Thursday, 21 March 2013

"Data Processing Service" spam / airtrantran.com

This spam leads to malware on

Date:      Thu, 21 Mar 2013 15:55:22 +0000 [11:55:22 EDT]
From:      Data Processing Service [customerservice@dataprocessingservice.com]
Subject:      ACH file ID "973.995"  has been processed successfully

Files Processing Service

SUCCESS Notification
We have successfully complete ACH file 'ACH2013-03-20-8.txt' (id '973.995') submitted by user '[redacted]' on '2013-03-20 23:24:14.9'.
FILE SUMMARY:
Item count: 21
Total debits: $17,903.59
Total credits: $17,903.59

For addidional info    review it here

24.111.157.113 (Midcontinent Media, US)
58.26.233.175 (TMnet, Malaysia)
109.74.61.59 (Ace Telecom, Hungary)
155.239.247.247 (Centurion Telkom, South Africa)

Blocklist:

NACHA spam / encodeshole.org

This fake NACHA spam leads to malware on encodeshole.org:

From: "Тимур.Родионов@direct.nacha.org" [mailto:biker@wmuttkecompany.com]
Sent: 20 March 2013 18:51
Subject: Payment ID 454806207096 rejected
Importance: High

Dear Sirs,

Herewith we are informing you, that your latest Direct Deposit payment (ID431989197078) was cancelled,due to your current Direct Deposit software being out of date. Please use the link below to enter the secure section of our web site and see the details::

Click here for more information

Please apply to your financial institution to get the necessary updates of the Direct Deposit software.

Best regards,

ACH Network Rules Department
NACHA - The Electronic Payments Association

10933 Sunrise Valley Drive, Suite 771
Herndon, VA 20190
Phone: 703-561-0849 Fax: 703-787-0548
The malicious payload is at [donotclick]encodeshole.org/closest/209tuj2dsljdglsgjwrigslgkjskga.php (report here) hosted on 91.234.33.187 (FOP Sedinkin Olexandr Valeriyovuch, Ukraine). The following suspect domains are on the same IP:

91.234.33.187
encodeshole.org
rotariesnotify.org
rigidembraces.info
storeboughtmodelers.info

"Scan from a Hewlett-Packard ScanJet" spam / hillaryklinton.ru

This fake printer spam leads to malware on the amusingly-named hillaryklinton.ru:

From: messages-noreply@bounce.linkedin.com [mailto:messages-noreply@bounce.linkedin.com] On Behalf Of LinkedIn Password
Sent: 21 March 2013 06:56
Subject: Scan from a Hewlett-Packard ScanJet #269644

Attached document was scanned and sent
to you using a Hewlett-Packard HP Officejet 6209P.

Sent by: SANDIE
Images : 1
Attachment Type: .HTM [INTERNET EXPLORER]

Hewlett-Packard Officejet Location: machine location not set
In this case there is an attachment called Scanned_Document.htm which leads to a malicious payload at [donotclick]hillaryklinton.ru:8080/forum/links/column.php (report here) hosted on:

50.22.0.2 (SoftLayer, US)
62.75.157.196 (Inergenia, Germany)
109.230.229.156 (High Quality Server, Germany)

Blocklist:

Wednesday, 20 March 2013

"End of Aug. Statement" spam / hifnsiiip.ru

This fake invoice spam leads to malware on hifnsiiip.ru:

Date:      Wed, 20 Mar 2013 05:41:44 +0100
From:      LinkedIn Connections [connections@linkedin.com]
Subject:      Re: FW: End of Aug. Statement
Attachments:     Invoices-AS9927.htm

Good morning,

as reqeusted I give you inovices issued to you per dec. 2012 ( Internet Explorer file)

Regards
The attached Invoices-AS9927.htm file attempts to direct the victim to a malicious landing page [donotclick]hifnsiiip.ru:8080/forum/links/column.php (report here) hosted on:

50.22.0.2 (SoftLayer, US)
109.230.229.156 (High Quality Server, Germany)
188.165.202.204 (OVH, France)

Recommended blocklist:

USPS Spam / himalayaori.ru

This fake UPS (or is it USPS?) spam leads to malware on himalayaori.ru. The malicious link is in an attachment called ATT17235668.htm.

For some reason the only sample of the spam that I have is horribly mangled:

From: HamzaRowson@hotmail.com [mailto:HamzaRowson@hotmail.com]
Sent: 19 March 2013 23:40
Subject: United Postal Service Tracking Number H1338091657

Your USPS TEAM for big savings! Can't see images? CLICK HERE.
UPS UPS SUPPORT 56
Not Ready to Open an Account? The UPS Store® can help with full service packing and shipping. Learn More >>
UPS - Your UPS Team
Good day, [redacted].

Dear User , Delivery Confirmation: Failed

Track your Shipment now!

With best regards , Your UPS Customer Services.
Shipping    Tracking    Calculate Time & Cost    Open an Account
@ 2011 United Parcel Service of America, Inc. USPS Team, the UPS brandmark, and the color brown are trademarks of United Parcel Service of America, Inc. All rights reserved.
This is a marketing e-mail for UPS services. Click here to update your e-mail preferences or to unsubscribe to USPS .us Customer Services marketing e-mail For information on UPS's privacy practices, please refer to UPS Privacy Policy.
Your USPS .US, 5 Glenlake Parkway, NE - Atlanta, GA 30325
Attn: Customer Communications Department


Clicking on the attachment sends the intended victim to a malicious web page at [donotclick]himalayaori.ru:8080/forum/links/column.php (report here), in this case via a legitimate hacked site at [donotclick]www.unisgolf.ch/report.htm, but that is less important.
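The chain described here (an .htm attachment, sometimes via a hacked legitimate site, forwarding the victim to a `:8080/forum/links/column.php` landing page) is the same one seen in the hifnsiiip.ru, hillaryklinton.ru, heelicotper.ru and hiskintako.ru posts on this page. The Python below is an added detection example, not the blog's own code: it scans proxy-log lines for that landing path, flags the landing hosts named in these posts, and records each client's preceding request so the redirecting site or attachment can be identified. The log format, the sample lines and the `not-yet-listed.example` host are assumptions.

```python
from urllib.parse import urlparse

# Landing-page path and port shared by the .htm-attachment campaigns on this page
LANDING_PATH = "/forum/links/column.php"
LANDING_PORT = 8080
# Landing hosts named in the page's text (the long blocklists are not re-typed here)
KNOWN_LANDING_HOSTS = {
    "hifnsiiip.ru", "himalayaori.ru", "heelicotper.ru",
    "hiskintako.ru", "hillaryklinton.ru",
}

def classify_url(url):
    """Return the reasons a URL looks like this campaign's landing page ([] if none)."""
    if "://" not in url:
        url = "http://" + url  # some proxy logs omit the scheme
    p = urlparse(url)
    reasons = []
    if p.hostname in KNOWN_LANDING_HOSTS:
        reasons.append("known-host")
    if p.path == LANDING_PATH:
        # a domain not yet on any list but serving the same path is the same kit
        reasons.append("landing-path" if p.port == LANDING_PORT else "landing-path-other-port")
    return reasons

def scan_proxy_log(text):
    """Scan 'timestamp client url status' lines (assumed format). Each hit also
    records the client's previous request: in this campaign that is the hacked
    site or the opened .htm attachment that redirected to the landing page."""
    last_url = {}
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        ts, client, url = parts[0], parts[1], parts[2]
        reasons = classify_url(url)
        if reasons:
            hits.append({"time": ts, "client": client, "url": url,
                         "reasons": reasons, "via": last_url.get(client)})
        last_url[client] = url
    return hits

# Constructed sample log (not real traffic): page hosts plus a placeholder domain
SAMPLE_LOG = """\
2013-03-20T05:45:01Z 10.1.2.33 http://www.unisgolf.ch/report.htm 200
2013-03-20T05:45:02Z 10.1.2.33 http://himalayaori.ru:8080/forum/links/column.php 200
2013-03-20T09:12:44Z 10.1.2.57 http://www.example.com/forum/index.php 200
2013-03-21T07:01:10Z 10.1.2.81 http://hillaryklinton.ru:8080/forum/links/column.php 200
2013-03-21T11:58:03Z 10.1.2.19 http://not-yet-listed.example:8080/forum/links/column.php 200
"""
```

Running `scan_proxy_log(SAMPLE_LOG)` flags the two named hosts and the unlisted domain on the same path, and for the first hit reports the hacked www.unisgolf.ch page as the request that preceded it.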

himalayaori.ru is hosted on a couple of IPs that look familiar:

50.22.0.2 (SoftLayer, US)
188.165.202.204 (OVH, France)

Recommended blocklist:

Tuesday, 19 March 2013

Malware spam: "Opinion: Cyprus banks shut extended to Monday - CNN.com" / salespeoplerelaunch.org

This topically themed (but fake) CNN spam leads to malware on salespeoplerelaunch.org:

Date:      Tue, 19 Mar 2013 10:40:22 -0600
From:      "CNN Breaking News" [BreakingNews@mail.cnn.com]
Subject:      Opinion: Cyprus banks shut extended to Monday - CNN.com

Powered by
* Please note, the sender's email address has not been verified.

You have received the following link from BreakingNews@mail.cnn.com:

Click the following to access the sent link:

Cyprus banks shut extended to Monday - CNN.com*

Get your EMAIL THIS Browser Button and use it to email content from any Web site. Click here for more information.

*This article can also be accessed if you copy and paste the entire address below into your web browser.
by clicking here
The malicious payload is at [donotclick]salespeoplerelaunch.org/close/printed_throwing-interpreting-dedicated.php (report here) hosted on 69.197.177.16 (WholeSale Internet, US).

Nameservers are NS1.DNSLVLUP.COM (5.9.212.43, Hetzner / Dolorem Ipsum Management Ltd, Germany) and NS2.DNSLVLUP.COM (66.85.131.123, Secured Servers LLC / Phoenix NAP, US).

Recommended blocklist:
salespeoplerelaunch.org
dnslvlup.com
69.197.177.16
5.9.212.43
66.85.131.123

Facebook spam / heelicotper.ru

This fake Facebook spam leads to malware on heelicotper.ru:

Date:      Tue, 19 Mar 2013 08:37:37 +0200
From:      Facebook [updateSIXQG03I44AX@facebookmail.com]
Subject:      You have notifications pending

facebook
Hi,
Here's some activity you may have missed on Facebook.
TAMISHA Gore has posted statuses, photos and more on Facebook.
Go To Facebook
   
See All Notifications
This message was sent to [redacted]. If you don't want to receive these emails from Facebook in the future or have your email address used for friend suggestions, please click: unsubscribe.

Facebook, Inc. Attention: Department 415 P.O Box 10005 Palo Alto CA 94303
The malicious payload is at [donotclick]heelicotper.ru:8080/forum/links/column.php which isn't resolving at the moment, but was earlier hosted on:

50.22.0.2 (SoftLayer, US)
132.230.75.95 (Albert-Ludwigs-Universitaet, Germany)
188.165.202.204 (OVH, France)

The payload and associated IPs are the same as in this attack.

"End of Aug. Statement Reqiured" spam / hiskintako.ru

This spam leads to malware on hiskintako.ru:

Date:      Tue, 19 Mar 2013 08:04:18 +0300
From:      "package update Ups" [upsdelivercompanyb@ups.com]
Subject:      Re: FW: End of Aug. Statement Reqiured
Attachments:     Invoices-CAS9927.htm

Hi,

as reqeusted I give you inovices issued to you per dec. 2012 ( Internet Explorer file)

Regards

-----------------------

Date:      Tue, 19 Mar 2013 02:18:06 +0600
From:      MyUps [ups-delivery-services@ups.com]
Subject:      Re: FW: End of Aug. Stat. Required

Hi,

as reqeusted I give you inovices issued to you per dec. 2012 ( Internet Explorer file)


Regards

The malicious payload is at [donotclick]hiskintako.ru:8080/forum/links/column.php (report here) hosted on:
50.22.0.2 (SoftLayer, US)
89.110.131.10 (Netclusive, Germany)
132.230.75.95 (Albert-Ludwigs-Universitaet, Germany)
188.165.202.204 (OVH, France)

BLOCKLIST: