Sponsored by..

Wednesday 31 August 2011

dpolg-bundespolizei.org is not DPolG or the Bundespolizei

DPolG is a staff a association of the German Federal Police (Bundespolizei). So you might expect that dpolg-bundespolizei.org is something to do with the DPolG.. especially when the www.dpolg-bundespolizei.org resolves to 77.87.229.14, which is the same IP address as bundespolizei.de which is the German Federal Police.

But something is very wrong with this domain.Let's start with the WHOIS details:

Domain ID:D163178250-LROR
Domain Name:DPOLG-BUNDESPOLIZEI.ORG
Created On:30-Aug-2011 11:02:35 UTC
Last Updated On:30-Aug-2011 11:02:35 UTC
Expiration Date:30-Aug-2012 11:02:35 UTC
Sponsoring Registrar:Regtime Ltd. (R1602-LROR)
Status:TRANSFER PROHIBITED
Status:ADDPERIOD
Registrant ID:CO1014850-RT
Registrant Name:ALex Potolot
Registrant Organization:ALex Potolot
Registrant Street1:49-12 Shepherd Street
Registrant Street2:
Registrant Street3:
Registrant City:London
Registrant State/Province:London
Registrant Postal Code:W12 7HF
Registrant Country:GB
Registrant Phone:+44.2073290240
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Registrant Email:apotolot@yahoo.com

It's kind of odd that a German police domain should be registered to a person in the UK using a free email address. But what is odder is that the address does not exist. Although there is a Shepherd Street in London, the postcode is not W12 7HF, that's the postcode for Stanlake Road in Hammersmith. Shepherd Street's postcode begins W1J 7Jx in any case, and there's no number 49 on that road (it is approximately the location of the Park Lane Mews Hotel).

Let's check the nameservers:
Name Server:NS1.NAMESELF.COM
Name Server:NS2.NAMESELF.COM
Nameself.com is DNS service for Russian registrar WebNames.ru. (aka Regtime Ltd) who are also the domain registrar. Why would the German police use a Russian registrar?

The next clue is in the MX handlers - these are the servers that handle mail for dpolg-bundespolizei.org:

  dpolg-bundespolizei.org MX (Mail Exchanger) Priority: 20 ALT1.ASPMX.L.GOOGLE.COM
  dpolg-bundespolizei.org MX (Mail Exchanger) Priority: 20 ALT2.ASPMX.L.GOOGLE.COM
  dpolg-bundespolizei.org MX (Mail Exchanger) Priority: 30 ASPMX2.GOOGLEMAIL.COM
  dpolg-bundespolizei.org MX (Mail Exchanger) Priority: 30 ASPMX3.GOOGLEMAIL.COM
  dpolg-bundespolizei.org MX (Mail Exchanger) Priority: 30 ASPMX4.GOOGLEMAIL.COM
  dpolg-bundespolizei.org MX (Mail Exchanger) Priority: 30 ASPMX5.GOOGLEMAIL.COM
  dpolg-bundespolizei.org MX (Mail Exchanger) Priority: 10 ASPMX.L.GOOGLE.COM
So, the domain is using Google for mail handling. DPolG use their own mailservers, not Google.

Something is definitely amiss here, and it wouldn't be the first time that the Bundespolizei name was used for malicious purposes as there has been a recent rash of malware using it. On balance, a domain with a fake UK address registered via a Russian registrar and using Google for mail handling is unlikely to be legitimate. Avoid.




Monday 29 August 2011

Fake jobs: consult-position.com, instant-job.com, newweb-career.com, uk-bestjob.com and web-newcarer.com

A new set of domains pushing illegal money laundering jobs and other criminal activities as part of this long running operation.

consult-position.com
instant-job.com
newweb-career.com
uk-bestjob.com
web-newcarer.com


Typically, these emails will appear to be "from" you as well as "to" you.. this is just a forgery and it doesn't mean that your mail is hacked.

Don't be tempted by the jobs on offer, typical positions are for money mules, reshipping scams or sometimes back-office functions such as translating emails or signing paperwork. Don't bother replying to the email as no good will come of it.

If you have an example of any emails using this address, please consider sharing it in the Comments. Thanks!

