Thursday, 24 April 2014

"Balance Scheet" spam

This terse spam has a malicious attachment:

Date:      Thu, 24 Apr 2014 12:80:56 GMT [08:08:00 EDT]
From:      Admin@victimdomain
Subject:      FW: Balance Scheet

Please save the attached file to your hard drive before deleting this message. Thank you.
The mail headers have been forged so that the message appears to originate inside the victim's own network (note the From: address at the victim's own domain). Attached to the email is an archive file which in turn contains a malicious executable, Balance-Sheet.exe, which has a VirusTotal detection rate of just 3/51.
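Spoofing the victim's own domain in the From: address is cheap, but the Received: chain written by the victim's own mail servers is not under the spammer's control. The following is an added example (not code from the original post) of the check a mail gateway can make: walk the Received: headers from the top, which were added by our own trusted hosts, and treat the first external client address as the point where the message entered the network. If From: claims our domain but the message entered from outside, it is forged. The two messages, the domain victimdomain.example, the IP addresses and the internal netblocks are all constructed placeholders.

```python
import email
import email.utils
import ipaddress
import re
from email import policy

# Constructed sample in the shape of the "Balance Scheet" spam (not the real
# message): From: claims the victim's domain, but the Received: chain shows the
# message reached the victim's MX from an outside address.
SPOOFED = """\
Received: from mail.victimdomain.example (mail.victimdomain.example [10.1.2.3])
 by mx.victimdomain.example with ESMTP; Thu, 24 Apr 2014 08:08:00 -0400
Received: from [198.51.100.77] (unknown [198.51.100.77])
 by mail.victimdomain.example with SMTP; Thu, 24 Apr 2014 08:07:58 -0400
From: Admin@victimdomain.example
To: someone@victimdomain.example
Subject: FW: Balance Scheet

Please save the attached file to your hard drive before deleting this message.
"""

# Constructed legitimate internal mail for comparison: every hop is internal.
INTERNAL = """\
Received: from ws42.victimdomain.example (ws42.victimdomain.example [10.20.0.42])
 by mail.victimdomain.example with ESMTP; Thu, 24 Apr 2014 09:00:00 -0400
From: Admin@victimdomain.example
To: someone@victimdomain.example
Subject: Printer maintenance

The printer on floor 3 is being serviced today.
"""

OUR_DOMAIN = "victimdomain.example"
# Assumed internal address space for the example; use your own netblocks.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]

# Client address as the receiving MTA writes it, e.g. "(unknown [198.51.100.77])".
CLIENT_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse(raw):
    return email.message_from_string(raw, policy=policy.default)


def entry_ip(msg, internal_nets=INTERNAL_NETS):
    """Return the IP from which the message entered our network, or None.

    Received: headers are prepended, so the first one is the newest hop and
    was written by our own MX. Walk downwards while the client address is
    internal; the first external client address is where the message crossed
    our boundary. Everything below that point was supplied by the sender and
    may itself be forged, so it is deliberately never consulted.
    """
    for hdr in msg.get_all("Received", []):
        m = CLIENT_IP.search(hdr)
        if not m:
            continue
        ip = ipaddress.ip_address(m.group(1))
        if not any(ip in net for net in internal_nets):
            return ip
    return None


def spoofed_internal_sender(msg, our_domain=OUR_DOMAIN, internal_nets=INTERNAL_NETS):
    """True if From: claims our domain but the message arrived from outside."""
    from_addr = email.utils.parseaddr(str(msg.get("From", "")))[1]
    if from_addr.rpartition("@")[2].lower() != our_domain:
        return False
    return entry_ip(msg, internal_nets) is not None


if __name__ == "__main__":
    for label, raw in (("spam", SPOOFED), ("internal", INTERNAL)):
        m = parse(raw)
        print(label, entry_ip(m), spoofed_internal_sender(m))
```

The check relies on never trusting a Received: header below the first external hop, since the spammer can prepend as many plausible-looking internal hops as they like. In production the same decision is better taken from the Authentication-Results: header your own MX adds (SPF and DKIM alignment for your domain), with the Received: walk kept as a fallback for mail that predates that header.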

Automated analysis tools [1] [2] [3] show an attempted download from the following locations:

"Atlanta Consulting" fake job offer, / /

This fake job offer comes from a bunch of scammers passing themselves off as "Atlanta Consulting" (not to be confused with several legitimate firms of similar names).

From:     Gertrude Holden []
Date:     24 April 2014 14:16
Subject:     Vacancy

Good Day!

A new advanced vacant position is available!

I am a chief personnel officer of an Australian consulting company. We deal with non-typical business solutions. Also we introduce different outsourcing solutions. Presently we have many clients in Europe. To anticipate our cooperation with them, we need to find few regional managers.
We offer a part-time employment and opportunity to advance. Also we provide free elementary training. Initial salary is 2000 euro. If our offer is interesting to you, please send your answer on our e-mail:

info @ atlantaconsulting . net   (remove spaces before sending email)

specifying your country, city of residence, contact telephone number and desired time for call. Our managers work 24 hours for you!

Best regards!
The following domains are all part of the same scam:

The WHOIS details for the domains are undoubtedly fake and are certainly not Australian:

Administrative Contact ID:                   COCO-5041
Administrative Contact Name:                 John Carpenter
Administrative Contact Address1:             831 Ridgeview Dr
Administrative Contact City:                 Frankfort
Administrative Contact State/Province:       KY
Administrative Contact Postal Code:          40601
Administrative Contact Country:              United States
Administrative Contact Country Code:         US
Administrative Contact Phone Number:         +1.6064521498
Administrative Contact Email:      

There's a flashy website with no real substance.

The sites are hosted on (EDIS GmbH, US) and the email in this case originated from in Colombia.

The so-called job is going to be money laundering, or perhaps parcel reshipping (described in the video below) or some other scam which will involve you doing something illegal. Avoid.

"" spam from Sally Gaskell and Darren Gaskell and

The Sally and Darren Gaskell spamming team strikes again, with another pitch for their perennially "closing down" company... which has been closing down since 2012 (at least!)

From:     UK Data Portfolio []
Date:     24 April 2014 11:00
Subject:     UK Data Portfolio

UK Business Database

We have decided to cease our data broking service to concentrate on our increasing consultancy work.

We have built and developed a UK business portfolio of 550,000 records. It is opted in at decision maker level and contains full business profiles along with the decision makers direct email address.  It has been verified monthly and is extremely accurate.

We normally sell this information for over £2000 but as we are only permitted to sell another four copies due to opt in agreements and due to the fact that we are closing this division we thought we would offer it to a few businesses at a lower cost of £475.

Sales will close either when four sales are achieved or on Friday 25th April when we aim to finalise things.

We have changed the price of the database on our website to £475 so you just need to purchase the Full UK Database.

Website: freshmarketinguk (.) com

We’ve included the (.) as links can compromise delivery and we are only sending this email to a small number of recipients so we want to make sure they are delivered.

Please reply to this email with any queries or call us on 0114 4055999.  There is also live chat on the website.

Many thanks


Unsubscribe by email
The email is sent (as always) to an address scraped off the internet, so the mailing list they are selling is probably of similarly low quality, or alternatively the list may have been stolen from someone else. In any case, the pitch about "closing" is a flat lie, as they were using the same line two years ago. There's a very good chance that using this list will get you blacklisted for spamming.

The originating IP is a satellite provider on, it has been sent via ( and is hosted on spam-friendly provider on who have been providing support to the Gaskells for some time.

The Gaskells have to change their websites as often as they do their underwear. The following sites use the contact phone number of 0843 289 9034 and all offer basically the same (probably) worthless product.

OnePlus One


Expected Q2 2014
23rd April 2014

Possibly the greatest smartphone you have never heard of, the OnePlus One is an attractive, premium smartphone without the expensive price-tag.

OnePlus is a startup founded late last year by Pete Lau, vice-president of up-and-coming Chinese firm OPPO. The stated design philosophy of OnePlus is "Never Settle" which is reflected in an apparently very high quality of product design. The OnePlus One manages to look both smart and distinctive at the same time.

Elegance is sometimes only skin-deep, so what lies underneath the One's pleasing exterior? Inside is a 2.5GHz quad-core Qualcomm Snapdragon CPU with 3GB of RAM, 16 or 64GB of storage and a large 3100 mAh battery. On the front is a 5.5" 1080 x 1920 pixel full HD display with a 13 megapixel camera on the back and a 5 megapixel one on the front. It's worth noting that the main camera is a Sony Exmor unit which has a proven track record in this type of device.

This is an LTE-capable device with NFC support and all the usual high-end features. But there are some more unusual features too... prefer on-screen navigation buttons? You can have those. Prefer the buttons at the bottom? Well, you can switch on those instead. Want to personalise your phone? You can change the back of the device, and you can even use a wooden panel like the Moto X. In fact, the OnePlus One seems to be full of little design details that lift it way above the run-of-the-mill and allow it to compete with leaders such as the HTC One M8 and Apple iPhone 5S.

The operating system is Cyanogenmod 11S, which is a reworking of Android 4.4. Cyanogenmod is popular with people who like to create custom ROMs for their Android devices, and it has a dedicated following of users and developers. You can control the OnePlus with gesture control and pretty much customise it in exactly the way you want... something that can be difficult with other Android handsets.

The hardware and software look appealing... but what about the price? OnePlus say that the One will cost $299 / €269 for the 16GB Silk White version or $349 / €299 for the 64GB Sandstone Black version. Initial markets will be the US, most of Western Europe* plus Hong Kong and Taiwan.

That price is about half that of the HTC One M8, which is probably the best handset on the market at the time of writing. OnePlus say that the One should be available during Q2, although the initial release looks like it will be through invitation only. More details can be found on their website at

One word of warning though - OnePlus are a completely new startup and the company has no track record in getting products to market (although many of their employees do). It's quite possible that the product might ship late (or not at all), the price might change or the quality might not be up to scratch. But we certainly hope that this handset is as good as it promises to be.

* Austria, Belgium, Denmark, Finland, France, Germany, Italy, Netherlands, Portugal, Spain, Sweden, United Kingdom.

OnePlus One at a glance
Availability: Q2 2014
GSM: 850 / 900 / 1800 / 1900
UMTS: 850 / 900 / 1700 / 1900 / 2100
LTE: Bands 1 / 3 / 4 / 7 / 17 / 38 / 40
Data: LTE + WiFi
Display: 5.5" 1080 x 1920 pixels
Camera: 13 megapixels (main), 5 megapixels (sub)
Form factor: Large smartphone
Dimensions: 153 x 76 x 8.9mm / 162 grams
Internal memory: 16GB / 64GB
Memory card:
Processor: 2.5GHz quad-core
GPS: Yes (plus GLONASS)
OS: Cyanogenmod 11S / Android 4.4
Battery life: Not specified (3100 mAh cell)

Wednesday, 23 April 2014

"Broad Oak Toiletries Ltd" fake invoice spam

This spam purports to be from a legitimate company called Broad Oak Toiletries Ltd, but in fact it is a fake with a malicious payload and it does not come from Broad Oak Toiletries at all (some other reports say that their email has been hacked; it has not, this is a forgery of the sender details).

Date:      Wed, 23 Apr 2014 08:13:19 +0000 [04:13:19 EDT]
From:      Sue Mockridge []
Subject:      Invoice 739545


Please can you let me have a payment date for the attached March Invoice?

Kind Regards

Sue Mockridge
Accounts Administrator

' (Main) 01884 242626  ' (Direct Dial) 01884 250764

Please consider the environment before printing

Broad Oak Toiletries Ltd, Tiverton, Tiverton Way, Tiverton Business Park, Tiverton, Devon, EX16 6TG
Registered No. 1971053 England & Wales
Telephone: +44 (0) 1884 242626
Facsimile: +44 (0) 1884 242602

The information in this email and any attachments is confidential. It is intended solely for the attention and use of the named addressee(s). The unauthorised copying, retransmission, dissemination and other use of, or taking of any action in reliance upon, this information is prohibited. Unless explicitly stated otherwise, the contents of this message are strictly subject to contract; any views expressed may be personal and shall not create a binding legal contract or other commitment on the part of Broad Oak Toiletries Ltd.

This email has been scanned by the Symantec Email service.
For more information please visit
The attachment is Invoice 493234 March which in turn contains a malicious executable Invoice 288910 March 2014.exe which has a VirusTotal detection rate of just 2/51.

Automated analysis tools [1] [2] show attempted connections to the following URLs:

Recommended blocklist:

Thursday, 17 April 2014 hacked, used in pharma spam run

Overnight I received about 500 messages similar to this:

Thank you for considering our products and services, your information arrived today.

Alright, here's the link to the site:

Proceed to Site

Thank you for taking the time to contact us.

Regards, Bethany Briseno, Support Team manager.


Thank you for your letter of Apr 17, your information arrived today.

Alright, here's the link to the site:

Proceed to Site

Thank you for taking the time to contact us.

Regards, Silas Mixon, Support Team manager.


Thank you for considering our products and services, your information arrived today.

Alright, here's the link to the site:

Proceed to Site

If we can help in any way, please do not hesitate to contact us.

Sincerely, Jenna Golden, Support Team manager.


Thank you for your letter of Apr 17, your information arrived today.

Alright, here's the link to the site:

Proceed to Site

If we can help in any way, please do not hesitate to contact us.

Sincerely, Fredricka Palacios, Support Team manager.
In each case the message was from either "Support Center" or "Ticket Support" with a subject in the form of "Ticket [#5409290]" (the number is random).

The links in the email go to a legitimate site belonging to Omron Healthcare which has been hacked to serve illegal pharmacy pages, for example:

The landing page does not appear to be malicious, but care should be taken. See this URLquery report for an example.

Omron is a multibillion dollar Japanese corporation, but it appears to have been hacked through an insecure WordPress installation, which is rather shabby.

One amusing sidenote: the server that hosts also hosts another Omron-owned site. Enough said.

Update 22/4/2014: Omron say that they have now fixed the issue.

Wednesday, 16 April 2014

Something still evil on

Last week I wrote about a rogue netblock hosted by Network Operation Center in the US. Well, it's still spreading malware, but now there are more domains active on this range.

A full list of the subdomains I can find is posted here [pastebin]. I would recommend that you apply the following blocklist:

Tuesday, 15 April 2014 "Statement of account" spam

Another fake email with a malicious payload..

Date:      Tue, 15 Apr 2014 19:40:23 +0800 [07:40:23 EDT]
From:      "" []
Subject:      Statement of account


Please find attached the statement of account.

We look forward to receiving payment for the February invoice as this is now due for


This email, including attachments, is private and confidential. If you have received this
email in error please notify the sender and delete it from your system. Emails are not
secure and may contain viruses. No liability can be accepted for viruses that might be
transferred by this email or any attachment. Wilson McKendrick LLP Solicitors, Queens
House, 29 St. Vincent Place, Glasgow G1 2DT Registered in Scotland No. SO303162. Members:
Mark Wilson LLB Dip. NP LP Allan T. McKendrick LLB Dip. LP NP. 
Attached is a file which contains a malicious executable Statement.scr which has a VirusTotal detection rate of 9/51. Automated analysis tools [1] [2] [3] show an attempted download from the following locations:

A number of other IPs are contacted as well, indicating that this is P2P/Gameover Zeus.
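The three malware mailings on this page ("Balance Scheet", the Broad Oak "Invoice" and this "Statement of account") all use the same delivery trick: a ZIP attachment wrapping a Windows executable (Balance-Sheet.exe, Invoice 288910 March 2014.exe, Statement.scr) that the antivirus engines largely miss. As an added example, not code from the original post, here is a gateway-side triage that looks inside ZIP attachments for executables by extension and by the PE "MZ" magic, reading only the first two bytes of each member rather than extracting it. The sample message, its sender, and the fake Statement.scr stub are constructed; the extension list is an assumption to be adjusted to local policy.

```python
import email
import io
import os
import zipfile
from email import policy
from email.message import EmailMessage

# Extensions Windows will run directly when double-clicked. This set is an
# assumption for the example; extend it to match your own policy.
EXEC_EXT = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs", ".jar"}


def build_sample():
    """Construct a message in the shape of the 'Statement of account' spam:
    a ZIP attachment wrapping Statement.scr. The member's bytes are a fake
    'MZ' stub, not real malware. Returns the raw RFC 5322 bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("Statement.scr", b"MZ" + b"\x00" * 62 + b"constructed stub")
    msg = EmailMessage()
    msg["From"] = "accounts@law-firm.invalid"
    msg["To"] = "victim@victimdomain.example"
    msg["Subject"] = "Statement of account"
    msg.set_content("Please find attached the statement of account.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="Statement.zip")
    return msg.as_bytes()


def _flag(attachment, member, head):
    """Return a finding tuple if the member looks executable, else None."""
    ext = os.path.splitext(member)[1].lower()
    by_ext = ext in EXEC_EXT
    by_magic = head[:2] == b"MZ"        # DOS/PE header: Windows executable
    if by_ext or by_magic:
        return (attachment, member, by_ext, by_magic)
    return None


def suspicious_attachments(raw):
    """Return (attachment, member, flagged_by_extension, flagged_by_magic)
    for every executable found. ZIP attachments are inspected in place and
    never extracted: only two bytes of each member are read, so a large or
    nested archive cannot fill the disk."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""
        if zipfile.is_zipfile(io.BytesIO(data)):
            with zipfile.ZipFile(io.BytesIO(data)) as z:
                for info in z.infolist():
                    if info.is_dir():
                        continue
                    with z.open(info) as fh:
                        head = fh.read(2)
                    hit = _flag(name, info.filename, head)
                    if hit:
                        findings.append(hit)
        else:
            hit = _flag(name, name, data[:2])
            if hit:
                findings.append(hit)
    return findings


if __name__ == "__main__":
    for hit in suspicious_attachments(build_sample()):
        print(hit)
```

Checking the magic bytes as well as the extension matters: a renamed payload (say, Statement.pdf.bin) still starts with "MZ", while a file named .scr that does not is at least worth a second look. The Broad Oak sample shows another cheap signal this code does not use, namely an archive whose name ("Invoice 493234 March") does not match the member it contains ("Invoice 288910 March 2014.exe").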

Friday, 11 April 2014

Something evil on,, and,

This set of IPs is being used to push the Angler EK [1] [2]:

Intergenia, Germany

Network Operations Center (HostNOC), US

A look at the /24s that these ranges are in indicates a mix of malicious and legitimate sites, but on the whole it might be a good idea to consider blocking traffic to and

Sites on these IPs consist of hijacked subdomains of (mostly) legitimate domains in the Intergenia range and purely malicious domains in the HostNOC range. I would recommend that you block the following:



Thursday, 10 April 2014

"CCAHC: Climate Change And Health Conference 2014" scam

This spam is a form of advance fee fraud:

From:     CCAHC
Date:     10 April 2014 16:04
Subject:     Call for Poster

CCAHC: Climate Change And Health Conference 2014

Dear Colleague,
On behalf of the CCAHC Scientific Committee, you are cordially invited to attend the 14th Climate Change & Health Conference to be held in Ibis Garden Hotel, from 16th - 18th May, 2014. 
The CCAHC 2014 event promises unrivalled learning and networking opportunities for the general public. Invited speakers are experts from multiple sectors and disciplines. Case studies of successful collaborations of environment, nutrition and public health across a wide range of issues.
The main theme for this year's poster session is:  "Impacts of Climate Change in Health and Nutrition"
While this is the main theme for the poster session it is not exclusive and you are welcome to submit a poster outside of this theme.
CCAHC 2014 showcases yet another exceptional programme with the latest scientific and best practice consensus on sustainable environment, biometeorological adaptation, global warming, climate change, waste management, greenhouse gas, pollution control, heart health, obesity, weight management, diabetes, child health, gut health, food sensitivity, healthy living and many other hot topics.
Why Attend:
  • Receive current updates on a range of topics, from leaders and expert practitioners.
  • Understand the latest scientific research in detail and discover its implications for your work.
  • Explore and debate controversial topics, discuss what is best for your clients and patients.
  • Sponsorship of air ticket, travel insurance, visa fees and per diem.
  • Enhance your skill set and progress your career.
  • Network with hundreds of other professionals involved in diet, nutrition, environment, health and lifestyle.
  • Participate in the Exhibitor Trail and win prizes!
  • Present your research, project, product or campaign, attract attention and promote your achievements
  • Registration is free of charge for participants from developing countries.
Paper Submissions:
Fax or e-mail up to 300 words describing your proposed paper on or before 18th April 2014. The paper will then be sent to the Advisory Board for evaluation and authors will be given feedback on or before 25th April 2014. The highest rated papers will be invited to present at the conference.
Sincerely yours,
Professor Jon Lloyd
Conference Chair
Maple House, 37-45 City Road, London EC1Y 1AT, United Kingdom.
Tel: +44 (0)70 8764 2424 | +44 (0)70 2404 4920
Fax: +44 (0)843 562 2173
The email originates from (Airtel, Nigeria) via in Bangladesh. Note that the sender is using free email addresses rather than one that ties back to an identifiable organisation. The email was sent to a spamtrap.

According to this article, the sting is that there will be visa and hotel fees to pay before the conference, and once that money has been sent by Western Union the scammers will vanish, taking their mythical conference with them.