Saturday, 22 November 2014

Oplamo Herbal Root scam

As far as I can tell, there is no such thing as "Oplamo Herbal Root". So, this spam is almost definitely a scam.

From:     Mr. Tom Good Hope []
Date:     22 November 2014 02:24

My name is Tom Goodhope i based in Liverpool,UK working with a pharmaceutical company.
I have decided to contact you directly to discuss briefly via email about the ongoing supply that came up in our company.

I think if you can understand English and India Language (Hindi,Tamil etc) you can take up this business proposal to buy out OPLAMO HERBAL ROOT from the local producer in India and make supply to our company as the direct producer to enable our company be buying direct from you on every subsequent order after this first purchase.

OPLAMO ROOT its used for production of Anti-viral drugs & Animal Vaccines.Our company have been purchasing the materials from Pakistan but it is very scarce and expensive now in Pakistan. I've found out the truth that this Pakistan people purchases this product in India at the rate of $210 USD,while they supply to our company at the rate of $430 USD.

Recently i got the contact information of a local producer in India that preserve {OPLAMO} herbal root to the quality our company needs for production and i came to know that this product can be purchase at rate of $280 US dollar per sachet in India.

Note that i can not release the contact information of the local producer easily to anybody that can not follow up with guidelines on how to make this supply on this first supply,because if any mistake occurs and my company finds out that i'm involve in given information to someone to supply this product to them they will consult a legal petition against me and i can not go to India to buy and supply this product to our company because i do not have money to handle this business and i don't want to release this information to our company management.

Our company buys 3000 sachets (each sachet contains 5 grams),but on the first order with any producer they want to give a trial order of 300 or 500 sachets and payment method for this first order is COD- cash on delivery, upon their satisfaction on this first order they would be making payment on T/T in advance.

Please read this business proposal very well before you reply me,if you can not handle this business according to my guideline its better you don't reply me,because i want you and i to be on safer side in this transaction.

Upon your reply i will clarify you more on how to start this business immediately,please drop your contact phone number for me to be able to contact you ASAP.


Mr Tom Goodhope

Company Secretary
"Tom Goodhope" sounds more Nigerian than British, but the originating IP address is actually in Delhi, sent via [] in the US.

Given that all the search results I can find for "Oplamo Herbal Root" or "Oplamo Root" seem to be similar scams, I would suggest that this doesn't even qualify as snake oil and I would give it a very wide berth.

"Ihr Zahlungsauftrag - 41401236123" spam

This German-language spam leads to malware.

Von: Sparkasse IT AG []
Gesendet: Freitag, 21. November 2014 15:03
Betreff: Ihr Zahlungsauftrag - 41401236123

Der Auftrag wurde entgegengenommen.
 21. November 2014, 02:02:17 Uhr

 Sie haben eine Zahlung über 2735,15 EUR an Miss Elita Zirne veranlasst.
 Wir haben die Sparkasse über die Versandbereitschaft des Artikels in Kenntnis gesetzt. Weitere Details zu diesem

In this case the link goes to where it downloads a file which in turn contains a malicious executable 2014_11_transaktions_id_000000039190_de_398000283221_0033565020_029389227_92_200001.exe which has a VirusTotal detection rate of 14/55.

Automated analysis tools [1] [2] [3] are not particularly revealing, but similar recent malspam runs have been linked to Geodo.

Friday, 21 November 2014 spam.. or Joe Job?

When I saw this spam, I assumed that it was a pump-and-dump scam.

Date:     21 November 2014 07:58
Subject:     Sign up now


Want to make money with stocks?
Sign up at for a small monthly fee only.

© 2001-2012 All Rights Reserved. is operated by Amerada Corp

Here is another version of the body text:


Stock Tips Delivered to your Inbox!
Stock Tips is the #1 stock alert service... As always membership is 100% FREE!

© 2001-2012 All Rights Reserved. is operated by Amerada Corp

The spam was sent to an account that often receives pump-and-dump spam, and it has never signed up for anything like this. The most likely source for the email address in question is from the virus-infected computer of a contact.

