Sponsored by..

Wednesday, 12 June 2013

BBB Spam / trleaart.net

This fake BBB spam with a "PLAINT REPORT" (sic) leads to malware on trleaart.net:

From: Better Business Bureau [mailto:rivuletsjb72@bbbemail.org]
Sent: 11 June 2013 18:04

Subject: Better Business Beareau Complaint ¹ S3452568
Importance: High

Sorry, your e-mail does not support HTML format. Your messages can be viewed in your browser

Better Business Bureau ©
Start With Trust
Tue , 11 Jun 2013
Issue N. S3452568
The Better Business Bureau has been booked the above said claim letter from one of your customers in respect of their dealings with you. The detailed description of the consumer's trouble are available visiting a link below. Please pay attention to this matter and inform us about your mind as soon as possible.
We amiably ask you to open the PLAINT REPORT to answer on this claim.
We awaits to your prompt response.
Faithfully yours
Daniel Cox
Dispute Advisor
Better Business Bureau
________________________________________
________________________________________
Better Business Bureau
3083   Wilson Blvd, Suite 600   Arlington, VA 25301
Phone: 1 (703) 276.0100  Fax: 1 (703) 525.8277
  
This information was delivered to [redacted]. Don't want to receive these emails anymore? You can unsubscribe

The link goes through a legitimate hacked site and end up with a malware landing page on [donotclick]trleaart.net/news/members_guarantee.php (report here) hosted on the following IPs:


160.75.169.49 (Istanbul Technical University, Turkey)
186.215.126.52 (Global Village Telecom, Brazil)
190.93.23.10 (Greendot, Trinidad and Tobago)
193.254.231.51 (Universitatea Transilvania Brasov, Romania)

This network of evil sites is rather large and I haven't had the time to look at it closely, but in the meantime here is a partial blocklist:
160.75.169.49
186.215.126.52
190.93.23.10
193.254.231.51
abacs.pl
balckanweb.com
biati.net
buyparrots.net
condalinarad72234652.ru
condalinneuwu5.ru
condalinra2735.ru
condalnuas34637.ru
condalnuashyochetto.ru
cunitarsiksepj.ru
ehchernomorskihu.ru
eheranskietpj.ru
ehnutidalvchedu.ru
ejoingrespubldpl.ru
enway.pl
ergopets.com
federal-credit-union.com
freemart.pl
genown.ru
ghroumingoviede.ru
giwmmasnieuhe.ru
gnunirotniviepj.ru
gondatskenbiehu.ru
gstoryofmygame.ru
haicut.com
icensol.net
janefgort.net
jetaqua.com
kirki.pl
klosotro9.net
ludena.ru
mantuma.pl
mortolkr4.com
myhispress.com
nipiel.com
onlinedatingblueprint.net
oydahrenlitutskazata.ru
ozonatorz.com
pleak.pl
pnpnews.net
relectsdispla.net
safe-browser.biz
safe-time.net
smartsecurityapp2013.com
sngroup.pl
televisionhunter.com
trleaart.net
twintrade.net
usforclosedhomes.net

Tuesday, 11 June 2013

Amazon.com spam / goldcoinvault.com

This fake Amazon.com spam leads to malware on goldcoinvault.com:

Date:      Tue, 11 Jun 2013 14:25:21 -0600 [16:25:21 EDT]
From:      "Amazon.com Customer Care Service" [payments-update@amazon.com]
Subject:      Payment for Your Amazon Order # 104-884-8180383

Regarding Your Amazon.com Order

Order Placed: June 11, 2013
Amazon.com order number: 104-884-8180383
Order Total: $2761.86

Sony VAIO E Series SVE11135CXW 11.6-Inch Laptop (White)

Sony KDL50EX645 50-Inch 1080p 120HZ Internet Slim LED HDTV (Black)

Sony DSC-H200 Digital Camera with 3-Inch LCD (Black)



Payment Problem
We're writing to let you know that we are having difficulty processing your payment for the above 
transaction.  To protect your security and privacy, your issuing bank cannot provide us with 
information regarding why your credit card was declined. 

However, we suggest that you double-check the billing address, expiration date and cardholder name 
that you entered; if entered incorrectly these will sometimes cause a card to decline. There is no 
need to place a new order as we  will automatically  try your credit card again.

There are a few steps you can take to make the process faster:  

1. Verify the payment information for this order is correct (expiration date, billing address, etc). 
You can update your account and billing information at : 

https://www.amazon.com/gp/css/summary/edit.html?ie=UTF8&orderID=104-884-8180383 
 
2. Contact your issuing bank using the number on the back of your card to learn more about their 
policies. Some issuers put restrictions on using credit cards for electronic or internet 
purchases.  Please have the exact dollar amount and details of this purchase when you call the 
bank.  If paying by credit card is not an option, buy Amazon.com Gift Card claim codes with cash 
from authorized resellers at a store near you. Visit www.amazon.com/cashgcresellers to learn 
more.  

Thank you for shopping at Amazon.com.  Sincerely, Amazon.com Customer Service 
http://www.amazon.com  

Please note: This e-mail was sent from a notification-only address that cannot accept incoming
 e-mail. Please do not reply to this message..
To view more details click Order Summary.
Please note: This is not a VAT invoice.

Conditions of Use | Privacy Notice 1996-2013, Amazon.com, Inc. or its affiliates

The link in the email goes through a legitimate hacked site to an intermediate page with the following redirectors:
[donotclick]ftp.blacktiedjent.com/mechanic/vaccinated.js
[donotclick]piratescoveoysterbar.com/piggybacks/rejoiced.js
[donotclick]nteshop.es/tsingtao/flanneling.js

..from there it hits the main malware payload site at [donotclick]goldcoinvault.com/news/pictures_hints_causes.php (report here) hosted on goldcoinvault.com which is a hacked GoDaddy domain hijacked to point at 173.255.213.171 (Linode, US). This same server is very active and has been spotted here and here, also using hacked GoDaddy domains, but right at the moment the malware page appears to be 403ing which is good.

These following domains appear to be pointing to that server:
ccrtl.com
chrisandannwedding.com
chriscarlson.com
eaglebay5.com
eaglebay-eb5.com
freepokermoney.com
goldcoinvault.com
gosuccessmode.com
hraforbiz.com
margueritemcenery.com
mceneryfinancial.com
megmcenery.com
page10development.com
shrinerapparel.com
shrinersapparel.com
shrinersapparel.net
supportquilting.com
taxfreeincomenow.com
taxfreeincomenow.info
taxfreeincomenow.net
taxfreeincomenow.org
tmgfinancial.org
tmginsurance.org
uniformexpert.com
uniformexperts.com
uniformoutfitter.net
uniformoutfitters.net
wcaband.org





Something evil on 173.255.213.171

As a follow-up to this post, the exploit server on 173.255.213.171 (Linode, US) is hosting a number of hijacked GoDaddy-registered domains that are serving an exploit kit [1] [2]. If you are unable to block 173.255.213.171 then I would recommend the following blocklist:

ccrtl.com
eaglebay5.com
eaglebay-eb5.com
gosuccessmode.com
hraforbiz.com
margueritemcenery.com
mceneryfinancial.com
megmcenery.com
shrinerapparel.com
shrinersapparel.com
shrinersapparel.net
supportquilting.com
taxfreeincomenow.com
taxfreeincomenow.info
taxfreeincomenow.net
taxfreeincomenow.org
tmgfinancial.org
tmginsurance.org
uniformexpert.com
uniformexperts.com
uniformoutfitter.net
uniformoutfitters.net
wcaband.org

Monday, 10 June 2013

Wells Fargo spam / Important WellsFargo Doc.exe / Important WellsFargo Docs.exe

This fake Wells Fargo spam run comes with one of two malicious attachments:

Date:      Mon, 10 Jun 2013 13:00:13 -0500 [14:00:13 EDT]
From:           Anthony_Starr@wellsfargo.com
Subject:      IMPORTANT - WellsFargo

Please check attached documents.

Anthony_Starr
Wells Fargo Advisors
817-563-9816 office
817-368-5471 cell Anthony_Starr@wellsfargo.com

ATTENTION: THIS E-MAIL MAY BE AN ADVERTISEMENT OR SOLICITATION FOR PRODUCTS AND SERVICES.

To unsubscribe from marketing e-mails from:
·         An individual Wells Fargo Advisors financial advisor: Reply to one of his/her
e-mails and type “Unsubscribe” in the subject line.
·         Wells Fargo and its affiliates: Unsubscribe at
www.wellsfargoadvisors.com/unsubscribe. Neither of these actions will affect delivery of
important service messages regarding your accounts that we may need to send you or
preferences you may have previously set for other e-mail services.

For additional information regarding our electronic communication policies, visit
http://wellsfargoadvisors.com/disclosures/email-disclosure.html .

Investments in securities and insurance products are:
NOT FDIC-INSURED/NO BANK-GUARANTEES/MAY LOSE VALUE

Wells Fargo Advisors, LLC is a nonbank affiliate of Wells Fargo & Company, Member
FINRA/SIPC. 1 North Jefferson, St. Louis, MO 63103


CONFIDENTIAL NOTICE: The contents of this message, including any attachments, are
confidential and are intended solely for the use of the person or entity to whom the
message was addressed. If you are not the intended recipient of this message, please be
advised that any dissemination, distribution, or use of the contents of this message is
strictly prohibited. If you received this message in error, please notify the sender.
Please also permanently delete all copies of the original message and any attached
documentation. Thank you.
There is a ZIP file attached to the email message, and the spammers have attempted to name the attachment after the recipient.. but because the spam has multiple recipients it may end up with a random name. Inside the ZIP file is an EXE file, and there appear to be two variants.

One is called Important WellsFargo Doc.exe and it has a pretty shocking VirusTotal detection rate of 0/47 (yup.. none at all). The Comodo CAMAS report gives the following checksums..

NameValue
Size94720
MD570e604777a66980bcc751dcb00eafee5
SHA152ef61b6296f21a3e14ae35320654ffe3f4e769d
SHA256f669768216872c626abc46e4dd2e0b1d783ba5927166282922c16d6db3b8adae

..it identifies that this version of the malware attempts to download additional components from mceneryfinancial.com on 173.255.213.171 (specifically it is a pony downloader querying /ponyb/gate.php). More of this later. ThreatTrack has a more detailed report which also identifies callbacks to www.errezeta.biz and ftp.myfxpips.com. ThreatExpert has a slightly different report and further identifies megmcenery.com, taxfreeincomenow.com, taxfreeincomenow.info and 207.204.5.170 (Linode, US).

The second version has a similarly named files called Important WellsFargo Docs.exe (plural) with a higher VirusTotal detection rate of 11/46. Comodo CAMAS reports the following file characteristics..

NameValue
Size114176
MD547e739106c24fbf52ed3b8fd01dc3668
SHA1b85b4295d23c912f9446a81fd605576803a29e53
SHA2562d0d16d29ceca912d529533aa850f1e1539f4b509ea7cb89b8839f672afb418b

..in this case the pony download contacts hraforbiz.com (also on 173.255.213.171). Other analyses are pending.

Several of these malware domains are hosted on 173.255.213.171 (Linode, US) and we can assume that this server is compromised along with all the domains on it. 62.149.131.162 (Aruba, Italy) also seems to be compromised. 173.254.68.134 (Unified Layer, US) and 207.204.5.170 (Register.com, US) appear to be compromised in some way to. Of note is the fact that almost all of these domains appear to be legitimate but have been hacked in some way, I would expect them to be cleaned up at some point in the future.

Putting all these IPs and domains together gives a recommended blocklist:
173.254.68.134
173.255.213.171
207.204.5.170
62.149.131.162
911mx.com
aquaresi.it
arpa.sardegna.it
artisticlubsportincontro.it
babyfattoria.it
clipboom.it
comerioturismo.com
designedtextilesolutions.com
errezeta.biz
escortelegant.com
ftp.myfxpips.com
ganciocielo.com
gosuccessmode.com
gtti.it
hotelvillamaria.net
hraforbiz.com
itisrighi.fg.it
margueritemcenery.com
mceneryfinancial.com
megmcenery.com
pescareamessina.com
pizzotti.net
polisportivaairoldi.eu
salviamofirenze.it
shrinerapparel.com
shrinersapparel.com
shrinersapparel.net
sidmodena.it
stesrl.it
stivi.it
taxfreeincomenow.com
the-exhibitionist-journal.com
uniformexpert.com
uniformexperts.com
uniformoutfitter.net
uniformoutfitters.net

Friday, 7 June 2013

"PAYVE - Remit file" spam / CD0607213.389710762910.zip

This fake American Express Payment Network spam has a malicious attachment.

Date:      Fri, 7 Jun 2013 20:41:25 +0600 [10:41:25 EDT]
From:      "PAYVESUPPORT@AEXP.COM" [PAYVESUPPORT@AEXP.COM]
Subject:      PAYVE - Remit file

A payment(s) to your company has been processed through the American Express Payment
Network.
The remittance details for the payment(s) are attached (CD06072013.389710762910.zip).

   -   The remittance file contains invoice information passed by your buyer. Please
contact your buyer
       for additional information not available in the file.

   -   The funds associated with this payment will be deposited into your bank account
according to the
       terms of your American Express merchant agreement and may be combined with other
American Express deposits.
       For additional information about Deposits, Fees, or your American Express merchant
agreement:
       Contact American Express Merchant Services at 1-800-528-0265 Monday to Friday,
8:00 AM to 8:00 PM ET.    -  You can also view PAYVE payment and invoice level details
using My Merchant Account/Online Merchant Services.
      If you are not enrolled in My Merchant Account/OMS, you can do so at
www.americanexpress.com/mymerchantaccount
      or call us at 1-866-220-3581, Monday - Friday between 9:00 AM-7:30 PM ET, and we'll
be glad to help you.
      For quick and easy enrollment, please have your American Express Merchant Number,
bank account ABA (routing number)
      and DDA (account number) on hand.

This customer service e-mail was sent to you by American Express. You may receive
customer service e-mails even if you have unsubscribed from marketing e-mails from
American Express.

Copyright 2013 American Express Company. All rights reserved Contact Customer Service:
https://www.americanexpress.com/messagecenter

******************************************************************************
"This message and any attachments are solely for the intended recipient and may contain
confidential or privileged information. If you are not the intended recipient, any
disclosure, copying, use, or distribution of the information included in this message and
any attachments is prohibited. If you have received this communication in error, please
notify us by reply e-mail and immediately and permanently delete this message and any
attachments. Thank you."
******************************************************************************
Attached to the email is an archive file called CD0607213.389710762910.zip which in turn contains an executable named CD06072013.239871839.exe (note that the date is included in the filename). Virustotal reports that just 8/46 anti-virus scanners detect it.

The Comodo CAMAS report gives some details about the malware, including the following checksums:

MD5fd18576bd4cf1baa8178ff4a2bef0849
SHA18b8ba943393e52a3972c11603c3f1aa1fc053788
SHA256f31ca8a9d429e98160183267eea67dd3a6e592757e045b2c35bb33d5e27d6875

The malware attempts to download further components from storeyourbox.com on 97.107.137.239 (Linode, US) which looks like a legitimate server that has been badly compromised. The following domains appear to be on the server, I would advise that they are all dangerous at the moment:

drjoycethomasderm.com
goodvaluemove.com
jacksonmoving.com
jacksonmoving.net
napervillie-movers.com
reebie.net
storageandmoving.net
storeyourbox.com
storeyourbox.net
storeyourthings.net

Update: the ThreatExpert report took a long time to process, but is quit interesting. It shows DNS queries for:
storeyourbox.com
storeyourbox.net
storeyourthings.net
drjoycethomasderm.com
www.archeting.it
www.errezeta.biz
190.147.81.28
207.204.5.170

The following URLs are accessed:
[donotclick]www.archeting.it/86zP.exe
[donotclick]www.errezeta.biz/ToSN79T.exe
[donotclick]190.147.81.28/yqRSQ.exe
[donotclick]207.204.5.170/PXVYGJx.exe

archeting.it and errezeta.biz are hosted on IPs belonging to Aruba S.p.A. in Italy (62.149.132.57 and 62.149.131.162 respectively). I've long suspected that there's a serious problem with Aruba due to a very high incidence of malware sites. Those are shared hosting IPs and as far as I can tell the rest of the sites on those servers are clean.

190.147.81.28 and 207.204.5.170 (Telmex, Colombia and Register.com US) have been seen before and don't seem to be shared hosts. I would strongly recommend blocking them.



BBB spam / pnpnews.net

This fake BBB spam leads to malware on pnpnews.net:

From: Better Business Bureau [mailto:standoffzwk68@clients.bbb.com]
Sent: 07 June 2013 15:08
Subject: BBB information regarding your customer's pretension No. 00167486

Better Business Bureau ©
Start With Trust ©
Fri, 7 Jun 2013
RE: Complaint No. 00167486
[redacted]
The Better Business Bureau has been entered the above said grievance from one of your users in regard to their business relations with you. The information about the consumer's trouble are available visiting a link below. Please pay attention to this matter and notify us about your sight as soon as possible.
We kindly ask you to overview the CLAIM LETTER REPORT to meet on this claim.
We awaits to your prompt answer.
Faithfully yours
Jonathan Edwards
Dispute Advisor
Better Business Bureau
________________________________________
________________________________________
Better Business Bureau
3093  Wilson Blvd, Suite 600   Arlington, VA 29701
Phone: 1 (703) 276.0100  Fax: 1 (703) 525.8277
 
This letter was delivered to [redacted]. Don't want to receive these emails anymore? You can unsubscribe

The link in the email goes through a legitimate hacked site and then to a payload at [donotclick]pnpnews.net/news/readers-sections.php (report here) hosted on:

46.18.160.86 - Saudi Electronic Info Exchange Company (Tabadul) JSC
93.89.235.13 - FBS Bilisim Cozumleri, Cyprus
178.16.216.66 - Gabrielson Invest AB, Sweden
186.215.126.52 - Global Village Telecom, Brazil
190.93.23.10 - Greendot, Trinidad and Tobago

Blocklist:
46.18.160.86
93.89.235.13
178.16.216.66
186.215.126.52
190.93.23.10
abacs.pl
balckanweb.com
biati.net
buyparrots.net
citysubway.net
condalnuashyochetto.ru
cunitarsiksepj.ru
eheranskietpj.ru
ejoingrespubldpl.ru
enway.pl
federal-credit-union.com
giwmmasnieuhe.ru
gnunirotniviepj.ru
gstoryofmygame.ru
icensol.net
janefgort.net
myhispress.com
onlinedatingblueprint.net
oydahrenlitutskazata.ru
ozonatorz.com
pnpnews.net
smartsecurityapp2013.com
sngroup.pl
twintrade.net
usforclosedhomes.net


Malware sites to block 7/6/13

Two IPs that look related, the first is 37.235.48.185 (Edis, Poland or Austria) which host some domains that are also found here (158.255.212.96 and 158.255.212.97, also Edis) that seem to be used in injection attacks. I can identify the following domains linked to 37.235.48.185:

faggyppvers5.info
finger2.climaoluhip.org
linkstoads.net
node1.hostingstatics.org
node2.hostingstatics.org

Injecting some of the same sites as the domains on the above IPs is jstoredirect.net which is currently offline but was hosted on 149.154.152.18 which is also Edis (can you see the pattern yet?) so I would assume that they are linked. In the few days that jstoredirect.net was online it managed to infect over 1500 sites.

Aggregate blocklist:
98.126.9.34
114.142.147.51
158.255.212.96
158.255.212.97
nethostingdb.com
netstoragehost.com
connecthostad.net
climaoluhip.org
hostingstatics.org
systemnetworkscripts.org
numstatus.com
linkstoads.net
faggyppvers5.info
jstoredirect.net

Thursday, 6 June 2013

USPS spam / USPS_Label_861337597092.zip

This fake USPS spam contains a malicious attachment:

Date:      Thu, 6 Jun 2013 10:43:56 -0500 [11:43:56 EDT]
From:      USPS Express Services [service-notification@usps.com]
Subject:      USPS - Your package is available for pickup ( Parcel 861337597092 )

Postal Notification,

We attempted to deliver your item at 6 Jun 2013.
Courier service could not make the delivery of your parcel.
Status Deny / Invalid ZIP Code.

If the package is not scheduled for redelivery or picked up within 48 hours, it will be returned to the sender.

Label/Receipt Number: 861337597092
Expected Delivery Date: Jun 6, 2013
Class: Package Services
Service(s): Delivery Confirmation
Status: eNotification sent

For mode details and shipping label please see the attached file.

Print this label to get this package at our post office.

Thank you,
© 2013 Copyright© 2013 USPS. All Rights Reserved.

*** This is an automatically generated email, please do not reply ***

CONFIDENTIALITY NOTICE:
This electronic mail transmission and any attached files contain information intended for the exclusive use of the individual or entity to whom it is addressed and may contain information belonging to the sender (USPS , Inc.) that is proprietary, privileged, confidential and/or protected from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any viewing, copying, disclosure or distributions of this electronic message are violations of federal law. Please notify the sender of any unintended recipients and delete the original message without making any copies.  Thank You
There is an attachment called USPS_Label_861337597092.zip which in turn contains a malicious executable file USPS_Label_06062013.exe (note the date is encoded into the filename). VirusTotal results for this are 18/47.

The Comodo CAMAS report shows an attempt to download more components from michaelscigarbar.net on 184.95.37.109 (Jolly Works Hosting, Philippines.. rented from Secured Servers in the US). URLquery shows a very large amount of malware activity on that IP, mostly apparently running on legitimate hacked domains. You should probably treat all of the following domains as hostile:
alliancelittleaviators.com
apparelacademy.com
apparelacademy.net
brokerforcolorado.com
carlaellisproperties.com
dragoncigars.net
heavenlycigars.net
libertychristianstore.com
michaelscigarbar.com
michaelscigarbar.net
michaelscigars.net
montverdestore.com
montverdestore.net
montverdestore.org

NatPay "Transmission Confirmation" spam / usforclosedhomes.net

This fake NatPay spam leads to malware on usforclosedhomes.net.

Version 1:
Date:      Thu, 6 Jun 2013 20:53:08 +0600 [10:53:08 EDT]
From:      National Payment Automated Reports System [dunks@services.natpaymail.net]
Subject:      Transmission Confirmation ~26306682~N25BHHL1~

Transmission Verification    
Contact Us
To:    
NPC Account # 26306682
Xavier Reed
   
Re:    
NPC Account # 26306682
D & - D5
Thursday, July 04, 2013, Independence Day is a Federal Banking Holiday. All banks are closed for this holiday, therefore NatPay will not be able to process any files on that date. If you plan on transmitting for a paydate that falls between Thursday, July 04, 2013 and Thursday, July 11, 2013 you will need to the file a day earlier.

Batch Number       408
Batch Description       VENDOR PAY
Number of Dollar Entries       2
Number of Prenotes       0
Total Deposit Amount       $3,848.19
Total Withdraw Amount      $3,848.19
Batch Confirmation Number      50983
   
Date Transmitted      Thursday, June 06, 2013
Date Processed       Thursday, June 06, 2013
Call Start Time       4:06 PM
Call End Time       4:07 PM
Funding Method       2 Day Funding
Cycle       AM
Effective
Entry Date

Transaction Type
   
Entry
Identification

Routing/Transit

Bank Account
Entry Amount
06/08/2013     Checking - Deposit     XXXXXXXX     XXXXXXXXX     XXXXXXXXXX     $3,848.19
06/06/2013     Checking - Withdraw     Offset Entry     XXXXXXXXX     XXXXXXXXXX     -$3,848.19
Totals     $0.00
Report reference ID # N25BHHL1     Created on Thursday, June 06, 2013
Have a question about this report?  Please click here to send us an email with your question.

