Sponsored by..

Friday, 24 April 2009

"WorldPay CARD transaction Confirmation" (again)

A repeat of a trojan spam run from a few months ago ,this fake "WorldPay CARD transaction Confirmation" email comes with a nasty payload.

Subject: WorldPay CARD transaction Confirmation
Date: Fri, April 24, 2009 5:28 pm

Thank you!

Your transaction has been processed by WorldPay, on behalf of Amazon Inc.
The invoice file is attached to this message.
This is not a tax receipt.
We processed your payment.
Amazon Inc has received your order,
and will inform you about delivery.
Sincerely,
Amazon Team

This confirmation only indicates that your transaction has been processed
successfully.
It does not indicate that your order has been accepted.
It is the responsibility of Amazon Inc to confirm that
your order has been accepted, and to deliver any goods or services you have ordered.
In this case there was a ZIP file called WorldPay_NR9712.zip (the filename may vary) with an executable in named WorldPay_NR9712.exe. When unzipped it looks a bit like a Windows Help file.

Detection rates are very poor, with only Microsoft flagging it up as something specific (PWS:Win32/Zbot.M). The ThreatExpert prognosis also indicates that it is malware (by the way, if you are dealing with an infected machine the ThreatExpert report can help you clean it up).

If you can, it is always a good idea to block EXE-in-ZIP attachments at the perimeter.

"IBC Group" fake job offer

There are lots of wholly legitimate firms called "IBC Group" or something similar. This one claims to be an "international business consultancy".. and yet they are using a free Google Mail address rather than a corporate one. It is just another money mule scam, although the 5% fee they are offering is surprisingly low (of course, this is stolen money so all you will end up with is a jail sentence).

Subject: Business
Date: Fri, April 24, 2009 12:29 pm

Dear SMALL BUSINESS OWNER
We are being a private international business consultancy (IBC GROUP) striving hard to perform the best to achieve optimal results in gaining efficiency of our client’s ventures. In this global economy crash time we turn to alternative solutions for our clients from Eastern Europe who are obliged to pay off US or Western Europe originated transfer taxes, which at times may be as much as 35%.
Therefore, we are raising up this appeal to those small business owners who have both desire and possibility to stand up as our partners and who may use their business accounts to operate internal transactions for their further remittance to our clients . As being held on a larger scale, your personal benefit will be 5% off every payment posted to your account (or company’s). It may become a considerable upgrade for you and your company.
If this comes up your alley, please, come back for details by: Katherin.Mills@gmail.com

with the following:
First Name:
Last Name:
Country:
State:
City:
Phone (Landline):
Phone (CELL):
Email:

Thank you in advance,
IBC GROUP.


Originating IP is 88.242.82.65 in Turkey.

Wednesday, 22 April 2009

Russian / Italian spam

One of the major hurdles that spammers and scammers face is language. A typical eastern bloc scammer usually won't be able to speak any language like a native other than their own, and a poorly worded pitch is often an obvious sign of a scam.

Machine translations rarely make sense, and the best translators are always native speakers of that language. So, a professional fraud crew will often try to recruit linguistic experts to give their message more of an edge.

In this case, the spammers are trying to recruit someone who speaks Italian and presumably Russian. That's a target audience of around 60 to 70 million people who might well fall for an Italian language scam.

В наше бюро переводов требуются специалисты по итальянскому языку.
Если Вам нужен дополнительный заработок (~1000$ в месяц) - эта вакансия для Вас!
Ездить и ходить - никуда не нужно! Достаточно просто иметь доступ к интернету и телефон!
Никаких финансовых вложений с вашей стороны не нужно! И это не тендер!

Если Вам все еще интересно наше предложение - просто кратко ответьте на следующие
вопросы:
1. Имя
2. Город проживания
3. Где обучались языку и на каком уровне им владеете.

Наш e-mail: lONicholsonbronze@gmail.com

После этого в течении некоторого времени мы обязательно свяжемся с Вами!

Всего хорошего, надеемя на долгое сотрудничество!
This translates approximately to:

We need specialists to provide translations to the Italian language. If you need additional income (about $1000 per month) - this position is for you! You do not need to drive or walk anywhere! You just need to have access to the Internet and a telephone.

If you are interested in our offer - just briefly answer the following questions:
1. Name
2. City of residence
3. Where did you learn the language and how proficient are you.

Out email is: [random Gmail account]

After this we will contact you in a short while.

