Below there are some examples of subjects used in the scam emails:

Subject: Important Update
Subject: Security Check
Subject: Update your profile
Subject: Urgent Notice
Subject: Profile update
Subject: Security Warning
Subject: Update your Account
Subject: Update your Password

While I was checking the headers of the emails, I noticed that most of the IP addresses of the senders come from Chinese (.CN) domains:

mail.bnu.edu.cn (mail.bnu.edu.cn [219.142.99.2])
58.185.112.164 (HELO user) (58.185.112.164) by 219.142.99.2
mailqd.cmr.com.cn (unknown [211.100.42.132])
User ([212.62.45.71]) by mailqd.cmr.com.cn
mail0.shift.edu.cn (unknown [61.152.219.51])
User ([58.185.112.164]) by mail0.shift.edu.cn
mail.smu.ac.kr (smu.ac.kr [203.237.168.13])
User ([58.185.112.164]) (authenticated (0 bits)) by mail.smu.ac.kr
idrgroup-nx0i3d.idrgroup.local (servera210.opencom.com [121.78.88.210])
User ([58.185.112.164]) by idrgroup-nx0i3d.idrgroup.local
mail.fudan.edu.cn (unknown [61.129.42.10])
User ([212.62.45.71]) by mail.fudan.edu.cn

Some of the malicious links used for phishing attacks are the following:

1
2
3
4
5

hxxp://zoahaza.isfreeweb.com/tt/style/setup/image/m2u.htm
hxxp://www.dobongn.kr/gnuboard4/bbs/m2u.htm
hxxp://central-groove.co.uk/images/M_images/www.maybank2u.com.my/m2u.htm
hxxp://zoahaza.isfreeweb.com/tt/components/m2u.htm
hxxp://womabkr.com.tw/Ch/img/main.htm

Not all the links are still active and fortunately there are also links that are detected and blocked by Mozilla Firefox but keep in mind that there are always links that are not blocked or that are not detected by any antispam filter!

Remember always to NOT insert sensitive data in unknown websites and to never click in links contained in unknown emails. When you receive this kind of emails, example from your Bank, and you are requested to insert sensitive data make sure to give a call to your bank before insert any kind of data in the suspicious website.

The attached file contains a redirect to a malicious link:

Malicious link details:

1
2
3
4
5
6
7
8
9
10
11
12
13
14

Domain: 9-000.com
Ip Address: 203.93.208.86
 
Administrative Contact:
Name : NIUJINGYI
Organization : NIUJINGYI
Address : CHANGFENGLU51
City : jiujiangshi
Province/State : jiangxisheng
Country : china
Postal Code : 332113
Phone Number : 86-0792-56051418
Fax : 86-0792-56051418
Email : NIUJINGYI@126.COM

Other malicious domains:

1
2
3

4-999.net
7-999.com
4-555.net

We have noticed around 150 spam emails of this type on 48 hours and most senders seem to be ADSL users… is possible the spam campaign was started by a botnet.

The surprise was attached in .gif or .jpg or .png format:

The attached image has inside all the info related to various pharmacy products and the malicious http url:

Spammers are using this strategy to bypass common anti spam filters and to avoid to be placed in the “spam folder” of the email clients.

Other spam messages were full of links that redirected to yahoo groups with random names:

groups.yahoo.com/group/zygikyromaxit49/message/1
groups.yahoo.com/group/vigecydavypov17/message/1
groups.yahoo.com/group/gefyfewozimax24/message/1

All the above links redirected again to other suspicious domains:

proudtasty.com
advocacywife.com

Pay always attenction when opening unknown, and even known, emails.

Malicious links used for phishing attacks:

1
2

hxxp://217.24.231.33/login.html
hxxp://79.39.132.165/poste/index.htm

Message

Promemoria eBay per oggetto non pagato numero 3104678753291

Gentile member,
alenf ha segnalato di non avere ancora ricevuto il pagamento per il seguente
oggetto: numero 3104678753291

Al momento non viene intrapresa alcuna azione nei confronti del tuo account.
Tuttavia, ti ricordiamo che quando fai un’offerta o acquisti un oggetto su eBay,
prendi un impegno vincolante con il venditore. Se la situazione non verr? risolta
entro 7 giorni dalla ricezione di questo promemoria, riceverai un ammonimento per
oggetto non pagato…

Header

Received: from hsenc.co.kr (unknown [211.215.20.40])
Received: from User (80.229.253.105)
by hsenc.co.kr (211.215.20.40) with [Nmail V3.6]
Subject: Promemoria eBay per oggetto non pagato numero 3104678753291
Date: Thu, 29 Jan 2009 15:25:31 -0000

Received: from 419revolution.org (unknown [211.106.23.71])
Received: from User ([])
by 419revolution.org (Merak 6.1.0)
Subject: Promemoria eBay per oggetto non pagato numero 292567831524
Date: Mon, 28 Jan 2009 14:38:18 -0000

Received: from mail.quike.com.cn (unknown [202.75.222.151])
Received: from User ([80.229.253.105])
by 211.155.233.151 with ESMTP
Subject: Hai ricevuto un ammonimento per Oggetto non pagato 260300220759
Date: Mon, 28 Jan 2009 14:38:18 -0000

Received: from topinfo.com.cn (unknown [211.157.2.61])
Received: from User [80.229.253.105] by topinfo.com.cn
Subject: Promemoria eBay per oggetto non pagato numero 299010852347
Date: Mon, 17 Nov 2008 10:51:59 -0000

Make sure to not fall in this scam, check always the address of the site before write sensitive data in web forms and analyze always the header of the emails.

• Use always maximum attenction when reading the email
• Never click on http links or images
• Never download attachments
• Analyze the header of the email
• Check the email of the sender on google to see if you find bad info
• Check the info of the sender’s site on google
• Report the email to your local authorities
• Report the email to PhishTank
• Delete the email