Spam impersonating 123Greetings.com - postc.html
Published: 2012/08/12
Observed: 2012/8/8
Volume: 100 messages/day
Method: lure-URL type
Goal: malware infection
Characteristics:
The script file placed on the compromised sites is named "postc.html"
This is so-called greeting card / ecard spam.
Two or three years ago this theme was widely used by ZeuS and Bredolab, and after a long gap we have observed it being used again in recent attacks.
Lately we have been observing a lot of reuse of themes that were popular several years ago, and this is one of them.
Message text.
Examples of lure URLs. The "postc.html" path is the distinguishing feature.
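Since the lure path is the stable feature of this campaign, the mail-side check is a path match rather than a host blocklist. The following is an added example (not code from the original post) that extracts URLs from message bodies, flags those whose path is postc.html or mail.htm, and tallies the lure hosts; the sample messages and hostnames are constructed, and hostnames are normalised so a trailing dot (as in the sigortabahcesi.com. entry) does not split the count.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Lure paths seen in this campaign: postc.html on most hosts, mail.htm on a few.
LURE_PATHS = {"/postc.html", "/mail.htm"}
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def extract_lure_urls(body: str) -> list:
    """Return every URL in a message body whose path is one of the lure paths."""
    hits = []
    for m in URL_RE.finditer(body):
        url = m.group(0).rstrip(".,;:)!")  # strip punctuation glued on by prose
        parsed = urlparse(url)
        if parsed.path.lower() in LURE_PATHS:
            hits.append(url)
    return hits


def lure_hosts(messages) -> Counter:
    """Count lure hosts across messages; a trailing dot in the hostname is normalised away."""
    counts = Counter()
    for body in messages:
        for url in extract_lure_urls(body):
            host = (urlparse(url).hostname or "").rstrip(".").lower()
            counts[host] += 1
    return counts


# Constructed sample messages; the hostnames are placeholders, not the post's own list.
SAMPLE_MESSAGES = [
    "You have received a greeting card! View it at http://example-a.test/postc.html.",
    "Your friend sent you an ecard: http://example-a.test/postc.html",
    "Card waiting: http://example-b.test./mail.htm and photos at http://example-b.test/album.html",
    "Newsletter: http://example-c.test/postcards/index.html",
]

if __name__ == "__main__":
    for host, n in lure_hosts(SAMPLE_MESSAGES).most_common():
        print(f"{host}\t{n}")
```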
Regarding the domains.
domain | ip | reverse DNS | AS | AS name | country |
---|---|---|---|---|---|
kushitong.com | 58.215.64.137 | NONE | 4134 | CHINANET-BACKBONE_No.31Jin-rong_Street | China |
brightsuncoffee.com | 202.67.231.155 | dns4.hostingspeed.net. | 4645 | ASN-HKNET-AP_HKNet_Co._Ltd | HongKong |
dhjmsb.com | 121.189.19.22 | NONE | 4766 | KIXS-AS-KR_Korea_Telecom | KoreaRepublic |
keenchipled.com | 121.189.19.24 | NONE | 4766 | KIXS-AS-KR_Korea_Telecom | KoreaRepublic |
shanxianzhengda.com | 121.189.19.21 | NONE | 4766 | KIXS-AS-KR_Korea_Telecom | KoreaRepublic |
ytmeishen.com | 121.189.19.13 | NONE | 4766 | KIXS-AS-KR_Korea_Telecom | KoreaRepublic |
21soundtracks.com | 218.83.160.69 | NONE | 4812 | CHINANET-SH-AP_China_Telecom_(Group) | China |
ctrip163.com | 61.152.239.188 | NONE | 4812 | CHINANET-SH-AP_China_Telecom_(Group) | China |
iotsource.com | 61.151.239.134 | NONE | 4812 | CHINANET-SH-AP_China_Telecom_(Group) | China |
kesaier.com | 218.83.160.69 | NONE | 4812 | CHINANET-SH-AP_China_Telecom_(Group) | China |
mdshy.com | 61.152.239.188 | NONE | 4812 | CHINANET-SH-AP_China_Telecom_(Group) | China |
novoferm.com.cn | 61.152.91.38 | NONE | 4812 | CHINANET-SH-AP_China_Telecom_(Group) | China |
rushangtz.com.cn | 61.152.239.188 | NONE | 4812 | CHINANET-SH-AP_China_Telecom_(Group) | China |
s49065.w25.21pages.com | 218.83.160.69 | NONE | 4812 | CHINANET-SH-AP_China_Telecom_(Group) | China |
s63475.w25.21pages.com | 218.83.160.69 | NONE | 4812 | CHINANET-SH-AP_China_Telecom_(Group) | China |
tangwo.cn | 61.152.239.188 | NONE | 4812 | CHINANET-SH-AP_China_Telecom_(Group) | China |
ts-robot.com | 218.83.160.69 | NONE | 4812 | CHINANET-SH-AP_China_Telecom_(Group) | China |
zhuangdian.cc | 61.151.239.202 | NONE | 4812 | CHINANET-SH-AP_China_Telecom_(Group) | China |
irecords.cn | 121.101.217.125 | NONE | 4847 | CNIX-AP_China_Networks_Inter-Exchange | China |
liquidarchaeology.com | 63.250.48.134 | unix07.hsphere.cc. | 4906 | FDS-01_-_Frontline_Data_Services_Inc | UnitedStates |
ontarioaug.com | 63.250.48.134 | unix07.hsphere.cc. | 4906 | FDS-01_-_Frontline_Data_Services_Inc | UnitedStates |
ciocolatapersonalizata.ro | 193.226.163.129 | NONE | 5606 | KQRO_GTS_Telecom_SRL | Romania |
eletecsystems.ru | 195.131.162.2 | terraon.ru. | 6690 | WEBPLUS-AS_Web_Plus_ZAO | RussianFederation |
invest.m-industry.ru | 194.8.181.65 | vh2.sp.ru. | 6690 | WEBPLUS-AS_Web_Plus_ZAO | RussianFederation |
putlubvi.ru | 81.177.139.124 | NONE | 8342 | RTCOMM-AS_OJSC_RTComm.RU | RussianFederation |
centralstudios.cn | 108.162.198.188 | NONE | 13335 | CLOUDFLARENET_-_CloudFlare_Inc. | UnitedStates |
centralstudios.cn | 108.162.198.88 | NONE | 13335 | CLOUDFLARENET_-_CloudFlare_Inc. | UnitedStates |
tender.pl | 188.165.217.98 | www.bajtkom.pl. | 16276 | OVH_OVH_Systems | France |
nmg8000.com | 122.115.36.190 | NONE | 17429 | BGCTVNET_BEIJING_GEHUA_CATV_NETWORK_CO.LTD | China |
chengdaepe.com | 58.64.187.60 | NONE | 17444 | NWT-AS-AP_AS_number_for_New_World_Telephone_Ltd. | HongKong |
itouzi.net | 113.10.178.78 | NONE | 17444 | NWT-AS-AP_AS_number_for_New_World_Telephone_Ltd. | HongKong |
3680999.com | 203.158.16.72 | NONE | 17964 | DXTNET_Beijing_Dian-Xin-Tong_Network_Technologies_Co._Ltd. | China |
76ol.net | 203.158.16.72 | NONE | 17964 | DXTNET_Beijing_Dian-Xin-Tong_Network_Technologies_Co._Ltd. | China |
98793282.p93.sqnet.cn | 203.158.16.75 | NONE | 17964 | DXTNET_Beijing_Dian-Xin-Tong_Network_Technologies_Co._Ltd. | China |
ay-motor.com | 61.4.83.32 | NONE | 17964 | DXTNET_Beijing_Dian-Xin-Tong_Network_Technologies_Co._Ltd. | China |
bjflm.cn | 61.4.83.39 | NONE | 17964 | DXTNET_Beijing_Dian-Xin-Tong_Network_Technologies_Co._Ltd. | China |
bjhkby.com | 115.47.67.138 | NONE | 17964 | DXTNET_Beijing_Dian-Xin-Tong_Network_Technologies_Co._Ltd. | China |
bjlrpc.com | 115.47.67.171 | NONE | 17964 | DXTNET_Beijing_Dian-Xin-Tong_Network_Technologies_Co._Ltd. | China |
carbcomposite.com | 115.47.73.245 | NONE | 17964 | DXTNET_Beijing_Dian-Xin-Tong_Network_Technologies_Co._Ltd. | China |
doleson.com | 115.47.134.247 | NONE | 17964 | DXTNET_Beijing_Dian-Xin-Tong_Network_Technologies_Co._Ltd. | China |
foreverbj.com | 203.158.16.75 | NONE | 17964 | DXTNET_Beijing_Dian-Xin-Tong_Network_Technologies_Co._Ltd. | China |
foryoubbs.com | 115.47.68.164 | NONE | 17964 | DXTNET_Beijing_Dian-Xin-Tong_Network_Technologies_Co._Ltd. | China |
greencook.net | 61.4.83.39 | NONE | 17964 | DXTNET_Beijing_Dian-Xin-Tong_Network_Technologies_Co._Ltd. | China |
hbgtbw.com | 203.158.16.75 | NONE | 17964 | DXTNET_Beijing_Dian-Xin-Tong_Network_Technologies_Co._Ltd. | China |
jinqiaouk.com | 203.158.16.66 | NONE | 17964 | DXTNET_Beijing_Dian-Xin-Tong_Network_Technologies_Co._Ltd. | China |
lyzgs.com | 203.158.16.75 | NONE | 17964 | DXTNET_Beijing_Dian-Xin-Tong_Network_Technologies_Co._Ltd. | China |
tczp168.com | 203.158.16.75 | NONE | 17964 | DXTNET_Beijing_Dian-Xin-Tong_Network_Technologies_Co._Ltd. | China |
whchivast.com | 203.158.16.66 | NONE | 17964 | DXTNET_Beijing_Dian-Xin-Tong_Network_Technologies_Co._Ltd. | China |
yanjingedu.org | 61.4.83.32 | NONE | 17964 | DXTNET_Beijing_Dian-Xin-Tong_Network_Technologies_Co._Ltd. | China |
yishiweb.com | 203.158.16.72 | NONE | 17964 | DXTNET_Beijing_Dian-Xin-Tong_Network_Technologies_Co._Ltd. | China |
zhongmeisb.com | 115.47.170.99 | NONE | 17964 | DXTNET_Beijing_Dian-Xin-Tong_Network_Technologies_Co._Ltd. | China |
zuchezhaowo.com | 203.158.16.72 | NONE | 17964 | DXTNET_Beijing_Dian-Xin-Tong_Network_Technologies_Co._Ltd. | China |
beaconpost.com | 209.188.15.35 | lonestar.hosted-servers.net. | 19181 | CWIE_-_CWIE_LLC | UnitedStates |
nopos.jaibanaips.com | 64.90.42.13 | ps110979.dreamhost.com. | 26347 | DREAMHOST-AS_-_New_Dream_Network_LLC | UnitedStates |
postalspecfla.itsmyiq.com | 75.119.194.105 | ps24764.dreamhost.com. | 26347 | DREAMHOST-AS_-_New_Dream_Network_LLC | UnitedStates |
steamcleanersinc.com | 184.168.179.1 | p3nlhg220c1220.shr.prod.phx3.secureserver.net. | 26496 | AS-26496-GO-DADDY-COM-LLC_-_GoDaddy.com_LLC | UnitedStates |
votive.co.uk | 109.75.171.200 | wokingham.webhosting.uk.com. | 29550 | SIMPLYTRANSIT_Simply_Transit_Ltd | UnitedKingdom |
swadeshgifts.com | 108.178.28.74 | hosttrue.dnsracks.com. | 32475 | SINGLEHOP-INC_-_SingleHop | UnitedStates |
sampuesartesanias.com | 66.7.221.226 | gold.nseasy.com. | 33182 | DIMENOC_-_HostDime.com_Inc. | UnitedStates |
pos.bg | 78.90.170.137 | NONE | 35141 | MEGALAN_Megalan_-_Autonomous_System_of_Megalan_Network_Ltd. | Bulgaria |
labassee.bebe9.com | 193.169.65.138 | xe-bb9-web-prod.systonic.net. | 38926 | SYSTONIC-AS_AS_for_BDL-SYSTEME_SA_(aka_Systonic) | France |
montmorot.bebe9.com | 193.169.65.138 | xe-bb9-web-prod.systonic.net. | 38926 | SYSTONIC-AS_AS_for_BDL-SYSTEME_SA_(aka_Systonic) | France |
mulhouse-wittenheim.bebe9.com | 193.169.65.138 | xe-bb9-web-prod.systonic.net. | 38926 | SYSTONIC-AS_AS_for_BDL-SYSTEME_SA_(aka_Systonic) | France |
rivesaltes.bebe9.com | 193.169.65.138 | xe-bb9-web-prod.systonic.net. | 38926 | SYSTONIC-AS_AS_for_BDL-SYSTEME_SA_(aka_Systonic) | France |
ny.stjarnjul.se | 217.70.32.136 | www1-php5.fordon.levonline.com. | 41175 | INTERNETBORDER_Internet_Border_Technolgies_AB | Sweden |
ankieta.kosmetykiaa.pl | 94.124.1.3 | host3.polserwer.net. | 42927 | S-NET-AS_S-NET_Sp._z_o.o. | Poland |
plantykopernik.pl | 94.124.1.3 | host3.polserwer.net. | 42927 | S-NET-AS_S-NET_Sp._z_o.o. | Poland |
k2medya.com | 77.245.149.33 | srv75626s1.trdns.com. | 43391 | NETDIREKT-TR_Netdirekt_A.S. | Turkey |
proje81.com | 77.245.149.55 | host55.b6.nw.com.tr. | 43391 | NETDIREKT-TR_Netdirekt_A.S. | Turkey |
sigortabahcesi.com. | 77.245.149.14 | linmail.mail.trdns.com. | 43391 | NETDIREKT-TR_Netdirekt_A.S. | Turkey |
beadsgalore.co.nz | 119.47.118.75 | linuxplesk13.openhost.net.nz. | 45459 | WEB-DRIVE-NZ-AS-AP_Web_Drive_Limited | NewZealand |
sphere.com.my | 103.6.196.12 | triton.mschosting.com. | 46015 | EXABYTES-AS-AP_Exa_Bytes_Network_Sdn.Bhd. | Malaysia |
joanjoy.com | 69.89.29.66 | 29-66.bluehost.com. | 46606 | BLUEHOST-AS-2_-_Bluehost_Inc. | UnitedStates |
phototula.ru | 91.218.228.19 | h9.ihc.ru. | 48172 | OVERSUN-MERCURY_Oversun-Mercury_Ltd | RussianFederation |
Asia is somewhat over-represented? It is unsettling that sites behind Cloudflare have been compromised.
by jyake