Sponsored by..

Monday, 26 August 2013

UPS Spam / UPS Invoice 74458652.zip

This fake UPS invoice has a malicious attachment:

From:      "UPSBillingCenter@ups.com" [UPSBillingCenter@ups.com]
Subject:      Your UPS Invoice is Ready


New invoice(s) are available for the consolidated payment plan(s) / account(s) enrolled in the UPS Billing Center. Download the attachment. Invoice will be automatically shown by double click.
Attached is a file UPS Invoice 74458652 which in turn contains a file called UPS Invoice {DIGIT[8]}.exe  which presumably isn't meant to be named like that..

The VirusTotal detection rate is a so-so 18/46. The Malwr analysis is that this is a trojan downloader that attempts to download bad things from the following locations:
[donotclick]gordonpoint.org/forum/viewtopic.php
[donotclick]mierukaproject.jp/PjSE.exe
[donotclick]programcommunications.com/WZP3mMPV.exe
[donotclick]fclww.com/QdytJso0.exe
[donotclick]www.lajen.cz/tPT8oZTB.exe

The VirusTotal detection rate for the downloaded file is not great at just 9/46.

The domain gordonpoint.org is a hijacked GoDaddy domain on 74.207.229.45 (Linode, US) along with several other hijacked domains which are listed below in italics.

Recommended blocklist:
74.207.229.45
gordonpoint.org
hitechcreature.com
industryseeds.ca
infocreature.com
itanimal.com
itanimals.com
jngburgerjoint.ca
jngburgerjoint.com
johnmejalli.com

mierukaproject.jp
programcommunications.com
fclww.com
www.lajen.cz

Friday, 23 August 2013

Wells Fargo spam / WellsFargo_08232013.exe

This fake Wells Fargo spam has a malicious attachment:

Date:      Fri, 23 Aug 2013 09:43:44 -0500 [10:43:44 EDT]
From:      Morris_Osborn@wellsfargo.com

Please review attached documents.

Morris_Osborn
Wells Fargo Advisors
817-718-8096 office
817-610-5531 cell Morris_Osborn@wellsfargo.com

Investments in securities and insurance products are:
NOT FDIC-INSURED/NO BANK-GUARANTEES/MAY LOSE VALUE

Wells Fargo Advisors, LLC is a nonbank affiliate of Wells Fargo & Company, Member
FINRA/SIPC. 1 North Jefferson, St. Louis, MO 63103

CONFIDENTIAL NOTICE: The contents of this message, including any attachments, are
confidential and are intended solely for the use of the person or entity to whom the
message was addressed. If you are not the intended recipient of this message, please be
advised that any dissemination, distribution, or use of the contents of this message is
strictly prohibited. If you received this message in error, please notify the sender.
Please also permanently delete all copies of the original message and any attached
documentation. Thank you.
In this case there is an attachment WellsFargo.victimname.zip which contains a malicious executable WellsFargo_08232013.exe (note the date is encoded into the filename). The VirusTotal detection rate is just 4/45, but the file itself is unusually small (just 21Kb unzipped, 8Kb zipped) when I would normally expect to see the executable closer to 100Kb for this sort of malware.

What does it do? Well, the automated reports show it rummaging through various browser and address book data, and the ThreatTrack report [pdf] shows a DNS lookup of the domain huyontop.com plus what appears to be some peer-to-peer activity. Malwr, Comodo CAMAS and Anubis are somewhat less enlightening.

The WHOIS details for the domain huyontop.com appear to be valid (I won't list them here, look them up if you want), however it was only registered a few days ago. I can't tell you exactly what it is doing, but I would treat huyontop.com as being potentially malicious and block it if you can.

Thursday, 22 August 2013

"Remittance Docs 2982780" spam / Docs_08222013_218.exe

This fake Chase spam has a malicious attachment:

Date:      Thu, 22 Aug 2013 10:00:33 -0600 [12:00:33 EDT]
From:      Jed_Gregory [Jed_Gregory@chase.com]
Subject:      Remittance Docs 2982780

Please find attached the remittance 2982780.                                             
                                                            If you are unable to open the
attached file, please reply to this email        with a contact telephone number. The
Finance Dept will be in touch in          due course. Jed_Gregory
Chase Private Banking      Level III Officer
3 Times Square
New York, NY 10036
T. 212.525.8865
F. 212.884.2034
The attachment is in the format Docs_victimdomain.com.zip which contains an executable Docs_08222013_218.exe (note that the date is encoded into the file). The VirusTotal detection rate for this is a moderate 16/46. The Malwr analysis shows that this is a Pony/Gate downloader which attempts to connect to the following URLs:
[donotclick]watch-fp.ca/ponyb/gate.php
[donotclick]www.jatw.pacificsocial.com/VSMpZX.exe
[donotclick]richardsonlookoutcottages.nb.ca/Q5Vf.exe
[donotclick]idyno.com.au/kvdhx2.exe

The downloader then downloads a second part with a much lower detection rate of 6/46. This appears to be a Zbot variant, and the Malwr analysis for that component is here.

The Pony/Gate component is hosted on 72.5.102.146 (Nuclear Fallout Enterprises, US) and is a hijacked GoDaddy domain, one of several on that server and listed below in italics.

Recommended blocklist:
72.5.102.146
dennissellsgateway.com
justinreid.us
successchamp.com
thenatemiller.biz
thenatemiller.co
thenatemiller.info
thenatemiller.net
thenatemiller.org
watch-fp.biz
watch-fp.ca
watch-fp.com
watch-fp.info
watch-fp.mobi
waterwayrealtyteam.us

jatw.pacificsocial.com
richardsonlookoutcottages.nb.ca
idyno.com.au



Discover card "Your account login information updated" spam / abemuggs.com

This fake Discover card spam leads to malware on abemuggs.com:

Date:      Thu, 22 Aug 2013 16:14:59 +0000 [12:14:59 EDT]
From:      Discover Card [no-reply@facebook.com]
Subject:      Your account login information updated

Discover
Access My Account
   
ACCOUNT CONFIRMATION    Statements | Payments | Rewards   
Your account login information has been updated.

Dear Customer,

This e-mail is to confirm that you have updated your log-in information for Discover.com. Please remember to use your new information the next time you log in.

Log In to review your account details or to make additional changes.

Please Note: If you did not make this request, please contact us immediately at 1-800-DISCOVER (1-800-347-2683).
   
Sign up    

Don't miss out—sign up to get exclusive offers via e-mail from Discover.

Sign Up
   
Facebook    Twitter    I Love Cashback Bonus Blog    Mobile

   
Add discover@service.discover.com to your address book to ensure delivery of these e-mails.
See ways to help identify authentic Discover e-mails by visiting our email security page.

    IMPORTANT INFORMATION

This e-mail was sent to [redacted].

You are receiving this Discover e-mail as a confirmation of your account activity.

Log in to update your e-mail address or view your account e-mail preferences.

If you have any questions about your account, please log in to contact us securely and we will be happy to assist you.

Please do not reply to this e-mail as we are not able to respond to messages sent to this address.

DISCOVER and other trademarks, logos and service marks used in this e-mail are the trademarks of Discover Financial Services or their respective third-party owners.

Discover Products Inc.
P.O. Box 30666
Salt Lake City, UT 84130
©2012 Discover Bank, Member FDIC

TRUPCHNG_A1_A1_A1


The link in the email uses the Twitter redirection service to go to [donotclick]t.co/9PsnfeL8hh then [donotclick]x.co/1neIk then [donotclick]activegranite.com/vocatives/index.html and finally to a set of three scripts as follows:
[donotclick]02aa198.netsolhost.com/frostbite/hyde.js
[donotclick]96.9.28.44/dacca/quintilian.js
[donotclick]cordcamera.dakisftp.com/toothsome/catch.js

From this point the victim ends up at the malicious payload at [donotclick]abemuggs.com/topic/able_disturb_planning.php which is a hijacked GoDaddy domain hosted on 74.207.253.139 (Linode, US).

At the moment, I can only see abemuggs.com active on 74.207.253.139, however other domains in the same GoDaddy account may be hijacked as well. If you see unexpected traffic going to the following domains then it may be malicious:
abemuggs.com
abesmugs.com
abemugs.com
andagency.com
mytotaltitle.com

I would strongly recommend the following blocklist:
74.207.253.139
96.9.28.44
abemuggs.com
02aa198.netsolhost.com
cordcamera.dakisftp.com

Wednesday, 21 August 2013

Facebook spam / thenatemiller.co

This fake Facebook spam leads to malware on thenatemiller.co:

Date:      Wed, 21 Aug 2013 22:05:38 +0530 [12:35:38 EDT]
From:      Facebook [update+hiehdzge@facebookmail.com]
Subject:      You requested a new Facebook password

facebook
Hello,

You recently asked to reset your Facebook password.
Click here to change your password.
Didn't request this change?
If you didn't request a new password, let us know immediately.
Change Password
This message was sent to [redacted] at your request.
Facebook, Inc., Attention: Department 415, PO Box 10005, Palo Alto, CA 94303
Nothing good will come from clicking the link. First victims go to a legitimate but hacked site that attempts to load the following three scripts:
[donotclick]gemclinicstore.com/admitted/tintinnabulations.js
[donotclick]mathenyadvisorygroup.com/toffies/ceiling.js
[donotclick]www.it-planet.gr/schlepped/suitor.js

From there the victim is directed to a malware landing page at [donotclick]thenatemiller.co/topic/able_disturb_planning.php (.co, not .com) which is a hijacked GoDaddy domain hosted on 72.5.102.146 (Nuclear Fallout Enterprises, US) along with several other hijacked domains (listed below in italics).

Recommended blocklist:
72.5.102.146
successchamp.com
dennissellsgateway.com
thenatemiller.co
thenatemiller.info
justinreid.us
waterwayrealtyteam.us
thenatemiller.biz

gemclinicstore.com
mathenyadvisorygroup.com
www.it-planet.gr

Laughable advanced fee fraud scam promises $2.5

Two-and-a-half bucks? I think I'll pass.
From:     Mr Anthony Freed [johnewele12@cantv.net]
Reply-to:     dhlcorriadeliveryservice@live.com
Date:     20 August 2013 21:13
Subject:     Attention please!!!

Attention please!!!

We have registered your ATM CARD of (US $2.5) with DHL Express Courier Company with registration code of ( 9665776) please Contact with your delivery
information:
DHL OFFICE:
Name Dr:Mark Jonson.
E-mail: dhlcorriadeliveryservice@live.com //officedhldelivery service
Tel:+229 98270349.

We have paid for the Insurance & Delivery fee.The only fee you have to pay is their Security fee only.Please indicate the registration Number of ( 22-82797457 )and ask Him how much is their Security fee so that you can pay it.
Best Regards.
Rev.Anthony Fred
I don't think I've seen an Advanced Fee Fraud spam so full of fail for a long time..

Facebook spam / dennissellsgateway.com

This fake Facebook spam leads to malware on dennissellsgateway.com:

Date:      Tue, 20 Aug 2013 15:28:11 -0500 [16:28:11 EDT]
From:      Facebook [no-reply@facebook.com]
Subject:      Gene Maynard wants to be friends with you on Facebook.

facebook
   
Gene Maynard wants to be friends with you on Facebook.
University of Houston, Victoria
342 friends - 28 photos
Confirm Request
       
See All Requests
This message was sent to [redacted]. If you don't want to receive these emails from Facebook in the future, please click: unsubscribe.
Facebook, Inc. Attention: Department 415 P.O Box 10005 Palo Alto CA 94303

This is a "ThreeScripts" attack, with the link first going to a legitimate hacked site and then through one of the following three scripts:
[donotclick]ftp.crimestoppersofpinellas.org/jonson/tried.js
[donotclick]italiangardensomaha.com/moocher/pawned.js
[donotclick]www.it-planet.gr/schlepped/suitor.js

From there, the victim ends up on a hijacked GoDaddy domain with a malicious payload at [donotclick]dennissellsgateway.com/topic/able_disturb_planning.php on 72.5.102.146 (Nuclear Fallout Enterprises, US) along with some other hijacked domains (listed in italics below).

Recommended blocklist:
72.5.102.146
dennissellsgateway.com
justinreid.us
waterwayrealtyteam.us

www.it-planet.gr
italiangardensomaha.com
ftp.crimestoppersofpinellas.org

Update:
Another spam is circulating with a different pitch, but the same malicious payload:

Dear Customer,

The following is your Credit Card settlement report for Monday, August 19, 2013.
Transaction Volume Statistics for Settlement Batch dated 19-Aug-2013
Batch ID: 108837538
Business Day: 19-Aug-2013
Net Batch Total: 3704.75 (USD)
Number of Charge Transactions: 1
Amount of Charge Transactions: 3704.75
Number of Refund Transactions: 5
Amount of Refund Transactions: 315.74
You can download your full report at https://account.authorize.net/login/protected/download/settlementreport/

To view details for a specific transaction, please log into the Merchant Interface.

1.Click "Reports" from the main menu
2.Select "Transaction Details by Settlement Date"
3.Select "Settled Transactions" from the Item Type drop-down box.
4.Select the Settlement Date for the batch you would like to view from the "Date" drop-down box
5.Click "Run Report"
6.In the results, click on any transaction ID to view specific details for that transaction.

If you have any questions regarding this settlement report, please contact us by Secure Mail or you can call Customer Support at 1-877-447-3938.

Thank You,
Authorize.Net
*** You received this email because you chose to be a Credit Card Report
recipient. You may change your email options by logging into the Merchant
Interface. Click on Settings and Profile in the Main Menu, and select
Manage Contacts from the General section. To edit a contact, click the
Edit link next to the contact that you would like to edit. Under Email
Types, select or deselect the Email types you would like to receive. Click
Submit to save any changes. Please do not reply to this email.



Monday, 19 August 2013

"You have received a secure message" spam / securedoc.zip

This fake Citi spam contains a malicious attachment:

Date:      Mon, 19 Aug 2013 20:24:27 +0000 [16:24:27 EDT]
From:      "secure.email@citi.com" [secure.email@citi.com]
Subject:      You have received a secure message

You have received a secure message
Read your secure message by opening the attachment, securedoc. You will be prompted to open (view) the file or save (download) it to your computer. For best results, save the file first, then open it with Internet Explorer.
If you have concerns about the validity of this message, please contact the sender directly. For questions please contact the Citi Secure Email Help Desk at (866) 535-2504.
First time users - will need to register after opening the attachment.
About Email Encryption - http://www.citi.com/citi/citizen/privacy/email.htm

Attached is a file securedoc.zip which in turn contains a malicious executable securedoc.exe which has a very low detection rate at VirusTotal of just 2/46. The Malwr analysis (and also ThreatExpert) shows that the file first connects to [donotclick]frankcremascocabinets.com/forum/viewtopic.php (a hijacked GoDaddy domain on 184.95.37.102 (Secured Servers, US / Jolly Works Hosting, Philippines) as seen before here, and it then tries to downoad additional components from:

