
Tuesday 9 July 2013

Xerox WorkCentre (or is it HP Digital Device?) spam / SCAN_129_07082013_18911.zip

This fake printer spam has a malicious attachment:

Date:      Mon, 8 Jul 2013 12:20:24 -0500 [07/08/13 13:20:24 EDT]
From:      HP Digital Device [HP.Digital8@victimdomain]
Subject:      Scanned Image from a Xerox WorkCentre

Please open the attached document. It was scanned and sent to you using a Xerox WorkCentre Pro.

Sent by: [victimdomain]
Number of Images: 8
Attachment File Type: ZIP [PDF]

WorkCentre Pro Location: Machine location not set
Device Name: OM7IEQ4M22

Attached file is scanned image in PDF format.
Adobe(R)Reader(R) can be downloaded from the following URL: http://www.adobe.com/
In this case there is an attachment SCAN_129_07082013_18911.zip containing an executable file SCAN_129_07082013_18911.exe (note that the date is encoded into the file name). VirusTotal detections are 26/47 and identify it as a generic downloader; Comodo CAMAS reports that it is a Pony downloader that attempts to contact 2ndtimearoundweddingphotography.com, which appears to be a hijacked GoDaddy domain.

As is common at the moment, there are a bunch of related hacked GoDaddy domains on a random (non-GoDaddy) server, in this case 64.94.100.116 (the somewhat notorious Nuclear Fallout Enterprises). All these domains should be treated as malicious according to reports from URLquery and VirusTotal.

gfpmenusonline.com
gfponlineordering.com
solarrec-auction.com
chapter2weddings.com
pecoprocurement.com
2brothersdelimenu.com
2ndtimearoundweddingphotography.com

The ThreatTrack report reveals more details [pdf] including the subsequent download locations as does the ThreatExpert report.

[donotclick]lacasadelmovilusado.com/bts1.exe
[donotclick]common.karsak.com.tr/FzPfH6.exe
[donotclick]ftp.vickibettger.com/oEoASW64.exe
[donotclick]qualitydoorblog.com/qbSTq.exe

This second file has a much lower detection rate at VirusTotal of just 3/47 (and they are all generic at that). The ThreatExpert report [pdf] gives more details of the malware plus some connection attempts, and Anubis reports something similar. They all appear to be dynamic ADSL addresses and probably not worth trying to block.


Recommended blocklist:

Monday 8 July 2013

sendgrid.me / amazonaws.com spam

This spam is unusual in that it comes through an apparently genuine commercial email provider (sendgrid.me) and leads to malware hosted on Amazon's cloud service, amazonaws.com. There is no body text in the spam, just an image designed to look like a downloadable document.

from:     [victim] via sendgrid.me
date:     8 July 2013 19:08
subject:     Urgent 6:08 PM 244999
Signed by:     sendgrid.me

The email appears to originate from 138.91.78.32, which is a Microsoft IP, so that part of the mail header might be faked. It certainly comes through 208.117.55.132 (o1.f.az.sendgrid.net).

The text at the bottom says "Please find attached the document." but actually leads to a malicious executable at [donotclick]s3.amazonaws.com/ft556/Document_948357853____.exe [https] (VirusTotal report) which then downloads a further executable from [donotclick]s3.amazonaws.com/mik49/ss32.exe [http] (VirusTotal report) which installs itself into C:\Documents and Settings\Administrator\Application Data\ss32.exe.

ThreatExpert reports that the downloader (the first executable) is hardened against VM-based analysis:
Is protected with Themida in order to prevent the sample from being reverse-engineered. Themida protection can potentially be used by a threat to complicate the manual threat analysis (e.g. the sample would not run under the Virtual Machine).
Anubis, Comodo CAMAS, Malwr and ThreatTrack give various clues as to what the downloader is doing.

The second part (ss32.exe) attempts to look up a server called mssql.maurosouza9899.kinghost.net on 177.185.196.130 (IPV6 Internet Ltda, Brazil) according to CAMAS, and Anubis identifies an attempted connection to bit.ly/15aDtjB, which in turn attempts to connect to an unregistered domain, www.mdaijdasid.com (report here). Malwr gives some further information on system changes, as does ThreatTrack. ThreatExpert reports seeing Themida again.

Quite what the second part of the malware does is unclear, and it may simply be that mdaijdasid.com hasn't been registered quite yet but will be later. VirusTotal does report some other badness on 177.185.196.130, so this is probably worth blocking.

Recommended blocklist:
177.185.196.130
mssql.maurosouza9899.kinghost.net
mdaijdasid.com
s3.amazonaws.com/mik49/
s3.amazonaws.com/ft556/
bit.ly/15aDtjB

Amex spam / americanexpress.com.krasalco.com

This fake Amex spam leads to malware on americanexpress.com.krasalco.com:

From: American Express [mailto:AmericanExpress@emalsrv.aexpmail.org]
Sent: 08 July 2013 15:00
Subject: Account Alert: A Payment Was Received

Check your account balance online at any time

Hello, [redacted]

View Account | Make a Payment | Manage Alerts Preferences

Payment Received

Check Balance

We received a payment for your Card account.

Date Received: Mon, Jul 08, 2013
Payment Amount: $2,511.92

Payments received after 8PM MST may not be credited until the next day. Please allow 24-48 hours for your payment to appear online.

Thank you for your Cardmembership.

American Express Customer Care

Was this e-mail helpful? Please click here to give us your feedback.

If you'd like to stop receiving this alert, simply click here.

Like Us on Facebook | Follow Us on Twitter | Subscribe to our channel | Share with Foursquare friends

Contact Us | Privacy Statement | Add us to your address book

Your Cardmember information is included in the upper-right corner to help you recognize this as a customer service e-mail from American Express. To learn more about e-mail security or report a suspicious e-mail, please visit us at americanexpress.com/phishing. We kindly ask you not to reply to this e-mail but instead contact us via customer service.

© 2013 American Express. All rights reserved.

AU0S0RF76947278


The link in the email goes through a legitimate hacked site to end up on a malicious landing page at [donotclick]americanexpress.com.krasalco.com/news/slightly_some_movie.php (report here) hosted on the following IPs:

77.240.118.69 (Acens Technologies, Spain)
103.9.23.34 (TPL Trakker Ltd, Pakistan)
151.155.25.111 (Novell Inc, US)
202.28.69.195 (Uninet, Thailand)

Blocklist:

Friday 5 July 2013

EBC "Password Reset Confirmation" spam / paynotice07.net

This fake password reset spam leads to malware on paynotice07.net:

From: EBC_EBC1961Registration@ebank6.secureaps.com
Sent: 05 July 2013 12:27
Subject: Password Reset Confirmation


Your Online Bankking password was successfully changed on 07/05/2013. If you did not make this change, or if you have any questions, please contact EBC Technical Support using this link.

Support is available Monday - Friday, 8 AM to 8 PM CST.

This is an automated message, please do not reply. Your message will not be received.
************************************************************
This communication, including attachments, is for the exclusive use of addressee and may contain proprietary, confidential and/or privileged information. If you are not the intended recipient, any use, copying, disclosure, dissemination or distribution is strictly prohibited. If you are not the intended recipient, please notify the sender immediately by return e-mail, delete this communication and destroy all copies.
************************************************************ 
The link goes through a legitimate hacked site and ends up on a payload at [donotclick]paynotice07.net/news/must-producing.php (report here) hosted on the following IPs:

189.84.25.188 (DataCorpore Serviços e Representações, Brazil)
202.28.69.195 (Walailuk University, Thailand)

Blocklist:

Thursday 4 July 2013

Mystery spam leads to Emailmovers Ltd (emailmovers.com / emvrs.co)

Some time ago I received a spam sent to a scraped email address promoting email marketing services (i.e. spam) which features fake contact details and a carefully anonymised web site at prospectdirect.org that shielded the identity of the spammers.

So who was behind this spam? Well, the easiest way to find out was to pretend to be interested. I filled in the contact form on the site and eventually got a reply from an outfit called Email Movers Ltd. Now, let's be clear - I don't know 100% that Email Movers were responsible for sending the original spam, but somehow my "lead" ended up with this UK-based marketing company.

The enquiry I made was about PPI leads, the mainstay of many sleazy marketing outfits.  The response I got was as follows:

From:     Jonathan Coleman [jonathan.coleman@emailmovers.com]
Date:     23 May 2013 11:06
Subject:     RE - PPI Leads

Hi [redacted],

Thank you for your enquiry. We have excellent PPI data consisting of over 1 million contacts.

The database consists of UK consumers who have taken out a loan within the last 6 years with a payment protection policy attached to the loan. We have called each consumer from a 300 seat call centre in order to verify these details. The flat file we used in order to contact these consumers was originally one of the country’s largest loan packagers completion files.


Available:
Data Name
Home address
Postcode
Landline telephone number
Mobile telephone number

Selections:
Available 300+ selections available via our syndicated multiple overlay platform.
Example selections include:
Credit rating
Credit history
Credit ac
-----------------------------------------------------------------

The data doesn't get released, we will conduct the email broadcast for you. Min order value applies, no less than 50 000 records and it is £1650. Other volumes are priced as following:

50,000 at £1650 + VAT
100,000 at £1990 + VAT
250,000 at £2700 + VAT
500,000 at £4300 + VAT
1 Million at £8000 + VAT

What do you think?

Jonathan Coleman

Senior Account Manager

D: +44 (0)1723 800022
T: +44 (0)845 226 7181
   

Trusted email validation Try Email Inspector  |   Targeted Marketing at a click Try Countrunner

Emailmovers Ltd, Pindar House, Thornburgh Road, Scarborough, North Yorkshire, YO11 3UY UK

Registered in England No. 5046417. Registered office: Medina House, No 2 Station Avenue, Bridlington, YO16 4LZ. United Kingdom.
View email disclaimer

This email comes from an emailmovers.com address with a link to a website emvrs.co. The email originates from a Google IP, so no real clue as to its origin.

Emailmovers have been around for quite a while, but they had attracted quite a lot of adverse comments for spam [1] [2] [3] [4] [5] [6] [7] [8] [9]. They have quite a lot of websites too, in addition to emailmovers.com and emvrs.co, but one in particular caught my eye.. the domain emailinspector.co.uk which is an "email validation" service. Check out the last paragraph in particular:
Email databases decay at an alarming rate. It is imperative to keep your data as accurate and as clean as possible to maintain a good sender reputation and improve the deliverability of your email list.

Email Inspector is a revolutionary new way of updating and cleansing your email addresses without risking blacklisting your IP. This online service allows you to upload bulk lists of email addresses to check for bounces, wrong addresses and duplicates and leaves you with a clean and up-to-date list that is ready for use.

We can also take your database in-house for further analysis to strip out known complainers and run it against our master spam trap file in our full bureau service.


There's another word for this process.. ListWashing. Legitimate mailing lists should never contain spamtrap data, this is only of use if dealing with scraped or malware-harvested email addresses. Exactly what sort of customers is Emailmovers after with a service like this?

The company QuotesPlease Ltd appears to be largely the same operation, with the same personnel and at the same address.

They own several other domains, at least one of which (email-databases.com) has been hacked (see report); bizibuy.com has also been compromised and defaced, and theemailexpert.com has been defaced recently. I don't know whether those servers contained any personally identifiable data or not.

Perhaps Emailmovers contracted out the lead generation to another party and buy those leads in good faith. I'm sure you can make up your own mind as to how likely that is.

These following domains all appear to belong to Emailmovers Ltd or QuotesPlease Ltd, do with them what you want:

Added: the following domains are also in use for the initial spam, and there are more details in the comments section:
parkconnect.net
simplequotes.net

Added (II):  some more domains these spammers use can be found here.

Tuesday 2 July 2013

Babylon and the 3954 Trojans, or the Whore of Babylon.com

"Babylon and the 3954 Trojans" sounds like a swords and sandals epic, but unfortunately it's just another example of crapware gone wild. Perhaps "The Whore of Babylon.com" is more apt though.

At the heart of Babylon.com's business is a marginally useful "free" translation application plus some paid add-ons. You know, the sort of thing that Google Translate does, except that the Babylon.com whores itself out and installs a load of crapware onto your computer when it does so.

According to Google's Safe Browsing Diagnostics, the site somehow squeezes nearly 4000 trojans (viruses) into the site. No, we don't know how that is possible, but this is what Google says:

Safe Browsing

Diagnostic page for babylon.com

What is the current listing status for babylon.com?
This site is not currently listed as suspicious.
What happened when Google visited this site?
Of the 1546 pages we tested on the site over the past 90 days, 0 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2013-07-02, and the last time suspicious content was found on this site was on 2013-07-02. Malicious software includes 3954 trojan(s).
This site was hosted on 13 network(s) including AS32475 (SINGLEHOP), AS2914 (NTT), AS28666 (HOSTLOCATION).
Has this site acted as an intermediary resulting in further distribution of malware?
Over the past 90 days, babylon.com did not appear to function as an intermediary for the infection of any sites.
Has this site hosted malware?
Yes, this site has hosted malicious software over the past 90 days. It infected 0 domain(s), including .

Quite why Google hasn't blacklisted it is a mystery. VirusTotal's prognosis is pretty horrible, with malware detected by most products.. but the way the checksums keep changing does make it look like Babylon.com keep changing the binaries, perhaps to avoid detection. The latest version of the software has a much lower detection rate.

To be fair, Babylon do mention in their terms of use that they will fill your computer with crap and pass your data on to others.

Babylon does not give, sell, rent, share, or trade any identifiable personal information regarding our Users to any third party, with the exception of third-party contractors and service providers who work with Babylon to provide the Service and who are strictly prohibited from later use of the information to which they may have access. Babylon may share non-personal aggregate or summary information regarding its Users with partners or other third parties. We can - and you authorize us to - disclose personal information to local, state, or federal law enforcement officials when required to do so by public authorities or when we believe in good faith that the law requires such disclosure. Please read Babylon's Privacy Policy, available here, for a detailed description of Babylon's privacy policy.

You acknowledge and agree that Babylon may process information gathered from different Users visiting the Website or using or downloading material from the Service for the purpose of building a profile of User interests and activities. Based on this profile, Babylon may send you advertisements, offers and content, and provide you with the full benefits of the Service. Additionally, you further acknowledge and agree that Babylon, through its affiliated third party's component named Wizebar (the name of such component may change from time to time) embodied within Babylon Toolbar (the "Component"), may trace, process and trade workstation's visiting websites data with its affiliated third party contractors and/or service providers, which may, following the receipt of such workstation's visiting websites data, store such information in their data base; and thereafter send each workstation relevant advertisements and/or offers from third parties; all according to each workstation's visiting websites data profile. During the downloading process of the Component, which is bundled within the Babylon Toolbar, User shall be notified that following the downloading of the Babylon Toolbar, his/her workstation may receive relevant advertisements and offers of services in accordance with his/her workstation's visiting websites date profile. User is free, at all times, to opt-out from his/her workstation receiving such advertisements and offers of services by taking the following alternative steps:

1. Uncheck the box of receipt of such advertisements and offers; or
2. Remove the Babylon toolbar from the Add/remove dialog on the operating system; or
3. Disable receipt of such services by following the "Disable Page" on the Babylon toolbar.  
Did you read all of that? No, and probably nobody else does either. Which explains why system administrators keep finding the damned product installed on their machines, adware and all. This piece of software even has its own Wikipedia entry covering malware issues. Do you really want your users to go anywhere near this site?

As far as I can tell, at the moment the Babylon software is downloaded from the following IPs which you may want to block (all operated by Singlehop):

The following domains are also related to Babylon and its associated adware, again you may want to block these:

There's nothing wrong with companies wanting to make some money out of products that are useful to people. That's the way commerce works. But filling your customers' PCs full of crap is not the way to do it..

Adware sites to block 2/7/13

Never trust an ad network that uses anonymous WHOIS details. These are hosted on 108.161.189.161 (NetDNA, US) and all hide their details. Those marked in yellow are flagged by Google for distributing some malware, the links go to the Google Safebrowsing diagnostic page. Given the amount of adware on this server, I would recommend blocking it.


Monday 1 July 2013

Pinterest spam / pinterest.com.reports0701.net

This fake Pinterest spam leads to malware on pinterest.com.reports0701.net:

Date:      Mon, 1 Jul 2013 21:04:36 +0530
From:      "Pinterest" [naughtinessw5@newsletters.pinterest.net]
To:      [redacted]
Subject:      Your password on Pinterest Successfully changed!

[redacted]

Yor password was reset. Request New Password.

See Password

Pinterest is a tool for collecting and organizing things you love.

This email was sent to [redacted].

Don't want activity notifications? Change your email preferences.

©2013 Pinterest, Inc. | All Rights Reserved

Privacy Policy | Terms and Conditions

The link goes through a legitimate hacked site to end up on a malicious payload at [donotclick]pinterest.com.reports0701.net/news/pay-notices.php (report here and here) which contains an exploit kit. The malware is hosted on a subdomain of a main domain with fake WHOIS details (it belongs to the Amerika gang) which is a slightly new technique:

   June Parker parker@mail.com
   740-456-7887 fax: 740-456-7844
   4427 Irving Road
   New Boston OH 45663
   us

The following IPs are in use:
77.240.118.69 (Acens Technologies, Spain)
89.248.161.148 (Ecatel, Netherlands)
208.81.165.252 (Gamewave Hongkong Holdings, US)
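The brand-as-subdomain trick used here by pinterest.com.reports0701.net, and by americanexpress.com.krasalco.com in the Amex post above, is easy to flag at a mail gateway: the impersonated brand's full domain name appears as the leading labels of a host whose registrable domain belongs to someone else. The following Python is an added example, not code from this blog; the brand watch-list and the tiny stand-in for the Public Suffix List are assumptions, and the sample message body is constructed.

```python
import re
from urllib.parse import urlsplit

# Brands impersonated by the spam runs on this page (an assumed watch-list;
# extend it with the brands your users actually receive mail from).
BRAND_DOMAINS = {"pinterest.com", "americanexpress.com", "southwest.com"}

# Tiny stand-in for the Public Suffix List, an assumption for this example;
# a real deployment should use the full list (e.g. the publicsuffix2 package).
MULTI_LABEL_SUFFIXES = {"co.uk", "com.tr", "org.uk", "com.au", "com.br"}

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def registered_domain(host: str) -> str:
    """Return the registrable domain, e.g. 'reports0701.net' for
    'pinterest.com.reports0701.net' and 'karsak.com.tr' for 'common.karsak.com.tr'."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def impersonated_brand(host: str):
    """Return the brand whose full domain name forms the leading labels of
    'host' while the registrable domain belongs to someone else, else None."""
    host = host.lower().rstrip(".")
    if registered_domain(host) in BRAND_DOMAINS:
        return None  # newsletters.pinterest.com and friends are genuine
    for brand in sorted(BRAND_DOMAINS):
        if host.startswith(brand + "."):
            return brand
    return None


def suspicious_links(text: str):
    """Scan message text and return (url, brand) for every link whose host
    impersonates a watched brand."""
    hits = []
    for url in URL_RE.findall(text):
        host = urlsplit(url).hostname or ""
        brand = impersonated_brand(host)
        if brand:
            hits.append((url, brand))
    return hits


# Constructed sample body echoing the Pinterest and Amex lures on this page.
SAMPLE_BODY = """Yor password was reset. Request New Password:
http://pinterest.com.reports0701.net/news/pay-notices.php
Check your balance: http://americanexpress.com.krasalco.com/news/slightly_some_movie.php
Genuine link for comparison: https://www.pinterest.com/"""

if __name__ == "__main__":
    for url, brand in suspicious_links(SAMPLE_BODY):
        print(f"{url} impersonates {brand}")
```

A plain look-alike registrable domain such as pinterest.net is a different trick and is deliberately not caught here; that needs a separate edit-distance or keyword check.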

Recommended blocklist:


Adware sites to block 1/7/13

Never trust any sort of ad network that uses anonymous domains and hides all other identifying data. These seem to be doing the rounds at the moment, and some of them may be involved in injection attacks or adware installs. If you have any experience of these domains turning up unexpectedly on your site then please leave a comment.. thanks!

cdnsrv.com
tracksrv.com
cdnloader.com
secure-content-delivery.com
mydatasrv.com


Domains all seem to be on parking IPs or Amazon AWS, so difficult to block by IP address.

Friday 28 June 2013

jConnect spam / FAX_281_3927981981_283.zip

This fake fax spam is meant to contain malware, but in this particular case is being sent out with a corrupt attachment:

Date:      Fri, 28 Jun 2013 09:41:52 -0500 [10:41:52 EDT]
From:      jConnect [message@inbound.j2.com]
Subject:      jConnect fax from "697-377-6967" - 28 page(s), Caller-ID: 697-377-6967

Fax Message[Caller-ID: 697-377-6967] You have received a 28 page(s) fax at 2012-12-17
02:13:41 EST.* The reference number for this fax is
lax3_did10-1019412300-0003832668-11.This message can be opened using your PDF reader. If
you have not already installed j2 Messenger, download it for
free:http://www.j2.com/downloadsPlease visit http://www.j2.com/help if you have any
questions regarding this message or your j2 service.Thank you for using jConnect!Home    
Contact     Login2011 j2 Global Communications, Inc. All rights reserved.jConnect is a
registered trademark of j2 Global Communications, Inc.This account is subject to the
terms listed in thejConnect Customer Agreement.

Both the email and the attachment are horribly mangled, and in this case don't contain their malicious payload (as with this spam run). But be careful if receiving an email of this type as the next time the spammers try it, it may well be more dangerous.

Thursday 27 June 2013

OfficeWorld.com spam / sartorilaw.net

This fake OfficeWorld spam leads to malware on sartorilaw.net:

Date:      Thu, 27 Jun 2013 12:39:36 -0430 [13:09:36 EDT]
From:      customerservice@emalsrv.officeworldmail.net
Subject:      Confirmation notification for order 1265953

Thank you for choosing OfficeWorld.com - the world's biggest selection of business products!

Please review your order details below. If you have any questions, please Contact Us


Helpful Tips:
--------------------------------------------------------------------
- Please SAVE or PRINT this confirmation for your records.
- ORDER STATUS is available online! Login and click "My Orders" to obtain UPS tracking information, etc.
- If you skipped registration, or forgot your password, simply enter your Login ID (normally your full e-mail address) and click [ forgot password ] to access your account.
--------------------------------------------------------------------

Order:  1265953
Date:           6/27/2013
Ship To:        My Default

Credit Card:    MasterCard


Product Qty     Price   Unit    Extended
--------------------------------------------------------------------
HEWCC392A    1       $9703.09  EA      $15.15         
AVE5366 1       $27.49  BX      $27.49         
SAF3081 2       $56.29  EA      $112.58        


Product Total:     $9855.22
--------------------------------------------------------------------
Total:          $9855.22

OfficeWorld.com values your business!
The link in the email goes through a legitimate hacked site and then on to [donotclick]sartorilaw.net/news/source_fishs.php (report here) hosted on the following IPs:
77.240.118.69 (Acens Technologies, Spain)
78.108.86.169 (Majordomo LLC, Russia)
89.248.161.148 (Ecatel, Netherlands)
108.177.140.2 (Nobis Technology Group, US)

Recommended blocklist:



Tuesday 25 June 2013

ADP spam / spanishafair.com

This fake ADP spam leads to malware on spanishafair.com:

Date:      Tue, 25 Jun 2013 14:38:05 +0000 [10:38:05 EDT]
From:      Run Do Not Reply [RunDoNotReply@ipn.adp.net]
Subject:      Your Biweekly payroll is  accepted

Yoyr payroll for check date 06/25/2013 is approved. Your payroll would be done at least 3 days before to your check date to ensure timely tax deposits and payroll delivery. If you offer direct deposit to your employees, this will also support pay down their money by the due date.

Client ID: [redacted]

View Details: Review

Important: Please be advised that calls to and from your payroll service team may be monitored or recorded.

Please do not reply to this message. auto informer system not configured to accept incoming messages.

The malicious payload is at [donotclick]spanishafair.com/news/possibility-redundant.php hosted on:
119.147.137.31 (China Telecom, China)
210.42.103.141 (Wuhan Urban Construction Institute, China)
203.80.17.155 (MYREN Cloud Infrastructrure, Malaysia)

Related evil domains and IP addresses to block can be found here and here.

"Southwest Airlines Confirmation: KQR101" spam / meynerlandislaw.net

This fake Southwest Airlines spam leads to malware on meynerlandislaw.net:

from:     Southwest Airlines [information@luv.southwest.com]
reply-to:     Southwest Airlines [no-reply@emalsrv.southwestmail.com]
date:     25 June 2013 17:09
subject:     Southwest Airlines Confirmation: KQR101

[redacted] 2013-06-25 JACEE3 INITIAL SLC WN PHX0.00T/TFF 0.00 END AY2.50$SLC1.50 1583018870396 2013-12-22 1394 2013-06-26 Depart SALT LAKE CITY IL (SLC) at 10:14 PM on Southwest Airlines Arrive in PAOLO ALTO MI (PHX) at 1:30 PM

You're all set for your travel!

Southwest Airlines

My Account | Review My Itinerary Online

Check In Online | Check Flight Status | Change Flight | Special Offers | Hotel Deals | Car Deals

Ready for lift-off!

Thank You Southwest for your travel! You'll find everything you need about your reservation below. Happy voyage!
Upcoming Journey: 06/26/13 - SLC - Phx Knight

The link goes through a legitimate hacked site and ends up on a malicious payload at [donotclick]meynerlandislaw.net/news/possibility-redundant.php (report here) hosted on the following IPs:

119.147.137.31 (China Telecom, China)
203.80.17.155 (MYREN, Malaysia)

Recommended blocklist:


Monday 24 June 2013

Something evil on 173.246.104.154

173.246.104.154 (Gandi, US) is hosting hacked GoDaddy domains serving a variety of malware [1] [2]. At the moment the following domains appear to be hosted on that server:

These domains were recently hosted on that server but now appear to be back with GoDaddy and are probably fixed:

"Fiserv Secure Email Notification - TBTATU41DMJDT5B" spam / SecureMessage_TBTATU41DMJDT5B.zip

This fake FISERV email has a malicious attachment SecureMessage_TBTATU41DMJDT5B.zip containing a trojan named SecureMessage.exe:

Date:      Mon, 24 Jun 2013 07:27:59 -0600 [09:27:59 EDT]
From:      Fiserv Secure Notification [secure.notification@fiserv.com]
Subject:      Fiserv Secure Email Notification - TBTATU41DMJDT5B
Part(s):     
      2      SecureMessage_TBTATU41DMJDT5B.zip      [application/zip]      104 KB

You have received a secure message

Read your secure message by opening the attachment, SecureMessage_TBTATU41DMJDT5B.zip.

The attached file contains the encrypted message that you have received.

To decrypt the message use the following password -  SUgDu07dn

To read the encrypted message, complete the following steps:

 -  Double-click the encrypted message file attachment to download the file to your computer.
 -  Select whether to open the file or save it to your hard drive. Opening the file displays the attachment in a new browser window.
 -  The message is password-protected, enter your password to open it.

To access from a mobile device, forward this message to mobile@res.fiserv.com to receive a mobile login URL.

If you have concerns about the validity of this message, please contact the sender directly. For questions about secure e-mail encryption service, please contact technical support at 888.710.6198.

2000-2013 Fiserv Secure Systems, Inc. All rights reserved. 
Ask yourself this question: why would you encrypt a message and then put the password in the email? Simple.. to get past virus scanners, of course! The VirusTotal detection for this malware is just 8/46.

Other analysis is pending; the malware has the following checksums:
Size: 117248
MD5: fdd154360854e2d9fee47a557b296519
SHA1: d3de7f5514944807eadb641353ac9380f0c64607
SHA256: 1ef3302196f5c4cd9bf97c719e934d612a244a17a20f5a742c15d8203d477f59
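
The "encrypted attachment, password in the same email" trick is easy to catch at the mail gateway precisely because the lure has to hand over the password. The following is an added example, not code from the original post: it parses a message, looks for a password being given out in the body, lists the members of any zip attachment (member names are readable even when the entries are encrypted) and compares the attachment's digests against the checksums listed above. The `triage`, `find_password` and `build_message` names are my own, and the sample messages are constructed here; the zip holds a harmless MZ-prefixed stub rather than the real SecureMessage.exe, so its hashes will not match.

```python
import email
import hashlib
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage

# Checksums of SecureMessage.exe as listed in the post (MD5, SHA-1, SHA-256).
KNOWN_BAD = {
    "fdd154360854e2d9fee47a557b296519",
    "d3de7f5514944807eadb641353ac9380f0c64607",
    "1ef3302196f5c4cd9bf97c719e934d612a244a17a20f5a742c15d8203d477f59",
}
EXEC_EXT = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs")
# "password - X", "password is X", "password: X". The \s+ in the first pattern
# keeps "password-protected" from being mistaken for a password.
PASSWORD_PATTERNS = [
    re.compile(r"password\s+(?:is\s+|[-:]\s*)(\S+)", re.IGNORECASE),
    re.compile(r"password:\s*(\S+)", re.IGNORECASE),
]


def find_password(text):
    """First password-looking token handed out in the body, or None."""
    for pattern in PASSWORD_PATTERNS:
        m = pattern.search(text)
        if m:
            return m.group(1).rstrip(".,;")
    return None


def known_bad_match(data):
    """True if the MD5, SHA-1 or SHA-256 of the attachment bytes is in KNOWN_BAD."""
    digests = {h(data).hexdigest() for h in (hashlib.md5, hashlib.sha1, hashlib.sha256)}
    return bool(digests & KNOWN_BAD)


def triage(raw):
    """Parse one raw message and score the 'encrypted zip, password in body' lure."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain", "html"))
    password = find_password(body.get_content() if body is not None else "")
    attachments = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        is_zip = name.lower().endswith(".zip") or part.get_content_type() == "application/zip"
        members = []
        if is_zip:
            try:
                with zipfile.ZipFile(io.BytesIO(data)) as zf:
                    members = zf.namelist()  # names are readable even for encrypted entries
            except zipfile.BadZipFile:
                pass
        attachments.append({
            "name": name, "is_zip": is_zip, "members": members,
            "executable_inside": any(m.lower().endswith(EXEC_EXT) for m in members),
            "known_bad": known_bad_match(data),
        })
    if any(a["known_bad"] for a in attachments) or (
            password and any(a["executable_inside"] for a in attachments)):
        verdict = "block"
    elif password and any(a["is_zip"] for a in attachments):
        verdict = "review"
    else:
        verdict = "pass"
    return {"password": password, "attachments": attachments, "verdict": verdict}


def build_message(body, zip_name, members):
    """Constructed test message: a plain-text body plus an in-memory zip attachment."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    msg = EmailMessage()
    msg["From"] = "sender@example.com"  # placeholder sender, not a real address
    msg["Subject"] = "Constructed sample"
    msg.set_content(body)
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename=zip_name)
    return msg.as_bytes()


# Body lines taken from the lure quoted above; the "executable" is a harmless stub.
LURE = build_message(
    "Read your secure message by opening the attachment, SecureMessage_TBTATU41DMJDT5B.zip.\n"
    "To decrypt the message use the following password -  SUgDu07dn\n"
    " -  The message is password-protected, enter your password to open it.\n",
    "SecureMessage_TBTATU41DMJDT5B.zip", {"SecureMessage.exe": b"MZ" + b"\0" * 62})
# Ordinary mail that mentions a password without handing one out.
BENIGN = build_message("Minutes attached. Your password was reset separately.\n",
                       "minutes.zip", {"minutes.txt": b"agenda"})

if __name__ == "__main__":
    for raw in (LURE, BENIGN):
        print(triage(raw))
```

The verdict logic is deliberately two-tiered: a password in the body plus an executable inside the zip is enough to block on its own, while a password plus a zip whose members cannot be listed is only flagged for review, so a genuinely encrypted document exchange is not dropped silently.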

UPDATE: the Malwr sandbox has an analysis here. URLs involved in downloading components are:
[donotclick]governodiantarcticland.org/ponyb/gate.php
[donotclick]maxprotection.de/N4k.exe
[donotclick]francescobotti-fashion.com/27ZDM9p.exe
[donotclick]liltommy.com/ep9C.exe
[donotclick]keep-smile.net/t4T.exe

Facebook spam / chinadollars.net

This fake Facebook spam leads to malware on chinadollars.net:


Date:      Mon, 24 Jun 2013 09:18:12 -0500
From:      Facebook [notification+SCCRJ42M8P@facebookmail.com]
Subject:      You have 1 friend request

facebook
   
You have new notifications.
A lot has happened on Facebook since you last logged in. Here are some notifications you've missed from your friends.
    1 friend request
View Notifications
       
Go to Facebook
This message was sent to [redacted]. If you don't want to receive these emails from Facebook in the future, please unsubscribe.

Facebook, Inc., Attention: Department 415, PO Box 10005, Palo Alto, CA 94303

The link in the email goes through a legitimate but hacked site and then leads to a malware landing page at [donotclick]chinadollars.net/news/inputted-ties.php (report here) hosted on:
119.147.137.31 (China Telecom, China)
202.147.169.211 (LINKdotNET, Pakistan)
203.80.17.155 (MYREN Cloud Infrastructure, Malaysia)
210.42.103.141 (Wuhan Urban Construction Institute, China)

Recommended blocklist:
119.147.137.31
202.147.169.211
203.80.17.155
210.42.103.141
abacs.pl
addressadatal.net
afabind.com
anygus.com
appasnappingf.com
avastsurveyor.com
cardpalooza.su
chinadollars.net
condalnuas34637.ru
condalnuashyochetto.ru
doggedlegitim.net
dollsinterfer.net
dulethcentury.net
ehnihjrkenpj.ru
ejoingrespubldpl.ru
enway.pl
estimateddeta.com
genown.ru
greli.net
gstoryofmygame.ru
gurieojgndieoj.ru
headbuttingfo.net
historuronded.com
huang.pl
ingrestrained.com
inutesnetworks.su
invisibilitym.net
jetaqua.com
joinproportio.com
libulionstreet.su
lmbcakes.com
ludena.ru
mantrapura.net
meticulousmus.net
multipliedfor.com
nipiel.com
oydahrenlitutskazata.ru
pc-liquidations.net
photosuitechos.su
planete-meuble-pikin.com
pleak.pl
profurnituree.com
relectsdispla.net
reportingglan.com
reveck.com
rmacstolp.net
rustin.pl
sendkick.com
shopkeepersne.net
sludgekeychai.net
smartsecurityapp2013.com
stilos.pl
streetgreenlj.com
theislandremembered.com
twintrade.net
unabox.pl
voippromotion.su
winne2000.net
zoneagainstre.com



DanielMcClintic@hotmail.com fake job offer

Another staggeringly crude money mule recruitment spam, like this one. Unless you like prison food I would advise you to leave this fake offer alone.

Date:      Mon, 24 Jun 2013 22:56:39 +0900 [09:56:39 EDT]
From:      Delmar Roark
Subject:      Work in the finance department

We invite you to work in the home assistant offer.

This job takes 2-3 hours a week and requires absolutely no investment.
The essence of this work for incoming client requests in your city.
The starting income is about ~2000 Euro per month + bonuses.

You get paid your money every 2 weeks and your bonuses after finish each task!

We promis work for every person. But we accept applications this week only!
Therefore, you should send email a request right now.
And you will start earning money, starting from next week.

Please write in the request:
Your name:
Your Contact number:
Your email address:
City of residence:

Please send the request to my email DanielMcClintic@hotmail.com, and
I will contact you personally as quickly as possible.

Sincerely,
Delmar Roark 
Originating IP is 211.226.147.218 in Korea.

www.public-trust.com false positive at Phishtank

public-trust.com houses Certificate Revocation Lists (CRLs) and is controlled by Verizon. It probably houses other certificate infrastructure too, but at the moment several web filtering systems are detecting it as a phishing site due to a false positive at Phishtank.

Some example URLs (which are perfectly safe) include:
http://www.public-trust.com/cgi-bin/CRL/2018/cdp.crl
http://cdp1.public-trust.com/CRL/Omniroot2025.crl

The problem with the website at www.public-trust.com is that it forwards to www.verizonenterprise.com (a perfectly legitimate Verizon site), but this does make it look a bit like a phishing site. This is the false positive at Phishtank.

At least one person seems to have spotted that it wasn't a phish, but it's quite an easy mistake to make because the screenshot of a Verizon site combined with the very non-obvious domain name makes it look extremely phishy.

For the record, these are the WHOIS registrant details:

Verizon Business Global LLC
Verizon Business Global LLC
One Verizon Way
Basking Ridge NJ 07920
US
domainlegalcontact@verizon.com +1.7033513164 Fax: +1.7033513669

The domain was created in 2002 (most phishing sites don't even last a few weeks) and is hosted on 64.18.30.10 (Verizon Business Global, LLC). At the moment the false positive is in Phishtank, AVGThreatLabs, SURBL and MyWOT blacklists plus anything downstream that uses that data.

Saturday 22 June 2013

julia.sailor@hotmail.com fake job offer

These guys aren't really trying. The email address is julia.sailor@hotmail.com but the email is signed Claudine Nash and appears to be "from" brooksd@kormanlederer.com, originating from an IP address in Brazil. The so-called "job" is going to be money laundering or some such; avoid.

Date:      Sat, 22 Jun 2013 20:47:56 -0300 [19:47:56 EDT]
From:      Claudine Nash [brooksd@kormanlederer.com]
Subject:      Regional administrotor

We offer you to work in the remote assistant offer.

This job takes 2-3 hours during the week and requires absolutely no investment.
The essence of this work for entering client requests in your city.
The starting wages is about ~2000 Euro per month + bonuses.

You get paid your money every 2 weeks and your bonuses after fulfilling each task!

We guarantee work for every man. But we accept applications this week only!
Accordingly, you should send email a request right now.
And you will start earning money, starting from next week.

Please write in the request:
Your name:
Your Contact number:
Your email address:
City of residence:

Please send the registration form to my email julia.sailor@hotmail.com, and
I will response you individually at an early date.

Sincerely,
Claudine Nash 

Friday 21 June 2013

LexisNexis spam FAIL

This fake LexisNexis spam is meant to have a malicious attachment, but something has gone wrong. Nonetheless, the next time the spammers try it they will probably get it right.. so beware of any emails similar to this one that have an attachment larger than a couple of hundred bytes.

Date:      Fri, 21 Jun 2013 10:48:12 -0700 [13:48:12 EDT]
From:      LexisNexis [einvoice.notification@lexisnexis.com]Book
Subject:      Invoice Notification for June 2013   

There was an invoice issued to your company: [redacted]

Please double click the PDF attachment to open or print your invoice. To view full invoice details or for any Online Account Management options, download PDF attachment.

    Account Number     455SAZ    
    Invoice Number     904510653899    
    Invoice Date     June 21, 2013    
    Invoice Amount     $3.508.00    
    Account Balance     $0.00    

You can PAY YOUR BALANCE through the PowerInvoice please print the attached invoice and mail to the address indicated on the invoice statement. If you do not have Adobe Acrobat, please find a link to a free downloadable file at the end of this e-mail.

You can also print this e-mail and send your payment to:
    LexisNexis    
    PO BOX 7247-7090    
    Philadelphia, PA 19170-7090    

If you have questions about your invoice, please contact LexisNexis at 1-800-262-2391, option 3.

If you would like to contact your Account Manager, please contact LexisNexis at 1-800-262-2391, option 2.

Please add this domain @email.lexisnexismail.com to your safe senders list.

Adobe Acrobat free downloadable file available at :
http://www.adobe.com/products/acrobat/readstep2.html

In this case the attachment is just 8 bytes and is harmless. Next time, it probably won't be..

Of note, the only link in the email goes to [donotclick]https://server.nepplelaw.com/owa/redir.aspx?C=430ed6e3b59a4a69b2d5653797c3e3d6&URL=http%3a%2f%2fwww.adobe.com%2fproducts%2facrobat%2freadstep2.html which is the sort of thing that happens to a URL when it goes through Outlook Web Access. In this case it would be on the server server.nepplelaw.com; I have no explanation as to why it is there, but it is harmless.
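
Links rewritten by a redirector like this one are a recurring headache when triaging mail: the visible host is a third party, and the real destination is percent-encoded inside the query string. As an added example (not code from the original post), the function below unwraps OWA `redir.aspx` links, follows them if one wrapper is nested inside another, and reports the wrapper host alongside the final target so the two can be judged separately. The `unwrap_owa_redirect`, `inspect_link` and `wrap_in_owa` names are my own; the only real URL used is the one quoted above, and the nested case is constructed with a placeholder host.

```python
from urllib.parse import parse_qs, quote, urlsplit

# The link from the LexisNexis message above, wrapped by an Outlook Web Access redirector.
OWA_LINK = ("https://server.nepplelaw.com/owa/redir.aspx?C=430ed6e3b59a4a69b2d5653797c3e3d6"
            "&URL=http%3a%2f%2fwww.adobe.com%2fproducts%2facrobat%2freadstep2.html")


def unwrap_owa_redirect(url):
    """Return the URL= target of an OWA redir.aspx link, or None if it is not one."""
    parts = urlsplit(url)
    if not parts.path.lower().endswith("/owa/redir.aspx"):
        return None
    # parse_qs percent-decodes the value, so %3a%2f%2f comes back as ://
    for key, values in parse_qs(parts.query).items():
        if key.lower() == "url" and values:
            return values[0]
    return None


def inspect_link(url, max_hops=5):
    """Peel nested redirect wrappers and report where the link really goes."""
    hops = [url]
    while len(hops) <= max_hops:
        inner = unwrap_owa_redirect(hops[-1])
        if inner is None:
            break
        hops.append(inner)
    final = urlsplit(hops[-1])
    return {
        "wrapper_host": urlsplit(url).hostname if len(hops) > 1 else None,
        "hops": len(hops) - 1,
        "target": hops[-1],
        "target_host": (final.hostname or "").lower(),
        # A redirector whose final target is not http(s) deserves a look on its own.
        "odd_scheme": final.scheme.lower() not in ("http", "https"),
    }


def wrap_in_owa(host, target):
    """Constructed helper: build a redir.aspx link around `target` (placeholder host)."""
    return f"https://{host}/owa/redir.aspx?C=placeholder&URL={quote(target, safe='')}"


if __name__ == "__main__":
    print(inspect_link(OWA_LINK))
    # Constructed nested case: one OWA wrapper inside another.
    print(inspect_link(wrap_in_owa("mail.example.net", OWA_LINK)))
```

The useful output is the pair (`wrapper_host`, `target_host`): here the wrapper is server.nepplelaw.com and the target is www.adobe.com, which is exactly the situation the post describes, a harmless destination behind an unfamiliar host. Blocklist or reputation lookups should be run against both names, not just the one that happens to be visible.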