Sponsored by..

Showing posts with label Canada. Show all posts
Showing posts with label Canada. Show all posts

Monday 8 April 2013

"Kissinger: Thatcher's strong beliefs" spam / ighjaooru.ru

It didn't take long for the Margaret Thatcher themed malware to start after her death. This one leads to malware on ighjaooru.ru:

From: messages-noreply@bounce.linkedin.com [mailto:messages-noreply@bounce.linkedin.com] On Behalf Of Josefa Jimenez via LinkedIn
Sent: 08 April 2013 05:41
Subject: Fwd: Re: Kissinger: Thatcher's strong beliefs

Hi, bad news.
Kissinger: Thatcher's strong beliefs

The payload and associated domains and IPs are exactly the same as used in this attack.

"M&I Bank bankruptcy" spam / ighjaooru.ru

I've never heard of M&I Bank but this is quite an old school spam campaign that leads to malware on ighjaooru.ru:

Date:      Mon, 8 Apr 2013 -01:41:06 -0800
From:      Coral Randolph via LinkedIn [member@linkedin.com]
Subject:      Re: Fwd: M&I Bank bankruptcy

Hi, bad news.

M&I Bank bankruptcy
The malicious payload is at [donotclick]ighjaooru.ru:8080/forum/links/column.php (report here) hosted on a whole load of IPs:
72.167.254.194 (GoDaddy, US)
80.246.62.143 (Alfahosting, Germany)
91.191.170.26 (Netdirekt, Turkey)
93.187.200.250 (Netdirekt, Turkey)
94.103.45.34 (ANKARAHOSTING, Turkey)
208.94.108.238 (Fibrenoire, Canada)

Blocklist:
72.167.254.194
80.246.62.143
91.191.170.26
93.187.200.250
94.103.45.34
208.94.108.238
hillaryklinton.ru
hiskinta.ru
humaniopa.ru
ifikangloo.ru
ifinaksiao.ru
ighjaooru.ru
igionkialo.ru
ijsiokolo.ru
ilianorkin.ru
illuminataf.ru
imanraiodl.ru
imbrigilia.ru
itriopea.ru
ivanikako.ru
ixxtigang.ru
izamalok.ru
izjianokr.ru
iztakor.ru

Friday 5 April 2013

"Copies of Policies" spam / ifikangloo.ru

This spam leads to malware on ifikangloo.ru:

From: KaelSaine@mail.com [mailto:KaelSaine@mail.com]
Sent: 05 April 2013 11:43
Subject: Fwd: LATONYA - Copies of Policies

Unfortunately, I cannot obtain electronic copies of the SPII policy.

Here is the Package and Umbrella,

and a copy of the most recent schedule.


LATONYA Richmond, 
The link in the email leads to a legitimate hacked site and then on to [donotclick]ifikangloo.ru:8080/forum/links/column.php (report here) hosted on the same IPs used in this attack:
91.191.170.26 (Netdirekt, Turkey)
208.94.108.238 (Fibrenoire, Germany)

Blocklist:
91.191.170.26
208.94.108.238
ifikangloo.ru
ifinaksiao.ru
igionkialo.ru
ijsiokolo.ru
illuminataf.ru
imanraiodl.ru
itriopea.ru
ivanikako.ru
ixxtigang.ru
izamalok.ru
izjianokr.ru


"End of Aug. Statement" spam / ijsiokolo.ru

This fake invoice spam leads to malware on ijsiokolo.ru:
Date:      Fri, 5 Apr 2013 07:57:37 +0300
From:      "Account Services ups" [upsdelivercompanyb@ups.com]
Subject:      Re: End of Aug. Statement Required
Attachments:     Invoice_AF146989113.htm

Good morning,

I give you inovices issued to you per Feb. (Microsoft Internet Explorer format).