[donotclick]lobbyarkansas.com/0d8H.exe
[donotclick]ftp.ixcenter.com/GMMo6.exe
[donotclick]faithful-ftp.com/kFbWXZX.exe

This second part has another very low VirusTotal detection rate of just 3/46. Malwr gives an insight into what the binary is doing, or alternatively you can look at the Comodo CAMAS report or ThreatExpert report

Recommened blocklist:
184.95.37.96/28
frankcremascocabinets.com
giuseppepiruzza.com
gordonpoint.biz
gordonpoint.info
hitechcreature.com
frankcremasco.com
lobbyarkansas.com
ftp.ixcenter.com
faithful-ftp.com

"You requested a new Facebook password" spam / frankcremascocabinets.com

This fake Facebook spam follows on from this one, but has a different malicious landing page at frankcremascocabinets.com:

From:     Facebook [update+hiehdzge@facebookmail.com]
Date:     19 August 2013 17:38
Subject:     You requested a new Facebook password

facebook
Hello,

You recently asked to reset your Facebook password.
Click here to change your password.
Didn't request this change?
If you didn't request a new password, let us know immediately.
Change Password
This message was sent to [redacted] at your request.
Facebook, Inc., Attention: Department 415, PO Box 10005, Palo Alto, CA 94303
The link in the email goes to a legitimate hacked site which then tries to load one or more of the following three scripts:
[donotclick]ftp.hotwindsaunausa.com/clingy/concord.js
[donotclick]katchthedeal.sg/stilling/rifts.js
[donotclick]ftp.navaglia.it/gazebo/cowboys.js

The victim is then directed to a malware payload at [donotclick]frankcremascocabinets.com/topic/able_disturb_planning.php hosted on 184.95.37.102 (Secured Servers, US / Jolly Works Hosting, Philippines). This domain is a hijacked GoDaddy domain and there are several others on the same server (listed below in italics).

Recommended blocklist:
184.95.37.96/28
ftp.hotwindsaunausa.com
katchthedeal.sg
ftp.navaglia.it
giuseppepiruzza.com
frankcremascocabinets.com
gordonpoint.biz
hitechcreature.com

frankcremasco.com

Facebook spam / hubbywifewines.com

This fake Facebook spam leads to malware on hubbywifewines.com:

Date:      Mon, 19 Aug 2013 16:20:06 +0200 [10:20:06 EDT]
From:      Facebook [update+hiehdzge@facebookmail.com]
Subject:      You requested a new Facebook password


facebook
Hello,

You recently asked to reset your Facebook password.
Click here to change your password.
Didn't request this change?
If you didn't request a new password, let us know immediately.
Change Password
This message was sent to [redacted].net at your request.
Facebook, Inc., Attention: Department 415, PO Box 10005, Palo Alto, CA 94303
The link in the email goes to a legitimate hacked site and then loads one or more of these three scripts:
[donotclick]ftp.hotwindsaunausa.com/clingy/concord.js
[donotclick]katchthedeal.sg/stilling/rifts.js
[donotclick]ftp.navaglia.it/gazebo/cowboys.js

The victim is then forwarded to a malware landing page using a hijacked GoDaddy domain at [donotclick]hubbywifewines.com/topic/able_disturb_planning.php hosted on 72.5.102.192 (Nuclear Fallout Enterprises, US) along with another hijacked domain of hubbywifefoods.com.

Recommended blocklist:
72.5.102.192
hubbywifewines.com
hubbywifefoods.com
ftp.hotwindsaunausa.com
katchthedeal.sg
ftp.navaglia.it



MONK / Monarchy Resources, Inc pump-and-dump spam

Another day, another pump-and-dump spam run, this time being sent to randomly generated email addresses promoting MONK (Monarchy Resources, Inc). Here are some examples:

Subject: Pick Of The Week... Do Not Miss Out This Time!
Make easy $15'000 Monday!!! Hello, want to receive $15'000 by
next Friday? You would receive lot more if you get this hot
stock on Monday. The stock symbol is: M_O N_K. It's Monarchy
Resources, Inc.. It sells under 48 cents, but it should
see $1'80 shortly! Purchase shares of M_O N_K on Aug, 19
below 48 cents and multiply your cash! It could be
awesome to get $15'000 by Friday. And it's very easy to
receive. On Monday, Aug 19, 2013 order 43'000 shares of M_O
N_K and get over $15'000 by Friday

Subject: Hot Investor News
Pocket your $17'000 now! Howdy, need to pocket $17'000 by this Saturday? You
will get lots more if you purchase this premium stock on Monday. The stock
symbol is: M_ONK. It's MONARCHY RESOURCES INC.. It sits below 42 cents,
but it should see $1'20 promptly! Purchase shares of M_ONK on Mon, Aug
19th, 2013 under 42 cents and multiply your investment. It will be
amazing to earn $17'000 by Saturday. And its very easy to get! On Aug, 19th
order 29'000 shares of M_ONK and receive over $17'000 by Saturday!!!

