Sponsored by..

Tuesday 31 January 2012

NACHA Spam / sulusate.com

More NACHA spam leading to a malicious payload:

Date: 31 January 2012 22:55
Subject: ACH transaction fault

The ACH transaction ID: 415864020375, that had been effectuated from your banking account lately, was rejected by the the bank of the recipient.

ACH transfer declined
Transaction ID:     415864020375
Details:     please see the report below for details
Transaction Report     report_415864020375.doc (Microsoft Word Document)

13450 Sunrise Valley Drive, Suite 100
Herndon, VA 20171

2011 NACHA - The Electronic Payments Association

This leads to a malicious payload at sulusate.com/search.php?page=977334ca118fcb8c, hosted on 209.59.220.98 (Endurance International Group, US). A Wepawet report for the malicious page is here.

Blocking the IP will prevent other malicious sites on the same server from doing their stuff. Endurance International has hosted several such malicious sites recently.

NACHA Spam / matoreria.com

Another NACHA spam run leading to a malicious payload..

Date:      Tue, 30 Jan 2012 11:02:13 +0000
From:      info@nacha.org
Subject:      Your ACH transaction

The ACH transaction (ID: 8519169560300), recently initiated from your bank account (by you or any other person), was canceled by the other financial institution.

Canceled transfer
Transaction ID:     8519169560300
Rejection Reason     See details in the report below
Transaction Report     report_8519169560300.doc (Microsoft Word Document)

13450 Sunrise Valley Drive, Suite 100

Herndon, VA 20171

2011 NACHA - The Electronic Payments Association
The payload is on matoreria.com/search.php?page=73a07bcb51f4be71 hosted on 66.150.164.137 (Nuclear Fallout Enterprises, Seattle). We've seen this ISP before. At the moment the payload seems not to be working properly.

Blocking access to the IP address will also block access to any other malicious sites on the same server.

Sunday 29 January 2012

Fake jobs: euro@ultraups.com

The "Lapatasker" money mule recruiters have been fairly quiet for a while, but here is a new one:

From:  Barrmanager@pacbell.net maurogonzal22@gmail.com
Date: 28 January 2012 01:39
Subject: Parttime Job

Compliments

I am the personnel department manager and I am appealing to you in the name of the large-scale and first-rate partnership.

Our company is met in many departments, such as:
- property
- bank account operations
- transportation and logistics
- private enterprise service
- etc.

We need a person to fill the vacancy of a regional manager in Europe:
- salary 2.600 euro + bonus
- 2 - 3 working hours per day
- individual time-table


If our offer is interesting for you email us the required information:
e u r o @ u l t r a u p s . c o m (Please Delete Spaces In Email Address Before Mailing Us)
Full name:
Country:
City
E-mail:
Contact phone number:



Attention! We need just the people residing in EU.

Please, write your Telephone Number and our manager will contact with you and answer all your questions. 

The "jobs" offered are illegal activities such as money laundering, so signing up to them could land you in serious trouble with law enforcement and seriously out of pocket.

The domain was registered a while ago, probably with fake registrant details:
    Alexis Putt
    Email: alexisputt@yahoo.co.uk
    Organization: Alexis Putt
    Address: St Katharine's Way 12
    City: London
    State: London
    ZIP: E1W 1DD
    Country: GB
    Phone: +44.0113343341

If you have any more example emails, please consider sharing them in the comments.

Friday 27 January 2012

Oh yeah..


..chicka chickaaah!

"INTUIT INC" malicious spam and {int_link} fail

A new version of a familiar spam that is meant to have a malicious payload:

Date:      Thu, 25 Jan 2012 20:43:03 +0100
From:      "INTUIT INC." [onlinebanking@ealerts.bankofamerica.com]
Subject:      Your tax information needs verification.

Dear Sir/Madam,

In our continuing effort to assure that exact information is being kept up on our systems, as well as to provide you better quality of service; INTUIT INC. has taken part in the Internal Revenue Service [IRS] Name and TIN Matching Program.

We have found out, that your name and/or Employer Identification Number, that is indicated on your account is different from the information on file with the IRS.

In order to check and update your account, please enter the secure section.

Yours sincerely,
INTUIT INC.

Corporate Headquarters
2632 Marine Way
Mountain View, CA 94043

OK, the sharp eyed amongst you will have noticd that "INTUIT" and "bankofamerica.com" are two different entities. What you can't see is that the moron spammer has sent out all the links pointing to just http://{int_link}/ rather than remembering to include the spam URL. No doubt the next version of this will have a malicious payload, so take care.

Thursday 26 January 2012

Some malware sites to block 26/1/12

Some more malware sites to block, being used in current spam runs to distribute the blackhole exploit kit. Block the domains and IPs if you can.

Eonix, Canada
173.213.93.203
clostescape.com

Zerigo, US
173.248.190.37
chilleloot.com

Colo4Dallas, US
174.136.0.87
chillegraph.com
chilleline.com

Ixvar, Canada
174.142.247.164
clostery.com

Hostforweb, US
205.234.187.6
sulusient.com

Networld Internet, US
207.210.96.45
clostehold.com
72.249.126.223
chillemap.com

Confluence Networks, BVI
208.91.197.27 (parked)
closteyard.com

Endurance International, US
209.59.220.57
closteland.com
closterange.com
209.59.220.65
sulusity.com
209.59.220.202
chillency.com
209.59.221.158
closteation.com

Nuclear Fallout Enterprises, US
66.150.164.192
chilletect.com
74.91.119.202
sulusality.com

Linode, US
69.164.199.231
chillepay.com
96.126.96.123
chillechart.com
96.126.102.252
sulusium.com

Not resolving
chillebucks.com
chillecash.com
chillefunds.com
chillestruct.com
sulusius.com
sulusize.com

NACHA Spam / chillechart.com and chillepay.com

More fake NACHA spam leading to malware, this time the malicious payload is at chillechart.com on 96.126.96.123 (Linode, New Jersey).

