The local news station, KOLO 8, contacted CostCo by telephone and received this automated warning:
"If you received an email concerning a delivery failure or cancellation: immediately delete the e-mail and do not reply. This is a phishing scam and was not sent by Costco. Costco is not affiliated with the e-mail in any way."
Here's the email that Marianne and hundreds of thousands of American Christmas shoppers have been receiving since December 19th at approximately 10 AM. The non-stop bombardment of spam continued throughout the day today, December 26th, and will likely continue tomorrow as well:
But it wasn't just CostCo. In fact, Walmart and BestBuy were also used in this spam campaign with emails that looked like these:
Each day the Malcovery Spam Data Mine processes more than a million spam email messages searching for dangerous threats like these and our analysts evaluate the threats and provide intelligence to customers to help them protect themselves. In this case, Malcovery has seen more than 3,000 copies of these "Delivery" emails, which come with one of several prominent Subject lines:
- Express Delivery Failure
- Standard Delivery Failure
- Scheduled Home Delivery Problem
- Delivery Canceling
- Special Order Delivery Problem
- Expedited Delivery Problem
- Expedited Delivery Problem
The spam messages are being sent out by the ASProx spam-sending botnet. Although the emails can come from any username and any domain, the "Sender Name" (the human-friendly portion of the "From" address) has been consistent as one of these:
- Best Buy
- Best Buy Shipping Agent
- Costco
- Costco Shipping Agent
- Costco Shipping Manager
- Walmart
- Walmart Delivery
- Walmart Delivery Agent
What would happen if someone clicked on one of these emails? The actual destination would depend on which date and which email type they clicked on, but we have collected a fairly extensive list of destination websites. A full list of the 636 compromised websites that we have seen so far in this campaign is listed at the very end of this article. Just in the past four hours we've seen spam samples that went to each of these websites:
kinderopvangnatuurlijk.nl radomir.lt kaufhaus-myklick.de quranrazavi.ir puertaselectricasof.com pryozerne.com proschild24.com profi-poz.pl profilaktica.tv preventia.nl priroda.by pratabong.com palswebservice.com pravoslavie-hristianstvo.ru pornoholigans.com polarcol.com polluxautos.nl porncontent.nl podiodemo.aalilaa.com ponorogozone.comEach of those websites has been broken into by a criminal's hacking program which has created many subdirectories on the server, each starting with either "/media/" or "/messages/" followed by a long random-looking string, followed by a "Form Name". Here a couple recent examples:
/media/Zo6es/bMNyDwcSdtDF1IPBaXWwNlBiBFq/kCUlscSGI=/WalmartForm
/media/J4oHEmjaJvBvrdXTz3KJ5i7G46NP5/dGAYZ5aN4O qs=/CostcoForm
/media/fs1vp YmmEnb7Z6ftU5jKPU7X9Gc3DsasqKZPCIooRc=/WalmartForm
/media/9mz6i EkIDix5uVIAMa4AuEYNuNf18/32d3lFXUnyIQ=/CostcoForm
The "message" path (and the two BestBuy Forms) were more common earlier in the campaign. In fact, on the 19th, we ONLY saw BestBuy samples of the spam:
/message/zZFXQdfn98Ze1SQS7s6a9/yldS qZDpeIXu2C4RRif8=/BbForm
/message/ByundeWiiEoYMllShj48YUj2k53Nndy0jf2mDPhJdNI=/WalmartForm
/message/xERnC10Jrrv0FedQUPsBkZcIonAwqG6e9vMULe1vDkw=/BestBuyForm
What happens first is that the website prompts the visitor to save or open the file "WalmartForm.zip" (or whichever form they have visited.)
If they choose "Open" it will show them that there is a form to be extracted within the .zip file.
If extracted or moved to the Desktop, the form will display a comforting Microsoft Word logo, despite the ".exe" extension
If the visitor tries to open the WalMartForm.exe program, they will get an error message, which is actually a file called WalmartForm.txt opening in Notepad:
If we check memory though, the program "WalMartForm.exe" has spawned an instance of "svchost.exe" which has some very interesting strings, including:
http://192.210.142.87:8080/709E5B7E58D806F5837DA791871C5FD8EF71A1A7F2
That IP is believed to be the Command & Control (C&C) server to which my infected computer instance is talking.
Other interesting strings include a "knock" tag:
(knock)(id)709E5B7E71F412D245208000C3208388(/id)
(group)2612r(/group)
(src)21(/src)
(transport)0(/transport)
(time)-194855676(/time)
(version)1281(/version)
(status)0(/status)
(debug)5.1 x32 none none(/debug)(/knock)
The location of some additional malware dropped from the server:C:\Documents and Settings\Owner\Local Settings\Application Data\kinwmeiq.exe
And a tag that SEEMS to show the username of the malware author, though I'll not include that here . . .
Note that even though this malware distribution campaign has been running for at least seven days, many major anti-virus products are still unable to detect the malware as being malicious. A VirusTotal report showed that only 20 of 48 anti-virus products currently detect the malware that I received when visiting the most recent website seen in spam. Neither of the two locally installed AV products on my machine detect the malware, and the URL I attempted to visit was not marked as dangerous by any of the systems I have installed. VirusTotal Report here.
Hacked websites used to Deliver Delivery malware
12zuilen.com 1clicksoeasy.com 235concept.com 2emamzadegan.com 3tm.org 4wedding.in.ua 555robogo.hu 8888.ru 911-experience.nl aa.tukums.lv aaronsautomatedclassroom.com aayushivfraipur.com abc-f.com.ua acciongranate.com ace.amiworks.co.in acod.digitalgeneration.be acrideme.co.mz addvo.ru adventistfamily.net aesthetic-dentistry-travel.com africinworld.net ag376.us ahangerooz.com ahbrownlibrary.org ahpamt.com ahr-fund.com akhals.com albergoquisisana.it albertheijnwijkerbaan.nl alecro.nl alexian.com algofacil.orgs.pe almexterminatinginc.com alphaomedia.org alphaservices.co.in alstudios.net aluracks.be amateurpov.nl ame.edu.lr americanexceptionalism.com amgsmit.nl amigosporelkartismo.com andeandiscovery.com andysarcade.de angelinaconsignment.com angelleinsurance.com anoesjkasmoveon.nl antonidesmedia.nl antoniofalduto.it antonio-vitolo.de apishosting.com aproshop.hu aquadistri-china.com aquafarminternational.com aquafora.nl arbobhv.com arcobriga.com arefeens.com areyousavedtour.com arino.de arnoldonline.eu artartel.ru artexpotema.com art-lenimarx.de ascoelda.nl asiancarcenter.net asooneh.ir astarta-group.ru atades.com atena-tile.ir atlanticfitnessproducts.com attento-systems.de ausprogroup.com.au autobedrijfleidscherijn.nl autobike.tw autocadtekenaar.nl automartin.com autoteile-online-shop24.de avast.softvisia.com avtoshkola-v-moskve.ru awardcom.net awaylifecommunications.com aziendagricolacosta.it backend.myamcat.com balance-kettwig.de ballandautreyancestry.com baltiyskayasloboda.ru barbarameszaros.com bbkdw.com bcstrikebusters.de bear-tail.net bella-signorina.nl bermejo.be bexeeco.com bierwinkeltje.nl bloemenhof-heemstede.nl blueorangeapps.com blueskyworksstudios.com bmaschool.net bodyandskincenter.be boerenheerlijkheid.nl boerenrock.fm bosma.com bphn.go.id brandschutz-poenitz.de breslavtsev.com bright-color.de bright-on-design.co.uk brillenhuis.nl bruggejudo.be brugwaarde.nl btw-nummer-controleren.nl btwnummers.be budapestivillanyszerelo.hu businessmaturity.nl butikispot.com bvlemmer.nl cafe-boehlig.de callabook.ru callshop-discount.de camspleetje.com canceris.net capital-incentive.com careercompasscanada.com carinvandenberg.nl carolinaalpacafarms.org carrefoursteusebe.com castlekeepdanes.com cgrc.org challenge-center.org chazeaux.com cher.ec-jugend.de chezjeanpartyservice.nl chiduong.net chooyilin.com christianfamily.net christliche-devotionalien.de cinefocus.nl citrusempirewebdev.com cjays.nl cmjardim.com.br cocoxiang.com coleon.ru collectorsfair.nl conectareus.es confitt.de constructii24.ro consultoriasocial.com convertidosacristo.org corrado-club.nl costa-development.nl costa-smeralda-sardinia.com country-freunde-nesselroeden.de coxengines.eu coyotepetanquetour.com cpmerced.com crea3x7.mx creativefill.com creative-interchange.com creatures.gr ctechmetrology.com cuahanghieu.com cyndiknill.ca daalbhaat.com dafhobby.nl da-fortunato.de dansgroepsplinter.be dcb-substrate.com deborahharrisinc.com deeterinkbetonwerken.nl Deko-Kerze.de demo-design.nl deutscheq.de dianaostariz.com diceonice.com dietweetest.nl directadvies.info directcorp.de diseclick.tk distillator66.ru djet.by dmwgalvano.nl dohodbezriska.ru dokterfred.be dongle2bin.com doorenmalen.nl dosmundostravel.com dr-bekele.de drpind.com dscorpio.com duapulos.com eatecnologia.com.br ebbinghaus-gewinnspiel.de ebrahimiclinic.com echocentrumamsterdam.nl economistasmurcia.es effectivemarketing.be egypt4all.com ehbo-zieuwent.nl eierbettelnleissling.de eijlders.net electricmattresspadreview.com eleganceorganizasyon.com ellsshop.nl emthesisconsulting.com energotorg.com.ua energyartgroup.com engels-konzertbuero.de eniac.net enmarkservices.com e-oksi.ru epicschool.com equinoxinnovations.com equipenordestebrasil.com.br e-quit.co.uk erwinvandewiel.nl esector.co esmee.es espaciosvintage.cl esperanza-cafe.de espinosagomez.com esscortgreek.com ethaarle.nl evacuaid.nl evergreenbuddhist.com evociente.nl ewfoods.com excipientfest.com explode7.com eyco.org ezdevajasooneh.com f1ltracers.lt fabgiftidea.com fabrykakatalogow.pl fahrfreunde.de fakita.com famdiffusion.ch farbenscheibe.de fasaltrading.com fashionfloorz.com fastproinvestments.nl fccr.org.br fceibergen.nl fcr-jugend.de feathersonwings.com feichtinger-wurst.at feldmochinger-hof.eu fengshui-eschke.de feriasnoriodejaneiro.com.br fewo-haus-fuchs.de fewo-labo.de ff-altmannstein.de fgh-co.ir fgz-heidelberg.de fidesgroup.es fietsenineuropa.nl final-fight.net financialarchitects.us finanzen-und-kredite24.de finde-immobilien.de fineafricasafaris.com finishlinebuilders.com fisch-schmidt.de fiseon.com flcams.com fleer-ellerbrake.de flicflac-mannheim.de florarbo.com florarie.kikirara.jp flybowshop.com fm.utopica.com foodinnmobile.lpipl.com footballmoves.com forestshores.com fotobox-lenthe.de fotografie-schwelm.de franckviviani.fr frankenturm-trier.de fransvanloon.com frantoio-ramoino.com fratresmugello.it frederique-magnetiseur.fr frevert-almena.de friesekoers.nl front404.com froschtempel.de fr-project.fr fsg-pforzheim.de fujisawa-shinya.com funeralgravestonesandmemorialplaques.com fysiofits.nl galerie-rekonquista.de galeritenuntroso.com garage-silvestre.com garageviaene.be gas-zaragoza.net gbnf.edu.co gbrsas.com gdp.aalilaa.com gente1.com gepassioneerdeeindgebruikers.nl getfoundlocally.info ghostwriter-sm.de ghscowboys.com gidroponika.pro gipack.it glavmel.ru glcalpacaplace.com goedkope-webcamsex.nl goodnightdrink.mv good-relation.de gorganonline.com graymankin.com greatwhitegoldens.com greendatahosting.com.au green-fuel.us grmt.net growthdevelopmentpartners.com grupofef.com.br grup-yakamoz.de hallandwilliamson.com hameleon76.ru hangvietgiatot.com harms-melzer.de hartvanleerdam.nl hasanbaranatas.com hausaerzte-bremen.de healthycolontoday.com heli-online.com hellobaby.kz herefordesign.com hetofde.nl hickscsc.com hi-ns.com hoegy.de hoffmans-leder.de hokkoku-cs.co.jp holmeswf.it homewiredandwireless.com hondenkapperijmazzel.nl hoofdtoren.nl hoogglansspray.nl hortifrut.com.ar hostingacela.com hotel-heigerhof.de hotellequerce.it hotsia.com hotstonerelax.nl housecoating-takayama.com hoveniersbedrijfveere.nl hr-solutions.pl i.walmartimages.com iconicalcreative.com idvpistoia.it ienova.com ifb-bernhard.at igl-netto.de iic-corporation.com ikastpedersen.dk imajthailand.com imediak.de imenkadeh.com impiantioleari.it infostart.it infostudio.org ingomoegling.de ini-europe.com in-kom.com integrityperiod.net interakces.com.pl interior.de intermet.it interweavecorp.com intlead.ru iphometech.com iphone5bestellen.net iridewheelies.com iso17025handbuch.de isoftenterprise.com it2simplify.de italcaseimmobiliare.eu itathomegroup.com iwmpyashada.in iz5ilj.it jamesroke.co.uk jappoo-nrw.de jdkjaslo.pl jelte.nl jeuxprizee.com jmwdesign.nl jobsearchsimplified.com joemahonedrummer.com johndeereoldtimers.com jojama.nl jonasnovello.com jonkers-en-juffers.nl joomla15.guru99.com joomla3.guru99.com jordanhomesmn.com joyful-miniaussies.nl j-rs.com judithvandevecht.nl julienblog.com justlikedreams.com justthrift.com kaitoweb.com kalinkinhill.com kaolincentre.com.ua kastelsbroodje.be katglobal.in kaufhaus-myklick.de khoandph01081.tk khuyenhoccham.com