Sponsored by..

Showing posts with label China. Show all posts
Showing posts with label China. Show all posts

Thursday 24 August 2017

Multiple badness on metoristrontgui.info / 119.28.100.249

Two massive fake "Bill" spam runs seem to be under way, one claiming to be from BT and the other being more generic.

Subject:       New BT Bill
From:       "BT Business" [btbusiness@bttconnect.com]
Date:       Thu, August 24, 2017 6:08 pm
Priority:       Normal

From BT
New BT Bill

Your bill amount is: $106.84
This doesn't include any amounts brought forward from any other bills.

We've put your latest BT bill for you to view. See your bill here


We'll take your payment from your account as usual by Direct Debit.

Reduce paper waste
You're still getting paper bills by post. Why not go paper-free, and stop storing and shredding them once and for all?


Need some help?
Go to www.bt.com/business/support.

Thanks for choosing BT.

Robena Morath
CEO, BT Business

Payment processing fee: BT Payment Services Ltd, a BT Group Company, charges this fee.
This or confidential. It's meant only for the individual(s) email contains BT information, which may be privileged or entity named above. If you're not the intended recipient, note that disclosing, copying, distributing or using this information is prohibited. If you've received this email in error, please let me know immediately on the email address above. Thank you. We monitor our email system, and may record your emails.

And a simpler one..

From:    Dianna Mcgrew
Date:    24 August 2017 at 14:50
Subject:    Bill-9835

Hi,

Here is a copy of your bill.

Thank you & have a great weekend!
Most (but not all) of the samples I  have seen then lead to a single website to download the malicious payload, for example:

http://metoristrontgui.info/af/download.php
http://metoristrontgui.info/af/bill-201708.rar
http://metoristrontgui.info/af/bill-201708.7z

metoristrontgui.info is hosted on 119.28.100.249 (Tencent, China) which is an IP we've seen a few times recently [1] [2]. Let's check out that WHOIS:

Domain Name: METORISTRONTGUI.INFO
Registry Domain ID: D503300000042955753-LRMS
Registrar WHOIS Server:
Registrar URL: http://www.eranet.com
Updated Date: 2017-08-24T14:02:07Z
Creation Date: 2017-08-24T13:24:23Z
Registry Expiry Date: 2018-08-24T13:24:23Z
Registrar Registration Expiration Date:
Registrar: Eranet International Limited
Registrar IANA ID: 1868
Registrar Abuse Contact Email:
Registrar Abuse Contact Phone:
Reseller:
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: serverTransferProhibited https://icann.org/epp#serverTransferProhibited
Domain Status: addPeriod https://icann.org/epp#addPeriod
Registry Registrant ID: C208152073-LRMS
Registrant Name: Robert Ruthven
Registrant Organization: Gamblin Artists Colors
Registrant Street: 323 SE Division Pl
Registrant City: Portland
Registrant State/Province: OR
Registrant Postal Code: 97202
Registrant Country: US
Registrant Phone: +1.5034359411
Registrant Phone Ext:
Registrant Fax: +1.5034359411
Registrant Fax Ext:
Registrant Email: jenniemarc@mail.com
Registry Admin ID: C208152073-LRMS
Admin Name: Robert Ruthven
Admin Organization: Gamblin Artists Colors
Admin Street: 323 SE Division Pl
Admin City: Portland
Admin State/Province: OR
Admin Postal Code: 97202
Admin Country: US
Admin Phone: +1.5034359411
Admin Phone Ext:
Admin Fax: +1.5034359411
Admin Fax Ext:
Admin Email: jenniemarc@mail.com
Registry Tech ID: C208152073-LRMS
Tech Name: Robert Ruthven
Tech Organization: Gamblin Artists Colors
Tech Street: 323 SE Division Pl
Tech City: Portland
Tech State/Province: OR
Tech Postal Code: 97202
Tech Country: US
Tech Phone: +1.5034359411
Tech Phone Ext:
Tech Fax: +1.5034359411
Tech Fax Ext:
Tech Email: jenniemarc@mail.com
Registry Billing ID: C208152073-LRMS
Billing Name: Robert Ruthven
Billing Organization: Gamblin Artists Colors
Billing Street: 323 SE Division Pl
Billing City: Portland
Billing State/Province: OR
Billing Postal Code: 97202
Billing Country: US
Billing Phone: +1.5034359411
Billing Phone Ext:
Billing Fax: +1.5034359411
Billing Fax Ext:
Billing Email: jenniemarc@mail.com
Name Server: A.DNSPOD.COM
Name Server: B.DNSPOD.COM
Name Server: C.DNSPOD.COM
DNSSEC: unsigned
URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/


VirusTotal confirms a lot of badness here, with all of these evil domains on the same server:

drommazxitnnd7gsl.com
74jhdrommdtyis.net
rtozottosdossder.net
kabbionionsesions.net
ttytreffdrorseder.net
tyytrddofjrntions.net
mjhsdgc872bf432rdf.net
yrns7sg3kdn94hskxhbf.net
trmbobodortyuoiyrt.org
metoristrontgui.info
fsroosionsoulsda.info
aldirommestorr887.info
droohsdronfhystgfh.info

Downloads from this site can be a bit slow, unsurprisingly. The dropped EXE seems to be Locky ransomware with a detection rate of 19/65. Hybrid Analysis shows the sample POSTing to 185.179.190.31/imageload.cgi (Webhost LLC, Russia)

Recommended minimum blocklist:
185.179.190.31
119.28.100.249




Wednesday 23 August 2017

Malware spam: "Voice Message Attached from 0xxxxxxxxxxx - name unavailable"

This fake voice mail message leads to malware. It comes in two slightly different versions, one with a RAR file download and the other with a ZIP.

Subject:       Voice Message Attached from 001396445685 - name unavailable
From:       "Voice Message" <vmservice@victimdomain.tld>
Date:       Wed, August 23, 2017 10:22 am

Time: Wed, 23 Aug 2017 14:52:12 +0530
Download <http://tyytrddofjrntions.net/af/VM20170823_193908.zip> file to listen
Voice Message

Subject:       Voice Message Attached from 055237805419 - name unavailable
From:       "Voice Message" <vmservice@victimdomain.tld>
Date:       Wed, August 23, 2017 10:21 am

Time: Wed, 23 Aug 2017 14:51:13 +0530
Download <http://mjhsdgc872bf432rdf.net/af/VM20170823_193908.rar> file to listen
Voice Message
Both download locations of tyytrddofjrntions.net and mjhsdgc872bf432rdf.net are hosted on 119.28.100.249 (Tencent, CN). This same IP was seen in this other recent spam run. Both the RAR and ZIP downloads (detection rate about 18/59 [1] [2]) contain the same malicious VBS script [pastebin]. The script tries to download an additional component from one of the following locations:

grlarquitectura.com/Mvgjh67?
grundschulmarkt.com/Mvgjh67?
aldirommestorr887.info/af/Mvgjh67?
grupoegeria.net/Mvgjh67?
gestionale-orbit.it/Mvgjh67?
gdrural.com.au/Mvgjh67?
geocean.co.id/Mvgjh67?
grupoajedrecisticoaleph.com/Mvgjh67?
grupofergus.com.bo/Mvgjh67?
gruppostolfaedilizia.it/Mvgjh67?

