Potentially malicious spam from ticketmaster.com?

[opps]

Hi all

Just received an email proportion to be from Abode- wishing me a happy Xmas and suggesting that I upgrade Adobe reader?

The oddest thing is that the hyperlinks to upgrade ( http://www.2012-acrobat-adobe-download.com/ ) actually points to ticketmaster.com.

Having looked through the header it looks as though the email actually came from ticketmaster or am I miss-reading the header?

i have obscured personal details...


Delivered-To: [email protected]
Received: by 10.229.231.9 with SMTP id jo9cs13170qcb;
Sat, 11 Feb 2012 07:21:03 -0800 (PST)
Received: by 10.216.136.200 with SMTP id w50mr3911040wei.2.1328973662465;
Sat, 11 Feb 2012 07:21:02 -0800 (PST)
Return-Path: <return_smverp_.16817231.1414343.DATABASEID.1445403.830562067.108483._smverp_.me=mydomain.co.uk@ab.mm.ticketmaster.com>
Received: from web1.myprovider.co.uk (ns0.myprovider.co.uk. [193.189.75.xxx])
by mx.google.com with ESMTPS id z8si6378700wec.53.2012.02.11.07.21.02
(version=TLSv1/SSLv3 cipher=OTHER);
Sat, 11 Feb 2012 07:21:02 -0800 (PST)
Received-SPF: fail (google.com: domain of return_smverp_.16817231.1414343.DATABASEID.1445403.830562067.108483._smverp_.me=mydomain.co.uk@ab.mm.ticketmaster.com does not designate 193.189.75.xxx as permitted sender) client-ip=193.189.75.xxx;
Authentication-Results: mx.google.com; spf=hardfail (google.com: domain of return_smverp_.16817231.1414343.DATABASEID.1445403.830562067.108483._smverp_.me=mydomain.co.uk@ab.mm.ticketmaster.com does not designate 193.189.75.xxx as permitted sender) smtp.mail=return_smverp_.16817231.1414343.DATABASEID.1445403.830562067.108483._smverp_.me=mydomain.co.uk@ab.mm.ticketmaster.com
Received: from sms1-els203-80.mm.ticketmaster.com ([209.104.36.80])
by web1.myprovider.co.uk with esmtp (Exim 4.69)
(envelope-from <return_smverp_.16817231.1414343.DATABASEID.1445403.830562067.108483._smverp_.me=mydomain.co.uk@ab.mm.ticketmaster.com>)
id 1RwEkx-0006uR-GT
for [email protected]; Sat, 11 Feb 2012 15:20:59 +0000
Received: from sms2.mm.els203.clisys.tmcs ([10.75.20.210])
by sms1-els203-80.mm.ticketmaster.com (-); Sat, 11 Feb 2012 07:20:48 -0800
X-VirtualServer: Default, sms1-els203-80.mm.ticketmaster.com, 10.75.20.210
X-VirtualServerGroup: Default
X-MailingID: 16817231::1414343:ATABASEID::1445403::830562067::108483
X-SMHeaderMap: mid="X-MailingID"
X-Destination-ID: [email protected]
X-SMFBL: ZGFyeWxAaW1hZ2luYXJ5bnVtYmVyLmNvLnVr
Content-Transfer-Encoding: 7bit
Content-Type: multipart/alternative;
boundary="----=_NextPart_20E_319A_07D69C25.6F65301D"
MIME-Version: 1.0
Message-ID: <[email protected]>
Subject: =?UTF-8?B?QWN0aW9uIFJlcXVpcmVkIDogVXBkYXRlIFlvdXIgUERGIEFwcGxpY2F0aW9u?=
Date: Sat, 11 Feb 2012 07:20:48 -0800
To: [email protected]
From: "=?UTF-8?B?QWRvYmUgQWNyb2JhdCBSZWFkZXI=?=" <[email protected]>
X-Spam-Status: No, score=-1.9
X-Spam-Score: -18
X-Spam-Bar: -
X-Ham-Report: Spam detection software, running on the system "web1.myprovider.co.uk", has
identified this incoming email as possible spam. The original message
has been attached to this so you can view it (if it isn't spam) or label
similar future email. If you have any questions, see
the administrator of that system for details.
Content preview: INTRODUCING UPGRADED ADOBE ACROBAT READER 2012 Since the Holidays
are in full swing and the New Year is approaching, we've decided to unveil
our latest Adobe PDF Reader/Writer 2012 Version http://smr.mm.ticketmaster.com:80/t...vMDY3JmZsPSZleHRyYT1NdWx0aXZhcmlhdGVJZDcvcvv0
[...]
Content analysis details: (-1.9 points, 5.0 required)
pts rule name description
---- ---------------------- --------------------------------------------------
-2.3 RCVD_IN_DNSWL_MED RBL: Sender listed at http://www.dnswl.org/, medium
trust
[209.104.36.80 listed in list.dnswl.org]
1.7 URIBL_DBL_SPAM Contains an URL listed in the DBL blocklist
[URIs: 2012-acrobat-adobe-download.com]
-0.0 SPF_PASS SPF: sender matches SPF record
-1.8 RP_MATCHES_RCVD Envelope sender domain matches handover relay domain
-1.9 BAYES_00 BODY: Bayes spam probability is 0 to 1%
[score: 0.0000]
0.0 HTML_MESSAGE BODY: HTML included in message
1.0 FROM_EXCESS_BASE64 From: base64 encoded unnecessarily
1.4 AWL AWL: From: address is in the auto white-list
X-Spam-Flag: NO
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - web1.myprovider.co.uk
X-AntiAbuse: Original Domain - mydomain.co.uk
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - ab.mm.ticketmaster.com
X-Source:
X-Source-Args:
X-Source-Dir:

