00
Payment Due Date:     Tue, January 01, 2013

Statement Date:     December 13, 2012
Statement Balance:     -$9,905.95
Minimum Payment Due:     $535.00
Payment Due Date:     Tue, January 01, 2013 
The malicious payload is at [donotclick]4.whereintrentinoaltoadige.com/string/obscure-logs-useful.php hosted on 198.74.54.28 (Linode, US).

The following malicious domains are also on the same server:
4.whereinpuglia.com
4.whereinsicilia.com
4.whereinliguria.com
4.whereintoscana.com
4.whereinsardegna.com
4.whereinmolise.com
4.whereinpiemonte.com
4.whereinmilan.com
4.whereinlazio.com
4.whereinlombardy.com
4.whereinitaly.com
4.whereinsicily.com
4.whereintrentinoaltoadige.com
4.whereintoscana.com

Something evil on 87.229.26.138

This seems to be a bunch of evil domains on 87.229.26.138 (Deninet, Hungary) being used in injection attacks. Possible payloads include Blackhole (for example).

There are two sets of domains, .in domains being used by themselves and .eu domains being used with subdomains, listed below.

The registration details are probably fake, but for the record the .eu domains are registered to:
Juha Salonen
Lukiokatu 23
13430 Hameenlinna
Hameenlinna
Finland
salonen_juha@yahoo.com


The .in domains are registered to:
Puk T Lapkanen
Puruntie 33
LAPPEENRANTA
53200
FI
+358.443875638
puklapkanen@yahoo.com


If you can block the IP address then it will be the simplest option as there are rather a lot of domains here:

krvrkh.in
pmkvyh.in
hqzzpk.in
wkhmyk.in
ymjjjm.in
lupszm.in
gguwvn.in
znztip.in
onylkp.in
jlqrnp.in
yyssyr.in
nxwktt.in
zpjhjv.in
zjmnwv.in
ypmptx.in
humswz.in

quoorh.eu
zxlngj.eu
lxtnmm.eu
lrqjrn.eu
knxhsn.eu
pzgztn.eu
wokjpq.eu
lkowgs.eu
hiikrs.eu
knvutt.eu
smqtnu.eu
tmkvmv.eu
ihltwv.eu
prhhvw.eu
sowxyw.eu
utppry.eu

anshg.quoorh.eu
hjzg.quoorh.eu
utkvvk.quoorh.eu
krqm.quoorh.eu
rueyn.quoorh.eu
cdnro.quoorh.eu
xdxp.quoorh.eu
qrhxp.quoorh.eu
vtr.quoorh.eu
zrlrrs.quoorh.eu
dvyy.quoorh.eu
vymf.zxlngj.eu
xjpf.zxlngj.eu
xxvcj.zxlngj.eu
radcm.zxlngj.eu
lixcmn.zxlngj.eu
nnn.zxlngj.eu
hwpdq.zxlngj.eu
akiy.zxlngj.eu
mvtrn.lxtnmm.eu
ygz.lxtnmm.eu
hkauh.lrqjrn.eu
aqsf.knxhsn.eu
mqjpl.pzgztn.eu
wmmj.wokjpq.eu
plfztn.wokjpq.eu
fyqwrv.wokjpq.eu
prz.wokjpq.eu
ygh.lkowgs.eu
jasiv.hiikrs.eu
gechga.knvutt.eu
dxcypc.knvutt.eu
pod.knvutt.eu
sie.knvutt.eu
pdlgf.knvutt.eu
qvxqj.knvutt.eu
xdp.knvutt.eu
ikp.knvutt.eu
foxq.knvutt.eu
snt.knvutt.eu
wou.knvutt.eu
env.knvutt.eu
xor.knvutt.eu
pllrcn.knvutt.eu
stgc.smqtnu.eu
uknqc.smqtnu.eu
ynkf.smqtnu.eu
sgph.smqtnu.eu
sgo.smqtnu.eu
nlcowd.tmkvmv.eu
amp.tmkvmv.eu
wbs.tmkvmv.eu
uvpne.ihltwv.eu
vfjrn.ihltwv.eu
zlpttn.ihltwv.eu
xlt.ihltwv.eu
kcvvct.prhhvw.eu
kda.sowxyw.eu
kvb.sowxyw.eu
jbjol.sowxyw.eu
hegr.sowxyw.eu
maizss.sowxyw.eu
jfeu.sowxyw.eu
ozku.sowxyw.eu
rgpxz.sowxyw.eu
houqw.utppry.eu

