Wednesday, 24 February 2021

Updated 3NT Solutions LLP / inferno.name / V3Servers.net IP ranges (2021 edition)


It's been about a zillion years (well, OK, it was 2017) since I last published a list of IP ranges belonging to 3NT Solutions LLP that you probably want to block. Their name came up yet again in something I was looking at, and I was slightly surprised to see that the old list was still largely valid. However, a bit of research turned up some new ranges, and a few of the old ones look as if they may have been cleaned up.

Current

5.45.64.0/19
5.61.32.0/19
37.1.192.0/19
37.252.0.0/20
46.22.211.0/25
46.22.211.128/26
80.79.124.128/26
91.193.180.0/22
92.48.122.0/28
92.48.122.16/28
92.48.122.32/28
92.48.122.48/28
130.0.232.0/21
185.4.64.0/22
188.116.27.0/24
212.95.54.0/24
212.95.58.0/24
212.95.63.0/24

Potentially clean

95.168.165.0/24
95.168.173.0/24
95.168.177.0/24
95.168.178.0/24
95.168.191.0/24
184.154.38.40/29
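The list above is only useful once it is loaded somewhere that can answer "is this address in it?" and pushed into a firewall. The following is an added example (not code from the original post) that parses the "Current" list verbatim, collapses adjacent prefixes into the smallest set of blocks, checks addresses against it, and renders `ipset` commands. The probe address 37.1.211.221 is the 3NT Solutions host named in the Necurs post further down this page; 192.0.2.1 is a documentation address used here as a constructed negative case.

```python
"""Turn a published CIDR block list into something you can check and deploy.

Added example, not code from the original post. CURRENT_3NT_RANGES is copied
from the "Current" list above; the probe addresses in __main__ are
37.1.211.221 (from the Necurs post on this page) and 192.0.2.1 (constructed).
"""
import ipaddress
from typing import List, Optional

CURRENT_3NT_RANGES = """
5.45.64.0/19
5.61.32.0/19
37.1.192.0/19
37.252.0.0/20
46.22.211.0/25
46.22.211.128/26
80.79.124.128/26
91.193.180.0/22
92.48.122.0/28
92.48.122.16/28
92.48.122.32/28
92.48.122.48/28
130.0.232.0/21
185.4.64.0/22
188.116.27.0/24
212.95.54.0/24
212.95.58.0/24
212.95.63.0/24
"""


def load_networks(text: str) -> List[ipaddress.IPv4Network]:
    """Parse one CIDR per line; '#' starts a comment.

    strict=True rejects a prefix whose host bits are set, which is the usual
    copy/paste typo that silently widens (or mis-places) a block.
    """
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            nets.append(ipaddress.ip_network(line, strict=True))
    return nets


def collapse(nets: List[ipaddress.IPv4Network]) -> List[str]:
    """Merge adjacent or overlapping prefixes so the firewall gets the minimal set
    (e.g. the four 92.48.122.x/28 entries become a single /26)."""
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def match(addr: str, nets: List[ipaddress.IPv4Network]) -> Optional[str]:
    """Return the listed prefix that contains addr, or None if it is not listed."""
    ip = ipaddress.ip_address(addr)
    for net in nets:
        if ip in net:
            return str(net)
    return None


def ipset_commands(name: str, nets: List[ipaddress.IPv4Network]) -> List[str]:
    """Render the collapsed list as ipset commands: one hash:net set, one add per prefix.
    -exist makes the script idempotent on re-runs."""
    cmds = [f"ipset create {name} hash:net -exist"]
    cmds += [f"ipset add {name} {cidr} -exist" for cidr in collapse(nets)]
    return cmds


if __name__ == "__main__":
    nets = load_networks(CURRENT_3NT_RANGES)
    for probe in ("37.1.211.221", "192.0.2.1"):
        print(probe, "->", match(probe, nets))
    print("\n".join(ipset_commands("3nt", nets)))
```

The `ipset` set can then be referenced from a single `iptables -I INPUT -m set --match-set 3nt src -j DROP` rule; keeping the list in a set rather than as individual rules means updating it later is a matter of re-running the `add` lines.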

Tuesday, 24 November 2020

Websites owned by Philip John Sabin and associated companies

Apropos of nothing, all these websites are hosted on 212.230.207.100 to 213.230.207.109 (Netcalibre, UK) and appear to be owned and controlled by Philip John Sabin and/or Luxury Sleuth Ltd (11482506) and We Just Compare Ltd (12485232). Funnily enough, I can't find an ICO registration for these companies; maybe that's just me doing it wrong. Perhaps anyone who knows can add something in the comments?

www.britishluxuries.com
www.couponsleuth.co.uk
www.delivermeevents.co.uk
www.delivermeoffers.co.uk
www.delivermeoffers.com
www.distinguishedclub.co.uk
www.distinguisheddata.co.uk
www.distinguishedtraveller.co.uk
www.easylawnsltd.com
www.eventsleuth.co.uk
www.exclusive-travel-club.com
www.filmsleuth.co.uk
www.fusina.co.uk
www.grandcartours.com
www.homeimprovementsleuth.co.uk
www.investingtrends.co.uk
www.investmentsleuth.com
www.journeysofdistinction.co.uk
www.leads4sale.co.uk
www.leadsleuth.co.uk
www.luxurycartours.com
www.luxury-rallies.co.uk
www.luxuryrallies.com
www.luxurysleuth.co.uk
www.luxurysleuth.com
www.luxuryupdates.co.uk
www.mailhubs.co.uk
www.mxchecker.com
www.payhound.co.uk
www.savvyinvesting.co.uk
www.sleuth.media
www.sleuthmarketing.co.uk
www.thepropertysleuth.co.uk
www.thriveland.co.uk
www.travellead.uk
www.travellerstrust.com
www.travelsleuth.co.uk
www.travelsleuth.com
www.travelsleuth.uk
www.usesend.co.uk
www.wejustcompare.co.uk
www.wejustcompare.com
www.wejustentertain.com
www.wejustinsure.com
www.wejustinvest.com
www.whichfuneralplans.wejustcompare.com
www.worldtradingpartners.com
www.worldtravelpartners.co
www.worldtravelpartners.co.uk
www.wtplimited.com
www.youaregorgeous.co.uk
www.yourpricecomparison.com

Monday, 18 March 2019

"Central Intelligence Agency - Case #79238516" extortion spam

I've seen various extortion spams over the past 12 months or so, but this one has a particularly vicious twist.

If you haven't seen one of these before - it's just a spam, randomly sent to your email address. You can safely ignore it.

From:    Liza Guest [liza-guest@eosj.cia-gov-it.tk]
Reply-To:    liza-guest@eosj.cia-gov-it.tk
To:    [redacted]
Date:    18 Mar 2019, 06:33
Subject:    Central Intelligence Agency - Case #79238516

Case #79238516
Distribution and storage of pornographic electronic materials involving underage children.

My name is Liza Guest and I am a technical collection officer working for Central Intelligence Agency.

It has come to my attention that your personal details including your email address ([redacted]) are listed in case #79238516.

The following details are listed in the document's attachment:

  • Your personal details,
  • Home address,
  • Work address,
  • List of relatives and their contact information.

Case #79238516 is part of a large international operation set to arrest more than 2000 individuals suspected of paedophilia in 27 countries.

The data which could be used to acquire your personal information:

  • Your ISP web browsing history,
  • DNS queries history and connection logs,
  • Deep web .onion browsing and/or connection sharing,
  • Online chat-room logs,
  • Social media activity log.

The first arrests are scheduled for April 8, 2019.

Why am I contacting you ?

I read the documentation and I know you are a wealthy person who may be concerned about reputation.

I am one of several people who have access to those documents and I have enough security clearance to amend and remove your details from this case. Here is my proposition.

Transfer exactly $10,000 USD (ten thousand dollars - about 2.5 BTC) through Bitcoin network to this special bitcoin address:

3QTV16BBsaEBVuwZv8wCjEgWZTKVVQPJ3h

You can transfer funds with online bitcoin exchanges such as Coinbase, Bitstamp or Coinmama. The deadline is March 27, 2019 (I need few days to access and edit the files).

Upon confirming your transfer I will take care of all the files linked to you and you can rest assured no one will bother you.

Please do not contact me. I will contact you and confirm only when I see the valid transfer.

Regards,
Liza Guest

Technical Collection Officer
Directorate of Science and Technology
Central Intelligence Agency

Another version comes "from" tannerlynch@oiks.cia-gov-it.gq and solicits payments to 32ngJWq6YYGUfvCbj3Ji7MNSnqi3rdM5qa. There are probably others. At the time of writing, neither of these two Bitcoin wallets had received any payment.
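The two things worth pulling out of a message like this automatically are the Bitcoin address (so the wallet can be watched, as the post does) and the sender domain pattern: an agency name stuffed into a throwaway domain on a free TLD. Below is an added example, not code from the original post, that does both. It extracts candidate legacy Bitcoin addresses, verifies each one's Base58Check checksum so a mangled or look-alike string is not logged as a payable wallet, and flags sender domains that combine an agency keyword with a free TLD. The keyword and TLD lists are my assumptions chosen to fit the two samples above; the sample message is constructed from the quoted headers and body.

```python
"""Triage heuristics for Bitcoin extortion spam like the "CIA case" message above.

Added example, not code from the original post. AGENCY_WORDS and FREE_TLDS are
assumptions; SAMPLE_HEADERS/SAMPLE_BODY are constructed from the quoted spam.
"""
import hashlib
import re
from typing import Dict, List

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
# Legacy P2PKH ('1...') and P2SH ('3...') addresses only; bech32 is out of scope here.
ADDR_RE = re.compile(r"\b[13][" + B58 + r"]{25,34}\b")

AGENCY_WORDS = {"cia", "fbi", "gov", "interpol", "police", "europol"}   # assumption
FREE_TLDS = {"tk", "gq", "ml", "ga", "cf"}                                # assumption


def base58check_valid(addr: str) -> bool:
    """Decode Base58 and verify version(1) || hash160(20) || checksum(4)."""
    n = 0
    for ch in addr:
        i = B58.find(ch)
        if i < 0:                      # character outside the alphabet (0, O, I, l, ...)
            return False
        n = n * 58 + i
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    leading = len(addr) - len(addr.lstrip("1"))   # each leading '1' encodes a 0x00 byte
    raw = b"\x00" * leading + body
    if len(raw) != 25:
        return False
    checksum = hashlib.sha256(hashlib.sha256(raw[:21]).digest()).digest()[:4]
    return checksum == raw[21:]


def suspicious_sender(from_header: str) -> bool:
    """True when the sender domain pairs an agency keyword with a free TLD,
    e.g. liza-guest@eosj.cia-gov-it.tk -> tokens {eosj, cia, gov, it, tk}."""
    m = re.search(r"@([A-Za-z0-9.\-]+)", from_header)
    if not m:
        return False
    domain = m.group(1).lower().rstrip(".")
    tokens = set(re.split(r"[.\-]", domain))
    return domain.rsplit(".", 1)[-1] in FREE_TLDS and bool(tokens & AGENCY_WORDS)


def triage(headers: Dict[str, str], body: str) -> Dict[str, object]:
    """Return the indicators a responder would pivot on, plus a coarse verdict."""
    candidates: List[str] = ADDR_RE.findall(body)
    payable = [a for a in candidates if base58check_valid(a)]
    sender_bad = suspicious_sender(headers.get("From", ""))
    verdict = "extortion-spam" if (sender_bad and candidates) else "review"
    return {"addresses": candidates, "payable": payable,
            "sender_suspicious": sender_bad, "verdict": verdict}


# Constructed sample, assembled from the headers and body quoted in the post.
SAMPLE_HEADERS = {
    "From": "Liza Guest [liza-guest@eosj.cia-gov-it.tk]",
    "Subject": "Central Intelligence Agency - Case #79238516",
}
SAMPLE_BODY = """Case #79238516
I am one of several people who have access to those documents.

Transfer exactly $10,000 USD (ten thousand dollars - about 2.5 BTC) through Bitcoin network to this special bitcoin address:

3QTV16BBsaEBVuwZv8wCjEgWZTKVVQPJ3h

The deadline is March 27, 2019 (I need few days to access and edit the files).
"""

if __name__ == "__main__":
    print(triage(SAMPLE_HEADERS, SAMPLE_BODY))
```

The checksum step matters in practice: a copy/paste or OCR error in one character produces a string that looks like an address but can never receive funds, and watching it tells you nothing about whether the campaign is paying off.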

Tuesday, 22 May 2018

Phishing and fraudulent sites hosted on 188.241.58.60 (Qhoster)

Nigerian registrants. Dodgy Eastern European host offering bulletproof and anonymous hosting. Yup, I very much doubt there is anything legitimate at all hosted on 188.241.58.60, or indeed on any part of Qhoster's network.

237buzz.com
255page.ga
702mine.com
779999977.com
a1cargomovers.com
abtprinting.com
adassco.com
admincamac.co.uk
afazendaideal.ml
afflluenceindia.com
africheck.com
alamiranut.com
alexandrahospitals.com
alliarnce.org.uk
allseaship.com
amba-medias.com
amiicogroup.com
andrzejkupnopark.eu
anook.info
ansaexpress.com
antrackdiplomaticcs.com
apidexconstruction.com
aramexbe.com
arshland.com
artyschat.com
atlanticfforum.com
aughana.com
battlegrounds-arena.com
baugeruest-handel.com
bevadgmbh.com
billdiamondfinance.co.uk
binaryoptionsmonitor.com
binco-sale.com
bit-masters.com
bitcoincashold.com
bitcoinsdrugsrehab.com
bitmain-alliances.com
bitmamashop.com
blecoman.com
bmpro.info
bourseafrique.com
britannia-pharmaceutical.co.uk
btccap.biz
btctriplermachine.com
buycounterfeitmoneys.com
calvinscott.biz
cameroonianbeauties.com
candodvillahotel.com
carphonewarehouse-eu.com
centroculturadigital.com
certificatesshop.com
chainconnect.co
chaseoffshoreonline.tk
chondomonitor.com
citydiaryfarms.com
classicdeliverycourier.com
clickhereforgiveaway.site
clickhereforgiveaway.xyz
cloud-bigfile.com
cncoslight-zh.com
cnximgang.com
coca-colafinancedept.com
coflaxfluidhandling.com
coinminners.com
coinrxstore.com
compasseguip.com
confirmedsoft.us
cosm0-hk.com
cosmosport24.com
creditonfcu.com
crewlinked.com
criagent.com
crypto023.com
cryptominingtechnology.com
cryptoshifters.com
cs-oilfeild.com
cureonlinepharmacy.org
denverlaserhairremoval.co
divecastle.com
dlnamicatrade.com
double-bitcoins-legit.com
eastmanimpex.cam
ebid-tg.com
efceosaudi.com
elitecertifiedhack.com
emailtime.info
ethiopianairilines.com
eurocertificationcentre.eu
fabftifun.com
faircloths.co.uk
fastcoine.com
fastestfingersfirst.com
fidelity-investment.co.uk
findingthepropercode.com
firstsuorceinc.com
forvisitingthankyou.com
fotesale.com
front-dashboard.com
gdp-international.com
general-funds.com
generate-dcash.biz
gettinginonthelow.com
global-news.center
globalinkscobsult.com
globalinksconsult.com
gmb-trade.com
goimsa.info
grand-sale.com
grantersmultiservices.com
greetapex.com
guaranteecds.com
hackers-list.com.de
harpack-ulma.com
heraeu.com
hereweareonit.com
hlroyoung.com
horizonpartnerrsltd.com
houseofspells.com
hsbrands-int.ml
humer1adminka.com
hyip.co.in
hyipcave.com
idexpresscargo.com
inlinefornine.com
interseadrill.com
item-desc.com
jdfrencis.com
jonihoppershowcase.com
kcf-th.com
kececiprofile.com
kencanafishing.com
kiingsay.com
kindres.com
kindres.de
kippaskagit.com
kmsinfoservice.com
ks-prod.com
lane-pres.com
legitrxonline.club
lifegoalsdevelopmentschool.com
litbitcoinembassy.com
littlerockbitcoins.com
live-rx-store.com
loactrippleser.ga
loan-assistance.com
loan-dealer.com
loudiclear.com
lurnentum.com
luwiex.com
manarpso.com
mannhiem.in
maomanlodocs.cf
marshawoifesquire.com
mcmg-tech.com
meetcameroonians.com
meetup4real.com
megachemstoreonline.com
miamibeachcoin.com
microclicker.com
mile22-casting.com
miningcrux.com
mission4christministry.com
movimientorevolucionariodelpueblo.org
ms-fi.com
mst4sale.com
mysite111.com
neatwaytogettheninth.com
neusportltd.com
news-world.center
nexttys.com
nightcapdice.com
ninthinline.com
nlsteinweg.com
nomuta.com
noworri.com
obsgruop.com
offshoreseadrill.com
onehereisreservedforyou.com
online-citibankgroup.com
ontothenextgame.com
opcolage.com
orifiameglobal.com
ourskynet.com
oxfords-pay.com
parcelservicess.com
pharmas4plus.com
plccsolutions.com
psypharm.com
ptochart.com
quicktitletransfer.com
rashedal-wataniagroup.com
rawgarner.com
realbuyrx.com
recordspharm.com
researchchem4us.com
resumedatabase11.xyz
rnailb.com
rnarhaba.com
ro-noutati-mondene.ml
robnsaconsult.com
rock-sale.com
rosenbaumcontemporarygroup.com
royalstandard.ga
rumlt.in
rush-sale.com
seachiefs.com
seguradoravirtual.com
seosenior.com
service-infoo.com
she-afro.com
shippingdynamics.com
showbarghana.com
siglobal.org
simplyitaly.dk
simplyitaly.it
skillocademy.com
sms-red-online.ga
solid-sale.com
southchina-sea.net
srcoin.ca
srnec-cn.com
stacksign.ga
superenterprise.work
superwhiteningpills.org
svclnlk.com
tax-gov.com
tccholdng-th.com
tecebusiness.com
techfronst.com
thebinaryoptionmonitor.org
thecolumbiabanks.com
thefutureofkitchen.com
theninthisin.com
thewomoorsfestival.co.uk
thisistheninth.com
tienhongjs.com
timetorefillthestock.com
torromodel.de
trans-atlanticdrilling.com
trustedhackers.com
turkiyenews247.tk
turkiyenews27.tk
twhe48.online
uk-pharmcay.com
ulmaparkaging.com
ultronnews.com
unipharma.bz
urnalaxmi-organics.com
usr-acc-serv.com
vendadebitcoin.com
visteonogbonnagroup.com
vpox.ru
vwork.pw
walletsofcoolandhip.com
weather-livenews.com
webs-host.pro
xcesstel.com
xopen.cc
yahoomailservice.com
youngcompamies.com
yoyooo.xyz
zestcrypto.com

Thursday, 10 May 2018

Malware spam: "New documents available for download" / service@barclaysdownloads.co.uk / barclaysdownloads.com

This fake Barclays spam seems to lead to the Trickbot banking trojan.

From:    Barclays [service@barclaysdownloads.co.uk]
Date:    10 May 2018, 13:16
Subject:    New documents available for download
Signed by:    barclaysdownloads.co.uk
Security:    Standard encryption (TLS)

Barclays Bank PLC Has Sent You Important Account Documents to Sign

You can view the document in your Barclays Cloud account. For additional security, the sender has set an open password for this document.

Documents assigned to: jlines@[redacted]
Your unique download password: "CJ98oZOwye"

To view or download the document please click here.

The submission number is id: bc7729-272sec912-91navc.
Please quote this number in any communications with Barclays.

Disclaimer: This email and any attachments are confidential and for the sole use of the recipients. If you have received this email in error please notify the sender.

Email Security Powered by Barclays IBE.

Copyright 2018 Barclays PLC. All rights reserved. 

The download password and submission number are the same in all cases I have seen. Clicking the link leads to a landing page at barclaysdownloads.com.


Entering the password downloads a document AccountDocuments.doc with a VirusTotal detection rate of 14/58, and Hybrid Analysis indicates that this uses an Equation Editor flaw to run a PowerShell script that downloads an additional component from:

http://basedow-bilder.de/kporto.bin
http://crimefiles.net/logo.bin


The .bin file is saved as %TEMP%\lovemete.exe and this currently has a detection rate of 15/65. Hybrid Analysis indicates this is Trickbot.

barclaysdownloads.co.uk and barclaysdownloads.com have both been registered for this purpose; the latter is hosted at Cloudflare.
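The chain described above (Word document, Equation Editor, PowerShell, a .bin downloaded and written to %TEMP% as an .exe, then launched) is easy to express as endpoint telemetry rules. The following is an added example, not code from the original post: it runs a handful of rules over constructed Sysmon-style events (EventID 1 process create, 3 network connect, 11 file create, with Sysmon's field names) and reconstructs the parent chain for each hit. Only the dropped file name lovemete.exe and the download host basedow-bilder.de come from the post; the PIDs, user name, paths, command lines and the benign noise events are made up.

```python
"""Rule-based detection of the document -> Equation Editor -> PowerShell -> dropped EXE chain.

Added example, not code from the original post. EVENTS is a constructed
Sysmon-style sample; only lovemete.exe and basedow-bilder.de are from the post.
"""
import re
from typing import Dict, List

Event = Dict[str, object]

# An executable written to or run from the per-user temp directory.
TEMP_EXE = re.compile(r"\\AppData\\Local\\Temp\\[^\\]+\.exe$", re.IGNORECASE)
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "eqnedt32.exe"}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def parent_chain(pid: int, procs: Dict[int, Event]) -> List[str]:
    """Walk ParentProcessId links upward; image names innermost-first."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        chain.append(basename(procs[pid]["Image"]))
        pid = procs[pid]["ParentProcessId"]
    return chain


def analyse(events: List[Event]) -> List[Dict[str, object]]:
    procs = {e["ProcessId"]: e for e in events if e["EventID"] == 1}
    alerts: List[Dict[str, object]] = []

    def alert(rule: str, e: Event) -> None:
        alerts.append({"rule": rule, "pid": e["ProcessId"],
                       "chain": parent_chain(e["ProcessId"], procs)})

    for e in events:
        image = basename(e["Image"])
        if e["EventID"] == 1:
            parent = basename(e["ParentImage"])
            # Equation Editor has no business launching a shell.
            if image == "powershell.exe" and parent == "eqnedt32.exe":
                alert("office_equation_editor_spawns_powershell", e)
            # The downloaded .bin, saved as an .exe in %TEMP% and launched.
            if parent == "powershell.exe" and TEMP_EXE.search(e["Image"]):
                alert("powershell_launches_exe_from_temp", e)
        elif e["EventID"] == 11:
            if image == "powershell.exe" and TEMP_EXE.search(e["TargetFilename"]):
                alert("powershell_writes_exe_to_temp", e)
        elif e["EventID"] == 3:
            # Outbound from a PowerShell whose parent is an Office component.
            proc = procs.get(e["ProcessId"])
            if (image == "powershell.exe" and proc is not None
                    and basename(proc["ParentImage"]) in OFFICE_PARENTS):
                alert("office_spawned_powershell_outbound", e)
    return alerts


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EQN = r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"
WORD = r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE"
TEMP = r"C:\Users\jlines\AppData\Local\Temp"

# Constructed sample: the malicious chain plus two benign events as noise.
EVENTS: List[Event] = [
    {"EventID": 1, "ProcessId": 3020, "ParentProcessId": 1200, "Image": WORD,
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": '"WINWORD.EXE" /n AccountDocuments.doc'},
    {"EventID": 1, "ProcessId": 4100, "ParentProcessId": 3020, "Image": EQN,
     "ParentImage": WORD, "CommandLine": '"EQNEDT32.EXE" -Embedding'},
    {"EventID": 1, "ProcessId": 4212, "ParentProcessId": 4100, "Image": PS,
     "ParentImage": EQN, "CommandLine": "powershell -w hidden -c <constructed downloader>"},
    {"EventID": 3, "ProcessId": 4212, "Image": PS,
     "DestinationHostname": "basedow-bilder.de", "DestinationPort": 80},
    {"EventID": 11, "ProcessId": 4212, "Image": PS, "TargetFilename": TEMP + r"\lovemete.exe"},
    {"EventID": 1, "ProcessId": 4388, "ParentProcessId": 4212, "Image": TEMP + r"\lovemete.exe",
     "ParentImage": PS, "CommandLine": '"lovemete.exe"'},
    {"EventID": 1, "ProcessId": 5120, "ParentProcessId": 1200, "Image": PS,
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "powershell.exe"},
    {"EventID": 11, "ProcessId": 6010, "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "TargetFilename": r"C:\Users\jlines\Downloads\report.pdf"},
]

if __name__ == "__main__":
    for a in analyse(EVENTS):
        print(a["rule"], a["pid"], " <- ".join(a["chain"]))
```

The first rule alone (Equation Editor spawning PowerShell) is enough to catch this sample and is close to noise-free on a normal fleet; the other three are there so the same chain is still visible if the initial stage changes but the download-to-%TEMP%-and-run pattern does not.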

Friday, 4 May 2018

"Best porno ever" Necurs spam

This spam (apparently from the Necurs botnet) promises much, but seems not to deliver.

From:    Susanne@victimdomain.tld [Susanne@victimdomain.tld]
Date:    4 May 2018, 10:22
Subject:    Best porno ever

Hi [redacted],

Best gay,teen,animal porno ever
Please click the following link to activate your account.

hxxp:||46.161.40.145:3314

Regards,
Susanne

The sender's name varies, but is always in the same domain as the victim.

I only saw four different links in the body text:
Warning live links - do not click
http://46.161.40.145:3314/
http://37.1.211.221:1699/
http://31.207.47.125/3FgtbvCf
http://77.72.84.115/

None of these sites were working when I tested them. Hosting IPs are:

46.161.40.145 (Ankas Ltd, Moldova)
37.1.211.221 (3NT Solutions, UK)
31.207.47.125 (Hostkey, Netherlands)
77.72.84.115 (Netup, UK)

3NT Solutions are a well-known purveyor of badness and I recommend blocking everything. What the payload is here is unclear, but you can guarantee that it's nothing good. And probably not smut either.


Sunday, 1 April 2018

New Traffic Light Protocol (TLP) levels for 2018

The Traffic Light Protocol should be familiar to anyone working with sensitive data, with levels RED, AMBER, GREEN and WHITE being used to specify how far information can be shared. In recent years it has become clear that these four levels are not enough, so the United Nations International Committee on Responsible Naming (UN/ICoRN) has introduced nine new TLP levels for implementation from the first day of April 2018.

It seems to me that these new levels do offer a much more nuanced approach to sensitive data and are in alignment with real-world needs. What do you think?


TLP Level   Description
RED         Information cannot be disclosed to anyone other than the current participants.
AMBER       Information can be disclosed within participants' organisations where appropriate.
GREEN       Information can be shared within the community but not published.
WHITE       Information can be published subject to copyright.
BLACK       Information can be retained by participants until the end of the meeting, when their minds will be wiped with a Neuralyzer.
BROWN       Knowledge of this information may cause recipients to soil themselves.
PINK        Information is intended to be TLP:RED but someone will inevitably treat it as TLP:WHITE.
BLUE        Knowledge of this information entitles recipients to a free ride in a police car.
BEIGE       Information is so unmemorable that participants will not be able to recall it even if they try (cf. TLP:BLACK).
TARTAN      Information is a complex mix of different TLP levels that cannot be easily separated.
YELLOW      Knowledge of this information may cause recipients to wet themselves (cf. TLP:BROWN).
GREY        It is not known if participants should have knowledge of this information or not.
RAINBOW     Information pertains to the existence of unicorns.