151.248.123.170 (Reg.ru, Russia) appears to be active in an injection attack at the moment. In the example I saw, the hacked site has injected code pointing to [donotclick]fdozwnqdb.4mydomain.com/jquery/get.php?ver=jquery.latest.js which then leads to a landing page on [donotclick]db0umfdoap.servegame.com/xlawr/next/requirements_anonymous_ordinary.php (report here but times out) which from the URL looks very much like a BlackHole Exploit kit.
This server hosts a lot of sites using various Dynamic DNS domains. I would recommend blocking the Dynamic DNS domains as a block rather than trying to chase down these bad sites individually. In my experience, Dynamic DNS services are being abuse to such an extent that pre-emptive blocking is probably the safest approach.
These are the domains I can see:
41y7kr.servehttp.com
96ztorwy89.serveblog.net
aehwmcqgx.myddns.com
ahbedbxyo.myfw.us
aivcdizhr.myfw.us
b57idtwn.servehalflife.com
bjtujinsl.changeip.org
bu3l0d4s.serveftp.com
bunahyfba.dns04.com
c9c7gldpp.serveblog.net
cigtdye.changeip.org
cuhadjcnyl.myfw.us
d15txn.servepics.com
db0umfdoap.servegame.com
dzrdmz.youdontcare.com
fapqdfckws.serveusers.com
fdozwnqdb.4mydomain.com
fdqeeo.freeddns.com
fxtloji.serveusers.com
geiuut.itemdb.com
grtyxl.xxuz.com
gxodzugrgq.mypicture.info
hgibkcayvxc.myfw.us
hrxivk.ddns.us
hyjantahjuc.myfw.us
hzfkim.ns01.info
idapjl.port25.biz
igwvypnsne.ftpserver.biz
jghdbtvxgj.ns3.name
jjjpbhx.4pu.com
jziirhsxi.dns04.com
keuiawjhbb.itemdb.com
kptslcbrbg.dsmtp.com
lgjkvp.ddns.us
motxke.dns04.com
mzfpmox.mysecondarydns.com
ngt5lcgnp.3utilities.com
objdjjhjpw.port25.biz
ozcffpa.jetos.com
ppmvfcrlw.youdontcare.com
ptdvlxyn.dsmtp.com
qcoidxrbod.ns02.us
rpsbccts.jetos.com
simiawbsilu.myfw.us
smysfr.ddns.ms
sufgrgzpj.ns3.name
swsdsr.mypicture.info
tbrfrz.lflinkup.net
toqmibzken.dynamicdns.biz
uouxhr.serveusers.com
uv985f.no-ip.info
vnlvrwkat.port25.biz
voc0cjieh.servehttp.com
vvecozzd.ns3.name
w5zik4js.sytes.net
wenrtsjzbc.myfw.us
yupbgt.4pu.com
zenj6u.no-ip.org
zjbihpktdn.myfw.us
This is what I recommend that you block:
151.248.123.170
3utilities.com
4mydomain.com
4pu.com
changeip.org
ddns.ms
ddns.us
dns04.com
dsmtp.com
dynamicdns.biz
freeddns.com
ftpserver.biz
itemdb.com
jetos.com
lflinkup.net
myddns.com
myfw.us
mypicture.info
mysecondarydns.com
no-ip.info
no-ip.org
ns01.info
ns02.us
ns3.name
port25.biz
serveblog.net
serveftp.com
servegame.com
servehalflife.com
servehttp.com
servepics.com
serveusers.com
sytes.net
xxuz.com
youdontcare.com
Wednesday, 3 April 2013
Something evil on 151.248.123.170
Labels:
Blackhole,
Injection Attacks,
Malware,
Russia,
Viruses
Tuesday, 2 April 2013
And this is why people don't trust lawyers..
You may or not have heard of Prenda Law.. it's a US law firm that has been pursuing alleged movie downloaders for copyright violations. But it won't reveal who it's clients are, leading to allegations that Prenda is up to some shenanigans.
Anyway.. it's a fascinating story even for non-lawyers, but it all came to a head when a judge dragged them into court and asked them to explain themselves. And they took the fifth. Ken at Popehat writes about the latest episode in this saga here.. but you've just got to love the summary of just how scandalous this is part way down:
I mean.. holy crap. It's worth reading that again just to understand what some lawyers are prepared to sink to. Their mothers must be very proud of them.
Anyway.. it's a fascinating story even for non-lawyers, but it all came to a head when a judge dragged them into court and asked them to explain themselves. And they took the fifth. Ken at Popehat writes about the latest episode in this saga here.. but you've just got to love the summary of just how scandalous this is part way down:
In effect, the responsible lawyers for a law firm conducting litigation before a court have refused to explain that litigation to the court on the grounds that doing so could expose them to criminal prosecution.
I mean.. holy crap. It's worth reading that again just to understand what some lawyers are prepared to sink to. Their mothers must be very proud of them.
Sendspace spam / imbrigilia.ru
This fake Sendspace spam leads to malware on imbrigilia.ru:
The malicious payload is at [donotclick]imbrigilia.ru:8080/forum/links/column.php (report here) hosted on the same IPs used in this attack:
80.246.62.143 (Alfahosting GmbH, Germany)
94.103.45.34 (ANKARAHOSTING, Turkey)
Blocklist:
80.246.62.143
94.103.45.34
humaniopa.ru
hiskinta.ru
illuminataf.ru
izamalok.ru
ilianorkin.ru
hillaryklinton.ru
izjianokr.ru
ivanovoposel.ru
hohohomaza.ru
imbrigilia.ru
Date: Tue, 2 Apr 2013 03:57:26 +0000
From: "JOSIE HARMON" [HARMON_JOSIE@hotmail.com]
Subject: You have been sent a file (Filename: [redacted]-7191.pdf)
Sendspace File Delivery Notification:
You've got a file called [redacted]-463168.pdf, (172.5 KB) waiting to be downloaded at sendspace.(It was sent by JOSIE HARMON).
You can use the following link to retrieve your file:
Download Link
The file may be available for a limited time only.
Thank you,
sendspace - The best free file sharing service.
----------------------------------------------------------------------
Please do not reply to this email. This auto-mailbox is not monitored and you will not receive a response.
The malicious payload is at [donotclick]imbrigilia.ru:8080/forum/links/column.php (report here) hosted on the same IPs used in this attack:
80.246.62.143 (Alfahosting GmbH, Germany)
94.103.45.34 (ANKARAHOSTING, Turkey)
Blocklist:
80.246.62.143
94.103.45.34
humaniopa.ru
hiskinta.ru
illuminataf.ru
izamalok.ru
ilianorkin.ru
hillaryklinton.ru
izjianokr.ru
ivanovoposel.ru
hohohomaza.ru
imbrigilia.ru
"End of Aug. Statement Required" spam / ivanovoposel.ru
This spam leads to malware on ivanovoposel.ru:
NORIKO Richmond
Raiden MORRISON
Attachments:
Invoice_U13726798.htm
Invoice_U453718.htm
Invoice_U913687.htm
The attachment leads to malware on [donotclick]ivanovoposel.ru:8080/forum/links/column.php (report here) hosted on:
80.246.62.143 (Alfahosting GmbH, Germany)
94.103.45.34 (ANKARAHOSTING, Turkey)
Blocklist:
80.246.62.143
94.103.45.34
humaniopa.ru
hiskinta.ru
illuminataf.ru
izamalok.ru
ilianorkin.ru
hillaryklinton.ru
izjianokr.ru
ivanovoposel.ru
hohohomaza.ru
From: messages-noreply@bounce.linkedin.com [mailto:messages-noreply@bounce.linkedin.com] On Behalf Of LinkedInAlternate names:
Sent: 02 April 2013 10:15
Subject: Re: FW: End of Aug. Statement Reqiured
Hallo,
as reqeusted I give you inovices issued to you per jan. (Microsoft Internet Explorer).
Regards
SHONTA SCHMITT
NORIKO Richmond
Raiden MORRISON
Attachments:
Invoice_U13726798.htm
Invoice_U453718.htm
Invoice_U913687.htm
The attachment leads to malware on [donotclick]ivanovoposel.ru:8080/forum/links/column.php (report here) hosted on:
80.246.62.143 (Alfahosting GmbH, Germany)
94.103.45.34 (ANKARAHOSTING, Turkey)
Blocklist:
80.246.62.143
94.103.45.34
humaniopa.ru
hiskinta.ru
illuminataf.ru
izamalok.ru
ilianorkin.ru
hillaryklinton.ru
izjianokr.ru
ivanovoposel.ru
hohohomaza.ru
"Russian Hackers" spam / kidala.info / hack-sell.su
These spam messages appear to be promoting the underground websites kidala.info and hack-sell.su, both of which appear to be engaged in hacking, crimeware and fraud. But is there something else going on here?
(Note that the emails may appear to be "from" your own account or someone in your own organisation. Don't worry, you have not been hacked.. forging an email address is trivially easy (described here).
But there's something unusual because these spams are being sent repeatedly to SpamCop.net email addresses, and I haven't seen them anywhere else. So why send spam emails to people who are very likely to file an abuse complaint.. unless you want the recipient to file an abuse complaint, that is.
