
Email:

Emails pretending to be from your registrar claim your domain is being suspended over abuse complaints.

Link downloads malware.

These emails are NOT coming from your domain registrar!!1!


Subject: Domain [ domain name ] Suspension Notice


Dear Sir/Madam,

The following domain names have been suspended for violation of the
[ domain registrar ] Abuse Policy:

Domain Name: [ domain name ]
Registrar: [ domain registrar ]
Registrant Name: [ name of domain registrant ]

Multiple warnings were sent by [ domain registrar ] Spam and Abuse Department to give
you an opportunity to address the complaints we have received.

We did not receive a reply from you to these email warnings so we then attempted to
contact you via telephone.

We had no choice but to suspend your domain name when you did not respond to our
attempts to contact you.

Click here and download a copy of complaints we have received.

Please contact us for additional information regarding this notification.

Sincerely,
[ domain registrar ]
Spam and Abuse Department
Abuse Department Hotline: 480-131-5681

This email has been protected by YAC (Yet Another Cleaner)
www.yac.mx

Picture of fake domain abuse complaint email with malware.

The .php script behind the link seems to expect a domain name in the GET request, which the link in the email supplies.


Header Examples:

2 November 2015 

So not only do they name-drop your domain and registrar in the email body, they also show up in the From and Envelope headers.

Received: from mta02.eonet.ne.jp [203.140.81.51]
X-Envelope-From: kazuhiko1961ss @leto.eonet.ne.jp
From: " [ domain registrar ] " <icann-abuse-reports@[ domain like your registrar ]>
Subject: Domain [ domain name ] Suspension Notice
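As an added example, not part of the original post, here is a small Python check for the header pattern above: it flags a From: domain that differs from the envelope sender, the "Suspension Notice" subject, the "download a copy of complaints" lure in the body, and a download name with a double extension like .pdf.scr. The sample message is constructed to mirror the quoted headers; all domains and the IP are placeholders.

```python
import re
from email import message_from_string

# Constructed sample mirroring the quoted headers; placeholder domains/IP.
SAMPLE = """Received: from mta02.example-isp.invalid [192.0.2.51]
X-Envelope-From: someone@example-isp.invalid
From: "Example Registrar" <icann-abuse-reports@example-registrar-lookalike.invalid>
Subject: Domain example.com Suspension Notice

Click here and download a copy of complaints we have received.
"""

# Document-looking name followed by an executable extension, e.g. foo.pdf.scr
DOUBLE_EXT = re.compile(r"\.(pdf|doc|docx|xls|txt)\.(scr|exe|com|pif|bat|js)$", re.I)


def addr_domain(value):
    """Return the lower-cased domain of the first address in a header value."""
    m = re.search(r"[\w.+-]+@([\w.-]+)", value or "")
    return m.group(1).lower() if m else None


def check_headers(raw):
    """Return the reasons a message matches the registrar-suspension lure."""
    msg = message_from_string(raw)
    reasons = []
    from_dom = addr_domain(msg.get("From"))
    env_dom = addr_domain(msg.get("X-Envelope-From"))
    # The lure spoofs a registrar-style From: but is relayed from an unrelated sender.
    if from_dom and env_dom and from_dom != env_dom:
        reasons.append(f"From domain {from_dom} != envelope sender {env_dom}")
    if re.search(r"suspension notice", msg.get("Subject", ""), re.I):
        reasons.append("subject matches suspension-notice lure")
    if re.search(r"download a copy of complaints", msg.get_payload(), re.I):
        reasons.append("body matches download-complaints lure")
    return reasons


def suspicious_download_name(name):
    """True for names like example.com_copy_of_complaints.pdf.scr."""
    return bool(DOUBLE_EXT.search(name))
```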


Malware

2 November 2015

Downloaded executable: [ domain name ]_copy_of_complaints.pdf.scr (Cryptowall ransomware)

VirusTotal report | malwr.com report | hybrid-analysis.com report 

A for effort. Yes, the GET with your domain name in it results in an executable named with your domain name.

Anywhoo... it gets its public-facing IP address from:

ip-addr.e
myexternalip.com
curlmyip.com

POSTs data to and gets data from a ton of hacked/junky websites:


I'm sure eventually we would get a bunch of ransom notes and some tor2web gateways through which we could buy our files back.

When I ran it, the tor2web gateways were:

ayh2m57ruxjtwyd5.blindpayallfor.com/1Ui4dRY
ayh2m57ruxjtwyd5.stopmigrationss.com/1Ui4dRY
ayh2m57ruxjtwyd5.starswarsspecs.com/1Ui4dRY
ayh2m57ruxjtwyd5.malerstoniska.com/1Ui4dRY

Ransom went to Bitcoin wallet:

1GiP49H6Wzda5SdM3tUWyTMLm8Z1YG7Vcs