Pizza spam / gimalayad.ru

Cheese Lover's Pizza with no cheese?! Chicken pizza with three lots of extra ham?? This spam actually leads to malware on gimalayad.ru:

Date:      Wed, 6 Mar 2013 12:22:04 +0330
From:      Tagged [Tagged@taggedmail.com]
Subject:      Fwd: Order confirmation

You??™ve just ordered pizza from our site

Pizza Ultimate Cheese Lover's with extras:
- Bacon Pieces
- Ham
- Bacon Pieces
- Jalapenos
- Black Olives
- No Cheese
- Easy On Sauce
Pizza Chicken Supreme with extras:
- Ham
- Ham
- Ham
- Jalapenos
- Green Peppers
- Diced Tomatoes
- Extra Cheese
- Extra Sauce
Pizza Hawaiian Luau with extras:
- Ham
- Green Peppers
- Jalapenos
- Pineapple
- Extra Cheese
- No Sauce
Pizza Pepperoni Lover's with extras:
- Beef
- Ham
- Green Peppers
- Onions
- Green Peppers
- Extra Cheese
- Easy On Sauce
Pizza Spicy Sicilian with extras:
- Chicken
- Ham
- Bacon Pieces
- Pineapple
- Easy On Cheese
- Easy On Sauce
Drinks
- Grolsch x 6
- 7up x 3
- Budweiser x 4
- Carling x 2
Total Charge:    232.33$



If you haven??™t made the order and it??™s a fraud case, please follow the link and cancel the order.
CANCEL ORDER NOW!

If you don??™t do that shortly, the order will be confirmed and delivered to you.


With respect to you
ALBERTO`s Pizzeria

================================


Date:      Wed, 6 Mar 2013 09:16:56 +0100
From:      "Xanga" [noreply@xanga.com]
Subject:      Re: Fwd: Order confirmation

You??™ve just ordered pizza from our site

Pizza Ultimate Cheese Lover's with extras:
- Beef
- Pepperoni
- Diced Tomatoes
- Easy On Cheese
- Extra Sauce
Pizza Italian Trio with extras:
- Beef
- Black Olives
- Black Olives
- Onions
- Extra Cheese
- Extra Sauce
Pizza Triple Meat Italiano with extras:
- Bacon Pieces
- Ham
- Onions
- Green Peppers
- Diced Tomatoes
- Extra Cheese
- Extra Sauce
Drinks
- Simply Orange x 4
- Fanta x 2
- 7up x 2
- Heineken x 2
- Lift x 5
- Pepsi x 4
- Budweiser x 4
Total Charge:    242.67$



If you haven??™t made the order and it??™s a fraud case, please follow the link and cancel the order.
CANCEL ORDER NOW!

If you don??™t do that shortly, the order will be confirmed and delivered to you.


With Respect
PIERO`s Pizzeria

The malicious payload is at [donotclick]gimalayad.ru:8080/forum/links/column.php (report here) hosted on the same IPs used in this attack:


41.72.150.100 (Hetzner, South Africa)
117.104.150.170 (NTT, Japan)
212.180.176.4 (Supermedia, Poland)

Blocklist:
41.72.150.100
117.104.150.170
212.180.176.4
forum-la.ru
gosbfosod.ru
giliaonso.ru
forum-ny.ru
ginagion.ru
gimalayad.ru

BT Business Direct Order Spam / ginagion.ru

This fake BT spam leads to malware on ginagion.ru:

From: Bebo Service [mailto:service=noreply.bebo.com@bebo.com] On Behalf Of Bebo Service
Sent: 05 March 2013 21:22
Subject: BT Business Direct Order


Notice of delivery

Hi,

We're pleased to confirm that we have now accepted and despatched your order on Wed, 6 Mar 2013 03:21:30 +0600.

Unless you chose a next day or other premium delivery service option, then in most cases your order will arrive within 1-3 days. If we despatched your order via Letterpost, it may take a little longer.

***Please note that your order may have shipped in separate boxes and this means that separate consignment numbers may be applicable***

We've despatched...

..using the attached shipment details...
Courier     Ref     Carriage method
Royal Mail     FM320725534     1-3 Days

Please note that you will only be able to use this tracking reference once the courier has scanned the parcel into their depot. Please allow 24 hours from the date of this email before tracking your parcel online.

For information on how track your delivery, please follow to attached file.

Important information for Yodel deliveries:

If your consignment number starts with 3S3996956 your delivery will require a signature. If there is no-one at the delivery address to sign for the goods a card will be left containing the contact details of the courier so that you can re-arrange delivery or arrange a collection.