Version 2:

Date:      Thu, 6 Jun 2013 09:59:06 -0500
From:      National Payment Automated Reports System [lemuel@emalsrv.natpaymail.com]
Subject:      Transmission Confirmation ~10968697~607MPYRC~

Transmission Verification    
Contact Us
To:    
NPC Account # 10968697
Benjamin Turner
   
Re:    
NPC Account # 10968697
D & - MN
Thursday, July 04, 2013, Independence Day is a Federal Banking Holiday. All banks are closed for this holiday, therefore NatPay will not be able to process any files on that date. If you plan on transmitting for a paydate that falls between Thursday, July 04, 2013 and Thursday, July 11, 2013 you will need to the file a day earlier.

Batch Number     219
Batch Description     VENDOR PAY
Number of Dollar Entries     2
Number of Prenotes     0
Total Deposit Amount     $2,549.12
Total Withdraw Amount     $2,549.12
Batch Confirmation Number     24035
   
Date Transmitted     Thursday, June 06, 2013
Date Processed     Thursday, June 06, 2013
Call Start Time     4:06 PM
Call End Time     4:07 PM
Funding Method     2 Day Funding
   
Cycle     AM
Effective

Entry Date

Transaction Type
   
Entry

Identification

Routing/Transit

Bank Account

Entry Amount
06/08/2013     Checking - Deposit     XXXXXXXX     XXXXXXXXX     XXXXXXXXXX     $2,549.12
06/06/2013     Checking - Withdraw     Offset Entry     XXXXXXXXX     XXXXXXXXXX     -$2,549.12
Totals     $0.00
Report reference ID # 607MPYRC     Created on Thursday, June 06, 2013
Have a question about this report? Please click here to send us an email with your question.

The malicious payload is on [donotclick]usforclosedhomes.net/news/walls_autumns-serial.php (report here) hosted on the following IPs:
41.89.6.179 (Kenya Education Network, Kenya)
46.18.160.86 (Saudi Electronic Info Exchange Company (Tabadul) JSC, Saudi Arabia)
93.89.235.13 (FBS Bilisim Cozumleri, Cyprus)
112.170.169.56 (Korea Telecom, South Korea)

The cluster of IPs and domains this belongs to identifies it as part of the Amerika spam run.

Blocklist:
41.89.6.179
46.18.160.86
93.89.235.13
112.170.169.56
abacs.pl
biati.net
buyparrots.net
citysubway.net
condalnuashyochetto.ru
cunitarsiksepj.ru
eheranskietpj.ru
ejoingrespubldpl.ru
enway.pl
federal-credit-union.com
gnunirotniviepj.ru
gstoryofmygame.ru
icensol.net
myhispress.com
onlinedatingblueprint.net
oydahrenlitutskazata.ru
ozonatorz.com
smartsecurityapp2013.com
sngroup.pl
twintrade.net
usforclosedhomes.net


Innex, Inc fake spam

Innex, Inc is a real company. This spam email message is not from Innex, Inc.

From:     PURCHASING DEPARTMENT [fdmelo@fucsalud.edu.co]
To:
Reply-To:     pinky.yu@chanqtjer.com.tw
Date:     6 June 2013 08:55
Subject:     Innex, Inc.


Sir/Madam,

Our Company is interested in your product, that we saw  in trading site,

Your early reply is very necessary for further detail specification immediately you receive our email.

Regards
Purchasing manager,
Mr James Vincent .

Innex, Inc.
325 Enterprise Place,
Pomona, CA 91768
United States.

Innex is based in California in the US, but the email appears to be from a university in Colombia and solicits replies to an email address in Taiwan. Note as well that the email is very vague about the "product" they are interested in, and the To: field is blank as the recipient list has been suppressed (i.e. it is being sent to multiple recipients). Avoid.

rxlogs.net: spam or Joe Job?

I've had nearly one hundred of these this morning. Is it a genuine spam run or a Joe Job?

Date:      Thu, 6 Jun 2013 09:44:18 -0700 [12:44:18 EDT]
From:      Admin [whisis101@gmail.com]
Reply-To:      ec2-abuse@amazon.com

facebook   
You recently requested a new password for your Facebook account. It looks like we sent you an email with a link to reset your password 4 ago.
This is a reminder that you need to complete this action by clicking this link and Confirm or Cancel your request.

If you have any other questions, please visit our Help Center.
Thanks,
The Facebook Team



The link in the emails goes to multiple pages on rxlogs.net which as far I as can tell is not malware, but is a blog about online pharmacies. But is is spam? Well, let's dig a little deeper..

Each email comes from a different IP, probably being sent by a botnet. That's pretty normal for pharma spam, but in this case there appear to be some anomalous addition headers..

The mildly munged headers from an example email are quite revealing. It appears that there are references to Amazon ECS (Amazon's cloud service) and a valid sender address of whisis101 -at- gmail.com injected into the headers, along with a load of other elements that you'd expect from botnet spam. The email has at no point hit either Gmail or Amazon, but the headers appear to have been faked in order to generate reports to Amazon and/or Gmail. It's worth noting that rxlogs.net is hosted on 107.20.147.122 which is an Amazon IP, so this is beginning to look like a Joe Job.
Received: from lsh410.van.ca.siteprotect.com (204.174.223.206)
  by [redacted] with SMTP; 6 Jun 2013 07:37:53 -0000
Date: Thu, 6 Jun 2013 00:37:53 -0700
To: [redacted]
From: Admin [whisis101 -at- gmail.com]
Return-Path: [bantstreetpottery -at- sctelco.net.au]
Reply-To: ec2-abuse -at- amazon.com
Subject: Reminder: Reset your password
Message-Id: [2cc3f11ac2ce3aa7d59d8682eee6df05@notify.amazon.com]
MIME-Version: 1.0
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: 7bit
So what do we know about the domain rxlogs.net? Well, the WHOIS details appear to be genuine and not hidden, I've redacted the most of the personal information but some of the key details are:

domain:       rxlogs.net
owner:        Stephen K. Walker
email:        whisis101 -at- gmail.com
address:      [redacted]
city:         [redacted]
postal-code:  [redacted]
country:      US
phone:        +7.[redacted]


The "From" address in the email matches the registration address in the WHOIS. Does that make it a genuine email? No, because no spammer is stupid enough to use their real email address in a spam run like this. Again, this smells like a Joe Job.

