Tuesday, February 25, 2014

Cyberattack of the Antis

This was waiting for me in my inbox this morning:
No doubt the link goes to a malicious site.

I doubt it came from someone in the organization, but there's always the possibility they've been hacked/had their address book hijacked.  My edress would be in it, because I signed up for bus tour notifications, which they never sent me.

Then again, it could just be someone who knows I signed up because I was encouraging everyone to do so at the time. I had one guy telling me he was an insider and offering to sell me the schedule.  I figured, if true, such a snake would do more damage if left to plot on his own.

In any case, it seems reasonable to believe this is targeted.  Here's the message source code, for any of you who know how to make heads or tails out of it:
x-store-info:7YsnRco0gQJ3EyekdHv0zlwbSFmh6T19lw0H9Cp5ZEx6D1RZG17SC+l2JXAs8WURhUVMDHRt/QLZxZiEpT4kDZRyeb7wfKNheF8pKpAVT5iSgn9MXkcz6ah6ol3Gh4OSss7poc/2YJ8=
Authentication-Results: hotmail.com; spf=pass (sender IP is 130.185.83.90; identity alignment result is fail and alignment mode is relaxed) smtp.mailfrom=pedro.martins@proengel.pt; dkim=none (identity alignment result is pass and alignment mode is relaxed) header.d=yahoo.com; x-hmca=none header.id=bloombergbustour@yahoo.com
X-SID-PRA: bloombergbustour@yahoo.com
X-AUTH-Result: NONE
X-SID-Result: NONE
X-Message-Status: n:n
X-Message-Delivery: Vj0xLjE7dXM9MDtsPTA7YT0wO0Q9MTtHRD0yO1NDTD0w
X-Message-Info: NhFq/7gR1vQyjzXYE8jYWufiQNeFNAIi8fQ/wFgbQD1rNh1i5dEHQzp8vTIkRRfY9FJNm5jGPiKTPqh9riTpeqwGMYUgkuThWrK+ykQpbB0x6wBUDJacF6k/94eJ/JF6WDBBeaP/yzsH5+BJIg4qFMC5sTJhXNTRjAmhtykuJ34oeBocnBg8xfEZ4gWONrStuHjT3cxQ/CciDx2s39gb1J05qATXQHV0
Received: from serv2.designbinarioserver2.com ([130.185.83.90]) by SNT0-MC4-F21.Snt0.hotmail.com with Microsoft SMTPSVC(6.0.3790.4900); Tue, 25 Feb 2014 03:16:57 -0800
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=proengel.pt; s=default; h=Content-Description:Content-type:Reply-To:MIME-Version:Date:Subject:To:From; bh=1SmaaUQj49jH/77mvnZ3zqZBbXpzqpg5H82Cg0TEDh0=; b=FcUWF7QDRs44erxoz7lmAHzsjvrUUW/sYXdThg+8cKnb7f7vt/pZXjiTPQ2ak5V+gwufNvVIJG+kkURewuBS5H7CXxXho78HE6VvARO6231t73oYtp5xtRk35EF/0s/0;
Received: from cable-188-2-94-84.dynamic.sbb.rs ([188.2.94.84]:2310 helo=mycomputer) by serv2.designbinarioserver2.com with esmtpa (Exim 4.82) (envelope-from ) id 1WIG0N-000qm5-43 for dcodrea@hotmail.com; Tue, 25 Feb 2014 11:16:55 +0000
From: "Bloomberg BusTour"
To: "dcodrea"
Subject: Bloomberg BusTour
Date: Mon, 25 Feb 2014 12:16:56 +0100
MIME-Version: 1.0
X-mailer: Microsoft Office Outlook, Build 11.0.5510
Reply-To: bloombergbustour@yahoo.com
Content-type: Multipart/mixed; boundary="1872BEDD_42B5E946_boundary"
Content-Description: Multipart message
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - serv2.designbinarioserver2.com
X-AntiAbuse: Original Domain - hotmail.com
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - proengel.pt
X-Get-Message-Sender-Via: serv2.designbinarioserver2.com: authenticated_id: pedro.martins@proengel.pt
Return-Path: pedro.martins@proengel.pt
Message-ID:
X-OriginalArrivalTime: 25 Feb 2014 11:16:58.0031 (UTC) FILETIME=[18E6ABF0:01CF321B]

--1872BEDD_42B5E946_boundary
Content-type: text/html; charset=UTF-8
Content-Transfer-Encoding: Quoted-printable
Content-Disposition: inline
Content-Description: HTML text

=EF=BB=BFhttp://www.dydnik.ru/ssygzzu/news.p=
hp
Bloomberg BusTour
--1872BEDD_42B5E946_boundary--

Is "Pedro" a victim too?

Regardless, if you get a similar email, don't click on the link. 
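For readers who want to make heads or tails of headers like the ones above, here is an added example (not from the original post) of the checks a mail analyst would run over them: walk the Received chain back to the earliest hop, compare the domains in From, Return-Path, Reply-To and the DKIM d= tag, and decode the quoted-printable body to pull out the link. Run against the source quoted above it reports what the Authentication-Results line already says in compressed form: the envelope sender (proengel.pt) and the DKIM signer (proengel.pt) do not align with the displayed From domain (yahoo.com), the earliest hop is a dynamic sbb.rs address, and the "esmtpa" and "authenticated_id" fields show the message was submitted through the proengel.pt server with that account's credentials, which is what a hijacked account, rather than a plain forgery, looks like. The sample message embedded in the script is a trimmed copy of the quoted headers; the From address, which the quoted source elides, is filled in from the header.id value, and the DKIM bh=/b= values are placeholders.

```python
import email
import re
from email.message import Message

# Constructed sample: the headers and body quoted in the post, trimmed to the
# fields this script reads. The From address is assumed from the header.id
# value in Authentication-Results; the DKIM bh=/b= values are placeholders.
RAW_MESSAGE = """\
Authentication-Results: hotmail.com; spf=pass (sender IP is 130.185.83.90; identity alignment result is fail and alignment mode is relaxed) smtp.mailfrom=pedro.martins@proengel.pt; dkim=none (identity alignment result is pass and alignment mode is relaxed) header.d=yahoo.com; x-hmca=none header.id=bloombergbustour@yahoo.com
Received: from serv2.designbinarioserver2.com ([130.185.83.90]) by SNT0-MC4-F21.Snt0.hotmail.com with Microsoft SMTPSVC(6.0.3790.4900); Tue, 25 Feb 2014 03:16:57 -0800
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=proengel.pt; s=default; h=From; bh=PLACEHOLDER; b=PLACEHOLDER;
Received: from cable-188-2-94-84.dynamic.sbb.rs ([188.2.94.84]:2310 helo=mycomputer) by serv2.designbinarioserver2.com with esmtpa (Exim 4.82) id 1WIG0N-000qm5-43 for dcodrea@hotmail.com; Tue, 25 Feb 2014 11:16:55 +0000
From: "Bloomberg BusTour" <bloombergbustour@yahoo.com>
Subject: Bloomberg BusTour
Reply-To: bloombergbustour@yahoo.com
Return-Path: pedro.martins@proengel.pt
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="1872BEDD_42B5E946_boundary"

--1872BEDD_42B5E946_boundary
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

=EF=BB=BFhttp://www.dydnik.ru/ssygzzu/news.p=
hp
Bloomberg BusTour
--1872BEDD_42B5E946_boundary--
"""

# "from <helo> ([<ip>]...) ... by <server>" as written by most MTAs
_HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\(\[?(?P<ip>\d{1,3}(?:\.\d{1,3}){3}).*?\bby\s+(?P<by>\S+)",
    re.DOTALL,
)
_URL_RE = re.compile(r"https?://[^\s<>\"']+")


def parse_message(raw: str) -> Message:
    return email.message_from_string(raw)


def received_chain(msg: Message) -> list:
    """Received hops in origination order (earliest hop first).

    Each relay prepends its own Received header, so the last one in the
    message is the earliest hop. Only hops logged by a server you trust are
    reliable; anything below that can have been forged by the sender."""
    hops = []
    for value in msg.get_all("Received", []):
        m = _HOP_RE.search(value)
        if m:
            hops.append(m.groupdict())
    hops.reverse()
    return hops


def _addr_domain(value):
    m = re.search(r"[\w.+-]+@([\w.-]+)", value or "")
    return m.group(1).lower() if m else None


def _same_org(a, b):
    """Relaxed alignment: identical, or one is a subdomain of the other."""
    return bool(a and b) and (a == b or a.endswith("." + b) or b.endswith("." + a))


def domain_alignment(msg: Message) -> dict:
    """Compare the domain the user sees (From) with the domains SPF and DKIM
    actually vouch for (Return-Path envelope sender, DKIM d= tag)."""
    dkim = re.search(r"\bd=([^;\s]+)", msg.get("DKIM-Signature", ""))
    result = {
        "from": _addr_domain(msg.get("From")),
        "return_path": _addr_domain(msg.get("Return-Path")),
        "reply_to": _addr_domain(msg.get("Reply-To")),
        "dkim_d": dkim.group(1).lower() if dkim else None,
    }
    result["spf_aligned"] = _same_org(result["from"], result["return_path"])
    result["dkim_aligned"] = _same_org(result["from"], result["dkim_d"])
    return result


def extract_urls(msg: Message) -> list:
    """Decode every text part (quoted-printable/base64 handled by decode=True),
    drop a leading BOM, and return the links found."""
    urls = []
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        payload = part.get_payload(decode=True) or b""
        text = payload.decode(part.get_content_charset() or "utf-8", errors="replace")
        urls.extend(u.rstrip(".,)") for u in _URL_RE.findall(text.lstrip("\ufeff")))
    return urls


def triage(raw: str) -> dict:
    msg = parse_message(raw)
    hops, align, urls = received_chain(msg), domain_alignment(msg), extract_urls(msg)
    findings = []
    if not align["spf_aligned"]:
        findings.append(f"envelope sender {align['return_path']} does not align with From domain {align['from']}")
    if not align["dkim_aligned"]:
        findings.append(f"DKIM signer {align['dkim_d']} does not align with From domain {align['from']}")
    if hops:
        findings.append(f"earliest hop: {hops[0]['helo']} [{hops[0]['ip']}] submitted via {hops[0]['by']}")
    findings.extend(f"link in body: {u}" for u in urls)
    return {"hops": hops, "alignment": align, "urls": urls, "findings": findings}


if __name__ == "__main__":
    for line in triage(RAW_MESSAGE)["findings"]:
        print(line)
```

The script uses only the standard library. For a real message, paste the full source (as the post did) into RAW_MESSAGE or read it from a file with `email.message_from_file`; the hop list is only trustworthy down to the first server you control, since everything earlier is text the sender could have written.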

1 comment:

Anonymous said...

The earliest recorded origination point for that email was from a computer on what appears to be a residential internet connection in Serbia.

Received: from cable-188-2-94-84.dynamic.sbb.rs

Targeted or not, everything (links, attachments) in that email should be considered extremely suspicious and dangerous.