This spam leads to malware ondiareuomop.ru:From: Carleen GarrettThe payload is at [donotclick]diareuomop.ru:8080/forum/links/column.php hosted on the following IPs:
Sent: Tuesday, September 18, 2012 3:17:33 PM
Subject: Photos
Hi,
as promised your photos - http://flyershot.com/gallery.htm
Date: Mon, 17 Sep 2012 08:54:50 -0600
From: "Mason Jordan" [LillieRoell@digitalnubia.com]
Subject: Your Intuit.com software order.
Attachments: Intuit_Order_A49436.htm
Dear customer: Thank you for ordering from Intuit Market. We are processing and will message you when your order ships. If you ordered multiple items, we may sned them in more than one delivery (at no extra cost to you) to ensure quicker delivery. If you have questions about your order please call 1-900-130-1601 ($4.79/min).
ORDER INFORMATION
Please download your complete order id #1197744 from the attachment.(Open with Internet Explorer)
�2012 Intuit, Inc. All rights reserved. Intuit, the Intuit Logo, Quickbooks, Quicken and TurboTax, among others, are registered trademarks of Intuit Inc.
The malicious payload is at [donotclick]virtual-geocaching.net/main.php?page=7de3f5c4200c896e (report here) on 203.91.113.6 (G Mobile, Mongolia) as used in this recent attack and several others.
Date: Mon, 17 Sep 2012 11:28:14 -0600
From: Internal Revenue Service [tangierss4@porterorlin.com]
Subject: IRS report of not approved tax transfer
Your State Tax transfer (ID: 30062091798009), recently sent from your checking account was returned by Internal Revenue Service payment processing unit.
Not Accepted Tax transaction
Tax Transaction ID: 30062091798009
Reason of rejection See details in the report below
Federal Tax Transaction Report tax_report_30062091798009.doc (Microsoft Word Document)
Internal Revenue Service 3192 Aliquam Rd. Davis 71320 VA
From: Internal Revenue Service [mailto:fascinatesh07@deltamar.net]
Sent: 17 September 2012 15:30
Subject: Your federal tax transaction has been not accepted
Your State Tax transaction (ID: 60498447771657), recently initiated from your bank account was canceled by The Electronic Federal Tax Payment System.
Not Accepted Tax transaction
Tax Transaction ID: 60498447771657
Rejection code See details in the report below
Income Tax Transaction Report tax_report_60498447771657.doc (Microsoft Word Document)
Internal Revenue Service Ap #822-9450 Cum Avenue Edmond 33020 MI
Date: Mon, 17 Sep 2012 08:39:16 -0300The numbers vary in each email, from single digits to quite long sequences. The body text is always "Hi", nothing appears to be hidden or malicious in any way. One characteristic is that the recipient is not usually the one in the "To" field as the spam is using the BCC field to suppress recipients.
Subject: Re: 89898877282500
Hi
From: ADP_Online_Invoice_DoNotReply@adp.com ADP_Online_Invoice_DoNotReply@adp.com
Date: 13 September 2012 14:29
Subject: ADP Invoice Reminder
Your latest ADP Dealer Services Invoice is now available to view or pay online at ADP Online Invoice Management .
To protect the security of your data, you will need to enter your ID and password, then click on Access your Online Invoice Management account.
Total amount due by September 13, 2012
$17202.04
If you have already sent your payment please disregard this friendly reminder and Thank you for choosing ADP.
Questions about your bill?
Contact David Nieto by Secure Mail.
Note: This is an automated email. Please do not reply.
Date: Tue, 11 Sep 2012 15:32:42 -0300
From: "US Airways - Reservations" [reservations@myusairways.com]
Subject: Please confirm your US Airways online registration.
You can check in from 24 hours and up to 60 minutes before your flight (2 hours if you're flying internationally). Then, all you need to do is print your boarding pass and proceed to the gate.
