Blog for hpHosts, and whatever else I feel like writing about ....

Friday 7 February 2014

Alert: Fake Evernote malspam leading to Angler EK

Received 78 of these little chaps so far, all leading to a compromised site that then leads to two others, which finally leads to the EK itself.

Offending URLs so far:

You'll find a copy of the emails here;

http://temp.it-mate.co.uk/Evernote_malspam-07022014.3.7z

The MITM URLs are;

hxxp://epsommalevoicechoir.org.uk/1.txt
hxxp://www.t-gas.co.uk/1.txt

Which lead, so far, to;

hxxp://jolygoestobeinvester.ru:8080/tqdeeuwf4n
IPs:

