
SPAM frauds, fakes, and other MALWARE deliveries...


2072 replies to this topic

#871 AplusWebMaster

  • Authentic Member
  • 10,472 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted 04 February 2013 - 06:15 AM

FYI...

Fake StumbleUpon SPAM / drugstorepillstablets .ru
- http://blog.dynamoo....stabletsru.html
4 Feb 2013 - "This fake StumbleUpon spam is something new, it leads to a fake pharma site on drugstorepillstablets .ru:
Date: Mon, 4 Feb 2013 01:01:46 -0600 (CST)
From: StumbleUpon [no-reply @stumblemail .com]
Subject: Update: Changes to Your Email Settings
Hi [redacted],
This is a quick note to let you know about some changes we've made to the email settings in your StumbleUpon account. We've created a bunch of new notification options that allow you to have more control over what types of emails you'll receive from us. These new notification options are not compatible with the old settings, so your settings have been reset. We apologize for any inconvenience, and want to make sure we only send you the emails you want to receive.
Now what? Please click here to head over to your email settings and update your preferences, so we know exactly what emails you'd like to receive from StumbleUpon.
Want to receive all notifications about shares from friends, recommended Stumbles, and more? Great, you don't have to do anything at all!
Thanks for Stumbling,
The StumbleUpon Team
P.S. Haven't signed in for a while and can't remember your password? You can reset it here by entering the email address used in this email.
Please don't reply to this message - for all questions, check out our Help Center. To visit your email settings, please click here.
StumbleUpon | 301 Brannan Street, 6th Floor, San Francisco, CA 94107


There's no surprise to see that the IP address of the spamvertised site is 92.48.119.139 (Simply Transit, UK)..."
(More detail at the dynamoo URL above.)
___

Something evil on 108.61.12.43 and 212.7.192.100
- http://blog.dynamoo....611243-and.html
4 Feb 2013 - "A few sites worth blocking on 108.61.12.43 (Constant Hosting, US) courtesy of Malware Must Die*:
helloherebro .com
painterinvoice .ru
painterinvoicet .ru
immediatelyinvoicew .ru
While you are at it, you might like to block 212.7.192.100** (Dediserv, Netherlands) as well."
* http://malwaremustdi...xploit-kit.html

** http://malwaremustdi...t-infector.html
___

Phytiva / XCHC pump-and-dump SPAM
- http://blog.dynamoo....p-and-dump.html
4 Feb 2013 - "This pump-and-dump spam (at least I assume that's what it is) caught my eye:
From: Hugh Crouch [tacticallyf44 @riceco .com]
Date: 4 February 2013 12:39
Subject: RE: Targeting the global Cosmoceutical market
US leading biotech company is please to introduce a newly launched brand - a hybrid of a proven, existing product line that has been well-managed and conservatively-run for over a decade with a hemp-based product line, utilizing the unique and potent benefits of the plants. Revolutionary formulations target not just the symptom, but also the cause. The plant is the ideal basis for healing solutions and has been utilized for centuries, as skin responds extremely well to its properties.
Its newest Plant based Product lines that have identified over a dozen ailments that we believe that the products will be the superior choice on the market. These ailments include cancer, arthritis, influenza, HIV/ AIDS, PTSD and many more.
We are looking for leading beauty and health care investors. If you are dedicated to making difference in people”s lives, we need your help now more than ever before toprovide excellent and efficient medical and health care for our future researches.
For more information, please visit
You can unsubscribe from all our future email communications at


The email originates from 31.25.91.159 in the Islamic Republic of Iran, spamvertising a site at www.xn--80aakfmpm2afbm .xn--p1ai (yes, that's a valid international domain name) hosted on 111.123.180.11 in China. In all likelihood, Phytiva and its parent company The X-Change Corporation (stock ticker XCHC) almost definitely have nothing to do with this rather odd spam. Avoid."
___

Fake FedEx emails lead to malware
- http://blog.webroot....ead-to-malware/
Feb 4, 2013 - "... the digital fingerprint of one of the most recently introduced malware variants used in the campaign corresponds to the digital fingerprint of a malware-serving campaign that we’ve already profiled, indicating that they’ve been launched by the same cybercriminal/gang of cybercriminals...
Sample screenshot of the spamvertised email:
> https://webrootblog....ail_malware.png
... Detection rate for the malware variants distributed over the past 24 hours:
MD5: bf061265407ea1f7c21fbf5f545c4c2b * ...PAK_Generic.001
The campaign is ongoing, so watch what you click on!..."
(More detail at the websense URL above.)
* https://www.virustot...9a2a2/analysis/
File name: ukjlbkma.exe
Detection ratio: 30/46
Analysis date: 2013-02-04
___

- http://tools.cisco.c...Outbreak.x?i=77
Fake Tax Documents Notification E-mail Messages - February 04, 2013
Fake Apple Coupon Offer E-mail Messages - February 04, 2013
Malicious Attachment E-mail Message - February 04, 2013
Fake Product Order Request E-mail Messages - February 04, 2013
Fake Portuguese Money Deposit E-mail Messages - February 04, 2013
Fake Purchase Order Notification E-mail Messages - February 04, 2013
Fake Product Order E-mail Message - February 04, 2013
Fake Telegraphic Transfer E-mail Messages - February 04, 2013
Fake Money Transfer Notification E-mail Messages - February 04, 2013
Malicious Personal Photograph Attachment E-mail Messages - February 04, 2013
Malicious Personal Pictures Attachment E-mail Messages - February 04, 2013
Fake Xerox Scan Attachment E-mail Messages - February 04, 2013
(More detail and links at the cisco URL above.)

:ph34r: :ph34r: <_<

Edited by AplusWebMaster, 04 February 2013 - 06:37 PM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.



#872 AplusWebMaster

Posted 05 February 2013 - 07:12 AM

FYI...

Fake ‘Your Kindle e-book Amazon receipt’ emails lead to BlackHole Exploit Kit
- http://blog.webroot....le-exploit-kit/
5 Feb 2013 - "Kindle owners, watch what you click on! Cybercriminals are currently attempting to trick Kindle owners into thinking that they’ve received a receipt from an E-book purchase from Amazon .com. In reality, when users click on -any- of the links found in the malicious emails, they’re automatically exposed to the client-side exploits served by the Black Hole Exploit Kit...
Sample screenshot of the spamvertised email:
> https://webrootblog....exploit_kit.png
... Malicious domain name reconnaissance:
starsoftgroup.net – 175.121.229.209; 198.144.191.50 – Email: wondermitch @hotmail .com
Name Server: NS1.HTTP-PAGE .NET
Name Server: NS2.HTTP-PAGE .NET
We’ve already seen the same name servers used in the following previously profiled campaigns, indicating that they’ve been launched by the same cybercriminals... Upon successful client-side exploitation, the campaign drops MD5: 13d23f4c1eb1d4d3841e2de50b1948cc * ... UDS:DangerousObject.Multi.Generic...
Upon execution, the sample also phones back to the following C&C servers:
hxxp :// 195.191.22.90 :8080/DPNilBA/ue1elBAAAA/tlSHAAAAA/
hxxp :// 37.122.209.102 :8080/DPNilBA/ue1elBAAAA/tlSHAAAAA/
hxxp :// 217.65.100.41 :8080/DPNilBA/ue1elBAAAA/tlSHAAAAA/
hxxp :// 173.201.177.77 /J9/vp//EGa+AAAAAA/2MB9vCAAAA/
hxxp :// 210.56.23.100 /J9/vp//EGa+AAAAAA/2MB9vCAAAA/
hxxp :// 213.214.74.5 /J9/vp//EGa+AAAAAA/2MB9vCAAAA/
hxxp :// 180.235.150.72 /J9/vp//EGa+AAAAAA/2MB9vCAAAA/
We’ve already seen the same pseudo-random C&C communication characters (DPNilBA) used... As well as the same C&C server IPs (173.201.177.77; 210.56.23.100; 180.235.150.72) ...
(More detail at the webroot URL above.)
* https://www.virustot...4e6a2/analysis/
File name: DWIntl20.Dll
Detection ratio: 7/46
Analysis date: 2013-02-04
___

Free Disneyland Tickets Survey SCAM
- http://www.hoax-slay...rvey-scam.shtml
Feb 5, 2013
Outline: Various -Facebook- messages claim that users can receive free tickets to Disneyland by liking and sharing a picture and participating in online surveys.
Brief Analysis: The supposed giveaways are scams designed to trick people into spamming their friends and participating in -bogus- online surveys. No matter how many surveys they complete, participants will -never- receive the promised Disneyland tickets. These offers are not endorsed by and have no connection to Disney. If you receive one of these messages, do not click any links that it contains.
> http://www.hoax-slay...ickets-scam.jpg
___

Fake Amazon .com SPAM / salam-tv .com
- http://blog.dynamoo....alam-tvcom.html
5 Feb 2013 - "This fake Amazon email leads to malware on salam-tv .com:
Date: Tue, 5 Feb 2013 18:32:06 +0100
From: "Amazon.com Orders" [no-reply @amazon .com]
Subject: Your Amazon.com order receipt.
Click here if the e-mail below is not displayed correctly.
Follow us:
Your Amazoncom Today's Deals See All Departments
Dear Amazon.com Customer,
Thanks for your order, [redacted]!
Did you know you can view and edit your orders online, 24 hours a day? Visit Your Account.
Order Details:
E-mail Address: [redacted]
Billing Address:
1170 CROSSING CRK N Rd.
Fort Wayne OH 49476-1748
United States
Phone: 1- 749-787-0001
Order Grand Total: $ 91.99
Earn 3% rewards on your Amazon .com orders with the Amazon Visa Card. Learn More
Order Summary:
Details:
Order #: C59-2302433-5787713
Subtotal of items: $ 91.99
Total before tax: $ 91.99
Tax Collected: $0.00
Grand Total: $ 90.00
Gift Certificates: $ 1.99
Total for this Order: $ 91.99
Find Great Deals on Millions of Items Storewide
We hope you found this message to be useful. However, if you'd rather not receive future e-mails of this sort from Amazon.com, please opt-out here.
2012 Amazon.com, Inc. or its affiliates. All rights reserved. Amazon, Amazon .com, the Amazon .com logo and 1-Click are registered trademarks of Amazon .com, Inc. or its affiliates. Amazon .com, 466 Sally Ave. N., Seattle, MA 71168-8282. Reference: 25090571
Please note that this message was sent to the following e-mail address: [redacted]


The malicious payload should be at [donotclick]salam-tv .com/detects/visit_putts.php but at the moment this domain doesn't seem to be resolving properly. A bit of digging around shows that it may be hosted on 198.144.191.50 (Chicago VPS, US) and the following malicious domains can be traced to that IP address:
morepowetradersta .com
capeinn .net
starsoftgroup .net
salam-tv .com "
___

Malwarebytes uncovers digital certificate-spoofing Trojan
- http://blog.malwareb...-dangerous-mix/
Update (Feb 4th, 3:44 PM): Egnyte has promptly taken down the illicit account following our call. However, digital signature is still in use.
"... we just spotted a new malware sample (Brazilian banking/password stealer) which happens to be signed with a real and valid digital certificate issued by DigiCert:
> http://blog.malwareb...13/02/digi1.png
This certificate is issued to a company called “Buster Paper Comercial Ltda”, a Brazilian company that actually does -not- exist and was registered with bogus data... The file – disguised as a PDF document (an invoice) – actually opens up as such to really fool the victim:
> http://blog.malwareb.../02/invoice.png
... the malware connects to: som.egnyte .com ... size matters as many antivirus scanners have trouble with detecting larger files. Digging a little deeper, this is not a new case at all. In fact, last November the same kind of digitally signed Trojan was also distributed (See this ThreatExpert report* for proof). Its certificate has, since then, been revoked... What we have here is a total abuse of hosting services, digital certificates and repeated offenses from the same people... Digital certificate theft can be used in targeted attacks as a spear phishing attack for example... An attacker can easily find out or guess what antivirus a company is running and craft a piece of malware that will not be detected by it. Because such attacks are very narrow, the sample will not be disseminated around the world, making its discovery less likely..."
* http://www.threatexp...1213d3551eb3c28

:ph34r: :ph34r: <_<

Edited by AplusWebMaster, 05 February 2013 - 05:49 PM.



#873 AplusWebMaster

Posted 06 February 2013 - 08:18 AM

FYI...

Fake job offer inukjob .com, ineurojob .com and hollandsjob .com
- http://blog.dynamoo....offer-also.html
6 Feb 2013 - "This fake job offer from inukjob .com involves illegal money laundering, and it also seems that the scammers want to use your identity for "correspondence" which normally means things like reshipping stolen goods and identity theft.
From: Victim
To: Victim
Date: 6 February 2013 09:16
Subject: Looking for remote assistants, paid $ 100 per hour helping other people
Good afternoon!
Is it possible for you to spare a few hours a week to the new occupation, which would increase your wages in 2-3 times, without investing a penny? While you are looking for the trick in this offer, hundreds of your compatriots have already been reaping the benefits of working with us.
This is not a financial pyramid or marketing of any kind. It's about doing simple assignments, not exceed the limits of morals or ethics.
Your gender, age, employment do not matter - the main factors are your diligence and conscientiousness.
Lots of our employees began with a part-time employment and combined with other jobs, but two weeks later,
most of them devoted themselves to our job.
We are in all respects ready to remove all your doubts and help you to understand all details.
Position is called the "Regional Manager".
Functional duties:
- to represent the interests of foreign companies in the region (For example: providing your address for correspondence.)
- to take control of transactions between the company and the client in your area.
For more information, please, email us attaching your CV, the country and city of residence.
It will considerably increase your chances for employment. Email: Kelsey@inukjob.com
Best Regards,
PR Manager


I've seen another variant with a reply address of Delores @inukjob .com. In all these cases, the email appears to come from the victim (here's why*). Let's dig a little deeper into the domain. It turns out that it is registered by scam-friendly Chinese registrar BIZCN .COM. The WHOIS details are fake:
Tara Zwilling info @inukjob .com
315-362-4562 fax: 315-362-4511
3201 Oak Street
Syracuse NY 13221
us
There is -no- number 3201 Oak Street in Syracuse, New York (see for yourself**) and the Zip code is incorrect, it should be 13203 and -not- 13221. There's -no- web site, mail is handled by a server at 31.214.169.94 (Exetel, Germany). The following mailservers can be found at that IP:
mx.ineurojob .com
mx.hollandsjob .com
mx.inukjob .com
You can assume that all these domains are fraudulent. If we dig a little deeper at the nameservers ns1.ariparts .net (also on 31.214.169.94) and ns2.ariparts .net (8.163.20.161, Level 3, US), then we can also find the following very dodgy domains:
hollandsjob .com
pracapolsk .com
ariparts .net
ineurojob .com
All these domains have fake or hidden registration details and can be assumed to be part of a scam. Avoid."
* http://blog.dynamoo....yself-spam.html

** http://goo.gl/maps/KimC4
___

Google store - malicious apps
- http://blog.webroot....run-protection/
5 Feb 2013 - "Recently, two applications designed with malicious intent were discovered within the Google Play application store. The apps were built with a façade of being utility cleaners designed to help optimize Android-powered phones, but in reality, both apps had code built in designed to copy private files, including photos, and submit them to remote servers. The applications, named SuperClean and DroidClean, did not stop there. Researchers also found that the malware was able to AutoRun on Windows PC devices when the phones were paired, and infect the main computer. The malware was designed to record audio through the computer’s microphone. AutoRun has often been used as a method of infection, and Microsoft has since sent a security fix out to Windows XP/Vista/7 in order to disable the exploitable element. In some cases, however, the feature might have been re-enabled by the user for convenience or never changed through a backlog of updates. An application such as this has not been seen in the past, and is showing the creative methods through which malware coders are attempting to break through a computer’s security. With the Android device acting as a Trojan horse for the infection, malicious code has the potential of bypassing established security parameters that typically keep endpoint users safe within their network. While Webroot has classified the malicious apps, which have been removed from Google Play’s market, it goes to show that protective steps are necessary on all levels of devices to avoid an infection... For all users, we recommend ensuring that AutoRun is -disabled- on your computer. Even though Microsoft rolled out updates to disable, it is possible it could be enabled. Finally, always ensure you scan USB and other connected devices for malware before storing data or using on other PCs."

:ph34r: :ph34r: <_<



#874 AplusWebMaster

Posted 07 February 2013 - 07:22 AM

FYI...

Fake FFIEC SPAM / live-satellite-view .net
- http://blog.dynamoo....te-viewnet.html
7 Feb 2013 - "This spam attempts to load malware from live-satellite-view .net, but fails because at the moment the domain isn't registered. However, you can expect them to try again, so watch out for emails like this.
From: FFIEC [mailto:complaints @ffiec .gov]
Sent: 06 February 2013 16:17
Subject: FFIEC Occasion No. 77715
This summons is meant to make advise of file # 77715 which is opened and under interrogative with FFIEC following a accusation of your Financial Institution regarding suspect financial activity on your account.
A hard copy of this judicial process will be delivered to your business address.
Our institution will forward information to competent government agencies following this accusation.
Information and contacts regarding your Occasion file # can be found at
Occasion Number: 77715
Observed by
Federal Financial Institution Examination Council
Emily Gray


The attempted download is from [donotclick]live-satellite-view .net/detects/advanced_selected_determines_comparison.php although it fails to resolve. Perhaps the registrar nuked the domain? However, it is possible to tell that the nameservers were ns1.http-page .net and ns2.http-page .net, and on investigation it turns out that all the following IPs and domains are related and should be treated as malicious:
7.129.51.158
31.170.106.17
74.4.6.128
98.144.191.50
175.121.229.209
198.144.191.50
208.117.43.145
222.238.109.66
able-stock .net
capeinn .net
duriginal .net
euronotedetector .net
gonita .net
gutprofzumbns .com
http-page .net
live-satellite-view .net
morepowetradersta .com
ocean-movie .net
starsoftgroup .net
vespaboise .net
"
___

Ransomware Spam Pages on Github, Sourceforge, Others
- http://www.gfi.com/b...ceforge-others/
Feb 7, 2013 - "There’s currently a large and determined effort to infect computers with Ransomware, courtesy of the Stamp EK exploit kit... The bait for most of these redirects to Ransomware appears to be a slice of US news reporters in various “fake” (ie nonexistent) nude pictures, along with a smattering of film actresses / singers – in other words, the usual shenanigans. Curiously, we’ve observed a lot of wrestlers / people involved in the wrestling industry listed on many of the spam pages too... There are pages and pages of ripped content sitting on various websites such as one located on a .ua domain... So far we have observed Weelsof and Reveton Ransomware being dropped. The below piece of Ransomware is demanding $300 to “Unlock your computer and avoid other legal consequences”. As with other similar forms of Ransomware, it accuses the user of accessing illegal pornography and makes no bones about the fact that they should be paying up “or else”... Unfortunately much of the same content can currently be found on both Github and Sourceforge, typically in the form of a Youtube page or a collection of sex pictures lifted from a real porn site. We’ve also seen air rifle stores, a rip of a Windows for Dummies site, Twitter pages and a whole lot more besides. A lot of these pages seem to be in the process of being taken down, but there’s still enough floating around out there to be a problem..."
(Screenshots available at the gfi URL above.)
___

Telepests... Robocalls ...
- http://blog.dynamoo....5-telepest.html
7 Feb 2013 - "For some reason I've been plagued with cold calling telepests recently. This particular one (+20 3 2983245) offered the usual "press 5 to be ripped off" and "press 9 to try to unsubscribe which we will ignore" recorded message about claiming for an accident. There was a very politely spoken and nice young man on the end of the phone. He seemed a bit perplexed and upset when I told him to f**k off and leave me alone. Good. I don't know exactly who is behind this nuisance activity, but they were calling a TPS-registered phone from a number in Alexandria, Egypt. Offshoring fraudulent activity like this is quite common, but this is the first time that I've had to swear at an Egyptian. Perhaps the poor guy will consider doing something less scummy instead."

- https://www.bbb.org/...ying-robocalls/

> http://www.ftc.gov/b...ites/robocalls/
___

Whitehole Exploit Kit in-the-wild...
- http://blog.trendmic...it-kit-emerges/
Feb 6, 2013 - "... there is news of an emerging exploit kit dubbed Whitehole Exploit Kit. The name Whitehole Exploit Kit is just a randomly selected name to differentiate it from BHEK. While it uses similar code as Blackhole Exploit kit, BHEK in particular uses JavaScript to hide its usage of plugindetect.js, while Whitehole does not. It directly uses it without obfuscating this. We analysed the related samples, including the exploit malware cited in certain reports. The malware (detected as JAVA_EXPLOYT.NTW) takes advantage of the following vulnerabilities to download malicious files onto the system:
• CVE-2012-5076
• CVE-2011-3544
• CVE-2012-4681
• CVE-2012-1723
• CVE-2013-0422
Worth noting is CVE-2013-0422, which was involved in the zero-day incident that distributed REVETON variants and was used in toolkits like the Blackhole Exploit Kit and Cool exploit kit. Because of its serious security implication, Oracle immediately addressed this issue and released a software update, which was received with skepticism. The downloaded files are detected as BKDR_ZACCESS.NTW and TROJ_RANSOM.NTW respectively. ZACCESS/SIRIEF variants are known bootkit malware that download other malware and push fake applications. This specific ZACCESS variant connects to certain websites to send and receive information as well as terminates certain processes. It also downloads additional malicious files onto already infected systems. On the other hand, ransomware typically locks systems until users pay a sum of money via specific payment modes... Whitehole Exploit Kit is purportedly under development and runs in “test-release” mode. However, the people behind this kit are already peddling the kit and even command a fee ranging from USD 200 to USD 1800. Other notable features of this new toolkit include its ability to evade antimalware detections, to prevent Google Safe Browsing from blocking it, and to load a maximum of 20 files at once. Given Whitehole’s current state, we may be seeing more noteworthy changes to the exploit kit these coming months. Thus, we are continuously monitoring this threat for any developments..."
___

- http://tools.cisco.c...Outbreak.x?i=77
Fake Bank Wire Transfer Notification E-mail Messages - February 07, 2013
Fake Real Estate Offer E-mail Messages - February 07, 2013
Fake Money Transfer Notification E-mail Messages - February 07, 2013
Fake Debt Collection E-mail Messages - February 07, 2013
Fake Money Transfer Notification E-mail Messages - February 07, 2013
Malicious Attachment E-mail Messages - February 07, 2013
Fake Product Order Quotation Attachment E-mail Messages - February 07, 2013
(More detail and links available at the cisco URL above.)

:ph34r: :ph34r:

Edited by AplusWebMaster, 07 February 2013 - 11:32 PM.



#875 AplusWebMaster

Posted 08 February 2013 - 10:08 AM

FYI...

radarsky.biz and something evil on 5.135.67.160/28
- http://blog.dynamoo....ng-evil-on.html
8 Feb 2013 - "There is currently an injection attack -redirecting- visitors to a domain radarsky .biz (for example) hosted on 5.135.67.173 (OVH*) and suballocated to:
inetnum: 5.135.67.160 - 5.135.67.175
netname: MMuskatov-FI
descr: MMuskatov
country: FI
org: ORG-OH6-RIPE
admin-c: OTC15-RIPE
tech-c: OTC15-RIPE
status: ASSIGNED PA
mnt-by: OVH-MNT
source: RIPE # Filtered
"MMuskatov" was involved in this attack too, and a quick inspection of 5.135.67.160/28 doesn't look promising, you might want to block it and 5.135.67.144/28 and 5.135.67.192/28 as well. A deeper analysis is in progress."

* https://www.google.c...c?site=AS:16276
"... over the past 90 days, 7580 site(s)... served content that resulted in malicious software being downloaded and installed without user consent. The last time Google tested a site on this network was on 2013-02-08, and the last time suspicious content was found was on 2013-02-08... we found 518 site(s) on this network... that appeared to function as intermediaries for the infection of 3631 other site(s)... this network has hosted sites that have distributed malicious software in the past 90 days. We found 1465 site(s)... that infected 7340 other site(s)..."
___

Fake ACH Batch Download Notification emails
- http://security.intu.../alert.php?a=71
2/8/13 - "People are receiving fake emails with the title "ACH Batch Download Notification". Below is a copy of the email people are receiving, including the mistakes shown.
Refund check in the amount of $4,370.00 for
The following ACH batch has been submitted for processing.
Initiated By: colleen
Initiated Date & Time: Fri, 8 Feb 2013 21:38:16 +0600 Batch ID: 7718720 Batch Template Name: PAYROLL
Please view the attached file to review the transaction details.


This is the end of the fake email..."
___

Fake BBB SPAM / madcambodia .net
- http://blog.dynamoo....ambodianet.html
8 Feb 2013 - "This fake BBB spam leads to malware on madcambodia .net:
Date: Fri, 8 Feb 2013 11:55:55 -0500 [11:55:55 EST]
From: Better Business Bureau [notify @bbb .org]
Subject: BBB details about your cliente's pretense ID 43C796S77
Better Business Bureau ©
Start With Trust ©
Thu, 7 Feb 2013
RE: Issue No. 43C796S77
[redacted]
The Better Business Bureau has been booked the above mentioned claim letter from one of your purchasers in respect of their business contacts with you. The detailed description of the consumer's concern are available for review at a link below. Please pay attention to this subject and let us know about your judgment as soon as possible.
We pleasantly ask you to visit the GRIEVANCE REPORT to reply on this claim.
We awaits to your prompt response.
Best regards
Luis Davis
Dispute Advisor
Better Business Bureau
3073 Wilson Blvd, Suite 600 Arlington, VA 23501
Phone: 1 (703) 276.0100 Fax: 1 (703) 525.8277
This note was sent to [redacted]. Don't want to receive these emails anymore? You can unsubscribe


The malicious payload is at [donotclick]madcambodia .net/detects/review_complain.php (report here) hosted on:
175.121.229.209 (Hanaro Telecom, Korea)
198.144.191.50 (Chicago VPS, US) ..."
___

Fake ADP SPAM / 048575623_02082013 .zip
- http://blog.dynamoo....2082013zip.html
8 Feb 2013 - "This fake ADP spam comes with a malicious attachment:
Date: Fri, 8 Feb 2013 18:26:05 +0100 [12:26:05 EST]
From: "ops_invoice @adp .com" [ops_invoice @adp .com]
Subject: ADP Payroll Invoice for week ending 02/08/2013 - 01647
Your ADP Payroll invoice for last week is attached for your review. If you have any questions regarding this invoice, please contact your ADP service team at the number provided on the invoice for assistance.
Thank you for choosing ADP Payroll.
Important: Please do not respond to this message. It comes from an unattended mailbox.


In this case there was a ZIP file called 048575623_02082013 .zip (this may vary) with an attachment 048575623_02082013 .exe designed to look like a PDF file. VirusTotal* identifies it as a Zbot variant. According to ThreatExpert**, the malware attempts to connect to the following hosts:
eyon-neos .eu
quest.social-neos .eu
social-neos .eu
These may be legitimate hacked domains, but if you are seeing unexpected traffic going to them then it could be a Zbot indicator.
* https://www.virustot...sis/1360370000/
File name: 048575623_02082013.exe
Detection ratio: 17/45
Analysis date: 2013-02-09

** http://www.threatexp...e0342013e5d0ad0

:ph34r: <_<

Edited by AplusWebMaster, 08 February 2013 - 07:33 PM.

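The indicator lists quoted in #872, #874 and #875 above are defanged ("hxxp ://", "salam-tv .com", "[donotclick]", "wondermitch @hotmail .com") and mix IPs, domains, C&C URLs and MD5s into prose. As an added example that is not code from the quoted posts or from dynamoo, webroot or Malware Must Die, this Python script refangs such text, extracts the indicators, checks each IP against the three 5.135.67.x /28 ranges dynamoo suggests blocking, and groups C&C URLs by their first path segment, the same way the webroot post ties campaigns together through the shared "DPNilBA" token. The SAMPLE_LINES are constructed from indicators in the posts; the TLD set, the treatment of "[donotclick]" as a scheme-less http URL, and the function names are my assumptions.

```python
"""Refang and extract indicators from the defanged IOC lists quoted above.

Added example; SAMPLE_LINES are constructed from indicators in the posts, and the
TLD set and the '[donotclick]' convention are assumptions, not the bloggers' code.
"""
import ipaddress
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample input in the defanging style of the quoted posts.
SAMPLE_LINES = [
    "hxxp :// 195.191.22.90 :8080/DPNilBA/ue1elBAAAA/tlSHAAAAA/",
    "hxxp :// 37.122.209.102 :8080/DPNilBA/ue1elBAAAA/tlSHAAAAA/",
    "hxxp :// 173.201.177.77 /J9/vp//EGa+AAAAAA/2MB9vCAAAA/",
    "[donotclick]salam-tv .com/detects/visit_putts.php",
    "starsoftgroup .net - 175.121.229.209; 198.144.191.50 - Email: wondermitch @hotmail .com",
    "radarsky .biz hosted on 5.135.67.173 (OVH)",
    "MD5: 13d23f4c1eb1d4d3841e2de50b1948cc ... UDS:DangerousObject.Multi.Generic",
]

# The /28 ranges dynamoo suggests blocking in the radarsky .biz post.
BLOCK_CIDRS = ["5.135.67.160/28", "5.135.67.144/28", "5.135.67.192/28"]

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
URL_RE = re.compile(r"https?://[^\s'\"<>)\]]+")
MD5_RE = re.compile(r"\b[0-9a-fA-F]{32}\b")
EMAIL_RE = re.compile(r"[\w.+-]+@(?:[\w-]+\.)+[A-Za-z]{2,}")
# TLDs limited to those seen in the posts (assumption). The lookbehind keeps the
# domain half of an e-mail address (hotmail.com) out of the domain blocklist.
DOMAIN_RE = re.compile(
    r"(?<![@\w.-])((?:[A-Za-z0-9-]+\.)+(?:com|net|org|biz|eu|ru|info))\b", re.I
)


def refang(text: str) -> str:
    """Undo 'hxxp ://', 'host .tld', 'ip :port', '[donotclick]' and 'user @host' defanging."""
    text = re.sub(r"hxxp(s?)\s*://\s*", r"http\1://", text, flags=re.I)
    text = re.sub(r"\[donotclick\]\s*", "http://", text)           # assumption: treat as http URL
    text = re.sub(r"(?<=[A-Za-z0-9])\s+\.(?=[A-Za-z0-9])", ".", text)  # 'salam-tv .com'
    text = re.sub(r"(?<=[A-Za-z0-9])\s+:(?=\d{1,5}\b)", ":", text)     # '90 :8080'
    text = re.sub(r"(?<=[A-Za-z0-9])\s+/", "/", text)                   # '77 /J9'
    text = re.sub(r"\s*@\s*", "@", text)                                # 'user @host'
    return text


def extract_iocs(lines):
    """Return {type: set} of normalised indicators found in the given text lines."""
    found = defaultdict(set)
    for raw in lines:
        line = refang(raw)
        for ip in IPV4_RE.findall(line):
            try:
                found["ipv4"].add(str(ipaddress.IPv4Address(ip)))
            except ValueError:
                continue  # dotted quad that is not a valid address (e.g. 999.1.1.1)
        found["url"].update(URL_RE.findall(line))
        found["md5"].update(m.lower() for m in MD5_RE.findall(line))
        found["email"].update(EMAIL_RE.findall(line))
        found["domain"].update(d.lower() for d in DOMAIN_RE.findall(line))
    return dict(found)


def cidr_hits(ips, cidrs):
    """Map each IP that falls inside one of the blocked CIDRs to that CIDR."""
    nets = [ipaddress.ip_network(c, strict=False) for c in cidrs]
    hits = {}
    for ip in ips:
        addr = ipaddress.ip_address(ip)
        for net in nets:
            if addr in net:
                hits[ip] = str(net)
                break
    return hits


def campaign_groups(urls):
    """Group C&C URLs by their first path segment (the 'DPNilBA'-style token)."""
    groups = defaultdict(set)
    for url in urls:
        parts = urlsplit(url)
        token = parts.path.strip("/").split("/")[0] or "(root)"
        groups[token].add(parts.netloc)
    return {token: sorted(hosts) for token, hosts in groups.items()}


def blocklist(iocs, cidrs):
    """Flat sorted blocklist: the CIDRs, IPs not already covered by them, and domains."""
    hits = cidr_hits(iocs.get("ipv4", ()), cidrs)
    entries = set(cidrs)
    entries.update(ip for ip in iocs.get("ipv4", ()) if ip not in hits)
    entries.update(iocs.get("domain", ()))
    return sorted(entries)


if __name__ == "__main__":
    iocs = extract_iocs(SAMPLE_LINES)
    for kind, values in sorted(iocs.items()):
        print(kind, sorted(values))
    print("cidr hits:", cidr_hits(iocs["ipv4"], BLOCK_CIDRS))
    print("campaigns:", campaign_groups(iocs["url"]))
    print("blocklist:", blocklist(iocs, BLOCK_CIDRS))
```

Feed it the text of a post instead of SAMPLE_LINES and you get a deduplicated blocklist plus the path-token grouping; when two posts share a token such as DPNilBA, their hosts land in one group, which is the linkage the webroot analyst draws by hand.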


#876 AplusWebMaster

Posted 11 February 2013 - 04:21 AM

FYI...

Fake "Support Center" SPAM / phticker .com
- http://blog.dynamoo....htickercom.html
11 Feb 2013 - "Not malware this time, but this fake "Support Center" spam leads to a fake pharma site at phticker .com:
Date: Mon, 11 Feb 2013 06:13:52 -0700
From: "Brinda Wimberly" [noreply @mdsconsulting .be]
Subject: Support Center
Welcome to Help Support Center
Hello,
You have been successfully registered in our Ticketing System
Please, login and check status of your ticket, or report new ticket here
See All tickets
Go To Profile
This message was sent to [redacted]. Should you have any questions, or if you believe that you have received this in error please contact us at support center.


The site appears to be clean from a malware perspective and is hosted on 171.25.190.246 (Verus AS, Latvia) along with other fake pharma sites..."
___

Something evil on 46.163.79.209
- http://blog.dynamoo....4616379209.html
11 Feb 2013 - "The following sites are connected with some ADP-themed malware that has been doing the rounds for the past few days. As far as I can tell, they are some sort of download server for this malware, hosted on 46.163.79.209 (Host Europe, Germany); it all looks quite nasty.
social-neos .eu
cloud.social-neos .eu
quest.social-neos .eu
archiv.social-neos .eu
eyon-neos .eu
international.eyon-neos .eu
ns.eyon-neos .eu
euroherz.eyon-neos .eu
The domains look like they might be legitimate ones that have been hijacked, nonetheless blocking them would be an excellent move."
___

Fake Citi Group SPAM
- http://www.hotforsec...omers-5322.html
Feb 11, 2013 - "... it’s time Citi clients keep an eye open for e-mails that read “You have received a secure message” inviting them to read the message by opening the attachments securedoc .html...
> http://www.hotforsec...p-Customers.png
The emails include a link and an attachment. While the link is harmless, taking receivers to the legitimate Citi page, the attachment is a password stealer that opens a backdoor for remote attackers. Some instances appear to also download components of the BlackHole or ZeuS exploit kits. Untrained eyes could fall for this trick, since these e-mails are written in good English, with decent grammar and harmless-looking attachments. Of the countless ways of infecting a computer, spam delivering malware continues to pay off despite restless efforts of media and the security community. Infecting PCs via spam proves an efficient dissemination method, since users are still caught off-guard by malicious links or attachments such as this message addressed to Citi Group clients..."
___

Fake British Airways SPAM / epianokif .ru
- http://blog.dynamoo....pianokifru.html
11 Feb 2013 - "This fake British Airways spam leads to malware on epianokif .ru:
Date: Mon, 11 Feb 2013 11:30:39 +0330
From: JamesTieszen @[victimdomain .com]
Subject: British Airways E-ticket receipts
Attachments: E-Ticket-N234922XM .htm
e-ticket receipt
Booking reference: DZ87548418
Dear,
Thank you for booking with British Airways.
Ticket Type: e-ticket
This is your e-ticket receipt. Your ticket is held in our systems, you will not receive a paper ticket for your booking.
Your itinerary is attached (Internet Exlplorer/Mozilla Firefox file)
Yours sincerely,
British Airways Customer Services
British Airways may monitor email traffic data and also the content of emails, where permitted by law, for the purposes of security and staff training and in order to prevent or detect unauthorised use of the British Airways email system.
British Airways Plc is a public limited company registered in England and Wales. Registered number: 74665737. Registered office: Waterside, PO Box 365, Harmondsworth, West Drayton, Middlesex, England, UB7 0GB.
How to contact us
Although we are unable to respond to individual replies to this email we have a comprehensive section that may help you if you have a question about your booking or travelling with British Airways.
If you require further assistance you may contact us
If you have received this email in error
This is a confidential email intended only for the British Airways Customer appearing as the addressee. If you are not the intended recipient please delete this email and inform the snder as soon as possible. Please note that any copying, distribution or other action taken or omitted to be taken in reliance upon it is prohibited and may be unlawful.


The malicious payload is at [donotclick]epianokif .ru:8080/forum/links/column.php (report here) hosted on:
82.148.98.36 (Qatar Telecom, Qatar)
195.210.47.208 (PS Internet Company, Kazakhstan)
202.72.245.146 (Railcom, Mongolia) ..."
___

Fake NACHA SPAM / albaperu .net
- http://blog.dynamoo....lbaperunet.html
11 Feb 2013 - "This fake NACHA spam leads to malware on albaperu .net:
Date: Mon, 11 Feb 2013 11:39:03 -0500 [11:39:03 EST]
From: ACH Network [reproachedwp41 @direct.nacha .org]
Subject: ACH Transfer canceled
Aborted transfer
The ACH process (ID: 838907191379), recently initiated from your checking account (by one of your account members), was reversed by the other financial institution.
Transaction ID: 838907191379
Reason of Cancellation See detailed information in the despatch below
Transaction Detailed Report RP838907191379.doc (Microsoft Word Document)
13150 Sunrise Drive, Suite 100 Herndon, VA 20172 (703) 561-1600
2013 NACHA - The Electronic Payments Association


The malicious payload is at [donotclick]albaperu .net/detects/case_offices.php (report here) hosted on:
175.121.229.209 (Hanaro Telecom, Korea)
198.144.191.50 (Chicago VPS, US)..."
___

Something evil on 46.165.206.16
- http://blog.dynamoo....4616520616.html
11 Feb 2013 - "This is a little group of fake analytics sites containing malware (for example*), hosted on 46.165.206.16 (Leaseweb, Germany**). Sites listed in -red- have already been tagged by Google Safe Browsing diagnostics, presumably the others have stayed below the radar.
adstat150 .com
cexstat20 .com
katestat77 .us
kmstat505 .us
kmstat515 .us
kmstat530 .com
lmstat450 .com
mptraf11 .info
mptraf2 .info
mxstat205 .us
mxstat570 .com
mxstat740 .com
mxstat760 .com
rxtraf25 .ru
rxtraf26 .ru
skeltds .us
vmstat100 .com
vmstat120 .com
vmstat140 .com
vmstat210 .com
vmstat230 .com
vmstat320 .com ..."
* http://urlquery.net/...t.php?id=738388

Diagnostic page for AS16265 (LEASEWEB)
** https://www.google.c...c?site=AS:16265
"... over the past 90 days, 3350 site(s)... served content that resulted in malicious software being downloaded and installed without user consent. The last time Google tested a site on this network was on 2013-02-12, and the last time suspicious content was found was on 2013-02-12... we found 1006 site(s) on this network... that appeared to function as intermediaries for the infection of 3958 other site(s)... We found 1567 site(s)... that infected 6879 other site(s)..."

:ph34r: <_<

Edited by AplusWebMaster, 12 February 2013 - 06:23 AM.



#877 AplusWebMaster

Posted 12 February 2013 - 03:12 PM

FYI...

Fake IRS SPAM / micropowerboating .net
- http://blog.dynamoo....emaianemru.html
12 Feb 2013 - "This fake IRS spam leads to malware on micropowerboating .net:
Date: Tue, 12 Feb 2013 22:06:55 +0800
From: Internal Revenue Service [damonfq43 @taxes.irs .gov]
Subject: Income Tax Refund TURNED DOWN
Hereby we have to note that Your State Tax Refund Appeal ({ID: 796839212518), recently has been RETURNED. If you believe that IRS did not properly estimate your case due to misunderstanding of the fact(s), be prepared to serve additional information. You can obtain refusal to accept details and re-submit your appeal by browsing a link below.
Please enter official website for information
Internal Revemue Service
Internal Revenue Services United States, Department of Treasury
9611 Tellus. Av.
Hours of Operation: Monday-Friday, 11:30AM - 16:30PM your local time.
===
Date: Tue, 12 Feb 2013 15:00:35 +0100
From: Internal Revenue Service [zirconiumiag0 @irs .gov]
Subject: Income Tax Refund NOT ACCEPTED
Hereby we hav to inform that Your Income Tax Refund Appeal ({ID: 46303803645929), recently has been CANCELED. If you believe that IRS did not properly estimate your case due to misapprehension of the fact(s), be prepared to equip additional information. You can obtain non-acceptance details and re-submit your appeal by browsing a link below.
Please browse official site for more information
Internal Revemue Service
Internal Revenue Services United States, Department of Treasury
3192 Aliquam Rd.
Hours of Operation: Monday-Friday, 11:30AM - 16:30PM your local time.
===
Date: Tue, 12 Feb 2013 15:13:37 +0100 [09:13:37 EST]
From: Internal Revenue Service [idealizesmtz @informer.irs .gov]
Subject: Income Tax Refund TURNED DOWN
Hereby You notified that Your Income Tax Outstanding transaction Appeal (No: 8984589927661), recently was CANCELED. If you believe that IRS did not properly estimate your case due to misapprehension of the fact(s), be prepared to deliver additional information. You can obtain refusal of acceptance details and re-submit your appeal by using a link below.
Please enter official site for information
Internal Revemue Service
Internal Revenue Services United States, Department of Treasury
P.O. Box 265
Hours of Operation: Monday-Friday, 11:30AM - 16:30PM your local time.


The malicious payload is on [donotclick]micropowerboating .net/detects/pending_details.php (report here) hosted on:
175.121.229.209 (Hanaro Telecom, Korea)
198.144.191.50 (Chicago VPS, US)
The following IPs and domains should be blocked:
175.121.229.209
198.144.191.50

micropowerboating .net
morepowetradersta .com
asistyapipressta .com
uminteraktifcozumler .com
rebelldagsanet .com
madcambodia .net
acctnmrxm .net
capeinn .net
albaperu .net
live-satellite-view .net ..."
___

Fake Changelog SPAM / emaianem .ru
- http://blog.dynamoo....emaianemru.html
12 Feb 2013 - "This changelog spam leads to malware on emaianem .ru:
Date: Tue, 12 Feb 2013 09:11:11 +0200
From: LinkedIn Password [password@linkedin.com]
Subject: Re: Changlog 10.2011
Good day,
changelog update - View
L. KIRKLAND
===
Date: Tue, 12 Feb 2013 05:14:54 -0600
From: LinkedIn [welcome @linkedin .com]
Subject: Fwd: Re: Changelog as promised(updated)
Good morning,
as prmised updated changelog - View
L. AGUILAR


The malicious payload is at [donotclick]emaianem .ru:8080/forum/links/column.php and is hosted on the same servers as found here*."
* http://blog.dynamoo....tipaindoru.html
46.175.224.21 (Maxnet Lukasz Hamerski, Poland)
91.121.57.231 (OVH, France)
202.72.245.146 (Railcom, Mongolia)
___

Something evil on 192.81.129.219
- http://blog.dynamoo....9281129219.html
12 Feb 2013 - "It looks like there's a nasty case of the Blackhole Exploit kit on 192.81.129.219 (see example*). The IP is controlled by Linode in the US who have been a bit quiet recently... active domains that I can identify on this IP..."
(Long list at the dynamoo URL above.)
* http://urlquery.net/...t.php?id=986474

:ph34r: <_<

Edited by AplusWebMaster, 12 February 2013 - 05:10 PM.

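Added example, not from the original posts or from the dynamoo blog, covering the blocking advice in this post and the previous one: the social-neos/eyon-neos domains, the "should be blocked" IP and domain lists, and the two landing-page shapes that keep reappearing (host:8080/forum/links/column.php and host/detects/<words>.php). It runs a constructed proxy log through those indicators. The log format is invented for the example; the indicator sets are the values quoted in the posts and are not a complete list.

```python
"""Match proxy-log traffic against the indicators quoted in the posts.

Added example, not code from the original posts or from dynamoo.com. The
indicator values (domains, IPs, URL shapes) are copied from the posts; the
log format and the log lines are constructed for the example.
"""
import re
from typing import Optional
from urllib.parse import urlsplit

# Domains named in the posts. A hit on a parent domain also covers its
# subdomains (quest.social-neos.eu, international.eyon-neos.eu, ...).
IOC_DOMAINS = {
    "social-neos.eu", "eyon-neos.eu", "albaperu.net", "micropowerboating.net",
    "thedigidares.net", "madcambodia.net", "capeinn.net", "azsocseclawyer.net",
}
IOC_IPS = {"202.72.245.146", "175.121.229.209", "198.144.191.50",
           "91.121.57.231", "195.210.47.208", "46.163.79.209"}

# URL structures repeated across the campaigns: the landing page on port 8080
# under /forum/links/, and the /detects/<words>.php variant.
URL_PATTERNS = [
    ("blackhole-8080-forum-links", re.compile(r":8080/forum/links/[\w-]+\.php$")),
    ("blackhole-detects", re.compile(r"/detects/[\w-]+\.php$")),
]

# Constructed log format: "<timestamp> <client-ip> <method> <url> <status>"
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def host_matches(host: str) -> Optional[str]:
    """Return the matching indicator if host is an IOC IP, domain or subdomain."""
    if host in IOC_IPS:
        return host
    labels = host.lower().split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in IOC_DOMAINS:
            return candidate
    return None


def check_url(url: str) -> list:
    """Reasons a single URL looks like part of these campaigns (empty = clean)."""
    reasons = []
    parts = urlsplit(url)
    host = parts.hostname or ""
    ioc = host_matches(host)
    if ioc:
        reasons.append(f"ioc-host:{ioc}")
    # Re-assemble host[:port]/path so the port is visible to the patterns
    netloc_path = f"{host}:{parts.port}{parts.path}" if parts.port else f"{host}{parts.path}"
    for name, pat in URL_PATTERNS:
        if pat.search(netloc_path):
            reasons.append(f"url-pattern:{name}")
    return reasons


def scan_log(lines) -> list:
    """Return (client, url, reasons) for every log line that trips an indicator."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        _ts, client, _method, url, _status = m.groups()
        reasons = check_url(url)
        if reasons:
            hits.append((client, url, reasons))
    return hits


# Constructed sample log: four campaign-related requests, two benign ones.
SAMPLE_LOG = """\
2013-02-12T09:11:40Z 10.0.0.15 GET http://emaianem.ru:8080/forum/links/column.php 200
2013-02-12T09:11:41Z 10.0.0.15 GET http://quest.social-neos.eu/ 200
2013-02-12T09:12:02Z 10.0.0.23 GET http://www.example.com/forum/links/ 200
2013-02-12T09:12:30Z 10.0.0.23 GET http://albaperu.net/detects/case_offices.php 200
2013-02-12T09:13:00Z 10.0.0.31 GET http://202.72.245.146:8080/forum/links/public_version.php 200
2013-02-12T09:13:05Z 10.0.0.31 GET https://www.example.org/index.html 200
""".splitlines()

if __name__ == "__main__":
    for client, url, reasons in scan_log(SAMPLE_LOG):
        print(f"{client}  {url}  [{', '.join(reasons)}]")
```

The URL-shape patterns are the part that keeps working after the domains rotate: the first log line hits on emaianem.ru, which is not in the indicator list at all, purely because of the :8080/forum/links/<name>.php structure. Treat such a hit as a strong lead rather than proof, and treat a hit on one of the listed IPs as a reason to check that client for the dropped Zbot.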


#878 AplusWebMaster

Posted 13 February 2013 - 08:54 AM

FYI...

Fake NACHA SPAM / thedigidares .net
- http://blog.dynamoo....gidaresnet.html
13 Feb 2013 - "This fake NACHA spam leads to malware on thedigidares .net:
Date: Wed, 13 Feb 2013 12:10:27 +0000
From: " NACHA" [limbon@direct .nacha .org]
Subject: Aborted transfer
Canceled transaction
The ACH process (ID: 648919687408), recently sent from your bank account (by you), was canceled by the other financial institution.
Transaction ID: 648919687408
Cancellation Reason Review additional info in the statement below
Transaction Detailed Report Report_648919687408.xls (Microsoft/Open Office Word Document)
13150 Sunrise Street, Suite 100 Herndon, VA 20174 (703) 561-1200
2013 NACHA - The Electronic Payments Association


The malicious payload is at [donotclick]thedigidares .net/detects/irritating-crashed-registers.php (report here*) hosted on:
134.74.14.98 (City College of New York, US)
175.121.229.209 (Hanaro Telecom, Korea)
The following IPs and domains are linked and should be blocked:
134.74.14.98
175.121.229.209

albaperu .net
capeinn .net
thedigidares .net
madcambodia .net
micropowerboating .net
dressaytam .net
acctnmrxm .net
live-satellite-view .net "
* http://urlquery.net/...t.php?id=993904
BlackHole v2.0 exploit kit
___

Fake NACHA SPAM / eminakotpr .ru
- http://blog.dynamoo....inakotprru.html
13 Feb 2013 - "More fake NACHA spam, this time leading to malware on eminakotpr .ru:
Date: Wed, 13 Feb 2013 05:24:26 +0530
From: "ACH Network" [risk-management@nacha.org]
Subject: Re: Fwd: ACH Transfer rejected
The ACH transaction, initiated from your checking acc., was canceled.
Canceled transfer:
Transfer ID: FE-65426265630US
Transaction Report: View
August BLUE
NACHA - The National Automated Clearing House Association


The malicious payload is at [donotclick]eminakotpr .ru:8080/forum/links/column.php hosted on:
46.175.224.21 (MAXNET Lukasz Hamerski, Poland)
91.121.57.231 (OVH, France)
202.72.245.146 (Railcom, Mongolia)..."
___

Malware sites to block 13/2/13
- http://blog.dynamoo....lock-13213.html
13 Feb 2013 - "These malicious sites appear to be part of a Waledac botnet. I haven't had much time to analyse what exactly is going on, but here is one example from [donotclick]merwiqca .ru/nothing.exe: URLquery, VirusTotal*, Comodo CAMAS, ThreatExpert**.
I'm still working on IP addresses (there are a LOT), but these are the domains that I have managed to identify.."
(Long list [mostly *.ru] at the dynamoo URL above.)
* https://www.virustot...sis/1360769367/
File name: khgkg01.exe
Detection ratio: 8/43
Analysis date: 2013-02-13
Behavioural information
TCP connections...
85.121.3.1:80
76.169.151.26:80
195.228.43.24:80
46.162.243.26:80
** http://www.threatexp...0988293dffbdc9a
192.5.5.241
___

- http://tools.cisco.c...r...&sortType=d
Fake CashPro Online Digital Certificate Notification E-mail Messages - February 13, 2013
Fake Failed Package Delivery Notification E-mail Messages - February 13, 2013
Fake Message Receipt Notification E-mail Messages - February 13, 2013
Fake Western Union Money Transfer Transaction E-Mail Messages - February 13, 2013
Fake Payment Request E-mail Messages - February 13, 2013
Fake Voicemail Message Notification E-mail Messages - February 13, 2013
Fake Turkish Airline Ticket Booking Confirmation E-mail Messages - February 13, 2013
Fake Antiphishing Notification E-mail Messages - February 13, 2013
Fake Bank Transfer Confirmation Notification E-mail Messages - February 13, 2013
Fake Product Order Change Notification E-mail Messages - February 13, 2013
Fake Italian Policy Change Notification E-mail Messages - February 13, 2013
Fake United Parcel Service Shipment Error E-mail Messages - February 13, 2013
(Links and more info available at the cisco URL above.)
___

Fake Bank "Secure Email Notification" SPAM
- http://blog.dynamoo....cure-email.html
13 Feb 2013 - "It looks a bit like a phish, but this "First Foundation Bank Secure Email Notification" spam has a ZIP file that leads to malware:
Date: Wed, 13 Feb 2013 20:08:46 +0200 [13:08:46 EST]
From: FF-inc Secure Notification [secure.notification @ff-inc .com]
Subject: First Foundation Bank Secure Email Notification - 94JIMEEQ
You have received a secure message
Read your secure message by opening the attachment, secure_mail_94JIMEEQ. You will be prompted to open (view) the file or save (download) it to your computer. For best results, save the file first, then open it in a Web browser. To access from a mobile device, forward this message to mobile@res.ff-inc.com to receive a mobile login URL.
If you have concerns about the validity of this message, please contact the sender directly. For questions about secure e-mail encryption service, please contact technical support at 888.795.7643.
2000-2013 First Foundation Inc. All rights reserved.


Attached is a file called secure_mail_94JIMEEQ.zip which expands into.. well, nothing good.. a file called secure_mail_{_Case_DIG}.exe with an icon that is meant to disguise it as an Acrobat file. VirusTotal detection rates* are just 15/45 and the malware is resistant to analysis. Incidentally, emailing mobile @res.ff-inc .com just generates a failure message. Avoid."
* https://www.virustot...sis/1360795797/
File name: secure_mail_{_Case_DIG}.exe
Detection ratio: 15/45
Analysis date: 2013-02-13

:ph34r: <_<

Edited by AplusWebMaster, 13 February 2013 - 05:43 PM.



#879 AplusWebMaster

Posted 14 February 2013 - 06:35 AM

FYI...

Something evil on 92.63.105.23
- http://blog.dynamoo....-926310523.html
14 Feb 2013 - "Looks like a nasty infestation of Blackhole is lurking on 92.63.105.23 (TheFirst-RU, Russia*) - see an example of the nastiness here** (this link is safe to click!). The following domains are present on this address, although there are probably more..."
(Long list at the dynamoo URL above.)
** http://urlquery.net/...t.php?id=995495
... Blackholev2 url structure detected

* https://www.google.c...c?site=AS:29182
"... over the past 90 days, 606 site(s)... served content that resulted in malicious software being downloaded and installed without user consent. The last time Google tested a site on this network was on 2013-02-14, and the last time suspicious content was found was on 2013-02-14... we found 182 site(s) on this network... that appeared to function as intermediaries for the infection of 652 other site(s)... We found 655 site(s)... that infected 4547 other site(s)..."
___

Top 10 Valentine’s Day Scams...
- http://www.hotforsec...perts-5357.html
Feb 14, 2013 - "... advises users to stay away from fake limousine offers and online ‘heart experts’ who claim to heal troubled relationships. This type of scam spreads through spam and redirects users to phishing, fraud and malware-infected websites... The bait that tricks men these days includes fake chocolate offers, diamond-like rings, perfumes, personalized gifts, heart-shaped jewelry and replica watches... A fast spreading scam tricks victims to download Valentine’s Day wallpapers which redirect to fraudulent websites. Users are told they won an iPhone 5 and asked for personal details. In the name of Cupid, similar scams circulate on Facebook, too. Valentine’s Day games and Android apps downloaded from unofficial marketplaces such as free love calculators may install adware and malware. Britons should be especially careful with flower offers. Valentine’s Day is not only the busiest day of the year for UK florists, but also for fake ‘flower’ scammers..."
> http://www.hotforsec...t-experts-1.jpg
___

Malicious URL hits related to “valentine” from January to Feb. 14
> http://blog.trendmic...s-URLs-2013.png

Malware detections related to “valentine” from January to Feb. 14
> http://blog.trendmic...ntines-2013.png
___

Fake 'Facebook blocked' emails serve client-side exploits and malware
- http://blog.webroot....ts-and-malware/
14 Feb 2013 - "Cybercriminals are currently spamvertising two separate campaigns, impersonating Facebook Inc., in an attempt to trick its users into thinking that their Facebook account has been disabled. What these two campaigns have in common is the fact that the client-side exploits serving domains are both parked on the same IP. Once users click on -any- of the links found in the malicious emails, they’re exposed to the client-side exploits served by the Black Hole Exploit Kit...
Sample screenshot of the spamvertised campaign:
> https://webrootblog....exploit_kit.png
... Malicious domain names reconnaissance:
gonita .net – 222.238.109.66 – Email: lockwr @rocketmail .com
able-stock .net – 222.238.109.66
capeinn .net – 222.238.109.66; 198.144.191.50 – Email: softonlines @yahoo .com
Name servers used in the campaign:
Name Server: NS1.HTTP-PAGE .NET
Name Server: NS2.HTTP-PAGE .NET
We’ve already seen the same name servers used in... malicious campaigns...
Responding to 222.238.109.66 are... malicious/fraudulent domains...
Responding to 198.144.191.50 are... malicious domains...
We’ve already seen the same pseudo-random C&C communication characters (EGa+AAAAAA), as well as the same C&C server (173.201.177.77) in... previously profiled campaigns..."
(More detail at the webroot URL above.)
___

Fake HP ScanJet SPAM / eipuonam .ru
- http://blog.dynamoo....eipuonamru.html
14 Feb 2013 - "This fake printer spam leads to malware on eipuonam .ru:
Date: Thu, 14 Feb 2013 -02:00:50 -0800
From: "Xanga" [noreply@xanga.com]
Subject: Fwd: Scan from a HP ScanJet #72551
Attachments: HP_Document.htm
Attached document was scanned and sent
to you using a HP A-39329P.
SENT BY : Ingrid
PAGES : 0
FILETYPE: .HTML [INTERNET EXPLORER/MOZILLA FIREFOX]


The attachment HP_Document.htm contains a script that attempts to direct visitors to [donotclick]eipuonam .ru:8080/forum/links/column.php (report here*) hosted on:
91.121.57.231 (OVH, France)
195.210.47.208 (PS Internet, Kazakhstan)
202.72.245.146 (Railcom, Mongolia)..."
(More detail at the dynamoo URL above.)
* http://urlquery.net/....php?id=1000763
... Detected suspicious URL pattern
___

Fake "Copies of policies" SPAM / ewinhdutik .ru
- http://blog.dynamoo....inhdutikru.html
14 Feb 2013 - "This spam leads to malware on ewinhdutik .ru:
Date: Thu, 14 Feb 2013 07:16:28 -0500
From: "Korbin BERG" [ConnorAlmeida @telia .com]
Subject: RE: Korbin - Copies of Policies.
Unfortunately, I cannot obtain electronic copies of the Ocean, Warehouse or EPLI policy.
Here is the Package and Umbrella,
and a copy of the most recent schedule.
Korbin BERG,
===
Date: Thu, 14 Feb 2013 03:30:52 +0530
From: Tagged [Tagged @taggedmail .com]
Subject: RE: KESHIA - Copies of Policies.
Unfortunately, I cannot obtain electronic copies of the Ocean, Warehouse or EPLI policy.
Here is the Package and Umbrella,
and a copy of the most recent schedule.
KESHIA LEVINE,


The malicious payload is at [donotclick]ewinhdutik .ru:8080/forum/links/column.php (report here*) hosted on the same IP addresses as this attack we saw earlier:
- http://blog.dynamoo....eipuonamru.html
91.121.57.231 (OVH, France)
195.210.47.208 (PS Internet, Kazakhstan)
202.72.245.146 (Railcom, Mongolia)"
* http://urlquery.net/....php?id=1001864
... AS48716** Kazakhstan... suspicious URL pattern
** https://www.google.c...c?site=AS:48716
___

Fake HP ScanJet SPAM / 202.72.245.146
- http://blog.dynamoo....0272245146.html
14 Feb 2013 - "This fake printer spam leads to malware on 202.72.245.146:
Date: Thu, 14 Feb 2013 10:10:56 +0000
From: AntonioShapard @hotmail .com
Subject: Fwd: Re: Scan from a Hewlett-Packard ScanJet #6293
Attachments: HP_Document.htm
Attached document was scanned and sent
to you using a HP A-32347P.
SENT BY : TRISH
PAGES : 3
FILETYPE: .HTML [INTERNET EXPLORER/MOZILLA FIREFOX]
===
Date: Thu, 14 Feb 2013 06:07:00 -0800
From: LinkedIn Password [password @linkedin .com]
Subject: Fwd: Scan from a Hewlett-Packard ScanJet 83097855
Attachments: HP_Document.htm
Attached document was scanned and sent
to you using a HP A-775861P.
SENT BY : CARLINE
PAGES : 4
FILETYPE: .HTML [INTERNET EXPLORER/MOZILLA FIREFOX]


The malicious payload is on [donotclick]202.72.245.146 :8080/forum/links/column.php which is a familiar IP address belonging to Railcom in Mongolia. The following malicious websites are also active on the same server..."
(Long list at the dynamoo URL above.)
___

Fake Intuit SPAM / epionkalom .ru
- http://blog.dynamoo....ionkalomru.html
14 Feb 2013 - "This fake Intuit spam leads to malware on epionkalom .ru:
Date: Thu, 14 Feb 2013 09:05:48 -0500
From: "Classmates . com" [classmatesemail @accounts.classmates .com]
Subject: Payroll Account Holded by Intuit
Direct Deposit Service Informer
Communicatory Only
We cancelled your payroll on Thu, 14 Feb 2013 09:05:48 -0500.
Finances would be gone away from below account # ending in 2317 on Thu, 14 Feb 2013 09:05:48 -0500
amount to be seceded: 2246 USD
Paychecks would be procrastinated to your personnel accounts on: Thu, 14 Feb 2013 09:05:48 -0500
Log In to Review Operation
Funds are typically left before working banking hours so please make sure you have enough Finances accessible by 12 a.m. on the date Cash are to be seceded.
Intuit must reject your payroll by 4 p.m. Central time, two banking days before your paycheck date or your state would not be paid on time.
QuickBooks does not process payrolls on weekends or federal banking holidays. A list of federal banking holidays can be viewed at the Federal Reserve website.
Thank you for your business.
Regards,
Intuit Payroll Services


The malicious payload is at [donotclick]epionkalom .ru:8080/forum/links/column.php hosted on a bunch of IP addresses that we have seen many, many times before:
91.121.57.231 (OVH, France)
195.210.47.208 (PS Internet, Kazakhstan)
202.72.245.146 (Railcom, Mongolia) ..."
___

Fake 'TurboTax State Return Rejected' SPAM
- http://security.intu.../alert.php?a=72
2/14/13 - "People are receiving fake emails with the title 'TurboTax State Return Rejected'. Below is a copy of the email people are receiving. The email does not contain a link; however, the email has a .zip attachment that contains malware. Do not open the .zip file.
> http://security.intu...rbotaxstate.jpg
This is the end of the fake email..."

:ph34r: :ph34r: <_<

Edited by AplusWebMaster, 14 February 2013 - 08:03 PM.



#880 AplusWebMaster

Posted 15 February 2013 - 05:31 AM

FYI...

Fake IRS emails lead to BlackHole Exploit Kit
- http://blog.webroot....le-exploit-kit/
Feb 15, 2013 - "It's tax season and cybercriminals are mass mailing tens of thousands of IRS (Internal Revenue Service) themed emails in an attempt to trick users into thinking that their income tax refund has been “turned down”. Once users click on any of the links found in the malicious emails, they’re automatically exposed to the client-side exploits served by the Black Hole Exploit Kit...
Sample screenshot of the spamvertised email:
> https://webrootblog....exploit_kit.png
... Malicious domain name reconnaissance:
micropowerboating .net – 175.121.229.209; 198.144.191.50 – Email: dooronemars @aol .com
Name Server: NS1.POOPHANAM .NET – 31.170.106.17
Name Server: NS2.POOPHANAM .NET – 65.135.199.21
The following malicious domains also respond to the same IPs (175.121.229.209; 198.144.191.50) and are part of the campaign’s infrastructure...
Although the initial client-side exploits serving domain used in the campaign (micropowerboating .net) was down when we attempted to reproduce its malicious payload, we managed to reproduce the malicious payload for a different domain parked at the same IP (175.121.229.209), namely, madcambodia .net.
Detection rate for the dropped malware:
madcambodia .net – 175.121.229.209 – MD5: * ... Trojan-Spy.Win32.Zbot.ivkf.
Once executed, the sample also phones back to the following C&C (command and control) servers: 94.68.61.135 :14511, 99.76.3.38 :11350
We also got another MD5 phoning back to the same IP..."
(More detail at the webroot URL above.)
* https://www.virustot...19a70/analysis/
File name: 2da28ae0df7a90ce89c7c43878927a9f
Detection ratio: 23/45
Analysis date: 2013-02-10
___

Malware sites to block 15/2/13
- http://blog.dynamoo....lock-15313.html
15 Feb 2013 - "A set of malware sites.. or I think two sets of malware sites that you might want to block. The .ru domains are connected with this botnet, a second set of sites seem to be something else malicious. Both groups of sites are connected by a server at 142.0.45.27 (Volumedrive, US**) which may be a C&C server. Interested parties might want to poke at the server a bit.. As a bonus, these are the IPs* that I can find connected with the .ru botnet that I have collected over the past few days. Some of them are dynamic, but it might be a starting point if anyone wants to poke at that botnet a bit more..."
* http://www.dynamoo.c...tnet-feb-13.txt

** https://www.google.c...c?site=AS:46664
___

Fake IRS SPAM / azsocseclawyer .net
- http://blog.dynamoo....clawyernet.html
15 Feb 2013 - "This fake IRS spam (from an office on "Cum Avenue"!) actually leads to malware on azsocseclawyer .net:
Date: Fri, 15 Feb 2013 09:47:25 -0500
From: Internal Revenue Service [ahabfya196 @etax.irs .gov]
Subject: pecuniary penalty for delay of tax return filling
Herewith we are informing you that you are required to pay a surcharge for not filling the income tax return prior to January 31.
Please note that IRS Section 7117-F-8 specifies a money penalty of $2.000 for each Form 479 that is filled later than deadline for filling the income tax return or does not contain the exhaustive information described in 7117-F-8.
You will be released from the pecuniary penalty when the taxpayer shows that the failure to file was caused by substantial reason.
Please visit official website for more information
Internal Revenue Services United States, Department of Treasury
Ap #822-9450 Cum Avenue
Hours of Operation: Monday-Friday, 11:30AM - 16:30PM your local time.


The malicious payload is at [donotclick]azsocseclawyer .net/detects/necessary_documenting_broadcasts-sensitive.php (report here*) hosted on:
77.241.192.47 (VPSNET, Lithuania)
175.121.229.209 (Hanaro Telecom, Korea)..."
* http://urlquery.net/....php?id=1009373
... BlackHole v2.0 exploit kit
___

Fake Wire transfer SPAM / 202.72.245.146
- http://blog.dynamoo....0272245146.html
15 Feb 2013 - "This fake wire transfer spam leads to malware on 202.72.245.146:
Date: Fri, 15 Feb 2013 07:24:40 -0500
From: Tasha Rosenthal via LinkedIn [member@linkedin.com]
Subject: RE: Wire transfer cancelled
Good day,
Wire Transfer was canceled by the other bank.
Canceled transaction:
FED NR: 94813904RE5666838
Transfer Report: View
The Federal Reserve Wire Network


The malicious payload is on [donotclick]202.72.245.146 :8080/forum/links/public_version.php (Railcom, Mongolia) (report here) which is a well-known malicious IP that you should definitely block if you can.
Update: there is also a "Scan from a HP ScanJet #841548" spam for the same IP, sending victims to [donotclick]202.72.245.146 :8080/forum/links/column.php..."

:ph34r: :ph34r: <_<

Edited by AplusWebMaster, 15 February 2013 - 11:22 AM.

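Added example (not code from webroot.com, dynamoo.com or the original posts) for the "domains that also respond to the same IPs" pivoting used in the Webroot write-up above and in the "linked and should be blocked" lists of posts #877 and #878. The domain, hosting-IP and name-server observations quoted in those posts are transcribed into a small table and clustered by shared infrastructure using a union-find over a domain/IP/name-server graph. Which domains land together is only what the quoted data supports; the code does no lookups of its own.

```python
"""Cluster the domains named in the posts by the infrastructure they share.

Added example, not code from the original posts or the cited blogs. The
domain -> IP and domain -> name-server observations are transcribed from the
posts (#877, #878, #879 and the Webroot write-ups); clustering them as
connected components of a domain/IP/NS graph is this example's own approach.
"""
from collections import defaultdict

# (domain, [hosting IPs], [name servers]); empty lists where the posts gave none.
OBSERVATIONS = [
    ("micropowerboating.net", ["175.121.229.209", "198.144.191.50"],
     ["ns1.poophanam.net", "ns2.poophanam.net"]),
    ("albaperu.net", ["175.121.229.209", "198.144.191.50"], []),
    ("thedigidares.net", ["134.74.14.98", "175.121.229.209"], []),
    ("madcambodia.net", ["175.121.229.209"], []),
    ("azsocseclawyer.net", ["77.241.192.47", "175.121.229.209"], []),
    ("capeinn.net", ["222.238.109.66", "198.144.191.50"],
     ["ns1.http-page.net", "ns2.http-page.net"]),
    ("gonita.net", ["222.238.109.66"], ["ns1.http-page.net", "ns2.http-page.net"]),
    ("able-stock.net", ["222.238.109.66"], []),
    ("epianokif.ru", ["82.148.98.36", "195.210.47.208", "202.72.245.146"], []),
    ("emaianem.ru", ["46.175.224.21", "91.121.57.231", "202.72.245.146"], []),
    ("eminakotpr.ru", ["46.175.224.21", "91.121.57.231", "202.72.245.146"], []),
    ("eipuonam.ru", ["91.121.57.231", "195.210.47.208", "202.72.245.146"], []),
    ("ewinhdutik.ru", ["91.121.57.231", "195.210.47.208", "202.72.245.146"], []),
    ("epionkalom.ru", ["91.121.57.231", "195.210.47.208", "202.72.245.146"], []),
    ("social-neos.eu", ["46.163.79.209"], []),
    ("eyon-neos.eu", ["46.163.79.209"], []),
]


class DisjointSet:
    """Minimal union-find; nodes are strings like 'd:albaperu.net' or 'ip:1.2.3.4'."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def build_clusters(observations, use_nameservers=True):
    """Group domains reachable from each other through shared IPs (and NS if enabled).

    Returns clusters as dicts with sorted 'domains' and the 'pivots' (IPs and
    name servers) that glue them together, largest cluster first.
    """
    ds = DisjointSet()
    for domain, ips, nss in observations:
        d = f"d:{domain}"
        ds.find(d)  # make sure an isolated domain still appears as its own cluster
        for ip in ips:
            ds.union(d, f"ip:{ip}")
        if use_nameservers:
            for ns in nss:
                ds.union(d, f"ns:{ns.lower()}")
    groups = defaultdict(lambda: {"domains": set(), "pivots": set()})
    for node in list(ds.parent):
        kind, value = node.split(":", 1)
        groups[ds.find(node)]["domains" if kind == "d" else "pivots"].add(value)
    clusters = [{"domains": sorted(g["domains"]), "pivots": sorted(g["pivots"])}
                for g in groups.values()]
    return sorted(clusters, key=lambda c: (-len(c["domains"]), c["domains"]))


def shared_with(domain, observations):
    """Domains that share at least one hosting IP with `domain` (a one-hop pivot)."""
    by_ip = defaultdict(set)
    for d, ips, _ in observations:
        for ip in ips:
            by_ip[ip].add(d)
    mine = next((ips for d, ips, _ in observations if d == domain), [])
    return sorted(set().union(*(by_ip[ip] for ip in mine)) - {domain})


if __name__ == "__main__":
    for i, c in enumerate(build_clusters(OBSERVATIONS), 1):
        print(f"cluster {i}: {len(c['domains'])} domains via {', '.join(c['pivots'])}")
        print("    " + ", ".join(c["domains"]))
```

On the quoted data this yields three groups: the .net set behind 175.121.229.209 / 198.144.191.50 / 222.238.109.66 (the Blackhole landing pages with /detects/ paths, which the Facebook campaign's capeinn.net joins through 198.144.191.50), the .ru set behind 202.72.245.146 and friends (the :8080/forum/links/column.php pages), and the social-neos/eyon-neos pair on 46.163.79.209. Shared hosting is evidence of a shared operator, not proof: a busy shared VPS will pull unrelated sites into a cluster, which is why the name-server pivot can be switched off and why the dynamoo posts keep saying "may be legitimate hacked domains".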



#881 AplusWebMaster

Posted 18 February 2013 - 06:00 AM

FYI...

Facebook Wall posts malware propagations ...
- http://blog.webroot....ook-wall-posts/
Feb 18, 2013 - "We’ve recently intercepted a localized — to Bulgarian — malware campaign, that’s propagating through Facebook Wall posts. Basically, a malware-infected user would unknowingly post a link+enticing message, in this case “Check it out!“, on their friend’s Walls, in an attempt to abuse their trusted relationship and provoke them to click on the malicious link. Once users click on the link, they’re exposed to the malicious software...
Sample screenshot of the propagation in action:
> https://webrootblog....lware_links.png
Sample spamvertised URL appearing on Facebook users’ Walls:
hxxp ://0845 .com/fk7u
Sample redirection chain:
hxxp ://0845 .com/fk7u -> hxxp ://connectiveinnovations .com/mandolin.html?excavator=kmlumm -> hxxp ://91.218.38.245 /imagedl11.php
Sample detection rates for the malicious executables participating in the campaign:
hxxp ://91.218.38.245 /imagedl11.php – MD5: 1ad434025cd1fb681597db80447290e4 * ... Backdoor:Win32/Tofsee.F ...
Responding to this IP (91.218.38.245, AS197145 Infium Ltd.) are also... malicious/fraudulent domains...
More MD5s are known to have phoned back to 91.218.38.245:
MD5: 20057f1155515dd3a37afde0b459b2cf
MD5: 665419c0e458883122a790f260115ada
MD5: 1ea373c41eabd0ad3787039dd0927525
MD5: f3472ec713d3ab2e255091194e4dccaa
MD5: 4d54a2c022dad057f8e44701d52fec6b
MD5: 6807409c44a4a9c83ce67abc3d5fe982
As well as related MD5s phoning back to 185.4.227.76:
MD5: 6b1e671746373a5d95e55d17edec5623
MD5: 377c2e63ff3fd6f5fdd93ff27c8216fe
MD5: 2D4C5B95321C5A9051874CEE9C9E9CDC
MD5: 3f9df3fd39778b1a856dedebf8f39654
MD5: 82e2672c2ca1b3200d234c6c419fc83a
MD5: 796967255c8b99640d281e89e3ffe673
MD5: bc1883b07b47423bd30645e54db4775c
MD5: e6f081d2c5a3608fad9b2294f1cb6762
What’s special about the second C&C phone back IP (185.4.227.76) is that it was used in another Facebook themed malware campaign back in December, 2012, indicating that this cybercriminal/group of cybercriminals are actively impersonating Facebook Inc. for malicious and fraudulent purposes..."
(More detail at the webroot URL above.)
* https://www.virustot...75947/analysis/
File name: Dionis
Detection ratio: 31/45
Analysis date: 2013-02-15

AS197145 Infium
- https://www.google.c...?site=AS:197145

:ph34r: :ph34r: <_<

Edited by AplusWebMaster, 19 February 2013 - 07:45 AM.



#882 AplusWebMaster

Posted 19 February 2013 - 05:38 AM

FYI...

Fake Wire Transfer emails serve client-side exploits and malware
- http://blog.webroot....ts-and-malware/
Feb 19, 2013 - "... a persistent attempt to infect tens of thousands of users with malware through a systematic rotation of multiple social engineering themes... they all share the same malicious infrastructure. Let’s profile one of the most recently spamvertised campaigns, and expose the cybercriminals’ complete portfolio of malicious domains, their related name servers, dropped MD5 and its associated run time behavior...
Sample screenshot of the spamvertised email:
> https://webrootblog....exploit_kit.png
Sample spamvertised compromised URLs:
hxxp://2555.ruksadindan .com/page-329.htm
hxxp://www.athenassoftware .com.br/page-329.htm
hxxp://www.sweetgarden .ca/page-329.htm
hxxp://lab.monohrom .uz/page-329.htm
hxxp://easy2winpoker .com/page-329.htm
hxxp://ideashtor .ru/page-329.htm
Sample client-side exploits serving URL:
hxxp:// 202.72.245.146 :8080/forum/links/public_version.php
... malicious domains also respond to the same IP (202.72.245.146) and are part of multiple campaigns spamvertised over the past couple of days...
(Long list available at the webroot URL above.)...
Sample malicious payload dropping URL:
hxxp:// 202.72.245.146 :8080/forum/links/public_version.php?mmltejvt=1g:2v:33:2v:2w&pstvw=3d&xrej=1j:33:32:1l:1g:1i:1o:1n:1o:1i&vczaspnq=1n:1d:1f:1d:1f:1d:1j:1k:1l
Sample client-side exploits served: CVE-2010-0188
Upon successful client-side exploitation, the campaign drops MD5: 04e9d4167c9a1b82e622e04ad85f8e99 * ... Trojan.Win32.Yakes.cdxy.
Once executed, the sample creates... Registry Keys... And modifies them..."
(More detail available at the webroot URL above.)
* https://www.virustot...9d48d/analysis/
File name: contacts.exe
Detection ratio: 33/46
Analysis date: 2013-02-18
___

Something evil on 67.208.74.71
- http://blog.dynamoo....-672087471.html
19 Feb 2013 - "67.208.74.71 (Inforelay, US) is a parking IP with several thousand IPs hosted on it. However, it also includes a large number of malicious sites using Dynamic DNS services. Some of these sites have recently moved from the server mentioned here*.
Probably most of the sites on this server are legitimate and blocking access to it might cause some problems. However, you can block most of these malicious domains by targeting the Dynamic DNS domain...
You can find a copy of the domains, IPs, WOT ratings and Google prognosis here** [csv].
These following domains are hosted on 67.208.74.71 and are listed as malicious by Google's Safe Browsing Diagnostics...
These domains are hosted on 67.208.74.71 and are not flagged by Google, but almost all have a poor WOT reputation and are very likely to be malicious...
These sites appear to have been hosted recently on 67.208.74.71 and are flagged as malware by Google, but are not resolving at present...
These domains appear to have been recently hosted on 67.208.74.71, are not flagged as malicious by Google but are nonetheless suspect..."
(More detail available at the dynamoo URL above.)
* http://blog.dynamoo....-926310523.html

** http://www.dynamoo.c...7-208-74-71.csv

- https://www.google.c...c?site=AS:33597
___

Fake UPS SPAM / emmmhhh .ru
- http://blog.dynamoo....-emmmhhhru.html
19 Feb 2013 - "The spammers sending this stuff out always confuse UPS with USPS, this one is no exception although on balance it is more UPS than USPS.. anyway, it leads to malware on emmmhhh .ru:
From: messages-noreply @bounce.linkedin .com [mailto:messages-noreply @bounce.linkedin .com] On Behalf Of Valda Gill via LinkedIn
Sent: 19 February 2013 10:00
Subject: United Postal Service Tracking Nr. H9878032462
You can use UPS .COM to:
Ship Online
Schedule a Pickup
Open a UPS .COM Account
Welcome to UPS Team
Hi, [redacted].
DEAR CUSTOMER , We were not able to delivery the post package
PLEASE PRINT OUT THE INVOICE COPY ATTACHED AND COLLECT THE PACKAGE AT OUR DEPARTMENT.
With best regards , UPS Customer Services.
Copyright 2011 United Parcel Service of America, Inc. Your USPS ...us


There is an attachment UPS_ID5408466.htm which attempts to direct visitors to [donotclick]emmmhhh .ru:8080/forum/links/column.php hosted on:
50.31.1.104 (Steadfast Networks, US)
66.249.23.64 (Endurance International, US)
195.210.47.208 (PS Internet Company, Kazakhstan)
The following IPs and domains are all malicious and should be blocked:
50.31.1.104
66.249.23.64
195.210.47.208
..."
___

Something evil on 74.208.148.35
- http://blog.dynamoo....7420814835.html
19 Feb 2013 - "Spotted by the good folks at GFI Labs here*, here** and here*** are several Canadian domains on the same server, 74.208.148.35 (1&1, US):
justcateringfoodservices .com
dontgetcaught .ca
blog.ritual .ca
lumberlandnorth .com
Obviously, there's some sort of server-level compromise here. Blocking access to 74.208.148.35 will give some protection against several very active malicious spam campaigns..."
* http://gfisoftware.t...ll-invoice-spam

** http://gfisoftware.t...-complaint-spam

*** http://gfisoftware.t...e-transfer-spam
___

Fake pharma SPAM - Cyberbunker / 84.22.104.123
- http://blog.dynamoo....8422104123.html
19 Feb 2013 - "Crime-friendly host Cyberbunker strikes again, this time hosting more fake pharma sites on 84.22.104.123, being promoted through this suspicious looking spam:
Date: Tue, 19 Feb 2013 22:58:26 +0000 (GMT)
From: Apple [noreply @bellona.wg.saar .de]
To: [redacted]
Subject: Your Apple ID was used to sign in to FaceTime, iCloud, and iMessage on an iPhone 5
Dear Customer,
Your Apple ID ([redacted]) was used to sign in to FaceTime, iCloud, and iMessage on an iPhone 5.
If you have not recently set up an iPhone with your Apple ID, then you should change your Apple ID password. Learn More.
Privacy Policy
Copyright 2013 Apple Inc. 1 Infinite Loop, Cupertino CA 95014 - All Rights Reserved.


The spam has a link to an illegally hacked legitimate site that then bounces to drugstorepillstablets .ru hosted on 84.22.104.123 along with... spammy sites... Cyberbunker is nothing but bad news. Blocking 84.22.96.0/19 is an exceptionally good idea."
(More detail at the dynamoo URL above.)

* https://www.google.c...c?site=AS:34109

:ph34r: <_<

Edited by AplusWebMaster, 19 February 2013 - 06:21 PM.

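
The same indicators keep recurring through the items above: landing pages on port 8080 under /forum/links/column.php or /forum/links/public_version.php, a handful of hosting IPs, a list of .ru and .com domains, and the 84.22.96.0/19 range the Cyberbunker item recommends blocking outright. The script below turns them into a proxy-log check. It is an added example, not code from the dynamoo or webroot posts: the indicator values are copied from the posts, but the log layout, the sample lines and the decision to treat subdomains of a listed domain as matches are assumptions.

```python
"""Match proxy-log URLs against the IPs, domains, CIDR ranges and the URL
pattern named in the posts above. Added example; indicator values come from
the posts, everything else (log format, sample lines, subdomain policy) is assumed."""
import ipaddress
import re
from urllib.parse import urlsplit

# Single hosts from the posts plus the /19 the Cyberbunker item suggests blocking.
BLOCKED_NETWORKS = [
    ipaddress.ip_network(n)
    for n in (
        "84.22.96.0/19",       # Cyberbunker range
        "202.72.245.146/32",   # Railcom, Mongolia - Blackhole landing host
        "74.208.148.35/32",    # 1&1, US - compromised server used for phone-home
        "62.212.130.115/32",   # Xenosite, Netherlands
    )
]

BLOCKED_DOMAINS = {
    "emmmhhh.ru", "famagatra.ru", "fulinaohps.ru", "faneroomk.ru",
    "participamoz.com", "drugstorepillstablets.ru",
}

# Landing-page path that recurs across the posts, always served on port 8080.
BLACKHOLE_PATH = re.compile(r"^/forum/links/(column|public_version)\.php$")


def host_in_blocked_networks(host: str) -> bool:
    """True when the URL host is a literal IP inside one of the blocked ranges."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:          # a hostname, not an IP literal
        return False
    return any(ip in net for net in BLOCKED_NETWORKS)


def host_in_blocked_domains(host: str) -> bool:
    """Exact match or subdomain of a blocked domain (assumed policy)."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in BLOCKED_DOMAINS)


def classify_url(url: str) -> list:
    """Return the list of reasons a URL matches; empty means no indicator hit."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    reasons = []
    if host_in_blocked_networks(host):
        reasons.append("blocked-ip")
    if host_in_blocked_domains(host):
        reasons.append("blocked-domain")
    if parts.port == 8080 and BLACKHOLE_PATH.match(parts.path):
        reasons.append("blackhole-landing-path")
    return reasons


# Constructed sample log, layout "<epoch> <client-ip> <method> <url>" (assumed).
# 203.0.113.9 is a documentation address: an unknown host whose path alone is enough.
SAMPLE_LOG = """\
1361351470 10.0.0.12 GET http://www.example.com/index.html
1361351471 10.0.0.12 GET http://emmmhhh.ru:8080/forum/links/column.php
1361351472 10.0.0.34 GET http://202.72.245.146:8080/forum/links/public_version.php?mmltejvt=1g:2v
1361351473 10.0.0.34 GET http://84.22.104.123/
1361351474 10.0.0.56 GET http://www.participamoz.com/detects/holds_edge.php
1361351475 10.0.0.56 GET http://203.0.113.9:8080/forum/links/column.php
"""


def scan_log(text: str) -> list:
    """Return (client, url, reasons) for every log line whose URL matches an indicator."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue            # blank or malformed line
        client, url = fields[1], fields[3]
        reasons = classify_url(url)
        if reasons:
            hits.append((client, url, reasons))
    return hits


if __name__ == "__main__":
    for client, url, reasons in scan_log(SAMPLE_LOG):
        print(f"{client} -> {url}  [{', '.join(reasons)}]")
```

The path rule is deliberately kept separate from the host lists: the posts show the same /forum/links/*.php landing page being moved from host to host, so a hit on the path alone is worth flagging even when the host is not yet on any list. The client IPs in the matched lines are the machines to look at first.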


#883 AplusWebMaster

Posted 20 February 2013 - 05:39 AM

FYI...

Fake USPS SPAM / USPS delivery failure report.zip
- http://blog.dynamoo....ry-failure.html
20 Feb 2013 - "This fake USPS spam contains malware in an attachment called USPS delivery failure report.zip.
Date: Wed, 20 Feb 2013 06:40:39 +0200 [02/19/13 23:40:39 EST]
From: USPS client manager Michael Brewer [reports @usps .com]
Subject: USPS delivery failure report
USPS notification
Our company’s courier couldn’t make the delivery of package.
REASON: Postal code contains an error.
LOCATION OF YOUR PARCEL: KnoxvilleFort
DELIVERY STATUS: sort order
SERVICE: One-day Shipping
NUMBER OF YOUR PARCEL: M1PZN6BI4F
FEATURES: No
Label is enclosed to the letter.
Print a label and show it at your post office.
An additional information:
If the parcel isn’t received within 30 working days our company will have the right to claim compensation from you for it’s keeping in the amount of $8.26 for each day of keeping of it.
You can find the information about the procedure and conditions of parcels keeping in the nearest office.
Thank you for using our services.
USPS Global.


The attachment is double-zipped, presumably to try to evade virus and content scanners. Opening it extracts another ZIP file called USPS report id 943577924988734.zip which contains another file called USPS report id 943577924988734.exe.
The VirusTotal detections for this are patchy and fairly generic*. Automated analysis tools are pretty inconclusive** when it comes to the payload, although if you are trying to clean it up then starting with HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SunJavaUpdateSched (which is set to "C:\Documents and Settings\All Users\svchost.exe") is probably a good start."
* https://www.virustot...sis/1361351470/
File name: USPS report id 943577924988734.exe
Detection ratio: 27/46
Analysis date: 2013-02-20
** http://camas.comodo....3ac5b32d8e28682
___

Something evil on 62.212.130.115
- http://blog.dynamoo....2212130115.html
20 Feb 2013 - "Something evil seems to be lurking on 62.212.130.115 (Xenosite, Netherlands) - a collection of sites connected with the Blackhole exploit kit, plus indications of evil subdomains of legitimate hacked sites. All-in-all, this IP is probably worth avoiding.
Firstly, there are the evil subdomains that have a format like 104648746540365e.familyholidayaccommodation .co.za - these are mostly hijacked .co.za and .cl domains. The following list contains the legitimate domains and IPs that appear to have been hijacked. Ones marked in red have been flagged as malicious by Google. Remember, these IPs are not evil, it is just the subdomains that are (on a different IP)...
The second bunch of domains appear to be connected with the Blackhole Exploit kit (according to this report*) and can be assumed to be malicious, and are hosted on 62.212.130.115...
The final group is where it gets messy. These are malicious subdomains that either are on (or have recently been on) 62.212.130.115. It looks like they are hardened against analysis, but they certainly shouldn't be here and can be assumed to be malicious too..."
(More detail at the dynamoo URL above.)
* http://pastebin.com/FNjkdB34
___

famagatra .ru injection attack in progress
- http://blog.dynamoo....n-progress.html
20 Feb 2013 - "There seems to be an injection attack in progress, leading visitors to a hacked website to a malicious page on the server famagatra .ru.
The payload is at [donotclick]famagatra .ru:8080/forum/links/public_version.php?atd=1n:33:2v:1l:1h&qav=3j&yvxhqg=1j:33:32:1l:1g:1i:1o:1n:1o:1i&jehmppj=1n:1d:1f:1d:1f:1d:1j:1k:1l (report here*) which is basically a nasty dose of Blackhole.
84.23.66.74 (EUserv Internet, Germany)
195.210.47.208 (PS Internet Company, Kazakhstan)
210.71.250.131 (Chungwa Telecom, Taiwan)
The following domains and IPs are all part of the same evil circus:
84.23.66.74
195.210.47.208
210.71.250.131
..."
(More detail at the dynamoo URL above.)
* http://urlquery.net/....php?id=1050803
... Blackholev2 redirection successful
___

Fake Wire transfer SPAM / fulinaohps .ru
- http://blog.dynamoo....linaohpsru.html
20 Feb 2013 - "This fake wire transfer spam leads to malware on fulinaohps .ru:
Date: Wed, 20 Feb 2013 04:28:14 +0600
From: accounting@[victimdomain]
Subject: Fwd: ACH and Wire transfers disabled.
Dear Online Account Operator,
Your ACH transactions have been
temporarily disabled.
View details
Best regards,
Security department


The malicious payload is at [donotclick]fulinaohps .ru:8080/forum/links/column.php (report here*) hosted on the following IPs:
84.23.66.74 (EUserv Internet, Germany)
195.210.47.208 (PS Internet Company, Kazakhstan)
210.71.250.131 (Chungwa Telecom, Taiwan)
These are the same IPs as used in this attack**, you should block them if you can."
* http://urlquery.net/....php?id=1051770
... suspicious URL pattern... obfuscated URL
** http://blog.dynamoo....n-progress.html
___

Fake SendSecure Support SPAM / secure_message... .zip
- http://blog.dynamoo....pport-spam.html
20 Feb 2013 - "This fake SendSecure Support / Bank of America spam comes with a malicious attachment called secure_message_02202013_01590106757637303.zip:
Date: Wed, 20 Feb 2013 11:23:43 -0400 [10:23:43 EST]
From: SendSecure Support [SendSecure.Support @bankofamerica .com]
Subject: You have received a secure message from Bank Of America
You have received a secure message.
Read your secure message by opening the attachment. You will be prompted to open (view) the file or save (download) it to your computer. For best results, save the file first, then open it.
If you have concerns about the validity of this message, please contact the sender directly.
First time users - will need to register after opening the attachment.
Help - https ://securemail.bankofamerica .com/websafe/help?topic=Envelope


The zip file secure_message_02202013_01590106757637303 .zip unzips into secure_message_02202013_01590106757637303 .exe with a VirusTotal detection**... According to ThreatExpert***, the malware installs a keylogger and also tries to phone home to:
blog.ritual .ca
dontgetcaught .ca
These sites are hosted on 74.208.148.35 which I posted about yesterday*. Blocking access to this IP might mitigate against this particular threat somewhat."
* http://blog.dynamoo....7420814835.html

** https://www.virustot...sis/1361376818/
File name: secure_message_02202013_{DIGIT[17]}.exe
Detection ratio: 6/46
Analysis date: 2013-02-20

*** http://www.threatexp...b27e6479a4dffd3
___

- http://tools.cisco.c...Outbreak.x?i=77
Fake Airline Ticket Credit Card Processing E-mail Messages - February 20, 2013
Fake CashPro Online Digital Certificate Notification E-mail Messages - February 20, 2013
Fake Tax Document Notification E-mail Messages - February 20, 2013
Fake Rejected Tax Form Notification E-mail Messages - February 20, 2013
Fake Bank Deposit Notification E-mail Messages - February 20, 2013
Fake Package Delivery Failure E-mail Messages - February 20, 2013
Fake Product Order E-mail Messages - February 20, 2013
(More info and links available at the cisco URL above.)

:ph34r: <_<

Edited by AplusWebMaster, 20 February 2013 - 04:12 PM.



#884 AplusWebMaster

Posted 21 February 2013 - 08:52 AM

FYI...

Fake ADP SPAM / faneroomk .ru
- http://blog.dynamoo....aneroomkru.html
21 Feb 2013 - "This fake ADP spam tries (and fails) to lead to malware on faneroomk .ru:
From: messages-noreply @bounce.linkedin .com [mailto:messages-noreply@bounce.linkedin .com] On Behalf Of LinkedIn
Sent: 20 February 2013 20:02
Subject: ADP Immediate Notification
ADP Immediate Notification
Reference #: 001737199
Thu, 21 Feb 2013 02:01:39 +0600
Dear ADP Client
Your Transfer Record(s) have been created at the web site:
https ://www.flexdirect .adp.com/client/login.aspx
Please see the following notes:
• Please note that your bank account will be debited within one banking business day for the amount(s) shown on the report(s).
• Please do not respond or reply to this automated e-mail. If you have any questions or comments, please Contact your ADP Benefits Specialist.
This note was sent to acting users in your system that approach ADP Netsecure.
As usual, thank you for choosing ADP as your business affiliate!
Ref: 890911798
HR. Payroll. Benefits.
The ADP logo and ADP are registered trademarks of ADP, Inc.
In the business of your success is a service mark of ADP, Inc.
© 2013 ADP, Inc. All rights reserved.


The malicious payload is meant to be [donotclick]faneroomk .ru:8080/forum/links/column.php but right at the moment it is not resolving... The following IPs and domains are all related:
41.168.5.140
110.164.58.250
184.106.195.200
210.71.250.131
203.171.234.53
..."
(More detail at the dynamoo URL above.)
___

Fake Verizon Wireless SPAM / participamoz .com
- http://blog.dynamoo....cipamozcom.html
20 Feb 2013 - "This fake Verizon Wireless spam leads to malware on participamoz .com:
Date: Wed, 20 Feb 2013 23:24:49 +0400
From: "AccountNotify @verizonwireless .com" [cupcakenc0 @irs .gov]
Subject: Verizon wireless online bill.
Important account information from Verizon Wireless
Your current bill for your account ending in XXXX-XX001 is now available online in My Verizon
Total Balance Due: $48.15
Scheduled Automatic Payment Date: 02/25/2012
Mind that payments and/or adjustments made to your account after your bill was generated will be deducted from your automatic payment amount.
> Review and Pay Your Bill
Thank you for choosing Verizon Wireless.
My Verizon is also available 24/7 to assist you with:
Vrowsing your usage
Updating your plan
Adding Account Members
Paying your bill
Finding accessories for your devices
And much, much more...
2011 Verizon Wireless
Verizon Wireless | One Verizon Way | Mail Code: 190WVB | Basking Ridge, NJ 07990
We respect your privacy. Please review our privacy policy for more information
If you are not the intended recipient and feel you have received this email in error; or if you would like to update your customer notification preferences, please click here.


The malicious payload is at [donotclick]participamoz .com/detects/holds_edge.php hosted on:
161.200.156.200 (Chulanet, Thailand)
173.251.62.46 (MSP Digital / Cablevision, US)
The following IPs and domains are connected and should be treated as malicious:
161.200.156.200
173.251.62.46

prosctermobile .com
aftandilosmacerati .com
pardontemabelos .com
participamoz .com ..."
___

Fake Verizon emails lead to BlackHole Exploit Kit
- http://blog.webroot....le-exploit-kit/
Feb 21, 2013 - "On a periodic basis, cybercriminals are spamvertising malicious campaigns impersonating Verizon Wireless to tens of thousands of Verizon customers across the globe in an attempt to trick them into interacting with the fake emails... one of the most recently spamvertised campaigns impersonating Verizon Wireless. Not surprisingly, once users click on any of the links found in the malicious emails, they’re automatically exposed to the client-side exploits served by the Black Hole Exploit Kit...
Sample screenshot of the spamvertised email:
> https://webrootblog....exploit_kit.png
... Malicious domain name reconnaissance:
participamoz .com – 173.251.62.46; 161.200.156.200 – Email: dort.dort @live .com
Name Server: NS1.THEREGISTARS .COM – 31.170.106.17 – Email: lockwr @rocketmail .com
Name Server: NS2.THEREGISTARS .COM – 67.15.223.219 – Email: lockwr @rocketmail .com
... Upon successful client-side exploitation, the campaign drops MD5: 4377dcc591f87cc24e75f8c69a2a7f8f * ... UDS:DangerousObject.Multi.Generic.
It then attempts to phone back to the following IPs:
110.143.183.104, 24.120.165.58, 110.143.183.104, 75.80.49.248, 71.42.56.253, 94.65.0.48,
98.16.107.213, 190.198.30.168, 76.193.173.205, 71.43.217.3, 66.229.110.89, 101.162.73.132,
94.68.49.208, 64.219.121.189, 99.122.152.158, 80.252.59.142, 108.211.64.46, 69.39.74.6,
91.99.146.167, 187.131.70.221, 76.202.211.184, 168.93.99.82, 122.60.136.168, 213.105.24.171,
122.60.136.168, 84.72.243.231, 79.56.80.211
..."
(More detail at the webroot URL above.)
* https://www.virustot...b3dd9/analysis/
File name: info.exe
Detection ratio: 25/46
Analysis date: 2013-02-21
___

Fake "Efax Corporate" SPAM / fuigadosi .ru
- http://blog.dynamoo....uigadosiru.html
21 Feb 2013 - "This fake eFax spam leads to malware on fuigadosi .ru:
Date: Thu, 21 Feb 2013 -05:24:35 -0800
From: LinkedIn Password [password @linkedin .com]
Subject: Efax Corporate
Attachments: EFAX_Corporate.htm
Fax Message [Caller-ID: 705646877]
You have received a 29 pages fax at Thu, 21 Feb 2013 -05:24:35 -0800, (913)-809-4198.
* The reference number for this fax is [eFAX-806896385].
View attached fax using your Internet Browser.
© 2013 j2 Global Communications, Inc. All rights reserved.
eFax ® is a registered trademark of j2 Global Communications, Inc.
This account is subject to the terms listed in the eFax ® Customer Agreement.


The malicious payload is at [donotclick]fuigadosi .ru:8080/forum/links/column.php (report here*) hosted on:
84.23.66.74 (EUserv Internet, Germany)
122.160.168.219 (Trackon Couriers, India)
210.71.250.131 (Chungwa Telecom, China)..."
* http://urlquery.net/....php?id=1060334
___

Fake Trustwave TrustKeeper emails - Phish ...
- http://blog.spiderla...hing-alert.html
21 Feb 2013 - "Over the last few hours, Trustwave has received multiple reports of individuals receiving fake emails pretending to be from Trustwave. These emails did not originate from Trustwave. Recipients should immediately delete the emails and not follow any links presented in them. These emails indicate they are being sent as part of a “TrustKeeper PCI Scan Notification” and are alerting the recipient to login to a portal to respond to an issue related to a vulnerability scan of their network. Early analysis has shown these emails are being sent from many variations of fake Trustwave email addresses and redirecting users to multiple non-Trustwave URLs. Visiting these URLs might introduce malware onto your systems. Below is a screenshot of a fake email:
> http://npercoco.type...41337399970c-pi ..."
___

Fake inTuit emails - overdue payment
- http://security.intu.../alert.php?a=73
2/21/13 - "People are receiving fake emails with the title "Please respond - overdue payment." Below is a copy of the email people are receiving. The email does not contain a link; however, the email has a .zip attachment that contains malware. Do not open the .zip file:
Please find attached your invoices for the past months. Remit the payment by 02/25/2013 as outlines under our "Payment Terms" agreement.
Thank you for your business,
Sincerely,
Earline Robles


This is the end of the fake email.
Steps to Take Now: Do -not- open the attachment in the email..."
___

Fake "Xerox WorkCentre Pro" SPAM / familanar .ru
- http://blog.dynamoo....e-pro-spam.html
21 Feb 2013 - "This familiar printer spam leads to malware on the familanar .ru domain:
Date: Thu, 21 Feb 2013 09:22:25 -0500 [09:22:25 EST]
From: Tagged [Tagged @taggedmail .com]
Subject: Fwd: Re: Scan from a Xerox WorkCentre Pro #800304
A Document was sent to you using a XEROX WorkJet PRO 760820.
SENT BY : BRYNN
IMAGES : 5
FORMAT (.JPEG) DOWNLOAD


The malicious payload is at [donotclick]familanar .ru:8080/forum/links/column.php (report here*) hosted on:
84.23.66.74 (EUserv Internet, Germany)
122.160.168.219 (Trackon Couriers, India)
210.71.250.131 (Chungwa Telecom, China)
Which are the same IPs found in this attack** and several others. Block 'em if you can."
* http://www.urlquery.....php?id=1064138

** http://blog.dynamoo....uigadosiru.html
___

Fake ACH transaction SPAM / payment receipt - 884993762994.zip
- http://blog.dynamoo....ction-spam.html
21 Feb 2013 - "This fake ACH transaction spam comes with a malicious attachment:
Date: Thu, 21 Feb 2013 14:32:08 -0500 [14:32:08 EST]
From: Payment notification system [homebodiesga38@gmail.com]
Subject: Automatic transfer notification
ACH transaction is completed. $443 has been successfully transferred.
If the transaction was made by mistake please contact our customer service.
Receipt on payment is attached.
This is an automatically generated email, please do not reply


Attached is a file called payment receipt - 884993762994.zip which unzips to payment receipt - 884993762994.exe which has a disappointing VirusTotal detection count of just 14/46... Blocking EXE-in-ZIP files at the perimeter generally causes very little trouble, assuming you can do it..."

:ph34r: <_<

Edited by AplusWebMaster, 21 February 2013 - 06:46 PM.

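
The double-zipped USPS attachment in the post above (a ZIP containing a ZIP containing the .exe, "presumably to try to evade virus and content scanners") and the "block EXE-in-ZIP at the perimeter" advice in the ACH item both point at the same mail-gateway check: open the archive, descend into any archives inside it, and flag a member that is executable either by extension or by its MZ header, so a renamed .exe is caught too. The following is an added example, not code from the dynamoo posts; the sample archive is constructed here from the file names in the USPS post with dummy contents, and the extension list and nesting limit are assumed policy values.

```python
"""Flag executables hidden inside (nested) ZIP e-mail attachments.
Added example; the sample archives below are constructed, not the real attachments."""
import io
import os
import zipfile

# Extensions a perimeter EXE-in-ZIP rule would normally block (assumed policy list).
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs"}
MAX_DEPTH = 4   # refuse to descend forever into zip-in-zip-in-zip (assumed limit)


def looks_like_pe(data: bytes) -> bool:
    """Windows executables start with the 'MZ' DOS header, whatever the file is named."""
    return data[:2] == b"MZ"


def find_executables(blob: bytes, prefix: str = "", depth: int = 0) -> list:
    """Return member paths inside blob (a ZIP, possibly containing ZIPs) that are
    executable by extension or by MZ header. Nested members are reported as
    'outer.zip/inner.zip/member'. A non-ZIP blob yields an empty list."""
    if not zipfile.is_zipfile(io.BytesIO(blob)):
        return []
    if depth > MAX_DEPTH:
        return [prefix + "<nesting too deep>"]   # treat excessive nesting as a hit
    hits = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            path = prefix + info.filename
            data = zf.read(info)
            if zipfile.is_zipfile(io.BytesIO(data)):
                # an archive inside the archive: recurse rather than judge by name
                hits.extend(find_executables(data, path + "/", depth + 1))
                continue
            ext = os.path.splitext(info.filename)[1].lower()
            if ext in EXECUTABLE_EXTENSIONS or looks_like_pe(data):
                hits.append(path)
    return hits


def should_block(blob: bytes) -> bool:
    """Perimeter decision: block the attachment if anything executable is inside."""
    return bool(find_executables(blob))


def build_sample_attachment() -> bytes:
    """Constructed double-zipped sample mirroring the layout described in the post
    (file names from the post; contents are dummy bytes carrying only an MZ header)."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("USPS report id 943577924988734.exe", b"MZ" + b"\x00" * 62)
        z.writestr("readme.txt", b"plain text, harmless")
        z.writestr("label.pdf", b"MZ" + b"\x00" * 62)   # executable renamed to look like a document
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("USPS report id 943577924988734.zip", inner.getvalue())
    return outer.getvalue()


def build_benign_attachment() -> bytes:
    """Constructed ZIP holding only a text file, to show the rule lets ordinary mail through."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("minutes.txt", b"nothing executable here")
    return buf.getvalue()


if __name__ == "__main__":
    for member in find_executables(build_sample_attachment()):
        print("executable member:", member)
    print("block sample:", should_block(build_sample_attachment()))
    print("block benign:", should_block(build_benign_attachment()))
```

Checking the MZ header as well as the extension is what makes the rule hold up against the obvious dodge of renaming the payload; the nesting limit is there so a crafted attachment cannot make the gateway recurse indefinitely.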


#885 AplusWebMaster

Posted 22 February 2013 - 10:26 AM

FYI...

Fake Invoice SPAM - "End of Aug. Stat" forummersedec .ru
- http://blog.dynamoo....mersedecru.html
22 Feb 2013 - "This fake invoice email leads to malware on forummersedec .ru:
Date: Fri, 22 Feb 2013 11:33:38 +0530
From: AlissonNistler@ [victimdomain]
Subject: Re: FW: End of Aug. Stat.
Attachments: Invoices-1207-2012.htm
Hallo,
as reqeusted I give you inovices issued to you per dec. 2012 ( Internet Explorer/Mozilla Firefox file)
Regards


The attachment attempts to redirect the victim to a malicious payload at [donotclick]forummersedec .ru:8080/forum/links/column.php (report here*) hosted on
84.23.66.74 (EUserv Internet, Germany)
122.160.168.219 (Trackon Couriers, India)
The following IPs and domains are related and should be blocked:
84.23.66.74
122.160.168.219
..."
(More detail at the dynamoo URL above.)
* http://urlquery.net/....php?id=1069702
___

Fake "Data Processing" SPAM / dekolink .net
- http://blog.dynamoo....ekolinknet.html
22 Feb 2013 - "This fake "Data Processing" spam leads to malware on dekolink .net:
Date: Fri, 22 Feb 2013 08:06:43 -0500
From: "Data Processing Service" [customersupport @dataprocessingservice .com]
Subject: ACH file ID '768.579
Files Processing Service
SUCCESS Note
We have successfully handled ACH file 'ACH2013-02-20-5.txt' (id '768.579') submitted by user '[redacted]' on '2013-02-20 1:14:30.7'.
FILE SUMMARY:
Item count: 79
Total debits: $28,544.53
Total credits: $28,544.53
For more info click here


The malicious payload is at [donotclick]dekolink .net/detects/when-weird-contrast.php (report here*) hosted on the following servers:
50.7.251.59 (FDC Servers, Czech Republic)
176.120.38.238 (Langate, Ukraine).."
* http://urlquery.net/....php?id=1062564
... BlackHole v2.0 exploit kit
___

Fake LinkedIn SPAM / greatfallsma .com
- http://blog.dynamoo....fallsmacom.html
22 Feb 2013 - "This "accidental" LinkedIn spam is a fake and leads to malware on greatfallsma .com:
From: LinkedIn [mailto:papersv@ informer.linkedin .com]
Sent: 22 February 2013 15:58
Subject: Reminder about link requests pending
See who connected with you this week on LinkedIn
Now it's easy to connect with people you email
Continue
This is an accidental LinkedIn Marketing email to help you get the most out of LinkedIn. Unsubscribe
© 2013, LinkedIn Corporation. 2089 Stierlin Ct, Mountain View, CA 99063

> Another example:
Date: Fri, 22 Feb 2013 18:21:25 +0200
From: "LinkedIn" [noblest00@ info.linkedin .com]
Subject: Reminder about link requests pending
[redacted]
See who requested link with you on LinkedIn
Now it's easy to connect with people you email
Continue
This is an casual LinkedIn Marketing email to help you get the most out of LinkedIn. Unsubscribe
2013, LinkedIn Corporation. 2073 Stierlin Ct, Mountain View, CA 98043


The malicious payload is at [donotclick]greatfallsma .com/detects/impossible_appearing_timing.php (report here*) hosted on:
50.7.251.59 (FDC Servers, Czech Republic)
176.120.38.238 (Langate, Ukraine)
These are the same two servers used in this attack; blocking them would probably be a good idea."
* http://urlquery.net/....php?id=1071027
... Blackhole 2 Landing Page

:ph34r: :ph34r: <_<

Edited by AplusWebMaster, 22 February 2013 - 11:13 AM.

