[153754] in North American Network Operators' Group


Re: EBAY and AMAZON

daemon@ATHENA.MIT.EDU (Joel Esler)
Mon Jun 11 18:43:48 2012

In-Reply-To: <CC75EEBF17C7374EA8309102B7B10C848618F8E1@SHSBS.shenrons-house.local>
From: Joel Esler <jesler@sourcefire.com>
Date: Mon, 11 Jun 2012 18:43:34 -0400
To: Blake Pfankuch <blake@pfankuch.me>
Cc: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

These are exploit kit teasers.

Black hole exploit kit specifically. I wouldn't click on any of the links in there.

Anyone who would like to send me copies of these, I'll take.

--
Joel Esler

On Jun 11, 2012, at 4:51 PM, Blake Pfankuch <blake@pfankuch.me> wrote:

> I have a spam pit email address which I monitor for trends to have a little bit of jump on the possible things users might touch at work.  I started seeing the amazon, ebay and paypal ones a few weeks back.  The other one I have started to see a lot of is the "Free or cheaper home phone service through magic jack" ones.  Again as expected they link to some .ru domain and look just like the normal sign up page.  Also my handy dandy virtual machine was instantly owned with malware just by loading the page.  The VM runs Windows 7 as a non administrative user, UAC cranked up and IE9.  Something like 10 installed apps showed up including "Adobe Flash Player Latest."
>
> The other cool one I have been seeing is along the lines of "How to better utilize your office phone system" or "New Business Phone systems" with supposed links to "popular new phone system trends".  This one is rather crafty as it has an embedded image which is a nice weblink to an infected jpg.  So you click show picture in outlook, or in your browser and you get another installed piece of nastyware.
>
> -----Original Message-----
> From: Kain, Rebecca (.) [mailto:bkain1@ford.com]
> Sent: Monday, June 11, 2012 12:40 PM
> To: nick@flhsi.com; Brandt, Ralph; nanog@nanog.org
> Subject: RE: EBAY and AMAZON
>
> I have gotten them from "amazon" stating "order number X was cancelled and please click on the below file for more information".  Because I order so much on amazon, I almost thought it was real and clicked on it but then went to the amazon site and looked at "my open orders".  It always pays to go to the site, not believe email.
>
>
> -----Original Message-----
> From: Nick Olsen [mailto:nick@flhsi.com]
> Sent: Monday, June 11, 2012 2:06 PM
> To: Brandt, Ralph; nanog@nanog.org
> Subject: re: EBAY and AMAZON
>
> I think it might just be coincidence. I've gotten about 10 of them and haven't been to ebay or amazon in months.
> Most of them have been for >60 dollar books.
>=20
> Nick Olsen
> Network Operations (855) FLSPEED  x106
>
> ----------------------------------------
> From: "Brandt, Ralph" <ralph.brandt@pateam.com>
> Sent: Monday, June 11, 2012 1:28 PM
> To: nanog@nanog.org
> Subject: EBAY and AMAZON
>
> I have received bogus emails from both of the above on Friday.
>
> These look like I bought something that in both cases I did not buy.
> The EBAY was a golf club for $887 and the Amazon was a novel for $82, far more than I would have spent on either.
>
> I think I looked at the novel on Amazon and I remember the golf club came up on a search with something else on Ebay.
>
> How this information could get to someone spoofing is a little disconcerting.
>
> I have changed EBAY and Paypal Passwords as instructed.
>
> Ralph Brandt
> Communications Engineer
> HP Enterprise Services
> Telephone +1 717.506.0802
> FAX +1 717.506.4358
> Email Ralph.Brandt@pateam.com
> 5095 Ritter Rd
> Mechanicsburg PA 17055