Thursday, 17 April 2014

omronfitness.com hacked, used in pharma spam run

Overnight I received about 500 messages similar to this:

Thank you for considering our products and services, your information arrived today.

Alright, here's the link to the site:

Proceed to Site

Thank you for taking the time to contact us.

Regards, Bethany Briseno, Support Team manager.

---------

Thank you for your letter of Apr 17, your information arrived today.

Alright, here's the link to the site:

Proceed to Site

Thank you for taking the time to contact us.

Regards, Silas Mixon, Support Team manager.

---------

Thank you for considering our products and services, your information arrived today.

Alright, here's the link to the site:

Proceed to Site

If we can help in any way, please do not hesitate to contact us.

Sincerely, Jenna Golden, Support Team manager.

---------


Thank you for your letter of Apr 17, your information arrived today.

Alright, here's the link to the site:

Proceed to Site

If we can help in any way, please do not hesitate to contact us.

Sincerely, Fredricka Palacios, Support Team manager.

In each case the message was from either "Support Center" or "Ticket Support" with a subject in the form of "Ticket [#5409290]" (the number is random).

The links in the email go to a legitimate site, omronfitness.com, belonging to Omron Healthcare, which has been hacked to serve illegal pharmacy pages, for example:
[donotclick]omronfitness.com/buyaccutane/
[donotclick]omronfitness.com/buyflomax/

The landing page does not appear to be malicious, but care should be taken. See this URLquery report for an example.

Omron is a multibillion-dollar Japanese corporation, but it appears to have been hacked through an insecure WordPress installation, which is rather shabby.

One amusing sidenote: the server 23.21.115.143 that hosts omronfitness.com also hosts another Omron-owned site, moronfitness.co. Enough said.

Wednesday, 16 April 2014

Something still evil on 66.96.223.192/27

Last week I wrote about a rogue netblock hosted by Network Operations Center in the US. Well, it's still spreading malware, but now there are more domains active on this range.

A full list of the subdomains I can find is here [pastebin]. I would recommend that you apply the following blocklist:


Tuesday, 15 April 2014

Sky.com "Statement of account" spam

Another fake sky.com email with a malicious payload:

Date:      Tue, 15 Apr 2014 19:40:23 +0800 [07:40:23 EDT]
From:      "Sky.com" [statement@sky.com]
Subject:      Statement of account

Afternoon,

Please find attached the statement of account.

We look forward to receiving payment for the February invoice as this is now due for
payment.

Regards,
Kathy

This email, including attachments, is private and confidential. If you have received this
email in error please notify the sender and delete it from your system. Emails are not
secure and may contain viruses. No liability can be accepted for viruses that might be
transferred by this email or any attachment. Wilson McKendrick LLP Solicitors, Queens
House, 29 St. Vincent Place, Glasgow G1 2DT Registered in Scotland No. SO303162. Members:
Mark Wilson LLB Dip. NP LP Allan T. McKendrick LLB Dip. LP NP.

Attached is a file Statement.zip which contains a malicious executable Statement.scr which has a VirusTotal detection rate of 9/51. Automated analysis tools [1] [2] [3] show an attempted download from the following locations:
[donotclick]pelicansea.com/css/1504UKd.zip
[donotclick]twinest.com/images/1504UKd.zip

A number of other IPs are contacted as well, indicating that this is P2P/Gameover Zeus.


Friday, 11 April 2014

Something evil on 62.75.140.236, 62.75.140.237, 62.75.140.238 and 64.120.207.253, 64.120.207.254

This set of IPs is being used to push the Angler EK [1] [2]:

Intergenia, Germany
62.75.140.236
62.75.140.237
62.75.140.238

Network Operations Center (HostNOC), US
64.120.207.253
64.120.207.254

A look at the /24s that these ranges are in indicates a mix of malicious and legitimate sites, but on the whole it might be a good idea to consider blocking traffic to 62.75.140.0/24 and 64.120.207.0/24.

Sites on these IPs consist of hijacked subdomains of (mostly) legitimate domains in the Intergenia range and purely malicious domains in the HostNOC range. I would recommend that you block the following:

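As an added example (my code, not from the original posts), the blocklists published here can be applied as detection logic over proxy logs: the Python below matches destination IPs against the listed CIDRs and hostnames against the listed names, and, because the Intergenia entries are hijacked subdomains of otherwise legitimate domains, a listed hostname such as casga.sogesca.al blocks that host and anything beneath it but never the parent domain. The blocklist entries are a handful taken from the posts of 16 April and 11 April; the log format and the log lines are constructed assumptions.

```python
import ipaddress
import re

# Constructed sample blocklist: a few entries from the posts above, not the full lists.
BLOCKED_NETS = [ipaddress.ip_network(n) for n in
                ("66.96.223.192/27", "62.75.140.0/24", "64.120.207.0/24")]
# Hijacked subdomains are listed as full hostnames; the parent (sogesca.al) is legitimate.
BLOCKED_HOSTS = {"capcomcom.com", "odtoidcwe.info", "casga.sogesca.al", "vender.puteando.com.ar"}

def host_blocked(host):
    """True if host equals a listed name or sits beneath one; the parent is never blocked."""
    labels = host.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in BLOCKED_HOSTS for i in range(len(labels)))

def ip_blocked(ip):
    """True if ip falls inside any blocked CIDR; malformed input is simply not blocked."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in BLOCKED_NETS)

# Assumed log format: "<timestamp> <client-ip> <requested-host> <destination-ip>"
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")

def scan_proxy_log(lines):
    """Return (host, destination ip, reason) for every line that hits the blocklist."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the scan
        _ts, _client, host, dst = m.groups()
        reasons = [t for t, hit in (("host", host_blocked(host)), ("ip", ip_blocked(dst))) if hit]
        if reasons:
            hits.append((host, dst, "+".join(reasons)))
    return hits

# Constructed log lines; 203.0.113.x is documentation address space, not a real host.
SAMPLE_LOG = [
    "2014-04-16T09:12:01 10.0.0.5 capcomcom.com 66.96.223.200",         # host and /27 hit
    "2014-04-16T09:12:07 10.0.0.5 www.sogesca.al 203.0.113.5",          # parent domain, clean
    "2014-04-16T09:12:10 10.0.0.7 cdn.casga.sogesca.al 62.75.140.236",  # beneath a listed host
    "2014-04-16T09:12:11 10.0.0.8 example.org 64.120.207.254",          # only the IP is listed
    "2014-04-16T09:12:12 10.0.0.9 example.org 64.120.208.1",            # outside the /24, clean
]
```

Running scan_proxy_log(SAMPLE_LOG) flags the first, third and fourth lines and leaves the parent domain www.sogesca.al alone.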

Thursday, 10 April 2014

"CCAHC: Climate Change And Health Conference 2014" scam

This spam is a form of advance-fee fraud scam:

From:     CCAHC ccahc@live.com
Reply-To:     ccahc@e-mile.co.uk
Date:     10 April 2014 16:04
Subject:     Call for Poster

CCAHC: Climate Change And Health Conference 2014


Dear Colleague,
On behalf of the CCAHC Scientific Committee, you are cordially invited to attend the 14th Climate Change & Health Conference to be held in Ibis Garden Hotel, from 16th - 18th May, 2014. 
The CCAHC 2014 event promises unrivalled learning and networking opportunities for the general public. Invited speakers are experts from multiple sectors and disciplines. Case studies of successful collaborations of environment, nutrition and public health across a wide range of issues.
The main theme for this year's poster session is:  "Impacts of Climate Change in Health and Nutrition"
While this is the main theme for the poster session it is not exclusive and you are welcome to submit a poster outside of this theme.
CCAHC 2014 showcases yet another exceptional programme with the latest scientific and best practice consensus on sustainable environment, biometeorological adaptation, global warming, climate change, waste management, greenhouse gas, pollution control, heart health, obesity, weight management, diabetes, child health, gut health, food sensitivity, healthy living and many other hot topics.
Why Attend:
  • Receive current updates on a range of topics, from leaders and expert practitioners.
  • Understand the latest scientific research in detail and discover its implications for your work.
  • Explore and debate controversial topics, discuss what is best for your clients and patients.
  • Sponsorship of air ticket, travel insurance, visa fees and per diem.
  • Enhance your skill set and progress your career.
  • Network with hundreds of other professionals involved in diet, nutrition, environment, health and lifestyle.
  • Participate in the Exhibitor Trail and win prizes!
  • Present your research, project, product or campaign, attract attention and promote your achievements
  • Registration is free of charge for participants from developing countries.
Paper Submissions:
Fax or e-mail up to 300 words describing your proposed paper on or before 18th April 2014. The paper will then be sent to the Advisory Board for evaluation and authors will be given feedback on or before 25th April 2014. The highest rated papers will be invited to present at the conference.
Sincerely yours,
Professor Jon Lloyd
Conference Chair
Maple House, 37-45 City Road, London EC1Y 1AT, United Kingdom.
Tel: +44 (0)70 8764 2424 | +44 (0)70 2404 4920
Fax: +44 (0)843 562 2173

The email originates from 196.46.246.174 (Airtel, Nigeria) via 221.120.96.3 in Bangladesh. Note that the sender is using free email addresses rather than one that ties back to an identifiable organisation. The email was sent to a spamtrap.

According to this article at 419scam.org the sting is that there will be visa and hotel fees to pay before going to the conference, and once this money has been sent by Western Union then the scammers will vanish, taking their mythical conference with them.

Avoid.

Wednesday, 9 April 2014

Something evil on 66.96.223.192/27

There seems to be some exploit activity today on the IP range 66.96.223.192/27 (a customer of Network Operations Center, US). Most domains are already flagged as malicious by Google, and I've reported on bad IPs in this range before.

A list of the domains I can find in this range, their myWOT ratings and Google and SURBL prognoses can be found here [csv].

I would recommend applying the following blocklist:

Tuesday, 8 April 2014

Michael Price and BizSummits get ROKSO listed, scurry under the spotlight

Recently I wrote about a spam run being sent by Michael Price and/or BizSummits and examined the high level of fake material on their "Summits" websites.

In the past few days, BizSummits and Michael Price have the very dubious distinction of being listed in the Spamhaus ROKSO list of what they consider to be the worst spammers worldwide.

A ROKSO listing is bad news because it means that reputable web hosts will not do business with them.

So what happened next?

Well, basically most of the domains listed here have suddenly changed registrar and IP address, and the WHOIS details have been changed to something that looks rather fake (in my opinion). For example, the domain BizSummits.org has the WHOIS details changed from:

Registrant ID:CR38175629
Registrant Name:DNS Administrator
Registrant Organization:BizSummits
Registrant Street: 1200 Abernathy Rd, 17th Floor
Registrant City:Atlanta
Registrant State/Province:Georgia
Registrant Postal Code:30328
Registrant Country:US
Registrant Phone:+1.8006003389
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email:dnsadmin@bizsummits.org

to

Registrant ID:NS-b48b7b229f5dc
Registrant Name:Michael Loeloff
Registrant Organization:
Registrant Street: 8380 Lagos De Campo Blvd
Registrant City:Tamarac
Registrant State/Province:FL
Registrant Postal Code:33321
Registrant Country:US
Registrant Phone:+1.2025688305
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email:dnsadmin@bizsummits.org

...which is an anonymous-looking apartment in Florida. Most of the other domains have been geographically scattered to different addresses and names. Strangely, none of the registrants seem to have a web footprint. In my personal opinion, these addresses are deliberately fake, and they have been changed by someone working for BizSummits.

It isn't just the WHOIS details that changed: in the case of BizSummits.org the registrar has changed from GoDaddy to NameSilo for unknown reasons, and the IP address has changed from 184.168.221.27 (GoDaddy) to 198.199.112.47 (Digital Ocean). To me that looks like GoDaddy booted them off their network, although there could be other explanations, I suppose.

Conversely, most of the domains used in the spam run listed here appear to have been deleted, either by the registrar or by the owner. It doesn't really matter as far as evidence is concerned because services such as DomainTools maintain historical WHOIS records.

Overall, there seems to be a great deal of scurrying around as the spotlight has been shone on their activities.

I'm curious as to whether or not Michael Price or BizSummits think that the spam run sent from their servers was legitimate and legal, and as to whether or not they believe that the use of the images from other companies is justified.

It does appear that someone using Michael Price's photograph and name tried to post a comment, and then thought better of it. Hmmm.


Sage "Please see attached copy of the original invoice" spam

This fake Sage spam comes with a malicious attachment:

Date:      Tue, 8 Apr 2014 08:65:82 GMT
From:      Sage [Merrill.Sterling@sage-mail.com]
Subject:      RE: BACs #3421309

Please see attached copy of the original invoice. 

Attached is a file BACs-3421309.zip which in turn contains a malicious executable BACs-040814.exe which has a VirusTotal detection rate of 10/51.

The Malwr analysis shows that it attempts to download a configuration file from [donotclick]hemblecreations.com/images/n0804UKd.dim and then it attempts to connect to a number of other domains and IP addresses.
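Both the Sky.com Statement.zip / Statement.scr sample and the Sage BACs-3421309.zip / BACs-040814.exe sample share the same shape: a zip attachment wrapping a single executable. As an added example (my code, not the blog's), the Python below holds such attachments at a mail gateway by reading the zip directory without extracting anything; the zip fixtures are constructed placeholders, not the real malware.

```python
import io
import re
import zipfile

# Extensions an invoice or statement has no business arriving with; a double extension
# such as "Statement.pdf.exe" still ends in .exe and is caught the same way.
EXEC_EXT = re.compile(r"\.(scr|exe|com|pif|bat|cmd|js|vbs)\s*$", re.IGNORECASE)

def executables_in_zip(blob):
    """Names of executable members in an in-memory zip, read from the central directory
    only (nothing is extracted). A corrupt or non-zip blob yields an empty list."""
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            return [name for name in zf.namelist() if EXEC_EXT.search(name)]
    except zipfile.BadZipFile:
        return []

def quarantine_attachment(filename, blob):
    """Return (hold, reason) for one attachment: hold bare executables and any zip
    that contains one, which is the pattern of the Sky.com and Sage samples above."""
    if EXEC_EXT.search(filename):
        return True, "bare executable attachment"
    if filename.lower().endswith(".zip"):
        found = executables_in_zip(blob)
        if found:
            return True, "zip contains executable: " + ", ".join(found)
    return False, ""

def make_zip(members):
    """Constructed fixture builder: zip the given {name: bytes} pairs in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()

# Constructed samples modelled on the attachment names quoted in the posts; the
# member contents are placeholder bytes, not the real malware.
STATEMENT_ZIP = make_zip({"Statement.scr": b"MZ placeholder"})
BACS_ZIP = make_zip({"BACs-040814.exe": b"MZ placeholder"})
CLEAN_ZIP = make_zip({"Statement.pdf": b"%PDF-1.4 placeholder"})

if __name__ == "__main__":
    for name, blob in (("Statement.zip", STATEMENT_ZIP), ("BACs-3421309.zip", BACS_ZIP),
                       ("Statement.zip", CLEAN_ZIP)):
        print(name, quarantine_attachment(name, blob))
```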

Recommended blocklist: