tech support 9


Friday, 29 March 2013

"Please respond - overdue payment" spam / INVOICE_28781731.zip

Posted on 12:51 by Unknown


This spam comes with a malware-laden attachment called INVOICE_28781731.zip:


Date:      Fri, 29 Mar 2013 10:33:53 -0600 [12:33:53 EDT]
From:      Victor_Lindsey@key.com
Subject:      Please respond - overdue payment

Please find attached your invoices for the past months. Remit the payment by 02/04/2013
as outlines under our "Payment Terms" agreement.

Thank you for your business,

Sincerely,
Read More
Posted in Canada, EXE-in-ZIP, Malware, Spam, Viruses | No comments

Thursday, 28 March 2013

ADP Spam / ipiniadto.ru

Posted on 12:51 by Unknown


This fake ADP spam leads to malware on ipiniadto.ru:


Date:      Thu, 28 Mar 2013 04:22:48 +0600 [03/27/13 18:22:48 EDT]
From:      Bebo Service [service@noreply.bebo.com]
Subject:      ADP Immediate Notification

ADP Immediate Notification
Reference #: 120327398
Thu, 28 Mar 2013 04:22:48 +0600
Dear ADP Client
Your Transfer Record(s) have been created at the web site:
https://www.flexdirect.adp.com/
Read More
Posted in ADP, Malware, RU:8080, Spam, Viruses | No comments

Facebook spam / ipiniadto.ru

Posted on 12:29 by Unknown


The email address says Filestube. The message says Facebook. This can't be good.. and in fact this message just leads to malware on ipiniadto.ru:


Date:      Thu, 28 Mar 2013 04:58:33 +0600 [03/27/13 18:58:33 EDT]
From:      FilesTube [filestube@filestube.com]
Subject:      You have notifications pending

facebook
Hi,
Here's some activity you may have missed on Facebook.
BERTIE Goldstein has posted
Read More
Posted in Endurance International Group, Facebook, Malware, RU:8080, Spam, Viruses | No comments

Changelog spam / Changelog_Urgent_N992.doc.exe

Posted on 02:30 by Unknown


This fake "changelog" spam has a malicious attachment Changelog.zip which in turn contains a malware file named Changelog_Urgent_N992.doc.exe


From:      Logistics Express [admin@ups.com]
Subject:      Re: Changelog 2011 update

Hi,
as promised changelog,

Michaud Abran 

VirusTotal detects the payload as Cridex. The malware is resistant to automated analysis tools, but Comodo CAMAS reports
Read More
Posted in EXE-in-ZIP, Malware, Spam, Viruses | No comments

"Scan from a Xerox W. Pro" spam / ilianorkin.ru

Posted on 02:13 by Unknown


This fake printer spam leads to malware on ilianorkin.ru:


From: officejet@[victimdomain]
Sent: 27 March 2013 08:35
Subject: Fwd: Fwd: Scan from a Xerox W. Pro #589307

A Document was sent to you using a XEROX WorkJet PRO 481864299.

SENT BY : Omar
IMAGES : 9
FORMAT (.JPEG) DOWNLOAD
The malicious payload is at [donotclick]ilianorkin.ru:8080/forum/links/column.php (report here) hosted on:

Read More
Posted in Malware, Printer Spam, RU:8080, Spam, Viruses | No comments

Wednesday, 27 March 2013

NACHA spam / mgithessia.biz

Posted on 08:53 by Unknown


This fake NACHA spam leads to malware on mgithessia.biz:


From: "Олег.Тихонов@direct.nacha.org" [mailto:universe87@mmsrealestate.com]
Sent: 27 March 2013 03:25
Subject: Disallowed Direct Deposit payment
Importance: High

To whom it may concern:
We would like to inform you, that your latest Direct Deposit via ACH transaction (Int. No.989391803448) was cancelled,because your business software package
Read More
Posted in Amerika, Hetzner, Malware, NACHA, Spam, Viruses | No comments

"British Airways E-ticket receipts" spam / illuminataf.ru

Posted on 06:13 by Unknown


This fake airline ticket spam leads to malware on illuminataf.ru:



Date:      Wed, 27 Mar 2013 03:23:05 +0100
From:      "Xanga" [noreply@xanga.com]
Subject:      British Airways E-ticket receipts
Attachments:     E-Ticket-Receipt.htm

e-ticket receipt
Booking reference: JQ15191488
Dear,

Thank you for booking with British Airways.

Ticket Type: e-ticket
This is your e-ticket receipt. Your
Read More
Posted in China, Endurance International Group, Malware, RU:8080, Spam, Viruses | No comments

Tuesday, 26 March 2013

"NY TRAFFIC TICKET" spam / hondatravel.ru

Posted on 15:20 by Unknown


I haven't seen this type of spam for a while, but here it is.. leading to malware on hondatravel.ru:


Date:      Wed, 27 Mar 2013 04:24:14 +0330
From:      "LiveJournal.com" [do-not-reply@livejournal.com]
Subject:      Fwd: Re: NY TRAFFIC TICKET

New-York Department of Motor Vehicles
TRAFFIC TICKET
NEW-YORK POLICE DEPARTMENT
THE PERSON CHARGED AS FOLLOWS
Time: 2:15 AM
Date of Offense: 28/07/2012
SPEED
Read More
Posted in Malware, RU:8080, Spam, Viruses | No comments

Wire Transfer spam / hondatravel.ru

Posted on 09:11 by Unknown


This fake Wire Transfer spam leads to malware on hondatravel.ru:


From: messages-noreply@bounce.linkedin.com [mailto:messages-noreply@bounce.linkedin.com] On Behalf Of LinkedIn
Sent: 26 March 2013 11:52
Subject: Re: Wire Transfer Confirmation (FED_4402D79813)

Dear Bank Account Operator,
WIRE TRANSFER: FED68081773954793456
CURRENT STATUS: PENDING
Please REVIEW YOUR TRANSACTION as soon as possible.

Read More
Posted in Endurance International Group, Malware, RU:8080, Spam, Viruses | No comments

UPS spam / Label_8827712794.zip

Posted on 09:01 by Unknown


This fake UPS spam has a malicious EXE-in-ZIP attachment:


Date:      Tue, 26 Mar 2013 20:54:54 +0600 [10:54:54 EDT]
From:      UPS Express Services [service-notification@ups.com]
Subject:      UPS - Your package is available for pickup ( Parcel 4HS287FD )

The courier company was not able to deliver your parcel by your address.
Cause: Error in shipping address.
You may pickup the parcel at our post
Read More
Posted in EXE-in-ZIP, Linode, Malware, Spam, UPS, Viruses | No comments

eFax Corporate spam / hjuiopsdbgp.ru

Posted on 06:41 by Unknown


This fake eFax spam leads to malware on hjuiopsdbgp.ru:


Date:      Tue, 26 Mar 2013 06:23:36 +0800
From:      LinkedIn [welcome@linkedin.com]
Subject:      Efax Corporate
Attachments:     Efax_Pages.htm



Fax Message [Caller-ID: 378677295]

You have received a 59 pages fax at Tue, 26 Mar 2013 06:23:36 +0800, (954)-363-5285.

* The reference number for this fax is [eFAX-677484317].

View
Read More
Posted in eFax, Endurance International Group, Leaseweb, Malware, RU:8080, Spam, Viruses | No comments

DHL Spam / LABEL-ID-NY26032013-GFK73.zip

Posted on 04:28 by Unknown


This DHL-themed spam contains a malicious attachment.


Date:      Tue, 26 Mar 2013 17:27:46 +0700 [06:27:46 EDT]
From:      Bart Whitt - DHL regional manager [reports@dhl.com]
Subject:      DHL delivery report NY20032013-GFK73
   
Web Version  |  Update preferences  |  Unsubscribe
       

DHL notification

Our company’s courier couldn’t make the delivery of parcel.

REASON: Postal code
Read More
Posted in DHL, Malware, Spam, Viruses | No comments

NACHA spam / breathtakingundistinguished.biz

Posted on 02:22 by Unknown


This fake NACHA spam leads to malware on breathtakingundistinguished.biz:


From: "Гена.Симонов@direct.nacha.org" [mailto:corruptnessljx953@bsilogistik.com]
Sent: 25 March 2013 22:26
Subject: Re: Your Direct Deposit disallowance
Importance: High

Attn: Accounting Department
We are sorry to notify you, that your latest Direct Deposit transaction (#963417979218) was disallowed,because your business
Read More
Posted in Amerika, Malware, NACHA, Spam, Viruses | No comments

Monday, 25 March 2013

"Copies of policies" spam / heepsteronst.ru

Posted on 08:49 by Unknown


This spam leads to malware on heepsteronst.ru:


Date:      Mon, 25 Mar 2013 06:20:54 -0500 [07:20:54 EDT]
From:      Ashley Madison [donotreply@ashleymadison.com]
Subject:      RE: DEBBRA - Copies of Policies.

Unfortunately, I cannot obtain electronic copies of the Ocean, Warehouse or EPLI policy.
Here is the Package and Umbrella,

and a copy of the most recent schedule.


DEBBRA Barnard, 

Read More
Posted in Malware, RU:8080, Spam | No comments

"Scan from a HP ScanJet" spam / humaniopa.ru

Posted on 07:53 by Unknown


This fake printer spam leads to malware on humaniopa.ru:


Date:      Mon, 25 Mar 2013 03:57:54 -0500
From:      LinkedIn Connections [connections@linkedin.com]
Subject:      Scan from a HP ScanJet #928909620
Attachments:     Scanned_Document.htm

Attached document was scanned and sent
to you using a Hewlett-Packard HP Officejet 98278P.
Sent by: CHANG
Images : 5
Attachment Type: .HTM [INTERNET EXPLORER]
Read More
Posted in Endurance International Group, GoDaddy, Leaseweb, Malware, Printer Spam, RU:8080, Spam, Viruses | No comments

"Bank of America" spam / PAYMENT RECEIPT 25-03-2013-GBK-74

Posted on 06:40 by Unknown


This spam comes with a malicious EXE file in the archive PAYMENT RECEIPT 25-03-2013-GBK-74.zip


