
Sunday 30 September 2012

ADP Spam / 69.194.194.221

This fake ADP spam leads to malware on 69.194.194.221:


Date:      Sun, 30 Sep 2012 17:31:05 +0200
From:      "ADP Service" [F07EBCC@pop3.rad.net]
Subject:      New transactions

Your Transaction Report(s) have been uploaded to the web site:



https://www.flexdirect.adp.com/client/login.aspx



Please note that your bank account will be debited within one banking

business day for the amount(s) shown on the report(s).



Please do not respond or reply to this automated e-mail. If you have any

questions or comments, please Contact your ADP Benefits Specialist.



Thank You,

ADP Benefit Services


The malicious payload is at [donotclick]69.194.194.221/links/marked-alter.php (Solar VPS, US).

Friday 28 September 2012

ADP spam / 108.178.59.6

This fake ADP spam leads to malware on 108.178.59.6:

Date:      Fri, 28 Sep 2012 13:22:13 +0300
From:      "ADP Notification" [D7443309@phoenixpv.de]
Subject:      Your Transaction Report(s)

Your Transaction Report(s) have been uploaded to the web site:



https://www.flexdirect.adp.com/client/login.aspx



Please note that your bank account will be debited within one banking

business day for the amount(s) shown on the report(s).



Please do not respond or reply to this automated e-mail. If you have any

questions or comments, please Contact your ADP Benefits Specialist.



Thank You,

ADP Benefit Services


The malicious payload is at [donotclick]108.178.59.6/links/marked-alter.php (Singlehop, US) which looks like a Blackhole 2 exploit kit or similar.

The malware is hosted on this evil network; blocking 108.178.59.0/26 would be wise.

Thursday 27 September 2012

ADP Spam / 69.194.193.37

This fake ADP spam leads to malware on 69.194.193.37:

Date:      Thu, 27 Sep 2012 14:47:54 -0430
From:      "ADP Alert" [FDCA492F@atlanticbeddingandfurniture.com]
Subject:      Transaction Report(s)

Your Transaction Report(s) have been uploaded to the web site:



https://www.flexdirect.adp.com/client/login.aspx



Please note that your bank account will be debited within one banking

business day for the amount(s) shown on the report(s).



Please do not respond or reply to this automated e-mail. If you have any

questions or comments, please Contact your ADP Benefits Specialist.



Thank You,

ADP Benefit Services

The malicious payload is at [donotclick]69.194.193.37/links/marked-alter.php hosted by Solar VPS in the US.

UPS Spam / sectantes-x.ru

This fake UPS spam leads to malware at sectantes-x.ru:


Date:      Thu, 27 Sep 2012 10:03:27 -0400
From:      Habbo Hotel [auto-contact@habbo.com]
Subject:      UPS Tracking Number H8244648923

    USPS .com Customer Services for big savings!     Can't see images? CLICK HERE.    
    UPS UPS SUPPORT 39    
UPS - UPS TEAM 31 >>
   
    Not Ready to Open

an Account?    
       
    The UPS Store® can help with full service packing and shipping.
    Learn More >>   
   
       
   
UPS - Your UPS .com Customer Services
Dear, [redacted]

DEAR CUSTOMER , Delivery Confirmation: Failed

Track your Shipment now!

With best wishes , UPS .com Customer Services.
   
                       
Shipping         Tracking         Calculate Time & Cost         Open an Account
                       
@ 2011 United Parcel Service of America, Inc. Your USPS Team, the UPS brandmark, and the color brown are

trademarks of United Parcel Service of America, Inc. All rights reserved.



This is a marketing e-mail for UPS services. Click here to update your e-mail preferences or to unsubscribe to

Your USPS .US marketing e-mail. For information on UPS's privacy practices, please refer to UPS Privacy Policy.



USPS .com Customer Services, 33 Glenlake Parkway, NE - Atlanta, GA 30580

Attn: Customer Communications Department


The malicious payload is at [donotclick]sectantes-x.ru:8080/forum/links/column.php hosted on the following IP addresses:
84.22.100.108 (Republic CyberBunker, Antarctica - Amsterdam more likely)
190.10.14.196 (RACSA, Costa Rica)
203.80.16.81 (Myren, Malaysia)

The following IPs and domains are all connected and should be blocked:
84.22.100.108
190.10.14.196
203.80.16.81
rumyniaonline.ru
denegnashete.ru
dimabilanch.ru
ioponeslal.ru
soisokdomen.ru
moskowpulkavo.ru
diareuomop.ru
omahabeachs.ru
sectantes-x.ru

In addition, CyberBunker has a long history of spamming and tolerating criminals. Blocking the range 84.22.96.0/19 should afford your network some additional protection.

Intuit spam / buycelluleans.com

This fake Intuit spam leads to malware on buycelluleans.com:

From: Intuit PaymentNetwork [mailto:treacheriesz2@luther.k12.wi.us]
Sent: 27 September 2012 15:24
Subject: Your payroll verification is started by Intuit.


Direct Deposit Service System information
Request status

Dear [redacted]
We received your payroll on September 27, 2012 at 3:28 AM Pacific time.
•    Funds will be transitioned from the bank account number: 6 XXXXX1345 on September 28, 2012.
•    Amount to be withdrawn: $1,107.47
•    Paychecks would be transferred to your employees' accounts on: September 28, 2012
•    Please take a look at your payroll here.
Funds are typically withdrawn before normal bank working hours so please make sure you have sufficient funds available by 12 a.m. Pacific time on the date funds are to be processed.
Intuit must obtain your payroll by 5 p.m. Pacific time, two banking days before your payment date or your personnel payment will be aborted. QuickBooks doesn't proceed payrolls on weekends and federal banking legal holidays. A list of federal banking off-days can be accessed at the Federal Reserve holyday schedule}.
Thank you for your business.
Sincerely,
Intuit Services
NOTICE: This information was sent to inform you of a some actions at your account or software. Please mind that if you confirmed option of receiving informative materials from Intuit QuickBooks you may continue to receive informational materials similar to this message that affect your service or software.
If you have any questions or comments about this email please DO NOT REPLY to this message. If you need further information please contact us.
If you receive an message that appears to come from Intuit but that you suspect is a scam email, submit it on a link below customer feedback .
Copyright 2008-2012 Intuit Inc. QuickBooks and Intuit are registered of or registered service marks of Intuit Inc. in the US and other countries. This email message is not intended to supplement, modify or extend the Intuit software license agreement between you and Intuit for any Intuit product or service.
Intuit Inc. Customer Information Services
2816 A. Commerce Center Place, Tucson, AZ 84516

The malicious payload is at [donotclick]buycelluleans.com/detects/groups_him.php (report here) hosted on 203.91.113.6 (G Mobile, Mongolia). This IP address has been used several times for malware distribution and should be blocked if you can.

SMS Spam: "Hi, we think you may be entitled to compensation.."

These annoying spammers (and probably scammers) are back, sending out their scummy PPI spam messages from +447568105443:

Hi, we think you may be entitled to compensation of up to £3500 from missold PPI on a credit card or loan.
Reply INFO for more info
Reply STOP to quit

I've never been mis-sold PPI, so this is obviously a generic spam. It also looks like an invitation to make a claim even if you're not eligible. And that would be fraud..

If you get one of these, you should forward the spam and the sender's number to your carrier. In the case of T-Mobile, O2 and Orange the number to report to is 7726 ("SPAM"). Vodafone customers should use 87726 ("VSPAM") and Three customers should use 37726 ("3SPAM"). Hopefully the carriers will act if there are enough complaints.

Amazon.com spam / uenwxgvrymch.net

This Amazon.com spam leads to malware on uenwxgvrymch.net:

From: Gabriel Roach [mailto:plectrumsiy0@independentreporters.com]
Sent: 27 September 2012 13:19
To: UK HPEA 2
Subject: Your Amazon.com order of "Fossil Men's FS9367 Black Silicone Bracelet Black Analog Dial Chronograph Watch" has shipped!

Hello,

Shipping Confirmation
Order # 675-5092359-2844093

Your estimated delivery date is:
Friday, August 3 2012

Track your package Thank you for shopping with us. We thought you'd like to know that we shipped this portion of your order separately to give you quicker service. You won't be charged any extra shipping fees, and the remainder of your order will follow as soon as those items become available. If you need to return an item from this shipment or manage other orders, please visit Your Orders on Amazon.com.

Shipment Details

Fossil Men's FS9367 Black Silicone Bracelet Black Analog Dial Chronograph Watch $109.95
Item Subtotal: $109.95
Shipping & Handling: $0.00
Total Before Tax: $109.95
Shipment Total: $109.95
Paid by Visa: $109.95

You have only been charged for the items sent in this shipment. Per our policy, you only pay for items when we ship them to you.

Returns are easy. Visit our .
If you need further assistance with your order, please visit Customer Service.

We hope to see you again soon!
Amazon.com
===

The malicious payload is at [donotclick]uenwxgvrymch.net/links/claims_separate-learns_buy.php?ioufk=353302063538093336083737030a0a040309020703383305030a060906350a0a&pgaxszhs=39&meus=0a340b37043808020237&wzirxo=0a000300040002 (report here) which is hosted on the same IP address as this attack.

Amazon.com spam / ciafgnepbs.ddns.ms

This fake Amazon.com spam leads to malware on ciafgnepbs.ddns.ms:

From: Viola Chatman [mailto:parchesei642@foxvalley.net]
Sent: 27 September 2012 12:10
Subject: Your Amazon.com order of "Casio Men's PRW7035T-6CR Pathfinder Triple Sensor Tough Solar Digital Multi-Function Titanium Pathfinder Watch" has shipped!

Hello,

Shipping Confirmation
Order # 749-1221929-9346291

Your estimated delivery date is:
Friday, August 3 2012

Track your package Thank you for shopping with us. We thought you'd like to know that we shipped this portion of your order separately to give you quicker service. You won't be charged any extra shipping fees, and the remainder of your order will follow as soon as those items become available. If you need to return an item from this shipment or manage other orders, please visit Your Orders on Amazon.com.

Shipment Details

Casio Men's PRW7035T-6CR Pathfinder Triple Sensor Tough Solar Digital Multi-Function Titanium Pathfinder Watch $139.95
Item Subtotal: $139.95
Shipping & Handling: $0.00
Total Before Tax: $139.95
Shipment Total: $139.95
Paid by Visa: $139.95

You have only been charged for the items sent in this shipment. Per our policy, you only pay for items when we ship them to you.

Returns are easy. Visit our .
If you need further assistance with your order, please visit Customer Service.

We hope to see you again soon!
Amazon.com


The malicious payload is at [donotclick]ciafgnepbs.ddns.ms/links/claims_separate-learns_buy.php hosted on 62.109.23.82 (TheFirst-RU, Russia). The suspect domain ynrteqhsobjv.dnset.com is on the same server, so blocking that IP address would also protect against other malicious sites hosted there.

You might also want to consider blocking all ddns.ms and dnset.com domains. This type of Dynamic DNS domain does have its uses, but I personally believe that the dangers of misuse outweigh the benefits.

Wednesday 26 September 2012

IRS spam / 1.howtobecomeabostonian.com and mortal-records.net

Three different versions of fake IRS spam today, two leading to malware on 1.howtobecomeabostonian.com and the other with a malicious payload on mortal-records.net.


Date:      Wed, 26 Sep 2012 20:44:47 +0530
From:      "Internal Revenue Service (IRS)" [58D1F47@guyzzer.com]
To:      [redacted]
Subject:      Internal Revenue Service: For the attention of enterpreneurs

Internal Revenue Service (IRS)

Hello,

Due to the system error the EIN of your company has been accidently erased from the online database, please validate your EIN to reaffirm your current status of taxpayer. Certain indulgences will be applied to the next audit report for your company. IRS is sorry to cause inconvenience.





For detail information, please refer to:

https://www.irs.gov/Login.aspx?u=E8710D9E9

    Email address: [redacted]

Sincerely yours,

Barry Griffin

IRS Customer Service representative

Update your subscriptions, modify your password or email address, or stop subscriptions at any time on your Subscriber Preferences Page.

You will need to use your email address to log in.

This service is provided to you at no charge by the Internal Revenue Service (IRS).
This email was sent to [redacted] by: Internal Revenue Service (IRS) · Internal Revenue Service · 1111 Constitution Ave. N.W. · Washington DC 20535

==========


Date:      Wed, 26 Sep 2012 11:09:45 -0400
From:      "Internal Revenue Service (IRS)" [90A75BC@etherplay.com]
To:      [redacted]
Subject:      Internal Revenue Service: For the attention of enterpreneurs

Internal Revenue Service (IRS)

Dear business owners,

Due to the corrections in the taxation policies that have been recently applied, IRS informs that LLC, C-Corporations and S-Corporations have to validate their EIN in order to reaffirm their actual status. You have 14-day period in order to examine all the changes and make necessary amendments. We are sorry for the inconvenience caused.



For the details please refer to:

https://www.irs.gov/ClientArea.aspx?u=1CBD0FC829256C

    Email address: [redacted]

Sincerely yours,

Damon Abbott

Internal Revenue Service Representative

Update your subscriptions, modify your password or email address, or stop subscriptions at any time on your Subscriber Preferences Page.

You will need to use your email address to log in.

This service is provided to you at no charge by the Internal Revenue Service (IRS).
This email was sent to [redacted] by: Internal Revenue Service (IRS) · Internal Revenue Service · 1111 Constitution Ave. N.W. · Washington DC 20535


==========

Date:      Wed, 26 Sep 2012 19:53:28 +0400
From:      Internal Revenue Service [weirdpr6@polysto.com]
To:      [[redacted]]
Subject:      IRS report of not approved tax bank transfer

Your Federal Tax pending transaction (ID: 52007291963155), recently ordered for processing from your checking account was rejected by your Bank.

Rejected Tax transaction
Tax Transaction ID:     52007291963155
Reason ID     See details in the report below
State Tax Transaction Report     tax_report_52007291963155.doc (Microsoft Word Document)

Internal Revenue Service 9611 Tellus. Av. Augusta 38209 MV  

Payload one is at [donotclick]1.howtobecomeabostonian.com/links/marked-alter.php hosted on 74.207.232.13 (Linode, US) which looks like a hacked GoDaddy domain. Payload two is at [donotclick]mortal-records.net/detects/processing-successfully.php hosted on 203.91.113.6 (G-Mobile, Mongolia) which is an IP address that has been used a LOT for this type of attack. Blocking those IPs would be ideal.

These other bad domains are associated with the Mongolian IP address:
allmn-leicncester.net
amsnxn.com
bowerystore.net
cahgmt.com
cahmncm.com
casxmn.com
catmngn.com
chgmnm.com
myinfn.com
nitor-solutions.net
ntanwolb.com
penel-opessong.com
sncahmn.com
stafffire.net

Tuesday 25 September 2012

Evil network: 108.178.59.0/26

There's quite a bit of malware coming from a range of Singlehop IPs over the past few days. The range is 108.178.59.0/26 (108.178.59.0 - 108.178.59.63).

So far, I've seen Blackhole samples from 108.178.59.20, 108.178.59.11 and 108.178.59.26, which is enough to convince me that the whole /26 is bad and should be blocked.

Singlehop have reallocated the IP range to a customer:

network:Class-Name:network
network:ID:ORG-SINGL-8.108-178-59-0/26
network:Auth-Area:108.178.0.0/18
network:IP-Network:108.178.59.0/26
network:Organization:Lorenzo Coco
network:Street-Address:via Nardi, 8 Prato
network:City:Prato
network:State:Italy
network:Postal-Code:59100
network:Country-Code:IT
network:Tech-Contact;I:NETWO1546-ARIN
network:Admin-Contact;I:NETWO1546-ARIN
network:Abuse-Contact;I:ABUSE2492-ARIN
network:Created:20120430
network:Updated:20120430


It's quite possible that Mr Coco doesn't know that the IP range is being abused in this way, but blocking access to it would be prudent.

Added: You can also add 108.178.59.6 to the list of malicious sites.
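The recurring advice in these posts is to block a whole range (108.178.59.0/26 here, 84.22.96.0/19 for CyberBunker), to block the dynamic DNS providers ddns.ms and dnset.com wholesale, and to watch for the same landing-page paths (`/links/*.php`, `/detects/*.php`, `:8080/forum/links/column.php`) turning up behind different lures. The script below is an added example, not code from this blog: it sweeps proxy log lines against those three kinds of indicator. The IP ranges, addresses and domains in it are taken from the posts above; the log format, the sample log lines and the path pattern are constructed for the example (the pattern is generalised from the payload paths quoted on this page and is an assumption, not a published signature).

```python
"""Sweep proxy logs for the indicators described in these posts:
CIDR ranges, individual IPs, exact domains, dynamic-DNS suffixes and
the landing-page path shape repeated across the campaigns."""
import ipaddress
import re
from urllib.parse import urlsplit

# Ranges the posts recommend blocking outright (values from the page).
BLOCKED_RANGES = [ipaddress.ip_network(c) for c in ("108.178.59.0/26", "84.22.96.0/19")]

# Individual hosting IPs named as malicious on the page.
BLOCKED_IPS = {ipaddress.ip_address(a) for a in (
    "203.91.113.6", "62.109.23.82", "199.195.116.185",
    "69.194.194.221", "69.194.193.37", "69.194.201.21", "69.194.192.203",
)}

# Domains named as payload hosts on the page.
BLOCKED_DOMAINS = {
    "sectantes-x.ru", "denegnashete.ru", "soisokdomen.ru",
    "xlzones.com", "mortal-records.net", "buycelluleans.com",
}

# Dynamic-DNS providers the post suggests blocking as a whole.
BLOCKED_SUFFIXES = ("ddns.ms", "dnset.com")

# Assumed generalisation of the payload paths quoted on the page, e.g.
# /links/marked-alter.php, /detects/groups_him.php, /forum/links/column.php.
PAYLOAD_PATH = re.compile(r"^/(?:forum/)?(?:links|detects)/[a-z_-]+\.php$")

# Constructed log format: "<timestamp> <client> <destination-ip> \"GET <url> ...\" <status>".
LOG_RE = re.compile(r'^(?P<ts>\S+) (?P<client>\S+) (?P<dst>\S+) "GET (?P<url>\S+)')

# Constructed sample lines (not real traffic); internal client addresses are made up.
SAMPLE_LOG = [
    '2012-09-30T17:40:01Z 10.0.0.12 69.194.194.221 "GET http://69.194.194.221/links/marked-alter.php HTTP/1.1" 200',
    '2012-09-27T10:05:44Z 10.0.0.7 84.22.100.108 "GET http://sectantes-x.ru:8080/forum/links/column.php HTTP/1.1" 200',
    '2012-09-27T12:15:09Z 10.0.0.9 62.109.23.82 "GET http://ynrteqhsobjv.dnset.com/index.html HTTP/1.1" 200',
    '2012-09-25T09:12:30Z 10.0.0.3 108.178.59.63 "GET http://108.178.59.63/links/anybody_miss-knowing.php HTTP/1.1" 200',
    '2012-09-25T09:13:02Z 10.0.0.3 108.178.59.64 "GET http://www.example.org/about/index.html HTTP/1.1" 200',
]


def ip_blocked(addr_text):
    """True if the address is a listed IP or falls inside a blocked CIDR range."""
    try:
        addr = ipaddress.ip_address(addr_text)
    except ValueError:          # not an IP literal (a hostname, or garbage)
        return False
    return addr in BLOCKED_IPS or any(addr in net for net in BLOCKED_RANGES)


def domain_blocked(host):
    """True for a listed domain, or any host under a blocked dynamic-DNS suffix."""
    host = host.lower().rstrip(".")
    if host in BLOCKED_DOMAINS:
        return True
    # Suffix match must be label-aligned: "x.ddns.ms" hits, "ddns.ms.example.org" does not.
    return any(host == s or host.endswith("." + s) for s in BLOCKED_SUFFIXES)


def classify(line):
    """Return a tuple of reasons the line is suspicious (empty tuple if clean)."""
    m = LOG_RE.match(line)
    if not m:
        return ()
    url = urlsplit(m.group("url"))
    host = url.hostname or ""
    reasons = []
    if ip_blocked(m.group("dst")) or ip_blocked(host):
        reasons.append("blocked-ip")
    if domain_blocked(host):
        reasons.append("blocked-domain")
    if PAYLOAD_PATH.match(url.path):
        reasons.append("kit-path")
    return tuple(reasons)


def sweep(lines):
    """Return [(line, reasons)] for every line that matched at least one indicator."""
    hits = []
    for line in lines:
        reasons = classify(line)
        if reasons:
            hits.append((line, reasons))
    return hits


if __name__ == "__main__":
    for line, reasons in sweep(SAMPLE_LOG):
        print(", ".join(reasons), "->", line)
```

The range check uses the standard library's `ipaddress` module so the /26 boundary is handled exactly (108.178.59.63 is the last address inside, 108.178.59.64 is outside); the suffix check is label-aligned so that `ddns.ms.example.org` is not swept up with real ddns.ms hosts. A path hit on its own is only a hint, since `/links/something.php` is not unique to exploit kits; in practice you would treat it as a reason to look at the destination, not as a block decision by itself.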

BBB Spam / one.1000houses.biz

This fake BBB spam leads to malware at one.1000houses.biz:


Date:      Tue, 25 Sep 2012 11:42:18 +0200
From:      "Better.Business Bureau" [8050910@zread.com]
Subject:      Activity Report



Dear business owner, we have received a complaint about your company possible involvement in check cashing and Money Order Scam.

You are asked to provide response to this complaint within 7 days.

Failure to provide the necessary information will result in downgrading your Better Business Bureau rating and possible cancellation of your BBB accreditation status.

Complaint ID#125368

Council of Better Business Bureaus
3033 Wilson Blvd, Suite 600
Arlington, VA 22201
Phone: 1 (703) 276.0100
Fax: 1 (703) 525.8277

The malicious payload is at [donotclick]one.1000houses.biz/links/deep_recover-result.php hosted on 199.195.116.185 (A2 Hosting, US). The domain 1000houses.biz appears to be a legitimate domain where the GoDaddy account has been hacked to serve malware on subdomains. There seems to be a long-standing issue with GoDaddy domains being used in this way.

Blocking 199.195.116.185 would probably be prudent.

Monday 24 September 2012

Amazon.com spam / pallada-cruise.net

This fake Amazon spam leads to malware on pallada-cruise.net:

From:     Belinda Gallagher vigilancejy586@williamsguitarcompany.com
To:     [redacted]
Date:     24 September 2012 18:44
Subject:     Your Order Shipped Now

Amazon    
Your Orders | Your Account | Amazon.com
Order Confirmation
Order #002-3989927-06014360

Greetings [redacted],

Thank you for shopping with us. Wethought you'd like to know that our shop shipped your item, and that this completes your order.. If you need to return an good from this shipment or manage other orders, please visit Your Orders on Amazon.com.
Your estimated delivery date is:

Friday, September 21, 2012

Why tracking information may not be available?
    Your order was shipped to:

[redacted]
006 S Academy St, App. 1D
S Paolo, DC
United States

This shipment have no an associated delivery tracking No..

Shipment Details
   

LG 42LW5302, SV 46-Inch 720p 120 Hz Cinema 3D LCD HDTV with 3D Blu-ray Player and Four Pairs of 3D Glasses
Sold by onner
Condition: not-used before
    $612.35
Item Subtotal:     $612.35
Shipping & Handling:     $20.43
Total Before Tax:     $612.35
Shipment Total:     $612.35
Paid by MC:     $612.35

Returns are easy. Visit our ON-line Return Center.
If you need further assistance with your order, please visit Merchant Contact Form.

We hope to see you again soon!
Amazon.com

Unless otherwise noted, items are sold by Amazon LLC. Learn more about tax and item provider information.

This email was sent from a notification-only address that cannot accept incoming email. Please don't reply to this message.

The malicious payload (probably a Blackhole 2 exploit kit) is at [donotclick]pallada-cruise.net/detects/plain-keyboard_beginning-monitor.php hosted on 203.91.113.6 (G Mobile, Mongolia), an IP address that has been very active in spreading badness and which you should block if you can.

BBB Spam / 108.178.59.11

This fake BBB spam leads to malware on 108.178.59.11:


Date:      Mon, 24 Sep 2012 18:39:47 +0530
From:      "BBB Complaint activity report" [B1A41D3F@onlinepcexpert.net]
Subject:      BBB Case #9833204



Dear business owner, we have received a complaint about your company possible involvement in check cashing and Money Order Scam.

You are asked to provide response to this complaint within 7 days.

Failure to provide the necessary information will result in downgrading your Better Business Bureau rating and possible cancellation of your BBB accreditation status.

Complaint ID#9833204

Council of Better Business Bureaus
3033 Wilson Blvd, Suite 600
Arlington, VA 22201
Phone: 1 (703) 276.0100
Fax: 1 (703) 525.8277

==========


Date:      Mon, 24 Sep 2012 08:25:00 -0300
From:      "Better Business Bureau" [792375B2@mbdservices.com]
Subject:      BBB Complaint activity report

Dear business owner, we have received a complaint about your company possible involvement in check cashing and Money Order Scam.

You are asked to provide response to this complaint within 7 days.

Failure to provide the necessary information will result in downgrading your Better Business Bureau rating and possible cancellation of your BBB accreditation status.

Complaint ID#360343

Council of Better Business Bureaus
3033 Wilson Blvd, Suite 600
Arlington, VA 22201
Phone: 1 (703) 276.0100
Fax: 1 (703) 525.8277

The malicious payload is on [donotclick]108.178.59.11/links/anybody_miss-knowing.php (Singlehop, US) which is most likely a Blackhole 2 kit. This IP address has been used in other attacks and should be blocked if you can.


Saturday 22 September 2012

LinkedIn spam / 69.194.201.21

This fake LinkedIn spam leads to malware on 69.194.201.21:

Date:      Sat, 22 Sep 2012 15:16:47 -0500
From:      "Reminder" [CC8504C0E@updownstudio.com]
Subject:      LinkedIn: New messages awaiting your response

LinkedIn
REMINDERS

Invitation reminders:
From Emilio Byrd (Insurance Manager at Wolseley)


PENDING MESSAGES

There are a total of 88 message(-s) awaiting your response. Go to InBox now.

This message was sent to [redacted]. This is an occasional email to help you get the most out of LinkedIn.

Adjust your message settings.

LinkedIn values your privacy. At no time has LinkedIn made your email address available to any other LinkedIn user without your permission.

2012, LinkedIn Corporation.

The malicious payload is at [donotclick]69.194.201.21/links/deep_recover-result.php (Solar VPS, US) which appears to be a Blackhole 2 exploit kit. Blocking this IP address would be prudent.

Thursday 20 September 2012

Amazon.com spam / webgrafismo.net and 203.91.113.6


This fake Amazon.com spam leads to malware on webgrafismo.net:


Date:      Fri, 21 Sep 2012 03:44:47 +0800
From:      "Adolfo Bruno" [debitst54@uky.edu]
Subject:      Your HD TV Delivered Yesterday

  
Your Orders | Your Account | Amazon.com
Shipping Confirmation
Order #002-9587043-55406590

Greetings [redacted],

Thank you for shopping with us. Wethought you'd like to know that amazon shipped your item, and that this completes your order.. If you need to return an item from this shipment or manage other orders, please visit Your Orders on Amazon.com.
Your estimated shipment delivery date is:

Friday, September 21, 2012

Why tracking information may be unavailable?
    Your order was sent to:

[redacted]
572 9th Ave, App. 2D
S Paolo, TX
United States

This shipment does not have an associated delivery tracking No..

Conveyance Data
  

Sharp XVT3D32, SV 46-Inch 1080p 1000 Hz Cinema 3D LED-LCD HDTV with 3D Blu-ray Player and Two Pairs of 3D Glasses
Sold by secondipity
Condition: used - acceptable
    $740.43
Item Subtotal:     $740.43
Shipping & Handling:     $22.40
Total Before Tax:     $740.43
Shipment Total:     $740.43
Paid by Maestro:     $740.43

Returns are easy. Visit our ON-line Return Center.
If you need urgent assistance with your order, please visit Merchant Contact Form.

We hope to see you again soon!
Amazon.com

Unless otherwise noted, items are sold by Amazon LLC. Learn more about tax and seller information.

This email was sent from a notification-only address that cannot accept incoming email. Please don't reply to this message.

==========

Date:      Thu, 20 Sep 2012 20:51:04 +0100
From:      "Ned@mc2school.org" [Ned@ataonline.com.tr]
Subject:      Re: HDTV Shipped Yesterday

Your Orders | Your Account | Amazon.com                                          
Order Processing Confirmation                                          
Order #002-1662198-01565354                                                                      
Greetings [redacted],

Thank you for shopping with us. Wethought you'd like to know that amazon shipped your item, and that this completes your order.. If you need to return an item from this shipment or manage other orders, please visit Your Orders on Amazon.com.
Your estimated  shipment date is:

Friday, September 21, 2012

Why tracking information may  be not available?
        Your order  was delivered to:

[redacted]
148 S Academy Dr, App. 1D
Albuquerque, KY
United States

This shipment does not have an associated delivery  tracking number.                          

Order                                   

Sony  XVT3D15, SV 42-Inch 1080p 600 Hz Cinema 3D  LCD HDTV  with 3D Blu-ray Player and  Two Pairs of 3D Glasses
Sold by  onner
Condition:  used-new
        $594.65
Item Subtotal: $594.65
Shipping & Handling:   $22.34
Total Before Tax:      $594.65
Shipment Total:        $594.65                                            
Paid by  Discover:     $594.65                                                          
Returns are easy. Visit our ON-line Return Center.
If you need  urgent assistance with your order, please visit Merchant Contact Form.

We hope to see you again soon!
Amazon.com

Unless otherwise noted, items are sold by Amazon LLC. Learn more about tax and shop information.

This email was sent from a notification-only address that cannot accept incoming email. Please don't reply to this message.                     
                                                                                         
The malicious payload is at [donotclick]webgrafismo.net/detects/rates-event_convinced-sent.php hosted on a known bad IP address of 203.91.113.6 (G Mobile, Mongolia). The exploit kit is probably Blackhole 2 given its characteristics.

If you can block this IP address then I strongly advise it. Other malicious sites on the same IP include:

penel-opessong.com
sncahmn.com
xlzones.com
virtual-geocaching.net
afgreenwich.net
cedarbuiltok.net
sowendo.net
thebummwrap.net
allmn-leicncester.net
bode-sales.net
webgrafismo.net

Federal Tax Payment Spam / soisokdomen.ru

This fake tax payment spam leads to malware on soisokdomen.ru:

Date:      Thu, 20 Sep 2012 09:10:47 -0300
From:      Badoo [noreply@badoo.com]
Subject:      Re: Fwd: Tax Payment COM1684-645 is failed.

Hello,



Your Federal Tax Payment has been rejected.

Please, check the information and refer to Code I 94 to get details about

your company payment:



http://www.eftps.gov/section794/P9367027



JACINTA Stout,

The Electronic Federal Tax Payment System

The malicious payload (probably Blackhole 2) is at [donotclick]soisokdomen.ru:8080/forum/links/column.php hosted on the following familiar-looking IP addresses:

213.135.42.98
50.56.92.47
203.80.16.81


Blocking these would be prudent.



ADP Spam / 69.194.192.203

This fake ADP spam email leads to malware on 69.194.192.203:


Date:      Thu, 20 Sep 2012 14:25:24 +0300
From:      "ADPClientServices" [ABD331056@losblancoba.com.ar]
Subject:      ADP Urgent Notification - Debit Draft

Your Transaction Report(s) have been uploaded to the web site:



https://www.flexdirect.adp.com/client/login.aspx



Please note that your bank account will be debited within one banking business day for the amount(s) shown on the report(s).



Please do not respond or reply to this automated e-mail. If you have any questions or comments, please Contact your ADP Benefits Specialist.



Thank You,

ADP Benefit Services

The malicious payload is at [donotclick]69.194.192.203/links/deep_recover-result.php (probably Blackhole 2.0) hosted by Solar VPS in the US. This IP has recently been used for malware before; blocking it would be prudent.


Tuesday 18 September 2012

UPS Spam / denegnashete.ru

This fake UPS spam (or is it USPS.. or LinkedIn?) leads to malware on denegnashete.ru:


Date:      Tue, 18 Sep 2012 08:01:39 +0100
From:      LinkedIn Connections [connections@linkedin.com]
Subject:      UPS: Your Package H7022585958
Attachments:     UPS_ID7683348.htm


You can use UPS Services to:

Ship Online
Schedule a Pickup
Open a UPS Team Account
      

Welcome to UPS CUSTOMER SERVICES

OI, [redacted].

Dear Customer , We were not able to delivery the postal package

Please print out the invoice copy attached and collect the package at our department.

Best Regards , UPS .com Customer Services.
  
      

Copyright 2011 United Parcel Service of America, Inc. USPS Services, the Your usps Customer Services brandmark, and the color brown are trademarks of United Parcel Service of America, Inc. All rights reserved.

Please do not reply directly to this e-mail. Your USPS .us Customer Services will not receive any reply message. For questions or comments, visit Contact UPS.

We understand the importance of privacy to our customers. For more information, please consult the USPS Team Privacy Policy.

This communication contains proprietary information and may be confidential. If you are not the intended recipient, the reading, copying, disclosure or other use of the contents of this e-mail is strictly prohibited and you are instructed to please delete this e-mail immediately.

The malware can be found at [donotclick]denegnashete.ru:8080/forum/links/column.php, which is the same as found in this attack.


"Scan from a Hewlett-Packard ScanJet" spam / denegnashete.ru

This fake printer spam.. or Craigslist spam.. leads to malware on denegnashete.ru:

From: craigslist - automated message, do not reply [mailto:robot@craigslist.org]
Sent: 18 September 2012 11:44
Subject: Re: Fwd: Scan from a Hewlett-Packard ScanJet #97273

A document was scanned and sent to you using a Hewlett-Packard HP18412598P


Sent to you by: SIDNEY
Pages : 7
Filetype(s): Images (.jpeg) View

Location: not set.
Device: P91162592KLLD

The malicious payload is at [donotclick]denegnashete.ru:8080/forum/links/column.php (report here) hosted on the same IPs as found here.

IRS spam / xlzones.com

More IRS themed spam, this time leading to malware on xlzones.com:

From: Internal Revenue Service [mailto:papillaq9@wonderware.com]
Sent: 18 September 2012 15:22
Subject: Your IRS federal tax payment has not been accepted
Importance: High


Your Federal Tax transaction (ID: 1550573369185), recently sent from your bank account was returned by The Electronic Federal Tax Payment System.
Not Accepted Tax transfer
Tax Transaction ID:     1550573369185
Reason ID    See details in the report below
Income Tax Transaction Report    tax_report_1550573369185.doc (Microsoft Word Document)

Internal Revenue Service P.O. Box 996 Davis 99627 NY 

The malicious payload can be found at [donotclick]xlzones.com/detects/char-storing-hate.php and [donotclick]xlzones.com/maintain/java.jar (report here) hosted on the familiar IP address of 203.91.113.6 (G Mobile, Mongolia). Block this IP if you can, and also beware of these other malicious domains on the same server:
centennialfield.net
blue-lotusgrove.net
virtual-geocaching.net
afgreenwich.net
cedarbuiltok.net
thebummwrap.net
bode-sales.net
cat-mails.net
xlzones.com