Sponsored by..

Monday 25 March 2013

"Scan from a HP ScanJet" spam / humaniopa.ru

This fake printer spam leads to malware on humaniopa.ru:

Date:      Mon, 25 Mar 2013 03:57:54 -0500
From:      LinkedIn Connections [connections@linkedin.com]
Subject:      Scan from a HP ScanJet #928909620
Attachments:     Scanned_Document.htm

Attached document was scanned and sent

to you using a Hewlett-Packard HP Officejet 98278P.

Sent by: CHANG
Images : 5
Attachment Type: .HTM [INTERNET EXPLORER]

Hewlett-Packard Officejet Location: machine location not set
The attachment Scanned_Document.htm leads to malware on [donotclick]humaniopa.ru:8080/forum/links/column.php (report here) hosted on:
66.249.23.64 (Endurance International Group, US)
72.11.155.182 (OC3 Networks, US)
72.167.254.194 (GoDaddy, US)
95.211.154.196 (Leaseweb, Netherlands)

Blocklist:
66.249.23.64
72.11.155.182
72.167.254.194
95.211.154.196
hohohomaza.ru
hillaryklinton.ru
hinakinioo.ru
hillairusbomges.ru
humaniopa.ru
humarikanec.ru


"Bank of America" spam / PAYMENT RECEIPT 25-03-2013-GBK-74

This spam comes with a malicious EXE file in the archive PAYMENT RECEIPT 25-03-2013-GBK-74.zip

Date:      Mon, 25 Mar 2013 05:50:18 +0300 [03/24/13 22:50:18 EDT]
From:      Bank of America [gaudilyl30@gmail.com]
Subject:      Your transaction is completed

Transaction is completed. $4924 has been successfully transferred.
If the transaction was made by mistake please contact our customer service.
Payment receipt is attached.

*** This is an automatically generated email, please do not reply ***
Bank of America, N.A. Member FDIC. Equal Housing Lender Opens in new window
© 2013 Bank of America Corporation. All rights reserved 
Opening the ZIP file leads to an EXE caled PAYMENT RECEIPT 25-03-2013-GBK-74.EXE which has a pretty patchy detection rate on VirusTotal. Comodo CAMAS detects traffic to the domains seantit.ru  and programcam.ru hosted on:

59.99.226.54 (BSNL Internet, India)
66.248.200.143 (Avante Hosting Services / Dominic Lambie, US)
77.241.198.65 (VPSnet, Lithunia)
81.20.146.229 (GONetwork, Estonia)
103.14.8.20 (Symphony Communication, Thailand)

Plain list:
59.99.226.54
66.248.200.143
77.241.198.65
81.20.146.229
103.14.8.20


There are many more domains and IPs connected to this, I will post an update later.

Update:  most of the domains are dynamic IPs (scroll all the way down), so blocking them might be ineffective. However, these domains are all related to this malware:

Domains:
conficinskiy.ru
dnssharedfree.com
domainforru.ru
e-eleves.net
english-professional.net
exawiewdmkag.ru
free-onlinednsmy.com
gatovskiedelishki.ru
hostingooooold.com
internetkilo.com
letsgofit.net
mydkarsy.com
ndotgeforceare.com
nvufvwieg.com
oluros.ru
opticdyn.ru
programcam.ru
rodroofing.net
royalcanime.com
seantit.ru
secrettapez.com
secureaction120.com
startofinger.com
staticlike.com
stereomaxisky.com
stockanddraw.net   
szbests.ru
whatisgoodlife.com
verifikation-paypal.org   
wearneedlike.com
yapppi.net
zeouk-gt.com

IPs (for research purposes rather than blocking)
1.1.224.198
1.185.151.43
2.133.218.31
2.184.88.72
2.184.110.125
2.184.113.55
2.184.113.75
2.193.103.139
4.188.3.12
5.9.161.162
5.15.177.43
5.34.43.39
5.175.143.107
11.3.51.158
14.96.41.180
14.96.136.144
14.97.96.149
14.98.223.156
14.99.57.251
14.99.78.143
14.99.161.196
14.99.247.243
27.2.137.94
37.237.21.29
41.70.155.31
41.70.177.45
41.92.102.131
41.92.108.231
41.151.224.172
49.201.253.119
49.249.62.185
58.65.121.241
59.99.226.54
59.161.74.145
59.161.109.194
61.98.178.61
61.102.209.97
62.76.179.184
64.31.62.139
66.248.200.143
77.241.198.65
81.20.146.229
88.83.27.96
88.198.176.115
89.44.194.254
91.231.98.142
94.76.243.95
95.141.128.114
101.60.193.138
101.63.162.177
101.218.7.168
103.14.8.20
105.169.169.204
106.195.9.115
106.196.233.245
106.198.98.12
106.218.108.218
111.161.76.8
113.53.228.28
114.79.40.90
115.137.40.222
115.241.67.83
115.242.75.193
115.252.209.210
115.252.209.245
116.203.44.146
116.203.86.97
117.198.156.91
117.232.236.221
118.34.162.32
118.43.109.153
118.129.82.13
119.157.179.163
120.29.89.97
121.245.30.74
121.245.118.26
121.150.108.146
124.43.202.122
128.111.46.96
151.155.24.150
158.108.168.91
173.208.88.197
174.126.34.114
175.157.154.64
176.202.244.15
176.228.195.54
177.26.243.240
177.99.210.3
177.116.226.181
180.215.112.195
184.176.206.146
186.170.50.138
186.170.98.232
186.170.226.89
187.50.29.218
197.107.82.143
202.142.106.57
203.11.146.21
211.173.142.127
220.149.236.151

Sunday 24 March 2013

"Champions Club Community" / championsclubcommunity.com spam

Why these people bother sending me unsolicited email is a mystery... but in fact the so-called "Champions Club Community" is a bit of a mystery too..

From:     Simon Phillips - Champions Club [news@championsclubcommunity.com]
Reply-To:     contactus2@championsclubcommunity.com
Date:     24 March 2013 15:56
Subject:     March 2013 Newsletter

Email not displaying properly? View it online

CCC Logo



Hello and Welcome to this first newsletter from the revamped, overhauled and thoroughly revised Champions Club Community.

Our Vision hasn’t changed, we’re still here to help create One Global Family but, based on lots of feedback from our Community Ambassadors, our Purpose has been refined to “Inspiring and Enabling all people to make a difference in their lives and the lives of others.”  Or, to put it even more simply, we’re all here to “Go MAD”, where MAD stands for Make A Difference.

This month, our focus is on Homelessness with a number of articles and features highlighting this desperately sad and avoidable problem.

    Dianna Moylan asks – Homelesseness: Can we deal with it?
    Co-founder of CCC, Mark Insull reveals – I was Homeless, I know how it feels
    A Report on – Stop Homelessness, Sleep Easy Event

All of these are presented to inspire you to join in our campaign to end homelessness in the UK and Sign our e-Petition here.

Also featured in the magazine this month:

    This month’s Celebrated Do-Gooder – James Dyson
    Calling all Future Leaders – 5 x £10k bursaries available to all applicants.  If you think you have what it takes to lead our Community one day (or you know someone that does), then Read this Article and get in touch.
    Why I joined Champions Club Community – a series of four tales from our Ambassadors, three of whom have just recently joined us!  Welcome Chris, Kevin and Debs.

What’s Happening?  Some insights into what is going on inside CCC to keep you up to date.  Any questions / thoughts or ideas on how you might be able to help, please contact simon.phillips@championsclubcommunity.com

    Update from the MD including the imminent launch of our youth development programme, called The Leader In Me with Downside Fisher Youth Club.
    We partner with Virgin Giving to setup our £1 a month campaign.
    Work continues on the two major technical projects and Anne Cooper gives us a quick update – The GNB and the £1 a month campaign.

Well, that’s all we’ve got time for this time, there is a whole lot more inside the magazine.  Enjoy the read and do join in if you have a story to tell that will inspire others to Make A Difference!

Kind regards,

Simon

Simon Phillips – MD, Champions Club Community

Champions Club Community
Registered Office: 70 Royal Hill, London SE10 8RF
First of all let's be clear - I have never solicited any communications from these people, but they have been sending me spam since at least 2010.

So the Champions Club Community is a charity? Actually, it is.. registered as charity 1145253. What does this charity actually do? Because it is a registered charity, we can check out its activities on the Charities Commission website here. So, how much did it contribute to charity in 2012?

From an awesome income of £150, this so-called charity expended.. well, let's not beat about the bush here. Fuck all. Not a penny. Nothing. OK, to be fair I haven't received a spam from them since 2011, so perhaps they have been keeping a low profile.

Let's have a a quick look at the web site traffic. According to Alexa (not the most reliable thing but bear with me), the website championsclubcommunity.com is the 1,710,736th most popular site in the world, reaching out to 0.000053% of the world's internet population. By comparison, even a humble low-traffic site like dynamoo.com is ranked 596,722nd with the giddy heights of 0.00031% of the world visiting it. That's about six times the traffic for a blog that is basically about spam.

There's also an associated limited company called Champions Club Community (Trading) Ltd (company number 06243285, formerly called T.S.G.M. Ltd), set up by the charity's founders, Mark Insull and Guy Insull. According to the financial records I have seen, this company has struggled to stay afloat.