Date:      Mon, 25 Mar 2013 05:50:18 +0300 [03/24/13 22:50:18 EDT]
From:      Bank of America [gaudilyl30@gmail.com]
Subject:      Your transaction is completed

Transaction is completed. $4924 has been successfully transferred.
If the transaction was made by mistake please contact our customer
Read More
Posted in EXE-in-ZIP, Malware, Spam, Viruses | No comments

contactemaillists.com / Contact Email Lists / Sally Gaskell spam

Posted on 03:50 by Unknown


Would you buy a mailing list from a company that just spammed you? In this case "Contact Email Lists" (contactemaillists.com) has been spamming random at one of my domains (website@, server@ and shopping@), and yet they boast that their data "has been strictly opted in at decision maker level."

Assuming that they are using their own mailing lists for marketing, then their claim is a lie. In
Read More
Posted in Sally Gaskell, Spam | No comments

Sunday, 24 March 2013

"Champions Club Community" / championsclubcommunity.com spam

Posted on 16:17 by Unknown


Why these people bother sending me unsolicited email is a mystery... but in fact the so-called "Champions Club Community" is a bit of a mystery too..


From:     Simon Phillips - Champions Club [news@championsclubcommunity.com]
Reply-To:     contactus2@championsclubcommunity.com
Date:     24 March 2013 15:56
Subject:     March 2013 Newsletter

Email not displaying properly? View it online
CCC
Read More
Posted in Spam | No comments

Friday, 22 March 2013

Changelog spam / hohohomaza.ru

Posted on 12:36 by Unknown


Evil changelog spam episode 274, leading to malware on hohohomaza.ru. Hohoho indeed.


Date:      Fri, 22 Mar 2013 11:06:48 -0430
From:      Hank Sears via LinkedIn [member@linkedin.com]
Subject:      Fwd: Changelog as promised (upd.)

Hello,
as promised changelog - View
L. HENDRICKS

The malware landing page is at [donotclick]hohohomaza.ru:8080/forum/links/column.php (report here) hosted on:
Read More
Posted in Endurance International Group, Germany, Malware, RU:8080, Spam, Viruses | No comments

Wire Transfer spam / dataprocessingservice-alerts.com

Posted on 10:03 by Unknown


This fake Wire Transfer spam leads to malware on dataprocessingservice-alerts.com:


Date:      Fri, 22 Mar 2013 10:42:22 -0600
From:      support@digitalinsight.com
Subject:      Terminated Wire Transfer Notification - Ref: 54133

Immediate Transfers Processing Service

STATUS Notification
The following wire transfer has been submitted for approval. Please visit this link to review the
Read More
Posted in Amerika, Malware, South Africa, Spam, Viruses | No comments

Zendesk "An important notice about security" spam / vagh.ru / pillshighest.com

Posted on 07:42 by Unknown


This unusual spam leads to a fake pharma site on pillshighest.com via vagh.ru and an intermediate hacked site.


Date:      Fri, 22 Mar 2013 13:52:08 -0700
From:      Support Team [pinbot@schwegler.com]
To:      [redacted]
Subject:      An important notice about security

We recently learned that the vendor we use to answer support requests and other emails (Zendesk) experienced a security
Read More
Posted in Fake Pharma, Spam | No comments

Thursday, 21 March 2013

Changelog spam / hillairusbomges.ru

Posted on 17:20 by Unknown


This fake changelog spam leads to malware on hillairusbomges.ru:


Date:      Thu, 21 Mar 2013 03:01:59 -0500 [04:01:59 EDT]
From:      LinkedIn Email Confirmation [emailconfirm@linkedin.com]
Subject:      Re: Changelog Oct.

Good morning,
as prmised updated changelog - View
L. LOYD

The malicious payload is at [donotclick]hillairusbomges.ru:8080/forum/links/column.php (report here) hosted on:
Read More
Posted in Endurance International Group, Malware, OVH, RU:8080, Spam, Viruses | No comments

Facebook spam / scriptuserreported.org

Posted on 13:32 by Unknown


This Facebook spam has undergone some sort of failure during construction, revealing some of the secrets of how these messages are constructed. It leads to malware on scriptuserreported.org:


Date:      Thu, 21 Mar 2013 10:56:28 -0500
From:      Facebook [update+oi=MKW63Z@facebookmail.com]
Subject:      John Jenkins commented photo of you.

facebook
   
John Jenkins commented on {l5}.
reply
Read More
Posted in Amerika, Facebook, Malware, OVH, Scam, Scams, Spam, Viruses | No comments

"Data Processing Service" spam / airtrantran.com

Posted on 09:19 by Unknown


This spam leads to malware on


Date:      Thu, 21 Mar 2013 15:55:22 +0000 [11:55:22 EDT]
From:      Data Processing Service [customerservice@dataprocessingservice.com]
Subject:      ACH file ID "973.995"  has been processed successfully

Files Processing Service
SUCCESS Notification
We have successfully complete ACH file 'ACH2013-03-20-8.txt' (id '973.995') submitted by user '[redacted]' on '
Read More
Posted in Hungary, Malware, South Africa, Spam, Viruses | No comments

