Sponsored by..

Monday, 18 March 2013

LinkedIn spam / applockrapidfire.biz

This fake LinkedIn spam leads to malware on applockrapidfire.biz:

From: David O'Connor - LinkedIn [mailto:kissp@gartenplandesign.de]
Sent: 18 March 2013 15:34
Subject: Join my network on LinkedIn
Importance: High

LinkedIn
REMINDERS
Invitation reminders:
 From David O\'Connor (animator at ea)

PENDING MESSAGES
There are a total of 9 messages awaiting your response. Go to InBox now.
This message was sent to username@domain.com. Don't want to receive email notifications? Login to your LinkedIn account to Unsubscribe.
LinkedIn values your privacy. At no time has LinkedIn made your email address available to any other LinkedIn user without your permission. c 2013, LinkedIn Corporation.
The link in the message goes through a legitimate hacked site to a malware landing page on  [donotclick]applockrapidfire.biz/closest/209tuj2dsljdglsgjwrigslgkjskga.php  (report here) hosted on 78.46.222.237 (Hetzner, Germany). applockrapidfire.biz was registered just today to a presumably fake address:
Bernardine McGowan
1639 Heather Sees Way
MUSKOGEE
74401
United States
US
+1.2717159555
bernardine_mcgowan73@gmail.com

URLquery detects traffic to these additional IPs that you might want to block too:
50.22.196.70 (Softlayer / Maxmind LLC, US)
66.85.130.234 (Secured Servers LLC / Phoenix NAP, US)
194.165.17.3 (ADM Service Ltd, Monaco)

The nameservers are NS1.QUANTUMISPS.COM (5.9.212.43: Hetzner, Germany) and NS2.QUANTUMISPS.COM (66.85.131.123: Secured Servers LLC / Phoenix NAP, US).  quantumisps.com was registered to an anonymous person on 2013-03-15.

Minimum blocklist:
78.46.222.237
quantumisps.com
applockrapidfire.biz

Recommended blocklist:
5.9.212.43
50.22.196.70
66.85.130.234
66.85.131.123
78.46.222.237
194.165.17.3
quantumisps.com
applockrapidfire.biz

FOG RANT: turn your lights on!

Much of the part of the UK I live in is currently either a) foggy or b) very foggy. Freezing rain has turned the roads to ice and visibility is bugger all. At the moment the roads look like they do in the picture, and there are multiple accidents all over the place.

What amazes me is the sheer amount of complete f--king idiots driving with NO LIGHTS ON WHATSOEVER. Do they not notice that everyone else has their fog lights on? Do they not notice the radio reports of all the accidents?

Grey or silver cars in particular are almost invisible. Perhaps it is time to invest in a front-mounted laser cannon to blast these idiots of the road..

Friday, 15 March 2013

ADP Package Delivery Confirmation spam / picturesofdeath.net

 This fake ADP spam leads to malware on the jollily-named picturesofdeath.net:

From: ADP Chesapeake Package Delivery Confirmation [mailto:do_not_reply@adp.com]
Sent: 15 March 2013 14:45
Subject: =?iso-8859-1?Q?ADP Chesapeake - Package Delivery Notification
Importance: High

This message is to notify you that your package has been processed and is on schedule for delivery from ADP.

Here are the details of your delivery:
Package Type: QTR/YE Reporting
Courier: UPS Ground
Estimated Time of Arrival: Tusesday, 5:00pm
Tracking Number (if one is available for this package): 1Z023R643116536498

Details: Click here to overview and/or modify order

We will notify you via email if the status of your delivery changes.

--------------------------------------------------------------------------------

Access these and other valuable tools at support.ADP.com:
o Payroll and Tax Calculators
o Order Payroll Supplies, Blank Checks, and more
o Submit requests online such as SUI Rate Changes, Schedule Changes, and more
o Download Product Documentation, Manuals, and Forms
o Download Software Patches and Updates
o Access Knowledge Solutions / Frequently Asked Questions
o Watch Animated Tours with Guided Input Instructions

Thank You,
ADP Client Services
support.ADP.com

--------------------------------------------------------------------------------

This message and any attachments are intended only for the use of the addressee and may contain information that is privileged and confidential. If the reader of the message is not the intended recipient or an authorized representative of the intended recipient, you are hereby notified that any dissemination of this communication is strictly prohibited. If you have received this communication in error, notify the sender immediately by return email and delete the message and any attachments from your system.
The malicious payload is at [donotclick]picturesofdeath.net/kill/long_fills.php (report here) hosted on:

24.111.157.113 (Midcontinent Media, US)
155.239.247.247 (Centurion Telkom, South Africa)

Blocklist:

advarcheskiedela.ru
arhangelpetrov.ru
fenvid.com
gatovskiedelishki.ru
iberiti.com
metalcrew.net
notsk.com
picturesofdeath.net
porftechasgorupd.ru
roadix.net
sawlexmicroupdates.ru
secureaction120.com
secureaction150.com

RU:8080 Malware sites to block 15/3/13

These seem to be the currently active IPs and domains being used by the RU:8080 gang. Of these the domain gilaogbaos.ru seems to be very active this morning. Block 'em if you can:

5.9.40.136
41.72.150.100
50.116.23.204
66.249.23.64
94.102.14.239
212.180.176.4
213.215.240.24
forumilllionois.ru
foruminanki.ru
forumla.ru
forum-la.ru
forumny.ru
forum-ny.ru
giimiiifo.ru
gilaogbaos.ru
giliaonso.ru
gimiinfinfal.ru
gimilako.ru
gimimniko.ru
giminaaaao.ru
giminalso.ru
giminanvok.ru
giminkfjol.ru
gimiuitalo.ru
guioahgl.ru
guuderia.ru
forumla.ru
gimiiiank.ru
gimiinfinfal.ru
giminaaaao.ru
giminanvok.ru
giminkfjol.ru
guioahgl.ru
giminkfjol.ru
forumla.ru
gimiinfinfal.ru
giminaaaao.ru
giminanvok.ru
giminkfjol.ru
guioahgl.ru

For the record, these are the registrars either hosting the domains or offering support services. It is possible that some have been taken down already.
5.9.40.136 (Hetzner, Germany)
41.72.150.100 (Hetzner, South Africa)
50.116.23.204 (Linode, US)
66.249.23.64 (Endurance International Group, US)
94.102.14.239 (Netinternet, Turkey)
212.180.176.4 (Supermedia, Poland)
213.215.240.24 (COLT, Italy)

Samsung Galaxy S4

Seriously.. when does it stop being a phone? This Galaxy S4 thing has a 5" HD display, a processor with up to eight cores, and it even watches you watching it. Just remember that last point while you are perusing your favourite rubber midget lesbian vore collection.

What I hadn't heard of before is the Samsung HomeSync server which is basically a 1TB appliance you put in your home and store all your stuff on, which you can then access from the GS4 or apparently a wide range of other devices. Just don't lose your smartphone..

Of course, the thing with smartphones is that there's always something better just around the corner. The Google / Motorola Xphone that is rumoured could be a GS4 beater.

Anyway.. in the meantime your old smartphone just got a bit more obsolete..

Thursday, 14 March 2013

Brian Krebs gets SWATted

It looks like Brian Krebs got a visit from a SWAT team today, after having his site DDOSed and served with a fake takedown notice, possibly in retaliation for this article. Nasty.


It reminds me a little of the "suicide note" incident with the operator of abuse.ch a few years back. You know when you have pissed off the bad guys when they arrange for armed police to come calling..

LinkedIn spam / teenlocal.net

This fake LinkedIn spam leads to malware on teenlocal.net:

From: messages-noreply@bounce.linkedin.com [mailto:messages-noreply@bounce.linkedin.com] On Behalf Of LinkedIn
Sent: 14 March 2013 16:32
Subject: Frank and Len have endorsed you!

Congratulations! Your connections Frank Garcia and Len Rosenthal have endorsed you for the following skills and expertise:
   
    Program Management
    Strategic Planning

Continue



You are receiving Endorsements emails. Unsubscribe.

This email was intended for Paul Stevens (Chief Financial Officer, Vice President and General Manager, Aerospace/Defense, Pacific Consolidated Industries). Learn why we included this. 2013, LinkedIn Corporation. 2029 Stierlin Ct. Mountain View, CA 94043, USA
The malicious payload is at [donotclick]teenlocal.net/kill/force-vision.php (report here) hosted on:

24.111.157.113 (Midcontinent Media, US)
58.26.233.175 (Telekom Malaysia, Malaysia)
155.239.247.247 (Centurion Telkom, South Africa)

Blocklist:
24.111.157.113
58.26.233.175
155.239.247.247
buyersusaremote.net
cyberage-poker.net
hotels-guru.net
teenlocal.net
bbb-complaint.org
secureaction120.com
secureaction150.com
iberiti.com
notsk.com
bbb-accredited.net
metalcrew.net
roadix.net
gatovskiedelishki.ru

"Efax Corporate" spam / gimiinfinfal.ru

This eFax-themed spam leads to malware on gimiinfinfal.ru:

Date:      Thu, 14 Mar 2013 07:39:23 +0300
From:      SarahPoncio@mail.com
Subject:      Efax Corporate
Attachments:     Efax_Corporate.htm



Fax Message [Caller-ID: 449555234]

You have received a 44 pages fax at Thu, 14 Mar 2013 07:39:23 +0300, (751)-674-3105.

* The reference number for this fax is [eFAX-263482326].

View attached fax using your Internet Browser.


© 2013 j2 Global Communications, Inc. All rights reserved.
eFax ® is a registered trademark of j2 Global Communications, Inc.

This account is subject to the terms listed in the eFax ® Customer Agreement.
There's an attachment called Efax_Corporate.htm which leads to malware on [donotclick]gimiinfinfal.ru:8080/forum/links/column.php (report here) hosted on:

94.102.14.239 (Netinternet, Turkey)
50.116.23.204 (Linode, US)
213.215.240.24 (COLT, Italy)

Blocklist:
50.116.23.204
94.102.14.239
213.215.240.24
giimiiifo.ru

Wednesday, 13 March 2013

"Copies of policies" spam / giimiiifo.ru

This spam leads to malware on giimiiifo.ru:

Date:      Wed, 13 Mar 2013 06:49:25 +0100
From:      LinkedIn Email Confirmation [emailconfirm@linkedin.com]
Subject:      RE: Alonso - Copies of Policies.

Unfortunately, I cannot obtain electronic copies of the Ocean, Warehouse or EPLI policy.

Here is the Package and Umbrella,

and a copy of the most recent schedule.

Alonso SAMS,

The malicious payload is at [donotclick]giimiiifo.ru:8080/forum/links/column.php hosted on two IPs we saw earlier:

94.102.14.239 (Netinternet , Turkey)
213.215.240.24 (COLT, Italy)
 

"Wapiti Lease Corporation" spam / giminaaaao.ru

A fairly bizarre spam leading to malware on giminaaaao.ru:

From: IESHA WILLEY [mailto:AtticusRambo@tui-infotec.com]
Sent: 13 March 2013 11:22
To: Sara Smith
Subject: Fwd: Wapiti Land Corporation Guiding Principles attached

Hello,

Attached is a draft of the Guiding Principles that the Wapiti Lease Corporation (“W.L.C”) would like to publish. Prior to doing that, WLC would like you to have an opportunity for a preview and to provide any
comments that you would like to make. Please let me know that you have reviewed it and what comments you might have.

Thank you,

IESHA WILLEY
WLC 
This comes with an attachment called WLC-A0064.htm although I have another sample "from" a DEANNE AMOS with an attachment of WLC-A5779.htm. In any case, the attachment tries to direct the victim to a malware landing page at [donotclick]giminaaaao.ru:8080/forum/links/column.php (report here) hosted on:

93.174.138.48 (Cloud Next / Node4, UK)
94.102.14.239 (Netinternet , Turkey)
213.215.240.24 (COLT, Italy)

Blocklist:
93.174.138.48
94.102.14.239
213.215.240.24
giminaaaao.ru
giminkfjol.ru
giminanvok.ru



Zbot sites to block 13/3/13

These domains and IPs seem to be active as Zbot C&C servers. The obsolete .su (Soviet Union) domain is usually a tell-tale sign of.. something.

76.185.101.239
77.74.197.190
89.202.183.27
89.253.234.247
201.236.78.182
218.249.154.140
aesssbacktrack.pl
beveragerefine.su
dinitrolkalor.com
dugsextremesda.su
establishingwi.su
eurasianpolicy.net
euroscientists.at
ewebbcst.info
fireinthesgae.pl
girdiocolocai.com
machinelikeleb.su
mixedstorybase.su
satisfactorily.su
smurfberrieswd.su
sputtersmorele.pl
suggestedlean.com
trashinesscro.com
upkeepfilesyst.su

URLs seen:
[donotclick]beveragerefine.su/hjz/file.php
[donotclick]euroscientists.at/hjz/file.php
[donotclick]machinelikeleb.su/fiv/gfhk.php
[donotclick]mixedstorybase.su/hjz/file.php
[donotclick]satisfactorily.su/hjz/file.php
[donotclick]smurfberrieswd.su/hjz/file.php

And for the record, those IPs belong to:
76.185.101.239 (Road Runner, US)
77.74.197.190 (UK Dedicated Servers, UK)
89.202.183.27 (Interoute / PSI, UK)
89.253.234.247 (Rusonyx, Russia)
201.236.78.182 (Municipalidad De Quillota, Chile)
218.249.154.140 (Beijing Zhongbangyatong Telecom, China)

Tuesday, 12 March 2013

"End of Aug. Stat. Required" spam / giminkfjol.ru

This spam leads to malware on giminkfjol.ru:

From: user@victimdomain.com
Sent: 12 March 2013 04:19
Subject: Re: End of Aug. Stat. Required

Good morning,
as reqeusted I give you inovices issued to you per dec. 2012 ( Internet Explorer file)

Regards

The attachment Invoices-ATX993823.htm attempts to redirect the victim to [donotclick]giminkfjol.ru:8080/forum/links/column.php (report here) hosted on:

5.9.40.136 (Hetzner, Germany)
94.102.14.239 (Netinternet, Turkey)
213.215.240.24 (COLT, Italy)

Blocklist:
5.9.40.136
94.102.14.239
213.215.240.24
giminkfjol.ru

Monday, 11 March 2013

Wire Transfer spam / giminanvok.ru

Another wire transfer spam, this time leading to malware on giminanvok.ru:

Date:      Mon, 11 Mar 2013 02:46:19 -0300 [01:46:19 EDT]
From:      LinkedIn Connections [connections@linkedin.com]
Subject:      Fwd: Wire Transfer (5600LJ65)

Dear Bank Account Operator,


WIRE TRANSFER: FED694760330367340
CURRENT STATUS: PENDING

Please REVIEW YOUR TRANSACTION as soon as possible.
The malicious payload is at [donotclick]giminanvok.ru:8080/forum/links/column.php (report pending) hosted on the same IPs used earlier today:
5.9.40.136 (Hetzner, Germany)
66.249.23.64 (Endurance International Group, US)
94.102.14.239 (Netinternet, Turkey)

 I strongly recommend that you block access to these IPs if you can.


Wire Transfer spam / gimikalno.ru

This fake wire transfer spam leads to malware on gimikalno.ru:

Date:      Mon, 11 Mar 2013 04:00:22 +0000 [00:00:22 EDT]
From:      Xanga [noreply@xanga.com]
Subject:      Re: Fwd: Wire Transfer Confirmation (FED REFERENCE 16442CU385)

Dear Bank Account Operator,
WIRE TRANSFER: FED62403611378975648
CURRENT STATUS: PENDING

Please REVIEW YOUR TRANSACTION as soon as possible.

The malicious payload is at [donotclick]gimikalno.ru:8080/forum/links/column.php (report here) hosted on:

5.9.40.136 (Hetzner, Germany)
66.249.23.64 (Endurance International Group, US)
94.102.14.239 (Netinternet, Turkey)

Blocklist:
5.9.40.136
66.249.23.64
94.102.14.239
212.180.176.4
117.104.150.170
41.72.150.100
gimikalno.ru
guuderia.ru
forum-la.ru
forumla.ru
gimalayad.ru
gosbfosod.ru
ginagion.ru
giliaonso.ru
forumilllionois.ru
forum-ny.ru
forumny.ru
forumkianko.ru

Sidharth Shah / OVH / itechline.com

I have now come across several incidents of malware hosted in an OVH IP address range suballocated to Sidharth Shah. The blocks that I can identify so far are:

5.135.20.0/27
5.135.27.128/27
5.135.204.0/27
5.135.218.32/27
5.135.223.96/27
37.59.93.128/27
37.59.214.0/28
46.105.183.48/28
91.121.228.176/28
94.23.106.224/28
176.31.106.96/27
176.31.140.64/28
178.32.186.0/27
178.32.199.24/29
188.165.180.224/27

These IPs are mostly malware or fake goods. Legitimate sites seem to be nonexistant, although these IP ranges have hosted legitimate sites in the past. I would personally recommend blocking them all, but if you want to see a fuller analysis of WOT ratings and Google Safe Browsing diagnostics see here.

So, what do we know about Mr Shah? Well, the IPs have the following contact details:

organisation:   ORG-SS252-RIPE
org-name:       Shah Sidharth
org-type:       OTHER
address:        12218 Skylark Rd
address:        20871 Clarksburg
address:        US
abuse-mailbox:  ovhresell@gmail.com
phone:          +1.5407378283
mnt-ref:        OVH-MNT
mnt-by:         OVH-MNT
source:         RIPE # Filtered


This is presumably the same Mr Shah who owns sidharthshah.com:
   Technical Contact:
      Shah, Sidharth  sidharth134@gmail.com
      12128 Skylark Rd
      Clarksburg, Maryland 20871
      United States
      (240) 535-2204


These contact details are 

The email address sidharth134@gmail.com is also associated with itechline.com which is a company with an unenviable F rating from the BBB, who list the principal as being Sidharth Shah.

BBB rating is based on 16 factors.
Factors that lowered the rating for ITechline.com include:

    Length of time business has been operating
    8 complaints filed against business
    Failure to respond to 7 complaints filed against business

ITechline.com has garnered some very negative consumer reviews [1] [2] [3] [4] . It appears to advertise on search engines for phrases like mcafee support and then charges to look at the computer, with "fixes" that some have reported to be of variable quality. You should make your own mind up as to the veracity of these negative claims.

Whether or no the OVH IP addresses are managed by Mr Shah directly or theourh ITechline is not known. Looking at the malicious domains, I cannot find a direct connection to Mr Shah other than the fact that they are a customer. However, I would not expect a well-managed network to have so many malicious domains and other spammy sites, I would recommend blocking access to all the listed IPs if you can.


Something evil on 176.31.140.64/28

176.31.140.64/28 is an OVH block suballocated to Sidharth Shah (mentioned in this earlier post). It contains a a small number of malicious domains flagged by Google (in red), most of the rest of the sites have a very poor WOT rating (in yellow). I'll post more details later. You can safely assume that everything in this block is malicious, and I note that some of the domains are refugees from this malware site.

Malware is hosted on 176.31.140.64, 176.31.140.65, 176.31.140.66 and 176.31.140.67. There appear to be no legitimate sites in this block.

a50055.info
a6066.info
a70077.info
a80088.info
add5005.info
any303.info
apple2001.info
apple2002.info
apple2003.info
apt707.info
art808.info
article404.info
admin645.info
adscard.net
adscoast.com
adscoast.net
adsknoll.com
adsknoll.net
adsmonsterslda.me
adsmonsterslda.net
adspolis.net
adsregarding.com
adsregarding.net
adsset.net
adsspark.com
adsspark.net
adstimes.net
adstown.net
adsvoice.net
akon342.info
alfa763.info
allknowingredscale.org
apolonq3.info
belligerentperformance.biz
booksdesk.org
bymailunstandard.org
cameraandspidermans.org
compatiblesohoos.biz
compellingseven.org
convertingsupply.org

deactivatelens.org
deletionaffordably.org
dlnabeta.org
draggingdownbreakdown.biz
enjoycapacious.org
entertainingsubpoenaed.org
fantasyactv.org
flipsendnow.org
graphicaluseby.org

hardwareturkish.org
ifdependable.org
ignoreorion.biz

imapnearing.org
indeliblefeaturewise.org
inexplicablysitespring.biz

initiatingslatenot.org
innovationfifth.org
inquiryunintuitively.org
interviewsmartcolumns.org

ipartitiontroublesome.org
irresponsibledefrag.biz
jeffalwaysrunning.org

languageinads.com
languageinads.net
leaveinteracted.biz
lowriskremembers.org
machinemargins.biz
madeenergy.biz
materialhencefullfeatured.org
minilabsdetailed.org
modesorganizecontentbased.org
multipledocumentthe.org
museumsinterest.org
nettalksdlsr.biz
nontechnicalcrossdisciplinary.org
notracessurfers.org
offensivesimple.biz

onyxlost.biz
operatingshorter.biz
overloadhell.org
playlistshears.biz
pointandshootfortunately.org
pushedcddb.org
recipesmailings.org

reconfigureboundaries.org
redorewards.biz
remarkablyracer.biz
retrievingevidently.biz
rummaginglistenandrepeats.org
seldomsnailmail.org
selfhealingduo.org
skimmingmanys.org
slideshareempower.org
sorryenters.biz
stretchedtool.org

superdatscalable.biz
taxactsfacebook.org
tonegrapple.biz
tonguesweetening.biz
transformingprofessional.org
transparencymonitoring.org
upsellmediathe.org
usingthisxploreing.org

visualbeesdaemon.org
vpmediastudios.org
westsidespiderman.biz
whocompatible.biz
wpcbots.org
zipsstorms.org

aapp202.info
accon101.info
after121.info
agg7574.info
all9009.info
amigosunspot.biz
bureaubasic.biz
checkinsbr.org
curateeyeballs.biz
efficacycull.biz
inappmovies.biz
menudrivenexternal.biz
moveoutgunned.biz

multitrackonew.net
palmnetstories.biz
predictkillersounding.biz

prohibitingbod.info
redirectionvx.org
selfdefensealphabetical.biz
syncopationhaving.biz

trimmingshyamalan.biz
versustempo.info
altirismotodv.net
bullzipskewing.biz
distortionexperts.net
inteloutdone.biz
opinedvdrw.net
peachtreesauto.net
snowfallsought.net

Something evil on 37.59.214.0/28

37.59.214.0/28 is an OVH IP range suballocated to a person called Sidharth Shah in Maryland (more of whom later). At the moment it is hosting a number of malware sites with a hard-to-determine payload such as [donotclick]55voolith.info:89/forum/had.php which is evading automated analysis.

The owner of this block is as follows:
organisation:   ORG-SS252-RIPE
org-name:       Shah Sidharth
org-type:       OTHER
address:        12218 Skylark Rd
address:        20871 Clarksburg
address:        US
abuse-mailbox:  ovhresell@gmail.com
phone:          +1.5407378283
mnt-ref:        OVH-MNT
mnt-by:         OVH-MNT
source:         RIPE # Filtered


Malware is hosted on 37.59.214.0, 37.59.214.1 and 37.59.214.0. There do not appears to be any legitimate sites in this range. Google has already flagged some of these as malicious (marked in red), so you can safely assume that they are all malicious:

1dabify.info
1linktube.info
1myloo.info
1trilium.info
2drill.info
2mars.info
2scrool.info
2skills.info
2walls.info
abubblespot.info
achatterjam.info
athoughtpedia.info
atwitterdrive.info
ayakilith.info
alivexs.info
arealster.info
arealtune.info
atopjam.info
ayombu.info
bbrightbridge.info
bdabdog.info
bfatri.info
bmyva.info
11chattervine.info
11fandu.info
11ncat.info
11tanix.info
22chatset.info
22cogizio.info
22jalium.info
22jaxworks.info
22ooyo.info
22thoughtspace.info
33demilium.info
33digipad.info
33skire.info
3digiset.info
3edgeblab.info
3linkshots.info
3livelounge.info
3meenix.info
3viva.info
5ailium.info
5flashster.info
5gabwire.info
5lalium.info
5skyzu.info
7demiboo.info
7gedeo.info
7jumpbean.info
7jumplist.info
7zambu.info
8abagen.info
8bubbledog.info
8cogitz.info
8plamba.info
8tajo.info
8twitterbox.info

Friday, 8 March 2013

RU:8080 and Amerika spam runs

For about the past year I have seen two very persistent spam runs leading to malware, typically themed along the lines of fake emails from the BBB, LinkedIn, NACHA, USPS and ADP.

The most obvious characteristic of one of the spam runs in the use of a malware landing page containing .ru:8080, registered through NAUNET to the infamous "private person". In order to aid researchers, I have labelled this series as RU:8080. You can see some current nastiness in action at Malware Must Die.

But there's a second spam run as well, which appears to be similarly themed but using different servers. In this case, the domains registered are typically .net, .org and .com emails (with .pro and .biz used from time-to-time). These domains are registered with fake names and addresses purporting to be in the US, but indicators show that this spam may well originate from within Russia.

I've labelled this series as Amerika (yes, there was a TV show of the same name) because frankly the domains are about as American as apple pie sharlotka. The Amerika spam run is a little harder to identify, so there may be some errors in it.

I don't have any deep insight into either spam run or the payloads they deliver, but if you are interested in looking more deeply at the patterns then hopefully this will be of some use!

AT&T spam (again)

This fake AT&T spam leads to malware on.. well, in this case nothing at all.

Date:      Fri, 8 Mar 2013 10:37:24 -0500 [10:37:24 EST]
From:      AT&T Customer Care [icare7@amcustomercare.att-mail.com]
Subject:      Your AT&T wireless bill is ready to view


att.com | Support | My AT&T Account     Rethink Possible
Your wireless bill is ready to view
Dear Customer,

Your monthly wireless bill for your account is now available online.

Total Balance Due: $1695.64

Log in to myAT&T to view your bill and make a payment. Or register now to manage your account online. By dialing *PAY (*729) from your wireless phone, you can check your balance or make a payment - it's free.

Smartphone users: download the free app to manage your account anywhere, anytime.


Thank you,
AT&T Online Services
att.com


Contact Us
AT&T Support - quick & easy support is available 24/7.

Find us on Facebook   Talk to us on twitter   AT&T Community    
Get Peace of Mind

Set up secure AutoPay from your checking account.

Learn more
Go Paperless

Save time, money and the environment.

Learn more
Online Deals!

Shop the Best Deals in your area for Phone, TV, Internet and Wireless.

Learn more
Device Tutorials
Information specific about your phone     Smart Controls
Block calls, set mobile purchase limits, manage usage, and more     Payment Arrangements
Explore your options for arranging a payment plan
PLEASE DO NOT REPLY TO THIS MESSAGE    
©2013 AT&T Intellectual Property. All rights reserved. AT&T, the AT&T logo and all other AT&T marks contained herein are trademarks of AT&T Intellectual Property and/or AT&T affiliated companies. Subsidiaries and affiliates of AT&T Inc. provide products and services under the AT&T brand.
Privacy Policy


In this case the link goes to a redirector page at [donotclick]vtcrm.update.se/eben/index.html hosted 62.109.34.50 in Sweden. It looks like someone has speedily removed the redirector page so I can't tell you much about the malicious landing page. Kudos to Ilait AB or whoever fixed the problem!

LinkedIn spam / giminalso.ru

This fake LinkedIn spam leads to malware on giminalso.ru:

From: messages-noreply@bounce.linkedin.com [mailto:messages-noreply@bounce.linkedin.com] On Behalf Of LinkedIn Password
Sent: 08 March 2013 10:24
Subject: Aylin is now part of your network. Keep connecting...

     [redacted], Congratulations!
You and Aylin are now connected.

    Aylin Welsh

--
Tajikistan    

2012, LinkedIn Corporation
The malicious payload is at [donotclick]giminalso.ru:8080/forum/links/column.php (report here) hosted on the same IPs as in this other attack today:

41.72.150.100 (Hetzner, South Africa)
89.107.184.167 (WebhostOne, Germany)
212.180.176.4 (Supermedia, Poland)