Sponsored by..

Thursday, 30 August 2007

"Harvey Investment Company" bogus emails


The Harvey Investment Company is a wholly legitimate organisation with a domain name of harveyinvestment.com. However, there are also a series of fake sites run by the people behind the Syndey Car Centre scam which are trying to recruit for fake jobs. The "jobs" offered are illegal money mule designed either to launder stolen money or to cash bogus cheques.

The .ph domain for the website is a Philippines domain, and in this case the bogus site is hosted on 89.38.194.67 in Romania. The fake company claims an address of 32 Route Francois-Peyrot, Geneva, 1218 Switzerland ph: +41225948581, fx: +41225948571 - the REAL company is based in Kentucky in the US.

Subject: our company has announced additional openings for new employees [letter id: xxxxxxxxxxx]

Join Harvey Investment Company team. Our customized employment solutions and personalized approach give job seekers access to great opportunities with competitive salaries. Our company offers comprehensive benefits that allow making good money, without spending too much time for that. Don't put your career in the hands of just anyone; put it in the hands of a specialist. Launch or rejuvenate your career today with Harvey Investment Company and its subsidiaries are equal opportunity employers.

Today we are looking for customer service associates who share our command spirit and are looking to land an outstanding position with a company who has consistently been recognized on the national level for their work in the investment and securities area. We work tirelessly to build solid relationships with well-recognized organizations across the nation to learn about projects and opportunities.

Take a look at the job responsibilities and qualifications below and if you think you would be an asset to the team, we invite you to apply for the position.

Customer service associate is responsible for being in close touch with the staff from the head office, accepting customer payments to his bank account and making further calculations regarding them. The associate should deduct his 10% interest out of every transaction he is going to deal with, as well as all the related charges. The associate further makes a Western Union/MoneyGram transfer of the balance left to the company's regional department.

A position requires excellent customer service skills, employee's ability to manage time and accomplish duties with a minimum of supervision. Ideal candidate should possess 1-2 free hours a day, a bank account, available to be used for the company needs, should be outgoing, dedicated to meeting deadlines and objectives and able to follow procedures.

Whether you're interested in short-term temporary work or full-time permanent hire, we are confident that we have the right job for you. Apply today and let Harvey Investment Company help you realize your true potential.

For further, more detailed information, please visit our web site http://hinvestment.ph/job.php

We are looking forward to hearing from you!

Tuesday, 28 August 2007

"Vegas Casino World" trojan

This is yet another variant of the Storm worm which has been sending out bogus postcard notifications and the like for some time now. The email is completely bogus and is not related to any real organisation with the name "Vegas Casino World" or similar variants.

Subject: Could you give us a hand?

We could sure use your opinion of our new program Vegas Casino World

Your help will get us ready for our market release. For helping out, you
will receive a free edition and 5 years of updates.

Just download the program, Check it out, and let us know your opinion.
Ready to be a beta tester? Just follow the link to our easy download
center: http://aa.bb.cc.dd/setup.exe
This is fairly widely detected by AV scanners, apart from McAfee. VirusTotal detects it as the following:

File setup.exe received on 08.28.2007 16:33:57 (CET)
AntivirusVersionLast UpdateResult
AhnLab-V32007.8.29.02007.08.28-
AntiVir7.4.1.632007.08.28WORM/Zhelatin.Gen
Authentium4.93.82007.08.28Possibly a new variant of W32/Fathom.3-based!Maximus
Avast4.7.1029.02007.08.27Win32:Tibs-BFG
AVG7.5.0.4842007.08.27Downloader.Tibs.7.X
BitDefender7.22007.08.28DeepScan:Generic.Zlob.38F48A71
CAT-QuickHeal9.002007.08.25(Suspicious) - DNAScan
ClamAV0.91.22007.08.28Trojan.Small-3637
DrWeb4.332007.08.28Trojan.Packed.142
eSafe7.0.15.02007.08.28Win32.Zhelatin.hq
eTrust-Vet31.1.50912007.08.28Win32/Sintun.AE
Ewido4.02007.08.28Worm.Zhelatin.hq
FileAdvisor12007.08.28-
Fortinet2.91.0.02007.08.28W32/Tibs.GN@mm
F-Prot4.3.2.482007.08.28W32/Fathom.3-based!Maximus
F-Secure6.70.13030.02007.08.28Email-Worm.Win32.Zhelatin.hs
IkarusT3.1.1.122007.08.28Email-Worm.Win32.Zhelatin.hq
Kaspersky4.0.2.242007.08.28Email-Worm.Win32.Zhelatin.hs
McAfee51062007.08.27-
Microsoft1.28032007.08.28Trojan:Win32/Tibs.DV
NOD32v224882007.08.28Win32/Nuwar.Gen
Norman5.80.022007.08.28W32/Tibs.ASFB
Panda9.0.0.42007.08.28-
Prevx1V22007.08.28-
Rising19.38.12.002007.08.28-
Sophos4.21.02007.08.28Mal/Dorf-E
Sunbelt2.2.907.02007.08.25VIPRE.Suspicious
Symantec102007.08.28Trojan.Packed.13
TheHacker6.1.9.1752007.08.28W32/Zhelatin.genw
VBA323.12.2.32007.08.28-
VirusBuster4.3.26:92007.08.27Trojan.Tibs.Gen!Pac.132
Webwasher-Gateway6.0.12007.08.28Worm.Zhelatin.Gen

