Sunday, July 31, 2011

"Wrong Transaction" Hotel spam malware continues to evolve

One of the distinct advantages of having the UAB Spam Data Mine is that we are able to provide near-real-time intelligence about the evolution of malware campaigns being delivered by spam. On July 27, 2011 we provided a warning about Wrong Transaction Hotel Spam that was covered by Robert McMillan in PC World and ComputerWorld, and was also mentioned by Matt Liebowitz for MSNBC.

Unfortunately, from an anti-virus perspective, consumers are no safer than they were when we first put out the warning four days ago.

We're still seeing more than 1,000 copies of this malware each day (with the exception of the 29th):

 count | receiving_date
-------+----------------
  1516 | 2011-07-27
  1828 | 2011-07-28
   813 | 2011-07-29
  1470 | 2011-07-30
  1258 | 2011-07-31
(5 rows)


but the malware is constantly evolving.

Count | Malware MD5                      | Time Range
  593 | c15eb3c47800fec025b6a86a6409f144 | 2011-07-27 03:00 AM to 2011-07-27 08:30 AM
 1001 | 01e3bbd4b6f8c22a3516771f9b6792bc | 2011-07-27 12:45 PM to 2011-07-28 04:45 AM
  318 | 57d931256fd6d7184528ae983e34677b | 2011-07-27 08:00 AM to 2011-07-27 13:30 PM
  865 | 6e2eae488317280dd813e3e2fc9e0275 | 2011-07-28 04:15 AM to 2011-07-28 13:00 PM
  554 | ad760ac5806a84a272e1eb76b315ac31 | 2011-07-28 12:30 PM to 2011-07-28 20:15 PM
 1116 | 4140ee10115174fe36a738d4d943f2af | 2011-07-29 13:45 PM to 2011-07-30 04:00 AM
  614 | e2d3d4ccf02ea924e6d11cb452235f4c | 2011-07-30 03:30 AM to 2011-07-30 16:15 PM
  931 | 5bbe80ad216c89bcbb6891178dc4b5fa | 2011-07-30 14:45 PM to 2011-07-31 07:30 AM
  409 | ca84d1a0c49eff5ca829b5fa531800e8 | 2011-07-31 07:30 AM to 2011-07-31 13:15 PM
  484 | aa412182a164321a159f9b2e95be53bc | 2011-07-31 13:15 PM to 2011-07-31 CURRENT TIME


Each of the links in the table above will take you to the VirusTotal report showing how many of 43 different anti-virus products detected this particular malware at the time it was submitted to VirusTotal.

I'll let you explore the links for yourself, but may I call attention to the fact that the last one is detected by FOUR of forty-three AV products, and the one immediately before it by ONE of forty-three.

Just to make sure there was not a problem, I decided to look at those last two and confirm that they actually were malware.

We started with the sample whose MD5 begins with "aa412". It unpacks to an .exe named "Refund_Form" that uses an icon borrowed from Microsoft Office Excel to trick people into thinking it's a spreadsheet.

When we launched it, it made connections to:

runescapegpge2011.ru - 84.247.61.25
www.radio-80.com - 210.172.192.38
heftyhips.com - 66.197.251.53

That last would be exactly the same domain that the first sample we looked at on the 27th connected to. It fetched "soft.exe" from www.radio-80.com.

I'm going to go out on a limb and say this is malware. "soft.exe" got renamed "defender.exe" and placed in our "C:\Documents and Settings\All Users\Application Data\" directory, which was scheduled to launch when the machine reboots.

Defender.exe was declared to be malware by 6 of 43 anti-virus packages at VirusTotal. Here's the report. It's Fake anti-virus.

Next, just to be thorough, we also checked out the version that started with "ca84d1". Just like the first, it unpacked to a "Refund_Form.exe" file, although this one had a different MD5. When we launched Refund_Form it made network connections to:

runescapegpge2011.ru - 84.247.61.25
ewingparkbmx2011.ru - failed to resolve

It looks like this version is not functioning due to a dead domain, which may be the reason the "aa412" version was released.

That "84.247.61.25" box is in Romania, currently using a domain name with "RuneScape" in the domain name. The same IP has recently been called bedownloader2011.ru, diamondexchange2011.ru, watchfamilyguynow2011.ru and is also currently resolving as yomwarayom2001.ru.

Update 01AUG2011

At 3:15 this morning, the malware being distributed swapped to:

2e749d608d29aef739f5b08e7f63225a (click for VirusTotal Report)

The MD5 for the exe inside of the zip file with MD5 2e749d608d29aef739f5b08e7f63225a is:

a446ced5db1de877cf78f77741e2a804 Filename: Refund-Form (dot) exe (1 of 43 detects at VirusTotal).


At 4:30 this morning, and continuing to the present moment (07:45 AM Central Time), the malware being distributed swapped to:

4b126c49c261ca0f65fce9e5d08811d6 (click for VirusTotal Report)

The MD5 for the exe inside of the zip file with MD5 4b126c49c261ca0f65fce9e5d08811d6 is:

2f0155c39ddcf490f3a310ba0546c627 Filename: Refund_Form (dot) exe (5 of 43 detects at VirusTotal).

Thursday, July 28, 2011

"Government-related" Zeus spam continues

As we discussed in yesterday's article, "Wrong transaction" hotel spam, the UAB Spam Data Mine now has an ability to provide early alerting when a new spam campaign is directly linking to executable files.



Update: New Zeus distribution site, July 29th AM:

We are receiving spam emails this morning from "nacha.org" From: addresses that direct us to this Zeus distribution site.

hxxp://federalreserve-alert.com/transaction_report.pdf.exe

Here's the VirusTotal report: As of this timestamp (5:30 AM Central time) we see (5 of 43) detections. Only 2 of those are calling this Zeus.




This morning we have a new example of this capability in the form of the two most recent installments of a long-running "government-related" Zeus campaign.

One of the two spammed destinations is:

alert-irs.com /00000700973770US.exe MD5 = 0691a4856713edc97664e60db735747c

This malware is currently showing a (12 of 43) detection rate at VirusTotal, as seen in this VirusTotal Report.

The other spammed destination is:

fdic-updates.com /system_update_07_28.exe MD5 = 7a0303fdb809ac0c1a84123b106992c2

This malware is currently showing an (8 of 43) detection rate at VirusTotal, as seen in this VirusTotal Report.

Both files are 172,032 bytes in size, but currently the FDIC one is showing a dramatically wider distribution via email than the IRS one, which may be an indication of "targeting" by the latter.

The FDIC version has been seen almost 500 times, despite the fact that the campaign is less than 45 minutes old as of this writing. Here is the count per 15 minute block seen in the UAB Spam Data Mine:

  5 | ACH and Wire transfers disabled.      | 2011-07-28 06:00:00
  3 | Banking security update.              | 2011-07-28 06:00:00
  1 | Update for your banking account.      | 2011-07-28 06:00:00
107 | ACH and Wire transfers disabled.      | 2011-07-28 05:45:00
138 | Banking security update.              | 2011-07-28 05:45:00
108 | Security update for banking accounts. | 2011-07-28 05:45:00
122 | Update for your banking account.      | 2011-07-28 05:45:00
  1 | Banking security update.              | 2011-07-28 05:30:00
  1 | Security update for banking accounts. | 2011-07-28 05:30:00
  1 | ACH and Wire transfers disabled.      | 2011-07-28 05:15:00
  1 | Banking security update.              | 2011-07-28 05:15:00
  1 | Security update for banking accounts. | 2011-07-28 05:15:00


(Timestamps are US-Central Time, GMT -6)


The FDIC spam comes from email addresses that randomly associate these "usernames" with these "hostnames". Everything in the first column was seen combined with everything in the second column.

admin            @ admin.fdic.gov
adminnistration  @ administration.fdic.gov
cunsumer         @ fdic.gov
FDIC             @ security.fdic.gov
finance          @
govdelivery      @
information      @
inspector        @
news             @
no-reply         @
privacy_policy   @
protection       @
public           @
report           @
service          @
stats            @
support          @
webannouncements @


Here's what the email actually says:

Dear clients,
Your account ACH and Wire transactions have been
temporarily suspended for your settings, due to the
expiration of your security version. To download and install the
newest Updates, click here.

As soon as it is Applied, your transaction abilities will be fully restored.

Best regards,
Online security department
Federal Deposit Insurance Corporation



The IRS related spam came first:

2 | Internal Revenue Service     | 2011-07-28 04:15:00
2 | Federal Tax payment rejected | 2011-07-28 04:00:00
2 | Your IRS payment rejected    | 2011-07-28 04:00:00
2 | Internal Revenue Service     | 2011-07-28 03:45:00


This is fairly typical spamming for this group. They like to build a new Zeus variant, place it on a website, and then spam it very hard at the beginning of the East Coast business day. For example, here is the spam for:

"nacha-rejected.com"

 2 | Rejected transaction | 2011-07-27 05:30:00
 1 | Canceled payment     | 2011-07-27 05:15:00
 2 | Canceled transaction | 2011-07-27 05:15:00
 3 | Payment rejected     | 2011-07-27 05:15:00
 5 | Rejected transaction | 2011-07-27 05:15:00
 2 | Canceled transaction | 2011-07-27 05:00:00
 8 | Canceled transfer    | 2011-07-27 05:00:00
 5 | Payment canceled     | 2011-07-27 05:00:00
 3 | Payment rejected     | 2011-07-27 05:00:00
 4 | Rejected transaction | 2011-07-27 05:00:00
92 | Canceled payment     | 2011-07-27 04:45:00
74 | Canceled transaction | 2011-07-27 04:45:00
84 | Canceled transfer    | 2011-07-27 04:45:00
60 | Payment canceled     | 2011-07-27 04:45:00
75 | Payment rejected     | 2011-07-27 04:45:00
57 | Rejected transaction | 2011-07-27 04:45:00
 2 | Payment canceled     | 2011-07-27 04:30:00
 1 | Payment rejected     | 2011-07-27 04:30:00
 1 | Canceled transaction | 2011-07-27 04:15:00
 2 | Payment canceled     | 2011-07-27 04:15:00


nacha-transactions.com

1 | Payment rejected     | 2011-07-27 07:00:00
1 | Rejected transaction | 2011-07-27 06:45:00
4 | Canceled payment     | 2011-07-27 06:30:00
2 | Canceled transfer    | 2011-07-27 06:30:00
1 | Payment canceled     | 2011-07-27 06:30:00
1 | Payment rejected     | 2011-07-27 06:30:00
1 | Canceled transaction | 2011-07-27 06:15:00
1 | Canceled transfer    | 2011-07-27 06:15:00
1 | Payment canceled     | 2011-07-27 06:15:00
1 | Payment rejected     | 2011-07-27 06:15:00


taxes-refund.com

1 | Internal Revenue Service        | 2011-07-27 08:00:00
1 | U.S. Department of the Treasury | 2011-07-27 08:00:00
1 | Internal Revenue Service        | 2011-07-27 07:45:00
2 | Internal Revenue Service (IRS)  | 2011-07-27 07:45:00
2 | Payment IRS.gov                 | 2011-07-27 07:45:00
1 | Internal Revenue Service        | 2011-07-27 07:30:00
1 | IRS.gov                         | 2011-07-27 07:30:00
1 | U.S. Department of the Treasury | 2011-07-27 07:30:00


Three consecutive campaigns, one following the other, with the whole thing wrapping up before 8 AM Central time (which would be 9 AM Eastern time).

The NACHA spam leading to Zeus has been an issue for a very long time. We've seen spam like this going all the way back to November 2009, but it has been fairly constant since February of this year, when we published the article ACH Transaction Rejected Payment Spam.

Following the Botnet Back in Time


Because of the way we archive our email, it's possible for us to ask the UAB Spam Data Mine to reveal a deeper history for this particular spamming botnet by asking a question like:

"Show me all the spam subjects that have been sent by IP addresses that sent me this morning's fdic-updates.com spam message"

5 | 2011-07-28 06:00:00 | ACH and Wire transfers disabled.
3 | 2011-07-28 06:00:00 | Banking security update.
1 | 2011-07-28 06:00:00 | Update for your banking account.
107 | 2011-07-28 05:45:00 | ACH and Wire transfers disabled.
138 | 2011-07-28 05:45:00 | Banking security update.
108 | 2011-07-28 05:45:00 | Security update for banking accounts.
122 | 2011-07-28 05:45:00 | Update for your banking account.
1 | 2011-07-28 05:30:00 | Banking security update.
1 | 2011-07-28 05:30:00 | Security update for banking accounts.
1 | 2011-07-28 05:15:00 | ACH and Wire transfers disabled.
1 | 2011-07-28 05:15:00 | Banking security update.
1 | 2011-07-28 05:15:00 | Security update for banking accounts.
1 | 2011-07-27 23:30:00 | ho
1 | 2011-07-27 21:15:00 | RE:.. How do you do,
4 | 2011-07-27 20:00:00 | ho
1 | 2011-07-27 14:45:00 | VIDEO: Lockerbie bomber at pro-Gaddafi rally
1 | 2011-07-27 12:00:00 | Yo
1 | 2011-07-27 08:00:00 | Internal Revenue Service
1 | 2011-07-27 06:45:00 | Rejected transaction
2 | 2011-07-27 05:15:00 | Rejected transaction
2 | 2011-07-27 05:00:00 | Canceled transaction
2 | 2011-07-27 05:00:00 | Canceled transfer
3 | 2011-07-27 05:00:00 | Payment rejected
33 | 2011-07-27 04:45:00 | Canceled payment
22 | 2011-07-27 04:45:00 | Canceled transaction
26 | 2011-07-27 04:45:00 | Canceled transfer
24 | 2011-07-27 04:45:00 | Payment canceled
30 | 2011-07-27 04:45:00 | Payment rejected
17 | 2011-07-27 04:45:00 | Rejected transaction
1 | 2011-07-27 04:30:00 | Payment canceled
1 | 2011-07-27 04:15:00 | Canceled transaction
1 | 2011-07-27 04:15:00 | Payment canceled
1 | 2011-07-26 17:15:00 | Attack on Guinea leader repelled
1 | 2011-07-26 06:00:00 | IRC.gov
1 | 2011-07-26 05:45:00 | VIDEO: Phoenix hit by second dust storm
1 | 2011-07-25 14:00:00 | Hi!
1 | 2011-07-23 19:45:00 | Giant space telescope reaches orbit
1 | 2011-07-23 19:45:00 | High Court challenge on care cuts
1 | 2011-07-23 19:45:00 | HMRC in cost-cutting 'challenge'
1 | 2011-07-23 19:45:00 | Mortgage lending remains subdued
1 | 2011-07-23 19:45:00 | Mum's stress reaches baby in womb
1 | 2011-07-23 19:45:00 | Nato hands over key Afghan city
1 | 2011-07-23 19:45:00 | Personal pension advice still bad
1 | 2011-07-23 19:45:00 | Scots economy escapes recession
1 | 2011-07-23 19:45:00 | Serbia arrests last war crimes fugitive
1 | 2011-07-23 19:45:00 | Strauss-Kahn daughter questioned
1 | 2011-07-23 19:45:00 | VIDEO: Key moments as MPs grill Murdochs
1 | 2011-07-23 18:30:00 | Heya
2 | 2011-07-22 19:45:00 | Hi
1 | 2011-07-22 19:00:00 | Hey
1 | 2011-07-22 19:00:00 | Hi
1 | 2011-07-22 13:45:00 | Heya
1 | 2011-07-22 07:15:00 | Read: A Must for High-Rise Emergencies
1 | 2011-07-22 05:00:00 | IRC.gov
1 | 2011-07-22 04:45:00 | Support IRS.gov
2 | 2011-07-22 03:45:00 | Change Confirmation
1 | 2011-07-22 03:45:00 | Does your enterprise including outstanding tax debts
1 | 2011-07-22 03:45:00 | Internal Revenue Service
1 | 2011-07-22 03:45:00 | Internal Revenue Service United States Department of the Treasury
1 | 2011-07-22 03:45:00 | IRC.gov
1 | 2011-07-22 03:45:00 | IRS.gov US
1 | 2011-07-22 03:45:00 | Notice of Underreported Income
3 | 2011-07-22 03:45:00 | Support IRS.gov
2 | 2011-07-22 03:45:00 | Treasury Inspector General for Tax Administration
2 | 2011-07-22 03:45:00 | U.S. Department of the Treasury
2 | 2011-07-22 03:45:00 | Your company including unpaid tax debts
1 | 2011-07-21 13:00:00 | Manhood raisers with price-offs!
1 | 2011-07-21 13:00:00 | Super lasting and good stiff!
1 | 2011-07-21 05:45:00 | New security update
2 | 2011-07-21 04:45:00 | Go id token update
6 | 2011-07-21 04:45:00 | Security token update
1 | 2011-07-21 04:45:00 | Token code update
2 | 2011-07-21 04:45:00 | Token software update
1 | 2011-07-20 07:30:00 | Canceled payment
1 | 2011-07-20 07:30:00 | Rejected transaction
1 | 2011-07-20 07:00:00 | Payment rejected
1 | 2011-07-20 06:45:00 | Canceled payment
1 | 2011-07-20 06:45:00 | Payment canceled
16 | 2011-07-20 06:30:00 | Canceled payment
8 | 2011-07-20 06:30:00 | Canceled transaction
10 | 2011-07-20 06:30:00 | Canceled transfer
7 | 2011-07-20 06:30:00 | Payment canceled
8 | 2011-07-20 06:30:00 | Payment rejected
6 | 2011-07-20 06:30:00 | Rejected transaction
19 | 2011-07-20 06:15:00 | Canceled payment
13 | 2011-07-20 06:15:00 | Canceled transaction
15 | 2011-07-20 06:15:00 | Canceled transfer
16 | 2011-07-20 06:15:00 | Payment canceled
17 | 2011-07-20 06:15:00 | Payment rejected
24 | 2011-07-20 06:15:00 | Rejected transaction
2 | 2011-07-20 05:00:00 | Wire transfer # 3240569823405844930
4 | 2011-07-20 05:00:00 | Wire transfer # 3463453123432454667
1 | 2011-07-20 05:00:00 | Wire transfer # 3858994783568734677
1 | 2011-07-20 05:00:00 | Wire transfer # 4577867895676542367
2 | 2011-07-20 05:00:00 | Wire transfer # 5645746324515345353
2 | 2011-07-20 05:00:00 | Wire transfer # 6754846773457536756
2 | 2011-07-20 05:00:00 | Wire transfer # 6785675623451222333
1 | 2011-07-20 05:00:00 | Wire transfer # 8565696735865742365
2 | 2011-07-20 05:00:00 | Wire transfer ID 2345578568567567544
1 | 2011-07-20 05:00:00 | Wire transfer ID 3265474356547356756
1 | 2011-07-20 05:00:00 | Wire transfer ID 3425215345565475468
1 | 2011-07-20 05:00:00 | Wire transfer id 3425233214234534634
5 | 2011-07-20 05:00:00 | Wire transfer ID 3425233214234534634
1 | 2011-07-20 05:00:00 | Wire transfer id 3452364365475463425
1 | 2011-07-20 05:00:00 | Wire transfer ID 4135146854351231151
1 | 2011-07-20 05:00:00 | Wire transfer ID 4353267658545629087
3 | 2011-07-20 05:00:00 | Wire transfer ID 5468513264769656536
1 | 2011-07-20 05:00:00 | Wire transfer id 5473785489567245623
1 | 2011-07-20 05:00:00 | Wire transfer ID 5687895416264572398
1 | 2011-07-20 05:00:00 | Wire transfer ID 5876978567345176586
1 | 2011-07-20 05:00:00 | Wire transfer ID 6768576565423453415
1 | 2011-07-20 05:00:00 | Wire transfer id 6857234568657433677
3 | 2011-07-20 05:00:00 | Wire transfer id 8479764976835672345
1 | 2011-07-20 05:00:00 | Wire transfer id 8658375686537546544
41 | 2011-07-20 05:00:00 | Your Wire fund transfer
1 | 2011-07-20 04:30:00 | Wire transfer ID 6431531354846843122
1 | 2011-07-19 04:45:00 | Change Confirmation
1 | 2011-07-19 04:45:00 | Does your company is registered outstanding tax debts
2 | 2011-07-19 04:45:00 | U.S. Department of the Treasury
1 | 2011-07-19 04:45:00 | Your IRS payment rejected
1 | 2011-07-19 04:30:00 | Change Confirmation
1 | 2011-07-19 04:30:00 | Does your company including tax debts
1 | 2011-07-19 04:30:00 | Does your enterprise listed unpaid tax debts
2 | 2011-07-19 04:30:00 | Federal Tax payment rejected
1 | 2011-07-19 04:30:00 | For your company including unpaid tax debt
1 | 2011-07-19 04:30:00 | For your enterprise including tax debt
13 | 2011-07-19 04:30:00 | Internal Revenue Service
4 | 2011-07-19 04:30:00 | Internal Revenue Service (IRS)
2 | 2011-07-19 04:30:00 | Internal Revenue Service United States Department of the Treasury
4 | 2011-07-19 04:30:00 | IRC.gov
5 | 2011-07-19 04:30:00 | IRS.gov US
8 | 2011-07-19 04:30:00 | Notice of Underreported Income
6 | 2011-07-19 04:30:00 | Payment IRS.gov
4 | 2011-07-19 04:30:00 | Support IRS.gov
5 | 2011-07-19 04:30:00 | Treasury Inspector General for Tax Administration
1 | 2011-07-19 04:30:00 | U.S. Department of the Treasury
2 | 2011-07-19 04:30:00 | Your enterprise has remained outstanding tax debts
3 | 2011-07-19 04:30:00 | Your IRS payment rejected
1 | 2011-07-19 04:15:00 | Internal Revenue Service
1 | 2011-07-18 10:30:00 | Love BlackJack? Check out the games at Winner Palace
1 | 2011-07-16 02:00:00 | Out of Office AutoReply: Please Review
1 | 2011-07-15 09:00:00 | For your company is registered unpaid tax debt
1 | 2011-07-15 09:00:00 | Internal Revenue Service
2 | 2011-07-15 08:45:00 | Change Confirmation
2 | 2011-07-15 08:45:00 | Federal Tax payment rejected
2 | 2011-07-15 08:45:00 | Internal Revenue Service
2 | 2011-07-15 08:45:00 | Internal Revenue Service (IRS)
4 | 2011-07-15 08:45:00 | Internal Revenue Service United States Department of the Treasury
3 | 2011-07-15 08:45:00 | IRC.gov
1 | 2011-07-15 08:45:00 | IRS.gov US
3 | 2011-07-15 08:45:00 | Payment IRS.gov
2 | 2011-07-15 08:45:00 | Support IRS.gov
1 | 2011-07-15 08:45:00 | Treasury Inspector General for Tax Administration
1 | 2011-07-15 08:45:00 | U.S. Department of the Treasury
2 | 2011-07-15 08:45:00 | Your IRS payment rejected
1 | 2011-07-15 07:30:00 | TV murder appeal prompts 40 calls
1 | 2011-07-14 21:30:00 | US senator requests hacking probe
1 | 2011-07-14 20:15:00 | Parties unite over BSkyB bid call
1 | 2011-07-14 19:45:00 | PM Kan urges 'nuclear-free Japan'
1 | 2011-07-14 18:00:00 | Man tells jury 'I killed Lynette'
1 | 2011-07-14 15:15:00 | VIDEO: Live: Debate on youth unemployment
1 | 2011-07-14 07:15:00 | Security update for banking accounts.
10 | 2011-07-14 07:00:00 | ACH and Wire transfers disabled.
5 | 2011-07-14 07:00:00 | Banking security update.
7 | 2011-07-14 07:00:00 | Security update for banking accounts.
5 | 2011-07-14 07:00:00 | Update for your banking account.
1 | 2011-07-13 11:30:00 | Hospitals warned over clot deaths
1 | 2011-07-13 07:45:00 | Does your enterprise listed unpaid tax debt
3 | 2011-07-13 07:45:00 | Federal Tax payment rejected
5 | 2011-07-13 07:45:00 | Internal Revenue Service United States Department of the Treasury
2 | 2011-07-13 07:45:00 | IRC.gov
7 | 2011-07-13 07:45:00 | Notice of Underreported Income
1 | 2011-07-13 07:45:00 | Treasury Inspector General for Tax Administration
2 | 2011-07-13 07:45:00 | U.S. Department of the Treasury
1 | 2011-07-13 07:45:00 | Your company listed outstanding tax debt
1 | 2011-07-13 07:45:00 | Your enterprise listed unpaid tax debt
1 | 2011-07-13 07:30:00 | Internal Revenue Service
2 | 2011-07-13 07:30:00 | Internal Revenue Service (IRS)
2 | 2011-07-13 07:30:00 | Internal Revenue Service United States Department of the Treasury
1 | 2011-07-13 07:30:00 | Notice of Underreported Income
3 | 2011-07-13 07:30:00 | Payment IRS.gov
1 | 2011-07-13 07:30:00 | Support IRS.gov
2 | 2011-07-13 07:30:00 | U.S. Department of the Treasury
2 | 2011-07-13 07:30:00 | Your IRS payment rejected
3 | 2011-07-13 05:45:00 | Business accounts updates
1 | 2011-07-13 05:45:00 | Dear corporate clients
1 | 2011-07-13 05:45:00 | New settings for wire transfers
1 | 2011-07-13 05:30:00 | Business accounts updates
5 | 2011-07-13 05:30:00 | Corporate banking security
3 | 2011-07-13 05:30:00 | Dear corporate clients
10 | 2011-07-13 05:30:00 | Federalreserve security update
4 | 2011-07-13 05:30:00 | New security settings
4 | 2011-07-13 05:30:00 | New security update
5 | 2011-07-13 05:30:00 | New settings for wire transfers
2 | 2011-07-13 05:30:00 | Wire transfers update



We can also ask it which spammed destinations those messages were advertising, and learn that they were:

July 13th = usbanking-security.com
July 15th = federalsecusrity.com
July 19th = taxreport-irs.com
July 19th = irs-taxes-report.com
July 19th = irs-report-link.com
July 20th = www.federalreserve.gov
July 20th = reports-federalreserve.com
July 20th = nacha-alert.org
July 20th = nacha-alert.com
July 20th = alerts-federalresrve.com
July 21st = national-security-agency.com
July 21st = federal-secueity-government.com
July 22nd = irs-downloads.com
July 22nd = irs-files.com
July 26th = taxes-irs.net
July 27th = www.nacha-rejected.com
July 27th = taxes-refund.com
July 28th = fdic-updates.com

Again, the query run says "look at my spam history FOR THE IP ADDRESSES USED BY THE GOV-RELATED ZEUS DOMAIN THIS MORNING and see what else they've sent me previously."

I've temporarily included only those links that were DIRECTLY linking to an executable, but we also have all of the "domain-shortener" spam that was sent on July 13th pretending to be a LinkedIn message. In that case, the spam used 25 different shortener services, most of which seem to have been created specifically for that purpose:

1tja.com
4h.biz
4nu.net
coge.la
d3c.co
flyfrm.com
gli.im
gsfn.info
hi2.com
ion.so
ks.gs
lawurl.com
lllll.im
niy.me
nznet.info
sendtourl.com
shoor.tk
smlurl.info
sra.li
tiny.tw
vs0.net
widg.me
wurl.ca
yi.pe
zolp.net

And yes, we can also tie today's spamming botnet to all of those fake LinkedIn spam messages that distributed Zeus on July 13th.

Wednesday, July 27, 2011

"Wrong Transaction" Hotel Spam

(Updated information available here: Wrong Transaction Hotel Spam Continues to Evolve.)

One of the features in the new version of the UAB Spam Data Mine is the ability to quickly run "malware links" and "malware attachments" reports for the current day, the previous day, or a date range.

The objective of this functionality is to provide as close to "real time" intelligence on potential new email-based threats as possible. You'll see what I mean below.

I've been playing with it for the past several days, but just so you can join in the fun, let me show you the top results that come back when I do:

\i malware.attachments.sql

Spam Count | Attached MD5                     | Extension | Subject
         6 | c15eb3c47800fec025b6a86a6409f144 | zip       | Hotel Renaissance Chicago made wrong transaction
         5 | c15eb3c47800fec025b6a86a6409f144 | zip       | Hotel Hyatt Regency Houston made wrong transaction
         5 | c15eb3c47800fec025b6a86a6409f144 | zip       | Hotel Jefferson made wrong transaction
         5 | c15eb3c47800fec025b6a86a6409f144 | zip       | Hotel Renaissance Washington made wrong transaction
         5 | c15eb3c47800fec025b6a86a6409f144 | zip       | Hotel Sheraton Suites San Diego at Symphony Hall made wrong transaction
         5 | c15eb3c47800fec025b6a86a6409f144 | zip       | Hotel The Westin Oaks made wrong transaction
         5 | c15eb3c47800fec025b6a86a6409f144 | zip       | Hotel Westin Diplomat Resort & Spa made wrong transaction
         5 | c15eb3c47800fec025b6a86a6409f144 | zip       | Hotel Westin St. Francis made wrong transaction
         4 | c15eb3c47800fec025b6a86a6409f144 | zip       | Hotel Hilton Las Vegas made wrong transaction
         4 | c15eb3c47800fec025b6a86a6409f144 | zip       | Hotel Intercontinental Buckhead Atlanta made wrong transaction
         4 | c15eb3c47800fec025b6a86a6409f144 | zip       | Hotel Rancho Bernardo Inn made wrong transaction
         4 | c15eb3c47800fec025b6a86a6409f144 | zip       | Hotel Ritz Carlton Kapalua made wrong transaction
         4 | c15eb3c47800fec025b6a86a6409f144 | zip       | Hotel Ritz-Carlton Marina Del Rey made wrong transaction
         4 | c15eb3c47800fec025b6a86a6409f144 | zip       | Hotel The Latham made wrong transaction
         4 | c15eb3c47800fec025b6a86a6409f144 | zip       | Hotel The Westin New York at Times Square made wrong transaction
         4 | c15eb3c47800fec025b6a86a6409f144 | zip       | Wrong transaction from your credit card in Ritz Carlton Naples Beach Resort
         3 | c15eb3c47800fec025b6a86a6409f144 | zip       | Hotel Four Seasons Resort Maui at Wailea made wrong transaction
         3 | c15eb3c47800fec025b6a86a6409f144 | zip       | Hotel The Whitehall made wrong transaction
         3 | c15eb3c47800fec025b6a86a6409f144 | zip       | Wrong transaction from your credit card in Loews Miami Beach
         3 | c15eb3c47800fec025b6a86a6409f144 | zip       | Wrong transaction from your credit card in Woodrun V Townhomes


Since we've never seen spam like this before, it's "new" and potentially interesting!
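The three kinds of query these posts lean on are easy to model: the per-day "malware attachments" report above, the per-hash first-seen/last-seen timeline in the July 31 post, and the July 28 post's sender-IP pivot ("show me everything else the IPs that sent this campaign have sent me"). The Python/SQLite script below is an added example, not code from the UAB Spam Data Mine and not its malware.attachments.sql; the table layout, column names and sender IPs (RFC 5737 documentation addresses) are assumptions, and the archive rows are constructed sample data built around the two zip hashes quoted in the posts.

```python
"""Three spam-archive reports modelled on SQLite (added example, not UAB code)."""
import sqlite3
from collections import Counter
from datetime import datetime

# Attachment hashes quoted in the posts; everything else below is constructed sample data.
HOTEL_MD5_1 = "c15eb3c47800fec025b6a86a6409f144"   # first hotel-spam zip (July 27, 03:00 AM)
HOTEL_MD5_2 = "01e3bbd4b6f8c22a3516771f9b6792bc"   # the zip that replaced it at 12:45 PM

# Constructed archive rows: (received_at, sender_ip, subject, attachment_md5, extension).
# Sender IPs are RFC 5737 documentation addresses, not real botnet members.
SAMPLE_SPAM = [
    ("2011-07-26 09:05:00", "192.0.2.10", "Credit Card overdue", None, None),
    ("2011-07-26 09:07:00", "192.0.2.11", "Credit Card is one week overdue", None, None),
    ("2011-07-26 09:12:00", "192.0.2.10", "Credit Card overdue", None, None),
    ("2011-07-26 11:40:00", "198.51.100.7", "Rolex.com For You - 77%", None, None),
    ("2011-07-27 03:02:00", "192.0.2.10", "Hotel Renaissance Chicago made wrong transaction", HOTEL_MD5_1, "zip"),
    ("2011-07-27 03:04:00", "192.0.2.11", "Hotel Jefferson made wrong transaction", HOTEL_MD5_1, "zip"),
    ("2011-07-27 03:09:00", "192.0.2.12", "Hotel Renaissance Chicago made wrong transaction", HOTEL_MD5_1, "zip"),
    ("2011-07-27 08:30:00", "192.0.2.10", "Hotel The Westin Oaks made wrong transaction", HOTEL_MD5_1, "zip"),
    ("2011-07-27 12:45:00", "192.0.2.11", "Hotel Jefferson made wrong transaction", HOTEL_MD5_2, "zip"),
    ("2011-07-27 12:50:00", "192.0.2.12", "Hotel Jefferson made wrong transaction", HOTEL_MD5_2, "zip"),
    ("2011-07-27 13:10:00", "198.51.100.7", "Rolex.com For You - 55%", None, None),
]


def load_sample_db():
    """In-memory archive with one row per received spam message (schema is assumed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE spam (received_at TEXT, sender_ip TEXT, subject TEXT, "
                 "attachment_md5 TEXT, extension TEXT)")
    conn.executemany("INSERT INTO spam VALUES (?, ?, ?, ?, ?)", SAMPLE_SPAM)
    return conn


def attachment_report(conn, day):
    """'Malware attachments' report for one day: spam count per (md5, extension, subject)."""
    return conn.execute(
        "SELECT COUNT(*), attachment_md5, extension, subject FROM spam "
        "WHERE attachment_md5 IS NOT NULL AND substr(received_at, 1, 10) = ? "
        "GROUP BY attachment_md5, extension, subject "
        "ORDER BY COUNT(*) DESC, subject", (day,)).fetchall()


def md5_time_ranges(conn):
    """Campaign evolution: count and first/last-seen window per attachment hash."""
    return conn.execute(
        "SELECT COUNT(*), attachment_md5, MIN(received_at), MAX(received_at) FROM spam "
        "WHERE attachment_md5 IS NOT NULL GROUP BY attachment_md5 "
        "ORDER BY MIN(received_at)").fetchall()


def bucket_15min(ts):
    """Round a 'YYYY-MM-DD HH:MM:SS' timestamp down to its 15-minute block."""
    dt = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
    return dt.replace(minute=dt.minute - dt.minute % 15, second=0).strftime("%Y-%m-%d %H:%M:%S")


def subjects_from_same_senders(conn, md5, since=None):
    """Pivot: IPs that delivered `md5` -> every subject those IPs sent, per 15-minute block.
    Returns (count, block, subject) rows, newest block first, like the psql output in the posts."""
    rows = conn.execute(
        "SELECT received_at, subject FROM spam "
        "WHERE sender_ip IN (SELECT DISTINCT sender_ip FROM spam WHERE attachment_md5 = ?) "
        "AND (? IS NULL OR received_at >= ?)", (md5, since, since)).fetchall()
    counts = Counter((bucket_15min(ts), subject) for ts, subject in rows)
    out = [(n, block, subject) for (block, subject), n in counts.items()]
    out.sort(key=lambda r: r[2])                  # subject A-Z within a block
    out.sort(key=lambda r: r[1], reverse=True)    # newest block first (stable sort)
    return out


if __name__ == "__main__":
    db = load_sample_db()
    print("-- malware attachments for 2011-07-27")
    for n, md5, ext, subj in attachment_report(db, "2011-07-27"):
        print(f"{n:>4} {md5} {ext} {subj}")
    print("-- hash time ranges")
    for n, md5, first, last in md5_time_ranges(db):
        print(f"{n:>4} {md5} {first} to {last}")
    print("-- other subjects from the IPs that sent", HOTEL_MD5_1[:5])
    for n, block, subj in subjects_from_same_senders(db, HOTEL_MD5_1):
        print(f"{n:>4} | {block} | {subj}")
```

Running it prints the three reports. The pivot is the interesting one: it surfaces the previous day's "Credit Card overdue" subjects from the same sender IPs, which is exactly how the post ties the hotel spam to the earlier MasterCard Fake AV run, while the unrelated Rolex sender stays out of the result. On a real archive the IN-subquery over sender_ip is the expensive part and wants an index on (sender_ip, received_at).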

One quick check of whether this is "interesting" is what happens when we ask forty-three different anti-virus vendors whether the attached file is a virus or not.

We do this by using the services of VirusTotal.com, which gave us back this report: VirusTotal Report for c15eb3c47800fec025b6a86a6409f144. At the time of this writing, having already received more than 800 copies of the spam, Sophos and Trend Micro call it "BredoLab", Rising AV of China calls it "suspicious", and NOD32 says it's a "Kryptik" variant. The other thirty-nine AV companies currently don't have published definitions for this malware.



UPDATE: As of 12:36 PM Central Time on July 27th, we are now up to 12 of 43 detects. See the updated VirusTotal Report here. Curiously, just yesterday someone asked me whether we ever see AV vendors change their minds about what something should be called. You'll note that on the first report Sophos called this Bredolab, but now they are calling it Zbot. It will be interesting to see how that plays out, since no one else among the 12 detectors believes this to be Zeus (aka Zbot).





The spam messages look like this:



We've already seen more than 400 different subjects that are part of this group!

7 | Hotel Courtyard by Marriott Houston Downtown made wrong transaction
6 | Hotel Ritz-Carlton Marina Del Rey made wrong transaction
6 | Hotel Hilton Las Vegas made wrong transaction
6 | Hotel Renaissance Chicago made wrong transaction
6 | Hotel Westin Diplomat Resort & Spa made wrong transaction
5 | Wrong transaction from your credit card in Icon
5 | Wrong transaction from your credit card in Ritz Carlton Naples Beach Resort
5 | Hotel The Westin Oaks made wrong transaction
5 | Hotel Sheraton Suites San Diego at Symphony Hall made wrong transaction
5 | Hotel Renaissance Washington made wrong transaction
5 | Hotel Jefferson made wrong transaction
5 | Hotel Westin St. Francis made wrong transaction
5 | Hotel Rancho Bernardo Inn made wrong transaction
5 | Hotel Intercontinental Buckhead Atlanta made wrong transaction
5 | Hotel Hyatt Regency Houston made wrong transaction

(The complete list concludes at the bottom of this post . . . )

One of the other great things we can do with the UAB Spam Data Mine though, is to ask "what other things are being sent by the computers that sent us this spam?"

Look what happens when I ask "show me the top subjects from YESTERDAY that were spammed by IP addresses that spammed the hotel spam TODAY":

62 | 2011-07-26 | Credit Card is one week overdue
51 | 2011-07-26 | Credit Card overdue
43 | 2011-07-26 | Your Credit Card is one week overdue
39 | 2011-07-26 | Payment by credit card overdue
39 | 2011-07-26 | Credit card payment of overstayed
25 | 2011-07-26 | Your financial debt overdue
 6 | 2011-07-26 | Re: Re: hi bud
 5 | 2011-07-26 | Get your first bonus just for registering.
 4 | 2011-07-26 | We offer only top grade Replica watches at only a fraction of the original price,
 4 | 2011-07-26 | Chase bonuses no more; register at Winner Palacce.
 4 | 2011-07-26 | Seeking gaming glory? Sign up and get free bonus.
 3 | 2011-07-26 | A dream come true sign up bonus at Winner Palacce.
 3 | 2011-07-26 | Gaming glory beckons, register and get free bonus.


The top group, the most prominent result of this query, was the "MasterCard" version of the Fake AV malware that we blogged about previously on July 23rd in MasterCard Spam Leads to Fake AV. SC Magazine's Angelina Moscaritolo wrote that up under the headline "Rogue AV Masquerading as SC Awards 2011 Finalist". The same spamming botnet has been sending out casino spam and Rolex watch spam for more than a month.

We had 120 different subjects from this small IP sample group yesterday -- many of the subjects are "customized" such as "gar@place.com Rolex.com For You - 77%" or "gar@otherplace.com Rolex.com For You - 55%"

So, what do we predict the Hotel Spam will turn out to be? There is a good chance it will be related to the MasterCard Fake AV Spam. Well . . . one way to find out, right?

The .zip file contained this file:



When we launched the malware, it made a connection to the web server at "yomwarayom2001.ru" on IP address 84.247.61.25.

The first link we hit there was an exploit server -- probably the "BlackHole Exploit Kit" that has been very popular recently on similarly structured web pages. We almost immediately ALSO fetched a file called "forum3/load.php?module=grabbers".

This caused us to download a file "soft.exe" from yomwarayom2001.ru.

A couple of minutes later, a pop-up announced "Software Installed" with an "OK" button. Clicking OK caused a connection to "heftyhips.com" on IP 66.197.251.53, where the file "images/img.php?id=106" was fetched.

Shortly thereafter we had a "Defender" icon on the desktop, which was this file:



Note that "Defender" claims to be written by AVG Software Development, a real antivirus company!

That was enough to convince me we were still in "Fake AV" territory.


The rest of the hotel spam subject list



Hotel Acqualina Resort & Spa made wrong transaction
Hotel Ahwahnee made wrong transaction
Hotel Amsterdam Hospitality made wrong transaction
Hotel Anglers made wrong transaction
Hotel Argonaut made wrong transaction
Hotel Aria made wrong transaction
Hotel Arizona Biltmore made wrong transaction
Hotel Arrabelle at Vail Square made wrong transaction
Hotel Avalon made wrong transaction
Hotel Bellagio and Casino made wrong transaction
Hotel Beverly Hills & Bungalows made wrong transaction
Hotel Beverly Wilshire, A Four Seasons made wrong transaction
Hotel Biltmore made wrong transaction
Hotel Boston Harbor made wrong transaction
Hotel Boston Marriott Copley Place made wrong transaction
Hotel Breakers Palm Beach made wrong transaction
Hotel Breakwater made wrong transaction
Hotel Camelback Inn, A JW Marriott Resort & Spa made wrong transaction
Hotel Campton Place made wrong transaction
Hotel Carlton on Madison Avenue made wrong transaction
Hotel Casa Del Mar made wrong transaction
Hotel Chamonix made wrong transaction
Hotel Charleston Marriott made wrong transaction
Hotel Charleston Place made wrong transaction
Hotel Conrad Chicago made wrong transaction
Hotel Conrad Miami made wrong transaction
Hotel Courtyard by Marriott Capitol Hill/Navy Yard made wrong transaction
Hotel Courtyard by Marriott Houston Downtown made wrong transaction
Hotel Courtyard Washington Convention Center made wrong transaction
Hotel Crowne Plaza The Hamilton made wrong transaction
Hotel Delano made wrong transaction
Hotel Del Coronado made wrong transaction
Hotel Disney's Grand Californian made wrong transaction
Hotel Disney's Grand Floridian made wrong transaction
Hotel Disney's Polynesian Resort made wrong transaction
Hotel Doubletree by Hilton Orlando at SeaWorld made wrong transaction
Hotel Dunton Hot Springs made wrong transaction
Hotel Embassy Suites Chevy Chase Pavilion made wrong transaction
Hotel Embassy Suites - Convention Center made wrong transaction
Hotel Embassy Suites made wrong transaction
Hotel Embassy Suites North Charleston made wrong transaction
Hotel Embassy Suites Washington made wrong transaction
Hotel Enchantment Resort made wrong transaction
Hotel Encore at Wynn made wrong transaction
Hotel Fairmont Chicago made wrong transaction
Hotel Fairmont Heritage Place Ghiradelli Square made wrong transaction
Hotel Fairmont Kea Lani made wrong transaction
Hotel Fairmont Miramar made wrong transaction
Hotel Fairmont Scottsdale made wrong transaction
Hotel Fairmont & Towers made wrong transaction
Hotel Florida Choice Executive Pool Homes made wrong transaction
Hotel Four Seasons Los Angeles at Beverly Hills made wrong transaction
Hotel Four Seasons made wrong transaction
Hotel Four Seasons Resort Lanai at Manele Bay made wrong transaction
Hotel Four Seasons Resort Maui at Wailea made wrong transaction
Hotel Four Seasons Resort Palm Beach made wrong transaction
Hotel Four Seasons Resort Scottsdale made wrong transaction
Hotel Four Seasons San Francisco made wrong transaction
Hotel Gansevoort South made wrong transaction
Hotel George made wrong transaction
Hotel Gramercy Park made wrong transaction
Hotel Grand Bohemian made wrong transaction
Hotel Grand Hyatt Atlanta in Buckhead made wrong transaction
Hotel Grand Hyatt Kauai Resort & Spa made wrong transaction
Hotel Grand Hyatt New York made wrong transaction
Hotel Grand Hyatt San Francisco made wrong transaction
Hotel Grand Hyatt Seattle made wrong transaction
Hotel Grand Hyatt Washington made wrong transaction
Hotel Granduca made wrong transaction
Hotel Grand Wailea Resort made wrong transaction
Hotel Halekulani made wrong transaction
Hotel Hampton Inn Washington - Convention Center made wrong transaction
Hotel Helix Boutique made wrong transaction
Hotel Hilton Americas Houston made wrong transaction
Hotel Hilton Atlanta Airport made wrong transaction
Hotel Hilton Atlanta made wrong transaction
Hotel Hilton Boston Logan Airport made wrong transaction
Hotel Hilton Chicago made wrong transaction
Hotel Hilton Garden Inn Washington DC Franklin Square made wrong transaction
Hotel Hilton Grand Vacations Club made wrong transaction
Hotel Hilton Hawaiian Village made wrong transaction
Hotel Hilton Houston Plaza made wrong transaction
Hotel Hilton Houston Westchase made wrong transaction
Hotel Hilton Las Vegas made wrong transaction
Hotel Hilton Orlando Bonnet Creek made wrong transaction
Hotel Hilton Washington Embassy Row made wrong transaction
Hotel Hilton Washington made wrong transaction
Hotel Holiday Inn Port of Miami Downtown made wrong transaction
Hotel Homewood Suites made wrong transaction
Hotel Hyatt Grand Aspen made wrong transaction
Hotel Hyatt Regency Atlanta made wrong transaction
Hotel Hyatt Regency Grand Cypress made wrong transaction
Hotel Hyatt Regency Houston made wrong transaction
Hotel Hyatt Regency Huntington Beach made wrong transaction
Hotel Hyatt Regency Maui Resort and Spa made wrong transaction
Hotel Hyatt Regency San Francisco made wrong transaction
Hotel Hyatt Regency Scottsdale Resort made wrong transaction
Hotel Hyatt Regency Waikiki made wrong transaction
Hotel Hyatt Regency Washington made wrong transaction
Hotel Icon made wrong transaction
Hotel Indian Creek made wrong transaction
Hotel Inn at Perry Cabin made wrong transaction
Hotel Inn at the Ballpark made wrong transaction
Hotel Intercontinental Buckhead Atlanta made wrong transaction
Hotel InterContinental Chicago made wrong transaction
Hotel InterContinental made wrong transaction
Hotel Intercontinental San Francisco made wrong transaction
Hotel InterContinental The Barclay New York made wrong transaction
Hotel Jefferson made wrong transaction
Hotel Jerome made wrong transaction
Hotel Jumeirah Essex House made wrong transaction
Hotel JW Marriott Buckhead Atlanta made wrong transaction
Hotel JW Marriott Desert Ridge Resort & Spa made wrong transaction
Hotel JW Marriott Las Vegas Resort, Spa & Golf made wrong transaction
Hotel JW Marriott Miami made wrong transaction
Hotel JW Marriott Orlando Grande Lakes made wrong transaction
Hotel JW Marriott Pennsylvania Avenue made wrong transaction
Hotel JW Marriott San Francisco made wrong transaction
Hotel Kahala Resort made wrong transaction
Hotel Keswick Hall made wrong transaction
Hotel La Costa Resort & Spa made wrong transaction
Hotel Lauberge Del Mar made wrong transaction
Hotel La Valencia made wrong transaction
Hotel Le Meridien San Francisco made wrong transaction
Hotel Le Parker Meridien made wrong transaction
Hotel Lodge At Koele made wrong transaction
Hotel Lodge At Torrey Pines made wrong transaction
Hotel Loews Coronado Bay Resort made wrong transaction
Hotel Loews Miami Beach made wrong transaction
Hotel Loews Regency made wrong transaction
Hotel Loews Santa Monica Beach made wrong transaction
Hotel London West Hollywood made wrong transaction
Hotel Lowell made wrong transaction
Hotel Madera made wrong transaction
Hotel Madison made wrong transaction
Hotel Main Street Station & Casino made wrong transaction
Hotel Mandalay Bay made wrong transaction
Hotel Mandarin Oriental made wrong transaction
Hotel Mandarin Oriental Miami made wrong transaction
Hotel Marriott at Metro Center made wrong transaction
Hotel Marriott Chicago Downtown Magnificent Mile made wrong transaction
Hotel Marriott Houston Airport at George Bush Intercontinental made wrong transaction
Hotel Marriott Marquis San Francisco made wrong transaction
Hotel Marriott Resort made wrong transaction
Hotel Marriott San Francisco Fisherman's Wharf made wrong transaction
Hotel Mauna Kea Beach made wrong transaction
Hotel Mauna Lani Bay & Bungalows made wrong transaction
Hotel McCoy Peak Lodge made wrong transaction
Hotel Melrose made wrong transaction
Hotel Meridian Luxury Suites made wrong transaction
Hotel Michelangelo made wrong transaction
Hotel Millennium UN Plaza made wrong transaction
Hotel Monaco Boutique made wrong transaction
Hotel Monaco Washington DC made wrong transaction
Hotel Mona Lisa Suite made wrong transaction
Hotel Mondrian made wrong transaction
Hotel Mondrian Scottsdale made wrong transaction
Hotel Mondrian South Beach made wrong transaction
Hotel Morenas Resort Morrison-Clark Historic Inn made wrong transaction
Hotel M Resort Spa & Casino made wrong transaction
Hotel New York Marriott Marquis made wrong transaction
Hotel Nolitan made wrong transaction
Hotel Oak Plantation Resort made wrong transaction
Hotel Ocean Key Resort & Spa made wrong transaction
Hotel Ocean Point Resort & Club made wrong transaction
Hotel Omni Berkshire Place made wrong transaction
Hotel Omni Chicago made wrong transaction
Hotel Omni Houston made wrong transaction
Hotel Omni made wrong transaction
Hotel One Bal Harbour Resort & Spa made wrong transaction
Hotel Owl Creek Homes made wrong transaction
Hotel Palms Place & Spa made wrong transaction
Hotel Palomar Boutique made wrong transaction
Hotel Palomar made wrong transaction
Hotel Park Hyatt Chicago made wrong transaction
Hotel Park Hyatt made wrong transaction
Hotel Park Hyatt Resort & Spa made wrong transaction
Hotel Peabody Orlando made wrong transaction
Hotel Peninsula New York made wrong transaction
Hotel Phoenician made wrong transaction
Hotel Pierre A Taj made wrong transaction
Hotel Plaza Athenee made wrong transaction
Hotel Pocono Palace made wrong transaction
Hotel Prescott made wrong transaction
Hotel Raffles L'Ermitage Beverly Hills made wrong transaction
Hotel Rancho Bernardo Inn made wrong transaction
Hotel Rancho Las Palmas Resort & Spa made wrong transaction
Hotel Red Rock Casino Resort & Spa made wrong transaction
Hotel Renaissance Charleston Historic District made wrong transaction
Hotel Renaissance Chicago made wrong transaction
Hotel Renaissance Houston Greenway Plaza made wrong transaction
Hotel Renaissance New York Times Square made wrong transaction
Hotel Renaissance Washington made wrong transaction
Hotel Renaissance Waverly made wrong transaction
Hotel Residence Inn by Marriott Capitol made wrong transaction
Hotel Rio Suite and Casino made wrong transaction
Hotel Ritz-Carlton Battery Park made wrong transaction
Hotel Ritz-Carlton Boston Common made wrong transaction
Hotel Ritz-Carlton Central Park made wrong transaction
Hotel Ritz-Carlton Golf Resort made wrong transaction
Hotel Ritz Carlton Kapalua made wrong transaction
Hotel Ritz Carlton Key Biscayne made wrong transaction
Hotel Ritz-Carlton Laguna Niguel made wrong transaction
Hotel Ritz-Carlton made wrong transaction
Hotel Ritz-Carlton Marina Del Rey made wrong transaction
Hotel Ritz Carlton Naples Beach Resort made wrong transaction
Hotel Ritz Carlton Naples Golf Resort made wrong transaction
Hotel Ritz-Carlton Orlando, Grande Lakes Resort made wrong transaction
Hotel Ritz-Carlton Palm Beach made wrong transaction
Hotel Ritz-Carlton San Francisco made wrong transaction
Hotel Ritz Carlton South Beach made wrong transaction
Hotel Rouge made wrong transaction
Hotel Royal Hawaiian made wrong transaction
Hotel Royal Pacific Resort made wrong transaction
Hotel Royal Palms Resort & Spa made wrong transaction
Hotel Sanctuary on Camelback Mountain made wrong transaction
Hotel Seattle Marriott Waterfront made wrong transaction
Hotel Se San Diego made wrong transaction
Hotel Shangri-La made wrong transaction
Hotel Sheraton Bal Harbour Beach Resort made wrong transaction
Hotel Sheraton Chicago and Towers made wrong transaction
Hotel Sheraton Keauhou Bay Resort & Spa made wrong transaction
Hotel Sheraton Maui Resort made wrong transaction
Hotel Sheraton Moana Surfrider made wrong transaction
Hotel Sheraton Suites Houston Near The Galleria made wrong transaction
Hotel Sheraton Suites San Diego at Symphony Hall made wrong transaction
Hotel Sheraton Waikiki made wrong transaction
Hotel Shore Club made wrong transaction
Hotel Shutters Beach made wrong transaction
Hotel Signature at MGM Grand made wrong transaction
Hotel Skylofts at MGM Grand made wrong transaction
Hotel SLS at Beverly Hills made wrong transaction
Hotel Sofitel Lafayette Square made wrong transaction
Hotel Sonesta Orlando Downtown made wrong transaction
Hotel Sorrento made wrong transaction
Hotel South Beach Marriott made wrong transaction
Hotel Star The Michelangelo made wrong transaction
Hotel St. Gregory Luxury & Suites made wrong transaction
Hotel St. Regis made wrong transaction
Hotel St. Regis Princeville Resort made wrong transaction
Hotel St. Regis Washington made wrong transaction
Hotel Sun Harbour Boutique made wrong transaction
Hotel Sutton Place made wrong transaction
Hotel Swissotel Chicago made wrong transaction
Hotel Taj Boston made wrong transaction
Hotel Taj Campton Place made wrong transaction
Hotel Tamarack by Destination Resorts Snowmass made wrong transaction
Hotel The Alexander made wrong transaction
Hotel The Alex made wrong transaction
Hotel The Carlyle, A Rosewood made wrong transaction
Hotel The Carlyle Suites made wrong transaction
Hotel The Chatwal made wrong transaction
Hotel The Cosmopolitan Las Vegas made wrong transaction
Hotel The Drake made wrong transaction
Hotel The Enclave made wrong transaction
Hotel The Equinox Resort & Spa made wrong transaction
Hotel The Fairmont Copley Plaza made wrong transaction
Hotel The Fairmont made wrong transaction
Hotel The Fairmont Olympic made wrong transaction
Hotel The Fairmont Orchid made wrong transaction
Hotel The Fairmont Washington made wrong transaction
Hotel The Hay-Adams made wrong transaction
Hotel The Helmsley Carlton House made wrong transaction
Hotel The Henley Park made wrong transaction
Hotel The Houstonian Club & Spa made wrong transaction
Hotel The Huntington and Nob Hill Spa made wrong transaction
Hotel The Iroquois made wrong transaction
Hotel The Langham Huntington & SPA made wrong transaction
Hotel The Latham made wrong transaction
Hotel The Lenox made wrong transaction
Hotel The Little Nell made wrong transaction
Hotel The Lucerne made wrong transaction
Hotel The New York Helmsley made wrong transaction
Hotel The Orchard made wrong transaction
Hotel The Palmer House Hilton made wrong transaction
Hotel The Peninsula Beverly Hills made wrong transaction
Hotel The Peninsula made wrong transaction
Hotel The Phoenician made wrong transaction
Hotel The Pierre made wrong transaction
Hotel The Plaza made wrong transaction
Hotel The Quincy made wrong transaction
Hotel The Ritz-Carlton Bachelor Gulch made wrong transaction
Hotel The Ritz-Carlton Buckhead made wrong transaction
Hotel The Ritz-Carlton Fort Lauderdale made wrong transaction
Hotel The Ritz-Carlton Georgetown made wrong transaction
Hotel The Ritz-Carlton Laguna Niguel made wrong transaction
Hotel The Ritz Carlton made wrong transaction
Hotel The Ritz-Carlton Orlando, Grande Lakes made wrong transaction
Hotel The Setai Fifth Avenue made wrong transaction
Hotel The Setai made wrong transaction
Hotel The St. Regis Aspen made wrong transaction
Hotel The St. Regis Monarch Beach made wrong transaction
Hotel The Venetian Resort and Casino made wrong transaction
Hotel The Villa By Barton G made wrong transaction
Hotel The Washington Court On Capital Hil made wrong transaction
Hotel The Westin Atlanta Airport made wrong transaction
Hotel The Westin Chicago River North made wrong transaction
Hotel The Westin Embassy Row made wrong transaction
Hotel The Westin Grand made wrong transaction
Hotel The Westin Michigan Avenue made wrong transaction
Hotel The Westin Mission Hills Resort & Spa made wrong transaction
Hotel The Westin New York at Times Square made wrong transaction
Hotel The Westin Oaks made wrong transaction
Hotel The Westin Peachtree Plaza made wrong transaction
Hotel The Westin Seattle made wrong transaction
Hotel The Whitehall made wrong transaction
Hotel The Wit-A Doubletree made wrong transaction
Hotel Tides South Beach made wrong transaction
Hotel Topaz made wrong transaction
Hotel Trump International Sonesta Beach resort made wrong transaction
Hotel Trump International & Tower made wrong transaction
Hotel Trump International Waikiki Beach Walk made wrong transaction
Hotel Trump Las Vegas made wrong transaction
Hotel Trump Soho made wrong transaction
Hotel Universal Portofino Bay a Loews made wrong transaction
Hotel Universal Royal Pacific Resort a Loews made wrong transaction
Hotel Vdara & Spa made wrong transaction
Hotel Viceroy Palm Springs made wrong transaction
Hotel Villas Of Grand Cypress made wrong transaction
Hotel Wailea Marriott an Outrigger Resort made wrong transaction
Hotel Waldorf Astoria Orlando made wrong transaction
Hotel Waldorf Astoria & Towers made wrong transaction
Hotel Waldorf Towers made wrong transaction
Hotel Walt Disney World Swan and Dolphin made wrong transaction
Hotel Wardman Park Marriott made wrong transaction
Hotel Washington Court on Capitol Hill made wrong transaction
Hotel Washington Suites Georgetown made wrong transaction
Hotel W Atlanta Midtown made wrong transaction
Hotel W Boston made wrong transaction
Hotel Westin Diplomat Resort & Spa made wrong transaction
Hotel Westin Maui Resort & Spa made wrong transaction
Hotel Westin Princeville Ocean Resort Villas made wrong transaction
Hotel Westin St. Francis made wrong transaction
Hotel W Hollywood made wrong transaction
Hotel Willard InterContinental made wrong transaction
Hotel Windsor Court made wrong transaction
Hotel W Los Angeles Westwood made wrong transaction
Hotel Woodrun Place Condo made wrong transaction
Hotel Woodrun V Townhomes made wrong transaction
Hotel W Seattle made wrong transaction
Hotel Wyndham Grand Desert made wrong transaction
Hotel Wynn Las Vegas made wrong transaction
Hotel XV Beacon made wrong transaction
Hotel ZaZa Houston made wrong transaction
Hotel Z Ocean made wrong transaction
Wrong transaction from your credit card in Acqualina Resort & Spa
Wrong transaction from your credit card in Ahwahnee
Wrong transaction from your credit card in Amsterdam Hospitality
Wrong transaction from your credit card in Anglers
Wrong transaction from your credit card in Argonaut
Wrong transaction from your credit card in Aria
Wrong transaction from your credit card in Arizona Biltmore
Wrong transaction from your credit card in Arrabelle at Vail Square
Wrong transaction from your credit card in Avalon
Wrong transaction from your credit card in Bellagio and Casino
Wrong transaction from your credit card in Beverly Hills & Bungalows
Wrong transaction from your credit card in Beverly Wilshire, A Four Seasons
Wrong transaction from your credit card in Biltmore
Wrong transaction from your credit card in Boston Harbor
Wrong transaction from your credit card in Boston Marriott Copley Place
Wrong transaction from your credit card in Breakers Palm Beach
Wrong transaction from your credit card in Breakwater
Wrong transaction from your credit card in Camelback Inn, A JW Marriott Resort & Spa
Wrong transaction from your credit card in Campton Place
Wrong transaction from your credit card in Carlton on Madison Avenue
Wrong transaction from your credit card in Casa Del Mar
Wrong transaction from your credit card in Chamonix
Wrong transaction from your credit card in Charleston Marriott
Wrong transaction from your credit card in Charleston Place
Wrong transaction from your credit card in Conrad Chicago
Wrong transaction from your credit card in Conrad Miami
Wrong transaction from your credit card in Courtyard by Marriott Capitol Hill/Navy Yard
Wrong transaction from your credit card in Courtyard by Marriott Houston Downtown
Wrong transaction from your credit card in Courtyard Washington Convention Center
Wrong transaction from your credit card in Crowne Plaza The Hamilton
Wrong transaction from your credit card in Delano
Wrong transaction from your credit card in Del Coronado
Wrong transaction from your credit card in Disney's Grand Californian
Wrong transaction from your credit card in Disney's Grand Floridian
Wrong transaction from your credit card in Disney's Polynesian Resort
Wrong transaction from your credit card in Doubletree by Hilton Orlando at SeaWorld
Wrong transaction from your credit card in Dunton Hot Springs
Wrong transaction from your credit card in Embassy Suites
Wrong transaction from your credit card in Embassy Suites Chevy Chase Pavilion
Wrong transaction from your credit card in Embassy Suites - Convention Center
Wrong transaction from your credit card in Embassy Suites North Charleston
Wrong transaction from your credit card in Embassy Suites Washington
Wrong transaction from your credit card in Enchantment Resort
Wrong transaction from your credit card in Encore at Wynn
Wrong transaction from your credit card in Fairmont Chicago
Wrong transaction from your credit card in Fairmont Heritage Place Ghiradelli Square
Wrong transaction from your credit card in Fairmont Kea Lani
Wrong transaction from your credit card in Fairmont Miramar
Wrong transaction from your credit card in Fairmont Scottsdale
Wrong transaction from your credit card in Fairmont & Towers
Wrong transaction from your credit card in Florida Choice Executive Pool Homes
Wrong transaction from your credit card in Four Seasons
Wrong transaction from your credit card in Four Seasons Los Angeles at Beverly Hills
Wrong transaction from your credit card in Four Seasons Resort Lanai at Manele Bay
Wrong transaction from your credit card in Four Seasons Resort Maui at Wailea
Wrong transaction from your credit card in Four Seasons Resort Palm Beach
Wrong transaction from your credit card in Four Seasons Resort Scottsdale
Wrong transaction from your credit card in Four Seasons San Francisco
Wrong transaction from your credit card in Gansevoort South
Wrong transaction from your credit card in George
Wrong transaction from your credit card in Gramercy Park
Wrong transaction from your credit card in Grand Bohemian
Wrong transaction from your credit card in Grand Hyatt Atlanta in Buckhead
Wrong transaction from your credit card in Grand Hyatt Kauai Resort & Spa
Wrong transaction from your credit card in Grand Hyatt New York
Wrong transaction from your credit card in Grand Hyatt San Francisco
Wrong transaction from your credit card in Grand Hyatt Seattle
Wrong transaction from your credit card in Grand Hyatt Washington
Wrong transaction from your credit card in Granduca
Wrong transaction from your credit card in Grand Wailea Resort
Wrong transaction from your credit card in Halekulani
Wrong transaction from your credit card in Hampton Inn Washington - Convention Center
Wrong transaction from your credit card in Helix Boutique
Wrong transaction from your credit card in Hilton Americas Houston
Wrong transaction from your credit card in Hilton Atlanta
Wrong transaction from your credit card in Hilton Atlanta Airport
Wrong transaction from your credit card in Hilton Boston Logan Airport
Wrong transaction from your credit card in Hilton Chicago
Wrong transaction from your credit card in Hilton Garden Inn Washington DC Franklin Square
Wrong transaction from your credit card in Hilton Grand Vacations Club
Wrong transaction from your credit card in Hilton Hawaiian Village
Wrong transaction from your credit card in Hilton Houston Plaza
Wrong transaction from your credit card in Hilton Houston Westchase
Wrong transaction from your credit card in Hilton Las Vegas
Wrong transaction from your credit card in Hilton Orlando Bonnet Creek
Wrong transaction from your credit card in Hilton Washington
Wrong transaction from your credit card in Hilton Washington Embassy Row
Wrong transaction from your credit card in Holiday Inn Port of Miami Downtown
Wrong transaction from your credit card in Homewood Suites
Wrong transaction from your credit card in Hyatt Grand Aspen
Wrong transaction from your credit card in Hyatt Regency Atlanta
Wrong transaction from your credit card in Hyatt Regency Grand Cypress
Wrong transaction from your credit card in Hyatt Regency Houston
Wrong transaction from your credit card in Hyatt Regency Huntington Beach
Wrong transaction from your credit card in Hyatt Regency Maui Resort and Spa
Wrong transaction from your credit card in Hyatt Regency San Francisco
Wrong transaction from your credit card in Hyatt Regency Scottsdale Resort
Wrong transaction from your credit card in Hyatt Regency Waikiki
Wrong transaction from your credit card in Hyatt Regency Washington
Wrong transaction from your credit card in Icon
Wrong transaction from your credit card in Indian Creek
Wrong transaction from your credit card in Inn at Perry Cabin
Wrong transaction from your credit card in Inn at the Ballpark
Wrong transaction from your credit card in InterContinental
Wrong transaction from your credit card in Intercontinental Buckhead Atlanta
Wrong transaction from your credit card in InterContinental Chicago
Wrong transaction from your credit card in Intercontinental San Francisco
Wrong transaction from your credit card in InterContinental The Barclay New York
Wrong transaction from your credit card in Jefferson
Wrong transaction from your credit card in Jerome
Wrong transaction from your credit card in Jumeirah Essex House
Wrong transaction from your credit card in JW Marriott Buckhead Atlanta
Wrong transaction from your credit card in JW Marriott Desert Ridge Resort & Spa
Wrong transaction from your credit card in JW Marriott Las Vegas Resort, Spa & Golf
Wrong transaction from your credit card in JW Marriott Miami
Wrong transaction from your credit card in JW Marriott Orlando Grande Lakes
Wrong transaction from your credit card in JW Marriott Pennsylvania Avenue
Wrong transaction from your credit card in JW Marriott San Francisco
Wrong transaction from your credit card in Kahala Resort
Wrong transaction from your credit card in Keswick Hall
Wrong transaction from your credit card in La Costa Resort & Spa
Wrong transaction from your credit card in Lauberge Del Mar
Wrong transaction from your credit card in La Valencia
Wrong transaction from your credit card in Le Meridien San Francisco
Wrong transaction from your credit card in Le Parker Meridien
Wrong transaction from your credit card in Lodge At Koele
Wrong transaction from your credit card in Lodge At Torrey Pines
Wrong transaction from your credit card in Loews Coronado Bay Resort
Wrong transaction from your credit card in Loews Miami Beach
Wrong transaction from your credit card in Loews Regency
Wrong transaction from your credit card in Loews Santa Monica Beach
Wrong transaction from your credit card in London West Hollywood
Wrong transaction from your credit card in Lowell
Wrong transaction from your credit card in Madera
Wrong transaction from your credit card in Madison
Wrong transaction from your credit card in Main Street Station & Casino
Wrong transaction from your credit card in Mandalay Bay
Wrong transaction from your credit card in Mandarin Oriental
Wrong transaction from your credit card in Mandarin Oriental Miami
Wrong transaction from your credit card in Marriott at Metro Center
Wrong transaction from your credit card in Marriott Chicago Downtown Magnificent Mile
Wrong transaction from your credit card in Marriott Houston Airport at George Bush Intercontinental
Wrong transaction from your credit card in Marriott Marquis San Francisco
Wrong transaction from your credit card in Marriott Resort
Wrong transaction from your credit card in Marriott San Francisco Fisherman's Wharf
Wrong transaction from your credit card in Mauna Kea Beach
Wrong transaction from your credit card in Mauna Lani Bay & Bungalows
Wrong transaction from your credit card in McCoy Peak Lodge
Wrong transaction from your credit card in Melrose
Wrong transaction from your credit card in Meridian Luxury Suites
Wrong transaction from your credit card in Michelangelo
Wrong transaction from your credit card in Millennium UN Plaza
Wrong transaction from your credit card in Monaco Boutique
Wrong transaction from your credit card in Monaco Washington DC
Wrong transaction from your credit card in Mona Lisa Suite
Wrong transaction from your credit card in Mondrian
Wrong transaction from your credit card in Mondrian Scottsdale
Wrong transaction from your credit card in Mondrian South Beach
Wrong transaction from your credit card in Morenas Resort Morrison-Clark Historic Inn
Wrong transaction from your credit card in M Resort Spa & Casino
Wrong transaction from your credit card in New York Marriott Marquis
Wrong transaction from your credit card in Nolitan
Wrong transaction from your credit card in Oak Plantation Resort
Wrong transaction from your credit card in Ocean Key Resort & Spa
Wrong transaction from your credit card in Ocean Point Resort & Club
Wrong transaction from your credit card in Omni
Wrong transaction from your credit card in Omni Berkshire Place
Wrong transaction from your credit card in Omni Chicago
Wrong transaction from your credit card in Omni Houston
Wrong transaction from your credit card in One Bal Harbour Resort & Spa
Wrong transaction from your credit card in Owl Creek Homes
Wrong transaction from your credit card in Palms Place & Spa
Wrong transaction from your credit card in Palomar
Wrong transaction from your credit card in Palomar Boutique
Wrong transaction from your credit card in Park Hyatt
Wrong transaction from your credit card in Park Hyatt Chicago
Wrong transaction from your credit card in Park Hyatt Resort & Spa
Wrong transaction from your credit card in Peabody Orlando
Wrong transaction from your credit card in Peninsula New York
Wrong transaction from your credit card in Phoenician
Wrong transaction from your credit card in Pierre A Taj
Wrong transaction from your credit card in Plaza Athenee
Wrong transaction from your credit card in Pocono Palace
Wrong transaction from your credit card in Prescott
Wrong transaction from your credit card in Raffles L'Ermitage Beverly Hills
Wrong transaction from your credit card in Rancho Bernardo Inn
Wrong transaction from your credit card in Rancho Las Palmas Resort & Spa
Wrong transaction from your credit card in Red Rock Casino Resort & Spa
Wrong transaction from your credit card in Renaissance Charleston Historic District
Wrong transaction from your credit card in Renaissance Chicago
Wrong transaction from your credit card in Renaissance Houston Greenway Plaza
Wrong transaction from your credit card in Renaissance New York Times Square
Wrong transaction from your credit card in Renaissance Washington
Wrong transaction from your credit card in Renaissance Waverly
Wrong transaction from your credit card in Residence Inn by Marriott Capitol
Wrong transaction from your credit card in Rio Suite and Casino
Wrong transaction from your credit card in Ritz-Carlton
Wrong transaction from your credit card in Ritz-Carlton Battery Park
Wrong transaction from your credit card in Ritz-Carlton Boston Common
Wrong transaction from your credit card in Ritz-Carlton Central Park
Wrong transaction from your credit card in Ritz-Carlton Golf Resort
Wrong transaction from your credit card in Ritz Carlton Kapalua
Wrong transaction from your credit card in Ritz Carlton Key Biscayne
Wrong transaction from your credit card in Ritz-Carlton Laguna Niguel
Wrong transaction from your credit card in Ritz-Carlton Marina Del Rey
Wrong transaction from your credit card in Ritz Carlton Naples Beach Resort
Wrong transaction from your credit card in Ritz Carlton Naples Golf Resort
Wrong transaction from your credit card in Ritz-Carlton Orlando, Grande Lakes Resort
Wrong transaction from your credit card in Ritz-Carlton Palm Beach
Wrong transaction from your credit card in Ritz-Carlton San Francisco
Wrong transaction from your credit card in Ritz Carlton South Beach
Wrong transaction from your credit card in Rouge
Wrong transaction from your credit card in Royal Hawaiian
Wrong transaction from your credit card in Royal Pacific Resort
Wrong transaction from your credit card in Royal Palms Resort & Spa
Wrong transaction from your credit card in Sanctuary on Camelback Mountain
Wrong transaction from your credit card in Seattle Marriott Waterfront
Wrong transaction from your credit card in Se San Diego
Wrong transaction from your credit card in Shangri-La
Wrong transaction from your credit card in Sheraton Chicago and Towers
Wrong transaction from your credit card in Sheraton Keauhou Bay Resort & Spa
Wrong transaction from your credit card in Sheraton Maui Resort
Wrong transaction from your credit card in Sheraton Moana Surfrider
Wrong transaction from your credit card in Sheraton Suites Houston Near The Galleria
Wrong transaction from your credit card in Sheraton Suites San Diego at Symphony Hall
Wrong transaction from your credit card in Sheraton Waikiki
Wrong transaction from your credit card in Shore Club
Wrong transaction from your credit card in Shutters Beach
Wrong transaction from your credit card in Signature at MGM Grand
Wrong transaction from your credit card in Skylofts at MGM Grand
Wrong transaction from your credit card in SLS at Beverly Hills
Wrong transaction from your credit card in Sofitel Lafayette Square
Wrong transaction from your credit card in Sonesta Orlando Downtown
Wrong transaction from your credit card in Sorrento
Wrong transaction from your credit card in South Beach Marriott
Wrong transaction from your credit card in Star The Michelangelo
Wrong transaction from your credit card in St. Gregory Luxury & Suites
Wrong transaction from your credit card in St. Regis
Wrong transaction from your credit card in St. Regis Princeville Resort
Wrong transaction from your credit card in St. Regis Washington
Wrong transaction from your credit card in Sun Harbour Boutique
Wrong transaction from your credit card in Sutton Place
Wrong transaction from your credit card in Swissotel Chicago
Wrong transaction from your credit card in Taj Boston
Wrong transaction from your credit card in Taj Campton Place
Wrong transaction from your credit card in Tamarack by Destination Resorts Snowmass
Wrong transaction from your credit card in The Alex
Wrong transaction from your credit card in The Alexander
Wrong transaction from your credit card in The Carlyle, A Rosewood
Wrong transaction from your credit card in The Carlyle Suites
Wrong transaction from your credit card in The Chatwal
Wrong transaction from your credit card in The Cosmopolitan Las Vegas
Wrong transaction from your credit card in The Drake
Wrong transaction from your credit card in The Enclave
Wrong transaction from your credit card in The Equinox Resort & Spa
Wrong transaction from your credit card in The Fairmont
Wrong transaction from your credit card in The Fairmont Copley Plaza
Wrong transaction from your credit card in The Fairmont Olympic
Wrong transaction from your credit card in The Fairmont Orchid
Wrong transaction from your credit card in The Fairmont Washington
Wrong transaction from your credit card in The Hay-Adams
Wrong transaction from your credit card in The Helmsley Carlton House
Wrong transaction from your credit card in The Henley Park
Wrong transaction from your credit card in The Houstonian Club & Spa
Wrong transaction from your credit card in The Huntington and Nob Hill Spa
Wrong transaction from your credit card in The Iroquois
Wrong transaction from your credit card in The Langham Huntington & SPA
Wrong transaction from your credit card in The Latham
Wrong transaction from your credit card in The Lenox
Wrong transaction from your credit card in The Little Nell
Wrong transaction from your credit card in The Lucerne
Wrong transaction from your credit card in The New York Helmsley
Wrong transaction from your credit card in The Orchard
Wrong transaction from your credit card in The Palmer House Hilton
Wrong transaction from your credit card in The Peninsula
Wrong transaction from your credit card in The Peninsula Beverly Hills
Wrong transaction from your credit card in The Phoenician
Wrong transaction from your credit card in The Pierre
Wrong transaction from your credit card in The Plaza
Wrong transaction from your credit card in The Quincy
Wrong transaction from your credit card in The Ritz Carlton
Wrong transaction from your credit card in The Ritz-Carlton Bachelor Gulch
Wrong transaction from your credit card in The Ritz-Carlton Buckhead
Wrong transaction from your credit card in The Ritz-Carlton Fort Lauderdale
Wrong transaction from your credit card in The Ritz-Carlton Georgetown
Wrong transaction from your credit card in The Ritz-Carlton Laguna Niguel
Wrong transaction from your credit card in The Ritz-Carlton Orlando, Grande Lakes
Wrong transaction from your credit card in The Setai
Wrong transaction from your credit card in The Setai Fifth Avenue
Wrong transaction from your credit card in The St. Regis Aspen
Wrong transaction from your credit card in The St. Regis Monarch Beach
Wrong transaction from your credit card in The Venetian Resort and Casino
Wrong transaction from your credit card in The Villa By Barton G
Wrong transaction from your credit card in The Washington Court On Capital Hil
Wrong transaction from your credit card in The Westin Atlanta Airport
Wrong transaction from your credit card in The Westin Chicago River North
Wrong transaction from your credit card in The Westin Embassy Row
Wrong transaction from your credit card in The Westin Grand
Wrong transaction from your credit card in The Westin Michigan Avenue
Wrong transaction from your credit card in The Westin Mission Hills Resort & Spa
Wrong transaction from your credit card in The Westin New York at Times Square
Wrong transaction from your credit card in The Westin Oaks
Wrong transaction from your credit card in The Westin Peachtree Plaza
Wrong transaction from your credit card in The Westin Seattle
Wrong transaction from your credit card in The Whitehall
Wrong transaction from your credit card in The Wit-A Doubletree
Wrong transaction from your credit card in Tides South Beach
Wrong transaction from your credit card in Topaz
Wrong transaction from your credit card in Trump International Sonesta Beach resort
Wrong transaction from your credit card in Trump International & Tower
Wrong transaction from your credit card in Trump International Waikiki Beach Walk
Wrong transaction from your credit card in Trump Las Vegas
Wrong transaction from your credit card in Trump Soho
Wrong transaction from your credit card in Universal Portofino Bay a Loews
Wrong transaction from your credit card in Universal Royal Pacific Resort a Loews
Wrong transaction from your credit card in Vdara & Spa
Wrong transaction from your credit card in Viceroy Palm Springs
Wrong transaction from your credit card in Villas Of Grand Cypress
Wrong transaction from your credit card in Wailea Marriott an Outrigger Resort
Wrong transaction from your credit card in Waldorf Astoria Orlando
Wrong transaction from your credit card in Waldorf Astoria & Towers
Wrong transaction from your credit card in Waldorf Towers
Wrong transaction from your credit card in Walt Disney World Swan and Dolphin
Wrong transaction from your credit card in Wardman Park Marriott
Wrong transaction from your credit card in Washington Court on Capitol Hill
Wrong transaction from your credit card in Washington Suites Georgetown
Wrong transaction from your credit card in W Atlanta Midtown
Wrong transaction from your credit card in W Boston
Wrong transaction from your credit card in Westin Diplomat Resort & Spa
Wrong transaction from your credit card in Westin Maui Resort & Spa
Wrong transaction from your credit card in Westin Princeville Ocean Resort Villas
Wrong transaction from your credit card in Westin St. Francis
Wrong transaction from your credit card in W Hollywood
Wrong transaction from your credit card in Willard InterContinental
Wrong transaction from your credit card in Windsor Court
Wrong transaction from your credit card in W Los Angeles Westwood
Wrong transaction from your credit card in Woodrun Place Condo
Wrong transaction from your credit card in Woodrun V Townhomes
Wrong transaction from your credit card in W Seattle
Wrong transaction from your credit card in Wyndham Grand Desert
Wrong transaction from your credit card in Wynn Las Vegas
Wrong transaction from your credit card in XV Beacon
Wrong transaction from your credit card in ZaZa Houston
Wrong transaction from your credit card in Z Ocean
(689 rows)

Saturday, July 23, 2011

MasterCard spam leads to Fake AV

The FBI is doing a great job gaining international cooperation in going after cyber criminals. Just last month yet another malware group was arrested, as the public learned from the June 22, 2011 FBI press release, "Department of Justice disrupts international cybercrime rings distributing scareware." In that case, criminals were arrested as part of a scareware ring that had infected more than 1 million computers and caused more than $72 million in losses!

Unfortunately, the end of fake Anti-virus scareware has not yet arrived. Here's an example from today's spam from the UAB Spam Data Mine.

Please see the end of this post for an update.



We're seeing a significant "spam-attached malware" campaign in the past 24 hours, with six different attachment MD5s.

uab_spam=> select count(*), sender_domain, md5_hex, size from spam natural join spam_attach where sender_domain = 'mastercard.com' and receiving_date >= '2011-07-22' group by sender_domain, md5_hex, size;

count | received | md5_hex | size
-------+-------------------------+---------------------------------+-------
318 | 7/22 03:15 - 7/22 10:15 | 241cc18918540d6c49dd8b45df31985d | 67584
20 | 7/22 10:45 - 7/22 11:00 | 5f8a95d194f7dcadabf442ed5705c4e0 | 79872
565 | 7/22 11:30 - 7/22 17:30 | 0256a71baefd0f625910bbc44147e432 | 68096
1133 | 7/22 17:45 - 7/23 04:00 | f4aea68ea94d7780a5b1abd709f7730f | 69632
67 | 7/22 12:00 - 7/23 08:15 | 277eb4dacd401a3c520dc5bb9ede70f0 | 77237
439 | 7/23 04:00 - 7/23 08:15 | fe88c3a276d11aa208dac7ae68f55cd3 | 67584
(6 rows)

Most popular email subjects:

count | subject
-------+-----------------------------------------------
24 | WARNING: Your credit card is locked!
26 | WARNING: Your credit card is blocked!
26 | ATTENTION: Your credit card has been blocked!
1116 | Your credit card is blocked
29 | ATTENTION: Your credit card is blocked!
1184 | Your credit card has been blocked
24 | CAUTION: Your credit card is locked!
29 | ATTENTION: Your credit card is locked!
31 | WARNING: Your credit card has been blocked!
19 | CAUTION: Your credit card has been blocked!
34 | CAUTION: Your credit card is blocked!
(11 rows)

The body of the email reads:



------------------
Dear User,
Your credit card is locked!
From your credit card has been removed $ 3951,74
Possibly illegal operation!
More details in the attached file.
Instantly contact your bank .
Best regards, MASTERCARD Services.
-------------------


The username portion of the sender address is random, but it uses a classic misspelling, "cunsumer", that has been consistent for this sender (which is the same guy who has been doing the "government imitating" Zeus spam).

Usernames are a single word, followed by a ".", "_", or "-", followed by a two or three digit number.

The most popular words (by far) are "manager" (770 times) and "support" (757 times), but we've also seen admin, adminnistration, alerts, cunsumer, delivery, e-file, finance, frboard-webannouncements, govdelivery, information, inspector, news, news-alerts, no-reply, protection, public, report, service, stats, subscriber, subscriptions, usttb, and webannouncements.

The attached file is actually named as a ".com" file, using a random-seeming filename in the format "id" followed by a 5-7 digit number (such as id918538.com).
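The sender and attachment naming patterns described above are specific enough to turn into a mail-filter rule. The following is an added example, not the blog's code and not part of the UAB Spam Data Mine; the sample messages at the bottom are constructed to exercise the patterns the post describes (word + "." / "_" / "-" + two or three digits in the local part, "id" + 5-7 digits + ".com" as the attachment name) and are not real captured mail. Scoping the rule to the forged sender domain mastercard.com is an assumption taken from the query above.

```python
"""Indicator matching for the MasterCard-themed spam described above.

Added example, not the blog's code and not the UAB Spam Data Mine's. The
sample messages at the bottom are constructed to exercise the patterns the
post describes and are not real captured mail.
"""
import re

# Local-part words the post reports seeing (spammer's spellings kept as-is).
OBSERVED_WORDS = {
    "manager", "support", "admin", "adminnistration", "alerts", "cunsumer",
    "delivery", "e-file", "finance", "frboard-webannouncements", "govdelivery",
    "information", "inspector", "news", "news-alerts", "no-reply", "protection",
    "public", "report", "service", "stats", "subscriber", "subscriptions",
    "usttb", "webannouncements",
}

# Sender local part: one word (hyphens allowed, as in "e-file"), then one of
# ".", "_" or "-", then a two- or three-digit number.
LOCAL_PART_RE = re.compile(r"^(?P<word>[a-z]+(?:-[a-z]+)*)[._-](?P<num>\d{2,3})$")

# Attachment name: "id" + 5-7 digits + ".com" (a DOS-style executable name).
ATTACH_RE = re.compile(r"^id\d{5,7}\.com$", re.IGNORECASE)

# Subject family seen in the post's subject table.
SUBJECT_RE = re.compile(r"credit card (?:is|has been) (?:locked|blocked)", re.IGNORECASE)

# Forged sender domain from the post's query (assumption: the rule is scoped
# to it; widen this if the same sender pattern shows up under other domains).
FORGED_DOMAIN = "mastercard.com"


def sender_matches(address):
    """Return (matched, word). Matches only when the domain is the forged one
    and the local part follows word + separator + 2-3 digits."""
    local, sep, domain = address.strip().lower().rpartition("@")
    if not sep or domain != FORGED_DOMAIN:
        return False, None
    m = LOCAL_PART_RE.match(local)
    if not m:
        return False, None
    return True, m.group("word")


def attachment_matches(filename):
    """True when the attachment name follows the id<5-7 digits>.com pattern."""
    return bool(ATTACH_RE.match(filename.strip()))


def score_message(sender, subject, attachment):
    """Return (flagged, hits). A message is flagged only when both the sender
    pattern and the attachment-name pattern hit; the subject is corroborating
    evidence only, since real bank notices can use similar wording."""
    hits = []
    ok, word = sender_matches(sender)
    if ok:
        hits.append("sender-pattern")
        if word in OBSERVED_WORDS:
            hits.append("known-word")
    if attachment and attachment_matches(attachment):
        hits.append("attachment-name")
    if SUBJECT_RE.search(subject or ""):
        hits.append("subject")
    flagged = "sender-pattern" in hits and "attachment-name" in hits
    return flagged, hits


# Constructed samples (not real messages): three that follow the pattern,
# two that do not.
SAMPLES = [
    ("manager.42@mastercard.com", "Your credit card is blocked", "id918538.com"),
    ("cunsumer_117@mastercard.com", "WARNING: Your credit card is locked!", "id12345.com"),
    ("e-file-88@mastercard.com", "Your credit card has been blocked", "id7654321.com"),
    ("alerts@mastercard.com", "Your statement is ready", "statement.pdf"),
    ("manager.42@example.org", "Your credit card is blocked", "id918538.com"),
]


def flagged_senders(samples=SAMPLES):
    """Senders of the samples that the rule flags, in input order."""
    return [s for s, subj, att in samples if score_message(s, subj, att)[0]]


if __name__ == "__main__":
    for sender, subject, attachment in SAMPLES:
        print(sender, score_message(sender, subject, attachment))
```

Requiring both the sender and attachment indicators before flagging keeps the rule from tripping on a genuine card-alert subject line; the "known-word" hit is reported separately so an analyst can spot new words the spammer adds to the list.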

The 2,649 copies of the spam that have reached us so far came from 1,443 distinct sending IP addresses. Some of our most popular senders have been:

count | sender_ip
-------+--------------------
10 | 113.172.171.155/32
10 | 190.99.213.191/32
9 | 75.145.37.117/32
9 | 187.126.15.108/32
9 | 110.164.112.159/32
8 | 188.81.213.237/32
8 | 201.240.80.96/32
8 | 79.82.153.66/32
8 | 110.138.30.34/32
7 | 180.253.110.135/32
7 | 151.64.138.215/32
7 | 79.178.152.194/32
6 | 95.37.41.218/32
6 | 201.240.215.105/32
6 | 94.20.98.220/32
6 | 122.167.44.208/32
6 | 71.197.255.106/32
6 | 113.190.138.153/32
6 | 90.177.147.202/32
6 | 178.150.237.124/32
6 | 65.10.178.64/32
6 | 178.204.204.172/32
6 | 24.90.102.247/32
6 | 93.75.103.25/32
6 | 190.235.93.183/32
6 | 82.51.62.237/32
6 | 77.236.26.169/32
6 | 110.164.106.145/32
6 | 178.222.27.142/32
6 | 113.53.181.86/32
6 | 123.17.157.159/32
6 | 151.25.53.47/32
5 | 201.68.209.20/32
5 | 180.180.150.248/32
5 | 120.62.24.122/32
5 | 59.182.51.42/32
5 | 182.53.176.152/32
5 | 194.28.88.58/32
5 | 85.186.178.173/32
5 | 41.140.170.143/32
5 | 71.200.55.41/32
5 | 200.91.255.142/32
5 | 190.43.147.223/32
5 | 125.24.202.30/32
5 | 41.140.43.44/32
5 | 59.184.128.238/32
5 | 95.58.34.230/32
5 | 117.201.20.59/32
5 | 186.6.177.39/32

I chose the most recent MD5 and did a scan at VirusTotal, finding that only 3 of 43 Antivirus products were able to detect this as a virus, according to this VirusTotal report.

Since this was an email attachment, web reputation didn't really help here. This would be a case where your spam blocking would be your best defense!

When the file is launched, it attempts to connect to a long list of domains that are probably produced by a "DGA" (Domain Generation Algorithm). It's likely that at different times or on different days this list would be different. My domains included:

syqivolurypugi.com
qotasifelaw.com
tibumuqel.com
suzehebaq.com
sivycaqilugoq.com
levulehup.com
ledimajezociw.com
rabuqibareme.com
fopuvuwupode.com
cinuherijugeg.com

and more.

bakagunaxepo.com responded as 193.164.132.20 <= Gigahosting, Germany
bipuwyqojivu.com responded as 85.17.239.165 <= Leaseweb, Netherlands
civivicuqekexo.com responded as 93.104.208.84 <= Gigahosting
levulehup.com responded as 204.45.120.27 <= FDC Servers, Chicago
levysavasezo.com responded as 85.17.239.215 <= Leaseweb, Netherlands
pafozykavygaj.com responded as 85.17.239.216 <= Leaseweb, Netherlands
pejozehywe.com responded as 50.2.7.242 <= Eonix/GotHost
suzehebaq.com responded as 206.217.134.44 <= Colocrossing
syqivolurypugi.com responded as 206.217.134.43 <= Colocrossing
waciroqohuli.com responded as 64.56.65.213 <= VRTServers.net
zarapetahuryp.com responded as 50.2.7.241 <= Eonix/GotHost

as a few examples . . .
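Two things an analyst would want to do with the lists above are (1) decide cheaply whether a new domain "looks like" this family and (2) see which hosting ranges keep recurring. The following is an added example, not code from the blog or from the UAB Spam Data Mine. The "looks like" heuristic rests on an observation about the sample on this page (every listed domain is a lowercase .com whose label starts with a consonant and strictly alternates consonant/vowel, with y behaving as a vowel), and its length thresholds are fitted to that sample; they are not known parameters of the actual DGA. The RESOLUTIONS text is the post's own "responded as" list.

```python
"""Triage helpers for the DGA-looking domains and their resolutions above.

Added example, not code from the blog or the UAB Spam Data Mine. The family
heuristic is fitted to the sample on the page, not derived from the DGA.
"""
import ipaddress
import re
from collections import defaultdict

VOWELS = set("aeiouy")  # y behaves as a vowel in e.g. "syqivolurypugi"

# The ten candidate domains listed in the post.
CANDIDATE_DOMAINS = [
    "syqivolurypugi.com", "qotasifelaw.com", "tibumuqel.com", "suzehebaq.com",
    "sivycaqilugoq.com", "levulehup.com", "ledimajezociw.com", "rabuqibareme.com",
    "fopuvuwupode.com", "cinuherijugeg.com",
]

# The "responded as" lines from the post, verbatim.
RESOLUTIONS = """\
bakagunaxepo.com responded as 193.164.132.20 <= Gigahosting, Germany
bipuwyqojivu.com responded as 85.17.239.165 <= Leaseweb, Netherlands
civivicuqekexo.com responded as 93.104.208.84 <= Gigahosting
levulehup.com responded as 204.45.120.27 <= FDC Servers, Chicago
levysavasezo.com responded as 85.17.239.215 <= Leaseweb, Netherlands
pafozykavygaj.com responded as 85.17.239.216 <= Leaseweb, Netherlands
pejozehywe.com responded as 50.2.7.242 <= Eonix/GotHost
suzehebaq.com responded as 206.217.134.44 <= Colocrossing
syqivolurypugi.com responded as 206.217.134.43 <= Colocrossing
waciroqohuli.com responded as 64.56.65.213 <= VRTServers.net
zarapetahuryp.com responded as 50.2.7.241 <= Eonix/GotHost
"""

LINE_RE = re.compile(r"^(\S+) responded as (\d+\.\d+\.\d+\.\d+) <= (.+)$")


def looks_like_family(domain, min_len=9, max_len=14):
    """Heuristic: lowercase .com, label of min_len..max_len letters, starting
    with a consonant and strictly alternating consonant/vowel. Thresholds are
    assumptions fitted to the sample on the page."""
    domain = domain.strip().lower()
    if not domain.endswith(".com"):
        return False
    label = domain[:-4]
    if not re.fullmatch(r"[a-z]{%d,%d}" % (min_len, max_len), label):
        return False
    if label[0] in VOWELS:
        return False
    return all((label[i] in VOWELS) != (label[i + 1] in VOWELS)
               for i in range(len(label) - 1))


def parse_resolutions(text):
    """Parse 'domain responded as IP <= hoster' lines into (domain, ip, hoster)."""
    records = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append((m.group(1), m.group(2), m.group(3).strip()))
    return records


def cluster_by_net(records, prefix=24):
    """Group resolved records by their enclosing /prefix network."""
    clusters = defaultdict(list)
    for domain, ip, hoster in records:
        net = ipaddress.ip_network("%s/%d" % (ip, prefix), strict=False)
        clusters[str(net)].append((domain, ip, hoster))
    return dict(clusters)


def shared_nets(records, prefix=24, min_domains=2):
    """Networks hosting at least min_domains of the resolved domains, sorted by
    count; these are the candidates for blocking by range rather than by name."""
    clusters = cluster_by_net(records, prefix)
    return sorted(((net, len(rs)) for net, rs in clusters.items() if len(rs) >= min_domains),
                  key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    for d in CANDIDATE_DOMAINS:
        print(d, looks_like_family(d))
    for net, count in shared_nets(parse_resolutions(RESOLUTIONS)):
        print(net, count)
```

The alternation test is deliberately crude: it will miss this DGA the moment the generator changes its letter pattern, and it says nothing about a domain that does not follow the pattern. The /24 grouping, on the other hand, reflects something the attacker changes less readily, which is why the Leaseweb, Colocrossing and Eonix ranges stand out even though every domain name in the list is different.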

The purpose of the malware? Seems to be just another Fake Anti-virus product. Here's the scan that kicked off:



After the scan, I was of course constantly reminded of the grave danger I was in:



First it did an HTTP GET for "1038000112" from "bogekizase.com" on 66.197.213.6.

All it got back from there was "OK."

Most of the interaction was from tibumuqel.com on 79.143.178.101.

tibumuqel.com was registered on July 15, 2011 using the contact info:


Ana Ivancic freon@cutemail.org
+385.20324535
Od Domina 5
Dubrovnik,Southern Dalmatia,HR 20000

Searching on her details will show that "Ana" has registered plenty of other malware domains as well, usually with different email addresses.

From the tibumuqel.com domain, we did an HTTP GET for "10380001124255461742", which was redirected to "buy.html".

That's also the box that my payment information was posted back to, although unfortunately, my credit card was declined. 8-(


That was my "purchase the fake AV product" screen, giving me my pricing options, and letting me know that this fake AV product was an SC Magazine 2011 award finalist!



What are our lessons learned?

Anti-virus can't protect you by itself, as evidenced by the 3 of 43 AV products that knew about this malware this morning. You need a robust security strategy that includes:

a. Being Smart about what you click on. (Start with CLICK ON NOTHING)
b. a web-reputation component (stopping traffic to bad websites)
c. a strong spam filter


Update



While looking at a totally different spam message, I saved the attachment and scanned it at VirusTotal. I thought the MD5 looked familiar, and ran a different search in the UAB Spam Data Mine.

This query says: show me the most popular subjects since yesterday where the email had an attachment with the MD5 "277eb...".

uab_spam=> select count(*), subject from spam natural join spam_attach where md5_hex = '277eb4dacd401a3c520dc5bb9ede70f0' and receiving_date >= '2011-07-22' group by subject order by count desc;

The search results reveal that in addition to the MasterCard spam ("Your credit card is blocked") the BINARY IDENTICAL malware is being distributed in a set of spam messages calling themselves a new "love card" game, and also as a "FedEx" message.


count | subject
-------+------------------------------------------------
187 | Your credit card is blocked
179 | Your credit card has been blocked
6 | Gift from Your Babbie
6 | LOVE-CARD from Your Babbie
5 | Nice Gift only for YOU
5 | Nice Gift from Your Babbie
5 | LOVE - CARD from YOUR BABY
5 | Gift for special YOU
4 | LOVE GIFT from Your GirlFriend
4 | Love-Card from Your Babbie
4 | Gift from YOUR BABBIE
4 | Gift from Your Love
4 | LOVE GIFT from Your Baby
4 | Gift for YOU
4 | LOVE - CARD only for YOU
4 | LoveCard from YOUR PUSSY
4 | LOVECARD for YOU
4 | Gift from YOUR PUSSY
3 | Love Gift from Y
3 | LOVE GIFT from YOUR BABBIE
3 | LOVECARD from YOUR BABBIE
3 | LOVECARD from Your Pussy
3 | NICE GIFT only for YOU
3 | LOVE GIFT from Your Love
3 | Nice Gift from YOUR LOVE
3 | NICE GIFT from Your GirlFriend
3 | Love-Card from Your GirlFriend
3 | Love-Card from YOUR BABY
3 | Love-Card from YOUR LOVE
3 | LOVE - CARD for YOU
3 | LOVECARD from Your Love
3 | LOVE - CARD from Your Pussy
3 | FedEx Delivery Confirmation 959256
3 | LOVE GIFT special for YOU
3 | Nice Gift from Your Baby
2 | Love-Card from Your Baby
2 | Love-Card from Your Love
2 | Love Gift special for YOU
2 | Love Gift from Your GirlFriend
2 | Nice Gift from YOUR BABBIE
2 | LOVECARD from YOUR PUSSY
2 | NICE GIFT from Your Pussy
2 | Love-Card for YOU
2 | GIFT from YOUR BABY
2 | Love Gift from YOUR BABY
2 | our Love
2 | GIFT from YOUR GIRLFRIEND
2 | Love Gift from Your Baby
2 | LOVECARD from YOUR GIRLFRIEND
2 | LOVECARD from YOUR LOVE
2 | LoveCard from YOUR BABY
2 | Nice Gift from YOUR PUSSY
2 | LOVE GIFT from YOUR GIRLFRIEND
2 | LOVECARD only for YOU
2 | LoveCard from YOUR LOVE
2 | Love-Card only for YOU
2 | LOVE-CARD from Your Love
2 | GIFT from Your GirlFriend
2 | LoveCard only for YOU
2 | GIFT from Your Pussy
2 | LOVE GIFT only for YOU
2 | NICE GIFT from YOUR BABY
2 | LoveCard from YOUR BABBIE
2 | Nice Gift from Your GirlFriend
2 | Love Gift from YOUR PUSSY
2 | Gift from Your GirlFriend
2 | Love Gift from Your Babbie
2 | NICE GIFT from YOUR GIRLFRIEND
2 | LOVE-CARD for YOU
2 | Nice Gift from YOUR BABY
2 | NICE GIFT from Your Love
2 | Gift from YOUR BABY
2 | LOVE-CARD only for YOU
2 | LOVE-CARD from YOUR PUSSY
2 | LOVE - CARD from YOUR GIRLFRIEND
2 | LOVE GIFT from YOUR LOVE
2 | LOVE-CARD from YOUR BABY
1 | Your Fed Ex id. 1261345
1 | From Fed Ex 1608374
1 | Fed Ex id. 72663522
1 | Fed Ex: DELIVER CONFIRMATION - FAILED 61010754
1 | From FEDEX 66810145
1 | FEDEX: DELIVER CONFIRMATION - FAILED 77170773
1 | Your FedEx id. 1629114
1 | Your Fedex id. 32327869
1 | FEDEX Attention 29219918
1 | Fed Ex Attention 67868668
1 | DELIVERY CONFIRMATION FROM Fedex 9190176
1 | Fedex: DELIVER CONFIRMATION - FAILED 41984219
1 | Fedex ATTENTION 6338557
1 | FEDEX Attention 046196
1 | Fed Ex Attention 387314
1 | Your Fedex id. 434089
1 | Fed Ex Delivery Confirmation 2241136
1 | Fed Ex DELIVERY CONFIRMATION 87476541
1 | Fed Ex: DELIVER CONFIRMATION - FAILED 3022529
1 | Fed Ex Delivery Confirmation 4749239
1 | FEDEX Delivery Confirmation 3963252
1 | FEDEX ATTENTION 856587
1 | FEDEX id. 1677134
1 | FedEx ATTENTION 76569153
1 | From Fed Ex 9733307
1 | FedEx Delivery Confirmation 35208363
1 | FEDEX: DELIVER CONFIRMATION - FAILED 806406
1 | DELIVERY CONFIRMATION FROM FedEx 290057
1 | From Fed Ex 630972
1 | Fedex ATTENTION 415495
1 | FEDEX Attention 72445407
1 | FEDEX Attention 9647476
1 | From Fed Ex 6560851
1 | FedEx id. 7689961
1 | FEDEX Attention 3225080
1 | Fedex Attention 0014817
1 | Fed Ex DELIVERY CONFIRMATION 17629587
1 | FEDEX DELIVERY CONFIRMATION 97113221
1 | FedEx Attention 76468884
1 | Fed Ex Delivery Confirmation 32603804
1 | FEDEX: DELIVER CONFIRMATION - FAILED 5347890
1 | FedEx Delivery Confirmation 20606057
1 | Fedex: DELIVER CONFIRMATION - FAILED 804651
1 | FedEx DELIVERY CONFIRMATION 9137898
1 | Fedex Delivery Confirmation 60516598
1 | Fed Ex Attention 166784
1 | From Fedex 491840
1 | From FEDEX 55788940
1 | Fed Ex ATTENTION 82103305
1 | From Fed Ex 0947757
1 | FedEx DELIVERY CONFIRMATION 399387
1 | Fed Ex Delivery Confirmation 15166031
1 | Fedex ATTENTION 692266
1 | FedEx: DELIVER CONFIRMATION - FAILED 229436
1 | From Fedex 490430
1 | FEDEX ATTENTION 021008
1 | DELIVERY CONFIRMATION FROM Fedex 443617
1 | FedEx Delivery Confirmation 73541619
1 | Fed Ex Delivery Confirmation 4746337
1 | DELIVERY CONFIRMATION FROM FedEx 571030
1 | FEDEX: DELIVER CONFIRMATION - FAILED 146965
1 | FEDEX id. 4571782
1 | FedEx ATTENTION 668706
1 | DELIVERY CONFIRMATION FROM Fed Ex 7294665
1 | From Fed Ex 072503
1 | Fed Ex DELIVERY CONFIRMATION 87980984
1 | From Fed Ex 04974153
1 | DELIVERY CONFIRMATION FROM Fed Ex 8260718
1 | Your FEDEX id. 095521
1 | LOVE-CARD from YOUR LOVE
1 | Your Fed Ex id. 11329550

Love Card Version



The "Love card" version of the spam reads like this:

-------

GOOD AFTERNOON! Do you like games ?

Service www. lovecard. ge Present New Game For Amateurs Strawberries
This game is still freeware. You can find it in Attached. Please test it and send us Your comments and suggestions !
With Best Wishes !.. www. love-card. org

-------

or

-------

Attention! Do you like games ?

Service www. mylovecards. com Present New Game For Amateurs Strawberries
This game is still freeware. You can find it in Attached. Please test it and send us Your comments and suggestions !
With Best Wishes !.. www. love-card. org

-----

The "love card" version ends with "white on white" text in tiny letters that reads:




Are you tired of routine romance and love making? Are you looking for a little more fun and excitement? Games are light-hearted and lots of fun. They take the pressure off and allow you and your partner to really let loose. Whether you're trying to get to know each other better, spark the romance, or improve your sex life, a game is a fun way to do it! www. love-card. org is the recognised industry leader in adult games for lovers who want to explore a deeper level of intimacy, sexuality and romance. We have been offering couples in loving relationships pleasurable and educational entertainment to enhance their relationship since 1987. Developed with the assistance of professionals, our games and products are tasteful, sensitive and respectful.

FedEx Version




The "FedEx" version looks like this:

GOOD DAY!
DEAR CONSUMER , Delivery Confirmation: FAILED
PLEASE PRINT OUT THE INVOICE COPY ATTACHED AND COLLECT THE PACKAGE AT OUR DEPARTMENT
Pack it. Ship ip. No calculating , Your FedEx TEAM

or

Hello!
DEAR USER , DELIVERY CONFIRMATION: FAILED
PLEASE PRINT OUT THE INVOICE COPY ATTACHED AND COLLECT THE PACKAGE AT OUR DEPARTMENT
With respect , FedEx .com Customer Services

or

Good day!
DEAR USER , We were not able to delivery the post package
Please print out the invoice copy attached and collect the package at our department
Best Regards , Fedex Customer Services