Date:      Thu, 25 Jan 2012 10:40:06 +0100
From:      "alerts@nacha.org" [alerts@nacha.org]
Subject:      Your pending ACH debit transfer

Dear Account Holder,

This message includes an important notice about the ACH debit transfer sent on your behalf, that was detained by our bank:
Transaction #:    766253676295142
Transaction status:    pending

In order to resolve this matter, we prompt you to check the details of your transaction using the link below.

Faithfully yours,
Stephanie Barrera
Accounting Department

This follows the same pattern we have seen over the past few days. A Wepawet report for the malicious page is here. Blocking the IP address rather than the domain should block any other malicious sites on the server.

Update:  chillepay.com is also being used in this spam run, hosted on 69.164.199.231 (also Linode)

Wednesday 25 January 2012

Lazy BBB / "ACH transfer pending" spam, chillestruct.com and closteation.com

Here's a lazy spam about an "ACH transfer" that appears to come from the BBB, because the spammers have mixed up the campaigns.

Date:      Wed, 24 Jan 2012 13:31:58 +0100
From:      "manager@bbb.org" [manager@bbb.org]
Subject:      ACH transfer pending

Dear Sir or Madam,

This message includes a notification about the ACH debit transfer sent on your behalf, that was held by our bank:

Transaction ID: 471209863177939
Transaction status: pending

In order to resolve this matter, please review the transaction details using the link below as soon as possible.

Yours faithfully,
Kathy Quirk
Accounting Department

The link in the spam routes through a couple of hacked sites to a malicious payload at chillestruct.com on 173.248.190.37 (Zerigo Inc, California) and closteation.com on 209.59.221.158 (Endurance International, Massachusetts). Wepawet reports are here and here.

Blocking the IPs will prevent any other malicious sites on those servers from causing problems.

Tuesday 24 January 2012

BBB Spam / chillebucks.com, sulusize.com and sulusity.com

More fake BBB spam leading to a malicious payload, this time hosted on the domain sulusize.com on 174.136.4.211 (Colo4, US). The server appears to be a legitimate hacked server, but blocking traffic to that IP is probably a wise idea if you can do it.

Some sample emails (the usual fake BBB approach):

Date:      Tue, 23 Jan 2012 11:51:58 +0100
From:      "BBB" [info@bbb.org]
Subject:      Better Business Bureau service
Attachments:     betterbb_logo.jpg

Attn: Owner/Manager

Here with the Better Business Bureau would like to inform you that we have received a complaint (ID 23387543) from your customer with respect to their dealership with you.

Please open the COMPLAINT REPORT below to find the details on this question and suggest us about your position as soon as possible.

We hope to hear from you very soon.

Sincerely,

Rebecca Wilcox

Dispute Counselor
Better Business Bureau


Council of Better Business Bureaus
4200 Wilson Blvd, Suite 800
Arlington, VA 22203-1838
Phone: 1 (703) 276.0100
Fax: 1 (703) 525.8277

==============

Date:      Tue, 23 Jan 2012 12:16:00 +0100
From:      "Better Business Bureau" [risk.manager@bbb.org]
Subject:      Re: your customer�s complaint ID 83031311
Attachments:     betterbb_logo.jpg

Hello,

Here with the Better Business Bureau notifies you that we have received a complaint (ID 83031311) from one of your customers in regard to their dealership with you.

Please open the COMPLAINT REPORT below to obtain the details on this question and suggest us about your point of view as soon as possible.

We hope to hear from you very soon.

Regards,

Fernando Grodhaus

Dispute Counselor
Better Business Bureau

The malware tries to download further code from sulusity.com on 209.59.220.65 (Endurance International Group, US).. another one to block. A Wepawet analysis is here.

Update #1:  another version is doing the rounds with the initial malware hosted on chillebucks.com (69.163.37.22, Bula Networks California).

Update #2: The Wepawet analysis indicates that this might do something with the user's Facebook account as well as the usual malware payload.

Monday 23 January 2012

Virus: "I'm in trouble!" spam (again)

This is an email with a link leading to malware. We've seen this pitch before:

Subject: Re: I'm in trouble!

I was at a party yesterday, got drunk, couldn't drive the car, somebody gave me a lift on my car, and crossed on the red light!
I've just got the pictures, maybe you know him???
Here is the photo

I need to find him urgently!

Thank you
Belita
The link goes to a legitimate hacked site, then to a multihomed .ru site on the following IPs:
  125.214.74.8
  129.67.100.11
  173.201.187.225
  173.230.137.129
  173.255.229.33
  174.122.121.154
  209.59.222.145
  211.44.250.173
  213.193.231.210
  24.37.34.163
  46.105.28.61
  50.57.77.119
  50.57.118.247
  74.208.205.185
  78.47.135.105
  78.129.233.8
  80.90.199.196
  81.31.43.43
  82.165.197.58
  83.170.91.152
  84.246.210.87
  85.214.204.32
  87.106.201.119
  93.189.88.198
  97.74.87.3

This is pretty much the same IP list as seen last week (new IPs highlighted). It's unclear at the moment which domains are on the  IPs (though there are some Redret domains here), so blocking the addresses is the safest bet.

Tylers Coffees (tylerscoffees.com) tastes of spam

Here's an annoying spam I have been getting lately:

From:      "Coffee News" [news.coffee@yahoo.com]
Subject:      Check out this coffee

       
Acid Free Coffee
A little cup of java can mean a big problem for stomachs. Acid levels in coffee, as well as impurities and resins, may wreak havoc on the digestive tract. Our customers with sensitive stomachs are relieved to learn that they can still continue enjoying a great cup of coffee whenever they want.

Benefits of an acid free coffee are tooth enamel is protected and teeth are stronger leading to fewer cavities.
    for $5
      
Where it Comes From


The Finest hand-picked Arabica beans are shipped from South America to our roasting factory in Arizona.We use Swiss Water Based Process to decaffeinate our Arabica coffee beans
Read more
How We Make It
       
We use a “Z-Roasting” process that optimizes the time the coffee beans are cooked; the result is high levels of caffeine and free of acid. Benefits of an acid free coffee are tooth enamel is protected and teeth are stronger leading to fewer cavities.
Read more
Regular vs. Decaf
       
Regular: Rockets you forward with level of caffeine that exceeds most other coffee brands.

Decaf: Same great taste as the regular coffee minus the rocket energy, so that you can finally take that sleep you deserve.

Either way - you will LOVE IT !!

Read more

If you want us to take you off our mailing list, please click on the link below
Not interested anymore? Unsubscribe here.

I've seen this several times, to begin with they were trying to use tinyurl.com to mask their URL, but they're pretty good at terminating spammers.

Subsequent runs use the domain justcoffee-noacid.com in the emails. Although the domain has anonymous WHOIS details, it's notable that the spammer is using Piradius Net, a black hat web host from Malaysia as a host. We've seen these guys before.

justcoffee-noacid.com has a miminal amount of content, and depending on which link you click through, you either get redirected to tylerscoffees.com or you get a spammy page tempting you to click through.

In all cases the spam comes through 118.123.6.123  in China.

tylerscoffees.com is a website belonging to Tylers Coffee, a firm in Arizona.

The domain is registered to:

      ornsteins, ian  ian@innovativeformulations.com
      1810 s 6th ave
      tucson, Arizona 85713
      United States
      (520) 628-1553      Fax -- (520) 628-1580

The company seems to be legitimate (although personally I have doubts about their claims over "acidic coffee"), but it looks like someone has decided to try some web site promotion without fully checking what was being done. Spamming out from China via a black hat host in Malaysia is one very easy way to damage your brand..

Friday 20 January 2012

0catch.com and malicious BBB spam

We're currently seeing a spate of malicious BBB spam (like this) being routed through free web hosting sites operated by 0catch.com.

A simple way of blocking this attack is to block the 0catch.com domains. I've never found anything really valuable hosted by this firm, so you probably won't be missing much.

These are all the domains that I can find, if you know of any others then please consider sharing them in the comments:

00freehost.com
00freeweb.com
012webpages.com
0catch.com
0-catch.com
100freemb.com
100megsfree5.com
150m.com
1freewebspace.com
1sweethost.com
741.com
angelcities.com
arcadepages.com
bigheadhosting.net
builtfree.org
designcarthosting.com
digitalzones.com
dreamstation.com
easyfreehosting.com
envy.nu
exactpages.com
ez-sites.ws
fcpages.com
freecities.com
freehostyou.com
freesite.org
freewaywebhost.com
freewebpages.org
freewebportal.com
freewebsitehosting.com
fw.bz
greatnow.com
instantwebgenius.com
just-allen.com
justicewasgreen.com
maddsites.com
megz-bytes.com
mindnmagick.com
o-f.com
parknhost.com
reco.ws
servetown.com
usafreespace.com
virtue.nu
website-home.ws
wtcsites.com

Thursday 19 January 2012

Wire transfer malicious spam / monikabestolucci.ru:8801 and 78.159.118.226

More malicious spam doing the rounds, but this time it's more complicated than before.

From: accounting@victimdomain.com [mailto:accounting@victimdomain.com]
Sent: 18 January 2012 02:14
Subject: Re: Wire Transfer Confirmation (FED_93711S15719)

Dear Bank Account Operator,
WIRE TRANSACTION: FWD-7563133392175652
CURRENT STATUS: PENDING

Please Review your transaction as soon as possible.

The link goes to a legitimate hacked site containing some heavily obfuscated javascript, in turn this points to monikabestolucci.ru:8801 and then downloads further code from 78.159.118.226/forum/hp.php?i=8 (Netdirect, Germany) - the Wepawet report is here, there also an Anubis report on the binary here.

monikabestolucci.ru is massively multihomed (a raw list is at the end of the post) presumably on legitimate hacked servers.

