Thursday, 17 April 2014

hacked, used in pharma spam run

Overnight I received about 500 messages similar to this:

Thank you for considering our products and services, your information arrived today.

Alright, here's the link to the site:

Proceed to Site

Thank you for taking the time to contact us.

Regards, Bethany Briseno, Support Team manager.


Thank you for your letter of Apr 17, your information arrived today.

Alright, here's the link to the site:

Proceed to Site

Thank you for taking the time to contact us.

Regards, Silas Mixon, Support Team manager.


Thank you for considering our products and services, your information arrived today.

Alright, here's the link to the site:

Proceed to Site

If we can help in any way, please do not hesitate to contact us.

Sincerely, Jenna Golden, Support Team manager.


Thank you for your letter of Apr 17, your information arrived today.

Alright, here's the link to the site:

Proceed to Site

If we can help in any way, please do not hesitate to contact us.

Sincerely, Fredricka Palacios, Support Team manager.
In each case the message was from either "Support Center" or "Ticket Support" with a subject in the form of "Ticket [#5409290]" (the number is random).
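A small detector for this run, added here as an example and not part of the original post: it parses a raw message with Python's standard email library and scores the three signals just described, the sender display name, the "Ticket [#NNNNNNN]" subject shape and the stock body text. The two messages embedded in it are constructed to show a hit and a miss; the `example.invalid` addresses and the threshold of two signals are assumptions.

```python
import re
from email import message_from_string
from email.policy import default
from email.utils import parseaddr

# Signals of the "Ticket [#...]" pharma run: display names, subject shape, body boilerplate.
SENDER_NAMES = {"support center", "ticket support"}
SUBJECT_RE = re.compile(r"^Ticket \[#\d+\]$")
BODY_PHRASES = (
    "your information arrived today",
    "here's the link to the site",
    "proceed to site",
    "support team manager",
)


def ticket_spam_score(raw_message: str) -> int:
    """Count how many of the campaign's three signals a raw RFC 5322 message matches (0-3)."""
    msg = message_from_string(raw_message, policy=default)
    score = 0

    display_name, _addr = parseaddr(str(msg.get("From", "")))
    if display_name.strip().lower() in SENDER_NAMES:
        score += 1

    if SUBJECT_RE.match(str(msg.get("Subject", "")).strip()):
        score += 1

    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content().lower() if body is not None else ""
    # Any two of the stock phrases is enough; names and greetings vary between messages.
    if sum(phrase in text for phrase in BODY_PHRASES) >= 2:
        score += 1
    return score


def is_ticket_spam(raw_message: str, threshold: int = 2) -> bool:
    """The threshold of two signals is an assumption: tune it against your own mail stream."""
    return ticket_spam_score(raw_message) >= threshold


# Constructed samples (.invalid is a reserved TLD, so these are not real senders).
SPAM = """\
From: "Ticket Support" <support@ticket.example.invalid>
Subject: Ticket [#5409290]
Content-Type: text/plain; charset=utf-8

Thank you for considering our products and services, your information arrived today.

Alright, here's the link to the site:

Proceed to Site

Thank you for taking the time to contact us.

Regards, Bethany Briseno, Support Team manager.
"""

HAM = """\
From: "Helpdesk" <helpdesk@corp.example.invalid>
Subject: Re: ticket 5409290 - printer still jammed
Content-Type: text/plain; charset=utf-8

Hi, I tried the steps from your last reply but the printer is still jammed.
"""

if __name__ == "__main__":
    for label, sample in (("spam", SPAM), ("ham", HAM)):
        print(label, ticket_spam_score(sample), is_ticket_spam(sample))
```

Scoring rather than matching on any single signal keeps a genuine helpdesk reply that happens to say "ticket" out of the net, while still catching the run when the sender name or subject is varied slightly.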

The links in the email go to a legitimate site belonging to Omron Healthcare which has been hacked to serve illegal pharmacy pages, for example:

The landing page does not appear to be malicious, but care should be taken. See this URLquery report for an example.

Omron is a multibillion-dollar Japanese corporation, but it appears to have been hacked through an insecure WordPress installation, which is rather shabby.

One amusing side note: the server that hosts also hosts another Omron-owned site. Enough said.

Wednesday, 16 April 2014

Something still evil on

Last week I wrote about a rogue netblock hosted by Network Operations Center in the US. Well, it's still spreading malware, but now there are more domains active on this range.

A full list of the subdomains I can find is posted here [pastebin]. I would recommend that you apply the following blocklist:

Tuesday, 15 April 2014

"Statement of account" spam

Another fake email with a malicious payload:

Date:      Tue, 15 Apr 2014 19:40:23 +0800 [07:40:23 EDT]
From:      "" []
Subject:      Statement of account


Please find attached the statement of account.

We look forward to receiving payment for the February invoice as this is now due for


This email, including attachments, is private and confidential. If you have received this
email in error please notify the sender and delete it from your system. Emails are not
secure and may contain viruses. No liability can be accepted for viruses that might be
transferred by this email or any attachment. Wilson McKendrick LLP Solicitors, Queens
House, 29 St. Vincent Place, Glasgow G1 2DT Registered in Scotland No. SO303162. Members:
Mark Wilson LLB Dip. NP LP Allan T. McKendrick LLB Dip. LP NP. 
Attached is a file which contains a malicious executable Statement.scr which has a VirusTotal detection rate of 9/51. (The .scr extension nominally marks a Windows screensaver, but such files are ordinary executables; spammers use it to slip past attachment filters that only look for .exe.) Automated analysis tools [1] [2] [3] show an attempted download from the following locations:

A number of other IPs are contacted as well, indicating that this is P2P/Gameover Zeus.

Friday, 11 April 2014

Something evil on,, and,

This set of IPs is being used to push the Angler EK [1] [2]:

Intergenia, Germany

Network Operations Center (HostNOC), US

A look at the /24s that these ranges are in indicates a mix of malicious and legitimate sites, but on the whole it might be a good idea to consider blocking traffic to and

Sites on these IPs consist of hijacked subdomains of (mostly) legitimate domains in the Intergenia range and purely malicious domains in the HostNOC range. I would recommend that you block the following:



Thursday, 10 April 2014

"CCAHC: Climate Change And Health Conference 2014" scam

This spam is a form of advance-fee fraud:

From:     CCAHC
Date:     10 April 2014 16:04
Subject:     Call for Poster

CCAHC: Climate Change And Health Conference 2014

Dear Colleague,
On behalf of the CCAHC Scientific Committee, you are cordially invited to attend the 14th Climate Change & Health Conference to be held in Ibis Garden Hotel, from 16th - 18th May, 2014. 
The CCAHC 2014 event promises unrivalled learning and networking opportunities for the general public. Invited speakers are experts from multiple sectors and disciplines. Case studies of successful collaborations of environment, nutrition and public health across a wide range of issues.
The main theme for this year's poster session is:  "Impacts of Climate Change in Health and Nutrition"
While this is the main theme for the poster session it is not exclusive and you are welcome to submit a poster outside of this theme.
CCAHC 2014 showcases yet another exceptional programme with the latest scientific and best practice consensus on sustainable environment, biometeorological adaptation, global warming, climate change, waste management, greenhouse gas, pollution control, heart health, obesity, weight management, diabetes, child health, gut health, food sensitivity, healthy living and many other hot topics.
Why Attend:
  • Receive current updates on a range of topics, from leaders and expert practitioners.
  • Understand the latest scientific research in detail and discover its implications for your work.
  • Explore and debate controversial topics, discuss what is best for your clients and patients.
  • Sponsorship of air ticket, travel insurance, visa fees and per diem.
  • Enhance your skill set and progress your career.
  • Network with hundreds of other professionals involved in diet, nutrition, environment, health and lifestyle.
  • Participate in the Exhibitor Trail and win prizes!
  • Present your research, project, product or campaign, attract attention and promote your achievements
  • Registration is free of charge for participants from developing countries.
Paper Submissions:
Fax or e-mail up to 300 words describing your proposed paper on or before 18th April 2014. The paper will then be sent to the Advisory Board for evaluation and authors will be given feedback on or before 25th April 2014. The highest rated papers will be invited to present at the conference.
Sincerely yours,
Professor Jon Lloyd
Conference Chair
Maple House, 37-45 City Road, London EC1Y 1AT, United Kingdom.
Tel: +44 (0)70 8764 2424 | +44 (0)70 2404 4920
Fax: +44 (0)843 562 2173
The email originates from (Airtel, Nigeria) via in Bangladesh. Note that the sender is using free email addresses rather than ones that tie back to an identifiable organisation. The email was sent to a spamtrap.
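The origin in the sentence above is read off the Received headers: every relay prepends one, so the header nearest the body is the earliest hop. The following is an added example of doing that in code and is not part of the original post. The message inside it is constructed; the RFC 5737 documentation addresses 198.51.100.77 and 203.0.113.10 stand in for the Nigerian and Bangladeshi IPs the post refers to, the mailbox names are invented, and the free-mail domain list is illustrative rather than complete.

```python
import ipaddress
import re
from email import message_from_string
from email.policy import default
from email.utils import parseaddr

IPV4_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")

# Ranges that cannot be the true source of an Internet-delivered message.
# Checked explicitly rather than via ip.is_global because the RFC 5737 documentation
# ranges used in the sample below are classed as non-global by the ipaddress module.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16",
)]

# Illustrative, not exhaustive: a real filter would use a maintained list.
FREEMAIL_DOMAINS = {"gmail.com", "yahoo.com", "hotmail.com", "outlook.com"}


def routable_ips(received_header: str) -> list:
    """IPv4 addresses in one Received header that could actually be a sending host."""
    found = []
    for match in IPV4_RE.finditer(received_header):
        try:
            ip = ipaddress.ip_address(match.group(1))
        except ValueError:        # e.g. 999.1.1.1 inside some other token
            continue
        if not any(ip in net for net in NON_ROUTABLE):
            found.append(str(ip))
    return found


def origin_chain(raw_message: str) -> list:
    """Routable IPs along the delivery path, earliest hop first.

    Only hops added by servers you trust are reliable: a spammer can pre-seed fake
    Received lines below them, so stop trusting the chain once you leave your own relays.
    """
    msg = message_from_string(raw_message, policy=default)
    chain = []
    for header in reversed(msg.get_all("Received", [])):   # last header = first hop
        for ip in routable_ips(str(header)):
            if ip not in chain:
                chain.append(ip)
    return chain


def freemail_senders(raw_message: str) -> list:
    """Which of From / Reply-To use a free webmail domain instead of an organisation's own."""
    msg = message_from_string(raw_message, policy=default)
    hits = []
    for field in ("From", "Reply-To"):
        _name, addr = parseaddr(str(msg.get(field, "")))
        if addr.rpartition("@")[2].lower() in FREEMAIL_DOMAINS:
            hits.append(field)
    return hits


# Constructed sample: documentation address ranges, invented mailboxes and queue id.
SCAM = """\
Received: from relay.example.net (relay.example.net [203.0.113.10])
    by spamtrap.example.org (Postfix) with ESMTP id 4A7B2C; Thu, 10 Apr 2014 16:05:01 +0100
Received: from [10.0.0.5] (unknown [198.51.100.77])
    by relay.example.net (Postfix) with ESMTPA; Thu, 10 Apr 2014 16:04:40 +0100
From: CCAHC <ccahc.committee@gmail.com>
Reply-To: ccahc.committee@yahoo.com
Subject: Call for Poster
Content-Type: text/plain; charset=utf-8

Dear Colleague,
On behalf of the CCAHC Scientific Committee, you are cordially invited ...
"""

if __name__ == "__main__":
    chain = origin_chain(SCAM)
    print("origin:", chain[0] if chain else "unknown", "path:", " -> ".join(chain))
    print("free-mail fields:", freemail_senders(SCAM))
```

The private address in the innermost header (the submitting client's LAN address, as the relay saw it) is discarded, which is why the chain starts at the relay's view of the client rather than at the client's own idea of itself.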

According to this article at the sting is that there will be visa and hotel fees to pay before going to the conference, and once this money has been sent by Western Union then the scammers will vanish, taking their mythical conference with them.


Wednesday, 9 April 2014

Something evil on

There seems to be some exploit activity today on the IP range (a customer of Network Operations Center, US). Most domains are already flagged as malicious by Google, and I've reported on bad IPs in this range before.

A list of the domains I can find in this range, their myWOT ratings and Google and SURBL prognoses can be found here [csv].

I would recommend applying the following blocklist:

Tuesday, 8 April 2014

Michael Price and BizSummits get ROKSO listed, scurry under the spotlight

Recently I wrote about a spam run being sent by Michael Price and/or BizSummits and examined the high level of fake material on their "Summits" websites.

In the past few days, BizSummits and Michael Price have gained the very dubious distinction of being listed in the Spamhaus ROKSO (Register of Known Spam Operations), which tracks what Spamhaus considers to be the worst spammers worldwide.

A ROKSO listing is bad news because it means that reputable web hosts will not do business with them.

So what happened next?

Well, basically most of the domains listed here have suddenly changed registrar and IP address, and the WHOIS details have been changed to something that looks rather fake (in my opinion). For example, the domain has the WHOIS details changed from:

Registrant ID:CR38175629
Registrant Name:DNS Administrator
Registrant Organization:BizSummits
Registrant Street: 1200 Abernathy Rd, 17th Floor
Registrant City:Atlanta
Registrant State/Province:Georgia
Registrant Postal Code:30328
Registrant Country:US
Registrant Phone:+1.8006003389
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:

to:

Registrant ID:NS-b48b7b229f5dc
Registrant Name:Michael Loeloff
Registrant Organization:
Registrant Street: 8380 Lagos De Campo Blvd
Registrant City:Tamarac
Registrant State/Province:FL
Registrant Postal Code:33321
Registrant Country:US
Registrant Phone:+1.2025688305
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:

...which is an anonymous-looking apartment in Florida. Most of the other domains have been geographically scattered to different addresses and names. Strangely, none of the registrants seem to have a web footprint. In my personal opinion, these addresses are deliberately fake, and they have been changed by someone working for BizSummits.

It isn't just the WHOIS details that changed: the registrar in the case of has changed from GoDaddy to NameSilo for unknown reasons, and the IP address has changed from (GoDaddy) to (Digital Ocean). To me that looks like GoDaddy booted them off their network, although there could be other explanations I suppose.

Conversely, most of the domains used in the spam run listed here appear to have been deleted, either by the registrar or by the owner. It doesn't really matter as far as evidence is concerned because services such as DomainTools maintain historical WHOIS records.

Overall, there seems to be a great deal of scurrying around as the spotlight has been shone on their activities.

I'm curious as to whether or not Michael Price or BizSummits think that the spam run sent from their servers was legitimate and legal, and as to whether or not they believe that the use of the images from other companies is justified.

It does appear that someone using Michael Price's photograph and name tried to post a comment, and then thought better of it. Hmmm.

Sage "Please see attached copy of the original invoice" spam

This fake Sage spam comes with a malicious attachment:

Date:      Tue, 8 Apr 2014 08:65:82 GMT
From:      Sage []
Subject:      RE: BACs #3421309

Please see attached copy of the original invoice. 

Attached is a file which in turn contains a malicious executable BACs-040814.exe which has a VirusTotal detection rate of 10/51. Note also the impossible timestamp in the Date header (08:65:82), a sign of a sloppy spam tool and a cheap thing to filter on.

The Malwr analysis shows that it attempts to download a configuration file from [donotclick] and then it attempts to connect to a number of other domains and IP addresses.

Recommended blocklist:
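The blocklists themselves are not reproduced on this page. As an added example (my own, not the blog's tooling), here is how I would turn a list like the ones recommended in these posts, single IPs, netblocks and hijacked subdomains mixed together, into something a firewall and a resolver can consume: it validates each entry, collapses adjacent ranges, drops names already covered by a listed parent, and emits ipset and DNS Response Policy Zone rules. The sample list embedded in the code is constructed from RFC 5737 documentation ranges and example.* names; the set name `evil` and the zone `rpz.local` are arbitrary.

```python
import ipaddress
import re

# Hostname syntax: labels of 1-63 chars, no leading/trailing hyphen, at least one dot.
DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?:(?!-)[a-z0-9-]{1,63}(?<!-)\.)+(?!-)[a-z0-9-]{1,63}(?<!-)$"
)


def prune_subdomains(domains):
    """Drop names already covered by a listed parent (www.bad.example.net when bad.example.net is listed).

    A parent that is NOT listed keeps its subdomain as-is, which is what you want for
    hijacked subdomains of otherwise legitimate domains.
    """
    kept = []
    for name in sorted(domains, key=lambda d: d.count(".")):   # parents before children
        if not any(name == parent or name.endswith("." + parent) for parent in kept):
            kept.append(name)
    return sorted(kept)


def parse_blocklist(text):
    """Split a mixed blocklist into (collapsed networks, pruned domains, rejected entries)."""
    nets, domains, rejected = [], set(), []
    for line in text.splitlines():
        entry = line.split("#", 1)[0].strip().lower()    # strip comments and blanks
        if not entry:
            continue
        try:
            nets.append(ipaddress.ip_network(entry, strict=False))   # a bare IP becomes /32
            continue
        except ValueError:
            pass
        if DOMAIN_RE.match(entry):
            domains.add(entry)
        else:
            rejected.append(entry)
    collapsed = []
    for version in (4, 6):      # collapse_addresses refuses to mix address families
        collapsed.extend(ipaddress.collapse_addresses(n for n in nets if n.version == version))
    return collapsed, prune_subdomains(domains), rejected


def render_ipset(nets, setname="evil"):
    """ipset restore script; one set per address family, idempotent thanks to -exist."""
    lines = []
    for version, family in ((4, "inet"), (6, "inet6")):
        members = [n for n in nets if n.version == version]
        if not members:
            continue
        name = setname if version == 4 else setname + "6"
        lines.append(f"create {name} hash:net family {family} -exist")
        lines.extend(f"add {name} {n} -exist" for n in members)
    return "\n".join(lines)


def render_rpz(domains, zone="rpz.local"):
    """RPZ records returning NXDOMAIN for each name and everything beneath it."""
    lines = []
    for name in domains:
        lines.append(f"{name}.{zone}. CNAME .")
        lines.append(f"*.{name}.{zone}. CNAME .")
    return "\n".join(lines)


# Constructed sample: RFC 5737 documentation ranges and example.* names stand in for real entries.
SAMPLE = """\
203.0.113.0/25
203.0.113.128/25        # adjacent to the line above: collapses into 203.0.113.0/24
198.51.100.17
198.51.100.17           # duplicate
bad.example.net
www.bad.example.net     # redundant, parent is listed
cdn.legit.example.com   # hijacked subdomain of a legitimate domain: block only this name
not a domain!
"""

if __name__ == "__main__":
    nets, domains, rejected = parse_blocklist(SAMPLE)
    print(render_ipset(nets))
    print(render_rpz(domains))
    print("rejected:", rejected)
```

Pipe the ipset output into `ipset restore` and reference the set from an iptables rule; load the RPZ records as a zone in a BIND or Unbound response-policy configuration. Two cautions from the posts above apply: a /24 that mixes malicious and legitimate sites will cause collateral damage if you block the whole range, and because the RPZ wildcard covers everything beneath a listed name, list the hijacked subdomain rather than its legitimate parent.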