Friday, 30 April 2010

What is this I don’t even

Seriously, no.

Why doesn't Windows include native PDF reader support?

F-Secure asks: Why doesn't Windows include native PDF reader support? Perhaps it's time for Microsoft to act in character and help kill off Acrobat Reader for good.

"I am looking for the second half"

A straightforward dating scam email, but one notable for including a picture of a pretty Russian girl, which most spammers don't bother with. In any case, if you respond to "Natalia" (who is probably not even a woman in real life) then you'll soon find that she has unexpected "expenses" that will require you to send money.


Subject: I am looking for the second half

HELLO!!! My name is Natalia! I live in Russia, dating site, I am looking for the second half. I want to find true love, I loved your profile, I would like to continue with you dialogue.

If you do not mind to write me an e-mail: mamaevanatalia20@HotPOP.com

I am very tired of being single. I really want to build a serious relationship. I'll be glad to communicate ..... Natalia



Friday, 23 April 2010

"Twitter Support" phish

This phish claims to be from Twitter, but it actually redirects to a fake site at adcopy.awbweb.com/differential.html hosted on 216.81.74.9 which appears to be a legitimate site that has been hijacked.

From: Twitter Support <support@twitter.com;>
Subject: Undelivered Message 52-629

Hi,

You have 1 unread message(s)
http://twitter.com/account/message/0C5B9-C2FEF

The Twitter Team

Please do not reply to this message; it was sent from an unmonitored email address. This message is a service email related to your use of Twitter. For general inquiries or to request support with your Twitter account, please visit us at Twitter Support.
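The phish above shows a twitter.com URL as the link text while the actual destination is adcopy.awbweb.com. Checking that the host in a link's visible text matches the host in its href catches this class of message before a user clicks. This is an added example, not code from the original post: the HTML body is constructed to reproduce the quoted message, since the post does not include the raw HTML, and the assumption is that the mismatch sat in the anchor's href.

```python
"""Flag HTML e-mail links whose visible text names one host but whose
href points at another, the pattern in the "Twitter Support" phish.
Added example; the HTML below is constructed, not the original message."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: the visible twitter.com URL from the phish, with an
# href pointing at the hijacked site named in the post. The real message's
# HTML is not on the page; its structure here is an assumption.
SAMPLE_HTML = """
<p>Hi,</p>
<p>You have 1 unread message(s)<br>
<a href="http://adcopy.awbweb.com/differential.html">http://twitter.com/account/message/0C5B9-C2FEF</a></p>
<p>The Twitter Team</p>
<p>For general inquiries please visit us at
<a href="http://twitter.com/">Twitter Support</a>.</p>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:  # only text inside an open <a>
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lower-cased hostname of a URL; None if no host can be parsed."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    return parsed.hostname.lower() if parsed.hostname else None


def find_mismatched_links(html):
    """Return [(visible_text, href)] for anchors whose text looks like a URL
    but names a different host than the href. Plain-word link labels such as
    "Twitter Support" are not URLs and are skipped."""
    collector = LinkCollector()
    collector.feed(html)
    mismatches = []
    for href, text in collector.links:
        if not text.startswith(("http://", "https://", "www.")):
            continue
        if host_of(text) != host_of(href):
            mismatches.append((text, href))
    return mismatches


if __name__ == "__main__":
    for text, href in find_mismatched_links(SAMPLE_HTML):
        print(f"shown: {text}\n  goes to: {href}")
```

Run against a mail gateway's HTML bodies, a non-empty result is a strong phishing signal; the labelled link "Twitter Support" is deliberately ignored because only URL-looking text makes a promise about where it leads.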

Wednesday, 21 April 2010

nettempsin.co.uk / NetTemps Inc scam

There are probably plenty of legitimate companies with names like "NetTemps Inc", but this money mule scam email soliciting replies to nettempsin.co.uk is not from one of them.

From: "Polly Richardson"
Subject: representatives wanted

Looking for a job? My name is Juliette Barnes, I am a recruiting manager of NetTemps Inc, a recruiting agency for direct-hire, contract, and freelance professionals within various professions.

Today I would like introduce some part-time and virtual office vacancies in the spheres of Advertising, Education, Engineering, Finance, Health care, Information technology, Media, Real estate and Transportation.

If you are interested to learn more about the jobs offered, please get back to me, providing your name and contact number.

We are eager to help you find a better job and improve your career!

If you have questions, please do not hesitate to e-mail me on:

c v @ n e t t e m p s i n . c o . u k [please delete spaces in the email address before sending it to us]

Yours sincerely,
Juliette Barnes
NetTemps Inc


==================================

Unusually, the mail server that deals with replies is multihomed:
  • 79.125.134.191 [ADSL subscriber, Macedonia]
  • 91.41.145.247 [Deutsche Telekom dial-up subscriber, Germany]
  • 83.132.68.62 [TVCABO cable modem, Portugal]
  • 87.116.150.117 [Broadband customer, Serbia]
  • 186.137.3.195 [Cablevision customer, Argentina]
Nameservers are ns1.santroperz.net (domain suspended by registrar for fraud) and ns1.seerdanee.com hosted on 204.12.237.52 at WholeSale Internet, Inc. in Kansas City.

In any case, this is just a Money Mule scam and it should be avoided.

Tuesday, 20 April 2010

martin-argiento.eu / Martin Argiento scam

A remix of this money mule scam from last month, with a slightly different name.

Subject: The Italian company is looking for reliable partners
From: "Cindy Jeffers"
Date: Tue, April 20, 2010 6:03 pm

Dear Mr\Ms
My name is Martin Argiento. I am the manager in international real estate agency Europe Real Estate.

At present, we increase the number of part-time employees on the territory of England and other regions. In this connection, we carry on hiring new employees for the post of the regional real estate Agent.

Activity of the agent:
The search of the clients, advertising of the company.
Purchase \sale of the elite real estate.
Talks.
The monitoring of the market in several region.

Required qualities for the post:
Practical knowledge of the program Microsoft Office Word.
Ability to communicate, intelligence.
Experience in commercial activity is welcomed.
The knowledge of the Italian language and of other languages is welcomed.

The minimum salary is 2000 euro. Frequently the monthly income exceeds 10.000 euro.
It all depends on intelligence of the Agent and on his desire and ability to work to his full extent.

For the additional information refer to the electronic address:
realestate@martin-argiento.eu

Yours faithfully, on behalf of all employees Europe Real Estate.

Mail is directed to 85.112.126.89 in Russia [colocat.ru] but there is also a website hosted at 188.130.250.248 in Latvia [Fastmedia].

There's a whole bunch of badness on the same server in Russia, all of which should probably be avoided:

  • agency-sunsea.com
  • allinwondernews.com
  • apolcentral.com
  • apolonline.com
  • argiento.com
  • argiento.eu
  • argiento.net
  • beastdat.com
  • beinorder.com
  • bgrealty.org
  • bm-holding.com
  • cannibalcannibalistic.com
  • catcherscatherine.com
  • cemeterycentaurus.com
  • cephaliccerebrum.com
  • cesspoolchainsaw.com
  • chelseacinderblock.com
  • clubdatingckoo.com
  • coleldatingcom.com
  • comdatinghorse.com
  • comecloserit.com
  • confessionconducting.com
  • corporectomycorpus.com
  • crowpathcuernos.com
  • cunthuntcraniotomy.com
  • dacelie.com
  • datdos.com
  • datingfooool.com
  • datinggogocolelc.com
  • datingord.com
  • datingsermon.com
  • datingswot.com
  • datomg.com
  • datyandel.com
  • decapitationcattle.com
  • forurelax.com
  • freedom-dating.com
  • gaterk.com
  • goforitdear.com
  • gogodatinghorn.com
  • gskcorp.com
  • handshakesharvest.com
  • hatebeakhereafter.com
  • hereufame.com
  • hornydatingyou.com
  • ise-sl.com
  • itmakesuhappier.com
  • josetxe-financiero.com
  • klaipedetis.com
  • lovesexdatings.com
  • mail.swpost.net
  • martin-argiento.eu
  • myapol.com
  • negligentcondemned.com
  • new-crash.com
  • olsen-rossi.com
  • oppsmyhotty.com
  • orddating.com
  • prime-techno.net
  • pro-job24.com
  • qgraphicinstalls.com
  • rdnets.com
  • reallyforu.com
  • shekelsta.com
  • shufersalta.com
  • swpost.net
  • umap-btl.com
  • uwillhappy.com
  • youthesuperman.com
  • znakomilka.com

Monday, 19 April 2010

MICROSOFT WINDOWS-2010 lottery scam


A French-language advance fee fraud scam email with a colourful PDF file attached. The PDF does seem to be free of viruses, but you should never open unsolicited Acrobat documents from untrusted sources, as they often carry a virus.

Subject: BONJOUR Mr/Mme
From: "DOMINIQUE LOVERS"
Date: Mon, April 19, 2010 10:44 am

GOOD EVENING Mr/Mrs

We are pleased to announce that you are one of the lucky
winners of the MICROSOFT WINDOWS-2010 lottery; please read the attached message, then contact the bailiff, Maître JEAN MICHEL.
E-MAIL: jean-michel.brousseau@live.fr

Above all, please send him your lot number and your details
below so that he can give you the procedure for collecting your winnings.
Please accept our sincere congratulations.

Wishing you a good understanding

MICROSOFT WINDOWS
Marketing Department
Mr WEI ANDRE

Saturday, 17 April 2010

euvacant.com job offer scam

This is some sort of money mule operation. euvacant.com has its domain registered with hidden details through a registrar in China; the website and mail server are hosted at 178.162.135.100, which is Pegashosting Network in the Ukraine.

Subject: part-time employment in Europe
From: "Katheryn.Parra"
Date: Sat, April 17, 2010 7:38 am

Hi,
West Union Group is searching for a European representative in order to satisfy the
requests of our well respected costumer. To be welcome to our team you need to be a
communicative person and to possess the skills in proper customer care.
We provide you with:
- Flexible schedule
- Good salary
- We pay-off all taxes for you
- Insurance
To obtain more information, please fill up the form below and send it to:

r e p l y 9 @ e u v a c a n t . c o m [please delete spaces in the email
address before sending it to us]

First Name:
Last Name:
Country:
E-Mail:
Contact Number:
Best time to contact you:
Attached resume is preferable

Our operators will contact you and will assist all your questions.

Position available for European citizens only!

Best Regards HR Management of West Union Group

In this case the originating IP was 190.22.247.165 in Chile. Avoid.

Note that the return email address varies: another example used "c v 2 @ e u v a c a n t . c o m", but in all cases the domain seems to be the same.

Wednesday, 14 April 2010

"IMPORTANT: Royal Mail Delivery Invoice #1092817" Virus / Trojan

The wording may vary, but this is a PDF exploit currently doing the rounds pretending to be from Royal Mail. Sophos, F-Secure and Avast detect it along with some other products (VT results here) but otherwise detection is patchy.

Subject: IMPORTANT: Royal Mail Delivery Invoice #1092817
From: "Royal Mail" <delivery@royalmail.com>
Date: Wed, April 14, 2010 11:28 am

We missed you, when trying to deliver.

Please view the invoice and contact us with any questions.

We will try to deliver again the following business day.

Royal Mail.

Attachments:
Royal_Mail_Delivery_Invoice_1092817.pdf

The bad PDF file looks like some sort of calendar; I have not yet been able to analyse exactly what sort of evil things it does.

If you still use Adobe Acrobat then you should make sure that you update to the latest version, which is 9.3.2, or use an alternative like Sumatra.

Monday, 12 April 2010

FarmTown, impressionclub.com and justimpression.com

Sandi at Spyware Sucks reports that the popular(ish) Facebook game of FarmTown (not FarmVille) has been compromised, possibly through a malicious banner.

The domain justimpression.com has been fingered as part of the malware chain, registered to the infamous "Private person" of:

Registrant:
Private person
Armand Gregori (armandgregory3@gmail.com)
Federicsshopen via 3
Katowice
Katowice,S589FG
PL
Tel. +34.41528965

Creation Date: 17-Dec-2009
Expiration Date: 17-Dec-2010

Domain servers in listed order:
ns2.reg.ru
ns1.reg.ru

That email address is pretty well known for malware distribution.

The site is hosted on 64.120.176.42 along with a site called impressionclub.com. "Impression Club" claims to be a Pennsylvania-based company that has been in business for four years, except the domain was only registered in January 2010 with anonymous contact details and Russian nameservers.


You can probably count impressionclub.com as a rogue ad network and one to avoid.

The FarmTown developers have a forum thread about the problem (one poster identifies an ad for greetingcards.com as the culprit) and there are several threads on Facebook about this [1] [2] [3] [4] [5] which also point at the following domains as being part of the chain:

  • scan-and-protect3.com
  • scan-and-protect5.com
  • scan-and-protect7.com
  • scan-and-protect8.com
  • scan-and-remove10.com
  • scan-and-remove55.com
  • scan-and-remove99.com
  • 1server-antivirus.com
  • 2server-antivirus.com
  • 4server-antivirus.com
  • 6server-antivirus.com
  • 1web-antivirus.com
  • 2web-antivirus.com
  • try6-your-scanner.com
  • 111-your-scanner.com
  • 222-your-scanner.com
  • basketballtickets2.com
  • batman2010.com
  • spread2010.com
  • terminator-2010.com

All these domains are registered with apparently false details; there are probably a bunch more, but I'm having difficulty resolving the IPs at the moment.

This could be a fairly big deal: Quantcast reports that justimpression.com has a traffic rank of 6,227 and pulled in 329,000 US visitors during February.


This is another good reason to block Facebook in corporate environments, and also a useful warning that you need to be very, very careful when selling ad space!

Tuesday, 6 April 2010

reycorporacion.com - bogus job offer

A slightly unusual twist to bogus job offers: this one solicits replies to reycorporacion.com, which appears to be a legitimate company, but it looks like the mail has somehow been compromised.

Subject: Position Opening

Speech of welcome

I am a representative of the HR department of a large international company. Our company has been working in different fields, such as:
- real estate companies setting-up and winding-up bank accounts opening and maintenance logistics private undertaking services etc.


We are making a regional managers team in Europe now:
- salary 2.600 euro + bonus
- part-time employment
- flexible work time

If our offer is interesting for you send us the below information on our e-mail address: marta.urzola@reycorporacion.com
Name:Surname:Country:E-mail:Mobile phone-number:

Note! We are searching Europeans only!

Please, write you
Nothing in the registration details, IP address or MX records looks particularly suspect, so it is likely that the reycorporacion.com server has been compromised in some way. In any case, avoid this job offer as it will be some sort of Money Mule operation. If you get one of these, then I recommend alerting the web host abuse-server -at- strato.de to the problem.

"Represent Party" / representparty.org spam

Sent to a postmaster role account... classy.

From: Represent [mailto:ben.lynch@representparty.org]
Sent: 05 April 2010 16:22
To: UK Postmaster
Subject: How would you improve the UK - we need your ideas.

Hi,

How would you improve the UK - we need your ideas.

We have just launched a new website ‘Represent’ – and we are looking for ideas on how to make the UK a better place - any ideas will do as long as they are positive.

All ideas submitted will be published on the website where they can be rated to find the most popular ideas for improving the country.

Go to http://www.representparty.org <http://www.representparty.org/>, register (this does not mean you are joining any organisation it helps you to add ideas and rate other ideas) and add your ideas. Remember the website is new so there may not be many ideas at the moment but bear with us as we process the ideas uploaded and we’ll get more ideas published as soon as possible.

Thank you for your time.

Regards

Ben Lynch
Represent

PS – If you believe that this email was intrusive please accept my apologies. If you do not want to receive any further emails from us please click on the link below.
http://www.representparty.org/unregister.aspx?action=unsubscribe&value=[redacted]

Originating IP is 109.228.0.79 which also hosts representparty.org and representparty.com. It will probably come as no surprise to see that this IP address belongs to Fasthosts in the UK who are very tolerant of bulk emailers like this.

Anyway, how's this for a positive idea... stop f**king spamming me.