Sponsored by..

Wednesday 12 February 2014

"Track shipments/FedEx" spam

This fake FedEx spam leads to malware:

Date:      Wed, 12 Feb 2014 07:53:36 -0700 [09:53:36 EST]
From:      FedEx [yama@rickyz.jp]
Subject:      Track shipments/FedEx 7487214609167750150131 results: Delivered

Track shipments/FedEx Office orders summary results:
-----------------------------------------------------------------------
Tracking number        Status              Date/Time
7487214609167750150131  Delivered           Feb 11, 2014     
                                           11:20 AM     

Track shipments/FedEx Office orders detailed results:
-----------------------------------------------------------------------
Tracking number       7487214609167750150131

Reference             304562545939440100902500000000
Ship date             Feb 03, 2014
Ship From           NEW YORK, NY
Delivery date         Feb 11, 2014 11:20 AM
Service type          FedEx SmartPost

Tracking results as of Feb 11, 2014 3:37 PM CST


Click Here and get Travel History
-----------------------------------------------------------------------


Disclaimer
-----------------------------------------------------------------------

FedEx has not validated the authenticity of any email address.

In this case, the link in the email goes to [donotclick]pceninternet.net/tracking.php?id_7487214609167750150131 which downloads an archive file track_shipments_FedEx.zip.


In turn, this ZIP file contains the malicious executable with the lovely name of Track_shipments_FedEx_Office_orders_summary_results_Delivered_tracking_number_9384758293431234834312_idju2f83f9hjv78fh7899382r7f9sdh8wf.doc.exe
which has an icon that makes it look like a Word document. This has a VirusTotal detection rate of 15/49, but automated analysis tools are inconclusive as to its payload [1] [2] [3].




Malware (Neutrino EK?) sites to block 12/2/14

The following IPs and domains appear to be in use for spreading exploit kits via injection attacks - 108.178.7.118 (Singlehop, US) [1] [2] and 212.83.164.87 (Online SAS, France) [3] [4]. The payload isn't clear, but some of the URLquery reports indicate Neutrino.

In the case I saw, the victim was directed to the EK from a compromised site at greetingstext.com. I cannot reproduce the problem with URLquery or any other tool, but log files do not lie.

I would recommend that you block these following IPs and domains as a precaution:

108.178.7.118
212.83.164.87
jakiewebs.com
sheethoo.com
chaefooh.com
goldnclouds.com
nofledno.com
zeuriele.com
wqywdo.xip.io
glindeb.com

Video: Somnath Bharti's links to TopSites LLC

Articles on Somnath Bharti and TopSites LLC

You can find some of the history about TopSites LLC and Mr Bharti's involvement in my old "diary" articles written between 2003 and 2007.
Later articles can be found by looking for the Somnath Bharti tag on this blog.

Monday 10 February 2014

81.4.106.132 / oochooch.com / 10qnbkh.xip.io

I don't like the look of this [urlquery], seems to be the payload site for some sort of injection attack. Might be worth blocklisting 81.4.106.132.




Evil .pw domains on 31.41.221.131 to 31.41.221.135

Thanks to Malekal for the heads up, the current batch of evil .pw domains that have been distributing malware appear to have shifted to the following IP addresses:

31.41.221.131
31.41.221.132
31.41.221.133
31.41.221.134
31.41.221.135

These IP addresses belong to Besthosting in Ukraine. A typical payload of one of these malicious sites looks like this URLquery report.

The evil .pw domains in use all use a subdomain of one of the following:
arrowjogger.pw
athleticsarchery.pw
athleticsjudo.pw
ballkayaker.pw
baseballcompetition.pw
basketballplaying.pw
batongoal.pw
battingfield.pw
battinggymnast.pw
boulesplaying.pw
boxerfielder.pw
boxerplay.pw
canoeingbaton.pw
canoekarate.pw
competearena.pw
competitiongolfer.pw
crewjumping.pw
dartgym.pw
defensebicycle.pw
diamondracer.pw
discushurdle.pw
divemedal.pw
diverbiking.pw
diverracket.pw
dodgeballkayaker.pw
fielddefense.pw
gearcompetitor.pw
golfbow.pw
golfercyclist.pw
golfingchampionship.pw
golfingorienteering.pw
halftimedecathlon.pw
handballdart.pw
huddledart.pw
huddledartboard.pw
javelinbaton.pw
leaguedart.pw
medaljogger.pw
medaljogger.pw
movementarchery.pw
pitchbiathlon.pw
pitchexercise.pw
playbunt.pw
playmove.pw
playoffschampion.pw
polediver.pw
polofencing.pw
pooljump.pw
racketrunning.pw
relaycompete.pw
rungymnastics.pw

 I would recommend blocking those domains and the above-listed IPs (or alternatively 31.41.221.128/29 or 31.41.221.128/25). A full list of all the subdomains I can find is here [pastebin]

Saturday 8 February 2014

Somnath Bharti's allwebhunt.com linked to pro-pedophilia sites

Delhi minister Somnath Bharti's allwebhunt.com site was linking to pro-pedophilia sites as late as 31st December 2013, according to Google [warning: I do not advise that you click on the links in that page]. Here is a screenshot (some descriptions may offend) (if you have difficulty with seeing the text, try this version). The ownership link between allwebhunt.com and Mr Bharti is described here.

That content was most likely taken from a controversial category at The Open Directory Project which no longer exists.

The Open Directory Project does try to be all-inclusive in what it catalogues, but I suspect that pro-paedophile sites were something that it felt it could not condone.

Friday 7 February 2014

Headlines Today (India): Somnath Bharti's spammer connection

I'm not sure what all this fascination is with Mr Bharti's alleged connections to porn.. I've never found any evidence that he has hosted or owned sites with pornographic content. But there's certainly a great deal of evidence linking him with spam outfit TopSites LLC.

Somnath Bharti denies link to TopSites LLC in 2004

This is Somnath Bharti's denial of any involvement in TopSites LLC (explored here and in other posts). I believe that the evidence of Mr Bharti's involvement is overwhelming. However, here is a copy of the original email he sent me complete with mail headers so that independent individuals can look into its authenticity.

Return-Path: <somnath.bharti@gmail.com>
Received: from unknown (HELO blade5.cesmail.net) (192.168.1.215)
  by c60.cesmail.net with SMTP; 14 Nov 2004 13:43:23 -0500
Received: (qmail 5069 invoked by uid 1010); 14 Nov 2004 18:43:22 -0000
Delivered-To: spamcop-net-dynamoo@spamcop.net
Received: (qmail 5045 invoked from network); 14 Nov 2004 18:43:21 -0000
Received: from unknown (192.168.1.101)
  by blade5.cesmail.net with QMQP; 14 Nov 2004 18:43:21 -0000
Received: from rproxy.gmail.com (64.233.170.197)
  by mailgate.cesmail.net with SMTP; 14 Nov 2004 18:43:21 -0000
Received: by rproxy.gmail.com with SMTP id r35so540853rna
        for <dynamoo@spamcop.net>; Sun, 14 Nov 2004 10:43:20 -0800 (PST)
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws;
        s=beta; d=gmail.com;
        h=received:message-id:date:from:reply-to:to:subject:mime-version:content-type:content-transfer-encoding;
        b=AItQWQnfUOPREzb2USZ1AAdfuMy54ME4VonsHz7VdB93Wd8apOkFSOrdqjkbLLFqI6nUaFy2cKrbLXTrFSLC0p5Kj2ZdwK0Qb6CFZjbS24HecjymNLUahhMUBp3AbEb0M/t/EXhC4N0HZeCD06YP/TK7XF0dZaqNweevm4cXL4E=
Received: by 10.38.102.45 with SMTP id z45mr1019046rnb;
        Sun, 14 Nov 2004 10:43:20 -0800 (PST)
Received: by 10.38.151.16 with HTTP; Sun, 14 Nov 2004 10:43:20 -0800 (PST)
Message-ID: <4e0e2d5304111410431d08a7bb@mail.gmail.com>
Date: Sun, 14 Nov 2004 10:43:20 -0800
From: Somnath <somnath.bharti@gmail.com>
Reply-To: Somnath <somnath.bharti@gmail.com>
To: dynamoo@spamcop.net
Subject: surprising and serious
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
X-Spam-Checker-Version: SpamAssassin 3.0.0 (2004-09-13) on blade5
X-Spam-Level:
X-Spam-Status: hits=0.0 tests=RCVD_BY_IP version=3.0.0
X-SpamCop-Checked: 192.168.1.101 64.233.170.197 10.38.102.45 10.38.151.16

Hi Conrad,

I was taken by surprise to find you listing my name, one of my
properties address and my picture in an article on a company named
"TopSites LLC" on your site. I don't know on what basis you have been
talking so emphatic without cross verifying with the person you are
talking about. To my utter surprise, you have been having this article
on your site accusing me of being related to a company I have heard
only through your article. Please have the same removed ASAP and
explain to me what made you write all this about a person, not even
remotely attached to any such company.
Please acknowledge of this email and have any and everything related
my name, my pic and c-28 address removed. I am available at
+91-9891819893, if you have anything to talk about. Also, post on the
same page an apology for this grievous mistake on your part.


--
Regards,
Somnath Bharti

Something evil on 69.64.39.166

69.64.39.166 (Hosting Solutions International, US) appears to be hosting an exploit kit (possibly Fiesta) according to URLquery reports such as this one.

The code is being injected into target websites, possibly through a malvertising campaign. I would recommend blocking the IP address as the simplest option, although I can identify the following domains on that same IP, all of which are likely to be malicious.


advrzc.myftp.org
amyoau.myftp.biz
aokljwwsap.serveftp.com
bgocodwsiu.myftp.org
bpknbvmc.serveftp.com
cjhkxfpdw.serveftp.com
cvxeitw.serveftp.com
cxrhtcau.myftp.biz
czwaiys.myftp.org
dhdwjwve.myftp.org
djqlcce.myftp.org
drituglgjh.serveftp.com
drpmsmt.serveftp.com
ehetlmna.myftp.biz
euimho.serveftp.com
fvyzhy.serveftp.com
hljozqutc.myftp.org
hlwswbaap.serveftp.com
hwtlzdxic.serveftp.com
idoplhj.serveftp.com
iyrseedlt.myftp.biz
lkuvivr.myftp.biz
lxeoic.myftp.org
orrlnypdvz.myftp.biz
osuqlc.myftp.org
plwxycxij.myftp.org
pmkawqgvob.myftp.org
puifnjav.myftp.biz
sbrckuod.serveftp.com
thtnuj.myftp.biz
ucuqgd.myftp.org
uqqyscgq.myftp.org
uuzkpb.myftp.biz
welfcsuybw.serveftp.com
ykypxoub.myftp.org
yrziqui.serveftp.com
yxoiyjbjt.myftp.biz

"Authorization to Use Privately Owned Vehicle on State Business" spam

We've seen this particular type of malware-laden spam before..

Date:      Fri, 7 Feb 2014 17:08:16 +0700 [05:08:16 EST]
From:      Callie Figueroa [Callie@victimdomain]
Subject:      Annual Form - Authorization to Use Privately Owned Vehicle on State Business

All employees need to have on file this form STD 261 (attached).  The original is
retained by supervisor and copy goes to Accounting. Accounting need this form to approve
mileage reimbursement.

The form can be used for multiple years, however it needs to re-signed annually by
employee and supervisor.

Please confirm all employees that may travel using their private car on state business
(including training) has a current STD 261 on file.  Not having a current copy of this
form on file in Accounting may delay a travel reimbursement claim. 
The email appears to originate from within the victim's own domain but doesn't. Attached is an archive file Form_STD261.zip which in turn contains a malicious executable Form_STD261.scr which has a VirusTotal detection rate of just 3/51.

Anubis reports an attempted connection to faneema.com on 198.38.82.223 (Mochahost, US). I recommend blocking both the domain and IP address in this case.

rbs.co.uk "Important Docs" spam

This fake spam claiming to be from the Royal Bank of Scotland has a malicious attachment:

Date:      Fri, 7 Feb 2014 15:44:19 +0530 [05:14:19 EST]
From:      Doris Clay [Doris@rbs.co.uk]
Subject:      Important Docs

Account report.

Tel:  01322 589422
Fax: 01322 296116
email: Doris@rbs.co.uk

This information is classified as Confidential unless otherwise stated.

CONFIDENTIAL NOTICE: The contents of this message, including any attachments, are
confidential and are intended solely for the use of the person or entity to whom the
message was addressed. If you are not the intended recipient of this message, please be
advised that any dissemination, distribution, or use of the contents of this message is
strictly prohibited. If you received this message in error, please notify the sender.
Please also permanently delete all copies of the original message and any attached
documentation. Thank you.
Attached is a file AccountReport.zip which in turn contains a malicious executable AccountReport.scr which has a VirusTotal detection rate of 4/50.

