Advertisement

Friday, 29 April 2011

Fake jobs: wug-newhire.com and wug-consulting.net

Two more fake "Lapatasker" domains, registered on 27/4/11 but otherwise the same as these.

wug-consulting.net
wug-newhire.com

These will no doubt be used to push money laundering "jobs" and the like, avoid.

Thursday, 28 April 2011

infernomag.com / gtracking.org nastiness

Some sort of .htaccess hack is going on, redirecting users to infernomag.com and then on to a malicious site that looks like it's downloading a Zbot variant. It only seems to work with Internet Explorer, and only when the page is accessed from a search engine (like Google). infernomag.com is hosted on 85.17.132.194 (Leaseweb) which is the same server as gtracking.org which alters the .htaccess file as described here.

infernomag.com then redirects users to one of at least two Leaseweb-hosted servers at 85.17.19.201 and 85.17.19.203 (possibly others). These servers have a number of domains on them that appear to belong to legitimate domains registered at GoDaddy by (mostly) UK users - it is likely that their domain control panels have been compromised. Examples are:

actually2.weddingphotographersurrey.net
amount9.gwdempseyjr.com
are5.gwdempseyjr.com
background1.photographbcn.com
brought0.gwdempseyjr.com
captain5.photographbcn.com
captain6.gwdempseyjr.com
charge7.photographbcn.com
signal6.photographbcn.com
completely8.gwdempseyjr.com
congress1.airduct-ventcleaning-mn.com
hard9.photographbcn.com
leading1.airduct-ventcleaning-mn.com
party4.gwdempseyjr.com
providence5.gwdempseyjr.com
safe1.gwdempseyjr.com
she1.weddingphotographerkent.net
tax6.weddingphotographersurrey.net
theory7.weddingphotographerkent.net
am1.theimperialsuspects.com
area6.bettyjaneware.com
belief7.theimperialsuspects.com
contact2.theimperialsuspects.com
cultural5.boneki.com
direct2.theimperialsuspects.com
enemy2.theimperialsuspects.com
baby3.trycue.com
liberal6.trycue.com
most0.ladyofvirtuestore.com
professional0.ladyofvirtuestore.com

Two domains on those servers that do not fit the pattern are:
gfaster.net
fortreecom.net

The WHOIS details are probably fake, for infernomag.com and gtracking.org they are:

   Felix Maurer
   sherman66@ymail.com
   Waldowstr. 61
   Gschwend   Gschwend
   74417   DE
   +49 98466101

fortreecom.net uses the same email address but a different name:

    Bernd Austerlit        (sherman66@ymail.com)
    Alt Reinickendorf 94
    Ziemetshausen
    Bayern,86471
    DE
    Tel. +82.84991251

Detection rates are rubbish. AntiVir detects the payload as TR/Dropper.Gen, BitDefender as Gen:Variant.Zbot.34, Ikarus as Trojan.Win32.Pirminay and Sophos as Mal/Ponmocup-A. Other products do not seem to detect anything at all.

Blocking those IPs of 85.17.132.194, 85.17.19.201 and 85.17.19.203 is safer than trying to block the domains. Blocking the whole /24s instead would probably cause very little inconvenience.

Fake "Lapatasker" job domains 28/4/11

This particular scam has been around for a couple of years and is so common now that I've christened this group of scam domains "Lapatasker" after the email address used in some of the older WHOIS details.


New domains for this scam (all registered on 26/4/11) are:

1job-europ.com
consult-europ.com
middle-consult.com
westconsult-eu.com

The (probably fake) contact details on the domains are:

    Vilechka Pelka
    Email: rewerta12@yahoo.com
    Organization: Nord Atlantic.
    Address: 15 Av Albert Ier 143
    City: Braine l'Alleud
    State: Braine l'Alleud
    ZIP: 1420
    Country: BE
    Phone: +3.3223874153
    Fax: +3.3223874152

As ever, avoid.

Tuesday, 26 April 2011

Some German scam sites

These are allegedly German companies, but:
  • They are all very recently registered (4th and 17th April 2011)
  • The registrar is in China (BIZCN.COM)
  • The web host is in Romania
  • In each case a Yahoo email address has been used
The host is "Enter Net Team" / "Power Host" in Romania. Blocking 86.55.96.0/23 is a quick win if you can do it.

blocher-finance.com
dxxm-group.com
eg-finanzen.com
eseira-finanzen.com
eseira-gruppe.com
esse-gruppe.com
fil-finanzen.com
frost-finanzen.com
geissler-finance.com
geld-group.com
genser-group.com
grueneberg-and-partners.com
hanza-gruppe.com
hod-group.com
horst-finanzen.com
jix-finance.com
koeppl-finanzen.com
krenosz-finance.com
nitte-gruppe.com
nogl-group.com
pius-group.com
puemmler-and-partners.com
schem-group.com
somex-gruppe.com
temi-group.com
volkse-finanzen.com
wedi-group.com
werx-finanzen.com
werx-gruppe.com
wolgast-and-partners.com

More details:
jix-finance.com
86.55.96.11
Guenter Frost guenterfrost@yahoo.com
+49.1745053607 fax: +49.1745053607
Frauenlobstr.32
Berlin Berlin 12437
de

frost-finanzen.com
86.55.96.13
Georgios Mavridis georgiosmavridis50@yahoo.com
+49.1773305251 fax: +49.1773305251
Gerolsteiner Str. 119
Cologne Nordrhein-Westfalen 50937
de

puemmler-and-partners.com
86.55.96.15
Tanja Geissler geisslertanja@yahoo.com
+49.1776444216 fax: +49.1776444216
Lindenstr.38
Kreuzau Nordrhein-Westfalen 52372
de

eseira-finanzen.com
86.55.96.17
Christos Papachristou papachristou.christos@yahoo.com
+49.15202603534 fax: +49.15202603534
Haubersbronnerstr. 6
Urbach Thueringen 73660
de

wolgast-and-partners.com
86.55.96.19
Mike Grueneberg gruenebergmike@yahoo.com
+49.15223628764 fax: +49.15223628764
Walter friedrich str.56
Berlin Berlin 13125
de

somex-gruppe.com
86.55.96.21
Heidrun Lorenz heidrunlorenz@yahoo.com
+49.16099222185 fax: +49.16099222185
Flutgrabenweg 1a
Neumarkt Bayern 92318
de

schem-group.com
86.55.96.23
Ludwig Detlef ludwigdetlef@ymail.com
+49.15203113478 fax: +49.15203113478
Kalk-Muelheimerstr.210
Koeln Nordrhein-Westfalen 51103
de

werx-finanzen.com
86.55.96.25
Daniel Koeppl daniel.koeppl@yahoo.com
+49.15111521688 fax: +49.15111521688
Reinhardsleiten 8
Pielenhofen Bayern 93188
de

nitte-gruppe.com
86.55.96.27
Hans Mausolff hansmausolff@yahoo.com
+49.17649615986 fax: +49.17649615986
Potsdamer Str. 41
Berlin Berlin 14163
de

eseira-gruppe.com
86.55.96.29
Juliane Mausolff julianemausolff@yahoo.com
+49.3031808844 fax: +49.3031808844
Potsdamer Str. 41
Berlin Berlin 14163
de

hanza-gruppe.com
86.55.96.31
Denis Wolgast deniswolgast@yahoo.com
+49.16098119639 fax: +49.16098119639
Am Heidberg 34
Henstedt-Ulzburg Schleswig-Holstein 24558
de

nogl-group.com
86.55.96.33
Lena Puemmler lenapuemmler@yahoo.com
+49.17663727804 fax: +49.17663727804
Neuer Kamp 2
Drebber Niedersachsen 49457
de

dxxm-group.com
86.55.96.35
Bianka Sturhahn biankasturhahn@ymail.com
+49.1723276172 fax: +49.1723276172
Plass 3
Doerentrup Nordrhein-Westfalen 32694
de

geld-group.com
86.55.96.37
Frank Swoboda polskeswine@yahoo.com
+49.15776817588 fax: +49.15776817588
Otto-Hahn-Str. 7a
Alsdorf Nordrhein-Westfalen 52477
de

krenosz-finance.com
86.55.96.39
Olaf Sedello olafsedello@yahoo.com
+49.2254847434 fax: +49.2254847434
Triftstrasse 42
Weilerswist Nordrhein-Westfalen 53919
de

werx-gruppe.com
86.55.96.41
Andreas Kubasik andreaskubasik@ymail.com
+49.15229234145 fax: +49.15229234145
Gartenstrasse 24a
Pleinfeld Bayern 91785
de

grueneberg-and-partners.com
86.55.96.43
Josef Schedlbauer josefschedlbauer@yahoo.com
+49.1712755823 fax: +49.1712755823
Bergstrasse 21a
Regen Bayern 94209
de

geissler-finance.com
86.55.96.45
Vadim Kruglov vadimkruglov@rocketmail.com
+49.1629098777 fax: +49.1629098777
Schuetzenstrasse 23
Friesoythe Niedersachsen 26169
de

esse-gruppe.com
86.55.96.47
Gerhard Krenosz gerhardkrenosz@yahoo.com
+49.21117806832 fax: +49.21117806832
Ludolf Strasse 15
Duesseldorf Nordrhein-Westfalen 40597
de

koeppl-finanzen.com
86.55.96.49
Holm Mrazek holmmrazek@yahoo.com
+49.17685370230 fax: +49.17685370230
Sonnenstrasse 222
Dortmund Nordrhein-Westfalen 44137
de

hod-group.com
86.55.96.51
Gisela Huber ghuber56@yahoo.com
+49.17666649956 fax: +49.17666649956
Althoehensteigstr. 7
Stephanskirchen Hessen 83071
de

volkse-finanzen.com
86.55.96.53
Denis Goertz denis.goertz@yahoo.com
+49.1639836914 fax: +49.1639836914
hochstr. 61
Nettetal Lobberich Sachsenanhalt 41334
de

blocher-finance.com
86.55.96.55
Helmut Koenig koenighelmut@yahoo.com
+49.1733201046 fax: +49.1733201046
Oberhofer Str. 26
Zella-Mehlis Thuringen 98544
de

fil-finanzen.com
86.55.96.57
Bernecker Josef berneckerjosef@yahoo.com
+49.9422859853 fax: +49.9422859853
Stadtplatz 42
Bogen Bayern 94327
de

eg-finanzen.com
86.55.96.59
Pius Walleser walleser32@yahoo.com
+49.1754218358 fax: +49.1754218358
Kesslerstrasse 5
Breisach Sachsen-Anhalt 79206
de

temi-group.com
86.55.96.61
Horst Werner woerner963@yahoo.com
+49.1728189733 fax: +49.1728189733
Rilkestrasse 3
Bad Schussenried Rheinland-Pfalz 88427
de

horst-finanzen.com
86.55.96.63
Kai Hermann hkaihermann@yahoo.com
+49.9942808801 fax: +49.9942808801
Tafertsbergstrasse 12
Prackenbach Rheinland-Pfalz 94267
de

wedi-group.com
86.55.96.65
Joseph Bauer bauer.joseph81@yahoo.com
+49.8555941395 fax: +49.8555941395
Hofaecker 4
Grafenau Hamburg 94481
de

pius-group.com
86.55.96.67
Daniela Habermann habermann_d@yahoo.com
+49.17694209180 fax: +49.17694209180
tecklenburgerstrasse 29
Ladbergen Bayern 49549
de

genser-group.com
86.55.96.69
Armin Blocher arminblocher@rocketmail.com
+49.02771801325 fax: +49.02771801325
Langgasse 1
Dillenburg Niedersachsen 35685
de

Evil network: Leksim Ltd / RELNET-NET AS5577 (62.122.72.0/21)

Implicated in malware distribution, botnet C&Cs and spam, the network range 62.122.72.0/21 (62.122.72.0 - 62.122.79.255) is currently quite active in evil activities (you can find examples here and here and the SiteVet report here).

There aren't many sites in this block, and they are almost all either in 62.122.73.0/24 and 62.122.75.0/24 (but blocking the /21 is safer).. but the vast majority of sites are rated deep red at MyWOT (a full list of sites and ratings can be downloaded here).

