Sponsored by..

Tuesday, 17 July 2012

Fake Craigslist emails / visorwordprocessor.org

These fake Craigslist emails lead to malware on visorwordprocessor.org:


Date:      Tue, 17 Jul 2012 09:01:11 -0500
From:      "craigslist - automated message, do not reply" [robot@craigslist.org]
Subject:      Your Craiglist.org posting URL.

Posting ID # 27643127:

    "Double Stainless Steel Sink" (household items - by owner)

Should now be accessible at the following URL:

    http://craigslist.org/hsh/262383.html

Index pages and search results are updated every 15 minutes.

To edit or delete, please log in to your member area.

If you are having trouble finding your posting in the listings:

    http://www.craigslist.org/about/help/how_to_fi= nd_your_post_in_the_listings

For other questions or help:

    http://w= ww.craigslist.org/about/help/

Safety tips and avoiding scams:

    http://= www.craigslist.org/about/safety
    http://www.craigslist.o= rg/about/scams

Thanks for using craigslist!

==========


Date:      Tue, 17 Jul 2012 06:00:52 -0800
From:      "craigslist - automated message, do not reply" [robot@craigslist.org]
Subject:      Your Craiglist posting is successful.

Posting ID # 14717917:

    "Turbo 400 Tranny" (household items - by owner)

Should now be accessible at the following URL:

    http://craigslist.org/hsh/888725.html

New postings are updated every 15 minutes.

To edit or delete, please log in to your member area.

If you are having trouble finding your item in the listings:

    http://www.craigslist.org/about/help/how_to_fi= nd_your_post_in_the_listings

For other questions or help:

    http://w= ww.craigslist.org/about/help/

Safety tips and avoiding scams:

    http://= www.craigslist.org/about/safety
    http://www.craigslist.o= rg/about/scams

Thanks for using craigslist!

==========


Date:      Tue, 17 Jul 2012 15:13:26 +0200
From:      "craigslist - automated message, do not reply" [robot@craigslist.org]
Subject:      Your Craiglist posting is successful.

Posting ID # 49685217:

    "Generator" (household items - by owner)

Should now be viewable at the following URL:

    http://craigslist.org/hsh/887563.html

New postings are updated every 15 minutes.

To edit or delete, please log in to your account.

If you are experiencing problems finding your posting in the listings:

    http://www.craigslist.org/about/help/how_to_fi= nd_your_post_in_the_listings

For other questions or help:

    http://w= ww.craigslist.org/about/help/

Safety tips and avoiding scams:

    http://= www.craigslist.org/about/safety
    http://www.craigslist.o= rg/about/scams

Thanks for using craigslist!

==========


Date:      Tue, 17 Jul 2012 10:09:15 -0300
From:      "craigslist - automated message, do not reply" [robot@craigslist.org]
Subject:      You can access your Craiglist listing by the new location.

Posting ID # 35649793:

    "Screwdrivers kit" (household items - by owner)

Can now be viewable at the following location:

    http://craigslist.org/hsh/284761.html

Index pages and search results are updated every 15 minutes.

To edit or delete, please log in to your account.

If you are having trouble finding your item in the listings:

    http://www.craigslist.org/about/help/how_to_fi= nd_your_post_in_the_listings

For other questions or help:

    http://w= ww.craigslist.org/about/help/

Safety tips and avoiding scams:

    http://= www.craigslist.org/about/safety
    http://www.craigslist.o= rg/about/scams

Thanks for using craigslist!

The malicious payload is at [donotclick]visorwordprocessor.org/main.php?page=ed0a25d616022c57 (report here) hosted on 91.227.18.26 (Eximus LLC, Russia). The namesevers are at good-autosport.com which links this attack in with this one earlier today.

Intuit "Henderson LLC" payment spam / mailmergesfinger.org

This fake Intuit spam leads to malware on mailmergesfinger.org:


Date:      Mon, 16 Jul 2012 18:10:26 +0000
From:      "Intuit PaymentNetwork" [support@intuit.com]
Subject:      You have received a new payment through the Intuit network.




Payment received: You received $280.00 from Henderson LLC for invoice 91816

You can access the payment details here.

Funds will be deposited in your bank account.

You now have the possibility to get paid by Credit Card on your invoices. To find put more please sign in to your IPN account and click on the 'Profile' tab on the left.


The malicious payload is at [donotclick]mailmergesfinger.org/main.php?page=bfc8be54a0120bca (report here) hosted on 94.249.172.71 (GHOSTnet, Germany).

The following IPs and domains are connected and should be avoided or blocked:
13.65.99.23
46.20.33.131
62.109.26.35
78.129.132.14
80.77.87.185
94.249.172.71
108.76.72.229
109.164.221.176
164.15.250.148
195.54.32.91
198.144.189.51
200.184.213.131
211.157.105.160

afriget.net
cms-wideopendns.com
fonografs.net
good-autosport.com
mailmergesfinger.org
peace-computer.com
proamd-inc.com
thaidescribed.com

Monday, 16 July 2012

"Intuit Payroll Services" spam / cms-wideopendns.com

These (rather confused) spam emails lead to malware on cms-wideopendns.com:

From: LinkedIn Communication [mailto:support@intuit.com]
Sent: 16 July 2012 15:12
Subject: We have received your payroll processing request.




Direct Deposit Service Communication
Status update

Dear victim
We received your payroll on July 16, 2012 at 1:16 AM Pacific Time.
•    Funds will be withdrawn from the bank account number ending in: XXXX on July 17, 2012.
•    Amount to be withdrawn: $2,476.11
•    Paychecks will be deposited to your employees' accounts on: July 17, 2012
•    Please download your payroll here.
Funds are as a rule processed before normal banking hours so please make sure you have sufficient funds available by 12 a.m. on the date funds are to be withdrawn.
Intuit must receive your payroll by 5 p.m. Pacific time, two banking days before your payment date or your employees will fail to be paid on time. QuickBooks does not process payrolls on weekends or federal banking holidays. A list of federal banking holidays can be downloaded at the Federal Reserve website.
Thank you for your business.
Sincerely,
Intuit Payroll Services



IMPORTANT NOTICE: This notification is being sent to inform you of a critical matter concerning your current service or software. Please note that if you previously opted out of receiving marketing materials from Intuit, you may continue to receive notifications similar to this communication that affect your service or software.
If you have any questions or comments about this email, please DO NOT REPLY to this email. If you need additional information please contact us.
If you receive an email message that appears to come from Intuit but that you suspect is a phishing email, please forward it to immediately to spoof@intuit.com.
Copyright 2008 Intuit Inc. QuickBooks and Intuit are registered trademarks of and/or registered service marks of Intuit Inc. in the United States and other countries. This notification is not intended to supplement, modify, or extend the Intuit software license agreement between you and Intuit for any Intuit product or service.
Intuit Inc. Customer Communications
2800 E. Commerce Center Place, Tucson, AZ 85706


====================

From: LinkedIn Communication [support@intuit.com]
Sent: Mon 16/07/2012 15:12
Subject: Your payroll processing is initiated by Intuit.

Direct Deposit Service Communication
Status update

Dear victim
We obtained your payroll on July 16, 2012 at 7:36 AM Pacific Time.
•    Funds will be withdrawn from the bank account number ending in: XXXX on July 17, 2012.
•    Amount to be withdrawn: $5,582.11
•    Paychecks will be deposited to your employees' accounts on: July 17, 2012
•    Please download your payroll here.
Funds are typically withdrawn before normal banking hours so please make sure you have sufficient funds available by 12 a.m. on the date funds are to be withdrawn.
Intuit must receive your payroll by 5 p.m. Pacific time, two banking days before your payment date or your employees will fail to be paid on time. QuickBooks does not process payrolls on weekends or federal banking holidays. A list of federal banking holidays can be downloaded at the Federal Reserve website.
Thank you for your business.
Sincerely,
Intuit Payroll Services



IMPORTANT NOTICE: This notification is being sent to inform you of a critical matter concerning your current service or software. Please note that if you previously opted out of receiving marketing materials from Intuit, you may continue to receive notifications similar to this communication that affect your service or software.
If you have any questions or comments about this email, please DO NOT REPLY to this email. If you need additional information please contact us.
If you receive an email message that appears to come from Intuit but that you suspect is a phishing email, please forward it to immediately to spoof@intuit.com.
Copyright 2008 Intuit Inc. QuickBooks and Intuit are registered trademarks of and/or registered service marks of Intuit Inc. in the United States and other countries. This notification is not intended to supplement, modify, or extend the Intuit software license agreement between you and Intuit for any Intuit product or service.
Intuit Inc. Customer Communications
2800 E. Commerce Center Place, Tucson, AZ 85706


