mxlab - all about anti virus and anti spam » Spam

Spam in fake LinkedIn messages

mxlab — Thu, 19 Jan 2012 16:30:24 +0000

MX Lab, http://www.mxlab.eu, has noticed a large spam campaign on behalf of the Canadian Family Pharmacy in fake LinkedIn messages.

The messages come the spoofed email address with the authors like:

Fenella  Macdonald via LinkedIn 
Catriona  Bailey via LinkedIn 
Susan  Jones via LinkedIn 
....

Subjects in use:

Can i place your photo on my site?
Can i place your photo on our facebook page?
Can i place your information on our web page?
Can i place your video on our web site?
Can i place your video on my facebook page?
Can i place your contacts on our twitter page?
…..

Example of the email:

The URL in the message point to different web hosts and pages with an redirect HTML:

Buy Viagra Online – Online Pharmacy

#1 Online Pharmacy

Online DrugStore
Buy Viagra Online

In return, the redirect points to hxxp://viagralevitratestosterone.com.

Kelihos botnet taken down by Microsoft

mxlab — Wed, 28 Sep 2011 08:33:36 +0000

According to an article on the official Microsoft Blog, the botnet Kelihos, also known as Waledac 2.0, has been taken down on the 27th of September 2011 by Microsoft in an operation codenamed “Operation b79”.

Read the full story.

Emails “Sent via Google Maps” is a redirect to the Canadian Pharmacy

mxlab — Mon, 26 Sep 2011 09:27:32 +0000

MX Lab, http://www.mxlab.eu, intercepted some spam messages with subjects like:

Sent via Google Maps: Brett Lepper sent you: A Maps link
Sent via Google Maps: Brenna Eber sent you: A Maps link
Sent via Google Maps: Theodora Cavitt sent you: A Maps link
…

The subjects start with ‘Sent via Google Maps:’ and end with ‘A Maps link’.
The from email address is spoofed but starts with ‘admin@’ combined with a subdomain address.

Message body examples:

This email was sent to you by a user on Google Maps:

Hi

hxxp://gertie8kthv.blogginc.asia/10/8/gertie-bawa.html

This email was sent to you by a user on Google Maps:

Hi

hxxp://elmira4221c.blogsun.asia/11/10/elmira-antoniuk.html

The URLs in the message will redirect the user to the website of the Canadian Pharmacy at hxxp://www.bestrxs.com/.

Google Picasa scam

mxlab — Fri, 10 Jun 2011 08:49:38 +0000

MX Lab, http://www.mxlab.eu, reported earlier regarding emails that offer an alternative to the official Adobe PDF Reader and the VOIP add ons for Skype.

It now seems that Google Picasa is the next victim of the same type of scam. We intercepted a few messages with the subject “The iTunes of Photo Organization” coming for the email address Picture Tools . This is the message:

The message has a download URL in the format hxxp://aphyet.com/re.php?lnk=1203683910&e=****.****@****.be. Following the link takes us to hxxp://officialversion.su/pics/1/index.asp?aff=11677&camp=esp_may09hld_picasa_jun10 with the following web site:

Notice the button on the right “Download Picasa” now and the mention of 24/7 support. This is very familiar and did ring a bell at the MX Lab HQ. We started to investigate the web site further.

We found a registration and order process very similar to the past cases with the Adobe PDF Reader 2011 and the VOIP add ons for Skype.

The payment transaction appears to be processed on an unsecure HTTP connection but a look into the HTML learns us that the payment form in embedded in an and the form is processed by hxxps://secure-signupway.com/p06/?siteid=6882. This domain is know for fraudulent payment processing so your credit card details will end up in the wrong hands.

As expected, the domain license details are protected and the domain is registered a few days ago.

