
Monday, 28 October 2013

American Express "Fraud Alert" spam / steelhorsecomputers.net

This fake Amex spam leads to malware on steelhorsecomputers.net:

From:     American Express [fraud@aexp.com]
Date:     28 October 2013 14:14
Subject:     Fraud Alert : Irregular Card Activity


Irregular Card Activity
Dear Customer,

We detected irregular card activity on your American Express

Check Card on 28th October, 2013.

As the Primary Contact, you must verify your account activity before you can
continue using your card, and upon verification, we will remove any restrictions
placed on your account.

To review your account as soon as possible please.

Please click on the link below to verify your information with us:

https://www.americanexpress.com/

If you account information is not updated within 24 hours then your ability
to access your account will be restricted.

We appreciate your prompt attention to this important matter.


© 2013 American Express Company. All rights reserved.        

AMEX Fraud Department


The link in the email goes through a legitimate but hacked site and then runs one of the following three scripts:
[donotclick]kaindustries.comcastbiz.net/imaginable/emulsion.js
[donotclick]naturesfinest.eu/eroding/patricians.js
[donotclick]winklersmagicwarehouse.com/handmade/analects.js

From there, the victim is sent to a malware landing page at [donotclick]steelhorsecomputers.net/americanexpress/ which is a hijacked GoDaddy domain hosted on 96.126.102.8 (Linode, US). There are other hijacked GoDaddy domains too, included in the blocklist below.

Recommended blocklist:
96.126.102.8
8353333.com
chrisfrillman.com
steelhorsecomputers.net
steelhorsecomputers.com

kaindustries.comcastbiz.net
naturesfinest.eu
winklersmagicwarehouse.com


Sunday, 27 October 2013

"You are a Mercedes-Benz winner !!!" spam

This is a slightly novel twist on an advanced fee fraud scam:

From:     Mercedes-Benz [desk_notification@yahoo.com]
Reply-To:     bmlot20137@live.com
Date:     27 October 2013 13:44
Subject:     You are a Mercedes-Benz winner !!!

Dear Recipient,

You have received a loyalty reward from Mercedes-Benz, Answer the Below question correctly and stand a chance of winning our Promotional Award Grand prize of $4,000,000USD and a Brand New 2013 Mercedes-Benz GLK350 4Matic SUV Car. If you have never had a Mercedes-Benz Product, this is your chance to benefit from our company while if you have any of our products this is your opportunity of enjoying some of our benefits apart from the comfortability and efficiency of our products. Just answer the questions asked below and you could be a winner:

QUESTION:

(1). What year was Mercedes-Benz found?
(a). 1946
(b). 1926
(c). 1936

(2). Who was the founder of Benz?
(a). Terry Benz
(b). Tom Benz
(c). Karl Benz

(3). In which country is the Benz Headquarter Located?
(a). Germany
(b). United Kingdom
(c). United State of America

Note that you are to send your answers along with your Full Name, Sex, Age, Phone Number, Country and Occupation.to our Fiduciary agent:

Mr.Richard Ashton
Email: bmlot20137@live.com
TEL: +44 703 590 2283
Fax: +44 871-247-6031

Our aims to support the abilities of the neediest groups to fulfill human dignity and social justice in cooperation with development partners in the world.

Kind Regards,
Mrs.Katherine Dooley
Mercedes-Benz,Online coordinator

The email was sent to a spamtrap address from 41.138.182.219, which is in Lagos, Nigeria, via a mail server in the US at 65.40.236.192 (Embarq).

You might wonder where the scam is, because it looks like a competition.. once you have answered the three trivially easy questions (we all know that Mercedes Benz was founded by Terry Benz in 1946 and is headquartered in the UK, after all) you will find that you need to pay a stiff fee to get your prize.. which will never materialise.

Saturday, 26 October 2013

Never mind the NSA, here is LinkedIn Intro

LinkedIn recently announced LinkedIn Intro, an add-in to the iOS mail app that displays a contact's LinkedIn data in the message you are reading by injecting code into the data stream. This is of marginal use to most people, and many readers will recognise it as something that annoying browser plugins have done for some time.

Despite LinkedIn's Pledge of Privacy, many people are concerned that LinkedIn is intercepting and reading your email. I don't believe that LinkedIn is at all interested in the content of your email, but I do believe that it is interested in finding out who you contact, in order to sell its so-called "product" on to more and more people.

Here's a thing - I use LinkedIn under an assumed name, but somehow LinkedIn thinks that I may know various people. Now, some of those are obviously connected to my fake profile.. but then it suggested that I know my own wife. Well, obviously I do, but the fake profile has no connection to her.. so the only source of this information must have been our shared IP address at home.

Then LinkedIn goes on a data-mining spree and suggests that I know all my coworkers who I also share an IP address with - which is true, but the fake profile I created does not. So, it seems pretty clear that LinkedIn uses your IP address to match you up with others.

LinkedIn has often been accused of rummaging through people's mailboxes without permission, but in this case it was not possible as my LinkedIn account is not linked to any mailboxes and uses a different username and password, so IP address is the only logical source of this.

But one day my wife (an occasional LinkedIn user) reported something very creepy indeed.. it reported that she may know a relative of mine that she does not really ever contact. And then some time later, I had another relative pop up in my fake profile. Where the hell does this information come from?

I have several theories about what is going on, including a deep suspicion that LinkedIn creates shadow profiles of non-members, and that it also includes hidden data about the relationships of members as well.. but those are just my opinions and I have nothing concrete to back them up. But what I do know from playing around with fake profiles is that LinkedIn is extremely clever at building up a network of suggested contacts whether you want it to or not.

LinkedIn's primary resource is the personal connections of its users. And just possibly that extends to shadow profiles of non-users as well. And that brings us back to LinkedIn Intro.. the quickest way of building up a truly massive collection of data about personal relationships is to do a traffic analysis on their email. You don't need to know the content, but if you know who they send and receive emails from then you will easily enumerate their professional and personal relationships. And then you can monetise that.

In the end, it doesn't matter if you sign up for LinkedIn Intro or not, because if just one person in your email chain does use it, then there's the possibility that LinkedIn will slurp up all that data for its own use.

LinkedIn has been accused by some of being the creepiest social network, and some commentators have gone even deeper into the risks of using Intro. There's even a lawsuit claiming that LinkedIn hacked email contacts but actually I suspect that LinkedIn wouldn't even need to bother doing that as it is clearly very efficient in working out contacts without it.

I suspect that at some point the issue of LinkedIn's data gathering will become a big issue, and the company will either need to explain exactly how it collects its data or perhaps someone on the inside will leak it out. Are they doing something illegal? Probably not. Are they doing something very creepy? Almost definitely yes.

Friday, 25 October 2013

"You have received a new debit" Lloyds TSB spam

This fake Lloyds TSB message has a malicious attachment:

Date:      Fri, 25 Oct 2013 13:55:41 +0200 [07:55:41 EDT]
From:      LloydsTSB [noreply@lloydstsb.co.uk]
Subject:      You have received a new debit
Priority:      High Priority 1 (High)

This is an automatically generated email by the Lloyds TSB PLC LloydsLink online payments Service.

The details of the payment are attached.

============================================================================
This e-mail (including any attachments) is private and confidential and may contain privileged material. If you have received this e-mail in error, please notify the sender and delete it (including any attachments) immediately. You must not copy, distribute, disclose or use any of the information in it or any attachments.

Attached is a zip file in the format Report_recipientname.zip which in turn contains a malicious executable Report_10252013.exe (note that the date is encoded into the filename). The file has an icon to make it look like a PDF, but it isn't one.

The VirusTotal detection rate is a so-so 13/47. Automated analysis [1] [2] shows an attempted connection to www.baufie.com on 173.203.199.241 (Rackspace, US). Often these callbacks indicate a completely compromised server, so it may be possible that there are other sites being abused on the same box.


Malware sites to block 25/10/2013

This list replaces this one, and mostly contains domains and IPs connected with this gang. The list starts with IPs and web hosts, followed by plain IPs and domains for copy-and-pasting.

5.175.171.89 (GHOSTnet, Germany)
5.231.40.197 (GHOSTnet, Germany)
5.231.47.92 (GHOSTnet, Germany)
31.210.112.28 (Veri Merkezi Hizmetleri, Turkey)
42.121.84.12 (Aliyun Computing Co, China)
60.199.253.165 (Taiwan Fixed Network Co, Taiwan)
63.251.135.19 (Internap, US)
78.100.140.171 (Qatar Telecom, Qatar)
81.91.159.212 (Datak Internet Engineering, Iran)
103.28.255.207 (Ani Network Pvt Ltd, India)
112.124.27.158 (Alibaba Advertising Co, China)
146.185.147.26 (Digital Ocean, Netherlands)
161.24.16.127 (Centro Tecnico Aeroespacial, Brazil)
181.41.200.191 (Host1plus Brazil, Brazil)
186.3.101.235 (Clientes Quito, Ecuador)
186.151.240.197 (Municipalidad De Zaragoza, Guatemala)
186.251.180.205 (Infotech Informatica e Assistencia Tecnica Ltda, Brazil)
189.1.169.28 (Maxihost Hospedagem de Sites Ltda, Brazil)
196.40.9.113 (Terminales Santamaria, Costa Rica)
211.71.99.66 (Beijing Institute of Clothing Technology, China)
223.30.27.251 (Sify Limited, India)

5.175.171.89
5.231.40.197
5.231.47.92
31.210.112.28
42.121.84.12
60.199.253.165
63.251.135.19
78.100.140.171
81.91.159.212
103.28.255.207
112.124.27.158
146.185.147.26
161.24.16.127
181.41.200.191
186.3.101.235
186.151.240.197
186.251.180.205
189.1.169.28
196.40.9.113
211.71.99.66
223.30.27.251
acondorwoonkary120.com
avasdayspa.net
blackbox-e.net
bonds.su
carefordying.net
carrykeyboard.net
ceravdilicheskinevoz76.net
consumersshow.net
cormushkaneplohatak300.com
cronshtainymorenah55.net
derivatiexchange.com
dotier.net
dropdistri-butions.net
dulethcentury.net
ermeentroper110.com
ermirovaniedoom153.com
ermirovanievood152.com
ermxxrtroper210.com
eventlogselfn.net
excelledblast.net
foi.su
gormonnsnter105.net
gromydoonye250.com
groove.su
gumatexx.net
hdmltextvoice.net
idersnonvirus.com
introlinkage.com
introlinkage.su
jurassic-spa.net
kotzebuepolice.net
leedsprobate.net
lyvegetarians.net
mesmultimedia.com
milkdriver.com
mymulejams.net
nacase.net
ny-headsets.org
ordersdeluxe.com
pro-senioren.net
rojecttalkway.com
sandlord.com
stabilitymess.net
thetokion.com
uprisingquicks.net
zigbeejournal.net
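The lists on this page come in two forms: annotated lines like "5.175.171.89 (GHOSTnet, Germany)" followed by plain IPs and domains for copy-and-pasting, and each new list replaces an earlier one. The following is an added example (it is not code from the original post) that parses both forms, validates every entry with the standard library, collapses the duplicated annotated/plain copies, and reports which indicators a new list adds and which it retires. The two sample lists are constructed for the example and loosely based on the 18/10 and 25/10 lists on this page; they are not the full lists.

```python
import ipaddress
import re

# Constructed sample lines loosely based on the two lists on this page; the
# shared entry 69.46.253.241 is included only to exercise the "unchanged" case.
OLD_LIST_SAMPLE = """\
12.46.52.147 (Compact Information Systems / AT&T, US)
62.75.246.191 (Intergenia, Germany)
69.46.253.241 (RapidDSL & Wireless, US)
12.46.52.147
alenikaofsa.ru
dynamooblog.ru
"""

NEW_LIST_SAMPLE = """\
5.175.171.89 (GHOSTnet, Germany)
69.46.253.241 (RapidDSL & Wireless, US)
203.114.112.156(PhetchaboonHospital, Thailand)
5.175.171.89
bonds.su
not a domain!
"""

ANNOTATED = re.compile(r"^(\S+?)\s*\((.+)\)\s*$")   # "1.2.3.4 (Org, Country)"
DOMAIN = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")


def parse_entry(line):
    """Return {'kind', 'value', 'org', 'country'} for one list line, or None
    if the line is neither a valid IP address nor a plausible hostname."""
    line = line.strip()
    if not line:
        return None
    m = ANNOTATED.match(line)
    if m:
        token, note = m.group(1), m.group(2)
        # The organisation name may itself contain commas; the country is
        # whatever follows the last one.
        org, sep, country = note.rpartition(",")
        if not sep:
            org, country = note, ""
    else:
        token, org, country = line, "", ""
    try:
        value = str(ipaddress.ip_address(token))   # validates and normalises
        kind = "ip"
    except ValueError:
        value = token.lower().rstrip(".")
        if not DOMAIN.match(value):
            return None
        kind = "domain"
    return {"kind": kind, "value": value,
            "org": org.strip(), "country": country.strip()}


def load_blocklist(text):
    """Map indicator -> entry. The annotated and plain copies of the same IP
    collapse into one record, and an annotated copy wins over a bare one."""
    entries = {}
    for line in text.splitlines():
        e = parse_entry(line)
        if e is None:
            continue
        current = entries.get(e["value"])
        if current is None or (not current["org"] and e["org"]):
            entries[e["value"]] = e
    return entries


def diff_blocklists(old, new):
    """Indicators to add and to retire when `new` replaces `old`."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    return added, removed


if __name__ == "__main__":
    old = load_blocklist(OLD_LIST_SAMPLE)
    new = load_blocklist(NEW_LIST_SAMPLE)
    added, removed = diff_blocklists(old, new)
    print("add:   ", ", ".join(added))
    print("retire:", ", ".join(removed))
```

Retiring entries matters as much as adding them: several of the IPs in these lists belong to hospitals, universities and small hosters whose compromised boxes get cleaned up, and a blocklist that only ever grows ends up blocking legitimate traffic.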



Thursday, 24 October 2013

"My resume" spam / Resume_LinkedIn.exe

This rather terse spam email message has a malicious attachment:

Date:      Thu, 24 Oct 2013 15:45:37 +0200 [09:45:37 EDT]
From:      Elijah Parr [Elijah.Parr@linkedin.com]
Subject:      My resume

Attached is my resume, let me know if its ok.

Thanks,
Elijah Parr

------------------------

Date:      Thu, 24 Oct 2013 19:14:37 +0530 [09:44:37 EDT]
From:      Greg Barnes [Greg.Barnes@linkedin.com]
Subject:      My resume

Attached is my resume, let me know if its ok.

Thanks,
Greg Barnes 

The attachment is Resume_LinkedIn.zip which in turn contains a malicious executable Resume_LinkedIn.exe with an icon to make it look like a Word document rather than an executable.

VirusTotal is timing out at the moment, but earlier only one AV engine detected it (Norman). Automated analysis tools [1] [2] show an attempted connection to homevisitor.co.uk on 64.50.166.122 (Lunarpages, US). This server was distributing malware last month too, so we must assume that it is compromised. Blocking that IP address would probably be a good idea as there are several other compromised domains on that same server [1] [2].

Wednesday, 23 October 2013

"Voice Message from Unknown" spam / VoiceMessage.exe

These bogus voice message spams have a malicious attachment:

Date:      Wed, 23 Oct 2013 19:17:42 +0530 [09:47:42 EDT]
From:      Administrator [voice8@victimdomain]
Subject:      Voice Message from Unknown (553-843-8846)

- - -Original Message- - -

From: 553-843-8846
Sent: Wed, 23 Oct 2013 19:17:42 +0530
To: [recipient list at victimdomain]
Subject: Important: to all Employee



Date:      Wed, 23 Oct 2013 08:36:24 -0500 [09:36:24 EDT]
From:      Administrator [voice3@victimdomain]
Subject:      Voice Message from Unknown (586-898-9333)

- - -Original Message- - -

From: 586-898-9333
Sent: Wed, 23 Oct 2013 08:36:24 -0500
To: [recipient list at victimdomain]
Subject:  Employees Only 



Date:      Wed, 23 Oct 2013 16:40:22 +0300 [09:40:22 EDT]
From:      Administrator [voice2@victimdomain]
Subject:      Voice Message from Unknown (998-948-7548)

- - -Original Message- - -

From: 998-948-7548
Sent: Wed, 23 Oct 2013 16:40:22 +0300
To: [recipient list at victimdomain]
Subject:  Employees Only

In each case there is an attachment VoiceMessage.zip which in turn contains an executable VoiceMessage.exe with an icon to make it look like an audio file.

Obviously this is malicious, and the detection rate at VirusTotal is a pretty poor 5/46. Automated analysis [1] [2] shows an attempted connection to glyphs-design.com on 212.199.115.173 (012 Smile Communications Ltd, Israel). Blocking that domain is probably prudent; however, there are several hundred legitimate domains on the same server, so bear that in mind if you choose to block the IP address.

Added:
The mail goes so far as to include fake mail headers to suggest that the spam comes from inside the victim's network (when it does not). For example..
from unknown (192.168.1.88) by filter8.******** with QMQP; 23 Oct 2013 13:47:40 -0000
from unknown (HELO aexp.com) (203.193.165.78) by mxin1.******** with SMTP; 23 Oct 2013 13:48:41 -0000
from voice903.******** (10.0.0.168) by ******** (10.0.0.109) with Microsoft SMTP Server (TLS) id FUOMD6AZ; Wed, 23 Oct 2013 19:17:42 +0530
from voice5005.******** (10.179.13.59) by smtp.******** (10.0.0.34) with Microsoft SMTP Server id YEP40NNY; Wed, 23 Oct 2013 19:17:42 +0530
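The give-away in those headers is the order: the top two Received lines were written by the recipient's own relays, the second of them shows the mail arriving from an outside host (203.193.165.78, claiming to be aexp.com), and the two lines below it with 10.x addresses were already in the message when it arrived, so the external host wrote them. The following is an added example (not code from the original post) that applies that reasoning: it walks the Received chain from the top, stops at the first hop that came from a non-internal address, and flags any later hop that claims an internal source. The sample headers reproduce the four lines above with the redacted hostnames replaced by example.net placeholders.

```python
import ipaddress
import re

# Constructed sample: the four Received headers quoted above, in message order
# (top line = last hop), with the redacted hostnames replaced by example.net.
SAMPLE_RECEIVED = [
    "from unknown (192.168.1.88) by filter8.example.net with QMQP; "
    "23 Oct 2013 13:47:40 -0000",
    "from unknown (HELO aexp.com) (203.193.165.78) by mxin1.example.net with SMTP; "
    "23 Oct 2013 13:48:41 -0000",
    "from voice903.example.net (10.0.0.168) by mail.example.net (10.0.0.109) "
    "with Microsoft SMTP Server (TLS) id FUOMD6AZ; Wed, 23 Oct 2013 19:17:42 +0530",
    "from voice5005.example.net (10.179.13.59) by smtp.example.net (10.0.0.34) "
    "with Microsoft SMTP Server id YEP40NNY; Wed, 23 Oct 2013 19:17:42 +0530",
]

IPV4 = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")
HELO = re.compile(r"\((?:HELO|EHLO)\s+([^)\s]+)\)", re.IGNORECASE)
FROM_NAME = re.compile(r"^\s*from\s+(\S+)", re.IGNORECASE)


def source_ip(received):
    """Address the relay received from: the first valid IPv4 literal that
    appears before the 'by' clause of a Received header."""
    before_by = re.split(r"\s+by\s+", received, maxsplit=1)[0]
    for m in IPV4.finditer(before_by):
        try:
            return ipaddress.ip_address(m.group(1))
        except ValueError:          # e.g. 999.1.1.1 matches the regex but is not an address
            continue
    return None


def claimed_helo(received):
    """The name the sending host announced, from '(HELO x)' or the 'from x' token."""
    m = HELO.search(received) or FROM_NAME.search(received)
    return m.group(1) if m else None


def is_internal(ip):
    # Simplification for the example: treat RFC 1918 / loopback / link-local
    # as "our own relays". A real gateway would use its configured relay list.
    return ip.is_private or ip.is_loopback or ip.is_link_local


def analyse_received(received_lines):
    """Locate the trust boundary (first hop from a non-internal address) and
    list the hops below it that claim an internal source address, which our
    relays cannot have written."""
    boundary = None
    suspicious = []
    for idx, line in enumerate(received_lines):
        ip = source_ip(line)
        if ip is None:
            continue
        if boundary is None:
            if is_internal(ip):
                continue                       # still inside our own relays
            boundary = {"index": idx, "ip": str(ip), "helo": claimed_helo(line)}
            continue
        if is_internal(ip):
            suspicious.append(idx)
    return {"boundary": boundary, "forged_internal_hops": suspicious}


if __name__ == "__main__":
    result = analyse_received(SAMPLE_RECEIVED)
    print("trust boundary:", result["boundary"])
    for idx in result["forged_internal_hops"]:
        print("forged internal hop:", SAMPLE_RECEIVED[idx][:60], "...")
```

The private-address heuristic is enough for this sample, but on a real gateway the boundary should be determined from the list of relays you actually operate (the same idea as SpamAssassin's internal_networks/trusted_networks settings), since an attacker can just as easily forge a public address in a fake hop.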

Tuesday, 22 October 2013

ADP spam / abrakandabr.ru

This fake ADP spam leads to malware on abrakandabr.ru:

From:     ClientService@adp.com [ClientService@adp.com]
Date:     22 October 2013 18:04
Subject:     ADP RUN: Account Charge Alert

ADP Urgent Communication

Note ID: 33400

October, 22 2013
Valued ADP Partner

Account operator with ID 58941 Refused Yesterday Payroll Operation from your ADP account recently. Report(s) have been uploaded to the website:

Sign In here

Please see the following notes:

• Please note that your bank account will be debited within 1 banking day for the total shown on the Summary(s).

•  Please don't try to reply to this message. auto informer system can't accept incoming email. Please Contact your ADP Benefits Specialist.

This notification was sent to current clients in your system that approach ADP Netsecure.

As always, thank you for choosing ADP as your business partner!

Note ID: 33400 



The link goes through a legitimate hacked site and then onto a malware landing page at [donotclick]abrakandabr.ru:8080/adp.report.php (Windows visitors only; everyone else gets sent to adp.com). This is hosted on quite a lot of IP addresses:

69.46.253.241 (RapidDSL & Wireless, US)
91.205.17.80 (TOV Adamant-Bild, Ukraine)
111.68.229.205 (NTT Communications, Japan)
114.32.54.164 (Chunghwa Telecom, Taiwan)
118.163.216.107 (Chunghwa Telecom, Taiwan)
163.18.62.51 (TANET, Taiwan)
202.6.120.103 (TSKL, Kiribati)
203.80.16.81 (MYREN, Malaysia)
203.114.112.156 (PhetchaboonHospital, Thailand)
210.56.23.100 (Commission For Science And Technology, Pakistan)
210.166.209.15 (Prox Communicator, Japan)
212.154.192.122 (Hoster.KZ, Kazakhstan)
213.214.74.5 (BBC Cable, Bulgaria)

As mentioned before, this is either the return of the infamous RU:8080 gang, or it is somebody pretending to be the gang. But one rather peculiar factor is that in this case the bad guys only seem to have a small pool of servers that have been compromised for some time, and don't seem to have added any new ones.

Recommended blocklist:
69.46.253.241
91.205.17.80
111.68.229.205
114.32.54.164
118.163.216.107
163.18.62.51
202.6.120.103
203.80.16.81
203.114.112.156
210.56.23.100
210.166.209.15
212.154.192.122
213.214.74.5
abrakandabr.ru
dynamooblog.ru
inkrediblehalk.ru
intro2seo.ru
hankoksuper.ru


Monday, 21 October 2013

"Last Month Remit" spam / Remit_10212013.exe

This bogus remittance spam comes with a malicious attachment:

Date:      Mon, 21 Oct 2013 15:08:15 +0100 [10:08:15 EDT]
From:      Administrator [docs9@victimdomain]
Subject:      FW: Last Month Remit

File Validity: 21/10/2013
Company : http://[victimdomain]
File Format: Office - Excel
Internal Name: Remit File
Legal Copyright: © Microsoft Corporation. All rights reserved.
Original Filename: Last month remit file.xls

********** Confidentiality Notice **********.
This e-mail and any file(s) transmitted with it, is intended for the exclusive use by the person(s) mentioned above as recipient(s).
This e-mail may contain confidential information and/or information protected by intellectual property rights or other rights. If you
are not the intended recipient of this e-mail, you are hereby notified that any dissemination, distribution, copying, or action taken
in relation to the contents of and attachments to this e-mail is strictly prohibited and may be unlawful. If you have received this
e-mail in error, please notify the sender and delete the original and any copies of this e-mail and any printouts immediately from
your system and destroy all copies of it.

The email appears to originate from the victim's own domain, and mentions that domain in the body of the text. The attachment also contains the victim's domain, in the format Remit_domain.tld.zip, which in turn contains a malicious executable with an icon designed to look like a Microsoft Excel file. In this case it is called Remit_10212013.exe, but note that the date is encoded into the filename.

The malicious payload has a very low detection rate at VirusTotal of just 2/47. Automated analysis tools [1] [2] [3] show an attempted connection to p3-sports.com on 192.232.198.101 (Websitewelcome, US). There may be other infected domains on the same IP if previous patterns are repeated. The malware also appears to try to connect to the following IPs, demonstrating a peer-to-peer capability.
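Every one of these attachment runs (the Lloyds TSB Report_10252013.exe above, Remit_10212013.exe here, and the Contract_Agreement and payroll_report variants further down) uses the same trick: a zip containing an .exe with a document icon and the day's date encoded as MMDDYYYY in the name, so a filter that matches on the exact filename is out of date the next morning. The following is an added example (not code from the original post) of how a mail gateway can inspect such an archive without trusting the icon or the name: it reads only the first two bytes of each member to check for the PE "MZ" magic, flags executable extensions, and pulls the encoded date out of the name. The sample archive is constructed in memory; the "executable" inside it is two magic bytes plus filler, not a real program.

```python
import io
import os
import re
import zipfile
from datetime import date

EXEC_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs"}
# Date encoded as MMDDYYYY, bounded so a longer digit run (an account number,
# say) is not mistaken for one.
MMDDYYYY = re.compile(r"(?<!\d)(\d{2})(\d{2})(\d{4})(?!\d)")
# Names seen in the runs on this page: Report_, Remit_, Contract_Agreement_,
# payroll_report_ followed by the date and .exe.
KNOWN_NAME = re.compile(
    r"^(?:Report|Remit|Contract_Agreement|payroll_report)_\d{8}\.exe$", re.IGNORECASE)


def embedded_date(filename):
    """First valid MMDDYYYY date found in the name, or None."""
    for mm, dd, yyyy in MMDDYYYY.findall(filename):
        try:
            return date(int(yyyy), int(mm), int(dd))
        except ValueError:      # e.g. month 13: digits, but not a date
            continue
    return None


def inspect_zip(zip_bytes, max_members=50):
    """One finding per archive member. Only two bytes of each member are
    inflated, so a decompression bomb cannot blow up the scanner."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist()[:max_members]:
            name = os.path.basename(info.filename)
            ext = os.path.splitext(name)[1].lower()
            with zf.open(info) as member:
                head = member.read(2)
            exec_ext = ext in EXEC_EXTS
            pe_magic = head == b"MZ"
            findings.append({
                "name": name,
                "exec_ext": exec_ext,
                "pe_magic": pe_magic,
                "known_name": bool(KNOWN_NAME.match(name)),
                "date": embedded_date(name),
                "block": exec_ext or pe_magic,
            })
    return findings


def build_sample():
    """Constructed stand-in for Remit_victimdomain.tld.zip: a fake .exe (just
    the MZ magic and filler) next to a harmless-looking .xls member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Remit_10212013.exe", b"MZ" + b"\x00" * 64)
        zf.writestr("Last month remit file.xls", b"\xd0\xcf\x11\xe0" + b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    for f in inspect_zip(build_sample()):
        verdict = "BLOCK" if f["block"] else "allow"
        print(f"{verdict:5} {f['name']}  date={f['date']}  pe={f['pe_magic']}")
```

The PE check catches a renamed executable even when the extension is something like .pdf, and the extension check catches an .exe whose first bytes have been tampered with, so a gateway wants both. The date is worth logging rather than acting on: it is the spammer's send date, and comparing it with the message's Date header is a cheap way to cluster samples from the same run.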



Friday, 18 October 2013

Malware sites to block 18/10/2013

These IPs and domains are associated with this spam run. Some of these servers have been compromised for some time by the looks of things. There's a plain list for copy-and-pasting at the end.

12.46.52.147 (Compact Information Systems / AT&T, US)
41.203.18.120 (Hetzner, South Africa)
62.75.246.191 (Intergenia, Germany)
62.76.42.58 (Clodo-Cloud / IT House, Russia)
69.46.253.241 (RapidDSL & Wireless, US)
70.159.17.146 (F G Wilson / AT&T , US)
91.205.17.80 (TOV Adamant-Bild, Ukraine)
94.102.14.239 (Netinternet , Turkey)
111.68.229.205 (NTT Communications, Japan)
114.32.54.164 (Chunghwa Telecom, Taiwan)
118.163.216.107 (Chunghwa Telecom, Taiwan)
140.174.98.150 (NTT America, US)
163.18.62.51 (TANET, Taiwan)
182.237.17.180 (Uclix, India)
201.151.0.164 (Alestra, Mexico)
202.6.120.103 (TSKL, Kiribati)
203.80.16.81 (MYREN, Malaysia)
203.114.112.156 (PhetchaboonHospital, Thailand)
210.56.23.100 (Commission For Science And Technology, Pakistan)
210.166.209.15 (Prox Communicator, Japan)
212.154.192.122 (Hoster.KZ, Kazakhstan)
213.5.182.144 (RackSRV Communications, UK)
213.143.121.133 (Wien Energie, Austria)
213.214.74.5 (BBC Cable, Bulgaria)

12.46.52.147
41.203.18.120
62.75.246.191
62.76.42.58
69.46.253.241
70.159.17.146
91.205.17.80
94.102.14.239
111.68.229.205
114.32.54.164
118.163.216.107
140.174.98.150
163.18.62.51
182.237.17.180
201.151.0.164
202.6.120.103
203.80.16.81
203.114.112.156
210.56.23.100
210.166.209.15
212.154.192.122
213.5.182.144
213.143.121.133
213.214.74.5
alenikaofsa.ru
alionadorip.ru
dynamooblog.ru
inkrediblehalk.ru
intro2seo.ru

Added:
hankoksuper.ru is now active on those same IPs.

Dropbox spam leads to malware on.. errr.. dynamooblog.ru

Two days ago I wrote about the apparent return of the RU:8080 gang.. well, it appears that in order to celebrate their return, they've acknowledged my acknowledgement in the form of a malware landing page at dynamooblog.ru.

Well... hi guys. Things have been a bit quieter without you. Anyway, this is the latest spam email purportedly from Dropbox, and using the same template as used in this ThreeScripts spam run.


Date:      Fri, 18 Oct 2013 16:00:54 -0500 [17:00:54 EDT]
From:      Dropbox [no-reply@dropboxmail.com]
Subject:      Please update your Expired Dropbox Password
Priority:      High Priority 1

Hello [redacted].

We have a warning in our system that you recently tried to login in to Dropbox with a password that you haven't changed long time already. Your old password has expired and you'll need to create a new one to log in.

Please visit the page to update your password

Set New Password

Enjoy!
- The Dropbox Team    
    © 2013 Dropbox


The attack and payload are exactly the same as this one, and the executable is unchanged but now has a better VirusTotal detection rate of 29/48. The domain dynamooblog.ru was registered yesterday to the infamous Russian "Private Person" and is hosted on a lot of IPs that have been serving up Zbot for some time.

I'll have a closer poke at this network in a moment, but in the meantime this is my recommended blocklist:
dynamooblog.ru
12.46.52.147
41.203.18.120
62.76.42.58
69.46.253.241
70.159.17.146
91.205.17.80
94.102.14.239
111.68.229.205
114.32.54.164
118.163.216.107
140.174.98.150
163.18.62.51
182.237.17.180
202.6.120.103
203.80.16.81
203.114.112.156
210.56.23.100
210.166.209.15
212.154.192.122
213.5.182.144
213.143.121.133
213.214.74.5


Avaya "Voice Mail Message" spam with a malicious payload

This fake voice mail message appears to originate from within the victim's own domain (although that is just a forgery):

Date:      Fri, 18 Oct 2013 09:19:42 -0600 [11:19:42 EDT]
From:      Voice Mail Message [1c095eb9-fa18-74e5-b@victimdomain.com]
Subject:      Voice Mail Message ( 45 seconds )

This voice message was created by Avaya Modular Messaging. To listen to this voice
message,just open it.

Attached is a file VoiceATT0685424.zip which in turn contains a malicious executable VoiceMessageTT.exe with an icon to make it look like an audio file. This trick works when Windows is hiding file extensions (the default setting, and a stupid one that has no doubt infected millions of Windows users over the years).

Of course, the .exe file is malware with a pretty low detection rate of just 3/48 at VirusTotal. Automated analysis [1] [2] [3] shows a connection to a domain called adamdevarney.com on 209.236.71.58 (Westhost, US) which has been seen twice before. This means that there are potentially hundreds of compromised domains on the same server, so blocking traffic to the IP address will be the most effective way of giving yourself some protection.

"Microsoft Windows Update" phish

A random and untargeted attempt at phishing with a Windows Update twist.

From:     Microsoft Office [accounts-updates@microsoft.com]
Date:     17 October 2013 02:54
Subject:     Microsoft Windows Update

Dear Customer,

Evaluation period has expired. For information on how to upgrade your windows software please Upgrade Here.

Thank you,

Copyright © 2013 Microsoft Inc. All rights reserved.

The email originates from 66.160.250.236 [mail.andrustrucking.com], which belongs to a trucking company called Doug Andrus Distributing.. so perhaps Microsoft is farming out the updates to a random Idaho company. Or perhaps that company has had its email system compromised (maybe by someone using the same phishing technique).

Anyway, the link in the email goes to a legitimate but hacked site and then lands on a phishing page hosted on [donotclick]www.cycook.com/zboard//microsoft-update/index.php.htm. Despite the email saying "Windows Update", the landing page has had Office branding crudely pasted into it.


Entering your credentials simply takes you to a genuine Microsoft page:

Phishing isn't restricted to stuff like bank accounts, the spammers also like a fresh supply of email accounts to abuse, so as ever.. exercise caution.

Thursday, 17 October 2013

"Scan from a Xerox WorkCentre" spam / A136_Incoming_Money_Transfer_Form.exe

The malware spammers are suffering from a chronic lack of imagination with this familiar fake printer spam:

Date:      Thu, 17 Oct 2013 13:01:52 -0600 [15:01:52 EDT]
From:      Incoming Fax [Incoming.Fax3@victimdomain.com]
Subject:      Scan from a Xerox WorkCentre

Please download the document.  It was scanned and sent to you using a Xerox multifunction device.

File Type: pdf
Download: Scanned from a Xerox multi~9.pdf

multifunction device Location: machine location not set
Device Name: Xerox1552


For more information on Xerox products and solutions, please visit http://www.xerox.com

Attached is a file Scanned from a Xerox multi~6.zip which in turn contains an executable A136_Incoming_Money_Transfer_Form.exe with a VirusTotal detection rate of 6/48.

Automated analysis [1] [2] [3] shows a connection to cushinc.com on 209.236.71.58 (Westhost, US). This is the same server as seen yesterday, so my best guess is that the server is compromised and potentially all the 600+ domains on it are too. Blocking that IP address may be prudent.

Wednesday, 16 October 2013

"Atlantics Post LLC" fake job offer

A bit of money mule recruiting that isn't really trying very hard..

Date:      Wed, 16 Oct 2013 14:54:34 -0300 [13:54:34 EDT]
From:      Atlantics Post [misstates7@compufort.com]
Subject:      Career with Atlantics Post LLC

Atlantics Post LLC is now hiring for a Shipping Clerk. If You are young, enthusiastic person. Looking for a great job opportunity with a stable in come this job is for you.

Duties:
Receive packages at workplace (out of home possition);
Transfer the packages to our business partners nationwide;
Keeping accurate records of operations and report them

Requirements:
- Thorough knowledge of quality improvement techniques and experience with process and service delivery improvement.
- Strong ability to analyze, organize and simplify complex processes and data.
- Exceptional attention to detail.
- Considerable experience with data reporting systems.
- Leisure business experience an asset.
- Flexible, adaptable to change, and resourceful in the face of shifting priorities and demands.

WHAT'S NEXT?
If you have any questions, you can call our toll-free number 866-652-8106.
If you are interested in this opportunity, please submit your resume by e-mail JoyDugganagg@yahoo.com or fax (904-212-0897).

Originating IP is 181.165.70.97 in Argentina. Avoid.

LinkedIn spam / Contract_Agreement_whatever.zip

This fake LinkedIn spam has a malicious attachment:

Date:      Wed, 16 Oct 2013 11:57:55 -0600 [13:57:55 EDT]
From:      Shelby Gordon [Shelby@linkedin.com]

Attached is your new contract agreements.

Please read the notes attached, then complete, sign and return this form.

Shelby Gordon
Contract Manager
Online Division - LinkedIn
Shelby.Gordon@linkedin.com
Office: 302-449-8859 Ext. 33
Direct: 302-184-9426

This email was intended for dynamoo@spamcop.net.
© 2013, LinkedIn Corporation. 2029 Stierlin Ct. Mountain View, CA 94043, USA 

The attachment has the format Contract_Agreement_recipientname.zip and in turn contains a malicious executable Contract_Agreement_10162013.exe (note the date encoded into the filename). VirusTotal detections are 10/48.

Automated analysis tools [1] [2] [3] show an attempted connection to miamelectric.com on 209.236.71.58 (Westhost, US). I recommend that you block outbound traffic to that particular domain.

Pinterest spam, alenikaofsa.ru and the return of the RU:8080 gang?

This fake Pinterest spam leads to a malicious download on alenikaofsa.ru:

Date:      Wed, 16 Oct 2013 12:03:11 -0300 [11:03:11 EDT]
From:      Pinterest [pinbot@pinterest.biz]
Subject:      Your Facebook friend Andrew Hernandez joined Pinterest

A Few Updates...
[redacted]
   
Andrew Hernandez    

Your Facebook friend Andrew Hernandez just joined Pinterest. Help welcome Carol to the community!
   
Visit Profile
       
Happy pinning!

©2013 Pinterest, Inc. | All Rights Reserved
Privacy Policy | Terms and Conditions

Andrew is a pretty feminine-looking bloke. The link in the email goes through a legitimate hacked site and then ends up on a fake browser download page (report here) that attempts to download [donotclick]alenikaofsa.ru:8080/ieupdate.exe, which has a VirusTotal detection rate of just 1/48 (only Kaspersky detects it.. again).

The ThreatTrack report [pdf] looks like peer-to-peer Zeus to me; the Malwr report and Comodo CAMAS report also give some insight.

alenikaofsa.ru is registered to the infamous Russian "private person" and is hosted on the following IPs:
62.75.246.191 (Intergenia AG, Germany)
69.46.253.241 (RapidDSL & Wireless, US)
The domain alionadorip.ru is also hosted on these IPs.

What's interesting is that 69.46.253.241 was seen here months ago, which makes this look like the unwelcome return of the RU:8080 gang after a long absence.

Recommended blocklist:
62.75.246.191
69.46.253.241
alenikaofsa.ru
alionadorip.ru

Footnote:
The malware page uses a similar script to that used here although with the rather cheeky comment

// It's "cool" to let user wait 2 more seconds :/



Tuesday, 15 October 2013

"Payroll Received by Intuit" spam / payroll_report_147310431_10112013.zip

This fake Intuit spam comes with a malicious attachment:

Date:      Tue, 15 Oct 2013 16:20:40 +0000 [12:20:40 EDT]
From:      Intuit Payroll Services [IntuitPayrollServices@payrollservices.intuit.com]
Subject:      Payroll Received by Intuit

Dear, [redacted]
We received your payroll on October 11, 2013 at 4:41 PM .

Attached is a copy of your Remittance. Please click on the attachment in order to view it.

Please note the deadlines and status instructions below: If your payroll is received
BEFORE 5 p.m., your Direct Deposit employees will be paid two (2) banking days from the
date received or on your paycheck date, whichever is later.  If your payroll is received
AFTER 5 p.m., your employees will be paid three (3) banking days from the date received
or on your paycheck date, whichever is later.  YOUR BANK ACCOUNT WILL BE DEBITED THE DAY
BEFORE YOUR CHECKDATE. Funds are typically withdrawn before normal banking hours so
please make sure you have sufficient funds available by 12 a.m. on the date funds are to
be withdrawn. Intuit must receive your payroll by 5 p.m., two banking days before your
paycheck date or your employees will not be paid on time.  Intuit does not process
payrolls on weekends or federal banking holidays. A list of federal banking holidays can
be viewed at the Federal Reserve website. Thank you for your business.

Sincerely, Intuit Payroll Services

IMPORTANT NOTICE: This notification is being sent to inform you of a critical matter
concerning your current service, software, or billing. Please note that if you previously
opted out of receiving marketing materials from Intuit, you may continue to receive
notifications similar to this communication that affect your service or software. If you
have any questions or comments about this email, please DO NOT REPLY to this email. If
you need additional information please contact us.

If you receive an email message that appears to come from Intuit but that you suspect is
a phishing email, please forward it to immediately to spoof@intuit.com. © 2013 Intuit
Inc. All rights reserved. Intuit and the Intuit Logo are registered trademarks and/or
registered service marks of Intuit Inc. in the United States and other countries. All
other marks are the property of their respective owners, should be treated as such, and
may be registered in various jurisdictions.

Intuit Inc. Customer Communications
2800 E. Commerce Center Place, Tucson, AZ 85706

The attachment is payroll_report_147310431_10112013.zip which in turn contains payroll_report_10112013.exe (note that the date is encoded into both filenames).

That executable currently has a detection rate of 9/46 at VirusTotal. Automated analysis [1] [2] [3] shows that it attempts to make a connection to mtfsl.com on 184.22.215.50 (Network Operations Center, US). Blocking those temporarily may give some protection against any additional threats using that server.

USPS spam / Label_ZFRLOADD5PGGZ0Z_USPS.zip

This fake USPS spam has a malicious attachment:

Date:      Tue, 15 Oct 2013 09:36:02 -0500 [10:36:02 EDT]
From:      USPS Express Services [service-notification@usps.com]
Subject:      USPS - Missed package delivery

Notification

Our company's courier couldn't make the delivery of package.

REASON: Postal code contains an error.
DELIVERY STATUS: Sort Order
SERVICE: One-day Shipping
NUMBER OF YOUR PARCEL: USPSZFRLOADD5PGGZ0Z
FEATURES: No

Label is enclosed to the letter.
Print a label and show it at your post office.

An additional information:

You can find the information about the procedure and conditions of parcels keeping in the nearest office.

Thank you for using our services.
USPS Global.

*** This is an automatically generated email, please do not reply ***

CONFIDENTIALITY NOTICE:
This electronic mail transmission and any attached files contain information intended for the exclusive use of the individual or entity to whom it is addressed and may contain information belonging to the sender (USPS , Inc.) that is proprietary, privileged, confidential and/or protected from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any viewing, copying, disclosure or distributions of this electronic message are violations of federal law. Please notify the sender of any unintended recipients and delete the original message without making any copies.  Thank You

There is an attachment Label_ZFRLOADD5PGGZ0Z_USPS.zip which contains a malicious executable Label_101513_USPS.exe (note the date encoded into the filename).

VirusTotal shows just 4/46 vendors detect it at present. Automated analysis [1] [2] [3] shows an attempted communication with traderstruthrevealed.com on 103.8.27.82 (SKSA Technology, Malaysia).

There is also another email using this format with the same payload.
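As an added example (not code from the original post), here is a small Python check for zip attachments shaped like the Intuit and USPS ones above: a date encoded in the filename and an executable hidden inside the archive. The archives it builds are constructed samples, not the real attachments.

```python
import io
import re
import zipfile
from datetime import date

# Filename shapes quoted in the two spam runs above; the date sits inside the name:
#   payroll_report_147310431_10112013.zip (MMDDYYYY), Label_101513_USPS.exe (MMDDYY)
PATTERNS = [
    re.compile(r"^payroll_report_\d+_(\d{2})(\d{2})(\d{4})\.zip$", re.I),
    re.compile(r"^Label_(\d{2})(\d{2})(\d{2})_USPS\.exe$", re.I),
]

def embedded_date(name):
    """Return the campaign date encoded in a filename, or None if it has none."""
    for pat in PATTERNS:
        m = pat.match(name)
        if m:
            mm, dd, yy = (int(g) for g in m.groups())
            if yy < 100:          # two-digit year in the USPS variant
                yy += 2000
            try:
                return date(yy, mm, dd)
            except ValueError:    # digits that do not form a real date
                return None
    return None

def inspect_attachment(zip_name, data):
    """Flag a zip that carries an executable; report member names and any encoded date."""
    report = {"zip": zip_name, "executables": [], "date": embedded_date(zip_name), "suspicious": False}
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                with zf.open(info) as fh:
                    head = fh.read(2)
                # Windows executables start with "MZ"; this also catches a renamed .exe
                if info.filename.lower().endswith(".exe") or head == b"MZ":
                    report["executables"].append(info.filename)
                    report["date"] = report["date"] or embedded_date(info.filename)
    except zipfile.BadZipFile:
        report["suspicious"] = True   # a malformed archive is itself worth a look
        return report
    report["suspicious"] = bool(report["executables"])
    return report

def make_zip(member, payload):
    """Build a constructed sample archive in memory (not a real malware sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, payload)
    return buf.getvalue()
```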

Recommended blocklist:
103.8.27.82
traderstruthrevealed.com

Monday, 14 October 2013

Malware sites to block 14/10/2013

It's been a while since I trawled around the activities of the "Amerika" gang, but here is a new set of malicious domains and IPs to block, replacing this list.
