
Friday, 12 July 2013

"TAX Return Reminder" / cpa.state.tx.us.tax-returns.mattwaltererie.net

This fake tax return reminder leads to malware on cpa.state.tx.us.tax-returns.mattwaltererie.net:

--- Version 1 --------------------

Date:      Fri, 12 Jul 2013 14:35:31 +0300
From:      DO.NOT.REPLY@REMINDER.STATE.TX.US.GOV
Subject:      TAX Return Reminder

After the last quarter calculations of your fiscal activity we have determined that you are eligible to receive a tax refund of $964.17. Please submit the tax refund request and allow us 2-5 business days to process it.

A refund can be delayed for a variety of reasons.
For example submitting invalid records or applying after deadline

Returns can be electronically filed at www.cpa.state.tx.us/returns_caseid=035549412645

For security reasons we will record your IP address, date and time.
Deliberate scam inputs are criminally pursued and indicated.
Please do not reply to this e-mail.

Please disregard this reminder if the return has already been submitted.


--- Version 2 --------------------


Date:      Fri, 12 Jul 2013 17:05:39 +0530 [07:35:39 EDT]
From:      tax.help@STATE.TX.GOV.US
Subject:      TAX Return Reminder

After the last quarter calculations of your fiscal activity we have determined that you are eligible to receive a tax refund of $909.70. Please submit the tax refund request and allow us 2-3 business days to process it.

A refund may be delayed for a variety of reasons.
For example submitting invalid records or applying after deadline

Returns can be electronically filed at www.cpa.state.tx.us/returns_caseid=488702484517

For security reasons we will record your IP address, date and time.
Deliberate wrong inputs are criminally pursued and indicated.
Please do not reply to this e-mail.

Please disregard this reminder if the return has already been submitted.

Unusually, the link in the email goes directly to the malware landing page rather than going through a legitimate hacked site first, in this case to [donotclick]cpa.state.tx.us.tax-returns.mattwaltererie.net/news/tax_refund-caseid7436463593.php?[snip] (example 1, example 2), but I cannot get the malware to reveal itself (either there's a fault or it is resistant to analysis).
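The hostname in this run, and the ones in the Amex, Authorize.Net, EFTPS, Amazon and LinkedIn runs below, all use the same trick: a genuine brand domain (cpa.state.tx.us, americanexpress.com, amazon.com, linkedin.com) is placed in the left-hand labels of a throwaway domain, so the part people read looks right while the part DNS resolves belongs to the gang. As an added example (not part of the original post), the check below pulls out the registrable domain and flags any host whose prefix labels contain a brand domain that is not the registrable domain itself. The brand list and the tiny table of multi-label public suffixes are assumptions for illustration; production code should load the full Public Suffix List.

```python
import re

# Assumption for this example: a tiny table of multi-label public suffixes.
# Real code should load the Public Suffix List (publicsuffix.org) instead.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.tr", "tx.us", "state.tx.us"}

# Brand domains that the spam runs on this page impersonate (assumed list).
BRANDS = {
    "cpa.state.tx.us", "americanexpress.com", "amazon.com", "linkedin.com",
    "eftps.gov", "pinterest.com", "authorize.net",
}


def _brand_pattern(brand):
    # The brand must occupy whole labels: start of string or a dot/hyphen before it,
    # and end of string or a dot/hyphen after it (catches "linkedin.com-update-report").
    return re.compile(r"(?:^|[.-])" + re.escape(brand) + r"(?=$|[.-])")


BRAND_PATTERNS = {b: _brand_pattern(b) for b in BRANDS}


def registrable_domain(host):
    """Return the registrable (owner-controlled) domain of a hostname."""
    labels = host.lower().rstrip(".").split(".")
    # Longest multi-label public suffix wins, then add one owner label.
    for n in (3, 2):
        if len(labels) > n and ".".join(labels[-n:]) in MULTI_LABEL_SUFFIXES:
            return ".".join(labels[-(n + 1):])
    return ".".join(labels[-2:])


def brand_in_prefix(host):
    """Return the impersonated brand if it sits left of the registrable domain, else None."""
    host = host.lower().rstrip(".")
    reg = registrable_domain(host)
    if reg in BRANDS:
        return None  # the brand's own domain, or a real subdomain of it
    prefix = host[: len(host) - len(reg)].rstrip(".")
    for brand, pat in BRAND_PATTERNS.items():
        if pat.search(prefix):
            return brand
    return None


def scan(hosts):
    """Map each spoofing hostname to the brand it borrows; clean hosts are omitted."""
    result = {}
    for h in hosts:
        b = brand_in_prefix(h)
        if b:
            result[h] = b
    return result


if __name__ == "__main__":
    # Hostnames taken from the blocklists on this page.
    for host, brand in scan([
        "cpa.state.tx.us.tax-returns.mattwaltererie.net",
        "americanexpress.com.krasalco.com",
        "linkedin.com-update-report.taltondark.net",
        "com.amazon.com.first4supplies.net",
        "m.krasalco.com",
    ]).items():
        print(f"{host}  impersonates {brand}")
```

Note what this does not catch: autorize.net.models-and-kits.net passes, because "autorize.net" is one letter short of the real brand. Typosquats need an edit-distance comparison against the brand list, which is a separate check from the label-prefix one shown here.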

cpa.state.tx.us.tax-returns.mattwaltererie.net is hosted on the following IP addresses that are under control of what I call the Amerika gang:
46.45.182.27 (Radore Veri Merkezi Hizmetleri A.S., Turkey)
150.244.233.146 (Universidad Autonoma de Madrid, Spain)
203.236.232.42 (KINX, Korea)
209.222.67.251 (Razor Inc, US)

The domain mattwaltererie.net also features the fake US WHOIS details that are characteristic of the Amerika gang (which is where they get their name from).

      Marilyn Clark
      13578 Calderon Rd
      SAN DIEGO, CA 92129
      US
      Phone: +1.7143435399
      Email: tekassis@usa.com


Below is a partial blocklist that I would recommend you use in conjunction with this one:
46.45.182.27
150.244.233.146
203.236.232.42
209.222.67.251
americanexpress.com.krasalco.com
astarts.ru
autorize.net.models-and-kits.net
beachfiretald.com
beatenunwield.com
bnamecorni.com
brandeddepend.com
centow.ru
clik-kids.com
condalnua745746.ru
cpa.state.tx.us.tax-returns.mattwaltererie.net
datapadsinthi.net
delines.ru
ehnihenransivuennd.net
eliroots.ru
estateandpropertty.com
filmstripstyl.com
fulty.net
gebelikokulu.net
gentonoesleep.com
getstatsp.ru
gondamtvibnejnepl.net
hdmltextvoice.net
hingpressplay.net
joinproportio.com
jonkrut.ru
linkedin.com-update-report.taltondark.net
m.krasalco.com
magiklovsterd.net
mattwaltererie.net
nvufvwieg.com
offeringshowt.com
privat-tor-service.com
quipbox.com
relationshipa.com
relectsdispla.net
sendkick.com
streetgreenlj.com
taltondark.net
tor-connect-secure.com
treehouse-dreams.net
tstatbox.ru
vip-proxy-to-tor.com
zestrecommend.com




Thursday, 11 July 2013

Malware sites to block 11/7/13

I noticed 188.138.89.106 (Intergenia AG, Germany) was the originating IP being used in this spam run using a hijacked 1&1 account, and VirusTotal thinks that the server is pretty darned evil. A quick poke at this box shows that it hosts a number of multihomed malicious and C&C domains.

Looking at some of these servers, I'm suspicious that they may have been compromised using a Plesk vulnerability. Various domains are used for botnets, including some Bitcoin miners. There may be some formerly legitimate domains in this mix, but given the compromised nature of the servers I would not trust them.

37.123.112.147 (UK2.NET, UK)
37.123.113.7 (UK2.NET, UK)
68.169.38.143 (Westhost Inc, US)
68.169.42.177 (Westhost Inc, US)
74.208.133.134 (1&1, US)
85.25.86.198 (Intergenia AG, Germany)
109.123.95.8 (UK2.NET, UK)
188.138.89.106 (Intergenia AG, Germany)
212.53.167.13 (FASTCOM IP Net, Poland)
212.227.53.20 (1&1, Germany)
212.227.252.92 (1&1, Germany)
213.165.71.238 (1&1, Germany)
217.160.173.154 (1&1, Germany)

Recommended blocklist:
37.123.112.147
37.123.113.7
68.169.38.143
68.169.42.177
74.208.133.134
85.25.86.198
109.123.95.8
188.138.89.106
212.53.167.13
212.227.53.20
212.227.252.92
213.165.71.238
217.160.173.154
bayrische-kampfplantage.de
f.eastmoon.pl
final.toles.org
final.twiaci.com
fujimoto-group.jp
gigasbh.org
gigasphere.su
jobs.4zox.com
ks-reifenservice.de
mh-wellnesscoach.de
mikimouse.net
move-aube.fr
naturalcuresdoc.com
naturalcuresdocanswers.com
newbigjob.de
p15114714.pureserver.info
s.richlab.pl
secure.redirectsite.net
soulvampire-ice.de
streetdanceroom.de
tests.gigasbh.org
toles.org
treibholzundmeer.de
try.aktivoxigen.com
wireless-work.su
xixbh.com
xixbh.net
xray868.server4you.de
xxxxxxxxxxxxxxx.kei.su

"WTX Media INC" spam / dajizzum.com

This fake invoice spam from the nonexistent "WTX Media" leads to a malware landing page on dajizzum.com:

From: Rebecca Media [mailto:support@rebeccacella.com]
Sent: 11 July 2013 07:46
To: [redacted]
Subject: Subscription Details

We hereby inform you that your subscription has been activated, your login information is as follows:

Username: IX9322130
Password: X#(@kIE04N
Login Key: 839384

Please do not share the login information with anyone as this account is only for your use, sharing the account will result in account termination without a refund.
The credit card on file submited by you will be billed within 24 hours, in the amount of 499.00 GBP, amount equal to one year unlimited subscription.
Your bank statement will show up as being billed by "WTX Media INC".

If you have any questions or issues with your login as well as requests to upgrade or cancel your membership please contact us using the form at:

[donotclick]www.rebeccacella.com/wp-content/plugins/subscribe/


Any feedback is appreciated as we strive to improve our services constantly.
WTX Media Team

The link in the email goes through a legitimate but hacked website (rebeccacella.com) and lands on a malware landing page at [donotclick]dajizzum.com/team/administration/admin4_colon/fedora.php?view=44 (report here), which contains an exploit kit.

dajizzum.com is hosted on 109.123.100.219 (UK2.NET, UK) which appears to be a hijacked server. At the moment I can only see that one site hosted on this box, but blacklisting the IP as a precaution may be wise.

The spam originates from another malware server on 188.138.89.106 (more on this later), but it appears to use a compromised 1&1 account, since the spamvertised domain, the sender's address and the SMTP relay (212.227.29.10) all belong to that provider.

Wednesday, 10 July 2013

Visa spam / estateandpropertty.com and clik-kids.com

This fake Visa spam attempts to lead to malware on estateandpropertty.com:

Date:      Wed, 10 Jul 2013 13:20:38 -0300 [12:20:38 EDT]
From:      Visa [policemank3@newsletters.visabusinessnewsmail.org]
Reply-To:      flintierv34@complains.visabusinessnewsmail.org
Subject:      Update Your Business Visa Card Information


Your Visa Business card has been limited. Please update your information to reactivate your account.

Please proceed the link: http://visabusiness.com/fraud/warning_mail=81413185766854518964...96368, update necessary information and view further information that caused us to set a limit.
Your Case ID is: NW61826321176497

Look for unexpected charges or questionable activity, and if you see anything suspicious,don't wait to act.

This added security is to prevent any additional fraudulent charges from taking place on your account.


Notice: This Visa communication is furnished to you solely in your capacity as a customer of Visa Inc. (or its authorized agent) or a participant in the Visa payments system. By accepting this Visa communication, you acknowledge that the information contained herein (the "Information") is confidential and subject to the confidentiality restrictions contained in Visa's operating regulations, which limit your use of the Information. You agree to keep the Information confidential and not to use the Information for any purpose other than in your capacity as a customer of Visa Inc. or a participant in the Visa payments system. The Information may only be disseminated within your organization on a need-to-know basis to enable your participation in the Visa payments system.

Please be advised that the Information may constitute material nonpublic information under U.S. federal securities laws and that purchasing or selling securities of Visa Inc. while being aware of material nonpublic information would constitute a violation of applicable U.S. federal securities laws. This information may change from time to time. Please contact your Visa representative to verify current information. Visa is not responsible for errors in this publication. The Visa Non-Disclosure Agreement can be obtained from your Visa Account Manager or the nearest Visa Office.

This message was sent to you by Visa, P.O. Box 8999, San Francisco, CA 94128. Please click here to unsubscribe. 

The link in the email goes through a legitimate hacked site and then attempted to go to a malware page at [donotclick]estateandpropertty.com/news/visa-report.php (report here), but it appears the registrar has nuked that domain, so the spammers have switched the link to [donotclick]clik-kids.com/news/visa-report.php (report here) instead. IPs involved are:

46.45.182.27 (Radore Veri Merkezi Hizmetleri, Turkey)
77.240.118.69 (Acens Technologies, Spain)
150.244.233.146 (Universidad Autonoma De Madrid, Spain)
203.236.232.42 (KINX, Korea)
209.222.67.251 (Razor Inc, US)

Recommended blocklist:
46.45.182.27
77.240.118.69
150.244.233.146
203.236.232.42
209.222.67.251
afabind.com
amazon.com.first4supplies.net
americanexpress.com.krasalco.com
aniolyfarmacij.com
astarts.ru
autorize.net.models-and-kits.net
beachfiretald.com
beatenunwield.com
bnamecorni.com
brandeddepend.com
centow.ru
chinadollars.net
clik-kids.com
com.amazon.com.first4supplies.net
condalinneuwu5.ru
condalnua745746.ru
datapadsinthi.net
delines.ru
eftps.gov.charismasalonme.net
ehnihenransivuennd.net
ehnihjrkenpj.ru
ehnihujasebejav15.ru
eliroots.ru
estateandpropertty.com
filmstripstyl.com
fulty.net
gentonoesleep.com
getstatsp.ru
gnanisienviwjunlp.ru
gondamtvibnejnepl.net
grivnichesvkisejj50.ru
hdmltextvoice.net
hingpressplay.net
joinproportio.com
jonkrut.ru
m.krasalco.com
magiklovsterd.net
meynerlandislaw.net
nvufvwieg.com
offeringshowt.com
patrihotel.net
paynotice07.net
pinterest.com.reports0701.net
privat-tor-service.com
quipbox.com
relationshipa.com
relectsdispla.net
reports0701.net
reveck.com
salesplaytime.net
sartorilaw.net
sendkick.com
smartsecurity-app.com
spanishafair.com
streetgreenlj.com
tor-connect-secure.com
tstatbox.ru
vip-proxy-to-tor.com
zestrecommend.com

Something evil on 199.231.93.182

199.231.93.182 (Webline Service, US suballocated to "Alex Capersov") is hosting a number of exploits [1] [2] being used in injection attacks. In the sample I saw, code had been injected into the legitimate site englishrussia.com possibly through a traffic exchanger.

The following domains are all hosted on or are associated with this IP. There's a shorter list at the bottom of the post without the subdomains that you might want to use as a blocklist.

afxcccck.namesjustnowsdossier.org
asddfs.bobsfuddscontrolls.info
asdfg.moneynoobslabs.biz
asfdasdf.netsristingboss.pw
assdfsa.monsterskillsd.biz
azvvbxe3.locksdayswongs.biz
bazdoacagiu.com
bobsfuddscontrolls.com
bobsfuddscontrolls.info
bulkoziedname.ws
buttonsyourece.biz
buttonsyourece.info
ddscontrolls.biz
ddscontrolls.info
ddsfsfaall.nameswwioodoo.net
ds34faall.nameswwioodoo.net
dsccfksd.namesselwarsducks.com
dsfkcxcd.namesselwarsducks.com
dsfrrds.originalsolldsbeps.biz
dsfsdf.namesselwarsducks.biz
dsfsdf.netsristingboss.pw
dsskkk.nameswwisconsinoodoo.com
dsszzsekkk.nameswwisconsinoodoo.com
dvldp.locksdayswongs.biz
dvxxdckv.sitesjustnowsdossier.biz
fdgrthhsdffd.lardobur.biz
fgdksd.bobsfuddscontrolls.biz
fgdsdfksd.bobsfuddscontrolls.biz
fsaal.ddscontrolls.biz
fsasdfal.ddscontrolls.biz
ksdvss.buttonsyourece.biz
ksvfss.buttonsyourece.biz
moneynoobslabs.biz
moneynoobslabs.info
namesjustnowsdossier.info
namesjustnowsdossier.net
namesjustnowsdossier.org
namesselwarsducks.biz
popalardo.net
popalardobur.net
sasdfsa.monsterskillsd.biz
sddffqrr.yourddscontrolls.biz
sddsfsd.domslingsfine.net
sdffaa.siteswollshertuners.com
sdfgsslsdf.bobsfuddscontrolls.com
sdflfdsdf.bobsfuddscontrolls.com
sdflsdf.bobsfuddscontrolls.com
sdfsd.domslingsfine.net
sfsbfa.ddscontrolls.info
sfsfa.ddscontrolls.info
simplibigidealog.ws
sitesjustnowsdossier.biz
ssdfsdfsa.monsterskillsd.biz
twoandhalfyear.ws
worrds.originalsolldsbeps.biz
yourddscontrolls.biz

Recommended blocklist:
bazdoacagiu.com
bobsfuddscontrolls.biz
bobsfuddscontrolls.com
bobsfuddscontrolls.info
bulkoziedname.ws
buttonsyourece.biz
buttonsyourece.info
ddscontrolls.biz
ddscontrolls.info
domslingsfine.net
lardobur.biz
locksdayswongs.biz
moneynoobslabs.biz
moneynoobslabs.info
monsterskillsd.biz
namesjustnowsdossier.info
namesjustnowsdossier.net
namesjustnowsdossier.org
namesselwarsducks.biz
namesselwarsducks.com
nameswwioodoo.net
nameswwisconsinoodoo.com
netsristingboss.pw
originalsolldsbeps.biz
popalardo.net
popalardobur.net
simplibigidealog.ws
sitesjustnowsdossier.biz
siteswollshertuners.com
twoandhalfyear.ws
yourddscontrolls.biz


Tuesday, 9 July 2013

"Payment File Successfully Processed" spam / autorize.net.models-and-kits.net

This spam leads to malware on autorize.net.models-and-kits.net:

Date:      Tue, 9 Jul 2013 15:36:42 -0500
From:      batchprovider@eftps.gov
Subject:      Payment File Successfully Processed

*** PLEASE DO NOT REPLY TO THIS MESSAGE***

Dear Batch Provider,

This message is being sent to inform you that your payment file has successfully processed. 2013-07-09-12.08.00.815358

Detailed information is available by logging into the Batch Provider software by clicking this link and performing a Sync request.
Thank You,
EFTPS

Contact Us: EFTPS Batch Provider Customer Service
at this link

A sender's email address of batchprovider@email.eftpsmail.gov is seen in another sample. The link goes through a legitimate hacked site and ends up on a malware-laden page at [donotclick]autorize.net.models-and-kits.net/news/shortest-caused-race.php (report here) hosted on:

77.240.118.69 (Acens Technologies, Spain)
103.9.23.34 (TPL Trakker Ltd, Pakistan)
151.155.25.111 (Novell Inc, US)
202.28.69.195 (UniNet, Thailand)

All these IPs and more can be found in this recommended blocklist. The following malicious domains are also visible on these four IPs and should be blocked if you can't block the IPs themselves:

77.240.118.69
103.9.23.34
151.155.25.111
202.28.69.195
afabind.com
amazon.com.first4supplies.net
americanexpress.com.krasalco.com
aniolyfarmacij.com
autorize.net.models-and-kits.net
charismasalonme.net
chinadollars.net
com.amazon.com.first4supplies.net
condalinneuwu5.ru
condalnua745746.ru
eftps.gov.charismasalonme.net
ehnihjrkenpj.ru
ehnihujasebejav15.ru
first4supplies.net
fulty.net
gnanisienviwjunlp.ru
gondamtvibnejnepl.net
grivnichesvkisejj50.ru
m.krasalco.com
meynerlandislaw.net
patrihotel.net
paynotice07.net
pinterest.com.reports0701.net
quipbox.com
reports0701.net
reveck.com
sartorilaw.net
sendkick.com
smartsecurity-app.com
spanishafair.com
vahvahchicas.ru

Update: a different spam is also circulating with the same payload:


Date:      Tue, 9 Jul 2013 06:56:26 -0800
From:      "Authorize . Net" [emailreceipts@news.authorizemail.net]
Subject:      Successful Credit Card Settlement Report.

Your Authorize.Net ID is: 1263577
Dear [redacted],

The following is your Credit Card settlement report for Sunday, July 09, 2013.

Transaction Volume Statistics for Settlement Batch dated 9-Jul-2013 11:0:55 PDT:
Batch ID: 668271114
Business Day: 09-Jul-2013
Net Batch Total: 9,917.74 (USD)
Number of Charge Transactions: 99
Amount of Charge Transactions: 9,917.74
Number of Refund Transactions: 7
Amount of Refund Transactions: 105.64

Warning! Your Batch limits for July exceeded!
To view details, please click here to log into the Merchant Interface.

If you have any questions regarding this settlement report, please contact your bank or you can contact Customer Support at this link.

Thank You,
Authorize.Net

*** You received this email because you chose to be a Credit Card Report recipient. You may change your email options by logging into the Merchant Interface. Click on Settings and Profile in the Main Menu, and select Manage Contacts from the General section. To edit a contact, click the Edit link next to the contact that you would like to edit. Under Email Types, select or deselect the Email types you would like to receive. Click Submit to save any changes. Please do not reply to this email.



Xerox WorkCentre (or is it HP Digital Device?) spam / SCAN_129_07082013_18911.zip

This fake printer spam has a malicious attachment:

Date:      Mon, 8 Jul 2013 12:20:24 -0500 [07/08/13 13:20:24 EDT]
From:      HP Digital Device [HP.Digital8@victimdomain]
Subject:      Scanned Image from a Xerox WorkCentre

Please open the attached document. It was scanned and sent to you using a Xerox WorkCentre Pro.

Sent by: [victimdomain]
Number of Images: 8
Attachment File Type: ZIP [PDF]

WorkCentre Pro Location: Machine location not set
Device Name: OM7IEQ4M22

Attached file is scanned image in PDF format.
Adobe(R)Reader(R) can be downloaded from the following URL: http://www.adobe.com/

In this case there is an attachment SCAN_129_07082013_18911.zip containing an executable SCAN_129_07082013_18911.exe (note that the date is encoded into the file name). VirusTotal detections are 26/47 and identify it as a generic downloader; Comodo CAMAS reports that it is a Pony downloader that attempts to contact 2ndtimearoundweddingphotography.com, which appears to be a hijacked GoDaddy domain.
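A mail-gateway check for this kind of attachment, as an added example (not from the original post): it opens the zip in memory, flags members with an executable extension or with a PE "MZ" header regardless of what the name says, and pulls the MMDDYYYY stamp out of the file name. The sample zip is constructed inline with a two-byte "MZ" stub and a text file, not the real SCAN_129_07082013_18911.exe, and reading 07082013 as month-day-year is an assumption that fits the 8 July date on the email.

```python
import io
import re
import zipfile

# Extensions Windows will execute directly when double-clicked (assumed list).
EXEC_EXT = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs", ".jar"}

# The mailer stamps MMDDYYYY into the name (SCAN_129_07082013_18911): eight digits
# not adjacent to other digits. US date order is an assumption that fits the 8 July mail.
DATE_IN_NAME = re.compile(r"(?<!\d)(\d{2})(\d{2})(\d{4})(?!\d)")


def build_sample_zip(include_exe=True):
    """Constructed sample: a zip with a two-byte 'MZ' stub and a text file, not real malware."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        if include_exe:
            zf.writestr("SCAN_129_07082013_18911.exe", b"MZ" + b"\x00" * 62 + b"example stub")
        zf.writestr("notes.txt", b"plain text, nothing to see")
    return buf.getvalue()


def inspect_zip(data):
    """Return [(member_name, [reasons])] for members a mail gateway should look at."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            lower = name.lower()
            ext = "." + lower.rsplit(".", 1)[-1] if "." in lower else ""
            reasons = []
            if ext in EXEC_EXT:
                reasons.append(f"executable extension {ext}")
            # Read only the first two bytes: a PE file starts with "MZ" whatever it is called.
            with zf.open(info) as fh:
                head = fh.read(2)
            if head == b"MZ":
                reasons.append("MZ (PE) header" + ("" if ext in EXEC_EXT else " behind a non-executable name"))
            m = DATE_IN_NAME.search(name)
            if m:
                mm, dd, yyyy = m.groups()
                reasons.append(f"date stamp {yyyy}-{mm}-{dd} in file name")
            if reasons:
                findings.append((name, reasons))
    return findings


def should_quarantine(data):
    """Gateway decision: any executable member is enough to hold the message."""
    return any(
        r.startswith("executable") or r.startswith("MZ")
        for _, reasons in inspect_zip(data)
        for r in reasons
    )


if __name__ == "__main__":
    sample = build_sample_zip()
    for name, reasons in inspect_zip(sample):
        print(name, "->", "; ".join(reasons))
    print("quarantine:", should_quarantine(sample))
```

The date stamp on its own is only context (it tells you which day's run a sample belongs to); the quarantine decision rests on the extension and the MZ header, and the header check is what catches a member renamed to "scan.pdf".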

As is common at the moment, there are a bunch of related hacked GoDaddy domains on a random (non-GoDaddy) server, in this case 64.94.100.116 (the somewhat notorious Nuclear Fallout Enterprises). All these domains should be treated as malicious according to reports from URLquery and VirusTotal.

gfpmenusonline.com
gfponlineordering.com
solarrec-auction.com
chapter2weddings.com
pecoprocurement.com
2brothersdelimenu.com
2ndtimearoundweddingphotography.com

The ThreatTrack report reveals more details [pdf] including the subsequent download locations as does the ThreatExpert report.

[donotclick]lacasadelmovilusado.com/bts1.exe
[donotclick]common.karsak.com.tr/FzPfH6.exe
[donotclick]ftp.vickibettger.com/oEoASW64.exe
[donotclick]qualitydoorblog.com/qbSTq.exe

The second-stage executable fetched from those locations has a much lower detection rate at VirusTotal of just 3/47 (and all generic at that). The ThreatExpert report [pdf] gives more details of the malware plus some connection attempts, and Anubis reports something similar. The addresses it connects to all appear to be dynamic ADSL addresses and are probably not worth trying to block.

64.136.115.72
66.63.204.26
68.7.103.29
76.226.114.217
77.30.83.91
78.131.54.252
84.59.131.0
85.107.90.53
87.18.47.40
90.189.37.85
94.240.240.106
95.246.170.150
107.217.117.139
108.234.133.110
180.247.156.110
181.67.52.88
190.202.83.105
200.91.49.183
201.209.58.176
212.71.16.46
217.132.249.173
221.215.31.50

Recommended blocklist:
gfpmenusonline.com
gfponlineordering.com
solarrec-auction.com
chapter2weddings.com
pecoprocurement.com
2brothersdelimenu.com
2ndtimearoundweddingphotography.com
bobkahnvideo.com
lacasadelmovilusado.com
common.karsak.com.tr
ftp.vickibettger.com
qualitydoorblog.com
64.94.100.116
198.173.93.218
212.58.2.22

Monday, 8 July 2013

sendgrid.me / amazonaws.com spam

This spam is unusual in that it comes through an apparently genuine commercial email provider (sendgrid.me) and leads to malware hosted on Amazon's cloud service, amazonaws.com. There is no body text in the spam, just an image designed to look like a downloadable document.

from:     [victim] via sendgrid.me
date:     8 July 2013 19:08
subject:     Urgent 6:08 PM 244999
Signed by:     sendgrid.me

The email appears to originate from 138.91.78.32, which is a Microsoft IP, so that part of the mail header may be faked. It certainly comes through 208.117.55.132 (o1.f.az.sendgrid.net).

The text at the bottom says "Please find attached the document." but actually leads to a malicious executable at [donotclick]s3.amazonaws.com/ft556/Document_948357853____.exe [https] (VirusTotal report) which then downloads a further executable from [donotclick]s3.amazonaws.com/mik49/ss32.exe [http] (VirusTotal report) which installs itself into C:\Documents and Settings\Administrator\Application Data\ss32.exe.

ThreatExpert reports that the downloader (the first executable) is hardened against VM-based analysis:

"Is protected with Themida in order to prevent the sample from being reverse-engineered. Themida protection can potentially be used by a threat to complicate the manual threat analysis (e.g. the sample would not run under the Virtual Machine)."

Anubis, Comodo CAMAS, Malwr and ThreatTrack give various clues as to what the downloader is doing.

The second part (ss32.exe) attempts to look up a server called mssql.maurosouza9899.kinghost.net on 177.185.196.130 (IPV6 Internet Ltda, Brazil) according to CAMAS, and Anubis identifies an attempted connection to bit.ly/15aDtjB, which in turn attempts to connect to an unregistered domain, www.mdaijdasid.com (report here). Malwr gives some further information on system changes, as does ThreatTrack. ThreatExpert reports seeing Themida again.

Quite what the second part of the malware does is unclear; it may simply be that mdaijdasid.com hasn't been registered yet but will be later. VirusTotal does report some other badness on 177.185.196.130, so that IP is probably worth blocking.

Recommended blocklist:
177.185.196.130
mssql.maurosouza9899.kinghost.net
mdaijdasid.com
s3.amazonaws.com/mik49/
s3.amazonaws.com/ft556/
bit.ly/15aDtjB
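Two of the entries above are paths rather than hosts: s3.amazonaws.com/mik49/ and bit.ly/15aDtjB cannot go into a DNS blocklist without taking out all of S3 or all of bit.ly, and a plain hostname list will silently mangle them. As an added example (not from the original post), the script below sorts a blocklist like the ones on this page into IPs, hostnames and URL prefixes, and emits each in a form the enforcement point can use: hostnames as DNS RPZ records, URL prefixes as anchored regexes for a proxy url_regex ACL (Squid-style is the assumed consumer here). The sample input is this post's own blocklist plus one deliberately bad line.

```python
import ipaddress
import re

# RFC 1123-style hostname: dot-separated labels of letters/digits/hyphens,
# no leading or trailing hyphen, at least two labels.
HOST_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[a-z0-9-]{1,63}(?<!-)(?:\.(?!-)[a-z0-9-]{1,63}(?<!-))+$"
)

# Constructed input: the blocklist from this post, plus one deliberately bad line.
SAMPLE_BLOCKLIST = """
177.185.196.130
mssql.maurosouza9899.kinghost.net
mdaijdasid.com
s3.amazonaws.com/mik49/
s3.amazonaws.com/ft556/
bit.ly/15aDtjB
not a host
"""


def normalize(entry):
    """Lower-case the host part only; URL paths are case-sensitive."""
    host, sep, path = entry.strip().partition("/")
    return host.lower() + sep + path


def classify(entry):
    """One of 'ip', 'host', 'urlpath' or 'invalid'."""
    e = normalize(entry)
    if "/" in e:
        host = e.split("/", 1)[0]
        return "urlpath" if HOST_RE.match(host) else "invalid"
    try:
        ipaddress.ip_address(e)
        return "ip"
    except ValueError:
        pass
    return "host" if HOST_RE.match(e) else "invalid"


def consolidate(text):
    """Bucket blocklist lines by type, de-duplicated; blank and '#' lines are skipped."""
    buckets = {"ip": set(), "host": set(), "urlpath": set(), "invalid": set()}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        buckets[classify(line)].add(normalize(line))
    return buckets


def rpz_records(hosts):
    """DNS RPZ records that NXDOMAIN the host and everything under it."""
    out = []
    for h in sorted(hosts):
        out.append(f"{h} CNAME .")
        out.append(f"*.{h} CNAME .")
    return out


def proxy_url_patterns(urlpaths):
    """Anchored regexes for a proxy url_regex ACL: block the prefix, not the whole host."""
    pats = []
    for entry in sorted(urlpaths):
        host, _, path = entry.partition("/")
        pats.append(r"^https?://" + re.escape(host) + "/" + re.escape(path))
    return pats


def pattern_matches(pattern, url):
    return re.match(pattern, url) is not None


if __name__ == "__main__":
    b = consolidate(SAMPLE_BLOCKLIST)
    print("# firewall:", " ".join(sorted(b["ip"])))
    print("\n".join(rpz_records(b["host"])))
    print("\n".join(proxy_url_patterns(b["urlpath"])))
    if b["invalid"]:
        print("# rejected:", b["invalid"])
```

The RPZ wildcard record is what makes the hostname bucket cover mssql.maurosouza9899.kinghost.net's siblings if the gang moves to another label, and the proxy patterns are the only place the two S3 prefixes and the bit.ly link can be enforced without collateral damage.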

Amex spam / americanexpress.com.krasalco.com

This fake Amex spam leads to malware on americanexpress.com.krasalco.com:

    
From: American Express [mailto:AmericanExpress@emalsrv.aexpmail.org]
Sent: 08 July 2013 15:00
Subject: Account Alert: A Payment Was Received

Check your account balance online at any time

Hello, [redacted]

View Account | Make a Payment | Manage Alerts Preferences

Payment Received | Check Balance

We received a payment for your Card account.

Date Received: Mon, Jul 08, 2013
Payment Amount: $2,511.92

Payments received after 8PM MST may not be credited until the next day. Please allow 24-48 hours for your payment to appear online.

Thank you for your Cardmembership.

American Express Customer Care

Was this e-mail helpful? Please click here to give us your feedback.

If you'd like to stop receiving this alert, simply click here.

Like Us on Facebook | Follow Us on Twitter | Subscribe to our channel | Share with Foursquare friends

Contact Us | Privacy Statement | Add us to your address book

Your Cardmember information is included in the upper-right corner to help you recognize this as a customer service e-mail from American Express. To learn more about e-mail security or report a suspicious e-mail, please visit us at americanexpress.com/phishing. We kindly ask you not to reply to this e-mail but instead contact us via customer service.

© 2013 American Express. All rights reserved.

AU0S0RF76947278


The link in the email goes through a legitimate hacked site to end up on a malicious landing page at [donotclick]americanexpress.com.krasalco.com/news/slightly_some_movie.php (report here) hosted on the following IPs:

77.240.118.69 (Acens Technologies, Spain)
103.9.23.34 (TPL Trakker Ltd, Pakistan)
151.155.25.111 (Novell Inc, US)
202.28.69.195 (Uninet, Thailand)

Blocklist:
77.240.118.69
103.9.23.34
151.155.25.111
202.28.69.195
afabind.com
americanexpress.com.krasalco.com
aniolyfarmacij.com
chinadollars.net
condalinneuwu5.ru
condalnua745746.ru
ehnihjrkenpj.ru
ehnihujasebejav15.ru
first4supplies.net
gindonszkjchaijj.ru
gnanisienviwjunlp.ru
grivnichesvkisejj50.ru
meynerlandislaw.net
patrihotel.net
paynotice07.net
pinterest.com.reports0701.net
reports0701.net
reveck.com
sartorilaw.net
sendkick.com
smartsecurity-app.com
spanishafair.com
vahvahchicas.ru

Friday, 5 July 2013

EBC "Password Reset Confirmation" spam / paynotice07.net

This fake password reset spam leads to malware on paynotice07.net:

From: EBC_EBC1961Registration@ebank6.secureaps.com
Sent: 05 July 2013 12:27
Subject: Password Reset Confirmation


Your Online Bankking password was successfully changed on 07/05/2013. If you did not make this change, or if you have any questions, please contact EBC Technical Support using this link.

Support is available Monday - Friday, 8 AM to 8 PM CST.

This is an automated message, please do not reply. Your message will not be received.
************************************************************
This communication, including attachments, is for the exclusive use of addressee and may contain proprietary, confidential and/or privileged information. If you are not the intended recipient, any use, copying, disclosure, dissemination or distribution is strictly prohibited. If you are not the intended recipient, please notify the sender immediately by return e-mail, delete this communication and destroy all copies.
************************************************************ 

The link goes through a legitimate hacked site and ends up on a payload at [donotclick]paynotice07.net/news/must-producing.php (report here) hosted on the following IPs:

189.84.25.188 (DataCorpore Serviços e Representações, Brazil)
202.28.69.195 (Walailuk University, Thailand)

Blocklist:
189.84.25.188
202.28.69.195
afabind.com
aniolyfarmacij.com
condalinneuwu5.ru
condalnua745746.ru
ehnihjrkenpj.ru
ehnihujasebejav15.ru
gnanisienviwjunlp.ru
grivnichesvkisejj50.ru
patrihotel.net
paynotice07.net
pinterest.com.reports0701.net
reports0701.net
reveck.com
sartorilaw.net
sendkick.com
smartsecurity-app.com

Thursday, 4 July 2013

Mystery spam leads to Emailmovers Ltd (emailmovers.com / emvrs.co)

Some time ago I received a spam sent to a scraped email address promoting email marketing services (i.e. spam) which features fake contact details and a carefully anonymised web site at prospectdirect.org that shielded the identity of the spammers.

So who was behind this spam? Well, the easiest way to find out was to pretend to be interested. I filled in the contact form on the site and eventually got a reply from an outfit called Email Movers Ltd. Now, let's be clear - I don't know 100% that Email Movers were responsible for sending the original spam, but somehow my "lead" ended up with this UK-based marketing company.

The enquiry I made was about PPI leads, the mainstay of many sleazy marketing outfits.  The response I got was as follows:

From:     Jonathan Coleman [jonathan.coleman@emailmovers.com]
Date:     23 May 2013 11:06
Subject:     RE - PPI Leads

Hi [redacted],

Thank you for your enquiry. We have excellent PPI data consisting of over 1 million contacts.

The database consists of UK consumers who have taken out a loan within the last 6 years with a payment protection policy attached to the loan. We have called each consumer from a 300 seat call centre in order to verify these details. The flat file we used in order to contact these consumers was originally one of the country’s largest loan packagers completion files.


Available:
Data Name
Home address
Postcode
Landline telephone number
Mobile telephone number

Selections:
Available 300+ selections available via our syndicated multiple overlay platform.
Example selections include:
Credit rating
Credit history
Credit ac
-----------------------------------------------------------------

The data doesn't get released, we will conduct the email broadcast for you. Min order value applies, no less than 50 000 records and it is £1650. Other volumes are priced as following:

50,000 at £1650 + VAT
100,000 at £1990 + VAT
250,000 at £2700 + VAT
500,000 at £4300 + VAT
1 Million at £8000 + VAT

What do you think?

Jonathan Coleman

Senior Account Manager

D: +44 (0)1723 800022
T: +44 (0)845 226 7181
   

Trusted email validation Try Email Inspector  |   Targeted Marketing at a click Try Countrunner

Emailmovers Ltd, Pindar House, Thornburgh Road, Scarborough, North Yorkshire, YO11 3UY UK

Registered in England No. 5046417. Registered office: Medina House, No 2 Station Avenue, Bridlington, YO16 4LZ. United Kingdom.
View email disclaimer

This email comes from an emailmovers.com address with a link to a website emvrs.co. The email originates from a Google IP, so no real clue as to its origin.

Emailmovers have been around for quite a while, and they have attracted a lot of adverse comment for spam [1] [2] [3] [4] [5] [6] [7] [8] [9]. They have quite a lot of websites too, in addition to emailmovers.com and emvrs.co, but one in particular caught my eye: the domain emailinspector.co.uk, which is an "email validation" service. Check out the last paragraph in particular:
Email databases decay at an alarming rate. It is imperative to keep your data as accurate and as clean as possible to maintain a good sender reputation and improve the deliverability of your email list.

Email Inspector is a revolutionary new way of updating and cleansing your email addresses without risking blacklisting your IP. This online service allows you to upload bulk lists of email addresses to check for bounces, wrong addresses and duplicates and leaves you with a clean and up-to-date list that is ready for use.

We can also take your database in-house for further analysis to strip out known complainers and run it against our master spam trap file in our full bureau service.


There's another term for this process: list washing. Legitimate mailing lists should never contain spamtrap data; stripping it out is only of use if you are dealing with scraped or malware-harvested email addresses. Exactly what sort of customer is Emailmovers after with a service like this?

The company QuotesPlease Ltd appears to be largely the same operation, with the same personnel and at the same address.

They own several other domains, at least one of which (email-databases.com) has been hacked (see report); bizibuy.com has also been compromised and defaced, and theemailexpert.com has been defaced recently. I don't know whether those servers contained any personally identifiable data.

Perhaps Emailmovers contracted out the lead generation to another party and buy those leads in good faith. I'm sure you can make up your own mind as to how likely that is.

These following domains all appear to belong to Emailmovers Ltd or QuotesPlease Ltd, do with them what you want:
5mins.co.uk
5mins.info
5minsmail.com
5mins-mail.com
5minsmail.net
5mins-mail.net
5mins-mail.org
5mins-ppm.com
5mins-update.com
b2bcompanylist.com
b2bemaillistsuk.com
b2bmailinglistsuk.com
b2bmarketingcompanieslist.com
bestemailmarketinglists.com
bizibuy.biz
bizibuy.com
businessmailinglistsuk.com
callmovers.co.uk
coastline-gallery.com
companiesthatsellemaillists.com
consumeremaillistsuk.com
countrunner.com
dataseeder.com
dataseeder.net
dataseeder.org
emailappending-emailmovers.com
emailcleansing.com
email-databases.com
emailinspector.info
emailinspector.net
emailinspector.org
emailliststobuy.com
emailmarketingconsultancy.com
emailmarketingconsultation.com
emailmovers.com
emm-mail.org
emm-news.com
ems300live.com
emvrs.co
enudge.com
freewordpresstemplates.biz
grannymave.co.uk
likemovers.com
mailinglistuk.com
onlinebusinessecards.com
quotesplease.co.uk
seedalert.com
socialmediaslot.com
theemailexpert.com
ukconsumeremaildatabase.com
ukconsumeremaillist.com
ukemaildata.com
workmug.com

Added: the following domains are also in use for the initial spam, and there are more details in the comments section:
parkconnect.net
simplequotes.net

Added (II):  some more domains these spammers use can be found here.

Tuesday, 2 July 2013

Babylon and the 3954 Trojans, or the Whore of Babylon.com

"Babylon and the 3954 Trojans" sounds like a swords and sandals epic, but unfortunately it's just another example of crapware gone wild. Perhaps "The Whore of Babylon.com" is more apt though.

At the heart of Babylon.com's business is a marginally useful "free" translation application plus some paid add-ons. You know, the sort of thing that Google Translate does, except that Babylon.com whores itself out and installs a load of crapware onto your computer when it does so.

According to Google's Safe Browsing Diagnostics, the site somehow squeezes nearly 4000 trojans into its pages. We don't know how that is possible, but this is what Google says:

Safe Browsing

Diagnostic page for babylon.com

What is the current listing status for babylon.com?
This site is not currently listed as suspicious.
What happened when Google visited this site?
Of the 1546 pages we tested on the site over the past 90 days, 0 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2013-07-02, and the last time suspicious content was found on this site was on 2013-07-02. Malicious software includes 3954 trojan(s).
This site was hosted on 13 network(s) including AS32475 (SINGLEHOP), AS2914 (NTT), AS28666 (HOSTLOCATION).
Has this site acted as an intermediary resulting in further distribution of malware?
Over the past 90 days, babylon.com did not appear to function as an intermediary for the infection of any sites.
Has this site hosted malware?
Yes, this site has hosted malicious software over the past 90 days. It infected 0 domain(s), including .

Quite why Google hasn't blacklisted it is a mystery. VirusTotal's prognosis is pretty horrible, with malware detected by most products.. but the way the checksums keep changing makes it look like Babylon.com keep changing the binaries, perhaps to avoid detection. The latest version of the software has a much lower detection rate.

To be fair, Babylon do mention in their terms of use that they will fill your computer with crap and pass your data on to others.

Babylon does not give, sell, rent, share, or trade any identifiable personal information regarding our Users to any third party, with the exception of third-party contractors and service providers who work with Babylon to provide the Service and who are strictly prohibited from later use of the information to which they may have access. Babylon may share non-personal aggregate or summary information regarding its Users with partners or other third parties. We can - and you authorize us to - disclose personal information to local, state, or federal law enforcement officials when required to do so by public authorities or when we believe in good faith that the law requires such disclosure. Please read Babylon's Privacy Policy, available here, for a detailed description of Babylon's privacy policy.

You acknowledge and agree that Babylon may process information gathered from different Users visiting the Website or using or downloading material from the Service for the purpose of building a profile of User interests and activities. Based on this profile, Babylon may send you advertisements, offers and content, and provide you with the full benefits of the Service. Additionally, you further acknowledge and agree that Babylon, through its affiliated third party's component named Wizebar (the name of such component may change from time to time) embodied within Babylon Toolbar (the "Component"), may trace, process and trade workstation's visiting websites data with its affiliated third party contractors and/or service providers, which may, following the receipt of such workstation's visiting websites data, store such information in their data base; and thereafter send each workstation relevant advertisements and/or offers from third parties; all according to each workstation's visiting websites data profile. During the downloading process of the Component, which is bundled within the Babylon Toolbar, User shall be notified that following the downloading of the Babylon Toolbar, his/her workstation may receive relevant advertisements and offers of services in accordance with his/her workstation's visiting websites date profile. User is free, at all times, to opt-out from his/her workstation receiving such advertisements and offers of services by taking the following alternative steps:

1. Uncheck the box of receipt of such advertisements and offers; or
2. Remove the Babylon toolbar from the Add/remove dialog on the operating system; or
3. Disable receipt of such services by following the "Disable Page" on the Babylon toolbar.  
Did you read all of that? No, and probably nobody else does either. Which explains why system administrators keep finding the damned product installed on their machines, adware and all. This piece of software even has its own Wikipedia entry covering its malware issues. Do you really want your users to go anywhere near this site?

As far as I can tell, at the moment the Babylon software is downloaded from the following IPs which you may want to block (all operated by Singlehop):
69.175.87.109
81.93.185.144
81.93.185.145
173.236.48.139
173.236.91.147
184.154.40.59
184.154.151.19
198.143.175.67
216.104.42.91

The following domains are also related to Babylon and its associated adware, again you may want to block these:
babylon.com
babylon-services.com
dl.babylon.com
dl.babylon-services.com
dl.cdn-services.com
buenosearch.com
claro-search.com
dalesearch.com
delta-search.com
golsearch.com
holasearch.com
myfreegame.net
search-goal.com
searchgol.com
soft-downloads.net
software-files.net
tera-search.com
uno-search.com

There's nothing wrong with companies wanting to make some money out of products that are useful to people. That's the way commerce works. But filling your customers' PCs full of crap is not the way to do it..

Adware sites to block 2/7/13

Never trust an ad network that uses anonymous WHOIS details. These are all hosted on 108.161.189.161 (NetDNA, US) and all hide their registration details. Those marked in yellow are flagged by Google for distributing malware; the links go to the Google Safe Browsing diagnostic page. Given the amount of adware on this server, I would recommend blocking it.

netloader.cc
cdnloader.com
gamesformore.com
load-net.com
loadasset.info
loadernet.info
secureasset.info
cdnload.net
starscontent.net
cdn-network.org
contentsolution.org
loadfree.org
loadshop.org
softcdn.org
software-net.org

Monday, 1 July 2013

Pinterest spam / pinterest.com.reports0701.net

This fake Pinterest spam leads to malware on pinterest.com.reports0701.net:

Date:      Mon, 1 Jul 2013 21:04:36 +0530
From:      "Pinterest" [naughtinessw5@newsletters.pinterest.net]
To:      [redacted]
Subject:      Your password on Pinterest Successfully changed!

[redacted]
  
Yor password was reset. Request New Password.
   
See Password    
       
Pinterest is a tool for collecting and organizing things you love.

This email was sent to [redacted].

Don't want activity notifications? Change your email preferences.

©2013 Pinterest, Inc. | All Rights Reserved

Privacy Policy | Terms and Conditions
The link goes through a legitimate hacked site and ends up on a malicious payload at [donotclick]pinterest.com.reports0701.net/news/pay-notices.php (report here and here) which contains an exploit kit. The malware is hosted on a subdomain of a main domain registered with fake WHOIS details (it belongs to the Amerika gang), which is a slightly new technique:

   June Parker parker@mail.com
   740-456-7887 fax: 740-456-7844
   4427 Irving Road
   New Boston OH 45663
   us

The following IPs are in use:
77.240.118.69 (Acens Technologies, Spain)
89.248.161.148 (Ecatel, Netherlands)
208.81.165.252 (Gamewave Hongkong Holdings, US)

Recommended blocklist:
77.240.118.69
89.248.161.148
208.81.165.252
afabind.com
chinadollars.net
condalinneuwu5.ru
condalnua745746.ru
condalnuashyochetto.ru
ehnihjrkenpj.ru
ehnihujasebejav15.ru
ejoingrespubldpl.ru
gindonszkjchaijj.ru
gnanisienviwjunlp.ru
greli.net
gstoryofmygame.ru
meynerlandislaw.net
oydahrenlitutskazata.ru
patrihotel.net
pinterest.com.reports0701.net
reports0701.net
reveck.com
sartorilaw.net
sendkick.com
spanishafair.com
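The hostname trick noted above (a legitimate name such as pinterest.com or cpa.state.tx.us glued onto the front of an attacker's throwaway domain) and the blocklist it produces both call for the same check. As an added example, not part of the original post, the following Python keys the blocklist on the registrable domain so every subdomain of reports0701.net is caught, and separately flags hostnames that begin with a brand's full domain name while actually sitting under someone else's apex. The public-suffix table, brand list and sample URLs are assumptions constructed for the demo; a production version would load the full Public Suffix List.

```python
"""Domain blocklist matching and brand-prefix detection for spam links.

Added example for this post, not the blog's own tooling. Blocklist entries
are taken from the post; the brand list, public-suffix table and sample
URLs are assumptions constructed for the demo."""

from urllib.parse import urlsplit

# Multi-label public suffixes that occur in the hostnames discussed here.
# Real deployments should load the full Public Suffix List instead.
MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "state.tx.us", "com.au"}

# Subset of the post's recommended blocklist.
BLOCKLIST = {
    "pinterest.com.reports0701.net", "reports0701.net", "sartorilaw.net",
    "spanishafair.com", "meynerlandislaw.net", "greli.net", "afabind.com",
}

# Legitimate domains the lures impersonate (assumed from the spam text).
BRAND_DOMAINS = {"pinterest.com", "cpa.state.tx.us", "southwest.com"}


def apex_domain(host: str) -> str:
    """Registrable domain (eTLD+1): the unit a blocklist should key on,
    so that every throwaway subdomain of a listed apex is also caught."""
    labels = host.lower().rstrip(".").split(".")
    for n in (3, 2):  # longest matching public suffix wins
        if len(labels) > n and ".".join(labels[-n:]) in MULTI_LABEL_SUFFIXES:
            return ".".join(labels[-(n + 1):])
    return ".".join(labels[-2:])


BLOCKED_APEXES = {apex_domain(d) for d in BLOCKLIST}
BRAND_APEXES = {apex_domain(b) for b in BRAND_DOMAINS}


def host_of(url: str) -> str:
    """Hostname of a URL, tolerating bare 'host/path' strings."""
    return (urlsplit(url if "//" in url else "//" + url).hostname or "").lower()


def is_blocked(url: str) -> bool:
    """True when the URL's host is a listed domain or any subdomain of one."""
    return apex_domain(host_of(url)) in BLOCKED_APEXES


def impersonated_brand(url: str):
    """Return the brand domain a hostname borrows as its leading labels while
    resolving under someone else's apex, else None.
    pinterest.com.reports0701.net -> 'pinterest.com'; www.pinterest.com -> None."""
    host = host_of(url)
    if apex_domain(host) in BRAND_APEXES:
        return None  # genuinely under the brand's own registrable domain
    for brand in sorted(BRAND_DOMAINS, key=len, reverse=True):
        if host.startswith(brand + "."):
            return brand
    return None


def triage(urls):
    """Label each URL 'blocked', 'brand-impersonation:<brand>' or 'clean'."""
    verdicts = {}
    for url in urls:
        if is_blocked(url):
            verdicts[url] = "blocked"
        else:
            brand = impersonated_brand(url)
            verdicts[url] = f"brand-impersonation:{brand}" if brand else "clean"
    return verdicts


# Constructed sample links in the style of these spam runs (paths invented).
SAMPLE_URLS = [
    "http://pinterest.com.reports0701.net/news/pay-notices.php",
    "http://cpa.state.tx.us.tax-returns.mattwaltererie.net/news/index.php",
    "http://evil.sartorilaw.net/news/source_fishs.php",
    "http://www.cpa.state.tx.us/returns",
    "https://www.pinterest.com/",
]

if __name__ == "__main__":
    for url, verdict in triage(SAMPLE_URLS).items():
        print(f"{verdict:40} {url}")
```

Keying on the apex is what makes a list like the one above hold up: the gang can mint pinterest.com.reports0701.net, pinterest.com.reports0702.net and so on for free, but each new lure still lands on a registrable domain you already know about or one that trips the brand-prefix check.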


Adware sites to block 1/7/13

Never trust any sort of ad network that uses anonymous domains and hides all other identifying data. These seem to be doing the rounds at the moment; some of them may be involved in injection attacks or adware installs. If you have any experience of these domains turning up unexpectedly on your site then please leave a comment.. thanks!

cdnsrv.com
tracksrv.com
cdnloader.com
secure-content-delivery.com
mydatasrv.com


The domains all seem to be on parking IPs or Amazon AWS, so they are difficult to block by IP address.

Friday, 28 June 2013

jConnect spam / FAX_281_3927981981_283.zip

This fake fax spam is meant to contain malware, but in this particular case is being sent out with a corrupt attachment:

Date:      Fri, 28 Jun 2013 09:41:52 -0500 [10:41:52 EDT]
From:      jConnect [message@inbound.j2.com]
Subject:      jConnect fax from "697-377-6967" - 28 page(s), Caller-ID: 697-377-6967

Fax Message[Caller-ID: 697-377-6967] You have received a 28 page(s) fax at 2012-12-17
02:13:41 EST.* The reference number for this fax is
lax3_did10-1019412300-0003832668-11.This message can be opened using your PDF reader. If
you have not already installed j2 Messenger, download it for
free:http://www.j2.com/downloadsPlease visit http://www.j2.com/help if you have any
questions regarding this message or your j2 service.Thank you for using jConnect!Home    
Contact     Login2011 j2 Global Communications, Inc. All rights reserved.jConnect is a
registered trademark of j2 Global Communications, Inc.This account is subject to the
terms listed in thejConnect Customer Agreement.

Both the email and the attachment are horribly mangled, and in this case don't contain the malicious payload (as with this spam run). But be careful if you receive an email of this type, as the next time the spammers try it, it may well be more dangerous.
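The mangled attachment is a useful reminder that a mail filter should not treat an unreadable zip as harmless. As an added example, not the blog's own tooling, this Python builds a constructed message in the style of the jConnect lure, pulls out the attachments and triages each zip: magic bytes, archive integrity, and executable members hiding behind a double extension. The member filename inside the zip and the truncated second attachment are assumptions made for the demo.

```python
"""Attachment triage for fake-fax spam carrying a zip.

Added example for this post, not the blog's own tooling. The message is
constructed; the zip member name and the truncated copy are assumptions."""

import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Member extensions that should never arrive inside a "fax" archive.
EXEC_EXTS = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs")
ZIP_MAGIC = (b"PK\x03\x04", b"PK\x05\x06")  # local header / empty archive


def extract_attachments(raw: bytes):
    """Yield (filename, bytes) for each attachment of a raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    for part in msg.iter_attachments():
        yield part.get_filename() or "(unnamed)", part.get_payload(decode=True)


def triage_zip(name: str, data: bytes) -> dict:
    """Verdict for one zip attachment. A corrupt archive (as in this spam
    run) is reported as such rather than silently passed as harmless."""
    verdict = {"name": name, "size": len(data), "magic_ok": data[:4] in ZIP_MAGIC,
               "members": [], "executables": [], "status": ""}
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            verdict["members"] = zf.namelist()
            verdict["executables"] = [m for m in zf.namelist()
                                      if m.lower().endswith(EXEC_EXTS)]
            bad_member = zf.testzip()  # CRC-checks every member
    except zipfile.BadZipFile:
        verdict["status"] = "corrupt"  # magic may still look fine, see below
        return verdict
    except RuntimeError:  # raised for password-protected members
        verdict["status"] = "encrypted"
        return verdict
    if bad_member:
        verdict["status"] = f"corrupt-member:{bad_member}"
    elif verdict["executables"]:
        verdict["status"] = "executable-inside"
    else:
        verdict["status"] = "ok"
    return verdict


def triage_message(raw: bytes) -> list:
    """Triage every attachment; non-zip attachments are only recorded."""
    results = []
    for name, data in extract_attachments(raw):
        if name.lower().endswith(".zip") or data[:2] == b"PK":
            results.append(triage_zip(name, data))
        else:
            results.append({"name": name, "size": len(data), "status": "not-zip"})
    return results


def build_sample_message() -> bytes:
    """Constructed message: one intact zip hiding a fake executable and one
    truncated copy mimicking the mangled attachment described in the post."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        # Double extension; the body is an inert stand-in, not a real PE file.
        zf.writestr("FAX_281_3927981981_283.pdf.exe", b"MZ" + b"\x00" * 64)
    intact = buf.getvalue()
    truncated = intact[: len(intact) // 2]  # drops the end-of-central-directory record

    msg = EmailMessage()
    msg["From"] = "jConnect <message@inbound.j2.com>"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = 'jConnect fax from "697-377-6967" - 28 page(s)'
    msg.set_content("You have received a 28 page(s) fax.")
    msg.add_attachment(intact, maintype="application", subtype="zip",
                       filename="FAX_281_3927981981_283.zip")
    msg.add_attachment(truncated, maintype="application", subtype="zip",
                       filename="FAX_281_3927981981_283_corrupt.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for verdict in triage_message(build_sample_message()):
        print(verdict)
```

Note that the truncated copy still starts with the PK signature, so a filter that only sniffs magic bytes would wave it through; the verdict has to come from actually opening the archive, and "corrupt" belongs in the quarantine bucket alongside "executable-inside", not with "ok".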

Thursday, 27 June 2013

OfficeWorld.com spam / sartorilaw.net

This fake OfficeWorld spam leads to malware on sartorilaw.net:

Date:      Thu, 27 Jun 2013 12:39:36 -0430 [13:09:36 EDT]
From:      customerservice@emalsrv.officeworldmail.net
Subject:      Confirmation notification for order 1265953

Thank you for choosing OfficeWorld.com - the world's biggest selection of business products!

Please review your order details below. If you have any questions, please Contact Us


Helpful Tips:
--------------------------------------------------------------------
- Please SAVE or PRINT this confirmation for your records.
- ORDER STATUS is available online! Login and click "My Orders" to obtain UPS tracking information, etc.
- If you skipped registration, or forgot your password, simply enter your Login ID (normally your full e-mail address) and click [ forgot password ] to access your account.
--------------------------------------------------------------------

Order:  1265953
Date:           6/27/2013
Ship To:        My Default

Credit Card:    MasterCard


Product Qty     Price   Unit    Extended
--------------------------------------------------------------------
HEWCC392A    1       $9703.09  EA      $15.15         
AVE5366 1       $27.49  BX      $27.49         
SAF3081 2       $56.29  EA      $112.58        


Product Total:     $9855.22
--------------------------------------------------------------------
Total:          $9855.22

OfficeWorld.com values your business!
The link in the email goes through a legitimate hacked site and then on to [donotclick]sartorilaw.net/news/source_fishs.php (report here) hosted on the following IPs:
77.240.118.69 (Acens Technologies, Spain)
78.108.86.169 (Majordomo LLC, Russia)
89.248.161.148 (Ecatel, Netherlands)
108.177.140.2 (Nobis Technology Group, US)

Recommended blocklist:
77.240.118.69
78.108.86.169
89.248.161.148
108.177.140.2
afabind.com
chinadollars.net
condalnuashyochetto.ru
ejoingrespubldpl.ru
gindonszkjchaijj.ru
greli.net
gstoryofmygame.ru
meynerlandislaw.net
oydahrenlitutskazata.ru
reveck.com
sartorilaw.net
sendkick.com
spanishafair.com



Tuesday, 25 June 2013

ADP spam / spanishafair.com

This fake ADP spam leads to malware on spanishafair.com:

Date:      Tue, 25 Jun 2013 14:38:05 +0000 [10:38:05 EDT]
From:      Run Do Not Reply [RunDoNotReply@ipn.adp.net]
Subject:      Your Biweekly payroll is  accepted

Yoyr payroll for check date 06/25/2013 is approved. Your payroll would be done at least 3 days before to your check date to ensure timely tax deposits and payroll delivery. If you offer direct deposit to your employees, this will also support pay down their money by the due date.

Client ID: [redacted]

View Details: Review

Important: Please be advised that calls to and from your payroll service team may be monitored or recorded.

Please do not reply to this message. auto informer system not configured to accept incoming messages.

The malicious payload is at [donotclick]spanishafair.com/news/possibility-redundant.php hosted on:
119.147.137.31 (China Telecom, China)
210.42.103.141 (Wuhan Urban Construction Institute, China)
203.80.17.155 (MYREN Cloud Infrastructure, Malaysia)

Related evil domains and IP addresses to block can be found here and here.

"Southwest Airlines Confirmation: KQR101" spam / meynerlandislaw.net

This fake Southwest Airlines spam leads to malware on meynerlandislaw.net:

from:     Southwest Airlines [information@luv.southwest.com]
reply-to:     Southwest Airlines [no-reply@emalsrv.southwestmail.com]
date:     25 June 2013 17:09
subject:     Southwest Airlines Confirmation: KQR101

[redacted] 2013-06-25 JACEE3 INITIAL SLC WN PHX0.00T/TFF 0.00 END AY2.50$SLC1.50 1583018870396 2013-12-22 1394 2013-06-26 Depart SALT LAKE CITY IL (SLC) at 10:14 PM on Southwest Airlines Arrive in PAOLO ALTO MI (PHX) at 1:30 PM

You're all set for your travel!
   
Southwest Airlines
   
My Account | Review My Itinerary Online

     
Check In Online
    |    
Check Flight Status
    |    
Change Flight
    |    
Special Offers
    |    
Hotel Deals
    |    
Car Deals
   
Ready for lift-off!
   
Thank You Southwest for your travel! You'll find everything you need about your reservation below. Happy voyage!
Upcoming Journey: 06/26/13 - SLC - Phx Knight 

The link goes through a legitimate hacked site and ends up on a malicious payload at [donotclick]meynerlandislaw.net/news/possibility-redundant.php (report here) hosted on the following IPs:

119.147.137.31 (China Telecom, China)
203.80.17.155 (MYREN, Malaysia)

Recommended blocklist:
119.147.137.31
203.80.17.155
addressadatal.net
afabind.com
appasnappingf.com
avastsurveyor.com
cardpalooza.su
chinadollars.net
condalnuashyochetto.ru
doggedlegitim.net
dollsinterfer.net
dulethcentury.net
ehnihjrkenpj.ru
ejoingrespubldpl.ru
estimateddeta.com
genown.ru
gindonszkjchaijj.ru
greli.net
gstoryofmygame.ru
gurieojgndieoj.ru
headbuttingfo.net
historuronded.com
ingrestrained.com
inutesnetworks.su
invisibilitym.net
joinproportio.com
libulionstreet.su
ludena.ru
mantrapura.net
meticulousmus.net
meynerlandislaw.net
multipliedfor.com
oydahrenlitutskazata.ru
photosuitechos.su
relectsdispla.net
reportingglan.com
reveck.com
sendkick.com
shopkeepersne.net
spanishafair.com
stilos.pl
streetgreenlj.com
unabox.pl
voippromotion.su
winne2000.net
zoneagainstre.com


Monday, 24 June 2013

Something evil on 173.246.104.154

173.246.104.154 (Gandi, US) is hosting hacked GoDaddy domains serving a variety of malware [1] [2]. At the moment the following domains appear to be hosted on that server:
aandimedsolutions.com
aandimedsolutions.info
aandimedsolutions.net
antarcticland-union.it
antarcticland-union.org
antarcticland-union.us
easymapbuilder.com
findmynewschool.com
governmentofantarcticland.it
governmentofantarcticland.org
governmentofantarcticland.us
governodiantarcticland.it
governodiantarcticland.org
inflectionism.com
marinedockladders.com
premiumrentalproperty.com
principalityaustrallands.org
principatodiantarcticland.it
principatodiantarcticland.org
remote-recording-mixing.com
soundstudiosearch.com
trippling.com
waltwhitman150.org

These domains were recently hosted on that server but now appear to be back with GoDaddy and are probably fixed:
audiomasteringmeistro.com
beachfrontconcierge.com
audio-mastering-music.com
novafitnesstrainer.com
dinneraffairs.com
douglasvillestorage.com
subprimemortgage.us
loadingdockgear.com
loadingdockdepot.com
rippedtrainer.com
herblade.com
audiomasteringmaestro.com
audiomasteringsearch.com
austinremoterecording.com
bestseoamerica.com
hotrankseo.com
jacksonvillefloridacommercialrealestate.com
online-audio-mixing.com
findmynewhouse.co.uk
greatwestinsurancegroup.com
jewelboon.com