Thursday, 24 April 2014

"Balance Scheet" spam

This terse spam has a malicious attachment:

Date:      Thu, 24 Apr 2014 12:80:56 GMT [08:08:00 EDT]
From:      Admin@victimdomain
Subject:      FW: Balance Scheet

Please save the attached file to your hard drive before deleting this message. Thank you.
The mail headers in the email have been faked to make it look like it originated inside the victim's own internal network. Attached to the email is an archive file Balance-Sheet.zip which in turn contains a malicious executable Balance-Sheet.exe which has a VirusTotal detection rate of just 3/51.

Automated analysis tools [1] [2] [3] show an attempted download from the following locations:
[donotclick]tmupi.com/media/images/icons/team/Targ-2404USm.tar
[donotclick]altpowerpro.com/images/stories/highslide/Targ-2404USm.tar




"Atlanta Consulting" fake job offer, atlantaconsulting.net / atlantaconsulting.us / atlantaconsulting.co

This fake job offer comes from a bunch of scammers passing themselves off as "Atlanta Consulting" (not to be confused with several legitimate firms of similar names)

From:     Gertrude Holden [multivariate88@afes.com]
Date:     24 April 2014 14:16
Subject:     Vacancy

Good Day!

A new advanced vacant position is available!

I am a chief personnel officer of an Australian consulting company. We deal with non-typical business solutions. Also we introduce different outsourcing solutions. Presently we have many clients in Europe. To anticipate our cooperation with them, we need to find few regional managers.
We offer a part-time employment and opportunity to advance. Also we provide free elementary training. Initial salary is 2000 euro. If our offer is interesting to you, please send your answer on our e-mail:

info @ atlantaconsulting . net   (remove spaces before sending email)

specifying your country, city of residence, contact telephone number and desired time for call. Our managers work 24 hours for you!

Best regards!
GERALD DAMIEN
The following domains are all part of the same scam:
atlantaconsulting.net
atlantaconsulting.co
atlantaconsulting.us


The WHOIS details for the domains are undoubtedly fake and are certainly not Australian:

Administrative Contact ID:                   COCO-5041
Administrative Contact Name:                 John Carpenter
Administrative Contact Address1:             831 Ridgeview Dr
Administrative Contact City:                 Frankfort
Administrative Contact State/Province:       KY
Administrative Contact Postal Code:          40601
Administrative Contact Country:              United States
Administrative Contact Country Code:         US
Administrative Contact Phone Number:         +1.6064521498
Administrative Contact Email:                jjcarp9@gmail.com


There's a flashy website with no real substance..


The sites are hosted on 151.236.22.16 (EDIS GmbH, US) and the email in this case originated from 190.67.150.55 in Colombia.

The so-called job is going to be money laundering, or perhaps parcel reshipping (described in the video below) or some other scam which will involve you doing something illegal. Avoid.


"freshmarketinguk.com" spam from Sally Gaskell and Darren Gaskell and Ekmsystems.co.uk

The Sally and Darren Gaskell spamming team strikes again, with another pitch for their perenially "closing down" company.. which has been closing down since 2012 (at least!)

From:     UK Data Portfolio [info@fresh-marketinguk.com]
Date:     24 April 2014 11:00
Subject:     UK Data Portfolio

UK Business Database

dynamoo@spamcop.net

We have decided to cease our data broking service to concentrate on our increasing consultancy work.

We have built and developed a UK business portfolio of 550,000 records. It is opted in at decision maker level and contains full business profiles along with the decision makers direct email address.  It has been verified monthly and is extremely accurate.

We normally sell this information for over £2000 but as we are only permitted to sell another four copies due to opt in agreements and due to the fact that we are closing this division we thought we would offer it to a few businesses at a lower cost of £475.

Sales will close either when four sales are achieved or on Friday 25th April when we aim to finalise things.

We have changed the price of the database on our website to £475 so you just need to purchase the Full UK Database.

Website: freshmarketinguk (.) com

We’ve included the (.) as links can compromise delivery and we are only sending this email to a small number of recipients so we want to make sure they are delivered.

Please reply to this email with any queries or call us on 0114 4055999.  There is also live chat on the website.