Subject: Walgreens News!!!
Make easy $12'000 now! Hello, ready to pocket $12'000 by next
Saturday? You would receive lots more if you order this
undervalued stock on Monday. The company symbol is: M O N K.
It's Monarchy Resources, Inc. It goes under 40 cents, but
it could settle $1.90 promptly! Get shares of M O N K on
Monday, Aug 19th, 2013 under 40 cents and quadruple your
investment. It can be amazing to earn $12'000 by Saturday. And
its very easy to do! On Aug, 19 trade 21'000 shares of M O N K
and get over $12'000 by Saturday.

Subject: Profile Alert
Earn fast $13'000 now! Hello, ready to pocket $13'000 by this Thursday?
You can make lot more if you get this new stock on Monday. The stock
symbol is: M_O N_K. Its MONARCHY RESOURCES, INC. It goes under 30
cents, but it should see $1.55 shortly! Get shares of M_O N_K on
Monday, Aug 19 under 30 cents and quadruple your portfolio. It
could be cool to make $13'000 by Thursday. And it's very easy to do! On
Mon, August 19th, 2013 buy 35'000 shares of M_O N_K and pocket over
$13'000 by Thursday!

The spam that I have seen appears to originate primarily from IP addresses in India.

So, what's up with MONK? The stock has only been trading since June and most of that time it has been at around the $1.00 level. At the beginning of August the price dropped to $0.40 and then $0.20 per share (dropping for one point to just $0.10), losing more than 75% of its value since launch (see the stock chart here).


On 16th August there was a flurry of activity as 209,400 shares were bought at around the $0.20 or somewhat under that. Usually this is the spammers taking up a position in the company that they are about to spam. On the next day (a Saturday) the pump-and-dump spam started. So far today about 450,000 shares have been traded, apparently giving the stock a bit of a bump as whoever has hired the spammers tries to cash out.

As with all pump-and-dump spams, the only people making money out of it are the scammers who run it. Any investor who tries to try to invest in these it likely to lose some or all of their investment. Avoid

Malekal.com Joe Job part II

There has been a Joe Job being run against Malekal.com for some time now. However, the joe job has now morphed and includes a reference to this blog (which is kind of annoying).

Date:      Sun, 18 Aug 2013 14:35:33 +0300 [08/18/13 07:35:33 EDT]
Subject:      Email SPAM for malekal.com

Theses emails SPAM are sent from a botnet (check the mails headers), im not
responsible of theses spam emails.
Someone is probably trying to get the site blacklisted or to get bad reputation
(called this "a Joe Job" - see :
http://blog.dynamoo.com/2013/08/malekalcom-joe-job.html )

The responsible is " Reveton Guy ", try to get revenge after a mass shutdown of
their malvertising :

http://www.malekal.com/2013/07/30/en-juicyads-reveton-malvertising/
http://www.malekal.com/2013/07/28/en-plugrush-reveton-malvertising/
http://www.malekal.com/2013/07/26/en-reveton-adxpansion-com-malvertising/

The August 11, they tried to get my website blacklisted using hacked website :
http://www.malekal.com/2013/08/12/en-reveton-go-now-by-hacked-website/
This is rather more subtle than the previous Joe Job, as it appears to be from the Malekal administrator themselves. However, it is being sent by a botnet (probably the same botnet sending the original spam) and is just another way to cause trouble.

These spam emails are tightly targeted to addresses that are most likely to make complaints. If you are going to report these, then I'd appreciate it if you would report the sending IP only rather than just copy-and-pasting all the links in.

Friday, 16 August 2013

"California Human Right Foundation CHRF USA" scam email

It's hard to say whether or not this scam is simply a version of the advanced fee fraud (you can come to the conference, but there will be fees and hotel charges), or if the idea is that you go down to Senegal and get kidnapped. In any case, this is a scam send to an email address scraped from the web via a hijacked email account in Indonesia. Similar scams have been seen before. Avoid.

From:     Mrs Cira Jonas [dede@yongjin.co.id]
Reply-To:     cirajo101@blumail.org
Date:     16 August 2013 18:06
Subject:     2013 USA (CHRF) CONFERENCE/INVITATION!!!

Dear Colleagues,

On behalf of California Human Right Foundation CHRF USA, It is a great privilege for us to invite you to global Congress meeting against Economic Crisis, Child Protection & HIV/AIDS Treatment, Prostitution, Sex Work and forced Labor. The aims of the conference are to bring together researchers and practitioners in an effort to lay the ground work for future collaborative research, advocacy, and program development as well as to educate social service, health care, and criminal justice professionals on human trafficking and the needs and risks of those victimized by the commercial sex industry.

The global Congress meeting against Economic Crisis, Child Protection & HIV/AIDS Treatment, Prostitution, Sex Work and forced Labor is scheduled to take place from October 20th – 24th 203, in California the United States and in Dakar-Senegal, from October 26th – 30th 2013. The global congress is hosted by the Campaign against Child Labor Coalition and sponsored by (The Bill & Melinda Gates Foundation, The William J. Clinton Foundation and other benevolent donors worldwide.

