Something evil on 37.59.164.209 (OVH)

37.59.164.209 is a server operated by OVH in France. It has many malicious domains hosted on it, indeed almost everything on it is flagged by Google as being malicious (highlighted in the list below). Blocking access to that IP address is the simplest approach as the malicious sites do seem to be in some flux.

Recommended blocklist:
fat-jaguar.info
amazingfingerprint.pingpong-shop.info
androidexclusiveaccepted.soda-waters.info
annesindecisive.ru
antilostprivacystar.soda-waters.info
arrayschamp.pingpong-shop.info
atomicexcelled.pingpong-shop.info
bisnothings.picture-editorsplus.com
bumpyrogue.pingpong-shop.info
cheerskasperskys.get-well-now.info
compilingresolved.get-well-now.info
compositingupfront.soda-waters.info
couponexposes.pingpong-shop.info
defraggingentire.soda-waters.info
designationrim.pingpong-shop.info
dipsisolated.ru
distortstrand.picture-editorsplus.com
droidsreceiver.pingpong-shop.info
errorannouncement.get-well-now.info
experttouserhome.picture-editorsplus.com
fdrsitelets.picture-editorsplus.com
flauntmalwarefighting.ru
fsecurevitas.picture-editorsplus.com
get-well-now.info
jfaxbike.get-well-now.info
karmic-koala.info
kudosphilly.picture-editorsplus.com
laguardiaduly.soda-waters.info
maoctopus.get-well-now.info
meaningsvisor.get-well-now.info
middletierpreventionandcleanup.picture-editorsplus.com
mtvmick.get-well-now.info
mypalmbehaviors.picture-editorsplus.com
nicesoundingextracting.soda-waters.info
noncopyrightprotectedfipscertified.soda-waters.info
nonstopeverconnected.soda-waters.info
offlineclosets.soda-waters.info
pbsearns.get-well-now.info
performgenre.soda-waters.info
pingpong-shop.info
plannerwaiter.get-well-now.info
reopeningphenomenal.pingpong-shop.info
retainedamazoncom.soda-waters.info
satiategb.get-well-now.info
savedtranscodes.soda-waters.info
soda-waters.info
treestructurezeroes.pingpong-shop.info
turbotwisttristate.get-well-now.info
wavelinkswing.pingpong-shop.info
webcontentfaces.ru
www.fat-jaguar.info
xmlbasedautomaticupdate.pingpong-shop.info
certificationthumbtack.job-orders.info
club-sandwich.info
datver.job-orders.info
job-orders.info
mirrorskitschy.job-orders.info
mountain-lion.biz
onion-sauce.com
openglkinectd.job-orders.info
poolseeming.job-orders.info
smallerwebspecific.job-orders.info
trendmicroaddfiletobackup.ru
tweakshunting.job-orders.info

Facebook spam / kapcotool.com

This fake Facebook spam leads to malware on kapcotool.com:

From:     Facebook [no-reply@facebook.com]
Date:     5 September 2013 15:21
Subject:     Michele Murdock wants to be friends with you on Facebook.

facebook
   
Michele Murdock wants to be friends with you on Facebook.
University of Houston, Victoria
342 friends - 28 photos
Confirm Request
         
See All Requests
This message was sent to [redacted]. If you don't want to receive these emails from Facebook in the future, please click: unsubscribe.
Facebook, Inc. Attention: Department 415 P.O Box 10005 Palo Alto CA 94303

The link in the email uses an obscure URL shortening serving to go first to [donotclick]fenixa.com/97855 and then to [donotclick]magic-crystal.ch/normalized/index.html, and at this point it attempts to load the following three scripts:

[donotclick]00398d0.netsolhost.com/mcguire/forgiveness.js
[donotclick]202.212.131.8/ruses/nonsmokers.js
[donotclick]japanesevehicles.us/vector/internees.js

The final step is a malware landing page at [donotclick]kapcotool.com/topic/able_disturb_planning.php which is a hijacked GoDaddy domain hosted on 74.207.227.154 (Linode, US) along with some other hijacked domains listed in italics below.

Recommended blocklist:
74.207.227.154
jgburgerlounge.ca
jngburgerjoint.ca
jngburgerjoint.com
johnmejalli.com
justcreature.com
justmonster.com
kalcodistributors.com
kapcotool.com00398d0.netsolhost.com
japanesevehicles.us
202.212.131.8

HSBC spam / Original Copy (Edited).zip

This fake HSBC spam links to a malicious ZIP file:

Date:      Wed, 4 Sep 2013 01:45:17 -0700 [04:45:17 EDT]
From:      HSBC Wire Advising service [wireservice@hsbc.com.hk]
Reply-To:      hsbcadviceref@mail.com
Subject:      HSBC Payment Advice Ref: [H6789000] / ACH Credits / Customer Ref: [PO780090] (Edited)


Dear Sir/Madam,

The attached payment advice is issued at the request of our customer. The advice is for your reference only.

Kindly Accept Our apology On the copy we sent earlier.

1 attachments (total 586 KB)
View slide show (1)
Download all as zip

Yours faithfully,
Global Payments and Cash Management
HSBC


Copyright © HSBC Group 2013. All rights reserved.Copyright/IP Policy | Terms of Service
NOTICE: We collect personal information on this site. To learn more about how we use your information, see our Privacy Policy.

"SAVE PAPER - THINK BEFORE YOU PRINT!"

The link in the email goes to a file sharing site at [donotclick]ge.tt/api/1/files/1AFpS3r/0/blob?download and then downloads a file Original Copy (Edited).zip which contains a malicious executable Original Copy (Edited).scr (actually a renamed .EXE file, not a screensaver). The VirusTotal detection rate is 14/16.

The malware uses various techniques to prevent being analysed in a sandbox, but the ThreatExpert report shows some network activity including a suspect connection to ftp.advice.yzi.me (185.28.21.26, Hostinger International US) which might be worth blocking.

PayPal spam / dshapovalov.info

This fake (and badly formatted) fake PayPal spam email leads to malware on dshapovalov.info:

Date:      Wed, 4 Sep 2013 08:33:25 -0500 [09:33:25 EDT]
From:      PayPal [service@int.paypal.com]
Subject:      History of transactions #PP-011-538-446-067

ID

Transaction: { figure } {SYMBOL }

On your account malicious activity , for 1 hour was filmed around $ 100 , in small amounts In order to avoid blocking the account you need to go in. Authenticate Now

Sincerely, Services for protection

Department

PayPal does not tolerate fraud or illegal activities. Your complaint It was noted in the minutes of PayPal user you reported . If we find that This user has violated our policies , we will investigate and take appropriate action. In this case , you can contact in the future status this complaint.

To ensure that future transactions proceed smoothly, we suggest you visit PayPal site and click the Security Center link located at the top of any page. There you will find tips on how to avoid scammers " Fraud Prevention Tips for Buyers " section.

Please do not reply to this email. This mailbox is not monitored and you will not receive a response. For assistance , log in to your PayPal account and click the Help link in the upper right corner of any page PayPal.

