Showing posts with label Bulgaria.

Thursday 8 August 2013

TigerDirect.com spam / palmer-ford.net

This fake TigerDirect.com spam leads to malware on palmer-ford.net:

Date:      Thu, 8 Aug 2013 21:54:14 +0400 [13:54:14 EDT]
From:      "TigerDirect.com" [noreply@tigerdirect.com]
Subject:      Your TigerDirect.com Order I9179488 Shipment Update

Order Shipped: 08/07/2013
Order No. I9179488
Shipment Total: $732.20
Shipment Confirmation

[redacted],

Your order shipped on 08/07/2013 and is on its way to you. Click here to log in to MY ACCOUNT for the latest information on your order.

Below, you’ll find a recap of the shipped item(s):

TRACKING NUMBER(S):
1Z2V811KO067774417
(Note: Tracking information may not be available immediately; it may take up to 1 full business day for packages that have reached the shipper to have activity associated with the tracking number. Shipping confirmations for USPS and international shipments as well as for some special order items will not include a tracking number.)
Shipped Items:
Quantity 1: Lenovo H718 Desktop PC - 2nd Gen. Intel Core i3-1130 3.2GHz, 4GB DDR3, 500GB HDD, DVDRW, Windows 8 64-bit, Keyboard & Mouse, (65412680) (T56-C5300 )
(Click Image Above To Track Your Order) Allow 24 hours for the tracking # to appear in the Shippers' System.
Manufacturer Tech Support: 1-877-453-6686
Manufacturer Tech URL: www.lenovo.com


Again, for the latest information on your order, please click here to log in to MY ACCOUNT. You can also view your Order History, get Invoice Copies, Return Authorizations, add Product Reviews and much more.

Regards,

TigerDirect.com
Customer Care Team

CHECK OUT THE LATEST DEALS - CLICK HERE

Shipment Information
Abigail Hall
2864 N Bell Rd

Pasadena, SC 72936
Your shipping method varies. Please view the chart below for approximate transit times.

Transit Times
Truck Delivery: 7 - 10 Business Days
EconoShip Delivery: 4 - 9 Business Days
UPS Ground: 2 - 7 Business Days
UPS Second Day: 2 Business Days
UPS Next Day Air: 1 Business Day
US Postal Service: 2-3 Business Day Including Saturdays

Saturdays, Sundays and holidays do not count toward the estimated transit days. Packages that leave our fulfillment center on Saturdays, Sundays or holidays will not actually reach the shipper until Monday or the next business day.

Should you have any additional questions regarding your order, please feel free to visit our customer help pages at http://www.tigerdirect.com/help/.

Should you need to exchange or return a product, please visit http://www.tigerdirect.com/sectors/help/return.asp
   
Other Items to Consider

Home Theater Week

Search over 100,000 Products in Stock...
Refer-A-Friend
Deal Alerts via
Sign up for RSS

TigerDirect.com is not responsible for typographical errors or omissions. This email was sent to dynamoo@spamcop.net in response to Order # I9179488.

Note that TigerDirect.com never sells, rents, or shares your email address For more information, please review the TigerDirect.com Privacy Policy at: http://www.tigerdirect.com/sectors/aboutus/privacy.asp

Call Center Hours of Operation: Mon - Fri: 7am til 1am ET and Sat - Sun: 8am til Midnight ET

For Merchandise Returns: c/o TigerDirect Warehouse - 175 Ambassador Drive, Naperville, IL 60540

Copyright © 2013 - TigerDirect, Inc. 7795 West Flagler Street, Suite 35, Miami, FL 33144 (Corporate Headquarters: No Returns Accepted)
LEGAL NOTICES| PRIVACY POLICY
The email looks pretty convincing:


Clicking on the links in the email takes you to a legitimate hacked site and then on to a malware landing page at [donotclick]www.tigerdirect.com.secure.orderlogin.asp.palmer-ford.net/news/tiger-direct.php (report here) which contains an exploit kit.

Although it looks a bit like the link is actually on the tigerdirect.com site, it is actually hosted on the recently registered domain palmer-ford.net which has characteristically fake WHOIS details that mark it out as belonging to the Amerika gang.
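The trick here is that the brand's domain appears only in the subdomain labels, while the registrable domain is palmer-ford.net. As an added example (not from the original post), the following Python flags links whose subdomain labels embed a protected brand's domain under a different registered domain; the brand list and the minimal suffix table are assumptions for the example, and a real deployment would use the full Public Suffix List.

```python
from urllib.parse import urlsplit

# Brand domains the spam runs on this page impersonate. Constructed list for
# the example; a real deployment would load it from configuration.
PROTECTED_DOMAINS = {
    "tigerdirect.com",
    "pinterest.com",
    "aa.com",
    "paypal.com",
    "facebook.com",
    "linkedin.com",
}

# Minimal stand-in for the Public Suffix List (assumption: enough for the
# hostnames on this page; use the real list in production).
MULTI_LABEL_SUFFIXES = ("co.uk", "com.au", "state.tx.us")


def registered_domain(host: str) -> str:
    """Return the registrable domain of a hostname, e.g. 'palmer-ford.net'."""
    labels = host.lower().rstrip(".").split(".")
    for suffix in MULTI_LABEL_SUFFIXES:
        n = suffix.count(".") + 1
        if len(labels) > n and labels[-n:] == suffix.split("."):
            return ".".join(labels[-(n + 1):])
    return ".".join(labels[-2:])


def lookalike_brand(url: str):
    """
    If the URL's hostname embeds a protected brand domain as a run of
    subdomain labels under some *other* registered domain, return that
    brand; return None for links that really are on the brand's domain.
    """
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    if "." not in host:
        return None
    reg = registered_domain(host)
    if reg in PROTECTED_DOMAINS:
        return None
    # Everything left of the registered domain is attacker-chosen naming.
    if len(host) > len(reg):
        sub_labels = host[: -len(reg)].rstrip(".").split(".")
    else:
        sub_labels = []
    for brand in sorted(PROTECTED_DOMAINS):
        b = brand.split(".")
        for i in range(len(sub_labels) - len(b) + 1):
            if sub_labels[i:i + len(b)] == b:
                return brand
    return None


def flag_links(urls):
    """Return {url: impersonated_brand} for every lookalike link in urls."""
    hits = {}
    for url in urls:
        brand = lookalike_brand(url)
        if brand:
            hits[url] = brand
    return hits
```

Running flag_links over the URLs extracted from a mail body gives a quick triage signal; it complements, rather than replaces, blocking the registered domains themselves.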

   Administrative Contact, Technical Contact:
   Mills, Lawrence  rexona1948@live.com
   5700 Arlington Ave
   Bronx, NY 10471
   US
   7185432402


The malware domain is hosted on the following IPs along with some other malicious domains:
95.111.32.249 (Mobitel EAD, Bulgaria)
199.231.188.226 (Interserver Inc, US)
216.158.67.42 (Webnx Inc, US)


Tuesday 6 August 2013

Malware sites to block 6/8/13

Following on from last week's list, this week seems to see a smaller number of servers and malicious domains from this crew.


Tuesday 30 July 2013

"Your password on Pinterest was Successfully modified!" spam / onsayoga.net

This fake Pinterest spam leads to malware on onsayoga.net:

Date:      Tue, 30 Jul 2013 11:17:28 -0500 [12:17:28 EDT]
From:      Pinterest [caulksf8195@customercare.pinterrest.net]
Subject:      Your password on Pinterest was Successfully modified!

A Few Updates...
[redacted]
[redacted]

Changing your password is complete. Please use the link below within 24 hours. reset. Receive New Password to email.

Ask for a New Password

Pinterest is a tool for collecting and organizing things you love.

This email was sent to [redacted].
Don’t want activity notifications? Change your email preferences.

©2013 Pinterest, Inc. | All Rights Reserved
Privacy Policy | Terms and Conditions

The link goes through a legitimate hacked site and then on to [donotclick]www.pinterest.com.onsayoga.net/news/pinterest-paswword-changes.php (report here) which is hosted on the following IPs:
95.111.32.249 (Megalan EAD, Bulgaria)
122.128.109.46 (Ximbo / CPCnet, Hong Kong)
209.222.67.251 (Razor Inc, US)

These IPs are controlled by this gang and form part of this large network of malicious IPs and domains. I recommend you use that list in conjunction with blocking onsayoga.net.

Malware sites to block 30/7/13

These sites and IPs are associated with this gang, and are either currently in use or they have been in use recently. The list has individual IPs and web hosts first, followed by a plain list of recommended items to block.


Monday 22 July 2013

American Airlines spam / sai-uka-sai.com

This fake American Airlines spam leads to malware on www.aa.com.reservation.viewFareRuleDetailsAccess.do.sai-uka-sai.com:

From:     American.Airlines@aa.net
Date:     22 July 2013 17:22
Subject:     AA.com Itinerary Summary On Hold

Dear customer,

Thank you for making your travel arrangements on AA.com! Your requested itinerary is now ON HOLD. Details below.

To ensure that your reservation is not canceled you must complete the purchase of this reservation by clicking the “Purchase” button on this email, or by using the “View/Change Reservations” section on www.aa.com.

This reservation is on HOLD until July 22, 2013 11:59 PM CDT (Central Daylight Time).

Record Locator: LEBBGM             Purchase

Passengers

   Isabella  Green
NOTE: This is not a ticket or electronic receipt

Carrier | Flight Number | Departing (City, Date & Time) | Arriving (City, Date & Time) | Cabin | Booking Code | Seats | Meals
AMERICAN AIRLINES OPERATED BY AMERICAN EAGLE AIRLINES | 2879 | SPS Wichita Falls, July 24, 2013 10:50 AM | DFW Dallas/Fort Worth, July 24, 2013 11:43 AM | Economy | M | 32A | Food For Purchase
AMERICAN AIRLINES | 1795 | DFW Dallas/Fort Worth, July 24, 2013 12:35 PM | IAH Houston, July 24, 2013 01:43 PM | Economy | M | 23A |
AMERICAN AIRLINES | 1690 | IAH Houston, July 26, 2013 02:20 PM | DFW Dallas/Fort Worth, July 26, 2013 03:35 PM | Economy | M | 20C |
AMERICAN AIRLINES OPERATED BY AMERICAN EAGLE AIRLINES | 3294 | DFW Dallas/Fort Worth, July 26, 2013 04:20 PM | SPS Wichita Falls, July 26, 2013 05:10 PM | Economy | M | 27B | Food For Purchase
Fare Summary
Average Fare per Person - 444.00 USD
Passenger Type Used in Pricing | Fare per Person | Additional Taxes and Fees per Person | Total Price
1 Adult | 442.90 USD | 34.25 USD | 490.95 USD
Total Price 495.49 USD

Merchandising Summary
Flight Number | Seat Number | Seat Price | Taxes | Total Price
2879 | | 0.00 USD | 0.00 USD | 0.00 USD
1795 | | 14.00 USD | 1.05 USD | 15.05 USD
1690 | | 14.00 USD | 1.05 USD | 15.05 USD
3294 | | 0.00 USD | 0.00 USD | 0.00 USD
Total Price 30.10 USD
Purchase
Please note the following:
 • View Fare rules.
 • Fares are only guaranteed up to 24 hours.
 • Additional foreign taxes may apply.
 • Additional fees may also apply for tickets not purchased through AA.com.


This is not the itinerary receipt that is required for identification purposes at the airport check-in. That receipt will be furnished upon purchase of this reservation.

In order to proceed to your gate you must present a government issued photo I.D. and either your boarding pass or a priority verification card at the screening security checkpoint.

If you are not a resident of the U.S., U.K., Canada or select countries in Latin America and the Caribbean, tickets must be purchased at an American Airlines ticketing location/airport, or by calling an American Airlines International Reservations office. Flights booked on carriers other than American Airlines, American Eagle® or AmericanConnection® are on a request basis only.

You've got payment options at AA.com! Make your dream vacation come true with the Fly Now Payment Plan, speed through checkout with PayPal, or use electronic checks to pay directly from your checking account. You can also pay in cash at participating Western Union locations or use a credit/debit card. Available payment options may vary by country.

The link in the email goes through a legitimate hacked site and ends up on a malware landing page at [donotclick]www.aa.com.reservation.viewFareRuleDetailsAccess.do.sai-uka-sai.com/news/american-airlines-hold.php (report here) hosted on the following IPs:


50.97.253.162 (Softlayer, US)
95.111.32.249 (Megalan / Mobitel EAD, Bulgaria)
188.134.26.172 (Perspectiva Ltd, Russia)
209.222.67.251 (Razor Inc, US)

The WHOIS details for that domain are the characteristically fake ones associated with this gang:
        Michael Fenwick freehotjob@yahoo.com
        21 Fredricksburg Court
        State College
        PA
        16803
        US
        Phone: +1.8144411445





Tuesday 22 January 2013

Cheeky exploit kit on avirasecureserver.com

What is avirasecureserver.com? Well, it's not Avira, that's for sure. It is in fact a server for the Blackhole Exploit Kit.

This site is hosted on 82.145.57.3, an Iomart / Rapidswitch IP that appears to have been reallocated to:
person:         Dimitar Kolev
address:        QHoster Ltd
address:        Apt 1859
address:        Chynoweth House
address:        Trevissome Park
address:        Truro
address:        TR4 8UN
address:        GB
phone:          +13232180069
abuse-mailbox:  abuse@qhoster.com
nic-hdl:        DK5560-RIPE
mnt-by:         RAPIDSWITCH-MNT
source:         RIPE # Filtered


Trevissome Park is a small business park in Cornwall; there certainly isn't a building with over 1000 apartments there, so we can assume that "Apt" is a euphemism for a post box. There's also no company in the UK called QHoster Ltd. In fact, if we check the QHoster.com domain, we can see that it is a Bulgarian firm:

    QHoster Ltd.
    Dimitar Kolev        (domains@qhoster.net)
    27 Nikola D. Petkov Str.
    Sevlievo
    Gabrovo,5400
    BG
    Tel. +359.898547122
    Fax. +359.67535954

QHoster has an IP block of 82.145.57.0/25 suballocated to it. A quick poke around indicates not much of value in this range, so you may want to consider blocking the /25 as a precaution.



Sunday 3 June 2012

"Digg Verification" spam / dietpilldrugstore.com

This spam appears to be from Digg, but it leads to a fake pharmacy. It could easily be adapted to distribute malware though, and this is the first time that I have seen a fake Digg message such as this.

From: Digg [mailto:noreply@e.digg.com]
Sent: Sun 03/06/2012 13:00
Subject: Digg Verification


  Problem viewing this email?
View it in your browser.
Hi xxxxxx@xxx.xxx
Thank you for registering with us at Facebook social sharing. We look forward to seeing you around the site.

Now your friends can see what you're reading around the web. Also you can add or delete any article from your activity. Click the Social button to turn this off.

What is Facebook Social Share?

Share your Digg experience with your Facebook friends. Let your friends see what you're reading as you discover the best news around the web.

The email looks pretty convincing, but the link in it is a redirector to a bogus pharmacy site at dietpilldrugstore.com on 94.155.49.57 (ITD Network, Bulgaria). That IP address has a number of other fake pharma sites (listed below) and is probably worth blocking.


Wednesday 21 December 2011

b*redret.ru domains to block (updated)

Another set of "Redret" domains, the b*redret.ru series is used in malware distribution. It has some new IP addresses since the last time.

89.208.34.116 (Digital Network JSC Russia aka DINETHOSTING. Block 89.208.32.0/19 as it is all toxic)
baredret.ru
biredret.ru
bvredret.ru

91.228.133.120 (Inter-Treyd LLC, Russia. Recommend blocking 91.228.133.0/24)
blredret.ru
bsredret.ru

94.199.51.108 (23VNet Hungary)
bkredret.ru
bpredret.ru
bxredret.ru
byredret.ru

95.163.89.193 (Digital Network JSC Russia. Block 95.163.0.0/16 or 95.163.64.0/19)
bbredret.ru
bcredret.ru
bdredret.ru
beredret.ru
bfredret.ru
bgredret.ru
bhredret.ru

95.163.89.200 (Digital Network JSC Russia)
bwredret.ru
bzredret.ru

No IP at present
bjredret.ru
bmredret.ru
bnredret.ru
bqredret.ru
brredret.ru
btredret.ru
buredret.ru

Tuesday 20 December 2011

"Scan from a Xerox WorkCentre Pro" / cfredret.ru

This is a fairly common malware spam, pointing to malicious code on cfredret.ru/main.php.

Date:      Tue, 20 Dec 2011 05:42:20 +0300
From:      victimname@gmail.com
Subject:      Re: Fwd: Re: Scan from a Xerox WorkCentre Pro #2966272

A Document was sent to you using a Xerox WKC1296130.



Sent by: SHIRLEY
Images : 5
Image (.JPEG) Download

Device: UM85256LL6P68270479



bfe116b5-7dcccccc

cfredret.ru is hosted on 78.47.193.36, exactly the same IP address as this BBB themed malware spam. Blocking access to 78.47.198.32/29 is a fabulous idea if you can.

BBB Spam / blumtam.com

More BBB spam, this time attempting to deliver users to a malicious payload on blumtam.com. A couple of samples:

Date:      Tue, 20 Dec 2011 00:34:38 -0800
From:      "BBB" [alerts@bbb.org]
Subject:      Re: your customer's complaint ID 82235322
Attachments:     betterbb_logo.jpg

Attention: Owner/Manager

Here with the Better Business Bureau would like to inform you that we have been sent a complaint (ID 82235322) from a customer of yours in regard to their dealership with you.

Please open the COMPLAINT REPORT below to obtain the details on this case and let us know of your position as soon as possible.

We hope to hear from you shortly.

Kind regards,

Fernando Grodhaus

Dispute Counselor
Better Business Bureau


Council of Better Business Bureaus
4200 Wilson Blvd, Suite 800
Arlington, VA 22203-1838
Phone: 1 (703) 276.0100
Fax: 1 (703) 525.8277
and
Date:      Tue, 20 Dec 2011 11:09:23 +0200
From:      "BBB" [alerts@bbb.org]
Subject:      BBB case ID 59988329
Attachments:     betterbb_logo.jpg

Hello,

Here with the Better Business Bureau would like to notify you that we have been filed a complaint (ID 59988329) from a customer of yours related to their dealership with you.

Please open the COMPLAINT REPORT below to view more information on this matter and let us know of your opinion as soon as possible.

We are looking forward to hearing from you.

Faithfully,

Theresa Morris

Dispute Counselor
Better Business Bureau


Council of Better Business Bureaus
4200 Wilson Blvd, Suite 800
Arlington, VA 22203-1838
Phone: 1 (703) 276.0100
Fax: 1 (703) 525.8277

Payload is on blumtam.com/main.php?page=69dbd5a1e3ed6ae9 hosted on 78.47.198.36, a Hetzner AG address suballocated to an outfit called QHoster Ltd in Bulgaria. Blocking access to 78.47.198.32/29 would probably be prudent.