Friday, 29 April 2011

Fake jobs: and

Two more fake "Lapatasker" domains, registered on 27/4/11 but otherwise the same as these.

These will no doubt be used to push money laundering "jobs" and the like; avoid.

Thursday, 28 April 2011 / nastiness

Some sort of .htaccess hack is going on, redirecting users to and then on to a malicious site that looks like it's downloading a Zbot variant. It only seems to work with Internet Explorer, and only when the page is accessed from a search engine (like Google). is hosted on (Leaseweb), which is the same server as which alters the .htaccess file as described here. then redirects users to one of at least two Leaseweb-hosted servers at and (possibly others). These servers have a number of domains on them that appear to be legitimate domains registered at GoDaddy by (mostly) UK users; it is likely that their domain control panels have been compromised. Examples are:

Two domains on those servers that do not fit the pattern are:

The WHOIS details are probably fake, for and they are:

   Felix Maurer
   Waldowstr. 61
   Gschwend   Gschwend
   74417   DE
   +49 98466101

uses the same email address but a different name:

    Bernd Austerlit        (
    Alt Reinickendorf 94
    Tel. +82.84991251

Detection rates are rubbish. AntiVir detects the payload as TR/Dropper.Gen, BitDefender as Gen:Variant.Zbot.34, Ikarus as Trojan.Win32.Pirminay and Sophos as Mal/Ponmocup-A. Other products do not seem to detect anything at all.

Blocking those IPs of, and is safer than trying to block the domains. Blocking the whole /24s instead would probably cause very little inconvenience.
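A defender-side check for the .htaccess hack described in this post, added here as an example (not the blog author's code): it flags rewrite blocks that fire only for search-engine referrals from Internet Explorer and then redirect to an external host. The sample .htaccess and the redirector.example host are constructed, not indicators from the post.

```python
"""Flag .htaccess rewrite blocks that fire only for search-engine referrals from
Internet Explorer and redirect off-site. Added example, not the blog's code."""
import os
import re

# Constructed sample: an injected block followed by a benign rule (placeholder host).
SAMPLE_HTACCESS = """\
RewriteEngine On
RewriteCond %{HTTP_REFERER} .*google.* [NC,OR]
RewriteCond %{HTTP_REFERER} .*bing.* [NC,OR]
RewriteCond %{HTTP_REFERER} .*yahoo.* [NC]
RewriteCond %{HTTP_USER_AGENT} MSIE [NC]
RewriteRule .* http://redirector.example/in.php [R,L]
RewriteRule ^old/(.*)$ /new/$1 [R=301,L]
"""

SEARCH_ENGINES = ("google", "bing", "yahoo", "msn", "aol", "ask.com")

def find_conditional_redirects(text):
    """Return (line_no, target) for each RewriteRule whose preceding RewriteConds
    match a search-engine referer and an MSIE user agent and whose target is absolute."""
    hits, conds = [], []  # conds: RewriteConds seen since the last RewriteRule
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        lowered = line.lower()  # Apache directives are case-insensitive
        if lowered.startswith("rewritecond"):
            conds.append(lowered)
            continue
        if lowered.startswith("rewriterule"):
            parts = line.split()
            target = parts[2] if len(parts) > 2 else ""
            referer = any("http_referer" in c and any(s in c for s in SEARCH_ENGINES)
                          for c in conds)
            ua = any("http_user_agent" in c and "msie" in c for c in conds)
            if referer and ua and re.match(r"https?://", target, re.I):
                hits.append((no, target))
            conds = []  # a RewriteRule consumes the conditions before it
    return hits

def scan_tree(root):
    """Walk a document root; map each .htaccess path to its suspicious rules."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        if ".htaccess" in files:
            path = os.path.join(dirpath, ".htaccess")
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = find_conditional_redirects(fh.read())
            if hits:
                findings[path] = hits
    return findings
```

Run `scan_tree("/var/www")` (or wherever the document root lives) on a suspect host; a clean site should return an empty dict, and each hit points at the line to inspect.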

Fake "Lapatasker" job domains 28/4/11

This particular scam has been around for a couple of years and is so common now that I've christened this group of scam domains "Lapatasker" after the email address used in some of the older WHOIS details.

New domains for this scam (all registered on 26/4/11) are:

The (probably fake) contact details on the domains are:

    Vilechka Pelka
    Organization: Nord Atlantic.
    Address: 15 Av Albert Ier 143
    City: Braine l'Alleud
    State: Braine l'Alleud
    ZIP: 1420
    Country: BE
    Phone: +3.3223874153
    Fax: +3.3223874152

As ever, avoid.

Tuesday, 26 April 2011

Some German scam sites

These are allegedly German companies, but:
  • They are all very recently registered (4th and 17th April 2011)
  • The registrar is in China (BIZCN.COM)
  • The web host is in Romania
  • In each case a Yahoo email address has been used

The host is "Enter Net Team" / "Power Host" in Romania. Blocking is a quick win if you can do it.

More details:
Guenter Frost
+49.1745053607 fax: +49.1745053607
Berlin Berlin 12437

Georgios Mavridis
+49.1773305251 fax: +49.1773305251
Gerolsteiner Str. 119
Cologne Nordrhein-Westfalen 50937

Tanja Geissler
+49.1776444216 fax: +49.1776444216
Kreuzau Nordrhein-Westfalen 52372

Christos Papachristou
+49.15202603534 fax: +49.15202603534
Haubersbronnerstr. 6
Urbach Thueringen 73660

Mike Grueneberg
+49.15223628764 fax: +49.15223628764
Walter friedrich str.56
Berlin Berlin 13125

Heidrun Lorenz
+49.16099222185 fax: +49.16099222185
Flutgrabenweg 1a
Neumarkt Bayern 92318

Ludwig Detlef
+49.15203113478 fax: +49.15203113478
Koeln Nordrhein-Westfalen 51103

Daniel Koeppl
+49.15111521688 fax: +49.15111521688
Reinhardsleiten 8
Pielenhofen Bayern 93188

Hans Mausolff
+49.17649615986 fax: +49.17649615986
Potsdamer Str. 41
Berlin Berlin 14163

Juliane Mausolff
+49.3031808844 fax: +49.3031808844
Potsdamer Str. 41
Berlin Berlin 14163

Denis Wolgast
+49.16098119639 fax: +49.16098119639
Am Heidberg 34
Henstedt-Ulzburg Schleswig-Holstein 24558

Lena Puemmler
+49.17663727804 fax: +49.17663727804
Neuer Kamp 2
Drebber Niedersachsen 49457

Bianka Sturhahn
+49.1723276172 fax: +49.1723276172
Plass 3
Doerentrup Nordrhein-Westfalen 32694

Frank Swoboda
+49.15776817588 fax: +49.15776817588
Otto-Hahn-Str. 7a
Alsdorf Nordrhein-Westfalen 52477

Olaf Sedello
+49.2254847434 fax: +49.2254847434
Triftstrasse 42
Weilerswist Nordrhein-Westfalen 53919

Andreas Kubasik
+49.15229234145 fax: +49.15229234145
Gartenstrasse 24a
Pleinfeld Bayern 91785

Josef Schedlbauer
+49.1712755823 fax: +49.1712755823
Bergstrasse 21a
Regen Bayern 94209

Vadim Kruglov
+49.1629098777 fax: +49.1629098777
Schuetzenstrasse 23
Friesoythe Niedersachsen 26169

Gerhard Krenosz
+49.21117806832 fax: +49.21117806832
Ludolf Strasse 15
Duesseldorf Nordrhein-Westfalen 40597

Holm Mrazek
+49.17685370230 fax: +49.17685370230
Sonnenstrasse 222
Dortmund Nordrhein-Westfalen 44137

Gisela Huber
+49.17666649956 fax: +49.17666649956
Althoehensteigstr. 7
Stephanskirchen Hessen 83071

Denis Goertz
+49.1639836914 fax: +49.1639836914
hochstr. 61
Nettetal Lobberich Sachsenanhalt 41334

Helmut Koenig
+49.1733201046 fax: +49.1733201046
Oberhofer Str. 26
Zella-Mehlis Thuringen 98544

Bernecker Josef
+49.9422859853 fax: +49.9422859853
Stadtplatz 42
Bogen Bayern 94327

Pius Walleser
+49.1754218358 fax: +49.1754218358
Kesslerstrasse 5
Breisach Sachsen-Anhalt 79206

Horst Werner
+49.1728189733 fax: +49.1728189733
Rilkestrasse 3
Bad Schussenried Rheinland-Pfalz 88427

Kai Hermann
+49.9942808801 fax: +49.9942808801
Tafertsbergstrasse 12
Prackenbach Rheinland-Pfalz 94267

Joseph Bauer
+49.8555941395 fax: +49.8555941395
Hofaecker 4
Grafenau Hamburg 94481

Daniela Habermann
+49.17694209180 fax: +49.17694209180
tecklenburgerstrasse 29
Ladbergen Bayern 49549

Armin Blocher
+49.02771801325 fax: +49.02771801325
Langgasse 1
Dillenburg Niedersachsen 35685

Evil network: Leksim Ltd / RELNET-NET AS5577 (

Implicated in malware distribution, botnet C&Cs and spam, the network range ( - is currently quite active in evil activities (you can find examples here and here and the SiteVet report here).

There aren't many sites in this block, and they are almost all either in and (but blocking the /21 is safer), but the vast majority of sites are rated deep red at MyWOT (a full list of sites and ratings can be downloaded here).

Who owns the block? The RIPE WHOIS details are:

inetnum: -
netname:         RELNET-NET
descr:           "Leksim" Ltd.
country:         EU
remarks:         trouble: spam/scam/abuse issues send *ONLY* to:
org:             ORG-TA388-RIPE
admin-c:         JT384-RIPE
tech-c:          BS594-RIPE
tech-c:          MR10655-RIPE
status:          ASSIGNED PI
mnt-by:          RELNET
mnt-by:          RIPE-NCC-END-MNT
mnt-lower:       RIPE-NCC-END-MNT
mnt-routes:      RELNET
mnt-domains:     RELNET
source:          RIPE # Filtered
mnt-routes:      ROOT-MNT

organisation:    ORG-TA388-RIPE
org-name:        "Leksim" Ltd.
org-type:        OTHER
address:         Stationsplein 30, 2910 MJ Capelle aan den IJssel,  The Netherlands
phone:           +31 10 2391391
fax-no:          +31 10 2391392
admin-c:         JT384-RIPE
tech-c:          BS594-RIPE
mnt-ref:         RELNET
mnt-by:          RELNET
source:          RIPE # Filtered

person:          Justin Thomson
address:         Stationsplein 30
address:         2910 MJ Capelle aan den IJssel
address:         THE NETHERLANDS
mnt-by:          RELNET
phone:           +31 10 2391391
nic-hdl:         JT384-RIPE
source:          RIPE # Filtered

person:          Bernd Spiess
address:         Gabelsberger Strasse 15
address:         9021 Klagenfurt
address:         AUSTRIA
mnt-by:          RELNET
phone:           +43 46 3223501
nic-hdl:         BS594-RIPE
source:          RIPE # Filtered

person:          Marcel Russo
address:         31, z.a. am Bann
address:         L-3375 Leudelange
address:         LUXEMBURG
mnt-by:          RELNET
phone:           + 352 2551301
nic-hdl:         MR10655-RIPE
source:          RIPE # Filtered

But is this "Leksim Ltd" or Relnet? Relnet's contact details (for,, are very different:

registrant:    Relnet Technologia Ltd.
registrant:    Relnet Technológia Kft.
tech-c:    Dávid András
address:   Véső 7
address:   1133 Budapest
address:   HU
phone:     06-70-452-4603
fax-no:    06-1-350-1355
hun-id:    2000466058

If you Google the first three names you get some very telling results.

Blocking the /21 is probably the best idea. I can identify the following domains in this block in case you want to block by domain name, or for more detail download the CSV version.

Friday, 22 April 2011

Fake job domains 22/4/11

Another list of fake job domains relating to this long-running scam, in addition to these recent ones. Solicitations are sent by spam and attempt to recruit people for money laundering etc., so best avoided.

Registrant details (no doubt fake) are:

    Vilechka Pelka
    Organization: Nord Atlantic.
    Address: 15 Av Albert Ier 143
    City: Braine l'Alleud
    State: Braine l'Alleud
    ZIP: 1420
    Country: BE
    Phone: +3.3223874153
    Fax: +3.3223874152

domain scam

This scam has been around for years. Basically, you get an unsolicited email from a company claiming to be a domain registrar in China (it is usually China) that says someone is trying to register a domain similar to one that you already own. The idea is that the recipient will panic and buy an overpriced and essentially worthless domain from them.

If you are worried about domain poaching, then usually the best place to start is your own domain registrar or another well-known reliable vendor, rather than responding to this unsolicited approach.

From: John <>
Date: 22 April 2011 06:26
Subject: Urgent notice of Intellectual Property protection

Dear Manager:

This email is from China domain name registration center, which mainly deal with the domain name registration and dispute internationally in China and Asia.
On April 21st 2011. We received HAITONG  company's application, they want to register " dynamoo" as its Internet keyword and CN/Asia domain names. It is china and Asia domain names. But after checking we find this domain name conflict with your company, in order to deal with this matter better, so we send you email, and want to confirm whether this company is your distributor or business partner in China?

I'm looking forward to hearing from you!

Best Regards,

Oversea marketing manager
Office: +86(0)21 6191 8696
Mobile: +86 1366152 9704
Fax: +86(0)21 6191 8697

Friday, 15 April 2011

"Cake Decoration Lesson" spam

I can only assume that this is some sort of strange scam. The email originates from which is flagged as being quite spammy.

Subject: CAKE DECORATION LESSON::::::::::::::::::
From: Omiky Aneke <>

How are you doing today? My name is OMIKY ANEKE I want to book for CAKE DECORATION LESSON Workshops Classes with you while on a 2weeks holidays in your country. We are a group of 10 people seeking for CAKE DECORATION LESSON: Workshops training while on holidays and as part of our plans we need CAKE DECORATION LESSON for the whole 2weeks in your area.

I would like to book for 2weeks classes for 3 hours each day Monday to Saturday (morning hours) for a group of 10. We are asking for 3 hours per day for 2weeks - Monday - Saturday. A total of 36 hrs

Do you have a training facility where you conduct classes? We can arrange for this, if not available. Do you have rooms or is there any hotel close to your facility?

DATE: 7TH JUNE 2011 TO 21 JUNE 2011

I would love to know the possibility of working with you during this period. Kindly get back to me with your proposals so that we can make booking The group would be performing for a group of family members over there. I would love to get the total cost or a quote/estate. What are your payment options? Do you accept credit cards? I would be grateful if you will be willing to do the work to teach quality classes and make us happy

Beats the heck outta me.

Sunday, 10 April 2011

More fake job domains

Another list of fake job domains, almost identical to this one. Avoid.

fake job offer

Yet another installment in this endless series of fake job offers; the domain is being used as a reply-to address for this particular scam. The "wug" name has been used before in this spam run.

Subject: We have vacancies to be filled by Europe residents only

Good afternoon!

I am writing to you in the name of the corporation the Human Resources department of which I represent.

Our enterprise has a lot of different lines of business.
-real property
-business support
-company dissolution
-private firm service

We propose the opportunity for jobseekers in Europe:
-compansation 2.600 euro + bonus
- flexible hours

If our offer kindled your interest, please feel free to contact us.
First Name:
Country of living
mail address:
Contact telephone number

Attn! You can apply for this vacancy if you have a permission to work in Europe!

Please e-mail your name and phone number and we will invite you for interview. 

Usually these fake jobs involve laundering stolen money via wire transfer, but sometimes they involve other "back office" functions such as registering fake businesses, identity theft, auction fraud and many other things which are best avoided unless you really want to spend time in jail.

The WHOIS details are almost definitely fake, but for the record they are:

    Vilechka Pelka
    Organization: Nord Atlantic.
    Address: 15 Av Albert Ier 143
    City: Braine l'Alleud
    State: Braine l'Alleud
    ZIP: 1420
    Country: BE
    Phone: +3.3223874153
    Fax: +3.3223874152

Saturday, 2 April 2011, and

The injection attacks from and other domains continue, and they link back to a popular blog post about a very different attack site at because, at the moment, all these sites appear to be on the same server at belonging to Intermedia TOP SRL.

The following sites are on that malicious server:

Right now the safest thing to do is block traffic to ( - at the very least. But given that there are several bad networks now within the mostly Romanian, there's very little to lose in blocking the whole /16 for now if you don't have dealings with Romania.

If you need to block by domain, then the list below is everything that I can identify in this block.