37.59.164.209 is a server operated by OVH in France. It has many malicious domains hosted on it, indeed almost everything on it is flagged by Google as being malicious (highlighted in the list below). Blocking access to that IP address is the simplest approach as the malicious sites do seem to be in some flux.
Recommended blocklist:
fat-jaguar.info
amazingfingerprint.pingpong-shop.info
androidexclusiveaccepted.soda-waters.info
annesindecisive.ru
antilostprivacystar.soda-waters.info
arrayschamp.pingpong-shop.info
atomicexcelled.pingpong-shop.info
bisnothings.picture-editorsplus.com
bumpyrogue.pingpong-shop.info
cheerskasperskys.get-well-now.info
compilingresolved.get-well-now.info
compositingupfront.soda-waters.info
couponexposes.pingpong-shop.info
defraggingentire.soda-waters.info
designationrim.pingpong-shop.info
dipsisolated.ru
distortstrand.picture-editorsplus.com
droidsreceiver.pingpong-shop.info
errorannouncement.get-well-now.info
experttouserhome.picture-editorsplus.com
fdrsitelets.picture-editorsplus.com
flauntmalwarefighting.ru
fsecurevitas.picture-editorsplus.com
get-well-now.info
jfaxbike.get-well-now.info
karmic-koala.info
kudosphilly.picture-editorsplus.com
laguardiaduly.soda-waters.info
maoctopus.get-well-now.info
meaningsvisor.get-well-now.info
middletierpreventionandcleanup.picture-editorsplus.com
mtvmick.get-well-now.info
mypalmbehaviors.picture-editorsplus.com
nicesoundingextracting.soda-waters.info
noncopyrightprotectedfipscertified.soda-waters.info
nonstopeverconnected.soda-waters.info
offlineclosets.soda-waters.info
pbsearns.get-well-now.info
performgenre.soda-waters.info
pingpong-shop.info
plannerwaiter.get-well-now.info
reopeningphenomenal.pingpong-shop.info
retainedamazoncom.soda-waters.info
satiategb.get-well-now.info
savedtranscodes.soda-waters.info
soda-waters.info
treestructurezeroes.pingpong-shop.info
turbotwisttristate.get-well-now.info
wavelinkswing.pingpong-shop.info
webcontentfaces.ru
www.fat-jaguar.info
xmlbasedautomaticupdate.pingpong-shop.info
certificationthumbtack.job-orders.info
club-sandwich.info
datver.job-orders.info
job-orders.info
mirrorskitschy.job-orders.info
mountain-lion.biz
onion-sauce.com
openglkinectd.job-orders.info
poolseeming.job-orders.info
smallerwebspecific.job-orders.info
trendmicroaddfiletobackup.ru
tweakshunting.job-orders.info
Friday 6 September 2013
Thursday 5 September 2013
Facebook spam / kapcotool.com
This fake Facebook spam leads to malware on kapcotool.com:
From: Facebook [no-reply@facebook.com]
Date: 5 September 2013 15:21
Subject: Michele Murdock wants to be friends with you on Facebook.
Michele Murdock wants to be friends with you on Facebook.
University of Houston, Victoria
342 friends - 28 photos
Confirm Request
See All Requests
This message was sent to [redacted]. If you don't want to receive these emails from Facebook in the future, please click: unsubscribe.
Facebook, Inc. Attention: Department 415 P.O Box 10005 Palo Alto CA 94303
The link in the email uses an obscure URL shortening service to go first to [donotclick]fenixa.com/97855 and then to [donotclick]magic-crystal.ch/normalized/index.html, and at this point it attempts to load the following three scripts:
[donotclick]00398d0.netsolhost.com/mcguire/forgiveness.js
[donotclick]202.212.131.8/ruses/nonsmokers.js
[donotclick]japanesevehicles.us/vector/internees.js
The final step is a malware landing page at [donotclick]kapcotool.com/topic/able_disturb_planning.php which is a hijacked GoDaddy domain hosted on 74.207.227.154 (Linode, US) along with some other hijacked domains listed in italics below.
Recommended blocklist:
74.207.227.154
jgburgerlounge.ca
jngburgerjoint.ca
jngburgerjoint.com
johnmejalli.com
justcreature.com
justmonster.com
kalcodistributors.com
kapcotool.com
00398d0.netsolhost.com
japanesevehicles.us
202.212.131.8
Wednesday 4 September 2013
HSBC spam / Original Copy (Edited).zip
This fake HSBC spam links to a malicious ZIP file:
Date: Wed, 4 Sep 2013 01:45:17 -0700 [04:45:17 EDT]
From: HSBC Wire Advising service [wireservice@hsbc.com.hk]
Reply-To: hsbcadviceref@mail.com
Subject: HSBC Payment Advice Ref: [H6789000] / ACH Credits / Customer Ref: [PO780090] (Edited)
Dear Sir/Madam,
The attached payment advice is issued at the request of our customer. The advice is for your reference only.
Kindly Accept Our apology On the copy we sent earlier.
1 attachments (total 586 KB)
View slide show (1)
Download all as zip
Yours faithfully,
Global Payments and Cash Management
HSBC
Copyright © HSBC Group 2013. All rights reserved. Copyright/IP Policy | Terms of Service
NOTICE: We collect personal information on this site. To learn more about how we use your information, see our Privacy Policy.
"SAVE PAPER - THINK BEFORE YOU PRINT!"
The link in the email goes to a file sharing site at [donotclick]ge.tt/api/1/files/1AFpS3r/0/blob?download and then downloads a file Original Copy (Edited).zip which contains a malicious executable Original Copy (Edited).scr (actually a renamed .EXE file, not a screensaver). The VirusTotal detection rate is 14/16.
The malware uses various techniques to prevent being analysed in a sandbox, but the ThreatExpert report shows some network activity including a suspect connection to ftp.advice.yzi.me (185.28.21.26, Hostinger International US) which might be worth blocking.
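The post's point about the attachment is that a .scr file is a Windows executable (a PE file), so a mail gateway should treat it exactly like a .exe regardless of the extension. The following is an added example, not code from the original post: it builds a sample archive in memory with the member name the post reports, filled with a minimal constructed "MZ" header rather than the real payload, and flags members by executable extension and by PE magic.

```python
"""Flag executable attachments hidden inside a ZIP, as in the HSBC spam above.

Added example, not code from the original post. The archive is constructed
in memory; the member name is the one the post reports, and the member
content is a minimal fake PE header (just the "MZ" magic), not the real
malware.
"""
import io
import zipfile

# Extensions Windows will execute directly; .scr (screensaver) is a PE file.
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs"}
PE_MAGIC = b"MZ"


def build_sample_zip():
    """Construct the sample archive: one .scr member whose bytes start with MZ."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Original Copy (Edited).scr", PE_MAGIC + b"\x90" * 62)
        zf.writestr("readme.txt", b"not an executable")
    return buf.getvalue()


def inspect_zip(data):
    """Return [(name, reasons)] for members that look executable.

    A member is flagged on extension, on PE magic, or both; flagging on the
    magic catches executables renamed to a harmless-looking extension.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reasons = []
            parts = info.filename.lower().rsplit(".", 1)
            if len(parts) == 2 and "." + parts[1] in EXECUTABLE_EXTS:
                reasons.append("executable-extension")
            with zf.open(info) as fh:
                if fh.read(2) == PE_MAGIC:
                    reasons.append("pe-magic")
            if reasons:
                findings.append((info.filename, reasons))
    return findings


if __name__ == "__main__":
    for name, reasons in inspect_zip(build_sample_zip()):
        print(name, reasons)
```

The magic-byte check is the one that matters: an attacker can rename the file to anything, but the loader still needs the MZ header, so checking the first two bytes of every member is cheap and hard to evade.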
PayPal spam / dshapovalov.info
This fake (and badly formatted) PayPal spam email leads to malware on dshapovalov.info:
Date: Wed, 4 Sep 2013 08:33:25 -0500 [09:33:25 EDT]
From: PayPal [service@int.paypal.com]
Subject: History of transactions #PP-011-538-446-067
ID
Transaction: { figure } {SYMBOL }
On your account malicious activity , for 1 hour was filmed around $ 100 , in small amounts In order to avoid blocking the account you need to go in. Authenticate Now
Sincerely, Services for protection
Department
PayPal does not tolerate fraud or illegal activities. Your complaint It was noted in the minutes of PayPal user you reported . If we find that This user has violated our policies , we will investigate and take appropriate action. In this case , you can contact in the future status this complaint.
To ensure that future transactions proceed smoothly, we suggest you visit PayPal site and click the Security Center link located at the top of any page. There you will find tips on how to avoid scammers " Fraud Prevention Tips for Buyers " section.
Please do not reply to this email. This mailbox is not monitored and you will not receive a response. For assistance , log in to your PayPal account and click the Help link in the upper right corner of any page PayPal.
Copyright © 1999-2013 PayPal. All rights reserved.
PPID PP {DIGIT } The history of monetary transactions
The link in the email goes through a URL shortening service at [donotclick]url7.org/KRh - one annoying feature with this service is that you have to click through a form to get the link, so it isn't easy to see where you are going to land. In this case it is [donotclick]184.168.56.23/observatories/index.html and then it runs one of the following three scripts:
[donotclick]81.143.33.169/garrotting/rumples.js
[donotclick]northeastestateagency.co.uk/queues/relaxes.js
[donotclick]mineralmizer.webpublishpro.com/peps/dortmund.js
From there, the victim is sent to a hijacked GoDaddy domain at [donotclick]dshapovalov.info/topic/able_disturb_planning.php hosted on 192.81.134.241 (Linode, US), which is the same server used in this attack. There are other hijacked GoDaddy domains on the same server (listed below in italics).
Recommended blocklist:
192.81.134.241
watchfp.org
watchfp.mobi
journeyacrossthesky.com
dshapovalov.info
watchfp.net
mineralmizer.webpublishpro.com
northeastestateagency.co.uk
81.143.33.169
Something is very wrong with Gandi US (AS29169 / 173.246.96.0/20)
Recently I have been suggesting readers block quite a few individual IPs at Gandi in the US, but I hadn't noticed exactly how many IPs I had been suggesting until a couple of days ago.
The problem seems to exist in the 173.246.96.0/20 block of AS29169 (173.246.96.0 - 173.246.111.255), a range of IP addresses that houses very many legitimate domains. Unfortunately, it also houses several malicious servers in the 173.246.102.0/24, 173.246.103.0/24 and 173.246.104.0/24 ranges, alongside legitimate sites.
First of all, let's look at the warnings I have given about this IP range just in this blog alone (ignoring all external sources):
IP address | Blog post
173.246.101.146 | CNN "Harrison Ford" spam / 173.246.101.146 and fragrancewalla.com
173.246.102.2 | Malware sites to block 7/3/13
173.246.102.223 | Citi Cards spam / 6.bbnface.com and 6.mamaswishes.com
173.246.102.246 | Something evil on 173.246.102.246
173.246.103.26 | ADP spam / 14.sofacomplete.com
173.246.103.59 | Malware sites to block 23/11/12
173.246.103.112 | Malware sites to block 22/11/12
173.246.103.124 | Malware sites to block 23/11/12
173.246.103.184 | Malware sites to block 23/11/12
173.246.104.104 | Something evil on 173.246.104.104
173.246.104.136 | CNN "Angelina Jolie tops list of highest-paid actresses" spam / deltadazeresort.net
173.246.104.154 | Something evil on 173.246.104.154
173.246.104.184 | PayPal spam / londonleatheronline.com
173.246.104.21 | Malware sites to block 23/11/12
173.246.104.55 | "INCOMING FAX REPORT" spam / chellebelledesigns.com
173.246.105.15 | eFax / jConnect spam and eliehabib.com
173.246.106.150 | "Scan from a Xerox WorkCentre" spam / Scan_06122013_29911.zip
So, curious about how bad the situation was I went off to identify servers currently hosting malware, and the list I came up with was:
173.246.102.2
173.246.102.202
173.246.102.223
173.246.102.250
173.246.103.47
173.246.103.191
173.246.103.232
173.246.104.52
173.246.104.55
173.246.104.104
173.246.104.128
173.246.104.154
173.246.104.184
173.246.104.185
That's quite a concentration of badness. You can see a full list of the malicious domains, WOT ratings, Google prognosis and SURBL codes here [csv]. There's a plain list of domains at the end of the post for copy-and-pasting.
Now, normally I would recommend blocking at least a /24 when dealing with this level of badness, but as this overview of the /20 shows [csv] there are a load of legitimate sites interspersed with the malware. Of course, you may want to block chunks of this IP range anyway and live with the collateral damage. If you are hosted in this range then I suggest it is time to look for a new host.
Over the past 12 months there have been at least 25 malware servers in this block, with 173.246.102.0/24 hosting 5, 173.246.103.0/24 hosting 8 and 173.246.104.0/24 hosting 9. Something must be seriously wrong at Gandi to allow this to happen.
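The trade-off described above, per-host blocking versus blocking a whole /24 and accepting collateral damage, is easy to make mechanically once the IoCs are grouped by prefix. The following is an added example, not code from the original post: it takes the 14 currently-malicious hosts listed in the post, groups them by /24 with Python's standard ipaddress module, and applies a simple decision rule (block the subnet only when it holds several malicious hosts and no known-legitimate host). The list of legitimate hosts and the threshold are constructed assumptions for illustration, not values from the post.

```python
"""Aggregate per-host malware IoCs into /24 summaries and choose block granularity.

Added example, not code from the original blog post. It uses the 14 IPs the
post lists for AS29169 and a constructed (hypothetical) list of "known
legitimate" hosts to illustrate the collateral-damage trade-off the author
describes; the threshold value is an assumption, not the author's rule.
"""
import ipaddress
from collections import defaultdict

# The 14 currently-malicious hosts listed in the post (values from the page).
MALICIOUS_IPS = [
    "173.246.102.2", "173.246.102.202", "173.246.102.223", "173.246.102.250",
    "173.246.103.47", "173.246.103.191", "173.246.103.232",
    "173.246.104.52", "173.246.104.55", "173.246.104.104", "173.246.104.128",
    "173.246.104.154", "173.246.104.184", "173.246.104.185",
]

# Constructed sample of legitimate hosts in the same range (hypothetical
# addresses, used only to show how collateral damage changes the decision).
LEGIT_IPS_SAMPLE = ["173.246.102.10", "173.246.103.5", "173.246.103.77"]

AS29169_BLOCK = ipaddress.ip_network("173.246.96.0/20")


def in_scope(ips, block=AS29169_BLOCK):
    """Return the subset of ips that fall inside the /20 under discussion."""
    return [ip for ip in ips if ipaddress.ip_address(ip) in block]


def count_by_prefix(ips, prefixlen=24):
    """Count hosts per enclosing prefix (default /24); keys are CIDR strings."""
    counts = defaultdict(int)
    for ip in ips:
        net = ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)
        counts[str(net)] += 1
    return dict(counts)


def block_plan(malicious, legitimate, min_hosts=3):
    """Decide, per /24, between blocking the whole subnet and blocking hosts.

    A /24 is blocked wholesale only when it holds at least `min_hosts`
    malicious hosts AND no known-legitimate host; otherwise each malicious
    host is blocked individually. Returns {cidr: ("subnet"|"hosts", [entries])}.
    """
    bad = count_by_prefix(malicious)
    good = count_by_prefix(legitimate)
    plan = {}
    for cidr, n_bad in bad.items():
        if n_bad >= min_hosts and cidr not in good:
            plan[cidr] = ("subnet", [cidr])
        else:
            net = ipaddress.ip_network(cidr)
            hosts = [ip for ip in malicious if ipaddress.ip_address(ip) in net]
            plan[cidr] = ("hosts", hosts)
    return plan


def render_blocklist(plan):
    """Flatten the plan into one entry per line, sorted for stable output."""
    entries = []
    for _cidr, (_kind, items) in sorted(plan.items()):
        entries.extend(items)
    return entries


if __name__ == "__main__":
    scoped = in_scope(MALICIOUS_IPS)
    print("per-/24 counts:", count_by_prefix(scoped))
    for cidr, (kind, items) in sorted(block_plan(scoped, LEGIT_IPS_SAMPLE).items()):
        print(f"{cidr}: block {kind} -> {items}")
```

With the sample legitimate hosts, 173.246.102.0/24 and 173.246.103.0/24 fall back to per-host entries while 173.246.104.0/24 is blocked whole; feeding in a fuller list of legitimate hosts (such as the /20 overview the author links) would push more subnets to per-host blocking, which is the author's actual recommendation for this range.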
Recommended blocklist:
173.246.102.2
173.246.102.202
173.246.102.223
173.246.102.250
173.246.103.47
173.246.103.191
173.246.103.232
173.246.104.52
173.246.104.55
173.246.104.104
173.246.104.128
173.246.104.154
173.246.104.184
173.246.104.185
17.247nycr.com
17.247nycrealty.com
17.allianceyouthsports.com
17.americanseniorgazette.net
17.apielectrical.com
17.apipoolservice.com
17.bearfoothouse.com
17.bestbysouthwest.net
17.bradentons-finest.com
17.carlileenrollment.com
17.ccbenroll.com
17.chefsenrollment.com
17.culliganwaternet.com
17.culliganwaternet.net
17.dchealthcaresolutions.com
17.deadbeatcustomers.com
17.deborahramanathan.com
17.docholidaybanners.com
17.doorssanantoniocom.com
17.drdeborahramanathan.com
17.enrollmentforce.com
17.entrepreneursnetworkofmichigan.com
17.foodypon.com
17.foodypon.info
17.grantmassie.com
17.grantmassie.net
17.grantmassie.org
17.heyculliganman.net
17.kathybissell.com
17.kbgolfcoursesales.com
17.kingdom-mystery.org
17.landvirginia.com
17.lascrittore.com
17.ledbymmhd.com
17.lonestarenrollment.com
17.lwrbeerfestival.com
17.meccandivinity.com
17.mmholidaydecor.com
17.moffdomains.com
17.nstarbankenrollment.com
17.opti-max.com
17.optimax.us
17.paperlessenrollment.com
17.paperlessenrollments.com
17.productpurveyors.com
17.quakertownfamilydoctor.com
17.rbasa.com
17.rbasanantonio.com
17.redtreebookings.com
17.renewenrollment.com
17.sanantoniodoors.net
17.sanantoniohardiplank.com
17.sanantoniosiding.com
17.sanantoniosiding.net
17.sanantoniowindows.net
17.scottbarr.org
17.seniorgazette.org
17.seniorgolfrankings.com
17.soonerflight.com
17.southwestexteriors.com
17.texcoteproblems.com
17.thebusiness-solutions.com
17.themarketmakers.org
17.thetelecomgroup.com
17.ultimateserviceexperience.com
17.ultimateserviceguarantee.com
17.valuationwidgets.com
17.vinyl-windows.org
17.webezmarketing.com
17.worldclassexteriors.com
17.yourbrokerforlife.com
1800callabe.com
1866callabe.com
19.accentchicagostore.com
19.advancedweb2solutions.com
19.campaignsusa.com
19.collectiblesminnesota.com
19.diet4usa.org
19.floridafractionalproperty.com
19.floridafractionalrealestate.info
19.floridafractionalrealestate.us
19.giftbasketminnesota.com
19.giftminn.com
19.giftminnesota.com
19.giftmn.com
19.giftsfromminnesota.com
19.giftsminnesota.com
19.icandyliciousshop.com
19.icandyliciousstore.com
19.icandysugarshoppe.com
19.icandysugarshoppe.org
19.kitchenandbathatlanta.com
19.kodiakgaming.com
19.lovefromchicago.com
19.lovefromchicagostore.com
19.lovefromcompanies.com
19.lovefrommn.com
19.minngift.com
19.minnsotagifts.net
19.minnstore.com
19.mngift.com
19.navypierstore.com
19.northwoodscabinstore.com
19.pacifictusk.com
19.pacifictuskbuilders.com
19.souvenirminnesota.com
19.storeminn.com
19.sunburstsouvenirs.com
19.sunburstsouvenirs.info
19.sunburstsouvenirs.net
19.thelovefromcompanies.com
21.3to2converter.com
21.aribadellago.com
21.az55pluscommunity.com
21.baleraatfirerock.com
21.bringmemyleads.biz
21.bringmemyleads.com
21.bringmemyleads.info
21.bringmemyleads.net
21.bringmemyleads.org
21.bringmemyleads.us
21.cedrictherealtor.com
21.cedricthevegasrealtor.com
21.cordilleraatcopperwynd.com
21.crestviewatfountainhills.com
21.customswitchpanel.com
21.homesbythefountain.com
21.liquidstainedglass.com
21.liveinfountainhills.com
21.liveinlassendas.com
21.luxuriousscottsdale.com
21.wow-bottles.com
23.area-plumbing-company.com
23.garryowen.biz
23.goalsettingprogram.biz
23.mdvideoproduction.com
4.whereintuscany.com
4.whereintuscia.com
4.whereinumbria.com
4.whereinvaldaosta.com
4.whereinveneto.com
6.bbnface.com
6.bbnfaces.com
6.bbnfaces.net
6.mamasauction.com
6.mamaswishes.com
6.mamaswishes.net
6.mamaswishes.org
abemoussa.com
abemuggs.com
abes.co
abes.net
abesburger.com
biobcetsozxzxifwchyxxslfcaxws.info
byvcxdydxgyzxqwvnqktgpbfm.com
chellebelledesign.com
chellebelledesigns.com
eaeobxgtsvsjzljwkskvcaegqyay.net
findmynewschool.com
findyourpetcare.info
findyourpetcare.net
findyourpetcare.org
folsomdogplay.com
folsomdogs.com
folsomdogtrainingschool.com
godogresort.com
gottaghost.com
gottagirl.net
greawsome.com
gubmpfypeisctovkgaqghircxsfqlqc.biz
ingeuswghskzddxxlvgmqpvk.net
janetmoss.com
jerseycitybags.com
jerseyluggage.com
jmosswinery.com
jrzlzhmrwomfhaeqclwokvdm.net
kennethcolenyoutlet.com
kiddypals.com
kidswalla.com
kitchenwalla.com
kneetite.com
kzusdyhpypeavgltsjvdljpvojqg.com
labodysculpt.com
lacellulaze.com
laserabs.com
laserbod.com
laserbodycontour.com
laserbodyfit.com
laserbodysculpt.com
laserbodysculpt.info
laserbodysculpt.net
laserbodysculpt.org
laserbodytight.com
laserfigure.com
laserlipobanking.com
laserlipofirm.com
laserlipomanhattan.com
laserlipoplasticsurgeon.com
laserlipo-plasticsurgeon.com
laserlipoplasticsurgeons.com
laserlipo-plasticsurgeons.com
laserlipopro.com
laserliposolution.com
laserlipotight.com
laserlipotopdocs.com
laserniptuck.com
laserpecs.com
laser-sculpt.com
laser-sculpting.com
lasertoned.com
lasertuck.com
lazersculpt.com
lazertite.com
lidlaser.com
lidtight.com
lipo-exatlanta.com
lipo-exbeverlyhills.com
london-leather.com
magnetas.mx
marinedockladders.com
marzenamelby.com
minneapolisareareosales.com
minneapolisforeclosuredeals.com
pciinvbupnxkfatrsuhicuaue.net
prdqjfhwookftucvkwclhyzlyt.biz
premiumrentalproperty.com
remote-recording-mixing.com
rglrlprbayscvwfkqmbqtkj.com
rockvilleautobody.biz
roll-on-bracelets.info
scnrpnqojbaymfvclcdqhtpdi.org
share.afghans.net
shuofrpvcyukzgqnjbykrvkddu.com
stevecozz.com
tgvwvofaamqcciqhiqoutoprwkqwjn.com
theinternetchauffeur.biz
the-internet-chauffeur.com
trippling.com
twbevoabakbrghlnfylbuempvmfmb.org
twincitiesfamilywellness.com
veolux.com
yhlnibrgxwxplfjsoauondhunv.com
ylhqlrgqxgordeytindafukreqjvtw.info
Labels: Evil Network, Gandi, Malware, Viruses
Something evil on 174.140.168.239
The server at 174.140.168.239 (DirectSpace Networks LLC, US) is currently hosting a large number of hijacked GoDaddy domains and is being used to distribute malware [1] [2] [3].
It looks like this server has been active for a couple of months and has been used for a variety of evil purposes. I strongly recommend blocking the following:
174.140.168.239
50shadesofshades.com
50shadesofsunshades.com
800fragrances.com
aeroliteluggage.com
aerotechluggage.com
babysurplusshop.com
bagcast.com
bagd.us
bagdup.com
baggagereviews.com
bagpreview.com
bagpreviews.com
bagsare.us
bagsr.me
bagsr.us
bagswalla.com
bag-tv.com
bhanoteenterprises.com
carluccileather.com
carluccileathers.com
checkpointbackpacks.com
checkpoint-friendly-backpacks.com
checkpoint-friendly-bag.com
checkpoint-friendly-bags.com
checkpointfriendlybusinesscases.com
checkpointfriendlylaptopcases.com
checkpoint-friendly-laptopcases.com
checkpoint-friendly-luggage.com
checkpointfriendlytravelaccessories.com
checkpoint-friendly-travel-accessories.com
checkpointluggage.com
chimneycapsupply.com
clotheswalla.com
consumerluggage.com
coolstowage.com
copperguttersupply.com
couponwalla.com
dealdin.com
eguttersupply.com
filterflowgutterguard.com
guttersupply.mobi
iguttersupply.com
micromeshguttercover.com
micromeshleafguard.com
ornamentalgutters.com
radiantcarbonheat.com
roofmaterialsupply.com
roofpanelsupply.com
rooftilesupply.com
shinglesupply.com
slatesupply.com
solarroofingsupply.com
thinkgreensupply.com
vidaline.com
Facebook spam / watchfp.net
All this malware-laden Facebook spam is boring. Here's another one, leading to a malicious payload on watchfp.net:
Date: Tue, 3 Sep 2013 11:37:14 -0700 [14:37:14 EDT]
From: Facebook [notification+zrdohvri=vd1@facebookmail.com]
Subject: Blake Miranda tagged 5 photos of you on Facebook
Blake Miranda added 5 photos of you.
See photos
Go to notifications
This message was sent to [redacted]. If you don't want to receive these emails from Facebook in the future, please click: unsubscribe.
Facebook, Inc. Attention: Department 415 P.O Box 10005 Palo Alto CA 94303
Blake is pretty feminine looking for a bloke:
The photograph is stolen from the website of Ashot Gevorkyan [some pictures perhaps nsfw] who has quite a nice portfolio. Anyway, the link in the email uses a shortening service:
[donotclick]u.to/r05nBA which goes to
[donotclick]www.rosenberger-kirwa.de/triassic/index.html which loads one of the following:
[donotclick]safbil.com/stashed/flout.js
[donotclick]ftp.spectrumnutrition.ca/sunscreens/copping.js
[donotclick]schornsteinfeger-helmste.de/covetously/turk.js
The final step is that the victim ends up on a malware landing page at [donotclick]watchfp.net/topic/able_disturb_planning.php which is a hijacked GoDaddy domain hosted on 192.81.134.241 (Linode, US) along with some other hijacked domains listed in italics below. The attack is characteristic of the ThreeScripts series of malicious spam emails.
Recommended blocklist:
192.81.134.241
watchfp.org
watchfp.mobi
watchfp.net
safbil.com
ftp.spectrumnutrition.ca
schornsteinfeger-helmste.de
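The chain described above (shortener, compromised site, one of three scripts, then the /topic/able_disturb_planning.php landing page) is the same shape in all four ThreeScripts posts on this page, which makes it a good fit for a proxy-log check. The following is an added example, not code from the original post: it parses Squid-style log lines, flags requests whose host is on the watchfp.net blocklist or whose path is the shared landing-page path, and then pulls the client's preceding requests so the analyst sees the earlier hops that are not on the blocklist. The log lines, client addresses and timestamps are constructed; the hostnames and path are those given in the post.

```python
"""Scan proxy log lines for the multi-stage chain the post describes.

Added example, not code from the original post. The log lines are constructed
(hypothetical clients and timestamps); hostnames, IPs and the landing-page path
are those given in the post. Squid-style fields are assumed: time, client,
status, method, URL.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# IoCs from the post's blocklist for the watchfp.net campaign.
BLOCKLIST = {
    "192.81.134.241", "watchfp.org", "watchfp.mobi", "watchfp.net",
    "safbil.com", "ftp.spectrumnutrition.ca", "schornsteinfeger-helmste.de",
}
# The landing-page path shared by the campaigns in the post.
LANDING_PATH = "/topic/able_disturb_planning.php"

# Constructed sample log: 10.0.0.5 follows the whole chain, 10.0.0.9 only
# visits an unrelated site.
SAMPLE_LOG = """\
1378233434.120 10.0.0.5 TCP_MISS/302 GET http://u.to/r05nBA
1378233435.004 10.0.0.5 TCP_MISS/200 GET http://www.rosenberger-kirwa.de/triassic/index.html
1378233435.410 10.0.0.5 TCP_MISS/200 GET http://safbil.com/stashed/flout.js
1378233437.901 10.0.0.5 TCP_MISS/200 GET http://watchfp.net/topic/able_disturb_planning.php
1378233440.000 10.0.0.9 TCP_MISS/200 GET http://example.com/index.html
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")


def parse_line(line):
    """Split one log line into a dict; return None for malformed lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, client, status, method, url = m.groups()
    parts = urlsplit(url)
    return {"ts": float(ts), "client": client, "status": status,
            "method": method, "host": parts.hostname or "", "path": parts.path}


def classify(rec):
    """Return a list of reasons a request is suspicious (empty if none)."""
    reasons = []
    if rec["host"] in BLOCKLIST:
        reasons.append("blocklisted-host")
    if rec["path"] == LANDING_PATH:
        reasons.append("landing-page-path")
    return reasons


def scan(log_text):
    """Return {client: [(ts, host, reasons), ...]} for flagged requests only."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = classify(rec)
        if reasons:
            hits[rec["client"]].append((rec["ts"], rec["host"], reasons))
    return dict(hits)


def chain_context(log_text, client, window=60.0):
    """All requests by `client` within `window` seconds up to its first hit.

    This recovers the earlier hops (shortener, compromised site) that are not
    on the blocklist but precede the flagged request, which is what an analyst
    needs to see the full redirect chain.
    """
    recs = [r for r in map(parse_line, log_text.splitlines())
            if r and r["client"] == client]
    hits = scan(log_text).get(client, [])
    if not hits:
        return []
    first_hit = min(ts for ts, _, _ in hits)
    return [r["host"] + r["path"] for r in recs
            if first_hit - window <= r["ts"] <= first_hit]


if __name__ == "__main__":
    for client, entries in scan(SAMPLE_LOG).items():
        print(client, entries)
        print("  context:", chain_context(SAMPLE_LOG, client))
```

Matching on the landing-page path as well as on hostnames is deliberate: the hijacked GoDaddy domains rotate between posts, but the path has stayed constant across the campaigns described here, so it catches a host that is not yet on anyone's blocklist.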
Tuesday 3 September 2013
PayPal spam / londonleatheronline.com
This fake PayPal spam leads to malware on londonleatheronline.com:
Date: Tue, 3 Sep 2013 09:43:09 +0400 [01:43:09 EDT]
From: PayPal [service@int.paypal.com]
Subject: Identity Issue #PP-716-472-864-836
We are writing you this email in regards to your PayPal account. In accordance with our "Terms and Conditions", article 3.2., we would like to kindly ask you to confirm your identity by completing the attached form.
Please print this form and fill in the requested information. Once you have filled out all the information on the form please send it to verification@paypal.com along with a personal identification document (identity card, driving license or international passport) and a proof of address submitted with our system ( bank account statement or utility bill ).
For more details please see on the page View all details
Your case ID for this reason is PP-U3PR33YIL8AV
For your protection, we might limit your account access. We apologize for any inconvenience this may cause.
Thanks,
PayPal
CONFIDENTIALITY NOTICE:
This electronic mail transmission and any attached files contain information intended for the exclusive use of the individual or entity to whom it is addressed and may contain information belonging to the sender (PayPal , Inc.) that is proprietary, privileged, confidential and/or protected from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any viewing, copying, disclosure or distributions of this electronic message are violations of federal law. Please notify the sender of any unintended recipients and delete the original message without making any copies. Thank You
PayPal Email ID PP53161
The link in the email goes to a legitimate hacked site and then loads one of these three scripts:
[donotclick]ftp.casacalderoni.com/liquids/pythias.js
[donotclick]tuviking.com/trillionth/began.js
[donotclick]walegion.comcastbiz.net/wotan/reuses.js
These scripts then try to deliver the victim to a malicious payload at [donotclick]londonleatheronline.com/topic/able_disturb_planning.php, a hijacked GoDaddy domain hosted on 173.246.104.184 (Gandi, US), the same server as used in this attack, along with a number of other hijacked domains which are listed in italics below.
Recommended blocklist:
173.246.104.184
jerseycitybags.com
jerseyluggage.com
kennethcolenyoutlet.com
kiddypals.com
kidswalla.com
kitchenwalla.com
london-leather.com
londonleatheronline.com
ftp.casacalderoni.com
tuviking.com
walegion.comcastbiz.net
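A blocklist like the one above is only useful once something consumes it. The following Python script is an added example, not code from the blog: it loads the blocklist published in this post, adds a CIDR entry in the form later posts on this page use (184.95.37.96/28), and scans Squid-style proxy log lines for hits, treating a listed domain as also covering its subdomains and flagging the /topic/able_disturb_planning.php landing path that every ThreeScripts post on this page shares. The log lines, the 10.0.0.x clients and the 203.0.113.x peer addresses are constructed sample data.

```python
"""Match web-proxy log lines against a published blocklist.

Added example: not code from the blog. The blocklist below is the one
published in the post above plus a CIDR entry (184.95.37.96/28) in the
form used by later posts; the log lines are constructed for the demo.
"""
import ipaddress
from urllib.parse import urlsplit

BLOCKLIST = """
173.246.104.184
jerseycitybags.com
jerseyluggage.com
kennethcolenyoutlet.com
kiddypals.com
kidswalla.com
kitchenwalla.com
london-leather.com
londonleatheronline.com
ftp.casacalderoni.com
tuviking.com
walegion.comcastbiz.net
184.95.37.96/28
"""

# Landing-page path shared by every ThreeScripts post on this page.
THREESCRIPTS_PATH = "/topic/able_disturb_planning.php"

# Constructed Squid-style access log (native format: time elapsed client
# code/status bytes method URL ident hierarchy/peer type).
SAMPLE_LOG = """\
1378195200.123    45 10.0.0.5 TCP_MISS/200  512 GET http://www.example.com/index.html - DIRECT/203.0.113.10 text/html
1378195201.456   120 10.0.0.5 TCP_MISS/200 2048 GET http://tuviking.com/trillionth/began.js - DIRECT/203.0.113.20 application/javascript
1378195202.789   300 10.0.0.5 TCP_MISS/200 4096 GET http://londonleatheronline.com/topic/able_disturb_planning.php - DIRECT/173.246.104.184 text/html
1378195203.000    80 10.0.0.9 TCP_MISS/200 1024 GET http://184.95.37.100/forum/viewtopic.php - DIRECT/184.95.37.100 text/html
1378195204.000    80 10.0.0.9 TCP_MISS/200 1024 GET http://www.jerseyluggage.com/ - DIRECT/173.246.104.184 text/html
"""


def parse_blocklist(text):
    """Split a blocklist into IP networks (single IPs become /32) and hostnames."""
    nets, hosts = [], set()
    for entry in text.split():
        entry = entry.lower().rstrip(".")
        try:
            nets.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            hosts.add(entry)
    return nets, hosts


def host_blocked(host, hosts):
    """True if host or any parent domain is listed (watchfp.net covers www.watchfp.net)."""
    labels = host.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in hosts for i in range(len(labels)))


def ip_blocked(ip, nets):
    """True if the literal IP falls inside any listed address or CIDR range."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in nets)


def scan_log(lines, blocklist_text=BLOCKLIST):
    """Return (client, host, reasons) for every log line that hits the blocklist."""
    nets, hosts = parse_blocklist(blocklist_text)
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 7:
            continue
        client, url = fields[2], fields[6]
        # CONNECT lines carry host:port with no scheme; add one so urlsplit works.
        parts = urlsplit(url if "://" in url else "http://" + url)
        host = parts.hostname or ""
        reasons = []
        if ip_blocked(host, nets):
            reasons.append("blocklisted-ip")
        if host_blocked(host, hosts):
            reasons.append("blocklisted-domain")
        if parts.path == THREESCRIPTS_PATH:
            reasons.append("threescripts-landing-path")
        if reasons:
            hits.append((client, host, reasons))
    return hits


if __name__ == "__main__":
    for client, host, reasons in scan_log(SAMPLE_LOG.splitlines()):
        print(f"{client} -> {host}: {', '.join(reasons)}")
```

A hit on the landing path alone is worth alerting on even when the domain is not yet listed: the hijacked GoDaddy domains change from post to post on this page while the path has stayed constant.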
Monday 2 September 2013
MONK spam tries to profit from WAR threat
The MONK (Monarchy Resources Inc) pump-and-dump spam continues. This time though, the spammers are trying to capitalise on the threat of war in the Middle East:
From: belova04@jeel.com
Date: 2 September 2013 17:32
Subject: This Stock just released Big News!
Are you interested in enriching yourself by means of war? It`s the very
time to do it! As soon as the first bombs get to the earth in Syria,
stone oil prices will move up the same as MONARCHY RESOURCES INC
(M-ON_K) share price. Go make money on Mon, Sep 2, 2013, get M-ON_K
shares!!!
As previously discussed, the stock price for this company has tanked and is unlikely to get any better. If you attempt to do some war profiteering on this stock then you will lose out, and frankly you won't get any sympathy from me.
Here are some other variants of the same scummy email:
You can make money on war!!! It`s right time to make it. The
moment the first rockets descend to Syria, oil prices will
rise the same as MONARCHY RESOURCES INC. (M O N_K) bond
price!!! Begin earning profits on Monday, September 02, 2013,
grab M O N_K shares.
It`s your turn to make money on war! It`s the very time to make it.
As soon as the first bombs touch the ground in Syria, black gold
prices will skyrocket as well as MONARCHY RESOURCES, INC (M-O-N K)
bond price. Start making money on Mon, Sep 02, 2013, get M-O-N K
shares.
There is a real opportunity to make money on war. It`s right time to
do it!!! As soon as the first bombs touch the ground in Syria, petrol
prices will move up just as Monarchy Resources, Inc (M-O_NK) bond
price. Start making money on Sep 2nd, grab M-O_NK shares!
Do you want to earn money on war? It`s the very time to realize
your plans! Just as the first bombs get to the earth in Syria,
oil prices will move up as well as Monarchy Resources, Inc
(MO-NK) share price! Go make profits on Sep 2nd, grab MO-NK
shares!!!
Labels:
Pump and Dump,
Spam
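The ticker obfuscation in the variants above (M-ON_K, M O N_K, M-O-N K, M-O_NK, MO-NK) is exactly what a mail filter has to normalise away before a watchlist of promoted stocks is any use. The Python below is an added example, not code from the blog: it builds a separator-tolerant pattern for each watched symbol, squashes punctuation out of the company name, and flags a message that pushes a watched symbol and names its company. The watchlist holds only the symbol from this post, and the sample bodies are constructed from the variants quoted above.

```python
"""Spot obfuscated ticker symbols in pump-and-dump spam.

Added example, not code from the blog; the watchlist holds the one symbol
from the post above and the sample texts are constructed from its quoted
variants (M-ON_K, M O N_K, M-O-N K, M-O_NK, MO-NK).
"""
import re

# Ticker -> company name, e.g. your own watchlist of stocks being promoted.
WATCHLIST = {"MONK": "Monarchy Resources"}

# Characters spammers insert between the letters of a symbol.
FILLER = r"[\s_\-\.]*"

# Constructed sample bodies built from the variants quoted in the post above.
SAMPLES = [
    "stone oil prices will move up the same as MONARCHY RESOURCES INC\n(M-ON_K) share price. Go make money on Mon, Sep 2, 2013, get M-ON_K\nshares!!!",
    "rise the same as MONARCHY RESOURCES INC. (M O N_K) bond\nprice!!!",
    "prices will skyrocket as well as MONARCHY RESOURCES, INC (M-O-N K)\nbond price.",
    "prices will move up just as Monarchy Resources, Inc (M-O_NK) bond\nprice. Start making money on Sep 2nd, grab M-O_NK shares!",
    "oil prices will move up as well as Monarchy Resources, Inc\n(MO-NK) share price!",
]


def ticker_pattern(symbol):
    """Regex matching the symbol with any filler between its letters.

    Lookarounds enforce word boundaries so MONK is not found inside MONKEY;
    matching is case-sensitive because tickers are upper case and the
    lower-case word "monk" is ordinary English.
    """
    body = FILLER.join(re.escape(ch) for ch in symbol)
    return re.compile(r"(?<![A-Za-z])" + body + r"(?![A-Za-z])")


def squash(text):
    """Lower-case letters only, so 'MONARCHY RESOURCES, INC.' and
    'Monarchy Resources' compare on the same footing."""
    return re.sub(r"[^a-z]", "", text.lower())


def find_tickers(text, watchlist=WATCHLIST):
    """Return the set of watched symbols that appear in text, obfuscated or not."""
    return {sym for sym in watchlist if ticker_pattern(sym).search(text)}


def find_companies(text, watchlist=WATCHLIST):
    """Return the set of watched symbols whose company name appears in text."""
    flat = squash(text)
    return {sym for sym, company in watchlist.items() if squash(company) in flat}


def is_pump_and_dump(text, watchlist=WATCHLIST):
    """Flag a message that both names a watched company and pushes its symbol."""
    return bool(find_tickers(text, watchlist) & find_companies(text, watchlist))


if __name__ == "__main__":
    for sample in SAMPLES:
        print(find_tickers(sample), is_pump_and_dump(sample))
```

Requiring both the symbol and the company name keeps the false-positive rate down: the symbol pattern alone will fire on any stray upper-case letters that happen to spell a short ticker.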
Facebook spam / london-leather.com
This fake Facebook spam leads to malware on london-leather.com:
Date: Mon, 2 Sep 2013 19:59:52 +0300 [12:59:52 EDT]
From: Facebook [update+hiehdzge@facebookmail.com]
Subject: Victoria Carpenter commented on your status
This message was sent to [redacted]. If you don't want to receive these emails from Facebook in the future, please unsubscribe. Facebook, Inc., Attention: Department 415, PO Box 10005, Palo Alto, CA 94303
In this case the link in the spam appears to use some sort of URL shortening service, first going to [donotclick]jdem.cz/5xxb8 then [donotclick]93.93.189.108/exhortation/index.html where it attempts to load one of the following three scripts:
[donotclick]codebluesecuritynj.com/mummifies/stabbed.js
[donotclick]mobileforprofit.net/affected/liberal.js
[donotclick]tuviking.com/trillionth/began.js
These scripts in turn direct the visitor to a malicious payload site at [donotclick]london-leather.com/topic/able_disturb_planning.php, a hijacked GoDaddy domain hosted on 173.246.104.184 (Gandi, US), a server that hosts a number of other malicious domains, also hijacked from GoDaddy and listed in italics below.
Recommended blocklist:
173.246.104.184
london-leather.com
kitchenwalla.com
kidswalla.com
jerseyluggage.com
jerseycitybags.com
kiddypals.com
kennethcolenyoutlet.com
codebluesecuritynj.com
mobileforprofit.net
tuviking.com
Monday 26 August 2013
UPS Spam / UPS Invoice 74458652.zip
This fake UPS invoice has a malicious attachment:
From: "UPSBillingCenter@ups.com" [UPSBillingCenter@ups.com]
Subject: Your UPS Invoice is Ready
New invoice(s) are available for the consolidated payment plan(s) / account(s) enrolled in the UPS Billing Center. Download the attachment. Invoice will be automatically shown by double click.
Attached is a file UPS Invoice 74458652 which in turn contains a file called UPS Invoice {DIGIT[8]}.exe which presumably isn't meant to be named like that..
The VirusTotal detection rate is a so-so 18/46. The Malwr analysis is that this is a trojan downloader that attempts to download bad things from the following locations:
[donotclick]gordonpoint.org/forum/viewtopic.php
[donotclick]mierukaproject.jp/PjSE.exe
[donotclick]programcommunications.com/WZP3mMPV.exe
[donotclick]fclww.com/QdytJso0.exe
[donotclick]www.lajen.cz/tPT8oZTB.exe
The VirusTotal detection rate for the downloaded file is not great at just 9/46.
The domain gordonpoint.org is a hijacked GoDaddy domain on 74.207.229.45 (Linode, US) along with several other hijacked domains which are listed below in italics.
Recommended blocklist:
74.207.229.45
gordonpoint.org
hitechcreature.com
industryseeds.ca
infocreature.com
itanimal.com
itanimals.com
jngburgerjoint.ca
jngburgerjoint.com
johnmejalli.com
mierukaproject.jp
programcommunications.com
fclww.com
www.lajen.cz
Friday 23 August 2013
Wells Fargo spam / WellsFargo_08232013.exe
This fake Wells Fargo spam has a malicious attachment:
Date: Fri, 23 Aug 2013 09:43:44 -0500 [10:43:44 EDT]
From: Morris_Osborn@wellsfargo.com
Please review attached documents.
Morris_Osborn
Wells Fargo Advisors
817-718-8096 office
817-610-5531 cell Morris_Osborn@wellsfargo.com
Investments in securities and insurance products are:
NOT FDIC-INSURED/NO BANK-GUARANTEES/MAY LOSE VALUE
Wells Fargo Advisors, LLC is a nonbank affiliate of Wells Fargo & Company, Member FINRA/SIPC. 1 North Jefferson, St. Louis, MO 63103
CONFIDENTIAL NOTICE: The contents of this message, including any attachments, are confidential and are intended solely for the use of the person or entity to whom the message was addressed. If you are not the intended recipient of this message, please be advised that any dissemination, distribution, or use of the contents of this message is strictly prohibited. If you received this message in error, please notify the sender. Please also permanently delete all copies of the original message and any attached documentation. Thank you.
In this case there is an attachment WellsFargo.victimname.zip which contains a malicious executable WellsFargo_08232013.exe (note the date is encoded into the filename). The VirusTotal detection rate is just 4/45, but the file itself is unusually small (just 21Kb unzipped, 8Kb zipped) when I would normally expect to see the executable closer to 100Kb for this sort of malware.
What does it do? Well, the automated reports show it rummaging through various browser and address book data, and the ThreatTrack report [pdf] shows a DNS lookup of the domain huyontop.com plus what appears to be some peer-to-peer activity. Malwr, Comodo CAMAS and Anubis are somewhat less enlightening.
The WHOIS details for the domain huyontop.com appear to be valid (I won't list them here, look them up if you want), however it was only registered a few days ago. I can't tell you exactly what it is doing, but I would treat huyontop.com as being potentially malicious and block it if you can.
Labels:
EXE-in-ZIP,
Malware,
Spam,
Viruses
Thursday 22 August 2013
"Remittance Docs 2982780" spam / Docs_08222013_218.exe
This fake Chase spam has a malicious attachment:
Date: Thu, 22 Aug 2013 10:00:33 -0600 [12:00:33 EDT]
From: Jed_Gregory [Jed_Gregory@chase.com]
Subject: Remittance Docs 2982780
Please find attached the remittance 2982780.
If you are unable to open the attached file, please reply to this email with a contact telephone number. The Finance Dept will be in touch in due course.
Jed_Gregory
Chase Private Banking Level III Officer
3 Times Square
New York, NY 10036
T. 212.525.8865
F. 212.884.2034
The attachment is in the format Docs_victimdomain.com.zip which contains an executable Docs_08222013_218.exe (note that the date is encoded into the file). The VirusTotal detection rate for this is a moderate 16/46. The Malwr analysis shows that this is a Pony/Gate downloader which attempts to connect to the following URLs:
[donotclick]watch-fp.ca/ponyb/gate.php
[donotclick]www.jatw.pacificsocial.com/VSMpZX.exe
[donotclick]richardsonlookoutcottages.nb.ca/Q5Vf.exe
[donotclick]idyno.com.au/kvdhx2.exe
The downloader then downloads a second part with a much lower detection rate of 6/46. This appears to be a Zbot variant, and the Malwr analysis for that component is here.
The Pony/Gate component is hosted on 72.5.102.146 (Nuclear Fallout Enterprises, US) and is a hijacked GoDaddy domain, one of several on that server and listed below in italics.
Recommended blocklist:
72.5.102.146
dennissellsgateway.com
justinreid.us
successchamp.com
thenatemiller.biz
thenatemiller.co
thenatemiller.info
thenatemiller.net
thenatemiller.org
watch-fp.biz
watch-fp.ca
watch-fp.com
watch-fp.info
watch-fp.mobi
waterwayrealtyteam.us
jatw.pacificsocial.com
richardsonlookoutcottages.nb.ca
idyno.com.au
Labels:
EXE-in-ZIP,
GoDaddy,
Malware,
Nuclear Fallout Enterprises,
Spam,
Viruses
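The Wells Fargo and Chase posts above both describe a ZIP attachment holding an executable whose name carries the date of the spam run, and the UPS post describes one whose name still contains an unexpanded {DIGIT[8]} template token. The Python below is an added example, not the blog's code, showing how a mail gateway can check an attachment for those traits offline: executable extension, PE "MZ" magic bytes, a date stamp within a day of arrival, and a leftover template token. The archives are built in memory from constructed content and the member bytes are only read, never run.

```python
"""Inspect a ZIP mail attachment for EXE-in-ZIP tricks.

Added example, not code from the blog. The archive is constructed in memory
to mirror the attachments described on this page (WellsFargo_08232013.exe,
Docs_08222013_218.exe, UPS Invoice {DIGIT[8]}.exe); nothing is executed.
"""
import io
import re
import zipfile
from datetime import date

EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs"}

# Name_MMDDYYYY.ext or Name_MMDDYYYY_NNN.ext, the date-stamped naming seen above.
DATE_IN_NAME = re.compile(r"_(\d{2})(\d{2})(\d{4})(?:_\d+)?\.[A-Za-z]{2,4}$")

# Unexpanded spam-kit template token such as {DIGIT[8]}.
TEMPLATE_TOKEN = re.compile(r"\{[A-Z]+\[\d+\]\}")


def build_sample_zip(inner_name, payload):
    """Constructed sample: a ZIP holding one file with the given name and bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(inner_name, payload)
    return buf.getvalue()


def inspect_zip(zip_bytes, received=None):
    """Return (finding, member_name) pairs; an empty list means nothing suspicious."""
    received = received or date.today()
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            ext = name[name.rfind("."):].lower() if "." in name else ""
            if ext in EXECUTABLE_EXTENSIONS:
                findings.append(("executable-in-zip", name))
            # Check the magic bytes too: a renamed PE still starts with "MZ".
            with zf.open(info) as member:
                if member.read(2) == b"MZ":
                    findings.append(("pe-header", name))
            m = DATE_IN_NAME.search(name)
            if m:
                mm, dd, yyyy = (int(g) for g in m.groups())
                try:
                    stamped = date(yyyy, mm, dd)
                except ValueError:
                    stamped = None
                # An attachment named for the day it arrived is the pattern noted above.
                if stamped and abs((received - stamped).days) <= 1:
                    findings.append(("date-stamped-name", name))
            if TEMPLATE_TOKEN.search(name):
                findings.append(("unexpanded-template-token", name))
    return findings


if __name__ == "__main__":
    sample = build_sample_zip("WellsFargo_08232013.exe", b"MZ" + b"\0" * 64)
    for finding, member in inspect_zip(sample, received=date(2013, 8, 23)):
        print(f"{finding}: {member}")
```

The date check takes the mail's arrival date as an argument rather than reading the clock, so the same logic can be replayed over an archive of old messages; the one-day tolerance covers time-zone differences between the spam run and the receiving server.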
Discover card "Your account login information updated" spam / abemuggs.com
This fake Discover card spam leads to malware on abemuggs.com:
Date: Thu, 22 Aug 2013 16:14:59 +0000 [12:14:59 EDT]
From: Discover Card [no-reply@facebook.com]
Subject: Your account login information updated
Discover
Access My Account
ACCOUNT CONFIRMATION Statements | Payments | Rewards
Your account login information has been updated.
Dear Customer,
This e-mail is to confirm that you have updated your log-in information for Discover.com. Please remember to use your new information the next time you log in.
Log In to review your account details or to make additional changes.
Please Note: If you did not make this request, please contact us immediately at 1-800-DISCOVER (1-800-347-2683).
Sign up
Don't miss out—sign up to get exclusive offers via e-mail from Discover.
Sign Up
Facebook Twitter I Love Cashback Bonus Blog Mobile
Add discover@service.discover.com to your address book to ensure delivery of these e-mails.
See ways to help identify authentic Discover e-mails by visiting our email security page.
IMPORTANT INFORMATION
This e-mail was sent to [redacted].
You are receiving this Discover e-mail as a confirmation of your account activity.
Log in to update your e-mail address or view your account e-mail preferences.
If you have any questions about your account, please log in to contact us securely and we will be happy to assist you.
Please do not reply to this e-mail as we are not able to respond to messages sent to this address.
DISCOVER and other trademarks, logos and service marks used in this e-mail are the trademarks of Discover Financial Services or their respective third-party owners.
Discover Products Inc.
P.O. Box 30666
Salt Lake City, UT 84130
©2012 Discover Bank, Member FDIC
TRUPCHNG_A1_A1_A1
The link in the email uses the Twitter redirection service to go to [donotclick]t.co/9PsnfeL8hh then [donotclick]x.co/1neIk then [donotclick]activegranite.com/vocatives/index.html and finally to a set of three scripts as follows:
[donotclick]02aa198.netsolhost.com/frostbite/hyde.js
[donotclick]96.9.28.44/dacca/quintilian.js
[donotclick]cordcamera.dakisftp.com/toothsome/catch.js
From this point the victim ends up at the malicious payload at [donotclick]abemuggs.com/topic/able_disturb_planning.php which is a hijacked GoDaddy domain hosted on 74.207.253.139 (Linode, US).
At the moment, I can only see abemuggs.com active on 74.207.253.139, however other domains in the same GoDaddy account may be hijacked as well. If you see unexpected traffic going to the following domains then it may be malicious:
abemuggs.com
abesmugs.com
abemugs.com
andagency.com
mytotaltitle.com
I would strongly recommend the following blocklist:
74.207.253.139
96.9.28.44
abemuggs.com
02aa198.netsolhost.com
cordcamera.dakisftp.com
Wednesday 21 August 2013
Facebook spam / thenatemiller.co
This fake Facebook spam leads to malware on thenatemiller.co:
Date: Wed, 21 Aug 2013 22:05:38 +0530 [12:35:38 EDT]
From: Facebook [update+hiehdzge@facebookmail.com]
Subject: You requested a new Facebook password
Hello,
You recently asked to reset your Facebook password.
Click here to change your password.
Didn't request this change?
If you didn't request a new password, let us know immediately.
Change Password
This message was sent to [redacted] at your request.
Facebook, Inc., Attention: Department 415, PO Box 10005, Palo Alto, CA 94303
Nothing good will come from clicking the link. First, victims go to a legitimate but hacked site that attempts to load the following three scripts:
[donotclick]gemclinicstore.com/admitted/tintinnabulations.js
[donotclick]mathenyadvisorygroup.com/toffies/ceiling.js
[donotclick]www.it-planet.gr/schlepped/suitor.js
From there the victim is directed to a malware landing page at [donotclick]thenatemiller.co/topic/able_disturb_planning.php (.co, not .com) which is a hijacked GoDaddy domain hosted on 72.5.102.146 (Nuclear Fallout Enterprises, US) along with several other hijacked domains (listed below in italics).
Recommended blocklist:
72.5.102.146
successchamp.com
dennissellsgateway.com
thenatemiller.co
thenatemiller.info
justinreid.us
waterwayrealtyteam.us
thenatemiller.biz
gemclinicstore.com
mathenyadvisorygroup.com
www.it-planet.gr
Labels:
Facebook,
GoDaddy,
Malware,
Nuclear Fallout Enterprises,
Spam,
ThreeScripts,
Viruses
Laughable advanced fee fraud scam promises $2.5
Two-and-a-half bucks? I think I'll pass.
From: Mr Anthony Freed [johnewele12@cantv.net]
Reply-to: dhlcorriadeliveryservice@live.com
Date: 20 August 2013 21:13
Subject: Attention please!!!
Attention please!!!
We have registered your ATM CARD of (US $2.5) with DHL Express Courier Company with registration code of ( 9665776) please Contact with your delivery
information:
DHL OFFICE:
Name Dr:Mark Jonson.
E-mail: dhlcorriadeliveryservice@live.com //officedhldelivery service
Tel:+229 98270349.
We have paid for the Insurance & Delivery fee.The only fee you have to pay is their Security fee only.Please indicate the registration Number of ( 22-82797457 )and ask Him how much is their Security fee so that you can pay it.
Best Regards.
Rev.Anthony Fred
I don't think I've seen an Advanced Fee Fraud spam so full of fail for a long time..
Labels:
Advanced Fee Fraud,
Scams,
Spam,
Stupidity
Facebook spam / dennissellsgateway.com
This fake Facebook spam leads to malware on dennissellsgateway.com:
Date: Tue, 20 Aug 2013 15:28:11 -0500 [16:28:11 EDT]
From: Facebook [no-reply@facebook.com]
Subject: Gene Maynard wants to be friends with you on Facebook.
Gene Maynard wants to be friends with you on Facebook.
University of Houston, Victoria
342 friends - 28 photos
Confirm Request
See All Requests
This message was sent to [redacted]. If you don't want to receive these emails from Facebook in the future, please click: unsubscribe.
Facebook, Inc. Attention: Department 415 P.O Box 10005 Palo Alto CA 94303
This is a "ThreeScripts" attack, with the link first going to a legitimate hacked site and then through one of the following three scripts:
[donotclick]ftp.crimestoppersofpinellas.org/jonson/tried.js
[donotclick]italiangardensomaha.com/moocher/pawned.js
[donotclick]www.it-planet.gr/schlepped/suitor.js
From there, the victim ends up on a hijacked GoDaddy domain with a malicious payload at [donotclick]dennissellsgateway.com/topic/able_disturb_planning.php on 72.5.102.146 (Nuclear Fallout Enterprises, US) along with some other hijacked domains (listed in italics below).
Recommended blocklist:
72.5.102.146
dennissellsgateway.com
justinreid.us
waterwayrealtyteam.us
www.it-planet.gr
italiangardensomaha.com
ftp.crimestoppersofpinellas.org
Update:
Another spam is circulating with a different pitch, but the same malicious payload:
Dear Customer,
The following is your Credit Card settlement report for Monday, August 19, 2013.
Transaction Volume Statistics for Settlement Batch dated 19-Aug-2013
Batch ID: 108837538
Business Day: 19-Aug-2013
Net Batch Total: 3704.75 (USD)
Number of Charge Transactions: 1
Amount of Charge Transactions: 3704.75
Number of Refund Transactions: 5
Amount of Refund Transactions: 315.74
You can download your full report at https://account.authorize.net/login/protected/download/settlementreport/
To view details for a specific transaction, please log into the Merchant Interface.
1.Click "Reports" from the main menu
2.Select "Transaction Details by Settlement Date"
3.Select "Settled Transactions" from the Item Type drop-down box.
4.Select the Settlement Date for the batch you would like to view from the "Date" drop-down box
5.Click "Run Report"
6.In the results, click on any transaction ID to view specific details for that transaction.
If you have any questions regarding this settlement report, please contact us by Secure Mail or you can call Customer Support at 1-877-447-3938.
Thank You,
Authorize.Net
*** You received this email because you chose to be a Credit Card Report
recipient. You may change your email options by logging into the Merchant
Interface. Click on Settings and Profile in the Main Menu, and select
Manage Contacts from the General section. To edit a contact, click the
Edit link next to the contact that you would like to edit. Under Email
Types, select or deselect the Email types you would like to receive. Click
Submit to save any changes. Please do not reply to this email.
Labels:
Facebook,
GoDaddy,
Malware,
Nuclear Fallout Enterprises,
Spam,
ThreeScripts,
Viruses
Monday 19 August 2013
"You have received a secure message" spam / securedoc.zip
Date: Mon, 19 Aug 2013 20:24:27 +0000 [16:24:27 EDT]
From: "secure.email@citi.com" [secure.email@citi.com]
Subject: You have received a secure message
Attached is a file securedoc.zip which in turn contains a malicious executable securedoc.exe which has a very low detection rate at VirusTotal of just 2/46. The Malwr analysis (and also ThreatExpert) shows that the file first connects to [donotclick]frankcremascocabinets.com/forum/viewtopic.php (a hijacked GoDaddy domain on 184.95.37.102 (Secured Servers, US / Jolly Works Hosting, Philippines), as seen before here), and it then tries to download additional components from:
[donotclick]lobbyarkansas.com/0d8H.exe
[donotclick]ftp.ixcenter.com/GMMo6.exe
[donotclick]faithful-ftp.com/kFbWXZX.exe
This second part has another very low VirusTotal detection rate of just 3/46. Malwr gives an insight into what the binary is doing, or alternatively you can look at the Comodo CAMAS report or ThreatExpert report.
Recommended blocklist:
184.95.37.96/28
frankcremascocabinets.com
giuseppepiruzza.com
gordonpoint.biz
gordonpoint.info
hitechcreature.com
frankcremasco.com
lobbyarkansas.com
ftp.ixcenter.com
faithful-ftp.com
Labels:
EXE-in-ZIP,
GoDaddy,
Jolly Works Hosting,
Malware,
Spam,
ThreeScripts,
Viruses
"You requested a new Facebook password" spam / frankcremascocabinets.com
This fake Facebook spam follows on from this one, but has a different malicious landing page at frankcremascocabinets.com:
From: Facebook [update+hiehdzge@facebookmail.com]
Date: 19 August 2013 17:38
Subject: You requested a new Facebook password
Hello,
You recently asked to reset your Facebook password.
Click here to change your password.
Didn't request this change?
If you didn't request a new password, let us know immediately.
Change Password
This message was sent to [redacted] at your request.
Facebook, Inc., Attention: Department 415, PO Box 10005, Palo Alto, CA 94303
The link in the email goes to a legitimate hacked site which then tries to load one or more of the following three scripts:
[donotclick]ftp.hotwindsaunausa.com/clingy/concord.js
[donotclick]katchthedeal.sg/stilling/rifts.js
[donotclick]ftp.navaglia.it/gazebo/cowboys.js
The victim is then directed to a malware payload at [donotclick]frankcremascocabinets.com/topic/able_disturb_planning.php hosted on 184.95.37.102 (Secured Servers, US / Jolly Works Hosting, Philippines). This domain is a hijacked GoDaddy domain and there are several others on the same server (listed below in italics).
Recommended blocklist:
184.95.37.96/28
ftp.hotwindsaunausa.com
katchthedeal.sg
ftp.navaglia.it
giuseppepiruzza.com
frankcremascocabinets.com
gordonpoint.biz
hitechcreature.com
frankcremasco.com
Labels:
Facebook,
GoDaddy,
Jolly Works Hosting,
Malware,
Spam,
ThreeScripts,
Viruses
Facebook spam / hubbywifewines.com
This fake Facebook spam leads to malware on hubbywifewines.com:
Date: Mon, 19 Aug 2013 16:20:06 +0200 [10:20:06 EDT]
From: Facebook [update+hiehdzge@facebookmail.com]
Subject: You requested a new Facebook password
Hello,
You recently asked to reset your Facebook password.
Click here to change your password.
Didn't request this change?
If you didn't request a new password, let us know immediately.
Change Password
This message was sent to [redacted].net at your request.
Facebook, Inc., Attention: Department 415, PO Box 10005, Palo Alto, CA 94303
The link in the email goes to a legitimate hacked site and then loads one or more of these three scripts:
[donotclick]ftp.hotwindsaunausa.com/clingy/concord.js
[donotclick]katchthedeal.sg/stilling/rifts.js
[donotclick]ftp.navaglia.it/gazebo/cowboys.js
The victim is then forwarded to a malware landing page using a hijacked GoDaddy domain at [donotclick]hubbywifewines.com/topic/able_disturb_planning.php hosted on 72.5.102.192 (Nuclear Fallout Enterprises, US) along with another hijacked domain of hubbywifefoods.com.
Recommended blocklist:
72.5.102.192
hubbywifewines.com
hubbywifefoods.com
ftp.hotwindsaunausa.com
katchthedeal.sg
ftp.navaglia.it
Labels:
Facebook,
GoDaddy,
Malware,
Nuclear Fallout Enterprises,
Spam,
ThreeScripts,
Viruses
MONK / Monarchy Resources, Inc pump-and-dump spam
Another day, another pump-and-dump spam run, this time being sent to randomly generated email addresses promoting MONK (Monarchy Resources, Inc).
The spam that I have seen appears to originate primarily from IP addresses in India.
So, what's up with MONK? The stock has only been trading since June and most of that time it has been at around the $1.00 level. At the beginning of August the price dropped to $0.40 and then $0.20 per share (dropping at one point to just $0.10), losing more than 75% of its value since launch (see the stock chart here).
On 16th August there was a flurry of activity as 209,400 shares were bought at around $0.20 or somewhat under that. Usually this is the spammers taking up a position in the company that they are about to spam. On the next day (a Saturday) the pump-and-dump spam started. So far today about 450,000 shares have been traded, apparently giving the stock a bit of a bump as whoever has hired the spammers tries to cash out.
As with all pump-and-dump spams, the only people making money out of it are the scammers who run it. Any investor who tries to invest in these is likely to lose some or all of their investment. Avoid
Here are some examples:
Subject: Pick Of The Week... Do Not Miss Out This Time!
Make easy $15'000 Monday!!! Hello, want to receive $15'000 by
next Friday? You would receive lot more if you get this hot
stock on Monday. The stock symbol is: M_O N_K. It's Monarchy
Resources, Inc.. It sells under 48 cents, but it should
see $1'80 shortly! Purchase shares of M_O N_K on Aug, 19
below 48 cents and multiply your cash! It could be
awesome to get $15'000 by Friday. And it's very easy to
receive. On Monday, Aug 19, 2013 order 43'000 shares of M_O
N_K and get over $15'000 by Friday
Subject: Hot Investor News
Pocket your $17'000 now! Howdy, need to pocket $17'000 by this Saturday? You
will get lots more if you purchase this premium stock on Monday. The stock
symbol is: M_ONK. It's MONARCHY RESOURCES INC.. It sits below 42 cents,
but it should see $1'20 promptly! Purchase shares of M_ONK on Mon, Aug
19th, 2013 under 42 cents and multiply your investment. It will be
amazing to earn $17'000 by Saturday. And its very easy to get! On Aug, 19th
order 29'000 shares of M_ONK and receive over $17'000 by Saturday!!!
Subject: Walgreens News!!!
Make easy $12'000 now! Hello, ready to pocket $12'000 by next
Saturday? You would receive lots more if you order this
undervalued stock on Monday. The company symbol is: M O N K.
It's Monarchy Resources, Inc. It goes under 40 cents, but
it could settle $1.90 promptly! Get shares of M O N K on
Monday, Aug 19th, 2013 under 40 cents and quadruple your
investment. It can be amazing to earn $12'000 by Saturday. And
its very easy to do! On Aug, 19 trade 21'000 shares of M O N K
and get over $12'000 by Saturday.
Subject: Profile Alert
Earn fast $13'000 now! Hello, ready to pocket $13'000 by this Thursday?
You can make lot more if you get this new stock on Monday. The stock
symbol is: M_O N_K. Its MONARCHY RESOURCES, INC. It goes under 30
cents, but it should see $1.55 shortly! Get shares of M_O N_K on
Monday, Aug 19 under 30 cents and quadruple your portfolio. It
could be cool to make $13'000 by Thursday. And it's very easy to do! On
Mon, August 19th, 2013 buy 35'000 shares of M_O N_K and pocket over
$13'000 by Thursday!
The spam that I have seen appears to originate primarily from IP addresses in India.
So, what's up with MONK? The stock has only been trading since June and for most of that time it has been at around the $1.00 level. At the beginning of August the price dropped to $0.40 and then $0.20 per share (dropping at one point to just $0.10), losing more than 75% of its value since launch (see the stock chart here).
On 16th August there was a flurry of activity as 209,400 shares were bought at around $0.20 or somewhat under. Usually this is the spammers taking up a position in the company that they are about to spam. On the next day (a Saturday) the pump-and-dump spam started. So far today about 450,000 shares have been traded, apparently giving the stock a bit of a bump as whoever has hired the spammers tries to cash out.
As with all pump-and-dump spams, the only people making money out of it are the scammers who run it. Any investor who tries to invest in these is likely to lose some or all of their investment. Avoid.
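The samples above all spell the ticker in a broken form ("M_O N_K", "M O N K", "M_ONK"), sometimes even split across a line break, and write amounts with an apostrophe ("$15'000"), presumably to slip past simple keyword filters. The following is an added example, not code from the original post, of a small mail-filter check that normalises such separators and flags a message that combines an obfuscated watched ticker with apostrophe-style amounts. The watched-ticker set, the function names and the sample text (constructed from the first spam quoted above) are assumptions of this example.

```python
import re

# Tickers known to be under pump-and-dump promotion (constructed; extend as needed).
WATCHED_TICKERS = {"MONK"}


def ticker_pattern(ticker: str) -> re.Pattern:
    """Build a regex that tolerates up to two separator characters (space,
    newline, underscore, dot, dash) between consecutive letters of the ticker,
    so "M_O N_K", "M O N K", "M_ONK" and "M_O\nN_K" all match "MONK".
    The look-arounds stop the pattern matching inside a longer uppercase
    word such as MONARCHY."""
    sep = r"[\s_.\-]{0,2}"
    body = sep.join(re.escape(ch) for ch in ticker)
    return re.compile(r"(?<![A-Z])" + body + r"(?![A-Z])")


PATTERNS = {t: ticker_pattern(t) for t in WATCHED_TICKERS}

# Amounts written with an apostrophe as the thousands or decimal separator
# ("$15'000", "$1'80"), a quirk shared by every sample in this run.
APOSTROPHE_MONEY = re.compile(r"\$\d{1,3}'\d{2,3}\b")


def find_obfuscated_tickers(text: str) -> list:
    """Return (ticker, matched_text) pairs for every obfuscated spelling of a
    watched ticker. A plain, unobfuscated spelling is deliberately ignored
    because legitimate finance mail will mention tickers normally."""
    found = []
    for ticker, pat in PATTERNS.items():
        for m in pat.finditer(text):
            if m.group(0) != ticker:
                found.append((ticker, m.group(0)))
    return found


def score_message(text: str) -> dict:
    """Combine both signals: an obfuscated watched ticker plus at least two
    apostrophe-style amounts is treated as a pump-and-dump indicator."""
    tickers = find_obfuscated_tickers(text)
    amounts = APOSTROPHE_MONEY.findall(text)
    return {
        "obfuscated_tickers": tickers,
        "apostrophe_amounts": amounts,
        "suspicious": bool(tickers) and len(amounts) >= 2,
    }


# Constructed sample, abridged from the first spam quoted in the post; note the
# ticker split across a line break in the last two lines.
SAMPLE_SPAM = """Make easy $15'000 Monday!!! Hello, want to receive $15'000 by
next Friday? The stock symbol is: M_O N_K. It's Monarchy
Resources, Inc.. It sells under 48 cents, but it should
see $1'80 shortly! On Monday, Aug 19, 2013 order 43'000 shares of M_O
N_K and get over $15'000 by Friday"""


if __name__ == "__main__":
    result = score_message(SAMPLE_SPAM)
    for ticker, raw in result["obfuscated_tickers"]:
        print(f"obfuscated {ticker}: {raw!r}")
    print("amounts:", result["apostrophe_amounts"])
    print("suspicious:", result["suspicious"])
```

The matching is case-sensitive on purpose: the spam writes tickers in capitals, and a lowercase "monk" in ordinary prose should not trigger. A deployment would feed the watched-ticker set from the symbols seen in current spam runs rather than hard-coding them.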
Labels: Pump and Dump, Spam
Malekal.com Joe Job part II
There has been a Joe Job being run against Malekal.com for some time now. However, the joe job has now morphed and includes a reference to this blog (which is kind of annoying).
Date: Sun, 18 Aug 2013 14:35:33 +0300 [08/18/13 07:35:33 EDT]
Subject: Email SPAM for malekal.com
Theses emails SPAM are sent from a botnet (check the mails headers), im not
responsible of theses spam emails.
Someone is probably trying to get the site blacklisted or to get bad reputation
(called this "a Joe Job" - see :
http://blog.dynamoo.com/2013/08/malekalcom-joe-job.html )
The responsible is " Reveton Guy ", try to get revenge after a mass shutdown of
their malvertising :
http://www.malekal.com/2013/07/30/en-juicyads-reveton-malvertising/
http://www.malekal.com/2013/07/28/en-plugrush-reveton-malvertising/
http://www.malekal.com/2013/07/26/en-reveton-adxpansion-com-malvertising/
The August 11, they tried to get my website blacklisted using hacked website :
http://www.malekal.com/2013/08/12/en-reveton-go-now-by-hacked-website/
This is rather more subtle than the previous Joe Job, as it appears to be from the Malekal administrator themselves. However, it is being sent by a botnet (probably the same botnet sending the original spam) and is just another way to cause trouble.
These spam emails are tightly targeted to addresses that are most likely to make complaints. If you are going to report these, then I'd appreciate it if you would report the sending IP only rather than just copy-and-pasting all the links in.
Friday 16 August 2013
"California Human Right Foundation CHRF USA" scam email
It's hard to say whether this scam is simply a version of the advanced fee fraud (you can come to the conference, but there will be fees and hotel charges), or if the idea is that you go down to Senegal and get kidnapped. In any case, this is a scam sent to an email address scraped from the web via a hijacked email account in Indonesia. Similar scams have been seen before. Avoid.
From: Mrs Cira Jonas [dede@yongjin.co.id]
Reply-To: cirajo101@blumail.org
Date: 16 August 2013 18:06
Subject: 2013 USA (CHRF) CONFERENCE/INVITATION!!!
Dear Colleagues,
On behalf of California Human Right Foundation CHRF USA, It is a great privilege for us to invite you to global Congress meeting against Economic Crisis, Child Protection & HIV/AIDS Treatment, Prostitution, Sex Work and forced Labor. The aims of the conference are to bring together researchers and practitioners in an effort to lay the ground work for future collaborative research, advocacy, and program development as well as to educate social service, health care, and criminal justice professionals on human trafficking and the needs and risks of those victimized by the commercial sex industry.
The global Congress meeting against Economic Crisis, Child Protection & HIV/AIDS Treatment, Prostitution, Sex Work and forced Labor is scheduled to take place from October 20th – 24th 203, in California the United States and in Dakar-Senegal, from October 26th – 30th 2013. The global congress is hosted by the Campaign against Child Labor Coalition and sponsored by (The Bill & Melinda Gates Foundation, The William J. Clinton Foundation and other benevolent donors worldwide.
Note that all interested delegates that requires entry visa to enter the United States to attend this meeting will be assisted by the organization, in obtaining the visa in their passport. Free air round trip tickets to attend this meeting will be provided to all participants. The Workshop welcomes paper presentation from any interested participants willing to present papers during the meeting.
For registration information you are to contact the conference secretariat via Email: info.secretaryallissa@usa.com
Please share the information with your colleagues.
Sincerely,
Mrs Cira Jonas
E-mail: cirajo101@blumail.org
(M.D) Activities Coordinator
Labels: Advanced Fee Fraud, Scam, Senegal
ADP spam / ADP_week_invoice.zip|exe
This fake ADP spam has a malicious attachment:
Date: Fri, 16 Aug 2013 09:57:59 -0500 [10:57:59 EDT]
From: "run.payroll.invoice@adp.com" [run.payroll.invoice@adp.com]
Subject: ADP Payroll INVOICE for week ending 08/16/2013
Your ADP Payroll invoice for last week is attached for your review. If you have any
questions regarding this invoice, please contact your ADP service team at the number
provided on the invoice for assistance.
Thank you for choosing ADP Payroll.
Important: Please do not respond to this message. It comes from an unattended mailbox.
There is an attachment ADP_week_invoice.zip which in turn contains a malicious executable file ADP_week_invoice.exe. The payload is exactly the same as this other malicious spam run which is running in parallel.
Labels: ADP, EXE-in-ZIP, Malware, Spam, Viruses
"CEO Portal Statements & Notices Event" spam / report_{DIGIT[12]}.exe
This fake Wells Fargo email has a malicious attachment:
Date: Fri, 16 Aug 2013 09:51:17 -0500 [10:51:17 EDT]
From: Wells Fargo Event Messaging Admin [ofsrep.ceosmuigw@wellsfargo.com]
Subject: CEO Portal Statements & Notices Event
Wells Fargo
Commercial Electronic Office (CEO) Portal Statements & Notices Event: Multiple Download Request Available
Your Deposit Adjustment Notices is now available. To access your information please download attached report and open Statements & Notices file.
Date/Time Stamp: Fri, 16 Aug 2013 09:51:17 -0500
Request Name: MM3P85NRLOXLOFJ
Event Message ID: S045-77988311
Please do not reply to this email.
The email has an attachment called report_625859705821.zip which in turn contains an executable report_{DIGIT[12]}.exe (the literal {DIGIT[12]} in the name is presumably an error) which has a VirusTotal detection rate of 9/46. The Malwr report shows that this malware does various things, including an HTTP request to a hijacked GoDaddy domain at [donotclick]hubbywifeco.com/forum/viewtopic.php hosted on 66.151.138.80 (Nuclear Fallout Enterprises, US) which is shared with another hijacked domain, hubbywifecakes.com.
From there, another executable is downloaded from one of the following locations:
[donotclick]208.106.130.52/39UvZmv.exe
[donotclick]demoscreactivo.com/DKM9.exe
[donotclick]roundaboutcellars.com/Utuw1.exe
[donotclick]bbsmfg.biz/VKPqrms.exe
This executable has an even lower detection rate of just 5/46. You can see the Malwr report for that here.
Blocking EXE-in-ZIP files like this at your perimeter is an excellent idea if you can do it.
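Where a mail gateway cannot simply reject every ZIP, the next best thing is to open the archive and refuse any member that is executable. The following is an added example, not code from the original post or from any gateway product, of such a check: it inspects each member's extension and its first two bytes (Windows executables begin with "MZ"), so an executable renamed to look like a document is still caught. The extension list, function names and the sample archives (constructed in memory, with an "executable" that is only an MZ header and not a real program) are assumptions of this example; the member name mirrors the one quoted above.

```python
import io
import zipfile

# File types that should never arrive inside an e-mailed ZIP (constructed list).
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs", ".jar"}
MZ_MAGIC = b"MZ"  # DOS/PE executable header


def inspect_zip(data: bytes) -> list:
    """Return (member name, reason) pairs for every member that looks
    executable, judged by extension and by file header independently."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
            reasons = []
            if ext in EXECUTABLE_EXTS:
                reasons.append(f"extension {ext}")
            # Read only the first two bytes; a member may be large and
            # decompression bombs are a separate concern for a real gateway.
            with zf.open(info) as fh:
                head = fh.read(2)
            if head == MZ_MAGIC:
                reasons.append("MZ header")
            if reasons:
                findings.append((name, ", ".join(reasons)))
    return findings


def should_block(data: bytes) -> bool:
    """Policy: any executable member is enough to block the attachment."""
    return bool(inspect_zip(data))


def build_sample_zip() -> bytes:
    """Constructed sample: the attachment name from the post, a renamed
    'document' that is really MZ data, and a harmless text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report_{DIGIT[12]}.exe", MZ_MAGIC + b"\x00" * 62)
        zf.writestr("invoice.pdf", MZ_MAGIC + b"\x00" * 62)
        zf.writestr("readme.txt", b"not executable")
    return buf.getvalue()


def build_clean_zip() -> bytes:
    """Constructed sample with only non-executable content."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("notes.txt", b"plain text")
    return buf.getvalue()


if __name__ == "__main__":
    for name, why in inspect_zip(build_sample_zip()):
        print(f"{name}: {why}")
    print("block sample:", should_block(build_sample_zip()))
    print("block clean:", should_block(build_clean_zip()))
```

Checking the header as well as the extension matters because the spammer controls the file name; checking the extension as well as the header matters because script files (.js, .vbs) have no magic bytes. Password-protected or nested archives defeat this check and are best rejected outright at the perimeter.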
Recommended blocklist:
66.151.138.80
hubbywifeco.com
hubbywifecakes.com
208.106.130.52
demoscreactivo.com
roundaboutcellars.com
bbsmfg.biz
Labels: EXE-in-ZIP, GoDaddy, Malware, Nuclear Fallout Enterprises, Spam, Viruses