Dynamoo's Blog

Monday, 17 December 2012

pillscarehealthcare.com spam

There has been a massive amount of pharma spam pointing to pillscarehealthcare.com over the past 48 hours or so. Here are some examples:

Date:     Mon, 17 Dec 2012 02:47:56 +0000 (GMT)
From:     "Account Info Change" [tyjinc@palmerlakearttour.com]
To:     [redacted]
Subject:     Updated information

    Updated information

Hello,

The following information for your ID [redacted] was updated on 12/17/2012: Date of birth, Security question and answer.

If these changes were made in error, or if you believe an unauthorized person accessed your account, please reset your account password.

This is an automated message. Please do not reply to this email. If you need additional help, visit our Support Center.

Thanks,
Customer Support

==================

Date:     Mon, 17 Dec 2012 01:22:56 -0700
From:     "Angela Snider" [directsales@tyroo.com]
To:     [redacted]
Subject:     Pending ticket status

Ticketing System
Hello,
You have been successfully registered in our Ticketing System
Please, login and check status of your ticket, or close the ticket here
Go To Profile

See All tickets
This message was sent to [redacted]. Should you have any questions, or if you believe that you have received this in error please contact us at support center.

==================

Date:     Sat, 15 Dec 2012 21:37:47 -0700
From:     "Alexis Houston" [cmassuda@agf.com.br]
To:     [redacted]
Subject:     Pending ticket notification

Ticketing System
Hello,
You have been successfully registered in our Ticketing System
Please, login and check status of your ticket, or report new ticket here
Go To Profile

See All tickets
This message was sent to [redacted]. Should you have any questions, or if you believe that you have received this in error please contact us at support center.

==================

Date:     Sat, 15 Dec 2012 07:06:30 -0800
From:     "Account Sender Mail" [daresco@excite.com]
To:     [redacted]
Subject:     Account is now available

    Login unavailable due to maintenance ([redacted])

Hello,

Your Account is now available.

Our systems were unavailable due to maintenance and upgrading system. We apologizes for any inconvenience and appreciates the patience while this critical maintenance was performed. If you still face the problem then it would be better if you contact our team.

Access Your Account

Hope this information helps you.

Thanks,
Support team

==================

From: Kennedi Marquez [mailto:cwtroutn@naturalskincarereviews.info]
Sent: 17 December 2012 11:18
Subject: Updated information

    Updated information

Hello,
The following information for your ID [redacted] was updated on 12/17/2012: Date of birth, Security question and answer.

If these changes were made in error, or if you believe an unauthorized person accessed your account, please reset your account password.

This is an automated message. Please do not reply to this email. If you need additional help, visit our Support Center.

Thanks,
Customer Support

This appears to be punting fake drugs rather than malware. pillscarehealthcare.com is hosted on 95.58.254.74 (Kazakh Telecom, Kazakhstan). In my opinion blocking 95.58.254.0/24 will probably do you no harm. These other fake pharma web sites can be found on the same IP address:

retailersviagrasale.nl
tabdisease.nl
viagralberta.com
medmedsepub.com
tabletlevitripad.com
newpharmsale.com
pillscarehealthcare.com
qrigzh.themedsdrugstore.com
medsmedicinedisease.com
pillsmedicinedrug.com
medmedsceccoli.com
garciniaherbal.com
medicinepharmedical.com
viagraherbalflavor.com
drugenericsmeds.com
petraeuslismeds.com
patientsmedicinepills.com
tabpatients.com
tabhealthpatients.com
cialispetraeus.com
dietwifat.com
viagradiet.com
weightprescriptiondiet.com
kidneyprescriptiondiet.com
www.welnesskidney.com
www.medicaremedsromney.com
herbalapple.at
levitratcu.at
welnessgenerics.net
romneyrx.net
pillspharmamedicine.ru
pillsdrugstoredrugstore.ru
parisdrugstore.ru
pharmacypresciption.ru
pillpharmacydrugs.ru
controlpills.ru
drugtorefitnesspills.ru
pharmacypillstreatments.ru
drugstorehealthcarerx.ru
drugstorehealthrx.ru
drugstoretabsrx.ru
pharmacymedsrx.ru
fitnessdrugstorepharmacy.ru
dosehealthpharmacy.ru
medicinerxpharmacy.ru
caprxpharmacy.ru
cappharmacypharmacy.ru

2001 Trailer Recut

This is a kind of parody.. what would happen if 2001: A Space Odyssey was being promoted via a modern blockbuster-style parody today? Actually.. I think it looks freakin' awesome:

[Via]

Friday, 14 December 2012

Changelog spam / aviaonlolsio.ru

This fake Changelog spam leads to malware on aviaonlolsio.ru:

From: messages-noreply@bounce.linkedin.com [mailto:messages-noreply@bounce.linkedin.com] On Behalf Of Earlean Gardner via LinkedIn
Sent: 13 December 2012 20:22
Subject: Re: Changelog as promised (upd.)

Hi,
as promised - View

I. SWEET

====================

Date:     Fri, 14 Dec 2012 05:22:54 +0700
From:     "Kaiya HIGGINS" [fwGpEzHIGGINS@hotmail.com]
Subject:     Re: Fwd: Changelog as promised(updated)

Hi,

as promised chnglog updated - View

I. HIGGINS

The malicious payload is at [donotclick]aviaonlolsio.ru:8080/forum/links/column.php hosted on the same IPs as used in this attack:

75.148.242.70 (Comcast Business, US)
91.142.208.144 (Axarnet, Spain)

The following malicious domains are on those same IPs:

ahiontota.ru
aliamognoa.ru
amnaosogo.ru
anifkailood.ru
aofngppahgor.ru
aseniakrol.ru
aviaonlolsio.ru
awoeionfpop.ru
dimarikanko.ru
pelamutrika.ru
pitoniamason.ru
podarunoki.ru
publicatorian.ru

Citibank spam / 6.bbnsmsgateway.com

This fake Citibank spam leads to malware on 6.bbnsmsgateway.com:

Date:     Fri, 14 Dec 2012 19:27:56 +0530
From:     Citi Cards [citicards@info.citibank.com]
Subject:     Your Citi Credit Card Statement

Add citicards@info.citibank.com to your address book to ensure delivery.

Your Account: Important Notification

Your Citi Credit Card statement is ready to view online


Dear customer,

Your Citi Credit Card statement is now available for you to view online. Here are some key pieces of information from your statement:

Statement Date:     December 13, 2012
Statement Balance:     -$4,873.54
Minimum Payment Due:     $578.00
Payment Due Date:     Tue, January 01, 2013

Want help remembering your payment due date? Sign up for automated alerts such as Payment Due reminders with Alerting Service.

To set up alerts sign on to www.citicards.com and go to Account Profile.

Iprefer not to have this email contain specific information from my statement. Please send me just the announcement that my statement is ready to view online.



View Your Account         Pay Your Bill         Contact Us


Privacy | Security
Email Preferences
This message is from Citi Cards. Your credit card is issued by Citibank, N.A. If you'd like to refine the types of email messages you receive, or if you'd prefer to stop receiving email from us, please go to: http://www.email.citicards.com. Citibank manages email preferences by line of business. Changing your email preferences with Citi Cards does not change your email preferences for messages from Citibank?s other businesses which include retail branch banking among others.

Should you want to contact us in writing concerning this email, please direct your correspondence to:

Citibank Customer Service
P. O. Box 6500
Sioux Falls, SD 57117

Help / Contact Us
If you have questions about your account, please use our secure message center by signing on at www.citicards.com and choosing "Contact Us" from the "Help / Contact Us" menu. You can also call the customer service phone number on the back of your card.

(c) 2012 Citibank, N.A.
All rights reserved.
Citi, Citibank and Citi with Arc Design are registered service marks of Citigroup Inc.

The malicious payload is at [donotclick]6.bbnsmsgateway.com/string/obscure-logs-useful.php hosted on 192.155.81.9 (Linode, US). There are probably some other bad domains on this server, so blocking access to that IP could be prudent.

Citibank spam / 4.whereintrentinoaltoadige.com

This fake Citibank spam leads to malware on 4.whereintrentinoaltoadige.com:

Date:     Fri, 14 Dec 2012 13:54:14 +0200
From:     Citi Cards [citicards@info.citibank.com]
Subject:     Your Citi Credit Card Statement

Add citicards@info.citibank.com to your address book to ensure delivery.

Your Account: Important Notification

Your Citi Credit Card statement is ready to view online


Dear customer,

Your Citi Credit Card statement is now available for you to view online. Here are some key pieces of information from your statement:

Statement Date:     December 13, 2012
Statement Balance:     -$4,550.67
Minimum Payment Due:     $764.00
Payment Due Date:     Tue, January 01, 2013

Want help remembering your payment due date? Sign up for automated alerts such as Payment Due reminders with Alerting Service.

To set up alerts sign on to www.citicards.com and go to Account Profile.

Iprefer not to have this email contain specific information from my statement. Please send me just the announcement that my statement is ready to view online.


