
Friday 31 January 2014

Something evil on 192.95.10.208/28

192.95.10.208/28 (OVH, Canada) is being used to deliver exploit kits utilising .pw domains; for an example see this URLquery report. The following domains are being used in these attacks (although there may be more):


The IP forms part of a /28 block belonging to a known bad actor:
NetRange:       192.95.10.208 - 192.95.10.223
CIDR:           192.95.10.208/28
OriginAS:       AS16276
NetName:        OVH-CUST-413973
NetHandle:      NET-192-95-10-208-1
Parent:         NET-192-95-0-0-1
NetType:        Reassigned
RegDate:        2014-01-24
Updated:        2014-01-24
Ref:            http://whois.arin.net/rest/net/NET-192-95-10-208-1

CustName:       Private Customer
Address:        Private Residence
City:           Penziatki
StateProv:     
PostalCode:     30000
Country:        RU
RegDate:        2014-01-24
Updated:        2014-01-24
Ref:            http://whois.arin.net/rest/customer/C04859113


I believe that these IPs are connected with a black hat host r5x.org and IPs with these WHOIS details are very often used in exploit kit attacks. I would strongly recommend that you block 192.95.10.208/28 in addition to the domains listed above.

"Windsor Telecom Fax2Email" spam

Another day, another fake Fax spam with a malicious payload:

Date:      Fri, 31 Jan 2014 10:00:23 +0000 [05:00:23 EST]
From:      Windsor Telecom Fax2Email [no-reply@windsor-telecom.co.uk]
Subject:      Fax Message on 08983092722 from

FAX MESSAGE
You have received a fax on your fax number: 08983092722 from.
The fax is attached to this email.
PLEASE DO NOT REPLY BACK TO THIS MESSAGE.

Attached is an archive file FAX MESSAGE.ZIP which in turn contains a malicious executable FAX MESSAGE.EXE with a VirusTotal detection rate of 4/50. Well, I say malicious, but both Malwr and Anubis report that the payload does not execute properly. However, that might just be an issue with those particular sandboxes and it does not mean that it will fail to run on all systems.

Thursday 30 January 2014

"Last Month Remit" spam

This fake "Last Month Remit" spam does a pretty good job of looking like it comes from your own organisation..

Date:      Thu, 30 Jan 2014 12:22:05 +0000 [07:22:05 EST]
From:      Administrator [victimdomain]
Subject:      FW: Last Month Remit

File Validity:Thu, 30 Jan 2014 12:22:05 +0000
Company : http://[victimdomain]
File Format: Office - Excel
Internal Name: Remit File
Legal Copyright: ? Microsoft Corporation. All rights reserved.
Original Filename: Last month remit file.xls

********** Confidentiality Notice **********.
This e-mail and any file(s) transmitted with it, is intended for the exclusive use by the person(s) mentioned above as recipient(s).
This e-mail may contain confidential information and/or information protected by intellectual property rights or other rights. If you
are not the intended recipient of this e-mail, you are hereby notified that any dissemination, distribution, copying, or action taken
in relation to the contents of and attachments to this e-mail is strictly prohibited and may be unlawful. If you have received this
e-mail in error, please notify the sender and delete the original and any copies of this e-mail and any printouts immediately from
your system and destroy all copies of it.

The deception even goes as far as faking the mail headers:

Received:

    (qmail 6160 invoked from network); 30 Jan 2014 12:22:06 -0000
    from unknown (192.168.1.88) by [redacted] with QMQP; 30 Jan 2014 12:22:06 -0000
    from 95-177-119-126.aurora.managedbroadband.co.uk (95.177.119.126) by [redacted] with SMTP; 30 Jan 2014 12:22:05 -0000
    from docs743.[victimdomain] (10.0.0.170) by [victimdomain] (10.0.0.31) with Microsoft SMTP Server (TLS) id U5G10C1E; Thu, 30 Jan 2014 12:22:05 +0000
    from docs7075.[victimdomain] (10.39.36.29) by smtp.[victimdomain] (10.0.0.131) with Microsoft SMTP Server id MJ25NOGJ; Thu, 30 Jan 2014 12:22:05 +0000

Going to the bother of inserting fake mail headers is odd, because anyone who knew enough to check the headers would probably also realise that the attached ZIP file with an EXE in it was probably bad news.
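Added example (not from the original post): a sketch of why those inserted headers do not hold up. Received lines are prepended by each server, so everything below the first hop where a trusted MTA records a public source address was supplied by the sender. The hostnames mx.recipient.example and victim.example are placeholders for [redacted] and [victimdomain], and the parser assumes the simplified "from HOST (IP) by HOST" form quoted above.

```python
import ipaddress
import re

# Simplified "from HOST (IP) by HOST" shape used in the headers quoted above.
HOP_RE = re.compile(r"from\s+(?P<src>\S+)\s+\((?P<ip>[0-9.]+)\)\s+by\s+(?P<by>\S+)")

# Constructed sample modelled on the quoted chain, newest hop first.
# mx.recipient.example stands in for [redacted], victim.example for [victimdomain].
SAMPLE_CHAIN = [
    "(qmail 6160 invoked from network); 30 Jan 2014 12:22:06 -0000",
    "from unknown (192.168.1.88) by mx.recipient.example with QMQP; "
    "30 Jan 2014 12:22:06 -0000",
    "from 95-177-119-126.aurora.managedbroadband.co.uk (95.177.119.126) "
    "by mx.recipient.example with SMTP; 30 Jan 2014 12:22:05 -0000",
    "from docs743.victim.example (10.0.0.170) by victim.example (10.0.0.31) "
    "with Microsoft SMTP Server (TLS) id U5G10C1E; Thu, 30 Jan 2014 12:22:05 +0000",
    "from docs7075.victim.example (10.39.36.29) by smtp.victim.example (10.0.0.131) "
    "with Microsoft SMTP Server id MJ25NOGJ; Thu, 30 Jan 2014 12:22:05 +0000",
]


def parse_hops(chain):
    """Return the hops that match the simplified form, newest first."""
    hops = []
    for line in chain:
        match = HOP_RE.search(line)
        if match:  # lines such as the qmail trace carry no from/by pair
            hops.append(match.groupdict())
    return hops


def in_domain(host, domain):
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def analyse_chain(chain, trusted_mtas, own_domain):
    """Split a Received chain into the verified part and the sender-supplied part.

    trusted_mtas: hostnames of the recipient's own receiving servers.
    own_domain:   the recipient organisation's mail domain.
    """
    hops = parse_hops(chain)
    handoff = None
    boundary = -1
    for i, hop in enumerate(hops):
        if hop["by"].lower() not in trusted_mtas:
            break  # written by a server we do not run: stop trusting here
        boundary = i
        if not ipaddress.ip_address(hop["ip"]).is_private:
            handoff = hop  # the message entered from the internet at this hop
            break
    unverified = hops[boundary + 1:]
    forged = []
    if handoff is not None:
        # Mail handed over by an outside address cannot also have passed
        # through our internal servers first, so such claims are forged.
        forged = [h for h in unverified
                  if in_domain(h["src"], own_domain) or in_domain(h["by"], own_domain)]
    return {"handoff": handoff, "unverified": unverified, "forged": forged}


if __name__ == "__main__":
    verdict = analyse_chain(SAMPLE_CHAIN, {"mx.recipient.example"}, "victim.example")
    print("real handoff:", verdict["handoff"]["src"], verdict["handoff"]["ip"])
    for hop in verdict["forged"]:
        print("forged internal hop:", hop["src"], "->", hop["by"])
```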

In this case, the attachment is called Remit_[victimdomain].zip  which in turn contains a malicious executable called Remit.exe which has an icon that makes it look like a PDF file.

This file has a VirusTotal detection rate of 10/49. Automated analysis tools [1] [2] [3] show an attempted connection to poragdas.com on 182.18.143.140 (Pioneer Elabs, India), which is a server that has been seen before, and excelbizsolutions.com on 103.13.99.167 (CtrlS Private, India).

Recommended blocklist:
103.13.99.167
182.18.143.140
poragdas.com
excelbizsolutions.com




WTF is s15443877[.]onlinehome-server[.]info?

Something that caught my eye was this Google Safebrowsing diagnostic for [donotclick]s15443877.onlinehome-server.info:

Safe Browsing

Diagnostic page for s15443877.onlinehome-server.info

What is the current listing status for s15443877.onlinehome-server.info?
This site is not currently listed as suspicious.
What happened when Google visited this site?
Of the 1746 pages we tested on the site over the past 90 days, 582 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2014-01-29, and the last time suspicious content was found on this site was on 2014-01-29. Malicious software includes 166 scripting exploit(s), 166 trojan(s), 89 exploit(s). Successful infection resulted in an average of 5 new process(es) on the target machine.
Malicious software is hosted on 198 domain(s), including mendozaempleos.com/, e-veleta.com/, forogozoropoto.2waky.com/.
155 domain(s) appear to be functioning as intermediaries for distributing malware to visitors of this site, including chebro.es/, formandfinishpdr.com/, mendozaempleos.com/.
This site was hosted on 1 network(s) including AS8560 (ONEANDONE-AS).
Has this site acted as an intermediary resulting in further distribution of malware?
Over the past 90 days, s15443877.onlinehome-server.info did not appear to function as an intermediary for the infection of any sites.
Has this site hosted malware?
No, this site has not hosted malicious software over the past 90 days.


Not only are (exactly) one third of the pages crawled hosting malware, but there are a staggering 198 domains spreading it. Usually it's just a handful of sites, but this is the most I've ever seen.

VirusTotal also shows some historical evil going on with the IP of 212.227.141.247 (1&1, Germany) and a Google of the site contents shows thousands of hits of what appears to be scraped content in Spanish.

It's hard to say just what this site is, but with Google diagnostics like that then it is unlikely to be anything good and blocking s15443877.onlinehome-server.info or 212.227.141.247 might be prudent.

"Adopt a puppy scam" is a new twist

This offer to adopt a puppy for free is a scam:

From:     Shirley Eason shirleyeason5@gmail.com
Reply-To:     shirleyeason5@gmail.com
Date:     30 January 2014 09:29
Subject:     Adopt this little puppy @ 0$

My name is Shirley Eason, Presently diagnosed of acute brain injury from a ghastly car accident that led to lost of my son and husband 3 years ago.

I'm looking for a good heart fellow to take over my 9weeks English Bulldog,right now I have been ask to move to Aged home. ofcourse I'm not allowed to take webster.

I'm willing to send Webster overseas if you can convince me he's on good hands.

I want to share the love I have for Webster across the world to anyone who have passion for animals.

You will receive more photos on response to this mail.
http://www.sendspace.com/file/pa5p12
http://www.sendspace.com/file/ytalxs

Hugs and kisses from a beautiful heart

Warm Regards
What's on the end of those Sendspace links? Well, indeed there are a couple of pictures of a puppy.

So.. it's a free puppy? What could possibly go wrong? Well, lots..

Let's do a bit of detective work starting with finding the origin of those photos. A trip to Google Images followed by a click of the camera icon allows you to upload a picture to do a reverse image search. We can easily find a match for that photo here and here, and it turns out that although the dog really is called Webster he's not up for adoption at all, but is for sale by a reputable and unconnected party who has had their photo stolen.

So, what is the scam? Bearing in mind that poor old Webster is worth a couple of thousand dollars but the scammer is asking for nothing? Well, as with all advance fee fraud scams there are going to be up-front expenses that aren't mentioned, such as shipping fees, vet bills, certificates and all sorts of other things.. and once the victim has paid all the money then Webster will still not turn up because of course the scammer doesn't actually have the dog to begin with.

Now, we're pretty sure that you won't try to acquire a dog advertised by spam.. but if you are, well.. don't.

Incidentally, the origins of the email appear to be a computer at 75.130.67.30 (Charter Communications, Tennessee) via a server at 68.15.225.129 (ommailex1.iiiinc.com) although it is unlikely that the owner of either of those two systems is aware of the scam either.

Fake Vodafone MMS spam comes with a malicious attachment

This fake Vodafone MMS spam comes with a nasty payload:
Date:      Thu, 30 Jan 2014 03:55:04 -0500 [03:55:04 EST]
From:      mms.service6885@mms.Vodafone.co.uk
Subject:      image Id 312109638-PicOS97F TYPE==MMS

Received from: 447219637920 | TYPE=MMS 
Despite the Vodafone references in the header, this message comes from a random infected PC somewhere and not the Vodafone network.

The email doesn't quite render properly in my sample:


The spam is probably preying on the fact that most people have heard of MMS but very rarely use it. Attached is a file IMG0000008849902.zip which in turn contains a malicious executable IMG0000008849902.exe, which has a VirusTotal detection rate of just 2/50. Automated analysis tools are inconclusive [1] [2] as the sample appears to time out.

Wednesday 29 January 2014

"Voice Message from Unknown" spam (again)

This fake voice message spam comes with a malicious attachment:

Date:      Wed, 29 Jan 2014 14:45:36 +0100 [08:45:36 EST]
From:      Administrator [docs0@victimdomain.net]
Subject:      Voice Message from Unknown (644-999-4348)

 Unity Messaging System

- - -Original Message- - -

From: 644-999-4348

Sent: Wed, 29 Jan 2014 14:45:36 +0100

To: [redacted]

Subject: Important Message to All Employees 
Attached is an archive Message.zip which in turn contains a malicious executable VoiceMessage.exe which has a VirusTotal detection rate of just 6/50. Automated analysis tools [1] [2] [3] show attempted connections to kitchenrescue.com on 184.107.74.34 (iWeb, Canada) and ask-migration.com on 173.192.21.195 (Softlayer, US). In particular, it attempts to download some sort of encrypted file [donotclick]kitchenrescue.com/login.kitchenrescue.com/images/items/wav.enc which I have not been able to identify.

The Green Organisation (thegreenorganisation.info) spam

Perhaps The Green Organisation (thegreenorganisation.info) has good intentions, but sending out unsolicited bulk email is just going to get them regarded as The Spam Organisation.

From:     Green Organisation greenorganisation@rkwmail.co.uk
Date:     29 January 2014 02:43
Subject:     FAO: The Chief Executive and anyone involved with the built environment


FREE ENTRIES FOR BUILT ENVIRONMENT AWARDS

You can submit a free entry in the Green Apple Built Environment and Architectural Heritage Awards, as long as it arrives by February 28.

The top prize is a holiday for two in the world’s greenest resort – AquaCity in the High Tatras mountains of Slovakia.
There are three chances to win in each category, with Gold, Silver and Bronze trophies for the top three.
You also have the chance to represent your country in the European Business Awards for the Environment, as the Green Apple Awards is one of the few UK campaigns accepted as an official feeder scheme into the Brussels-led initiative.

If any of your building/construction projects helps the environment in any way, you are invited to submit an entry.

Every company or council is entitled to a free entry and all winners receive invitations for the glittering presentation ceremony at the Crystal, London in June, with food and drink included.

You can win…

  • A prestigious trophy and certificate
  • A holiday for two in the world’s greenest resort
  • International recognition
  • Qualification into Europe
  • Massive publicity
  • And we will plant a tree on behalf of each company submitting an entry.

And all free of charge!

The Green Apple Awards for the Built Environment 2014
 You can enter online, by email or by post and you will find more information at www.thegreenorganisation.info or you can phone 01604 810507.
CLOSING DATE FEBRUARY 28, 2014

It’s free – and easy!
The Green Organisation, The Mill House, Mill Lane, Earls Barton, Northampton NN6 0NR.
Unsubscribe
The email originates from 81.168.114.179 which resolves as rkwmail.co.uk (hosted by Eclipse Internet in the UK). The WHOIS details for that domain are:

Domain name:
        rkwmail.co.uk

    Registrant:
        Roger Wolens

    Registrant type:
        UK Individual

    Registrant's address:
        Mill House
        Earls Barton
        Northamptonshire
        NN6 0NR
        United Kingdom


When we look at the spamvertised domain thegreenorganisation.info we see some broadly similar details:

Registrant ID:DI_9170956
Registrant Name:Domain Contact (103845)
Registrant Organization:The Green Organisation
Registrant Street1:The Mill Barn, Mill Lane
Registrant Street2:
Registrant Street3:
Registrant City:Earls Barton
Registrant State/Province:Northants
Registrant Postal Code:NN6 0NR
Registrant Country:GB
Registrant Phone:+44.1604810507
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Registrant Email:rogerwolens@btconnect.com


So whois is Roger Wolens? Well, he appears to be the owner of The Green Organisation. So the next thing I wondered is.. exactly what is The Green Organisation? They answer this question on their own website:
THE GREEN ORGANISATION  has been established since 1994 as an international, independent, non-profit, non-political, non-activist environment group, dedicated to recognising, rewarding and promoting environmental best practice around the world.
Note that The Green Organisation is not a charity but a business. We can look that up on DueDil to see what it thinks:


OK, that seems to look like a non-profit to me. In fact a hunt around their website shows nothing suspect or untoward, although if it is really the hugely successful enterprise that it claims to be then I wonder why it is promoting itself through spam.

"Urgent eviction notification No2621" spam

This particularly cruel spam is a variation of the Court Notice spam that has been around for a few weeks. Thankfully it is very poorly worded which should alert at least some potential victims that it is a fake.

Date:      Tue, 28 Jan 2014 17:40:16 -0400 [16:40:16 EST]
From:      Eviction Notification [support.7@riduscourt.com]
Subject:      Urgent eviction notification No2621

 Eviction Notification,
   Please be advised that you are obliged to
   vacate the living space you occupy until March 28, 2014, 11 a.m.
   If you do not vacate it in the specified terms,
   the court will have to assign the forcible eviction for April 26,
   2014, 11 a.m.
   If nobody is home we will not be responsible for safe keeping of your
   belongings.
   Besides, if you fail to comply with the requirements of the court
   bailiff
   you will be fined for up to 200 minimum wage amounts
   with a subsequent doubling of the penalty amount
   and can be made criminally or administratively liable.
   The details of the circumstances that caused the judicial decision
   of eviction are attached herewith.
   Court bailiff,
   GOODWIN Bass
Attached is an archive file Copy_Of_The_Court_Statement_N1801.zip which in turn contains a malicious file Copy_of_the_court_statement_us_28_01_2014.exe.

For some reason the ZIP file that I have is corrupt and will not open, but I suspect that other versions may be valid. If anyone has a reliable analysis of this file it might be worth leaving a note in the Comments... thanks!

Update (30/1/14): here is a second version doing the rounds:

Date:      Wed, 29 Jan 2014 18:11:43 -0500 [01/29/14 18:11:43 EST]
From:      Notice To Quit [service_notice@mnduscourt.com]
Subject:      Notice to quit No5759

 Notice to quit,
   Hereby you are informed you have to quit the premises you hold until
   March, 21, 2014.
   If you stay in the currently occupied premises for a longer period of
   time,
   you will be assigned by court for forced eviction scheduled for April
   5, 2014.
   If court executives do not find you at home on the specified date,
   the court will disclaim any responsibility for safe keeping
   of your property left in the premises.
   Whether you fail to fulfill the requirements of the court
   you might be held liable to a fine equal to 100 minimum wage amounts.
   Attention.
   The adjudication details can be found attached to this notice.
   Bailiff of the court,
   RUSSELL ORTIZ 

In this case there is a ZIP file Details_For_Arrears_Document_29-01-2014_Copy_N5146.zip which contains a malicious executable Details_For_Arrears_Document_29-01-2014.exe which has an icon that makes it look like a Word document. The VirusTotal detection for this is 17/49. ThreatExpert reports a connection to 77.72.26.97 (Tesene SRL, Italy).

Update (31/1/14): Another couple of variations with a slightly different payload:

Date:      Fri, 31 Jan 2014 00:30:51 -0400 [01/30/14 23:30:51 EST]
From:      Eviction Notice [support.5@perkinscoie.com]
Subject:      Eviction notification No8423

 Eviction notice,

   Hereby you are notified that you have to move to another
   location from the currently occupied premises within
   the next three weeks.

   Please find the lawsuit details attached to this letter.

   If you do not move within this period of time,
   we will have no other alternative than to have you
   physically removed from the property per order of the Judge.

   If we can be of any assistance to you during your relocation,
   please feel free to contact us any time.

   Court representative,
   Emma Mason

---

Date:      Thu, 30 Jan 2014 14:23:27 -0500 [01/30/14 14:23:27 EST]
From:      Eviction Notice [support.7@perkinscoie.com]
Subject:      Notice to quit No8116

 Eviction notice,
   Hereby you are notified that you have to move to another
   location from the currently occupied premises within
   the next three weeks.
   Please find the lawsuit details attached to this letter.
   If you do not move within this period of time,
   we will have no other alternative than to have you
   physically removed from the property per order of the Judge.
   If we can be of any assistance to you during your relocation,
   please feel free to contact us any time.
   Court representative,
   Mary Tailor
The attachments on these two samples were Lawsuit_Details _Attache_ID88-175.zip and Lawsuit_Details _Attache_ID91-380.zip, in turn containing a malicious executable Lawsuit_Details _Court_Representative.exe which has a VirusTotal detection rate of 16/50. The ThreatExpert analysis shows an outbound connection to 41.86.112.12 (Mweb Connect, South Africa), although other analysis tools don't spot this [1] [2] [3].

Update (4/2/14): the spam run is ongoing with a couple of new ones spotted..

Date:      Mon, 03 Feb 2014 22:57:06 -0400 [02/03/14 21:57:06 EST]
From:      Eviction Notification [notice_support.7@littler.com]
Subject:      Evition notice No3998

 Eviction notification,
   You are hereby given notice that you are in breach
   of your tenancy of the premises you currently occupy.
   To remedy the breach you have to quit
   the premises within the following four weeks.
   If you fail to comply you will be physically removed
   and fined for up to 100 minimum monthly wages.
   Detailed information is attached herewith.
   Court secretary,
   RUSSO Anthony

-----------------------

Date:      Tue, 04 Feb 2014 10:29:55 -0500 [10:29:55 EST]
From:      Notice to quit [notice_service@kirkland.com]
Subject:      Notice to exit the premises No8527

 Notice to quit,
   We regret to inform you that in the period until 04/02/14
   you will have to relocate from the currently occupied premises.
   If the property is not timely vacated we will have to apply sanctions
   against you.
   Case details are attached to the present notice.
   Court secretary,
   JENSEN TATE 
Two sample attachment names are Lawsuit_Details _Copy_ID131-06.zip and Lawsuit_Details _Copy_SN_98-273.zip only one of which seems unzippable to Lawsuit_Details _Court Secretary_02-03-2014.exe which has a VirusTotal detection rate of 28/51. Most automated analysis tools are pretty inconclusive about what it does [1] [2] [3], but ThreatExpert reports an attempted connection to a server at 77.72.26.97 (Tesene, Italy) which has been used before in this attack.



Tuesday 28 January 2014

RingCentral "New Fax Message on 01/22/2013" spam

This fake RingCentral fax spam has a malicious attachment:
Date:      Tue, 28 Jan 2014 14:28:24 +0000 [09:28:24 EST]
From:      Sheila Wise [client@financesup.ru]
Subject:      New Fax Message on 01/22/2013

You Have a New Fax Message
From:     (691) 770-2954
Received:     Wednesday, January 22, 2014 at 11:31 AM
Pages:     5
   

To view this message, please open the attachment

Thank you for using RingCentral.
Attached is a file fax.zip which in turn contains a malicious executable fax.doc.exe with an icon to make it look like a Word document. The VirusTotal detection rate for the document is 10/50, and the Malwr analysis shows an attempted callback to ren7oaks.co.uk on 91.238.164.2 (Enix Ltd, UK).
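Added example (not from the original post): a mail-gateway style check for the pattern seen throughout these spam runs, a ZIP attachment whose member is an executable, sometimes with a decoy document extension such as fax.doc.exe. The extension lists and the sample archives are constructed for illustration; an archive that cannot be opened, like the corrupt sample in the eviction spam, is reported rather than passed.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Assumed policy lists for this sketch, not taken from the post.
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com"}
DECOY_EXTS = {".doc", ".docx", ".pdf", ".xls", ".xlsx", ".jpg", ".wav"}


def inspect_zip(data):
    """Return (member name, reason) findings for a ZIP attachment given as bytes."""
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        # A damaged archive cannot be checked, so it is flagged for quarantine.
        return [("<archive>", "unreadable archive")]

    findings = []
    with archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            name = PurePosixPath(info.filename).name
            ext = PurePosixPath(name).suffix.lower()
            if ext not in EXECUTABLE_EXTS:
                continue
            # "fax.doc.exe" has the stem "fax.doc", whose own suffix is the decoy.
            inner_ext = PurePosixPath(PurePosixPath(name).stem).suffix.lower()
            if inner_ext in DECOY_EXTS:
                findings.append((name, "double-extension executable"))
            else:
                findings.append((name, "executable"))
    return findings


def make_sample_zip(members):
    """Build a constructed ZIP in memory from {member name: bytes}."""
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w") as archive:
        for name, content in members.items():
            archive.writestr(name, content)
    return buffer.getvalue()


if __name__ == "__main__":
    placeholder = b"constructed placeholder, not a real executable"
    samples = {
        "fax.zip": make_sample_zip({"fax.doc.exe": placeholder}),
        "Message.zip": make_sample_zip({"VoiceMessage.exe": placeholder}),
        "notes.zip": make_sample_zip({"notes.txt": b"harmless text"}),
        "corrupt.zip": b"PK\x03\x04 truncated constructed bytes",
    }
    for attachment, data in samples.items():
        print(attachment, inspect_zip(data))
```

The icon disguise described in these posts is not visible from member names, so this check only covers the naming side of the trick.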

The executable then downloads an apparently encrypted file from [donotclick]ren7oaks.co.uk/images/al2701.enc which has defied my half-hearted attempts at analysis.





Ongoing Fake flash update via .js injection and SkyDrive, Part II

A few days ago I wrote about some ongoing injection attacks that were leading to Adscend Media LLC ads. Adscend say that the affiliate using their ad system was banned, although the ad code is still showing in the injection attacks themselves (update: you can see their take on this in the comments below). F-Secure also covered the attacks from a different aspect.

Although these injection attacks have died down a little they are still ongoing, but usually by the time I get to have a look at them part of the infection chain has been cleaned up. However, this infection is still current and shows what is going on at the moment.

In this case the code has been injected into the legitimate website sotralu.fr (report here) by altering the site's JS files, for example [donotclick]www.sotralu.fr/local/cache-js/fc1bd2678ffcf630f1ab8e56bda3ce7b.js

The code is fairly distinctive being attached at the bottom of the .js file, and it has a limited and fairly generic set of results at VirusTotal.

In this case the injection attempts to run a script from [donotclick]adsrr.home.pl/_vti_txt/rNn3m1K9.php?id=47276976 which in turn tries to download most of its content from [donotclick]adsrr.home.pl/_vti_txt/imgfiles/b.html (report here) which presents itself as a fake Flash update banner.


As well as the Adscend Media ad, this directs the user to download flashplayerinstaller.exe from [donotclick-https]skydrive.live.com/download.aspx?cid=cafe68e3dcbe2d33&resid=CAFE68E3DCBE2D33%21111 which has a VirusTotal detection rate of just 2/50. The Malwr analysis of this file shows a subsequent download from [donotclick-https]skydrive.live.com/download.aspx?cid=cafe68e3dcbe2d33&resid=CAFE68E3DCBE2D33%21112 which has a VirusTotal detection rate of 7/50 but a rather inconclusive Malwr report showing that it modifies the computer to run at startup.

Other researchers might want to grab those files and have a poke at them, so I haven't reported them yet. I'd be interested if anybody can get more intel on whoever is behind it.

The use of SkyDrive is sneaky, but you might decide that it's the sort of thing that you want to block in your corporate environment anyway. It might just be that the best way to counter this sort of attack is to apply a bit of user education about the threat.

Monday 27 January 2014

"Skype Missed voice message" spam

This fake Skype email has a malicious attachment:

Date:      Mon, 27 Jan 2014 19:37:11 +0300 [11:37:11 EST]
From:      Administrator [docs1@victimdomain.com]
Subject:      Skype Missed voice message

Skype system:
You have received a voice mail message.
Date 01/27/2014
Message length is 00:01:18. 

Attached to the email message is an archive file Skype-message.zip which in turn contains a malicious executable Voice_Mail_Message.exe which has a VirusTotal detection rate of 13/49. Malwr reports that the malware calls home to rockthecasbah.eu on  64.50.166.122 (LunarPages, US). This server has been compromised before and I recommend you block traffic to it.

"Your FED TAX payment" spam

This fake "Tax payment" spam comes with a malicious attachment:

Date:      Mon, 27 Jan 2014 14:24:42 +0100 [08:24:42 EST]
From:      "TaxPro_PTIN@irs.gov" [TaxPro_PTIN@irs.gov]
Subject:      Your FED TAX payment ( ID : 34KIRS821217111 ) was Rejected

*** PLEASE DO NOT RESPOND TO THIS EMAIL ***

Your federal Tax payment (ID: 34KIRS821217111), recently sent from your checking account was returned by the your financial institution.

For more information, please download notification, using your security PIN 55178.

Transaction Number:     34KIRS821217111

Payment Amount:     $ 9712.00

Transaction status:     Rejected

ACH Trace Number:     768339074172506

Transaction Type:     ACH Debit Payment-DDA

Internal Revenue Service, Metro Plex 1, 8401 Corporate Drive, Suite 300, Landover, MD 20785.

Attached is a file Tax payment.zip which in turn contains a malicious executable Tax payment.exe which has a VirusTotal detection rate of 11/50. Automated analysis by Malwr is inconclusive; other analysis tools are currently down or under DDOS.

"Carnival Cruise Line Australia" fake job offer

This fake job offer does NOT come from Carnival Cruise lines:

From:     Mrs Vivian Mrs Vivian carnjob80@wp.pl
Date:     27 January 2014 09:59
Subject:     JOB ID: AU/CCL/AMPM/359/14-00
Signed by:     wp.pl

Carnival Cruise Line Australia
15 Mount Street North Sydney
NSW 2060, Australia
Tel (2) 8424 88000

JOB ID: AU/CCL/AMPM/359/14-00

What is your idea of a great career? Is it a job that allows you to travel to beautiful destinations on a spectacular floating resort, being part of a multi-cultural team with co-workers from more than 120 different nationalities? Or is it a job that allows you to earn great money while you learn, grow and fulfill your dreams and career ambitions?
It’s Carnival Cruise Line policy not to discriminate against any employee or applicant for employment because of RACE, COLOR, RELIGION, SEX, NATIONAL ORIGIN, AGE, DISABILITY, MARITAL OR VETERAN STATUS.
PLEASE NOTE THESE FOLLOWING: 
Employment Type:               Full-Time/Part-Time
Salary:                                  USD $45,000/ USD $125,000 per annual
Preferred Language of Resume/Application: English
Type of work:            Permanent / Temporary
Status:                        All Vacancies
Job Location:              Australia
Contract Period:          6 Months, 1 Year, 2 Years and 3 Years
Visa Type:                  Three Years working permit


The management will secure a visa/working permit for any qualified applicant. VISA FEE, ACCOMMODATION & FLIGHT TICKET will be paid by the company
We have more than 320 different positions available, interested applicants should forward their RESUME/CV or application letter to Mrs Vivian Oshea via email on (carnivalcareer@globomail.comso we can forward the list of positions available and our employment application form
Note: Applicants from AMERICA, EUROPE, ASIAN, CARIBBEAN and AFRICA can apply for these vacancies.

Regards
Management
Carnival Cruise Line Australia

Despite the appearance of Carnival's actual web sites in the email, the reply address is NOT a genuine Carnival address and is instead a free email account. The email actually originates from 212.77.101.7 in Poland.

The basic idea behind this scam is to offer a job and then charge the applicant for some sort of processing fees or police check or come up with some other reason why the applicant needs to pay money. Once the money has been taken (and perhaps even the victim's passport or other personal documents stolen) then the job offer will evaporate.

More information on this type of scam can be found here and here.

Saturday 25 January 2014

"MVL Company" fake job offer

This job offer is a fake, and in reality probably involves money laundering or handling stolen goods:

From: Downard Bergstrom [downardkrjbergstrom@outlook.com]
Subject: Longmore
Date: Fri, 24 Jan 2014 18:52:49 +0000

Hello,
Today our Company, MVL Company, is in need of sales representatives in United Kingdom.

Our Company deals with designer goods and branded items. We've been providing our customers with exclusive products for more than five years, and we believe that the applicant for the position must have great communication skills, motivation, desire to earn money and will to go up the ladder. All charges related to this opening are covered by the Company. Your main duties include administrative support on orders and correspondence, controlling purchase orders and expense reports.

Part-time job salary constitutes 460GBP a week.
Full-time job is up to 750GBP per week .
Plus we have bonus system for the best workers!

To apply for the vacancy or to get more details about it, please email us directly back to this email.

Hope to hear from you soon!
Best regards,
Downard Bergstrom

The spam is somewhat unusual in that it addresses me by my surname, indicating that the email data might have been stolen from a data breach (Adobe perhaps). The email originates from a free Microsoft Outlook.com account and gives no clues as to its real origins. A look at Companies House Webcheck confirms that there is no company of this exact name, although there are several innocent companies with similar names.

Avoid.

Friday 24 January 2014

Somnath Bharti: when a spammer becomes a government minister

More than a decade ago I came across an outfit called TopSites LLC, which was running a spam operation pestering webmasters to renew their listings in the Topsites directory. The directory was basically an unlicensed rip-off of the Open Directory Project, in what was basically a business directory scam.

I documented the saga in a five-part series (plus a couple of follow-ups) and eventually TopSites shut up shop, with the main person behind it (Paul Aunger) cashing out from the business and buying into another firm called Inova Technology instead. There's a long story to that particular business and I won't cover it here, but if you're really interested a trip to InvestorsHub is kind of interesting.

Part way through the TopSites spamming operation, they picked up a partner in India called Somnath Bharti. India was an ideal place to send spam from because it had no anti-spam laws at the time (and is still very lax in this area), so the act of spamming by itself was not illegal.. although the act of selling paid directory listings when they were actually free is a lot more questionable.


Mr Bharti denied any involvement, but since I had a copy of his business card it was pretty clear that he was lying. After I identified him, Mr Bharti was listed in the Spamhaus ROKSO list which is basically a list of the world's worst spammers. An example of the spam can be found here, linking Topsites to Mr Bharti's Madgen Solutions.

I didn't really pay much attention to Mr Bharti after that, although for a long time my site was the number one result in Google for Somnath Bharti which must have irritated him, and I did learn that he moved from IT to become a lawyer.

So I was rather surprised to find that Mr Bharti is now a government minister at the centre of a growing political storm in India, and now journalists are beginning to check his background, which is leading some of them back to what I wrote a decade ago.

Now, I'm not an expert in Indian law (and detractors of Mr Bharti say that he isn't either) but anti-spam laws in India basically do not exist, and certainly a decade ago I don't think that there was anything under Indian law that Mr Bharti was doing wrong. Even so, he was successfully sued in California [doc] for those same spam emails. Rather more seriously, being involved in a business that sells worthless directory listings is certainly legally questionable, although no case about that aspect was ever brought against Topsites or Mr Bharti.

One thing is certain - Mr Bharti lied about his involvement with TopSites. After I published details of his connection, he sent a somewhat threatening email denying involvement but inadvertently confirming it at the same time:
    Subject: surprising and serious
    From: Somnath [somnath.bharti@gmail.com]

     
    Hi Conrad,
    I was taken by surprise to find you listing my name, one of my properties address and my picture in an article on a company named "TopSites LLC" on your site. I don't know on what basis you have been talking so emphatic without cross verifying with the person you are talking about. To my utter surprise, you have been having this article on your site accusing me of being related to a company I have heard only through your article. Please have the same removed ASAP and explain to me what made you write all this about a person, not even remotely attached to any such company.
    Please acknowledge of this email and have any and everything related my name, my pic and c-28 address removed. I am available at +91-9891819893, if you have anything to talk about. Also, post on the same page an apology for this grievous mistake on your part.
    --
    Regards,
    Somnath Bharti

In that email, Mr Bharti emphatically denies involvement, but confirms that the photograph and address I published of him are correct.

What Mr Bharti didn't know was that I had a copy of his business card, not only confirming his connection, but listing him as CEO.


If you are interested in researching the topic for yourself, a good place to start is Google Groups, especially searches relating to Topsites, Bharti and Madgen Solutions (Bharti's IT company). I don't know if Mr Bharti is still denying his involvement in Topsites, but the evidence is damning if you look for it.

By TopSites LLC's own admission, they were turning in $1.8 million a year by 2005. How much of that money made its way to Mr Bharti is a mystery. And quite how Mr Bharti reconciles his questionable past business practices with his membership of an anti-corruption political party is also a mystery.

I don't know if Mr Bharti accepts or denies his role as a spammer for TopSites LLC, but his name is all over several public records and I also have private unpublished data that places him firmly near the centre of the operation. Perhaps he thinks that selling something that should be free is also an ethical way to do business, I don't know. And how does he explain a blatant and rather pathetic lie about involvement? That's something I don't know either. But I would certainly be interested in seeing what he has to say for himself..

Update: after being exposed in the Times of India, Mr Bharti denies being responsible.. but I look deeper at his involvement with the spamming operation here.

Thursday 23 January 2014

"Legal Business Proposal" spam has a malicious attachment

This email looks like it should be an advance fee fraud, but instead it comes with a malicious attachment. I love the fact that this is a Legal Business Proposal as opposed to an Illegal one.

Date:      Thu, 23 Jan 2014 12:45:11 +0000 [07:45:11 EST]
From:      Webster Bank [WebsterWeb-LinkNotifications@WebsterBank.com]
Subject:      Legal Business Proposal

Hello, I'm Norman Chan Tak-Lam, S.B.S., J.P, Chief Executive, Hong Kong Monetary Authority (HKMA).

I have a Business worth $47.1M USD for you to handle with me.

Detailed scheme of business can be seen in the attached file.

Attached is a file business-info.zip which in turn contains a malicious executable business-info.exe with a VirusTotal detection rate of 16/49.

Automated analysis tools [1] [2] [3] show attempted connections to dallasautoinsurance1.com on 38.102.226.239 and wiwab.com on 38.102.226.82. Both those IPs are Cogent Communications ones that appear to be rented out to a small web hosting firm called HostTheName.com. For information only, that host has other IPs in the same range.
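
The malicious emails on this page share one delivery pattern: a .zip attachment wrapping a single .exe (Skype-message.zip, Tax payment.zip, business-info.zip). The check below is an added example, not code from the original post, showing how a mail filter could flag that pattern; the extension list, function names and sample message are assumptions constructed for illustration.

```python
import io
import os
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumed, non-exhaustive list of extensions Windows runs on double-click.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}


def executable_members(zip_bytes):
    """Return archive member names that end in an executable extension."""
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return []  # unreadable archive: nothing to report from this check
    return [n for n in names
            if os.path.splitext(n)[1].lower() in EXECUTABLE_EXTS]


def scan_message(raw):
    """Map each .zip attachment name to the executables found inside it."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if name.lower().endswith(".zip"):
            hits = executable_members(part.get_payload(decode=True))
            if hits:
                findings[name] = hits
    return findings


def build_sample(zip_name, member_name):
    """Constructed message: a zip attachment holding one harmless text blob."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, b"constructed placeholder, not malware")
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["Subject"] = "constructed sample"
    msg.set_content("See attachment.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename=zip_name)
    return msg.as_bytes()


if __name__ == "__main__":
    print(scan_message(build_sample("Tax payment.zip", "Tax payment.exe")))
```

The check reads only the archive's file listing, so it never unpacks or runs the attachment.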

Wednesday 22 January 2014

Password hand-wringing misses the point

Recently doing the rounds of news outlets is a list compiled by SplashData of weak passwords found in data breaches in 2013. There's nothing wrong with this list, but as ever, the media completely miss the point.

SplashData's list is as follows:


Rank  Password     Change from 2012
1     123456       Up 1
2     password     Down 1
3     12345678     Unchanged
4     qwerty       Up 1
5     abc123       Down 1
6     123456789    New
7     111111       Up 2
8     1234567      Up 5
9     iloveyou     Up 2
10    adobe123     New
11    123123       Up 5
12    admin        New
13    1234567890   New
14    letmein      Down 7
15    photoshop    New
16    1234         New
17    monkey       Down 11
18    shadow       Unchanged
19    sunshine     Down 5
20    12345        New
21    password1    Up 4
22    princess     New
23    azerty       New
24    trustno1     Down 12
25    000000       New


The presence of "adobe123" and "photoshop" as passwords shows the influence of the Adobe data breach on the list. Back in 2010 when Gawker was breached, one of the popular passwords was.. you guessed it.. "gawker".

The media has a habit of picking up the wrong point.. they look at a password of "123456" and ask how can anyone be so stupid to use it? But my somewhat NSFW response is what the fuck does it matter?

Almost everything these days requires registration for which you need to supply an email address and password, and often for trivial things. One of the reasons that gawker featured so highly in the Gawker breach was that to the vast majority of users it matters not one jot if someone hacks into their account. The same is true for a lot of Adobe users.. in most cases the accounts are of absolutely no value to an attacker, so it really doesn't matter if you have adobe123 as a password or not.

So, the media (or at least some of it) says that you should choose a secure password such as fJ4C62GY0I8C15D but their advice is misleading because the real problem is password re-use and not the security of the password per se.

Despite the obvious security problems in doing so, many sites store passwords in plain text or in an insufficiently encrypted format. In these cases, it doesn't matter how secure your password is because the attackers will just be able to read it. Even in cases where the password is encrypted, with enough time and/or rainbow tables the password can often be determined, even if it is a complex one.

And if you have re-used that email address and password on other sites.. well, you're buggered basically.
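
The storage problem described above can be seen in a few lines. This is an added example, not code from the original post: it compares an unsalted fast hash, which one precomputed table reverses for every user at once, with a salted slow hash, where each guess has to be recomputed per user. The function names and the PBKDF2 work factor are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

# A few entries from the SplashData list quoted above.
COMMON = ["123456", "password", "12345678", "qwerty", "abc123", "adobe123"]
ITERATIONS = 200_000  # assumed work factor for this demonstration


def unsalted_sha1(password):
    """Weak storage: a fast hash with no salt."""
    return hashlib.sha1(password.encode()).hexdigest()


# Computed once, then reusable against every database stored this way.
LOOKUP = {unsalted_sha1(p): p for p in COMMON}


def crack_unsalted(leaked_hash):
    """Return the password if the hash appears in the precomputed table."""
    return LOOKUP.get(leaked_hash)


def store_slow(password):
    """Stronger storage: random per-user salt plus a deliberately slow KDF."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify_slow(password, salt, digest):
    """Recompute the KDF with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def guess_salted(salt, digest, wordlist):
    """Per-user dictionary check: every guess costs one full KDF run."""
    for tries, word in enumerate(wordlist, 1):
        if verify_slow(word, salt, digest):
            return word, tries
    return None, len(wordlist)


if __name__ == "__main__":
    print(crack_unsalted(unsalted_sha1("adobe123")))   # found in the table
    salt, digest = store_slow("123456")
    print(guess_salted(salt, digest, COMMON))          # weak password still falls
```

A salt and a slow hash remove the shortcut of a shared table, but a password from the list above is still found on the first few guesses, and none of it helps if the same password was also used on a site that kept it in plain text.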

In an ideal world, you would have a nicely secure password for each site and you would remember it in your head. But of course, that's practically impossible, so one option is to use a password manager (SplashData themselves make these) to remember them all for you. There are several different password managers available, but of course there is always the possibility that one of these tools might get hacked itself which could be catastrophic for users.

If you don't want to use a password manager, then you'll have to do it the old-fashioned way, and either remember your passwords or store them in some other manner. You should always have a secure and unique password for your web mail, banking/finance, work and major shopping sites. But for all the cruft that you have to register, there's probably little harm in using a password that is easy to remember. Does it matter if the password I use for ranting at the BBC is abc123? Perhaps it doesn't.

But perhaps one problem is that there are simply too many times that you have to create an account in the first place. Sometimes it is nice to come across a retailer (for example) that will allow you to order stuff without creating a damned account.. something that seems to go against the grain, but it does mean that there's one less password to worry about..