Sunday, 30 March 2014

Naughty, naughty: BizSummits, CFO Summit, CIO Summit, CMO Summit rip off photos from other sites.

[Note, BizSummits replaced all of the unlicensed photographs shortly after I pointed them out on this blog]

I've been tracking the spammy activity of BizSummits on and off for a while, most recently with a very annoying spam run that has been plaguing website operators with fake notifications.

I'd never really looked that deeply into the BizSummits operation, though; even though it promotes itself through spam, I had assumed that there was a real business at the end of it.

But when I started to look into their websites, it quickly became apparent that a great deal of the material was faked.

Most of the sites use the same material, so let's start with forwd.net/cfosummit/about.html which is an "About Us" page.

It features a photo of a group of people.. you'd assume that it was one of the "Summits" that BizSummits promotes. After all, if you have all these people meeting up all the time then surely it would be easy to snap a photo.

Let's look more closely.

It turns out that the picture is stolen from the blog of the US Ambassador to Iceland and it shows a group of Icelandic executives meeting with an organisation called the Young Presidents' Organization which is completely unrelated to BizSummits.

So let's look at the "Why Join" page at forwd.net/cfosummit/whyjoin.html which features a bunch of happy-looking individuals.

Let's look more closely..

This image is stolen from a company called Deceuninck nv. And it isn't just a generic stock photo, their website lists everyone in the photograph and identifies them as being employees.


Let's look at the "Members" page next at forwd.net/cfosummit/members.html

It shows a photograph of someone who is presumably speaking at one of these Summit events.

Errr... no. This is Professor Michael Porter speaking at the World Economic Forum. Professor Porter would be a highly influential and important person to have on board. But his name doesn't appear on the list of "Members & Speakers".

Let's look at the "Topics" page at forwd.net/cfosummit/topics.html


Who's in the photo?


That's a publicity photo of Niels Stolberg. Stolberg's company collapsed and is the focus of fraud investigations. Given the controversy surrounding Mr Stolberg, would it be appropriate to have a picture of him on your site? Odder still, Mr Stolberg seems to have no connection at all to BizSummits.

Now we turn our attention to the "What's New" page. Who are the people having a discussion? People at a BizSummits seminar?


Let's look more closely.

This image can be found on the page of the NG Utilities Summit in Australia (open the lightbox). If you look carefully, you can see the NG Utilities logo on the woman's badge on the right. Despite having "Summit" in the name, this is nothing at all to do with BizSummits. If BizSummits really held any meetings then a photo like this would be trivial to take.

The next page is "Questions" at forwd.net/cfosummit/questions.html. Well.. we have a few already.


Who's in the picture?

These are a couple of executives from WebTrends. As far as I can tell they have nothing to do with BizSummits, and the photo has just been stolen.

Incidentally this page contains what I consider to be a flat lie:

Why was I Invited to Join?

Either a member nominated you, or we specifically wanted your company involved and researched the best executive.

The evidence I have provided about this firm shows that they simply scraped your name from your company website and guessed your email address. Is that research? I don't think so.

The next picture to deconstruct is on the "My Login" page at forwd.net/cfosummit/login.html


You probably already guessed that the guy in the photo has nothing to do with BizSummits.

That's because this is Dr. Thomas R. Insel who again has nothing to do with BizSummits.

Finally, we come back to the home page.


Who is in the photo?


These are apparently the senior management of BHP taken in an AAP photo. What do they have to do with BizSummits? It seems nothing at all.

In fact, the only original piece of imagery I can find is this promotional video:


The video is meant to be an endorsement. But who is this woman? Who does she represent? What exactly is she endorsing? The video is professional looking but deliberately vague.

Incidentally, if you want to see what Michael Price, the CEO of BizSummits looks like, here he is:


This copied material doesn't just exist on a few websites, it exists on a LOT of cookie-cutter sites, all presumably marketed through the same spammy approach.

  • CFO Summit (www.cfosummit.org)
  • CIO Summit (www.ciosummit.org)
  • CMO Summit (www.cmosummit.net)
  • COO/Operations Summit (www.theoperationssummit.net)
  • Corporate Counsel Summit (www.thecorporatecounselsummit.org)
  • Corporate Development Summit (www.corpdevsummit.org)
  • Customer Service Summit (www.customerservicesummit.org)
  • Engineering Summit (www.theengineeringsummit.net)
  • Executive Summits (www.executivesummits.org)
  • Hospital Growth & Excellence Summit (www.hospitalgrowthsummit.org)
  • HR Summit (www.hrsummit.org)
  • Product Development Summit (www.productdevsummit.org)
  • Project Management Summit (www.projectmanagementsummit.org)
  • Public Relations Summit (www.thepublicrelationssummit.org)
  • Procurement Summit (www.procurementsummit.org)
  • Quality Management Summit (www.qualitymanagementsummit.org)
  • Risk Management Summit (www.riskmanagementsummit.org)
  • Safety Management Summit (www.safetymanagementsummit.org)
  • Sales Summit (www.salessummit.org)
  • Supply Chain Summit (www.supplychainsummit.org)
  • Training Summit (www.trainingsummit.org)
Ask yourself this question.. why is it that a company such as BizSummits, that is supposed to organise all of these meetings, cannot get around to taking any photographs of those meetings themselves? Surely it wouldn't be difficult to do? And yet almost every image is copied from somewhere else. What kind of company does that? Is it one that you feel comfortable doing business with?

Friday, 28 March 2014

BizSummits "Early closing due to poor weather" / "Early closing due to bad conditions" spam

Here are a pair of odd spam email messages:

Message 1
From:     Tim Williams Tim@myteamex.com
To:     Tony Blair [tony@victimdomain]
Date:     28 March 2014 14:09
Subject:     Early closing due to bad conditions.

Early closing due to bad conditions.


This will be the only notification to tony@victimdomain and just disregard if sent to the incorrect individual. Thank you.
Message 2
From:     Michael Miller Michael@leadbyinnovation.com
To:     Victor Echo [vecho@victimdomain]
Date:     28 March 2014 11:12
Subject:     Early closing due to poor weather.

Early closing due to poor weather.


This will be the only notification to vecho@victimdomain and just disregard if sent to the incorrect person. Thank you.
The email contains no link and no attachment. So what is it?

A close look at the "To" field is interesting. Tony Blair? Well, he's an ex-Prime Minister of Britain, and he just happens to be mentioned on my website here. And Victor Echo? Well, that's not a person at all but is mentioned on this page about the NATO Phonetic Alphabet.

So, in each case a name has been harvested from my web site and an email address guessed (tony@ and vecho@) in order to send the spam.

I've seen this process of scraping my web site and guessing email addresses before by a business called CIO Summits which is part of a spammy business called BizSummits run by a gentleman called Michael Price. But perhaps this is a coincidence?

So let's look at the mail headers of the two messages:

Message 1

Received: from [64.21.19.104] (port=59519 helo=mail.myteamex.com)
    by [redacted] with esmtp (Exim 4.80)
    (envelope-from <Tim@myteamex.com>)
    id 1WTXTM-00062J-14
    for tony@[redacted]; Fri, 28 Mar 2014 14:09:32 +0000
Received: from 76809236.myteamex.com
        by mail.myteamex.com (Merak 8.9.1) with ASMTP id ORL87326
        for <tony@[redacted]>; Fri, 28 Mar 2014 07:09:26 -0700
Message-ID: <20140328070921.6e9e4d6b5e@5d7e>
From: "Tim Williams" <Tim@myteamex.com>
To: "Tony Blair" <tony@[redacted]>
Subject: Early closing due to bad conditions.
Date: Fri, 28 Mar 2014 07:09:21 -0700
X-Priority: 3
X-Mailer: Host
MIME-Version: 1.0
Content-Type: text/plain;
    charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Received-SPF: pass ([redacted]: domain of Tim@myteamex.com designates 64.21.19.104 as permitted sender) client-ip=64.21.19.104 envelope-from=Tim@myteamex.com helo=mail.myteamex.com

Message 2

Received: from [64.21.70.64] (port=1970 helo=mail.leadbyinnovation.com)
    by [redacted] with esmtp (Exim 4.80)
    (envelope-from <Michael@leadbyinnovation.com>)
    id 1WTUi8-0007x8-KZ
    for vecho@[redacted]; Fri, 28 Mar 2014 11:12:38 +0000
Received: from 37649152.leadbyinnovation.com
        by mail.leadbyinnovation.com (Merak 8.9.1) with ASMTP id OOO71531
        for <vecho@[redacted]>; Fri, 28 Mar 2014 04:12:31 -0700
Message-ID: <20140328041226.3f8f7d6c7b@9e8c>
From: "Michael Miller" <Michael@leadbyinnovation.com>
To: "Victor Echo" <vecho@[redacted]>
Subject: Early closing due to poor weather.
Date: Fri, 28 Mar 2014 04:12:26 -0700
X-Priority: 3
X-Mailer: SMTP Forwarder v.9
MIME-Version: 1.0
Content-Type: text/plain;
    charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Received-SPF: pass ([redacted]: domain of Michael@leadbyinnovation.com designates 64.21.70.64 as permitted sender) client-ip=64.21.70.64 envelope-from=Michael@leadbyinnovation.com helo=mail.leadbyinnovation.com
What these headers tell us is that the emails originated from 64.21.70.64 and 64.21.19.104 (Net Access Corporation, US), and the Received-SPF: pass lines show that those IPs are listed as permitted senders in the SPF records published for leadbyinnovation.com and myteamex.com. In other words the sender addresses are not spoofed, and whoever controls those domains is responsible for the mail.
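The checks in that paragraph can be mechanised. As an added example (not from the original post), the Python below unfolds the raw headers, pulls the sending IP, HELO name and envelope sender out of the topmost Received line (the one written by our own Exim, which is the only hop we can trust), reads the Received-SPF result, and confirms that the From: domain, envelope sender and HELO all line up. The sample headers are the ones quoted in this post (Message 1, and the opendetailz.com message from the 30 March update), trimmed to the lines the triage needs; the MTA banner from the spammer's own Received line is extracted because it recurs across every message in this run.

```python
import re

# Headers quoted in this post (Message 1 and the opendetailz.com message),
# trimmed to the lines the triage needs.
MSG_MYTEAMEX = """Received: from [64.21.19.104] (port=59519 helo=mail.myteamex.com)
    by [redacted] with esmtp (Exim 4.80)
    (envelope-from <Tim@myteamex.com>)
    id 1WTXTM-00062J-14
    for tony@[redacted]; Fri, 28 Mar 2014 14:09:32 +0000
Received: from 76809236.myteamex.com
        by mail.myteamex.com (Merak 8.9.1) with ASMTP id ORL87326
        for <tony@[redacted]>; Fri, 28 Mar 2014 07:09:26 -0700
From: "Tim Williams" <Tim@myteamex.com>
X-Mailer: Host
Received-SPF: pass ([redacted]: domain of Tim@myteamex.com designates 64.21.19.104 as permitted sender) client-ip=64.21.19.104 envelope-from=Tim@myteamex.com helo=mail.myteamex.com
"""

MSG_OPENDETAILZ = """Received: from [208.52.168.58] (port=58797 helo=mail.opendetailz.com)
    by [redacted] with esmtp (Exim 4.80)
    (envelope-from <Brad@opendetailz.com>)
    id 1WU0hT-0004Z3-MB
    for juliet@[redacted]; Sat, 29 Mar 2014 21:22:03 +0000
Received: from 20646396.opendetailz.com
        by mail.opendetailz.com (Merak 8.9.1) with ASMTP id PYZ68711
        for <juliet@[redacted]>; Sat, 29 Mar 2014 14:22:11 -0700
From: "Brad Johnson" <Brad@opendetailz.com>
X-Mailer: MailServer 5.2
Received-SPF: none ([redacted]: domain of Brad@opendetailz.com does not designate permitted sender hosts) client-ip=208.52.168.58 envelope-from=Brad@opendetailz.com helo=mail.opendetailz.com
"""


def unfold_headers(raw):
    """Join RFC 5322 continuation lines and return [(name, value), ...] in order."""
    lines = []
    for line in raw.splitlines():
        if not line.strip():
            continue
        if line[0] in " \t" and lines:          # folded continuation line
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    pairs = []
    for line in lines:
        name, _, value = line.partition(":")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


def domain_of(addr):
    """Domain part of 'Name <user@host>' or 'user@host', lower-cased."""
    m = re.search(r"<([^>]+)>", addr)
    return (m.group(1) if m else addr).rsplit("@", 1)[-1].lower()


def triage(raw):
    headers = unfold_headers(raw)
    received = [v for n, v in headers if n == "received"]
    single = dict(headers)   # Received is multi-valued; it is handled via the list above

    # Topmost Received was written by our own MTA, so IP, HELO and envelope-from are trustworthy.
    top = re.search(r"from \[([\d.]+)\] \(port=\d+ helo=([^)\s]+)\).*?envelope-from <([^>]+)>",
                    received[0])
    client_ip, helo, envelope_from = top.groups()
    env_domain = domain_of(envelope_from)

    # Received-SPF: the result keyword, then the key=value fields appended by the checker.
    spf = re.match(r"(\w+).*?client-ip=(\S+).*?envelope-from=(\S+).*?helo=(\S+)",
                   single.get("received-spf", ""))
    spf_result, spf_ip = (spf.group(1), spf.group(2)) if spf else ("missing", "")

    # The sender's own relay hop; its MTA banner is a fingerprint shared across the run.
    relay = re.search(r"\bby \S+ \(([^)]+)\) with (\S+)", received[1]) if len(received) > 1 else None

    checks = {
        "spf_pass": spf_result == "pass",
        "spf_ip_matches_received": spf_ip == client_ip,
        "helo_in_envelope_domain": helo.lower() == env_domain or helo.lower().endswith("." + env_domain),
        "from_aligned_with_envelope": domain_of(single.get("from", "")) == env_domain,
    }
    return {
        "client_ip": client_ip,
        "helo": helo,
        "envelope_domain": env_domain,
        "spf": spf_result,
        "relay_mta": relay.group(1) if relay else "",
        "x_mailer": single.get("x-mailer", ""),
        "checks": checks,
        # Only a full pass lets us hold the domain owner accountable from the headers alone.
        "attributable": all(checks.values()),
    }


if __name__ == "__main__":
    for raw in (MSG_MYTEAMEX, MSG_OPENDETAILZ):
        r = triage(raw)
        print(f"{r['envelope_domain']:<20} ip={r['client_ip']:<15} spf={r['spf']:<5} "
              f"mta={r['relay_mta']!r} mailer={r['x_mailer']!r} attributable={r['attributable']}")
```

Run against the two samples, the myteamex.com message comes out fully attributable (SPF pass, IP, HELO and From all consistent) while the opendetailz.com message does not, purely because the domain publishes no SPF record; everything else about it, including the Merak 8.9.1 relay banner, is identical to the rest of the run.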


The WHOIS contain the following details:

leadbyinnovation.com
Registrant Name: DNS Administrator
Registrant Organization: LeadByInnovation
Registrant Street: 1200-Abernathy  Rd
Registrant City: Atlanta
Registrant State/Province: Georgia
Registrant Postal Code: 30328
Registrant Country: United States
Registrant Phone: +1.7705552343
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: dnsadmin@leadbyinnovation.com
Registry Admin ID: 
myteamex.com
Registrant Name: DNS Admin
Registrant Organization: MyTeamEx
Registrant Street: 17th Floor
Registrant Street: 1200  Abernathy
Registrant City: Atlanta
Registrant State/Province: Georgia
Registrant Postal Code: 30328
Registrant Country: United States
Registrant Phone: +1.4044983847
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: dnsadmin@myteamex.com

Perhaps it is just a coincidence that the WHOIS details for bizsummits.org are very similar:

Registrant ID:CR38175629
Registrant Name:DNS Administrator
Registrant Organization:BizSummits
Registrant Street: 1200 Abernathy Rd, 17th Floor
Registrant City:Atlanta
Registrant State/Province:Georgia
Registrant Postal Code:30328
Registrant Country:US
Registrant Phone:+1.8006003389
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email:dnsadmin@bizsummits.org

1200 Abernathy Rd is a big office building in Atlanta, and the office address could well be a virtual office in any case. But isn't it a coincidence that all three companies are based in the same building?

Well.. no, it's not a coincidence because if you look at the historical WHOIS details for myteamex.com for just last month we see they are:

Registrant Name: Michael Price
Registrant Organization:
Registrant Street: 801 Kellerman Kreek
Registrant City: Marietta
Registrant State/Province: Georgia
Registrant Postal Code: 30068
Registrant Country: United States
Registrant Phone: +1.7709989999
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: MPrice@mobilesoft.com

Michael Price? Yes, that's the same Michael Price who runs BizSummits. So, it's not a coincidence at all, is it?

This particular spam run has also been discussed on the SpamCop forum, which identifies the following four domains in connection with it:
trainingleadership.org
zipscheduler.net
gotofacts.net
openames.com

Each one of these tells a different story.  trainingleadership.org has the same semi-anonymous registration details as the others, but just a few days ago (20th March 2014) the registrant was "Biz Summits".  gotofacts.net has also had the registrant details changed.. on 18th March that was registered to "Michael Price".

Finally,  openames.com is a bit odder. It too has had the registrant details change (it was "Michael Price" on 18th January 2014), but it is hosted on an IP address belonging to a children's hospital in Illinois (199.125.18.11: Illinois - Chicago - Children's Memorial Medical Center)

So what are these messages? I believe that BizSummits (or whatever Mr Price's current operation is called, perhaps mobilesoft.com / mobilebriefs.com) is probing mail servers to discover what format a company's email addresses take, so that further spam can be sent to addresses that actually exist. Most mail systems reject messages to non-existent recipients (with a 5xx response during the SMTP session, or a bounce afterwards), so a guess that is accepted confirms the address format: basically this is an address enumeration exercise. Is this illegal? It's hard to say. But in my opinion it is certainly unethical.
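Seen from the receiving server, a probe like this leaves a recognisable trace: one source domain, rotating first-name senders, and a burst of RCPT TO attempts for local parts that are all plausible renderings of a personal name. The Python below is an added example, not from the original post. candidate_local_parts generates the address formats a scraper would try for a harvested name (the first two, bare first name and first initial plus surname, are the patterns seen in this run as tony@/tblair@, victor@/vecho@ and oscar@/oyankee@; the others are common corporate formats included as an assumption), and detect_enumeration scans Exim-style reject lines for a source that tries several distinct unknown recipients. The log lines are constructed for the example in the shape of Exim's "rejected RCPT ... Unrouteable address" entries, reusing the hosts and domains from the headers above; they are not taken from a real log.

```python
import re
from collections import defaultdict

# Constructed Exim mainlog lines in the shape of a recipient-verify rejection.
# Hosts and sender domains match the spam run above; the rejected local parts
# are hypothetical misses (the hits would not appear in a reject log).
SAMPLE_LOG = """\
2014-03-28 14:09:30 H=mail.myteamex.com [64.21.19.104] F=<Tim@myteamex.com> rejected RCPT <tblair@victimdomain>: Unrouteable address
2014-03-28 14:09:35 H=mail.myteamex.com [64.21.19.104] F=<Tim@myteamex.com> rejected RCPT <echo@victimdomain>: Unrouteable address
2014-03-28 14:09:41 H=mail.myteamex.com [64.21.19.104] F=<Tom@myteamex.com> rejected RCPT <yankee@victimdomain>: Unrouteable address
2014-03-28 11:12:30 H=mail.leadbyinnovation.com [64.21.70.64] F=<Michael@leadbyinnovation.com> rejected RCPT <victor.echo@victimdomain>: Unrouteable address
2014-03-28 15:02:10 H=mx.example.org [198.51.100.7] F=<alice@example.org> rejected RCPT <bob.smth@victimdomain>: Unrouteable address
"""

REJECT_RE = re.compile(
    r"^(?P<ts>\S+ \S+) H=(?P<host>\S+)(?: \([^)]*\))? \[(?P<ip>[\d.]+)\] "
    r"F=<(?P<sender>[^>]*)> rejected RCPT <(?P<rcpt>[^>]+)>: (?P<reason>.*)$"
)

PATTERNS = ("first", "initial+last", "first.last", "firstlast", "last", "initial.last")


def candidate_local_parts(display_name):
    """Local parts a scraper would guess for a harvested name, keyed by pattern.
    'first' and 'initial+last' are the formats observed in this spam run; the
    remaining patterns are common corporate conventions added as an assumption."""
    parts = display_name.lower().split()
    if len(parts) < 2:
        return {"first": parts[0]} if parts else {}
    first, last = parts[0], parts[-1]
    return dict(zip(PATTERNS, (first, first[0] + last, f"{first}.{last}",
                               first + last, last, f"{first[0]}.{last}")))


def which_pattern(local_part, display_name):
    """Name the guessing pattern that produced local_part, or None if none fits."""
    for label, guess in candidate_local_parts(display_name).items():
        if guess == local_part.lower():
            return label
    return None


def parse_rejects(log_text):
    """Yield parsed recipient-verify rejections from Exim-style log text."""
    for line in log_text.splitlines():
        m = REJECT_RE.match(line)
        if m and m.group("reason").startswith("Unrouteable address"):
            yield m.groupdict()


def detect_enumeration(log_text, min_distinct=2):
    """Group rejections by envelope-sender domain and flag sources that probe
    at least min_distinct different unknown local parts."""
    by_domain = defaultdict(lambda: {"ips": set(), "senders": set(), "local_parts": set()})
    for rej in parse_rejects(log_text):
        dom = rej["sender"].rsplit("@", 1)[-1].lower()
        entry = by_domain[dom]
        entry["ips"].add(rej["ip"])
        entry["senders"].add(rej["sender"])
        entry["local_parts"].add(rej["rcpt"].split("@", 1)[0].lower())
    return {
        dom: {"ips": sorted(e["ips"]),
              "distinct_senders": len(e["senders"]),
              "local_parts": sorted(e["local_parts"])}
        for dom, e in by_domain.items()
        if len(e["local_parts"]) >= min_distinct
    }


if __name__ == "__main__":
    print(candidate_local_parts("Victor Echo"))
    print(which_pattern("vecho", "Victor Echo"), which_pattern("tony", "Tony Blair"))
    for dom, info in detect_enumeration(SAMPLE_LOG).items():
        print(f"{dom}: {len(info['local_parts'])} unknown recipients from {info['ips']}, "
              f"{info['distinct_senders']} rotating senders -> {info['local_parts']}")
```

The threshold is deliberately low because a legitimate correspondent mistypes one address, not three; in practice you would also key on the sending netblock, since this run rotated domains (myteamex.com, leadbyinnovation.com, texasbusinesschamber.org) far more often than it rotated IP space.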

Incidentally BizSummits has a rotten reputation at the BBB, and in my personal opinion they offer business summits of very little worth and prey upon the vanity of the people who receive the email (which is basically just spam). A quick Google for bizsummits spam comes up with a large number of complaints, and I must recommend this particular blog entry if you want an overview of how BizSummits allegedly pitch their business.

The BBB lists the following domains as being part of BizSummits. I would recommend avoiding them:
cfosummit.org
ciosummit.org
thecmosummit.net
trainingsummit.org
csosummit.org
corpdevsummit.org
hrsummit.org
theoperationssummit.net
productdevsummit.org
thepublicrelationssummit.org
qualitymanagementsummit.org
risingexecutivesummit.org
riskmanagementsummit.org
thecorpdevsummit.org
associationgrowthsummit.net

UPDATE: more information about BizSummits and some of its websites can be found here.

Update (2300 GMT 2014-03-28): another "Tony Blair" one..

From:     Stan Moore Stan@texasbusinesschamber.org
To:     Tony Blair tblair@[redacted]
Date:     28 March 2014 22:52
Subject:     Closed early due to poor weather.

Closed early due to poor weather.


This will be the only notification to tblair@[redacted] and just disregard if sent in error. Thank you.
The mail headers confirm that texasbusinesschamber.org was the sender, this time from 64.21.70.72 (Net Access Corporation again):

Received: from [64.21.70.72] (port=3018 helo=mail.texasbusinesschamber.org)
    by [redacted]with esmtp (Exim 4.80)
    (envelope-from <Stan@texasbusinesschamber.org>)
    id 1WTfdq-0002i5-AG
    for tblair@[redacted]; Fri, 28 Mar 2014 22:52:50 +0000
Received: from 37402341.texasbusinesschamber.org
        by mail.texasbusinesschamber.org (Merak 8.9.1) with ASMTP id OZC63549
        for <tblair@[redacted]>; Fri, 28 Mar 2014 15:52:49 -0700
Message-ID: <20140328155244.5b6c3d3e2c@2e5c>
From: "Stan Moore" <Stan@texasbusinesschamber.org>
To: "Tony Blair" <tblair@[redacted]>
Subject: Closed early due to poor weather.
Date: Fri, 28 Mar 2014 15:52:44 -0700
X-Priority: 3
X-Mailer: System-Forwarder
MIME-Version: 1.0
Content-Type: text/plain;
    charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Received-SPF: pass ([redacted]: domain of Stan@texasbusinesschamber.org designates 64.21.70.72 as permitted sender) client-ip=64.21.70.72 envelope-from=Stan@texasbusinesschamber.org helo=mail.texasbusinesschamber.org
texasbusinesschamber.org WHOIS today:

Registrant ID:CR156687418
Registrant Name:DNS Admin
Registrant Organization:Texas Business Chamber
Registrant Street: Floor 17
Registrant City:Atlanta
Registrant State/Province:Georgia
Registrant Postal Code:30327
Registrant Country:US
Registrant Phone:+1.7705863645
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email:dnsadmin@texasbusinesschamber.org
texasbusinesschamber.org WHOIS on 22nd February (just over one month ago)

Registrant ID:CR156687418
Registrant Name:Michael Price
Registrant Organization:
Registrant Street: 801 Kellerman Kreek
Registrant City:Marietta
Registrant State/Province:Georgia
Registrant Postal Code:30068
Registrant Country:US
Registrant Phone:+1.7709989999
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email:MPrice@mobilesoft.com

Update (0700 GMT 2014-03-29):  A slightly different one..

From:     Jim Moore Jim@ituckins.com
To:     Victor Echo
Date:     29 March 2014 03:17
Subject:     Closed early due to expected snow.

Closed early due to expected snow.

This will be the only notification to victor@[redacted] and just ignore if sent to the wrong person. Thank you.
This time the spammers are probing "Victor Echo" using the victor@ address. Mail headers are:

Received: from [209.200.118.35] (port=2643 helo=mail.ituckins.com)
    by [redacted] with esmtp (Exim 4.80)
    (envelope-from <Jim@ituckins.com>)
    id 1WTjm8-0001jI-Ia
    for victor@[redacted]; Sat, 29 Mar 2014 03:17:45 +0000
Received: from 34460524.ituckins.com
        by mail.ituckins.com (Merak 8.9.1) with ASMTP id PGU70938
        for <victor@[redacted]>; Fri, 28 Mar 2014 20:17:38 -0700
Message-ID: <20140328201734.5b7d6b2f9d@2e2e>
From: "Jim Moore" <Jim@ituckins.com>
To: "Victor Echo" <victor@[redacted]>
Subject: Closed early due to expected snow.
Date: Fri, 28 Mar 2014 20:17:34 -0700
X-Priority: 3
X-Mailer: Package Forwarder 6.3
MIME-Version: 1.0
Content-Type: text/plain;
    charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Received-SPF: pass ([redacted]: domain of Jim@ituckins.com designates 209.200.118.35 as permitted sender) client-ip=209.200.118.35 envelope-from=Jim@ituckins.com helo=mail.ituckins.com
The WHOIS record for this domain has been stripped of useful details, but it follows the same pattern and is undoubtedly Michael Price and BizSummits.

Registry Registrant ID:
Registrant Name: Dns Admin
Registrant Organization: eTuckins
Registrant Street: 1200 Abernathy Rd
Registrant City: Atlanta
Registrant State/Province: Georgia
Registrant Postal Code: 30068
Registrant Country: United States
Registrant Phone: +1.7705763847
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: dnsadmin@etuckins.com
Note that ituckins.com refers to etuckins.com in the WHOIS record, revealing yet another spam site in the chain.

Update (1800 GMT 2014-03-29): two more spams from the same domain..

From:     Stan Davis Stan@opendetails.com
To:     Oscar Yankee <oscar@[redacted]>
Date:     29 March 2014 12:39
Subject:     Early closing due to poor weather.

Early closing due to poor weather.

This will be the only notification to oscar@[redacted] and disregard if sent to the incorrect individual. Thank you.

-----

From:     Steve Williams Steve@opendetails.com
To:     Oscar Yankee <oyankee@[redacted]>
Date:     29 March 2014 11:54
Subject:     Closed early due to inclement weather.

Closed early due to inclement weather.

This will be the only notification to oyankee@[redacted] and please ignore if sent to the incorrect person. Thank you.
This time they are sent to "Oscar Yankee" (using a name scraped from this page) using both observed variants of oyankee@ and oscar@. The mail headers again verify that the message isn't spoofed, and opendetails.com is the actual sender.

Received: from [208.52.161.186] (port=59373 helo=mail.opendetails.com)
    by [redacted] with esmtp (Exim 4.80)
    (envelope-from <Steve@opendetails.com>)
    id 1WTrqb-0001rc-3u
    for oyankee@[redacted]; Sat, 29 Mar 2014 11:54:53 +0000
Received: from 97584292.opendetails.com
        by mail.opendetails.com (Merak 8.9.1) with ASMTP id POG42002
        for <oyankee@[redacted]>; Sat, 29 Mar 2014 04:55:02 -0700
Message-ID: <20140329045456.3f2b7e1b4b@5c5f>
From: "Steve Williams" <Steve@opendetails.com>
To: "Oscar Yankee" <oyankee@[redacted]>
Subject: Closed early due to inclement weather.
Date: Sat, 29 Mar 2014 04:54:56 -0700
X-Priority: 3
X-Mailer: Perpetual Host v.1
MIME-Version: 1.0
Content-Type: text/plain;
    charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Received-SPF: pass ([redacted]: domain of Steve@opendetails.com designates 208.52.161.186 as permitted sender) client-ip=208.52.161.186 envelope-from=Steve@opendetails.com helo=mail.opendetails.com
The WHOIS details have been altered in an attempt to hide the sender, but it still shows Michael Price's email address. Oops.

Registrant Name: DNS Admin
Registrant Organization: OpenDetails.com
Registrant Street: Floor  17
Registrant Street: 12O0 Abernathy
Registrant City: Atlanta
Registrant State/Province: Georgia
Registrant Postal Code: 30329
Registrant Country: United States
Registrant Phone: +1.7705643366
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: mprice@mobilesoft.com
If we go back to the registration details in January 2014 then Michael Price's name and address are on them.

Registry Registrant ID:
Registrant Name: Michael Price
Registrant Organization:
Registrant Street: 801 Kellerman Kreek
Registrant City: Marietta
Registrant State/Province: Georgia
Registrant Postal Code: 30068
Registrant Country: United States
Registrant Phone: +1.7709989999
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: MPrice@mobilesoft.com
So again, there is very little doubt as to who is sending this rather large spam run.

Update (0200 GMT 2014-03-30): the spam shows no signs of letting up. Subjects include the following:

Closing early due to bad weather.
Closed tomorrow due to inclement weather.
Closed tomorrow due to poor weather.
Closing early due to bad conditions.


Names scraped from my website include "Juliet Tango", "Michael Moore" and "Mark Tape". This spam run has two new domains, texasbusinesschamber.com and opendetailz.com, the first of which has a valid SPF record; the second has none at all.

Received: from [207.36.209.108] (port=4719 helo=mail.texasbusinesschamber.com)
    by [redacted] with esmtp (Exim 4.80)
    (envelope-from <Tony@texasbusinesschamber.com>)
    id 1WU2JB-0005bA-EE
    for michael@[redacted]; Sat, 29 Mar 2014 23:05:02 +0000
Received: from 47912934.texasbusinesschamber.com
        by mail.texasbusinesschamber.com (Merak 8.9.1) with ASMTP id PAI19600
        for <michael@[redacted]>; Sat, 29 Mar 2014 16:05:00 -0700
Message-ID: <20140329160458.6b8c5e8f4d@7e5d>
From: "Tony Moore" <Tony@texasbusinesschamber.com>
To: "Michael Moore" <michael@[redacted]>
Subject: Closing early due to bad weather.
Date: Sat, 29 Mar 2014 16:04:58 -0700
X-Priority: 3
X-Mailer: EmailRemitter v.8
MIME-Version: 1.0
Content-Type: text/plain;
    charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Received-SPF: pass ([redacted]: domain of Tony@texasbusinesschamber.com designates 207.36.209.108 as permitted sender) client-ip=207.36.209.108 envelope-from=Tony@texasbusinesschamber.com helo=mail.texasbusinesschamber.com

Received: from [208.52.168.58] (port=58797 helo=mail.opendetailz.com)
    by [redacted] with esmtp (Exim 4.80)
    (envelope-from <Brad@opendetailz.com>)
    id 1WU0hT-0004Z3-MB
    for juliet@[redacted]; Sat, 29 Mar 2014 21:22:03 +0000
Received: from 20646396.opendetailz.com
        by mail.opendetailz.com (Merak 8.9.1) with ASMTP id PYZ68711
        for <juliet@[redacted]>; Sat, 29 Mar 2014 14:22:11 -0700
Message-ID: <20140329142206.1f6f5b7b2e@2d3f>
From: "Brad Johnson" <Brad@opendetailz.com>
To: "Juliet Tango" <juliet@[redacted]>
Subject: Closing early due to bad conditions.
Date: Sat, 29 Mar 2014 14:22:06 -0700
X-Priority: 3
X-Mailer: MailServer 5.2
MIME-Version: 1.0
Content-Type: text/plain;
    charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Received-SPF: none ([redacted]: domain of Brad@opendetailz.com does not designate permitted sender hosts) client-ip=208.52.168.58 envelope-from=Brad@opendetailz.com helo=mail.opendetailz.com
The WHOIS records for texasbusinesschamber.com have been stripped of any identifying details:

Registry Registrant ID:
Registrant Name: DNS Admin
Registrant Organization: Texas Business Chamber
Registrant Street: Suite 1700
Registrant Street: 1200 -Abernathy
Registrant City: Atlanta
Registrant State/Province: Georgia
Registrant Postal Code: 30328
Registrant Country: United States
Registrant Phone: +1.7709989999
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: dnsadmin@texasbusinesschamber.com

But back in February, it was registered to Michael Price:

Registry Registrant ID:
Registrant Name: Michael Price
Registrant Organization:
Registrant Street: 801 Kellerman Kreek
Registrant City: Marietta
Registrant State/Province: Georgia
Registrant Postal Code: 30068
Registrant Country: United States
Registrant Phone: (770) 998-9999
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: MPrice@mobilesoft.com
Registry Admin ID: 
opendetailz.com publishes no SPF record (Received-SPF: none), so the headers cannot vouch for the sender the way they do for the other domains, but it is sufficiently close to the verified domain opendetails.com seen previously that it is almost certainly genuine. The WHOIS details are:

Registry Registrant ID:
Registrant Name: DNS Admin
Registrant Organization: OpenDetailsz.com
Registrant Street: Floor-17
Registrant Street: 12OO Abernathy
Registrant City: Atlanta
Registrant State/Province: Georgia
Registrant Postal Code: 30327
Registrant Country: United States
Registrant Phone: +1.6783843388
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: dnsadmin@opendetailz.com
On the 18th March 2014 they were:

Registry Registrant ID:
Registrant Name: Michael Price
Registrant Organization:
Registrant Street: 801 Kellerman Kreek
Registrant City: Marietta
Registrant State/Province: Georgia
Registrant Postal Code: 30068
Registrant Country: United States
Registrant Phone: +1.7709989999
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: MPrice@mobilesoft.com
Registry Admin ID: 
Update (2300 GMT 2014-03-30): yet more evidence linking this spam run to BizSummits' Michael Price..
From:     Stan Miller Stan@gotofacts.net
To:     George Bush <george@[redacted]>
Date:     30 March 2014 18:29
Subject:     Will be closed due to bad conditions.

Will be closed due to bad conditions.

This will be the only notification to george@[redacted] and ignore if sent to the wrong email. Thank you.
----------------
From:     John Moore John@gotofacts.net
To:     George Bush <[redacted]>
Date:     30 March 2014 23:11
Subject:     Will be closed due to bad weather.

Will be closed due to bad weather.

This will be the only notification to gbush@[redacted] and disregard if sent to the wrong person. Thank you.

These messages are sent to George Bush (!). Again, the SPF check in the mail headers passes, so the sending IP is one that gotofacts.net's own SPF record authorises; gotofacts.net really did send the message:

Received: from [64.21.19.120] (port=64747 helo=mail.gotofacts.net)
    by [redacted] with esmtp (Exim 4.80)
    (envelope-from <Stan@gotofacts.net>)
    id 1WUJXi-0001yE-Iq
    for george@[redacted]; Sun, 30 Mar 2014 18:29:14 +0100
Received: from 78693058.gotofacts.net
        by mail.gotofacts.net (Merak 8.9.1) with ASMTP id QUH61409
        for <george@[redacted]>; Sun, 30 Mar 2014 10:29:09 -0700
Message-ID: <20140330102904.4d9e7f4e6f@7d6f>
From: "Stan Miller" <Stan@gotofacts.net>
To: "George Bush" <george@[redacted]>
Subject: Will be closed due to bad conditions.
Date: Sun, 30 Mar 2014 10:29:04 -0700
X-Priority: 3
X-Mailer: FlashTransmitter version 8.1
MIME-Version: 1.0
Content-Type: text/plain;
    charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Received-SPF: pass ([redacted]: domain of Stan@gotofacts.net designates 64.21.19.120 as permitted sender) client-ip=64.21.19.120 envelope-from=Stan@gotofacts.net helo=mail.gotofacts.net
The WHOIS records for gotofacts.net have been stripped of useful data:

Registry Registrant ID:
Registrant Name: DNS Admin
Registrant Organization: GoToFacts
Registrant Street: 1200 Abernathy
Registrant City: Atlanta
Registrant State/Province: Georgia
Registrant Postal Code: 30328
Registrant Country: United States
Registrant Phone: +1.7705863984
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: dnsadmin@gotofacts.net
But on March 18th it was registered to:

Registry Registrant ID:
Registrant Name: Michael Price
Registrant Organization:
Registrant Street: 801 Kellerman Kreek
Registrant City: Marietta
Registrant State/Province: Georgia
Registrant Postal Code: 30068
Registrant Country: United States
Registrant Phone: +1.7709989999
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: MPrice@mobilesoft.com
Registry Admin ID: 

Sky.com "Statement of account" spam leads to Gameover Zeus

This fake Sky spam has a malicious attachment:

Date:      Fri, 28 Mar 2014 07:16:43 -0300 [06:16:43 EDT]
From:      "Sky.com" [statement@sky.com]
Subject:      Statement of account

Afternoon,

Please find attached the statement of account.

We look forward to receiving payment for the February invoice as this is now due for
payment.

Regards,
Darrel

This email, including attachments, is private and confidential. If you have received this
email in error please notify the sender and delete it from your system. Emails are not
secure and may contain viruses. No liability can be accepted for viruses that might be
transferred by this email or any attachment. Wilson McKendrick LLP Solicitors, Queens
House, 29 St. Vincent Place, Glasgow G1 2DT Registered in Scotland No. SO303162. Members:
Mark Wilson LLB Dip. NP LP Allan T. McKendrick LLB Dip. LP NP. 
The attachment is a ZIP file which contains an executable Statement_03282014.exe (note that the date is encoded into the filename). This has a VirusTotal detection rate of 8/51.

The Malwr analysis shows several attempted network connections. Firstly there's a download of a configuration file from [donotclick]igsoa.net/Book/2803UKd.wer and then subsequently an attempted connection to aulbbiwslxpvvphxnjij.biz on 50.116.4.71 (a Linode IP which has been seen before) and a number of other autogenerated domains.

Recommended blocklist:
50.116.4.71
aulbbiwslxpvvphxnjij.biz
lpuoztsdsnvyxdyvwpnlzwg.com
pmneyqgaifcmxwwgbagewkpzsin.info
wgsmbxtphamhahbyjnjrydfe.org
eapqolveqsorwfehvkuojnojyluwk.biz
pbpnylskojlaufmmjfiaih.com
knrtdyypwonzljyzhfyyijknzof.ru
womrofxylirlwgcqzxsgjrfqzttm.com
binrpfdeequwrgydmrovzhkjongcnz.net
igsoa.net

Something evil on 192.95.44.0/27 (OVH Canada)

192.95.44.0/27 (spotted by Frank Denis) is another evil OVH Canada netblock which I assume belongs to their black hat customer r5x.org / Penziatki although now OVH seem to be masking the customer details.

I can see the following active subdomains within this range, all of which can be assumed to be malicious:

2gj95630ug7y42qc1-3.advanceservere.ru
2689xn49409xt8t-c3ho.gatheradvertisinge.ru
4022800068-3.acquireconnectionse.ru
6j2o7eo032s53sb0mx-l3.acquireconnectionse.ru
1635860128-6.reachmape.ru
2081021085-6.reachmape.ru
2401174936-7.reachmape.ru
2856584186-7.reachmape.ru
3430887989-6.reachmape.ru
3518242412-6.reachmape.ru
3912597189-7.reachmape.ru
w617131vc75-6.reachmape.ru
370r20to0282ph-y7.reachmape.ru
u1942lf033q46pr-6.reachmape.ru
37l7li34g8c990r3-7.reachmape.ru
qg285868sh2t65s6-6.reachmape.ru
167ef0p379w2y86-r6x.reachmape.ru
2ox085sv7899en16-6s.reachmape.ru
3i20et519228u9qf-j6.reachmape.ru
1400m6j1pf74a9w6-z6f.reachmape.ru
15v84492j0v8km9w-zw6.reachmape.ru
ql2f1c90s9u0h6210u-a7.reachmape.ru
ys1r0oi5cj2jz907340x-ai6.reachmape.ru
y1c8cw2ng90eh8ag8553q-6tg.reachmape.ru
117062511-6.reachprotectione.ru
719921944-6.reachprotectione.ru
3938936024-6.reachprotectione.ru
4019504775-7.reachprotectione.ru
3la26x1462a78-6le.reachprotectione.ru
n237qk5iv7rm34u7r5-7.reachprotectione.ru
2uk6u7g41q8051jd8r-6x.reachprotectione.ru
34d6na3b67vc4gn893c-zi6.reachprotectione.ru
1eu1q1l2k5kd2l73fn2j8f-6.reachprotectione.ru
2nn3x7f57at3fs4o7zj5s-7e.reachprotectione.ru
af4n0aw17pp96b82o2-oz6ag.reachprotectione.ru
rv3459hf4i7pt7x93jj3zy-7.reachprotectione.ru
158209179-6.accruespecialiste.ru
1833575162-6.accruespecialiste.ru
3201225904-6.accruespecialiste.ru
3475495830-6.accruespecialiste.ru
3594898209-6.accruespecialiste.ru
3783691616-6.accruespecialiste.ru
4084210708-6.accruespecialiste.ru
2174bi44g602tq8-6.accruespecialiste.ru
uh95eu436f34n87-6.accruespecialiste.ru
430pr3eq0pe0x422-n6f.accruespecialiste.ru
oc43yq0300l4o2wb2-6fk.accruespecialiste.ru
vd1j61155bu2j43m5er-6.accruespecialiste.ru
ed13202bx94a4k28pz-6mr.accruespecialiste.ru
ii66bd84z63oi5bp18am-6.accruespecialiste.ru
u1n1nf1w64j3jt57ip2-6g.accruespecialiste.ru
t3gs5c6me71ky6031wi0-l6s.accruespecialiste.ru
kt1ft42qg5rm6q5g47q8f1-e6w.accruespecialiste.ru
jj2ca4zb72iy56ue57tz4r5nv-te6.accruespecialiste.ru

I recommend that you apply the following blocklist:
192.95.44.0/27
accruespecialiste.ru
reachprotectione.ru
reachmape.ru
acquireconnectionse.ru
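Turning a long list of throwaway subdomains like the one above into a blocklist is tedious by hand, so here is an added Python example (mine, not code from the original post) that takes passive-DNS style records, keeps only the hostnames resolving inside 192.95.44.0/27, and collapses them to their parent domains. The hostnames are taken from the list above; the IP addresses paired with them are constructed placeholders, not real resolutions.

```python
import ipaddress
from collections import defaultdict

# Constructed passive-DNS style records: (hostname, resolved IP).
# Hostnames are from the post; the IPs are placeholders chosen to fall
# inside or outside 192.95.44.0/27 and are NOT real resolutions.
SAMPLE_RECORDS = [
    ("2gj95630ug7y42qc1-3.advanceservere.ru", "192.95.44.3"),
    ("2689xn49409xt8t-c3ho.gatheradvertisinge.ru", "192.95.44.9"),
    ("4022800068-3.acquireconnectionse.ru", "192.95.44.17"),
    ("1635860128-6.reachmape.ru", "192.95.44.30"),
    ("117062511-6.reachprotectione.ru", "192.95.44.12"),
    ("158209179-6.accruespecialiste.ru", "192.95.44.21"),
    ("www.example.com", "192.95.44.200"),   # same /24 but outside the /27 (constructed)
    ("cdn.example.org", "198.51.100.7"),    # unrelated network (constructed)
]


def registrable_domain(hostname, suffix_labels=1):
    """Collapse a hostname to its registrable (parent) domain.

    Deliberate simplification: keep the last suffix_labels+1 labels. That is
    right for .ru/.biz/.com; for multi-label suffixes such as .co.uk pass
    suffix_labels=2. A real deployment would use the Public Suffix List.
    """
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-(suffix_labels + 1):])


def hosts_in_netblock(records, cidr):
    """Map parent domain -> set of hostnames whose IP lies inside cidr."""
    net = ipaddress.ip_network(cidr)
    hits = defaultdict(set)
    for host, ip in records:
        if ipaddress.ip_address(ip) in net:
            hits[registrable_domain(host)].add(host)
    return hits


def build_blocklist(records, cidr):
    """The netblock itself, followed by every parent domain observed inside it."""
    return [cidr] + sorted(hosts_in_netblock(records, cidr))


if __name__ == "__main__":
    for entry in build_blocklist(SAMPLE_RECORDS, "192.95.44.0/27"):
        print(entry)
```

Because the example collapses every parent domain seen in the range, it also picks up advanceservere.ru and gatheradvertisinge.ru from the hostname list; blocking the /27 itself covers the IPs regardless of which throwaway name the bad guys use next.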

Wednesday, 26 March 2014

Something evil on 173.212.223.249

There's some sort of evil at work here, but I can't quite replicate it.. however I would recommend that you put a block in for 173.212.223.249 (Network Operations Center, US).

The infection chain I have spotted here starts with a typical compromised website, in this case:

[donotclick]onerecipedaily.com/prawn-patia-from-anjum-anands-i-love-curry/

A quick look at the URLquery report shows a general alert, but no smoking gun..

Is there some trickery at work here? Yes, there's a telltale sign in the HTTP Transactions graph:


Right at the end you can see a redirect to google.no..

This is a tell-tale sign that some malware is redirecting the URLquery probe to Google to protect itself. Usually it means that we don't have the right user agent, referrer string or perhaps the IP is blocked by the bad guys.

However, I can look at the log files of the incident and I see that the next step is a jump to another compromised site:

[donotclick]autoselectosperu.com/de11edf0bcf9b7ce8d3a128934acda75.php?q=d6f53936c38ddad58c5a69d1d36c4904

This then jumps to the presumed payload site at:

[donotclick]bkbr.beuqnyrtz.com/gikhqqkdjc

What is the payload... errr.. I don't know. The incident logs come up with a generic detection and my query-fu isn't working today. You'll just have to trust me that it's going to be malicious.

The following malicious subdomains are also active on 173.212.223.249:
bkbr.beuqnyrtz.com
syb.beuqnyrtz.com
sxxmxv.beuqnyrtz.info

The simplest thing to do to protect yourself against this particular threat is to use the following blocklist:
173.212.223.249
beuqnyrtz.com
beuqnyrtz.info
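The "redirect to Google at the end of the chain" tell-tale described above is easy to check for automatically. This is an added Python example of my own, not anything from URLquery or the original post: it parses a constructed transaction log in the spirit of a URLquery HTTP Transactions view (the URLs are the ones from the post; the sequence numbers and status codes are made up) and flags a probe whose redirect chain bounces to a well-known benign site it did not start from, listing the redirecting hosts in between for closer inspection.

```python
import re
from urllib.parse import urlsplit

# Constructed transaction log: "<seq> <status> <url>" per line, one probe session.
# URLs are from the post; sequence numbers and status codes are invented.
SAMPLE_TRANSACTIONS = """\
1 200 http://onerecipedaily.com/prawn-patia-from-anjum-anands-i-love-curry/
2 302 http://autoselectosperu.com/de11edf0bcf9b7ce8d3a128934acda75.php?q=d6f53936c38ddad58c5a69d1d36c4904
3 302 http://bkbr.beuqnyrtz.com/gikhqqkdjc
4 302 http://www.google.no/
5 200 http://www.google.no/
"""

# Well-known sites that evasive redirectors like to bounce analysis probes to.
BENIGN_SINKS = ("google.", "bing.com", "yahoo.com")

LINE_RE = re.compile(r"^(\d+)\s+(\d{3})\s+(\S+)$")


def parse_transactions(text):
    """Return (seq, status, host, url) tuples in probe order, skipping junk lines."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        seq, status, url = int(m.group(1)), int(m.group(2)), m.group(3)
        out.append((seq, status, (urlsplit(url).hostname or "").lower(), url))
    return out


def is_benign_sink(host):
    return any(marker in host for marker in BENIGN_SINKS)


def flag_redirect_to_benign(transactions):
    """Flag a chain that ends at a benign sink it did not start from.

    Returns (flagged, redirecting_hosts). The hosts returned are the 3xx hops
    before the sink: that is where the evasive redirector is likely sitting.
    """
    if len(transactions) < 2:
        return False, []
    first_host, last_host = transactions[0][2], transactions[-1][2]
    if is_benign_sink(first_host) or not is_benign_sink(last_host):
        return False, []
    suspicious = []
    for _, status, host, _ in transactions[:-1]:
        if 300 <= status < 400 and not is_benign_sink(host) and host not in suspicious:
            suspicious.append(host)
    return True, suspicious


if __name__ == "__main__":
    flagged, hosts = flag_redirect_to_benign(parse_transactions(SAMPLE_TRANSACTIONS))
    print("evasive redirect chain:", flagged)
    for h in hosts:
        print("  look at", h)
```

A hit here is an indicator, not proof: a legitimate site can redirect to Google too. But combined with a generic alert on the entry page it is exactly the prompt to go and pull the raw logs, which is what the walkthrough above does.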

Tuesday, 25 March 2014

"You have received new messages from HMRC" spam

This fake HMRC spam comes with a malicious attachment:

Date:      Tue, 25 Mar 2014 12:59:28 +0100 [07:59:28 EDT]
From:      "noreply@hmrc.gov.uk" [noreply@hmrc.gov.uk]
Subject:      You have received new messages from HMRC

Please be advised that one or more Tax Notices (P6, P6B) have been issued.

For the latest information on your Tax Notices (P6, P6B) please open attached report.

Please do not reply to this e-mail.

1.This e-mail and any files or documents transmitted with it are confidential and
intended solely for the use of the intended recipient. Unauthorised use, disclosure or
copying is strictly prohibited and may be unlawful. If you have received this e-mail in
error, please notify the sender at the above address and then delete the e-mail from your
system. 2. If you suspect that this e-mail may have been intercepted or amended, please
notify the sender. 3. Any opinions expressed in this e-mail are those of the individual
sender and not necessarily those of QualitySolicitors Punch Robson. 4. Please note that
this e-mail and any attachments have been created in the knowledge that internet e-mail
is not a 100% secure communications medium. It is your responsibility to ensure that they
are actually virus free. No responsibility is accepted by QualitySolicitors Punch Robson
for any loss or damage arising from the receipt of this e-mail or its contents.
QualitySolicitors Punch Robson: Main office 35 Albert Road Middlesbrough TS1 1NU
Telephone 01642 230700. Offices also at 34 Myton Road, Ingleby Barwick, Stockton On Tees,
TS17 0WG Telephone 01642 754050 and Unit E, Parkway Centre, Coulby Newham, Middlesbrough
TS8 0TJ Telephone 01642 233980 VAT no. 499 1588 77. Authorised and regulated by the
Solicitors Regulation Authority (57864). A full list of Partners names is available from
any of our offices. For further details, please visit our website
http://www.qualitysolicitors.com/punchrobson
The attachment is called HMRC_TAX_Notice_rep.zip which in turn contains a malicious executable HMRC_TAX_Notice_rep.scr which has a VirusTotal detection rate of 5/51.

According to the Malwr report, the malware makes a download from the following locations hosted on 67.205.16.21 (New Dream Network, US):
[donotclick]sandsca.com.au/directions/2503UKp.tis
[donotclick]www.sandsca.com.au/directions/2503UKp.tis

Subsequent communications are made with aulbbiwslxpvvphxnjij.biz on the familiar looking Linode IP of 50.116.4.71, and also qkdapcqinizsczxrwaelaimznfbqq.biz on another Linode IP of 178.79.178.243. An attempt is also made to connect to hzdmjjneyeuxkpzkrunrgyqgcukf.org which does not resolve.

One odd thing in the Anubis report is this dialog box entitled "seconddial" and containing the word "diminutiveness".


I don't know what that is.. it reminds me of Hatefulness/Hatefulness though :)

Recommended blocklist:
50.116.4.71
178.79.178.243
sandsca.com
aulbbiwslxpvvphxnjij.biz
qkdapcqinizsczxrwaelaimznfbqq.biz
hzdmjjneyeuxkpzkrunrgyqgcukf.org

.js injection leads to Fake Flash update hosted on OneDrive

This kind of attack is nothing new, but there has been a sharp uptick recently in injection attacks that alter .js files on vulnerable systems. The payload is a fake Flash update with a surprisingly low detection rate, hosted on Microsoft OneDrive.

The first step in the attack is through a vulnerable site such as this one [urlquery]. In turn, the infected .js file leads to [donotclick]alientechdesigns.com/NLBFH8ZG.php?id=88473423 which in turn leads to a fake Flash popup hosted at [donotclick]alientechdesigns.com/NLBFH8ZG.php?html=27 which you can see an approximation of here [urlquery].

The link in the popup goes to a download location at [donotclick]onedrive.live.com/download.aspx?cid=20e850f993bd56fd&resid=20E850F993BD56FD%21111 which downloads a file flashplayerinstaller.exe.

flashplayerinstaller.exe is the first stage in the infection; it has a VirusTotal detection rate of just 3/51. The Malwr report shows that this then downloads two additional components, from:
[donotclick]onedrive.live.com/download.aspx?cid=20e850f993bd56fd&resid=20E850F993BD56FD%21112
[donotclick]onedrive.live.com/download.aspx?cid=20e850f993bd56fd&resid=20E850F993BD56FD%21108

The first one of these is called flashplayer2.exe which has a VirusTotal detection rate of 4/51. Malwr, Anubis and Comodo CAMAS show some working of this malware.

The second file is called update2.exe with a VirusTotal detection rate of 5/49. This seems somewhat resistant to automated analysis tools [1] [2] [3].

This sort of attack is hard to block from a network point of view as it leverages legitimate sites. Perhaps the best way to protect yourself is a bit of user education about where it is appropriate to download updates from.

Slartiblartfast "I see dead people" watch spam

I get a lot of watch spam, but I have to say this from Slartibartfast quoting the movie The Sixth Sense just tickled me somewhat..
Date:      Mon, 24 Mar 2014 23:45:50 -0500 [00:45:50 EDT]
From:      Slartiblartfast [dalero@pwc.utc.com]
Subject:      I see dead people.

WHY SHOULDN’T YOU WEAR ONE?
www.[redacted].com

If you are serious about placing an order with us then use the below coupon:

WEBSITE COUPON:
20save


Slartiblartfast
My real name is Arlen, Magill
S.R. Replications © 2014 
Well, Slarti. Thanks for the offer, but no thanks. So long and thanks for all the spam.

Sunday, 23 March 2014

Malware sites to block 23/3/14 (P2P/Gameover Zeus)

These domains and IPs are associated with the Peer-to-peer / Gameover variant of Zeus as described in this blog post at MalwareMustDie. I recommend that you block the IPs and/or domains listed as they are all malicious:

50.116.4.71 (Linode, US) [also mentioned here, here and here]
178.79.178.243 (Linode, UK)
212.71.235.232 (Linode, UK)
23.239.140.156 (Root Level Technology, US)

50.116.4.71
aqllbfahiivcelzqcfmdmoqhwc.com
aulbbiwslxpvvphxnjij.biz
balodcmzlqtcjbhllfwcmmb.biz
batlrintscnbytinqsqgbyvs.info
bqpwkxwsaudhehjzpwsvowcobqk.com
dahzlwskgileyplljlhq.org
ddxwnbusvwtwtcfizdmskxso.biz
dgqzkzxsmzqggiwccattorwobfu.ru
duonxdivrwbahpxdpmbzdhm.org
dwsirwclqopforlqkjrdpncqkr.net
gefifqtwgydaivpjbubuaiwglsrg.org
gqvwwcgqnjrkteyqacrkthfmxk.org
kblfxnrltorstolxcgqugbyyl.com
li430-71.members.linode.com
lxpvyhnbbmvkkfpbayuomnaqzx.org
lzrrgfmeuucvtpzpvhxdaqcbyay.info
pvgrkzdcidybihtsqweqnbgztjb.com
pypfyinnfhyvxkujlfbmkbdq.com
qmrowchvdejfaauclrfqhx.org
rgvoxwhtamqwbuhdvonbnjhytuo.org
rsaspfpzmzrobonylxp.biz
tceeaaetvgcypqfysqctam.com
twdepffvwpxxnbqyhgmtcx.org
xaqfmfzxvoxglzofedmjskhatwsw.net
xfmheaqdepbyinkfjbnztemhmvkvk.com
xmjdjbucxwztqoojordmfmzfexc.com
xoxllplffmaknofjbjnkbdisw.com
xpjrvoddmfempuwbymwhejbt.com
yxmfpffqhdyfyydcmpnifusrckjrkby.biz

178.79.178.243
aefaeamofemugdieddphebijb.org
aemfyldumrlithbaayzhib.com
auldivpzxeahilvcyvckrzpbepv.com
bjnovqmbkfqodiqiuwsqst.biz
jnhqtodhhgakndacuvojizdm.org
krwklrffanjydbimvbmgadmfydei.info
qkdapcqinizsczxrwaelaimznfbqq.biz
qkljydlcikfqktsunraynji.org
swsmjuseadpmrozdljofpddx.biz
tltdhasweiuorolzqweydmtdjr.biz
towohjnpxozxqwvbyxgayvc.info
usrgwobmqsxmruscudtgvwuccqvgwg.biz
vclytzcizhtyplbkrmfayburc.org
vwojamfqcipjnbobeafelvqprjzgacu.org
wceydihqmjexgtkvtqkdeh.com
yhzpojvizpbiztkjdaxzib.org
zxjzaypibnjayfmpzpalkbaunzl.com

212.71.235.232
ambaorbynbjrxwdeumvqohiytp.com
amxgeaehmpirsczhtdebunsc.info
fuambuvktwcnfddadytzrccmrsg.info
gajbceobcpvnvjbxomrnfgqlcu.org
hapeysdqhpjntcwcmrpqtcu.biz
hayzscyddatgfeyvwxgcuxifcy.org
izsodajzhrsingdygyvsvcmzlhyx.com
ldmbcqwsfuhebqlrfqmjpjtbm.net
lnipjrijfamnxkgenzypusztpnxhi.org
mbdaaywcbikbnzdiaebnzgaph.biz
peucehqxsgmzhgujfsoeihmpvhiz.info
pnfxwvsgqvctqkypwghlbnbiz.biz
qwlamzprordqxcyltgbqxqctgkfq.biz
rougorsxgeeiaqqclrmnxcnbdig.com
swhyijskpdxkzdfqeqlduydaet.org
uzhoxeuukrgprcxwjbdymbir.info
wcrydrkgzhqoeunduhttayh.biz
wsauqohqevirkreaocyzh.info
yfamzskpcikveahhynrztfa.org
ytsgugkfgadtkpjhmxsmjlkrnv.com
yxmfpffqhdyfyydcmpnifusrckjrkby.biz

23.239.140.156
cedivwojozpjnmzphdmgscrkcqgq.info
dmeiljtpjfnrwolrucyppbqnjmn.biz
dqdycmfqbuxabufqhehejngapcy.biz
dtuwswgunvgayzpxolvclzaiw.com
hguvmrrgljldtkfcuuwmfhda.com
hqzdwauwkrvcpifdontobbat.org
hywkvojryttvwvkxccehmbadtcepz.biz
jnhqtodhhgakndacuvojizdm.org
lduemshmhceamlflrvoehrw.org
ltmbcqyheqjnrcuucwbipqsjnbe.biz
ojdqolcirkamyhursqozxin.com
pfceceprcxzhqstcyvodepzx.info
qcejrvgsydqpzzdixonvugysktk.com
qkfeutkgmfqxrwmbxgxcdymz.biz
tcvkwsbqnjhjobgyttklnfxo.com
udewxdqkxtwqwjvhvgbuzhx.org
vclytzcizhtyplbkrmfayburc.org
vxwdtkfjfqotkdaivkfqgaedx.biz
wslhrwfmwkhmozhambvwhuzpnb.net
xcvshidqgwotvfetvcydfajnof.com
zludaswlfrwphijtkknya.info
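Lists like the one above are a good reminder that the domains this variant generates look nothing like real ones, which is something you can detect on the wire before a blocklist catches up. Here is an added Python example, my own and not the Gameover Zeus algorithm or anything from the MalwareMustDie post, that scores the registrable label of a domain on three lexical features (length, Shannon entropy, vowel ratio) and flags it when two of the three trip. The thresholds are assumptions tuned against the handful of domains below, not validated cut-offs; the sample domains are a constructed selection from the list above plus a few ordinary ones.

```python
import math
from collections import Counter

# Constructed sample: five domains from the Gameover Zeus list above and
# five ordinary domains, to show where the heuristic draws the line.
SUSPECT = [
    "aqllbfahiivcelzqcfmdmoqhwc.com",
    "aulbbiwslxpvvphxnjij.biz",
    "batlrintscnbytinqsqgbyvs.info",
    "dgqzkzxsmzqggiwccattorwobfu.ru",
    "yxmfpffqhdyfyydcmpnifusrckjrkby.biz",
]
BENIGN = ["google.com", "bbc.co.uk", "companieshouse.gov.uk", "microsoft.com", "linode.com"]

# Assumed thresholds (tuned by eye on the sample above, not validated).
MIN_LENGTH = 18
MIN_ENTROPY = 3.5
MAX_VOWEL_RATIO = 0.25


def second_level_label(domain):
    """Label just below the public suffix. Simplified: treats co/gov/org/ac
    second-level suffixes (e.g. .co.uk) as part of the suffix."""
    labels = domain.lower().rstrip(".").split(".")
    if len(labels) >= 3 and labels[-2] in ("co", "gov", "org", "ac"):
        return labels[-3]
    return labels[-2]


def shannon_entropy(s):
    """Bits of entropy per character of s."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def vowel_ratio(s):
    letters = [ch for ch in s if ch.isalpha()]
    if not letters:
        return 0.0
    return sum(ch in "aeiou" for ch in letters) / len(letters)


def dga_score(domain):
    """Return (score, features); score counts how many thresholds trip (0-3)."""
    label = second_level_label(domain)
    feats = {
        "length": len(label),
        "entropy": round(shannon_entropy(label), 2),
        "vowels": round(vowel_ratio(label), 2),
    }
    score = 0
    if feats["length"] >= MIN_LENGTH:
        score += 1
    if feats["entropy"] >= MIN_ENTROPY:
        score += 1
    if feats["vowels"] <= MAX_VOWEL_RATIO:
        score += 1
    return score, feats


def looks_generated(domain, threshold=2):
    """Two of three features tripping is the assumed decision rule."""
    return dga_score(domain)[0] >= threshold


if __name__ == "__main__":
    for d in SUSPECT + BENIGN:
        print(f"{'DGA?' if looks_generated(d) else 'ok  '} {d:40} {dga_score(d)[1]}")
```

No single feature is enough on its own (bbc.co.uk has no vowels at all, which is why the rule needs two out of three), and short-label DGAs will slip past it; treat a hit as a reason to look at what the host is talking to, and feed confirmed hits back into the blocklist.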

Friday, 21 March 2014

"CSR EXCELLENCE AWARD 2014" / csrawards.co.uk spam

Rule one of good customer service.. don't spam people like these jokers do:

From:     Green Organisation greenorganisation@rkwmail.co.uk
Date:     21 March 2014 07:02
Subject:     AO Corporate Social Responsibility Manager,

Is yours a company that cares?

     Do you help colleagues to reach their full potential?
     Are you a good neighbour in your local community?
     Do you show loyalty to your suppliers and customers?
    Are you reducing your negative impact on the environment?
    Do you support good causes and goodwill initiatives?

If you can answer YES to any of these questions,
you could win an

INTERNATIONAL CSR EXCELLENCE AWARD 2014

THIS is the perfect time to get the recognition you deserve for your Corporate Social Responsibility initiatives. NOW is the time to submit your free entry for an

INTERNATIONAL CSR EXCELLENCE AWARD

CLOSING DATE FOR FREE ENTRIES – MARCH 31

The CSR Excellence Awards are presented to companies that have a heart -

caring companies that use their privileged position to help their colleagues, communities, customers, suppliers, the environment and the less fortunate.

Caring companies can be a realistic force for good and change-for-the-better, and we want to recognise and reward their efforts with the CSR Excellence Awards

        Every company is entitled to a free entry

        All winners will be invited to the glittering presentation ceremony at The Crystal, Royal Victoria Docks, London

        The closing date for free entries is March 31, 2014

    We will plant a tree for every entry received.

There are THREE chances of success for each entry, as we will be presenting Gold, Silver and Bronze awards in every category – plus an overall winner.

If you are a company that cares, send your entry NOW!

    You can enter
        online at www.csrawards.co.uk
        by email to rich@eco-brand.co.uk
        or by post to

CSR Awards, Ecobrand, 97 Cock Lane, High Wycombe, Bucks HP13 7DZ

Responsible businesses can make an enormous difference to the quality of life and prospects of everyone touched by their corporate activities.

Show you care! Win a CSR Excellence Award!

Good luck with your entry.
Richard Collins
Campaign Organiser

I particularly like the address of 97 Cock Lane. Nuff said.

"Companies House" spam and 50.116.4.71 (again)

This fake Companies House spam comes with a malicious attachment:

Date:      Fri, 21 Mar 2014 11:05:35 +0100 [06:05:35 EDT]
From:      Companies House [WebFiling@companieshouse.gov.uk]
Subject:      Incident 8435407 - Companies House

The submission number is: 8435407

For more details please check attached file.

Please quote this number in any communications with Companies House.

All Web Filed documents are available to view / download for 10 days after their
original submission. However it is not possible to view copies of accounts that
were downloaded as templates.

Companies House Executive Agency may use information it holds to prevent
and detect fraud. We may also share such information, for the same purpose,
with other Organizations that handle public funds.

If you have any queries please contact the Companies House Contact Centre
on +44 (0)303 1234 500 or email enquiries@companies-house.gov.uK

Note: This email was sent from a notification-only email address which cannot
accept incoming email. Please do not reply directly to this message.

Companies House
4 Abbey Orchard Street
Westminster
London
SW1P 2HT
Tel +44 (0)303 1234 500

Attached is an archive file CH_Case_8435407.zip which in turn contains the malicious executable CH_Case_21032014.scr which has a VirusTotal detection rate of 3/49.

The Malwr analysis again shows an attempted connection to a Linode IP at 50.116.4.71 using the domain aulbbiwslxpvvphxnjij.biz.

The malware also downloads a config file from a hacked WordPress installation at [donotclick]premiercrufinewine.co.uk/wp-content/uploads/2014/03/2103UKp.qta plus a number of other domains that are not resolving (listed below).

I would recommend that you apply the following blocklist in combination with this one.

50.116.4.71
aulbbiwslxpvvphxnjij.biz
rovlvhixgqcelzlxheonpfxy.info
hybytqwscguvowbbgwgxijdq.com
jryxtbujvdmceodbegyofrkkr.ru
lncuhmnvlytwsuceijaifaqjrpz.com
mrdlormvvotimfhecueminydrs.info
fytwsqkgindatoahtnbnrzhe.org
tqsdudemkfrcrcutdmvpbuzd.net
doskgacutmvbeztmrirlc.biz
rgolcuhgqsqkgivckfbud.ru
auldivpzxeahilvcyvckrzpbepv.com
hegersdihurwwsdqxkdatclbmryd.net
qwrgldhqtcifymnfyhimjhqdbmir.org
ljxaededaljnrytonhzkzsg.biz
wgtfauchlnhmvskblhiovxwpvh.com
ifwbxfylaimzuwgdyeqgiupl.ru
premiercrufinewine.co.uk

Amazon.co.uk spam, something evil on 50.116.4.71

This fake Amazon.co.uk spam comes with a malicious attachment:

Date:      Fri, 21 Mar 2014 13:40:05 +0530 [04:10:05 EDT]
From:      "AMAZON.CO.UK" [SALES@AMAZON.CO.UK]
Cc:      ; Fri, 21 Mar 2014 13:40:05 +0530
Subject:      Your Amazon.co.uk order ID841-6379889-7781077

Hello,  Thanks for your order. We’ll let you know once your item(s) have dispatched.You can check the status of your order or make changes to it by visiting Your Orders on Amazon.co.uk.  

  
Order Details
Order #799-5059801-3688207  Placed on March 21, 2014 Order details and invoice in attached file.
  
Need to make changes to your order? Visit our Help page for more information and video guides.  
  
We hope to see you again soon.   Amazon.co.uk 

There is an attachment Order details 21.04.2014 Amazon 19-1101.zip which contains a quite large 596Kb malicious executable Order details 21.04.2014 Amazon 19-1101.exe which only has a VirusTotal detection rate of 2/51.

The Malwr analysis is the most comprehensive, and shows that it attempts to phone home to the following domains:

aulbbiwslxpvvphxnjij.biz
hxlbjvgmfzwcbyijzxojcugizd.info
mneudhugiorkbhtpaiuoemydzll.org
mfcyqgeupknhqrwljrprotufm.net
jzfetwydrfachqwgnylbu.com
eqtvtspngaeixdizhhiqckrged.ru
fqyxcinvcfkfxnltsghahrmn.com
pbzdofdxwokbnrvodiirzqshaem.net
hyvoydfadyxfmjnhmzjbxkgurcbu.org
dacahylpzylydlbgujruzxxrseyt.info
knpzqcaygabuxkcynjaidudceu.biz
soinlzhxohtcazlqkgegtcvxkr.ru
fuzllbxkzhqgrbaonivkzjjzdmjn.com
thicazjzxtxhknyeusx.info
afaxdlrnjdevgddqrcvkdmvemwo.org
kfmfpxtcmrnjgeusirylhrcqfe.biz
hmbcyromzibkpuxfiaetx.com
qoluciztogagugergdqqclxwkaekr.ru
payypdmhxcxxvgvsojdqs.com
pscxwztdudidivhixksrrduda.net
wgpztgpxgonhalcjrpxkau.biz
nrdiqotuoxcbaxokrfqcilcal.info
fycquworzhlmhqthixphq.com
uqgheqtozhrsjqfiaizci.ru
zdeiswsdqnvhleijfzltvwdxc.com

Out of these, aulbbiwslxpvvphxnjij.biz seems to be active on 50.116.4.71 (Linode, US).

Combining the "phone home" domains with the other malicious domains hosted on that IP gives the following recommended blocklist:
50.116.4.71
afaxdlrnjdevgddqrcvkdmvemwo.org
aqllbfahiivcelzqcfmdmoqhwc.com
aulbbiwslxpvvphxnjij.biz
balodcmzlqtcjbhllfwcmmb.biz
batlrintscnbytinqsqgbyvs.info
bqpwkxwsaudhehjzpwsvowcobqk.com
dacahylpzylydlbgujruzxxrseyt.info
dahzlwskgileyplljlhq.org
ddxwnbusvwtwtcfizdmskxso.biz
dgqzkzxsmzqggiwccattorwobfu.ru
duonxdivrwbahpxdpmbzdhm.org
dwsirwclqopforlqkjrdpncqkr.net
eqtvtspngaeixdizhhiqckrged.ru
fqyxcinvcfkfxnltsghahrmn.com
fuzllbxkzhqgrbaonivkzjjzdmjn.com
fycquworzhlmhqthixphq.com
gefifqtwgydaivpjbubuaiwglsrg.org
gqvwwcgqnjrkteyqacrkthfmxk.org
hmbcyromzibkpuxfiaetx.com
hxlbjvgmfzwcbyijzxojcugizd.info
hyvoydfadyxfmjnhmzjbxkgurcbu.org
jzfetwydrfachqwgnylbu.com
kblfxnrltorstolxcgqugbyyl.com
kfmfpxtcmrnjgeusirylhrcqfe.biz
knpzqcaygabuxkcynjaidudceu.biz
li430-71.members.linode.com
lxpvyhnbbmvkkfpbayuomnaqzx.org
lzrrgfmeuucvtpzpvhxdaqcbyay.info
mfcyqgeupknhqrwljrprotufm.net
mneudhugiorkbhtpaiuoemydzll.org
nrdiqotuoxcbaxokrfqcilcal.info
payypdmhxcxxvgvsojdqs.com
pbzdofdxwokbnrvodiirzqshaem.net
pscxwztdudidivhixksrrduda.net
pvgrkzdcidybihtsqweqnbgztjb.com
pypfyinnfhyvxkujlfbmkbdq.com
qmrowchvdejfaauclrfqhx.org
qoluciztogagugergdqqclxwkaekr.ru
rgvoxwhtamqwbuhdvonbnjhytuo.org
rsaspfpzmzrobonylxp.biz
soinlzhxohtcazlqkgegtcvxkr.ru
tceeaaetvgcypqfysqctam.com
thicazjzxtxhknyeusx.info
twdepffvwpxxnbqyhgmtcx.org
uqgheqtozhrsjqfiaizci.ru
wgpztgpxgonhalcjrpxkau.biz
www.aulbbiwslxpvvphxnjij.biz
xaqfmfzxvoxglzofedmjskhatwsw.net
xfmheaqdepbyinkfjbnztemhmvkvk.com
xmjdjbucxwztqoojordmfmzfexc.com
xoxllplffmaknofjbjnkbdisw.com
xpjrvoddmfempuwbymwhejbt.com
zdeiswsdqnvhleijfzltvwdxc.com
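Several of the posts above recommend combining one blocklist with another, and the merged list above was built exactly that way. Here is an added Python example of my own (not from the original post) that merges blocklists in the plain format used here, normalising case, trailing dots and www. prefixes, deduplicating, collapsing IPs and CIDRs together, and rendering the domain half as BIND response-policy-zone (RPZ) records so the names return NXDOMAIN. The three input lists are constructed short excerpts of the lists above, not the full ones.

```python
import ipaddress

# Constructed excerpts of the blocklists from the posts above (the real lists are longer),
# with some deliberate noise: mixed case, a trailing dot, a www. duplicate, a comment.
LIST_A = [
    "50.116.4.71",
    "aulbbiwslxpvvphxnjij.biz",
    "www.aulbbiwslxpvvphxnjij.biz",
    "hxlbjvgmfzwcbyijzxojcugizd.info",
]
LIST_B = [
    "50.116.4.71",
    "178.79.178.243",
    "qkdapcqinizsczxrwaelaimznfbqq.biz",
    "AULBBIWSLXPVVPHXNJIJ.BIZ.",
]
LIST_C = ["192.95.44.0/27", "reachmape.ru", "# comment line", ""]


def normalise(entry):
    """Lower-case, strip a trailing dot and a leading www.; None for blank/comment lines."""
    e = entry.strip().lower().rstrip(".")
    if not e or e.startswith("#"):
        return None
    if e.startswith("www."):
        e = e[4:]
    return e


def merge_blocklists(*lists):
    """Return (networks, domains), both deduplicated and sorted.

    Single IPs become /32 networks so that hosts and CIDR blocks can be
    collapsed with ipaddress.collapse_addresses in one pass.
    """
    nets, domains = set(), set()
    for lst in lists:
        for raw in lst:
            e = normalise(raw)
            if e is None:
                continue
            try:
                nets.add(ipaddress.ip_network(e, strict=False))
            except ValueError:
                domains.add(e)  # not an IP or CIDR, so treat as a domain
    return sorted(ipaddress.collapse_addresses(nets)), sorted(domains)


def to_rpz(domains):
    """RPZ records: 'CNAME .' means NXDOMAIN; the wildcard covers subdomains
    (so www.example and the throwaway labels above are caught too)."""
    lines = []
    for d in domains:
        lines.append(f"{d} CNAME .")
        lines.append(f"*.{d} CNAME .")
    return lines


if __name__ == "__main__":
    nets, domains = merge_blocklists(LIST_A, LIST_B, LIST_C)
    print("; networks (for the firewall)")
    for n in nets:
        print(";", n)
    print("; RPZ zone records")
    for line in to_rpz(domains):
        print(line)
```

The www. stripping is why the wildcard record matters: once the parent is in the zone there is no need to carry www.aulbbiwslxpvvphxnjij.biz as a separate entry.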


Porn site beeg.com hacked, aadserver.com and malware sites to block

The folks at Malwarebytes posted an excellent and interesting blog entry on the hack of porn site beeg.com. The technical analysis is spot on.. but sometimes you need actionable intelligence too.

Let's rush towards the climax of the infection chain for a moment. Malwarebytes identify a couple of malicious domains, both hosted on 92.63.109.45 (TheFirst-RU, Russia).

mdquhrp.clark4houk.eu
ipquqoh.lapierre3dudley.eu

Source: Malwarebytes blog
That IP actually contains a lot more bad domains that have all been recently registered with hidden details:

mdquhrp.clark4houk.eu
boqmkwe.lapierre3dudley.eu
wjlxuxt.artola1brodgen.eu
jqeqt.kundel2klimas.eu
ocsck.amar1krauel.eu
qeuhn.kusmider3bossert.eu
ipquqoh.lapierre3dudley.eu
mnsblx.kempffer7hazeldine.eu
alxrjqo.julian7hoscheid.eu
nnmkeseu.clark4houk.eu
jtwwnu.amar1krauel.eu
wbxrufy.hsiang4akai.eu
tanhts.contardo1jak.eu
gcumqix.hazen1ceponis.eu
lgyqyfos.kundel2klimas.eu
qymvauk.artola1brodgen.eu
rugoo.farant4diperna.eu
iyttjqaa.farant4diperna.eu
ekgdb.julian7hoscheid.eu
bteqspe.labranche9allan.eu
pwdulvt.labranche9allan.eu
noslpt.eriksson5akhavan.eu
ywata.kusmider3bossert.eu
yqovf.lamirande9buhler.eu
oidgvrz.kepekci8billoteau.eu
www.kundel2klimas.eu

But how did visitors get delivered to the payload site in the first place? The previous step in the Malwarebytes chain was a site called miofitching3.com on 217.174.108.33 (Domishko Hosting, Russia). A look at the sites recently hosted on that IP shows the following:

aadserver.com
miofetcher1.com
miofitching3.com
miofleiming1.com
miofleiming2.com
miofleiming3.com
miofleiming4.com
miofleiming5.com
miofleiming6.com

One of these things is not like the others. Yes, aadserver.com doesn't match. But the name makes it sound like an advertising network. The domain has hidden WHOIS details but was only registered on 13th February.

A look around the aadserver.com site shows something that looks slick.




It looks slick, but the spelling is terrible and some of the body text has been copied from Wikipedia.. even including a [citation needed] tag. The email contact details are all free webmail providers, and despite promoting itself as an "Australian Ad Server" it has a Russian IP address.

It's pretty obvious that aadserver.com is a fake. The Russian IP address (odd for an Australian business), recent domain registration with hidden WHOIS details, free webmail addresses and poor spelling should have been red flags for an experienced media buyer.

So how did these ads end up on beeg.com? Well, if we go back to the first step in the infection chain, we see a reference to a site staticloads.com. This has the same WHOIS details as beeg.com, so my best guess is that the owners of beeg.com were contacted by aadserver.com with a proposition to sell advertising, and a lack of expertise led to fake ads being placed on the site.

So, I mentioned actionable intelligence. Apart from making sure that you properly train media buyers in detecting fake ad agencies, I would strongly recommend applying the following blocklist to your networks to stop any more bad ads from these criminals causing problems:

92.63.109.45
217.174.108.33
clark4houk.eu
lapierre3dudley.eu
artola1brodgen.eu
kundel2klimas.eu
amar1krauel.eu
kusmider3bossert.eu
kempffer7hazeldine.eu
julian7hoscheid.eu
hsiang4akai.eu
contardo1jak.eu
hazen1ceponis.eu
farant4diperna.eu
labranche9allan.eu
eriksson5akhavan.eu
lamirande9buhler.eu
kepekci8billoteau.eu
aadserver.com
miofetcher1.com
miofitching3.com
miofleiming1.com
miofleiming2.com
miofleiming3.com
miofleiming4.com
miofleiming5.com
miofleiming6.com

Thursday, 20 March 2014

Something evil on 66.96.195.32/27

Another bad bunch of IPs hosted by Network Operations Center in Scranton following on from yesterday, this time 66.96.195.32/27 which seems to be more of the same thing.

The exploit kit in question is the Goon EK, as shown in this URLquery report. It seems that it spreads by malicious SWF files being injected into legitimate websites (I think this one, for example).

The easiest thing to do would be to block traffic to 66.96.195.32/27, but I can see the following malicious websites active in that range (all on 66.96.195.49):

uvz.akovikisk.com
ovfvr.akovikisk.com
qn65l.akovikisk.com
ac1e0.alessakyndraenho.com
8dyh.akovikisk.net
y6aoj.akovikisk.net
0hzl.akovikisk.info
cx6n.akovikisk.info
xdxr2.akovikisk.info
where.hotspotingtram.org

Experience with this particular type of exploit kit shows that the bad guys will rotate IPs in the block, so blocking the entire /27 is advised.

At present that consists of just three domains to block, although I suspect there will be more:

akovikisk.com
alessakyndraenho.com
hotspotingtram.org

prospectlist.com / prospectlist.co.uk spam

Never buy email marketing services from spammers.. unless you want your website suspended and reputation trashed. Here's a grubby little spammer using the domains prospectlist.co.uk and prospectlist.com to drive traffic to their grubby little business.

From:     Prospectlist prospectlist@cardwellmarketing.ctml2.com
Reply-To:     sarah.brazier@cardwellmarketing.co.uk
Date:     20 March 2014 10:00
Subject:     Here's the Deal!
Signed by:     ctml2.com

! DOUBLE YOUR TOP 50 CLIENTS!

*Give us the details of your best clients and we will find an additional 50*

ProspectList is the best business partner to supply up to date and accurate data, for you to use on direct mailing or telemarketing campaigns. PLUS, as we are now part of the Cardwell Group, we can even carry out your campaigns for you– offering a One Stop service.

WHY CHOOSE PROSPECTLIST?

With a database of over 2.6 million UK businesses, along with senior decision maker contacts, telephone numbers and emails, we can offer a comprehensive database on many business sectors. Our file is fully compliant to DMA guidelines, is tele-researched, has an update cycle of just 12 months and is ready for you to access TODAY!

CALL US NOW ON 01926 462 917 TO FIND OUT HOW YOU CAN BENEFIT FROM:

Direct Mail | Telemarketing  |  Email Lists  | International Data  |  Consumer Data

Bespoke Researched Data  |  Email Broadcasting  |  Mailing Fulfilment  |  Telemarketing

CONTACT US BY EMAIL
   

REQUEST A CALLBACK

2.6 million trading UK businesses                      Senior decision makers

Fully compliant with MPS/TPS/CTPS                 900k emails

12 months update cycle on 98% of our file       2.1 million contacts

If this email doesn't display properly, you can view it in your web browser

ProspectList | One Athena Court | Athena Drive | Warwick | CV34 6RT
If you no longer wish to receive emails from us, please follow this link

ProspectList claim to be compliant with DMA guidelines, but I certainly never opted in to this crap. However the DMA is a prime example of why self-regulation fails.. it is run by the direct marketers themselves and in my opinion their regulations don't go far enough to protect people from this sort of unsolicited bulk email.

I've never heard of ProspectList or the Cardwell Group, and they would probably argue that everything they are doing is legal and above board yadayada. I certainly won't be sending any business their way though.

The domain in use for the spam is email.prospectlist.co.uk which forwards to prospectlist.com.
Let's have a look at the WHOIS details to see who exactly is responsible for this domain:

Registrant Name: Ian Merriman
Registrant Organization: Cardwell Intelligence Limited
Registrant Street: Cardwell House, Hook Norton Road
Registrant City: Chipping Norton
Registrant State/Province:
Registrant Postal Code: OX7 5SB
Registrant Country: GB
Registrant Phone: +44.8451306634
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: ian.merriman@cardwellmarketing.co.uk


The site is hosted on 176.32.230.28 (Heart Internet, UK). The email is sent through mail132.sgml3.com (37.221.219.132).




Evil network: OVH Canada / r5x.org / Penziatki (updated)

I've covered OVH Canada and their black hat customer r5x.org aka "Penziatki" before. They consistently host exploit kits, and the way that the bad hosts are spread over OVH's network looks like a deliberate attempt at snowshoeing.

The following blocks in the OVH range have hosted malware from this customer. Some of the IPs are identified through my own research, others through OSINT from others, notably Frank Denis, @ReverseChris and .

192.95.6.24/29
192.95.6.92/30
192.95.6.196/30
192.95.7.8/30
192.95.7.224/28
192.95.10.16/29
192.95.10.208/28
192.95.12.56/30
192.95.40.240/30
192.95.41.88/29
192.95.43.160/28
192.95.44.0/27
192.95.46.56/30
192.95.46.60/30
192.95.46.132/30
192.95.47.232/30
192.95.47.236/30
192.95.51.164/30
192.95.58.176/30

198.27.96.132/30
198.27.103.204/30
198.27.114.16/30
198.27.114.64/27

198.50.164.240/30
198.50.172.64/30
198.50.172.68/30
198.50.172.72/30
198.50.172.76/30
198.50.177.120/30
198.50.185.64/27
198.50.186.232/30
198.50.186.236/30
198.50.186.252/30
198.50.197.28/30
198.50.197.48/30
198.50.197.52/30
198.50.197.56/30
198.50.197.60/30
198.50.204.240/30
198.50.204.244/30
198.50.212.116/30
198.50.212.172/30
198.50.216.144/30
198.50.219.240/30
198.50.219.248/30
198.50.224.240/30
198.50.231.204/30
198.50.235.196/30
198.50.241.120/30
198.50.242.120/30
198.50.246.240/30
198.50.247.248/30
198.50.247.252/30
198.50.251.168/30
198.50.251.172/30

Given the large number of exploits, you might want to consider a larger pre-emptive block on the OVH Canada ranges if you are in a security-sensitive environment and can live with blocking some of the legitimate sites that OVH also host.

192.95.0.0/16
198.27.0.0/16
198.50.0.0/16


I'll try to keep this blog post updated with more bad OVH Canada ranges as they are brought to my attention. Please consider adding any new information to the Comments if you have some. Thanks!
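A list of /30s like the one above grows untidy as ranges are added, and several of the entries are adjacent. Here is an added Python example of my own (not from the original post) that collapses adjacent blocks into the smallest covering prefixes, counts how many addresses the precise list actually covers, and checks that every small block sits inside the three /16 supernets suggested as the pre-emptive block. The input is a constructed subset of the ranges listed above, chosen to include the adjacent ones.

```python
import ipaddress

# Constructed subset of the OVH Canada ranges listed above (the full list is longer).
SMALL_BLOCKS = [
    "192.95.44.0/27", "192.95.46.56/30", "192.95.46.60/30", "192.95.46.132/30",
    "192.95.47.232/30", "192.95.47.236/30",
    "198.27.114.16/30", "198.27.114.64/27",
    "198.50.172.64/30", "198.50.172.68/30", "198.50.172.72/30", "198.50.172.76/30",
    "198.50.186.232/30", "198.50.186.236/30", "198.50.186.252/30",
    "198.50.197.28/30", "198.50.197.48/30", "198.50.197.52/30", "198.50.197.56/30",
    "198.50.197.60/30",
]

# The pre-emptive block suggested above.
SUPERNETS = ["192.95.0.0/16", "198.27.0.0/16", "198.50.0.0/16"]


def collapse(cidrs):
    """Merge adjacent/overlapping blocks into the fewest covering prefixes."""
    nets = [ipaddress.ip_network(c) for c in cidrs]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def address_count(cidrs):
    """Total number of addresses covered by the list (overlaps counted once)."""
    return sum(n.num_addresses for n in ipaddress.collapse_addresses(
        ipaddress.ip_network(c) for c in cidrs))


def uncovered(cidrs, supernets):
    """Blocks from cidrs that are NOT inside any of the supernets."""
    supers = [ipaddress.ip_network(s) for s in supernets]
    return [c for c in cidrs
            if not any(ipaddress.ip_network(c).subnet_of(s) for s in supers)]


if __name__ == "__main__":
    print("collapsed precise blocklist:")
    for c in collapse(SMALL_BLOCKS):
        print("  ", c)
    print("addresses in precise list:", address_count(SMALL_BLOCKS))
    print("addresses in /16 supernets:", address_count(SUPERNETS))
    print("blocks outside the supernets:", uncovered(SMALL_BLOCKS, SUPERNETS))
```

The address counts make the trade-off in the paragraph above concrete: the precise list covers a few hundred addresses, the three /16s cover 196,608, and anything the collapse step leaves as a lone /30 is a hint that the neighbouring addresses may be worth watching.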