Another phishing email targets PayPal users:
Email header details:
Received: from mail.artworkdigital.com.br (ns1.artworkdigital.com.br [18.104.22.168]) Received: from User (216-107-107-254.static.networktel.net [22.214.171.124]) by mail.artworkdigital.com.br (Postfix) Subject: Periodic Maintenance Date: Fri, 18 May 2012 06:56:14 -0500 To: undisclosed-recipients:; Content-Disposition: attachment; filename="PayPal_ReactivationFORMay2012.html"
Attached there is a file named:
File: PayPal_ReactivationFORMay2012.html Size: 10157 bytes MD5: 9617FF24A5647B20883C7FDA37408156 SHA1: 02C0D8DDEE4AFCC07897A141FFFF7540083B9F44 SHA256: E257318F2B84A08B15F5A431F5A1E1FE112A7D9EF0FBFB3A69AA63784C00F73A SHA384: B4C63890B4B001D4B02559C0A75DD0472101FAAB306595AB8ADBEBE71CF4504B9026431A98868B1200FB2A517805447E SHA512: EC5D11EF6509333C492B54D60D6B5D4E9E1FE26A313EAB28B9ADAF3F6154EB6DAE982D00E66486B44C22E4A0CAB9158ED13B48DB70CEEC33EE4F626FE56D8246
Extracted malicious URLs:
hxxp:// adsl-068-157-210-061.sip.bna.bellsouth .net /~jim/style.css hxxp:// adsl-068-157-210-061.sip.bna.bellsouth .net /~jim/w.php
As we can see, the malicious files are hosted in a DSL hostname:
The website adsl-068-157-210-061.sip.bna.bellsouth.net is hosted at BellSouth.net and its current IP address is 126.96.36.199 (adsl-068-157-210-061.sip.bna.bellsouth.net). The server machine is located in United States (US) and in the same server there are hosted other 0 websites. The domain is registered with the suffix NET and the keyword of the domain is bellsouth. The organization is BellSouth.net.
URLVoid scan report: