Sponsored by..

Saturday 6 April 2013

Facebook "Reminder: Reset your password" spam / accooma.org

Another very aggressive spam run promoting accooma.org which is a fake pharma site..

Date:      Sat, 6 Apr 2013 13:16:59 -0700 [16:16:59 EDT]
From:      Facebook
Subject:      Reminder: Reset your password

facebook   
You recently requested a new password for your Facebook account. It looks like we sent you an email with a link to reset your password 2 ago.
This is a reminder that you need to complete this action by clicking this link and Confirm or Cancel your request.

If you have any other questions, please visit our Help Center.
Thanks,
The Facebook Team

The emails vary somewhat in content. I've received 60+ of these today to one email account alone, so this site is being pushed very hard indeed. Although the email is annoying, it does not seem to be harmful. For more details, see this earlier post about another spam run for the same domain.

"Updated information" spam / accooma.org / classic-pharmacy.com

This scary looking spam is nothing more than an attempt to get you to click through to a fake pharmacy site:

Date:      Mon, 9 Feb 2004 13:00:35 +0000 (GMT)
From:      "Account Info Change" [info@virtualregistrar.com]
Subject:      Updated information

    Updated information

Hello,

The following information for your ID [redacted] was updated on 02/09/2012: Date of birth, Security question and answer.

If these changes were made in error, or if you believe an unauthorized person accessed your account, please reset your account password immediately.

This is an automated message. Please do not reply to this email. If you need additional help, visit our Support Center.

Thanks,
Customer Support

The link in the email goes to a landing page on accooma.org (184.82.155.18 - HostNOC, US) which clicks through to classic-pharmacy.com (184.82.155.20 - also HostNOC). These two IPs are very close together which indicates a bad block.

There does not appear to be any malware involved (see here and here) and of course nobody has changed any details on your account. You can safely ignore these emails.

A closer examination shows that HostNOC have suballocated 184.82.155.16/29 (184.82.155.16 - 184.82.155.23) to an unknown party. The following fake pharma sites are active in this range:
accooma.org
classic-pills.net
fdapharmacy.net
iorderpills.net
justpills-com.com
pill-max.net
fdapharmacy-com.com
internetpharmacyreview.com
iorderpills-com.com
just-pills.net
pharmacyfinder.net
pillmax-com.com
classic-pharmacy.com
comparedrugprices-com.com
emedsource-com.com
justmypills-com.com
l-md.info
pharmacheap-com.com
pills-md.net
clinicmeds.info
kamagrafast2.info
pillorder-com.com
zpharmacy-com.com
buymeds-com.com
generics4u.info
rx-cs.info

Friday 5 April 2013

"Copies of Policies" spam / ifikangloo.ru

This spam leads to malware on ifikangloo.ru:

From: KaelSaine@mail.com [mailto:KaelSaine@mail.com]
Sent: 05 April 2013 11:43
Subject: Fwd: LATONYA - Copies of Policies

Unfortunately, I cannot obtain electronic copies of the SPII policy.

Here is the Package and Umbrella,

and a copy of the most recent schedule.


LATONYA Richmond, 
The link in the email leads to a legitimate hacked site and then on to [donotclick]ifikangloo.ru:8080/forum/links/column.php (report here) hosted on the same IPs used in this attack:
91.191.170.26 (Netdirekt, Turkey)
208.94.108.238 (Fibrenoire, Germany)

Blocklist:
91.191.170.26
208.94.108.238
ifikangloo.ru
ifinaksiao.ru
igionkialo.ru
ijsiokolo.ru
illuminataf.ru
imanraiodl.ru
itriopea.ru
ivanikako.ru
ixxtigang.ru
izamalok.ru
izjianokr.ru


"End of Aug. Statement" spam / ijsiokolo.ru

This fake invoice spam leads to malware on ijsiokolo.ru:
Date:      Fri, 5 Apr 2013 07:57:37 +0300
From:      "Account Services ups" [upsdelivercompanyb@ups.com]
Subject:      Re: End of Aug. Statement Required
Attachments:     Invoice_AF146989113.htm

Good morning,

I give you inovices issued to you per Feb. (Microsoft Internet Explorer format).

Regards

DAYLE PRIEST

=================

Date:      Fri, 5 Apr 2013 07:56:53 -0300
From:      "Tracking" [ups-account-services@ups.com]
Subject:      Re: FW: End of Aug. Stat.

Hallo,

I give you inovices issued to you per Feb. (Microsoft Internet Explorer format).

Regards

Mariano LEE 
The .htm attachment in the email leads to malware at [donotclick]ijsiokolo.ru:8080/forum/links/column.php (report here) hosted on:
91.191.170.26 (Netdirekt, Turkey)
208.94.108.238 (Fibrenoire, Germany)

Blocklist:
91.191.170.26
208.94.108.238
ifinaksiao.ru
igionkialo.ru
ijsiokolo.ru
illuminataf.ru
imanraiodl.ru
itriopea.ru
ivanikako.ru
ixxtigang.ru
izamalok.ru
izjianokr.ru

"Speech.doc" legal spam / itriopea.ru

This fake legal spam leads to malware on itriopea.ru:
Date:      Thu, 4 Apr 2013 07:44:02 -0500
From:      Malaki Brown via LinkedIn [member@linkedin.com]
Subject:      Fwd: Our chances to gain a cause are better than ever.

We conversed with the administration representatives, and if we acknowledge our non-essential contempt for the sake of their statistics increase , the key suit will be closed due to the lack of the state interest to the action. We have executed your elucidative text for the court. Please read it carefully and if anything in it disagrees with you, let us know.

Speech.doc 458kb


With respect to you
Malaki Brown

=====================

Date:      Thu, 4 Apr 2013 05:37:47 -0600
From:      Talisha Sprague via LinkedIn [member@linkedin.com]
Subject:      Re: Fwd: Our chances to gain a suit are higher than ever.

We talked to the administration representatives, and if we admit our minor infringements for the sake of their statistics increase , the main cause will be closed due to the lack of the government interest to the proceedings. We have executed your explicatory text for the court. Please read it carefully and if anything in it dissatisfies you, advise us.

Speech.doc 698kb


With Best Regards
Talisha Sprague

The attachment Speech.doc leads to a malicious payload is at [donotclick]itriopea.ru:8080/forum/links/column.php (report here) hosted on:
91.191.170.26 (Netdirekt, Turkey)
93.187.200.250 (Netdirekt, Turkey)
208.94.108.238 (Fibrenoire, Turkey)

Blocklist (including active nameservers):
62.76.40.244
62.76.41.245
91.191.170.26
93.187.200.250
109.70.4.231
188.65.178.27
199.66.224.130
199.191.59.60
208.94.108.238
ifinaksiao.ru
igionkialo.ru
illuminataf.ru
imanraiodl.ru
itriopea.ru
ivanikako.ru
ixxtigang.ru
izamalok.ru
izjianokr.ru

Thursday 4 April 2013

"British Airways" spam / igionkialo.ru

This fake British Airways spam leads to malware on igionkialo.ru:
Date:      Thu, 4 Apr 2013 10:19:48 +0330
From:      Marleen Camacho via LinkedIn [member@linkedin.com]
Subject:      British Airways E-ticket receipts
Attachments:     E-Receipt.htm



e-ticket receipt
Booking reference: UMA7760047
Dear,

Thank you for booking with British Airways.

Ticket Type: e-ticket
This is your e-ticket receipt. Your ticket is held in our systems, you will not receive a paper ticket for your booking.