LinkedIn? Intuit? The bad guys are confused, but these are dangerous emails nonetheless. The malicious payload is at [donotclick]cms-wideopendns.com/main.php?page=bfc8be54a0120bca (report here) hosted on the following IPs:

211.157.105.160 (Chinacomm, China)
109.164.221.176 (Swisscom, Switzerland)



The following IPs and domains are all connected and should be blocked:
46.20.33.131
62.109.26.35
80.77.87.185
108.76.72.229
109.164.221.176
164.15.250.148
195.54.32.91
198.144.189.51
211.157.105.160

afriget.net
cms-wideopendns.com
fonografs.net
peace-computer.com
proamd-inc.com
thaidescribed.com

Sunday, 15 July 2012

Facebook "Error message [404] 404 Not Found" email messages

This one has me scratching my head.. a series of emails this morning with subjects similar to the following:

Error message [404] 404 Not Found for m.facebook.com/media/set/?set=a.[redacted].8100.100000762125833
Error message [404] 404 Not Found for m.facebook.com/pokes/?refid=7
Error message [404] 404 Not Found for m.facebook.com/home.php?sk=photodash


The emails appear to originate from a Yahoo! IP address, the sender's email address matches a registered Facebook account and in one case the URL in the subject links to a gallery from the same user. But I don't know who these people are, and the email address sent to is a rarely used one that has NEVER been used for Facebook.

In most cases the email is blank, in one case there is a photograph of a BlackBerry, apparently taken yesterday from a Samsung GT-C6625 (an oldish Windows Mobile device). The IP headers indicate that this is maybe coming through a mobile version of Yahoo! mail. An infected mobile phone perhaps?

It's all kind of odd, perhaps it is the precursor to something else?

Wednesday, 11 July 2012

UPS Spam / peace-computer.com

This fake UPS spam leads to malware on peace-computer.com:


Date:      Wed, 11 Jul 2012 09:51:41 -0500
From:      "Margret Bellamy" [USPS_Shipping_Services@usps.com]
Subject:      Download your UPS invoices.


   
This is an automatically generated email Please do not reply to this email address.

Dear UPS Customer,

New invoice(invoices) are available for viewing in UPS billing center. Please note that your UPS invoices should be paid within 14 days to avoid any additional charges.



Please visit the UPS Billing Center to view and pay your invoice.



Find out more about UPS:
Visit ups.com
Explore UPS Freight Services
Learn About UPS Companies
Sign Up For Additional Email From UPS
Read our official journal

(c) 2012 United Parcel Service of America, Inc. UPS, the UPS brandmark, and the color brown are trademarks of United Parcel Service of America, Inc. All rights reserved.
For more information on UPS's privacy practices, refer to the UPS Privacy Policy.
Please do not reply directly to this e-mail. UPS will not receive any reply message.
For questions or comments, visit Contact UPS.

This communication contains proprietary information and may be confidential. If you are not the intended recipient, the reading, copying, disclosure or other use of the contents of this e-mail is strictly prohibited and you are instructed to please delete this e-mail immediately.
Privacy Policy
Contact UPS

The malicious payload is at [donotclick]peace-computer.com/main.php?page=22b33afad06e9ba5
on 62.109.26.35 (ISPsystem, Russia). The following domains and IPs are all connected to this attack:

afriget.net
ecocabmedia.net
fonografs.net
ghanarpower.net
hotspotboutique.net
itleadgenie.net
lessthansmoothmasculine.com
nectarstuff.net
sitkatacotruck.com
speciallyregarding.com
thaidescribed.com
yourcheckservice.com
46.105.254.202
62.109.26.35
92.201.139.15
109.164.221.176
109.169.87.169
158.25.100.139
164.15.250.148
173.234.9.84
209.59.210.119
211.157.105.160

Spam: Your Amazon.com order of "GoPro HD Helmet HERO Camcorder - Silver" has shipped!

This fake Amazon spam leads to malware on savidae.net:

Sent: 11 July 2012 15:12
Subject: Your Amazon.com order of "GoPro HD Helmet HERO Camcorder - Silver" has shipped!

Hello,

Shipping Confirmation
Order # 111-8744380-4899254

Your estimated delivery date is:
Friday, July 13 2012

Track your package Thank you for shopping with us. We thought you'd like to know that we shipped this portion of your order separately to give you quicker service. You won't be charged any extra shipping fees, and the remainder of your order will follow as soon as those items become available. If you need to return an item from this shipment or manage other orders, please visit Your Orders on Amazon.com.

Shipment Details

GoPro HD Helmet HERO Camcorder - Silver $149.95
Item Subtotal: $149.95
Shipping & Handling: $0.00
Total Before Tax: $149.95
Shipment Total: $149.95
Paid by Visa: $149.95

You have only been charged for the items sent in this shipment. Per our policy, you only pay for items when we ship them to you.

Returns are easy. Visit our .
If you need further assistance with your order, please visit Customer Service.

We hope to see you again soon!
Amazon.com

The message may appear to be sent from your own email address (this is why). The malicious payload is on [donotclick]savidae.net/main.php?page=f8475ba078c011af (report here) hosted on 178.238.130.222 (BurstNet UK, allocated to an individual in Ukraine). These other domains are on the same server, their status is not known.
beingconducts.info
burstingqualcomm.info
cameratoburnergo.info
carpetingpenny.info
clevererreviewed.info
crisisproducer.info
delightsmalwarespywarefree.info
elsedefer.info
enotatepreview.info
expostypes.info
insigniamake.info
meetscellsafety.info
methodicaldiskinternals.info
needingshirts.info
overwhelminglymustdownload.info
premisepreliminary.info
relinquishingpin.info
restoreculled.info
ringtonererender.info
shiftvirtues.info
smartmedialaserlike.info
taxcasterbolstered.info
tubez11.cu.cc
wearguitarlike.info
woodantispy.info
xxxxlivechat.info

UPDATE:
A similar campaign is underway with a payload on peace-computer.com (the same domain is used in this attack)

Another example:

Sent: den 11 juli 2012 16:19
Subject: Your Amazon.com order of "Withings WiFi Body Scale, Black" has shipped!

Hello,

Shipping Confirmation
Order # 353-3382862-1240149

Your estimated delivery date is:
Friday, July 13 2012

Track your package Thank you for shopping with us. We thought you'd like to know that we shipped this portion of your order separately to give you quicker service. You won't be charged any extra shipping fees, and the remainder of your order will follow as soon as those items become available. If you need to return an item from this shipment or manage other orders, please visit Your Orders on Amazon.com.

Shipment Details

Withings WiFi Body Scale, Black $139.95
Item Subtotal: $139.95
Shipping & Handling: $0.00
Total Before Tax: $139.95
Shipment Total: $139.95
Paid by Visa: $139.95

You have only been charged for the items sent in this shipment. Per our policy, you only pay for items when we ship them to you.

Returns are easy. Visit our .
If you need further assistance with your order, please visit Customer Service.

We hope to see you again soon!
Amazon.com

==========

Subject: Your Amazon.com order of "Boss JWVX3Y6 7-Inch DVD/MP3/CD Widescreen Bluetooth Receiver with USB and SD Card" has shipped!

Hello,

Shipping Confirmation
Order # 087-2687938-8778762

Your estimated delivery date is:
Friday, July 13 2012

Track your package Thank you for shopping with us. We thought you'd like to know that we shipped this portion of your order separately to give you quicker service. You won't be charged any extra shipping fees, and the remainder of your order will follow as soon as those items become available. If you need to return an item from this shipment or manage other orders, please visit Your Orders on Amazon.com.

Shipment Details

Boss JWVX3Y6 7-Inch DVD/MP3/CD Widescreen Bluetooth Receiver with USB and SD Card $149.95
Item Subtotal: $149.95
Shipping & Handling: $0.00
Total Before Tax: $149.95
Shipment Total: $149.95
Paid by Visa: $149.95

You have only been charged for the items sent in this shipment. Per our policy, you only pay for items when we ship them to you.

Returns are easy. Visit our .
If you need further assistance with your order, please visit Customer Service.

We hope to see you again soon!
Amazon.com

==========

Intuit.com spam / thaidescribed.com

This spam leads to malware on thaidescribed.com:


Date:      Tue, 10 Jul 2012 13:49:59 -0300
From:      "LinkedIn Communication" [USPS_Shipping_Services@usps.com]
Subject:      New Payment through the Intuit network.

