The UAB Spam Data Mine started seeing this technique used in some Twitter-imitating spam at 9:13 AM on June 6th. That campaign is still continuing using spam messages with the subject "Twitter ###-##", such as "Twitter 647-01" or "Twitter 041-33". We'll come back to that campaign shortly. Let's get back to the IRS spam.
Here's a sample email:
That URL points to:
http://zyraziti.ibnsites.com/gujivazi.html
If you visit that free web site, it forwards you automagically to:
http://irs.gov.lazagazal.com/fraud_application/directory/statement.php?tid= target-######US
That site says:
Finding and paying your federal taxes correctly and on time is an important part of living and working in the United States. Please review (download and execute) your tax statement
The link to 'tax-statement.exe' is malware, of course, which currently is detected by only 3 of the 41 anti-virus products on VirusTotal.com.
Here's a report from VirusTotal on this malware, MD5: 23c77c4c29158fea0e0e805eef535571.
Despite the fact that NONE of the current Anti-Virus definitions detect this as Zeus, we know it is Zeus very quickly when we launch it. The malware connects to the server "phaizeipeu.ru" and retrieves a Zeus bin file, "/bin/hueghixa.bin", from that server. That domain has been tracked on Zeustracker since June 2nd.
The nameserver used to resolve this domain, ns1.interaktivitysearch.net, was also used for the domain cyansmith.com, which we mentioned in last week's Fast Flux information regarding the AmEx phish.
As an example, phaizeipeu.ru has in the past two minutes resolved to eight different IP addresses, on consumer ISPs in Panama, Pakistan, Malaysia, Thailand and Argentina.
Here's an example of some of those "Free Web hosting" sites that are currently being exploited: well over a hundred randomly-named pages spread across dozens of free hosting providers.
Twitter Spam
While the Twitter spam also uses many free websites, it actually has a much smaller number, and combines "googlegroups", "110mb.com", and "t35.com" websites with a selection of compromised domains.
The spam pointing to these sites also varies.
Security version:
Attention! We detected that someone was trying to steal your Twitter account password.
We strongly recomended you to download our secure module to protect account!
Please click on the link below:
http://twitter.com/Twitter_security_model_setup.zip
Pill version:
This version only shows a picture of a man showing "two-thumbs up" surrounded by pills with cheap prices on them.
Unread message version:
You have 1 unread message from Twitter
Please click on the link below or copy and paste the URL into your browser:
http://twitter.com/account/=youremail@yourdomain.com
An alternative currently being spammed follows the unread message with a photo of a large-breasted woman showing off her cleavage.
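Two of the tricks above are what a mail filter should catch: the irs.gov.lazagazal.com host that puts a trusted domain in front of an unrelated one, and the Twitter "security module" mail whose visible twitter.com link differs from where it really goes (assumed here, from the link list above, to be the googlegroups zip). The following Python check is an added example, not code from the post or from the UAB Spam Data Mine; the protected-brand list and the sample links are constructed for it.

```python
from urllib.parse import urlparse

# Brands this example filter protects (an assumed list, not from the post).
PROTECTED_DOMAINS = {"irs.gov", "twitter.com", "youtube.com"}

def registered_domain(host: str) -> str:
    """Last two labels; fine for these .com/.gov hosts, real filters use the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def brand_as_subdomain(url: str):
    """Impersonated brand when a protected domain is only a subdomain prefix of another
    registered domain (irs.gov.lazagazal.com -> 'irs.gov'); None for www.irs.gov itself."""
    host = (urlparse(url).hostname or "").lower()
    if registered_domain(host) in PROTECTED_DOMAINS:
        return None
    for brand in PROTECTED_DOMAINS:
        if host.startswith(brand + "."):
            return brand
    return None

def href_mismatch(anchor_text: str, href: str) -> bool:
    """True when URL-looking anchor text names a different registered domain than the href."""
    text = anchor_text.strip()
    if "://" not in text and not text.startswith("www."):
        return False  # plain words such as "click here" cannot mismatch
    shown = urlparse(text if "://" in text else "http://" + text).hostname or ""
    real = urlparse(href).hostname or ""
    return registered_domain(shown) != registered_domain(real)

def triage_link(anchor_text: str, href: str) -> list:
    """Collect the reasons a mail filter would flag one link; empty means clean."""
    reasons = []
    brand = brand_as_subdomain(href)
    if brand:
        reasons.append(f"brand {brand} used as subdomain of {urlparse(href).hostname}")
    if href_mismatch(anchor_text, href):
        reasons.append("displayed URL and real href are on different domains")
    return reasons

if __name__ == "__main__":
    # Constructed samples modelled on the two campaigns in the post.
    samples = [
        ("Please review your tax statement",
         "http://irs.gov.lazagazal.com/fraud_application/directory/statement.php?tid=x"),
        ("http://twitter.com/Twitter_security_model_setup.zip",
         "http://twitter-security-model.googlegroups.com/web/Twitter_security_model_setup.zip"),
    ]
    for text, href in samples:
        print(href, "->", triage_link(text, href) or ["clean"])
```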
YouTube Spam
The identical photograph (click to see image here if you aren't offended by scantily clad women) is also currently being used in a "YouTube" spam.
Prior to about 2:00 PM Central time, the message did not contain the photograph, but only a YouTube logo and the message below (with a varying "user name" for each email.)
The user Jordan suggests you to become friends on YouTube. Offers and acceptance of offers on friendship simplify tracing of that your friends place in the selected works, add or estimate, and also simplifies video departure by all or to the selected users. To accept or reject this invitation, pass in INBOX
Some of the YouTube versions point to links on a similar set of pages, all of which forward elsewhere for the actual "pill-related" spam content.