This sort of attack pattern looks like a Joe Job, perhaps from a rival to these two underground forums. Targeting addresses that will likely file a complaint is a sort of reverse listwashing, and the pattern of repeated emails to the same address is also a Joe Job characteristic. And the thing about underground forums.. well, they don't tend to spam at all because they like to remain under the radar.
The sites don't appear to be hosting malware, if you've accidentally clicked through then there you are probably OK, although both sites look like they are down at the moment. There may well be more Joe Jobs after this one though, so don't be surprised if more rubbish floods your inbox.
Update: these subject lines are in use at the moment..
Best crack phorum so far!
Best hack conference so far!
Need buy some abuseimmune servers?
Need buy some injects?
Need buy some loads?
Need buy some socks?
Need buy some traffic?
Russian bad boys forum here, come join!
Russian hackers has anything you need.
Russian hackers has you neo!
Russian mafia has you...
Russian hackers mafia OWNS YOU!
Superior crack site so far!
World baddest hackers join us here
World Best hack website here
World Superior hack conference here
Date: Tue, 2 Apr 2013 18:07:48 +0700 [07:07:48 EDT]
Subject: Russian hackers has you neo!
Russian hackers has you neo!
kidala dot info
or this kidala.info
==========================
Date: Tue, 2 Apr 2013 17:17:29 +0700 [06:17:29 EDT]
Subject: Russian hackers has you neo!
Need buy some shells?
http://kidala.info
==========================
Date: Tue, 2 Apr 2013 16:27:24 +0700 [05:27:24 EDT]
Subject: Russian hackers has anything you need.
World Best hack conference hereurl here: kidala.info
==========================
Date: Tue, 2 Apr 2013 12:30:09 +0530 [03:00:09 EDT]
Subject: World Interesting hack site here
Hi Manurl here: http://hack-sell.su
==========================
Date: Tue, 2 Apr 2013 02:58:24 +0200 [04/01/13 20:58:24 EDT]
Subject: Russian hackers mafia OWNS YOU!
Russian mafia has you...
hack-sell.su
or this hack-sell dot su
==========================
Subject: Russian bad boys forum here, come join!
World baddest hackers join us hereurl here: hack-sell .su
==========================
Date: Mon, 1 Apr 2013 16:01:59 -0400 [04/01/13 16:01:59 EDT]
Subject: Russian hackers has anything you need.
Prime hack portal here!
hack-sell dot su
or this hack-sell dot su
(Note that the emails may appear to be "from" your own account or someone in your own organisation. Don't worry, you have not been hacked.. forging an email address is trivially easy (described here).
But there's something unusual because these spams are being sent repeatedly to SpamCop.net email addresses, and I haven't seen them anywhere else. So why send spam emails to people who are very likely to file an abuse complaint.. unless you want the recipient to file an abuse complaint, that is.
This sort of attack pattern looks like a Joe Job, perhaps from a rival to these two underground forums. Targeting addresses that will likely file a complaint is a sort of reverse listwashing, and the pattern of repeated emails to the same address is also a Joe Job characteristic. And the thing about underground forums.. well, they don't tend to spam at all because they like to remain under the radar.
The sites don't appear to be hosting malware, if you've accidentally clicked through then there you are probably OK, although both sites look like they are down at the moment. There may well be more Joe Jobs after this one though, so don't be surprised if more rubbish floods your inbox.
Update: these subject lines are in use at the moment..
Best crack phorum so far!
Best hack conference so far!
Need buy some abuseimmune servers?
Need buy some injects?
Need buy some loads?
Need buy some socks?
Need buy some traffic?
Russian bad boys forum here, come join!
Russian hackers has anything you need.
Russian hackers has you neo!
Russian mafia has you...
Russian hackers mafia OWNS YOU!
Superior crack site so far!
World baddest hackers join us here
World Best hack website here
World Superior hack conference here
Friday, 29 March 2013
"Please respond - overdue payment" spam / INVOICE_28781731.zip
Date: Fri, 29 Mar 2013 10:33:53 -0600 [12:33:53 EDT]Unzipping the attachment gives a malware filed called INVOICE_28781731.exe with an icon to look like a PDF file. VirusTotal detections are 16/46 and are mostly pretty generic. Comodo CAMAS reports a callback to topcancernews.com hosted on 199.19.212.149 (Vexxhost, Canada) which is also being used in this malware attack. Looking for that IP in your logs might show if any of your clients.
From: Victor_Lindsey@key.com
Subject: Please respond - overdue payment
Please find attached your invoices for the past months. Remit the payment by 02/04/2013
as outlines under our "Payment Terms" agreement.
Thank you for your business,
Sincerely,
Victor Lindsey
This e-mail has been sent from an automated system. PLEASE DO NOT REPLY.
