New variation of SSL Spam - SANS Internet Storm Center

New variation of SSL Spam
We've received numerous emails about this already today. This is an update to a diary we did earlier this week. The body of the spam today is: Dear user of the <some company> mailing service! We are informing you that because of the security upgrade of the mailing service your mailbox (<user>@<some company>) settings were changed. In order to apply the new set of settings click on the following link: The email contains a link with a file to download. Some of the files we have seen are: settings-file.exe MD5: 0244586f873a83d89caa54db00853205 settings-file2.exe MD5: e6436811c99289846b0532812ac49986 The files are being detected by some anti-virus software programs at this time as Zbot variants. Thanks Jon, Frank, iTinker, Nick and others for your reports on this.	David 78 Posts Oct 14th 2009
Thread locked Subscribe	Oct 14th 2009 1 decade ago
We just received a large influx of these to our whole enterprise. We use Postini as spam filter and they caught them all. ---------------------------------- Received: from source ([213.21.97.141]) by eu1sys200amx117.postini.com ([207.126.147.14]) with SMTP; Thu, 15 Oct 2009 05:01:31 GMT Received: from 213.21.97.141 by mail-red.research.att.com; Thu, 15 Oct 2009 07:01:25 +0100 Message-ID: <000d01ca4d54$8bc16760$6400a8c0@lizapf5> From: "support@target-domain.com" <support@target-domain.com> To: <user@target-domain.com> Subject: A new settings file for the user@target-domain.com mailbox has just been released Date: Thu, 15 Oct 2009 07:01:25 +0100 MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="----=_NextPart_000_0007_01CA4D54.8BC16760" X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 4.71.1712.3 X-MimeOLE: Produced By Microsoft MimeOLE V4.71.1712.3 X-pstn-neptune: 0/0/0.00/0 X-pstn-levels: (S: 0.00533/92.62311 CV:99.9000 FC:95.5390 LC:95.5390 R:95.9108 P:95.9108 M:97.0282 C:98.6951 ) X-pstn-settings: 3 (1.0000:1.0000) s cv gt3 gt2 gt1 r p m c X-pstn-addresses: from <support@target-domain.com> [233/12] X-pstn-disposition: quarantine Date: Thu, 15 Oct 2009 07:01:25 +0100 From: "support@target-domain.com" <support@target-domain.com> To: <user@target-domain.com> Subject: A new settings file for the user@target-domain.com mailbox has just been released Dear user of the target-domain.com mailing service! We are informing you that because of the security upgrade of the mailing service your mailbox (user@target-domain.com) settings were changed. In order to apply the new set of settings click on the following link: http://target-domain.com/owa/service_directory/settings.php?email=user@target-domain.com&from=target-domain.com&fromname=user Best regards, target-domain.com Technical Support. ---------------------------------- One of our users came round very confused although when i explained that if we had emailed him (internal mail) it wouldn't go through the spam filter at all.	Anonymous
Quote	Oct 15th 2009 1 decade ago
I'm seeing a lot of these as well on my mail servers. Interestingly, not all of m domains are affected: only the ones in .com. I have domains in .ch and these are not affected. Also, sub-domains aren't targeted either.	Anonymous
Quote	Oct 15th 2009 1 decade ago
The interesting thing is that the obfuscated URL in the HTML boundary partof the messages I have seen is http://target-domain.com.polikko.eu/owa/service_directory/settings.php?email=user@target-domain.com&from=target-domain.com&fromname=user Note the addition of the .polikko.eu to the domain name !	Karl 14 Posts
Quote	Oct 15th 2009 1 decade ago
As posted by Karl: "Note the addition of the .polikko.eu to the domain name !" Actually they use a sub-domain of "polikko.eu". In the Text they only quote that sub-domain. So it has nothing to do with "target-domain .com" PS: I am the holder of the "target-domain .com" domain, and I can assure that this junk does originate elsewhere. This really is a pain in the butt :(	Karl 1 Posts
Quote	Oct 15th 2009 1 decade ago
Well, I, for one, have temporary filtered all mail containing the /owa/service_directory/settings.php?email= string as it seems to be the only common trail in all these mails. It's a temporary solution at best, since this string is easy to forge, but it's the only way I've found to really filter these out. Another option I'm persuing is to reject all mail coming in from a local address using the same rules as for mail relay. Unfortunately, my mail server doesn't allow this just yet.	Karl 16 Posts
Quote	Oct 15th 2009 1 decade ago

We've received numerous emails about this already today. This is an update to a diary we did earlier this week.

The body of the spam today is:

  Dear user of the <some company> mailing service!

  We are informing you that because of the security upgrade of the mailing
  service your mailbox (<user>@<some company>) settings were changed. In
  order to apply the new set of settings click on the following link:

The email contains a link with a file to download.  Some of the files we have seen are:

  settings-file.exe   MD5:  0244586f873a83d89caa54db00853205
  settings-file2.exe  MD5:  e6436811c99289846b0532812ac49986

The files are being detected by some anti-virus software programs at this time as Zbot variants.

Thanks Jon, Frank, iTinker, Nick and others for your reports on this.

David

78 Posts

Oct 14th 2009

We just received a large influx of these to our whole enterprise. We use Postini as spam filter and they caught them all.

----------------------------------
Received: from source ([213.21.97.141]) by eu1sys200amx117.postini.com ([207.126.147.14]) with SMTP;
Thu, 15 Oct 2009 05:01:31 GMT
Received: from 213.21.97.141 by mail-red.research.att.com; Thu, 15 Oct 2009 07:01:25 +0100
Message-ID: <000d01ca4d54$8bc16760$6400a8c0@lizapf5>
From: "support@target-domain.com" <support@target-domain.com>
To: <user@target-domain.com>
Subject: A new settings file for the user@target-domain.com mailbox has just been released
Date: Thu, 15 Oct 2009 07:01:25 +0100
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_NextPart_000_0007_01CA4D54.8BC16760"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 4.71.1712.3
X-MimeOLE: Produced By Microsoft MimeOLE V4.71.1712.3
X-pstn-neptune: 0/0/0.00/0
X-pstn-levels: (S: 0.00533/92.62311 CV:99.9000 FC:95.5390 LC:95.5390 R:95.9108 P:95.9108 M:97.0282 C:98.6951 )
X-pstn-settings: 3 (1.0000:1.0000) s cv gt3 gt2 gt1 r p m c
X-pstn-addresses: from <support@target-domain.com> [233/12]
X-pstn-disposition: quarantine

Date: Thu, 15 Oct 2009 07:01:25 +0100
From: "support@target-domain.com" <support@target-domain.com>
To: <user@target-domain.com>
Subject: A new settings file for the user@target-domain.com mailbox has just been released

Dear user of the target-domain.com mailing service!
We are informing you that because of the security upgrade of the mailing service your mailbox (user@target-domain.com) settings were changed. In order to apply the new set of settings click on the following link:
http://target-domain.com/owa/service_directory/settings.php?email=user@target-domain.com&from=target-domain.com&fromname=user
Best regards, target-domain.com Technical Support.

----------------------------------

One of our users came round very confused although when i explained that if we had emailed him (internal mail) it wouldn't go through the spam filter at all.

Anonymous

I'm seeing a lot of these as well on my mail servers. Interestingly, not all of m domains are affected: only the ones in .com. I have domains in .ch and these are not affected. Also, sub-domains aren't targeted either.

Anonymous

The interesting thing is that the obfuscated URL in the HTML boundary partof the messages I have seen is http://target-domain.com.polikko.eu/owa/service_directory/settings.php?email=user@target-domain.com&from=target-domain.com&fromname=user

Note the addition of the .polikko.eu to the domain name !

Karl

14 Posts

As posted by Karl:
"Note the addition of the .polikko.eu to the domain name !"

Actually they use a sub-domain of "polikko.eu". In the Text they only quote that sub-domain.
So it has nothing to do with "target-domain .com"

PS:
I am the holder of the "target-domain .com" domain, and I can assure that this junk does originate elsewhere.

This really is a pain in the butt :(

Karl
1 Posts

Well, I, for one, have temporary filtered all mail containing the /owa/service_directory/settings.php?email= string as it seems to be the only common trail in all these mails. It's a temporary solution at best, since this string is easy to forge, but it's the only way I've found to really filter these out. Another option I'm persuing is to reject all mail coming in from a local address using the same rules as for mail relay. Unfortunately, my mail server doesn't allow this just yet.

Karl
16 Posts