Sponsored by..

Wednesday 23 July 2014

Birminghammail / Paul Fulford "Redirected message" spam

This spam pretends to be from a journalist called Paul Fulford at the Birmingham Mail. However, it isn't.. it is a forgery with a malicious attachment.

Date:      Wed, 23 Jul 2014 20:59:48 +0800 [08:59:48 EDT]
From:      Birminghammail [paul.fulford@birminghammail.co.uk]
Subject:      Redirected message

Dear [redacted]!

Please find attached the original letter received by our system.
I only have two samples of this, the originating IP addresses are:
1.34.211.10 (HINET, Taiwan)
117.212.18.140 (BSNL, India)

Poor Mr Fulford thinks that his email has been hacked.. it hasn't, but I suspect that he has pissed off some Russian spammers somewhere.


Attached is an archive file 1.zip which contains a malicious executable original_letter_234389_193.scr.exe which has a VirusTotal detection rate of 5/53. The Malwr report shows that this part reaches out to the following IPs:

37.139.47.103
37.139.47.117


Both of these belong to Comfortel Ltd in Russia. From there another file 2.exe is download which has a VT detection rate of just 3/53. The Malwr report is inconclusive.

I'm not familiar with the Russian host, but having two bad IPs in close proximity makes me think that you probably want to block at least 37.139.47.0/24 or the whole 37.139.40.0/21 (almost all sites are in the /24 anyway). This netblock contains a mix of what look like legitimate Russian-language sites and obvious phishing sites.

inetnum:        37.139.40.0 - 37.139.47.255
netname:        COMFORTEL-NET
descr:          COMFORTEL ltd.
country:        RU
admin-c:        ME3174-RIPE
tech-c:         RASS-RIPE
status:         ASSIGNED PA
mnt-by:         MNT-PIN
mnt-routes:     MNT-PIN
mnt-domains:    PIRIX-MNT
source:         RIPE # Filtered

person:         Mikhail Evdokimov
address:        PIRIX
address:        Obukhovskoy Oborony, 120-Z
address:        192012, St.Petersburg
address:        Russia
phone:          +7 812 3343610
fax-no:         +7 812 6002014
nic-hdl:        ME3174-RIPE
mnt-by:         RUNNET-MNT
source:         RIPE # Filtered

person:         Dmitry Rassohin
address:        194156, St.Petersburg, Russia
address:        Bolshoy Sampsonievskiy prospekt 106A, apt. 304
phone:          +7 931 2700021
nic-hdl:        RASS-RIPE
mnt-by:         RASS-MNT
source:         RIPE # Filtered

route:          37.139.40.0/21
descr:          PIRIXROUTE
origin:         AS56534
mnt-by:         MNT-PIN
source:         RIPE # Filtered


UPDATE: a slightly different version of the spam is doing the rounds today, with the fake senders being Allyson.Mays@birminghammail.co.uk and Troy.Short@birminghammail.co.uk (there seems to be nobody working for the Birmingham Mail with that name).

The attachment is in the format letter_549588.zip and letter_235708.zip and which unzips to a folder original_letter_234389_193.eml containing a malicious executable original_letter_234389_193.eml.exe which has a VirusTotal detection rate of 4/54.

The Malwr analysis shows that this reaches out to the following sites:

www.zag.com.ua
daisyblue.ru
37.139.47.117


This drops a further file called mss3.exe with an MD5 of 8e5ea3a1805df3aea28c76adb13b3d9e which is still pending analysis.



Tuesday 22 July 2014

IGPK (Integrated Cannabis Solutions Inc) pump-and-dump spam

There seems to be a low-volume pump-and-dump spam run promoting IGPK (Integrated Cannabis Solutions Inc), the second recent spam I've seen for a cannabis company after this one.

Date:      Mon, 21 Jul 2014 21:15:06 +0400 [07/21/14 13:15:06 EDT]
From:      carolinehopkinsd@arcusinvest.com
Subject:      Check out this company that investors buy

Dear Classified Investor,
If you have been watching to the news, I am sure you have
learned about this new and exciting gigantic business that
everyone is talking about, right in USA! We're talking about
medical marijuana and the colossal Dot Bong Boom currently
underway. INTEGRATED CANNABIS SOLUTIONS INC I G_P-K, offers
a secret, backdoor way to get some of the best potentially
lucrative marijuana investments in the world! Published by
the WSJ, legal marijuana could be the next big thing. This
legal marijuana company is, effortlessly, the utmost
possibly lucrative purchase in this domain right now. I
G_P-K +4% on Friday the 18th of July, seems is groomed
totally for a popular surge up the graphs that can bring
openly compensate us five hundred percent or more. Don't
wait, take 5 minutes and invest early this week, while I
G_P-K is still available for purchase before Wall Street
learns about it! 
IGPK has a turnover of about $2m but is haemorrhaging cash which is not a good sign, but it doesn't mean that the company is necessarily going to fold.

It looks like some sort of stock promotion started last month, but this is simply low-grade spam. However a look a the stock chart shows that the spam run has pushed up the price by 45% to $0.08.. but that is down from $0.74 in May so the price has certainly slumped.

The mail originates from 61.234.227.151 (Railcom, China) via a mailserver at 185.8.3.210 (GNC, Armenia). Despite the "arcusinvest.com" domain in the email there is no evidence that it actually comes from this domain (that belongs to Arcus Investment Ltd, a real UK investment company).

Unless you want to lose out, you should never buy stock promoted by spam as the price tends to collapse as soon as the promotion stops.. or even while the promotion is still going on!

Monday 21 July 2014

Something evil on 188.120.198.1 (IP4ISP / LuckyNet, Czech Republic)

Here another bunch of Cushion Redirect sites closely related to this attack a few weeks ago but this time hosted on 188.120.198.1 (IP4ISP / LuckyNet, Czech Republic). You can see the redirect in action in this URLquery report and VirusTotal has a clear indication of badness on this IP.