24.37.34.163 (Videotron, Canada)
46.105.28.61 (OVH Systems, Italy)
50.57.77.119 (Slicehost, Texas)
50.57.118.247 (Slicehost, Texas)
74.207.248.120 (Linode, New Jersey)
74.208.205.185 (1&1, US)
78.47.122.11 (Hetzner, Germany)
80.90.199.196 (Webfusion, UK)
81.31.43.43 (Master Internet, Czech Republic)
82.165.197.58 (1&1, Germany)
83.170.91.152 (UK2.NET, UK)
84.246.210.87 (Infortelecom, Spain)
88.191.97.108 (Dedibox SAS, France)
97.74.87.3 (GoDaddy, Arizona)
124.11.65.210 (TFN, Taiwan)
125.214.74.8 (Web24, Australia)
129.67.100.11 (Oxford University, UK)
173.201.187.225 (GoDaddy, Arizona)
173.230.137.129 (Linode, Florida)
173.255.229.33 (Linode, New Jersey)
174.122.121.154 (ThePlanet, Texas)
209.59.222.145 (Endurance International, Massachusetts)
211.44.250.173 (SK Broadband, Korea)

Blocking these IPs might be a pain, but it would block any other malicious sites on the same servers.

Raw list:
24.37.34.163
46.105.28.61
50.57.77.119
50.57.118.247
74.207.248.120
74.208.205.185
78.47.122.11
80.90.199.196
81.31.43.43
82.165.197.58
83.170.91.152
84.246.210.87
88.191.97.108
97.74.87.3
124.11.65.210
125.214.74.8
129.67.100.11
173.201.187.225
173.230.137.129
173.255.229.33
174.122.121.154
209.59.222.145
211.44.250.173

BBB Spam / freecities.com and 78.129.132.82

A couple of BBB spams, both leading to malware on different domains on the same IP of 78.129.132.82 (Rapidswitch / Iomart Hosting, UK).

Example 1:

Date:      Thu, 18 Jan 2012 10:24:33 +0000
From:      "Better Business Bureau"
Subject:      Urgent information from BBB
Attachments:     betterbb_logo.jpg

Attn: Owner/Manager

Here with the Better Business Bureau notifies you that we have received a complaint (ID 38423165) from one of your customers with respect to their dealership with you.

Please open the COMPLAINT REPORT below to obtain more information on this matter and let us know of your point of view as soon as possible.

We are looking forward to your prompt reply.

Regards,

Theresa Morris

Dispute Counselor
Better Business Bureau


Council of Better Business Bureaus
4200 Wilson Blvd, Suite 800
Arlington, VA 22203-1838
Phone: 1 (703) 276.0100
Fax: 1 (703) 525.8277

Example 2:

Date:      Thu, 18 Jan 2012 11:27:55 +0100
From:      "Better Business Bureau"
Subject:      BBB complaint report
Attachments:     betterbb_logo.jpg

Hello,

Here with the Better Business Bureau would like to notify you that we have received a complaint (ID 52266668) from a customer of yours related to their dealership with you.

Please open the COMPLAINT REPORT below to find more information on this issue and let us know of your point of view as soon as possible.

We hope to hear from you very soon.

Sincerely,

Arnold Melendez

Dispute Counselor
Better Business Bureau


Council of Better Business Bureaus
4200 Wilson Blvd, Suite 800
Arlington, VA 22203-1838
Phone: 1 (703) 276.0100
Fax: 1 (703) 525.8277

In these two examples, the malicious payload is on wihdshop.net/main.php?page=c61c8ae4358e765e and ionsclinics.net/main.php?page=4875f07aa6fe472a (Wepawet report is here) , reached through a page on a freecities.com web site (apparently part of 0catch.com). You could consider blocking access to the entire freecities.com domain, but you should certainly block 78.129.132.82 if you can.

These other domains are hosted on 78.129.132.82 and are probably malicious:

0riginalcheck.net
ambasadorka.com
centerjobdepart.com
comparmory.org
digitalarmory.net
gitadocs.com
gitafiles.com
ionsclinics.net
lifesdigi.org
marketjob.net
nextddefence.com
originalsyst.org
ourdefence.net
stafffire.net
stub-search.net
systemdwall.com
theyardesale.com
wihdshop.net
yourdefse.com


Update:  angelcities.com is also being used as an intermediate infection step, also part of 0catch.com. It looks like the intermediate sites might be freshly created, there is no indication that 0catch.com sites have been breached.

Wednesday 18 January 2012

Something evil on 95.211.115.228 and 46.249.37.22.

A set of malicious sites, linked to the Redret gang, hosted on 95.211.115.228 (Leaseweb, Netherlands). Blocking the IP rather than the individual domains will also protect against other malicious sites on the same server.

child-re-ninth-ebusiness.com
childregardingninthebusiness.com
childreninthebusiness.com
childsubjectninthcompany.com
childsubjectninthebiz.com
childsubjectninthebusiness.com
custom-t-shirtsfromhansen.com
extentthahansen.com
freeholidaynew.com
hirtsfromhansen.com
holidaygreat.com
holidaynewsite.com
myholidaynew.com
range-the-hansen.com


Another server in this same network is 46.249.37.22 (Serverius Holding, Netherlands)

