Sponsored by..

Showing posts with label South Africa. Show all posts
Showing posts with label South Africa. Show all posts

Sunday, 8 October 2017

Scam: "Help Your Child To Be A Professional Footballer." / info@champ-footballacademyagency.co.uk

This spam email is a scam:

Subject:       Help Your Child To Be A Professional Footballer.
From:       "FC Academy" [csa@sargas-tm.eu]
Date:       Sun, October 8, 2017 10:30 am
To:       "Recipients" [fcsa@sargas-tm.eu]
Priority:       Normal

Hello,
Does your child desire to become a professional footballer?

Our football academy are currently scouting for young football player to participate in 3-6 months training and  our main purpose is to recruit young and talented footballers to help become a great football  player in Life and become a great star .  Our agent will train and linked your child up with big clubs in United Kingdom and Europe.

We will also help your child to get Visa and Work Permit once the admission into our football academy is approved.

Our aim is to provide a wide range of opportunities to complement a successful playing career. We will help your child to find the best route to fulfilling their ambitions of becoming a professional footballer in United Kingdom and Europe.

If you want to help your child achieve their soccer dream, reply us for more information.
Best Regards,
CFAA.

At the time of writing the domain sargas-tm.eu does not exist, but the Reply-To address is actually info@champ-footballacademyagency.co.uk which is a registered domain. The WHOIS details for this say:

Domain name:
        champ-footballacademyagency.co.uk

    Registrant:
        NELSON OZI

    Registrant type:
        Unknown

    Registrant's address:
        404 sapphire tower
        404 sapphire tower
        USA
        Kentucky
        97101
        United States

    Data validation:
        Nominet was not able to match the registrant's name and/or address against a 3rd party
source on 19-Sep-2017

    Registrar:
        Web4Africa Ltd. t/a Web4Africa [Tag = WEB4AFRICA-GH]
        URL: https://www.web4africa.net

    Relevant dates:
        Registered on: 19-Sep-2017
        Expiry date:  19-Sep-2018
        Last updated:  19-Sep-2017

    Registration status:
        Registered until expiry date.

    Name servers:
        dns1.yandex.net
        dns2.yandex.net

Disclaimer
WHOIS lookup made at 10:50:09 08-Oct-2017


There are lots of suspect things about this domain registration - the address is clearly fake, the registrar is based in South Africa and the nameservers are in Russia, and also it was registered just a few weeks ago. A quick bit of Googling around shows that "Nelson Ozi" is also linked to the following probably fraudulent domains:

svbfib.com
svbfibem.com
globalcreditsus.com

These all seem to be connected with an IP range 169.255.59.0/24 (Web4Africa again) which does seem to have a lot of scammy sites hosted on it. Blocking access to that range might be prudent.

The spam email itself comes via another Russian server mail.elmeh.ru but this particular email originated from 103.207.37.101 in Vietnam. Replies to the champ-footballacademyagency.co.uk email would be set to mx.yandex.net which is in Russia again.

It would probably be quite difficult to stuff any more dodgy indicators into this spam. What the scam actually is isn't 100% clear, it could be anything from a simple advanced fee fraud all the way up to child abduction. Avoid.

Monday, 30 November 2015

Malware spam: "Sales Invoice OP/I599241 For ANDSTRAT (NO.355) LTD" / "orders@kidd-uk.com"

This fake financial spam is not from James F Kidd, but is instead a simple forgery with a malicious attachment:
From:    orders@kidd-uk.com
Date:    30 November 2015 at 13:42
Subject:    Sales Invoice OP/I599241 For ANDSTRAT (NO.355) LTD

 Please see enclosed Sales Invoice for your attention.

 Regards from Accounts at James F Kidd
 ( email: accounts@kidd-uk.com )
I have seen a single copy of this spam with an attachment invoice574206_1.doc which has a VirusTotal detection rate of 3/55.

This Malwr report indicates that in this case there may be an error in the malicious macro [pastebin]. The Hybrid Analysis report is inconclusive. This document is presumably attempting to drop the Dridex banking trojan.

UPDATE

I have received two more samples, one names invoice574206/1.pdf and the other invoice574206/1.doc. Both are Word documents (so the one with the PDF extension will not open). The VirusTotal detection rates are 7/54 and 4/55. One of these two also produces an error when run.

