Spammers use OFAC as hook; the upsurge in one TLD and the return of an old tactic


This morning's collection of spam raises several issues that should interest an extremely broad range of people across organisations.
As of this morning, all of our mail servers are rejecting all mail from .us domains. The reason is simple: in a period of 24 hours, almost 20% of the spam delivered to us has come from .us domains. Blocking an entire TLD is a blunt instrument (legitimate .us senders, US state and local government bodies among them, will be refused too), so it is a measure to revisit once the wave passes rather than a permanent setting.
Experience tells us that these domains are likely to have been newly registered and are not expected to last long before being blocked. Here are four examples, with the IP address each name resolved to and, where one was given, the reply address; note that all four sit in the same 142.11.218.0/24 range:
curcm-cm80.us DNS 142.11.218.3 reply puni@6revs.com
heslth89.us DNS 142.11.218.8
sysenergy.us DNS 142.11.218.10
vitigotreat.us DNS 142.11.218.15
The following postal addresses were given in the mails:
56 Peachtree Lane, Helotes, TX 78023
2228 Zimmerman Lane, Los Angeles, CA 90013
2569 Coffman Alley, Elizabethtown, KY 42701
Each e-mail contains code that may or may not do something if the mail is viewed as HTML rather than as plain text.
Then there's an old chestnut: criminals are using an address at Russian airline Aeroflot as the sender of a mail that links to another old trick, a page on an otherwise innocent website which has been hacked to plant a file in its wp-includes/js directory. That directory was widely abused by criminals for several years, and we had seen a sharp fall in the number of instances; it is now back. Those who run WordPress sites should check it: wp-includes/js is a core directory that should contain only the files shipped with the installed WordPress version, so compare its contents against the official release (WP-CLI's core verify-checksums command reports files that should not be there) and restrict write access to wp-includes as a whole.
The mail's From: header purports to come from abdcin.cl, which isn't very interesting. What is interesting is that the mail has, in fact, been sent from 80.92.36.247, an IP address that aeroflot.ru's SPF record lists as a permitted sender, with the HELO name mx1.aeroflot.ru and an envelope sender of agpapsu@aeroflot.ru. How the criminals came to be sending through Aeroflot's outbound infrastructure (a compromised mailbox or an abusable relay, for instance) cannot be told from the headers alone, but the SPF pass itself is genuine:
"Received-SPF: pass (se2.mailspamprotection.com: domain of aeroflot.ru designates 80.92.36.247 as permitted sender) client-ip=80.92.36.247; envelope-from=agpapsu@aeroflot.ru; helo=mx1.aeroflot.ru;"
That SPF pass applies only to the envelope sender, aeroflot.ru. SPF never examines the From: header that the recipient actually sees, so a filter which treats "SPF pass" as proof that abdcin.cl sent the mail has been misled; only an alignment check of the kind DMARC performs would notice that the two domains differ.
Equally important is the nature of the mail which, if the HTML version were viewed, hides the real link: the visible anchor text shows the OFAC website while the underlying href points to the hacked site, a mismatch that only shows in the raw HTML or on hovering over the link.
The subject line is " Last Warning Urgent Ofac Report" and the body of the mail reads "Dear Agent, Kindly provide a confirmation that underlying transaction is not directly/indirectly related to any OFAC blocked country or any sanctioned entity/individual." There is then a link to a zip file on the hacked site. Also worth noting is that the "reply to" address is given as "admin@ofaccompliance.com", a .com domain rather than anything belonging to the US Treasury.
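As an added example that is not part of the original post, the following Python script performs the two checks the headers above call for, on a constructed copy of the mail: it confirms that the SPF pass covers the envelope sender aeroflot.ru and not the visible From: at abdcin.cl (a DMARC-style alignment test), and it finds anchors whose visible text is a URL on a different host from the href. The Received-SPF line is the one quoted above; the From: mailbox, the recipient, the hacked-site URL (a reserved .invalid name) and the OFAC display URL are stand-ins, since the post does not give them.

```python
"""Two checks on the Aeroflot/OFAC mail: does the SPF pass vouch for the
visible From: address, and do the HTML links go where their text says?
Added example, not code from the original post.  RAW_MAIL is constructed:
the Received-SPF line is the one quoted in the post; the From: mailbox at
abdcin.cl, the recipient, the hacked-site URL (.invalid) and the OFAC
display URL are stand-ins for details the post does not give."""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

RAW_MAIL = """\
Received-SPF: pass (se2.mailspamprotection.com: domain of aeroflot.ru designates 80.92.36.247 as permitted sender) client-ip=80.92.36.247; envelope-from=agpapsu@aeroflot.ru; helo=mx1.aeroflot.ru;
From: "OFAC Compliance" <compliance@abdcin.cl>
Reply-To: admin@ofaccompliance.com
To: agent@example.com
Subject: Last Warning Urgent Ofac Report
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Dear Agent, Kindly provide a confirmation that underlying transaction is
not directly/indirectly related to any OFAC blocked country or any sanctioned
entity/individual.</p>
<p>Report: <a href="http://hacked-site.invalid/wp-includes/js/report.zip">https://ofac.treasury.gov/</a></p>
<p>Questions: <a href="https://ofac.treasury.gov/">https://ofac.treasury.gov/</a></p>
</body></html>
"""

def org_domain(domain):
    # Organisational domain approximated as the last two labels.  Real DMARC
    # relaxed alignment uses the Public Suffix List (this is wrong for co.uk).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def spf_aligned(envelope_domain, header_from_domain, mode="relaxed"):
    # SPF only evaluates the envelope sender (RFC5321.MailFrom); a pass says
    # nothing about the From: header unless the two domains align.
    if mode == "strict":
        return envelope_domain.lower() == header_from_domain.lower()
    return org_domain(envelope_domain) == org_domain(header_from_domain)

class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(url_like):
    s = url_like.strip()
    return (urlparse(s if "://" in s else "http://" + s).hostname or "").lower()

def looks_like_url(text):
    return bool(re.fullmatch(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", text, re.I))

def deceptive_links(html):
    """Links whose visible text is a URL on a different host than the href:
    the OFAC-lookalike trick described in the post."""
    parser = LinkCollector()
    parser.feed(html)
    return [(text, href) for href, text in parser.links
            if looks_like_url(text) and host_of(text) != host_of(href)]

def analyse(raw):
    msg = message_from_string(raw)
    spf = msg.get("Received-SPF", "")
    spf_result = spf.split(None, 1)[0].lower() if spf else "none"
    m = re.search(r"envelope-from=([^;\s]+)", spf)
    envelope_domain = m.group(1).rsplit("@", 1)[-1] if m else ""
    header_from_domain = parseaddr(msg.get("From", ""))[1].rsplit("@", 1)[-1]
    body = (msg.get_payload(decode=True) or b"").decode(
        msg.get_content_charset() or "utf-8", "replace")
    return {
        "spf_result": spf_result,
        "envelope_domain": envelope_domain,
        "header_from_domain": header_from_domain,
        # True only if SPF passed AND the passing domain aligns with From:
        "spf_vouches_for_from": spf_result == "pass"
        and spf_aligned(envelope_domain, header_from_domain),
        "reply_to": parseaddr(msg.get("Reply-To", ""))[1],
        "deceptive_links": deceptive_links(body),
    }

if __name__ == "__main__":
    for key, value in analyse(RAW_MAIL).items():
        print(f"{key}: {value}")
```

Run against the constructed mail, spf_vouches_for_from comes out False even though spf_result is "pass", which is the alignment test a DMARC-enforcing receiver would apply, and the report link is flagged because its text names ofac.treasury.gov while its href points at the .invalid stand-in for the hacked site. The org_domain shortcut is deliberately naive; a production check would use the Public Suffix List.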
There is logic in this spam: it appears to come from an airline that may expect at least some of its customers to be doing business with Syria and Iran, amongst other countries sanctioned via OFAC, and a demand for a sanctions confirmation is exactly the kind of message such customers are used to receiving. The chances of success within that target market are high.
