Sponsored by..

Friday, 25 October 2013

"You have received a new debit" Lloyds TSB spam

This fake Lloyds TSB message has a malicious attachment:

Date:      Fri, 25 Oct 2013 13:55:41 +0200 [07:55:41 EDT]
From:      LloydsTSB [noreply@lloydstsb.co.uk]
Subject:      You have received a new debit
Priority:      High Priority 1 (High)

This is an automatically generated email by the Lloyds TSB PLC LloydsLink online payments Service.

The details of the payment are attached.

============================================================================
This e-mail (including any attachments) is private and confidential and may contain privileged material. If you have received this e-mail in error, please notify the sender and delete it (including any attachments) immediately. You must not copy, distribute, disclose or use any of the information in it or any attachments.
Attached is a zip file in the format Report_recipientname.zip which in turn contains a malicious executable Report_10252013.exe (note the date is encoded into the filename). The file has an icon to make it look like a PDF file, but it isn't.

The VirusTotal detection rate is a so-so 13/47. Automated analysis [1] [2] shows an attempted connection to www.baufie.com on 173.203.199.241 (Rackspace, US). Often these callbacks indicate a completely compromised server, so it may be possible that there are other sites being abused on the same box.


Malware sites to block 25/10/2013

This list replaces this one, and mostly contains domains and IPs connected with this gang. The list starts with IPs and web hosts, followed by plain IPs and domains for copy-and-pasting.

5.175.171.89 (GHOSTnet, Germany)
5.231.40.197 (GHOSTnet, Germany)
5.231.47.92 (GHOSTnet, Germany)
31.210.112.28 (Veri Merkezi Hizmetleri, Turkey)
42.121.84.12 (Aliyun Computing Co, China)
60.199.253.165 (Taiwan Fixed Network Co, Taiwan)
63.251.135.19 (Internap, US)
78.100.140.171 (Qatar Telecom, Qatar)
81.91.159.212 (Datak Internet Engineering, Iran)
103.28.255.207 (Ani Network Pvt Ltd, India)
112.124.27.158 (Alibaba Advertising Co, China)
146.185.147.26 (Digital Ocean, Netherlands)
161.24.16.127 (Centro Tecnico Aeroespacial, Brazil)
181.41.200.191 (Host1plus Brazil, Brazil)
186.3.101.235 (Clientes Quito, Ecuador)
186.151.240.197 (Municipalidad De Zaragoza, Guatemala)
186.251.180.205 (Infotech Informatica e Assistencia Tecnica Ltda, Brazil)
189.1.169.28 (Maxihost Hospedagem de Sites Ltda, Brazil)
196.40.9.113 (Terminales Santamaria, Costa Rica)
211.71.99.66 (Beijing Institute of Clothing Technology, China)
223.30.27.251 (Sify Limited, India)

5.175.171.89
5.231.40.197
5.231.47.92
31.210.112.28
42.121.84.12
60.199.253.165
63.251.135.19
78.100.140.171
81.91.159.212
103.28.255.207
112.124.27.158
146.185.147.26
161.24.16.127
181.41.200.191
186.3.101.235
186.151.240.197
186.251.180.205
189.1.169.28
196.40.9.113
211.71.99.66
223.30.27.251
acondorwoonkary120.com
avasdayspa.net
blackbox-e.net
bonds.su
carefordying.net
carrykeyboard.net
ceravdilicheskinevoz76.net
consumersshow.net
cormushkaneplohatak300.com
cronshtainymorenah55.net
derivatiexchange.com
dotier.net
dropdistri-butions.net
dulethcentury.net
ermeentroper110.com
ermirovaniedoom153.com
ermirovanievood152.com
ermxxrtroper210.com
eventlogselfn.net
excelledblast.net
foi.su
gormonnsnter105.net
gromydoonye250.com
groove.su
gumatexx.net
hdmltextvoice.net
idersnonvirus.com
introlinkage.com
introlinkage.su
jurassic-spa.net
kotzebuepolice.net
leedsprobate.net
lyvegetarians.net
mesmultimedia.com
milkdriver.com
mymulejams.net
nacase.net
ny-headsets.org
ordersdeluxe.com
pro-senioren.net
rojecttalkway.com
sandlord.com
stabilitymess.net
thetokion.com
uprisingquicks.net
zigbeejournal.net



Thursday, 24 October 2013

"My resume" spam / Resume_LinkedIn.exe

This rather terse spam email message has a malicious attachment:

Date:      Thu, 24 Oct 2013 15:45:37 +0200 [09:45:37 EDT]
From:      Elijah Parr [Elijah.Parr@linkedin.com]
Subject:      My resume

Attached is my resume, let me know if its ok.

Thanks,
Elijah Parr

------------------------

Date:      Thu, 24 Oct 2013 19:14:37 +0530 [09:44:37 EDT]
From:      Greg Barnes [Greg.Barnes@linkedin.com]
Subject:      My resume

Attached is my resume, let me know if its ok.

Thanks,
Greg Barnes 
The attachment is Resume_LinkedIn.zip which in turn contains a malicious executable Resume_LinkedIn.exe with an icon to make it look like a Word Document rather than an executable.

VirusTotal is timing out at the moment, but earlier only one AV engine detected it (Norman). Automated analysis tools [1] [2] show an attempted connection to homevisitor.co.uk on 64.50.166.122 (Lunarpages, US). This server was distributing malware last month too, so we must assume that it is compromised. Blocking that IP address would probably be a good idea as there are several other compromised domains on that same server [1] [2].

Wednesday, 23 October 2013

"Voice Message from Unknown" spam / VoiceMessage.exe

These bogus voice message spams have a malicious attachment:

Date:      Wed, 23 Oct 2013 19:17:42 +0530 [09:47:42 EDT]
From:      Administrator [voice8@victimdomain]
Subject:      Voice Message from Unknown (553-843-8846)

- - -Original Message- - -

From: 553-843-8846
Sent: Wed, 23 Oct 2013 19:17:42 +0530
To: [recipient list at victimdomain]
Subject: Important: to all Employee



Date:      Wed, 23 Oct 2013 08:36:24 -0500 [09:36:24 EDT]
From:      Administrator [voice3@victimdomain]
Subject:      Voice Message from Unknown (586-898-9333)

- - -Original Message- - -

From: 586-898-9333
Sent: Wed, 23 Oct 2013 08:36:24 -0500
To: [recipient list at victimdomain]
Subject:  Employees Only 



Date:      Wed, 23 Oct 2013 16:40:22 +0300 [09:40:22 EDT]
From:      Administrator [voice2@victimdomain]
Subject:      Voice Message from Unknown (998-948-7548)

- - -Original Message- - -

From: 998-948-7548
Sent: Wed, 23 Oct 2013 16:40:22 +0300
To: [recipient list at victimdomain]
Subject:  Employees Only

In each case there is an attachment VoiceMessage.zip which in turn contains an executable VoiceMessage.exe with an icon to make it look like an audio file.

Obviously this is malicious, and the detection rate at VirusTotal is a pretty poor 5/46. Automated analysis [1] [2] shows an attempted connection to glyphs-design.com on 212.199.115.173 (012 Smile Communications Ltd, Israel). Blocking that domain is probably prudent, however there are several hundred legitimate domains on the same server, so bear that in mind if you choose to block it.

Added:
The mail goes as far to include fake mail headers to suggest that the spam comes from inside the victim's network (when it does not). For example..
from unknown (192.168.1.88) by filter8.******** with QMQP; 23 Oct 2013 13:47:40 -0000
from unknown (HELO aexp.com) (203.193.165.78) by mxin1.******** with SMTP; 23 Oct 2013 13:48:41 -0000
from voice903.******** (10.0.0.168) by ******** (10.0.0.109) with Microsoft SMTP Server (TLS) id FUOMD6AZ; Wed, 23 Oct 2013 19:17:42 +0530
from voice5005.******** (10.179.13.59) by smtp.******** (10.0.0.34) with Microsoft SMTP Server id YEP40NNY; Wed, 23 Oct 2013 19:17:42 +0530

Tuesday, 22 October 2013

ADP spam / abrakandabr.ru

This fake ADP spam leads to malware on abrakandabr.ru:

From:     ClientService@adp.com [ClientService@adp.com]
Date:     22 October 2013 18:04
Subject:     ADP RUN: Account Charge Alert

ADP Urgent Communication

Note ID: 33400

October, 22 2013
Valued ADP Partner

Account operator with ID 58941 Refused Yesterday Payroll Operation from your ADP account recently. Report(s) have been uploaded to the website:

Sign In here

Please see the following notes:

• Please note that your bank account will be debited within 1 banking day for the total shown on the Summary(s).

•  Please don't try to reply to this message. auto informer system can't accept incoming email. Please Contact your ADP Benefits Specialist.

This notification was sent to current clients in your system that approach ADP Netsecure.

As always, thank you for choosing ADP as your business partner!

Note ID: 33400 



The link goes through a legitimate hacked site and then onto a malware landing page at [donotclick]abrakandabr.ru:8080/adp.report.php (if running Windows, else they get sent to adp.com). This is hosted on quite a lot of IP addresses:

69.46.253.241 (RapidDSL & Wireless, US)
91.205.17.80 (TOV Adamant-Bild, Ukraine)
111.68.229.205 (NTT Communications, Japan)
114.32.54.164 (Chunghwa Telecom, Taiwan)
118.163.216.107 (Chunghwa Telecom, Taiwan)
163.18.62.51 (TANET, Taiwan)
202.6.120.103 (TSKL, Kiribati)
203.80.16.81 (MYREN, Malaysia)
203.114.112.156(PhetchaboonHospital, Thailand)
210.56.23.100 (Commission For Science And Technology, Pakistan)
210.166.209.15 (Prox Communicator, Japan)
212.154.192.122 (Hoster.KZ, Kazakhstan)
213.214.74.5 (BBC Cable, Bulgaria)

As mentioned before, this is either the return of the infamous RU:8080 gang, or it is somebody pretending to be the gang. But one rather peculiar factor is that in this case the bad guys only seem to have a small pool of servers that have been compromised for some time, and don't seem to have added any news ones.

Recommended blocklist:
69.46.253.241
91.205.17.80
111.68.229.205
114.32.54.164
118.163.216.107
163.18.62.51
202.6.120.103
203.80.16.81
203.114.112.156
210.56.23.100
210.166.209.15
212.154.192.122
213.214.74.5
abrakandabr.ru
dynamooblog.ru
inkrediblehalk.ru
intro2seo.ru
hankoksuper.ru


Monday, 21 October 2013

"Last Month Remit" spam / Remit_10212013.exe

This bogus remittance spam comes a malicious attachment:

Date:      Mon, 21 Oct 2013 15:08:15 +0100 [10:08:15 EDT]
From:      Administrator [docs9@victimdomain]
Subject:      FW: Last Month Remit

File Validity: 21/10/2013
Company : http://[victimdomain]
File Format: Office - Excel
Internal Name: Remit File
Legal Copyright: ╘ Microsoft Corporation. All rights reserved.
Original Filename: Last month remit file.xls

********** Confidentiality Notice **********.
This e-mail and any file(s) transmitted with it, is intended for the exclusive use by the person(s) mentioned above as recipient(s).
This e-mail may contain confidential information and/or information protected by intellectual property rights or other rights. If you
are not the intended recipient of this e-mail, you are hereby notified that any dissemination, distribution, copying, or action taken
in relation to the contents of and attachments to this e-mail is strictly prohibited and may be unlawful. If you have received this
e-mail in error, please notify the sender and delete the original and any copies of this e-mail and any printouts immediately from
your system and destroy all copies of it.

The email appears to originate from the victim's own domain, and mentions that domain in the body of the text. The attachment also contains the victims domain in the format Remit_domain.tld.zip  which in turn contains a malicious executable with an icon designed to look like a Microsoft Excel file, in this case it is called Remit_10212013.exe but note that the date is encoded into the filename.

The malicious payload has a very low detection rate at VirusTotal of just 2/47. Automated analysis tools [1] [2] [3] show an attempted connection to p3-sports.com on 192.232.198.101 (Websitewelcome, US). There may be other infected domains on the same IP if previous patterns are repeated. Also, the malware appears to try to connect to the following IPs demonstrating a peer-to-peer capability.



Friday, 18 October 2013

Malware sites to block 18/10/2013

These IPs and domains are associated with this spam run. Some of these servers have been compromised for some time by the looks of things. There's a plain list for copy-and-pasting at the end.

12.46.52.147 (Compact Information Systems / AT&T, US)
41.203.18.120 (Hetzner, South Africa)
62.75.246.191 (Intergenia, Germany)
62.76.42.58 (Clodo-Cloud / IT House, Russia)
69.46.253.241 (RapidDSL & Wireless, US)
70.159.17.146 (F G Wilson / AT&T , US)
91.205.17.80 (TOV Adamant-Bild, Ukraine)
94.102.14.239 (Netinternet , Turkey)
111.68.229.205 (NTT Communications, Japan)
114.32.54.164 (Chunghwa Telecom, Taiwan)
118.163.216.107 (Chunghwa Telecom, Taiwan)
140.174.98.150 (NTT America, US)
163.18.62.51 (TANET, Taiwan)
182.237.17.180 (Uclix, India)
201.151.0.164 (Alestra, Mexico)
202.6.120.103 (TSKL, Kiribati)
203.80.16.81 (MYREN, Malaysia)
203.114.112.156 (PhetchaboonHospital, Thailand)
210.56.23.100 (Commission For Science And Technology, Pakistan)
210.166.209.15 (Prox Communicator, Japan)
212.154.192.122 (Hoster.KZ, Kazakhstan)
213.5.182.144 (RackSRV Communications, UK)
213.143.121.133 (Wien Energie, Austria)
213.214.74.5 (BBC Cable, Bulgaria)

12.46.52.147
41.203.18.120
62.75.246.191
62.76.42.58
69.46.253.241
70.159.17.146
91.205.17.80
94.102.14.239
111.68.229.205
114.32.54.164
118.163.216.107
140.174.98.150
163.18.62.51
182.237.17.180
201.151.0.164
202.6.120.103
203.80.16.81
203.114.112.156
210.56.23.100
210.166.209.15
212.154.192.122
213.5.182.144
213.143.121.133
213.214.74.5
alenikaofsa.ru
alionadorip.ru
dynamooblog.ru
inkrediblehalk.ru
intro2seo.ru

Added:
hankoksuper.ru is now active on those same IPs.

Dropbox spam leads to malware on.. errr.. dynamooblog.ru

Two days ago I wrote about the apparent return of the RU:8080.. well it appears that in order to celebrate their return, they've acknowledged my acknowledgement in the form of a malware landing page of dynamooblog.ru.

Well... hi guys. Things have been a bit quieter without you. Anyway, this is the latest spam email purportedly from Dropbox, and using the same template as used in this ThreeScripts spam run.


Date:      Fri, 18 Oct 2013 16:00:54 -0500 [17:00:54 EDT]
From:      Dropbox [no-reply@dropboxmail.com]
Subject:      Please update your Expired Dropbox Password
Priority:      High Priority 1

Hello [redacted].

We have a warning in our system that you recently tried to login in to Dropbox with a password that you haven't changed long time already. Your old password has expired and you'll need to create a new one to log in.

Please visit the page to update your password

Set New Password

Enjoy!
- The Dropbox Team    
    © 2013 Dropbox


The attack and payload is exactly the same as this one, and the executable is unchanged but now has a better VirusTotal detection rate of 29/48. The domain dynamooblog.ru was registered yesterday to the infamous Russian "Private Person" and is hosted on a lot of IPs that have been serving up Zbot for some time.

I'll have a closer poke at this network in a moment, but in the meantime this is my recommended blocklist:
dynamooblog.ru
12.46.52.147
41.203.18.120
62.76.42.58
69.46.253.241
70.159.17.146
91.205.17.80
94.102.14.239
111.68.229.205
114.32.54.164
118.163.216.107
140.174.98.150
163.18.62.51
182.237.17.180
202.6.120.103
203.80.16.81
203.114.112.156
210.56.23.100
210.166.209.15
212.154.192.122
213.5.182.144
213.143.121.133
213.214.74.5


Avaya "Voice Mail Message" spam with a malicious payload

This fake voice mail message appears to originate from within the victim's own domain (although that is just a forgery):

Date:      Fri, 18 Oct 2013 09:19:42 -0600 [11:19:42 EDT]
From:      Voice Mail Message [1c095eb9-fa18-74e5-b@victimdomain.com]
Subject:      Voice Mail Message ( 45 seconds )

This voice message was created by Avaya Modular Messaging. To listen to this voice
message,just open it.

Attached is a file VoiceATT0685424.zip which in turn contains a malicious executable VoiceMessageTT.exe with an icon to make it look like an audio file. This trick can work if users have decided to hide the extensions of files in Windows, a stupid default setting that has no doubt infected millions of Windows users over the years.

Of course, the .exe file is malware with a pretty low detection rate of just 3/48 at VirusTotal. Automated analysis [1] [2] [3] shows a connection to a domain called adamdevarney.com on 209.236.71.58 (Westhost, US) which has been seen twice before. This means that there are potentially hundreds of compromised domains on the same server, blocking traffic to the IP address will be the most effective way of giving yourself some protection.

"Microsoft Windows Update" phish

A random and untargeted attempt at phishing with a Windows Update twist.

From:     Microsoft Office [accounts-updates@microsoft.com]
Date:     17 October 2013 02:54
Subject:     Microsoft Windows Update

Dear Customer,

Evaluation period has expired. For information on how to upgrade your windows software please Upgrade Here.

Thank you,

Copyright © 2013 Microsoft Inc. All rights reserved.
The email originates from 66.160.250.236 [mail.andrustrucking.com] which is a trucking company called Doug Andrus Distributing.. so perhaps Microsoft are farming out the updates to a random Idaho company. Or perhaps they have had their email system compromised (maybe by someone using the same phishing technique).

Anyway, the link in the email goes to a legitimate but hacked site and then lands on a phishing page hosted on [donotclick]www.cycook.com/zboard//microsoft-update/index.php.htm. Despite the email saying "Windows Update", the landing page has had Office branding crudely pasted into it.


Entering your credentials simply takes you to a genuine Microsoft page:

Phishing isn't restricted to stuff like bank accounts, the spammers also like a fresh supply of email accounts to abuse, so as ever.. exercise caution.

Thursday, 17 October 2013

"Scan from a Xerox WorkCentre" spam / A136_Incoming_Money_Transfer_Form.exe

The malware spammers are suffering from a chronic lack of imagination with this familiar fake printer spam:

Date:      Thu, 17 Oct 2013 13:01:52 -0600 [15:01:52 EDT]
From:      Incoming Fax [Incoming.Fax3@victimdomain.com]
Subject:      Scan from a Xerox WorkCentre

Please download the document.  It was scanned and sent to you using a Xerox multifunction device.

File Type: pdf
Download: Scanned from a Xerox multi~9.pdf

multifunction device Location: machine location not set
Device Name: Xerox1552


For more information on Xerox products and solutions, please visit http://www.xerox.com
Attached is an executable file Scanned from a Xerox multi~6.zip which in turn contains a file A136_Incoming_Money_Transfer_Form.exe which has a VirusTotal detection rate of 6/48.

Automated analysis [1] [2] [3] shows a connection to cushinc.com on 209.236.71.58 (Westhost, US). This is the same server as seen yesterday, so  my best guess is that the server is compromised and potentially all the 600+ domains on it are too. Blocking that IP address may be prudent.