Incoming payment received: You received $840.00 from Parks LLC for invoice 53389

You can access the payment details here.

Funds will be transferred in your bank account.

You now have the opportunity to get paid by Credit Card on your invoices. To learn more please sign in to your IPN account and click on the 'Profile' tab on the left.


The malicious payload is on [donotclick]thaidescribed.com/main.php?page=8cb1f95c85bce71b (report here) hosted on 164.15.250.148 (Universite Libre de Bruxelles, Belgium). The malicious IPs and domains associated with this attack can also be found here, but you should probably block the following:


afriget.net
fonografs.net
proamd-inc.com
thaidescribed.com
80.77.87.185
164.15.250.148
200.184.213.131

UPS Spam / proamd-inc.com

This UPS spam leads to malware on proamd-inc.com:

Date:      Tue, 10 Jul 2012 20:34:41 +0200
From:      "Vernon Wade" [USPS_Shipping_Services@usps.com]
Subject:      Your UPS invoices are ready for download.


   
This is an automatically generated email Please do not reply to this email address.

Dear UPS Customer,

New invoice(invoices) are available for download in UPS billing center. Do not forget that your UPS invoices should be paid within 28 days so as not to incur any additional charges.



Please surf to the UPS Billing Center to view and pay your invoice.



Find out more about UPS:
Visit ups.com
Explore UPS Freight Services
Learn About UPS Companies
Sign Up For Additional Email From UPS
Read our official blog

(c) 2012 United Parcel Service of America, Inc. UPS, the UPS brandmark, and the color brown are trademarks of United Parcel Service of America, Inc. All rights reserved.
For more information on UPS's privacy practices, refer to the UPS Privacy Policy.
Please do not reply directly to this e-mail. UPS will not receive any reply message.
For questions or comments, visit Contact UPS.

This communication contains proprietary information and may be confidential. If you are not the intended recipient, the reading, copying, disclosure or other use of the contents of this e-mail is strictly prohibited and you are instructed to please delete this e-mail immediately.
Privacy Policy
Contact UPS

==========


Date:      Tue, 10 Jul 2012 19:20:05 +0330
From:      "Don Reyes" [USPS_Shipping_Services@usps.com]
Subject:      Please download and pay your UPS delivery charges.


   
This is an automatically generated email Please do not reply to this email address.

Dear UPS Customer,

New invoice(invoices) are available for viewing in UPS billing center. Do not forget that your UPS invoices should be paid within 28 days to avoid any additional charges.



Please visit the UPS Billing Center to view and pay your invoice.



Find out more about UPS:
Visit ups.com
Explore UPS Freight Services
Learn About UPS Companies
Sign Up For Additional Email From UPS
Read our official blog

(c) 2012 United Parcel Service of America, Inc. UPS, the UPS brandmark, and the color brown are trademarks of United Parcel Service of America, Inc. All rights reserved.
For more information on UPS's privacy practices, refer to the UPS Privacy Policy.
Please do not reply directly to this e-mail. UPS will not receive any reply message.
For questions or comments, visit Contact UPS.

This communication contains proprietary information and may be confidential. If you are not the intended recipient, the reading, copying, disclosure or other use of the contents of this e-mail is strictly prohibited and you are instructed to please delete this e-mail immediately.
Privacy Policy
Contact UPS

==========

From: Miguel Segura [mailto:USPS_Shipping_Services@usps.com]
Sent: 10 July 2012 16:47
Subject: You have outstanding UPS invoices.



   
This is an automatically generated email Please do not reply to this email address.

Valued UPS Customer,
  New invoice(invoices) are available for download in UPS billing center. Please note that your UPS invoices should be paid within 21 days so as not to incur any additional charges.

Please visit the UPS Billing Center to view and pay your invoice.



________________________________________
Find out more about UPS:
Visit ups.com
Explore UPS Freight Services
Learn About UPS Companies
Sign Up For Additional Email From UPS
Read Compass Online


________________________________________
(c) 2012 United Parcel Service of America, Inc. UPS, the UPS brandmark, and the color brown are trademarks of United Parcel Service of America, Inc. All rights reserved.
For more information on UPS's privacy practices, refer to the UPS Privacy Policy.
Please do not reply directly to this e-mail. UPS will not receive any reply message.
For questions or comments, visit Contact UPS.

This communication contains proprietary information and may be confidential. If you are not the intended recipient, the reading, copying, disclosure or other use of the contents of this e-mail is strictly prohibited and you are instructed to please delete this e-mail immediately.
Privacy Policy
Contact UPS
The malicious payload is at [donotclick]proamd-inc.com/main.php?page=8cb1f95c85bce71b (report here) hosted on 164.15.250.148 (Universite Libre de Bruxelles, Belgium).

The following domains and IPs are also involved in this attack and should be blocked:
afriget.net
fonografs.net
proamd-inc.com
thaidescribed.com
80.77.87.185
164.15.250.148
200.184.213.131

Friday, 6 July 2012

"Your Receipt and Itinerary" spam / ellomb.net

This spam leads to malware on ellomb.net:

From: Johnny Mooney [mailto:kxijgvpu@asistencia.org]
Sent: 06 July 2012 13:56
Subject: Your Receipt and Itinerary

Thank you for choosing Delta. We encourage you to review this information before your trip. If you need to contact Delta or check on your flight information, go to delta.com, call 800-221-1212 or call the number on the back of your SkyMiles© card.
Now, managing your travel plans just got easier. You can exchange, reissue and refund electronic tickets at delta.com. Take control and make changes to your itineraries at delta.com/itineraries.
Speed through the airport. Check-in online for your flight.
Flight Information
DELTA CONFIRMATION #: C1N270
TICKET #: 31894208655700
Day    Date    Flight    Status    Bkng
Class    City    Time    Meals/
Other    Seat/
Cabin
---    -----    ---------------    ------    -----    ----------------    ------    ------    -------
Sun    8 JUL    DELTA 116    OK    U    LV NYC-KENNEDY
AR SAN FRANCISCO    515P
916P    F    45A
COACH
Mon    9 JUL    DELTA 1837    OK    K    LV SAN FRANCISCO
AR NYC-KENNEDY    1230P
702A#    V    32A
COACH
Baggage and check-in requirements vary by airport and airline, so please check with the operating carrier on your ticket.
Please review Delta's check-in Requirements and baggage guidelines for details.
You must be checked in and at the gate at least 15 minutes before your scheduled departure time for travel inside the United States.
You must be checked in and at the gate at least 45 minutes before your scheduled departure time for international travel.
For tips on flying safely with laptops, cell phones, and other battery-powered devices, please visit http://SafeTravel.dot.gov.
Do you have comments about our service? Please email us to share them with us.
-----------------------------------------------------------------------------
Conditions of Carriage
Air transportation on Delta and the Delta Connection carriers is subject to Delta's conditions of carriage. They include terms governing, for example:
Limits on our liability for personal injury or death of passengers, and for loss, damage or delay of goods and baggage.
Claim restrictions, including time periods within which you must file a claim or bring an action against us
Our right to change terms of the contract
Check-in requirements and other rules establishing when we may refuse carriage
Our rights and limits of our liability for delay or failure to perform service, including schedule changes, substitution of alternative air carriers or aircraft, and rerouting
Our policy on overbooking flights, and your rights if we deny you boarding due to an oversold flight
These terms are incorporated by reference into our contract with you. You may view these conditions of carriage on delta.com, or by requesting a copy from Delta.
The malicious payload is on  [donotclick]ellomb.net/main.php?page=d502255d1a941be3 (not resolving when I tried to analyse it) hosted on 83.69.226.143 (Awax Telecom, Russia). Incidentally, 83.69.226.0/24 all looks pretty bad and is worth blocking.

Wednesday, 4 July 2012

Malware sites to block 4/7/12

These malicious domains and IPs are being used in the current "runforestrun" malware attacks. The domains are registered on a daily basis, block the IPs might be more effective in this case.

bdvkpbuldslsapeb.ru
clockworkorange.org
dernflilrdxmfnye.ru
eilqnjkoytyjuchn.ru
evilstalin.https443.net
fjgtmicxtlxynlpf.ru
gytcnulxsxpsqkfn.ru
hyoflopkupjioiqq.ru   
iekiyvsbtyozmmwy.ru
keglxucgvwhqttmi.ru
lfbovcaitdrjmkbe.ru   
npxsiiwpxqqiihmo.ru
ppsvcvrcgkllplyn.ru
qtmyeslmsoxkjbku.ru
ruhctasjmpqbyvhm.ru
skwkybckmywhrhbb.ru
smolny.https443.org
tlrnhskrgijhwtlj.ru
upmqpwyndzwzmmwy.ru
vqhtwlshzzqsltcp.ru
yrxysfyekjfooere.ru
88.198.68.110
94.100.27.16
141.136.17.97
188.138.11.75
188.211.239.249

Firefox OS: will it be safe?