So, if like me you are staring at this spam wondering if it's a scam or not.. well, it seems to be genuine. But as a charity the Champions Club Community looks like an abject failure. If you are feeling charitable, then why not try the DEC instead.. at least that actually makes donations to those in need.

Friday 22 March 2013

Changelog spam / hohohomaza.ru

Evil changelog spam episode 274, leading to malware on hohohomaza.ru. Hohoho indeed.

Date:      Fri, 22 Mar 2013 11:06:48 -0430
From:      Hank Sears via LinkedIn [member@linkedin.com]
Subject:      Fwd: Changelog as promised (upd.)

Hello,

as promised changelog - View

L. HENDRICKS

The malware landing page is at [donotclick]hohohomaza.ru:8080/forum/links/column.php (report here) hosted on:
50.22.0.2 (Softlayer / Monday Sessions Media, US)
66.249.23.64  (Endurance International Group, US)
80.246.62.143 (Alfahosting / Host Europe, Germany)

Blocklist:
50.22.0.2
66.249.23.64
80.246.62.143
hillaryklinton.ru
hohohomaza.ru
hillairusbomges.ru
hentaimusika.ru
himalayaori.ru
hiskintako.ru
heelicotper.ru
hinpoka.ru

Wire Transfer spam / dataprocessingservice-alerts.com

This fake Wire Transfer spam leads to malware on dataprocessingservice-alerts.com:

Date:      Fri, 22 Mar 2013 10:42:22 -0600
From:      support@digitalinsight.com
Subject:      Terminated Wire Transfer Notification - Ref: 54133

Immediate Transfers Processing Service

STATUS Notification
The following wire transfer has been submitted for approval. Please visit this link to review the transaction details (ref '54133' submitted by user '[redacted]' ).
TRANSACTION SUMMARY:

Initiated By: [redacted]

Initiated Date & Time: 2013-03-21 4:00:46 PM PST

Reference Number: 54133

For addidional info visit this link
The payload is at [donotclick]dataprocessingservice-alerts.com/kill/chosen_wishs_refuses-limits.php  (report here) hosted on:

24.111.157.113 (Midcontinent Media, US)
58.26.233.175 (TMNet, Malaysia)
155.239.247.247 (Centurion Telkom, South Africa)

Blocklist:
24.111.157.113
58.26.233.175
155.239.247.247
bestffriendquotes.com
buxarsurf.net
buyersusaremote.net
cyberage-poker.net
dataprocessingservice-alerts.com
fenvid.com
heavygear.net
hotels-guru.net
neo-webnet.com
openhouseexpert.net
picturesofdeath.net
plussestotally.biz
rockbandsongs.net
teenlocal.net
webpageparking.net

Zendesk "An important notice about security" spam / vagh.ru / pillshighest.com

This unusual spam leads to a fake pharma site on pillshighest.com via vagh.ru and an intermediate hacked site.

Date:      Fri, 22 Mar 2013 13:52:08 -0700
From:      Support Team [pinbot@schwegler.com]
To:      [redacted]
Subject:      An important notice about security

We recently learned that the vendor we use to answer support requests and other emails (Zendesk) experienced a security breach.

We're sending you this email because we received or answered a message from you using Zendesk. Unfortunately your name, email address and subject line of your message were improperly accessed during their security breach. To help keep your account secure, please:

    Don't share your password. We will never send you an email asking for your password. If you get an email like this, please let us know right away.
    Beware of suspicious emails. If you get any emails that look like they're from our Support Team but don't feel right, please let us know - especially if they include details about your support request.
    Use a strong password. If your password is weak, you can create a new one.

We're really sorry this happened, and we'll keep working with law enforcement and our vendors to ensure your information is protected.

Support Team


Questions? See our FAQ.

This email was sent to [redacted].

�2013 Zendesk, Inc. | All Rights Reserved

Privacy Policy | Terms and Conditions

There appears to be no malware involved in this attack. After the user has clicked through to the hacked site (in this case [donotclick]www.2001hockey.com/promo/page/ - report here) the victim is bounced to [donotclick]vagh.ru on 193.105.210.212 (FOP Budko Dmutro Pavlovuch, Ukraine) and then on to [donotclick]pillshighest.com on 91.217.53.30 (Fanjcom, Czech Republic).

Some IPs and domains you might want to block:
91.217.53.30
193.105.210.212
abolade_lillian.rbluhozq.com
andycolley1.rbluhozq.com
cre8aworld.rbluhozq.com
deanna_ware.rbluhozq.com
diane.iverson.rbluhozq.com
j_minchey.rbluhozq.com
jackie.rbluhozq.com
jenkoto.rbluhozq.com
jjlock100.rbluhozq.com
jude256.rbluhozq.com
karenjbentley.rbluhozq.com
krister66.rbluhozq.com
lmatthews.rbluhozq.com
longhorn_97.rbluhozq.com
marcbigelow.rbluhozq.com
marijuanapillsmedical.com
migraineskiherbal.net
mram0523.rbluhozq.com
ns1.vtinodrutry.com
ns2.vtinodrutry.com
pillcarney.com
pillshighest.com
prescriptiondrugwalgreens.com
rjrepp.rbluhozq.com
sophie.ashcroft.rbluhozq.com
storyfullscreen.com
streetinsiderpharmhealth.com
supplementspillherbal.com
tabletlevipad.com
tabletspillspharmacy.ru
vagh.ru
vtinodrutry.com

Changelog spam / hillairusbomges.ru

This fake changelog spam leads to malware on hillairusbomges.ru:

Date:      Thu, 21 Mar 2013 03:01:59 -0500 [04:01:59 EDT]
From:      LinkedIn Email Confirmation [emailconfirm@linkedin.com]
Subject:      Re: Changelog Oct.

Good morning,
as prmised updated changelog - View

L. LOYD
The malicious payload is at [donotclick]hillairusbomges.ru:8080/forum/links/column.php (report here) hosted on:
50.22.0.2 (Softlayer / Monday Sessions Media, US)
66.249.23.64 (Endurance International Group, US)
188.165.202.204 (OVH, France)

Blocklist:
50.22.0.2
66.249.23.64
188.165.202.204
gxnaika.ru
hentaimusika.ru
forumla.ru
gulivaerinf.ru
foruminanki.ru
heelicotper.ru
forumny.ru
hillairusbomges.ru
hillaryklinton.ru
hinpoka.ru
hifnsiiip.ru

Thursday 21 March 2013

Facebook spam / scriptuserreported.org

This Facebook spam has undergone some sort of failure during construction, revealing some of the secrets of how these messages are constructed. It leads to malware on scriptuserreported.org:

Date:      Thu, 21 Mar 2013 10:56:28 -0500
From:      Facebook [update+oi=MKW63Z@facebookmail.com]
Subject:      John Jenkins commented photo of you.

facebook
   
John Jenkins commented on {l5}.
reply to this email to comment on this photo.
see comment
this message was sent to {mailto_username}@{mailto_domain}. if you don't want to receive these emails from facebook in the future, please unsubscribe.

facebook, inc., attention: department 415, po box 1000{digit}, palo alto, ca 9{digit}3{digit}
The malicious payload is at [donotclick]scriptuserreported.org/close/keys-importance-mention.php hosted on 5.39.37.31 and there are no surprises that this is OVH in France.. but wait a minute because this is in a little suballocated block thusly:

inetnum:        5.39.37.24 - 5.39.37.31
netname:        n2p3DoHost
descr:          DoHost n2 p3
country:        FR
admin-c:        OTC2-RIPE
tech-c:         OTC2-RIPE
status:         ASSIGNED PA
mnt-by:         OVH-MNT
source:         RIPE # Filtered


Let's start with the server at 5.39.37.31 which is distributing the Blackhole Exploit Kit (report here). This server also hosts the following potentially malicious domains:
pesteringpricelinecom.net
resolveconsolidate.net
scriptuserreported.org
provingmoa.com

Go back a few IPs to 5.39.37.28 and there is are a couple of work-at-home scam sites:
workhomeheres01.com
workhomeheres02.com

There's also a work-at-home scam on 5.39.37.24:
makeworkhome12.pl

5.39.37.26 appears to be hosting a control panel for the Neutrino Exploit kit:
myadminspanels.info
supermyadminspanels.info

So you can pretty much assume that 5.39.37.24/29 is a sewer and you should block the lot. Who is n2p3DoHost? Well, I don't know.. but there's one more clue at 5.39.37.29 which is the domain rl-host.net. The WHOIS details for rl-host.net are anonymised, but on the day of registration were:

    Queste Julien
    Email:julien@queste.fr
    50 rue Arthur lamendin
    62330 isbergues
    France
    Tel: +33.649836105

Does M. Queste own this /29? If he does, then it looks like he has some very bad customers..

