Sponsored by..

Showing posts with label Joe Job. Show all posts
Showing posts with label Joe Job. Show all posts

Wednesday 6 September 2017

QTUM Cryptocurrency spam

This spam email appears to be sent by the Necurs botnet, advertising a new Bitcoin-like cryptocurrency called QTUM. Necurs is often used to pump malware, pharma and data spam and sometimes stock pump and dump.

There is no guarantee that this is actually being sent by the people running QTUM, it could simply be a Joe Job to disrupt operations. Given some of the wording alluding to illegal marketplaces, I suspect this could be the case.

Subject:       Qtum Main Network Launches September 13th, 2017
From:       "Lou Roberson"
Date:       Wed, September 6, 2017 6:37 am
Priority:       Normal


The Blockchain Made Ready for Business
Build Anonymous Decentralized Applications that Simply Work
Executable on mobile devices, compatible with major existing blockchain
ecosystems
TESTNET NOW LIVE!
   
    About
     
The Qtum Foundation is a Singapore based entity that promotes
adoption of the Qtum Blockchain. Project inception began in
March 2016, leading up to a successful crowdsale a year later.
Over 10,000 BTC and 72,000 ETH were raised in less than 5 days,
making Qtum one of the largest crowdfunded projects in history,
at $15.6 million dollars.

Investors received 51,000,000 Qtum tokens which will be
available for withdrawal on September 13, 2017.


The Qtum Foundation plans to be the anonymous blockchain for
business. Development efforts will allow us to market this
platform tovarious industries, such as: Mobile
Telecommunications, Counterfeit Protection, Finance, Industrial
Logistics (shipping, warranty,etc), Manufacturing, P2P Anonymous
Transfers and Anonymous Market Management from phone.
Build anonymous decentralized applications you can trust
     
Smart Contracts that Mean Business
Qtum makes it easier than ever for established sectors and
legacy institutions to interface with blockchain technology.
Create your own tokens, automate supply chain management and
engage in self-executing agreements in a standardized
environment, verified and tested for stability.

   
    Specification

    Total QTUM Supply: 100,000,000
    Block Target: 128 seconds
    Stake Return: ~4 QTUM
    Algorithm: SHA256

     
   
   
    QTUM SPARKNET
   
SPARKNET
          
Sparknet is designed primarily for developers, and as such
documentation at this point will be technical and suited more
for developers.  Testnet tokens do not hold any value and should
not be traded for any monetary instruments. The testnet can be
reset or forked at anytime as deemed necessary for development.

Forum Announcement:
https://bitcointalk.org/index.php?topic=1720632.4220

Release on github:
https://github.com/qtumproject/qtum/releases/tag/testnet-sparknet

Qtum Sparknet Usage and Information: Please see:
https://github.com/qtumproject/qtum/blob/testnet-1/doc/sparknet-guide.md
   
    QTUM SPYNET

Aug 15 The 2nd Qtum Test Network, Skynet, is now live: SKYNET
   
     
Qtum Skynet, the second public testnet for the Qtum blockchain.
All tokens aqcuired during the testnet will cease to exist 
when the mainnet is released which actually has tokens which
hold value. The purpose of the public testnet is to allow
developers to begin testing and developing applications, allow
early adopters to see a preview of how the network will behave,
and for the Qtum development team to run several load tests
which are not directly comparable when done on a private and
controlled network. Qtum Skynet will ideally have the same
consensus features and parameters as the Qtum mainnet.


Qtum Skynet Usage and Information:
Please see:
https://github.com/qtumproject/qtum/releases/tag/testnet-skynet
Please see:
https://github.com/qtumproject/qtum/releases/tag/testnet-skynet-v1.2

As soon as Main Network will be launched, you will be availaible
to build your own applications (DApps) or marketplaces. Fully
scalable and anonymous, so you can easy made any anonymous
marketplace which can be manage from your phone!

Just imagine, your own silkroad made on Qtum blockchain and
managed from your phone with fully anonymous transactions!

    No matter what kind of business you are building, all
transactions will be anonymous, and the network will never
reveal the ip addresses of the applications that are running
on it.

    Even if you sell weapons, drugs, trade in people and are
going to organize a coup d'?tat, you can be sure that you
will remain anonymous.

    Another thing is that it is illegal and sooner or later you
will receive the punishment that you deserve. But everyone
want to know how deep the rabbit hole goes.

    For our part, we can only provide a reliable, scalable and
anonymous ecosystem thanks to which any business can be
built on it and we guarantee that we will do everything
possible to make it sucesfull.

    We give you a choice - "blue pill or red pill"
       
        What Will your choice be?

    So, you have to prepare for Main Network launch  Qtum Custom
Token Walkthrough
   
    CROWDSALE
     
The QTUM token supply will be allocated as follows:

    - 51% of Qtum tokens (51,000,000) will be distributed
through the crowdsale
    - 20% of Qtum tokens (20,000,000 QTUM) will be distributed
among founders, early backers and the development team
    - 29% of Qtum tokens (29,000,000 QTUM) will be allocated to
community initiatives concerning business development, as
    well as academic research, education, and market expansion

For a more detailed overview of QTUM token allocation visit our
website: https://qtum.org/en/crowdsale#question-2
   
    Exchanges
     
Coinone:   https://coinone.co.kr/exchange/trade/qtum/
Yunbi: https://yunbi.com/markets/qtumcny
Bittrex: https://bittrex.com/Market/Index?MarketName=BTC-QTUM
https://bittrex.com/Market/Index?MarketName=ETH-QTUM
CHBTC: https://www.chbtc.com/qtum
BTER: https://bter.com/trade/qtum_cny
https://bter.com/trade/qtum_eth
https://bter.com/trade/qtum_btc

Yubi: https://www.jubi.com/coin/qtum/
Yuanbao:   https://www.yuanbao.com/trade/qtum2cny
Binance:   https://www.binance.com/trade.html?symbol=QTUM_ETH
Allcoin: https://allcoin.com/markets/QTUM-BTC/0/
BTC9: https://btc9.com/trade/22
Biduobao: https://www.biduobao.com/market-qtum.html
Liqui: https://liqui.io/#/exchange/QTUM_USDT
https://liqui.io/#/exchange/QTUM_ETH     
https://liqui.io/#/exchange/QTUM_BTC
Cryptopia: https://www.cryptopia.co.nz/Exchange?market=QTUM_BTC
COSS: https://exchange.coss.io/pair/qtum-eth
https://exchange.coss.io/pair/qtum-btc
HitBTC: https://hitbtc.com/exchange/QTUM-to-ETH/size
Novaexchange: https://novaexchange.com/market/BTC_QTUM/
   
    TEAM
   
   
     
See the full team at: https://qtum.org/en/team

    We are looking for developers to build the next generation
DApps on top of Qtum and invite you all to give our testnet
a try.

    We are always on the lookout to enrich our very talented
team, the next team member can be you!

    SEND YOUR RESUME TO OUR EMAIL: CAREERS@QTUM.ORG

    currently 4500+ Chinese community members

As far as I can see, there are no malicious links anywhere. This one can probably be marked down as an annoyance, and it should be easy enough to block or filter.

Thursday 17 December 2015

Malware spam: "James Wheatley sent you an document file!" / wheatjam@gmail.com

Poor old James Wheatley is a real person who must have pissed off some Russians somewhere (perhaps it is a Joe Job). This fake WhatsApp spam in his name has a malicious attachment.

From:    James Wheatley [wheatjam@gmail.com]
Date:    17 December 2015 at 09:50
Subject:    James Wheatley sent you an document file!

---
---
Sent by WhatsApp
There seem to be a few variants of the attachment, these have a detection rate of about 4/55 [1] [2] and analysis of those two examples [3] [4] download a malicious binary from:

www.nz77.de/65dfg77/kmn653.exe
old.durchgegorene-weine.de/65dfg77/kmn653.exe


This payload is the same as the one found in this spam run earlier today.


Friday 20 June 2014

bumerang.cc spam - possible Joe Job?

As with the writer of the excellent My Online Security blog I had a couple of odd-looking spams that looked like they might be malicious.

The first spam was a bit of a fail as it didn't have the link, the second spam contained a link the the bumerang.cc website.

From:     News
Date:     19 June 2014 21:40
subject:     World Political News

You can see all World Political News at our web site.Just click on link below

Invoice

------

From:     Customer support
Date:     19 June 2014 13:43
Subject:     Your invoice for June 2014

See your invoice for June 2014 by click on link below

Invoice


The link in the second email goes to the amusingly-named www.bumerang.cc/asdaa/sploit.php - amusing because "sploit" is of course slang for "exploit". Although I have seen exploit kits that contain obvious things like this as a sort of joke, it is also a bit obvious don't you think?

But there is no exploit kit at this "sploit.php" location.. it 404s. But in fact I can see no evidence that there has ever been an exploit in this location, this URLquery report from yesterday (the earliest I can find) also shows a 404. So perhaps the exploit has been deleted? Or perhaps it was never there in the first place..


As I mentioned, there are a pair of emails. The one with the working link looks like a fake invoice malspam, but the other one has the subject "World Political News" and the body "You can see all World Political News at our web site.Just click on link below".

It turns out that bumerang.cc is a news site, covering topics of interest in Moldova in the Romanian, English and Russian languages. Unlike most multilingual news sites, the content is different depending on the language.. and the default Russian language part of the site has a lot of articles on the rather corrupt breakaway region of Transnistria which is strongly pro-Russian and which seems to be getting drawn in to the godawful mess that is the Ukraine crisis.

Transnistria has a reputation for corruption and organised crime, so perhaps bumerang.cc has published something that somebody in Transnistria doesn't like. Joe Jobs against sites dealing in Russian politics are quite common, and the messages do bear several hallmarks of being fakes.

Given that there is no evidence of malware on this site, the fishy nature of the spam and the topic areas of the site itself then I am minded to think that this is a Joe Job and bumerang.cc are not behind this spam run.

UPDATE 1 2014-06-24. Another variant..

