Tuesday 2 July 2013
Never trust an ad network that uses anonymous WHOIS details. The domains below are all hosted on 108.161.189.161 (NetDNA, US) and all hide their registrant details. Those marked in yellow are flagged by Google for distributing malware; the links go to the Google Safebrowsing diagnostic page. Given the amount of adware on this server, I would recommend blocking it.
netloader.cc
cdnloader.com
gamesformore.com
load-net.com
loadasset.info
loadernet.info
secureasset.info
cdnload.net
starscontent.net
cdn-network.org
contentsolution.org
loadfree.org
loadshop.org
softcdn.org
software-net.org
Monday 1 July 2013
Pinterest spam / pinterest.com.reports0701.net
This fake Pinterest spam leads to malware on pinterest.com.reports0701.net:
Date: Mon, 1 Jul 2013 21:04:36 +0530
From: "Pinterest" [naughtinessw5@newsletters.pinterest.net]
To: [redacted]
Subject: Your password on Pinterest Successfully changed!
[redacted]
Yor password was reset. Request New Password.
See Password
Pinterest is a tool for collecting and organizing things you love.
This email was sent to [redacted].
Don't want activity notifications? Change your email preferences.
©2013 Pinterest, Inc. | All Rights Reserved
Privacy Policy | Terms and Conditions
The link goes through a legitimate hacked site and ends up on a malicious payload at [donotclick]pinterest.com.reports0701.net/news/pay-notices.php (report here and here) which contains an exploit kit. The malware is hosted on a subdomain of a main domain with fake WHOIS details (it belongs to the Amerika gang), which is a slightly new technique:
June Parker parker@mail.com
740-456-7887 fax: 740-456-7844
4427 Irving Road
New Boston OH 45663
us
The following IPs are in use:
77.240.118.69 (Acens Technologies, Spain)
89.248.161.148 (Ecatel, Netherlands)
208.81.165.252 (Gamewave Hongkong Holdings, US)
Recommended blocklist:
77.240.118.69
89.248.161.148
208.81.165.252
afabind.com
chinadollars.net
condalinneuwu5.ru
condalnua745746.ru
condalnuashyochetto.ru
ehnihjrkenpj.ru
ehnihujasebejav15.ru
ejoingrespubldpl.ru
gindonszkjchaijj.ru
gnanisienviwjunlp.ru
greli.net
gstoryofmygame.ru
meynerlandislaw.net
oydahrenlitutskazata.ru
patrihotel.net
pinterest.com.reports0701.net
reports0701.net
reveck.com
sartorilaw.net
sendkick.com
spanishafair.com
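The "Recommended blocklist" sections in these posts overlap heavily (77.240.118.69, sartorilaw.net and spanishafair.com turn up in several of them), and this post shows the gang putting the payload on a subdomain of a throwaway main domain. The script below is an added example (not part of the blog, and not a tool the author mentions) showing how I would merge such lists: it parses blocklist text in the same layout as the posts, separates IPs from hostnames, sorts IPs numerically, drops subdomains already covered by a listed parent (blocking reports0701.net also covers pinterest.com.reports0701.net), and emits a DNS response policy zone fragment. The two sample blocklists are constructed from a handful of entries above; the RPZ output assumes an IPv4-only list.

```python
import ipaddress
import re
from typing import Iterable, List, Set, Tuple

# Constructed samples: two "Recommended blocklist:" sections trimmed to a few
# entries each, in the layout the posts use. They overlap on purpose.
PINTEREST_POST = """Recommended blocklist:
77.240.118.69
89.248.161.148
208.81.165.252
pinterest.com.reports0701.net
reports0701.net
sartorilaw.net
"""

OFFICEWORLD_POST = """Recommended blocklist:
77.240.118.69
78.108.86.169
89.248.161.148
sartorilaw.net
spanishafair.com
"""

HOSTNAME_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,63}$")


def parse_blocklist(text: str) -> Tuple[Set[str], Set[str]]:
    """Split one post's blocklist into (ips, domains); headings and junk lines are skipped."""
    ips, domains = set(), set()
    for raw in text.splitlines():
        line = raw.strip().lower().rstrip(".")
        if not line or line.endswith(":"):
            continue
        try:
            ips.add(str(ipaddress.ip_address(line)))
            continue
        except ValueError:
            pass                      # not an IP, try it as a hostname
        if HOSTNAME_RE.match(line):
            domains.add(line)
    return ips, domains


def merge_blocklists(posts: Iterable[str]) -> Tuple[List[str], List[str]]:
    """Union of every post's entries; IPs are sorted numerically rather than as text."""
    all_ips, all_domains = set(), set()
    for post in posts:
        ips, domains = parse_blocklist(post)
        all_ips |= ips
        all_domains |= domains
    return sorted(all_ips, key=ipaddress.ip_address), sorted(all_domains)


def is_covered(host: str, blocked_domains: Iterable[str]) -> bool:
    """True if host equals a blocked domain or sits beneath one (match on a label boundary)."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in blocked_domains)


def minimize_domains(domains: Iterable[str]) -> List[str]:
    """Drop entries already covered by a shorter parent on the same list."""
    kept: List[str] = []
    for d in sorted(domains, key=lambda d: d.count(".")):   # parents before children
        if not is_covered(d, kept):
            kept.append(d)
    return sorted(kept)


def to_rpz(ips: Iterable[str], domains: Iterable[str]) -> str:
    """Response policy zone: NXDOMAIN for each name and its subdomains, and for
    answers pointing at a blocked IPv4 address (rpz-ip trigger: prefix.reversed-octets)."""
    lines = ["$TTL 300",
             "@ SOA localhost. root.localhost. 1 3600 900 86400 300",
             "@ NS localhost."]
    for d in domains:
        lines += [f"{d} CNAME .", f"*.{d} CNAME ."]
    for ip in ips:
        if ":" in ip:
            continue                  # IPv6 triggers need a different layout; skipped here
        rev = ".".join(reversed(ip.split(".")))
        lines.append(f"32.{rev}.rpz-ip CNAME .")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    ips, domains = merge_blocklists([PINTEREST_POST, OFFICEWORLD_POST])
    print(to_rpz(ips, minimize_domains(domains)))
```

The suffix match in `is_covered` is deliberately on a dot boundary, so `notsartorilaw.net` is not swept up by a `sartorilaw.net` entry; only real subdomains are.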
Adware sites to block 1/7/13
Never trust any sort of ad network that uses anonymous domains and hides all other identifying data. These seem to be doing the rounds at the moment, and some of them may be involved in injection attacks or adware installs. If you have had any of these domains turn up unexpectedly on your site then please leave a comment.. thanks!
cdnsrv.com
tracksrv.com
cdnloader.com
secure-content-delivery.com
mydatasrv.com
Domains all seem to be on parking IPs or Amazon AWS, so difficult to block by IP address.
Labels:
Adware
Friday 28 June 2013
jConnect spam / FAX_281_3927981981_283.zip
Date: Fri, 28 Jun 2013 09:41:52 -0500 [10:41:52 EDT]
From: jConnect [message@inbound.j2.com]
Subject: jConnect fax from "697-377-6967" - 28 page(s), Caller-ID: 697-377-6967
Fax Message[Caller-ID: 697-377-6967] You have received a 28 page(s) fax at 2012-12-17
02:13:41 EST.* The reference number for this fax is
lax3_did10-1019412300-0003832668-11.This message can be opened using your PDF reader. If
you have not already installed j2 Messenger, download it for
free:http://www.j2.com/downloadsPlease visit http://www.j2.com/help if you have any
questions regarding this message or your j2 service.Thank you for using jConnect!Home
Contact Login2011 j2 Global Communications, Inc. All rights reserved.jConnect is a
registered trademark of j2 Global Communications, Inc.This account is subject to the
terms listed in thejConnect Customer Agreement.
Both the email and the attachment are horribly mangled, and in this case don't contain their malicious payload (as with this spam run). But be careful if receiving an email of this type as the next time the spammers try it, it may well be more dangerous.
Labels:
EXE-in-ZIP,
Fail,
Spam
Thursday 27 June 2013
OfficeWorld.com spam / sartorilaw.net
This fake OfficeWorld spam leads to malware on sartorilaw.net:
Date: Thu, 27 Jun 2013 12:39:36 -0430 [13:09:36 EDT]
From: customerservice@emalsrv.officeworldmail.net
Subject: Confirmation notification for order 1265953
Thank you for choosing OfficeWorld.com - the world's biggest selection of business products!
Please review your order details below. If you have any questions, please Contact Us
Helpful Tips:
--------------------------------------------------------------------
- Please SAVE or PRINT this confirmation for your records.
- ORDER STATUS is available online! Login and click "My Orders" to obtain UPS tracking information, etc.
- If you skipped registration, or forgot your password, simply enter your Login ID (normally your full e-mail address) and click [ forgot password ] to access your account.
--------------------------------------------------------------------
Order: 1265953
Date: 6/27/2013
Ship To: My Default
Credit Card: MasterCard
Product Qty Price Unit Extended
--------------------------------------------------------------------
HEWCC392A 1 $9703.09 EA $15.15
AVE5366 1 $27.49 BX $27.49
SAF3081 2 $56.29 EA $112.58
Product Total: $9855.22
--------------------------------------------------------------------
Total: $9855.22
OfficeWorld.com values your business!
The link in the email goes through a legitimate hacked site and then on to [donotclick]sartorilaw.net/news/source_fishs.php (report here) hosted on the following IPs:
77.240.118.69 (Acens Technologies, Spain)
78.108.86.169 (Majordomo LLC, Russia)
89.248.161.148 (Ecatel, Netherlands)
108.177.140.2 (Nobis Technology Group, US)
Recommended blocklist:
77.240.118.69
78.108.86.169
89.248.161.148
108.177.140.2
afabind.com
chinadollars.net
condalnuashyochetto.ru
ejoingrespubldpl.ru
gindonszkjchaijj.ru
greli.net
gstoryofmygame.ru
meynerlandislaw.net
oydahrenlitutskazata.ru
reveck.com
sartorilaw.net
sendkick.com
spanishafair.com
Tuesday 25 June 2013
ADP spam / spanishafair.com
This fake ADP spam leads to malware on spanishafair.com:
Date: Tue, 25 Jun 2013 14:38:05 +0000 [10:38:05 EDT]
From: Run Do Not Reply [RunDoNotReply@ipn.adp.net]
Subject: Your Biweekly payroll is accepted
Yoyr payroll for check date 06/25/2013 is approved. Your payroll would be done at least 3 days before to your check date to ensure timely tax deposits and payroll delivery. If you offer direct deposit to your employees, this will also support pay down their money by the due date.
Client ID: [redacted]
View Details: Review
Important: Please be advised that calls to and from your payroll service team may be monitored or recorded.
Please do not reply to this message. auto informer system not configured to accept incoming messages.
The malicious payload is at [donotclick]spanishafair.com/news/possibility-redundant.php hosted on:
119.147.137.31 (China Telecom, China)
210.42.103.141 (Wuhan Urban Construction Institute, China)
203.80.17.155 (MYREN Cloud Infrastructure, Malaysia)
Related evil domains and IP addresses to block can be found here and here.
"Southwest Airlines Confirmation: KQR101" spam / meynerlandislaw.net
This fake Southwest Airlines spam leads to malware on meynerlandislaw.net:
from: Southwest Airlines [information@luv.southwest.com]
reply-to: Southwest Airlines [no-reply@emalsrv.southwestmail.com]
date: 25 June 2013 17:09
subject: Southwest Airlines Confirmation: KQR101
[redacted] 2013-06-25 JACEE3 INITIAL SLC WN PHX0.00T/TFF 0.00 END AY2.50$SLC1.50 1583018870396 2013-12-22 1394 2013-06-26 Depart SALT LAKE CITY IL (SLC) at 10:14 PM on Southwest Airlines Arrive in PAOLO ALTO MI (PHX) at 1:30 PM
You're all set for your travel!
Southwest Airlines
My Account | Review My Itinerary Online
Check In Online
|
Check Flight Status
|
Change Flight
|
Special Offers
|
Hotel Deals
|
Car Deals
Ready for lift-off!
Thank You Southwest for your travel! You'll find everything you need about your reservation below. Happy voyage!
Upcoming Journey: 06/26/13 - SLC - Phx Knight
The link goes through a legitimate hacked site and ends up on a malicious payload at [donotclick]meynerlandislaw.net/news/possibility-redundant.php (report here) hosted on the following IPs:
119.147.137.31 (China Telecom, China)
203.80.17.155 (MYREN, Malaysia)
Recommended blocklist:
119.147.137.31
203.80.17.155
addressadatal.net
afabind.com
appasnappingf.com
avastsurveyor.com
cardpalooza.su
chinadollars.net
condalnuashyochetto.ru
doggedlegitim.net
dollsinterfer.net
dulethcentury.net
ehnihjrkenpj.ru
ejoingrespubldpl.ru
estimateddeta.com
genown.ru
gindonszkjchaijj.ru
greli.net
gstoryofmygame.ru
gurieojgndieoj.ru
headbuttingfo.net
historuronded.com
ingrestrained.com
inutesnetworks.su
invisibilitym.net
joinproportio.com
libulionstreet.su
ludena.ru
mantrapura.net
meticulousmus.net
meynerlandislaw.net
multipliedfor.com
oydahrenlitutskazata.ru
photosuitechos.su
relectsdispla.net
reportingglan.com
reveck.com
sendkick.com
shopkeepersne.net
spanishafair.com
stilos.pl
streetgreenlj.com
unabox.pl
voippromotion.su
winne2000.net
zoneagainstre.com
Monday 24 June 2013
Something evil on 173.246.104.154
173.246.104.154 (Gandi, US) is hosting hacked GoDaddy domains serving a variety of malware [1] [2]. At the moment the following domains appear to be hosted on that server:
aandimedsolutions.com
aandimedsolutions.info
aandimedsolutions.net
antarcticland-union.it
antarcticland-union.org
antarcticland-union.us
easymapbuilder.com
findmynewschool.com
governmentofantarcticland.it
governmentofantarcticland.org
governmentofantarcticland.us
governodiantarcticland.it
governodiantarcticland.org
inflectionism.com
marinedockladders.com
premiumrentalproperty.com
principalityaustrallands.org
principatodiantarcticland.it
principatodiantarcticland.org
remote-recording-mixing.com
soundstudiosearch.com
trippling.com
waltwhitman150.org
These domains were recently hosted on that server but now appear to be back with GoDaddy and are probably fixed:
audiomasteringmeistro.com
beachfrontconcierge.com
audio-mastering-music.com
novafitnesstrainer.com
dinneraffairs.com
douglasvillestorage.com
subprimemortgage.us
loadingdockgear.com
loadingdockdepot.com
rippedtrainer.com
herblade.com
audiomasteringmaestro.com
audiomasteringsearch.com
austinremoterecording.com
bestseoamerica.com
hotrankseo.com
jacksonvillefloridacommercialrealestate.com
online-audio-mixing.com
findmynewhouse.co.uk
greatwestinsurancegroup.com
jewelboon.com
"Fiserv Secure Email Notification - TBTATU41DMJDT5B" spam / SecureMessage_TBTATU41DMJDT5B.zip
Date: Mon, 24 Jun 2013 07:27:59 -0600 [09:27:59 EDT]
From: Fiserv Secure Notification [secure.notification@fiserv.com]
Subject: Fiserv Secure Email Notification - TBTATU41DMJDT5B
Part(s):
2 SecureMessage_TBTATU41DMJDT5B.zip [application/zip] 104 KB
You have received a secure message
Read your secure message by opening the attachment, SecureMessage_TBTATU41DMJDT5B.zip.
The attached file contains the encrypted message that you have received.
To decrypt the message use the following password - SUgDu07dn
To read the encrypted message, complete the following steps:
- Double-click the encrypted message file attachment to download the file to your computer.
- Select whether to open the file or save it to your hard drive. Opening the file displays the attachment in a new browser window.
- The message is password-protected, enter your password to open it.
To access from a mobile device, forward this message to mobile@res.fiserv.com to receive a mobile login URL.
If you have concerns about the validity of this message, please contact the sender directly. For questions about secure e-mail encryption service, please contact technical support at 888.710.6198.
2000-2013 Fiserv Secure Systems, Inc. All rights reserved.
Ask yourself this question: why would you encrypt a message and then put the password in the same email? Simple.. to get past virus scanners, of course! The VirusTotal detection for this malware is just 8/46.
Other analysis is pending; the malware has the following checksums:
Size: 117248 bytes
MD5: fdd154360854e2d9fee47a557b296519
SHA1: d3de7f5514944807eadb641353ac9380f0c64607
SHA256: 1ef3302196f5c4cd9bf97c719e934d612a244a17a20f5a742c15d8203d477f59
UPDATE: the Malwr sandbox has an analysis here. URLs involved in downloading components are:
[donotclick]governodiantarcticland.org/ponyb/gate.php
[donotclick]maxprotection.de/N4k.exe
[donotclick]francescobotti-fashion.com/27ZDM9p.exe
[donotclick]liltommy.com/ep9C.exe
[donotclick]keep-smile.net/t4T.exe
Labels:
EXE-in-ZIP,
Malware,
Spam,
Viruses
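The trick in this post (a password-protected ZIP with the password handed over in the same message) is easy to spot at a mail gateway without ever opening the archive: the ZIP central directory stores each member's name and its "encrypted" flag in cleartext, so a scanner can see an .exe inside a locked ZIP and can look for a password string in the body. The following is an added example of that check, written for this post and not code from the blog or from any product it mentions. The sample message is constructed to mirror the Fiserv mail above (same subject, attachment name and password); the inner file name SecureMessage.exe is a placeholder, and the ZIP is a constructed one with only the encryption flag set, since Python's zipfile cannot write real encrypted entries.

```python
import email
import io
import os
import re
import zipfile
from email import policy
from email.message import EmailMessage

# A password handed over in the message, e.g. "use the following password - SUgDu07dn".
# The token must mix letters and digits so phrases like "password-protected" do not match.
PASSWORD_RE = re.compile(
    r"password\b[^\n]{0,40}?[-:]\s*((?=\S*\d)(?=\S*[A-Za-z])\S{6,})", re.IGNORECASE)
EXEC_EXT = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs"}


def build_fake_encrypted_zip(inner_name: str) -> bytes:
    """Constructed sample: a ZIP whose headers carry the 'encrypted' flag (general purpose
    bit 0). The data is not really encrypted; only the flag is set, which is all the
    triage below reads. Member names stay in cleartext even in genuinely encrypted ZIPs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(inner_name, b"MZ" + b"\x00" * 64)    # constructed stand-in for a PE file
    data = bytearray(buf.getvalue())
    local = data.find(b"PK\x03\x04")      # local file header: flags at offset 6
    central = data.find(b"PK\x01\x02")    # central directory entry: flags at offset 8
    data[local + 6] |= 0x01
    data[central + 8] |= 0x01
    return bytes(data)


def inspect_zip(blob: bytes) -> dict:
    """Read only the central directory: the encryption flag and member names need no password."""
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            infos = zf.infolist()
    except zipfile.BadZipFile:
        return {"valid": False, "encrypted": False, "names": []}
    return {"valid": True,
            "encrypted": any(i.flag_bits & 0x01 for i in infos),
            "names": [i.filename for i in infos]}


def triage(raw: bytes) -> dict:
    """Flag mail that ships an encrypted ZIP plus its password, or a ZIP holding an executable."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part else ""
    m = PASSWORD_RE.search(body)
    result = {"password_in_body": m.group(1) if m else None,
              "encrypted_zips": [], "executable_entries": []}
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if not name.lower().endswith(".zip"):
            continue
        info = inspect_zip(part.get_payload(decode=True))
        if info["encrypted"]:
            result["encrypted_zips"].append(name)
        result["executable_entries"] += [
            n for n in info["names"] if os.path.splitext(n)[1].lower() in EXEC_EXT]
    result["suspicious"] = bool(result["encrypted_zips"] and result["password_in_body"]) \
        or bool(result["executable_entries"])
    return result


def build_sample_email() -> bytes:
    """Constructed message modelled on the Fiserv spam above; the inner .exe name is a placeholder."""
    msg = EmailMessage()
    msg["From"] = "Fiserv Secure Notification <secure.notification@fiserv.com>"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = "Fiserv Secure Email Notification - TBTATU41DMJDT5B"
    msg.set_content(
        "You have received a secure message\n"
        "Read your secure message by opening the attachment, SecureMessage_TBTATU41DMJDT5B.zip.\n"
        "To decrypt the message use the following password - SUgDu07dn\n"
        "The message is password-protected, enter your password to open it.\n")
    msg.add_attachment(build_fake_encrypted_zip("SecureMessage.exe"),
                       maintype="application", subtype="zip",
                       filename="SecureMessage_TBTATU41DMJDT5B.zip")
    return msg.as_bytes()


def build_benign_email() -> bytes:
    """Constructed control: a plain notification with no attachment and no password."""
    msg = EmailMessage()
    msg["From"] = "notifications@example.invalid"
    msg["Subject"] = "Your statement is ready"
    msg.set_content("Log in to the portal to view your statement.\n")
    return msg.as_bytes()


if __name__ == "__main__":
    print(triage(build_sample_email()))
    print(triage(build_benign_email()))
```

The useful property here is that nothing needs the password: the encrypted flag and the member names are in the unencrypted central directory, so a gateway can quarantine "encrypted ZIP + password in body + .exe inside" before any antivirus engine has to guess at the payload.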
Facebook spam / chinadollars.net
This fake Facebook spam leads to malware on chinadollars.net:
Date: Mon, 24 Jun 2013 09:18:12 -0500
From: Facebook [notification+SCCRJ42M8P@facebookmail.com]
Subject: You have 1 friend request
You have new notifications.
A lot has happened on Facebook since you last logged in. Here are some notifications you've missed from your friends.
1 friend request
View Notifications
Go to Facebook
This message was sent to [redacted]. If you don't want to receive these emails from Facebook in the future, please unsubscribe.
Facebook, Inc., Attention: Department 415, PO Box 10005, Palo Alto, CA 94303
The link in the email goes through a legitimate but hacked site and then leads to a malware landing page at [donotclick]chinadollars.net/news/inputted-ties.php (report here) hosted on:
119.147.137.31 (China Telecom, China)
202.147.169.211 (LINKdotNET, Pakistan)
203.80.17.155 (MYREN Cloud Infrastructure, Malaysia)
210.42.103.141 (Wuhan Urban Construction Institute, China)
Recommended blocklist:
119.147.137.31
202.147.169.211
203.80.17.155
210.42.103.141
abacs.pl
addressadatal.net
afabind.com
anygus.com
appasnappingf.com
avastsurveyor.com
cardpalooza.su
chinadollars.net
condalnuas34637.ru
condalnuashyochetto.ru
doggedlegitim.net
dollsinterfer.net
dulethcentury.net
ehnihjrkenpj.ru
ejoingrespubldpl.ru
enway.pl
estimateddeta.com
genown.ru
greli.net
gstoryofmygame.ru
gurieojgndieoj.ru
headbuttingfo.net
historuronded.com
huang.pl
ingrestrained.com
inutesnetworks.su
invisibilitym.net
jetaqua.com
joinproportio.com
libulionstreet.su
lmbcakes.com
ludena.ru
mantrapura.net
meticulousmus.net
multipliedfor.com
nipiel.com
oydahrenlitutskazata.ru
pc-liquidations.net
photosuitechos.su
planete-meuble-pikin.com
pleak.pl
profurnituree.com
relectsdispla.net
reportingglan.com
reveck.com
rmacstolp.net
rustin.pl
sendkick.com
shopkeepersne.net
sludgekeychai.net
smartsecurityapp2013.com
stilos.pl
streetgreenlj.com
theislandremembered.com
twintrade.net
unabox.pl
voippromotion.su
winne2000.net
zoneagainstre.com
DanielMcClintic@hotmail.com fake job offer
Another staggeringly crude money mule recruitment spam, like this one. Unless you like prison food I would advise you to leave this fake offer alone.
Date: Mon, 24 Jun 2013 22:56:39 +0900 [09:56:39 EDT]
From: Delmar Roark
Subject: Work in the finance department
We invite you to work in the home assistant offer.
This job takes 2-3 hours a week and requires absolutely no investment.
The essence of this work for incoming client requests in your city.
The starting income is about ~2000 Euro per month + bonuses.
You get paid your money every 2 weeks and your bonuses after finish each task!
We promis work for every person. But we accept applications this week only!
Therefore, you should send email a request right now.
And you will start earning money, starting from next week.
Please write in the request:
Your name:
Your Contact number:
Your email address:
City of residence:
Please send the request to my email DanielMcClintic@hotmail.com, and
I will contact you personally as quickly as possible.
Sincerely,
Delmar Roark
Originating IP is 211.226.147.218 in Korea.
Labels:
Job Offer Scams,
Korea
www.public-trust.com false positive at Phishtank
public-trust.com houses Certificate Revocation Lists (CRLs) and is controlled by Verizon. It probably houses other certificate infrastructure too, but at the moment several web filtering systems are detecting it as a phishing site due to a false positive at Phishtank.
Some example URLs (which are perfectly safe) include:
http://www.public-trust.com/cgi-bin/CRL/2018/cdp.crl
http://cdp1.public-trust.com/CRL/Omniroot2025.crl
The problem with the website at www.public-trust.com is that it forwards to www.verizonenterprise.com (a perfectly legitimate Verizon site), but this does make it look a bit like a phishing site. This is the false positive at Phishtank.
At least one person seems to have spotted that it wasn't a phish, but it's quite an easy mistake to make because the screenshot of a Verizon site combined with the very non-obvious domain name makes it look extremely phishy.
For the record, these are the WHOIS registrant details:
Verizon Business Global LLC
Verizon Business Global LLC
One Verizon Way
Basking Ridge NJ 07920
US
domainlegalcontact@verizon.com +1.7033513164 Fax: +1.7033513669
The domain was created in 2002 (most phishing sites don't even last a few weeks) and is hosted on 64.18.30.10 (Verizon Business Global, LLC). At the moment the false positive is in Phishtank, AVGThreatLabs, SURBL and MyWOT blacklists plus anything downstream that uses that data.
Labels:
False Positive,
Phishtank
Saturday 22 June 2013
julia.sailor@hotmail.com fake job offer
These guys aren't really trying. The email address is julia.sailor@hotmail.com but the email is signed Claudine Nash and appears to be "from" brooksd@kormanlederer.com originating from an IP address in Brazil. The so-called "job" is going to be money laundering or some such, avoid.
Date: Sat, 22 Jun 2013 20:47:56 -0300 [19:47:56 EDT]
From: Claudine Nash [brooksd@kormanlederer.com]
Subject: Regional administrotor
We offer you to work in the remote assistant offer.
This job takes 2-3 hours during the week and requires absolutely no investment.
The essence of this work for entering client requests in your city.
The starting wages is about ~2000 Euro per month + bonuses.
You get paid your money every 2 weeks and your bonuses after fulfilling each task!
We guarantee work for every man. But we accept applications this week only!
Accordingly, you should send email a request right now.
And you will start earning money, starting from next week.
Please write in the request:
Your name:
Your Contact number:
Your email address:
City of residence:
Please send the registration form to my email julia.sailor@hotmail.com, and
I will response you individually at an early date.
Sincerely,
Claudine Nash
Labels:
Job Offer Scams,
Spam
Friday 21 June 2013
LexisNexis spam FAIL
Date: Fri, 21 Jun 2013 10:48:12 -0700 [13:48:12 EDT]
From: LexisNexis [einvoice.notification@lexisnexis.com]
Subject: Invoice Notification for June 2013
There was an invoice issued to your company: [redacted]
Please double click the PDF attachment to open or print your invoice. To view full invoice details or for any Online Account Management options, download PDF attachment.
Account Number 455SAZ
Invoice Number 904510653899
Invoice Date June 21, 2013
Invoice Amount $3.508.00
Account Balance $0.00
You can PAY YOUR BALANCE through the PowerInvoice please print the attached invoice and mail to the address indicated on the invoice statement. If you do not have Adobe Acrobat, please find a link to a free downloadable file at the end of this e-mail.
You can also print this e-mail and send your payment to:
LexisNexis
PO BOX 7247-7090
Philadelphia, PA 19170-7090
If you have questions about your invoice, please contact LexisNexis at 1-800-262-2391, option 3.
If you would like to contact your Account Manager, please contact LexisNexis at 1-800-262-2391, option 2.
Please add this domain @email.lexisnexismail.com to your safe senders list.
Adobe Acrobat free downloadable file available at :
http://www.adobe.com/products/acrobat/readstep2.html
In this case the attachment is just 8 bytes and is harmless. Next time, it probably won't be..
Of note, the only link in the email goes to [donotclick]https://server.nepplelaw.com/owa/redir.aspx?C=430ed6e3b59a4a69b2d5653797c3e3d6&URL=http%3a%2f%2fwww.adobe.com%2fproducts%2facrobat%2freadstep2.html, which is the sort of thing that happens to a URL when it goes through Outlook Web Access; in this case the OWA server would be server.nepplelaw.com. I have no explanation as to why it is there, but it is harmless.
Labels:
EXE-in-ZIP,
Fail,
Spam
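An OWA-rewritten link like the one above hides the real destination inside the URL query parameter, so anything that judges a link by its visible host (here server.nepplelaw.com) gets the wrong answer in both directions: a harmless Adobe link looks like it goes to a law firm, and a wrapped malicious link would look like it goes to a trusted OWA server. The code below is an added example, not from the blog, of unwrapping the redirect and comparing the host a reader sees with the host they would actually land on. It uses the URL quoted in the post; the generic fallback (treat any query value that is itself an http(s) URL as the destination) is my own generalisation, and the other hosts in the test are placeholders.

```python
from typing import List, Optional
from urllib.parse import parse_qs, urlsplit

# The link quoted in the post, rewritten by Outlook Web Access.
PAGE_URL = ("https://server.nepplelaw.com/owa/redir.aspx?C=430ed6e3b59a4a69b2d5653797c3e3d6"
            "&URL=http%3a%2f%2fwww.adobe.com%2fproducts%2facrobat%2freadstep2.html")


def unwrap_owa_redirect(url: str) -> Optional[str]:
    """Return the destination carried in an OWA /owa/redir.aspx link, else None."""
    parts = urlsplit(url)
    if not parts.path.lower().endswith("/owa/redir.aspx"):
        return None
    # parse_qs percent-decodes the value, so %3a%2f%2f becomes ://
    params = {k.lower(): v for k, v in parse_qs(parts.query).items()}
    return (params.get("url") or [None])[0]


def unwrap_generic(url: str) -> Optional[str]:
    """Assumed generalisation: any query value that is itself an http(s) URL is the real target."""
    for values in parse_qs(urlsplit(url).query).values():
        for v in values:
            if v.lower().startswith(("http://", "https://")):
                return v
    return None


def resolve(url: str, max_hops: int = 5) -> List[str]:
    """Follow wrapper-inside-wrapper links (OWA rule first, then the generic rule); return the chain."""
    chain = [url]
    for _ in range(max_hops):
        inner = unwrap_owa_redirect(chain[-1]) or unwrap_generic(chain[-1])
        if not inner or inner in chain:       # nothing left to unwrap, or a loop
            break
        chain.append(inner)
    return chain


def display_vs_target(anchor_text: str, href: str) -> dict:
    """What a mail filter should compare: the host the user sees against the host they reach."""
    shown = urlsplit(anchor_text if "://" in anchor_text else "http://" + anchor_text).hostname
    final = urlsplit(resolve(href)[-1]).hostname
    return {"shown_host": shown,
            "wrapper_host": urlsplit(href).hostname,
            "final_host": final,
            "mismatch": (shown or "").lower() != (final or "").lower()}


if __name__ == "__main__":
    print(resolve(PAGE_URL))
    print(display_vs_target("http://www.adobe.com/products/acrobat/readstep2.html", PAGE_URL))
```

For the post's link the chain ends at www.adobe.com, matching the text shown in the mail, which is why the author's "harmless" verdict holds; the same comparison would flag a mail whose visible text says one site while the wrapped parameter points somewhere else.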
luntravel.com are a bunch of stupid spammers
Like most people I get a lot of spam. Sometimes it makes me cross. Here's one sent to a scraped email address that is effectively a spamtrap.
From: Luntravel [noreply@luntravelmail.com]
Reply-To: Luntravel [noreply@luntravelmail.com]
Date: 21 June 2013 13:03
Subject: New offers from £49
Mailing list: c425d640a3819ebec8af23ba171be24c
So far, just a spam with a graphic in, but the email footer is what got my goat..
You receive this newsletter because you used google sometime and we send you our best deals.
Prices shown as 'from' point to the lowest bidder at the time of sending this communication, so we can not guarantee that they remain in force at the time you receive this newsletter.
Save our info@luntravelmail.com address in your e-book for the best deals do not end up in the SPAM folder.
To unsubscribe from receipt of this message, you can click on Unsubscribe, our private site is Luntravel.com
Wait.. I received this spam because I use Google? I've never used any Google product in my life. Not even blogger. And then it goes on to say that the prices quoted may as well be completely made up. Which no doubt they are. Oh yes, SPAM spelled in CAPITALS is a trademark for a brand of tinned meat.
Now the stupid legal blurb which basically says we can spam you but you can't publish anything about our website, and now we'll quote some Spanish laws which may or may not exist but we are probably breaking by sending the spam (actually the relevant law is Act 34/2002 of 11 July on Information Society Services and Electronic Commerce, but I don't think they have read it).
All of the content, trademarks, logos, images, etc. displayed on the Website are protected by the intellectual and industrial property rights, patents, trademarks and copyrights of Luntravel, which are expressly reserved by Luntravel and, when applicable, any other persons or companies that figure as the authors or holders of such rights. Any violation of the abovementioned rights shall be prosecuted in accordance with currently effective legislation. Therefore, it is strictly prohibited to reproduce, exploit, alter, distribute or publicly communicate any of the Website content through any means for any use other than legitimate informational purposes or for the User to contract the services offered therein. In any event, doing so shall require the prior written consent of Luntravel.
The User acknowledges that the operation of this service is governed by Spanish legislation. Luntravel reserves the right to make any changes it deems appropriate in observance of the terms and conditions envisaged in the General Law in Defence of Consumers and Users (Law No. 1/2007), the various regulations governing the activities of travel agencies in the Autonomous Communities and the various legal amendments to and supplemental regulations of the legislation related to free access to the activities of services and their performance.
Oh what was that about logos?
Say again?
The spam originates from 93.159.211.199 (CPC Servicios Informaticos SL, Spain) with links to newsletters.tradaticket.com on 93.159.209.72 (also CPC) and then onto luntravel.com on 94.23.82.229 (OVH, France) [report here]. luntravel.com is registered to:
miguel angel lancho milan Lancho milan Miguel angel C/ General Barroso 37-21 Valencia, 46017 ES +34.963788523 7i54o32ibghg27t42930@b.o-w-o.info
Dealing with spammers is never a good idea. I would avoid this bunch.
Thursday 20 June 2013
ADP spam / planete-meuble-pikin.com
This fake ADP spam leads to malware on planete-meuble-pikin.com:
173.254.254.110 (Quadranet, US)
190.93.23.10 (Greendot, Trinidad and Tobago)
193.147.61.250 (Universidad Rey Juan Carlos, Spain)
193.254.231.51 (Universitatea Transilvania Brasov, Romania)
202.147.169.211 (LINKdotNET, Pakistan)
Recommended blocklist:
173.254.254.110
190.93.23.10
193.147.61.250
193.254.231.51
202.147.169.211
appasnappingf.com
condalinarad72234652.ru
condalinneuwu5.ru
condalinra2735.ru
condalnuas34637.ru
condalnuashyochetto.ru
diamondbearingz.net
drivesr.com
eheranskietpj.ru
ehnutidalvchedu.ru
ejoingrespubldpl.ru
ergopets.com
ermitajohrmited.ru
ghroumingoviede.ru
gnunirotniviepj.ru
gondatskenbiehu.ru
gromimolniushed.ru
gurieojgndieoj.ru
jetaqua.com
joinproportio.com
multipliedfor.com
nipiel.com
oxfordxtg.net
oydahrenlitutskazata.ru
pc-liquidations.net
planete-meuble-pikin.com
pnpnews.net
profurnituree.com
reportingglan.com
rmacstolp.net
safe-browser.biz
safe-time.net
smartsecurityapp2013.com
televisionhunter.com
teszner.net
theislandremembered.com
trleaart.net
usforclosedhomes.net
winne2000.net
winudpater.com
ww2.condalinneuwu5.ru
ww2.gnunirotniviepj.ru
www.condalinarad72234652.ru
Date: Thu, 20 Jun 2013 07:12:28 -0600
From: EasyNetDoNotReply@clients.adpmail.org
Subject: ADP EasyNet: Bank Account Change Alert
Dear Valued ADP Client,
As part of ADP's commitment to provide you with exceptional service, ADP is taking additional steps to ensure that your payroll data is secure. Therefore, we are sending you this e-mail as a security precaution to confirm that you have added or changed a bank account for the following employee(s) on your account:
** Dominic Johnson **
** Ayden Campbell **
Use this links to: Review or Decline this changes.
If you have not made and authorized this bank account change, please contact your ADP Service Team immediately.
This security precaution is another reason why so many businesses like yours choose ADP, the world's leading payroll provider for over 60 years, to handle their payroll.
Sincerely,
Your ADP Service Team
This e-mail comes from an unattended mailbox. Please do not reply.
The link in the email goes through a legitimate but hacked site and ends up on a malware landing page at [donotclick]planete-meuble-pikin.com/news/network-watching.php (report here) hosted on:
173.254.254.110 (Quadranet, US)
190.93.23.10 (Greendot, Trinidad and Tobago)
193.147.61.250 (Universidad Rey Juan Carlos, Spain)
193.254.231.51 (Universitatea Transilvania Brasov, Romania)
202.147.169.211 (LINKdotNET, Pakistan)
Recommended blocklist:
173.254.254.110
190.93.23.10
193.147.61.250
193.254.231.51
202.147.169.211
appasnappingf.com
condalinarad72234652.ru
condalinneuwu5.ru
condalinra2735.ru
condalnuas34637.ru
condalnuashyochetto.ru
diamondbearingz.net
drivesr.com
eheranskietpj.ru
ehnutidalvchedu.ru
ejoingrespubldpl.ru
ergopets.com
ermitajohrmited.ru
ghroumingoviede.ru
gnunirotniviepj.ru
gondatskenbiehu.ru
gromimolniushed.ru
gurieojgndieoj.ru
jetaqua.com
joinproportio.com
multipliedfor.com
nipiel.com
oxfordxtg.net
oydahrenlitutskazata.ru
pc-liquidations.net
planete-meuble-pikin.com
pnpnews.net
profurnituree.com
reportingglan.com
rmacstolp.net
safe-browser.biz
safe-time.net
smartsecurityapp2013.com
televisionhunter.com
teszner.net
theislandremembered.com
trleaart.net
usforclosedhomes.net
winne2000.net
winudpater.com
ww2.condalinneuwu5.ru
ww2.gnunirotniviepj.ru
www.condalinarad72234652.ru
Moniker "Security Notice: Service-wide Password Reset" mail and t.lt02.net
This email from Moniker shows an impressive combination of WIN and FAIL at the same time.
Full disclosure and prompt action is a WIN. Shit happens, it's often how you deal with it that makes the difference. But wait.. where does the link in the email go to? t.lt02.net? Who the heck are they? And this is where a big dose of FAIL happens.
lt02.net belongs to a company called VertexInternet (vertex.net). This company is not related to Moniker, and bearing in mind that this email is about a potential security breach you might expect people to be a little bit cautious about clicking through those links.
To be fair, the body of the email does suggest going to "moniker.com" (i.e. typing it in the address bar). The mystery of lt02.net is easily explainable too.. VertexInternet run an email marketing system called Listrak which is what is being used to send out the email. The email is legitimate, and presumably it has been done this way for reasons of speed.. the problem is that many people will probably be highly suspicious of this email given the context and that this approach is often used by the Bad Guys.
If you are going to send out a message like this, make sure that all the links go to a site that the recipient would recognise. In this case the sensible option would be to link directly to moniker.com. I'm betting that quite a few people will ignore this message and then wonder why they cannot log into their accounts at a later date.
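The check a mail gateway (or a cautious recipient) can apply to a message like this is mechanical: every clickable link should land on the brand's own registrable domain, and so should the From address. The script below is an added example, not part of the original post or anything Moniker or Listrak ship. The sample message is constructed to mirror the Moniker mail (tracked links via t.lt02.net, a direct link to www.moniker.com); the ADP header reuses the From address quoted in the ADP post above. The "last two labels" rule for the registrable domain is an assumption that is fine for .com/.net/.org and wrong for ccSLDs such as .co.uk, where the Public Suffix List should be used instead.

```python
"""Flag notification e-mails whose links or sender do not belong to the brand.

Added example, not the original post's code. Sample messages are constructed;
only the domain names (moniker.com, t.lt02.net, clients.adpmail.org) come from
the posts on this page.
"""
import email
import email.utils
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed stand-in for the Moniker mail: body says "go to Moniker.com",
# but the tracked link goes through the mailing vendor's domain.
MONIKER_SAMPLE = """\
From: Moniker <support@moniker.com>
To: customer@example.net
Subject: Security Notice: Service-wide Password Reset
Content-Type: text/html; charset=utf-8

<html><body>
<p>Go to <a href="http://t.lt02.net/track?r=abc123">Moniker.com</a> and click Sign In.</p>
<p>Or visit <a href="https://www.moniker.com/">www.moniker.com</a> directly.</p>
<p><a href="mailto:support@moniker.com">Contact support</a></p>
</body></html>
"""

# Constructed header set reusing the From address from the fake ADP mail.
ADP_SAMPLE = """\
From: EasyNetDoNotReply@clients.adpmail.org
Subject: ADP EasyNet: Bank Account Change Alert
Content-Type: text/plain

(body omitted)
"""


class _HrefCollector(HTMLParser):
    """Collect href values of <a> tags."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def registrable_domain(host):
    """Assumed rule: the last two labels. Use the Public Suffix List for ccSLDs."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def extract_link_hosts(raw_message):
    """Hostnames of all http(s) links in the preferred (HTML, else plain) body."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body is not None else ""
    collector = _HrefCollector()
    collector.feed(text)
    hosts = []
    for href in collector.hrefs:
        parts = urlsplit(href)
        if parts.scheme in ("http", "https") and parts.hostname:
            hosts.append(parts.hostname.lower())
    return hosts


def off_brand_links(raw_message, brand_domain):
    """Distinct link hosts whose registrable domain is not the brand's."""
    found = []
    for host in extract_link_hosts(raw_message):
        if registrable_domain(host) != brand_domain.lower() and host not in found:
            found.append(host)
    return found


def sender_matches_brand(raw_message, brand_domain):
    """True when the From address is under the brand's registrable domain."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    addr = email.utils.parseaddr(str(msg["From"] or ""))[1]
    return registrable_domain(addr.split("@")[-1]) == brand_domain.lower()


if __name__ == "__main__":
    print("Moniker off-brand links:", off_brand_links(MONIKER_SAMPLE, "moniker.com"))
    print("ADP sender genuine?", sender_matches_brand(ADP_SAMPLE, "adp.com"))
```

Run against the Moniker sample it reports t.lt02.net as the only off-brand host, which is exactly the thing a recipient has no way to vet; against the ADP sample the sender check fails outright. Neither check proves malice on its own, but a legitimate sender can make both pass simply by linking to its own domain.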
www.moniker.com
Moniker
Moniker’s Operations & Security team has discovered and blocked suspicious activity on the Moniker network that appears to have been a coordinated attempt to access a number of Moniker user accounts.
As a precaution to protect your domains, we have decided to implement a system-wide password reset. Please read the below instructions to create a new password. You will not be able to access your Moniker account until these steps are taken.
In our security investigation, we have found no evidence that domains have been lost or transferred out. We also have no evidence that any confidential or credit card information has been compromised.
While our password encryption measures are robust, we are taking additional steps to ensure that your personal data and domains remain secure. This means that, to be absolutely sure of the security of your account, we are requiring all users to reset their Moniker account passwords.
Please reset your password by following the directions below.
1) Go to Moniker.com and click the “Sign In” button in the upper right hand corner of the home page. Select the “Forgot Your Password” link.
2) You will be directed to a page to “Retrieve” your Moniker Account Password. When prompted, enter your account number and click “Submit”.
3) You will be directed to a page that displays the message below. You will receive an email from Moniker. Please follow the instructions in this email to complete the password reset.
As recent events with other large services have demonstrated, this type of activity is becoming more common. We take our responsibility to keep your domains and personal data safe very seriously, and we're constantly enhancing the security of our service infrastructure to protect our customers. We feel it is also important to be clear that we view this as attempted illegal activity and have taken steps to report this to the appropriate authorities.
There are also several important steps that you can take to ensure that your data on any website, including Moniker, is secure:
• Avoid using simple passwords based on dictionary words
• Never use the same password on multiple sites or services
• Never click on 'reset password' requests in emails that you did not request
Thank you for taking the time to read this email. We sincerely apologize for the inconvenience of having to change your password, but, ultimately, we believe this simple step will result in a more secure experience. If you have any questions, please do not hesitate to contact Moniker Support. Our support team is standing by to assist at 800-688-6311 or outside the U.S. and Canada: 954-607-1294.
Drake Harvey
Chief Operations Officer
Moniker.com
Moniker
1800 SW 1st Ave, Suite 440, Portland, OR, USA
Sales and Support: +1 (800) 688-6311
www.moniker.com
Copyright © 2013 Moniker.com | SnapNames.
Labels:
Data Breach,
Fail
Wednesday 19 June 2013
HP Spam / HP_Scan_06292013_398.zip FAIL
I've been seeing these spams for a couple of days now..
Date: Wed, 19 Jun 2013 09:39:27 -0500 [10:39:27 EDT]
From: HP Digital Device [HP.Digital0@victimdomain]
Subject: Scanned Copy
Please open the attached document. This document was digitally sent to you using an HP Digital Sending device.
To view this document you need to use the Adobe Acrobat Reader.
-------------------------------------------------------------------------------
This email has been scanned for viruses and spam.
-------------------------------------------------------------------------------
There is an attachment called HP_Scan_06292013_398.zip. Obviously this is an attempt to deliver malware.. but the attachment is too small to have a payload. Initially I thought that it was some random part of somebody's security infrastructure stripping it off until I got a really clean copy.. and the ZIP file was just 8 bytes:
12 BA E8 AC 16 AC 7B AE
Another sample version looks like this, with just 6 bytes:
12 BA E8 AC 16 AC
Googling for 12BAE8AC16AC or 12BAE8AC16AC7BAE gets nothing at all (well, except it will now I've blogged about it). Weird, huh?
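Eight bytes cannot be a ZIP archive at all: even an empty archive is 22 bytes, because the end-of-central-directory record alone is that long, and a non-empty one starts with the PK\x03\x04 local file header. The script below is an added example (not from the original post) that turns those facts into an attachment triage step: it classifies the bytes, and for archives that do open it lists members with executable extensions, the EXE-in-ZIP case this blog labels. The 8- and 6-byte samples are the ones quoted above; the archives it builds in memory are constructed fixtures, not real malware samples.

```python
"""Triage an attachment that claims to be a ZIP archive.

Added example, not from the original post. HP_SCAN_SAMPLE is the 8-byte
attachment quoted in the post; the archives built here are test fixtures.
"""
import io
import zipfile

HP_SCAN_SAMPLE = bytes.fromhex("12BAE8AC16AC7BAE")  # from the post
HP_SCAN_SAMPLE_6 = bytes.fromhex("12BAE8AC16AC")    # second variant from the post

LOCAL_FILE_HEADER = b"PK\x03\x04"   # first record of a non-empty archive
EMPTY_ARCHIVE_EOCD = b"PK\x05\x06"  # an empty archive is just this record
SPANNED_ARCHIVE = b"PK\x07\x08"     # data-descriptor/spanned marker
EOCD_MIN_SIZE = 22                  # smallest possible ZIP file

# Extensions Windows will execute directly; the classic double-extension
# trick (scan.pdf.exe) still ends in one of these.
EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".pif", ".com", ".cpl",
                         ".js", ".vbs", ".bat", ".cmd")


def classify_zip_bytes(data):
    """Return 'too_short', 'bad_magic', 'empty', 'corrupt' or 'ok'."""
    if len(data) < EOCD_MIN_SIZE:
        return "too_short"
    if data[:4] not in (LOCAL_FILE_HEADER, EMPTY_ARCHIVE_EOCD, SPANNED_ARCHIVE):
        return "bad_magic"
    if data[:4] == EMPTY_ARCHIVE_EOCD:
        return "empty"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            # testzip() walks every member and returns the first bad one.
            if zf.testzip() is not None:
                return "corrupt"
    except zipfile.BadZipFile:
        return "corrupt"
    return "ok"


def executable_members(data):
    """Names of members with a directly executable extension (empty if not a usable ZIP)."""
    if classify_zip_bytes(data) != "ok":
        return []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [n for n in zf.namelist() if n.lower().endswith(EXECUTABLE_EXTENSIONS)]


def build_sample_archive(members):
    """Constructed fixture: an in-memory ZIP from a {name: bytes} mapping."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


if __name__ == "__main__":
    print("HP_Scan sample:", classify_zip_bytes(HP_SCAN_SAMPLE))
    decoy = build_sample_archive({"HP_Scan_06292013_398.pdf.exe": b"MZ (fixture, not a real PE)"})
    print("fixture:", classify_zip_bytes(decoy), executable_members(decoy))
```

A gateway that only runs an AV engine over the attachment will report the 8-byte file as clean, which is true and useless; the size check gives the more informative verdict that the attachment was never a ZIP. Whether that is a botched template or deliberate probing, as the post wonders, is not something the bytes can answer.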
Labels:
EXE-in-ZIP,
Fail,
Malware,
Printer Spam,
Spam,
Viruses
Something evil on 205.234.139.169
205.234.139.169 (Hostforweb, US) appears to be hosting a bunch of Java exploits being served up on subdomains of hacked GoDaddy domains. The malware looks like it is being served up in some sort of injection attack. Here are some example URLs of badness:
[donotclick]blog2.stefuraassociatesinc.com:6842/ServerAdministrator/keys/pairs/applet.jnlp
[donotclick]blog2.stefuraassociatesinc.com:6842/ServerAdministrator/keys/pairs/contact.php
[donotclick]blog2.stefuraassociatesinc.com:6842/ServerAdministrator/keys/pairs/xXsdYVRQe.class
[donotclick]blog2.stefuraassociatesinc.com:6842/ServerAdministrator/keys/pairs/xXsdYVRQe/class.class
[donotclick]blog2.stefuraassociatesinc.com:6842/ServerAdministrator/keys/pairs/jfygZbFu
URLquery and VirusTotal are not very conclusive, but if it walks like a duck and quacks like a duck.. well, you know the rest.
The following domains appear to be hosted on the server. You should assume that they are all malicious; ones already flagged by Google are marked in red.
blog2.4glenview.com
blog2.bigciti.com
blog2.bonitajoe.com
blog2.dnbmedia.com
blog2.dynamomedia.com
blog2.equityblueprintmn.com
blog2.floridawaterfrontpro.com
blog2.flsearchmls.com
blog2.fmbcribs.com
blog2.fmbjoe.tv
blog2.fortmyersbeachrealestatejoe.com
blog2.joe22.com
blog2.joemoves.com
blog2.joeorlandini.com
blog2.joesrealtygroup.com
blog2.joey1.com
blog2.joeyou.com
blog2.kitejunkys.com
blog2.loan2have.com
blog2.mailjoe.com
blog2.mlsfloridasearch.com
blog2.mysportnovelties.ca
blog2.mysportnovelties.com
blog2.naplezjoe.com
blog2.orlandinifamily.com
blog2.parkshorejoe.com
blog2.portroyaljoe.com
blog2.stefura.com
blog2.stefura-associates.com
blog2.stefuraassociatesinc.com
blog3.augustacampoli.com
blog3.bhs.com.pk
blog3.buckinghamsports.ca
blog3.itcspakistan.com
blog3.sindclub.org
blog3.sindclub.org.pk
(And yes, apparently you can get .pk domains through GoDaddy!)
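The pattern above has several traits a proxy log can be scored on: the server IP, a blogN. host hanging off an otherwise legitimate domain, a non-standard port, Java artefacts (.jnlp, .class) in the path, and a subdomain whose A record points somewhere its parent domain does not. The script below is an added example, not from the original post; the log lines and the DNS answers are constructed (only the first URL and the server IP 205.234.139.169 come from the post), and the Squid-like log format and the blogN. regex are assumptions to adapt to your own proxy and to whatever subdomain prefix the next campaign uses.

```python
"""Score proxy-log requests for the hijacked-subdomain Java applet pattern.

Added example, not from the original post. SAMPLE_LOG and FAKE_DNS are
constructed; the first URL and the server IP come from the post.
"""
import re
from urllib.parse import urlsplit

BAD_SERVER_IPS = {"205.234.139.169"}
JAVA_ARTEFACT_RE = re.compile(r"\.(?:jnlp|class|jar)$", re.IGNORECASE)
SUSPECT_SUBDOMAIN_RE = re.compile(r"^blog\d+\.", re.IGNORECASE)  # assumed prefix

# Constructed stand-in for DNS answers (what `dig +short` would return).
FAKE_DNS = {
    "blog2.stefuraassociatesinc.com": "205.234.139.169",
    "stefuraassociatesinc.com": "198.51.100.77",
    "cdn.example.net": "203.0.113.8",
    "example.net": "203.0.113.8",
}

# Constructed log lines: epoch client server status method url
SAMPLE_LOG = """\
1371600000.123 10.0.0.5 205.234.139.169 200 GET http://blog2.stefuraassociatesinc.com:6842/ServerAdministrator/keys/pairs/applet.jnlp
1371600001.456 10.0.0.5 205.234.139.169 200 GET http://blog2.stefuraassociatesinc.com:6842/ServerAdministrator/keys/pairs/xXsdYVRQe.class
1371600002.789 10.0.0.7 192.0.2.10 200 GET http://www.example.com/index.html
1371600003.012 10.0.0.9 198.51.100.20 200 GET http://blog.example.org/feed.xml
1371600004.345 10.0.0.9 203.0.113.8 200 GET https://cdn.example.net/lib/app.jar
"""


def parent_mismatch(host, resolve):
    """True when a third-level-or-deeper name resolves away from its parent domain."""
    labels = host.split(".")
    if len(labels) < 3:
        return False
    parent_ip = resolve(".".join(labels[-2:]))
    host_ip = resolve(host)
    return parent_ip is not None and host_ip is not None and parent_ip != host_ip


def score_request(server_ip, url, resolve=FAKE_DNS.get):
    """Return (score, reasons); each matching trait adds one point."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    reasons = []
    if server_ip in BAD_SERVER_IPS:
        reasons.append("known-bad server IP")
    if SUSPECT_SUBDOMAIN_RE.match(host):
        reasons.append("blogN. subdomain")
    if parts.port not in (None, 80, 443):
        reasons.append("non-standard port %d" % parts.port)
    if JAVA_ARTEFACT_RE.search(parts.path):
        reasons.append("Java artefact in path")
    if parent_mismatch(host, resolve):
        reasons.append("subdomain resolves away from parent domain")
    return len(reasons), reasons


def scan_log(text, threshold=2, resolve=FAKE_DNS.get):
    """Alert dicts for every log line scoring at least `threshold`."""
    alerts = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6:
            continue
        score, reasons = score_request(fields[2], fields[5], resolve)
        if score >= threshold:
            alerts.append({"client": fields[1], "url": fields[5],
                           "score": score, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert["score"], alert["client"], alert["url"], "; ".join(alert["reasons"]))
```

A single trait is weak evidence (plenty of CDNs serve .jar files), which is why the threshold defaults to two; the two exploit-kit lines score five, the CDN line scores one. Swapping FAKE_DNS.get for a real resolver lookup turns the parent-mismatch test into the check that would have caught this campaign regardless of port or path.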
Labels:
GoDaddy,
Injection Attacks,
Malware,
Viruses
Tuesday 18 June 2013
UPS Spam / rmacstolp.net
This fake UPS spam leads to malware on rmacstolp.net:
Date: Tue, 18 Jun 2013 01:21:34 -0800 [05:21:34 EDT]
From: UPSBillingCenter@upsmail.net
Subject: Your UPS Invoice is Ready
UPS Billing Center
This is an automatically generated email. Please do not reply to this email address.
Dear UPS Customer,
Thank you for your business.
New invoice(s) are available for the consolidated payment plan(s) / account(s) enrolled in the UPS Billing Center.
Please visit the UPS Billing Center to view your paid invoice.
Questions about your charges? To get a better understanding of surcharges on your invoice, click here.
Discover more about UPS:
Visit ups.com
Explore UPS Freight Services
Learn About UPS Companies
Sign Up For Additional Email From UPS
Read Compass Online
© 2013 United Parcel Service of America, Inc. UPS, the UPS brandmark, and the color brown are trademarks of United Parcel Service of America, Inc. All rights reserved.
For more information on UPS's privacy practices, refer to the UPS Privacy Policy.
Please do not reply directly to this e-mail. UPS will not receive any reply message.
For questions or comments, visit Contact UPS.
This communication contains proprietary information and may be confidential. If you are not the intended recipient, the reading, copying, disclosure or other use of the contents of this e-mail is strictly prohibited and you are instructed to please delete this e-mail immediately.
Privacy Policy
Contact UPS
The link in the email goes through a legitimate hacked site but then ends up on a malicious payload at [donotclick]rmacstolp.net/news/fishs_grands.php (report here and here). The payload appears to be the Blackhole Exploit kit, but the site seems to be either not working or (more likely) is being resistant to analysis.
If not called properly, the malware appears to serve up random payload pages.. I think they may be fake ones to evade detection. Here are some of them:
[donotclick]shop.babeta.ru/ftyxsem.php
[donotclick]kontra-antiabzocker.net/cpdedlp.php
[donotclick]www.cyprusivf.net/iabsvkc.php
[donotclick]clubempire.ru/ayrwoxt.php
[donotclick]artstroydom.com/rwlqqtq.php
[donotclick]www.masthotels.gr/ysmaols.php
rmacstolp.net is hosted on the following IPs:
186.215.126.52 (Global Village Telecom, Brazil)
190.93.23.10 (Greendot, Trinidad and Tobago)
193.254.231.51 (Universitatea Transilvania Brasov, Romania)
202.147.169.211 (LINKdotNET Telecom Limited, Pakistan)
Recommended blocklist:
186.215.126.52
190.93.23.10
193.254.231.51
202.147.169.211
balckanweb.com
buyparrots.net
condalinarad72234652.ru
condalinneuwu5.ru
condalinra2735.ru
condalnuas34637.ru
condalnuashyochetto.ru
diamondbearingz.net
drivesr.com
eheranskietpj.ru
ehnutidalvchedu.ru
ejoingrespubldpl.ru
ergopets.com
ermitajohrmited.ru
federal-credit-union.com
ghroumingoviede.ru
giwmmasnieuhe.ru
gnunirotniviepj.ru
gondatskenbiehu.ru
gromimolniushed.ru
gurieojgndieoj.ru
haicut.com
jetaqua.com
nipiel.com
oxfordxtg.net
oydahrenlitutskazata.ru
ozonatorz.com
pnpnews.net
profurnituree.com
rmacstolp.net
safe-browser.biz
safe-time.net
smartsecurityapp2013.com
televisionhunter.com
teszner.net
theislandremembered.com
trleaart.net
usforclosedhomes.net
winudpater.com
ww2.condalinneuwu5.ru
ww2.gnunirotniviepj.ru
zurcherarchitectz.com
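The recommended blocklists in this and the ADP post above are plain text mixing IPs and domains, with hosts like ww2.condalinneuwu5.ru sitting next to their parent. The script below is an added example (not from the original post) of turning such a list into something enforceable: it separates IPs from domains, drops names already covered by a parent, and emits a BIND response-policy-zone fragment plus an ipset batch. The input is a constructed subset of the lists above with a duplicate and a subdomain included to show the normalisation; the RPZ and ipset formats are one deployment choice among several.

```python
"""Normalise a mixed IP/domain blocklist and emit enforcement config.

Added example, not from the original post. BLOCKLIST_TEXT is a constructed
subset of the blocklists on this page; RPZ and ipset are assumed targets.
"""
import ipaddress
import re

# Hostname syntax check (letters, digits, hyphens; alphabetic TLD).
DOMAIN_RE = re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z]{2,}$")

# Constructed input: lines from the UPS/ADP blocklists plus a duplicate IP.
BLOCKLIST_TEXT = """\
Recommended blocklist:
186.215.126.52
190.93.23.10
193.254.231.51
202.147.169.211
190.93.23.10
condalinneuwu5.ru
ww2.condalinneuwu5.ru
gnunirotniviepj.ru
ww2.gnunirotniviepj.ru
rmacstolp.net
planete-meuble-pikin.com
www.condalinarad72234652.ru
"""


def parse_blocklist(text):
    """Return (sorted IP objects, sorted domain strings); headings and junk are skipped."""
    ips, domains = set(), set()
    for line in text.splitlines():
        token = line.strip().lower().rstrip(".")
        if not token or token.endswith(":"):
            continue
        try:
            ips.add(ipaddress.ip_address(token))
        except ValueError:
            if DOMAIN_RE.match(token):
                domains.add(token)
    return sorted(ips), sorted(domains)


def collapse_subdomains(domains):
    """Drop names already covered by a parent in the list (the wildcard record catches them)."""
    kept = []
    for name in sorted(domains, key=lambda d: d.count(".")):  # parents first
        if not any(name.endswith("." + parent) for parent in kept):
            kept.append(name)
    return sorted(kept)


def to_rpz(domains, ttl=3600):
    """BIND RPZ records: CNAME to '.' answers NXDOMAIN for the name and everything under it."""
    lines = []
    for name in domains:
        lines.append("%s\t%d\tIN\tCNAME\t." % (name, ttl))
        lines.append("*.%s\t%d\tIN\tCNAME\t." % (name, ttl))
    return lines


def to_ipset(ips, setname="spam-c2"):
    """`ipset restore` batch; pair it with an iptables rule using `-m set --match-set`."""
    lines = ["create %s hash:ip -exist" % setname]
    lines += ["add %s %s -exist" % (setname, ip) for ip in ips]
    return lines


if __name__ == "__main__":
    ips, domains = parse_blocklist(BLOCKLIST_TEXT)
    print("\n".join(to_rpz(collapse_subdomains(domains))))
    print("\n".join(to_ipset(ips)))
```

Two caveats before loading the output anywhere. Several of the IPs on these lists belong to compromised legitimate hosts (two universities in this case), so an IP block is collateral damage by design; give it an expiry and review it. And the domain list is a point-in-time snapshot of fast-changing infrastructure, so the RPZ zone needs the same discipline: date-stamp each entry and retire the ones that stop resolving.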