Automated analysis tools [1] [2] show a downlad of en encrypted file from the following locations:
[donotclick]professionalonlineediting.com/theme/cc/images/07UKex.enc
[donotclick]mararu.ro/Media/07UKex.enc

Both those sites are hosted by Mochanin Corp in the US, indicating perhaps a wider problem with that host.

Recommended blocklist:
204.93.165.33
50.31.147.54
professionalonlineediting.com
mararu.ro

I love Google's home page..

I love Google's home page today..


Thursday 6 February 2014

Trouble at CtrlS?

CtrlS is a large Indian hosting provider who seldom feature in this blog which is always a positive sign. However, the last two Zeus spam smail runs exclusively use CtrlS servers to host encrypted malware.

Three of the four domains are easy to spot:
wahidexpress.com is on 182.18.188.191
bsitacademy.com is on 103.8.127.189
oilwellme.com is on 182.18.151.160

The last one of the four domains is hosted on a Cloudflare IP.. but Cloudflare is only a reverse proxy and a bit of digging at IP records show that newz24x.com appears to be hosted on another CtrlS IP of 182.18.189.71.

So, four out of four IPs belong to CtrlS. It could be a coincidence, but I wonder if anybody else is seeing traffic (especially for downloads of .enc files) in CtrlS IP ranges?

Fake HMRC "VAT Return" spam

This fake HMRC spam comes with a malicious attachment:

Date:      Thu, 6 Feb 2014 20:32:34 +0100 [14:32:34 EST]
From:      "noreply@hmrc.gov.uk" [noreply@hmrc.gov.uk]
Subject:      Successful Receipt of Online Submission for Reference 3608005

Thank you for sending your VAT Return online. The submission for reference 3608005 was
successfully received on Thu, 6 Feb 2014 20:32:34 +0100  and is being processed. Make VAT
Returns is just one of the many online services we offer that can save you time and
paperwork.

For the latest information on your VAT Return please open attached report.

The original of this email was scanned for viruses by the Government Secure Intranet
virus scanning service supplied by Cable&Wireless Worldwide in partnership with
MessageLabs. (CCTM Certificate Number 2009/09/0052.) On leaving the GSi this email was
certified virus free.

Communications via the GSi may be automatically logged, monitored and/or recorded for
legal purposes.
I love the "certified virus-free" bit, because of course this thing comes with a malicious payload. Attached to the message is an archive Reference.zip which in turn contains a malicious executable Reference.scr (a plain old executable, not a screensaver). This has a VirusTotal detection rate of 2/50.

Automated analysis tools [1] [2] [3] [4] show an encrypted file being downloaded from:
[donotclick]wahidexpress.com/scripts/ie.enc[donotclick]bsitacademy.com/img/events/ie.enc

Recommended blocklist:
182.18.188.191
wahidexpress.com
bsitacademy.com

Update:
second version of the email is circulating with the following body text:

The submission for reference 485/GB1392709 was successfully received and was not
processed.

Check attached copy for more information.

This is an automatically generated email. Please do not reply as the email address is not
monitored for received mail.

Fake "TNT UK Limited " spam with zero detections


This fake TNT spam comes with a malicious attachment that is currently not detected by any AV vendors.

Date:      Thu, 6 Feb 2014 11:48:18 +0100 [05:48:18 EST]
From:      TNT COURIER SERVICE [tracking@tnt.co.uk]
Subject:      TNT UK Limited - Package tracking 798950432737

Your package have been picked up and is ready for dispatch.

Connote #    :    798950432737
Service Type    :    Export Non Documents - Intl
Shipped on    :    05 Feb 14 00:00
Order No            :    2819122
Status            :       Driver's Return Description      :       Wrong Address
Service Options: You are required to select a service option below.

TNT COURIER SERVICE (TCS)
Customer/Delivery Services Department
Central Pk Est/Mosley Rd, Trafford Park
Manchester, M17 1TT UK.

DETAILS OF PACKAGE
Reg order no: 798950432737

The options, together with their associated conditions
Attached is a file Label_798950432737.zip which contains a malicious executable Label02062014.scr (an executable despite the .scr extension) with a VirusTotal detection rate of 0/41.

Despite the zero detection rate, there is plenty of badness going on [1] [2] [3] [4] including downloads of an encrypted file from the following locations:

[donotclick]newz24x.com/wp-content/uploads/2014/02/pdf.enc
[donotclick]oilwellme.com/images/banners/pdf.enc

The Malwr report indicates lots of IPs being communicated with, some of these look like Cloudflare addresses where newz24x.com is hosted. Take care with these if you are thinking about blocking them.

Recommended blocklist:
182.18.151.160
newz24x.com
oilwellme.com

Wednesday 5 February 2014

"Payment Fund" spam with Wire.Transfer.rar attachment

It's rare to see malware with a .RAR attachment, but this is one of those unusual beasts..

From:     Alison George allison.george@transferduc.nl
Date:     5 February 2014 22:41
Subject:     Payment Fund

ALERT! A bank Wire transaction, Has just been rejected from checking 656778*** account.
to your bank confirmed by the FedWire.
Transaction ID: 99076900
Date: 2/3/2014
Transfer Origination: Fedline

Please review the attached copy of transaction report,
Federal Reserve Financial Services
Creating Nationwide Solutions for Your Payment Needs
20th Street and Constitution Avenue N.W.
Washington, D.C. 20551
Attached is a file Wire.Transfer.rar which you will need to unpack with a suitable application. In turn this creates a file Wire-Report which is actually an executable, but missing the .exe extension.. so you have to add that to get infected. Hmmm.. the phrase "some assembly required" springs to mind.

The VirusTotal detection rate is 7/50 but most automated analysis tools seem to be having problems with the executable, so perhaps it is hardened against analysis or is simply corrupt. The ThreatExpert report (for some reason not showing in their database right now) has the following details:


Submission Summary:

  • Submission details:
    • Submission received: 5 February 2014, 04:39:38 PM
    • Processing time: 6 min 0 sec
    • Submitted sample:
      • File MD5: 0x12F1265162AAD712C271DAC6A9B5E564
      • Filesize: 248,320 bytes
  • Summary of the findings:
What's been found Severity Level
Creates a startup registry entry.

