
Thursday 31 March 2011

alleurope-consult.com job scam

Another fake job offer in this long running job scam, alleurope-consult.com is probably another money mule operation. The email is pretty terse and doesn't allude to much:

Subject: Work for specialists!

Good day.

Our company would like to offer you a Good day part-time job.


Location:  the Europe Union

If you are interested, please reply to : Ladonna@alleurope-consult.com

All the best.
HR department,
LadonnaGore

WHOIS details don't tell you much either, as they could be fake. They are the same as for west-ugroup.net:

    Aleksej Iliin
    Email: abolan@mail.org
    Organization: Private person
    Address: Okruzhnaya ul. d.5 kv.4
    City: Moskva
    State: Moskovskaya obl.
    ZIP: 183124
    Country: RU
    Phone: +7.4959424617
    Fax: +7.4959424617

Avoid, basically.

Monday 28 March 2011

Wanna buy an aircraft carrier?

Because we British have decided that we don't need aircraft carriers, since we're not bombing anywhere in particular at the moment.. apart from Libya.. and maybe a few other countries we noticed along the way, we've put the ex-flagship Ark Royal up on an auction site.

What cracks me up is the "Add to Wishlist" and "Add to Cart" buttons on the bottom.

Before you get over excited, these pocket aircraft carriers are mostly suitable for helicopters or V/STOL jets which aren't included in the price.

Saturday 26 March 2011

Mango Ideas / gsid.net is now clean

Just a quick note to say that Mango Ideas have cleaned up their network after this incident, which was possibly due to a reseller or perhaps a compromised server. Excellent news.

Thursday 24 March 2011

west-ugroup.net (and other) fake job offers

Another fake job offer in this very long running scam. The "job" involved is actually in support of organised crime and may involve money laundering and fraudulent parcel reshipping, in addition to acting as the "front" person for various fraudulent activities.. and being the first person the police will drag in when it all goes wrong.

Date: 24 March 2011 04:34
Subject: We need employees in Europe
   
Good day!

I am writing to you in the name of the corporation the Human Resources department of which I represent.

Our corporation has a great scope of business activities.
-real property
-business support
-company dissolution
-private firm service
-etc

There is a vacancy of a Regional manager in Europe:
-compansation 2.600 euro + bonus
-bonus-job
- no fixed office hours

If you have an intention to cooperate with our company, please send your contact information on our e-mail: Josiah@west-ugroup.net
Name
Surname
Counrty
City
E-mail
Sell phone number

Remark! Applicants with the permission to work in Netherlands & Portugal only!

Please inform your name and phone number so that we can find you for further communication.

The domains will vary, but these are all closely related:

west-ugroup.net
cl-ugroup.com
resume-eur.com
au-vacancy.com
usa-vacancy.com
wugconsult.com
wug-consulting.com
wug-myvacancy.com
wug-cv.com
wug-consult.com
wug-offer.com
wug-position.com
wug-vacancy.com
us-myvacancy.com
center-position.com
east-european.net

The (possibly fake) domain registration details are:

    Aleksej Iliin
    Email: abolan@mail.org
    Organization: Private person
    Address: Okruzhnaya ul. d.5 kv.4
    City: Moskva
    State: Moskovskaya obl.
    ZIP: 183124
    Country: RU
    Phone: +7.4959424617
    Fax: +7.4959424617

There are some other fraudulent and/or malicious domains connected with the registrant:

109.196.134.18   - VLine Ltd, Moscow
bestandxast.com
besternax.com
joprestons.net
russian-post.net
trafallbest.com
xalentarna.net
(Incidentally, pretty much all of VLine is evil, so blocking 109.196.128.0 - 109.196.143.255 (i.e. 109.196.128.0/20) is an excellent idea)

195.170.178.76 - allocation unclear
abolzaka.com
allnettraf.com
basletboll.com
bests-tracks.com
climersnet.com
nonstopsen.com

Monday 21 March 2011

Evil network: Intermedia Top SRL / INTERMEDIA-TOP AS49873 (95.64.8.0/24)

Intermedia Top SRL is a Romanian host operating a network in the 95.64.8.0/24 range. This range appears to contain nothing but malicious sites, including malware distribution, fake news sites (designed to help sell fake products), and fake anti-virus and utility applications.

Update 2/4/11: you should also block  95.64.9.0/24 which is allocated to the same people.

AS49873 is flagged as having Zeus C&C servers, and has a pretty bad reputation at SiteVet which shows that badness shot up at the beginning of March.

Google says:

Safe Browsing
Diagnostic page for AS49873 (TELECOMPO)

What happened when Google visited sites hosted on this network?

    Of the 640 site(s) we tested on this network over the past 90 days, 1 site(s), including, for example, absolutiovbf2n.info/, served content that resulted in malicious software being downloaded and installed without user consent.

    The last time Google tested a site on this network was on 2011-03-19, and the last time suspicious content was found was on 2011-03-19.

Has this network hosted sites acting as intermediaries for further malware distribution?

    Over the past 90 days, we found 17 site(s) on this network, including, for example, zelwwu4kk.info/, tawdry4d.info/, gru12.info/, that appeared to function as intermediaries for the infection of 33 other site(s) including, for example, nowatermark.net/, itanil.com/, itcomputerservers.com/.

Has this network hosted sites that have distributed malware?

    Yes, this network has hosted sites that have distributed malicious software in the past 90 days. We found 611 site(s), including, for example, sasae.co.cc/, slumbes.tk/, clemowceer.cz.cc/, that infected 1143 other site(s), including, for example, iwilltellyouhow.com/, saatihajj.com/, icabbies.org/.

Contact details for the block are:

inetnum:        95.64.8.0 - 95.64.8.255
netname:        INTERMEDIA-TOP
descr:          INTERMEDIA TOP SRL
descr:          BDUL. 1 DECEMBRIE 1918 nr. 105
descr:          Alba Iulia, Jud. Alba
country:        RO
admin-c:        AP13061-RIPE
tech-c:         AP13061-RIPE
status:         ASSIGNED PA
mnt-by:         NETSERV-MNT
mnt-routes:     MNT-TELECOMPO
mnt-domains:    MNT-TELECOMPO
source:         RIPE # Filtered

person:         Adrian Popa
remarks:        INTERMEDIA TOP SRL
address:        BDUL. 1 DECEMBRIE 1918 nr. 105
address:        Alba Iulia, Jud. Alba
phone:          +40214302223
abuse-mailbox:  imintermediatop90@gmail.com
mnt-by:         NETSERV-MNT
nic-hdl:        AP13061-RIPE
source:         RIPE # Filtered

route:          95.64.8.0/24
descr:          INTERMEDIA TOP SRL
origin:         AS49873
mnt-by:         MNT-TELECOMPO
source:         RIPE # Filtered


Below is a partial list of sites found on this network, although there are a lot of others not listed here. Blocking the whole 95.64.8.0/24 is probably the best approach. A CSV of the list plus MyWOT ratings can be downloaded from here.

machmit.cc
servat.cc
serwaz.com
testaz.cc
financeprogramm.com
localnews47.com
localnews69.com
mmtrx.com
newslocal64.com
newslocal74.com
newslocal89.com
nwolbcom.cc
atlaty.com
atydut.com
buroti.com
fileac.com
itapos.com
lsrato.com
memhys.com
morafu.com
mupoga.com
muposs.com
nlosaf.com
onfiro.com
podyme.com
poisor.com
posjuc.com
posunn.com
qertys.com
scoolq.com
tmwars.com
usudom.com
abrogatesdv.info
absolutiovbf2n.info
blasphemysfhs.info
blatant8jh.info
blightedgf5.info
bru67.info
cra76.info
cre12.info
crediblegfj.info
creditablef8.info
credulousaw99d.info
der93.info
enigmafhdd.info
enscond4xc.info
enshroudgf32b.info
fif49.info
fop22.info
fre94.info
gez20.info
gru12.info
harbingersytu.info
hastenr55a.info
haughtinessd2f.info
her33.info
ivo17.info
jer77.info
jev41.info
kia31.info
kie14.info
laby5nehfs.info
laceration24.info
lachrymose78n.info
lev66.info
mag20.info
mia16.info
mineral-beauty.net
nuzzlefgf.info
nyb90.info
obduratexv.info
obfuscate98y.info
opa63.info
ova22.info
plauditaz.info
plethoradtb.info
reprieve8mf.info
tedium34n.info
xxxpornteensex.com

Tuesday 8 March 2011

"Debt Advice UK" Sussex

You know you are dealing with a dodgy outfit when they robo-call your mobile from a suppressed number with a recorded message that starts "Please do not hang up" and then blabbers on about debt management, inviting you to press "2" to talk to an adviser.

The dodginess continued when the "adviser" at the other end could not confirm the name of the company he worked for (he claimed not to know!) except for a name of "Debt Advice UK" and didn't give any address other than "Sussex". There is no company in the UK of this name, and since I'm TPS registered then they should not even have been calling.

The hidden phone number, blatant disregard of TPS and refusal to give a company name or address definitely has all the hallmarks of something highly unethical.

If anyone has details of these scumbags, please feel free to add a comment!

Monday 7 March 2011

Evil network: Sagade Latvia AS52055 (46.252.130.0/23) and traff4you.info

I've covered Sagade before; it appears to be a completely black hat web host with no legitimate domains at all. Sagade appear to have a new IP range, 46.252.130.0 - 46.252.131.255 (46.252.130.0/23), which is completely full of toxic sites that should be blocked.

This IP range forms AS52055, of which Google says:

Safe Browsing
Diagnostic page for AS52055 (RELIKT)

What happened when Google visited sites hosted on this network?

    Of the 159 site(s) we tested on this network over the past 90 days, 9 site(s), including, for example, opanaw.com/, videospartyh.info/, galleryhotf.info/, served content that resulted in malicious software being downloaded and installed without user consent.

    The last time Google tested a site on this network was on 2011-02-23, and the last time suspicious content was found was on 2011-02-23.

Has this network hosted sites acting as intermediaries for further malware distribution?

    Over the past 90 days, we found 16 site(s) on this network, including, for example, welcometotheglobalisnet.com/, 46.252.129.0/, welcometotheglobaliscom.com/, that appeared to function as intermediaries for the infection of 507 other site(s) including, for example, ctwatchdog.com/, deewanapan.com/, thedailyherald.com/.

Has this network hosted sites that have distributed malware?

    Yes, this network has hosted sites that have distributed malicious software in the past 90 days. We found 55 site(s), including, for example, 46.252.129.0/, sontollones.co.cc/, toney.co.cc/, that infected 2312 other site(s), including, for example, cmsocial.com/, mediafire.com/, aotsargentina.org.ar/.

SiteVet oddly shows the AS as being offline, but the accompanying "badness" chart shows a big leap in evilness since the beginning of the year, so perhaps the block was reallocated.

As well as .com domains and the like, the block hosts several hard-to-spot .cz.cc and .vv.cc domains which host malware, much of which is being distributed through an apparently bogus ad network at traff4you.info.

So far, I can see the following domains in the block (a list with IP addresses and MyWOT ratings can be downloaded from here):

ertmovs.com
lkjsnfs.com
antivirussystem2011get.com
bbuydelivery.com
berrydush.net
brewtonconsult.net
collach.com
ddk2200.com
enter-way.net
euro2012corp.com
facebook-surprise-njwo.tk
facebook-surprise-njww.tk
fire6495ksd.com
fotoshare-2dknc.com
gigomark.com
grapndet.com
htss.su
hyipl.info
ibifit.com
lokia.info
lost-pass.ru
lostpass.ru
mailx.su
mittmax.com
nanosearchpro.net
novasystemutils2011.com
sentex10zx.in
shabgdr.com
softstoreinc.com
spy4.net
stylus2641fm.com
trabniyd.com
turb-o-search.com
x-pass.ru
xaker.me
nalmeron.cz.cc
agamaris.vv.cc
dalalore.vv.cc
thetakus.vv.cc
maribandis.vv.cc
mogrinn.vv.cc

Registration details for this block are:

inetnum:        46.252.130.0 - 46.252.131.255
netname:        Sagade
descr:          users
country:        LV
admin-c:        AK6804-RIPE
tech-c:         AK6804-RIPE
status:         ASSIGNED PA
mnt-by:         andrejskaminskis-mnt
source:         RIPE # Filtered

person:         Andrejs Kaminskis
address:        Latgales 32/34, Rezekne, Latvia
phone:          +37127580487
e-mail:         reliktbvk@gmail.com
nic-hdl:        AK6804-RIPE
mnt-by:         andrejskaminskis-mnt
source:         RIPE # Filtered

route:          46.252.130.0/23
descr:          users
origin:         AS52055
mnt-by:         andrejskaminskis-mnt
source:         RIPE # Filtered

As I said, traffic seems to be fed through traff4you.info, registered on 10th December 2010 with anonymous registration details and currently hosted on a dedicated server at 206.161.200.11, but until recently it was on a shared server at 69.65.48.218. This is probably a good domain to block, and I can't see much harm in blocking access to 206.161.200.0/24 and 69.65.48.0/24 while you're at it too.
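The posts above all end with the same advice: block the whole range rather than chase individual domains. The following is an added example (not from this blog or from any of the hosts mentioned) of how a practitioner might turn the ranges and domains listed on this page into a checkable blocklist and run it over proxy logs. It assumes Squid's native access.log layout (time, elapsed, client, code/status, bytes, method, URL, ident, hierarchy/peer, type); the log lines are constructed for the example, and the domain list is a small sample of the ones listed above. The "start - end" VLine range is summarised into CIDR form, and adjacent blocks are merged, so the two Intermedia Top /24s come out as a single 95.64.8.0/23.

```python
import ipaddress
from urllib.parse import urlsplit

# Blocklist constructed from the ranges recommended on this page.
BLOCKED_RANGES_TEXT = [
    "95.64.8.0/24",                     # Intermedia Top SRL (AS49873)
    "95.64.9.0/24",                     # same operator, per the 2/4/11 update
    "46.252.130.0/23",                  # Sagade (AS52055)
    "109.196.128.0 - 109.196.143.255",  # VLine Ltd, Moscow ("start - end" form)
    "206.161.200.0/24",                 # traff4you.info dedicated server
]

# A handful of the domains listed on this page; suffix matching below also
# catches hosts under them (e.g. ads.traff4you.info).
BLOCKED_DOMAINS = {
    "alleurope-consult.com", "west-ugroup.net", "russian-post.net",
    "absolutiovbf2n.info", "traff4you.info", "nalmeron.cz.cc",
}


def parse_ranges(texts):
    """Turn CIDRs and 'start - end' ranges into a collapsed list of networks."""
    nets = []
    for text in texts:
        text = text.strip()
        if "-" in text:
            lo, hi = (ipaddress.ip_address(p.strip()) for p in text.split("-", 1))
            nets.extend(ipaddress.summarize_address_range(lo, hi))
        else:
            nets.append(ipaddress.ip_network(text, strict=False))
    # Adjacent blocks are merged, so 95.64.8.0/24 + 95.64.9.0/24 -> 95.64.8.0/23.
    return list(ipaddress.collapse_addresses(nets))


BLOCKED_NETS = parse_ranges(BLOCKED_RANGES_TEXT)


def matching_net(ip, nets=BLOCKED_NETS):
    """Return the blocked network containing ip as a string, or None."""
    addr = ipaddress.ip_address(ip)
    for net in nets:
        if addr in net:
            return str(net)
    return None


def matching_domain(host, domains=BLOCKED_DOMAINS):
    """Return the blocked domain that host equals or sits under, or None."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return candidate
    return None


# Constructed Squid native access.log lines (not real traffic):
# time elapsed client code/status bytes method URL ident hierarchy/peer type
SAMPLE_LOG = """\
1300000000.123 45 10.0.0.5 TCP_MISS/200 1234 GET http://zelwwu4kk.info/x.php - DIRECT/95.64.8.77 text/html
1300000001.456 30 10.0.0.6 TCP_MISS/200 5678 GET http://www.example.org/ - DIRECT/93.184.216.34 text/html
1300000002.789 60 10.0.0.7 TCP_MISS/302 321 GET http://ads.traff4you.info/go - DIRECT/206.161.200.11 text/html
1300000003.012 20 10.0.0.8 TCP_MISS/200 999 GET http://nalmeron.cz.cc/ - DIRECT/46.252.131.9 application/octet-stream
1300000004.345 25 10.0.0.9 TCP_MISS/200 777 GET http://innocent.example/ - DIRECT/109.196.140.2 text/html
"""


def scan_log(text):
    """Return (client, host, reasons) for every line that touches the blocklist.

    A line is flagged if the requested hostname is a blocked domain (or a
    subdomain of one) or if the server the proxy actually connected to sits
    inside a blocked network, so a fresh, unlisted domain on a known-bad
    range is still caught.
    """
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 10:
            continue  # malformed or truncated line
        client, url, peer = parts[2], parts[6], parts[8]
        host = urlsplit(url).hostname or ""
        dest_ip = peer.split("/", 1)[1] if "/" in peer else ""
        reasons = []
        domain = matching_domain(host)
        if domain:
            reasons.append("domain:" + domain)
        try:
            net = matching_net(dest_ip)
        except ValueError:  # e.g. "DIRECT/-" when no peer address was logged
            net = None
        if net:
            reasons.append("net:" + net)
        if reasons:
            hits.append((client, host, reasons))
    return hits


if __name__ == "__main__":
    for client, host, reasons in scan_log(SAMPLE_LOG):
        print(f"{client} -> {host}: {', '.join(reasons)}")
```

The destination-IP check is the one that does the real work here: the first sample line requests zelwwu4kk.info, which is not in the small domain set, but it is caught because the proxy connected to an address in 95.64.8.0/23. Domain matching is by label suffix, so nottraff4you.info is not a match while ads.traff4you.info is.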