Have a good time, hoping for a long cooperation!

Our samples originate from ADSL and dial-up subscribers in Turkey and India. The Gmail address is different in each one.

Don't be tempted by an unsolicited "job offer" like this. You are extremely unlikely to be paid, and you could end up in serious trouble with the police.

Tuesday, 21 April 2009

"August Insurance USA" scam

Another fraudulent job offer, this time originating from 190.43.155.148 in Peru. It doesn't really matter what the exact fraud is, this could well be a "back office" operation. But it's a scam nonetheless. Avoid.

Subject: Good vacancy August Insurance USA.
Date: Tue, April 21, 2009 12:07 am
Priority: High

College degree but not enough experience?

Responsible for managing the day to day operations of various facilities to ensure the operations,
maintenance, and vendor management standards of the contract are met in a cost effective, safe and efficient manner.

Requirements
Candidates must possess the following:

- Effective interpersonal skills & communication skills
- Demonstrated leadership and team building abilities
- Self-confidence, flexibility and a positive attitude
- U.S. work authorization

Selected individuals will be trained to enhance leadership and networking skills in
preparation for an executive role within our company.

Compensation based solely on personal performance. For immediate consideration
please contact.

All positions will be filled immediately due to our recent expansion.

You may email your resume in Word to: CHmayHooper@gmail.com
Needless to say, don't send 'em anything. And if you have agreed to "work" for them, demand some verifiable proof that they exist.

Monday, 20 April 2009

barefootsies.com: possible Joe Job.

The Waledac gang strike again with an uncharacteristic spam advertising a foot fetish site.

From: [redacted]
Sent: 19 April 2009 22:53
To: [redacted]
Subject: Free foot fetish pics

Amatuer, girl-girl feet tickling movies, and foot worship movies at http://barefootsies.com/
Spammers sending out links to porn sites is not exactly big news. Except in this case, the registrant and the hosting server is identical the the blizzardimagehosting.com spam run from a few days ago. What's more, the WHOIS details for barefootsies.com appear to be valid.

Studios, First Choice
1st Choice Studios
6741 Sprinkle Rd, Ste 293
Portage, Michigan 49002
United States
2694929957 Fax --

It turns out that this domain is for sale along with some others.

But, as the the blizzardimagehosting.com run, this doesn't exactly fit into the usual Waledac approach and it could well be a Joe Job attack.

Friday, 17 April 2009

Waledac: freeservesms.com

Waledac is pretty common these days, and it usually tries to point the victim to a fake video codec that is actually a trojan, often through a sensational "news" headline or the promise of nudity.

This particular pitch promises something quite different:
Do you want to test your partner or just to read somebody's SMS? This program is exactly what you need then!
It's so easy! You don't need to install it at the mobile phone of your partner.
Just download the program and you will able to read all SMS when you are online.
Be aware of everything! This is an extremely new service!


The download file is called smstrap.exe. So this magical piece of software can read someone else's SMS messages without having to install software on the phone, right? Wrong.. it's just another variant of the Waledac trojan (see the VirusTotal results, ThreatExpert prognosis).

In this case the domain in use is freeservesms.com although it is likely that there will be others. For the records, the WHOIS details are:

Domain Name : freeservesms.com

Registrant Contact Information :
SHANGGUANMING
GONGYUWUYEYOUXIANGONGSI
jongchangde@126.com
QIANJIN, 2005451
tel:
fax:

Administrative Contact Information :
SHANGGUANMING
GONGYUWUYEYOUXIANGONGSI
jongchangde@126.com
QIANJIN, 2005451
tel:
fax:

Technical Contact Information :
SHANGGUANMING
GONGYUWUYEYOUXIANGONGSI
jongchangde@126.com
QIANJIN, 2005451
tel:
fax:

Billing Contact Information :
SHANGGUANMING
GONGYUWUYEYOUXIANGONGSI
jongchangde@126.com
QIANJIN, 2005451
tel:
fax:

Status :
clientDeleteProhibited
clientTransferProhibited

Domain Name Server :
ns1.moneymedal.com
ns2.moneymedal.com
ns3.moneymedal.com
ns4.moneymedal.com
ns5.moneymedal.com
ns6.moneymedal.com

Registration Date :2009-4-13
Expiration Date : 2010-4-13
Added: downloadfreesms.com is punting the same malware.


Wednesday, 15 April 2009

"Yadu Investment Co., Ltd." / ntwifinetwork.com / tech-wifi.com

This email (supposedly from a Chinese domain registrar) follows a well-worn path of trying to sell useless names to owners of existing dot coms.

From: Joy [mailto:Joy@ntwifinetwork.com]
Sent: 10 April 2009 07:47
To: [redacted]
Subject: Notice of Intellectual Property Protection

Dear Sir/Madam: 2009-4-10

We are a domain name registration service company in Asia,
Last week we received a formal application submited by “Yadu Investment Co., Ltd.” Which wanted to use the keyword " [redacted]" to register the Internet Brand and with suffix such as .cn /.com.cn /.net.cn/.hk/ .asia/ domain names.
After our initial examination, we found that these domain names to be applied for registration are same as your domain name and trademark. We aren’t sure whether you have any relation with this company. Because these domain names would produce possible dispute, now we have hold down this registration, but if we do not get your company’s an reply in the next 5 working days, we will approve his application
In order to handle this issue better, Please contact us by Fax ,Telephone or Email as soon as possible.

Yours sincerely

Joy

Checking Department


Tel: 86 513 8532 2060
Fax: 86 513 8532 2065
Email :Joy@ntwifinetwork.com
Website: www.ntwifinetwork.com
Mail No.: [redacted]

Registrars DO NOT check trademarks before registrations (the exception is "sunrise registrations" for completely new top-level domains). This is an attempt to get you to buy an overpriced domain name that you don't need.

This mail may come from twifinetwork.com, tech-wifi.com or other domains, the domains are hosted on 174.138.60.95, some of the wording is lifted from asiaregistry.com although it is not possible to tell if they are affiliated.

If you are concerned about securing these domains, then most registrars now deal in Asian TLDs and can register them for you, else you are probably same to ignore it.

btw, the pitch is not new and has been used here, here and here.

Monday, 13 April 2009

Tropicalnames.com scam

tropicalnames.com is the new name for the pedma.com domain appraisal scam. The basic pitch is that you get an unsolicited offer for a domain name, along with a list of recognised appraisal companies. The cheapest company is controlled by the scammers who sent the email (apparently operating out of Canada).

Domain was registered on 3rd April 2008 with anonymised details and is hosted on 124.217.231.173 in Malaysia. If you get one of these, treat it as spam and file a complaint with abuse -at- piradius.net.

Sunday, 12 April 2009

"Mikeyy Mooney" / StalkDaily.com - someone is lying

The rules of spam are a semi-humorous and semi-serious look at the behavior of spammers.

Well, one hot spam topic is the recent StalkDaily.com XSS attack on Twitter. This cross-site attack basically spams out ads via a victim's contact list, and although it is arguable if this is "hacking", it certainly is spamming.

So, let's look at the "rules of spam" and how they apply in this case.

Rule #0: Spam is theft.
Using Twitter's services to send spam is theft. But perhaps the main financial cost to Twitter is that this kind of rubbish will put people of using the service. Of course, Twitter doesn't actually seem to make any money, but that's another issue..

Rule #1: Spammers lie.
So, when the spam attack took place, some people must have started to make complaints about StalkDaily.com, a domain registered on 22nd March to an anonymous registrant. The owner of StalkDaily.com responded as follows:

For everyone wondering, I did NOT promote and/or was involved with the spamming ON Twitter. All bad things you are hearing about this site is not true. Please reconsider as I am not the person who did this.
So, that clearly states that StalkDaily.com is not behind the XSS attack. So what's going on? Is it a Joe Job? Here's the odd thing.. Joe Jobs normally target established sites (not one less than a month old), and why waste an XSS exploit like this on a Joe Job when Twitter will probably close it?

We didn't have to wait long for an answer:

I have came clean and have accepted the responsibility for the worm, read the interview here, http://www.bnonews.com/news/242.html.

That's kind of 100% different from the last denial. The operator of StalkDaily.com is clearly lying about something, perhaps everything.

Rule #2: If a spammer seems to be telling the truth, see Rule #1.
As we have discovered, StalkDaily.com's denial was proved to be a lie. Or perhaps there denial is a lie. In any case, you should not do business with liars or spammers.

Rule #3: Spammers are stupid.
And this dude is as stupid as they get. Sure, stupid in a very smart kind of way.. but the kind of stupid that doesn't thing what the consequences might be.

Rule #4: The natural course of a spamming business is to go bankrupt.
I can hear the sound of Twitter lawyering up. Hahahah.


The StalkDaily.com website points to a pseudo-news article at BNOnews fingering someone called "Mikeyy Mooney". And there's a large collection of material relating to "Mikeyy Mooney" at sqworl. But is it really "Mikeyy Mooney"? The admission itself comes from whoever operaters StalkDaily.com.. and we have already established that they are a liar. The sqworl documents point to someone in Louisiana.. the BNOnews article says New York. Last time I looked at a map, these were two different places.

Perhaps a closer look at StalkDaily.com's server might be interesting. 74.200.253.195 hosts the following domains:

  • Haxyou.com
  • Michangelomooney.com
  • Stalkdaily.com
Wait.. Michangelo? Is this guy a teenage mutant ninja turtle?

Most of these sites have anonymous WHOIS details, except for Haxyou.com which is registered to some guy called Ryan who appears to be a distinctly different biological entity.

This is the bottom line - the operator of StalkDaily.com is a liar. They may even be lying that they are "Mikeyy Mooney." Perhaps Twitter can do us all a favour and subpoena the domain records before suing this idiot into the ground.

"Body parts" murder II

The gruesome body parts murder has a new installment with the discovery of a fifth body part, quite near to some of the others. You can see a the distribution of finds on Google Maps.

This adds another element to the data set. The route between points "A" and "B" is curious and uses a lot of back roads, if that IS the route. Clearly these grisly finds have a pattern, but can they be traced back to the origin?

Thursday, 9 April 2009

"Body parts" murder

One mystery gripping this part of the UK is the mysterious "body parts" murder, where part of a dismembered victim have been left near the roadside in several locations: Wheathampstead, Puckeridge and Cottered in Hertfordshire and the head was dumped in Asfordby, Leicestershire.

Given that the Puckeridge part was reportedly left by the northbound carriageway, that gives a clue as the the direction that the "dumper" was travelling. And making an assumption that the head was the last part to be dumped because it was the furthest away from the others, then you can take these four data points and plot them into Google Maps.

You can see more here. Of course, speculation is just that, but if does appear that the dumper did a loop around Hertfordshire perhaps near the A414, A10, A507 and then drove up the A1 for about an hour before turning off. Yes, there's a technology aspect here - a tool like Google Maps makes it very easy to visualise this sort of data.

OK, this is all pretty gruesome and don't forget that someone has lost their life. But there's a grim fascination as to where the next discovery will be. Will that fit into the pattern?

Wednesday, 8 April 2009

secretdesiresuk.com spam

Yuck.

Subject: SecretDesires - The Ultimate Social Networking for Singles and Couples
From: "Secret Desires"
Date: Wed, April 8, 2009 5:25 pm

Are you a couple or single looking for FUN??

Worldwide Coverage with Audio and Video Cam Chat Rooms!

Virtual Kisses and Profile Voting!

Profile Pictures and Videos!

Massive Video Database growing Daily!

Come and Enjoy the Ride!!

You must add at least one valid profile picture to remain a FREE member!!

Secret Desires - What's Yours??
Originating IP is 78.145.126.63, secretdesiresuk.com is hosted on 174.132.193.251. The domain is registered to HostGator rather than the actual registrants, who are..


Debbie 'n' Paul. They say: "SecretDesiresUK is the culmination of 3 years of false starts and hard work by Debbie and Paul, of Orion Network Designs. We are both Swingers and have worked in the Adult Industry long enough to understand exactly what people want from an Adult Social Networking Site."

What? Like spam?

Let's log in. No confirmation of email address is needed. Bad luck Mr President.

67 members. And yes, the photograph gallery shows plenty of "members". Including some nudie shots of Debbie 'n' Paul. Yuk.

I'm not prudish, and frankly I believe that consenting adults should be able to get on with whatever they want to in private. But spamming this crap out at random is just going to get the wrong kind of attention.

If you get one of these, forward the email to security -at- hostgator.com.

Saturday, 4 April 2009

luxgroupnz.com / LuxGroup scam

There are lots of legitimate ocmpanies with the name LuxGroup or Lux Group or something similar. This particular fake "LuxGroup" uses the domain luxgroupnz.com to push some sort of fraudulent job offer, probably a money mule or some other criminal activity.