Copyright © 1999-2013 PayPal. All rights reserved.

PPID PP {DIGIT } The history of monetary transactions 

The link in the email goes through a URL shortening service at [donotclick]url7.org/KRh - one annoying feature with this service is that you have to click through a form to get the link, so it isn't easy to see where you are going to land. In this case it is [donotclick]184.168.56.23/observatories/index.html and then it runs one of the following three scripts:
[donotclick]81.143.33.169/garrotting/rumples.js
[donotclick]northeastestateagency.co.uk/queues/relaxes.js
[donotclick]mineralmizer.webpublishpro,com/peps/dortmund.js

From there, the victim is sent to a hijacked GoDaddy domain at [donotclick]dshapovalov.info/topic/able_disturb_planning.php hosted on 192.81.134.241 (Linode, US) which is the same server used in this attack. There are other hijacked GoDaddy domains on the same domain (listed below in italics).

Recommended blocklist:
192.81.134.241
watchfp.org
watchfp.mobi
journeyacrossthesky.com
dshapovalov.info
watchfp.net
dshapovalov.info
mineralmizer.webpublishpro.com
northeastestateagency.co.uk
81.143.33.169

Something is very wrong with Gandi US (AS29169 / 173.246.96.0/20)

Recently I have been suggesting reader block quite a few individual IPs at Gandi in the US, but I hadn't noticed exactly how many IPs I had been suggesting until a couple of days ago.

The problem seems to exist in the 173.246.96.0/20 block of AS29169 (173.246.96.0 - 173.246.111.255), a range of IP addresses that houses very many legitimate domains. Unfortunately, it also houses several malicious servers in the 173.246.102.0/24, 173.246.103.0/24 and 173.246.104.0/24 ranges, alongside legitimate sites.

First of all, let's look at the warnings I have given about this IP range just in this blog alone (ignoring all external sources):

173.246.101.146	CNN "Harrison Ford" spam / 173.246.101.146 and fragrancewalla.com
173.246.102.2	Malware sites to block 7/3/13
173.246.102.223	Citi Cards spam / 6.bbnface.com and 6.mamaswishes.com
173.246.102.246	Something evil on 173.246.102.246
173.246.103.26	ADP spam / 14.sofacomplete.com
173.246.103.59	Malware sites to block 23/11/12
173.246.103.112	Malware sites to block 22/11/12
173.246.103.124	Malware sites to block 23/11/12
173.246.103.184	Malware sites to block 23/11/12
173.246.104.104	Something evil on 173.246.104.104
173.246.104.136	CNN "Angelina Jolie tops list of highest-paid actresses" spam / deltadazeresort.net
173.246.104.154	Something evil on 173.246.104.154
173.246.104.184	PayPal spam / londonleatheronline.com
173.246.104.21	Malware sites to block 23/11/12
173.246.104.55	"INCOMING FAX REPORT" spam / chellebelledesigns.com
173.246.105.15	eFax / jConnect spam and eliehabib.com
173.246.106.150	"Scan from a Xerox WorkCentre" spam / Scan_06122013_29911.zip

So, curious about how bad the situation was I went off to identify servers currently hosting malware, and the list I came up with was:


173.246.102.2
173.246.102.202
173.246.102.223
173.246.102.250
173.246.103.47
173.246.103.191
173.246.103.232
173.246.104.52
173.246.104.55
173.246.104.104
173.246.104.128
173.246.104.154
173.246.104.184
173.246.104.185


That's quite a concentration of badness. You can see a full list of the malicious domains, WOT ratings, Google prognosis and SURBL codes here [csv]. There's a plain list of domains at the end of the post for copy-and-pasting.


Now, normally I would recommend blocking at least a /24 when dealing with this sort of level badness, but as this overview of the /20 shows [csv] there are a load of legitimate sites interspersed with the malware. Of course, you may want to block chunks of this IP range anyway and live with the collateral damage.. if you are hosted in this range then I suggest it is time to look for a new host.



Over the past 12 months there have been at least 25 malware servers in this block, with 173.246.102.0/24 hosting 5, 173.246.103.0/24 hosting 8 and 173.246.104.0 hosting 9. Something must be seriously wrong at Gandi to allow this to happen.