Your itinerary is attached (Internet Exlplorer/Mozilla Firefox file)


Yours sincerely,

British Airways Customer Services

British Airways may monitor email traffic data and also the content of emails, where permitted by law, for the purposes of security and staff training and in order to prevent or detect unauthorised use of the British Airways email system.

British Airways Plc is a public limited company registered in England and Wales. Registered number: 69315274. Registered office: Waterside, PO Box 365, Harmondsworth, West Drayton, Middlesex, England, UB7 0GB.

How to contact us
Although we are unable to respond to individual replies to this email we have a comprehensive section that may help you if you have a question about your booking or travelling with British Airways.


If you require further assistance you may contact us

If you have received this email in error
This is a confidential email intended only for the British Airways Customer appearing as the addressee. If you are not the intended recipient please delete this email and inform the snder as soon as possible. Please note that any copying, distribution or other action taken or omitted to be taken in reliance upon it is prohibited and may be unlawful.

The attachment E-Receipt.htm leads to a malicious landing page at [donotclick]igionkialo.ru:8080/forum/links/column.php (report here) hosted on:
93.187.200.250 (Netdirekt, Turkey)
94.103.45.34 (ANKARAHOSTING, Turkey)
208.94.108.238 (Fibrenoire, Canada)

Blocklist:
93.187.200.250
94.103.45.34
208.94.108.238
hillaryklinton.ru
hiskinta.ru
humaniopa.ru
ifinaksiao.ru
igionkialo.ru
ilianorkin.ru
illuminataf.ru
imanraiodl.ru
imbrigilia.ru
ivanikako.ru
ixxtigang.ru
izamalok.ru
izjianokr.ru

"Bill Me Later" spam / PP_BillMeLater_Receipe04032013_4283422.zip

This fake "Bill Me Later" spam comes with a malicious attachment:

Date:      Wed, 3 Apr 2013 21:42:52 +0600 [04/03/13 11:42:52 EDT]
From:      Bill Me Later [notification@billmelater.com]
Subject:      Thank you for scheduling a payment to Bill Me Later



BillMeLater
   
Log in here
       
Your Bill Me Later� statement is now available!

Dear Customer,

Thank you for making a payment online! We've received your
Bill Me Later® payment of $1644.03 and have applied it to your account.

For more details please check attached file : PP_BillMeLater_Receipe04032013_4283422.zip

Here are the details:

Your Bill Me Later Account Number Ending in: 0014

You Paid: $1644.03

Your Payment Date*: 04/03/2013

Your Payment Confirmation Number: 228646660603545001

Don't forget, Bill Me Later is the perfect way to shop when you want more time to pay for the stuff you need. Plus, you can always find great deals and discounts at over 1000 stores. Watch this short, fun video to learn more.

BillMeLater

*NOTE: If your payment date is Saturday, or a holiday, it will take an additional day for the payment to appear on your account. However, you will be credited for the payment as of the payment date.
Log in at PayPal.com to make a payment
Questions:
Do not reply to this email. Please send all messages through the email form on our website. We are unable to respond to account inquiries sent in reply to this email. Bill Me Later is located at 9690 Deereco Rd, Suite 110, Timonium, MD 21093 Copyright 2012 Bill Me Later Inc.

Bill Me Later accounts are issued by WebBank, Salt Lake City Utah

PP10NDPP1


There is an attachment called PP_BillMeLater_Receipe04032013_4283422.zip which contains an executable file PP_BillMeLater_Receipe_04032013.exe (note that the date is encoded into the filename) which currently has a VirusTotal detection rate of just 26/46. The executable is resistant to automated analysis tools but has the following fingerprint:
MD5: c93bd092c1e62e9401275289f25b4003
SHA256: ae5af565c75b334535d7d7c1594846305550723c54bf2ae77290784301b2ac29


Blocking EXE-in-ZIP files at your perimeter is an effective way of dealing with this threat, assuming you have the technology to do it.

Wednesday 3 April 2013

"Have you seen how much money has Cameron spent on his new movie?" spam / ixxtigang.ru

This old-fashioned spam leads to malware on ixxtigang.ru:

Date:      Wed, 3 Apr 2013 11:29:19 +0400
From:      LinkedIn Password [password@linkedin.com]
Subject:      I??�m shocked!

Have you seen how much money has Cameron spent on his new movie?
What a graphics, check out the trailer!
The malicous payload is at [donotclick]ixxtigang.ru:8080/forum/links/column.php (report here) hosted on the same IPs used in this attack:
93.187.200.250 (Netdirekt, Turkey)
94.103.45.34 (ANKARAHOSTING, Turkey)
208.94.108.238 (Fibrenoire, Canada)

Blocklist:
93.187.200.250
94.103.45.34
208.94.108.238
izamalok.ru
imbrigilia.ru
humaniopa.ru
hiskinta.ru
illuminataf.ru
ilianorkin.ru
hillaryklinton.ru
izjianokr.ru
ivanikako.ru
ixxtigang.ru

eFax spam / ivanikako.ru

This fake eFax spam leads to malware on ivanikako.ru:

From: Global Express UPS [mailto:admin@ups.com]
Sent: 02 April 2013 21:12
Subject: Efax Corporate

Fax Message [Caller-ID: 189609656]

You have received a 40 pages fax at Wed, 3 Apr 2013 02:11:58 +0600, (708)-009-8464.

* The reference number for this fax is [eFAX-698329221].

View attached fax using your Internet Browser.

________________________________________
© 2013 j2 Global Communications, Inc. All rights reserved.
eFax Ž is a registered trademark of j2 Global Communications, Inc.

This account is subject to the terms listed in the eFax Ž Customer Agreement. 
The malicious payload is at [donotclick]ivanikako.ru:8080/forum/links/column.php (report here) hosted on:
93.187.200.250 (Netdirekt, Turkey)
94.103.45.34 (ANKARAHOSTING, Turkey)
208.94.108.238 (Fibrenoire, Canada)

Blocklist:
93.187.200.250
94.103.45.34
208.94.108.238
izamalok.ru
imbrigilia.ru
humaniopa.ru
hiskinta.ru
illuminataf.ru
ilianorkin.ru
hillaryklinton.ru
izjianokr.ru
ivanikako.ru

Author Iain Banks has terminal cancer

Oh my.

Something evil on 151.248.123.170

151.248.123.170 (Reg.ru, Russia) appears to be active in an injection attack at the moment. In the example I saw, the hacked site has injected code pointing to [donotclick]fdozwnqdb.4mydomain.com/jquery/get.php?ver=jquery.latest.js which then leads to a landing page on [donotclick]db0umfdoap.servegame.com/xlawr/next/requirements_anonymous_ordinary.php (report here but times out) which from the URL looks very much like a BlackHole Exploit kit.

This server hosts a lot of sites using various Dynamic DNS domains. I would recommend blocking the Dynamic DNS domains as a block rather than trying to chase down these bad sites individually. In my experience, Dynamic DNS services are being abuse to such an extent that pre-emptive blocking is probably the safest approach.

These are the domains I can see:
41y7kr.servehttp.com
96ztorwy89.serveblog.net
aehwmcqgx.myddns.com
ahbedbxyo.myfw.us
aivcdizhr.myfw.us
b57idtwn.servehalflife.com
bjtujinsl.changeip.org
bu3l0d4s.serveftp.com
bunahyfba.dns04.com
c9c7gldpp.serveblog.net
cigtdye.changeip.org
cuhadjcnyl.myfw.us
d15txn.servepics.com
db0umfdoap.servegame.com
dzrdmz.youdontcare.com
fapqdfckws.serveusers.com
fdozwnqdb.4mydomain.com
fdqeeo.freeddns.com
fxtloji.serveusers.com
geiuut.itemdb.com
grtyxl.xxuz.com
gxodzugrgq.mypicture.info
hgibkcayvxc.myfw.us
hrxivk.ddns.us
hyjantahjuc.myfw.us
hzfkim.ns01.info
idapjl.port25.biz
igwvypnsne.ftpserver.biz
jghdbtvxgj.ns3.name
jjjpbhx.4pu.com
jziirhsxi.dns04.com
keuiawjhbb.itemdb.com
kptslcbrbg.dsmtp.com
lgjkvp.ddns.us
motxke.dns04.com
mzfpmox.mysecondarydns.com
ngt5lcgnp.3utilities.com
objdjjhjpw.port25.biz
ozcffpa.jetos.com
ppmvfcrlw.youdontcare.com
ptdvlxyn.dsmtp.com
qcoidxrbod.ns02.us
rpsbccts.jetos.com
simiawbsilu.myfw.us
smysfr.ddns.ms
sufgrgzpj.ns3.name
swsdsr.mypicture.info
tbrfrz.lflinkup.net
toqmibzken.dynamicdns.biz
uouxhr.serveusers.com
uv985f.no-ip.info
vnlvrwkat.port25.biz
voc0cjieh.servehttp.com
vvecozzd.ns3.name
w5zik4js.sytes.net
wenrtsjzbc.myfw.us
yupbgt.4pu.com
zenj6u.no-ip.org
zjbihpktdn.myfw.us

This is what I recommend that you block:
151.248.123.170
3utilities.com
4mydomain.com
4pu.com
changeip.org
ddns.ms
ddns.us
dns04.com
dsmtp.com
dynamicdns.biz
freeddns.com
ftpserver.biz
itemdb.com
jetos.com
lflinkup.net
myddns.com
myfw.us
mypicture.info
mysecondarydns.com
no-ip.info
no-ip.org
ns01.info
ns02.us
ns3.name
port25.biz
serveblog.net
serveftp.com
servegame.com
servehalflife.com
servehttp.com
servepics.com
serveusers.com
sytes.net
xxuz.com
youdontcare.com

Tuesday 2 April 2013

And this is why people don't trust lawyers..

You may or not have heard of Prenda Law.. it's a US law firm that has been pursuing alleged movie downloaders for copyright violations. But it won't reveal who it's clients are, leading to allegations that Prenda is up to some shenanigans.

Anyway.. it's a fascinating story even for non-lawyers, but it all came to a head when a judge dragged them into court and asked them to explain themselves. And they took the fifth. Ken at Popehat writes about the latest episode in this saga here.. but you've just got to love the summary of just how scandalous this is part way down:
In effect, the responsible lawyers for a law firm conducting litigation before a court have refused to explain that litigation to the court on the grounds that doing so could expose them to criminal prosecution.

I mean.. holy crap. It's worth reading that again just to understand what some lawyers are prepared to sink to. Their mothers must be very proud of them.


Sendspace spam / imbrigilia.ru

This fake Sendspace spam leads to malware on imbrigilia.ru:

Date:      Tue, 2 Apr 2013 03:57:26 +0000
From:      "JOSIE HARMON" [HARMON_JOSIE@hotmail.com]
Subject:      You have been sent a file (Filename: [redacted]-7191.pdf)

Sendspace File Delivery Notification:

You've got a file called [redacted]-463168.pdf, (172.5 KB) waiting to be downloaded at sendspace.(It was sent by JOSIE HARMON).



You can use the following link to retrieve your file:



Download Link



The file may be available for a limited time only.



Thank you,

sendspace - The best free file sharing service.

----------------------------------------------------------------------

Please do not reply to this email. This auto-mailbox is not monitored and you will not receive a response.

The malicious payload is at [donotclick]imbrigilia.ru:8080/forum/links/column.php (report here) hosted on the same IPs used in this attack:
80.246.62.143 (Alfahosting GmbH, Germany)
94.103.45.34 (ANKARAHOSTING, Turkey)

Blocklist:
80.246.62.143
94.103.45.34
humaniopa.ru
hiskinta.ru
illuminataf.ru
izamalok.ru
ilianorkin.ru
hillaryklinton.ru
izjianokr.ru
ivanovoposel.ru
hohohomaza.ru
imbrigilia.ru

"End of Aug. Statement Required" spam / ivanovoposel.ru

This spam leads to malware on ivanovoposel.ru:

From: messages-noreply@bounce.linkedin.com [mailto:messages-noreply@bounce.linkedin.com] On Behalf Of LinkedIn
Sent: 02 April 2013 10:15
Subject: Re: FW: End of Aug. Statement Reqiured

Hallo,
as reqeusted I give you inovices issued to you per jan. (Microsoft Internet Explorer).

Regards
SHONTA SCHMITT
Alternate names:
NORIKO Richmond
Raiden MORRISON

Attachments:
Invoice_U13726798.htm
Invoice_U453718.htm
Invoice_U913687.htm

The attachment leads to malware on [donotclick]ivanovoposel.ru:8080/forum/links/column.php (report here) hosted on:
80.246.62.143 (Alfahosting GmbH, Germany)
94.103.45.34 (ANKARAHOSTING, Turkey)

Blocklist:
80.246.62.143
94.103.45.34
humaniopa.ru
hiskinta.ru
illuminataf.ru
izamalok.ru
ilianorkin.ru
hillaryklinton.ru
izjianokr.ru
ivanovoposel.ru
hohohomaza.ru

"Russian Hackers" spam / kidala.info / hack-sell.su

These spam messages appear to be promoting the underground websites kidala.info and hack-sell.su, both of which appear to be engaged in hacking, crimeware and fraud. But is there something else going on here?

Date:      Tue, 2 Apr 2013 18:07:48 +0700 [07:07:48 EDT]
Subject:      Russian hackers has you neo!

Russian hackers has you neo!
kidala dot info
or this kidala.info

==========================

Date:      Tue, 2 Apr 2013 17:17:29 +0700 [06:17:29 EDT]
Subject:      Russian hackers has you neo!

Need buy some shells?
http://kidala.info

==========================

Date:      Tue, 2 Apr 2013 16:27:24 +0700 [05:27:24 EDT]
Subject:      Russian hackers has anything you need.

World Best hack conference hereurl here: kidala.info

==========================

Date:      Tue, 2 Apr 2013 12:30:09 +0530 [03:00:09 EDT]
Subject:      World Interesting hack site here

Hi Manurl here: http://hack-sell.su

==========================

Date:      Tue, 2 Apr 2013 02:58:24 +0200 [04/01/13 20:58:24 EDT]
Subject:      Russian hackers mafia OWNS YOU!

Russian mafia has you...
hack-sell.su
or this hack-sell dot su

==========================

Subject:      Russian bad boys forum here, come join!

World baddest hackers join us hereurl here: hack-sell .su

==========================

Date:      Mon, 1 Apr 2013 16:01:59 -0400 [04/01/13 16:01:59 EDT]
Subject:      Russian hackers has anything you need.

Prime hack portal here!
hack-sell dot su
or this hack-sell dot su 

(Note that the emails may appear to be "from" your own account or someone in your own organisation. Don't worry, you have not been hacked.. forging an email address is trivially easy (described here).

But there's something unusual because these spams are being sent repeatedly to SpamCop.net email addresses, and I haven't seen them anywhere else. So why send spam emails to people who are very likely to file an abuse complaint.. unless you want the recipient to file an abuse complaint, that is.

This sort of attack pattern looks like a Joe Job, perhaps from a rival to these two underground forums. Targeting addresses that will likely file a complaint is a sort of reverse listwashing, and the pattern of repeated emails to the same address is also a Joe Job characteristic. And the thing about underground forums.. well, they don't tend to spam at all because they like to remain under the radar.

The sites don't appear to be hosting malware, if you've accidentally clicked through then there you are probably OK, although both sites look like they are down at the moment. There may well be more Joe Jobs after this one though, so don't be surprised if more rubbish floods your inbox.

Update: these subject lines are in use at the moment..
Best crack phorum so far!
Best hack conference so far!
Need buy some abuseimmune servers?
Need buy some injects?
Need buy some loads?
Need buy some socks?
Need buy some traffic?
Russian bad boys forum here, come join!
Russian hackers has anything you need.
Russian hackers has you neo!
Russian mafia has you...
Russian hackers mafia OWNS YOU!
Superior crack site so far!
World baddest hackers join us here
World Best hack website here
World Superior hack conference here

Friday 29 March 2013

"Please respond - overdue payment" spam / INVOICE_28781731.zip

This spam comes with a malware-laden attachment called INVOICE_28781731.zip:

Date:      Fri, 29 Mar 2013 10:33:53 -0600 [12:33:53 EDT]
From:      Victor_Lindsey@key.com
Subject:      Please respond - overdue payment

Please find attached your invoices for the past months. Remit the payment by 02/04/2013
as outlines under our "Payment Terms" agreement.

Thank you for your business,

Sincerely,
Victor Lindsey

This e-mail has been sent from an automated system.  PLEASE DO NOT REPLY.

The information contained in this message may be privileged, confidential and protected
from disclosure. If the reader of this message is not the intended recipient, or an
employee or agent responsible for delivering this message to the intended recipient, you
are hereby notified that any dissemination, distribution or copying of this communication
is strictly prohibited. If you have received this communication in error, please notify
your representative immediately and delete this message from your computer. Thank you. 
Unzipping the attachment gives a malware filed called INVOICE_28781731.exe with an icon to look like a PDF file. VirusTotal detections are 16/46 and are mostly pretty generic. Comodo CAMAS reports a callback to topcancernews.com hosted on 199.19.212.149 (Vexxhost, Canada) which is also being used in this malware attack. Looking for that IP in your logs might show if any of your clients.

Thursday 28 March 2013

ADP Spam / ipiniadto.ru

This fake ADP spam leads to malware on ipiniadto.ru:

Date:      Thu, 28 Mar 2013 04:22:48 +0600 [03/27/13 18:22:48 EDT]
From:      Bebo Service [service@noreply.bebo.com]
Subject:      ADP Immediate Notification

ADP Immediate Notification
Reference #: 120327398

Thu, 28 Mar 2013 04:22:48 +0600
Dear ADP Client

Your Transfer Record(s) have been created at the web site:

https://www.flexdirect.adp.com/client/login.aspx

Please see the following notes:

    Please note that your bank account will be debited within one banking business day for the amount(s) shown on the report(s).
    Please do not respond or reply to this automated e-mail. If you have any questions or comments, please Contact your ADP Benefits Specialist.


This note was sent to acting users in your system that approach ADP Netsecure.

As usual, thank you for choosing ADP as your business affiliate!

Ref: 975316004
HR. Payroll. Benefits.

The ADP logo and ADP are registered trademarks of ADP, Inc.
In the business of your success is a service mark of ADP, Inc.
© 2013 ADP, Inc. All rights reserved.
The malicious landing page and recommended blocklist are the same as for this parallel attack also running today.

Facebook spam / ipiniadto.ru

The email address says Filestube. The message says Facebook. This can't be good.. and in fact this message just leads to malware on ipiniadto.ru:

Date:      Thu, 28 Mar 2013 04:58:33 +0600 [03/27/13 18:58:33 EDT]
From:      FilesTube [filestube@filestube.com]
Subject:      You have notifications pending

facebook
Hi,
Here's some activity you may have missed on Facebook.
BERTIE Goldstein has posted statuses, photos and more on Facebook.
Go To Facebook
   
See All Notifications
This message was sent to [redacted]. If you don't want to receive these emails from Facebook in the future or have your email address used for friend suggestions, please click: unsubscribe.
Facebook, Inc. Attention: Department 415 P.O Box 10005 Palo Alto CA 94303 
The malicious payload is at [donotclick]ipiniadto.ru:8080/forum/links/column.php (report here) hosted on the same IPs as used in this attack:

66.249.23.64 (Endurance International Group, US)
69.46.253.241 (RapidDSL & Wireless, US)
140.114.75.84 (TANET, Taiwan)

Blocklist:
66.249.23.64
69.46.253.241
140.114.75.84
heepsteronst.ru
hillairusbomges.ru
hillaryklinton.ru
hinakinioo.ru
hiskinta.ru
hjuiopsdbgp.ru
hohohomaza.ru
hondatravel.ru
humaniopa.ru
humarikanec.ru
ilianorkin.ru
iliminattii.ru
illuminataf.ru
ipiniadto.ru


Changelog spam / Changelog_Urgent_N992.doc.exe

This fake "changelog" spam has a malicious attachment Changelog.zip which in turn contains a malware file named Changelog_Urgent_N992.doc.exe

From:      Logistics Express [admin@ups.com]
Subject:      Re: Changelog 2011 update

Hi,
as promised changelog,

Michaud Abran 

VirusTotal detects the payload as Cridex. The malware is resistant to automated analysis tools, but Comodo CAMAS reports the creation of a file C:\Documents and Settings\User\Application Data\KB00085031.exe which is pretty distinctive.

If your email filter supports it, I strongly recommend that you configure it to block EXE-in-ZIP files as they are malicious in the vast majority of cases.

"Scan from a Xerox W. Pro" spam / ilianorkin.ru

This fake printer spam leads to malware on ilianorkin.ru:

From: officejet@[victimdomain]
Sent: 27 March 2013 08:35
Subject: Fwd: Fwd: Scan from a Xerox W. Pro #589307

A Document was sent to you using a XEROX WorkJet PRO 481864299.

SENT BY : Omar
IMAGES : 9
FORMAT (.JPEG) DOWNLOAD
The malicious payload is at [donotclick]ilianorkin.ru:8080/forum/links/column.php (report here) hosted on:

66.249.23.64 (Endurance International Group, US)
69.46.253.241 (RapidDSL & Wireless, US)
140.114.75.84 (TANET, Taiwan)

Blocklist:
66.249.23.64
69.46.253.241
140.114.75.84
humaniopa.ru
hiskinta.ru
hohohomaza.ru
humarikanec.ru
hondatravel.ru
hillaryklinton.ru
hinakinioo.ru
hjuiopsdbgp.ru
hillairusbomges.ru
heepsteronst.ru
ilianorkin.ru
iliminattii.ru
illuminataf.ru

Wednesday 27 March 2013

NACHA spam / mgithessia.biz

This fake NACHA spam leads to malware on mgithessia.biz:

From: "Олег.Тихонов@direct.nacha.org" [mailto:universe87@mmsrealestate.com]
Sent: 27 March 2013 03:25
Subject: Disallowed Direct Deposit payment
Importance: High

To whom it may concern:

We would like to inform you, that your latest Direct Deposit via ACH transaction (Int. No.989391803448) was cancelled,because your business software package was out of date. The details regarding this matter are available in our secure section::

Click here for more information

Please consult with your financial institution to obtain the updated version of the software.