Minimum blocklist:
5.39.37.31
pesteringpricelinecom.net
resolveconsolidate.net
scriptuserreported.org
provingmoa.com

Recommended blocklist:
5.39.37.24/29
makeworkhome12.pl
myadminspanels.info
supermyadminspanels.info
workhomeheres01.com
workhomeheres02.com
rl-host.net
pesteringpricelinecom.net
resolveconsolidate.net
scriptuserreported.org
provingmoa.com


"Data Processing Service" spam / airtrantran.com

This spam leads to malware on

Date:      Thu, 21 Mar 2013 15:55:22 +0000 [11:55:22 EDT]
From:      Data Processing Service [customerservice@dataprocessingservice.com]
Subject:      ACH file ID "973.995"  has been processed successfully

Files Processing Service

SUCCESS Notification
We have successfully complete ACH file 'ACH2013-03-20-8.txt' (id '973.995') submitted by user '[redacted]' on '2013-03-20 23:24:14.9'.
FILE SUMMARY:
Item count: 21
Total debits: $17,903.59
Total credits: $17,903.59

For addidional info    review it here

24.111.157.113 (Midcontinent Media, US)
58.26.233.175 (TMnet, Malaysia)
109.74.61.59 (Ace Telecom, Hungary)
155.239.247.247 (Centurion Telkom, South Africa)

Blocklist:
24.111.157.113
58.26.233.175
109.74.61.59
155.239.247.247
airtrantran.com
basic-printers.com
bestffriendquotes.com
buxarsurf.net
buyersusaremote.net
crackedserverz.com
cyberage-poker.net
dyntic.com
fenvid.com
heavygear.net
hotels-guru.net
openhouseexpert.net
picturesofdeath.net
plussestotally.biz
ricepad.net
rockbandsongs.net
smartsecurityapp.com
teenlocal.net
webpageparking.net

NACHA spam / encodeshole.org

This fake NACHA spam leads to malware on encodeshole.org:

From: "Тимур.Родионов@direct.nacha.org" [mailto:biker@wmuttkecompany.com]
Sent: 20 March 2013 18:51
Subject: Payment ID 454806207096 rejected
Importance: High

Dear Sirs,

Herewith we are informing you, that your latest Direct Deposit payment (ID431989197078) was cancelled,due to your current Direct Deposit software being out of date. Please use the link below to enter the secure section of our web site and see the details::

Click here for more information

Please apply to your financial institution to get the necessary updates of the Direct Deposit software.

Best regards,

ACH Network Rules Department
NACHA - The Electronic Payments Association


10933 Sunrise Valley Drive, Suite 771
Herndon, VA 20190
Phone: 703-561-0849 Fax: 703-787-0548
The malicious payload is at [donotclick]encodeshole.org/closest/209tuj2dsljdglsgjwrigslgkjskga.php (report here) hosted on 91.234.33.187 (FOP Sedinkin Olexandr Valeriyovuch, Ukraine). The following suspect domains are on the same IP:

91.234.33.187
encodeshole.org
rotariesnotify.org
rigidembraces.info
storeboughtmodelers.info


"Scan from a Hewlett-Packard ScanJet" spam / hillaryklinton.ru

This fake printer spam leads to malware on the amusingly-named hillaryklinton.ru:

From: messages-noreply@bounce.linkedin.com [mailto:messages-noreply@bounce.linkedin.com] On Behalf Of LinkedIn Password
Sent: 21 March 2013 06:56
Subject: Scan from a Hewlett-Packard ScanJet #269644

Attached document was scanned and sent
to you using a Hewlett-Packard HP Officejet 6209P.

Sent by: SANDIE
Images : 1
Attachment Type: .HTM [INTERNET EXPLORER]

Hewlett-Packard Officejet Location: machine location not set
In this case there is an attachment called Scanned_Document.htm which leads to a malicious payload at [donotclick]hillaryklinton.ru:8080/forum/links/column.php (report here) hosted on:

50.22.0.2 (SoftLayer, US)
62.75.157.196 (Inergenia, Germany)
109.230.229.156 (High Quality Server, Germany)

Blocklist:
50.22.0.2
62.75.157.196
109.230.229.156
foruminanki.ru
forumla.ru
forumny.ru
gulivaerinf.ru
gxnaika.ru
hanofk.ru
heelicotper.ru
hifnsiiip.ru
hillaryklinton.ru
himalayaori.ru
humalinaoo.ru



Wednesday 20 March 2013

"End of Aug. Statement" spam / hifnsiiip.ru

This fake invoice spam leads to malware on hifnsiiip.ru:

Date:      Wed, 20 Mar 2013 05:41:44 +0100
From:      LinkedIn Connections [connections@linkedin.com]
Subject:      Re: FW: End of Aug. Statement
Attachments:     Invoices-AS9927.htm

Good morning,

as reqeusted I give you inovices issued to you per dec. 2012 ( Internet Explorer file)