kimupvc.com kinderopvangnatuurlijk.nl kingstarsm.com kirschner-sonthofen.de kitesurfschool.co.za kmg.hobbit.seedboxes.cc knightsbridgestudenthousing.com komproweb.nl kongres.pgri.or.id koreanspa.lk koshiki.nl kowalewskiczarter.pl kranendijk-domotica.nl kreuzhuber.de krishwellness.com kromkesim.com kursimakan.info kursitamu.info kvs-centr.com.ua labelsexchange.ca lafotografa.net lapetito.cz larredabene.com laurenfrances.com lavidayogabodyworks.com ldkgroup.eu ledmateriaal.nl lee-kleimann.de leerkrachtbegeleiding.nl lema-cad.de lesavto.ru letreros-abc.cl lightingretrofit.com.au lilyzhang.net livredesignrio.com.br losbailongos.es lovesdoor.org lowerheidelbergtownship.org lucas-av.com luger-genesis.com lummysoft.com maasukraine.com.ua macora.tv madamebloem.nl madsnow.ru magentoconnect.us mainlinemedical.com mamonia-club.com manliodeangeli.it marcelldev.nl markazisport.ir marketingandsupport.com markhalwani.com marokko-ferien.de marriageselite.com masseriabaronia.it matius.net mayahuel.info mcatransportation.com media-aetas.de media-industries.nl megashoes.com.ua memorialmustangs.com menya-marugen.com merflemunchies.com merkx-mook.nl methodistfamily.com mftqs.com michaelbadura.net michelsweb.nl mijnbieshaar.nl minamargroup.com minasvale.com.br minuscity.ru miriam-strehlau.com mixpromocionales.com mobifrit.be modumorientering.no molecularmotors.org mon-arch.com.ua mondart.net monkeyinthecage.com monster-rock.com montanaflowergirls.com mooibeautyandwellness.nl mooigelukt.nl mootstudio.mx mops-greta.de mortgage-rates-refinancing.com mostly3d.com mpacreative.co.uk mrcollection.com mrfancyplantsnursery.com msmarketintel.com mvcf.dreamhosters.com mvcfmaster.com mybloodfirst.com nakyb.com nancydsolomon.com nanogate.co.uk naturex.lt naunhofer-wohnbau.de nawazone.com nayaraspa.com nederlandoutdoor.nl needhamcab.com nepal-himalaya-trekking.de nesslerfamily.com netscripter.org new.free-dom.by newelementgaming.net neweranewplan.com newhanovergardens.com newstylezone.com nhasachphuongdong.com nickmudge.info nipponboard.com nododono.com norcalcompetitivesports.com northgateanimalclinic.com noval.cl novinhosdobrasil.com.br noworriesit.net nrgservice.ru nudiism.com nujit.com nur-celik.com nushaba.ru nysalons.com nystormnyc.com odeaannemer.nl odessa-live.ru offertedelmomento.it olense-truckersvrienden.be oliehandeltwente.nl omsinchan.ac.th onetelenet.co.uk online-planning.eu opportunityspinner.com optimosapto.com optiontradingnewsletter.com oreda.nl organicfoodtown.com ortalsoft.com oshoppingtv.com otm-corp.com otudo.ru owingen-coudoux.de ows-winespirits.com pafrock.de palswebservice.com paoloverrecchia.it papironi.com patatfriet.com pavlab.com pcmcalibrators.com pcs-network.de peaceofmind.com.pl penumbrasolutions.com petr.ilgner.cz photo2canvasdirect.com pimhesse.nl pinkdiamondconsulting.com pixelonnet.de piyamaku.com planet-intv.com pn-kotamobagu.info podiodemo.aalilaa.com pokojegoscinnekarpacz.pl polarcol.com polkphotography.net polluxautos.nl ponorogozone.com porncontent.nl pornoholigans.com pratabong.com pravoslavie-hristianstvo.ru prazdnik-doma.by preventia.nl priroda.by profilaktica.tv profi-poz.pl proschild24.com pryozerne.com puertaselectricasof.com quranrazavi.ir radomir.lt redwineevents.biz rik-design.ru rockzulte.be rondomhetpark.nl salsacursussen.nl scienceofsailing.info sheltiesvombuchenweg.de shikmodern.by shotredes.com slotoking.com smartwebarchitect.be snoeppotten.nl sobob.org standbouwmateriaal.nl sterconsultancy.nl stnw.nl tauer.pl tk-simvol.ru topsticker.nl tr-edv.info ufakupon.ru usethis.ru versinamsterdam.nl vibocenter.nl voet-fit.nl webmasterkursu.net webwinkelprijsvergelijk.nl wellingtonaugusto.com xamb.nl yellow-bricks.de yfk-web.jp zachtfruit.nl zakenkantoorvancauwenberghe.be zeltlager-amelsbueren.de
Update -- the following destination domains seen on December 27th & December 28th.