The information contained in this message may be privileged, confidential and protected
from disclosure. If the reader of this message is not the intended recipient, or an
employee or agent responsible for delivering this message to the intended recipient, you
are hereby notified that any dissemination, distribution or copying of this communication
is strictly prohibited. If you have received this communication in error, please notify
your representative immediately and delete this message from your computer. Thank you.
Labels:
Canada,
EXE-in-ZIP,
Malware,
Spam,
Viruses
Thursday, 28 March 2013
ADP Spam / ipiniadto.ru
This fake ADP spam leads to malware on ipiniadto.ru:
Date: Thu, 28 Mar 2013 04:22:48 +0600 [03/27/13 18:22:48 EDT]The malicious landing page and recommended blocklist are the same as for this parallel attack also running today.
From: Bebo Service [service@noreply.bebo.com]
Subject: ADP Immediate Notification
ADP Immediate Notification
Reference #: 120327398
Thu, 28 Mar 2013 04:22:48 +0600
Dear ADP Client
Your Transfer Record(s) have been created at the web site:
https://www.flexdirect.adp.com/client/login.aspx
Please see the following notes:
Please note that your bank account will be debited within one banking business day for the amount(s) shown on the report(s).
Please do not respond or reply to this automated e-mail. If you have any questions or comments, please Contact your ADP Benefits Specialist.
This note was sent to acting users in your system that approach ADP Netsecure.
As usual, thank you for choosing ADP as your business affiliate!
Ref: 975316004
HR. Payroll. Benefits.
The ADP logo and ADP are registered trademarks of ADP, Inc.
In the business of your success is a service mark of ADP, Inc.
© 2013 ADP, Inc. All rights reserved.
Facebook spam / ipiniadto.ru
The email address says Filestube. The message says Facebook. This can't be good.. and in fact this message just leads to malware on ipiniadto.ru:
66.249.23.64 (Endurance International Group, US)
69.46.253.241 (RapidDSL & Wireless, US)
140.114.75.84 (TANET, Taiwan)
Blocklist:
66.249.23.64
69.46.253.241
140.114.75.84
heepsteronst.ru
hillairusbomges.ru
hillaryklinton.ru
hinakinioo.ru
hiskinta.ru
hjuiopsdbgp.ru
hohohomaza.ru
hondatravel.ru
humaniopa.ru
humarikanec.ru
ilianorkin.ru
iliminattii.ru
illuminataf.ru
ipiniadto.ru
Date: Thu, 28 Mar 2013 04:58:33 +0600 [03/27/13 18:58:33 EDT]The malicious payload is at [donotclick]ipiniadto.ru:8080/forum/links/column.php (report here) hosted on the same IPs as used in this attack:
From: FilesTube [filestube@filestube.com]
Subject: You have notifications pending
Hi,
Here's some activity you may have missed on Facebook.
BERTIE Goldstein has posted statuses, photos and more on Facebook.
Go To Facebook
See All Notifications
This message was sent to [redacted]. If you don't want to receive these emails from Facebook in the future or have your email address used for friend suggestions, please click: unsubscribe.
Facebook, Inc. Attention: Department 415 P.O Box 10005 Palo Alto CA 94303
66.249.23.64 (Endurance International Group, US)
69.46.253.241 (RapidDSL & Wireless, US)
140.114.75.84 (TANET, Taiwan)
Blocklist:
66.249.23.64
69.46.253.241
140.114.75.84
heepsteronst.ru
hillairusbomges.ru
hillaryklinton.ru
hinakinioo.ru
hiskinta.ru
hjuiopsdbgp.ru
hohohomaza.ru
hondatravel.ru
humaniopa.ru
humarikanec.ru
ilianorkin.ru
iliminattii.ru
illuminataf.ru
ipiniadto.ru
Changelog spam / Changelog_Urgent_N992.doc.exe
From: Logistics Express [admin@ups.com]
Subject: Re: Changelog 2011 update
Hi,
as promised changelog,
Michaud Abran
VirusTotal detects the payload as Cridex. The malware is resistant to automated analysis tools, but Comodo CAMAS reports the creation of a file C:\Documents and Settings\User\Application Data\KB00085031.exe which is pretty distinctive.
If your email filter supports it, I strongly recommend that you configure it to block EXE-in-ZIP files as they are malicious in the vast majority of cases.