Regards
The attached Invoices-AS9927.htm file attempts to direct the victim to a malicious landing page [donotclick]hifnsiiip.ru:8080/forum/links/column.php (report here) hosted on:

50.22.0.2 (SoftLayer, US)
109.230.229.156 (High Quality Server, Germany)
188.165.202.204 (OVH, France)

Recommended blocklist:
50.22.0.2
109.230.229.156
188.165.202.204
foruminanki.ru
forumla.ru
forumny.ru
giimiiifo.ru
giliaonso.ru
gimiiiank.ru
giminaaaao.ru
giminanvok.ru
giminkfjol.ru
gulivaerinf.ru
gxnaika.ru
hentaimusika.ru
hifnsiiip.ru
himalayaori.ru
hiskintako.ru

USPS Spam / himalayaori.ru

This fake UPS (or is it USPS?) spam leads to malware on  himalayaori.ru. The malicious link is in an attachment called ATT17235668.htm.

For some reason the only sample of the spam that I have is horribly mangled:

From: HamzaRowson@hotmail.com [mailto:HamzaRowson@hotmail.com]
Sent: 19 March 2013 23:40
Subject: United Postal Service Tracking Number H1338091657

                                                                                                                          Your USPS TEAM for big savings!                    Can't see images? CLICK HERE.                                                                                                                                                                                                                                                                                                                                                                                       UPS UPS SUPPORT 56                                                                                                                                                                                                                                                                                                                                                                                                                   Not Ready to Open an Account? The UPS Store® can help with full service packing and shipping.Learn More >>                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        UPS - Your UPS Team                                                                                                                                                                Good day, [redacted].      
      
                        Dear User , Delivery Confirmation: Failed

                                Track your Shipment now!

                                            With best regards , Your UPS Customer Services.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Shipping                                      Tracking                                       Calculate Time & Cost                                      Open an Account                                                                                                                                                                                                                                                                @ 2011 United Parcel Service of America, Inc. USPS Team, the UPS brandmark, and the color brown are             trademarks of United Parcel Service of America, Inc. All rights reserved.                        This is a marketing e-mail for UPS services. Click here to update your e-mail preferences or to unsubscribe to             USPS .us Customer Services marketing e-mail For information on UPS's privacy practices, please refer to UPS Privacy Policy.                        Your USPS .US, 5 Glenlake Parkway, NE - Atlanta, GA 30325            Attn: Customer Communications Department                                                                               


Clicking on the attachment sends the intended victim to a malicious web page at [donotclick]himalayaori.ru:8080/forum/links/column.php (report here), in this case via a legitimate hacked site at [donotlick]www.unisgolf.ch/report.htm but that is less important.

himalayaori.ru is hosted on a couple of IPs that look familiar:

50.22.0.2 (SoftLayer, US)
188.165.202.204 (OVH, France)

Recommended blocklist:
50.22.0.2
188.165.202.204
himalayaori.ru
hentaimusika.ru
hiskintako.ru
gxnaika.ru
forumla.ru
gulivaerinf.ru
foruminanki.ru
forumny.ru

Tuesday 19 March 2013

Malware spam: "Opinion: Cyprus banks shut extended to Monday - CNN.com" / salespeoplerelaunch.org

This topically themed (but fake) CNN spam leads to malware on salespeoplerelaunch.org:

Date:      Tue, 19 Mar 2013 10:40:22 -0600
From:      "CNN Breaking News" [BreakingNews@mail.cnn.com]
Subject:      Opinion: Cyprus banks shut extended to Monday - CNN.com

   
Powered by    
* Please note, the sender's email address has not been verified.
   
   
You have received the following link from BreakingNews@mail.cnn.com:    
   
   
Click the following to access the sent link:
   
   
Cyprus banks shut extended to Monday - CNN.com*
   
Get your EMAIL THIS Browser Button and use it to email content from any Web site. Click here for more information.
   
   
*This article can also be accessed if you copy and paste the entire address below into your web browser.
by clicking here
The malicious payload is at [donotclick]salespeoplerelaunch.org/close/printed_throwing-interpreting-dedicated.php (report here) hosted on 69.197.177.16 (WholeSale Internet, US).

