Dynamoo's Blog

More fake ad networks

2010-02-05T17:03:00.002Z

The German news site Handelsblatt was recently the victim of a malvertising campaign:

02.02.2010 Handelsblatt malware on Web site

Update: Infection banners confirmed!

The S-CERT was able to reproduce the infection in its test laboratory on the IHT website. Infection occurs through an advertising banner, which is from "Doubleclick.net. This will in turn include advertisements from the domain "muentely.com" in the Handelsblatt-page insert. The latter site is obviously manipulated and contains malicious JavaScript code.

Further investigations in the S-CERT laboratory testing have confirmed that will be used including a PDF vulnerability to the spread of malware. The studies also show that there is an alternative to the vulnerability, attempts to exploit gaps by further appropriate attack code to install a malware onto vulnerable PCs.

According to the investigations of the S-CERT is the malware with the accessing PCs will eventually become infected, a so-called Scareware: Users are informed by insertion of appropriate dialogue, that their PC is infected with malware wide area. To remove this malware, an appropriate protective software is available for purchase. To give emphasis to the malware message that ensures Scareware that can be started on any new applications over infected PCs. Relevant information of users may also indicate an infection.

The malware campaign was running via Doubleclick and Nuggad.net, directing through a bunch of domains that look like ad agencies but aren't before ending up in a server in Panama.

The fake ad agencies are in the 213.163.75.x range, all recently registered through BIZCN.COM in China, a fairly well known black hat registrar.

Note that while the domains appear to be fake, the registration data may include the details of innocent third parties, so I have not published it here. I would recommend avoiding doing business with them unless you can absolutely verify their credentials.
Synopsystd.com

Namdoline.com
Quintat.com
Bradfortnd.com
Ealana.com
Rovitalt.com
Favorti.com
Muentely.com
Briarmod.com
Deltamsc.com
Jessiereet.com
Startrailrs.com
Connata.com
Vehiced.com
Essiell.com
Holdrism.com
Bellwaynetworks.com
Forlifemedia.com
Revoltechmarketing.com
Hickoryhs.com
Ingramctc.com
Luxortd.com
Morrelmedia.com
Gappion.com
Savoyee.com
Goldbaynetwork.com

"Hello, this is Icon calling on behalf of BT.."

2010-02-04T19:33:00.003Z

The phone rings from an undisclosed International number.. an automated voice say "Hello, this is Icon calling on behalf of BT.." and it then goes on to explain that there's nobody to talk to me and I should call back on 0800 980 0127 to unsubscribe. Except of course that I'm bloody on TPS.

So who are they? Icon Communications Centers are based in Prague and have a website at www.icon-cc.com (no, I'm not giving them a link). In fact, the crummy job is advertised right here. OK, I say crummy.. the good thing is that Prague is a very nice place, but you probably won't see to much of it in a call centre.

In the important spirit of pissing cold callers off, here are a couple of contact email addresses you can use to tell them where to go: helen.hickin@icon-cc.com and moses.velasco@icon-cc.com.

Enjoy.

Sergey Ryabov / director@climbing-games.com strikes again

2010-02-04T15:32:00.003Z

There's a somewhat unusual spate of injection attacks doing the rounds, code is being injected into the middle of victim pages through an unknown flaw, starting document.write(unescape('%3C%73%63%72%69%70%74%20%6C%61%6E%67%75%61%67%65%3D and then going on for a bit.. deobfuscating the code actually leads to a second layer of obfuscation, but once that is decoded it becomes clearer.

The injected code points to itsallbreaksoft.net

This then bounces through paymoneysystem.info/in.cgi?michaeleknowlton before hitting a seemingly random PPC search engine site hosted on 95.211.27.154, for example sdeh.net/iframe.html. Sophos have an excellent write-up of the anatomyof the injection attack here, and it's pretty clear that somebody is ripping somebody else off for PPC traffic.. its hard to say who the victims actually are.

The domains itsallbreaksoft.net and paymoneysystem.info belong to the same person, these are interesting because of the registration details:

Nexton Limited
Ryabov Sergey (director@climbing-games.com)
+79219270961
Fax: +79219270961
Scherbakova st., 6-38
Saint-Petersburg, 197375
RU

These contact details are very well known for very bad things. Incidentally, the registrar is ruler-domains.com, also an enterprise registered to "Sergey Ryabov" (if that's a real person).

It's all kind of strange as there doesn't appear to be a malware payload, which is good. But because of the way click arbitrage works, finding the real victims and villains is tricky, although interested researchers may want to have a poke around.

Using Google Images to fight fraud

2010-02-04T15:19:00.002Z

A great post from the guys at F-Secure about how an employee used Google Images to stop being ripped off. Probably a good tip to stop getting defrauded at auction sites.

Pathetic

2010-02-02T22:20:00.002Z

A multibillion dollar company operated by a bunch of f*cking amateurs.

In particular.. the bit that says "We are building a migration tool", but for some unfathomable reason we have decided to kick off this change before it's ready. Sure, Blogger is a free platform and I could always ask for my money back.

Another favourite is: "only .5% of active blogs are published via FTP".. and the reason for this is that for the past couple of years Blogger's FTP service has become increasingly unreliable for no particular reason.

Unfortunately, anyone who had business dealings with Google that involve real money will know that the the f*ck you attitude to customer service is very much ingrained in Google. To a certain extent, being jerked around when you are not paying for the service is one thing.. but business partners in things like advertising, YouTube and enterprise applications also suffer the same thing.

Yes, Google is still often awesome. But sometimes, like this time, it's just pathetic.

AdSlash.com is a bogus ad network

2010-01-20T15:19:00.002Z

We've seen a number of ads being punted through AdSlash.com to legitimate ad networks, but it appears that these are leading to a PDF Exploit (don't visit these sites, obviously!).