Friday 26 August 2011

Fake jobs: us-newcareer.com

Operating the same money laundering scam/spam as this batch of domains, and forming part of this very long running scam, the domain us-newcareer.com was freshly registered two days ago.

The jobs offered by anyone soliciting replies to this email address are all criminal activities and should be avoided. The spam email messages may appear to be coming from your own email address, but this is a simple forgery and it does not mean that your computer or mail account is compromised.

If you have examples of spam emails using the domain, please consider sharing them in the Comments. Thanks!

Wednesday 24 August 2011

Fake jobs: greece-career.com, il-career.com, mc-jobs.com and oae-career.com

Four new domains peddling fake jobs today, forming part of this very long running scam.

greece-career.com
il-career.com
mc-jobs.com
oae-career.com

The "jobs" offered are actually criminal activities such as money laundering. It may be that the email appears to come "from" you as well (the from address is trivially easy to fake, it doesn't mean that your machine is infected with anything).

Domains were registered two days ago to "Alexey Kernel", which is no doubt a fake name.

greece-career.com presumably targets Greek nationals, and il-career.com looks to be targeting Israelis. The other two are less clear, but our best guess is that mc-jobs.com might be targeting Macedonia (but the TLD is .mk) and oae-career.com might be the UAE and is just a typo. This continues the pattern of going after non-English speaking victims who might be fooled more easily by a scam email in their own language.

If you have any examples of this spam, please consider sharing them in the Comments. Thanks!

Monday 22 August 2011

HMRC phish: refund1-hmrc.com, refund2-hmrc.com, refund3-hmrc.com and refund4-hmrc.com

Here's a bunch of web sites and domains being used to peddle fake HMRC (UK tax office) refunds:

www.refund1-hmrc.com
www.refund2-hmrc.com
www.refund3-hmrc.com
www.refund4-hmrc.com
www.handler123.com

The fake emails look something like this:

From: HM Revenue & Customs Billing Department [mailto:hmrc@refund1-hmrc.com]
Sent: 22 August 2011 09:36
To: [redacted]
Subject: Billing Notifcation


Refund Notification


This e-mail has been sent to you by HM Revenue & Customs to inform you that we must pay you back 478 GBP.
Please complete all the information to process your refund

Please allow 2 weeks for you money to be availabe in your account. (eg: address, phone)
Total refund amount: 478 GBP

To ensure that your service is not interrupted, we request you to confirm and update your information today by following the link below:

Refund Notification


Thank you for your prompt attention to this matter. Do not reply to this e-mail.
Mail sent to this address cannot be answered.

Member [redacted]

© HM Revenue & Customs 2011 

The emails actually come from  refund1-hmrc.com, refund2-hmrc.com, refund3-hmrc.com and refund4-hmrc.com so

If you click through the link then you get a pretty standard phishing page trying to get credit card details, personal information and passwords.

The HMRC don't send tax refund messages by email, so any such notification should be considered bogus.

The phishing sites are hosted on 211.154.91.246 in China, blocking that IP would be a good idea, but you could go further and block 211.154.64.0/19 as it looks like a cable modem range and there shouldn't really be any legitimate sites hosted here.

Domain registration details are clearly fake:


Domain Name.......... refund1-hmrc.com
  Creation Date........ 2011-08-22
  Registration Date.... 2011-08-22
  Expiry Date.......... 2012-08-22
  Organisation Name.... scotia bank
  Organisation Address. hah
  Organisation Address.
  Organisation Address. there
  Organisation Address. 123131
  Organisation Address. AL
  Organisation Address. UNITED STATES

Admin Name........... scotia bank
  Admin Address........ hah
  Admin Address........
  Admin Address........ there
  Admin Address........ 123131
  Admin Address........ AL
  Admin Address........ UNITED STATES
  Admin Email.......... bbuubbh2@yahoo.com
  Admin Phone.......... +1.1233213121
  Admin Fax............

