For the last several days, I've been receiving a new kind of spam. Below you can see a copy of the email. Following the email is my analysis of this:
Subject: Member Details
From: "MP3 World" <email@example.com>

New Member,

Thank You for Joining MP3 World.

Confirmation Number: 7245114248563
Your Temp. Login ID: user1043
Temorary Password: pu345

Your temporary Login Info will expire in 24 hours. Please login and change it.
Use this link to change your Login info: MP3 World

Thank You,
Confirmation Dept.
MP3 World
The first red flag I noticed was the From email address. Ok, so "MP3 World" sounds like a legitimate web site. The problem is, the actual email address next to it is the email address of some grade school in Connecticut! You can tell this because the email address contains 'cheshire.k12.ct.us'. The 'ct.us' indicates that this is likely in Connecticut in the United States. The 'k12' usually indicates a grade school (i.e. Kindergarten through 12th grade). 'cheshire' is likely the name of the school. So in other words, Cheshire High School in Connecticut is running a web site called 'MP3 World'? Unlikely. If this were a legitimate web site, the email address would likely end in 'mp3world.com' or something like that. Granted, the From address on an email can easily be faked, but on this one they didn't even bother to do that.
The next obvious red flag was that it was for a site that I'd never heard of and had not signed up for. If you don't recognize the name of the site and don't remember signing up for it, that's a good sign that this is at worst spam, and at best a mistake by that web site.
The next red flag that I noticed was the link to 'MP3 World' itself that was in the email. If you look at the email, the link was pointing to 'http://220.127.116.11' rather than 'http://www.mp3world.com' or something like that, as you would expect. I did a reverse DNS lookup on that 18.104.22.168 and found out that it was a RoadRunner IP address. RoadRunner is a cable broadband provider for homes. Why would a home user be hosting an 'MP3 World' web site from his home computer? That makes no sense. Plus, the fact that it is listed as an IP rather than a domain name likely means there IS no DNS record for an 'MP3 World' domain.
The next thing I did was to carefully retrieve the HTML page listed at that IP address. I did NOT do this using a web browser. That's a good way to get your computer 'owned'. I used a program called wget, which just downloads the raw HTML and that's all. Upon looking at the HTML, all I saw was a very basic web page that had a link to 'ecard.exe' for download. The fact that it was trying to get me to download an executable was another huge red flag. If all you are doing is logging into a web site, you don't need any executables for that. You just need to log into the web site from any browser. The presence of this executable is a STRONG sign that the executable is a virus that will infect your machine.
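The checks in the three red flags above (display name vs. sender domain, a link that is a bare IP instead of a hostname, and a "login" page that only hands out an executable) can be automated so that the raw message and the wget-fetched HTML are inspected without ever rendering them. The script below is an added example, not code from the original post; the sample message, the placeholder school domain, the 192.0.2.10 documentation address and the page contents are all constructed for illustration and are not the values from the email discussed above. Only the Python standard library is used, and nothing touches the network.

```python
"""Offline triage heuristics for a suspicious 'welcome' email.

Added example. The sample email and fetched page below are constructed;
the sender domain, IP address and file name are placeholders, not data
taken from the original post.
"""
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: the display name claims one site, the mailbox lives
# at an unrelated school domain, and the only link is a bare IP address.
SAMPLE_EMAIL = """From: "MP3 World" <someuser@example-school.k12.example>
Subject: Member Details
Content-Type: text/html

<html><body>Your Temp. Login ID: user1043<br>
Use this link to change your Login info:
<a href="http://192.0.2.10/">MP3 World</a></body></html>
"""

# Constructed sample of what a raw fetch (wget, not a browser) of that
# page might return: a near-empty page whose only link is an executable.
SAMPLE_PAGE = '<html><body><a href="ecard.exe">Click here</a></body></html>'


class LinkCollector(HTMLParser):
    """Collect every href from <a> tags; nothing is rendered or followed."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.links.append(value)


def extract_links(html):
    parser = LinkCollector()
    parser.feed(html)
    return parser.links


def is_ip_literal(url):
    """True when the URL's host is an IPv4/IPv6 address rather than a name."""
    host = urlparse(url).hostname
    if host is None:
        return False
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def triage_email(raw):
    """Return the list of red flags found in one raw RFC 822 message."""
    msg = message_from_string(raw)
    flags = []
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

    # Display name advertises a brand that the sender's domain does not carry.
    brand = re.sub(r"[^a-z0-9]", "", display.lower())
    if brand and brand not in domain.replace(".", "").replace("-", ""):
        flags.append(f"from-domain-mismatch: '{display}' sent from {domain}")

    # A school or university mailbox is an odd sender for a commercial service.
    if ".k12." in domain or domain.endswith(".edu"):
        flags.append(f"educational-sender: {domain}")

    # Links that point at a bare IP instead of a hostname (no DNS record).
    body = (msg.get_payload(decode=True) or b"").decode(errors="replace")
    for link in extract_links(body):
        if is_ip_literal(link):
            flags.append(f"ip-literal-link: {link}")
    return flags


def triage_page(html):
    """A 'login' page should never hand out executables; list any it links."""
    exe_ext = (".exe", ".scr", ".com", ".bat", ".pif")
    return [link for link in extract_links(html) if link.lower().endswith(exe_ext)]


if __name__ == "__main__":
    for flag in triage_email(SAMPLE_EMAIL):
        print("EMAIL:", flag)
    for link in triage_page(SAMPLE_PAGE):
        print("PAGE: executable download link:", link)
```

Running it on the constructed samples reports the sender/brand mismatch, the educational sender domain, the IP-literal link, and the `ecard.exe` download on the fetched page. The page is parsed with `html.parser` rather than opened in a browser for the same reason the post uses wget: the HTML is only read, never executed.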
Based on these observations, it appears a computer at some grade school in Connecticut has become infected with spyware that is being used to secretly spread that spyware to other computers.
Beware of this latest scam!