For example:
fwlink.nx7.zedo.com.adslash.com/?alx=a27131939386&td=qcbp71pz=42834&sz=728x90&_zm=359161&st=n1n4&id=131939386&zcw=gh17chl277&xryr=3913771&mp=1460h1
fwlink.nx7.zedo.com.adslash.com/stats_js_e.php?id=131939386
fwlink.nx7.zedo.com.adslash.com/bdb/Health/banner_728.gif
fridayalways.com/kven/index.php
fridayalways.com/kven/js/common.js
fridayalways.com/kven/pdfadmnplay.php
fridayalways.com/kven/files/backoutblack.pdf

or

fwlink.nx7.zedo.com.adslash.com/?alx=a27131959519&td=qcbp71pz=42834&sz=120x600&_zm=359161&st=n1n4&id=131959519&zcw=gh17chl277&xryr=3913771&mp=1460h1
uparms.com/uparmglde/index.php
uparms.com/uparmglde/js/zingvaz.js
uparms.com/uparmglde/sexxhsdtk.php
which then loads a PDF exploit

or

fwlink.nx7.zedo.com.adslash.com/?alx=a27131958218&td=qcbp71pz=42834&sz=300x250&_zm=359161&st=n1n4&id=131958218&zcw=gh17chl277&xryr=3913771&mp=1460h1
setsup.com/setglde/index.php
setsup.com/setglde/js/common.js
setsup.com/setglde/ffcollab.php
setsup.com/setglde/files/slob.pdf

Despite the use of "zedo.com" in the subdomain, there is no evidence that these are being syndicated through Zedo.

Let's look at the WHOIS entry for AdSlash.com first:

Domain name: adslash.com

Registrant Contact:
PublishingAlert
Vivian Mitchell jacksosomands@gmail.com
650-887-5087 fax:
2069 Duck Creek Road
Oakland CA 94612
us

Administrative Contact:
Vivian Mitchell jacksosomands@gmail.com
650-887-5087 fax:
2069 Duck Creek Road
Oakland CA 94612
us

Technical Contact:
Vivian Mitchell jacksosomands@gmail.com
650-887-5087 fax:
2069 Duck Creek Road
Oakland CA 94612
us

Billing Contact:
Vivian Mitchell jacksosomands@gmail.com
650-887-5087 fax:
2069 Duck Creek Road
Oakland CA 94612
us

DNS:
ns1.everydns.net
ns2.everydns.net

Created: 2010-01-04
Expires: 2011-01-04

The address looks kind of legitimate, but there's no Duck Creek Road in Oakland and the phone number is most likely Los Altos, not Oakland. Also the fact that it has been registered just days ago is a clue.. and it turns out that the registrar is BIZCN.COM of China which is an odd choice for a California company.. in other words, the domain registration details are fake.

AdSlash.com is hosted on 217.23.7.6 which is reportedly a Worldstream Data Center in Faro, Portugal. There's a cluster of servers with fake registration details which are probably related:

217.23.7.6
Adslash.com
Dc2way.com
Ispmns.com
Rtcohost.com
Vpsroll.com

217.23.7.7
Net-wisp.com
Realhgost.com
Slhoste.com

217.23.7.8
Inhostin.com
Nx7tech.com
Vpbyte.com

217.23.7.9
Eywtech.com
Qhostin.com
Sslcode.com

Blocking the entire 217.23.7.x range will probably do no harm at all, it is full of typosquatting domains and other crap.

The PDF exploit itself is hosted in Russia on 213.108.56.18 at Infoteh Ltd (UNNET-LINER), there are a bunch of domains serving these exploits up:

alwaysinwork.com
fridayalways.com
runsup.com
uparms.com
upmostly.com

WHOIS details show the infamous moldavimo@safe-mail.net email address.

Registrant:
Name: dannis
Address: Moskow
City: Moskow
Province/state: MSK
Country: RU
Postal Code: 130610

Administrative Contact:
Name: dannis
Organization: privat person
Address: Moskow
City: Moskow
Province/state: MSK
Country: RU
Postal Code: 130610
Phone: +7.9957737737
Fax: +7.9957737737
Email: moldavimo@safe-mail.net

Technical Contact:
Name: dannis
Organization: privat person
Address: Moskow
City: Moskow
Province/state: MSK
Country: RU
Postal Code: 130610

The whole UNNET-LINER netblock of 213.108.56.0 - 213.108.63.255 looks fairly sordid, blocking access to it will probably do no harm.

As a side note, AdSlash.com did used to be owned by a hosting company called RackSlash, but it expired and was re-registered.

If you are accepting new ad banners - always remember to look closely at WHOIS details and other credentials to ensure that you are dealing with who you think you are.

Is Q-dating.com a fake?

2010-01-18T18:30:00.005Z

At first this looks like some random spam:

Subject: Find a sexdate - Free registration!
From: "Q-dating" <info@qdates.net>
Date: Mon, January 18, 2010 3:19 pm

Having trouble reading this email?

FIND A SEXDATE IN YOUR OWN AREA?

www.Q-Dating.com
[http://mailings.email-pro.net/link.php?M=000&N=143&L=118&F=T]

Chantal 24 jaaronline

Single, searching for sexdate!
I'm not ready to settle down
and looking for a sexbuddy
Irene 34 jaaronline

Married, looking for date.
I am a loving wife of 34 years looking for a nice man.
The best dating site of the UK. Advanced searching, Instant chat, test it
now FREE! Click here

Click here to unsubscribe
[http://mailings.email-pro.net/unsubscribe.php?M=000&C=00000&L=7&N=143]

After a bit of "wtf" I decided to check out the WHOIS details to see who was spamming:

Company: Realcom Limited
Name: Andy Ling
Address: 33, Throgmorton street
City: LONDON
Country: UNITED KINGDOM
Postal Code: EC2N 2BR
Phone: +44 7937 082 210
Fax:
Email: realcomltd@hotmail.com

Oh, well that's kind interesting.. they appear to be based in the UK. A quick check at Companies House does come up with a Realcom Ltd.. but it's a wholly innocent and unconnected company in Oxfordshire.

There's not much of a web presence about from this Dutch-language review [autotranslated] which also complains that the site is a fake and that unauthorised credit card transactions have been made.

A bit of searching around finds some related domains:
Q-dating.com [94.229.169.102]
Q-dating.eu [78.109.162.121]
Qdates.net [78.109.162.122]
Q-dating.be [78.109.162.119]
Q-dating.de [78.109.162.119]
Q-dating.net [78.109.162.119]
Credifact.net [94.229.169.102]
Megacasting.eu [94.229.169.102]
Email-pro.net [Parked].. mailings.email-pro.net is on 78.109.162.119

All infrastructure is supplied by UKFast (abuse -at- ukfast.co.uk)

There are plenty of other dating sites to choose from.. some of them may even be genuine. But given the complaints and the questionable WHOIS details, then probably best to avoid this one.

Is trafficbuyer@gmail.com Bryan Hunter of Modena, Inc?