Tech Name............ scotia bank
  Tech Address......... hah
  Tech Address.........
  Tech Address......... there
  Tech Address......... 123131
  Tech Address......... AL
  Tech Address......... UNITED STATES
  Tech Email........... bbuubbh2@yahoo.com
  Tech Phone........... +1.1233213121
  Tech Fax.............
  Name Server.......... ns1.refund1-hmrc.com
  Name Server.......... ns2.refund1-hmrc.com



The nameservers are hosted on 200.29.238.90 in Colombia (CONSULNETWORK LTDA).

Thursday 11 August 2011

Fake jobs: unionhire.net, wugcareer.com and wugoffers.net

Three new fake job domains registered in the past couple of days to the fake "Alexey Kernel" registrant, forming part of this very long running scam.

unionhire.net
wugcareer.com
wugoffers.net


As before, there is a series of spam messages advertising so-called "jobs" from these companies, but in reality they are criminal activities such as money laundering.

If you have a sample email, please consider sharing it in the Comments. Thanks!


Something evil on 95.168.177.144: reddingtaxcm.com and inferno.name

reddingtaxcm.com is a legitimate domain that is registered at GoDaddy and has been hijacked to serve up malware, hosted on 95.168.177.144 (NetDirekt, Germany but more below..).

The malware appears to be a variant of Vundo / Virtumundo, the infection mechanism looks to be some sort of injection attack on third party sites.

Although the IP 95.168.177.144 is allocated to NetDirekt (now Leaseweb Germany), it belongs to part of a range suballocated to inferno.name of Serbia (apparently also known as v3Servers.net). Inferno featured recently in this blog with another similar malware attack, that time on 95.168.178.206. 95.168.177.0/4 seems to be full of (possibly fake) pharma sites.

A lot of other IP addresses associated with this company are implicated with forum spamming.

Just in case you want to block traffic to/from inferno.name (although there may well be legitimate sites and servers in these ranges) then I have identified the following IP ranges, although there may well be more:

46.22.211.0/25
80.79.124.128/26
92.48.122.32/28
95.168.165.0/24
95.168.173.0/24
95.168.177.0/24
95.168.178.0/24
95.168.191.0/24
188.72.204.0/24
188.72.213.0/24
188.143.232.0/23
212.95.54.0/24
212.95.58.0/24
212.95.63.0/24

As for 95.168.177.144, watch for traffic going to subdomains of reddingtaxcm.com, for example:

command0.reddingtaxcm.com
danger0.reddingtaxcm.com
costs0.reddingtaxcm.com
fifteen1.reddingtaxcm.com
countries1.reddingtaxcm.com
evil3.reddingtaxcm.com
placed4.reddingtaxcm.com
itself4.reddingtaxcm.com
democratic5.reddingtaxcm.com
dark5.reddingtaxcm.com
original5.reddingtaxcm.com
tuesday5.reddingtaxcm.com
source6.reddingtaxcm.com
cover6.reddingtaxcm.com
highest6.reddingtaxcm.com
college7.reddingtaxcm.com
during9.reddingtaxcm.com
condition9.reddingtaxcm.com
complex9.reddingtaxcm.com
headed0.reddingtaxcm.com

Thursday 4 August 2011

Something evil on 79.133.196.124

I don't quite have the full picture on this, but it looks like some Scandinavian sites have been compromised in some way and are redirecting to a malware server on 79.133.196.124 in Poland which is serving up fake AV applications.

Blocking access to 79.133.196.124 is probably a very good idea. The following sites appear to be hosted on that server and should be blocked if you can't do so by IP address, alternatively just block access to all .co.cc and .rr.nu domains if you can.


