tech support 9


Monday, 30 September 2013

Wells Fargo "Important Documents" spam with a malicious ZIP file

Posted on 14:25 by Unknown


This fake Wells Fargo spam comes with a malicious attachment:


Date:      Mon, 30 Sep 2013 11:54:15 -0600 [13:54:15 EDT]
From:      Bryon Faulkner [Bryon.Faulkner@wellsfargo.com]
Subject:      Important Documents

Please review attached documents.

Bryon Faulkner
Wells Fargo Advisors
817-527-6769 office
817-380-3921 cell
Bryon.Faulkner@wellsfargo.com

Investments in securities and insurance products
Posted in EXE-in-ZIP, Malware, Spam, Viruses | No comments

IRS "Invalid File Email Reminder" spam / oooole.org

Posted on 06:46 by Unknown


This fake IRS spam leads to malware on oooole.org:


Date:      Mon, 30 Sep 2013 03:44:12 -0800 [07:44:12 EDT]
From:      "Fire@irs.gov" [burbleoe9@irs.org]
Subject:      Invalid File Email Reminder

9/30/2013

Valued Transmitter,

We few weeks ago received your electronic file(s) of information returns; but, the file(s) contained errors. As of the date of this email, we have not received a good
Posted in GoDaddy, IRS, Malware, Spam, ThreeScripts | No comments

Friday, 27 September 2013

Facebook "You have new notifications" spam / directgrid.org

Posted on 07:39 by Unknown


This fake Facebook spam leads to malware on directgrid.org:


Date:      Fri, 27 Sep 2013 16:22:58 +0300 [09:22:58 EDT]
From:      Facebook [notification+W85BNFWX@facebookmail.com]
Subject:      You have 21 friend suggestions, 11 friend requests and 14 photo tags

facebook
You have new notifications.
A lot has happened on Facebook since you last logged in. Here are some notifications
you've
Posted in Facebook, Linode, Malware, Spam, ThreeScripts, Viruses | No comments

Thursday, 26 September 2013

Something evil on 91.231.98.149 and boats.net

Posted on 04:29 by Unknown


This injection attack [urlquery] on boats.net caught my attention, a nasty bit of injected code pointing to a (now suspended) domain called gamelikeboards.biz hosted on 91.231.98.149 (Neohost.net, Ukraine). Basically, the victim website has code injected pointing to [donotclick]gamelikeboards.biz/_cp/crone/ which cannot be anything good.

What do we know about gamelikeboards.biz? As luck would
Posted in Injection Attacks, Malware, Ukraine, Viruses | No comments

Wednesday, 25 September 2013

Intuit spam / Invoice_3056472.zip

Posted on 11:08 by Unknown


It's an email from a company I have no dealings with, with a ZIP file that contains an EXE file! What could possibly go wrong? Oh..


Date:      Wed, 25 Sep 2013 09:37:48 -0600 [11:37:48 EDT]
From:      Lewis Muller [Lewis.Muller@intuit.com]
Subject:      FW: Invoice 3056472

Your invoice is attached.

Sincerely,
Lewis Muller

This e-mail has been sent from an automated system.  PLEASE DO NOT REPLY.

The
Posted in EXE-in-ZIP, INTUIT, Malware, Spam | No comments

AICPA spam / children-bicycle.net

Posted on 08:25 by Unknown


This fake AICPA spam leads to malware on the domain children-bicycle.net:


From:     Reggie Wilkins [blockp12@clients.aicpa.net]
Date:     25 September 2013 15:03
Subject:     Your accountant license can be cancelled.

You're receiving this email as a Certified Public Accountant and a member of AICPA.
Having trouble reading this email? View it in your browser.

AICPA logo

Cancellation of Accountant
Posted in AICPA, Amerika, Malware, Spam, Viruses | No comments

6rf.net and something evil on 198.50.225.121, 85.25.108.10 and 178.33.208.211

Posted on 07:40 by Unknown


Here are a couple of IPs serving exploit kits. The case in question is a legitimate site that loads code from 6rf.net, and this in turn loads an exploit kit from [donotclick]yandex.ru.sgtfnregsnet.ru and [donotclick]l451l.witnessvacant.biz.

The .biz domain in this case is hosted on 198.50.225.121 (OVH, Canada) along with subdomains of the following (more here):

witnessvacant.biz
Posted in Germany, Intergenia, Malware, OVH, Russia, Viruses | No comments

Tuesday, 24 September 2013

"International Wire Transfer" spam / INTL_Wire_Report-09242013.zip

Posted on 14:53 by Unknown


This fake wire transfer spam has a malicious attachment:


Date:      Tue, 24 Sep 2013 10:54:32 -0700 [13:54:32 EDT]
From:      Wells Fargo Event Messaging Admin [ofsrep.ceoemigw@wellsfargo.com]
Subject:      International Wire Transfer File Not Processed

We are unable to process your International Wire Transfer request due to insufficient funds in the identified account.

Review the information
Posted in EXE-in-ZIP, Malware, Spam, Viruses | No comments

Malware sites to block 24/9/2013

Posted on 03:09 by Unknown


The malicious IPs and domains on this list are operated by this gang, and it replaces last week's list.

Posted in Amerika, Brazil, China, France, Germany, India, Japan, Korea, Malware, Netherlands, OVH, Sweden, Ukraine, Viruses | No comments

Saturday, 21 September 2013

Siga Resources Inc (SGAE) pump-and-dump spam

Posted on 02:57 by Unknown




This pump-and-dump (P&D) spam for Siga Resources Inc (SGAE) follows a familiar pattern: it starts almost immediately after the close of trading on the Friday and the characteristics match several other recent spam runs which have been sent out by the Kelihos botnet. The spams look like this:


Are We having Fun Yet? THIS COMPANY IS UP TODAY ON LARGE VOLUME.

Trading Date: Monday, September
Posted in Pump and Dump, Spam | No comments

Friday, 20 September 2013

WhatsApp "3 New Voicemail(s)" spam and 219.235.1.127

Posted on 15:08 by Unknown


I am indebted to Gary Warner for his analysis of this malware. But I can't resist having a poke at it myself. This malware is particularly cunning.

First of all, it starts with a WhatsApp-themed spam:


From:     WhatsApp Messaging Service
Date:     20 September 2013 19:36
Subject:     3 New Voicemail(s)

WhatsApp

You have a new voicemail!
Details
Time of Call: Sep-17 2013 04:05:07
Lenth of
Posted in Android, China, Malware, Spam, Viruses | No comments

Thursday, 19 September 2013

Apple (AAPL) pump-and-dump spam

Posted on 08:18 by Unknown


A pump and dump spam trying to move Apple (AAPL) stock? Really? I don't think a spam run is going to have much effect on a $473 share in a company worth $420bn.


From: lpskann@scminvest.com
Subject: This Company continues to surge, could new highs be ahead?

Apple has presented its new models - iPhone 5S and iPhone 5C,
which actually have not moved the providers of financing. But, we
got to
Posted in Apple, Pump and Dump, Spam, Stupidity | No comments

Wednesday, 18 September 2013

"INCOMING FAX REPORT" spam / lesperancerenovations.com

Posted on 13:58 by Unknown


This fake fax spam appears to come from the Administrator at the victim's domain:

Date:      Wed, 18 Sep 2013 15:01:42 -0500 [16:01:42 EDT]
From:      Administrator [administrator@victimdomain]
Subject:   INCOMING FAX REPORT : Remote ID: 8775654573

*********************************************************
INCOMING FAX REPORT
*********************************************************

Date/Time: 09/18
Posted in GoDaddy, Malware, Spam, ThreeScripts, Viruses | No comments

Tuesday, 17 September 2013

FDIC spam / horse-mails.net

Posted on 09:03 by Unknown


This fake FDIC spam leads to malware on www.fdic.gov.horse-mails.net:


Date:      Tue, 17 Sep 2013 15:28:52 +0330 [07:58:52 EDT]
From:      insurance.coverage@fdic.gov
Subject:      FDIC: About your business account

Dear Business Customer,

We have important news regarding your financial institution.

Please View to see further details.

This includes information on the acquiring bank (if applicable),
Posted in Amerika, Malware, Spam, Viruses | No comments

ADP spam / ADP_831290760091.zip

Posted on 08:47 by Unknown


This fake ADP spam has a malicious attachment:


Date:      Tue, 17 Sep 2013 20:32:04 +0530 [11:02:04 EDT]
From:      ADP ClientServices
Subject:      ADP - Reference #831290760091
Priority:      High Priority 1 (High)

We were unable to process your recent transaction. Please verify your details and try again.
If the problem persists, contact us to complete your order.

