
Monday 15 September 2014

Inspiration Mining Corporation (T.ISM / ISM.TO) pump-and-dump spam

This pump-and-dump spam for Inspiration Mining Corporation (T.ISM) follows on from this recent spam run, but this time it is pushing it under a different stock ticker.
From:     YahooFinance Canada
Date:     15 September 2014 08:14
Subject:     Biggest Trade Of 2014

YahooFinance Canada
View this email in your browser
Hurry! Biggest Trade Of 2014

Hey [redacted]
I have a new stock recommendation for you.
The company is called inspirationmining and it's trading in canada under the symbol ISM. Currently it's priced at right under 10 cents but by next week it should hit 30 or 40 even. I know this because my wife's uncle is the geologist at the company and they literaly just struck gold.

Move quickly on this.
Copyright (c) 2014 YahooFinance Canada Monthly, All rights reserved.
You have been sent this email as a friend of the Monthly.

Our mailing address is:
The Monthly 37-39 Langridge St Collingwood, Victoria 3066 Australia
unsubscribe from this list update subscription preferences

According to reports here the shares were recently suspended due to the pump-and-dump run, which the company denies having anything to do with. However, my previous analysis is that the P&D run is (in my personal opinion) most likely being orchestrated by an existing major stockholder rather than someone buying into the stock in order to manipulate it.

The pump-and-dump spam does seem to have raised the stock price from about 7.5 cents to 10.5 cents [source], but the chances are that the stock is worth much closer to zero. Avoid.


UPDATE 2014-09-16:
More spam has turned up overnight:

From:     Financial Post | Canadian
Date:     16 September 2014 07:35
Subject:     ISM.TO Is Back In Position For A Huge Jump

Financial Post | Canadian Business News, Investing and Commentary


One Cent Alert That's Ready To Pop
Tuesday, 16th September 2014

    The only company that should be on your trading screen today
    This stock can double fast

the more you wait the more it'll cost you to pick up shares of InspiraitonMinnig Corporation ( ISM . TO on the canadian exchange). this junior miner has been soaring the last few weeks since their discovery of billions in precious metals on one of their properties. act fast before cheapies run out.




All content is (c) 2005 - 2014 Port Phillip Publishing Pty Ltd All Rights Reserved
To remove your name from Money Morning and associated external offers sent from Money Morning, click here.
Port Phillip Publishing
Attn: Money Morning
PO Box 713 South Melbourne VIC 3205
Tel: 1300 667 481 Fax: (03) 9558 2219

From:     NYTimes Finance
Date:     15 September 2014 17:01
Subject:     ISM.TO Alert: Possible +280pct Rally This Week

If you have trouble reading this email, please click here


Monday, September 15, 2014
Morning Report

Did you catch my report on already?  | Believe me when I tell you that this rare chance only comes once a year, if we're lucky. There is an amazing company trading on the canadian market called InspirtaionMiningCorp (symbol is ISM.TO) and they are sitting on hundreds of millions of precious metals reserves. From Copper to Gold and Silver. As they begin extracting them soon we expect investors to take notice and the share price to soar past a dollar!
About This Email

You received this message because you signed up for NYTimes.com's Finance Email newsletter. As a member of the Truste privacy program, we are committed to protecting your privacy.
Manage Subscriptions| Unsubscribe| Change Your Email| Privacy Policy| Contact| Advertise
Copyright 2014 | The New York Times Company |NYTimes.com 620 Eighth Avenue New York, NY 10018
From:     BNN Financial News
Date:     15 September 2014 21:57
Subject:     The Race Is On!

Update Profile / Unsubscribe

BNN - Business and Financial News, Analysis.
Good Morning Readers!

Did you catch my report already?

...as you can see my latest stokc tip is going up like never before. i told you to take a look at [-ISM.TO-] (inpsirationMining) trading on the canadian exchange and since i contacted you about it we have seen tremendous gains. that company is literaly sitting on gold and other precious metals. make sure to buy it before it goes nuts. 


Wednesday 11 June 2014

Fake RBS spam spreads malware via Cubby.com

This fake bank spam downloads malware from file sharing site cubby.com:

From:     Sammie Aaron [Sammie@rbs.com]
Date:     11 June 2014 12:20
Subject:     Important Docs

Please review attached documents regarding your account.

To view/download your documents please click here

Tel:  01322 215660
Fax: 01322 796957
email: Sammie@rbs.com

This information is classified as Confidential unless otherwise stated. 

The download location is [donotclick]www.cubby.com/pl/Document-772976_829712.zip/_e97c36c260ed454d8962503b18e37e86 which downloads a file Document-772976_829712.zip which in turn contains a malicious executable Document-772976_829712.scr which has VirusTotal detection rate of just 1/54.

Automated analysis tools [1] [2] [3] [4] show that it creates a file with the deceptive name googleupdaterr.exe and attempts to communicate with the following IPs:
85.25.148.6 (Intergenia AG, Germany)
192.99.6.61 (OVH, Canada)
217.12.207.151 (ITL Company, Ukraine)


Friday 28 March 2014

Something evil on 192.95.44.0/27 (OVH Canada)

192.95.44.0/27 (spotted by Frank Denis) is another evil OVH Canada netblock which I assume belongs to their black hat customer r5x.org / Penziatki although now OVH seem to be masking the customer details.

I can see the following active subdomains within this range, all of which can be assumed to be malicious:


I recommend that you apply the following blocklist:
192.95.44.0/27
accruespecialiste.ru
reachprotectione.ru
reachmape.ru
acquireconnectionse.ru

Thursday 20 March 2014

Evil network: OVH Canada / r5x.org / Penziatki (updated)

I've covered OVH Canada and their black hat customer r5x.org aka "Penziatki" before. They consistently host exploit kits, and the way that the bad hosts are spread over OVH's network looks like a deliberate attempt at snowshoeing.

The following blocks in the OVH range have hosted malware from this customer. Some of the IPs are identified through my own research, others through OSINT from others, notably Frank Denis, @ReverseChris and .


Given the large number of exploits, you might want to consider a larger pre-emptive block on the OVH Canada ranges if you are in a security-sensitive environment and can live with blocking some of the legitimate sites that OVH also host.

192.95.0.0/16
198.27.0.0/16
198.50.0.0/16


I'll try to keep this blog post updated with more bad OVH Canada ranges as they are brought to my attention. Please consider adding any new information to the Comments if you have some. Thanks!

Wednesday 19 March 2014

More OVH Canada hosted exploit kits

I've been a bit tardy with this look at the new OVH Canada ranges exposed by Frank Denis, so some of these domains may already be dead.

Yesterday Frank identified three new OVH Canada ranges being used to host the Nuclear EK; again the customer is "r5x.org / Penziatki":

198.50.212.116/30
198.50.131.220/30
192.95.40.240/30


Update: also 192.95.51.164/30 according to this Tweet.

A full list of everything I can find is here [pastebin] but the abused domains that I have identified are:



At a minimum I recommend that you block those IP ranges and/or domains.

Given the extremely poor reputation of these OVH Canada ranges, I would suggest blocking the following network ranges if you have a security-sensitive environment and are prepared to put up with the collateral damage of blocking some legitimate sites:
198.27.0.0/16
198.50.0.0/16
192.95.0.0/16

Monday 17 March 2014

Something evil on 192.95.6.196/30

Another useful tip by Frank Denis on evil in the OVH Canada IP ranges, suballocated to their black hat customer "r5x.org / Penziatki", this time on 192.95.6.196/30.

The following domains should be considered as dangerous and I would recommend blocking them as soon as possible:
shoalfault.ru
addrela.eu
backinl.org


A full list of the domains I can find in this /30 can be found here [pastebin].

Given the extremely poor reputation of these OVH Canada ranges, I would suggest blocking the following network ranges if you have a security-sensitive environment and are prepared to put up with the collateral damage of blocking some legitimate sites:
198.27.0.0/16
198.50.0.0/16
192.95.0.0/16

Something evil on 198.50.140.64/27

Thanks again to Frank Denis (@jedisct1) for this heads up involving grubby web host OVH Canada and their black hat customer "r5x.org / Penziatki" hosting the Nuclear EK in 198.50.140.64/27.

A full list of all the web sites I can find associated with this range can be found here, but the simplest thing to do is block 198.50.140.64/27 completely (or if you are paranoid about security and don't mind some collateral damage block 198.27.0.0/16 and 198.50.0.0/16).

Domains in use that I can identify are listed below, and I recommend you block all of them. Some are listed as malicious by Google and others as suspect by SURBL.

Recommended blocklist:


Thursday 13 March 2014

Evil network: OVH Canada / r5x.org / Penziatki

Note: a more up-to-date list can be found here.

Hat tip to Frank Denis (@jedisct1) for this report on Nuclear EKs hosted by OVH Canada via their infamous "Penziatki" customer, which is linked to black-hat host r5x.org. The following blocks have been identified as belonging to that customer and I would recommend that you block them:

198.27.114.16/30
198.27.114.64/27
198.50.186.232/30
198.50.186.236/30
198.50.186.252/30
198.50.231.204/30


OVH Canada have repeatedly hosted exploit kits for this customer, to the extent that I am suspicious that they have been compromised in some way. The following blocks have been identified as serving up malware in the recent past:


Obviously there is a problem here. If you are in a security-sensitive environment then you might simply want to block traffic to the following ranges:

198.27.0.0/16
198.50.0.0/16

Of course this will block many legitimate sites, but if stopping exploit kits is a priority over some user inconvenience then you may want to consider it. If you want a slightly more nuanced blocklist then these ranges contain the biggest concentration of malware:

198.27.114.0/24
198.50.172.0/24
198.50.186.0/24
198.50.197.0/24
198.50.231.0/24


OVH must be aware of the reputation of their customer. I wonder why they keep tolerating them on their network?



Friday 14 February 2014

Malware sites to block 14/2/14

This bunch of OVH Canada hosted nameservers and IP ranges is supporting malware distribution via the Nuclear Exploit Kit (as described here by Umbrella Labs).

OVH Canada have a long history with this bad actor (who I believe to be r5x.org), and these /29 and /30 blocks spread throughout OVH's range make it more difficult to block the IPs. Are OVH providing snowshoe malware distribution services? It does look like it. Perhaps OVH can prove me wrong by banishing this bad customer once and for all.
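The trade-off behind the snowshoe point made here, and behind the earlier post's "more nuanced blocklist" of /24s versus blocking a whole /16, can be put in numbers. The following is an added example (not code from the original post) that takes a handful of the /30 and /27 sub-allocations quoted in these posts, rolls them up to the enclosing /24 or /16, and counts how many addresses each broader block would cut off that were never shown to be bad; the helper names `summarise` and `is_blocked` are my own.

```python
# Added example (not from the original post): weighing a "nuanced" blocklist
# of enclosing /24s against a blunt /16 block, standard library only.
import ipaddress
from collections import defaultdict

# Sample of confirmed-bad OVH Canada sub-allocations quoted in the posts above.
BAD_BLOCKS = [
    "198.50.212.116/30",
    "198.50.131.220/30",
    "192.95.40.240/30",
    "192.95.51.164/30",
    "192.95.44.0/27",
]


def parse_blocks(cidrs):
    """Parse CIDR strings strictly: host bits set is an error, not silently masked."""
    return [ipaddress.ip_network(c, strict=True) for c in cidrs]


def enclosing_blocks(bad_blocks, prefixlen):
    """Group the bad blocks by the supernet of the given prefix length that contains them."""
    groups = defaultdict(list)
    for net in bad_blocks:
        groups[net.supernet(new_prefix=prefixlen)].append(net)
    return groups


def collateral(candidate, bad_blocks):
    """Addresses in candidate that lie outside every confirmed-bad block."""
    bad_inside = sum(n.num_addresses for n in bad_blocks if n.subnet_of(candidate))
    return candidate.num_addresses - bad_inside


def summarise(bad_cidrs, prefixlen):
    """Return [(supernet, bad_blocks_covered, collateral_addresses)] sorted by supernet.

    Snowshoe allocations show up here as many supernets each covering one bad block,
    which is exactly what makes a fine-grained blocklist expensive to maintain.
    """
    bad = parse_blocks(bad_cidrs)
    rows = []
    for supernet, members in sorted(enclosing_blocks(bad, prefixlen).items()):
        rows.append((str(supernet), len(members), collateral(supernet, members)))
    return rows


def is_blocked(ip, blocklist_cidrs):
    """True if ip falls inside any CIDR of the blocklist (a plain firewall lookup)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in parse_blocks(blocklist_cidrs))


if __name__ == "__main__":
    for prefixlen in (24, 16):
        print(f"--- enclosing /{prefixlen} blocks ---")
        for supernet, covered, extra in summarise(BAD_BLOCKS, prefixlen):
            print(f"{supernet:18} covers {covered} bad block(s), {extra} untainted addresses")
```

Each /24 costs roughly 250 unrelated addresses per bad /30, while a /16 covers several bad blocks at once but takes more than 65,000 addresses with it.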

First of all, we have a set of nameservers being used to support mostly .pw domains hosting the Nuclear EK. The nameservers I can see that are active are:


Those nameservers are hosted in the following ranges, exclusively supplied by OVH Canada. If you are in a security-sensitive environment then I would recommend using larger blocks.


I can see the following domains being actively supported by these nameservers, all of which should be considered hostile:




Monday 3 February 2014

Something evil on 192.95.43.160/28

More badness hosted by OVH Canada, this time 192.95.43.160/28, which contains pretty much the same set of evil described here. Here is a typical IP flagged by VirusTotal and a failed resolution by URLquery, which frankly give enough information to make it suspicious.

However, the key thing is the registrant details which have been used in many malware attacks before.

CustName:       Private Customer
Address:        Private Residence
City:           Penziatki
StateProv:     
PostalCode:     30000
Country:        RU
RegDate:        2014-01-24
Updated:        2014-01-24
Ref:            http://whois.arin.net/rest/customer/C04859116


I can see the following .pw domains active in this range:
basecoach.pw
crewcloud.pw
boomerangfair.pw
kickballmonsoon.pw
martialartsclub.pw
runningracer.pw


All those domains are flagged by Google as malicious and I recommend that you block them along with 192.95.43.160/28.

(Hat tip to my source, you know who you are!)

Something evil on 192.95.7.224/28

Another OVH Canada range hosting criminal activity: 192.95.7.224/28 is being used for several malicious .pw domains that distribute malware (as used in this attack). The malware domains seem to rotate through subdomains very quickly, possibly in an attempt to hinder analysis of their payload. This block is carrying out the same malicious activity that I wrote about a few days ago.

OVH have suballocated this IP block to an entity that I believe is connected with black hat host r5x.org.

CustName:       Private Customer
Address:        Private Residence
City:           Penziatki
StateProv:     
PostalCode:     30000
Country:        RU
RegDate:        2014-01-24
Updated:        2014-01-24
Ref:            http://whois.arin.net/rest/customer/C04859114


These IPs are particularly active:
192.95.7.232
192.95.7.233
192.95.7.234

There is nothing of value in this /28 block and I recommend that you block the entire IP range plus the following domains (which are all already flagged as being malicious by Google).

Recommended blocklist:



Friday 31 January 2014

Something evil on 192.95.10.208/28

192.95.10.208/28 (OVH, Canada) is being used to deliver exploit kits utilising .pw domains; for an example see this URLquery report. The following domains are being used in these attacks (although there may be more):


The IP forms part of a /28 block belonging to a known bad actor:
NetRange:       192.95.10.208 - 192.95.10.223
CIDR:           192.95.10.208/28
OriginAS:       AS16276
NetName:        OVH-CUST-413973
NetHandle:      NET-192-95-10-208-1
Parent:         NET-192-95-0-0-1
NetType:        Reassigned
RegDate:        2014-01-24
Updated:        2014-01-24
Ref:            http://whois.arin.net/rest/net/NET-192-95-10-208-1

CustName:       Private Customer
Address:        Private Residence
City:           Penziatki
StateProv:     
PostalCode:     30000
Country:        RU
RegDate:        2014-01-24
Updated:        2014-01-24
Ref:            http://whois.arin.net/rest/customer/C04859113


I believe that these IPs are connected with a black hat host r5x.org and IPs with these WHOIS details are very often used in exploit kit attacks. I would strongly recommend that you block 192.95.10.208/28 in addition to the domains listed above.
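Because the same ARIN customer record turns up under 192.95.43.160/28, 192.95.7.224/28 and this /28, the customer fields are a useful pivot. This added example (not code from the original post) parses ARIN-style key/value output into records and flags allocations whose customer record matches that fingerprint; the sample text reuses, in abbreviated form, the records quoted in these posts plus one constructed benign record, and the function names are my own.

```python
# Added example (not from the original post): pivoting on the ARIN customer
# record that keeps reappearing in these OVH Canada sub-allocations.
import re

FIELD_RE = re.compile(r"^(\w+):\s*(.*)$")

# Fields that describe the customer rather than one allocation
# (Ref and the dates differ per block, so they are deliberately excluded).
CUSTOMER_FIELDS = ("CustName", "Address", "City", "PostalCode", "Country")

# Whois text keyed by CIDR. The first three are abbreviated copies of the
# records quoted in the posts; the last is a constructed benign record.
WHOIS_SAMPLES = {
    "192.95.10.208/28": """
NetRange:       192.95.10.208 - 192.95.10.223
CIDR:           192.95.10.208/28
OriginAS:       AS16276
NetName:        OVH-CUST-413973
NetType:        Reassigned

CustName:       Private Customer
Address:        Private Residence
City:           Penziatki
StateProv:
PostalCode:     30000
Country:        RU
Ref:            http://whois.arin.net/rest/customer/C04859113
""",
    "192.95.43.160/28": """
CustName:       Private Customer
Address:        Private Residence
City:           Penziatki
PostalCode:     30000
Country:        RU
Ref:            http://whois.arin.net/rest/customer/C04859116
""",
    "192.95.7.224/28": """
CustName:       Private Customer
Address:        Private Residence
City:           Penziatki
PostalCode:     30000
Country:        RU
Ref:            http://whois.arin.net/rest/customer/C04859114
""",
    "192.0.2.0/28": """
CustName:       Example Hosting Ltd (constructed)
Address:        1 Example Street
City:           Montreal
PostalCode:     H3A 0G4
Country:        CA
Ref:            http://whois.arin.net/rest/customer/C00000000
""",
}

# Fingerprint of the customer record the posts above keep running into.
PENZIATKI = ("private customer", "private residence", "penziatki", "30000", "ru")


def parse_arin(text):
    """Split ARIN-style 'Key: value' output into records separated by blank lines."""
    records, current = [], {}
    for line in text.splitlines():
        m = FIELD_RE.match(line.strip())
        if m:
            current[m.group(1)] = m.group(2).strip()
        elif current:
            records.append(current)
            current = {}
    if current:
        records.append(current)
    return records


def customer_fingerprint(record):
    """Case-folded tuple of the customer fields, or None for a non-customer record."""
    if "CustName" not in record:
        return None
    return tuple(record.get(f, "").lower() for f in CUSTOMER_FIELDS)


def find_matching_allocations(samples, known_bad):
    """CIDRs whose whois text carries a customer record matching known_bad."""
    return [cidr for cidr, text in samples.items()
            if any(customer_fingerprint(r) == known_bad for r in parse_arin(text))]


if __name__ == "__main__":
    for cidr in find_matching_allocations(WHOIS_SAMPLES, PENZIATKI):
        print(f"{cidr}: customer record matches the Penziatki fingerprint")
```

The fingerprint deliberately ignores Ref, RegDate and Updated, which are per-allocation values and would otherwise defeat the match across blocks.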

Wednesday 8 January 2014

More "Voice Message from Unknown" spam

Another bunch of fake "voice message" spams with a malicious payload are doing the rounds, for example:

Subject: Voice Message from Unknown (996-743-6568)
Subject: Voice Message from Unknown (433-358-8977)
Subject: Voice Message from Unknown (357-973-7738)

Body:
- - -Original Message- - -

From: 996-743-6568

Sent: Wed, 8 Jan 2014 12:06:38 +0000

To: [redacted]

Subject: Important Message to All Employees

Attached is a file VoiceMessage.zip which in turn contains VoiceMessage.exe which has a VirusTotal detection rate of 11/47. Automated analysis tools [1] [2] show an attempted connection to casbir.com.au on 67.22.142.68 (Cologlobal, Canada). This appears to be the only server on this IP address, so blocking or monitoring it for the time being may be prudent.

Friday 15 November 2013

Malware sites to block 15/11/2013 (Caphaw)

Thanks to a tip to investigate 199.68.199.178 I discovered that the Caphaw network I looked at yesterday is much bigger than I thought. The following IPs and domains can all be regarded as malicious (.SU domains are normally a dead giveaway for evil activity).

The recommended blocklist is at the end of the post (highlighted). These are the hosts involved either now or recently with hosting these Caphaw domains:


The following hosts appear to be hosting nameservers for these domains (note that USAISC has been identified doing this before):


These are the domains involved (I would strongly recommend blocking them):

afn.cc
akf.cc
alphard-info.net
astats.su
bai.su
blinking-imgs.su
caf.su
careservice.su
ciz.cc
collectserv.su
digital-in-one.cc
dig-services.at
dmf.su
eewuiwiu.cc
eguards.cc
enp.cc
e-statistics.su
estatus.cc
estatus.su
eux.cc
exy.su
fey.su
fooyuo.cc
frnm.su
g4-maxservice.su
giuchito.cc
guodeira.cc
gva.cc
higuards.su
ieguards.cc
iestat.cc
imgscores.cc
inetprotections.cc
infoenv.cc
invisibleski.com
iostat.su
istat.cc
iwebstats.cc
iwebstats.su
klr.su
lbb.su
lbp.cc
lil-web-svcs.su
limited-hsbc.com
llc-services.su
low-rates.su
lrnm.su
main2woo.su
nitecapvideo.net
nmbc.cc
nomorefees.cc
ognelisblog.net
online-verification.su
oprn.su
ormu.su
peguards.cc
pmr.cc
protected-onlinebanking.net
sj148-storage.net
standartextens.net
stat-service.net
sys-img-stores.cc
sysinfo.su
uceebeel.cc
up-stores.cc
veeceefi.cc
visite-mexico.net
webstats.su
wgate.su
wownthing.cc
wsysinfonet.su
zprn.su

Recommended IP blocklist (the first group is the hosting IPs, the second group is the nameserver IPs; the three Hetzner hosts 46.4.47.20-22 are covered by the 46.4.47.0/27 entry):

5.175.173.219
5.231.66.192
23.90.28.12
46.4.47.0/27
88.198.57.178
88.200.98.137
91.186.19.48
92.48.122.132
108.170.54.251
109.200.4.114
109.123.127.228
141.8.225.5
151.236.49.136
153.153.19.23
181.41.193.168
184.22.246.31
184.82.62.95
188.227.161.26
198.52.243.229
199.68.199.178
213.229.90.199

1.165.101.158
6.79.15.154
31.83.89.143
62.75.232.182
78.188.5.201
85.25.152.130
87.98.136.239
91.121.199.45
95.143.32.212
188.138.10.29
188.138.10.30
188.138.78.229
188.138.78.232
188.138.78.248
196.44.161.31
198.52.240.8
217.172.187.9
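As an added example (not part of the original post), the Python below ingests a blocklist written in the format used above (an IP or CIDR optionally followed by a hoster note, or a bare domain), collapses duplicates such as the repeated wgate.su, and checks an indicator against it: an address is matched against every CIDR, and a hostname is matched on itself and on every parent domain so that www.wgate.su is caught by the wgate.su entry. The sample list embedded in the script is constructed from a handful of entries above; the RPZ output is one way to deploy the domain half on a BIND resolver.

```python
"""Parse a 'Malware sites to block' list and check indicators against it."""
import ipaddress
import re

# Constructed sample in the post's own format (a few entries from the lists
# above); the duplicated wgate.su line is deliberate, to show de-duplication.
SAMPLE_BLOCKLIST = """
5.175.173.219 (GHOSTnet, Germany)
46.4.47.0/27
6.79.15.154 (USAISC, US)
199.68.199.178
wgate.su
wgate.su
limited-hsbc.com
"""

_IP_LINE = re.compile(r"^\s*(\d{1,3}(?:\.\d{1,3}){3}(?:/\d{1,2})?)")
_DOMAIN_LINE = re.compile(r"^\s*([a-z0-9][a-z0-9.-]*\.[a-z]{2,})\s*$", re.I)


def parse_blocklist(text):
    """Return (networks, domains): ip_network objects and lower-cased domains.
    Hoster notes, blank lines and duplicates are dropped; a bare IP becomes a
    /32 so that everything can be matched the same way."""
    networks = {}
    domains = set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _IP_LINE.match(line)
        if m:
            net = ipaddress.ip_network(m.group(1), strict=False)
            networks[str(net)] = net
            continue
        m = _DOMAIN_LINE.match(line)
        if m:
            domains.add(m.group(1).lower().rstrip("."))
    return list(networks.values()), domains


def is_blocked(indicator, networks, domains):
    """True if indicator (IP address or hostname) falls inside the list.
    Hostnames match on themselves and on any parent domain, so a blocked
    apex domain also covers every subdomain the gang may spin up under it."""
    indicator = indicator.strip().lower().rstrip(".")
    try:
        addr = ipaddress.ip_address(indicator)
    except ValueError:
        addr = None
    if addr is not None:
        return any(addr in net for net in networks)
    labels = indicator.split(".")
    # Never match on the bare TLD: stop one label short of the end.
    return any(".".join(labels[i:]) in domains for i in range(len(labels) - 1))


def to_rpz_records(domains):
    """Render the domains as BIND Response Policy Zone records that return
    NXDOMAIN for the name and for everything beneath it."""
    records = []
    for d in sorted(domains):
        records.append(f"{d} CNAME .")
        records.append(f"*.{d} CNAME .")
    return records


if __name__ == "__main__":
    nets, doms = parse_blocklist(SAMPLE_BLOCKLIST)
    for probe in ("46.4.47.21", "www.wgate.su", "8.8.8.8", "example.com"):
        print(f"{probe:20} blocked={is_blocked(probe, nets, doms)}")
    print("\n".join(to_rpz_records(doms)))
```

The domain match is deliberately a suffix match rather than an exact one: the lists above mix apex domains with hosts such as www.nacha.org.multiachprocessor.com, and blocking the registered domain catches both. Check what you feed it, though; a mistyped entry such as a bare "com" would sinkhole far more than intended.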

Tuesday 17 September 2013

Malware sites to block 17/9/13

This set of malicious IPs and domains is associated with this gang; this list replaces the last one published here.

24.173.170.230 (Time Warner Cable, US)
32.64.143.79 (AT&T, US)
37.153.192.72 (Routit BV, Netherlands)
42.121.84.12 (Aliyun Computing Co, China)
46.246.111.159 (Portlane Networks, Sweden)
58.68.228.148 (Beijing Blue I.T Technologies Co., China)
58.246.240.122 (China Unicom, China)
61.36.178.236 (LG DACOM, Korea)
62.141.46.8 (fast IT, Germany)
66.230.163.86 (Goykhman and Sons LLC, US)
66.230.190.249 (ISPrime, US)
77.123.54.28 (Kyivski Telekomunikatsiyni Merezhi LLC, Ukraine)
83.148.208.151 (Salon Seudun Puhelin Oy, Finland)
84.52.66.244 (West Call Ltd, Russia)
95.87.1.19 (Trakia Kabel, Bulgaria)
95.111.32.249 (Megalan / Mobiltel EAD, Bulgaria)
103.20.166.67 (PT. Visikom Indo Sentratama, Indonesia)
112.124.55.133 (Hangzhou Alibaba Advertising Co.,Ltd., China)
115.78.233.220 (Vietel Corporation, Vietnam)
115.160.146.142 (Wharf T&T Ltd, Hong Kong)
119.78.243.74 (CSTNET, China)
125.20.14.222 (Price Water House Cooperation, India)
141.20.102.73 (Humboldt-Universitaet zu Berlin, Germany)
153.127.243.80 (Kagoya Japan Corporation, Japan)
159.226.51.161 (CSTNET, China)
172.245.62.181 (Colocrossing, US)
173.230.130.69 (Linode, US)
174.142.186.89 (iWeb Technologies, Canada)
178.33.132.103 (OVH, France)
178.239.180.211 (Enter S.r.l., Italy)
184.82.233.29 (Network Operations Center, US)
185.19.95.170 (TTNETDC, Turkey)
186.251.180.205 (Infotech Informatica e Assistencia Tecnica Ltda, Brazil)
187.60.172.18 (Linhares Serviços Online LTDA, Brazil)
192.210.198.198 (Valley Host, US)
192.237.186.71 (Rackspace, US)
194.158.4.42 (Interoute Communications, France)
198.71.90.239 (Enzu Inc, US)
208.52.185.178 (BroadRiver Communication Corp, US)
208.180.134.20 (Suddenlink Communications, US)
211.71.99.66 (Beijing Institute of Clothing Technology, China)
212.169.49.234 (Claranet, UK)
216.218.208.55 (Hurricane Electric, US)
220.68.231.30 (Hansei University, Korea)
223.30.27.251 (Sify Limited, India)

Blocklist:
24.173.170.230
32.64.143.79
37.153.192.72
42.121.84.12
46.246.111.159
58.68.228.148
58.246.240.122
61.36.178.236
62.141.46.8
66.230.163.86
66.230.190.249
77.123.54.28
83.148.208.151
84.52.66.244
95.87.1.19
95.111.32.249
103.20.166.67
112.124.55.133
115.78.233.220
115.160.146.142
119.78.243.74
125.20.14.222
141.20.102.73
153.127.243.80
159.226.51.161
172.245.62.181
173.230.130.69
174.142.186.89
178.33.132.103
178.239.180.211
184.82.233.29
185.19.95.170
186.251.180.205
187.60.172.18
192.210.198.198
192.237.186.71
194.158.4.42
198.71.90.239
208.52.185.178
208.180.134.20
211.71.99.66
212.169.49.234
216.218.208.55
220.68.231.30
223.30.27.251
achrezervations.com
aconsturcioneoftherive677.net
airfare-ticketscheap.com
aristonmontecarlo.net
berylhowell.net
bnamecorni.com
bundle.su
cernanrigndnisne55.net
cerovskiprijatnomnebi25.net
certerianshndieony24.net
clothestaxact.com
consistingsec.net
crovliivseoslniepodmore83.net
crovniedelamjdusaboye73.net
crovvirnskieertater55.net
deepsealinks.com
demuronline.net
diggingentert.com
dotier.net
dulethcentury.net
ehnihjrkenpj.ru
ehnynewyortenotbaber.net
ehtiebanishkeobprienrt25.net
elvisalive4ever.com
ermiarmirovanieyye46.net
ermitajnierisunkiane45.net
euteus.com
evreisorinejsopgmrjnet28.net
excelledblast.net
fiscdp.com.airfare-ticketscheap.com
gemochlenoftheierarhia23.net
germaniavampizdanahuj.net
germoshanyofthesity72.net
gormonigraetnapovalahule26.net
gormoshkeniation68.net
grannyhair.ru
gromovierashodyna73.net
gstarstats.ru
hdmltextvoice.net
higherpricedan.com
imagoindia.net
infomashe.com
irs.gov.successsaturday.net
isightbiowares.su
joyrideengend.net
kneeslapperz.net
lacave-enlignes.com
lights-awake.net
lindoliveryct.net
macache.net
maxichip.com
medusascream.net
micnetwork100.com
mirrorsupply.com
mobile-unlocked.net
multiachprocessor.com
myaxioms.com
nacha.org.samsung-galaxy-games.net
nacha-ach-processor.com
namastelearning.net
nvufvwieg.com
oadims.net
onsayoga.net
ordersdeluxe.com
oversearadios.net
perkindomname.com
picturesoftdeath.com
pidrillospeeder.com
powerranger-toys.net
priceless.su
printingupplies.com
pure-botanical.net
samsung-galaxy-games.net
smartolen.com
smartsecureconnect.com
softwareup.pw
spottingculde.com
stjamesang.net
successsaturday.net
taltondark.net
theamberroomct.com
timelessmusicstore.com
tonalfreeworld.net
tor-connect-secure.com
treesmustdownload.su
u-janusa.net
uprisingquicks.net
video-withtext.com
vineostat.ru
vip-proxy-to-tor.com
virginiarealtyonline.net
whosedigitize.net
wow-included.com
www.fiscdp.com.airfare-ticketscheap.com
www.irs.gov.successsaturday.net
www.nacha.org.demuronline.net
www.nacha.org.multiachprocessor.com
www.nacha.org.samsung-galaxy-games.net

Monday 9 September 2013

Malware sites to block 9/9/13

These domains and IPs are associated with this gang, this list supersedes (or complements) the one I made last week.

1.209.108.29 (BORANET, Korea)
24.173.170.230 (Time Warner Cable, US)
37.153.192.72 (Routit BV, Netherlands)
42.121.84.12 (Aliyun Computing Co, China)
58.68.228.148 (Beijing Blue I.T Technologies Co., China)
58.246.240.122 (China Unicom, China)
61.36.178.236 (LG DACOM, Korea)
66.230.163.86 (Goykhman and Sons LLC, US)
66.230.190.249 (ISPrime, US)
74.63.233.79 (Limestone Networks Inc / 123Systems Solutions, US)
74.207.231.42 (Linode, US)
95.87.1.19 (Trakia Kabel, Bulgaria)
95.111.32.249 (Megalan / Mobiltel EAD, Bulgaria)
95.242.252.26 (Telecom Italia, Italy)
103.20.166.67 (PT. Visikom Indo Sentratama, Indonesia)
111.93.115.216 (Tata Teleservices, India)
115.78.233.220 (Vietel Corporation, Vietnam)
115.160.146.142 (Wharf T&T Ltd, Hong Kong)
130.63.110.159 (York University, Canada)
140.116.72.75 (TANET, Taiwan)
141.20.102.73 (Humboldt-Universitaet zu Berlin, Germany)
148.204.64.107 (Instituto Politecnico Nacional, Mexico)
173.254.250.218 (OC3 Networks, US)
184.23.8.7 (Sonic.net, US)
186.251.180.205 (Infotech Informatica e Assistencia Tecnica Ltda, Brazil)
187.60.172.18 (Linhares Serviços Online LTDA, Brazil)
190.145.25.126 (Telmex Colombia, Colombia)
190.152.149.85 (Consejo De Participacion Ciudadana Y Control Soci, Ecuador)
192.241.199.191 (Digital Ocean, US)
194.42.83.60 (Interoute Communications, UK)
194.158.4.42 (Interoute Communications, France)
198.224.81.54 (AT&T, US)
199.115.228.213 (VolumeDrive, US)
208.52.185.178 (BroadRiver Communication Corp, US)
208.69.42.50 (Bay Area Video Coalition, US)
208.180.134.20 (Suddenlink Communications, US)
212.169.49.234 (Claranet, UK)
213.156.91.110 (Ukrainian Special Systems Network, Ukraine)
222.35.102.133 (China TieTong Telecommunications Corporation, China)
223.30.27.251 (Sify Limited, India)

1.209.108.29
24.173.170.230
37.153.192.72
42.121.84.12
58.68.228.148
58.246.240.122
61.36.178.236
66.230.163.86
66.230.190.249
74.63.233.79
74.207.231.42
95.87.1.19
95.111.32.249
95.242.252.26
103.20.166.67
111.93.115.216
115.78.233.220
115.160.146.142
130.63.110.159
140.116.72.75
141.20.102.73
148.204.64.107
173.254.250.218
184.23.8.7
186.251.180.205
187.60.172.18
190.145.25.126
190.152.149.85
192.241.199.191
194.42.83.60
194.158.4.42
198.224.81.54
199.115.228.213
208.52.185.178
208.69.42.50
208.180.134.20
212.169.49.234
213.156.91.110
222.35.102.133
223.30.27.251
achrezervations.com
agence-moret.net
altertraveldream.com
amimeseason.net
bnamecorni.com
boardsxmeta.com
brasilmatics.net
bundle.su
casualcare.net
cernanrigndnisne55.net
cerovskiprijatnomnebi25.net
certerianshndieony24.net
certierskieanyofthe23.net
chairsantique.net
checklistsseesmics.su
chernigovskievojninua55.net
controlsalthoug.com
credit-find.net
crovliivseoslniepodmore83.net
deepsealinks.com
dotier.net
dvdramrautosel.su
ehnihujasebenahujchtoza27.net
ehnynewyortenotbaber.net
ehtiebanishkeobprienrt25.net
elvisalive4ever.com
email.pinterest.com.lacave-enlignes.com
ergopets.com
ermitajniedelaincityof40.net
explic.net
facebook.com.achrezervations.com
favar.net
fender.su
ffupdate.pw
fulty.net
gaphotoid.net
gemochlenoftheierarhia23.net
germaniavampizdanahuj.net
germetikovskievremie29.net
gggrecheskiysala99.net
giabit.net
gonulpalace.net
gormonigraetnapovalahule26.net
gormoshkeniation68.net
gormovskieafrterskioepr30.net
grannyhair.ru
higherpricedan.com
hobox.net
hotbitscan.com
icentis-finance.net
insectiore.net
invoices.ulsmart.net
istatsking.ru
jessesautobody.net.rcom-dns.eu
kpsart.net
lacave-enlignes.com
lights-awake.net
liliputttt9999.info
lindoliveryct.net
macache.net
maxichip.com
medusascream.net
micnetwork100.com
mobile-unlocked.net
molul.com
multiachprocessor.com
myaxioms.com
mywebsitetips.net
nacha-ach-processor.com
namastelearning.net
ns1.namastelearning.net
ns2.namastelearning.net
nvufvwieg.com
oadims.net
ordersdeluxe.com
oversearadios.net
paypal.com.us.cmd.stjamesang.net
perkindomname.com
photos.walmart.com.orders.stjamesang.net
porschetr-ml.com
powerranger-toys.net
priceless.su
printingupplies.com
pure-botanical.net
redsox.com.tickets-service.lindoliveryct.net
relectsdispla.net
rentipod.ru
saucancafe.net
scoutmoor.net
secureprotection5.com
soberimages.com
stjamesang.net
stonewallspwt.net
strutterradio.net
taltondark.net
templateswell.net
thefastor.com
thegalaxyatwork.com
tickets-service.lindoliveryct.net
tor-connect-secure.com
trans-staronline.net
treesmustdownload.su
u-janusa.net
ulsmart.net
uprisingquicks.net
video-withtext.com
vineostat.ru
viperestats.ru
vip-proxy-to-tor.com
virginiarealtyonline.net
weekings.com
wildgames-orb.net
wow-included.com
www.facebook.com.achrezervations.com
www.linkedin.com.achrezervations.com
www.nacha.org.multiachprocessor.com
www.nacha-ach-processor.com
www.redsox.com.tickets-service.lindoliveryct.net
zinvolarstikel.com

Wednesday 17 April 2013

BBB Spam / janariamko.ru

After a few quiet days on the RU:8080 spam front it has started again..

Date:      Wed, 17 Apr 2013 20:18:14 +0800
From:      "Better Business Bureau" [guttersnipeg792@ema1lsv100249121.bbb.org]
Subject:      Better Business Beareau accreditation Terminated 64A488W04

    Case N. 64A488W04

Respective Owner/Responsive Person:

The Better Business Bureau has been filed the above said reclamation from one of your clients with reference to their business relations with you. The information about the consumer's trouble are available at the link below. Please give attention to this matter and communicate with us about your opinion as soon as possible.

We graciously ask you to visit the COMPLAINT REPORT to respond on this reclamation. Click here to be taken directly to your report today:
http://www.bbb.org/business-claims/customercare/report-65896564

If you think you got this email by mistake - please forward this message to your principal or accountant

We are looking forward to your prompt answer.

Looking for info on additional ways your BBB Accreditation can boost your business? Visit the BBB SmartGuide.

Sincerely,

Gabriel Reyes - Online Communication Specialist

bbb.org - Start With Trust
The malicious payload is at [donotclick]janariamko.ru:8080/forum/links/public_version.php (report here) hosted on the following IPs:
91.191.170.26 (Netdirekt, Turkey)
93.187.200.250 (Netdirekt, Turkey)
208.94.108.238 (Fibrenoire, Canada)

Blocklist:
91.191.170.26
93.187.200.250
208.94.108.238
ifikangloo.ru
ifinaksiao.ru
ighjaooru.ru
igionkialo.ru
ijsiokolo.ru
imanraiodl.ru
itriopea.ru
ivanikako.ru
ixxtigang.ru
izjianokr.ru
iztakor.ru
jamtientop.ru
janariamko.ru
janasika.ru
jindiank.ru
jubakupra.ru
judianko.ru
juhajuhaa.ru
juliamanako.ru
juliaroberzs.ru
jundaio.ru

Tuesday 9 April 2013

Intuit spam / juhajuhaa.ru

This fake Intuit spam leads to malware on juhajuhaa.ru:

Date:      Tue, 9 Apr 2013 11:21:18 -0430 [11:51:18 EDT]
From:      Tagged [Tagged@taggedmail.com]
Subject:      Payroll Account Holded by Intuit

Direct Deposit Service Informer
Communicatory Only

We cancelled your payroll on Tue, 9 Apr 2013 11:21:18 -0430.

    Finances would be gone away from below account # ending in 6780 on Tue, 9 Apr 2013 11:21:18 -0430
    amount to be seceded: 4053 USD
    Paychecks would be procrastinated to your personnel accounts on: Tue, 9 Apr 2013 11:21:18 -0430
    Log In to Review Operation


Funds are typically left before working banking hours so please make sure you have enough Finances accessible by 12 a.m. on the date Cash are to be seceded.

Intuit must reject your payroll by 4 p.m. Central time, two banking days before your paycheck date or your state would not be paid on time.
QuickBooks does not process payrolls on weekends or federal banking holidays. A list of federal banking holidays can be viewed at the Federal Reserve website.

Thank you for your business.

Regards,
Intuit Payroll Services 

The link in the email goes through a legitimate but hacked site to a malware landing page at [donotclick]juhajuhaa.ru:8080/forum/links/column.php (report here) hosted on some familiar-looking IP addresses that we saw earlier:
91.191.170.26 (Netdirekt, Turkey)
93.187.200.250 (Netdirekt, Turkey)
208.94.108.238 (Fibrenoire, Canada)

Blocklist:
91.191.170.26
93.187.200.250
208.94.108.238
ifikangloo.ru
ifinaksiao.ru
ighjaooru.ru
igionkialo.ru
ijsiokolo.ru
illuminataf.ru
imanraiodl.ru
itriopea.ru
ivanikako.ru
izamalok.ru
izjianokr.ru
iztakor.ru
jonahgkio.ru
juhajuhaa.ru
jundaio.ru

LinkedIn spam / jonahgkio.ru

This fake LinkedIn spam leads to malware on jonahgkio.ru:

Date:      Tue, 9 Apr 2013 10:03:31 -0300
From:      "service@paypal.com" [service@paypal.com]
Subject:      Join my network on LinkedIn

LinkedIn
Marcelene Bruno has indicated you are a Friend

I'd like to add you to my professional network on LinkedIn.



- Marcelene Bruno
Accept
    View invitation from Marcelene Bruno


WHY MIGHT CONNECTING WITH Marcelene Bruno BE A GOOD IDEA?

Marcelene Bruno's connections could be useful to you

After accepting Marcelene Bruno's invitation, check Marcelene Bruno's connections to see who else you may know and who you might want an introduction to. Building these connections can create opportunities in the future.

© 2012, LinkedIn Corporation
The link leads to a malicious payload on [donotclick]jonahgkio.ru:8080/forum/links/column.php which doesn't seem to be working at the moment. However, it is multihomed on some familiar-looking IPs:
91.191.170.26 (Netdirekt, Turkey)
93.187.200.250 (Netdirekt, Turkey)
208.94.108.238 (Fibrenoire, Canada)

Blocklist:
91.191.170.26
93.187.200.250
208.94.108.238
itriopea.ru
illuminataf.ru
izamalok.ru
imanraiodl.ru
ifinaksiao.ru
jonahgkio.ru
ivanikako.ru
igionkialo.ru
ijsiokolo.ru
ifikangloo.ru
izjianokr.ru
iztakor.ru
ighjaooru.ru
jundaio.ru

HP ScanJet spam / jundaio.ru

This fake printer spam leads to malware on jundaio.ru:

Date:      Tue, 9 Apr 2013 10:07:40 +0500 [01:07:40 EDT]
From:      Scot Crump [ScotCrump@hotmail.com]
Subject: Re: Scan from a Hewlett-Packard ScanJet  #0437
Attachment: HP-ScannedDoc.htm

Attached document was scanned and sent

to you using a HP HPAD-400812P.
SENT BY : Scot S.
PAGES : 9
FILETYPE: .HTM [INTERNET EXPLORER/MOZILLA FIREFOX]
The attachment HP-ScannedDoc.htm leads to malware on [donotclick]jundaio.ru:8080/forum/links/column.php (report here) hosted on:
91.191.170.26 (Netdirekt, Turkey)
93.187.200.250 (Netdirekt, Turkey)
94.103.45.34 (ANKARAHOSTING, Turkey)
208.94.108.238 (Fibrenoire, Canada)

Blocklist:
91.191.170.26
93.187.200.250
94.103.45.34
208.94.108.238
ifikangloo.ru
ifinaksiao.ru
ighjaooru.ru
igionkialo.ru
ijsiokolo.ru
ilianorkin.ru
illuminataf.ru
imanraiodl.ru
imbrigilia.ru
itriopea.ru
ivanikako.ru
ixxtigang.ru
izamalok.ru
izjianokr.ru
iztakor.ru
jundaio.ru
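The four posts above (BBB, Intuit, LinkedIn and HP ScanJet) all land on the same RU:8080 pattern: a throwaway .ru hostname on port 8080 with a path of the form /forum/links/<name>.php, multihomed on the same small set of IPs while the hostnames rotate. As an added example, not part of the original posts, the Python below flags proxy log entries on either signal, so that a new hostname the lists don't yet carry is still caught by the path pattern, and a redirect from a hacked legitimate site (which the URL pattern cannot see) is still caught when it reaches the known hosting IPs. The log format and the log lines are constructed for the example.

```python
"""Flag proxy log entries matching the RU:8080 landing-page pattern or the
IPs those hostnames were seen multihomed on."""
import re
from urllib.parse import urlsplit

# IPs named in the posts above; hostnames rotate, the hosting stays put.
RU8080_IPS = {"91.191.170.26", "93.187.200.250", "94.103.45.34", "208.94.108.238"}

# /forum/links/public_version.php, /forum/links/column.php, ...
_LANDING_PATH = re.compile(r"^/forum/links/[a-z0-9_]+\.php$", re.I)


def refang(url):
    """Turn the '[donotclick]host:8080/path' form used in the posts back into
    a URL that urlsplit understands."""
    url = url.replace("[donotclick]", "").strip()
    if "://" not in url:
        url = "http://" + url
    return url


def is_ru8080_url(url):
    """True for <anything>.ru on port 8080 with a /forum/links/*.php path."""
    p = urlsplit(refang(url))
    host = (p.hostname or "").lower()
    return (host.endswith(".ru") and p.port == 8080
            and _LANDING_PATH.match(p.path) is not None)


# Constructed squid-style log lines: client, destination IP, method, URL.
SAMPLE_LOG = """\
10.0.0.5 208.94.108.238 GET http://janariamko.ru:8080/forum/links/public_version.php
10.0.0.7 93.184.216.34 GET http://example.com/forum/links/index.php
10.0.0.9 93.187.200.250 GET http://juhajuhaa.ru:8080/forum/links/column.php
10.0.0.9 198.51.100.10 GET http://hacked-but-legit.example/redir.html
10.0.0.11 91.191.170.26 GET http://newname.ru/some/other/path.html
"""


def scan_log(text):
    """Return (client, hostname, reasons) for every line that trips a rule.
    reasons is a list so a hit on both signals is visible as such."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        client, dest_ip, _method, url = parts[:4]
        reasons = []
        if is_ru8080_url(url):
            reasons.append("ru8080-url")
        if dest_ip in RU8080_IPS:
            reasons.append("known-ip")
        if reasons:
            hits.append((client, urlsplit(refang(url)).hostname, reasons))
    return hits


if __name__ == "__main__":
    for client, host, reasons in scan_log(SAMPLE_LOG):
        print(f"{client:10} {host:25} {','.join(reasons)}")
```

The last sample line is the case worth keeping in mind: a hostname not yet on any list, on a path the pattern does not cover, but served from 91.191.170.26. The IP rule is what catches it, which is why the posts publish the IPs alongside the domains.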