Date: Tue, 20 Feb 2012 22:31:55 -0300
From: "Gilbert Ayers"
Subject: Termination of your accountant license.
You're receiving this message as a Certified Public Accountant and a member of AICPA.
Having trouble reading this email? View it in your browser.
Cancellation of CPA license due to tax return fraud allegations
Valued accountant officer,
We have received a notice of your possible assistance in income tax refund fraudulent activity for one of your employers. According to AICPA Bylaw Section 600 your Certified Public Accountant status can be withdrawn in case of the fact of filing of a false or fraudulent income tax return on the member's or a client's behalf.
Please be informed of the complaint below and provide your feedback to it within 14 days. The failure to do so within this term will result in termination of your Accountant status.
Complaint.pdf
The American Institute of Certified Public Accountants.
Email: service@aicpa.org
Tel. 888.777.7077
Fax. 800.362.5066
Showing posts with label Endurance International Group.
Wednesday 22 February 2012
AICPA Spam / favoriteburger.net
Following on from yesterday's AICPA spam run, a new domain is in use for the malicious payload: favoriteburger.net/search.php?page=73a07bcb51f4be71 on 209.59.212.14 (Endurance International Group again). The IP is worth blocking, and you may want to consider blocking larger ranges of this ISP, which seems to have a problem with this type of malicious site.
Wednesday 1 February 2012
NACHA Spam / sulusify.com
More NACHA spam leading to a malicious payload:
In this case, the malware is at sulusify.com/search.php?page=73a07bcb51f4be71 (it goes through a couple of redirectors first). A Wepawet report is here.
This is on 209.59.221.65, which is the Endurance International Group again. There are several malicious IPs in the 209.59.192.0/19 range now, perhaps indicating a deeper problem with this host.
Date: Wed, 31 Jan 2012 10:43:44 +0200
From: transactions@nacha.org
Subject: ACH payment canceled
The ACH transfer (ID: 64930940909169), recently initiated from your checking account (by you or any other person), was canceled by the Electronic Payments Association.
Canceled transfer
Transaction ID: 64930940909169
Reason of rejection See details in the report below
Transaction Report report_64930940909169.doc (Microsoft Word Document)
13450 Sunrise Valley Drive, Suite 100
Herndon, VA 20171
2011 NACHA - The Electronic Payments Association
Tuesday 31 January 2012
NACHA Spam / sulusate.com
More NACHA spam leading to a malicious payload:
This leads to a malicious payload at sulusate.com/search.php?page=977334ca118fcb8c, hosted on 209.59.220.98 (Endurance International Group, US). A Wepawet report for the malicious page is here.
Blocking the IP will prevent other malicious sites on the same server from doing their stuff. Endurance International has hosted several such malicious sites recently.
Date: 31 January 2012 22:55
Subject: ACH transaction fault
The ACH transaction ID: 415864020375, that had been effectuated from your banking account lately, was rejected by the bank of the recipient.
ACH transfer declined
Transaction ID: 415864020375
Details: please see the report below for details
Transaction Report report_415864020375.doc (Microsoft Word Document)
13450 Sunrise Valley Drive, Suite 100
Herndon, VA 20171
2011 NACHA - The Electronic Payments Association
Labels: Amerika, Endurance International Group, Malware, NACHA, Spam
Thursday 26 January 2012
Some malware sites to block 26/1/12
Some more malware sites to block, being used in current spam runs to distribute the blackhole exploit kit. Block the domains and IPs if you can.
Eonix, Canada
173.213.93.203
clostescape.com
Zerigo, US
173.248.190.37
chilleloot.com
Colo4Dallas, US
174.136.0.87
chillegraph.com
chilleline.com
Ixvar, Canada
174.142.247.164
clostery.com
Hostforweb, US
205.234.187.6
sulusient.com
Networld Internet, US
207.210.96.45
clostehold.com
72.249.126.223
chillemap.com
Confluence Networks, BVI
208.91.197.27 (parked)
closteyard.com
Endurance International, US
209.59.220.57
closteland.com
closterange.com
209.59.220.65
sulusity.com
209.59.220.202
chillency.com
209.59.221.158
closteation.com
Nuclear Fallout Enterprises, US
66.150.164.192
chilletect.com
74.91.119.202
sulusality.com
Linode, US
69.164.199.231
chillepay.com
96.126.96.123
chillechart.com
96.126.102.252
sulusium.com
Not resolving
chillebucks.com
chillecash.com
chillefunds.com
chillestruct.com
sulusius.com
sulusize.com
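As an added example (not code from the blog or from any of the hosts named in it), the script below turns the kind of indicators these posts publish into a practical check: the 209.59.192.0/19 range the author suggests blocking as a whole, a few of the per-post IPs and domains, and the shared /search.php?page=<16 hex chars> shape of the payload links seen in the AICPA and NACHA posts. It runs the checks over a handful of constructed proxy-log lines (the log format, timestamps and client addresses are made up for the example) and reports why each line tripped.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Indicators copied from the posts on this page. The /19 is the Endurance
# International range the author says is worth blocking as a whole; the
# single-host entries are a subset of the per-post IPs.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "209.59.192.0/19",
    "173.213.93.203/32",   # Eonix (clostescape.com)
    "173.248.190.37/32",   # Zerigo (chilleloot.com, chillestruct.com)
    "174.136.0.87/32",     # Colo4Dallas (chillegraph.com, chilleline.com)
    "78.159.118.226/32",   # Netdirect (second-stage download)
)]
BLOCKED_DOMAINS = {
    "favoriteburger.net", "sulusify.com", "sulusate.com", "clostescape.com",
    "chillestruct.com", "closteation.com", "monikabestolucci.ru",
}
# The payload links in these posts all look like /search.php?page=<16 hex chars>.
LANDING_RE = re.compile(r"/search\.php\?page=[0-9a-f]{16}$")


def domain_blocked(host):
    """True if host is a listed domain or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in BLOCKED_DOMAINS)


def ip_blocked(text):
    """True if text is an IP address that falls inside a listed network."""
    try:
        addr = ipaddress.ip_address(text)
    except ValueError:
        return False  # not an IP literal (e.g. a hostname)
    return any(addr in net for net in BLOCKED_NETWORKS)


def classify(url, dest_ip):
    """Return the list of reasons a request is suspicious (empty means clean)."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    reasons = []
    if domain_blocked(host):
        reasons.append("blocked-domain")
    # Catch both DNS-resolved destinations and URLs that carry a bare IP.
    if ip_blocked(dest_ip) or ip_blocked(host):
        reasons.append("blocked-ip")
    path = parts.path + ("?" + parts.query if parts.query else "")
    if LANDING_RE.search(path):
        reasons.append("landing-url-pattern")
    return reasons


# Constructed proxy log for the example: "<epoch> <client> <dest_ip> <method> <url>".
SAMPLE_LOG = """\
1329771600.123 10.0.0.21 209.59.212.14 GET http://favoriteburger.net/search.php?page=73a07bcb51f4be71
1329771601.456 10.0.0.22 93.184.216.34 GET http://www.example.com/index.html
1329771602.789 10.0.0.23 209.59.220.98 GET http://sulusate.com/search.php?page=977334ca118fcb8c
1329771603.001 10.0.0.24 78.159.118.226 GET http://78.159.118.226/forum/hp.php?i=8
1329771604.002 10.0.0.25 209.59.200.5 GET http://not-yet-listed.example/x.html
1329771605.003 10.0.0.26 198.51.100.7 GET http://unrelated.example/search.php?page=0123456789abcdef
"""


def scan(log_text):
    """Return (client, url, reasons) for every log line that trips a check."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue  # skip blank or malformed lines
        _ts, client, dest_ip, _method, url = fields[:5]
        reasons = classify(url, dest_ip)
        if reasons:
            hits.append((client, url, reasons))
    return hits


if __name__ == "__main__":
    for client, url, reasons in scan(SAMPLE_LOG):
        print(f"{client} -> {url}: {', '.join(reasons)}")
```

The CIDR check is what catches the fifth line: its destination is inside 209.59.192.0/19 even though neither the host nor the exact IP appears in any post, which is the point of the author's suggestion to block the larger range. The URL-shape check on the last line fires on its own, so a hit with only landing-url-pattern is a lead to verify rather than an automatic block.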
Wednesday 25 January 2012
Lazy BBB / "ACH transfer pending" spam, chillestruct.com and closteation.com
Here's a lazy spam about an "ACH transfer" that appears to come from the BBB, because the spammers have mixed up the campaigns.
The link in the spam routes through a couple of hacked sites to a malicious payload at chillestruct.com on 173.248.190.37 (Zerigo Inc, California) and closteation.com on 209.59.221.158 (Endurance International, Massachusetts). Wepawet reports are here and here.
Blocking the IPs will prevent any other malicious sites on those servers from causing problems.
Date: Wed, 24 Jan 2012 13:31:58 +0100
From: "manager@bbb.org" [manager@bbb.org]
Subject: ACH transfer pending
Dear Sir or Madam,
This message includes a notification about the ACH debit transfer sent on your behalf, that was held by our bank:
Transaction ID: 471209863177939
Transaction status: pending
In order to resolve this matter, please review the transaction details using the link below as soon as possible.
Yours faithfully,
Kathy Quirk
Accounting Department
Tuesday 24 January 2012
BBB Spam / chillebucks.com, sulusize.com and sulusity.com
More fake BBB spam leading to a malicious payload, this time hosted on the domain sulusize.com on 174.136.4.211 (Colo4, US). The server appears to be a legitimate hacked server, but blocking traffic to that IP is probably a wise idea if you can do it.
Some sample emails (the usual fake BBB approach):
Date: Tue, 23 Jan 2012 11:51:58 +0100
From: "BBB" [info@bbb.org]
Subject: Better Business Bureau service
Attachments: betterbb_logo.jpg
Attn: Owner/Manager
Here with the Better Business Bureau would like to inform you that we have received a complaint (ID 23387543) from your customer with respect to their dealership with you.
Please open the COMPLAINT REPORT below to find the details on this question and suggest us about your position as soon as possible.
We hope to hear from you very soon.
Sincerely,
Rebecca Wilcox
Dispute Counselor
Better Business Bureau
Council of Better Business Bureaus
4200 Wilson Blvd, Suite 800
Arlington, VA 22203-1838
Phone: 1 (703) 276.0100
Fax: 1 (703) 525.8277
==============
Date: Tue, 23 Jan 2012 12:16:00 +0100
From: "Better Business Bureau" [risk.manager@bbb.org]
Subject: Re: your customer's complaint ID 83031311
Attachments: betterbb_logo.jpg
Hello,
Here with the Better Business Bureau notifies you that we have received a complaint (ID 83031311) from one of your customers in regard to their dealership with you.
Please open the COMPLAINT REPORT below to obtain the details on this question and suggest us about your point of view as soon as possible.
We hope to hear from you very soon.
Regards,
Fernando Grodhaus
Dispute Counselor
Better Business Bureau
The malware tries to download further code from sulusity.com on 209.59.220.65 (Endurance International Group, US), another one to block. A Wepawet analysis is here.
Update #1: another version is doing the rounds with the initial malware hosted on chillebucks.com (69.163.37.22, Bula Networks California).
Update #2: The Wepawet analysis indicates that this might do something with the user's Facebook account as well as the usual malware payload.
Thursday 19 January 2012
Wire transfer malicious spam / monikabestolucci.ru:8801 and 78.159.118.226
More malicious spam doing the rounds, but this time it's more complicated than before.
From: accounting@victimdomain.com [mailto:accounting@victimdomain.com]
Sent: 18 January 2012 02:14
Subject: Re: Wire Transfer Confirmation (FED_93711S15719)
Dear Bank Account Operator,
WIRE TRANSACTION: FWD-7563133392175652
CURRENT STATUS: PENDING
Please Review your transaction as soon as possible.
The link goes to a legitimate hacked site containing some heavily obfuscated JavaScript, which in turn points to monikabestolucci.ru:8801 and then downloads further code from 78.159.118.226/forum/hp.php?i=8 (Netdirect, Germany). The Wepawet report is here, and there is also an Anubis report on the binary here.
monikabestolucci.ru is massively multihomed (a raw list is at the end of the post), presumably on legitimate hacked servers.
24.37.34.163 (Videotron, Canada)
46.105.28.61 (OVH Systems, Italy)
50.57.77.119 (Slicehost, Texas)
50.57.118.247 (Slicehost, Texas)
74.207.248.120 (Linode, New Jersey)
74.208.205.185 (1&1, US)
78.47.122.11 (Hetzner, Germany)
80.90.199.196 (Webfusion, UK)
81.31.43.43 (Master Internet, Czech Republic)
82.165.197.58 (1&1, Germany)
83.170.91.152 (UK2.NET, UK)
84.246.210.87 (Infortelecom, Spain)
88.191.97.108 (Dedibox SAS, France)
97.74.87.3 (GoDaddy, Arizona)
124.11.65.210 (TFN, Taiwan)
125.214.74.8 (Web24, Australia)
129.67.100.11 (Oxford University, UK)
173.201.187.225 (GoDaddy, Arizona)
173.230.137.129 (Linode, Florida)
173.255.229.33 (Linode, New Jersey)
174.122.121.154 (ThePlanet, Texas)
209.59.222.145 (Endurance International, Massachusetts)
211.44.250.173 (SK Broadband, Korea)
Blocking these IPs might be a pain, but it would block any other malicious sites on the same servers.
Raw list:
24.37.34.163
46.105.28.61
50.57.77.119
50.57.118.247
74.207.248.120
74.208.205.185
78.47.122.11
80.90.199.196
81.31.43.43
82.165.197.58
83.170.91.152
84.246.210.87
88.191.97.108
97.74.87.3
124.11.65.210
125.214.74.8
129.67.100.11
173.201.187.225
173.230.137.129
173.255.229.33
174.122.121.154
209.59.222.145
211.44.250.173