So what is this? A virus? There's nothing malicious about this email. A Joe Job? Well, I've had a LOT of these, and even the most stupid email marketer tend not spam the same recipients over and over again. So perhaps it is a Joe Job.

IP address analysis

The IP addresses used to send the spam seem to be a mix of compromised PCs and servers, possibly forming part of a botnet. Legitimate companies don't use this kind of technique (obviously), but even real companies that do send spam tend to find a proper web host somewhere. This is another indicate that it might be a Joe Job. Unitymedia, Germany Project Honeypot shows that it has only been used for spam quite recently.  It looks to be a server rented from a legitimate company, although obviously for illegitimate purposes. Possibly the server has been compromised. Gamma Telecom, UK Project Honeypot shows just how spammy this IP is. And it has been used for stock spam in the past as well, which indicates this is not a one-off. It looks like this may be a compromised server. Telefonica de Espana SAU, Spain Resolves as, so a static IP rather than a DSL connection. Project Honeypot says that it used to be used for spam some time ago but has been clean for a long time. Vectra S.A., Poland Description is "Vectra Broadband Users" which indicates a DSL or cable connection. Project Honeypot has no data. Feliz Acesse Comunicacao Ltda, Brazil No data on this, could be a domestic IP address. Bezeq International Ltd, Israel Appears to be a domestic broadband user. TurkTelekom, Turkey ADSL subscriber Arcor AG, Germany Arcor / Vodafone DE business customer.

What about itself? is a snazzy looking site..

But there is not one single piece of information that identifies who runs it, except for a reference to Amerada Corp which is also mentioned in the spam email. The WHOIS details for the domain are also hidden, so it is impossible to determine who actually owns the site.

A search for "Amerada Corp" comes up with nothing except that it is a former name of Hess Corporation who are clearly nothing to do with this.

Scrolling down the page gives a clue as to what this might be about..

A $37 signup fee? No thanks.. but it says it is a one time fee but the spam says a monthly fee. That's inconsistent. Another indicator of a Joe Job? Perhaps.

Something else caught me eye.

HAIR was the subject of a massive pump-and-dump spam run last year. After recommended HAIR in May of 2012, the share price basically fell off a cliff.


A bit of Googling around shows a lot of negative comment about There are some accusations that I have not been able to verify that they are involved in paid stock promotions for the penny stocks that they list.

The Penny Stock market has a lot of legitimate players, but there are also a lot of people who try to manipulate the market for their own gains. It is possible that has clashed in some way with the sort of people who run pump-and-dump scams, and they have decided to take their revenge by creating this fake spam run.

Perhaps if you have some experience with this outfit, you would like to share it in the comments? Note that all comments are owned by the people posting them.

"Duplicate Payment Received" spam from "Enid Tyson" has a malicious DOC

This fake financial spam has a malicious Word document attached.

From:     Enid Tyson
Date:     21 November 2014 15:36
Subject:     INV209473A Duplicate Payment Received

Good afternoon,

I refer to the above invoice for which we received a bacs payment of £675.74 on 10th November 14.  Please be advised that we already received payment for this invoice, by bacs on 30th October 2014.

I will therefore arrange a refund, please confirm preferred method, cheque or bacs transfer.  If a cheque please confirm the name the cheque should be made out too or if bank transfer, please advise bank details. 

If you have any queries regarding this matter, please do not hesitate to contact me.

I look forward to hearing from you .

Many thanks

Enid Tyson
Accounts Department
In this case the attachment is De_209473A.doc but it will probably vary with the subject name, the document itself has zero detections at VirusTotal (the Malwr report is inconclusive). This contains a malicious macro [pastebin] which connects to the following URL:

I only have one sample at the moment, there are probably other download locations, the This then downloads a file test.exe which is saved to %TEMP%\VYEJIUNSXLI.exe.

This has a VirusTotal detection rate of just 1/55. The malware is hardened against analysis in a Sandbox so automated results are inconclusive [1] [2] [3] [4].

A second version is going the rounds, with zero detections  and a download location of

A copy of the malicious macro can be found here.

Something evil on (Netart Group S.r.o. / Movenix International Inc) forms part of an exploit chain that starts with compromised OpenX servers and appears to end up with an exploit kit of some sort.