Who owns the block? The RIPE WHOIS details are:

inetnum:         62.122.72.0 - 62.122.79.255
netname:         RELNET-NET
descr:           "Leksim" Ltd.
country:         EU
remarks:         trouble: spam/scam/abuse issues send *ONLY* to: abuse@rel-net.eu
org:             ORG-TA388-RIPE
admin-c:         JT384-RIPE
tech-c:          BS594-RIPE
tech-c:          MR10655-RIPE
status:          ASSIGNED PI
mnt-by:          RELNET
mnt-by:          RIPE-NCC-END-MNT
mnt-lower:       RIPE-NCC-END-MNT
mnt-routes:      RELNET
mnt-domains:     RELNET
source:          RIPE # Filtered
mnt-routes:      ROOT-MNT

organisation:    ORG-TA388-RIPE
org-name:        "Leksim" Ltd.
org-type:        OTHER
address:         Stationsplein 30, 2910 MJ Capelle aan den IJssel,  The Netherlands
phone:           +31 10 2391391
fax-no:          +31 10 2391392
admin-c:         JT384-RIPE
tech-c:          BS594-RIPE
mnt-ref:         RELNET
mnt-by:          RELNET
source:          RIPE # Filtered

person:          Justin Thomson
address:         Stationsplein 30
address:         2910 MJ Capelle aan den IJssel
address:         THE NETHERLANDS
abuse-mailbox:   abuse@rel-net.eu
mnt-by:          RELNET
phone:           +31 10 2391391
nic-hdl:         JT384-RIPE
source:          RIPE # Filtered

person:          Bernd Spiess
address:         Gabelsberger Strasse 15
address:         9021 Klagenfurt
address:         AUSTRIA
mnt-by:          RELNET
phone:           +43 46 3223501
nic-hdl:         BS594-RIPE
source:          RIPE # Filtered

person:          Marcel Russo
address:         31, z.a. am Bann
address:         L-3375 Leudelange
address:         LUXEMBURG
mnt-by:          RELNET
phone:           + 352 2551301
nic-hdl:         MR10655-RIPE
source:          RIPE # Filtered


But is this "Leksim Ltd" or Relnet? Relnet's contact details (for rel-net.eu, relnet.eu, relnet.hu) are very different:

domain:        relnet.hu
registrant:    Relnet Technologia Ltd.
registrant:    Relnet Technológia Kft.
    
tech-c:    Dávid András
address:   Véső 7
address:   1133 Budapest
address:   HU
phone:     06-70-452-4603
fax-no:    06-1-350-1355
e-mail:    hostmaster@relnet.hu
hun-id:    2000466058

If you Google the first three names you get some very telling results.

Blocking the /21 is probably the best idea. I can identify the following domains in this block in case you want to block by domain name, or for more detail download the CSV version.

abussgf.com
adnologi.com
apicurl.com
asherhiftn.com
banner-count.com
belliali.com
best-figure.com
biznage.com
blank-record.com
cahodofo.com
chethole.com
clckil.com
clckli.com
cr0zybaner.com
cr0zybanner.com
croozybannir.com
crozybannir.com
data-saver.org
denizab.com
dhfodminmont.com
eleophy.com
fathone.com
fr0udsafetycheck0n.com
goodse.org
gredigns.com
gulderpoin.com
ineloitond.com
kicksho.com
krasivoe-telo.com
lineacount.info
lineweather.com
livesecpayment.com
livesecsuite.com
live-sec-suite.com
live-security-suite.com
liveslicense.com
livespayment.com
livessupport.com
lkckclckli1i.com
lsspayment.com
lsssupport.com
luffer.info
majusef.com
maketh.info
minteddi.com
mizaterp.com
monitor-info.com
mypersonalhttp.com
nonepersonal.com
nuensmidts.com
onlinedietolog.net
osago-msk.com
perleme.com
pinokolder.com
sileeber.com
spy-soft.org
tangoing.info
telemarker.ru
thestopbadware.com
thyrogl.com
tinnily.info
uatwdminmont.com
umogultvon.com
unmarine.info
virtepgulm.com
vkontacte.org
vkontakle.net
warwork.info
w-opay.com
w-optim.com
wovens.info
yafraudcheckonline.com
yledmanager.com
zblvdminmont.com
zumugolter.com

Friday, 22 April 2011

Fake job domains 22/4/11

Another list of fake job domains relating to this long running scam and in addition to these recent ones. Solicitations are sent by spam are are attempting to recruit people for money laundering etc, so best avoided.