machine
-----------------------------
ahbrownlibrary.org
asu-student.com
e-quit.co.uk
garageviaene.be
hameleon76.ru
magentoconnect.us
nederlandoutdoor.nl
newelementgaming.net
nospammer.net
otm-corp.com
pratabong.com
pruebas.tasoge.es
radomir.lt
ralf-willms.eu
rbook.ir
recycling-zukunft.de
reinhard-jaeger.de
reklametataneon.com
retailunitglasgow.co.uk
revistaxtreme.com
rezalighting.com
ribalka100.ru
rik-design.ru
rnpadvisory.com
robwa.nl
rockinspain.es
rocksonjohn.com
rockymtneventcenter.com
rockzulte.be
roes-vermessung.de
romarkmarble.com
ronachhuettli.ch
rondomhetpark.nl
rork.lpipl.com
rosdeutschland.de
rosfrance.fr
ros-hungary.hu
ros-romania.ro
rossbach-onkes.de
ros-schweiz.ch
rozasalesconsultancy.nl
rri-berlin.de
rudyenkarolien.nl
ruschke-wilfling.de
russelmanagement.com
rweis.com
rwtb-schneesport.de
ryoh.com
salon-cuna.net
salsacursussen.nl
sankinhdoanh.vn
sardanet.org
saskiakusters.nl
satin-solutions.de
satorilinens.com
sattinfo.kz
saturntechnolabs.com
savakovacevic.rs
saw-eishockeycamp.de
scala-rijopleiding.nl
scandalltypess.com
sccschmeligk.com
scharenborg.nl
schmetterling-ev.de
schnaase.de
schottland-reisen.at
schottranch.com
schreibschwung.de
schylgefoto.nl
scienceofsailing.info
scribbleballard.com
sealservice.nl
SECWAY.PT
seiungakuin.com
selmo-honmoku.com
sen-sei.nl
sentimentrecords.com
sequoyahregionallibrary.org
setarip.com
sgelettronica.it
shampooink.com
shekarkhand.ir
shikmodern.by
shineyouththeatre.com
shootingfairytales.be
shopdiversant.com
shopzippers.com
shotredes.com
shufflerror.com
simantabnews.com
simonebertolotti.it
singflut-burghaun.de
sitoo.nl
sklauctions.com
skm.lt
slm-kunststofftechnik.de
smaakkeuken.tv
sma-amersfoort.nl
smartwebarchitect.be
smilelandtravel.com
smilenews.org
sms-silvestergruesse.de
snoeppotten.nl
snowwhiteweddings.nl
sobob.org
socialapp.in
solardynamicsinc.com
solutions-imprimees.net
solvam.es
soolz.nl
soomtech.evisionegypt.com
sortirenfauteuil.com
souburgh.nl
soudomundo.es
sounddreamradio2007.de
spaghetti-casa.de
spb-dctec.ru
spireplayschool.co.uk
splinterville.com
spoekes.eu
spoker.ro
sportwelt-verlag.de
spotfx.com
standbouwmateriaal.nl
stanislav-glazar.si
starbene.it
starthelpfoundation.org
startmenu.nl
staug.org
sterconsultancy.nl
sterre.fr
st-exupery.be
stnw.nl
strandhousestmarys.com
strandoase.de
strokersex.com
stscpeduc.ph
studio-fantasy.de
subway-uae.com
sunoil-biodiesel.com
sunucuhizmetleri.net
superiorsecurity.org
swim.intersectmg.com
swing-sport.com
szantai.hu
www.mailscanner.info
www.transtec.co.uk
(147 rows)
Posts