You'll note that most of those download locations start with "gr" which indicates that this is just a small subset of hacked servers under the control of the bad guys.

Automated analysis [3] [4] shows a dropped file with a VirusTotal detection rate of 14/64 (probably Locky). Those same analyses show traffic being sent to:

62.109.16.214/imageload.cgi (TheFirst-RU, RU - hostname: gpodlinov.letohost.com)
5.196.99.239/imageload.cgi (Just Hosting, RU - hostname: noproblem.one)

UPDATE:  Several other IPs in the 5.196.99.0/24 range have been used to host malware in the past. I would recommend blocking the entire /24.

Recommended blocklist:
119.28.100.249
62.109.16.214
5.196.99.0/24


Monday 21 August 2017

Cerber spam: "please print", "images etc"

I only have a couple of samples of this spam, but I suspect it comes in many different flavours..

Subject:       images
From:       "Sophia Passmore" [Sophia5555@victimdomain.tld]
Date:       Fri, May 12, 2017 7:18 pm

--

*Sophia Passmore*


Subject:       please print
From:       "Roberta Pethick" [Roberta5555@victimdomain.tld]
Date:       Fri, May 12, 2017 7:18 pm

--
*Roberta Pethick*

In these two samples there is an attached .7z archive (MD5 31c144629bfdc6c8011c492e06fe914d) with a VirusTotal detection rate of 18/58. Both samples contained a malicious Javascript named 20170821_08914700.js that looks like this [pastebin].

Automated analysis [1] [2] shows a download from the following locations:

gel-batterien-agm-batterien.de/65JKjbh??TqCRhOAQ=TqCRhOAQ [46.4.91.144 - Hetzner, Germany]
droohsdronfhystgfh.info/af/65JKjbh?TqCRhOAQ=TqCRhOAQ [119.28.100.249 - Tencent, China]

The Hybrid Analysis report shows an executable being dropped which is Ceber Ransomware (MD5 c7d79f5d830b1b67c5eb11de40a721b4), with a VT detection of 22/64.

Recommended blocklist:
46.4.91.144
119.28.100.249

Monday 17 April 2017

Malware spam: "RE: RE: ftc refund" / secretary@ftccomplaintassistant.com

This fake FTC email leads to malware. Curiously, it was sent to a company that received a multimillion dollar FTC fine, but this is almost definitely a coincidence.

From:    Federal Trade Commission [secretary@ftccomplaintassistant.com]
Date:    17 April 2017 at 15:25
Subject:    RE: RE: ftc refund


It seems we can claim a refund from the FTC.
Check this out and give me a call.
https://www.ftc.gov/refunds/company/companyname.com/FTC_refund_recipientname.doc
Thank you
James Newman
Senior Accountant
secretary@ftccomplaintassistant.com
212-0061570

The link in the email actually goes to a URL beginning http://thecomplete180.com/view.php?id= followed by a Base 64 encoded string that appears to be 6281 + recipient email address + 5434 (so for president@whitehouse.gov it would be http://thecomplete180.com/view.php?id=NjI4MXByZXNpZGVudEB3aGl0ZWhvdXNlLmdvdjU0MzQ=)

Obviously this downloaded document is up to no good, but the VirusTotal detection rates are only 5/56. The Word document itself tries to persuade victims to enable macros, which would be a bad idea.


Automated analysis [1] [2] shows network traffic to:

wasstalwihis.com/bdk/gate.php
littperevengpa.com/ls5/forum.php
littperevengpa.com/mlu/forum.php
littperevengpa.com/d1/about.php
hybridinformatica.com.br/blog/wp-content/themes/twentyeleven/inc/a1
hybridinformatica.com.br/blog/wp-content/themes/twentyeleven/inc/1
hybridinformatica.com.br/blog/wp-content/themes/twentyeleven/inc/2


It also appears to start sending traffic via Tor, which is a good reason to monitor Tor on your network. All sorts of files are dropped, most of which don't seem to be particularly malicious. "Gate.php" indicates a Pony downloader, but this does look like a tricky bugger.

Out of the domains contacted, littperevengpa.com and wasstalwihis.com shared the same registrant details and look fairly evil. We can associate the same registrant with the following domains:

soinwarep.com
ronwronsednot.com
withwasnothar.com
dingandrinfe.com
troverylit.com
derby-au.com
utonerutoft.com
situghlacsof.com
tinjecofsand.com
fortotrolhec.com
fydoratot.com
redwronwassdo.com
ronkeddari.com
littperevengpa.com
suranfortrep.com
newbillingplace.com
usps-daily-delivery.com
ringcentral-fax-inbox.com
wassheckgehan.com
wasstalwihis.com
meredondidn.com
satertdiut.com
vernothesled.com
veuntedund.com
ranwithtorsdo.com
notwipaar.com
dintrogela.com
adp-monthly-billling.com
rigakeddo.com
random-billing.com
hetoftinbut.com
hemlittratdidn.com

Perhaps more usefully, we can associate that registrant with the following IPs:

178.170.189.254 [hostname: nejokexulag.example.com] (Servachok Ltd, Russia)
185.146.1.4 (PS Internet Company LLC, Kazakhstan)
185.48.56.63 (Sinarohost, Netherlands)
185.80.53.76 (HZ Hosting, Bulgaria)
188.127.237.232 (SmartApe, Russia)
193.105.240.2 (Sia Vps Hosting, Latvia)
194.1.239.63 [hostname: nejokexulag.example.com] (Internet Hosting Ltd, Russia)
195.54.163.94 (PE Dobrogivskiy Muroslav Petrovich, Ukraine)
212.116.113.108 (Prometey Ltd, Russia)
46.148.26.87 [hostname: nejokexulag.infium.net] (Infium UAB, Ukraine)
47.90.202.88 (Alibaba.com, China)
77.246.149.100 [hostname: nejokexulag.e-vds.ru] (E-planet Ltd, Russia)
87.118.126.207 (Keyweb AG, Germany)
88.214.236.158 (Overoptic Systems, Russia)
91.230.211.67 [hostname: nejokexulag.freeopti.ru] (Optibit LLC, Russia)
93.189.43.36 (NTCOM, Russia)

This gives us a pretty useful minimum blocklist:

178.170.189.254
185.146.1.4
185.48.56.63
185.80.53.76
188.127.237.232
193.105.240.2
194.1.239.63
195.54.163.94
212.116.113.108
46.148.26.87
47.90.202.88
77.246.149.100
87.118.126.207
88.214.236.158
91.230.211.67
93.189.43.36




Wednesday 27 January 2016

Malware spam: "Enterprise Invoices No.91786" / Enterprise Security Distribution (South West) Limited

This fake financial spam does not come from Enterprise Security Distribution (South West) Limited but is instead a simple forgery with a malicious attachment.