Confirmation code: 592499
Check-in online: Online reservation details
Flight
6840
Departure city and time
Washington, DC (DCA) 10:00PM
Depart date: 9/12/2012
We are committed to protecting your privacy. Your information is kept private and confidential. For information about our privacy policy visit usairways.com.
US Airways, 111 W. Rio Salado Pkwy, Tempe, AZ 85281 , Copyright US Airways , All rights reserved.
==========
Date: Tue, 11 Sep 2012 23:29:14 +0700
From: "US Airways - Reservations" [intuitpayroll@e.payroll.intuit.com]
Subject: US Airways online check-in.
you {l2} check in from 24 hours and up to 60 minutes before your flight (2 hours if you're flying {l3}). {l4}, all you {l5} to do is print your boarding pass and {l6} to the gate.
confirmation code: {digit}
check-in online: online reservation details
flight
{digit}
departure city and time
washington, dc (dca) 10:00pm
depart date: 9/12/2012
we are committed to protecting your privacy. your information is kept private and confidential. for information about our privacy policy visit usairways.com.
us airways, 111 w. rio salado pkwy, tempe, az 85281 , copyright us airways , all rights reserved.
Date: Thu, 6 Sep 2012 11:00:28 -0600
From: BillingOnline@fedex.com
Subject: Your Fedex invoice is ready to be paid now.
FedEx Billing Online - Ready for Payment
fedex.com
<td wid="th="10"" rowspan="2">
Hello [redacted]
You have a new not paid bill from FedEx that is ready for payment.
The following ivoice(s) are ready for your review :
<table border-top="1px solid #000" solid="" #000"="" border-left="1px solid #ccc" border="-bottom="1px" height="55" width="473">
<td= class="resultstableheader">
Invoice Number
7215-17193
To pay or review these invoices, please sign in to your FedEx Billing Online account by clicking on this link: http://www.fedex.com/us/account/fbo
Note: Please do not use this email to submit payment. This email may not be used as a remittance notice. To pay your invoices, please visit FedEx Billing Online, http://www.fedex.com/us/account/fbo
Thank you,
Revenue Services
FedEx
This message has been sent by an auto responder system. Please do not reply to this message.
The content of this message is protected by copyright and trademark laws under U.S. and international law.
Review our privacy policy. All rights reserved.
Records passed to us show you're entitled to a refund approximately £2560 in compensation from mis-selling of PPI on your credit card or loan.Reply INFO or stop
From: HM Revenue & Customs [mailto:refund.request@hmrc.gov.uk]
Sent: 05 September 2012 14:27
Subject: Tax Refund Alert - Action Required
How to complain, ask for a review or make an appeal
Review process update
Review process - the first 12 months. Find out more
Claim Your Tax Refund Online
We identified an error in the calculation of your tax from the last payment, amounting to £ 859.00. In order for us to return the excess payment, we need to confirm a few extra details after which the funds will be credited to your specified bank account. Please click "Refund Me Now" below to claim your refund:
Refund Me Now
We are here to ensure the correct tax is paid at the right time, whether this relates to payment of taxes received by the department or entitlement to benefits paid.
Best Regards,
HM Revenue & Customs Refund Department
• See also
• Appeal and review news
• Working and paying tax
• Pensioners
• Find a form
• Complaints factsheet C/FS (PDF 67K)
• Feedback
Date: Tue, 04 Sep 2012 10:43:03 +0100
From: "noreply" [noreply@linkedin.com]
Subject: Link LinkedIn Mail
REMINDERS
Invitation reminders:
• From Charlie Alexander (Mexico Key Account Director at Quanta)
PENDING MESSAGES
• There are a total of 5 messages awaiting your response. Visit your InBox now.
Don't want to receive email notifications? Adjust your message settings.
LinkedIn values your privacy. At no time has LinkedIn made your email address available to any other LinkedIn user without your permission. © 2012, LinkedIn Corporation.