australia-union.com
europ-hire.com
europ-union.com
next-jobb.com
usa-1job.com


Registrant details (no doubt fake) are:

    Vilechka Pelka
    Email: rewerta12@yahoo.com
    Organization: Nord Atlantic.
    Address: 15 Av Albert Ier 143
    City: Braine l'Alleud
    State: Braine l'Alleud
    ZIP: 1420
    Country: BE
    Phone: +3.3223874153
    Fax: +3.3223874152

ygnetwork-ltd.com domain scam

This scam has been around for years - basically, you get an unsolicited email from a company claiming to be a domain registrar in China (it is usually China) that says that someone is trying to register a domain similar to one that you already own. The idea is that the recipient will panic and buy an overpriced and basically worthless domain from them.

If you are worried about domain poaching, then usually the best place to start is your own domain registrar or another well-known reliable vendor, rather than responding to this unsolicited approach.


From: John <john.chen@ygnetwork-ltd.com>
Date: 22 April 2011 06:26
Subject: Urgent notice of Intellectual Property protection

Dear Manager:

This email is from China domain name registration center, which mainly deal with the domain name registration and dispute internationally in China and Asia.
On April 21st 2011. We received HAITONG  company's application, they want to register " dynamoo" as its Internet keyword and CN/Asia domain names. It is china and Asia domain names. But after checking we find this domain name conflict with your company, in order to deal with this matter better, so we send you email, and want to confirm whether this company is your distributor or business partner in China?

I'm looking forward to hearing from you!

Best Regards,

John
Oversea marketing manager
Office: +86(0)21 6191 8696
Mobile: +86 1366152 9704
Fax: +86(0)21 6191 8697
web: www.ygnetwork-ltd.com

Friday, 15 April 2011

"Cake Decoration Lesson" spam

I can only assume that this is some sort of strange scam. The email originates from 74.55.158.162 which is flagged as being quite spammy.

Subject: CAKE DECORATION LESSON::::::::::::::::::
From: Omiky Aneke <omikychartin@blumail.org>
Reply-To: omiky1aneke@yahoo.co.uk

Hello,
How are you doing today ?  My name is OMIKY ANEKE I want to book for CAKE DECORATION LESSON Workshops Classes with you while on a 2weeks holidays in your
country.We are a group of 10 people seeking for CAKE DECORATION LESSON: Workshops
training while on holidays and as part of our plans we need CAKE DECORATION LESSON for the whole 2weeks in
your area.
I would like to book for 2weeks classes for 3 hours each day Monday to
Saturday (morning hours) for a group of 10. We are asking for 3 hours per
day for 2weeks - Monday - Saturday. A total of 36 hrs
Do you have a training facility where you conduct classes? We can arrange
for this,if not available.   Do you have rooms or is there any hotel close
to your facility?
DATE: 7TH JUNE 2011 TO 21 JUNE 2011
I would love to know the possibility of working with you during this
period.Kindly get back to me with your proposals so that we can make booking
asap.
The group would be performing for a group of family members over there. I
would love to get the total cost or a quote/estate. What are your payment
options?  Do you accept credit cards? I would be grateful if you will be
willing to do the work to teach quality classes and make us happy

Regards
OMIKY

Beats the heck outta me.

Sunday, 10 April 2011

More fake job domains

Another list of fake job domains, almost identical to this one. Avoid.

1best-position.com
1consulting-online.com
allweb-consulting.com
besteuro-hire.com
consult-wugposition.com
first-newoffer.com
world-hire.com
wug-hire.com
wug-myoffer.com

wug-hire.com fake job offer

Yet another installment in this endless series of fake job offers, the domain wug-hire.com is being used as a reply-to address for this particular scam. The "wug" name has been used before in this spam run.

Subject: We have vacancies to be filled by Europe residents only

Good afternoon!

I am writing to you in the name of the corporation the Human Resources department of which I represent.

Our enterprise has a lot of different lines of business.
-real property
-business support
-company dissolution
-private firm service
-etc

We propose the opportunity for jobseekers in Europe:
-compansation 2.600 euro + bonus
-taskwork
- flexible hours

If our offer kindled your interest, please feel free to contact us. Brooks@wug-hire.com
First Name:
Country of living
City
mail address:
Contact telephone number



Attn! You can apply for this vacancy if you have a permission to work in Europe!