Note that all interested delegates that requires entry visa to enter the United States to attend this meeting will be assisted by the organization, in obtaining the visa in their passport. Free air round trip tickets to attend this meeting will be provided to all participants. The Workshop welcomes paper presentation from any interested participants willing to present papers during the meeting.

For registration information you are to contact the conference secretariat via  Email: info.secretaryallissa@usa.com


Please share the information with your colleagues.

Sincerely,
Mrs Cira Jonas
E-mail: cirajo101@blumail.org
(M.D) Activities Coordinator

ADP spam / ADP_week_invoice.zip|exe

This fake ADP spam has a malicious attachment:

Date:      Fri, 16 Aug 2013 09:57:59 -0500 [10:57:59 EDT]
From:      "run.payroll.invoice@adp.com" [run.payroll.invoice@adp.com]
Subject:      ADP Payroll INVOICE for week ending 08/16/2013

Your ADP Payroll invoice for last week is attached for your review. If you have any
questions regarding this invoice, please contact your ADP service team at the number
provided on the invoice for assistance.

Thank you for choosing ADP Payroll.
Important: Please do not respond to this message. It comes from an unattended mailbox.
There is an attachment ADP_week_invoice.zip which in turn contains a malicious executable file ADP_week_invoice.exe. The payload is exactly the same as this other malicious spam run which is running in parallel.

"CEO Portal Statements & Notices Event" spam / report_{DIGIT[12]}.exe

This fake Wells Fargo email has a malicious attachment:

Date:      Fri, 16 Aug 2013 09:51:17 -0500 [10:51:17 EDT]
From:      Wells Fargo Event Messaging Admin [ofsrep.ceosmuigw@wellsfargo.com]
Subject:      CEO Portal Statements & Notices Event


Wells Fargo

Commercial Electronic Office (CEO) Portal Statements & Notices Event: Multiple Download Request Available

Your Deposit Adjustment Notices is now available. To access your information please download attached report and open Statements & Notices file.
Date/Time Stamp:    Fri, 16 Aug 2013 09:51:17 -0500
Request Name:    MM3P85NRLOXLOFJ
Event Message ID:    S045-77988311

Please do not reply to this email.

The email has an attachment called report_625859705821.zip which in turn contains an exectuable report_{DIGIT[12]}.exe (which presumably is an error) which has a VirusTotal detection rate of 9/46. The Malwr report shows that this malware does various things, inclding an HTTP request to a hijacked GoDaddy domain at [donotclick]hubbywifeco.com/forum/viewtopic.php hosted on 66.151.138.80 (Nuclear Fallout Enterprises, US) which is shared with another hijacked domain, hubbywifecakes.com.

From there, another executable is downloaded from one of the following locations:
[donotclick]208.106.130.52/39UvZmv.exe
[donotclick]demoscreactivo.com/DKM9.exe
[donotclick]roundaboutcellars.com/Utuw1.exe
[donotclick]bbsmfg.biz/VKPqrms.exe

This executable has an even lower detection rate of just 5/46. You can see the Malwr report for that here.

Blocking EXE-in-ZIP files like this at your perimeter is an excellent idea if you can do it.

Recommended blocklist:
66.151.138.80
hubbywifeco.com
hubbywifecakes.com
208.106.130.52
demoscreactivo.com
roundaboutcellars.com
bbsmfg.biz


Thursday, 15 August 2013

"INCOMING FAX REPORT" spam / chellebelledesigns.com

A facsimile transmission. How quaint. Of course, it isn't.. the link in the spam goes to a malicious page on chellebelledesigns.com:

From:     Administrator [administrator@victimdomain]
Date:     15 August 2013 16:08
Subject:     INCOMING FAX REPORT : Remote ID: 1043524020

*********************************************************INCOMING FAX REPORT*********************************************************Date/Time: 07/25/2013 02:12:11 ESTSpeed: 66387 bpsConnection time: 04:06Pages: 0Resolution: NormalRemote ID: 1043524020Line number: 7DTMF/DID:Description: June PayrollClick here to view the file online*********************************************************

*********************************************************
INCOMING FAX REPORT
*********************************************************

Date/Time: 07/25/2013 02:12:11 EST
Speed: 66387 bps
Connection time: 04:06
Pages: 0
Resolution: Normal
Remote ID: 1043524020
Line number: 7
DTMF/DID:
Description: June Payroll

Click here to view the file online

********************************************************* 
Note that the spam appears to come "from" the "Administrator" in the victim's own domain. This email address is a forgery, so don't worry about it. If you are daft enough to click the link in the email you go to a legitimate hacked site and then on to one of three scripts:
[donotclick]millionaireheaven.com/mable/rework.js
[donotclick]pettigrew.us/airheads/testier.js
[donotclick]www.situ-ingenieurgeologie.de/tuesday/alleviation.js

from there on, the victim is forwarded to a malicious landing page at [donotclick]chellebelledesigns.com/topic/conclusion-western.php using a hacked GoDaddy domain on 173.246.104.55 (Gandi, US). There are other hijacked GoDaddy domains on the same server (listed in italics below):

Recommended blocklist:
173.246.104.55
1800callabe.com
1866callabe.com
chellebelledesign.com
chellebelledesigns.com

millionaireheaven.com
pettigrew.us
www.situ-ingenieurgeologie.de


Something evil on 162.211.231.16

The server at 162.211.231.16 (IT7 Networks, Canada) is currently being used in injection attacks (example) which have been going on for some time [1] [2] and uses several domains, some of which are listed below.