Recommended blocklist:
173.246.102.2
173.246.102.202
173.246.102.223
173.246.102.250
173.246.103.47
173.246.103.191
173.246.103.232
173.246.104.52
173.246.104.55
173.246.104.104
173.246.104.128
173.246.104.154
173.246.104.184
173.246.104.185
17.247nycr.com
17.247nycrealty.com
17.allianceyouthsports.com
17.americanseniorgazette.net
17.apielectrical.com
17.apipoolservice.com
17.bearfoothouse.com
17.bestbysouthwest.net
17.bradentons-finest.com
17.carlileenrollment.com
17.ccbenroll.com
17.chefsenrollment.com
17.culliganwaternet.com
17.culliganwaternet.net
17.dchealthcaresolutions.com
17.deadbeatcustomers.com
17.deborahramanathan.com
17.docholidaybanners.com
17.doorssanantoniocom.com
17.drdeborahramanathan.com
17.enrollmentforce.com
17.entrepreneursnetworkofmichigan.com
17.foodypon.com
17.foodypon.info
17.grantmassie.com
17.grantmassie.net
17.grantmassie.org
17.heyculliganman.net
17.kathybissell.com
17.kbgolfcoursesales.com
17.kingdom-mystery.org
17.landvirginia.com
17.lascrittore.com
17.ledbymmhd.com
17.lonestarenrollment.com
17.lwrbeerfestival.com
17.meccandivinity.com
17.mmholidaydecor.com
17.moffdomains.com
17.nstarbankenrollment.com
17.opti-max.com
17.optimax.us
17.paperlessenrollment.com
17.paperlessenrollments.com
17.productpurveyors.com
17.quakertownfamilydoctor.com
17.rbasa.com
17.rbasanantonio.com
17.redtreebookings.com
17.renewenrollment.com
17.sanantoniodoors.net
17.sanantoniohardiplank.com
17.sanantoniosiding.com
17.sanantoniosiding.net
17.sanantoniowindows.net
17.scottbarr.org
17.seniorgazette.org
17.seniorgolfrankings.com
17.soonerflight.com
17.southwestexteriors.com
17.texcoteproblems.com
17.thebusiness-solutions.com
17.themarketmakers.org
17.thetelecomgroup.com
17.ultimateserviceexperience.com
17.ultimateserviceguarantee.com
17.valuationwidgets.com
17.vinyl-windows.org
17.webezmarketing.com
17.worldclassexteriors.com
17.yourbrokerforlife.com
1800callabe.com
1866callabe.com
19.accentchicagostore.com
19.advancedweb2solutions.com
19.campaignsusa.com
19.collectiblesminnesota.com
19.diet4usa.org
19.floridafractionalproperty.com
19.floridafractionalrealestate.info
19.floridafractionalrealestate.us
19.giftbasketminnesota.com
19.giftminn.com
19.giftminnesota.com
19.giftmn.com
19.giftsfromminnesota.com
19.giftsminnesota.com
19.icandyliciousshop.com
19.icandyliciousstore.com
19.icandysugarshoppe.com
19.icandysugarshoppe.org
19.kitchenandbathatlanta.com
19.kodiakgaming.com
19.lovefromchicago.com
19.lovefromchicagostore.com
19.lovefromcompanies.com
19.lovefrommn.com
19.minngift.com
19.minnsotagifts.net
19.minnstore.com
19.mngift.com
19.navypierstore.com
19.northwoodscabinstore.com
19.pacifictusk.com
19.pacifictuskbuilders.com
19.souvenirminnesota.com
19.storeminn.com
19.sunburstsouvenirs.com
19.sunburstsouvenirs.info
19.sunburstsouvenirs.net
19.thelovefromcompanies.com
21.3to2converter.com
21.aribadellago.com
21.az55pluscommunity.com
21.baleraatfirerock.com
21.bringmemyleads.biz
21.bringmemyleads.com
21.bringmemyleads.info
21.bringmemyleads.net
21.bringmemyleads.org
21.bringmemyleads.us
21.cedrictherealtor.com
21.cedricthevegasrealtor.com
21.cordilleraatcopperwynd.com
21.crestviewatfountainhills.com
21.customswitchpanel.com
21.homesbythefountain.com
21.liquidstainedglass.com
21.liveinfountainhills.com
21.liveinlassendas.com
21.luxuriousscottsdale.com
21.wow-bottles.com
23.area-plumbing-company.com
23.garryowen.biz
23.goalsettingprogram.biz
23.mdvideoproduction.com
4.whereintuscany.com
4.whereintuscia.com
4.whereinumbria.com
4.whereinvaldaosta.com
4.whereinveneto.com
6.bbnface.com
6.bbnfaces.com
6.bbnfaces.net
6.mamasauction.com
6.mamaswishes.com
6.mamaswishes.net
6.mamaswishes.org
abemoussa.com
abemuggs.com
abes.co
abes.net
abesburger.com
biobcetsozxzxifwchyxxslfcaxws.info
byvcxdydxgyzxqwvnqktgpbfm.com
chellebelledesign.com
chellebelledesigns.com
eaeobxgtsvsjzljwkskvcaegqyay.net
findmynewschool.com
findyourpetcare.info
findyourpetcare.net
findyourpetcare.org
folsomdogplay.com
folsomdogs.com
folsomdogtrainingschool.com
godogresort.com
gottaghost.com
gottagirl.net
greawsome.com
gubmpfypeisctovkgaqghircxsfqlqc.biz
ingeuswghskzddxxlvgmqpvk.net
janetmoss.com
jerseycitybags.com
jerseyluggage.com
jmosswinery.com
jrzlzhmrwomfhaeqclwokvdm.net
kennethcolenyoutlet.com
kiddypals.com
kidswalla.com
kitchenwalla.com
kneetite.com
kzusdyhpypeavgltsjvdljpvojqg.com
labodysculpt.com
lacellulaze.com
laserabs.com
laserbod.com
laserbodycontour.com
laserbodyfit.com
laserbodysculpt.com
laserbodysculpt.info
laserbodysculpt.net
laserbodysculpt.org
laserbodytight.com
laserfigure.com
laserlipobanking.com
laserlipofirm.com
laserlipomanhattan.com
laserlipoplasticsurgeon.com
laserlipo-plasticsurgeon.com
laserlipoplasticsurgeons.com
laserlipo-plasticsurgeons.com
laserlipopro.com
laserliposolution.com
laserlipotight.com
laserlipotopdocs.com
laserniptuck.com
laserpecs.com
laser-sculpt.com
laser-sculpting.com
lasertoned.com
lasertuck.com
lazersculpt.com
lazertite.com
lidlaser.com
lidtight.com
lipo-exatlanta.com
lipo-exbeverlyhills.com
london-leather.com
magnetas.mx
marinedockladders.com
marzenamelby.com
minneapolisareareosales.com
minneapolisforeclosuredeals.com
pciinvbupnxkfatrsuhicuaue.net
prdqjfhwookftucvkwclhyzlyt.biz
premiumrentalproperty.com
remote-recording-mixing.com
rglrlprbayscvwfkqmbqtkj.com
rockvilleautobody.biz
roll-on-bracelets.info
scnrpnqojbaymfvclcdqhtpdi.org
share.afghans.net
shuofrpvcyukzgqnjbykrvkddu.com
stevecozz.com
tgvwvofaamqcciqhiqoutoprwkqwjn.com
theinternetchauffeur.biz
the-internet-chauffeur.com
trippling.com
twbevoabakbrghlnfylbuempvmfmb.org
twincitiesfamilywellness.com
veolux.com
yhlnibrgxwxplfjsoauondhunv.com
ylhqlrgqxgordeytindafukreqjvtw.info

Something evil on 174.140.168.239

The server at 174.140.168.239 (DirectSpace Networks LLC, US) is currently hosting a large number of hijacked GoDaddy domains and is being used to distribute malware [1] [2] [3].

It looks like this server has been active for a couple of months and has been used for a variety of evil purposes, I strongly recommend blocking the following:

174.140.168.239
50shadesofshades.com
50shadesofsunshades.com
800fragrances.com
aeroliteluggage.com
aerotechluggage.com
babysurplusshop.com
bagcast.com
bagd.us
bagdup.com
baggagereviews.com
bagpreview.com
bagpreviews.com
bagsare.us
bagsr.me
bagsr.us
bagswalla.com
bag-tv.com
bhanoteenterprises.com
carluccileather.com
carluccileathers.com
checkpointbackpacks.com
checkpoint-friendly-backpacks.com
checkpoint-friendly-bag.com
checkpoint-friendly-bags.com
checkpointfriendlybusinesscases.com
checkpointfriendlylaptopcases.com
checkpoint-friendly-laptopcases.com
checkpoint-friendly-luggage.com
checkpointfriendlytravelaccessories.com
checkpoint-friendly-travel-accessories.com
checkpointluggage.com
chimneycapsupply.com
clotheswalla.com
consumerluggage.com
coolstowage.com
copperguttersupply.com
couponwalla.com
dealdin.com
eguttersupply.com
filterflowgutterguard.com
guttersupply.mobi
iguttersupply.com
micromeshguttercover.com
micromeshleafguard.com
ornamentalgutters.com
radiantcarbonheat.com
roofmaterialsupply.com
roofpanelsupply.com
rooftilesupply.com
shinglesupply.com
slatesupply.com
solarroofingsupply.com
thinkgreensupply.com
vidaline.com

Facebook spam / watchfp.net

All this malware-laden Facebook spam is boring. Here's another one, leading to a malicious payload on watchfp.net:

Date: Tue, 3 Sep 2013 11:37:14 -0700 [14:37:14 EDT]
From: Facebook [notification+zrdohvri=vd1@facebookmail.com]
Subject: Blake Miranda tagged 5 photos of you on Facebook

facebook

Blake Miranda added 5 photos of you.
See photos

Go to notifications
This message was sent to [redacted]. If you don't want to receive these emails from Facebook in the future, please click: unsubscribe.
Facebook, Inc. Attention: Department 415 P.O Box 10005 Palo Alto CA 94303

Blake is pretty feminine looking for a bloke:

The photograph is stolen from the website of Ashot Gevorkyan [some pictures perhaps nsfw] who has quite a nice porfolio. Anyway.. the link in the email uses a shortening service:

[donotclick]u.to/r05nBA which goes to
[donotclick]www.rosenberger-kirwa.de/triassic/index.html which loads one of the following:
[donotclick]safbil.com/stashed/flout.js
[donotclick]ftp.spectrumnutrition.ca/sunscreens/copping.js
[donotclick]schornsteinfeger-helmste.de/covetously/turk.js

The final step is that the victim ends up on a malware landing page at [donotclick]watchfp.net/topic/able_disturb_planning.php which is a hijacked GoDaddy domain hosted on 192.81.134.241 (Linode, US) along with some other hijacked domains listed in italics below. The attack is characteristic of the ThreeScripts series of malicious spam emails.