Regards

DAYLE PRIEST

=================

Date:      Fri, 5 Apr 2013 07:56:53 -0300
From:      "Tracking" [ups-account-services@ups.com]
Subject:      Re: FW: End of Aug. Stat.

Hallo,

I give you inovices issued to you per Feb. (Microsoft Internet Explorer format).

Regards

Mariano LEE 
The .htm attachment in the email leads to malware at [donotclick]ijsiokolo.ru:8080/forum/links/column.php (report here) hosted on:
91.191.170.26 (Netdirekt, Turkey)
208.94.108.238 (Fibrenoire, Germany)

Blocklist:
91.191.170.26
208.94.108.238
ifinaksiao.ru
igionkialo.ru
ijsiokolo.ru
illuminataf.ru
imanraiodl.ru
itriopea.ru
ivanikako.ru
ixxtigang.ru
izamalok.ru
izjianokr.ru

"Speech.doc" legal spam / itriopea.ru

This fake legal spam leads to malware on itriopea.ru:
Date:      Thu, 4 Apr 2013 07:44:02 -0500
From:      Malaki Brown via LinkedIn [member@linkedin.com]
Subject:      Fwd: Our chances to gain a cause are better than ever.

We conversed with the administration representatives, and if we acknowledge our non-essential contempt for the sake of their statistics increase , the key suit will be closed due to the lack of the state interest to the action. We have executed your elucidative text for the court. Please read it carefully and if anything in it disagrees with you, let us know.

Speech.doc 458kb


With respect to you
Malaki Brown

=====================

Date:      Thu, 4 Apr 2013 05:37:47 -0600
From:      Talisha Sprague via LinkedIn [member@linkedin.com]
Subject:      Re: Fwd: Our chances to gain a suit are higher than ever.

We talked to the administration representatives, and if we admit our minor infringements for the sake of their statistics increase , the main cause will be closed due to the lack of the government interest to the proceedings. We have executed your explicatory text for the court. Please read it carefully and if anything in it dissatisfies you, advise us.

Speech.doc 698kb


With Best Regards
Talisha Sprague

The attachment Speech.doc leads to a malicious payload is at [donotclick]itriopea.ru:8080/forum/links/column.php (report here) hosted on:
91.191.170.26 (Netdirekt, Turkey)
93.187.200.250 (Netdirekt, Turkey)
208.94.108.238 (Fibrenoire, Turkey)

Blocklist (including active nameservers):
62.76.40.244
62.76.41.245
91.191.170.26
93.187.200.250
109.70.4.231
188.65.178.27
199.66.224.130
199.191.59.60
208.94.108.238
ifinaksiao.ru
igionkialo.ru
illuminataf.ru
imanraiodl.ru
itriopea.ru
ivanikako.ru
ixxtigang.ru
izamalok.ru
izjianokr.ru

Thursday 4 April 2013

"British Airways" spam / igionkialo.ru

This fake British Airways spam leads to malware on igionkialo.ru:
Date:      Thu, 4 Apr 2013 10:19:48 +0330
From:      Marleen Camacho via LinkedIn [member@linkedin.com]
Subject:      British Airways E-ticket receipts
Attachments:     E-Receipt.htm



e-ticket receipt
Booking reference: UMA7760047
Dear,

Thank you for booking with British Airways.

Ticket Type: e-ticket
This is your e-ticket receipt. Your ticket is held in our systems, you will not receive a paper ticket for your booking.

Your itinerary is attached (Internet Exlplorer/Mozilla Firefox file)


Yours sincerely,

British Airways Customer Services

British Airways may monitor email traffic data and also the content of emails, where permitted by law, for the purposes of security and staff training and in order to prevent or detect unauthorised use of the British Airways email system.

British Airways Plc is a public limited company registered in England and Wales. Registered number: 69315274. Registered office: Waterside, PO Box 365, Harmondsworth, West Drayton, Middlesex, England, UB7 0GB.