Many thanks

Fresh

Unsubscribe by email
The email is sent (as always) to an address scraped off the internet, so the mailing list there are selling is probably of a similar low quality, or alternatively the list might be stolen off someone else. In any case, the pitch about "closing" is a flat lie as they were using the same line two years ago. There's a very good chance that using this list will get you blacklisted for spamming.

The originating IP is a satellite provider on 176.227.129.197, it has been sent via serv03.emsmtp.info (95.47.156.249) and is hosted on spam-friendly provider Ekmsystems.co.uk on 85.159.56.230 who have been providing support to the Gaskells for some time.

The Gaskells have to change their websites as often as they do their underwear. The following sites use the contact phone number of 0843 289 9034 and all offer basically the same (probably) worthless product.

freshdatauk.com
freshmarketinguk.com
1st-data.com
ukbusinessemaildata.com



OnePlus One

[Via]

Expected Q2 201423rd April 2014

Possibly the greatest smartphone you have never heard of, the OnePlus One is an attractive, premium smartphone without the expensive price-tag.



OnePlus is a startup founded late last year by Pete Lau, vice-president of up-and-coming Chinese firm OPPO. The stated design philosophy of OnePlus is "Never Settle" which is reflected in an apparently very high quality of product design. The OnePlus One manages to look both smart and distinctive at the same time.

Elegance is sometimes only skin-deep, so what lies underneath the One's pleasing exterior? Inside is a 2.5GHz quad-core Qualcomm Snapdragon CPU with 3GB of RAM, 16 or 64GB of storage and a large 3100 mAh battery. On the front is a 5.5" 1080 x 1920 pixel full HD display with a 13 megapixel camera on the back and a 5 megapixel one on the front. It's worth noting that the main camera is a Sony Exmor unit which has a proven track record in this type of device.

This is an LTE-capable device with NFC support and all the usual high-end features. But there are some more unusual features too.. prefer on-screen navigation buttons? You can have those. Prefer the buttons at the bottom? Well, you can switch on those instead. Want to personalise your phone? You can change the back of the device, and you can even use a wooden panel like the Moto X. In fact, the OnePlus One seems to be full of little design details that lift it way above the run-of-the-mill and allow it to compete with leaders such as the HTC One M8 and Apple iPhone 5S.

The operating system is Cyanogenmod 11S which is a reworking of Android 4.4. Cyanogenmod is popular with people who like to create custom ROMs for their Android devices, and it has a dedicated following of users and developers. You can control the OnePlus with gesture control and pretty much customise it in exactly they way you want.. something that can be difficult with other Android handsets.

The hardware and software look appealing.. but what about the price? OnePlus say that the One will cost $299 / €269 for the 16GB Silk White version or $349 / €299 for the 64GB Sandstone Black version. Initial markets will be the US most of Western Europe* plus Hong Kong and Taiwan.


 That price is about half that of the HTC One M8 which is probably the best handset on the market at the time of writing. OnePlus say that the One should be available during Q2 although the initial release looks like it will be through invitation only. More details can be found on their website at oneplus.net.

One word of warning though - OnePlus are a completely new startup and the company has no track record in getting products to market (although many of their employees do). It's quite possible that the product might ship late (or not at all), the price might change or the quality might not be up to scratch. But we certainly hope that this handset is as good as it promises to be.

* Austria, Belgium, Denmark, Finland, France, Germany, Italy, Netherlands, Portugal, Spain, Sweden, United Kingdom.

OnePlus One at a glance
Available:
Q2 2014
Network:
GSM 850 / 900 / 1800 / 1900
UMTS 850 / 900 / 1700 / 1900 / 2100
LTE Bands 1 / 3 / 4 / 7 / 17 / 38 / 40
Data:
GPRS + EDGE + UMTS (3G) + HSPA+ +
LTE + WiFi
Screen:
5.5" 1080 x 1920 pixels
Camera:
13 megapixels (main)
5 megapixels (sub)
Size:
Large smartphone
153 x 76 x 8.9mm / 162 grams
Bluetooth:
Yes
Internal memory:
16GB / 64GB
Memory card:
None
CPU:
2.5GHz quad-core
RAM:
3GB
Java:
Optional
GPS:
Yes (plus GLONASS)
OS:
Cyanogenmod 11S / Android 4.4
Battery life:
Not specified (3100 mAh cell)


Wednesday, 23 April 2014

"Broad Oak Toiletries Ltd" fake invoice spam

This spam purports to be from a legitimate company called Broad Oak Toiletries Ltd, but in fact it is a fake with a malicious payload and it does not come from Broad Oak Toiletries at all (some other reports say their email has been hacked, it has not.. this is a forgery)

Date:      Wed, 23 Apr 2014 08:13:19 +0000 [04:13:19 EDT]
From:      Sue Mockridge [smockridges2@Broad-oak.co.uk]
Subject:      Invoice 739545

Hello,

Please can you let me have a payment date for the attached March Invoice?

Kind Regards

Sue Mockridge
Accounts Administrator

' (Main) 01884 242626  ' (Direct Dial) 01884 250764

Please consider the environment before printing

Broad Oak Toiletries Ltd, Tiverton, Tiverton Way, Tiverton Business Park, Tiverton, Devon, EX16 6TG
Registered No. 1971053 England & Wales
Telephone: +44 (0) 1884 242626
Facsimile: +44 (0) 1884 242602


CONFIDENTIALITY:
The information in this email and any attachments is confidential. It is intended solely for the attention and use of the named addressee(s). The unauthorised copying, retransmission, dissemination and other use of, or taking of any action in reliance upon, this information is prohibited. Unless explicitly stated otherwise, the contents of this message are strictly subject to contract; any views expressed may be personal and shall not create a binding legal contract or other commitment on the part of Broad Oak Toiletries Ltd.

______________________________________________________________________
This email has been scanned by the Symantec Email Security.cloud service.
For more information please visit http://www.symanteccloud.com
The attachment is Invoice 493234 March 2014.zip which in turn contains a malicious executable Invoice 288910 March 2014.exe which has a VirusTotal detection rate of just 2/51.

Automated analysis tools [1] [2] show attempted connections to the following URLs:
72.34.47.163/11
91.99.102.154/11
yourmedialinkonline.com/11
dframirez.com/11
duvarikapla.com/11
duvallet.eu/11
24hr-ro.com/11
edwardalba.com/11
ekodin.rs/11
exorcist.go.ro/11
kuikencareercoaching.nl/11
sic-choppers.goracer.de/11
chriswolf.be/11
colorcopysite.com/11
mashhadsir.com/11
akirkpatrick.com/11
www.amelias-decoration.nl/11
netvietpro.com/11
guaempresas.com/11
hayatreklam.net/11
acenber.sbkml.k12.tr/11
how-hayonwye.com/11
iconservices.biz/11
idede.sbkml.k12.tr/11
www.tcrwharen.homepage.t-online.de/11
ec2-107-20-241-193.compute-1.amazonaws.com/11
www.derileq.com.mx/11
iaimrich.com/11
joyscenter.com/11
josip-stadler.org/11
www.kalkantzakos.com/11
files.karamellasa.gr/11
krptb.org.tr/11
legraff.com.tr/11
jieyi.com.ar/11
m.pcdbd.info/11
maestroevent.com/11
www2.makefur.co.jp/11
marcin_dybek.fm.interia.pl/11
marzenamaks.eu.interia.pl/11
mehmetunal.ztml.k12.tr/11
job.yesyo.com/11
mofilms.com/11
multimarge.ph/11
nbd.xon.pl/11
netset.ir/11
allforlove.de/11
ncapkur.sbkml.k12.tr/11
neumandina.com/11
209.217.235.25/~nanakram/11
home.planet.nl/~monst021/11
masterdiskeurope.com/~mooch/11
members.aon.at/~mredsche/11

Recommended blocklist:
72.34.47.163
91.99.102.154
yourmedialinkonline.com
dframirez.com
duvarikapla.com
duvallet.eu
24hr-ro.com
edwardalba.com
ekodin.rs
exorcist.go.ro
kuikencareercoaching.nl
sic-choppers.goracer.de
chriswolf.be
colorcopysite.com
mashhadsir.com
akirkpatrick.com
www.amelias-decoration.nl
netvietpro.com
guaempresas.com
hayatreklam.net
acenber.sbkml.k12.tr
how-hayonwye.com
iconservices.biz
idede.sbkml.k12.tr
www.tcrwharen.homepage.t-online.de
ec2-107-20-241-193.compute-1.amazonaws.com
www.derileq.com.mx
iaimrich.com
joyscenter.com
josip-stadler.org
www.kalkantzakos.com
files.karamellasa.gr
krptb.org.tr
legraff.com.tr
jieyi.com.ar
m.pcdbd.info
maestroevent.com
www2.makefur.co.jp
marcin_dybek.fm.interia.pl
marzenamaks.eu.interia.pl
mehmetunal.ztml.k12.tr
job.yesyo.com
mofilms.com
multimarge.ph
nbd.xon.pl
netset.ir
allforlove.de
ncapkur.sbkml.k12.tr
neumandina.com

Thursday, 17 April 2014

omronfitness.com hacked, used in pharma spam run

Overnight I received about 500 messages similar to this:

Thank you for considering our products and services, your information arrived today.

Alright, here's the link to the site:

Proceed to Site

Thank you for taking the time to contact us.

Regards, Bethany Briseno, Support Team manager.

---------

Thank you for your letter of Apr 17, your information arrived today.

Alright, here's the link to the site:

Proceed to Site

Thank you for taking the time to contact us.

Regards, Silas Mixon, Support Team manager.

---------

Thank you for considering our products and services, your information arrived today.

Alright, here's the link to the site:

Proceed to Site

If we can help in any way, please do not hesitate to contact us.

Sincerely, Jenna Golden, Support Team manager.

---------


Thank you for your letter of Apr 17, your information arrived today.

Alright, here's the link to the site:

Proceed to Site

If we can help in any way, please do not hesitate to contact us.

Sincerely, Fredricka Palacios, Support Team manager.
In each case the message was from either "Support Center" or "Ticket Support" with a subject in the form of "Ticket [#5409290]" (the number is random).



The links in the email go to a legitimate site omronfitness.com belonging to Omrom Healthcare which has been hacked to serve illegal pharmacy pages, for example:
[donotclick]omronfitness.com/buyaccutane/
[donotclick]omronfitness.com/buyflomax/


The landing page does not appear to be malicious, but care should be taken. See this URLquery report for an example.

Omron is a multibillion dollar Japanese corporation, but it appears to have been hacked through an insecure WordPress installation which is rather shabby.

One amusing sidenote, the server 23.21.115.143 that hosts omronfitness.com also hosts another Omron-owned site moronfitness.co. Enough said.

Update 22/4/2014: Omron say that they have now fixed the issue.

Wednesday, 16 April 2014

Something still evil on 66.96.223.192/27

Last week I wrote about a rogue netblock hosted by Network Operation Center in the US. Well, it's still spreading malware but now there are more domains active on this range.

A full list of the subdomains I can find are listed here [pastebin]. I would recommend that you apply the following blocklist:

66.96.223.192/27
andracia.net
beyfiersd.com
beyfiersd.info
beyfiersd.net
capcomcom.com
chebuesx.com
chebuesx.info
chebuesx.net
clicksuntruck.org
damaumsw.net
damaumsx.com
damaumsx.info
damaumsx.net
denovlib.com
denovlib.info
denovlib.net
ehgaugysd.com
ehgaugysd.info
ehgaugysd.net
epdiyfetzs.com
epdiyfetzs.info
epdiyfetzs.net
estebasw.com
estebasw.info
estebasw.net
estebasx.com
estebasx.info
estebasx.net
euvllali.com
euvllali.net
falaporto.com
fortynineseven.com
freemiewgrow.org
garrupyotpq.com
garrupyotpq.info
garrupyotpq.net
geortogils.com
geortogils.info
geortogils.net
gykrabowss.com
gykrabowss.info
gykrabowss.net
hacynkraihc.com
hacynkraihc.info
hacynkraihc.net
helloadultking.biz
hellotreeboom.org
hepiqs.com
hepiqs.info
hepiqs.net
hukelmsqs.info
hukelmsqs.net
jalihs.com
jalihs.info
jalihs.net
jeyjoyjang.org
jisoss.com
jisoss.info
jisoss.net
jkuacobijs.com
joduebey.com
joduebey.net
julynosw.com
julynosx.com
kenkyissd.com
kenkyissd.info
kenkyissd.net
kewennub.com
kewennub.info
kewennub.net
klitryujk.org
lalaghoqs.com
lalaghoqs.info
lalaghoqs.net
loryneaqs.com
loryneaqs.info
loryneaqs.net
maifrchsd.com
maifrcwe.info
maifrcwe.net
mallwysq.net
matsumwe.com
matsumwe.info
matsumwe.net
megasuperduper.org
mibradburnb.com
mibradburnb.info
mibradburnb.net
moarlejitta.com
mopcapcap.com
musxiicqs.com
musxiicqs.info
myruvs.com
njooixrc.com
njooixrc.info
njooixrc.net
oatgirle.com
oatgirle.info
oatgirle.net
odtoidcasz.info
odtoidcasz.net
penapolj.com
penapolj.info
penapolj.net
sakoboresz.com
sakoboresz.info
sakoboresz.net
serenesq.com
serenesq.info
serenesq.net
simarosq.com
simarosq.info
simarosq.net
singsongsing.org
soontrilkittra.biz
sweethouseinc.org
tenynnilsz.com
tenynnilsz.info
tenynnilsz.net
tnirinsq.com
tnirinsq.info
tnirinsq.net
tralalaone.biz
tralalatwo.biz
tuanhefesz.com
tuanhefesz.info
tuanhefesz.net
tynepompling.org
ukrheynasz.com
ukrheynasz.info
ukrheynasz.net
viewtickshot.org
wladimirmosk.com
xuboutwesz.com
xuboutwesz.info
xuboutwesz.net
ynccyrousz.com
ynccyrousz.info
ynccyrousz.net
zeedirfung.org
zeigfridtank.biz

Tuesday, 15 April 2014

Sky.com "Statement of account" spam

Another fake sky.com email with a malicious payload..

Date:      Tue, 15 Apr 2014 19:40:23 +0800 [07:40:23 EDT]
From:      "Sky.com" [statement@sky.com]
Subject:      Statement of account

Afternoon,

Please find attached the statement of account.

We look forward to receiving payment for the February invoice as this is now due for
payment.

Regards,
Kathy

This email, including attachments, is private and confidential. If you have received this
email in error please notify the sender and delete it from your system. Emails are not
secure and may contain viruses. No liability can be accepted for viruses that might be
transferred by this email or any attachment. Wilson McKendrick LLP Solicitors, Queens
House, 29 St. Vincent Place, Glasgow G1 2DT Registered in Scotland No. SO303162. Members:
Mark Wilson LLB Dip. NP LP Allan T. McKendrick LLB Dip. LP NP. 
Attached is a file Statement.zip which contains a malicious executable Statement.scr which has a VirusTotal detection rate of 9/51. Automated analysis tools [1] [2] [3] show an attempted download from the following locations:
[donotclick]pelicansea.com/css/1504UKd.zip
[donotclick]twinest.com/images/1504UKd.zip


A number of other IPs are contacted as well, indicating this this is P2P/Gameover Zeus.


Friday, 11 April 2014

Something evil on 62.75.140.236, 62.75.140.237, 62.75.140.238 and 64.120.207.253, 64.120.207.254

This set of IPs is being used to push the Angler EK [1] [2]:

Intergenia, Germany
62.75.140.236
62.75.140.237
62.75.140.238

Network Operations Center (HostNOC), US
64.120.207.253
64.120.207.254

A look at the /24s that these ranges are in indicates a mix of malicious and legitimate sites, but on the whole it might be a good idea to consider blocking traffic to 62.75.140.0/24 and 64.120.207.0/24.

Sites on these IPs consist of hijacked subdomains of (mostly) legitimate domains in the Intergenia range and purely malicious domains in the HostNOC range. I would recommend that you block the following:

(Intergenia)
casga.sogesca.al
enetian.reddigitalonline.com
southerly.rademsis.com
smallpox.purehealthforyou.com
vender.puteando.com.ar
tender.revsanders.com
lordly.pxz55.com
plumbing.ranperhar.com
flatness.radioxto.com.ar
implement.webshark.com.br
incendiary.whitennerdy.com
instructor.valiza.com
penal.unhasdeouro.com.br
afia.fotigrafia.com.ar
fanny.gamesgamesgames.eu
fug.fugusg.com
intermediary.roboticdreamblog.com
lithium.thiersheetmetal.com
lyrical.thoitrangtre360.com
maximum.riversofgrog.com.au
meaty.vvw5.com
sevice.fuzzyservice.ru
tough.thingiebox.com
transfigure.rmtradinggroup.com
vibrate.saltaland.com.ar
ford.somerford.me
recoil.quintafeira.com.br
solaris.solartrailers.net
surgery.replikacctv.com
wore.quietbytes.com
all.inews4all.com
andre.andro-tech2.info
andy.animadeco.pl
back.bbb-tl.com
begun.beatrizcarrillo.com
belsu.benda.si
binolyt.diymodstore.net
bird.mjdpe.net
bunny.doctorcat.org
bvirtual.t25workoutsale.com
creat.hijac-creative.com
dario.casio-c.com
dd.adamknight.info
desolate.soarstudio.com
dolly.shoppingadvisor.com.ar
emoc.cccuauhtemoc.mx
facilitator.tricksshop.com.br
ff.advidlabs.com
ff.variedades.info
fina.canecafina.com.br

(HostNOC)
odtoidcwe.info
odtoidcwe.com
odtoidcwe.net
bychemawe.info
bychemawe.net
bychemawe.com
cunideawe.net
cunideawe.com
cunideawe.info

Thursday, 10 April 2014

"CCAHC: Climate Change And Health Conference 2014" scam

This spam is a form of advanced fee fraud scam:

From:     CCAHC ccahc@live.com
Reply-To:     ccahc@e-mile.co.uk
Date:     10 April 2014 16:04
Subject:     Call for Poster

CCAHC: Climate Change And Health Conference 2014


Dear Colleague,
On behalf of the CCAHC Scientific Committee, you are cordially invited to attend the 14th Climate Change & Health Conference to be held in Ibis Garden Hotel, from 16th - 18th May, 2014. 
The CCAHC 2014 event promises unrivalled learning and networking opportunities for the general public. Invited speakers are experts from multiple sectors and disciplines. Case studies of successful collaborations of environment, nutrition and public health across a wide range of issues.
The main theme for this year's poster session is:  "Impacts of Climate Change in Health and Nutrition"
While this is the main theme for the poster session it is not exclusive and you are welcome to submit a poster outside of this theme.
CCAHC 2014 showcases yet another exceptional programme with the latest scientific and best practice consensus on sustainable environment, biometeorological adaptation, global warming, climate change, waste management, greenhouse gas, pollution control, heart health, obesity, weight management, diabetes, child health, gut health, food sensitivity, healthy living and many other hot topics.
Why Attend:
  • Receive current updates on a range of topics, from leaders and expert practitioners.
  • Understand the latest scientific research in detail and discover its implications for your work.
  • Explore and debate controversial topics, discuss what is best for your clients and patients.
  • Sponsorship of air ticket, travel insurance, visa fees and per diem.
  • Enhance your skill set and progress your career.
  • Network with hundreds of other professionals involved in diet, nutrition, environment, health and lifestyle.
  • Participate in the Exhibitor Trail and win prizes!
  • Present your research, project, product or campaign, attract attention and promote your achievements
  • Registration is free of charge for participants from developing countries.
Paper Submissions:
Fax or e-mail up to 300 words describing your proposed paper on or before 18th April 2014. The paper will then be sent to the Advisory Board for evaluation and authors will be given feedback on or before 25th April 2014. The highest rated papers will be invited to present at the conference.
Sincerely yours,
Professor Jon Lloyd
Conference Chair
Maple House, 37-45 City Road, London EC1Y 1AT, United Kingdom.
Tel: +44 (0)70 8764 2424 | +44 (0)70 2404 4920
Fax: +44 (0)843 562 2173
The email originates from 196.46.246.174 (Airtel, Nigeria) via 221.120.96.3 in Bangladesh. Note that the sender is using free email addresses rather than one that ties back to an identifiable organisation. The email was sent to a spamtrap.

According to this article at 419scam.org the sting is that there will be visa and hotel fees to pay before going to the conference, and once this money has been sent by Western Union then the scammers will vanish, taking their mythical conference with them.

Avoid.