The Latest in IT Security

mskoblastionline.ru – malicious spam goes nuts

16
Aug
2012

The malicious spam pushers are trying very hard today to drive traffic to their malware site on mskoblastionline.ru with a variety of familiar-looking spam emails:

Date:      Wed, 15 Aug 2012 01:20:05 -0400
From:      [email protected]
Subject:      Fwd: Wire Transfer (1408EA58)
Attachments:     Wire_Transfer_N839.htm

Dear Operator,

WIRE TRANSACTION: AC-961141236714971

STATUS: CANCELLED

You can find details in the attached file.

==========

Date:      Wed, 15 Aug 2012 10:51:49 -0500
From:      “LEILANI Roe” [[email protected]]
Subject:      Fwd: Re: Wire Transfer Confirmation
Attachments:     Wire_Transfer_N839.htm

Dear Operator,

WIRE TRANSACTION: AC-6427060719674502

STATUS: CANCELLED

You can find details in the attached file.

==========

Date:      Wed, 15 Aug 2012 12:31:44 +0300
From:      [email protected]
Subject:      Re: Your Flight US 34-4827
Attachments:     FLIGHT_TICKET_US1650023.htm

Dear Customer,

FLIGHT NUMBER 42463-8276

DATE/TIME : SEPT 27, 2012, 11:12 PM

ARRIVING AIRPORT: SAN-DIEGO AIRPORT

PRICE : 449.06 USD

Your bought ticket is attached to the letter as a scan document .

To use your ticket you should print it.

ESMERALDA KNUTSON,

==========

Date:      Wed, 15 Aug 2012 08:06:14 +0100
From:      Collene Varner via LinkedIn [[email protected]]
Subject:      Fwd: Re: Your Flight US 65-46595
Attachments:     FLIGHT_TICKET_US284399461.htm

Dear Customer,

FLIGHT NUMBER 4108-2738

DATE/TIME : SEPT 21, 2012, 10:15 PM

ARRIVING AIRPORT: SAN-DIEGO AIRPORT

PRICE : 083.97 USD

Your bought ticket is attached to the letter as a scan document .

To use your ticket you should print it.

Abeni PINA,

==========

Date:      Wed, 15 Aug 2012 00:50:03 -0800
From:      LinkedIn [[email protected]]
Subject:      Fwd: Better Business Bureau Complaint
Attachments:     Complaint_ID45JG836043169.htm

Good afternoon,

Here with the Better Business Bureau would like to inform you that we have received a complaint (ID 1630630165) from a customer of yours in regard to their dealership with you.

Please open the COMPLAINT REPORT attached to this email (open with Internet Explorer/Mozilla Firefox) to view the details on this issue and suggest us about your position as soon as possible.

We hope to hear from you shortly.

Regards,

KARRI PENA

Dispute Counselor

Better Business Bureau

==========

Date:      Wed, 15 Aug 2012 04:02:26 +0600
From:      Ashley Madison [[email protected]]
Subject:      Re: Better Business Bureau Complaint
Attachments:     Complaint_N35XL147712.htm

Good afternoon,

Here with the Better Business Bureau would like to inform you that we have received a complaint (ID 63959031295)
from a customer of yours in regard to their dealership with you.

Please open the COMPLAINT REPORT attached to this email (open with Internet Explorer/Mozilla Firefox) to view the details on this issue and suggest us about your position as soon as possible.

We hope to hear from you shortly.

Regards,

CONNIE DORAN

Dispute Counselor

Better Business Bureau

==========

Date:      Wed, 15 Aug 2012 05:31:19 -0500
From:      LinkedIn Connections [[email protected]]
Subject:      Re: Fwd: Better Business Bureau Complaint
Attachments:     Complaint_ID61Zu4932887.htm

Good afternoon,

Here with the Better Business Bureau would like to inform you that we have received a complaint (ID 501379901) from a customer of yours in regard to their dealership with you.

Please open the COMPLAINT REPORT attached to this email (open with Internet Explorer/Mozilla Firefox) to view the details on this issue and suggest us about your position as soon as possible.

We hope to hear from you shortly.

Regards,

Romeo Keyes

Dispute Counselor

Better Business Bureau

The malicious payload is at [donotclick]mskoblastionline.ru:8080/forum/showthread.php?page=5fa58bce769e5c2c (report here) hosted on the following IPs:

50.56.92.47 (Slicehost, US)
190.120.228.92 (Infolink, Panama)
203.80.16.81 (Myren, Malaysia)

The following IPs and domains are all connected and should be blocked:
50.56.92.47
190.120.228.92
203.80.16.81
spb-koalitia.ru
gorysevera.ru
sergikgorec.ru
mskoblastionline.ru
kefrikin.ru
pussyriotss.ru
ashanrestaurant.ru
panamamoskow.ru
mirdymas.ru

Leave a reply


Categories

WEDNESDAY, OCTOBER 18, 2017

Featured

Archives

Latest Comments

Social Networks