Recommended blocklist:
192.81.134.241
watchfp.org
watchfp.mobi
watchfp.net
safbil.com
ftp.spectrumnutrition.ca
schornsteinfeger-helmste.de

PayPal spam / londonleatheronline.com

This fake PayPal spam leads to malware on londonleatheronline.com:

Date:      Tue, 3 Sep 2013 09:43:09 +0400 [01:43:09 EDT]
From:      PayPal [service@int.paypal.com]
Subject:      Identity Issue #PP-716-472-864-836

We are writing you this email in regards to your PayPal account. In accordance with our "Terms and Conditions", article 3.2., we would like to kindly ask you to confirm your identity by completing the attached form.

Please print this form and fill in the requested information. Once you have filled out all the information on the form please send it to verification@paypal.com along with a personal identification document (identity card, driving license or international passport) and a proof of address submitted with our system ( bank account statement or utility bill ).
For more details please see on the page View all details

Your case ID for this reason is PP-U3PR33YIL8AV

For your protection, we might limit your account access. We apologize for any inconvenience this may cause.

Thanks,

PayPal

CONFIDENTIALITY NOTICE:

This electronic mail transmission and any attached files contain information intended for the exclusive use of the individual or entity to whom it is addressed and may contain information belonging to the sender (PayPal , Inc.) that is proprietary, privileged, confidential and/or protected from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any viewing, copying, disclosure or distributions of this electronic message are violations of federal law. Please notify the sender of any unintended recipients and delete the original message without making any copies. Thank You

PayPal Email ID PP53161

The link in the email goes to a legitimate hacked site and then loads one of these three scripts:
[donotclick]ftp.casacalderoni.com/liquids/pythias.js
[donotclick]tuviking.com/trillionth/began.js
[donotclick]walegion.comcastbiz.net/wotan/reuses.js

These scripts then try to deliver the victim to a malicious payload at [donotclick]londonleatheronline.com/topic/able_disturb_planning.php which is a hijacked GoDaddy domain hosted on 173.246.104.184 (Gandi, US) which is the same server as used in this attack, along with a number of other hijacked domains which are listed in italics below.

Recommended blocklist:
173.246.104.184
jerseycitybags.com
jerseyluggage.com
kennethcolenyoutlet.com
kiddypals.com
kidswalla.com
kitchenwalla.com
london-leather.com
londonleatheronline.com
ftp.casacalderoni.com
tuviking.com
walegion.comcastbiz.net

MONK spam tries to profit from WAR threat

The MONK (Monarchy Resources Inc) pump-and-dump spam continues. This time though, the spammers are trying to capitalise on the threat of war in the Middle East:

From:     belova04@jeel.com
Date:     2 September 2013 17:32
Subject:     This Stock just released Big News!

Are you interested in enriching yourself by means of war? It`s the very
time to do it! As soon as the first bombs get to the earth in Syria,
stone oil prices will move up the same as MONARCHY RESOURCES INC
(M-ON_K) share price. Go make money on Mon, Sep 2, 2013, get M-ON_K
shares!!!

As previously discussed, the stock price for this company has tanked and is unlikely to get any better. If you attempt to do some war profiteering on this stock then you will lose out, and frankly you won't get any sympathy from me.

Here are some other variants of the same scummy email:

You can make money on war!!! It`s right time to make it. The
moment the first rockets descend to Syria, oil prices will
rise the same as MONARCHY RESOURCES INC. (M O N_K) bond
price!!! Begin earning profits on Monday, September 02, 2013,
grab M O N_K shares.

It`s your turn to make money on war! It`s the very time to make it.
As soon as the first bombs touch the ground in Syria, black gold
prices will skyrocket as well as MONARCHY RESOURCES, INC (M-O-N K)
bond price. Start making money on Mon, Sep 02, 2013, get M-O-N K
shares.

There is a real opportunity to make money on war. It`s right time to
do it!!! As soon as the first bombs touch the ground in Syria, petrol
prices will move up just as Monarchy Resources, Inc (M-O_NK) bond
price. Start making money on Sep 2nd, grab M-O_NK shares!

Do you want to earn money on war? It`s the very time to realize
your plans! Just as the first bombs get to the earth in Syria,
oil prices will move up as well as Monarchy Resources, Inc
(MO-NK) share price! Go make profits on Sep 2nd, grab MO-NK
shares!!!

Facebook spam / london-leather.com

This fake Facebook spam leads to malware on london-leather.com:

Date:      Mon, 2 Sep 2013 19:59:52 +0300 [12:59:52 EDT]
From:      Facebook [update+hiehdzge@facebookmail.com]
Subject:      Victoria Carpenter commented on your status

facebook
Hello, Victoria Carpenter commented on your status. Victoria wrote: "so cute;)" Go to comments Reply to this email to comment on this status. See Comment
This message was sent to [redacted]. If you don't want to receive these emails from Facebook in the future, please unsubscribe. Facebook, Inc., Attention: Department 415, PO Box 10005, Palo Alto, CA 94303

In this case the link in the spam appears to use some sort of URL shortening service, first going to [donotclick]jdem.cz/5xxb8 then [donotclick]93.93.189.108/exhortation/index.html where it attempts to load one of the following three scripts:
[donotclick]codebluesecuritynj.com/mummifies/stabbed.js
[donotclick]mobileforprofit.net/affected/liberal.js
[donotclick]tuviking.com/trillionth/began.js

These scripts in turn direct the visitor to a malicious payload site at [donotclick]london-leather.com/topic/able_disturb_planning.php which is a hijacked GoDaddy domain hosted on 173.246.104.184 (Gandi, US) which hosts a number of malicious domains, also hijacked from GoDaddy and listed in italics below.