From:    Vicki Harvey
Date:    27 January 2016 at 15:30
Subject:    Enterprise Invoices No.91786

Please find attached invoice/s from
Enterprise Security Distribution (South West) Limited
Unit 20, Avon Valley Business Park
St Annes Road
St Annes
Bristol
BS4 4EE


Vicki Harvey
Accountant
Tel: 0117 977 5373

The name of the sender and references will vary. There seem to be several different versions of the attachment named in a format Canon-mf30102A13A@altel.kz_2615524.xls, some example results at VirusTotal are here [1] [2] [3] [4].

The attachments are malformed. You may not be able to download them, or it may appear there are no attachments. It will vary from email client to email client.

Analysis of the attachments is pending, although these Malwr analyses [1] [2] [3] attempted downloads from:

109.234.35.37/californication/ninite.php
5.189.216.105/californication/ninite.php

This binary has a zero detection rate at VirusTotal.  That VirusTotal report and this Malwr report indicate network traffic to:

8.254.218.46 (Level 3, US)

I strongly recommend that you block traffic to that IP. This will be some variant of the Dridex banking trojan.

[UPDATE]

This additional Malwr report shows another IP worth blocking:

103.224.83.130 (#2 of Group 1, Lingshan, China)

Monday 11 January 2016

Malware spam: "E-Service (Europe) Ltd Invoice No: 10013405" / "Andrew Williams [andrew.williams@eurocoin.co.uk]"

This fake financial spam does not come from E-Service (Europe) Ltd but is instead a simple forgery with a malicious attachment:

From     Andrew Williams [andrew.williams@eurocoin.co.uk]
Date     Mon, 11 Jan 2016 17:07:38 +0700
Subject     E-Service (Europe) Ltd Invoice No: 10013405

Dear Customer,

Please find your invoice attached from E-Service (Europe) Ltd. We kindly ask you
to make payment for all transactions on or before their due date.

Please contact E-Service (Europe) if you have any issues or queries preventing your
prompt payment on:

Tel (44) 01707 280000
Email: accounts@e-service.co.uk
Or logon and register to access your  customer portal where you can view all historic
orders & transactions on www.e-service.co.uk

PLEASE NOTE NEW E-SERVICE (EUROPE)  BANK DETAILS:

Currency        A/C No.         Sort Code         Swift Code      IBAN No.

GBP               21698613         40-04-37         MIDLGB22            GB48MIDL40043721698613
EUR               71685997         40-05-15         MIDLGB22           GB75MIDL40051571685997

Kind regards

E-Service (Europe) Accounts Team
E-Service have been exceptionally quick about posting an update on their Twitter page. However, they have not been hacked at all as it is trivially easy to forge an email message. The attachment is a malicious Excel spreadsheet which leads to the Dridex banking trojan.

So far, I have seen five different versions of the attachment, all named Invoice 10013405.XLS and with detection rates of about 8/55 [1] [2] [3] [4] [5]. Analysis of the attachments is pending, please check back later.

UPDATE

The Malwr reports for the attachment [1] [2] [3] [4] [5] show that the macro in the spreadsheet downloads a file from the following locations:

arellano.biz/5fgbn/7tfr6kj.exe
pastorsschoolinternational.org/5fgbn/7tfr6kj.exe
www.c0-qadevtest.net/5fgbn/7tfr6kj.exe


This dropped file has a detection rate of 1/55. It is the same binary as found in this earlier spam run which phones home to:

114.215.108.157 (Aliyun Computing Co, China)

This is an IP that I strongly recommend blocking.

Dropped file MD5:
3d59b913f823314ca85839b60a9d563a

Attachment MD5s:
0a4cf4956f7725cc48809bf19759371c
b1bbced1425bcba77735017f6da21659
8f2803bb7564e85e4a5db6c877067a9f
295fe8083a872b9c3edf4439f3a00c67
9440167e49553f2a1d8aa1e38752e497


Malware spam: "Your latest invoice from UKFast No.1228407" / UKFast Accounts [accounts@ukfast.co.uk]

This fake financial spam does not come from UKFast but is instead a simple forgery with a malicious attachment.
From     UKFast Accounts [accounts@ukfast.co.uk]
Date     Mon, 11 Jan 2016 11:00:10 +0300
Subject     Your latest invoice from UKFast No.1228407
I am unable to determine what the body text is at the moment. In this case, the attachment was named Invoice-1228407.doc and has a VirusTotal detection rate of 3/54. The Malwr report shows that the malicious macro [pastebin] downloads an executable from:

www.vmodal.mx/5fgbn/7tfr6kj.exe

This binary has a detection rate of 2/54 and an MD5 of 3d59b913f823314ca85839b60a9d563a.  This Malwr report for the dropped file indicates network traffic to:

114.215.108.157 (Aliyun Computing Co, China)

I strongly recommend that you block traffic to that IP. The payload is the Dridex banking trojan.

Wednesday 16 December 2015

Domain registration scan: cn-registry.net / "Huabao Ltd"

This type of Chinese domain registration scam has been around for years.

From:    Jim Gong [jim.gong@cnregistry.net]
Date:    15 December 2015 at 13:40
Subject:    "petroldirect"

Dear CEO,

(If you are not the person who is in charge of this, please forward this to your CEO, because this is urgent, Thanks)

We are a Network Service Company which is the domain name registration center in Shanghai, China.

We received an application from Huabao Ltd on December 14, 2015. They want to register " petroldirect " as their Internet Keyword and " petroldirect .cn "、" petroldirect .com.cn " 、" petroldirect .net.cn "、" petroldirect .org.cn " 、" petroldirect .asia " domain names etc.., they are in China and Asia domain names. But after checking it, we find " petroldirect " conflicts with your company. In order to deal with this matter better, so we send you email and confirm whether this company is your distributor or business partner in China or not?

