Malware sites to block 29/5/13

These domains and IP addresses are connected to this malware spam run and belong to a group I call the "Amerika" gang (because they tend to use fake US addresses for their WHOIS details but really seem to be Russian).

It's quite a long set of lists: first there is a list of malware domains, then a list of malicious IPs and their web hosts, followed by a plain recommended blocklist list of IPs for copy-and-pasting, finally a list of IPs that are advertised as nameservers within this group for research purposes only.

You might notice something odd going on at the University of Illinois in the 128.174.240.0/24 range. Hmm..

Domains:
adverstindotanes.com
assumedwhacked.su
auditbodies.net
autocanonicals.com
aviachecki.ru
avtotracki.ru
balckanweb.com
bebomsn.net
bednotlonely.com
beveragerefine.su
biati.net
businessdocu.net
buyparrots.net
carambatv.net
chairsantique.net
cocainism.net
condalinaradushko.ru
condalinaradushko5.ru
condalinradishevo.ru
confideracia.ru
coping-capacity.com
crossdissstep.com
crushandflussh.net
curilkofskie.ru
decimallogme.com
docudat.ru
doorandstoned.com
down-vid.net
e-eleves.net
ernutkskiepro.ru
exrexycheck.ru
fastkrug.ru
federal-credit-union.com
fenvid.com
flipboardre-late.com
gangrenablin.ru
garohoviesupi.ru
getstatsp.ru
ghroumingoviede.ru
giwmmasnieuhe.ru
heavygear.net
heidipinks.com
hiddenhacks.com
hotamortisation.net
iberiti.com
icensol.net
independinsy.net
initiationtune.su
insectiore.net
jounglehoodeze.su
letsgofit.net
linguaape.net
metalcrew.net
mgdooling.ru
mortolkr4.com
multipliedfor.com
mydkarsy.com
myfreecamgirls.net
nitrogrenberd.net
normansvenn.com
notyetratedwort.com
nvufvwieg.com
ochengorit.ru
otoperhone.com
outbounduk.net
outlookexpres.net
peertag.com
penetratedsync.su
pizdecnujzno.ru
proxy-tor-service.com
recorderbooks.net
relectsdispla.net
reportingglan.com
restaurantequipmentparadise.net
roobihhooerses.at
rusistema.ru
salesplaytime.net
sbliteratedtum.su
scanskype.pl
secrettapess.com
secureaction120.com
sludgekeychai.net
smartsecurity-app.com
smartsecurityapp2013.com
smurfberrieswd.su
solidlettersiz.su
stackltiplied.net
streetgreenlj.com
streetlookups.com
susubaby.net
sweetcarsinkas.at
tasteh-pux.com
techno5room.ru
testerpro5.ru
timeschedulin.com
time-update.com
time-update.net
trackerpro5.ru
twintrade.net
uestsradiates.net
usergateproxy.net
virgin-altantic.net
xenaidaivanov.ru
yelpwapphoned.com
zeouk-gt.com
zoohits.net

IPs and hosts:
5.175.155.183 (GHOSTnet, Germany)
37.131.214.69 (Interra Ltd, Russia)
41.89.6.179 (Kenya Education Network, Kenya)
42.62.29.4 (Forest Eternal, China)
50.193.197.178 (Comcast, US)
54.214.22.177 (Amazon AWS, US)
62.109.30.168 (TheFirst-RU, Russia)
77.237.190.22 (Parsun Network Solutions, Iran)
82.50.45.42 (Telecom Italia, Italy)
91.93.151.127 (Global Iletisim Hizmetleri, Turkey)
91.193.75.55 (KGB Hosting, Serbia)
94.249.208.228 (GHOSTnet, Germany)
95.43.161.50 (BTC, Bulgaria)
99.61.57.201 (AT&T, US)
103.7.251.36 (Fiberathome, Bangladesh)
109.169.64.170 (ThrustVPS, US)
112.196.2.39 (Quadrant Televentures / HFCL Infotel, India)
114.4.27.219 (Indosat, Indonesia)
114.247.121.139 (China Unicom, China)
115.28.35.163 (HiChina Web Solutions, China)
122.160.51.9 (ABTS, Delhia)
128.174.240.37 (University of Illinois, US)
128.174.240.52 (University of Illinois, US)
128.174.240.74 (University of Illinois, US)
128.174.240.153 (University of Illinois, US)
128.174.240.213 (University of Illinois, US)
140.117.164.154 (Sun Yat-sen University, Taiwan)
151.1.224.118 (Itnet, Italy)
159.253.18.253 (FastVPS, Russia)
162.209.12.86 (Rackspace, US)
166.78.136.235 (Rackspace, US)
177.5.244.236 (Brasil Telecom, Brazil)
178.20.231.214 (Salay Telekomunikasyon Ticaret Limited, Turkey)
178.209.126.87 (WestCall Ltd, Russia)
181.52.237.17 (Telmex, Colmbia)
183.82.221.13 (Hitech, India)
186.215.126.52 (Global Village Telecom, Brazil)
188.32.153.31 (National Cable Networks, Russia)
190.106.207.25 (Comcel, Guatemala)
192.154.103.81 (Gorillaservers, US)
192.210.216.53 (ColoCrossing, US)
197.246.3.196 (The Noor Group, Egypt)
201.65.23.153 (Comercial 15 De Novembro Ltda, Brazil)
201.170.148.171 (Telefonos del Noroeste, Mexico)
204.45.7.213 (FDCservers.net, US)
208.68.36.11 (Digital Ocean, US)
210.61.8.50 (Chunghwa Telecom, Taiwan)
212.179.221.31 (Bezeq International, Israel)
213.113.120.211 (Telenor, Sweden)
217.174.211.1 (Agarik SA, France)
222.200.187.83 (Sun Yat-sen University, China)

Recommended IP blocklist:
5.175.155.183
37.131.214.69
41.89.6.179
42.62.29.4
50.193.197.178
54.214.22.177
62.109.28.0/22
77.237.190.0/24
82.50.45.42
91.93.151.127
91.193.75.0/24
94.249.208.228
95.43.161.50
99.61.57.201
103.7.251.36
109.169.64.170
112.196.2.39
114.4.27.219
114.247.121.139
115.28.35.163
122.160.51.9
128.174.240.0/24
140.117.164.154
151.1.224.118
159.253.18.0/24
162.209.12.86
166.78.136.235
177.5.244.236
178.20.231.214
178.209.126.87
181.52.237.17
183.82.221.13
186.215.126.52
188.32.153.31
190.106.207.25
192.154.103.81
192.210.216.53
197.246.3.196
201.65.23.153
201.170.148.171
204.45.7.213
208.68.36.11
210.61.8.50
212.179.221.31
213.113.120.211
217.174.211.1
222.200.187.83

