These domains and IP addresses are connected to this malware spam run and belong to a group I call the "Amerika" gang (because they tend to use fake US addresses for their WHOIS details but really seem to be Russian).
It's quite a long set of lists: first there is a list of malware domains, then a list of malicious IPs and their web hosts, followed by a plain recommended blocklist of IPs for copy-and-pasting, and finally a list of IPs that are advertised as nameservers within this group, for research purposes only.
You might notice something odd going on at the University of Illinois in the 128.174.240.0/24 range. Hmm..
Domains:
IPs and hosts:
5.175.155.183 (GHOSTnet, Germany)
37.131.214.69 (Interra Ltd, Russia)
41.89.6.179 (Kenya Education Network, Kenya)
42.62.29.4 (Forest Eternal, China)
50.193.197.178 (Comcast, US)
54.214.22.177 (Amazon AWS, US)
62.109.30.168 (TheFirst-RU, Russia)
77.237.190.22 (Parsun Network Solutions, Iran)
82.50.45.42 (Telecom Italia, Italy)
91.93.151.127 (Global Iletisim Hizmetleri, Turkey)
91.193.75.55 (KGB Hosting, Serbia)
94.249.208.228 (GHOSTnet, Germany)
95.43.161.50 (BTC, Bulgaria)
99.61.57.201 (AT&T, US)
103.7.251.36 (Fiberathome, Bangladesh)
109.169.64.170 (ThrustVPS, US)
112.196.2.39 (Quadrant Televentures / HFCL Infotel, India)
114.4.27.219 (Indosat, Indonesia)
114.247.121.139 (China Unicom, China)
115.28.35.163 (HiChina Web Solutions, China)
122.160.51.9 (ABTS, Delhia)
128.174.240.37 (University of Illinois, US)
128.174.240.52 (University of Illinois, US)
128.174.240.74 (University of Illinois, US)
128.174.240.153 (University of Illinois, US)
128.174.240.213 (University of Illinois, US)
140.117.164.154 (Sun Yat-sen University, Taiwan)
151.1.224.118 (Itnet, Italy)
159.253.18.253 (FastVPS, Russia)
162.209.12.86 (Rackspace, US)
166.78.136.235 (Rackspace, US)
177.5.244.236 (Brasil Telecom, Brazil)
178.20.231.214 (Salay Telekomunikasyon Ticaret Limited, Turkey)
178.209.126.87 (WestCall Ltd, Russia)
181.52.237.17 (Telmex, Colombia)
183.82.221.13 (Hitech, India)
186.215.126.52 (Global Village Telecom, Brazil)
188.32.153.31 (National Cable Networks, Russia)
190.106.207.25 (Comcel, Guatemala)
192.154.103.81 (Gorillaservers, US)
192.210.216.53 (ColoCrossing, US)
197.246.3.196 (The Noor Group, Egypt)
201.65.23.153 (Comercial 15 De Novembro Ltda, Brazil)
201.170.148.171 (Telefonos del Noroeste, Mexico)
204.45.7.213 (FDCservers.net, US)
208.68.36.11 (Digital Ocean, US)
210.61.8.50 (Chunghwa Telecom, Taiwan)
212.179.221.31 (Bezeq International, Israel)
213.113.120.211 (Telenor, Sweden)
217.174.211.1 (Agarik SA, France)
222.200.187.83 (Sun Yat-sen University, China)
Recommended IP blocklist:
IPs advertising as nameservers (I'm pretty sure some of these are bogus, so use these for research purposes only):
2.121.229.200 (Sky Broadband, UK)
5.175.146.153 (GHOSTnet, Germany)
5.175.154.17 (GHOSTnet, Germany)
5.175.154.149 (GHOSTnet, Germany)
5.231.18.4 (GHOSTnet, Germany)
6.18.199.178 (Department of Defense, US)
6.20.13.25 (Department of Defense, US)
8.13.139.1 (Level 3 Communications, US)
8.18.19.15 (Level 3 Communications, US)
8.18.19.16 (Level 3 Communications, US)
11.3.51.158 (Department of Defense, US)
12.179.132.98 (Intuit, US)
14.139.209.13 (National Institute Of Technology, India)
15.78.78.23 (Hewlett Packard, US)
15.84.23.131 (Hewlett Packard, US)
17.19.12.100 (Apple Inc, US)
20.2.45.143 (CSC, US)
22.100.28.100 (Department of Defense, US)
29.125.31.77 (Department of Defense, US)
42.96.142.17 (Alibaba, China)
42.96.194.13 (Alibaba, China)
46.254.18.79 (Internet-Hosting Ltd, Russia)
65.34.1.1 (RoadRunner / Bright House, US)
65.180.199.2 (Sprint, US)
66.100.109.112 (Savvis, US)
71.123.11.14 (Verizon, US)
77.99.44.18 (Virgin Media, UK)
80.249.65.80 (Djaweb, Algeria)
81.31.227.60 (Chapar Raseneg, Iran)
85.25.189.163 (Intergenia / PlusServer AG, Germany)
91.215.156.62 (Infinite Technologies, Netherlands)
91.242.214.33 (Hostcircle, India)
92.190.190.191 (France Telecom, France)
95.143.41.41 (Inline Internet / VPS4less, Germany)
112.72.64.217 (VTC Wireless Broadband Company, Vietnam)
114.199.141.85 (Hyundai Communications, Korea)
125.39.104.86 (Beijing Sinainternetinformationservice, China)
153.127.248.205 (Kagoya Japan Corporation, Japan)
162.209.14.28 (Rackspace, US)
173.1.12.57 (GoGrid LLC, US)
175.102.0.187 (Shanghai Yovole Networks, China)
176.19.224.180 (Mobily, Saudi Arabia)
177.5.230.242 (Brasil Telecom, Brazil)
184.106.229.74 (Rackspace, US)
186.25.27.65 (Telcel, Venezuela)
186.25.27.66 (Telcel, Venezuela)
201.101.98.89 (UniNet, Mexico)
202.63.105.86 (Southern Online Bio Technologies, India)
202.93.114.90 (FirstasiaNet, Indonesia)
207.58.158.186 (Servint, US)
207.182.146.247 (Xlhost, US)
209.140.18.37 (Landis Holdings, US)
210.25.137.197 (China Education and Research Network, China)
211.20.45.138 (Chunghwa Telecom, Taiwan)
214.191.12.134 (Department of Defense, US)
214.191.102.34 (Department of Defense, US)
Wednesday 29 May 2013
55-Inch TV Amazon.com spam / federal-credit-union.com
This fake Amazon.com spam leads to malware on federal-credit-union.com:
From: auto-confirm@email.amazon.net [loyolay3@emalsrv.amazonmail.com]
Reply-To: "auto-confirm@email.amazon.net" [loyolay3@emalsrv.amazonmail.com]
Date: 29 May 2013 16:55
Subject: Amazon.com order of Samsung UN554X6050 55-Inch
I have also seen a similar spam with the subject "Amazon.com order of Sharp UN55EH5080 55-Inch" and I guess there are others. The spam goes through a legitimate hacked site and ends up on [donotclick]federal-credit-union.com/news/basic_dream-goods.php (report here). Luckily right at the moment this domain is suspended and won't work, however. There is a very large number of connected domains though which I am compiling a blocklist for and will post later..
Update: some other subjects include "Amazon.com order of Panasonic UN55EH6030 55-Inch" and "Amazon.com order of Akai NPK55KR9070 55-Inch".
Update 2: the malicious landing page has been replaced with one using the domain ozonatorz.com.
Thursday 16 May 2013
Walmart.com spam / virgin-altantic.net
Another variant of this spam is doing the rounds, this time leading to a landing page on virgin-altantic.net:
From: Wallmart.com [mailto:sculptsu@complains.wallmartmail.com]
Sent: 16 May 2013 15:35
Subject: Thanks for your Walmart.com Order 3450995-348882
Visit Walmart.com |
Help |
My Account |
Track My Orders
[redacted]
Thanks for ordering from Walmart.com. We're currently processing your order.
Items in your order selected for shipping
• You'll receive another email, with tracking information, when your order ships.
• If you're paying by credit card or Bill Me Later®, your account will not be charged until your order ships. If you see a pending charge on your account prior to your items shipping, this is an authorization hold to ensure the funds are available. All other forms of payment are charged at the time the order is placed.
Shipping Information
Ship to Home
Gabriel Miller
1881 Granada Dr
Washington, NC 68025-3157
USA
Walmart.com Order Number: 3450995-348882
Ship to Home - Standard
Items Qty Arrival Date Price
Samsung UN55EH9050 42" 1080p 600Hz Class LED (3.7" ultra-slim) 3D HDTV 1 Arrives by Tue., May 21
Eligible for Free Standard Shipping to Home. $898.00
Subtotal: $898.00
Shipping: Free
Tax: $62.86
See our Returns Policy or
contact Customer Service
Walmart.com Total: $960.86
Order Summary
Order Date: 05/15/2013
Subtotal: $898.00
Shipping: Free
Tax: $62.86
Order Total: $960.86
Credit card: $960.86
Billing Information
Payment Method:
Credit card
If you have any questions, please refer to help.walmart.com or reply to this email and let us know how we can help.
Thanks,
Your Walmart.com Customer Service Team
www.walmart.com
Sign Up for Email Savings and Updates
Have the latest Rollbacks, hot new releases, great gift ideas and more sent right to your inbox!
The malicious payload is at [donotclick]virgin-altantic.net/news/ask-index.php (report here). IP addresses are the same as in the other attack, although obviously if you are blocking by domain you should add virgin-altantic.net too.
Walmart.com spam / bestunallowable.com
This fake Walmart spam leads to malware on bestunallowable.com:
From: Wallmart.com [deviledm978@news.wallmart.com]
Date: 16 May 2013 14:02
Subject: Thanks for your Walmart.com Order 3795695-976140
Walmart
Visit Walmartcom | Help | My Account | Track My Orders
[redacted]
Thanks for ordering from Walmart.com. We're currently processing your order.
Items in your order selected for shipping
• You'll receive another email, with tracking information, when your order ships.
• If you're paying by credit card or Bill Me Later®, your account will not be charged until your order ships. If you see a pending charge on your account prior to your items shipping, this is an authorization hold to ensure the funds are available. All other forms of payment are charged at the time the order is placed.
Shipping Information
Ship to Home
Hannah Johnson
1961 12 Rd
Orange, NC 68025-3157
USA
Walmart.com Order Number: 3795695-976140
Ship to Home - Standard
Items Qty Arrival Date Price
Philips UN65EH9060 50" 1080p 60Hz Class LED (Internet Connected) 3D HDTV 1 Arrives by Tue., May 21
Eligible for Free Standard Shipping to Home. $898.00
Subtotal: $898.00
Shipping: Free
Tax: $62.86
See our Returns Policy or
contact Customer Service Walmart.com Total: $960.86
Order Summary
Order Date: 05/15/2013
Subtotal: $898.00
Shipping: Free
Tax: $62.86
Order Total: $960.86
Credit card: $960.86
Billing Information
Payment Method:
Credit card
If you have any questions, please refer to help.walmart.com or reply to this email and let us know how we can help.
Thanks,
Your Walmart.com Customer Service Team
www.walmart.com
Rollbacks Sign Up for Email Savings and Updates
Have the latest Rollbacks, hot new releases, great gift ideas and more sent right to your inbox!
©Walmart.com USA, LLC, All Rights Reserved.
The link goes through a legitimate hacked site and ends up on a malware page at [donotclick]bestunallowable.com/news/ask-index.php (report here) hosted on:
108.5.125.134 (Verizon, US)
198.61.147.58 (Matt Martin Real Estate Management / Rackspace, US)
The WHOIS details are characteristic of the Amerika gang:
Administrative Contact:
McDonough, Tara ukcastlee@mail.com
38 Wee Burn Lane
DARIEN, CO 06820
US
2036566697
Blocklist (including nameservers):
Wednesday 15 May 2013
ADP spam / outlookexpres.net
This fake ADP spam leads to malware on outlookexpres.net:
Date: Wed, 15 May 2013 22:39:26 +0400
From: "donotreply@adp.com" [phrasingr6@news.adpmail.org]
Subject: adp_subj
ADP Instant Warning
Report #: 55233
Respected ADP Client May, 15 2013
Your Processed Transaction Report(s) have been uploaded to the website:
Sign In here
Please see the following information:
• Please note that your bank account will be charged within 1 business banking day for the sum shown on the Statement(s).
• Please don't try to reply to this message. automative notification system not configured to accept incoming email. Please Contact your ADP Benefits Expert.
This email was sent to existing users in your company that access ADP Netsecure.
As every time, thank you for using ADP as your business affiliate!
Rep: 55233 [redacted]
The link in the spam email goes through a legitimate but hacked site and ends up on a malware landing page at [donotclick]outlookexpres.net/news/estimate_promising.php (report here) hosted on the same IPs found in this attack:
36.224.16.74 (Chunghwa Telecom, Taiwan)
108.5.125.134 (Verizon, US)
198.61.147.58 (Matt Martin Real Estate Management / Rackspace, US)
Blocklist:
Wednesday 8 May 2013
Amazon.com spam / ehrap.net
This fake Amazon spam leads to malware on ehrap.net:
Date: Tue, 7 May 2013 22:54:26 +0100 [05/07/13 17:54:26 EDT]
From: "Amazon.com" [drudgingb50@m.amazonmail.com]
Subject: Your Amazon.com order confirmation.
Thanks for your order, [redacted]!
Did you know you can view and edit your orders online, 24 hours a day? Visit Your Account.
Order Information:
E-mail Address: [redacted]
Billing Address:
216 CROSSING CRK N
GAHANNA
United States
Phone: 1-747-289-5672
Order Grand Total: $ 53.99
Earn 3% rewards on your Amazon.com orders with the Amazon Visa Card. Learn More
Order Summary:
Details:
Order #: I12-4392835-6098844
Subtotal of items: $ 53.99
------
Total before tax: $ 53.99
Tax Collected: $0.00
------
Grand Total: $ 50.00
Gift Certificates: $ 3.99
------
Total for this Order: $ 53.99
The following item is auto-delivered to your Kindle or other device. You can view more information about this order by clicking on the title on the Manage Your Kindle page at Amazon.com.
Mockingjay (The Final Book of The Hunger Games) [Kindle Edition] $ 53.99
Sold By: Random House Digital, Inc.
Give Kindle books to anyone with an e-mail address - no Kindle required!
You can review your orders in Your Account. If you've explored the links on that page but still have a question, please visit our online Help Department.
Please note: This e-mail was sent from a notification-only address that cannot accept incoming e-mail. Please do not reply to this message.
Thanks again for shopping with us.
Amazon.com
Earth's Biggest Selection
Prefer not to receive HTML mail? Click here
The link in the email goes through a legitimate hacked site and ends up on [donotclick]ehrap.net/news/days_electric-sources.php (report here) hosted on (or with nameservers on) the following IPs:
85.41.88.24 (Telecom Italia, Italy)
98.210.212.79 (Comcast, US)
140.121.140.92 (TANet, Taiwan)
178.175.140.185 (Trabia-Network, Moldova)
197.246.3.196 (The Noor Group, Egypt)
216.70.110.21 (Media Temple, US)
The domains involved indicate that this is the gang behind what I call the Amerika series of spam emails.
Blocklist:
Thursday 2 May 2013
LinkedIn spam / guessworkcontentprotect.biz
This fake LinkedIn email leads to malware on guessworkcontentprotect.biz:
From: LinkedIn Invitations [giuseppeah5@mail.paypal.com]
Date: 2 May 2013 16:49
Subject: LinkedIn inviation notificaltion.
This is a note that on May 2, Lewis Padilla sent you an invitation to join their professional network at LinkedIn.
Accept Lewis Padilla Invitation
On May 2, Lewis Padilla wrote:
> To: [redacted]
>
> I'd like to join you to my professional network on LinkedIn.
>
> Lewis Padilla
You are receiving Reminder emails for pending invitations. Unsubscribe.
© 2013 LinkedIn Corporation. 2029 Stierlin Ct, Mountain View, CA 94043, USA.
The malicious payload is at [donotclick]guessworkcontentprotect.biz/news/pattern-brother.php (report here) hosted on:
82.236.38.147 (PROXAD Free SAS, France)
83.212.110.172 (Greek Research and Technology Network, Greece)
130.239.163.24 (Umea University, Sweden)
203.190.36.201 (Kementerian Pertanian, Indonesia)
Blocklist:
Monday 29 April 2013
"Requested Reset of Yoyr PayPal Password" spam / frustrationpostcards.biz
This fake PayPal spam leads to malware on frustrationpostcards.biz:
Date: Mon, 29 Apr 2013 13:22:03 -0500
From: "service@paypalmail.com" [chichisaq0@emlreq.paypalmail.com]
Subject: Requested Reset of Yoyr PayPal Password
Your account will stay on hold untill password reset.
How to reset your PayPal password
Hello [redacted],
To get back into your PayPal account, you'll have to create a new password.
It's easy:
Click the link below to open a secure browser window.
Confirm that you're the owner of the account, and then follow the instructions.
Reset your password now
If you didn't requested help with your password, let us know immediately. Reporting it is important because it helps us prevent fraudsters from stealing your information.
Help Center | Security Center
Please don't reply to this email. It'll just confuse the computer that sent it and you won't get a response.
Copyright © 2013 PayPal, Inc. All rights reserved. PayPal is located at 2211 N. First St., San Jose, CA 95132.
PayPal Email ID 2A7X1
The link goes through a legitimate but hacked site to land on a malicious payload at [donotclick]frustrationpostcards.biz/news/institutions-trusted.php (report here) hosted on the following IPs:
82.236.38.147 (PROXAD Free SAS, France)
83.212.110.172 (Greek Research and Technology Network, Greece)
130.239.163.24 (Umea University, Sweden)
The WHOIS details identify this domain as belonging to the Amerika gang:
Registrant ID: INTEGOY3JBV8IIHG
Registrant Name: Shouli Cowper
Registrant Address1: 40 W 17th St
Registrant City: New York
Registrant Postal Code: 10011
Registrant Country: United States
Registrant Country Code: US
Registrant Phone Number: +1.4682697453
Registrant Email: shouli_cowper563@bikeracer.com
Blocklist:
Wednesday 24 April 2013
"New Secure Message" spam / pricesgettos.info
This spam leads to malware on pricesgettos.info:
Date: Wed, 24 Apr 2013 16:41:50 +0100 [11:41:50 EDT]
From: Cooper.Anderson@csiweb.com
Subject: New Secure Message Received from Cooper.Anderson@csiweb.com
New Secure Message
Respective [redacted],
You have received a new secure message from Cooper.Anderson@csiweb.com.
If you are using the Secure Message Plugin in Lotus Notes this message will be in your SecureMessages Inbox.
If you are NOT using the Secure Message Plugin, you are able to view it by clicking https://www.csiweb.com/5890424-13QZUR797870/?inbox_idf3795430A7NO9 to retrieve your secure message or to begin using the convenient Lotus Notes Plugin.
Sincerely Yours,
CSIe
The link displayed in the email is fake and actually goes to a legitimate (but hacked) site and is then forwarded to the Blackhole payload site at [donotclick]pricesgettos.info/news/done-heavy_hall_meant.php (report here) hosted on the following IPs:
1.235.183.241 (SK Broadband, Korea)
130.239.163.24 (Umea University, Sweden)
155.239.247.247 (Centurion Telkom, South Africa)
202.31.139.173 (Kum oh National University of Technology, Korea)
203.64.101.145 (Taiwan Academic Network, Taiwan)
Blocklist:
Monday 22 April 2013
"Loss Avoidance Alerts" spam / tempandhost.com
I haven't seen this particular spam before. It leads to malware on tempandhost.com:
Date: Tue, 23 Apr 2013 05:41:32 +0900 [16:41:32 EDT]
From: personableop641@swacha.org
Subject: 4/22/13 The Loss Avoidance Alerts that you requested are now available on the internet
Loss Avoidance Alert System
April 22, 2013
Loss Avoidance Report:
The Loss Avoidance Alerts that was processed are now available on a secure website at:
www.lossavoidancealert.org
http://www.lossavoidancealert.org
Alerts:
CL0017279 – Sham Checks (ALL)
Note: If the Alert Number does not appear on the Home Page - just go to the top left Search Box,
enter the Alert Number and hit Go.
Thank you for your participation!
Loss Avoidance Alert System Administrator
This email is confidential and intended for the use of the individual to whom it is addressed. Any views or opinions presented are solely
those of the author and do not necessarily represent those of SWACHA-The Electronic Payments Resource. SWACHA will not be held
responsible for the information contained in this email if it is not used for its original intent. Before taking action on any information contained
in this email, please consult legal counsel. If you are not the intended recipient, be advised that you have received this email in error and that any use,
dissemination, forwarding, printing or copying of this email is strictly prohibited.
If you received this email in error, please contact the sender.
The link in the email appears to point to www.lossavoidancealert.org but actually goes through a legitimate hacked site (in this case [donotclick]samadaan.com/wp-content/plugins/akismet/swacha.html) to a landing page of [donotclick]tempandhost.com/news/done-heavy_hall_meant.php or [donotclick]tempandhost.com/news/done-meant.php (sample report here and here) which is.. err.. some sort of exploit kit or other. It doesn't seem to be responding well to analysis tools, which could either indicate overloading or some trickery, most likely something very like this. Anyway, tempandhost.com is hosted on the following servers:
1.235.183.241 (SK Broadband Co Ltd, Korea)
46.183.147.116 (Serverclub.com, Netherlands)
155.239.247.247 (Centurion Telkom, South Africa)
202.31.139.173 (Kum oh National University of Technology, Korea)
The WHOIS details indicate that this is the Amerika crew:
Administrative Contact:
clark, emily twinetourt@aol.com
38b butman st
beverly, MA 01915
US
9784734033
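The mismatch described above, where the visible link text names www.lossavoidancealert.org but the href goes to a different, hacked site, can be checked mechanically in the HTML part of a message. This is an added example, not code from the original post; the HTML sample is constructed and the `.example` hosts are placeholders.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample modelled on the message above. Hosts under .example are
# placeholders, not indicators taken from the post.
SAMPLE_HTML = """
<p>The Loss Avoidance Alerts are now available on a secure website at:</p>
<a href="http://hacked-blog.example/wp-content/plugins/akismet/swacha.html">www.lossavoidancealert.org</a>
<a href="http://www.lossavoidancealert.org/help">http://www.lossavoidancealert.org/help</a>
<a href="http://news.example/story">Click here for more information</a>
"""

# Link text that itself looks like a URL or a bare hostname.
HOSTLIKE = re.compile(
    r"^(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)(?:[/:?#]|$)", re.I)


def host_of(text):
    """Return the lowercase hostname if the text looks like a URL or host."""
    m = HOSTLIKE.match(text.strip())
    return m.group(1).lower() if m else None


def strip_www(host):
    return host[4:] if host.startswith("www.") else host


def same_site(shown, real):
    """True if the real host is the shown host or a subdomain of it."""
    shown, real = strip_www(shown), strip_www(real)
    return real == shown or real.endswith("." + shown)


class LinkAuditor(HTMLParser):
    """Collect <a> elements whose visible text names a different host."""

    def __init__(self):
        super().__init__()
        self._href = None
        self._text = []
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag != "a" or self._href is None:
            return
        shown = "".join(self._text).strip()
        shown_host = host_of(shown)
        real_host = (urlsplit(self._href).hostname or "").lower()
        # Only text that claims a destination can contradict the href;
        # "Click here" style text is ignored by this check.
        if shown_host and real_host and not same_site(shown_host, real_host):
            self.findings.append((shown, self._href))
        self._href = None


def mismatched_links(html):
    auditor = LinkAuditor()
    auditor.feed(html)
    auditor.close()
    return auditor.findings


if __name__ == "__main__":
    for shown, href in mismatched_links(SAMPLE_HTML):
        print("text says %s but link goes to %s" % (shown, href))
```

Generic "click here" links, as used in the NACHA-themed samples, carry no claimed destination and need a blocklist or reputation check instead.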
Blocklist:
Wednesday 17 April 2013
PayPal spam / dialupwily.org
This fake PayPal spam leads to malware on dialupwily.org:
From: service@paypal.com [mailto:criticizea@seneseassociates.com]
Sent: Wed 17/04/2013 18:49
Subject: Receipt for your PayPal payment to Konrad Rotuski
Feb 18, 2013 10:54:32 PDT
Transaction ID: 4F1UGYHLFMRAG1AVY
Hello,
You sent a payment of $149.49 USD to Konrad Rotuski (criticizea@seneseassociates.com)
Thanks for using PayPal. To see all the transaction details, log in to your PayPal account.
It may take a few moments for this transaction to appear in your account.
--------------------------------------------------------------------------------
Seller
Konrad Rotuski
criticizea@seneseassociates.com Note to seller
You haven't included a note.
Shipping address - unconfirmed
218 E CHURCH ST
FAYETTEVILLE, TX 09557-2446
United States
Shipping details
USPS Priority Mail
Description Unit price Qty Amount
TAG Heuer Men's WAU6277.BA3900 Formula 1 White Dial Stainless Steel Watch
Item# 566741455709 $149.49 USD 1 $149.49 USD
Shipping and handling $0.00 USD
Insurance - not offered ----
Total $149.49 USD
Payment $149.49 USD
Charge will appear on your credit card statement as PAYPAL Konrad Rotuski
Payment sent to criticizea@seneseassociates.com
Issues with this transaction?
You have 45 days from the date of the transaction to open a dispute in the Resolution Center.
Questions? Go to the Help Center at: www.paypal.com/help.
Please do not reply to this email. This mailbox is not monitored and you will not receive a response. For assistance, log in to your PayPal account and click Help in the top right corner of any PayPal page.
To receive email notifications in plain text instead of HTML, log in to your PayPal account, go to your Profile, and click Notifications.
PayPal Email ID PP387
The link in the email goes through a hacked Wordpress site to a malicious landing page at [donotclick]dialupwily.org/closest/incomming_message.php (report here) hosted on 188.225.34.36 (Transit Telecom, Russia). More malware domains to come..
CNN.com Boston Marathon spam / thesecondincomee.com
This Boston Marathon themed spam leads to malware on thesecondincomee.com:
Example 1:
Date: Wed, 17 Apr 2013 10:32:18 -0600 [12:32:18 EDT]
From: CNN Breaking News [BreakingNews@mail.cnn.com]
Subject: Opinion: Boston Marathon Explosions - Obama Benefits? - CNN.com
CNN.com
Powered by
* Please note, the sender's email address has not been verified.
You have received the following link from BreakingNews@mail.cnn.com:
Click the following to access the sent link:
Boston Marathon Explosions - Obama Benefits? - CNN.com*
SAVE THIS link FORWARD THIS link
Get your EMAIL THIS Browser Button and use it to email content from any Web site. Click here for more information.
*This article can also be accessed if you copy and paste the entire address below into your web browser.
by clicking here
Example 2:
Date: Wed, 17 Apr 2013 22:32:56 +0600
From: behring401@mail.cnn.com
Subject: Opinion: Boston Marathon Explosions - North Korea trail or Osama Legacy? - CNN.com
Powered by
* Please note, the sender's email address has not been verified.
You have received the following link from BreakingNews@mail.cnn.com:
Click the following to access the sent link:
Boston Marathon Explosions - North Korea trail or Osama Legacy? - CNN.com*
Get your EMAIL THIS Browser Button and use it to email content from any Web site. Click here for more information.
*This article can also be accessed if you copy and paste the entire address below into your web browser.
by clicking here
The malicious payload is at [donotclick]thesecondincomee.com/news/agency_row_fixed.php hosted on:
94.249.206.117 (GHOSTnet, Germany)
155.239.247.247 (Centurion Telkom, South Africa)
173.234.239.60 (Nobis Technology Group, US)
The recommended blocklist is the same as used in this earlier attack.
Wednesday 10 April 2013
Malware sites to block 10/4/13 - part II
With a hat tip to a correspondent, here are some more domains connected with this and this. Enjoy.
Malware sites to block 10/4/13
These domains and IPs are associated with the Amerika gang and are related to this spam run. Blocking them would be prudent.
ICANN: thanks for the malware spam / mailedspokesperson.biz
This is a pretty straightforward LinkedIn themed spam that leads to malware on mailedspokesperson.biz:
From: Leonide Saad - LinkedIn [dreamland@beutelschneiderhamburg.de]
Date: 10 April 2013 15:19
Subject: Join my network on LinkedIn
REMINDERS
Invitation reminders:
From Leonide Saad (Developer at Perot Systems)
PENDING MESSAGES
There are a total of 8 messages awaiting your response. Go to InBox now.
This message was sent to username@domain.com. Don't want to receive email notifications? Login to your LinkedIn account to Unsubscribe.
LinkedIn values your privacy. At no time has LinkedIn made your email address available to any other LinkedIn user without your permission. © 2013, LinkedIn Corporation.
The catch with this is that the email address being used is one used only to file WHOIS Compliance Reports with ICANN. If you file reports of inaccurate WHOIS data, then you need to be aware that by default ICANN will forward your contact details to the bad guys.. you can request that this be suppressed, but using an alias is (ironically) probably the best bet. So in this case, the bad guys have presumably just added the email in the complaint to their spam list..
Anyway, this has a link to a legitimate hacked site and thence on to [donotclick]mailedspokesperson.biz/closest/f2ihoiwegjowiejf230hfaj.php (report here) hosted on 46.4.150.117 (Siteko Ltd / Hetzner Online, Germany). The WHOIS details are characteristic of the Amerika gang:
Registrant ID: INTEUMYC18TPLDWG
Registrant Name: Hunter Afkham
Registrant Address1: 181 Sullivan St #4
Registrant City: New York
Registrant Postal Code: 10012
Registrant Country: United States
Registrant Country Code: US
Registrant Phone Number: +1.7914260046
Registrant Email: hunter_afkham8428@aristotle.org
There are a couple of other bad looking sites on the same server, so this is my recommended blocklist:
46.4.150.117
1thyntyny.itemdb.com
diesulead.biz
mailedspokesperson.biz
Wednesday 27 March 2013
NACHA spam / mgithessia.biz
This fake NACHA spam leads to malware on mgithessia.biz:
From: "Олег.Тихонов@direct.nacha.org" [mailto:universe87@mmsrealestate.com]
Sent: 27 March 2013 03:25
Subject: Disallowed Direct Deposit payment
Importance: High
To whom it may concern:
We would like to inform you, that your latest Direct Deposit via ACH transaction (Int. No.989391803448) was cancelled,because your business software package was out of date. The details regarding this matter are available in our secure section::
Click here for more information
Please consult with your financial institution to obtain the updated version of the software.
Kind regards,
ACH Network Rules Department
NACHA - The Electronic Payments Association
11329 Sunrise Valley Drive, Suite 865
Herndon, VA 20172
Phone: 703-561-1927 Fax: 703-787-1894
The malicious payload is at [donotclick]mgithessia.biz/closest/repeating-director_concerns.php although I am having difficulty resolving that domain, however it appears to be on 46.4.150.118 (Hetzner, Germany) and the payload looks something like this.
DNS services are provided by justintvfreefall.org which is also probably malicious. Nameservers are on 5.187.4.53 (Fornex Hosting, Germany) and 5.187.4.58 (the same).
Recommended blocklist:
46.4.150.118
5.187.4.53
5.187.4.58
mgithessia.biz
justintvfreefall.org
Tuesday 26 March 2013
NACHA spam / breathtakingundistinguished.biz
This fake NACHA spam leads to malware on breathtakingundistinguished.biz:
From: "Гена.Симонов@direct.nacha.org" [mailto:corruptnessljx953@bsilogistik.com]
Sent: 25 March 2013 22:26
Subject: Re: Your Direct Deposit disallowance
Importance: High
Attn: Accounting Department
We are sorry to notify you, that your latest Direct Deposit transaction (#963417979218) was disallowed,because your business software package was out of date. The detailed information about this matter is available in the secure section of our web site:
Click here for more information
Please consult with your financial institution to acquire the updated version of the software.
Yours truly,
ACH Network Rules Department
NACHA - The Electronic Payments Association
19681 Sunrise Valley Drive, Suite 275
Herndon, VA 20135
Phone: 703-561-1796 Fax: 703-787-1698
The malicious payload is at [donotclick]breathtakingundistinguished.biz/closest/209tuj2dsljdglsgjwrigslgkjskga.php (report here) hosted on 62.173.138.71 (Internet-Cosmos Ltd., Russia). The following malicious sites are also hosted on the same server:
necessarytimealtering.biz
hitwiseintelligence.biz
breathtakingundistinguished.biz
Friday 22 March 2013
Wire Transfer spam / dataprocessingservice-alerts.com
This fake Wire Transfer spam leads to malware on dataprocessingservice-alerts.com:
Date: Fri, 22 Mar 2013 10:42:22 -0600
From: support@digitalinsight.com
Subject: Terminated Wire Transfer Notification - Ref: 54133
Immediate Transfers Processing Service
STATUS Notification
The following wire transfer has been submitted for approval. Please visit this link to review the transaction details (ref '54133' submitted by user '[redacted]' ).
TRANSACTION SUMMARY:
Initiated By: [redacted]
Initiated Date & Time: 2013-03-21 4:00:46 PM PST
Reference Number: 54133
For addidional info visit this link
The payload is at [donotclick]dataprocessingservice-alerts.com/kill/chosen_wishs_refuses-limits.php (report here) hosted on:
24.111.157.113 (Midcontinent Media, US)
58.26.233.175 (TMNet, Malaysia)
155.239.247.247 (Centurion Telkom, South Africa)
Blocklist:
Thursday 21 March 2013
Facebook spam / scriptuserreported.org
This Facebook spam has undergone some sort of failure during construction, revealing some of the secrets of how these messages are constructed. It leads to malware on scriptuserreported.org:
Date: Thu, 21 Mar 2013 10:56:28 -0500
From: Facebook [update+oi=MKW63Z@facebookmail.com]
Subject: John Jenkins commented photo of you.
John Jenkins commented on {l5}.
reply to this email to comment on this photo.
see comment
this message was sent to {mailto_username}@{mailto_domain}. if you don't want to receive these emails from facebook in the future, please unsubscribe.
facebook, inc., attention: department 415, po box 1000{digit}, palo alto, ca 9{digit}3{digit}
The malicious payload is at [donotclick]scriptuserreported.org/close/keys-importance-mention.php hosted on 5.39.37.31 and there are no surprises that this is OVH in France.. but wait a minute because this is in a little suballocated block thusly:
inetnum: 5.39.37.24 - 5.39.37.31
netname: n2p3DoHost
descr: DoHost n2 p3
country: FR
admin-c: OTC2-RIPE
tech-c: OTC2-RIPE
status: ASSIGNED PA
mnt-by: OVH-MNT
source: RIPE # Filtered
Let's start with the server at 5.39.37.31 which is distributing the Blackhole Exploit Kit (report here). This server also hosts the following potentially malicious domains:
pesteringpricelinecom.net
resolveconsolidate.net
scriptuserreported.org
provingmoa.com
Go back a few IPs to 5.39.37.28 and there are a couple of work-at-home scam sites:
workhomeheres01.com
workhomeheres02.com
There's also a work-at-home scam on 5.39.37.24:
makeworkhome12.pl
5.39.37.26 appears to be hosting a control panel for the Neutrino Exploit kit:
myadminspanels.info
supermyadminspanels.info
So you can pretty much assume that 5.39.37.24/29 is a sewer and you should block the lot. Who is n2p3DoHost? Well, I don't know.. but there's one more clue at 5.39.37.29 which is the domain rl-host.net. The WHOIS details for rl-host.net are anonymised, but on the day of registration were:
Queste Julien Email:julien@queste.fr 50 rue Arthur lamendin 62330 isbergues France Tel: +33.649836105
Does M. Queste own this /29? If he does, then it looks like he has some very bad customers..
Minimum blocklist:
5.39.37.31
pesteringpricelinecom.net
resolveconsolidate.net
scriptuserreported.org
provingmoa.com
Recommended blocklist:
5.39.37.24/29
makeworkhome12.pl
myadminspanels.info
supermyadminspanels.info
workhomeheres01.com
workhomeheres02.com
rl-host.net
pesteringpricelinecom.net
resolveconsolidate.net
scriptuserreported.org
provingmoa.com
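The recommended blocklist above mixes a CIDR range with bare domains, so applying it means matching addresses by network containment and hostnames by domain suffix. The following is an added example, not part of the original post, that parses the list in that form and checks destinations against it; the proxy-log lines and their three-column layout are constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# The post's recommended blocklist, one entry per line as published.
BLOCKLIST_TEXT = """
5.39.37.24/29
makeworkhome12.pl
myadminspanels.info
supermyadminspanels.info
workhomeheres01.com
workhomeheres02.com
rl-host.net
pesteringpricelinecom.net
resolveconsolidate.net
scriptuserreported.org
provingmoa.com
"""

# Constructed proxy-log sample (assumed layout: timestamp, client, destination).
SAMPLE_LOG = """\
2013-03-21T15:58:01Z 10.0.0.14 http://scriptuserreported.org/
2013-03-21T15:58:09Z 10.0.0.14 http://5.39.37.26/
2013-03-21T15:59:30Z 10.0.0.22 http://static.workhomeheres01.com/a.js
2013-03-21T16:00:02Z 10.0.0.31 http://5.39.37.32/
2013-03-21T16:00:40Z 10.0.0.31 http://notscriptuserreported.org/
"""


def parse_blocklist(text):
    """Split mixed entries into a list of IP networks and a set of domains."""
    nets, domains = [], set()
    for line in text.splitlines():
        entry = line.strip().lower().rstrip(".")
        if not entry or entry.startswith("#"):
            continue
        try:
            # Handles single addresses and CIDR ranges alike.
            nets.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            domains.add(entry)
    return nets, domains


def refang(target):
    """Make the post's '[donotclick]host/path' form parseable as a URL."""
    target = target.replace("[donotclick]", "")
    return target if "://" in target else "http://" + target


def verdict(target, nets, domains):
    """Return the blocklist entry matching an IP, hostname or URL, else None."""
    host = (urlsplit(refang(target)).hostname or "").lower().rstrip(".")
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        for net in nets:
            if ip.version == net.version and ip in net:
                return str(net)
        return None
    # Compare whole labels so that a listed domain matches itself and its
    # subdomains, but not a longer name that merely ends with the same text.
    labels = host.split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return candidate
    return None


def scan(log_text, nets, domains):
    """Return (client, destination, matched entry) for each blocked request."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        _, client, dest = parts
        match = verdict(dest, nets, domains)
        if match:
            hits.append((client, dest, match))
    return hits


if __name__ == "__main__":
    nets, domains = parse_blocklist(BLOCKLIST_TEXT)
    for client, dest, match in scan(SAMPLE_LOG, nets, domains):
        print(client, dest, "matched", match)
```

The single /29 entry covers every address the post names (5.39.37.24, .26, .28, .29 and .31) without listing them individually, while 5.39.37.32 falls outside it.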
NACHA spam / encodeshole.org
This fake NACHA spam leads to malware on encodeshole.org:
From: "Тимур.Родионов@direct.nacha.org" [mailto:biker@wmuttkecompany.com]
Sent: 20 March 2013 18:51
Subject: Payment ID 454806207096 rejected
Importance: High
Dear Sirs,
Herewith we are informing you, that your latest Direct Deposit payment (ID431989197078) was cancelled,due to your current Direct Deposit software being out of date. Please use the link below to enter the secure section of our web site and see the details::
Click here for more information
Please apply to your financial institution to get the necessary updates of the Direct Deposit software.
Best regards,
ACH Network Rules Department
NACHA - The Electronic Payments Association
10933 Sunrise Valley Drive, Suite 771
Herndon, VA 20190
Phone: 703-561-0849 Fax: 703-787-0548
The malicious payload is at [donotclick]encodeshole.org/closest/209tuj2dsljdglsgjwrigslgkjskga.php (report here) hosted on 91.234.33.187 (FOP Sedinkin Olexandr Valeriyovuch, Ukraine). The following suspect domains are on the same IP:
91.234.33.187
encodeshole.org
rotariesnotify.org
rigidembraces.info
storeboughtmodelers.info