Kind regards,

ACH Network Rules Department
NACHA - The Electronic Payments Association


11329 Sunrise Valley Drive, Suite 865
Herndon, VA 20172
Phone: 703-561-1927 Fax: 703-787-1894
The malicious payload is at [donotclick]mgithessia.biz/closest/repeating-director_concerns.php although I am having difficulty resolving that domain, however it appears to be on 46.4.150.118 (Hetzner, Germany) and the payload looks something like this.

DNS services are provided by justintvfreefall.org which is also probably malicious. Nameservers are on 5.187.4.53 (Fornex Hosting, Germany) and  5.187.4.58 (the same).

Recommended blocklist:
46.4.150.118
5.187.4.53
5.187.4.58
mgithessia.biz
justintvfreefall.org



"British Airways E-ticket receipts" spam / illuminataf.ru

This fake airline ticket spam leads to malware on illuminataf.ru:


Date:      Wed, 27 Mar 2013 03:23:05 +0100
From:      "Xanga" [noreply@xanga.com]
Subject:      British Airways E-ticket receipts
Attachments:     E-Ticket-Receipt.htm

e-ticket receipt
Booking reference: JQ15191488
Dear,

Thank you for booking with British Airways.

Ticket Type: e-ticket
This is your e-ticket receipt. Your ticket is held in our systems, you will not receive a paper ticket for your booking.

Your itinerary is attached (Internet Exlplorer/Mozilla Firefox file)


Yours sincerely,

British Airways Customer Services

British Airways may monitor email traffic data and also the content of emails, where permitted by law, for the purposes of security and staff training and in order to prevent or detect unauthorised use of the British Airways email system.

British Airways Plc is a public limited company registered in England and Wales. Registered number: 51298446. Registered office: Waterside, PO Box 365, Harmondsworth, West Drayton, Middlesex, England, UB7 0GB.

How to contact us
Although we are unable to respond to individual replies to this email we have a comprehensive section that may help you if you have a question about your booking or travelling with British Airways.


If you require further assistance you may contact us

If you have received this email in error
This is a confidential email intended only for the British Airways Customer appearing as the addressee. If you are not the intended recipient please delete this email and inform the snder as soon as possible. Please note that any copying, distribution or other action taken or omitted to be taken in reliance upon it is prohibited and may be unlawful.

The attackment E-Ticket-Receipt.htm (which has a poor detection rate) leads to a malicious payload at [donotclick]illuminataf.ru:8080/forum/links/column.php (report here) hosted on:
66.249.23.64 (Endurance International Group, US)
69.46.253.241 (RapidDSL & Wireless, US)
223.4.209.134 (Alibaba (China) Technology Co, China)

Blocklist:
66.249.23.64
69.46.253.241
223.4.209.134
humaniopa.ru
hiskinta.ru
hohohomaza.ru
humarikanec.ru
hillaryklinton.ru
hinakinioo.ru
hillairusbomges.ru
heepsteronst.ru
hjuiopsdbgp.ru
hondatravel.ru
illuminataf.ru
iliminattii.ru

Tuesday 26 March 2013

"NY TRAFFIC TICKET" spam / hondatravel.ru

I haven't seen this type of spam for a while, but here it is.. leading to malware on hondatravel.ru:

Date:      Wed, 27 Mar 2013 04:24:14 +0330
From:      "LiveJournal.com" [do-not-reply@livejournal.com]
Subject:      Fwd: Re: NY TRAFFIC TICKET

New-York Department of Motor Vehicles

TRAFFIC TICKET
NEW-YORK POLICE DEPARTMENT
THE PERSON CHARGED AS FOLLOWS

Time: 2:15 AM

Date of Offense: 28/07/2012



SPEED OVER 50 ZONE

TO PLEAD CLICK HERE AND FILL OUT THE FORM
The malicious payload appears to be identical to this spam run earlier today.

Wire Transfer spam / hondatravel.ru

This fake Wire Transfer spam leads to malware on hondatravel.ru:

From: messages-noreply@bounce.linkedin.com [mailto:messages-noreply@bounce.linkedin.com] On Behalf Of LinkedIn
Sent: 26 March 2013 11:52
Subject: Re: Wire Transfer Confirmation (FED_4402D79813)

Dear Bank Account Operator,
WIRE TRANSFER: FED68081773954793456
CURRENT STATUS: PENDING

Please REVIEW YOUR TRANSACTION as soon as possible.

The malicious payload is at [donotclick]hondatravel.ru:8080/forum/links/column.php (report here) hosted on:

66.249.23.64 (Endurance International Group, US)
69.46.253.241 (RapidDSL & Wireless, US)

These IPs were seen earlier with this attack.

UPS spam / Label_8827712794.zip

This fake UPS spam has a malicious EXE-in-ZIP attachment:

Date:      Tue, 26 Mar 2013 20:54:54 +0600 [10:54:54 EDT]
From:      UPS Express Services [service-notification@ups.com]
Subject:      UPS - Your package is available for pickup ( Parcel 4HS287FD )

The courier company was not able to deliver your parcel by your address.

Cause: Error in shipping address.

You may pickup the parcel at our post office.

Please attention!
For mode details and shipping label please see the attached file.
Print this label to get this package at our post office.

Please do not reply to this e-mail, it is an unmonitored mailbox!

Thank you,
UPS Logistics Services.

CONFIDENTIALITY NOTICE: This electronic mail transmission and any attached files contain
information intended for the exclusive use of the individual or entity to whom it is
addressed and may contain information belonging to the sender (UPS , Inc.) that is
proprietary, privileged, confidential and/or protected from disclosure under applicable
law. If you are not the intended recipient, you are hereby notified that any viewing,
copying, disclosure or distributions of this electronic message are violations of federal
law. Please notify the sender of any unintended recipients and delete the original
message without making any copies.  Thank You

The attachment Label_8827712794.zip contains a malicious binary called Label_8827712794.exe which has a VirusTotal score of just 6/46. ThreatExpert reports that the malware is a Pony downloader which tries to phone home to:
aseforum.ro (199.19.212.149 / Vexxhost, Canada)
23.localizetoday.com (192.81.131.18 / Linode, US)

Assuming that all domains on those are malicious, this is a partial blocklist:
192.81.131.18
199.19.212.149
aseforum.ro
htlounge.com
htlounge.net
topcancernews.com
23.localizetoday.com
23.localizedonline.com
23.localizedonline.net

eFax Corporate spam / hjuiopsdbgp.ru

This fake eFax spam leads to malware on hjuiopsdbgp.ru:

Date:      Tue, 26 Mar 2013 06:23:36 +0800
From:      LinkedIn [welcome@linkedin.com]
Subject:      Efax Corporate
Attachments:     Efax_Pages.htm



Fax Message [Caller-ID: 378677295]

You have received a 59 pages fax at Tue, 26 Mar 2013 06:23:36 +0800, (954)-363-5285.

* The reference number for this fax is [eFAX-677484317].

View attached fax using your Internet Browser.


© 2013 j2 Global Communications, Inc. All rights reserved.
eFax ® is a registered trademark of j2 Global Communications, Inc.