Additional information
File size: 140367 bytes
MD5: 1ef03f4830c530799c57d67e1ccadc59
SHA1: 7d4677db2b158ba0296d112a696fecf2880167bd
Sunbelt info: VIPRE.Suspicious is a generic detection for potential threats that are deemed suspicious through heuristics.

Tuesday, 14 August 2007

Netgear WG511 V2 Review


What do I think of the Netgear WG511 V2? This is what I think of the Netgear WG511 V2.. a completely and utterly useless wireless networking card let down by very poor drivers and bad reliability. Even when using a Netgear router, the WG511 V2 will drop out randomly, the supplied drivers are poor but the drivers from the website are positively dangerous and will cause all sorts of unexpected problems with your PC.

If you're having problems with the Netgear WG511 V2 then I suggest that you take the approach as pictured, where I have upgraded it hammer, the excellent Draper Model 9001 (stock nunmber 51223). This Draper hammer is a 16 ounce model with a soft grip that makes it easy to handle and very good all-around characteristics. Recommended for dealing with heavy-duty problems, such as permanently decommissioning the Netgear WG511 V2.

Extreme measures? Perhaps, but the Netgear WG511 V2 has played me up for 18 months now in an environment where every other network card works perfectly. I have wasted a significant amount of time on this unreliable piece of junk. Good riddance, and I certainly will give Netgear NICs like this a wide berth in the future.

(PS, as you might guess.. I'm in the market for a new wireless NIC. Any recommendations would be appreciated!)

Thursday, 9 August 2007

Email "dating scams"


Sometimes scammers will try to lure you with a "dating scam" - usually a trick to gain money or possibly a visa. The basic setup is described here at Hoax-Slayer.com.

Often, these scams will use a throwaway email address at Hotmail, Yahoo or Gmail for responses, however these are often shut down so the latest trick is to register domains that look like genuine webmail addresses but aren't. Here's an example:

Hello! I am bored this afternoon. I am nice girl that would like to chat with you. Email me at mcmm@mailmessagecenter.info only, because I am writing not from my personal email. Don't miss some of my naughty pictures.
(Note the phrase "I am writing not from my personal email", because this comes from a spoofed address to make it harder to block.)

Now, mailmessagecenter.info looks like the sort of domain name you'd associate with a webmail account. In fact, it's hosted on a Chinese server at 124.254.2.226 along with a number of other domains. It appears that all of these domain names have been created to pursue this scam, so if you receive and email from any of them then just delete it.

  • Freemailwap.info
  • Imailmessage.info
  • Imailvision.info
  • Jumpcutpost.info
  • Jumpemail.info
  • Latinmailemail.info
  • Lonelyheartwaiting.com
  • Lovegalaxys.com
  • Loveisspecial.com
  • Loveonlylove.com
  • Mailmessagecenter.info
  • Mailmessageonline.info
  • Mailownemail.info
  • Mailvisionworld.info
  • Outmaildirect.info
  • Penmailpro.info
  • Postionvision.info
  • Presummermail.info
  • Romanticloveforever.com
  • Simpleitislove.com
  • Thaibestmail.info
  • Theamericanmail.info
  • Thefriendlymail.info
  • Thelovingplace.net
  • Tonsofloves.com
  • Worldmeetlove.com
Some of these sites are fake mail sites, others are fake dating sites. Unlike many scams, there's a fair level of sophistication to this one so it's quite possible to see that it might drag in some unsuspecting victims.

Wednesday, 8 August 2007

"Comcast Automated Systems" Trojan

A trojan embedded in a ZIP file this time. It's attempting to use a filename of statement.pdf[lots of spaces].exe


Subject: Important Notice-July 2007 Statement 0000000


PLEASE DO NOT REPLY TO THIS E-MAIL. THIS E-MAIL ADDRESS IS USED BY
COMCAST AUTOMATED SYSTEMS AND IS NOT MONITORED.

Your August 07, 2007 Bank billing statement is ready for viewing. To
view your bill download attached Adobe Acrobat PDF file.

If you would like to discontinue receiving a hard copy billing
statement in the mail, you may do so by selecting the UPDATE STATEMENT METHOD
link once you have logged into your account. From there, simply select
the option for Electronic Statement Only.

You received this e-mail because you enrolled Account feature.
If you no longer wish to receive these e-mails, you will
need to cancel your enrollment. To cancel your enrollment, please log
in to your account and from the Update Profile screen, select the cancel
link from the bottom of the page.

As far as we can tell, the filename enclosed in the ZIP file won't extract properly because there are too many spaces and the filename it too long, but the spammers will probably figure it out eventually.

If you're using Postini, then the attachment manager can be easily configured to block all .exe files, and this also applied to .exe-in-.zip files.

Detections are patchy with some AV products picking up the executable packer. When the .exe files run it will attempt to install other malware, some of which will be picked up by AV products. According to VirusTotal:


File statement.pdf____________________ received on 08.08.2007 17:44:19 (CET)
AntivirusVersionLast UpdateResult
AhnLab-V32007.8.3.02007.08.08-
AntiVir7.4.0.572007.08.08TR/Crypt.XPACK.Gen
Authentium4.93.82007.08.08-
Avast4.7.1029.02007.08.07-
AVG7.5.0.4762007.08.07-
BitDefender7.22007.08.08-
CAT-QuickHeal9.002007.08.08(Suspicious) - DNAScan
ClamAV0.912007.08.08-
DrWeb4.332007.08.08-
eSafe7.0.15.02007.07.31suspicious Trojan/Worm
eTrust-Vet31.1.50432007.08.08-
Ewido4.02007.08.08Downloader.Agent.bhl
FileAdvisor12007.08.08-
Fortinet2.91.0.02007.08.08-
F-Prot4.3.2.482007.08.08-
F-Secure6.70.13030.02007.08.08Trojan-Downloader.
Win32.Small.ehe
IkarusT3.1.1.122007.08.08-
Kaspersky4.0.2.242007.08.08Trojan-Downloader.
Win32.Small.ehe
McAfee50922007.08.07-
Microsoft1.27042007.08.08VirTool:Win32/Obfuscator.C
NOD32v224442007.08.08a variant of Win32/Spy.Nuklus
Norman5.80.022007.08.08-
Panda9.0.0.42007.08.08Suspicious file
Prevx1V22007.08.08-
Rising19.35.22.002007.08.08-
Sophos4.19.02007.08.01-
Sunbelt2.2.907.02007.08.07Infostealer.Nuklus
Symantec102007.08.08-
TheHacker6.1.7.1642007.08.08-
VBA323.12.2.22007.08.07Trojan-Spy.Win32.Small.gv
VirusBuster4.3.26:92007.08.08Trojan.DL.Small.Gen!Pac25
Webwasher-Gateway6.0.12007.08.08Trojan.Crypt.XPACK.Gen

Additional information
File size: 13824 bytes
MD5: 38ac63f8b7ef22d9a07138ba73de7178
SHA1: 6337e3178eba2859fd0e2e1188eab8b528696933
packers: UPack


-----

Sunday, 5 August 2007

"S-Pharm" scam

Another money laundering/money mule scam, this time from "S-Farm". As before, money transfers of this type are illegal and you will get into serious trouble if you get involved.

Dear Sir/Madam,

S-Pharm is a USA company selling medical and consumer goods. We have
reached big sales volume of pharmaceuticals in the UK and now are trying
to penetrate the European market. Quite soon we will open
representative offices and pharmacies or authorized sales centers in the UK and
therefore we are currently looking for people who will assist us in
establishing a new distribution network there. The fact that despite the
British market is new for us we already have regular clients also speaks for
itself.