 

[joinerjohn]

Almost certainly Spam. The site link www.2012-acrobat, etc etc etc isn't the official Adobe site. Adobe's latest version for Windows is 10. summat. There's no mention of Adobe Reader 2012, on teh official site.
I did click your link as I'm running Linux and so fairly safe from suspect websites) Looks somewhat realistic enough. I'm sure someone will be easily fooled.
You could probably report it to Adobe, who'd be interested in a site using their name.

 

[opps]

Thanks for the reply

I didn't bother going to the site, I realised it was hooky. I was trying to workout why the actual hyperlink goes to

http://smr.mm.ticketmaster.com:80/t...LjIwMTItYWNyb2JhdC1hZG9iZS1kb3dubG9hZC5jb20ee

and not to the pretend adobe site.

BTW I have changed two of the later letters in the above hyperlink.

The last email sever listed is indeed the ticketmaster one. Can that be spoofed?

 

[opps]

UPDATE

Yep they were hacked!!!!

Or rather ticketweb were.

I got this email from them today to apologise to customers

Dear TicketWeb Customer,

We have discovered that our TicketWeb UK direct email marketing system was exposed to unauthorised access. As a result, you may have received up to four emails on Saturday, February the 11th, from an unauthorised party with the subject as "Action Required: Update Your PDF Application" and containing a link to update an Adobe Acrobat PDF application. Please do not click this link, but delete the email.

We have taken immediate action to close the vulnerability. You can rest assured that none of your credit card information was vulnerable during this attack.

We sincerely regret any inconvenience this has caused. We are continuing to investigate this unauthorised access, and will send you a follow-up email when we have additional information.

Please contact www.ticketweb.co.uk/helpdesk with any questions you may have. Thank you for your understanding as we continue to resolve this concern.

I still don't understand why the headers said ticketmaster not ticket web...



more info on thier facebookpage

http://www.facebook.com/TicketWebUK

 

[joinerjohn]

Malicious spam like this often contains links that at first glance appear to be genuine. Someone not as web savvy as yourself may have seen "ticketmaster" and assumed it was from "Ticketweb" (since the email apparently came from ticketweb).
I often receive emails purporting to be from banking institutions. The links take you to a site which at first glance look surprisingly like the real bank's website login page. Usually though a quick inspection of the url reveals it's a false site. Sometimes I have clicked the login screen and entered something like Gordon Brown, followed by a password like bankrupt. (strictly for laughs).

These are usually for banks I don't have any dealings with anyway so I know they are phishing.

BTW the link you provided just comes up as url not found, possibly an attempt to make you click the other link (which does take you to a site)

 

[opps]

hi john

The url in my third post had been tweaked by me to render it useless.

The long sequence of random letters made me think that it might be somekind of base64 exploit.

Ticketmaster (via ticketweb) on facebook are trying to reassure customers but tbh they aren't doing a very good job of it...

The BIG difference between this email and ALL of the other spam I have received is that the email did actually come from TicketMaster's servers and that the links in the email pointed to their servers.

It is highly likely most email spam filters would have let it through as it came from a trusted source.

This seems to have been sent to everyone that ever purchased from ticketweb, potentially a lot of people, and as I write this Ticketmaster admit that they don't know if the links were malicious or not!!!

 

[Monkeh]

The links most likely are malicious. Feel free to PM me the unmodified link and I'll check it out.

 

[opps]

Thanks monkeh

I decoded them from base64 and then changed some of my personal details before then re-encoding them.

I then followed the (ammended) links which went via the ticketmaster site and then on to the fake adobe site.

Although fake, the home page was not malicious. It is worrying though that after 24 hours Ticketmaster were unable to fix their server and stop redirecting customers.

They really have not done themselves any favours.

 

[opps]

They stillllllll haven't plugged the hole

http://smr.mm.ticketmaster.com/trac...mbWVzc2FnZWlkPTE0NDU0MDMmZGF0YWJhc2VpZD1EQVRB
QkFTRUlEJnNlcmlhbD0xNjgxNzIzMSZlbWFpbGlkPXBpc3NvZmZAZnVja3dpdHMuY28udWsmdXNl
cmlkPTgzMDU2MjAxMTEmZmw9JmV4dHJhPU11bHRpdmFyaWF0ZUlkPSYmJmh0dHA6Ly93d3cuMjAx
Mi1hY3JvYmF0LWFkb2JlLWRvd25sb2FkLmNvbS8=

Follow that and see what I mean- BTW I can confirm that there is no dodgy code on the above link, I don't know about other pages

 

[Monkeh]

The product they're offering may well be malicious. ps. you're too late, I already have your address.

 

[opps]

yeah I didn't alter the original code sufficiently.

 

[opps]

FFS

Their server is still redirecting.

Next time I want tickets I will just go to the box office.