Thursday, 24 May 2012

24by7technohelp.com / 24by7onlinesolution.com scam

Technical support scammers call the wrong person in this video..


The website involved is 24by7technohelp.com (there is another site on the same server called 24by7onlinesolution.com doing the same thing). These sites are hosted on 208.91.199.77 (Confluence Networks, British Virgin Islands). I've had the Confluence Networks range of 208.91.196.0/22 blocked for some time with no ill effects..

More on this story here.

[Via]

Where's the malware spam?

You might have noticed that I haven't posted details of any malware spam in the past few days. This is because.. well, there really hasn't been much in the way of malware spam, with only one major campaign in the past three weeks.

When malware spam drops, I notice that fake pharma spam pops up instead, and furthermore malware spam runs are hardly ever at weekends when pharma takes over. And yes.. there's been an uptick of pharma spam lately which follows the pattern.

This malware spam run has been going on for months now, with a few breaks of a few weeks each time. I can't believe that anything fundamental has changed. So stay alert!

Monday, 21 May 2012

Synovate / Avios "Share your opinion and win an iPad!" spam

Here's an annoying piece of spam:
   
From:     Loyalty Research loyaltyresearch@synovate.net
Reply-To:     loyaltyresearch@synovate.net
Date:     21 May 2012 08:41
Subject:     Share your opinion and win an iPad!


Dear Mr Xxxxx,

We are contacting you from Synovate, an independent market research agency and would like to invite you to take part in a survey on behalf of a leading loyalty rewards programme, that you are a member of.

Your name has been given to us in good faith by this company and their loyalty programme name will be revealed to you at the end of the survey.

As a thank you for your participation we will enter you into a prize draw to win a fantastic iPad. Your opinions will be used to improve products and services.

This survey should take less than 20 minutes to complete, and will close on the 30th May 2012

Please click on the link below to begin the survey (CLICK ONCE ONLY):
https://wbint6web.synovate.net/syn.asp?s=XXXXX&p=XXXXX&i=XXXXX&w=XXXXX

Your identity will not be revealed to any third party

All information that we collect is strictly confidential and participation will not lead to any unsolicited mail, phone calls, or e-mails.

Your name will never be associated with your specific responses as they will be combined with those of other respondents. You can view our privacy policy at: http://www.synovate.com/legal/

If the survey link does not open, close the browser window then copy and paste the link into the address line of a new browser window and press enter.

If you exit the survey unexpectedly or accidentally close your Internet browser, clicking on the link above will allow you to re-enter the survey and continue where you left off.

If you have any comments or questions about this survey, please e-mail loyaltyresearch@synovate.net and include this survey ID number XXXXX along with any correspondence.

Kind regards,

The Synovate Team

This e-mail is being sent to you by Synovate on behalf of a leading customer loyalty company. Synovate and this company attempt to comply with all governmental laws for commercial e-mail. We have contacted you specifically either because you agreed to be on their mailing list to receive correspondence such as this, or you have previously participated in a survey on behalf of this company. Who this company is will be revealed at the end of the interview. If you do not wish to receive further communication from us, please reply to this email and let us know.

Terms & Conditions


1.    The prize is a 16gb iPad with wi-fi
2.    The prize draw is open to participants of this survey aged 18 or over resident in the UK, excluding employees and past employees of Synovate or anyone materially connected to the administration of the prize draw.
3.    Entry to the draw is by completion and submission of the survey. No purchase is required.
4.    Closing date for all entries into the prize draw is 30th May 2012 at 12pm. No responsibility will be taken for entries lost, damaged, incomplete or illegible. Proof of submitting will not be accepted as proof of delivery. Entries may be disqualified if incomplete or illegible.
5.    Only one entry per person may be submitted.
6.    The draw will take place by 30.06.12.
7.    The prize will be awarded to the first eligible entry drawn.
8.    The winner will be notified in writing by 06.07.12.
9.    The winner will receive their prize by post no later than 20.07.12.
10.    If a winner cannot be contacted within 14 days from the draw date, an alternative winner will be drawn.
11.    The name and county of the winner will be available to anyone sending a stamped addressed envelope to Ipsos, Prize Draw Winner, c/o Toby Rogers, Minerva House, 5 Montague Close, London, SE1 9AY within 28 days of the published closing date.
12.    All entrants to the prize draw will be deemed to have accepted the rules.
13.    No alternatives to the prize offered will be given.


The bit that says "Who this company is will be revealed at the end of the interview" is particularly appalling, as the only way to find out who sold your contact details is to do the survey! Well, not quite.. because the email address Synovate sent to is only used for registration at Avios (formerly Airmiles). So Avios sold on my contact details for the survey.

Oh well, easily fixed. We just need to change the privacy settings in Avios to stop this happening.. oh wait, third party emails don't appear in the "contact preferences" section of their site at all:


So what does their privacy policy say? Well:

Direct Marketing and who your data may be passed to

Your data may be passed to carefully selected companies that distribute Avios or companies that we think may be of interest to you. We may also pass your details to suppliers that process data on our behalf. On occasion we may use and disclose data on a collective basis for marketing and research cases but will not in such cases provide individual customer data.
So, you passed my contact details to Synovate for market research purposes, and there's no apparent opt out. Unless perhaps I do it in writing as you can't opt out on the web site..

How to remove yourself from our communication listings

If you do not wish to receive promotional mailings, simply inform us by writing to the address below. Please note that you may still receive an Avios statement as part of your membership.

Customer Account Management
PO Box 90,
Birchwood,
Warrington,
WA3 7XA.
This is really shabby marketing. Avios haven't breached their own privacy policy as it allows them to sell your contact details on in this way, but most consumers won't be expecting it. You should never, ever click on an unsolicited link like this (because it could lead to malware) and Avios and Synovate should at least make their relationship clear in the email rather than keeping it as a secret until you do the survey.

And why is this spam? Well, in my opinion the email is unsolicited, Avios members cannot apparently opt out of or control these, and the relationship of the recipient to the sender is unclear. Avios and Synovate seriously need to clean up their act IMO.

Friday, 18 May 2012

Myspace "Security updates" lead to fake pharma

This is a persistent spam run that has been going for a couple of days:

Date:      Fri, 18 May 2012 13:44:44 -0700
From:      "Myspace" [noreply@message.myspace.com]
Subject:      Security updates

myspace

We have recently updated our website to improve our security.

Please follow the instructions to ensure your account is enable and not blocked.

If you need immediate assistance, please contact our support team.

Note: It is important that your personal information is accurate and complete. This information may later be used to help verify the owner of the account. We does not sell or provide your personal information to third party companies.
Thank you for using Myspace!

The Myspace Team
http://www.myspace.com/

Have questions? Visit our help page. Myspace, 8391 Beverly Blvd, #349, Los Angeles, CA 90048.
© Myspace Inc. All Rights Reserved.

The link in the email goes to a variety of fake pharma sites, all of which appear to be hosted on 91.212.124.152 in a block registered to one Aleksandr Nikolaevich Nikultsev in the Ukraine. There doesn't seem to be much you would want to visit in 91.212.124.0/24, so blocking the whole lot might be prudent.

These are the sites I can find hosted on 91.212.124.152:

Monday, 14 May 2012

TaxSlayer.com spam / hseclub.net

After a quiet few days where most of the incoming spam I've seen has been pharma spam, the exploit kits have reared their ugly heads again with this new campaign:

Date:      Mon, 14 May 2012 12:02:23 -0300
From:      "Joann Crowley" [alert@taxslayer.com]
Subject:      Don't make grave tax mistakes.

View Online | View Mobile | Unsubscribe from TaxSlayer e-mails.    

    Avoid tax deadline mistakes that delay your tax return

With the tax deadline looming, it is essential to make sure that you prevent any errors on your tax return that could delay the filing and processing of your returns. The IRS recently released a list of their most commonly seen errors.

Read More
    
FREE TAX ADVICE –
with TaxSlayer.com
Do you have a tax-related question that you would like to ask someone? Try our newest feature!

Read More

Do you need more time to file?
The deadline for filing your tax return will be April 17th this year. See what you can do if you need more time.

Read More

Do you need a last minute deduction?
If you are in need of another tax deduction, you may be able to deduct some or all of your IRA contributions.

Read More

This email was sent to xxxxxxxxx by notification@taxslayer.com.
Click here to unsubscribe from TaxSlayer.com e-mails.
TaxSlayer.com | 610 Ronald Reagan Drive | Evans, GA 30809

Needless to say, this spam isn't from TaxSlayer.com but it leads to malware, this time with a malicious payload at [donotclick]hseclub.net/main.php?page=3d45d0a0fe805ff8 (report here) hosted on 37.59.68.23 (OVH, UK). Blocking that IP will probably do you no harm.
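The three posts above each end with the same advice: block the netblock the spam points at (208.91.196.0/22 for the 24by7technohelp.com scam, 91.212.124.0/24 for the fake pharma sites, and 37.59.68.23 for hseclub.net). As an added example that is not part of the original posts, here is a small Python checker that runs those ranges over proxy log lines to find clients that have already reached one of them. The log format and the log lines are constructed for the example; only the netblocks, hosts and destination IPs come from the posts.

```python
import ipaddress
import re

# Netblocks and hosts the posts above recommend blocking (values from the page).
BLOCKED_NETWORKS = [
    ipaddress.ip_network("208.91.196.0/22"),  # Confluence Networks: 24by7technohelp.com
    ipaddress.ip_network("91.212.124.0/24"),  # fake pharma sites behind the Myspace spam
    ipaddress.ip_network("37.59.68.23/32"),   # hseclub.net exploit kit landing page
]

# Constructed sample proxy log: timestamp, client, method, url, destination ip.
SAMPLE_LOG = """\
1337604000.123 10.0.0.5 GET http://www.example.com/ 93.184.216.34
1337604001.456 10.0.0.7 GET http://hseclub.net/main.php?page=3d45d0a0fe805ff8 37.59.68.23
1337604002.789 10.0.0.9 GET http://newrxmed.com/ 91.212.124.152
1337604003.001 10.0.0.5 GET http://24by7technohelp.com/ 208.91.199.77
1337604004.222 10.0.0.8 GET http://intranet.local/ 10.0.0.1
"""

# One regex for the constructed log layout; anything that does not match is skipped.
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<dst>\S+)$"
)


def matching_network(ip_text):
    """Return the blocked network that contains ip_text, or None if it is not blocked."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:  # garbage in the destination field: treat as not blocked
        return None
    for net in BLOCKED_NETWORKS:
        if ip in net:
            return net
    return None


def find_hits(log_text):
    """Return (client, url, dst_ip, network) for every log line whose destination is blocked."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        net = matching_network(m.group("dst"))
        if net is not None:
            hits.append((m.group("client"), m.group("url"), m.group("dst"), str(net)))
    return hits


if __name__ == "__main__":
    for client, url, dst, net in find_hits(SAMPLE_LOG):
        print(f"{client} -> {dst} ({net}) {url}")
```

A client that shows up here has already fetched something from a blocked range, so it is a candidate for a closer look rather than just a firewall rule.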

Saturday, 12 May 2012

Nadine Dorries: Where's My Shotgun?

You're not in Florida, Nadine. My MP (who I've never actually seen in the flesh at anything I've been to) Tweets about Reginald D Hunter (after being on Have I Got News For You):
"I have now left the HIGNFY after party. As I looked over my shoulder, Reginald D Hunter was talking to my daughter.#wheresmyshotgunman"

Usually when Tory MPs are involved in online death threats, it's the other way around..

Friday, 11 May 2012

Scamworld: 'Get rich quick' schemes mutate into an online monster

Here's a long and very detailed article from The Verge on how the current crop of get-rich-quick schemes on the Internet work. If it's a case of tl;dr then you can get a flavour of it from this video:


Thursday, 10 May 2012

Fake job and credit check sites to avoid

A little cluster of spam/scam sites on 95.142.173.176, running a scam related to this one. Avoid.

creditdealmanagement.com
creditlevelreport.com
hotdealsmanagement.com
hotoffermanagement.com
rockingdealmanagement.com
rockingdealmanagements.com
rockingoffermanagement.com
rockingscoremanagement.com
tql-billing.com

The WHOIS details are as follows: