
Tuesday 25 October 2011

Some malware sites to block

These sites and IPs seem to be distributing some sort of Zeus variant. In this case users are being enticed to download a file called Fattura.zip (Italian for "invoice") which then contains an executable with the name Fattura.Doc_________________________________________________________________.exe (there are 65 underscores in the filename). That seems daft until you realise that all those underscores are designed to hide the .exe extension by making the filename so big that it is truncated.
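A mail or web gateway can catch this trick from the archive listing alone, without unpacking anything. The following is an added example, not code from the original post: it flags ZIP members whose executable extension is pushed out of view by filler after a decoy document extension. The extension sets, the padding threshold of 8 and the function names are assumptions, and the sample archive is constructed with placeholder contents.

```python
import io
import re
import zipfile

# Assumed lists: extensions Windows runs directly, and common decoy document types.
EXECUTABLE = {"exe", "scr", "com", "pif", "bat", "cmd"}
DECOY = {"doc", "docx", "pdf", "xls", "xlsx", "txt", "rtf", "jpg"}

# decoy extension, a run of filler (underscore, space, no-break space, hyphen),
# then the real extension at the very end of the name
PADDED = re.compile(
    r"\.(?P<decoy>[A-Za-z0-9]{2,4})(?P<pad>[_ \u00a0-]+)\.(?P<real>[A-Za-z0-9]{2,4})$"
)

def padded_executables(zip_bytes, min_pad=8):
    """Return (name, decoy_ext, pad_length) for members hiding an executable extension."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        for name in archive.namelist():
            base = name.rsplit("/", 1)[-1]  # ignore directories inside the archive
            match = PADDED.search(base)
            if not match or len(match["pad"]) < min_pad:
                continue
            decoy, real = match["decoy"].lower(), match["real"].lower()
            if decoy in DECOY and real in EXECUTABLE:
                findings.append((base, decoy, len(match["pad"])))
    return findings

def build_sample_zip():
    """Constructed sample archive: only the names matter, contents are placeholders."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("Fattura.Doc" + "_" * 65 + ".exe", b"placeholder")
        archive.writestr("docs/readme.txt", b"placeholder")
        archive.writestr("notes_2011__final.doc", b"placeholder")
        archive.writestr("setup.exe", b"placeholder")
    return buf.getvalue()

if __name__ == "__main__":
    for name, decoy, pad in padded_executables(build_sample_zip()):
        print(f"suspicious: .{decoy} decoy, {pad} filler chars, shown as {name[:30]}...")
```

A plain `setup.exe` is deliberately not flagged here; this check only targets the padding disguise, so it complements rather than replaces a policy on executables inside archives.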

At the moment, the malware (MD5 09886612d542e1b354aeda6a16f9ccf5) is poorly detected (4/43 at VirusTotal). ThreatExpert's prognosis is here.

The back end is a bit more interesting and gives a large number of IPs and domains to block if you want to be proactive about stopping this sort of thing.

The back end servers are primarily:
41.189.229.65 (Djibouti Telecom)
60.19.30.131 (China Unicom)
60.19.30.135 (China Unicom)
67.40.211.116 (Qwest Communications, Seattle)
71.217.16.11 (Qwest Communications, Seattle)
82.210.157.9 (Aster, Poland)
113.161.87.176 (VietNam Post and Telecom Corporation)
195.214.238.241 (Interphone, Ukraine)
202.199.160.107 (Dongbei University of Finance and Economics, China)
218.24.113.3 (China Unicom)

Associated domains:


Wednesday 12 October 2011

Fake jobs: it-jobsearch.com

Another fake job domain, it-jobsearch.com follows on directly from these two reported yesterday. The domain is registered to the same fake address in France as yesterday.

As usual, the email soliciting replies to this domain is trying to recruit people for money laundering. The email may appear to come from your own email address (here's why).

If you have example emails soliciting replies to this domain, please consider sharing them in the Comments. Thanks!

Tuesday 28 June 2011

Fake jobs: greece-joblist.com and italia-lavoro.net

A pair of domains offering fake money mule jobs or reshipping mule jobs, the greece-joblist.com and italia-lavoro.net domains seem to be targeting Italian and Greek victims and form part of this long-running scam.

If you have any examples (especially non-English ones) please share them in the comments!

Wednesday 22 April 2009

Russian / Italian spam

One of the major hurdles that spammers and scammers face is language. A typical eastern bloc scammer usually won't be able to speak any language like a native other than their own, and a poorly worded pitch is often an obvious sign of a scam.

Machine translations rarely make sense, and the best translators are always native speakers of that language. So, a professional fraud crew will often try to recruit linguistic experts to give their message more of an edge.

In this case, the spammers are trying to recruit someone who speaks Italian and presumably Russian. That's a target audience of around 60 to 70 million people who might well fall for an Italian language scam.

В наше бюро переводов требуются специалисты по итальянскому языку.
Если Вам нужен дополнительный заработок (~1000$ в месяц) - эта вакансия для Вас!
Ездить и ходить - никуда не нужно! Достаточно просто иметь доступ к интернету и телефон!
Никаких финансовых вложений с вашей стороны не нужно! И это не тендер!

Если Вам все еще интересно наше предложение - просто кратко ответьте на следующие
вопросы:
1. Имя
2. Город проживания
3. Где обучались языку и на каком уровне им владеете.

Наш e-mail: lONicholsonbronze@gmail.com

После этого в течении некоторого времени мы обязательно свяжемся с Вами!

Всего хорошего, надеемя на долгое сотрудничество!

This translates approximately to:

We need specialists to provide translations to the Italian language. If you need additional income (about $1000 per month) - this position is for you! You do not need to drive or walk anywhere! You just need to have access to the Internet and a telephone.

If you are interested in our offer - just briefly answer the following questions:
1. Name
2. City of residence
3. Where did you learn the language and how proficient are you.

Our email is: [random Gmail account]

After this we will contact you in a short while.

Have a good time, hoping for a long cooperation!

Our samples originate from ADSL and dial-up subscribers in Turkey and India. The Gmail address is different in each one.

Don't be tempted by an unsolicited "job offer" like this. You are extremely unlikely to be paid, and you could end up in serious trouble with the police.