
SPAM frauds, fakes, and other MALWARE deliveries...


2072 replies to this topic

#886 AplusWebMaster
  • Authentic Member
  • 10,472 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted 25 February 2013 - 04:31 AM

FYI...

Fake ACH emails serve client-side exploits and malware
- http://blog.webroot....ts-and-malware/
Feb 25, 2013 - "... yet another spam campaign, this time impersonating the “Data Processing Service” company, in an attempt to trick its customers into interacting with the malicious emails. Once they do so, they are automatically exposed to the client-side exploits served by the BlackHole Exploit Kit...
Sample screenshot of the spamvertised email:
> https://webrootblog....service_ach.png
... Upon successful client-side exploitation, the campaign drops MD5: faa3a6c7bbf5b0449f60409c8bf63859 * ... Trojan-Spy.Win32.Zbot.jfpy.
... It then attempts to connect to the following IPs:
24.120.165.58, 66.117.77.134, 64.219.121.189, 66.117.77.134, 75.47.231.138, 108.211.64.46,
91.99.146.167, 108.211.64.46, 71.43.217.3, 81.136.230.235, 101.162.73.132, 99.76.3.38,
85.29.177.249, 24.126.54.116, 108.130.34.42, 99.116.134.54, 80.252.59.142

Malicious domain name reconnaissance:
dekolink .net – 50.7.251.59; 176.120.38.238 – Email: wondermitch @hotmail .com
Name Server: NS1.THEREGISTARS .COM – 31.170.106.17 – Email: lockwr @rocketmail .com
Name Server: NS2.THEREGISTARS .COM – 67.15.223.219 – Email: lockwr @rocketmail .com ..."
(More detail available at the webroot URL above.)
* https://www.virustot...8ca62/analysis/
File name: info.exe
Detection ratio: 27/45
Analysis date: 2013-02-25
___

Trustwave Trustkeeper Phish
- https://isc.sans.edu...l?storyid=15271
Last Updated: 2013-02-25 17:41:36 UTC - ... the giveaway that this is a fake is the From e-mail address as well as the link leading to a different site than advertised. Click on the image for a full size example.
> https://isc.sans.edu...stwavephish.png
[Update:] An analysis of this phish by Trustwave's own Spiderlabs can be found here:
- http://blog.spiderla...eper-phish.html

- http://blog.dynamoo....ities-scan.html
25 Feb 2013 - "... this "TrustKeeper Vulnerabilities Scan Information" -spam- leads to an exploit kit on saberdelvino .net...
> https://lh3.ggpht.co...0/trustwave.png
... The malicious payload is at [donotclick]saberdelvino .net/detects/random-ship-members-daily.php (report here*) hosted on the following IPs:
118.97.77.122 (PT Telekon, Indonesia)
176.120.38.238 (Langate, Ukraine)..."
* http://www.urlquery.....php?id=1120754
... Blackhole 2

:ph34r: <_<

Edited by AplusWebMaster, 25 February 2013 - 03:04 PM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.



#887 AplusWebMaster

Posted 26 February 2013 - 02:26 PM

FYI...

Fake Facebook SPAM / lazaro-sosa .com
- http://blog.dynamoo....ro-sosacom.html
26 Feb 2013 - "This fake Facebook spam leads to malware on lazaro-sosa .com:
Date: Tue, 26 Feb 2013 14:26:20 +0200
From: "Facebook" [twiddlingv29@informer.facebook.com]
Subject: Brian Parker commented your photo.
facebook
Brian Parker commented on Your photo.
Reply to this email to comment on this photo.
See Comment
This message was sent to [redacted]. If you don't want to receive these emails from Facebook in the future, please unsubscribe.
Facebook, Inc., Attention: Department 415, PO Box 10001, Palo Alto, CA 90307


The malicious payload is at [donotclick]lazaro-sosa .com/detects/queue-breaks-many_suffering.php (report here*) hosted on:
118.97.77.122 (PT Telkom, Indonesia)
147.91.83.31 (AMRES, Serbia)
Blocking these IPs is probably prudent."
* http://www.urlquery.....php?id=1135254
... Blackhole
___

Fake Intuit SPAM / forumligandaz .ru
- http://blog.dynamoo....ligandazru.html
26 Feb 2013 - "This fake Intuit spam leads to malware on forumligandaz .ru:
Date: Tue, 26 Feb 2013 01:27:09 +0330
From: "Classmates . com" [classmatesemail@accounts.classmates.com]
Subject: Payroll Account Holded by Intuit
Direct Deposit Service Informer
Communicatory Only
We cancelled your payroll on Tue, 26 Feb 2013 01:27:09 +0330.
Finances would be gone away from below account # ending in 8733 on Tue, 26 Feb 2013 01:27:09 +0330
amount to be seceded: 3373 USD
Paychecks would be procrastinated to your personnel accounts on: Tue, 26 Feb 2013 01:27:09 +0330
Log In to Review Operation
Funds are typically left before working banking hours so please make sure you have enough Finances accessible by 12 a.m. on the date Cash are to be seceded.
Intuit must reject your payroll by 4 p.m. Central time, two banking days before your paycheck date or your state would not be paid on time.
QuickBooks does not process payrolls on weekends or federal banking holidays. A list of federal banking holidays can be viewed at the Federal Reserve website.
Thank you for your business.
Regards,
Intuit Payroll Services


The malicious payload is at [donotclick]forumligandaz .ru:8080/forum/links/column.php hosted on:
31.200.240.153 (Unelink Telecom, Spain)
83.169.41.58 (Host Europe, Germany)
Blocklist:
31.200.240.153
83.169.41.58 ..."
(More detail at the dynamoo URL above.)

:ph34r: <_<

Edited by AplusWebMaster, 26 February 2013 - 02:53 PM.



#888 AplusWebMaster

Posted 27 February 2013 - 01:49 PM

FYI...

Fake US Airways SPAM / berrybots .net
- http://blog.dynamoo....rrybotsnet.html
27 Feb 2013 - "... fake US Airways spam leads to malware on berrybots .net:
Date: Wed, 27 Feb 2013 08:09:36 -0500 [08:09:36 EST]
From: bursarp1 @email-usairways .com
Subject: Your US Airways trip...
> http://images.usairw...r_630px_yrs.gif
Confirmation code: B339AO
Date issued: Tuesday, February 26, 2013
Barcode
[redacted]
Scan at any US Airways kiosk to check in
Passenger summary
Passenger name
Frequent flyer # (Airline)
Ticket number
Special needs
Angel Morris 40614552582 (US) 22401837506661
Robert White 12938253579871
Fly details Download to Outlook
Depart: Philadelphia, PA (PHL) Chicago, IL (O'Hare) (ORD)...

(More detail at the dynamoo URL above.)


Picture version (click to enlarge):
> http://blog.dynamoo....rrybotsnet.html
The malicious payload is at [donotclick]berrybots .net/detects/circulation-comparatively.php (report here*) hosted on:
118.97.77.122 (PT Telkon, Jakarta)
147.91.83.31 (AMRES, Serbia)
195.88.139.78 (Neiron Systems, Ukraine)
Recommended blocklist:
118.97.77.122
147.91.83.31
195.88.139.78

greatfallsma .com
lazaro-sosa .com
yoga-thegame .net
dekolink .net
saberdelvino .net
berrybots .net ..."
* http://www.urlquery.....php?id=1168427
... Blackhole Java applet with obfuscated URL
... 147.91.83.31 Blackhole 2 Landing Page
___

Fake Invoice-themed SPAM / forumusaaa .ru
- http://blog.dynamoo....rumusaaaru.html
27 Feb 2013 - "This invoice-themed spam leads to malware on forumusaaa .ru:
Date: Thu, 28 Feb 2013 06:04:08 +0530
From: "Lisa HAGEN" [WilsonVenditti @ykm .com .tr]
Subject: Re: FW: End of Aug. Statement
Attachments: Invoice_JAN-2966.htm
Good day,
as reqeusted I give you inovices issued to you per jan. (Microsoft Internet Explorer).
Regards
Lisa HAGEN


The malware is hosted at [donotclick]forumusaaa .ru:8080/forum/links/column.php (report here*) hosted on:
31.200.240.153 (Unelink Telecom, Spain)
83.169.41.58 (Host Europe, Germany)
Blocklist:
31.200.240.153
83.169.41.58
..."
(More listed at the dynamoo URL above.)
* http://www.urlquery.....php?id=1170276
... suspicious URL pattern
... 31.200.240.153 Blackhole 2 Landing Page
___

- http://tools.cisco.c...Outbreak.x?i=77
Fake Payment Advice Notification E-mail Messages - February 27, 2013
Fake Overdue Payment Notification E-mail Messages - February 27, 2013
Fake Bank Account Update E-mail Messages - February 27, 2013
Fake Product Order E-mail Messages - February 27, 2013
Fake Product Order Quotation Attachment E-mail - February 27, 2013
Fake Wire Transfer Notification E-mail Messages - February 27, 2013
Fake Invoice Statement Attachment E-mail Messages - February 27, 2013
Fake Bank Account Statement Notification E-mail Messages - February 27, 2013
Fake Quotation Attachment E-mail Messages - February 27, 2013
(Links and more info at the cisco URL above.)

:ph34r: <_<

Edited by AplusWebMaster, 27 February 2013 - 03:22 PM.



#889 AplusWebMaster

Posted 28 February 2013 - 06:30 AM

FYI...

"Follow this link" SPAM / sidesgenealogist .org
- http://blog.dynamoo....-link-spam.html
28 Feb 2013 - "This rather terse spam appears to lead to an exploit kit on sidesgenealogist .org:
From: Josefina Underwood [mailto:hdFQe @heathrowexpress .com]
Sent: 27 February 2013 16:43
Subject: Follow this link
I have found it http ://www.eurosaudi .com/templates/beez/wps.php?v20120226
Sincerely yours,
Sara Walton


The link is to a legitimate hacked site, and in this case it attempts to bounce to [donotclick]sidesgenealogist .org/closest/c93jfi2jf92ifj39ugh2jfo3g.php but at the time of writing the malware site appears to be overloaded. However, we can find an earlier report for the same server here* that indicates an exploit kit. The malware is hosted on 188.93.210.226 (Logol.ru, Russia**). I would recommend blocking the entire 188.93.210.0/23 range to be on the safe side. These other two domains are in the same AS and are currently active:
reinstalltwomonthold .org
nephewremovalonly .org
scriptselse .org
everflowinggopayment .net "
* http://urlquery.net/....php?id=1180853
... Blackholev2 url structure detected... Multiple Exploit Kit Payload detection

** https://www.google.c...c?site=AS:49352
___

Fake "Contract" SPAM / forumny .ru
- http://blog.dynamoo....-forumnyru.html
28 Feb 2013 - "This contracts-themed spam leads to malware on forumny .ru:
Date: Thu, 28 Feb 2013 11:43:15 +0400
From: "LiveJournal.com" [do-not-reply@livejournal.com]
Subject: Fw: Contract of 09.07.2011
Attachments: Contract_Scan_IM0826.htm
Dear Sirs,
In the attached file I am forwarding you the Translation of the Loan Contract that I have just received a minute ago. I am really sorry for the delay.
Best regards,
SHERLENE DARBY, secretary


The -attachment- Contract_Scan_IM0826.htm leads to malware on [donotclick]forumny .ru:8080/forum/links/column.php (report here*) on:
31.200.240.153 (Unelink Telecom, Spain)
83.169.41.58 (Host Europe, Germany)
Blocklist:
31.200.240.153
83.169.41.58
..."
(More detail at the dynamoo URL above.)
* http://urlquery.net/....php?id=1183959
... suspicious URL pattern
... 31.200.240.153 Blackhole 2 Landing Page
___

Fake job offer
- http://blog.dynamoo....-job-offer.html
28 Feb 2013 - "This fake job offer will be some illegal activity such as money laundering or reshipping stolen goods:
Date: Thu, 28 Feb 2013 14:57:55 -0600
From: andrzej.wojnarowski@[victimdomain]
Subject: There is a vacancy of a Regional manager in USA:
If you have excellent administrative skills, working knowledge of Microsoft Office,
a keen eye for detail, well-versed in the use of social networking sites such as Twitter and Facebook,
are organized, present yourself well and are a team player with the ability to work independently,
are reliable and punctual and can understand and execute instructions are determined to work hard and succeed - we need you.
If you are interested in this job, please, send us your contact information:
Full name:
Country:
City:
E-mail:
Please email us for details: Paulette @usanewwork .com


In this case the email originated from 187.246.25.58, a Mega Cable customer in Guadalajara, Mexico. The domain is registered to an address that does not exist (there is no Pratt Avenue in Tukwila):
Sarah Shepard info @usanewwork .com
360-860-3630 fax: 360-860-3321
4478 Pratt Avenue
Tukwila WA 98168
us
The domain was only registered two days ago on 28/2/13. The nameservers ns1.stageportal .net and ns2.stageportal .net are shared by several other domains offering similar fake jobs...
IP addresses involved are:
5.135.90.19 (OVH, France)
69.169.90.62 (Big Brain Host, US)
199.96.86.139 (Microglobe LLC, US)
This job offer is best avoided unless you like prison food..."
(More detail at the dynamoo URL above.)
___

Fake BBB SPAM / forumnywrk .ru
- http://blog.dynamoo....rumnywrkru.html
28 Feb 2013 - "This fake BBB Spam leads to malware on forumnywrk .ru:
Date: Thu, 28 Feb 2013 07:29:10 -0500 [07:29:10 EST]
From: LinkedIn Password [password @linkedin .com]
Subject: Urgent information from BBB
Attn: Owner/Manager
Here with the Better Business Bureau notifies you that we have received a complaint (ID 832708632)
from one of your customers with respect to their dealership with you.
Please open the COMPLAINT REPORT below to obtain more information on this matter and let us know of your point of view as soon as possible.
We are looking forward to your prompt reply.
Regards,
VERSIE Stringer


The malicious payload is on [donotclick]forumnywrk .ru:8080/forum/links/column.php hosted on:
31.200.240.153 (Unelink Telecom, Spain)
83.169.41.58 (Host Europe, Germany)
Blocklist:
83.169.41.58
31.200.240.153
..."
(More detail at the dynamoo URL above.)

:ph34r: <_<

Edited by AplusWebMaster, 28 February 2013 - 10:19 PM.



#890 AplusWebMaster

Posted 01 March 2013 - 09:47 AM

FYI...

Casino-themed Blackhole sites
- http://blog.dynamoo....hole-sites.html
1 March 2013 - "Here's a couple of URLs that look suspiciously like a BlackHole Exploit kit, hosted on 130.185.105.74:
[donotclick]888casino-luckystar .net/discussing/sizes_agreed.php
[donotclick]555slotsportal .org/discussing/alternative_distance.php
[donotclick]555slotsportal .net/shrift.php
[donotclick]555slotsportal .net/discussing/alternative_distance.php
[donotclick]555slotsportal .me/discussing/alternative_distance.php
[donotclick]sexstreamsmatez .biz/discussing/alternative_distance.php
You can find a sample report here*... there's nothing of value here and these sites are probably malicious and should be blocked. You might want to consider blocking 130.185.105.0/24 too..."
(More detail at the dynamoo URL above.)
* http://urlquery.net/....php?id=1199381
... Detected BlackHole v2.0 exploit kit URL pattern

:ph34r: :ph34r: <_<



#891 AplusWebMaster

Posted 04 March 2013 - 11:07 AM

FYI...

Fake Delta Airlines SPAM / inanimateweaknesses .net and complainpaywall .net
- http://blog.dynamoo....weaknesses.html
4 March 2013 - "This fake Delta Airlines spam leads to malware on inanimateweaknesses .net and complainpaywall .net:
From: DELTA CONFIRMATION [mailto:cggQozvOc @sutaffu .co.jp]
Sent: 04 March 2013 14:27
Subject: Your Receipt and Itinerary
Thank you for choosing Delta. We encourage you to review this information before your trip.
If you need to contact Delta or check on your flight information, go to delta.com/itineraries
Now, managing your travel plans just got easier. You can exchange, reissue and refund electronic tickets at delta .com/itineraries.
Take control and make changes to your itineraries at delta.com/itineraries.
Speed through the airport. Check-in online for your flight.
Check-in
Flight Information
DELTA CONFIRMATION #: D0514B3
TICKET #: 00920195845933
Bkng Meals/ Seat/
Day Date Flight Status Class City Time Other Cabin
--- ----- --------------- ------ ----- ------------
Mon 11MAR DELTA 372 OK H LV NYC-KENNEDY 820P F 19C
AR SAN FRANCISCO 8211P COACH
Fri 15MAR DELTA 1721 OK H LV LOS ANGELES 1145P V 29A
AR NYC-KENNEDY 812A# COACH
Check your flight information online at delta.com/itineraries


The email contains several links to different hacked sites, which then forward to [donotclick]inanimateweaknesses .net/closest/c93jfi2jf92ifj39ugh2jfo3g.php (report here*) or [donotclick]complainpaywall .net/closest/c93jfi2jf92ifj39ugh2jfo3g.php (report here**) both of which are hosted on 188.93.211.156 (Logol.ru, Russia). In my opinion 188.93.210.0/23 is a bit of a sewer and should be blocked if you can, as there are probably many other malicious sites nearby.
Of note is that the links in the email only seem to work with a correct referrer and user agent. If those are not set, then you will not end up at the malware page."
* http://urlquery.net/....php?id=1246850
... Detected BlackHole v2.0 exploit kit URL pattern ... Detected live BlackHole v2.0 exploit kit
** http://urlquery.net/....php?id=1246854
... Detected BlackHole v2.0 exploit kit URL pattern ... Detected live BlackHole v2.0 exploit kit
___

Fake eFax SPAM / forumla .ru
- http://blog.dynamoo....-forumlaru.html
4 Mar 2013 - "This fake eFax spam leads to malware on forumla .ru:
Date: Mon, 4 Mar 2013 08:53:20 +0300
From: LinkedIn [welcome@linkedin.com]
Subject: Efax Corporate
Attachments: Efax_Corporate.htm
Fax Message [Caller-ID: 646370000]
You have received a 57 pages fax at Mon, 4 Mar 2013 08:53:20 +0300, (213)-406-0113.
* The reference number for this fax is [eFAX-336705661].
View attached fax using your Internet Browser.
© 2013 j2 Global Communications, Inc. All rights reserved.
eFax ® is a registered trademark of j2 Global Communications, Inc.
This account is subject to the terms listed in the eFax ® Customer Agreement.


The malicious payload is at [donotclick]forumla .ru:8080/forum/links/column.php (report here*) hosted on 210.71.250.131 (Chungwa Telecom, Taiwan). These other sites are also visible on the same IP:
foruminanki .ru
ny-news-forum .ru
forumilllionois .ru
forum-ny .ru
forumny .ru
forumla .ru"
* http://urlquery.net/....php?id=1247054
... Detected suspicious URL pattern... Detected live BlackHole v2.0 exploit kit
___

Fake dealerbid .co.uk SPAM
- http://blog.dynamoo....dcouk-spam.html
4 March 2013 - "This -spam- uses an email address ONLY used to sign up for dealerbid .co.uk
From: HM Revenue & Customs [enroll @hmrc .gov.uk]
Date: 4 March 2013 13:37
Subject: HMRC Tax Refund ID: 3976244
Dear Taxpayer,
After the last annual calculations of your fiscal activity we have discovered that you are eligible to receive a tax refund of 377.50 GBP. Kindly complete the tax refund request and allow 2-3 working days to process it.
A refund can be delayed for a variety of reasons. For example submitting invalid records or applying after the deadline. Please click on the attached file in order to access the form for your tax refund.
Currently we are only able to process tax refunds through "LloydsTSB". Alternatively, you can wait for the next few weeks to apply for a full refund through additional financial institutions(Banks).
Kind regards,
Paul McWeeney
Head of Consumer Sales and Service


The email got horribly mangled on the way and luckily whatever payload came with it is buggered. Of interest though, the email originates from 78.136.27.79 which is home to the following websites:
everybodyonline .co.uk
uk-car-discount .co.uk
The email address has been -stolen- from one UK motoring related site, and the spam sent through the hacked server of another UK motoring site. That's a peculiar coincidence, although I do not believe that those site operators are responsible for this spam run. It looks like I am not the only person to notice this same problem*..."
* http://www.reviewcen...-review_1884815
___

Fake Justin Bieber social media claims
- http://www.hoax-slay...rash-hoax.shtml
March 4, 2013 - "Outline: Message circulating via social media claims that popular young singing star Justin Bieber has died in a car accident...
> http://www.hoax-slay...-crash-hoax.jpg
... Many of these false death rumours originate from several tasteless "prank" websites that allow users to create fake news stories detailing the supposed death of various celebrities. Users can generally pick from several "news" templates, add the name of their chosen celebrity and then attempt to fool their friends by sharing the -bogus- story..."
___

Fake Facebook email/SPAM 'Violation of Terms' - Phishing Scam
- http://www.hoax-slay...hing-scam.shtml
March 4, 2013 - "Outline: Inbox message purporting to be from "Mark Zurckerberg" claims that the user's Facebook Page has violated the Facebook Terms of Service and may be permanently deleted unless the account is verified by clicking a link in the message... There have been a number of variations of these Facebook account phishing scams distributed in recent years. If you receive any message that claims that your Facebook account may be disabled or deleted if you do not verify account details, do not click on any links or attachments that it may contain. It is always safest to login to your Facebook account - and other online accounts - by entering the address into your browser's address bar rather than by following a link."

:ph34r: <_< :ph34r:

Edited by AplusWebMaster, 04 March 2013 - 01:43 PM.



#892 AplusWebMaster

Posted 05 March 2013 - 06:01 AM

FYI...

New Java exploits centered exploit kit
- http://blog.webroot....ed-exploit-kit/
March 5, 2013 - "... its current version is entirely based on Java exploits (CVE-2012-1723 and CVE-2013-0431), naturally, with “more exploits to be introduced any time soon”... More details:
Sample screenshot of the statistics page of the newly released Web malware exploitation kit:
> https://webrootblog....stics_loads.png
The majority of affected users are U.S.-based hosts, and the majority of infected operating systems are Windows NT 6.1, followed by Windows XP... according to the cybercriminals pitching the kit, they’ve also managed to infect some Mac OS X hosts... competing Web malware exploitation kits tend to exploit a much more diversified set of client-side vulnerabilities, consequently, achieving higher exploitation rates... In the wake of two recently announced Java zero day vulnerabilities, users are advised to disable Java, as well as to ensure that they’re not running any outdated versions of their third-party software and browser plugins."

- http://seclists.org/...ure/2013/Mar/38
4 Mar 2013 - "... 5 -new- security issues were discovered in Java SE 7..."
___

Fake British Airways SPAM / forum-la .ru
- http://blog.dynamoo....eipts-spam.html
4 March 2013 - "This fake British Airways spam leads to malware on forum-la .ru:
From: LiveJournal.com [do-not-reply @livejournal .com]
Date: 4 March 2013 12:17
Subject: British Airways E-ticket receipts
e-ticket receipt
Booking reference: 9AZ3049885
Dear,
Thank you for booking with British Airways.
Ticket Type: e-ticket
This is your e-ticket receipt. Your ticket is held in our systems, you will not receive a paper ticket for your booking.
Your itinerary is attached (Internet Exlplorer/Mozilla Firefox file)
Yours sincerely,
British Airways Customer Services
British Airways may monitor email traffic data and also the content of emails, where permitted by law, for the purposes of security and staff training and in order to prevent or detect unauthorised use of the British Airways email system.
British Airways Plc is a public limited company registered in England and Wales. Registered number: 79805156. Registered office: Waterside, PO Box 365, Harmondsworth, West Drayton, Middlesex, England, UB7 0GB.
How to contact us
Although we are unable to respond to individual replies to this email we have a comprehensive section that may help you if you have a question about your booking or travelling with British Airways.
If you require further assistance you may contact us
If you have received this email in error
This is a confidential email intended only for the British Airways Customer appearing as the addressee. If you are not the intended recipient please delete this email and inform the snder as soon as possible. Please note that any copying, distribution or other action taken or omitted to be taken in reliance upon it is prohibited and may be unlawful.


The email has an attachment named E-Ticket-N93892PK.htm which attempts to direct the victim to a malware page at [donotclick]forum-la .ru:8080/forum/links/column.php (report here*) hosted on:
198.104.62.49 (NTT America, US)
210.71.250.131 (Chungwa Telecom, Taiwan)
Blocklist:
198.104.62.49
210.71.250.131

forumla .ru
forumny .ru
forum-la .ru
foruminanki .ru
ny-news-forum .ru
forumilllionois .ru
forum-ny .ru ..."
* http://www.urlquery.....php?id=1251838
... Detected suspicious URL pattern
___

iFrame injections drive traffic to Blackhole exploit kit
- http://nakedsecurity...le-exploit-kit/
March 5, 2013 - "... recent attacks against legitimate websites that are being used to drive unsuspecting user traffic to the Blackhole exploit sites. JavaScript libraries on the legitimate websites are prepended with code... SophosLabs has seen huge volumes of legitimate sites being compromised in this way in recent weeks. In fact, Mal/Iframe-AL has been the most prevalent web threat detected on customer endpoints and web appliances for the past few weeks, accounting for almost 30% of all detected web threats! If we correlate our malicious URL data against the Alexa top million site data, you can see that these Mal/Iframe-AL injections account for almost two-thirds of all popular sites... have been compromised in some way over the past week.
> https://sophosnews.f...alexa.png?w=640
... Looking at data collected over the past 14 days (Feb 18th - March 4th 2013), I started off by looking at the host ISPs for the compromised web sites. As you can see below, a good spread of ISPs have been hit (368 in total), with 18 of them accounting for approximately half of all infected sites.
> https://sophosnews.f..._isps.png?w=640
Looking at the countries hosting the affected web servers shows the expected spread, somewhat reflective of where hosting providers are based.
> https://sophosnews.f...untry.png?w=640
If we take a look at the web server platform, the compromised sites are almost exclusively running Apache. This is in contrast to the 60% or so we would expect* if the attacks were agnostic to the platform.
> https://sophosnews.f...tform.png?w=640
Most of these servers are running CentOS (then Debian then Ubuntu). This last piece of data gives us some clues as to how these attacks are happening. Could it be a rogue Apache module being used to inject the redirect into content as it is delivered from the server? There have been several other recent attacks doing this. Digging around it appears that this is indeed the root cause. The folks over at Sucuri** managed to get hold of the rogue module that was used on one such victim server.
Administrators or owners of sites that have been affected by these attacks should therefore check their Apache configuration as a matter of urgency and look out for unexpected modules being loaded..."
* http://news.netcraft...ver-survey.html

** http://blog.sucuri.n...he-modules.html
___

Something evil on 5.9.196.3 and 5.9.196.6
- http://blog.dynamoo....and-591966.html
5 March 2013 - "Two IPs in the 5.9.196.0/28 block that you probably want to avoid are 5.9.196.3 and 5.9.196.6. The first of these IPs is being used in an injection attack (in this case via [donotclick]frasselt-kalorama .nl/relay.php) leading to two identified malware landing pages:
[donotclick]kisielius.surfwing .me/world/explode_conscious-scandal.jar (report here*)
[donotclick]alkalichlorideasenteeseen.oyunhan .net/world/romance-apparatus_clinical_repay.php (report here**)
Domains visible on 5.9.196.3 include:
alkalichlorideasenteeseen.oyunhan .net
kisielius.surfwing .me
dificilmentekvelijitten.surfwing .me
kisielius.surfwing .me
befool-immatriculation.nanovit .me
locoburgemeester.toys2bsold .com
ratiocination-wselig.smithsisters .us
A few IPs along is 5.9.196.6 which hosts the following domain that also looks highly suspect:
inspegrafstatkakukano.creatinaweb .com
Blocking these domains completely is probably a good idea:
oyunhan .net
surfwing .me
nanovit .me
toys2bsold .com
smithsisters .us
creatinaweb .com
5.9.196.0/28 is a Hetzner IP*** ... I haven't seen anything of value in this /28, blocking it may be prudent."
* http://www.urlquery.....php?id=1248746
... Zip archive data
** http://www.urlquery.....php?id=1265212
... Adobe PDF Memory Corruption
*** https://www.google.c...c?site=AS:24940
"... over the past 90 days, 6823 site(s)... served content that resulted in malicious software being downloaded and installed without user consent. The last time Google tested a site on this network was on 2013-03-04, and the last time suspicious content was found was on 2013-03-04..."
___

Fake HP printer SPAM / giliaonso .ru
- http://blog.dynamoo....anjet-spam.html
5 Mar 2013 - "This fake HP printer spam leads to malware on giliaonso .ru:
Date: Tue, 5 Mar 2013 12:53:40 +0500
From: "Classmates . com" [classmatesemail @accounts.classmates .com]
Subject: Fwd: Re: Scan from a Hewlett-Packard ScanJet #161051
Attachments: HP_Scan.htm
Attached document was scanned and sent
to you using a HP A-16292P.
SENT BY : Landon
PAGES : 6
FILETYPE: .HTML [INTERNET EXPLORER/MOZILLA FIREFOX]


The attachment leads to malware on [donotclick]giliaonso .ru:8080/forum/links/column.php (report here*) hosted on the following IPs:
46.4.77.145 (Hetzner, Germany)
198.104.62.49 (NTT America, US)
210.71.250.131 (Chungwa Telecom, Taiwan)
Blocklist:
46.4.77.145
198.104.62.49
210.71.250.131
..."
* http://urlquery.net/....php?id=1266289
... Detected suspicious URL pattern... Blackhole 2 Landing Page 210.71.250.131
___

Fake Sendspace SPAM / forumkianko .ru
- http://blog.dynamoo....umkiankoru.html
5 Mar 2013 - "This fake Sendspace spam leads to malware on forumkianko .ru:
Date: Tue, 5 Mar 2013 06:52:10 +0100
From: AyanaLinney@ [redacted]
Subject: You have been sent a file (Filename: [redacted]-51153.pdf)
Sendspace File Delivery Notification:
You've got a file called [redacted]-01271.pdf, (797.4 KB) waiting to be downloaded at sendspace.(It was sent by DEON VANG).
You can use the following link to retrieve your file:
Download Link
The file may be available for a limited time only.
Thank you,
sendspace - The best free file sharing service.
Please do not reply to this email. This auto-mailbox is not monitored and you will not receive a response.


The malicious payload is at [donotclick]forumkianko .ru:8080/forum/links/column.php (report here*) hosted on:
46.4.77.145 (Hetzner, Germany***)
198.104.62.49 (NTT America, US)
210.71.250.131 (Chungwa Telecom, Taiwan)
These IPs are the same as used in this attack**..."
* http://urlquery.net/....php?id=1267580
... Detected suspicious URL pattern... Blackhole 2 Landing Page 46.4.77.145
** http://blog.dynamoo....anjet-spam.html

*** https://www.google.c...c?site=AS:24940

:ph34r: <_<

Edited by AplusWebMaster, 05 March 2013 - 10:44 AM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.


#893 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • Authentic Member
  • PipPipPipPipPipPipPip
  • 10,472 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted 06 March 2013 - 11:11 AM

FYI...

Fake BT SPAM / ginagion .ru
- http://blog.dynamoo....ginagionru.html
6 March 2013 - "This fake BT spam leads to malware on ginagion .ru:
From: Bebo Service [mailto:service=noreply.bebo .com@bebo .com] On Behalf Of Bebo Service
Sent: 05 March 2013 21:22
Subject: BT Business Direct Order
Notice of delivery
Hi,
We're pleased to confirm that we have now accepted and despatched your order on Wed, 6 Mar 2013 03:21:30 +0600.
Unless you chose a next day or other premium delivery service option, then in most cases your order will arrive within 1-3 days. If we despatched your order via Letterpost, it may take a little longer.
***Please note that your order may have shipped in separate boxes and this means that separate consignment numbers may be applicable***
We've despatched...
..using the attached shipment details...
Courier Ref Carriage method
Royal Mail FM320725534 1-3 Days
Please note that you will only be able to use this tracking reference once the courier has scanned the parcel into their depot. Please allow 24 hours from the date of this email before tracking your parcel online.
For information on how track your delivery, please follow to attached file.
Important information for Yodel deliveries:
If your consignment number starts with 3S3996956 your delivery will require a signature. If there is no-one at the delivery address to sign for the goods a card will be left containing the contact details of the courier so that you can re-arrange delivery or arrange a collection.


The malicious payload is at [donotclick]ginagion .ru:8080/forum/links/column.php ... hosted on:
41.72.150.100 (Hetzner, South Africa)
117.104.150.170 (NTT, Japan)
212.180.176.4 (Supermedia, Poland)
Blocklist:
41.72.150.100
117.104.150.170
212.180.176.4

..."
___

Pizza SPAM / gimalayad .ru
- http://blog.dynamoo....imalayadru.html
6 Mar 2013 - "... This spam actually leads to malware on gimalayad .ru:
Date: Wed, 6 Mar 2013 12:22:04 +0330
From: Tagged [Tagged @taggedmail .com]
Subject: Fwd: Order confirmation
You’ve just ordered pizza from our site
Pizza Ultimate Cheese Lover's with extras:
Drinks
- Grolsch x 6
- 7up x 3
- Budweiser x 4
- Carling x 2...
If you haven’t made the order and it’s a fraud case, please follow the link and cancel the order.
CANCEL ORDER NOW!
If you don’t do that shortly, the order will be confirmed and delivered to you...
Total Charge: 232.33$
========
Date: Wed, 6 Mar 2013 09:16:56 +0100
From: "Xanga" [noreply @xanga .com]
Subject: Re: Fwd: Order confirmation
You’ve just ordered pizza from our site
Pizza Ultimate Cheese Lover's with extras:
- Beef
- Pepperoni...
- Extra Sauce
Pizza Italian Trio with extras:
- Beef
- Black Olives...
Drinks
- Simply Orange x 4
- Fanta x 2
- 7up x 2
- Heineken x 2
- Lift x 5
- Pepsi x 4
- Budweiser x 4
Total Charge: 242.67$
If you haven’t made the order and it’s a fraud case, please follow the link and cancel the order.
CANCEL ORDER NOW!
If you don’t do that shortly, the order will be confirmed and delivered to you.
With Respect
PIERO`s Pizzeria


The malicious payload is at [donotclick]gimalayad .ru:8080/forum/links/column.php (report here*) hosted on the same IPs used in this attack:
41.72.150.100 (Hetzner, South Africa)
117.104.150.170 (NTT, Japan)
212.180.176.4 (Supermedia, Poland)
Blocklist:
41.72.150.100
117.104.150.170
212.180.176.4
..."
* http://www.urlquery.....php?id=1289205
... Detected suspicious URL pattern... Blackhole 2 Landing Page 212.180.176.4
___

Fake inTuit email
- http://security.intu.../alert.php?a=76
3/06/13 - "People are receiving fake emails with the title 'Please respond - overdue payment.' These mails are coming from auto-invoice @quickbooks .com, which is -not- a legitimate email address. Below is a copy of the email... The email does not contain a link; however, the email has a .zip attachment that contains malware. Do not open the .zip file.

Please find attached your invoices for the past months. Remit the payment by 02/25/2013 as outlines under our "Payment Terms" agreement.
Thank you for your business,
Sincerely,
Earline Robles


This is the end of the fake email.
Steps to Take Now:
- Do -not- open the attachment in the email...
- Delete the email..."
___

- http://tools.cisco.c...Outbreak.x?i=77
Malicious Attachment E-mail Messages - March 06, 2013
Fake Unpaid Debt Invoice E-mail Messages - March 06, 2013
Fake Overdue Payment Notification E-mail Messages - March 06, 2013
Fake Employee Document Sharing Notification E-mail - March 06, 2013
Fake Money Transfer Notification E-mail Messages - March 06, 2013
Fake UPS Payment Document Attachment E-mail Messages - March 06, 2013
(Links and more info at the cisco URL above.)

:ph34r: <_<

Edited by AplusWebMaster, 07 March 2013 - 09:46 AM.



#894 AplusWebMaster

Posted 07 March 2013 - 08:24 AM

FYI...

Fake BBB SPAM / alteshotel .net and bbb-accredited .net
- http://blog.dynamoo....et-and-bbb.html
7 Mar 2013 - "This fake BBB spam leads to malware on alteshotel .net and bbb-accredited .net:
Date: Thu, 7 Mar 2013 06:23:12 -0700
From: "Better Business Bureau Warnings" [hurriese3 @bbb .com]
Subject: BBB details regarding your claim No.
Sorry, your e-mail does not support HTML format. Your messages can be viewed in your browser
Better Business Bureau ©
Start With Trust ©
Thu, 6 March 2013
Your Accreditation Suspended
[redacted]
The Better Business Bureau has been temporary Aborted Your Accreditation
A number of latest complains on you / your company motivated us to temporal Abort your accreditation with Better Business Beaureau. The details of the our decision are available for review at a link below. Please pay attention to this issue and inform us about your glance as soon as possible.
We graciously ask you to overview the TERMINATION REPORT to meet on this claim
-We awaits to your prompt rebound- .
If you think you got this email by mistake - please forward this message to your principal or accountant
Yours respectfully
Hunter Ross
Dispute Advisor
Better Business Bureau
Better Business Bureau
3053 Wilson Blvd, Suite 600 Arlington, VA 25501
Phone: 1 (703) 276.0100 Fax: 1 (703) 525.8277
This information was sent to [redacted]. Don't want to receive these emails anymore? You can unsubscribe
========
Date: Thu, 7 Mar 2013 21:19:18 +0800
From: "Better Business Bureau Warnings" [prettifyingde7 @transfers.americanpayroll .org]
Subject: BBB details about your pretense No.
Sorry, your e-mail does not support HTML format. Your messages can be viewed in your browser
Better Business Bureau ©
Start With Trust ©
Thu, 6 March 2013
Your Accreditation Suspended
[redacted]
The Better Business Bureau has been temporary Aborted Your Accreditation
A number of latest complains on you / your company motivated us to transient Cancell your accreditation with Better Business Beaureau. The details of the our decision are available visiting a link below. Please pay attention to this question and notify us about your belief as soon as possible.
We graciously ask you to visit the ABUSE REPORT to answer on this appeal
- We awaits to your prompt answer. -
If you think you got this email by mistake - please forward this message to your principal or accountant
Faithfully yours
Benjamin Cox
Dispute Councilor
Better Business Bureau
Better Business Bureau
3053 Wilson Blvd, Suite 600 Arlington, VA 24401
Phone: 1 (703) 276.0100 Fax: 1 (703) 525.8277
This letter was sent to [redacted]. Don't want to receive these emails anymore? You can unsubscribe


One potentially malicious payload is at [donotclick]alteshotel .net/detects/review_complain.php (looks like it might be broken - report here*) hosted on:
69.43.161.176 (Parked at Castle Access Inc, US)
The other is at [donotclick]bbb-accredited .net/kill/enjoy-laws-partially-unwanted.php (definitely malicious - report here**) hosted on:
64.207.236.198 (EasyTEL, US)
142.11.195.204 (Hostwinds LLC, US)
149.154.68.214 (TheFirst.RU, Russia) ...
Recommended blocklist:
64.207.236.198
142.11.195.204
149.154.68.214
..."
(More detail at the dynamoo URL above.)
* http://urlquery.net/....php?id=1302657

** http://urlquery.net/....php?id=1302670
... Detected live BlackHole v2.0 exploit kit
___

Malware sites to block 7/3/13
- http://blog.dynamoo....block-7313.html
7 March 2013 - "Some Cridex-based nastiness here. These are the malicious domains that I can find on the IPs mentioned, alternatively you can just block:
173.246.102.2 (Gandi, US)
173.255.215.242 (Linode, US)
64.13.172.42 (Silicon Valley Colocation, US)
Blocklist:
173.246.102.2
173.255.215.242
64.13.172.42
..."
(Long list at the dynamoo URL above.)

:ph34r: <_<

Edited by AplusWebMaster, 07 March 2013 - 10:37 AM.



#895 AplusWebMaster

Posted 08 March 2013 - 08:05 AM

FYI...

Fake Adobe CS4 SPAM / guuderia .ru
- http://blog.dynamoo....guuderiaru.html
8 March 2013 - "This fake Adobe spam leads to malware on guuderia .ru:
From: messages-noreply@bounce .linkedin .com [mailto:messages-noreply@bounce .linkedin .com] On Behalf Of Donnie Cherry via LinkedIn
Sent: 07 March 2013 12:39
Subject: Order N40898
Good afternoon,
You can download your Adobe CS4 License here -
We encourage you to explore its new and enhanced capabilities with these helpful tips, tutorials, and eSeminars.
Thank you for buying Adobe InDesign CS4 software.
Adobe Systems Incorporated


The malicious payload is at [donotclick]guuderia .ru:8080/forum/links/column.php (report here*) hosted on:
41.72.150.100 (Hetzner, South Africa)
212.180.176.4 (Supermedia, Poland)
Blocklist:
41.72.150.100
212.180.176.4

..."
* http://urlquery.net/....php?id=1318046
... Detected suspicious URL pattern... Blackhole 2 Landing Page 212.180.176.4
___

Fake IRS SPAM / gimilako .ru
- http://blog.dynamoo....s-declined.html
8 March 2013 - "The following fake IRS spam leads to malware on gimilako .ru:
From: Myspace [mailto:noreply@message .myspace .com]
Sent: 07 March 2013 20:55
Subject: Your tax return appeal is declined.
Dear Chief Account Officer,
Hereby you are notified that your Income Tax Refund Appeal id#9518045 has been REJECTED. If you believe the IRS did not properly estimate your case due to a misunderstanding of the facts, be prepared to provide additional information. You can obtain the rejection details and re-submit your appeal by using the instructions in the attachment.
Internal Revenue Service
Telephone Assistance for Businesses:
Toll-Free, 1-800-829-4933
Hours of Operation: Monday Friday, 7:00 a.m. 7:00 p.m. your local time (Alaska & Hawaii follow Pacific Time).


The malicious payload is at [donotclick]gimilako .ru:8080/forum/links/column.php (reported here*) hosted on:
41.72.150.100 (Hetzner, South Africa)
89.107.184.167 (WebhostOne, Germany)
212.180.176.4 (Supermedia, Poland)
Blocklist:
41.72.150.100
89.107.184.167
212.180.176.4

..."
* http://urlquery.net/....php?id=1321924
... Detected suspicious URL pattern... Blackhole 2 Landing Page 89.107.184.167
___

Fake LinkedIn SPAM / giminalso .ru
- http://blog.dynamoo....iminalsoru.html
8 March 2013 - "This fake LinkedIn spam leads to malware on giminalso .ru:
From: messages-noreply@bounce. linkedin .com [mailto:messages-noreply@bounce .linkedin .com] On Behalf Of LinkedIn Password
Sent: 08 March 2013 10:24
Subject: Aylin is now part of your network. Keep connecting...
[redacted], Congratulations!
You and Aylin are now connected.
Aylin Welsh
Tajikistan
2012, LinkedIn Corporation


The malicious payload is at [donotclick]giminalso .ru:8080/forum/links/column.php (report here*) hosted on the same IPs as in this other attack** today:
41.72.150.100 (Hetzner, South Africa)
89.107.184.167 (WebhostOne, Germany)
212.180.176.4 (Supermedia, Poland)"
* http://urlquery.net/....php?id=1322125
... Detected suspicious URL pattern... Blackhole 2 Landing Page 41.72.150.100
** http://blog.dynamoo....s-declined.html
___

Fake AT&T spam (again)
- http://blog.dynamoo....spam-again.html
8 Mar 2013 - "This fake AT&T spam leads to malware on.. well, in this case nothing at all.
Date: Fri, 8 Mar 2013 10:37:24 -0500 [10:37:24 EST]
From: AT&T Customer Care [icare7@amcustomercare .att-mail .com]
Subject: Your AT&T wireless bill is ready to view
att.com | Support | My AT&T Account Rethink Possible
Your wireless bill is ready to view
Dear Customer,
Your monthly wireless bill for your account is now available online.
Total Balance Due: -$1695.64-
Log in to myAT&T to view your bill and make a payment. Or register now to manage your account online. By dialing *PAY (*729) from your wireless phone, you can check your balance or make a payment - it's free.
Smartphone users: download the free app to manage your account anywhere, anytime.
Thank you,
AT&T Online Services ...


> https://lh3.ggpht.co.../att-bill-2.png

In this case the link goes to a redirector page at [donotclick]vtcrm.update .se/eben/index.html hosted 62.109.34.50 in Sweden. It looks like someone has speedily removed the redirector page so I can't tell you much about the malicious landing page. Kudos to Ilait AB or whoever fixed the problem!"
___

RU:8080 and Amerika SPAM runs
- http://blog.dynamoo....-spam-runs.html
8 March 2013 - "For about the past year I have seen two very persistent spam runs leading to malware, typically themed along the lines of fake emails from the BBB, LinkedIn, NACHA, USPS and ADP. The most obvious characteristic of one of the spam runs is the use of a malware landing page containing .ru:8080, registered through NAUNET to the infamous "private person". In order to aid researchers, I have labelled this series as RU:8080*. You can see some current nastiness in action at Malware Must Die**. But there's a second spam run as well, which appears to be similarly themed but using different servers. In this case, the domains registered are typically .net, .org and .com emails (with .pro and .biz used from time to time). These domains are registered with fake names and addresses purporting to be in the US, but indicators show that this spam may well originate from within Russia. I've labelled this series as Amerika***... The Amerika spam run is a little harder to identify, so there may be some errors in it. I don't have any deep insight into either spam run or the payloads they deliver, but if you are interested in looking more deeply at the patterns then hopefully this will be of some use!"
* http://blog.dynamoo....h/label/RU:8080

** http://malwaremustdi...hat-do-you.html
March 5, 2013

*** http://blog.dynamoo....h/label/Amerika
___

- http://tools.cisco.c...Outbreak.x?i=77
Fake Electronic Payment Cancellation E-mail Messages - 2013 Mar 08
Fake Business Complaint E-mail Messages - 2013 Mar 08
Fake Italian Online Dating Request E-mail Messages - 2013 Mar 08
Fake Portuguese Payment Invoice E-mail Messages - 2013 Mar 08
Fake Portuguese Banking Service Notification E-mail Messages - 2013 Mar 08
(Links and more detail at the cisco URL above.)

:ph34r: <_<

Edited by AplusWebMaster, 09 March 2013 - 01:02 PM.

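The RU:8080 characteristic described in the dynamoo post above (a .ru host, an explicit port 8080 and the /forum/links/column.php landing path that every sample in this thread shares) is easy to turn into a proxy-log check. The block below is an added example, not code from the blog or from this thread; the squid-style access-log lines are constructed for it, reusing hosts and IPs quoted in the posts.

```python
"""
Flag proxy-log requests that match the "RU:8080" landing-page pattern:
a .ru host, an explicit port 8080 and the /forum/links/column.php path.
Added example, not code from the dynamoo blog or this thread.  The log
lines are constructed for the example (squid access.log field layout).
"""
from urllib.parse import urlsplit

# Landing-page path seen in every RU:8080 sample quoted in the thread.
RU8080_PATH = "/forum/links/column.php"

# Constructed squid-style access log: timestamp, elapsed ms, client IP,
# result code, bytes, method, URL, user, hierarchy/peer IP, content type.
SAMPLE_LOG = """\
1362485620.123 45 10.0.0.12 TCP_MISS/200 512 GET http://giliaonso.ru:8080/forum/links/column.php - DIRECT/46.4.77.145 text/html
1362485630.456 12 10.0.0.15 TCP_MISS/200 8801 GET http://forum.example.ru/forum/links/column.php - DIRECT/198.51.100.7 text/html
1362485640.789 30 10.0.0.12 TCP_MISS/200 4100 GET http://news.example.org:8080/index.html - DIRECT/203.0.113.9 text/html
1362485650.001 22 10.0.0.20 TCP_MISS/200 700 GET http://forumkianko.ru:8080/forum/links/column.php?ref=1 - DIRECT/210.71.250.131 text/html
1362485660.002 22 10.0.0.21 TCP_MISS/200 900 GET http://gimalayad.RU:8080/forum/links/column.php - DIRECT/212.180.176.4 text/html
"""


def is_ru8080_landing(url: str) -> bool:
    """True when the URL has a .ru host, explicit port 8080 and the landing path.

    The port must be explicit: a plain http://host.ru/forum/links/column.php
    (port 80) is not part of the pattern the post describes.
    """
    try:
        parts = urlsplit(url)
        port = parts.port          # None when no port is given, ValueError if junk
    except ValueError:
        return False
    host = parts.hostname or ""    # .hostname is already lower-cased
    return host.endswith(".ru") and port == 8080 and parts.path == RU8080_PATH


def scan_proxy_log(text: str) -> list:
    """Return (client_ip, landing_host, server_ip) for every matching request."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 9:          # malformed or truncated line
            continue
        client, url, peer = fields[2], fields[6], fields[8]
        if not is_ru8080_landing(url):
            continue
        # peer looks like DIRECT/46.4.77.145; keep the IP the proxy actually reached
        server_ip = peer.split("/", 1)[1] if "/" in peer else ""
        hits.append((client, urlsplit(url).hostname, server_ip))
    return hits


def blocklist_from_hits(hits) -> tuple:
    """Collapse hits into the host and IP blocklists the posts publish."""
    hosts = sorted({host for _, host, _ in hits})
    ips = sorted({ip for _, _, ip in hits if ip})
    return hosts, ips


if __name__ == "__main__":
    found = scan_proxy_log(SAMPLE_LOG)
    for client, host, ip in found:
        print(f"{client} -> {host} (served from {ip})")
    hosts, ips = blocklist_from_hits(found)
    print("Blocklist hosts:", *hosts)
    print("Blocklist IPs:", *ips)
```

The client IPs in the hits are the internal machines that fetched a landing page and therefore need a look; the host/IP lists are what you would feed a proxy deny rule.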



#896 AplusWebMaster

Posted 11 March 2013 - 11:50 AM

FYI...

Something evil on 37.59.214.0/28
- http://blog.dynamoo....3759214028.html
11 March 2013 - "37.59.214.0/28 is an OVH IP range* suballocated to a person called Sidharth Shah in Maryland (more of whom later). At the moment it is hosting a number of malware sites with a hard-to-determine payload such as [donotclick]55voolith .info:89/forum/had.php which is evading automated analysis**. The owner of this block is as follows:
Malware is hosted on 37.59.214.0, 37.59.214.1 and 37.59.214.0. There do not appear to be any legitimate sites in this range. Google has already flagged some of these as malicious (marked in red), so you can safely assume that they are all malicious..."
(List at the dynamoo URL above.)
* http://urlquery.net/....php?id=1368280

AS16276 (OVH)
* https://www.google.c...c?site=AS:16276
"... over the past 90 days, 6134 site(s)... served content that resulted in malicious software being downloaded and installed without user consent. The last time Google tested a site on this network was on 2013-03-11, and the last time suspicious content was found was on 2013-03-11... Over the past 90 days, we found 911 site(s) on this network... that appeared to function as intermediaries for the infection of 2222 other site(s)... We found 1665 site(s)... that infected 8762 other site(s)..."
___

Something evil on 176.31.140.64/28
- http://blog.dynamoo....6311406428.html
11 March 2013 - "176.31.140.64/28 is an OVH block suballocated to Sidharth Shah (mentioned in this earlier post)*. It contains a small number of malicious domains flagged by Google (in red); most of the rest of the sites have a very poor WOT rating (in yellow). I'll post more details later. You can safely assume that everything in this block is malicious, and I note that some of the domains are refugees from this malware site.
Malware is hosted on 176.31.140.64, 176.31.140.65, 176.31.140.66 and 176.31.140.67. There appear to be no legitimate sites in this block..."
(List at the dynamoo URL above.)
* http://blog.dynamoo....3759214028.html
___

Sidharth Shah / OVH / itechline .com
- http://blog.dynamoo....echlinecom.html
11 March 2013 - "I have now come across several incidents of malware hosted in an OVH IP address range suballocated to Sidharth Shah. The blocks that I can identify so far are:

These IPs are mostly malware or fake goods. Legitimate sites seem to be nonexistent, although these IP ranges have hosted legitimate sites in the past. I would personally recommend blocking them all, but if you want to see a fuller analysis of WOT ratings and Google Safe Browsing diagnostics see here*...
The email address sidharth134 @gmail .com is also associated with itechline .com which is a company with an unenviable F rating from the BBB, who list the principal as being Sidharth Shah. BBB rating is based on 16 factors.
Factors that lowered the rating for ITechline.com include:
Length of time business has been operating
8 complaints filed against business
Failure to respond to 7 complaints filed against business

> https://lh3.ggpht.co...0/itechline.png
... ITechline.com has garnered some very negative consumer reviews..."
* http://www.dynamoo.c...dharth-shah.csv
___

Fake Wire Transfer SPAM / gimikalno .ru
- http://blog.dynamoo....imikalnoru.html
11 Mar 2013 - "This fake wire transfer spam leads to malware on gimikalno .ru:
Date: Mon, 11 Mar 2013 04:00:22 +0000 [00:00:22 EDT]
From: Xanga [noreply@xanga .com]
Subject: Re: Fwd: Wire Transfer Confirmation (FED REFERENCE 16442CU385)
Dear Bank Account Operator,
WIRE TRANSFER: FED62403611378975648
CURRENT STATUS: PENDING
Please REVIEW YOUR TRANSACTION as soon as possible.


The malicious payload is at [donotclick]gimikalno .ru:8080/forum/links/column.php (report here*) hosted on:
5.9.40.136 (Hetzner, Germany)
66.249.23.64 (Endurance International Group, US)
94.102.14.239 (Netinternet, Turkey)
..."
* http://urlquery.net/....php?id=1371618
... Detected suspicious URL pattern... Blackhole 2 Landing Page 94.102.14.239

:ph34r: :ph34r: <_<

Edited by AplusWebMaster, 11 March 2013 - 05:51 PM.



#897 AplusWebMaster

Posted 12 March 2013 - 07:38 AM

FYI...

Fake BofA emails lead to malware
- http://blog.webroot....ead-to-malware/
March 12, 2013 - "Over the past 24 hours, we intercepted tens of thousands of malicious emails attempting to socially engineer BofA’s CashPro users into downloading and executing a -bogus- online digital certificate attached to the fake emails...
Sample screenshot of the spamvertised email:
> https://webrootblog....engineering.png
Detection rate for the malicious executable: MD5: bfe7c4846823174cbcbb10de9daf426b * ... Password-Stealer.
The attachment uses the following naming convention:
cashpro_cert_7585cc6726.zip
cashpro_cert_cc1d4a119071.zip...
It then attempts to connect to 74.207.227.67; 17.optimaxmagnetics .us, and successfully establishes a connection with the C&C server at 50.28.90.36 :8080/forum/viewtopic.php...
More MD5s are known to have phoned back to the same IP..."
(More detail at the webroot URL above.)
* https://www.virustot...bcdf3/analysis/
File name: Ywiti
Detection ratio: 36/45
Analysis date: 2013-03-11
___

Fake "End of Aug. Stat. Required" SPAM / giminkfjol .ru
- http://blog.dynamoo....uired-spam.html
12 March 2013 - "This spam leads to malware on giminkfjol .ru:
From: user @victimdomain .com
Sent: 12 March 2013 04:19
Subject: Re: End of Aug. Stat. Required
Good morning,
as reqeusted I give you inovices issued to you per dec. 2012 ( Internet Explorer file)
Regards


The attachment Invoices-ATX993823.htm attempts to redirect the victim to [donotclick]giminkfjol .ru:8080/forum/links/column.php (report here*) hosted on:
5.9.40.136 (Hetzner, Germany)
94.102.14.239 (Netinternet, Turkey)
213.215.240.24 (COLT, Italy)
Blocklist:
5.9.40.136
94.102.14.239
213.215.240.24
giminkfjol .ru
..."
* http://urlquery.net/....php?id=1389261
... Detected suspicious URL pattern... Blackhole 2 Landing Page 213.215.240.24
___

HP LaserJet printer backdoor
- http://h-online.com/-1821334
12 March 2013 - "A number of HP LaserJet printers can be accessed through the network and unencrypted data can be read from them without authentication. The US-CERT has issued an advisory* that warns users of these printers and is calling on them to update the printer's firmware with a fixed version... HP's own advisory** identifies HP LaserJet Pro P1102w, P1606dn, M1212nf MFP (Multi Function Printer), M1213nf MFP, M1214nfh MFP, M1216nfh MFP, M1217nfw MFP, M1219nf MFP and CP1025nw printers as affected by the problem and has issued firmware and installation instructions for that firmware to close the vulnerability."
* http://www.kb.cert.org/vuls/id/782451
Last revised: 11 Mar 2013

** https://h20566.www2....mr_na-c03684249
Last Updated: 2013-03-06
References: CVE-2012-5215
___

Fake News Diet Supplement Site
- http://www.gfi.com/b...upplement-site/
March 12, 2013 - "... something called “Thinspo” – it’s a shortened term for “Thinspiration”, usually a tag on social media sites... an attempt at directing such individuals to fake news websites touting “green coffee” weight loss offers. Here’s the Tumblr in question, which contains numerous “Thinspo” pictures...
> http://www.gfi.com/b...03/thinspo1.jpg
Sending kids and teens with potentially serious body image hang-ups to -fake- news report sites such as this which practically beg them to sign up and lose weight is incredibly creepy... It’s entirely possible there’s more of them lurking on various social networks though, so please be aware that no matter how controversial the subject, someone is always going to want to take advantage of it for their own benefit."
___

Fake ACH Batch Download Notification
- http://security.intu.../alert.php?a=77
11 Mar 2013 - "People are receiving fake emails with the title 'ACH Batch Download Notification'. Below is a copy of the email people are receiving, including the mistakes shown.

Refund check in the amount of $4,370.00 for
The following ACH batch has been submitted for processing.
Initiated By: colleen
Initiated Date & Time: Mon, 11 Mar 2013 19:59:38 +0500 Batch ID: 8242710 Batch Template Name: PAYROLL
Please view the attached file to review the transaction details.


This is the end of the fake email.
Steps to Take Now
- Do -not- click on the link in the email or open the attached file...
- Delete the email."
___

Fake Wire Transfer SPAM / giminanvok .ru
- http://blog.dynamoo....minanvokru.html
11 Mar 2013 - "Another wire transfer spam, this time leading to malware on giminanvok .ru:
Date: Mon, 11 Mar 2013 02:46:19 -0300 [01:46:19 EDT]
From: LinkedIn Connections [connections@linkedin.com]
Subject: Fwd: Wire Transfer (5600LJ65)
Dear Bank Account Operator,
WIRE TRANSFER: FED694760330367340
CURRENT STATUS: PENDING
Please REVIEW YOUR TRANSACTION as soon as possible.


The malicious payload is at [donotclick]giminanvok .ru:8080/forum/links/column.php (report pending*) hosted on the same IPs used earlier today:
5.9.40.136 (Hetzner, Germany)
66.249.23.64 (Endurance International Group, US)
94.102.14.239 (Netinternet, Turkey)
I strongly recommend that you block access to these IPs if you can."

:ph34r: <_<

Edited by AplusWebMaster, 12 March 2013 - 12:44 PM.



#898 AplusWebMaster

Posted 13 March 2013 - 06:52 AM

FYI...

Fake BBB emails lead to BlackHole Exploit Kit
- http://blog.webroot....le-exploit-kit/
March 13, 2013 - "Over the past week, a cybercriminal/gang of cybercriminals whose activities we’ve been actively profiling over a significant period of time, launched two separate massive spam campaigns, this time impersonating the Better Business Bureau (BBB), in an attempt to trick users into thinking that their BBB accreditation has been terminated. Once users click on any of the links found in the malicious emails, they’re automatically exposed to the client-side exploits served by the Black Hole Exploit Kit...
Sample screenshot of the first BBB themed spamvertised campaign:
> https://webrootblog....exploit_kit.png
Sample screenshot of the second BBB themed spamvertised campaign:
> https://webrootblog....loit_kit_01.png
... Malicious domain names reconnaissance:
Not surprisingly, we’ve already seen the onetoo @gmx .com email in the following previously profiled malicious campaign – “Malicious ‘Data Processing Service’ ACH File ID themed emails serve client-side exploits and malware“.
Upon successful client-side exploitation, a sampled campaign drops: MD5: 126a104f260cb0059b901c6a23767d76 * ... Worm:Win32/Cridex.E ..."
(More detail at the webroot URL above.)
* https://www.virustot...b3f77/analysis/
File name: cf2d476e6b1a8eae707ffae520c4d019c7226948
Detection ratio: 28/45
Analysis date: 2013-03-10
___

- http://gfisoftware.t...tation-has-been
5 days ago - "... Subjects seen:
BBB Accreditation Terminated
Typical e-mail details:
Valued Owner:
Your accreditation with Better Business Beaureau was Discontinued
A number of latest claims on you / your company motivated us to provisional Suspend your accreditation with Better Business Beaureau. The information about the our decision are available for review at a link below. Please give attention to this issue and inform us about your sight as soon as possible.
We amiably ask you to click and review the SUSPENSION REPORT to meet on this grievance.
If you think you got this email by mistake - please forward this message to your principal or accountant
We awaits to your prompt rebound
..."
___

Zbot sites to block 13/3/13
- http://blog.dynamoo....s-to-block.html
13 Mar 2013 - "These domains and IPs seem to be active as Zbot C&C servers. The obsolete .su (Soviet Union) domain is usually a tell-tale sign of.. something*.
And for the record, those IPs belong to:
76.185.101.239 (Road Runner, US)
77.74.197.190 (UK Dedicated Servers, UK)
89.202.183.27 (Interoute / PSI, UK)
89.253.234.247 (Rusonyx, Russia)
201.236.78.182 (Municipalidad De Quillota, Chile)
218.249.154.140 (Beijing Zhongbangyatong Telecom, China)..."
* https://www.abuse.ch/?p=3581
___

Fake "Wapiti Lease Corp" SPAM / giminaaaao .ru
- http://blog.dynamoo....ation-spam.html
13 March 2013 - "A fairly bizarre spam leading to malware on giminaaaao .ru:
From: IESHA WILLEY [mailto:AtticusRambo @tui-infotec .com]
Sent: 13 March 2013 11:22
To: Sara Smith
Subject: Fwd: Wapiti Land Corporation Guiding Principles attached
Hello,
Attached is a draft of the Guiding Principles that the Wapiti Lease Corporation (“W.L.C”) would like to publish. Prior to doing that, WLC would like you to have an opportunity for a preview and to provide any
comments that you would like to make. Please let me know that you have reviewed it and what comments you might have.
Thank you,
IESHA WILLEY
WLC


This comes with an attachment called WLC-A0064.htm although I have another sample "from" a DEANNE AMOS with an attachment of WLC-A5779.htm. In any case, the attachment tries to direct the victim to a malware landing page at [donotclick]giminaaaao .ru:8080/forum/links/column.php (report here*) hosted on:
93.174.138.48 (Cloud Next / Node4, UK)
94.102.14.239 (Netinternet, Turkey)
213.215.240.24 (COLT, Italy)
Blocklist:
93.174.138.48
94.102.14.239
213.215.240.24

giminaaaao .ru
giminkfjol .ru
giminanvok .ru "
* http://urlquery.net/....php?id=1406092
... Detected suspicious URL pattern... Blackhole 2 Landing Page 94.102.14.239
___

Fake "Copies of policies" SPAM / giimiiifo .ru
- http://blog.dynamoo....iimiiiforu.html
13 Mar 2013 - "This spam leads to malware on giimiiifo .ru:
Date: Wed, 13 Mar 2013 06:49:25 +0100
From: LinkedIn Email Confirmation [emailconfirm @linkedin .com]
Subject: RE: Alonso - Copies of Policies.
Unfortunately, I cannot obtain electronic copies of the Ocean, Warehouse or EPLI policy.
Here is the Package and Umbrella,
and a copy of the most recent schedule.
Alonso SAMS,


The malicious payload is at [donotclick]giimiiifo .ru:8080/forum/links/column.php hosted on two IPs we saw earlier:
94.102.14.239 (Netinternet, Turkey)
213.215.240.24 (COLT, Italy)"

:ph34r: <_<

Edited by AplusWebMaster, 13 March 2013 - 03:38 PM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.
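The posts above hand out indicators in a defanged form ("[donotclick]giminaaaao .ru:8080/forum/links/column.php", "94.102.14.239 (Netinternet, Turkey)") and note that several campaigns share the same ".ru:8080/forum/links/column.php" landing-page path. Here is an added example (my code, not dynamoo's or webroot's) that refangs that notation into a blocklist and triages proxy-log URLs against both the listed hosts and the shared path; the log URLs are constructed.

```python
import re
from typing import Iterable

# Defanging conventions used in the dynamoo/webroot posts quoted above:
#   "[donotclick]giminaaaao .ru:8080/forum/links/column.php"
#   "hxxp://gimikalno .ru:8080/forum/links/column.php"
#   "94.102.14.239 (Netinternet, Turkey)"
DEFANG_PREFIX = re.compile(r"^\s*(?:\[donotclick\]|hxxps?://|https?://)", re.I)
# Landing-page path shared by the ".ru:8080" campaigns in this thread
LANDING = re.compile(r":8080/forum/links/column\.php", re.I)

def refang(indicator: str) -> str:
    """Strip the warning prefix, close the " .ru" gap, drop provider notes."""
    s = DEFANG_PREFIX.sub("", indicator.strip())
    s = re.sub(r"\s+\.", ".", s)        # "giminaaaao .ru" -> "giminaaaao.ru"
    return s.split()[0] if s else ""    # "1.2.3.4 (COLT, Italy)" -> "1.2.3.4"

def host_of(indicator: str) -> str:
    """Host or IP only: no scheme, port or path, lower-cased."""
    return refang(indicator).split("/")[0].split(":")[0].lower()

def build_blocklist(lines: Iterable[str]) -> set[str]:
    """Collect hosts/IPs from 'Blocklist:' style lines, skipping junk."""
    return {h for h in map(host_of, lines) if "." in h}

def classify(url: str, blocklist: set[str]) -> str:
    """Label a proxy-log URL: blocked-host, landing-pattern or clean."""
    if host_of(url) in blocklist:
        return "blocked-host"
    if LANDING.search(url):
        return "landing-pattern"        # unlisted domain, same exploit-kit path
    return "clean"

# Indicators as they appear in the posts above; the log URLs are constructed
SAMPLE_BLOCKLIST = [
    "94.102.14.239 (Netinternet, Turkey)",
    "213.215.240.24 (COLT, Italy)",
    "[donotclick]giminaaaao .ru:8080/forum/links/column.php",
    "giimiiifo .ru",
]
SAMPLE_LOG = [
    "http://giminaaaao.ru:8080/forum/links/column.php",
    "http://94.102.14.239/hjz/file.php",
    "http://not-yet-listed.example:8080/forum/links/column.php",
    "http://www.example.com/index.html",
]
def triage(urls=SAMPLE_LOG, iocs=SAMPLE_BLOCKLIST) -> dict[str, str]:
    bl = build_blocklist(iocs)
    return {u: classify(u, bl) for u in urls}
```

The "landing-pattern" verdict is what catches the next domain the same gang rotates in before any blocklist names it.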


#899 AplusWebMaster


Posted 14 March 2013 - 07:07 AM

FYI...

Fake Efax SPAM / gimiinfinfal .ru
- http://blog.dynamoo....infinfalru.html
14 Mar 2013 - "This eFax-themed spam leads to malware on gimiinfinfal .ru:
Date: Thu, 14 Mar 2013 07:39:23 +0300
From: SarahPoncio @mail .com
Subject: Efax Corporate
Attachments: Efax_Corporate.htm
Fax Message [Caller-ID: 449555234]
You have received a 44 pages fax at Thu, 14 Mar 2013 07:39:23 +0300, (751)-674-3105.
* The reference number for this fax is [eFAX-263482326].
View attached fax using your Internet Browser.
© 2013 j2 Global Communications, Inc. All rights reserved.
eFax ® is a registered trademark of j2 Global Communications, Inc.
This account is subject to the terms listed in the eFax ® Customer Agreement.


There's an attachment called Efax_Corporate.htm which leads to malware on [donotclick]gimiinfinfal .ru:8080/forum/links/column.php (report here) hosted on:
94.102.14.239 (Netinternet, Turkey)
50.116.23.204 (Linode, US)
213.215.240.24 (COLT, Italy)
Blocklist:
50.116.23.204
94.102.14.239
213.215.240.24
giimiiifo .ru

___

Fake LinkedIn SPAM / teenlocal .net
- http://blog.dynamoo....enlocalnet.html
14 March 2013 - "This fake LinkedIn spam leads to malware on teenlocal .net:
From: messages-noreply@bounce .linkedin .com [mailto:messages-noreply @bounce.linkedin .com] On Behalf Of LinkedIn
Sent: 14 March 2013 16:32
Subject: Frank and Len have endorsed you!
Congratulations! Your connections Frank Garcia and Len Rosenthal have endorsed you for the following skills and expertise:
Program Management
Strategic Planning
Continue
You are receiving Endorsements emails. Unsubscribe.
This email was intended for Paul Stevens (Chief Financial Officer, Vice President and General Manager, Aerospace/Defense, Pacific Consolidated Industries). Learn why we included this. 2013, LinkedIn Corporation. 2029 Stierlin Ct. Mountain View, CA 94043, USA


The malicious payload is at [donotclick]teenlocal.net/kill/force-vision.php (report here) hosted on:
24.111.157.113 (Midcontinent Media, US)
58.26.233.175 (Telekom Malaysia, Malaysia)
155.239.247.247 (Centurion Telkom, South Africa)
Blocklist:
24.111.157.113
58.26.233.175
155.239.247.247
..."
(More detail at the dynamoo URL above.)

:ph34r: <_<

Edited by AplusWebMaster, 14 March 2013 - 12:41 PM.



#900 AplusWebMaster


Posted 15 March 2013 - 07:44 AM

FYI...

Fake Wire Transfer emails serve client-side exploits and malware
- http://blog.webroot....ts-and-malware/
March 15, 2013 - "Over the last couple of days, a cybercriminal/gang of cybercriminals that we’ve been extensively profiling, resumed spamvertising tens of thousands of emails, in an attempt to trick users that they have a pending wire transfer. Once users click on any of the links found in the malicious emails, they’re exposed to the client-side exploits served by the Black Hole Exploit Kit...
Sample screenshot of the spamvertised email:
> https://webrootblog....re_transfer.png
... Sample client-side exploits serving URL: hxxp://gimikalno .ru:8080/forum/links/column.php
Sample malicious payload dropping URL: hxxp://gimikalno .ru:8080/forum/links/column.php?hf=2w:1l:1l:2v:1f&ye=2v:1k:1m:32:33:1k:1k:31:1j:1o&s=1k&td=r&xj=f
Upon successful client-side exploitation, the campaign drops MD5: 93a104caf7b01de69614498de5cf870a * ... Trojan.FakeMS
... phones back to:
149.156.96.9 /J9/vp//EGa+AAAAAA/2MB9vCAAAA/
72.251.206.90 /J9/vp//EGa+AAAAAA/2MB9vCAAAA/
202.29.5.195 :8080/DPNilBA/ue1elBAAAA/tlSHAAAAA/
213.214.74.5 /AJtw/UCyqrDAA/Ud+asDAA/
We’ve already seen 213.214.74.5 in... previously profiled campaigns
Malicious domain name reconnaissance:
gimikalno .ru – 66.249.23.64; 94.102.14.239; 5.9.40.136
Name Servers: ns1.gimikalno .ru 41.168.5.140
Name Servers: ns2.gimikalno .ru 110.164.58.250 (nangrong.ac.th)
Name Servers: ns3.gimikalno .ru 210.71.250.131 (tecom.com.tw)
Name Servers: ns4.gimikalno .ru 194.249.217.8 (gimnazija-tolmin1.si)
Name Servers: ns5.gimikalno .ru 72.251.206.90 ..."
(More detail at the webroot URL above.)
* https://www.virustot...46642/analysis/
File name: docprop.dll
Detection ratio: 26/45
Analysis date: 2013-03-13
___

Malware sites to block 15/3/13
- http://blog.dynamoo....lock-15313.html
15 March 2013 - "These seem to be the currently active IPs and domains being used by the RU:8080 gang. Of these the domain gilaogbaos .ru seems to be very active this morning. Block 'em if you can:
For the record, these are the registrars either hosting the domains or offering support services. It is possible that some have been taken down already.
5.9.40.136 (Hetzner, Germany)
41.72.150.100 (Hetzner, South Africa)
50.116.23.204 (Linode, US)
66.249.23.64 (Endurance International Group, US)
94.102.14.239 (Netinternet, Turkey)
212.180.176.4 (Supermedia, Poland)
213.215.240.24 (COLT, Italy) ..."
(More listed at the dynamoo URL above.)
___

Fake ADP SPAM / picturesofdeath .net
- http://blog.dynamoo....ation-spam.html
15 March 2013 - "This fake ADP spam leads to malware on... picturesofdeath .net:
From: ADP Chesapeake Package Delivery Confirmation [mailto:do_not_reply @adp .com]
Sent: 15 March 2013 14:45
Subject: =?iso-8859-1?Q?ADP Chesapeake - Package Delivery Notification
Importance: High
This message is to notify you that your package has been processed and is on schedule for delivery from ADP.
Here are the details of your delivery:
Package Type: QTR/YE Reporting
Courier: UPS Ground
Estimated Time of Arrival: Tusesday, 5:00pm
Tracking Number (if one is available for this package): 1Z023R643116536498
Details: Click here to overview and/or modify order
We will notify you via email if the status of your delivery changes.
Access these and other valuable tools at support.ADP.com:
o Payroll and Tax Calculators
o Order Payroll Supplies, Blank Checks, and more
o Submit requests online such as SUI Rate Changes, Schedule Changes, and more
o Download Product Documentation, Manuals, and Forms
o Download Software Patches and Updates
o Access Knowledge Solutions / Frequently Asked Questions
o Watch Animated Tours with Guided Input Instructions
Thank You,
ADP Client Services
support.ADP.com ...


The malicious payload is at [donotclick]picturesofdeath.net/kill/long_fills.php (report here*) hosted on:
24.111.157.113 (Midcontinent Media, US)
155.239.247.247 (Centurion Telkom, South Africa)..."
(More URLs listed at the dynamoo URL above.)
* http://urlquery.net/....php?id=1446662
... Detected live BlackHole v2.0 exploit kit 24.111.157.113

- http://blog.webroot....le-exploit-kit/
March 18, 2013 - "A currently ongoing malicious email campaign is impersonating ADP in an attempt to trick its customers into thinking that they’ve received a ‘Package Delivery Notification.’ In reality though, once a user clicks on any of the links found in the malicious email, they’re automatically exposed to the client-side exploits served by the Black Hole Exploit Kit...
Sample screenshot of the spamvertised email:
> https://webrootblog....exploit_kit.png
... responded to 24.111.157.113; 58.26.233.175; 155.239.247.247... 58.26.233.175; 155.239.247.247... 77.241.198.65; 80.241.211.26; 83.255.90.5; 103.14.8.20; 190.30.219.85... phones back to 212.68.63.82..."
(More detail at the webroot URL above.)
___

BoA SPAM - on short list of Scammers’ Spam Lures
- http://www.hotforsec...lures-5668.html
March 15, 2013 - "... crooks unleashed a series of aggressive spam campaigns that include the Bank of America in the title as bait. In the context of a security breach, the name of the bank was used to catch customers’ attention, infect them with malware, have them type in sensitive data or entice them into sending money in advance for a service they will never receive. “Online Banking Passcode Modified” invites people to click a link to reset their online banking passcode. The same template and con is entirely recycled from a similar attack in November 2012. This new spamvertised malware campaign attempts to get Bank of America customers to -click a link- to a webpage associated with the Redkit Exploit Kit – a crimeware tool that exploits vulnerabilities in browsers and plugins to silently infect victims’ PCs.
> http://www.hotforsec...de-Modified.png
“Bank of America Corporate Office Headquarters” and the very recent “Payment Notification from Bank of America” spam campaigns are examples of a complicated Nigerian-like scam informing customers that their funds will be transferred to the United States Treasury Account...
> http://www.hotforsec...eadquarters.png
“Bank of America Alert: Suspicious Activities on your Account!” and “Bank of America Alert: Sign-in to Online Banking Locked” lure customers to a phishing page...
> http://www.hotforsec...our-Account.png
“Reminder: Bank of America Customer Survey” is another active scam ...
> http://www.hotforsec...omer-Survey.png
Bank of America has been recycled in spammed scams since 2006 and used multiple times a year, for more or less the same results: steal card and identity information, infect people with malware, and unwarily recruit them into money-muling operations..."

:ph34r: :ph34r: <_<

Edited by AplusWebMaster, 18 March 2013 - 10:32 AM.