 
Best Regards,
  Jim
General Manager 
Shanghai Office (Head Office)
3008, Jiulong Building, No. 836 Nandan Road,
Shanghai, China
Tel: +86 216191 8696
Mobile: +86 1870199 4951
Fax: +86 216191 8697
Web: www.cn-registry.net
In fact, there is no Huabao Ltd - it's just a made-up name that the scammers use to try to persuade you into buying some overpriced and worthless domains. Nobody is interested in buying these domains, and no domain registrar would contact you before registration in any case as it is not the responsibility of registrar to do so*.

I certainly don't recommend forwarding this to your CEO, as many CEOs will not understand the scam and may fall for it. If you do forward it, make you that you point out that this is a scam.

This scam has been around for so long, that I even made a video about it..


These following domains are all variations of the same rogue Chinese registrar:

cnregistry.net
cn-registry.net
cnwebregistry.net
cn-registry.com
cnweb-registry.com
cnwebregistry.com
cnwebregistry.org
cnweb-registry.org
cnregistry.com.cn
cn-registry.org.cn
cnweb.org.cn
webregistry.org.cn


* except in specific and limited circumstances (e.g sunrise applications) that do not apply here.


Saturday 10 October 2015

Scam: "Jim Bing [jim.bing@cn-registry.cn]" / "Huayin Ltd"


This email is part of a long-running Chinese domain scam:
From:    Jim Bing [jim.bing@cn-registry.cn]
Date:    10 October 2015 at 13:52
Subject:    Re:"slimeware"





Dear CEO,
(If you are not the person who is in charge of this, please forward this to your CEO, because this is urgent, Thanks)

We are a Network Service Company which is the domain name registration center in Shanghai, China.

We received an application from Huayin Ltd on October 9, 2015. They want to register " slimeware " as their Internet Keyword and " slimeware .cn "、" slimeware .com.cn " 、" slimeware .net.cn "、" slimeware .org.cn " 、" slimeware .asia " domain names etc.., they are in China and Asia domain names. But after checking it, we find " slimeware " conflicts with your company. In order to deal with this matter better, so we send you email and confirm whether this company is your distributor or business partner in China or not?


Best Regards,

Jim
General Manager 
Shanghai Office (Head Office)
3008, Jiulong Building, No. 836 Nandan Road,
Xuhui District, Shanghai 200070, China
Tel: +86 216191 8696
Mobile: +86 1870199 4951
Fax: +86 216191 8697
Web: www.cn-registry.cn

Slimeware.com is an ancient site of mine that parodies adware companies. I doubt very much that anyone is trying to use this as a domain name for a legitimate business, and I couldn't care less if they did anyway. In fact, what is happening here is that the scammer "Jim Bing" (is he related to Terry Google?) is just trying to get you to panic and buy and overpriced and worthless domain name.

It's a pretty common scam, and I have explained the basics in the video below..


Wednesday 29 April 2015

cnwebregistry.cn / chinaygregistry.com scam and "Huayu Ltd"

This spam email is actually part of a long-running Chinese scam.

From:    Jim Bing [jim.bing@cnwebregistry.cn]
Date:    29 April 2015 at 14:27
Subject:    Re:"[redacted]"

Dear CEO,

(If you are not the person who is in charge of this, please forward this to your CEO, because this is urgent, Thanks)

We are a Network Service Company which is the domain name registration center in Shanghai, China.
We received an application from Huayu Ltd on April 27, 2015. They want to register " [redacted] " as their Internet Keyword and " [redacted] .cn "、" [redacted] .com.cn " 、" [redacted] .net.cn "、" [redacted] .org.cn " domain names etc.., they are in China domain names. But after checking it, we find " [redacted] " conflicts with your company. In order to deal with this matter better, so we send you email and confirm whether this company is your distributor or business partner in China or not?

Best Regards,

Jim
General Manager
Shanghai Office (Head Office)
3008, Jiulong Building, No. 836 Nandan Road,
Xuhui District, Shanghai 200070, China
Tel: +86 216191 8696
Mobile: +86 1870199 4951
Fax: +86 216191 8697
Web: www.cnwebregistry.cn
Whoever "Huayu Ltd" are is irrelevant, as they aren't actually interested in registering these domains, even if they exist. Instead, this is an attempt by a rogue Chinese domain registrar to get you to buy overpriced and worthless domains.

In this case the spam mentions the domain cnwebregistry.cn, but chinaygregistry.com is also on the same server and will be similarly fraudulent.

This video I made a while ago explains the scam in more detail:



Wednesday 15 April 2015

pdatamc.org / publicdmc.cn domain scam

This email message is actually a spam promoting a long-running scam where an unscrupulous party is attempting to sell overpriced and worthless domains to their intended victim.

From: Bruce Lo [mailto:bruce@publicdmc.cn]
Date: 14:59 Wednesday 15th April 2015
Subject: [victimdomain] Registration
Priority: High

To whom it may concern:

We are the Registrars accredited by China Internet Network Information Center. We have something to confirm with you. On April 7, 2015, we received an application in which a company by the name Presg Group applied to register " victimdomain " as their Brand Name and some Asia domain names through our firm.

Now we are handling this registration. After our initial checking, we found that the name are identical to your company's. We need to check with you whether your company has authorized that company to register these names. If you have authorized this, we will finish the registration at once. If not, please let us know within 7 workdays, in which case we will dicuss the matter more thoroughly. If not otherwise advised within that time limit we will proceed with the registration for Presg Group . We will be waiting for your reply. Have a nice day!

Best Regards

Bruce Lo
Registration Dept.
Phone: +86.55165184482
Fax:    +86.55165128724
Website:http://www.pdatamc.org/
Address: No. 789, XiYou Road, Zhengwu District, HeFei City, AnHui Province, China  
I've explained this particular scam so many times that I made a video explaining it..

businessexecutives01.com / theexecutivesbrand.com scam

This is a grubby "Who's Who scam"

From:    Sterling Hudson
Date:    15 April 2015 at 14:12
Subject:    Re: you were chosen as a potential candidate...

Dear,

You were recently chosen as a potential candidate to represent 2015 Worldwide Branding Registry of Distinguished Professionals and Executives.
We are pleased to inform you that your candidacy was formally approved May 2nd. Congratulations. The Publishing Committee selects potential candidates based not only upon their current standing, but focusing as well on criteria from executive and professional directories, associations, and trade journals.
Given your background, the Director believes your profile makes a fitting addition to our publication. There is no fee nor obligation to be listed. As we are working off of secondary sources, we must receive verification from you that your profile is accurate. After receiving verification, we will validate your registry listing within seven business days.
Once finalized, your listing will share prominent registry space with thousands of fellow accomplished individuals across the globe, each representing accomplishments within their own geographical area.
To verify your profile and accept the candidacy, please visit here.