IPs advertising as nameservers (I'm pretty sure some of these are bogus, so use these for research purposes only):
2.121.229.200 (Sky Broadband, UK)
5.175.146.153 (GHOSTnet, Germany)
5.175.154.17 (GHOSTnet, Germany)
5.175.154.149 (GHOSTnet, Germany)
5.231.18.4 (GHOSTnet, Germany)
6.18.199.178 (Department of Defense, US)
6.20.13.25 (Department of Defense, US)
8.13.139.1 (Level 3 Communications, US)
8.18.19.15 (Level 3 Communications, US)
8.18.19.16 (Level 3 Communications, US)
11.3.51.158 (Department of Defense, US)
12.179.132.98 (Intuit, US)
14.139.209.13 (National Institute Of Technology, India)
15.78.78.23 (Hewlett Packard, US)
15.84.23.131 (Hewlett Packard, US)
17.19.12.100 (Apple Inc, US)
20.2.45.143 (CSC, US)
22.100.28.100 (Department of Defense, US)
29.125.31.77 (Department of Defense, US)
42.96.142.17 (Alibaba, China)
42.96.194.13 (Alibaba, China)
46.254.18.79 (Internet-Hosting Ltd, Russia)
65.34.1.1 (RoadRunner / Bright House, US)
65.180.199.2 (Sprint, US)
66.100.109.112 (Savvis, US)
71.123.11.14 (Verizon, US)
77.99.44.18 (Virgin Media, UK)
80.249.65.80 (Djaweb, Algeria)
81.31.227.60 (Chapar Raseneg, Iran)
85.25.189.163 (Intergenia / PlusServer AG, Germany)
91.215.156.62 (Infinite Technologies, Netherlands)
91.242.214.33 (Hostcircle, India)
92.190.190.191 (France Telecom, France)
95.143.41.41 (Inline Internet / VPS4less, Germany)
112.72.64.217 (VTC Wireless Broadband Company, Vietnam)
114.199.141.85 (Hyundai Communications, Korea)
125.39.104.86 (Beijing Sinainternetinformationservice, China)
153.127.248.205 (Kagoya Japan Corporation, Japan)
162.209.14.28 (Rackspace, US)
173.1.12.57 (GoGrid LLC, US)
175.102.0.187 (Shanghai Yovole Networks, China)
176.19.224.180 (Mobily, Saudi Arabia)
177.5.230.242 (Brasil Telecom, Brazil)
184.106.229.74 (Rackspace, US)
186.25.27.65 (Telcel, Venezuela)
186.25.27.66 (Telcel, Venezuela)
201.101.98.89 (UniNet, Mexico)
202.63.105.86 (Southern Online Bio Technologies, India)
202.93.114.90 (FirstasiaNet, Indonesia)
207.58.158.186 (Servint, US)
207.182.146.247 (Xlhost, US)
209.140.18.37 (Landis Holdings, US)
210.25.137.197 (China Education and Research Network, China)
211.20.45.138 (Chunghwa Telecom, Taiwan)
214.191.12.134 (Department of Defense, US)
214.191.102.34 (Department of Defense, US)

55-Inch TV Amazon.com spam / federal-credit-union.com

This fake Amazon.com spam leads to malware on federal-credit-union.com:


From:     auto-confirm@email.amazon.net [loyolay3@emalsrv.amazonmail.com]
Reply-To:     "auto-confirm@email.amazon.net" [loyolay3@emalsrv.amazonmail.com]
Date:     29 May 2013 16:55
Subject:     Amazon.com order of Samsung UN554X6050 55-Inch

Kindle Store  |  Your Account  |  Amazon.com Order Confirmation Order #134-8080453-8538443

[redacted] Thank you for shopping with us. We’d like to let you know that Amazon has received your order, and is preparing it for shipment. Your estimated delivery date is below. If you would like to view the status of your order or make any changes to it, please visit Your Orders on Amazon.com.

Your estimated delivery date is: Thursday, May 30, 2013 - Friday, May 31, 2013 Your shipping speed: Next Day Air Your order was sent to: Tyler Scott 2516 Columbia Dr Washington, WA 40830-9361 United States

Order Details

Order #134-8080453-8538443 Placed on Wensday, May 29, 2013

Samsung UN554X6050 55-Inch 1080p 120Hz LED 3D HDTV (Dark Grey) Electronics In Stock Sold by World Wide Stereo, Inc. $1,099.99

Item Subtotal: $1,099.99 Shipping & Handling: $0.00 Total Before Tax: $1,099.99 Estimated Tax: $0.00 Order Total: $1,099.99

To learn more about ordering, go to Ordering from Amazon.com. If you want more information or need more assistance, go to Help.

Thank you for shopping with us. Amazon.com

Unless otherwise noted, items are sold by Amazon.com LLC and taxed if shipped to Kansas, North Dakota, New York, Kentucky or Washington. If your order contains one or more items from an Amazon.com partner it may be subject to state and local sales tax, depending on the state to which the item is being shipped. Learn more about tax and seller information. This email was sent from a notification-only address that cannot accept incoming email. Please do not reply to this message.

I have also seen a similar spam with the subject "Amazon.com order of Sharp UN55EH5080 55-Inch" and I guess there are others. The spam goes through a legitimate hacked site and ends up on [donotclick]federal-credit-union.com/news/basic_dream-goods.php (report here). Luckily right at the moment this domain is suspended and won't work, however. There is a very large number of connected domains though which I am compiling a blocklist for and will post later..

Update: some other subjects include "Amazon.com order of Panasonic UN55EH6030 55-Inch" and "Amazon.com order of Akai NPK55KR9070 55-Inch".

Update 2: the malicious landing page has been replaced  with one using the domain ozonatorz.com.