This account is subject to the terms listed in the eFax ® Customer Agreement.
The attachment Efax_Pages.htm leads to a malicious payload at [donotclick]hjuiopsdbgp.ru:8080/forum/links/column.php (report here) hosted on the following IPs:
66.249.23.64 (Endurance International Group, US)
69.46.253.241 (RapidDSL & Wireless, US)
95.211.154.196 (Leaseweb, Netherlands)

Blocklist:
66.249.23.64
69.46.253.241
95.211.154.196
hohohomaza.ru
humarikanec.ru
hillaryklinton.ru
hinakinioo.ru
hillairusbomges.ru
hjuiopsdbgp.ru
heepsteronst.ru


DHL Spam / LABEL-ID-NY26032013-GFK73.zip

This DHL-themed spam contains a malicious attachment.

Date:      Tue, 26 Mar 2013 17:27:46 +0700 [06:27:46 EDT]
From:      Bart Whitt - DHL regional manager [reports@dhl.com]
Subject:      DHL delivery report NY20032013-GFK73
   
Web Version  |  Update preferences  |  Unsubscribe
       

DHL notification

Our company’s courier couldn’t make the delivery of parcel.

REASON: Postal code contains an error.
LOCATION OF YOUR PARCEL: New York
DELIVERY STATUS: sort order
SERVICE: One-day Shipping
NUMBER OF YOUR PARCEL: ETBAKPRSU3
FEATURES: No

Label is enclosed to the letter.
Print a label and show it at your post office.

An additional information:

If the parcel isn’t received within 15 working days our company will have the right to claim compensation from you for it’s keeping in the amount of $8.26 for each day of keeping of it.

You can find the information about the procedure and conditions of parcels keeping in the nearest office.

Thank you for using our services.
DHL Global
   
       
Edit your subscription | Unsubscribe

Attached is a ZIP file called LABEL-ID-NY26032013-GFK73.zip which in turn contains LABEL-ID-NY26032013-GFK73.EXE (note that the date is encoded into the filename, so subsequent versions will change).

VirusTotal detections for this malware are low (7/46). The malware resists analysis from common tools, so I don't have any deeper insight as to what is going on.

Update:  Comodo CAMAS identified some of the phone-home domains which are the same as the ones used here.

NACHA spam / breathtakingundistinguished.biz

This fake NACHA spam leads to malware on breathtakingundistinguished.biz:

From: "Гена.Симонов@direct.nacha.org" [mailto:corruptnessljx953@bsilogistik.com]
Sent: 25 March 2013 22:26
Subject: Re: Your Direct Deposit disallowance
Importance: High

Attn: Accounting Department

We are sorry to notify you, that your latest Direct Deposit transaction (#963417979218) was disallowed,because your business software package was out of date. The detailed information about this matter is available in the secure section of our web site:

Click here for more information

Please consult with your financial institution to acquire the updated version of the software.

Yours truly,

ACH Network Rules Department
NACHA - The Electronic Payments Association


19681 Sunrise Valley Drive, Suite 275
Herndon, VA 20135
Phone: 703-561-1796 Fax: 703-787-1698

The malicious payload is at [donotclick]breathtakingundistinguished.biz/closest/209tuj2dsljdglsgjwrigslgkjskga.php (report here) hosted on 62.173.138.71 (Internet-Cosmos Ltd., Russia). The following malicious sites are also hosted on the same server:


necessarytimealtering.biz
hitwiseintelligence.biz
breathtakingundistinguished.biz

Monday 25 March 2013

"Copies of policies" spam / heepsteronst.ru

This spam leads to malware on heepsteronst.ru:

Date:      Mon, 25 Mar 2013 06:20:54 -0500 [07:20:54 EDT]
From:      Ashley Madison [donotreply@ashleymadison.com]
Subject:      RE: DEBBRA - Copies of Policies.

Unfortunately, I cannot obtain electronic copies of the Ocean, Warehouse or EPLI policy.
Here is the Package and Umbrella,

and a copy of the most recent schedule.


DEBBRA Barnard, 

The malicious payload is at [donotclick]heepsteronst.ru:8080/forum/links/column.php (report here). The IP addresses used are the same ones as used in this attack.

"Scan from a HP ScanJet" spam / humaniopa.ru

This fake printer spam leads to malware on humaniopa.ru:

Date:      Mon, 25 Mar 2013 03:57:54 -0500
From:      LinkedIn Connections [connections@linkedin.com]
Subject:      Scan from a HP ScanJet #928909620
Attachments:     Scanned_Document.htm

Attached document was scanned and sent

to you using a Hewlett-Packard HP Officejet 98278P.

Sent by: CHANG
Images : 5
Attachment Type: .HTM [INTERNET EXPLORER]

Hewlett-Packard Officejet Location: machine location not set
The attachment Scanned_Document.htm leads to malware on [donotclick]humaniopa.ru:8080/forum/links/column.php (report here) hosted on:
66.249.23.64 (Endurance International Group, US)
72.11.155.182 (OC3 Networks, US)
72.167.254.194 (GoDaddy, US)
95.211.154.196 (Leaseweb, Netherlands)

Blocklist:
66.249.23.64
72.11.155.182
72.167.254.194
95.211.154.196
hohohomaza.ru
hillaryklinton.ru
hinakinioo.ru
hillairusbomges.ru
humaniopa.ru
humarikanec.ru


"Bank of America" spam / PAYMENT RECEIPT 25-03-2013-GBK-74

This spam comes with a malicious EXE file in the archive PAYMENT RECEIPT 25-03-2013-GBK-74.zip

Date:      Mon, 25 Mar 2013 05:50:18 +0300 [03/24/13 22:50:18 EDT]
From:      Bank of America [gaudilyl30@gmail.com]
Subject:      Your transaction is completed

Transaction is completed. $4924 has been successfully transferred.
If the transaction was made by mistake please contact our customer service.
Payment receipt is attached.

*** This is an automatically generated email, please do not reply ***
Bank of America, N.A. Member FDIC. Equal Housing Lender Opens in new window
© 2013 Bank of America Corporation. All rights reserved 
Opening the ZIP file leads to an EXE caled PAYMENT RECEIPT 25-03-2013-GBK-74.EXE which has a pretty patchy detection rate on VirusTotal. Comodo CAMAS detects traffic to the domains seantit.ru  and programcam.ru hosted on:

59.99.226.54 (BSNL Internet, India)
66.248.200.143 (Avante Hosting Services / Dominic Lambie, US)
77.241.198.65 (VPSnet, Lithunia)
81.20.146.229 (GONetwork, Estonia)
103.14.8.20 (Symphony Communication, Thailand)

Plain list:
59.99.226.54
66.248.200.143
77.241.198.65
81.20.146.229
103.14.8.20


There are many more domains and IPs connected to this, I will post an update later.

