
Showing posts with label Bulgaria. Show all posts

Monday, 9 September 2013

Malware sites to block 9/9/13

These domains and IPs are associated with this gang; this list supersedes (or complements) the one I made last week.

1.209.108.29 (BORANET, Korea)
24.173.170.230 (Time Warner Cable, US)
37.153.192.72 (Routit BV, Netherlands)
42.121.84.12 (Aliyun Computing Co, China)
58.68.228.148 (Beijing Blue I.T Technologies Co., China)
58.246.240.122 (China Unicom, China)
61.36.178.236 (LG DACOM, Korea)
66.230.163.86 (Goykhman and Sons LLC, US)
66.230.190.249 (ISPrime, US)
74.63.233.79 (Limestone Networks Inc / 123Systems Solutions, US)
74.207.231.42 (Linode, US)
95.87.1.19 (Trakia Kabel, Bulgaria)
95.111.32.249 (Megalan / Mobiltel EAD, Bulgaria)
95.242.252.26 (Telecom Italia, Italy)
103.20.166.67 (PT. Visikom Indo Sentratama, Indonesia)
111.93.115.216 (Tata Teleservices, India)
115.78.233.220 (Vietel Corporation, Vietnam)
115.160.146.142 (Wharf T&T Ltd, Hong Kong)
130.63.110.159 (York University, Canada)
140.116.72.75 (TANET, Taiwan)
141.20.102.73 (Humboldt-Universitaet zu Berlin, Germany)
148.204.64.107 (Instituto Politecnico Nacional, Mexico)
173.254.250.218 (OC3 Networks, US)
184.23.8.7 (Sonic.net, US)
186.251.180.205 (Infotech Informatica e Assistencia Tecnica Ltda, Brazil)
187.60.172.18 (Linhares Serviços Online LTDA, Brazil)
190.145.25.126 (Telmex Colombia, Colombia)
190.152.149.85 (Consejo De Participacion Ciudadana Y Control Soci, Ecuador)
192.241.199.191 (Digital Ocean, US)
194.42.83.60 (Interoute Communications, UK)
194.158.4.42 (Interoute Communications, France)
198.224.81.54 (AT&T, US)
199.115.228.213 (VolumeDrive, US)
208.52.185.178 (BroadRiver Communication Corp, US)
208.69.42.50 (Bay Area Video Coalition, US)
208.180.134.20 (Suddenlink Communications, US)
212.169.49.234 (Claranet, UK)
213.156.91.110 (Ukrainian Special Systems Network, Ukraine)
222.35.102.133 (China TieTong Telecommunications Corporation, China)
223.30.27.251 (Sify Limited, India)

1.209.108.29
24.173.170.230
37.153.192.72
42.121.84.12
58.68.228.148
58.246.240.122
61.36.178.236
66.230.163.86
66.230.190.249
74.63.233.79
74.207.231.42
95.87.1.19
95.111.32.249
95.242.252.26
103.20.166.67
111.93.115.216
115.78.233.220
115.160.146.142
130.63.110.159
140.116.72.75
141.20.102.73
148.204.64.107
173.254.250.218
184.23.8.7
186.251.180.205
187.60.172.18
190.145.25.126
190.152.149.85
192.241.199.191
194.42.83.60
194.158.4.42
198.224.81.54
199.115.228.213
208.52.185.178
208.69.42.50
208.180.134.20
212.169.49.234
213.156.91.110
222.35.102.133
223.30.27.251
achrezervations.com
agence-moret.net
altertraveldream.com
amimeseason.net
bnamecorni.com
boardsxmeta.com
brasilmatics.net
bundle.su
casualcare.net
cernanrigndnisne55.net
cerovskiprijatnomnebi25.net
certerianshndieony24.net
certierskieanyofthe23.net
chairsantique.net
checklistsseesmics.su
chernigovskievojninua55.net
controlsalthoug.com
credit-find.net
crovliivseoslniepodmore83.net
deepsealinks.com
dotier.net
dvdramrautosel.su
ehnihujasebenahujchtoza27.net
ehnynewyortenotbaber.net
ehtiebanishkeobprienrt25.net
elvisalive4ever.com
email.pinterest.com.lacave-enlignes.com
ergopets.com
ermitajniedelaincityof40.net
explic.net
facebook.com.achrezervations.com
favar.net
fender.su
ffupdate.pw
fulty.net
gaphotoid.net
gemochlenoftheierarhia23.net
germaniavampizdanahuj.net
germetikovskievremie29.net
gggrecheskiysala99.net
giabit.net
gonulpalace.net
gormonigraetnapovalahule26.net
gormoshkeniation68.net
gormovskieafrterskioepr30.net
grannyhair.ru
higherpricedan.com
hobox.net
hotbitscan.com
icentis-finance.net
insectiore.net
invoices.ulsmart.net
istatsking.ru
jessesautobody.net.rcom-dns.eu
kpsart.net
lacave-enlignes.com
lights-awake.net
liliputttt9999.info
lindoliveryct.net
macache.net
maxichip.com
medusascream.net
micnetwork100.com
mobile-unlocked.net
molul.com
multiachprocessor.com
myaxioms.com
mywebsitetips.net
nacha-ach-processor.com
namastelearning.net
ns1.namastelearning.net
ns2.namastelearning.net
nvufvwieg.com
oadims.net
ordersdeluxe.com
oversearadios.net
paypal.com.us.cmd.stjamesang.net
perkindomname.com
photos.walmart.com.orders.stjamesang.net
porschetr-ml.com
powerranger-toys.net
priceless.su
printingupplies.com
pure-botanical.net
redsox.com.tickets-service.lindoliveryct.net
relectsdispla.net
rentipod.ru
saucancafe.net
scoutmoor.net
secureprotection5.com
soberimages.com
stjamesang.net
stonewallspwt.net
strutterradio.net
taltondark.net
templateswell.net
thefastor.com
thegalaxyatwork.com
tickets-service.lindoliveryct.net
tor-connect-secure.com
trans-staronline.net
treesmustdownload.su
u-janusa.net
ulsmart.net
uprisingquicks.net
video-withtext.com
vineostat.ru
viperestats.ru
vip-proxy-to-tor.com
virginiarealtyonline.net
weekings.com
wildgames-orb.net
wow-included.com
www.facebook.com.achrezervations.com
www.linkedin.com.achrezervations.com
www.nacha.org.multiachprocessor.com
www.nacha-ach-processor.com
www.redsox.com.tickets-service.lindoliveryct.net
zinvolarstikel.com

Friday, 6 September 2013

Facebook spam / www.facebook.com.achrezervations.com

This fake Facebook spam leads to malware on www.facebook.com.achrezervations.com:

Date:      Fri, 6 Sep 2013 08:07:14 -0500 [09:07:14 EDT]
From:      Facebook [notification+puppies9@mail.facebookmail.net]
Reply-To:      noreply [noreply@postmaster.facebookmail.org]
Subject:      Cole Butler confirmed your Facebook friend request

facebook
   
Cole Butler has confirmed that you're friends on Facebook.
You may know some of Cole's Friends
    Daren Douglas
1 mutual friends
   
Add Friend
   
    Gertrude Souza
14 mutual friends
   
Add Friend
    Brice Kelly
3 mutual friends
   
Add Friend
   
    Beverly Howard
12 mutual friends
   
Add Friend
    Julia Metz
6 mutual friends
   
Add Friend
   
    Nora Belanger
6 mutual friends
   
Add Friend
View Timeline
This message was sent to [redacted]. If you don't want to receive these emails from Facebook in the future, please unsubscribe.
Facebook, Inc., Attention: Department 415, PO Box 10005, Palo Alto, CA 94303

The link in the email goes to a legitimate hacked site and then to an exploit kit on [donotclick]www.facebook.com.achrezervations.com/news/implement-circuit-false.php (report here) hosted on the following servers:
66.230.163.86 (Goykhman And Sons LLC, US)
95.111.32.249 (Megalan / Sofia Mobiltel EAD, Bulgaria)
115.78.233.220 (Vietel Corporation, Vietnam)
194.42.83.60 (Interoute Hosting, UK)

The following IPs and domains are all malicious and belong to this gang; I recommend you block them:
66.230.163.86
95.111.32.249
115.78.233.220
194.42.83.60
50plus-login.com
aa.com.reservation.viewfareruledetailsaccess.do.sai-uka-sai.com
achrezervations.com
actiry.com
appsmartsecurity.com
askfox.net
bnamecorni.com
boxbass.com
casualcare.net
cerovskiprijatnomnebi25.net
certerianshndieony24.net
certierskieanyofthe23.net
chernigovskievojninua55.net
ciriengrozniyivdd.ru
cirormdnivneinted40.ru
cirriantisationsansidd79.net
crobnivmocanriendi56.net
cyberflorists.su
driversupdate.pw
ehchernomorskihu.ru
ehnaisnwhgiuh29.net
ehnihujasebejav15.ru
ehtiebanishkeobprienrt25.net
email.pinterest.com.lacave-enlignes.com
ermitajniedelaincityof40.net
evarse.com
explic.net
facebook.com.achrezervations.com
facebook.com.n.find-friends.lindoliveryct.net
favar.net
ffupdate.pw
germaniavampizdanahuj.net
germetikovskievremie29.net
gggrecheskiysala99.net
giabit.net
gormovskieafrterskioepr30.net
grannyhair.ru
gromoviepechiniegierskie.net
herbergers.com.content.customer-service.laptopsinstalled.net
hotbitscan.com
hyatt.com.reservations.reservation.roccoscollar.net
invoices.ulsmart.net
istatsking.ru
lacave-enlignes.com
liliputttt9999.info
maxichip.com
micnetwork100.com
microsoftstore.com.store.msusa.en_us.displaydownloadhistorypage.kemingpri.com
mirrorsupply.com
molul.com
multiachprocessor.com
musicstudioseattle.net
nacha-ach-processor.com
nvufvwieg.com
oleannyinsurance.net
paypal.com.us.cmd.stjamesang.net
photographysmile.net
photos.walmart.com.orders.stjamesang.net
redsox.com.tickets-service.lindoliveryct.net
smartsecureconnect.com
tickets-service.lindoliveryct.net
tor-connect-secure.com
vineostat.ru
viperestats.ru
vip-proxy-to-tor.com
weekings.com
wingdress.net
www.appsmartsecurity.com
www.facebook.com.achrezervations.com
www.hyatt.com.reservations.reservation.roccoscollar.net
www.nacha.org.multiachprocessor.com
www.nacha-ach-processor.com
www.redsox.com.tickets-service.lindoliveryct.net

Thursday, 5 September 2013

NACHA spam / nacha-ach-processor.com

This fake NACHA spam (I thought these were out of fashion!) leads to malware on nacha-ach-processor.com:

From:     The Electronic Payments Association - NACHA [leansz35@inbound.nacha.com]
Date:     5 September 2013 17:55
Subject:     Rejected ACH transfer

The ACH transaction (ID: 985284643257), yesterday sent from your account (by one of your account members), was cancelled by the recipient's bank.

Cancelled transaction
ACH ID:     985284643257
Rejection Reason     See additional info in the statement below
Transaction Detailed Report     View Report 985284643257

About NACHA

NACHA occupies a unique role in the association world, serving as both an industry trade association and administrator of Automated Clearing House (ACH) Network. As the industry trade association that oversees the ACH Network, NACHA provides services in three key functional areas:

The NACHA Operating Rules provide the legal foundation for the exchange of ACH payments and ensure that the ACH Network remains efficient, reliable, and secure for the benefit of all participants. In its role as Network administrator, NACHA manages the rulemaking process and ensures that proposed ACH applications are consistent with the Guiding Principles of the ACH Network. The rulemaking process provides a disciplined, well-defined methodology to propose and develop and propose rules amendments to the NACHA voting membership, the decision makers for the NACHA Operating Rules.

NACHA develops and implements a comprehensive, end-to-end risk management framework that includes network entry requirements, ongoing requirements, enforcement, and ACH Operator tools and services. Collectively, the strategy addresses risk and quality in the ACH Network by minimizing unauthorized entries and customer services costs to all Network participants.

14560 Sunny Valley Drive, Suite 204
Herndon, VA 20171

© 2013 NACHA - The Electronic Payments Association
The link in the email goes through a legitimate hacked site and then attempts to direct visitors to [donotclick]www.nacha-ach-processor.com/news/ach-report.php (report here) which is hosted on the following IPs:

66.230.163.86 (Goykhman And Sons LLC, US)
95.111.32.249 (Megalan / Sofia Mobiltel EAD, Bulgaria)
194.42.83.60 (Interoute Hosting, UK)

The IPs in use identify it as belonging to what I call the Amerika gang. There are several other malicious domains on these same IPs, and they form part of this larger group of dangerous IPs and domains.

Recommended blocklist:
66.230.163.86
95.111.32.249
194.42.83.60
50plus-login.com
aa.com.reservation.viewfareruledetailsaccess.do.sai-uka-sai.com
actiry.com
appsmartsecurity.com
askfox.net
bnamecorni.com
boxbass.com
casualcare.net
cerovskiprijatnomnebi25.net
certerianshndieony24.net
certierskieanyofthe23.net
chernigovskievojninua55.net
ciriengrozniyivdd.ru
cirormdnivneinted40.ru
cirriantisationsansidd79.net
crobnivmocanriendi56.net
cyberflorists.su
driversupdate.pw
ehchernomorskihu.ru
ehnaisnwhgiuh29.net
ehnihujasebejav15.ru
ehtiebanishkeobprienrt25.net
email.pinterest.com.lacave-enlignes.com
ermitajniedelaincityof40.net
etitkadritenskiefori.net
evarse.com
explic.net
facebook.com.n.find-friends.lindoliveryct.net
favar.net
ffupdate.pw
germaniavampizdanahuj.net
germetikovskievremie29.net
gggrecheskiysala99.net
giabit.net
gormovskieafrterskioepr30.net
grannyhair.ru
gromoviepechiniegierskie.net
herbergers.com.content.customer-service.laptopsinstalled.net
hotbitscan.com
hyatt.com.reservations.reservation.roccoscollar.net
immediatechecking.su
istatsking.ru
lacave-enlignes.com
liliputttt9999.info
maxichip.com
micnetwork100.com
microsoftstore.com.store.msusa.en_us.displaydownloadhistorypage.kemingpri.com
mirrorsupply.com
molul.com
multiachprocessor.com
musicstudioseattle.net
nacha-ach-processor.com
nvufvwieg.com
oleannyinsurance.net
paypal.com.us.cmd.stjamesang.net
photographysmile.net
photos.walmart.com.orders.stjamesang.net
redsox.com.tickets-service.lindoliveryct.net
smartsecureconnect.com
tickets-service.lindoliveryct.net
tor-connect-secure.com
viperestats.ru
vip-proxy-to-tor.com
weekings.com
wingdress.net
www.appsmartsecurity.com
www.hyatt.com.reservations.reservation.roccoscollar.net
www.nacha.org.multiachprocessor.com
www.redsox.com.tickets-service.lindoliveryct.net
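Added here as an illustration (it is not part of the original posts): a small Python check for the header pattern seen in the Facebook and NACHA spam above, where the display name names a brand but the address comes from a lookalike domain (mail.facebookmail.net, inbound.nacha.com) and, in the Facebook case, the Reply-To domain does not even match the From domain. The sample messages are constructed from the quoted headers with the address brackets restored; the brand-to-domain mapping is an assumption made for the example, and the registrable-domain helper takes the last two labels rather than consulting the Public Suffix List.

```python
"""Added example (not the blog's code): flag mail whose display name claims a
brand while the sending domain is unrelated, as in the headers quoted above."""
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption for this example: the domains each brand is taken to send from.
# facebook.com, facebookmail.com and nacha.org are the brands' real domains,
# but this mapping is illustrative, not an authoritative allowlist.
BRAND_SENDER_DOMAINS = {
    "facebook": {"facebook.com", "facebookmail.com"},
    "nacha": {"nacha.org"},
}


def registered_domain(host):
    """Approximate the registrable domain as the last two labels.
    Assumption: no Public Suffix List, so co.uk-style suffixes are not handled."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def claimed_brand(display_name):
    """Return the first known brand named in the display name, else None."""
    words = set(re.findall(r"[a-z]+", display_name.lower()))
    for brand in BRAND_SENDER_DOMAINS:
        if brand in words:
            return brand
    return None


def check_headers(raw_message):
    """Return a list of findings for the From / Reply-To headers (empty if clean)."""
    msg = message_from_string(raw_message)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = registered_domain(from_addr.rpartition("@")[2])
    findings = []
    brand = claimed_brand(from_name)
    if brand and from_domain not in BRAND_SENDER_DOMAINS[brand]:
        findings.append(f"display name claims {brand!r} but sender domain is {from_domain}")
    reply_name, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr:
        reply_domain = registered_domain(reply_addr.rpartition("@")[2])
        if reply_domain != from_domain:
            findings.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")
    return findings


# Constructed samples: the headers quoted in the posts, with the address
# brackets restored to the < > form a real message carries.
FACEBOOK_SAMPLE = """\
From: Facebook <notification+puppies9@mail.facebookmail.net>
Reply-To: noreply <noreply@postmaster.facebookmail.org>
Subject: Cole Butler confirmed your Facebook friend request

(body omitted)
"""
NACHA_SAMPLE = """\
From: The Electronic Payments Association - NACHA <leansz35@inbound.nacha.com>
Subject: Rejected ACH transfer

(body omitted)
"""
# Constructed clean counterpart: the brand name matches a domain it really uses.
LEGIT_SAMPLE = """\
From: Facebook <notification@facebookmail.com>
Subject: You have a new notification

(body omitted)
"""

if __name__ == "__main__":
    for label, sample in [("facebook spam", FACEBOOK_SAMPLE),
                          ("nacha spam", NACHA_SAMPLE),
                          ("legit", LEGIT_SAMPLE)]:
        print(label, check_headers(sample) or "no findings")
```

The two checks are deliberately independent: a lookalike domain in From is a finding on its own, and a Reply-To that points somewhere else again is a second one, so the Facebook sample produces two findings, the NACHA sample one, and the clean sample none.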

Monday, 19 August 2013

Malware sites to block 19/8/13

These sites and IPs belong to this gang, and this list follows on from this one:

5.39.14.148 (OVH, France)
24.173.170.230 (Time Warner Cable, US)
31.52.14.209 (BT Broadband, UK)
37.200.69.43 (Selectel Ltd, Russia)
42.121.84.12 (Aliyun Computing Co, China)
59.124.33.215 (Chunghwa Telecom Co, Taiwan)
61.36.178.236 (LG DACOM, Korea)
66.230.163.86 (Goykhman and Sons LLC, US)
66.230.190.249 (ISPrime Inc, US)
70.184.34.191 (Cox Communications, US)
74.207.251.67 (Linode, US)
75.147.133.49 (Comcast Business Communications, US)
78.47.248.101 (Hetzner, Germany)
86.183.191.35 (BT, UK)
95.87.1.19 (Trakia Kabel OOD, Bulgaria)
95.111.32.249 (Megalan Mobiltel EAD, Bulgaria)
95.188.76.14 (Sibirtelecom OJSC, Russia)
114.112.172.34 (Beijing STTD Communication Technology Co, China)
140.113.160.149 (TANET, Taiwan)
140.116.72.75 (TANET, Taiwan)
173.242.123.152 (Volumedrive, US)
177.53.80.39 (Telecom Cordeirópolis Ltda, Brazil)
185.5.54.162 (Interneto Vizija UAB, Lithuania)
186.251.180.205 (Infotech Informatica e Assistencia Tecnica Ltda, Brazil)
188.132.213.115 (Mars Global Datacenter Services LLC, Turkey)
188.134.26.172 (Perspectiva Ltd, Russia)
190.85.249.159 (Telmex Colombia, Colombia)
193.147.49.154 (Universidad Rey Juan Carlos, Spain)
196.1.95.44 (Ensut-computer Department, Senegal)
198.52.243.229 (Centarra Networks Inc, US)
198.211.115.228 (Digital Ocean, US)
212.68.34.88 (Mars Global Datacenter Services LLC, Turkey)
216.158.67.42 (TMZHosting LLC, US)
217.64.107.108 (Society Of Mali's Telecommunications, Mali)
221.133.1.21 (Saigon Postel Corporation, Vietnam)
222.35.102.133 (China Tietong Telecommunications Corporation, China)

5.39.14.148
24.173.170.230
31.52.14.209
37.200.69.43
42.121.84.12
59.124.33.215
61.36.178.236
66.230.163.86
66.230.190.249
70.184.34.191
74.207.251.67
75.147.133.49
78.47.248.101
86.183.191.35
95.87.1.19
95.111.32.249
95.188.76.14
114.112.172.34
140.113.160.149
140.116.72.75
173.242.123.152
177.53.80.39
185.5.54.162
186.251.180.205
188.132.213.115
188.134.26.172
190.85.249.159
193.147.49.154
196.1.95.44
198.52.243.229
198.211.115.228
212.68.34.88
216.158.67.42
217.64.107.108
221.133.1.21
222.35.102.133
actiry.com
amnsreiuojy.ru
arriowzzetobe.net
askfox.net
avini.ru
bbmasterbuilders.net
beachfiretald.com
beldenindcontacts.net
bluavoughogma.com
bnamecorni.com
boardsxmeta.com
breakfast.su
businessdocu.net
calenderlabor.net
casinocnn.net
cbstechcorp.net
checklistsseesmics.su
condalekskajaunini77.net
condrskajaumaksa66.net
controlsalthoug.com
cosamortranas.com
countyforsetttttt21.net
credit-find.net
culturalasia.net
cyberflorists.su
devicesta.ru
dolekotoukart.com
dulethcentury.net
ehnihjrkenpj.ru
evishop.net
exhilaratingwiki.net
facebook.com.n.find-friends.lindoliveryct.net
fitstimekeepe.net
fivelinenarro.net
frutpass.ru
gaphotoid.net
garmonievieraboti50.net
gatumi.com
gonulpalace.net
hdmltextvoice.net
hotkoyou.net
includedtight.com
isightbiowares.su
jdbcandschema.su
jessesautobody.net.rcom-dns.eu
kneeslapperz.net
komsetup.com
labscaner.com
legalizacionez.com
liliputttt9999.info
lindoliveryct.net
logovend.net
lsstats.ru
lucams.net
magiklovsterd.net
mcneillseptictall.net
medusascream.net
melexcia.com
micnetwork100.com
mirris.ru
mobile-unlocked.net
musicstudioseattle.net
myaxioms.com
namastelearning.net
netbeirut.net
nightclubdisab.su
nvufvwieg.com
oneuppositions.net
ordersdeluxe.com
partyspecialty.su
pure-botanical.net
qualysguardviewin.su
quill.com.account.settings.musicstudioseattle.net
raekownholida.com
relectsdispla.net
restless.su
restlesz.su
ringosfulmobile.com
secureprotection5.com
shawnlautzlaw.net
srddesigns.net
suburban.su
tagcentriccent.net
taltondark.net
templateswell.net
thefastor.com
thegalaxyatwork.com
tigerdirect.com.secure.orderlogin.asp.palmer-ford.net
tor-connect-secure.com
u-janusa.net
uprisingquicks.net
vip-proxy-to-tor.com
wildgames-orb.net
x-pertwindscreens.net
zestrecommend.com
zinvolarstikel.com



Thursday, 8 August 2013

TigerDirect.com spam / palmer-ford.net

This fake TigerDirect.com spam leads to malware on palmer-ford.net:

Date:      Thu, 8 Aug 2013 21:54:14 +0400 [13:54:14 EDT]
From:      "TigerDirect.com" [noreply@tigerdirect.com]
Subject:      Your TigerDirect.com Order I9179488 Shipment Update

Computers | Computer Parts | Electronics | TV & Video | Cameras & Surveillance | Cell Phones
Order Shipped:
   
08/07/2013
Order No.
   
I9179488
Shipment Total:
   
$732.20
Shipment Confirmation

[redacted],

Your order shipped on 08/07/2013 and is on its way to you. Click here to log in to MY ACCOUNT for the latest information on your order.

Below, you’ll find a recap of the shipped item(s):

TRACKING NUMBER(S):
1Z2V811KO067774417
(Note: Tracking information may not be available immediately; it may take up to 1 full business day for packages that have reached the shipper to have activity associated with the tracking number. Shipping confirmations for USPS and international shipments as well as for some special order items will not include a tracking number.)
Shipped Items:
   
Quantity
Lenovo H718 Desktop PC - 2nd Gen. Intel Core i3-1130 3.2GHz, 4GB DDR3, 500GB HDD, DVDRW, Windows 8 64-bit, Keyboard & Mouse, (65412680) (T56-C5300 )
   
   
1
   
   
(Click Image Above To Track Your Order) Allow 24 hours for the tracking # to appear in the Shippers' System.
Manufacturer Tech Support: 1-877-453-6686
Manufacturer Tech URL: www.lenovo.com


Again, for the latest information on your order, please click here to log in to MY ACCOUNT. You can also view your Order History, get Invoice Copies, Return Authorizations, add Product Reviews and much more.

Regards,

TigerDirect.com
Customer Care Team

CHECK OUT THE LATEST DEALS - CLICK HERE

Shipment Information
Abigail Hall
2864 N Bell Rd

Pasadena, SC 72936
Your shipping method varies. Please view the chart below for approximate transit times.

Transit Times
Truck Delivery: 7 - 10 Business Days
EconoShip Delivery: 4 - 9 Business Days
UPS Ground: 2 - 7 Business Days
UPS Second Day: 2 Business Days
UPS Next Day Air: 1 Business Day
US Postal Service: 2-3 Business Day Including Saturdays

Saturdays, Sundays and holidays do not count toward the estimated transit days. Packages that leave our fulfillment center on Saturdays, Sundays or holidays will not actually reach the shipper until Monday or the next business day.

Should you have any additional questions regarding your order, please feel free to visit our customer help pages at http://www.tigerdirect.com/help/.

Should you need to exchange or return a product, please visit http://www.tigerdirect.com/sectors/help/return.asp
   
Other Items to Consider

Home Theater Week

Search over 100,000 Products in Stock...
            Refer-A-Friend            
Deal Alerts via
    Sign up for RSS

TigerDirect.com is not responsible for typographical errors or omissions. This email was sent to dynamoo@spamcop.net in response to Order # I9179488.

Note that TigerDirect.com never sells, rents, or shares your email address For more information, please review the TigerDirect.com Privacy Policy at: http://www.tigerdirect.com/sectors/aboutus/privacy.asp

Call Center Hours of Operation: Mon - Fri: 7am til 1am ET and Sat - Sun: 8am til Midnight ET

For Merchandise Returns: c/o TigerDirect Warehouse - 175 Ambassador Drive, Naperville, IL 60540

Copyright © 2013 - TigerDirect, Inc. 7795 West Flagler Street, Suite 35, Miami, FL 33144 (Corporate Headquarters: No Returns Accepted)
LEGAL NOTICES| PRIVACY POLICY
The email looks pretty convincing:


Clicking on the links in the email takes you to a legitimate hacked site and then on to a malware landing page at [donotclick]www.tigerdirect.com.secure.orderlogin.asp.palmer-ford.net/news/tiger-direct.php (report here) which contains an exploit kit.

Although it looks a bit like the link is actually on the tigerdirect.com site, it is actually hosted on the recently registered domain palmer-ford.net which has characteristically fake WHOIS details that mark it out as belonging to the Amerika gang.

   Administrative Contact, Technical Contact:
   Mills, Lawrence  rexona1948@live.com
   5700 Arlington Ave
   Bronx, NY 10471
   US
   7185432402


The malware domain is hosted on the following IPs along with some other malicious domains:
95.111.32.249 (Mobitel EAD, Bulgaria)
199.231.188.226 (Interserver Inc, US)
216.158.67.42 (Webnx Inc, US)

Recommended blocklist:
95.111.32.249
199.231.188.226
216.158.67.42
50plus-login.com
aa.com.reservation.viewfareruledetailsaccess.do.sai-uka-sai.com
askfox.net
briltox.com
ciriengrozniyivdd.ru
cirormdnivneinted40.ru
cirriantisationsansidd79.net
condalinneuwu37.net
condrskajaumaksa66.net
cyberflorists.su
driversupdate.pw
ehchernomorskihu.ru
ehnaisnwhgiuh29.net
ehnihujasebejav15.ru
evishop.net
exnihujatreetrichmand77.net
facebook.com.n.find-friends.oncologistoncology.net
firefoxupd.pw
firerice.com
fulty.net
gnanosnugivnehu.ru
gotoraininthecharefare88.net
klwines.com.order.complete.prysmm.net
liliputttt8888.info
links.emails.bmwusa.com.open.pagebuoy.net
lucams.net
merchantcenter.intuit.com.click-for-click.com
micnetwork100.com
mifiesta.ru
onemessage.verizonwireless.com.verizonwirelessreports.com
onsayoga.net
partyspecialty.su
paypal.com.us.planetherl.net
pinterest.com.onsayoga.net
quill.com.account.settings.managemyaccount.moonopenomy.com
quipbox.com
sai-uka-sai.com
sartorilaw.net
seoworkblog.net
tintencenter.net
verizonwirelessreports.com
vitans.net
www.aa.com.reservation.viewfareruledetailsaccess.do.sai-uka-sai.com
www.klwines.com.order.complete.prysmm.net
www.linkedin.com.e.v2.kennebunkauto.net
www.paypal.com.us.planetherl.net
www.pinterest.com.onsayoga.net
www.tigerdirect.com.secure.orderlogin.asp.palmer-ford.net
www.verizonwirelessreports.com
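As an added defensive example (not code from this blog), here is a small Python checker that parses a blocklist in the plain form used in these posts (bare IPs, CIDR ranges such as 50.97.253.160/27, and domain names) and tests a URL's host against it. The point it makes is the one above about palmer-ford.net: the leading labels of www.tigerdirect.com.secure.orderlogin.asp.palmer-ford.net are chosen by the attacker, so the checker walks up to each parent domain and so catches that host from a plain palmer-ford.net entry. The blocklist fragment is constructed from entries in this post, and the last-two-labels approximation of the registered domain is an assumption (a real deployment would use the Public Suffix List).

```python
"""Added example (not the blog's code): match a URL's host against a plain
blocklist of IPs, CIDR ranges and domains of the kind published above."""
import ipaddress
from urllib.parse import urlsplit

# Constructed blocklist fragment built from entries in the post; one item per
# line, each either an IPv4 address, a CIDR range, or a domain name.
BLOCKLIST_TEXT = """\
95.111.32.249
199.231.188.226
50.97.253.160/27
palmer-ford.net
sai-uka-sai.com
"""


def parse_blocklist(text):
    """Split a plain blocklist into (networks, domains). Bare IPs become /32s."""
    networks, domains = [], set()
    for line in text.splitlines():
        item = line.strip().lower()
        if not item or item.startswith("#"):
            continue
        try:
            networks.append(ipaddress.ip_network(item, strict=False))
        except ValueError:
            domains.add(item.rstrip("."))
    return networks, domains


def registered_domain(host):
    """Approximate the registrable domain as the last two labels.
    Assumption: no Public Suffix List, so co.uk-style suffixes are not handled."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def is_blocked(url, networks, domains):
    """Return (blocked, reason). An IP literal matches any listed network; a
    hostname matches if it, or any parent domain of it, is listed."""
    host = urlsplit(url if "://" in url else "http://" + url).hostname
    if host is None:
        return False, "no host"
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        addr = None
    if addr is not None:
        for net in networks:
            if addr in net:
                return True, f"ip {addr} in listed range {net}"
        return False, f"ip {addr} not listed"
    labels = host.lower().rstrip(".").split(".")
    # Walk host -> parents, e.g. a.b.example.net, b.example.net, example.net;
    # the bare TLD is never a candidate.
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return True, f"host under listed domain {candidate}"
    return False, f"registered domain {registered_domain(host)} not listed"


NETWORKS, DOMAINS = parse_blocklist(BLOCKLIST_TEXT)

if __name__ == "__main__":
    for u in [
        "http://www.tigerdirect.com.secure.orderlogin.asp.palmer-ford.net/news/tiger-direct.php",
        "http://50.97.253.170/",
        "http://www.tigerdirect.com/help/",
    ]:
        print(u, is_blocked(u, NETWORKS, DOMAINS))
```

Because the match walks up the parent chain, the list only needs the registered domain, not every throwaway subdomain the gang mints; the reason string records which entry fired, which is what you want in a proxy or DNS log when reviewing blocks.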

Tuesday, 6 August 2013

Malware sites to block 6/8/13

Following on from last week's list, this week seems to see a smaller number of servers and malicious domains from this crew.

5.175.191.124 (GHOSTnet, Germany)
24.173.170.230 (Time Warner Cable, US)
41.196.17.252 (Link Egypt, Egypt)
54.218.249.132 (Amazon AWS, US)
59.124.33.215 (Chunghwa Telecom, Taiwan)
61.36.178.236 (DACOM Corp, Korea)
68.174.239.70 (Time Warner Cable, US)
78.47.248.101 (Hetzner, Germany)
95.87.1.19 (Trakia Kabel OOD, Bulgaria)
114.112.172.34 (Worldcom Teda Networks Technology Co. Ltd, China)
140.116.72.75 (TANET, Taiwan)
182.72.216.173 (Cusdelight Consultancy SE, India)
190.85.249.159 (Telmex Colombia, Colombia)
202.197.127.42 (CERNET, China)
208.115.237.88 (Limestone Networks / 123Systems Solutions, US)
217.64.107.108 (Society Of Mali's Telecommunications, Mali)

5.175.191.124
24.173.170.230
41.196.17.252
54.218.249.132
59.124.33.215
61.36.178.236
68.174.239.70
78.47.248.101
95.87.1.19
114.112.172.34
140.116.72.75
182.72.216.173
190.85.249.159
202.197.127.42
208.115.237.88
217.64.107.108
abundanceguys.net
amods.net
annot.pl
autocompletiondel.net
avini.ru
badstylecorps.com
beachfiretald.com
cbstechcorp.net
crossplatformcons.com
datapadsinthi.net
dulethcentury.net
endom.net
exhilaratingwiki.net
exowaps.com
explicitlyred.com
fivelinenarro.net
flashedglobetrot.pl
frontrunnings.com
hdmltextvoice.net
housesales.pl
ignitedannual.com
includedtight.com
jdbcandschema.su
lhobbyrelated.com
magiklovsterd.net
onsespotlight.net
operapoland.com
ordersdeluxe.com
organizerrescui.pl
playtimepixelating.su
prgpowertoolse.su
relectsdispla.net
ringosfulmobile.com
scourswarriors.su
sludgekeychai.net
streetgreenlj.com
tagcentriccent.net
tagcentriccent.pl
wildgames-orb.net
zestrecommend.com
zukkoholsresv.pl

Tuesday, 30 July 2013

"Your password on Pinterest was Successfully modified!" spam / onsayoga.net

This fake Pinterest spam leads to malware on onsayoga.net:

Date:      Tue, 30 Jul 2013 11:17:28 -0500 [12:17:28 EDT]
From:      Pinterest [caulksf8195@customercare.pinterrest.net]
Subject:      Your password on Pinterest was Successfully modified!

A Few Updates...
[redacted]
  
[redacted]  

Changing your password is complete. Please use the link below within 24 hours. reset. Receive New Password to email.
  
Ask for a New Password  
            
Pinterest is a tool for collecting and organizing things you love.

This email was sent to [redacted].
Don’t want activity notifications? Change your email preferences.

©2013 Pinterest, Inc. | All Rights Reserved
Privacy Policy | Terms and Conditions

The link goes through a legitimate hacked site and then on to [donotclick]www.pinterest.com.onsayoga.net/news/pinterest-paswword-changes.php (report here) which is hosted on the following IPs:
95.111.32.249 (Megalan EAD, Bulgaria)
122.128.109.46 (Ximbo / CPCnet, Hong Kong)
209.222.67.251 (Razor Inc, US)

These IPs are controlled by this gang and form part of this large network of malicious IPs and domains. I recommend you use that list in conjunction with blocking onsayoga.net.

Malware sites to block 30/7/13

These sites and IPs are associated with this gang, and are either currently in use or they have been in use recently. The list has individual IPs and web hosts first, followed by a plain list of recommended items to block.

5.175.191.106 (GHOSTnet, Germany)
5.175.191.124 (GHOSTnet, Germany)
24.173.170.230 (Time Warner Cable, US)
24.188.19.227 (Optimum Online, US)
41.196.17.252 (Link Egypt, Egypt)
46.246.41.68 (Portlane Networks, Sweden)
50.97.253.162 (Softlayer Networks, US / ucvhost.com, India)
54.225.124.116 (Amazon AWS, US)
59.124.33.215 (Chunghwa Telecom, Taiwan)
59.160.69.74 (TATA Communications, India)
68.174.239.70 (Time Warner Cable, US)
69.60.115.92 (Colopronto, US)
75.147.133.49 (Comcast Business Communications, US)
78.47.248.101 (Hetzner, Germany)
88.86.100.2 (Supernetwork, Czech Republic)
88.150.191.194 (Redstation, UK)
89.145.185.121 (Yeni Telekom Internet Hizmetleri, Turkey)
89.163.170.134 (Unitedcolo, Germany)
91.200.13.16 (SKS-Lugan, Ukraine)
91.210.189.157 (Eqvia LLC, Ukraine)
95.87.1.19 (Trakia Kabel OOD, Bulgaria)
95.111.32.249 (Megalan EAD, Bulgaria)
108.170.32.179 (Secured Servers, US / tudohost, Spain)
109.123.125.68 (UK2.NET, UK)
114.112.172.34 (Worldcom Teda Networks Technology Co. Ltd, China)
120.124.132.123 (TANET, Taiwan)
122.128.109.46 (Ximbo / CPCnet, Hong Kong)
162.209.80.221 (Rackspace, US)
166.78.124.4 (Rackspace, US)
182.72.216.173 (Cusdelight Consultancy SE, India)
185.4.252.124 (Eaglenet, Lebanon)
185.10.200.89 (GBServers Ltd, UK)
188.132.213.115 (Mars Global Datacenter Services LLC, Turkey)
190.85.249.159 (Telmex Colombia, Colombia)
192.162.100.225 (MediaServicePlus Ltd, Russia)
192.162.102.225 (MediaServicePlus Ltd, Russia)
193.105.210.211 (FOP Budko Dmutro Pavlovuch, Ukraine)
193.105.210.212 (FOP Budko Dmutro Pavlovuch, Ukraine)
193.239.242.83 (TRN Telecom, Russia)
196.1.95.44 (Ensut-Computer Department, Senegal)
198.61.213.12 (Rackspace, US)
198.98.102.165 (Enzu Inc, US)
202.197.127.42 (CERNET, China)
208.115.114.68 (Wowrack, US)
208.115.237.88 (Limestone Networks / 123Systems Solutions, US)
209.222.67.251 (Razor Inc, US)
211.224.204.141 (Korea Telecom, Korea)

Recommended blocklist:
5.175.191.106
5.175.191.124
24.173.170.230
24.188.19.227
41.196.17.252
46.246.41.68
50.97.253.160/27
54.225.124.116
59.124.33.215
59.160.69.74
68.174.239.70
69.60.115.92
75.147.133.49
78.47.248.101
88.86.100.2
88.150.191.194
89.145.185.121
89.163.170.134
91.200.13.0/24
91.210.189.157
95.87.1.19
95.111.32.249
108.170.32.176/29
109.123.125.68
114.112.172.34
120.124.132.123
122.128.109.46
162.209.80.221
166.78.124.4
182.72.216.173
185.4.252.124
185.10.200.89
188.132.213.115
190.85.249.159
192.162.100.225
192.162.102.225
193.105.210.0/24
193.239.242.83
196.1.95.44
198.61.213.12
198.98.102.165
202.197.127.42
208.115.114.68
208.115.237.88
209.222.67.251
211.224.204.141
50plus-login.com
aa.com.reservation.viewfareruledetailsaccess.do.sai-uka-sai.com
acehheadline.net
aldenizturizm.com
allgstat.ru
annot.pl
antidoctorpj.com
aqua-thermos.com
astarts.ru
auditbodies.net
aurakeep.net
beachfiretald.com
bebomsn.net
blindsay-law.net
bnamecorni.com
boats-sale.net
buffalonyroofers.net
businessdocu.net
businessua.com
buycushion.net
casinocnn.net
cbstechcorp.net
centow.ru
chromeupd.pw
cirriantisationsansidd79.net
condaleunvjdlp55.net
condalinaradushko5.ru
condalininneuwu36.net
condalinneuwu37.net
condalnua745746.ru
condrskajaumaksa66.net
crossplatformcons.com
doorandstoned.com
dulethcentury.net
duzybiust.net
ehnihjrkenpj.ru
eliroots.ru
erminwanbuernantion20.net
ermitirationifyouwau30.net
evenyouseemeinmin49.net
explicitlyred.com
facebook.com.n.find-friends.oncologistoncology.net
firerice.com
foremostorgand.su
fulty.net
generationpasswaua40.net
goingtothestreetofive59.net
gormoshkeniation68.net
gotoraininthecharefare88.net
greenleaf-investment.net
gromovieotvodidiejj40.net
hdmltextvoice.net
heidipinks.com
hotkoyou.net
housesales.pl
independinsy.net
info-for-health.net
jessesautobody.net
jonkrut.ru
kennebunkauto.net
klermont.net
klwines.com.order.complete.prysmm.net
kneeslapperz.net
linkedin.com.e.v2.kennebunkauto.net
links.emails.bmwusa.com.open.pagebuoy.net
locavoresfood.net
lsstats.ru
made-bali.net
medusascream.net
metanoiaonline.com
microsoftnotification.net
mifiesta.ru
mobile-unlocked.net
modshows.net
moonopenomy.com
motobrio.net
neplohsec.com
ns3.ozyurtdesign.com
ns4.ozyurtdesign.com
nvufvwieg.com
oncologistoncology.net
onemessage.verizonwireless.com.verizonwirelessreports.com
ontria.ru
organizerrescui.pl
oydahrenlitu346357.ru
pagebuoy.net
paypal.com.us.planetherl.net
playtimepixelating.su
prgpowertoolse.su
privat-tor-service.com
prothericsplk.com
prysmm.net
quill.com.account.settings.managemyaccount.moonopenomy.com
quipbox.com
relectsdispla.net
renouveaugatinois.com
saberig.net
sai-uka-sai.com
scourswarriors.su
secureprotection5.com
sendkick.com
sensetegej100.com
sludgekeychai.net
templateswell.net
thegalaxyatwork.com
thosetemperat.net
thybrothers.net
tintencenter.net
tor-connect-secure.com
tvblips.net
u-janusa.net
usergateproxy.net
verizonwirelessreports.com
viperlair.net
vip-proxy-to-tor.com
vitans.net
vivendacalangute.net
whitegocteenviet.com
wow-included.com
zestrecommend.com
zinvolarstikel.com
zukkoholsresv.pl

Monday, 22 July 2013

American Airlines spam / sai-uka-sai.com

This fake American Airlines spam leads to malware on www.aa.com.reservation.viewFareRuleDetailsAccess.do.sai-uka-sai.com:

From:     American.Airlines@aa.net
Date:     22 July 2013 17:22
Subject:     AA.com Itinerary Summary On Hold

Dear customer,

Thank you for making your travel arrangements on AA.com! Your requested itinerary is now ON HOLD. Details below.

To ensure that your reservation is not canceled you must complete the purchase of this reservation by clicking the “Purchase” button on this email, or by using the “View/Change Reservations” section on www.aa.com.


This reservation is on HOLD until July 22, 2013 11:59 PM CDT (Central Daylight Time) .

Record Locator: LEBBGM             Purchase


Passengers

   Isabella  Green
NOTE: This is not a ticket or electronic receipt
Carrier Flight
Number
Departing Arriving Cabin

Booking Code
Seats Meals
City Date & Time City Date & Time

AMERICAN AIRLINES OPERATED BY AMERICAN EAGLE AIRLINES
2879 SPS Wichita Falls July 24, 2013 10:50 AM DFW Dallas/ Fort Worth July 24, 2013 11:43 AM Economy

M
32A  Food For Purchase 

AMERICAN AIRLINES
1795 DFW Dallas/ Fort Worth July 24, 2013 12:35 PM IAH Houston July 24, 2013 01:43 PM Economy

M
23A 

AMERICAN AIRLINES
1690 IAH Houston July 26, 2013 02:20 PM DFW Dallas/ Fort Worth July 26, 2013 03:35 PM Economy

M
20C 

AMERICAN AIRLINES OPERATED BY AMERICAN EAGLE AIRLINES
3294 DFW Dallas/ Fort Worth July 26, 2013 04:20 PM SPS Wichita Falls July 26, 2013 05:10 PM Economy

M
27B  Food For Purchase 
Fare Summary
Average Fare per Person - 444.00 USD
Passenger Type Used in Pricing Fare per Person Additional Taxes and Fees per Person Total Price
1  Adult 442.90 USD 34.25 USD 490.95 USD
Total Price 495.49 USD
Merchandising Summary
Flight Number Seat Number Seat Price Taxes Total Price
2879 0.00 USD 0.00 USD 0.00 USD
1795 14.00 USD 1.05 USD 15.05 USD
1690 14.00 USD 1.05 USD 15.05 USD
3294 0.00 USD 0.00 USD 0.00 USD
Total Price 30.10 USD
  Purchase
Please note the following:
 • View Fare rules.
 • Fares are only guaranteed up to 24 hours.
 • Additional foreign taxes may apply.
 • Additional fees may also apply for tickets not purchased through AA.com.


This is not the itinerary receipt that is required for identification purposes at the airport check-in. That receipt will be furnished upon purchase of this reservation.

In order to proceed to your gate you must present a government issued photo I.D. and either your boarding pass or a priority verification card at the screening security checkpoint.

If you are not a resident of the U.S., U.K., Canada or select countries in Latin America and the Caribbean, tickets must be purchased at an American Airlines ticketing location/airport, or by calling an American Airlines International Reservations office. Flights booked on carriers other than American Airlines, American Eagle® or AmericanConnection® are on a request basis only.

You've got payment options at AA.com! Make your dream vacation come true with the Fly Now Payment Plan, speed through checkout with PayPal, or use electronic checks to pay directly from your checking account. You can also pay in cash at participating Western Union locations or use a credit/debit card. Available payment options may vary by country.

The link in the email goes through a legitimate hacked site and ends up on a malware landing page at [donotclick]www.aa.com.reservation.viewFareRuleDetailsAccess.do.sai-uka-sai.com/news/american-airlines-hold.php (report here) hosted on the following IPs:


50.97.253.162 (Softlayer, US)
95.111.32.249 (Megalan / Mobitel EAD, Bulgaria)
188.134.26.172 (Perspectiva Ltd, Russia)
209.222.67.251 (Razor Inc, US)

The WHOIS details for that domain are the characteristically fake ones associated with this gang:
        Michael Fenwick freehotjob@yahoo.com
        21 Fredricksburg Court
        State College
        PA
        16803
        US
        Phone: +1.8144411445




Recommended blocklist:

Tuesday, 2 July 2013

Malware sites to block 2/7/13

These sites belong to this gang and house exploit kits and other nastiness. I've broken the list down into three sections: IPs and web hosts, plain IPs (for copy and pasting) and malware domains. The domains change on a regular basis, the IPs less frequently, so the IPs are probably the best things to block.

37.123.103.159 (Salay Telekomunikasyon, Turkey)
38.64.161.163 (Stratonexus Technologies Corp, Canada)
58.196.7.174 (CERNET, China)
77.237.190.22 (Parsun Network Solutions, Iran)
77.240.118.69 (Acens Technologies, Spain)
78.108.86.169 (Majordomo LLC, Russia)
85.214.53.47 (Strato AG, Germany)
87.255.149.99 (Societe Francaise du Radiotelephone, France)
88.81.239.98 (Top Net PJSC, Ukraine)
88.86.100.2 (Supernetwork, Czech Republic)
89.248.161.148 (Ecatel, Netherlands)
95.111.32.249 (Mobitel EAD, Bulgaria)
98.223.199.185 (Comcast Communications, US)
108.174.61.198 (FTN Services, US)
108.177.140.2 (Nobis Technology Group, US)
113.161.207.101 (VietNam Post and Telecom Corporation, Vietnam)
114.4.27.219 (IDIA Kantor Arsip, Indonesia)
114.130.5.145 (MANGO CA Service, Bangladesh)
119.147.137.31 (China Telecom, China)
120.124.28.131 (TANet, Taiwan)
124.232.165.52 (China Telecom, China)
134.159.143.12 (Telstra Telewhite, Hong Kong)
140.122.184.45 (TANet, Taiwan)
140.135.112.169 (TANet, Taiwan)
151.155.25.111 (Novell, US)
172.245.216.69 (Colocrossing, US)
172.246.122.110 (Enzu Inc, US)
173.232.105.66 (Blue Deals Fly, US)
174.140.166.239 (Directspace, US)
176.67.10.163 (McLaut ISP, Ukraine)
178.211.46.123 (Radore Veri Merkezi Hizmetleri, Turkey)
181.54.174.204 (Telmex Colombia, Colombia)
186.103.163.222 (Telefonica Empresas, Chile)
186.227.53.43 (Via Cabo Provedor de Internet e Informática, Brazil)
188.32.153.31 (National Cable Networks, Russia)
188.120.235.236 (TheFirst-RU, Russia)
189.1.144.243 (Silva & Silveira, Brazil)
195.241.208.160 (Koninklijke / Tiscali / Telfort, Netherlands)
198.46.136.86 (New Wave NetConnect, US)
202.56.170.28 (Ning Internet, Indonesia)
203.80.17.155 (MYREN, Malaysia)
203.185.97.126 (ThaiSARN, Thailand)
208.81.165.252 (Gamewave Hongkong Holdings, US)
210.42.103.141 (CERNET, China)

Tuesday, 22 January 2013

Cheeky exploit kit on avirasecureserver.com

What is avirasecureserver.com? Well, it's not Avira, that's for sure. It is in fact a server for the Blackhole Exploit Kit.

This site is hosted on 82.145.57.3, an Iomart / Rapidswitch IP that appears to have been reallocated to:
person:         Dimitar Kolev
address:        QHoster Ltd
address:        Apt 1859
address:        Chynoweth House
address:        Trevissome Park
address:        Truro
address:        TR4 8UN
address:        GB
phone:          +13232180069
abuse-mailbox:  abuse@qhoster.com
nic-hdl:        DK5560-RIPE
mnt-by:         RAPIDSWITCH-MNT
source:         RIPE # Filtered


Trevissome Park is a small business park in Cornwall; there certainly isn't a building with over 1000 apartments there, so we can assume that "Apt" is a euphemism for a post box. There's also no company in the UK called QHoster Ltd. In fact, if we check the QHoster.com domain we can see that it is a Bulgarian firm:

    QHoster Ltd.
    Dimitar Kolev        (domains@qhoster.net)
    27 Nikola D. Petkov Str.
    Sevlievo
    Gabrovo,5400
    BG
    Tel. +359.898547122
    Fax. +359.67535954

QHoster has an IP block of 82.145.57.0/25 suballocated to it. A quick poke around indicates not much of value in this range, so you may want to consider blocking the /25 as a precaution.



Sunday, 3 June 2012

"Digg Verification" spam / dietpilldrugstore.com

This spam appears to be from Digg, but it leads to a fake pharmacy. It could easily be adapted to distribute malware though, and this is the first time that I have seen a fake Digg message such as this.

From: Digg [mailto:noreply@e.digg.com]
Sent: Sun 03/06/2012 13:00
Subject: Digg Verification


  Problem viewing this email?
View it in your browser.
Hi xxxxxx@xxx.xxx
Thank you for registering with us at Facebook social sharing. We look forward to seeing you around the site.

Now your friends can see what you're reading around the web. Also you can add or delete any article from your activity. Click the Social button to turn this off.

What is Facebook Social Share?

Share your Digg experience with your Facebook friends. Let your friends see what you're reading as you discover the best news around the web.

The email looks pretty convincing, but the link in it is a redirector to a bogus pharmacy site at dietpilldrugstore.com on 94.155.49.57 (ITD Network, Bulgaria). That IP address hosts a number of other fake pharma sites (listed below) and is probably worth blocking.

Wednesday, 21 December 2011

b*redret.ru domains to block (updated)

Another set of "Redret" domains, the b*redret.ru series is used in malware distribution. It has some new IP addresses since the last time.

89.208.34.116 (Digital Network JSC Russia aka DINETHOSTING. Block 89.208.32.0/19 as it is all toxic)
baredret.ru
biredret.ru
bvredret.ru

91.228.133.120 (Inter-Treyd LLC, Russia. Recommend blocking 91.228.133.0/24)
blredret.ru
bsredret.ru

94.199.51.108 (23VNet Hungary)
bkredret.ru
bpredret.ru
bxredret.ru
byredret.ru

95.163.89.193 (Digital Network JSC Russia. Block 95.163.0.0/16 or 95.163.64.0/19)
bbredret.ru
bcredret.ru
bdredret.ru
beredret.ru
bfredret.ru
bgredret.ru
bhredret.ru

95.163.89.200 (Digital Network JSC Russia)
bwredret.ru
bzredret.ru

No IP at present
bjredret.ru
bmredret.ru
bnredret.ru
bqredret.ru
brredret.ru
btredret.ru
buredret.ru

Tuesday, 20 December 2011

"Scan from a Xerox WorkCentre Pro" / cfredret.ru

This is a fairly common malware spam, pointing to malicious code on cfredret.ru/main.php.

Date:      Tue, 20 Dec 2011 05:42:20 +0300
From:      victimname@gmail.com
Subject:      Re: Fwd: Re: Scan from a Xerox WorkCentre Pro #2966272

A Document was sent to you using a Xerox WKC1296130.



Sent by: SHIRLEY
Images : 5
Image (.JPEG) Download

Device: UM85256LL6P68270479



bfe116b5-7dcccccc

cfredret.ru is hosted on 78.47.193.36, exactly the same IP address as this BBB-themed malware spam. Blocking access to 78.47.198.32/29 is a fabulous idea if you can.

BBB Spam / blumtam.com

More BBB spam, this time attempting to deliver users to a malicious payload on blumtam.com. A couple of samples:

Date:      Tue, 20 Dec 2011 00:34:38 -0800
From:      "BBB" [alerts@bbb.org]
Subject:      Re: your customer's complaint ID 82235322
Attachments:     betterbb_logo.jpg

Attention: Owner/Manager

Here with the Better Business Bureau would like to inform you that we have been sent a complaint (ID 82235322) from a customer of yours in regard to their dealership with you.

Please open the COMPLAINT REPORT below to obtain the details on this case and let us know of your position as soon as possible.

We hope to hear from you shortly.

Kind regards,

Fernando Grodhaus

Dispute Counselor
Better Business Bureau


Council of Better Business Bureaus
4200 Wilson Blvd, Suite 800
Arlington, VA 22203-1838
Phone: 1 (703) 276.0100
Fax: 1 (703) 525.8277
and
Date:      Tue, 20 Dec 2011 11:09:23 +0200
From:      "BBB" [alerts@bbb.org]
Subject:      BBB case ID 59988329
Attachments:     betterbb_logo.jpg

Hello,

Here with the Better Business Bureau would like to notify you that we have been filed a complaint (ID 59988329) from a customer of yours related to their dealership with you.

Please open the COMPLAINT REPORT below to view more information on this matter and let us know of your opinion as soon as possible.

We are looking forward to hearing from you.

Faithfully,

Theresa Morris

Dispute Counselor
Better Business Bureau


Council of Better Business Bureaus
4200 Wilson Blvd, Suite 800
Arlington, VA 22203-1838
Phone: 1 (703) 276.0100
Fax: 1 (703) 525.8277

Payload is on blumtam.com/main.php?page=69dbd5a1e3ed6ae9 hosted on 78.47.198.36, a Hetzner AG address suballocated to an outfit called QHoster Ltd in Bulgaria. Blocking access to 78.47.198.32/29 would probably be prudent.
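As an added example (not the blog's own code), here is a small Python triage helper that ties together two things the posts above recommend: blocking whole suballocated ranges such as the QHoster /25 and the 78.47.198.32/29, and spotting lookalike hostnames that put a real brand domain in front of someone else's domain (the aa.com.reservation...sai-uka-sai.com pattern). The CIDR ranges, IPs and hostnames come from the posts; the brand list and the two-label approximation of the registrable domain are my assumptions.

```python
import ipaddress

# Ranges the posts above recommend blocking (values taken from the page).
BLOCKED_RANGES = [ipaddress.ip_network(n) for n in (
    "82.145.57.0/25",    # QHoster suballocation at Iomart / Rapidswitch
    "89.208.32.0/19",    # Digital Network JSC aka DINETHOSTING
    "91.228.133.0/24",   # Inter-Treyd LLC
    "95.163.64.0/19",    # Digital Network JSC
    "78.47.198.32/29",   # Hetzner range suballocated to QHoster
)]

# Assumed brand list: domains the lookalike hostnames on this page borrow as a prefix.
BRANDS = ("aa.com", "paypal.com", "verizonwireless.com",
          "marriott.com", "ups.com", "irs.gov")


def blocking_range(ip, ranges=BLOCKED_RANGES):
    """Return the recommended CIDR that covers ip, or None if none does."""
    addr = ipaddress.ip_address(ip)
    for net in ranges:
        if addr in net:
            return str(net)
    return None


def registrable_domain(hostname):
    """Approximate the owner's domain as the last two labels.

    Assumption: no public-suffix list, so suffixes like co.uk are not handled.
    """
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def spoofed_brand(hostname, brands=BRANDS):
    """Return the brand whose domain appears as a run of leading labels on a
    hostname that is actually registered under someone else's domain."""
    labels = hostname.lower().rstrip(".").split(".")
    if ".".join(labels[-2:]) in brands:
        return None          # genuinely under the brand's own domain
    prefix = labels[:-2]     # everything left of the registrable domain
    for brand in brands:
        b = brand.split(".")
        for i in range(len(prefix) - len(b) + 1):
            if prefix[i:i + len(b)] == b:
                return brand
    return None


def triage(hostname, ip):
    """Collect the reasons a defender would log for blocking hostname/ip."""
    reasons = []
    net = blocking_range(ip)
    if net:
        reasons.append(f"{ip} is inside recommended block range {net}")
    brand = spoofed_brand(hostname)
    if brand:
        reasons.append(f"{hostname} impersonates {brand} "
                       f"(registrable domain is {registrable_domain(hostname)})")
    return reasons
```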