Another key indicator that this is a Joe Job is that all the dozens of emails have been sent to a spamcop.net email address, and there are far more emails that you would normally see for this type of spam run. This behaviour is typical for a Joe Job attack, the spammer pick the people who are most likely to complain and then hit them repeatedly to get try to get them to file a complaint with the victim's web host.

If you use Gmail, the email links back to a spare but apparently genuine Google+ profile, which links back to rxlogs.net. Which really leads to the next question.. what is rxlogs.net about?


rxlogs.net appears to be a genuine attempt to look at and rate online pharmacies using secondary sources to judge reliability and trustworthiness. The sites carries some paid advertising, but doesn't appear to deal with prescription medications directly, it looks like an affiliate site.

I'm not an expert in the US online pharmacy market, but I do know that you can check the legitimacy of online pharmacies with LegitScript but this is not without criticism.

My guess is that what has happened here is that Mr Walker has posted something on rxlogs.net which exposes a bogus pharma operation run by the same spammers sending out these emails. In other words, I believe this is a Joe Job and not a "genuine" spam run, and rxlogs.net is simply another victim of the bad guys.


Wednesday, 5 June 2013

More Champions Club Community spam

These grubby little spammers are at it again. Apparently Steve Jobs is dead. Who knew?

Anyway, the originating IP is 217.174.248.194 [web1-opp2.champions-bounce.co.uk] (Fasthosts, UK). Spamvertised domains are champions.onlineprintproofing.co.uk also on 217.174.248.194 and championsclubcommunity.com on 109.203.113.124 (Eukhost, UK). Give these spammers a wide berth.

From:     The Editor - Champions Club Community
Reply-To:     contactus2@championsclubcommunity.com
Date:     5 June 2013 05:45
Subject:     CCC LIFE : This Month - Steve Jobs In Focus

Hello and a very warm welcome to the latest newsletter from Champions Club Community!

This month we have an eclectic mix of articles, hopefully with something for everybody.

Here are a few of the headline articles, with links directly to our site:

    Steve Jobs, often described as a visionary during his life, there has been much speculation about the significance of his last words… http://championsclubcommunity.com/rip-steve-jobs/

    His Royal Highness The Prince of Wales, Patron of Samaritans, hosted a reception for distinguished guests and volunteers to launch the celebrations marking 60 years since the charity received its first call in November 1953. http://championsclubcommunity.com/samaritans-start-60th-celebrations/

    A question was posed to the Dalai Lama - “WHAT IS the thing about humanity that surprises you the most?” His answer:  “Man… sacrifices his health to make money. Then he sacrifices his money to try to gain back his health.” http://championsclubcommunity.com/a-question-was-posed-to-dalai-lama-provided-by-guy-insull/

    Pope Francis I. He is opposed to gay marriage, regards the Falklands Islands as being usurped by the UK, and it is not believed that he will allow priests to marry: controversial or merely traditionalist? http://championsclubcommunity.com/pope-francis-1-a-new-hope-for-the-world-by-dianna-moylan/

    “The spirit of good business is the excellence of the connection between purchaser and supplier.” John Meredith examines “The 8th Habit” in which Stephen Covey says that a tactical plan begins with the customer…  http://championsclubcommunity.com/execution-of-the-strategic-plan-by-john-meredith/

As always, there is a whole lot more inside the magazine.  Enjoy the read and do join in if you have a story to tell that will inspire others to Make A Difference! (Go MAD!!).

Kind regards,

The Editor, Champions Club Community


Please note: if you no longer wish to receive these newsletter communications from us you can unsubscribe from our mailing list by using the "unsubscribe" link at the bottom of this email. Thank you.

Monday, 3 June 2013

"Fiserv Secure Email Notification" spam with an encrypted, malicious ZIP attachment

This spam email contains an encrypted ZIP file with password-protected malware.

Date:      Mon, 3 Jun 2013 14:11:14 -0500 [15:11:14 EDT]
From:      Fiserv Secure Notification [secure.notification@fiserv.com]
Subject:      Fiserv Secure Email Notification - IZCO4O4VUHV83W1

You have received a secure message

Read your secure message by opening the attachment, SecureMessage_IZCO4O4VUHV83W1.zip.

The attached file contains the encrypted message that you have received.

To decrypt the message use the following password -  Iu1JsoKaQ

To read the encrypted message, complete the following steps:

 -  Double-click the encrypted message file attachment to download the file to your computer.
 -  Select whether to open the file or save it to your hard drive. Opening the file displays the attachment in a new browser window.
 -  The message is password-protected, enter your password to open it.

To access from a mobile device, forward this message to mobile@res.fiserv.com to receive a mobile login URL.

If you have concerns about the validity of this message, please contact the sender directly. For questions about secure e-mail encryption service, please contact technical support at 888.840.0668.

2000-2013 Fiserv Secure Systems, Inc. All rights reserved.

Of course, it would be supremely pointless password protecting a document and then including the password in the email! The file has been password protected in an attempt to thwart anti-virus software. In this case, the password for the file SecureMessage_IZCO4O4VUHV83W1.zip is Iu1JsoKaQ which in turn leads to a file called SecureMessage_06032013.exe (note the date in included in that filename).