The malicious payload is at [donotclick]ginagion.ru:8080/forum/links/column.php (report here) hosted on:
41.72.150.100 (Hetzner, South Africa)
117.104.150.170 (NTT, Japan)
212.180.176.4 (Supermedia, Poland)

Blocklist:
41.72.150.100
117.104.150.170
212.180.176.4
gosbfosod.ru
giliaonso.ru
forum-ny.ru
ginagion.ru

Sendspace spam / forumkianko.ru

This fake Sendspace spam leads to malware on forumkianko.ru:

Date:      Tue, 5 Mar 2013 06:52:10 +0100
From:      AyanaLinney@[redacted]
Subject:      You have been sent a file (Filename: [redacted]-51153.pdf)

Sendspace File Delivery Notification:

You've got a file called [redacted]-01271.pdf, (797.4 KB) waiting to be downloaded at sendspace.(It was sent by DEON VANG).

You can use the following link to retrieve your file:

Download Link

The file may be available for a limited time only.

Thank you,

sendspace - The best free file sharing service.

----------------------------------------------------------------------

Please do not reply to this email. This auto-mailbox is not monitored and you will not receive a response.

The malicious payload is at [donotclick]forumkianko.ru:8080/forum/links/column.php (report here) hosted on:
 
46.4.77.145 (Hetzner, Germany)
198.104.62.49 (NTT America, US)
210.71.250.131 (Chungwa Telecom, Taiwan)

These IPs are the same as used in this attack.

"Scan from a Hewlett-Packard ScanJet" spam / giliaonso.ru

This fake HP printer spam leads to malware on giliaonso.ru:

Date:      Tue, 5 Mar 2013 12:53:40 +0500
From:      "Classmates . com" [classmatesemail@accounts.classmates.com]
Subject:      Fwd: Re: Scan from a Hewlett-Packard ScanJet #161051
Attachments:     HP_Scan.htm

Attached document was scanned and sent

to you using a HP A-16292P.

SENT BY : Landon
PAGES : 6
FILETYPE: .HTML [INTERNET EXPLORER/MOZILLA FIREFOX]

The attachment leads to malware on [donotclick]giliaonso.ru:8080/forum/links/column.php (report here) hosted on the following IPs:

46.4.77.145 (Hetzner, Germany)
198.104.62.49 (NTT America, US)
210.71.250.131 (Chungwa Telecom, Taiwan)

Blocklist:
46.4.77.145
198.104.62.49
210.71.250.131
forum-la.ru
forumla.ru
forumilllionois.ru
forumny.ru
forum-la.ru
forumla.ru
foruminanki.ru
ny-news-forum.ru
forumilllionois.ru
forum-ny.ru
forumny.ru
giliaonso.ru

Something evil on 5.9.196.3 and 5.9.196.6

Two IPs in the 5.9.196.0/28 block that you probably want to avoid are 5.9.196.3 and 5.9.196.6. The first of these IPs is being used in an injection attack (in this case via [donotclick]frasselt-kalorama.nl/relay.php) leading to two identified malware landing pages:

[donotclick]kisielius.surfwing.me/world/explode_conscious-scandal.jar (report here)
[donotclick]alkalichlorideasenteeseen.oyunhan.net/world/romance-apparatus_clinical_repay.php (report here)

Domains visible on 5.9.196.3 include:
alkalichlorideasenteeseen.oyunhan.net
kisielius.surfwing.me
dificilmentekvelijitten.surfwing.me
kisielius.surfwing.me
befool-immatriculation.nanovit.me
locoburgemeester.toys2bsold.com
ratiocination-wselig.smithsisters.us

A few IPs along is 5.9.196.6 which hosts the following domain that also looks highly suspect:
inspegrafstatkakukano.creatinaweb.com

Blocking these domains completely is probably a good idea:
oyunhan.net
surfwing.me
nanovit.me
toys2bsold.com
smithsisters.us
creatinaweb.com

5.9.196.0/28 is a Hetzner IP allocated to:

inetnum:        5.9.196.0 - 5.9.196.15
netname:        PQCSERVICE-LLC
descr:          pqcservice llc
country:        DE
admin-c:        VS4214-RIPE
tech-c:         VS4214-RIPE
status:         ASSIGNED PA
mnt-by:         HOS-GUN
source:         RIPE # Filtered

person:         Vadim Sheyin
address:        pqcservice llc
address:        Universitetskaya 2a
address:        61091 Kharkov
address:        UKRAINE
phone:          +380506268399
nic-hdl:        VS4214-RIPE
mnt-by:         HOS-GUN
source:         RIPE # Filtered

I haven't seen anything of value in this /28, blocking it may be prudent.