The WHOIS details for these domains seem to be consistent but are possibly fake:

Registrant ID:CR148448937
Registrant Name:Leonardo Salim Chahda
Registrant Street1:Patron 6755
Registrant Street2:
Registrant Street3:
Registrant City:Capital Federal
Registrant State/Province:Buenos Aires
Registrant Postal Code:1408
Registrant Country:AR
Registrant Phone:+46.444407
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Registrant Email:info@brigitteunderwear.com


All the domains are very recently registered by GoDaddy. The WHOIS details for brigitteunderwear.com (also registered by GoDaddy in 2006) are consistent, but I've seen enough hijacked GoDaddy domains recently to be suspicious that there could be an element of identity theft here, and the named person may well have nothing to do with this attack.

I haven't had time to poke around at the payload too much, but this could well be a good IP to block, or alternatively use the list of domains that I have identified below (it may not be comprehensive, though)

Recommended blocklist:
162.211.231.16
acioepod.biz
acioepod.info
acioepod.org
acioepod.us
adrietod.biz
adrietod.info
adrietod.org
adrietod.us
alienore.biz
alienore.info
alienore.org
alienore.us
alpirute.biz
alpirute.info
alpirute.org
alpirute.us
alpojser.biz
alpojser.info
alpojser.net
alpojser.us
aniopirs.us
bialooes.biz
bialooes.info
bialooes.org
bialooes.us
boriskpr.biz
boriskpr.info
boriskpr.org
boriskpr.us
bugaletir.biz
bugaletir.info
bugaletir.org
bugaletir.us
bugaltoiy.biz
bugaltoiy.info
bugaltoiy.org
bugaltoiy.us
buhortes.biz
buhortes.info
buhortes.org
buhortes.us
caniopeo.us
caoilrsr.biz
caoilrsr.info
caoilrsr.org
caoilrsr.us
ciponeor.biz
ciponeor.info
ciponeor.org
ciponeor.us
deilonei.biz
deilonei.info
deilonei.org
deilonei.us
delovyto.biz
delovyto.info
delovyto.org
delovyto.us
diopoesl.us
diposero.biz
eniroikj.biz
eniroikj.info
eniroikj.org
eniroikj.us
feocipor.biz
feocipor.info
feocipor.org
feocipor.us
foleiord.biz
foleiord.info
foleiord.org
foleiord.us
foliadoe.biz
foliadoe.info
foliadoe.org
foliadoe.us
foprtise.biz
foprtise.info
foprtise.org
foprtise.us
gelaiork.biz
gelaiork.info
gelaiork.org
gelaiork.us
gipoeror.biz
gipoeror.info
gipoeror.org
golerods.biz
golerods.info
golerods.org
golerods.us
imanielo.biz
imanielo.info
imanielo.net
imanielo.us
mokioers.org
nimolpeo.biz
nimolpeo.info
nimolpeo.org
nimolpeo.us
niuritos.biz
niuritos.info
niuritos.org
niuritos.us
okoreiki.biz
okoreiki.info
okoreiki.net
okoreiki.us
openirod.biz
openirod.info
openirod.org
openirod.us
reoiklri.biz
reoiklri.info
reoiklri.org
reoiklri.us
tolikord.biz
tolikord.info
tolikord.org
tolikord.us
viloeirp.biz
viloeirp.org
vilosprs.biz
vilosprs.info
vilosprs.org
vilosprs.us
vokoralr.biz
vokoralr.info
vokoralr.org
vokoralr.us



Wednesday, 14 August 2013

ADP spam / hubbywifeburgers.com

This fake ADP spam leads to malware on hubbywifeburgers.com:

Date:      Wed, 14 Aug 2013 08:58:12 -0700 [11:58:12 EDT]
From:      "ADPClientServices@adp.com" [service@citibank.com]
Subject:      ADP Security Management Update

ADP Security Management Update

Reference ID: 39866

Dear ADP Client August 2013

This message is to inform you of the upcoming �Phase 2� enhancement to ADP Security Management (formally ADP Netsecure). This is where you manage your users� access to ADP�s Internet services, and includes the self-service registration process.

Effective August 15th, ADP Security Management will reflect a new user interface. This will include tasks such as Account Maintenance, User Maintenance, and Company Maintenance within Security Management.

Please review the following information:

� Click here to view more details of the enhancements in Phase 2

� Complete the What�s New in Security Management Service here (Expected to take about 15 minutes)

� View the Supported Browsers and Operating Systems, listed here. These are updated to reflect more current versions to ensure proper presentation of the updated user interface. It is important to note that the new ADP Security Management is best accessed using Microsoft Internet Explorer Version 8 or Mozilla Firefox Version 3.6, at minimum.