Wednesday, 16 October 2013

"Atlantics Post LLC" fake job offer

A bit of Money Mule recruiting that isn't really trying very hard..
Date:      Wed, 16 Oct 2013 14:54:34 -0300 [13:54:34 EDT]
From:      Atlantics Post [misstates7@compufort.com]
Subject:      Career with Atlantics Post LLC

Atlantics Post LLC is now hiring for a Shipping Clerk. If You are young, enthusiastic person. Looking for a great job opportunity with a stable in come this job is for you.

Duties:
Receive packages at workplace (out of home possition);
Transfer the packages to our business partners nationwide;
Keeping accurate records of operations and report them

Requirements:
- Thorough knowledge of quality improvement techniques and experience with process and service delivery improvement.
- Strong ability to analyze, organize and simplify complex processes and data.
- Exceptional attention to detail.
- Considerable experience with data reporting systems.
- Leisure business experience an asset.
- Flexible, adaptable to change, and resourceful in the face of shifting priorities and demands.

WHAT'S NEXT?
If you have any questions, you can call our toll-free number 866-652-8106.
If you are interested in this opportunity, please submit your resume by e-mail JoyDugganagg@yahoo.com or fax (904-212-0897).

Originating IP is 181.165.70.97 in Argentina. Avoid.

LinkedIn spam / Contract_Agreement_whatever.zip

This fake LinkedIn spam has a malicious attachment:

Date:      Wed, 16 Oct 2013 11:57:55 -0600 [13:57:55 EDT]
From:      Shelby Gordon [Shelby@linkedin.com]

Attached is your new contract agreements.

Please read the notes attached, then complete, sign and return this form.

Shelby Gordon
Contract Manager
Online Division - LinkedIn
Shelby.Gordon@linkedin.com
Office: 302-449-8859 Ext. 33
Direct: 302-184-9426

This email was intended for dynamoo@spamcop.net.
© 2013, LinkedIn Corporation. 2029 Stierlin Ct. Mountain View, CA 94043, USA 

The attachment has the format Contract_Agreement_recipientname.zip and in turn contains a malicious executable Contract_Agreement_10162013.exe (note the date encoded into the filename). VirusTotal detections are 10/48.

Automated analysis tools [1] [2] [3] show an attempted connection to miamelectric.com on 209.236.71.58 (Westhost, US). I recommend that you block outbound traffic to that particular domain.

Pinterest spam, alenikaofsa.ru and the return of the RU:8080 gang?

This fake Pinterest spam leads to a malicious download on alenikaofsa.ru:

Date:      Wed, 16 Oct 2013 12:03:11 -0300 [11:03:11 EDT]
From:      Pinterest [pinbot@pinterest.biz]
Subject:      Your Facebook friend Andrew Hernandez joined Pinterest

A Few Updates...
[redacted]
   
Andrew Hernandez    

Your Facebook friend Andrew Hernandez just joined Pinterest. Help welcome Carol to the community!
   
Visit Profile
       
Happy pinning!

©2013 Pinterest, Inc. | All Rights Reserved
Privacy Policy | Terms and Conditions
Andrew is a pretty feminine looking bloke. The link in the email goes through a legitimate hacked site and then ends up on a fake browser download page (report here) that attempts to download [donotclick]alenikaofsa.ru:8080/ieupdate.exe  which has a VirusTotal detection rate of just 1/48 (only Kaspersky detects it.. again).

The ThreatTrack report [pdf] looks like peer-to-peer Zeus to be, the Malwr report and Comodo CAMAS report also give some insight.

alenikaofsa.ru is registered to the infamous Russian "private person" and is hosted on the following IPs:
62.75.246.191 (Intergenia AG, Germany)
69.46.253.241 (RapidDSL & Wireless, US)
The domain alionadorip.ru is also hosted on these IPs.

What's interesting is that 69.46.253.241 was seen here months ago, which makes this look like the unwelcome return of the RU:8080 gang after a long absence.

Recommended blocklist:
62.75.246.191
69.46.253.241
alenikaofsa.ru
alionadorip.ru

Footnote:
The malware page uses a similar script to that used here although with the rather cheeky comment

// It's "cool" to let user wait 2 more seconds :/



Tuesday, 15 October 2013

"Payroll Received by Intuit" spam / payroll_report_147310431_10112013.zip

This fake Intuit spam comes with a malicious attachment:

Date:      Tue, 15 Oct 2013 16:20:40 +0000 [12:20:40 EDT]
From:      Intuit Payroll Services IntuitPayrollServices@payrollservices.intuit.com]
Subject:      Payroll Received by Intuit

Dear, [redacted]
We received your payroll on October 11, 2013 at 4:41 PM .

Attached is a copy of your Remittance. Please click on the attachment in order to view it.