The working attachment (according to this Malwr report and Hybrid Analysis report) downloads a malicious binary from:

bjdennehy.ie/~upload/89u87/454sd.exe

This has a VirusTotal detection rate of 3/54. Automated analysis tools [1] [2] [3] [4] show malicious traffic to:

94.73.155.12 (Cizgi Telekomunikasyon Anonim Sirketi, Turkey)
103.252.100.44 (PT. Drupadi Prima, Indonesia)
89.108.71.148 (Agava Ltd, Russia)
91.223.9.70 (Elive Ltd, Ireland)
41.136.36.148 (Mauritius Telecom, Mauritius)
185.92.222.13 (Choopa LLC, Netherlands)
42.117.2.85 (FPT Telecom Company, Vietnam)
195.187.111.11 (Szkola Glowna Gospodarstwa Wiejskiego, Poland)
37.128.132.96 (Memset Ltd, UK)
37.99.146.27 (Etihad Atheeb Telecom Company, Saudi Arabia)
41.38.18.230 (TE Data, Egypt)
89.189.174.19 (Sibirskie Seti Novokuznetsk, Russia)
122.151.73.216 (M2 Telecommunications Group Ltd, Australia)
185.87.51.41 (Marosnet Telecommunication Company LLC, Russia)
217.197.159.37 (NWT a.s., Czech Republic)
41.56.123.235 (Wireless Business Solutions, South Africa)
91.212.89.239 (Uzinfocom, Uzbekistan)


MD5s:
495d47eedde6566a12b74c652857887e
182db9fc18c5db0bfcb7dbe0cf61cae5
177948c68bc2d67218cde032cdaf1239
07c90e44adcf8b181b55d001cd495b7f


Recommended blocklist:
94.73.155.12
103.252.100.44
89.108.71.148
91.223.9.70
41.136.36.148
185.92.222.13
42.117.2.85
195.187.111.11
37.128.132.96
37.99.146.27
41.38.18.230
89.189.174.19
122.151.73.216
185.87.51.41
217.197.159.37
41.56.123.235
91.212.89.239

Malware spam: "INTUIT QB" / "QUICKBOOKS ONLINE [qbservices@customersupport.intuit.com]" leads to ransomware

This fake Intuit QuickBooks spam leads to malware:

From:    QUICKBOOKS ONLINE [qbservices@customersupport.intuit.com]
Date:    30 November 2015 at 10:42
Subject:    INTUIT QB


As of November 5th, 2015, we will be updating the browsers we support. We encourage you to upgrade to the latest version for the best online experience. Please proceed the following link, download and install the security update for all supported browsers to be on top with INTUIT online security!

InTuIT. | simplify the business of life

© 2015 Intuit Inc. All rights reserved. Intuit and QuickBooks are registered trademarks of Intuit Inc. Terms and conditions, features, support, pricing, and service options subject to change without notice. 
The spam is almost identical to this one which led to Nymaim ransomware.

In this particular spam, the email went to a landing page at updates.intuitdataserver-1.com/sessionid-7ec395d0628d6799669584f04027c7f6 which then attempts to download a fake Firefox update

This executable has a VirusTotal detection rate of 3/55, the MD5 is 592899e0eb3c06fb9fda59d03e4b5b53. The Hybrid Analysis report shows the malware attempting to POST to mlewipzrm.in which is multihomed on:

89.163.249.75 (myLoc managed IT AG, Germany)
188.209.52.228 (BlazingFast LLC, Ukraine / NForce Entertainment, Romania)
95.173.164.212 (Netinternet Bilgisayar ve Telekomunikasyon San. ve Tic. Ltd. Sti., Turkey)


The nameservers for mlewipzrm.in are NS1.REBELLECLUB.NET and NS2.REBELLECLUB.NET which are hosted on the following IPs:

210.110.198.10 (KISTI, Korea)
52.61.88.21 (Amazon AWS, US)


These nameservers support the following malicious domains:

exstiosgen.com
ecestioneng.com
densetsystem.com
deseondefend.com
xonstensetsat.com
dledisysteming.com
thecertisendes.com
georgino.net
tangsburan.net
rebelleclub.net
helpagregator.net

The download location uses a pair of nameservers, NS1.MOMEDEFER.PW and NS1.PRIZEBROCK.PW. If we factor in the NS2 servers as well, we get a set of malicious IPs:

5.135.237.209 (OVH, France)
196.52.21.11 (LogicWeb, US / South Africa)
75.127.2.116 (Foroquimica SL / ColoCrossing, US)


These nameservers support the following malicious domains:

browsersecurityupdates.com
intuit-browsersecurity.com
intuit-browserupdate.com
intuitdataserver.com
intuitdataserver1.com
intuitdataserver-1.com
intuitinstruments.com
intuit-security.com
intuitsecuritycenter.com
intuitsecurityupdates.com
intuit-securityupdates.com
intuit-updates.com
intuitupdates-1.com
security-center1.com
securitycentral1.com
securitycentral-1.com
securityserver-2.com
securityupdateserver-1.com
updates-1.com
updateserver-1.com

As far as I can tell, these domains are hosted on the following IPs:

52.91.28.199 (Amazon AWS, US)
213.238.170.217 (Eksen Bilisim, Turkey)
75.127.2.116 (Foroquimica SL / ColoCrossing, US)


I recommend that you block the following IPs and/or domains:

52.91.28.199
213.238.170.217
5.135.237.209
196.52.21.11
75.127.2.116
210.110.198.10
52.61.88.21
89.163.249.75
188.209.52.228
95.173.164.212

mlewipzrm.in
exstiosgen.com
ecestioneng.com
densetsystem.com
deseondefend.com
xonstensetsat.com
dledisysteming.com
thecertisendes.com
georgino.net
tangsburan.net
rebelleclub.net
helpagregator.net
browsersecurityupdates.com
intuit-browsersecurity.com
intuit-browserupdate.com
intuitdataserver.com
intuitdataserver1.com
intuitdataserver-1.com
intuitinstruments.com
intuit-security.com
intuitsecuritycenter.com
intuitsecurityupdates.com
intuit-securityupdates.com
intuit-updates.com
intuitupdates-1.com
security-center1.com
securitycentral1.com
securitycentral-1.com
securityserver-2.com
securityupdateserver-1.com
updates-1.com
updateserver-1.com
momedefer.pw
prizebrock.pw


Tuesday, 14 April 2015

Malware spam: "Kairen Varker [mailto:kvarker@notifications.kashflow.com]" / "Invoice from"

This fake invoice has a malicious attachment:
From: Kairen Varker [mailto:kvarker@notifications.kashflow.com] On Behalf Of Kairen Varker
Sent: Tuesday, April 14, 2015 9:26 AM
Subject: Invoice from

I have made the changes need and the site is now mobile ready . Invoice is attached
In this case the attachment is called Invoice-83230.xls which is currently undetected by AV vendors. It contains this malicious macro [pastebin] which downloads a component from the following location (although there are probably more than this):

http://925balibeads.com/94/053.exe

This is saved as %TEMP%\stepk1.5a.exe and has a VirusTotal detection rate of 3/57. Automated analysis tools [1] [2] [3] [4] shows the malware phoning home to:

78.24.218.186 (TheFirst-RU, Russia)
176.67.160.187 (UK2, UK)
87.236.215.151 (OneGbits, Lithuania)
154.69.104.137 (Sandton Telkom, South Africa)
107.191.46.222 (Vultr Holdings / Choopa LLC, Canada)
94.23.171.198 (OVH, Czech Republic)
74.119.194.18 (RuWeb Corp, US)
37.140.199.100 (Reg.Ru Hosting, RUssia)
89.28.83.228 (StarNet SRL, Moldova)

The Malwr report shows that among other files it drops a malicious Dridex DLL with a detection rate of 2/57.

Recommended blocklist:
78.24.218.186
184.25.56.188
176.67.160.187
87.236.215.151
154.69.104.137
107.191.46.222
94.23.171.198
74.119.194.18
37.140.199.100
89.28.83.228

MD5s:
e46dcc4a49547b547f357a948337b929
1748fc9c5c0587373bf15a6bda380543
1e010195d2e5f6096095078482624995

Sunday, 2 March 2014

Malware sites to block 2/3/14

These domains and IPs are all connected with this gang, some of it appears to be involved in malware distribution, fraud or other illegal activities. I recommend that you block these IPs and domains.

Note that some of the IPs listed below are compromised nameservers (marked [ns]) which look like they are insufficiently well locked down. There is a plain list of IPs at the end for copy-and-pasting.

accounting-kent.net
aerostat-adventures.net
aim-darts.net
airnavrace.net
amia.cc
aqu.su
artplat.com
binfile.net
brigadiramoon170.com
ccl.su
clubkindergarten.net
combonicer200.com
ehk.su
flatroom.net
gefesosexwithjimmy.org
iceselinsgrove.com
kartaby.com
keksnownikolle.biz
kirr.cc
lollipollyboobs.org
lostpetutah.net
macdegredo.com
mecheti.com
megemind.com
onetimedns.com
orimylife.net
pcg.su
quarter.su
sandwars.net
sec-one-dns.com
security-apps24.com
securityappsmart.com
security-safedomains.com
security-trust.com
smis.cc
stepnitres.ru
studio-sands.net
unicttaskforce.com
usgunlavs.net
webercountyfairr.net
wildscot-tv.com
world-motorhome.net

