2017-03-23 - MALSPAM FOR "QUANTUM CODE" SCAM

ASSOCIATED FILES:

• ZIP archive of the pcap:  2017-03-23-quantum-code-malspam-pcaps.zip   18.1 kB (18,058 bytes)

• 2017-03-23-quantum-code-malspam-1st-run.pcap   (16,920 bytes)
• 2017-03-23-quantum-code-malspam-2nd-run.pcap   (15,903 bytes)
• 2017-03-23-quantum-code-malspam-3rd-run.pcap   (10,895 bytes)

• ZIP archive of the pcap:  2017-03-23-quantum-code-malspam-tracker.csv.zip   1.2 kB (1,231 bytes)

• 2017-03-23-quantum-code-malspam-tracker.csv   (1,935 bytes)

• ZIP archive of the emails:  2017-03-23-quantum-code-malspam-examples.zip   14.9 kB (14,921 bytes)

• 2017-03-23-quantum-code-malspam-0755-UTC.eml   (1,890 bytes)
• 2017-03-23-quantum-code-malspam-0822-UTC.eml   (1,913 bytes)
• 2017-03-23-quantum-code-malspam-1039-UTC.eml   (3,223 bytes)
• 2017-03-23-quantum-code-malspam-1112-UTC.eml   (1,825 bytes)
• 2017-03-23-quantum-code-malspam-1121-UTC.eml   (1,797 bytes)
• 2017-03-23-quantum-code-malspam-1343-UTC.eml   (1,728 bytes)
• 2017-03-23-quantum-code-malspam-1348-UTC.eml   (1,733 bytes)
• 2017-03-23-quantum-code-malspam-1432-UTC.eml   (1,764 bytes)
• 2017-03-23-quantum-code-malspam-1458-UTC.eml   (1,907 bytes)
• 2017-03-23-quantum-code-malspam-1517-UTC.eml   (1,915 bytes)
• 2017-03-23-quantum-code-malspam-1518-UTC.eml   (1,516 bytes)
• 2017-03-23-quantum-code-malspam-1617-UTC.eml   (1,971 bytes)
• 2017-03-23-quantum-code-malspam-1622-UTC.eml   (1,888 bytes)

NOTES:

• This is a scam called "Quantum Code" that represents stock trading software that focuses on binary options.  It was formerly known as the Azure Method.  Emails about this scam have links to compromised websites.  Those links in the emails lead to a series of redirects that end at a website advertising "Quantum Code."

• Emails for this scam are similar to malicious spam (malspam) distributing malware.  I've been running across "Quantum Code" emails for months now as I search for actual malware-based malspam.  It's quite annoying.

MORE INFORMATION ON THIS SCAM:

• https://binarysignalsadvise.com/quantum-code-software-scam/
• http://www.binaryoptionswatchdog.com/the-quantum-code-scam-unbiased-review/
• http://scambroker.com/quantum-code/
• http://www.binaryscamalerts.com/quantum-code-scam-software-review/

 

EMAILS

Shown above:  Screenshot of the spreadsheet tracker.

 

Shown above:  An example of the emails.

 

EMAIL EXAMPLES:

(Read: Date/Time -- Sending host -- Sending address, probably spoofed -- Subject)

• 2017-03-23 07:55 UTC -- 202.146.246.170 -- eting@tuat.it -- 4439
• 2017-03-23 08:22 UTC -- mail.pngaf.com.pg -- laughaminute34@yahho.ca -- 3465
• 2017-03-23 10:39 UTC -- durgapur-nas1.meghbelabroadband.in -- jreyes@appliedsilicone.com -- 1025
• 2017-03-23 11:12 UTC -- localhost -- colier@etsc.ch -- 7610
• 2017-03-23 11:21 UTC -- 2.182.130.85 -- liam@soneramail.nl -- 5365
• 2017-03-23 13:43 UTC -- 187.60.35.126 -- apy@papy-salaud.com -- 7288
• 2017-03-23 13:48 UTC -- 190.42.105.252 -- l.heinz.woerlen@matulka.de -- 2050
• 2017-03-23 14:32 UTC -- static-186-155-204-71.static.etb.net.co -- bradles@realfreedate.com -- 0005
• 2017-03-23 14:58 UTC -- 120.56.200.33 -- aytcieza.turismo1@chorpenning.com -- 9790
• 2017-03-23 15:17 UTC -- 46.217.49.66 -- danaka-oziransky@delvacchioleather.it -- 9195
• 2017-03-23 15:18 UTC -- bzq-79-182-204-241.red.bezeqint.net -- hutch@e-universe.com -- 3281
• 2017-03-23 16:17 UTC -- abts-kk-static-010.116.166.122.airtelbroadband.in -- itonishauz@excite.it -- 2584
• 2017-03-23 16:22 UTC -- 182.186.168.67 -- barazz9@excite.it -- 6148

