June 2013 ~ tech support 9

Friday, 28 June 2013

jConnect spam / FAX_281_3927981981_283.zip

Posted on 08:09 by Unknown

This fake fax spam is meant to contain malware, but in this particular case is being sent out with a corrupt attachment:

Date:     Fri, 28 Jun 2013 09:41:52 -0500 [10:41:52 EDT]
From:     jConnect [message@inbound.j2.com]
Subject:     jConnect fax from "697-377-6967" - 28 page(s), Caller-ID: 697-377-6967

Fax Message[Caller-ID: 697-377-6967] You have received a 28 page(s) fax at 2012-12-17

Posted in EXE-in-ZIP, Fail, Spam | No comments

Thursday, 27 June 2013

OfficeWorld.com spam / sartorilaw.net

Posted on 11:00 by Unknown

This fake OfficeWorld spam leads to malware on sartorilaw.net:

Date: Thu, 27 Jun 2013 12:39:36 -0430 [13:09:36 EDT]From: customerservice@emalsrv.officeworldmail.netSubject: Confirmation notification for order 1265953Thank you for choosing OfficeWorld.com - the world's biggest selection of business products!Please review your order details below. If you have any questions,

Posted in Amerika, Malware, Netherlands, Russia, Spain, Spam, Viruses | No comments

Tuesday, 25 June 2013

ADP spam / spanishafair.com

Posted on 15:53 by Unknown

This fake ADP spam leads to malware on spanishafair.com:

Date: Tue, 25 Jun 2013 14:38:05 +0000 [10:38:05 EDT]From: Run Do Not Reply [RunDoNotReply@ipn.adp.net]Subject: Your Biweekly payroll is acceptedYoyr payroll for check date 06/25/2013 is approved. Your payroll would be done at least 3 days before to your check date to ensure timely tax deposits and payroll delivery. If

Posted in ADP, Amerika, China, Spam, Viruses | No comments

"Southwest Airlines Confirmation: KQR101" spam / meynerlandislaw.net

Posted on 09:53 by Unknown

This fake Southwest Airlines spam leads to malware on meynerlandislaw.net:

from: Southwest Airlines [information@luv.southwest.com]reply-to: Southwest Airlines [no-reply@emalsrv.southwestmail.com]date: 25 June 2013 17:09subject: Southwest Airlines Confirmation: KQR101[redacted] 2013-06-25 JACEE3 INITIAL SLC WN PHX0.00T/TFF 0.00 END AY2.50$SLC1.50 1583018870396 2013-12-22 1394

Posted in Amerika, China, Malware, Spam, Viruses | No comments

Monday, 24 June 2013

Something evil on 173.246.104.154

Posted on 14:01 by Unknown

173.246.104.154 (Gandi, US) is hosting hacked GoDaddy domains serving a variety of malware [1] [2]. At the moment the following domains appear to be hosted on that server:
aandimedsolutions.com
aandimedsolutions.info
aandimedsolutions.net
antarcticland-union.it
antarcticland-union.org
antarcticland-union.us
easymapbuilder.com
findmynewschool.com
governmentofantarcticland.it

Posted in Gandi, Malware, Viruses | No comments

"Fiserv Secure Email Notification - TBTATU41DMJDT5B" spam / SecureMessage_TBTATU41DMJDT5B.zip

Posted on 08:24 by Unknown

This fake FISERV email has a malicious attachment SecureMessage_TBTATU41DMJDT5B.zip containing a trojan named SecureMessage.exe:

Date:     Mon, 24 Jun 2013 07:27:59 -0600 [09:27:59 EDT]
From:     Fiserv Secure Notification [secure.notification@fiserv.com]
Subject:     Fiserv Secure Email Notification - TBTATU41DMJDT5B
Part(s):
    2     SecureMessage_TBTATU41DMJDT5B.zip     [

Posted in EXE-in-ZIP, Malware, Spam, Viruses | No comments

Facebook spam / chinadollars.net

Posted on 07:58 by Unknown

This fake Facebook spam leads to malware on chinadollars.net:

Date: Mon, 24 Jun 2013 09:18:12 -0500From: Facebook [notification+SCCRJ42M8P@facebookmail.com]Subject: You have 1 friend requestfacebook You have new notifications.A lot has happened on Facebook since you last logged in. Here are some notifications you've missed from your friends. 1 friend requestView

Posted in China, Facebook, Malware, Spam, Viruses | No comments

DanielMcClintic@hotmail.com fake job offer

Posted on 05:32 by Unknown

Another staggeringly crude money mule recruitment spam, like this one. Unless you like prison food I would advise you to leave this fake offer alone.

