Thursday, 13 December 2012

Citi Cards spam / 6.bbnface.com and 6.mamaswishes.com

This fake Citi Cards spam leads to malware on 6.bbnface.com and 6.mamaswishes.com:


Date:      Thu, 13 Dec 2012 11:59:33 +0300
From:      Citi Cards [citicards@info.citibank.com]
Subject:      Your Citi Credit Card Statement
   

Add citicards@info.citibank.com to your address book to ensure delivery.

Your Account: Important Notification
   
Your Citi Credit Card statement is ready to view online

   
Dear customer,

Your Citi Credit Card statement is now available for you to view online. Here are some key pieces of information from your statement:

Statement Date:     December 13, 2012
Statement Balance:     -$8,803.77
Minimum Payment Due:     $750.00
Payment Due Date:     Tue, January 01, 2013


Want help remembering your payment due date? Sign up for automated alerts such as Payment Due reminders with Alerting Service.

To set up alerts sign on to www.citicards.com and go to Account Profile.

Iprefer not to have this email contain specific information from my statement. Please send me just the announcement that my statement is ready to view online.
   
   
View Your Account         Pay Your Bill         Contact Us
   

Privacy | Security
Email Preferences
This message is from Citi Cards. Your credit card is issued by Citibank, N.A. If you'd like to refine the types of email messages you receive, or if you'd prefer to stop receiving email from us, please go to: http://www.email.citicards.com. Citibank manages email preferences by line of business. Changing your email preferences with Citi Cards does not change your email preferences for messages from Citibank's other businesses which include retail branch banking among others.

Should you want to contact us in writing concerning this email, please direct your correspondence to:

Citibank Customer Service
P. O. Box 6500
Sioux Falls, SD 57117

Help / Contact Us
If you have questions about your account, please use our secure message center by signing on at www.citicards.com and choosing "Contact Us" from the "Help / Contact Us" menu. You can also call the customer service phone number on the back of your card.

(c) 2012 Citibank, N.A.
All rights reserved.
Citi, Citibank and Citi with Arc Design are registered service marks of Citigroup Inc.

============================


Date:      Thu, 13 Dec 2012 10:30:55 +0200
From:      Citi Cards [citicards@info.citibank.com]
Subject:      Your Citi Credit Card Statement
   

Add citicards@info.citibank.com to your address book to ensure delivery.

Your Account: Important Notification
   
Your Citi Credit Card statement is ready to view online

   
Dear customer,

Your Citi Credit Card statement is now available for you to view online. Here are some key pieces of information from your statement:

Statement Date:     December 13, 2012
Statement Balance:     -$5,319.77
Minimum Payment Due:     $506.00
Payment Due Date:     Tue, January 01, 2013


Want help remembering your payment due date? Sign up for automated alerts such as Payment Due reminders with Alerting Service.

To set up alerts sign on to www.citicards.com and go to Account Profile.

Iprefer not to have this email contain specific information from my statement. Please send me just the announcement that my statement is ready to view online.

   
   
View Your Account         Pay Your Bill         Contact Us
   

Privacy | Security
Email Preferences
This message is from Citi Cards. Your credit card is issued by Citibank, N.A. If you'd like to refine the types of email messages you receive, or if you'd prefer to stop receiving email from us, please go to: http://www.email.citicards.com. Citibank manages email preferences by line of business. Changing your email preferences with Citi Cards does not change your email preferences for messages from Citibank's other businesses which include retail branch banking among others.

Should you want to contact us in writing concerning this email, please direct your correspondence to:

Citibank Customer Service
P. O. Box 6500
Sioux Falls, SD 57117

Help / Contact Us
If you have questions about your account, please use our secure message center by signing on at www.citicards.com and choosing "Contact Us" from the "Help / Contact Us" menu. You can also call the customer service phone number on the back of your card.

(c) 2012 Citibank, N.A.
All rights reserved.
Citi, Citibank and Citi with Arc Design are registered service marks of Citigroup Inc.

The links in the email bounce through a hacked legitimate site and, in the samples I have seen, end up on [donotclick]6.bbnface.com/string/obscure-logs-useful.php or [donotclick]6.mamaswishes.com/string/obscure-logs-useful.php. Both are hosted on 173.246.102.223 (Gandi, US), which probably contains many other evil sites, so blocking that IP address would probably be prudent.

Update: the following domains appear to be on this server:
6.bbnface.com
6.mamasauction.com
6.bbnfaces.com
6.mamaswishes.com
6.bbnfaces.net
6.mamaswishes.net

Wednesday, 12 December 2012

Citibank spam / platinumbristol.net

This fake Citibank spam leads to malware on platinumbristol.net:

From:     citibankonline@serviceemail1.citibank.com via pado.com.br
Date:     12 December 2012 15:38
Subject:     Account Alert
Mailed-by:     pado.com.br

Citi    
Email Security Zone     EMAIL SECURITY AREA    
   
ATM/Credit card ending in: XXX7      
 
Alerting System
   
Bill Payment

Ultimate Savings Account (USA) XXXXXXXXX2
Amount Debited: $2,973.22
Date: 12/12/12

Log In to Overview Transaction
       
Bill Payment

Ultimate Savings Account (USA) XXXXXXXXX2
Amount Credited: $.97
Date: 12/12/12

Visit this link to Overview Detailed information
   
ABOUT THIS MESSAGE
Please DO NOT reply to this message. auomatic informational system unable to accept incoming messages.
              
Citibank, N.A. Member FDIC.
© 2012 Citigroup Inc. Citi with Arc Design and Citibank are registered service marks of Citigroup Inc.

========================

From:     citibankonline@serviceemail5.citibank.com via clickz.com
Date:     12 December 2012 15:39
Subject:     Account Notify
Mailed-by:     clickz.com

Citi    
Email Security Zone     EMAIL SAFETY AREA      
            
ATM/Debit card ending in: XXX7      
 
Alerting System

Money Transfer Report

Savings Account XXXXXXXXX8
Amount Withdrawn: $3,620.11
Date: 12/12/12

Visit this link to Cancel Details

Money Transfer Report

Savings Account XXXXXXXXX8
Amount Withdrawn: $.38
Date: 12/12/12

Sign In to Overview Details

ABOUT THIS MESSAGE
Please Not try to reply to this message. automative notification system unable to accept incoming messages.
      
Citibank, N.A. Member FDIC.
© 2012 Citigroup Inc. Citi with Arc Design and Citibank are registered service marks of Citigroup Inc. 

========================

Date:      Wed, 12 Dec 2012 23:16:15 +0700
From:      alets-no-reply@serviceemail6.citibank.com
Subject:      Account Insufficient funds

EMAIL SAFETY ZONE    
       
ATM/Debit card ending in: XXX0    
       
Notifications System
   
Transaction Announcement

Ultimate Savings Account (USA) XXXXXXXXX4
Amount Debited: $4,222.19
Date: 12/12/12

Login to Abort Detailed information

Transaction Announcement

Ultimate Savings Account (USA) XXXXXXXXX4
Amount Credited: $.41
Date: 12/12/12

Go to web site by clicking here to See Operation

ABOUT THIS MESSAGE

Please Not try to reply to this message. automative notification system cannot accept incoming mail.
   
Citibank, N.A. Member FDIC.

© 2012 Citigroup Inc. Citi with Arc Design and Citibank are registered service marks of Citigroup Inc.

========================


Date:      Wed, 12 Dec 2012 20:07:46 +0400
From:      citibankonline@serviceemail8.citibank.com
Subject:      Account Operation Alert

EMAIL SECURITY ZONE    
       
Credit card ending in: XXX0    
       
Notifications System
   
Bill Payment

Ultimate Savings Account (USA) XXXXXXXXX3
Amount Credited: $5,970.51
Date: 12/12/12

Click Here to Review Transaction

Bill Payment

Ultimate Savings Account (USA) XXXXXXXXX3
Amount Withdrawn: $.11
Date: 12/12/12

Sign In to View Operation

ABOUT THIS MESSAGE

Please don't reply to this message. auomatic informational system cannot accept incoming mail.
   
Citibank, N.A. Member FDIC.

© 2012 Citigroup Inc. Citi with Arc Design and Citibank are registered service marks of Citigroup Inc.
The malicious payload is at [donotclick]platinumbristol.net/detects/alert-service.php hosted on the same 59.57.247.185 IP address in China that has been used in several recent attacks. This is definitely an IP to block if you can.

I can see the following evil domains on that same server:

Happy 12:12 12/12/12

Happy 12:12 12/12/12! Well, if you are in the GMT time zone anyway..

Tuesday, 11 December 2012

Changelog spam / aseniakrol.ru

This spam leads to malware on aseniakrol.ru:

Date:      Tue, 11 Dec 2012 10:46:43 -0300
From:      Tarra Comer via LinkedIn [member@linkedin.com]
Subject:      Re: Your Changelog UPDATED

Hi,

as promised your changelog - View

I. Easley
The malicious payload is at [donotclick]aseniakrol.ru:8080/forum/links/column.php hosted on a bunch of IPs that have been used for malware before:

202.180.221.186 (GNet, Mongolia)
212.162.52.180 (Secure Netz, Germany)
212.162.56.210 (Secure Netz, Germany)

Monday, 10 December 2012

AICPA spam / eaglepointecondo.org

Yet another fake AICPA spam run today with a slightly different domain from before, now on eaglepointecondo.org:


Date:      Mon, 10 Dec 2012 18:51:38 +0100
From:      "AICPA" [info@aicpa.org]
Subject:      Tax return assistance fraud.

You're receiving this message as a Certified Public Accountant and a part of AICPA.
Having any issues reading this email? Overview it in your favorite browser.

Suspension of CPA license due to income tax indictment

Valued AICPA participant,

We have been notified of your potential participation in income tax refund shady transactions for one of your customers. In concordance with AICPA Bylaw Head # 740 your Certified Public Accountant status can be terminated in case of the act of submitting of a phony or fraudulent tax return for your client or employer.

Please be informed of the complaint below and respond to it within 7 work days. The refusal to respond within this period will finish in cancellation of your Accountant status.

Delation.pdf

The American Institute of Certified Public Accountants.

Email: service@aicpa.org
Tel. 888.777.7077
Fax. 800.362.5066

===================


Date:      Mon, 10 Dec 2012 14:50:40 -0300
From:      "AICPA" [noreply@aicpa.org]
Subject:      Your accountant license can be end off.

You're receiving this message as a Certified Public Accountant and a part of AICPA.
Having problems reading this email? Review it in your browser.

Suspension of Accountant status due to tax return fraud prosecution

Respected AICPA member,

We have received a complaint about your alleged participation in income tax return fraudulent activity for one of your employees. In accordance with AICPA Bylaw Section No. 500 your Certified Public Accountant license can be terminated in case of the event of presenting of a false or fraudulent tax return for your client or employer.

Please find the complaint below below and provide your feedback to it within 3 work days. The rejection to provide the clarifications within this time-frame would abide in end off of your Certified Accountant Career.

SubmittedReport.pdf

The American Institute of Certified Public Accountants.

Email: service@aicpa.org
Tel. 888.777.7077
Fax. 800.362.5066

In this case the malicious payload is at [donotclick]eaglepointecondo.org/detects/denouncement-reports.php hosted on 59.57.247.185 in China, as with the earlier spam run today.

AICPA spam / eaglepointecondo.co

This fake AICPA spam leads to malware on eaglepointecondo.co:


Date:      Mon, 10 Dec 2012 19:29:21 +0400
From:      "AICPA" [alerts@aicpa.org]
Subject:      Income fake tax return accusations.

You're receiving this email as a Certified Public Accountant and a member of AICPA.
Having difficulties reading this email? Take a look at it in your browser.

Termination of Public Account Status due to income tax fraud allegations

Respected accountant officer,

We have received a denouncement about your probable interest in income tax return swindle for one of your customers. In concordance with AICPA Bylaw Head # 500 your Certified Public Accountant status can be revoked in case of the occurrence of submitting of a faked or fraudulent income tax return for your client or employer.

Please be notified below and provide explanation of this issue to it within 21 business days. The rejection to provide elucidation within this period would finish in end off of your CPA license.

SubmittedReport.doc

The American Institute of Certified Public Accountants.

Email: service@aicpa.org
Tel. 888.777.7077
Fax. 800.362.5066
The malicious payload is at [donotclick]eaglepointecondo.co/detects/denouncement-reports.php hosted on 59.57.247.185 in China, which has been used a few times recently for malware distribution.



The following malicious domains appear to be on the same server:

"You have been sent a file" Sendspace spam / anifkailood.ru

This fake Sendspace spam leads to malware on anifkailood.ru:


Date:      Mon, 10 Dec 2012 06:01:01 -0500
From:      "Octavio BOWMAN" [AdlaiBaldacci@telefonica.net]
Subject:      You have been sent a file (Filename: [redacted]-722.pdf)


Sendspace File Delivery Notification:

You've got a file called [redacted]-018.pdf, (767.2 KB) waiting to be downloaded at sendspace.(It was sent by Octavio BOWMAN).





You can use the following link to retrieve your file:

Download Link



The file may be available for a limited time only.



Thank you,

sendspace - The best free file sharing service.

----------------------------------------------------------------------



Please do not reply to this email. This auto-mailbox is not monitored and you will not receive a response.
The malicious payload is at [donotclick]anifkailood.ru:8080/forum/links/column.php hosted on the following IPs:

202.180.221.186 (GNet, Mongolia)
212.162.52.180 (Secure Netz, Germany)
212.162.56.210 (Secure Netz, Germany)

Plain list:
202.180.221.186
212.162.52.180
212.162.56.210




Friday, 7 December 2012

Sendspace "You have been sent a file" spam / pelamutrika.ru

This fake Sendspace spam leads to malware on pelamutrika.ru:


Date:      Fri, 7 Dec 2012 10:53:57 +0200
From:      Badoo [noreply@badoo.com]
Subject:      You have been sent a file (Filename: [victimname]-64.pdf)

Sendspace File Delivery Notification:

You've got a file called [victimname]-792244.pdf, (337.19 KB) waiting to be downloaded at sendspace.(It was sent by CHASSIDY PROCTOR).

You can use the following link to retrieve your file:

Download Link

The file may be available for a limited time only.

Thank you,

sendspace - The best free file sharing service.

----------------------------------------------------------------------

Please do not reply to this email. This auto-mailbox is not monitored and you will not receive a response.
The malicious payload is at [donotclick]pelamutrika.ru:8080/forum/links/column.php hosted on the following familiar IP addresses which you should definitely try to block:

202.180.221.186 (GNet, Mongolia)
208.87.243.131 (Psychz Networks, US)
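
The Changelog and both Sendspace runs above use a different domain each time but the same port and path (`:8080/forum/links/column.php`) and overlapping IP addresses. The following is an added example, not part of the original posts, showing how a proxy-log check keyed on IP and URL shape catches requests that a domain-only blocklist misses; the log format, client addresses and `.example` hostnames are constructed assumptions.

```python
from urllib.parse import urlsplit

# Indicators copied from the three posts above.
BAD_IPS = {"202.180.221.186", "212.162.52.180", "212.162.56.210", "208.87.243.131"}
BAD_DOMAINS = {"aseniakrol.ru", "anifkailood.ru", "pelamutrika.ru"}
# Landing-page shape shared by all three runs: port 8080 plus this exact path.
LANDING_PORT, LANDING_PATH = 8080, "/forum/links/column.php"

# Constructed proxy log (the format is an assumption):
# timestamp client_ip dest_ip method url
SAMPLE_LOG = """\
2012-12-11T13:50:02Z 10.0.0.21 212.162.52.180 GET http://aseniakrol.ru:8080/forum/links/column.php
2012-12-12T09:14:40Z 10.0.0.37 202.180.221.186 GET http://unlisted-domain.example:8080/forum/links/column.php
2012-12-12T09:15:02Z 10.0.0.37 198.51.100.7 GET http://another-new.example:8080/forum/links/column.php?x=1
2012-12-12T10:01:11Z 10.0.0.50 192.0.2.10 GET http://intranet.example:8080/forum/index.php
2012-12-12T10:02:00Z 10.0.0.50 192.0.2.11 GET http://www.example.org/forum/links/column.php
"""


def classify(line):
    """Return the set of reasons a log line matches; empty set if clean."""
    _, _, dest_ip, _, url = line.split(maxsplit=4)
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    reasons = set()
    # Exact domain or any subdomain of a listed domain.
    if host in BAD_DOMAINS or any(host.endswith("." + d) for d in BAD_DOMAINS):
        reasons.add("domain")
    # Destination IP survives domain rotation on the same server.
    if dest_ip in BAD_IPS:
        reasons.add("ip")
    # Port and path survive both domain and IP rotation.
    if parts.port == LANDING_PORT and parts.path == LANDING_PATH:
        reasons.add("url-shape")
    return reasons


def scan(log_text):
    """Map client IP -> list of (url, sorted reasons) for flagged requests."""
    hits = {}
    for line in filter(str.strip, log_text.splitlines()):
        reasons = classify(line)
        if reasons:
            _, client, _, _, url = line.split(maxsplit=4)
            hits.setdefault(client, []).append((url, sorted(reasons)))
    return hits
```

Only the first sample line would be caught by a domain blocklist; the second is caught by IP and URL shape, and the third by URL shape alone.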