Walmart.com spam / virgin-altantic.net

Another variant of this spam is doing the rounds, this time leading to a landing page on virgin-altantic.net:

From: Wallmart.com [mailto:sculptsu@complains.wallmartmail.com]
Sent: 16 May 2013 15:35
Subject: Thanks for your Walmart.com Order 3450995-348882


Visit Walmart.com  |
Help  |
My Account  |
Track My Orders


[redacted]
Thanks for ordering from Walmart.com. We're currently processing your order.
Items in your order selected for shipping
• You'll receive another email, with tracking information, when your order ships.
• If you're paying by credit card or Bill Me Later®, your account will not be charged until your order ships. If you see a pending charge on your account prior to your items shipping, this is an authorization hold to ensure the funds are available. All other forms of payment are charged at the time the order is placed.
Shipping Information
     Ship to Home   
    Gabriel Miller
1881 Granada Dr
Washington, NC 68025-3157
USA    



Walmart.com     Order Number: 3450995-348882

Ship to Home - Standard
Items    Qty    Arrival Date     Price
Samsung UN55EH9050 42" 1080p 600Hz Class LED (3.7" ultra-slim) 3D HDTV    1     Arrives by Tue., May 21
Eligible for Free Standard Shipping to Home.     $898.00

Subtotal:    $898.00
Shipping:    Free
Tax:     $62.86
See our Returns Policy or
contact Customer Service
Walmart.com Total:    $960.86
Order Summary
Order Date:    05/15/2013
Subtotal:    $898.00
Shipping:    Free
Tax:     $62.86
Order Total:    $960.86
Credit card:    $960.86
        Billing Information
Payment Method:
Credit card

If you have any questions, please refer to help.walmart.com or reply to this email and let us know how we can help.
Thanks,

Your Walmart.com Customer Service Team
www.walmart.com

 
Sign Up for Email Savings and Updates
Have the latest Rollbacks, hot new releases, great gift ideas and more sent right to your inbox!     

The malicious payload is at [donotclick]virgin-altantic.net/news/ask-index.php (report here). IP addresses are the same as in the other attack, although obviously if you are blocking by domain you should add virgin-altantic.net too.

Walmart.com spam / bestunallowable.com

This fake Walmart spam leads to malware on bestunallowable.com:

From:     Wallmart.com [deviledm978@news.wallmart.com]
Date:     16 May 2013 14:02
Subject:     Thanks for your Walmart.com Order 3795695-976140

Walmart    
Visit Walmartcom  |     Help  |     My Account  |     Track My Orders

[redacted]
Thanks for ordering from Walmart.com. We're currently processing your order.
Items in your order selected for shipping

• You'll receive another email, with tracking information, when your order ships.

• If you're paying by credit card or Bill Me Later®, your account will not be charged until your order ships. If you see a pending charge on your account prior to your items shipping, this is an authorization hold to ensure the funds are available. All other forms of payment are charged at the time the order is placed.
Shipping Information
      Ship to Home    
   

Hannah Johnson
1961 12 Rd
Orange, NC 68025-3157
USA
   

Walmart.com     Order Number: 3795695-976140
Ship to Home - Standard
Items     Qty     Arrival Date     Price
Philips UN65EH9060 50" 1080p 60Hz Class LED (Internet Connected) 3D HDTV     1     Arrives by Tue., May 21
Eligible for Free Standard Shipping to Home.     $898.00
Subtotal:     $898.00
Shipping:     Free
Tax:     $62.86
See our Returns Policy or
contact Customer Service     Walmart.com Total:     $960.86
Order Summary
Order Date:     05/15/2013
Subtotal:     $898.00
Shipping:     Free
Tax:     $62.86
Order Total:     $960.86
Credit card:     $960.86
       
Billing Information
Payment Method:
Credit card
If you have any questions, please refer to help.walmart.com or reply to this email and let us know how we can help.
Thanks,

Your Walmart.com Customer Service Team
www.walmart.com


Rollbacks     Sign Up for Email Savings and Updates
Have the latest Rollbacks, hot new releases, great gift ideas and more sent right to your inbox!
   
©Walmart.com USA, LLC, All Rights Reserved.

 The link goes through a legitimate hacked site and ends up on a malware page at [donotclick]bestunallowable.com/news/ask-index.php (report here) hosted on:

108.5.125.134 (Verizon, US)
198.61.147.58 (Matt Martin Real Estate Management / Rackspace, US)

The WHOIS details are characterstic of the Amerika gang:
   Administrative Contact:
   McDonough, Tara  ukcastlee@mail.com
   38 Wee Burn Lane
   DARIEN, CO 06820
   US
   2036566697

Blocklist (including nameservers):
71.107.107.11
108.5.125.134
198.50.169.2
198.61.147.58
bestunallowable.com
biati.net
contonskovkiys.ru
curilkofskie.ru
exrexycheck.ru
fenvid.com
gangrenablin.ru
gatareykahera.ru
icensol.net
janefgort.net
klosotro9.net
mortolkr4.com
nopfrog.pw
otophone.net
outlookexpres.net
peertag.com
pinformer.net
priorityclub.pl
recorderbooks.net
smartsecurity-app.com
twintrade.net
virgin-altantic.net
zonebar.net

ADP spam / outlookexpres.net

This fake ADP spam leads to malware on outlookexpres.net:

Date:      Wed, 15 May 2013 22:39:26 +0400
From:      "donotreply@adp.com" [phrasingr6@news.adpmail.org]
Subject:      adp_subj


ADP Instant Warning

Report #: 55233

Respected ADP Client May, 15 2013

Your Processed Transaction Report(s) have been uploaded to the website:

Sign In here

Please see the following information:

• Please note that your bank account will be charged within 1 business banking day for the sum shown on the Statement(s).

• Please don't try to reply to this message. automative notification system not configured to accept incoming email. Please Contact your ADP Benefits Expert.

This email was sent to existing users in your company that access ADP Netsecure.

As every time, thank you for using ADP as your business affiliate!

Rep: 55233 [redacted]

The link in the spam email goes through a legitimate but hacked site and ends up on a malware landing page at [donotclick]outlookexpres.net/news/estimate_promising.php (report here) hosted on the same IPs found in this attack:
36.224.16.74 (Chunghwa Telecom, Taiwan)
108.5.125.134 (Verizon, US)
198.61.147.58 (Matt Martin Real Estate Management / Rackspace, US)

Blocklist:
36.224.16.74
108.5.125.134
198.61.147.58
contonskovkiys.ru
curilkofskie.ru
exrexycheck.ru
fenvid.com
gangrenablin.ru
gatareykahera.ru
janefgort.net
klosotro9.net
mortolkr4.com
nopfrog.pw
otophone.net
outlookexpres.net
peertag.com
pinformer.net
priorityclub.pl
smartsecurity-app.com
twintrade.net
zonebar.net

Amazon.com spam / ehrap.net

This fake Amazon spam leads to malware on ehrap.net:

Date:      Tue, 7 May 2013 22:54:26 +0100 [05/07/13 17:54:26 EDT]
From:      "Amazon.com" [drudgingb50@m.amazonmail.com]
Subject:      Your Amazon.com order confirmation.

Thanks for your order, [redacted]!

Did you know you can view and edit your orders online, 24 hours a day? Visit Your Account.

Order Information:

E-mail Address:  [redacted]
Billing Address:
216 CROSSING CRK N
GAHANNA
United States
Phone: 1-747-289-5672

Order Grand Total: $ 53.99
   
Earn 3% rewards on your Amazon.com orders with the Amazon Visa Card. Learn More

Order Summary:
Details:
Order #:     I12-4392835-6098844
Subtotal of items:     $ 53.99
    ------
Total before tax:     $ 53.99
Tax Collected:     $0.00
    ------
Grand Total:     $ 50.00
Gift Certificates:     $ 3.99
    ------
Total for this Order:     $ 53.99

The following item is auto-delivered to your Kindle or other device. You can view more information about this order by clicking on the title on the Manage Your Kindle page at Amazon.com.
Mockingjay (The Final Book of The Hunger Games) [Kindle Edition] $ 53.99
Sold By: Random House Digital, Inc.
Give Kindle books to anyone with an e-mail address - no Kindle required!

You can review your orders in Your Account. If you've explored the links on that page but still have a question, please visit our online Help Department.

Please note: This e-mail was sent from a notification-only address that cannot accept incoming e-mail. Please do not reply to this message.

Thanks again for shopping with us.

Amazon.com
Earth's Biggest Selection

Prefer not to receive HTML mail? Click here

The link in the email goes through a legitimate hacked site and ends up on [donotclick]ehrap.net/news/days_electric-sources.php (report here) hosted on (or with nameservers on) the following IPs:
85.41.88.24 (Telecom Italia, Italy)
98.210.212.79 (Comcast, US)
140.121.140.92 (TANet, Taiwan)
178.175.140.185 (Trabia-Network, Moldova)
197.246.3.196 (The Noor Group, Egypt)
216.70.110.21 (Media Temple, US)

The domains involved indicate that this is the gang behind what I call the Amerika series of spam emails.

Blocklist:
85.41.88.24
98.210.212.79
140.121.140.92
178.175.140.185
197.246.3.196
216.70.110.21
airticketscanada.net
contonskovkiys.ru
curilkofskie.ru
ehrap.net
exrexycheck.ru
fenvid.com
gangrenablin.ru
gatareykahera.ru
janefgort.net
klosotro9.net
mortolkr4.com
peertag.com
smartsecurity-app.com
zonebar.net

LinkedIn spam / guessworkcontentprotect.biz

This fake LinkedIn email leads to malware on guessworkcontentprotect.biz:

From:     LinkedIn Invitations [giuseppeah5@mail.paypal.com]
Date:     2 May 2013 16:49
Subject:     LinkedIn inviation notificaltion.
   
LinkedIn
This is a note that on May 2, Lewis Padilla sent you an invitation to join their professional network at LinkedIn.
Accept Lewis Padilla Invitation
   
On May 2, Lewis Padilla wrote:

> To: [redacted]
>
> I'd like to join you to my professional network on LinkedIn.
>
> Lewis Padilla    
   
You are receiving Reminder emails for pending invitations. Unsubscribe.
© 2013 LinkedIn Corporation. 2029 Stierlin Ct, Mountain View, CA 94043, USA. 

The malicious payload is at [donotclick]guessworkcontentprotect.biz/news/pattern-brother.php (report here) hosted on:
82.236.38.147 (PROXAD Free SAS, France)
83.212.110.172 (Greek Research and Technology Network, Greece)
130.239.163.24 (Umea University, Sweden)
203.190.36.201 (Kementerian Pertanian, Indonesia)

Blocklist:
82.236.38.147
83.212.110.172
130.239.163.24
203.190.36.201
app-smart-system.com
contonskovkiys.ru
curilkofskie.ru
egetraktovony.ru
exrexycheck.ru
fenvid.com
frustrationpostcards.biz
gangrenablin.ru
gatareykahera.ru
guessworkcontentprotect.biz
janefgort.net
klosotro9.net
miniscule.pl
mortolkr4.com
peertag.com
priorityclub.pl
smartsecurity-app.com
zonebar.net

"Requested Reset of Yoyr PayPal Password" spam / frustrationpostcards.biz

This fake PayPal spam leads to malware on frustrationpostcards.biz:

 Date:      Mon, 29 Apr 2013 13:22:03 -0500
From:      "service@paypalmail.com" [chichisaq0@emlreq.paypalmail.com]
Subject:      Requested Reset of Yoyr PayPal Password
  
Your account will stay on hold untill password reset.
How to reset your PayPal password

Hello [redacted],

To get back into your PayPal account, you'll have to create a new password.

It's easy:

    Click the link below to open a secure browser window.
    Confirm that you're the owner of the account, and then follow the instructions.

  Reset your password now

If you didn't requested help with your password, let us know immediately. Reporting it is important because it helps us prevent fraudsters from stealing your information.

  
Help Center | Security Center

Please don't reply to this email. It'll just confuse the computer that sent it and you won't get a response.

Copyright © 2013 PayPal, Inc. All rights reserved. PayPal is located at 2211 N. First St., San Jose, CA 95132.

PayPal Email ID 2A7X1

The link goes through a legitimate but hacked site to land on a malicious payload at [donotclick]frustrationpostcards.biz/news/institutions-trusted.php (report here) hosted on the following IPs:

82.236.38.147 (PROXAD Free SAS, France)
83.212.110.172 (Greek Research and Technology Network, Greece)
130.239.163.24 (Umea University, Sweden)


TheWHOIS details identify this domain as belonging to the Amerika gang:

Registrant ID:                          INTEGOY3JBV8IIHG
Registrant Name:                        Shouli Cowper
Registrant Address1:                    40 W 17th St
Registrant City:                        New York
Registrant Postal Code:                 10011
Registrant Country:                     United States
Registrant Country Code:                US
Registrant Phone Number:                +1.4682697453
Registrant Email:                       shouli_cowper563@bikeracer.com
 
Blocklist:
82.236.38.147
83.212.110.172
130.239.163.24
app-smart-system.com
contonskovkiys.ru
curilkofskie.ru
egetraktovony.ru
exrexycheck.ru
fenvid.com
frustrationpostcards.biz
gangrenablin.ru
gatareykahera.ru
janefgort.net
klosotro9.net
miniscule.pl
mortalsrichers.info
mortolkr4.com
peertag.com
pricesgettos.info
priorityclub.pl
smartsecurity-app.com
zonebar.net

"New Secure Message" spam / pricesgettos.info

This spam leads to malware on pricesgettos.info:

Date:      Wed, 24 Apr 2013 16:41:50 +0100 [11:41:50 EDT]
From:      Cooper.Anderson@csiweb.com
Subject:      New Secure Message Received from Cooper.Anderson@csiweb.com

New Secure Message
Respective [redacted],

You have received a new secure message from Cooper.Anderson@csiweb.com.

