Monday, November 30, 2009

IRS Spam Campaign leads to low detection malware

We're getting tons of strange IRS spam this morning.

Subjects like:

IRS - Please Read!
IRS - Tax Refund Notification!
IRS e-file refund notification!
IRS REFUND Notification - Please Read This!
IRS: Your Tax Refund Notification!
Notification - Tax Refund!
Notification - Your Tax Refund!
Tax Refund!
US Internal Revenue Service!
US Treasury Department - Tax Refund!

Bodies look like this:



-----------------------------

Internal Revenue Service
United States Department of the Treasury
After the last annual calculations of your fiscal activity we have determined that you are eligible to receive 533.41$ tax refund under section 501(c) (10) of the Internal Revenue Code. Please submit the Tax Refund Request Form and allow us 3-9 days to process it.

Yours faithfully,
Sarah Hall Ingram, Commissioner

This notification has been sent by the Internal Revenue Service, a bureau of the Department of the Treasury.

-----------------------
This would be a great place to remind people that if you have JavaScript turned on globally, then when you visit ANY website the code on that website runs, and so does the code on any other website that is loaded into your current page through an iframe.

In this case, there's an iframe that draws source from here, being blocked by Google Safe Browsing:

infosayt.com/heabes/index.php

An encrypted javascript is supposed to load from /ssp/index.php on each of the sites below.

The javascript on this page causes the page:

hxxp://refund-services.irs.issue.no.l398726.us/ssp/loadjavad.php?page=1

to be loaded, which drops an executable file called "load.exe". We expect that this page is regularly changed to allow a variety of malware to be dropped. At the moment, what it is dropping is a file that has these characteristics:

My Microsoft Forefront calls that: "Trojan:Win32/Oficla.E"
File size: 19968 bytes
MD5 : 8c111a22d26c84dffe3bc3e03907bc28

A VirusTotal Report gives 5 of 41 detects, meaning that MOST anti-virus software will currently return "no virus found" if you scan the file.

-------------------------
As I was working through my analysis, I found that this has actually already been written up quite nicely by CA in their Security Advisor blog by Mary Grace Gabriel.


Here's a list of webpages we've seen so far today (November 30th):

refund-services.irs.issue.no.l320584.us
refund-services.irs.issue.no.l324603.us
refund-services.irs.issue.no.l32839.us
refund-services.irs.issue.no.l354923.us
refund-services.irs.issue.no.l362960.us
refund-services.irs.issue.no.l367360.us
refund-services.irs.issue.no.l372905.us
refund-services.irs.issue.no.l376054.us
refund-services.irs.issue.no.l380027.us
refund-services.irs.issue.no.l382703.us
refund-services.irs.issue.no.l383749.us
refund-services.irs.issue.no.l385372.us
refund-services.irs.issue.no.l387246.us
refund-services.irs.issue.no.l387266.us
refund-services.irs.issue.no.l392053.us
refund-services.irs.issue.no.l392086.us
refund-services.irs.issue.no.l398726.us
refund-services.irs.issue.no.l500328.us
refund-services.irs.issue.no.l507229.us
refund-services.irs.issue.no.l524820.us
refund-services.irs.issue.no.l528074.us
refund-services.irs.issue.no.l539028.us
refund-services.irs.issue.no.l539347.us
refund-services.irs.issue.no.l542043.us
refund-services.irs.issue.no.l562804.us
refund-services.irs.issue.no.l567387.us
refund-services.irs.issue.no.l568730.us
refund-services.irs.issue.no.l572463.us
refund-services.irs.issue.no.l57290.us
refund-services.irs.issue.no.l580382.us
refund-services.irs.issue.no.l583720.us
refund-services.irs.issue.no.l58736.us
refund-services.irs.issue.no.l587468.us
refund-services.irs.issue.no.l587938.us
refund-services.irs.issue.no.l590274.us
refund-services.irs.issue.no.l593380.us
refunds.irs.issue.no.l32839.us
refunds.irs.issue.no.l362960.us
refunds.irs.issue.no.l367360.us
refunds.irs.issue.no.l37204.us
refunds.irs.issue.no.l372905.us
refunds.irs.issue.no.l380027.us
refunds.irs.issue.no.l383749.us
refunds.irs.issue.no.l385372.us
refunds.irs.issue.no.l387246.us
refunds.irs.issue.no.l387266.us
refunds.irs.issue.no.l392053.us
refunds.irs.issue.no.l392059.us
refunds.irs.issue.no.l392086.us
refunds.irs.issue.no.l392503.us
refunds.irs.issue.no.l398726.us
refunds.irs.issue.no.l524820.us
refunds.irs.issue.no.l539347.us
refunds.irs.issue.no.l567387.us
refunds.irs.issue.no.l568730.us
refunds.irs.issue.no.l572035.us
refunds.irs.issue.no.l572463.us
refunds.irs.issue.no.l580382.us
refunds.irs.issue.no.l583720.us
refunds.irs.issue.no.l58736.us
refunds.irs.issue.no.l587468.us
refunds.irs.issue.no.l587938.us
refunds.irs.issue.no.l590274.us
refunds.irs.issue.no.l593380.us
ustreasurydept.irs.issue.no.l320584.us
ustreasurydept.irs.issue.no.l324603.us
ustreasurydept.irs.issue.no.l32839.us
ustreasurydept.irs.issue.no.l354923.us
ustreasurydept.irs.issue.no.l362960.us
ustreasurydept.irs.issue.no.l367360.us
ustreasurydept.irs.issue.no.l37204.us
ustreasurydept.irs.issue.no.l372905.us
ustreasurydept.irs.issue.no.l376054.us
ustreasurydept.irs.issue.no.l380027.us
ustreasurydept.irs.issue.no.l382703.us
ustreasurydept.irs.issue.no.l383749.us
ustreasurydept.irs.issue.no.l385372.us
ustreasurydept.irs.issue.no.l387246.us
ustreasurydept.irs.issue.no.l387266.us
ustreasurydept.irs.issue.no.l392053.us
ustreasurydept.irs.issue.no.l392503.us
ustreasurydept.irs.issue.no.l398726.us
ustreasurydept.irs.issue.no.l500328.us
ustreasurydept.irs.issue.no.l507229.us
ustreasurydept.irs.issue.no.l524820.us
ustreasurydept.irs.issue.no.l528074.us
ustreasurydept.irs.issue.no.l539028.us
ustreasurydept.irs.issue.no.l539347.us
ustreasurydept.irs.issue.no.l542043.us
ustreasurydept.irs.issue.no.l562804.us
ustreasurydept.irs.issue.no.l567387.us
ustreasurydept.irs.issue.no.l568730.us
ustreasurydept.irs.issue.no.l572035.us
ustreasurydept.irs.issue.no.l572463.us
ustreasurydept.irs.issue.no.l57290.us
ustreasurydept.irs.issue.no.l583720.us
ustreasurydept.irs.issue.no.l587468.us
ustreasurydept.irs.issue.no.l587938.us
ustreasurydept.irs.issue.no.l590274.us
ustreasury.irs.issue.no.l320584.us
ustreasury.irs.issue.no.l324603.us
ustreasury.irs.issue.no.l354923.us
ustreasury.irs.issue.no.l362960.us
ustreasury.irs.issue.no.l37204.us
ustreasury.irs.issue.no.l376054.us
ustreasury.irs.issue.no.l380027.us
ustreasury.irs.issue.no.l382703.us
ustreasury.irs.issue.no.l383749.us
ustreasury.irs.issue.no.l385372.us
ustreasury.irs.issue.no.l387246.us
ustreasury.irs.issue.no.l387266.us
ustreasury.irs.issue.no.l392053.us
ustreasury.irs.issue.no.l392059.us
ustreasury.irs.issue.no.l392086.us
ustreasury.irs.issue.no.l392503.us
ustreasury.irs.issue.no.l398726.us
ustreasury.irs.issue.no.l528074.us
ustreasury.irs.issue.no.l539028.us
ustreasury.irs.issue.no.l539347.us
ustreasury.irs.issue.no.l542043.us
ustreasury.irs.issue.no.l562804.us
ustreasury.irs.issue.no.l572035.us
ustreasury.irs.issue.no.l572463.us
ustreasury.irs.issue.no.l57290.us
ustreasury.irs.issue.no.l580382.us
ustreasury.irs.issue.no.l583720.us
ustreasury.irs.issue.no.l58736.us
ustreasury.irs.issue.no.l587468.us
ustreasury.irs.issue.no.l587938.us
ustreasury.irs.issue.no.l590274.us
ustreasury.irs.issue.no.l593380.us

These have been shared with appropriate authorities and will hopefully be shut down soon!

Chase Bank phish

Today the top phishing scam that we are seeing in the UAB Spam Data Mine is attacking Chase Bank customers. It's part of the old Avalanche phishing scheme that has lately been seen primarily spreading Zbot trojans.

(Update: Scroll to bottom - Chase spam now replaced with "Ally Bank" spam)

The attack starts with an email similar to this one:



The attack began actually late on November 28th, when we saw 1,030 copies of the phishing email with these website names used:

chaseonline.chase.com.vsmidome1.co.uk
chaseonline.chase.com.vsmidome1.org.uk
chaseonline.chase.com.vsmidome2.co.uk
chaseonline.chase.com.vsmidome2.org.uk
chaseonline.chase.com.vsmidome3.co.uk
chaseonline.chase.com.vsmidome3.org.uk
chaseonline.chase.com.vsmidome.co.uk
chaseonline.chase.com.vsmidome.org.uk

The attack continued throughout the 29th (the UAB Spam Data Mine saw 11,320 copies on the 29th), adding many more website addresses:

chaseonline.chase.com.feccxz.co.uk
chaseonline.chase.com.feccxz.me.uk
chaseonline.chase.com.feccxz.org.uk
chaseonline.chase.com.ficcxz.co.uk
chaseonline.chase.com.ficcxz.me.uk
chaseonline.chase.com.ficcxz.org.uk
chaseonline.chase.com.fihlxz.co.uk
chaseonline.chase.com.fihlxz.me.uk
chaseonline.chase.com.fihlxz.org.uk
chaseonline.chase.com.fikcxz.co.uk
chaseonline.chase.com.fikcxz.me.uk
chaseonline.chase.com.fiklxz.co.uk
chaseonline.chase.com.fiklxz.me.uk
chaseonline.chase.com.fiklxz.org.uk
chaseonline.chase.com.gerchkx.co.uk
chaseonline.chase.com.gerchkx.me.uk
chaseonline.chase.com.gerchkx.org.uk
chaseonline.chase.com.gercxkx.co.uk
chaseonline.chase.com.gercxkx.me.uk
chaseonline.chase.com.gercxkx.org.uk
chaseonline.chase.com.gercxxx.co.uk
chaseonline.chase.com.gercxxx.me.uk
chaseonline.chase.com.gercxxx.org.uk
chaseonline.chase.com.gerhhkx.co.uk
chaseonline.chase.com.gerhhkx.me.uk
chaseonline.chase.com.gerhhkx.org.uk
chaseonline.chase.com.vsmidome1.co.uk
chaseonline.chase.com.vsmidome1.org.uk
chaseonline.chase.com.vsmidome2.co.uk
chaseonline.chase.com.vsmidome2.org.uk
chaseonline.chase.com.vsmidome3.co.uk
chaseonline.chase.com.vsmidome3.org.uk
chaseonline.chase.com.vsmidome.co.uk
chaseonline.chase.com.vsmidome.org.uk
chaseonline.chase.com.yurbzc.co.im
chaseonline.chase.com.yurbzc.com.im
chaseonline.chase.com.yurbzc.im
chaseonline.chase.com.yurbzc.net.im
chaseonline.chase.com.yurbzc.org.im
chaseonline.chase.com.yurtzc.im
chaseonline.chase.com.yuvtzc.co.im
chaseonline.chase.com.yuvtzc.com.im
chaseonline.chase.com.yuvtzc.im
chaseonline.chase.com.yuvtzc.net.im

(Fresh Domains added December 2, 2009:
chaseonline.chase.com.trefcc.be
chaseonline.chase.com.trefee.be
chaseonline.chase.com.treffb.be
chaseonline.chase.com.treffd.be
chaseonline.chase.com.treffe.be
chaseonline.chase.com.treffg.be
chaseonline.chase.com.treffq.be
chaseonline.chase.com.treffr.be
chaseonline.chase.com.treffs.be
chaseonline.chase.com.treffw.be
chaseonline.chase.com.treffx.be
chaseonline.chase.com.xeasdaq.be
chaseonline.chase.com.xeasded.be
chaseonline.chase.com.xeasdga.be
chaseonline.chase.com.xeasdki.be
chaseonline.chase.com.xeasdla.be
chaseonline.chase.com.xeasdmi.be
chaseonline.chase.com.xeasdoc.be
chaseonline.chase.com.xeasduj.be
chaseonline.chase.com.xeasdxk.be
chaseonline.chase.com.xeasdxl.be
chaseonline.chase.com.xeasdxt.be
chaseonline.chase.com.xeasdxx.be
chaseonline.chase.com.xeasdyh.be
)

The attack is still spamming like crazy this morning (we had 3,000+ copies as of 8 AM), but there have been no new domain names added, yet . . .

The website is a series of progressively more complicated questions which the phisher uses not just to steal your money, but to gain deep insight into your identity. Here are the series of questions:









For some reason today the phisher has decided that if he uses thousands of unique subject lines we're not going to realize it's all the same phish.

We've counted 666 possible subject lines so far (coincidence?) with a large number of possible variants to these. For each of the below, there are also variants of the subject line which have:

message id: RND
message ref: RND

where the RND is a random number. The message ID or message ref can be enclosed in square brackets [], angle brackets <>, or parentheses ().

There is also a variant of each followed by "- Ref No. RND", as well as a version ending in a period and a version ending in an exclamation point.

Here are the 374 base subject lines we're seeing today:

account confirmation
account management
account notification
account notification: security alert
account secure confirmation
account security measures
alert
alert - online client form released
alert - online form released
automatic account reminder
automatic notification
automatic reminder
banking alert - action required
banking alert: action required
banking mail from Chase Bank
Chase Bank customer service informs you
Chase Bank customer service team informs you
Chase Bank customer service: account confirmation
Chase Bank customer service: account management
Chase Bank customer service: account notification
Chase Bank customer service: account secure confirmation
Chase Bank customer service: account security measures
Chase Bank customer service: alert
Chase Bank customer service: alert - online client form released
Chase Bank customer service: alert - online form released
Chase Bank customer service: automatic account reminder
Chase Bank customer service: automatic notification
Chase Bank customer service: automatic reminder
Chase Bank customer service: client details confirmation
Chase Bank customer service: confirm your account details
Chase Bank customer service: confirm your account records
Chase Bank customer service: confirm your data
Chase Bank customer service: confirm your details
Chase Bank customer service: confirm your identity
Chase Bank customer service: confirm your information
Chase Bank customer service: confirm your online account details
Chase Bank customer service: confirm your online banking records
Chase Bank customer service: confirmation required
Chase Bank customer service: customer alert
Chase Bank customer service: customer details confirmation
Chase Bank customer service: data confirmation
Chase Bank customer service: details confirmation
Chase Bank customer service: enhanced online security measures
Chase Bank customer service: important account notice
Chase Bank customer service: important account notification
Chase Bank customer service: important announce
Chase Bank customer service: important banking mail
Chase Bank customer service: important information
Chase Bank customer service: important message
Chase Bank customer service: important note on security
Chase Bank customer service: important notice
Chase Bank customer service: important notification
Chase Bank customer service: important security notice
Chase Bank customer service: important security update
Chase Bank customer service: instructions for client
Chase Bank customer service: instructions for customer
Chase Bank customer service: message from customer service
Chase Bank customer service: message regarding your account
Chase Bank customer service: necessary to be read
Chase Bank customer service: new enhanced online security measures
Chase Bank customer service: new online security measures
Chase Bank customer service: new security measures
Chase Bank customer service: new security notification
Chase Bank customer service: notice to all customers
Chase Bank customer service: notification
Chase Bank customer service: official information
Chase Bank customer service: official update
Chase Bank customer service: online banking account confirmation
Chase Bank customer service: online banking alert
Chase Bank customer service: online banking form
Chase Bank customer service: online banking notice
Chase Bank customer service: online banking notification
Chase Bank customer service: online client form released
Chase Bank customer service: online form released
Chase Bank customer service: our enhanced online security measures
Chase Bank customer service: our new security measures
Chase Bank customer service: periodic account notification
Chase Bank customer service: please confirm your banking details
Chase Bank customer service: please confirm your data
Chase Bank customer service: please confirm your details
Chase Bank customer service: please confirm your information
Chase Bank customer service: please confirm your online banking account data
Chase Bank customer service: please confirm your online banking records
Chase Bank customer service: please read this message
Chase Bank customer service: please update your data
Chase Bank customer service: please update your details
Chase Bank customer service: safeguarding customer information
Chase Bank customer service: scheduled security maintenance
Chase Bank customer service: secure confirmation
Chase Bank customer service: secure details confirmation
Chase Bank customer service: securing customer data
Chase Bank customer service: security alert
Chase Bank customer service: security issues
Chase Bank customer service: security maintenance
Chase Bank customer service: security measures
Chase Bank customer service: security warning
Chase Bank customer service: service message
Chase Bank customer service: software updating
Chase Bank customer service: urgent message
Chase Bank customer service: urgent notification
Chase Bank customer service: urgent security alerts
Chase Bank customer service: urgent security notice
Chase Bank customer service: urgent security notification
Chase Bank customer service: urgent security notification for all clients
Chase Bank customer service: urgent security notification for client
Chase Bank customer service: urgent security notification for clients
Chase Bank customer service: urgent security warning
Chase Bank customer service: we need to update your information
Chase Bank customer service: you have 1 new security message alert
Chase Bank customer service: your account
Chase Bank customer service: your account with us
Chase Bank customer service: your online account
Chase Bank notification
Chase Bank online form
Chase Bank reminder: client details confirmation
Chase Bank reminder: client details form
Chase Bank reminder: confirm your account details
Chase Bank reminder: confirm your Chase Bank client details
Chase Bank reminder: confirm your details
Chase Bank reminder: notification
Chase Bank reminder: online form
Chase Bank reminder: please complete online form
Chase Bank reminder: please update your account data
Chase Bank reminder: please update your account details
Chase Bank reminder: please update your account records
Chase Bank reminder: please update your banking data
Chase Bank reminder: please update your banking details
Chase Bank reminder: please update your banking records
Chase Bank reminder: please update your data
Chase Bank reminder: please update your details
Chase Bank security upgrade
Chase Bank: account confirmation
Chase Bank: account management
Chase Bank: account notification
Chase Bank: account secure confirmation
Chase Bank: account security measures
Chase Bank: alert
Chase Bank: alert - online client form released
Chase Bank: alert - online form released
Chase Bank: automatic account reminder
Chase Bank: automatic notification
Chase Bank: automatic reminder
Chase Bank: client details confirmation
Chase Bank: confirm your account details
Chase Bank: confirm your account records
Chase Bank: confirm your data
Chase Bank: confirm your details
Chase Bank: confirm your identity
Chase Bank: confirm your information
Chase Bank: confirm your online account access
Chase Bank: confirm your online account details
Chase Bank: confirm your online banking records
Chase Bank: confirmation required
Chase Bank: customer alert
Chase Bank: customer details confirmation
Chase Bank: data confirmation
Chase Bank: details confirmation
Chase Bank: enhanced online security measures
Chase Bank: important account notice
Chase Bank: important account notification
Chase Bank: important announce
Chase Bank: important banking mail
Chase Bank: important information
Chase Bank: important message
Chase Bank: important note on security
Chase Bank: important notice
Chase Bank: important notification
Chase Bank: important security notice
Chase Bank: important security update
Chase Bank: instructions for client
Chase Bank: instructions for customer
Chase Bank: message from customer service
Chase Bank: message regarding your account
Chase Bank: necessary to be read
Chase Bank: new enhanced online security measures
Chase Bank: new online security measures
Chase Bank: new security measures
Chase Bank: new security notification
Chase Bank: notice to all customers
Chase Bank: notification
Chase Bank: official information
Chase Bank: official update
Chase Bank: online banking account confirmation
Chase Bank: online banking alert
Chase Bank: online banking form
Chase Bank: online banking notice
Chase Bank: online banking notification
Chase Bank: online client form released
Chase Bank: online form released
Chase Bank: our enhanced online security measures
Chase Bank: our new security measures
Chase Bank: periodic account notification
Chase Bank: please confirm your banking details
Chase Bank: please confirm your data
Chase Bank: please confirm your details
Chase Bank: please confirm your information
Chase Bank: please confirm your online banking account data
Chase Bank: please confirm your online banking records
Chase Bank: please read this message
Chase Bank: please update your data
Chase Bank: please update your details
Chase Bank: safeguarding customer information
Chase Bank: scheduled security maintenance
Chase Bank: secure confirmation
Chase Bank: secure details confirmation
Chase Bank: securing customer data
Chase Bank: security alert
Chase Bank: security issues
Chase Bank: security maintenance
Chase Bank: security measures
Chase Bank: security warning
Chase Bank: service message
Chase Bank: software updating
Chase Bank: urgent message
Chase Bank: urgent notice from customer service
Chase Bank: urgent notification
Chase Bank: urgent notification from customer service
Chase Bank: urgent security alerts
Chase Bank: urgent security notice
Chase Bank: urgent security notification
Chase Bank: urgent security notification for all clients
Chase Bank: urgent security notification for client
Chase Bank: urgent security notification for clients
Chase Bank: urgent security warning
Chase Bank: we need to update your information
Chase Bank: you have 1 new security message alert
Chase Bank: your account
Chase Bank: your account with us
Chase Bank: your online account
client details confirmation
cofirm your details with Chase Bank
confirm your account details
confirm your account records
confirm your data
confirm your details
confirm your identity
confirm your information
confirm your online account access
confirm your online account details
confirm your online banking records
confirmation required
customer alert
customer details confirmation
customer notice: data confirmation
customer notice: details confirmation
customer notice: your Chase Bank account
customer notice: your Chase Bank banking account
customer notice: your Chase Bank business account
customer notification: data confirmation
customer notification: details confirmation
customer service: your Chase Bank account
customer service: your Chase Bank banking account
customer service: your Chase Bank business account
data confirmation
dear Chase Bank client
dear Chase Bank customer
details confirmation
enhanced online security measures
Essential System Maintenance
important account notice
important account notice from Chase Bank
important account notification
important alert
important announce
important banking mail
important banking mail from Chase Bank
important banking mail: new online security measures
important Chase Bank mail
important information
important information for Chase Bank client
important information for Chase Bank clients
important information from Chase Bank customer service
important information from customer service
important information from customer service team
Important instructions
important instructions from customer service
important instructions from customer service team
important message
important message for Chase Bank client
important message from Chase Bank
important note on security
important notice
important notice from Chase Bank
important notification
important notification from Chase Bank
Important Scheduled Maintenance
important security notice
important security update
information from Chase Bank customer service
information from Chase Bank customer service team
instructions for client
instructions for customer
instructions for our customers
instructions from customer service
instructions from customer service team
message from customer service
message from customer service team
message regarding your account
necessary to be read
new enhanced online security measures
new online security measures
new security measures
new security notification
notice to all customers
notice: confirm your online banking records
notice: confirm your online records
notification
notification from Chase Bank
official information
official information for all Chase Bank clients
official information for Chase Bank client
official information for client of Chase Bank
official information from Chase Bank customer service
official update
online banking account confirmation
online banking alert
online banking form
online banking notice
online banking notification
online client form released
online form released
our enhanced online security measures
our new security measures
periodic account notification
please confirm your banking details
please confirm your data
please confirm your details
please confirm your information
please confirm your online banking account data
please confirm your online banking records
please read this message
please update your data
please update your details
please update your online banking records
safeguarding customer information
Scheduled Maintenance program
scheduled security maintenance
secure confirmation
secure details confirmation
securing customer data
security alert
security issues
security maintenance
security measures
security warning
service message
service message from Chase Bank
service notification from Chase Bank
software updating
update your details with Chase Bank
urgent message
urgent message for Chase Bank client
urgent message from Chase Bank
urgent notice from customer service
urgent notification
urgent notification from customer service
urgent security alerts
urgent security notice
urgent security notification
urgent security notification for all clients
urgent security notification for client
urgent security notification for client of the Chase Bank
urgent security notification for clients
urgent security warning
we need to update your information
you have 1 new security message alert
your account with Chase Bank
your account with us
your banking account with Chase Bank
your Chase Bank account
your online account
your online account with Chase Bank
your online banking account with Chase Bank
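The subject-line variants described above (a base subject, optionally followed by "message id: RND" or "message ref: RND" in square brackets, angle brackets or parentheses, or by "- Ref No. RND", with or without a trailing period or exclamation point) can be collapsed back to their base subject before matching against the list. The following normalizer is an added example, not code from the post or from UAB; the sample subjects and the small subset of base subjects in it are constructed for illustration.

```python
import re

# Constructed sample subject lines modelled on the variants the post describes.
# These are illustrative, not captured spam.
SAMPLE_SUBJECTS = [
    "Chase Bank: security alert",
    "Chase Bank: security alert [message id: 48213]",
    "Chase Bank: security alert <message ref: 7719>",
    "Chase Bank: security alert (message id: 302)",
    "Chase Bank: security alert - Ref No. 5521",
    "Chase Bank: security alert!",
    "Chase Bank: security alert.",
    "Meeting notes for Tuesday",        # benign, should not match
]

# A short subset of the 374 base subjects listed in the post, lower-cased
# because the post notes the campaign also varies capitalization.
BASE_SUBJECTS = {
    "chase bank: security alert",
    "chase bank customer service: confirm your details",
    "urgent security notification for clients",
    "your account with chase bank",
}

# "[message id: 123]", "<message ref: 123>", "(message id: 123)" or "- Ref No. 123"
# at the end of the subject.
_ID_SUFFIX = re.compile(
    r"\s*(?:[\[(<]\s*message\s+(?:id|ref)\s*:\s*\d+\s*[\])>]|-\s*ref\s+no\.?\s*\d+)\s*$",
    re.IGNORECASE,
)
# A trailing period or exclamation point (the post's "." and "!" variants).
_PUNCT_SUFFIX = re.compile(r"[.!]+\s*$")


def normalize_subject(subject: str) -> str:
    """Strip the random-number and punctuation decorations, returning the base
    subject in lower case. The loop handles decorations stacked on each other
    (e.g. "- Ref No. 5521!")."""
    s = " ".join(subject.split())           # collapse runs of whitespace
    while True:
        stripped = _PUNCT_SUFFIX.sub("", s)
        stripped = _ID_SUFFIX.sub("", stripped)
        if stripped == s:
            break
        s = stripped
    return s.strip().lower()


def classify(subjects, base_subjects=BASE_SUBJECTS):
    """Group incoming subjects by the base subject they normalize to, keeping
    only those whose base is on the known phish list."""
    hits = {}
    for subj in subjects:
        base = normalize_subject(subj)
        if base in base_subjects:
            hits.setdefault(base, []).append(subj)
    return hits


if __name__ == "__main__":
    for base, originals in classify(SAMPLE_SUBJECTS).items():
        print(f"{base!r}: {len(originals)} variant(s)")
```

Matching on the normalized form rather than the raw subject is what makes a list of a few hundred base subjects useful against the 666-plus variants the post counts; the loop in `normalize_subject` matters because a subject can carry both a "- Ref No." suffix and a trailing "!".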

Ally Bank Phish



It looks like this spam campaign is migrating to Ally Bank now. Here are the websites:

secure.ally.com.hreesf.com.im
secure.ally.com.hreesv.org.im
secure.ally.com.hreesf.co.im
secure.ally.com.hreesv.co.im
secure.ally.com.hreesf.im
secure.ally.com.hrees.org.im
secure.ally.com.hreesv.com.im
secure.ally.com.hreesv.net.im
secure.ally.com.hreesf.net.im
secure.ally.com.gerfasu.be
secure.ally.com.hrees.com.im
secure.ally.com.gerfase.be
secure.ally.com.gerfast.be
secure.ally.com.gerfasx.be
secure.ally.com.hrees.im
secure.ally.com.gerfasq.be
secure.ally.com.gerfasr.be
secure.ally.com.gerfaso.be
secure.ally.com.gerfasw.be
secure.ally.com.gerfasy.be
secure.ally.com.hrees.co.im
secure.ally.com.hrees.net.im
secure.ally.com.hreesv.im
secure.ally.com.gerfasi.be
secure.ally.com.hreesf.org.im
secure.ally.com.iuuhet.co.uk
secure.ally.com.iuoket.co.uk
secure.ally.com.iuuhet.me.uk
secure.ally.com.iuohet.me.uk
secure.ally.com.iuohet.co.uk
secure.ally.com.iuuhet.org.uk
secure.ally.com.iuoket.me.uk
secure.ally.com.iuohet.org.uk
secure.ally.com.iuoket.org.uk

and here are some of the spam subjects:

Ally Bank (former GMAC Bank) customer form
For attention of Ally Bank (former GMAC Bank) customer
GMAC Bank is now Ally Bank
Instructions for Ally Bank (former GMAC Bank) customer
New version of Ally Bank (former GMAC bank) customer form has been released

An email sample:




Followed by the webpage series:





Saturday, November 28, 2009

Beware Weekend Facebook Scam!

The cybercriminals seem to have completed their Black Friday shopping and returned to work this morning with a new Facebook scam. It's probably wrong to call it "new", since it's a re-tread of the Facebook scam we warned about October 28th.

The UAB Spam Data Mine saw approximately 20,000 copies of this email today, with the following websites being used in the spam:

www.facebook.com.hssaze.be
www.facebook.com.hssazg.be
www.facebook.com.hssazh.be
www.facebook.com.hssazi.be
www.facebook.com.hssazj.be
www.facebook.com.hssazl.be
www.facebook.com.hssazo.be
www.facebook.com.hssazp.be
www.facebook.com.hssazq.be
www.facebook.com.hssazr.be
www.facebook.com.hssazt.be
www.facebook.com.hssazu.be
www.facebook.com.hssazw.be
www.facebook.com.hssazy.be

Three email subjects (with some variation in case) are used:

Facebook Account Update
Facebook Update Tool
New login system

The path, /usersdirectory/LoginFacebook.php is appended with a unique string for each email sent.

The emails look like this:



Dear Facebook user,
In an effort to make your online experience safer and more enjoyable,
Facebook will be implementing a new login system that will affect all
Facebook users. These changes will offer new features and increased
account security.
Before you are able to use the new login system, you will be required to
update your account.
Click here to update your account online now.

If you have any questions, reference our New User Guide.

Thanks,
The Facebook Team



and the webpage starts like this:



After entering your userid and password, the malware page is loaded:



The "updatetool.exe" is malware, of course.

File size: 129536 bytes
MD5...: adc5806e32716e588faf44622ccb5f9a

Early this morning, virustotal was showing a 5 of 41 detection rate. That's greatly improved now, to 17 of 41, as shown in this current VirusTotal Report. The malware is confirmed to be a Zeus/Zbot infector.

Tuesday, November 24, 2009

Some Jerk posted your photo - and now you're infected!

(Update: this scam from November 2009 is being repeated in February 2010 - for more on the current version please see: Minipost: Fake Photo Zeus)

Dear Cyber Criminals,

Isn't there someone out there doing something interesting besides the Zeus criminals?

Today we have yet another major spam campaign spreading malware, and yet again, it's the same criminals trying to use social engineering to plant their password-stealing and bank-website-altering software on your computer.

Today's campaign started out while I was breaking in a new pair of boots at Oak Mountain State Park by doing the Peavine Falls Green Trail, a nice set of hills. When I came back to my car I noticed a couple text messages asking about a new Zeus campaign. I checked Twitter and saw that Alex Eckelberry from Sunbelt (@alexeck) and WebSense Labs (@websenselabs) had both covered it. Yes, I am not always online! When I take vacation days I only work in the early morning and the evening!

The email subjects used by this spam campaign are:

Subject: hi
Subject: fw
Subject: hey
Subject: re
Subject: your photos
Subject: some jerk has posted your photos
Subject: some jerk has posted your pictures

The website addresses use randomization in the hostname to create an enormous number of possible URLs, all beginning with "archive", followed by 1 to 8 random digits, and a domain name. Some real examples would include:

The domain names we saw earlier include:

hlrtfeb.com
hlrtfec.com
hlrtfef.com
hlrtfeg.com
hlrtfeh.com
hlrtfek.com
hlrtfem.com
hlrtfen.com
hlrtfeo.com
hlrtfet.com
hlrtfeu.com
hlrtfey.com
uhbzal.com
uhczax.com
uhfzav.com
uhgzao.com
uhrzaf.com
uhszaa.com
uhtzar.com
uhvzac.com
uhwzaq.com
uhxzas.com
heddasb.eu
heddasc.eu
heddase.eu
heddask.eu
heddasl.eu
heddasm.eu
heddast.eu
heddasu.eu
heddasz.eu
salikub.eu
salikuc.eu
salikue.eu
salikuf.eu
salikuh.eu
salikui.eu
salikuj.eu
salikuk.eu
salikur.eu
salikus.eu
salikuu.eu
salikuv.eu
salikuy.eu
daaswev.eu
heddaso.eu
heddasp.eu
heddasq.eu

all with the path "/photo-hosting/".

All of the initial domains seem to have been taken offline, but the criminal is starting up a second wave of domain names that we are now seeing in the UAB Spam Data Mine.


Here's a screenshot from a currently live website:



The malware which is currently dropping is "lightly detected" at VirusTotal, but not "poorly detected". A current VirusTotal report shows 15 of 41 detects with only Microsoft, Sunbelt, and Symantec properly labeling the malware as ZBot.

Here are some examples of the actual hostnames we've seen (and we've now seen more than 6,500 copies):


Rather than using a standard "From:" address, the criminals are mixing this up as well. Here are the most recent sender addresses on the copies of the spam we received; of course these are all fakes generated by the spambot:


Monday, November 23, 2009

UAB Spam Data Mine finds Social Security Statement Zeus Bot

I'm frequently asked how it is that the UAB Spam Data Mine is consistently among the first in reporting new spam campaigns that contain harmful malware. I thought I would show you the manual version of the process this morning.

We start by finding the "top subjects" for the current time period. Because the UAB Spam Data Mine now processes inbound spam every 15 minutes, we can do searches to identify the top spam campaigns in the previous 15 minutes such as:

select count(subject), subject from spam where message_id like '%09Nov23.0715%' group by subject order by count(subject) desc;

Look for something interesting, such as:

53 | Watch for errors on Social Security statement
53 | Watch for errors on your Social Security statement
45 | Review your annual Social Security statement

In the previous 15-minute period, nothing with "Social Security" showed up in the top 100 subjects. Now we have three items in the top 25. By the time I finished writing this article, the 0730 and 0745 runs were complete, and we now have more than 600 samples of the spam. However, using the techniques we've developed for "emerging threat detection", we were aware of the campaign immediately when the 0715 run showed something that was not present in the 0700 run.

Then we may dig in with a subject specific search:

select a.subject, b.machine, b.path from spam a, spam_link b where a.message_id = b.message_id and a.subject like '%Social Security statement%';


Bingo! 200 results with domains like:

statements.ssa.gov.fawaazq.be | /acu/IPS_INTR/controller.php
statements.ssa.gov.reedask.be | /acu/IPS_INTR/controller.php

Let's get JUST the list of machines used:

select machine from spam_link where machine like 'statements.ssa.gov%' group by machine;
machine
-------------------------------
statements.ssa.gov.reedasn.be
statements.ssa.gov.fawaazv.be
statements.ssa.gov.fawaazc.be
statements.ssa.gov.reedasg.be
statements.ssa.gov.ujbhgk.be
statements.ssa.gov.ujbhgx.be
statements.ssa.gov.fawaazs.be
statements.ssa.gov.fawaaza.be
statements.ssa.gov.ujbhgv.be
statements.ssa.gov.fawaaze.be
statements.ssa.gov.reedasu.be
statements.ssa.gov.reedasv.be
statements.ssa.gov.reedask.be
statements.ssa.gov.ujbhgz.be
statements.ssa.gov.fawaazz.be
statements.ssa.gov.reedasj.be
statements.ssa.gov.fawaazx.be
statements.ssa.gov.reedasb.be
statements.ssa.gov.fawaazf.be
statements.ssa.gov.ujbhgq.be
statements.ssa.gov.reedaso.be
statements.ssa.gov.ujbhgb.be
statements.ssa.gov.fawaazq.be
statements.ssa.gov.reedasm.be
statements.ssa.gov.ujbhgm.be
statements.ssa.gov.reedast.be
statements.ssa.gov.fawaazr.be
statements.ssa.gov.fawaazd.be
statements.ssa.gov.reedash.be
statements.ssa.gov.ujbhga.be
statements.ssa.gov.fawaazw.be
statements.ssa.gov.reedasy.be
(32 rows)

(Update: There are now 80 known machines for this campaign. Here's how many emails we've seen for each one as of 8:20 PM Central time:)


Looks serious. Let's pull a list of all the unique subjects:

select a.subject from spam a, spam_link b
where a.message_id = b.message_id and
b.machine like 'statements.ssa.gov%'
group by a.subject order by a.subject;

subject
----------------------------------------------------
Review annual Social Security statement
Review your annual Social Security statement
Watch for errors on Social Security statement
Watch for errors on your Social Security statement
(4 rows)
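The sequence of queries above (top subjects per 15-minute run, the run-over-run "emerging threat" comparison, the join to spam_link, and the pivot back from hostname family to subjects) as one runnable triage script. This is an added example, not the UAB Spam Data Mine's own code: the schema, the placement of the run stamp inside message_id and every sample row are constructed for the demonstration.

```python
"""Emerging-campaign triage over a spam corpus, following the queries above.
Added example, not UAB code: the schema (spam, spam_link), the run stamp
embedded in message_id and every sample row are constructed."""
import sqlite3


def build_sample_corpus():
    """Constructed sample: two 15-minute runs (0700 and 0715 on 09Nov23).
    The 0715 run is the first one in which the Social Security subjects appear."""
    spam, links, n = [], [], 0

    def add(run, subject, count, link=None):
        nonlocal n
        for _ in range(count):
            n += 1
            # Run stamp inside the message id, so LIKE '%09Nov23.0715%' selects one run
            mid = f"<{n:05d}@09Nov23.{run}>"
            spam.append((mid, subject))
            if link:
                links.append((mid, link[0], link[1]))

    add("0700", "cheap meds", 20)
    add("0700", "re: your order", 15)
    add("0700", "hi", 8)
    add("0715", "cheap meds", 12)
    add("0715", "Watch for errors on your Social Security statement", 6,
        ("statements.ssa.gov.fawaazq.be", "/acu/IPS_INTR/controller.php"))
    add("0715", "Review your annual Social Security statement", 5,
        ("statements.ssa.gov.reedask.be", "/acu/IPS_INTR/controller.php"))
    add("0715", "hi", 4)
    return spam, links


def load_corpus(spam_rows, link_rows):
    """In-memory SQLite with the two tables the page's queries use."""
    con = sqlite3.connect(":memory:")
    con.executescript(
        "CREATE TABLE spam (message_id TEXT PRIMARY KEY, subject TEXT);"
        "CREATE TABLE spam_link (message_id TEXT, machine TEXT, path TEXT);"
    )
    con.executemany("INSERT INTO spam VALUES (?, ?)", spam_rows)
    con.executemany("INSERT INTO spam_link VALUES (?, ?, ?)", link_rows)
    return con


def top_subjects(con, run_stamp, limit=25):
    """Step 1: subject counts for one 15-minute run, most common first."""
    return con.execute(
        "SELECT COUNT(subject), subject FROM spam WHERE message_id LIKE ? "
        "GROUP BY subject ORDER BY COUNT(subject) DESC LIMIT ?",
        (f"%{run_stamp}%", limit),
    ).fetchall()


def emerging_subjects(con, prev_run, cur_run, limit=25, min_count=5):
    """The 'emerging threat' check: subjects in this run's top list that were
    absent from the previous run's top list (min_count filters one-off noise)."""
    seen_before = {subject for _, subject in top_subjects(con, prev_run, limit)}
    return [(count, subject) for count, subject in top_subjects(con, cur_run, limit)
            if subject not in seen_before and count >= min_count]


def machines_for_subject(con, subject_pattern):
    """Step 2: join the matching messages to their links (machine + path)."""
    return con.execute(
        "SELECT b.machine, b.path, COUNT(*) FROM spam a JOIN spam_link b "
        "ON a.message_id = b.message_id WHERE a.subject LIKE ? "
        "GROUP BY b.machine, b.path ORDER BY COUNT(*) DESC",
        (subject_pattern,),
    ).fetchall()


def subjects_for_machines(con, machine_pattern):
    """Steps 3/4: pivot from the hostname family back to every subject using it."""
    rows = con.execute(
        "SELECT a.subject FROM spam a JOIN spam_link b ON a.message_id = b.message_id "
        "WHERE b.machine LIKE ? GROUP BY a.subject ORDER BY a.subject",
        (machine_pattern,),
    ).fetchall()
    return [subject for (subject,) in rows]


if __name__ == "__main__":
    con = load_corpus(*build_sample_corpus())
    for count, subject in emerging_subjects(con, "09Nov23.0700", "09Nov23.0715"):
        print(f"NEW in 0715 run: {count:4d} | {subject}")
        for machine, path, hits in machines_for_subject(con, f"%{subject}%"):
            print(f"    {hits:4d} | {machine} | {path}")
    print(subjects_for_machines(con, "statements.ssa.gov%"))
```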

Pulling up some samples in an email tool shows us what the original emails looked like:



The emails claim that:
Due to possible calculation errors, your annual Social Security statement may contain errors.

Use the link below to review your annual Social Security statement:


The emails say they came from:

"Social Security Administration auto-notifications@ssa.gov"

Next we visit the website to pull screen shots there as well:



After entering a (fake) Social Security Number, we are taken to another screen that offers us the option of "Generating a Report".



Clicking on "Generate Report" prompts us to download the malware:



Throwing that "statement.exe" to VirusTotal shows us a current detect rate of 5 out of 41 anti-virus products. This is very early in the detection cycle. There is no agreement on what this malware may be:

Authentium: W32/Bifrost.C.gen!Eldorado
AVG: Win32/Cryptor
F-Prot: W32/Bifrost.C.gen!Eldorado
McAfee-GW-Edition: Heuristic.BehavesLike.Win32.Trojan.H
Sunbelt: Trojan-Spy.Win32.Zbot.gen (v)

At this point none of the other AV products have a signature in place for this malware.

The malware file statistics:

File size: 129536 bytes
MD5: 40469349c5be9033fd57f6e021e7d06e

Because so little is known about this malware, we then queue it as a "high priority item" for the UAB Malware Analysis group to look at. We'll be sure to update the blog with more information about the malware when it is available.

Brian Tanner of the UAB Malware Analysis group confirmed for us that this is a Zbot trojan, and that it connects to the IP address 193.104.27.42, which has been used to deliver Zbot configuration files since at least October 26th.

Sunday, November 22, 2009

Fake Flash Player Zbot spread by "Your Domain"

The malware just keeps flowing! Today the top email-based threats continue to be related to the Zeus botnet or Zbot. The first we wrote about previously in our November 18th article, Zeus: Same Criminal, New Spam, which discussed the malware that pretended to be a "payment request from (insert company)" and contained a "module.zip" attachment. That campaign finally fell away about 4:15 Friday morning.

To replace it, we have the new version of the "Avalanche" spam. We've received 51,400 copies of this spam email so far. (Yes! The UAB Spam Data Mine is now growing by more than 1 million messages per day - more about that in the near future.) The new campaign lit up about 9:15 AM on Friday morning, and has been unstoppable since.

The email seems especially scary to recipients because it includes your own email address in the subject, and your own domain name as part of the URL to be visited. So, for instance, if your email address were "bugs@bunny.com", your subject lines would be:

dear owner of the bugs@bunny.com
for bugs@bunny.com owner
for bunny.com email service user
please update your bugs@bunny.com mailbox

And your email would read:
Dear owner of the bugs@bunny.com mailbox,
You have to change the security mode of your account, from standart to secure. Please change the security mode by using the link below:

http://accounts.bunny.com.dlsports.be/webmail/settings/noflash.php?mode=standart&id=5236183961831736912306248671355740858547&email=bugs@bunny.com


Even some security researchers initially thought that others were receiving spam using their company name as the site distributing the virus, but in reality each recipient of the spam email sees his own domain name as part of the website address to be visited.
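A defender-side classifier for the hostname tricks described in these posts: the recipient's own domain spliced in as sub-labels (accounts.bunny.com.dlsports.be), a government brand used the same way (statements.ssa.gov.reedask.be), and the randomised archive<digits>.<domain> hosts of the "your photos" campaign above. This is an added example, not UAB's code; the suffix and TLD tables are small constructed stand-ins for a real public suffix list.

```python
"""Classify spammed URLs by the hostname tricks these posts describe.
Added example, not UAB code; MULTI_LABEL_SUFFIXES and INNER_TLD_LABELS are
constructed stand-ins for a real public suffix list."""
import re
from urllib.parse import urlsplit

# Constructed: only the multi-label public suffixes the samples on the page use
MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "me.uk"}
# Constructed: labels that, seen *inside* a hostname, usually mean another
# organisation's domain has been spliced in as a decoy
INNER_TLD_LABELS = {"com", "gov", "net", "org", "edu"}
# "archive" followed by a run of random digits (any length, to cover all samples)
RANDOM_ARCHIVE = re.compile(r"archive\d+")


def registrable_domain(host):
    """The domain the operator actually registered (eTLD+1), e.g. dlsports.be."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:]) if len(labels) >= 2 else labels[0]


def embedded_domains(host):
    """Names such as bunny.com or ssa.gov that sit as labels *inside* the host,
    to the left of the registrable domain."""
    labels = host.lower().rstrip(".").split(".")
    prefix = labels[: len(labels) - len(registrable_domain(host).split("."))]
    return [f"{prefix[i - 1]}.{prefix[i]}" for i in range(1, len(prefix))
            if prefix[i] in INNER_TLD_LABELS]


def classify_url(url, recipient_domain=None):
    """Summarise why a spammed URL looks the way it does, from the defender's side."""
    host = urlsplit(url).hostname or ""
    real = registrable_domain(host)
    embedded = embedded_domains(host)
    first_label = host.split(".")[0]
    wanted = recipient_domain.lower() if recipient_domain else None
    return {
        "host": host,
        "registrable_domain": real,
        "embedded_domains": embedded,
        # the "Your Domain" trick: the recipient's own domain appears, but the
        # URL actually belongs to someone else
        "spoofs_recipient_domain": wanted is not None
        and wanted in embedded and real != wanted,
        # the statements.ssa.gov.<random>.be style brand-prefix trick
        "spoofs_other_domain": any(d != real for d in embedded),
        # the archive<digits>.<domain> randomised-hostname trick
        "random_archive_host": RANDOM_ARCHIVE.fullmatch(first_label) is not None,
    }


if __name__ == "__main__":
    # Constructed sample URLs modelled on the ones quoted in these posts
    samples = [
        ("http://accounts.bunny.com.dlsports.be/webmail/settings/noflash.php"
         "?mode=standart&email=bugs@bunny.com", "bunny.com"),
        ("http://statements.ssa.gov.reedask.be/acu/IPS_INTR/controller.php", "bunny.com"),
        ("http://archive7004014104.daasweb.eu/photo-hosting/", "bunny.com"),
    ]
    for url, recipient in samples:
        print(classify_url(url, recipient))
```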

For simplicity, we'll use "mydomain.com" when we document the websites below.

The webpage looks like this:



After warning that "You don't have the latest version of Macromedia Flash Player", the website offers the fairly standard "Get Adobe Flash Player" icon. In this case, however, instead of fetching from Adobe, it installs from the server you are visiting, from the path "/webmail/settings/flashinstaller.exe".

We've seen twenty-two different domains registered for this round of cybercrime. All of these sites are currently live:


The VirusTotal report for flashinstaller.exe shows fairly decent detection with many brands calling this a "Zbot" variant.

The file we scanned was the currently live file:
File size: 123392 bytes
MD5: f890afa3b55a64b70d45f1b1fc60a77b

Some folks have been confused by the great news from the Metropolitan Police of London this past week. The Metropolitan Police's Central e-Crime Unit (PCeU) arrested a pair of twenty-year-olds, one man and one woman, on November 3rd for their use of the Zeus bot. You can read more about that arrest in Jeremy Kirk's PC World article or in this Press Release on the Metro Police website.

While it's terribly exciting news, and we congratulate all the fine folks at PCeU, they've only arrested one of the many groups distributing Zeus, and not "the big one". While Zeus or Zbot is best known as a stealer of banking credentials, it's important to remember that ALL userids and passwords entered on a Zeus victim computer end up in the databases of criminals. Whether it is your email password, your Netflix password, your BestBuy or Dell or Amazon.com or eBay or Paypal password, or any other password, it now belongs to the criminals, along with your credit card and banking information.


Here are some of the places we're currently seeing these domains resolve:


Thursday, November 19, 2009

Running out of Money Mules?

Cyber criminals have launched a new spam campaign this morning trying to recruit more Money Mules. What is a Money Mule? A Money Mule is a person who is participating in a money laundering scheme to help cyber criminals move stolen funds out of the country. The most common way this is performed is to deposit money into the Money Mule's bank account, and then send them instructions on where to wire the money using Western Union, MoneyGram, or some other non-bank world-wide money movement system.

In today's newest Money Mule recruitment scam, the criminals have sent a broad-blast email with email subjects such as:

employees needed
job in USA
job offer
part-time job

The "From:" address is widely scattered, with nearly every email forging a different From: address, but most use the From name of either "Employees Needed" or "Job Offer".

The scam emails began arriving around 6:35 AM today, and we've already received more than 500 copies in the UAB Spam Data Mine.

The website advertised in the scam is based in China, currently hosted on the IP 222.73.37.203 in Shanghai, China, and has the address:

http://abc-webdesign.cn/jobs_usa.htm



Here's the text of their job description from that site:

Financial Manager

Location: USA, statewide
Availability: currently available
Employment type: Part-time employment
Number of employees required: 5

CANDIDATE REQUIREMENTS

* not less than 21 years old
* internet access to reply emails promptly
* availability by phone (1-2 hours a day)
* a bank account to process payments
* good credit history with your bank (new bank account is an option)
* no criminal offense or convictions
* experience in the field of finance is preferred

DUTIES

We are searching for people to process payments coming from our clients. ABCWebDesign will provide an agent with detailed instructions as regards payment processing operations including sender full name and amount total for each separate case.

When funds enter employee's bank account, Financial Agent's duty is to withdraw cash and transfer the funds via Western Union/Money Gram money transfer systems. The main advantage of our services is the shortest possible time within which the seller can receive money for the services sold. If this operation is delayed, our clients are entitled to cancel their contract with us and we suffer financial loss. Therefore, successful applicant must be very responsible and careful!

TRIAL PERIOD POLICY

Successful applicants are offered the position on a probationary period basis (1 month). This is the period when a new employee will be trained and receive online support while working and being paid. A personal supervisor can recommend termination during/after the trial period depending on agent's activity. New employee should be responsible and strictly follow supervisor's recommendations to pass the Probationary Period successfully and be employed by us on a regular basis.

SALARY

During the probationary period we offer $500 monthly salary plus 5% commission for each payment processing operation. For example, an average $5,000 payment will entail $400 commission. A successful agent may ask for additional tasks and earn more Base salary ($500) will be transferred at the end of each month to employee's bank account. Commission (5%) is to be deducted from the processed money.

IMPORTANT DETAILS

* Financial Agent is supposed to process received assets during one business day, i.e. from the moment of money entering his bank account to the moment of re-send to our client in accordance with contract terms. If money enters employee's account on a day-off or holiday, all payment processing procedures have to be completed during the next working day.
* Financial Agent receives invoices for each transaction every 14 days. This document is a confirmation of transaction validity, and in case of any (if any at all) unforeseen circumstances it will evidence your personal non-participation. All invoices will contain detailed information on money sender and will be both sealed and certified with President's signature.
*After the Probationary Period completion, invoices will be sent every business day.
* Since business transfers can be processed with delays, Financial Manager should specify each transfer as a private remittance. This provision is also applicable in case of a third party interest in the transfer.
* Our clients appreciate our operational efficiency and are ready to pay extra fee for shorter transaction terms.
* The fees for Western Union and MoneyGram transfers are paid by our company. Absolutely nothing is subtracted from your commission; you get exactly 5% from amount. The fees will be discounted from the money that you will send via Western Union or MoneyGram transfers.
* We don't ask for any investment to start cooperating with our company.
* The company offers incentive bonus program based on work results with regard to several factors, i.e. total sum of money transferred, payment processing time, etc.

OUR BENEFITS

Probationary period imposes restrictions on the employment benefits of our corporation. Financial Manager will be able to receive ABCWebDesign employment benefits only after probationary period completion. Employment benefits will include:

* stock options
* child-care subsidies
* flex-time
* business casual attire
* free training and professional development programs

*Detailed information concerning the employment benefits will be provided after probationary period successful completion.


If you have a desire to work send us your CV (resume) to hr-usa@abc-webdesign.cn

You can send us this application form instead of CV also.

CURRENT/LAST JOB:
WORK EXPERIENCE (years):
MOBILE or HOME NUMBER:

As soon as we receive your CV (preferred) or application form we call you
with the result of accepting you to our job position and further details.



ABCWebDesign

A: Tarnow, ul. Wałowa 4 1B, 51-326 Poland
T: +48 22 389 7067


(The telephone number belongs to a real company in Poland, City Web Design - city-pl.com. It's very common for these fake job sites to steal a real company's website as the base for their Money Mule website.)




There are many, many interesting things hosted on this IP address, but since this blog entry is primarily about career scams, I'll mention only one other in particular.

http://your-usa-address.net/index.php?node=job

is also on the same IP address in China as the Money Mule site above. This "business" consists of receiving packages at your home address and shipping them overseas. Criminals establish these "Reshipper" jobs so they can buy products online with stolen credit cards and ship them to "less suspicious" addresses here in the United States. Orders placed with American credit cards and foreign delivery addresses receive a higher level of scrutiny from merchants, so the criminals avoid that by tricking Americans into working for them through attractive career offerings like this one:



The advertisement on this site reads:
The Next Stage of Your Career Starts Here

Jobs come and go. But a rewarding career is a lifelong goal - achieved over time. Working at The Shipping Company Limited offers career-building opportunities, many exciting challenges and the satisfaction of knowing you can make a difference.

We are always looking for the best people to join our growing team. As a diversified services company, we have a wide range of exciting career opportunities. So whether you're just starting out or looking to set a whole new career direction, The Shipping Company Limited can help make it happen.

Are you driven by new challenges every day? Do you love to work with people? If you prefer to be in charge of your own destiny, then Authorized Agent Job may be the right career path for you. In our training program, you'll get valuable hands-on experience and could be on your way to running your own business.

About the Authorized Agent

Every day we support our customers from developing countries to purchase goods in the major trading platforms worldwide, while Authorized Agent's job is focused on receiving goods from the trading platforms and further sending them to our customers. As a Authorized Agent, you'll have an opportunity to:

* Establish your own schedule.
* Grow personally and professionally.
* Control your income level.
* Make a real impact with members and within local communities.

Benefits

As a The Shipping Company Limited Authorized Agent, your salary is just part of the compensation package offered. We understand you have responsibilities both at work and at home, therefore we offer a wide range of flexible benefits designed to provide opportunity, protection, and security for you and your family.
The Shipping Company Limited offers:

* Highly competitive compensation and income potential
* Exceptional, comprehensive training to get you started plus ongoing learning opportunities.

Eligibility Requirements

Exciting opportunities await you if you qualify to be a The Shipping Company Limited Co. Authorized Agent. Job requirements:

* Obtain and maintain:
1. PC, Internet, E-mail user-level skills
2. Mailing/Dispatching prior experience;
* Be eligible for adult employment with C&T Shipment Service.
* Any additional employment is not a hindrance as long as you have 3-4 hours a day free.
* Eligible to work long-term.

Frequently Asked Questions

The opportunity is here. The potential for success is unlimited.

>>> Apply now <<< .

IMPORTANT: Your detailed CV in MS Word format will considerably facilitate our choice.





If you or anyone you know has gotten mixed up in one of these Money Mule or Reshipper schemes, it's important that you contact law enforcement. Please save any emails, either recruitment emails or instruction emails, that you receive from the criminals, because these can help law enforcement to identify who the criminals are and where they are located!

If you aren't sure where to report it, this or any other cybercrime can be reported to the Internet Crime Complaint Center (IC3) on their website at ic3.gov.

Wednesday, November 18, 2009

Zeus: Same Criminal, New Spam Infrastructure

Last week, one of the most long-lived malware spam delivery systems, which the anti-phishing community knew as "Avalanche", went off-line. After sending spam almost non-stop for many months, no spam at all has been received from the "Avalanche" group, which had been used since June to deliver a variety of Zeus or Zbot infectors, including scams pretending to be MySpace, Facebook, the FDIC, the IRS, NACHA, a Microsoft Outlook Update, and others.

Last night a new spam campaign began using a new scam to spread malware. A sample of the email looks like this:
We recorded a payment request from "Amy's Kitchen" to enable the charge of $94.71 on your account.

The payment is pending for the moment.

If you made this transaction or if you just authorize this payment, please ignore or remove this email message. The transaction will be shown on your monthly statement as "Amy's Kitchen".

If you didn't make this payment and would like to decline it, please download and install the transaction inspector module (attached to this letter).


The "Transaction Inspector Module" is in a file called "module.zip", which when opened contains a file called "module.exe". That file is a piece of malware called "Sasfis", a dropper: a tiny piece of malware which, when launched, causes additional malware to be downloaded.

The Sasfis malware has these characteristics:

File size: 18944 bytes
MD5 : eec53e2239800e5d85b6b85d5e2451cb

A VirusTotal Report shows that this version of Sasfis is very widely detected.

UAB Malware Analyst Brian Tanner ran the malware in the lab for me. After launching, the malware connects to a Command & Control server which is on the same computer as the NACHA version of Zeus! Nothing happens for the first 45 minutes, then two additional executables are downloaded, one of which is a copy of Zeus that uses the same config file and same update server as the NACHA version of Zeus.

The UAB Spam Data Mine has received many thousands of copies of the new spam campaign, with 536 unique company names used in the subject and body of the email. Each copy of the spam email has a randomly selected company name and specifies a random dollar amount for the transaction. Here is the complete list of email Subjects:

payment request from "a21"
payment request from "Aaron Rents"
payment request from "Abbott Laboratories"
payment request from "Abercrombie & Fitch"
payment request from "ABM Industries"
payment request from "ABX Air, Inc."
payment request from "ACCO Brands"
payment request from "Ace Hardware"
payment request from "Acme Brick Company"
payment request from "Acme Markets"
payment request from "ACN Inc."
payment request from "Activision Blizzard"
payment request from "Acuity Brands"
payment request from "ADC Telecommunications"
payment request from "Adobe Systems Inc."
payment request from "Advance Auto Parts"
payment request from "Advanced Processing & Imaging"
payment request from "AES"
payment request from "Aetna"
payment request from "Affiliated Computer Services"
payment request from "AFLAC"
payment request from "AGCO"
payment request from "Agilent Technologies"
payment request from "AGL Resources"
payment request from "Air Products & Chemicals"
payment request from "Airgas"
payment request from "AirTran Holdings"
payment request from "AK Steel Holding"
payment request from "Alaska Air Group"
payment request from "Albemarle"
payment request from "Albertsons"
payment request from "Alcoa"
payment request from "Aleris International"
payment request from "Alexander & Baldwin"
payment request from "Allegheny Energy"
payment request from "Allegheny Technologies"
payment request from "Allen Organ"
payment request from "Allergan"
payment request from "Alliant Energy"
payment request from "Alliant Techsystems"
payment request from "Allstate"
payment request from "Amazon.com"
payment request from "AMC Entertainment"
payment request from "AMD"
payment request from "Ameren"
payment request from "America Online"
payment request from "American Airlines"
payment request from "American Apparel"
payment request from "American Axle & Manufacturing"
payment request from "American Broadcasting Company"
payment request from "American Eagle Outfitters"
payment request from "American Electric Power"
payment request from "American Express"
payment request from "American Family Insurance Group"
payment request from "American Financial Group"
payment request from "American Greetings"
payment request from "American Hofmann"
payment request from "American Home Mortgage"
payment request from "American International Group"
payment request from "American Reprographics Company"
payment request from "AmeriCredit"
payment request from "Amerigroup"
payment request from "Ameriprise Financial"
payment request from "AmerisourceBergen"
payment request from "Ametek"
payment request from "Amgen"
payment request from "Amiga"
payment request from "Amkor Technology"
payment request from "Amphenol Corporation"
payment request from "AMR"
payment request from "Amtrak"
payment request from "Amy"s Kitchen"
payment request from "Anadarko Petroleum"
payment request from "Analog Devices"
payment request from "AnaSpec"
payment request from "Anchor Bay Entertainment"
payment request from "AND1"
payment request from "Anixter International"
payment request from "Ann Taylor"
payment request from "Aon"
payment request from "Apache Software Foundation"
payment request from "Apollo Group"
payment request from "Apple Inc."
payment request from "Applebee's"
payment request from "Applied Biosystems"
payment request from "Applied Industrial Technologies"
payment request from "Applied Materials"
payment request from "Aramark"
payment request from "Arbitron"
payment request from "Arch Coal"
payment request from "Archer Daniels Midland"
payment request from "Arctic Cat"
payment request from "Ariba"
payment request from "Armstrong World Industries"
payment request from "Arrow Electronics"
payment request from "Arryx"
payment request from "ArvinMeritor"
payment request from "ASARCO"
payment request from "Asbury Automotive Group"
payment request from "Ashland, Inc."
payment request from "AskMeNow"
payment request from "Aspyr Media Inc."
payment request from "Assurant"
payment request from "AT&T"
payment request from "Atari"
payment request from "Atmos Energy"
payment request from "Autodesk"
payment request from "Autoliv"
payment request from "Automatic Data Processing"
payment request from "AutoNation"
payment request from "Auto-Owners Insurance"
payment request from "Autozone"
payment request from "Avaya"
payment request from "Avery Dennison"
payment request from "Avis Budget Group"
payment request from "Avnet"
payment request from "Avon Products"
payment request from "AVST"
payment request from "Babcock & Wilcox"
payment request from "Baker Hughes"
payment request from "Baldor Electric"
payment request from "Ball"
payment request from "Bank of America Corp."
payment request from "Bank of New York Mellon Corp."
payment request from "Barnes & Noble"
payment request from "Bath & Body Works"
payment request from "Baxter International"
payment request from "BB&T Corp."
payment request from "BE Aerospace"
payment request from "Beaner"s Gourmet Coffee"
payment request from "BearingPoint"
payment request from "Beazer Homes USA"
payment request from "Bechtel Corporation"
payment request from "Beckman Coulter"
payment request from "Becton Dickinson"
payment request from "Bed Bath & Beyond"
payment request from "Belden"
payment request from "Belk"
payment request from "Belkin"
payment request from "Bemis"
payment request from "Benchmark Electronics"
payment request from "Berkshire Hathaway"
payment request from "Berry Plastics"
payment request from "Best Buy"
payment request from "Big Lots"
payment request from "Binney & Smith"
payment request from "Biogen Idec"
payment request from "Biomet"
payment request from "Bio-Rad Laboratories"
payment request from "Birdwell"
payment request from "BJ Services"
payment request from "BJ"s Wholesale Club"
payment request from "Black & Decker"
payment request from "BlackRock"
payment request from "Blockbuster Video"
payment request from "BlueLinx Holdings"
payment request from "BMC Software"
payment request from "Bob Evans Farms"
payment request from "Boeing"
payment request from "Boise"
payment request from "Borders Group"
payment request from "BorgWarner"
payment request from "Bosch Brewing Company"
payment request from "Boston Scientific"
payment request from "Boyd Gaming"
payment request from "Bradley Pharmaceuticals"
payment request from "Briggs & Stratton"
payment request from "Brightpoint"
payment request from "Brinker International"
payment request from "Brinks"
payment request from "Bristol-Myers Squibb"
payment request from "Broadcom"
payment request from "Broadridge Financial Solutions"
payment request from "Brookdale Senior Living"
payment request from "Brown-Forman"
payment request from "Brunswick Corporation"
payment request from "Bucyrus International"
payment request from "Burger King Holdings"
payment request from "Burlington Coat Factory"
payment request from "Burlington Northern Santa Fe"
payment request from "C.H. Robinson Worldwide"
payment request from "CA, Inc."
payment request from "Calpine"
payment request from "Capital One"
payment request from "Cartoon Network Studios"
payment request from "Caterpillar Inc."
payment request from "CBS Corporation"
payment request from "Cerner Corporation"
payment request from "Chem-Dry"
payment request from "Chevron"
payment request from "Chicago Bridge & Iron Company"
payment request from "Chrysler"
payment request from "CIGNA"
payment request from "Cisco Systems, Inc."
payment request from "Citigroup"
payment request from "Citrix"
payment request from "CKE Restaurants"
payment request from "Clear Channel Communications"
payment request from "CNA"
payment request from "CNET"
payment request from "Cognizant Technology Solutions"
payment request from "Colgate-Palmolive"
payment request from "Colt Defense"
payment request from "Colt"s Manufacturing Company"
payment request from "Columbia Pictures"
payment request from "Comcast"
payment request from "Comodo"
payment request from "ConocoPhillips"
payment request from "Conseco"
payment request from "Continental Airlines"
payment request from "Control Data Corporation"
payment request from "Convergys Corp."
payment request from "Converse"
payment request from "Corning Incorporated"
payment request from "Costco"
payment request from "Coventry Health Care"
payment request from "Crazy Eddie"
payment request from "Crowley Maritime Corporation"
payment request from "CVS Pharmacy"
payment request from "Danaher"
payment request from "Darden Restaurants"
payment request from "DaVita"
payment request from "Dean Foods"
payment request from "Deere & Company"
payment request from "Del Monte Foods"
payment request from "Dell, Inc."
payment request from "Delphi"
payment request from "Delta Air Lines"
payment request from "Dereon"
payment request from "Devon Energy"
payment request from "Dexrex"
payment request from "DiC Entertainment"
payment request from "Dick"s Sporting Goods"
payment request from "Diebold"
payment request from "Digi-Key"
payment request from "Dillard's"
payment request from "DineEquity"
payment request from "DirecTV Group"
payment request from "Discovery Communications"
payment request from "DISH Network"
payment request from "Doculabs"
payment request from "Dole Foods"
payment request from "Dollar General"
payment request from "Dollar Tree"
payment request from "Dominion Resources"
payment request from "Domtar"
payment request from "Donaldson"
payment request from "Dover"
payment request from "Dow Jones & Company"
payment request from "Dr Pepper Snapple Group"
payment request from "Dresser Inc."
payment request from "DRS Technologies"
payment request from "DST Systems"
payment request from "DTE Energy"
payment request from "Duke Energy"
payment request from "Dun & Bradstreet"
payment request from "DuPont"
payment request from "DynCorp International"
payment request from "Dynegy"
payment request from "Eastman Chemical Company"
payment request from "Eastman Kodak"
payment request from "eBay"
payment request from "Ecolab"
payment request from "El Paso Corp."
payment request from "Electric Boat"
payment request from "Electronic Data Systems"
payment request from "Eli Lilly and Company"
payment request from "EMC Corporation"
payment request from "Emcor Group"
payment request from "Emerson Electric Company"
payment request from "Energy East"
payment request from "Entergy"
payment request from "Enterprise GP Holdings"
payment request from "Equifax"
payment request from "Erie Insurance Group"
payment request from "Exelon Corporation"
payment request from "Expeditors International"
payment request from "Express Scripts Incorporated"
payment request from "ExxonMobil"
payment request from "Federal Home Loan Mortgage Corporation"
payment request from "Federal National Mortgage Association"
payment request from "FedEx"
payment request from "Fidelity Investments"
payment request from "FileMaker Inc., formerly Claris Corp."
payment request from "Ford Motor Company"
payment request from "Forum Communications"
payment request from "Fox Film Corporation"
payment request from "FreeWave Technologies, Inc."
payment request from "Frontier Airlines"
payment request from "Gartner"
payment request from "Gateway Computers"
payment request from "Gatorade"
payment request from "General Dynamics"
payment request from "General Electric"
payment request from "General Mills"
payment request from "General Motors"
payment request from "Gentiva Health Services"
payment request from "Georgia Pacific"
payment request from "Giant Food"
payment request from "Global Insight"
payment request from "Go Daddy"
payment request from "Goldman Sachs"
payment request from "Goodyear Tire and Rubber Company"
payment request from "Google"
payment request from "H&R Block"
payment request from "H. J. Heinz Company"
payment request from "Haley Builders"
payment request from "Halliburton"
payment request from "Hallmark Cards"
payment request from "Hardee's"
payment request from "Harley-Davidson"
payment request from "Hasbro"
payment request from "Hastings Entertainment"
payment request from "Hawaiian Airlines"
payment request from "HCD Surveys"
payment request from "H-E-B"
payment request from "Hewlett-Packard"
payment request from "Hilton Hotels Corporation"
payment request from "Hi-Point Firearms"
payment request from "Home City Ice Co."
payment request from "Home Depot"
payment request from "Honeywell"
payment request from "Hot Topic"
payment request from "Hyland Software"
payment request from "i-flex Solutions"
payment request from "Infor"
payment request from "Informix"
payment request from "Intel"
payment request from "International Business Machines"
payment request from "International Game Technology"
payment request from "International Paper"
payment request from "Interplay Entertainment"
payment request from "Interstate Batteries"
payment request from "Intuit"
payment request from "ION Media Networks"
payment request from "iRobot"
payment request from "J. C. Penny"
payment request from "J. P. Morgan Chase and Co."
payment request from "JetBlue Airways"
payment request from "JN-International Medical Corporation"
payment request from "Johnson & Johnson"
payment request from "Johnson Controls"
payment request from "Jones Soda Co."
payment request from "Journal Communications"
payment request from "KBR"
payment request from "Kellogg Company"
payment request from "Kerr-McGee"
payment request from "Kimberly-Clark"
payment request from "Kmart Corporation"
payment request from "Kohler"
payment request from "KPMG"
payment request from "KPMG Fiduciaire"
payment request from "Kraft Foods"
payment request from "Kroger"
payment request from "Kurzweil Educational Systems"
payment request from "L.L.Bean"
payment request from "Landscape Binders"
payment request from "Laserfiche"
payment request from "LeapFrog Enterprises"
payment request from "Limited Brands"
payment request from "Liz Claiborne"
payment request from "Local Matters"
payment request from "Lockheed Martin"
payment request from "Louisiana Pacific"
payment request from "Lowe's"
payment request from "Lucas Oil"
payment request from "Lucasfilm"
payment request from "Lumencraft"
payment request from "Marathon Oil"
payment request from "Mars Incorporated"
payment request from "Marsh & McLennan"
payment request from "Marshall Pottery Inc."
payment request from "Martha Stewart Living Omnimedia"
payment request from "Martin Marietta Materials"
payment request from "MasterCard"
payment request from "Mattel"
payment request from "McDonald"s Corporation"
payment request from "MCI"
payment request from "Medimix International"
payment request from "Meijer"
payment request from "Merck and Company"
payment request from "Microsoft"
payment request from "Midway Games"
payment request from "Midwest Communications"
payment request from "Miller Brewing"
payment request from "Minnesota IMPLAN Group"
payment request from "Miro Technologies"
payment request from "Monsanto Company"
payment request from "Morgan Stanley"
payment request from "Motorola"
payment request from "Musco Lighting"
payment request from "Mutual of Omaha"
payment request from "Nabisco"
payment request from "Nationwide Insurance"
payment request from "NBC Universal"
payment request from "NCR Corporation"
payment request from "NetApp"
payment request from "NetZero"
payment request from "New Balance"
payment request from "New Era Tickets"
payment request from "News Corporation"
payment request from "Nike"
payment request from "Northrop Grumman"
payment request from "Northwest Airlines"
payment request from "Novell"
payment request from "Novellus Systems"
payment request from "Office Depot"
payment request from "Office Max"
payment request from "Oracle Corporation"
payment request from "PACCAR"
payment request from "Pacific Gas & Electric Company"
payment request from "PalmOne, Inc."
payment request from "PalmSource, Inc."
payment request from "Paramount Pictures"
payment request from "PayPal"
payment request from "PepsiCo"
payment request from "Pfizer"
payment request from "Pinnacle Systems"
payment request from "Pizza Hut"
payment request from "Polaroid Corporation"
payment request from "Precision Castparts Corporation"
payment request from "Price Waterhouse Coopers"
payment request from "Principal Financial Group"
payment request from "Procter & Gamble"
payment request from "Publix"
payment request from "Qualcomm"
payment request from "Quantrix"
payment request from "Quest Software"
payment request from "Quincy Newspapers"
payment request from "Qwest"
payment request from "R. H. Donnelley"
payment request from "R. R. Donnelley & Sons"
payment request from "RadioShack"
payment request from "Raytheon"
payment request from "RCA"
payment request from "Red Hat"
payment request from "Red River Broadcasting"
payment request from "Regis Corporation"
payment request from "Respironics"
payment request from "Rockwell Automation"
payment request from "Rockwell Collins"
payment request from "Russell Investment Group"
payment request from "Russell Stovers"
payment request from "Safeco Corporation"
payment request from "Safeway Inc."
payment request from "Salem Communications"
payment request from "SBC Communications"
payment request from "Science Applications International Corporation"
payment request from "Sears"
payment request from "Sequoia Voting Systems"
payment request from "Service Corporation International"
payment request from "Silicon Graphics"
payment request from "Six Flags"
payment request from "Skype"
payment request from "SkyWest Airlines"
payment request from "Snap-on Tools"
payment request from "Softscape"
payment request from "Sony Pictures Entertainment"
payment request from "Southern California Edison"
payment request from "Southwest Airlines"
payment request from "Spanx"
payment request from "Sprint Nextel Corporation"
payment request from "Staples, Inc."
payment request from "Starbucks"
payment request from "Starz"
payment request from "State Street Corporation"
payment request from "Steinway & Sons"
payment request from "Sterling Commerce"
payment request from "Sterling Ledet & Associates, Inc."
payment request from "Stewart-Warner"
payment request from "STOUT UNIVERSITY FOUNDATION"
payment request from "STX"
payment request from "Subway"
payment request from "Sun Microsystems"
payment request from "Sunny Delight Beverages"
payment request from "Sunoco"
payment request from "Syntel"
payment request from "Target Corporation"
payment request from "Tesla Motors"
payment request from "Texas Instruments"
payment request from "Textron Inc."
payment request from "The Coca-Cola Company"
payment request from "The Dow Chemical Company"
payment request from "The Liberty Corporation"
payment request from "The Ohio State University Medical Center"
payment request from "The Vanguard Group"
payment request from "The Walt Disney Company"
payment request from "The Weinstein Company"
payment request from "TheStreet.com"
payment request from "Time Warner Cable"
payment request from "Towers Perrin"
payment request from "Trinity Industries Inc."
payment request from "U.S. Robotics"
payment request from "Ubu Productions"
payment request from "Union Oil Company of California"
payment request from "Union Pacific Railroad"
payment request from "Unisys"
payment request from "United Airlines"
payment request from "United Parcel Service"
payment request from "United Services Automobile Association"
payment request from "United Technologies"
payment request from "Universal Studios"
payment request from "US Airways"
payment request from "US Cellular"
payment request from "UTStarcom"
payment request from "Valero Energy Corporation"
payment request from "Vectren"
payment request from "Verizon"
payment request from "Verizon Wireless"
payment request from "Viacom"
payment request from "Visa Inc."
payment request from "VIZ Media"
payment request from "Vizio"
payment request from "VMware"
payment request from "Vocera Communications"
payment request from "W.R. Berkley"
payment request from "Walgreens"
payment request from "Walmart"
payment request from "Washington Mutual"
payment request from "Welch's"
payment request from "Wells Fargo Bank, N.A."
payment request from "Wendy"s/Arby"s Group"
payment request from "West Liberty Foods"
payment request from "Westat"
payment request from "Whole Foods Market"
payment request from "Wizards of the Coast"
payment request from "World Financial Group"
payment request from "World Wrestling Entertainment"
payment request from "Xerox"
payment request from "Xilinx"
payment request from "XPLANE"
payment request from "Yahoo!"
payment request from "YRC Worldwide Inc."
payment request from "Yum! Brands, Inc."
payment request from "Zapata"
payment request from "Zappos.com"
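Both posts describe the same kind of triage work: grouping a flood of messages into a campaign by the parts the spammer keeps constant (the "payment request from ..." subject template; the "Employees Needed"/"Job Offer" From names over ever-changing forged addresses), counting what varies (company names, dollar amounts, sender addresses), and checking the attachment against the known Sasfis MD5. The script below is an added example written for this write-up; it is not UAB Spam Data Mine code. It assumes messages are available as raw RFC 822 text. The sample messages and the `module.exe` stand-in bytes are constructed, so the real Sasfis hash from the post will not match them; the `known_bad` parameter exists so the hit path can still be exercised.

```python
"""Campaign triage over raw spam messages. Example code, not UAB tooling."""
import email
import email.utils
import hashlib
import io
import re
import zipfile
from collections import defaultdict
from email import policy
from email.message import EmailMessage

# Indicators taken from the posts.
SASFIS_MD5 = "eec53e2239800e5d85b6b85d5e2451cb"      # module.exe (Sasfis dropper)
KNOWN_BAD = {SASFIS_MD5}
MULE_SUBJECTS = {"employees needed", "job in usa", "job offer", "part-time job"}
MULE_FROM_NAMES = {"employees needed", "job offer"}
PAYMENT_SUBJECT = re.compile(r'^payment request from "(?P<company>.+)"$', re.I)
AMOUNT = re.compile(r"\$(\d+(?:\.\d{2})?)")


def attachment_hashes(msg):
    """MD5 of each attachment; zip attachments are opened and every member is
    hashed as well (keyed 'archive/member'), since module.zip wrapped module.exe."""
    hashes = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "unnamed"
        data = part.get_payload(decode=True) or b""
        hashes[name] = hashlib.md5(data).hexdigest()
        if name.lower().endswith(".zip"):
            try:
                with zipfile.ZipFile(io.BytesIO(data)) as zf:
                    for member in zf.namelist():
                        hashes[f"{name}/{member}"] = hashlib.md5(zf.read(member)).hexdigest()
            except zipfile.BadZipFile:
                hashes[f"{name}/<corrupt>"] = None
    return hashes


def fingerprint(raw, known_bad=KNOWN_BAD):
    """Classify one raw RFC 822 message -> (campaign_name or None, details)."""
    msg = email.message_from_string(raw, policy=policy.default)
    subject = (msg["Subject"] or "").strip()
    from_name, from_addr = email.utils.parseaddr(str(msg["From"] or ""))
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""

    m = PAYMENT_SUBJECT.match(subject)
    if m:                                   # Zeus/Sasfis "payment request" template
        hashes = attachment_hashes(msg)
        amt = AMOUNT.search(text)
        return "zeus-payment-request", {
            "company": m.group("company"),
            "amount": float(amt.group(1)) if amt else None,
            "attachments": hashes,
            "ioc_hit": any(h in known_bad for h in hashes.values()),
        }
    # Mule recruitment: subject and display name are stable, the address is not.
    if subject.lower() in MULE_SUBJECTS or from_name.lower() in MULE_FROM_NAMES:
        return "money-mule-recruit", {"from_name": from_name, "from_addr": from_addr}
    return None, {}


def summarize(raws, known_bad=KNOWN_BAD):
    """Per-campaign counts of the kind a spam data mine reports."""
    stats = defaultdict(lambda: {"copies": 0, "companies": set(),
                                 "sender_addrs": set(), "ioc_hits": 0})
    for raw in raws:
        campaign, d = fingerprint(raw, known_bad)
        if campaign is None:
            continue
        s = stats[campaign]
        s["copies"] += 1
        if "company" in d:
            s["companies"].add(d["company"])
        if "from_addr" in d:
            s["sender_addrs"].add(d["from_addr"])
        s["ioc_hits"] += int(d.get("ioc_hit", False))
    return dict(stats)


# --- constructed sample input (not real captured spam) ----------------------
DUMMY_EXE = b"MZ\x90\x00 constructed stand-in for module.exe"
DUMMY_EXE_MD5 = hashlib.md5(DUMMY_EXE).hexdigest()

def _zip_bytes(name, data):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(name, data)
    return buf.getvalue()

def _make(subject, from_hdr, text, attachment=None):
    m = EmailMessage()
    m["Subject"], m["From"], m["To"] = subject, from_hdr, "victim@example.com"
    m.set_content(text)
    if attachment:
        fname, data = attachment
        m.add_attachment(data, maintype="application", subtype="zip", filename=fname)
    return m.as_string()

SAMPLES = [
    _make('payment request from "Amy\'s Kitchen"', "billing@example.net",
          'Payment request from "Amy\'s Kitchen": charge of $94.71 on your account.',
          ("module.zip", _zip_bytes("module.exe", DUMMY_EXE))),
    _make('payment request from "Boeing"', "accounts@example.org",
          'Payment request from "Boeing": charge of $312.05 on your account.',
          ("module.zip", _zip_bytes("module.exe", DUMMY_EXE))),
    _make("job offer", "Employees Needed <a1b2@example.com>", "Financial Manager wanted."),
    _make("part-time job", "Job Offer <zz9@example.info>", "Financial Manager wanted."),
    _make("Lunch on Friday?", "Alice <alice@example.com>", "Noon work?"),
]

if __name__ == "__main__":
    for campaign, s in summarize(SAMPLES).items():
        print(campaign, s["copies"], "copies,", len(s["companies"]), "companies,",
              len(s["sender_addrs"]), "sender addresses,", s["ioc_hits"], "IOC hits")
```

Hashing the zip members rather than only the zip itself matters here: the MD5 in the post is for module.exe, and a spammer can re-pack the same executable into a fresh archive with a different container hash at no cost.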