Please note the deadlines and status instructions below: If your payroll is received
BEFORE 5 p.m., your Direct Deposit employees will be paid two (2) banking days from the
date received or on your paycheck date, whichever is later.  If your payroll is received
AFTER 5 p.m., your employees will be paid three (3) banking days from the date received
or on your paycheck date, whichever is later.  YOUR BANK ACCOUNT WILL BE DEBITED THE DAY
BEFORE YOUR CHECKDATE. Funds are typically withdrawn before normal banking hours so
please make sure you have sufficient funds available by 12 a.m. on the date funds are to
be withdrawn. Intuit must receive your payroll by 5 p.m., two banking days before your
paycheck date or your employees will not be paid on time.  Intuit does not process
payrolls on weekends or federal banking holidays. A list of federal banking holidays can
be viewed at the Federal Reserve website. Thank you for your business.

Sincerely, Intuit Payroll Services

IMPORTANT NOTICE: This notification is being sent to inform you of a critical matter
concerning your current service, software, or billing. Please note that if you previously
opted out of receiving marketing materials from Intuit, you may continue to receive
notifications similar to this communication that affect your service or software. If you
have any questions or comments about this email, please DO NOT REPLY to this email. If
you need additional information please contact us.

If you receive an email message that appears to come from Intuit but that you suspect is
a phishing email, please forward it to immediately to spoof@intuit.com. © 2013 Intuit
Inc. All rights reserved. Intuit and the Intuit Logo are registered trademarks and/or
registered service marks of Intuit Inc. in the United States and other countries. All
other marks are the property of their respective owners, should be treated as such, and
may be registered in various jurisdictions.

Intuit Inc. Customer Communications
2800 E. Commerce Center Place, Tucson, AZ 85706 
The attachment is payroll_report_147310431_10112013.zip which in turn contains payroll_report_10112013.exe (note the date is encoded into those files).

That executable currently has a detection rate of 9/46 at VirusTotal. Automated analysis [1] [2] [3] shows that it attempt to make a connection to mtfsl.com on 184.22.215.50 (Network Operations Center, US). Blocking those temporarily may give some protection against any additional threats using that server.

USPS spam / Label_ZFRLOADD5PGGZ0Z_USPS.zip

This fake USPS spam has a malicious attachment:

Date:      Tue, 15 Oct 2013 09:36:02 -0500 [10:36:02 EDT]
From:      USPS Express Services [service-notification@usps.com]
Subject:      USPS - Missed package delivery

Notification

Our company's courier couldn't make the delivery of package.

REASON: Postal code contains an error.
DELIVERY STATUS: Sort Order
SERVICE: One-day Shipping
NUMBER OF YOUR PARCEL: USPSZFRLOADD5PGGZ0Z
FEATURES: No

Label is enclosed to the letter.
Print a label and show it at your post office.

An additional information:

You can find the information about the procedure and conditions of parcels keeping in the nearest office.

Thank you for using our services.
USPS Global.

*** This is an automatically generated email, please do not reply ***

CONFIDENTIALITY NOTICE:
This electronic mail transmission and any attached files contain information intended for the exclusive use of the individual or entity to whom it is addressed and may contain information belonging to the sender (USPS , Inc.) that is proprietary, privileged, confidential and/or protected from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any viewing, copying, disclosure or distributions of this electronic message are violations of federal law. Please notify the sender of any unintended recipients and delete the original message without making any copies.  Thank You 
There is an attachment Label_ZFRLOADD5PGGZ0Z_USPS.zip which contains a malicious executable Label_101513_USPS.exe (note the date encoded into the filename).

VirusTotal shows just 4/46 vendors detect it at present. Automated analysis [1] [2] [3] shows an attempted communication with traderstruthrevealed.com on 103.8.27.82 (SKSA Technology, Malaysia).

There is also another email using this format with the same payload.

Recommended blocklist:
103.8.27.82
traderstruthrevealed.com

Monday, 14 October 2013

Malware sites to block 14/10/2013

It's been a while since I trawled around the activities of the "Amerika" gang, but here is a new set of malicious domains and IPs to block, replacing this list.

24.111.103.183 (Midcontinent Media, US)
42.121.84.12 (Aliyun Computing Co, China)
59.99.226.17 (BB-Multiplay, India)
60.199.253.165 (Taiwan Fixed Network Co, Taiwan)
62.141.46.8 (fast IT, Germany)
65.189.35.129 (Time Warner Cable, US)
67.207.155.24 (Rackspace, US)
69.163.40.39 (DirectSpace LLC, US)
71.91.8.200 (Charter Communications , US)
78.100.140.171 (Qatar Telecom, Qatar)
81.91.159.212 (Datak Internet Engineering, Iran)
103.28.255.207 (Ani Network Pvt Ltd, India)
108.206.235.75 (AT&T, US)
109.71.136.140 (OpWan, France)
112.124.27.158 (Alibaba Advertising Co, China)
125.20.14.222 (Price Water House Cooperation, India)
146.185.147.26 (Digital Ocean, Netherlands)
165.132.27.59 (Yonsei, Korea)
176.56.228.134 (Routelabel / WeservIT, Netherlands)
186.3.101.235 (Clientes Quito, Ecuador)
186.151.240.197 (Municipalidad De Zaragoza, Guatemala)
186.251.180.205 (Infotech Informatica e Assistencia Tecnica Ltda, Brazil)
195.225.58.43 (C&A Connect SRL, Romania)
198.71.82.48 (Enzu Inc, US)
208.115.114.69 (Wowrack, US)
211.71.99.66 (Beijing Institute of Clothing Technology, China)
222.127.21.35 (Network IP, Philippines)
223.30.27.251 (Sify Limited, India)