2010-01-18T14:41:00.004Z

We have seen quite a lot of the domain registrant trafficbuyer@gmail.com lately [1] [2] [3] and it would be fair to say that this email address has been connected with malware domains for a few months [4] [5].

Domains operated by trafficbuyer@gmail.com appear to be part of the routing mechanism to bad sites, but there's no indication of who the email address actually belongs to. Is it an ad network, or is it the bad guys themselves.. and if it's an ad network, why are they hiding their name?

This post at Spyware Sucks gave a clue. There are several domains which are interesting because they have changed hands during their lifetime from a firm called Modena Inc (modenainc.com) owned by one Bryan Hunter of Oregon and are now in the hands of "trafficbuyer".

banner0609.com
banner0709.com [6] [7] [8]
banner07092.com
banner08091.com
banner08092.com [9]
banner08093.com [10]
bannersulike.com [11] [12] [13]
extrabanner.com [14]
islandbanner.com
foobanner.com
greenlightbanner.com [15] [16]
more-banners.com [17] [18] [19] [20]
paperbanner.com
trendbanner.com [21]
yellowlinebanner.com [22] [23]
zoombanner.com [24]

In July 2009, these domains were registered to:

Manager, Domain domains@modenainc.com
Modena Inc.
921 SW Washington ST
Suite 228
Portland, Oregon 97205
United States
(503) 241-1091 Fax --

By September 2009 they had all changed to:

Owner, Domain trafficbuyer@gmail.com
15156 SW 5th
Scottsdale, Arizona 85260
United States
+1.8005551212 Fax --

So, who are Modena Inc of Oregon? According to the State of Oregon, the two key people here are Bryan Hunter and Andrew Vilcauskas, although Mr Hunter's name is most often associated with Modena, Inc. The official status for Modena, Inc shows "Administrative Dissolution" which means that the state dissolved the company for non-filing of paperwork.. this seems to be a common issue. If we look at businesses related to Bryan Hunter then we see:

Big Truck Autobody (dissolved, failed to renew in 2004)
CreditYes, Inc (administrative dissolution in 2008, though still trading at CreditYes.com)
Diminished Value, Inc (filings overdue as of November 2009, trading at DiminishedValue.com)
ExitExchange Corporation (still active, although check the rating at WOT for ExitExchange.com or simple Google it)
Modena Homes, Inc (administrative dissolution in 2008)
Modena, Inc (administrative dissolution in 2009)
Modena, Inc (older incorporation, administrative dissolution in 2004)
Pro Web Design LLC (administrative dissolution in 2004)
Wind Song Creek Estates LLC (administrative dissolution in 2009)

Now, given the WHOIS history of these domains we would suggest that either Bryan Hunter is trafficbuyer@gmail.com or he sold the domains on to this person. If they are the same person, then perhaps he would like to review his business relationships and clean them up...

zoombanner.com / YieldManager malvertisement on ebuddy.com

2010-01-15T15:53:00.003Z

ebuddy.com is running a malicious ad on the zoombanner.com domain, apparently managed by Yieldmanager.

First, the "legitimate" end of the malware chain loads at ad.zoombanner.com/content?campaign=1171557&sz=6
This forwards to deliver.commismanderakis.com/rotate?m=2;b=6;c=1;z=585778
Which goes to content.fishpotboutademalled.com/track/3388182/S_IT?[snip]
Then img.commismanderakis.com/img?XAhIPWtICDkJX0FVHXUDKFoRYhYlRxFCNlsBGEhLBEtVdRdiCRYKBA8kKV9RHBEaXFJfXFMHAQ
Followed by the payload domain at jduvazuc.info/cgi-bin/dep
then jduvazuc.info/cgi-bin/dep/j006102Hd793447cR55e239b8T9cc338b5V0100f060203L69740000000000000000
then jduvazuc.info/cgi-bin/dep/o006102203317l0010Hd793447cR55e239b8T9cc338b6V0100f060
Finally jduvazuc.info/cgi-bin/dep/e006102203318l0010Hd793447cJ0d000601R55e239b8T9cc338a4U0ec2fc77V0100f0600

This last hop tries to load an executable (and probably some other crap I haven't spotted), not very well detected according to VirusTotal. Oh yes, there's a PDF exploit too.

The malicious ad is an Italian language vacation banner in this case.

Most of the domains have anonymous registration details, except zoombanner.com which has the same details that were used in the malicous ads featured here and here.

zoombanner.com

Registrant:
Domain Owner
15156 SW 5th
Scottsdale, Arizona 85260
United States

Domain Name: ZOOMBANNER.COM
Created on: 24-Jul-09
Expires on: 24-Jul-10
Last Updated on: 24-Jul-09

Administrative Contact:
Owner, Domain trafficbuyer@gmail.com
15156 SW 5th
Scottsdale, Arizona 85260
United States
+1.8005551212 Fax --

Technical Contact:
Owner, Domain trafficbuyer@gmail.com
15156 SW 5th
Scottsdale, Arizona 85260
United States
+1.8005551212 Fax --

Domain servers in listed order:
NS45.DOMAINCONTROL.COM
NS46.DOMAINCONTROL.COM

A search for the IP addresses show Linode is providing most of the infrastructure (again) with ezzi.net providing the payload server.

ad.zoombanner.com
69.164.215.205, 69.164.215.204 [Linode]

deliver.commismanderakis.com
74.207.232.205, 74.207.232.206, 74.207.232.248, 74.207.232.249, 74.207.232.250, 74.207.232.25, 74.207.232.30, 74.207.232.31, 74.207.232.35, 74.207.232.39, 74.207.232.202, 74.207.232.203 [Linode]

content.fishpotboutademalled.com
69.164.196.55 [Linode]

jduvazuc.info
216.150.79.74 [AccessIT / ezzi.net]

Incidentally, 69.164.196.55 also hosts a bunch of domains which are probably malicious:

Aspoutceringlapham.com
Baalcootymalachi.com
Bangywhoaswaikiki.com
Bertbleepedupsurge.com
Bluegumgodfulfrowzly.com
Bookletjigsawsenam.com
Boursesdeployporomas.com
Cabullacoexertstephen.com
Camastuthbroomer.com
Camocaexcidealaric.com
Cursarophitkamass.com
Dunnishbribesteen.com
Dusaexsurgeenzed.com
Eelfishminibusdaniel.com
Enyopensilflux.com
Fishpotboutademalled.com
Galasynjingkoendoss.com
Gombayuranidetripper.com
Haileschoralephydra.com
Haredjuvenalalkyds.com
Hoofishsmutsdela.com
Jigmenbrasschaves.com
Jumnamontanodillon.com
Limanadernaggly.com
Malabarvoiotiahsln.com
Mashlampeasewahima.com
Miauwbustianraynold.com
Mowewindsortejo.com
Nahshufrosterpappus.com
Negreetflurtagma.com
Nitrotowelvidovic.com
Oaterhabeasroyalet.com
Ospswraxledfummel.com
Oundycelticrecomb.com
Pcdosbahnerdalea.com
Pealedlupulicdunker.com
Polarlyfoetiskart.com
Potwareabipondeana.com
Psatchargeehewart.com
Puddyolderrippon.com
Sallierdiaushawed.com
Sarddieterchuted.com
Scullogmooerslarking.com
Siwardupttorntrib.com
Skouthlazordurning.com
Suttenbnetifla.com
Tacomanheathsdisodic.com
Temperabiceswayaka.com
Teughlyhesperegerek.com
Toterterrenobrasero.com
Vaccarykakkakcaddoan.com
Viperanmeatsoths.com
Viznomyboohoorigs.com
Voluntyseventechny.com
Wartedbiterhunter.com
Woodardvirgetoruli.com
Yawybottlersuccahs.com
Zirklehalavahhaunchy.com

I suspect that you probably wouldn't miss much by null-routing Linode completely at the moment.

"Croft Pole Distributors Limited" bogus job offer

2010-01-15T13:36:00.002Z

Croft Pole Distributors Ltd (www.croftpoles.co.nz) are a wholly legitimate business based in Whangarei, New Zealand. This is a fake offer that falsely used Croft Pole's name in order to recruit into a money mule scam.

Subject: Online Job Offer
From: "Croft Pole Distributors Limited" <croftpole.update@gmail.com>
Date: Fri, January 15, 2010 10:52 am

Dear Sir/Ma,

Croft Timber Company Limited is a family owned business that began in 1905 and is still in Croft family hands today.

CTC moved more towards the specialised production of timber poles approximately 20 years ago and now trades locally as Croft Pole Distributors Limited with pole supply outlets in both Northland, Rodney and Auckland.

Within the last ten years CTC has grown considerably with investments in a new and larger site, plant modernisation/expansion and the introduction of equipment such as the Bezner Rounding Machine, Fogarty Kiln, Automatic Stacker, Machine stress grader and edge tester, planer and dry-mill department as well as the constant replacement and upgrading of existing plant and machinery.

The mill site is on about thirty acres of land with rail facilities adjacent and is approximately 25 minutes from the deep water port of Marsden Point. The plant ispresently capable of processing around 2,500-3,000 m3 per month.

We are committed to customer service and our aim is to remain flexible to meet the ever changing market needs with product and service unparalleled in the timber pole industry to date..

Most of our customers from Australia, Canada,United States & United Kingdom pay through various terms of payment which some are not negotiable here in New Zealand. This brings our quest to employ a credible and trustworthy fellow as our representative to coordinate our payments. This would not affect your present job but add more to your income.

Being our representative and assisting us in processing the payments from our clients should earn you a commission of 10% of every payment you coordinate.

Once we makes a sale we deliver the product to a customer (usually through UPS).The customer receives and check the products. After this has been done, the customer has to pay for the products. About 90 percent of our customers prefer to pay through Bank Wire Transfers or certified cheque. We have decided to open this new job position for solving this problem.

Your tasks are;

1. Receive payment from Customers through your Bank Accounts

2. Deduct 10% which will be your percentage/pay on Payments processed

3. Forward balance after deduction of percentage/pay to any of the offices you will be contacted to send payment to. (Payment is to forwarded by Local transfers (Western Union only). A local Money transfer takes barely hours, so it will give us a possibility to get customers payment almost immediately.

For example you have got �50,000.00

You take your income: �5,000.00

You will be able to operate with larger orders and you will be able to earn more.

Our payments will be sent into your Bank account that you provided, deduct your 10%(Salary) and forward the balance to the company via Western Union only.

We understand it is an unusual and incredible job position. This job takes only 3-7 hours per week.

You Will have a lot of free time doing another job, you will get good income and regular job. But this job is very challenging and you should understand it. We are looking only for the worker who satisfies our requirements and will be an earnest assistant, We are glad to offer this job position to you. If you feel that you are serious about this and be an earnest worker, All we will need for recording you to our database is below:

Full Name:-
Address:-
Age:-
Your Phone Number(s):-

Chris Moyle
Branch Manager
Croft Pole Distributors Limited
www.croftpoles.co.nz

The reply-to address is croftpole.update@gmail.com rather than croftpoles.co.nz, originating IP is 213.132.197.149 in the Netherlands, which hosts three porn sites but has probably been compromised. It is nothing at all to do with Croft Poles.

Of course, this 10% fee is a "too good to be true" scam which could well wind up with you going to prison, so it should be avoided at all costs.

Aurora

2010-01-15T00:11:00.003Z

According to McAfee, the attack on Google and several other tech companies that led to the likelihood that Google will quit China was called "Aurora" by the bad guys.

The cruiser "Aurora" signalled the start of the Russian Revolution in St Petersburg in 1917.. I wonder if this name was chosen deliberately when the attackers targeted some of the West's biggest tech companies?

Image source

More malvertisment domains

2010-01-14T23:42:00.003Z

The malicious ads were running through (and I understand now terminated by) bootcampmedia.com, related to this post, according to commenter cerdo:

Blogger cerdo said...

bootcampmedia.com was also likely hosting a malicious campaign yesterday afternoon, and perhaps still ongoing. I'd contact you Jamie, but I don't have contact info for you. This all is clearly closely related to Dynamoo's post...

traffic.worldseescolor.com is an obvious bad actor. The other related domains:
deliver.bailagequinismregrow.com
img.bailagequinismregrow.com
content.cabullacoexertstephen.com

as well as:
aanserver88.com
bonnapet.com
afkenai.com
bfskul.com

14 January 2010 18:40

Blogger cerdo said...

Yep - saw traffic.worldseescolor.com via bootcamp again less than 30 minutes ago.