Nameservers are NS1.DNSLVLUP.COM (5.9.212.43, Hetzner / Dolorem Ipsum Management Ltd, Germany) and NS2.DNSLVLUP.COM (66.85.131.123, Secured Servers LLC / Phoenix NAP, US)

Recommended blocklist:
salespeoplerelaunch.org
dnslvlup.com
69.197.177.16
5.9.212.43
66.85.131.123



Facebook spam / heelicotper.ru

This fake Facebook spam leads to malware on heelicotper.ru:

Date:      Tue, 19 Mar 2013 08:37:37 +0200
From:      Facebook [updateSIXQG03I44AX@facebookmail.com]
Subject:      You have notifications pending

facebook
Hi,
Here's some activity you may have missed on Facebook.
TAMISHA Gore has posted statuses, photos and more on Facebook.
Go To Facebook
   
See All Notifications
This message was sent to [redacted]. If you don't want to receive these emails from Facebook in the future or have your email address used for friend suggestions, please click: unsubscribe.

Facebook, Inc. Attention: Department 415 P.O Box 10005 Palo Alto CA 94303
The malicious payload is at [donotclick]heelicotper.ru:8080/forum/links/column.php which isn't resolving at the moment, but was earlier hosted on:

50.22.0.2 (SoftLayer, US)
132.230.75.95 (Albert-Ludwigs-Universitaet, Germany)
188.165.202.204 (OVH, France)

The payload and associated IPs are the same as in this attack.

"End of Aug. Statement Reqiured" spam / hiskintako.ru


This spam leads to malware on hiskintako.ru:


Date:      Tue, 19 Mar 2013 08:04:18 +0300
From:      "package update Ups" [upsdelivercompanyb@ups.com]
Subject:      Re: FW: End of Aug. Statement Reqiured
Attachments:     Invoices-CAS9927.htm

Hi,

as reqeusted I give you inovices issued to you per dec. 2012 ( Internet Explorer file)

Regards

-----------------------

Date:      Tue, 19 Mar 2013 02:18:06 +0600
From:      MyUps [ups-delivery-services@ups.com]
Subject:      Re: FW: End of Aug. Stat. Required

Hi,

as reqeusted I give you inovices issued to you per dec. 2012 ( Internet Explorer file)


Regards

The malicious payload is at [donotclick]hiskintako.ru:8080/forum/links/column.php  (report here) hosted on:
50.22.0.2 (SoftLayer, US)
89.110.131.10 (Netclusive, Germany)
132.230.75.95 (Albert-Ludwigs-Universitaet, Germany)
188.165.202.204 (OVH, France)

BLOCKLIST:
50.22.0.2
89.110.131.10
132.230.75.95
188.165.202.204
forumla.ru
gimiiiank.ru
giminanvok.ru
giminkfjol.ru
giminaaaao.ru
giimiiifo.ru
giliaonso.ru
forumny.ru
hiskintako.ru
gxnaika.ru
gulivaerinf.ru

Monday 18 March 2013

Malware spam "New Pope Sued For Not Wearing Seat Belt In Popemobile" / webpageparking.net

This pope themed spam leads to malware on webpageparking.net:

Date:      Mon, 18 Mar 2013 20:20:54 +0200
From:      "CNN Breaking News" [BreakingNews@mail.cnn.com]
Subject:      Opinion: New Pope Sued For Not Wearing Seat Belt In Popemobile ... - CNN.com


Powered by    
* Please note, the sender's email address has not been verified.

You have received the following link from BreakingNews@mail.cnn.com:    
       
Click the following to access the sent link:
       
New Pope Sued For Not Wearing Seat Belt In Popemobile ... - CNN.com*
   
   
Get your EMAIL THIS Browser Button and use it to email content from any Web site. Click here for more information.
   
   
*This article can also be accessed if you copy and paste the entire address below into your web browser.
by clicking here

The link goes through a legitimate hacked site and leads to a malicious payload at [donotclick]webpageparking.net/kill/borrowing_feeding_gather-interesting.php (report here) hosted on:
24.111.157.113 (Midcontinent Media, US)
58.26.233.175 (TMnet, Malaysia)
109.74.61.59 (Ace Telecom KFT, Hungary)
155.239.247.247 (Centurion Telkom, South Africa)

BLOCKLIST:
24.111.157.113
58.26.233.175
109.74.61.59
155.239.247.247
buxarsurf.net
buyersusaremote.net
cyberage-poker.net
fenvid.com
gatovskiedelishki.ru
heavygear.net
hotels-guru.net
openhouseexpert.net
picturesofdeath.net
plussestotally.biz
porftechasgorupd.ru
sawlexmicroupdates.ru
secureaction120.com
secureaction150.com
teenlocal.net

UPDATE: another version of this is doing the rounds with a subject "Opinion: Can New-Pope Benedict be Sued for the Sex Abuse Cases? - CNN.com"

LinkedIn spam / applockrapidfire.biz

This fake LinkedIn spam leads to malware on applockrapidfire.biz:

From: David O'Connor - LinkedIn [mailto:kissp@gartenplandesign.de]
Sent: 18 March 2013 15:34
Subject: Join my network on LinkedIn
Importance: High