This email was sent to active users in your company that access ADP Netsecure with a security role of �security master� or �security admin�. You may have other users that also access ADP Netsecure with other security roles. Please inform those users of these enhancements, noting that the above resources will have some functionality that does not apply to their role.

As always, thank you for choosing ADP as your business partner! If you have any questions, please contact your ADP Technical Support organization.

Ref: 0725 MSAMALONIS1@TWNSHP

[This message and any attachments are intended only for the use of the addressee and may contain information that is privileged and confidential. If the reader of the message is not the intended recipient or an authorized representative of the intended recipient, you are hereby notified that any dissemination of this communication is strictly prohibited. If you have received this communication in error, notify the sender immediately by return email and delete the message and any attachments from your system.]


Cherry Hill Township provides a secure environment for all information concerning our residents and all other business concerns. The information contained in this email is intended only for the individual(s) addressed in the message and may contain privileged and/or confidential information that is exempt from disclosure under applicable law.

Cherry Hill Township provides a secure environment for all information concerning our residents and all other business concerns. The information contained in this email is intended only for the individual(s) addressed in this message and may contain privileged and/or confidential information that is exempt from disclosure under applicable law.


Yeah.. click the link. What could possibly go wrong? Well, first you go to a legitimate hacked site that tried to load one of the following three scripts:

[donotclick]e-equus.kei.pl/perusing/cassie.js
[donotclick]cncnc.biz/pothooks/addict.js
[donotclick]khalidkala.com/immigration/unkind.js

From there, the victim is sent to a malware site that uses a hijacked GoDaddy domain at [donotclick]hubbywifeburgers.com/topic/nearby-promptly.php hosted on 199.195.116.51 (A2 Hosting, US - report here). This IP probably contains other hijacked domains from the same owner.

Recommended blocklist:
199.195.116.51
hubbywifeburgers.com
e-equus.kei.pl
cncnc.biz
khalidkala.com

Gmail Compose.. another app screwed up by Google

If you use Gmail then you've probably seen the "new compose" experience before. And turned it off. Well, Google never listed to feedback now Gmail joins a long list of applications that Google have screwed up, including Blogger, Google Play Music, Google Maps for Android and don't get me started on Google Reader and iGoogle.


The new compose experience attempts to be minimalist, but in reality it's either too small, or too big. If you are reply to a message then you get a tiny box at the bottom of the screen, a long way from the top of the email you are trying to reply to. And all the usual buttons have been hidden away because.. well, goodness only knows. It's a mess.

With these latest bodged updates, I really think that Google is jumping the shark and changing applications for no good reason at all. Android in particular is becoming a disaster area with important apps being screwed up completely. Perhaps it's time to buy a Lumia?

Tuesday, 13 August 2013

Bank of American spam / Instructions Secured E-mail.zip

This fake Bank of American spam has a malicious attachment:

Date:      Tue, 13 Aug 2013 09:35:13 -0500 [10:35:13 EDT]
From:      "Alphonso.Wilcox" [Alphonso.Wilcox@bankofamerica.com]
Subject:      Instructions Secured E-mail.pdf

I will be forwarding the application through a secure e-mail. Attached are instructions for you to create a password to open the secure e-mails from us. Just a bit of security for when we transmit confidential information.

Thanks,

Amado.Underwood
Bank of America
Principal Business Relationship Manager
Direct - 915-045-4237 office
Cell - 915-070-4128 cell
Amado.Underwood@bankofamerica.com

This message may contain confidential and/or privileged information. If you are not the addressee or authorized to receive this for the addressee, you must not use, copy, disclose, or take any action based on this message or any information herein. If you have received this message in error, please advise the sender immediately by reply e-mail and delete this message. Thank you for your cooperation. 
Attached to the message is a file Instructions Secured E-mail.zip which contains an executable file Instructions Secured E-mail.exe with an icon to make it look like a PDF file.

The detection rate for this initial malware is just 9/45 at VirusTotal.

This is a pony/gate downloader [1] which attempts to download from [donotclick]guterprotectionperfection.com/ponyb/gate.php on 192.81.135.132 (Linode, US). This is the same IP as used in this attack, and it also utilises a hijacked GoDaddy domain.

The download then attempts to download a second stage from the from the following locations [2] (as well as installing all sorts of hooks into your system):
[donotclick]Missionsearchjobs.com/D5F7G.exe
[donotclick]betterbacksystems.com/kvq.exe
[donotclick]www.printdirectadvertising.com/vfMJH.exe
[donotclick]S381195155.onlinehome.us/vmkCQg8N.exe

The second stage has an even lower detection rate of just 3/45. The analyses by Comodo CAMAS and Malwr do give some detail as to how this part infects the target system.

Recommended blocklist:
192.81.135.132
guterprotectionperfection.com
Missionsearchjobs.com
betterbacksystems.com
www.printdirectadvertising.com
S381195155.onlinehome.us