Our registration deadline for this year's candidates is May 28th. To ensure you are included, we must receive your verification on or before this date. On behalf of our Committee, I salute your achievement and look forward to welcoming you to our association.
Sincerely,

Benjamin Morisson
Editor in Chief
Worldwide Selection Committee 2015

If you don't want to receive emails any more, please Unsubscribe
The link in the email does to www.businessexecutives01.com:8133/wayne/ which is an anonymously registered domain hosted on a spam server at 123.249.39.89 in China. The links on businessexecutives01.com  website all lead to theexecutivesbrand.com which is basically a mirror of the content.

There are a number of this scammy spam sites on the same servers. I recommend that you block all the following sites as spam:

businessexecutives01.com
dirtyemojis.ru
foldemholdem.com
ironchampusa.ru
truepeptide.net
theexecutivesbrand.com




Tuesday 25 November 2014

What the heck is with 104.152.215.0/25?

A contact gave me the heads up to an exploit kit running on 104.152.215.90 [virustotal] which appears to be using MS16-064 among other things [urlquery].

104.152.215.90 belongs to Query Foundry LLC in Wyoming, however they suballocated it to a customer:

NetRange:       104.152.215.0 - 104.152.215.127
CIDR:           104.152.215.0/25
NetName:        QUERYFOUNDRY
NetHandle:      NET-104-152-215-0-1
Parent:         QUERYFOUNDRY-06 (NET-104-152-212-0-1)
NetType:        Reassigned
OriginAS:       AS62638
Customer:       Shanghe Yang (C05354145)
RegDate:        2014-09-30
Updated:        2014-09-30
Ref:            http://whois.arin.net/rest/net/NET-104-152-215-0-1

CustName:       Shanghe Yang
Address:        707 Wilshire Blvd
City:           Los Angeles
StateProv:      CA
PostalCode:     90017
Country:        US
RegDate:        2014-09-30
Updated:        2014-09-30
Ref:            http://whois.arin.net/rest/customer/C05354145
707 Wilshire Boulevard is a massive office block  but I suspect that this is just an accommodation address, so there's no real lead on who this customer is.

A look at the contents of the /25 is puzzling, because I can see almost 1500 sites [csv] on a number of active IPs [txt], almost none of which have any kind of discernible web presence or reputation. 

Drilling down into the domains and registrants [csv] shows a list of either Chinese or US registrants, but in the vast majority of cases they look to be fake. The key indicator is that the email addresses listed are all of a similar format and bear no relationship whatsoever to the name of the registrant.

The random structure of most of the domains is an indicator of possible maliciousness. The few domains that don't meet these pattern seem to be .fr domains which look like they have been hijacked or re-registered.. and oddly they are all registered to different (often obviously fake) people at the same address in France:


address:     13, rue de rohrwiller bischwiller,67240 Bas-Rhin, France 139 a
address:     67240 Bischwiller
address:     Bas-Rhin
country:     FR


It isn't a big place according to Google.  I doubt if there is a Assad Sfdsadsfw, Yfdsjshfk Ynagkjhk, Qewqewq Sfwad or Poiug Pppobflgk living in that location.

Although there is not much data about the range, there are a couple of domains that are also flagged a malicious:

sxzav.xyz [Google diagnostics]
klioz.xyz [Google diagnostics]

Quite why they are flagged as malicious is a puzzle.

My personal opinion is that there is enough evidence to treat 104.152.215.0/25 as a suspect network. It does not appear to have any legitimate sites, the sites that do exist are of an unknown purpose and often have apparently fake WHOIS details for the domains.

Blocking or monitoring for traffic to and from that /25 is the easiest way of doing it, alternatively these are the domains being used in this network block:

izhse.com.cn
nmfcd.com.cn
szeeo.com.cn
trfqg.com.cn
uzwqy.com.cn
ycrlru.cn
yifxu.cn
yivuu.cn
yoezuu.cn
yrmhmu.cn
yszrru.cn
yyknu.cn
bcczrvo.com
bzvod.com
cyhgeqm.com
dgudwco.com
dhidzbo.com
dhwgfub.com
dnzwafr.com
dqlivdc.com
enndmfy.com
eufxdtc.com
eugutxh.com
fprtrsz.com
fytwhsw.com
gwrvwed.com
heghsbq.com
hotkii.com
hsephqf.com
iondydc.com
jeyztjy.com
jjfnshu.com
jpkwin.com
jtgypou.com
jtvkrv.com
kudnzpq.com
lgyudpy.com
mhmzyqf.com
mhxipaw.com
mtqlgko.com
nekclhr.com
ngieznn.com
nwnfbmn.com
okjepel.com
pbqbgkd.com
pcerrxh.com
plqrwgl.com
qebywad.com
qtknjnb.com
ripyiht.com
scauyfs.com
svyqkuu.com
sxfkzgf.com
tfwvtxy.com
ubqyfht.com
uewswa.com
umremdh.com
uuyrvtf.com
vdblrqb.com
vjqmryt.com
wgsunfk.com
wubpcb.com
xjgvtvs.com
xqyvqtx.com
ypnmxpe.com
ysmryfm.com
yyxkaqs.com
zakagps.com
zbecfan.com
mudanguojiyulecheng.eu
feldo-luxury.fr
latable-brasserie.fr
lestudio-orthez.fr
limpid.fr
mariepapier.fr
mobile-prepaye.fr
piscines-spas-95.fr
taxi-saint-medard-de-guizieres.fr
thermoservices.fr
tout-com-magny.fr
vansboutique.fr
fxy101.org
fxy102.org
fxy103.org
fxy105.org
fxy106.org
fxy107.org
fxy108.org
fxy109.org
sz101.org
sz103.org
sz118.org
sz188.org
tz100.org
tz110.org
7381.pw
97897.pw
417700.pw
ccbjz.pw
cdjgey.pw
dfjglr.pw
dfojy.pw
dgkjgy.pw
dlgjt.pw
hljbjz.pw
hrbbz.pw
hzkhj.pw
jlbzj.pw
jsbzj.pw
kdjjt.pw
kjdkg.pw
lnbzj.pw
njkuy.pw
sdbzj.pw
sdjkls.pw
sdljog.pw
sjaux.pw
sldjog.pw
sxbzj.pw
sybzj.pw
szjbzj.pw
tjbyee.pw
whgiut.pw
cmslj.xyz
fdslj.xyz
fjdxz.xyz
hbdxz.xyz
hkdxz.xyz
hljdxz.xyz
hndxz.xyz
klioz.xyz
myslj.xyz
nhslj.xyz
njdxz.xyz
sxzav.xyz
tlslj.xyz
tnslj.xyz
whslj.xyz
wzslj.xyz
ycslj.xyz
yqslj.xyz
yyslj.xyz
zwslj.xyz