Related sites, accessed immediately after traffic.worldseescolor.com:

deliver.boaterdunnagechicot.com
img.boaterdunnagechicot.com

14 January 2010 18:45

Worth checking your logs for and blocking in case they turn up on another network. Checking IPs comes up with:

traffic.worldseescolor.com
69.164.215.208, 69.164.215.210, 69.164.215.205, 69.164.215.207, 69.164.215.204 [Linode]

deliver.bailagequinismregrow.com
74.207.232.205, 74.207.232.250, 74.207.232.249, 74.207.232.248, 74.207.232.203, 74.207.232.30, 74.207.232.206, 74.207.232.31, 74.207.232.39, 74.207.232.25, 74.207.232.202, 74.207.232.35 [Linode]

img.bailagequinismregrow.com
174.143.243.220, 98.129.238.102, 98.129.238.106, 98.129.236.239, 174.143.245.236, 98.129.237.14, 174.143.242.109, 174.143.243.90, 98.129.236.154, 98.129.238.101, 98.129.238.112, 98.129.236.254, 174.143.241.174, 98.129.238.105, 98.129.238.103, 174.143.243.162, 174.143.242.58, 98.129.238.99
[Slicehost / Rackspace]

content.cabullacoexertstephen.com
69.164.196.55 [Linode]

aanserver88.com
67.225.149.152 [Liquid Web]

bonnapet.com
Was 217.20.114.40 [Netdirekt / internetserviceteam.com] now appears to be down.

afkenai.com
195.2.253.93 [Madet Ltd, Moscow]

bfskul.com
195.2.253.93 [Madet Ltd, Moscow]

I don't have the full trace of these, so it's not exactly clear what these domains are doing in the reported chain.

More malicious OWA domains

2010-01-14T16:29:00.001Z

In addition to these and these.

yht30.net.pl
yht36.com.pl
yht37.com.pl
yht38.com.pl
yht39.net.pl
yht3e.net.pl
yht3q.net.pl
yht3r.pl
yht3t.pl
yht3w.net.pl

And there's more..

2010-01-13T17:16:00.000Z

More domains relating to this Zbot attack:

ui7772.co.kr
ui7772.kr
ui7772.ne.kr
ui7772.or.kr
ui7772co.kr
ui777f.kr
ui777f.ne.kr
ui777f.or.kr
ui777for.kr
ui777l.co.kr
ui777l.co.kr
ui777lco.kr
ui777p.co.kr
ui777p.kr
ui777p.or.kr
vcrtp.eu
vcrtp1.eu
vcrtp21.eu
vcrtprsa21.eu
vcrtps21.eu
vcrtpsa21.eu
vcrtrsa21.eu
vcrtrsr21.eu
vcrtrsrp2.eu
vcrtrsrp21.eu

Convincing look OWA fake leads to PDF exploit

2010-01-13T13:50:00.003Z

There are getting spammed out at the moment:

From: automailer@blahblah.blah [mailto:automailer@blahblah.blah]
Sent: 13 January 2010 11:08
To: Victim Username
Subject: The settings for the username@blahblah.blah mailbox were changed

Dear user of the blahblah.blah mailing service!

We are informing you that because of the security upgrade of the mailing service your mailbox (username@blahblah.blah) settings were changed. In order to apply the new set of settings click on the following link:

http://blahblah.blah/owa/service_directory/settings.php?email=username@blahblah.blah&from=blahblah.blah&fromname=username

Best regards, blahblah.blah Technical Support.

Letter ID#NGTS7OTY8XPZX8FEUYTTTZ1PF

The displayed link isn't the actual link, underneath it points to something like:
http://blahblah.blah.vcrtp21.eu/owa/service_directory/settings.php?email=username@blahblah.bah&from=blahblah.blah&fromname=username

Clicking through the link takes you to a convincing looking OWA (Outlook Web Access) forgery page, populated with the victim's domain name and email address.

There are two exploits on the page, the first one is a drive-by download of an infected PDF file called pdf.pdf for which VirusTotal detection is only 10/41, detected by McAfee as Exploit-PDF.ac and various others. The executable file you are directed to download is also a bit patchy on detections.

Sender names include:

operator@
support@
notifications@
no-reply@
system@
alert@
info@

..all on your local domain, obviously.

Subjects include:

The settings for the blah@blah.blah mailbox were changed
The settings for the blah@blah.blah were changed
A new settings file for the blah@blah.blah mailbox
A new settings file for the blah@blah.blah has just been released
For the owner of the blah@blah.blah e-mail account
For the owner of the blah@blah.blah mailbox

Some domains in use on this are:

vcrtp1.eu
vcrtp21.eu
vcrtprsa21.eu
vcrtpsa21.eu
vcrtrsa21.eu
vcrtrsr21.eu
vcrtrsrp2.eu
vcrtrsrp21.eu

..there are probably many more of a similar pattern.

WHOIS details are fake:

Name:
Quezada, Ramon
Address:
1800 N. Bayshore Drive
33132 Roma
Roma
Italy
Email:
wawddhaepny@yahoo.com

Domains are on a fast flux botnet, so there's no point listing IPs. However, nameservers are as follows:
ns1.raddoor.com
84.243.201.159 [Netrouting Data Facilities, Amsterdam]
ns2.raddoor.com
71.123.51.158 [Verizon Internet Services Inc, Aston]
ns1.elkins-realty.net
84.243.201.159 [Netrouting Data Facilities, Amsterdam]
ns2.elkins-realty.net
71.123.17.61 [Verizon Internet Services Inc, Whitesboro]

Registrant details for raddoor.com are probably bogus:

edmund pang figarro77@gmail.com
751 kinau st. #30
honolulu
HI
96813
US
Phone: +1.8085362450

Registration details for elkins-realty.net are DEFINITELY bogus:

Name : B O
Organization : B O
Address : 123 elm str.
City : Los Angeles
Province/State : beijing
Country :
Postal Code : 23456
Phone Number : 86--8586104812
Fax : 86--8586104819
Email : BO.la@yahoo.com

Once your machine is infected, it probably gets infected with a Zbot variant as in these two previous examples.

More on malvertisements running through Bootcampmedia.com

2010-01-13T10:06:00.002Z

Sandi at Spyware Sucks has a closer look at the malvertisements running through Bootcampmedia.com and comes up with some more details, following up from this post yesterday.

In this case the endpoint of the infection has switched to bonnapet.com hosted on 217.20.114.40 which is hosted by netdirekt e.K. / internetserviceteam.com, hardly surprising as they are one of the more common havens for crimeware. The internetserviceteam.com name appears to be a sub-brand used for black hat hosting .. perhaps it is time for a visit from the Bundespolizei?

Google to quit China?