View Your Account         Pay Your Bill         Contact Us

Privacy | Security
Email Preferences
This message is from Citi Cards. Your credit card is issued by Citibank, N.A. If you'd like to refine the types of email messages you receive, or if you'd prefer to stop receiving email from us, please go to: http://www.email.citicards.com. Citibank manages email preferences by line of business. Changing your email preferences with Citi Cards does not change your email preferences for messages from Citibank?s other businesses which include retail branch banking among others.

Should you want to contact us in writing concerning this email, please direct your correspondence to:

Citibank Customer Service
P. O. Box 6500
Sioux Falls, SD 57117

Help / Contact Us
If you have questions about your account, please use our secure message center by signing on at www.citicards.com and choosing "Contact Us" from the "Help / Contact Us" menu. You can also call the customer service phone number on the back of your card.

(c) 2012 Citibank, N.A.
All rights reserved.
Citi, Citibank and Citi with Arc Design are registered service marks of Citigroup Inc.

====================

Alternative mid-sections:

Statement Date:     December 13, 2012
Statement Balance:     -$8,902.58
Minimum Payment Due:     $211.00
Payment Due Date:     Tue, January 01, 2013

Statement Date:     December 13, 2012
Statement Balance:     -$9,905.95
Minimum Payment Due:     $535.00
Payment Due Date:     Tue, January 01, 2013

The malicious payload is at [donotclick]4.whereintrentinoaltoadige.com/string/obscure-logs-useful.php hosted on 198.74.54.28 (Linode, US).

The following malicious domains are also on the same server:
4.whereinpuglia.com
4.whereinsicilia.com
4.whereinliguria.com
4.whereintoscana.com
4.whereinsardegna.com
4.whereinmolise.com
4.whereinpiemonte.com
4.whereinmilan.com
4.whereinlazio.com
4.whereinlombardy.com
4.whereinitaly.com
4.whereinsicily.com
4.whereintrentinoaltoadige.com
4.whereintoscana.com

Something evil on 87.229.26.138

This seems to be a bunch of evil domains on 87.229.26.138 (Deninet, Hungary) being used in injection attacks. Possible payloads include Blackhole (for example).

There are two sets of domains, .in domains being used by themselves and .eu domains being used with subdomains, listed below.

The registration details are probably fake, but for the record the .eu domains are registered to:
Juha Salonen
Lukiokatu 23
13430 Hameenlinna
Hameenlinna
Finland
salonen_juha@yahoo.com

The .in domains are registered to:
Puk T Lapkanen
Puruntie 33
LAPPEENRANTA
53200
FI
+358.443875638
puklapkanen@yahoo.com

If you can block the IP address then it will be the simplest option as there are rather a lot of domains here:

krvrkh.in
pmkvyh.in
hqzzpk.in
wkhmyk.in
ymjjjm.in
lupszm.in
gguwvn.in
znztip.in
onylkp.in
jlqrnp.in
yyssyr.in
nxwktt.in
zpjhjv.in
zjmnwv.in
ypmptx.in
humswz.in

quoorh.eu
zxlngj.eu
lxtnmm.eu
lrqjrn.eu
knxhsn.eu
pzgztn.eu
wokjpq.eu
lkowgs.eu
hiikrs.eu
knvutt.eu
smqtnu.eu
tmkvmv.eu
ihltwv.eu
prhhvw.eu
sowxyw.eu
utppry.eu

anshg.quoorh.eu
hjzg.quoorh.eu
utkvvk.quoorh.eu
krqm.quoorh.eu
rueyn.quoorh.eu
cdnro.quoorh.eu
xdxp.quoorh.eu
qrhxp.quoorh.eu
vtr.quoorh.eu
zrlrrs.quoorh.eu
dvyy.quoorh.eu
vymf.zxlngj.eu
xjpf.zxlngj.eu
xxvcj.zxlngj.eu
radcm.zxlngj.eu
lixcmn.zxlngj.eu
nnn.zxlngj.eu
hwpdq.zxlngj.eu
akiy.zxlngj.eu
mvtrn.lxtnmm.eu
ygz.lxtnmm.eu
hkauh.lrqjrn.eu
aqsf.knxhsn.eu
mqjpl.pzgztn.eu
wmmj.wokjpq.eu
plfztn.wokjpq.eu
fyqwrv.wokjpq.eu
prz.wokjpq.eu
ygh.lkowgs.eu
jasiv.hiikrs.eu
gechga.knvutt.eu
dxcypc.knvutt.eu
pod.knvutt.eu
sie.knvutt.eu
pdlgf.knvutt.eu
qvxqj.knvutt.eu
xdp.knvutt.eu
ikp.knvutt.eu
foxq.knvutt.eu
snt.knvutt.eu
wou.knvutt.eu
env.knvutt.eu
xor.knvutt.eu
pllrcn.knvutt.eu
stgc.smqtnu.eu
uknqc.smqtnu.eu
ynkf.smqtnu.eu
sgph.smqtnu.eu
sgo.smqtnu.eu
nlcowd.tmkvmv.eu
amp.tmkvmv.eu
wbs.tmkvmv.eu
uvpne.ihltwv.eu
vfjrn.ihltwv.eu
zlpttn.ihltwv.eu
xlt.ihltwv.eu
kcvvct.prhhvw.eu
kda.sowxyw.eu
kvb.sowxyw.eu
jbjol.sowxyw.eu
hegr.sowxyw.eu
maizss.sowxyw.eu
jfeu.sowxyw.eu
ozku.sowxyw.eu
rgpxz.sowxyw.eu
houqw.utppry.eu