Firefox OS is the new name for the "boot to gecko" project by the Mozilla foundation. It's a fully-featured OS built on a Linux core, and this is what Mozilla have to say about it:

The Firefox OS for mobile devices is built on Mozilla’s “Boot to Gecko project” which unlocks many of the current limitations of web development on mobile, allowing HTML5 applications to access the underlying capabilities of a phone, previously only Unix and Linux based mobile OSes available to native applications. Telefónica’s Digital unit joined forces with Mozilla earlier this year to take this work and showcase a new phone architecture where every phone feature (calling, messaging, games, etc.) is an HTML5 application.
Wait.. what? Basically, the browser can interact directly with the operating system.. and this is being done at a time when vendors are trying to keep the browser as seperated as possible from the OS to mitigate against exploits.

This led me to pose the question in another publication: Firefox OS: will it be safe? Well, if you know Betteridge's Law of Headlines then the answer is probably "no".

We have been down this path before. ActiveX promised to allow the browser (in this case Internet Explorer) access to the system to allow it to do clever things. Yes, software authors could get their applications signed to demonstrate that they were trustworthy, but it was still a security nightmare. And despite the apparent death of ActiveX (when was the last time you installed an ActiveX component that wasn't Adobe Flash?) it still features prominently when it comes to patching.

And then there's Java. Java was meant to be safe because it was sandboxed from the rest of the machine it was running on, making it inherently safe. Fast forward to today.. and what is one of the most common vectors for malware infection? Yes, it's Java. Fundamentally the Java security model is broken, as the endless series of patches we see testifies to.

From a security perspective, keeping the browser just as a browser and limiting the interaction is has with the OS is the best approach. But the Firefox OS wants to turn that on its head. And while Mozilla will no doubt put in processes to try to ensure that it will be safe, the examples of Java and ActiveX show how difficult it can be to nail it down.

Why does it matter? There's a lot of hype about mobile malware at the moment, but in my experience it is still an almost insignificant threat. That will change though, as more and more smartphones and tablets are being used for financially sensitive transactions, and fundamentally a smartphone is just a small computer and it can be added to a botnet for evil purposes.

One last consideration is this - getting updates. As (mostly) Android users will know, OS updates tend to dry up shortly after launch leaving the underlying system vulnerable.. although Apple owners tend to get updates for a much longer time. Keeping on top of security threats will require Mozilla, the manufacturers and networks to co-operate closely to keep security updates rolling out. The Firefox OS model closely matched Android rather than Apple.. so Mozilla and its partners have their work cut out here too.

If you're interested, this article I wrote is a slightly different take on the subject.

Tuesday, 3 July 2012

TD Ameritrade spam / princess-sales.net

This fake spam leads to malware at princess-sales.net:

Date:      Tue, 3 Jul 2012 21:38:09 +0530
From:      "Micah Bright" [client@notifications.tdameritrade.com]
Subject:      sbj

TD Ameritrade
   
       
Your account ending in XXX7     Log on
       
       
Your statement is now available online

Dear Valued Client,

Your statement for your TD Ameritrade account ending in XXX7 is now available online.

Access your statements
To view your statement (along with previous statements), please Log On to your account and choose "History & Statements" (under Accounts). Then click the "Statements" tab, select the appropriate month(s) under the "View statements" drop-down menu, then click the "View" button.

We're here to help
If you have any questions, please log on to your account and click "Message Center" (under Home) to write us. A representative will respond through your Message Center inbox. You can also call Client Services at 800-669-3900. We're available 24 hours a day, seven days a week.

Sincerely,


Tom Bradley
President, Retail Distribution
TD Ameritrade

The malicious payload is at [donotclick]princess-sales.net/main.php?page=7e45713861176c6b (report here) hosted on 203.237.211.223 in Korea.

Fake jobs: careerin-finance.com

This email is trying to recruit people for money laundering ("money mule") operations and other similar illegal activities:

From: [victim]
Date: 2 July 2012 20:48:51 GMT+01:00
To: [victim]
Subject: Recruitment in the large company
We have an excellent opportunity for an apprentice applicant to join a rapidly expanding company.

An at home Key Account Manager Position (Ref: 58020-095/1HR) is a great opportunity for stay at home parents or anyone who wants to work in the comfort of their own home.

This is a genuine offer and not to be confused with scams!
The successful candidate must have the ability to handle calls efficiently whilst maintaining the highest levels of customer service and being courteous.
Applicants must have an excellent telephone manner, have a friendly approach, excellent communication skills and be computer literate.
You must have the ability to type and talk at the same time to customers,
as you will be taking customer details over the phone and inputting data onto company database.

Requirements: computer with Internet access, valid email address, good typing skills.
If you fit the above description and meet the requirements, please apply to this ad stating your location.

You will be processing orders from your computer. How much you earn is up to you.
The average is in the region of US$600- US$750.00 per week, depending on whether you work full or part time.

If you would like more information, please contact us stating where you are located and our job reference number - 58020-095/1HR.
Please only SERIOUS applicants.

Our contacts: Olin@careerin-finance.com

Thank You!

The email may appear to come from the recipient (see "why am I sending myself spam?". The domain careerin-finance.com was registered on 2nd July 2012 and solicits replies via a server at 37.247.48.176 (Prometeus, Italy).

Registrant details for the domain are no doubt fake:
   Helen R. Espinoza
   Helen Espinoza info@careerin-finance.com
   413-845-0684 fax: 413-845-0331
   3093 Trouser Leg Road
   Springfield MA 01103
   us

The domain is registered through scam-friendly Chinese registrar BIZCN.COM, Inc.

Nameservers are:
ns1.readycarts.com (37.247.48.176)
ns2.readycarts.com (12.199.102.98)

The 12.199.102.98 is registered to Barnes and Noble in the US. Is there a compromised server here? It's hard to be certain.

The following IPs and domains all seem to be connected:
12.199.102.98
24.217.45.10
37.247.48.176
62.108.39.201
agentrachel.net
americafindjob.com
jobbinthai.com
latviafindjob.com
readycarts.com   

Monday, 2 July 2012

American Airlines spam / ghanarpower.net

This fake spam leads to malware on ghanarpower.net:


Date:      Mon, 2 Jul 2012 16:54:15 +0200
From:      "Cornelius Meyers" <notify@aa.globalnotifications.com>
Subject:      Online American Airlines receipt.


   
Record Locator: MWNMLP

Date of Issue: 2JULY12


Thank you for choosing American Airlines / American Eagle, a member of the oneworld� Alliance.

This receipt is for the purchase of your Preferred Seat(s) which are detailed on your itinerary and receipt confirmation.

If you have any questions regarding your reservations, please call 1-800-433-7300 or visit www.aa.com.



   

   

   
Record Locator: MWNMLP


PASSENGER
CHADBOURN HAWLEY
   
DOCUMENT NUMBER / DATE
0010634774011/2JULY12
   
DESCRIPTION
PREFERRED SEATS
   
AMOUNT
17.67 USD
   
TAX
1.33
   
TOTAL
19.00 USD

Payment Type: Visa XXXXXXXXXXXX1392     Total: $19.00

================


Date:      Mon, 2 Jul 2012 17:59:25 +0430
From:      "Spencer Hurley" <notify@aa.globalnotifications.com>
Subject:      Preferred seat purchase receipt.


   
Record Locator: XTSPJI

Date of Issue: 2JULY12


Thank you for choosing American Airlines / American Eagle, a member of the oneworld� Alliance.

This receipt is for the purchase of your Preferred Seat(s) which are detailed on your itinerary and receipt confirmation.

If you have any questions regarding your reservations, please call 1-800-433-7300 or visit www.aa.com.



   

   

   
Record Locator: XTSPJI


PASSENGER
CHADBOURN HAWLEY
   
DOCUMENT NUMBER / DATE
0010634774011/2JULY12
   
DESCRIPTION
PREFERRED SEATS
   
AMOUNT
17.67 USD
   
TAX
1.33
   
TOTAL
19.00 USD

Payment Type: Visa XXXXXXXXXXXX1293     Total: $19.00

The malicious payload is the same as used in this attack - blocking it and the related IPs and domains is probably wise.