Date: Mon, 24 Jun 2013 22:56:39 +0900 [09:56:39 EDT]From: Delmar RoarkSubject: Work in the finance departmentWe invite you to work in the home assistant offer.This job takes 2-3 hours a week and requires absolutely no

Posted in Job Offer Scams, Korea | No comments

www.public-trust.com false positive at Phishtank

Posted on 02:14 by Unknown

public-trust.com houses Certificate Revocation Lists (CRLs) and is controlled by Verizon. It probably houses other certificate infrastructure too, but at the moment several web filtering systems are detecting it as a phishing site due to a false positive at Phishtank.

Some example URLs (which are perfectly safe) include:
http://www.public-trust.com/cgi-bin/CRL/2018/cdp.crlhttp://cdp1.

Posted in False Positive, Phishtank | No comments

Saturday, 22 June 2013

julia.sailor@hotmail.com fake job offer

Posted on 10:40 by Unknown

These guys aren't really trying. The email address is julia.sailor@hotmail.com but the email is signed Claudine Nash and appears to be "from" brooksd@kormanlederer.com originating from an IP address in Brazil. The so-called "job" is going to be money laundering or some such, avoid.

Date: Sat, 22 Jun 2013 20:47:56 -0300 [19:47:56 EDT]From: Claudine Nash [brooksd@kormanlederer.com]

Posted in Job Offer Scams, Spam | No comments

Friday, 21 June 2013

LexisNexis spam FAIL

Posted on 14:49 by Unknown

This fake LexisNexis spam is meant to have a malicious attachment, but something has gone wrong. Nonetheless, the next time the spammers try it they will probably get it right.. so beware of any emails similar to this one that have an attachment larger than a couple of hundred bytes.

Date: Fri, 21 Jun 2013 10:48:12 -0700 [13:48:12 EDT]
From: LexisNexis [einvoice.notification@

Posted in EXE-in-ZIP, Fail, Spam | No comments

"Unusual Visa card activity" spam / anygus.com

Posted on 14:31 by Unknown

It's not usually like these guys to mess up so badly, but this FAIL of a Visa spam leads to malware on anygus.com. Note the bits in {braces} that should have content..

From:    Visa Anti-Fraud [upbringingve@visabusiness.com]
Date:    21 June 2013 17:36
Subject:    Unusual Visa card activity

we {l1} detected {l2} activity in your business visa account.

please click here to view {l4}
your

Posted in Amerika, Blackhole, Malware, Romania, Spam, Viruses | No comments

luntravel.com are a bunch of stupid spammers

Posted on 05:40 by Unknown

Like most people I get of lot of spam. Sometimes it makes me cross. Here's one sent to scraped email address that is effectively a spamtrap.

From:    Luntravel [noreply@luntravelmail.com]
Reply-To:    Luntravel [noreply@luntravelmail.com]
Date:    21 June 2013 13:03
Subject:    New offers from £49
Mailing list:    c425d640a3819ebec8af23ba171be24c

So far, just a spam with a graphic in,

Posted in OVH, Spain, Spam, Stupidity | No comments

Thursday, 20 June 2013

ADP spam / planete-meuble-pikin.com

Posted on 06:44 by Unknown

This fake ADP spam leads to malware on planete-meuble-pikin.com:

Date: Thu, 20 Jun 2013 07:12:28 -0600From: EasyNetDoNotReply@clients.adpmail.orgSubject: ADP EasyNet: Bank Account Change AlertDear Valued ADP Client,As part of ADP's commitment to provide you with exceptional service, ADP is taking additional steps to ensure that your payroll data is secure. Therefore, we are

Posted in ADP, Amerika, Malware, Romania, Spain, Spam | No comments

Moniker "Security Notice: Service-wide Password Reset" mail and t.lt02.net

Posted on 01:04 by Unknown

This email from Moniker shows an impressive combination of WIN and FAIL at the same time.

www.moniker.com MonikerMoniker’s Operations & Security team has discovered and blocked suspicious activity on the Moniker network that appears to have been a coordinated attempt to access a number of Moniker user accounts.As a precaution to protect your domains, we have decided to implement a

Posted in Data Breach, Fail | No comments

Wednesday, 19 June 2013

HP Spam / HP_Scan_06292013_398.zip FAIL

Posted on 08:33 by Unknown

I've been seeing these spams for a couple of days now..

Date: Wed, 19 Jun 2013 09:39:27 -0500 [10:39:27 EDT]From: HP Digital Device [HP.Digital0@victimdomain]Subject: Scanned CopyPlease open the attached document. This document was digitally sent to you using an HP Digital Sending device.To view this document you need to use the Adobe Acrobat Reader.----------------------------

Posted in EXE-in-ZIP, Fail, Malware, Printer Spam, Spam, Viruses | No comments

Something evil on 205.234.139.169

Posted on 04:20 by Unknown

205.234.139.169 (Hostforweb, US) appears to be hosting a bunch of Java exploits being served up on subdomains of hacked GoDaddy domains. The malware looks like it is being served up in some sort of injection attack. Here are some example URLs of badness:

[donotclick]blog2.stefuraassociatesinc.com:6842/ServerAdministrator/keys/pairs/applet.jnlp[donotclick]blog2.stefuraassociatesinc.com:6842/

Posted in GoDaddy, Injection Attacks, Malware, Viruses | No comments

Tuesday, 18 June 2013

UPS Spam / rmacstolp.net

Posted on 07:15 by Unknown

This fake UPS spam leads to malware on rmacstolp.net:

Date:     Tue, 18 Jun 2013 01:21:34 -0800 [05:21:34 EDT]
From:     UPSBillingCenter@upsmail.net
Subject:     Your UPS Invoice is Ready

UPS Billing Center

This is an automatically generated email. Please do not reply to this email address.

Dear UPS Customer,

Thank you for your business.

New invoice(s) are available for the

Posted in Brazil, Malware, Romania, Spam, UPS, Viruses | No comments

Something phishy on 92.48.75.214

Posted on 03:14 by Unknown

A couple of phishing sites 92.48.75.214 (Simply Transit, UK):

linkedlne.com - LinkedIn / Webmail Phish
This laughable fake LinkedIn login page is trying to harvest webmail addresses, being sent out via a spam message and leading to a link at [donotclick]www.linkedlne.com/login/user/:

From: Linkedln Support [Support@supportlinkedln.com]Date: 18 June 2013 06:53Subject: You need to

Posted in LinkedIn, Phishing, Simply Transit | No comments

Are OVH finally taking action against spammers?

Posted on 01:30 by Unknown

An interesting announcement from OVH might finally get the spammers on their network under control, especially the ones from India who tend to spam with impunity.

We are carrying out setup tests on the duplication of outgoing email flow.The idea is to duplicate all the traffic created by customers, going out through port 25 (smtp) on an anti-spam network, and then to analyse the sample of

Posted in OVH, Spam | No comments

Monday, 17 June 2013

NewEgg.com spam / profurnituree.com

Posted on 11:34 by Unknown

This fake NewEgg.com spam leads to malware on profurnituree.com:

Date: Mon, 17 Jun 2013 20:09:35 +0300 [13:09:35 EDT]From: Newegg Auto-Notification [indeedskahu02@services.neweg.com]Subject: Newegg.com - Payment ChargedNewegg logo My Account My Account | Customer Services Customer ServicesTwitter Twitter You Tube You Tube Facebook

Posted in Amerika, Brazil, Malware, Spam, Viruses | No comments

Something evil on 85.214.64.153

Posted on 03:52 by Unknown

85.214.64.153 is an IP belonging to Strato AG in Germany, it appears to host some legitimate sites but the server seems to be serving up the Neutrino exploit kit (example) which is being injected into hacked websites (specifically, malicious code is being appended to legitimate .js files on those site).

The follow Dynamic DNS domains are being abused in this attack, while they are not

Posted in Dynamic DNS, Germany, Injection Attacks, Malware, Viruses | No comments

Saturday, 15 June 2013

HAIR / Biostem Pump and Dump rakes in the dollars

Posted on 09:45 by Unknown

If like me you've been plagued with pump and dump spam messages for Biostem US Corp (stock ticker HAIR) for the past several days, you might be curious to know if this massive spam run is actually having any impact on the company's share price.

The stock spam started after the close of trading on Friday 7th June 2013 and has continued aggressively ever since. In parallel, the message boards

Posted in Pump and Dump | No comments

Friday, 14 June 2013

On 195.110.124.133

Posted on 03:20 by Unknown

A couple of days ago I recommended blocking 195.110.124.133 (Register.it, Italy) as a malware C&C server. It turns out that I didn't do enough checking, and this is a parking server with nearly 200k sites on it, mostly for Italian customers.

You might want to unblock the IP and block the domain ftp.videotre.tv.it instead. On the other hand, there is still some actual evil-ness on this server

Posted in Italy, Mea Culpa | No comments

Yahoo! "We want you back" email mystery

Posted on 00:59 by Unknown

Here's a minor mystery with something that looks very much like a phishing email..

From:    Yahoo! [noreply@email.yahoo-inc.com]
Date:    14 June 2013 08:42
Subject:    We want you back
Signed by:    email.yahoo-inc.com

Yahoo!
We want you back.
Sign in now


Keep your account active by signing in before July 15th, 2013.

By reactivating your Yahoo! account you can

Posted in Stupidity, Yahoo | No comments

Wednesday, 12 June 2013

"Scan from a Xerox WorkCentre" spam / Scan_06122013_29911.zip

Posted on 15:57 by Unknown

This fake Xerox WorkCentre spam comes with a malicious attachment and appears to come from the victim's own domain:

Date:     Wed, 12 Jun 2013 10:36:16 -0500 [11:36:16 EDT]
From:     Xerox WorkCentre [Xerox.Device9@victimdomain.com]
Subject:     Scan from a Xerox WorkCentre

Please download the document. It was scanned and sent to you using a Xerox multifunction device.

File Type: pdf

Posted in Malware, Printer Spam, Spam | No comments

Fedex spam / oxfordxtg.net

Posted on 15:40 by Unknown

This fake FedEx spam leads to malware on oxfordxtg.net:

Date: Thu, 13 Jun 2013 01:18:09 +0800 [13:18:09 EDT]From: FedEx [wringsn052@emc.fedex.com]Subject: Your Fedex invoice is ready to be paid now.FedEx(R) FedEx Billing Online - Ready for Payment fedex.com Hello [redacted]You have a new outstanding invoice(s) from FedEx that is ready for payment.The

Posted in Amerika, Blackhole, China, FedEx, Malware, Spam | No comments

Is this Guy a moron spammer?

Posted on 05:29 by Unknown

Here's a spam email from somebody I'll call Guy Van Dumbass (not quite his real name, but close enough). Is this Guy a moron spammer? Or does he just hire morons to push his CV through spam?

From:    Guy Van Dumbass [gvd@g-vanDumbass.be]
Date:    12 June 2013 09:52
Subject:    Sollicitatie als directiemedewerker

Pour la version française, cliquez ici

Betreft : Spontane sollicitatie –

Posted in Spam, Stupidity | No comments

Malware sites to block 12/6/13

Posted on 04:38 by Unknown

This is a refresh of this list of domains and IPs controlled by what I call the "Amerika" gang, and it follows on from this BBB spam run earlier. Note that IPs included in this list show recent malicious activity, but it could be that they have now been fixed. I also noticed that a couple of the domains may have been sinkholed, but it will do you no harm to block them anyway.

Hosts involved:

Posted in Amerika, Brazil, China, Estonia, Germany, GHOSTnet, India, Italy, Kenya, Korea, Leaseweb, Malware, Netherlands, Russia, Slicehost, Sweden, Taiwan, Thailand, Turkey, Viruses | No comments

BBB Spam / trleaart.net

Posted on 02:43 by Unknown

This fake BBB spam with a "PLAINT REPORT" (sic) leads to malware on trleaart.net:

From: Better Business Bureau [mailto:rivuletsjb72@bbbemail.org]
Sent: 11 June 2013 18:04

Subject: Better Business Beareau Complaint ¹ S3452568
Importance: High

Sorry, your e-mail does not support HTML format. Your messages can be viewed in your browser

Better Business Bureau ©
Start With Trust
Tue , 11

Posted in Amerika, BBB, Brazil, Malware, Romania, Spam, Turkey, Viruses | No comments

Tuesday, 11 June 2013

Amazon.com spam / goldcoinvault.com

Posted on 14:07 by Unknown

This fake Amazon.com spam leads to malware on goldcoinvault.com:

Date:     Tue, 11 Jun 2013 14:25:21 -0600 [16:25:21 EDT]
From:     "Amazon.com Customer Care Service" [payments-update@amazon.com]
Subject:     Payment for Your Amazon Order # 104-884-8180383

Regarding Your Amazon.com Order

Order Placed:

Posted in Amazon, Linode, Malware, Spam, Viruses | No comments

Something evil on 173.255.213.171

Posted on 08:04 by Unknown

As a follow-up to this post, the exploit server on 173.255.213.171 (Linode, US) is hosting a number of hijacked GoDaddy-registered domains that are serving an exploit kit [1] [2]. If you are unable to block 173.255.213.171 then I would recommend the following blocklist:

ccrtl.com
eaglebay5.com
eaglebay-eb5.com
gosuccessmode.com
hraforbiz.com
margueritemcenery.com
mceneryfinancial.com

Posted in Blackhole, Linode, Malware, Spam | No comments

Monday, 10 June 2013

Wells Fargo spam / Important WellsFargo Doc.exe / Important WellsFargo Docs.exe

Posted on 13:22 by Unknown

This fake Wells Fargo spam run comes with one of two malicious attachments:

Date:     Mon, 10 Jun 2013 13:00:13 -0500 [14:00:13 EDT]
From:          Anthony_Starr@wellsfargo.com
Subject:     IMPORTANT - WellsFargo

Please check attached documents.

Anthony_Starr
Wells Fargo Advisors
817-563-9816 office
817-368-5471 cell Anthony_Starr@wellsfargo.com

ATTENTION: THIS E-MAIL MAY BE AN

Posted in Aruba, EXE-in-ZIP, Linode, Malware, Spam, Viruses | No comments

Friday, 7 June 2013

"PAYVE - Remit file" spam / CD0607213.389710762910.zip

Posted on 11:05 by Unknown

This fake American Express Payment Network spam has a malicious attachment.

Date:     Fri, 7 Jun 2013 20:41:25 +0600 [10:41:25 EDT]
From:     "PAYVESUPPORT@AEXP.COM" [PAYVESUPPORT@AEXP.COM]
Subject:     PAYVE - Remit file

A payment(s) to your company has been processed through the American Express Payment
Network.
The remittance details for the payment(s) are attached (

Posted in EXE-in-ZIP, Linode, Malware, Spam, Viruses | No comments

BBB spam / pnpnews.net

Posted on 07:46 by Unknown

This fake BBB spam leads to malware on pnpnews.net:

From: Better Business Bureau [mailto:standoffzwk68@clients.bbb.com]
Sent: 07 June 2013 15:08
Subject: BBB information regarding your customer's pretension No. 00167486

Better Business Bureau ©
Start With Trust ©
Fri, 7 Jun 2013
RE: Complaint No. 00167486
[redacted]
The Better Business Bureau has been entered the above said grievance

