Quickdimer.com & E-expressprocessing.com "Account Locked" Emails
5th October 2005 - updated 8th October 2005
Warning: the quickdimer.com and e-expressprocessing.com sites will attempt
to infect your PC if you visit them using Internet Explorer.
If your computer is not fully up to date with patches, it is quite
possible that your PC will be infected with spyware. This spyware will
most likely steal your passwords and confidential information, and may
also turn your PC into a "Spam Zombie".
Visitors are tricked into visiting the quickdimer.com site by an email
similar to the following:
Date: 5 Oct 2005 11:49:29 -0000
Received: from soot@gte.net by [munged] by uid 1002 with qmail-scanner-1.22
( Clear:RC:0(200.146.150.30):.
Processed in 4.097554 secs); 05 Oct 2005 11:48:33 -0000
Received: from unknown (HELO 200-146-150-30.rev.easyband.com.br) (200.146.150.30)
by 192.168.147.19 with SMTP; 5 Oct 2005 11:48:29 -0000
Received: from unknown (HELO pest) (192.168.120.30)
by 200-146-150-30.rev.easyband.com.br with SMTP; Wed, 5 Oct 2005 09:47:06 -0200
To: [munged]
From: "Sibylla Anthony" <soot@gte.net>
Subject: NOTIFICATION. YOUR ACCOUNT LOCKED.
Dear customer,
Sorry. Your account was temporally locked.
The credit card transaction was declined.
This is an email receipt for your recent payment you just made.
The system reported the following error:
KEEP CRD DECLINE NOT AUTHORIZED
Your receipt #2240076354
Billed To:
H WALL
14 Church Way
Basingstoke, RG24 9SU
Hampshire Order Number: L06639795
Receipt Date: 03/10/05
Order Total: GBP 108.04
Billed To: Visa
Information regarding your personal information can be
viewed at http://quickdimer.com/billing/order/order110902.html
This site is powered by the SecureTrading payment system
which means that your credit card details are fully encrypted
using the most sophisticated e-payment software.
The "14 Church Way" address is fake: there is no such address, and no
such credit card transaction has taken place. The entire purpose of the
email is to get you to click on the link and infect your PC.
The e-expressprocessing.com email is very similar:
From: Billing <billing@e-expressprocessing.com>
Subject: Your Account Has Been Suspended
Dear customer,
Sorry. Your account was temporally locked. The credit card transaction was declined. This is an email receipt for your recent payment you just made.
The system reported the following error: KEEP CRD DECLINE NOT AUTHORIZED
Receipt #4650097379
Billed To:
R HALL
20 North Way
Basingstoke, RG24 9SU
Hampshire
Order Number: YL40084268
Receipt Date: 05/10/05
Total Amount: GBP 201.06
Billed To: Visa
Information regarding your personal information can be viewed login in (Your usercode is 86435076 Your passcode is 3296133)
http://www.e-expressprocessing.com
This site is powered by the SecureTrading payment system which means that your credit card details are fully encrypted using the most sophisticated e-payment software.
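Both emails share the same template, so a mail-gateway rule can catch them on the body text and the link domain while pulling the originating relay out of the Received chain for the abuse report. The following triage script is an added example, not something from the original page; the sample message is constructed from the headers and body quoted above, cut down to the lines that matter.

```python
import re
from email import message_from_string
from ipaddress import ip_address

# Constructed sample, cut down from the headers and body quoted above.
SAMPLE = """\
Received: from unknown (HELO 200-146-150-30.rev.easyband.com.br) (200.146.150.30)
  by 192.168.147.19 with SMTP; 5 Oct 2005 11:48:29 -0000
Received: from unknown (HELO pest) (192.168.120.30)
  by 200-146-150-30.rev.easyband.com.br with SMTP; Wed, 5 Oct 2005 09:47:06 -0200
From: "Sibylla Anthony" <soot@gte.net>
Subject: NOTIFICATION. YOUR ACCOUNT LOCKED.

Sorry. Your account was temporally locked.
KEEP CRD DECLINE NOT AUTHORIZED
viewed at http://quickdimer.com/billing/order/order110902.html
This site is powered by the SecureTrading payment system
"""
# Template strings shared by both lures on the page.
LURE_PHRASES = ("keep crd decline not authorized", "securetrading payment system",
                "your account was temporally locked")
BAD_DOMAINS = {"quickdimer.com", "e-expressprocessing.com"}

def received_ips(msg):
    """Parenthesised IPs from the Received chain, earliest hop first
    (each relay prepends its own header, so the last one is the oldest)."""
    ips = [m.group(1) for h in msg.get_all("Received", [])
           for m in [re.search(r"\((\d{1,3}(?:\.\d{1,3}){3})\)", h)] if m]
    return ips[::-1]

def link_domains(body):
    urls = re.findall(r"https?://[^\s<>\"]+", body)
    return sorted({re.sub(r"^https?://(?:www\.)?", "", u).split("/")[0].lower()
                   for u in urls})

def triage(raw):
    msg = message_from_string(raw)
    body = msg.get_payload()
    hops = received_ips(msg)
    # 'HELO pest' is an RFC1918 host behind the relay; the first public hop
    # is the address to report to the relay's abuse contact.
    origin = next((ip for ip in hops if ip_address(ip).is_global), None)
    text = (msg.get("Subject", "") + "\n" + body).lower()
    hits = [p for p in LURE_PHRASES if p in text]
    domains = link_domains(body)
    bad = bool(set(domains) & BAD_DOMAINS)
    return {"hops": hops, "origin_ip": origin, "lure_phrases": hits,
            "link_domains": domains, "known_bad_link": bad,
            "verdict": "lure" if bad or len(hits) >= 2 else "unknown"}
```

The phrase list alone flags the e-expressprocessing.com variant too, since it reuses the same wording even though its link is a bare domain.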
If you have visited this website, we
recommend that you scan your PC thoroughly with an up-to-date
virus scanner. We recommend ZoneAlarm Security Suite
as a good, comprehensive package. Another good (and
currently free) package is Microsoft
AntiSpyware. Be aware that any passwords you have
entered since visiting the site may be compromised -
if in doubt, seek the help of an IT professional to
disinfect your system. Using a browser such as Firefox
instead of Internet Explorer can also help protect you
against attacks.
For the technically minded, the exploit code looks like this (we have
rendered it as a graphic to prevent false positives from virus scanners):
[Graphic of the exploit code: not reproduced in this text copy]
The domain registration details for quickdimer.com are no doubt fake:
Domain Name: quickdimer.com
Registrant Contact: Peitao Ting, pting1000@yahoo.com, Peitao Ting, 400 Arlington Way, Menlo Park, ca 94025, US, +1.6504731278
Administrative Contact: Peitao Ting, pting1000@yahoo.com, Peitao Ting, 400 Arlington Way, Menlo Park, ca 94025, US, +1.6504731278
Technical Contact: Peitao Ting, pting1000@yahoo.com, Peitao Ting, 400 Arlington Way, Menlo Park, ca 94025, US, +1.6504731278
Billing Contact: Peitao Ting, pting1000@yahoo.com, Peitao Ting, 400 Arlington Way, Menlo Park, ca 94025, US, +1.6504731278
Record created on 2005-09-27 05:53:47.
Record expires on 2006-09-27 05:53:47.
Domain servers in listed order: ns1.dreamhost.com ns2.dreamhost.com ns3.dreamhost.com
The site is currently hosted on 205.196.218.73,
a server belonging to New Dream Network, LLC
(email abuse -at- dreamhost.com). It appears
to be a server shared with several innocent parties.
For e-expressprocessing.com the registration details are:
Registrant Contact: Joy Chang, janejazz@yahoo.com, Joy Chang, 40182 Lucinda Ct., Fremont, CA 94539, US, +1.5103648926
Administrative Contact: Joy Chang, janejazz@yahoo.com, Joy Chang, 40182 Lucinda Ct., Fremont, CA 94539, US, +1.5103648926
Technical Contact: Joy Chang, janejazz@yahoo.com, Joy Chang, 40182 Lucinda Ct., Fremont, CA 94539, US, +1.5103648926
Billing Contact: Joy Chang, janejazz@yahoo.com, Joy Chang, 40182 Lucinda Ct., Fremont, CA 94539, US, +1.5103648926
Record created on 2005-10-03 01:38:29.
Record expires on 2006-10-03 01:38:29.
Domain servers in listed order: ns1.dreamhost.com ns2.dreamhost.com ns3.dreamhost.com
The site is hosted on 205.196.214.115, which is again part of New Dream Network, LLC.
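The two records above share a hoster and name servers and were created only days before the emails went out, which is the pattern a defender would key on when deciding to block a lure domain. The script below is an added example, not from the original page: it parses constructed excerpts of the two whois records, computes each domain's age at the time the email was seen (the e-expressprocessing.com date is assumed from its receipt date of 05/10/05, since the page gives no received time for it) and checks whether the two domains sit on the same name servers.

```python
import re
from datetime import datetime

# Constructed excerpts of the two whois records quoted above.
QUICKDIMER = """\
Registrant Contact: Peitao Ting, pting1000@yahoo.com
Record created on 2005-09-27 05:53:47.
Record expires on 2006-09-27 05:53:47.
Domain servers in listed order:
ns1.dreamhost.com ns2.dreamhost.com ns3.dreamhost.com
"""
EXPRESS = """\
Registrant Contact: Joy Chang, janejazz@yahoo.com
Record created on 2005-10-03 01:38:29.
Record expires on 2006-10-03 01:38:29.
Domain servers in listed order:
ns1.dreamhost.com ns2.dreamhost.com ns3.dreamhost.com
"""
# When each lure was seen: the first from its Date header, the second is an
# assumed value taken from the receipt date printed in the email.
SEEN = {"quickdimer.com": datetime(2005, 10, 5, 11, 48),
        "e-expressprocessing.com": datetime(2005, 10, 5)}

def created_on(whois):
    m = re.search(r"Record created on (\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})", whois)
    return datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")

def nameservers(whois):
    m = re.search(r"Domain servers in listed order:\s*(.+)", whois)
    return m.group(1).split()

def assess(domain, whois, seen, max_age_days=30):
    """Flag a domain that was registered shortly before it was used in a lure."""
    age = (seen - created_on(whois)).days
    return {"domain": domain, "age_days": age, "young": age <= max_age_days,
            "nameservers": nameservers(whois)}

def shared_infrastructure(whois_a, whois_b):
    """Throwaway domains registered days apart on identical name servers
    are one cluster; block and report them together."""
    return set(nameservers(whois_a)) == set(nameservers(whois_b))
```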