Dynamoo's Blog
Malware, spam, scams and random stuff, by Conrad Longmore.

Updated 3NT Solutions LLP / inferno.name / V3Servers.net IP ranges (2021 edition)
Posted 24 February 2021
It's been about a zillion years (well, OK, it was 2017) since I last published a list of IPs belonging to 3NT Solutions LLP that you probably want to block. Their name came up yet again in something I was looking at, and I was slightly surprised to see that the old list was still somewhat valid. However, a bit of research found some new ranges and some that have been potentially cleaned

Websites owned by Philip John Sabin and associated companies
Posted 24 November 2020
Apropos of nothing, all these websites are hosted on 212.230.207.100 to 213.230.207.109 (Netcalibre, UK) and appear to be owned and controlled by Philip John Sabin and/or Luxury Sleuth Ltd (11482506) and We Just Compare Ltd (12485232). Funnily enough, I can't find an ICO registration for these companies; maybe that's just me doing it wrong. Perhaps anyone who knows can add something in the comments?

"Central Intelligence Agency - Case #79238516" extortion spam
Posted 18 March 2019
I've seen various extortion spams over the past 12 months or so, but this one has a particularly vicious twist.
If you haven't seen one of these before - it's just a spam, randomly sent to your email address. You can safely ignore it.
From: Liza Guest [liza-guest@eosj.cia-gov-it.tk]
Reply-To: liza-guest@eosj.cia-gov-it.tk
To: [redacted]

Phishing and fraudulent sites hosted on 188.241.58.60 (Qhoster)
Posted 22 May 2018
Nigerian registrants. Dodgy Eastern European host offering bulletproof and anonymous hosting. Yup, I very much doubt there is anything legitimate at all hosted on 188.241.58.60, or indeed on any part of Qhoster's network.
237buzz.com
255page.ga
702mine.com
779999977.

Malware spam: "New documents available for download" / service@barclaysdownloads.co.uk / barclaysdownloads.com
Posted 10 May 2018
This fake Barclays spam seems to lead to the Trickbot banking trojan.
From: Barclays [service@barclaysdownloads.co.uk]
Date: 10 May 2018, 13:16
Subject: New documents available for download
Signed by: barclaysdownloads.co.uk
Security: Standard encryption (TLS)
Barclays Bank PLC Has Sent You

"Best porno ever" Necurs spam
Posted 4 May 2018
This spam (apparently from the Necurs botnet) promises much, but seems not to deliver.
From: Susanne@victimdomain.tld [Susanne@victimdomain.tld]
Date: 4 May 2018, 10:22
Subject: Best porno ever
Hi [redacted],
Best gay,teen,animal porno ever
Please click the following link to activate your account.
hxxp:||46.161.40.145:3314
Regards,
Susanne
The

New Traffic Light Protocol (TLP) levels for 2018
Posted 1 April 2018
The Traffic Light Protocol should be familiar to anyone working with sensitive data, with levels RED, AMBER, GREEN and WHITE being used to specify how far information can be shared. In recent years it has become clear that these four levels are not enough, so the United Nations International Committee on Responsible Naming (UN/ICoRN) has introduced nine new TLP levels for implementation from the

"Faster payment" scam is not quite what it seems
Posted 8 March 2018
I see a lot of "fake boss" fraud emails in my day job, but it's rare that I see them sent to my personal email address. These four emails all look like fake boss fraud emails, but there's something more going on here.
From: Ravi [Redacted] <ravi@victimdomain.com>
Reply-To: Ravi [Redacted] <ravi@victimdomain.com-3.eu>
To:

Swisscoin [SIC] cryptocurrency spam
Posted 15 January 2018
Swisscoin is a fairly low-volume self-styled cryptocurrency that has been the target of a Necurs-based spam run starting on Saturday 13th January, and increasing in volume to huge levels on Monday.
From: Florine Fray [Fray.419@redacted.tld]
Date: 15 January 2018 at 10:51
Subject: Could this digital currency actually make you a millionaire?

Some random thoughts on Damian Green and those porn allegations
Posted 4 December 2017
If you live in the UK then you might have noticed the somewhat bizarre furore over Damian Green MP and his alleged viewing of pornography on his Parliamentary computer. Now, I don't know for certain if he did or didn't, but to put it in context his private email address also allegedly turned up in the Ashley Madison leak, and on top of that there are sexual harassment allegations too. But

Bogus porn blackmail attempt from adulthehappytimes.com
Posted 31 October 2017
This blackmail attempt is completely bogus, sent from a server belonging to the adulthehappytimes.com domain.
From: Hannah Taylor [bill@adulthehappytimes.com]
Reply-To: bill@adulthehappytimes.com
To: contact@victimdomail.tld
Date: 31 October 2017 at 15:06
Subject: ✓ Tiскеt ID: DMS-883-97867 [contact@

Updated 3NT Solutions LLP / inferno.name / V3Servers.net IP ranges
Posted 25 October 2017
[For the February 2021 version of this list, click here] When I was investigating IOCs for the recent outbreak of BadRabbit ransomware I discovered that it downloaded from a domain 1dnscontrol.com hosted on 5.61.37.209. This IP belongs to a company called 3NT Solutions LLP that I have blogged about before.
It had been three-and-a-half years since I looked at their IP address ranges so I

Malware spam: "Order acknowledgement for BEPO/N1/380006006(2)"
Posted 24 October 2017
A change to the usual Necurs rubbish, this fake order has a malformed .z archive file which contains a malicious executable with an icon to make it look like an Office document.
Reply-To: purchase@animalagriculture.org
To: Recipients [DY]
Date: 24 October 2017 at 06:48
Subject: FW: Order acknowledgement for BEPO/N1/380006006

Evil network: Fast Serv Inc / Qhoster.com
Posted 17 October 2017
Checking the IOCs for this latest Flash 0-day came up with an interesting IP address, 89.45.67.107, which belongs to Fast Serv Inc aka Qhoster, probably of Bulgaria but masquerading as a Belize outfit.
I came across Fast Serv / Qhoster a lot last year during the Angler EK epidemic, where they had entire ranges full of badness, often with no discernible legitimate sites at all. It

Scam: "Help Your Child To Be A Professional Footballer." / info@champ-footballacademyagency.co.uk
Posted 8 October 2017
This spam email is a scam:
Subject: Help Your Child To Be A Professional Footballer.
From: "FC Academy" [csa@sargas-tm.eu]
Date: Sun, October 8, 2017 10:30 am
To: "Recipients" [fcsa@sargas-tm.eu]
Priority: Normal
Hello,
Does your child desire to

Malware spam: "Emailing: Scan0xxx" from "Sales" delivers Locky or Trickbot
Posted 28 September 2017
This fake document scan delivers different malware depending on the victim's location:
Subject: Emailing: Scan0963
From: "Sales" [sales@victimdomain.tld]
Date: Thu, September 28, 2017 10:31 am
Your message is ready to be sent with the following file or link
attachments:
Scan0963
Note: To protect

Malware spam: "AutoPosted PI Notifier"
Posted 26 September 2017
This spam has a .7z file leading to Locky ransomware.
From: "AutoPosted PI Notifier" [NoReplyMailbox@redacted.tld]
Subject: Invoice PIS9344608
Date: Tue, September 26, 2017 5:29 pm
Please find Invoice PIS9344608 attached.
The number referenced in the spam varies, but attached is a .7z archive file with a matching

Malware spam: "Invoice RE-2017-09-21-00xxx" from "Amazon Marketplace"
Posted 21 September 2017
This fake Amazon spam comes with a malicious attachment:
Subject: Invoice RE-2017-09-21-00794
From: "Amazon Marketplace" [yAhbPDAoufvZE@marketplace.amazon.co.uk]
Date: Thu, September 21, 2017 9:21 am
Priority: Normal
------------- Begin message -------------
Dear

Malware spam: "Status of invoice" with .7z attachment
Posted 18 September 2017
This spam leads to Locky ransomware:
Subject: Status of invoice
From: "Rosella Setter" ordering@[redacted]
Date: Mon, September 18, 2017 9:30 am
Hello,
Could you please let me know the status of the attached invoice? I
appreciate your help!
Best regards,
Rosella Setter
Tel: 206-575-8068 x 100

QTUM Cryptocurrency spam
Posted 6 September 2017
This spam email appears to be sent by the Necurs botnet, advertising a new Bitcoin-like cryptocurrency called QTUM. Necurs is often used to pump malware, pharma and data spam and sometimes stock pump and dump.
There is no guarantee that this is actually being sent by the people running QTUM; it could simply be a Joe Job to disrupt operations. Given some of the wording alluding to illegal

Malware spam: "Scanning" pretending to be from tayloredgroup.co.uk
Posted 5 September 2017
This spam email pretends to be from tayloredgroup.co.uk, but it is just a simple forgery leading to Locky ransomware. There is both a malicious attachment and a malicious link in the body text. The name of the sender varies.
Subject: Scanning
From: "Jeanette Randels" [Jeanette.Randels@tayloredgroup.co.uk]
Date: Thu,

Malware spam: "Voicemail Service" / "New voice message.."
Posted 25 August 2017
The jumble of numbers in this spam is a bit confusing. Attached is a malicious RAR file that leads to Locky ransomware.
Subject: New voice message 18538124076 in mailbox 185381240761 from "18538124076" <6641063681>
From: "Voicemail Service" [vmservice@victimdomain.tdl]
Date: Fri, August 25, 2017

Malware spam: "Your Sage subscription invoice is ready" / noreply@sagetop.com
Posted 25 August 2017
This fake Sage invoice leads to Locky ransomware. Quite why Sage are picked on so much by the bad guys is a bit of a mystery.
Subject: Your Sage subscription invoice is ready
From: "noreply@sagetop.com" [noreply@sagetop.com]
Date: Thu, August 24, 2017 8:49 pm
Dear Customer
Your Sage subscription invoice

Multiple badness on metoristrontgui.info / 119.28.100.249
Posted 24 August 2017
Two massive fake "Bill" spam runs seem to be under way, one claiming to be from BT and the other being more generic.
Subject: New BT Bill
From: "BT Business" [btbusiness@bttconnect.com]
Date: Thu, August 24, 2017 6:08 pm
Priority: Normal
From BT
New BT Bill
Your bill amount is

Malware spam: "Customer Service" / "Copy of Invoice xxxx"
Posted 23 August 2017
This fairly generic spam leads to the Locky ransomware:
Subject: Copy of Invoice 3206
From: "Customer Service"
Date: Wed, August 23, 2017 9:12 pm
Please download file containing your order information.
If you have any further questions regarding your invoice, please call Customer Service.
Please do not