Domain Name: APHYET.COM 

Registrant:
    PrivacyProtect.org
    Domain Admin        (contact@privacyprotect.org)
    ID#10760, PO Box 16
    Note - All Postal Mails Rejected, visit Privacyprotect.org
    Nobby Beach
    null,QLD 4218
    AU
    Tel. +45.36946676

Creation Date: 06-Jun-2011
Expiration Date: 06-Jun-2012

Domain servers in listed order:
    ns1.reg.ru
    ns2.reg.ru

Administrative Contact:
    PrivacyProtect.org
    Domain Admin        (contact@privacyprotect.org)
    ID#10760, PO Box 16
    Note - All Postal Mails Rejected, visit Privacyprotect.org
    Nobby Beach
    null,QLD 4218
    AU
    Tel. +45.36946676

Technical Contact:
    PrivacyProtect.org
    Domain Admin        (contact@privacyprotect.org)
    ID#10760, PO Box 16
    Note - All Postal Mails Rejected, visit Privacyprotect.org
    Nobby Beach
    null,QLD 4218
    AU
    Tel. +45.36946676

Billing Contact:
    PrivacyProtect.org
    Domain Admin        (contact@privacyprotect.org)
    ID#10760, PO Box 16
    Note - All Postal Mails Rejected, visit Privacyprotect.org
    Nobby Beach
    null,QLD 4218
    AU
    Tel. +45.36946676

Our recommendation is not to fill in any credit card details – your credit card details will likely be abused – and download this software. Please note that for the real Picasa you need to go to the Google web site at http://picasa.google.com/. And it’s free.

Message from YouTube Administration is spam that leads to the Canadian Family Pharmacy

mxlab — Thu, 26 May 2011 09:54:24 +0000

For several days now, MX Lab, http://www.mxlab.eu, is intercepting a spam campaign with the subject “YouTube Administration sent you a message: Your video on the TOP of YouTube” sent from the spoofed email address YouTube Service . Again, this is a great example of using a well known brand to mislead the public.

The body of the email:

The URLs are pointing to sites like:

hxxp://fotoramblas.com/simplified.html
hxxp://www.afmp.pt/warmth.html
hxxp://hdwhc.com/nimbler.html
hxxp://dallascodecamp.com/desire.html
and many others

These sites will redirect the visitor to the Canadian Family Pharmacy at hxxp://tabletrxdrugspills.com/

Spam messages using the LinkedIn brand

mxlab — Fri, 06 May 2011 14:35:42 +0000

MX Lab, http://www.mxlab.eu, started to intercept a spam campaign by email with the subject”check it out” or “mother days flowers” where the LinkedIn email template is being used.

The email is sent from the spoofed email address “Mark Johnson via LinkedIn ” and has the following body:

The message has a lay out that LinkedIn is using in communication with their members.

Notice that this spam has an embedded imageat the end with the instructions on how to unsubscribe. The URL behind points to hxxp://gy-qes.daukskosos.com/ followed by some numbers.

When following the URin the spam message we got the following messages in our browser:

A few seconds later we are redirected and get the following message in our browser:

Domain registration details:

Registration Service Provided By: Namecheap.com
Contact: support@namecheap.com
Visit: http://namecheap.com

Domain name: DAUKSKOSOS.COM

Registrant Contact:
   NA
   Anna Shay ()

   Fax:
   NAa
   Olympic Valley, CA 96146
   US

Administrative Contact:
   NA
   Anna Shay (shay.touchsound@gmail.com)
   +1.5305808370
   Fax:
   NAa
   Olympic Valley, CA 96146
   US

Technical Contact:
   NA
   Anna Shay (shay.touchsound@gmail.com)
   +1.5305808370
   Fax:
   NAa
   Olympic Valley, CA 96146
   US

Status: Locked

Name Servers:
   dns1.registrar-servers.com
   dns2.registrar-servers.com
   dns3.registrar-servers.com
   dns4.registrar-servers.com
   dns5.registrar-servers.com

Creation date: 05 May 2011 00:19:00
Expiration date: 04 May 2012 19:19:00

The domain was registered yesterday at a low cost domain registrar and is now in use for spam campaigns. This domain is obviously registered in a bulk domain registrations with the intention to send spam from it for a while and then change domain again.

From this domain we have intercepted some other spam campaigns as well. Check them out:

Bidooka

Apple products – It’s all at your fingertips

Be a part of the Hottest Online Shopping Craze since eBay

Bid Now
hxxp://gy-qes.daukskosos.com/576ade776569dcd6338911a7e58cafabfd7233

Watch as the site unloads the biggest brand name products for pennies on the dollar

——————–
To unsubscribe please go here:
hxxp://gy-qes.daukskosos.com/576ade776569dcd6338912a7e58cafabfd7233

or send mail to:
Unsubscribe
4759 Boles Ct
Fremont, CA 94538

Click this link to unsubscribe: hxxp://gy-qes.daukskosos.com/a7e58cafabfd72333576ade776569dcd6

Receive a bonus of 2000 € – not everything is what it looks like

mxlab — Sun, 03 Apr 2011 16:17:41 +0000

MX Lab, http://www.mxlab.eu, intercept a large spam campaign what in fact appears to be an SMS scam system.

Email messages are sent from no-reply-xxx@finance-magazine.eu, where the XXX stands for random numbers. The domain finance-magazine.eu is from the The European CFO Magazine.

Many different subjects in the French language are being used to get some attraction:

Une offre qou vous ne pouvez pas refuser
Une opportunite unique d’une vie
Faire de l’argent n’a jamais ete aussi facile!
Etes-vous interesse ?
…

This is the email content:

The embedded URLs directs visitors to hxxp://berborso.com/c/8D1DB23B.

On this landing page you will need to fill in your details including your mobile phone number.

When your details are submitted, you’ll receive an SMS with an activation code. This code needs to be filled in again on this webform together with some additional details.

I haven’t filled in my real phone number but I’m pretty sure that this is a complete SMS scam. I wouldn’t be suprised if you receive more SMS messages later on that are credited on your phone bill later on.

This domain name is registered in the Ukraine:

Service Provided By: Center of Ukrainian Internet Names
Website: http://www.ukrnames.com
Contact: +380.577626123

Domain Name: BERBORSO.COM

Creation Date: 28-Mar-2011
Modification Date: 28-Mar-2011
Expiration Date: 28-Mar-2012

Domain servers in listed order:
ns1.hahray.in
ns2.hahray.in

Registrant:
Son Svan hdgi-domains@gmail.com
WATER STREET 45/54
CHRIST CHURCH, BB17056
BARBADOS
+1.24615566596

Be carefull if you receive offers like this.

Canadian Pharmacy pops up in emails from Facebook with subject “Welcome to Facebook Goods”

mxlab — Sun, 03 Apr 2011 10:06:47 +0000

MX Lab, http://www.mxlab.eu, started to intercept a new spam campaign, since yesterday, by email with the subject “Welcome to Facebook Goods”. These messages are sent from the spoofed email addresses in the format that Facebook is using on the domain facebookmail.com. Some examples:

update+bscts2qxhedj@facebookmail.com
update+6i8mlfxn1svw@facebookmail.com
update+6i8mlfxn1svw@facebookmail.com
…

This is the body of the email:

Notice that the Facebook looks are used to disguise the real purpose of the message.

4 different URLs are used in each message with the format: http://www.domainhere.tld/s/h/o/p/ that will redirect you to the Canadian Pharmacy at hxxp://midiclxic.ru/.

Download Adobe Reader 10 Alternative scam

mxlab — Fri, 01 Apr 2011 05:58:20 +0000

MX Lab reported earlier on regarding a malicious spam campaign regarding an offer to download and buy PDF Reader/Writer for Windows and Mac in the articles Malicious spam campaign regarding Adobe Acrobat 2010 PDF Reader and VOIP Addons for Skype and Emails offering PDF Reader 2010 lead to unsecure payment site.

MX Lab noticed a new version that will offer the latest PDF Reader. The emails have the subject “Download Adobe Reader 10 Alternative” with the email address dailynews_dec09@m120.redmediaone.com.

This is the body of the email:

Following the link to the web site will lead us here:

When clicking on the download button we have the following screen that looks very familiar:

Okay, let’s go throught the registration process:

The registration transactions are performed on the domain secure-signupway.com. This domain is know for fraudulent payment processing so your credit card details will end up in the wrong hands.