Labels:
EXE-in-ZIP,
Malware,
Spam,
Viruses
"Scan from a Xerox W. Pro" spam / ilianorkin.ru
This fake printer spam leads to malware on ilianorkin.ru:
66.249.23.64 (Endurance International Group, US)
69.46.253.241 (RapidDSL & Wireless, US)
140.114.75.84 (TANET, Taiwan)
Blocklist:
66.249.23.64
69.46.253.241
140.114.75.84
humaniopa.ru
hiskinta.ru
hohohomaza.ru
humarikanec.ru
hondatravel.ru
hillaryklinton.ru
hinakinioo.ru
hjuiopsdbgp.ru
hillairusbomges.ru
heepsteronst.ru
ilianorkin.ru
iliminattii.ru
illuminataf.ru
From: officejet@[victimdomain]The malicious payload is at [donotclick]ilianorkin.ru:8080/forum/links/column.php (report here) hosted on:
Sent: 27 March 2013 08:35
Subject: Fwd: Fwd: Scan from a Xerox W. Pro #589307
A Document was sent to you using a XEROX WorkJet PRO 481864299.
SENT BY : Omar
IMAGES : 9
FORMAT (.JPEG) DOWNLOAD
66.249.23.64 (Endurance International Group, US)
69.46.253.241 (RapidDSL & Wireless, US)
140.114.75.84 (TANET, Taiwan)
Blocklist:
66.249.23.64
69.46.253.241
140.114.75.84
humaniopa.ru
hiskinta.ru
hohohomaza.ru
humarikanec.ru
hondatravel.ru
hillaryklinton.ru
hinakinioo.ru
hjuiopsdbgp.ru
hillairusbomges.ru
heepsteronst.ru
ilianorkin.ru
iliminattii.ru
illuminataf.ru
Labels:
Malware,
Printer Spam,
RU:8080,
Spam,
Viruses
Wednesday, 27 March 2013
NACHA spam / mgithessia.biz
This fake NACHA spam leads to malware on mgithessia.biz:
DNS services are provided by justintvfreefall.org which is also probably malicious. Nameservers are on 5.187.4.53 (Fornex Hosting, Germany) and 5.187.4.58 (the same).
Recommended blocklist:
46.4.150.118
5.187.4.53
5.187.4.58
mgithessia.biz
justintvfreefall.org
From: "Олег.Тихонов@direct.nacha.org" [mailto:universe87@mmsrealestate.com]The malicious payload is at [donotclick]mgithessia.biz/closest/repeating-director_concerns.php although I am having difficulty resolving that domain, however it appears to be on 46.4.150.118 (Hetzner, Germany) and the payload looks something like this.
Sent: 27 March 2013 03:25
Subject: Disallowed Direct Deposit payment
Importance: High
To whom it may concern:
We would like to inform you, that your latest Direct Deposit via ACH transaction (Int. No.989391803448) was cancelled,because your business software package was out of date. The details regarding this matter are available in our secure section::
Click here for more information
Please consult with your financial institution to obtain the updated version of the software.
Kind regards,
ACH Network Rules Department
NACHA - The Electronic Payments Association
11329 Sunrise Valley Drive, Suite 865
Herndon, VA 20172
Phone: 703-561-1927 Fax: 703-787-1894
DNS services are provided by justintvfreefall.org which is also probably malicious. Nameservers are on 5.187.4.53 (Fornex Hosting, Germany) and 5.187.4.58 (the same).
Recommended blocklist:
46.4.150.118
5.187.4.53
5.187.4.58
mgithessia.biz
justintvfreefall.org
"British Airways E-ticket receipts" spam / illuminataf.ru
This fake airline ticket spam leads to malware on illuminataf.ru:
The attackment E-Ticket-Receipt.htm (which has a poor detection rate) leads to a malicious payload at [donotclick]illuminataf.ru:8080/forum/links/column.php (report here) hosted on:
66.249.23.64 (Endurance International Group, US)
69.46.253.241 (RapidDSL & Wireless, US)
223.4.209.134 (Alibaba (China) Technology Co, China)
Blocklist:
66.249.23.64
69.46.253.241
223.4.209.134
humaniopa.ru
hiskinta.ru
hohohomaza.ru
humarikanec.ru
hillaryklinton.ru
hinakinioo.ru
hillairusbomges.ru
heepsteronst.ru
hjuiopsdbgp.ru
hondatravel.ru
illuminataf.ru
iliminattii.ru
Date: Wed, 27 Mar 2013 03:23:05 +0100
From: "Xanga" [noreply@xanga.com]
Subject: British Airways E-ticket receipts
Attachments: E-Ticket-Receipt.htm
e-ticket receipt
Booking reference: JQ15191488
Dear,
Thank you for booking with British Airways.
Ticket Type: e-ticket
This is your e-ticket receipt. Your ticket is held in our systems, you will not receive a paper ticket for your booking.