Technical Details:


Memory Modifications
  • There was a new process created in the system:
Process Name Process Filename Main Module Size
server.exe %Temp%\server.exe 57,344 bytes

Registry Modifications
  • The newly created Registry Values are:
    • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
      • babe8364d0b44de2ea6e4bcccd70281e = ""%Temp%\server.exe" .."

      so that %Temp%\server.exe runs every time Windows starts
    • [HKEY_CURRENT_USER\Environment]
      • SEE_MASK_NOZONECHECKS = "1"
    • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
      • 5PmM1jWi05 = "%AppData%\y183imD2\java.exe.lnk"
      • babe8364d0b44de2ea6e4bcccd70281e = ""%Temp%\server.exe" .."

      so that %Temp%\server.exe runs every time Windows starts

Other details
  • To mark the presence in the system, the following Mutex object was created:
    • babe8364d0b44de2ea6e4bcccd70281e



"LloydsLink reference" spam comes with a malicious attachment

This fake Lloyds TSB spam comes with a malicous payload:

Date:      Wed, 5 Feb 2014 20:38:29 +0100 [14:38:29 EST]
From:      GRP Lloydslink Tech [GRPLloydslinkTech@LLOYDSBANKING.COM]
Subject:      LloydsLink reference: 8255820 follow up email and actions to be taken


Lloyds TSB    
    Help

(New users may need to verify their email address)

If you do not see or cannot click / tap the Download attachment button:
Desktop Users:
   

You will be prompted to open (view) the file or save (download) it to your computer. For best results, save the file first, then open it.
Mobile Users:
   

Install the mobile application.

Protected by the Voltage SecureMail Cloud

SecureMail has a NEW LOOK to better support mobile devices!

Disclaimer: This email and any attachments are confidential and for the sole use of the recipients. If you have received this email in error please notify the sender.

Email Security Powered by Voltage IBE™

Copyright 2002-2014 Voltage Security, Inc. All rights reserved.

Lloyds Bank plc. Registered Office: 25 Gresham Street, London EC2V 7HN. Registered in England and Wales no. 2065. Telephone 0207626 1500

Bank of Scotland plc. Registered Office: The Mound, Edinburgh EH1 1YZ. Registered in Scotland no. SC327000.  Telephone: 08457 21 31 41

Cheltenham & Gloucester plc. Registered Office: Barnett Way, Gloucester GL4 3RL. Registered in England and Wales  2299428. Telephone: 0845 603 1637

Lloyds Bank plc, Bank of Scotland plc are authorised by the Prudential Regulation Authority and regulated by the Financial Conduct Authority and Prudential Regulation Authority.

Cheltenham & Gloucester plc is authorised and regulated by the Financial Conduct Authority.

Halifax is a division of Bank of Scotland plc. Cheltenham & Gloucester Savings is a division of Lloyds Bank plc.

HBOS plc. Registered Office: The Mound, Edinburgh EH1 1YZ. Registered in Scotland no. SC218813.

Lloyds Banking Group plc. Registered Office: The Mound, Edinburgh EH1 1YZ. Registered in Scotland no. SC95000. Telephone: 0131 225 4555

This e-mail (including any attachments) is private and confidential and may contain privileged material. If you have received this e-mail in error, please notify the sender and delete it  (including any attachments) immediately. You must not copy, distribute, disclose or use any of the information in it or any attachments.

Telephone calls may be monitored or recorded.

The attachment is SecureMessage.zip which in turn contains a malicious executable SecureMessage.scr which has an icon that looks like Internet Explorer. Despire the .scr suffix, this file is a plain old .exe file and will execute if you double-click it (don't!).

VirusTotal detections are 11/51, and automated analysis between ThreatExpert, Malwr and Anubis show an attempted download from [donotclick]asianfarm.org/images/pdf.enc and [donotclick]ideasempurna.com.my/wp-content/uploads/2014/02/pdf.enc with the following IPs being involved:

108.90.186.161 (AT&T, US)
111.90.133.246 (Piradius Net, Malaysia)
121.117.209.51 (NTT, Japan)
124.217.241.34 (Piradius Net, Malaysia)
174.103.25.199 (Time Warner Cable, US)

The .enc file is an encoded executable, explained in detail here. I haven't tried to decode it but obviously that too will be malicious.

Recommended blocklist:
asianfarm.org
ideasempurna.com.my
108.90.186.161
111.90.133.246
121.117.209.51
124.217.241.34
174.103.25.199

"Barclays transaction notification" spam

This fake Barclays spam comes with a malicious payload:

Date:      Wed, 5 Feb 2014 03:02:52 -0500 [03:02:52 EST]
From:      Barclays Bank [support@barclays.net]
Subject:      Barclays transaction notification #002601

Transaction is completed. £9685 has been successfully transfered.
If the transaction was made by mistake please contact our customer service.
Receipt of payment is attached.

Barclays is a trading name of Barclays Bank PLC and its subsidiaries. Barclays Bank PLC is authorised by the Prudential Regulation Authority and regulated by the Financial Conduct Authority and the Prudential Regulation Authority (Financial Services Register No. 122702). Registered in England. Registered Number is 1026167 with registered office at 1 Churchill Place, London E14 5HP.
Attached is a file Payment receipt Barclays PA77392733.zip which is turn contains a malicious executable Payment receipt Barclays PA77392733.exe with a surprisingly poor VirusTotal detection rate of just 1/51 (only Sophos detects it). Automated analysis tools are pretty inconclusive about the payload [1] [2] [3] with only the Malwr report having any real detail.

Tuesday 4 February 2014

WTF? WFP.org spam? Or is it emailciti.com?

This spam is promoting the UN's World Food Programme. I'm surprised the the WFP should sink so low, but perhaps they engaged the services of spammers without realising.

From:     World Food Programme newsletter@newsletter.loyaltyciti.com
Reply-To:     newsletter@newsletter.loyaltyciti.com
Date:     4 February 2014 09:58
Subject:     60% of people here don't have food
Signed by:     newsletter.loyaltyciti.com

If you are unable to see the message below, click here to view.

