Thursday, 11 April 2013

Changelog spam / juliaroberzs.ru

This spam leads to malware on juliaroberzs.ru:

Date:      Thu, 11 Apr 2013 02:46:13 +0100
From:      Mayola Phipps via LinkedIn [member@linkedin.com]
Subject:      Re: changelog UPD.
Attachments:     changelog.htm

Good morning,

as promised changelog is attached (Internet Explorer format)



The attachment changelog.htm leads to a malicious landing page at [donotclick]juliaroberzs.ru:8080/forum/links/column.php  (report here) hosted on some familiar IPs:
91.191.170.26 (Netdirekt, Turkey)
185.5.185.129 (Far-Galaxy Networks, Germany)
188.65.178.27 (Melbourne Server Hosting, UK)

Blocklist:
91.191.170.26
185.5.185.129
188.65.178.27
ifikangloo.ru
ifinaksiao.ru
ighjaooru.ru
igionkialo.ru
ijsiokolo.ru
illuminataf.ru
imanraiodl.ru
itriopea.ru
ivanikako.ru
izamalok.ru
izjianokr.ru
iztakor.ru
jamiliean.ru
jamtientop.ru
janasika.ru
jonahgkio.ru
judianko.ru
juhajuhaa.ru
juliaroberzs.ru
jundaio.ru
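Blocklists like the ones in these posts accumulate across days: entries get repeated, and single IPs, CIDR ranges and domains sit in one list. The script below is an added example, not code from this blog, that parses text in the same "Blocklist:" shape, removes duplicates, separates networks from domains, and drops any single address already covered by a range in the same list. The input is a constructed sample in that shape, not the page's own list.

```python
import ipaddress
import re

# Constructed sample (not the blog's list) in the shape of the "Blocklist:"
# sections above: single IPs, one CIDR range, and repeated domains.
SAMPLE_POSTS = """\
Blocklist:
91.191.170.26
185.5.185.129
judianko.ru
judianko.ru
juhajuhaa.ru

Some other paragraph that is not a blocklist.

Blocklist:
46.4.150.96/27
46.4.150.117
185.5.185.129
mailedspokesperson.biz
juhajuhaa.ru
"""

# Loose hostname check: labels of letters/digits/hyphens, a TLD of 2+ letters.
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9-]+\.)+[a-z]{2,}$", re.IGNORECASE)


def parse_blocklists(text):
    """Collect entries under each 'Blocklist:' heading up to the next blank line.

    Returns (networks, domains): networks as ipaddress objects (a bare IP becomes
    a /32), domains lower-cased, both deduplicated and sorted.
    """
    networks, domains, in_list = set(), set(), False
    for raw in text.splitlines():
        line = raw.strip()
        if line.lower() == "blocklist:":
            in_list = True
            continue
        if not line:                 # blank line ends the list
            in_list = False
            continue
        if not in_list:
            continue
        try:
            networks.add(ipaddress.ip_network(line, strict=False))
        except ValueError:
            if DOMAIN_RE.match(line):
                domains.add(line.lower())
            # anything else is left out rather than guessed at
    nets_sorted = sorted(networks,
                         key=lambda n: (n.version, int(n.network_address), n.prefixlen))
    return nets_sorted, sorted(domains)


def collapse_networks(networks):
    """Remove single IPs (or smaller ranges) already inside a listed range."""
    return list(ipaddress.collapse_addresses(networks))


def render_hosts_style(domains):
    """One sinkhole line per domain, in hosts-file style."""
    return "\n".join(f"0.0.0.0 {d}" for d in domains)


if __name__ == "__main__":
    nets, doms = parse_blocklists(SAMPLE_POSTS)
    print("networks:", [str(n) for n in collapse_networks(nets)])
    print(render_hosts_style(doms))
```

Collapsing matters when a post lists a whole range (as the 46.4.150.96/27 entry later on this page does) alongside individual hosts from inside it: one firewall rule then does the work of several.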

Wednesday, 10 April 2013

"Verizon Wireless" spam / jamtientop.ru

This fake Verizon Wireless spam leads to malware on jamtientop.ru:

Date:      Wed, 10 Apr 2013 01:14:51 +0100 [04/09/13 20:14:51 EDT]
From:      DorianBottom@hotmail.com
Subject:      Verizon Wireless

IMPORTANT ACCOUNT NOTE FROM VERIZON WIRELESS.
Your acknowledgment message is issued.

Your account No. ending in 1332

Dear Client

For your accommodation, your confirmation letter can be found in the Account Documentation desk of My Verizon.

Please browse your informational message for more details relating to your new transaction.


Open Information Message

In addition, in My Verizon you will find links to information about your device & services that may be helpfull if you looking for answers.

Thank you for joining us.     My Verizon is laso works 24 hours 7 days a week to assist you with:

    Viewing your utilization
    Upgrade your tariff
    Manage Account Members
    Pay for your bill
    And much, much more...


© 2013 Verizon Wireless
Verizon Wireless | One Verizon Way Mail Code: 113WVC | Basking Ridge, MI 87325

We respect your privacy. Please browse our policy for more information

The link goes through a hacked legitimate site to a malicious landing page at [donotclick]jamtientop.ru:8080/forum/links/column.php (report here) hosted on:
91.191.170.26 (Netdirekt, Turkey)
185.5.185.129 (Far-Galaxy Networks, Germany)
188.65.178.27 (Melbourne Server Hosting, UK)

Blocklist:
91.191.170.26
185.5.185.129
188.65.178.27
ifikangloo.ru
ifinaksiao.ru
ighjaooru.ru
igionkialo.ru
ijsiokolo.ru
illuminataf.ru
imanraiodl.ru
itriopea.ru
ivanikako.ru
izamalok.ru
izjianokr.ru
iztakor.ru
jamiliean.ru
jamtientop.ru
jonahgkio.ru
judianko.ru
juhajuhaa.ru
jundaio.ru
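Every landing page in this run of spam sits at the same path on port 8080 (host:8080/forum/links/column.php), which makes the traffic easy to spot in proxy logs even when the host name changes daily. The script below is an added example, not code from this blog: it runs over a few constructed Squid-style log lines (not real traffic) and flags requests whose host is on a small blocklist taken from the posts above or whose URL carries that landing-page path. The log format and the BLOCKED_HOSTS set are assumptions for the example.

```python
import re
from urllib.parse import urlsplit

# Constructed proxy log lines (not real traffic): "timestamp client method url status".
SAMPLE_LOG = """\
1365645973.120 10.0.0.15 GET http://www.example.com/index.html 200
1365645974.300 10.0.0.15 GET http://compromised.example.net/wp-content/redir.php 302
1365645975.010 10.0.0.15 GET http://juliaroberzs.ru:8080/forum/links/column.php 200
1365645976.500 10.0.0.22 GET http://185.5.185.129:8080/forum/links/column.php 200
1365645977.800 10.0.0.31 GET http://www.example.org/forum/links/column.php 200
"""

# Indicators from the posts above; a real deployment would load the full blocklist.
BLOCKED_HOSTS = {
    "juliaroberzs.ru", "jamtientop.ru",
    "91.191.170.26", "185.5.185.129", "188.65.178.27",
}
LANDING_PATH = "/forum/links/column.php"

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$"
)


def classify(url):
    """Return the reasons a URL matches the landing-page pattern (empty if none)."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    reasons = []
    if host in BLOCKED_HOSTS:
        reasons.append("host on blocklist")
    if parts.path == LANDING_PATH:
        # The path on its own is a weaker signal; note whether port 8080 was used too.
        reasons.append("landing-page path" + (" on :8080" if parts.port == 8080 else ""))
    return reasons


def scan(log_text):
    """Return (client, url, reasons) for every log line that matches an indicator."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue            # unparseable line: skip rather than guess
        reasons = classify(m["url"])
        if reasons:
            hits.append((m["client"], m["url"], reasons))
    return hits


if __name__ == "__main__":
    for client, url, reasons in scan(SAMPLE_LOG):
        print(f"{client}\t{url}\t{'; '.join(reasons)}")
```

The hit on the hacked intermediate site (the 302 in the second line) is not flagged because it carries no indicator; in practice the client that then fetched the landing page is the one to look at, and the preceding redirect tells you which legitimate site was compromised.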

Congratulations! You are the one millionth visitor to this blog!

Congratulations, you are the one millionth visitor to this blog.. well, almost. Here's a pretty flashing banner for the retro touch.


Actually, the blog hit one million recorded pageviews slightly earlier. Blogger only started recording pageviews in July 2008 by which time the blog had been online for 18 months or so. And I know a pageview isn't a visitor. Anyway, here's the chart just at the moment that the one million mark was hit (click to enlarge).


There was a bit of an unexpected traffic bump today because of a mention on the BBC News site and some other media outlets too. In fact, the story about top porn sites leading to malware is actually the number one most read story currently on the BBC News site, which is pretty surprising.


Anyway, it's been a blast and I'd like to say "thank you" to the bad guys who keep me busy, else this blog would just be about cars and the weather. Here's to the next million :)

Malware sites to block 10/4/13 - part II

With a hat tip to a correspondent, here are some more domains connected with this and this. Enjoy.

adamseasytoimplement.org
perfectlylikeness.org
detailingfiletransfer.com
safeguardingencarta.org
netdocumentsidl.org
bluraysphotographers.org
cathedralati.org
diasly.org
trelixwebprice.org
chaptersthegorilla.org
facilitiesbrrrr.org
idyllictoptier.org
fullscalemethod.org
deviceasciences.org
realizewhole.org
sdbbefvw.com
cwfviwgg.com
ddskcwdk.com
groupcycle.biz
kousrytcbqdids.org
uamawhyfonwofua.org
bgdnmbapnahteul.net
hgalevwtwmba.biz
apbojfsktijjhek.org
alreadysnorkeling.biz
xibfwucletrc.biz
rgngsdqwcemxbn.biz
sposwrsbswlynqc.biz
twiytmbbusrktys.org
blkwjoqfmhftd.org
combatthemednexus.biz
rankprediction.biz
artlogistic.net
textingavz.biz
lmlgqnxdjuyis.biz
wcsgdvxlhmxhd.org
syqdvpsmmpvq.biz
dwjlypydywlt.biz
iriengyhgadgt.org
aisjpqgemanskow.org
uspofnlqbyugv.org
cfkuptmplgrqh.biz
bjhwkbkqhbmq.biz
ulkbhsxywwnua.org
oksolomonprices.biz
hitandwillow.biz
randomwireless.biz
demandthings.biz
sitebandweathers.biz
nonadministrativematerial.biz
gamblerspayroll.biz
jfkshaken.biz
fullduplexioss.biz
sgijdxds.com
localcommittee.biz
vialigthroom.biz
limocoupons.biz
bikeplease.biz
fanaticsbuzz.biz
gnawamama.net
metrodemand.biz
headsync.biz
huntershindrance.biz
b7cb9b6e9.org
forecastssystemworks.biz
skillblissfully.biz
amazondarken.biz
foruminsert.biz
toofrequentextraneous.biz
protectoremail.biz
pinoyexchange.biz
concernsvideocentric.biz
toneadvertising.biz
rainbowsfilmstriplike.biz
franciscodish.biz
catastrophicautobiography.biz
fruitdicingsitting.org
monotoneswift.biz
braineravast.biz
metaphorsuite.biz
navigationalsignup.biz
seekerreporter.biz
uploaderaddressa.biz
dedicatedgerm.biz
blendingdiversity.biz
motivationrevenues.biz
nodeswordpresscom.biz
rdiocruises.biz
paymentground.biz
topiwebbased.biz
sharpspool.biz
directtime.biz
purportswarping.biz
diesulead.biz
mailedspokesperson.biz


BBB Spam / jamiliean.ru

This fake BBB spam leads to malware on jamiliean.ru:

From: Habbo Hotel [mailto:auto-contact@habbo.com]
Sent: 10 April 2013 00:17
Subject: Re: Better Business Bureau Complaint

Good afternoon,

Here with the Better Business Bureau would like to inform you that we have received a complaint (ID 24941954)
from a customer of yours in regard to their dealership with you.

Please open the COMPLAINT REPORT attached to this email (Internet Exlporer file)

to view the details on this issue and suggest us about your position as soon as possible.

We hope to hear from you shortly.

Regards,

CHRISTI REAGAN


Dispute Counselor
Better Business Bureau

The attachment BBB-Complaint-US39824.htm leads to a malicious payload at [donotclick]jamiliean.ru:8080/forum/links/column.php. The associated payload, IPs and domains are the same as in this attack, also running today.

"Your credit line percent was changed" spam / judianko.ru

I haven't seen this one before. It leads to malware on judianko.ru:

From: messages-noreply@bounce.linkedin.com [mailto:messages-noreply@bounce.linkedin.com] On Behalf Of LinkedIn
Sent: 10 April 2013 14:24
Subject: Re: Your credit line percent was changed.

We apologize, but we must raise percent of your credit line up to 22,5%. We would be like to make it lower, but the situation on the market today is not so good, because of it we can not handle other way.

Under this link you can view a details about changing of contract
The link goes through a legitimate but hacked site to [donotclick]judianko.ru:8080/forum/links/column.php (report here) hosted on:
185.5.185.129 (Far-Galaxy Networks, Germany)
188.65.178.27 (Melbourne Server Hosting, UK)

Blocklist:
185.5.185.129
188.65.178.27
judianko.ru
juhajuhaa.ru
imanraiodl.ru
jamiliean.ru

Malware sites to block 10/4/13

These domains and IPs are associated with the Amerika gang and are related to this spam run. Blocking them would be prudent.

46.4.150.96/27
46.161.0.235
93.170.130.241
1thyntyny.itemdb.com
accelerationshrinkwrapped.net
advancementshardofhearing.org
affectingdesktoplevel.net
airplanesreleases.org
androidenabledprivacyx.net
andthisisthird.com
automatedversion.biz
awokeierelated.net
bernardsunhelpful.net
bigstepspinpointing.net
blogsobjectslets.biz
blogsobjectslets.net
blogsobjectslets.org
bruceengaging.org
bustappmosphere.biz
campgroundsdays.org
chappellsuites.org
characteristicsmarking.com
chromewarm.biz
citrixsgp.biz
claimedbizarre.biz
cleanedtravel.biz
clouditcomplaintsome.net
cmsstatements.net
commentstimelimited.biz
couplesubway.biz
courselastused.net
crhazards.org
deactivatingtga.org
denotenag.biz
diesulead.biz
dogsiir.net
dozenmymagicjackcom.net
druidwwwlinux.net
eccentricitiessweep.biz
editdvsmyfitnesspal.biz
editionsglow.net
editorssave.org
educationnonfullscreen.net
eggtasteful.org
enhancementssuunto.biz
exegeneral.net
filedclassics.org
fournightanswering.net
geographicadjustments.net
givegrownups.biz
givesexact.net
hintstrust.org
illinoisnets.net
inaptlyinterviews.org
insightsclout.org
interactivesforensics.org
invoicedaredevil.net
ipodsbegun.biz
lawinsight.biz
limitedwar.net
lionsfusionones.biz
locatestiming.biz
mailedspokesperson.biz
mashedindescribing.net
midtieralmost.org
mtvintrigued.net
multistorypublishers.net
mydruidwwwlinux.biz
occurrelocates.com
ogghunt.org
ogghuntonline.net
ogghunt-shop.net
onstreamdifficulty.biz
outrightclever.net
overkillwhile.net
pageturnneedless.biz
pndclifford.biz
priorteacher.net
quizmfp.biz
rookiedatapad.org
shouldinvoice.org
shranksafetyweb.net
sloppynetbooks.net
snippetscompleted.org
studioinaboxlayer.org
subdividedstripped.org
sweepersigdrs.net
tageditingaction.net
terrainmodeling.net
theatersbears.biz
themadministration.net
thisisspartaaa.com
threesignaling.biz
thresholdingmultiaccount.biz
topiwebbased.biz
totalmediamaking.biz
toutedhints.org
transformedmontana.org
tryingrefers.org
tweetdecksigns.com
uninspiredperspectives.org
uninterruptedlightbox.org
upperrighthandpartner.net

ICANN: thanks for the malware spam / mailedspokesperson.biz

This is a pretty straightforward LinkedIn themed spam that leads to malware on mailedspokesperson.biz:

From:     Leonide Saad - LinkedIn [dreamland@beutelschneiderhamburg.de]
Date:     10 April 2013 15:19
Subject:     Join my network on LinkedIn

LinkedIn
REMINDERS

Invitation reminders:
 From Leonide Saad (Developer at Perot Systems)



PENDING MESSAGES

 There are a total of 8 messages awaiting your response. Go to InBox now.


This message was sent to username@domain.com. Don't want to receive email notifications? Login to your LinkedIn account to Unsubscribe.
LinkedIn values your privacy. At no time has LinkedIn made your email address available to any other LinkedIn user without your permission. © 2013, LinkedIn Corporation.

The catch with this is that the email address being used is one used only to file WHOIS Compliance Reports with ICANN. If you file reports of inaccurate WHOIS data, then you need to be aware that by default ICANN will forward your contact details to the bad guys.. you can request that this be suppressed, but using an alias is (ironically) probably the best bet. So in this case, the bad guys have presumably just added the email in the complaint to their spam list..

Anyway, this has a link to a legitimate hacked site and thence on to [donotclick]mailedspokesperson.biz/closest/f2ihoiwegjowiejf230hfaj.php (report here) hosted on 46.4.150.117 (Siteko Ltd / Hetzner Online, Germany). The WHOIS details are characteristic of the Amerika gang:


Registrant ID:            INTEUMYC18TPLDWG
Registrant Name:          Hunter Afkham
Registrant Address1:      181 Sullivan St #4
Registrant City:          New York
Registrant Postal Code:   10012
Registrant Country:       United States
Registrant Country Code:  US
Registrant Phone Number:  +1.7914260046
Registrant Email:         hunter_afkham8428@aristotle.org


There are a couple of other bad looking sites on the same server, so this is my recommended blocklist:
46.4.150.117
1thyntyny.itemdb.com
diesulead.biz
mailedspokesperson.biz

Tuesday, 9 April 2013

Top porn sites lead to malware

About a year and a half ago I wrote about a series of malware infections at xvideos.com that were potentially infecting visitors' PCs. This week I saw another spike in infections that also appeared to be caused by a popular porn site.

I decided to revisit the statistics that I compiled for those sites using a combination of Alexa and Google Safe Browsing diagnostics. Alexa gives an idea of how popular a site is and how many pages each user visits, Google gives the number of potentially infected pages out of the total indexed.

The results were quite surprising. Last time I calculated a 28% risk that the average visitor to xvideos.com would be exposed to malware. However, now that site has been cleaned up and appears risk free. But what was shocking was that now visitors to xhamster.com ran a 42% chance of malware contact, and pornhub.com users an atrocious 53% chance with a lower infection rate on tube8.com (14%) and youjizz.com (2%).

xvideos.com, livejasmin.com, redtube.com, xnxx.com, youporn.com and adultfriendfinder.com all appeared to be clean. Well.. you know what I mean.

Site (links lost; names filled in only where the text identifies the row)   Alexa rank   Infected pages / total pages   Infection rate   Average pages / user   Malware contact probability
(not identified)                                                             42           0/176191                       0.00%            12.9                   0%
xhamster.com                                                                 46           1067/20986                     5.08%            10.3                   42%
pornhub.com                                                                  63           1777/13955                     12.73%           5.5                    53%
(not identified)                                                             75           0/269                          0.00%            2.2                    0%
(not identified)                                                             82           0/10387                        0.00%            5.1                    0%
(not identified)                                                             98           0/84373                        0.00%            10                     0%
(not identified)                                                             99           1/3854                         0.03%            6                      0%
tube8.com                                                                    129          837/22026                      3.80%            3.9                    14%
youjizz.com                                                                  242          14/3537                        0.40%            6.2                    2%
(not identified)                                                             344          0/593                          0.00%            6.4                    0%

Note: hyperlinks are safe for work and go to Google's Safe Browsing Diagnostics Page for the site

Now, I have no doubt that it is not the intention of the site operators to infect visitors' machines with malware; instead, third party content and infected banner ads are causing the problem. For example, for xhamster.com Google says:

Safe Browsing
Diagnostic page for xhamster.com

What is the current listing status for xhamster.com?

    This site is not currently listed as suspicious.

    Part of this site was listed for suspicious activity 4 time(s) over the past 90 days.

What happened when Google visited this site?

    Of the 20986 pages we tested on the site over the past 90 days, 1067 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2013-04-09, and the last time suspicious content was found on this site was on 2013-04-06.

    Malicious software is hosted on 2 domain(s), including exposedcamz-live.com/, ceskeporno.tv/.

    3 domain(s) appear to be functioning as intermediaries for distributing malware to visitors of this site, including brandreachsys.com/, traffichaus.com/, crakmedia.com/.

    This site was hosted on 3 network(s) including AS39572 (ADVANCEDHOSTERS), AS16265 (LEASEWEB), AS36351 (SOFTLAYER).

Has this site acted as an intermediary resulting in further distribution of malware?

    Over the past 90 days, xhamster.com did not appear to function as an intermediary for the infection of any sites.

Has this site hosted malware?

    No, this site has not hosted malicious software over the past 90 days.

for pornhub.com Google says:

Safe Browsing
Diagnostic page for pornhub.com

What is the current listing status for pornhub.com?

    This site is not currently listed as suspicious.

What happened when Google visited this site?

    Of the 13955 pages we tested on the site over the past 90 days, 1777 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2013-04-09, and the last time suspicious content was found on this site was on 2013-01-28.

    Malicious software includes 5 exploit(s), 2 trojan(s). Successful infection resulted in an average of 6 new process(es) on the target machine.

    Malicious software is hosted on 9 domain(s), including rodriguezwoca.com.ar/, crucerosinfantiles.com.ar/, ingenet.com.ar/.

    4 domain(s) appear to be functioning as intermediaries for distributing malware to visitors of this site, including trafficjunky.net/, gammae.com/, rockwork.ch/.

    This site was hosted on 4 network(s) including AS30361 (SWIFTWILL2), AS22822 (LLNW), AS29789 (REFLECTED).

Has this site acted as an intermediary resulting in further distribution of malware?

    Over the past 90 days, pornhub.com appeared to function as an intermediary for the infection of 34 site(s) including gaypornplanet.com/, xgaytube.com/, pornmd.com/.

Has this site hosted malware?

    No, this site has not hosted malicious software over the past 90 days.

finally, the report for tube8.com says:

Safe Browsing
Diagnostic page for tube8.com

What is the current listing status for tube8.com?

    This site is not currently listed as suspicious.

    Part of this site was listed for suspicious activity 63 time(s) over the past 90 days.

What happened when Google visited this site?

    Of the 22026 pages we tested on the site over the past 90 days, 837 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2013-04-09, and the last time suspicious content was found on this site was on 2013-04-06.

    Malicious software includes 63 exploit(s). Successful infection resulted in an average of 6 new process(es) on the target machine.

    Malicious software is hosted on 22 domain(s), including btsinvestments.com/, nymphdate.com/, dirtymechanics.org/.

    10 domain(s) appear to be functioning as intermediaries for distributing malware to visitors of this site, including crakmedia.com/, trafficjunky.net/, justanaffiliate.com/.

    This site was hosted on 4 network(s) including AS30361 (SWIFTWILL2), AS3356 (LEVEL3), AS29789 (REFLECTED).

Has this site acted as an intermediary resulting in further distribution of malware?

    Over the past 90 days, tube8.com appeared to function as an intermediary for the infection of 38 site(s) including pornmd.com/, largeporntube.com/, ro89.com/.

Has this site hosted malware?

    No, this site has not hosted malicious software over the past 90 days.

So, we can see that the greatest risk comes from external sites such as crakmedia.com (report), trafficjunky.net (report) and traffichaus.com (report) [although see their statement below] plus several others. These too are intermediaries being abused by third parties.. but this is part of the problem with poorly regulated banner ads and traffic exchangers. Bad things slip into pages easily, and very few people want to kick up a fuss.

My advice from last time remains pretty much unchanged: If you are going to look at the shady side of the web, then it is very important to make sure that your system is fully patched (you can use Secunia OSI to check), and a combination of Firefox + NoScript is very good at locking down your browser (note that this isn't really for novices). Logging in as something other than an administrator can also help to reduce the impact of malware.. and of course a good and up-to-date anti-virus or security package is essential. In addition, Chrome is pretty good at picking up malicious sites.. the biggest problem tends to be Internet Explorer. Oh, if you have Java then you should probably uninstall that as it is one of the most popular vectors for infection.

Note: Google's figures stretch back over 90 days and do not necessarily mean that a site is serving malware right now. Interpret the "malware contact probability" in this way: a visitor viewing the reported average number of pages over the aggregate 90 day period would have this average probability of coming into contact with potential malware during a single browsing session, assuming that the infection rate figures are accurate.
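The "malware contact probability" can be reproduced from the two inputs the post describes: the Safe Browsing infection rate (infected pages / pages tested) and the Alexa average pages per user. Treating each page view as an independent draw, the chance of hitting at least one infected page in a session of n views is 1 - (1 - p)^n. That formula is my reconstruction, not stated on the page, but it reproduces the table's 42%, 53%, 14% and 2% from the quoted counts, and the script below (an added example, not the blog's own code) carries the calculation through for the four rows the text ties to named sites.

```python
def infection_rate(infected_pages, total_pages):
    """Fraction of tested pages that Safe Browsing flagged."""
    return infected_pages / total_pages


def contact_probability(infected_pages, total_pages, pages_per_user):
    """Probability of viewing at least one flagged page in a session.

    Model (reconstructed, not from the post): each page view is an independent
    draw with probability p of being flagged, over pages_per_user views; the
    Alexa figure may be fractional, which the power handles.
    """
    p = infection_rate(infected_pages, total_pages)
    return 1.0 - (1.0 - p) ** pages_per_user


# Rows from the table above whose site the text identifies (Safe Browsing
# counts and Alexa average pages per user).
ROWS = [
    ("xhamster.com", 1067, 20986, 10.3),
    ("pornhub.com", 1777, 13955, 5.5),
    ("tube8.com", 837, 22026, 3.9),
    ("youjizz.com", 14, 3537, 6.2),
]


def table():
    """(site, infection rate %, contact probability %) per row, rounded as the post does."""
    return [
        (site,
         round(100 * infection_rate(inf, tot), 2),
         round(100 * contact_probability(inf, tot, n)))
        for site, inf, tot, n in ROWS
    ]


if __name__ == "__main__":
    for site, rate, prob in table():
        print(f"{site:14s} {rate:6.2f}%  {prob:3d}%")
```

The model makes clear why a modest 5% page infection rate turns into a 42% session risk: a visitor who views ten pages gets ten chances. It also shows the limit the note above states: the 90-day counts are an average, so a short-lived bad advertiser (as Traffichaus argues below for xhamster.com) inflates the figure for visitors outside that window.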

Traffichaus's statement: It seems that it is actually OpenX that is the main source of all these malware issues. It is not our server nor Xhamster, nor Brandreach and other sites you have listed. The site Crakmedia.com in this recent incident was hacked via an ongoing flaw within OpenX. And OpenX is easily hacked on their free version, so this company was using the free version, had their servers completely locked down via IP, and apparently got their servers hacked via a bug update in OpenX.
I'd appreciate it if you could remove our domain and name from the story as it doesn't accurately paint the right picture. Also, the infection rate on Xhamster of 42% is not accurate; that infected advertiser was only on the site for maybe a day and only at a 10% rotation, and on minimal pages, so the infection rate was probably 5-7% and it was only for a 12 hour period before the ads were caught and removed.

FAQs

Q: What do you mean by "malware contact"?
A: This is an attempted malware / virus infection, whether it succeeded or not.

Q: Does this sort of malware impact just PCs or other devices too?
A: I haven't identified any individual malware strain here, but the bad guys are increasingly targeting mobile devices as well as PCs, especially Android. Other platforms are also potentially vulnerable.

Q: Who is behind it? Is it the site owners?
A:  It is almost definitely not site owners or even the ad networks behind it. You could even say that they are victims of it as well. If I had to point a finger at geographical regions then I'd start with Russia and Florida.

Q: Porn is disgusting. Why should we care?
A: I try to be non-judgmental. The biggest of these sites pull in about 2% of all web users per day. Not talking about it is not going to help.

Q: Does this just impact porn sites?
A: No. Infected banner ads can be found (less often) on mainstream media sites too. It is good to take some of the precautions listed above even if you don't stray far from the Daily Mail or NBC.


Intuit spam / juhajuhaa.ru

This fake Intuit spam leads to malware on juhajuhaa.ru:

Date:      Tue, 9 Apr 2013 11:21:18 -0430 [11:51:18 EDT]
From:      Tagged [Tagged@taggedmail.com]
Subject:      Payroll Account Holded by Intuit

Direct Deposit Service Informer
Communicatory Only

We cancelled your payroll on Tue, 9 Apr 2013 11:21:18 -0430.

    Finances would be gone away from below account # ending in 6780 on Tue, 9 Apr 2013 11:21:18 -0430
    amount to be seceded: 4053 USD
    Paychecks would be procrastinated to your personnel accounts on: Tue, 9 Apr 2013 11:21:18 -0430
    Log In to Review Operation


Funds are typically left before working banking hours so please make sure you have enough Finances accessible by 12 a.m. on the date Cash are to be seceded.

Intuit must reject your payroll by 4 p.m. Central time, two banking days before your paycheck date or your state would not be paid on time.
QuickBooks does not process payrolls on weekends or federal banking holidays. A list of federal banking holidays can be viewed at the Federal Reserve website.

Thank you for your business.

Regards,
Intuit Payroll Services 

The link in the email goes through a legitimate but hacked site to a malware landing page at [donotclick]juhajuhaa.ru:8080/forum/links/column.php (report here) hosted on some familiar-looking IP addresses that we saw earlier:
91.191.170.26 (Netdirekt, Turkey)
93.187.200.250 (Netdirekt, Turkey)
208.94.108.238 (Fibrenoire, Canada)

Blocklist:
91.191.170.26
93.187.200.250
208.94.108.238
ifikangloo.ru
ifinaksiao.ru
ighjaooru.ru
igionkialo.ru
ijsiokolo.ru
illuminataf.ru
imanraiodl.ru
itriopea.ru
ivanikako.ru
izamalok.ru
izjianokr.ru
iztakor.ru
jonahgkio.ru
juhajuhaa.ru
jundaio.ru

LinkedIn spam / jonahgkio.ru

This fake LinkedIn spam leads to malware on jonahgkio.ru:

Date:      Tue, 9 Apr 2013 10:03:31 -0300
From:      "service@paypal.com" [service@paypal.com]
Subject:      Join my network on LinkedIn

LinkedIn
Marcelene Bruno has indicated you are a Friend

I'd like to add you to my professional network on LinkedIn.



- Marcelene Bruno
Accept
    View invitation from Marcelene Bruno


WHY MIGHT CONNECTING WITH Marcelene Bruno BE A GOOD IDEA?

Marcelene Bruno's connections could be useful to you

After accepting Marcelene Bruno's invitation, check Marcelene Bruno's connections to see who else you may know and who you might want an introduction to. Building these connections can create opportunities in the future.

© 2012, LinkedIn Corporation

The link leads to a malicious payload on [donotclick]jonahgkio.ru:8080/forum/links/column.php which doesn't seem to be working at the moment. However, it is multihomed on some familiar looking IPs:
91.191.170.26 (Netdirekt, Turkey)
93.187.200.250 (Netdirekt, Turkey)
208.94.108.238 (Fibrenoire, Canada)

Blocklist:
91.191.170.26
93.187.200.250
208.94.108.238
itriopea.ru
illuminataf.ru
izamalok.ru
imanraiodl.ru
ifinaksiao.ru
jonahgkio.ru
ivanikako.ru
igionkialo.ru
ijsiokolo.ru
ifikangloo.ru
izjianokr.ru
iztakor.ru
ighjaooru.ru
jundaio.ru

"Unable to process your most recent Bill Payment" spam / BILL_04092013_Fail.exe

This spam contains an attachment 04092013.zip which in turn contains a malicious file BILL_04092013_Fail.exe

Date:      Tue, 9 Apr 2013 10:44:03 -0500 [11:44:03 EDT]
From:      Bank of America [bill.payment@bankofamerica.com]
Subject:      Unable to process your most recent Bill Payment

You have a new e-Message from Bank of America

This e-mail has been sent to you to inform you that we were unable to process your most recent payment of bill.

Please check attached file for more detailed information on this transaction.



Pay To Account Number:     **********3454
Due Date:     05/01/2013
Amount Due:     $ 508.60
Statement Balance:     $ 2,986.26

IMPORTANT: The actual delivery date may vary from the Delivery By date estimate. Please make sure that there are sufficient available funds in your account to cover your payment beginning a few days before Delivery By date estimate and keep such funds available until the payment is deducted from your account.

If we fail to process a payment in accordance with your properly completed instructions, we will reimburse you any late-payment-related fees.

We apologize for any inconvenience this may cause. .
Please do not reply to this message. If you have any questions about the information in this e-Bill , please contact your Bill Pay customer support . For all other questions, call us at 800-887-5749.

   
Bank of America, N.A. Member FDIC. Equal Housing Lender
© 2013 Bank of America Corporation. All rights reserved.
========================================
Please do not delete this section.
Email_ID:#293891058547188172896_
======================================== 
VirusTotal results are only 11/46

MD5: 3cb04da2747769460a7ac09d1be44fc6
SHA256: 141751e9ae18ec55c8cd71e2e464419f3030c21b21e3f0914b0b320adce3bf70

ThreatExpert reports that the malware attempts to phone home to 64.34.70.31 and 64.34.70.32 (iDigital Internet Inc, Canada) and includes a keylogger.
 

HP ScanJet spam / jundaio.ru

This fake printer spam leads to malware on jundaio.ru:

Date:      Tue, 9 Apr 2013 10:07:40 +0500 [01:07:40 EDT]
From:      Scot Crump [ScotCrump@hotmail.com]
Subject: Re: Scan from a Hewlett-Packard ScanJet  #0437
Attachment: HP-ScannedDoc.htm

Attached document was scanned and sent

to you using a HP HPAD-400812P.
SENT BY : Scot S.
PAGES : 9
FILETYPE: .HTM [INTERNET EXPLORER/MOZILLA FIREFOX]

The attachment HP-ScannedDoc.htm leads to malware on [donotclick]jundaio.ru:8080/forum/links/column.php (report here) hosted on:
91.191.170.26 (Netdirekt, Turkey)
93.187.200.250 (Netdirekt, Turkey)
94.103.45.34 (ANKARAHOSTING, Turkey)
208.94.108.238 (Fibrenoire, Canada)

Blocklist:
91.191.170.26
93.187.200.250
94.103.45.34
208.94.108.238
ifikangloo.ru
ifinaksiao.ru
ighjaooru.ru
igionkialo.ru
ijsiokolo.ru
ilianorkin.ru
illuminataf.ru
imanraiodl.ru
imbrigilia.ru
itriopea.ru
ivanikako.ru
ixxtigang.ru
izamalok.ru
izjianokr.ru
iztakor.ru
jundaio.ru



Monday, 8 April 2013

"Kissinger: Thatcher's strong beliefs" spam / ighjaooru.ru

It didn't take long for the Margaret Thatcher themed malware to start after her death. This one leads to malware on ighjaooru.ru:

From: messages-noreply@bounce.linkedin.com [mailto:messages-noreply@bounce.linkedin.com] On Behalf Of Josefa Jimenez via LinkedIn
Sent: 08 April 2013 05:41
Subject: Fwd: Re: Kissinger: Thatcher's strong beliefs

Hi, bad news.
Kissinger: Thatcher's strong beliefs

The payload and associated domains and IPs are exactly the same as used in this attack.

"M&I Bank bankruptcy" spam / ighjaooru.ru

I've never heard of M&I Bank but this is quite an old school spam campaign that leads to malware on ighjaooru.ru:

Date:      Mon, 8 Apr 2013 -01:41:06 -0800
From:      Coral Randolph via LinkedIn [member@linkedin.com]
Subject:      Re: Fwd: M&I Bank bankruptcy

Hi, bad news.

M&I Bank bankruptcy

The malicious payload is at [donotclick]ighjaooru.ru:8080/forum/links/column.php (report here) hosted on a whole load of IPs:
72.167.254.194 (GoDaddy, US)
80.246.62.143 (Alfahosting, Germany)
91.191.170.26 (Netdirekt, Turkey)
93.187.200.250 (Netdirekt, Turkey)
94.103.45.34 (ANKARAHOSTING, Turkey)
208.94.108.238 (Fibrenoire, Canada)

Blocklist:
72.167.254.194
80.246.62.143
91.191.170.26
93.187.200.250
94.103.45.34
208.94.108.238
hillaryklinton.ru
hiskinta.ru
humaniopa.ru
ifikangloo.ru
ifinaksiao.ru
ighjaooru.ru
igionkialo.ru
ijsiokolo.ru
ilianorkin.ru
illuminataf.ru
imanraiodl.ru
imbrigilia.ru
itriopea.ru
ivanikako.ru
ixxtigang.ru
izamalok.ru
izjianokr.ru
iztakor.ru

Beware of jonejonesonley.org

One to watch in your logs today is jonejonesonley.org which is being used as a phone-home point for malware being spammed out at the moment.

jonejonesonley.org is hosted on 85.95.236.155 (Inetmar Internet Hizmetleri, Turkey) and is registered to:

Registrant ID:orgzs46077514499
Registrant Name:Zhong Si
Registrant Organization:Xicheng Co.
Registrant Street1:Huixindongjie 15 2
Registrant Street2:
Registrant Street3:
Registrant City:Beijing
Registrant State/Province:Chaoyang
Registrant Postal Code:101402
Registrant Country:CN
Registrant Phone:+86.1066569215
Registrant Phone Ext.:
Registrant FAX:+86.1066549216
Registrant FAX Ext.:
Registrant Email:zhongguancun@yahoo.com


Also connected is a Java exploit at 217.23.11.108 (Worldstream, Netherlands) so this IP is probably worth blocking as well.

Automated malware analysis is pretty patchy: VirusTotal - Comodo CAMAS - Anubis - ThreatExpert.

Blocklist:
85.95.236.155
217.23.11.108
jonejonesonley.org
3-bogatirja-2012-online.ru

Saturday, 6 April 2013

Facebook "Reminder: Reset your password" spam / accooma.org

Another very aggressive spam run promoting accooma.org which is a fake pharma site..

Date:      Sat, 6 Apr 2013 13:16:59 -0700 [16:16:59 EDT]
From:      Facebook
Subject:      Reminder: Reset your password

facebook   
You recently requested a new password for your Facebook account. It looks like we sent you an email with a link to reset your password 2 ago.
This is a reminder that you need to complete this action by clicking this link and Confirm or Cancel your request.

If you have any other questions, please visit our Help Center.
Thanks,
The Facebook Team

The emails vary somewhat in content. I've received 60+ of these today to one email account alone, so this site is being pushed very hard indeed. Although the email is annoying, it does not seem to be harmful. For more details, see this earlier post about another spam run for the same domain.

"Updated information" spam / accooma.org / classic-pharmacy.com

This scary looking spam is nothing more than an attempt to get you to click through to a fake pharmacy site:

Date:      Mon, 9 Feb 2004 13:00:35 +0000 (GMT)
From:      "Account Info Change" [info@virtualregistrar.com]
Subject:      Updated information

    Updated information

Hello,

The following information for your ID [redacted] was updated on 02/09/2012: Date of birth, Security question and answer.

If these changes were made in error, or if you believe an unauthorized person accessed your account, please reset your account password immediately.

This is an automated message. Please do not reply to this email. If you need additional help, visit our Support Center.

Thanks,
Customer Support

The link in the email goes to a landing page on accooma.org (184.82.155.18 - HostNOC, US) which clicks through to classic-pharmacy.com (184.82.155.20 - also HostNOC). These two IPs are very close together which indicates a bad block.

There does not appear to be any malware involved (see here and here) and of course nobody has changed any details on your account. You can safely ignore these emails.

A closer examination shows that HostNOC have suballocated 184.82.155.16/29 (184.82.155.16 - 184.82.155.23) to an unknown party. The following fake pharma sites are active in this range:

Friday, 5 April 2013

"Copies of Policies" spam / ifikangloo.ru

This spam leads to malware on ifikangloo.ru:

From: KaelSaine@mail.com [mailto:KaelSaine@mail.com]
Sent: 05 April 2013 11:43
Subject: Fwd: LATONYA - Copies of Policies

Unfortunately, I cannot obtain electronic copies of the SPII policy.

Here is the Package and Umbrella,

and a copy of the most recent schedule.


LATONYA Richmond, 
The link in the email leads to a legitimate hacked site and then on to [donotclick]ifikangloo.ru:8080/forum/links/column.php (report here) hosted on the same IPs used in this attack:
91.191.170.26 (Netdirekt, Turkey)
208.94.108.238 (Fibrenoire, Germany)

Blocklist:


"End of Aug. Statement" spam / ijsiokolo.ru

This fake invoice spam leads to malware on ijsiokolo.ru:
Date:      Fri, 5 Apr 2013 07:57:37 +0300
From:      "Account Services ups" [upsdelivercompanyb@ups.com]
Subject:      Re: End of Aug. Statement Required
Attachments:     Invoice_AF146989113.htm

Good morning,

I give you inovices issued to you per Feb. (Microsoft Internet Explorer format).

Regards

DAYLE PRIEST

=================

Date:      Fri, 5 Apr 2013 07:56:53 -0300
From:      "Tracking" [ups-account-services@ups.com]
Subject:      Re: FW: End of Aug. Stat.

Hallo,

I give you inovices issued to you per Feb. (Microsoft Internet Explorer format).

Regards

Mariano LEE 
The .htm attachment in the email leads to malware at [donotclick]ijsiokolo.ru:8080/forum/links/column.php (report here) hosted on:
91.191.170.26 (Netdirekt, Turkey)
208.94.108.238 (Fibrenoire, Germany)

Blocklist:

"Speech.doc" legal spam / itriopea.ru

This fake legal spam leads to malware on itriopea.ru:
Date:      Thu, 4 Apr 2013 07:44:02 -0500
From:      Malaki Brown via LinkedIn [member@linkedin.com]
Subject:      Fwd: Our chances to gain a cause are better than ever.

We conversed with the administration representatives, and if we acknowledge our non-essential contempt for the sake of their statistics increase , the key suit will be closed due to the lack of the state interest to the action. We have executed your elucidative text for the court. Please read it carefully and if anything in it disagrees with you, let us know.

Speech.doc 458kb


With respect to you
Malaki Brown

=====================

Date:      Thu, 4 Apr 2013 05:37:47 -0600
From:      Talisha Sprague via LinkedIn [member@linkedin.com]
Subject:      Re: Fwd: Our chances to gain a suit are higher than ever.

We talked to the administration representatives, and if we admit our minor infringements for the sake of their statistics increase , the main cause will be closed due to the lack of the government interest to the proceedings. We have executed your explicatory text for the court. Please read it carefully and if anything in it dissatisfies you, advise us.

Speech.doc 698kb


With Best Regards
Talisha Sprague

The attachment Speech.doc leads to a malicious payload at [donotclick]itriopea.ru:8080/forum/links/column.php (report here) hosted on:
91.191.170.26 (Netdirekt, Turkey)
93.187.200.250 (Netdirekt, Turkey)
208.94.108.238 (Fibrenoire, Turkey)

Blocklist (including active nameservers):

Thursday, 4 April 2013

"British Airways" spam / igionkialo.ru

This fake British Airways spam leads to malware on igionkialo.ru:
Date:      Thu, 4 Apr 2013 10:19:48 +0330
From:      Marleen Camacho via LinkedIn [member@linkedin.com]
Subject:      British Airways E-ticket receipts
Attachments:     E-Receipt.htm



e-ticket receipt
Booking reference: UMA7760047
Dear,

Thank you for booking with British Airways.

Ticket Type: e-ticket
This is your e-ticket receipt. Your ticket is held in our systems, you will not receive a paper ticket for your booking.

Your itinerary is attached (Internet Exlplorer/Mozilla Firefox file)


Yours sincerely,

British Airways Customer Services

British Airways may monitor email traffic data and also the content of emails, where permitted by law, for the purposes of security and staff training and in order to prevent or detect unauthorised use of the British Airways email system.

British Airways Plc is a public limited company registered in England and Wales. Registered number: 69315274. Registered office: Waterside, PO Box 365, Harmondsworth, West Drayton, Middlesex, England, UB7 0GB.

How to contact us
Although we are unable to respond to individual replies to this email we have a comprehensive section that may help you if you have a question about your booking or travelling with British Airways.


If you require further assistance you may contact us

If you have received this email in error
This is a confidential email intended only for the British Airways Customer appearing as the addressee. If you are not the intended recipient please delete this email and inform the snder as soon as possible. Please note that any copying, distribution or other action taken or omitted to be taken in reliance upon it is prohibited and may be unlawful.

The attachment E-Receipt.htm leads to a malicious landing page at [donotclick]igionkialo.ru:8080/forum/links/column.php (report here) hosted on:
93.187.200.250 (Netdirekt, Turkey)
94.103.45.34 (ANKARAHOSTING, Turkey)
208.94.108.238 (Fibrenoire, Canada)

Blocklist:

"Bill Me Later" spam / PP_BillMeLater_Receipe04032013_4283422.zip

This fake "Bill Me Later" spam comes with a malicious attachment:

Date:      Wed, 3 Apr 2013 21:42:52 +0600 [04/03/13 11:42:52 EDT]
From:      Bill Me Later [notification@billmelater.com]
Subject:      Thank you for scheduling a payment to Bill Me Later



BillMeLater
   
Log in here
       
Your Bill Me Later® statement is now available!

Dear Customer,

Thank you for making a payment online! We've received your
Bill Me Later® payment of $1644.03 and have applied it to your account.

For more details please check attached file : PP_BillMeLater_Receipe04032013_4283422.zip

Here are the details:

Your Bill Me Later Account Number Ending in: 0014

You Paid: $1644.03

Your Payment Date*: 04/03/2013

Your Payment Confirmation Number: 228646660603545001

Don't forget, Bill Me Later is the perfect way to shop when you want more time to pay for the stuff you need. Plus, you can always find great deals and discounts at over 1000 stores. Watch this short, fun video to learn more.

BillMeLater

*NOTE: If your payment date is Saturday, or a holiday, it will take an additional day for the payment to appear on your account. However, you will be credited for the payment as of the payment date.
Log in at PayPal.com to make a payment
Questions:
Do not reply to this email. Please send all messages through the email form on our website. We are unable to respond to account inquiries sent in reply to this email. Bill Me Later is located at 9690 Deereco Rd, Suite 110, Timonium, MD 21093 Copyright 2012 Bill Me Later Inc.

Bill Me Later accounts are issued by WebBank, Salt Lake City Utah

PP10NDPP1


There is an attachment called PP_BillMeLater_Receipe04032013_4283422.zip which contains an executable file PP_BillMeLater_Receipe_04032013.exe (note that the date is encoded into the filename) which currently has a VirusTotal detection rate of just 26/46. The executable is resistant to automated analysis tools but has the following fingerprint:
MD5: c93bd092c1e62e9401275289f25b4003
SHA256: ae5af565c75b334535d7d7c1594846305550723c54bf2ae77290784301b2ac29


Blocking EXE-in-ZIP files at your perimeter is an effective way of dealing with this threat, assuming you have the technology to do it.

Wednesday, 3 April 2013

"Have you seen how much money has Cameron spent on his new movie?" spam / ixxtigang.ru

This old-fashioned spam leads to malware on ixxtigang.ru:

Date:      Wed, 3 Apr 2013 11:29:19 +0400
From:      LinkedIn Password [password@linkedin.com]
Subject:      I'm shocked!

Have you seen how much money has Cameron spent on his new movie?
What a graphics, check out the trailer!

The malicious payload is at [donotclick]ixxtigang.ru:8080/forum/links/column.php (report here) hosted on the same IPs used in this attack:
93.187.200.250 (Netdirekt, Turkey)
94.103.45.34 (ANKARAHOSTING, Turkey)
208.94.108.238 (Fibrenoire, Canada)

Blocklist:

eFax spam / ivanikako.ru

This fake eFax spam leads to malware on ivanikako.ru:

From: Global Express UPS [mailto:admin@ups.com]
Sent: 02 April 2013 21:12
Subject: Efax Corporate

Fax Message [Caller-ID: 189609656]

You have received a 40 pages fax at Wed, 3 Apr 2013 02:11:58 +0600, (708)-009-8464.

* The reference number for this fax is [eFAX-698329221].

View attached fax using your Internet Browser.

________________________________________
© 2013 j2 Global Communications, Inc. All rights reserved.
eFax® is a registered trademark of j2 Global Communications, Inc.

This account is subject to the terms listed in the eFax® Customer Agreement.
The malicious payload is at [donotclick]ivanikako.ru:8080/forum/links/column.php (report here) hosted on:
93.187.200.250 (Netdirekt, Turkey)
94.103.45.34 (ANKARAHOSTING, Turkey)
208.94.108.238 (Fibrenoire, Canada)

Blocklist:

Author Iain Banks has terminal cancer

Oh my.

Something evil on 151.248.123.170

151.248.123.170 (Reg.ru, Russia) appears to be active in an injection attack at the moment. In the example I saw, the hacked site has injected code pointing to [donotclick]fdozwnqdb.4mydomain.com/jquery/get.php?ver=jquery.latest.js which then leads to a landing page on [donotclick]db0umfdoap.servegame.com/xlawr/next/requirements_anonymous_ordinary.php (report here but times out) which from the URL looks very much like a BlackHole Exploit kit.

This server hosts a lot of sites using various Dynamic DNS domains. I would recommend blocking the Dynamic DNS domains as a block rather than trying to chase down these bad sites individually. In my experience, Dynamic DNS services are being abused to such an extent that pre-emptive blocking is probably the safest approach.

These are the domains I can see:

This is what I recommend that you block:
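
The matching logic behind that recommendation, as an added example (not code from the original post): proxy log entries are checked against a blocklist of Dynamic DNS parent domains plus exact IP entries, with parent matching done on label boundaries so that a blocked parent covers every hostname under it without catching look-alike domains. The log lines are constructed; the hostnames and the IP are the ones quoted above, and the blocklist entries are a subset of the post's.

```python
"""Added example, not from the original post: check proxy log entries against
a blocklist of Dynamic DNS parent domains (the post's recommendation) plus
exact IP entries. Parent matching is done on label boundaries, so a blocked
"servegame.com" covers "db0umfdoap.servegame.com" but not an unrelated
"reservegame.com". Log lines are constructed for the example; the hostnames
and the IP are the ones quoted in the post, the blocklist is a subset."""
import ipaddress
from typing import List, Optional, Set, Tuple
from urllib.parse import urlsplit

BLOCKED_DOMAINS = {"4mydomain.com", "servegame.com", "myfw.us", "no-ip.org"}
BLOCKED_IPS = {"151.248.123.170"}


def blocked_parent(hostname: str, blocked: Set[str]) -> Optional[str]:
    """Return the blocklist entry covering hostname (itself or any parent on a
    label boundary), or None. Case and a trailing dot are ignored."""
    labels = hostname.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in blocked:
            return candidate
    return None


def match_target(target: str) -> Optional[str]:
    """target is a hostname or an IP literal; return the matching entry."""
    try:
        ip = str(ipaddress.ip_address(target))
    except ValueError:
        return blocked_parent(target, BLOCKED_DOMAINS)
    return ip if ip in BLOCKED_IPS else None


def extract_host(url: str) -> str:
    """Host part of a proxied URL, or of a CONNECT 'host:port' target."""
    if "://" in url:
        return urlsplit(url).hostname or ""
    return url.rsplit(":", 1)[0]


# Constructed Squid-style lines: "<epoch> <client> <method> <url>".
SAMPLE_LOG = """\
1365008000.123 10.0.0.5 GET http://fdozwnqdb.4mydomain.com/jquery/get.php?ver=jquery.latest.js
1365008001.456 10.0.0.5 GET http://db0umfdoap.servegame.com/xlawr/next/requirements_anonymous_ordinary.php
1365008002.789 10.0.0.7 GET http://www.example.com/index.html
1365008003.000 10.0.0.9 GET http://reservegame.com/
1365008004.000 10.0.0.9 CONNECT 151.248.123.170:443
"""


def scan_log(text: str) -> List[Tuple[str, str, str]]:
    """Return (client, host, matched entry) for every line that hits."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        client, host = parts[1], extract_host(parts[3])
        entry = match_target(host)
        if entry:
            hits.append((client, host, entry))
    return hits


if __name__ == "__main__":
    for client, host, entry in scan_log(SAMPLE_LOG):
        print(f"{client} -> {host}  (blocked by {entry})")
```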

Tuesday, 2 April 2013

And this is why people don't trust lawyers..

You may or may not have heard of Prenda Law.. it's a US law firm that has been pursuing alleged movie downloaders for copyright violations. But it won't reveal who its clients are, leading to allegations that Prenda is up to some shenanigans.

Anyway.. it's a fascinating story even for non-lawyers, but it all came to a head when a judge dragged them into court and asked them to explain themselves. And they took the fifth. Ken at Popehat writes about the latest episode in this saga here.. but you've just got to love the summary of just how scandalous this is part way down:
In effect, the responsible lawyers for a law firm conducting litigation before a court have refused to explain that litigation to the court on the grounds that doing so could expose them to criminal prosecution.

I mean.. holy crap. It's worth reading that again just to understand what some lawyers are prepared to sink to. Their mothers must be very proud of them.


Sendspace spam / imbrigilia.ru

This fake Sendspace spam leads to malware on imbrigilia.ru:

Date:      Tue, 2 Apr 2013 03:57:26 +0000
From:      "JOSIE HARMON" [HARMON_JOSIE@hotmail.com]
Subject:      You have been sent a file (Filename: [redacted]-7191.pdf)

Sendspace File Delivery Notification:

You've got a file called [redacted]-463168.pdf, (172.5 KB) waiting to be downloaded at sendspace.(It was sent by JOSIE HARMON).



You can use the following link to retrieve your file:



Download Link



The file may be available for a limited time only.



Thank you,

sendspace - The best free file sharing service.

----------------------------------------------------------------------

Please do not reply to this email. This auto-mailbox is not monitored and you will not receive a response.

The malicious payload is at [donotclick]imbrigilia.ru:8080/forum/links/column.php (report here) hosted on the same IPs used in this attack:
80.246.62.143 (Alfahosting GmbH, Germany)
94.103.45.34 (ANKARAHOSTING, Turkey)

Blocklist:

"End of Aug. Statement Required" spam / ivanovoposel.ru

This spam leads to malware on ivanovoposel.ru:

From: messages-noreply@bounce.linkedin.com [mailto:messages-noreply@bounce.linkedin.com] On Behalf Of LinkedIn
Sent: 02 April 2013 10:15
Subject: Re: FW: End of Aug. Statement Reqiured

Hallo,
as reqeusted I give you inovices issued to you per jan. (Microsoft Internet Explorer).

Regards
SHONTA SCHMITT
Alternate names:
NORIKO Richmond
Raiden MORRISON

Attachments:
Invoice_U13726798.htm
Invoice_U453718.htm
Invoice_U913687.htm

The attachment leads to malware on [donotclick]ivanovoposel.ru:8080/forum/links/column.php (report here) hosted on:
80.246.62.143 (Alfahosting GmbH, Germany)
94.103.45.34 (ANKARAHOSTING, Turkey)

Blocklist:

"Russian Hackers" spam / kidala.info / hack-sell.su

These spam messages appear to be promoting the underground websites kidala.info and hack-sell.su, both of which appear to be engaged in hacking, crimeware and fraud. But is there something else going on here?

Date:      Tue, 2 Apr 2013 18:07:48 +0700 [07:07:48 EDT]
Subject:      Russian hackers has you neo!

Russian hackers has you neo!
kidala dot info
or this kidala.info

==========================

Date:      Tue, 2 Apr 2013 17:17:29 +0700 [06:17:29 EDT]
Subject:      Russian hackers has you neo!

Need buy some shells?
http://kidala.info

==========================

Date:      Tue, 2 Apr 2013 16:27:24 +0700 [05:27:24 EDT]
Subject:      Russian hackers has anything you need.

World Best hack conference hereurl here: kidala.info

==========================

Date:      Tue, 2 Apr 2013 12:30:09 +0530 [03:00:09 EDT]
Subject:      World Interesting hack site here

Hi Manurl here: http://hack-sell.su

==========================

Date:      Tue, 2 Apr 2013 02:58:24 +0200 [04/01/13 20:58:24 EDT]
Subject:      Russian hackers mafia OWNS YOU!

Russian mafia has you...
hack-sell.su
or this hack-sell dot su

==========================

Subject:      Russian bad boys forum here, come join!

World baddest hackers join us hereurl here: hack-sell .su

==========================

Date:      Mon, 1 Apr 2013 16:01:59 -0400 [04/01/13 16:01:59 EDT]
Subject:      Russian hackers has anything you need.

Prime hack portal here!
hack-sell dot su
or this hack-sell dot su 

(Note that the emails may appear to be "from" your own account or someone in your own organisation. Don't worry, you have not been hacked.. forging an email address is trivially easy, as described here.)

But there's something unusual because these spams are being sent repeatedly to SpamCop.net email addresses, and I haven't seen them anywhere else. So why send spam emails to people who are very likely to file an abuse complaint.. unless you want the recipient to file an abuse complaint, that is.

This sort of attack pattern looks like a Joe Job, perhaps from a rival to these two underground forums. Targeting addresses that will likely file a complaint is a sort of reverse listwashing, and the pattern of repeated emails to the same address is also a Joe Job characteristic. And the thing about underground forums.. well, they don't tend to spam at all because they like to remain under the radar.

The sites don't appear to be hosting malware, so if you've accidentally clicked through then you are probably OK, although both sites look like they are down at the moment. There may well be more Joe Jobs after this one though, so don't be surprised if more rubbish floods your inbox.

Update: these subject lines are in use at the moment..
Best crack phorum so far!
Best hack conference so far!
Need buy some abuseimmune servers?
Need buy some injects?
Need buy some loads?
Need buy some socks?
Need buy some traffic?
Russian bad boys forum here, come join!
Russian hackers has anything you need.
Russian hackers has you neo!
Russian mafia has you...
Russian hackers mafia OWNS YOU!
Superior crack site so far!
World baddest hackers join us here
World Best hack website here
World Superior hack conference here

Friday, 29 March 2013

"Please respond - overdue payment" spam / INVOICE_28781731.zip

This spam comes with a malware-laden attachment called INVOICE_28781731.zip:

Date:      Fri, 29 Mar 2013 10:33:53 -0600 [12:33:53 EDT]
From:      Victor_Lindsey@key.com
Subject:      Please respond - overdue payment

Please find attached your invoices for the past months. Remit the payment by 02/04/2013
as outlines under our "Payment Terms" agreement.

Thank you for your business,

Sincerely,
Victor Lindsey

This e-mail has been sent from an automated system.  PLEASE DO NOT REPLY.

The information contained in this message may be privileged, confidential and protected
from disclosure. If the reader of this message is not the intended recipient, or an
employee or agent responsible for delivering this message to the intended recipient, you
are hereby notified that any dissemination, distribution or copying of this communication
is strictly prohibited. If you have received this communication in error, please notify
your representative immediately and delete this message from your computer. Thank you. 

Unzipping the attachment gives a malware file called INVOICE_28781731.exe with an icon to look like a PDF file. VirusTotal detections are 16/46 and are mostly pretty generic. Comodo CAMAS reports a callback to topcancernews.com hosted on 199.19.212.149 (Vexxhost, Canada) which is also being used in this malware attack. Looking for that IP in your logs might show if any of your clients.

Thursday, 28 March 2013

ADP Spam / ipiniadto.ru

This fake ADP spam leads to malware on ipiniadto.ru:

Date:      Thu, 28 Mar 2013 04:22:48 +0600 [03/27/13 18:22:48 EDT]
From:      Bebo Service [service@noreply.bebo.com]
Subject:      ADP Immediate Notification

ADP Immediate Notification
Reference #: 120327398

Thu, 28 Mar 2013 04:22:48 +0600
Dear ADP Client

Your Transfer Record(s) have been created at the web site:

https://www.flexdirect.adp.com/client/login.aspx

Please see the following notes:

    Please note that your bank account will be debited within one banking business day for the amount(s) shown on the report(s).
    Please do not respond or reply to this automated e-mail. If you have any questions or comments, please Contact your ADP Benefits Specialist.


This note was sent to acting users in your system that approach ADP Netsecure.

As usual, thank you for choosing ADP as your business affiliate!

Ref: 975316004
HR. Payroll. Benefits.

The ADP logo and ADP are registered trademarks of ADP, Inc.
In the business of your success is a service mark of ADP, Inc.
© 2013 ADP, Inc. All rights reserved.
The malicious landing page and recommended blocklist are the same as for this parallel attack also running today.

Facebook spam / ipiniadto.ru

The email address says Filestube. The message says Facebook. This can't be good.. and in fact this message just leads to malware on ipiniadto.ru:

Date:      Thu, 28 Mar 2013 04:58:33 +0600 [03/27/13 18:58:33 EDT]
From:      FilesTube [filestube@filestube.com]
Subject:      You have notifications pending

facebook
Hi,
Here's some activity you may have missed on Facebook.
BERTIE Goldstein has posted statuses, photos and more on Facebook.
Go To Facebook
   
See All Notifications
This message was sent to [redacted]. If you don't want to receive these emails from Facebook in the future or have your email address used for friend suggestions, please click: unsubscribe.
Facebook, Inc. Attention: Department 415 P.O Box 10005 Palo Alto CA 94303 
The malicious payload is at [donotclick]ipiniadto.ru:8080/forum/links/column.php (report here) hosted on the same IPs as used in this attack:

66.249.23.64 (Endurance International Group, US)
69.46.253.241 (RapidDSL & Wireless, US)
140.114.75.84 (TANET, Taiwan)

Blocklist:


Changelog spam / Changelog_Urgent_N992.doc.exe

This fake "changelog" spam has a malicious attachment Changelog.zip which in turn contains a malware file named Changelog_Urgent_N992.doc.exe.

From:      Logistics Express [admin@ups.com]
Subject:      Re: Changelog 2011 update

Hi,
as promised changelog,

Michaud Abran 

VirusTotal detects the payload as Cridex. The malware is resistant to automated analysis tools, but Comodo CAMAS reports the creation of a file C:\Documents and Settings\User\Application Data\KB00085031.exe which is pretty distinctive.

If your email filter supports it, I strongly recommend that you configure it to block EXE-in-ZIP files as they are malicious in the vast majority of cases.
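
The EXE-in-ZIP check recommended here and in the "Bill Me Later" post above, as an added example (not code from the original post or from any mail filter product): a ZIP attachment is flagged when a member has an executable final extension (so a double extension such as Changelog_Urgent_N992.doc.exe still counts as .exe), carries the "MZ" executable magic under a harmless-looking name, or is password-protected and cannot be inspected. The archives are built in memory and the member names mirror those quoted in the posts.

```python
"""Added example, not from the original post: flag mail attachments that are
ZIP archives carrying a Windows executable, the EXE-in-ZIP pattern the post
recommends blocking at the perimeter. A member is flagged on its final
extension (so Changelog_Urgent_N992.doc.exe counts as .exe), on the "MZ"
magic (a renamed executable is still caught), or because it is encrypted
and cannot be inspected. Archives are built in memory here; the member
names mirror those quoted in the post."""
import io
import zipfile
from typing import Dict, List

# Extensions Windows runs directly; only the last suffix matters.
EXEC_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}

# Constructed stand-in for a PE file: DOS "MZ" magic followed by padding.
# Only the first two bytes are inspected, so no real PE structure is needed.
FAKE_PE = b"MZ" + b"\x90" * 62


def find_executables(zip_bytes: bytes) -> List[str]:
    """Return one reason string per suspicious member:
       name:<member>      - executable extension
       magic:<member>     - MZ header under a non-executable name
       encrypted:<member> - cannot be inspected; treat as suspicious
    An empty list means the archive looks clean. Raises zipfile.BadZipFile
    if the bytes are not a ZIP at all."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            base = name.rsplit("/", 1)[-1]          # ignore directory part
            last_ext = ("." + base.rsplit(".", 1)[-1].lower()) if "." in base else ""
            if last_ext in EXEC_EXTENSIONS:
                findings.append("name:" + name)
                continue
            try:
                with zf.open(info) as fh:
                    head = fh.read(2)             # enough for the MZ magic
            except RuntimeError:                  # password-protected member
                findings.append("encrypted:" + name)
                continue
            if head == b"MZ":
                findings.append("magic:" + name)
    return findings


def should_block(zip_bytes: bytes) -> bool:
    """Perimeter decision: drop the attachment if anything was flagged."""
    return bool(find_executables(zip_bytes))


def build_zip(members: Dict[str, bytes]) -> bytes:
    """Build an in-memory ZIP from {member name: content} for the samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample attachments. The first two use the file names quoted in
# the posts; "renamed.zip" mimics an executable hiding under a PDF name.
SAMPLES = {
    "Changelog.zip": build_zip({"Changelog_Urgent_N992.doc.exe": FAKE_PE}),
    "PP_BillMeLater_Receipe04032013_4283422.zip": build_zip(
        {"PP_BillMeLater_Receipe_04032013.exe": FAKE_PE}),
    "renamed.zip": build_zip({"Invoice.pdf": FAKE_PE}),
    "clean.zip": build_zip({"invoice.pdf": b"%PDF-1.4 (constructed)",
                            "notes.txt": b"nothing to see here"}),
}

if __name__ == "__main__":
    for filename, data in SAMPLES.items():
        verdict = "BLOCK" if should_block(data) else "allow"
        print(f"{filename}: {verdict} {find_executables(data)}")
```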

"Scan from a Xerox W. Pro" spam / ilianorkin.ru

This fake printer spam leads to malware on ilianorkin.ru:

From: officejet@[victimdomain]
Sent: 27 March 2013 08:35
Subject: Fwd: Fwd: Scan from a Xerox W. Pro #589307

A Document was sent to you using a XEROX WorkJet PRO 481864299.

SENT BY : Omar
IMAGES : 9
FORMAT (.JPEG) DOWNLOAD
The malicious payload is at [donotclick]ilianorkin.ru:8080/forum/links/column.php (report here) hosted on:

66.249.23.64 (Endurance International Group, US)
69.46.253.241 (RapidDSL & Wireless, US)
140.114.75.84 (TANET, Taiwan)

Blocklist:

Wednesday, 27 March 2013

NACHA spam / mgithessia.biz

This fake NACHA spam leads to malware on mgithessia.biz:

From: "Олег.Тихонов@direct.nacha.org" [mailto:universe87@mmsrealestate.com]
Sent: 27 March 2013 03:25
Subject: Disallowed Direct Deposit payment
Importance: High

To whom it may concern:

We would like to inform you, that your latest Direct Deposit via ACH transaction (Int. No.989391803448) was cancelled,because your business software package was out of date. The details regarding this matter are available in our secure section::

Click here for more information

Please consult with your financial institution to obtain the updated version of the software.

Kind regards,

ACH Network Rules Department
NACHA - The Electronic Payments Association


11329 Sunrise Valley Drive, Suite 865
Herndon, VA 20172
Phone: 703-561-1927 Fax: 703-787-1894
The malicious payload is at [donotclick]mgithessia.biz/closest/repeating-director_concerns.php. I am having difficulty resolving that domain, but it appears to be on 46.4.150.118 (Hetzner, Germany) and the payload looks something like this.

DNS services are provided by justintvfreefall.org which is also probably malicious. Nameservers are on 5.187.4.53 (Fornex Hosting, Germany) and 5.187.4.58 (the same).

Recommended blocklist:
46.4.150.118
5.187.4.53
5.187.4.58
mgithessia.biz
justintvfreefall.org