
Wednesday 29 May 2013

Malware sites to block 29/5/13

These domains and IP addresses are connected to this malware spam run and belong to a group I call the "Amerika" gang (because they tend to use fake US addresses for their WHOIS details but really seem to be Russian).

It's quite a long set of lists: first a list of malware domains, then a list of malicious IPs and their web hosts, followed by a plain recommended IP blocklist for copy-and-pasting, and finally a list of IPs advertised as nameservers within this group, for research purposes only.

You might notice something odd going on at the University of Illinois in the 128.174.240.0/24 range. Hmm..

Domains:
adverstindotanes.com
assumedwhacked.su
auditbodies.net
autocanonicals.com
aviachecki.ru
avtotracki.ru
balckanweb.com
bebomsn.net
bednotlonely.com
beveragerefine.su
biati.net
businessdocu.net
buyparrots.net
carambatv.net
chairsantique.net
cocainism.net
condalinaradushko.ru
condalinaradushko5.ru
condalinradishevo.ru
confideracia.ru
coping-capacity.com
crossdissstep.com
crushandflussh.net
curilkofskie.ru
decimallogme.com
docudat.ru
doorandstoned.com
down-vid.net
e-eleves.net
ernutkskiepro.ru
exrexycheck.ru
fastkrug.ru
federal-credit-union.com
fenvid.com
flipboardre-late.com
gangrenablin.ru
garohoviesupi.ru
getstatsp.ru
ghroumingoviede.ru
giwmmasnieuhe.ru
heavygear.net
heidipinks.com
hiddenhacks.com
hotamortisation.net
iberiti.com
icensol.net
independinsy.net
initiationtune.su
insectiore.net
jounglehoodeze.su
letsgofit.net
linguaape.net
metalcrew.net
mgdooling.ru
mortolkr4.com
multipliedfor.com
mydkarsy.com
myfreecamgirls.net
nitrogrenberd.net
normansvenn.com
notyetratedwort.com
nvufvwieg.com
ochengorit.ru
otoperhone.com
outbounduk.net
outlookexpres.net
peertag.com
penetratedsync.su
pizdecnujzno.ru
proxy-tor-service.com
recorderbooks.net
relectsdispla.net
reportingglan.com
restaurantequipmentparadise.net
roobihhooerses.at
rusistema.ru
salesplaytime.net
sbliteratedtum.su
scanskype.pl
secrettapess.com
secureaction120.com
sludgekeychai.net
smartsecurity-app.com
smartsecurityapp2013.com
smurfberrieswd.su
solidlettersiz.su
stackltiplied.net
streetgreenlj.com
streetlookups.com
susubaby.net
sweetcarsinkas.at
tasteh-pux.com
techno5room.ru
testerpro5.ru
timeschedulin.com
time-update.com
time-update.net
trackerpro5.ru
twintrade.net
uestsradiates.net
usergateproxy.net
virgin-altantic.net
xenaidaivanov.ru
yelpwapphoned.com
zeouk-gt.com
zoohits.net

IPs and hosts:
5.175.155.183 (GHOSTnet, Germany)
37.131.214.69 (Interra Ltd, Russia)
41.89.6.179 (Kenya Education Network, Kenya)
42.62.29.4 (Forest Eternal, China)
50.193.197.178 (Comcast, US)
54.214.22.177 (Amazon AWS, US)
62.109.30.168 (TheFirst-RU, Russia)
77.237.190.22 (Parsun Network Solutions, Iran)
82.50.45.42 (Telecom Italia, Italy)
91.93.151.127 (Global Iletisim Hizmetleri, Turkey)
91.193.75.55 (KGB Hosting, Serbia)
94.249.208.228 (GHOSTnet, Germany)
95.43.161.50 (BTC, Bulgaria)
99.61.57.201 (AT&T, US)
103.7.251.36 (Fiberathome, Bangladesh)
109.169.64.170 (ThrustVPS, US)
112.196.2.39 (Quadrant Televentures / HFCL Infotel, India)
114.4.27.219 (Indosat, Indonesia)
114.247.121.139 (China Unicom, China)
115.28.35.163 (HiChina Web Solutions, China)
122.160.51.9 (ABTS, Delhi)
128.174.240.37 (University of Illinois, US)
128.174.240.52 (University of Illinois, US)
128.174.240.74 (University of Illinois, US)
128.174.240.153 (University of Illinois, US)
128.174.240.213 (University of Illinois, US)
140.117.164.154 (Sun Yat-sen University, Taiwan)
151.1.224.118 (Itnet, Italy)
159.253.18.253 (FastVPS, Russia)
162.209.12.86 (Rackspace, US)
166.78.136.235 (Rackspace, US)
177.5.244.236 (Brasil Telecom, Brazil)
178.20.231.214 (Salay Telekomunikasyon Ticaret Limited, Turkey)
178.209.126.87 (WestCall Ltd, Russia)
181.52.237.17 (Telmex, Colombia)
183.82.221.13 (Hitech, India)
186.215.126.52 (Global Village Telecom, Brazil)
188.32.153.31 (National Cable Networks, Russia)
190.106.207.25 (Comcel, Guatemala)
192.154.103.81 (Gorillaservers, US)
192.210.216.53 (ColoCrossing, US)
197.246.3.196 (The Noor Group, Egypt)
201.65.23.153 (Comercial 15 De Novembro Ltda, Brazil)
201.170.148.171 (Telefonos del Noroeste, Mexico)
204.45.7.213 (FDCservers.net, US)
208.68.36.11 (Digital Ocean, US)
210.61.8.50 (Chunghwa Telecom, Taiwan)
212.179.221.31 (Bezeq International, Israel)
213.113.120.211 (Telenor, Sweden)
217.174.211.1 (Agarik SA, France)
222.200.187.83 (Sun Yat-sen University, China)

Recommended IP blocklist:
5.175.155.183
37.131.214.69
41.89.6.179
42.62.29.4
50.193.197.178
54.214.22.177
62.109.28.0/22
77.237.190.0/24
82.50.45.42
91.93.151.127
91.193.75.0/24
94.249.208.228
95.43.161.50
99.61.57.201
103.7.251.36
109.169.64.170
112.196.2.39
114.4.27.219
114.247.121.139
115.28.35.163
122.160.51.9
128.174.240.0/24
140.117.164.154
151.1.224.118
159.253.18.0/24
162.209.12.86
166.78.136.235
177.5.244.236
178.20.231.214
178.209.126.87
181.52.237.17
183.82.221.13
186.215.126.52
188.32.153.31
190.106.207.25
192.154.103.81
192.210.216.53
197.246.3.196
201.65.23.153
201.170.148.171
204.45.7.213
208.68.36.11
210.61.8.50
212.179.221.31
213.113.120.211
217.174.211.1
222.200.187.83

IPs advertising as nameservers (I'm pretty sure some of these are bogus, so use these for research purposes only):
2.121.229.200 (Sky Broadband, UK)
5.175.146.153 (GHOSTnet, Germany)
5.175.154.17 (GHOSTnet, Germany)
5.175.154.149 (GHOSTnet, Germany)
5.231.18.4 (GHOSTnet, Germany)
6.18.199.178 (Department of Defense, US)
6.20.13.25 (Department of Defense, US)
8.13.139.1 (Level 3 Communications, US)
8.18.19.15 (Level 3 Communications, US)
8.18.19.16 (Level 3 Communications, US)
11.3.51.158 (Department of Defense, US)
12.179.132.98 (Intuit, US)
14.139.209.13 (National Institute Of Technology, India)
15.78.78.23 (Hewlett Packard, US)
15.84.23.131 (Hewlett Packard, US)
17.19.12.100 (Apple Inc, US)
20.2.45.143 (CSC, US)
22.100.28.100 (Department of Defense, US)
29.125.31.77 (Department of Defense, US)
42.96.142.17 (Alibaba, China)
42.96.194.13 (Alibaba, China)
46.254.18.79 (Internet-Hosting Ltd, Russia)
65.34.1.1 (RoadRunner / Bright House, US)
65.180.199.2 (Sprint, US)
66.100.109.112 (Savvis, US)
71.123.11.14 (Verizon, US)
77.99.44.18 (Virgin Media, UK)
80.249.65.80 (Djaweb, Algeria)
81.31.227.60 (Chapar Raseneg, Iran)
85.25.189.163 (Intergenia / PlusServer AG, Germany)
91.215.156.62 (Infinite Technologies, Netherlands)
91.242.214.33 (Hostcircle, India)
92.190.190.191 (France Telecom, France)
95.143.41.41 (Inline Internet / VPS4less, Germany)
112.72.64.217 (VTC Wireless Broadband Company, Vietnam)
114.199.141.85 (Hyundai Communications, Korea)
125.39.104.86 (Beijing Sinainternetinformationservice, China)
153.127.248.205 (Kagoya Japan Corporation, Japan)
162.209.14.28 (Rackspace, US)
173.1.12.57 (GoGrid LLC, US)
175.102.0.187 (Shanghai Yovole Networks, China)
176.19.224.180 (Mobily, Saudi Arabia)
177.5.230.242 (Brasil Telecom, Brazil)
184.106.229.74 (Rackspace, US)
186.25.27.65 (Telcel, Venezuela)
186.25.27.66 (Telcel, Venezuela)
201.101.98.89 (UniNet, Mexico)
202.63.105.86 (Southern Online Bio Technologies, India)
202.93.114.90 (FirstasiaNet, Indonesia)
207.58.158.186 (Servint, US)
207.182.146.247 (Xlhost, US)
209.140.18.37 (Landis Holdings, US)
210.25.137.197 (China Education and Research Network, China)
211.20.45.138 (Chunghwa Telecom, Taiwan)
214.191.12.134 (Department of Defense, US)
214.191.102.34 (Department of Defense, US)
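The recommended blocklist above mixes single addresses with CIDR aggregates (for example 62.109.28.0/22 stands in for 62.109.30.168, and 128.174.240.0/24 covers all five University of Illinois hosts). Before pasting such a list into a firewall it is worth checking that every host in the "IPs and hosts" list really does fall inside one of the blocklist entries, and seeing which entries are aggregates so the wider collateral blocking is a conscious choice. The script below is an added example, not part of the original post: it parses both lists (a subset of the post's entries is embedded inline), reports any host the blocklist fails to cover, maps each entry to the hosts it aggregates, and emits `ipset` commands for a `hash:net` set. The set name `amerika` is an arbitrary choice for the example.

```python
import ipaddress

# Subset of the "IPs and hosts" list from the post above (annotations kept as written).
HOSTS_TEXT = """\
5.175.155.183 (GHOSTnet, Germany)
62.109.30.168 (TheFirst-RU, Russia)
77.237.190.22 (Parsun Network Solutions, Iran)
91.193.75.55 (KGB Hosting, Serbia)
128.174.240.37 (University of Illinois, US)
128.174.240.52 (University of Illinois, US)
128.174.240.74 (University of Illinois, US)
128.174.240.153 (University of Illinois, US)
128.174.240.213 (University of Illinois, US)
159.253.18.253 (FastVPS, Russia)
222.200.187.83 (Sun Yat-sen University, China)
"""

# Subset of the "Recommended IP blocklist" from the post: bare IPs and CIDR ranges.
BLOCKLIST_TEXT = """\
5.175.155.183
62.109.28.0/22
77.237.190.0/24
91.193.75.0/24
128.174.240.0/24
159.253.18.0/24
222.200.187.83
"""


def parse_blocklist(text):
    """Return a sorted, de-overlapped list of ip_network objects.

    Bare addresses become /32 networks; blank lines and '#' comments are skipped.
    collapse_addresses() merges entries that overlap or are adjacent.
    """
    nets = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        nets.append(ipaddress.ip_network(line, strict=False))
    return list(ipaddress.collapse_addresses(nets))


def parse_hosts(text):
    """Return {ip_address: annotation} from lines like '1.2.3.4 (Host, Country)'."""
    hosts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ip, _, note = line.partition(" ")
        hosts[ipaddress.ip_address(ip)] = note.strip("() ")
    return hosts


def is_blocked(ip, networks):
    """True if the address (string) falls inside any blocklist network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def uncovered_hosts(hosts, networks):
    """Hosts from the IP list that the blocklist does NOT cover (should be empty)."""
    return [str(ip) for ip in sorted(hosts) if not any(ip in n for n in networks)]


def aggregate_entries(hosts, networks):
    """Map each blocklist entry to the listed hosts it covers, so aggregates stand out."""
    return {
        net.with_prefixlen: [str(ip) for ip in sorted(hosts) if ip in net]
        for net in networks
    }


def ipset_commands(networks, set_name):
    """Commands to load the blocklist into an ipset hash:net set (accepts CIDR entries)."""
    cmds = [f"ipset create {set_name} hash:net"]
    cmds += [f"ipset add {set_name} {net.with_prefixlen}" for net in networks]
    return cmds


if __name__ == "__main__":
    nets = parse_blocklist(BLOCKLIST_TEXT)
    hosts = parse_hosts(HOSTS_TEXT)
    print("hosts not covered by the blocklist:", uncovered_hosts(hosts, nets))
    for net, covered in aggregate_entries(hosts, nets).items():
        if len(covered) > 1:
            print(f"{net} aggregates {len(covered)} hosts: {covered}")
    print("\n".join(ipset_commands(nets, "amerika")))
```

Running it shows an empty "not covered" list for the subset, 128.174.240.0/24 aggregating five hosts, and an `ipset` command per entry; the same functions accept the full lists from the post unchanged.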


Wednesday 27 March 2013

"British Airways E-ticket receipts" spam / illuminataf.ru

This fake airline ticket spam leads to malware on illuminataf.ru:


Date:      Wed, 27 Mar 2013 03:23:05 +0100
From:      "Xanga" [noreply@xanga.com]
Subject:      British Airways E-ticket receipts
Attachments:     E-Ticket-Receipt.htm

e-ticket receipt
Booking reference: JQ15191488
Dear,

Thank you for booking with British Airways.

Ticket Type: e-ticket
This is your e-ticket receipt. Your ticket is held in our systems, you will not receive a paper ticket for your booking.

Your itinerary is attached (Internet Exlplorer/Mozilla Firefox file)


Yours sincerely,

British Airways Customer Services

British Airways may monitor email traffic data and also the content of emails, where permitted by law, for the purposes of security and staff training and in order to prevent or detect unauthorised use of the British Airways email system.

British Airways Plc is a public limited company registered in England and Wales. Registered number: 51298446. Registered office: Waterside, PO Box 365, Harmondsworth, West Drayton, Middlesex, England, UB7 0GB.

How to contact us
Although we are unable to respond to individual replies to this email we have a comprehensive section that may help you if you have a question about your booking or travelling with British Airways.


If you require further assistance you may contact us

If you have received this email in error
This is a confidential email intended only for the British Airways Customer appearing as the addressee. If you are not the intended recipient please delete this email and inform the snder as soon as possible. Please note that any copying, distribution or other action taken or omitted to be taken in reliance upon it is prohibited and may be unlawful.

The attachment E-Ticket-Receipt.htm (which has a poor detection rate) leads to a malicious payload at [donotclick]illuminataf.ru:8080/forum/links/column.php (report here) hosted on:
66.249.23.64 (Endurance International Group, US)
69.46.253.241 (RapidDSL & Wireless, US)
223.4.209.134 (Alibaba (China) Technology Co, China)

Blocklist:
66.249.23.64
69.46.253.241
223.4.209.134
humaniopa.ru
hiskinta.ru
hohohomaza.ru
humarikanec.ru
hillaryklinton.ru
hinakinioo.ru
hillairusbomges.ru
heepsteronst.ru
hjuiopsdbgp.ru
hondatravel.ru
illuminataf.ru
iliminattii.ru

Saturday 29 December 2012

FedACH Announcement spam / incinteractive.net

This fake whatever-the-heck-it-is spam leads to malware on incinteractive.net:
Date:      Fri, 28 Dec 2012 22:45:28 +0900
From:      "Federal Reserve Banking Services@sys.frb.org" [ACHR_58976105@FedMail.frb.org]
Subject:      FedMail (R): FedACH Announcement - End of Day - 12/27/12

Please overview the ACH Advice Statement from the Federal Reserve System by clicking here.
The malicious payload is at [donotclick]incinteractive.net/detects/wishs_continually.php hosted on the well-known IP of 59.57.247.185 in China, which also hosts the following malicious domains:

sessionid0147239047829578349578239077.pl
tv-usib.com
atsushitani.com
proxfied.net
incinteractive.net
timesofnorth.net
latticesoft.net


Friday 28 December 2012

IRS Spam / tv-usib.com

This fake IRS spam leads to malware on tv-usib.com:
Date:      Thu, 27 Dec 2012 22:14:44 +0400
From:      Internal Revenue Service [information@irs.gov]
Subject:      Your transaction is not approved

Your Income Tax outstanding transaction (ID: 3870703170305), recently ordered for processing from your checking account was rejected by Internal Revenue Service payment processing unit.

Canceled Tax transfer
Tax Transaction ID:     3870703170305
Rejection ID     See details in the report below
Federal Tax Transaction Report     tax_report_3870703170305.pdf (Adobe Acrobat Document)

Internal Revenue Service 3192 Aliquam Rd. Edmond 65332 Oregon
The malicious payload is at [donotclick]tv-usib.com/detects/property-mass-dollar_figure.php hosted on the well-known IP of 59.57.247.185 in China. The following malicious domains appear to be on that IP:


sessionid0147239047829578349578239077.pl
tv-usib.com
proxfied.net
timesofnorth.net
latticesoft.net

Wednesday 26 December 2012

E-billing spam / proxfied.net

There are various e-billing spam emails circulating today, pointing to malware on proxfied.net:


Date:      Wed, 26 Dec 2012 18:49:37 +0300
From:      alets-no-reply@customercenter.citibank.com
Subject:      Your Further eBill from Citibank Credit Card


       
Member: [redacted]

Add alerts@serviceemail2.citibank.com to your address book to ensure delivery.

Your Account: Important Warning
   
New eBill Available

   
Account Number: **************8
Due Date: 12/28/2012
Amount Due: 175.36
Minimum Amount Due: 175.36

How do I view this bill?
1. Sign on to Citibank Online using this link.
2. Use the Payments Menu to find the bill mentioned in this message.
3. Select View Bill to review your bill details. Select the icon to see your bill summary.

Please don't reply to this message.

If you have any questions about your bill, please contact Citibank Credit Card directly. For online payment questions, please choose Bill Payment from the menu.

E-mail Security Zone
At the top of this message, you'll see an E-mail Security Zone. Its purpose is to help you examine that the e-mail was actually sent by Citibank. If you have questions, please visit our help center. To learn more about fraud, click "Security" at the bottom of the screen.

To set up alerts sign on by clicking this link and go to Account Profile.

I prefer not to have this email contain specific information from my statement. Please send me just the announcement that my statement is ready to view online.

   
   
View Your Account         Pay Your Bill         Contact Us
   

Privacy | Security
Email Preferences

If you want to communicate with us in writing concerning this email, please direct your correspondence to:

Citibank Customer Care Service
P. O. Box 6200
Sioux Hills, SD 57870

Help / Contact Us
If you have questions about your account, please use our secure message center by signing on at by clicking this link and clicking on "Contact Us" from the "Help / Contact Us" menu.

© 2012 Citibank, N.A.
All rights reserved.
Citi, Citibank and Citi with Arc Design are registered service marks of Citigroup Inc.

3843054050826645

1/LO/439463/221/1I/6H/EH/7126/SYSTEF1 /E5225514741628064/2187

====================


Date:      Wed, 26 Dec 2012 10:50:38 -0500
From:      alerts@serviceemail6.citibank.com
To:      [redacted]
Subject:      Your got Renewed eBill Available from AT&T Bill


       
Member: [redacted]

Add citibankonline@customercenter.citibank.com to your address book to ensure delivery.

Your Account: Important Warning
   
Fresh eBill Available

   
Account Number: **************4
Due Date: 12/28/2012
Amount Due: 74.93
Minimum Amount Due: 74.93

How do I view this bill?
1. Sign on to Citibank Online clicking this link.
2. Use the Payments Menu to find the bill pointed in this message.
3. Select View Bill to overview your bill details. Select the icon to see your bill summary.

Please don't reply to this message.

If you have any questions about your bill, please contact AT&T Bill directly. For online payment questions, please choose Bill Payment from the menu.

E-mail Security Zone
At the top of this message, you'll see an E-mail Security Zone. Its objective is to help you check that the e-mail was real sent by Citibank. If you have questions, please click "Contact Us" link at the nottom of this message. To learn more about fraud, click "Security" at the bottom of the screen.

To set up alerts sign on clicking here and go to Account Profile.

I prefer not to have this email contain specific information from my statement. Please send me just the announcement that my statement is ready to view online.

   
   
View Your Account         Pay Your Bill         Contact Us
   

Privacy | Security
Email Preferences

Should you going to communicate with us in writing concerning this email, please direct your correspondence to:

Citibank Customer Care
P. O. Box 9000
Sioux Falls, SD 57897

Help / Contact Us
If you have questions about your account, please use our secure message center by signing on at this link and browsing section "Contact Us" from the "Help / Contact Us" menu.

© 2012 Citibank, N.A.
All rights reserved.
Citi, Citibank and Citi with Arc Design are registered service marks of Citigroup Inc.

7835212473101882

8/6J/472774/910/JM/TK/XD/9078/SYSTE2T /GI793670607303856/5644

====================


Date:      Wed, 26 Dec 2012 17:37:12 +0200
From:      alerts@customercenter.citibank.com
To:      <[redacted]>
Subject:      Your just received Fresh eBill Ready for review from Citibank Credit Card


       
Member: [redacted]

Add customerservice@serviceemail9.citibank.com to your address book to ensure delivery.

Your Account: Important Warning
   
Fresh eBill Should Be Complete

   
Account Number: **************0
Due Date: 28/22/2012
Amount Due: 529.80
Minimum Amount Due: 529.80

How do I view this bill?
1. Sign on to Citibank Online by clicking here.
2. Use the Payments Menu to find the bill mentioned in this message.
3. Select View Bill to see your bill details. Select the icon to get your bill summary.

Please don't reply to this message.

If you have any questions about your bill, please contact Citibank Credit Card directly. For online payment questions, please choose Bill Payment from the menu.

E-mail Security Zone
At the top of this message, you'll see an E-mail Security Zone. Its aim is to help you check that the e-mail was actually sent by Citibank. If you have questions, please visit our Contact Us page. To learn more about fraud, click "Security" at the bottom of the screen.

To set up alerts sign on clicking here and go to Account Profile.

I prefer not to have this email contain specific information from my statement. Please send me just the announcement that my statement is ready to view online.

   
   
View Your Account         Pay Your Bill         Contact Us
   

Privacy | Security
Email Preferences

If you want to communicate with us in writing concerning this email, please direct your correspondence to:

Citibank Customer Care
P. O. Box 9000
Sioux Falls, SD 30415

Help / Contact Us
If you have questions about your account, please use our secure message center by signing on at click here and clicking on "Contact Us" from the "Help / Contact Us" menu.

© 2012 Citibank, N.A.
All rights reserved.
Citi, Citibank and Citi with Arc Design are registered service marks of Citigroup Inc.

3612654275931761

2/IC/009813/854/GU/7J/5F/0102/SYSTE0T /J4044525669689549/3261

====================


Date:      Wed, 26 Dec 2012 09:04:44 -0600
From:      alets-no-reply@serviceemail6.citibank.com
To:      <[redacted]>
Subject:      New eBill is Now Available. From: AT&T Bill


       
Member: [redacted]

Add customerservice@citibank.com to your address book to ensure delivery.

Your Account: Important Notification
   
Fresh eBill Ready for review

   
Account Number: **************4
Due Date: 12/28/2012
Amount Due: 232.34
Minimum Amount Due: 232.34

How do I view this bill?
1. Sign on to Citibank Online by clicking here.
2. Use the Payments Menu to find the bill pointed in this message.
3. Select View Bill to see your bill details. Select the icon to get your bill summary.

Please not try to reply to this message.

If you have any questions about your bill, please contact AT&T Bill directly. For online payment questions, please choose Bill Payment from the menu.

E-mail Security Zone
At the top of this message, you'll see an E-mail Security Zone. Its purpose is to help you be sure that the e-mail was in reality sent by Citibank. If you have questions, please visit our Contact Us page. To learn more about fraud, click "Security" at the bottom of the screen.

To set up alerts sign in using this link and go to Account Profile.

I prefer not to have this email contain specific information from my statement. Please send me just the announcement that my statement is ready to view online.

   
   
View Your Account         Pay Your Bill         Contact Us
   

Privacy | Security
Email Preferences

If you want to contact us in writing concerning this email, please direct your correspondence to:

Citibank Customer Care Service
P. O. Box 5800
Sioux Hills, NC 52846

Help / Contact Us
If you have questions about your account, please use our secure message center by signing on at click to open and browsing section "Contact Us" from the "Help / Contact Us" menu.

© 2012 Citibank, N.A.
All rights reserved.
Citi, Citibank and Citi with Arc Design are registered service marks of Citigroup Inc.

5252192738554872

8/B8/851199/374/4J/PL/0Y/1754/SYSTEYZ /S7493944434265957/9990

====================


Date:      Wed, 26 Dec 2012 09:54:12 -0500
From:      customerservice@citibank.com
To:      <[redacted]>
Subject:      Your Further eBill from American Express


       
Member: [redacted]

Add customerservice@serviceemail8.citibank.com to your address book to ensure delivery.

Your Account: Important Note
   
Fresh eBill Available

   
Account Number: **************8
Due Date: 12/28/2012
Amount Due: 56.92
Minimum Amount Due: 56.92

How do I view this bill?
1. Sign on to Citibank Online clicking this link.
2. Use the Payments Menu to find the bill pointed in this message.
3. Select View Bill to overview your bill details. Select the icon to show your bill summary.

Please do not reply to this message.

If you have any questions about your bill, please contact American Express directly. For online payment questions, please choose Bill Payment from the menu.

E-mail Security Zone
At the top of this message, you'll see an E-mail Security Zone. Its target is to help you check that the e-mail was really sent by Citibank. If you have questions, please click "Contact Us" link at the nottom of this message. To learn more about fraud, click "Security" at the bottom of the screen.

To set up alerts sign on with this link and go to Account Profile.

I prefer not to have this email contain specific information from my statement. Please send me just the announcement that my statement is ready to view online.

   
   
View Your Account         Pay Your Bill         Contact Us
   

Privacy | Security
Email Preferences

Should you want to contact us in writing concerning this email, please direct your correspondence to:

Citibank Customer Care
P. O. Box 6000
Sioux Wheels, NC 56012

Help / Contact Us
If you have questions about your account, please use our secure message center by signing on at this link and browsing section "Contact Us" from the "Help / Contact Us" menu.

© 2012 Citibank, N.A.
All rights reserved.
Citi, Citibank and Citi with Arc Design are registered service marks of Citigroup Inc.

4530267461705664

6/2P/193057/917/70/O0/HE/0121/SYSTER5 /9I438409026123046/3702
The malicious payload is at [donotclick]proxfied.net/detects/inform_rates.php hosted on 59.57.247.185 in China (a well-known malware IP address) along with the following malicious domains:

sessionid0147239047829578349578239077.pl
latticesoft.net
proxfied.net

Wednesday 12 December 2012

Citibank spam / platinumbristol.net

This fake Citibank spam leads to malware on platinumbristol.net:

From:     citibankonline@serviceemail1.citibank.com via pado.com.br
Date:     12 December 2012 15:38
Subject:     Account Alert
Mailed-by:     pado.com.br

Citi    
Email Security Zone     EMAIL SECURITY AREA    
   
ATM/Credit card ending in: XXX7      
 
Alerting System
   
Bill Payment

Ultimate Savings Account (USA) XXXXXXXXX2
Amount Debited: $2,973.22
Date: 12/12/12

Log In to Overview Transaction
       
Bill Payment

Ultimate Savings Account (USA) XXXXXXXXX2
Amount Credited: $.97
Date: 12/12/12

Visit this link to Overview Detailed information
   
ABOUT THIS MESSAGE
Please DO NOT reply to this message. auomatic informational system unable to accept incoming messages.
              
Citibank, N.A. Member FDIC.
© 2012 Citigroup Inc. Citi with Arc Design and Citibank are registered service marks of Citigroup Inc.

========================

From:     citibankonline@serviceemail5.citibank.com via clickz.com
Date:     12 December 2012 15:39
Subject:     Account Notify
Mailed-by:     clickz.com

Citi    
Email Security Zone     EMAIL SAFETY AREA      
            
ATM/Debit card ending in: XXX7      
 
Alerting System

Money Transfer Report

Savings Account XXXXXXXXX8
Amount Withdrawn: $3,620.11
Date: 12/12/12

Visit this link to Cancel Details

Money Transfer Report

Savings Account XXXXXXXXX8
Amount Withdrawn: $.38
Date: 12/12/12

Sign In to Overview Details

ABOUT THIS MESSAGE
Please Not try to reply to this message. automative notification system unable to accept incoming messages.
      
Citibank, N.A. Member FDIC.
© 2012 Citigroup Inc. Citi with Arc Design and Citibank are registered service marks of Citigroup Inc. 

========================

Date:      Wed, 12 Dec 2012 23:16:15 +0700
From:      alets-no-reply@serviceemail6.citibank.com
Subject:      Account Insufficient funds

EMAIL SAFETY ZONE    
       
ATM/Debit card ending in: XXX0    
       
Notifications System
   
Transaction Announcement

Ultimate Savings Account (USA) XXXXXXXXX4
Amount Debited: $4,222.19
Date: 12/12/12

Login to Abort Detailed information

Transaction Announcement

Ultimate Savings Account (USA) XXXXXXXXX4
Amount Credited: $.41
Date: 12/12/12

Go to web site by clicking here to See Operation

ABOUT THIS MESSAGE

Please Not try to reply to this message. automative notification system cannot accept incoming mail.
   
Citibank, N.A. Member FDIC.

© 2012 Citigroup Inc. Citi with Arc Design and Citibank are registered service marks of Citigroup Inc.

========================


Date:      Wed, 12 Dec 2012 20:07:46 +0400
From:      citibankonline@serviceemail8.citibank.com
Subject:      Account Operation Alert

EMAIL SECURITY ZONE    
       
Credit card ending in: XXX0    
       
Notifications System
   
Bill Payment

Ultimate Savings Account (USA) XXXXXXXXX3
Amount Credited: $5,970.51
Date: 12/12/12

Click Here to Review Transaction

Bill Payment

Ultimate Savings Account (USA) XXXXXXXXX3
Amount Withdrawn: $.11
Date: 12/12/12

Sign In to View Operation

ABOUT THIS MESSAGE

Please don't reply to this message. auomatic informational system cannot accept incoming mail.
   
Citibank, N.A. Member FDIC.

© 2012 Citigroup Inc. Citi with Arc Design and Citibank are registered service marks of Citigroup Inc.
The malicious payload is at [donotclick]platinumbristol.net/detects/alert-service.php hosted on the same 59.57.247.185 IP address in China that has been used in several recent attacks. This is definitely an IP to block if you can.

I can see the following evil domains on that same server:
eaglepointecondo.org
sessionid0147239047829578349578239077.pl
securityday.pl
pleansantwille.com
labpr.com
ibertomoralles.com
shopgreatvideonax.com
eaglepointecondo.co
naky.net
ygsecured.ru
romoviebabenki.ru
robertokarlosskiy.su
platinumbristol.net
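The posts in this 59.57.247.185 series share two traits beyond the IP itself: a rotating set of domains, and payload URLs that always sit under a `/detects/<name>.php` path. A defender who only blocks the domains listed so far will miss the next one, so the detection below (an added example, not code from the original post) matches proxy log entries on all three indicators at once: known-bad domain, known-bad peer IP, and the path pattern. The indicator values are taken from the posts above; the log lines are constructed samples in the Squid native `access.log` layout, not real traffic, and `newdomain.example` is a placeholder for a domain not yet on any list.

```python
import re
from urllib.parse import urlsplit

# Indicators taken from the posts above (the 59.57.247.185 series).
BAD_IP = "59.57.247.185"
BAD_DOMAINS = {
    "platinumbristol.net", "eaglepointecondo.org", "eaglepointecondo.co",
    "proxfied.net", "tv-usib.com", "incinteractive.net",
    "sessionid0147239047829578349578239077.pl", "ibertomoralles.com",
}
# Every payload URL quoted in these posts sits under /detects/<name>.php.
PAYLOAD_PATH = re.compile(r"^/detects/[\w.-]+\.php$")

# Constructed sample lines (not real traffic) in the Squid native access.log layout:
# time elapsed client action/code size method url user hierarchy/peer type
SAMPLE_LOG = """\
1355323112.114    231 10.0.0.15 TCP_MISS/200 4821 GET http://platinumbristol.net/detects/alert-service.php - DIRECT/59.57.247.185 text/html
1355323113.201     12 10.0.0.15 TCP_HIT/200 1203 GET http://www.example.org/index.html - NONE/- text/html
1355323140.880    410 10.0.0.22 TCP_MISS/200 9120 GET http://newdomain.example/detects/wishs_continually.php - DIRECT/59.57.247.185 text/html
1355323150.003    300 10.0.0.31 TCP_MISS/200 5000 GET http://www.example.org/detects/setup.php - DIRECT/198.51.100.7 text/html
"""


def parse_squid_line(line):
    """Split one Squid native-format line into the fields the detection needs.

    Returns None for short or malformed lines so a scan never aborts on junk.
    """
    f = line.split()
    if len(f) < 10:
        return None
    parts = urlsplit(f[6])
    peer_ip = f[8].partition("/")[2]          # "DIRECT/1.2.3.4" -> "1.2.3.4"; "NONE/-" -> "-"
    return {
        "client": f[2],
        "url": f[6],
        "host": (parts.hostname or "").lower(),
        "path": parts.path,
        "peer_ip": peer_ip,
    }


def classify(entry):
    """Return the list of indicators an entry matches (empty list = not flagged)."""
    reasons = []
    if entry["host"] in BAD_DOMAINS:
        reasons.append("known-bad domain")
    if entry["peer_ip"] == BAD_IP:
        reasons.append("known-bad IP")
    if PAYLOAD_PATH.match(entry["path"]):
        reasons.append("payload path pattern")
    return reasons


def scan(log_text):
    """Return (client, url, reasons) for every log line that matches at least one indicator."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_squid_line(line)
        if entry is None:
            continue
        reasons = classify(entry)
        if reasons:
            hits.append((entry["client"], entry["url"], reasons))
    return hits


if __name__ == "__main__":
    for client, url, reasons in scan(SAMPLE_LOG):
        print(f"{client} -> {url}: {', '.join(reasons)}")
```

On the sample, the first line trips all three indicators, the third (an unlisted domain on the known IP with the payload path) trips two, and the fourth trips only the path pattern, which is the weakest signal on its own and is the one a reviewer should triage rather than block on automatically.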

Monday 10 December 2012

AICPA spam / eaglepointecondo.org

Yet another fake AICPA spam run today with a slightly different domain from before, now on eaglepointecondo.org:


Date:      Mon, 10 Dec 2012 18:51:38 +0100
From:      "AICPA" [info@aicpa.org]
Subject:      Tax return assistance fraud.

You're receiving this message as a Certified Public Accountant and a part of AICPA.
Having any issues reading this email? Overview it in your favorite browser.

Suspension of CPA license due to income tax indictment

Valued AICPA participant,

We have been notified of your potential participation in income tax refund shady transactions for one of your customers. In concordance with AICPA Bylaw Head # 740 your Certified Public Accountant status can be terminated in case of the act of submitting of a phony or fraudulent tax return for your client or employer.

Please be informed of the complaint below and respond to it within 7 work days. The refusal to respond within this period will finish in cancellation of your Accountant status.

Delation.pdf

The American Institute of Certified Public Accountants.

Email: service@aicpa.org
Tel. 888.777.7077
Fax. 800.362.5066

===================


Date:      Mon, 10 Dec 2012 14:50:40 -0300
From:      "AICPA" [noreply@aicpa.org]
Subject:      Your accountant license can be end off.

You're receiving this message as a Certified Public Accountant and a part of AICPA.
Having problems reading this email? Review it in your browser.

Suspension of Accountant status due to tax return fraud prosecution

Respected AICPA member,

We have received a complaint about your alleged participation in income tax return fraudulent activity for one of your employees. In accordance with AICPA Bylaw Section No. 500 your Certified Public Accountant license can be terminated in case of the event of presenting of a false or fraudulent tax return for your client or employer.

Please find the complaint below below and provide your feedback to it within 3 work days. The rejection to provide the clarifications within this time-frame would abide in end off of your Certified Accountant Career.

SubmittedReport.pdf

The American Institute of Certified Public Accountants.

Email: service@aicpa.org
Tel. 888.777.7077
Fax. 800.362.5066

In this case the malicious payload is at [donotclick]eaglepointecondo.org/detects/denouncement-reports.php hosted on 59.57.247.185 in China, as with the earlier spam run today.

AICPA spam / eaglepointecondo.co

This fake AICPA spam leads to malware on eaglepointecondo.co:


Date:      Mon, 10 Dec 2012 19:29:21 +0400
From:      "AICPA" [alerts@aicpa.org]
Subject:      Income fake tax return accusations.

You're receiving this email as a Certified Public Accountant and a member of AICPA.
Having difficulties reading this email? Take a look at it in your browser.

Termination of Public Account Status due to income tax fraud allegations

Respected accountant officer,

We have received a denouncement about your probable interest in income tax return swindle for one of your customers. In concordance with AICPA Bylaw Head # 500 your Certified Public Accountant status can be revoked in case of the occurrence of submitting of a faked or fraudulent income tax return for your client or employer.

Please be notified below and provide explanation of this issue to it within 21 business days. The rejection to provide elucidation within this period would finish in end off of your CPA license.

SubmittedReport.doc

The American Institute of Certified Public Accountants.

Email: service@aicpa.org
Tel. 888.777.7077
Fax. 800.362.5066
The malicious payload is at [donotclick]eaglepointecondo.co/detects/denouncement-reports.php hosted on 59.57.247.185 in China, which has been used a few times recently for malware distribution.



The following malicious domains appear to be on the same server:
moid.pl
securityday.pl
pleansantwille.com
labpr.com
ibertomoralles.com
shopgreatvideonax.com
zindt.net
naky.net
svictrorymedia.ru
ygsecured.ru
romoviebabenki.ru
addon.su
robertokarlosskiy.su
eaglepointecondo.co

Friday 7 December 2012

BBB spam / ibertomoralles.org

This bizarrely worded fake BBB spam leads to malware on ibertomoralles.org:


Date:      Fri, 7 Dec 2012 18:43:08 +0100
From:      "Better Business Bureau" [complaint@bbb.org]
Subject:      BBB Complaint No.65183683

Sorry, your e-mail does not support HTML format. Your messages can be viewed in your browser
Better Business Bureau ©
Start With Trust ®

Fri, 7 Dec 2012

RE: Complaint N. 65183683

Hello

The Better Business Bureau has been booked the above said complaint from one of your purchasers in regard to their business relations with you. The detailed description of the consumer's disturbance are available visiting a link below. Please give attention to this point and let us know about your mind as soon as possible.

We amiably ask you to overview the GRIEVANCE REPORT to reply on this claim letter.

We are looking forward to your prompt reaction.

Faithfully yours
Natalie Richardson
Dispute Councilor
Better Business Bureau

Better Business Bureau
3073 Wilson Blvd, Suite 600 Arlington, VA 28201
Phone: 1 (703) 276.0100 Fax: 1 (703) 525.8277

This message was sent to [redacted]. Don't want to receive these emails anymore? You can unsubscribe

====================


Date:      Fri, 7 Dec 2012 19:42:23 +0200
From:      "Better Business Bureau" [noreply@bbb.org]
Subject:      BBB Appeal No.05P610Q78

Sorry, your e-mail does not support HTML format. Your messages can be viewed in your browser
Better Business Bureau ®
Start With Trust ®

Fri, 7 Dec 2012

RE: Case # 05P610Q78

Hello

The Better Business Bureau has been filed the above said reclamation from one of your customers in respect of their dealings with you. The details of the consumer's disturbance are available at the link below. Please pay attention to this issue and notify us about your sight as soon as possible.

We politely ask you to visit the PLAINT REPORT to meet on this claim.

We are looking forward to your prompt reaction.

Yours respectfully
Dylan Peterson
Dispute Councilor
Better Business Bureau

Better Business Bureau
3003 Wilson Blvd, Suite 600 Arlington, VA 25301
Phone: 1 (703) 276.0100 Fax: 1 (703) 525.8277

This message was delivered to [redacted] Don't want to receive these emails anymore? You can unsubscribe

====================

From: Better Business Bureau [mailto:information@bbb.org]
Sent: Fri 07/12/2012 17:01
Subject: Better Business Beareau Pretension No.S8598593


Sorry, your e-mail does not support HTML format. Your messages can be viewed in your browser

Better Business Bureau ©

Start With Trust 
Fri, 7 Dec 2012

RE: Complaint N. S8598593


Valued client

The Better Business Bureau has been entered the above mentioned grievance from one of your clientes with reference to their dealings with you. The details of the consumer's worry are available at the link below. Please give attention to this problem and let us know about your opinion as soon as possible.

We pleasantly ask you to click and review the CLAIM LETTER REPORT to respond on this grievance.

We awaits to your prompt response.

WBR
Aiden Thompson
Dispute Advisor
Better Business Bureau

Better Business Bureau
3003   Wilson Blvd, Suite 600  Arlington, VA 26701
Phone: 1 (703) 276.0100  Fax: 1 (703) 525.8277

  
This letter was delivered to [redacted]. Don't want to receive these emails anymore? You can unsubscribe
The payload and IP addresses are exactly the same as the ones found in this spam run.

AICPA spam / ibertomoralles.org

I haven't seen fake AICPA spam like this for a while, it leads to malware on ibertomoralles.org:

From:     AICPA [noreply@aicpa.org]
Date:     7 December 2012 16:55
Subject:     Your accountant license can be cancelled.

You're receiving this information as a Certified Public Accountant and a member of AICPA.
Having any problems reading this email? See it in your favorite browser.

AICPA logo
    
Revocation of CPA license due to income tax fraud accusations
Dear AICPA participant,

We have been informed of your potential involvement in tax return swindle   on behalf of one of your employers. In obedience to AICPA Bylaw Article 700 your Certified Public Accountant position can be discontinued in case of the aiding of filing of a phony or fraudulent income tax return for your client or employer.

Please be notified below and provide explanation of this issue to it within 14 work days. The rejection to provide elucidation within this time-frame would finish in decline of your Accountant status.

Delation.pdf


The American Institute of Certified Public Accountants.

Email: service@aicpa.org
Tel. 888.777.7077
Fax. 800.362.5066
===================

Date:      Fri, 7 Dec 2012 18:31:58 +0100
From:      "AICPA" [do-not-reply@aicpa.org]
Subject:      Tax return assistance contrivance.

You're receiving this note as a Certified Public Accountant and a part of AICPA.
Having any problems reading this email? See it in your favorite browser.

Cancellation of Public Account Status due to tax return indictment

Respected accountant officer,

We have received a note of your presumable interest in income tax fraud for one of your clients. In concordance with AICPA Bylaw Article 600 your Certified Public Accountant status can be discontinued in case of the event of submitting of a fake or fraudulent income tax return on the member's or a client's behalf.

Please familiarize yourself with the complaint below and provide your feedback to it within 14 work days. The rejection to respond within this time-frame will result in end off of your CPA license.

Delation.doc

The American Institute of Certified Public Accountants.

Email: service@aicpa.org
Tel. 888.777.7077
Fax. 800.362.5066

The malicious payload is at [donotclick]ibertomoralles.org/detects/five-wise_leads_ditto.php hosted on the same Chinese IP address of 59.57.247.185 as used in this spam yesterday.

Thursday 6 December 2012

eBay, PayPal spam / ibertomoralles.com

These spam messages lead to malware on ibertomoralles.com:


Date:      Thu, 6 Dec 2012 13:12:16 -0600
From:      "PayPal" [service@paypal.com]
Subject:      Your Ebay.com transaction details.

    Dec 5, 2012 09:31:49 CST

Transaction ID: U5WZP603SNLLWR5DT
Hello [redacted],

You sent a payment of $363.48 USD to Normand Akers.

It may take a several minutes for this transaction to appear in your transactions history.

Seller

Normand-Akers@aol.com

    Instructions to seller

You haven't entered any instructions.
Shipping address - confirmed
Hyde Rd
Glendale SC 58037-0659
United States
    Shipping details
The seller hasn't provided any shipping details yet.
Description     Qty.     Amount
NordicTrack Mini Cycle

Item# 118770508253     24     $363.48 USD
Shipping and handling     $24.99 USD
Insurance - not offered     ----
Total     $363.48 USD
Payment     $363.48 USD

Payment sent to Normand Akers    

Receipt ID: D-69NQRGN113A3A9UQ3

Issues with this transaction?

You have 45 days from the date of the transaction to open a dispute in the Resolution Center.

Please do not reply to this message. auto informer system unable to accept incoming messages. For immediate answers to your issues, visit our Help Center by clicking "Help" located on any PayPal page.

PayPal Email ID PZ147

==========


Date:      Thu, 6 Dec 2012 19:57:37 +0100
From:      "PayPal" [noreply@paypal.com]
Subject:      Your Paypal.com transaction confirmation.

    Dec 5, 2012 09:50:54 CST

Transaction ID: 8P7D295HFIIIMUC4Q
Hello [redacted],


You done a payment of $894.48 USD to Carol Brewster.

It may take a few moments for this transfer to appear in your transactions history.

Merchant

Carol-Brewster@aol.com

    Instructions to seller

You haven't entered any instructions.
Shipping address - confirmed
Pharetra Street
Manlius NY 74251-6442
United States
    Shipping details
The seller hasn't provided any shipping details yet.
Description     Qty.     Amount
TaylorMade R11 Driver Golf Club

Item# 703099838857     54     $894.48 USD
Shipping and handling     $14.49 USD
Insurance - not offered     ----
Total     $894.48 USD
Payment     $894.48 USD

Payment sent to Carol Brewster    

Receipt ID: H-K01U2WSTLZZMRAB90

Issues with this transaction?
You have 45 days from the date of the purchase to issue a dispute in the Resolution Center.

Please DO NOT reply to this message. auto-notification system can't accept incoming mail. For fast answers to your subjects, visit our Help Center by clicking "Help" located on any PayPal page.

PayPal Email ID P8695

The malicious payload is at [donotclick]ibertomoralles.com/detects/slowly_apply.php hosted on 59.57.247.185 (Xiamen JinLongLvXingChe, China). The following malicious domains also appear to be hosted on the same server:

addon.su
ansncm.org
codemark.net
hfeitu.net
ibertomoralles.com
icobag.com
labpr.com
minevi.com
moid.pl
naky.net
namelesscorn.net
porkystory.net
proscitomash.com
robertokarlosskiy.su
roketlauncherskiy.org
romoviebabenki.ru
securityday.pl
seldomname.com
shopgreatvideonax.com
svictrorymedia.ru
tradenext.net
winterskyserf.ru
ygsecured.ru
zindt.net
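Turning a shared-hosting list like the one above into something you can actually deploy is a copy-and-paste job that is easy to get wrong (duplicates, stray capitals, missing www. labels). The script below is an added example, not code from the original post: it takes the domains the posts above put on 59.57.247.185 (plus ibertomoralles.org, eaglepointecondo.co and pleansantwille.com from the later posts) and emits a hosts file, a BIND response-policy zone and the plain IP list this blog usually recommends. The output formats and the RPZ origin "rpz.local." are my choices; it needs no network access.

```python
"""Turn the domains that share a hosting IP into ready-to-paste blocklists.

Added example, not code from the original post. The domains and the IP are
the ones published in the posts above; the three output formats (hosts file,
BIND response-policy zone, plain IP list) and the RPZ origin "rpz.local." are
my choices. Runs offline.
"""
from collections import defaultdict

SHARED_IP = "59.57.247.185"

# Domains the 6 December post lists on 59.57.247.185.
DEC_6_DOMAINS = [
    "addon.su", "ansncm.org", "codemark.net", "hfeitu.net",
    "ibertomoralles.com", "icobag.com", "labpr.com", "minevi.com",
    "moid.pl", "naky.net", "namelesscorn.net", "porkystory.net",
    "proscitomash.com", "robertokarlosskiy.su", "roketlauncherskiy.org",
    "romoviebabenki.ru", "securityday.pl", "seldomname.com",
    "shopgreatvideonax.com", "svictrorymedia.ru", "tradenext.net",
    "winterskyserf.ru", "ygsecured.ru", "zindt.net",
]
# Extra domains the later posts above put on the same server.
LATER_DOMAINS = ["ibertomoralles.org", "eaglepointecondo.co", "pleansantwille.com"]

IOC_PAIRS = [(d, SHARED_IP) for d in DEC_6_DOMAINS + LATER_DOMAINS]


def normalise(domain):
    """Lower-case, strip whitespace and any trailing dot so duplicates collapse."""
    return domain.strip().lower().rstrip(".")


def group_by_ip(pairs):
    """Group (domain, ip) pairs into {ip: sorted unique domains}."""
    groups = defaultdict(set)
    for domain, ip in pairs:
        groups[ip].add(normalise(domain))
    return {ip: sorted(doms) for ip, doms in groups.items()}


def hosts_file(domains):
    """hosts-file lines sinkholing each domain and its www. label to 0.0.0.0."""
    lines = []
    for d in sorted({normalise(x) for x in domains}):
        lines.append(f"0.0.0.0 {d}")
        lines.append(f"0.0.0.0 www.{d}")
    return "\n".join(lines) + "\n"


def rpz_zone(domains, origin="rpz.local.", serial=1):
    """Minimal BIND RPZ: each domain and every subdomain returns NXDOMAIN."""
    out = [
        f"$ORIGIN {origin}",
        "$TTL 300",
        f"@ SOA localhost. root.localhost. {serial} 3600 900 604800 300",
        "@ NS localhost.",
    ]
    for d in sorted({normalise(x) for x in domains}):
        out.append(f"{d} CNAME .")        # exact name -> NXDOMAIN
        out.append(f"*.{d} CNAME .")      # any subdomain -> NXDOMAIN
    return "\n".join(out) + "\n"


def ip_blocklist(groups):
    """One hosting IP per line, for the copy-and-paste style list the blog uses."""
    return "\n".join(sorted(groups)) + "\n"


if __name__ == "__main__":
    groups = group_by_ip(IOC_PAIRS)
    print(ip_blocklist(groups))
    print(hosts_file(groups[SHARED_IP]))
    print(rpz_zone(groups[SHARED_IP]))
```

The RPZ `CNAME .` convention is BIND's way of saying "answer NXDOMAIN"; the wildcard line matters because the payload paths in these runs sit on the bare domain one day and on a subdomain the next.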


Monday 22 October 2012

Scam: tsnetint.com and tsnetint.org

Another episode in a long-running domain scam, which attempts to get you to buy worthless domain names by scaremongering. In this case the fake company is called "Kenal investment Co. Ltd" (there are several legitimate firms with a similar name). If you get one of these, ignore it and don't give the scammers any money.

The domains quoted are tsnetint.com and tsnetint.org and the originating IP is 117.27.141.168, all hosted in deepest China.


From:     bertram bertram@tsnetint.com
Date:     22 October 2012 06:02
Subject:     Confirmation of Registration

(Letter to the President or Brand Owner, thanks)

Dear President,

We are the department of Asian Domain Registration Service in China. Here I have something to confirm with you. We formally received an application on October  19, 2012 that a company claimed Kenal investment Co. Ltd were applying to register "dynamoo" as their Net Brand and some domain names through our firm.

Now we are handling this registration, and after our initial checking, we found the name were similar to your company's, so we need to check with you whether your company has authorized that company to register these names. If you authorized this, we would finish the registration at once. If you did not authorize, please let us know within 7 workdays, so that we could handle this issue better. After the deadline we will unconditionally finish the registration for Kenal investment Co. Ltd. Looking forward to your prompt reply.

Best Regards,

Bertram  Hong

Registration Dept.

Office:Tel: 86 2885915586 || Fax: +86 2885912116
Address:9/F Libao building No,62 Kehua North Road,Wuhou District,Chengdu City,China
P Please consider the environment before you print this e-mail

Wednesday 10 October 2012

union-trans.com employment scam

This fake job offer is for a "forwarding agent". What is a forwarding agent? Basically it's a parcel reshipping scam: goods bought with stolen credit cards are sent to the "agent's" home address, and the "agent" then forwards the stolen goods on to Eastern Europe, China or wherever. Of course, when the police catch on it's the "agent" who is in deep, deep trouble.

From:     alex Ford@un-trans.info
Reply-To:     alex@union-trans.com.cn
Date:     8 October 2012 14:46
Subject:     forwarder agent 2012-10-10 15:02:33

Hello,

It is glad to write to you with keen hope to open a business relationship with you.

union-trans (china) International Freight Co,. Ltd is always provide the best service and good price for Import and Export both of ocean and air freight.
These services include: FCL Import and Export, LCL Consolidation, Break-Bulk; Air Freight Import and Export, Sea-Land Transportation; as well as arranging booking, clearance, inspection,loading and evanning, storage, consultation, insurance, etc, forwarding supported services.Our business has extended all over the globe, including in Middle East, Red Sea, India, Europe, and East, Africa, Central and South America, Australia and Southeast Asia etc.
For more information,Please review to our website as below:
http://www.union-trans.com


We are looking forwarder to you reply!


Best regards

union-trans (china) International Freight Co,. Ltd
addr:Room 18B-2,East China Sea Dawn Building,Zhongshan Road 455, Ningbo Jiangdong area,Ningbo,China
directort manager:Alex Huang
Tel:+86-0574-89086653
Fax:+86-0574-89086659
Mbl:+86-0-13957424347 +86-0-15306636688
SKYPE:alex_huang58
Msn:alex_huang58@hotmail.com   Email:alex@union-trans.com.cn
There appear to be several scam domains in this same email.

union-trans.com is hosted on 180.178.32.238 (Simcentric, Hong Kong). The WHOIS details are:

Admin Name........... huang yijiang
  Admin Address........ Ningbo
  Admin Address........
  Admin Address........ Ningbo
  Admin Address........ 200000
  Admin Address........ ZJ
  Admin Address........ CN
  Admin Email.......... sunpt@qq.com
  Admin Phone.......... +86.13957424347
  Admin Fax............ +86.13957424347

un-trans.info is parked on 68.178.232.100, and is registered to another owner:

Registrant ID:CR117221338
Registrant Name:yijiang huang
Registrant Organization:
Registrant Street1:baizhangdongli 168
Registrant Street2:
Registrant Street3:
Registrant City:ningbo
Registrant State/Province:zhejiang
Registrant Postal Code:315100
Registrant Country:CN
Registrant Phone:+86.057481088611
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Registrant Email:hyjbbs@163.com

union-trans.com.cn seems to be just a mail handler:
Domain Name: union-trans.com.cn
ROID: 20120401s10011s18721153-cn
Domain Status: ok
Registrant ID: ctr4rtfs2aq58an
Registrant: 宁波瀚联国际货运代理有限公司
Registrant Contact Email: hyjbbs@163.com
Sponsoring Registrar: 北京新网互联科技有限公司
Name Server: ns1.dns.com.cn
Name Server: ns2.dns.com.cn
Registration Date: 2012-04-01 12:05:06
Expiration Date: 2019-04-01 12:05:06
DNSSEC: unsigned

uni-transglobal.info is an intermediary mail system using an expired domain name:
Registrant ID:CR75845753
Registrant Name:yijiang huang
Registrant Organization:
Registrant Street1:baizhangdongli 168
Registrant Street2:
Registrant Street3:
Registrant City:ningbo
Registrant State/Province:zhejiang
Registrant Postal Code:315100
Registrant Country:CN
Registrant Phone:+57.481088611
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Registrant Email:hyjbbs@163.com

Originating IP is 183.134.113.165 (Zhejiang Telecom, Ningbo, China).

The subscribe/unsubscribe links in the email also reference these addresses: hyjbbs@gmail.com
and cncxrdy001@gmail.com

Generally speaking, unsolicited job offers from out-of-the-way places are bad news and should be avoided..

Friday 3 August 2012

yg-network.org / Keyya Ltd domain scam

This is part of a domain scam that has been going on for years..

from:     Angela info@gytrademark.com
to:     sales@[redacted].com
date:     3 August 2012 03:21
subject:     Notice of Internet Intellectual Property



Dear Manager,

(If you are not the person who is in charge of this, please forward this to your CEO,Thanks)

This email is from China domain name registration center, which mainly deal with the domain name registration and dispute internationally in China and Asia.
On July 30th 2012, We received Keyya Ltd's application that they are registering the name "[redacted]" as their Internet Keyword and "[redacted].cn "、"[redacted].com.cn " 、"[redacted].asia "domain names etc.., they are China and ASIA domain names. But after auditing we found the brand name been used by your company. As the domain name registrar in China, it is our duty to notice you, so we are sending you this email to check. According to the principle in China, your company is the owner of the trademark, In our auditing time we can keep the domain names safe for you firstly, but our audit period is limited, if you object the third party application these domain names and need to protect the brand in china and Asia by yourself, please let the responsible officer contact us as soon as possible. Thank you!

Best Regards,

Angela Zhang



General Manager
Anhui Office (Head Office)
Registration Department Manager
Room 1008 Shenhui Building 
Haitian Road, Huli Anhui, China
Office:  +86 0553 4994789
Fax:     +86 0553 4994789
web:  www.yg-network.org

Basically the idea is to panic you into buying worthless domains from a dodgy Chinese registrar. Of course, there is no company actually trying to register these domains.. and even if there were, a registrar has no responsibility to check trademark ownership (except in a tiny handful of cases such as sunrise registrations).

What's more.. I already own the .asia version of this domain name, so it is impossible that someone else is trying to register it.

So, this one is definitely a scam. Stay away.

Thursday 2 August 2012

"Pay your AT&T bill online" spam / unboxhibernation.org

This fake AT&T spam leads to malware on unboxhibernation.org:

 From: Tonya Bates [mailto:robot@craigslist.org]
Sent: 02 August 2012 14:08
Subject: Pay your AT&T bill online
Importance: High

att.com | Support | My AT&T Account


Your online bill is ready to be downloaded
Dear Valued Customer,

A new bill for your AT&T account is ready.

Any operations completed after your bill period expires will not be reflected in the bill amount listed directly below. If you have made a recent payment, please refer to the current balance on the Account Overview and the Bill & Payments pages.
Service     Account ending in     Bill Amount     Due Date
Home Phone     6     $355.26     08/06/2012

Log in to online account management to view your bill and bill notices, maintain your email account or make a payment. If you are not registered for online account management, you must do so to view and print your full bill and bill notices at www.att.com/managemyaccount.
Log in to online account management to view your bill, maintain your email account or make a payment.



Thank you for choosing AT&T. We value your business and look forward to serving you!

Thank you,
AT&T Online Services
www.att.com

Contact Us
AT&T Support - quick & easy support is available 24/7.

 




Moving Soon?
Stay connected with AT&T. Visit us online at att.com/move.


AT&T Online Services
Get more time to do what you want. What would you do?
 Show me how

    Automatic Payments
Save time and pay your monthly bill automatically!
 Sign up now

    Special Offers
Visit our Special Offers to check out our best promotions.
 Learn more


  
Online Information
AT&T Community
Repair
Home Phone
Special Offers

________________________________________
PLEASE DO NOT REPLY TO THIS MESSAGE
All replies are automatically deleted. For questions regarding this message, refer to the contact information listed above.

2012 AT&T Intellectual Property. All rights reserved. AT&T, the AT&T logo and all other AT&T marks contained herein are trademarks of AT&T Intellectual Property and/or AT&T affiliated companies. All other marks contained herein are the property of their respective owners.
Privacy Policy

The malicious payload is at [donotclick]unboxhibernation.org/main.php?page=19152be46559e39d (report here) hosted on 78.87.123.114 (CYTA Hellas, Greece), which also hosts the apparently legitimate site infosector.gr. Some DNS results are coming back with 211.157.105.160 in China instead, and that IP address is definitely malicious as it hosts the following malware domains:

advancementwowcom.org
damidc.com
retweetadministrator.org
stafffire.net
unboxhibernation.org

Blocking both IPs may well be prudent.

Also, the following nameservers are indicative of an evil host, keep an eye out for them..
ns1.ashton-pitt.net
64.37.54.215

ns2.ashton-pitt.net
111.214.135.11
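Two things in the post above are worth automating: the same name answering with different IPs depending on who you ask, and a pair of nameservers that keep turning up on evil hosts. The script below is an added example, not code from the original post. It works on a constructed table of resolver answers (the "resolver-eu" / "resolver-us" labels and infosector.gr's nameserver ns1.example-hoster.gr are hypothetical), but the bad IP and the ashton-pitt.net nameservers are the ones listed above. It flags a domain when its A records disagree between vantage points, when any answer is a known-bad IP, or when it is served by a watched nameserver.

```python
"""Flag domains whose DNS answers disagree across resolvers, land on a
known-bad IP, or are served by watched nameservers.

Added example, not code from the original post. ANSWERS is a constructed
table standing in for what dig returned from two vantage points; the
bad IP and the nameserver names/IPs are the ones given in the post.
"""
from dataclasses import dataclass, field

BAD_IPS = {"211.157.105.160"}                               # "definitely malicious" per the post
WATCH_NS = {"ns1.ashton-pitt.net", "ns2.ashton-pitt.net"}   # nameservers to keep an eye on
WATCH_NS_IPS = {"64.37.54.215", "111.214.135.11"}           # their addresses, from the post

# Constructed resolver answers: (domain, vantage, record type, value).
ANSWERS = [
    ("unboxhibernation.org", "resolver-eu", "A", "78.87.123.114"),
    ("unboxhibernation.org", "resolver-us", "A", "211.157.105.160"),
    ("unboxhibernation.org", "resolver-eu", "NS", "ns1.ashton-pitt.net"),
    ("unboxhibernation.org", "resolver-eu", "NS", "ns2.ashton-pitt.net"),
    ("infosector.gr", "resolver-eu", "A", "78.87.123.114"),
    ("infosector.gr", "resolver-us", "A", "78.87.123.114"),
    ("infosector.gr", "resolver-eu", "NS", "ns1.example-hoster.gr"),  # hypothetical NS
    ("stafffire.net", "resolver-eu", "A", "211.157.105.160"),
    ("stafffire.net", "resolver-eu", "NS", "ns1.ashton-pitt.net"),
]


@dataclass
class Verdict:
    domain: str
    reasons: list = field(default_factory=list)
    a_records: set = field(default_factory=set)


def assess(answers, bad_ips=BAD_IPS, watch_ns=WATCH_NS):
    """Return {domain: Verdict}; an empty reasons list means nothing was found."""
    by_domain = {}
    for domain, vantage, rtype, value in answers:
        rec = by_domain.setdefault(domain, {"A": {}, "NS": set()})
        if rtype == "A":
            rec["A"].setdefault(vantage, set()).add(value)
        elif rtype == "NS":
            rec["NS"].add(value.lower().rstrip("."))

    verdicts = {}
    for domain, rec in by_domain.items():
        v = Verdict(domain)
        v.a_records = set().union(*rec["A"].values()) if rec["A"] else set()

        # 1. Different vantage points got different answer sets.
        if len({frozenset(s) for s in rec["A"].values()}) > 1:
            v.reasons.append("A records differ between resolvers: " + ", ".join(sorted(v.a_records)))
        # 2. Any answer is on the blocklist.
        hits = v.a_records & bad_ips
        if hits:
            v.reasons.append("resolves to known-bad IP " + ", ".join(sorted(hits)))
        # 3. Served by a nameserver we are watching.
        ns_hits = rec["NS"] & watch_ns
        if ns_hits:
            v.reasons.append("served by watched nameserver " + ", ".join(sorted(ns_hits)))
        verdicts[domain] = v
    return verdicts


def suspicious(answers):
    """Sorted list of domains with at least one finding."""
    return sorted(d for d, v in assess(answers).items() if v.reasons)


if __name__ == "__main__":
    for d, v in assess(ANSWERS).items():
        print(d, "->", v.reasons or "clean")
```

In this constructed data infosector.gr comes out clean even though it shares 78.87.123.114 with the payload domain, which is the point: an IP-level block of 78.87.123.114 would take the legitimate site down with it, so a name-level block is the safer first move there.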

Thursday 3 May 2012

tsnet-china.com / "Klver Industrial Co. Ltd" domain scam.

This domain scam has been around for years..

From:     jeff jeff@tsnet-china.com
To:   
Date:     3 May 2012 10:02
Subject:     Regarding " dynamoo " Dispute

(If you are not in charge of this please transfer this email to your President or appropriate person, thanks)

Dear President,

We are the department of Asian Domain registration service in china, have something to confirm with you. We formally received an application on May 2, 2012. One company which self-styled "Klver Industrial Co. Ltd" were applying to register "dynamoo" as Network Brand and following domain names:

 dynamoo.asia 
 dynamoo.cn 
 dynamoo.com.cn 
 dynamoo.com.tw 
 dynamoo.hk 
 dynamoo.in 
 dynamoo.net.cn 
 dynamoo.org.cn 
 dynamoo.tw

After our initial checking, we found the name were similar to your company's, so we need to check with you whether your company has authorized that company to register these names. If you authorized this, we will finish the registration at once. If you did not authorize, please let us know within 7 workdays, so that we will handle this issue better. Out of the time limit we will unconditionally finish the registration for "Klver Industrial Co. Ltd".

Best Regards,
                                   
Jeff  Yang
Registration Dept.

Tel: +862885915586  ||  Fax: +862885912116
Address:8/F XiYu building No,52 JinDun Road,QingYang District,Chengdu City,China.

The idea here is to panic the domain owner into registering a bunch of worthless domains. Do I really care if someone registers a bunch of Asian domain names (some of which are on really crappy second level domains)? No, I don't. And neither should you.

Here's the thing: domain registrars for common domains* like this DO NOT carry out these checks. It isn't their responsibility. In reality, they will NOT contact you prior to registration. There is almost definitely no company interested in buying these domains. And remember, there are hundreds of top-level domains.. you could spend a LOT of money securing worthless variations for no reason.

Give this one a wide berth. If you really do want to find a registrar for additional domains, shop around to find a reliable and inexpensive registrar rather than dealing with spammers.

* some "sunrise" registrations for new top-level domains do check trademark ownership when they are launched.

Thursday 26 April 2012

Facebook spam / bioldrugstore.com

This fake Facebook spam leads to a fake pharma site, but it could easily be adapted for malware.

Date:      Thu, 26 Apr 2012 09:33:46 -0700
From:      "Facebook" [notification+xxxxxxxxxxx@facebookemail.com]
Subject:      Welcome back to Facebook

Hello,

The Facebook account associated with xxxxxxxxxxx was recently reactivated.

If you were not the one who reactivated this account, please visit our Help Center to cancel the request.

http://www.facebook.com/help/?topic=security

Thanks,
The Facebook Team

The payload is a pharma site at bioldrugstore.com hosted on 61.132.200.24 and 111.123.180.9 in China (two IPs that are full of fake pharma stores) and 213.162.209.177 in Spain.

This type of spam run can easily be adapted for malware, so keep an eye out for unexpected Facebook notifications.

Friday 6 January 2012

"Elavon 2012 Update" phish

Elavon deals with payment processing. This email is not from Elavon.

From: "Elavon, Inc." [sobolan@myvirtualmerchan-02.com]
Date:Fri, 06 Jan 2012 16:09:48 +0100
Subject: Urgent-Notification

--Elavon 2012 Update--
Dear Customer,

We regret to inform you that your retail merchant account is locked.
To re-activate it please download the file attached to this e-mail and update your login information.

2012 Elavon Inc,
-Please note only RETAIL account are locked-
-Example : Market Segmet : Retail-

Attached is a file called myvirtualmerchant_login.html which is the phish itself, displaying the following screen.

The form itself sends the details to mail.xinsanjing.com on 220.189.213.181 (HangZhou XinSanJing Food Co. Ltd., China), which is possibly a hacked server. In this case the email originated from 209.91.252.206 in Puerto Rico.
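Phishes delivered as an HTML attachment are easy to triage without opening them in a browser: pull out every form, see where it posts and whether it collects credentials. The script below is an added example, not code from the original post. The sample attachment is constructed to look like the "login page" described above (it is not the real myvirtualmerchant_login.html); the posting host mail.xinsanjing.com comes from the post, while the /cgi-bin/formmail.pl path, the hidden "recipient" field and the assumed brand domains elavon.com and myvirtualmerchant.com are my assumptions.

```python
"""Extract form targets and credential fields from an HTML phishing attachment.

Added example, not code from the original post. SAMPLE_ATTACHMENT is
constructed; only the target host mail.xinsanjing.com comes from the post.
The form path, the hidden recipient field and the brand domains are assumed.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

SAMPLE_ATTACHMENT = """<html><body>
<h2>Elavon 2012 Update</h2>
<form method="POST" action="http://mail.xinsanjing.com/cgi-bin/formmail.pl">
  <input type="text" name="merchant_id">
  <input type="text" name="user_id">
  <input type="password" name="pin">
  <input type="hidden" name="recipient" value="sobolan@example.invalid">
  <input type="submit" value="Login">
</form>
</body></html>"""

# Field-name fragments that usually mean "this form collects secrets".
CREDENTIAL_HINTS = ("pass", "pin", "user", "login", "account", "card", "cvv", "ssn")


class FormExtractor(HTMLParser):
    """Collect every <form> with its action, method and <input> fields."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {
                "action": a.get("action") or "",
                "method": (a.get("method") or "GET").upper(),
                "fields": [],
            }
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            self._current["fields"].append({
                "name": a.get("name") or "",
                "type": (a.get("type") or "text").lower(),
                "value": a.get("value") or "",
            })

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def analyse(html, brand_domains):
    """One finding per form: where it posts, what it collects, whether that is off-brand."""
    parser = FormExtractor()
    parser.feed(html)
    findings = []
    for form in parser.forms:
        host = (urlparse(form["action"]).hostname or "").lower()
        cred_fields = [
            f["name"] for f in form["fields"]
            if f["type"] == "password"
            or any(h in f["name"].lower() for h in CREDENTIAL_HINTS)
        ]
        on_brand = any(host == d or host.endswith("." + d) for d in brand_domains)
        findings.append({
            "action_host": host,
            "method": form["method"],
            "credential_fields": cred_fields,
            "posts_off_brand": bool(host) and not on_brand,
            # formmail-style kits name the drop mailbox in a hidden field
            "hidden_recipients": [
                f["value"] for f in form["fields"]
                if f["type"] == "hidden" and f["name"].lower() == "recipient"
            ],
        })
    return findings


def is_credential_phish(html, brand_domains):
    """True if any form collects credentials and posts them somewhere off-brand."""
    return any(f["credential_fields"] and f["posts_off_brand"]
               for f in analyse(html, brand_domains))


if __name__ == "__main__":
    for f in analyse(SAMPLE_ATTACHMENT, {"elavon.com", "myvirtualmerchant.com"}):
        print(f)
```

The host the form posts to is the indicator worth keeping (here the hacked-looking mail server), and a hidden "recipient" value, where present, tells you which mailbox the kit drops credentials into.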

If you use Elavon's services, watch out for this phish.

Tuesday 13 December 2011

"PAYROLL LOGS" Spam

This spam is obviously trying to do something evil, but I'm not quite sure what.


Date:      Tue, 13 Dec 2011 15:23:00 -0600
From:      "Helen Oconnell" [terminationsm@migtel.ru]

Subject:      11122011 PAYROLL INDICES

http://jazzon.nl/YK4VUSWQ.html Please access the URL below to reveal PAYROLL LOGS. It was submitted to you using a Xerox WorkCentre. Pro

==================================================================================================================

Confidential E-Mail: This e-Mail is proposed only for the username to that it is addressed and may be composed data that is intimate or otherwise preserved from exposal.If you have take this email in confusion, please notify the support by respond the present e-Mail and erase the original e-Mail and each copy..

The email is a piece of social engineering that relies on you wanting to know how much your colleagues are earning. Click the link and you get redirected to cms-wideopendns.com (a DSL subscriber in Spain) and then to trackorder.commercialday-net.com (in China). It doesn't seem to work properly, but then it might just be resisting the tools I am throwing at it.

In any case.. avoid this one.

Wednesday 14 September 2011

Some fake Bundeskriminalamt and Bundespolizei sites

Here are some more fake sites pretending to be the Bundeskriminalamt and Bundespolizei (agencies of the German Federal Police) which are probably worth blocking, following on from these.

193.105.240.204 [Sia Vps Hosting, Latvia]
bundespolizei-de.net
bundespolizei-de.org
bundespolizei-online.com
dpolg-bundespolizei.org
inter-bundeskriminalamt.org

77.87.229.14 [Invalid pointer to bundespolizei.de]
inter-bundeskriminalamt.eu
dpolg-bundespolizei.org [also on 193.105.240.204]
inter-bundeskriminalamt.org [also on 193.105.240.204]

211.154.153.49 [China Motion Network Communication]
agentbundeskriminalamt.net
bundeskriminalamtde.net
onlinebundeskriminalamt.net
torrentbundeskriminalamt.net

Note that 77.87.229.14 is actually the real IP for bundespolizei.de, but the scammers are pointing their DNS records to it, presumably to cause confusion.

You can safely block access to 193.105.240.0/24 (Sia VPS) without much fear of losing anything important. The Chinese netblock is more mixed, but blocking at least 211.154.153.49 might be a good idea if you are in Germany.
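The trick of pointing a fake domain at the real bundespolizei.de address means you cannot simply block every IP in the list, or you block the genuine site too. The script below is an added example, not code from the original post: it takes the domain/IP table above, treats 77.87.229.14 as the legitimate address that must never be blocked, 193.105.240.0/24 as the range the post says is safe to block outright and 211.154.153.49 as a single host in a mixed netblock, and works out for each domain whether IP rules alone would catch it or whether it needs a name-based block as well.

```python
"""Decide, per fake domain, whether IP-layer rules are enough or a
name-based block is also needed.

Added example, not code from the original post. The domain/IP table, the
legitimate bundespolizei.de address, the Sia VPS netblock and the single
Chinese host are all taken from the post above.
"""
import ipaddress

FAKE_DOMAINS = {
    "bundespolizei-de.net": {"193.105.240.204"},
    "bundespolizei-de.org": {"193.105.240.204"},
    "bundespolizei-online.com": {"193.105.240.204"},
    "dpolg-bundespolizei.org": {"193.105.240.204", "77.87.229.14"},
    "inter-bundeskriminalamt.org": {"193.105.240.204", "77.87.229.14"},
    "inter-bundeskriminalamt.eu": {"77.87.229.14"},
    "agentbundeskriminalamt.net": {"211.154.153.49"},
    "bundeskriminalamtde.net": {"211.154.153.49"},
    "onlinebundeskriminalamt.net": {"211.154.153.49"},
    "torrentbundeskriminalamt.net": {"211.154.153.49"},
}

LEGIT_IPS = {"77.87.229.14"}                                # real bundespolizei.de: never block
BLOCK_NETS = [ipaddress.ip_network("193.105.240.0/24")]     # dedicated abusive range, block whole
BLOCK_IPS = {"211.154.153.49"}                              # mixed netblock: block this host only


def classify_ip(ip):
    """'legit', 'netblock', 'host' or 'unknown' for a single address."""
    addr = ipaddress.ip_address(ip)
    if ip in LEGIT_IPS:
        return "legit"
    if any(addr in net for net in BLOCK_NETS):
        return "netblock"
    if ip in BLOCK_IPS:
        return "host"
    return "unknown"


def plan(fake_domains):
    """Per domain: always sinkhole the name; say whether IP rules alone would also cover it."""
    out = {}
    for domain, ips in fake_domains.items():
        not_blockable = sorted(ip for ip in ips if classify_ip(ip) in ("legit", "unknown"))
        out[domain] = {
            "name_block": True,                        # names are cheap to block and always safe
            "ip_rules_sufficient": not not_blockable,  # every answer falls inside an IP rule
            "shared_or_unknown_ips": not_blockable,    # answers that must not be blocked by IP
        }
    return out


def ip_rules(fake_domains):
    """Firewall-style rules implied by the table: whole netblocks or /32 hosts, never LEGIT_IPS."""
    rules = set()
    for ips in fake_domains.values():
        for ip in ips:
            kind = classify_ip(ip)
            if kind == "netblock":
                addr = ipaddress.ip_address(ip)
                rules.add(next(str(n) for n in BLOCK_NETS if addr in n))
            elif kind == "host":
                rules.add(ip + "/32")
    return sorted(rules)


if __name__ == "__main__":
    for domain, p in plan(FAKE_DOMAINS).items():
        print(domain, p)
    print(ip_rules(FAKE_DOMAINS))
```

The domains that also resolve to 77.87.229.14 come out as "IP rules not sufficient", which is exactly the case the post is warning about: for those the block has to be on the name, not the address.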