1o345.info
1op45.info
2012-my-happy.com
2012myownhappy.com
543oh.info
54mo1.info
54po1.info
akvitea.com
alurbrilance.com
arowipes.com
avangeit.com
bitcast.in
bitcube.in
bitechnica.in
bitfire.in
bitware.in
bitwire.in
businessnfamily.com
companynfamily.com
companynpeople.com
customtshirtsfromhansen.com
domtrixsov.com
drinki.in
familycommercial.com
freeautomag.info
funnytshirtsfromhansen.com
glad-year.com
globaltracking02234.info
great-happy.com
happy-period.com
happy-term.com
happychock.biz
happytwelvemonths.com
ho345.info
iflos.com
ivairiu.com
joyful-year.com
jsijdewhg.com
kalalog-testov.com
latest-happy.com
makdacs00.com
makiajdleavseh.com
merry-year.com
modern-happy.com
muravied222.com
odnonoshnicy.com
plsk3mme.com
q234.info
s00n.in
safe-t-shirtsfromhansen.com
safetshirtsfromhansen.com
serdjuchka.biz
stop-prysham.com
timetracking02234.info
uskoriteliinterneta.biz
xxxtubedirty.com


The third server in the group is 203.170.193.102, which has already been identified here.

doofyonmycolg.ru / coolwebzuzuzu.ru now on 203.170.193.102

The malicious domains doofyonmycolg.ru and coolwebzuzuzu.ru have now shifted IPs since yesterday. The new address is 203.170.193.102 (IDC Cyberworld, Thailand). This server also hosts two "Redret" domains, also as identified yesterday, so these malicious emails are presumably from the same crew.

The following domains appear to be hosted on 203.170.193.102, all of which appear to be malicious in some way:

1god.in
aerostrips.com
arrayhansen.com
available78.de.ms
backozifice.net
betbits.com
boeingmiles.com
ccredret.ru
chronvofu.dlinkddns.com
ckredret.ru
collection-hansen.com
companyandfamily.com
ease.breastedchestedboobiestits.com
familyownedcompany.com
family-ownedcompany.com
filkso.in
freemmsservice.com
freetracking02234.info
greatglad.com
krasivayfigura.com
latestglad.com
libraryhansen.com
lkskjje43d.com
mc-3.in
metropannolike.in
mobiletracking02234.info
myskyinfo.in
oeit.in
olanuc.dlinkddns.com
onlinetelephonika.info
orfasde.dlinkddns.com
p38-adsrv.nl.ai
p66-adservices.nl.ai
pedastera.cu.cc
portfoliohansen.com
rifalogs.com
saldo7.us
schenledi.dlinkddns.com
seifancold.dlinkddns.com
sgsk43tgsdlflfbcbg.uni.me
skyinfo.in
tanildirtystories.com
tshirtsfromhansen.com
usaloaosns.com
zadpol.cu.cc
zareqah.cu.cc
zverovod.in

Scam sites to block on 209.25.137.196

Here's a site of very professional looking scam sites, incuding fake investment firms and escrow companies. Most of these have been registered over the past few weeks with anonymous details.

atlasconsultancyltd.com
bfsauthority.org
bltradinggrp.com
chicagobgllc.com
crawfordcapitalpartners.com
fidelitycorporategroup.com
grenfellassociates.com
johnsonsterlingconsultancy.com
knowltonadvisors.com
mediatransfersltd.com
millerconsultancyservices.com
morganpremiergrp.com
notanordinarysite.com
peregrineintlgroup.com
scmrcom.org
sftcommission.org
tatecarverconsultancy.com
toddwhitefinancial.com
warrenfisherassociates.com
wellsconsultancy.com
winchesterconsultancygrp.com


also hosted on the same server:
mentemptation.com
webhostingbreaker.com

Some of the trading names used by these scammers (some may be similar to legitimate companies):
  • Atlas Consultancy
  • Brussels Financial Supervisory Authority
  • BL Trading Group
  • Chicago Business Group LLC
  • Crawford Capital Partners
  • Fidelity Corporate Group
  • Grenfell and Blackrock Associates
  • Johnson Sterling Consultancy
  • Knowlton Group
  • Media Transfers Limited
  • Miller Counsulting Group
  • Morgan Premier Group
  • Peregrine International Group
  • Swiss Commodity Market Regulatory Commission
  • Swiss Financial Trading Commission
  • Tate and Carver Consultancy Group
  • Todd and White Financial Marketing Services
  • Warren Fisher and Associates
  • Wells Capital Management
  • Winchester Consultancy Group
Do not be fooled by how good the sites look.. they are very, very convincing. Here is are some examples:



The sites are all hosted on 209.25.137.196 which looks like a rented server from LiquidNet, Florida. Also hosted on the same server is webhostingbreaker.com (possibly based in the Philippines) which might be the black hat reseller involved.

Part of this network was fingered a few weeks ago here, and it still appears to be active. Avoid at all costs.

How to access Wikipedia during the blackout

Wikipedia is blacked out because of a protest about SOPA. But what happens if you really, really need Wikipedia?

The good news is that you can still access it on your smartphone, or by accessing the mobile site directly. You can also temporarily by disabling Javascript in your browser when visiting the site (specifically blocking scripts from bits.wikimedia.org). Using Firefox + NoScript is an easy way to do this.

The Wikimedia foundation have a technical description of how the blackout is implemented here.

Added: the stylesheet itself appears to be at http://bits.wikimedia.org/en.wikipedia.org/load.php?debug=false&lang=en&modules=site&only=styles&skin=vector&*  so blocking that temporarily might help.