12.42.61.221    (AT&T, US)   
19.214.121.54    (Ford Motor Company, US)    [ns]
22.15.199.21    (DOD, US)    [ns]
23.253.75.234    (Rackspace, US)   
31.210.107.33    (Radore Veri Merkezi Hizmetleri, Turkey)   
32.21.129.43    (AT&T, US)    [ns]
32.90.65.25    (AT&T, US)    [ns]
37.255.241.29    (TCE, Iran)   
41.66.55.3    (Cote d'Ivoire Telecom, Cote d'Ivoire)    [ns]
41.106.3.132    (FTTH, Algeria)    [ns]
42.96.195.183    (Alibaba, China)    [ns]
54.81.32.208    (Amazon AWS, US)   
65.27.155.176    (Time Warner Cable, US)   
79.88.112.206    (Societe Francaise du Radiotelephone, France)   
83.239.90.244    (OJSC Rostelecom Macroregional Branch South, Russia)   
89.39.83.177    (C&A Connect SRL, Romania)   
89.69.138.91    (UPC, Poland)   
92.84.13.131    (Romtelecom, Romania)    [ns]
93.190.137.5    (Worldstream, Netherlands)   
95.57.118.56    (Dmitry Davydenko / Goldhost LLC, Kazakhstan)   
96.44.143.179    (Quadranet Inc, US)   
103.31.251.202    (Argon Data Communication, Indonesia)   
108.81.248.139    (William Allard / AT&T, US)   
109.24.255.129    (Societe Francaise du Radiotelephone, France)   
112.222.201.43    (LG DACOM Corporation, Korea)   
115.28.39.216    (Hichina Web Solutions, China)   
128.101.154.25    (University of Minnesota, US)    [ns]
128.199.235.196    (DigitialOcean Cloud, Singapore)   
130.255.185.19    (Bradler & Krantz, Germany)   
147.249.171.10    (IDD Information Services, US)    [ns]
152.46.17.236    (North Carolina Research and Education Network, US)   
162.243.39.118    (Digital Ocean, US)   
167.15.26.219    (Munich Reinsurance America Inc, US)    [ns]
167.120.25.43    (The Dow Chemical Company, US)    [ns]
171.76.101.11    (Bharti Cellular Ltd, India)    [ns]
175.107.192.56    (Cyber Internet Services Pakistan, Pakistan)   
176.53.125.6    (Radore Veri Merkezi Hizmetleri, Turkey)   
181.41.194.253    (HOST1FREE at Brazil, Brazil)   
184.154.170.10    (SingleHop, US)    [ns]
185.9.159.205    (Salay Telekomunikasyon Ticaret Limited Sirketi, Turkey)   
186.194.39.139    (FMG Macabuense com serv distrib ltda-me, Brazil)    [ns]
186.202.184.178    (Locaweb Servi├žos de Internet S/A, Brazil)   
186.214.212.64    (Global Village Telecom, Brazil)   
188.165.91.216    (OVH, France / DoHost, Egypt)    [ns]
188.168.142.57    (Transtelecom CJSC, Russia)   
193.17.184.247    (Biznes-Host.pl, Poland)   
194.209.82.222    (blue-infinity, Switzerland)    [ns]
203.235.181.138    (KRNIC, Korea)   
208.167.238.115    (Choopa LLC, US)   
209.203.50.200    (Vox Telecom, South Africa)   
222.218.13.91    (Chinanet Guangxi Province Network , China)    [ns]


12.42.61.221
19.214.121.54
22.15.199.21
23.253.75.234
31.210.107.33
32.21.129.43
32.90.65.25
37.255.241.29
41.66.55.3
41.106.3.132
42.96.195.183
54.81.32.208
65.27.155.176
79.88.112.206
83.239.90.244
89.39.83.177
89.69.138.91
92.84.13.131
93.190.137.5
95.57.118.56
96.44.143.179
103.31.251.202
108.81.248.139
109.24.255.129
112.222.201.43
115.28.39.216
128.101.154.25
128.199.235.196
130.255.185.19
147.249.171.10
152.46.17.236
162.243.39.118
167.15.26.219
167.120.25.43
171.76.101.11
175.107.192.56
176.53.125.6
181.41.194.253
184.154.170.10
185.9.159.205
186.194.39.139
186.202.184.178
186.214.212.64
188.165.91.216
188.168.142.57
193.17.184.247
194.209.82.222
203.235.181.138
208.167.238.115
209.203.50.200
222.218.13.91

Wednesday, 24 April 2013

"New Secure Message" spam / pricesgettos.info

This spam leads to malware on pricesgettos.info:

Date:      Wed, 24 Apr 2013 16:41:50 +0100 [11:41:50 EDT]
From:      Cooper.Anderson@csiweb.com
Subject:      New Secure Message Received from Cooper.Anderson@csiweb.com

New Secure Message
Respective [redacted],

You have received a new secure message from Cooper.Anderson@csiweb.com.

If you are using the Secure Message Plugin in Lotus Notes this message will be in your SecureMessages Inbox.

If you are NOT using the Secure Message Plugin, you are able to view it by clicking https://www.csiweb.com/5890424-13QZUR797870/?inbox_idf3795430A7NO9 to retrieve your secure message or to begin using the convenient Lotus Notes Plugin.


