Tuesday, 29 May 2012

Orwellian Black Opel II

Google's Orwellian Black Opels are back on the prowl, updating Street View. Here's me watching them watching me :)


I don't know this one (LJ08 VVC) is the same Opel Astra I pictured in 2009, but the camera assembly has certainly changed since then.

Monday, 28 May 2012

Amazon.com spam / anarodas.net

Perhaps I spoke too soon about the quietness on the malware spam front. Here's a spam pretending to be from Amazon.com leading to malware on anarodas.net:

From: digital-no-reply@amazon.com [mailto:Amazon.com]
Sent: 25 May 2012 19:02
To: XXXXXXX
Subject: Your Kindle e-book Amazon.com receipt.

Thanks for your order, XXXXXXX!
Did you know you can view and edit your orders online, 24 hours a day? Visit Your Account.
Order Information:
E-mail Address:  XXXXXXX
Billing Address:
Jerry Vance
503-8878 Vel Avenue
GAHANNA
United States
Phone: 614-361-9914   
Order Grand Total: $ 54.99

   

Earn 3% rewards on your Amazon.com orders with the Amazon Visa Card. Learn More

Order Summary:
Details:
Order #:     T29-2192561-6011996
Subtotal of items:     $ 54.99
    ------
Total before tax:     $ 54.99
Tax Collected:     $0.00
    ------
Grand Total:     $ 50.00
Gift Certificates:     $ 4.99
    ------
Total for this Order:    $ 54.99

The following item is auto-delivered to your Kindle or other device. You can view more information about this order by clicking on the title on the Manage Your Kindle page at Amazon.com.
Mockingjay (The Final Book of The Hunger Games) [Kindle Edition] $ 54.99
Sold By: Random House Digital, Inc.
________________________________________

You can review your orders in Your Account. If you've explored the links on that page but still have a question, please visit our online Help Department.
Please note: This e-mail was sent from a notification-only address that cannot accept incoming e-mail. Please do not reply to this message.
Thanks again for shopping with us.
Amazon.com
Earth's Biggest Selection
Prefer not to receive HTML mail? Click here

The malicious payload is on [do not click]anarodas.net/xor/index.php?showtopic=249281 (report here). The site is hosted on the familiar IP address of 41.64.21.71 which is an ADSL line in Cairo.

Sunday, 27 May 2012

When idiots attack

The Wikipedia article for the Ripoff Report is one of those battlegrounds that combines edits from fans of the site, scammers who have been exposed by the site who are trying to settle scores, some people with genuine grievances and concerns about the way the site operates and neutral parties just trying to keep the whole thing together.

Usually, the edits are quite small. But then someone replaced the article with this edit with following text containing a number of obviously false allegations:

Ripoff Report is a privately owned and operated for-profit website founded by consumer advocate Ed Magedson. Who is a fraud star and he is also a Child molester. He used to live in Tampa, Florida, people say he is hiding now in Arizona but actually he lives out side of the USA. FBI is looking for him as well. He claims that he is the consumer advocate. In reality he is actually a communist and he does now not want to Free market to spread out. He is a real scammer and extortionist! People be care full!! The Ripoff Report has been online since December 1998 and is operated by Xcentric Ventures, LLC is a fradulent company which is based in Tempe, Arizona.[1] Ed Magedson is the site's current Editor-in-Chief.

If we want to grow Free Economy and grow America we must stop this fraudulent monster. He caused a serious damage too many good people. All he cares about his own money! He must be brought to justice!

At the same token Google, Yahoo and Bing are supporting him! He must be black listed in all search engines!

Almost all the old text from the article was deleted, and the highlighted section above added. What the heck is a "Fraud star" anyway? So who wrote this illiterate drivel? Well, Wikipedia helpfully records the editor's IP address of 74.92.194.46, which is..

Network
NetRange74.92.194.40 - 74.92.194.47
CIDR74.92.194.40/29
NameNATIONS-WARRANTY-GROUP
HandleNET-74-92-194-40-1
ParentCBC-ATLANTA-6 (NET-74-92-192-0-1)
Net TypeReassigned
Origin AS
CustomerNations Warranty Group (C01796119)
Registration Date2007-11-20
Last Updated2007-11-20
Comments


Customer
NameNations Warranty Group
HandleC01796119
Street2820 Lassiter RdC ,
Citymarietta
State/ProvinceGA
Postal Code30062
CountryUS
Registration Date2007-11-20
Last Updated2011-03-19
Comments

Googling for "nations warranty" marietta is pretty revealing and it leads us to this SEC complaint from 2008 which says:

The Commission alleges that since approximately January 2008, Mikula, a recidivist securities law violator, and Craddock, acting individually or through Nations Warranty or JW&P Consulting, have used misrepresentations and omissions of material fact to offer and sell approximately $2.8 million of securities issued by Nations Warranty in unregistered transactions to approximately 120 investors.

The Complaint alleges that Mikula, operating through his wholly-owned entity JW&P Consulting, and Craddock used material misrepresentations and omissions of material facts to offer and sell short-term promissory notes issued by Nations Warranty. The notes were sold with terms of either 100 or 220 days, and promised rates of return of 4% or 5% per month, respectively. Among the misrepresentations and omissions, the defendants described Nations Warranty to investors as a profitable company when, in fact, Nations Warranty has incurred a net loss of at least $1.2 million during 2008. Defendants also claimed the Nations Warranty notes were "guaranteed" when, in fact, they were not.

Furthermore, Defendants represented that JW&P Consulting had evaluated the risks of investing in Nations Warranty notes and had found the risks acceptable. However, Defendants failed to disclose that JW&P Consulting was nothing more than Mikula himself and that Mikula had been enjoined in a Commission action in July 2007 for operating a Ponzi scheme.

As a result of this fraud, the company was liquidated. Presumably whoever posted the Wikipedia edits confuses free market economics with fraud.

Here's the odd thing.. the SEC actions took place in 2008, so why start griping four years later? There's only a single entry that I can find on Ripoff Report here, and that dates from other three years ago. Not really very current, is it? Or perhaps Nations Warranty have popped up again under a new name?

Zinio spam wastes everyone's time

I've never heard of Zinio before, but apparently they produce electronic versions of magazines or something. I've certainly never opted in to receiving mail from them, but they do seem to be a legitimate company. Presumably they bought my email address from a third party in good faith.


But the annoying this is that if you're going to spam out advertisement emails.. well, at least check the basics.


Date:      26 May 2012 09:38:52 -0400
From:      "Zinio Digital Magazines" [zinio@pgs.zinio.com]
Subject:      Limited Time Offer: Make a purchase on Zinio and get $5 in Zinio Perks!

Exclusive Offers From Zinio! � View as a web page �
   
shop     |     featured     |     my library     |     tell a friend            

Get Credit For Purchasing What You Love!

For a limited time, make a purchase on Zinio and get $5 in Zino Perks, good towards over 5000 digital publications!

Simply choose your favorite magazines anytime before April 30, 2012 midnight PST and receive your Zinio Perks within 72 hours.

Click here and choose from thousands of titles now!

           
National Geographic Interactive

Subscribe and Save 67%!
Buy Now �

    Us Weekly

Subscribe and Save 68%!
Buy Now �

    Harvard Business Review

Subscribe and Save 53%!
Buy Now �

    Maxim

Subscribe and Save 79%!
Buy Now �

           
New Scientist

Subscribe and Save 76%!
Buy Now �

    Macworld

Subscribe and Save 76%!
Buy Now �

Subscribe and Save 48%!
Buy Now �

    HELLO! magazine

Subscribe and Save 50%!
Buy Now �

This email was sent to: xxxxxxxxxxxxxxxxxxx@xxxxx.xxx

We respect your right to privacy, please manage your preferences here.

Zinio LLC - 114 Sansome Street, 4th Floor, San Francisco, CA 94104


There's some horribly mangled HTML that prevents it from loading properly, but the key annoyance is that this so-called special offer expired on "April 30, 2012 midnight PST" but the email was only sent on the 26th May from an IP address of 66.150.202.2. The email is digitally signed as being from zinio@pgs.zinio.com.

Well, Zinio.. I might just pass you up on your craptastic offer.

Thursday, 24 May 2012

24by7technohelp.com / 24by7onlinesolution.com scam

Technical support scammers call the wrong person in this video..


The website involved is 24by7technohelp.com (there is another site on the same server called 24by7onlinesolution.com doing the same thing). These sites are hosted on 208.91.199.77 (Confluence Networks, British Virgin Islands). I've had the Confluence Networks range of 208.91.196.0/22 blocked for some time with no ill effects..

More on this story here.

[Via]

Where's the malware spam?

You might have noticed that I haven't posted details of any malware spam in the past few days. This is because.. well, there really hasn't been much in the way of malware spam, with only one major campaign in the past three weeks.

When malware spam drops, I notice that fake pharma spam pops up instead, and furthermore malware spam runs are hardly ever at weekends when pharma takes over. And yes.. there's been an uptick of pharma spam lately which follows the pattern.

This malware spam run has been going on for months now, with a few breaks of a few weeks each time. I can't believe that anything fundamental has changed. So stay alert!

Monday, 21 May 2012

Synovate / Avios "Share your opinion and win an iPad!" spam

Here's an annoying piece of spam:
   
From:     Loyalty Research loyaltyresearch@synovate.net
Reply-To:     loyaltyresearch@synovate.net
Date:     21 May 2012 08:41
Subject:     Share your opinion and win an iPad!


Dear Mr Xxxxx,

We are contacting you from Synovate, an independent market research agency and would like to invite you to take part in a survey on behalf of a leading loyalty rewards programme, that you are a member of.

Your name has been given to us in good faith by this company and their loyalty programme name will be revealed to you at the end of the survey.

As a thank you for your participation we will enter you into a prize draw to win a fantastic iPad. Your opinions will be used to improve products and services.

This survey should take less than 20 minutes to complete, and will close on the 30th May 2012

Please click on the link below to begin the survey (CLICK ONCE ONLY):
https://wbint6web.synovate.net/syn.asp?s=XXXXX&p=XXXXX&i=XXXXX&w=XXXXX

Your identity will not be revealed to any third party

All information that we collect is strictly confidential and participation will not lead to any unsolicited mail, phone calls, or e-mails.

Your name will never be associated with your specific responses as they will be combined with those of other respondents. You can view our privacy policy at: http://www.synovate.com/legal/

If the survey link does not open, close the browser window then copy and paste the link into the address line of a new browser window and press enter.

If you exit the survey unexpectedly or accidentally close your Internet browser, clicking on the link above will allow you to re-enter the survey and continue where you left off.

If you have any comments or questions about this survey, please e-mail loyaltyresearch@synovate.net and include this survey ID number XXXXX along with any correspondence.

Kind regards,

The Synovate Team

This e-mail is being sent to you by Synovate on behalf of a leading customer loyalty company. Synovate and this company attempt to comply with all governmental laws for commercial e-mail. We have contacted you specifically either because you agreed to be on their mailing list to receive correspondence such as this, or you have previously participated in a survey on behalf of this company. Who this company is will be revealed at the end of the interview. If you do not wish to receive further communication from us, please reply to this email and let us know.

Terms & Conditions


1.    The prize is a 16gb iPad with wi-fi
2.    The prize draw is open to participants of this survey aged 18 or over resident in the UK, excluding employees and past employees of Synovate or anyone materially connected to the administration of the prize draw.
3.    Entry to the draw is by completion and submission of the survey. No purchase is required.
4.    Closing date for all entries into the prize draw is 30th May 2012 at 12pm. No responsibility will be taken for entries lost, damaged, incomplete or illegible. Proof of submitting will not be accepted as proof of delivery. Entries may be disqualified if incomplete or illegible.
5.    Only one entry per person may be submitted.
6.    The draw will take place by 30.06.12.
7.    The prize will be awarded to the first eligible entry drawn.
8.    The winner will be notified in writing by 06.07.12.
9.    The winner will receive their prize by post no later than 20.07.12.
10.    If a winner cannot be contacted within 14 days from the draw date, an alternative winner will be drawn.
11.    The name and county of the winner will be available to anyone sending a stamped addressed envelope to Ipsos, Prize Draw Winner, c/o Toby Rogers, Minerva House, 5 Montague Close, London, SE1 9AY within 28 days of the published closing date.
12.    All entrants to the prize draw will be deemed to have accepted the rules.
13.    No alternatives to the prize offered will be given
.


The bit that says "Who this company is will be revealed at the end of the interview" is particular appalling as the only way to find out who sold your contact details is to do the suvey! Well, not quite.. because the email address Synovate sent to is only used for registration at Avios (formerly Airmiles). So Avios sold on my contact details for the survey.

Oh well, easily fixed. We just need to change the privacy settings in Avios to stop this happening.. oh wait, third party emails don't appear in the "contact preferences" section of their site at all:


So what does their privacy policy say? Well:

Direct Marketing and who your data may be passed to

Your data may be passed to carefully selected companies that distribute Avios or companies that we think may be of interest to you. We may also pass your details to suppliers that process data on our behalf. On occasion we may use and disclose data on a collective basis for marketing and research cases but will not in such cases provide individual customer data.
So, you passed my contact details to Synovate for market research purposes, and there's no apparent opt out. Unless perhaps I do it in writing as you can't opt out on the web site..

How to remove yourself from our communication listings

If you do not wish to receive promotional mailings, simply inform us by writing to the address below. Please note that you may still receive an Avios statement as part of your membership.

Customer Account Management
PO Box 90,
Birchwood,
Warrington,
WA3 7XA.
This is really shabby marketing. Avios haven't breached their own privacy policy as it allows them to sell your contact details on in this way, but most consumers won't be expecting it. You should never, ever click on an unsolicited link like this (because it could lead to malware) and Avios and Synovate should at least make their relationship clear in the email rather than keeping it as a secret until you do the survey.

And why is this spam? Well, in my opinion the email is unsolicited, Avios members cannot apparently opt-out or control these, and the relationship of the recipient to the sender is unclear. Avios and Synovate serious need to clean up their act IMO.

Friday, 18 May 2012

Myspace "Security updates" lead to fake pharma

This is a persistent spam run that has been going for a couple of days:

Date:      Fri, 18 May 2012 13:44:44 -0700
From:      "Myspace" [noreply@message.myspace.com]
Subject:      Security updates

myspace

We have recently updated our website to improve our security.

Please follow the instructions to ensure your account is enable and not blocked.

If you need immediate assistance, please contact our support team.

Note: It is important that your personal information is accurate and complete. This information may later be used to help verify the owner of the account. We does not sell or provide your personal information to third party companies.
Thank you for using Myspace!

The Myspace Team
http://www.myspace.com/

Have questions? Visit our help page. Myspace, 8391 Beverly Blvd, #349, Los Angeles, CA 90048.
� Myspace Inc. All Rights Reserved.

The link in the email goes to a variety of fake pharma sites, all of which appear to be hosted on 91.212.124.152 in a block registered to one Aleksandr Nikolaevich Nikultsev in the Ukraine. The doesn't seem to be much you would want to visit in 91.212.124.0/24 so blocking the whole lot might be prudent.

These are the sites I can find hosted on 91.212.124.152:
acefsynqe.com
amwafudicbia.com
badgestabmedicine.com
biolpharmacy.com
boquihcu.net
carepharmedical.com
carepharmgroup.com
cialisviagracounterpunch.com
curot.ru
cvaxvaso.com
dietabletouchpad.com
dietprescriptionfat.com
diong.ru
duski.ru
dzepojkarny.com
ecstasyherbal.com
epoth.ru
ettoicbynn.com
familymedicineviagra.com
fdamedicalprescription.mobi
genericsteva.com
healthtabgroup.com
hospitallnessmedical.mobi
kdffg.ru
kdfgd.ru
leibypharmacylevitra.com
levitrabrooklyn.com
levitracontab.com
levitrapause.com
lkdsfh.ru
lkhj.ru
loug.ru
lupp.ru
medicarewelnessdebt.com
medsdietgroup.com
medslevitraleiby.com
medsmedicinegroup.com
movietestworld.com
mymedicaremeds.com
mypharmacyherbal.com
mypharmed.com
mypillhealth.com
mypillmedical.com
mypillsale.com
newcanadatablet.com
newmedpharmacy.com
newpillscare.com
newrxhealth.com
newrxmed.com
newrxmedicine.com
newtabhealth.com
newtabletcare.com
nyctyckap.com
oedy.ru
patientsviagracare.com
phad.ru
pharmacycarepatients.com
pharmacycifrazier.com
pillsmedicalhospital.com
plew.ru
pohjgh.ru
prescriptiondrugslevitra.com
radicalmediadata.com
sdfhsj.ru
sescahpyff.com
sexualevitra.com
sexualpillsmed.com
sexualwelnessmed.com
simjicwar.com
sleaxmobca.com
smoruroy.com
sniggahcar.com
soylovde.com
sreadafet.com
srenusoxhui.com
stationbeta.com
steelevitra.com
storepharm.com
straussrx.com
tamy.ru
tbin.ru
thow.ru
viagrahalfmile.com
vikingsnotdead.com
vjkcvl.ru
vkgtq.ru
walgreenspillsrx.eu

Monday, 14 May 2012

TaxSlayer.com spam / hseclub.net

After a quiet few days where most of the incoming spam I've seen has been pharma spam, the exploit kits have reared their ugly heads again with this new campaign:

Date:      Mon, 14 May 2012 12:02:23 -0300
From:      "Joann Crowley" [alert@taxslayer.com]
Subject:      Don't make grave tax mistakes.

View Online | View Mobile | Unsubscribe from TaxSlayer e-mails.    

    Avoid tax deadline mistakes that delay your tax return

With the tax deadline looming, it is essential to make sure that you prevent any errors on your tax return that could delay the filing and processing of your returns. The IRS recently released a list of their most commonly seen errors.

Read More
    
FREE TAX ADVICE x96
with TaxSlayer.com
Do you have a tax-related question that you would like to ask someone? Try our newest feature!

Read More          Do you need
more time to file?
The deadline for filing your tax return will be April 17th this year. See what you can do if you need more time.

Read More          Do you need a last minute deduction?
If you are in need of another tax deduction, you may be able to deduct some or all of your IRA contributions.

Read More

This email was sent to xxxxxxxxx by notification@taxslayer.com.
Click here to unsubscribe from TaxSlayer.com e-mails.
TaxSlayer.com | 610 Ronald Reagan Drive | Evans, GA 30809

Needless to say, this spam isn't from TaxSlayer.com but it leads to malware, this time with a malicious payload at [donotclick]hseclub.net/main.php?page=3d45d0a0fe805ff8 (report here) hosted on 37.59.68.23 (OVH, UK). Blocking that IP will probably do you no harm.

Saturday, 12 May 2012

Nadine Dorries: Where's My Shotgun?

You're not in Florida, Nadine. My MP (who I've never actually seen in the flesh at anything I've been to) Tweets about Reginald D Hunter (after being on Have I Got News For You):
"I have now left the HIGNFY after party. As I looked over my shoulder, Reginald D Hunter was talking to my daughter.#wheresmyshotgunman"

Usually when Tory MPs are involved in online death threats, it's the other way around..

Friday, 11 May 2012

Scamworld: 'Get rich quick' schemes mutate into an online monster

Here's a long and very detailed article from The Verge on how the current crop of get-rich-quick schemes on the Internet work. If it's a case of tl;dr then you can get a flavour of it from this video:


Thursday, 10 May 2012

Fake job and credit check sites to avoid

A little cluster of spam/scam sites on 95.142.173.176, running a scam related to this one. Avoid.

creditdealmanagement.com
creditlevelreport.com
hotdealsmanagement.com
hotoffermanagement.com
rockingdealmanagement.com
rockingdealmanagements.com
rockingoffermanagement.com
rockingscoremanagement.com
tql-billing.com

The WHOIS details are as follows:
creditdealmanagement.com
  Aleje Ujazdowskie 88-44
  Warszawa
  Warszawa,
  PL
  00545
  name:(Sophie Ellis)
  mail:(admin@creditdealmanagement.com)
  +022.8260898
  +022.8260898
  Hot Date

creditlevelreport.com
   NA
   Torrie Ots admin@creditlevelreport.com
   +14122666060 fax: +14122666060
   123 6th Street
   Pittsburgh PA 64213
   us

hotdealsmanagement.com
  name:(Sophie Ellis)
  Email:(admin@creditdealmanagement.com)
  tel-- +022.8260898  
  fax:(+022.8260898)
  Hot Date
  Aleje Ujazdowskie 88-44
  Warszawa
  Warszawa,
  PL
  zipcode:00545

hotoffermanagement.com
  Aleje Ujazdowskie 88-44
  Warszawa
  Warszawa,
  PL
  00545
  name:(Sophie Ellis)
  mail:(admin@creditdealmanagement.com)
  +022.8260898
  +022.8260898
  Hot Date

rockingdealmanagement.com
  name:(Niko Irlung)
  Email:(admin@rockingoffermanagement.com)
  tel-- +022.4860345
  fax:(+022.4860345)
  Rockinig
  Aleje Ujazdowskie 54C
  Warszawa
  Warszawa,
  PL
  zipcode:00541

rockingdealmanagements.com
   NA
   Yawn Paul admin@rockingscoremanagement.com
   +14122821060 fax: +14122821060
   34G W C Jobs
   Pittsburgh PA 64421
   us

rockingoffermanagement.com
  Niko Irlung admin@rockingoffermanagement.com
  +022.4860345
  +022.4860345
  Rockinig
  Aleje Ujazdowskie 54C
  Warszawa,
  Warszawa,
  PL 00541

rockingscoremanagement.com
   NA
   Yawn Paul admin@rockingscoremanagement.com
   +14122821060 fax: +14122821060
   34G W C Jobs
   Pittsburgh PA 64421
   us

tql-billing.com
  Aleje Ujazdowskie 87-44
  Warszawa
  Warszawa,
  PL
  00540
  name:(Dill Nilson)
  mail:(admin@tql-billing.com)
 +022.8277528
 +022.8277528    TQL

Wednesday, 9 May 2012

Something evil on 50.30.47.81

There are a bunch of sites on 50.30.47.81 (Hosting Solutions International, Inc., US) being used to serve Java exploits via injection attacks. Probably worth blocking this one (obviously, don't visit these sites)..

www.gredsa.in
www.bbadkf.in
www.bernitto.in
www.hfsless.in
www.burness.in

Tuesday, 8 May 2012

Something odd

One of those odd things you see in proxy logs.. in this case, a load of outbound access attempts from guest machine like this:

http://69.60.122.18269.60.122.182/
http://85.25.130.1285.25.130.12/
http://89.207.129.789.207.129.7/
http://91.230.147.23191.230.147.231/
http://174.37.202.166174.37.202.166/
http://184.22.165.50184.22.165.50/
http://204.45.70.162204.45.70.162/
http://207.244.209.239207.244.209.239/
http://209.85.148.101209.85.148.101/

Obviously, these URLs are malformed because the IP address is listed twice. But one of these stands out:

http://91.230.147.23191.230.147.231/ is clearly "91.230.147.231" twice. This IP belongs to Adevir Invest in Russia, and we've seen that name before. The other IPs seem innocent enough, but this traffic pattern is highly suspicious and I can only assume that these IPs are some sort of C&C server.

If you want to block the correctly formed IPs then they are as follows:

69.60.122.18
85.25.130.12
89.207.129.7
91.230.147.231
174.37.202.166
184.22.165.50
204.45.70.162
207.244.209.239
209.85.148.10

Saturday, 5 May 2012

Fake job offer: HRT F1 TEAM

The HRT F1 Team is a real team engaged in motor racing. This email is not from the HRT F1 Team.

Date:      Sat, 5 May 2012 16:43:33 +0300
From:      "Rebecca Hoffmeister / HRT F1 TEAM" [gormon.82@digiton.ru]
Subject:      Job Offer - Payment Department

Hello !


We are a first-rate company specializing in the implementation of accessories for cars. Apart from this primary mission, we also provide full support to our clients during all stages of the purchase of our product, from the resolution of the contract to the payment and delivery of the product to the customer. To that end, the subdivisions of our company form a quite large network.

At the present time, there is one position open in our company as an agent in the department of payment control. The first month of work will be probationary and will include training programs on corporate ethics and also the basics of inspection and control of payment between parties in a transaction.

We guarantee:
- A suitable wage

- We guarantee you sufficient money to be added to your main salary, provided you have a wish to work hard and to follow all our instructions on time

- Benefits package
- Free training

Our requirements for candidates:
- Punctual and diligent fulfillment of directions from the manager
- Ability to effectively organize work time

- Process work requests necessary to maintain an effective payments transfer program

- Close access to the infrastructure of our city
- Uphold a high level of integrity and ethics
- Good time management skills


If you are interested in this position, send us a short resume by e-mail: hrtf1team@juno.com

Rebecca Hoffmeister - Payment Manager
HRT F1 TEAM


Instead this is a money mule (money laundering) operation which will end up with serious trouble with the police and your bank. Avoid.

Friday, 4 May 2012

USPS Spam / computerpills.net

This fake USPS spam leads to malware on computerpills.net:

Date:      Fri, 4 May 2012 08:50:52 -0500
From:      "Cathryn Small" [USPS_Shipping_Support@usps.com]
Subject:      Your USPS shipment postage labels receipt.


Acct #: 0443907

Dear client:

This is an email confirmation for your order of 3 online shipping label(s) with postage. Your credit card will be charged the following amount:

Transaction ID: #1537194
Print Date/Time: 03/15/2012 02:30 PM CST
Postage Amount: $43.70
Credit Card Number: XXXX XXXX XXXX XXXX

Priority Mail Regional Rate Box B # 5153 9371 4727 8289 2238 (Sequence Number 1 of 1)

   

If you need further information, please log on to www.usps.com/clicknship and go to your Shipping History or visit our Frequently Asked Questions .

You can refund your unused postage labels up to 14 days after the issue date by logging on to your Click-N-Ship Account.