Posted in Amerika, BBB, Malware, Spam, Sweden, Viruses | No comments

Malware sites to block 7/6/13

Posted on 02:35 by Unknown

Two IPs that look related, the first is 37.235.48.185 (Edis, Poland or Austria) which host some domains that are also found here (158.255.212.96 and 158.255.212.97, also Edis) that seem to be used in injection attacks. I can identify the following domains linked to 37.235.48.185:

faggyppvers5.infofinger2.climaoluhip.orglinkstoads.netnode1.hostingstatics.orgnode2.hostingstatics.org

Injecting

Posted in Austria, Edis, Injection Attacks, Malware, Viruses | No comments

Thursday, 6 June 2013

USPS spam / USPS_Label_861337597092.zip

Posted on 13:57 by Unknown

This fake USPS spam contains a malicious attachment:

Date:     Thu, 6 Jun 2013 10:43:56 -0500 [11:43:56 EDT]
From:     USPS Express Services [service-notification@usps.com]
Subject:     USPS - Your package is available for pickup ( Parcel 861337597092 )

Postal Notification,

We attempted to deliver your item at 6 Jun 2013.
Courier service could not make the delivery of your parcel.
Status

Posted in EXE-in-ZIP, Jolly Works Hosting, Malware, Spam, USPS, Viruses | No comments

NatPay "Transmission Confirmation" spam / usforclosedhomes.net

Posted on 08:36 by Unknown

This fake NatPay spam leads to malware on usforclosedhomes.net.

Version 1:

Date:     Thu, 6 Jun 2013 20:53:08 +0600 [10:53:08 EDT]
From:     National Payment Automated Reports System [dunks@services.natpaymail.net]
Subject:     Transmission Confirmation ~26306682~N25BHHL1~
Transmission Verification     Contact UsTo:     NPC Account # 26306682Xavier Reed    Re:     NPC Account # 26306682D &

Posted in Amerika, Kenya, Korea, Malware, Spam | No comments

Innex, Inc fake spam

Posted on 01:51 by Unknown

Innex, Inc is a real company. This spam email message is not from Innex, Inc.

From:    PURCHASING DEPARTMENT [fdmelo@fucsalud.edu.co]
To:
Reply-To:    pinky.yu@chanqtjer.com.tw
Date:    6 June 2013 08:55
Subject:    Innex, Inc.

Sir/Madam,

Our Company is interested in your product, that we saw in trading site,

Your early reply is very necessary for further detail specification

Posted in Scam, Spam | No comments

rxlogs.net: spam or Joe Job?

Posted on 01:32 by Unknown

I've had nearly one hundred of these this morning. Is it a genuine spam run or a Joe Job?

Date: Thu, 6 Jun 2013 09:44:18 -0700 [12:44:18 EDT]From: Admin [whisis101@gmail.com]Reply-To: ec2-abuse@amazon.comfacebook You recently requested a new password for your Facebook account. It looks like we sent you an email with a link to reset your password 4 ago.This is a reminder that

Posted in Facebook, Joe Job, Spam | No comments

Wednesday, 5 June 2013

More Champions Club Community spam

Posted on 00:59 by Unknown

These grubby little spammers are at it again. Apparently Steve Jobs is dead. Who knew?

Anyway, the originating IP is 217.174.248.194 [web1-opp2.champions-bounce.co.uk] (Fasthosts, UK). Spamvertised domains are champions.onlineprintproofing.co.uk also on 217.174.248.194 and championsclubcommunity.com on 109.203.113.124 (Eukhost, UK). Give these spammers a wide berth.

From: The Editor -

Posted in Spam | No comments

Monday, 3 June 2013

"Fiserv Secure Email Notification" spam with an encrypted, malicious ZIP attachment

Posted on 14:17 by Unknown

This spam email contains an encrypted ZIP file with password-protected malware.

Date:     Mon, 3 Jun 2013 14:11:14 -0500 [15:11:14 EDT]
From:     Fiserv Secure Notification [secure.notification@fiserv.com]
Subject:     Fiserv Secure Email Notification - IZCO4O4VUHV83W1

You have received a secure message

Read your secure message by opening the attachment, SecureMessage_IZCO4O4VUHV83W1.zip

Posted in EXE-in-ZIP, Malware, Spam, Viruses | No comments