Your e-mail will be blocked within 48 hours for spam, if this is mistake please cintact us.
Please click here for detailes.
Spam security Customer Service
The "Click Here" portion of the email was a link to a website containing the domain name:
with a randomized "host name" portion of the machine, such as:
Email subject lines observed during this phishing campaign included:
Alert: Account Deactivation Notice
Important message about your account information
NOTIFICATION OF LIMITED ACCOUNT ACCESS
Online Access Supended
Online Account Locked
Online Security Measures
Re-Confirm Your Online Access.
Your account has been flagged!
Your account has been placed on restricted status
Your Account Suspension
Your Online Account Needs Update
The spam had a unique forgery in the email headers to make them appear to be from Microsoft. In an email header, there is a "Received" line which shows the address from which an email was sent, such as:
Received: from dsl-189-139-6-108-dyn.prod-infinitum.com.mx (dsl-189-139-6-108-dyn.prod-infinitum.com.mx [184.108.40.206] (may be forged))
by GarsServer.com (8.11.6/8.11.0) with ESMTP id n96Lew069365
for <85qrhskymaucw@GarsDomain.com>; Tue, 6 Oct 2009 21:40:59 GMT
Received: from dns749.microsoft.com(dns697.microsoft.com [220.127.116.11]) by 18.104.22.168 with SMTP id 69811070;
In this case, the "Return-Path" line is fake, and has been added by the sender. The second "Received" line is also fake, trying to convince you that the sending IP "22.214.171.124" is actually a Microsoft computer, which it's not!
Unfortunately, that's as far as this part of the investigation can go. The website had already been terminated, by asking the Registrar to remove the nameserver from active duty, meaning that no computers can reach the website in question.
But is that really the end?
The nameserver for this domain, which has already been terminated, was ns1.bloktrest.net. By setting that as our nameserver, we can see that the site was "fast flux" hosted on many different IP addresses. For instance, resolving the domain currently, according to bloktrest.net, points us to:
By hard-coding one of these IP addresses to the domain name, we can see that what WOULD have happened if we had visited the site was that we would have loaded an IFRAME from the site:
(DO NOT VISIT!) us-business-shop-2019.com/shop/?0a8f23e34c3fccbdbc459ef0d52b3910
THAT website has been listed since September 3rd at MalwareDomainList as a LuckySploit exploiter.
So, the question is at large - was this a phishing site at all? or merely a way to get people to have LuckySploit take over their computers?
Whois points to Badness
Here is the WHOIS data for 58342875324752.com which was registered October 5, 2009 at TodayNIC.com, an infamous Chinese registrar.
Name: Ferd Derfo
Organization: Ferd Derfo
Postal Code: 133331
Here is the WHOIS data for us-business-shop-2019.com which was registered at another infamous Chinese registrar, ONLINENIC.com, on July 21, 2009:
Serpino Berbeto email@example.com +1.2128848801
403 po box
New York NY US 10037
Do a search on "Serpino Berbeto" and you'll find more than 1,000 ways in which this identity is involved in the creation of domains used for the distribution of malware, and with online fraud domains, including fake Escrow sites, spam, pirated software (easy-software-store.com), Canadian Pharmacy (shop29.net).
The Serpino identity is one of the many "resellers" that cause OnlineNIC and other Chinese registrars to be such widely used havens for cybercriminals.
Serpino is hosting this site, and several other recent malware infection sites he's been behind, on a webblock belonging to "The Bigness Group" in St. Petersburg, Russia.
Serpino's sites on that netblock include:
yournewvideo.info - 126.96.36.199
brberfsdfsdafs.com - 188.8.131.52
lovisiribkabolishajaimalenkaja - 184.108.40.206
us-business-shop-2019.com - 220.127.116.11
fgddfgdgdfg.com - 18.104.22.168
of course other aliases are also hosting malware on this netblock, which seems to be filling the role of the old Russian Business Network, also of St. Petersburg:
Tourino Markes / firstname.lastname@example.org has registered:
vertigoinvasion.com = 22.214.171.124 - associated with both Zeus and the Fragus exploit kit
Kelly Watsen / email@example.com has registered:
landingerfor.org = 126.96.36.199 - associated with LuckySploit exploit kit
Fego Fegochev / firstname.lastname@example.org has registered:
ppoqass.info = 188.8.131.52 - associated with the LuckySploit exploit kit
bbortixx.info = 184.108.40.206 - also associated with LuckySploit
Passive DNS reveals all sorts of badness. Recommendation? Everyone should block "The Bigness" and their entire network block!
IRS Zeus Again???
I ran the fast flux IP addresses given above through some checks at a Passive DNS Logging system to see if they were "known" IP addresses. Yes. Several of the IP addresses above are part of the same Fast Flux network which is being used for the "Avalanche" botnet, which is currently behind the IRS Zeus net!
So what happens if we hard-code a host entry for the above IP addresses, and tell it that it is one of the recent IRS domains?
That's right. I added this line to my "hosts" file:
an IRS domain which has no active nameserver and has not been live for more than a week. It resolved on the IP address used above for the domain 58342875324752.com, and displayed the IRS Zeus infection website, complete with an active link for downloading the current malware.
File size: 95744 bytes
Click for Virus Total Report, showing that only 7 of 41 anti-virus products currently detect this Zbot / Zeus Bot infector.