If you are managing a large number of users who need access, you can block access to bits.wikimedia.org/en.wikipedia.org/ which will allow access to content but screws up the layout.

Tuesday 17 January 2012

Scan from a Xerox W. Pro spam / coolwebzuzuzu.ru

Another malicious spam, this time leading to an exploit page on coolwebzuzuzu.ru/main.php.

Date:      Tue, 16 Jan 2012 02:50:00 +0000
From:      officejet@victimdomain.com
Subject:      Fwd: Fwd: Scan from a Xerox W. Pro #9522304

A Document was sent to you using a XEROX OFFICE N220337423.

SENT BY: LAURA
IMAGES : 6
FORMAT (.JPG) DOWNLOAD

DEVICE: PD55695SK7AO559107L

coolwebzuzuzu.ru is hosted on 66.225.237.222, HostForWeb in Chicago. There is another malware site on an adjacent IP. You might want to block both IPs or even the whole /24 to be on the safe side.

UPS Spam / doofyonmycolg.ru

This UPS (or is it USPS?) spam is attempting to direct visitors to a malicious web page at doofyonmycolg.ru/main.php. This looks like a variant of the Redret campaign we have seen recently.

Date:      Tue, 16 Jan 2012 02:16:45 -0300
From:      "UPS TEAM 121" [support.350@ups.com]
Subject:      UPS Tracking Number H4825887305

Your USPS .US for big savings!     Can't see images? CLICK HERE.   
UPS UPS TEAM 477   
UPS - UPS MANAGER 559 >>
  
Not Ready to Open an Account?   
      
    The UPS Store® can help with full service packing and shipping.  
    Learn More >>  
  
UPS - Your UPS Customer Services

DEAR, victim@victimdomain.com.

DEAR CLIENT , Delivery Confirmation: Failed

Track your Shipment now!

With best regards , Your UPS Services.
  
                      
Shipping         Tracking         Calculate Time & Cost         Open an Account
                      
@ 2011 United Parcel Service of America, Inc. USPS CUSTOMER SERVICES, the UPS brandmark, and the color brown are

trademarks of United Parcel Service of America, Inc. All rights reserved.


This is a marketing e-mail for UPS services. Click here to update your e-mail preferences or to unsubscribe to

Your USPS .US marketing e-mail. For information on UPS's privacy practices, please refer to UPS Privacy Policy.

Your USPS .US, 1 Glenlake Parkway, NE - Atlanta, GA 30331

Attn: Customer Communications Department 

doofyonmycolg.ru is hosted on 66.225.237.223. There is another malicious site on 66.225.237.222, there may be others. This IP is allocated to HostForWeb Inc, Chicago. Blocking the IP rather than the domain may help protect against other malicious sites on the same server.

Redret domains to block 17/1/12

The Redret domains have shifted around a little since last week, indicating perhaps more malicious activity to come.

Of note, cvredret.ru and cxredret.ru are both multihomed on several IP addresses (both domains are on the same set of addresses). Those domains can be found on 91.208.181.205, 93.189.88.198, 213.193.231.210, 78.47.135.105, 78.129.233.8, 85.214.204.32, and 87.106.201.119.

Changes since last time are highlighted.

46.249.37.109 (Serverius Holdings, Netherlands)
cpredret.ru

67.215.3.153 (GloboTech Communications, California)
ckredret.ru
clredret.ru

78.47.135.105 (Hetzner Online, Germany)
cvredret.ru
cxredret.ru

78.129.233.8 (Rapidswitch, UK)
cvredret.ru
cxredret.ru

79.137.237.63 (Digital Network JSC aka DINETHOSTING, Russia. Block 79.137.224.0/20)
crredret.ru
ctredret.ru
czredret.ru

79.137.237.67 (Digital Network JSC aka DINETHOSTING, Russia. Block 79.137.224.0/20)
ciredret.ru
coredret.ru

79.137.237.68 (Digital Network JSC aka DINETHOSTING, Russia. Block 79.137.224.0/20)
caredret.ru
cdredret.ru
cfredret.ru
cgredret.ru
csredret.ru

85.214.204.32 (Strato AG, Germany)
cvredret.ru
cxredret.ru

87.106.201.119 (1&1, Spain)
cvredret.ru
cxredret.ru

89.208.34.116  (Digital Network JSC aka DINETHOSTING, Russia. Block 89.208.32.0/19)
aredirect.ru
ajredret.ru
akredret.ru
alredret.ru
amredret.ru
apredret.ru
arredret.ru
asredret.ru
baredret.ru
biredret.ru
bvredret.ru

91.208.181.205 (Oxalide, France)
cvredret.ru
cxredret.ru

91.220.35.38 (Zamanhost, Ukraine/Russia. Block 91.220.35.0/24)
bredirect.ru
credirect.ru
dredirect.ru
eredirect.ru
aaredret.ru
abredret.ru
acredret.ru
adredret.ru

91.222.137.170 (Delta-X Ltd, Ukraine. Consider blocking 91.222.136.0/22)
chredret.ru
cjredret.ru

93.189.88.198 (Silicontower, Spain)
cvredret.ru
cxredret.ru

94.199.51.108 (23VNet, Hungary)
bkredret.ru
bpredret.ru
bxredret.ru
byredret.ru

95.163.89.193 (Digital Network JSC aka DINETHOSTING, Russia. Block 95.163.64.0/19)
aeredret.ru
afredret.ru
agredret.ru
ahredret.ru
airedret.ru
bbredret.ru
bcredret.ru
bdredret.ru
beredret.ru
bfredret.ru
bgredret.ru
bhredret.ru

