Eliminate your debt spam

With the financial crisis there seems to be a worldwide rise in financial/debt spam emails. Some of these messages also use the domain spaces.live.com to host the spam content, trying to defeat anti-spam engines that use intent analysis.

Some subjects:

debt consolidation
low interest debt consolidation
credit rating
bad debt consolidation
debt external
… 

Content:

 

DO NOT cöñsolidate your debt   Elimiñate It!!!

Leegally Remove your credït card and other unsecured dëbt

* WIT|-|OUTT ever makiñg another pãyment to yoour creditoors
* WITHOUT it affecting yoúr credit long-term
* WITHOUT coñfrontatïon

http://8b1cdN.spaces.live.com/

This IS NOT:

* Båñkrufltcy
* Consolidation
* Or refinancing of any kind

Visit here to leârn how.

http://8b1cdN.spaces.live.com/

* Must have a minimum of 10K in còmbined household unsecured debt to apply 
* Must be a US resident.

Notice the use of special language characters in the spam to trick Bayesian engines and certain content filters that can filter on the word combination consolidate, eliminate and debt.

When visiting the spaces.live.com site you’ll get the following screen that links to the web site http://btstfirstcredit.com/.

When visiting and following the link to http://btstfirstcredit.com/ I arrived at the homepage of Google.be. Is this their intention, to get me to Google?

The domain itself was registered at the DNS registrar OnlineNIC Inc on 16 October 2008 by Shestakov Yuriy, located in Mirniy, Russia, with the email address alexey@cocainmail.com.

The domain cocainmail.com itself is registered in Asia at BIZCN.COM, INC by Feis Kiosop from New York.

Statement January – October virus

MX Lab intercepted a new virus variant that is only detected by 5 of the 36 anti virus engines on Virus Total. The virus is known as PAK_Generic.001 by Trend Micro, Backdoor.Win32.Haxdoor by Ikarus or as Trojan:Win32/Emold.gen!C by Microsoft.

The emails are distributed with the subjects:

Data request
Attached Statement
Statement January – October
Account data
Account information

xxx.xxx Report 1/1/2008 – 10/1/2008. (where xxx stands for the name that is used in the email address)

This is the content of a sample:

Please take a look at the attached statement on your account. The statement was issued today upon request, and your data has been successfully altered.

Thank you for contacting us.
Sincerely,Gilda

or

Dear Valued Customer:

Your account ID: t.mario.flores

As requested, we are sending you this account report attached this mail between 1/1/2008 and 10/1/2008.

At your service,
Aurelia Schneider

The attachment has the name “tatement_Jan-Oct.zip” and, once extracted, contains the document “Statement_Jan-Oct.doc             .exe”. Naming can vary when new variants are spread. The spaces before .exe are a common trick to fool people: the file mostly appears to be a .doc file, while the actual file type sits further along in the file name, out of view.

Virus Total permalink and MD5: 0d5908b1bc2881c7fb6cd30a48dee64c
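
The padded file name described above can be caught at a mail gateway by inspecting the member names inside a ZIP attachment. The following Python check is an added example, not part of the original post; the extension lists and function names are assumptions, and the sample archive is constructed with harmless bytes.

```python
import io
import os
import re
import zipfile

# Assumed policy lists for this example; tune them for your own gateway.
EXECUTABLE_EXT = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}
DECOY_EXT = {".doc", ".xls", ".pdf", ".txt", ".jpg"}

def name_findings(member_name):
    """Return the reasons a ZIP member name looks like a disguised executable."""
    base = member_name.replace("\\", "/").rsplit("/", 1)[-1]
    stem, ext = os.path.splitext(base)
    if ext.lower() not in EXECUTABLE_EXT:
        return []
    findings = ["executable extension " + ext.lower()]
    # A run of whitespace right before the real extension pushes it out of view.
    if re.search(r"\s{2,}$", stem):
        findings.append("whitespace padding before extension")
    # What the user sees first: a second, harmless-looking extension.
    decoy = os.path.splitext(stem.rstrip())[1].lower()
    if decoy in DECOY_EXT:
        findings.append("decoy extension " + decoy)
    return findings

def scan_zip(data):
    """Map each suspicious member of an in-memory ZIP to its findings."""
    with zipfile.ZipFile(io.BytesIO(data)) as archive:
        results = {name: name_findings(name) for name in archive.namelist()}
    return {name: found for name, found in results.items() if found}

def build_sample():
    """Constructed sample: harmless bytes under the file name the post describes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("Statement_Jan-Oct.doc" + " " * 13 + ".exe", b"not a real binary")
        archive.writestr("readme.txt", b"benign")
    return buf.getvalue()

if __name__ == "__main__":
    for name, findings in scan_zip(build_sample()).items():
        print(repr(name), "->", "; ".join(findings))
```
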