Share:     Delicious    Digg    Facebook    LinkedIn    Twitter   

world food programme
There’s a common link between a mother in Central African Republic, a father in South Sudan, and a child in Syria. Hunger. Fortunately, there’s also a common solution – The World Food Programme (WFP)..
WFP provides food assistance so families can break the cycle of poverty and hunger. Our goal? Zero hunger. We rely on the support of our online community to make this a reality.
Will you join us? Sign up at wfp.org/join to receive monthly updates and info about how you can help achieve a zero hunger world.
When conflict erupts, hunger soon follows. In CAR, South Sudan, and Syria, WFP is fighting for families who are being pushed to the brink. Find out how we’re responding to ensure families have the security that comes with a daily meal.
central african republic
level 3 emergency
See where we’re sounding the alarm.
remembering what matters         delivering despite
WFP’s Rasmus Egendal reflects on what really matters in Syria: The People.         Thanks to our supporters like you, WFP has been able to deliver food in South Sudan rom the start.
starting stars from car         reporting from damascus
Get the facts & figures you should know: 60% of families in Central African Republic have no food.         Watch an update from WFP’s Executive Director who met Syrian families relying on WFP assistance.
follow wfp     facebook     twitter

You have received this email message from EmailCiti, the leading Email Behavior and Lead Generation Company in the GCC & Middle East. Your email address has been recorded because you have subscribed to one of our email &newsletters services or are registered with one of our Partner and affiliate sites. For more information, visit www.emailciti.com
If you don't wish to receive these emails anymore please click here.
The email originates from 208.95.135.84 [mail3345.emailciti.mkt3942.com] (Silverpop Systems, US) and spamvertises an intermediate site at links.emailciti.mkt3941.com on 74.112.69.20 (Silverpop again) and then forwards to www.wfp.org/hunger-hot-spots if you click through.

The email itself is digitally signed, so we can be reasonable assure that it originates from loyaltyciti.com who are in Dubai:

Registry Registrant ID:
Registrant Name: mohammad Lahlouh
Registrant Organization: Emailciti
Registrant Street: Dubai Media City, Building #8
Registrant City: Dubai
Registrant State/Province: Dubai
Registrant Postal Code: 502382
Registrant Country: United Arab Emirates
Registrant Phone: +971.507735717
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: mlahlouh@emailciti.com
Registry Admin ID: 


These people are persistent spammers who usually send through some unsolicited crap several times a week, using an email address that is effectively a spamtrap. What is really annoying is the the WFP is paying these spammers to run a campaign of dubious value when they could be helping to fee starving people.

Monday 3 February 2014

Something evil on 192.95.43.160/28

More badness hosted by OVH Canada, this time 192.95.43.160/28 which contains pretty much the same set of evil described here. Here is a typical IP flagged by VirusTotal and a failed resolution by URLquery which frankly gives enough information to make it suspicious.

However, the key thing is the registrant details which have been used in many malware attacks before.

CustName:       Private Customer
Address:        Private Residence
City:           Penziatki
StateProv:     
PostalCode:     30000
Country:        RU
RegDate:        2014-01-24
Updated:        2014-01-24
Ref:            http://whois.arin.net/rest/customer/C04859116


I can see the following .pw domains active in this range:
basecoach.pw
crewcloud.pw
boomerangfair.pw
kickballmonsoon.pw
martialartsclub.pw
runningracer.pw


All those domains are flagged by Google as malicious and I recommend that you block them along with 192.95.43.160/28.

(Hat tip to my source, you know who you are!)

Something evil on 64.120.137.32/27

64.120.137.32/27 is a range of IP addresses belonging to Network Operations Center Inc in the US and suballocated to a customer which is currently being used in malware attacks as an intermediate step in sending victims to this malicious OVH range.You can see an example of some of the badness in action here.

The range was formerly used by a company called TixDepot but may have been hijacked or reassigned. NOC report the following contact details for the block:

%rwhois V-1.5:003fff:00 rwhois.hostnoc.net (by Network Solutions, Inc. V-1.5.9.5)
network:Class-Name:network
network:ID:NET-64.120.137.32/27
network:Auth-Area:64.120.128.0/17
network:network:NET-64.120.137.32/27
network:block:64.120.137.32/27
network:organization;I:T0000027307
network:address:1205 Oneill Highway
network:city:Dunmore
network:state:PA
network:postalcode:18512
network:country:US
network:admin-c;I:A9000000001
network:tech-c;I:T0000027307
network:abuse-c;I:I9000000001
network:created:20120208221612
network:Updated:20140203010039


About half the domains in this /27 have been flagged as malicious by Google, concentrated on the three IP addresses:
64.120.137.53
64.120.137.55
64.120.137.56

I would recommend blocking the entire /27, but this is the breakdown by IP address with domains tagged by Google highlighted (there's a plain list here)

64.120.137.34
kasorla.biz
kolyamba.biz

64.120.137.35
verybery.biz
dristohren.biz
vedmedical.biz
teasertease.biz

64.120.137.38
koshak.biz

64.120.137.39
meef.biz
www.meef.biz
chubanak.biz

64.120.137.41
jinkee.biz
tongpo.biz
kunuki.biz
omlette.biz

64.120.137.42
war-fear.biz
sleeping-rough.biz
www.war-fear.biz

64.120.137.47
searchsecurely.biz
whitehestence.com

64.120.137.48
webconnection.biz
trafficstatsanalytics.com

64.120.137.51
lohotron.biz
domainishere.biz
happygreentree.biz
plomaternia.com
greendo.biz
continuedomain.biz
personaldomain.biz
trafficqualitycheck.biz

64.120.137.52
swint.biz
elhooase.biz
fazatron.biz
peperrony.biz
pistorios.biz
papabudet.biz
papazdesj.biz
paparjadom.biz
besthitbotfilter.biz

64.120.137.53
hairyegg.biz
eegogo.biz
ilanus.biz
baldball.biz
moisturre.biz
mongoloid.biz
barbarisus.biz
damoinster.biz
horseinwood.biz

64.120.137.54
swineherd.biz
traffzilla.biz
blackfatcat.biz
trafficstation.biz

64.120.137.55
smokeme.biz
domentus.biz
yyynetlop.biz
goodweather.biz
hellparadise.biz
blog.bitcareer.com
bitewixibib.com
cuqerexejef.com
xocysibekyn.com
25blv.xocysibekyn.com
buy.si8a.net
tejedinehyh.net
68qn.tejedinehyh.net
vynifyqicedy.net
7dww.vynifyqicedy.net
vyzogosukoqy.net
ekc63s.vyzogosukoqy.net
bitewixibib.org
qyzuliponag.org
4ah781.qyzuliponag.org
xinuvytevem.org
s6pnl.xinuvytevem.org
xocysibekyn.org
ee5.xocysibekyn.org
hcm.xocysibekyn.org
vynifyqicedy.org
tejedinehyh.info
w0r4n.tejedinehyh.info
vyzogosukoqy.info
n45p6.vyzogosukoqy.info

nolericutis.com
qyzuliponag.com
xinuvytevem.com
cuqerexejef.org
nolericutis.org
tejedinehyh.org
iu1wxx.tejedinehyh.org
nvlrlh.tejedinehyh.org
vyzogosukoqy.org
wotunelurex.info
vynifyqicedy.info

64.120.137.56
en.xzhao.cc
us.yongbao.cc
ca.zhengerle.cc
me.transportesmelladogutierrez.cl
br.youu-and.me
dns.v9v8.com
gr.wew444.com
ls.wew999.com
dns.thejpg1.com
dns.acidcrud.com
dns.agoteenak.com
qajadyhizuli.com
fr.whenisthenextnhllockout.com
dns.uhgy.net
banewyjubuk.net
1qcz.banewyjubuk.net
diwopiroseq.net
7zz.diwopiroseq.net
gulumegesus.net
daij.gulumegesus.net
jadivyludal.net
pnps.jadivyludal.net
kafitetysyr.net
71sdqa.kafitetysyr.net
bucupyfomome.net
8q7.bucupyfomome.net
byqyrabewuti.net
iv3oj.byqyrabewuti.net
qajadyhizuli.net
symirijibimu.net
tusudygonipo.net
qjcd.tusudygonipo.net
banewyjubuk.org
9s33.banewyjubuk.org
ycooet.banewyjubuk.org
gulumegesus.org
8jek7.gulumegesus.org
jadivyludal.org
k64yx9.jadivyludal.org
kafitetysyr.org
hida.kafitetysyr.org
jyc8i.kafitetysyr.org
bucupyfomome.org
rdjjnh.bucupyfomome.org
byqyrabewuti.org
3v7opv.byqyrabewuti.org
qajadyhizuli.org
k8gcj.qajadyhizuli.org
symirijibimu.org
jadivyludal.com
pumiqudiqer.com
vemusiwubixe.com
kecynikamoc.net
3srjc.kecynikamoc.net
komikuxoced.net
pumiqudiqer.net
lejyvicuvagi.net
vemusiwubixe.net
kecynikamoc.org
komikuxoced.org
pumiqudiqer.org
lejyvicuvagi.org
vemusiwubixe.org

Headlines Today (India) "Investigation report: Interesting history of Somnath aka Spamster Bharti"

Something evil on 192.95.7.224/28

Another OVH Canada range hosting criminal activity, 192.95.7.224/28 is being used for several malicious .pw domains being used to distribute malware (as used in this attack). The malware domains seem to rotate through subdomains very quickly, possibly in an attempt to block analysis of their payload.  This block is carrying out the same malicious activity that I wrote about a few days ago.

OVH have suballocated this IP block to an entity that I believe is connected with black hat host r5x.org.

CustName:       Private Customer
Address:        Private Residence
City:           Penziatki
StateProv:     
PostalCode:     30000
Country:        RU
RegDate:        2014-01-24
Updated:        2014-01-24
Ref:            http://whois.arin.net/rest/customer/C04859114


These IPs are particularly active:
192.95.7.232
192.95.7.233
192.95.7.234

There is nothing of value in this /28 block and I recommend that you block the entire IP range plus the following domains (which are all already flagged as being malicious by Google)

Recommended blocklist:
192.95.7.224/28
archerbocce.pw
athleticsmove.pw
battingrelay.pw
bicyclecompete.pw
bicyclingcrew.pw
billiardsdiver.pw
bronzecatcher.pw
competitionathletics.pw
competitionexercise.pw
dartboardolympics.pw
dartfield.pw
divebicycling.pw
divingrelay.pw
fieldergymnast.pw
golferboomerang.pw
hardballkayaker.pw
hockeyarchery.pw
hoopjudo.pw
javelinbowler.pw
leaguehockey.pw
netarcher.pw
playingriding.pw
racerathlete.pw
racerbronze.pw
runrafting.pw



Sunday 2 February 2014

Times Now covers the Somnath Bharti story


Somnath Bharti's allwebhunt.com site exposes inner working of spam outfit

Recently I covered the somewhat surprising news that a former top spammer Somnath Bharti is now a minister in the Delhi regional government in India. That story has now made it to the front page of the Times of India, deepening the controversy about Mr Bharti's ethical standards.

I was interested to see Mr Bharti's response to these accusations:

Denying involvement in spamming, Bharti emailed TOI saying: "Back in early 2000, server of Madgen Solutions Pvt Ltd was entrusted with an associate by me who misused it without my consent/knowledge. When the matter cropped up, I came to know that the said associate had generated mass emails soliciting business and had also impersonated me on multiple occasions. On exploring I found out that the emails generated were for a legitimate business, originating from a valid traceable IP address and in proper compliance with the laws applicable in the US, ie CANSPAM Act, then... hence this breach of trust between me and this associate of mine was not pursued in a court of law."
I have to rely on the accuracy of the Times of India with this quote, although the way the TOI has presented it this does like a direct quote from Mr Bharti himself.

Before I start picking apart what Somath Bharti said, it is worth pointing out that the only time I have ever heard anything from him was when he made a flat-out lie claiming that he had never ever heard of the company involved (TopSites LLC), despite having his name listed as CEO on the company business card.


Just for good luck, the person sending me that information also sent me a copy of a very young looking Mr Bharti to prove his identity.

He looks a bit different today (source)


The evidence linking Mr Bharti's Madgen solutions with spam is overwhelming and does not seem to have been denied in the TOI interview, although you can see the reports made at the time here.

But let's look at Mr Bharti's statement to the TOI more closely..
"Back in early 2000, server of Madgen Solutions Pvt Ltd was entrusted with an associate by me who misused it without my consent/knowledge."
Well, this is kind of odd because the TopSites LLC spam did not start until 2002 at the earliest, and and Bharti's outfit was only identified much later than that (see this example). So Mr Bharti's memory is either faulty, or this is just an poorly though-out excuse, or maybe he meant the "early 2000s"?

But Mr Bharti's fingers have always been all over the TopSites business, such as the WHOIS details for the original domain used in the spam, topsites.us:


However, that is just a name on the WHOIS records. We can also see his name on the internal databases of one of the many clone sites of TopSites that was set up:


That information comes from a poorly-secured TopSites clone called allwebhunt.com hosted on a server at 119.82.71.132 (Citycom Networks, India) along with Mr Bharti's own personal website of somnathbharti.com.


allwebhunt.com was rapidly taken down after it was exposed in the Times of India, but you can still see an archived copy here, indicating that the operation was running until at least 2011.