Please e-mail your name and phone number and we will invite you for interview. 

Usually these fake jobs involve laundering stolen money via wire transfer, but sometimes they involve other "back office" functions such as registering fake businesses, identity theft, auction fraud and many other things which are best avoided unless you really want to spend time in jail.

The WHOIS details are almost definitely fake, but for the record they are:

    Vilechka Pelka
    Email: rewerta12@yahoo.com
    Organization: Nord Atlantic.
    Address: 15 Av Albert Ier 143
    City: Braine l'Alleud
    State: Braine l'Alleud
    ZIP: 1420
    Country: BE
    Phone: +3.3223874153
    Fax: +3.3223874152

Saturday, 2 April 2011

alisa-carter.com, lizamoon.com and worid-of-books.com

The injection attacks from lizamoon.com and other domains continue.. and they link back to a popular blog post about a very different attack site at worid-of-books.com because at the moment, all these sites appear to be on the same server at 95.64.9.18 belonging to Intermedia TOP SRL.

The following sites are on that malicious server:
alexblane.com
alisa-carter.com
lizamoon.com
t6ryt56.info
tadygus.com
worid-of-books.com


Right now the safest thing to do is block traffic to 95.64.8.0/23 (95.64.8.0 - 95.64.9.255) at the very least. But given that there are several bad networks now within the mostly Romanian 95.64.0.0/16, there's very little to lose in blocking the whole /16 for now if you don't have dealings with Romania.

If you need to block by domain, then the list below is everything that I can identify in this block.

abrogatesdv.info
antiviric.net
atlaty.com
atydut.com
bancard.cc
blasphemysfhs.info
blatant8jh.info
blightedgf5.info
bru67.info
buroti.com
cra76.info
cre12.info
crediblegfj.info
creditablef8.info
credulousaw99d.info
der93.info
enigmafhdd.info
enscond4xc.info
enshroudgf32b.info
fif49.info
fileac.com
financeprogramm.com
fop22.info
fre94.info
harbingersytu.info
hastenr55a.info
haughtinessd2f.info
itapos.com
ivo17.info
jer77.info
jev41.info
kia31.info
kie14.info
laby5nehfs.info
laceration24.info
lachrymose78n.info
lev66.info
lsrato.com
machmit.cc
mag20.info
memhys.com
mia16.info
mineral-beauty.net
morafu.com
mupoga.com
muposs.com
nlosaf.com
nuzzlefgf.info
nwolbcom.cc
nyb90.info
obduratexv.info
obfuscate98y.info
onfiro.com
online-security.cc
opa63.info
ova22.info
pes89.info
plauditaz.info
plethoradtb.info
podyme.com
poisor.com
posjuc.com
posunn.com
prettyharp.ru
qertys.com
reprieve8mf.info
scoolq.com
ser55.info
servat.cc
serwaz.com
testaz.cc
tmwars.com
usudom.com
xxxpornteensex.com
advancedwebanalytic.com
alexblane.com
alisa-carter.com
alternative-art-ltd.net
alternativeart-ltd.com
artmarket-llc.net
artsolveltd.cc
artsolveltdco.at
astech-groupde.cc
blitznet-de.eu
chelpgroup-llc.net
chepl-groupllc.biz
competitor-uk-group.net
competitorgroup-ltd.com
ddk100.com
ddk2200.com
deemno.com
drakulaworld.net
drysdale-antcorp.at
drysdale-group-inc.cc
findsubstantial.org
foto-album-mnck.tk
fotoshare-2dknc.com
google-1aa.com
googlesite.ws
joomlaext.org
kunde.ws
lizamoon.com
mailwbg6.com
micr0updates.com
myblog-search.com
ocservice-de.net
oregon-ltd-uk.net
qead-llc.biz
saleoke.com
squit-group-llc.biz
surprise-knsma.tk
surprise-knsmd.tk
surprise-knsmf.tk
surprise-knsmo.tk
surprise-knsmp.tk
surprise-knsmq.tk
surprise-knsmr.tk
surprise-knsms.tk
surprise-knsmt.tk
surprise-knsmu.tk
surprise-knsmw.tk
t6ryt56.info
tadygus.com
worid-of-books.com