Subject: A better career with LuxGroup

Good Day,

Major International Company is ready to offer you part(1-2 hours a day) and full time(5-8 hours per day) job in the USA. If you are interested, get back to us by email and send your resume or a short description of your former activities. Excellent career growth perspectives and merited salary.

For more info about terms, conditions and financial remuneration, get back ONLY to our corporative email address below: advjob@luxgroupnz.com

With regards,
Lux Group, Hiring Department
The luxgroupnz.com domain was registered on April 1st 2009 through XIN NET TECHNOLOGY CORPORATION to:

Name : Michell
Organization : Michell
Address : 56/2 Sun str.
City : Dallas
Province/State : beijing
Country :
Postal Code : 85230
Phone Number : 86--56343365
Fax : 86--56343365
Email : Michell.Gregory2009@yahoo.com

Site is hosted on 222.73.37.250, name services are proved by NS1.CHOSTSERVICE.COM and NS2.CHOSTSERVICE.COM. Other domains hosted on that server are:

  • A-finance.net
  • A-finance.org
  • Aiminfo.info
  • Careertrip.cn
  • Danunafig.ru
  • Dessgif.com
  • Hot-jobster.cn
  • I-love-pets.ru
  • Icm-mail.biz
  • Icm-network.net
  • Isearchword.info
  • Itellu.info
  • Itellu.ru
  • Lastyp.ru
  • Mountain-travel.ru
  • Mycotteges.ru
  • Oceananswers.info
  • Oceanofsearches.info
  • Pinigeliai.com
  • Temp-biz.cn
  • U-search.info
  • Yadrenamat.ru
  • Yaponamat.ru
Some of these other domains have also been used for fraudulent offers.

If you get one of these ignore it.

Friday, 3 April 2009

Hostfresh dead?

Sandi reports that Hostfresh has been de-peered, the latest organized criminal web host to be removed from the interwebs.

This Hong-Kong based outfit provided the back end hosting for malware infections including early versions of Conficker. It has been increasing apparent that they are basically an outpost of the Russian Business Network.

Hostfresh-hosted domains have scattered, but it probably won't be long until they find another RBN-friendly host that doesn't know what happened to Atrivo, McCole, Ukrtelegroup and Estdomains.

Thursday, 2 April 2009

BlizzardImageHosting.com - possible Joe Job

We have an email trap that seems to be hit exclusively by a low number of Waledac related spam (fake "terror reports", pharma spam, penis enlargement etc). We know that this particular address was harvested from a compromised PC, so the only people who have the address are the Bad Guys.

Unexpectedly then, the following email turned up:

From: (removed)
Sent: 01 April 2009 20:33
To: (removed)
Subject: Free Image Hosting

BlizzardImageHosting.com is a new leader in online image & photo hosting,
portfolios, and slideshow creation. We offer features you wont find
at other image hosting sites and we offer it FOR FREE!

- Upload Unlimited Images
- Share Images With Anyone and Anywhere
- Get Gigabytes of Monthly Bandwidth

and much more...

Sign up now!
http://blizzardimagehosting.com/index.php

(c) 2003-2009 Blizzard Image Hosting All Rights Reserved

So, my initial thoughts were that blizzardimagehosting.com were in league with the bad guys. Let's check out their WHOIS details:

Marquee, Media Networks webmaster -at- marqueemediaonline.com
Marquee Media Networks
6741 Sprinkle Road, Ste 293
Portage
MI
49002
US
Phone: +1.2694929957
Fax: +1.2694929958
The address is actually a branch of PakMail, but that probably means in this case that Marquee Media Networks rents a post box. The WHOIS details for marqueemediaonline.com indicate a name of Christopher Maher. So do these WHOIS details look suspicious? Not really. Usually, Waledac related domains come with WHOIS details that indicate telltale traces in China or Russia, the details for blizzardimagehosting.com are not inherently suspicious.

Marquee Media operates a web server at 216.17.107.72, which contains an ill-advised mix of adult sites and general interest sites (porn sites and fishing on the same server?) all the WHOIS details are consistent, and there seems to be nothing illegal going on.

Here's the thing - nothing at all about blizzardimagehosting.com fits the Waledac profile. This seems to be a small business running out of Illinois, nothing more. At a best guess, Marquee Media has somehow displeased the Waledac gang, either through something to do with adult content or web hosting.

So.. if you get a spam for blizzardimagehosting.com then treat it with scepticism, and as far as I am concerned this company is probably not guilty of this spam run and instead it looks like a Joe Job.