"British Airways E-ticket receipts" spam / forum-la.ru

This fake British Airways spam leads to malware on forum-la.ru:

From:     LiveJournal.com [do-not-reply@livejournal.com]
Date:     4 March 2013 12:17
Subject:     British Airways E-ticket receipts

e-ticket receipt
Booking reference: 9AZ3049885
Dear,

Thank you for booking with British Airways.

Ticket Type: e-ticket
This is your e-ticket receipt. Your ticket is held in our systems, you will not receive a paper ticket for your booking.

Your itinerary is attached (Internet Exlplorer/Mozilla Firefox file)


Yours sincerely,

British Airways Customer Services

British Airways may monitor email traffic data and also the content of emails, where permitted by law, for the purposes of security and staff training and in order to prevent or detect unauthorised use of the British Airways email system.

British Airways Plc is a public limited company registered in England and Wales. Registered number: 79805156. Registered office: Waterside, PO Box 365, Harmondsworth, West Drayton, Middlesex, England, UB7 0GB.

How to contact us
Although we are unable to respond to individual replies to this email we have a comprehensive section that may help you if you have a question about your booking or travelling with British Airways.


If you require further assistance you may contact us

If you have received this email in error
This is a confidential email intended only for the British Airways Customer appearing as the addressee. If you are not the intended recipient please delete this email and inform the snder as soon as possible. Please note that any copying, distribution or other action taken or omitted to be taken in reliance upon it is prohibited and may be unlawful.

The email has an attachment named E-Ticket-N93892PK.htm which attempts to direct the victim to a malware page at [donotclick]forum-la.ru:8080/forum/links/column.php (report here) hosted on:
198.104.62.49 (NTT America, US)
210.71.250.131 (Chungwa Telecom, Taiwan)


Blocklist:
198.104.62.49
210.71.250.131
forumla.ru
forumny.ru
forum-la.ru
foruminanki.ru
ny-news-forum.ru
forumilllionois.ru
forum-ny.ru

dealerbid.co.uk spam

This spam uses an email address ONLY used to sign up for dealerbid.co.uk

From:     HM Revenue & Customs [enroll@hmrc.gov.uk]
Date:     4 March 2013 13:37
Subject:     HMRC Tax Refund ID: 3976244

Dear Taxpayer,

After the last annual calculations of your fiscal activity we have discovered that you are eligible to receive a tax refund of 377.50 GBP. Kindly complete the tax refund request and allow 2-3 working days to process it.

 A refund can be delayed for a variety of reasons. For example submitting invalid records or applying after the deadline. Please click on the attached file in order to access the form for your tax refund.

 Currently we are only able to process tax refunds through "LloydsTSB". Alternatively, you can wait for the next few weeks to apply for a full refund through additional financial institutions(Banks).

Kind regards,

 Paul McWeeney
 Head of Consumer Sales and Service

The email got horribly mangled on the way and luckily whatever payload came with it is buggered. Of interest though, the email originates from 78.136.27.79 which is home to the following websites:

everybodyonline.co.uk
uk-car-discount.co.uk

The email address has been stolen from one UK motoring related site, and the spam sent through the hacked server of another UK motoring site. That's a peculiar coincidence, although I do not believe that those site operators are responsible for this spam run.

It looks like I am not the only person to notice this same problem..

UPDATE 1: dealerbid.co.uk are investigating this issue.
UPDATE 2: it happened again.
UPDATE 3: there's no evidence of malware on 78.136.27.79, everybodyonline.co.uk or uk-car-discount.co.uk as far as I can see. I guess it may have been an open relay. If you are blacklisting these for malware that I suggest you un-blacklist them. (2013-09-25)

eFax spam / forumla.ru

This fake eFax spam leads to malware on forumla.ru:

Date:      Mon, 4 Mar 2013 08:53:20 +0300
From:      LinkedIn [welcome@linkedin.com]
Subject:      Efax Corporate
Attachments:     Efax_Corporate.htm



Fax Message [Caller-ID: 646370000]

You have received a 57 pages fax at Mon, 4 Mar 2013 08:53:20 +0300, (213)-406-0113.

* The reference number for this fax is [eFAX-336705661].

View attached fax using your Internet Browser.


© 2013 j2 Global Communications, Inc. All rights reserved.
eFax ® is a registered trademark of j2 Global Communications, Inc.

This account is subject to the terms listed in the eFax ® Customer Agreement.