Thank you for choosing the United States Postal Service

Click-N-Ship: The Online Shipping Solution

Click-N-Ship has just made on line shipping with the USPS even better.

New Enhanced International Label and Customs Form: Updated Look and Easy to Use!

* * * * * * * *

This is a post-only message

The malicious payload is an exploit kit at computerpills.net/main.php?page=beb0bb4c8ebd96e5 hosted on 37.59.68.23 (OVH, UK) which is the same server used in this attack, the payload looks to be the same as the one used in this other attack, with a very low detection rate at VirusTotal of just 3/42.

LinkedIn spam / 184.154.220.226

This fake LinkedIn spam leads to malware on 184.154.220.226:

Date:      Fri, 4 May 2012 -04:52:32 -0800
From:      LinkedIn Password [password@linkedin.com]
Subject:      Reset Your LinkedIn Password

LinkedIn

Hi hippy,

Can’t remember your LinkedIn password? No problem - it happens.

Please use this link to reset your password within the next 1 day:
Click here

Then sign in to LinkedIn with your new password and the email address where you received this message.

Thanks for using LinkedIn!
The malware is hosted on 184.154.220.226/showthread.php?t=34c79594e8b8ac0f (Singlehop, US) which is a very heavily obfuscated exploit page with a not very impressive VirusTotal detection rate of 2/42. Blocking the IP is a good proactive step to stop this from being a problem.

Xvideos.com IP hosting malware C&C servers

For the latest analysis, see the update at the bottom of this post.

I've written about malware on xvideos.com before.. this is the 52nd most popular site in the world, and is one of the world's most popular porn sites. The last time, the xvideos.com site itself was infecting visitors. This time it's something a bit more subtle, and if affects Android smartphone users.

The Naked Security blog and Lookout Security blog analyse a report on Reddit about an infected web page that appeared to impact Android devices. The analysis by the two blogs comes up with two different C&C servers for the malware - 3na3budet9.ru and notcompatibleapp.eu, both hosted on 141.0.172.199.

This IP address is significant, because it is one used by Xvideos.com:

05/04/12 10:50:08 dns xvideos.com
Mail for xvideos.com is handled by aspmx3.googlemail.com aspmx2.googlemail.com alt2.aspmx.l.google.com alt1.aspmx.l.google.com aspmx.l.google.com aspmx5.googlemail.com aspmx4.googlemail.com
Canonical name: xvideos.com
Addresses:
  141.0.172.197
  141.0.172.198
  141.0.172.199
  141.0.172.200
  141.0.172.201
  141.0.172.202
  141.0.172.204
  141.0.172.205
  141.0.172.206
  141.0.172.207
  141.0.172.208
  141.0.172.209
  141.0.172.210
  141.0.172.211

You can probably safely block the whole 141.0.172.0/24 if you want. Do who exactly is xvideos.com? Well, it claims to be a Hong Kong company called Copypaste Ltd:

Handle..............: CLI-299346
    Name................: Copypaste Limited
    Street..............: 3/F, 65 Wyndham street, Central district
    Postalcode..........: N/A
    City................: Hong Kong
    Province............: HK
    Country.............: HK
    E-mail..............: domain@copypaste-limited.com
    Phone...............: +852 2530 1793
 
These IPs are operated by Reality Check Network, and form part of AS46652 which doesn't have a stellar reputation:

Safe Browsing

Diagnostic page for AS46652 (RCN)

What happened when Google visited sites hosted on this network?
Of the 414 site(s) we tested on this network over the past 90 days, 6 site(s), including, for example, xnxx.com/, porn.to/, burningcamel.com/, served content that resulted in malicious software being downloaded and installed without user consent.
The last time Google tested a site on this network was on 2012-05-04, and the last time suspicious content was found was on 2012-04-23.
Has this network hosted sites acting as intermediaries for further malware distribution?
Over the past 90 days, we found 3 site(s) on this network, including, for example, egameads.com/, plugrush.com/, jshell.net/, that appeared to function as intermediaries for the infection of 6 other site(s) including, for example, bestof-youtube.com/, jsfiddle.net/, zff.co/.
Has this network hosted sites that have distributed malware?
Yes, this network has hosted sites that have distributed malicious software in the past 90 days. We found 1 site(s), including, for example, jshell.net/, that infected 1 other site(s), including, for example, jsfiddle.net/.
The question is.. are xvideos.com deliberately hosting these malware C&C servers, or have they been compromised in some way? It's difficult to say, but I would certainly recommend that you do your porn surfing elsewhere as long as this carries on.

Update 13/6/12: these domains still resolve to the xvideos.com IP, but the C&C servers appear not to be functioning. As some of the commenters say, it could be that the bad guys simply pointed their DNS to xvideos.com at random, although out of all the IP addresses they could choose it's odd that they chose the one they did. At the moment, xvideos.com appears clean but there are several related sites and netblocks which should be avoided.

In particular, the AS46652 block is extremely dangerous. Google's diagnostic page says that 181 out of 603 sites in that block serve malware. If you want to block this AS then the IPs appear to be:
69.55.48.0/20
141.0.168.0/24   
141.0.172.0/22   
38.74.208.0/20

Thursday, 3 May 2012

How to access The Pirate Bay on Virgin Media

I don't approve of pirating copyrighted material, but I also don't approve of censorship.On balance I think that censorship is the worst of the two, so I was quite annoyed to find that Virgin Media is censoring the Pirate Bay.