TD Ameritrade Spam / ghanarpower.net

This convincing-looking TD Ameritrade spam leads to malware at ghanarpower.net:

 ________________________________________
Your account ending in XXX7     Log on

________________________________________

Your statement is now available online

Dear Valued Client,

Your statement for your TD Ameritrade account ending in XXX7 is now available online.

Access your statements
To view your statement (along with previous statements), please Log On to your account and choose "History & Statements" (under Accounts). Then click the "Statements" tab, select the appropriate month(s) under the "View statements" drop-down menu, then click the "View" button.

We're here to help
If you have any questions, please log on to your account and click "Message Center" (under Home) to write us. A representative will respond through your Message Center inbox. You can also call Client Services at 800-669-3900. We're available 24 hours a day, seven days a week.

Sincerely,


Tom Bradley
President, Retail Distribution
TD Ameritrade


The malware can be found on [donotclick]ghanarpower.net/main.php?page=8c6c59becaa0da07 (report here) hosted on (188.165.1.192, OVH Ireland).

The following IPs and domains are connected to this attack and should also be blocked:
ecocabmedia.net   
ghanarpower.net
lessthansmoothmasculine.com   
68.171.101.22
92.201.139.15
188.165.1.192
109.164.221.176
211.157.105.160

Thursday, 28 June 2012

Pinterest Spam / medicarewichi.com

Spammers will try anything.. this email pretends to be from Pinterest but it actually appears to lead to a fake pharma site at medicarewichi.com.

From: Pinterest [mailto:pinbot@pinterest.com]
Sent: 28 June 2012 14:41
Subject: New pins added

Hi!

    With millions of new pins added every week, we connecting people all over the world based on shared tastes and interests.        Explore pins   

©2012 Pinterest, Inc. | All Rights Reserved.
Privacy Policy | Terms and Conditions


The spamvertised site is hosted on 91.238.180.92 which looks like a cesspit of toxic sites and is probably best blocked.

Malware sites to block 28/6/12

These malicious sites and IPs are connected with this spam run. I recommend blocking them.

31.17.189.212
41.66.137.155
41.168.5.140
50.57.43.49
50.57.88.200
62.76.45.241
62.76.188.120
62.76.189.62
62.76.191.172
62.213.64.161
64.120.134.7
66.90.76.62
83.143.134.23
83.170.91.152
85.17.72.34
85.214.204.32
87.204.199.100
91.210.189.68
91.221.70.19
94.75.231.156
95.142.167.193
95.168.185.214
95.168.185.215
95.168.185.216
95.168.185.217
95.168.185.218
95.211.18.79
110.234.150.163
110.234.176.99
128.134.57.112
173.203.96.79
178.33.105.222
178.63.208.37
178.63.249.35
178.63.249.45
184.106.189.124
184.106.200.41
188.72.199.247
188.72.220.158
188.212.156.170
190.81.107.70
194.109.21.8
195.14.104.76
200.169.13.84
208.158.5.195
209.114.47.158
211.44.250.173
219.94.194.242

caoodntkioaojdf.ru
clkjshdflhhshdf.ru
ckjsfhlasla.ru
ckjhasbybnhdjf.ru
cruikdfoknaofa.ru
debiudlasduisioa.ru
dkjhasjllasllalaa.ru
dhjikjsdhfkksjud.ru
dinamitbtzusons.ru
dkijhsdkjfhsdf.ru
dnvfodooshdkfhha.ru
doorpsjjaklskfjak.ru
dpasssjiufjkaksss.ru
dppriakjsdjfhss.ru
dsakhfgkallsjfd.ru
forumenginesspb.ru
hamlovladivostok.ru
harmoniavslove.ru
insomniacporeed.ru
kroshkidlahlebans.ru
monashkanasene.ru
opimmerialtv.ru
pekarniamsk.ru
piloramamoskow.ru
porscheforumspb.ru
rushsjhdhfjsldif.su
seledkindoms.ru
semelyontour.ru
spbfotomontag.ru
somaniksuper.ru
spiritzandmore.com
sshgjksdfhhsd.ru
superproomgh.ru
sushfpappsbf.ru
tarantsikvasiliy.ru
zolindarkksokns.ru

NACHA Spam / porscheforumspb.ru

This fake NACHA spam leads to malware on porscheforumspb.ru:

Date:      Wed, 27 Jun 2012 06:18:09 -0430
From:      "Electronic Payments Association" [donotreply@nacha.org]
Subject:      Fwd: ACH Transfer rejected

The ACH transfer, initiated from your bank account, was canceled.

Canceled transfer:

Bath Nr.: FE-45452995330US

Transaction Report: View



ADELINE Jewell

Automated Clearing House, NACHA

The malicious payload is on [donotclick]porscheforumspb.ru:8080/forum/showthread.php?page=5fa58bce769e5c2c (report here), hosted on the following IPs:

110.234.176.99 (Tulip Telecom, India)
128.134.57.112 (Seoul Kwangun University, Korea)
190.81.107.70 (Telmex, Peru)

LinkedIn spam / 74.63.252.106

This fake LinkedIn spam leads to malware on 74.63.252.106:

Date:      Thu, 28 Jun 2012 00:52:04 +0200
From:      "2012, LinkedIn Corporation" [sdexheimer@itrs.com.br]
To:      [y009-xc6.ftdsf@catchamail.com]
Subject:      Relationship LinkedIn Mail

LinkedIn
REMINDERS

Invitation reminders:
• From Kevin Sellers (VP Analytic Services at Glencore)


PENDING MESSAGES

• There are a total of 9 messages awaiting your response. Visit your InBox now.

Don't want to receive email notifications? Adjust your message settings.

LinkedIn values your privacy. At no time has LinkedIn made your email address available to any other LinkedIn user without your permission. © 2012, LinkedIn Corporation.


The malicious payload is at [donotclick]74.63.252.106/getfile.php?u=71fd37ed (report here) which is part of a small netblock of 74.63.252.96/27 rented out by Limestone Networks in the US. Some attempt has been made to prevent analysis by generating a fake 403 page if you try to analyse it directly.

Wednesday, 27 June 2012

If you know what this is..

If you know what this is.. well, you'll guess it was a) hard to find and b) expensive.. ;)

Thursday, 21 June 2012

Malware sites to block 21/6/12

These sites and IPs are all connected to recent malicious spam runs. Blocking them either by IP address or domain name would probably be prudent.

46.162.27.165
64.79.106.188
91.227.220.114
109.164.221.176
109.169.86.139
173.234.9.84
187.5.116.251
192.84.186.206
199.101.99.155
abc-spain.net
abilenepaint.net
asiazmile.net
autobouracky.net
autosnort.net
chicleart.net
computerpills.net
cool-mail.net
energirans.net
grapecomputers.net
gtautond.com
hiring-decisions.com
hseclub.net
installandwork.com
itscholarshipz.net
jobforfamily.com
keurigminis.net
mynourigen.net
leadgems.net
perfectbusinesschance.net
savecoralz.net
synergyledlighting.net
systemtestnow.com
workandlivenow.com
workathomeforyou.net
yourfreeworkathome.net
yourlifechance.net

Wednesday, 20 June 2012

UPS Spam / abilenepaint.net

This fake UPS spam leads to malware on abilenepaint.net:

Date:      Wed, 20 Jun 2012 21:15:55 +0500
From:      "UPS Quantum View" [auto-notify@ups.com]
Subject:      Track your UPS shipment online.

Discover more about UPS:
Visit www.ups.com
Sign Up For Additional E-Mail From UPS
Read Compass Online

   

This message was sent to you at the request of ICRealtime Security Solutions LLC to notify you that the electronic shipment information below has been transmitted to UPS. The physical package(s) may or may not have actually been tendered to UPS for shipment. To verify the actual transit status of your shipment, click on the tracking link below or contact ICRealtime Security Solutions LLC directly.

Important Delivery Information

Scheduled Delivery: 09-May-2012

Shipment Detail
Ship To:
xxxxxxxxxxxxxxxxxxxx
CSI SECURITY
2269 JEFFERIES HWY.
WALTERBORO
SC
29488
US

Number of Packages:     1
UPS Service:     GROUND
Weight:     9.0 LBS

Tracking Number:     1ZX603R40369384687
Reference Number 1:     47479
Reference Number 2:     20872

Click here to track if UPS has received your shipment or visit
http://www.ups.com/WebTracking/track?loc=en_US on the Internet.



____2@@2@@2wowT7qQAXmBSs4ogrWusagY4wa____

� 2012 United Parcel Service of America, Inc. UPS, the UPS brandmark, and the color brown are trademarks of United Parcel Service of America, Inc. All rights reserved.
For more information on UPS's privacy practices, refer to the UPS Privacy Policy.
Please do not reply directly to this e-mail. UPS will not receive any reply message.
For questions or comments, visit Contact UPS.

This communication contains proprietary information and may be confidential.� If you are not the intended recipient, the reading, copying, disclosure or other use of the contents of this e-mail is strictly prohibited and you are instructed to please delete this e-mail immediately.
Privacy Notice
Contact UPS


The malicious payload is at [donotclick]abilenepaint.net/main.php?page=c3c45bf60719e629 (report here)  hosted on 109.169.86.139 (Rapidswitch / iomart Hosting Ltd / ThrustVPS, UK) which is the same host used in this attack.

Verizon Wireless spam / keurigminis.net

This spam leads to malware on keurigminis.net:
Date:      Wed, 20 Jun 2012 16:37:06 +0100
From:      "AccountNotify@verizonwireless.com" [eAccountNotify@verizonwireless.com]
Subject:      Verizon wireless online bill.



   
    �
Important account information from Verizon Wireless
Your current bill for your account ending in XXXX-XX001 is now available online in My Verizon
Total Balance Due: $46.62
Scheduled Automatic Payment Date: 05/29/2012
Keep in mind that payments and/or adjustments made to your account after your bill was generated will be deducted from your automatic payment amount.

 View and Pay Your Bill

Thank you for choosing Verizon Wireless.

   

   
My Verizon is also available 24/7 to assist you with:
Viewing your usage
Updating your plan
Adding Account Members
Paying your bill
Finding accessories for your devices
And much, much more...
   


2011 Verizon Wireless
Verizon Wireless | One Verizon Way | Mail Code: 180WVB | Basking Ridge, NJ 07920
We respect your privacy. Please review our privacy policy for more information

If you are not the intended recipient and feel you have received this email in error; or if you
would like to update your customer notification preferences, please click here.
The malicious payload is at [donotclick]keurigminis.net/main.php?page=c3c45bf60719e629 (report here) hosted on 109.169.86.139 (Rapidswitch / iomart Hosting Ltd / ThrustVPS, UK).

BBB Spam / sushfpappsbf.ru

I have't seen any fake BBB spam for a while, but here it is.. this new spam run leads to malware on sushfpappsbf.ru.
Date:      Wed, 20 Jun 2012 05:20:45 +0100
From:      LamarHF4AF78ZFq@gmail.com
Subject:      Urgent information from BBB

Attn: Owner/Manager

Here with the Better Business Bureau notifies you that we have received a complaint (ID 615337145)
from one of your customers with respect to their dealership with you.

Please open the COMPLAINT REPORT below to obtain more information on this matter and let us know of your point of view as soon as possible.

We are looking forward to your prompt reply.
Regards,

Lamar WILHELM


The malicious payload is at [donotclick]sushfpappsbf.ru:8080/forum/showthread.php?page=5fa58bce769e5c2c (report here) which is multihomed on the following IPs:

94.20.30.91 (Delta Telecom, Azerbaijan)
124.124.212.172 (Reliance Communications, India)
173.224.209.130 (Psychz Networks, US)
213.17.171.186 (Netia SA, Poland)

The following IPs and domain names are connected with this malware run and should be blocked if you can:

78.83.233.242
89.111.177.151
94.20.30.91
110.234.176.99
124.124.212.172
173.224.209.130
213.17.171.186
girlsnotcryz.ru
harmoniavslove.ru
huletydyshish.ru
monashkanasene.ru
pekarniamsk.ru
piloramamoskow.ru
saprolaunimaxim.ru
seledkindoms.ru
sumatranajuge.ru
sushfpappsbf.ru

Monday, 18 June 2012

"UPS Quantum View" spam / leadgems.net

A new version of this malicious spam run is under way, this time with a malicious payload at leadgems.net.

The payload page is at [donotclick]leadgems.net/main.php?page=940489e6fc8f17ed (report here) which is hosted on 192.84.186.206 (Seinajoki University of Applied Sciences, Finland).. presumably a hacked server.

Blocking access to 192.84.186.206 will prevent any other malicious sites on the same server from causing a problem.

Friday, 15 June 2012

"Your UPS shipment tracking number" / autobouracky.net

Another UPS spam leading to malware, this time on autobouracky.net:

From:     UPS Quantum View auto-notify@ups.com
Date:     15 June 2012 14:34
Subject:     Your UPS shipment tracking number.

Discover more about UPS:
Visit www.ups.com
Sign Up For Additional E-Mail From UPS
Read Compass Online
My Choice

   

This message was sent to you at the request of ICRealtime Security Solutions LLC to notify you that the electronic shipment information below has been transmitted to UPS. The physical package(s) may or may not have actually been tendered to UPS for shipment. To verify the actual transit status of your shipment, click on the tracking link below or contact ICRealtime Security Solutions LLC directly.

Important Delivery Information

Scheduled Delivery: 09-May-2012

Shipment Detail
Ship To:
xxxxxxxxxx
CSI SECURITY
2269 JEFFERIES HWY.
WALTERBORO
SC
29488
US

Number of Packages:     1
UPS Service:     GROUND
Weight:     9.0 LBS

Tracking Number:     1ZX603R40369384687
Reference Number 1:     47479
Reference Number 2:     20872

Click here to track if UPS has received your shipment or visit
http://www.ups.com/WebTracking/track?loc=en_US on the Internet.



____2@@2@@2wowT7qQAXmBSs4ogrWusagY4wa____

© 2012 United Parcel Service of America, Inc. UPS, the UPS brandmark, and the color brown are trademarks of United Parcel Service of America, Inc. All rights reserved.
For more information on UPS's privacy practices, refer to the UPS Privacy Policy.
Please do not reply directly to this e-mail. UPS will not receive any reply message.
For questions or comments, visit Contact UPS.

This communication contains proprietary information and may be confidential.  If you are not the intended recipient, the reading, copying, disclosure or other use of the contents of this e-mail is strictly prohibited and you are instructed to please delete this e-mail immediately.
Privacy Notice
Contact UPS

The malicious payload is at [donotclick]autobouracky.net/main.php?page=0e1cb9b71ef021b2 (report here) which is hosted on 173.208.252.207 (Datashack, US).

rzmanagement.ru / "Rock Zone Management" fake job offer

Another fake job offer in this long running scam:

Date:      Fri, 15 Jun 2012 23:17:59 +0900
Subject:      Job Application Pending

Hello xxxxxxxxx


Thank you for submitting your information for potential employment opportunities.
We look forward to reviewing your application,
but can not do so until you complete our internal application.

Prior to begin able to be considered, you will first need you to formally apply.
Please go here to begin the process:

http://rzmanagement.ru

Also, the following perks are potentially available:

- Paid Time Off
- Health Benefits Package
- Higher than average salaries
- Tuition Reimbursement
- Extensive 401(k)program

Please take the time to follow the directions and complete the entire application process.

******************
There is no job on offer, the idea of the spam is to get you to sign up for a credit check and some get-rich-quick schemes.

rzmanagement.ru is hosted on 91.217.162.214 (Voejkova Nadezhda, Ukraine) which hosts several other scam sites. You might want to consider blocking access to 91.217.162.0/24 if these are bothering you.

"Verizon wireless online bill" spam / savecoralz.net

This fake Verizon Wireless spam leads to malware on savecoralz.net:
Date:      Thu, 14 Jun 2012 18:20:21 +0200
From:      "AccountNotify@verizonwireless.com" [eAccountNotify@verizonwireless.com]
Subject:      Verizon wireless online bill.



   
    �
Important account information from Verizon Wireless
Your current bill for your account ending in XXXX-XX001 is now available online in My Verizon
Total Balance Due: $46.62
Scheduled Automatic Payment Date: 05/29/2012
Keep in mind that payments and/or adjustments made to your account after your bill was generated will be deducted from your automatic payment amount.

> View and Pay Your Bill

Thank you for choosing Verizon Wireless.

   

   
My Verizon is also available 24/7 to assist you with:
Viewing your usage
Updating your plan
Adding Account Members
Paying your bill
Finding accessories for your devices
And much, much more...
   


2011 Verizon Wireless
Verizon Wireless | One Verizon Way | Mail Code: 180WVB | Basking Ridge, NJ 07920
We respect your privacy. Please review our privacy policy for more information

If you are not the intended recipient and feel you have received this email in error; or if you
would like to update your customer notification preferences, please click here.
   
The malicious payload is exactly the same as used in this attackwhich is running at the same time.

UPS Spam / savecoralz.net and autosnort.net

This fake UPS spam leads to malware on savecoralz.net:

Date:      Thu, 14 Jun 2012 20:52:08 +0200
From:      "UPS Quantum View" [auto-notify@ups.com]
Subject:      Track your UPS delivery online.

Discover more about UPS:
Visit www.ups.com
Sign Up For Additional E-Mail From UPS
Read Compass Online

  

This message was sent to you at the request of ICRealtime Security Solutions LLC to notify you that the electronic shipment information below has been transmitted to UPS. The physical package(s) may or may not have actually been tendered to UPS for shipment. To verify the actual transit status of your shipment, click on the tracking link below or contact ICRealtime Security Solutions LLC directly.

Important Delivery Information

Scheduled Delivery: 09-May-2012

Shipment Detail
Ship To:
xxxxxxxxxx
CSI SECURITY
2269 JEFFERIES HWY.
WALTERBORO
SC
29488
US

Number of Packages:     1
UPS Service:     GROUND
Weight:     9.0 LBS

Tracking Number:     1ZX603R40369384687
Reference Number 1:     47479
Reference Number 2:     20872

Click here to track if UPS has received your shipment or visit
http://www.ups.com/WebTracking/track?loc=en_US on the Internet.



____2@@2@@2wowT7qQAXmBSs4ogrWusagY4wa____

� 2012 United Parcel Service of America, Inc. UPS, the UPS brandmark, and the color brown are trademarks of United Parcel Service of America, Inc. All rights reserved.
For more information on UPS's privacy practices, refer to the UPS Privacy Policy.
Please do not reply directly to this e-mail. UPS will not receive any reply message.
For questions or comments, visit Contact UPS.

This communication contains proprietary information and may be confidential.� If you are not the intended recipient, the reading, copying, disclosure or other use of the contents of this e-mail is strictly prohibited and you are instructed to please delete this e-mail immediately.
Privacy Notice
Contact UPS

Other subjects include:
Your UPS delivery tracking number.
Your UPS shipment tracking number.


The malicious payload is at [donotclick]savecoralz.net/main.php?page=2a709dab1e660eaf (report here) hosted on the following IPs:

109.164.221.176 (Swisscom, Switzerland)
46.162.27.165 (Interphone, Ukraine)

The domain autosnort.net is hosted on the same IPs and is probably also malicious.

Plain list for copy-and-pasting:

109.164.221.176
46.162.27.165
savecoralz.net
autosnort.net

Thursday, 14 June 2012

Apparently FilesTube are handling tax payments now..

Apparently FilesTube are handling tax payments now.. or maybe some malware spammer has gotten their campaign confused.

Date:      Thu, 14 Jun 2012 06:14:40 +0300
From:      "FilesTube" [filestube@filestube.com]
Subject:      Tax Payment N 98426758 is failed.

Hello,


Your Federal Tax Payment ID: 08432389 has been rejected.

Return Reason Code C11 � The identification number used in the Company Identification Field is not valid.


Please, check the information and refer to Code U 56 to get details about

your company payment in transaction contacts section:



http://eftps.gov/N6936721773



CARLY BLOCK,

The Electronic Federal Tax Payment System

The link goes to a malicious page at [donotclick]sumatranajuge.ru:8080/forum/showthread.php?page=5fa58bce769e5c2c (report here) which is multihomed on the following IPs:

78.83.233.242 (Spectrum Net JSC, Bulgaria)
110.234.176.99 (Tulip Telecom, India)
173.224.209.130 (Psychz Networks, US)
213.17.171.186 (Netia SA, Poland)

Plain list for copy-and-pasting:
78.83.233.242
110.234.176.99
173.224.209.130
213.17.171.186


Related domains:
huletydyshish.ru
saprolaunimaxim.ru
seledkindoms.ru
girlsnotcryz.ru
sumatranajuge.ru

"American Airlines Order" / saprolaunimaxim.ru

This fake American Airlines spam leads to malware on saprolaunimaxim.ru:

From: "Tereasa Mcwilliams" [lourdes@petalfresh.net]
Date: 14 June 2012 01:36:47 GMT+01:00
Subject: FWD: American Airlines Order


Dear Customer,

FLIGHT NUMBER A47-282
DATE & TIME / JUNE 26, 2012, 12:148 PM
ARRIVING: NEW YORK JFK
TOTAL PRICE : 285.54 USD

Please download and print out your ticket here:
DOWNLOAD

Amercian Airlines

The malicious payload is at [donotclick]saprolaunimaxim.ru:8080/forum/showthread.php?page=5fa58bce769e5c2c (report here) which is the same as used in this attack two days ago, however since then the IPs have changed to:

78.83.233.242 (Spectrum Net JSC, Bulgaria)
173.224.209.130 (Psychz Networks, US)

The following domains and IPs are related and should be blocked if you can:
50.57.43.49
50.57.88.200
78.83.233.242
89.108.75.155
89.111.177.151
173.224.209.130
187.85.160.106
girlsnotcryz.ru
hamlovladivostok.ru
holigaansongeer.ru
huletydyshish.ru
insomniacporeed.ru
paranoiknepjet.ru
pekarniamsk.ru
piloramamoskow.ru
pistolitnameste.ru
puleneprobivaemye.ru
pushkidamki.ru
saprolaunimaxim.ru
seledkindoms.ru
spbfotomontag.ru
uzindexation.ru

Wednesday, 13 June 2012

LinkedIn spam / 74.91.112.248

This fake LinkedIn spam appears to lead to a malicious payload on 74.91.112.248:

Date:      Wed, 13 Jun 2012 14:58:15 +0200
From:      "LinkedIn©" [mvclient@mediavisions.net]
Subject:      Express LinkedIn Mail

LinkedIn
REMINDERS

Invitation reminders:
• From kristen redshaw (Country General Manager at Toshiba)


PENDING MESSAGES

• There are a total of 3 messages awaiting your response. Visit your InBox now.

Don't want to receive email notifications? Adjust your message settings.

LinkedIn values your privacy. At no time has LinkedIn made your email address available to any other LinkedIn user without your permission. © 2012, LinkedIn Corporation.

The malicious payload is on [donotclick]74.91.112.248/page.php?p=88fe38de which is hosted on Nuclear Fallout Enterprises in the US.

"Your credit card is blocked" spam / seledkindoms.ru

This spam leads to malware on seledkindoms.ru:
Date:      Wed, 13 Jun 2012 05:27:07 -0500
From:      Michel Boudreaux via LinkedIn [member@linkedin.com]
Subject:      Your credit card is blocked

Dear Client,



CAUTION: Your credit card is blocked!



With your credit card was removed USD 58,05

Possibly illegal transaction!



VIEW YOUR STATEMENT





Immediately contact your bank .

Best Wishes, VISA Customer Services.


The malicious payload is at [donotclick]seledkindoms.ru:8080/forum/showthread.php?page=5fa58bce769e5c2c hosted on the following IPs:

50.57.43.49 (Slicehost, US)
89.108.75.155 (Agava Ltd, US)

Here's another spam with the same payload:

Date:      Wed, 13 Jun 2012 06:21:51 +0200
From:      "Classmates . com" [classmatesemail@accounts.classmates.com]
Subject:      clongmore, Please confirm your email address with Classmates

        Help us ensure your Classmates� notifications   
      
      
      
Hi xxxxxxxxxx,
Thanks for joining Classmates�. Please click the button below to help us ensure future email delivery.
Yes, this is xxxxxxxxxx �
Not xxxxxxxxxx, please click here.
      
   
   
Your account details
Registration Number: 3164106744
Email Address: xxxxxxxxxx
Your Password: 534B962E Change password
   
   
   
You can change your password to whatever you want.

Change it now �
   
      
      
   
    Tips on finding the posts, photos and stories that people
are sharing with your community.
      
      
    TO PROTECT YOUR PRIVACY:
Do not forward this email to anyone not authorized by you to access your profile. For more information, see our Privacy Policy.

You are receiving this email as part of your Memory Lane membership.

We are unable to respond to messages sent to this automated email address, so if you have questions or have received this message in error, visit the Online Help Center.

Memory Lane, Inc., d/b/a Classmates.com 333 Elliott Ave. W., Seattle, WA 98119
� 1995-2012 Memory Lane, Inc., d/b/a Classmates.com. All Rights Reserved.  

ff

Tuesday, 12 June 2012

"Confirm your Twitter account" spam / saprolaunimaxim.ru

This fake twitter spam leads to malware at saprolaunimaxim.ru.
Date:      Tue, 12 Jun 2012 12:43:11 -0500
From:      Twitter
Subject:      Confirm your Twitter account, xxxxxxxx!

Hi, xxxxxxxx.

Please confirm your Twitter account by clicking this link:

Please click here.

Once you confirm, you will have full access to Twitter and all future notifications will be sent to this email address.

The Twitter Team

If you received this message in error and did not sign up for a Twitter account, click not my account.

Please do not reply to this message; it was sent from an unmonitored email address. This message is a service email related to your use of Twitter. For general inquiries or to request support with your Twitter account, please visit us at Twitter Support.


The domain and payload appear to be the same as this spam. Avoid.

PayPal / eBay spam and kidwingz.net

These fake PayPal / eBay emails lead to malware:

Date:      Tue, 12 Jun 2012 16:56:54 +0200
From:      "PayPal" [notify@paypal.com]
To:      xxxxxxxxxxxxx
Subject:      Your Ebay.com transaction details.


    Transaction ID: 24818126
Hello xxxxxxxxxxxxx,

You sent a payment of $847.48 USD to Quentin Cotton

Thanks for using PayPal. To see all the transaction details, Log In to your PayPal account.
   

It may take a few moments for this transaction to appear in your account.

Seller

Fernando.Edwards@yahoo.com     Note to seller
You haven't included a note.
Shipping address - confirmed
4787 Hyde Rd
NY 13104-9402
United States
    Shipping details
The seller hasn't provided any shipping details yet.

Description     Unit price     Qty     Amount
PHOTAX PLASTIC SLIDE CASE PLUS 175 x 35mm SLIDES
Item# 263420914
    $847.48 USD     23     $847.48 USD
   
Shipping and handling     $0.00 USD
Insurance - not offered     ----
Total     $847.48 USD
Payment     $847.48 USD


   

Issues with this transaction?
You have 45 days from the date of the transaction to open a dispute in the Resolution Center.

Questions? Go to the Help Center at: www.paypal.com/help.

Please do not reply to this email. This mailbox is not monitored and you will not receive a response. For assistance, log in to your PayPal account and click Help in the top right corner of any PayPal page.

You can receive plain text emails instead of HTML emails. To change your Notifications preferences, log in to your account, go to your Profile, and click My settings.


PayPal Email ID PP108

===================


Date:      Tue, 12 Jun 2012 16:52:26 +0200
From:      "PayPal" [notify@paypal.com]
To:      xxxxxxxxxxxxx
Subject:      Your Paypal.com transaction confirmation.


    Transaction ID: 59064148
Hello xxxxxxxxxxxxx,

You sent a payment of $977.48 USD to Elijah Bray

Thanks for using PayPal. To see all the transaction details, Log In to your PayPal account.
   

It may take a few moments for this transaction to appear in your account.

Seller

Abby.Ford@yahoo.com     Note to seller
You haven't included a note.
Shipping address - confirmed
4787 Hyde Rd
WY 48034
United States
    Shipping details
The seller hasn't provided any shipping details yet.

Description     Unit price     Qty     Amount
Vintage photo sexy college girls 1990's or 2000's
Item# 347197370
    $977.48 USD     23     $977.48 USD
   
Shipping and handling     $0.00 USD
Insurance - not offered     ----
Total     $977.48 USD
Payment     $977.48 USD


   

Issues with this transaction?
You have 45 days from the date of the transaction to open a dispute in the Resolution Center.

Questions? Go to the Help Center at: www.paypal.com/help.

Please do not reply to this email. This mailbox is not monitored and you will not receive a response. For assistance, log in to your PayPal account and click Help in the top right corner of any PayPal page.

You can receive plain text emails instead of HTML emails. To change your Notifications preferences, log in to your account, go to your Profile, and click My settings.


PayPal Email ID PP646
The malicious payload is at [donotclick]kidwingz.net/main.php?page=614411383eef8d9 (report here) which is hosted at 68.71.222.8 (Disney Online, Florida) which is the same IP address used in this similar attack and is therefore definitely worth blocking.

"Your Flight Order А994284" / saprolaunimaxim.ru

This fake flight email leads to malware on saprolaunimaxim.ru.

From: Simonne Storey [sandy@krishermckay.com]
Subject: Your Flight Order А994284

Dear Customer,

FLIGHT NUMBER A45-342
DATE & TIME / JUNE 27, 2012, 10:140 PM
ARRIVING: NEW YORK JFK
TOTAL PRICE : 456.62 USD

Please download and print out your ticket here:
DOWNLOAD

Amercian Airlines{br[1-5]}

The link hoes to a malicious payload on [donotclick]saprolaunimaxim.ru:8080/forum/showthread.php?page=5fa58bce769e5c2c (report here) hosted on the following IP addresses:

89.108.75.155 (Agava Ltd, Russia)
50.57.43.49 (Slicehost, US)
50.57.88.200 (Slicehost, US)

The following IPs and domains are also connected to this malware and should be considered hostile:
girlsnotcryz.ru
hamlovladivostok.ru
holigaansongeer.ru
paranoiknepjet.ru
piloramamoskow.ru
pistolitnameste.ru
pushkidamki.ru
spbfotomontag.ru
stroby.ru
uzindexation.ru
31.17.189.212
50.57.43.49
50.57.88.200
89.108.75.155
184.106.200.65
187.85.160.106

partyysoon.info injection attack in progress

I haven't had much time to analyse this yet, but there seems to be some sort of injection attack using the domain partyysoon.info. It may be targeting sites in Sweden.

Malicious URLs (don't click these, obviously):
hxxp:||partyysoon.info/index.php
hxxp:||partyysoon.info/js_pa/F.class
hxxp:||partyysoon.info/Set.jar
hxxp:||gotchasworkspaces.in/duquduqu1/font.php
hxxp:||beards.christianmomsgetaways.com/index.php?p=b2e04035f7b91e43

These IPs and domains are all related to the attack:

5.10.65.142 (Spinor J Ltd / Ulrik Sjafalander, Sweden)
partyysoon.info
(Part of a small block of 5.10.65.136 - 5.10.65.143)

141.101.239.97 (Leadertelecom, Russia)
beards.christianmomsgetaways.com
volumea.offerscrate.com
wagea.hcop.com
sexof2a0b5.serveusers.com
sexo41e92f.serveusers.com
beds.fivedollarprogram.info
visitora.legitimatepaidsurveystips.info

69.65.42.35 (Gigenet, US)
gotchasworkspaces.in
kopachrats.info

Blocking access to these IPs might be prudent.

Wire Transfer / HP spam and pistolitnameste.ru

These two fake "wire transfer spams" lead to malware on pistolitnameste.ru

From: "AUSTIN MCDOWELL" [AUSTINMCDOWELLsXmqTdYQvU@hotmail.com]
Date: 11 June 2012 16:54:23 GMT+01:00
Subject: Fwd: Re: Wire Transfer
Dear Bank Account Operator,
WIRE TRANSACTION: WIRE-1987953358499039
CURRENT STATUS: CANCELLED

You can find details in the attached file.(Internet Explorer file)

=============

From: JessicaPecinousky@hotmail.com [mailto:JessicaPecinousky@hotmail.com]
Sent: 11 June 2012 07:13
Subject: Fwd: Wire Transfer Confirmation (FED 5419DS49)

Dear Bank Account Operator,
WIRE TRANSACTION: WIRE-84685588475552771
CURRENT STATUS: CANCELLED

You can find details in the attached file.(Internet Explorer file)

The spammers have their campaigns mixed up - the payload on this is a ZIP file with a HTML file called something similar to HP_DocumentN8983.htm which is the one they use for fake printer spam. The malicious payload is at [donotclick]pistolitnameste.ru:8080/forum/showthread.php?page=5fa58bce769e5c2c (report here) hosted on 50.57.43.49 and 50.57.88.200 (both Slicehost, US).

The following domains are part of the same malware cluster and should also be avoided:
pistolitnameste.ru
puleneprobivaemye.ru
spbfotomontag.ru
pushkidamki.ru
mazdaforumi.ru
hamlovladivostok.ru
uzindexation.ru
holigaansongeer.ru
paranoiknepjet.ru
piloramamoskow.ru
girlsnotcryz.ru