
Wednesday, 19 April 2017

Malware spam: "Copy of your 123-reg invoice" / no-reply@123-reg.co.uk

This fake financial spam does not come from 123-Reg (nor is it sent to 123-Reg customers). It has a malicious attachment.

From     no-reply@123-reg.co.uk
Date     Wed, 19 Apr 2017 17:19:51 +0500
Subject     Copy of your 123-reg invoice ( 123-093702027 )

Hi [redacted],

Thank you for your order.

Please find attached to this email a receipt for this payment.

Help and support

If you are still stuck why not contact our support team? Simply visit our 123-reg
Support Centre and click on the Ask a Question tab.

Thank you for choosing 123-reg.

The 123-reg team.
https://www.123-reg.co.uk
The invoice number is randomly generated. The attachment is a PDF file with a name matching the invoice number (e.g. 123-093702027-reg-invoice.pdf).

This PDF file appears to drop an Office document according to VirusTotal results.

Hybrid Analysis shows the document dropping a malicious executable with a detection rate of 15/61. It appears to contact the following IPs (some of which also host legitimate sites):

216.87.186.15 (Affinity Internet, US)
216.177.132.93 (Alentus Corporation, US)
152.66.249.132 (Budapest University of Technology and Economics, Budapest)
85.214.113.207 (Strato AG, Germany)
192.184.84.119 (RamNode LLC, US)

The general prognosis seems to be that this is dropping the Dridex banking trojan.

Recommended blocklist:
216.87.186.15
216.177.132.93
152.66.249.132
85.214.113.207
192.184.84.119



Monday, 17 April 2017

Malware spam: "RE: RE: ftc refund" / secretary@ftccomplaintassistant.com

This fake FTC email leads to malware. Curiously, it was sent to a company that had received a multimillion-dollar FTC fine, but this is almost certainly a coincidence.

From:    Federal Trade Commission [secretary@ftccomplaintassistant.com]
Date:    17 April 2017 at 15:25
Subject:    RE: RE: ftc refund


It seems we can claim a refund from the FTC.
Check this out and give me a call.
https://www.ftc.gov/refunds/company/companyname.com/FTC_refund_recipientname.doc
Thank you
James Newman
Senior Accountant
secretary@ftccomplaintassistant.com
212-0061570

The link in the email actually goes to a URL beginning http://thecomplete180.com/view.php?id= followed by a Base64-encoded string that appears to be 6281 + recipient email address + 5434 (so for president@whitehouse.gov it would be http://thecomplete180.com/view.php?id=NjI4MXByZXNpZGVudEB3aGl0ZWhvdXNlLmdvdjU0MzQ=).
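The id parameter can be unpacked mechanically, which is handy for working out which of your users were sent the lure once the URL turns up in proxy logs. The following is an added example, not code from the original post: it assumes the 6281/5434 wrapper described above holds for every message, uses only the Python standard library, and scans a few constructed proxy-log lines (the second address is invented).

```python
import base64
import binascii
from urllib.parse import parse_qs, urlparse

# Wrapper values observed in the lure: Base64("6281" + recipient + "5434").
PREFIX = "6281"
SUFFIX = "5434"
LURE_HOST = "thecomplete180.com"


def decode_tracking_id(encoded):
    """Return the recipient address hidden in an id= value, or None if the
    value is not valid Base64 or does not carry the 6281...5434 wrapper."""
    try:
        raw = base64.b64decode(encoded, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None
    if not (raw.startswith(PREFIX) and raw.endswith(SUFFIX)):
        return None
    recipient = raw[len(PREFIX):len(raw) - len(SUFFIX)]
    return recipient if "@" in recipient else None


def recipient_from_url(url):
    """Pull the id parameter out of a full lure URL and decode it."""
    query = parse_qs(urlparse(url).query)
    ids = query.get("id")
    return decode_tracking_id(ids[0]) if ids else None


def expected_id(recipient):
    """Build the id= value the lure would carry for a known address, so a
    defender can search proxy logs for that exact string."""
    return base64.b64encode(f"{PREFIX}{recipient}{SUFFIX}".encode()).decode()


def targeted_recipients(log_lines):
    """Scan whitespace-separated proxy-log lines for hits on the lure host and
    return the decoded recipient addresses (the mailboxes to go and check)."""
    found = []
    for line in log_lines:
        for token in line.split():
            if LURE_HOST in token and "view.php" in token:
                recipient = recipient_from_url(token)
                if recipient and recipient not in found:
                    found.append(recipient)
    return found


# Constructed proxy-log lines for the example; the second address is invented.
SAMPLE_LOG = [
    "2017-04-17T15:31:02Z 10.0.0.23 GET "
    "http://thecomplete180.com/view.php?id=NjI4MXByZXNpZGVudEB3aGl0ZWhvdXNlLmdvdjU0MzQ= 200",
    "2017-04-17T15:32:40Z 10.0.0.51 GET http://thecomplete180.com/view.php?id="
    + expected_id("alice@example.com") + " 200",
    "2017-04-17T15:33:01Z 10.0.0.51 GET http://www.example.com/ 200",
]

if __name__ == "__main__":
    for recipient in targeted_recipients(SAMPLE_LOG):
        print("lure fetched for", recipient)
```

The decoder refuses anything that is not valid Base64 or lacks the wrapper, so a changed campaign shows up as "no recipient" rather than as garbage in a ticket; `expected_id` goes the other way and produces the exact string to grep for when you already know who received the email.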

Obviously this downloaded document is up to no good, but the VirusTotal detection rate is only 5/56. The Word document itself tries to persuade victims to enable macros, which would be a bad idea.


Automated analysis [1] [2] shows network traffic to:

wasstalwihis.com/bdk/gate.php
littperevengpa.com/ls5/forum.php
littperevengpa.com/mlu/forum.php
littperevengpa.com/d1/about.php
hybridinformatica.com.br/blog/wp-content/themes/twentyeleven/inc/a1
hybridinformatica.com.br/blog/wp-content/themes/twentyeleven/inc/1
hybridinformatica.com.br/blog/wp-content/themes/twentyeleven/inc/2


It also appears to start sending traffic via Tor, which is a good reason to monitor Tor on your network. All sorts of files are dropped, most of which don't seem to be particularly malicious. "gate.php" indicates a Pony downloader, but this does look like a tricky bugger.

Out of the domains contacted, littperevengpa.com and wasstalwihis.com share the same registrant details and look fairly evil. The same registrant can be associated with the following domains:

soinwarep.com
ronwronsednot.com
withwasnothar.com
dingandrinfe.com
troverylit.com
derby-au.com
utonerutoft.com
situghlacsof.com
tinjecofsand.com
fortotrolhec.com
fydoratot.com
redwronwassdo.com
ronkeddari.com
littperevengpa.com
suranfortrep.com
newbillingplace.com
usps-daily-delivery.com
ringcentral-fax-inbox.com
wassheckgehan.com
wasstalwihis.com
meredondidn.com
satertdiut.com
vernothesled.com
veuntedund.com
ranwithtorsdo.com
notwipaar.com
dintrogela.com
adp-monthly-billling.com
rigakeddo.com
random-billing.com
hetoftinbut.com
hemlittratdidn.com

Perhaps more usefully, we can associate that registrant with the following IPs:

178.170.189.254 [hostname: nejokexulag.example.com] (Servachok Ltd, Russia)
185.146.1.4 (PS Internet Company LLC, Kazakhstan)
185.48.56.63 (Sinarohost, Netherlands)
185.80.53.76 (HZ Hosting, Bulgaria)
188.127.237.232 (SmartApe, Russia)
193.105.240.2 (Sia Vps Hosting, Latvia)
194.1.239.63 [hostname: nejokexulag.example.com] (Internet Hosting Ltd, Russia)
195.54.163.94 (PE Dobrogivskiy Muroslav Petrovich, Ukraine)
212.116.113.108 (Prometey Ltd, Russia)
46.148.26.87 [hostname: nejokexulag.infium.net] (Infium UAB, Ukraine)
47.90.202.88 (Alibaba.com, China)
77.246.149.100 [hostname: nejokexulag.e-vds.ru] (E-planet Ltd, Russia)
87.118.126.207 (Keyweb AG, Germany)
88.214.236.158 (Overoptic Systems, Russia)
91.230.211.67 [hostname: nejokexulag.freeopti.ru] (Optibit LLC, Russia)
93.189.43.36 (NTCOM, Russia)

This gives us a pretty useful minimum blocklist:

178.170.189.254
185.146.1.4
185.48.56.63
185.80.53.76
188.127.237.232
193.105.240.2
194.1.239.63
195.54.163.94
212.116.113.108
46.148.26.87
47.90.202.88
77.246.149.100
87.118.126.207
88.214.236.158
91.230.211.67
93.189.43.36




Thursday, 13 April 2017

Malware spam: "Company Documents" / WebFilling@companieshousemail.co.uk and companieshouseemail.co.uk plus others

This spam email does not come from Companies House, but is instead a simple forgery with a malicious attachment:

From:    Companies House [WebFilling@companieshousemail.co.uk]
Date:    13 April 2017 at 11:10
Subject:    Company Documents
Signed by:    companieshousemail.co.uk




Company Documents

This message has been generated in response to the company complaint submitted to Companies House WebFiling service.

Please note: all forms must be answered or the form will be returned.

Service Desk tel +44 (0)303 8097 432 or email enquiries@companieshouse.gov.uk

Note: This email was sent from a notification-only email address which cannot accept incoming email. Please do not reply directly to this message.
 
Companies House 
Crown way
Maindy
Cardiff
CF14 3UZ



Attachment: Documents.doc (48K)



---

I observed the email coming from the fake domains companieshousemail.co.uk and companieshouseemail.co.uk, but it looks like there may be more. Email is being sent from servers in the 94.237.36.0/24 range (Upcloud Ltd, Finland) and I can see other servers set up to do the same thing:

companieshouseemail.co.uk  94.237.36.104
companieshouseemail.co.uk  94.237.36.145
companieshousemail.co.uk  94.237.36.146
companieshousemail.co.uk  94.237.36.147
companieshousesecure.co.uk  94.237.36.150
companieshousesecure.co.uk  94.237.36.151


Blocking email from the entire 94.237.36.0/24 range at least temporarily might be prudent.
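One way to catch domains of this kind before they reach a blocklist is to compare both the sender domain and the display name against a short list of the brands being impersonated. The following is an added example, not code from the original post; the allowlist of legitimate domains (companieshouse.gov.uk, 123-reg.co.uk, dhl.com, ftc.gov) and the From: headers it is run against are taken from the posts on this page, plus one harmless constructed header.

```python
import re

# Legitimate sender domains for the brands impersonated on this page
# (a constructed allowlist for the example; extend it for your own environment).
LEGITIMATE = {
    "companieshouse": {"companieshouse.gov.uk"},
    "123-reg": {"123-reg.co.uk"},
    "dhl": {"dhl.com"},
    "ftc": {"ftc.gov"},
}

ADDRESS_RE = re.compile(r"(?:mailto:)?([\w.+-]+@[\w.-]+)", re.I)


def flatten(text):
    """Drop dots, hyphens and spaces so 'companies-house-mail' compares equal
    to 'companieshousemail'."""
    return re.sub(r"[.\s-]", "", text.lower())


def split_from(from_header):
    """Split a From: header as shown in these posts ('Name [addr]', 'Name <addr>'
    or a bare address) into (display name, address)."""
    m = ADDRESS_RE.search(from_header)
    address = m.group(1).lower() if m else ""
    display = re.split(r"[\[<]", from_header, maxsplit=1)[0].strip()
    if display.lower() == address:
        display = ""
    return display, address


def classify_sender(from_header):
    """Return one of: 'legitimate', 'lookalike-domain',
    'brand-in-display-name', 'unrelated'."""
    display, address = split_from(from_header)
    domain = address.rsplit("@", 1)[-1] if "@" in address else ""
    flat_domain, flat_display = flatten(domain), flatten(display)
    for brand, good_domains in LEGITIMATE.items():
        token = flatten(brand)
        # A brand string inside the sending domain that is not the real domain.
        if token in flat_domain:
            return "legitimate" if domain in good_domains else "lookalike-domain"
        # A brand in the display name while the address is somewhere else entirely.
        if token in flat_display:
            return "legitimate" if domain in good_domains else "brand-in-display-name"
    return "unrelated"


# From: headers taken from the posts on this page plus one harmless constructed one.
SAMPLE_HEADERS = [
    "Companies House [WebFilling@companieshousemail.co.uk]",
    "WebFilling@companieshousesecure.co.uk",
    "Companies House [enquiries@companieshouse.gov.uk]",
    "DHL Parcel [mailto:info@glaefcke.de]",
    "Federal Trade Commission [secretary@ftccomplaintassistant.com]",
    "no-reply@123-reg.co.uk",
    "Jenna Goff <jenna@example.net>",
]

if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        print(f"{classify_sender(header):22} {header}")
```

Note the limits of a string check: the 123-reg spam at the top of this page spoofs the real 123-reg.co.uk domain outright and so comes back as "legitimate" here, and a short brand token such as "ftc" will also fire on unrelated domains that happen to contain those three letters, so results are a triage signal rather than a verdict.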

The WHOIS details for these indicate they were registered today with presumably fake details, which Nominet has nonetheless somehow "verified".

Registrant:
Charlene hogg

Registrant type:
Unknown

Registrant's address:
37 Maberley Road
London
SE19 2JA
United Kingdom

Data validation:
Nominet was able to match the registrant's name and address against a 3rd party data source on 13-Apr-2017

Registrar:
GoDaddy.com, LLP. [Tag = GODADDY]
URL: http://uk.godaddy.com

Relevant dates:
Registered on: 13-Apr-2017
Expiry date:  13-Apr-2019
Last updated:  13-Apr-2017

Registration status:
Registered until expiry date.

Name servers:
ns29.domaincontrol.com
ns30.domaincontrol.com

All the attachments I have seen are the same, with a current detection rate of 6/55. Hybrid Analysis of the document shows it downloading a component from shuswapcomputer.ca/images/banners/bannerlogo.png, and a malicious executable %APPDATA%\pnwshqr.exe is dropped with a detection rate of 14/62.

Automated analysis of the binary [1] [2] shows potentially malicious traffic going to:

107.181.161.221 (Total Server Solutions, US)
185.25.51.118 (Informacines sistemos ir technologijos UAB aka bacloud.com, Lithuania)


There are probably other destinations too. The payload appears to be Dyre / Dyreza.

Recommended blocklist:
94.237.36.0/24 (temporary email block only)
shuswapcomputer.ca
185.25.51.118
107.181.161.221
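The three blocklists above (the 123-reg/Dridex run, the FTC lure and this Companies House run) are easier to act on as one matcher than as three lists to eyeball. The following is an added example, not code from the original posts: it folds all three lists into one scan over constructed firewall, proxy and mail-server log lines, and keeps the 94.237.36.0/24 range tagged as an SMTP-only indicator, since the post recommends blocking mail from it rather than all traffic.

```python
import ipaddress
import re

# Indicators collected from the recommended blocklists in the three posts above.
IOC_IPS = [
    # "Copy of your 123-reg invoice" (Dridex)
    "216.87.186.15", "216.177.132.93", "152.66.249.132", "85.214.113.207", "192.184.84.119",
    # "RE: RE: ftc refund" registrant pivot
    "178.170.189.254", "185.146.1.4", "185.48.56.63", "185.80.53.76", "188.127.237.232",
    "193.105.240.2", "194.1.239.63", "195.54.163.94", "212.116.113.108", "46.148.26.87",
    "47.90.202.88", "77.246.149.100", "87.118.126.207", "88.214.236.158", "91.230.211.67",
    "93.189.43.36",
    # "Company Documents" (Dyre)
    "107.181.161.221", "185.25.51.118",
]
# The Companies House sender range is a mail block only, so it carries its own scope.
IOC_NETS = {"94.237.36.0/24": "smtp"}
IOC_DOMAINS = ["wasstalwihis.com", "littperevengpa.com", "shuswapcomputer.ca"]

# Single IPs become /32 networks so everything is matched by containment.
NETWORKS = [(ioc, ipaddress.ip_network(ioc), "network") for ioc in IOC_IPS]
NETWORKS += [(ioc, ipaddress.ip_network(ioc), scope) for ioc, scope in IOC_NETS.items()]

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)


def indicators_in(line):
    """Return sorted (indicator, scope) pairs matched by one log line.
    IPs are matched by containment so /24 entries work; hostnames match the
    domain itself or any subdomain of it."""
    hits = set()
    for text in IPV4_RE.findall(line):
        try:
            ip = ipaddress.ip_address(text)
        except ValueError:  # e.g. 999.1.1.1 slipped through the regex
            continue
        for ioc, net, scope in NETWORKS:
            if ip in net:
                hits.add((ioc, scope))
    for host in HOST_RE.findall(line):
        host = host.lower()
        for dom in IOC_DOMAINS:
            if host == dom or host.endswith("." + dom):
                hits.add((dom, "network"))
    return sorted(hits)


def scan(lines):
    """Return (index, line, hits) for every line that matched an indicator."""
    results = []
    for i, line in enumerate(lines):
        hits = indicators_in(line)
        if hits:
            results.append((i, line, hits))
    return results


# Constructed log lines (firewall, proxy, postfix) for the example.
SAMPLE_LOG = [
    "Apr 19 12:03:11 fw1 DENY TCP 10.1.2.34:51822 -> 216.87.186.15:443",
    "2017-04-17 15:40:02 10.1.2.77 GET http://littperevengpa.com/ls5/forum.php 200",
    "Apr 13 11:10:44 mx1 postfix/smtpd[2211]: connect from unknown[94.237.36.146]",
    "2017-04-13 11:12:09 10.1.2.90 GET http://shuswapcomputer.ca/images/banners/bannerlogo.png 200",
    "Apr 19 12:05:00 fw1 ALLOW TCP 10.1.2.34:51900 -> 192.0.2.10:443",
    "2017-04-17 15:41:15 10.1.2.77 GET http://cdn.wasstalwihis.com/bdk/gate.php 200",
]

if __name__ == "__main__":
    for i, line, hits in scan(SAMPLE_LOG):
        print(f"line {i}: {hits}")
```

Because every entry carries a scope, a hit on 94.237.36.0/24 in a web-proxy log can be triaged differently from the same range appearing in a mail-server log, which keeps the "temporary email block only" qualifier from the post intact in the tooling.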





Tuesday, 11 April 2017

Pump and dump spam: Quest Management Inc (QSMG) stock

Following on from last month's INCT pump and dump spam, the Necurs botnet is now promoting a Latvian company, Quest Management Inc (QSMG), instead.

From:    Jenna Goff
Date:    11 April 2017 at 13:37
Subject:    FDA approval is about to send this stock up fifty fold

Why is Quest Management (Symbol: QSMG) guaranteed to jump 5,000% this month?

They have a cure for cancer.

This biotech is run by some of the most prolific scientists in America. Together, they have more than 400 years of experience in the field and have more diplomas than we can even imagine.

Cancer kills 1 out of 4 people in our country and we have all been affected by it either directly or indirectly.

Who doesn't know someone who's died from it?

The company's scientists are targeting cancer using stem cells. They are able to identify the bad cells and destroy them without radiating the entire body (like is common with chemo).

Apart from saving millions of lives, their treatment will surely become the No1 selling drug on earth.

The company has already made serious headway thanks to nearly two decades of research.

This cutting edge biotech company has completed animal trials successfully and just wrapped up FDA-approved human trials last week.

The next step is the public announcement of those results, which we hear through the grapevine have beat all expectations and will change the world of medicine forever.

The results will be announced this month, and once they are out the stock will jump to $25 a share overnight and will continue up to $50 or more quickly after.

"Quest"'s biotech arm could have a cancer cure that can be totally effective in killing tumors in more than 40% of patients worldwide available in hospitals throughout the globe by the end of the year.

Once that happens, we're talking about a $1000 a share stock.

We're literally coming in at the last mile, out of no where, and grabbing profits from their last 2 decades of hard work.

Consider buying QSMG right now while it's still at under 5 dollars and make sure to tell all your friends to do the same before the price explodes.

You can guarantee that the promise of a future big payout is a lie. For comparison, the INCT stock promoted last month crashed from 13 cents to 3 cents now and the promised buy-out of that company never happened.

But surely this is different? QSMG stock went up 60% yesterday..

Well, as you can see from the chart.. it took a sudden dive and then shot up again. It looks like someone sold 26,000 shares and maybe more (maybe at a discount last week), followed by a small purchase of just 100 shares at apparently a higher price. A casual passer-by might think that that was someone trying to manipulate the stock price.


Financials indicate that QSMG has never really done much in the way of business, and the stock price nosedived from an epic $2000 a share a year ago to less than $2 today.


Market cap is currently quoted at $119m with 70 million shares outstanding, which is a lot for a company with a turnover of a few thousand dollars a quarter. There's a 1000:1 reverse split in there from October. So a year ago, the company appears to have been valued at an even more insane amount.

Probably utterly coincidentally, an agreement was recently made for a legitimate US investment company to acquire 46 million shares of QSMG. Perhaps someone else holding QSMG stock is looking for a payday?

Anyway.. most stocks promoted by pump and dump spam crash and burn. Buying stocks based on a tip from an illegal spam run would be extremely unwise in my personal opinion.

UPDATE 1

We'll probably see several different versions of this illegal botnet-driven spam. Here is the second one..

From:    Lottie Nash
Date:    11 April 2017 at 19:31
Subject:    This biotech has developed a cure for cancer and its shares are soaring.

One of my friends at Goldman told me to buy QSMG this morning.

He is an expert at this stuff and has never let me down before. After researching the company, it seems that he may be right.

I am going to buy 5,000 shares now because it's all I can afford, but you should buy as little or as many as you possibly can...

Their biotech arm, Stemvax has developed a cure for cancer and just completed successful human trials under the FDA's supervision.

The stock has jumped 3X already since last week and is guaranteed to go to at least 20 dollars this month based on his research.

Once QSMG's official announcements for the cure become public, there's no saying how high their share price will go.

I expect some very serious stuff to be announced in the coming 2 weeks. Act quickly so you don't miss out.

UPDATE 2

Another one. Incidentally, the email address used for some of these illegal spam emails appears to have been obtained from CompareTheMarket.com. Nice.

From:    Fay Vinson
Date:    12 April 2017 at 09:19
Subject:    An imminent green light from the fda will send this drug maker soaring.

There are very few times in life when we truly get the chance to be part of something big, and profitable at the same time.

The doctors at QSMG have been working nonstop for more than 20 years to get to this moment a cure for cancer.

They completed animal trials last year which were very positive, and completed human trials just a few days ago with the fda's blessing.

The results are not out yet but according to my sources, the human trials were very successful as well and cancer cells were successfully killed in 40% of all cases.

40% might not seem like a passing grade, but it is above and beyond what everyone was expecting. This makes it the most successful cancer drug on earth, and best of all it is non-invasive.

The results will be announced this month, and once they are out the stock will jump to $25 a share overnight and will continue up to $50 or more quickly after.

Want to feel like a genius? Buy QSMG right now while it's still at just 2 dollars, and wait it out 2 weeks. You will be rewarded handsomely.

UPDATE 3

Another version of this spam is attached below. This "Stemvax" company is not actually part of QSMG, but according to a press release yesterday it's an intended acquisition. I wonder how they're paying for that company? Cash? Stocks? More after this spam..

From:    Araceli Rutledge
Date:    12 April 2017 at 15:34
Subject:    This company found a cure for cancer. Their stock is flying.

This is a super rare opportunity that may never come again. This biotech company has finally found a cure for cancer after more than 20 years of stem cells and immunotherapy research.

They had very positive trials both on animals and humans (according to my sources) where tumors got killed at a rate of 41%

Their medicine is going to change the world once it gets rolled out in a few months. We are awaiting an official announcement form the company in the next couple of weeks, but it seems I am not the only one in the know because their stock has quadrupled since last week.

QSMG is guaranteed to hit 25 bucks a share overnight once they release their announcement to the public. You really need to think about buying shares right now before it shoots up higher.

So.. I was researching this whole takeover thing and also found a similar but rather promotional commentary on a site oracledispatch.com which attributes the bump in QSMG shares to the Stemvax acquisition rather than the spam run.

Quest Management Inc (OTCMKTS:QSMG) had a nice day yesterday moving higher by 15% adding some needed liquidity. The driver for this move came from a Letter of Intent to acquire immunotherapy Biotech company Stemvax, Inc., from Dr. Dwain Morris-Irvin PhD. Upon Closing, Dr. Morris-Irvin will simultaneously become CEO of the newly formed Biotech division of Quest.

Wait a minute. Let's look at that logo on this "news" site.


My goodness, that looks very much like the logo of the entirely unrelated Oracle Corporation.

Anyway, every stock mentioned on that site looks like it could be a part of a paid promotion. That's not illegal per se. Spamming out millions of emails from a botnet of hacked machines is.

UPDATE 4

Another spam.. this time it's a "friend at the FDA" rather than "One of my friends at Goldman". Yeah right.

From:    Teri Dunn
Date:    13 April 2017 at 08:58
Subject:    An imminent event is sending this stock price through the roof.

What if I told you that I know of a company that has actually found a cure for cancer.

They have proven its efficacy in animal tests and have recently just completed their testing on humans.

The results of the tests on the human subjects are not out yet, we are expecting them to become public some time in the next two to three weeks,
but a friend of mine who works at the FDA told me that they are life changing.

It seems that in around forty percent of cases, tumors were successfully destroyed. This number is absolutely huge!
It means that more than a third of the people with cancer can be cured with this therapy.

This is going to change the world, and once the announcement becomes public,
it is guaranteed that their stock price will go to more than 24 to 30 bucks in a matter of hours.

This is why I highly, highly recommend that you buy QSMG as soon as you can today. Get in ahead of the herd.

UPDATE 5

Another one. Perhaps the "I have a good friend who works at the fda" part should read "I have a good friend who is going to jail for securities fraud"?

From:    Socorro Conrad
Date:    13 April 2017 at 18:48
Subject:    Here is a tip that could change your life

I have a good friend who works at the fda, and from time to time he tells me about things before they happen.

This is why I am sending you this message today. Earlier this week he told me about a
company that has found a way to kill cancer tumors in 40% of all breast and prostate cases.

While this isn't a one hundred percent method, it works good enough to save over 50 million lives a year.
The company just completed human trials a couple of weeks ago and have yet to release the results.

Once those positive results hit the public, the company's shares are going to go nuts.

QSMG is currently at under 3 bucks a share. I can guarantee that it will pass 25 to 30 before the end of the
month when those results are out.

Act quickly by getting in now and securing yourself a position ahead of the herd.

UPDATE 6

Surprisingly, the US stock markets are open on Easter Monday so yet another version of this illegal pump-and-dump spam is coming out to prime people. In this case the P&D spam has driven the stock price up.. expect a sharp drop when people realise that it is bullshit.

From:    Milagros Galloway
Date:    17 April 2017 at 09:47
Subject:    This trading idea could tenfold your portfolio this month

In case you missed my email last week, timing is getting very tight now.

You must read on to understand why you must act quickly for your benefit, and the benefit of your friends and family.

If you recall, I told you that I have a friend who works at the food and drug administration who told me about a small company that has just completed human trials for a life-saving cancer therapy.

It seems that in about forty percent in instances, cancer receded. This is an enormous number.

There is nothing else on the market at the moment that can save 40% of patients with breast or prostate cancer.

This drug does.

The small company’s stock is going to go up from 2 dollars to over 30 dollars the moment that this announcement is made public within the next two weeks.

Your window opportunity to buy shares of QSMG is quickly closing. You must act quickly before you miss out.

UPDATE 7

It looks like the bubble has burst on this P&D spam, as there is a note of desperation here..

From:    Alta Stewart
Date:    17 April 2017 at 17:15
Subject:    Do not miss on this chance to triple your money in the market

There is a rare opportunity in the market right now, so rare that it may only happen once in a lifetime.

I have it on good information that a small biotech company is about to receive approval from the f d a for a life-saving medicine.

This medicine is poised to become the next biggest seller in the world as it has just been shown to kill cancer.

This is why there has been a lot of activity surrounding the stock. People are trading it on wrong information, and it's in the red today because of that.

I highly suggest that you buy in right now while fools are getting out, and the stock is cheap because it's going to go up twenty fold in the next 2 weeks

when the public announcement comes out, and the medicine is officially approved. Move quickly though, because otherwise you will miss out.

The opportunity to buy QSMG at these discounts will not last long, and you will regret you didn't jump in when you had the chance.

Yup.. the stock has crashed and burned today. Hardly surprising..


(Even as I am writing this the stock has just crashed below the $1 barrier). Ah well, anyone foolish enough to pay over the odds for this stock has just been burned. But who is actually making money from this stock manipulation?


UPDATE 8

QSMG stock continues to crater, but it hasn't stopped the spammers trying again..

From:    Jesus Cote
Date:    18 April 2017 at 09:39
Subject:    This stock tip is for your eyes only. The chance may never come again

I know of a cutting edge company that has just completed the development of a new life saving medicine. A friend who works at a high position, at a secretive place told me about it.

This medicine has been proven in both lab tests, and human tests to destroy tumors in almost 50% of of instances.

For all practical purposes, I would call it a cure for one of the most deadly diseases of our times.

Being the type of person that I am, I asked myself how we can profit from this information.

The answer is very simple. Within the next week or two, QSMG will make the announcement public and once they do, their stock will go up to over 20 bucks overnight.

So the trick is to grab shares right now, while their price is still dirt cheap and while nobody knows what's about to come.

This is how you get your big break. This is how your life will finally change. Take the leap forward.


---
Best Regards,
Jesus Cote

Yesterday it dropped 73%. It will be interesting to see if it continues its race to the bottom today.

UPDATE 9

After a few days off, the pump and dump spammers are trying again as the share price sticks at 72 cents. It says "This is probably the last time that I will contact you with this information".. we can only hope. Perhaps coincidentally, QSMG announced they are in negotiations to buy another company.

From:    Arlene Sanders
Date:    24 April 2017 at 09:27
Subject:    This time sensitive information could make you very wealthy

If you missed my heads up over this last week and a half, this is finally your time to act because in just 48 hours something big is going to happen.

This is probably the last time that I will contact you  with this information.

My friend at goldman gave me a call over the weekend and told me that the big acquisition we’ve been waiting for is going to occur on Wednesday. The day after tomorrow.

Pfizer is going to complete the purchase of QSMG (a small, public company) at a price of 23.79 dollars a share. For those of you doing the math out there, that's approximately 30 times higher than where the stock is at now.

If you're wondering why it's happening at such a high price, that’s because these guys just completed human trials on a cancer drug which has proved to be effective in around 40% of cases, and big pharma wants this for itself.

I suspect that I am not the only one who might have heard of this news so the stock may start climbing today and tomorrow before the big announcement becomes public on Wednesday evening.

This is quite literally the chance of a lifetime. If you miss out, you'll probably never be able to make 30x on your money so fast again.

Ten grand into QSMG today will turn into a quarter million bucks by Thursday.


***
King Regards,
Arlene Sanders

UPDATE 10

It turns out that the last one wasn't the last one! You might even think that they are lying. And wait.. QSMG doesn't stand for Quest Science Management Gate at all, does it?

From:    Jeanne David
Date:    24 April 2017 at 16:30
Subject:    I have a tip to share with you

In less than 2 days, this stock will go up 20 times overnight.


I've done a lot for you over the years and you've made an insane amount of profits listening to me.

Today and tomorrow is your last chance to seize the opportunity before it disappears.

My good friend who works at a firm I will not mention in upstate NY told me that a big takeover is about to happen.

A little American biopharma company discovered a new treatment for cancerous tumors and one of the biggest companies (starts with a P) is going to announce the official takeover on Wednesday (in 2 days).

The price at which this will happen more than 20 times what their stock is trading at now. Literally at 23 bucks a share from a current 80 cents.

Write this symbol down, it's the first letter of each word: Quest Science Management Gate that's q followed by s then m and g

This is the 4 letter symbol you need to tell your broker you want to buy, or just type it in yourself in your brokerage.

I hope you're ready to make it big. I expect a big thank you and an invite for steak this weekend.




---
Best Regards,
Jeanne David

UPDATE 11

This spam mentions "Wednesday night" as being when this nonexistent takeover of this crappy stock will take place. Will the spam stop then?

From:    Patsy Sandoval
Date:    25 April 2017 at 09:24
Subject:    By tomorrow evening this stock will be twenty times higher

Did you read my urgent email yesterday?

I outlined very specifically a game plan for you to make more than 20 times on your principle within the next 48 hours.

Let me hit you with the gravy and leave out all the boring details… there's a friend of mine who works at a top 50 firm upstate and he was privy to details of a take over.

In a nutshell there is a very large pharmaceutical company (its name starts with a P) who is finalizing the acquisition of a small public corporation that is currently trading at around 80 cents.

The take over price will be a little over 20 bucks and the official announcement is coming tomorrow night (wed night).

They're paying this much for it because of a novel stem cell treatment which eradicates cancer.

I don't need to tell you what will happen to the share price when this announcement hits the news outlets.

The company's trading symbol is Q as in Quest, S as in Sam, M as in Mother, G as in Great.

These are the 4 letters you need to type into your brokerage account to buy the stock or give to your broker over the phone.

Just ten thousand bucks into this will turn into over two hundred grand by Thursday morning.

You need to act quickly though because it seems I may not be the only one with this information, as I am seeing the price creep up a little already since Monday.



-----
Best Regards,
Patsy Sandoval

UPDATE 12

This one claims QSMG's "share price is going through the stratosphere". Umm no, it's just bouncing around in the somewhat volatile pumped range that it has been in all week. In my opinion the true value is probably rather closer to $0.00.



From:    Dante Odonnell
Date:    25 April 2017 at 15:54
Subject:    This company's being acquired tomorrow

Its share price is going through the stratosphere.



The cat might be out of the bag now but there is still a massive opportunity to benefit.

I say that the secret is out because the stock price has gone up two days in a row but the reality is that it must be very few people who know information otherwise it would've gone ten times higher.

In case you missed my message yesterday, here is what is happening.. A big pharma corp is acquiring a minuscule public co and this is happening at a price that is 20 times greater than where it currently is.

This means that if you can put 10 thousand in right now, you will take out 200 grand by Thursday morning.

This info is solid. It comes from an attorney who's a long time friend of mine and who literally saw the acquisition documents with his own eyes.

You must be wondering what the company's trading symbol is, and I will not tease you any longer… it's Q like in Quality, S like in Straight, M like Mary and G like Gold

These four letters together make up the company's ticker and that's what you will need to give to your broker, or type into your online account to purchase the stock.

I highly recommend you do this as quickly as possible because there is no guarantee that the price will remain this low much longer.

I expect it'll continue to rise and rise as the insider information spreads. Nonetheless the potential to benefit is absolutely gigantic here.




-----
Best Regards,
Dante Odonnell

UPDATE 13

If you believe the lies this spam is pushing, QSMG are going to be the subject of a takeover bid by Pfizer today. Obviously this is crap, but the spam still keeps trying to pump the share price up nevertheless.

From:    Reba Sykes
Date:    26 April 2017 at 07:28
Subject:    Your chance to make an amazing move is quickly slipping away

There is reason for excitement. A good friend of mine who works at a high place which I will not name told me about a crazy opportunity...

There is an acquisition about to be completed by a very large company.

They're buying out a small medical firm at more than 20 times what it's currently trading at.

This means that every ten thousand bucks you put in will turn into two hundred grand the moment the announcement becomes public.

The symbol for this company is the first letter of each of the following words: Quick, Should, Must, Get.

These 4 letters are what you must type in to your brokerage account or tell your broker in order to get the shares.

I really, really recommend you move on it quickly because the announcement will become public at any day now and this may be your last chance to get in before it's too late.


-------
Best Wishes,
Reba Sykes

UPDATE 15

This one (the 16th version) says (amongst other crap) "This guy has always been right so far. In fact if you remember, the tip I gave you last year… the one on which you made 15x in 2 weeks was from him. Yes, that's right." Funny I don't remember that particular investment. 'Cos it didn't happen.

From:    Jeromy Humphrey
Date:    26 April 2017 at 14:42
Subject:    This is your opportunity to get a 20 bagger in the market very fast

One of my closest buddies, who happens to be a banker, let me in on a little tip earlier on.

There's this really awesome small bio technology firm which has discovered something ground breaking,

and because of this unprecedented discovery they're about to be bought out for a little over 20 times their current value.

One of the most prominent large firms in America is about to make this news public.

When that happens, the small company's stock is going to virtually go up more than twenty three fold overnight.

Let me put this in perspective for you. It means that every 10 thousand bucks you put in this will turn into almost a quarter million when the news is out.

This guy has always been right so far. In fact if you remember, the tip I gave you last year… the one on which you made 15x in 2 weeks was from him. Yes, that's right.

So before I forget, here is the stock symbol.. It's the 1st letter of each of the following words: Quickly Super Mouse Green

I'm giving it to you in “code” in order to avoid potentially prying eyes, in case you are at the office, a cafe or something.

So with the first letter of each of these words, you've got your four letter symbol.

Input this in your online account to buy the stock or call your broker and give it to him and he will make the purchase for you.

One last thing, I don't know if I am the only one who knows this information so it's possible that the price will go up on other people buying,

but nonetheless if you can get in at under a buck twenty, I really recommend you jump on it as soon as physically possible.



--
Best Wishes,
Jeromy Humphrey



Malware spam: "DHL Urgent Delivery"

This fake DHL spam includes the recipient's real name. In this case it was sent to someone in Germany, but written in English. The malware payload is identical to this one in Polish.

From: DHL Parcel [mailto:info@glaefcke.de]
Sent: Tuesday, 11 April 2017 11:03
To: [redacted]
Subject: DHL Urgent Delivery

YOUR DELIVERY IS TODAY


Hi, [redacted]

The scheduled delivery is Tue Apr 11 2017 before End of Day.

Please check your shipment and contact details below. If you need to make a change or track your shipment, click

http://nolp.dhl.com/set_identcodes.do&email=[redacted] . (JS-Document)
SHIPMENT CONTENTS:DELIVERY INFORMATION


Shipment number: 9670515551
Scheduled Delivery Date: Tue Apr 11 2017
Delivery Time: before End of Day
Email Address: [redacted]

Thank you for using On Demand Delivery.

DHL Express - Excellence. Simply delivered. 


Malware spam: "Sprawdź stan przesylki DHL"

This spam targeting Polish victims seems quite widespread. It leads to malware. The email is personalised with the victim's real name which has been harvested from somewhere.

From: DHL Express (Poland) [mailto:biuro@nawigatorxxi.pl]
Sent: Monday, April 10, 2017 7:09 PM
To: [redacted]
Subject: Sprawdź stan przesylki DHL

Check the status of your DHL shipment
Dear Customer, [redacted]

We wish to inform you that a shipment order of which you are the recipient has been registered in the DHL24 service.

Order details:
- order number:
9653788657

- order date:
Monday, 10 April

Information on the current status of the shipment can be found at http://dhl24.com.pl/report.html&report=JavaScript&email=[redacted]. (JavaScript Report)

This message was generated automatically.

Thank you for using our services and the DHL24 application.

DHL Parcel (Poland)

NOTE: This message was generated automatically. Please do not reply using the Reply function.

The link goes to a malicious JavaScript [example here] [Malwr report] which downloads a binary from:

freight.eu.com/download3696 (159.100.181.107 - World Wide Web Hosting LLC, Netherlands)

..this has a detection rate of 10/60. This Malwr report plus observed activity show traffic to the following IPs and ports:

5.196.73.150:443 (OVH, France)
31.220.44.11:8080 (HostHatch, Netherlands)
46.165.212.76:8080 (Leaseweb, Germany)
109.228.13.169:443 (Fasthosts, UK)
119.82.27.246:8080 (Tsukaeru.net, Japan)
173.230.137.155:8080 (Linode, US)
173.255.229.121:443 (Linode, US)
203.121.145.40:8080 (Pacific Internet, Thailand)
206.214.220.79:8080 (ServInt, US)


There may be other phone home locations not observed.

Recommended blocklist:





Monday, 3 April 2017

borezo.info - spam selling anti-spam services

If you are in the business of selling spam filtering.. it is probably not a good idea to do it by sending out spam..

From:    Camille Arpaillange [contact@borezo.info]
To:    contact@[redacted]
Date:    3 April 2017 at 15:55
Subject:    [redacted] - Protect emails received on your domain name
Signed by:    sg.borezo.info

Discover our SaaS solution

Anti-Virus, Anti-Spam and Anti-Phishing SMTP Gateway
Try for free

Bonjour,

This email is intended for your IT service, if any. If you are working with an external partner, feel free to forward this message to him.

Your current situation

Today, you are using your provider to handle incoming emails on [redacted].

Often, protection against viruses, spam, phishing and all other threats is not the strong point of this kind of solution.

Our proposal:

free trial without obligation

We offer you to try for free and without obligation our email filtering solution, compatible with your provider.

Easy setup

To filter your emails, you only have to update the MX entry in your DNS records, replacing your provider's entry with the one we will provide you after your subscription. Emails will then be filtered by our infrastructure, and then redistributed to your provider, so you can consult them like before.

Functions

Anti-Virus

You won't have to be afraid of ransomware anymore

Anti-Spam

No more spam, and you stay in control of settings

Anti-Phishing

Your users will not be exposed to credentials theft

Services

Backup

Each user can access his own personal backup

Statistics

You can have an overview of incoming email traffic

Settings

Anytime, you can change your filtering settings

Advantages

Simplicity

    No configuration change on your SMTP server or that of your provider.
    No configuration change on the users' side.
    No maintenance on your side, we take care of everything (hosting, high availability, upgrades, etc.).

Protection

    Anti-Virus, Anti-Spam and Anti-Phishing protection, without raising the load of your infrastructure or that of your provider.
    Content-Filtering feature, to filter attachments based on their type and/or extension.

Personalized

    For each domain, you can define options for each module (Anti-Virus, Anti-Spam, etc.).

Security

    In case of unavailability of your SMTP server or that of your provider, your emails are stored securely on our infrastructure, and delivered as soon as SMTP is back online.

Try for free

This email has been sent to contact@[redacted], click here to unsubscribe.

https://borezo.info/in-k/ - SIRET 53021905400026

Clicking on the link does appear to take you to some sort of business site at https://borezo.info/in-k/

Mail headers match the domain, borezo.info does seem to be the culprit..

Received: from dc3-1.borezo.info (dc3-1.borezo.info [212.83.146.78]) by [redacted] (Postfix) with ESMTP id 191E44A38D for <contact@[redacted]>; Mon,
  3 Apr 2017 15:55:08 +0100 (BST)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=simple/simple; s=dkim; d=sg.borezo.info; t=1491231308; h=from:subject:date: message-id; bh=IfD7xgIgVLQy8yLzdCSO+L7mXRn/PImws7LTh1D1pws=; b=j9sTfOH7r3XUTaSD5urHMd1b5EUDq1P9chByrurkie+ckpZjyHojSRUJKSF0lj7OvZ1ze2 Yjlsfl7Q/UQ+U+F2IlFrcMseqXbPLB8xhOVPPh3Ei39qNIgyO+MVApaxDt1WhXcf/npcle 6GjoCgCAGPXFLoTogZGqI3RBB5JBbdE=
Received: tmail deliverd remote 302c5d48ea2a327a67769562d3ece1ce930df6bd; 03 Apr 2017 16:55:08 +0200
X-Env-From: Ym91bmNlLTEtY29udGFjdEBkeW5hbW9vLmNvLnVr@sg.borezo.info
Received: from 212.83.146.78 (dc3-1.borezo.info.) (localhost) (authenticated
   as noreply@borezo.info) by 212.83.146.78 (dc3-1.borezo.info.) with ESMTPS TLS
   1.2 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256; tmail 0.1.7;
   4a5b9f00fa05b580ff586bd74659fbea91085dce; 03 Apr 2017 16:55:02 +0200
WHOIS details seem valid.

Registry Registrant ID: C199006566-LRMS
Registrant Name: Romain Lauret
Registrant Organization:
Registrant Street: office #855805
Registrant Street: c/o OwO, BP80157
Registrant City: Roubaix Cedex 1
Registrant State/Province:
Registrant Postal Code: 59053
Registrant Country: FR
Registrant Phone: +33.972101007
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: pwa3o3znv0b53h47bo8c@v.o-w-o.info


The "Camille Arpaillange" name in the email matches the imprint on the website..


Company registration data is here. I think I will pass on this particular offer..



Thursday, 30 March 2017

Malware spam: "Re:Payment Remittance Copy"

This fake financial spam leads to malware.


From:    AL HUDA LTD [ap.office@triumftools.sk]
Date:    30 March 2017 at 09:05
Subject:    Re:Payment Remittance Copy
Signed by:    triumftools.sk

Dear Sir,

As instructed by your customer for your payment,

Find attached formal remittance copy received from our bank and contact your client for payment confirmation. All payment details are in the attached HSBC TT-Copy.

Please Confirm
Best regards,
================================
Alan Bostock
Manager - Finance and Administration
HSBC Exchanger
TEL: (965) 24338094 -620
FAX: (965) 24332815 Mobile: (965) 600-11-868
==================================


Attached is a .GZ archive HSBC TT-Copy.pdf.gz (this assumes you have a program on your Windows PC that can handle .gz files). This contains a malicious executable doc9876543234500001.exe which currently has a VirusTotal detection rate of 32/60.

Analysis of the binary is pending. You can be certain that it is nothing good.

Monday, 20 March 2017

More highly personalised malspam using hijacked domains

Following on from this spam some weeks ago, another one comes in using a broadly similar technique of including the potential victim's real home address while using apparently hijacked infrastructure (although in this case the hijacking isn't so elaborate).

From: customerservice@newshocks.com [mailto:customerservice@newshocks.com]
Sent: 15 March 2017 18:23
Subject: [Redacted] Your order 003009 details




Hello [redacted],
We are delighted to confirm details of your recent order 003009. We will email you again as soon as the items you have chosen are on their way to you.
If you have an online account with us, you can log in here to see the current status of your order.
You will receive another e-mail from us when we have despatched your order.
Information on order 003009 status here
All prices include VAT at the current rate. A full VAT receipt will be included with your order.
Delivery Address:

[Name and address redacted]

If you have any questions, or something about your order isn't right, please contact us. Or you can simply reply to this e-mail.
Best regards and many thanks,

Contact Us | Opening Times | Delivery Options | Returns Policy | Privacy Policy | Terms & Conditions


The newshocks.com domain used in the "From" field matches the sending server of rel209.newshocks.com (also mail.newshocks.com) on 185.141.164.209. This appears to be a legitimate but unused domain belonging to a distributor of car parts.
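Checking that the delivering hop, the DKIM signing domain and the From: address all belong to one organisation is the header comparison done by eye in the borezo.info post above and in the paragraph just above; this Python example is added here and is not code from the blog. The sample headers are constructed from values quoted on the page; the recipient, the receiving server (mx.example.org), the base64 local part and the newshocks.com Received line are assumptions.

```python
import base64
import re
from email import message_from_string

# Constructed samples, not copied from the posts: the borezo.info headers quoted
# above (DKIM b= truncated, recipient details replaced by example.org placeholders)
# and a newshocks.com Received line built from the hostname and IP reported above.
BOREZO_HEADERS = """\
From: Camille Arpaillange <contact@borezo.info>
Received: from dc3-1.borezo.info (dc3-1.borezo.info [212.83.146.78]) by mx.example.org (Postfix) with ESMTP id 191E44A38D for <contact@example.org>; Mon, 3 Apr 2017 15:55:08 +0100 (BST)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=simple/simple; s=dkim; d=sg.borezo.info; t=1491231308; h=from:subject:date:message-id; b=[truncated]
X-Env-From: Ym91bmNlLTEtY29udGFjdEBleGFtcGxlLm9yZw@sg.borezo.info
"""
NEWSHOCKS_HEADERS = """\
From: customerservice@newshocks.com
Received: from rel209.newshocks.com (rel209.newshocks.com [185.141.164.209]) by mx.example.org (Postfix) with ESMTP id 0000000000 for <victim@example.org>; Wed, 15 Mar 2017 18:23:00 +0000 (GMT)
"""

RECEIVED_RE = re.compile(r"from\s+(?P<helo>\S+)\s+\((?P<rdns>[^\s\[\]]+)?\s*\[(?P<ip>[\d.]+)\]\)")

def org_domain(host):
    """Crude registrable domain: the last two labels (enough for .info/.com)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def decode_env_from(value):
    """VERP-style bounce address: base64 of the recipient address, then @domain."""
    local, _, domain = value.partition("@")
    padded = local + "=" * (-len(local) % 4)  # the header omits base64 padding
    return base64.b64decode(padded).decode(), domain

def header_consistency(raw):
    """Do the delivering hop, the DKIM d= domain and From: all belong to one organisation?"""
    msg = message_from_string(raw)
    from_domain = re.search(r"[\w.+-]+@([\w.-]+)", msg["From"]).group(1)
    hop = RECEIVED_RE.search(msg.get_all("Received")[0])  # topmost = final hop
    dkim = msg.get("DKIM-Signature")
    dkim_domain = re.search(r"\bd=([^;\s]+)", dkim).group(1) if dkim else None
    env = msg.get("X-Env-From")
    domains = {org_domain(from_domain), org_domain(hop["helo"])}
    if dkim_domain:
        domains.add(org_domain(dkim_domain))
    return {
        "from_domain": from_domain, "helo_host": hop["helo"], "ip": hop["ip"],
        "dkim_domain": dkim_domain,
        "envelope_sender": decode_env_from(env)[0] if env else None,
        # One organisation throughout says who sent it, not that it is benign:
        # the hijacked but legitimate newshocks.com passes this check too.
        "consistent": len(domains) == 1,
    }
```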

The link in the email goes to clipartwin.com/customers/customer-status-003009-verified which is currently 404ing so I can't tell what the payload is, although the previous payload appears to be Ramnit or similar. This is using another hijacked but apparently legitimate web server.

I don't know where the data has leaked from, but in this case the victim had lived at the address for the past four years.. so the leak cannot be ancient. If you have seen something similar or have an idea of where the data came from, please leave a comment below.