Sincerely Yours,

CSIe
The link displayed in the email is fake and actually goes to a legitimate (but hacked) site and is then forwarded to the Blackhole payload site at [donotclick]pricesgettos.info/news/done-heavy_hall_meant.php (report here) hosted on the following IPs:

1.235.183.241 (SK Broadband, Korea)
130.239.163.24 (Umea University, Sweden)
155.239.247.247 (Centurion Telkom, South Africa)
202.31.139.173 (Kum oh National University of Technology, Korea)
203.64.101.145 (Taiwan Academic Network, Taiwan)

Blocklist:
1.235.183.241
130.239.163.24
155.239.247.247
202.31.139.173
203.64.101.145
airtrantran.com
antidoterskief.net
app-smartsystem.com
app-smart-system.com
basic-printers.com
bbb-complaint.org
buyersusaremote.net
condalinaradushko5.ru
conficinskiy.ru
contonskovkiys.ru
cormoviesutki.ru
curilkofskie.ru
dataprocessingservice-alerts.com
dataprocessingservice-reports.com
docudat.ru
dyntic.com
egetraktovony.ru
excuticoble.ru
exrexycheck.ru
fenvid.com
freedblacks.net
gangrenablin.ru
gatareykahera.ru
independinsy.net
janefgort.net
klosotro9.net
libertyusadist.info
mortalsrichers.info
mortolkr4.com
peertag.com
pricesgettos.info
ricepad.net
securitysmartsystem.com
tempandhost.com
thesecondincomee.com
zonebar.net



Monday, 22 April 2013

"Loss Avoidance Alerts" spam / tempandhost.com

I haven't seen this particular spam before. It leads to malware on tempandhost.com:

Date:      Tue, 23 Apr 2013 05:41:32 +0900 [16:41:32 EDT]
From:      personableop641@swacha.org
Subject:      4/22/13 The Loss Avoidance Alerts that you requested are now available on the internet

Loss Avoidance Alert System

April 22, 2013
  
Loss Avoidance Report:
The Loss Avoidance Alerts that was processed are now available   on a secure website at:

www.lossavoidancealert.org

http://www.lossavoidancealert.org

Alerts:

CL0017279 – Sham Checks (ALL)

Note: If the Alert Number does not appear on the Home Page - just go to the top left Search Box,
enter the Alert Number and hit Go.


Thank you for your participation!
Loss Avoidance Alert System Administrator

This email is confidential and intended for the use of the individual to whom it is addressed.  Any views or opinions presented are solely
those of the author and do not necessarily represent those of SWACHA-The Electronic Payments Resource.   SWACHA will not be held
responsible for the information contained in this email if it is not used for its original intent.  Before taking action on any information contained
in this email, please consult legal counsel.   If you are not the intended recipient, be advised that you have received this email in error and that any use,
dissemination, forwarding, printing or copying of this email is strictly prohibited.
If you received this email in error, please contact the sender.



The link in the email appears to point to www.lossavoidancealert.org but actually goes through a legitimate hacked site (in this case [donotclick]samadaan.com/wp-content/plugins/akismet/swacha.html) to a landing page of [donotclick]tempandhost.com/news/done-heavy_hall_meant.php or [donotclick]tempandhost.com/news/done-meant.php (sample report here and here) which is.. err.. some sort of exploit kit or other. It doesn't seem to be responding well to analysis tools, which could either indicate overloading or some trickery, most likely something very like this. Anyway, tempandhost.com is hosted on the following servers:

1.235.183.241 (SK Broadband Co Ltd, Korea)
46.183.147.116 (Serverclub.com, Netherlands)
155.239.247.247 (Centurion Telkom, South Africa)
202.31.139.173 (Kum oh National University of Technology, Korea)

The WHOIS details indicate that this is the Amerika crew:

   Administrative Contact:
   clark, emily                twinetourt@aol.com
   38b butman st
   beverly, MA 01915
   US
   9784734033

Blocklist:
1.235.183.241
46.183.147.116
155.239.247.247
202.31.139.173
airtrantran.com
antidoterskief.net
basic-printers.com
bbb-complaint.org
buyersusaremote.net
condalinaradushko5.ru
conficinskiy.ru
contonskovkiys.ru
cormoviesutki.ru
curilkofskie.ru
dataprocessingservice-alerts.com
dataprocessingservice-reports.com
dyntic.com
excuticoble.ru
fenvid.com
fenvid.com
gatareykahera.ru
hurienothing.ru
independinsy.net
klosotro9.net
libertyusadist.info
mortalsrichers.info
peertag.com
ricepad.net
securitysmartsystem.com
tempandhost.com
thesecondincomee.com
zonebar.net


Wednesday, 17 April 2013

BBB Spam / freedblacks.net

Another BBB spam run today, although this time not an RU:8080 spam we saw earlier but an "Amerika" spam run instead. Interestingly, both mis-spell "Beareau" which indicates they are using the same software, even if they are different gangs. The link in the email leads to malware on freedblacks.net.