2010-01-13T09:48:00.002Z

"We're mad as hell and we're not going to take this any more!"

More here and here.

Image credit

BoingBoing.net / Bootcampmedia.com ad leads to malware

2010-01-12T10:53:00.005Z

A malicious ad running on BoingBoing.net is delivering visitors to a PDF exploit.

Given the complicated state of advertising arbitrage, it is unlikely that BoingBoing.net have much control over it. The ad appears to be loading in from ad.yieldmanager.com (which is Yahoo!) and/or ad.z5x.net (DSNR Media Group) both of which are hosted on the same multihomed IP addresses.

The ad itself (pictured) appears to be some sort of get-rich-quick scheme or other.

This ad then directs through ads.bootcampmedia.com/servlet/ajrotator/790744/0/vh?z=BootCamp&dim=335848 to traffic.firedogred.com/content?campaign=1219131&sz=2 (this combination of bootcampmedia.com and firedogred.com has been noted before)

The ad then hops to deliver.amerchibchapowered.com/rotate?m=5;b=2;c=1;z=243826 then content.baalcootymalachi.com/track/3388182/S_SE?[snip] loading an image from img.amerchibchapowered.com along the way.

Finally, the visitor is directed to chohivyb.info/cgi-bin/aer/[snip] which contains an exploit detected as Troj/PDFJs-GI by Sophos.

"Boot Camp Media" is run by a guy called Jamie Dalgetty of Guelph, Ontario in Canada. It's unlikely that he's a bad guy, more likely that his ad network is being exploited by a malcious third party.

traffic.firedogred.com is rather more interesting, multihomed on 69.164.215.204, 69.164.215.205, 69.164.215.207, 69.164.215.208 and 69.164.215.210 at Linode, New Jersey. The domain firedogred.com is slightly interesting:

Registrant:
Domain Owner
15156 SW 5th
Scottsdale, Arizona 85260
United States

Registered through: GoDaddy.com, Inc. (http://www.godaddy.com)

Domain Name: FIREDOGRED.COM
Created on: 15-Sep-09
Expires on: 15-Sep-10
Last Updated on: 15-Sep-09

Administrative Contact:
Owner, Domain trafficbuyer@gmail.com
15156 SW 5th
Scottsdale, Arizona 85260
United States
(800) 555-1212 Fax --

Technical Contact:
Owner, Domain trafficbuyer@gmail.com
15156 SW 5th
Scottsdale, Arizona 85260
United States
(800) 555-1212 Fax --

Domain servers in listed order:
NS57.DOMAINCONTROL.COM
NS58.DOMAINCONTROL.COM

trafficbuyer@gmail.com has been used for these malicious domains for some months and is well known.

deliver.amerchibchapowered.com is also multihomed at Linode on 74.207.232.250, 74.207.232.25, 74.207.232.30, 74.207.232.31, 74.207.232.35, 74.207.232.39, 74.207.232.202, 74.207.232.203, 74.207.232.205, 74.207.232.206, 74.207.232.248 and 74.207.232.249. The domain was registered on 7th January 2010 and is hidden by DomainsByProxy.

content.baalcootymalachi.com is hosted on 69.164.196.55 at Linode again, again registered on 7th January via DomainsByProxy.

img.amerchibchapowered.com is hosted on a large number of servers at 174.143.243.90, 174.143.243.162, 174.143.243.220, 174.143.245.236, 98.129.236.154, 98.129.236.239, 98.129.236.254, 98.129.237.14, 98.129.238.99, 98.129.238.101, 98.129.238.102, 98.129.238.103, 98.129.238.105, 98.129.238.106, 98.129.238.112, 174.143.241.174, 174.143.242.58, 174.143.242.109 - these are all hosted at Slicehost.com which is a customer of Rackspace.

Finally, chohivyb.info is hosted on 216.150.79.74 which is some outfit called ezzi.net of New York owned by another outfit called AccessIT. No prizes for guessing that chohivyb.info has been registered only very recently with anonymous details.

216.150.79.74 is a well-known malware server, and that hosts the following domains which you can assume are malicious:

Ablxsr.info
Ajgdrt.info
Alevfq.info
Alfwqr.info
Alrpsl.info
Ameronada.info
Bnzbfz.info
Bodxmt.info
Bplimo.info
Briliantio.info
Bvqlag.info
Bzjsqk.info
Ccwarj.info
Cityopicos.info
Clthth.info
Ctksji.info
Dasyxe.info
Dbivoh.info
Dgltup.info
Dpuefh.info
Dtjblp.info
Enhmqq.info
Enqpqk.info
Euespj.info
Exmxfd.info
Fblooe.info
Fdwghs.info
Fopqde.info
Fprvsu.info
Frgbat.info
Fymjjz.info
Gelvmf.info
Gnautw.info
Gnysgg.info
Gredotcom.info
Grupodanot.info
Grxqog.info
Gukuny.info
Gyckjq.info
Hagijd.info
Haqdsc.info
Hgtbng.info
Hjdnps.info
Hyiyyi.info
Iakecg.info
Iaoaxz.info
Iewwpn.info
Ijaflj.info
Iohbvo.info
Jhrubd.info
Jokirator.info
Kbwstb.info
Kibfsz.info
Klamniton.info
Ktebkx.info
Kxlglw.info
Leeloe.info
Lgcezx.info
Lkraat.info
Lktcaj.info
Llchqs.info
Lnmrjz.info
Lokitoreni.info
Lqhczk.info
Lywavy.info
Lyzocu.info
Mallstern.info
Manaratora.info
Megafrontan.info
Mesxql.info
Mngmjc.info
Monsatrik.info
Montrealt.info
Mruvienno.info
Mrvsnq.info
Nalszu.info
Ncnzfh.info
Neiaea.info
Nigrandara.info
Njcmug.info
Npmkrr.info
Ntaxkj.info
Obzdkn.info
Ocftfa.info
Optugj.info
Otfcco.info
Owpwhi.info
Pbrugb.info
Plxxii.info
Pncgfd.info
Ppusmb.info
Prbakn.info
Qdinql.info
Qgxelo.info
Qqtwft.info
Realuqitor.info
Refrentora.info
Retuvarot.info
Rfouce.info
Rljysj.info
Rocqdn.info
Roeaaj.info
Semqef.info
Snosrz.info
Spgsgh.info
Stqvqw.info
Swrapz.info
Tcoqgo.info
Tehfnn.info
Top-lister1.info
Transforltd.info
Tsfxzg.info
Tyenxv.info
Ugrdzf.info
Uliganoinc.info
Urupnk.info
Utpxno.info
Uyguau.info
Vbqfdm.info
Veqibp.info
Vkfaao.info
Vwwtlp.info
Wddifv.info
Wdhcvv.info
Wdokxd.info
Wevoratora.info
Wtstds.info
Wvkjxx.info
Wvlsam.info
Xbhmws.info
Xbxynl.info
Xcisup.info
Xxiyrv.info
Ybeaxd.info
Yfntrg.info
Yqjxkj.info
Ywbxen.info
Zdkaki.info
Zhwtqz.info
Zlpbha.info
Znkwjc.info
Zqpwco.info

Unlocker.org.uk is located on the same server, but it doesn't seem to fit in with the malware delivery and perhaps it is best to assume that it is a coincidence.

