
early 2013 Postal-Receipt.zip malware campaign




 PostPosted: Mon Mar 04, 2013 1:29 pm   
Spammer Killing Machine
Listed below are various URLs that download a deceptive file Postal-Receipt.zip (or an earlier version without the hyphen). Some of the URLs have already been disabled or removed from their servers. Most of the URLs were recently reported by Joe Wein as possible phishing scams, probably because they are typically found in spam email that fraudulently claims to be from either "FedEx" or another shipping company. Only a few antivirus programs currently flag the most recent version of the ZIP file as dangerous or suspicious.

The malicious webpages are coded to reply with HTTP 404 to IP addresses known to be used by many badware reporting sources including PhishTank (example) and by all of the free anonymous proxy servers that I've been using to confirm the ZIP file.

I'd like to continue following the campaign if I could find a few more free anonymous proxy servers that would still work. Suggestions for some?


 PostPosted: Mon Mar 04, 2013 5:58 pm   
Spammers' Nightmare
I noticed that many of the .php files start with a period. This means that if somebody just issues an "ls", they will not see the file. When reporting the links, I would mention that the .php file is a hidden file and they need to issue "ls -a" to see the hidden files on a Unix OS.


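The hidden-file point in the post above, as an added defender-side check (example code, not from the forum or any poster): it builds a constructed sample web root modelled on the /tmp and /components directory conventions the thread lists, then finds every dot-prefixed .php file that a plain "ls" would not show and prints a SHA-256 for an abuse report. The file names in the sample are placeholders, not real indicators; sha256sum from coreutils is assumed.

```shell
#!/bin/sh
# Added example (not from the forum post): find dot-prefixed .php files that
# "ls" hides, and list them with a hash for reporting to the site owner.
set -u

# Constructed sample web root. Directory names follow the thread's /tmp and
# /components pattern; the file names are placeholders, not real indicators.
make_sample_webroot() {
  root=$(mktemp -d)
  mkdir -p "$root/tmp" "$root/components" "$root/wp-content/plugins/akismet"
  printf '<?php echo "legit"; ?>\n' > "$root/components/index.php"
  printf '<?php /* hidden dropper placeholder */ ?>\n' > "$root/tmp/.abcdef.php"
  printf '<?php /* hidden dropper placeholder */ ?>\n' > "$root/components/.ghijkl.php"
  printf '<?php /* non-hidden file, not matched below */ ?>\n' \
    > "$root/wp-content/plugins/akismet/mirror.php"
  printf '%s\n' "$root"
}

# Print every hidden (dot-prefixed) .php file under $1, one per line, sorted so
# repeated runs can be diffed.
find_hidden_php() {
  find "$1" -type f -name '.*.php' | sort
}

# Number of hidden .php files under $1: a monitoring job can alert when > 0.
count_hidden_php() {
  find_hidden_php "$1" | wc -l | tr -d ' '
}

# Report line per file: SHA-256 then path, ready to paste into an abuse report.
report_hidden_php() {
  find_hidden_php "$1" | while IFS= read -r f; do
    sum=$(sha256sum "$f" | cut -d' ' -f1)
    printf '%s  %s\n' "$sum" "$f"
  done
}
```

Run it against a real document root with `report_hidden_php /var/www/html` (path is an assumption); the sample-root helper exists only so the script can be exercised offline.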
 PostPosted: Mon Mar 04, 2013 8:34 pm   
You are kiillllling-a my bizinisss!
NotBuyingIt wrote:

    I'd like to continue following the campaign if I could find a few more free anonymous proxy servers that would still work. Suggestions for some?

Vidalia/Tor package gives you hundreds.