Date:      Wed, 17 Apr 2013 21:20:20 +0800 [09:20:20 EDT]
From:      BBB [bridegroomc@m.bbb.org]
Subject:      Better Business Beareau accreditation Cancelled P5088819
Case No. P5088819

Respective Owner/Responsive Person:

The Better Business Bureau has been registered the above said claim letter from one of your users as regards their business contacts with you. The information about the consumer's worry are available for review at a link below. Please pay attention to this issue and inform us about your sight as soon as possible.

We amiably ask you to click and review the APPEAL REPORT to respond on this claim letter. Click here to be taken directly to your report today:
http://www.bbb.org/business-claims/customercare/report-02111671

If you think you recieved this email by mistake - please forward this message to your principal or accountant

We are looking forward to your prompt answer.

Looking for info on additional ways your BBB Accreditation can boost your business? Visit the BBB SmartGuide.
Sincerely,

Ian Wilson - Online Communication Specialist

bbb.org - Start With Trust

The link goes to a legitimate hacked site and then to a malicious landing page at [donotclick]freedblacks.net/news/agency_row_fixed.php (report here) hosted on the following IPs:


65.34.160.10 (Comcast, US)
94.249.206.117 (GHOSTnet, Germany)
155.239.247.247 (Centurion Telkom, South Africa)
173.234.239.60 (Nobis Technology Group, US)

Blocklist:
65.34.160.10
94.249.206.117
155.239.247.247
173.234.239.60
airtrantran.com
basic-printers.com
bbb-complaint.org
buyersusaremote.net
condalinaradushko.ru
conficinskiy.ru
confideracia.ru
coretec.pl
cormoviesutki.ru
dailypost.pl
dataprocessingservice-alerts.com
dataprocessingservice-reports.com
dyntic.com
elmara.ru
excuticoble.ru
fenvid.com
freedblacks.net
fxtv.pl
gardeningexplains.biz
gatoversignie.ru
hurienothing.ru
independinsy.net
janefgort.net
klosotro9.net
miniscule.pl
nulio.ru
programcam.ru
ricepad.net
seantit.ru
securitysmartsystem.com
techzoom.pl
thesecondincomee.com



Friday, 22 March 2013

Wire Transfer spam / dataprocessingservice-alerts.com

This fake Wire Transfer spam leads to malware on dataprocessingservice-alerts.com:

Date:      Fri, 22 Mar 2013 10:42:22 -0600
From:      support@digitalinsight.com
Subject:      Terminated Wire Transfer Notification - Ref: 54133

Immediate Transfers Processing Service

STATUS Notification
The following wire transfer has been submitted for approval. Please visit this link to review the transaction details (ref '54133' submitted by user '[redacted]' ).
TRANSACTION SUMMARY:

Initiated By: [redacted]

Initiated Date & Time: 2013-03-21 4:00:46 PM PST

Reference Number: 54133

For addidional info visit this link
The payload is at [donotclick]dataprocessingservice-alerts.com/kill/chosen_wishs_refuses-limits.php  (report here) hosted on:

24.111.157.113 (Midcontinent Media, US)
58.26.233.175 (TMNet, Malaysia)
155.239.247.247 (Centurion Telkom, South Africa)

Blocklist:
24.111.157.113
58.26.233.175
155.239.247.247
bestffriendquotes.com
buxarsurf.net
buyersusaremote.net
cyberage-poker.net
dataprocessingservice-alerts.com
fenvid.com
heavygear.net
hotels-guru.net
neo-webnet.com
openhouseexpert.net
picturesofdeath.net
plussestotally.biz
rockbandsongs.net
teenlocal.net
webpageparking.net

Thursday, 21 March 2013

"Data Processing Service" spam / airtrantran.com

This spam leads to malware on

Date:      Thu, 21 Mar 2013 15:55:22 +0000 [11:55:22 EDT]
From:      Data Processing Service [customerservice@dataprocessingservice.com]
Subject:      ACH file ID "973.995"  has been processed successfully

Files Processing Service

SUCCESS Notification
We have successfully complete ACH file 'ACH2013-03-20-8.txt' (id '973.995') submitted by user '[redacted]' on '2013-03-20 23:24:14.9'.
FILE SUMMARY:
Item count: 21
Total debits: $17,903.59
Total credits: $17,903.59

For addidional info    review it here

24.111.157.113 (Midcontinent Media, US)
58.26.233.175 (TMnet, Malaysia)
109.74.61.59 (Ace Telecom, Hungary)
155.239.247.247 (Centurion Telkom, South Africa)