Date: Tue, 28 Aug 2012 11:04:30 -0400
From: "Intuit Payroll Services" [intuitpayroll@e.payroll.intuit.com]
Subject: QuickBooks Security Update
You will not be able to access your Intuit QuickBooks without updated Intuit Security Tool (IST™) after 31th of August, 2012.
You can update Intuit Security Tool here.
After a successful download please run the setup for an automatic installation, then login to Intuit Quickbooks online to check that it is working properly.
This email was sent from an auto-notification system that can't accept incoming email. Please don't reply to this message.
You have received this business communication as part of our efforts to fulfill your request or service your account.
You may receive this and other business communications from us even if you have opted out of marketing messages.
Terms, conditions, pricing, features, and service options are subject to change. View our complete Terms of Service.
Date: Mon, 27 Aug 2012 18:15:37 +0300
From: "Internal Revenue Service" [irs@service.govdelivery.com]
Subject: Federal Tax transaction canceled
Your Tax transaction (ID: 849395748011), recently sent from your checking account was canceled by the your financial institution.
Rejected Tax transfer
Tax Transaction ID: 849395748011
Return Reason See details in the report below
FederalTax Transaction Report tax_report_849395748011.doc (Microsoft Word Document)
Internal Revenue Service, Metro Plex 1, 8401 Corporate Drive, Suite 300, Landover, MD 20785
==========
Date: Mon, 27 Aug 2012 16:41:45 +0200
From: "Internal Revenue Service" [irs@service.govdelivery.com]
Subject: Rejected Federal Tax payment
Your Tax transaction (ID: 13394702616857), recently initiated from your bank account was returned by the your Bank.
Rejected Tax transfer
Tax Transaction ID: 13394702616857
Reason for rejection See details in the report below
Tax Transaction Report tax_report_13394702616857.doc (Microsoft Word Document)
Internal Revenue Service, Metro Plex 1, 8401 Corporate Drive, Suite 300, Landover, MD 20785
==========
Date: Mon, 27 Aug 2012 16:41:35 +0200
From: "Internal Revenue Service" [support@govdelivery.com]
Subject: Federal Tax payment canceled
Your Tax transaction (ID: 7227784606474), recently initiated from your bank account was returned by the The Electronic Federal Tax Payment System.
Rejected Tax transfer
Tax Transaction ID: 7227784606474
Reason for rejection See details in the report below
FederalTax Transaction Report tax_report_7227784606474.doc (Microsoft Word Document)
Internal Revenue Service, Metro Plex 1, 8401 Corporate Drive, Suite 300, Landover, MD 20785
Date: Fri, 17 Aug 2012 06:50:08 -0400
From: "Global Express" [ups-services@ups.com]
Subject: Re: FW: End of Aug. Stat. Required
Attachments: Invoices-26-2012.htm
Hallo,
as reqeusted I give you inovices issued to you per july.
Regards
Date: Thu, 16 Aug 2012 12:20:25 +0500The malicious payload is on [donotclick]anapoli.ru:8080/forum/showthread.php?page=5fa58bce769e5c2c (report here) hosted on a bunch of familiar looking IP addresses:
From: Mariah Gunn via LinkedIn [member@linkedin.com]
Subject: Fwd: Scan from a Hewlett-Packard ScanJet #88682504
Attachments: HP_scanDoc.htm
Attached document was scanned and sent
to you using a Hewlett-Packard HP 90027P.
SENT BY : SAVANNAH
PAGES : 1
FILETYPE: .HTML [Internet Explorer File]
The malicious spam pushers are trying very hard today to drive traffic to their malware site on mskoblastionline.ru with a variety of familiar-looking spam emails:Date: Wed, 15 Aug 2012 01:20:05 -0400
From: CarinaRue@mail.com
Subject: Fwd: Wire Transfer (1408EA58)
Attachments: Wire_Transfer_N839.htm
Dear Operator,
WIRE TRANSACTION: AC-961141236714971
STATUS: CANCELLED
You can find details in the attached file.