Now, this is also interesting. The domain from where the message is sent, redmediaone.com, has protected registrant details in the WHOIS.

Registrant:
   redmediaone.com
   c/o Whois Privacy Service
   PO BOX 501610
   San Diego, CA 92150-1610
   US

   Domain Name: REDMEDIAONE.COM

   Administrative Contact, Technical Contact, Zone Contact:
      redmediaone.com
      c/o Whois Privacy Service
      PO BOX 501610
      San Diego, CA 92150-1610
      US
      (619) 393-2111
      whois@emailaddressprotection.com

   Domain created on 18-May-2010
   Domain expires on 17-May-2012
   Last updated on 25-Mar-2011

   Domain servers in listed order:

      NS1.DOMAINDISCOVER.COM
      NS2.DOMAINDISCOVER.COM

In the message is the download URL and an unsubscribe URL present that is handled by http://list.onemediaclick.com/. And also iin this case, the registrant details are protected.

Domain Name: ONEMEDIACLICK.COM
Registrar: MONIKER

Registrant [3559862]:
        Moniker Privacy Services ONEMEDIACLICK.COM@domainservice.com
        Moniker Privacy Services
        20 SW 27th Ave.
        Suite 201
        Pompano Beach
        FL
        33069
        US

Administrative Contact [3559862]:
        Moniker Privacy Services ONEMEDIACLICK.COM@domainservice.com
        Moniker Privacy Services
        20 SW 27th Ave.
        Suite 201
        Pompano Beach
        FL
        33069
        US
        Phone: +1.9549848445
        Fax:   +1.9549699155

Billing Contact [3559862]:
        Moniker Privacy Services ONEMEDIACLICK.COM@domainservice.com
        Moniker Privacy Services
        20 SW 27th Ave.
        Suite 201
        Pompano Beach
        FL
        33069
        US
        Phone: +1.9549848445
        Fax:   +1.9549699155

Technical Contact [3559862]:
        Moniker Privacy Services ONEMEDIACLICK.COM@domainservice.com
        Moniker Privacy Services
        20 SW 27th Ave.
        Suite 201
        Pompano Beach
        FL
        33069
        US
        Phone: +1.9549848445
        Fax:   +1.9549699155

Domain servers in listed order:

        NS1.DOMAINSERVICE.COM         208.73.210.41
        NS2.DOMAINSERVICE.COM         208.73.211.42
        NS3.DOMAINSERVICE.COM
        NS4.DOMAINSERVICE.COM

        Record created on:        2011-02-14 12:05:30.0
        Database last updated on: 2011-02-14 12:05:32.93
        Domain Expires on:        2012-02-14 12:05:31.0

The web site of Onemediaclick:

These guys are, according to the address on the site, located in Switzerland. When trying to contact them through the web form, nothing happens. The

Botnet Rustock is no longer

mxlab — Mon, 28 Mar 2011 08:57:23 +0000

As you may have read on several news sites, the botnet Rustock, one of the world’s most active spam-generating networks, is no longer since last week (R.I.P. ) on March 16th, 2011.

The Microsoft Digital Crimes Unit (or DCU), together with other agencies and organisation like the U.S. Marshalls, started an operation, under the name “Operation b107″, to take out the C&C servers at multiple locations in the US, which are responsible for managing the infected zombie computers in the botnet, leading the botnet decapitated.

The Rustock botnet was one of the major players on the internet when it comes to spam and infected zombie computers. With an estimated account of approx 1 million infected computers it had a capacity for sending out up to 30 billion spam messages per day ranging from fake Microsoft lottery scams and offers for prescription drugs.

It was not the first attempt of Microsoft to take down an botnet organisation. Earlier on, in February 2010, Microsoft did managed to get hands on +250 domains that where used in the Waladec botnet.

Read more about Rustock and the take down:

Microsoft: Taking Down Botnets: Microsoft and the Rustock Botnet

Wall Street Journal: Spam Network Shut Down

FireEye: An overview of Rustock

Krebs On Security: Rustock Botnet Fed by U.S. Firms