Update:  most of the domains are dynamic IPs (scroll all the way down), so blocking them might be ineffective. However, these domains are all related to this malware:

Domains:
conficinskiy.ru
dnssharedfree.com
domainforru.ru
e-eleves.net
english-professional.net
exawiewdmkag.ru
free-onlinednsmy.com
gatovskiedelishki.ru
hostingooooold.com
internetkilo.com
letsgofit.net
mydkarsy.com
ndotgeforceare.com
nvufvwieg.com
oluros.ru
opticdyn.ru
programcam.ru
rodroofing.net
royalcanime.com
seantit.ru
secrettapez.com
secureaction120.com
startofinger.com
staticlike.com
stereomaxisky.com
stockanddraw.net   
szbests.ru
whatisgoodlife.com
verifikation-paypal.org   
wearneedlike.com
yapppi.net
zeouk-gt.com

IPs (for research purposes rather than blocking)
1.1.224.198
1.185.151.43
2.133.218.31
2.184.88.72
2.184.110.125
2.184.113.55
2.184.113.75
2.193.103.139
4.188.3.12
5.9.161.162
5.15.177.43
5.34.43.39
5.175.143.107
11.3.51.158
14.96.41.180
14.96.136.144
14.97.96.149
14.98.223.156
14.99.57.251
14.99.78.143
14.99.161.196
14.99.247.243
27.2.137.94
37.237.21.29
41.70.155.31
41.70.177.45
41.92.102.131
41.92.108.231
41.151.224.172
49.201.253.119
49.249.62.185
58.65.121.241
59.99.226.54
59.161.74.145
59.161.109.194
61.98.178.61
61.102.209.97
62.76.179.184
64.31.62.139
66.248.200.143
77.241.198.65
81.20.146.229
88.83.27.96
88.198.176.115
89.44.194.254
91.231.98.142
94.76.243.95
95.141.128.114
101.60.193.138
101.63.162.177
101.218.7.168
103.14.8.20
105.169.169.204
106.195.9.115
106.196.233.245
106.198.98.12
106.218.108.218
111.161.76.8
113.53.228.28
114.79.40.90
115.137.40.222
115.241.67.83
115.242.75.193
115.252.209.210
115.252.209.245
116.203.44.146
116.203.86.97
117.198.156.91
117.232.236.221
118.34.162.32
118.43.109.153
118.129.82.13
119.157.179.163
120.29.89.97
121.245.30.74
121.245.118.26
121.150.108.146
124.43.202.122
128.111.46.96
151.155.24.150
158.108.168.91
173.208.88.197
174.126.34.114
175.157.154.64
176.202.244.15
176.228.195.54
177.26.243.240
177.99.210.3
177.116.226.181
180.215.112.195
184.176.206.146
186.170.50.138
186.170.98.232
186.170.226.89
187.50.29.218
197.107.82.143
202.142.106.57
203.11.146.21
211.173.142.127
220.149.236.151

Sunday 24 March 2013

"Champions Club Community" / championsclubcommunity.com spam

Why these people bother sending me unsolicited email is a mystery... but in fact the so-called "Champions Club Community" is a bit of a mystery too..

From:     Simon Phillips - Champions Club [news@championsclubcommunity.com]
Reply-To:     contactus2@championsclubcommunity.com
Date:     24 March 2013 15:56
Subject:     March 2013 Newsletter

Email not displaying properly? View it online

CCC Logo



Hello and Welcome to this first newsletter from the revamped, overhauled and thoroughly revised Champions Club Community.

Our Vision hasn’t changed, we’re still here to help create One Global Family but, based on lots of feedback from our Community Ambassadors, our Purpose has been refined to “Inspiring and Enabling all people to make a difference in their lives and the lives of others.”  Or, to put it even more simply, we’re all here to “Go MAD”, where MAD stands for Make A Difference.

This month, our focus is on Homelessness with a number of articles and features highlighting this desperately sad and avoidable problem.

    Dianna Moylan asks – Homelesseness: Can we deal with it?
    Co-founder of CCC, Mark Insull reveals – I was Homeless, I know how it feels
    A Report on – Stop Homelessness, Sleep Easy Event

All of these are presented to inspire you to join in our campaign to end homelessness in the UK and Sign our e-Petition here.

Also featured in the magazine this month:

    This month’s Celebrated Do-Gooder – James Dyson
    Calling all Future Leaders – 5 x £10k bursaries available to all applicants.  If you think you have what it takes to lead our Community one day (or you know someone that does), then Read this Article and get in touch.
    Why I joined Champions Club Community – a series of four tales from our Ambassadors, three of whom have just recently joined us!  Welcome Chris, Kevin and Debs.

What’s Happening?  Some insights into what is going on inside CCC to keep you up to date.  Any questions / thoughts or ideas on how you might be able to help, please contact simon.phillips@championsclubcommunity.com

    Update from the MD including the imminent launch of our youth development programme, called The Leader In Me with Downside Fisher Youth Club.
    We partner with Virgin Giving to setup our £1 a month campaign.
    Work continues on the two major technical projects and Anne Cooper gives us a quick update – The GNB and the £1 a month campaign.

Well, that’s all we’ve got time for this time, there is a whole lot more inside the magazine.  Enjoy the read and do join in if you have a story to tell that will inspire others to Make A Difference!

Kind regards,

Simon

Simon Phillips – MD, Champions Club Community

Champions Club Community
Registered Office: 70 Royal Hill, London SE10 8RF
First of all let's be clear - I have never solicited any communications from these people, but they have been sending me spam since at least 2010.

So the Champions Club Community is a charity? Actually, it is.. registered as charity 1145253. What does this charity actually do? Because it is a registered charity, we can check out its activities on the Charities Commission website here. So, how much did it contribute to charity in 2012?

From an awesome income of £150, this so-called charity expended.. well, let's not beat about the bush here. Fuck all. Not a penny. Nothing. OK, to be fair I haven't received a spam from them since 2011, so perhaps they have been keeping a low profile.

Let's have a a quick look at the web site traffic. According to Alexa (not the most reliable thing but bear with me), the website championsclubcommunity.com is the 1,710,736th most popular site in the world, reaching out to 0.000053% of the world's internet population. By comparison, even a humble low-traffic site like dynamoo.com is ranked 596,722nd with the giddy heights of 0.00031% of the world visiting it. That's about six times the traffic for a blog that is basically about spam.

There's also an associated limited company called Champions Club Community (Trading) Ltd (company number 06243285, formerly called T.S.G.M. Ltd), set up by the charity's founders, Mark Insull and Guy Insull. According to the financial records I have seen, this company has struggled to stay afloat.

So, if like me you are staring at this spam wondering if it's a scam or not.. well, it seems to be genuine. But as a charity the Champions Club Community looks like an abject failure. If you are feeling charitable, then why not try the DEC instead.. at least that actually makes donations to those in need.

Friday 22 March 2013

Changelog spam / hohohomaza.ru

Evil changelog spam episode 274, leading to malware on hohohomaza.ru. Hohoho indeed.

Date:      Fri, 22 Mar 2013 11:06:48 -0430
From:      Hank Sears via LinkedIn [member@linkedin.com]
Subject:      Fwd: Changelog as promised (upd.)

Hello,

as promised changelog - View

L. HENDRICKS

The malware landing page is at [donotclick]hohohomaza.ru:8080/forum/links/column.php (report here) hosted on:
50.22.0.2 (Softlayer / Monday Sessions Media, US)
66.249.23.64  (Endurance International Group, US)
80.246.62.143 (Alfahosting / Host Europe, Germany)

Blocklist:
50.22.0.2
66.249.23.64
80.246.62.143
hillaryklinton.ru
hohohomaza.ru
hillairusbomges.ru
hentaimusika.ru
himalayaori.ru
hiskintako.ru
heelicotper.ru
hinpoka.ru

Wire Transfer spam / dataprocessingservice-alerts.com

This fake Wire Transfer spam leads to malware on dataprocessingservice-alerts.com:

Date:      Fri, 22 Mar 2013 10:42:22 -0600
From:      support@digitalinsight.com
Subject:      Terminated Wire Transfer Notification - Ref: 54133

Immediate Transfers Processing Service

STATUS Notification
The following wire transfer has been submitted for approval. Please visit this link to review the transaction details (ref '54133' submitted by user '[redacted]' ).
TRANSACTION SUMMARY:

Initiated By: [redacted]

Initiated Date & Time: 2013-03-21 4:00:46 PM PST

Reference Number: 54133

For addidional info visit this link
The payload is at [donotclick]dataprocessingservice-alerts.com/kill/chosen_wishs_refuses-limits.php  (report here) hosted on:

24.111.157.113 (Midcontinent Media, US)
58.26.233.175 (TMNet, Malaysia)
155.239.247.247 (Centurion Telkom, South Africa)

Blocklist:
24.111.157.113
58.26.233.175
155.239.247.247
bestffriendquotes.com
buxarsurf.net
buyersusaremote.net
cyberage-poker.net
dataprocessingservice-alerts.com
fenvid.com
heavygear.net
hotels-guru.net
neo-webnet.com
openhouseexpert.net
picturesofdeath.net
plussestotally.biz
rockbandsongs.net
teenlocal.net
webpageparking.net

Zendesk "An important notice about security" spam / vagh.ru / pillshighest.com

This unusual spam leads to a fake pharma site on pillshighest.com via vagh.ru and an intermediate hacked site.

