
Tuesday, 18 July 2017

Malware spam: UK Fuels Collection / "invoices@ebillinvoice.com"

This fake invoice comes with a malicious attachment:

From:    invoices@ebillinvoice.com
Date:    18 July 2017 at 09:37
Subject:    UK Fuels Collection

Velocity

ACCOUNT NO
******969

Dear CUSTOMER,
Your latest invoice for your fuel card account is now available for you to view online, download or print through our Velocity online management system.

How to view your invoices

Viewing your invoice is easy
1. Log into Velocity at velocityfleet.com
2. Select 'Invoices' from the menu option
3. Select the invoice you wish to view. You can also print or download a copy

We want to ensure we are protecting your information and providing you with a simple, straightforward and secure way to access your account information. Velocity could not be simpler to use, you will not only have access to download all of your invoices, you will also be able to order cards, run reports on transactions and get to view your PIN reminder online.

Your safety is our priority

Please do not reply to this email, it has been sent from an email address that does not accept incoming emails. Velocity will never ask you to supply personal information such as passwords or other security information via email.

If you are experiencing difficulties in accessing Velocity, please do not hesitate to call us on 0344 880 2468 or email us at admin@groupcustomerservices.com

Thank you for using this service.
Yours sincerely,

UK Fuels Limited Customer Services

Spam Policy | Customer Services: 0344 880 2468

This email does not come from UK Fuels or Velocity, but is in fact a simple forgery sent from the Necurs botnet.


In the sample I saw there were two attachments, one was a simple text file that looked like this:

Filetype: Microsoft Office Word
Filename: 11969_201727.doc
Creation date: Tue, 18 Jul 2017 14:07:26 +0530
Modification date: Tue, 18 Jul 2017 14:07:26 +0530
To: [redacted]
The second is a malicious Word document, in this case named 11969_201727.doc. Opening it brings up a screen asking you to enable active content (not a good idea!). The VirusTotal detection rate is 10/59.

Automated analysis [1] [2] shows that the malicious document downloads a binary from dielandy-garage.de/56evcxv (although there are probably other locations), fetching a file proshuto8.exe which itself has a detection rate of 11/63. Additional automated analysis [3] [4], combined with the others, shows potentially malicious traffic to:

37.120.182.208 (Netcup, Germany)
186.103.161.204 (Telefonica , Chile)
194.87.235.155 (Mediasoft Ekspert, Russia)
195.2.253.95 (Sphere Ltd, Russia)

Malware delivered in this way is usually ransomware or a banking trojan. UPDATE: this is the Trickbot trojan.

Recommended blocklist:
37.120.182.208
186.103.161.204
194.87.235.155
195.2.253.95




Friday, 2 January 2015

binarysmoney.com / clickmoneys.com / thinkedmoney.com "job" spam

I've been plagued with these for the past few days:

Date:    2 January 2015 at 11:02
Subject:    response

Good day!

We considered your resume to be very attractive and we thought the vacant position in our company could be interesting for you.

We cooperate with different countries and currently we have many clients in the world.
Part-time and full-time employment are both currently important.
We offer a flat wage from $1500 up to $5000 per month.

The job offers a good salary so, interested candidates please registration on the our site: www.binarysmoney.com

Attention! Accept applications only on this and next week.

Respectively submitted
Personnel department

Subject lines include:

New employment opportunities
Staff Wanted
Employment invitation
new job
New job offer
Interesting Job
response

Spamvertised sites seen so far are binarysmoney.com, clickmoneys.com and thinkedmoney.com, all multihomed on the following IPs:

46.108.40.76 (Adnet Telecom / "Oancea Mihai Gabriel Intreprindere Individuala", Romania)
201.215.67.43 (VTR Banda Ancha S.A., Chile)
31.210.63.94 (Hosting Internet Hizmetleri Sanayi Ve Ticaret Anonim Sirketi, Turkey)

Another site hosted on these IPs is moneyproff.com. All the domains have apparently fake WHOIS details.

It looks like a money mule spam, but in fact it leads to some binary options trading crap.


There is no identifying information on the page at all. Trustworthy? Nope. But let's look at that relaxed looking chap at the top of the page, in a picture called matthew.png.

Well, that's just a Shutterstock stock photo that is pretty widely used on the web. In fact, everything about this whole thing is a cookie-cutter site with text and images copied from elsewhere.

Binary options are a haven for scammers, and my opinion is that this is such a scam given the spammy promotion and hidden identity of the operators. I would recommend that you avoid this and also block traffic to the following IPs and domains:

46.108.40.76
201.215.67.43
31.210.63.94
clickmoneys.com
thinkedmoney.com
binarysmoney.com
moneyproff.com
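A small sweep over proxy logs for the indicators in the two blocklists above (the Trickbot C2 addresses and download host from the UK Fuels malspam, and the IPs and domains behind this "job" spam). This is an added example, not code from the original post; the log layout and the sample records are constructed, and the two destination addresses used for the blocked domains are placeholder documentation IPs, not the real hosting.

```python
import re
from dataclasses import dataclass

# Indicators copied from the two posts above: the Trickbot C2 addresses and
# download host from the UK Fuels malspam, plus the hosts behind the "job" spam.
BLOCKED_IPS = {
    "37.120.182.208", "186.103.161.204", "194.87.235.155", "195.2.253.95",
    "46.108.40.76", "201.215.67.43", "31.210.63.94",
}
BLOCKED_DOMAINS = {"dielandy-garage.de", "clickmoneys.com", "thinkedmoney.com",
                   "binarysmoney.com", "moneyproff.com"}

# Assumed proxy log layout: <timestamp> <client_ip> <dest_ip> <host_header> <method> <path>
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<dst>\S+)\s+(?P<host>\S+)\s+(?P<method>\S+)\s+(?P<path>\S+)")

# Constructed sample log; 198.51.100.7 and 203.0.113.9 are placeholder
# documentation addresses, not the real hosting of those domains.
SAMPLE_LOG = """\
2017-07-18T09:40:11Z 10.0.0.23 93.184.216.34 example.com GET /
2017-07-18T09:40:58Z 10.0.0.23 198.51.100.7 dielandy-garage.de GET /56evcxv
2017-07-18T09:41:02Z 10.0.0.23 37.120.182.208 37.120.182.208 CONNECT /
2017-07-18T09:42:30Z 10.0.0.41 203.0.113.9 www.binarysmoney.com GET /register
2017-07-18T09:43:00Z 10.0.0.41 203.0.113.9 notbinarysmoney.com GET /
malformed record
"""

@dataclass
class Hit:
    line_no: int
    client: str
    indicator: str
    reason: str

def domain_blocked(host: str) -> bool:
    """True for a blocked domain or any subdomain of it; avoids substring false positives."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in BLOCKED_DOMAINS)

def scan(lines):
    """Return one Hit per parsable record that reaches a blocked IP or domain."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed record: skip it rather than abort the sweep
        if m["dst"] in BLOCKED_IPS:
            hits.append(Hit(n, m["client"], m["dst"], "destination IP on blocklist"))
        elif domain_blocked(m["host"]):
            hits.append(Hit(n, m["client"], m["host"], "host on blocklist"))
    return hits
```

Matching on the host header as well as the destination IP catches the domain-based indicators even when the site moves to a new address, while the suffix check keeps look-alike names such as notbinarysmoney.com from producing false positives.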

Tuesday, 2 July 2013

Malware sites to block 2/7/13

These sites belong to this gang and house exploit kits and other nastiness. I've broken the list down into three sections: IPs and web hosts, plain IPs (for copy and pasting) and malware domains. The domains change on a regular basis, the IPs less frequently and are therefore probably the best things to block.


Friday, 29 July 2011

Fake jobs: chile-hh.com, cl-joblists.com, pt-joblist.com and spain-joblist.com

Four new fake job domains today, targeting victims in South America, Spain and Portugal.

chile-hh.com
cl-joblists.com
pt-joblist.com
spain-joblist.com

These domains were all registered in the past few days. The standard email approach seems to be "from" the victim, and they are often badly translated into Portuguese and Spanish.

The "jobs" on offer are not jobs at all, they usually involve money laundering and other criminal activities. They form part of this very long running scam that has been going on for years.

Three of the four domains have a new (fake) registrant that we haven't seen before:

Alexey Kernel
    Email: johnkernel26@yahoo.co.uk
    Organization: Alexey Kernel
    Address: Kreshchatyk Street 34
    City: Kiev
    State: Kiev
    ZIP: 01090
    Country: UA
    Phone: +38.00442794512 

If you have an example email, please consider sharing it in the comments.

Wednesday, 27 July 2011

Fake jobs: chile-hh.com, cv-trabalho.com, espana-hh.com and worldjoblists.com

These domains are being used to advertise fake jobs and appear to be targeting Spanish and Portuguese speakers. They form part of this long-running series of domains associated with fake job offers.

chile-hh.com
cv-trabalho.com
espana-hh.com
worldjoblists.com


The jobs being offered are typically money laundering (lavado de dinero / lavagem de dinheiro) which are highly illegal. It is possible that some other jobs offered may be "back office" functions, including translation into local languages.

The domains are very new, registered in the past two days to:

Ricardo Lopez
    Email: ricardolip2@yahoo.com
    Organization: Ricardo Lopez
    Address: ul. Liivalaia 34-10
    City: Tallin
    State: Tallin
    ZIP: 15040
    Country: EE
    Phone: +3.726317190 

If you have any examples of mail using these domains, please consider sharing them in the Comments section. Thanks.

Thursday, 21 July 2011

Fake jobs: world-chilecv.com

Just a single fake job domain today, world-chilecv.com is an addition to this long-running series of so-called job offers which actually turn out to be money laundering or some other criminal activity.

The domain in question was registered just yesterday to the no-doubt fake registrant:

Ricardo Lopez
    Email: ricardolip2@yahoo.com
    Organization: Ricardo Lopez
    Address: ul. Liivalaia 34-10
    City: Tallin
    State: Tallin
    ZIP: 15040
    Country: EE
    Phone: +3.726317190 


This domain was registered only yesterday. Avoid.

Wednesday, 13 July 2011

Fake jobs: cl-exlusive.com, europ-exlusive.com, totalworld-job.com, uk-cvlists.com and uk-exlusive.com

Five new domains offering fake jobs (actually money laundering and other illegal activities), forming part of this long-running series of scams.

cl-exlusive.com
europ-exlusive.com
totalworld-job.com
uk-cvlists.com
uk-exlusive.com


The domains were created yesterday, registered to a no-doubt fake registrant:

Registrant:
    Luca Drue
    Email: lucadrue@yahoo.fr
    Organization: Luca Drue
    Address: 27, BERESTYANSKAYA STR
    City: Minsk
    State: Minsk
    ZIP: BY-220123
    Country: BY
    Phone: +37.5172749317
    Fax: +37.5172749311

If you have a sample email soliciting replies to one of these domains, please consider sharing it in the comments.