The following subdomains have been active on that server, they are ALL hijacked GoDaddy domains:

Domains spotted so far with malicious subdomains:

The best thing to do is to block traffic to because these domains seem to change every few minutes.

Tuesday, 18 November 2014

"INCOMING FAX REPORT" spam, let's party like it's 1999

Hang on, I think I need to load some more papyrus into the facsimile machine, the 1990s are back!

From:     Incoming Fax []
Date:     18 November 2014 13:16
Subject:     INCOMING FAX REPORT : Remote ID: 766-868-5553


Date/Time: Tue, 18 Nov 2014 14:16:58 +0100
Speed: 4222bps
Connection time: 01:09
Pages: 5
Resolution: Normal
Remote ID: 963-864-5728
Line number: 1
Description: Internal report

We have uploaded fax report on dropbox, please use the following link to download your file:

This is (of course) utter bollocks, and the link in the email downloads a ZIP file which in turn contains a malicious executable document_8731_pdf.exe which has a VirusTotal detection rate of 4/54. According to the Malwr report it makes these following HTTP requests:

It also drops a file EXE1.EXE onto the target system which has a detection rate of 7/55. You can see the Malwr report for that here.

Recommended blocklist:

Monday, 17 November 2014

"Test message" spam plague continues..

This plague of spam "test messages" have been going on for two days now, probably sourced from "Botnet 125" which sends most of the spam I get. These messages are annoying but no harmful in themselves, I suspect they are probing mail servers for responses.

If you have a catch-all email address then you will probably see a lot of these. The targets are either completely random or have been harvested from one data breach or another as far as I can see.

From: Hollie <>
Date: 17 November 2014 19:04
Subject: Test 8657443T

test message.

Murphy became a free agent on October 15, after refusing a minor league assignment. Silva implies the last cycle has begun, believing herself to be the host.
Icelandic had been heard. American CIA contract air crews and pilots from the Alabama Air Guard.


From: Bethany <>
Date: 17 November 2014 20:00
Subject: Test 513081H

test message.

George Washington's existing building was constructed in 1960 and has had many renovations since its opening. His parents ran a restaurant, but his father emigrated to South America and never returned.
From 1971 to 1975, he was head of the Semiconductor Electronics Research Department. AIDS, which marked one of the most painful parts of Blotzer's life.


From: Lilly <>
Date: 17 November 2014 19:18
Subject: Test 547004K

test message.

On its full length, it passes through 14 provinces of Turkey. During the night, Dudu develops a cough and in the morning he is rushed to a local hospital.
The regular season was won by the Sevilla FC Puerto Rico, which became the first team to win two regular season cups. Letter to the World Narcotic Defense Association.


From: Eddie <>
Date: 17 November 2014 19:20
Subject: Test 769978N

test message.

District 16 in the upper chamber. These allegations were followed by a long investigation of the convent that caused much inner strife amongst the nuns.
The teams alternate turns on who will pick first depending on the night. Bellona's report on RTG lighthouses.


From: Alba <>
Date: 17 November 2014 20:18
Subject: Test 7900710A

test message.

DR B1 and DQ B1 polymorphisms in patients with coronary artery ectasia. The Thames at Brentford.
Chi world GNI percapita. Little known gems are unearthed.


From: Neal <>
Date: 17 November 2014 19:03
Subject: Test 974193J

test message.

It is a very good preparation for further studies in law, literature and linguistics. IPSC and USPSA provide for two power factors, major and minor.
Lake Agassiz can also be seen today. He threatened her, saying that if she told anyone, he would kill her too.


From: Sabrina <>
Date: 17 November 2014 19:17
Subject: Test 685552L

test message.

The episode starts with girls comments about Alyona's leaving. US 52 leaves the highway here.
Cwmgors Community Centre by Aberdare Blog. Darcy invites Spinner over after she finishes packing for summer camp so they can spend time together before she leaves.


From: Debora <>
Date: 17 November 2014 20:22
Subject: Test 409258E

test message.

Combined with manual transmission, these cars were often used as drag racers due to their light weight. A break in his health led to his retirement in 1920.
The company milled lumber and ground flour. Improving the existing headroom under the bridge from 3.

