Tuesday 8 October 2013
Fake Wells Fargo spam comes with a malicious attachment / lasub-hasta.com
This fake Wells Fargo spam is a retread of this one, but comes with a slightly different attachment:
Date: Mon, 7 Oct 2013 19:56:29 +0100 [10/07/13 14:56:29 EDT]
From: "Harry_Buck@wellsfargo.com" [Harry_Buck@wellsfargo.com]
Subject: Documents - WellsFargo
Please review attached files.
Harry_Buck
Wells Fargo Advisors
817-487-2882 office
817-683-6287 cell Harry_Buck@wellsfargo.com
Investments in securities and insurance products are:
NOT FDIC-INSURED/NO BANK-GUARANTEES/MAY LOSE VALUE
Wells Fargo Advisors, LLC is a nonbank affiliate of Wells Fargo & Company, Member
FINRA/SIPC. 1 North Jefferson, St. Louis, MO 63103
CONFIDENTIAL NOTICE: The contents of this message, including any attachments, are
confidential and are intended solely for the use of the person or entity to whom the
message was addressed. If you are not the intended recipient of this message, please be
advised that any dissemination, distribution, or use of the contents of this message is
strictly prohibited. If you received this message in error, please notify the sender.
Please also permanently delete all copies of the original message and any attached
documentation. Thank you.
Attached is a ZIP file containing a malicious EXE file. The VirusTotal detection rate is a fairly healthy 27/48. Automated analysis [1] [2] [3] shows that the malware tries to phone home to lasub-hasta.com on 205.251.152.178 (Global Net Access, US). A quick look at that server shows that it has several hundred sites on it, most of which are probably legitimate, but there is a great deal of suspect activity on this server which you might want to take into account if you are thinking of blocking this IP.
Labels:
EXE-in-ZIP,
Malware,
Spam,
Viruses
Friday 4 October 2013
Fake Dropbox spam leads to malware on adelect.com
This fake Dropbox spam leads to malware:
Date: Fri, 4 Oct 2013 16:24:30 +0330 [08:54:30 EDT]
From: Dropbox [no-reply@dropboxmail.com]
Subject: Please update your Expired Dropbox Password
Hi [redacted].
We noticed that you recently tried to login in to Dropbox with a password that you haven't changed more than 90 days. Your old password has expired and you'll need to create a new one to log in.
Please visit the page to update your password
Reset Password
Thanks!
- The Dropbox Team
The link in the email goes through a legitimate hacked site and then on to a set of three scripts:
[donotclick]12.158.190.75/molls/smudgier.js
[donotclick]freetraffic2yourweb.com/palermo/uneconomic.js
[donotclick]www.bathroomchoice.com/huntsmen/bestsellers.js
From there the victim is delivered to a malware landing page at [donotclick]adelect.com/topic/latest-blog-news.php which follows the now predictable pattern of being a hijacked GoDaddy domain hosted on 66.150.155.210 (Nuclear Fallout Enterprises, US). The other hijacked domains on this same server are included in the blocklist below.
Recommended blocklist:
66.150.155.210
wrightleasing.com
renewalbyandersendayton.com
adelect.com
12.158.190.75
freetraffic2yourweb.com
www.bathroomchoice.com
Labels:
GoDaddy,
Malware,
Nuclear Fallout Enterprises,
Spam,
Viruses
Thursday 3 October 2013
Fake Amazon spam uses email address harvested from Comparethemarket.com
This fake Amazon spam was sent to an email address only used for the UK price comparison site Comparethemarket.com.
From: Amazon.com [ship-confirm@amazon.com]
Reply-To: "Amazon.com" [ship-confirm@amazon.com]
Date: 3 October 2013 15:43
Subject: Your Amazon.com order of "Canon EOS 60D DSLR..." has shipped!
Amazon.com
Kindle Store
| Your Account | Amazon.com
Order Confirmation
Order #159-2060285-0376154
[redacted]
Thank you for shopping with us. We’d like to let you know that Amazon has received your order, and is preparing it for shipment. Your estimated delivery date is below. If you would like to view the status of your order or make any changes to it, please visit Your Orders on Amazon.com.
Your estimated delivery date is:
Thursday, Oct 3, 2013 -
Friday, Oct 4, 2013
Your shipping speed:
Next Day Air
Your Orders
Your order was sent to:
Evan Young
1235 Sunset Dr
San Paolo, NE 69700-0290
United States
Order Details
Order #159-2060285-0376154
Placed on Wensday, May 29, 2013
Canon EOS 60D DSLR 22.3 MP Full Frame CMOS with 1080p Full-HD Video Mode Digital SLR Camera (Body)
Electronics
In Stock
Sold by Electronic Express, Inc.
Facebook Twitter Pinterest
$1,397.99
Item Subtotal: $1,397.99
Shipping & Handling: $0.00
Total Before Tax: $1,397.99
Estimated Tax: $0.00
Order Total: $1,397.99
To learn more about ordering, go to Ordering from Amazon.com.
If you want more information or need more assistance, go to Help.
Thank you for shopping with us.
Amazon.com
DVD
Books
Unless otherwise noted, items are sold by Amazon.com LLC and taxed if shipped to Kansas, North Dakota, New York, Kentucky or Washington. If your order contains one or more items from an Amazon.com partner it may be subject to state and local sales tax, depending on the state to which the item is being shipped. Learn more about tax and seller information.
This email was sent from a notification-only address that cannot accept incoming email. Please do not reply to this message.
How the email address was extracted from Comparethemarket.com is not known.
The link in the email goes through a legitimate hacked site and then runs one of the following three scripts:
[donotclick]berkahabadi.de/unclear/unsettle.js
[donotclick]sigmarho.zxq.net/ragas/sextant.js
[donotclick]wni9e7311.homepage.t-online.de/creel/eccentrically.js
This redirects the victim to a malware page at [donotclick]globalrealty-nyc.info/topic/latest-blog-news.php which is a hijacked GoDaddy domain hosted on 96.126.103.252 (Linode, US). This is currently the only domain that I can detect on that server, but the usual pattern is that there will be several others, so blocking the IP address would be prudent.
Recommended blocklist:
96.126.103.252
globalrealty-nyc.info
berkahabadi.de
sigmarho.zxq.net
wni9e7311.homepage.t-online.de
Wednesday 2 October 2013
Fake Staples spam leads to malware on tootle.us
This fake Staples spam leads to malware on a site called tootle.us:
Date: Wed, 2 Oct 2013 08:40:11 -0500 [09:40:11 EDT]
From: support@orders.staples.com
Subject: Staples order #: 1353083565
Thank you for shopping Staples.
Here's what happens next:
Order No.: 1353083565
Customer No.: 1278823232 Method of Payment: Credit or Debit Card
Track order: Track your order
Delivery Address:
Caleb Lewis
41 COMMERCE ST
GREENFIELD WA 092980135
Item1 Qty. Subtotal
DELL 1320 BLACK TONER
Item No.: 744319 Price: $60.38/each
Expected delivery: 10/4/2013 by UPS 2 $125.26
Item2 Qty. Subtotal
DELL RY854 CYAN TONER
Item No.: 717860 Price: $61.87/each
Expected delivery: 10/4/2013 by UPS 2 $124.03
Subtotal: $243.59
Delivery: FREE
Tax: $17.66
Total: $250.35
Your order is subject to review and the expected delivery date(s) noted above are pending credit or check approval.
Won't be there to sign for your order from 9 am to 5 pm, Monday - Friday. Print our Driver Release. Some residential orders may be delivered by UPS as late as 7 pm.
Questions about your order? Call us at 1-800-3STAPLE (1-800-378-2753) or email us at support@orders.staples.com. You can also fax us at 1-800-333-3199.
See our return policy.
Our prices vary from store prices. Not responsible for typographical errors. Not all items are available. We reserve the right to limit quantities, including the right to prohibit sales to resellers.
Thanks for shopping Staples.
[snip]
The link in the email goes to a legitimate (but hacked) site and then attempts to load one of the following three scripts:
[donotclick]algmediation.org/inventory/symphony.js
[donotclick]apptechgroups.net/katharine/bluejacket.js
[donotclick]ctwebdesignshop.com/marquetry/bucket.js
From there the victim is redirected to a malware landing page at [donotclick]tootle.us/topic/latest-blog-news.php, hosted on 23.92.22.75 (Linode, US), which is yet another hijacked GoDaddy domain (there are some more on this server, included in the blocklist below).
Recommended blocklist:
23.92.22.75
tootle.us
tungstenrents.com
tweetbyte.com
algmediation.org
apptechgroups.net
ctwebdesignshop.com
Tuesday 1 October 2013
Fake NACHA spam leads to malware on thewalletslip.com
This fake NACHA spam leads to malware on thewalletslip.com:
Date: Tue, 1 Oct 2013 15:05:56 +0330 [07:35:56 EDT]
From: ACH Network [markdownfyye396@nacha.org]
Subject: Your ACH transfer
The ACH processing (ID: 428858072307), recently was made from your bank account (by you or any other person), was rejected by the other financial institution.
Aborted transfer
ACH transfer ID: 428858072307
Reason of Cancellation Notice information in the report below
Transaction Report View Report 428858072307
About NACHA
Established in 1974, NACHA - The Electronic Payments Association was formed by the California ACH Association, the Georgia Association, the New England ACH Association, and the Upper Midwest ACH Association, to establish uniform operating rules for the exchange of Automated Clearing House (ACH) payments among ACH associations.
To help guide advocacy and related communication activities, NACHA established a Communications and Marketing Advisory Group (CMAG) in early 2010. CMAG brings together practitioners representing ACH Network participants to engage in work efforts to benefit the Network and those who utilize it.
NACHA and its member Regional Payments Associations help industry professionals expand their payments knowledge to further their professional development and benefit their employers. Offerings include in-person, desk-top, and distance learning courses, publications, and the Accredited ACH Professional (AAP) Program. Payments education offered by NACHA at the national level augments the rich offering of educational programs provided by the Regional Payments Associations throughout the country.
18580 Seaside Vale Drive, Suite 235
Herndon, VA 20171
© 2013 NACHA - The Electronic Payments Association
The link in the email goes through a legitimate hacked site and then runs one of three scripts:
[donotclick]theodoxos.gr/hairstyles/defiling.js
[donotclick]web29.webbox11.server-home.org/volleyballs/cloture.js
[donotclick]www.knopflos-combo.de/subdued/opposition.js
Then the victim is directed to a malware landing page at [donotclick]thewalletslip.com/topic/latest-blog-news.php and if you follow this blog regularly you will not be at all surprised to find that it is a domain hijacked from GoDaddy (the others on the same server are included in the blocklist below). It is hosted on 75.98.172.238 (A2 Hosting, US), which is the same server spotted yesterday.
Recommended blocklist:
75.98.172.238
herbrim.com
illusioninfusion.com
inspireddesignsbykathy.com
joojle.org
meettherims.com
noonle.org
oooole.org
poople.us
printslip.com
sellmention.com
smartstartfinancial.com
thewalletslip.com
tootle.us
theodoxos.gr
web29.webbox11.server-home.org
www.knopflos-combo.de
Monday 30 September 2013
Wells Fargo "Important Documents" spam with a malicious ZIP file
This fake Wells Fargo spam comes with a malicious attachment:
Date: Mon, 30 Sep 2013 11:54:15 -0600 [13:54:15 EDT]
From: Bryon Faulkner [Bryon.Faulkner@wellsfargo.com]
Subject: Important Documents
Please review attached documents.
Bryon Faulkner
Wells Fargo Advisors
817-527-6769 office
817-380-3921 cell Bryon.Faulkner@wellsfargo.com
Investments in securities and insurance products are:
NOT FDIC-INSURED/NO BANK-GUARANTEES/MAY LOSE VALUE
Wells Fargo Advisors, LLC is a nonbank affiliate of Wells Fargo & Company, Member
FINRA/SIPC. 1 North Jefferson, St. Louis, MO 63103
CONFIDENTIAL NOTICE: The contents of this message, including any attachments, are
confidential and are intended solely for the use of the person or entity to whom the
message was addressed. If you are not the intended recipient of this message, please be
advised that any dissemination, distribution, or use of the contents of this message is
strictly prohibited. If you received this message in error, please notify the sender.
Please also permanently delete all copies of the original message and any attached
documentation. Thank you.
The name of the attached ZIP file starts with "Documents_" followed by the first part of the recipient's email address. Or at least that is the way it is meant to work; in practice it will probably carry the name of a different recipient in the same domain. Inside is an executable file with the date encoded in the filename (in this case Documents_09302013.exe).
The executable file is (obviously) malware, and has a VirusTotal detection rate of just 3/48. Automated analysis [1] [2] [3] shows an attempted connection to the site demandtosupply.com on 84.22.177.37 (ioMart, UK), a server spotted in a similar attack a few weeks ago.
Unfortunately, where more than one domain on a server has been compromised it is likely that the bad guys have control of the whole server and can do what they like with it. There are a number of legitimate sites (including one IT security company) on this box (listed below), so exercise caution if deciding to block the IP address.
Recommended blocklist:
84.22.177.37
demandtosupply.com
ce-cloud.com
Sites hosted on 84.22.177.37, for information only:
agoraclinic.co.uk
agoraclinic.com
agorafertility.co.uk
agorafertility.com
assetprotector.co.uk
avicamhomes.co.uk
avicamhomes.com
axiom-ltd.com
batchy.net
bebesta.com
bebesta.org
brighton-cloud.com
cavdb.co.uk
cav-it.com
ce-cloud.com
chriscatering.co.uk
computer-eyez.co.uk
computereyez.com
computer-eyez.com
crewcutdiamond.co.uk
demandtosupply.com
eurovehiclecontracts.co.uk
eyezhosting.net
eyezonline.net
gatwicksaab.co.uk
guardyourmail.co.uk
guardyourmail.com
guidetoveganliving.org.uk
hmbookkeeping.co.uk
i-filter.co.uk
igloosecurity.com
infacom.co.uk
is-it-ok.co.uk
is-it-ok.com
lanoguard.co.uk
mwfencing.co.uk
newhavenplumbingservices.co.uk
oddsquad.co.uk
pentruder.co.uk
planetdiamonduk.com
plugtugs.co.uk
plug-tugs.co.uk
plugtugs.com
plug-tugs.com
prestige-products.co.uk
producepackdeliver.com
questsolutions.co.uk
renewtech.co.uk
rippletech.co.uk
rockeyracing.com
rye4ukbreaks.co.uk
saab-city.co.uk
saab-kent.co.uk
saab-london.co.uk
saab-surrey.co.uk
shorelineaccountants.co.uk
smickersgang.com
southerntesting.co.uk
stconsult.co.uk
stepaheadnlp.co.uk
stepaheadnlp.com
stlc.co.uk
sussexcloud.com
sussex-cloud.com
taskercatchpole.com
thevintagehaven.co.uk
turnershillgarage.com
turnershillsaab.com
uk3.eyezonline.net
worldveganday.com
worldveganmonth.net
young-lee.co.uk
Labels:
EXE-in-ZIP,
Malware,
Spam,
Viruses
IRS "Invalid File Email Reminder" spam / oooole.org
This fake IRS spam leads to malware on oooole.org:
Date: Mon, 30 Sep 2013 03:44:12 -0800 [07:44:12 EDT]
From: "Fire@irs.gov" [burbleoe9@irs.org]
Subject: Invalid File Email Reminder
9/30/2013
Valued Transmitter,
We few weeks ago received your electronic file(s) of information returns; but, the file(s) contained errors. As of the date of this email, we have not received a good replacement file. If we do not receive the replacement file within the allowed time from your transmission, late filing payoff may be applied. For further clarification on sending a timely filed replacement, please see Publication 1220, Part B, Section 7.03. The following is a list of your incorrect file(s) that need to be replaced:
Filename # of Times
Email Has
Been Sent Tax
Year
ORIG.62U55.2845 2 2012
If you did not know your file contained invalid data, the results are posted on the FIRE (Filing Information Returns Electronically) System within two business days of your transmission. It is your onus to check your filing results. To view your file results open the page: Check File Status.
If you have sent an acceptable file that you think replaces the above file(s) or if you are uncertain how to resolve the errors in your file(s), please contact the IRS/Information Returns Branch: Please fill in the contact form;
The link in the email goes through a legitimate hacked site and then redirects through one of the following three scripts:
[donotclick]savingourdogs.com/boneheads/meditatively.js
[donotclick]solaropti.manclinux3.ukdns.biz/resonators/sunbonnet.js
[donotclick]polamedia.se/augusts/fraudulence.js
The next step is a malware landing page on a hijacked GoDaddy domain at [donotclick]oooole.org/topic/latest-blog-news.php hosted on 75.98.172.238 (A2 Hosting, US), along with several other hijacked domains that are included in the blocklist below.
Recommended blocklist:
75.98.172.238
herbrim.com
illusioninfusion.com
inspireddesignsbykathy.com
joojle.org
meettherims.com
noonle.org
oooole.org
savingourdogs.com
solaropti.manclinux3.ukdns.biz
polamedia.se
Labels:
GoDaddy,
IRS,
Malware,
Spam,
ThreeScripts
Friday 27 September 2013
Facebook "You have new notifications" spam / directgrid.org
This fake Facebook spam leads to malware on directgrid.org:
Date: Fri, 27 Sep 2013 16:22:58 +0300 [09:22:58 EDT]
From: Facebook [notification+W85BNFWX@facebookmail.com]
Subject: You have 21 friend suggestions, 11 friend requests and 14 photo tags
You have new notifications.
A lot has happened on Facebook since you last logged in. Here are some notifications
you've missed from your friends.
3 messages
11 friend requests
21 friend suggestions
14 photo tags
View Notifications
Go to Facebook
This message was sent to [redacted]. If you don't want to receive these emails
from Facebook in the future, please unsubscribe.Facebook, Inc., Attention: Department
415, PO Box 10005, Palo Alto, CA 94303
The link in the email goes through a legitimate (but hacked) site and then loads one of the following three scripts:
[donotclick]3dbrandscapes.com/starker/manipulator.js
[donotclick]dtwassociates.com/marry/sullies.js
[donotclick]repairtouch.co.za/lollypops/aquariuses.js
This leads to a malware landing page on a hijacked GoDaddy domain at [donotclick]directgrid.org/topic/lairtg-nilles-slliks.php hosted on 50.116.10.71 (Linode, US), where there are a number of other hijacked domains (included in the blocklist below).
Recommended blocklist:
50.116.10.71
directgrid.biz
directgrid.com
directgrid.info
directgrid.net
directgrid.org
directgrid.us
gilkjones.com
integra-inspection.ca
taxipunjab.com
taxisamritsar.com
watttrack.com
3dbrandscapes.com
dtwassociates.com
repairtouch.co.za
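The posts above all describe the same two-stage chain: a link on a hacked site loads a script at /word/word.js, which sends the browser to a landing page at /topic/something.php on a hijacked GoDaddy domain. The following is an added example (not code from this blog) that applies that pattern to proxy logs. The log format and the log lines are constructed for the example; only the hostnames, IPs and paths come from the blocklists on this page. A path that merely looks like stage 1 or stage 2 is only flagged for review, because plenty of legitimate sites serve /static/app.js; a blocklisted host, or one client fetching both stages in sequence, is the strong signal.

```python
"""Flag proxy-log requests matching the script -> landing-page chain (added example)."""
import re
from collections import defaultdict
from urllib.parse import urlparse

# Indicators copied from the "Recommended blocklist" sections of the posts above.
BLOCKLIST_HOSTS = {
    "12.158.190.75", "freetraffic2yourweb.com", "www.bathroomchoice.com",
    "adelect.com", "66.150.155.210",
    "3dbrandscapes.com", "dtwassociates.com", "repairtouch.co.za",
    "directgrid.org", "50.116.10.71",
}

# Stage 1: a script at /<word>/<word>.js on a hacked site.
REDIRECT_SCRIPT_RE = re.compile(r"^/[a-z]+/[a-z]+\.js$")
# Stage 2: the landing page at /topic/<something>.php on a hijacked domain.
LANDING_PAGE_RE = re.compile(r"^/topic/[a-z-]+\.php$")


def classify_url(url):
    """Return (verdict, stage) for one URL.

    verdict: "block" if the host is blocklisted, "review" if only the path
    shape matches, None otherwise.  stage: "script", "landing" or None.
    Path shape alone is weak evidence, so a path-only hit is never more
    than "review".
    """
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    stage = None
    if REDIRECT_SCRIPT_RE.match(parsed.path):
        stage = "script"
    elif LANDING_PAGE_RE.match(parsed.path):
        stage = "landing"
    if host in BLOCKLIST_HOSTS:
        return "block", stage
    if stage is not None:
        return "review", stage
    return None, None


def scan_proxy_log(lines):
    """Parse constructed '<epoch> <client> <method> <url>' lines; return hits."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4:
            continue  # malformed line: skip rather than abort the scan
        _ts, client, _method, url = parts[:4]
        verdict, stage = classify_url(url)
        if verdict:
            hits.append({"client": client, "url": url,
                         "verdict": verdict, "stage": stage})
    return hits


def chain_victims(hits):
    """Clients that fetched a stage-1 script and a stage-2 landing page.

    Seeing both stages from one client is the strongest signal: the landing
    page is only reached via the redirect script.
    """
    stages = defaultdict(set)
    for hit in hits:
        if hit["stage"]:
            stages[hit["client"]].add(hit["stage"])
    return sorted(c for c, s in stages.items() if {"script", "landing"} <= s)


# Constructed sample log; only the hostnames and paths come from the posts.
SAMPLE_LOG = [
    "1380292978 10.1.2.3 GET http://dtwassociates.com/marry/sullies.js",
    "1380292979 10.1.2.3 GET http://directgrid.org/topic/lairtg-nilles-slliks.php",
    "1380292980 10.1.2.9 GET http://cdn.example.net/static/app.js",
    "1380292981 10.1.2.9 GET http://www.example.net/about.html",
    "garbage line",
]

if __name__ == "__main__":
    found = scan_proxy_log(SAMPLE_LOG)
    for hit in found:
        print(hit)
    print("chain victims:", chain_victims(found))
```

Run against the sample, the two requests from 10.1.2.3 are blocked and that client is reported as a chain victim, while 10.1.2.9's /static/app.js is only queued for review.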
Thursday 26 September 2013
Something evil on 91.231.98.149 and boats.net
This injection attack [urlquery] on boats.net caught my attention: a nasty bit of injected code pointing to a (now suspended) domain called gamelikeboards.biz hosted on 91.231.98.149 (Neohost.net, Ukraine). The victim website has had code injected into it pointing to [donotclick]gamelikeboards.biz/_cp/crone/ which cannot be anything good.
What do we know about gamelikeboards.biz? As luck would have it, the domain was suspended by the registrar, who also removed the Privacy Protection giving the following WHOIS details:
Registrant ID: DI_29743100
Registrant Name: Deni Kember
Registrant Organization: N/A
Registrant Address1: 350 W 42nd St #37D
Registrant City: New York
Registrant State/Province: NY
Registrant Postal Code: 10036
Registrant Country: United States
Registrant Country Code: US
Registrant Phone Number: +1.6337362122
Registrant Email: deni_kember658@ghanamail.com
I suspect that these details are fake. The address given is this rather nice $2.1 million apartment in New York, which I suspect has been chosen at random.
I can identify some other (almost definitely malicious) domains that are either on the same server or have been there recently:
eschewsramping.biz
gamelikeboards.biz
sixteenups.biz
sorelyzipmagics.biz
technicaltutoring.biz
zarazagorakakaxx1.org
zarazagorakakaxx2.com
The IP address is allocated as follows:
inetnum: 91.231.98.0 - 91.231.98.255
netname: NEOHOST
descr: FOP ILIUSHENKO VOLODYMYR OLEXANDROVUCH
descr: Neohost.net
country: UA
org: ORG-FIVO1-RIPE
admin-c: IV1015-RIPE
tech-c: IV1015-RIPE
status: ASSIGNED PI
mnt-by: RIPE-NCC-END-MNT
mnt-lower: RIPE-NCC-END-MNT
mnt-by: NEOHOST-MNT
mnt-routes: NEOHOST-MNT
mnt-domains: NEOHOST-MNT
source: RIPE # Filtered
organisation: ORG-FIVO1-RIPE
org-name: Neohost.net
org-type: other
address: Ukraine, Kyiv, 03039, Nauki
admin-c: IV1015-RIPE
mnt-ref: NEOHOST-MNT
mnt-by: NEOHOST-MNT
source: RIPE # Filtered
person: ILIUSHENKO VOLODYMYR
address: Ukraine, Kyiv, 03039
phone: +38 (044) 599-79-85
nic-hdl: IV1015-RIPE
mnt-by: NEOHOST-MNT
source: RIPE # Filtered
route: 91.231.98.0/24
descr: Neohost.net
origin: AS57311
mnt-by: NEOHOST-MNT
source: RIPE # Filtered
The name "ILIUSHENKO VOLODYMYR OLEXANDROVUCH" is an unusual transliteration of a name we would more commonly write as Vladimir Iliushenko, who is the administrator of Neohost. A look at 91.231.98.0/24 indicates a mix of spammy sites plus a number of local Russian and Ukrainian sites that look legitimate. Google's prognosis of AS57311 isn't too bad.
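Pulling the netname, origin AS and covering prefix out of whois output like the above is something you end up doing for every IP in these posts, so here is an added example (mine, not from the original post) of parsing RIPE-style RPSL objects and checking which of them cover 91.231.98.149. The embedded whois text is copied from the objects quoted above with the maintainer lines left out; the blank-line object separator and the "# Filtered" remark are standard RIPE output, and repeated keys (two descr: lines) are kept rather than collapsed into a dict.

```python
"""Parse RIPE whois (RPSL) objects and find the ones covering an IP (added example)."""
import ipaddress

# Copied from the RIPE objects quoted above (mnt-* lines omitted).
WHOIS_TEXT = """\
inetnum: 91.231.98.0 - 91.231.98.255
netname: NEOHOST
descr: FOP ILIUSHENKO VOLODYMYR OLEXANDROVUCH
descr: Neohost.net
country: UA
org: ORG-FIVO1-RIPE
status: ASSIGNED PI
source: RIPE # Filtered

organisation: ORG-FIVO1-RIPE
org-name: Neohost.net
org-type: other
address: Ukraine, Kyiv, 03039, Nauki
source: RIPE # Filtered

route: 91.231.98.0/24
descr: Neohost.net
origin: AS57311
mnt-by: NEOHOST-MNT
source: RIPE # Filtered
"""


def parse_rpsl(text):
    """Split whois output into objects, each a list of (key, value) pairs.

    Objects are separated by blank lines.  Keys repeat (descr:, mnt-by:), so
    a dict per object would silently lose values.  '# ...' remarks are dropped.
    """
    objects, current = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            if current:
                objects.append(current)
                current = []
            continue
        key, _, value = line.partition(":")
        current.append((key.strip(), value.strip()))
    if current:
        objects.append(current)
    return objects


def first(obj, key):
    """First value for `key` in an object, or None."""
    return next((v for k, v in obj if k == key), None)


def networks_of(obj):
    """CIDR blocks an inetnum or route object covers (empty for other objects)."""
    inetnum = first(obj, "inetnum")
    if inetnum:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in inetnum.split("-"))
        # An inetnum range need not align to a single CIDR block; summarize
        # returns every block needed to cover it exactly.
        return list(ipaddress.summarize_address_range(lo, hi))
    route = first(obj, "route")
    if route:
        return [ipaddress.ip_network(route, strict=False)]
    return []


def lookup(ip, text):
    """Return netname, origin AS and covering network for `ip` from whois text."""
    addr = ipaddress.ip_address(ip)
    result = {"netname": None, "origin": None, "network": None}
    for obj in parse_rpsl(text):
        nets = [n for n in networks_of(obj) if addr in n]
        if not nets:
            continue
        result["network"] = str(nets[0])
        for key in ("netname", "origin"):
            if first(obj, key):
                result[key] = first(obj, key)
    return result


if __name__ == "__main__":
    print(lookup("91.231.98.149", WHOIS_TEXT))
```

For the address in this post the lookup returns netname NEOHOST, origin AS57311 and network 91.231.98.0/24, which is exactly what the author reads off the pasted objects by eye.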
I don't know what the payload is, but the IP address was also used in this recent malware attack. The IP and domains are definitely malicious, and I would recommend the following blocklist:
91.231.98.149
eschewsramping.biz
gamelikeboards.biz
sixteenups.biz
sorelyzipmagics.biz
technicaltutoring.biz
zarazagorakakaxx1.org
zarazagorakakaxx2.com
Added: it looks like this site has been compromised before [1] [2] [3]
Labels:
Injection Attacks,
Malware,
Ukraine,
Viruses
Wednesday 25 September 2013
Intuit spam / Invoice_3056472.zip
It's an email from a company I have no dealings with, with a ZIP file that contains an EXE file! What could possibly go wrong? Oh..
Date: Wed, 25 Sep 2013 09:37:48 -0600 [11:37:48 EDT]
From: Lewis Muller [Lewis.Muller@intuit.com]
Subject: FW: Invoice 3056472
Your invoice is attached.
Sincerely,
Lewis Muller
This e-mail has been sent from an automated system. PLEASE DO NOT REPLY.
The information contained in this message may be privileged, confidential and protected
from disclosure. If the reader of this message is not the intended recipient, or an
employee or agent responsible for delivering this message to the intended recipient, you
are hereby notified that any dissemination, distribution or copying of this communication
is strictly prohibited. If you have received this communication in error, please notify
your representative immediately and delete this message from your computer.
The attachment is Invoice_3056472.zip, which in turn contains a malicious file Invoice_092513.exe with a pretty low VirusTotal detection rate of just 4/48.
Automated analysis [1] [2] [3] [4] shows the usual sort of badness, including a call home to gidleybuilders.com on 78.157.201.219 (UK Dedicated Servers Ltd, UK), which we also saw being used in an attack last week. Two compromised domains on the same server in a week seems rather more than a coincidence. For information only, the following legitimate domains are also on that same server:
Labels:
EXE-in-ZIP,
INTUIT,
Malware,
Spam
AICPA spam / children-bicycle.net
This fake AICPA spam leads to malware on the domain children-bicycle.net:
From: Reggie Wilkins [blockp12@clients.aicpa.net]
Date: 25 September 2013 15:03
Subject: Your accountant license can be cancelled.
You're receiving this email as a Certified Public Accountant and a member of AICPA.
Having trouble reading this email? View it in your browser.
AICPA logo
Cancellation of Accountant status due to tax return fraud allegations
Valued accountant officer,
We have received a complaint about your recent participation in tax return infringement for one of your employers. According to AICPA Bylaw Subsection 730 your Certified Public Accountant license can be withdrawn in case of the occurrence of filing of a false or fraudulent tax return for your client or employer.
Please familiarize yourself with the notification below and provide your feedback to it within 14 days. The failure to do so within this term will result in cancellation of your CPA license.
Complaint.pdf
The American Institute of Certified Public Accountants.
Email: service@aicpa.org
Tel. 888.777.7077
Fax. 800.362.5066
I haven't seen AICPA themed spam for a long time, but this follows an established pattern. The link in the email goes to a legitimate hacked site and then on to a malware payload at [donotclick]www.aicpa.org.children-bicycle.net/news/aicpa-all.php (report here).. but only if the visitor is running Windows (more of which in a moment).
The domain children-bicycle.net is registered with fake WHOIS details and the pattern of the domain marks it out as belonging to the Amerika gang.
Administrative Name: Jennifer Horvath
Administrative Company: Jennifer Horvath
Administrative Address: 3499 Latitude Cove
Administrative Address: Milton
Administrative Address: GA
Administrative Address: 30004
Administrative Address: US
Administrative Email: mybigben56@yahoo.com
Administrative Tel: +1.7705008444
The payload is hosted on the following IP addresses (all also listed here):
24.111.103.183 (Midcontinent Media, US)
109.71.136.140 (OpWan, France)
184.82.233.29 (Network Operations Center, US)
As I mentioned, the code detects the visitor's OS and only sends the victim to the exploit kit if they are running Windows; others end up at the genuine aicpa.org website.
Recommended blocklist:
6rf.net and something evil on 198.50.225.121, 85.25.108.10 and 178.33.208.211
Here are a couple of IPs serving exploit kits.. the case in question is a legitimate site that loads code from 6rf.net and this in turn loads an exploit kit from [donotclick]yandex.ru.sgtfnregsnet.ru and [donotclick]l451l.witnessvacant.biz.
The .biz domain in this case is hosted on 198.50.225.121 (OVH, Canada) along with subdomains of the following (more here):
witnessvacant.biz
objectiongigs.biz
prosecutorpro.biz
That IP hosts various exploit kits and is suballocated to a Russian customer:
CustName: Private Customer
Address: Private Residence
City: Penziatki
StateProv:
PostalCode: 430000
Country: RU
RegDate: 2013-08-12
Updated: 2013-08-12
Ref: http://whois.arin.net/rest/customer/C04667583
Those domains are also associated with some other OVH IPs of 178.33.208.211 and 46.105.166.99 (OVH, France). In both those cases, the OVH range is delegated to another Russian customer:
organisation: ORG-RL152-RIPE
org-name: R5X.org ltd
org-type: OTHER
address: Krasnoselskaja 15-219
address: 346579 Moscow
address: RU
abuse-mailbox: abuse@r5x.org
mnt-ref: OVH-MNT
mnt-by: OVH-MNT
source: RIPE # Filtered
Domains associated with the OVH France servers (and I would recommend blocking these) are:
But that's not the only infection that 6rf.net is punting, as there is another malicious domain, [donotclick]yandex.ru.sgtfnregsnet.ru, in use (report here) hosted on 85.25.108.10 (Intergenia AG, Germany). There appears to be at least one other malicious domain on the same server (googlebot.ru) which is also serving up an exploit kit [1] [2], and an examination of the rest of the domains on that IP shows nothing at all of value:
yandex.ru.sgtfnregsnet.ru
googlerobot.ru
google.directadvertstat.ru
nationalaustralia.org
It looks like other malware sites have been hosted on that IP in the past, so I would recommend blocking that too, giving this recommended blocklist:
Tuesday 24 September 2013
"International Wire Transfer" spam / INTL_Wire_Report-09242013.zip
This fake wire transfer spam has a malicious attachment:
Date: Tue, 24 Sep 2013 10:54:32 -0700 [13:54:32 EDT]
From: Wells Fargo Event Messaging Admin [ofsrep.ceoemigw@wellsfargo.com]
Subject: International Wire Transfer File Not Processed
We are unable to process your International Wire Transfer request due to insufficient funds in the identified account.
Review the information below and contact your Relationship Manager if you have questions, or make immediate arrangements to fund the account. If funds are not received by 09/24/2013 03:00 pm PT, the file may not be processed.
Please view the attached file for more details on this transaction.
Any email address changes specific to the Wire Transfer Service should be directed to Treasury Management Client Services at 1-800-AT-WELLS (1-800-289-3557).
Event Message ID: S203-8767457
Date/Time Stamp: Tue, 24 Sep 2013 10:54:32 -0700
----------------------------------------------------------------------------------------------------------------------------------------------------
Please do not reply to this email; this mailbox is only for delivery of Event Messaging notices. To ensure you receive these notices, add ofsrep.ceoemigw@wellsfargo.com to your address book.
For issues related to the receipt of this message, call toll free 1-800-AT-WELLS (1-800-289-3557) Monday through Friday between 4:00 am and 7:00 pm and Saturday between 6:00 am and 4:00 pm Pacific Time.
Customers outside the U.S. and Canada may contact their local representative's office, or place a collect call to Treasury Management Client Services at 1-704-547-0145.
Please have the Event Message ID available when you call.
Attached is a ZIP file called INTL_Wire_Report-09242013.zip which in turn contains a malicious executable INTL_Wire_Report-09242013.exe (note the date encoded into the filename). The VirusTotal results show a so-so detection rate of 9/48.
Automated analysis [1] [2] [3] shows the usual sort of stuff plus network traffic to ta3online.org on 108.168.164.202 (Softlayer, US) which is some sort of compromised legitimate site.
Blocking EXE-in-ZIP files at your network perimeter is absolutely the best way of avoiding malware attacks like this.
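The perimeter check recommended above, written as an added example (not the blog's or any mail gateway's code): it opens a ZIP attachment in memory and flags members that are Windows executables by extension or by their MZ header, so a renamed payload is caught as well as the plain EXE-in-ZIP cases from the Intuit and wire-transfer posts. The sample archives are constructed here with harmless stand-in contents; only the filenames come from the posts.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Extensions Windows runs directly. Both posts above describe a ZIP whose only
# member is one such file (Invoice_092513.exe, INTL_Wire_Report-09242013.exe).
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
MZ_MAGIC = b"MZ"  # first two bytes of every Windows PE executable


def inspect_zip_attachment(data: bytes) -> list:
    """Return (member name, reason) pairs for members a gateway should block.

    Hypothetical helper written for this example. The name check and the
    header check are independent, so "report.pdf" containing a PE file is
    flagged just like "Invoice_092513.exe".
    """
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        # A payload that claims to be a ZIP but is not gets no benefit of the doubt.
        return [("<attachment>", "not a valid ZIP archive")]

    findings = []
    with archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            reasons = []
            suffixes = [s.lower() for s in PurePosixPath(info.filename).suffixes]
            last = suffixes[-1] if suffixes else ""
            if last in EXECUTABLE_EXTENSIONS:
                reasons.append("executable extension " + last)
                if len(suffixes) > 1:
                    # Invoice.pdf.exe: Explorer hides the final extension by default.
                    reasons.append("double extension")
            if info.flag_bits & 0x1:
                # Encrypted members cannot be inspected; treat that as suspicious
                # rather than as clean.
                reasons.append("encrypted member, content not inspectable")
            else:
                with archive.open(info) as member:
                    head = member.read(2)  # header only, so a zip bomb costs nothing
                if head == MZ_MAGIC and last not in EXECUTABLE_EXTENSIONS:
                    reasons.append("PE (MZ) header under a non-executable name")
            if reasons:
                findings.append((info.filename, "; ".join(reasons)))
    return findings


def should_block_attachment(data: bytes) -> bool:
    """Policy from the post: any executable inside a ZIP means the mail is held."""
    return bool(inspect_zip_attachment(data))


def build_zip(members: dict) -> bytes:
    """Build an in-memory ZIP from {name: content}; used only to construct samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples: filenames from the posts, contents are harmless stand-ins.
FAKE_PE = b"MZ\x90\x00" + b"\x00" * 60  # just the MZ magic, not a real binary
SAMPLE_EXE_IN_ZIP = build_zip({"Invoice_092513.exe": FAKE_PE})
SAMPLE_RENAMED_EXE = build_zip({"INTL_Wire_Report-09242013.pdf": FAKE_PE})
SAMPLE_CLEAN = build_zip({"INTL_Wire_Report-09242013.pdf": b"%PDF-1.4\n% constructed sample\n"})

if __name__ == "__main__":
    for label, sample in [("exe-in-zip", SAMPLE_EXE_IN_ZIP),
                          ("renamed exe", SAMPLE_RENAMED_EXE),
                          ("clean pdf", SAMPLE_CLEAN)]:
        print(label, "BLOCK" if should_block_attachment(sample) else "allow",
              inspect_zip_attachment(sample))
```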
Labels:
EXE-in-ZIP,
Malware,
Spam,
Viruses
Malware sites to block 24/9/2013
The malicious IPs and domains on this list are operated by this gang, and it replaces last week's list.
Saturday 21 September 2013
Siga Resources Inc (SGAE) pump-and-dump spam
Are We having Fun Yet? THIS COMPANY IS UP TODAY ON LARGE VOLUME.
Trading Date: Monday, September 23th
Closed at: 0.015
Company: Siga Resources Inc.
Symbol traded: SG_AE
Target Price: 0.25
Our Watchlist Alert!!! This Stock is back up on strong VOLUME!
----------
This Stock IS RED HOT!!! Massive Breakout!
Date: Sep 23th
Target: .55
Company Name: SIGA RESOURCES INC
Stock: S G_A-E
Buy it at: $0.02
Strong news and a scintillating chart could spell breakout. Driving
towards a new breakout level!
----------
My New Monster Pick Is ... Most Active!!!
Date: Monday, September 23, 2013
Current Price: 0.015
Tick: S-GA-E
Name: SIGA RESOURCES CORP
Short Term Target Price: 0.20
This company had another strong day! We could see further gains
ahead tomorrow. One NOT to Miss.
----------
Take a look at your favorite stock charts. It is featured company ready to
pop!!!
Sym: S-G_A E
Current Price: .02
Date: Monday, Sep 23th, 2013
Company: SIGA RESOURCES, CORP
4-Day Target: $.50
It Broadens Target Markets! Its Time to Buy Again...
Sample subject lines:
Subject: Potential Breakout Stock
Subject: Are you missing this?
Subject: This Company looks ready to explode!
Subject: Do Not Miss This One, You Will Be Bummed If You Do!
As I posted last week, my observation of similar P&D spams is that the share price often collapses completely when the spamming stops.
Siga Resources is involved in small-scale minerals exploration. I'm not a financial analyst, but this firm looks almost dormant with zero income and effectively no cash in the bank. There has been no significant news for over a year. Siga's own 10-K filing for 2013 is extremely bleak and uses phrases such as "we have not generated any revenues since our formation on January 18, 2007" and "We require additional cash to continue operations. Such operations could take many years of exploration and would require expenditure of very substantial amounts of money, money we do not presently have and may never be able to raise. If we cannot raise it we will have to abandon our planned exploration activities and go out of business" and "We have one joint venture project on the Lucky Thirteen Claim. The joint venture has to date defaulted on payments to keep the ownership in the Lucky Thirteen Claim intact. Consequently, we are at risk of losing our interests in the Lucky Thirteen Claim entirely."
In short, there is no news at all that would make you want to buy this stock. And it is very important to realise that any information contained in the spam messages is merely a lie to boost the price, sent out by unknown parties.
The stock has not done well since it started, trading at around $0.55 to $0.60 until mid-2011 when it peaked at $2.40. It has since fallen to levels between $0.01 and $0.02.
On a typical day, share trades in SGAE are close to zero and rarely exceed 100,000 shares. But on Friday alone, over a million shares were traded in SGAE, with 1.7 million shares traded in total across the week at prices ranging from $0.0288 to $0.015. I believe that the majority of those share trades were done by the spammers themselves taking up a position, with speculators adding a small volume on top.
Do not be tempted to buy SGAE shares on the back of these spammed-out solicitations. They are simply the actions of someone trying to offload almost worthless stock at an inflated price, and past history with these spamvertised stocks shows that there is a high risk that the price will collapse completely afterwards.
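The samples above spell the ticker as SG_AE, S G_A-E, S-GA-E and S-G_A E, and the Apple samples on this page do the same with AA PL and AA_PL, precisely so that a plain keyword filter misses them. As an added example (not from the blog), here is a small filter that collapses those separator-obfuscated spellings back to a symbol and matches them against a watchlist; the watchlist and the sample message are constructed for the example from the spam quoted above.

```python
import re

# Symbols currently being pushed; the two pump-and-dump posts on this page push
# SGAE and AAPL. A real filter would load this from a maintained watchlist.
WATCHLIST = {"SGAE", "AAPL"}

# Three to five capital letters, each optionally followed by ONE space, underscore
# or hyphen, so that "SG_AE", "S G_A-E", "S-GA-E", "S-G_A E" and "AA PL" are each
# captured as a single token. \b keeps it from matching inside ordinary words.
OBFUSCATED_TICKER = re.compile(r"\b(?:[A-Z][ _-]?){2,4}[A-Z]\b")
SEPARATORS = re.compile(r"[ _-]")


def normalise(raw: str) -> str:
    """Strip the separators the spammer inserted: 'S G_A-E' -> 'SGAE'."""
    return SEPARATORS.sub("", raw)


def find_tickers(text: str, watchlist=WATCHLIST) -> list:
    """Return (raw spelling, symbol) pairs for every watchlist symbol in text."""
    hits = []
    for match in OBFUSCATED_TICKER.finditer(text):
        raw = match.group(0)
        symbol = normalise(raw)
        if symbol in watchlist:
            hits.append((raw, symbol))
    return hits


def score_message(text: str, watchlist=WATCHLIST) -> dict:
    """Summarise a message: which symbols appear and whether any spelling was
    deliberately broken up (a strong pump-and-dump signal on its own)."""
    hits = find_tickers(text, watchlist)
    return {
        "symbols": sorted({symbol for _, symbol in hits}),
        "obfuscated": any(raw != symbol for raw, symbol in hits),
        "hits": hits,
    }


# Constructed sample: lines taken from the spam quoted above, treated as one message.
SAMPLE_SPAM = """\
Are We having Fun Yet? THIS COMPANY IS UP TODAY ON LARGE VOLUME.
Company: Siga Resources Inc.
Symbol traded: SG_AE
Target Price: 0.25
Stock: S G_A-E
Tick: S-GA-E
Sym: S-G_A E
Apple Company (Nasdaq:AA PL) has shown its new-developed models
Apple Company (Nasdaq:AA_PL). Nevertheless, these products
"""

if __name__ == "__main__":
    print(score_message(SAMPLE_SPAM))
    # The blog's own sentence names the ticker plainly and is not flagged as obfuscated.
    print(score_message("Do not be tempted to buy SGAE shares on the back of these solicitations."))
```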
Labels:
Pump and Dump,
Spam
Friday 20 September 2013
WhatsApp "3 New Voicemail(s)" spam and 219.235.1.127
I am indebted to Gary Warner for his analysis of this malware. But I can't resist having a poke at it myself. This malware is particularly cunning.
First of all, it starts with a WhatsApp-themed spam:
From: WhatsApp Messaging Service
Date: 20 September 2013 19:36
Subject: 3 New Voicemail(s)
You have a new voicemail!
Details
Time of Call: Sep-17 2013 04:05:07
Lenth of Call: 04 seconds
Play
*If you cannot play, move message to the "Inbox" folder.
2013 WhatsApp Inc
I'm sort-of-vaguely aware of the existence of WhatsApp in the same way that I am vaguely aware of my wife's birthday. Here's the thing though.. click on the link on the PC and you get a fake Plesk 404 page (see this report). But click on it using an Android device and you get something very different.
So, armed with a random Android user agent string and WGET, I accessed the link (in this case [donotclick]www.organocontinuo.com/app.php?message=hADXwckiPdaYKjapSiWJyMR/guGMDz4l8/PCDGmSemg=) and ended up with a 2,735,848 byte file called WhatsApp.apk instead.
I didn't test this on an Android device or the ADK, but apparently it is possible that clicking the link installs the malware without asking on certain devices. The VirusTotal score for this .apk is a pretty healthy 21/48, but who runs anti-virus software on their Android? (If you aren't running AV, then try this).
So what does it do? Well, I've been using the Anubis sandbox to analyse Windows binaries for a while, but it can analyse Android .apk files too, which is pretty darned cool. And this is what Anubis sees the malicious Android app doing.
Now, if you've read Gary's blog then you will know that this is an Android-based fake anti-virus application. Anubis says that the application's reported URL is defenderandroid.org but I am not sure if this is fake. However, the application certainly seems to send traffic to 219.235.1.127 (Shanghai QianWan Network, China) which is probably a darned good candidate for blocking (if you can). This IP has been spotted with PC-based fake AV programs before [1] [2] [3].
Up until April, the IP 219.235.1.127 hosted the domains w0580.com and juyuanfang.com, both registered to the same person using the email address sisibin@qq.com. I do not know if they are connected with the fake AV in any way.
Although mobile malware is getting more common, this is the first time that I have seen an attack like this. All smartphone and tablet users need to be aware of the very real risks of malware on their devices and should take the appropriate steps to keep themselves safe.
Thursday 19 September 2013
Apple (AAPL) pump-and-dump spam
A pump and dump spam trying to move Apple (AAPL) stock? Really? I don't think a spam run is going to have much effect on a $473 share in a company worth $420bn.
From: lpskann@scminvest.com
Subject: This Company continues to surge, could new highs be ahead?
Apple has presented its new models - iPhone 5S and iPhone 5C,
which actually have not moved the providers of financing. But, we
got to hear about the confidential novelty, which is created in
Cupertino (the Main Office of the Apple Company). This specialty
will be of interest for everyone. Through just a year, everybody
will utilize it. Namely now the time is ripe to acquire the
Apple's securities. Their value will be quick increased!!!
#goodluckwiththat- here's another one:
From: h.strutzmann@raymondjames.com
Subject: This Company is Hot and Premarket analysis is ready
The new-developed models, i.e. iPhone 5S and iPhone 5C, have
been recommended by the Apple Company. Nevertheless the
products have not impressed the business sponsors.
Nevertheless, we have learned about the secret new product,
which is being worked out in Cupertino, the Main Office of
the Apple Company, which will be required by a wide
audience. (It is going to be put in use by everybody duting
the course of only one year). Now it's about time to take
possession of the shareholding of Apple, because quite soon
they will go up in value!
A third sample adds the stock ticker symbol:
Subject: Advanced Trading Alert Notice
Apple Company (Nasdaq:AA PL) has shown its new-developed models - iPhone
5S and iPhone 5C, which indeed have been not very impressive for the
providers of capital. Still, we got the wind of the confidential new
product, which is created in Cupertino (the Principal Business Place of
the Apple). This new product will be needed by all the people. During
just one year, all the people will put in use the product. Presently it's
high time to obtain the Apple's securities. Their price will grow quite
soon.
And some more rather ungrammatical auto-generated examples..
The providers of financing have not been struck by the
new-developed models, i.e. iPhone 5S and iPhone 5C, which have
been introduced by the Apple. Still, we have got the wind of
the fact that in Cupertino (the Apple's Headquarter), a
confidential innovation is being created. The item will be
popular for all the people. It will be wide put on within just
a year. Right now is the perfect timing for acquiring the
shares of the Apple. Very soon these shares of stock will
increase high in value.
The financiers have not been struck by the new-developed products, i.e.
iPhone 5S and iPhone 5C, which have been shown by the Apple. But, we have
got to hear that in Cupertino (the Apple's Headquarter), a non-public
newcomer is being designed. The item will be required by all the people. It
will be wide put on in just a year. Now is the right time for purchasing
the equity of the Apple. Fast these shareholding will grow high in price.
iPhone 5S and iPhone 5C present the fresh items, which were shown by the
Apple Company (Nasdaq:AA_PL). Nevertheless, these products have little
effect on the providers of financing. All the same, we got to learned that
in Cupertino (where the Apple's Principal Business Office is located), an
undercover recent development gadget is being elaborated. Namely this
novelty will be of interest for everybody (the recent development will be
applied by all the people within the course of one year). The Apple's equity
shall be purchased right at the moment, as fast they will increase in price!
Apple Company (Nasdaq:AAP-L) has offered its latter-day
products - iPhone 5S and iPhone 5C, which actually have
little effect on the backers. However, we got the wind of
the undercover innovation, which is produced in Cupertino
(the General Headquarter of the Apple). This recent
development will be needed by everybody. Within only one
year, everyone will utilize it. Namely now it's about time
to get hold of the Apple's shareholding. Their price will
grow quite soon!!!
Apple Company (Nasdaq:A-A_P L) has presented its new models - iPhone 5S
and iPhone 5C, which indeed have not struck the fund clients. All the
same, we got to learned about the undercover novelty, which is designed
in Cupertino (the Principal Place of Business of the Apple Company).
This new product will be required by all the people. During the course
of just a year, everybody will put on it. The present moment the time is
ripe to get hold of the Apple's shares. Their price will soon grow.
The Apple Company (Nasdaq:A-A-PL) has introduced its new products - iPhone 5S
and iPhone 5C, which truly have little impression on the fund clients. But,
we got to learned about the private newcomer, which is created in Cupertino
(the General Headquarter of the Apple Company). This recent development will
be of interest for everyone. During just a year, everyone will use it. Right
now is the time to obtain the Apple's equity. Their price will grow quite
soon.
Labels:
Apple,
Pump and Dump,
Spam,
Stupidity
Wednesday 18 September 2013
"INCOMING FAX REPORT" spam / lesperancerenovations.com
This fake fax spam appears to come from the Administrator at the victim's domain:
Date: Wed, 18 Sep 2013 15:01:42 -0500 [16:01:42 EDT]
From: Administrator [administrator@victimdomain]
Subject: INCOMING FAX REPORT : Remote ID: 8775654573
*********************************************************
INCOMING FAX REPORT
*********************************************************
Date/Time: 09/18/2013 05:11:15 EST
Speed: 39287 bps
Connection time: 02:07
Pages: 2
Resolution: Normal
Remote ID: 8775654573
Line number: 1
DTMF/DID:
Description: August Payroll
Click here to view the file online
*********************************************************
The link in the email goes to a legitimate but hacked site and then tries to load one of the following three scripts:
[donotclick]0068421.netsolhost.com/partisanship/poached.js
[donotclick]ade-data.com/exuded/midyear.js
[donotclick]fangstudios.com/macedonian/piles.js
In turn, these try to direct the visitor to a malware landing page at [donotclick]lesperancerenovations.com/topic/seconds-exist-foot.php, which is a hijacked GoDaddy domain hosted on 174.140.169.145 (DirectSpace, US) along with several other hijacked GoDaddy domains (the original post marks them in italics in the blocklist below).
Recommended blocklist:
174.140.169.145
lesperancerenovations.com
louievozza.com
louvozza.com
lv-contracting.com
lvconcordecontracting.com
saltlakecityutahcommercialrealestate.com
0068421.netsolhost.com
ade-data.com
fangstudios.com
Labels:
GoDaddy,
Malware,
Spam,
ThreeScripts,
Viruses
Tuesday 17 September 2013
FDIC spam / horse-mails.net
This fake FDIC spam leads to malware on www.fdic.gov.horse-mails.net:
Date: Tue, 17 Sep 2013 15:28:52 +0330 [07:58:52 EDT]
From: insurance.coverage@fdic.gov
Subject: FDIC: About your business account
Dear Business Customer,
We have important news regarding your financial institution.
Please View to see further details.
This includes information on the acquiring bank (if applicable), how your accounts and loans are affected, and how vendors can file claims against the receivership
FDÌC Questions for FDÌC?
Contact Us
The FDÌC receives no Congressional appropriations - it is funded by premiums that banks and thrift institutions pay for deposit insurance coverage and from earnings on investments in U.S. Treasury securities. The FDÌC insures approximately $9 trillion of deposits in U.S. banks and thrifts - deposits in virtually every bank and thrift in the country.
Federal Insurance Company · 3501 Fairfax Drive · Arlington VA 22225 · 877-275-3342
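Two filter-evasion tricks appear in the spam on this page: the Apple pump-and-dump samples above write the ticker as "AA PL", "AA_PL", "AAP-L", "A-A_P L" and "A-A-PL", and the FDIC mail above writes the brand as "FDÌC" with an accented I (this copy of the page mangles it further to "FDÃŒC", which is what UTF-8 looks like when decoded as Windows-1252). The Python below is an added example, not code from either post, that undoes both tricks before matching a watch list. The watch list, the helper names and the sample messages are constructed for illustration; NACHA and IRS are on the watch list only because the lookalike hostnames in the blocklist below impersonate them.

```python
import re
import unicodedata

# Constructed watch list: AAPL and FDIC come from the spam runs on this page,
# NACHA and IRS from the lookalike hostnames in the FDIC post's blocklist.
WATCHED_TICKERS = {"AAPL"}
WATCHED_BRANDS = {"FDIC", "NACHA", "IRS"}

# "Nasdaq:" followed by 2-6 capital letters with optional junk (space, -, _, .)
# between them. The lookahead stops "Nasdaq:AAPL Stock" from swallowing the "S".
TICKER_RE = re.compile(
    r"(?i:nasdaq)\s*:\s*([A-Z](?:[ \-_.]*[A-Z]){1,5})(?![A-Za-z])")


def repair_mojibake(text):
    """Undo UTF-8 that was mis-decoded as Windows-1252 ("FD\u00c3\u0152C" -> "FD\u00ccC").
    Text that does not round-trip cleanly is returned unchanged."""
    try:
        return text.encode("cp1252").decode("utf-8")
    except UnicodeError:
        return text


def strip_marks(text):
    """Replace accented letters with their base letter ("FD\u00ccC" -> "FDIC")."""
    decomposed = unicodedata.normalize("NFKD", text)
    return "".join(ch for ch in decomposed if not unicodedata.combining(ch))


def find_tickers(text):
    """Return ticker symbols written as Nasdaq:XXXX with the separators removed."""
    return [re.sub(r"[^A-Z]", "", m) for m in TICKER_RE.findall(text)]


def find_brands(text):
    """Return (brand, obfuscated) pairs for watched brands present after normalisation.
    obfuscated is True when the brand only appears once accents/mojibake are removed,
    which is itself a strong spam signal."""
    raw = text.upper()
    clean = strip_marks(repair_mojibake(text)).upper()
    hits = []
    for brand in sorted(WATCHED_BRANDS):
        pattern = r"\b%s\b" % brand
        if re.search(pattern, clean):
            hits.append((brand, re.search(pattern, raw) is None))
    return hits


def classify(message):
    """Summarise why a message matches one of the spam runs on this page."""
    reasons = []
    for ticker in find_tickers(message):
        if ticker in WATCHED_TICKERS:
            reasons.append("pumped ticker %s" % ticker)
    for brand, obfuscated in find_brands(message):
        reasons.append("brand %s%s" % (brand, " (obfuscated)" if obfuscated else ""))
    return reasons


# Constructed samples modelled on the spam quoted on this page.
PUMP_SAMPLE = "Apple Company (Nasdaq:A-A_P L) has presented its new models - iPhone 5S"
FDIC_SAMPLE = "The FD\u00ccC receives no Congressional appropriations"
MOJIBAKE_SAMPLE = "FD\u00c3\u0152C Questions for FD\u00c3\u0152C?"

if __name__ == "__main__":
    for sample in (PUMP_SAMPLE, FDIC_SAMPLE, MOJIBAKE_SAMPLE):
        print(repr(sample), "->", classify(sample))
```

The mojibake repair is deliberately strict: genuine accented text such as "FDÌC" does not survive a cp1252 round-trip as valid UTF-8, so it is left alone and handled by the NFKD step instead, while text already in ASCII passes through both steps unchanged.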
The link goes through a legitimate hacked site and on to a malware landing page at [donotclick]www.fdic.gov.horse-mails.net/news/fdic-insurance.php which belongs to the Amerika gang and is hosted on the following IPs (the recommended blocklist is at the end of the post):
37.221.163.174 (Voxility S.R.L., Romania)
95.111.32.249 (Megalan / Mobiltel EAD, Bulgaria)
109.71.136.140 (OpWan SARL, France)
174.142.186.89 (iWeb Technologies, Canada)
216.218.208.55 (Hurricane Electric, US)
Of interest, the legitimate hacked site that is linked to tries to do some OS detection, which is a new feature (the original post includes a screenshot).
Recommended blocklist (use in conjunction with the earlier blocklist linked from the original post):
37.221.163.174
95.111.32.249
109.71.136.140
174.142.186.89
216.218.208.55
airfare-ticketscheap.com
bnamecorni.com
bundle.su
cernanrigndnisne55.net
cerovskiprijatnomnebi25.net
demuronline.net
evreisorinejsopgmrjnet28.net
fiscdp.com.airfare-ticketscheap.com
germaniavampizdanahuj.net
gormonigraetnapovalahule26.net
grannyhair.ru
gstarstats.ru
horse-mails.net
maxichip.com
micnetwork100.com
mirrorsupply.com
nacha.org.samsung-galaxy-games.net
nvufvwieg.com
pidrillospeeder.com
smartsecureconnect.com
softwareup.pw
tor-connect-secure.com
vineostat.ru
vip-proxy-to-tor.com
www.fdic.gov.horse-mails.net
www.fiscdp.com.airfare-ticketscheap.com
www.irs.gov.successsaturday.net
www.nacha.org.demuronline.net
www.nacha.org.multiachprocessor.com
www.nacha.org.samsung-galaxy-games.net
www.nacha.org.smscente.net
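Both the fax post and this one end in a blocklist, and this one's hostnames share a pattern worth detecting on its own: the real domain being impersonated (fdic.gov, nacha.org, irs.gov) sits at the front of the name while the attacker's registrable domain sits at the end. The Python below is an added example, not code from either post, that scans proxy log lines for blocklist hits and for hostnames embedding a trusted domain in that position. The blocklist is a subset merged from the two posts, the trusted-domain set and the log format are assumptions, and the log lines are constructed, not real traffic.

```python
from urllib.parse import urlsplit

# Subset of the recommended blocklists from the fax and FDIC posts (IPs and hostnames).
BLOCKLIST = {
    "174.140.169.145", "lesperancerenovations.com", "0068421.netsolhost.com",
    "37.221.163.174", "95.111.32.249", "109.71.136.140", "174.142.186.89",
    "216.218.208.55", "horse-mails.net", "www.fdic.gov.horse-mails.net",
    "demuronline.net", "www.nacha.org.demuronline.net",
    "www.irs.gov.successsaturday.net", "airfare-ticketscheap.com",
}

# Assumed set of real domains that the FDIC-run hostnames impersonate.
TRUSTED = {"fdic.gov", "nacha.org", "irs.gov"}


def blocklisted(host):
    """Return the most specific blocklist entry that host equals or is a subdomain of.
    Suffix matching is anchored on a label boundary, so www.netsolhost.com does not
    match the entry for the compromised customer site 0068421.netsolhost.com."""
    host = host.lower().rstrip(".")
    matches = [e for e in BLOCKLIST if host == e or host.endswith("." + e)]
    return max(matches, key=len) if matches else None


def embedded_trusted(host):
    """Return the trusted domain that appears inside host as labels *before* the real
    registrable domain (www.fdic.gov.horse-mails.net -> "fdic.gov"). Returns None for
    the genuine www.fdic.gov, whose trusted labels are at the end of the name."""
    parts = host.lower().rstrip(".").split(".")
    for trusted in sorted(TRUSTED):
        tparts = trusted.split(".")
        n = len(tparts)
        # Only windows that finish before the final label count as impersonation.
        for i in range(len(parts) - n):
            if parts[i:i + n] == tparts:
                return trusted
    return None


def check_url(url):
    """Return (hostname, reasons) for one requested URL; reasons is empty when clean."""
    host = urlsplit(url).hostname or ""
    reasons = []
    entry = blocklisted(host)
    if entry:
        reasons.append("blocklisted %s" % entry)
    trusted = embedded_trusted(host)
    if trusted:
        reasons.append("lookalike of %s" % trusted)
    return host, reasons


def scan_log(lines):
    """Scan 'timestamp client method url' lines; return (client, host, reasons) alerts."""
    alerts = []
    for line in lines:
        fields = line.split()
        if len(fields) < 4:
            continue
        client, url = fields[1], fields[3]
        host, reasons = check_url(url)
        if reasons:
            alerts.append((client, host, reasons))
    return alerts


# Constructed proxy log (assumed 'timestamp client method url' format, not real traffic).
SAMPLE_LOG = """\
1379426405.123 10.1.2.3 GET http://www.fdic.gov/deposit/
1379426411.456 10.1.2.3 GET http://www.fdic.gov.horse-mails.net/news/fdic-insurance.php
1379426420.789 10.1.2.9 GET http://www.nacha.org.demuronline.net/
1379426431.001 10.1.2.9 GET http://95.111.32.249/
1379426440.555 10.1.2.7 GET http://0068421.netsolhost.com/partisanship/poached.js
1379426441.222 10.1.2.7 GET http://www.netsolhost.com/
1379426450.999 10.1.2.8 GET http://example.org/irs.gov/page
"""

if __name__ == "__main__":
    for client, host, reasons in scan_log(SAMPLE_LOG.splitlines()):
        print(client, host, "; ".join(reasons))
```

The lookalike check looks only at the hostname, so a trusted domain appearing in the path (the example.org line) is not flagged, and it never fires on the genuine site because the trusted labels there are the last ones in the name.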
ADP spam / ADP_831290760091.zip
This fake ADP spam has a malicious attachment:
Date: Tue, 17 Sep 2013 20:32:04 +0530 [11:02:04 EDT]
From: ADP ClientServices
Subject: ADP - Reference #831290760091
Priority: High Priority 1 (High)
We were unable to process your recent transaction. Please verify your details and try again.
If the problem persists, contact us to complete your order.
Transaction details are shown in the attached file.
Reference #831290760091
This e-mail has been sent from an automated system.
PLEASE DO NOT REPLY.
The information contained in this message may be privileged, confidential and protected from disclosure. If the reader of this message is not the intended recipient, or an employee or agent responsible for delivering this message to the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this communication in error, please notify your representative immediately and delete this message from your computer. Thank you.
Attached to the email is a file called ADP_831290760091.zip, which in turn contains ADP_Reference_09172013.exe, which has a VirusTotal detection rate of 9/48.
Automated analysis [1] [2] [3] shows a connection attempt to awcoomer.com on 78.157.201.219 (UK Dedicated Servers Ltd, UK). I don't have any evidence of further infections on this server; it does host 30+ legitimate UK sites, if that helps.
Labels:
ADP,
EXE-in-ZIP,
Malware,
Spam,
Viruses