Blocklist:
24.111.157.113
58.26.233.175
109.74.61.59
155.239.247.247
airtrantran.com
basic-printers.com
bestffriendquotes.com
buxarsurf.net
buyersusaremote.net
crackedserverz.com
cyberage-poker.net
dyntic.com
fenvid.com
heavygear.net
hotels-guru.net
openhouseexpert.net
picturesofdeath.net
plussestotally.biz
ricepad.net
rockbandsongs.net
smartsecurityapp.com
teenlocal.net
webpageparking.net

Monday, 18 March 2013

Malware spam "New Pope Sued For Not Wearing Seat Belt In Popemobile" / webpageparking.net

This pope themed spam leads to malware on webpageparking.net:

Date:      Mon, 18 Mar 2013 20:20:54 +0200
From:      "CNN Breaking News" [BreakingNews@mail.cnn.com]
Subject:      Opinion: New Pope Sued For Not Wearing Seat Belt In Popemobile ... - CNN.com


Powered by    
* Please note, the sender's email address has not been verified.

You have received the following link from BreakingNews@mail.cnn.com:    
       
Click the following to access the sent link:
       
New Pope Sued For Not Wearing Seat Belt In Popemobile ... - CNN.com*
   
   
Get your EMAIL THIS Browser Button and use it to email content from any Web site. Click here for more information.
   
   
*This article can also be accessed if you copy and paste the entire address below into your web browser.
by clicking here

The link goes through a legitimate hacked site and leads to a malicious payload at [donotclick]webpageparking.net/kill/borrowing_feeding_gather-interesting.php (report here) hosted on:
24.111.157.113 (Midcontinent Media, US)
58.26.233.175 (TMnet, Malaysia)
109.74.61.59 (Ace Telecom KFT, Hungary)
155.239.247.247 (Centurion Telkom, South Africa)

BLOCKLIST:
24.111.157.113
58.26.233.175
109.74.61.59
155.239.247.247
buxarsurf.net
buyersusaremote.net
cyberage-poker.net
fenvid.com
gatovskiedelishki.ru
heavygear.net
hotels-guru.net
openhouseexpert.net
picturesofdeath.net
plussestotally.biz
porftechasgorupd.ru
sawlexmicroupdates.ru
secureaction120.com
secureaction150.com
teenlocal.net

UPDATE: another version of this is doing the rounds with a subject "Opinion: Can New-Pope Benedict be Sued for the Sex Abuse Cases? - CNN.com"

Friday, 17 September 2010

Networking4Africa.com - scam, spam or Joe Job?

Update: networking4africa.com's response is at the bottom of this post

One of the more interesting things that popped into my spam filter today was this.. at first glance it appears to be some sort of MLM scam spam:
From: steve@networking4.africa.com
Reply-To: steve@networking4.africa.com
Date: 17 September 2010 10:41
Subject: WOW 6 grand a month from your home

STOP!!! what your doing...do you know 3 people that have  $15.00?

And do those people know 3 people that have $15.00?

and what about those people and the ones after that? Join Me With 3 subscribers

and when each subscriber does the same through 10 levels

your income would be $63,982.50 per month

http://www.networking4africa.com

Join Now Pay Nothing Until  September 1st.

just get in now before we open to the public.

What if you just did 10% of that.
could you use and extra $6300.00 a month?****
all that for $15.00....
WoW that's the power of People Knowing People, Knowing People Knowing People....

www.networking4africa.com

Steven McGregor Owner and Ceo of www.Networking4africa.com and www.networking4afica.net
[personal address redacted]
+27.[personal number redacted]

Chat with me on face book http://www.facebook.com/smcgregor3

www.networking4africa.com

Please Note You will get Very rich with This program
So wtf is this? It looks like it is promoting a site called networking4africa.com (and networking4africa.net) which does exist (but more of that in a moment). But there are a couple of anomalies (highlighted) where the domain is quoted wrongly.. kind of odd for a promotional message. Oh, and September 1st is long gone..

Another odd thing is the inclusion of a telephone number and full postal, because be in no doubt that this email is spam. Typically we see this sort of thing when a Joe Job is in progress.. in other words, the spam is being sent maliciously by a third party and the telephone number is included to cause harassment for the victim.

The email originates from 216.59.18.30 which is a dedicated server some outfit called WebExxpurts who are assigned 216.59.18.0/24. A look around the netblock shows something interesting though, a site called iunmetered.com a few IPs away at 216.59.18.10 which is an anonymous VPN service. Given that the originating IP for the spam is a dedicated server (which appears to have no active web sites)  then there's a fair possibility that someone is using iunmetered.com to mask their IP address. But why mask your IP address if you are including a telephone number? It seems bizarre, and again perhaps evidence that "Steven McGregor" did not send the email.

Networking4Africa.com itself is hosted on 12.201.193.120 (a completely different network from the email sender), and the WHOIS details do largely match the ones in the spam, but that proves nothing. But now the plot thickens..

12.201.193.120 is in an IP address range which is allocated to "TEK CHANNEL CONSULTING LLC DBA WHOLSALE BANDWITH" (sic). Tek Channel / Wholesale Bandwidth are a very well known spam-friendly firm that has a ROKSO file at Spamhaus. This range has then been reassigned again to Global Virtual Opportunities Inc of Schert, Texas. This range forms part of AS46549 which has been fingered by Google as being pretty evil:

What happened when Google visited sites hosted on this network?

    Of the 2755 site(s) we tested on this network over the past 90 days, 371 site(s), including, for example, dontforward.com/, helpfulbackpaintips.com/, ultimatesneakers.com/, served content that resulted in malicious software being downloaded and installed without user consent.

    The last time Google tested a site on this network was on 2010-09-17, and the last time suspicious content was found was on 2010-09-16.

Has this network hosted sites acting as intermediaries for further malware distribution?

    Over the past 90 days, we found 16 site(s) on this network, including, for example, latenightwarriors.com/, tricitieslifeinsurance.com/, networkonlinereviews.com/, that appeared to function as intermediaries for the infection of 67 other site(s) including, for example, ccll-gtyarmouth.co.uk/, rogersvillelifeinsurance.com/, mediascout.kr/.

Has this network hosted sites that have distributed malware?

    Yes, this network has hosted sites that have distributed malicious software in the past 90 days. We found 16 site(s), including, for example, aardvarkville.com/, extraganancias.com/, latenightwarriors.com/, that infected 253 other site(s), including, for example, meb.gov.tr/, anakku.com/, tottochan.jp/.


In other words, this doesn't  look like the sort of place a legitimate web site would want to be hosted.
But then what about networking4africa.com itself? Does it tally with the ridiculous "get rich quick" scheme outlined in the email?

It turns out that the site offers an MLM program which gives part of its proceeds to charity. Now, I've never come across any MLM program that is not some sort of scam.. either an out-and-out Ponzi or something that simply fails to deliver what it seems to be promising.

The basic deal is that you join up for $15 of which $5 goes into a fund called the "Helping Portion" which is meant to eventually help children in Africa. What you get for this is unclear, but on the "Products" page are a couple of eBooks (you know the sort of thing).The idea is that if you sign up enough people then you can make a shedload of cash, and some of this will go to the "helping portion".

It gives an example that if 88,572 joined, then it woudl generate $442,860.00 a month for these good causes. But then if 88,572 people simply ponied up $5 a month to Oxfam or a similar charity then it would also generate $442,860.00 a month without participating in some crappy MLM scheme.

And yes.. it is a crappy MLM scheme that is little other than a pyramid scam, according to its own description:

Commissions are paid through a simple unlimited width, 10 level matrix.

This means that you can introduce as many Subscribers as you want and they will appear on your level 1. The subscribers that they refer will be on your level 2 and so on.

You will receive commissions at the following rates for each level:
Level 1 - $2.00
Level 2 - $0.75
Level 3 - $0.75
Level 4 - $0.50
Level 5 - $0.50
Level 6 - $0.50
Level 7 - $0.50
Level 8 - $0.50
Level 9 - $0.75
Level 10 - $0.75

As an example, if you were to only introduce 3 Subscribers and each Subscriber did the same through 10 levels, your income would be $63,982.50 per month. Results will vary from person to person but with a deep matrix your income can be very stable and with unlimited width your potential income is unlimited. 
That's 1 - 3 - 9 - 27 - 81 - 243 - 729 - 2187 - 6561 - 19683 - 59049. Having difficulties visualising that? Well, it looks like this:

..wait, isn't that one of these..?

..yup, it looks like a Pyramid to me.

Now, I don't know South African law and I have absolutely no idea to the legality of this scheme.. but legal or not, it is certainly bullshit and dangling the carrot of starving African children is nothing short of dispicable.

Which brings us full circle to the spam email.. it does bear all the hallmarks of a Joe Job, but the target site is a stain on the Internet anyway..

Update: Steven McGregor emailed me to say:

I apologise for the spam e-mail that you received. We have been under attack by a spammer based in the Philippines who has been trying to shut us down, but I believe that we have put a stop to it now.
Just a couple of points:

    * The email address that you show in the article does not exist and never has.
    * If you look at the full header of the e-mail you will notice that it did not originate from our domain or IP.
    * We have authentication protection so it you contact our provider they will verify the above.
    * If it was a marketing e-mail their would have been a referral link.
    * If I was going to spam I would not include my personal contact details.



[...] We have had everything that we are doing confirmed by an actuary and I don't really care to go into details. The site and our actions cover this sufficiently.[...] Network Marketing is a completely legal business model and not a pyramid scheme.