Thursday 9 October 2014

chinaregistry.org.cn domain scam

This is an old scam that can safely be ignored.
From:     Henry Liu [henry.liu@chinaregistry.org.cn]
Date:     9 October 2014 07:53
Subject:     [redacted] domain and keyword in CN

(Please forward this to your CEO, because this is urgent. Thanks)

We are a Network Service Company which is the domain name registration center in Shanghai, China. On Oct 7, 2014, we received an application from Huaya Holdings Ltd requested "[redacted]" as their internet keyword and China (CN) domain names. But after checking it, we find this name conflict with your company name or trademark. In order to deal with this matter better, it's necessary to send email to you and confirm whether this company is your distributor or business partner in China?Kind regards

Henry Liu 
General Manager 
China Registry (Headquarters)
3002, Nanhai Building, No. 854 Nandan Road,
Xuhui District, Shanghai, China
Tel: +86 21 6191 8696
Mobile: +86 138 1642 8671
Fax: +86 21 6191 8697
Web:
www.chinaregistry.org.cn

Nobody is trying to register your domain name, this is simply a long-running scam aimed at getting you to spend too much money on something that you don't need. And I strongly recommend that you don't forward junk email like this to your CEO either.

I created a brief video explaining the scam that you can view below:

Monday 14 July 2014

Scam: "CNnet Dispute Solutions Ltd" cn-network.com / cn-network.org

This email from a Chinese domain registrar styling itself as "CNnet Dispute Solutions Ltd" is a scam.

From:     james@cn-network.org
Date:     14 July 2014 11:12
Subject:     About Internet Trademark Issue: [redacted]


Dear Manager,

(If you are not the person who is in charge of this, please forward this to your CEO,Thanks)

We are a organization specializing in trademark consulting and domain name registration services in China. We just received an application sent from "HaiTon Importing Co., Ltd" on 13/07/2014, requesting for applying the "[redacted]" as the Internet Brand and some Chinese domains such as .cn/.com.cn/.hk/.asia ect... for their business running. Though our preliminary review and verification, we found that this keyword is currently being used by your company and is applied as your domain name. In order to avoid any potential risks in terms of trademark dispute and impact on your market businesses in China and Asia in future, we need to confirm with you whether "HaiTon Importing Co., Ltd" is your own subsidiary or partner.

Will your businesses in China and Asia be impacted potentially if they apply for this trademark? And will you agree this company to apply for this trademark? Please contact us immediately within 10 working days, otherwise, you will be deemed as waived by default.

Please contact us in time in order that we can handle this issue better.


Best Regards,

James Tan

Auditing Department.

Registration Department Manager
4/F,No.9 XingHui West Street,

JinNiu ChenDu, China

Office: +86 2887662861

Fax: +86 2887783286

Web: http://www.cn-network.com



Please consider the environment before you print this e-mail.
Don't worry, this is a scam. There is no such company as "HaiTon Importing Co". Nobody is trying to register these worthless domains, there is really nothing to worry about. I've explained it all in this video.

They have a website at cn-network.com and are soliciting replies to cn-network.org. Registration details are as follows:

Registry Registrant ID:
Registrant Name: Wang XiaoGang
Registrant Organization: Cheng Du Chuang Ning Wang Luo Ke Ji You Xian Gong Si
Registrant Address: No. 69  JinFangYuanDong Road  ChengDuJinNiu District
Registrant City: ChengDuShi
Registrant Province/state: SC
Registrant Country: CN
Registrant Postal Code: 610000
Registrant Phone: +86.2887783286
Registrant Phone EXT: +86.2887783286
Registrant Fax: +86.2887783286
Registrant Fax EXT: +86.2887783286
Registrant Email: 253885777@qq.com
Registrant Email EXT: 253885777@qq.com
Registry Admin ID: 42771277


I can find the following domains that use the same contact details:

cn-nic.org
cn-network.org
cn-network.com
cn-network.net
cnnetcor.com
cnnetpro.com


This scam has been going around for years, and it is just being randomly spammed out and you should simply ignore it.

Video: Chinese Domain Scams


Monday 23 June 2014

Obama sends me an important message about surveillance

Obama sends me an important message about surveillance. No, really. But perhaps not the Obama you are thinking of.

Date:      Mon, 23 Jun 2014 23:36:02 +0800 [11:36:02 EDT]
From:      CCTV Surveillance [mail@globalsourcescctv.com]
Reply-To:      mail@globalsourcescctv.com
Subject:      [IMPORTANT] Surveillance

Hi,
Good day

We would like to take this opportunity to introduce our company.
WEISKYTECH founded in 2006.
Export 90% products to developed countries in North America and Europe,
established close business relationship with many famous security companies around the world.

Our Products Line
| CCTV camera. (IP CAMERA.HD-CVI CAMERA.ANALOG CMOS/CCD.)
| NVTKITs. DVRKITs.CVRKITs. (4CH,8CH,16CH)
| POE SWITCH (4.8.16.24CH POE SWITCH. 15W.25W POE MODULE).
| NVR.CVR.DVR

We want to give to you GOOD - CHEAP - FAST Surveillance products.
Obama here, looking for your reply needs and questions.

Reply me & quality products can be stand your inspection!

Best Regards,

Mr Obama, 
There's no website, so this spam is soliciting replies via email so globalsourcescctv.com must be valid for receiving mail (indeed, the MXes are mxbiz1.qq.com and mxbiz2.qq.com). Let's have a look at those WHOIS details then..

Registry Registrant ID: 1821794
Registrant Name: WILSON
Registrant Organization: Obama
Registrant Street: LONGHUA
Registrant City: shenzhen
Registrant State/Province: Guangdong
Registrant Postal Code: 518000   
Registrant Country: China
Registrant Phone: +86.75536956066                        
Registrant Phone Ext:
Registrant Fax: +86.75536956066                        
Registrant Fax Ext:
Registrant Email: 595642135@qq.com                       
Registry Admin ID: 1821795


Wow.. Obama again. Must be legit. Or perhaps not..

Sunday 2 March 2014

Malware sites to block 2/3/14

These domains and IPs are all connected with this gang, some of it appears to be involved in malware distribution, fraud or other illegal activities. I recommend that you block these IPs and domains.

Note that some of the IPs listed below are compromised nameservers (marked [ns]) which look like they are insufficiently well locked down. There is a plain list of IPs at the end for copy-and-pasting.

accounting-kent.net
aerostat-adventures.net
aim-darts.net
airnavrace.net
amia.cc
aqu.su
artplat.com
binfile.net
brigadiramoon170.com
ccl.su
clubkindergarten.net
combonicer200.com
ehk.su
flatroom.net
gefesosexwithjimmy.org
iceselinsgrove.com
kartaby.com
keksnownikolle.biz
kirr.cc
lollipollyboobs.org
lostpetutah.net
macdegredo.com
mecheti.com
megemind.com
onetimedns.com
orimylife.net
pcg.su
quarter.su
sandwars.net
sec-one-dns.com
security-apps24.com
securityappsmart.com
security-safedomains.com
security-trust.com
smis.cc
stepnitres.ru
studio-sands.net
unicttaskforce.com
usgunlavs.net
webercountyfairr.net
wildscot-tv.com
world-motorhome.net

12.42.61.221    (AT&T, US)   
19.214.121.54    (Ford Motor Company, US)    [ns]
22.15.199.21    (DOD, US)    [ns]
23.253.75.234    (Rackspace, US)   
31.210.107.33    (Radore Veri Merkezi Hizmetleri, Turkey)   
32.21.129.43    (AT&T, US)    [ns]
32.90.65.25    (AT&T, US)    [ns]
37.255.241.29    (TCE, Iran)   
41.66.55.3    (Cote d'Ivoire Telecom, Cote d'Ivoire)    [ns]
41.106.3.132    (FTTH, Algeria)    [ns]
42.96.195.183    (Alibaba, China)    [ns]
54.81.32.208    (Amazon AWS, US)   
65.27.155.176    (Time Warner Cable, US)   
79.88.112.206    (Societe Francaise du Radiotelephone, France)   
83.239.90.244    (OJSC Rostelecom Macroregional Branch South, Russia)   
89.39.83.177    (C&A Connect SRL, Romania)   
89.69.138.91    (UPC, Poland)   
92.84.13.131    (Romtelecom, Romania)    [ns]
93.190.137.5    (Worldstream, Netherlands)   
95.57.118.56    (Dmitry Davydenko / Goldhost LLC, Kazakhstan)   
96.44.143.179    (Quadranet Inc, US)   
103.31.251.202    (Argon Data Communication, Indonesia)   
108.81.248.139    (William Allard / AT&T, US)   
109.24.255.129    (Societe Francaise du Radiotelephone, France)   
112.222.201.43    (LG DACOM Corporation, Korea)   
115.28.39.216    (Hichina Web Solutions, China)   
128.101.154.25    (University of Minnesota, US)    [ns]
128.199.235.196    (DigitialOcean Cloud, Singapore)   
130.255.185.19    (Bradler & Krantz, Germany)   
147.249.171.10    (IDD Information Services, US)    [ns]
152.46.17.236    (North Carolina Research and Education Network, US)   
162.243.39.118    (Digital Ocean, US)   
167.15.26.219    (Munich Reinsurance America Inc, US)    [ns]
167.120.25.43    (The Dow Chemical Company, US)    [ns]
171.76.101.11    (Bharti Cellular Ltd, India)    [ns]
175.107.192.56    (Cyber Internet Services Pakistan, Pakistan)   
176.53.125.6    (Radore Veri Merkezi Hizmetleri, Turkey)   
181.41.194.253    (HOST1FREE at Brazil, Brazil)   
184.154.170.10    (SingleHop, US)    [ns]
185.9.159.205    (Salay Telekomunikasyon Ticaret Limited Sirketi, Turkey)   
186.194.39.139    (FMG Macabuense com serv distrib ltda-me, Brazil)    [ns]
186.202.184.178    (Locaweb Serviços de Internet S/A, Brazil)   
186.214.212.64    (Global Village Telecom, Brazil)   
188.165.91.216    (OVH, France / DoHost, Egypt)    [ns]
188.168.142.57    (Transtelecom CJSC, Russia)   
193.17.184.247    (Biznes-Host.pl, Poland)   
194.209.82.222    (blue-infinity, Switzerland)    [ns]
203.235.181.138    (KRNIC, Korea)   
208.167.238.115    (Choopa LLC, US)   
209.203.50.200    (Vox Telecom, South Africa)   
222.218.13.91    (Chinanet Guangxi Province Network , China)    [ns]


12.42.61.221
19.214.121.54
22.15.199.21
23.253.75.234
31.210.107.33
32.21.129.43
32.90.65.25
37.255.241.29
41.66.55.3
41.106.3.132
42.96.195.183
54.81.32.208
65.27.155.176
79.88.112.206
83.239.90.244
89.39.83.177
89.69.138.91
92.84.13.131
93.190.137.5
95.57.118.56
96.44.143.179
103.31.251.202
108.81.248.139
109.24.255.129
112.222.201.43
115.28.39.216
128.101.154.25
128.199.235.196
130.255.185.19
147.249.171.10
152.46.17.236
162.243.39.118
167.15.26.219
167.120.25.43
171.76.101.11
175.107.192.56
176.53.125.6
181.41.194.253
184.154.170.10
185.9.159.205
186.194.39.139
186.202.184.178
186.214.212.64
188.165.91.216
188.168.142.57
193.17.184.247
194.209.82.222
203.235.181.138
208.167.238.115
209.203.50.200
222.218.13.91

Monday 16 December 2013

Video: Chinese domain scams


yiyu-ipr.org domain scam

Yet another Chinese domain scam, this time trying to punt the "Tiger Direct" trademark (which I don't own!).

From:     lisa [lisa@yiyu-ipr.org]
Date:     16 December 2013 04:04
Subject:     International Trademark " tigerdirect"

(Please forward this to your CEO or President, because this is urgent. Thank you.)

Dear President & CEO,

We are an IPR registration service law office in China. On Dec.13, 2013, we received an application from "TD Investment Co., Ltd." wants to register the following Trademark and Domains:

Trademark:
tigerdirect

Domains:
 tigerdirect.com.hk
 tigerdirect.com.tw
 tigerdirect.hk
 tigerdirect.net.cn
 tigerdirect.org.cn
 tigerdirect.tw

Based on the registration procedure, we found that the name is the same as your company's name,and we must check these for you. If your company and this "TD Investment Co., Ltd." are the same company,there is no need to reply to us,We will accept their application and will register those for them soon. If your company has no relationships with that company nor authorized,please reply to us asap at latest within 7 workdays. But if we can't get any information from your side over 7 workdays,we will unconditionally approve the application submitted by "TD Investment Co., Ltd." Thanks for your cooperation.


