Date: Wed, 4 Apr 2012 11:33:37 +0100
From: [email protected]
Subject: Dowload your Intuit.com invoice.
Dear customer: Thank you for ordering from Intuit Market. We are processing and will message you when your order ships. If you ordered multiple items, we may sned them in more than one delivery (at no extra cost to you) to ensure quicker delivery. If you have questions about your order please call 1-900-374-9959 ($2.89/min).
Please download your complete order id #5400523 from the attachment.(Open with Internet Explorer)
�2012 Intuit, Inc. All rights reserved. Intuit, the Intuit Logo, Quickbooks, Quicken and TurboTax, among others, are registered trademarks of Intuit Inc.
The malware is a Phoenix exploit kit at dhjhgfkjsldkjdj.ru:8080/navigator/jueoaritjuir.php (Wepawet Report here) which is multihomed on the IPs below, a very similar list to this recent spam run.
126.96.36.199 (AfricaINX, South Africa)
188.8.131.52 (Neotel Pty, South Africa)
184.108.40.206 (ChinaNet Hunan, China)
220.127.116.11 (Microlink, Latvia)
18.104.22.168 (Spectrum Net JSC, Bulgaria)
22.214.171.124 (Vimpelcom, Russia)
126.96.36.199 (Kazakhtelecom, Kazakhstan)
188.8.131.52 (Bharti Infotel Ltd, India)
184.108.40.206 (Ardh Global, Indonesia)
220.127.116.11 (State Technical University of Saint-Petersburg, Russia)
18.104.22.168 (Comite Gestor Da Internet, Brazil)
22.214.171.124 (Satata Neka Tama, Indonesia)
126.96.36.199 (Commission For Science And Technology, Pakistan)
188.8.131.52 (Commission For Science And Technology, Pakistan)
184.108.40.206 (Sejong Telecom, Korea)
220.127.116.11 (SK Broadband Co Ltd, Korea)
18.104.22.168 (Sakura Internet, Japan)
Plain list for copy-and-pasting:
Leave a reply