Sorry, the web page you have requested is not available through Virgin Media.

Virgin Media has received an order from the Courts requiring us to prevent access to this site in order to help protect against copyright infringement.

If you are a Virgin Media home broadband customer, for more information on why certain web pages are blocked, please click here.

If you are a Virgin Media Business customer, or are trying to view this page through your company's internet connection, please click here.
It isn't Virgin Media's fault (they have a shedload of their own, this is not one of them), but something they've been obliged to do through the courts.

Here's a newsflash. Not everything listed on the Pirate Bay is actually subject to copyright. As with many things, it's what you do with a tool like the Pirate Bay that counts. So, let's say that you have a legitimate use for looking at the Pirate Bay and you're a Virgin Media customer (or another UK ISP that has blocked TPB).. how do you do it?

Well, there's a mirror of The Pirate Bay hosted on the same IP address and domain as the UK's Pirate Party at https://tpb.pirateparty.org.uk/. Not many people know that all UK political parties have to be registered at the Electoral Commission, and the Pirate Party is indeed a properly registered political party (click to enlarge)..


Although the technology employed by Virgin Media is perfectly capable of blocking part of a website and leaving the rest accessible, it's quite possible that censoring part of a website belonging to a legally constituted political party might just be a step too far..

Samsung Galaxy S III

I think it's fair to say.. that this is a very, very nice device indeed. Quad-core CPU, Android 4.0, a big HD screen and lots of goodies that will distract you from the (presumably) wallet emptying price. Yes.. it's the Samsung Galaxy S III which is probably the second most anticipated device of the year after the iPhone 5!

[Via]

Facebook spam / chicleart.net

These fake Facebook messages lead to malware on chicleart.net:

Date:      Thu, 3 May 2012 11:57:48 -0300
From:      "Facebook" [noreply@facebookmail.com]
Subject:      Most recent events on Facebook

facebook   
Hi xxxxxxxxxx,
You have blocked your Facebook account. You can reactivate your account whenever you wish by logging into Facebook using your old login email address and password. Subsequently you will be able to use the site as before.
Thanks and regards,
The Facebook Team
   
Sign in to Facebook and start connecting
Sign in

follow the link below :
http://www.facebook.com/home.php
This message was sent to xxxxxxxxx@xxx.xxx. If you don't want to receive these emails from Facebook in the future, please click: unsubscribe.
Facebook, Inc. Attention: Department 415 P.O Box 10005 Palo Alto CA 94303

==================

Date:      Thu, 3 May 2012 15:53:38 +0100
From:      "Facebook" [noreply@facebookmail.com]
Subject:      New comment on your status update

facebook   
Hi xxxxxxxxxx,
You have blocked your Facebook account. You can resume your account at any time by logging into Facebook with your old login email address and password. You will then be able to use the site as before.
Thanks and regards,
The Facebook Team
   
Sign in to Facebook and start connecting
Sign in

follow the link below :
http://www.facebook.com/home.php
This message was sent to xxxxxxxxx@xxx.xxx. If you don't want to receive these emails from Facebook in the future, please click: unsubscribe.
Facebook, Inc. Attention: Department 415 P.O Box 10005 Palo Alto CA 94303

==================

Date:      Thu, 3 May 2012 14:09:11 +0000
From:      "Facebook" [alert@facebookmail.com]
Subject:      New comment on your status update

facebook   
Hi xxxxxxxxxx,
You have deactivated your Facebook account. You can reactivate your account whenever you wish by logging into Facebook using your old login email address and password. Subsequently you will be able to use the site in the same way as before.
Best regards,
The Facebook Team
   
Sign in to Facebook and start connecting
Sign in

follow the link below :
http://www.facebook.com/home.php
This message was sent to xxxxxxxxx@xxx.xxx. If you don't want to receive these emails from Facebook in the future, please click: unsubscribe.
Facebook, Inc. Attention: Department 415 P.O Box 10005 Palo Alto CA 94303

The malicious payload is on chicleart.net/main.php?page=8decfe38488713cc on 37.59.68.23 hosted by OVH in the UK.

tsnet-china.com / "Klver Industrial Co. Ltd" domain scam.

This domain scam has been around for years..

From:     jeff jeff@tsnet-china.com
To:   
Date:     3 May 2012 10:02
Subject:     Regarding " dynamoo " Dispute

(If you are not in charge of this please transfer this email to your President or appropriate person, thanks)

Dear President,

We are the department of Asian Domain registration service in china, have something to confirm with you. We formally received an application on May 2, 2012. One company which self-styled "Klver Industrial Co. Ltd" were applying to register "dynamoo" as Network Brand and following domain names:

 dynamoo.asia 
 dynamoo.cn 
 dynamoo.com.cn 
 dynamoo.com.tw 
 dynamoo.hk 
 dynamoo.in 
 dynamoo.net.cn 
 dynamoo.org.cn 
 dynamoo.tw

After our initial checking, we found the name were similar to your company's, so we need to check with you whether your company has authorized that company to register these names. If you authorized this, we will finish the registration at once. If you did not authorize, please let us know within 7 workdays, so that we will handle this issue better. Out of the time limit we will unconditionally finish the registration for "Klver Industrial Co. Ltd".

Best Regards,
                                   
Jeff  Yang
Registration Dept.

Tel: +862885915586  ||  Fax: +862885912116
Address:8/F XiYu building No,52 JinDun Road,QingYang District,Chengdu City,China.

The idea here is to panic the domain owner into registering a bunch of worthless domains. Do I really care if someone registers a bunch of Asian domain names (sub of which are on really crappy second level domains)? No, I don't. And neither should you.

Here's the thing: domain registrars for common domains* like this DO NOT carry out these checks. It isn't their responsibility. In reality, they will NOT contact you prior to registration. There is almost definitely no company interested in buying these domains. And remember, there are hundreds of top-level domains.. you could spend a LOT of money securing worthless variations for no reason.

Give this one a wide berth. If you really do want to find a registrar for additional domains, shop around to find a reliable and inexpensive registrar rather than dealing with spammers.

* some "sunrise" registrations for new top-level domains do check trademark ownership when they are launched.

Tuesday, 1 May 2012

Isn't it amazing..

Isn't it amazing how everything sometimes comes together. I came across this particularly well researched article at a blog called Cultivated Drivel.

Sometimes people make those connections that you should have seen your case. In this case, the post managed to link together several strands of my own blog that I hadn't managed to do myself.. namely: Inter Financial Ltd, Gary NcNeish and Piradius.net

It looks like Mr McNeish might have his fingers in quite a few spam pies..

"Invitation FACEBOOK" hoax

There are a lot of genuine malware-laden fake Facebook emails about, but this one is a hoax.. and a very old one at that, going all the way back to the 1990s in one form or another.

Subject: Fwd: FW: PLEASE CIRCULATE

PLEASE CIRCULATE THIS NOTICE TO FRIENDS AND FAMILY ON YOUR CONTACT LIST

In the coming days, you should be aware…

Do not open any message with an attachment called:

"Invitation FACEBOOK"

Regardless of who sent it

It is a virus that opens an Olympic torch and burns the whole hard
disc C of your computer

This virus will be received from someone you have in your address book


That's why you should send this message to all your contacts.  It is
better to receive this email 25 times than to receive the virus and
open it

If you receive email called: "Invitation FACEBOOK", though sent by a friend,

do not open but delete it immediately

CNN said it is a new virus discovered recently and that has been
classified by Microsoft as the most destructive virus ever

It is a Trojan Horse that asks you to install an adobe flash plug-in.
Once you install it, it's all over. And there is no repair yet for
this kind of virus. This virus simply destroys the Zero Sector of the
Hard Disc, where the vital information of their function is saved



THE INFORMATION HAS BEEN CHECKED WITH SNOPES
http://www.snopes.com/computer/virus/youtube.asp

DO exercise caution with emails that appear to be from Facebook, PayPal, LinkedIn or any one of a variety of services.. you can usually check the true destination of a link in an email by floating the pointer over it. DON'T circulate silly hoaxes like this because it simply wastes everybody's time.

PayPal Spam / 72.46.140.14

This fake PayPal spam leads to malware on 72.46.140.14:

Date:      Tue, 1 May 2012 14:31:26 +0300
From:      "PayPal" [notify@paypal.com]
Subject:      RE:You just sent a payment to Enrique Peterson

   
You just sent a payment
    Transaction ID: 2SM69324P0770102B
Hello xxxxxxxxxxxxxx,
Thanks for using PayPal. It may take a few moments for this transaction to appear in your account.
Merchant
Enrique Peterson
wcEnrique22@hotmail.com
    Note to Thad Peterson
You haven't sent a note.
Shipping address - confirmed
Michael Pepe
P.O. Box 173
Cheektowaga, NY�14225
United States
Total     $140.00 USD
Payment     $60.00 USD
Payment sent to Enrique Peterson

   
Help Centre | Resolution Centre | Security Centre

This email was sent by an automated system, so if you reply, nobody will see it. To get in touch with us, log in to your account and click "Contact Us" at the bottom of any page.
Copyright � 2012 PayPal, Inc. All rights reserved. PayPal is located at 2211 N. First St., San Jose, CA 95131.

PayPal Email ID PP1526

The malicious payload is on 72.46.140.14/showthread.php?t=9d77a9163cda8dbe (report here) and is hosted by Versaweb in the US, suballocated to "Silver Knight Enterprises Corp" of Las Vegas.

Update: here is another variant

Date:      Tue, 1 May 2012 19:54:34 +0700
From:      "PayPal" [notify@paypal.com]
Subject:      RE:You just sent a payment to Jame Peterson


   
You just sent a payment
    Transaction ID: 2SM69324P0770102B
Hello xxxxxxxxxxxxxxx,
Thanks for using PayPal. It may take a few moments for this transaction to appear in your account.
Merchant
Jame Peterson
wcJame22@hotmail.com
    Note to Thad Peterson
You haven't sent a note.
Shipping address - confirmed
Michael Pepe
P.O. Box 173
Cheektowaga, NY�14225
United States
Total     $100.00 USD
Payment     $60.00 USD
Payment sent to Jame Peterson

   
Help Centre | Resolution Centre | Security Centre

This email was sent by an automated system, so if you reply, nobody will see it. To get in touch with us, log in to your account and click "Contact Us" at the bottom of any page.
Copyright � 2012 PayPal, Inc. All rights reserved. PayPal is located at 2211 N. First St., San Jose, CA 95131.

PayPal Email ID PP1526