The malicious payload is at [donotclick]forumla.ru:8080/forum/links/column.php (report here) hosted on 210.71.250.131 (Chungwa Telecom, Taiwan). These other sites are also visible on the same IP:
foruminanki.ru
ny-news-forum.ru
forumilllionois.ru
forum-ny.ru
forumny.ru
forumla.ru

Delta Airlines spam / inanimateweaknesses.net and complainpaywall.net

This fake Delta Airlines spam leads to malware on inanimateweaknesses.net and complainpaywall.net:

From: DELTA CONFIRMATION [mailto:cggQozvOc@sutaffu.co.jp]
Sent: 04 March 2013 14:27
Subject: Your Receipt and Itinerary

Thank you for choosing Delta. We encourage you to review this information before your trip.
If you need to contact Delta or check on your flight information, go to delta.com/itineraries

Now, managing your travel plans just got easier. You can exchange, reissue and refund electronic tickets at delta.com/itineraries.

Take control and make changes to your itineraries at delta.com/itineraries.

Speed through the airport. Check-in online for your flight.

Check-in

Flight Information
DELTA CONFIRMATION #: D0514B3
TICKET #: 00920195845933
Bkng Meals/ Seat/
Day Date Flight Status Class City Time Other Cabin
--- ----- --------------- ------ ----- ---------------- ------ ------ -------
Mon 11MAR DELTA 372 OK H LV NYC-KENNEDY 820P F 19C
AR SAN FRANCISCO 8211P COACH

Fri 15MAR DELTA 1721 OK H LV LOS ANGELES 1145P V 29A
AR NYC-KENNEDY 812A# COACH

Check your flight information online at delta.com/itineraries

The email contains several links to different hacked sites, which then forward to [donotclick]inanimateweaknesses.net/closest/c93jfi2jf92ifj39ugh2jfo3g.php (report  here) or [donotclick]complainpaywall.net/closest/c93jfi2jf92ifj39ugh2jfo3g.php (report here) both of which are hosted on 188.93.211.156 (Logol.ru, Russia). In my opinion 188.93.210.0/23 is a bit of a sewer and should be blocked if you can, as there are probably many other malicious sites nearby.


Of note is that the links in the email only seem to work with a correct referrer and user agent. If those are not set, then you will not end up at the malware page.

Casino-themed Blackhole sites

Here's a a couple of URLs that looks suspicious like a BlackHole Exploit kit, hosted on 130.185.105.74:

[donotclick]888casino-luckystar.net/discussing/sizes_agreed.php
[donotclick]555slotsportal.org/discussing/alternative_distance.php
[donotclick]555slotsportal.net/shrift.php
[donotclick]555slotsportal.net/discussing/alternative_distance.php
[donotclick]555slotsportal.me/discussing/alternative_distance.php
[donotclick]sexstreamsmatez.biz/discussing/alternative_distance.php

You can find a sample report here.  Let's dig a little deeper into that IP address.

inetnum:        130.185.105.0 - 130.185.105.127
netname:        Creative-Telematics-Trade
descr:          Creative Telematics & Trade s.r.o.
country:        CZ
admin-c:        AT1717-RIPE
tech-c:         AT1717-RIPE
status:         ASSIGNED PA
mnt-by:         XIRRA
source:         RIPE # Filtered

person:         Alexey Terentyev
address:        Czech Republic
address:        Praha 1, Na Prikope 10
address:        11000 Praha Czech Republi
address:        CZ
phone:          +420 228880161
fax-no:         +420 227204027
abuse-mailbox:  abuses@nkvdteam.ru
nic-hdl:        AT1717-RIPE
mnt-by:         NETDIRECT-MNT
source:         RIPE # Filtered

route:          130.185.105.0/24
descr:          XIRRA-NET
origin:         AS51191
mnt-by:         XIRRA
source:         RIPE # Filtered

"Alexey Terentyev" isn't a very Czech name, and neitgher is the domain name of nkvdteam.ru.. wait.. NKVD? You have to have a certain mind-set to call yourself that I guess..

So what can we find hosted on 130.185.105.74?

cams4xonline.me
555slotsportal.me
888casino-luckystar.me
klom555slots.me
zitex555slots.me
555slotsgamestoday.me
sexstreamsmatez.me
cams4xonline.org
555slotsportal.org
ttlxpoker.org
555pokerstreamx.org
sexstreamsmatez.org
555slotsportal.com
888casino-luckystar.com
ttlxpoker.com
888slotmachines.com
klom555slots.com
555slotsgamestoday.com
sexstreamsmatez.com
cams4xonline.info
555slotsportal.info
888casino-luckystar.info
ttlxpoker.info
klom555slots.info
zitex555slots.info
555slotsgamestoday.info
sexstreamsmatez.info
cams4xonline.net
555slotsportal.net
ttlxpoker.net
zitex555slots.net
daisy555slots.net
555slotsgamestoday.net
sexstreamsmatez.net
555slotsportal.biz
888casino-luckystar.biz
ttlxpoker.biz
muxxx4cams.biz
zitex555slots.biz
555slotsgamestoday.biz
sexstreamsmatez.biz

I'm going to suggest that there's nothing of value here and these sites are probably malicious and should be blocked. You might want to consider blocking 130.185.105.0/24 too.

usanewwork.com fake job offer

This fake job offer will be some illegal activity such as money laundering or reshipping stolen goods:

Date:      Thu, 28 Feb 2013 14:57:55 -0600
From:      andrzej.wojnarowski@[victimdomain]
Subject:      There is a vacancy of a Regional manager in USA:

If you have excellent administrative skills, working knowledge of Microsoft Office,
a keen eye for detail, well-versed in the use of social networking sites such as Twitter and Facebook,
are organized, present yourself well and are a team player with the ability to work independently,
are reliable and punctual and can understand and execute instructions are determined to work hard and succeed - we need you.

If you are interested in this job, please, send us your contact information:
Full name:
Country:
City:
E-mail:

Please email us for details: Paulette@usanewwork.com

In this case the email originated from 187.246.25.58, a Mega Cable customer in Guadalajara, Mexico. The domain is registered to an address that does not exist (there is no Pratt Avenue in Tukwila):

   Sarah Shepard info@usanewwork.com
   360-860-3630 fax: 360-860-3321
   4478 Pratt Avenue
   Tukwila WA 98168
   us

The domain was only registered two days ago on 28/2/13.


The nameservers ns1.stageportal.net and ns2.stageportal.net are shared by several other domains offering similar fake jobs:

arbeitsagentura.com
stepstonede.com
europswork.com
usanewwork.com
euroconsaltinn.com
europsconsult.com
stageportal.net

IP addresses involved are:
5.135.90.19 (OVH, France)
69.169.90.62 (Big Brain Host, US)
199.96.86.139 (Microglobe LLC, US)

This job offer is best avoided unless you like prison food.

For the record, these are the other registrant details.

stageportal.net:

      LAUREEN FREEMAN
      7538 TRADE ST.
      SAN DIEGO, CA 92121
      US
      Phone: +1.8585668488
      Email: wondermitch@hotmail.com

arbeitsagentura.com:

   Michael B. Jackson
   Michael Jackson info@arbeitsagentura.com
   909-542-7178 fax: 909-542-7311
   3832 Gordon Street
   Pomona CA 91766
   us

stepstonede.com:

   John L. Irizarry
   John Irizarry info@stepstonede.com
   858-450-8875 fax: 858-450-8811
   4808 Hamill Avenue
   San Diego CA 92123
   us

europswork.com:

   Connie J. Grooms
   Connie Grooms info@europswork.com
   626-448-5229 fax: 626-448-5211
   2815 Woodstock Drive
   El Monte CA 91731
   us

euroconsaltinn.com:

   Mamie W. Murray
   Mamie Murray info@euroconsaltinn.com
   920-245-0475 fax: 920-245-0411
   3390 Rockford Mountain Lane
   West Allis WI 53227
   us

europsconsult.com:

   Regina P. Clay
   Regina Clay info@europsconsult.com
   212-241-1581 fax: 212-241-1211
   408 Bell Street
   New York NY 10029
   us

"Contract of 09.07.2011" spam / forumny.ru

This contracts-themed spam leads to malware on forumny.ru:

Date:      Thu, 28 Feb 2013 11:43:15 +0400
From:      "LiveJournal.com" [do-not-reply@livejournal.com]
Subject:      Fw: Contract of 09.07.2011
Attachments:     Contract_Scan_IM0826.htm

Dear Sirs,

In the attached file I am forwarding you the Translation of the Loan Contract that I have just received a minute ago. I am really sorry for the delay.

Best regards,

SHERLENE DARBY, secretary

The attachment Contract_Scan_IM0826.htm leads to malware on [donotclick]forumny.ru:8080/forum/links/column.php (report here) on:

31.200.240.153 (Unelink Telecom, Spain)
83.169.41.58 (Host Europe, Germany)

Blocklist:
31.200.240.153
83.169.41.58
carmennavarro.es
eiiiioovvv.ru
ejjiipprr.ru
emmmhhh.ru
errriiiijjjj.ru
famagatra.ru
filialkas.ru
finalions.ru
forumbmwr.ru
forumkinza.ru
forumligandaz.ru
forummersedec.ru
forummoskowciti.ru
forumny.ru
forumrogario.ru
forumusaaa.ru
forumvvz.ru
fuigadosi.ru
fzukungda.ru

"Follow this link" spam / sidesgenealogist.org

This rather terse spam appears to leads to an exploit kit on sidesgenealogist.org:

From: Josefina Underwood [mailto:hdFQe@heathrowexpress.com]
Sent: 27 February 2013 16:43
Subject: Follow this link

I have found it http://www.eurosaudi.com/templates/beez/wps.php?v20120226

Sincerely yours,
Sara Walton

The link is to a legitimate hacked site, and in this case it attempts to bounce to [donotclick]sidesgenealogist.org/closest/c93jfi2jf92ifj39ugh2jfo3g.php but at the time of writing the malware site appears to be overloaded. However, we can find an earlier report for the same sever here that indicates an exploit kit.

The malware is hosted on 188.93.210.226 (Logol.ru, Russia). I would recommend blocking the entire 188.93.210.0/23 range to be on the safe side. These other two domains are in the same AS and are currently active:

reinstalltwomonthold.org
nephewremovalonly.org
scriptselse.org
everflowinggopayment.net

"End of Aug. Statement" spam / forumusaaa.ru

This invoice-themed spam leads to malware on forumusaaa.ru:

Date:      Thu, 28 Feb 2013 06:04:08 +0530
From:      "Lisa HAGEN" [WilsonVenditti@ykm.com.tr]
Subject:      Re: FW: End of Aug. Statement
Attachments:     Invoice_JAN-2966.htm

Good day,

as reqeusted I give you inovices issued to you per jan. (Microsoft Internet Explorer).

Regards

Lisa HAGEN

The malware is hosted at [donotclick]forumusaaa.ru:8080/forum/links/column.php (report here) hosted on:

31.200.240.153 (Unelink Telecom, Spain)
83.169.41.58 (Host Europe, Germany)

Blocklist:
31.200.240.153
83.169.41.58
fzukungda.ru
famagatra.ru
forumkinza.ru
forummersedec.ru
emmmhhh.ru
fuigadosi.ru
forummoskowciti.ru
errriiiijjjj.ru
forumrogario.ru
ejjiipprr.ru
forumbmwr.ru
filialkas.ru
finalions.ru
eiiiioovvv.ru
forumligandaz.ru
forumvvz.ru
forumusaaa.ru

US Airways spam / berrybots.net

This very details but fake US Airways spam leads to malware on berrybots.net:

Date:      Wed, 27 Feb 2013 08:09:36 -0500 [08:09:36 EST]
From:      bursarp1@email-usairways.com
Subject:      Your US Airways trip

Confirmation code:   B339AO Date issued:   Tuesday, February 26, 2013 [redacted] Scan at any US Airways kiosk to check in Passenger summary Passenger name Frequent flyer # (Airline) Ticket number Special needs Angel Morris 40614552582 (US)   22401837506661     Robert White   12938253579871      Fly details Download to Outlook Depart:    Philadelphia, PA  (PHL) Chicago, IL (O'Hare)  (ORD) Date: Thursday, February 28, 2013 Flight #/ Carrier Depart Arrive Travel time Meal Aircraft Cabin Seats 8766    09:38 AM   PHL 10:56 AM   ORD 2h 18m A320 Coach 236E 236A Return:    Chicago, IL (O'Hare)  (ORD) Philadelphia, PA   (PHL) Date: Wednesday, March 06, 2013 Flight #/ Carrier Depart Arrive Travel time Meal Aircraft Cabin Seats 4394    11:55 AM   ORD 02:49 PM  PHL 1h 54m A320 Coach 10A 10B   US Airways Total travel cost (2 passengers) 2 Adults   $667.35 USD  Taxes and fees  $95.25 USD  Fare total $754.61 USD    Total   $751.62 USD Charged to ************XXX7 (Credit or Debit Card) Helpful links Manage your reservation Join Dividend Miles Airport information Baggage policies TSA regulations Inflight internet Seated in an exit row? Read about checking in. Bags Pay for your checked bags when you check in online or at the airport! Read more about bags. Carry ons* Carry-on bag Personal item All flights Checked bags (each way/per person)* 1st bag 2nd bag U.S. / Canada / Latin America / Caribbean / Bermuda / South America (except Brazil) Transatlantic Transpacific / Brazil (except Hawaii) *Carry-ons can be up to 40 lbs and up to 45 inches and a personal item is a handbag, briefcase or laptop bag. **1st & 2nd checked bags can be up to 50 lbs and 62 inches except Brazil where you're allowed up to 70 lbs. Europe fees apply for travel to/from Asia through Europe. Baggage fees are non-refundable. 1st, 2nd and 3rd checked bag fees waived Gold, Platinum and Chairman's Preferred members Star Alliance Gold status members 1st and 2nd checked bag fees waived (Overweight / oversize fees still apply) Confirmed First Class and Envoy passengers Active U.S. military with ID on personal travel Active U.S. military with ID and dependents traveling with them on orders Unaccompanied minors (with US Airways unaccompanied minor paid assistance) 1st checked bag fees waived (Overweight / oversize fees still apply) Silver Preferred members Star Alliance Silver status members Other guidelines: Overweight/oversize fees and fees for 3 or more bags apply. Read all baggage policies. If you're traveling with an infant, the child is allowed 1 fully collapsible stroller or 1 child restraint device or car seat (no charge). If you're traveling internationally with an infant in lap, your child is also allowed 1 checked bag (checked bag fees apply - max 62 in/157 cm and 50 lbs/23 kg). If one or more of your flights is on a partner airline, please check with the other airline for information on optional fees. Terms & conditions Ticket is non-transferable. You must contact US Airways on or before your scheduled departure to cancel any or all of your flights. If you don't, your entire itinerary will be cancelled and there may be no remaining value to use toward another ticket. Any change to this reservation, including flights, dates, or cities, is subject to a fee per passenger (according to the rules of the original fare). The new itinerary will be priced at the lowest available published fare at the time of change, which may result in a fare increase. Ticket expires one year from original date of issue. Unflown value expires one year from original date of issue. Read more about all US Airways taxes and fees. You have 24 hours to cancel your reservation for a full refund. Please view this link. Checked baggage fees may apply. Air transportation on US Airways is subject to the US Airways Contract of Carriage. View this document in PDF format. Security regulations may require us to disclose to government agencies the data you provide to us in connection with this reservation. Changes to the country of origin are not permitted, except for changes between the United States and U.S. territories. Send US your compliments and/or complaints.

We are committed to protecting your privacy. Your information is kept private and confidential. For information about our privacy policy visit usairways.com. Please do not reply to this email, it is not monitored. If you'd like to contact us, please visit our website.

Picture version (click to enlarge):

The malicious payload is at [donotclick]berrybots.net/detects/circulation-comparatively.php (report here) hosted on:118.97.77.122 (PT Telkon, Jakarta)
147.91.83.31 (AMRES, Serbia)
195.88.139.78 (Neiron Systems, Ukraine)

Recommended blocklist:
118.97.77.122
147.91.83.31
195.88.139.78
greatfallsma.com
lazaro-sosa.com
yoga-thegame.net
dekolink.net
saberdelvino.net
berrybots.net

Intuit spam / forumligandaz.ru

This fake Intuit spam leads to malware on forumligandaz.ru:

Date:      Tue, 26 Feb 2013 01:27:09 +0330
From:      "Classmates . com" [classmatesemail@accounts.classmates.com]
Subject:      Payroll Account Holded by Intuit


Direct Deposit Service Informer
Communicatory Only

We cancelled your payroll on Tue, 26 Feb 2013 01:27:09 +0330.

    Finances would be gone away from below account # ending in 8733 on Tue, 26 Feb 2013 01:27:09 +0330
    amount to be seceded: 3373 USD
    Paychecks would be procrastinated to your personnel accounts on: Tue, 26 Feb 2013 01:27:09 +0330
    Log In to Review Operation


Funds are typically left before working banking hours so please make sure you have enough Finances accessible by 12 a.m. on the date Cash are to be seceded.

Intuit must reject your payroll by 4 p.m. Central time, two banking days before your paycheck date or your state would not be paid on time.
QuickBooks does not process payrolls on weekends or federal banking holidays. A list of federal banking holidays can be viewed at the Federal Reserve website.

Thank you for your business.

Regards,
Intuit Payroll Services

The malicious payload is at [donotclick]forumligandaz.ru:8080/forum/links/column.php (report here) hosted on:

31.200.240.153 (Unelink Telecom, Spain)
83.169.41.58 (Host Europe, Germany)

Blocklist:
31.200.240.153
83.169.41.58
fzukungda.ru
famagatra.ru
forumkinza.ru
forummersedec.ru
emmmhhh.ru
fuigadosi.ru
forummoskowciti.ru
errriiiijjjj.ru
forumrogario.ru
ejjiipprr.ru
forumbmwr.ru
filialkas.ru
finalions.ru
eiiiioovvv.ru
forumvvz.ru
forumligandaz.ru

Facebook spam / lazaro-sosa.com

This fake Facebook spam leads to malware on lazaro-sosa.com:

Date:      Tue, 26 Feb 2013 14:26:20 +0200
From:      "Facebook" [twiddlingv29@informer.facebook.com]
Subject:      Brian Parker commented your photo.

facebook
   
Brian Parker commented on Your photo.
Reply to this email to comment on this photo.
See Comment
This message was sent to [redacted]. If you don't want to receive these emails from Facebook in the future, please unsubscribe.