Recommended blocklist:
173.246.104.184
london-leather.com
kitchenwalla.com
kidswalla.com
jerseyluggage.com
jerseycitybags.com
kiddypals.com
kennethcolenyoutlet.com
codebluesecuritynj.com
mobileforprofit.net
tuviking.com

UPS Spam / UPS Invoice 74458652.zip

This fake UPS invoice has a malicious attachment:

From:      "UPSBillingCenter@ups.com" [UPSBillingCenter@ups.com]
Subject:      Your UPS Invoice is Ready


New invoice(s) are available for the consolidated payment plan(s) / account(s) enrolled in the UPS Billing Center. Download the attachment. Invoice will be automatically shown by double click.

Attached is a file UPS Invoice 74458652 which in turn contains a file called UPS Invoice {DIGIT[8]}.exe  which presumably isn't meant to be named like that..

The VirusTotal detection rate is a so-so 18/46. The Malwr analysis is that this is a trojan downloader that attempts to download bad things from the following locations:
[donotclick]gordonpoint.org/forum/viewtopic.php
[donotclick]mierukaproject.jp/PjSE.exe
[donotclick]programcommunications.com/WZP3mMPV.exe
[donotclick]fclww.com/QdytJso0.exe
[donotclick]www.lajen.cz/tPT8oZTB.exe

The VirusTotal detection rate for the downloaded file is not great at just 9/46.

The domain gordonpoint.org is a hijacked GoDaddy domain on 74.207.229.45 (Linode, US) along with several other hijacked domains which are listed below in italics.

Recommended blocklist:
74.207.229.45
gordonpoint.org
hitechcreature.com
industryseeds.ca
infocreature.com
itanimal.com
itanimals.com
jngburgerjoint.ca
jngburgerjoint.com
johnmejalli.com
mierukaproject.jp
programcommunications.com
fclww.com
www.lajen.cz

Wells Fargo spam / WellsFargo_08232013.exe

This fake Wells Fargo spam has a malicious attachment:

Date:      Fri, 23 Aug 2013 09:43:44 -0500 [10:43:44 EDT]
From:      Morris_Osborn@wellsfargo.com

Please review attached documents.

Morris_Osborn
Wells Fargo Advisors
817-718-8096 office
817-610-5531 cell Morris_Osborn@wellsfargo.com

Investments in securities and insurance products are:
NOT FDIC-INSURED/NO BANK-GUARANTEES/MAY LOSE VALUE

Wells Fargo Advisors, LLC is a nonbank affiliate of Wells Fargo & Company, Member
FINRA/SIPC. 1 North Jefferson, St. Louis, MO 63103

CONFIDENTIAL NOTICE: The contents of this message, including any attachments, are
confidential and are intended solely for the use of the person or entity to whom the
message was addressed. If you are not the intended recipient of this message, please be
advised that any dissemination, distribution, or use of the contents of this message is
strictly prohibited. If you received this message in error, please notify the sender.
Please also permanently delete all copies of the original message and any attached
documentation. Thank you.

In this case there is an attachment WellsFargo.victimname.zip which contains a malicious executable WellsFargo_08232013.exe (note the date is encoded into the filename). The VirusTotal detection rate is just 4/45, but the file itself is unusually small (just 21Kb unzipped, 8Kb zipped) when I would normally expect to see the executable closer to 100Kb for this sort of malware.

What does it do? Well, the automated reports show it rummaging through various browser and address book data, and the ThreatTrack report [pdf] shows a DNS lookup of the domain huyontop.com plus what appears to be some peer-to-peer activity. Malwr, Comodo CAMAS and Anubis are somewhat less enlightening.

The WHOIS details for the domain huyontop.com appear to be valid (I won't list them here, look them up if you want), however it was only registered a few days ago. I can't tell you exactly what it is doing, but I would treat huyontop.com as being potentially malicious and block it if you can.

"Remittance Docs 2982780" spam / Docs_08222013_218.exe

This fake Chase spam has a malicious attachment:

Date:      Thu, 22 Aug 2013 10:00:33 -0600 [12:00:33 EDT]
From:      Jed_Gregory [Jed_Gregory@chase.com]
Subject:      Remittance Docs 2982780

Please find attached the remittance 2982780.                                             
                                                            If you are unable to open the
attached file, please reply to this email        with a contact telephone number. The
Finance Dept will be in touch in          due course. Jed_Gregory
Chase Private Banking      Level III Officer
3 Times Square
New York, NY 10036
T. 212.525.8865
F. 212.884.2034

The attachment is in the format Docs_victimdomain.com.zip which contains an executable Docs_08222013_218.exe (note that the date is encoded into the file). The VirusTotal detection rate for this is a moderate 16/46. The Malwr analysis shows that this is a Pony/Gate downloader which attempts to connect to the following URLs:
[donotclick]watch-fp.ca/ponyb/gate.php
[donotclick]www.jatw.pacificsocial.com/VSMpZX.exe
[donotclick]richardsonlookoutcottages.nb.ca/Q5Vf.exe
[donotclick]idyno.com.au/kvdhx2.exe

The downloader then downloads a second part with a much lower detection rate of 6/46. This appears to be a Zbot variant, and the Malwr analysis for that component is here.

The Pony/Gate component is hosted on 72.5.102.146 (Nuclear Fallout Enterprises, US) and is a hijacked GoDaddy domain, one of several on that server and listed below in italics.

Recommended blocklist:
72.5.102.146
dennissellsgateway.com
justinreid.us
successchamp.com
thenatemiller.biz
thenatemiller.co
thenatemiller.info
thenatemiller.net
thenatemiller.org
watch-fp.biz
watch-fp.ca
watch-fp.com
watch-fp.info
watch-fp.mobi
waterwayrealtyteam.us
jatw.pacificsocial.com
richardsonlookoutcottages.nb.ca
idyno.com.au

Discover card "Your account login information updated" spam / abemuggs.com

This fake Discover card spam leads to malware on abemuggs.com:

Date:      Thu, 22 Aug 2013 16:14:59 +0000 [12:14:59 EDT]
From:      Discover Card [no-reply@facebook.com]
Subject:      Your account login information updated

Discover
Access My Account
   
ACCOUNT CONFIRMATION    Statements | Payments | Rewards   
Your account login information has been updated.

Dear Customer,

This e-mail is to confirm that you have updated your log-in information for Discover.com. Please remember to use your new information the next time you log in.

Log In to review your account details or to make additional changes.

Please Note: If you did not make this request, please contact us immediately at 1-800-DISCOVER (1-800-347-2683).
   
Sign up    

Don't miss out—sign up to get exclusive offers via e-mail from Discover.

Sign Up
   
Facebook    Twitter    I Love Cashback Bonus Blog    Mobile

   
Add discover@service.discover.com to your address book to ensure delivery of these e-mails.
See ways to help identify authentic Discover e-mails by visiting our email security page.

    IMPORTANT INFORMATION

This e-mail was sent to [redacted].

You are receiving this Discover e-mail as a confirmation of your account activity.

Log in to update your e-mail address or view your account e-mail preferences.

If you have any questions about your account, please log in to contact us securely and we will be happy to assist you.

Please do not reply to this e-mail as we are not able to respond to messages sent to this address.

DISCOVER and other trademarks, logos and service marks used in this e-mail are the trademarks of Discover Financial Services or their respective third-party owners.

