Tuesday, 28 July 2009

MS09-034 is coming..

Just a reminder that Microsoft are announcing an out-of-band patch today to fix a critical IE / Visual Studio flaw. If you manually authorise updates to client PCs via WSUS, then you will need to break the usual schedule and deploy this as soon as you can.

More info here and here.

Friday, 24 July 2009

"Best Crisis Prices": / fake shops

I mentioned a few weeks ago, and it seems that they have a new domain called which is also a fake ecommerce site.

Both sites are hosted on an anonymous hosting account at in Malaysia; the domain contact details are either anonymous or fake. The contact details on the website are also fake, and have been stolen from legitimate businesses.

It claims to be a member of the BBB, but it isn't as the BBB reports that it is mis-using their logo.

This is part of a large organized crime ring, nominally connected with China. Although it claims to be based in Louisiana, there is no evidence at all that this is a US operation. Avoid dealing with them at all costs.

Thursday, 23 July 2009

Even the bad guys need a back office

Last November, I posted a warning about Ran-De-Vou, which was recruiting for translators.. the problem being that the company was part of an organised crime ring and the translations themselves aided phishing and the like.

Well, "Juice" gave them a go and the result is this interesting insight into the bad guys' back office functions.. enjoy!

"Real Host Ltd" is a real sewer

"Real Host Ltd" occupies 256 IP addresses in the 213.182.197.* range, hosted in Latvia in an address space apparently leased from Junik Ltd.

The netblock registration details claim to belong to an address in Kazakhstan:

person: Alex Spiridonov
address: Kazakhstan, Almaty , Abay street 2a
phone: + 87771697576
nic-hdl: SA5926-RIPE
source: RIPE # Filtered

This block is of interest because out of hundreds of web sites hosted, there appear to be none at all which are legitimate. And out of all of these, is one of the most interesting because it is currently being used for a zero day Flash/PDF exploit. Many domains are registered to who has featured on this blog many times before.

Some other interesting domains are, and which are pretty much openly operating as black hat sites.

All of these sites are either fraudulent, dangerous to visit or both - so if you receive an email or link pointing to them, leave well alone!

Wednesday, 22 July 2009

Even more pathetic phish

I thought that phishing emails couldn't get more rubbish than this but it turns out that I was wrong. Enjoy:

Date: Wed, July 22, 2009 7:15 pm

Dear Subscriber,

We are currently carrying-out a mantainace
process to your account, to
complete this, you must reply to
this mail immediately, and enter your
User Name here (,,,,,,,,) And Password here
(.......) if you are the rightful owner of
this account.

This process we help us to fight against
spam mails.Failure to summit your password,
will render your email address
in-active from our database.

NOTE: If your have done this before, you may ignore
this mail. You will be send a password reset
messenge in next seven (7)
working days after undergoing this process
for security reasons.

Thank you for using!

The Reply-To email address is, originating IP is

Tuesday, 14 July 2009

massive Google SERPs poisoning

I can't tell if this is accidental or deliberate, but there are a whole bunch of spam entries in Google for the domain as you can see from this search.

It looks like some sort of redirect or copy, but the odd thing is that the subdomain actually points to the legitimate server.

For example, resolves as which belongs to the US Centers for Disease Control (CDC). For some reason, the CDC server accepts requests for as a request to display the genuine website.

As a result, Google has about 3.2 million results for subdomains, all of which are duplicates of existing sites.

It looks like offers some sort of legitimate URL shortening service based on subdomain names rather than the more common tinyurl/ Have the bad guys found a way to use this to their advantage? Are they suddenly going to switch traffic to somewhere bad? is showing a small bump in traffic recently, perhaps as a result of this?

Presumably there is a way of telling your web server to reject this kind of request.
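One way to do exactly that, as an added example that is not from the original post: an nginx configuration with a catch-all default server that drops any request whose Host header is not a name the server actually owns, so a third party's wildcard subdomain cannot be used to mirror the site. The hostnames and certificate paths are placeholders.

```nginx
# Added example (not from the original post). Reject requests for Host names
# this server does not own, instead of serving the real site for any Host.
# example.org and the /etc/ssl/placeholder-* paths are placeholders.

# Catch-all: any Host header that matches no other server block lands here.
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;
    # 444 is nginx-specific: close the connection without sending a response.
    return 444;
}

server {
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;
    server_name _;
    # A certificate is still needed to complete the TLS handshake before
    # nginx can read the Host / SNI name and drop the request.
    ssl_certificate     /etc/ssl/placeholder-fullchain.pem;
    ssl_certificate_key /etc/ssl/placeholder-privkey.pem;
    return 444;
}

# The real site answers only for the names it owns.
server {
    listen 80;
    listen [::]:80;
    server_name example.org www.example.org;
    return 301 https://www.example.org$request_uri;
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name example.org www.example.org;
    ssl_certificate     /etc/ssl/placeholder-fullchain.pem;
    ssl_certificate_key /etc/ssl/placeholder-privkey.pem;
    root  /var/www/example.org;
    index index.html;
}
```

To confirm the rule is in effect on your own server, send it a request with an unrelated Host header (for example `curl -sI -H 'Host: not-mine.example.net' http://127.0.0.1/`) and check that the connection is closed with no page returned, while a request with the real name is served normally.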

Really pathetic webmail phish

Probably the most pathetic phish ever - the bad guys nicely provide a space in the email for you to put your username and password and then email it back. Combined with a fairly vague grasp of the English language, then it's hard to see that this would fool anyone at all.

From: "SpamCop Webmaster online" <>
Date: Tue, July 14, 2009 4:11 pm
Cc: recipient list not shown:;
Priority: Normal

Dear SpamCop Webmail online Email Account Owner,

Important notice, harmful virus was detected in your account which can be harmful to our subscriber unit.You are to enter your Username and Password here {____________, __________} to enable us set in an anti virus in your user account to clear up this virus. we do need your co-operation in this, Providing us with this information we enable us insert in your account an anti virus machine for clean up.

We are sorry for the inconveniences this might have cost you. Failure to do this, we are sorry to let you know that your account will be deleted immediately to prevent it from arming our subscriber unit.

Thank you for using SpamCop Webmail,
We are glad at your service,
SpamCop Webmaster online.

Originating IP is an open proxy at

Korea DDOS - run for the hills!

The recent DDOS attacks against Korean and US government sites are well known, with calls for reprisals ranging from "cyber-attacks" to the occasional nutjob suggesting that real bombs are used.

Unfortunately, it turns out that the C&C server for the botnet carrying out the attack may well be in the UK. So perhaps we can expect a rush of malformed packets and/or Tomahawk cruise missiles heading for the UK soon..


Monday, 6 July 2009

Phorm: hahahahah

With a bit of luck, it appears that Phorm may be going down the toilet, as BT announce that they are not going to deploy Phorm's deep packet inspection technology. More at the BBC News site.

With a bit of luck, Phorm's share price will end up as a penny stock very soon.

Saturday, 4 July 2009

/ - black hat hosting?

is a web host in Malaysia that has cropped up a few times as hosts for this long-running scam.

It seems that this isn't an isolated case. Looking at just one server at gives us a number of other fraudulent domains:

  • - fake ecommerce site registered to that has been used for this fraud, this fraud and many others.
  • - fake "World of Warcraft" login page, presumably designed to harvest usernames and passwords.
  • - claims to be a German medical company; in reality it isn't. Purpose unclear, probably run by Manuel Fichter.
  • - front-end for the fraudware site.
  • - registered to who is connected with many fraudulent and/or suspect sites.
  • - smart looking but suspect "get rich quick" site, apparently based in Panama.
  • - fake domain appraisals.
  • - fake domain appraisals.
  • - currently displaying text from the domain scam.
  • - appears to sell knock-off designer goods.
  • - "Warez" as in illegal software downloads.
  • - Claims to export prescription drugs from China.
  • - another "Kingston Smith" domain.
  • - suspiciously cheap software.
  • - another "Kingston Smith" domain.
  • - fake domain appraisals.
  • - unconvincing "pharmacy" that claims to be in the US, but hosts in Malaysia.
  • - fake domain appraisals.
  • - fake domain appraisals.
  • - Kingston Smith again.
  • - fake domain appraisals.
  • - with prices in pounds sterling, it appears to be passing itself off as a UK-based electronics retailer. In reality, everything is anonymised and it could be based anywhere.
  • - claims to be a Canadian supplier of steroids, a Google search on the domain is enlightening.
  • - fake designer watches.
  • - fake domain appraisals.
  • - anonymous hosting.
In fact, it's the last domain "" which gives a clue as to what is really going on. looks like a reseller of's hosting and it advertises itself as "100% anonymous hosting and anonymous DNS and domain name services" which is "beyond the reach of virtually any government or law enforcement agency."

If you Google for "anonymous hosting" then comes up as #4. So you can see where their customers are coming from. also rents other servers from, and they show a mix of sites that appear to be very dodgy indeed, through to sites that appear legitimate.

They appear to run the following IPs and probably others too:

Hosting rubbish like this does not enhance the host's reputation; they would really be better off booting in order to clean up their IP range.

Thursday, 2 July 2009

Domain scam: /

The old Chinese domain scam has been around for years, but these guys are getting lazy because they haven't changed their domains for months; this is essentially unchanged from April.

Subject: Domain Dispute and Registration
From: "Sunny"
Date: Thu, July 2, 2009 4:07 am

To whom it may concern: 2009-7-2

We are a domain name registration service company in Asia,

Last week we received a formal application submited by Justin Lin who wanted to use the keyword "REDACTED" to register the Internet Brand and with suffix such as .cn / / .asia/ domain names.

After our initial examination, we found that these domain names to be applied for registration are same as your domain name and trademark. We aren't sure whether you have any relation with him. Because these domain names would produce possible dispute, now we have hold down his registration, but if we do not get your company's an reply in the next 5 working days, we will approve his company's application

In order to handle this issue better, Please contact us by Fax ,Telephone or Email as soon as possible.

Yours sincerely


Checking Department

Tel: 86 513 8532 1087
Fax: 86 513 8532 2065

Our File No.:2272363

Originating IP is

As ever, legitimate domain registrars do not send out this type of email because they are NOT responsible for this activity. Sometimes the Chinese domains get registered, sometimes they are ALREADY registered, and often they never get registered. But before you panic and pay money to these scammers, consider this: there are hundreds of top-level domains in the world. Do you really want to buy your domain for all of them? The answer is probably "no".

The best advice is to ignore this email completely.