Your itinerary is attached (Internet Exlplorer/Mozilla Firefox file)
Yours sincerely,
British Airways Customer Services
British Airways may monitor email traffic data and also the content of emails, where permitted by law, for the purposes of security and staff training and in order to prevent or detect unauthorised use of the British Airways email system.
British Airways Plc is a public limited company registered in England and Wales. Registered number: 51298446. Registered office: Waterside, PO Box 365, Harmondsworth, West Drayton, Middlesex, England, UB7 0GB.
How to contact us
Although we are unable to respond to individual replies to this email we have a comprehensive section that may help you if you have a question about your booking or travelling with British Airways.
If you require further assistance you may contact us
If you have received this email in error
This is a confidential email intended only for the British Airways Customer appearing as the addressee. If you are not the intended recipient please delete this email and inform the snder as soon as possible. Please note that any copying, distribution or other action taken or omitted to be taken in reliance upon it is prohibited and may be unlawful.
The attackment E-Ticket-Receipt.htm (which has a poor detection rate) leads to a malicious payload at [donotclick]illuminataf.ru:8080/forum/links/column.php (report here) hosted on:
66.249.23.64 (Endurance International Group, US)
69.46.253.241 (RapidDSL & Wireless, US)
223.4.209.134 (Alibaba (China) Technology Co, China)
Blocklist:
66.249.23.64
69.46.253.241
223.4.209.134
humaniopa.ru
hiskinta.ru
hohohomaza.ru
humarikanec.ru
hillaryklinton.ru
hinakinioo.ru
hillairusbomges.ru
heepsteronst.ru
hjuiopsdbgp.ru
hondatravel.ru
illuminataf.ru
iliminattii.ru
Tuesday, 26 March 2013
"NY TRAFFIC TICKET" spam / hondatravel.ru
I haven't seen this type of spam for a while, but here it is.. leading to malware on hondatravel.ru:
Date: Wed, 27 Mar 2013 04:24:14 +0330The malicious payload appears to be identical to this spam run earlier today.
From: "LiveJournal.com" [do-not-reply@livejournal.com]
Subject: Fwd: Re: NY TRAFFIC TICKET
New-York Department of Motor Vehicles
TRAFFIC TICKET
NEW-YORK POLICE DEPARTMENT
THE PERSON CHARGED AS FOLLOWS
Time: 2:15 AM
Date of Offense: 28/07/2012
SPEED OVER 50 ZONE
TO PLEAD CLICK HERE AND FILL OUT THE FORM
Wire Transfer spam / hondatravel.ru
This fake Wire Transfer spam leads to malware on hondatravel.ru:
The malicious payload is at [donotclick]hondatravel.ru:8080/forum/links/column.php (report here) hosted on:
66.249.23.64 (Endurance International Group, US)
69.46.253.241 (RapidDSL & Wireless, US)
These IPs were seen earlier with this attack.
From: messages-noreply@bounce.linkedin.com [mailto:messages-noreply@bounce.linkedin.com] On Behalf Of LinkedIn
Sent: 26 March 2013 11:52
Subject: Re: Wire Transfer Confirmation (FED_4402D79813)
Dear Bank Account Operator,
WIRE TRANSFER: FED68081773954793456
CURRENT STATUS: PENDING
Please REVIEW YOUR TRANSACTION as soon as possible.
The malicious payload is at [donotclick]hondatravel.ru:8080/forum/links/column.php (report here) hosted on:
66.249.23.64 (Endurance International Group, US)
69.46.253.241 (RapidDSL & Wireless, US)
These IPs were seen earlier with this attack.
Labels:
Endurance International Group,
Malware,
RU:8080,
Spam,
Viruses
UPS spam / Label_8827712794.zip
This fake UPS spam has a malicious EXE-in-ZIP attachment:
The attachment Label_8827712794.zip contains a malicious binary called Label_8827712794.exe which has a VirusTotal score of just 6/46. ThreatExpert reports that the malware is a Pony downloader which tries to phone home to:
aseforum.ro (199.19.212.149 / Vexxhost, Canada)
23.localizetoday.com (192.81.131.18 / Linode, US)
Assuming that all domains on those are malicious, this is a partial blocklist:
192.81.131.18
199.19.212.149
aseforum.ro
htlounge.com
htlounge.net
topcancernews.com
23.localizetoday.com
23.localizedonline.com
23.localizedonline.net
Date: Tue, 26 Mar 2013 20:54:54 +0600 [10:54:54 EDT]
From: UPS Express Services [service-notification@ups.com]
Subject: UPS - Your package is available for pickup ( Parcel 4HS287FD )
The courier company was not able to deliver your parcel by your address.
Cause: Error in shipping address.
You may pickup the parcel at our post office.
Please attention!