95.163.89.200 (Digital Network JSC aka DINETHOSTING, Russia)
bwredret.ru
bzredret.ru

109.70.26.36 (Parked at RU-SERVICE Ltd ISP)
iredirect.ru

203.170.193.102 (IDC Cyberworld, Thailand)
cbredret.ru
ccredret.ru

213.193.213.210 (Trueserver, Netherlands)
cvredret.ru
cxredret.ru

No IP at present
fredirect.ru
gredirect.ru
hredirect.ru
jredirect.ru
kredirect.ru
lredirect.ru
mredirect.ru
nredirect.ru
oredirect.ru
predirect.ru
qredirect.ru
rredirect.ru
sredirect.ru
tredirect.ru
uredirect.ru
vredirect.ru
wredirect.ru
xredirect.ru
yredirect.ru
zredirect.ru
anredret.ru
aoredret.ru
aqredret.ru
atredret.ru
auredret.ru
avredret.ru
awredret.ru
axredret.ru
ayredret.ru
azredret.ru
bjredret.ru
bmredret.ru
bnredret.ru
bqredret.ru
brredret.ru
btredret.ru
buredret.ru
ceredret.ru
cmredret.ru
cnredret.ru
cqredret.ru
cwredret.ru
cyredret.ru

Friday 13 January 2012

"Your order for helicopter for the weekend" / ccredret.ru

Another Redret spam leading to a malicious payload..


Date:      Fri, 12 Jan 2012 04:53:25 +0100
From:      "Keila Farley" [HannaMarcelino@ameritrade.com]
Subject:      Your order for helicopter for the weekend

Your order for our air carriage services has been received and processed. The chopper will be at your disposal from 3.30 a.m. sunday to 16.00 wednesday. Once again, the rates are as follows:
1 hour in the air: 794$
Takeoff / Landing: 163$
1 hour idle time on the ground: 166$
Longest flight is 3 hours.
When flying for longer distances, a co-pilot is needed, and the cost accordingly grows by 114$ per hour.


Invoice.doc 581kb
With Best Regards
Keila Farley
The malicious payload is delivered via a legitimate hacked site which redirects to ccredret.ru/main.php, hosted on 67.215.3.153 (GloboTech, California). That same IP was seen recently with another Redret domain, and you should block access to it if you can.

fff

Thursday 12 January 2012

"John Dillinger" / "Apple Store - Important information about your Apple ID"

This email was actually sent by Apple, apparently to a famous bank robber, John Dillinger.

Date: Thu, 12 Jan 2012 01:37:23 +0000 (GMT)
From: Apple [appleid@id.apple.com]
Subject: Apple Store - Important information about your Apple ID

    Apple Online Store   
Order Status     Account     Help    
   
   
Dear John Dillinger
Welcome to the Apple Online Store. We wanted to share some information with you about your Apple ID, which allows you to personalize your Apple Online Store experience and helps you access other Apple resources.
Your Apple ID is your current email address.  You can use the password you created when you set up your account online. If you forget or need to reset your password, go to My Apple ID.
By using your Apple ID on the Apple Online Store, you have access to your account information online.  You can save carts until you're ready to place an order, check the status of or change your order, track your shipments, view your order history, maintain your account information, check Apple Gift Card balances, and much more.
Additionally, your Apple ID gives you access to other Apple resources, including:
• Buying music, movies, TV shows, and more at the iTunes Store
• Buying or downloading applications for your iPod touch or iPhone using the App Store
• Ordering photos and photobooks through iPhoto
• Registering your Apple products
• Accessing support for your products from AppleCare
• Getting One to One personal training and other services at an Apple Retail Store
Sign in to Your Account, to take advantages of the benefits of your Apple ID on the Apple Online Store. To learn more about your Apple ID, visit the Your Account section of online Help.
We also want you to know that the security of your personal information is important to us.  For more information on how Apple protects your personal information, please refer to the Apple Customer Privacy Policy.
Thank you for choosing Apple,
The Apple Store Team
http://store.apple.com
1-800-MY-APPLE


Indeed, an Apple account has been created for this email address. But not by me. Upon inspection, the Apple account has no information in it apart from the "John Dillinger" name, and it's a simple matter to reset the password to thwart whatever it going on here.

The email is quite genuine, coming from an Apple IP (17.254.6.195) and with all the links pointing to Apple and not another site. And it seems that I am not alone in receiving this email.

If you have had the same email, please consider letting me know in the comments!

Tuesday 10 January 2012

"Our chances to win an action are higher than ever" spam / clredret.ru

A weird spam, leading to a malicious download at clredret.ru/main.php via a random hacked site.
Date:      Tue, 9 Jan 2012 08:39:05 +0300
From:      victimname@gmail.com
Subject:      Re: Our chances to win an action are higher than ever.

We discussed it with the administration representatives, and if we confess our non-essential faults to improve their statistics, the key cause will be closed due to the lack of the government interest to the action We have prepared your declaratory text for the court. Please read it carefully and if anything in it dissatisfies you, inform us.