From:     Bumerang News
Date:     24 June 2014 21:24
Subject:     SENSATION NEWS!Ukraine Will Wage War With Russia

Russia's War Against Ukraine! All at our web site. Just click on link below

">http://www.bumerang.cc/



Thursday 5 June 2014

dedicatedpool.com.. spam or Joe Job?

I received a number of spam emails mentioning a Bitcoin mining website dedicatedpool.com, subjects spotted are:

Subject: Bitcoins are around you - don't miss the train!
Subject: Dedicatedpool.com business proposal (Save up on taxes)
Subject: Make money with darkcoin and bitcoin now!
Body text:

Hello,
Have you heard about bitcoins? I bet you did. Do you know how to make
money on it? Don.t worry, we are professionals in bitcoin and alternative
cryptocurrencies world and we will help you monetize your computing
hardware into bitcoins in no time. Come and joins us at
http://dedicatedpool.com and join our IRC chat at
http://dedicatedpool.com/?page=about&action=chat
--
Ryan, dedicatedpool.com support/admin

------------------------

Don't want Government to steal your money?
Join us at http://dedicatedpool.com and learn how you can save up on
taxes by using bitcoin, darkcoin and other cryptocurrencies!
We will provide you with detailed instructions on how to set up all
hardware in your house and start keeping your money instead of paying
taxes. 100% legal!
Please register at http://dedicatedpool.com

--
Ryan, dedicatedpool.com support/admin

------------------------

Do you have income but you don't want Obama to steal it from you? Come and
join us and turn your electricity cost into cash!
The only pool you can trust - come and mine bitcoins/altcoins with us. We
will provide you detailed guide on how to setup equipment in your house
that will turn electricity into bitcoins!
No taxes no problems: http://Dedicatedpool.com/
--
Ryan, dedicatedpool.com support/admin

However, the pattern of the spam looks like a Joe Job rather than some horribly misguided attempt to market the website. There are several signs that make it look like someone is trying to cause trouble for the site operators:
  1. The spam was sent repeatedly to a spamcop.net address, the type of address that would have a high probability of filing an abuse report. I call this a "reverse listwash".
  2. The spam mentions the established dedicatedpool.com website repeatedly (rather than using some sort of redirector) but the originating IPs appear to be from an illegal botnet (see note 1). The use of a botnet indicates a malicious intent.
  3. Spammers don't tend to include personal details of any sort in their messages, but the inclusion of "Ryan" (who does genuinely appear to be the administrator) seems suspicious.
 In my opinion, the balance of probabilities is that this is not sent out by dedicatedpool.com themselves, but is sent out by someone wanting to disrupt their business.

Note 1: I have seen the following IPs as originating the spam..
188.54.89.107
92.83.156.130
31.192.3.89
37.99.127.11
87.109.78.213


Monday 19 August 2013

Malekal.com Joe Job part II

There has been a Joe Job being run against Malekal.com for some time now. However, the joe job has now morphed and includes a reference to this blog (which is kind of annoying).

Date:      Sun, 18 Aug 2013 14:35:33 +0300 [08/18/13 07:35:33 EDT]
Subject:      Email SPAM for malekal.com

Theses emails SPAM are sent from a botnet (check the mails headers), im not
responsible of theses spam emails.
Someone is probably trying to get the site blacklisted or to get bad reputation
(called this "a Joe Job" - see :
http://blog.dynamoo.com/2013/08/malekalcom-joe-job.html )

The responsible is " Reveton Guy ", try to get revenge after a mass shutdown of
their malvertising :

http://www.malekal.com/2013/07/30/en-juicyads-reveton-malvertising/
http://www.malekal.com/2013/07/28/en-plugrush-reveton-malvertising/
http://www.malekal.com/2013/07/26/en-reveton-adxpansion-com-malvertising/

The August 11, they tried to get my website blacklisted using hacked website :
http://www.malekal.com/2013/08/12/en-reveton-go-now-by-hacked-website/
This is rather more subtle than the previous Joe Job, as it appears to be from the Malekal administrator themselves. However, it is being sent by a botnet (probably the same botnet sending the original spam) and is just another way to cause trouble.

These spam emails are tightly targeted to addresses that are most likely to make complaints. If you are going to report these, then I'd appreciate it if you would report the sending IP only rather than just copy-and-pasting all the links in.

Friday 2 August 2013

redwoodoptions.com "Joe Job" spam

I don't know anything about "Redwood Options" redwoodoptions.com but it seems to deal in binary options. In my personal opinion, this kind of derivative trading helped to lead to the banking collapse and should be outlawed.

Subject: For Trader
Subject: For Investor
Subject: Start Trading Now

Trade Forex, Commodities, Stocks and Indices with Up to 81% Return!
- Exclusive 60 second option
- Onetouch weekly options up to 500% return
- Up to $5000 welcome bonus

Start trading: http://www.redwoodoptions.com

That having been said, this spam run is almost definitely nothing to do with them and is instead someone trying to disrupt their (apparently lawful) business.