All the sites are hijacked subdomains of legitimate domains, a peculiar mix of pornography and Dora the Explorer. Domains in use are:

e-meskiesprawy24.com.pl
dora-explorer.co.uk
adultvideoz.net
alsancakescort.org
anadoluyakasiescort.asia


To give credit to the owners of dora-explorer.co.uk, they have spotted that something is wrong, although it looks like the nameservers of their webhost (eu1.downtownhost.com and eu2.downtownhost.com) are improperly secured.


A full list of all the subdomains I can find is here [pastebin] but I would recommend applying a temporary block to these domains until the webhost secures them, although the most effective way of securing your network is to permablock 188.120.198.1.

Recommended blocklist:
188.120.198.1
e-meskiesprawy24.com.pl
dora-explorer.co.uk
adultvideoz.net
alsancakescort.org
anadoluyakasiescort.asia

UPDATE: It definitely appears that downtownhost.com have not secured their nameservers as a few more customer sites are being abused in this way. It appears that the attackers are going through downtownhost.com's customers in alphabetical order. For example, the following subdomain are in use:

dfmgjne934eod8khquq1axg.elluse.com
280pfzhnb4usz3hajazvtlw.eaila.com
zefh96abfex1r32md0jdh7p.e-oman.me

Additional sites to block:
elluse.com
eaila.com
e-oman.me

UPDATE 2: it looks like downtownhost.com have fixed the problem. These recently-flagged domains can now be considered to be safe.

4-cheap.co.uk
aandelenblog.be
apteka-erekcja.pl
arcadehaven.co.uk
bewegwijzeringborden.nl
bitfrog.co.uk
carpediemcosmetics.de
cewh-cesf.ca
charlie-lola.co.uk
check-email.org
cialis25.pl
cialis25.pl
clashofclanshackdownload.com
deepfryershop.co.uk
designwonen.be
dora-explorer.co.uk
eaila.com
elluse.com
e-meskiesprawy24.com.pl
e-meskiesprawy24.pl
e-oman.me

Friday 18 July 2014

Something evil on 5.135.211.52 and 195.154.69.123

This is some sort of malware using insecure OpenX ad servers to spread. Oh wait, insecure is pretty much the default configuration for OpenX servers..

..anyway, I don't know quite what it is, but it's running on a bunch of hijacked GoDaddy subdomains and is triggering a generic Javascript detection on my gateway. Domains spotted in this cluster are:

fart.somerspointnjinsurance.com
farms.somerspointnjinsurance.com
farming.somerspointnjinsurance.com
farma.risleyhouse.net
farmer.risleyhouse.net
farmers.risleyhouse.net
par.ecofloridian.info
papers.ecofloridian.com
papa.trustedelderlyhomecare.net
paper.trustedelderlyhomecare.org
pap.trustedelderlyhomecare.info
fas.theinboxexpert.com
fashion.theinboxexpert.com

The two IPs in use both belong to OVH France, but 5.135.211.52 is suballocated to QHoster Ltd (Bulgaria) [VT] and 195.154.69.123 is suballocated to Iliad Entreprises (France) [VT]. This second IP has also been used to host "one two three" malware sites back in May.

Recommended blocklist:
5.135.211.52
195.154.69.123
somerspointnjinsurance.com
risleyhouse.net
ecofloridian.info
ecofloridian.com
trustedelderlyhomecare.net
trustedelderlyhomecare.org
trustedelderlyhomecare.info
theinboxexpert.com

Thursday 17 July 2014

"Notificación de transferencia de fondos a su favor" spam

This Spanish-language spam has a malicious Word document as an attachment.

From:     HSBC Transferencias [Mexico_contacto@hsbc.com.mx]
Reply-To:     respuesta@hsbc.com.mx
Date:     17 July 2014 11:01

¡BIENVENIDO A HSBC!

El motivo de este correo es informarle que el día de hoy recibió una transferencia SPEI la cual se encuentra retenida debido a anomalías en su cuenta. Para mas detalles sobre esta situación le adjuntamos un documento en formato Microsoft Word donde explicamos el motivo de la retención y los pasos a seguir.



Banco emisor: BBVA BANCOMER
Importe: $94,000.00
Fecha: 17/07/2014
Folio: 89413


Estatus: Retenida
Recomendamos seguir los pasos descritos en el documento adjunto en este correo.


Para cualquier duda o aclaración  nos ponemos a sus órdenes en contacto@hsbc.com.mx o si lo prefiere,  puede comunicarse a Banca por Internet en los siguientes teléfonos:
     México D.F. (55) 5721 1635
     Desde cualquier estado de la República al 01800 4722 638 LADA sin costo.

Con gusto le atenderemos

The attachment is essentially the same as the one mentioned here which tries to lure the victim into removing their Word security settings so that a malicious macro can run.

The VirusTotal detection rate is a pretty poor 4/54. You can see some of the text strings in the Malwr report which feature a reverse URL of exe.ss/pw/arc/lc.paip//:ptth which is reverse to try to download a file from http://piap.cl/cra/wp/ss.exe (currently 404ing). The VBA in the document can be found here [pastebin].

As mentioned before, this is a long-running campaign apparently targeting users in Mexico, and as yet I have not seen this in any language except Spanish.

Wednesday 16 July 2014

"You've received a new fax" / "You have a new Secure Message" spam

This pair of spam messages leads to a malicious ZIP file downloaded via goo.gl (and not Dropbox as the spam says)

From:     Fax [fax@victimdomain]
Date:     16 July 2014 16:12
Subject:     You've received a new fax

New fax at SCAN7905518 from EPSON by https://victimdomain
Scan date: Wed, 16 Jul 2014 23:12:29 +0800

Number of pages: 2
Resolution: 400x400 DPI

You can download your fax message at:

https://goo.gl/8AanL9

(Dropbox is a file hosting service operated by Dropbox, Inc.)

-------------

From:     NatWest [secure.message@natwest.com]
Date:     16 July 2014 14:47
Subject:     You have a new Secure Message

You have received a encrypted message from NatWest Customer Support

In order to view the attachment please open it using your email client ( Microsoft Outlook, Mozilla Thunderbird, Lotus )

Please download your ecnrypted message at:

https://goo.gl/8AanL9


(Dropbox is a file hosting service operated by Dropbox, Inc.)


If you have concerns about the validity of this message, please contact the sender directly. For questions please contact the NatWest Bank Secure Email Help Desk at 0131 556 4612.
I have seen three goo.gl URLs leading to three different download locations, as follows

https://goo.gl/1dlcL3 leads to
http://webbedenterprisesinc.com/message/Document-6936124.zip

https://goo.gl/8AanL9 leads to
http://rollermodena.it/Document-2816409172.zip

https://goo.gl/pwgQID leads to
http://www.vetsaudeanimal.net/Document-9879091.zip

In all cases, the ZIP file contains a malicious .scr with the same name as the ZIP (e.g. Document-6936124.scr). The file is the same in all three locations and has a VirusTotal detection rate of exactly 0/54. The Malwr report shows that this then downloads components form the following locations (hosted by OVH France):
http://94.23.247.202/1607h/HOME/0/51Service%20Pack%203/0/
http://94.23.247.202/1607h/HOME/1/0/0/


An executable esoez.exe is then dropped onto the target system with a marginally better VT detection rate of 1/54. The Malwr report for that is inconclusive.

Recommended blocklist:
94.23.247.202
vetsaudeanimal.net
rollermodena.it
webbedenterprisesinc.com

Tuesday 15 July 2014

Scam? thejointventuregroup.com (The Joint Venture Group) and other domains

This slimy proposition plopped into my spamtrap:

From:     Lori Henderson [info@loriwiththejointventuregroup.com]
Date:     15 July 2014 02:11
Subject:     Attention Investors
Sailing list:     xkuqlvkqlvveull of 1541

Investment opportunities like the one I am about to share comes along once every twenty years. Companies that produce earnings of billions annually are not the norm. This proprietary product is that will do just that. We have already received letters of interest to purchase this unique product from:

Mercedes Benz

General Motors

Caterpillar

Pep Boys

The U.S. Army, just to name a few.

If you are an accredited investor and would like to own a portion of with an estimated gross volume in the billions, then reply to this email and you will receive the details. Please be advised, this is a limited.

Regards,

Haven Henderson

 info@loriwiththejointventuregroup.com

 To stop getting mails
The email originates from 76.182.212.168, an IP address in Arlington, Texas. The domain "loriwiththejointventuregroup.com" is registered with anonymous details. The same content is mirrored on several sites:

thejointventuregroup.com
loriwiththejointventuregroup.com
thomwiththejointventuregroup.com
walterwiththejointventuregroup.com
tiarrawiththejointventuregroup.com
marvawiththejointventuregroup.com


The site has been knocked together using a sitebuilding tool by a 12 year old (by the looks of it).


The site quotes a company name and address as follows:
The Joint Venture Group P.O. BOX 1063 CEDAR HILL TX 75106

..but I can find no verifiable proof about the existence of a firm of this name in Texas.

Perhaps a clue into the operation can be found on a page labelled "Consulting Position"

The Joint Venture Group is looking for self-motivated individuals who are experienced in marketing to project developers and business owners who need private funding.

    In addition to providing funding capital for project developers and business owners who cannot qualify for conventional bank financing, The Joint Venture Group also provides a safe investment opportunity to accredited investors. This private investment fund pays $2,500 in monthly commissions, for every client that is enrolled by the consultant into the fund. The commission percentage is based on a minimum investment of $1,000,000. Click here to learn more.

    If you are a motivated individual looking for a great opportunity to receive a consistent monthly income in the amount of $2,500  on every enrolled client, than fill out the application below and please name the consultant that referred you to this page. 
 


Let's have a look at that "handshake" picture more closely..


It says: "If you're not a part of the solution, there's good money to be made in prolonging the problem". Funny, yes. Something that a consulting firm would have on their site? Definitely not.

It could well be that Lori, Thom, Walter, Tiarra and Marva are real people who have fallen for this sham and the promise of easy riches.

So, it it a scam? My personal opinion that it is. "The Joint Venture" group offer easy money - loans for just about any project, a rate of return for investors that is unrealistic, and of course it is promoted via spam by a company that hides all its real contact details. It certainly looks scammy according to the duck test.

Perhaps a clue can be found on the "Procedures page".


Please be advise, there is a 100% REFUNDABLE deposit of $20K which is a Success Fee. The deposit will be returned when funding is arranged. The deposit is also refundable if The Joint Venture Group fails to arrange funding by the end of 365 days. Proof of funds are required on all funding submissions. There will be no exceptions made.
So, this is saying: you give us twenty thousand bucks and we'll sort out your finance. Honest. You can trust us. We have a domain name and everything.


The Joint Venture Group is comprised of pf private investors who will provide funding for a variety of commercial developments and business projects to those who do not qualify for traditional bank financing.  We also offer a safe investment fund to accredited investor which pays 12% annually, 1% each month. The minimum entry amount is $1M. The investment also provides funding for our clients that require funding. Our minimum funding amount is $1M with no maximum. You can review the details and funding procedures by clicking here.
Say after me.. one meelion dollars!


The Joint Venture Group claim to be a multibillion dollar outfit, but their web design (and spelling) is awful.


Well, OK I have seen the website for Berkshire Hathaway which is has nearly half a trillion dollars worth of assets but also has a website that looks like it was designed in 30 minutes in 1994. But at least Warren Buffett knows how to spell.

Nothing about The Joint Venture Group looks legitimate. I would give it a wide berth if I were you.

Monday 14 July 2014

"Important - Internal Only" spam

This spam comes with a malicious payload:

Date:      Mon, 14 Jul 2014 16:12:49 +0000 [12:12:49 EDT]
From:      Administrator [Administrator@victimdomain]
Subject:      Important - Internal Only

File Validity: 07/14/2014
Company : http://victimdomain
File Format: Office - Excel ,PDF
Name: Internal Only
Legal Copyright: © Microsoft Corporation. All rights reserved.
Original Filename: Internal Only.pdf

********** Confidentiality Notice **********.
This e-mail and any file(s) transmitted with it, is intended for the exclusive use by the
person(s) mentioned above as recipient(s).
This e-mail may contain confidential information and/or information protected by
intellectual property rights or other rights. If you
are not the intended recipient of this e-mail, you are hereby notified that any
dissemination, distribution, copying, or action taken
in relation to the contents of and attachments to this e-mail is strictly prohibited and
may be unlawful. If you have received this
e-mail in error, please notify the sender and delete the original and any copies of this
e-mail and any printouts immediately from
your system and destroy all copies of it. 
Attached to the message is an archive file Internal Only - victimdomain which in turn contains a malicious executable Internal Only.scr which has a VirusTotal detection rate of 9/54 which indicates that this is a variant of Upatre. The Malwr analysis shows that it contacts the following URLs:

http://renovarweb.com/comprar/css/404.tar
http://vivatsaultppc.com/421w52q4ok9
http://vivatsaultppc.com/tv8m80f8d8d0


This drops a few files, including mkird.exe which has a VirusTotal detection rate of 6/54 (Malwr analysis here) and an encoded file 404[1].tar which only McAfee spots as being suspect (Upatre-Enc.b).

Blocking the following domains may give some protection:
renovarweb.com
vivatsaultppc.com


Spam from Institute of Project Management America (instituteofprojectmanagementamerica.org)

I wrote about the so-called Institute of Project Management America last month along with their principals Anthony Christopher Jones (aka Tony Jones) and Patchree Patchchrint (aka Patty Jones), who have been running what I personally consider to be fake seminars for the best part of a decade. Previous versions of this same outfit were called The Grant Institute and the North American Program Planning and Policy Academy [NAPPPA] (just Google 'em).

This spam is advertising a course in Seattle. In my opinion I would give this a very wide berth indeed.
From:     Institute of Project Management America
Date:     12 July 2014 10:48
Subject:     Project Management Masters Certification Program (August 5 - 8, 2014: Seattle, WA)


The Project Management Masters Certification Program will be offered August 5-8, 2014 in Seattle, Washington. Project management professionals, business and technology professionals, students, and educators are invited to register online at the Institute of Project Management America website.

August 5-8, 2014
Seattle Public Library

Seattle, Washington
 
The PMMC is designed for those seeking professional project management certification. It serves as both a thorough professional education and recognized certification. Those seeking additional credentials such as the PMP®/PgMP®, PMI-SP®, and PMI-RMP® will benefit from this dynamic and interactive work session, while those currently holding credentials will find the certification to be an enhancement as well as the most up to date advanced professional development.  

Project Management Masters Certification program provides 36 hours of project management education, meeting education requirements for both PMI's Certified Associate in Project Management (CAPM) ® and Project Management Professional (PMP) certifications. Additionally, the Master Certification provides 36 Professional Development Units (PDUs) for current holders of PMP®/PgMP®, PMI-SP®, and PMI-RMP® credentials.

The program meets the education requirement for all professional designations through the Project Management Institute and other professional agencies. Additionally, the program awards 3.6 Continuing Education Units (CEUs) upon request. 

Program Description

Our certificate program teaches technical and business professionals how to master the critical skills of project management techniques as part of their technical career development.

The skills developed in the Project Management Masters Certification program apply to large and small projects, product design and development efforts, construction projects, IT projects, software development, and any project with critical performance, time, and budget targets.  

Our approach to project management education offers proven, results-focused learning.

Courses are developed and facilitated by professional subject experts with extensive industrial experience. Course emphasis is on providing practical skills and tools supported by relevant case examples.

Tuition

Tuition for the four-day Project Management Masters Certification program is $995.00

Program Schedule and Content
1. Project Initiation, Costing, and Selection, Day 1
2. Project Organization and Leadership, Day 2 
3. Detailed Project Planning, Day 2 and 3 
4. Project Monitoring and Control, Day 3 and 4 
5. Project Risk Management, Day 4  

Benefits
·   A PMMC certificate of accomplishment is awarded upon completion of the four day program of five courses. Completion letters are given for each course.
·   Our instructors have extensive industrial experience. They focus on providing you with practical skills and tools using relevant case examples.
·   Each class is highly focused and promotes maximum interaction.
·   You can network with other project management professionals from a variety of industries.
·   Earn Professional Development Units (PDUs) for maintenance of certification under the PMI Continuing Certification Requirements Program.
·    Applicants for PMI's Certified Associate in Project Management (CAPM)® and Project Management Professional (PMP) certifications will have met all education requirements for eligibility.

Registration

Participants may reserve a seat online at the Institute of Project Management America website, by calling the Program Office toll-free at (888) 859-5659, or by sending their name and contact information via email to the Program Registrar .

Upon receiving your registration, a confirmation email is sent to registrants that includes session site information, travel information, program description, and details on how to confirm attendance and make payment arrangements.
 
Click Here to be removed from this mailing list.
The email originated from a Verizon IP 173.55.195.165 which is in Los Angeles. Previous research has shown that Jones and Patchrint are strongly associated with LA in general and the Hacienda Heights area in particular. The SMTP server was at 167.160.94.170 (Corey Manshack, Texas). The spamvertised site is instituteofprojectmanagementamerica.org (as discussed here)

I advise you to research the so-called Institute of Project Management America (along with The Grant Institute and the North American Program Planning and Policy Academy [NAPPPA) yourself. In particular, I would personally recommend not booking a course with them, and not accepting a job offer as a trainer.

