Date: Mon, 11 Feb 2013 06:13:52 -0700The site appears to be clean from a malware perspective and is hosted on 171.25.190.246 (Verus AS, Latvia) along with these other fake pharma sites:
From: "Brinda Wimberly" [noreply@mdsconsulting.be]
Subject: Support Center
Welcome to Help Support Center
Hello,
You have been successfully registered in our Ticketing System
Please, login and check status of your ticket, or report new ticket here
See All tickets
Go To Profile
This message was sent to [redacted]. Should you have any questions, or if you believe that you have received this in error please contact us at support center.
Date: Fri, 8 Feb 2013 18:26:05 +0100 [12:26:05 EST]In this case there was a ZIP file called 048575623_02082013.zip (this may vary) with an attachment 048575623_02082013.exe designed to look like a PDF file.
From: "ops_invoice@adp.com" [ops_invoice@adp.com]
Subject: ADP Payroll Invoice for week ending 02/08/2013 - 01647
Your ADP Payroll invoice for last week is attached for your review. If you have any questions regarding this invoice, please contact your ADP service team at the number provided on the invoice for assistance.
Thank you for choosing ADP Payroll.
Important: Please do not respond to this message. It comes from an unattended mailbox.
Date: Fri, 8 Feb 2013 11:55:55 -0500 [11:55:55 EST]
From: Better Business Bureau [notify@bbb.org]
Subject: BBB details about your cliente's pretense ID 43C796S77
Better Business Bureau ©
Start With Trust ©
Thu, 7 Feb 2013
RE: Issue No. 43C796S77
[redacted]
The Better Business Bureau has been booked the above mentioned claim letter from one of your purchasers in respect of their business contacts with you. The detailed description of the consumer's concern are available for review at a link below. Please pay attention to this subject and let us know about your judgment as soon as possible.
We pleasantly ask you to visit the GRIEVANCE REPORT to reply on this claim.
We awaits to your prompt response.
Best regards
Luis Davis
Dispute Advisor
Better Business Bureau
Better Business Bureau
3073 Wilson Blvd, Suite 600 Arlington, VA 23501
Phone: 1 (703) 276.0100 Fax: 1 (703) 525.8277
This note was sent to [redacted]. Don't want to receive these emails anymore? You can unsubscribe
This spam attempts to load malware from live-satellite-view.net, but fails because at the moment the domain isn't registered. However, you can expect them to try again.. so watch out for emails like this.From: FFIEC [mailto:complaints@ffiec.gov]The attempted download is from [donotclick]live-satellite-view.net/detects/advanced_selected_determines_comparison.php although it fails to resolve. Perhaps the registrar nuked the domain? However, it is possible to tell that the nameservers were ns1.http-page.net and ns2.http-page.net, and up investigate it turns out that all the following IPs and domains are related and should be treated as malicious:
Sent: 06 February 2013 16:17
Subject: FFIEC Occasion No. 77715
This summons is meant to make advise of file # 77715 which is opened and under interrogative with FFIEC following a accusation of your Financial Institution regarding suspect financial activity on your account.
A hard copy of this judicial process will be delivered to your business address.
Our institution will forward information to competent government agencies following this accusation.
Information and contacts regarding your Occasion file # can be found at
Occasion Number: 77715
Observed by
Federal Financial Institution Examination Council
Emily Gray
From: VictimI've seen another variant with a reply address of Delores@inukjob.com. In all these cases, the email appears to come from the victim (here's why). Let's dig a little deeper into the domain. It turns out that it is registered by scam-friendly Chinese registrar BIZCN.COM.
To: Victim
Date: 6 February 2013 09:16
Subject: Looking for remote assistants, paid $ 100 per hour helping other people
Good afternoon!
Is it possible for you to spare a few hours a week to the new occupation, which would increase your wages in 2-3 times, without investing a penny? While you are looking for the trick in this offer, hundreds of your compatriots have already been reaping the benefits of working with us.
This is not a financial pyramid or marketing of any kind. It's about doing simple assignments, not exceed the limits of morals or ethics.
Your gender, age, employment do not matter - the main factors are your diligence and conscientiousness.
Lots of our employees began with a part-time employment and combined with other jobs, but two weeks later,
most of them devoted themselves to our job.
We are in all respects ready to remove all your doubts and help you to understand all details.
Position is called the "Regional Manager".
Functional duties:
- to represent the interests of foreign companies in the region (For example: providing your address for correspondence.)
- to take control of transactions between the company and the client in your area.
For more information, please, email us attaching your CV, the country and city of residence.
It will considerably increase your chances for employment. Email: Kelsey@inukjob.com
Best Regards,
PR Manager
Date: 7 February 2013 16:53
Subject: You can earn an additional $ 200 per day helping your communi
I would like to take this time to welcome you to our hiring process
and give you a brief synopsis of the position's benefits and requirements.
If you are taking a career break, are on a maternity leave,
recently retired or simply looking for some part-time job, this position is for you.
Occupation: Flexible schedule 2 to 8 hours per day. We can guarantee a minimum 20 hrs/week occupation
Salary: Starting salary is 2000 GBP per month plus commission, paid every month.
Business hours: 9:00 AM to 5:00 PM, MON-FRI, 9:00 AM to 1:00 PM SAT or part time (UK time).
Region: United Kingdom.
Please note that there are no startup fees or deposits to start working for us.
To request an application form, schedule your interview and receive more information about this position
please reply to Rene@inukjob.com with your personal identification number for this position IDNO: 6376
Date: Tue, 5 Feb 2013 18:32:06 +0100The malicious payload should be at [donotclick]salam-tv.com/detects/visit_putts.php but at the moment this domain doesn't seem to be resolving properly. A bit of digging around shows that it may be hosted on 198.144.191.50 (Chicago VPS, US) and the following malicious domains can be traced to that IP address:
From: "Amazon.com Orders" [no-reply@amazon.com]
Subject: Your Amazon.com order receipt.
Click here if the e-mail below is not displayed correctly.
Follow us:
Your Amazon.com Today's Deals See All Departments
Dear Amazon.com Customer,
Thanks for your order, [redacted]!
Did you know you can view and edit your orders online, 24 hours a day? Visit Your Account.
Order Details:
E-mail Address: [redacted]
Billing Address:
1170 CROSSING CRK N Rd.
Fort Wayne OH 49476-1748
United States
Phone: 1- 749-787-0001
Order Grand Total: $ 91.99
Earn 3% rewards on your Amazon.com orders with the Amazon Visa Card. Learn More
Order Summary:
Details:
Order #: C59-2302433-5787713
Subtotal of items: $ 91.99
------
Total before tax: $ 91.99
Tax Collected: $0.00
------
Grand Total: $ 90.00
Gift Certificates: $ 1.99
------
Total for this Order: $ 91.99
Find Great Deals on Millions of Items Storewide
We hope you found this message to be useful. However, if you'd rather not receive future e-mails of this sort from Amazon.com, please opt-out here.
� 2012 Amazon.com, Inc. or its affiliates. All rights reserved. Amazon, Amazon.com, the Amazon.com logo and 1-Click are registered trademarks of Amazon.com, Inc. or its affiliates. Amazon.com, 466 Sally Ave. N., Seattle, MA 71168-8282. Reference: 25090571
Please note that this message was sent to the following e-mail address: [redacted]
From: Hugh Crouch [tacticallyf44@riceco.com]The email originates from 31.25.91.159 in the Islamic Republic of Iran, spamvertising a site at www.xn--80aakfmpm2afbm.xn--p1ai (yes, that's a valid international domain name) hosted on 111.123.180.11 in China. In all likelihood, Phytiva and its parent company The X-Change Corporation (stock ticker XCHC) are almost definitely nothing to do with this rather odd spam. Avoid.
Date: 4 February 2013 12:39
Subject: RE: Targeting the global Cosmoceutical market
US leading biotech company is please to introduce a newly launched brand - a hybrid of a proven, existing product line that has been well-managed and conservatively-run for over a decade with a hemp-based product line, utilizing the unique and potent benefits of the plants. Revolutionary formulations target not just the symptom, but also the cause. The plant is the ideal basis for healing solutions and has been utilized for centuries, as skin responds extremely well to its properties.
Its newest Plant based Product lines that have identified over a dozen ailments that we believe that the products will be the superior choice on the market. These ailments include cancer, arthritis, influenza, HIV/ AIDS, PTSD and many more.
We are looking for leading beauty and health care investors. If you are dedicated to making difference in people”s lives, we need your help now more than ever before toprovide excellent and efficient medical and health care for our future researches.
