The Latest in IT Security

“Welcome to PayPal” spam / spb-koalitia.ru

06
Aug
2012

This fake PayPal spam leads to malware on spb-koalitia.ru:

Subject: Welcome to PayPal – Choose your way to pay

Welcome
Hello [victim],
Thanks for paying with PayPal.
We congratulate you with your first Paypal money transfer. But we have hold it for the moment because the amount is over the security borders of our rules.

Here is what we have on file for you. Take a second to confirm we have your correct information.
Email
[recipient]@victimdomain.com

Confirmation Code
1509-3962-8257-3886-7087
Transfer Information
Amount: 18217.81 $
Reciever: Marcie William
E-mail: [another-recipient]@victimdomain.com

Accept Decline

Help Center | Security Center
Please don’t reply to this email. It’ll just confuse the computer that sent it and you won’t get a response.
Copyright 2012 PayPal, Inc. All rights reserved. PayPal is located at 2211 N. First St., San Jose, CA 95131.
PayPal Email ID PP9335

______________________________________________________________________
This email has been scanned by the Symantec Email Security.cloud service.
For more information please visit http://www.symanteccloud.com
______________________________________________________________________

The malicious payload is at [donotclick]spb-koalitia.ru:8080/forum/showthread.php?page=5fa58bce769e5c2c (report here), hosted on the following familiar-looking IPs:

67.227.183.77 (LiquidWeb / SourceDNS, US)
203.80.16.81 (Myren Infrastructure, Malaysia)
213.170.99.11 (Quantum Communications, Russia)

The following domains and IPs are all related:
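As an added example (not code from the original post), the following Python checks proxy-log lines against the indicators called out above: the spb-koalitia.ru domain, the three hosting IPs, and the showthread.php landing-page URL with its 16-hex-digit page parameter. The log format and the sample lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Indicators taken from the post above; everything else here is constructed.
IOC_HOSTS = {"spb-koalitia.ru"}
IOC_IPS = {"67.227.183.77", "203.80.16.81", "213.170.99.11"}
# The landing page was /forum/showthread.php with a 16-hex-digit "page" value.
PAYLOAD_PATH = re.compile(r"^/forum/showthread\.php$")
PAGE_PARAM = re.compile(r"(?:^|&)page=[0-9a-f]{16}(?:&|$)")

# Constructed log lines (assumed format): "<timestamp> <client> <method> <url> <status>"
SAMPLE_LOG = """\
1344240001.123 10.0.0.12 GET http://spb-koalitia.ru:8080/forum/showthread.php?page=5fa58bce769e5c2c 200
1344240002.456 10.0.0.13 GET http://www.example.org/forum/showthread.php?page=12 200
1344240003.789 10.0.0.14 GET http://213.170.99.11:8080/forum/showthread.php?page=0123456789abcdef 200
1344240004.000 10.0.0.15 GET http://www.paypal.com/ 200
"""


def classify(url):
    """Return the list of indicator types the URL matches, or [] if none."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    reasons = []
    if host in IOC_HOSTS:
        reasons.append("known domain")
    if host in IOC_IPS:
        reasons.append("known hosting IP")
    # The URL shape alone is a hit even on a host not yet in the list.
    if PAYLOAD_PATH.match(parts.path) and PAGE_PARAM.search(parts.query):
        reasons.append("landing-page URL pattern")
    return reasons


def scan_log(text):
    """Return (client, url, reasons) for every log line that matches an indicator."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue  # skip malformed lines rather than crash on them
        client, url = fields[1], fields[3]
        reasons = classify(url)
        if reasons:
            hits.append((client, url, reasons))
    return hits


if __name__ == "__main__":
    for client, url, reasons in scan_log(SAMPLE_LOG):
        print(f"{client} -> {url}: {', '.join(reasons)}")
```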
