
Tuesday 24 April 2012

nikjju.com injection attack in progress

The ISC is warning of an injection attack using the domain nikjju.com. The WHOIS details of this domain are very familiar:

Registrant Contact:
   JamesNorthone
   James Northone jamesnorthone@hotmailbox.com
   +1.5168222749 fax: +1.5168222749
   128 Lynn Court
   Plainview NY 11803
   us

The hotmailbox.com domain is a sign of evil, and these are likely to be the "LizaMoon" crew who have been very active over the past couple of years. nikjju.com is hosted on 31.210.100.242 (INTER NET BILGISAYAR LTD STI, Turkey), although blocking the domain will help as well because these malicious sites tend to be highly mobile.

Myspace spam / newprescriptionmedical.com

This spam leads to a fake pharmacy on newprescriptionmedical.com, but it could be easily adapted for malware.

Date:      Tue, 24 Apr 2012 20:13:58 -0700
From:      "Myspace" [noreply@message.myspace.com]
Subject:      Account Cancellation

myspace

Your request to cancel your Myspace account has been received.

You must follow this link to complete or cancel your request.

You will receive an email shortly with instructions for confirming that you wish to cancel.
Thank you for using Myspace!

The Myspace Team
http://www.myspace.com

Have questions? Visit our help page. Myspace, 8391 Beverly Blvd, #349, Los Angeles, CA 90048.
© Myspace Inc. All Rights Reserved.


newprescriptionmedical.com is hosted on 95.168.193.182 (Supernetwork, Czech Republic) along with a bunch of other fake pharma sites and is worth blocking.

US Airways Spam / 208.117.43.8

Another US Airways spam run, leading to malware on 208.117.43.8 (as with this Pizza spam campaign).

Date:      Tue, 24 Apr 2012 20:12:38 +0700
From:      "US Airways - Reservations" [reservations@myusairways.com]
Subject:      Please confirm your US Airways online registration.
   
You can check in from 24 hours and up to 60 minutes before your flight (2 hours if you're flying abroad). After that, all you have to do is print your boarding pass and head to the gate.

Confirmation code: 749251

Check-in online: Online reservation details

Flight: 6138
Departure city and time: Washington, DC (DCA) 10:00PM
Depart date: 4/5/2012

We are committed to protecting your privacy. Your information is kept private and confidential. For information about our privacy policy visit usairways.com.

US Airways, 111 W. Rio Salado Pkwy, Tempe, AZ 85281 , Copyright US Airways , All rights reserved.

====================

Some other subjects include:
Confirm your US airways online reservation.
US Airways online check-in confirmation.


The malicious payload is on 208.117.43.8/showthread.php?t=73a07bcb51f4be71 (report here). Blocking this IP would probably be a good idea.

Pizza spam / 208.117.43.8

Another Pizza spam leading to malware:

Date:      Tue, 24 Apr 2012 02:21:42 +0800
From:      "ORSO`s Pizzeria"
Subject:      Re: Fwd: Order confirmation 93278

You've just ordered pizza from our site

Pizza Ultimate Cheese Lover's with extras:
- Ham
- Italian Sausage
- Chicken
- Black Olives
- Green Peppers
- Pineapple
- Easy On Cheese
- Extra Sauce
Pizza Italian Trio with extras:
- Italian Sausage
- Pork
- Chicken
- Diced Tomatoes
- Black Olives
- Easy On Cheese
- Easy On Sauce
Pizza Spicy Sicilian with extras:
- Italian Sausage
- Pork
- Diced Tomatoes
- Onions
- Jalapenos
- Easy On Cheese
- No Sauce
Pizza Meat Lover's with extras:
- Italian Sausage
- Black Olives
- Black Olives
- Black Olives
- No Cheese
- Easy On Sauce
Pizza Triple Meat Italiano with extras:
- Ham
- Beef
- Black Olives
- No Cheese
- Easy On Sauce
Pizza Ultimate Cheese Lover's with extras:
- Italian Sausage
- Pepperoni
- Onions
- Onions
- No Cheese
- Easy On Sauce
Drinks
- Carling x 3
- Hancock x 3
- Dr. Pepper x 4
Total Due:    131.51$



If you haven't made the order and it's a fraud case, please follow the link and cancel the order.
CANCEL ORDER NOW!


If you don't do that shortly, the order will be confirmed and delivered to you.


With Respect
ORSO`s Pizzeria
The malware is at 208.117.43.8/showthread.php?t=34c79594e8b8ac0f (report here), hosted by Steadfast Networks in the US. There's also an attempted download of an executable from electrosa.com/8zvW2XE.exe on 188.40.0.195 (Hetzner, South Africa), although this looks like a legitimate hacked site.
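The landing URLs quoted across these posts share a few shapes: showthread.php?t= followed by 16 hex characters, main.php?page= with the same kind of token, and a :8080/dir/name.php path. The following is an added example, not part of the original post: a Python check that scans constructed proxy log lines for those shapes, for the IPs named above, and for direct .exe fetches. It generalises the specific tokens quoted here to any 16-hex value, and leaves a legitimate forum thread with a short numeric id alone.

```python
import re

# Landing-page URL shapes quoted in these posts. Assumption: the 16-hex token
# differs per campaign, so any 16-hex value is matched, not just the ones quoted.
LANDING_PATTERNS = [
    ("showthread landing", re.compile(r"/showthread\.php\?t=[0-9a-f]{16}\b")),
    ("main.php landing", re.compile(r"/main\.php\?page=[0-9a-f]{16}\b")),
    ("port-8080 php landing", re.compile(r":8080/[a-z]+/[a-z]+\.php\b")),
]

# Hosts the posts above say are worth blocking.
BLOCKLIST = {"208.117.43.8", "199.15.252.136", "85.25.189.174",
             "41.64.21.71", "184.22.115.24", "173.44.136.197"}

# Constructed proxy log, one request per line: "<epoch> <client> <method> <url>".
SAMPLE_LOG = """\
1335300001 10.0.0.12 GET http://www.example.org/index.html
1335300002 10.0.0.12 GET http://208.117.43.8/showthread.php?t=34c79594e8b8ac0f
1335300003 10.0.0.30 GET http://forum.example.org/showthread.php?t=12345
1335300004 10.0.0.30 GET http://uiwewsecondary.ru:8080/internet/fpkrerflfvd.php
1335300005 10.0.0.44 GET http://springrheumatology.net/main.php?page=9e32768587b0d9a8
1335300006 10.0.0.44 GET http://electrosa.com/8zvW2XE.exe
"""

def url_host(url):
    """Hostname portion of an http(s) URL, without port, path or query."""
    m = re.match(r"https?://([^/:?#]+)", url)
    return m.group(1).lower() if m else ""

def scan_proxy_log(text):
    """Return (client, url, reason) tuples for every suspicious request in the log."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than crash mid-file
        _, client, _, url = parts
        if url_host(url) in BLOCKLIST:
            hits.append((client, url, "blocklisted host"))
        for label, pattern in LANDING_PATTERNS:
            if pattern.search(url):
                hits.append((client, url, label))
                break
        if url.lower().rsplit("?", 1)[0].endswith(".exe"):
            hits.append((client, url, "executable download"))
    return hits

if __name__ == "__main__":
    for client, url, reason in scan_proxy_log(SAMPLE_LOG):
        print(f"{client} {reason}: {url}")
```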

Monday 23 April 2012

"Scan from a HP ScanJet" spam / 199.15.252.136

Another fake printer spam leading to malware..

From:     CheyanneDelasancha@hotmail.com
Date:     23 April 2012 13:18
Subject:     Re: Fwd: Scan from a HP ScanJet #352369989

A document was scanned and sent to you using a Hewlett-Packard QJet 8125331K

Sent to you by: CAMERON
Pages : 9
Filetype(s): Images (.jpeg) Download

Location: MSK.3FL.
Device: DEV674O1JF7863855

Mailprint: 1169d03a-fe6923a5

The malicious payload is on 199.15.252.136/showthread.php?t=34c79594e8b8ac0f (report here) hosted by Electric Postage in the US.

Ning "Sign in Issue" spam / mycanadarx.com

This fake email from Ning (whatever that is) leads to a fake pharmacy site on mycanadarx.com, but it could easily be adapted for malware.

From: Ning Help Center [mailto:helpcenter@ning.com]
Sent: 23 April 2012 17:22
Subject: Sign In Issue

Hello!
Thanks for contacting us. We're writing to let you know we've received your message.
We strive to respond to tickets about issues as quickly as possible.
To provide us with additional details or updates, you can simply Login to Your Account.
Please be sure to leave the subject and body of this email in place. If you are able to resolve the issue, please let us know!
Many common issues are explained in http://help.ning.com/?faq=3800.
Thanks again!
The Ning Team
Summary:
ref:_00D80cCLt._50040JSbrh:ref

mycanadarx.com is hosted on 95.168.193.182 in the Czech Republic with a whole load of other fake pharma sites.

"Welcome to LiveJournal" spam / dietpharmacyeat.com

This "LiveJournal" spam actually leads to a fake pharma site, but it could be adapted easily to deliver malware:

Date:      Sun, 22 Apr 2012 04:21:28 +0000
From:      "LiveJournal.com" [do-not-reply@livejournal.com]
Subject:      Welcome to LiveJournal

Congratulations! Thanks for creating a new journal at LiveJournal!

Please click here to complete validation and set your primary email*

(If you are unable to click on the link, copy and paste code into your browser window.)

Code: 33416121.5p9rmuuyqvzp7tw

All the best,

The LiveJournal Team

http://www.livejournal.com/

* About your primary email address: Your first validated email address (also known as primary email) is the only way to confirm that you own the journal, so please use only your most secure email address. If you chose a less secure address in the process of registration, we recommend that you change it and confirm your new address.

In this case, the fake pharma site is dietpharmacyeat.com. Always check the link carefully before clicking on this type of email; it might not be what it seems.

"MediaWiki Mail" Spam / carewelhealth.com

A novel spam, in this case leading to a fake pharmacy on carewelhealth.com.. but it could just as easily be malware.

Date:      Sun, 22 Apr 2012 16:09:12 +0000
From:      MediaWiki Mail [wiki@wikimedia.org]
Subject:      Account details on Wikipedia

Wikipedia

Someone (probably you, from IP address 105.191.258.285) requested a reminder of your account details for Wikipedia. The following user account is associated with this e-mail address: xxxxxxxxxxx

This reminder will expire in 7 days.
If you didn't initiate the request on Wikipedia, feel free to cancel this message and uncheck the "Reminder" checkbox in your account.

Thanks, and once again Welcome!
http://en.wikipedia.org

Of course, the IP address of 105.191.258.285 is invalid, but most people probably won't be looking too closely. Keep an eye out for this type of spam; it might well lead to something nastier than a fake Viagra merchant.

I love this..

St George's Day and the 30th Anniversary of the ZX Spectrum.. Google have managed to combine both into one logo.. I love it!

Friday 20 April 2012

NACHA Spam / 85.25.189.174

Another NACHA spam, leading to malware on 85.25.189.174:

From:     CarleySpan@hotmail.com
Date:     19 April 2012 21:25
Subject:     Your ACH transaction N73848938

The ACH credit transfer, initiated from your checking acc., was canceled by the other financial institution.

Canceled transaction:

Transaction ID: A7635857812UA
ACH Report: View

LINDSEY Zimmerman
NACHA - The Electronic Payment Association 


The malicious payload is on 85.25.189.174/showthread.php?t=34c79594e8b8ac0f hosted by Intergenia / PlusServer in Germany. Avoid.

New Blogger interface: It's all too horrible to contemplate.

If you use Blogger, you'll know that it has a new interface. It's horrible. OK, the old interface was horrible but usable at the same time. This is just horrible, with the familiar looking elements seeming sprinkled at random over the new interface.

There are a lot of companies at the moment doing a similar thing.. making over their tried and tested (but tired) old software interfaces and coming up with something pastel-ly and awful. Or perhaps I'm just a Luddite?


Update: you can share your feedback on the Blogger forum which is full of similar complaints.

LinkedIn spam / mysalepharmacy.com

Here's a very convincing looking LinkedIn spam:

From: messages-noreply@bounce.linkedin.com [mailto:messages-noreply@bounce.linkedin.com] On Behalf Of LinkedIn Email Confirmation
Sent: 20 April 2012 09:54
Subject: Please confirm your email address

LinkedIn
Click here to confirm your email address.
If the above link does not work, you can paste the following address into your browser:
https://www.linkedin.com/e/vAIspiNMa9UrLxwLy8OkxtE3ZZ5hfZkRMg0f2bmzDWANi
You will be asked to log into your account to confirm this email address. Be sure to log in with your current primary email address.
We ask you to confirm your email address before sending invitations or requesting contacts at LinkedIn. You can have several email addresses, but one will need to be confirmed at all times to use the system.
If you have more than one email address, you can choose one to be your primary email address. This is the address you will log in with, and the address to which we will deliver all email messages regarding invitations and requests, and other system mail.
Thank you for using LinkedIn!
--The LinkedIn Team
http://www.linkedin.com/
© 2012, LinkedIn Corporation

There are three hyperlinks in the message, two of them are to LinkedIn and one of them is to a fake pharma site on mysalepharmacy.com on 178.19.108.195 in Poland.
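A check of the kind the sentence above implies, as an added example that is not part of the original post: it parses an HTML message body (a constructed sample with the three-link layout of this spam) and flags any link whose target leaves the apparent sender's domain, or whose visible text shows a different host from the one the href actually points to. The base-domain comparison is a simple last-two-labels rule, an assumption that ignores ccTLD suffixes.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a "confirm your email address" body that claims to come
# from linkedin.com. Two links go to LinkedIn; the third goes to the pharma
# host named above but shows a LinkedIn URL as its visible text.
SAMPLE_SENDER = "messages-noreply@bounce.linkedin.com"
SAMPLE_HTML = """
<p><a href="https://www.linkedin.com/e/vAIspiNMa9UrLxwLy8OkxtE3ZZ5hfZkRMg0f2bmzDWANi">Click here</a>
to confirm your email address.</p>
<p>If the above link does not work, paste this address into your browser:
<a href="http://mysalepharmacy.com/confirm">https://www.linkedin.com/e/confirm</a></p>
<p><a href="http://www.linkedin.com/">http://www.linkedin.com/</a></p>
"""

class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def base_domain(host):
    """Last two labels of a hostname (assumption: no public-suffix list, so ccTLDs are not handled)."""
    return ".".join(host.lower().split(".")[-2:])

def suspicious_links(html, sender):
    """Return hrefs that leave the sender's domain or whose visible text names a different host."""
    collector = LinkCollector()
    collector.feed(html)
    sender_dom = base_domain(sender.rsplit("@", 1)[-1])
    flagged = []
    for href, text in collector.links:
        href_host = urlparse(href).hostname or ""
        off_domain = base_domain(href_host) != sender_dom
        shown_host = urlparse(text).hostname if text.startswith(("http://", "https://")) else None
        text_lies = shown_host is not None and shown_host.lower() != href_host.lower()
        if off_domain or text_lies:
            flagged.append(href)
    return flagged
```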

Personally, I hate LinkedIn emails. Blocking everything that appears to be from linkedin.com will not have any adverse impact on your life.

Thursday 19 April 2012

LinkedIn Spam / springrheumatology.net

Another LinkedIn spam run leading to malware, this time on springrheumatology.net

Date:      Thu, 19 Apr 2012 19:34:55 +0100
From:      "Callie Holland" [donor@linkedin.com]
Subject:      LinkedIn Invitation from your co-worker


LinkedIn
REMINDERS

Invitation notifications:
- From Patrick Mcdaniel (Your co-worker)


PENDING MESSAGES

- There are a total of 2 messages awaiting your response. Visit your InBox now.

Don't want to receive email notifications? Adjust your message settings.

LinkedIn values your privacy. At no time has LinkedIn made your email address available to any other LinkedIn user without your permission. © 2010, LinkedIn Corporation.

=========================

Date:      Thu, 19 Apr 2012 14:57:47 -0300
From:      "Jane Gaston" [lulu9@linkedin.com]
Subject:      LinkedIn Reminder


LinkedIn
REMINDERS

Invitation reminders:
- From Solomon Goff (Your Colleague)


PENDING MESSAGES

- There are a total of 2 messages awaiting your response. Visit your InBox now.

Don't want to receive email notifications? Adjust your message settings.

LinkedIn values your privacy. At no time has LinkedIn made your email address available to any other LinkedIn user without your permission. © 2010, LinkedIn Corporation.

The malicious payload is at springrheumatology.net/main.php?page=9e32768587b0d9a8 (report here) hosted on the familiar IP address of 41.64.21.71 in Egypt, a very good IP address to block.

"Scan from a Xerox W. Pro" spam / 184.22.115.24

Another malicious (and fake) printer spam leading to malware:

From: MollieFaw@hotmail.com [mailto:MollieFaw@hotmail.com]
Sent: 19. april 2012 10:40
Subject: Re: Fwd: Fwd: Scan from a Xerox W. Pro #55048919

A Document was sent to you using a XEROX SuperJet 036582425.
SENT BY : MIRIAM
  IMAGS  :   97
  FORMAT (.JPG)   DOWNLOAD

DEVICE: 69972L7ODS736028L 

In this case the malicious payload is on 184.22.115.24/showthread.php?t=34c79594e8b8ac0f (report here) which is hosted by HostNOC in the US.

Tuesday 17 April 2012

"Hello. Thank you for contacting us!" spam

Here's a slightly different spam from normal; in this case it doesn't lead to malware, but to a fake pharmacy site. However, the malware/pharma payloads are easily interchangeable. So, don't click that link, eh?

Date:      Tue, 17 Apr 2012 14:49:18 -0400
From:      Customer center [anfinnegan@pasadena.net]
Subject:      [#3143] Ticket

Hello. Thank you for contacting us!
Your information has been changed and we should be in touch with you soon.
Proceed to Site.
Ticket code: fi5FFkG
You should expect a personal reply within the day or even sooner - as we answer most email within a few hours.


"Scan from a Hewlett-Packard ScanJet 719606" / 173.44.136.197

This fake HP scan email leads to malware on 173.44.136.197.

Date:      Tue, 17 Apr 2012 09:21:07 +0530
From:      HaileyWeeth@hotmail.com
Subject:      Re: Fwd: Scan from a Hewlett-Packard ScanJet 719606

A document was scanned and sent to you using a Hewlett-Packard JET ON22536593S



Sent to you by: LERA
Pages : 4
Filetype: Image (.jpeg) View

Location: NPSK1.4FL.
Device: OP594S3OD1420493


Mailprint: ca5b83c7-2d5b8888

The malware is on 173.44.136.197/showthread.php?t=34c79594e8b8ac0f (report here) hosted by JSC Media in Canada.

Monday 16 April 2012

"You've just ordered pizza from our site" / uiwewsecondary.ru

We haven't seen this "pizza spam" (or spam pizza?) for a while. Rest assured, it leads to malware on uiwewsecondary.ru:

Date:      Mon, 16 Apr 2012 08:40:47 -0500
From:      CeceliaKosack@hotmail.com
Subject:      Order confirmation

You've just ordered pizza from our site

Pizza Triple Meat Italiano with extras:
- Ham
- Ham
- Bacon Pieces
- Pineapple
- Onions
- Easy On Cheese
- No Sauce
Pizza Chicken Supreme with extras:
- Ham
- Jalapenos
- Black Olives
- Extra Cheese
- Extra Sauce
Pizza Hawaiian Luau with extras:
- Pepperoni
- Italian Sausage
- Beef
- Pineapple
- Easy On Cheese
- No Sauce
Pizza Chicken Supreme with extras:
- Italian Sausage
- Bacon Pieces
- Italian Sausage
- Jalapenos
- Diced Tomatoes
- Green Peppers
- Easy On Cheese
- Extra Sauce
Drinks
- Fanta x 4
- Limonade x 6
- Schweppes x 6
- Sprite x 2
Total Charge:    89.70$



If you haven't made the order and it's a fraud case, please follow the link and cancel the order.
CANCEL ORDER NOW!


If you don't do that shortly, the order will be confirmed and delivered to you.


With Best Regards
Pizza by AMERIGO


The malicious payload is at uiwewsecondary.ru:8080/internet/fpkrerflfvd.php (report here) hosted on some familiar IP addresses (a subset of the ones found here):

41.168.5.140 (Neotel, South Africa)
62.85.27.129 (Microlink, Latvia)
83.170.91.152 (UK2.NET, UK)
85.214.204.32 (Strato AG, Germany)
88.190.22.72 (Free SAS / ProXad, France)
89.31.145.154 (Nexen, France)
112.78.124.115 (Sakura Internet, Japan)
210.56.23.100 (Commission For Science And Technology, Pakistan)
211.44.250.173 (SK Broadband, Korea)
219.94.194.138 (Sakura Internet, Japan)


"FedEx Delivery Confirmation 821630" spam / pokeronmep.ru

This spam leads to malware on pokeronmep.ru.

Date:      Mon, 16 Apr 2012 18:26:48 +0900
From:      "Fed Ex SUPPORT 36" [support.391@fedex.com]
Subject:      FedEx Delivery Confirmation 821630
Attachments:     Collect_Letter.htm

ATTENTION!

DEAR USER , Delivery Confirmation: FAILED

PLEASE FILL IN ATTACHED FILE WITH RIGHT ADDRESS AND RESEND TO YOUR PERSONAL MANAGER (Open with Internet Explorer)

With Respect , Your Fed Ex Customer Services

The malicious payload is on pokeronmep.ru:8080/pages/glavctkoasjtct.php (report here) which is hosted on the same IP addresses as found in this attack. Blocking them would be worthwhile.

Friday 13 April 2012

"NY TRAFFIC TICKET" spam / vitalitysomer.ru

This fake traffic ticket spam leads to malware on vitalitysomer.ru:

Date:      Fri, 13 Apr 2012 02:46:11 +0600
From:      "LUIS MOSES" [Phl8DeB6MG@hotmail.com]
Subject:      Fwd: Re: NY TRAFFIC TICKET

New-York Department of Motor Vehicles

TRAFFIC TICKET
NEW-YORK POLICE DEPARTMENT
THE PERSON CHARGED AS FOLLOWS




Time: 8:11 AM

Date of Offense: 25/01/2012



SPEED OVER 50 ZONE

TO PLEAD CLICK HERE AND FILL OUT THE FORM

Fingerprint: 67d251e9-830ebcaf

The malware is on vitalitysomer.ru:8080/pages/glavctkoasjtct.php (report here) hosted on the same IP addresses found in this attack.

Fake AV sites to block on 64.120.207.108

There are a bunch of fake AV sites on 64.120.207.108 (HostNOC, US) that are active at the moment. You might want to block them :)

informationmonitorcare.info
preventiontoolsscanning.info
on-linecleanersupervision.info
supervisiontesterinspection.info
reliabilitywormsprocesses.info
verifywrecksafety.info