May 2010 Archives

If you recently received an e-mail from something as vague as "Email Administrator IT Service", don't believe it (not that you would have anyway).  The body of the message reads something like the following:

Dear subscribers.

This message is from the Email Administrator  IT Service to all our email account subscribers.You are to provide to us the below information to revalidate your account due to spam and to upgrade the new 2010 spam version.

Notice:Your access.k12.wv.us  Email account will be expired after a week, if you do not revalidate or update your account. Please do co-operate with us so we can serve you better, contact the adminstrator!!****

User Name:
Password:
Confirm Your Password:
Alternative Email :

Thank You.
 Email Administrator
Warning Code :ID67565434


Okay, just reading this message should set off alarms in your mind.  No IT administrator would ever ask you for your password; admins already have the ability to make changes to your account without it.  This particular e-mail originated from within Canada.

Received: from duo.kics.bc.ca (68.233.169.222)
  by XXXXXXXXXXXXXXXXX with SMTP; 15 May 2010 17:16:15 -0400
Received: (qmail 18103 invoked from network); 15 May 2010 21:08:54 -0000
Received: from unknown (HELO squirrel.kics.bc.ca) (68.233.169.222)
  by kics.bc.ca with SMTP; 15 May 2010 21:08:53 -0000
Received: from 82.128.112.55
        (SquirrelMail authenticated user market@eco.kics.bc.ca)
        by squirrel.kics.bc.ca with HTTP;
        Sat, 15 May 2010 14:08:53 -0700 (PDT)
Message-ID: <46ef1fc8b2696f757c51403ff8ec660f.squirrel@squirrel.kics.bc.ca>
Date: Sat, 15 May 2010 14:08:53 -0700 (PDT)
Subject: Dear subscribers.
From: "E-MAIL. MANAGEMENT" <info@microsoft.org>
Reply-To: upgradingteam@24.tc

This is something to look out for.  Below is a capture of the actual email item.

[Image: email_administrator_it.png, a capture of the e-mail]


Be on the lookout for email that's supposed to be from iTunes with the subject "Thank you for buying iTunes Gift Certificate!"  It contains a zip file named "iTunes_certificate_247.zip", about 25 bytes in size.

[Image: itunes_gift_certificate_spoof.png, a capture of the e-mail]

When you examine the email headers, you will see that the email didn't come from the iTunes/Apple mail servers.  This email originated from mail.pizzaandpizzas.com.

Received: (qmail 26872 invoked from network); 7 May 2010 00:55:44 -0400
Received: from unknown (HELO BNFWYFODZ) (203.76.125.195)
  by XXXXXXXXXXXXX with SMTP; 7 May 2010 00:55:22 -0400
Received: from 203.76.125.195 by mail.pizzaandpizzas.com; Fri, 7 May 2010 11:55:19 +0700
From: "Your  iTunes" <account@itunes.com>
To: XXXXXXXXXXXXXXXX
Subject: Thank you for buying iTunes Gift Certificate!
Date: Fri, 7 May 2010 11:55:19 +0700
MIME-Version: 1.0
Content-Type: multipart/mixed;
  boundary="----=_NextPart_000_000E_01CAEDA1.7DF24F30"
Message-ID: <000d01caeda1$7df24f30$6400a8c0@spriestl07>


An ISP in Bangladesh (203.76.125.195) connected to the mail port on mail.pizzaandpizzas.com, a domain name owned by an Italian company.  Of course, all this simply means that this email did not originate from iTunes or from any authorized Apple-owned company.
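As an added example (not part of the original post), here is a short Python script that walks the Received chain of the iTunes message above oldest-first, pulls out the source IP and the first relay, and flags that the From domain (itunes.com) does not match that relay. The function names and regular expressions are my own; the header sample is the one shown above with the masked hosts kept as-is.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Headers of the iTunes gift-certificate message shown above (masked hosts kept as on the page).
ITUNES_HEADERS = """Received: (qmail 26872 invoked from network); 7 May 2010 00:55:44 -0400
Received: from unknown (HELO BNFWYFODZ) (203.76.125.195)
  by XXXXXXXXXXXXX with SMTP; 7 May 2010 00:55:22 -0400
Received: from 203.76.125.195 by mail.pizzaandpizzas.com; Fri, 7 May 2010 11:55:19 +0700
From: "Your  iTunes" <account@itunes.com>
Subject: Thank you for buying iTunes Gift Certificate!
"""

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
HELO = re.compile(r"\(HELO ([^)]+)\)")
BY = re.compile(r"\bby\s+([A-Za-z0-9.-]+)")

def received_hops(raw_headers):
    """Received headers oldest-first, folded lines joined, i.e. in the order the mail travelled."""
    msg = message_from_string(raw_headers)
    hops = [" ".join(h.split()) for h in msg.get_all("Received", [])]
    return list(reversed(hops))

def origin_of(raw_headers):
    """First hop naming a source IP. Only hops added by servers you control are trustworthy;
    anything earlier could have been forged by the sender, so treat this as a lead, not proof."""
    for hop in received_hops(raw_headers):
        if not hop.startswith("from "):
            continue  # e.g. '(qmail ... invoked from network)' carries no source host
        ip = IPV4.search(hop)
        if ip:
            helo, relay = HELO.search(hop), BY.search(hop)
            return {"ip": ip.group(1),
                    "helo": helo.group(1) if helo else None,
                    "relay": relay.group(1) if relay else None}
    return None

def from_domain(raw_headers):
    """Domain of the claimed From address (the part the victim actually sees)."""
    addr = parseaddr(message_from_string(raw_headers).get("From", ""))[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else None

def relay_mismatch(raw_headers):
    """True when the claimed From domain is not the relay that first accepted the mail."""
    origin, domain = origin_of(raw_headers), from_domain(raw_headers)
    if not origin or not origin["relay"] or not domain:
        return False
    relay = origin["relay"].lower()
    return relay != domain and not relay.endswith("." + domain)

if __name__ == "__main__":
    print(origin_of(ITUNES_HEADERS), from_domain(ITUNES_HEADERS), relay_mismatch(ITUNES_HEADERS))
```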

inetnum:      203.76.96.0 - 203.76.127.255
netname:      LINK3
descr:        Link3 Technologies Ltd.
descr:        Internet Service Provider, Dhaka, Bangladesh
country:      BD
admin-c:      SP349-AP
tech-c:       SP349-AP
mnt-by:       APNIC-HM
mnt-lower:    MAINT-BD-LINK3
mnt-routes:   MAINT-BD-LINK3
mnt-routes:   MAINT-HK-HUTCHCA
status:       ALLOCATED PORTABLE
remarks:      -+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+
remarks:      This object can only be updated by APNIC hostmasters.
remarks:      To update this object, please contact APNIC
remarks:      hostmasters and include your organisation's account
remarks:      name in the subject line.
remarks:      -+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+
changed:      hm-changed@apnic.net 20040629
changed:      hm-changed@apnic.net 20040802
source:       APNIC


Domain Name: PIZZAANDPIZZAS.COM
Registrar: TUCOWS INC.
Whois Server: whois.tucows.com
Referral URL: http://domainhelp.opensrs.net
Name Server: NS1.RUBALO.IT
Name Server: NS2.RUBALO.IT
Status: clientTransferProhibited
Status: clientUpdateProhibited
Updated Date: 11-nov-2009
Creation Date: 18-aug-2008
Expiration Date: 18-aug-2010


This variation on the email notification "Webmail: Your mailbox has exceeded the storage limit" is designed to dupe folks into clicking on a link that will take you to a website that is supposed to fix your email settings.  Of course, that's far from the truth.  The link you click on will no doubt trick you into downloading a malware package onto your computer.

[Image: spoof_mailbox_settings_changed.png, a capture of the e-mail]

It looks like the free hosting offered by GoogleGroups and Yahoo!Groups is home to many of these emails, with links of the following pattern:

http://XXXXXX.googlegroups.com/web/XXXXXXX
http://f1.grp.yahoofs.com/XXXXXXXXXXXXXXXXX

The email headers show that it originated from Argentina (190.176.213.228).

Received: (qmail 22391 invoked from network); 9 May 2010 15:34:08 -0400
Received: from 190-176-213-228.speedy.com.ar (HELO NTFRQLO) (190.176.213.228)
  by XXXXXXXXXXXXXXXXXX with SMTP; 9 May 2010 15:34:07 -0400
Message-ID: <000d01caefae$95d7db60$6400a8c0@futonstbc8>
From: XXXXXXXXXXXXXXXXXXXXXXXX
To: XXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Subject: setting for your mailbox XXXXXXXXXXXXXXXXXXXX are changed
Date: Sun, 9 May 2010 21:34:05 +0100

The IP address belongs to Telefonica de Argentina:

inetnum:     190.176/15
status:      allocated
owner:       Telefonica de Argentina
ownerid:     AR-TEAR7-LACNIC
responsible: Agustín Gomez Dhers
address:     AV. ING. HUERGO - OBS. JUDICIALES, 723,
address:     1065 - Buenos Aires - CF
country:     AR
phone:       +54 11 4333-2220 []
owner-c:     TEA
tech-c:      TEA
abuse-c:     TEA
inetrev:     190.176/15
nserver:     DNS1.MRSE.COM.AR
nsstat:      20100505 AA
nslastaa:    20100505
nserver:     DNS2.MRSE.COM.AR
nsstat:      20100505 AA
nslastaa:    20100505
nserver:     DNS3.MRSE.COM.AR
nsstat:      20100505 AA
nslastaa:    20100505
nserver:     DNS4.MRSE.COM.AR
nsstat:      20100505 AA
nslastaa:    20100505
created:     20080311
changed:     20080311


About this Archive

This page is an archive of entries from May 2010 listed from newest to oldest.