The website was exceptionally poorly coded and exposed all of its internal details to the internet. Here's a screenshot of some of the code listing internal users.


The names of Mr Bharti are all over this particular operation, so it is unlikely that he did not know exactly what was happening. He even went as far as to use a TopSites domain on his somnathbharti.com home page back in 2003.

My conclusion is that despite Mr Bharti's protests, I believe that he was intimately involved in the spamming operation that his company Madgen Solutions was performing on behalf of TopSites LLC.

But there remains one further unanswered question. Back in 2005 the TopSites business was put up for sale claiming an annual turnover of 1.8 million US dollars. And although Mr Bharti's business partners would probably have pocketed the majority of that money, it would seem highly unlikely that Mr Bharti himself did not share in some of those profits.


Exactly how much did Mr Bharti make from this spamming operation? Even the people who did payment processing got a 9% cut..

..I have no idea. But perhaps somebody might like to find out :)

Saturday 1 February 2014

"Unsure if you qualify for a refund of PPI paid on a loan or credit card?" SMS spam

This scumbag scammers are still at it, pumping away lead generation spam to persuade people to make PPI claims to which they are not entitled.
Unsure if you qualify for a refund of PPI paid on a loan or credit card? Reply PPI and we will run a no obligation check or reply STOP to opt out. TPPCO
In this case the scammers used the contact number +447743623103 but they burn through dozens of SIM cards every day with their illegal spamming operations.

If you get one of these, you should forward the spam and the sender's number to your carrier. In the came of T-Mobile, O2 and Orange the number to report to is 7726 ("SPAM"). Vodafone customers should use 87726 ("VSPAM") and Three customers should use 37726 ("3SPAM"). Hopefully the carriers will act if there are enough complaints.

You can also report persistent spam like this via the ICO's page on the subject.  With any luck these spammers will end up on the receiving end of a massive fine.

African Human Right and Refugees Protection Council (AHRRPC) scam

This spam email is actually part of an advanced fee fraud setup:

From:     fernando derossi fernandderossi59@gmail.com
To:     fernandderossi59@gmail.com
Date:     1 February 2014 13:22
Subject:     URGENT FOOD STUFF SUPPLY NEED FOR REFUGEES
Signed by:     gmail.com

Dear Sir:

My company has been mandated to look for a company capable of
supplying food stuffs product listed bellow by the  AFRICAN HUMAN
RIGHT AND REFUGEES PROTECTION COUNCIL (AHRRPC) for  assisting of the
refugee within the war affected countries IN middle east and Africa
like MALI,SYRIA, SOMALIA, CENTRAL AFRICA, and SOUTH SUDAN, which after
going through your company's profile, have decided to know if your
company is interested.

            Below are the list of food Stuffs and the targeted value
needed by (AHRRPC)

1.  Rice
2.  Beans
3.  Milk powder
4.  Sugar
5.  Vegetable Oil
6.  Used Cloths
7.  Wheat Flour
8.  White corn meal
9.  Corn Cooking oil
10. Cumin seed oil
11. Ground nut
12. Sage Oil
13. Soya bean oil
14. Palm oil
15.  Fresh Vegetables
16.  Fresh fruits
17.  Cocoa powder.

We will be happy to work with you company only as representing agent
to secure an allocation for your company while in return your company
will give us comission as soon as your receive your contract value. We
will give you more details about the contract when we recieve your
reply.

Regards,

Mr.Fernando Derossi
AHRRPC AGENT
Website:www.ahrrpc.8k.com
Bamako-Mali in West Africa.
The email links to a website at www.ahrrpc.8k.com which set off all sorts of alarms on my virus scanner, but I think it is just an ad-laden free web hosting site, and purports to be from the African Human Right and Refugees Protection Council (AHRRPC).


Of course, there is no such organisation as this and probably the main thrust of the scam is that there will be an "arrangement fee" payable in order to sell these goods.. and once the fee is paid the scammers will disappear.

One thing that I noticed is that "Mr Fenando Derossi" has a Google+ profile.. so is it a case the the Google account has been hijacked? Well, a simple way to find out is to take the image and upload it to Google Images (by clicking the little camera icon). That gives several positive matches for the photo which has been stolen from a French model and actor called Jean-Georges Brunet. In fact, poor Monsieur Brunet has had his picture stolen before for other types of scam.

Give any approaches from the so-called African Human Right and Refugees Protection Council (AHRRPC) a very wide berth. And remember, if you want to verify who a photo actually belongs to then Google Images is an excellent resource.

Friday 31 January 2014

Something evil on 192.95.10.208/28

192.95.10.208/28 (OVH, Canada) is being used to deliver exploit kits utlising .pw domains, for an example see this URLquery report.  The following domains are being used in these attack (although there may be more):