Interfax "Failed Fax Transmission" spam comes with malicious .DOCM file

This fake fax spam comes with a malicious attachment

From:     Interfax []
Date:     13 November 2014 20:29
Subject:     Failed Fax Transmission to<00441616133969>

Transmission Results
Destination Fax:  00441616133969
Contact Name:
Start Time:  2014/11/13 20:05:27
End Time:  2014/11/13 20:29:00
Transmission Result:  3220 - Communication error
Pages sent:  0
Subject:  140186561.XLS
Duration (In Seconds):  103
Message ID:  485646629

Thank you for using Interfax
Home page:

Attached is a malicious Word macro file called 00000293.docm which is currently undetected at VirusTotal. The Malwr report doesn't say much (Malwr isn't great at analysis this type of threat). Inside this .DOCM file is a malicious macro [pastebin] which attempts to download a malicious binary from

This file is downloaded to %TEMP%\MRSWZZFEYPX.exe and the binary also has zero detections at VirusTotal, and the Malwr report shows that it tries to connect to the following URL:$slf%2B%20l%3D%7E

It then drops a malicious DLL onto the target system which has a rather better detection rate of 12/53

If you are a corporate email admistrator they you might consider blocking .DOCM files at the perimeter as I can see no valid reason these to be sent by email. You should definitely block (Hostway, Belgium) as this is a known bad server that has been used in several recent attacks.

Friday, 14 November 2014

Dear spammers.. alotbqobutarkwqechsdovmzfwa to you too.

Dear spammers,

Sending links out like this to drive people to your fake meds site does not work.

From: Tudu []
Sent: 15 November 2014 03:42

Even if you stuff your page with what you think are unique keywords such as:

uokhkuqvwrxrpijbdxfw isn't going to stop awkward bastards like me from hijacking your search results.

[FYI.. I did not send out the spam you clicked. Somebody sent out a spam advertising a fake meds site - I am merely hijacking their attempts to direct people to the site through superiour search engine optimisation]

Thursday, 13 November 2014

"Test mesage" / "hi there" spam

Here's an unusual spam run coming through right now.. it doesn't seem to have a payload at all..

From:     Bryon Jimenez []
Date:     13 November 2014 12:09
Subject:     Test mesage 612985B

hi there

Where the valley narrows into the cleft of the mountains, a lake lies surrounded by lush grasses. Putting another image may not reflect the article's subject logo.
Genesee and Flushing Townships where split off on March 6, 1838. French missionary and philosopher.
We did a lot of shows to 20 people in a bar who were more interested in cheap drinks than they were the band. Camps and social works.
Commented out because it's imprecise and contains false information. It is given to those who do not actively seek it. After the transfer period ended, Guerreiro apologised to Bajevic and was given another chance and is now a member of the squad.


From:     Ruben Randall []
Date:     13 November 2014 11:06
Subject:     Test mesage 3144664L

hi there

Player 1 then presses any one of the top red phrase buttons and listens to the beginning half of a phrase. Peter Murray on Debrett's website.
Asopus had twenty daughters but he provides no list. It supports a 240 MW power station.
Profilo di architettura italiana del Novecento, Marsilio, Venezia, 1999, pp. Then the teacher posts the assignment.
American born electronic music producer and DJ now residing in Berlin, Germany. The role of Cio Cio San like most other characters she has portrayed is quickly becoming a signature for her. Williamson, Garner and Musgrove Company, and the Cagli and Paoli Opera Company.


From:     Selma Carter []
Date:     13 November 2014 12:11
Subject:     Test mesage 0254082S

hi there

It was Federer's 3rd title of the year and the 3rd of his career. EL to see if your link meets the Wikipedia style guide.
Squadron Leader Pentland in New Guinea, c. Users can stream music directly from ZumoDrive to iPhone, iPod Touch, Android and WebOS devices.
The work received little critical attention. Saura also attempts to strengthen autobiographical themes found in the original story.
Methodists, in the area. Today it is not uncommon to find early Corgi models with such additions still intact. Edmund Sebastian Joseph van der Straeten.
In all cases "Test mesage" is spelled incorrectly and the body is just "hi there". Because there is no malicious payload (such as an attachment or link) and the message lacks the sort of trigger words that might get it blocked then there is a high probability that at least some of these will get through your spam filter/

Vodafone D2 "Ihre Festnetz-Rechnung für November 2014" spam

This fake Vodafone spam seems to be widely distributed, even though it is obviously targeted at German speakers.