My advice.. ignore it and delete it.

cpro.su "Joe Job" spam run

This spam run is aimed at disrupting the underground forum cpro.su:
Subject: International carding board on new domain
Subject: Private Hacking and Carding Forum / New Domain

Welcome to Private Hacking and Carding Forum. We talking and sharing about
CVV, Paypal, Accounts, Bank Logs, Hacking Tools and Carding Tips. Newbie is
not allowed here. Do not enter if you don't know what to do...
http://cpro.su/ (*NEW domain!) 
People involved in this sort of stuff don't advertise it, but as far as I can tell cpro.su actually does deal in some unsavoury things.

What should you do about it? Nothing. The spam run will probably finish soon enough, and there's no point picking a fight with either side unless you really know what you are doing.



Malekal.com "Joe Job" spam

Update: there is a new version of this Joe Job spam, now mentioning this post in the body text (more info).

Malekal's Site  is a French-language site covering malware and spam. This particular spam run (called a "Joe Job") is not from Malekal, but is instead attempting to disrupt the site. Presumably the bad guys have found something the don't like.

Here are some examples:
Subject: Trojan Fake Police
Subject: Virus Gendarmerie
Subject: Virus Gendarmerie Nationale
Subject: Trojan Ransomware

Trojan Fake Police / Virus Gendarmerie Nationale : violation de la loi
francaise http://www.malekal.com/

If you are getting these, it is because you have been flagged up via a "reverse listwashing" process as somebody who is likely to complain about spam. Reporting the originating IP of the spam email would probably be helpful, reporting malekal.com on the other hand will only help the bad guys to remove a useful resource.

Thursday 6 June 2013

rxlogs.net: spam or Joe Job?

I've had nearly one hundred of these this morning. Is it a genuine spam run or a Joe Job?

Date:      Thu, 6 Jun 2013 09:44:18 -0700 [12:44:18 EDT]
From:      Admin [whisis101@gmail.com]
Reply-To:      ec2-abuse@amazon.com

facebook   
You recently requested a new password for your Facebook account. It looks like we sent you an email with a link to reset your password 4 ago.
This is a reminder that you need to complete this action by clicking this link and Confirm or Cancel your request.

If you have any other questions, please visit our Help Center.
Thanks,
The Facebook Team



The link in the emails goes to multiple pages on rxlogs.net which as far I as can tell is not malware, but is a blog about online pharmacies. But is is spam? Well, let's dig a little deeper..

Each email comes from a different IP, probably being sent by a botnet. That's pretty normal for pharma spam, but in this case there appear to be some anomalous addition headers..

The mildly munged headers from an example email are quite revealing. It appears that there are references to Amazon ECS (Amazon's cloud service) and a valid sender address of whisis101 -at- gmail.com injected into the headers, along with a load of other elements that you'd expect from botnet spam. The email has at no point hit either Gmail or Amazon, but the headers appear to have been faked in order to generate reports to Amazon and/or Gmail. It's worth noting that rxlogs.net is hosted on 107.20.147.122 which is an Amazon IP, so this is beginning to look like a Joe Job.
Received: from lsh410.van.ca.siteprotect.com (204.174.223.206)
  by [redacted] with SMTP; 6 Jun 2013 07:37:53 -0000
Date: Thu, 6 Jun 2013 00:37:53 -0700
To: [redacted]
From: Admin [whisis101 -at- gmail.com]
Return-Path: [bantstreetpottery -at- sctelco.net.au]
Reply-To: ec2-abuse -at- amazon.com
Subject: Reminder: Reset your password
Message-Id: [2cc3f11ac2ce3aa7d59d8682eee6df05@notify.amazon.com]
MIME-Version: 1.0
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: 7bit
So what do we know about the domain rxlogs.net? Well, the WHOIS details appear to be genuine and not hidden, I've redacted the most of the personal information but some of the key details are:

domain:       rxlogs.net
owner:        Stephen K. Walker
email:        whisis101 -at- gmail.com
address:      [redacted]
city:         [redacted]
postal-code:  [redacted]
country:      US
phone:        +7.[redacted]


The "From" address in the email matches the registration address in the WHOIS. Does that make it a genuine email? No, because no spammer is stupid enough to use their real email address in a spam run like this. Again, this smells like a Joe Job.

Another key indicator that this is a Joe Job is that all the dozens of emails have been sent to a spamcop.net email address, and there are far more emails that you would normally see for this type of spam run. This behaviour is typical for a Joe Job attack, the spammer pick the people who are most likely to complain and then hit them repeatedly to get try to get them to file a complaint with the victim's web host.

If you use Gmail, the email links back to a spare but apparently genuine Google+ profile, which links back to rxlogs.net. Which really leads to the next question.. what is rxlogs.net about?


rxlogs.net appears to be a genuine attempt to look at and rate online pharmacies using secondary sources to judge reliability and trustworthiness. The sites carries some paid advertising, but doesn't appear to deal with prescription medications directly, it looks like an affiliate site.

I'm not an expert in the US online pharmacy market, but I do know that you can check the legitimacy of online pharmacies with LegitScript but this is not without criticism.