LinkedIn
REMINDERS
Invitation reminders:
 From David O\'Connor (animator at ea)

PENDING MESSAGES
There are a total of 9 messages awaiting your response. Go to InBox now.
This message was sent to username@domain.com. Don't want to receive email notifications? Login to your LinkedIn account to Unsubscribe.
LinkedIn values your privacy. At no time has LinkedIn made your email address available to any other LinkedIn user without your permission. c 2013, LinkedIn Corporation.
The link in the message goes through a legitimate hacked site to a malware landing page on  [donotclick]applockrapidfire.biz/closest/209tuj2dsljdglsgjwrigslgkjskga.php  (report here) hosted on 78.46.222.237 (Hetzner, Germany). applockrapidfire.biz was registered just today to a presumably fake address:
Bernardine McGowan
1639 Heather Sees Way
MUSKOGEE
74401
United States
US
+1.2717159555
bernardine_mcgowan73@gmail.com

URLquery detects traffic to these additional IPs that you might want to block too:
50.22.196.70 (Softlayer / Maxmind LLC, US)
66.85.130.234 (Secured Servers LLC / Phoenix NAP, US)
194.165.17.3 (ADM Service Ltd, Monaco)

The nameservers are NS1.QUANTUMISPS.COM (5.9.212.43: Hetzner, Germany) and NS2.QUANTUMISPS.COM (66.85.131.123: Secured Servers LLC / Phoenix NAP, US).  quantumisps.com was registered to an anonymous person on 2013-03-15.

Minimum blocklist:
78.46.222.237
quantumisps.com
applockrapidfire.biz

Recommended blocklist:
5.9.212.43
50.22.196.70
66.85.130.234
66.85.131.123
78.46.222.237
194.165.17.3
quantumisps.com
applockrapidfire.biz

FOG RANT: turn your lights on!

Much of the part of the UK I live in is currently either a) foggy or b) very foggy. Freezing rain has turned the roads to ice and visibility is bugger all. At the moment the roads look like they do in the picture, and there are multiple accidents all over the place.

What amazes me is the sheer amount of complete f--king idiots driving with NO LIGHTS ON WHATSOEVER. Do they not notice that everyone else has their fog lights on? Do they not notice the radio reports of all the accidents?

Grey or silver cars in particular are almost invisible. Perhaps it is time to invest in a front-mounted laser cannon to blast these idiots of the road..

Friday 15 March 2013

ADP Package Delivery Confirmation spam / picturesofdeath.net

 This fake ADP spam leads to malware on the jollily-named picturesofdeath.net:

From: ADP Chesapeake Package Delivery Confirmation [mailto:do_not_reply@adp.com]
Sent: 15 March 2013 14:45
Subject: =?iso-8859-1?Q?ADP Chesapeake - Package Delivery Notification
Importance: High

This message is to notify you that your package has been processed and is on schedule for delivery from ADP.

Here are the details of your delivery:
Package Type: QTR/YE Reporting
Courier: UPS Ground
Estimated Time of Arrival: Tusesday, 5:00pm
Tracking Number (if one is available for this package): 1Z023R643116536498

Details: Click here to overview and/or modify order

We will notify you via email if the status of your delivery changes.

--------------------------------------------------------------------------------

Access these and other valuable tools at support.ADP.com:
o Payroll and Tax Calculators
o Order Payroll Supplies, Blank Checks, and more
o Submit requests online such as SUI Rate Changes, Schedule Changes, and more
o Download Product Documentation, Manuals, and Forms
o Download Software Patches and Updates
o Access Knowledge Solutions / Frequently Asked Questions
o Watch Animated Tours with Guided Input Instructions

Thank You,
ADP Client Services
support.ADP.com

--------------------------------------------------------------------------------

This message and any attachments are intended only for the use of the addressee and may contain information that is privileged and confidential. If the reader of the message is not the intended recipient or an authorized representative of the intended recipient, you are hereby notified that any dissemination of this communication is strictly prohibited. If you have received this communication in error, notify the sender immediately by return email and delete the message and any attachments from your system.
The malicious payload is at [donotclick]picturesofdeath.net/kill/long_fills.php (report here) hosted on:

24.111.157.113 (Midcontinent Media, US)
155.239.247.247 (Centurion Telkom, South Africa)

Blocklist:

advarcheskiedela.ru
arhangelpetrov.ru
fenvid.com
gatovskiedelishki.ru
iberiti.com
metalcrew.net
notsk.com
picturesofdeath.net
porftechasgorupd.ru
roadix.net
sawlexmicroupdates.ru
secureaction120.com
secureaction150.com