From:     Vodafone D2 [] [pm2053em1]
Date:     13 November 2014 09:13
Subject:     Ihre Festnetz-Rechnung für November 2014

Ihre Kundennummer: 883286157

Sehr geehrte Damen und Herren,

anbei erhalten Sie Ihre Rechnung vom 13.11.2014.


Der Rechnungsbetrag in Höhe von 357,26 EUR wird am 23.11.2014 von Ihrem Konto abgebucht.

Ihre Rechnung ist im PDF-Format erstellt worden. Um sich Ihre Rechnung anschauen zu können, klicken Sie auf den Anhang und es öffnet sich automatisch der Acrobat Reader.

Freundliche Grüße
Ihr Vodafone Team

In this case, the link in the email goes to where it downloads a file which contains a malicious binary 2014_11vodafone_onlinerechnung_0020003909_november_3903980009_11_00000000445.exe

This file has a very low detection rate at VirusTotal of 1/53. Most automated analysis tools [1] [2] [3]  don't say much, however the ThreatTrack report [pdf] is more details and apparently shows the malware phoning home to: (DataClub, Latvia) (Markum Bilisim Teknolojileri, Turkey)

Additionally, the following IPs and active domains are queried: (Ken Thomas, US) (GleSYS Internet Services, Sweden) (Hetzner, Germany) (WDI Solucoes Ltda, Brazil) (ANW GmbH, Germany) (Balticservers, Lithunia) (RCS & RDS Business, Romania) (Cyberverse, US) (Privatelayer, Switzerland) (Privatelayer, Switzerland) (Softlayer, US)

Some of these DGA domains have been sinkholed, I have removed obvious ones but not that some of these IP addresses may not actually be malicious. However, if you are a network administrator there is no harm in blocking or monitoring sinkholes from your network, so I would recommend the following blocklist:

UPDATE 2014-11-20
I previously recommended blocking the following IPs which it turns out are legitimate, possible added by the malware authors to create false positives. If you have blocked them then I recommend unblocking them.

Wednesday, 12 November 2014

"ADP Past Due Invoice#39911564" spam

I haven't seen ADP-themed spam for a very long time, mostly because it gets filtered into a deep dark hole that even I can't see into.

From: []
Sent: 12 November 2014 16:28
Subject: ADP Past Due Invoice#39911564

 Your ADP past due invoice is ready for your review at ADP Online Invoice Management .

 If you have any questions regarding this invoice, please contact your ADP service team at the number provided on the invoice for assistance.

 Please note that your bank account will be debited within one banking business day for the amount(s) shown on the invoice.

Review your ADP past due invoice here.

 Important: Please do not respond to this message. It comes from an unattended mailbox.
Most of the ones that I have seen are malformed and instead of a link they just say <html> which is one reason that it is getting through the spam filter. I have seen one live one, leading to [donotclick]

This downloads a ZIP file which in turn contains a malicious executable invoice1211_pdf.exe which has a VirusTotal detection rate of 6/54.

It then contacts the following URLs according to the Malwr report:

Recommended blocklist:

Exchange House Fraud (Police Headquaters) / spam

I got a lot of these yesterday that I've only just noticed..

Subject:     Exchange House Fraud (Police Headquaters)

please note that your attension is needed in our station, as we got information on this fraud information as transactions detailed in attachment. kindly acknowledge this letter and report to our office as all report and contact details are in attachment. failure to this you will be held responsible.

Note: come along with your report as it will be needed

Police headquarters.
Investigtion dept. 

Attached is a file EXCH DETAILS PR which contains two files:


This is some sort of malicious application written in Java (top tip - if you have Java installed on your computer, remove it. You probably don't need it). It has a VirusTotal detection rate of 7/55 and the Malwr report has some screenshots of something odd happening, but not much more data.