
Spam impersonating 123Greetings.com - postc.html

Published: 2012/08/12

Observed: 2012/8/8

Volume: about 100 messages/day

Technique: lure URL (link in the message, no attachment)

Goal: malware infection

Distinguishing feature:

The script file planted on each compromised site is named "postc.html" (a few hosts use "mail.htm" instead)

This is the so-called greeting card / e-card type of spam.

Two or three years ago this theme was extremely common, used by ZeuS and Bredolab campaigns;

after a long gap I have now observed it being used again in current attacks.

Lately I have been seeing many reuses of themes that were popular a few years ago, and this is one of them.


Message text (screenshot not reproduced here).

Examples of lure URLs. The file name "postc.html" is the tell-tale sign.

 http://21soundtracks.com/postc.html
 http://3680999.com/postc.html
 http://76ol.net/postc.html
 http://98793282.p93.sqnet.cn/postc.html
 http://ankieta.kosmetykiaa.pl/postc.html
 http://ay-motor.com/postc.html
 http://bahaoshangcheng.com/postc.html
 http://beaconpost.com/mail.htm
 http://beadsgalore.co.nz/postc.html
 http://bjflm.cn/postc.html
 http://bjhkby.com/postc.html
 http://bjlrpc.com/postc.html
 http://brightsuncoffee.com/postc.html
 http://carbcomposite.com/postc.html
 http://centralstudios.cn/postc.html
 http://chengdaepe.com/postc.html
 http://ciocolatapersonalizata.ro/postc.html
 http://ctrip163.com/postc.html
 http://dhjmsb.com/postc.html
 http://doleson.com/postc.html
 http://eletecsystems.ru/postc.html
 http://foreverbj.com/postc.html
 http://foryoubbs.com/postc.html
 http://greencook.net/postc.html
 http://hbgtbw.com/postc.html
 http://invest.m-industry.ru/postc.html
 http://iotsource.com/postc.html
 http://irecords.cn/postc.html
 http://itouzi.net/postc.html
 http://jinqiaouk.com/postc.html
 http://joanjoy.com/postc.html
 http://k2medya.com/postc.html
 http://keenchipled.com/postc.html
 http://kesaier.com/postc.html
 http://kushitong.com/postc.html
 http://labassee.bebe9.com/postc.html
 http://liquidarchaeology.com/postc.html
 http://lyzgs.com/postc.html
 http://mdshy.com/postc.html
 http://montmorot.bebe9.com/postc.html
 http://mulhouse-wittenheim.bebe9.com/postc.html
 http:nhughesp@holyapostlesnyc.org
 http://nmg8000.com/postc.html
 http://nopos.jaibanaips.com/postc.html
 http://novoferm.com.cn/postc.html
 http://ny.stjarnjul.se/postc.html
 http://ontarioaug.com/postc.html
 http://phototula.ru/postc.html
 http://plantykopernik.pl/postc.html
 http://pos.bg/postc.html
 http://postalspecfla.itsmyiq.com/mail.htm
 http://proje81.com/postc.html
 http://putlubvi.ru/postc.html
 http://rivesaltes.bebe9.com/postc.html
 http://rushangtz.com.cn/postc.html
 http://s49065.w25.21pages.com/postc.html
 http://s63475.w25.21pages.com/postc.html
 http://salonf.spb.ru/postc.html
 http://sampuesartesanias.com/postc.html
 http://shanxianzhengda.com/postc.html
 http://sigortabahcesi.com./postc.html
 http://speedtest.lbisat.com/postc.html
 http://sphere.com.my/postc.html
 http://steamcleanersinc.com/postc.html
 http://swadeshgifts.com/postc.html
 http://tangwo.cn/postc.html
 http://tczp168.com/postc.html
 http://tender.pl/postc.html
 http://ts-robot.com/postc.html
 http://votive.co.uk/postc.html
 http://whchivast.com/postc.html
 http://yanjingedu.org/postc.html
 http://yishiweb.com/postc.html
 http://ytmeishen.com/postc.html
 http://zhongmeisb.com/postc.html
 http://zhuangdian.cc/postc.html
 http://zuchezhaowo.com/postc.html

About the domains (resolved IP, reverse DNS, origin AS and country at the time of observation).

domain | ip | reverse DNS | AS | AS name | country
kushitong.com | 58.215.64.137 | NONE | 4134 | CHINANET-BACKBONE_No.31Jin-rong_Street | China
brightsuncoffee.com | 202.67.231.155 | dns4.hostingspeed.net. | 4645 | ASN-HKNET-AP_HKNet_Co._Ltd | Hong Kong
dhjmsb.com | 121.189.19.22 | NONE | 4766 | KIXS-AS-KR_Korea_Telecom | Korea, Republic of
keenchipled.com | 121.189.19.24 | NONE | 4766 | KIXS-AS-KR_Korea_Telecom | Korea, Republic of
shanxianzhengda.com | 121.189.19.21 | NONE | 4766 | KIXS-AS-KR_Korea_Telecom | Korea, Republic of
ytmeishen.com | 121.189.19.13 | NONE | 4766 | KIXS-AS-KR_Korea_Telecom | Korea, Republic of
21soundtracks.com | 218.83.160.69 | NONE | 4812 | CHINANET-SH-AP_China_Telecom_(Group) | China
ctrip163.com | 61.152.239.188 | NONE | 4812 | CHINANET-SH-AP_China_Telecom_(Group) | China
iotsource.com | 61.151.239.134 | NONE | 4812 | CHINANET-SH-AP_China_Telecom_(Group) | China
kesaier.com | 218.83.160.69 | NONE | 4812 | CHINANET-SH-AP_China_Telecom_(Group) | China
mdshy.com | 61.152.239.188 | NONE | 4812 | CHINANET-SH-AP_China_Telecom_(Group) | China
novoferm.com.cn | 61.152.91.38 | NONE | 4812 | CHINANET-SH-AP_China_Telecom_(Group) | China
rushangtz.com.cn | 61.152.239.188 | NONE | 4812 | CHINANET-SH-AP_China_Telecom_(Group) | China
s49065.w25.21pages.com | 218.83.160.69 | NONE | 4812 | CHINANET-SH-AP_China_Telecom_(Group) | China
s63475.w25.21pages.com | 218.83.160.69 | NONE | 4812 | CHINANET-SH-AP_China_Telecom_(Group) | China
tangwo.cn | 61.152.239.188 | NONE | 4812 | CHINANET-SH-AP_China_Telecom_(Group) | China
ts-robot.com | 218.83.160.69 | NONE | 4812 | CHINANET-SH-AP_China_Telecom_(Group) | China
zhuangdian.cc | 61.151.239.202 | NONE | 4812 | CHINANET-SH-AP_China_Telecom_(Group) | China
irecords.cn | 121.101.217.125 | NONE | 4847 | CNIX-AP_China_Networks_Inter-Exchange | China
liquidarchaeology.com | 63.250.48.134 | unix07.hsphere.cc. | 4906 | FDS-01_-_Frontline_Data_Services_Inc | United States
ontarioaug.com | 63.250.48.134 | unix07.hsphere.cc. | 4906 | FDS-01_-_Frontline_Data_Services_Inc | United States
ciocolatapersonalizata.ro | 193.226.163.129 | NONE | 5606 | KQRO_GTS_Telecom_SRL | Romania
eletecsystems.ru | 195.131.162.2 | terraon.ru. | 6690 | WEBPLUS-AS_Web_Plus_ZAO | Russian Federation
invest.m-industry.ru | 194.8.181.65 | vh2.sp.ru. | 6690 | WEBPLUS-AS_Web_Plus_ZAO | Russian Federation
putlubvi.ru | 81.177.139.124 | NONE | 8342 | RTCOMM-AS_OJSC_RTComm.RU | Russian Federation
centralstudios.cn | 108.162.198.188 | NONE | 13335 | CLOUDFLARENET_-_CloudFlare_Inc. | United States
centralstudios.cn | 108.162.198.88 | NONE | 13335 | CLOUDFLARENET_-_CloudFlare_Inc. | United States
tender.pl | 188.165.217.98 | www.bajtkom.pl. | 16276 | OVH_OVH_Systems | France
nmg8000.com | 122.115.36.190 | NONE | 17429 | BGCTVNET_BEIJING_GEHUA_CATV_NETWORK_CO.LTD | China
chengdaepe.com | 58.64.187.60 | NONE | 17444 | NWT-AS-AP_AS_number_for_New_World_Telephone_Ltd. | Hong Kong
itouzi.net | 113.10.178.78 | NONE | 17444 | NWT-AS-AP_AS_number_for_New_World_Telephone_Ltd. | Hong Kong
3680999.com | 203.158.16.72 | NONE | 17964 | DXTNET_Beijing_Dian-Xin-Tong_Network_Technologies_Co._Ltd. | China
76ol.net | 203.158.16.72 | NONE | 17964 | DXTNET_Beijing_Dian-Xin-Tong_Network_Technologies_Co._Ltd. | China
98793282.p93.sqnet.cn | 203.158.16.75 | NONE | 17964 | DXTNET_Beijing_Dian-Xin-Tong_Network_Technologies_Co._Ltd. | China
ay-motor.com | 61.4.83.32 | NONE | 17964 | DXTNET_Beijing_Dian-Xin-Tong_Network_Technologies_Co._Ltd. | China
bjflm.cn | 61.4.83.39 | NONE | 17964 | DXTNET_Beijing_Dian-Xin-Tong_Network_Technologies_Co._Ltd. | China
bjhkby.com | 115.47.67.138 | NONE | 17964 | DXTNET_Beijing_Dian-Xin-Tong_Network_Technologies_Co._Ltd. | China
bjlrpc.com | 115.47.67.171 | NONE | 17964 | DXTNET_Beijing_Dian-Xin-Tong_Network_Technologies_Co._Ltd. | China
carbcomposite.com | 115.47.73.245 | NONE | 17964 | DXTNET_Beijing_Dian-Xin-Tong_Network_Technologies_Co._Ltd. | China
doleson.com | 115.47.134.247 | NONE | 17964 | DXTNET_Beijing_Dian-Xin-Tong_Network_Technologies_Co._Ltd. | China
foreverbj.com | 203.158.16.75 | NONE | 17964 | DXTNET_Beijing_Dian-Xin-Tong_Network_Technologies_Co._Ltd. | China
foryoubbs.com | 115.47.68.164 | NONE | 17964 | DXTNET_Beijing_Dian-Xin-Tong_Network_Technologies_Co._Ltd. | China
greencook.net | 61.4.83.39 | NONE | 17964 | DXTNET_Beijing_Dian-Xin-Tong_Network_Technologies_Co._Ltd. | China
hbgtbw.com | 203.158.16.75 | NONE | 17964 | DXTNET_Beijing_Dian-Xin-Tong_Network_Technologies_Co._Ltd. | China
jinqiaouk.com | 203.158.16.66 | NONE | 17964 | DXTNET_Beijing_Dian-Xin-Tong_Network_Technologies_Co._Ltd. | China
lyzgs.com | 203.158.16.75 | NONE | 17964 | DXTNET_Beijing_Dian-Xin-Tong_Network_Technologies_Co._Ltd. | China
tczp168.com | 203.158.16.75 | NONE | 17964 | DXTNET_Beijing_Dian-Xin-Tong_Network_Technologies_Co._Ltd. | China
whchivast.com | 203.158.16.66 | NONE | 17964 | DXTNET_Beijing_Dian-Xin-Tong_Network_Technologies_Co._Ltd. | China
yanjingedu.org | 61.4.83.32 | NONE | 17964 | DXTNET_Beijing_Dian-Xin-Tong_Network_Technologies_Co._Ltd. | China
yishiweb.com | 203.158.16.72 | NONE | 17964 | DXTNET_Beijing_Dian-Xin-Tong_Network_Technologies_Co._Ltd. | China
zhongmeisb.com | 115.47.170.99 | NONE | 17964 | DXTNET_Beijing_Dian-Xin-Tong_Network_Technologies_Co._Ltd. | China
zuchezhaowo.com | 203.158.16.72 | NONE | 17964 | DXTNET_Beijing_Dian-Xin-Tong_Network_Technologies_Co._Ltd. | China
beaconpost.com | 209.188.15.35 | lonestar.hosted-servers.net. | 19181 | CWIE_-_CWIE_LLC | United States
nopos.jaibanaips.com | 64.90.42.13 | ps110979.dreamhost.com. | 26347 | DREAMHOST-AS_-_New_Dream_Network_LLC | United States
postalspecfla.itsmyiq.com | 75.119.194.105 | ps24764.dreamhost.com. | 26347 | DREAMHOST-AS_-_New_Dream_Network_LLC | United States
steamcleanersinc.com | 184.168.179.1 | p3nlhg220c1220.shr.prod.phx3.secureserver.net. | 26496 | AS-26496-GO-DADDY-COM-LLC_-_GoDaddy.com_LLC | United States
votive.co.uk | 109.75.171.200 | wokingham.webhosting.uk.com. | 29550 | SIMPLYTRANSIT_Simply_Transit_Ltd | United Kingdom
swadeshgifts.com | 108.178.28.74 | hosttrue.dnsracks.com. | 32475 | SINGLEHOP-INC_-_SingleHop | United States
sampuesartesanias.com | 66.7.221.226 | gold.nseasy.com. | 33182 | DIMENOC_-_HostDime.com_Inc. | United States
pos.bg | 78.90.170.137 | NONE | 35141 | MEGALAN_Megalan_-_Autonomous_System_of_Megalan_Network_Ltd. | Bulgaria
labassee.bebe9.com | 193.169.65.138 | xe-bb9-web-prod.systonic.net. | 38926 | SYSTONIC-AS_AS_for_BDL-SYSTEME_SA_(aka_Systonic) | France
montmorot.bebe9.com | 193.169.65.138 | xe-bb9-web-prod.systonic.net. | 38926 | SYSTONIC-AS_AS_for_BDL-SYSTEME_SA_(aka_Systonic) | France
mulhouse-wittenheim.bebe9.com | 193.169.65.138 | xe-bb9-web-prod.systonic.net. | 38926 | SYSTONIC-AS_AS_for_BDL-SYSTEME_SA_(aka_Systonic) | France
rivesaltes.bebe9.com | 193.169.65.138 | xe-bb9-web-prod.systonic.net. | 38926 | SYSTONIC-AS_AS_for_BDL-SYSTEME_SA_(aka_Systonic) | France
ny.stjarnjul.se | 217.70.32.136 | www1-php5.fordon.levonline.com. | 41175 | INTERNETBORDER_Internet_Border_Technolgies_AB | Sweden
ankieta.kosmetykiaa.pl | 94.124.1.3 | host3.polserwer.net. | 42927 | S-NET-AS_S-NET_Sp._z_o.o. | Poland
plantykopernik.pl | 94.124.1.3 | host3.polserwer.net. | 42927 | S-NET-AS_S-NET_Sp._z_o.o. | Poland
k2medya.com | 77.245.149.33 | srv75626s1.trdns.com. | 43391 | NETDIREKT-TR_Netdirekt_A.S. | Turkey
proje81.com | 77.245.149.55 | host55.b6.nw.com.tr. | 43391 | NETDIREKT-TR_Netdirekt_A.S. | Turkey
sigortabahcesi.com. | 77.245.149.14 | linmail.mail.trdns.com. | 43391 | NETDIREKT-TR_Netdirekt_A.S. | Turkey
beadsgalore.co.nz | 119.47.118.75 | linuxplesk13.openhost.net.nz. | 45459 | WEB-DRIVE-NZ-AS-AP_Web_Drive_Limited | New Zealand
sphere.com.my | 103.6.196.12 | triton.mschosting.com. | 46015 | EXABYTES-AS-AP_Exa_Bytes_Network_Sdn.Bhd. | Malaysia
joanjoy.com | 69.89.29.66 | 29-66.bluehost.com. | 46606 | BLUEHOST-AS-2_-_Bluehost_Inc. | United States
phototula.ru | 91.218.228.19 | h9.ihc.ru. | 48172 | OVERSUN-MERCURY_Oversun-Mercury_Ltd | Russian Federation

Asia seems somewhat over-represented? It is unsettling to see a site that uses Cloudflare among the compromised hosts. Note that the two AS 13335 addresses for centralstudios.cn are Cloudflare's reverse-proxy edge, not the compromised origin server, so the table's IP and country say nothing about where that site is actually hosted. The many domains sharing a single IP (for example 218.83.160.69 or 203.158.16.75) are more telling: they look like mass compromises of shared-hosting servers rather than dozens of individually hacked sites.
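For anyone who wants to act on the lure URLs and the domain/IP table above, here is an added example (it is not part of the original post) of how I would turn them into a proxy-log check and a shared-hosting grouping. The lure URLs and the ASN rows embedded below are a subset copied from this page; the proxy log lines and their format (timestamp, client IP, method, URL, HTTP status) are constructed for the demonstration, and the function names are my own.

```python
"""Detection and triage helpers for the postc.html e-card spam run.

Added example, not code from the original post. URL and ASN data are a
subset of the page's lists; the proxy log format and lines are constructed.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Subset of the lure URLs listed in the post. The e-mail-address entry is
# kept deliberately to show that malformed list entries are skipped.
LURE_URLS = """
http://21soundtracks.com/postc.html
http://beaconpost.com/mail.htm
http://centralstudios.cn/postc.html
http://sigortabahcesi.com./postc.html
http://postalspecfla.itsmyiq.com/mail.htm
http://joanjoy.com/postc.html
http:nhughesp@holyapostlesnyc.org
""".split()

# The two file names this run plants on compromised sites. Matching on the
# path alone catches lure hosts that were not yet in the observed list.
LURE_PATHS = {"/postc.html", "/mail.htm"}

# Subset of the domain / IP / AS rows from the table in the post.
AS_ROWS = [
    ("21soundtracks.com", "218.83.160.69", 4812),
    ("kesaier.com", "218.83.160.69", 4812),
    ("ts-robot.com", "218.83.160.69", 4812),
    ("3680999.com", "203.158.16.72", 17964),
    ("76ol.net", "203.158.16.72", 17964),
    ("centralstudios.cn", "108.162.198.188", 13335),  # Cloudflare edge, not the origin
    ("beaconpost.com", "209.188.15.35", 19181),
]

# Constructed proxy log: "<timestamp> <client> <method> <url> <status>".
SAMPLE_LOG = [
    "2012-08-08T09:12:01 10.0.0.15 GET http://21soundtracks.com/postc.html 200",
    "2012-08-08T09:12:05 10.0.0.15 GET http://www.example.com/index.html 200",
    "2012-08-08T09:13:40 10.0.0.22 GET http://SIGORTABAHCESI.COM/postc.html 404",
    "2012-08-08T09:14:02 10.0.0.31 GET http://other-host.example/postc.html 200",
    "this line is not in the expected format",
]

LOG_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d{3})$"
)


def normalize_host(host: str) -> str:
    """Lower-case and drop a trailing dot ('sigortabahcesi.com.' -> 'sigortabahcesi.com')."""
    return host.lower().rstrip(".")


def build_ioc_set(urls):
    """Return the set of (host, path) pairs from a lure URL list, skipping malformed entries."""
    iocs = set()
    for url in urls:
        parts = urlsplit(url)
        if not parts.hostname:  # e.g. the bare e-mail address in the list
            continue
        iocs.add((normalize_host(parts.hostname), parts.path))
    return iocs


def classify_request(url: str, iocs) -> str:
    """'ioc' = known host+path, 'path' = campaign file name on an unknown host, '' = no match."""
    parts = urlsplit(url)
    if not parts.hostname:
        return ""
    key = (normalize_host(parts.hostname), parts.path)
    if key in iocs:
        return "ioc"
    if parts.path in LURE_PATHS:
        return "path"
    return ""


def scan_log(lines, iocs):
    """Return (client, url, verdict) for every parseable log line that matches."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # unparseable line: skip rather than crash the sweep
        verdict = classify_request(m["url"], iocs)
        if verdict:
            hits.append((m["client"], m["url"], verdict))
    return hits


def hosts_by_shared_ip(rows):
    """Group compromised domains that resolve to the same IP (one hacked shared-hosting box)."""
    groups = defaultdict(list)
    for domain, ip, _asn in rows:
        groups[ip].append(domain)
    return {ip: sorted(domains) for ip, domains in groups.items() if len(domains) > 1}


if __name__ == "__main__":
    iocs = build_ioc_set(LURE_URLS)
    for client, url, verdict in scan_log(SAMPLE_LOG, iocs):
        print(f"{verdict:5} {client} -> {url}")
    for ip, domains in hosts_by_shared_ip(AS_ROWS).items():
        print(f"{ip}: {', '.join(domains)}")
```

The "path" verdict is intentionally looser than the "ioc" one: a request for /postc.html on a host you have never seen is worth a look during this campaign, but it is not proof of compromise on its own, so it should be triaged rather than blocked outright.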

[Category: spam observation diary]

by jyake