
12/03/2013

SCAMMED UP: Nigerian Lottery SCAM from Mr Peter Chec in Connection with Compromised Website in Slovakia

As I tend to analyse my spam mails after a certain period of time, I started with a Nigerian scammer, Mister Peter Chec (of course not his real name).



At the beginning I thought the sender as well as the sending domain were randomly generated:
<izabeth@spsnmnv.sk>
It is clear that izabeth is cut out of the female first name ELizabeth.

Also, the first look at the domain name:
<spsnmnv.sk>
gives you the impression of reading spam, like:
<spamnv.sk> or maybe even like sms (Short Message Service):
<smsnpnv.sk>
And do not forget: .sk stands for Slovakia.

This may also be the reason why Mr. Chec calls himself Chec: for Czechoslovakia (maybe too lazy to call himself like THAT). And all this coming in German from NIGERIA (IP analysis, see the bottom of this post). Isn't he a smart guy? He surely thinks he is, I bet!

I prefer to call him Check Mister Chec.



However, my curiosity took me into digging deeper. So I ran that domain through several analysis engines and tools. No alert. Even JSUNPACK gave up with a connection timeout. Except for one: quttera.com. This anti-malware website is still young, but many times the service surprised me by finding serious threats where all the well-known multiscanners and/or AVs did not succeed. I took some screenshots of that detection, as it is possible that the next scan won't bring any results, because cybercriminals wipe their misplaced act and code away as soon as they get detected.



So, the malware source lies in this link:

spsnmnv.sk/mmk/cd/mmk-cd.iso
At this point you might think it's a small ISO file. But wrong. It's a TFF file (extension file). Now, before Quttera's analysis, I threw it through urlquery:

Here & Here. Nothing! It is very unusual that urlquery does not spit out any result, especially in the case of an exploit. I then decided to change the User-Agent as well as the Referer. The outcome is a (17-times-try) MALWARE download:

Here is what he (Check Mister Chec) wrote (in German! Smart guy!):
"Dear Winner,
We are pleased to inform you that your e-mail addresses with your
online winning ticket number (11 14 18 20 37 41 46) with BONUS (8) you have won in
the 2nd category of the game. Your prize was published on 10th November 2013.
The Lotto Max lottery is based entirely on an electronic selection of the
winners by their e-mail addresses or purchase of scratch cards.
You are therefore credited for a total sum of £4,000.000.00 British pounds,
ticket number 1EC-16529CE3-8887. For the immediate
release of your winnings, which has been approved, please fill out the form
and send it to us via this e-mail:

freelotto3333@gmail.com

 (1) Your full name: ....
 (2) Contact address: ...
 (3) TELEPHONE: ....
 (4) Occupation(s) ....
 (5) SEX: ...
 Birth
 Mr Peter Chec."
Remarkable here is the e-mail address. If you google it, you get 4 results (at the time of this post). That tells you this scam e-mail (scheme) is still pretty fresh and young. And if you see (at VT) that the domain spsnmnv.sk is classified as an Educational Institution, the doubts start growing when you check (CHEC) this screenshot. But it's not impossible that it is one... although.



The IP address (poor reputation) behind that e-mail: 41.203.69.6
For further info on the IP:
Header Analysis Quick Report
Originating IP: 41.203.69.6
Originating ISP: Globacom Ltd
City: n/a
Country of Origin: Nigeria
* For a complete report on this email header goto ipTRACKERonline 41.203.69.6
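The header report above boils down to two checks a mail filter can do itself: walk the Received chain from the bottom up to find the first public IP (the hop closest to the real sender), and compare the From domain with the Reply-To domain. The following is an added example, not code from the post; the raw mail is constructed to match the shape of the scam described here (sender on the .sk domain, reply address on gmail, originating IP 41.203.69.6), and the hop hostnames and timestamps are made up.

```python
import email
import email.utils
import ipaddress
import re
from email import policy

# Constructed sample header, modelled on the scam mail in the post.
# Hop hostnames, dates and the 192.0.2.x / 198.51.100.x addresses are made up.
RAW_MAIL = """\
Received: from mx.example-inbox.test (mx.example-inbox.test [192.0.2.10])
\tby imap.example-inbox.test; Tue, 12 Nov 2013 10:31:05 +0100
Received: from mail.spsnmnv.sk (mail.spsnmnv.sk [198.51.100.23])
\tby mx.example-inbox.test; Tue, 12 Nov 2013 10:31:02 +0100
Received: from [41.203.69.6] (unknown [41.203.69.6])
\tby mail.spsnmnv.sk; Tue, 12 Nov 2013 10:30:58 +0100
From: Peter Chec <izabeth@spsnmnv.sk>
Reply-To: freelotto3333@gmail.com
Subject: Lieber Gewinner

Sie haben gewonnen.
"""

IP_RE = re.compile(r"\[?(\d{1,3}(?:\.\d{1,3}){3})\]?")


def originating_ip(raw):
    """Return the first public IPv4 address found in the earliest Received hop.

    Each relay prepends its own Received header, so the bottom-most one is the
    hop closest to the real sender. Only the 'from ...' clause is trusted, as
    it records the receiving server's own view of the connection.
    """
    msg = email.message_from_string(raw, policy=policy.default)
    for hop in reversed(msg.get_all("Received", [])):
        from_part = str(hop).split(" by ", 1)[0]
        for candidate in IP_RE.findall(from_part):
            ip = ipaddress.ip_address(candidate)
            if ip.is_global:  # skip private, loopback and documentation ranges
                return str(ip)
    return None


def reply_to_mismatch(raw):
    """True when Reply-To points to a different domain than From (a classic 419 tell)."""
    msg = email.message_from_string(raw, policy=policy.default)
    from_dom = email.utils.parseaddr(str(msg["From"]))[1].rsplit("@", 1)[-1].lower()
    reply = msg.get("Reply-To")
    if not reply:
        return False
    reply_dom = email.utils.parseaddr(str(reply))[1].rsplit("@", 1)[-1].lower()
    return from_dom != reply_dom
```

Run against the sample, `originating_ip` returns the Nigerian address from the report and `reply_to_mismatch` flags the gmail reply address that does not belong to the sending .sk domain.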