If you are using the Secure Message Plugin in Lotus Notes this message will be in your SecureMessages Inbox.

If you are NOT using the Secure Message Plugin, you are able to view it by clicking https://www.csiweb.com/5890424-13QZUR797870/?inbox_idf3795430A7NO9 to retrieve your secure message or to begin using the convenient Lotus Notes Plugin.


Sincerely Yours,

CSIe

The link displayed in the email is fake and actually goes to a legitimate (but hacked) site and is then forwarded to the Blackhole payload site at [donotclick]pricesgettos.info/news/done-heavy_hall_meant.php (report here) hosted on the following IPs:

1.235.183.241 (SK Broadband, Korea)
130.239.163.24 (Umea University, Sweden)
155.239.247.247 (Centurion Telkom, South Africa)
202.31.139.173 (Kum oh National University of Technology, Korea)
203.64.101.145 (Taiwan Academic Network, Taiwan)

Blocklist:
1.235.183.241
130.239.163.24
155.239.247.247
202.31.139.173
203.64.101.145
airtrantran.com
antidoterskief.net
app-smartsystem.com
app-smart-system.com
basic-printers.com
bbb-complaint.org
buyersusaremote.net
condalinaradushko5.ru
conficinskiy.ru
contonskovkiys.ru
cormoviesutki.ru
curilkofskie.ru
dataprocessingservice-alerts.com
dataprocessingservice-reports.com
docudat.ru
dyntic.com
egetraktovony.ru
excuticoble.ru
exrexycheck.ru
fenvid.com
freedblacks.net
gangrenablin.ru
gatareykahera.ru
independinsy.net
janefgort.net
klosotro9.net
libertyusadist.info
mortalsrichers.info
mortolkr4.com
peertag.com
pricesgettos.info
ricepad.net
securitysmartsystem.com
tempandhost.com
thesecondincomee.com
zonebar.net

"Loss Avoidance Alerts" spam / tempandhost.com

I haven't seen this particular spam before. It leads to malware on tempandhost.com:

Date:      Tue, 23 Apr 2013 05:41:32 +0900 [16:41:32 EDT]
From:      personableop641@swacha.org
Subject:      4/22/13 The Loss Avoidance Alerts that you requested are now available on the internet

Loss Avoidance Alert System

April 22, 2013
  
Loss Avoidance Report:
The Loss Avoidance Alerts that was processed are now available   on a secure website at:

www.lossavoidancealert.org

http://www.lossavoidancealert.org

Alerts:

CL0017279 – Sham Checks (ALL)

Note: If the Alert Number does not appear on the Home Page - just go to the top left Search Box,
enter the Alert Number and hit Go.


Thank you for your participation!
Loss Avoidance Alert System Administrator

This email is confidential and intended for the use of the individual to whom it is addressed.  Any views or opinions presented are solely
those of the author and do not necessarily represent those of SWACHA-The Electronic Payments Resource.   SWACHA will not be held
responsible for the information contained in this email if it is not used for its original intent.  Before taking action on any information contained
in this email, please consult legal counsel.   If you are not the intended recipient, be advised that you have received this email in error and that any use,
dissemination, forwarding, printing or copying of this email is strictly prohibited.
If you received this email in error, please contact the sender.

The link in the email appears to point to www.lossavoidancealert.org but actually goes through a legitimate hacked site (in this case [donotclick]samadaan.com/wp-content/plugins/akismet/swacha.html) to a landing page of [donotclick]tempandhost.com/news/done-heavy_hall_meant.php or [donotclick]tempandhost.com/news/done-meant.php (sample report here and here) which is.. err.. some sort of exploit kit or other. It doesn't seem to be responding well to analysis tools, which could either indicate overloading or some trickery, most likely something very like this. Anyway, tempandhost.com is hosted on the following servers:

1.235.183.241 (SK Broadband Co Ltd, Korea)
46.183.147.116 (Serverclub.com, Netherlands)
155.239.247.247 (Centurion Telkom, South Africa)
202.31.139.173 (Kum oh National University of Technology, Korea)

The WHOIS details indicate that this is the Amerika crew:

   Administrative Contact:
   clark, emily                twinetourt@aol.com
   38b butman st
   beverly, MA 01915
   US
   9784734033

Blocklist:
1.235.183.241
46.183.147.116
155.239.247.247
202.31.139.173
airtrantran.com
antidoterskief.net
basic-printers.com
bbb-complaint.org
buyersusaremote.net
condalinaradushko5.ru
conficinskiy.ru
contonskovkiys.ru
cormoviesutki.ru
curilkofskie.ru
dataprocessingservice-alerts.com
dataprocessingservice-reports.com
dyntic.com
excuticoble.ru
fenvid.com
fenvid.com
gatareykahera.ru
hurienothing.ru
independinsy.net
klosotro9.net
libertyusadist.info
mortalsrichers.info
peertag.com
ricepad.net
securitysmartsystem.com
tempandhost.com
thesecondincomee.com
zonebar.net

PayPal spam / dialupwily.org

This fake PayPal spam leads to malware on dialupwily.org:

From: service@paypal.com [mailto:criticizea@seneseassociates.com]
Sent: Wed 17/04/2013 18:49
Subject: Receipt for your PayPal payment to Konrad Rotuski

Feb 18, 2013 10:54:32 PDT
Transaction ID: 4F1UGYHLFMRAG1AVY

Hello,

You sent a payment of $149.49 USD to Konrad Rotuski (criticizea@seneseassociates.com)
Thanks for using PayPal. To see all the transaction details, log in to your PayPal account.

It may take a few moments for this transaction to appear in your account.

--------------------------------------------------------------------------------

Seller
Konrad Rotuski
criticizea@seneseassociates.com Note to seller
You haven't included a note.
Shipping address - unconfirmed
218 E CHURCH ST
FAYETTEVILLE, TX 09557-2446
United States
 Shipping details
USPS Priority Mail
Description Unit price Qty Amount
TAG Heuer Men's WAU6277.BA3900 Formula 1 White Dial Stainless Steel Watch
Item# 566741455709 $149.49 USD 1 $149.49 USD
 Shipping and handling $0.00 USD
Insurance - not offered ----
Total $149.49 USD
Payment $149.49 USD
Charge will appear on your credit card statement as PAYPAL Konrad Rotuski
Payment sent to criticizea@seneseassociates.com 


Issues with this transaction?
You have 45 days from the date of the transaction to open a dispute in the Resolution Center.

Questions? Go to the Help Center at: www.paypal.com/help.

Please do not reply to this email. This mailbox is not monitored and you will not receive a response. For assistance, log in to your PayPal account and click Help in the top right corner of any PayPal page.

To receive email notifications in plain text instead of HTML, log in to your PayPal account, go to your Profile, and click Notifications.


PayPal Email ID PP387

The link in the email goes through a hacked Wordpress site to a malicious landing page at [donotclick]dialupwily.org/closest/incomming_message.php (report here) hosted on 188.225.34.36 (Transit Telecom, Russia). More malware domains to come..

CNN.com Boston Marathon spam / thesecondincomee.com

This Boston Marathon themed spam leads to malware on thesecondincomee.com:

Example 1:

Date:      Wed, 17 Apr 2013 10:32:18 -0600 [12:32:18 EDT]
From:      CNN Breaking News [BreakingNews@mail.cnn.com]
Subject:      Opinion: Boston Marathon Explosions - Obama Benefits? - CNN.com   
     
CNN.com    
Powered by    
* Please note, the sender's email address has not been verified.
            
You have received the following link from BreakingNews@mail.cnn.com:    
           
Click the following to access the sent link:
            
Boston Marathon Explosions - Obama Benefits? - CNN.com*
                 
SAVE THIS link     FORWARD THIS link
           
Get your EMAIL THIS Browser Button and use it to email content from any Web site. Click here for more information.
     
     
*This article can also be accessed if you copy and paste the entire address below into your web browser.
by clicking here

Example 2:

Date:      Wed, 17 Apr 2013 22:32:56 +0600
From:      behring401@mail.cnn.com
Subject:      Opinion: Boston Marathon Explosions - North Korea trail or Osama Legacy? - CNN.com
   
Powered by    
* Please note, the sender's email address has not been verified.
   
You have received the following link from BreakingNews@mail.cnn.com:    
   
Click the following to access the sent link:
   
Boston Marathon Explosions - North Korea trail or Osama Legacy? - CNN.com*
   
Get your EMAIL THIS Browser Button and use it to email content from any Web site. Click here for more information.
       
*This article can also be accessed if you copy and paste the entire address below into your web browser.
by clicking here

The malicious payload is at [donotclick]thesecondincomee.com/news/agency_row_fixed.php hosted on:
94.249.206.117 (GHOSTnet, Germany)
155.239.247.247 (Centurion Telkom, South Africa)
173.234.239.60 (Nobis Technology Group, US)

The recommended blocklist is the same as used in this earlier attack.
65.34.160.10
94.249.206.117
155.239.247.247
173.234.239.60
airtrantran.com
basic-printers.com
bbb-complaint.org
buyersusaremote.net
condalinaradushko.ru
conficinskiy.ru
confideracia.ru
coretec.pl
cormoviesutki.ru
dailypost.pl
dataprocessingservice-alerts.com
dataprocessingservice-reports.com
dyntic.com
elmara.ru
excuticoble.ru
fenvid.com
freedblacks.net
fxtv.pl
gardeningexplains.biz
gatoversignie.ru
hurienothing.ru
independinsy.net
janefgort.net
klosotro9.net
miniscule.pl
nulio.ru
programcam.ru
ricepad.net
seantit.ru
securitysmartsystem.com
techzoom.pl
thesecondincomee.com

Malware sites to block 10/4/13 - part II

With a hat tip to a correspondent, here are some more domains connected with this and this. Enjoy.

adamseasytoimplement.org
perfectlylikeness.org
detailingfiletransfer.com
safeguardingencarta.org
netdocumentsidl.org
bluraysphotographers.org
cathedralati.org
diasly.org
trelixwebprice.org
chaptersthegorilla.org
facilitiesbrrrr.org
idyllictoptier.org
fullscalemethod.org
deviceasciences.org
realizewhole.org
sdbbefvw.com
cwfviwgg.com
ddskcwdk.com
groupcycle.biz
kousrytcbqdids.org
uamawhyfonwofua.org
bgdnmbapnahteul.net
hgalevwtwmba.biz
apbojfsktijjhek.org
alreadysnorkeling.biz
xibfwucletrc.biz
rgngsdqwcemxbn.biz
sposwrsbswlynqc.biz
twiytmbbusrktys.org
blkwjoqfmhftd.org
combatthemednexus.biz
rankprediction.biz
artlogistic.net
textingavz.biz
lmlgqnxdjuyis.biz
wcsgdvxlhmxhd.org
syqdvpsmmpvq.biz
dwjlypydywlt.biz
iriengyhgadgt.org
aisjpqgemanskow.org
uspofnlqbyugv.org
cfkuptmplgrqh.biz
bjhwkbkqhbmq.biz
ulkbhsxywwnua.org
oksolomonprices.biz
hitandwillow.biz
randomwireless.biz
demandthings.biz
sitebandweathers.biz
nonadministrativematerial.biz
gamblerspayroll.biz
jfkshaken.biz
fullduplexioss.biz
sgijdxds.com
localcommittee.biz
vialigthroom.biz
limocoupons.biz
bikeplease.biz
fanaticsbuzz.biz
gnawamama.net
metrodemand.biz
headsync.biz
huntershindrance.biz
b7cb9b6e9.org
forecastssystemworks.biz
skillblissfully.biz
amazondarken.biz
foruminsert.biz
toofrequentextraneous.biz
protectoremail.biz
pinoyexchange.biz
concernsvideocentric.biz
toneadvertising.biz
rainbowsfilmstriplike.biz
franciscodish.biz
catastrophicautobiography.biz
fruitdicingsitting.org
monotoneswift.biz
braineravast.biz
metaphorsuite.biz
navigationalsignup.biz
seekerreporter.biz
uploaderaddressa.biz
dedicatedgerm.biz
blendingdiversity.biz
motivationrevenues.biz
nodeswordpresscom.biz
rdiocruises.biz
paymentground.biz
topiwebbased.biz
sharpspool.biz
directtime.biz
purportswarping.biz
diesulead.biz
mailedspokesperson.biz

Malware sites to block 10/4/13

These domains and IPs are associated with the Amerika gang and are related to this spam run. Blocking them would be prudent.

46.4.150.96/27
46.161.0.235
93.170.130.241
1thyntyny.itemdb.com
accelerationshrinkwrapped.net
advancementshardofhearing.org
affectingdesktoplevel.net
airplanesreleases.org
androidenabledprivacyx.net
andthisisthird.com
automatedversion.biz
awokeierelated.net
bernardsunhelpful.net
bigstepspinpointing.net
blogsobjectslets.biz
blogsobjectslets.net
blogsobjectslets.org
bruceengaging.org
bustappmosphere.biz
campgroundsdays.org
chappellsuites.org
characteristicsmarking.com
chromewarm.biz
citrixsgp.biz
claimedbizarre.biz
cleanedtravel.biz
clouditcomplaintsome.net
cmsstatements.net
commentstimelimited.biz
couplesubway.biz
courselastused.net
crhazards.org
deactivatingtga.org
denotenag.biz
diesulead.biz
dogsiir.net
dozenmymagicjackcom.net
druidwwwlinux.net
eccentricitiessweep.biz
editdvsmyfitnesspal.biz
editionsglow.net
editorssave.org
educationnonfullscreen.net
eggtasteful.org
enhancementssuunto.biz
exegeneral.net
filedclassics.org
fournightanswering.net
geographicadjustments.net
givegrownups.biz
givesexact.net
hintstrust.org
illinoisnets.net
inaptlyinterviews.org
insightsclout.org
interactivesforensics.org
invoicedaredevil.net
ipodsbegun.biz
lawinsight.biz
limitedwar.net
lionsfusionones.biz
locatestiming.biz
mailedspokesperson.biz
mashedindescribing.net
midtieralmost.org
mtvintrigued.net
multistorypublishers.net
mydruidwwwlinux.biz
occurrelocates.com
ogghunt.org
ogghuntonline.net
ogghunt-shop.net
onstreamdifficulty.biz
outrightclever.net
overkillwhile.net
pageturnneedless.biz
pndclifford.biz
priorteacher.net
quizmfp.biz
rookiedatapad.org
shouldinvoice.org
shranksafetyweb.net
sloppynetbooks.net
snippetscompleted.org
studioinaboxlayer.org
subdividedstripped.org
sweepersigdrs.net
tageditingaction.net
terrainmodeling.net
theatersbears.biz
themadministration.net
thisisspartaaa.com
threesignaling.biz
thresholdingmultiaccount.biz
topiwebbased.biz
totalmediamaking.biz
toutedhints.org
transformedmontana.org
tryingrefers.org
tweetdecksigns.com
uninspiredperspectives.org
uninterruptedlightbox.org
upperrighthandpartner.net

ICANN: thanks for the malware spam / mailedspokesperson.biz

This is a pretty straightforward LinkedIn themed spam that leads to malware on mailedspokesperson.biz:

From:     Leonide Saad - LinkedIn [dreamland@beutelschneiderhamburg.de]
Date:     10 April 2013 15:19
Subject:     Join my network on LinkedIn

LinkedIn
REMINDERS

Invitation reminders:
 From Leonide Saad (Developer at Perot Systems)



PENDING MESSAGES

 There are a total of 8 messages awaiting your response. Go to InBox now.


This message was sent to username@domain.com. Don't want to receive email notifications? Login to your LinkedIn account to Unsubscribe.
LinkedIn values your privacy. At no time has LinkedIn made your email address available to any other LinkedIn user without your permission. c 2013, LinkedIn Corporation.

The catch with this is that the email address being used is one used only to file WHOIS Compliance Reports with ICANN. If you file reports of inaccurate WHOIS data, then you need to be aware that by default ICANN will forward your contact details to the bad guys.. you can request that this be suppressed, but using an alias is (ironically) probably the best bet. So in this case, the bad guys have presumably just added the email in the complaint to their spam list..

Anyway, this has a link to a legitimate hacked site and thence on to [donotclick]mailedspokesperson.biz/closest/f2ihoiwegjowiejf230hfaj.php (report here) hosted on 46.4.150.117 (Siteko Ltd / Hetzner Online, Germany). The WHOIS details are characteristic of the Amerika gang:


Registrant ID:            INTEUMYC18TPLDWG
Registrant Name:          Hunter Afkham
Registrant Address1:      181 Sullivan St #4
Registrant City:          New York
Registrant Postal Code:   10012
Registrant Country:       United States
Registrant Country Code:  US
Registrant Phone Number:  +1.7914260046
Registrant Email:         hunter_afkham8428@aristotle.org

There are a couple of other bad looking sites on the same server, so this is my recommended blocklist:
46.4.150.117
1thyntyny.itemdb.com
diesulead.biz
mailedspokesperson.biz

NACHA spam / mgithessia.biz

This fake NACHA spam leads to malware on mgithessia.biz:

From: "Олег.Тихонов@direct.nacha.org" [mailto:universe87@mmsrealestate.com]
Sent: 27 March 2013 03:25
Subject: Disallowed Direct Deposit payment
Importance: High

To whom it may concern:

We would like to inform you, that your latest Direct Deposit via ACH transaction (Int. No.989391803448) was cancelled,because your business software package was out of date. The details regarding this matter are available in our secure section::

Click here for more information

Please consult with your financial institution to obtain the updated version of the software.

Kind regards,

ACH Network Rules Department
NACHA - The Electronic Payments Association


11329 Sunrise Valley Drive, Suite 865
Herndon, VA 20172
Phone: 703-561-1927 Fax: 703-787-1894

The malicious payload is at [donotclick]mgithessia.biz/closest/repeating-director_concerns.php although I am having difficulty resolving that domain, however it appears to be on 46.4.150.118 (Hetzner, Germany) and the payload looks something like this.

DNS services are provided by justintvfreefall.org which is also probably malicious. Nameservers are on 5.187.4.53 (Fornex Hosting, Germany) and  5.187.4.58 (the same).

