STAY AWAY from these because in reality they are being used to collect email addresses, likely for future SPAM campaigns. I also suspect these domains are part of a current fake XP activation SPAM campaign.
DOMAINS:
IPs INVOLVED:
27645 | 66.79.162.82 | ASN-NA-MSG-01 - Managed Solutions Group, Inc.
33314 | 66.79.162.82 | ASN-AKANOC-SJC-01 - AKANOC Solutions Inc.
16131 | 91.199.50.101 | GRAFIX-IS GrafiX Internet B.V.
–mwdisector
In the past few days I’ve seen many websites pop up pretending to be mailing list unsubscription sites. And per usual, these sites feature legit sounding names like antivirus-activation-code1.org or online-activation-code.info.

Example screenshot.
STAY AWAY from these because in reality they are being used to collect email addresses, likely for future SPAM campaigns. I also suspect these domains are part of a current fake XP activation SPAM campaign.
Domains involved:
IPs associated with these:
66.79.162.82
67.209.140.130
antivirus-activation–code2.org
91.199.50.101
BE ADVISED: These sites may still be active, be careful!
–mwdisector
Found another phishing/malware distribution scheme, this time using Ocean Bank. Just like the ones we’ve seen in the past, it pushes a file to download that they say is an SSL certificate needed for security purposes. As you’ll see below, there are quite a few URLs pushing this malware, and the ones listed are just a fraction of the total number. Once the file is run, it installs a rootkit on the system. The sample is available in /pnuemo-malware/.

BE ADVISED: These URLs may still be active. Proceed at your own risk.
Oceanmultissl.exe (Downloads or Creates: s.exe)
Result: 21/34 (61.77%)
MD5: c4906f64d0ea19dab7a9e7626ee40781
VirusTotal
ThreatExpert Analysis
s.exe & 9129837.exe (Downloads or Creates: 9129837.exe & new_drv.sys)
Result: 18/36 (50%)
MD5: d951f3a8e3485c3c150ba17c0f53db86
VirusTotal
ThreatExpert Analysis
new_drv.sys
Result: 34/36 (94.45%)
MD5: a54de1d46ff7bdefbf9d9284c1916c5e
VirusTotal
ThreatExpert Analysis
ns1.domensinter.com
ns2.domensinter.com
Here are some domains hosting eBay phishing sites. These are intended to harvest user credentials for the popular auction site. This post, along with the M&I Bank post, is intended to show how well these pages are made and how they can trick even an educated web surfer.
Below is a screenshot of the phishing website along with domains that are currently hosting the phishing site.

There is a campaign to spread malware through fake M&I Bank websites. The malware that these pages try to install was featured in today’s database update and can be accessed through /pnuemo-malware/MIbankcertificate.zip in our repository.
Below is a screenshot of the website along with a list of some of the domains hosting these pages. Luckily, both Firefox and Internet Explorer detected these as suspicious pages.

We found a new phishing site today targeting Gmail usernames and passwords. The site (gmail-security.com) uses authentic parts of the Gmail website, and among the few things that unsuspecting users might notice are the unofficial Google domain and some minor aesthetic differences. If credentials are entered into the site, a POST is sent via load.php and the user is then forwarded to the official Gmail site.
Here is what the “gmail-security” phishing site looks like:

Here is what the official Gmail site looks like:

Today we are seeing an influx of Lloyds TSB bank phishing scam e-mails pouring in. Here is what the e-mail looks like. It contains a link to a phishing site that harvests the usernames and passwords entered into it.


Subject: Updated Terms and Conditions of Lloyds TSB Bank
Site: hxxp://www.lloydsterm.com
Harvests: User/Password/Memorable Information