Thursday, 13 December 2012

"Copies of Policies" spam / awoeionfpop.ru:

This spam leads to malware on awoeionfpop.ru:

Date:      Thu, 13 Dec 2012 09:08:32 -0400
From:      "Myspace" [noreply@message.myspace.com]
Subject:      Fwd: Deshaun - Copies of Policies

Unfortunately, I cannot obtain electronic copies of the SPII policy.

Here is the Package and Umbrella,

and a copy of the most recent schedule.

Deshaun ZAMORA,
The malicious payload is at [donotclick]awoeionfpop.ru:8080/forum/links/column.php hosted on the following IPs that I haven't seen before:


75.148.242.70 (Comcast Business, US)
91.142.208.144 (Axarnet, Spain)

The following domains are also on these IPs:
pelamutrika.ru
aliamognoa.ru
ahiontota.ru
anifkailood.ru
podarunoki.ru
aseniakrol.ru
publicatorian.ru
pitoniamason.ru
amnaosogo.ru
dimarikanko.ru
aofngppahgor.ru
awoeionfpop.ru

Citibank spam / eaglepointecondo.biz

This fake Citibank spam leads to malware on eaglepointecondo.biz:


Date:      Thu, 13 Dec 2012 16:59:14 +0400
From:      "Citi Alerts" [lubumbashiny63@bankofdeerfield.com]
Subject:      Account Operation Alert

EMAIL SAFETY AREA    
       
ATM/Credit card ending in: XXX8    
       
Notifications System
   
Wire Transaction Issued

Ultimate Savings Account (USA) XXXXXXXXX5
Amount Withdrawn: $4,564.61
Date: 12/12/12


Sign In to Abort Details
   
Wire Transaction Issued

Ultimate Savings Account (USA) XXXXXXXXX5
Amount Debited: $.24
Date: 12/12/12

Login to Overview Operation
   
ABOUT THIS MESSAGE

Please DO NOT reply to this message. auto-notification system can't accept incoming mail.
   
Citibank, N.A. Member FDIC.

� 2012 Citigroup Inc. Citi with Arc Design and Citibank are registered service marks of Citigroup Inc.

====================

From: Citibank - Alerts [mailto:enormityyf10@iztzg.hr]
Sent: 13 December 2012 12:50
Subject: Account Operation Alert
Importance: High

EMAIL SAFETY AREA
        
ATM/Credit card ending in: XXX6   
 
Notifications System

Bill Payment

Checking XXXXXXXXX7
Amount Withdrawn: $5,951.56
Date: 12/12/12

Visit this link to Cancel Detailed information

Bill Payment

Checking XXXXXXXXX7
Amount Debited: $.14
Date: 12/12/12

Login to Review Operation

ABOUT THIS MESSAGE

Please don't reply to this message. auto informer system unable to accept incoming mail.    
            
Citibank, N.A. Member FDIC.
2012 Citigroup Inc. Citi with Arc Design and Citibank are registered service marks of Citigroup Inc.

====================

From: Citibank - Service [mailto:goaliesj79@wonderware.com]
Sent: 13 December 2012 12:59
Subject: Account Alert
Importance: High

EMAIL SAFETY ZONE

ATM/Debit card ending in: XXX8      

Alerting System

Withdraw Message

Savings Account XXXXXXXXX4
Amount Debited: $1,218.42
Date: 12/12/12

Login to Abort Operation

Withdraw Message

Savings Account XXXXXXXXX4
Amount Withdrawn: $.42
Date: 12/12/12

Sign In to Overview Operation

ABOUT THIS MESSAGE
Please DO NOT reply to this message. auto-notification system not configured to accept incoming mail.       
              
Citibank, N.A. Member FDIC.
2012 Citigroup Inc. Citi with Arc Design and Citibank are registered service marks of Citigroup Inc.

The malicious payload is on [donotclick]eaglepointecondo.biz/detects/operation_alert_login.php hosted on 59.57.247.185 in China, the same IP has been used several times for evil recently and you should block it if you can.

Citi Cards spam / 6.bbnface.com and 6.mamaswishes.com

This fake Citi Cards spam leads to malware on 6.bbnface.com and 6.mamaswishes.com:


Date:      Thu, 13 Dec 2012 11:59:33 +0300
From:      Citi Cards [citicards@info.citibank.com]
Subject:      Your Citi Credit Card Statement
   

Add citicards@info.citibank.com to your address book to ensure delivery.

Your Account: Important Notification
   
Your Citi Credit Card statement is ready to view online

   
Dear customer,

Your Citi Credit Card statement is now available for you to view online. Here are some key pieces of information from your statement:

Statement Date:     December 13, 2012
Statement Balance:     -$8,803.77
Minimum Payment Due:     $750.00
Payment Due Date:     Tue, January 01, 2013


Want help remembering your payment due date? Sign up for automated alerts such as Payment Due reminders with Alerting Service.

To set up alerts sign on to www.citicards.com and go to Account Profile.

Iprefer not to have this email contain specific information from my statement. Please send me just the announcement that my statement is ready to view online.
   
   
View Your Account         Pay Your Bill         Contact Us
   

Privacy | Security
Email Preferences
This message is from Citi Cards. Your credit card is issued by Citibank, N.A. If you'd like to refine the types of email messages you receive, or if you'd prefer to stop receiving email from us, please go to: http://www.email.citicards.com. Citibank manages email preferences by line of business. Changing your email preferences with Citi Cards does not change your email preferences for messages from Citibank?s other businesses which include retail branch banking among others.

Should you want to contact us in writing concerning this email, please direct your correspondence to:

Citibank Customer Service
P. O. Box 6500
Sioux Falls, SD 57117

Help / Contact Us
If you have questions about your account, please use our secure message center by signing on at www.citicards.com and choosing "Contact Us" from the "Help / Contact Us" menu. You can also call the customer service phone number on the back of your card.

(c) 2012 Citibank, N.A.
All rights reserved.
Citi, Citibank and Citi with Arc Design are registered service marks of Citigroup Inc.

============================


Date:      Thu, 13 Dec 2012 10:30:55 +0200
From:      Citi Cards [citicards@info.citibank.com]
Subject:      Your Citi Credit Card Statement
   

Add citicards@info.citibank.com to your address book to ensure delivery.

Your Account: Important Notification
   
Your Citi Credit Card statement is ready to view online

   
Dear customer,

Your Citi Credit Card statement is now available for you to view online. Here are some key pieces of information from your statement:

Statement Date:     December 13, 2012
Statement Balance:     -$5,319.77
Minimum Payment Due:     $506.00
Payment Due Date:     Tue, January 01, 2013


Want help remembering your payment due date? Sign up for automated alerts such as Payment Due reminders with Alerting Service.

To set up alerts sign on to www.citicards.com and go to Account Profile.

Iprefer not to have this email contain specific information from my statement. Please send me just the announcement that my statement is ready to view online.

   
   
View Your Account         Pay Your Bill         Contact Us
   

Privacy | Security
Email Preferences
This message is from Citi Cards. Your credit card is issued by Citibank, N.A. If you'd like to refine the types of email messages you receive, or if you'd prefer to stop receiving email from us, please go to: http://www.email.citicards.com. Citibank manages email preferences by line of business. Changing your email preferences with Citi Cards does not change your email preferences for messages from Citibank?s other businesses which include retail branch banking among others.