For mode details and shipping label please see the attached file.
Print this label to get this package at our post office.
Please do not reply to this e-mail, it is an unmonitored mailbox!
Thank you,
UPS Logistics Services.
CONFIDENTIALITY NOTICE: This electronic mail transmission and any attached files contain
information intended for the exclusive use of the individual or entity to whom it is
addressed and may contain information belonging to the sender (UPS , Inc.) that is
proprietary, privileged, confidential and/or protected from disclosure under applicable
law. If you are not the intended recipient, you are hereby notified that any viewing,
copying, disclosure or distributions of this electronic message are violations of federal
law. Please notify the sender of any unintended recipients and delete the original
message without making any copies. Thank You
The attachment Label_8827712794.zip contains a malicious binary called Label_8827712794.exe which has a VirusTotal score of just 6/46. ThreatExpert reports that the malware is a Pony downloader which tries to phone home to:
aseforum.ro (199.19.212.149 / Vexxhost, Canada)
23.localizetoday.com (192.81.131.18 / Linode, US)
Assuming that all domains on those are malicious, this is a partial blocklist:
192.81.131.18
199.19.212.149
aseforum.ro
htlounge.com
htlounge.net
topcancernews.com
23.localizetoday.com
23.localizedonline.com
23.localizedonline.net
eFax Corporate spam / hjuiopsdbgp.ru
This fake eFax spam leads to malware on hjuiopsdbgp.ru:
66.249.23.64 (Endurance International Group, US)
69.46.253.241 (RapidDSL & Wireless, US)
95.211.154.196 (Leaseweb, Netherlands)
Blocklist:
66.249.23.64
69.46.253.241
95.211.154.196
hohohomaza.ru
humarikanec.ru
hillaryklinton.ru
hinakinioo.ru
hillairusbomges.ru
hjuiopsdbgp.ru
heepsteronst.ru
Date: Tue, 26 Mar 2013 06:23:36 +0800The attachment Efax_Pages.htm leads to a malicious payload at [donotclick]hjuiopsdbgp.ru:8080/forum/links/column.php (report here) hosted on the following IPs:
From: LinkedIn [welcome@linkedin.com]
Subject: Efax Corporate
Attachments: Efax_Pages.htm
Fax Message [Caller-ID: 378677295]
You have received a 59 pages fax at Tue, 26 Mar 2013 06:23:36 +0800, (954)-363-5285.
* The reference number for this fax is [eFAX-677484317].
View attached fax using your Internet Browser.
© 2013 j2 Global Communications, Inc. All rights reserved.
eFax ® is a registered trademark of j2 Global Communications, Inc.
This account is subject to the terms listed in the eFax ® Customer Agreement.
66.249.23.64 (Endurance International Group, US)
69.46.253.241 (RapidDSL & Wireless, US)
95.211.154.196 (Leaseweb, Netherlands)
Blocklist:
66.249.23.64
69.46.253.241
95.211.154.196
hohohomaza.ru
humarikanec.ru
hillaryklinton.ru
hinakinioo.ru
hillairusbomges.ru
hjuiopsdbgp.ru
heepsteronst.ru
DHL Spam / LABEL-ID-NY26032013-GFK73.zip
This DHL-themed spam contains a malicious attachment.
Attached is a ZIP file called LABEL-ID-NY26032013-GFK73.zip which in turn contains LABEL-ID-NY26032013-GFK73.EXE (note that the date is encoded into the filename, so subsequent versions will change).
VirusTotal detections for this malware are low (7/46). The malware resists analysis from common tools, so I don't have any deeper insight as to what is going on.
Update: Comodo CAMAS identified some of the phone-home domains which are the same as the ones used here.
Date: Tue, 26 Mar 2013 17:27:46 +0700 [06:27:46 EDT]
From: Bart Whitt - DHL regional manager [reports@dhl.com]
Subject: DHL delivery report NY20032013-GFK73
Web Version | Update preferences | Unsubscribe
DHL notification
Our company’s courier couldn’t make the delivery of parcel.
REASON: Postal code contains an error.
LOCATION OF YOUR PARCEL: New York
DELIVERY STATUS: sort order
SERVICE: One-day Shipping
NUMBER OF YOUR PARCEL: ETBAKPRSU3
FEATURES: No
Label is enclosed to the letter.
Print a label and show it at your post office.
An additional information:
If the parcel isn’t received within 15 working days our company will have the right to claim compensation from you for it’s keeping in the amount of $8.26 for each day of keeping of it.
You can find the information about the procedure and conditions of parcels keeping in the nearest office.
Thank you for using our services.
