Some interesting SSL SPAM
A few people have mentioned (Thanks Luke, Anon, et all) that they have started receiving SPAM messages along the following lines:
On October 16, 2009 server upgrade will take place. Due to this the system may be offline for approximately half an hour.
The changes will concern security, reliability and performance of mail service and the system as a whole.
For compatibility of your browsers and mail clients with upgraded server software you should run SSl certificates update procedure.
This procedure is quite simple. All you have to do is just to click the link provided, to save the patch file and then to run it from your computer location. That's all.
http://evil-link/evil-file
Thank you in advance for your attention to this matter and sorry for possible inconveniences.
Not sure what the evil is, as the links I received have been dead, so if you do receive one of these messages please let us know. If you follow the link, be prepared for surprises and do it on a system that you do not care about (and that does not mean the computer belonging to the annoying fellow/gal sitting two desk away.)
One of the reasons I like this is that the reason to many people it would seem quite plausible, especially if they are running an internal CA at the site. They may have received messages like this from their own support desk. So in a targeted attack this could work quite nicely. The English isn't bad either.
UPDATE
the sample file we received was named patch.exe MD5=9abc553703f4e4fedb3ed975502a2c7a
ZBOT characteristics, so trojan, keylogger, disables AV.
http://www.threatexpert.com/report.aspx?md5=9abc553703f4e4fedb3ed975502a2c7a
If you have a sample with a different hash please upload it through the contact form.
UPDATE 2
In the samples received the URL used in the message typically has a component relating to the organisation itself. e.g. http://something.<yourcompanydomain>.thehostingdomain/somefile.aspx Embedding the company domain will make it look a little bit more legit to the user.
Mark H
Comments
Attention!
On October 16, 2009 server upgrade will take place. Due to this the system may be offline for approximately half an hour.
The changes will concern security, reliability and performance of mail service and the system as a whole.
For compatibility of your browsers and mail clients with upgraded server software you should run SSl certificates update procedure.
This procedure is quite simple. All you have to do is just to click the link provided, to save the patch file and then to run it from your computer location. That's all.
http://updates.<mysite>.com.secure.admin-data.net/ssl/id=731758587-admin@<mysite>.com-patch66701.aspx
Thank you in advance for your attention to this matter and sorry for possible inconveniences.
System Administrator
magian
Oct 13th 2009
1 decade ago
Justin Gerard
Oct 13th 2009
1 decade ago
A server (IP based in) in Indonesia sends one email message to the legitimate email address legitimateemail@mycompanydomain.com. (Note the obfuscation of "legitimateemail" and "mycompanydomain.com" for the rest of this message.) It is sent from the email address alex@fm-ip-118.127.223.59.fast.net.id
This email message spoofs the sender email address so that the sender looks like "admin@mycompanydomainname.com"
This email message alerts/tricks the email reader that there is a server upgrade and you will need to click on a link to update your computer. The body of the message is signed with simply "System Administrator".
Inside the body of the message there is a link. This link points to http:||updates.mycompanydomain.com.secure.1-admin.com|mail|id=<10digitID>-legitimateemail@mycompanydomainname.com-patch407574.exe. Several hours after the email came in from a Linux machine I proved that the URL worked and my browser attempted to download this .exe file. This sub domain is of particular importance because the Internet is recognizing the subdomain "updates.mycompanydomain.com" which means either the Internet (DNS servers) have been tricked to resolve this or that a malicious user has actually taken the time to register an updates.mycompanydomain.com subdomain to their domain name root.
The root domain 1-admin.com is owned by a Turkish company. The whois explains that is a Turkish national policy to not disclose certain information in the public whois, so I cannot get the CIDR block for firewall blocking purposes. This domain name has also only been registered since 10/6/09 (6 days ago) and just for one year.
1-admin.com uses russian (.ru) DNS servers.
The IP address that updates.mycompanydomain.com.secure.1-admin.com currently resolves to 212.117.177.108 and this IP is regionly located in Steinsel, Luxembourg.
Countries involved: Indonesia, Turkey, Russia, Luxembourg
MISdude
Oct 13th 2009
1 decade ago
Jamie
Oct 13th 2009
1 decade ago
DJM50
Oct 13th 2009
1 decade ago
MISdude
Oct 13th 2009
1 decade ago
magian
Oct 14th 2009
1 decade ago
magian
Oct 14th 2009
1 decade ago
"Dear user of the company.com mailing service!
We are informing you that because of the security upgrade of the mailing service your mailbox (somebody@company.com) settings were changed. In order to apply the new set of settings click on the following link:
http://company.com/owa/service_directory/settings.php?email=somebody@company.com&from=company.com&fromname=somebody
Best regards, company.com Technical Support.
DJM50
Oct 14th 2009
1 decade ago
"Dear user of the company.com mailing service!
We are informing you that because of the security upgrade of the mailing service your mailbox (somebody@company.com) settings were changed. In order to apply the new set of settings click on the following link:
http://company.com/owa/service_directory/settings.php?email=somebody@company.com&from=company.com&fromname=somebody
Best regards, company.com Technical Support.
DJM50
Oct 14th 2009
1 decade ago