WHY YOU?
The international money transfer tax for legal entities (companies) in
USA is 25%, whereas for the individual it is only 7%. That.s why we
need you! We need agents to receive payment for our products (by
electronic money transfer) and to resend the money to us. This
way we will save money because of tax decreasing.

HOW MUCH WILL YOU EARN?
7%-9% from each sale/resale operation! For instance: you receive 1000
GBP to your bank account. You will withdraw the money and keep 70GBP (7%
from 1000GBP) for yourself! At the beginning your commission will
equal 7%, though later it will increase up to 9%!

ADVANTAGES
You do not have to go out as you will work as an independent contractor
right from your home office. Your job is absolutely legal. You can
earn up to 3000 GBP-4000 depending on time you will spend for this job.
You do not need any capital to start. The employees who make efforts and
work hard have a strong possibility to become managers. Anyway our
employees never leave us.

If you are interested in our offer, please feel free to ask for the
general provisions of the Contract.

Best regards,
S-Pharm Manager

Wednesday, 1 August 2007

Wheredidyoubuythat.com spam - update

I got a nice comment from the company on this one:

My name is Karine Kong, Director from www.wheredidyoubuythat.com
First of all, please accept our sincere apologies for the inconvenience you are experiencing.
Unfortunately we have never received your email mentionning this spam issue, otherwise we would have responded to you within 48 hours. However, now we are aware of it, our technical team is looking into this to see how & why this is happening.
I would like to reassure you that for security reasons, our database does not hold customers card details so even if some malicious virus have broken into our database, there is little they could do except annoying our customers with spam emails. I shall let you know how this is resolved as soon as possible. In the meantime, do not hesitate to contact me if you have any queries.
Kind regards
I must say that this sounds 100% plausible. It looks as if the email addresses have been harvested off an infected machine.

Incidentally, wheredidyoubuythat.com does have some really nice stuff :)

"Syndey Car Centre" scam


This particular scam has been around for a few weeks now, for a wholly fictitious company called the Syndey Car Centre. Although they do have a website, it's a copy of the legitimate Stratford Car Centre in the UK who are not connected in any way with the scam.

Just to prove that spammers are actually morons, this was sent to the abuse role account.

The scam is the usual money laundering / money mule operation - if you have received one of these delete it, if you have been "recruited" then you need to speak to your local police before they speak to you.

While we may have high expectations of our associates, we also give them high rewards. Imagine being part of a stable organization with a sterling reputation - a place where the Sydney Car Centre is an integral part of all that we do. With our car centre personality, you'll not just succeed - you'll thrive. And, with our strong commitment to promoting from within, you'll definitely enjoy your rise to the top.

Today the Sydney Car Centre is looking for an industrious regional assistant to fasten the process of the delivery of customer payments to the suppliers. The position offered is a part-time job, and will only require from you to be available for 1-2 hours a day.

As a regional assistant, you will be supposed to operate with the payments from those customers, based in your country. You will be expected to accept 2-3 transactions to your bank account every week, make certain calculations about every transaction (you will be precisely instructed about it), & transfer the funds to the suppliers by means of western Union/Money Gram less your fee & the charges of the Western Union/Money Gram. You will be continuously communicating with the manager from the head office, who will instruct you & give advice regarding every new payment.

The ideal candidate will be industrious, goal-oriented person, with the availability of a personal/business bank account suitable to be used for the company needs. Knowledge of English, computer literacy and sociability are appreciated.

The company guarantees to pay NET 10% fee out of the amount of every payment you dealt with and to provide you with the regular income & flexible schedule. All the related expenses you might have (like the Western Union/Money Gram chargers, related expenses on traveling) are covered by the company.

The more detailed information is available on our web-site http://vacancy-024788504.sydncar.kg/vacancies.php, where you can fill in the on-line application form for this position.

We would be glad to welcome you in our team!

We are looking forward to hearing from you as soon as possible!

Yours sincerely, Octavio Mcnair

One odd thing is the use of a .kg domain which is Kyrgyzstan. No doubt the scammers don't come from there, they've just found a registry that is easy for them to do business with. In this particular case, the website was hosted on a compromised DSL-connected machine in the UK.