DHL Global
Edit your subscription | Unsubscribe
Attached is a ZIP file called LABEL-ID-NY26032013-GFK73.zip which in turn contains LABEL-ID-NY26032013-GFK73.EXE (note that the date is encoded into the filename, so subsequent versions will change).
VirusTotal detections for this malware are low (7/46). The malware resists analysis from common tools, so I don't have any deeper insight as to what is going on.
Update: Comodo CAMAS identified some of the phone-home domains which are the same as the ones used here.
NACHA spam / breathtakingundistinguished.biz
This fake NACHA spam leads to malware on breathtakingundistinguished.biz:
The malicious payload is at [donotclick]breathtakingundistinguished.biz/closest/209tuj2dsljdglsgjwrigslgkjskga.php (report here) hosted on 62.173.138.71 (Internet-Cosmos Ltd., Russia). The following malicious sites are also hosted on the same server:
necessarytimealtering.biz
hitwiseintelligence.biz
breathtakingundistinguished.biz
From: "Гена.Симонов@direct.nacha.org" [mailto:corruptnessljx953@bsilogistik.com]
Sent: 25 March 2013 22:26
Subject: Re: Your Direct Deposit disallowance
Importance: High
Attn: Accounting Department
We are sorry to notify you, that your latest Direct Deposit transaction (#963417979218) was disallowed,because your business software package was out of date. The detailed information about this matter is available in the secure section of our web site:
Click here for more information
Please consult with your financial institution to acquire the updated version of the software.
Yours truly,
ACH Network Rules Department
NACHA - The Electronic Payments Association
19681 Sunrise Valley Drive, Suite 275
Herndon, VA 20135
Phone: 703-561-1796 Fax: 703-787-1698
The malicious payload is at [donotclick]breathtakingundistinguished.biz/closest/209tuj2dsljdglsgjwrigslgkjskga.php (report here) hosted on 62.173.138.71 (Internet-Cosmos Ltd., Russia). The following malicious sites are also hosted on the same server:
necessarytimealtering.biz
hitwiseintelligence.biz
breathtakingundistinguished.biz
Monday, 25 March 2013
"Copies of policies" spam / heepsteronst.ru
This spam leads to malware on heepsteronst.ru:
The malicious payload is at [donotclick]heepsteronst.ru:8080/forum/links/column.php (report here). The IP addresses used are the same ones as used in this attack.
Date: Mon, 25 Mar 2013 06:20:54 -0500 [07:20:54 EDT]
From: Ashley Madison [donotreply@ashleymadison.com]
Subject: RE: DEBBRA - Copies of Policies.
Unfortunately, I cannot obtain electronic copies of the Ocean, Warehouse or EPLI policy.
Here is the Package and Umbrella,
and a copy of the most recent schedule.
DEBBRA Barnard,
The malicious payload is at [donotclick]heepsteronst.ru:8080/forum/links/column.php (report here). The IP addresses used are the same ones as used in this attack.
"Scan from a HP ScanJet" spam / humaniopa.ru
This fake printer spam leads to malware on humaniopa.ru:
66.249.23.64 (Endurance International Group, US)
72.11.155.182 (OC3 Networks, US)
72.167.254.194 (GoDaddy, US)
95.211.154.196 (Leaseweb, Netherlands)
Blocklist:
66.249.23.64
72.11.155.182
72.167.254.194
95.211.154.196
hohohomaza.ru
hillaryklinton.ru
hinakinioo.ru
hillairusbomges.ru
humaniopa.ru
humarikanec.ru
Date: Mon, 25 Mar 2013 03:57:54 -0500The attachment Scanned_Document.htm leads to malware on [donotclick]humaniopa.ru:8080/forum/links/column.php (report here) hosted on:
From: LinkedIn Connections [connections@linkedin.com]
Subject: Scan from a HP ScanJet #928909620
Attachments: Scanned_Document.htm
Attached document was scanned and sent
to you using a Hewlett-Packard HP Officejet 98278P.
Sent by: CHANG
Images : 5
Attachment Type: .HTM [INTERNET EXPLORER]
Hewlett-Packard Officejet Location: machine location not set
66.249.23.64 (Endurance International Group, US)
72.11.155.182 (OC3 Networks, US)
72.167.254.194 (GoDaddy, US)
95.211.154.196 (Leaseweb, Netherlands)
Blocklist:
66.249.23.64
72.11.155.182
72.167.254.194
95.211.154.196
hohohomaza.ru
hillaryklinton.ru
hinakinioo.ru
hillairusbomges.ru
humaniopa.ru
humarikanec.ru
Labels:
Endurance International Group,
GoDaddy,
Leaseweb,
Malware,
Printer Spam,
RU:8080,
Spam,
Viruses
Subscribe to:
Posts (Atom)