
Tuesday 21 December 2010

uk-resum.com fake job offer

This fake job offer originated from an IP address in Latvia (84.245.203.63) and solicits replies to uk-resum.com, a domain registered in Russia. Most likely it is a money-laundering and/or parcel-reshipping scam. Also in this cluster are the domains usa-resum.com and resum-europe.com. It seems to be part of a long-running series of job scams going back several years.

From: no-reply229@jobsearch.co.uk
Date: 21 December 2010 17:25
subject: We're hiring an additional 15 representatives!
   
Welcome!
I am writing to you in the name of the corporation the Human Resources department of which I represent.

The business occupation of our corporation is quite significant.
-tangible property
-organization and reorganization of business
-bank account support
-etc

We’re seeking for regional managers in the UK.
- wage packet 2.600 GBP + bonus
- bonus-job
- no fixed office hours

If our proposition is attractive to you, please kindly send your details so that we can contact you: stewart@uk-resum.com
1) First Name:
2) Country of living
3) City
4) E-mail address:
5) Contact telephone number


Important! We deal with UK citizens only!

Please e-mail your name and phone number and we will invite you for interview.

jobsearch.co.uk has nothing to do with the scam; the sender address is forged. The reply domain uk-resum.com is registered to:

Registrar: Regtime Ltd.
Creation date: 2010-12-20
Expiration date: 2011-12-20
Status: active

Registrant:
    Pavel Rogozin
    Email: rogoznaks@mail.com
    Organization: Private person
    Address: Nagatinskaya naberezhnaya d.4 kv.12
    City: Moskva
    State: Moskovskaya
    ZIP: 127456
    Country: RU
    Phone: +7.4954556713 


Avoid this one at all costs.

Monday 20 December 2010

Gawker related attack from 174.132.178.37

The recent Gawker media hack is probably related to a spate of malicious activity from 174.132.178.37, trying to log into forums, according to a couple of different reports on the web -  [1] [2] -  and my own experience of someone trying to get into a forum, presumably with Gawker harvested credentials. The purpose is unknown, but the person behind it may well be trying to use established accounts to spam forums.

Here is a sample email that you might get:

Dear ----------,

Your account on ---------- has been locked because someone has tried to log into the account with the wrong password more than 5 times. You will be able to attempt to log in again in another 15 minutes.

The person trying to log into your account had the following IP address: 174.132.178.37

Don't forget that the password is case sensitive. Forgotten your password? Use the link below:
http://forums.----------.com/login.php?do=lostpw

I advise you to contact the web host responsible at abuse -at- theplanet.com with a copy of any evidence. Incidentally, the listed owner of that IP address (bearing in mind that the server may itself have been hacked) is:

network:Class-Name:network
network:ID:NETBLK-THEPLANET-BLK-15
network:Auth-Area:174.132.0.0/15
network:Network-Name:TPIS-BLK-174-132-178-0
network:IP-Network:174.132.178.32/28
network:IP-Network-Block:174.132.178.32 - 174.132.178.47
network:Organization-Name:Michael Strouse
network:Organization-City:winter springs
network:Organization-State:FL
network:Organization-Zip:32708
network:Organization-Country:USA
network:Description-Usage:customer
network:Server-Pri:ns1.theplanet.com
network:Server-Sec:ns2.theplanet.com
network:Tech-Contact;I:

If this has happened to you, why not post a comment below so that ThePlanet.com can see what is going on.
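The lockout notice above is triggered by one IP address failing five logins on one account inside 15 minutes. Credentials harvested from a breach produce a different shape as well: a single source trying a few passwords against many different accounts. The following is an added example, not code from this post or from any forum software, that runs both checks over a handful of constructed auth-log lines (the log format, usernames and all addresses other than 174.132.178.37 are made up for the example):

```python
"""Failed-login analysis: added example, not from the original post.

Two detections over a simple auth log:
  * lockouts():          one (ip, user) pair with >= 5 failures in 15 minutes,
                         the condition behind the lockout e-mail in the post
  * stuffing_sources():  one ip whose failures spread across several accounts
                         in the same window, the pattern of credentials
                         replayed from a breach
The log format and all entries are constructed for this example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format (assumption): "<date> <time> LOGIN_FAIL|LOGIN_OK ip=... user=..."
LINE_RE = re.compile(r"^(\S+ \S+) LOGIN_(FAIL|OK) ip=(\S+) user=(\S+)$")

LOG = """\
2010-12-13 21:00:01 LOGIN_FAIL ip=174.132.178.37 user=alice
2010-12-13 21:00:03 LOGIN_FAIL ip=174.132.178.37 user=alice
2010-12-13 21:00:05 LOGIN_FAIL ip=174.132.178.37 user=alice
2010-12-13 21:00:07 LOGIN_FAIL ip=174.132.178.37 user=alice
2010-12-13 21:00:09 LOGIN_FAIL ip=174.132.178.37 user=alice
2010-12-13 21:00:12 LOGIN_FAIL ip=174.132.178.37 user=bob
2010-12-13 21:00:14 LOGIN_FAIL ip=174.132.178.37 user=bob
2010-12-13 21:00:20 LOGIN_FAIL ip=174.132.178.37 user=carol
2010-12-13 21:00:25 LOGIN_FAIL ip=174.132.178.37 user=dave
2010-12-13 21:05:00 LOGIN_FAIL ip=10.0.0.5 user=eve
2010-12-13 21:05:30 LOGIN_OK ip=10.0.0.5 user=eve
2010-12-13 18:00:00 LOGIN_FAIL ip=192.0.2.9 user=frank
2010-12-13 18:30:00 LOGIN_FAIL ip=192.0.2.9 user=frank
2010-12-13 19:00:00 LOGIN_FAIL ip=192.0.2.9 user=frank
2010-12-13 19:30:00 LOGIN_FAIL ip=192.0.2.9 user=frank
2010-12-13 20:00:00 LOGIN_FAIL ip=192.0.2.9 user=frank
2010-12-13 20:30:00 LOGIN_FAIL ip=192.0.2.9 user=frank
"""


def parse(lines):
    """Return (timestamp, result, ip, user) tuples; unparseable lines are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        events.append((ts, m.group(2), m.group(3), m.group(4)))
    return events


def lockouts(events, threshold=5, window=timedelta(minutes=15)):
    """(ip, user) pairs with >= threshold failures inside any sliding window."""
    fails = defaultdict(list)
    for ts, result, ip, user in events:
        if result == "FAIL":
            fails[(ip, user)].append(ts)
    hits = set()
    for key, times in fails.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1  # slide the window forward
            if end - start + 1 >= threshold:
                hits.add(key)
                break
    return hits


def stuffing_sources(events, min_accounts=3, window=timedelta(minutes=15)):
    """ip -> largest number of distinct accounts it failed against in one window,
    for sources reaching min_accounts (a few tries each, many accounts)."""
    by_ip = defaultdict(list)
    for ts, result, ip, user in events:
        if result == "FAIL":
            by_ip[ip].append((ts, user))
    hits = {}
    for ip, items in by_ip.items():
        items.sort()
        best = start = 0
        for end in range(len(items)):
            while items[end][0] - items[start][0] > window:
                start += 1
            best = max(best, len({u for _, u in items[start:end + 1]}))
        if best >= min_accounts:
            hits[ip] = best
    return hits


EVENTS = parse(LOG.splitlines())

if __name__ == "__main__":
    print("lockouts:", lockouts(EVENTS))
    print("stuffing:", stuffing_sources(EVENTS))
```

Note the difference between the two results: frank's six failures from 192.0.2.9 are half an hour apart and never trip the per-account lockout, while 174.132.178.37 trips both checks, which is the signature to look for if you suspect harvested credentials rather than a guess at one password.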

Friday 3 December 2010

Beware of worid-of-books.com

worid-of-books.com is a fake book download site punting malicious executables. The strange name makes sense once you notice that the lowercase "i" stands in for the "l" of "world": written as worId-of-books.com, with a capital I, it is hard to tell from the genuine spelling in many sans-serif fonts, which is presumably the idea.
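A blocklist keyed on the exact string worid-of-books.com would miss the next spelling, so it is worth comparing domains on their "skeleton", with visually confusable characters folded to the letter they imitate. The following is an added example, not code from this post, and it generalises beyond the i/l swap seen here: the confusable table, the list of protected names and every candidate domain other than worid-of-books.com are constructed for the example, and the registrable-label logic ignores multi-part suffixes such as co.uk.

```python
"""Lookalike-domain check: an added example, not code from the original post.

Folds visually confusable ASCII characters to one canonical form and flags
candidate domains whose folded label matches a protected name but whose
spelling differs.  Everything except worid-of-books.com is constructed.
"""

# Two-character sequences that render like one letter, folded first.
DIGRAPHS = {"rn": "m", "vv": "w"}
# Single characters folded to the letter they imitate (assumption: a small
# table for lowercase Latin labels, not a full Unicode confusables list).
CONFUSABLES = {"i": "l", "1": "l", "|": "l", "0": "o", "5": "s", "3": "e"}


def skeleton(label: str) -> str:
    """Canonical form of a domain label under the confusable mappings."""
    s = label.lower()
    for pair, single in DIGRAPHS.items():
        s = s.replace(pair, single)
    return "".join(CONFUSABLES.get(ch, ch) for ch in s)


def registrable_label(domain: str) -> str:
    """Label left of the last dot.  No public-suffix list is used, so
    'example.co.uk' would yield 'co'; a known simplification here."""
    parts = domain.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def find_lookalikes(candidates, protected):
    """Return (candidate, protected_name) pairs where the candidate's label
    folds to a protected name but is not spelled identically."""
    index = {skeleton(name): name for name in protected}
    hits = []
    for dom in candidates:
        label = registrable_label(dom)
        target = index.get(skeleton(label))
        if target is not None and label != target:
            hits.append((dom, target))
    return hits


# Constructed inputs: worid-of-books.com is from the post, the rest are made up.
PROTECTED = ["world-of-books", "paypal", "microsoft"]
CANDIDATES = [
    "worid-of-books.com",   # i for l, as in the post
    "world-of-books.com",   # identical spelling: not a lookalike
    "paypa1.net",           # digit 1 for l
    "rnicrosoft.com",       # rn for m
    "example.org",          # unrelated
]

if __name__ == "__main__":
    for dom, target in find_lookalikes(CANDIDATES, PROTECTED):
        print(f"{dom} looks like {target}")
```

The folding is deliberately lossy (every "i" becomes "l"), so treat a hit as a candidate for review rather than proof of malice; the point is that the check cannot be dodged by picking a different confusable character.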



The site looks reasonably credible and appears to have about a million downloadable books, but they are not all that they seem to be. If you try to download a book, you get an EXE file instead of a PDF. What's in the EXE file? Well, malware of course! Detection is fairly patchy according to VirusTotal, but this appears to be a Cycbot variant.

Download it a second time and you actually do get a PDF file.. well, an 8-byte file that just says "PDF file" and nothing else. Subsequent attempts seem to fail with an error message of "We are sorry, this book is now being checked. Try to download it later!". It's pretty clear that worid-of-books.com is tracking visitors (perhaps by IP address) to stop them being able to repeat the infection.

The site is hosted on 95.64.111.12 which is Asociatia Family Network Connections / FAMILY-NETWORK in Romania, along with a whole load of other sites. It's worth blocking everything in this IP range.

The ThreatExpert report is here, it might help you clean up your machine if infected.

Evil network: Asociatia Family Network Connections / FAMILY-NETWORK AS49253 (95.64.110.0/23)

Asociatia Family Network Connections / FAMILY-NETWORK is a Romanian network, and their AS49253 netblock seems to have suddenly turned evil.

The SiteVet report for this AS shows a sudden increase in recent weeks, with over 1500 sites that may be malicious included in the 95.64.110.0/23 block. Most of these evil sites are on just one host, 95.64.110.100. There may be some legitimate sites here, but probably too few to worry about.

Most sites hosted here appear to be Russian, and some are registered through Chinese registrars. The owner of this block is listed as:

inetnum:        95.64.110.0 - 95.64.111.255
netname:        FAMILY-NETWORK
descr:          Asociatia Family Network Connections
country:        RO
admin-c:        CS6903-RIPE
tech-c:         CS6903-RIPE
status:         ASSIGNED PA
mnt-by:         NETSERV-MNT
mnt-routes:     FAMILY-NETWORK-MNT
mnt-domains:    FAMILY-NETWORK-MNT
source:         RIPE # Filtered

person:         Claudiu Sandulescu
remarks:        Asociatia Family Network Connections
address:        Str. Vlahita nr.4, Bl. PM8, Ap. 72
address:        Sector 3, Bucuresti
phone:          +40728188052
mnt-by:         FAMILY-NETWORK-MNT
abuse-mailbox:  claudiusandulescu@gmail.com
nic-hdl:        CS6903-RIPE
source:         RIPE # Filtered

route:          95.64.110.0/23
descr:          FAMILY-NETWORK
origin:         AS49253
mnt-by:         FAMILY-NETWORK-MNT
source:         RIPE # Filtered

Added: the owner of this netblock says that it is no longer in use, so it does appear to have been hijacked somehow, which would be consistent with its reputation suddenly going bad.

You can see a CSV of domains and MyWOT ratings here, but there are too many domains to list here. Some of the domains have come from MD-ISP-MONITORING in Moldova.

Currently active IPs are:
95.64.110.36
95.64.110.37
95.64.110.43
95.64.110.45
95.64.110.48
95.64.110.50
95.64.110.66
95.64.110.100
95.64.110.105
95.64.111.11
95.64.111.12
95.64.111.14
95.64.111.15
95.64.111.16
..although to be honest, you should just block the lot of them.

Wednesday 1 December 2010

Evil network: Informex / INFORMEX-NET AS20564 (193.178.172.0/24)

Informex on AS20564 (193.178.172.0/24) is a Ukrainian operation implicated in a lot of bad things, including banking trojans.

SiteVet.com fingers this as the 27th worst network on the net and links it to various malware domains and Zeus servers. There are a couple of hundred domains in this block, all worth blocking, either by the whole IP address range or using this CSV file with MyWOT rankings, or see the list below.

Their own web server at informex.net is currently suspended (I wonder why), but it shows consistent details with the netblock owner, so at least we can see who allegedly is responsible.

      Informex Ltd.
      Andriy Lyasota
      28 Predslavinskaya Str.
      Kiev,   03680
      UA
      Phone: +1.380442528798
      Email: lyasota@terra.es

As I said, there's nothing at all of value here so blocking the entire lot will probably be safest for your client PCs.

Mypctech.net
Dynamicnetwork.ru
Inethunter.ru
Mservicesonline.ru
Mystaticdatas.ru
Dontchangeurmind.com
Seven7news.net
Mistesr.com
Dlphonethems.com
Goodsandserv.com
Jscmsdev.com
Oversportresults.com
Az-investment.org
P2p-group.com
Wrg34gwww333.com
Trusted001.com
Atlantisc.net
Inetercs.com
1change-your-life.com
Be-rock-steady.com
Big-strong-feeling.com
Creative-in-bed.com
Freedom-performance.com
Lookgreat-now.com
Make-me-skinny.com
Master-in-bed.com
Master-in-bed1.com
Natural-performance.com
Nice-white-smiles.com
Presstopgo.com
Pump-reality.com
Pure-natural-power.com
Smooth-movements.com
Sweet-fire-power.com
Sweet-success1.com
Tiger-powers.com
Transform-bedtime.com
Triple-powersa.com
True-in-bed.com
Ultimate-perform.com
Vital-solutionsa.com
White-smile-center.com
1sweet-success.com
Be-always-ready.com
Bedtime-heroes.com
Change-your-life1.com
Dream-kings1.com
Feel-tight-now.com
Freedom-of-age.com
Get-her-happy.com
Goprepackum.com
Greatest-feeling.com
Greenlight-perform.com
Juiced-performance.com
Just-like-gold.com
Make-greatness.com
Make-greatness1.com
Master-of-performance.com
Mister-stronger.com
Only-your-love.com
Perform-magic.com
Perform-magic1.com
Prepackum.com
Winners-perform.com
Fgjlookstmbypxpq.org
Hmkhlviounvozy.org
Hpzoqkpjptqtwro.biz
Icqmgointiwlxo.biz
Jdqqmrtxqvhay.org
Jwymehkjtnrjkrqu.org
Koupvrnospqiluip.info
Lkimqsreoetvqnnv.org
Lxigeqglsfbyyle.net
Mnmmkswxuvlqep.net
Muxklfmqnhzkorsq.net
Nlxhhudkvxziktu.com
Odpjsdqtdumnmj.com
Oqrgtnsqoleyfnn.info
Osyrpcewsuwufw.info
Oszkhkxvmrqrxgp.info
Pcsrtnklvddwnqvp.biz
Pdgwvengffyqdv.biz
Pgioznuvfrgmhwqe.biz
Pmgmzxreftplqnk.com
Pnoeitglysiqq.com
Poxpmrusrdsnlp.com
Qnqlorgefiyrrirs.biz
Qpqugpjnuykqdr.info
Qqikrwpuhdssplu.info
Quysrnkcpjgmk.info
Rpmukxmppxqps.biz
Rrtopnnrmxtulsu.com
Rvgkcpvhnsrix.com
Soinuswqbkwvomp.org
Strlonntjnrexnnt.com
Svphksoppxdkzxva.net
Uwvtlfdoygrtmuvn.org
Vkfkqtwliuwrzs.biz
Vrnhlmoxsqntnzuy.org
Wrdkrkttmlsmxf.org
Xtgpiqullqonpq.biz
Yjhqnlssfpepjgu.info
Yzpqkplwqmpqlem.com
Zbttlmsrwrqeokq.net
Zupfomstceuqxh.com
Irvnseqtnprwekc.info
Jrpdqvjnusnxm.org
Nynqponxkinmoq.com
Piuzlhtwjcfqtpg.net
Smljqmotnovtvt.org
Uoepjgfhkkowizr.biz
Dmpvrxqvqvlmpw.net
Hljuzkosrunitgp.net
Ofojwmovourkkg.net
Syedgulzptgqgp.info
Wrnlfbmjsshqk.com
Cmxqqzproplonnx.info
Malzpeltoquvlp.com
Nlvmyxeqosdtkp.org
Bowlufpyzvvirl.biz
Dnxlxohozwoopr.org
Emkihmmxvgmtkcgl.com
Hgkqngxllqrrnmiz.info
Htmyyyipmkekuynr.com
Hwdouwuknqqpsxmd.com
Ionrssqxsvstzivs.net
Iuxjkahsqrwpyox.org
Jhpkyooltuxqsjhm.info
Jsjyjpsfobqgkg.org
Jtepwqyeuvioouz.biz
Jtlhisjmurjllhti.biz
Jwegwyvqsiejvql.net
Kfvhtqpbqxldgso.org
Klitonyplwwzgg.com
Kmkkblefthoqglpg.info
Kobnjdiimqdolvh.org
Kpqowrbumptldl.org
Kvkkhmrlqylvfpon.com
Llkmtmldfheouhs.info
Ltlzvdtkraspchuj.org
Ndhsmnkqrftkulx.biz
Nijldtopnyogqbwv.com
Nnjwoxtlkjpqom.biz
Nyqnrynqhijmyjs.org
Olepnsytepgvmzep.biz
Opnqhjwpnmmmogwr.org
Ospihkkjvpmeogs.com
Pgjmysmupmbtx.com
Plkrpmjhenxulq.com
Qjlzmqlujmenop.net
Qoyrlzihqqlmwpo.org
Rolktmkupuvretpp.info
Rolwrlwthqpvri.info
Rooggmxuopjgmq.com
Rxmuyhntwfqfyth.org
Sepvsjywabgsupys.org
Snhcykqpytqwrs.info
Snpyrsdprknjrm.org
Snrnrnluokjdsqms.org
Spiotsftcqchqgow.info
Svpoqmonfpxtghfw.net
Upswzirptwvfqs.info
Vbskivpfonknoenp.net
Vhkfuwmqzowhobds.com
Vncnwhkkrsffhlwr.com
Vnfjgutpslxwifpe.org
Vnzfunomqvoznv.org
Vsnwnrnfgpntp.biz
Wdyvkpwfprmrwjrp.com
Dnlosvqsuopnqse.info
Jdwfskrtlqmrvodu.org
Rqhgfkojltsoj.net
Uvzqwuzrnrnhnlm.com
Vsqfpixstrwupl.biz
Yoonelhpvgdpkcx.net
Fmotffizsnjookju.biz
Lcknxpybqzpwmj.com
Qktlvumlcpvgmzju.com
Txqtuiltmsqqjerr.com
Kylvxwjxuypjpix.com
Qehmknmprxrvmwp.info
Trjvprpivnkxcad.biz
Vwloihjzoorjjyp.com
Simpsonstoys.info
Kjgkjbkjbk.com
Maf1sdwe1yu.com
Dualexstream.info
Hp3qvb.in
Alperinathon.com
Ca100jsadsgd.com
Ca300dsahdkjsah.com
Half-living-for-us.com
Jolly-teaside2000.com
Looking4heather.com
Mk200kdshdg.com
Pa200skjdhsg.com
Sj100asdjsh.com
Sj82hags6.com
Us100asdjnagdsajd.com
Appchoko23.com
Vazzterax.net
C3n.ru
Gamemarinost.net
Gamemarisik.net
Dakpowj.com
Iciq.biz
Primegcorp.com
Sdoajd.com
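Both the FAMILY-NETWORK post and this Informex post end with the same advice: block the whole netblock rather than chase individual hosts. The inetnum and route objects quoted above give the range in two notations (a start-end pair and a CIDR prefix), and the rwhois record in the Gawker post gives a third. The following is an added example, not code from this blog, that parses those record lines into CIDR prefixes, merges them, and checks addresses against the result; the record text is copied from the posts above, the Informex /24 is taken from its heading, and the addresses tested that do not appear on the page are constructed. The Planet block is parsed only to show the rwhois format; the post asks you to report it, not block it.

```python
"""Netblock blocklist from whois/rwhois records: added example, not from the blog.

Handles RIPE 'inetnum:' (start - end) and 'route:' (CIDR) lines and the
rwhois 'network:IP-Network:' / 'network:IP-Network-Block:' lines, and
merges them with ipaddress so duplicates and adjacent prefixes collapse.
The registry's 'Auth-Area' (a /15) is deliberately not treated as a block.
"""
import ipaddress
import re

RANGE_RE = re.compile(
    r"^\s*(?:inetnum|network:IP-Network-Block)\s*:\s*(\S+)\s*-\s*(\S+)")
CIDR_RE = re.compile(
    r"^\s*(?:route|network:IP-Network)\s*:\s*(\S+/\d{1,2})\s*$")

# Record lines as quoted in the posts (other attributes omitted).
RIPE_FAMILY_NETWORK = """\
inetnum:        95.64.110.0 - 95.64.111.255
netname:        FAMILY-NETWORK
route:          95.64.110.0/23
origin:         AS49253
"""
RWHOIS_THEPLANET = """\
network:Auth-Area:174.132.0.0/15
network:IP-Network:174.132.178.32/28
network:IP-Network-Block:174.132.178.32 - 174.132.178.47
"""


def networks_from_whois(text):
    """Extract CIDR prefixes from RIPE inetnum/route and rwhois network lines."""
    nets = set()
    for line in text.splitlines():
        m = RANGE_RE.match(line)
        if m:
            lo = ipaddress.ip_address(m.group(1))
            hi = ipaddress.ip_address(m.group(2))
            nets.update(ipaddress.summarize_address_range(lo, hi))
            continue
        m = CIDR_RE.match(line)
        if m:
            nets.add(ipaddress.ip_network(m.group(1), strict=False))
    return sorted(ipaddress.collapse_addresses(nets))


def blocklist(*records, extra=()):
    """Merge prefixes parsed from record texts with prefixes given directly."""
    nets = set()
    for text in records:
        nets.update(networks_from_whois(text))
    nets.update(ipaddress.ip_network(p) for p in extra)
    return sorted(ipaddress.collapse_addresses(nets))


def is_blocked(ip, nets):
    """True if ip falls inside any prefix of nets."""
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in nets)


def iptables_rules(nets, chain="OUTPUT"):
    """One REJECT rule per prefix, in iptables command syntax."""
    return [f"iptables -A {chain} -d {n} -j REJECT" for n in nets]


# FAMILY-NETWORK from its records plus the Informex /24 named in the heading.
BLOCKED = blocklist(RIPE_FAMILY_NETWORK, extra=["193.178.172.0/24"])
# The Planet customer block, parsed for the format only.
THEPLANET_BLOCK = networks_from_whois(RWHOIS_THEPLANET)

if __name__ == "__main__":
    for rule in iptables_rules(BLOCKED):
        print(rule)
    for ip in ("95.64.110.100", "95.64.111.12", "193.178.172.1", "174.132.178.37"):
        print(ip, "blocked" if is_blocked(ip, BLOCKED) else "allowed")
```

Because the inetnum range and the route prefix both describe 95.64.110.0/23, the merge leaves a single /23; if a later record widened the allocation, collapse_addresses would absorb the old prefix into the new one rather than leaving stale rules behind.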