How to contact us
Although we are unable to respond to individual replies to this email we have a comprehensive section that may help you if you have a question about your booking or travelling with British Airways.


If you require further assistance you may contact us

If you have received this email in error
This is a confidential email intended only for the British Airways Customer appearing as the addressee. If you are not the intended recipient please delete this email and inform the snder as soon as possible. Please note that any copying, distribution or other action taken or omitted to be taken in reliance upon it is prohibited and may be unlawful.

The attachment E-Receipt.htm leads to a malicious landing page at [donotclick]igionkialo.ru:8080/forum/links/column.php (report here) hosted on:
93.187.200.250 (Netdirekt, Turkey)
94.103.45.34 (ANKARAHOSTING, Turkey)
208.94.108.238 (Fibrenoire, Canada)

Blocklist:
93.187.200.250
94.103.45.34
208.94.108.238
hillaryklinton.ru
hiskinta.ru
humaniopa.ru
ifinaksiao.ru
igionkialo.ru
ilianorkin.ru
illuminataf.ru
imanraiodl.ru
imbrigilia.ru
ivanikako.ru
ixxtigang.ru
izamalok.ru
izjianokr.ru

Wednesday 3 April 2013

"Have you seen how much money has Cameron spent on his new movie?" spam / ixxtigang.ru

This old-fashioned spam leads to malware on ixxtigang.ru:

Date:      Wed, 3 Apr 2013 11:29:19 +0400
From:      LinkedIn Password [password@linkedin.com]
Subject:      I??�m shocked!

Have you seen how much money has Cameron spent on his new movie?
What a graphics, check out the trailer!
The malicous payload is at [donotclick]ixxtigang.ru:8080/forum/links/column.php (report here) hosted on the same IPs used in this attack:
93.187.200.250 (Netdirekt, Turkey)
94.103.45.34 (ANKARAHOSTING, Turkey)
208.94.108.238 (Fibrenoire, Canada)

Blocklist:
93.187.200.250
94.103.45.34
208.94.108.238
izamalok.ru
imbrigilia.ru
humaniopa.ru
hiskinta.ru
illuminataf.ru
ilianorkin.ru
hillaryklinton.ru
izjianokr.ru
ivanikako.ru
ixxtigang.ru

eFax spam / ivanikako.ru

This fake eFax spam leads to malware on ivanikako.ru:

From: Global Express UPS [mailto:admin@ups.com]
Sent: 02 April 2013 21:12
Subject: Efax Corporate

Fax Message [Caller-ID: 189609656]

You have received a 40 pages fax at Wed, 3 Apr 2013 02:11:58 +0600, (708)-009-8464.

* The reference number for this fax is [eFAX-698329221].

View attached fax using your Internet Browser.

________________________________________
© 2013 j2 Global Communications, Inc. All rights reserved.
eFax Ž is a registered trademark of j2 Global Communications, Inc.

This account is subject to the terms listed in the eFax Ž Customer Agreement. 
The malicious payload is at [donotclick]ivanikako.ru:8080/forum/links/column.php (report here) hosted on:
93.187.200.250 (Netdirekt, Turkey)
94.103.45.34 (ANKARAHOSTING, Turkey)
208.94.108.238 (Fibrenoire, Canada)

Blocklist:
93.187.200.250
94.103.45.34
208.94.108.238
izamalok.ru
imbrigilia.ru
humaniopa.ru
hiskinta.ru
illuminataf.ru
ilianorkin.ru
hillaryklinton.ru
izjianokr.ru
ivanikako.ru

Friday 29 March 2013

"Please respond - overdue payment" spam / INVOICE_28781731.zip

This spam comes with a malware-laden attachment called INVOICE_28781731.zip:

Date:      Fri, 29 Mar 2013 10:33:53 -0600 [12:33:53 EDT]
From:      Victor_Lindsey@key.com
Subject:      Please respond - overdue payment

Please find attached your invoices for the past months. Remit the payment by 02/04/2013
as outlines under our "Payment Terms" agreement.