Obviously block or null-route these destinations as you feel fit, and do not purchase any ads from firedogred.com!

Added: You probably want to block these too..

216.150.79.76

Cacorq.info
Clxhbz.info
Dgrxqh.info
Diwiowano.info
Dmdurz.info
Funkol.info
Geetol.info
Gitoer.info
Gondiroda.info
Gutrandin.info
Hizfek.info
Hopore.info
Ivgzda.info
Jopqae.info
Kolpao.info
Nadotraza.info
Niraynome.info
Ofahitino.info
Oirjsa.info
Ornotivec.info
Pirtaf.info
Popsto.info
Rellok.info
Ruhcsy.info
Sacmtf.info
Sdoras.info
Tapiroten.info
Tiizwb.info
Traxemere.info
Ulmqmq.info
Vivibt.info
Xsxydj.info
Yuncdjbiw.info
Yyoqny.info

216.150.79.77

Bnodas.info
Brasilianstoree.info
Byzypub.info
Depahugu.info
Gionasodor.info
Giratunes.info
Gyreal.info
Hlopki.info
Huerin.info
Igerinsar.info
Jcafuzixa.info
Joketarona.info
Koevoru.info
L-iza.info
Laryju.info
Manocoraz.info
Nbuuf.info
Npefu.info
Nvihobepo.info
Pe-aqemop.info
Pyneh.info
Retiof.info
Rzajexu.info
Tolkienad.info
Tymane.info
Typolazu.info
Vfoxoe.info
Wanitale.info
Yawibyve.info
Ydiuvy.info
Zoimie.info

"Testkauf" - German language "mystery shopper" scam

2010-01-07T13:22:00.002Z

For some reason, I've been getting a lot of these German-language spams, mostly originating from Brazil..

Subject: Testkauf

Mitarbeiter fuer Testeinkauf bundesweit gesucht.
Bewerbung bitte an blahblah@yahoo.de

This roughly translates as:

Subject: Test Shopping
Searching nationwide for employees to do test purchasing.
To apply, please contact blahblah@yahoo.de

In each case, the header contain a fake "from" address, the Yahoo! email address changes constantly.. and the mail seems to come from Brazil. This is most likely just a version of the mystery shopper scam, and should be avoided.

mailbox-email.com scam

2009-12-22T23:15:00.002Z

Part of a long running dating scam, mailbox-email.com looks like a free email service, but isn't. Hosted on 222.170.127.122 in China, the server also hosts various fake dating and prescription sites.

All of these following sites are some scam or another, avoid them:

Adltfuntime.com
Adultmeetspot.com
Amazmail.com
Aprofilepage.com
Blowingawaytherestnow.com
Email-mailbox.com
Findallthebestherenow.com
Findnewfriend.net
Free-email-chat.com
Free-email-connect.com
Free-email-fun.com
Free-email-live.com
Freeextender.net
Freemailaccounts.net
Freemailnow.net
Getitatrxcenternow.com
Greatestofrxznow.com
Happeningrxcenternow.com
Hotlivemailchat.com
Kingofthekingofrxznow.com
Myemailhome.net
Netherlandsdns.com
Nodocneededforrxmedznow.com
Plygroundadlt.com
Realdealrxbrandnamesnow.com
Sexyhotlivechat.com
Skinny-me.info
Ysjhdfjd.com
Zeuhiuer.com

Piradius.Net / Adobe Zero-Day threat

2009-12-15T22:52:00.002Z

Another good reason not to have Adobe Reader on your PC - the ISC is reporting yet another zero-day threat being exploited by the bad guys, using the domain foruminspace.com.

And guess who is hosting it.. yes, our old friends at Piradius.net, going to show just how dark grey their hat is and demonstrating another very good reason to block 124.217.224.0 - 124.217.255.255.

"freeemailnow.net" scam

2009-12-05T13:32:00.002Z

The domain freeemailnow.net looks like.. well, it looks like a free e-mail provider. But it isn't, it's part of some sort of fraudulent scheme, most likely a dating scam.

The pitch arrives something like this:

Subject: your profile
From: "Pasquale Clay"
Date: Fri, December 4, 2009 11:55 pm

Hey!
I know you dont know me, but I d like to get to know you.
I stumbled upon your contact information, am looking for a chat friend and maybe more.
Write me back at: snowfall1@freeemailnow.net

i am anxious to talk with you

A look at the SOA records points to ns1.netherlandsdns.com and admin.affilnet.net - affilnet.net is familiar, indicating that this is a re-run of the warmfuzzylove.com scam but again annoyingly missing a picture of a pretty Russian girl.

The registration details for freeemailnow.net are anonymous, nameservers are ns1.netherlandsdns.com and ns2.netherlandsdns.com, both on 222.170.127.122 in China along with freeemailnow.net itself.

There's a bunch of fake pharma sites sharing the same server:

Acquireflowherenow.com
Acquirerxmedzherenow.com
Allthebestatyourfingertips.com
Alwaysbetterrx.com
Anyrxmedications.com
Beatingallcompetition.com
Besatifiedmedsnow.com
Bestrxbuyshere.com
Blowingawaytherestnow.com
Championrxsource.com
Cheapcodeines.com
Choosefr0mthebest.com
Codeineoffers.com
Codeinepromo.com
Crazymedsupplyforyou.com
Discount-codeine.com
Easyrxhere.com
Expressmedz4u.com
Findallthebestherenow.com
Fingtertiprxmedacces.com
Firerxmedication.com
Flowagerofgood.com
G00dsonline.com
Getallyourfavorites.com
Getitatrxcenternow.com
Getmedicatedonline.com
Getrxeasily.com
Getrxeasilyonline.com
Getrxmedicationsherenow.com
Goodzchoices.com
Greatestofrxznow.com
Greatmedicalshere.com
Greatrxdepot.com
Greatrxg00ds.com
Greatrxonline4u.com
Grillindealz4u.com
Happeninggoodtime.com
Happeningrxcenternow.com
Honorablechoice.com
Incrediblerx4u.com
Kingofthekingofrxznow.com
Maxsav3r.com
Maxsaverz.com
Meddiezcenter.com
Medzfromonlinetoyourhome.com
Mosthighlysoughtafter.com
Neverendingflowages.com
Neverwaitrx.com
Newrx4champions.com
Niceflowofmedz.com
Nodocneededforrxmedznow.com
Nomorewaitinginlinenow.com
Onpointflowage.com
Qualitycodeine.com
Quickrxmedications.com
Readysetgetmedz.com
Realdealrxbrandnames.com
Realdealrxbrandnamesnow.com
Realdealrxrefills.com
Refillrx-depot.com
Reliableflowagehere.com
Reliablemedsource4u.com
Reliablerx4uonline.com
Rightrxchoice.com
Rx-refilldepot.com
Rxmainsource.com
Rxmedsolution4unow.com
Rxmedzatthefingers.com
Rxmedzinnotime.com
Rxremedies4u.com
Rxthatbeatsallothers.com
Rxwindowonline.com
Rxsourceforwinners.com
Selectfromallthebestmeds.com
Selectionfromthebest.com
Simeplyarx.com
Smokingdealz4u.com
Swiftestmedz.com
Theeasyreliablesourcenow.com
Theflowageoccurshere.com
Themybetterrx.com
Toprxsuppliers.com
Toprxsupplierz.com
Uniqueflowagesnow.com
Wehaveallyourfavorites.com
Wehavethemforyou.com
Wehavewhaturlookingfornow.com
Wehavewhatyourlooking4.com
Your-rxs.com
Netherlandsdns.com

Anyway, this is the same old scam and it should be avoided along with the fake RX sites that go with it.

"Bank of England" scam email

2009-12-03T22:39:00.002Z

This is some sort of fraud or phishing attempt, the email originates from richardscott269@msn.com but solicits replies to richardscott555@rediffmail.com - both of these are free email providers, and I'm pretty sure that the Bank of England can afford its own email servers. Avoid.

Subject: Payment Notification
From: "Richard Scott" <richardscott269@msn.com>
Date: Thu, December 3, 2009 10:12 pm

From: Richard Scott
International Settlement Dept.
Bank of England
http://www.bankofengland.co.uk/
Ref: BOE/ISD/ACD/4556/09

ATTN :

The International Settlement department of Bank of England is obligated to contact you for the immediate release of your fund whose account has be come dormant and subsequently transferred to this department as unclaimed fund.Our findings have revealed that the problem behind your inability to have received your fund from the corresponding bank resulted from lack of transparency, insincerity and incessant demand for money by your representative(s) for unusual payments. We have therefore decided to establish a direct transfer payment system (DIPS) with you for the prompt release of your funds without any hitch.

We therefore request that you respond to this email immediately ( forwarding your direct contact telephone number) to enable us proceed with the release of your fund accordingly.

Yours in service,
Richard Scott.

Incisive Media / writeathomesystems.com spam

2009-12-02T22:15:00.002Z

Incisive Media is a little-known firm that comprises the rump of the much better known VNU Publications that was sold off into private equity a few years ago.

You might know the name "Incisive Media" through their miserable failure to sustain Personal Computer World which was one of the oldest computer magazines in the world, but they also own several other professional publications.

So, I was a little surprised to see that Incisive now seems to be in the business of sending out get-rich-quick spam.

Subject: Private Equity Europe
From: "Chesther Jane" <mcjane99@gmail.com>
Date: Wed, December 2, 2009 7:21 pm

Respected Friends,
“Who else wants to earn a full-time income writing on the INTERNET? You can start earning money writing online even if you have no prior experience.” If you can write at a 9th grade level, you could easily earn a full time income writing online.
Companies are desperately looking for entry level writers. If you want to start
earning money writing at home, this may be the most important page on the Internet you’ll read all year. Right now, you can make really good money, quickly and easily.
http://miniurl.com/22939
Chesther Jane
to unsubscribe reply REMOVE

Thank you for visiting my site!

http://www.incisivemedia.com/public/showPage.html?page=330349

DISCLAIMER
Private Equity Europe and Incisive Media do not take any responsibility for the
content of this email

The spam originates from 62.140.213.241 which is an Incisive Media IP address, and a close look at the mail headers shows more evidence:

Message-ID: <02 Dec 2009 19:21 IncisiveMailer@www.incisivemedia.com>

The URL miniurl.com/22939 forwards to Caroline.mikepsanderswri.click2sell.eu which is a laughably pathetic work-at-home scheme on the click2sell.eu affiliate network. To give click2sell.eu some credit, they are pretty good at terminating spammers.. which is why spammers try to mask their affiliate URLs.

I said "laughably pathetic", because you end up at writeathomesystems.com which attempts to recruit people to part with cold hard cash in order to learn how to write and market articles on the web.

Now, I'm not the best writer in the world.. and we all make tpyos now and again, but this one has a howler:

Yes, that says "(Prize will be changed tomorrow from $34.95 to $64.95)" when I'm really pretty sure that they mean "price".

Incidentally, a check of the Google cache shows that it was still referring to a price change "tomorrow" six days ago. I think there's a word for that.

Anyway, despite writeathomesystems.com truly crappy ad copy and highly dubious marketing techniques, they are not responsible for the spam. And as already mentioned, I know that click2sell.eu are pretty good at terminating spammers... so who is responsible?

Well, obviously the affiliate is responsible.. but also the people who strenuously deny responsibility are right in the frame.. remember the footer from the Incisive Media spam?

DISCLAIMER
Private Equity Europe and Incisive Media do not take any responsibility for the
content of this email

That's a bit like saying "I don't take any responsibility for taking a shit in your shoes" even though you have just left a big steaming turd in someone's footwear. And one vital question is.. where did the spammers get their email addresses from? Did Incisive sell them on? Or were they scraped?

"Please design a logo for me. With pie charts. For free."

2009-11-27T12:58:00.003Z

Classic.. but wait, there's more to this story too! Language possibly NSFW.

This is the guy who tried to pay a bill with a drawing of a spider.