My guess is that what has happened here is that Mr Walker has posted something on rxlogs.net which exposes a bogus pharma operation run by the same spammers sending out these emails. In other words, I believe this is a Joe Job and not a "genuine" spam run, and rxlogs.net is simply another victim of the bad guys.


Tuesday 2 April 2013

"Russian Hackers" spam / kidala.info / hack-sell.su

These spam messages appear to be promoting the underground websites kidala.info and hack-sell.su, both of which appear to be engaged in hacking, crimeware and fraud. But is there something else going on here?

Date:      Tue, 2 Apr 2013 18:07:48 +0700 [07:07:48 EDT]
Subject:      Russian hackers has you neo!

Russian hackers has you neo!
kidala dot info
or this kidala.info

==========================

Date:      Tue, 2 Apr 2013 17:17:29 +0700 [06:17:29 EDT]
Subject:      Russian hackers has you neo!

Need buy some shells?
http://kidala.info

==========================

Date:      Tue, 2 Apr 2013 16:27:24 +0700 [05:27:24 EDT]
Subject:      Russian hackers has anything you need.

World Best hack conference hereurl here: kidala.info

==========================

Date:      Tue, 2 Apr 2013 12:30:09 +0530 [03:00:09 EDT]
Subject:      World Interesting hack site here

Hi Manurl here: http://hack-sell.su

==========================

Date:      Tue, 2 Apr 2013 02:58:24 +0200 [04/01/13 20:58:24 EDT]
Subject:      Russian hackers mafia OWNS YOU!

Russian mafia has you...
hack-sell.su
or this hack-sell dot su

==========================

Subject:      Russian bad boys forum here, come join!

World baddest hackers join us hereurl here: hack-sell .su

==========================

Date:      Mon, 1 Apr 2013 16:01:59 -0400 [04/01/13 16:01:59 EDT]
Subject:      Russian hackers has anything you need.

Prime hack portal here!
hack-sell dot su
or this hack-sell dot su 

(Note that the emails may appear to be "from" your own account or someone in your own organisation. Don't worry, you have not been hacked.. forging an email address is trivially easy (described here).

But there's something unusual because these spams are being sent repeatedly to SpamCop.net email addresses, and I haven't seen them anywhere else. So why send spam emails to people who are very likely to file an abuse complaint.. unless you want the recipient to file an abuse complaint, that is.

This sort of attack pattern looks like a Joe Job, perhaps from a rival to these two underground forums. Targeting addresses that will likely file a complaint is a sort of reverse listwashing, and the pattern of repeated emails to the same address is also a Joe Job characteristic. And the thing about underground forums.. well, they don't tend to spam at all because they like to remain under the radar.

The sites don't appear to be hosting malware, if you've accidentally clicked through then there you are probably OK, although both sites look like they are down at the moment. There may well be more Joe Jobs after this one though, so don't be surprised if more rubbish floods your inbox.

Update: these subject lines are in use at the moment..
Best crack phorum so far!
Best hack conference so far!
Need buy some abuseimmune servers?
Need buy some injects?
Need buy some loads?
Need buy some socks?
Need buy some traffic?
Russian bad boys forum here, come join!
Russian hackers has anything you need.
Russian hackers has you neo!
Russian mafia has you...
Russian hackers mafia OWNS YOU!
Superior crack site so far!
World baddest hackers join us here
World Best hack website here
World Superior hack conference here

Wednesday 21 September 2011

dossier-ua.com Joe Job

dossier-ua.com is a site that is critical about politics in the Ukraine, and names several individuals and governmental bodies in connection with alleged wrongdoing.

Obviously, they have upset somebody because there is currently a Joe Job campaign against the site, presumably in an attempt to have the site shut down:

Subject: {Snuff filmes|Snuff films}
From: david -at- davidbreach.co.uk
Reply-To: dossieruacom -at- gmail.com

{Hi!|Hello!|Good day!}
You can {see|watch|download} child {pron|porn} and snuff {filmes|films} now for free and without registration.
Just email us what do you want to see (child {pron|porn} or some snuff {filmes|films}) and we will
send you back what did you ordered. Only hardcore cam murders, children fukcing,
awesome bloody maniacs and vrigins may brind you a lot of brillian hours! This is
happened in reality and no any montage so be the one who seen this!

http://dossier-ua.com/?p=852

Contact us to pay for pron:
politblok -at- gmail.com

In this case, the email came from a server called davidbreach.co.uk, a wholly legitimate domain that appears to have been hacked, hosted at Node 4 in the UK. The mail originates from 93.174.141.52 (also Node 4). An examination of the mail headers indicates that it may originally have come from 151.16.60.68, an IP address in Milan, probably a compromised PC.

Dossier-ua.com is a political blog. There is no evidence at all that it is involved in distributing pornography or illegal material. If you receive an email of this nature, you should report it to the abuse address of the sender's IP, it is probably not worth bothering dossier-ua.com's web host.

