[nsp-sec] Two variations on the mail settings stuff - one on a Google Docs site

Smith, Donald Donald.Smith at qwest.com
Thu May 13 13:41:22 EDT 2010


www.virustotal.com

www.cwsandbox.org

(coffee != sleep) & (!coffee == sleep)
Donald.Smith at qwest.com gcia

> -----Original Message-----
> From: nsp-security-bounces at puck.nether.net
> [mailto:nsp-security-bounces at puck.nether.net] On Behalf Of Bill Owens
> Sent: Thursday, May 13, 2010 10:57 AM
> To: nsp-security at puck.nether.net
> Subject: [nsp-sec] Two variations on the mail settings stuff - one on a Google Docs site
>
> ----------- nsp-security Confidential --------
>
> Two seemingly identical fraudulent emails. One - canadian
> pharmacy spam. The other - a Windows .exe file, presumably
> malware (which I will be happy to submit for analysis, if
> someone will suggest where to do so).
>
> Example one:
>
> >Return-path: <misprintinggf677 at roundtheworld.com>
> >Received: from KDDVETEVMG (unknown [182.0.204.159])
> > by adelie.nysernet.org (Postfix) with ESMTP id 06C46590050  for
> > <bill-tapr at owensfamily.org>; Wed, 12 May 2010 16:28:09 -0400 (EDT)
> >Date: Thu, 13 May 2010 03:28:00 +0700
> >From: "owensfamily.org support" <bill-tapr at owensfamily.org>
> >Subject: setting for your mailbox bill-tapr at owensfamily.org are changed
> >To: <bill-tapr at owensfamily.org>
> >Message-id: <000d01caf211$9dc21ab0$6400a8c0 at misprintinggf677>
> >
> >SMTP and POP3 servers for bill-tapr at owensfamily.org mailbox are changed. Please carefully read the attached instructions before updating settings.
> >
> >http://www.futurefunk.co.uk/upload/21.html
>
> That's a redirect to our friends from yesterday:
> <meta http-equiv="refresh" content="0;url=http://saidmeek.com" />
>
> and saidmeek.com is still the pharmacy page.
>
> Example two:
>
> >Return-path: <willfulb9 at rihard.com>
> >Received: from PCOGBDN (unknown [115.131.195.10])
> > by adelie.nysernet.org (Postfix) with ESMTP id 8A670590050  for
> > <bill-tapr at owensfamily.org>; Thu, 13 May 2010 12:24:23 -0400 (EDT)
> >Date: Fri, 14 May 2010 01:54:17 +0930
> >From: "owensfamily.org support" <bill-tapr at owensfamily.org>
> >Subject: setting for your mailbox bill-tapr at owensfamily.org are changed
> >To: <bill-tapr at owensfamily.org>
> >Message-id: <000d01caf2b8$bc233a50$6400a8c0 at willfulb9>
> >
> >SMTP and POP3 servers for bill-tapr at owensfamily.org mailbox are changed. Please carefully read the attached instructions before updating settings.
> >
> >https://docs.google.com/leaf?id=0BxwkuMlR0FFdMzY1NDE1ZDYtZDU4
> NS00YTYzLTlmM2EtMjQ1NzM3OGQwOWRm
>
> This one points to a Google Docs page, containing a
> downloadable Windows executable file, setup.exe, 161792 bytes.
>
> Bill.
>
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
>
> Please do not Forward, CC, or BCC this E-mail outside of the
> nsp-security
> community. Confidentiality is essential for effective
> Internet security counter-measures.
> _______________________________________________
>

This communication is the property of Qwest and may contain confidential or
privileged information. Unauthorized use of this communication is strictly
prohibited and may be unlawful.  If you have received this communication
in error, please immediately notify the sender by reply e-mail and destroy
all copies of the communication and any attachments.
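
A header triage check for the pattern both quoted samples share (From equal to To, a "<domain> support" display name, a Return-path in an unrelated domain, and a Postfix `unknown` client name), as an added example that is not part of the original thread. The function names, the threshold, and the sample message with its addresses and IP are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modelled on the quoted headers; the addresses, host name
# and IP (TEST-NET-3) are placeholders, not values from the thread.
SAMPLE = """\
Return-path: <sender123@mailer.example.net>
Received: from HOSTABC (unknown [203.0.113.7])
 by mx.example.org (Postfix) with ESMTP id 0000000000 for
 <user@example.org>; Wed, 12 May 2010 16:28:09 -0400 (EDT)
Date: Thu, 13 May 2010 03:28:00 +0700
From: "example.org support" <user@example.org>
Subject: setting for your mailbox user@example.org are changed
To: <user@example.org>

SMTP and POP3 servers for user@example.org mailbox are changed.
"""

def domain(addr):
    """Lower-cased domain part of an address ('' if there is none)."""
    return addr.rpartition("@")[2].lower() if "@" in addr else ""

def spoof_signals(raw):
    """Return the header anomalies found in a raw RFC 5322 message."""
    msg = message_from_string(raw)
    name, from_addr = parseaddr(msg.get("From", ""))
    _, to_addr = parseaddr(msg.get("To", ""))
    _, rpath = parseaddr(msg.get("Return-path", ""))
    # Topmost Received header is the one our own MTA added.
    received = " ".join(msg.get_all("Received", [])[:1])
    name = name.lower()
    signals = []
    if from_addr and from_addr.lower() == to_addr.lower():
        signals.append("from_equals_to")
    if domain(from_addr) and domain(from_addr) in name and "support" in name:
        signals.append("display_name_claims_own_domain_support")
    if rpath and domain(rpath) != domain(from_addr):
        signals.append("return_path_domain_mismatch")
    # Postfix records "unknown" when it could not verify the client's name.
    if re.search(r"\(unknown \[[0-9a-fA-F.:]+\]\)", received):
        signals.append("client_rdns_unknown")
    return signals

def is_suspect(raw, threshold=3):
    """Assumed policy: three or more signals sends the message to review."""
    return len(spoof_signals(raw)) >= threshold

if __name__ == "__main__":
    print(spoof_signals(SAMPLE), is_suspect(SAMPLE))
```

No single signal is conclusive on its own (forwarders and mailing lists routinely produce a Return-path mismatch), which is why the check counts them.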



