Internet Domain Registry


Monday, 21 December 2009

Some updates . . . Visa/Zeus and Google Jobs

Posted on 11:48 by Unknown
On December 12th we covered a new "Visa.com" version of the Zeus distribution spam (see story: Ongoing Visa Scam Drops Zeus Zbot).

There are at least forty domains seen in today's spam. Please see the story above for more on the URL pattern (the machine name may begin with "alerts", "reports", "statements", "transactions", or "sessionid" followed by random characters). Here is one sample URL for each domain:

alerts.visa.com.111ttillil.co.uk
alerts.visa.com.11fttillil.co.uk
alerts.visa.com.11tttillil.co.uk
alerts.visa.com.1jfttillil.co.uk
alerts.visa.com.yjfttillil.co.uk
reports.visa.com.dirpote1.be
alerts.visa.com.dirpote2.be
alerts.visa.com.dirpote3.be
alerts.visa.com.dirpote4.be
alerts.visa.com.dirpote5.be
alerts.visa.com.dirpote6.be
alerts.visa.com.dirpote8.be
alerts.visa.com.dttflji.be
alerts.visa.com.itdflji.be
alerts.visa.com.ittdlji.be
alerts.visa.com.ittfdji.be
alerts.visa.com.ittfldi.be
alerts.visa.com.ittfljd.be
alerts.visa.com.ittflji.be
alerts.visa.com.ittfljx.be
alerts.visa.com.ittflxi.be
alerts.visa.com.ittfxji.be
alerts.visa.com.itxflji.be
alerts.visa.com.ityxlji.be
alerts.visa.com.ixtflji.be
alerts.visa.com.xttflji.be
alerts.visa.com.ydtflji.be
alerts.visa.com.11t1jtiil.com
alerts.visa.com.11t1kt1il.com
alerts.visa.com.11t1kt1pl.com
alerts.visa.com.11t1ktiil.com
alerts.visa.com.11tfjtiil.com
alerts.visa.com.i1tfjtiil.com
alerts.visa.com.ictfjtiil.com
alerts.visa.com.ivtfjtiil.com
alerts.visa.com.11t1jtiil.net
alerts.visa.com.11t1ktiil.net
alerts.visa.com.11tfjtiil.net
alerts.visa.com.i1tfjtiil.net
alerts.visa.com.ivtfjtiil.net
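As an added example (this is not code from the blog, nor from any product named in it), the following Python script turns the pattern described above into a check a mail or proxy filter could run: it extracts the registrable domain of each hostname and flags any host in which "visa.com" appears as inner labels while the domain actually registered is something else. The hostnames in SAMPLE_HOSTS are copied from the list above, except for the "sessionid" entry and the two control entries, which are constructed; the hard-coded two-label suffix set is a stand-in for a real public suffix list.

```python
import re

# Sample input. The first four are taken from the list in the post; the remaining
# three are constructed for this example (one sessionid variant, two controls).
SAMPLE_HOSTS = [
    "alerts.visa.com.111ttillil.co.uk",
    "reports.visa.com.dirpote1.be",
    "alerts.visa.com.ittflji.be",
    "alerts.visa.com.11t1jtiil.com",
    "sessionid8f3k2q.visa.com.i1tfjtiil.net",  # constructed sessionid variant
    "alerts.visa.com",                          # constructed control: brand is the real domain
    "www.example.com",                          # constructed control: unrelated host
]

# Machine-name prefixes the post describes, plus "sessionid" followed by random characters.
MACHINE_NAME = re.compile(r"^(alerts|reports|statements|transactions|sessionid[a-z0-9]+)$")

# Assumption: a tiny hard-coded set stands in for a full public suffix list, which a
# production filter should load instead (co.uk is the only such suffix in the sample).
TWO_LABEL_SUFFIXES = {"co.uk"}


def registrable_domain(host):
    """Return the domain that was actually registered, e.g. '111ttillil.co.uk'."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def impersonates(host, brand="visa.com"):
    """True when the brand's labels appear inside the hostname but the registrable
    domain is something else: the look-alike pattern the post describes."""
    labels = host.lower().rstrip(".").split(".")
    brand_labels = brand.split(".")
    if registrable_domain(host) == brand:
        return False  # a real subdomain of the brand, e.g. alerts.visa.com
    n = len(brand_labels)
    return any(labels[i:i + n] == brand_labels for i in range(len(labels) - n + 1))


def classify(host, brand="visa.com"):
    """Summarise one hostname: matched machine-name prefix (or None), the
    registrable domain, and whether it impersonates the brand."""
    first_label = host.lower().split(".")[0]
    m = MACHINE_NAME.match(first_label)
    return {
        "host": host,
        "machine_name": m.group(0) if m else None,
        "registrable_domain": registrable_domain(host),
        "impersonation": impersonates(host, brand),
    }


def suspicious_hosts(hosts, brand="visa.com"):
    """Rows for every host that impersonates the brand."""
    return [classify(h, brand) for h in hosts if impersonates(h, brand)]


def lookalike_domains(hosts, brand="visa.com"):
    """Deduplicated, sorted registrable domains behind the impersonating hosts;
    this is the list a defender would feed to a DNS sinkhole or block list."""
    return sorted({registrable_domain(h) for h in hosts if impersonates(h, brand)})


if __name__ == "__main__":
    for row in suspicious_hosts(SAMPLE_HOSTS):
        print(row)
    print("block:", lookalike_domains(SAMPLE_HOSTS))
```

The check keys on the registrable domain rather than on the "visa.com" substring alone, so genuine brand subdomains pass while every look-alike in the list above is flagged regardless of which machine-name prefix the spammer chose.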

It's too early to know for sure what malware this is, because currently only 4 of the 41 anti-virus products at VirusTotal detect it as anything at all. Sunbelt calls it Bredolab; the three others say only that it is "suspicious". I'll try to run it through our malware VM later today and make a more definite judgement.

VirusTotal Report here

cardstatement.exe
File size: 188928 bytes
MD5 : d61c6195eda54b1009208ba823ccdac4

Google Jobs Update

We warned about a Google Jobs scam back on December 1st (see article: Google Jobs Scam -- Read the Fine Print!!). Google actually sued the scammers who were running that scheme on December 9th (see article: Google v. Pacific WebWorks). Unfortunately the spam, and the scamming, continue unabated.

One example would be the spam messages for this "spaces.live.com" blog:

http://cid-3d8eb92dd2d67dba.spaces.live.com/

which leads to the website "biznews7.org", which forwards to the website "news2010letter.com", which recruits people to join the scam by sharing their credit card number on the site "http://www.safetrialoffers.com/searchsecretsystems/le5/".

On that site, the same scam is still being run by this organization:

Search 4 Profit, LLC.
7614 Arvilla Avenue.
Sun Valley, CA 91352

The Fine Print still reads:

Terms and Disclosures. Billing authorization obtained pursuant to the Uniform Electronic Transaction Act and the Electronic Signatures in Global and National Transactions Act. By submitting this form, I am ordering Search Secret Systems for a 7-day bonus period for $1.97 billed to my credit Card; If you enjoy Search Secret Systems, simply do nothing. On the 7th day my credit card will automatically be charged an easy payment of $89.26 once a month for three months. After the three months you will not be billed again. You will then maintain unlimited access to our member site. During your three month program you may cancel anytime by calling 1-877-361-8622 M - F, 8am-8pm MST.

Amazingly, the phone number was answered and a person actually asked how they could help me! When we wrote the first article, the phone rang and rang, but no one ever answered.

Of course, there are still quite a few ways this is illegal, even if they do now answer the phone, including the CAN-SPAM violations: the email "from" address is forged, there is no "unsubscribe" link of any sort, and there is no physical mailing address, despite this being a commercial offer. Here are two example spam messages:

Never work in an office again! I've been working for someone else my entire life. A few weeks ago I found out about working for Google online so I decided to check it out. I signed up and read a few articles and tried a few different things and within 6 weeks I was making enough to quit my full time job to work at home! If this sounds like something that interests your, check out URL
http://profiles.yahoo.com/blog/MVO2GFP4W7AEJ42YOXCPAVOTU4
A song, a song, high above the trees

Work for the world's largest employer today lori has Earned $2,069 This December Alone! Check it out here:
http://cid-5ccbbcb19ba7028f.spaces.live.com
O tidings of comfort and joy.