Thank you for your business,

Sincerely,
Victor Lindsey

This e-mail has been sent from an automated system.  PLEASE DO NOT REPLY.

The information contained in this message may be privileged, confidential and protected
from disclosure. If the reader of this message is not the intended recipient, or an
employee or agent responsible for delivering this message to the intended recipient, you
are hereby notified that any dissemination, distribution or copying of this communication
is strictly prohibited. If you have received this communication in error, please notify
your representative immediately and delete this message from your computer. Thank you. 
Unzipping the attachment gives a malware filed called INVOICE_28781731.exe with an icon to look like a PDF file. VirusTotal detections are 16/46 and are mostly pretty generic. Comodo CAMAS reports a callback to topcancernews.com hosted on 199.19.212.149 (Vexxhost, Canada) which is also being used in this malware attack. Looking for that IP in your logs might show if any of your clients.

Wednesday 14 November 2012

promotesmetasearch.net promotes malware

From the WeAreSpammers blog:

This looks like a fake get-rich-quick scam email which is actually intended to distribute malware.

Originating IP is 5.39.101.233 (OVH, Germany). Spamvertised domains are 8mailer.com on 5.39.101.225 (OVH, Germany) and promotesmetasearch.net on 46.249.38.27 (Serverius Holding, Netherlands).

This last one is kind of interesting, because a) it's all in French and b) it contains a virus. The malware attempts to download an exploit kit from [donotclick]vodkkaredbuuull.chickenkiller.com/trm/requesting/requesting-pass_been_loaded.php which is kind of unfriendly, hosted on the same IP address.

The WHOIS details show a completely different name and address from the one quoted on the email:

    Florence Buker
    florence_buker05@rockfan.com
    7043 W Avenue A4
    93536 Lancaster
    United States
    Tel: +1.4219588211

Clearly the owner of promotemetasearch.net is up to no good, and I would suggest the Anthony Tomei connection might well be completely bogus.

From: Anthony Tomei admin@8mailer.com
Reply-To: info@promotesmetasearch.net
To: donotemail@wearespammers.com
Date: 14 November 2012 18:22
Subject: launch of

Dear Future Millionaire,

Making $100,000 per month is not hard. In fact, there are 2 ways you accomplish this easy task of making money in a short period of time.

The first way is to...

Click HERE for the complete article>

Anthony Tomei is an Expert Internet Network Marketer. Anthony is known as the Master Marketer and practically gives away all of his secrets, methods and marketing techniques.

This email was sent by Promotes Metasearch, 710 E. Steve Wariner Dr., Vancouver, BC g1x3h4
Click here to unsubscribe
You should probably regard the domain chickenkiller.com as compromised and blog it. Additionall, allt he following IPs and domains are related and a probably malicious.

46.249.38.21
46.249.78.23
46.249.38.27
deficiencieshiss.net
personaloverly.net
spaceyourfilesbig.chickenkiller.com
vodkkaredbuuull.chickenkiller.com
firefoxslacker.pro
personaloverly.net
wowteammy113.org
logicalforced.org
flashkeyed.org
incidentindie.org
sufficeextensible.org
laughspadstyle.org
check-update.org
softtwareupdate.org
internallycontentchecking.org
cordlesssandboxing.org
westsearch.org
perclickbank.org
trayscoffeecup.org
agreedovetails.org
commencemessengers.org
dfgs453t.org
disappointmentcontent.org
whiskeyhdx.org
uhgng43fgjl82309dfg99df1.com
rethnds732.com
odiushb327.com
a6q7.com
makosl.com
noticablyccleaner.com
leisurelyadventures.com
invitedns.com
srv50.in
flacleaderboard.in
frwdlink.in
tgy56fd3fj.firm.in
warrantynetwork.co.in
kclicksnet.in
reelshandsoff.info
scatteredavtestorg.info
ap34.pro
trafficgid.pro
stop2crimepeople.pro
huge4floorhouse.pro
exportlite.pro
weeembedding.pro
layer-grosshandel.pro
firefoxslacker.pro
s1topcrimefor.pro
opera-soft.pro
brauser-soft.pro
mp3soft.pro
pornokuca.net
licencesoftwareupda.net
settlementstored.net
licencesoftwareuppd.net
compartmentalizationwere.net
seniorhog.net
coinbatches.net
isnbreathy.net
mrautorun.ru
askedvisor.ru
srv50.biz
vimeosseeing.biz
threatwalkthrough.biz
promotemetasearch.net

Monday 22 October 2012

"Copies of Policies" spam / fidelocastroo.ru

This spam leads to malware on fidelocastroo.ru:

Date:      Mon, 22 Oct 2012 08:05:10 -0500
From:      Twitter [c-FG6SPPPCGK63=D8154Z4.8N4-6042f@postmaster.twitter.com]
Subject:      RE: Charley - Copies of Policies.

Unfortunately, I cannot obtain electronic copies of the Ocean, Warehouse or EPLI policy.

Here is the Package and Umbrella,

and a copy of the most recent schedule.


Charley HEALY,

The malicious payload is on [donotclick]fidelocastroo.ru:8080/forum/links/column.php hosted on the following IPs:

68.67.42.41 (Fibrenoire, Canada)
79.98.27.9 (Interneto Vizija, Lithunia)
190.10.14.196 (RACSA, Costa Rica)
202.3.245.13 (MANA, French Polynesia)
203.80.16.81 (MYREN, Malaysia)
209.51.221.247 (eNET, US)

Plain list for copy and pasting:
68.67.42.41
79.98.27.9
190.10.14.196
202.3.245.13
203.80.16.81
209.51.221.247

Blocking these IPs should prevent any other attacks on the same server.


Monday 15 October 2012

"Copies of Policies" spam / linkrdin.ru

Another "Copies of Policies" spam, this time leading to malware on linkrdin.ru:

From: [support@victimdomain.com]
Date: 15 October 2012 07:15
Subject: RE: SANTOS - Copies of Policies.


Unfortunately, I cannot obtain electronic copies of the Ocean, Warehouse or EPLI policy.

Here is the Package and Umbrella,
and a copy of the most recent schedule.

The malicious payload is on [donotclick]linkrdin.ru:8080/forum/links/column.php (report here) hosted on the same IPs as this spam:

68.67.42.41 (Fibrenoire, Canada)
79.98.27.9 (UAB Interneto Vizija, Lithunia)
203.80.16.81 (MYREN, Malaysia)

Tuesday 14 February 2012

NACHA Spam / biggestloop.com

Another NACHA spam leading to a malicious payload, this time on biggestloop.com.

Date:      Tue, 13 Feb 2012 19:06:18 +0100
From:      "The Electronic Payments Association"
Subject:      Your ACH transfer
Attachments:     nacha_logo.jpg

The ACH transaction (ID: 54525654754524), recently initiated from your bank account (by you or any other person), was canceled by the other financial institution.

Rejected transaction
Transaction ID:     54525654754524
Rejection Reason     See details in the report below
Transaction Report     report_54525654754524.doc (Microsoft Word Document)

13450 Sunrise Valley Drive, Suite 100

Herndon, VA 20171

2011 NACHA - The Electronic Payments Association

I can't believe that there is a person in the world receiving this who will not have received hundreds of versions of the same thing before, but the spammers continue. The malicious payload is at biggestloop.com/main.php?page=27f6207e33edeeca (analysis here) on 206.214.68.57 (B2Net Solutions, Canada). Block the IP if you can. Better still, write some filters for your email system to keep the things far, far away.

Monday 12 December 2011

BBB Spam / eryirs.com

This is the second BBB malware spam run of the day, with a new domain and IP address.