At the moment the VirusTotal detection rate is a so-so 16/47. The ThreatTrack analysis identifies some locations that the malware phones home to:
netnet-viaggi.it
paulcblake.com
74.54.147.146
116.122.158.195
190.147.81.28
194.184.71.7
207.204.5.170


For the records, those IPs belong to:
74.54.147.146 (ThePlanet, US)
116.122.158.195 (Hanaro Telecom, Korea)
190.147.81.28 (Telmex, Colombia)
194.184.71.7 (Ouverture Service, Italy)
207.204.5.170 (Register.com, US)


Friday, 31 May 2013

Medfos sites to block 31/5/13

The following domains and IPs are currently being used as C&C servers by the Medfos family of trojans (this one in particular):

84.32.116.110
85.25.132.55
173.224.210.244
184.82.62.16
188.95.48.152
ehistats.su
emstats.su
ieguards.su
iestats.cc
inetprotections.su
iprotections.su
netprotections.cc
sysinfo.cc
sysinfonet.cc
westats.cc

The hosts involved are:
84.32.116.110 (LIX Solutions, Lithunia)
85.25.132.55 (Intergenia / PlusServer AG, Germany)
173.224.210.244 (Psychz Networks, US)
184.82.62.16 (HostNOC, US)
188.95.48.152 (Globab Layer, Netherlands)

The domains listed are used in conjunction with hundreds of subdomains. Blocking the main domain will be the best approach, else the ones that I have been able to determine are listed here.

Thursday, 30 May 2013

NewEgg.com spam / 174.140.171.233

This fake NewEgg.com spam leads to malware on 174.140.171.233:

Date:      Thu, 30 May 2013 16:06:12 +0000 [12:06:12 EDT]
From:      Newegg [info@newegg.com]
Subject:      Newegg.com - Payment  Charged

Newegg logo    
My Account     My Account |     Customer Services     Customer Services

Twitter     Twitter     You Tube     You Tube     Facebook     Facebook     Myspace     Myspace
click to browse e-Blast     click to browse Shell Shocker     click to browse Daily Deals
Computer Hardware     PCs & Laptops     Electronics     Home Theater     Cameras     Software     Gaming     Cell Phones     Home & Office     MarketPlace     Outlet     More

Customer ID: [redacted]
Account Number: 24577609
Dear Customer,

Thank you for shopping at Newegg.com.

We are happy to inform you that your order (Sales Order Number: 20781193) has been successfully charged to your�AMEX and order verification is now complete.

If you have any questions, please use our LiveChat function or visit our Contact Us Page.

Once You Know, You Newegg.

Your Newegg.com Customer Service Team


ONCE YOU KNOW, YOU NEWEGG. �
Policy and Agreement | Privacy Policy | Confidentiality Notice
Newegg.com, 9997 Rose Hills Road, Whittier, CA. 90601-1701 | � 2000-2013 Newegg Inc. All rights reserved.


The malicious payload is any one of a number of domains hosted on 174.140.171.233 which is also being used in this attack. Blocking the IP is the easiest way to protect against the malicious sites hosted on that server.

ADP spam / 4rentconnecticut.com and 174.140.171.233

These fake ADP spams lead to malware on 4rentconnecticut.com:

Date:      Thu, 30 May 2013 12:41:28 -0500 [13:41:28 EDT]
From:      "ADPClientServices@adp.com" [ADPClientServices@adp.com]
Subject:      ADP Funding Notification - Debit Draft

Your Transaction Report(s) have been uploaded to the web site:

https://www.flexdirect.adp.com/client/login.aspx

Please note that your bank account will be debited within one banking business day for the amount(s) shown on the report(s).

Please do not respond or reply to this automated e-mail. If you have any questions or comments, please Contact your ADP Benefits Specialist.

Thank You,

ADP Benefit Services

====================

Date:      Thu, 30 May 2013 08:45:16 -0800 [12:45:16 EDT]
From:      ADP Inc [ADP_FSA_Services@ADP.com]
Subject:      ADP Invoice Reminder

Your latest ADP Dealer Services Invoice is now available to view or pay online at ADP Online Invoice Management .

To protect the security of your data, you will need to enter your ID and password, then click on Access your Online Invoice Management account.

Total amount due by May 31, 2013

$26062.29

If you have already sent your payment please disregard this friendly reminder and Thank you for choosing ADP.

Questions about your bill?

Contact David Nieto by Secure Mail.

Note: This is an automated email. Please do not reply. 

The link in the email goes to a legitimate hacked site and then tries to load three different scripts, currently:

[donotclick]kalimat.egyta.com/swearer/titan.js
[donotclick]www.asitecsrl.com/servicemen/ethic.js
[donotclick]www.mbbd.it/dzerzhinsky/bewilders.js

From there the victim is directed to the main malware landing page at [donotclick]4rentconnecticut.com/news/cross_destroy-sets-separate.php on 174.140.171.233 (DirectSpace LLC, US). A look at URLquery shows many suspect URLs on this server and VirusTotal also reports several malicious URLs.

It appears that every single domain on this server has been compromsed. Blocking the IP address is the easiest way to mitigate against this problem, but these following domains such all be assumed to be legitimate ones that have been hijacked:

1stchoicehsr.com
4rentanaheim.com
4rentarkansas.com
4rentarlington.com
4rentatlanta.com
4rentaurora.com
4rentbakersfield.com
4rentbaltimore.com
4rentcincinnati.com
4rentcoloradosprings.com
4rentcolumbus.com
4rentconnecticut.com
60minutessexy.com
60secondssexy.com
9602iridium.com
9602sbd.com
aainj.com
askfelix.org
bestskateboard.net
billflemming.com
bondageunlimited.com
bonniemichaels.com
breastcaresupplements.com
bystrictinchallenge.com
celebritwee.com
centurysciences.com
chicagoledsource.com
chitownled.com
compsbook.com
connectionre.com
december2012thefacts.com
desiraephilips.com
deviousgirl.com
deviousmindclothing.com
extrememarriagemakeover.com
firstchoicehsr.com
freyandsonautomotive.co
gilestire.com
glorytogodtires.com
halfromerican.com
halfromerican.net
handiexpertcarcare.com
healthwellnessdeals.com
healthwellnessforum.com
hubbardsauto.net
infocarretera.com
internetmarketingmagicpill.com
investorrichessupport.com
investorwealthacademy.com
iridium9522bmodem.com
iridium9602manual.com
iridium9602price.com
iridium9602sbd.com
iridiumcore9523.com
irishhillstire.com
jasonholmesrealty.com
jjgilestire.com
juniorstire.com
kjinteriorsinc.com
ledillinois.com
linkbuildingbootcamp.com
manisteetire.net
manningstire.com
marinholmes.com
marshalltirecity.com
marysvillecarcare.com
metroimport-tires.com
midlandtireandauto.com
mobileincomeopportunities.com
mobiletextopportunity.com
mobiletextopportunity.net
moonstire.com
msqcconference.org
natestire.com
powersautomotiveshop.com
precisiontunetire.com
premierconstructiongeorgia.com
prideinproperty.com
recoverydepot.net
regaltire.com
richestmaninrelationships.com
rogerclinetire.net
setupmyautoresponder.com
sexymarriagecoaching.com
sexymarriageforum.com
sexymarriagemakeover.com
sexymarriagesecrets.com
sheltontire.com
sherrillfire.org
smokelogix.com
southlyontire.com
spindivas.com
spinpsycho.net
spinpsychoapparel.com
spinpsychoapparel.net
steelbuildingprices.com
stiftelsen-pcn.net
sunless-glow.com
sunnysautocare.com
tandmtire.com
tecumsehtire.com
thejoshbrown.com
thetireoutlet.com
thewealthexplosionsystem.com
tmartapes.com
tracysoldcastle.com
twistedbehavior.com
vulcantire.net
westautorepair.com
woodstireservice.com
yiseoer.com




Al Rowaad Advocates - scumbag, spammy lawyers

This scumbag law firm from the UAE advertises itself through spam.

From:     Professional Lawyers in the UAE [uaelawyers@gmx.com]
Reply-To:     uaelawyers@gmx.com
Date:     30 May 2013 18:52
Subject:     Al Rowaad Advocates - Monthly Newsletter - May 2013

Dear Sirs,

Please forgive our direct email which is intended to give a brief introduction to our law firm based in the United Arab Emirates.

Al Rowaad Advocates and Legal Consultancy is an astute, diverse firm of lawyers working for businesses and private clients, nationally and internationally. The firm is highly regarded, often recommended by other lawyers and is known for combining creative solutions with commercial pragmatism and a friendly, sensitive approach. The firm is also renowned for its integrity and experience in dealing with complex and varied legal issues. Al Rowaad has expertise in clinical negligence, corporate and commercial work, criminal litigation, dispute resolution, family law, employment, real estate and regulatory work.

Al Rowaad Advocates and Legal Consultancy is proud to introduce its monthly newsletter that will discuss topical issues in the legal profession. The newsletter will touch upon various areas of law in the UAE and analyse changes in complex legislative, governance and regulatory provisions.

If you wish to subscribe, please email us at uaelawyers@gmx.com.

Thank you,
Al Rowaad Advocates & Legal Consultancy
Tel.: +971 4 3254000
Fax: +971 4 358 9494

Integrity? Sending spam to an email address that you scraped off the web? I don't think so. The originating IP is 220.112.38.133 in China, presumably where they have outsourced their scummy marketing to.

Amazon.com 55 inch TV spam / ozonatorz.com

This earlier spam run about various brands of 55 inch TVs from Amazon has been updated and is now directing victims to a malware landing page on the domain ozonatorz.com:



From: auto-confirm@emlreq.amazon.com [mailto:bald4@customercare.amazon.com]
Sent: 29 May 2013 17:06
To: [redacted]
Subject: Amazon.com order of Akai NPK55KR9070 55-Inch

Amazon.com

Order Confirmation

[redacted]

Thank you for shopping with us. Wed like to let you know that Amazon has received your order, and is preparing it for shipment. Your estimated delivery date is below. If you would like to view the status of your order or make any changes to it, please visit Your Orders on Amazon.com.


Your estimated delivery date is:
Thursday, May 30, 2013 -
Friday, May 31, 2013
Your shipping speed:
Next Day Air
Your Orders
Your order was sent to:
Benjamin Phillips
2724 3rdCotton Avenue
Cohoes, CA 62229-6646
United States


Order Details

Order #175-7801666-2934626
Placed on Wensday, May 29, 2013

Facebook
Twitter
Pinterest
$979.98

Item Subtotal:
$979.98
Shipping & Handling:
$0.00

Total Before Tax:
$979.98
Estimated Tax:
$0.00


Order Total:
$979.98


To learn more about ordering, go to Ordering from Amazon.com.
If you want more information or need more assistance, go to Help.
Thank you for shopping with us.
Amazon.com
DVD
Books
Unless otherwise noted, items are sold by Amazon.com LLC and taxed if shipped to Kansas, North Dakota, New York, Kentucky or Washington. If your order contains one or more items from an Amazon.com partner it may be subject to state and local sales tax, depending on the state to which the item is being shipped. Learn more about tax and seller information.
This email was sent from a notification-only address that cannot accept incoming email. Please do not reply to this message.


The malicious payload is on [donotclick]ozonatorz.com/news/basic_dream-goods.php (report here) hosted on:
41.89.6.179 (Kenya Education Network, Kenya)
141.28.126.201 (Hochschule Furtwangen, Germany)
177.5.244.236 (Brasil Telecom, Brazil)
208.68.36.11 (Digital Ocean, US)

These IPs form part of a much larger network of malicious sites listed here, but if we concentrate of these IPs only we get the following blocklist:
41.89.6.179
141.28.126.201
177.5.244.236
208.68.36.11
aviachecki.ru
avtotracki.ru
balckanweb.com
biati.net
buyparrots.net
federal-credit-union.com
giwmmasnieuhe.ru
icensol.net
mydkarsy.com
nvufvwieg.com
ozonatorz.com
rusistema.ru
smartsecurityapp2013.com
techno5room.ru
testerpro5.ru
trackerpro5.ru
twintrade.net
zeouk-gt.com