Speech.doc 489kb


With Respect To You
Jeramiah Cohen

As mentioned earlier, clredret.ru is on 46.249.37.22 (Serverius Holdings, Netherlands) and that IP is well worth blocking.

Redret domains to block 10/1/12

After a quite couple of weeks, the Redret spam has started again using the domains and IPs listed below. Some are familiar, some are new. In some cases blocking whole IP ranges is the best idea.

46.249.37.22 (Serverius Holdings, Netherlands)
clredret.ru

46.249.37.109 (Serverius Holdings, Netherlands)
cpredret.ru

67.215.3.153 (GloboTech Communications, California)
ckredret.ru

79.137.237.63 (Digital Network JSC aka DINETHOSTING, Russia. Block 79.137.224.0/20)
crredret.ru
ctredret.ru
czredret.ru

79.137.237.67 (Digital Network JSC aka DINETHOSTING, Russia. Block 79.137.224.0/20)
ciredret.ru
coredret.ru

79.137.237.68 (Digital Network JSC aka DINETHOSTING, Russia. Block 79.137.224.0/20)
caredret.ru
cdredret.ru
cfredret.ru
cgredret.ru
csredret.ru

89.208.34.116  (Digital Network JSC aka DINETHOSTING, Russia. Block 89.208.32.0/19)
ajredret.ru
akredret.ru
alredret.ru
amredret.ru
apredret.ru
aredirect.ru
arredret.ru
asredret.ru
baredret.ru
biredret.ru
bvredret.ru

91.220.35.38 (Zamanhost, Ukraine/Russia. Block 91.220.35.0/24)
aaredret.ru
abredret.ru
acredret.ru
adredret.ru
bredirect.ru
credirect.ru
dredirect.ru
eredirect.ru

91.222.137.170 (Delta-X Ltd, Ukraine. Consider blocking 91.222.136.0/22)
chredret.ru
cjredret.ru

94.199.51.108 (23VNet, Hungary)
bkredret.ru
bpredret.ru
bxredret.ru
byredret.ru

95.163.89.193 (Digital Network JSC aka DINETHOSTING, Russia. Block 95.163.64.0/19)
aeredret.ru
afredret.ru
agredret.ru
ahredret.ru
airedret.ru
bbredret.ru
bcredret.ru
bdredret.ru
beredret.ru
bfredret.ru
bgredret.ru
bhredret.ru

95.163.89.200 (Digital Network JSC aka DINETHOSTING, Russia)
bwredret.ru
bzredret.ru

109.70.26.36 (Parked at RU-SERVICE Ltd ISP)
iredirect.ru

No IP at present
anredret.ru
aoredret.ru
aqredret.ru
atredret.ru
auredret.ru
avredret.ru
awredret.ru
axredret.ru
ayredret.ru
azredret.ru
bjredret.ru
bmredret.ru
bnredret.ru
bqredret.ru
brredret.ru
btredret.ru
buredret.ru
cbredret.ru
ccredret.ru
ceredret.ru
cmredret.ru
cnredret.ru
cqredret.ru
cvredret.ru
cwredret.ru
cxredret.ru
cyredret.ru
fredirect.ru
gredirect.ru
hredirect.ru
jredirect.ru
kredirect.ru
lredirect.ru
mredirect.ru
nredirect.ru
oredirect.ru
predirect.ru
qredirect.ru
rredirect.ru
sredirect.ru
tredirect.ru
uredirect.ru
vredirect.ru
wredirect.ru
xredirect.ru
yredirect.ru
zredirect.ru

Airline ticket spam / ckredret.ru

Despite a whole pile of Redret malware spam at the end of the year, the past couple of weeks have been very quiet. However, a new campaign has started up directing visitors via a hacked legitimate site to ckredret.ru/main.php which is hosted on 203.170.193.102 (IDC Cyberworld, Thailand).

Date:      Tue, 9 Jan 2012 08:33:24 +0700
From:      sales1@victimdomain.com
Subject:      Re: Your Flight N US966-282315527

Dear Customer,



FLIGHT NUMBER 5821-5704164

DATE/TIME : JANUARY 23, 2011, 16:12 PM

ARRIVING AIRPORT: WASHINGTON DC INT. AIRPORT

PRICE : 552.06 USD



Download your ticket here:

VIEW



KAYCEE Ramirez,

American Airlines

Right at the moment the site is failing to resolve, but that could simply be a loading issue. Blocking the 203.170.193.102 IP address would be a good idea as it will stop any other malicious sites on the same server.

Friday 6 January 2012

"Elavon 2012 Update" phish

Elavon deals with payment processing. This email is not from Evalon.

From: "Elavon, Inc." [sobolan@myvirtualmerchan-02.com]
Date:Fri, 06 Jan 2012 16:09:48 +0100
Subject: Urgent-Notification

--Elavon 2012 Update--
Dear Customer,

We regret to inform you that your retail merchant account is locked.
To re-activate it please download the file attached to this e-mail and update your login information.

2012 Elavon Inc,
-Please note only RETAIL account are locked-
-Example : Market Segmet : Retail-

Attached is a file called myvirtualmerchant_login.html which is the phish itself, displaying the following screen.

The form itself sends the details to mail.xinsanjing.com on 220.189.213.181. (HangZhou XinSanJing Food Co. Ltd. China) which is possibly a hacked server. In this case the email originated from 209.91.252.206 in Puerto Rico.

If you use Elavon's services, watch out for this phish.