==========
Date: Wed, 15 Aug 2012 10:51:49 -0500
From: "LEILANI Roe" [RoeRmLEILANI@hotmail.com]
Subject: Fwd: Re: Wire Transfer Confirmation
Attachments: Wire_Transfer_N839.htm
Dear Operator,
WIRE TRANSACTION: AC-6427060719674502
STATUS: CANCELLED
You can find details in the attached file.
==========
Date: Wed, 15 Aug 2012 12:31:44 +0300
From: sales1@victimdomain.com
Subject: Re: Your Flight US 34-4827
Attachments: FLIGHT_TICKET_US1650023.htm
Dear Customer,
FLIGHT NUMBER 42463-8276
DATE/TIME : SEPT 27, 2012, 11:12 PM
ARRIVING AIRPORT: SAN-DIEGO AIRPORT
PRICE : 449.06 USD
Your bought ticket is attached to the letter as a scan document .
To use your ticket you should print it.
ESMERALDA KNUTSON,
==========
Date: Wed, 15 Aug 2012 08:06:14 +0100
From: Collene Varner via LinkedIn [member@linkedin.com]
Subject: Fwd: Re: Your Flight US 65-46595
Attachments: FLIGHT_TICKET_US284399461.htm
Dear Customer,
FLIGHT NUMBER 4108-2738
DATE/TIME : SEPT 21, 2012, 10:15 PM
ARRIVING AIRPORT: SAN-DIEGO AIRPORT
PRICE : 083.97 USD
Your bought ticket is attached to the letter as a scan document .
To use your ticket you should print it.
Abeni PINA,
==========
Date: Wed, 15 Aug 2012 00:50:03 -0800
From: LinkedIn [welcome@linkedin.com]
Subject: Fwd: Better Business Bureau Complaint
Attachments: Complaint_ID45JG836043169.htm
Good afternoon,
Here with the Better Business Bureau would like to inform you that we have received a complaint (ID 1630630165) from a customer of yours in regard to their dealership with you.
Please open the COMPLAINT REPORT attached to this email (open with Internet Explorer/Mozilla Firefox) to view the details on this issue and suggest us about your position as soon as possible.
We hope to hear from you shortly.
Regards,
KARRI PENA
Dispute Counselor
Better Business Bureau
==========
Date: Wed, 15 Aug 2012 04:02:26 +0600
From: Ashley Madison [donotreply@ashleymadison.com]
Subject: Re: Better Business Bureau Complaint
Attachments: Complaint_N35XL147712.htm
Good afternoon,
Here with the Better Business Bureau would like to inform you that we have received a complaint (ID 63959031295)
from a customer of yours in regard to their dealership with you.
Please open the COMPLAINT REPORT attached to this email (open with Internet Explorer/Mozilla Firefox) to view the details on this issue and suggest us about your position as soon as possible.
We hope to hear from you shortly.
Regards,
CONNIE DORAN
Dispute Counselor
Better Business Bureau
==========
The malicious payload is at [donotclick]mskoblastionline.ru:8080/forum/showthread.php?page=5fa58bce769e5c2c (report here) hosted on the following IPs:
Date: Wed, 15 Aug 2012 05:31:19 -0500
From: LinkedIn Connections [connections@linkedin.com]
Subject: Re: Fwd: Better Business Bureau Complaint
Attachments: Complaint_ID61Zu4932887.htm
Good afternoon,
Here with the Better Business Bureau would like to inform you that we have received a complaint (ID 501379901) from a customer of yours in regard to their dealership with you.
Please open the COMPLAINT REPORT attached to this email (open with Internet Explorer/Mozilla Firefox) to view the details on this issue and suggest us about your position as soon as possible.
We hope to hear from you shortly.
Regards,
Romeo Keyes
Dispute Counselor
Better Business Bureau
