Blog for hpHosts, and whatever else I feel like writing about ....

Tuesday 18 December 2012

ALERT: Emails purporting to be from mail/postal service

Received 13 emails between 16:36 on the 18th and 01:37 this morning, purporting to be from various postal/mail services. Already knew they were bogus and malicious, and as usual, checked the URLs. Only one of them is a 404; the rest are still live and lead to a Bredolab variant.



Subjects thus far:

Tracking Detail (K)XC02 352 185 3167 5388
Tracking Number (M)EDQ71 831 499 0086 9924
Tracking Number (Q)KF39 182 711 5795 6369
Tracking Detail (P)NT81 928 334 6376 6899
Number (S)SG00 833 337 0817 7498
Tracking Detail (S)QW23 387 901 6971 9377
Tracking Number (H)IB91 904 026 1002 3217
Tracking ID (Q)BEK10 329 006 9946 9210
Number (Q)QQL16 967 179 3585 4866
Tracking Number (A)FP44 770 594 0959 9972
Tracking ID (A)PY97 617 807 8092 7680
Tracking Number (M)NMK28 719 620 1054 5035
Tracking Detail (X)MH62 726 378 8615 3988


Links so far (excluding the one that's now dead);

At the time of writing, VT is showing that only 8/44 currently detect these:

https://www.virustotal.com/file/9cb9c43ec94898b8bde7529811ebd1f2477a31b04a9d340a6ca15e21c60479d5/analysis/1355882436/