24.111.103.183
42.121.84.12
59.99.226.17
60.199.253.165
62.141.46.8
65.189.35.129
67.207.155.24
69.163.40.39
71.91.8.200
78.100.140.171
81.91.159.212
103.28.255.207
108.206.235.75
109.71.136.140
112.124.27.158
125.20.14.222
146.185.147.26
165.132.27.59
176.56.228.134
186.3.101.235
186.151.240.197
186.251.180.205
195.225.58.43
198.71.82.48
208.115.114.69
211.71.99.66
222.127.21.35
223.30.27.251
acomboramboarmiab722.net
acormushkivsenamizv992.net
altertraveldream.com
ampala.net
attitude.su
autodlakobiety.net
avasdayspa.net
beo.su
bnamecorni.com
catdigest.net
cormoviedobavkikemm200.com
cormoviedobavkitenn100.com
cremoviedobavkimoj53.net
cronshtainymorenah55.net
crovlianemoyaahule52.net
diggingentert.com
dotier.net
dropdistri-butions.net
dulethcentury.net
eeemoskoymany560.com
ejanormalteene250.com
enanisgotttornee564.com
ermirovaniedoom153.com
ermirovanienony151.com
ermirovanievood152.com
excelledblast.net
fertsonline.net
gjoonalitikeer310.com
glums.net
gormonigraetnapovalahule26.net
grndstyle.ru
groove.su
hdmltextvoice.net
idersnonvirus.com
instotsvin.ru
introlinkage.com
lodanart.net
micnetwork100.com
mobile-unlocked.net
mymulejams.net
nokiasharethelove.net
nvufvwieg.com
ollerblogging.net
ordersdeluxe.com
primthaispa.net
pro-senioren.net
rentimpress.com
robberypolice.net
rojecttalkway.com
rolotto.net
scoutmoor.net
securesmartconnect.net
servidorestable.net
simplesso.com
skather.net
smartsecureconnect.net
smdserver.net
spottingculde.com
streetgreenlj.com
timelessmusicstore.com
tonalfreeworld.net
tor-connect-secure.com
tumble.su
u-janusa.net
uprisingquicks.net
vip-proxy-to-tor.com
whosedigitize.net
wingsawards.net
workathomeuk.net

Friday, 11 October 2013

Meet Muhammad Ali Hassan, spammer

This idiot is attempting to get a job by randomly sending out spam.

From:     Muhammad Ali Hassan [sumtech12@emirates.net.ae]
Reply-To:     ALY.HASSAN.ZIA@gmail.com
Date:     11 October 2013 11:57
Subject:     Applying for the post of Chartered Accountant / Finance Manager /Financial Analytics & Auditor or any other suitable position as per my knowledge and experience.

Sub: Applying for the post of Chartered Accountant / Finance Manager /Financial Analytics & Auditor or any other suitable position as per my knowledge and experience.

Dear Sir/Madam.  

This is to introduce myself to you as a potential candidate for the job placement in Accounting, Finance and Audit at your organization. I am currently residing in UAE and seeking job placement in the GCC countries. I have taken the time to research your company and am very impressed. I would appreciate the opportunity of an interview.

I am Associate Chartered Accountant (ACA), Associate Public Finance Accountant (APFA) and CFA Level 1 Candidate. I am currently seeking job prospects that commensurate with my qualification and work experience. I am available in UAE during October and November 2013 and can be contacted for an interview in person. Otherwise, I can be reached for telephonic or video interview via contact details mentioned in my Résumé attached hereunder.

WORK  EXPERIENCE:

A. F. Ferguson & Co., Chartered Accountants (a member firm of PricewterhouseCoopers network) Karachi, Pakistan
Designation: Audit Assistant – December 2008 to February 2011
Designation: Audit Senior – March 2011 to May 2012
Designation: Tax Executive – June 2012 to Date.

BRIEF OVERVIEW OF RESPONSIBILITIES(DETAILS IN RESUME)

·         Effective planning and execution of audit engagements  and other assignments to ensure completion of the same within the prescribed deadlines;
·         assisting clients in the preparation and consolidation of financial statements in accordance with the applicable financial reporting framework;
·         assisting clients consolidation of financial statements of group companies;
dealing with IFRS/IAS and ISA issues in financial reporting and auditing
preparing final audit deliverables; the audit report, the covering letter to the Board of Directors, the Management Letter, Group Reporting Packs and Certificates;
·         identifying key risk areas by developing risk assessment procedures for critical business processes;
·         performing overall analytical review, testing internal controls and carrying out detailed testing of the significant areas of the Financial Statements:
·         reviewing internal control systems and identifying significant weaknesses and recommended improvements thereon; and
·         supervising, training and motivating multiple subordinate team members.

