4/26/2014

PHISHING: "Re: Bestellbestätigung" ("Re: Order confirmation")
"ACHTUNG ! Sondernewsletter !" ("ATTENTION! Special newsletter!")
FROM:
Snowshoe Spammer mawamalai.com (IPs: 79.124.56.67 - 79.124.56.70)
PUA.JS.Xored

BULGARIA



ATTENTION! Special newsletter!

You have not placed an order with us. But like 97.2% of readers, you will do so once you have read this mail!
A touching story brings the presenter of "Raus aus den Schulden" to tears!

Unemployed and over 130,000 euros in debt!
This man changed his life and earns up to 263.69 euros a day with this system!
Soon from heavy debt to riches? RTL2 tested it live on TV!

The presenters were stunned! You can do it too! And absolutely FREE OF CHARGE!
But there is a catch! Unfortunately this patent is strictly limited.
Because the patent holder has sold this system to a US bank!

Only those who register in time may use the system free of charge for life!

Quickly watch the video that will change your life!


CLICK HERE FOR THE VIDEO

If the link does not work, please copy the domain into your browser: http://b-unitd.com/9uy

Click here to unsubscribe


Mail Screenshot

PHISHING SPAM DOMAIN (FROM BULGARIA):
http://mawamalai.com/
  • https://www.virustotal.com/de/url/6896cabd8597b88bada31b7daa824a29a707f6ab3078291cc0fc256bdbdbdf12/analysis/1398514506/
HTML:
  • https://www.virustotal.com/de/file/dbb6e6caba47b4688bd5a128e57eb8d26620942b13d5b07a0fa51d75fde63d2a/analysis/1398514432/

*********************************************************************************************************************

ANALYSIS IP: 79.124.56.67
http://79.124.56.67/
  • https://www.virustotal.com/de/url/ef621203c8c566900d8a693072d085991dd8111f907a5a97aa828560f19ede02/analysis/1398517859/
Invalid HTML data
  • https://www.virustotal.com/de/file/b7bd64ddcc323a81ffc9806c613c863132802289e9bc57f62affcce235d996e9/analysis/1398517950/
  • https://www.virustotal.com/de/ip-address/79.124.56.67/information/
HOSTNAME:
http://news1.bowntymailer.com/
  • https://www.virustotal.com/de/url/73c6ee9f15bc9c283a3281fa27d6dc857f8a92ee572d3733bc96ebe6247f05d6/analysis/1398521012/
REDIRECTS TO:
http://79.124.56.67/cgi-sys/defaultwebpage.cgi
  • https://www.virustotal.com/de/url/aec08d798876325028714570d7ccaedfe9ac44e8c7001c4b7734aaa322657d64/analysis/1398519269/
IP 79.124.56.67 IS BLACKLISTED AT:

1)
SPAMHAUS (SBL): SNOWSHOE SPAMMER
  • http://www.spamhaus.org/query/bl?ip=79.124.56.67
  • http://www.spamhaus.org/sbl/query/SBL213606
  • http://www.spamhaus.org/sbl/listings/telehouse.bg
http://telehouse.bg/
  • https://www.virustotal.com/de/url/4a0a98bd45413718c532b3128cfc59a15f8b8ba7bc5195fab8c9042cab9d827b/analysis/
2)
WOT:
  • https://www.mywot.com/en/scorecard/79.124.56.67
3)
spam.abuse.ch:
  • http://dnsbl.abuse.ch/?ipaddress=79.124.56.67
4)
WEB-REP: POOR
EMAIL-REP: POOR
  • http://www.senderbase.org/lookup/?search_string=79.124.56.67

*********************************************************************************************************************

Originating PHISHING-MAIL-IP Address: 79.124.56.70
http://79.124.56.70/
  • https://www.virustotal.com/de/url/94a3d7b252550f754c522cbee1ab45246f8c8ec7d5f69be7165d0f2289ffe12a/analysis/1398519845/
  • https://www.virustotal.com/de/ip-address/79.124.56.70/information/
Invalid HTML data
  • https://www.virustotal.com/de/file/b7bd64ddcc323a81ffc9806c613c863132802289e9bc57f62affcce235d996e9/analysis/1398517950/
  • https://www.virustotal.com/de/ip-address/79.124.56.70/information/
HOSTNAME:
http://news4.bowntymailer.com/
  • https://www.virustotal.com/de/url/07f76972f4be2bd08f85c65791eb977f9ae1eb70c410ca5a74dabe047c66ea2c/analysis/1398520764/
REDIRECTS TO:
http://79.124.56.70/cgi-sys/defaultwebpage.cgi
  • https://www.virustotal.com/de/url/1dff6d9729554c1422fd204c39c3c16d202a9ec6ac2822f2eeabfc6e921a7983/analysis/1398520085/
IP 79.124.56.70 IS BLACKLISTED AT:

1)
SPAMHAUS (SBL): SNOWSHOE SPAMMER
  • http://www.spamhaus.org/query/bl?ip=79.124.56.70
  • http://www.spamhaus.org/sbl/query/SBL213606
  • http://www.spamhaus.org/sbl/listings/telehouse.bg
http://telehouse.bg/
  • https://www.virustotal.com/de/url/4a0a98bd45413718c532b3128cfc59a15f8b8ba7bc5195fab8c9042cab9d827b/analysis/
2)
WOT:
  • https://www.mywot.com/en/scorecard/79.124.56.70
3)
spam.abuse.ch:
  • http://dnsbl.abuse.ch/?ipaddress=79.124.56.70
4)
WEB-REP: POOR
EMAIL-REP: POOR
  • http://www.senderbase.org/lookup/?search_string=79.124.56.70

*********************************************************************************************************************

OTHER LINKS CONNECTED TO THE PHISHING MAIL:

1.0
http://mawamalai.com/link.php
  • https://www.virustotal.com/de/url/7db23e02d8d6153c472dc14a24fb6a995875b1bb2fb271bf57cd42f78a7196ba/analysis/1398514872/
  • https://www.virustotal.com/de/file/23d32b79f3e71e41c2eb3d8811f58f72a2b6b5eb04c0981f16f61ab009945054/analysis/1398434545/
1.1
http://mawamalai.com/open.php
  • https://www.virustotal.com/de/url/dab2df490d9409a591b7b634045eb4699e62a0e15409a21de06efc1b305d456d/analysis/1398514992/
  • https://www.virustotal.com/de/file/dd5bdccb831d1b19c505bd3e67553f6049cea2e20dba7eb231a02ed0103e521f/analysis/1398169420/
1.2
http://mawamalai.com/unsubscribe.php
  • https://www.virustotal.com/de/url/e46fa0421bfd53d4679c0d1fd2005a9b877cce218e9773c9302d4bacaa09cb1b/analysis/1398515065/
  • https://www.virustotal.com/de/file/baefeec3f91b70b39b03c556d29dd1ad4eff87fe7bb0ba91fc3b774e70089281/analysis/1397141557/
2.0 (AS YOU CAN SEE IN THE MAIL-SCREENSHOT)
http://b-unitd.com/9uy
  • https://www.virustotal.com/de/url/5509e6b6e3a8aea57a3d1f566f2823d2cfea8dc636069e390ac91a7de7985732/analysis/1398515235/
REDIRECTS TO:
http://tracker.regaloptions.com/9uy
  • https://www.virustotal.com/de/url/f264470eb6d29a18bd40c6451cf1a21ae7341a3db08bf4a34352c799c9cc7c95/analysis/1398515582/
REDIRECTS TO:
http://www.projekt95pro.com/?campaign=6739&ft=1&p=jsbfaeyJhIjoiMTAwODg4IiwiYyI6IjEzOTg1MTUyNjg2NzU0ODY5MDMifQ==
  • https://www.virustotal.com/de/url/9f7dbb1fb3caa99f8b80908ee4e17c5be0c176938a8953b5f58d66fbaf4c56a7/analysis/


HTML:
  • https://www.virustotal.com/de/file/876dfcc859ab841d81c38c7ae8195570475b176540797ace7223e0b2af998976/analysis/1398515488/

(FROM 2.0) OR ALTERNATIVELY TO:
http://tracker.cedarfinance.com/
  • https://www.virustotal.com/de/url/b74481dafb943ce7417addb8795ca57b616850f4cb3b93950c215203b14f95ca/analysis/1398515998/
REDIRECTS TO:
https://www.cedarfinance.com/?ft=1
  • https://www.virustotal.com/de/url/89eb4f88e14c1c1b12a1ecdba00c72c4b360d70235b10b0db0a18437b79766ad/analysis/1398517210/

OTHER SUSPICIOUS LINK FROM mawamalai.com:
http://mawamalai.com/admin/includes/js/javascript.js
  • https://www.virustotal.com/de/url/f1d7cbde38ced99e4fc12d0265eeca61a5bdba41fd3aa60a8f04c36dc57b5e6c/analysis/1398516567/
PUA.JS.Xored
  • https://www.virustotal.com/de/file/40ea889122eaed21758c286ac2eb832a1f7263abc47e60f538e8360511c009be/analysis/
  • http://virusscan.jotti.org/de/scanresult/b14d12cc39c2a0ee18b3df555067046fdaa75169

4/24/2014

HEARTBLEED: Firmware Update for Apple AirPort Devices

Apple has released firmware update 7.7.3 for AirPort Extreme and AirPort Time Capsule base stations with 802.11ac. The update addresses the OpenSSL "Heartbleed" vulnerability where an attacker may obtain memory contents.


The United States Computer Emergency Readiness Team recommends that users and administrators review Apple Security Update HT6203 and apply the necessary update at:

http://support.apple.com/kb/HT6203

For more details and recommended actions regarding the OpenSSL "Heartbleed" vulnerability, please see alert TA14-098A and the "Heartbleed OpenSSL Vulnerability" PDF:

http://www.us-cert.gov/ncas/alerts/TA14-098A

http://www.us-cert.gov/sites/default/files/publications/Heartbleed%20OpenSSL%20Vulnerability_0.pdf

FRENCH CASINO PHISHING:

"Jeux sur Internet - Prenez Votre B0nus" ("Internet Games - Take Your B0nus")

positionstatus.com (IP: 68.66.55.34)
Spamhaus Listed (Hamilton, CANADA)


Nothing compares to the B0NUS offered
by Euroking, and by joining its
members you will receive a
multitude of them.

These bonuses will let you have a
blast in a fantastic environment
and on superb tables, as well as
win the jackpots which are, by
everyone's account, among the most
generous on the web.

Don't let this opportunity to win
a fortune pass you by, and come
quickly and start playing.

Access the site by clicking here >>>

See you in a moment...


SPAM & PHISHING DOMAIN:
http://positionstatus.com/
  • https://www.virustotal.com/de/url/ebc6a370b83be39f4d86787a6d757c76985d3be66809969090d2649e5c49bd32/analysis/1398322886/
LISTED AT SPAMHAUS:
  • http://www.spamhaus.org/query/domain/positionstatus.com
LISTED AT SURBL:
  • http://www.surbl.org/lists
  • https://www.mywot.com/en/scorecard/positionstatus.com
--------------------------
http://positionstatus.com/link.php
  • https://www.virustotal.com/de/url/f7fe5bafd2152c3bc8ec03a8c332ba4217f6a95796ad0f7607967928f0e9c8fc/analysis/1398322918/
http://positionstatus.com/unsubscribe.php
  • https://www.virustotal.com/de/url/9d19b31ca3fbcad91c6becab677c0ba46f6c94c8d70addba06875d96c4d3302d/analysis/1398322961/

ORIGINATING IP:
http://68.66.55.34/
  • https://www.virustotal.com/de/url/e5e675654f7df2e537064f8f11def3aa257d8ffc9fc59f67eb193890731531a2/analysis/1398322996/
LISTED AT SPAMHAUS (SBL):
  • http://www.spamhaus.org/query/bl?ip=68.66.55.34
EMAIL-REP: POOR
WEB-REP: POOR
  • http://www.senderbase.org/lookup/?search_string=68.66.55.34

4/23/2014

MALICIOUS BLOG VISITOR FROM Hangzhou, CHINA
PHISHING:
billingcheckout.com (IP: 70.39.189.232) &
js.realypay.com (IP: 122.225.38.53)

DOMAIN 1:
China Telecomcenter
http://www.billingcheckout.com/
  • https://www.virustotal.com/de/url/d094721c14cdcebbee68aa9f08211ac1db05bee594e63e48667aaa6ba5c4ebcc/analysis/1398259763/ 
VISITING URL (on this BLOG)
http://www.billingcheckout.com/risk/index.js
  • https://www.virustotal.com/de/url/832c73b107ea273b0c1f89f78554f82c19824a74af820c6b71be41315ecaa39c/analysis/  
  • https://www.virustotal.com/de/file/dd6dc666f505f2f2d7664f13539a8dcb4537231c7350e0a468784da4035d7f64/analysis/1397057907/
IP:
China Telecomcenter
http://70.39.189.232/
  • https://www.virustotal.com/de/url/56f02705ec3f5dcf32c0f5b4d2f8371a514f2c2fb5c7f262b370c120e1171654/analysis/1398260122/ 
  • https://www.virustotal.com/de/ip-address/70.39.189.232/information/

REDIRECTS TO:
(Reference: http://wepawet.iseclab.org/view.php?hash=18cf2248ff8c66c0e25f36c34fc849d7&t=1392066256&type=js)

DOMAIN 2:
China Telecom Zhejiang
http://js.realypay.com/
  • https://www.virustotal.com/de/url/fe243629b072a3fbc0a2441bcbe6f47c5485ca2c5308e1d30e1623f2dc30bf82/analysis/1398261500/ 
REDIRECT LINK:
http://js.realypay.com/index2.js?ref=&url=http%3A%2F%2Fwww.billingcheckout.com%2Frisk%2Findex.js&w=1024&h=768&lx=IE7.0&auth=f2d9Pqacl20tqeAAq2ALsY7pxonRQq9w8T6J01rfr%2FNt98aDqte65aV%2FexcKt9mKFUYD3undAMCB   
  • https://www.virustotal.com/de/url/e717239f9c1ed65c250f8d024290d0f4605ba37a744495925135c67e970f5c7e/analysis/1398261822/
  • https://www.virustotal.com/de/file/0d23d902baf9638276780afdb9df44a26b748f775a350e1606b9472febee964f/analysis/1398261736/ 
IP:
China Telecom Zhejiang
http://122.225.38.53/
  • https://www.virustotal.com/de/url/5510f55d0eb200ce7673e5d94310cd473316d970a7d098c9c0df2541890b6fd6/analysis/1398262349/
  • https://www.virustotal.com/de/file/282c12070ea3254e26761b3dc58a7f342ac7e9f4c3b1f1630cf4d5c96bfce7de/analysis/1398262288/
  • https://www.virustotal.com/de/ip-address/122.225.38.53/information/

Category MALICIOUS IP: 203.153.99.142 (cds-id.com, dart.co.id)

"This IP is infected with a spam or malware forwarding link.
In other words the site has been hacked."


SPAMBOT & DICTIONARY ATTACKER
3 "Hacked" entries
46 "SPAM" entries
(INDONESIA)



The IP Address 203.153.99.142 is listed in the CBL (Composite Blocking List). This web site (IP) has a redirect that takes the user's browser to a spam or malware site. It's mainly fake Russian pills or pornography.

The web server's host name is "www.dart.co.id", and this link has an example of the redirect: "http://www.dart.co.id/stylish.html?dijupiho".
http://www.dart.co.id/
  • https://www.virustotal.com/de/url/032f38a47d19c6c6e68793600ee7bdc011a82459e1a416079b208381566a4133/analysis/1398254023/
http://www.dart.co.id/stylish.html?dijupiho
  • https://www.virustotal.com/de/url/6f6fe170ab65546d0ee38ba507e945373c52e12d9de1b4edde3858dae7455fdd/analysis/1398254023/
Infected servers are usually shared web hosting environments running cPanel, Plesk, Joomla or WordPress CMS software that have become compromised either through a vulnerability (meaning the CMS software is out of date and needs patching), or users' account information (userids/passwords) have been compromised, and malicious software/files are being uploaded by FTP or SSL.

We believe that these specific infections are frequently done by altering web server access control mechanisms (example, ".htaccess" files on Apache web servers), and causing the redirect to occur on all "404 url not found" errors. We would appreciate it if you can give us copies of the modifications that this infection has made to your system.



It is probable that the change was made via SSL or FTP login using a userid/password stolen from the "owner" of the hostname/domain. They should run anti-virus tools on their computers, and the password they use to access the web site should be changed immediately.

If you do not recognize the hostname www.dart.co.id as belonging to you, it means that some other account on this shared hosting site has been compromised, and there is NOTHING you (or we) can do to fix the infection. Only the administrator of this machine or the owner of www.dart.co.id can fix it.
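As an added defender's example (not part of the CBL text or of this blog), a small Python audit of an Apache .htaccess file that flags the modification CBL describes above: "404 not found" handling or rewrites that send visitors to another host. The sample .htaccess, the victim hostname and the redirect target are constructed placeholders.

```python
import re
from urllib.parse import urlparse

# Constructed sample .htaccess modelled on the CBL description above: a hacked
# shared-hosting site whose 404 handling now sends visitors off-site (placeholder hosts).
SAMPLE_HTACCESS = """\
# legitimate settings
Options -Indexes
ErrorDocument 403 /errors/forbidden.html
# injected by the attacker: every request for a missing file leaves the site
ErrorDocument 404 http://spam-redirect.example/stylish.html?dijupiho
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule .* http://spam-redirect.example/pills [R=302,L]
"""

SITE_HOST = "www.example-victim.test"  # hypothetical hostname of the audited site


def is_offsite(target: str, site_host: str) -> bool:
    """True if target is an absolute http(s) URL on a host other than the site's own.
    Relative paths (the normal case for ErrorDocument) are never flagged."""
    p = urlparse(target)
    return p.scheme in ("http", "https") and p.hostname is not None \
        and p.hostname.lower() != site_host.lower()


def audit_htaccess(text: str, site_host: str) -> list:
    """Return (line_no, reason, target) for every directive that sends visitors to
    another host: an ErrorDocument 404 handler or a RewriteRule whose substitution
    is an absolute off-site URL (mod_rewrite treats that as an external redirect)."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"ErrorDocument\s+404\s+(\S+)", line, re.I)
        if m and is_offsite(m.group(1), site_host):
            findings.append((n, "404 handler redirects off-site", m.group(1)))
            continue
        m = re.match(r"RewriteRule\s+\S+\s+(\S+)", line, re.I)
        if m and is_offsite(m.group(1), site_host):
            findings.append((n, "RewriteRule redirects off-site", m.group(1)))
    return findings


if __name__ == "__main__":
    for line_no, reason, target in audit_htaccess(SAMPLE_HTACCESS, SITE_HOST):
        print(f"line {line_no}: {reason} -> {target}")
```

Run it against the .htaccess files of every account on the shared host, since CBL notes the compromised account may not be the one whose hostname appears in the listing.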

--------------------------------------------------------------------------------------------------------------------------------------------

MALICIOUS IP FROM INDONESIA:
SPAMBOT, DICTIONARY ATTACKER
http://203.153.99.142/
  • https://www.virustotal.com/de/url/3eed7d8163d563a7f2cee883ca1b0627e6af286dcf89a63831ee311b14cb0f2f/analysis/1398250732/
  • https://www.virustotal.com/de/ip-address/203.153.99.142/information/
DOMAIN & HOSTNAME (See Senderbase as Reference):
http://cds-id.com/
  • https://www.virustotal.com/de/url/d58f4bda3839bea826584e8f98e3b0b1ed3ebeb72508f400a53770f60c1238af/analysis/1398252129/
HTML (406 Not Acceptable)
  • https://www.virustotal.com/de/file/390814aae53b4fe7b317f869b6bb97b242131cad27c8cdfd86e8ba70a677653f/analysis/1398252281/
NUMBER OF SPAM-MAILS RECEIVED FROM THIS IP: 174
DICTIONARY ATTACKS FROM THIS IP: 21
  • https://www.projecthoneypot.org/ip_203.153.99.142
LISTED AT SPAMHAUS (CBL):
  • http://www.spamhaus.org/query/bl?ip=203.153.99.142
LISTED AT CBL:
  • http://cbl.abuseat.org/lookup.cgi?ip=203.153.99.142&.pubmit=Lookup
LISTED AT SPAMCOP:

In the past 78.1 days, it has been listed 19 times for a total of 18.9 days

Causes of listing:
System has sent mail to SpamCop spam traps in the past week (spam traps are secret, no reports or evidence are provided by SpamCop)
  • http://spamcop.net/w3m?action=checkblock&ip=203.153.99.142
LISTED AT SORBS:
Current Listings (active)

  • 3 "Hacked" entries (01:08:09 16 Apr 2013 GMT)
  • 46 "Spam" entries (20:13:30 30 May 2013 GMT)
 
Historical Listings (inactive)
  • 22 "Spamvertised" entries (21:37:31 22 Apr 2013 GMT)
http://www.au.sorbs.net/lookup.shtml
LISTED AT CISCO SENDERBASE:

Fwd/Rev DNS Match: NO
EMAIL REP.: POOR
  • http://www.senderbase.org/lookup/?search_string=203.153.99.142
SEE ALSO:
NETCRAFT: 7/10
  • http://toolbar.netcraft.com/site_report?url=203.153.99.142