FYI... multiple entries: Intuit SPAM
- Shipment / art-london .net
1 Oct 2012 - "This terminally confused Intuit / USPS / Amazon-style spam leads to malware
...Date: Mon, 1 Oct 2012 21:31:57 +0430
From: "Intuit Customer Service" [firstname.lastname@example.org]
Subject: Intuit Shipment Confirmation
Great News! Your order, ID859560, was shipped today (see info below) and will complete shortly. We hope that you will find that it exceeds your expectations. If you ordered not one products, we may send them in separate boxes (at no additional cost to you) to ensure the fastest possible delivery. We will also provide you with the ability to track your shipments via the information below.
Thank you for your interest.
Order #: ID859560
Order Date: Sep 25, 2012
Item(s) In Your Order
Shipping Date: October, 1 2012
Shipping Method: USPS Express Mail
Estimated Delivery Date: October, 3 2012 - October 05, 2012
Tracking No.: 5182072894288348304217
1 Intuit Card Reader Device - Gray
Please be informed that shipping status details may be not available yet online. Check the Website Status link above for details update.
We sent your item(s) to the next address:
065 S Paolo Ave, App. 5A
S Maria, FL
Questions about your order? Please visit Customer Service.
Return Policy and Instructions
Privacy | Legal Disclaimer | Contact Us | About
You have received this business note as part of our efforts to fulfill your request and service your account. You may receive more email notifications from us even if you have previously selected out of marketing notifications...
The malicious payload is at [donotclick]art-london .net/detects/stones-instruction_think.php hosted on 220.127.116.11 (Skand Meteorologi och Miljoinstr AB, Sweden), a site which also hosts the presumably malicious domain indice-acores .net. Presumably this IP is a hacked server belonging to some legitimate Swedish organisation, but you should block it."
Fake Intuit order confirmation
10/01/2012 - "... receiving emails with the title "Your Intuit Order Notification."
Below is a copy of the email people are receiving:
... This is the end of the fake email. Steps to Take Now: Do not click on the link in the email... Delete the email..." etc...
/ onlinebayunator .ru
1 Oct 2012 - "I haven't seen Sendspace spam before.. but here it is, leading to malware on onlinebayunator .ru:
Date: Mon, 1 Oct 2012 10:40:29 +0300
Subject: You have been sent a file (Filename: [redacted]-9038870.pdf)
Sendspace File Delivery Notification:
You've got a file called [redacted]-56.pdf, (133.8 KB) waiting to be downloaded at sendspace.(It was sent by CHIQUITA Caldwell).
You can use the following link to retrieve your file:
The file may be available for a limited time only.
sendspace - The best free file sharing service...
The malicious payload is at [donotclick]onlinebayunator .ru:8080/forum/links/column.php hosted on the same IP address (18.104.22.168/19) as this attack* earlier today."
1 Oct 2012 - "I haven't seen this spam before, it leads to malware on 22.214.171.124:
Date: Mon, 01 Oct 2012 15:44:59 +0200
From: "INTUIT" [D6531193@familyhealthplans.com]
Subject: Information regarding Employer Contribution
Attn: Account Holder
You can view the information about all Employer contributions that are due to be made on 2/1/2012 by visiting the following link:
http ://intuithealthemployer .lh1ondemand .com
Please let us know employment alterations on your enrollment spreadsheet within the period of two business days. The foregoing report shows the ACH amount we will withdraw from your bank account for the contributions on the first business day of the month. Please remember, if changes occur, this may affect the ACH amount.
Intuit Health Debit Card Powered by Evolution1 Employer Services..."
The malicious payload is on 126.96.36.199 (Solar VPS, US) ..."
/ onlinebayunator .ru
1 Oct 2012 - "This fake NACHA spam leads to malware on onlinebayunator.ru:
Date: Mon, 1 Oct 2012 04:16:46 -0500
From: Bebo Service [email@example.com]
Subject: Fwd: ACH Transfer rejected
The ACH debit transfer, initiated from your bank account, was canceled.
Transfer ID: FE-764029897226US
Transaction Report: View
NACHA - The Electronic Payment Association
The malicious payload is at [donotclick]onlinebayunator .ru:8080/forum/links/column.php (probably a Blackhole 2 exploit kit) hosted on the following familiar IPs that should be blocked:
188.8.131.52 (Republic CyberBunker, Antarctica - Amsterdam more likely)
184.108.40.206 (RACSA, Costa Rica)
Of note, CyberBunker has a long history of spamming and tolerating criminals. Blocking the range 220.127.116.11/19 should afford your network some additional protection."
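A small mail-triage check, added here as an example and not taken from any of the quoted posts, that applies the two patterns these alerts share: a display name, subject or body claiming a brand (Intuit, NACHA, Sendspace) whose genuine domain does not match the sender's, and a payload hosted on an IP or /19 range the posts say to block. The brand-to-domain mapping is an assumption of this example; the IPs and ranges are the ones quoted above, and the sample messages are constructed from the quoted headers.

```python
import ipaddress
from email.utils import parseaddr

# Indicators as given in the quoted posts: the two /19 ranges recommended for blocking and the
# individual IPs named as hosting payloads (strict=False: the post writes a host address with /19).
BLOCKED_RANGES = [ipaddress.ip_network(r, strict=False)
                  for r in ("18.104.22.168/19", "220.127.116.11/19")]
BLOCKED_HOSTS = {"188.8.131.52", "184.108.40.206", "126.96.36.199"}

# Assumption (not from the page): the domain each impersonated brand genuinely mails from.
BRAND_DOMAINS = {"intuit": "intuit.com", "nacha": "nacha.org", "sendspace": "sendspace.com"}


def brand_mismatch(from_header, subject, body=""):
    """Return the brand a message claims when the sender's domain is not that brand's domain."""
    display, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower()
    claimed = " ".join((display, subject, body)).lower()
    for brand, legit in BRAND_DOMAINS.items():
        if brand in claimed and domain != legit and not domain.endswith("." + legit):
            return brand
    return None


def payload_host_blocked(host_ip):
    """True if the IP hosting the payload is a listed host or falls in a listed /19 range."""
    ip = ipaddress.ip_address(host_ip)
    return host_ip in BLOCKED_HOSTS or any(ip in net for net in BLOCKED_RANGES)


def triage(msg):
    """Findings for one message dict with 'from', 'subject', optional 'body' and 'payload_ip'."""
    findings = []
    brand = brand_mismatch(msg["from"], msg["subject"], msg.get("body", ""))
    if brand:
        findings.append(f"sender domain does not match claimed brand '{brand}'")
    if msg.get("payload_ip") and payload_host_blocked(msg["payload_ip"]):
        findings.append(f"payload host {msg['payload_ip']} is on the block list")
    return findings


# Constructed samples rebuilt from the quoted spam; addresses use <> rather than the page's [].
SAMPLES = [
    {"from": '"Intuit Customer Service" <firstname.lastname@example.org>',
     "subject": "Intuit Shipment Confirmation", "payload_ip": "220.127.116.11"},
    {"from": '"INTUIT" <D6531193@familyhealthplans.com>',
     "subject": "Information regarding Employer Contribution", "payload_ip": "126.96.36.199"},
    {"from": "Bebo Service <email@example.com>", "subject": "Fwd: ACH Transfer rejected",
     "body": "NACHA - The Electronic Payment Association", "payload_ip": "188.8.131.52"},
]
```

Running `triage()` over `SAMPLES` flags all three quoted messages; a genuine Intuit notice sent from intuit.com produces no brand finding.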