Kind Regards,

Lisa Zeng

***************************************************
Lisa Zeng / Attorney
YIYU Chengdu Office(Head Office)
3/F,1st Building Citang Street No.8,
Qingyang District, ChengDu, China.
Tel: +86 28 8777 5008
Fax: +86 28 6246 5008
Web: http://www.yiyu-ipr.org
This e-mail contains information (including any attachments) intended only for the use of the individual or entity named above. If the reader of this e-mail is not the intended recipient or the authorized employee or agent responsible for delivering it to the intended recipient, any dissemination, publication or copying of this e-mail is strictly prohibited and may be illegal. If you have received this communication in error, please notify the sender. Thank you for your cooperation.
P Please consider the environment before you print this e-mail.
This scam has been running for a long time. In reality registrars are in no way responsible for checking trademarks before registration, and my experience is that even after these dire warnings nobody actually registers the domains in any case.

I don't know if the WHOIS details for this domain are genuine, but there are:
Registrant ID:f0dda025f296d026
Registrant Name:David Tang
Registrant Organization:YIYU LAW OFFICE
Registrant Street1:chengdushi
Registrant Street2:
Registrant Street3:
Registrant City:chengdushi
Registrant State/Province:sichuan
Registrant Postal Code:100000
Registrant Country:CN
Registrant Phone:+86.2887775008
Registrant Phone Ext.:
Registrant FAX:+86.2862465008
Registrant FAX Ext.:
Registrant Email:296304138@qq.com


These other domains are all associated with the same outfit and you can probably assume that any similar pitch from them is a scam.

yiyu-ipr.org
yiyuinternational.com
yiyuit.org
yiyuiprlaw.com
yiyulaw.com
yiyullc.com
yy-ipr.org
yyipr.org
chadlaw.asia
chadlaw.org
chadlawoffice.org
chadiprlaw.org
marchiorousa.asia
wanbaojisige.com

Tuesday 10 December 2013

"EUROPOL" scareware / something evil on 193.169.87.247

193.169.87.247 ("PE Ivanov Vitaliy Sergeevich", Ukraine) is currently serving up scareware claiming that the victim's PC is locked, using the following domains:

a1751.com
b4326.com
d2178.com
f1207.com
h5841.com
k6369.com

The scareware is multilingual and detects the country that the visitor is calling from. In this case I visited from the UK and got the following:


Europol   EUROPEAN CYBERCRIME CENTRE    Europol EC3

All activities of this computer have been recorded. All your files are encrypted.

ATTENTION!

All your files are encrypted to prevent their distribution and use.
Due to violations of the law, your browser has been blocked
because of at least one of the reasons below.

1. You have been subjected to violation of Copyright and Related Rights Law and illegally using or distributing copyrighted contents such as Video, Music or\and Software (files were found in your browser's temporary files and your documents), thus conflicting with Article 1, Section 8, Clause 8 of the Criminal Code of the United Kingdom.
Article 1, Section 8, Cause 8 of the Criminal Code states a fine or two hundred minimal wages or a deprivation of liberty of two to eight years.
2. You have been viewing or distributing prohibited Pornographic contents: Child Porno photos and such, were found in browser's temporary files and your documents.
Thus, you are violating article 202 of the Criminal Code of the United Kingdom. Article 202 of the Criminal Code states a deprivation of liberty of four to twelve years.
3. Illegal access has been initiated from your PC without your knowledge or consent, your PC may be infected with malware, thus you are violating the law of Neglectful Use of your Personal Computer. Article 210 of the Criminal Code declares a fine of up to £50,000 and/or deprivation of liberty of four to nine years.
Pursuant to the amendment of the Criminal Code of the United Kingdom of May 28, 2011, this law infringement (if it is a first time offence) may be considered as conditional in case you pay the fine.

To unlock your computer and avoid other legal consequences, you are obliged to pay a release fee of £200, payable through Ukash (you must purchase the Ukash card and enter the code). You can buy the card at any store or gas station, payzone or paypoint.

Find the nearest epay or payzone location.
Go to any location with a PayPoint or Payzone terminal.
Ask for Ukash: £200.00 (one voucher code).

Please note: Fine can only be paid within 12 hours. As soon as 12 hours expire, the possibility to pay the fine is lost forever. All your PC data will be detained and criminal's procedure will be initiated against you if the fine will not be paid!

The text varies depending on the country the visitor is in, for example URLquery displays the text in Norwegian.

 The bad guys use subdomains to obfuscate the domain somewhat, so instead of just getting f1207.com (for example), you get europol.europe.eu.id176630100-8047697129.f1207.com instead which looks a little more official. You can see some more examples here.

All the domains in use are registered through scam-friendly registrar BIZCN to:

Registrant Name: Zhong Si
Registrant Organization: Xicheng Co.
Registrant Street: Huixindongjie 15  2
Registrant City: Beijing
Registrant State/Province: Chaoyang
Registrant Postal Code: 101402
Registrant Country: cn
Registrant Phone: 01066569215
Registrant Phone Ext:
Registrant Fax: 01066549216
Registrant Fax Ext:
Registrant Email: zhongguancun@yahoo.com


Now, I would normally suggest that the WHOIS details were fake but a Google search for the email address shows that it has been active for over two years including this injection attack I documented in September 2011. It is possible therefore that Zhong Si and Xicheng Co are actually responsible.

193.169.87.247 is regiesterd to "PE Ivanov Vitaliy Sergeevich" (i.e. Vitaliy Ivanov or Виталий Сергеевич Иванов) as follows:

organisation:   ORG-IV2-RIPE
org-name:       PE Ivanov Vitaliy Sergeevich
org-type:       OTHER
address:        42-A Tobolskaya street, office 230, Kharkov, Ukraine
mnt-ref:        MNT-IV25
mnt-by:         MNT-IV25
source:         RIPE # Filtered


193.169.87.247 forms part of 193.169.86.0/23 AS48031 which has a so-so reputation according to Google, it does look like there are a lot of legitimate sites in the neighbourhood as well as these malicious ones.

Recommended blocklist:
193.169.87.247
a1751.com
b4326.com
d2178.com
f1207.com
h5841.com
k6369.com

Update: a similar attack has also taken place on 193.169.86.250 on the same netblock.