Transaction details
Posted in ADP, EXE-in-ZIP, Malware, Spam, Viruses | No comments

FedEx spam FAIL

Posted on 08:33 by Unknown


This fake FedEx spam is presumably meant to have a malicious payload:


Date:      Tue, 17 Sep 2013 13:02:25 +0000 [09:02:25 EDT]
From:      webteam@virginmedia.com
Subject:      Your Rewards Order Has Shipped
Headers:      Show All Headers

This is to confirm that one or more items in your order has been shipped. Note that multiple items in an order may be shipped
Posted in Fail, FedEx, Malware, Spam | No comments

SpeedPacket, CookieBomb and something evil on 37.58.73.42, 95.156.228.69 and 195.210.43.42

Posted on 07:30 by Unknown


A few days ago the Internet Storm Center raised a question about activity on 37.58.73.42 (Softlayer, Netherlands / Techpreneurs India Pvt Ltd, India), 95.156.228.69 (Game Company, Germany) and 195.210.43.42 (Syntis, France).

I hadn't seen the attack in question until today with this injection attack on a legitimate site, using a Cookie Bomb script [1] [2] to send victims to a site [donotclick]
Posted in CookieBomb, Evil Network, Malware, Viruses | No comments

Malware sites to block 17/9/13

Posted on 04:36 by Unknown


This set of malicious IPs and domains is associated with this gang, and the list replaces the last one published here.

Posted in Amerika, Brazil, Bulgaria, Canada, China, Finland, France, Germany, India, Korea, Malware, Russia, Sweden, Viruses | No comments

Monday, 16 September 2013

eFax spam / rockims.com

Posted on 12:15 by Unknown


This fake eFax spam leads to malware on rockims.com:


Date:      Mon, 16 Sep 2013 22:43:06 +0400 [14:43:06 EDT]
From:      eFax Corporate [message@inbound.efax.com]
Subject:      Corporate eFax message - 1 pages

Warning: This message may not be from whom it claims to be. Beware of following any links in it or of providing the sender with any personal information.

Fax Message [Caller-ID:
Posted in eFax, Linode, Malware, Spam, ThreeScripts, Viruses | No comments

Walls Fargo spam / WellsFargo - Important Documents.zip

Posted on 07:53 by Unknown


This fake Wells Fargo spam has a malicious attachment:


Date:      Mon, 16 Sep 2013 09:26:51 -0500 [10:26:51 EDT]
From:      Harrison_Walsh@wellsfargo.com
Subject:      IMPORTANT Documents - WellsFargo

Please review attached documents.

Harrison_Walsh
Wells Fargo Advisors
817-674-9414 office
817-593-0721 cell
Harrison_Walsh@wellsfargo.com

Investments in securities and insurance products are:
NOT
Posted in EXE-in-ZIP, Malware, Spam, Viruses | No comments

Saturday, 14 September 2013

Alanco Technologies Inc (ALAN) pump-and-dump spam run

Posted on 10:23 by Unknown


Alanco Technologies Inc is an Arizona-based firm founded in 1969 that used to be active in several technology markets, but over recent years it has divested itself of those assets and its primary business activities are now in waste water disposal. The company does not make a profit (and indeed in some recent years made no direct income whatsoever). The bulk of its financial
Posted in Pump and Dump, Spam | No comments

Friday, 13 September 2013

citizensbank.com "Issue File I3774 Processed" spam

Posted on 15:42 by Unknown


For some reason I'm seeing a lot of these EXE-in-ZIP attacks recently. Here's another one with a malicious attachment:


Date:      Fri, 13 Sep 2013 11:09:53 -0500 [12:09:53 EDT]
From:      "GISPROD@citizensbank.com" [GISPROD@citizensbank.com]
Subject:      Issue File I3774 Processed

Regarding Issue File 3774 - Total Issue Items # 36 Total Issue Amount $42,171.75 This will confirm that your issue
Posted in EXE-in-ZIP, Malware, Spam, Viruses | No comments

Thursday, 12 September 2013

QuickBooks spam / Invoice_20130912.zip

Posted on 14:22 by Unknown


This fake QuickBooks spam has a malicious attachment:


Date:      Thu, 12 Sep 2013 20:29:17 +0200 [14:29:17 EDT]
From:      QuickBooks Invoice [auto-invoice@quickbooks.com]
Subject:      Important - Payment Overdue

Please find attached your invoices for the past months. Remit the payment by 09/16/2013 as outlines under our "Payment Terms" agreement.

Thank you for your business,

Sincerely,
Quentin
Posted in EXE-in-ZIP, Malware, Spam, Viruses | No comments

Wednesday, 11 September 2013

USPS spam / Label_FOHWXR30ZZ0LNB1.zip

Posted on 12:26 by Unknown


This fake USPS spam has a malicious attachment:


Date:      Wed, 11 Sep 2013 11:19:05 -0500 [12:19:05 EDT]
From:      USPS Express Services [service-notification@usps.com]
Subject:      USPS - Missed package delivery
Priority:      High Priority 1 (High)

Notification

Our company's courier couldn't make the delivery of package.

REASON: Postal code contains an error.
LOCATION OF YOUR PARCEL:
Posted in EXE-in-ZIP, Malware, Spam, USPS, Viruses | No comments

Tuesday, 10 September 2013

Are top porn sites still riddled with malware?

Posted on 10:30 by Unknown
Posted in Malware, Porn | No comments

BBB Spam / Case_0938818_2818.exe

Posted on 07:53 by Unknown


This fake BBB spam has a malicious attachment:


Date:      Tue, 10 Sep 2013 15:07:14 +0100 [10:07:14 EDT]
From:      Better Business Bureau [Aldo_Austin@newyork.bbb.org]
Subject:      FW: Case IN11A44X2WCP44M

The Better Business Bureau has received the above-referenced complaint from one of your customers regarding their dealings with you. The details of the consumer's concern are included on the
Posted in BBB, EXE-in-ZIP, Malware, Spam, Viruses | No comments

ACH file ID "999.107" has been processed successfully spam / www.fiscdp.com.airfare-ticketscheap.com

Posted on 07:28 by Unknown


This fake FISC ACH spam leads to malware on www.fiscdp.com.airfare-ticketscheap.com:


Date:      Tue, 10 Sep 2013 17:05:49 +0530 [07:35:49 EDT]
From:      Financial Institution Service [improvehv89@m.fiscdp.gov]
Subject:      ACH file ID "999.107"  has been processed successfully

Files FISC Processing Service

SUCCESS Notification

We have successfully handled ACH file 'ACH2013-09-09-62.txt' (id '
Posted in Amerika, Malware, Spam, Viruses | No comments

Monday, 9 September 2013

ygregistry.org domain scam

Posted on 07:53 by Unknown


These Chinese domain scammers never give up; this scam has been seen several times before [1] [2] [3] [4].


From:     Jim Bing [jim.bing@ygregistry.org]
Date:     9 September 2013 14:32
Subject:     Regarding "[redacted]" Cn domain name and Internet Keyword

Dear Manager,

(If you are not the person who is in charge of this, please forward this to your CEO,Thanks)

This email is from China domain name
Posted in China, Domains, Scam | No comments

Malware sites to block 9/9/13, part II

Posted on 07:35 by Unknown


Another set of IPs and domains related to this attack detailed by Sophos, and overlapping slightly with the malicious servers documented here.

I've just listed the main domains, but the attack itself uses thousands of subdomains (e.g. zwgaf72d4erv7g.www5.tohk5ja.cc) to do evil things.

46.20.36.9 (Syslayer.com, Germany)
74.63.229.252 (Limestone Networks / 123systems Solutions, US)
Posted in Germany, Malware, Netherlands, Ukraine, Viruses | No comments

Malware sites to block 9/9/13

Posted on 06:29 by Unknown


These domains and IPs are associated with this gang; this list supersedes (or complements) the one I made last week.

Posted in Amerika, Brazil, Bulgaria, Canada, China, Colombia, France, India, Italy, Korea, Linode, Malware, Netherlands, Taiwan, Ukraine, Viruses | No comments

Saturday, 7 September 2013

Dealerbid.co.uk "Quotation.zip" spam with malicious VBS script

Posted on 12:01 by Unknown


The website dealerbid.co.uk has been compromised and their servers hacked in order to send spam to their customer list. Something similar happened a few months ago.

In this case the spam email was somewhat mangled, but I am assuming that the spammers know how to fix this. The spam email is as follows:


From:     Christopher Rawson [christopher.r@kema.com]
Date:     7 September 2013
Posted in Malware, Spam, VBScript, Viruses | No comments

Friday, 6 September 2013

"Scanned Document Attached" spam / FSEMC.06092013.exe

Posted on 14:31 by Unknown


This fake financial spam contains an encrypted attachment with a malicious file in it.


Date:      Fri, 6 Sep 2013 15:19:37 +0000 [11:19:37 EDT]
From:      Fiserv [Lawanda_Underwood@fiserv.com]
Subject:      FW: Scanned Document Attached

Dear Business Associate:

Protecting the privacy and security of client, company, and employee information is one of our highest priorities. That is why Fiserv
Posted in EXE-in-ZIP, Malware, Spam, Viruses | No comments

CNN "The United States began bombing" spam / luggagepreview.com

Posted on 11:02 by Unknown


This fake CNN spam leads to malware on luggagepreview.com:


Date:      Fri, 6 Sep 2013 11:30:57 -0600 [13:30:57 EDT]
From:      CNN [BreakingNews@mail.cnn.com]
Subject:      CNN: "The United States began bombing"

The United States began bombing!
By Casey Wian, CNN
updated 9:01 AM EDT, Wed August 14, 2013


(CNN) -- Pentagon officials said that the United States launched the first strikes
Posted in CNN, Malware, Spam, Syria, ThreeScripts, Viruses | No comments

Facebook spam / www.facebook.com.achrezervations.com

Posted on 07:50 by Unknown


This fake Facebook spam leads to malware on www.facebook.com.achrezervations.com:


Date:      Fri, 6 Sep 2013 08:07:14 -0500 [09:07:14 EDT]
From:      Facebook [notification+puppies9@mail.facebookmail.net]
Reply-To:      noreply [noreply@postmaster.facebookmail.org]
Subject:      Cole Butler confirmed your Facebook friend request

facebook

Cole Butler has confirmed that you're friends on
Posted in Amerika, Bulgaria, Facebook, Malware, Spam, Viruses | No comments

Something evil on 37.59.164.209 (OVH)

Posted on 04:09 by Unknown


37.59.164.209 is a server operated by OVH in France. It has many malicious domains hosted on it, indeed almost everything on it is flagged by Google as being malicious (highlighted in the list below). Blocking access to that IP address is the simplest approach as the malicious sites do seem to be in some flux.

Recommended blocklist:
Posted in Malware, OVH, Viruses | No comments

Thursday, 5 September 2013

NACHA spam / nacha-ach-processor.com

Posted on 11:26 by Unknown


This fake NACHA spam (I thought these were out of fashion!) leads to malware on nacha-ach-processor.com:


From:     The Electronic Payments Association - NACHA [leansz35@inbound.nacha.com]
Date:     5 September 2013 17:55
Subject:     Rejected ACH transfer

The ACH transaction (ID: 985284643257), yesterday sent from your account (by one of your account members), was cancelled by the recipient's
Posted in Amerika, Bulgaria, Malware, NACHA, Spam, Viruses | No comments

Facebook spam / kapcotool.com

Posted on 08:11 by Unknown


This fake Facebook spam leads to malware on kapcotool.com:


From:     Facebook [no-reply@facebook.com]
Date:     5 September 2013 15:21
Subject:     Michele Murdock wants to be friends with you on Facebook.

facebook

Michele Murdock wants to be friends with you on Facebook.
University of Houston, Victoria
342 friends - 28 photos
Confirm Request          See All Requests

This message was sent to [
Posted in Facebook, GoDaddy, Linode, Malware, Spam, ThreeScripts, Viruses | No comments

Wednesday, 4 September 2013

HSBC spam / Original Copy (Edited).zip

Posted on 08:13 by Unknown


This fake HSBC spam links to a malicious ZIP file:


Date:      Wed, 4 Sep 2013 01:45:17 -0700 [04:45:17 EDT]
From:      HSBC Wire Advising service [wireservice@hsbc.com.hk]
Reply-To:      hsbcadviceref@mail.com
Subject:      HSBC Payment Advice Ref: [H6789000] / ACH Credits / Customer Ref: [PO780090] (Edited)


Dear Sir/Madam,

The attached payment advice is issued at the request of our
Posted in Malware, Spam, Viruses | No comments

PayPal spam / dshapovalov.info

Posted on 07:27 by Unknown


This fake (and badly formatted) PayPal spam email leads to malware on dshapovalov.info:


Date:      Wed, 4 Sep 2013 08:33:25 -0500 [09:33:25 EDT]
From:      PayPal [service@int.paypal.com]
Subject:      History of transactions #PP-011-538-446-067

IDTransaction: { figure } {SYMBOL }

On your account malicious activity , for 1 hour was filmed around $ 100 , in small amounts In order to avoid
Posted in GoDaddy, Linode, Malware, PayPal, ThreeScripts, Viruses | No comments

Something is very wrong with Gandi US (AS29169 / 173.246.96.0/20)

Posted on 06:22 by Unknown


Recently I have been suggesting that readers block quite a few individual IPs at Gandi in the US, but I hadn't noticed exactly how many IPs I had been suggesting until a couple of days ago.

The problem seems to exist in the 173.246.96.0/20 block of AS29169 (173.246.96.0 - 173.246.111.255), a range of IP addresses that houses very many legitimate domains. Unfortunately, it also houses several
Posted in Evil Network, Gandi, Malware, Viruses | No comments

Something evil on 174.140.168.239

Posted on 03:36 by Unknown


The server at 174.140.168.239 (DirectSpace Networks LLC, US) is currently hosting a large number of hijacked GoDaddy domains and is being used to distribute malware [1] [2] [3].

It looks like this server has been active for a couple of months and has been used for a variety of evil purposes. I strongly recommend blocking the following:

Posted in GoDaddy, Malware, Viruses | No comments

Tuesday, 3 September 2013

Facebook spam / watchfp.net

Posted on 16:02 by Unknown


All this malware-laden Facebook spam is boring. Here's another one, leading to a malicious payload on watchfp.net:


Date: Tue, 3 Sep 2013 11:37:14 -0700 [14:37:14 EDT]
From: Facebook [notification+zrdohvri=vd1@facebookmail.com]
Subject: Blake Miranda tagged 5 photos of you on Facebook

facebook

Blake Miranda added 5 photos of you.
See photos

Go to notifications
This message
Posted in Facebook, GoDaddy, Linode, Malware, Spam, ThreeScripts, Viruses | No comments

PayPal spam / londonleatheronline.com

Posted on 01:20 by Unknown


This fake PayPal spam leads to malware on londonleatheronline.com:


Date:      Tue, 3 Sep 2013 09:43:09 +0400 [01:43:09 EDT]
From:      PayPal [service@int.paypal.com]
Subject:      Identity Issue #PP-716-472-864-836

We are writing you this email in regards to your PayPal account. In accordance with our "Terms and Conditions", article 3.2., we would like to kindly ask you to confirm your
Posted in Gandi, GoDaddy, Malware, PayPal, Spam, ThreeScripts, Viruses | No comments

Monday, 2 September 2013

MONK spam tries to profit from WAR threat

Posted on 10:43 by Unknown


The MONK (Monarchy Resources Inc) pump-and-dump spam continues. This time though, the spammers are trying to capitalise on the threat of war in the Middle East:


From:     belova04@jeel.com
Date:     2 September 2013 17:32
Subject:     This Stock just released Big News!

Are you interested in enriching yourself by means of war? It`s the very time to do it! As soon as the first bombs get to the
Posted in Pump and Dump, Spam | No comments

Facebook spam / london-leather.com

Posted on 10:27 by Unknown
This fake Facebook spam leads to malware on london-leather.com:

Date:      Mon, 2 Sep 2013 19:59:52 +0300 [12:59:52 EDT]
From:      Facebook [update+hiehdzge@facebookmail.com]
Subject:      Victoria Carpenter commented on your status


facebook


Hello,

Victoria Carpenter commented on your status.

Victoria wrote: "so cute;)"


Go to comments


Reply to this email to comment on this status.


Posted in Facebook, Gandi, GoDaddy, Malware, Spam, ThreeScripts, Viruses | No comments

Malware sites to block 2/9/13

Posted on 03:32 by Unknown


These IPs and domains are associated with this gang and should all be considered as malicious. This list follows on from this earlier one.

Posted in Amerika, China, Colombia, France, Korea, Linode, Malware, Netherlands, OVH, Russia, Sweden, Virgin Media, Viruses | No comments