 

TRAFFIC

Shown above:  Pcap of the traffic filtered in Wireshark.

 

Shown above:  Another pcap of the traffic filtered in Wireshark.

 

LINKS FROM THE EMAILS:

• 46.252.201.1 port 80 - www.5fthire.com - GET /wp-content/plugins/akossmett/209ed48e0b.html
• 81.19.145.158 port 80 - www.wender-geistheiler.at - GET /modules/mod_jxtd_slide/61dce701ce.html
• 82.220.34.6 port 80 - www.mvsf.ch - GET /components/com_users/views/reset/tmpl/39b82e3c4a.html
• 89.46.104.19 port 80 - www.cedfacile.com - GET /wp-content/uploads/a6bc762d20.html
• 104.196.103.155 port 80 - global-gold.com - GET /wp-content/uploads/2016/02/5a0ae501f1.html
• 162.254.250.6 port 80 - www.roadstaraudio.com - GET /wp-content/plugins/23c5d28ce6.html
• 185.119.173.120 port 80 - www.ivana-rados.com - GET /wp-content/uploads/8882a75410.html
• 192.185.16.135 port 80 - www.yhalhammamgroup.net - GET /wp-includes/pomo/a6bc762d20.html
• 192.185.30.230 port 80 - www.bigthickbooty.net - GET /wp-content/uploads/3dbee7b9f0.html
• 192.232.251.218 port 80 - www.landwantedfast.com - GET /wp-content/plugins/jetpack/modules/widgets/20e18f23d2.html
• 192.254.233.44 port 80 - www.waledama.com - GET //wp-content/uploads/42e955644c.html
• 209.123.48.11 port 80 - www.levelsetinc.com - GET /sites/default/files/styles/24c887f5dd.html

QUANTUM CODE SCAM WEB SITES:

• 104.27.188.52 port 80 - quantum.binaryguru.biz
• 54.192.130.188 port 80 - www.incomeapp.co - GET /en/thequantumcodes/

 

FROM THE WEBSITE

Shown above:  One of the websites showing the Quantum Code scam.

 

TRANSCRIPT OF VIDEO FROM THE WEBSITE:

Hi there.  My name is Michael Crawford.  Yes, that guy you might have read about in Forbes and other financial magazines.  I'm also called the Wall Street Wizard, the Millionaire Trader, and the nicest rich guy in the world.  So why those names?  Well because I love money.  As you can see, I make a lot of money.  I'm very good at it.

This is my own private jet.  I'm just back from one of the many holidays I take every year all around the world.

But I'm not your average jerk millionaire.  I'm also a well-known philanthropist.  I like to help people more than anything else.  And I do this on a regular basis, or you might have read some articles about me before.  This is how you probably ended up on this website today.

Anyway, today is your lucky day.  I'm about to transform you into my next success story.

And no, I don't want anything in return.  I don't need anything from you.  If you read about me in Forbes, you know you know that I help people making a lot of money for free.

I just need a few minutes of your time, right now...

 

NOTE: As other sites have stated, the person in the video is an actor, or possibly the scammer behind it all.

Shown above:  "This is my own private jet."

 

FINAL NOTES

Once again, here are the associated files:

• ZIP archive of the pcap:  2017-03-23-quantum-code-malspam-pcaps.zip   18.1 kB (18,058 bytes)
• ZIP archive of the pcap:  2017-03-23-quantum-code-malspam-tracker.csv.zip   1.2 kB (1,231 bytes)
• ZIP archive of the emails:  2017-03-23-quantum-code-malspam-examples.zip   14.9 kB (14,921 bytes)

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.