Scam: "CNnet Dispute Solutions Ltd" cn-network.com / cn-network.org

This email from a Chinese domain registrar styling itself as "CNnet Dispute Solutions Ltd" is a scam.

From:     james@cn-network.org
Date:     14 July 2014 11:12
Subject:     About Internet Trademark Issue: [redacted]


Dear Manager,

(If you are not the person who is in charge of this, please forward this to your CEO,Thanks)

We are a organization specializing in trademark consulting and domain name registration services in China. We just received an application sent from "HaiTon Importing Co., Ltd" on 13/07/2014, requesting for applying the "[redacted]" as the Internet Brand and some Chinese domains such as .cn/.com.cn/.hk/.asia ect... for their business running. Though our preliminary review and verification, we found that this keyword is currently being used by your company and is applied as your domain name. In order to avoid any potential risks in terms of trademark dispute and impact on your market businesses in China and Asia in future, we need to confirm with you whether "HaiTon Importing Co., Ltd" is your own subsidiary or partner.

Will your businesses in China and Asia be impacted potentially if they apply for this trademark? And will you agree this company to apply for this trademark? Please contact us immediately within 10 working days, otherwise, you will be deemed as waived by default.

Please contact us in time in order that we can handle this issue better.


Best Regards,

James Tan

Auditing Department.

Registration Department Manager
4/F,No.9 XingHui West Street,

JinNiu ChenDu, China

Office: +86 2887662861

Fax: +86 2887783286

Web: http://www.cn-network.com



Please consider the environment before you print this e-mail.
Don't worry, this is a scam. There is no such company as "HaiTon Importing Co". Nobody is trying to register these worthless domains, there is really nothing to worry about. I've explained it all in this video.

They have a website at cn-network.com and are soliciting replies to cn-network.org. Registration details are as follows:

Registry Registrant ID:
Registrant Name: Wang XiaoGang
Registrant Organization: Cheng Du Chuang Ning Wang Luo Ke Ji You Xian Gong Si
Registrant Address: No. 69  JinFangYuanDong Road  ChengDuJinNiu District
Registrant City: ChengDuShi
Registrant Province/state: SC
Registrant Country: CN
Registrant Postal Code: 610000
Registrant Phone: +86.2887783286
Registrant Phone EXT: +86.2887783286
Registrant Fax: +86.2887783286
Registrant Fax EXT: +86.2887783286
Registrant Email: 253885777@qq.com
Registrant Email EXT: 253885777@qq.com
Registry Admin ID: 42771277


I can find the following domains that use the same contact details:

cn-nic.org
cn-network.org
cn-network.com
cn-network.net
cnnetcor.com
cnnetpro.com


This scam has been going around for years, and it is just being randomly spammed out and you should simply ignore it.

Video: Chinese Domain Scams


Thursday 10 July 2014

"TT PAYMENT COPY" spam

We've seen spam like this before. It comes with a malicious attachment.

Date:      Thu, 10 Jul 2014 00:09:28 -0700 [03:09:28 EDT]
From:      "PGS Global Express Co, Ltd." [pgsglobal1960@gmail.com]
Subject:      Re TT PAYMENT COPY

ATTN:

Good day sir,here is the copy of the transfer slip ,kindly find the attach copy and please check with your bank to confirm the receipt of the payment and do the needful by dispatching the material as early as possible.

We hope you will do the needful and let us know the dispatch details.

(purchase) Manager.
                   ------sent from my iphone5s-------
 It comes with an attachment TT PAYMENT COPY.ZIP containing the malicious executable TT PAYMENT COPY.exe which has a VirusTotal detection rate of 19/54. According to Malwr this appears to be a self-extractive archive file which then drops (inter alia) a file iyKwmsYRtDlN.com which has a very low detection rate of 1/52. It isn't clear what this file does according to the report.

"Estado de Cuenta Datallado en Línea (Statement Datallado Online)" spam contains a Macro virus

This Spanish-language spam comes with a Word document containing a Macro virus.

From:     Banco Santander [altacuentas_cash@santander.com.mx]
Reply-to:     noreply@santander.com.mx
Date:     10 July 2014 09:52
Subject:     Estado de Cuenta Datallado en Línea


Estimado Cliente:

Por este medio le enviamos el estado de su cuenta del día 08/Jul/2014.
Le recomendamos descargarlo y así mantener un registro de sus activos.

El estado de cuenta se encuentra adjunto en este correo en formato Microsoft Word.

Para cualquier duda o aclaración puede comunicarse a Súper Línea Empresarial.

Atentamente,
BANCO SANTANDER.

******************PRIVACIDAD DE ESTE MENSAJE**********************
Este mensaje esta dirigido exclusivamente a las personas que tienen las direcciones de correo electronico especificadas en los destinatarios dentro de su encabezado. Si por error usted ha recibido este mensaje, por ningun motivo debe revelar su contenido, copiarlo, distribuirlo o utilizarlo. Le solicitamos por favor elimine dicho mensaje junto con cualquier documento adjunto que pudiera contener. Los derechos de privacidad y confidencialidad de la informacion en este mensaje no deben perderse por el hecho de haberse trasmitido erroneamente o por causas de interferencias en el funcionamiento de los sistemas de correo y canales de comunicacion. Toda opinion que se expresa en este mensaje pertenece a la persona remitente por lo que no debe entenderse necesariamente como una opinion del Grupo Financiero Santander y/o de las entidades que lo integran, a menos que el remitente este autorizado para hacerlo o expresamente lo diga en el mismo mensaje. En consideracion a que los mensajes enviados de manera electronica pueden ser interceptados y manipulados, el Grupo Financiero Santander y las entidades que lo integran no se hacen responsables si los mensajes llegan con demora, incompletos, eliminados o con algun programa malicioso denominado como virus informatico. Este mensaje no debe interpretarse, por ningun motivo como una oferta de venta o de compra de valores ni de instrumentos financieros relacionados. Los acentos en la leyenda de confidencialidad se han suprimido para una mejor lectura
This translates roughly as:
I hereby send you the status of your account on 08/Jul/2014.
We recommend you download and keep track of your assets.