accountantillustrator.pw
actuarydancer.pw
ambassadoradvisor.pw
animatorcarpenter.pw
animatorgovernor.pw
archeractor.pw
archerclub.pw
archerlecturer.pw
archerycartoonist.pw
arenacycling.pw
arenalandlord.pw
arrowcompete.pw
arrowfitness.pw
artistgovernor.pw
athleteexplorer.pw
athleteexterminator.pw
athletehandyman.pw
athleticsbanker.pw
athleticsdrycleaner.pw
attorneygeologist.pw
ballballerina.pw
ballcoroner.pw
ballerinaconsul.pw
ballerinalaundress.pw
balllobbyist.pw
ballracer.pw
baseballdefense.pw
baseballhardball.pw
baseballmechanic.pw
basketballdj.pw
basketballillustrator.pw
batdart.pw
batdj.pw
batmonk.pw
batolympics.pw
batterpool.pw
battingconcierge.pw
battingrunning.pw
biathlonlandscaper.pw
bicyclebarber.pw
bicyclechaplain.pw
bicycleracket.pw
bikegeneral.pw
bikingoptician.pw
biologistcabdriver.pw
bobsleighcaterer.pw
bobsleighcop.pw
bobsleighfirefighter.pw
bobsleighjockey.pw
boccebowling.pw
boccepercussionist.pw
boomerangbobsleigh.pw
boomerangcompete.pw
bowcobbler.pw
bowlerkayaking.pw
boxercashier.pw
bronzehairdresser.pw
buntcop.pw
buntexporter.pw
buntgymnastics.pw
butchernegotiator.pw
canoegardener.pw
carpenterorderly.pw
cartographerlandscaper.pw
catchergeologist.pw
catchlandscaper.pw
championbatting.pw
championshipcobbler.pw
championshipdoorman.pw
championshipgear.pw
championshipjester.pw
championshipjockey.pw
championshipmarketer.pw
clubfarmer.pw
coachbarber.pw
coachgolfer.pw
competeexporter.pw
competepediatrician.pw
competingbowler.pw
competingcoach.pw
competitioncryptographer.pw
competitionexplorer.pw
competitorhairdresser.pw
competitornovelist.pw
conciergemanufacturer.pw
contractorexterminator.pw
crewastronaut.pw
crewmusician.pw
cricketgoalie.pw
cricketjailer.pw
custodiancobbler.pw
cyclebellhop.pw
cyclistcaptain.pw
dartboardequipment.pw
dartboardnavigator.pw
dartboardpathologist.pw
dartlifeguard.pw
decathlonbellhop.pw
decathlondriver.pw
defensenet.pw
defensepaleontologist.pw
dermatologistinstructor.pw
designerbabysitter.pw
designercoach.pw
diamondgolfer.pw
diamondlobbyist.pw
divecycle.pw
diveeconomist.pw
divepainter.pw
diverbabysitter.pw
diverbowler.pw
divingauthor.pw
djnegotiator.pw
dodgeballgolfer.pw
doormanparkranger.pw
driverpawnbroker.pw
editordictator.pw
electricianbaker.pw
engineerastronaut.pw
entomologistbowler.pw
entrepreneurpatrol.pw
epeebowler.pw
epeeintern.pw
epeelandlord.pw
epeelinguist.pw
epeerunning.pw
exercisebatter.pw
exportercatcher.pw
farmerlecturer.pw
fencinghandball.pw
fieldercartographer.pw
fielderpaleontologist.pw
fielderpercussionist.pw
fieldingauctioneer.pw
figureskatingbuilder.pw
figureskatingchemist.pw
footballbunt.pw
footballcustodian.pw
footballlyricist.pw
frisbeebike.pw
gamenurse.pw
gearathlete.pw
generalillustrator.pw
geneticisteconomist.pw
geneticistgolfer.pw
goalbicycling.pw
goalcatcher.pw
goaldj.pw
goalhardball.pw
goaliebilliards.pw
goalielocksmith.pw
goalmedal.pw
goalmedal.pw
goalpawnbroker.pw
goalpercussionist.pw
golferdoorman.pw
golferentomologist.pw
golfingfirefighter.pw
guardcryptographer.pw
guardextra.pw
guardhandyman.pw
gymeducator.pw
gymmarketer.pw
gymnastcardiologist.pw
gymnasticsarchery.pw
gymnasticscobbler.pw
gymnasticsdictator.pw
gymnastnun.pw
halftimeillustrator.pw
handballhome.pw
hardballactress.pw
hardballastronomer.pw
hardballjumper.pw
helmetgolfer.pw
helmetjailer.pw
highjumpbiologist.pw
highjumpcashier.pw
highjumpguide.pw
hoboexporter.pw
hoopbiking.pw
hoopgear.pw
huddlecompete.pw
huddleparalegal.pw
hurdlebutler.pw
hurdlecompetitor.pw
hurdleforeman.pw
hurdlemove.pw
jailercardiologist.pw
javelinskate.pw
joggerdirector.pw
journalisthairdresser.pw
judomayor.pw
jumperfisherman.pw
jumperlibrarian.pw
jumpingorderly.pw
jumpingreferee.pw
karatemanufacturer.pw
karateparalegal.pw
kayakathlete.pw
kayakballerina.pw
kayakerbiologist.pw
kayakercabdriver.pw
kayakingconsul.pw
kayakingoperator.pw
kayakingskating.pw
kayaknurse.pw
kickballnurse.pw
lacrossemuralist.pw
lacrosseorderly.pw
landlordexterminator.pw
landlordgardener.pw
landscapercook.pw
landscaperoptician.pw
lecturergatherer.pw
linguistdetective.pw
locksmithillustrator.pw
maidblacksmith.pw
maidornithologist.pw
marinecellist.pw
martialartslinguist.pw
mayordrummer.pw
monklyricist.pw
movemedal.pw
oboistbowler.pw
olympicscompetition.pw
olympicsengineer.pw
opticiannegotiator.pw
orienteeringjanitor.pw
paintergeneral.pw
paralegalbuilder.pw
paralegaleconomist.pw
pawnbrokermanufacturer.pw
peddlerbellhop.pw
pingpongathlete.pw
pingpongbasketball.pw
pingpongempress.pw
pingponghelmet.pw
pitchactor.pw
pitchdart.pw
pitchjanitor.pw
pitchlifeguard.pw
playchauffeur.pw
playerskate.pw
playingoboist.pw
playoffscycle.pw
playoffspeddler.pw
playorienteering.pw
polekayaking.pw
poolgeneticist.pw
poolnegotiator.pw
quarterbackgeneral.pw
quartergeographer.pw
racedrummer.pw
raceengineer.pw
racercellist.pw
racketarcher.pw
racketbaseball.pw
racketdart.pw
racketleague.pw
racketskate.pw
raftingbarber.pw
raftingdancer.pw
raftingfrisbee.pw
raftingkayaker.pw
relaydrycleaner.pw
relayrace.pw
ridingcabdriver.pw
ridingnurse.pw
runbasketball.pw
rundrummer.pw
runningaccountant.pw
runningactuary.pw
skatepole.pw
skatingmuralist.pw
teacherjockey.pw
toolmakerfisherman.pw

The IP forms part of a /28 block belonging to a known bad actor:
NetRange:       192.95.10.208 - 192.95.10.223
CIDR:           192.95.10.208/28
OriginAS:       AS16276
NetName:        OVH-CUST-413973
NetHandle:      NET-192-95-10-208-1
Parent:         NET-192-95-0-0-1
NetType:        Reassigned
RegDate:        2014-01-24
Updated:        2014-01-24
Ref:            http://whois.arin.net/rest/net/NET-192-95-10-208-1

CustName:       Private Customer
Address:        Private Residence
City:           Penziatki
StateProv:     
PostalCode:     30000
Country:        RU
RegDate:        2014-01-24
Updated:        2014-01-24
Ref:            http://whois.arin.net/rest/customer/C04859113


I believe that these IPs are connected with a black hat host r5x.org and IPs with these WHOIS details are very often used in exploit kit attacks. I would strongly recommend that you block 192.95.10.208/28 in addition to the domains listed above.