Recommended blocklist:
46.4.150.118
5.187.4.53
5.187.4.58
mgithessia.biz
justintvfreefall.org

NACHA spam / breathtakingundistinguished.biz

This fake NACHA spam leads to malware on breathtakingundistinguished.biz:

From: "Гена.Симонов@direct.nacha.org" [mailto:corruptnessljx953@bsilogistik.com]
Sent: 25 March 2013 22:26
Subject: Re: Your Direct Deposit disallowance
Importance: High

Attn: Accounting Department

We are sorry to notify you, that your latest Direct Deposit transaction (#963417979218) was disallowed,because your business software package was out of date. The detailed information about this matter is available in the secure section of our web site:

Click here for more information

Please consult with your financial institution to acquire the updated version of the software.

Yours truly,

ACH Network Rules Department
NACHA - The Electronic Payments Association


19681 Sunrise Valley Drive, Suite 275
Herndon, VA 20135
Phone: 703-561-1796 Fax: 703-787-1698

The malicious payload is at [donotclick]breathtakingundistinguished.biz/closest/209tuj2dsljdglsgjwrigslgkjskga.php (report here) hosted on 62.173.138.71 (Internet-Cosmos Ltd., Russia). The following malicious sites are also hosted on the same server:


necessarytimealtering.biz
hitwiseintelligence.biz
breathtakingundistinguished.biz

Wire Transfer spam / dataprocessingservice-alerts.com

This fake Wire Transfer spam leads to malware on dataprocessingservice-alerts.com:

Date:      Fri, 22 Mar 2013 10:42:22 -0600
From:      support@digitalinsight.com
Subject:      Terminated Wire Transfer Notification - Ref: 54133

Immediate Transfers Processing Service

STATUS Notification
The following wire transfer has been submitted for approval. Please visit this link to review the transaction details (ref '54133' submitted by user '[redacted]' ).
TRANSACTION SUMMARY:

Initiated By: [redacted]

Initiated Date & Time: 2013-03-21 4:00:46 PM PST

Reference Number: 54133

For addidional info visit this link

The payload is at [donotclick]dataprocessingservice-alerts.com/kill/chosen_wishs_refuses-limits.php  (report here) hosted on:

24.111.157.113 (Midcontinent Media, US)
58.26.233.175 (TMNet, Malaysia)
155.239.247.247 (Centurion Telkom, South Africa)

Blocklist:
24.111.157.113
58.26.233.175
155.239.247.247
bestffriendquotes.com
buxarsurf.net
buyersusaremote.net
cyberage-poker.net
dataprocessingservice-alerts.com
fenvid.com
heavygear.net
hotels-guru.net
neo-webnet.com
openhouseexpert.net
picturesofdeath.net
plussestotally.biz
rockbandsongs.net
teenlocal.net
webpageparking.net

Facebook spam / scriptuserreported.org

This Facebook spam has undergone some sort of failure during construction, revealing some of the secrets of how these messages are constructed. It leads to malware on scriptuserreported.org:

Date:      Thu, 21 Mar 2013 10:56:28 -0500
From:      Facebook [update+oi=MKW63Z@facebookmail.com]
Subject:      John Jenkins commented photo of you.

facebook
   
John Jenkins commented on {l5}.
reply to this email to comment on this photo.
see comment
this message was sent to {mailto_username}@{mailto_domain}. if you don't want to receive these emails from facebook in the future, please unsubscribe.

facebook, inc., attention: department 415, po box 1000{digit}, palo alto, ca 9{digit}3{digit}

The malicious payload is at [donotclick]scriptuserreported.org/close/keys-importance-mention.php hosted on 5.39.37.31 and there are no surprises that this is OVH in France.. but wait a minute because this is in a little suballocated block thusly:

inetnum:        5.39.37.24 - 5.39.37.31
netname:        n2p3DoHost
descr:          DoHost n2 p3
country:        FR
admin-c:        OTC2-RIPE
tech-c:         OTC2-RIPE
status:         ASSIGNED PA
mnt-by:         OVH-MNT
source:         RIPE # Filtered

Let's start with the server at 5.39.37.31 which is distributing the Blackhole Exploit Kit (report here). This server also hosts the following potentially malicious domains:
pesteringpricelinecom.net
resolveconsolidate.net
scriptuserreported.org
provingmoa.com

Go back a few IPs to 5.39.37.28 and there is are a couple of work-at-home scam sites:
workhomeheres01.com
workhomeheres02.com

There's also a work-at-home scam on 5.39.37.24:
makeworkhome12.pl

5.39.37.26 appears to be hosting a control panel for the Neutrino Exploit kit:
myadminspanels.info
supermyadminspanels.info

So you can pretty much assume that 5.39.37.24/29 is a sewer and you should block the lot. Who is n2p3DoHost? Well, I don't know.. but there's one more clue at 5.39.37.29 which is the domain rl-host.net. The WHOIS details for rl-host.net are anonymised, but on the day of registration were:

    Queste Julien
    Email:julien@queste.fr
    50 rue Arthur lamendin
    62330 isbergues
    France
    Tel: +33.649836105

Does M. Queste own this /29? If he does, then it looks like he has some very bad customers..

Minimum blocklist:
5.39.37.31
pesteringpricelinecom.net
resolveconsolidate.net
scriptuserreported.org
provingmoa.com

Recommended blocklist:
5.39.37.24/29
makeworkhome12.pl
myadminspanels.info
supermyadminspanels.info
workhomeheres01.com
workhomeheres02.com
rl-host.net
pesteringpricelinecom.net
resolveconsolidate.net
scriptuserreported.org
provingmoa.com

NACHA spam / encodeshole.org

This fake NACHA spam leads to malware on encodeshole.org:

From: "Тимур.Родионов@direct.nacha.org" [mailto:biker@wmuttkecompany.com]
Sent: 20 March 2013 18:51
Subject: Payment ID 454806207096 rejected
Importance: High

Dear Sirs,

Herewith we are informing you, that your latest Direct Deposit payment (ID431989197078) was cancelled,due to your current Direct Deposit software being out of date. Please use the link below to enter the secure section of our web site and see the details::

Click here for more information

Please apply to your financial institution to get the necessary updates of the Direct Deposit software.

Best regards,

ACH Network Rules Department
NACHA - The Electronic Payments Association


10933 Sunrise Valley Drive, Suite 771
Herndon, VA 20190
Phone: 703-561-0849 Fax: 703-787-0548

The malicious payload is at [donotclick]encodeshole.org/closest/209tuj2dsljdglsgjwrigslgkjskga.php (report here) hosted on 91.234.33.187 (FOP Sedinkin Olexandr Valeriyovuch, Ukraine). The following suspect domains are on the same IP:

91.234.33.187
encodeshole.org
rotariesnotify.org
rigidembraces.info
storeboughtmodelers.info