Thursday 1 July 2010

ultrasantifa.blogspot.com apparent Joe Job

This strange looking email plopped into my mailbox:

Date: 1 July 2010 07:31
subject: hola
   
We are european fascists ! Fight for racial purity ! Our time begins! We are strong and can build new Reich! Join to us! We call on all people visit out sites. On them you will find information about war against system! Sieg heil fascist, nordic nazi! Adresses of our sites you can see below: http://ultrasantifa.blogspot.com
Given that fascists rarely seem to advertise themselves via spam and the whole language seems over the top I thought it looked a but suspect and worth of some further investigation.

ultrasantifa.blogspot.com is (or rather was) a blog entitled "Antifa Ultras and Hooligans". Antifa means "anti-fascist", and this Russian language blog featured radical anti-fascist ideas and football, usually both at the same time. The blog linked to some other sites that might well be advocating violence, but there was certainly no way that this was a pro-fascist blog.

So, this appears to be a Joe Job and it also appears to have been successful as ultrasantifa.blogspot.com is currently 404ing. So, presumably neither Google (who hosted the blog) nor the people complaining about the spam actually checked the site..

Just for the record the email originated from 41.145.224.130, an IP address in South Africa, but I guess it's just part of a botnet-for-hire.

Friday 26 February 2010

Stupid spammer? Or Joe Job?

Sometimes it's hard to say if a spam is a really stupid spammer, or a very sophisicated Joe Job.



From: "Human resources" <list@weekendsoff.info>
Reply-To: HR@internet-marketing.com
Subject: Thank you for your application

This is an automated response; please do not reply to this email

Thank you for your application, this will be reviewed shortly

The Job You Have applied for is

>>

Internet Marketing - Work from home Unlimited income

An Irish based company is looking for a motivated and dynamic individual to head up the local operations in UK, USA, Canada, Australia and New Zealand, Must be computer literate, Dynamic, and a self starter.

Previous marketing experience is desirable but not essential as
Full training is given.

For details on how to apply please click the link below

http://ec2e68oy1e-p-g0mu8cbhzr5ke.hop.clickbank.net/

>>

Many thanks

The HR Team


This email is intended for the addressee only If you have received this email in error please treat its contents as confidential and delete it immediately





Clickbank spam is pretty rare, simply because Clickbank will terminate spamming affiliates. Clickbank redirects to http://www.theaffiliatecode.com/cb.php?hop=bharrsunny which then affiliates to one of those stupid eBook sites called "TheAffiliateCode.com" that promises untold riches. The name "bharrsunny" is almost definitely the name of the affiliate account.

The email routes via a server at 94.136.62.178 [Webfusion - UK and currently blacklisted] and appears to originate from a Sky broadband subscriber at 90.221.179.176 (currently blacklisted). A look at the server at 94.136.62.178 throws up a number of websites, including "weekendsoff.info" (listed in the headers) and "weekendsoff.co.uk". The WHOIS details for these domains is as follows:

Domain name:
weekendsoff.co.uk

Registrant:
Bob Harris

Registrant type:
UK Individual

Registrant's address:
27 old tatham
york
YO43 4BN
United Kingdom

Registrar:
Webfusion Ltd t/a 123-Reg.co.uk [Tag = 123-REG]
URL: http://www.123-reg.co.uk

Relevant dates:
Registered on: 14-May-2009
Renewal date: 14-May-2011

Registration status:
Registered until renewal date.

Name servers:
ns.123-reg.co.uk
ns2.123-reg.co.uk
The .info domain also reveals:
Registrant Phone:+44.1430861312
Registrant Email:bh861839@aol.com

weekendsoff.co.uk is a web design outfit with some familiar looking templates (e.g. www.weekendsoff.co.uk/Shop-sites/shop3/index.html is the same as this page on Quackit) as it seems are all the other pages. Still, I guess this is all above board, isn't it?

Now, there's an uncanny match between the name "Bob Harris" and the affiliate name "bharrsunny". So, is Bob Harris really stupid? Or has someone hacked his server with a sophisticated Joe Job? But this isn't the only time this person has been fingered for spamming. I'm sure you can make up your own mind..

Monday 20 April 2009

Thursday 2 April 2009

BlizzardImageHosting.com - possible Joe Job

We have an email trap that seems to be hit exclusively by a low number of Waledac related spam (fake "terror reports", pharma spam, penis enlargement etc). We know that this particular address was harvested from a compromised PC, so the only people who have the address are the Bad Guys.

Unexpectedly then, the following email turned up:

From: (removed)
Sent: 01 April 2009 20:33
To: (removed)
Subject: Free Image Hosting

BlizzardImageHosting.com is a new leader in online image & photo hosting,
portfolios, and slideshow creation. We offer features you wont find
at other image hosting sites and we offer it FOR FREE!

- Upload Unlimited Images
- Share Images With Anyone and Anywhere
- Get Gigabytes of Monthly Bandwidth

and much more...

Sign up now!
http://blizzardimagehosting.com/index.php

(c) 2003-2009 Blizzard Image Hosting All Rights Reserved

So, my initial thoughts were that blizzardimagehosting.com were in league with the bad guys. Let's check out their WHOIS details:

Marquee, Media Networks webmaster -at- marqueemediaonline.com
Marquee Media Networks
6741 Sprinkle Road, Ste 293
Portage
MI
49002
US
Phone: +1.2694929957
Fax: +1.2694929958
The address is actually a branch of PakMail, but that probably means in this case that Marquee Media Networks rents a post box. The WHOIS details for marqueemediaonline.com indicate a name of Christopher Maher. So do these WHOIS details look suspicious? Not really. Usually, Waledac related domains come with WHOIS details that indicate telltale traces in China or Russia, the details for blizzardimagehosting.com are not inherently suspicious.

Marquee Media operates a web server at 216.17.107.72, which contains an ill-advised mix of adult sites and general interest sites (porn sites and fishing on the same server?) all the WHOIS details are consistent, and there seems to be nothing illegal going on.

Here's the thing - nothing at all about blizzardimagehosting.com fits the Waledac profile. This seems to be a small business running out of Illinois, nothing more. At a best guess, Marquee Media has somehow displeased the Waledac gang, either through something to do with adult content or web hosting.

So.. if you get a spam for blizzardimagehosting.com then treat it with scepticism, and as far as I am concerned this company is probably not guilty of this spam run and instead it looks like a Joe Job.

Thursday 26 March 2009

dns@nisource.com Joe Job

NiSource is a US electricity and gas provider. This spam appears to be a Joe Job aimed at the DNS support mailbox at that company. In this case the originating IP is 166.156.53.33.

From: Mabel Mcdaniel [mailto:dns@nisource.com]
Sent: 26 March 2009 14:55
To: [redacted]
Subject: Replica Watches

A lot of brands, 100-300 usd.
Mail to order: dns@nisource.com

Since the email is soliciting replies via email, it is most likely a revenge attack for something or other.

Saturday 6 December 2008

Joe Job against GoldPoll.com: welcome to the murky world of HYIP

GoldPoll.com is a web site about HYIPs (High Yield Investment Programs) that is hosted in the British Virgin Islands to an anonymous (possibly Panamanian) registrant, and until recently the registrar was the well-known fraudster's friend EstDomains. Despite this unpromising pedigree, it does appear that GoldPoll.com is legitimate..

..well, as legitimate as anything is in the world of HYIPs. Most HYIPs are generally just a front for Ponzi schemes and offer ridiculous payout rates such as 2% interest per day (about 624% per year) which are clearly unsustainable.

Anyway, as you can imagine there are a LOT of fraudulent HYIP schemes (are there any that are actually legitimate?) GoldPoll.com attempts to flag up schemes that aren't paying up.. which means that they have obviously annoyed some HYIP scammer somewhere who has decided to carry out a Joe Job against GoldPoll.com:

Subject: Gold Poll
From: goldpoll.com.ads@gmail.com
Date: Sat, December 6, 2008 3:57 pm

The most relevant information about the top HYIP programs from the best hyip monitoring. http://www.goldpoll.com


We personally invest in each HYIP and check the reliability of everyday payments. Click on any HYIP name to be redirected to it. Click on Program Details to get further information about a HYIP, find other members' posts and vote yourself.

goldpoll.com

Now GoldPoll.com states: "We never send SPAM and hate SPAMmers. Please don't trust in any e-mail that appeared to be from us and not stated on our Newsletters Archive!" which of course doesn't mean that much.. but a close investigation of the offending email indicates that it came from 211.95.78.71 in China. Now, 211.95.78.71 isn't just any IP address, it happens to be a server where a number of HYIP related domains are hosted:

  • Accuramoney.com
  • Bestinvestfar.com
  • Bestnethosta.com
  • Dalamonda.com
  • Google-analyser.com
  • Google-optimise.com
  • Google-spider.com
  • Healthcarem.com
  • Heroesadvent.com
  • Homegome.com
  • Injektus.com
  • Jampadventures.com
  • Libertyreiserve.com
  • Libertyrescerve.com
  • Luckautomachine.com
  • Luckjewel.com
  • Maxcargotrade.com
  • Ordtechnologies.com
  • Platinumtvonline.com
  • Sekermen.com
  • Toguessgame.com
  • Trancgroup.com
  • Webtradersite.com

It seems that there is a related server to this at 64.63.1.204, at least one of the domains (nasdaq-invest.com) is on GoldPoll.com's blacklist (there may be others).

  • Al-moeed.com
  • Boodjewel.com
  • Deluxeinvestment.org
  • E-investbank.net
  • Fastprofit-2008.com
  • Futureinvest.biz
  • Gpttalkpro.com
  • Higaintrade.com
  • Hyip-profits.com
  • Hyip-world.com
  • Hyipchecking.com
  • Hyipozaurus.biz
  • Katyadumper.com
  • Libertyrieserve.com
  • Mcdump.com
  • Monemoke.com
  • Moneyinvests.biz
  • More-invest-2009.com
  • Nasdaq-invest.com
  • Pensioninsurancefund.com
  • Perfectservers1.us
  • Photos-vn.com
  • Realforex.us
  • Sectrustbonline.com
  • Solid-fund.com
  • Supervirtualcards.com
  • Teekypleaze.com
  • Tieudiemchinh.com
  • Tomerbusiness.com
  • Tophyipsite.com
  • Ukoblos.com
  • Userinvest.com
  • Wertor.info
  • Wmrub.com
If you are an HYIP investor, then take some of these domain names and Google for them, and you'll get the measure of [un]reliable they are. You can pretty much guarantee that they are closely related.