For more information, please visit
You can unsubscribe from all our future email communications at
Date: Mon, 4 Feb 2013 01:01:46 -0600 (CST)There's no surprise to see that the IP address of the spamvertised site is 92.48.119.139 (Simply Transit, UK) along with the following other possibly spammy sites:
From: StumbleUpon [no-reply@stumblemail.com]
Subject: Update: Changes to Your Email Settings
Hi [redacted],
This is a quick note to let you know about some changes we've made to the email settings in your StumbleUpon account. We've created a bunch of new notification options that allow you to have more control over what types of emails you'll receive from us. These new notification options are not compatible with the old settings, so your settings have been reset. We apologize for any inconvenience, and want to make sure we only send you the emails you want to receive.
Now what? Please click here to head over to your email settings and update your preferences, so we know exactly what emails you'd like to receive from StumbleUpon.
Want to receive all notifications about shares from friends, recommended Stumbles, and more? Great, you don't have to do anything at all!
Thanks for Stumbling,
The StumbleUpon Team
P.S. Haven't signed in for a while and can't remember your password? You can reset it here by entering the email address used in this email.
Please don't reply to this message - for all questions, check out our Help Center. To visit your email settings, please click here.
StumbleUpon | 301 Brannan Street, 6th Floor, San Francisco, CA 94107
Here's a tersely-worded Photos spam leading to malware on eghirhiam.ru:Subject: PhotosAs is usually the case, the malware bounces through a legitimate hacked site and in this case ends up at [donotclick]eghirhiam.ru:8080/forum/links/public_version.php (report here) hosted on:
Good day,
your photos here http://www.jonko.com/photos.htm
Date: Wed, 30 Jan 2013 16:16:32 +0200The link in the email goes through a legitimate hacked site (in this case [donotclick]www.edenespinosa.com/track.php?fdic) to the amusingly named [donotclick]1wstdfgh.organiccrap.com/closest/984y3fh8u3hfu3jcihei.php (report here) hosted on 91.218.121.86 (CoolVDS / Kutcevol Maksum Mukolaevichm, US) which hosts the following suspect domains that you might want to block:
From: "Тимур.Носков@fdic.gov" [midshipmanc631@buprousa.com]
Subject: Important notice from FDIC
Attention!
Due to the adoption of a new security system, that is aimed at diminishing the number of cases of fraud and scams, all your ACH and WIRE transactions will be temporarily blocked until your security version meets the new requirements.. In order to restore your ability to make transactions, you are required to install a special security software. Please use the link below to download and install all the necessary files.
We apologize for causing you troubles by this measure.
If you need any assistance, please do not hesitate to contact us.
Sincerely yours,
Federal Deposit Insurance Corporation
Security Department
From: Grand Palace Slots [no-reply@tsm-forum.net]
Date: 30 January 2013 10:39
Subject: Try to play slots - 10$ free
Mailed-By: tsm-forum.net
Feel the unique excitement of playing at the world's premiere games!
Grand Palace gives you welcome package for slots up to 8,000$! What a fantastic offer, straight from the heart of World's gaming leader!
This is a great offer, especially when you see what else Grand Palace has to offer:
- US players welcome
- more than 100 fun games, realistic graphics
- the most secure and up-to-date software
- professional support staff to help you with whatever you might need, any time of the day or night!
And in the end we want to give you 10$ absolutelly free! (Use code CASH10)
Hurry up! Your free Grand Palace cash is waiting! Play Today!
http://www.igrandpalacegold.com
=========================================================
Click here to opt out of this email:
http://unsubscribe.igrandpalacegold.com
Date: Mon, 28 Jan 2013 17:30:50 +0100
From: "Facebook" [addlingabn2@bmatter.com]
Subject: Most recent events on Facebook
Hi [redacted],
You have disabled your Facebook account. You can reveal your account whenever you wish by logging into Facebook with your old login email address and password. After that you will be able to enjoy the site in the same way as before.
Kind regards,
The Facebook Team
Log in to Facebook and start connecting
Sign in
Please use the link below to resume your account :
http://www.facebook.com/resume/
This message was sent to [redacted]. If you don't want to receive these emails from Facebook in the future, please click: unsubscribe.
Facebook, Inc. Attention: Department 419 P.O Box 10007 Palo Alto CA 94301