NACHA spam / encodeshole.org

Posted on 08:50 by Unknown


This fake NACHA spam leads to malware on encodeshole.org:


From: "Тимур.Родионов@direct.nacha.org" [mailto:biker@wmuttkecompany.com]
Sent: 20 March 2013 18:51
Subject: Payment ID 454806207096 rejected
Importance: High

Dear Sirs,

Herewith we are informing you, that your latest Direct Deposit payment (ID431989197078) was cancelled,due to your current Direct Deposit software being out of date.
Read More
Posted in Amerika, Malware, NACHA, Spam, Viruses | No comments

"Scan from a Hewlett-Packard ScanJet" spam / hillaryklinton.ru

Posted on 05:09 by Unknown


This fake printer spam leads to malware on the amusingly-named hillaryklinton.ru:


From: messages-noreply@bounce.linkedin.com [mailto:messages-noreply@bounce.linkedin.com] On Behalf Of LinkedIn Password
Sent: 21 March 2013 06:56
Subject: Scan from a Hewlett-Packard ScanJet #269644

Attached document was scanned and sent
to you using a Hewlett-Packard HP Officejet 6209P.
Sent by: SANDIE
Images :
Read More
Posted in Germany, Malware, Printer Spam, RU:8080, Spam, Viruses | No comments

Wednesday, 20 March 2013

"End of Aug. Statement" spam / hifnsiiip.ru

Posted on 08:17 by Unknown


This fake invoice spam leads to malware on hifnsiiip.ru:


Date:      Wed, 20 Mar 2013 05:41:44 +0100
From:      LinkedIn Connections [connections@linkedin.com]
Subject:      Re: FW: End of Aug. Statement
Attachments:     Invoices-AS9927.htm

Good morning,
as reqeusted I give you inovices issued to you per dec. 2012 ( Internet Explorer file)
Regards

The attached Invoices-AS9927.htm file attempts to
Read More
Posted in Germany, Malware, OVH, RU:8080, Spam, Viruses | No comments

USPS Spam / himalayaori.ru

Posted on 03:46 by Unknown


This fake UPS (or is it USPS?) spam leads to malware on himalayaori.ru. The malicious link is in an attachment called ATT17235668.htm.

For some reason the only sample of the spam that I have is horribly mangled:


From: HamzaRowson@hotmail.com [mailto:HamzaRowson@hotmail.com]
Sent: 19 March 2013 23:40
Subject: United Postal Service Tracking Number H1338091657
Read More
Posted in Malware, OVH, RU:8080, Spam, UPS, USPS, Viruses | No comments

Tuesday, 19 March 2013

Malware spam: "Opinion: Cyprus banks shut extended to Monday - CNN.com" / salespeoplerelaunch.org

Posted on 09:57 by Unknown


This topically themed (but fake) CNN spam leads to malware on salespeoplerelaunch.org:


Date:      Tue, 19 Mar 2013 10:40:22 -0600
From:      "CNN Breaking News" [BreakingNews@mail.cnn.com]
Subject:      Opinion: Cyprus banks shut extended to Monday - CNN.com

   
Powered by    
* Please note, the sender's email address has not been verified.
   
   
You have received the following link
Read More
Posted in Amerika, CNN, Hetzner, Malware, Spam, Viruses | No comments

Facebook spam / heelicotper.ru

Posted on 08:51 by Unknown


This fake Facebook spam leads to malware on heelicotper.ru:


Date:      Tue, 19 Mar 2013 08:37:37 +0200
From:      Facebook [updateSIXQG03I44AX@facebookmail.com]
Subject:      You have notifications pending

facebook
Hi,
Here's some activity you may have missed on Facebook.
TAMISHA Gore has posted statuses, photos and more on Facebook.
Go To Facebook    See All Notifications
This message was sent to [
Read More
Posted in Facebook, Malware, RU:8080, Spam, Viruses | No comments

Squeak Data / squeakdata.com spam

Posted on 08:07 by Unknown


This spam is really just a laughable tissue of bullshit. The email address they are sending to has been harvested, so you can be pretty sure that the mailing lists they sell are of very low quality. But there's a bit more to this spam than meets the eye..


From:     Squeak Data [enquiries@squeakdata.com] via smtpguru.net
Date:     19 March 2013 13:35
Subject:     Squeak Data
Signed by:     
Read More
Posted in Sally Gaskell, Spam, Stupidity | No comments

"End of Aug. Statement Reqiured" spam / hiskintako.ru

Posted on 06:35 by Unknown



This spam leads to malware on hiskintako.ru:


Date:      Tue, 19 Mar 2013 08:04:18 +0300
From:      "package update Ups" [upsdelivercompanyb@ups.com]
Subject:      Re: FW: End of Aug. Statement Reqiured
Attachments:     Invoices-CAS9927.htm

Hi,
as reqeusted I give you inovices issued to you per dec. 2012 ( Internet Explorer file)
Regards
-----------------------
Date:      Tue, 19 Mar 2013 02:18:
Read More
Posted in Germany, Malware, OVH, RU:8080, Spam, Viruses | No comments

Monday, 18 March 2013

Malware spam "New Pope Sued For Not Wearing Seat Belt In Popemobile" / webpageparking.net

Posted on 13:11 by Unknown


This pope themed spam leads to malware on webpageparking.net:


Date:      Mon, 18 Mar 2013 20:20:54 +0200
From:      "CNN Breaking News" [BreakingNews@mail.cnn.com]
Subject:      Opinion: New Pope Sued For Not Wearing Seat Belt In Popemobile ... - CNN.com


Powered by    
* Please note, the sender's email address has not been verified.