Date:      Fri, 22 Mar 2013 13:52:08 -0700
From:      Support Team [pinbot@schwegler.com]
To:      [redacted]
Subject:      An important notice about security

We recently learned that the vendor we use to answer support requests and other emails (Zendesk) experienced a security breach.

We're sending you this email because we received or answered a message from you using Zendesk. Unfortunately your name, email address and subject line of your message were improperly accessed during their security breach. To help keep your account secure, please:

    Don't share your password. We will never send you an email asking for your password. If you get an email like this, please let us know right away.
    Beware of suspicious emails. If you get any emails that look like they're from our Support Team but don't feel right, please let us know - especially if they include details about your support request.
    Use a strong password. If your password is weak, you can create a new one.

We're really sorry this happened, and we'll keep working with law enforcement and our vendors to ensure your information is protected.

Support Team


Questions? See our FAQ.

This email was sent to [redacted].

�2013 Zendesk, Inc. | All Rights Reserved

Privacy Policy | Terms and Conditions

There appears to be no malware involved in this attack. After the user has clicked through to the hacked site (in this case [donotclick]www.2001hockey.com/promo/page/ - report here) the victim is bounced to [donotclick]vagh.ru on 193.105.210.212 (FOP Budko Dmutro Pavlovuch, Ukraine) and then on to [donotclick]pillshighest.com on 91.217.53.30 (Fanjcom, Czech Republic).

Some IPs and domains you might want to block:
91.217.53.30
193.105.210.212
abolade_lillian.rbluhozq.com
andycolley1.rbluhozq.com
cre8aworld.rbluhozq.com
deanna_ware.rbluhozq.com
diane.iverson.rbluhozq.com
j_minchey.rbluhozq.com
jackie.rbluhozq.com
jenkoto.rbluhozq.com
jjlock100.rbluhozq.com
jude256.rbluhozq.com
karenjbentley.rbluhozq.com
krister66.rbluhozq.com
lmatthews.rbluhozq.com
longhorn_97.rbluhozq.com
marcbigelow.rbluhozq.com
marijuanapillsmedical.com
migraineskiherbal.net
mram0523.rbluhozq.com
ns1.vtinodrutry.com
ns2.vtinodrutry.com
pillcarney.com
pillshighest.com
prescriptiondrugwalgreens.com
rjrepp.rbluhozq.com
sophie.ashcroft.rbluhozq.com
storyfullscreen.com
streetinsiderpharmhealth.com
supplementspillherbal.com
tabletlevipad.com
tabletspillspharmacy.ru
vagh.ru
vtinodrutry.com

Changelog spam / hillairusbomges.ru

This fake changelog spam leads to malware on hillairusbomges.ru:

Date:      Thu, 21 Mar 2013 03:01:59 -0500 [04:01:59 EDT]
From:      LinkedIn Email Confirmation [emailconfirm@linkedin.com]
Subject:      Re: Changelog Oct.

Good morning,
as prmised updated changelog - View

L. LOYD
The malicious payload is at [donotclick]hillairusbomges.ru:8080/forum/links/column.php (report here) hosted on:
50.22.0.2 (Softlayer / Monday Sessions Media, US)
66.249.23.64 (Endurance International Group, US)
188.165.202.204 (OVH, France)

Blocklist:
50.22.0.2
66.249.23.64
188.165.202.204
gxnaika.ru
hentaimusika.ru
forumla.ru
gulivaerinf.ru
foruminanki.ru
heelicotper.ru
forumny.ru
hillairusbomges.ru
hillaryklinton.ru
hinpoka.ru
hifnsiiip.ru

Thursday 21 March 2013

Facebook spam / scriptuserreported.org

This Facebook spam has undergone some sort of failure during construction, revealing some of the secrets of how these messages are constructed. It leads to malware on scriptuserreported.org:

Date:      Thu, 21 Mar 2013 10:56:28 -0500
From:      Facebook [update+oi=MKW63Z@facebookmail.com]
Subject:      John Jenkins commented photo of you.

facebook
   
John Jenkins commented on {l5}.
reply to this email to comment on this photo.
see comment
this message was sent to {mailto_username}@{mailto_domain}. if you don't want to receive these emails from facebook in the future, please unsubscribe.

facebook, inc., attention: department 415, po box 1000{digit}, palo alto, ca 9{digit}3{digit}
The malicious payload is at [donotclick]scriptuserreported.org/close/keys-importance-mention.php hosted on 5.39.37.31 and there are no surprises that this is OVH in France.. but wait a minute because this is in a little suballocated block thusly:

inetnum:        5.39.37.24 - 5.39.37.31
netname:        n2p3DoHost
descr:          DoHost n2 p3
country:        FR
admin-c:        OTC2-RIPE
tech-c:         OTC2-RIPE
status:         ASSIGNED PA
mnt-by:         OVH-MNT
source:         RIPE # Filtered


Let's start with the server at 5.39.37.31 which is distributing the Blackhole Exploit Kit (report here). This server also hosts the following potentially malicious domains:
pesteringpricelinecom.net
resolveconsolidate.net
scriptuserreported.org
provingmoa.com

Go back a few IPs to 5.39.37.28 and there is are a couple of work-at-home scam sites:
workhomeheres01.com
workhomeheres02.com

There's also a work-at-home scam on 5.39.37.24:
makeworkhome12.pl

5.39.37.26 appears to be hosting a control panel for the Neutrino Exploit kit:
myadminspanels.info
supermyadminspanels.info

So you can pretty much assume that 5.39.37.24/29 is a sewer and you should block the lot. Who is n2p3DoHost? Well, I don't know.. but there's one more clue at 5.39.37.29 which is the domain rl-host.net. The WHOIS details for rl-host.net are anonymised, but on the day of registration were:

    Queste Julien
    Email:julien@queste.fr
    50 rue Arthur lamendin
    62330 isbergues
    France
    Tel: +33.649836105

Does M. Queste own this /29? If he does, then it looks like he has some very bad customers..

Minimum blocklist:
5.39.37.31
pesteringpricelinecom.net
resolveconsolidate.net
scriptuserreported.org
provingmoa.com

Recommended blocklist:
5.39.37.24/29
makeworkhome12.pl
myadminspanels.info
supermyadminspanels.info
workhomeheres01.com
workhomeheres02.com
rl-host.net
pesteringpricelinecom.net
resolveconsolidate.net
scriptuserreported.org
provingmoa.com