But really my best advice is to avoid HYIP altogether. It's basically just a form of gambling, but with much worse odds in the long run.

Tuesday 25 November 2008

bobbear.co.uk "Joe Job" attack

This summary is not available. Please click here to view the post.

Thursday 6 March 2008

StampOffers.com - Spam or Joe Job?



There's a whole bunch of spam doing the rounds as follows:

Subject: Sell for FREE Forever !!!!!!!!!!!!!!
From: stampoffers@yahoo.com
Date: Thu, March 6, 2008 3:21 pm

The idea for StampOffers.com developed in the summer of 2002.
It all started with the creation of a chat board outside of eBay that would allow fellow philatelist the ability to talk about anything without being criticized for not maintaining a strictly philatelic conversation. Those who have made a non-philatelic post to the eBay stamp chat board know what it is like. There was a discovery on this new chat board that collectors would like to buy, sell, and trade among those who visited the chat and a few of the frequent users asked about someone starting an auction site just for stamp collectors. In January of 2003, StampOffers.com was launched!

There was much back and forth about whether StampOffers.com would be able to draw enough users and continue a steady growth and it was decided that the only way to do this was to operate with one philosophy – provide a viable alternative on the world wide web in which collectors from around the world could buy, sell, and trade stamps in an effort to further the hobby. Oh yeah…..and do it for FREE!!

To this day, StampOffers.com provides a site that allows sellers to enter a basic listing with NO INSERTION FEE and NO FINAL VALUE FEE. So how does StampOffers.com continue to operate without collecting fees? Well, let’s just say it is a combination of fellow collectors who are very appreciative of StampOffers.com’s existence combined with StampOffers.com’s desire to contribute to the hobby of philately!

Therefore, go ahead and use the site as much as you wish! The only real favor that is asked is that you pass the word about StampOffers.com. Tell your customers, your fellow collectors, your stamp club friends, your local stamp dealer, and anyone else whom you believe would be as appreciative of the site as those who are using it today.

Thank you,

StampOffers.com - The World Is Finding Us!

Join Now

James Munch

You are receiving this mailing because you agreed to be a part of our opt in mailing list.
As you would expect, no such "opt in" authorisation has been given.

There are a couple of things that are odd about the spam - first of all it seems quite unlikely that a philately site would send out this type of email, the mail is sent out repeatedly to the same address (in an apparent attempt to annoy the recipient), and it has been aimed at a spamcop.net account which perhaps indicates that "reverse listwashing" is taking place to ensure that the mail does get reported as spam.

These are all classic indications of a Joe Job - a fake spam message sent by a third party in order to cause trouble, presumably in an attempt to shut StampOffers.com down. Joe Jobs can be hard to spot, but this certainly seems to tick all the boxes.

As of 6th March 2008, the emails are being sent from a server at 74.86.158.8 through a PHP script which fingers 64.74.124.39 as the possible sending IP. This latter email address is interesting because it belongs to an Autosurf scheme called autosurfunion.com - interestingly the same server has been used for this other apparent stamp related Job Job, presumably the autosurf server is being used as a proxy.

The line in the header to look for is:
X-PHP-Script: 74.86.158.8/~ez123/conf.php for 64.74.124.39

64.74.124.39 is operated by Globalcon.net (contact email appears to be reyner -at- globalcon.net), so try sending any abuse reports their way. Also the 74.86.158.8 server with the insecure redirector should be reported to abuse -at- greenolivetree.net or perhaps via their web form.

Incidentally, this is what StampOffers.com has to say on the subject:

24 February 2008 - SPAM EMAILS

This is a special announcement about a rash of SPAM emails going out.

First, let me apologize for this occurring. StampOffers.com does NOT send out SPAM emails!! The only emails that are sent are to those who are members of StampOffers.com.

Recently, there was an individual who gained access to the site as a bidder and placed a number of fake/fradulent bids. This user created 3 different ID's and attempted to wreak havoc with each one. It appears we have finally been able to block this person from accessing the site and thus has turned to another form of cowardly entertainment.

These emails ARE NOT coming from StampOffers.com, our host, nor any server that our host runs. Our host is working with me to file the proper complaints as seen below:

I am trying everything I can to stop this and apologize to everyone. I would like to ask your assistance. When receiving these emails, contact the ISP you find in the header and point them to this board.

I am a private individual who has been running this site for 5 years. I have no interest in making money (I provide the site for FREE for everyone to use) and definitely have no desire to send out SPAM emails.

Please, if you have any questions, feel free to use the contact button below and let me know.

Thank you for your patience and understanding.

James C. Munch
I tend to concur with StampOffers.com - there are lots of signs to indicate that this is a Joe Job attack, so if you receive on, please analyse the headers carefully and report to the correct service provider.