Another malicious email attack….

A valued reader (and North Korea researcher) sent me this latest example of an email attack which tries to install malware onto the user's computer:

---------- Forwarded message ----------
From: John Burba <[email protected]>
To: [DELETED]
Cc:
Date: Mon, 12 Mar 2012 22:43:07 -0700 (PDT)
Subject: Dear [DELETED]
I send your photos from last meeting.
I know we took pictures several months ago, but I’m deeply sorry that I’m now sending photos.
Please check your photos, and if you have any queries, give me a reply.

You can download photos on the link below.
Download photos

or

view the photos on my blog.
Visit my blog

Thank you, and have a nice day~

The phrases “Download photos” and “visit my blog” link to these URLs:

ttp://dailypersonal.net/ecard/view/downloader.hta

ttp://dailypersonal.net/ecard/view/goBlog.hta

I removed the “h” at the beginning of the URLs to prevent accidental linking.

I have been blogging about these malicious email attacks for a couple of years now.  See information about and examples of past attacks here.

For internet security professionals, I attach the email header below:

Return-Path:
Received: from nm9-vm6.bullet.mail.ne1.yahoo.com (nm9-vm6.bullet.mail.ne1.yahoo.com [98.138.91.102])
by mtain-dg04.r1000.mx.aol.com (Internet Inbound) with SMTP id AEBC7380000AA
for [DELETED]; Tue, 13 Mar 2012 01:43:07 -0400 (EDT)
Received: from [98.138.90.49] by nm9.bullet.mail.ne1.yahoo.com with NNFMP; 13 Mar 2012 05:43:07 -0000
Received: from [98.138.89.194] by tm2.bullet.mail.ne1.yahoo.com with NNFMP; 13 Mar 2012 05:43:07 -0000
Received: from [127.0.0.1] by omp1052.mail.ne1.yahoo.com with NNFMP; 13 Mar 2012 05:43:07 -0000
X-Yahoo-Newman-Property: ymail-5
X-Yahoo-Newman-Id: [email protected]
Received: (qmail 48320 invoked by uid 60001); 13 Mar 2012 05:43:07 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s1024; t=1331617387; bh=LqgxXqZGaGR4WM2+yd7sAZoYt3FmOedBVjyPNYJLm0o=; h=X-YMail-OSG:Received:X-Mailer:Message-ID:Date:From:Reply-To:Subject:To:MIME-Version:Content-Type; b=PDL4ur/kL2UznS8DMqlWKNvDt+Z8X1JF3mV891pCGVyUB3gVjURAkF5VTux4DPsrCxCSJxRgz0sKoJBxxxkyBuZAFp2zXzKezsyuEVpekrzI3QHhK8qZpfqLrj/xxtEvxMeux6RU/jR46w2Afjgm95QjIJDBg4ROdkUyIyD5cj8=
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws;
s=s1024; d=yahoo.com;
h=X-YMail-OSG:Received:X-Mailer:Message-ID:Date:From:Reply-To:Subject:To:MIME-Version:Content-Type;
b=DZ+OY92Uasik3C5b37GN8r3wEbjQL/maLS0+jRQVe0RxxgF4CfaHmk5ebI0iresPL6HH070C2U7MbDzpaANSnnaObrfiX0uXxQq3Q/ZO83ITtaJogx0KuqZRXPwYC1OUjHrMH56XCpfASwc82264RQDYOcB+EUM81QRKoPpZgdk=;
Received: from [121.140.196.206] by web121903.mail.ne1.yahoo.com via HTTP; Mon, 12 Mar 2012 22:43:07 PDT
X-Mailer: YahooMailWebService/0.8.116.338427
Message-ID:
Date: Mon, 12 Mar 2012 22:43:07 -0700 (PDT)
From: John Burba
Reply-To: John Burba
Subject: Dear [DELETED]
To: [DELETED]
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="541675452-2028070624-1331617387=:37045"
x-aol-global-disposition: G
x-aol-sid: 3039ac1d410c4f5ede6b3820
X-AOL-IP: 98.138.91.102
X-AOL-SPF: domain : yahoo.com SPF : none
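As an added example (not part of the original post), the Python below walks the Received chain of this header from the earliest hop upward to recover the address that handed the message to Yahoo webmail, and flags body links that point at directly executable file types such as .hta. The header excerpt and link list are constructed from the values shown above; the risky extensions other than .hta are my own assumption.

```python
import re
from email.parser import HeaderParser
from ipaddress import ip_address
from urllib.parse import urlparse

# Constructed excerpt of the Received chain from the post's header (folding re-added).
HEADER = """\
Received: from nm9-vm6.bullet.mail.ne1.yahoo.com (nm9-vm6.bullet.mail.ne1.yahoo.com [98.138.91.102])
 by mtain-dg04.r1000.mx.aol.com (Internet Inbound) with SMTP id AEBC7380000AA
 for [DELETED]; Tue, 13 Mar 2012 01:43:07 -0400 (EDT)
Received: from [127.0.0.1] by omp1052.mail.ne1.yahoo.com with NNFMP; 13 Mar 2012 05:43:07 -0000
Received: (qmail 48320 invoked by uid 60001); 13 Mar 2012 05:43:07 -0000
Received: from [121.140.196.206] by web121903.mail.ne1.yahoo.com via HTTP; Mon, 12 Mar 2012 22:43:07 PDT
X-Mailer: YahooMailWebService/0.8.116.338427

"""
# The two body links, defanged exactly as the post prints them.
LINKS = ["ttp://dailypersonal.net/ecard/view/downloader.hta",
         "ttp://dailypersonal.net/ecard/view/goBlog.hta"]

HOP_RE = re.compile(r"from\s+(?P<frm>.+?)\s+by\s+(?P<by>\S+).*?\b(?:with|via)\s+(?P<proto>[A-Za-z]+)")
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def received_hops(raw_header):
    """Return Received hops in header order (newest first) as dicts."""
    msg = HeaderParser().parsestr(raw_header)
    hops = []
    for value in msg.get_all("Received", []):
        m = HOP_RE.search(" ".join(value.split()))  # unfold the header before matching
        if not m:
            continue  # e.g. the local "(qmail ... invoked by uid ...)" line has no from/by
        ip = IP_RE.search(m["frm"])
        hops.append({"ip": ip.group(1) if ip else None, "by": m["by"], "proto": m["proto"]})
    return hops

def submission_ip(hops):
    """Earliest hop with a routable client IP: the address that submitted the mail."""
    for hop in reversed(hops):  # the bottom Received line is the first relay to touch the mail
        if hop["ip"] and ip_address(hop["ip"]).is_global:
            return hop["ip"], hop["proto"]
    return None

def flag_links(urls, risky=(".hta", ".exe", ".scr", ".vbs", ".js")):
    """Return (url, extension) for links whose path ends in a directly executable type (assumed list)."""
    return [(u, ext) for u in urls for ext in risky if urlparse(u).path.lower().endswith(ext)]

if __name__ == "__main__":
    print(submission_ip(received_hops(HEADER)))  # ('121.140.196.206', 'HTTP')
    print(flag_links(LINKS))
```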

  • Anonymous

    What’s interesting is that it is a South Korean IP address using Korea Telecom.


An affiliate of 38 North