Thursday, 13 December 2012

"Copies of Policies" spam / awoeionfpop.ru:

This spam leads to malware on awoeionfpop.ru:

Date:     Thu, 13 Dec 2012 09:08:32 -0400
From:     "Myspace" [noreply@message.myspace.com]
Subject:     Fwd: Deshaun - Copies of Policies

Unfortunately, I cannot obtain electronic copies of the SPII policy.

Here is the Package and Umbrella,

and a copy of the most recent schedule.

Deshaun ZAMORA,

The malicious payload is at [donotclick]awoeionfpop.ru:8080/forum/links/column.php hosted on the following IPs that I haven't seen before:

75.148.242.70 (Comcast Business, US)
91.142.208.144 (Axarnet, Spain)

The following domains are also on these IPs:
pelamutrika.ru
aliamognoa.ru
ahiontota.ru
anifkailood.ru
podarunoki.ru
aseniakrol.ru
publicatorian.ru
pitoniamason.ru
amnaosogo.ru
dimarikanko.ru
aofngppahgor.ru
awoeionfpop.ru

Citibank spam / eaglepointecondo.biz

This fake Citibank spam leads to malware on eaglepointecondo.biz:

Date:     Thu, 13 Dec 2012 16:59:14 +0400
From:     "Citi Alerts" [lubumbashiny63@bankofdeerfield.com]
Subject:     Account Operation Alert

EMAIL SAFETY AREA

ATM/Credit card ending in: XXX8

Notifications System

Wire Transaction Issued

Ultimate Savings Account (USA) XXXXXXXXX5
Amount Withdrawn: $4,564.61
Date: 12/12/12

Sign In to Abort Details

Wire Transaction Issued

Ultimate Savings Account (USA) XXXXXXXXX5
Amount Debited: $.24
Date: 12/12/12

Login to Overview Operation

ABOUT THIS MESSAGE

Please DO NOT reply to this message. auto-notification system can't accept incoming mail.

Citibank, N.A. Member FDIC.

� 2012 Citigroup Inc. Citi with Arc Design and Citibank are registered service marks of Citigroup Inc.

====================

From: Citibank - Alerts [mailto:enormityyf10@iztzg.hr]
Sent: 13 December 2012 12:50
Subject: Account Operation Alert
Importance: High

EMAIL SAFETY AREA

ATM/Credit card ending in: XXX6

Notifications System

Bill Payment

Checking XXXXXXXXX7
Amount Withdrawn: $5,951.56
Date: 12/12/12

Visit this link to Cancel Detailed information

Bill Payment

Checking XXXXXXXXX7
Amount Debited: $.14
Date: 12/12/12

Login to Review Operation

ABOUT THIS MESSAGE

Please don't reply to this message. auto informer system unable to accept incoming mail.

Citibank, N.A. Member FDIC.
2012 Citigroup Inc. Citi with Arc Design and Citibank are registered service marks of Citigroup Inc.

====================

From: Citibank - Service [mailto:goaliesj79@wonderware.com]
Sent: 13 December 2012 12:59
Subject: Account Alert
Importance: High

EMAIL SAFETY ZONE

ATM/Debit card ending in: XXX8

Alerting System

Withdraw Message

Savings Account XXXXXXXXX4
Amount Debited: $1,218.42
Date: 12/12/12

Login to Abort Operation

Withdraw Message

Savings Account XXXXXXXXX4
Amount Withdrawn: $.42
Date: 12/12/12

Sign In to Overview Operation

ABOUT THIS MESSAGE
Please DO NOT reply to this message. auto-notification system not configured to accept incoming mail.

Citibank, N.A. Member FDIC.
2012 Citigroup Inc. Citi with Arc Design and Citibank are registered service marks of Citigroup Inc.

The malicious payload is on [donotclick]eaglepointecondo.biz/detects/operation_alert_login.php hosted on 59.57.247.185 in China, the same IP has been used several times for evil recently and you should block it if you can.