Facebook, Inc., Attention: Department 415, PO Box 10001, Palo Alto, CA 90307

The malicious payload is at [donotclick]lazaro-sosa.com/detects/queue-breaks-many_suffering.php (report here) hosted on:

118.97.77.122 (PT Telkom, Indonesia)
147.91.83.31 (AMRES, Serbia)

Blocking these IPs is probably prudent.

"TrustKeeper Vulnerabilities Scan Information" spam / saberdelvino.net

Well this is new.. this "TrustKeeper Vulnerabilities Scan Information" spam leads to an exploit kit on saberdelvino.net:

From: Trustwave [porosity@e.trustwave.com]
Date: 25 February 2013 17:09
Subject: TrustKeeper Vulnerabilities Scan Information

To view this email as a web page, go here.

view email in a web browser
[redacted]
 

This is an auto-generated report to notice you that the scheduled TrustKeeper vulnerability scan of YOUR NETWORK SYSTEMS has completed and is not compliant.

IMPORTANT: During the scan, TrustKeeper Identified  some Vulnerabilities. Trustwave strongly recommends you review these findings as your overall PCI DSS compliance status may be affected.

TrustKeeper generated a vulnerability scan report. You may view these results by accessing TrustKeeper at:

    https://secure.trustwave.com
    User Name:[redacted]

You will receive an e-mail confirmation when the scan completes and your results are available.   Please note that this can take up to three days.

Note: If you monitor your network for activity, note that the TrustKeeper scan may originate from IP addresses in these ranges:

206.10.209.0/24
62.36.233.0/24

TrustKeeper is a certified remote assessment and compliance solution created by Trustwave and designed to help merchants meet the PCI DSS and achieve compliance with the associated programs of Visa®, MasterCard®, American Express®, Discover®, and other credit card associations. The TrustKeeper solution is an integrated easy-to-use tool that removes the challenge of navigating the complex PCI DSS requirements and provides a "one stop shop" for merchants to certify compliance.    

PLEASE DON'T REPLY TO THIS MESSAGE VIA EMAIL.
This mail is sent by an automated message system and the reply will not be received. Thank you for using TrustKeeper.

This email was sent to: [redacted]

This email was sent by: Trustwave
80 West Madison Street, Suite 1080, Chicago, IL, 60707, USA

We respect your right to privacy - view our policy
   

MANAGE SUBSCRIPTIONS           |            UPDATE PROFILE              |          ONE-CLICK UNSUBSCRIBE

The malicious payload is at [donotclick]saberdelvino.net/detects/random-ship-members-daily.php (report here) hosted on the following IPs:

118.97.77.122 (PT Telekon, Indonesia)
176.120.38.238 (Langate, Ukraine)

Blocklist:
118.97.77.122
176.120.38.238
greatfallsma.com
yoga-thegame.net
dekolink.net
saberdelvino.net
betheroot.net

LinkedIn spam / greatfallsma.com and yoga-thegame.net

This "accidental" LinkedIn spam is a fake and leads to malware on greatfallsma.com:

From: LinkedIn [mailto:papersv@informer.linkedin.com]
Sent: 22 February 2013 15:58
Subject: Reminder about link requests pending

See who connected with you this week on LinkedIn
Now it's easy to connect with people you email
Continue
 
This is an accidental LinkedIn Marketing email to help you get the most out of LinkedIn. Unsubscribe
 
© 2013, LinkedIn Corporation. 2089 Stierlin Ct, Mountain View, CA 99063

Another example:

Date:      Fri, 22 Feb 2013 18:21:25 +0200
From:      "LinkedIn" [noblest00@info.linkedin.com]
Subject:      Reminder about link requests pending

�����

[redacted]
See who requested link with you on LinkedIn

Now it's easy to connect with people you email
Continue
   
This is an casual LinkedIn Marketing email to help you get the most out of LinkedIn. Unsubscribe
� 2013, LinkedIn Corporation. 2073 Stierlin Ct, Mountain View, CA 98043

The malicious payload is at [donotclick]greatfallsma.com/detects/impossible_appearing_timing.php (report here) hosted on:

50.7.251.59 (FDC Servers, Czech Republic)
176.120.38.238 (Langate, Ukraine)

These are the same two servers used in this attack, blocking them would probably be a good idea.

UPDATE: the malicious domain yoga-thegame.net is also on the same servers (report here)