EDUCATIONAL QUALIFICATION:

    Associate Chartered Accountant (ACA) --- The Institute of Chartered Accountants of Pakistan – ICAP---2013
    Associate Public Finance Accountant (APFA)--- Pakistan Institute of Public Finance Accountants – PIPFA---2012
    CFA Level 1 Candidate ---CFA Institute USA


PROFESSIONAL SKILLS AND ABILITIES

·         Proficient user of PwC’s auditing  & documentation software including Aura, My Client, Smart Statements and Lotus Notes.
·         Completed 90-hour Course of Computer Practical Training (CCPT) recommended by ICAP.
·         Proficient in all applications of Microsoft Office
·         User-level knowledge of various accounting and ERP software including Tally, Peachtree, SAP, Oracle Financials, JD Edwards, Maximo etc
·         Strong analytical skills and in depth technical knowledge of all financial and non-financial information.
·         Have experience of business and audit risk assessment via variance analysis of budgets and other statistical techniques.
·         Have experience of co-ordination with professionals in fields like legal, actuarial, taxation and information technology.
·         Able to meet stringent deadlines and the supervision, training and motivation of team members.
·         Ambitious, pro-active and result-oriented.
·         Able to transform knowledge into achievement of assigned tasks within the schedule and maintain quality.
·         Committed to implementing quality improvement techniques that drive business operations to success.
·         Strong leadership and problem-solving skills.
·         Capable of working well under pressure and able to handle multiple tasks.

OTHER INFORMATION:

Language Known: English, and Urdu.
Visa Status: Visit Visa Valid Till 5th November 2013

I do hereby declare that the above information is true to the best of my knowledge.                   

Yours sincerely,

Muhammad Ali Hassan
Email: aly.hassan.zia@gmail.com
Mobile: [redacted]
Attached to this is his CV. Because that probably contains enough information to do a serious bit of identity theft I'll just post a picture..


I wonder just how many other poor sods this spammer has sent his CV to?

Thursday, 10 October 2013

Companies House phish

This fake Companies House spam appears to be some sort of phishing attempt:

Date:      Thu, 10 Oct 2013 11:57:31 +0300 [04:57:31 EDT]
From:      Companies House [contact@companieshouse.co.uk]
Subject:      Compulsory Companies House WebFiling Update #90721

Compulsory Companies House WebFiling Update #90721

This is an important notice to inform you as a registered company to update your details.

This will make it easier to update our database and keep records of our company.

Kindly follow the link below to update your information.

CLICK - Start Here
Companies House
Crown Way
Cardiff CF14 3UZ

DX 33050 Cardiff 

The link in the email goes to [phish]www.misspanama.net/respaldo/ukcompany/CompaniesHouse.htm which asks only for a Company Name, email address and password.

Once the credentials have been harvested, the victim is sent to a genuine Companies House webpage at www.companieshouse.gov.uk/forms/introduction.shtml


So, what is being harvested here? There seems to be no malware involved, so perhaps the bad guys are actually trying to hijack company identities for some evil purpose.

It turns out that Companies House have a webpage all about this type of threat and recommend that you forward offending emails to phishing@companieshouse.gov.uk. Just remember.. sometimes phishers are after something a lot less obvious than your bank details!

Wednesday, 9 October 2013

"Annual Form - Authorization to Use Privately Owned Vehicle on State Business" spam / warehousesale.com.my

This oddly-themed spam has a malicious attachment:

Date:      Tue, 8 Oct 2013 11:49:49 -0600 [10/08/13 13:49:49 EDT]
From:      Waldo Reeder [Waldo@victimdomain.com]
Subject: Annual Form - Authorization to Use Privately Owned Vehicle on State Business

All employees need to have on file this form STD 261 (attached).  The original is
retained by supervisor and copy goes to Accounting. Accounting need this form to approve
mileage reimbursement.

The form can be used for multiple years, however it needs to re-signed annually by
employee and supervisor.

Please confirm all employees that may travel using their private car on state business
(including training) has a current STD 261 on file.  Not having a current copy of this
form on file in Accounting may delay a travel reimbursement claim. 
The is a ZIP file attached which includes the victim's domain name as part of the filename. Inside is an exectuable file with an icon to make it look like a PDF file, and the date is encoded into the filename.

VirusTotal detections are not bad at 25/48. Automated analysis [1] [2] [3] shows an attempted connection to warehousesale.com.my hosted on 42.1.61.90 (Exa Bytes Network, Malaysia). There are no other sites on that server that I can see and I recommend that you block both the IP and domain as a precaution.

Recommended blocklist:
warehousesale.com.my
42.1.61.90