Discover Products Inc.
P.O. Box 30666
Salt Lake City, UT 84130
©2012 Discover Bank, Member FDIC

TRUPCHNG_A1_A1_A1

The link in the email uses the Twitter redirection service to go to [donotclick]t.co/9PsnfeL8hh then [donotclick]x.co/1neIk then [donotclick]activegranite.com/vocatives/index.html and finally to a set of three scripts as follows:
[donotclick]02aa198.netsolhost.com/frostbite/hyde.js
[donotclick]96.9.28.44/dacca/quintilian.js
[donotclick]cordcamera.dakisftp.com/toothsome/catch.js

From this point the victim ends up at the malicious payload at [donotclick]abemuggs.com/topic/able_disturb_planning.php which is a hijacked GoDaddy domain hosted on 74.207.253.139 (Linode, US).

At the moment, I can only see abemuggs.com active on 74.207.253.139, however other domains in the same GoDaddy account may be hijacked as well. If you see unexpected traffic going to the following domains then it may be malicious:
abemuggs.com
abesmugs.com
abemugs.com
andagency.com
mytotaltitle.com

I would strongly recommend the following blocklist:
74.207.253.139
96.9.28.44
abemuggs.com
02aa198.netsolhost.com
cordcamera.dakisftp.com

Facebook spam / thenatemiller.co

This fake Facebook spam leads to malware on thenatemiller.co:

Date:      Wed, 21 Aug 2013 22:05:38 +0530 [12:35:38 EDT]
From:      Facebook [update+hiehdzge@facebookmail.com]
Subject:      You requested a new Facebook password

facebook
Hello,

You recently asked to reset your Facebook password.
Click here to change your password.
Didn't request this change?
If you didn't request a new password, let us know immediately.
Change Password
This message was sent to [redacted] at your request.
Facebook, Inc., Attention: Department 415, PO Box 10005, Palo Alto, CA 94303

Nothing good will come from clicking the link. First victims go to a legitimate but hacked site that attempts to load the following three scripts:
[donotclick]gemclinicstore.com/admitted/tintinnabulations.js
[donotclick]mathenyadvisorygroup.com/toffies/ceiling.js
[donotclick]www.it-planet.gr/schlepped/suitor.js

From there the victim is directed to a malware landing page at [donotclick]thenatemiller.co/topic/able_disturb_planning.php (.co, not .com) which is a hijacked GoDaddy domain hosted on 72.5.102.146 (Nuclear Fallout Enterprises, US) along with several other hijacked domains (listed below in italics).

Recommended blocklist:
72.5.102.146
successchamp.com
dennissellsgateway.com
thenatemiller.co
thenatemiller.info
justinreid.us
waterwayrealtyteam.us
thenatemiller.biz
gemclinicstore.com
mathenyadvisorygroup.com
www.it-planet.gr

Laughable advanced fee fraud scam promises $2.5

Two-and-a-half bucks? I think I'll pass.

From:     Mr Anthony Freed [johnewele12@cantv.net]
Reply-to:     dhlcorriadeliveryservice@live.com
Date:     20 August 2013 21:13
Subject:     Attention please!!!

Attention please!!!

We have registered your ATM CARD of (US $2.5) with DHL Express Courier Company with registration code of ( 9665776) please Contact with your delivery
information:
DHL OFFICE:
Name Dr:Mark Jonson.
E-mail: dhlcorriadeliveryservice@live.com //officedhldelivery service
Tel:+229 98270349.

We have paid for the Insurance & Delivery fee.The only fee you have to pay is their Security fee only.Please indicate the registration Number of ( 22-82797457 )and ask Him how much is their Security fee so that you can pay it.
Best Regards.
Rev.Anthony Fred

I don't think I've seen an Advanced Fee Fraud spam so full of fail for a long time..

Facebook spam / dennissellsgateway.com

This fake Facebook spam leads to malware on dennissellsgateway.com:

Date:      Tue, 20 Aug 2013 15:28:11 -0500 [16:28:11 EDT]
From:      Facebook [no-reply@facebook.com]
Subject:      Gene Maynard wants to be friends with you on Facebook.

facebook
   
Gene Maynard wants to be friends with you on Facebook.
University of Houston, Victoria
342 friends - 28 photos
Confirm Request
       
See All Requests
This message was sent to [redacted]. If you don't want to receive these emails from Facebook in the future, please click: unsubscribe.
Facebook, Inc. Attention: Department 415 P.O Box 10005 Palo Alto CA 94303

This is a "ThreeScripts" attack, with the link first going to a legitimate hacked site and then through one of the following three scripts:
[donotclick]ftp.crimestoppersofpinellas.org/jonson/tried.js
[donotclick]italiangardensomaha.com/moocher/pawned.js
[donotclick]www.it-planet.gr/schlepped/suitor.js

From there, the victim ends up on a hijacked GoDaddy domain with a malicious payload at [donotclick]dennissellsgateway.com/topic/able_disturb_planning.php on 72.5.102.146 (Nuclear Fallout Enterprises, US) along with some other hijacked domains (listed in italics below).

Recommended blocklist:
72.5.102.146
dennissellsgateway.com
justinreid.us
waterwayrealtyteam.us
www.it-planet.gr
italiangardensomaha.com
ftp.crimestoppersofpinellas.org

Update:
Another spam is circulating with a different pitch, but the same malicious payload:

Dear Customer,

The following is your Credit Card settlement report for Monday, August 19, 2013.
Transaction Volume Statistics for Settlement Batch dated 19-Aug-2013
Batch ID: 108837538
Business Day: 19-Aug-2013
Net Batch Total: 3704.75 (USD)
Number of Charge Transactions: 1
Amount of Charge Transactions: 3704.75
Number of Refund Transactions: 5
Amount of Refund Transactions: 315.74
You can download your full report at https://account.authorize.net/login/protected/download/settlementreport/

To view details for a specific transaction, please log into the Merchant Interface.

1.Click "Reports" from the main menu
2.Select "Transaction Details by Settlement Date"
3.Select "Settled Transactions" from the Item Type drop-down box.
4.Select the Settlement Date for the batch you would like to view from the "Date" drop-down box
5.Click "Run Report"
6.In the results, click on any transaction ID to view specific details for that transaction.

If you have any questions regarding this settlement report, please contact us by Secure Mail or you can call Customer Support at 1-877-447-3938.

Thank You,
Authorize.Net
*** You received this email because you chose to be a Credit Card Report
recipient. You may change your email options by logging into the Merchant
Interface. Click on Settings and Profile in the Main Menu, and select
Manage Contacts from the General section. To edit a contact, click the
Edit link next to the contact that you would like to edit. Under Email
Types, select or deselect the Email types you would like to receive. Click
Submit to save any changes. Please do not reply to this email.

"You have received a secure message" spam / securedoc.zip

This fake Citi spam contains a malicious attachment:

Date:      Mon, 19 Aug 2013 20:24:27 +0000 [16:24:27 EDT]
From:      "secure.email@citi.com" [secure.email@citi.com]
Subject:      You have received a secure message

You have received a secure message Read your secure message by opening the attachment, securedoc. You will be prompted to open (view) the file or save (download) it to your computer. For best results, save the file first, then open it with Internet Explorer. If you have concerns about the validity of this message, please contact the sender directly. For questions please contact the Citi Secure Email Help Desk at (866) 535-2504. First time users - will need to register after opening the attachment. About Email Encryption - http://www.citi.com/citi/citizen/privacy/email.htm

Attached is a file securedoc.zip which in turn contains a malicious executable securedoc.exe which has a very low detection rate at VirusTotal of just 2/46. The Malwr analysis (and also ThreatExpert) shows that the file first connects to [donotclick]frankcremascocabinets.com/forum/viewtopic.php (a hijacked GoDaddy domain on 184.95.37.102 (Secured Servers, US / Jolly Works Hosting, Philippines) as seen before here, and it then tries to downoad additional components from:

[donotclick]lobbyarkansas.com/0d8H.exe
[donotclick]ftp.ixcenter.com/GMMo6.exe
[donotclick]faithful-ftp.com/kFbWXZX.exe

This second part has another very low VirusTotal detection rate of just 3/46. Malwr gives an insight into what the binary is doing, or alternatively you can look at the Comodo CAMAS report or ThreatExpert report. 

Recommened blocklist:
184.95.37.96/28
frankcremascocabinets.com
giuseppepiruzza.com
gordonpoint.biz
gordonpoint.info
hitechcreature.com
frankcremasco.com
lobbyarkansas.com
ftp.ixcenter.com
faithful-ftp.com

"You requested a new Facebook password" spam / frankcremascocabinets.com

This fake Facebook spam follows on from this one, but has a different malicious landing page at frankcremascocabinets.com:

From:     Facebook [update+hiehdzge@facebookmail.com]
Date:     19 August 2013 17:38
Subject:     You requested a new Facebook password

facebook
Hello,

You recently asked to reset your Facebook password.
Click here to change your password.
Didn't request this change?
If you didn't request a new password, let us know immediately.
Change Password
This message was sent to [redacted] at your request.
Facebook, Inc., Attention: Department 415, PO Box 10005, Palo Alto, CA 94303

The link in the email goes to a legitimate hacked site which then tries to load one or more of the following three scripts:
[donotclick]ftp.hotwindsaunausa.com/clingy/concord.js
[donotclick]katchthedeal.sg/stilling/rifts.js
[donotclick]ftp.navaglia.it/gazebo/cowboys.js

The victim is then directed to a malware payload at [donotclick]frankcremascocabinets.com/topic/able_disturb_planning.php hosted on 184.95.37.102 (Secured Servers, US / Jolly Works Hosting, Philippines). This domain is a hijacked GoDaddy domain and there are several others on the same server (listed below in italics).

Recommended blocklist:
184.95.37.96/28
ftp.hotwindsaunausa.com
katchthedeal.sg
ftp.navaglia.it
giuseppepiruzza.com
frankcremascocabinets.com
gordonpoint.biz
hitechcreature.com
frankcremasco.com

Facebook spam / hubbywifewines.com

This fake Facebook spam leads to malware on hubbywifewines.com:

Date:      Mon, 19 Aug 2013 16:20:06 +0200 [10:20:06 EDT]
From:      Facebook [update+hiehdzge@facebookmail.com]
Subject:      You requested a new Facebook password


facebook
Hello,

You recently asked to reset your Facebook password.
Click here to change your password.
Didn't request this change?
If you didn't request a new password, let us know immediately.
Change Password
This message was sent to [redacted].net at your request.
Facebook, Inc., Attention: Department 415, PO Box 10005, Palo Alto, CA 94303

The link in the email goes to a legitimate hacked site and then loads one or more of these three scripts:
[donotclick]ftp.hotwindsaunausa.com/clingy/concord.js
[donotclick]katchthedeal.sg/stilling/rifts.js
[donotclick]ftp.navaglia.it/gazebo/cowboys.js

The victim is then forwarded to a malware landing page using a hijacked GoDaddy domain at [donotclick]hubbywifewines.com/topic/able_disturb_planning.php hosted on 72.5.102.192 (Nuclear Fallout Enterprises, US) along with another hijacked domain of hubbywifefoods.com.

Recommended blocklist:
72.5.102.192
hubbywifewines.com
hubbywifefoods.com
ftp.hotwindsaunausa.com
katchthedeal.sg
ftp.navaglia.it

MONK / Monarchy Resources, Inc pump-and-dump spam

Another day, another pump-and-dump spam run, this time being sent to randomly generated email addresses promoting MONK (Monarchy Resources, Inc). Here are some examples:

Subject: Pick Of The Week... Do Not Miss Out This Time!
Make easy $15'000 Monday!!! Hello, want to receive $15'000 by
next Friday? You would receive lot more if you get this hot
stock on Monday. The stock symbol is: M_O N_K. It's Monarchy
Resources, Inc.. It sells under 48 cents, but it should
see $1'80 shortly! Purchase shares of M_O N_K on Aug, 19
below 48 cents and multiply your cash! It could be
awesome to get $15'000 by Friday. And it's very easy to
receive. On Monday, Aug 19, 2013 order 43'000 shares of M_O
N_K and get over $15'000 by Friday

Subject: Hot Investor News
Pocket your $17'000 now! Howdy, need to pocket $17'000 by this Saturday? You
will get lots more if you purchase this premium stock on Monday. The stock
symbol is: M_ONK. It's MONARCHY RESOURCES INC.. It sits below 42 cents,
but it should see $1'20 promptly! Purchase shares of M_ONK on Mon, Aug
19th, 2013 under 42 cents and multiply your investment. It will be
amazing to earn $17'000 by Saturday. And its very easy to get! On Aug, 19th
order 29'000 shares of M_ONK and receive over $17'000 by Saturday!!!

Subject: Walgreens News!!!
Make easy $12'000 now! Hello, ready to pocket $12'000 by next
Saturday? You would receive lots more if you order this
undervalued stock on Monday. The company symbol is: M O N K.
It's Monarchy Resources, Inc. It goes under 40 cents, but
it could settle $1.90 promptly! Get shares of M O N K on
Monday, Aug 19th, 2013 under 40 cents and quadruple your
investment. It can be amazing to earn $12'000 by Saturday. And
its very easy to do! On Aug, 19 trade 21'000 shares of M O N K
and get over $12'000 by Saturday.

Subject: Profile Alert
Earn fast $13'000 now! Hello, ready to pocket $13'000 by this Thursday?
You can make lot more if you get this new stock on Monday. The stock
symbol is: M_O N_K. Its MONARCHY RESOURCES, INC. It goes under 30
cents, but it should see $1.55 shortly! Get shares of M_O N_K on
Monday, Aug 19 under 30 cents and quadruple your portfolio. It
could be cool to make $13'000 by Thursday. And it's very easy to do! On
Mon, August 19th, 2013 buy 35'000 shares of M_O N_K and pocket over
$13'000 by Thursday!

The spam that I have seen appears to originate primarily from IP addresses in India.

So, what's up with MONK? The stock has only been trading since June and most of that time it has been at around the $1.00 level. At the beginning of August the price dropped to $0.40 and then $0.20 per share (dropping for one point to just $0.10), losing more than 75% of its value since launch (see the stock chart here).

On 16th August there was a flurry of activity as 209,400 shares were bought at around the $0.20 or somewhat under that. Usually this is the spammers taking up a position in the company that they are about to spam. On the next day (a Saturday) the pump-and-dump spam started. So far today about 450,000 shares have been traded, apparently giving the stock a bit of a bump as whoever has hired the spammers tries to cash out.

As with all pump-and-dump spams, the only people making money out of it are the scammers who run it. Any investor who tries to try to invest in these it likely to lose some or all of their investment. Avoid

Malekal.com Joe Job part II

There has been a Joe Job being run against Malekal.com for some time now. However, the joe job has now morphed and includes a reference to this blog (which is kind of annoying).

Date:      Sun, 18 Aug 2013 14:35:33 +0300 [08/18/13 07:35:33 EDT]
Subject:      Email SPAM for malekal.com

Theses emails SPAM are sent from a botnet (check the mails headers), im not
responsible of theses spam emails.
Someone is probably trying to get the site blacklisted or to get bad reputation
(called this "a Joe Job" - see :
http://blog.dynamoo.com/2013/08/malekalcom-joe-job.html )

The responsible is " Reveton Guy ", try to get revenge after a mass shutdown of
their malvertising :

http://www.malekal.com/2013/07/30/en-juicyads-reveton-malvertising/
http://www.malekal.com/2013/07/28/en-plugrush-reveton-malvertising/
http://www.malekal.com/2013/07/26/en-reveton-adxpansion-com-malvertising/

The August 11, they tried to get my website blacklisted using hacked website :
http://www.malekal.com/2013/08/12/en-reveton-go-now-by-hacked-website/

This is rather more subtle than the previous Joe Job, as it appears to be from the Malekal administrator themselves. However, it is being sent by a botnet (probably the same botnet sending the original spam) and is just another way to cause trouble.

These spam emails are tightly targeted to addresses that are most likely to make complaints. If you are going to report these, then I'd appreciate it if you would report the sending IP only rather than just copy-and-pasting all the links in.

"California Human Right Foundation CHRF USA" scam email

It's hard to say whether or not this scam is simply a version of the advanced fee fraud (you can come to the conference, but there will be fees and hotel charges), or if the idea is that you go down to Senegal and get kidnapped. In any case, this is a scam send to an email address scraped from the web via a hijacked email account in Indonesia. Similar scams have been seen before. Avoid.

From:     Mrs Cira Jonas [dede@yongjin.co.id]
Reply-To:     cirajo101@blumail.org
Date:     16 August 2013 18:06
Subject:     2013 USA (CHRF) CONFERENCE/INVITATION!!!

Dear Colleagues,

On behalf of California Human Right Foundation CHRF USA, It is a great privilege for us to invite you to global Congress meeting against Economic Crisis, Child Protection & HIV/AIDS Treatment, Prostitution, Sex Work and forced Labor. The aims of the conference are to bring together researchers and practitioners in an effort to lay the ground work for future collaborative research, advocacy, and program development as well as to educate social service, health care, and criminal justice professionals on human trafficking and the needs and risks of those victimized by the commercial sex industry.

The global Congress meeting against Economic Crisis, Child Protection & HIV/AIDS Treatment, Prostitution, Sex Work and forced Labor is scheduled to take place from October 20th – 24th 203, in California the United States and in Dakar-Senegal, from October 26th – 30th 2013. The global congress is hosted by the Campaign against Child Labor Coalition and sponsored by (The Bill & Melinda Gates Foundation, The William J. Clinton Foundation and other benevolent donors worldwide.

Note that all interested delegates that requires entry visa to enter the United States to attend this meeting will be assisted by the organization, in obtaining the visa in their passport. Free air round trip tickets to attend this meeting will be provided to all participants. The Workshop welcomes paper presentation from any interested participants willing to present papers during the meeting.

For registration information you are to contact the conference secretariat via  Email: info.secretaryallissa@usa.com


Please share the information with your colleagues.

Sincerely,
Mrs Cira Jonas
E-mail: cirajo101@blumail.org
(M.D) Activities Coordinator

ADP spam / ADP_week_invoice.zip|exe

This fake ADP spam has a malicious attachment:

Date:      Fri, 16 Aug 2013 09:57:59 -0500 [10:57:59 EDT]
From:      "run.payroll.invoice@adp.com" [run.payroll.invoice@adp.com]
Subject:      ADP Payroll INVOICE for week ending 08/16/2013

Your ADP Payroll invoice for last week is attached for your review. If you have any
questions regarding this invoice, please contact your ADP service team at the number
provided on the invoice for assistance.

Thank you for choosing ADP Payroll.
Important: Please do not respond to this message. It comes from an unattended mailbox.

There is an attachment ADP_week_invoice.zip which in turn contains a malicious executable file ADP_week_invoice.exe. The payload is exactly the same as this other malicious spam run which is running in parallel.

"CEO Portal Statements & Notices Event" spam / report_{DIGIT[12]}.exe

This fake Wells Fargo email has a malicious attachment:

Date:      Fri, 16 Aug 2013 09:51:17 -0500 [10:51:17 EDT]
From:      Wells Fargo Event Messaging Admin [ofsrep.ceosmuigw@wellsfargo.com]
Subject:      CEO Portal Statements & Notices Event


Wells Fargo

Commercial Electronic Office (CEO) Portal Statements & Notices Event: Multiple Download Request Available

Your Deposit Adjustment Notices is now available. To access your information please download attached report and open Statements & Notices file.
Date/Time Stamp:    Fri, 16 Aug 2013 09:51:17 -0500
Request Name:    MM3P85NRLOXLOFJ
Event Message ID:    S045-77988311

Please do not reply to this email.

The email has an attachment called report_625859705821.zip which in turn contains an exectuable report_{DIGIT[12]}.exe (which presumably is an error) which has a VirusTotal detection rate of 9/46. The Malwr report shows that this malware does various things, inclding an HTTP request to a hijacked GoDaddy domain at [donotclick]hubbywifeco.com/forum/viewtopic.php hosted on 66.151.138.80 (Nuclear Fallout Enterprises, US) which is shared with another hijacked domain, hubbywifecakes.com.

From there, another executable is downloaded from one of the following locations:
[donotclick]208.106.130.52/39UvZmv.exe
[donotclick]demoscreactivo.com/DKM9.exe
[donotclick]roundaboutcellars.com/Utuw1.exe
[donotclick]bbsmfg.biz/VKPqrms.exe

This executable has an even lower detection rate of just 5/46. You can see the Malwr report for that here.

Blocking EXE-in-ZIP files like this at your perimeter is an excellent idea if you can do it.

Recommended blocklist:
66.151.138.80
hubbywifeco.com
hubbywifecakes.com
208.106.130.52
demoscreactivo.com
roundaboutcellars.com
bbsmfg.biz