Sponsored by..

Monday, 21 November 2016

Something evil on 64.20.51.16/29 (customer of Interserver, Inc)

I wrote about this evil network on 64.20.51.16/29 (a customer of Interserver, Inc) over a year ago, identifying it as a hotbed of fraud. Usually these bad networks don't hang around for very long, but in this case it seems to be very persistent.

This time it came to notice from a terse spam with a PDF attached:

From:    Lisa Liang [ineedu98@hanmail.net]
To:    me@yahoo.com
Date:    20 November 2016 at 23:23
Subject:    11/21/2016 Amended

FYI
Attached is a file Amended copy.pdf which when you open it (not recommended) looks blurry with "VIEW" in big red letters.

The link in the email goes to bit.ly/2fJbyol - if you put the "+" on the end of a Bitly link then you can see the number of clickthroughs and what the landing page is (www.serviceupgrade.tech/pdf.php in this case).

Clicking through gives you a login page for "Adobe PDF Online" which is of course a generic phishing page.


Analysis of the 64.20.51.16/29 range finds 193 sites historically connected with it marked as being phishing or some other malicious activity. There are at least 284 sites currently within that range, of which the following are both hosted in that range currently and are malicious:

sparvicharityfoundation.com
ftp.eurocontrol-int.net
eurocontrol-int.net
bocusin.com
eurocontrol-int.net
meclp.com
lntedg.com
bs-shipmanagements.com
rolloninz.com
outlook-excell.com
safetech-online.com
lrbis.com
stmposlka.com
combinaparts.com
gsctechinology.com
writverify-online.com
ubsinvbnk.com
kiy-carbon.com
hsbcoffshores.com
natural-live.top
ftp.daemon-mail.com
ftp.paypalcenter.com
mobile-secure.us
zharmonics-online.com
nahpa-vn.com
djhexport.com
paypalcenter.com
victorialmpex.com
schmiditsports.com
lindner-stofftiere.com
novady.top

11% of the total sites in the range have been tagged by SURBL or Google as being bad, and to be honest there are probably a LOT more but those services haven't caught up yet.

In any case, there seems to be nothing of value in 64.20.51.16/29 and I strongly recommend that you block traffic to the entire range.




No comments: