Tuesday, June 08, 2010

IRS Malware: "Notice of Underreported income" spam

On June 2nd, we reported on American Express phish abusing free webhosting - a new method of delivering phishing, that we've only seen once before. The spammer creates thousands of "shortened URLs" and "free websites", which are all then used to redirect to a Fast Flux hosted phishing site.

The UAB Spam Data Mine started seeing this technique used in some Twitter-imitating spam at 9:13 AM on June 6th. That campaign is still continuing using spam messages with the subject "Twitter ###-##", such as "Twitter 647-01" or "Twitter 041-33". We'll come back to that campaign shortly. Let's get back to the IRS spam.

Here's a sample email:



That URL points to:

http://zyraziti.ibnsites.com/gujivazi.html

If you visit that free web site, it forwards you automagically to:

http://irs.gov.lazagazal.com/fraud_application/directory/statement.php?tid= target-######US



That site says
Finding and paying your federal taxes correctly and on time is an important part of living and working in the United States. Please review (download and execute) your tax statement


The link to 'tax-statement.exe' is malware, of course, which currently is detected by only 3 of the 41 anti-virus products on VirusTotal.com.

Here's a report from VirusTotal on this malware MD5 : 23c77c4c29158fea0e0e805eef535571.

Despite the fact that NONE of the current Anti-Virus definitions detect this as Zeus, we know very quickly that it is Zeus when we launch it. The malware connects to the server "phaizeipeu.ru" and retrieves a Zeus bin file, "/bin/hueghixa.bin", from that server. That domain has been tracked on Zeustracker since June 2nd.

The nameserver used to resolve this domain, ns1.interaktivitysearch.net, was also used for the domain cyansmith.com, which we mentioned in last week's Fast Flux information regarding the AmEx phish.

As an example, phaizeipeu.ru has in the past two minutes resolved to these IP addresses:

201.227.120.102 - Panama Cable & Wireless
115.186.118.122 - Karachi Worldcall, Pakistan
121.121.97.100 - Maxis Broadband, Kuala Lumpur, Malaysia
124.120.246.107 - TruehISP, Bangkok, Thailand
186.19.105.151 - Telecentro, Argentina
190.30.203.28 - Apolo Gold Telecom, Buenos Aires, Argentina
190.55.110.94 - Telecentro, Argentina
190.246.221.161 - Cablevision, Buenos Aires, Argentina
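The resolution pattern above, eight addresses in eight different networks on four continents inside two minutes, is the signature of fast flux hosting. As an added example (not code from the original post or from UAB), here is a small Python check that scores a series of DNS answers the way an analyst would when deciding whether a domain is fluxing. The observations are constructed from the eight IPs listed above with invented timestamps, plus a control domain on documentation addresses; the /16 grouping and the thresholds are assumptions standing in for ASN lookups.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: the eight addresses the post saw for phaizeipeu.ru within
# two minutes, given invented timestamps, plus a steady control domain that
# answers from one small network (RFC 5737 documentation addresses).
OBSERVATIONS = [
    ("2010-06-08T10:00:05", "phaizeipeu.ru", "201.227.120.102"),
    ("2010-06-08T10:00:20", "phaizeipeu.ru", "115.186.118.122"),
    ("2010-06-08T10:00:35", "phaizeipeu.ru", "121.121.97.100"),
    ("2010-06-08T10:00:50", "phaizeipeu.ru", "124.120.246.107"),
    ("2010-06-08T10:01:05", "phaizeipeu.ru", "186.19.105.151"),
    ("2010-06-08T10:01:20", "phaizeipeu.ru", "190.30.203.28"),
    ("2010-06-08T10:01:35", "phaizeipeu.ru", "190.55.110.94"),
    ("2010-06-08T10:01:50", "phaizeipeu.ru", "190.246.221.161"),
    ("2010-06-08T10:00:05", "steady.example", "192.0.2.10"),
    ("2010-06-08T10:01:05", "steady.example", "192.0.2.11"),
    ("2010-06-08T10:02:05", "steady.example", "192.0.2.10"),
]


def summarize(observations):
    """Group DNS answers by domain and measure how spread out they are."""
    by_domain = defaultdict(list)
    for ts, domain, ip in observations:
        by_domain[domain].append((datetime.fromisoformat(ts), ipaddress.ip_address(ip)))
    summaries = {}
    for domain, answers in by_domain.items():
        times = [t for t, _ in answers]
        ips = {ip for _, ip in answers}
        # /16 is a cheap stand-in for "different network" (assumption);
        # a production pipeline would map each address to its ASN instead.
        nets = {ipaddress.ip_network(f"{ip}/16", strict=False) for ip in ips}
        summaries[domain] = {
            "answers": len(answers),
            "distinct_ips": len(ips),
            "distinct_nets": len(nets),
            "span": max(times) - min(times),
        }
    return summaries


def is_fast_flux(summary, min_ips=5, min_nets=3, max_span=timedelta(minutes=10)):
    """Assumed thresholds: many distinct addresses across many networks in a short window."""
    return (summary["distinct_ips"] >= min_ips
            and summary["distinct_nets"] >= min_nets
            and summary["span"] <= max_span)


def flagged_domains(observations):
    """Domains whose answer pattern matches the fast-flux heuristic."""
    return sorted(d for d, s in summarize(observations).items() if is_fast_flux(s))


if __name__ == "__main__":
    for domain, s in summarize(OBSERVATIONS).items():
        print(domain, s, "FLUX" if is_fast_flux(s) else "steady")
```

Feeding this the answers from a passive-DNS feed rather than a hand-built list is the only change needed; the control domain shows that a legitimate host rotating between two addresses in one network stays below the thresholds.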

Here's an example of some of those "Free Web hosting" sites that are currently being exploited:

/yxagenub.100freemb.com/aqyhyho.html
/zimisipyce.100freemb.com/byhomawa.html
/mipubacif.100freemb.com/ivamixa.html
/pekijoxam.100freemb.com/otatolaq.html
/ihacaqyb.100freemb.com/pezope.html
/uhisoheb.100megsfree5.com/ecufoke.html
/azasiniza.100megsfree5.com/icypuxo.html
/eqegohazuv.100megsfree5.com/xosynap.html
/hofipyhe.1accesshost.com/inynysyh.html
/culykenaza.1accesshost.com/iwivuga.html
/digobizaw.1accesshost.com/mafujyde.html
/orodydekof.1accesshost.com/nymoba.html
/olecomoxip.1accesshost.com/omekyre.html
/gusozivo.1accesshost.com/qojeti.html
/ewiromiru.1accesshost.com/sybygo.html
/oladolyc.1accesshost.com/tufepaqi.html
/lykyqoryt.1accesshost.com/ucymuvix.html
/udolysedu.1accesshost.com/unepyqun.html
/ebacikud.1accesshost.com/zykotu.html
/yvunavohi.angelcities.com/fyfobu.html
/nukowicu.angelcities.com/nuwiba.html
/kawywupo.arcadepages.com/arefoboq.html
/zesolarix.arcadepages.com/bykevim.html
/petoxevat.arcadepages.com/ewefuxoc.html
/inumynumoc.arcadepages.com/eximiqu.html
/ugijehicip.arcadepages.com/ezygexi.html
/oziqysehij.arcadepages.com/iqypufe.html
/imodarecy.bigheadhosting.net/exefoza.html
/wapovaqyh.bigheadhosting.net/panykeve.html
/pomobalyw.bigheadhosting.net/udewin.html
/afofywog.bigheadhosting.net/xufekap.html
/qecixedake.bigheadhosting.net/ysudydev.html
/xymyfuqad.builtfree.org/bafazu.html
/okypocup.builtfree.org/ovamyqem.html
/wosogabaf.builtfree.org/upuzyr.html
/azykakubol.digitalzones.com/ejitehi.html
/onamowonom.digitalzones.com/gypywoz.html
/godicyce.digitalzones.com/ixydet.html
/vixehuxo.digitalzones.com/woducuda.html
/goqivateg.digitalzones.com/ykybaxu.html
/toguhogi.dreamstation.com/avyryk.html
/utofitala.dreamstation.com/kylebik.html
/eqobymoped.dreamstation.com/ogiqyr.html
/ynexovaxo.dreamstation.com/winipyk.html
/yxyqyhuweh.dreamstation.com/ykeqegag.html
/culaworege.easyfreehosting.com/coriroxi.html
/ejofizyz.easyfreehosting.com/dabizeza.html
/ehuceximog.easyfreehosting.com/finixe.html
/umobafavu.easyfreehosting.com/irafyfa.html
/hemahodo.easyfreehosting.com/ufudimaw.html
/xujuguba.easyfreehosting.com/wybave.html
/ejorikoki.easyfreehosting.com/ygoxuq.html
/eqowiwyryx.envy.nu/bohopi.html
/fekynylum.envy.nu/ecevamib.html
/ewemasavy.envy.nu/ymohale.html
/ypodobuni.envy.nu/zytabe.html
/lijogaju.exactpages.com/apexoke.html
/kogybovise.exactpages.com/vujufapa.html
/kywunereju.fcpages.com/erynoh.html
/bicefipipu.freecities.com/hibahu.html
/uboqenunep.freecities.com/nokoxuqo.html
/efysewezic.freecities.com/zevesaz.html
/tekefopo.freehostyou.com/gadasu.html
/alaradewo.freehostyou.com/guzyxoku.html
/ucoqopaby.freehostyou.com/mebyhuh.html
/wogeqiqyq.freehostyou.com/xegesef.html
/icocoqaby.freewaywebhost.com/cidaci.html
/ikucoban.freewaywebhost.com/ovydodo.html
/lykofuzequ.freewaywebhost.com/yjirox.html
/enecyhofow.freewebportal.com/axefeta.html
/vugogyve.freewebportal.com/cydaquno.html
/uwebijygyq.freewebportal.com/reniqyh.html
/hylydacymi.freewebportal.com/ucasob.html
/xuryqoju.freewebsitehosting.com/kocysu.html
/iruzasahyl.freewebsitehosting.com/olocon.html
/vizuzati.freewebsitehosting.com/oqaxiso.html
/umikyvoca.freewebsitehosting.com/xeruwyca.html
/oqixunoni.freewebsitehosting.com/xosize.html
/ufininir.freewebsitehosting.com/xusepu.html
/ikadiriga.freewebsitehosting.com/ylydugu.html
/ocerityv.freewebsitehosting.com/zopycy.html
/ubikiwaq.greatnow.com/ezixevol.html
/nififazi.greatnow.com/husadu.html
/isihogezin.greatnow.com/ysuxyrud.html
/cli.gs/eM8NXV
/cli.gs/UQBAHQ
/pokijyny.ibnsites.com/adopadat.html
/keferival.ibnsites.com/erematy.html
/zyraziti.ibnsites.com/gujivazi.html
/izyjopyh.ibnsites.com/jisokoce.html
/upymyvul.ibnsites.com/jylyhu.html
/irytaneb.ibnsites.com/kerific.html
/novufuvaxo.ibnsites.com/myzaquq.html
/nohoxutah.ibnsites.com/nydawodo.html
/eperitupuh.ibnsites.com/puhetyfe.html
/anutugoc.ibnsites.com/pukohe.html
/uwyraxuvy.ibnsites.com/qyqepib.html
/yrozujon.ibnsites.com/rusepen.html
/nagysadyx.ibnsites.com/ypenoc.html
/xisyjemo.lookseekpages.com/edavyket.html
/alezehifo.lookseekpages.com/jomuxa.html
/zysesojej.lookseekpages.com/kicylito.html
/vacagufo.lookseekpages.com/novygidy.html
/pexogipol.lookseekpages.com/oxucafe.html
/gusejunad.lookseekpages.com/qinigo.html
/ipolagux.maddsites.com/dyjyzylu.html
/karaqika.maddsites.com/egesor.html
/ufawalijuh.maddsites.com/ilubyqy.html
/jokomule.maddsites.com/leqojo.html
/febaveli.maddsites.com/onapiju.html
/awilubux.mindnmagick.com/kehiwugi.html
/olawisyr.o-f.com/ejepekaz.html
/otumybigu.o-f.com/oqyhuxy.html
/afukafutu.s-enterprize.com/itociwo.html
/wenadinudu.servetown.com/ajihepo.html
/kahahari.servetown.com/biximol.html
/ovepahax.servetown.com/vyzurily.html
/nyfufuveco.servetown.com/xibycepi.html
/odivawuh.the-best-free-web-hosting.com/avyfemu.html
/izepofupy.the-best-free-web-hosting.com/yceqalu.html
/gopirocup.the-best-free-web-hosting.com/ydagyduf.html
/sawatazuky.uvoweb.net/afumox.html
/xynunuxev.uvoweb.net/ekocap.html
/kebypatat.uvoweb.net/garicedy.html
/eqeqalywoj.uvoweb.net/mafepody.html
/ubejedoqej.uvoweb.net/wetira.html
/vunagugevu.virtue.nu/evawov.html
/elyxupij.virtue.nu/juzepod.html
/mequmato.virtue.nu/kiqabyto.html
/ofopuhymam.virtue.nu/ozowynuf.html
/ipecatuvo.virtue.nu/pokekuke.html
/ihamozavil.virtue.nu/qefeqo.html
/xavesahyh.wtcsites.com/dasuqiw.html
/irutajov.wtcsites.com/huzexeje.html
/gisejywira.wtcsites.com/ubumike.html
/ikifinukux.wtcsites.com/upitim.html
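A list like the one above is only useful to a defender once it is deduplicated and grouped by the provider whose abuse desk can take the page down. As an added example (not code from the original post or from UAB), the Python below parses entries in the stripped "/host/path" form the post uses, also accepts full URLs as in the Twitter list further down, and produces one URL group per hosting provider. The sample is a constructed excerpt of the list above including one of its exact duplicates; treating the last two labels of the hostname as the provider is an assumption that works for these hosts but not for multi-part public suffixes.

```python
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Constructed excerpt of the redirector list in the post (scheme stripped, as
# the post shows them), including one exact duplicate, plus one full URL.
SAMPLE = """
/yxagenub.100freemb.com/aqyhyho.html
/zimisipyce.100freemb.com/byhomawa.html
/zesolarix.arcadepages.com/bykevim.html
/zesolarix.arcadepages.com/bykevim.html
/cli.gs/eM8NXV
/cli.gs/UQBAHQ
/zyraziti.ibnsites.com/gujivazi.html
/pokijyny.ibnsites.com/adopadat.html
http://aomdesign101.com/d.htm
"""


def parse_entry(line):
    """Return (host, path) for one list line; accepts bare '/host/path' and full URLs."""
    line = line.strip()
    if not line:
        return None
    if "://" not in line:
        line = "http://" + line.lstrip("/")
    parts = urlsplit(line)
    if not parts.hostname:
        return None
    return parts.hostname.lower(), parts.path


def provider_of(host):
    """Provider = last two labels of the hostname (assumption; no public-suffix list here)."""
    return ".".join(host.split(".")[-2:])


def unique_entries(text):
    """Deduplicated, sorted (host, path) pairs from the raw list."""
    return sorted({e for e in map(parse_entry, text.splitlines()) if e})


def provider_counts(text):
    """How many distinct abuse URLs sit on each free-hosting provider or shortener."""
    return Counter(provider_of(host) for host, _ in unique_entries(text))


def group_by_provider(text):
    """One list of reconstructed URLs per provider, ready for an abuse report."""
    groups = defaultdict(list)
    for host, path in unique_entries(text):
        groups[provider_of(host)].append(f"http://{host}{path}")
    return dict(groups)


if __name__ == "__main__":
    for provider, urls in sorted(group_by_provider(SAMPLE).items()):
        print(f"{provider}: {len(urls)} URL(s)")
        for url in urls:
            print("   ", url)
```

Run against the full list, the per-provider counts show immediately which hosts (ibnsites.com, 1accesshost.com, freewebsitehosting.com) are being abused most heavily and therefore where a single takedown request removes the most redirectors.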

Twitter Spam



While the Twitter spam also uses many free websites, it actually has a much smaller number, and combines "googlegroups", "110mb.com", and "t35.com" websites with a selection of compromised domains.

http://aomdesign101.com/d.htm
http://aprendainglesrapido.net/x.htm
http://capelcure.co.uk/1.html
http://cobhamdogs.net/x.htm
http://crefxxx.110mb.com/index.htm
http://cresssa.110mb.com/index.htm
http://dreaminom.t35.com
http://faceseverywhere.com/x.htm
http://givisss.110mb.com/index.htm
http://grapevinephotography.com.au/1.htm
http://groups.google.com/group/pppppps
http://jennifervpearl.com/x.htm
http://lessreachom.t35.com
http://millcreekswim.com/x.htm
http://openexe.googlegroups.com/web/Twitter_security_model_setup.zip
http://pppppps.googlegroups.com/web/g.html
http://superiormerchant.com/x.htm
http://toldspeak.com
http://twitter.com/account/not_my_account/
http://twitter-security-model.googlegroups.com/web/Twitter_security_model_setup.zip
http://uucgb.org/x.htm
http://xizinnn.110mb.com/index.htm
http://xyddds.110mb.com/index.htm

The spam that points to these sites also varies.

Security version:
Attention! We detected that someone was trying to steal your Twitter account password.

We strongly recomended you to download our secure module to protect account!

Please click on the link below:
http://twitter.com/Twitter_security_model_setup.zip



Pill version:
This version only shows a picture of a man showing "two-thumbs up" surrounded by pills with cheap prices on them.


Unread message version:
You have 1 unread message from Twitter

Please click on the link below or copy and paste the URL into your browser:
http://twitter.com/account/=youremail@yourdomain.com


An alternative, being currently spammed, follows the unread message with a photo of a large-breasted woman showing off her cleavage.

YouTube Spam



The identical photograph (click to see image here if you aren't offended by scantily clad women) is also currently being used in a "YouTube" spam.

Prior to about 2:00 PM Central time, the message did not contain the photograph, but only a YouTube logo and the message below (with a varying "user name" for each email.)

The user Jordan suggests you to become friends on YouTube. Offers and acceptance of offers on friendship simplify tracing of that your friends place in the selected works, add or estimate, and also simplifies video departure by all or to the selected users. To accept or reject this invitation, pass in INBOX


Some of the YouTube versions point to links on these pages:

htp://camaka.net/1.htm
http://aomdesign101.com/d.htm
http://aprendainglesrapido.net/x.htm
http://bombardierconsulting.com/x.htm
http://camaka.net/1.htm
http://cccxxdd.110mb.com/index.htm
http://cresssa.110mb.com/index.htm
http://kayakguy.com/x.htm
http://millcreekswim.com/x.htm
http://superiormerchant.com/x.htm
http://uucgb.org/x.htm
http://wanderingchild.org/x.htm
http://xyddds.110mb.com/index.htm

all of which forward elsewhere for the actual "pill-related" spam content.

Trying a new setting. After turning on comments, I got about 20-30 comments per day that were all link spam. Sorry to require login, but the spam was too much.