
Thursday, 30 May 2013

ADP spam / 4rentconnecticut.com and 174.140.171.233

These fake ADP spams lead to malware on 4rentconnecticut.com:

Date:      Thu, 30 May 2013 12:41:28 -0500 [13:41:28 EDT]
From:      "ADPClientServices@adp.com" [ADPClientServices@adp.com]
Subject:      ADP Funding Notification - Debit Draft

Your Transaction Report(s) have been uploaded to the web site:

https://www.flexdirect.adp.com/client/login.aspx

Please note that your bank account will be debited within one banking business day for the amount(s) shown on the report(s).

Please do not respond or reply to this automated e-mail. If you have any questions or comments, please Contact your ADP Benefits Specialist.

Thank You,

ADP Benefit Services

====================

Date:      Thu, 30 May 2013 08:45:16 -0800 [12:45:16 EDT]
From:      ADP Inc [ADP_FSA_Services@ADP.com]
Subject:      ADP Invoice Reminder

Your latest ADP Dealer Services Invoice is now available to view or pay online at ADP Online Invoice Management .

To protect the security of your data, you will need to enter your ID and password, then click on Access your Online Invoice Management account.

Total amount due by May 31, 2013

$26062.29

If you have already sent your payment please disregard this friendly reminder and Thank you for choosing ADP.

Questions about your bill?

Contact David Nieto by Secure Mail.

Note: This is an automated email. Please do not reply. 

The link in the email goes to a legitimate hacked site and then tries to load three different scripts, currently:

[donotclick]kalimat.egyta.com/swearer/titan.js
[donotclick]www.asitecsrl.com/servicemen/ethic.js
[donotclick]www.mbbd.it/dzerzhinsky/bewilders.js

From there the victim is directed to the main malware landing page at [donotclick]4rentconnecticut.com/news/cross_destroy-sets-separate.php on 174.140.171.233 (DirectSpace LLC, US). A look at URLquery shows many suspect URLs on this server and VirusTotal also reports several malicious URLs.

It appears that every single domain on this server has been compromised. Blocking the IP address is the easiest way to mitigate this problem, but the domains hosted there should all be assumed to be legitimate ones that have been hijacked:


Al Rowaad Advocates - scumbag, spammy lawyers

This scumbag law firm from the UAE advertises itself through spam.

From:     Professional Lawyers in the UAE [uaelawyers@gmx.com]
Reply-To:     uaelawyers@gmx.com
Date:     30 May 2013 18:52
Subject:     Al Rowaad Advocates - Monthly Newsletter - May 2013

Dear Sirs,

Please forgive our direct email which is intended to give a brief introduction to our law firm based in the United Arab Emirates.

Al Rowaad Advocates and Legal Consultancy is an astute, diverse firm of lawyers working for businesses and private clients, nationally and internationally. The firm is highly regarded, often recommended by other lawyers and is known for combining creative solutions with commercial pragmatism and a friendly, sensitive approach. The firm is also renowned for its integrity and experience in dealing with complex and varied legal issues. Al Rowaad has expertise in clinical negligence, corporate and commercial work, criminal litigation, dispute resolution, family law, employment, real estate and regulatory work.

Al Rowaad Advocates and Legal Consultancy is proud to introduce its monthly newsletter that will discuss topical issues in the legal profession. The newsletter will touch upon various areas of law in the UAE and analyse changes in complex legislative, governance and regulatory provisions.

If you wish to subscribe, please email us at uaelawyers@gmx.com.

Thank you,
Al Rowaad Advocates & Legal Consultancy
Tel.: +971 4 3254000
Fax: +971 4 358 9494

Integrity? Sending spam to an email address that you scraped off the web? I don't think so. The originating IP is 220.112.38.133 in China, presumably where they have outsourced their scummy marketing.

Amazon.com 55 inch TV spam / ozonatorz.com

This earlier spam run about various brands of 55 inch TVs from Amazon has been updated and is now directing victims to a malware landing page on the domain ozonatorz.com:

From: auto-confirm@emlreq.amazon.com [mailto:bald4@customercare.amazon.com]
Sent: 29 May 2013 17:06
To: [redacted]
Subject: Amazon.com order of Akai NPK55KR9070 55-Inch

Amazon.com

Order Confirmation

[redacted]

Thank you for shopping with us. Wed like to let you know that Amazon has received your order, and is preparing it for shipment. Your estimated delivery date is below. If you would like to view the status of your order or make any changes to it, please visit Your Orders on Amazon.com.


Your estimated delivery date is:
Thursday, May 30, 2013 -
Friday, May 31, 2013
Your shipping speed:
Next Day Air
Your Orders
Your order was sent to:
Benjamin Phillips
2724 3rdCotton Avenue
Cohoes, CA 62229-6646
United States


Order Details

Order #175-7801666-2934626
Placed on Wensday, May 29, 2013

Facebook
Twitter
Pinterest
$979.98

Item Subtotal:
$979.98
Shipping & Handling:
$0.00

Total Before Tax:
$979.98
Estimated Tax:
$0.00


Order Total:
$979.98


To learn more about ordering, go to Ordering from Amazon.com.
If you want more information or need more assistance, go to Help.
Thank you for shopping with us.
Amazon.com
DVD
Books
Unless otherwise noted, items are sold by Amazon.com LLC and taxed if shipped to Kansas, North Dakota, New York, Kentucky or Washington. If your order contains one or more items from an Amazon.com partner it may be subject to state and local sales tax, depending on the state to which the item is being shipped. Learn more about tax and seller information.
This email was sent from a notification-only address that cannot accept incoming email. Please do not reply to this message.


The malicious payload is on [donotclick]ozonatorz.com/news/basic_dream-goods.php (report here) hosted on:
41.89.6.179 (Kenya Education Network, Kenya)
141.28.126.201 (Hochschule Furtwangen, Germany)
177.5.244.236 (Brasil Telecom, Brazil)
208.68.36.11 (Digital Ocean, US)

These IPs form part of a much larger network of malicious sites listed here, but if we concentrate on these IPs only we get the following blocklist:

Wednesday, 29 May 2013

University of Illinois CS department compromised

There are a bunch of malware sites infesting University of Illinois CS department machines in the 128.174.240.0/24 range, mostly pointed out in this post. The compromised machines are tarrazu.cs.uiuc.edu, croft.cs.illinois.edu, tsvi-pc.cs.uiuc.edu, mirco.cs.uiuc.edu, ytu-laptop.cs.uiuc.edu and node3-3105.cs.uiuc.edu; they are on the following IPs, serving the following malicious domains (I would recommend blocking the whole /24):


Update: the University says that this was a single machine on the network which has now been cleaned up.

Malware sites to block 29/5/13

These domains and IP addresses are connected to this malware spam run and belong to a group I call the "Amerika" gang (because they tend to use fake US addresses for their WHOIS details but really seem to be Russian).

It's quite a long set of lists: first a list of malware domains, then a list of malicious IPs and their web hosts, followed by a plain recommended IP blocklist for copy-and-pasting, and finally a list of IPs that are advertised as nameservers within this group, for research purposes only.

You might notice something odd going on at the University of Illinois in the 128.174.240.0/24 range. Hmm..
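As an added example (not code from the original post), the following Python helper folds single hosts from the "IPs and hosts" list into the wider prefixes that the recommended blocklist uses in their place, and checks a candidate address against the merged result. The sample entries are copied from this post's own lists; the function names and the rest of the code are my own.

```python
# Added example (not code from the original post): merge single hosts into the
# wider ranges the post recommends blocking and check addresses against the
# result. The sample entries are taken from the post's lists; everything else
# is constructed for illustration.
import ipaddress
from typing import Iterable, List, Optional, Union

Net = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# A handful of entries from the post's "IPs and hosts" list, in the post's
# own "address (hoster, country)" format.
OBSERVED_HOSTS = [
    "62.109.30.168 (TheFirst-RU, Russia)",
    "128.174.240.37 (University of Illinois, US)",
    "128.174.240.52 (University of Illinois, US)",
    "128.174.240.74 (University of Illinois, US)",
    "128.174.240.153 (University of Illinois, US)",
    "128.174.240.213 (University of Illinois, US)",
    "159.253.18.253 (FastVPS, Russia)",
    "208.68.36.11 (Digital Ocean, US)",
]

# The wider prefixes the post's recommended blocklist uses instead of the
# single hosts sitting on those networks.
RECOMMENDED_RANGES = [
    "62.109.28.0/22",
    "128.174.240.0/24",
    "159.253.18.0/24",
]


def parse_entry(line: str) -> Net:
    """Parse '1.2.3.4', '1.2.3.0/24' or '1.2.3.4 (hoster, country)'.

    A bare address becomes a /32 network so that hosts and prefixes can be
    merged with the same tooling.
    """
    token = line.strip().split()[0]  # drop the '(hoster, country)' note
    return ipaddress.ip_network(token, strict=False)


def build_blocklist(hosts: Iterable[str], ranges: Iterable[str]) -> List[Net]:
    """Merge hosts and ranges: hosts already covered by a range are dropped
    and adjacent prefixes are joined, so the list has no redundant entries."""
    nets = [parse_entry(h) for h in hosts] + [parse_entry(r) for r in ranges]
    return list(ipaddress.collapse_addresses(nets))


def render_blocklist(blocklist: Iterable[Net]) -> List[str]:
    """Render single hosts without a /32 suffix, matching the post's style."""
    return [
        str(n.network_address) if n.prefixlen == n.max_prefixlen else str(n)
        for n in blocklist
    ]


def covering_entry(ip: str, blocklist: Iterable[Net]) -> Optional[str]:
    """Return the rendered blocklist entry that covers ip, or None."""
    addr = ipaddress.ip_address(ip)
    for net in blocklist:
        if addr in net:
            return render_blocklist([net])[0]
    return None


def is_blocked(ip: str, blocklist: Iterable[Net]) -> bool:
    return covering_entry(ip, blocklist) is not None


def default_blocklist() -> List[Net]:
    """The merged blocklist built from the sample entries above."""
    return build_blocklist(OBSERVED_HOSTS, RECOMMENDED_RANGES)


if __name__ == "__main__":
    merged = default_blocklist()
    for entry in render_blocklist(merged):
        print(entry)
    # Any address in the university /24 is caught, not only the listed hosts.
    print(covering_entry("128.174.240.99", merged))
```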

Domains:

IPs and hosts:

Recommended IP blocklist:

IPs advertising as nameservers (I'm pretty sure some of these are bogus, so use these for research purposes only):


55-Inch TV Amazon.com spam / federal-credit-union.com

This fake Amazon.com spam leads to malware on federal-credit-union.com:

From:     auto-confirm@email.amazon.net [loyolay3@emalsrv.amazonmail.com]
Reply-To:     "auto-confirm@email.amazon.net" [loyolay3@emalsrv.amazonmail.com]
Date:     29 May 2013 16:55
Subject:     Amazon.com order of Samsung UN554X6050 55-Inch

Amazon.com  |  Your Account  |  Amazon.com

Order Confirmation

Order #134-8080453-8538443

[redacted]

Thank you for shopping with us. We’d like to let you know that Amazon has received your order, and is preparing it for shipment. Your estimated delivery date is below. If you would like to view the status of your order or make any changes to it, please visit Your Orders on Amazon.com.
Your estimated delivery date is:
Thursday, May 30, 2013 -
Friday, May 31, 2013
Your shipping speed:
Next Day Air
Your Orders
Your order was sent to:
Tyler Scott
2516 Columbia Dr
Washington, WA 40830-9361
United States

Order Details

Order #134-8080453-8538443
Placed on Wensday, May 29, 2013
Samsung UN554X6050 55-Inch 1080p 120Hz LED 3D HDTV (Dark Grey)
Electronics
In Stock
Sold by World Wide Stereo, Inc.
$1,099.99
Item Subtotal: $1,099.99
Shipping & Handling: $0.00
Total Before Tax: $1,099.99
Estimated Tax: $0.00
Order Total: $1,099.99
To learn more about ordering, go to Ordering from Amazon.com.
If you want more information or need more assistance, go to Help.
Thank you for shopping with us.
Amazon.com
DVD
Books
Unless otherwise noted, items are sold by Amazon.com LLC and taxed if shipped to Kansas, North Dakota, New York, Kentucky or Washington. If your order contains one or more items from an Amazon.com partner it may be subject to state and local sales tax, depending on the state to which the item is being shipped. Learn more about tax and seller information.
This email was sent from a notification-only address that cannot accept incoming email. Please do not reply to this message.

I have also seen a similar spam with the subject "Amazon.com order of Sharp UN55EH5080 55-Inch" and I guess there are others. The spam goes through a legitimate hacked site and ends up on [donotclick]federal-credit-union.com/news/basic_dream-goods.php (report here). Luckily, right at the moment this domain is suspended and won't work. There is a very large number of connected domains, though, for which I am compiling a blocklist that I will post later.

Update: some other subjects include "Amazon.com order of Panasonic UN55EH6030 55-Inch" and "Amazon.com order of Akai NPK55KR9070 55-Inch".

Update 2: the malicious landing page has been replaced with one using the domain ozonatorz.com.

Tuesday, 28 May 2013

Something (a bit) evil on 158.255.212.96 and 158.255.212.97

The IPs 158.255.212.96 and 158.255.212.97 (EDIS GmbH, Austria) are hosting malware used in injection attacks (see this example for fussball-gsv.de). These two examples report a TDS URL pattern which is resistant to automated analysis. The domains appear to be part of a traffic exchanger system (never a good idea), but they have been used to distribute malware.

The following sites are hosted on those two IPs, with a note of what the Google Safebrowsing diagnostics report for each:
linkstoads.net [no malware reported]
node1.hostingstatics.org [malware reported]
node2.hostingstatics.org
nodeph.hostingstatics.org
numstatus.com [no malware reported]
systemnetworkscripts.org [no malware reported]
finger2.climaoluhip.org [malware reported]
connecthostad.net [malware reported]
netstoragehost.com [malware reported]
nethostingdb.com [no malware reported]

In the cases where no malware has been reported it may well be because Google hasn't visited the site. The domains all have anonymous WHOIS details and have been registered in the past year or so.

I can identify a couple more IPs in this cluster, and I would advise you to treat all the domains here as suspect and add them to your blocklist:

fab.com spam

[Via the WeAreSpammers blog]

I've never heard of fab.com before, but online comments are very negative. The originating IP is 65.39.215.63 (Sailthru / Peer 1, US), spamvertising mailer.eu.fab.com on 63.251.23.249 (Insight Express LLC, US), which in turn leads to the main site of fab.com on 184.73.196.153 (Amazon.com, US). Avoid.

From: Fab [info@eu.fab.com]
To: donotemail@wearespammers.com
Date: 27 May 2013 17:26
Subject: Invite from jenotsxx@gmail.com to Fab
Mailing list: tm.3775.3198a5cdc7466d097e36916b482cde87.sailthru.com
Signed by: eu.fab.com


If you are unable to see this message, click here to view. To ensure delivery to your inbox, please add info@eu.fab.com to your address book.

Smile,

Great News! donotemail@wearespammers.com
Here's your exclusive invite from jenotsxx@gmail.com to join Fab. Fab provides daily design inspirations and sales from the world's leading designers at prices up to 70% off retail.

About Help Contact Us Return Policy Shipping Terms Privacy tw fb

Monday, 27 May 2013

Citibank spam / Statement 57-27-05-2013.zip

This fake Citibank email has a malicious attachment:

Date:      Mon, 27 May 2013 23:25:06 +0530 [13:55:06 EDT]
From:      Millard Hinton [leftoverss75@gmail.com]
Subject:      Merchant Statement

Enclosed (xlsx|Exel file|document|file) is your Citibank Paymentech electronic Merchant Billing Statement.
If you need assistance, please (contact|message|call) your Account Executive or call Merchant Services at the telephone number listed on your statement.
PLEASE DO NOT RESPOND BY USING REPLY. This (email|mail) is sent from an unmonitored email address, and your response will not be received by Citibank Paymentech.
Citibank Paymentech will not be responsible for any liabilities that may result from or relate to any failure or delay caused by Citibank Paymentech's or the Merchant's email service or otherwise. Citibank Paymentech recommends that Merchants continue to monitor their statement information regularly.
----------
Learn more about Citibank Paymentech Solutions, LLC payment processing services at Citibank.
----------
THIS MESSAGE IS CONFIDENTIAL. This e-mail message and any attachments are proprietary and confidential information intended only for the use of the recipient(s) named above. If you are not the intended recipient, you may not print, distribute, or copy this message or any attachments. If you have received this communication in error, please notify the sender by return e-mail and delete this message and any attachments from your computer. 

The attachment Statement 57-27-05-2013.zip contains a malicious executable Statement 57-27-05-2013.exe with a VirusTotal detection rate of 12/46. The Comodo CAMAS report and Anubis report are pretty inconclusive. The ThreatTrack report [pdf] is more comprehensive, showing some peer-to-peer traffic and access to the WAB (Windows Address Book). Simseer's prognosis is that this is a Zbot variant.

For the record, these are the checksums involved:
MD5: 0bbf809dc46ed5d6c9f1774b13521e72
SHA1: 9a50fa08e71711d26d86f34d8179f87757a88fa8
SHA256: 00b832b5128a7caffe8bd4a854b1e112d488acb37f3a787245d077ae0d106400