The Latest in IT Security

Wire Transfer spam / wiskonsintpara.ru

12
Apr
2012

This spam leads to malware on wiskonsintpara.ru:

From:     Marcel Ouellette [email protected]
Date:     11 April 2012 13:30
Subject:     Re: Wire Transfer Confirmation (FED REFERENCE 42420PP01)

Dear Bank Account Operator,
WIRE TRANSACTION: WIRE-900098281493111
CURRENT STATUS: CANCELLED

You can find details in the attached file.(Internet Explorer file)
Transfer_N883664.htm

There’s an HTML attachment which attempts to load malicious content from wiskonsintpara.ru:8080/img/?promo=nacha (although this wasn’t working when I tested it). This domain is multihomed on a set of IP addresses we have seen a lot of lately and are definitely worth blocking:

41.66.137.155 (AfricaINX, South Africa)
41.168.5.140 (Neotel, South Africa)
62.85.27.129 (Microlink, Latvia)
88.190.22.72 (Free SAS / ProXad, France)
89.31.145.154 (Nexen, France)
112.78.124.115 (Sakura Internet, Japan)
125.19.103.198 (Bharti Infotel, India)
202.149.85.37 (Satata Neka Tama, Indonesia)
210.56.23.100 (Commission For Science And Technology, Pakistan)
210.109.108.210 (Sejong Telecom, Korea)
211.44.250.173 (SK Broadband, Korea)
219.94.194.138 (Sakura Internet, Japan)

Plain list for copy-and-pasting:
41.66.137.155
41.168.5.140
62.85.27.129
88.190.22.72
89.31.145.154
112.78.124.115
125.19.103.198
202.149.85.37
210.56.23.100
210.109.108.210
211.44.250.173
219.94.194.138

Leave a reply


Categories

THURSDAY, AUGUST 22, 2019
WHITE PAPERS

Mission-Critical Broadband – Why Governments Should Partner with Commercial Operators:
Many governments embrace mobile network operator (MNO) networks as ...

ARA at Scale: How to Choose a Solution That Grows With Your Needs:
Application release automation (ARA) tools enable best practices in...

The Multi-Model Database:
Part of the “new normal” where data and cloud applications are ...

Featured

Archives

Latest Comments

Social Networks