You have received the following link from BreakingNews@
Read More
Posted in Amerika, CNN, Hungary, Malware, South Africa, Spam, Viruses | No comments

LinkedIn spam / applockrapidfire.biz

Posted on 09:27 by Unknown


This fake LinkedIn spam leads to malware on applockrapidfire.biz:


From: David O'Connor - LinkedIn [mailto:kissp@gartenplandesign.de]
Sent: 18 March 2013 15:34
Subject: Join my network on LinkedIn
Importance: High

LinkedIn
REMINDERS
Invitation reminders:
 From David O\'Connor (animator at ea)

PENDING MESSAGES
There are a total of 9 messages awaiting your response. Go to InBox now.
This
Read More
Posted in Amerika, Hetzner, LinkedIn, Malware, Spam, Viruses | No comments

FOG RANT: turn your lights on!

Posted on 01:54 by Unknown


Much of the part of the UK I live in is currently either a) foggy or b) very foggy. Freezing rain has turned the roads to ice and visibility is bugger all. At the moment the roads look like they do in the picture, and there are multiple accidents all over the place.

What amazes me is the sheer amount of complete f--king idiots driving with NO LIGHTS ON WHATSOEVER. Do they not notice that
Read More
Posted in Stupidity, Weather | No comments

Friday, 15 March 2013

ADP Package Delivery Confirmation spam / picturesofdeath.net

Posted on 08:10 by Unknown


This fake ADP spam leads to malware on the jollily-named picturesofdeath.net:


From: ADP Chesapeake Package Delivery Confirmation [mailto:do_not_reply@adp.com]
Sent: 15 March 2013 14:45
Subject: =?iso-8859-1?Q?ADP Chesapeake - Package Delivery Notification
Importance: High

This message is to notify you that your package has been processed and is on schedule for delivery from ADP. Here are the
Read More
Posted in ADP, Amerika, Malware, Spam, Viruses | No comments

RU:8080 Malware sites to block 15/3/13

Posted on 03:20 by Unknown


These seem to be the currently active IPs and domains being used by the RU:8080 gang. Of these the domain gilaogbaos.ru seems to be very active this morning. Block 'em if you can:

Read More
Posted in Endurance International Group, Hetzner, Linode, Malware, RU:8080, Spam, Viruses | No comments

Thursday, 14 March 2013

Samsung Galaxy S4

Posted on 17:22 by Unknown


Seriously.. when does it stop being a phone? This Galaxy S4 thing has a 5" HD display, a processor with up to eight cores, and it even watches you watching it. Just remember that last point while you are perusing your favourite rubber midget lesbian vore collection.

What I hadn't heard of before is the Samsung HomeSync server which is basically a 1TB appliance you put in your home and store
Read More
Posted in Phones | No comments

Brian Krebs gets SWATted

Posted on 15:49 by Unknown
It looks like Brian Krebs got a visit from a SWAT team today, after having his site DDOSed and served with a fake takedown notice, possibly in retaliation for this article. Nasty.




It reminds me a little of the "suicide note" incident with the operator of abuse.ch a few years back. You know when you have pissed off the bad guys when they arrange for armed police to come calling..
Read More
Posted in | No comments

LinkedIn spam / teenlocal.net

Posted on 09:44 by Unknown


This fake LinkedIn spam leads to malware on teenlocal.net:


From: messages-noreply@bounce.linkedin.com [mailto:messages-noreply@bounce.linkedin.com] On Behalf Of LinkedIn
Sent: 14 March 2013 16:32
Subject: Frank and Len have endorsed you!

Congratulations! Your connections Frank Garcia and Len Rosenthal have endorsed you for the following skills and expertise:
Program Management
Read More
Posted in Amerika, LinkedIn, Malware, Spam, Viruses | No comments

"Efax Corporate" spam / gimiinfinfal.ru

Posted on 05:53 by Unknown


This eFax-themed spam leads to malware on gimiinfinfal.ru:


Date:      Thu, 14 Mar 2013 07:39:23 +0300
From:      SarahPoncio@mail.com
Subject:      Efax Corporate
Attachments:     Efax_Corporate.htm

Fax Message [Caller-ID: 449555234]
You have received a 44 pages fax at Thu, 14 Mar 2013 07:39:23 +0300, (751)-674-3105.
* The reference number for this fax is [eFAX-263482326].
View attached fax using
Read More
Posted in Linode, Malware, RU:8080, Spam, Viruses | No comments

Wednesday, 13 March 2013

"Copies of policies" spam / giimiiifo.ru

Posted on 13:01 by Unknown


This spam leads to malware on giimiiifo.ru:


Date:      Wed, 13 Mar 2013 06:49:25 +0100
From:      LinkedIn Email Confirmation [emailconfirm@linkedin.com]
Subject:      RE: Alonso - Copies of Policies.

Unfortunately, I cannot obtain electronic copies of the Ocean, Warehouse or EPLI policy.
Here is the Package and Umbrella,
and a copy of the most recent schedule.
Alonso SAMS,

The malicious payload
Read More
Posted in Italy, Malware, RU:8080, Spam, Turkey, Viruses | No comments

"Wapiti Lease Corporation" spam / giminaaaao.ru

Posted on 08:15 by Unknown


A fairly bizarre spam leading to malware on giminaaaao.ru:


From: IESHA WILLEY [mailto:AtticusRambo@tui-infotec.com]
Sent: 13 March 2013 11:22
To: Sara Smith
Subject: Fwd: Wapiti Land Corporation Guiding Principles attached

Hello,
Attached is a draft of the Guiding Principles that the Wapiti Lease Corporation (“W.L.C”) would like to publish. Prior to doing that, WLC would like you to have an
Read More
Posted in Malware, RU:8080, Spam, Turkey, Viruses | No comments

Zbot sites to block 13/3/13

Posted on 07:17 by Unknown


These domains and IPs seem to be active as Zbot C&C servers. The obsolete .su (Soviet Union) domain is usually a tell-tale sign of.. something.

Read More
Posted in .SU, Malware, Zbot | No comments

Tuesday, 12 March 2013

"End of Aug. Stat. Required" spam / giminkfjol.ru

Posted on 07:23 by Unknown


This spam leads to malware on giminkfjol.ru:


From: user@victimdomain.com
Sent: 12 March 2013 04:19
Subject: Re: End of Aug. Stat. Required

Good morning, as reqeusted I give you inovices issued to you per dec. 2012 ( Internet Explorer file)
Regards

The attachment Invoices-ATX993823.htm attempts to redirect the victim to [donotclick]giminkfjol.ru:8080/forum/links/column.php (report here) hosted on:
Read More
Posted in Germany, Hetzner, Italy, Malware, RU:8080, Spam, Turkey, Viruses | No comments

Monday, 11 March 2013

Wire Transfer spam / giminanvok.ru

Posted on 15:25 by Unknown


Another wire transfer spam, this time leading to malware on giminanvok.ru:


Date:      Mon, 11 Mar 2013 02:46:19 -0300 [01:46:19 EDT]
From:      LinkedIn Connections [connections@linkedin.com]
Subject:      Fwd: Wire Transfer (5600LJ65)

Dear Bank Account Operator,


WIRE TRANSFER: FED694760330367340
CURRENT STATUS: PENDING

Please REVIEW YOUR TRANSACTION as soon as possible.
The malicious
Read More
Posted in Endurance International Group, Germany, Hetzner, Malware, RU:8080, Spam, Turkey, Viruses | No comments

Wire Transfer spam / gimikalno.ru

Posted on 09:04 by Unknown


This fake wire transfer spam leads to malware on gimikalno.ru:


Date:      Mon, 11 Mar 2013 04:00:22 +0000 [00:00:22 EDT]
From:      Xanga [noreply@xanga.com]
Subject:      Re: Fwd: Wire Transfer Confirmation (FED REFERENCE 16442CU385)

Dear Bank Account Operator,
WIRE TRANSFER: FED62403611378975648
CURRENT STATUS: PENDING

Please REVIEW YOUR TRANSACTION as soon as possible.

The malicious
Read More
Posted in Endurance International Group, Germany, Hetzner, Malware, RU:8080, Spam, Turkey, Viruses | No comments

Sidharth Shah / OVH / itechline.com

Posted on 08:22 by Unknown


I have now come across several incidents of malware hosted in an OVH IP address range suballocated to Sidharth Shah. The blocks that I can identify so far are:

Read More
Posted in Evil Network, Malware, OVH, Sidharth Shah, Viruses | No comments

Something evil on 176.31.140.64/28

Posted on 07:01 by Unknown


176.31.140.64/28 is an OVH block suballocated to Sidharth Shah (mentioned in this earlier post). It contains a small number of malicious domains flagged by Google (in red); most of the rest of the sites have a very poor WOT rating (in yellow). I'll post more details later. You can safely assume that everything in this block is malicious, and I note that some of the domains are refugees from
Read More
Posted in Evil Network, Malware, OVH, Sidharth Shah, Spam, Viruses | No comments

Something evil on 37.59.214.0/28

Posted on 06:48 by Unknown


37.59.214.0/28 is an OVH IP range suballocated to a person called Sidharth Shah in Maryland (more of whom later). At the moment it is hosting a number of malware sites with a hard-to-determine payload such as [donotclick]55voolith.info:89/forum/had.php which is evading automated analysis.

The owner of this block is as follows:
organisation:   ORG-SS252-RIPE
org-name:       Shah Sidharth
org-type
Read More
Posted in Evil Network, Malware, OVH, Sidharth Shah, Spam, Viruses | No comments

Friday, 8 March 2013

RU:8080 and Amerika spam runs

Posted on 12:30 by Unknown


For about the past year I have seen two very persistent spam runs leading to malware, typically themed along the lines of fake emails from the BBB, LinkedIn, NACHA, USPS and ADP.

The most obvious characteristic of one of the spam runs in the use of a malware landing page containing .ru:8080, registered through NAUNET to the infamous "private person". In order to aid researchers, I have
Read More
Posted in Amerika, Malware, RU:8080, Spam, Viruses | No comments

AT&T spam (again)

Posted on 08:27 by Unknown


This fake AT&T spam leads to malware on.. well, in this case nothing at all.


Date:      Fri, 8 Mar 2013 10:37:24 -0500 [10:37:24 EST]
From:      AT&T Customer Care [icare7@amcustomercare.att-mail.com]
Subject:      Your AT&T wireless bill is ready to view

att.com | Support | My AT&T Account     Rethink Possible
Your wireless bill is ready to view
Dear Customer,
Your monthly wireless bill for your
Read More
Posted in Malware, Spam, Viruses | No comments

LinkedIn spam / giminalso.ru

Posted on 07:02 by Unknown


This fake LinkedIn spam leads to malware on giminalso.ru:


From: messages-noreply@bounce.linkedin.com [mailto:messages-noreply@bounce.linkedin.com] On Behalf Of LinkedIn Password
Sent: 08 March 2013 10:24
Subject: Aylin is now part of your network. Keep connecting...

     [redacted], Congratulations!
You and Aylin are now connected.

    Aylin Welsh

--
Tajikistan    

2012, LinkedIn
Read More
Posted in Germany, Hetzner, LinkedIn, Malware, RU:8080, Spam, Viruses | No comments

"Your tax return appeal is declined" / gimilako.ru

Posted on 06:44 by Unknown


This following fake IRS spam leads to malware on gimilako.ru:


From: Myspace [mailto:noreply@message.myspace.com]
Sent: 07 March 2013 20:55
Subject: Your tax return appeal is declined.

Dear Chief Account Officer,
Hereby you are notified that your Income Tax Refund Appeal id#9518045 has been REJECTED. If you believe the IRS did not properly estimate your case due to a misunderstanding of the
Read More
Posted in Hetzner, IRS, Malware, RU:8080, Spam, Viruses | No comments

Adobe CS4 spam / guuderia.ru

Posted on 01:55 by Unknown


This fake Adobe spam leads to malware on guuderia.ru:


From: messages-noreply@bounce.linkedin.com [mailto:messages-noreply@bounce.linkedin.com] On Behalf Of Donnie Cherry via LinkedIn
Sent: 07 March 2013 12:39
Subject: Order N40898

Good afternoon,

You can download your Adobe CS4 License here -

We encourage you to explore its new and enhanced capabilities with these helpful tips, tutorials,
Read More
Posted in Hetzner, Malware, RU:8080, Spam, Viruses | No comments

Thursday, 7 March 2013

Malware sites to block 7/3/13

Posted on 08:12 by Unknown


Some Cridex-based nastiness here. These are the malicious domains that I can find on the IPs mentioned, alternatively you can just block:

173.246.102.2 (Gandi, US)
173.255.215.242 (Linode, US)
64.13.172.42 (Silicon Valley Colocation, US)

Blocklist:
Read More
Posted in Gandi, Linode, Malware, Viruses | No comments

BBB Spam / alteshotel.net and bbb-accredited.net

Posted on 05:40 by Unknown


This fake BBB spam leads to malware on alteshotel.net and bbb-accredited.net:



Date:      Thu, 7 Mar 2013 06:23:12 -0700
From:      "Better Business Bureau Warnings" [hurriese3@bbb.com]
Subject:      BBB details regarding your claim No.

Sorry, your e-mail does not support HTML format. Your messages can be viewed in your browser
Better Business Bureau ©
Start With Trust ©

Thu, 6 March 2013

Read More
Posted in Amerika, BBB, Malware, Spam, TheFirst-RU, Viruses | No comments

Wednesday, 6 March 2013

Pizza spam / gimalayad.ru

Posted on 11:33 by Unknown



Cheese Lover's Pizza with no cheese?! Chicken pizza with three lots of extra ham?? This spam actually leads to malware on gimalayad.ru:


Date:      Wed, 6 Mar 2013 12:22:04 +0330
From:      Tagged [Tagged@taggedmail.com]
Subject:      Fwd: Order confirmation

You've just ordered pizza from our site

Pizza Ultimate Cheese Lover's with extras:
- Bacon Pieces
- Ham
- Bacon Pieces
- Jalapenos
-
Posted in Hetzner, Malware, Pizza, RU:8080, Spam, Viruses

BT Business Direct Order Spam / ginagion.ru

Posted on 07:59 by Unknown


This fake BT spam leads to malware on ginagion.ru:


From: Bebo Service [mailto:service=noreply.bebo.com@bebo.com] On Behalf Of Bebo Service
Sent: 05 March 2013 21:22
Subject: BT Business Direct Order


Notice of delivery

Hi,

We're pleased to confirm that we have now accepted and despatched your order on Wed, 6 Mar 2013 03:21:30 +0600.

Unless you chose a next day or other premium delivery
Posted in Hetzner, Malware, RU:8080, Spam, Viruses

Tuesday, 5 March 2013

Sendspace spam / forumkianko.ru

Posted on 07:59 by Unknown


This fake Sendspace spam leads to malware on forumkianko.ru:


Date:      Tue, 5 Mar 2013 06:52:10 +0100
From:      AyanaLinney@[redacted]
Subject:      You have been sent a file (Filename: [redacted]-51153.pdf)

Sendspace File Delivery Notification:

You've got a file called [redacted]-01271.pdf, (797.4 KB) waiting to be downloaded at sendspace.(It was sent by DEON VANG).

You can use the
Posted in Hetzner, Malware, RU:8080, Spam, Viruses

"Scan from a Hewlett-Packard ScanJet" spam / giliaonso.ru

Posted on 06:38 by Unknown


This fake HP printer spam leads to malware on giliaonso.ru:


Date:      Tue, 5 Mar 2013 12:53:40 +0500
From:      "Classmates . com" [classmatesemail@accounts.classmates.com]
Subject:      Fwd: Re: Scan from a Hewlett-Packard ScanJet #161051
Attachments:     HP_Scan.htm

Attached document was scanned and sent

to you using a HP A-16292P.

SENT BY : Landon
PAGES : 6
FILETYPE: .HTML [INTERNET
Posted in Hetzner, Malware, RU:8080, Spam, Viruses

Something evil on 5.9.196.3 and 5.9.196.6

Posted on 06:21 by Unknown


Two IPs in the 5.9.196.0/28 block that you probably want to avoid are 5.9.196.3 and 5.9.196.6. The first of these IPs is being used in an injection attack (in this case via [donotclick]frasselt-kalorama.nl/relay.php) leading to two identified malware landing pages:

[donotclick]kisielius.surfwing.me/world/explode_conscious-scandal.jar (report here)
[donotclick]
Posted in Hetzner, Injection Attacks, Malware, Viruses

Monday, 4 March 2013

"British Airways E-ticket receipts" spam / forum-la.ru

Posted on 14:19 by Unknown


This fake British Airways spam leads to malware on forum-la.ru:


From:     LiveJournal.com [do-not-reply@livejournal.com]
Date:     4 March 2013 12:17
Subject:     British Airways E-ticket receipts

e-ticket receipt
Booking reference: 9AZ3049885
Dear,

Thank you for booking with British Airways.

Ticket Type: e-ticket
This is your e-ticket receipt. Your ticket is held in our systems, you will
Posted in Malware, RU:8080, Spam, Viruses

dealerbid.co.uk spam

Posted on 07:59 by Unknown


This spam was sent to an email address used ONLY to sign up for dealerbid.co.uk:


From:     HM Revenue & Customs [enroll@hmrc.gov.uk]
Date:     4 March 2013 13:37
Subject:     HMRC Tax Refund ID: 3976244

Dear Taxpayer,

After the last annual calculations of your fiscal activity we have discovered that you are eligible to receive a tax refund of 377.50 GBP. Kindly complete the tax refund request and
Posted in Spam

eFax spam / forumla.ru

Posted on 07:32 by Unknown


This fake eFax spam leads to malware on forumla.ru:

Date:      Mon, 4 Mar 2013 08:53:20 +0300
From:      LinkedIn [welcome@linkedin.com]
Subject:      Efax Corporate
Attachments:     Efax_Corporate.htm



Fax Message [Caller-ID: 646370000]

You have received a 57 pages fax at Mon, 4 Mar 2013 08:53:20 +0300, (213)-406-0113.

* The reference number for this fax is [eFAX-336705661].

View
Posted in eFax, Malware, RU:8080, Spam, Viruses

Delta Airlines spam / inanimateweaknesses.net and complainpaywall.net

Posted on 07:26 by Unknown


This fake Delta Airlines spam leads to malware on inanimateweaknesses.net and complainpaywall.net:


From: DELTA CONFIRMATION [mailto:cggQozvOc@sutaffu.co.jp]
Sent: 04 March 2013 14:27
Subject: Your Receipt and Itinerary

Thank you for choosing Delta. We encourage you to review this information before your trip.
If you need to contact Delta or check on your flight information, go to delta.com/
Posted in Amerika, logol.ru, Malware, Russia, Spam, Viruses

Friday, 1 March 2013

Casino-themed Blackhole sites

Posted on 06:26 by Unknown


Here's a couple of URLs that look suspiciously like a BlackHole Exploit Kit, hosted on 130.185.105.74:

[donotclick]888casino-luckystar.net/discussing/sizes_agreed.php
[donotclick]555slotsportal.org/discussing/alternative_distance.php
[donotclick]555slotsportal.net/shrift.php
[donotclick]555slotsportal.net/discussing/alternative_distance.php
[donotclick]555slotsportal.me/discussing/
Posted in Malware, Viruses