www1.aideray.in
www1.bestrusprotect.rr.nu
www1.bestshprotect.rr.nu
www1.besturprotect.rr.nu
www1.bestzoprotect.rr.nu
www1.bestzyprotect.rr.nu
www1.fastcowsecure.rr.nu
www1.fastengsecure.rr.nu
www1.fastjeasecure.in
www1.firstytholder.in
www1.mystedguard.rr.nu
www1.novirotall.rr.nu
www1.novirtyall.rr.nu
www1.personal-wantivir.com
www1.savefslf-holder.co.cc
www1.simpleermaster.com
www1.test.thebest-poscaner.in
www1.thebestarmydhec.co.cc
www2.bestshchecker.rr.nu
www2.firstlrnetwork.rr.nu
www2.hardobcleaner.rr.nu
www2.hard-sentineluuu.rr.nu
www2.harduvscaner.rr.nu
www2.powerab-army.rr.nu
www2.powerarmycv.rr.nu
www2.safeholderbp.rr.nu
www2.safeholdergv.rr.nu
www2.safeichecker.rr.nu
www2.safe-softgr.rr.nu
www2.savednscaner.rr.nu
www2.saveojnetwork.rr.nu
www2.simplejnsoft.rr.nu
www2.smartsentinelmc.rr.nu
www2.strongckguard.rr.nu
www2.strongnetworkcj.rr.nu
www2.strongyhcleaner.rr.nu
www2.topdefensehg.rr.nu
www2.topiy-security.rr.nu
www2.top-suitele.rr.nu

Tuesday 2 August 2011

virtualmapping.org redirect

The domain name virtualmapping.org sounds legitimate, but isn't.. it's a redirector used on hacked websites. The first time you visit one of these hacked sites via a Google search, you get redirected to a URL at virtualmapping.org/cgi-bin/r.cgi. Subsequent visits don't seem to trigger this, nor does visiting the site directly. It could be an altered .htaccess file.

virtualmapping.org is hosted on 94.63.149.246 which is unsurprisingly enough in Romania, in a Cobalt IT SRL block suballocated to SC Coral IT Office SRL / xnetworkings.com also in Romania. Sites in these Cobalt ranges are either all evil or are of interest to Romanian visitors only, so one quick and easy way to secure your network is to block the entire 94.60.0.0/14 range.. at the very least, block 94.63.149.0/24, 94.63.244.0/24 and 94.60.123.0/24 which are especially toxic.

After hitting virtualmapping.org, visitors are then redirected to one of the following sites on 95.168.178.206, hosted at Netdirekt in Frankfurt but actually allocated to a host called inferno.name (Sogreev Anton, Serbia). 95.168.178.0/24 is full of Russian porn sites, so probably a good thing to block in any case.

Some of the domains that are loading the malware are:
could0.nc-9.com
gets1.nc-9.com
realized2.nc-9.com
summer3.nc-9.com
principle4.nc-9.com
watching4.nc-9.com
and5.nc-9.com
electric6.nc-9.com
plane6.nc-9.com
show7.nc-9.com
fig8.nc-9.com
ever8.nc-9.com
feet8.nc-9.com
league9.nc-9.com
event9.nc-9.com
became0.nc-9.com
sense4.nc-9.com

Basically, anything in the nc-9.com domain apart from nc-9.com and www.nc-9.com has been hijacked and is pointing to the IP address in Frankfurt. It's not a surprise to see that nc-9.com is actually a legitimate domain registered at GoDaddy that appears to have been hijacked.

The payload is a nasty trojan according to various analysis tools (ThreatExpert, Comodo, Anubis). Detection rates are very low. The analysis tools might help you to clean up your PC if you have somehow become infected.

Of some interest, the trojan alters the HOSTS file to block access to popular torrent sites such as the Pirate Bay. It also calls home to two domains, assistancebeside.com (78.159.100.32) and imagehut4.cn which was actually deleted last year, but was registered to the scumbags at Real Host Ltd.

There's quite a lot to block here, the highest priorities are:
94.63.149.246
95.168.178.206
78.159.100.32
*.nc-9.com
assistancebeside.com
virtualmapping.org

I see no harm in blocking the following /24s:
94.63.149.0/24
95.168.178.0/24

And if you're not afraid to block really quite large address ranges:
94.60.0.0/14

Monday 1 August 2011

Fake jobs: careers-canada.com

One fake job domain today, and the scammers seem to have shifted to a new target - Canada. This time, the domain is careers-canada.com, registered only yesterday to the fictitious "Alexey Kernel" in the Ukraine.

The standard approach with these scammers is to spoof an email "from" the target's email address (don't worry if you see this, your email account has not been compromised) and the emails offer a variety of illegal jobs including money laundering. It forms part of this long-running scam.

If you have any examples of emails using this domain, please consider sharing them in the Comments.. thanks!