Date:      Mon, 12 Dec 2011 14:10:59 +0100
From:      "service@bbb.org" [service@bbb.org]
Subject:      BBB assistance Re: Case # 52010425
Attachments:     main_logo.jpg

Attn: Owner/Manager
The Better Business Bureau has been sent the above mentioned complaint from one of your clients on the subject of their business relations with you.
The detailed information about the consumer's concern is contained in attached file.
Please examine this question and let us know about your opinion.
We encourage you to click here to reply this complaint.

We look forward to your urgent response.

Faithfully yours,
Roland Dani
Better Business Bureau


Council of Better Business Bureaus
4200 Wilson Blvd, Suite 800
Arlington, VA 22203-1838
Phone: 1 (703) 276.0100
Fax: 1 (703) 525.8277

The malicious payload is eryirs.com/main.php?page=69dbd5a1e3ed6ae9 which is hosted on 67.211.195.169 (Arima Networks, Canada). Blocking access to 67.211.195.169 is probably a good idea in case there are other malicious sites on the server.

The no-doubt-fake WHOIS details for the domain are:

Damian Masuicca
Damian Masuicca
damott st
lacona
NY
13083
US
Phone:         +1.2022392869
Email Address: stopgop@ymail.com

Saturday 26 November 2011

Fake jobs: working-ca.com

Another fake job domain, working-ca.com seems to be part of this long-running scam. I hadn't spotted this one before, so thanks to our reader who sent it in. Note that this is not connected with the legitimate site WorkingCA.com . The jobs offered are actually illegal activities such as money laundering.


Hello, We have an excellent opportunity for an apprentice applicant to
join a rapidly expanding company.

An at home Key Account Manager Position is a great opportunity for stay
at home parents
or anyone who wants to work in the comfort of their own home.

This is a part time job / flexible hrs for Canadians only,This is in
view of our not having a branch office presently in Canada,
also becouse of paypal and ebay policies wich is prohibit to work
directly with residents of some countries.

Requirements: computer with Internet access, valid email address, good
typing skills.
If you fit the above description and meet the requirements, please apply
to this ad stating your location.

You will be processing orders from your computer. How much you earn is
up to you.
The average is in the region of CA$750- CA$1000 per week, depending on
whether you work full or part time.

Region: Canada only.

If you would like more information, please contact us stating where you
are located and our job reference number - 70570-868/4HR.
Please only SERIOUS applicants.

If you are interested, please reply to: Weldon@working-ca.com

and

Hello, We have an excellent opportunity for an apprentice applicant to
join a rapidly expanding company.

An at home Key Account Manager Position is a great opportunity for stay
at home parents
or anyone who wants to work in the comfort of their own home.

This is a part time job / flexible hrs for Canadians only,This is in
view of our not having a branch office presently in Canada,
also becouse of paypal and ebay policies wich is prohibit to work
directly with residents of some countries.

Requirements: computer with Internet access, valid email address, good
typing skills.
If you fit the above description and meet the requirements, please apply
to this ad stating your location.

You will be processing orders from your computer. How much you earn is
up to you.
The average is in the region of CA$750- CA$1000 per week, depending on
whether you work full or part time.

Region: Canada only.

If you would like more information, please contact us stating where you
are located and our job reference number - 35097-781/2HR.
Please only SERIOUS applicants.

If you are interested, please reply to: Tristan@working-ca.com


The registrant details for the domain are probably fake, but here they are anyway:

Kevin Tesalo
    Email: kevintesalo@yahoo.fr
    Organization: Kevin Tesalo
    Address: 2 avenue des Beguines
    City: Cergy Saint Christophe
    State: Cergy Saint Christophe
    ZIP: 95811
    Country: FR
    Phone: +33.124335612 

Thursday 20 October 2011

Fake jobs: canada-newjob.com, netherlandjobb.com and newjobrecruit.com

Another bunch of domains being used to peddle fake jobs:

canada-newjob.com
netherlandjobb.com
newjobrecruit.com

These domains form part of this long running scam. You may find that the emails appear to come from your own email address (here's why).

The domain registrant details are no doubt fake:

    Adolf Nureng
    Email: adolfnureng@yahoo.dk
    Organization: Adolf Nureng
    Address: Spellingevej 3 Ro
    City: Gudhjem
    State: Gudhjem
    ZIP: 3703
    Country: DK
    Phone: +45.70225632

The jobs offered will actually be criminal activities such as money laundering. If you have any examples of emails using these domains, please consider sharing them in the Comments. Thanks!

Here is one example:

Date: 20 October 2011 13:17
Subject: Huidige vacature

Wij werven aan!

Wij bieden part-time of full-time posities in de EU.
Momenteel is onze team van specialisten is het ontwikkelen van vooruitstrevende en innovatieve
manier van samenwerking met onze klant dus breiden we ons netwerk van vertegenwoordigers in heel Europa.

Wij bieden volledig betaalde trainingen om u te begeleiden door uw werk, competitief salaris,
vrij werk schema en andere voordelen die uw samenwerking met ons zeer aangenaam.
Wilt u bij ons bedrijf te sluiten, moet u ervoor zorgen dat u houdt de Europese verblijf
en je bezit een sterk verlangen om te werken.

Als je eenmaal hebt besloten om ons aan te sluiten, gelieve ons dan uw contactgegevens
en wij nemen zo spoedig contact met u op om een interview te plannen.

Onze contactgegevens: Rolland@netherlandjobb.com

Hartelijk dank voor uw interesse!

In this case, the email originated from 178.172.136.117 in Belarus.

Wednesday 5 October 2011

Fake jobs: all-cajobs.com, all-ukjobs.com and alleur-positions.com

Here we go again.. three new domains that form part of this long-running scam.

all-cajobs.coma
all-ukjobs.com
alleur-positions.com

The "jobs" offered are actually illegal activities such as money laundering. You may note that the email appears to come from yourself (here's why).

The domains are registered to a no-doubt fake registrant:

    Hose Sanches
    Email: hosesancges@yahoo.com
    Organization: Hose Sanches
    Address: Campo Grande, 83 1749-812
    City: Lisboa
    State: Lisboa
    ZIP: 1749-812
    Country: PT
    Phone: +35.1217982140

If you have any examples of emails soliciting replies to these domains, please consider sharing them in the Comments. Thanks!

Thursday 15 September 2011

Fake jobs: ca-jobcareer.com, uk-jobcareer.com and usa-jobcareer.com

Three new domains offering fake jobs, targeting US, UK and Canadian victims:

ca-jobcareer.com
uk-jobcareer.com
usa-jobcareer.com

The "jobs" on offer are typically money laundering and other illegal activities, and form part of this long running scam. The emails may appear to have been sent from your own account (here's why).

The domains were registered two days ago to "Alexey Kernel" in Kiev, although this is probably a fake name and address.

If you have samples of spam emails using these domains, please consider sharing them in the comments. Thanks!

Monday 1 August 2011

Fake jobs: careers-canada.com

One fake job domain today, and the scammers seem to have shifted to a new target - Canada. This time, the domain is careers-canada.com, registered only yesterday to the fictitious "Alexey Kernel" in the Ukraine.

The standard approach with these scammers is to spoof an email "from" the target's email address (don't worry if you see this, your email account has not been compromised) and the emails offer a variety of illegal jobs including money laundering. It forms part of this long-running scam.

If you have any examples of emails using this domain, please consider sharing them in the Comments.. thanks!

Saturday 26 March 2011

Mango Ideas / gsid.net is now clean

Just a quick note to say that Mango Ideas cleaned up their network from this incident which was possibly due to a reseller or perhaps a compromised server which is excellent news.