Should you want to contact us in writing concerning this email, please direct your correspondence to:

Citibank Customer Service
P. O. Box 6500
Sioux Falls, SD 57117

Help / Contact Us
If you have questions about your account, please use our secure message center by signing on at www.citicards.com and choosing "Contact Us" from the "Help / Contact Us" menu. You can also call the customer service phone number on the back of your card.

(c) 2012 Citibank, N.A.
All rights reserved.
Citi, Citibank and Citi with Arc Design are registered service marks of Citigroup Inc.

The links in the email bounce through a legitimate hacked site, and in the samples I have seen end up on [donotclick]6.bbnface.com/string/obscure-logs-useful.php or [donotclick]6.mamaswishes.com/string/obscure-logs-useful.php both hosted on 173.246.102.223 (Gandi, US) which probably contains many other evil sites, so blocking that IP address would probably be prudent.

Update: the following domains appears to be on this server:
6.bbnface.com
6.mamasauction.com
6.bbnfaces.com
6.mamaswishes.com
6.bbnfaces.net
6.mamaswishes.net

Wednesday, 12 December 2012

Citibank spam / platinumbristol.net

This fake Citibank spam leads to malware on platinumbristol.net:

From:     citibankonline@serviceemail1.citibank.com via pado.com.br
Date:     12 December 2012 15:38
Subject:     Account Alert
Mailed-by:     pado.com.br

Citi    
Email Security Zone     EMAIL SECURITY AREA    
   
ATM/Credit card ending in: XXX7      
 
Alerting System
   
Bill Payment

Ultimate Savings Account (USA) XXXXXXXXX2
Amount Debited: $2,973.22
Date: 12/12/12

Log In to Overview Transaction
       
Bill Payment

Ultimate Savings Account (USA) XXXXXXXXX2
Amount Credited: $.97
Date: 12/12/12

Visit this link to Overview Detailed information
   
ABOUT THIS MESSAGE
Please DO NOT reply to this message. auomatic informational system unable to accept incoming messages.
              
Citibank, N.A. Member FDIC.
Å  2012 Citigroup Inc. Citi with Arc Design and Citibank are registered service marks of Citigroup Inc.

========================

From:     citibankonline@serviceemail5.citibank.com via clickz.com
Date:     12 December 2012 15:39
Subject:     Account Notify
Mailed-by:     clickz.com

Citi    
Email Security Zone     EMAIL SAFETY AREA      
            
ATM/Debit card ending in: XXX7      
 
Alerting System

Money Transfer Report

Savings Account XXXXXXXXX8
Amount Withdrawn: $3,620.11
Date: 12/12/12

Visit this link to Cancel Details

Money Transfer Report

Savings Account XXXXXXXXX8
Amount Withdrawn: $.38
Date: 12/12/12

Sign In to Overview Details

ABOUT THIS MESSAGE
Please Not try to reply to this message. automative notification system unable to accept incoming messages.
      
Citibank, N.A. Member FDIC.
© 2012 Citigroup Inc. Citi with Arc Design and Citibank are registered service marks of Citigroup Inc. 

========================

Date:      Wed, 12 Dec 2012 23:16:15 +0700
From:      alets-no-reply@serviceemail6.citibank.com
Subject:      Account Insufficient funds

EMAIL SAFETY ZONE    
       
ATM/Debit card ending in: XXX0    
       
Notifications System
   
Transaction Announcement

Ultimate Savings Account (USA) XXXXXXXXX4
Amount Debited: $4,222.19
Date: 12/12/12

Login to Abort Detailed information

Transaction Announcement

Ultimate Savings Account (USA) XXXXXXXXX4
Amount Credited: $.41
Date: 12/12/12

Go to web site by clicking here to See Operation

ABOUT THIS MESSAGE

Please Not try to reply to this message. automative notification system cannot accept incoming mail.
   
Citibank, N.A. Member FDIC.

� 2012 Citigroup Inc. Citi with Arc Design and Citibank are registered service marks of Citigroup Inc.

========================


Date:      Wed, 12 Dec 2012 20:07:46 +0400
From:      citibankonline@serviceemail8.citibank.com
Subject:      Account Operation Alert

EMAIL SECURITY ZONE    
       
Credit card ending in: XXX0    
       
Notifications System
   
Bill Payment

Ultimate Savings Account (USA) XXXXXXXXX3
Amount Credited: $5,970.51
Date: 12/12/12

Click Here to Review Transaction

Bill Payment

Ultimate Savings Account (USA) XXXXXXXXX3
Amount Withdrawn: $.11
Date: 12/12/12

Sign In to View Operation

ABOUT THIS MESSAGE

Please don't reply to this message. auomatic informational system cannot accept incoming mail.
   
Citibank, N.A. Member FDIC.

� 2012 Citigroup Inc. Citi with Arc Design and Citibank are registered service marks of Citigroup Inc.
The malicious payload is at [donotclick]platinumbristol.net/detects/alert-service.php hosted on the same 59.57.247.185 IP address in China that has been used in several recent attacks. This is definitely an IP to block if you can.

I can see the following evil domains on that same server:
eaglepointecondo.org
sessionid0147239047829578349578239077.pl
securityday.pl
pleansantwille.com
labpr.com
ibertomoralles.com
shopgreatvideonax.com
eaglepointecondo.co
naky.net
ygsecured.ru
romoviebabenki.ru
robertokarlosskiy.su
platinumbristol.net

Happy 12:12 12/12/12

Happy 12:12 12/12/12! Well, if you are in the GMT time zone anyway..

Tuesday, 11 December 2012

Changelog spam / aseniakrol.ru

This spam leads to malware on aseniakrol.ru:

Date:      Tue, 11 Dec 2012 10:46:43 -0300
From:      Tarra Comer via LinkedIn [member@linkedin.com]
Subject:      Re: Your Changelog UPDATED

Hi,

as promised your changelog - View

I. Easley
The malicious payload is at [donotclick]aseniakrol.ru:8080/forum/links/column.php hosted on a bunch of IPs that have been used for malware before:

202.180.221.186 (GNet, Mongolia)
212.162.52.180 (Secure Netz, Germany)
212.162.56.210 (Secure Netz, Germany)

Monday, 10 December 2012

AICPA spam / eaglepointecondo.org

Yet another fake AICPA spam run today with a slightly different domain from before, now on eaglepointecondo.org:


Date:      Mon, 10 Dec 2012 18:51:38 +0100
From:      "AICPA" [info@aicpa.org]
Subject:      Tax return assistance fraud.

You're receiving this message as a Certified Public Accountant and a part of AICPA.
Having any issues reading this email? Overview it in your favorite browser.

Suspension of CPA license due to income tax indictment

Valued AICPA participant,

We have been notified of your potential participation in income tax refund shady transactions for one of your customers. In concordance with AICPA Bylaw Head # 740 your Certified Public Accountant status can be terminated in case of the act of submitting of a phony or fraudulent tax return for your client or employer.

Please be informed of the complaint below and respond to it within 7 work days. The refusal to respond within this period will finish in cancellation of your Accountant status.

Delation.pdf

The American Institute of Certified Public Accountants.

Email: service@aicpa.org
Tel. 888.777.7077
Fax. 800.362.5066

===================


Date:      Mon, 10 Dec 2012 14:50:40 -0300
From:      "AICPA" [noreply@aicpa.org]
Subject:      Your accountant license can be end off.

You're receiving this message as a Certified Public Accountant and a part of AICPA.
Having problems reading this email? Review it in your browser.

Suspension of Accountant status due to tax return fraud prosecution

Respected AICPA member,

We have received a complaint about your alleged participation in income tax return fraudulent activity for one of your employees. In accordance with AICPA Bylaw Section No. 500 your Certified Public Accountant license can be terminated in case of the event of presenting of a false or fraudulent tax return for your client or employer.

Please find the complaint below below and provide your feedback to it within 3 work days. The rejection to provide the clarifications within this time-frame would abide in end off of your Certified Accountant Career.

SubmittedReport.pdf

The American Institute of Certified Public Accountants.

Email: service@aicpa.org
Tel. 888.777.7077
Fax. 800.362.5066

In this case the malicious payload is at [donotclick]eaglepointecondo.org/detects/denouncement-reports.php hosted on 59.57.247.185 in China, as with the earlier spam run today.

AICPA spam / eaglepointecondo.co

This fake AICPA spam leads to malware on eaglepointecondo.co:


Date:      Mon, 10 Dec 2012 19:29:21 +0400
From:      "AICPA" [alerts@aicpa.org]
Subject:      Income fake tax return accusations.

You're receiving this email as a Certified Public Accountant and a member of AICPA.
Having difficulties reading this email? Take a look at it in your browser.

Termination of Public Account Status due to income tax fraud allegations

Respected accountant officer,

We have received a denouncement about your probable interest in income tax return swindle for one of your customers. In concordance with AICPA Bylaw Head # 500 your Certified Public Accountant status can be revoked in case of the occurrence of submitting of a faked or fraudulent income tax return for your client or employer.

Please be notified below and provide explanation of this issue to it within 21 business days. The rejection to provide elucidation within this period would finish in end off of your CPA license.

SubmittedReport.doc

The American Institute of Certified Public Accountants.

Email: service@aicpa.org
Tel. 888.777.7077
Fax. 800.362.5066
The malicious payload is at [donotclick]eaglepointecondo.co/detects/denouncement-reports.php hosted on 59.57.247.185 in China, which has been used a few times recently for malware distribution.



The following malicious domains appear to be on the same server:
moid.pl
securityday.pl
pleansantwille.com
labpr.com
ibertomoralles.com
shopgreatvideonax.com
zindt.net
naky.net
svictrorymedia.ru
ygsecured.ru
romoviebabenki.ru
addon.su
robertokarlosskiy.su
eaglepointecondo.co

"You have been sent a file" Sendspace spam / anifkailood.ru:

This fake Sendspace spam leads to malware on anifkailood.ru:


Date:      Mon, 10 Dec 2012 06:01:01 -0500
From:      "Octavio BOWMAN" [AdlaiBaldacci@telefonica.net]
Subject:      You have been sent a file (Filename: [redacted]-722.pdf)


Sendspace File Delivery Notification:

You've got a file called [redacted]-018.pdf, (767.2 KB) waiting to be downloaded at sendspace.(It was sent by Octavio BOWMAN).





You can use the following link to retrieve your file:

Download Link



The file may be available for a limited time only.



Thank you,

sendspace - The best free file sharing service.

----------------------------------------------------------------------



Please do not reply to this email. This auto-mailbox is not monitored and you will not receive a response.
The malicious payload is at [donotclick]anifkailood.ru:8080/forum/links/column.php hosted on the following IPs:

202.180.221.186 (GNet, Mongolia)
212.162.52.180 (Secure Netz, Germany)
212.162.56.210 (Secure Netz, Germany)

Plain list:
202.180.221.186
212.162.52.180
212.162.56.210




Friday, 7 December 2012

Sendspace "You have been sent a file" spam / pelamutrika.ru

This fake Sendspace spam leads to malware on pelamutrika.ru:


Date:      Fri, 7 Dec 2012 10:53:57 +0200
From:      Badoo [noreply@badoo.com]
Subject:      You have been sent a file (Filename: [victimname]-64.pdf)

Sendspace File Delivery Notification:

You've got a file called [victimname]-792244.pdf, (337.19 KB) waiting to be downloaded at sendspace.(It was sent by CHASSIDY PROCTOR).

You can use the following link to retrieve your file:

Download Link

The file may be available for a limited time only.

Thank you,

sendspace - The best free file sharing service.

----------------------------------------------------------------------

Please do not reply to this email. This auto-mailbox is not monitored and you will not receive a response.
The malicious payload is at [donotclick]pelamutrika.ru:8080/forum/links/column.php hosted on the following familiar IP addresses which you should definitely try to block:

202.180.221.186 (GNet, Mongolia)
208.87.243.131 (Psychz Networks, US)