The statement is attached to this email in Microsoft Word format.

For any question you can contact Super Business Line.

Best regards,
BANCO SANTANDER. 
Attached is a file ESTADOCUENTA_2457.doc which contains a Word Macro virus. However, because most people's settings would stop a Macro virus running then it actually contains detailed instructions on how to remove your security settings.


The first page reads:
El contenido no puede ser mostrado.
Para poder ver el contenido de este documento debe habilitar los Macros de Microsoft Word, luego cerrar y abrir el documento.

Pruebe lo siguiente:
Habilite los Macros y luego vuelva a abrir el documento.
En este documento podrá encontrar una guía proporcionada por www.santander.com para poder habilitar los macros en su Microsoft Word.

Grupo Financiero Santander México - 2014
which roughly translates to:
The content can not be shown.
To view the content of this document should enable macros Microsoft Word, then close and reopen the document.

Try the following:
Enable Macros and then reopen the document.
In this document you will find a guide provided by www.santander.com to enable macros in your Microsoft Word.

Grupo Financiero Santander Mexico - 2014

There then follows several pages with screenshots on how to disable the security in Word and Excel.. doing which of course is a bad idea. Reloading the document will then execute the Macro virus. I have defanged the document and converted it to a PDF file here. A copy of the VBA code is here (thanks to @Techhelplistcom).


The VirusTotal analysis shows just 1/54 virus scanners detect it. The Malwr analysis gives some clues as to what is going on in the string dump, especially the reference to baulretro.cl/tienda/cache/wp/ss.exe (186.64.120.59 / Zam Ltda, Chile) which appears to be a malicious binary (at the moment the file is 404ing, but it was working recently).

The properties of the Word document don't give much of a clue:



Authors are "OFEyDV", last saved by "clein" which matches to a few other recent malicious Spanish-language documents [1] [2] [3] [4]. The creation date indicates that perhaps this started off life as a genuine document and has been adapted for evil purposes.

Originating IP for the spam is 124.42.127.221 (Langfang University, China) via 199.192.145.152 (web17.gohost.com).

It's a lot of hard work to get your computer infected, but it does also look quite convincing. Word Macros are very rarely used by anything and you should definitely not fiddle with them if you don't need to.

Wednesday 9 July 2014

NatWest fails when it comes to basic phishing precautions - report

It's late, so I'll just copy-and-paste this release about a rather stupid failure by NatWest to set an SPF record for one of their critical domains..

NatWest Fail To Adequately Protect Customers Online From Increasingly Sophisticated Cyber Crime Threats 

London UK, Wednesday 9th July 2014 – A leading email security specialist organisation has identified a simple yet important flaw in online banking systems which could be exposing unknowing customers to cyber-orientated threats.

Graeme Batsman, director of the London based IT and email security company 'Atbash', has identified a vulnerability in the system used by NatWest – highlighting a susceptibility to phishing emails (spoofed) and malware.

The flaw identified in the current email security set up employed by NatWest bank has been found to decrease the possibility of phishing emails being identified and filtered out safely, thus protecting online customers.

Mr Batsman commented “Being a security techy, I spent time pulling software, spoofed emails or viruses apart to see exactly how they work and where the possible flaws can be seen. During early July I was handed a sample of an email from NatWest which slipped past the security system. After inspecting the problem and testing the vulnerability I identified that the problem was a missing SPF record.”
A 'Sender Policy Framework' (known as an SPF) is a free, open source method of identifying and capturing dangerous and compromised emails by comparing records saved online against the actual email received. A full configuration to close the vulnerability would have taken around 30 minutes and costs nothing to implement.
Graeme Batsman continued “To put it simply NatWest’s email servers are based within the United Kingdom, so if someone was sending an email from New Zealand pretending to be NatWest, it should get blocked. When an email is sent there is a simple check done in the background to see where the email should come from (in this case UK) and where is actually comes from (in this case New Zealand), If the 2 do not tie up then email servers will determine the email to be fake and it will be blocked.”

Unlike other cyber threats facing large corporations with an obligation to protect customer data, this particular vulnerability in the NatWest system would have cost nothing to address. By integrating an SPF record on the system, the bank would have increased the chance of email spam filters detecting that the email is a fake and as a result, offering better protection for their customers.
Whilst NatWest.com does have SPF records set up, the critical domain nwolb.com which is used for online banking login does not. This leads to cyber criminals being particularly attracted to the nwolb.com domain.

This is obviously a major concern to NatWest online banking customers, however other major banks such as Metro Bank, Barclays, Santander and Lloyds already have SPF records setup for their domains which relate to online banking login paths.
Knowing banks it would have taken a lot more than 30 minutes to fix this and millions of pounds of money. Oh yes.. taxpayer's money in the case of NatWest. But it certainly does look like a basic security failure that makes me glad that I bank elsewhere..

Tuesday 8 July 2014

Scam: "All Company Formation" (allcompanyformation.com / businessformation247.com)

Sometimes it isn't easy to see what a scam is, but this email hit my spamtrap advertising an outfit that can allegedly create offshore companies and acquire all sorts of trading licences and things like SSL certificates.


From:     All Company Formation [info@allcompanyformation.com]
Date:     7 July 2014 12:58
Subject:     [Info] Worldwide Company Formation Services - EV SSL Approval Services


We have a team of agents in different countries we are providing Company Registration services in the following Countries:

-United Kingdom
-USA
-Malaysia
-Syschelles
-Hong Kong
-Indonesia
-Dominica
-UAE
-South Africa
-switzerland
-Singapore
-India
-Panama
-Anguilla
-Belize
-Nevis
-Cyprus

If you need other than above countries so please contact us for more information..we are also providing offshore bank account services:

Bank locations are :

-Mauritius
-Belize
-Seychelles
-Cayman Islands
-Cyprus
-Hong Kong
-St. Vincent & Grenadines
-Latvia
-St. Lucia
-Brokerage Account in Panama
-Nevis Bank Account

other services:

-Comodo EV ssl Approval and documentation
-Geo Trust ssl Approval and documentation
-Symantec ssl Approval and documentation
-Veri Sign Approval and documentation
-Trustwave Approval and documentation
-Trust Guard Approval and documentation
-Valid safe Approval and documentation
-Truste Approval and documentation
-Others (as per your request)


For order and need more informations kindly contact us : www.allcompanyformation.com

Email: info@allcompanyformation.com

skype : companiesformations
The spam originates from 209.208.109.225 which belongs to Internet Connect Company in Orlando, Florida.. Orlando being a hotbed of fraud which would make it ideal for twinning with Lagos. The spam then bounces through a WebSiteWelcome IP of 192.185.82.77. None of those IP give a clue as the the real ownership of the site.

The spamvertised site of allcompanyformation.com (also mirrored at businessformation247.com) looks generic but professional.


It is plastered with logos from legitimate organisations, presumably to give it an air of respectability.


You can pay for these "services" using any one of a number of obscure payment methods:

EgoPay: e.allcompanyformation@gmail.com
OK Pay: ondrejpavilic@gmail.com
Perfect Money: U3128238


I wouldn't bet on "ondrejpavilic" being a real person, it sounds suspiciously like this ice hockey player.

The contact information seems deliberately vague and there are no physical contact addresses or company registration details anywhere on the website:

E-mail: info@allcompanyformation.com
Telephone: 315-944-0992
Skype: CompaniesFormations


The telephone number looks like a US one, but on closer examination appears to be a Bandwidth.com VOIP forwarder to another number (which could be anywhere in the world). These 315-944 numbers seem to be often abused by scammers.

The WHOIS details are anonymous, and the website has been carefully excised of any identifying information.

Most of the text (and indeed the whole concept) has been copy-and-pasted from Slogold.net who seem to be a real company with real contact details. They even go so far as to warn people of various scams using the Slogold name.

The following factors indicate that this is a scam, and sending them money would be a hugely bad idea:
  1. The site is promoted through spam (this sample was sent to a spamtrap)
  2. The domain allcompanyformation.com has anonymous registration details and was created only in December 2013.
  3. There are no real contact details anywhere on the site.
  4. The text is copy and pasted (i.e. stolen) from other sites, primarily Slogold.net.
Avoid.


Friday 4 July 2014

Scam: advocatesforyouths.org, Eem Moura, Tee Bello and other fake sites

Advocates for Youth is a legitimate campaign organisation that says that it "champions efforts to help young people make informed and responsible decisions about their reproductive and sexual health." It has a website at www.advocatesforyouth.org which was registered in 1996.

However, the domain advocatesforyouths.org is a completely fake rip-off of the legitimate advocatesforyouth.org site (note the extra "s") which is advertising itself through spam:

From:     Advocates for Youth [inboxteam6@gmail.com]
Reply-To:     Advocates for Youth [ljdavidson@advocatesforyouths.org]
Date:     2 July 2014 21:52
Subject:     Say No to FORCED MARRIAGE and HIV/AIDS
Mailing list:     xkukllsbhgeel of 668
Signed by:     gmail.com

Invitation Ref No: OB-22-52-30-J

OUR 12TH INTERNATIONAL YOUTH CONFERENCE ON “ EFFECTS OF TEENAGE MARRIAGE AND HIV/AIDS "

Advocates for Youth and co-organizers of the 12th international NGO's & CBO's conference on community Development and Development Planning have the pleasure to invite Youth Organizations, Socio Cultural Organizations, Community Based Organizations (CBO) Scholars, Researchers, Health Organizations, Professionals, Business Organizations (NGOs) Religion Organizations, Human Right Organizations & Women Groups to the International Conference on" Effects of Teenage Marriage and HIV/AIDS " taking place from Wednesday 20th - Friday 22nd August 2014 in U.S.A and Monday 25th August - Friday 29th August 2014 in The NETHERLANDS respectively.

This is the most important event in the framework of the fight to Educate the Youth on HIV/AIDS, Child Abuse, human and community development which will take place in Washington DC, United States of America from Wednesday 20th - Friday 22nd August 2014 in U.S.A and Monday 25th August - Friday 29th August 2014 in The NETHERLANDS respectively.

Advocates for Youth is registered 501(c) Non profit international organization whose aims & objectives are to empower individuals and communities worldwide through offering grants for business, education, economic enhancement, community development and environmental conservation, to support groups and organizations addressing social issues, youth ad women empowerment, and a variety of philanthropic projects through grants to non-profit organization; to provide education & information with view of limiting abuse and child molestation, to support and advocate on behalf of those infected and affected by the menace or abuse and neglect to promote the well-being of mankind by empowering the capacity of charitable organization to provide effective programs of quality.

This conference will bring together 1026 representatives of NGOs/CBOs and numerous numbers of interested individual participants from all over the world. The conference will be conducted on participatory bases with satellite plenary and simultaneous sessions followed by general and small group discussions.

SUPPORT: The conference receives financial support from CitiBank New York and United Nations Youth Commission etc. This sponsorship covers the following:

1. Return Airplane travel tickets for selected delegates from their home countries to venues of the event in Washington DC ( United States of America ) and The Hague City (The Netherlands), then back to their home countries.

2. Hotel accommodations in Washington DC ( United States ) only for selected delegates and their friends.

3. Medical insurance cover for delegates throughout the entire conference duration.

Advocates for Youth will not assume the responsibilities of any other costs other than those listed above.

NOMINATION & SELECTION OF PARTICIPANTS: Intending participants are requested to nominate between Five (5) to Ten (15) active members to participate. Participants should be from 14 years and above (Male or Female).

REGISTRATION PROCESS: To register to take part in this Conference, please request for the International Delegates Registration form and other conference information. The request for registration form and other conference information should be addressed to the Secretary:

Linara J. Davidson
Secretary, Advocates for youth
2000 M Street, NW Suite 750,
Washington DC 20036,
United States of America,
Tel: +1 202.600.9543
Fax: + 1 650.747.4401
Email: ljdavidson@advocatesforyouths.org
Website: http://www.advocatesforyouths.org

While we anticipate your earliest response, you are advised to contact the Secretary by email and we look forward to meeting up with you and your group in Washington DC and The Hague City to assert a new change for a stronger society.

Announcer !!!

Debra Hauser
President, Advocates for youth,
Washington DC
U.S.A.
Email: debra.hauser@advocatesforyouths.org

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer: The CAN-SPAM Act of 2003 (Controlling the Assault of Non-Solicited Pornography and Marketing Act) establishes requirements for those who send commercial email, spells out penalties for spammers and companies whose products are advertised in spam if they violate the law, and gives consumers the right to ask mailers to stop spamming them. The above mail is in accordance to the Can Spam act of 2003: There are no deceptive subject lines and is a manual process through our efforts on World Wide Web. You can opt out by sending mail to email id mention here and we ensure you will not receive any such mails.
In this case the email originates from 217.120.44.73 (Ziggo / Groningen, Netherlands) and was sent to a spam trap.

The fake site is almost a bit-for-bit copy of the fake site, but things like the Contact Details page are slightly different:


The fake site has a telephone number of 202.600.9543 and a fax number of 650.747.4401. The fax number is in California, but the "202" telephone number appears to be Washington.. but on closer examination it looks like a VOIP (internet phone) number which could possibly be anywhere in the world.


But the fake site looks utterly convincing. Mostly because it is cloned directly from the legitimate site. (See screenshot above)

The domain advocatesforyouths.org was registered on 24th May 2014 with anonymous details, and the mail handler is mailhostbox.com who are a legitimate commercial provider. But what most visitors to advocatesforyouths.org will not spot is that the domain just does a framed forward to another site googleones.in/advocates4youth/ which is where things get more complicated.

googleones.in is hosted on 74.122.193.45  a Continuum Data Centers IP reallocated to:

OrgName:        Ajay Kumar
OrgId:          AK-7
Address:        801 Main St NW
City:           Lenoir
StateProv:      NC
PostalCode:     28645
Country:        US
RegDate:        2012-11-30
Updated:        2012-11-30
Ref:            http://whois.arin.net/rest/org/AK-7

OrgAbuseHandle: SNM9-ARIN
OrgAbuseName:   machiwala, shazim nizar
OrgAbusePhone:  91 22 26782833
OrgAbuseEmail:  shazim@ideastack.com
OrgAbuseRef:    http://whois.arin.net/rest/poc/SNM9-ARIN

OrgTechHandle: SNM9-ARIN
OrgTechName:   machiwala, shazim nizar
OrgTechPhone:  91 22 26782833
OrgTechEmail:  shazim@ideastack.com
OrgTechRef:    http://whois.arin.net/rest/poc/SNM9-ARIN


The domain is registered to:

Registrant Name:Ziggo Ziggo
Registrant Organization:N/A
Registrant Street1:stadhoudersstraat
Registrant Street2:
Registrant Street3:
Registrant City:rijswijk
Registrant State/Province:Zuid-Holland
Registrant Postal Code:2282pm
Registrant Country:NL
Registrant Phone:+31.0657392939
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Registrant Email:alzaidaemirates@hotmail.com


The "alzaidaemirates@hotmail.com" doesn't really seem to tally with the Netherlands address, but it does link in with some other contents of the server. Incidentally, Rijswijk isn't very close to Groningen being a 233Km drive so the spammer's IP doesn't match the WHOIS details.

Interesting, the root directory of googleones.in is open and this is where it gets complicated.

We can see folders with the following names:
  • advocates4youth/
  • alz/
  • cgi-bin/
  • eem/
  • eemtholland/
  • tbello/
"advocates4youth" contains the fake Advocates For Youth Siteas already discussed

Al-zaida Emirates

"alz" is a site called "Al-zaida Emirates" which is a ripoff of the legitimate Zamil Group Holding Company. Probably the obvious different to that the "Al-zaida" site has an "Apply For Loan" button which marks it out as some sort of finance scam.

EEM Moura and TEE Bello (part 1)

The next fake site is under "eem" which advertises itself as "EEM MOURA & TEE BELLO Group of Companies". This site is a slightly-altered copy of the legitimate Alpha Group.


There is perhaps a clue here under "Shipping" which could be advertising for a Parcel Mule job (i.e. laundering stolen goods).

EEM MOURA & TEE BELLO (part 2) [eemthollandbv.nl]

There is another fake "EEM MOURA & TEE BELLO" site in the folder "eemtholland" (and using the forwarder domain eemthollandbv.nl). This is different from the other site being a fake shopping site, a poor copy of the legitimate HollandForYou.com site.


This fake site is also likely to be recruiting people for a parcel reshipping scam.

Hotel T. Bello

The final fake site is filed under "tbello" (sounds familiar?) and is supposedly the "Hotel T. Bello" in Den Haag (The Hague). It is a poor copy of the InterContinental Amstel Amsterdam.


Perhaps the "Hotel T Bello" is a fake hotel for the delegates to the fake "Advocates for Youth" conference that was advertised in the original spam.. that is certainly one way that these conference scams work.

There is not a single legitimate site on this server. Avoid.