
Showing posts with label Fake Pharma. Show all posts

Tuesday 24 June 2014

doctorydvu.ru pharma spam has a .VCF attachment

This pharmacy spam comes with a .VCF attachment to try to bypass spam filters and common sense. In case you didn't know, a .VCF file is a vCard contact file that can be imported into your email application.
From:     Leticia Boyer M. D.
Date:     24 June 2014 10:25
Subject:     I'm your new family physician

Hello, my name is Leticia Boyer, M. D., and I'm your new family physician.

I want to recommend you online pharmacy with great amount of medicine and 70% discount.
I haven't believed till I checked it by myself. I'm sending you my vCard,
so you are able to find more info about me as well as link of mentioned pharmacy. 

The attachment is Leticia_Boyer_MD.vcf although probably it will change from spam-to-spam. The contents of this particular .vcf file are:

BEGIN:VCARD
VERSION;TYPE=WORK:3.0
FN:Leticia Boyer
N:Leticia Boyer;;;;
PROFILE:VCARD
ADR:;;He goes on to explain his pimping experience gave him the ability to get into new businesses.;NY;NY;28006;USA
EMAIL:[redacted]b90d3@pol.ir
ORG:TopPharmacy
URL:http://[redacted].doctorydvu.ru/?1113E36D0FED4E75BD169B5698E88
NOTE:The station was located to the south of Raglan street and between Evans street and Station street.
END:VCARD
The link in the email isn't malicious as it is just a fake pill site.. but it could be. This is a fairly novel approach at spamming though (I first saw it a couple of days ago) and it could well trick people into adding a contact.. although whether or not they would be daft enough to believe that this "new physician" would really be recommending a pharmacy with a Russian domain name remains to be seen.
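
A filter that only inspects the message body never sees this link, because it sits in the attachment's URL property. The following added example (not part of the original post) pulls URL and EMAIL values out of vCard attachments so they can be checked like body links; the blocklist set, the function names, and the sample message with its placeholder host label and addresses are assumptions constructed for illustration.

```python
"""Extract URL and EMAIL properties from vCard (.vcf) attachments."""
from email.message import EmailMessage
from urllib.parse import urlsplit

# Hypothetical local blocklist; doctorydvu.ru is the domain named in the post.
BLOCKED_DOMAINS = {"doctorydvu.ru"}
VCARD_TYPES = {"text/vcard", "text/x-vcard", "text/directory"}

# Constructed sample modelled on the vCard quoted in the post. The host label
# "redacted" and the e-mail address are placeholders. The URL line is folded
# (CRLF followed by a space) to exercise unfolding.
SAMPLE_VCARD = (
    "BEGIN:VCARD\r\n"
    "VERSION;TYPE=WORK:3.0\r\n"
    "FN:Leticia Boyer\r\n"
    "EMAIL:user@example.invalid\r\n"
    "ORG:TopPharmacy\r\n"
    "URL:http://redacted.doctorydvu.ru/?1113E36D0FED\r\n"
    " 4E75BD169B5698E88\r\n"
    "END:VCARD\r\n"
)


def build_sample_message():
    """Build a constructed message carrying the sample vCard as an attachment."""
    msg = EmailMessage()
    msg["From"] = "Leticia Boyer M. D. <sender@example.invalid>"
    msg["Subject"] = "I'm your new family physician"
    msg.set_content("I'm sending you my vCard.")
    msg.add_attachment(SAMPLE_VCARD.encode("utf-8"), maintype="text",
                       subtype="vcard", filename="Leticia_Boyer_MD.vcf")
    return msg


def unfold(text):
    """Undo vCard line folding: a line starting with space or tab continues the previous one."""
    lines = []
    for raw in text.splitlines():
        if raw[:1] in (" ", "\t") and lines:
            lines[-1] += raw[1:]
        elif raw.strip():
            lines.append(raw)
    return lines


def vcard_properties(text):
    """Yield (NAME, value) pairs, ignoring parameters and group prefixes."""
    for line in unfold(text):
        head, sep, value = line.partition(":")
        if not sep:
            continue
        name = head.split(";", 1)[0]             # drop ;TYPE=WORK and similar
        name = name.rsplit(".", 1)[-1].upper()   # drop an "item1." group prefix
        yield name, value.strip()


def is_blocked(host):
    """True if host is a blocked domain or a subdomain of one."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in BLOCKED_DOMAINS)


def vcard_links(msg):
    """Return (filename, property, value, host, blocked) for each link in vCard parts."""
    findings = []
    for part in msg.walk():
        filename = part.get_filename() or ""
        if not (filename.lower().endswith(".vcf")
                or part.get_content_type() in VCARD_TYPES):
            continue
        raw = part.get_payload(decode=True) or b""
        try:
            text = raw.decode(part.get_content_charset() or "utf-8", "replace")
        except LookupError:                      # unknown charset label
            text = raw.decode("utf-8", "replace")
        for name, value in vcard_properties(text):
            if name == "URL":
                try:
                    host = urlsplit(value).hostname
                except ValueError:               # malformed URL
                    host = None
            elif name == "EMAIL":
                host = value.rpartition("@")[2]
            else:
                continue
            host = (host or "").lower()
            findings.append((filename, name, value, host, is_blocked(host)))
    return findings


if __name__ == "__main__":
    for finding in vcard_links(build_sample_message()):
        print(finding)
```
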


Tuesday 6 May 2014

ccccooa.org - another hacked WordPress site

ccccooa.org ("Cumberland County Council on Older Adults") is another hacked WordPress site being used to serve pharma spam. I got 82 of these all at the same time..

From:     Linkedln Email Confirmation [emailing@compumundo.info]
Reply-To:     emailing@compumundo.info
To:     topsailes@gmail.com
Date:     6 May 2014 13:41
Subject:     Please confirm your email address

Linkedln

Click here to confirm your email address.

You will be asked to log into your account to confirm this email address. Be sure to log in with your current primary email address.

We ask you to confirm your email address before sending invitations or requesting contacts at Linkedln. You can have several email addresses, but one will need to be confirmed at all times to use the system.

If you have more than one email address, you can choose one to be your primary email address. This is the address you will log in with, and the address to which we will deliver all email messages regarding invitations and requests, and other system mail.

Thank you for using Linkedln!

--The Linkedln Team


This email was intended for [redacted]. Learn why we included this. © 2012, East Middlefield Road. Mountain View, CA 94043, USA 
One example landing URL is [donotclick]www.ccccooa.org/buyphentermine/ which leads to a sort of intermediary landing page..


This in turn goes to a redirector at [donotclick]stylespanel.com/h/go/phentermine.php and then to [donotclick]www.hq-pharmacy-online.com/search.html?q=phentermine which is a fake pharmacy site hosted on 95.211.228.240 (LeaseWeb, Netherlands) which is registered to a probably fake address in Argentina.


Avoid.. oh, and if you run a WordPress site please make sure the software is up-to-date.

Tuesday 13 August 2013

Pharma sites to block

These fake pharma sites and IPs seem related to these malware domains, and follow on from this list last week.

31.184.241.32 (Petersburg Internet Network, Russia)
46.29.18.176 (Sprint SA, Poland)
61.57.103.241 (Taoyuan TBC, Taiwan)
61.133.234.105 (Haidong Telecom, China)
91.199.149.238 (Novosibirsk A3 Ltd, Russia)
91.199.149.239 (Novosibirsk A3 Ltd, Russia)
91.204.162.81 (Network Communication, Poland)
91.204.162.95 (Network Communication, Poland)
91.204.162.96 (Network Communication, Poland)
91.216.163.92 (Informacines Sistemos Ir Technologijos UAB, Lithuania)
185.5.99.145 (Biznes-host.pl, Poland)
185.8.106.161 (HybridServers, Lithuania)
197.231.210.165 (Inspiring Networks LTD, Seychelles)
199.180.100.82 (PEG TECH INC, US)
199.180.100.85 (PEG TECH INC, US)

Recommended blocklist:

Tuesday 6 August 2013

Pharma sites to block 6/8/13

A new list of pharma sites and IPs, related to this bunch.

61.150.109.186 (China Telecom, China)
91.199.149.238 (Novosibirsk A3 Ltd, Russia)
91.199.149.239 (Novosibirsk A3 Ltd, Russia)
91.204.162.81 (Network Communication, Poland)
91.204.162.96 (Network Communication, Poland)
91.216.163.92 (Informacines Sistemos Ir Technologijos UAB, Lithuania)
178.88.64.149 (Kazakh Telecom, Kazakhstan)
185.5.99.145 (Biznes-host.pl, Poland)
185.8.106.161 (HybridServers, Lithuania)
190.55.85.133 (Telecentro S.A., Argentina)
192.162.19.196 (FOP Budko Dmutro Pavlovuch, Ukraine)
200.185.230.32 (Ajato Telecomunicacao Ltda, Brazil)
202.197.127.42 (CERNET, China)
218.92.160.138 (Funing Tianlong Netbar, China)




Tuesday 30 July 2013

Pharma sites to block 30/7/13

These IPs host (fake) pharma sites which seem to be associated with this gang and share some of their infrastructure. As far as I can tell, none of them host malware.. but the IPs involved could be repurposed as malware servers and blocking them might be prudent.

88.190.218.27 (PROXAD Free SAS, France)
91.199.149.238 (Novosibirsk A3 Ltd, Russia)
91.199.149.239 (Novosibirsk A3 Ltd, Russia)
91.200.13.15 (SKS-Lugan, Ukraine)
91.204.162.81 (Network Communication, Poland)
91.204.162.96 (Network Communication, Poland)
94.152.188.165 (KEI, Poland)
94.242.239.4 (root SA, Luxemburg)
109.107.203.45 (Vodafone, Czech Republic)
192.162.19.196 (FOP Budko Dmutro Pavlovuch, Ukraine)
198.23.59.79 (LiquidNet US LLC, US)

Recommended blocklist:

Saturday 6 April 2013

Facebook "Reminder: Reset your password" spam / accooma.org

Another very aggressive spam run promoting accooma.org which is a fake pharma site..

Date:      Sat, 6 Apr 2013 13:16:59 -0700 [16:16:59 EDT]
From:      Facebook
Subject:      Reminder: Reset your password

facebook   
You recently requested a new password for your Facebook account. It looks like we sent you an email with a link to reset your password 2 ago.
This is a reminder that you need to complete this action by clicking this link and Confirm or Cancel your request.

If you have any other questions, please visit our Help Center.
Thanks,
The Facebook Team

The emails vary somewhat in content. I've received 60+ of these today to one email account alone, so this site is being pushed very hard indeed. Although the email is annoying, it does not seem to be harmful. For more details, see this earlier post about another spam run for the same domain.

"Updated information" spam / accooma.org / classic-pharmacy.com

This scary looking spam is nothing more than an attempt to get you to click through to a fake pharmacy site:

Date:      Mon, 9 Feb 2004 13:00:35 +0000 (GMT)
From:      "Account Info Change" [info@virtualregistrar.com]
Subject:      Updated information

    Updated information

Hello,

The following information for your ID [redacted] was updated on 02/09/2012: Date of birth, Security question and answer.

If these changes were made in error, or if you believe an unauthorized person accessed your account, please reset your account password immediately.

This is an automated message. Please do not reply to this email. If you need additional help, visit our Support Center.

Thanks,
Customer Support

The link in the email goes to a landing page on accooma.org (184.82.155.18 - HostNOC, US) which clicks through to classic-pharmacy.com (184.82.155.20 - also HostNOC). These two IPs are very close together which indicates a bad block.

There does not appear to be any malware involved (see here and here) and of course nobody has changed any details on your account. You can safely ignore these emails.

A closer examination shows that HostNOC have suballocated 184.82.155.16/29 (184.82.155.16 - 184.82.155.23) to an unknown party. The following fake pharma sites are active in this range:

Friday 22 March 2013

Zendesk "An important notice about security" spam / vagh.ru / pillshighest.com

This unusual spam leads to a fake pharma site on pillshighest.com via vagh.ru and an intermediate hacked site.

Date:      Fri, 22 Mar 2013 13:52:08 -0700
From:      Support Team [pinbot@schwegler.com]
To:      [redacted]
Subject:      An important notice about security

We recently learned that the vendor we use to answer support requests and other emails (Zendesk) experienced a security breach.

We're sending you this email because we received or answered a message from you using Zendesk. Unfortunately your name, email address and subject line of your message were improperly accessed during their security breach. To help keep your account secure, please:

    Don't share your password. We will never send you an email asking for your password. If you get an email like this, please let us know right away.
    Beware of suspicious emails. If you get any emails that look like they're from our Support Team but don't feel right, please let us know - especially if they include details about your support request.
    Use a strong password. If your password is weak, you can create a new one.

We're really sorry this happened, and we'll keep working with law enforcement and our vendors to ensure your information is protected.

Support Team


Questions? See our FAQ.

This email was sent to [redacted].

©2013 Zendesk, Inc. | All Rights Reserved

Privacy Policy | Terms and Conditions

There appears to be no malware involved in this attack. After the user has clicked through to the hacked site (in this case [donotclick]www.2001hockey.com/promo/page/ - report here) the victim is bounced to [donotclick]vagh.ru on 193.105.210.212 (FOP Budko Dmutro Pavlovuch, Ukraine) and then on to [donotclick]pillshighest.com on 91.217.53.30 (Fanjcom, Czech Republic).

Some IPs and domains you might want to block:

Tuesday 19 February 2013

Cyberbunker fake pharma spam / 84.22.104.123

Crime-friendly host Cyberbunker strikes again, this time hosting more fake pharma sites on 84.22.104.123, being promoted through this suspicious looking spam:

Date:      Tue, 19 Feb 2013 22:58:26 +0000 (GMT)
From:      Apple [noreply@bellona.wg.saar.de]
To:      [redacted]
Subject:      Your Apple ID was used to sign in to FaceTime, iCloud, and iMessage on an iPhone 5

   
Dear Customer,
Your Apple ID ([redacted]) was used to sign in to FaceTime, iCloud, and iMessage on an iPhone 5.
If you have not recently set up an iPhone with your Apple ID, then you should change your Apple ID password. Learn More.
   
Privacy Policy
Copyright 2013 Apple Inc. 1 Infinite Loop, Cupertino CA 95014 - All Rights Reserved.

The spam has a link to an illegally hacked legitimate site that then bounces to drugstorepillstablets.ru hosted on 84.22.104.123 along with the following spammy sites:


Cyberbunker is nothing but bad news. Blocking 84.22.96.0/19 is an exceptionally good idea.

Monday 11 February 2013

"Support Center" spam / phticker.com

Not malware this time, but this fake "Support Center" spam leads to a fake pharma site at phticker.com:

Date:      Mon, 11 Feb 2013 06:13:52 -0700
From:      "Brinda Wimberly" [noreply@mdsconsulting.be]
Subject:      Support Center

    Welcome to Help Support Center

Hello,

You have been successfully registered in our Ticketing System

Please, login and check status of your ticket, or report new ticket here

See All tickets
   
Go To Profile

This message was sent to [redacted]. Should you have any questions, or if you believe that you have received this in error please contact us at support center.
The site appears to be clean from a malware perspective and is hosted on 171.25.190.246 (Verus AS, Latvia) along with these other fake pharma sites:


Monday 4 February 2013

StumbleUpon spam / drugstorepillstablets.ru

This fake StumbleUpon spam is something new: it leads to a fake pharma site on drugstorepillstablets.ru:

Date:      Mon, 4 Feb 2013 01:01:46 -0600 (CST)
From:      StumbleUpon [no-reply@stumblemail.com]
Subject:      Update: Changes to Your Email Settings

   

Hi [redacted],

This is a quick note to let you know about some changes we've made to the email settings in your StumbleUpon account. We've created a bunch of new notification options that allow you to have more control over what types of emails you'll receive from us. These new notification options are not compatible with the old settings, so your settings have been reset. We apologize for any inconvenience, and want to make sure we only send you the emails you want to receive.

Now what? Please click here to head over to your email settings and update your preferences, so we know exactly what emails you'd like to receive from StumbleUpon.

Want to receive all notifications about shares from friends, recommended Stumbles, and more? Great, you don't have to do anything at all!

Thanks for Stumbling,

The StumbleUpon Team

P.S. Haven't signed in for a while and can't remember your password? You can reset it here by entering the email address used in this email.
   
   

Please don't reply to this message - for all questions, check out our Help Center. To visit your email settings, please click here.

StumbleUpon | 301 Brannan Street, 6th Floor, San Francisco, CA 94107
There's no surprise to see that the IP address of the spamvertised site is 92.48.119.139 (Simply Transit, UK) along with the following other possibly spammy sites:



Thursday 24 January 2013

Fake pharma sites 24/1/13

Here's an updated list of fake RX sites being promoted through vague spam like this:


Date:      Thu, 24 Jan 2013 04:44:45 +0000 (GMT)
From:      "Account Info Change" [noreply@etraxx.com]
Subject:      Updated information

Attention please:


- Over 50 new positions added (view recently added products)
- Free positions included with all accounts (read more here)
- The hottest products awaiting you in the first weeks of the new year (read more here)
- We want you to feel as comfortable as possible while you're at our portal.


Click Here to Unsubscribe
As with a few days ago, these sites are hosted on:
199.59.56.59 (Hostwinds, Australia)
209.236.67.220 (WestHost Inc, US)

Currently active spamvertised sites are as follows:

Tuesday 15 January 2013

xree.ru and the persistent pharma spam

No doubt sent out by the same crew who are pushing malware, this pharma spam seems to have hit new highs.

Date:      Tue, 15 Jan 2013 05:35:04 -0500 (EST)
From:      Account Mail Sender [invoice@erlas.hu]
Subject:      Invoice confirmation

Hello. Thank you for your order.

We greatly appreciate your time and look forward to a mutually rewarding business relationship with our company well into the future.

At present, our records indicate that we have an order or several orders outstanding that we have not received confirmation from you. If you have any questions regarding your account, please contact us.

We will be happy to answer any questions that you may have.

Your Customer Login Page

Customer login: [redacted]

Thanking you in advance for your attention to this matter.

Sincerely, Justa Dayton
The link in the email goes through a legitimate hacked site to [donotclick]xree.ru/?contactus but then it redirects to a seemingly random fake pharma site. However, the redirect only works if you have the referrer set correctly.

The landing sites are on:
199.59.56.59 (Hostwinds, Australia)
209.236.67.220 (WestHost Inc, US)

I can't find any malware on these sites, but you may as well block them if you can as they seem to have a lot of domains on them:


Tuesday 25 December 2012

Godless Eastern bloc commie atheists

Honestly, who sends this sort of crap out on Christmas day? Umm.. equally, who checks their spam filter on Christmas day? Anyway, this is what the godless eastern bloc pinko commie atheist spammers are sending out today.

Date:      Tue, 25 Dec 2012 22:56:51 -0700
From:      "Ticket Support"
Subject:      Password Assistance

Thank you for your letter of Dec 25, your information arrived today.

Alright, here's the link to the site:

Proceed to Site

If we can help in any way, please do not hesitate to contact us.

Regards, Yuonne Ferro, Support Team manager.
Some variants of the body text:
"Thank you for contacting us, your information arrived today."
"Thank you for your letter regarding our products and services, your information arrived today."
"Thank you for considering our products and services, your information arrived today."

Some alternative sender names:
"Jonie Gunther", "Noreen Macklin", "Bonny Oconnell"

The spamvertised site is hosted on 84.22.104.123, which is Cyberbunker. Given their awful reputation, I am surprised that they haven't been de-peered. Yet.

There's certainly nothing of value at all in the 84.22.96.0/19 range, blocking the whole lot will cause you no harm. These are the other spammy domains on the same IP:


Monday 17 December 2012

pillscarehealthcare.com spam

There has been a massive amount of pharma spam pointing to pillscarehealthcare.com over the past 48 hours or so. Here are some examples:


Date:      Mon, 17 Dec 2012 02:47:56 +0000 (GMT)
From:      "Account Info Change" [tyjinc@palmerlakearttour.com]
To:      [redacted]
Subject:      Updated information

    Updated information

Hello,

The following information for your ID [redacted] was updated on 12/17/2012: Date of birth, Security question and answer.

If these changes were made in error, or if you believe an unauthorized person accessed your account, please reset your account password.

This is an automated message. Please do not reply to this email. If you need additional help, visit our Support Center.

Thanks,
Customer Support

==================


Date:      Mon, 17 Dec 2012 01:22:56 -0700
From:      "Angela Snider" [directsales@tyroo.com]
To:      [redacted]
Subject:      Pending ticket status

Ticketing System
Hello,
You have been successfully registered in our Ticketing System
Please, login and check status of your ticket, or close the ticket here
Go To Profile
   
See All tickets
This message was sent to [redacted]. Should you have any questions, or if you believe that you have received this in error please contact us at support center.


==================


Date:      Sat, 15 Dec 2012 21:37:47 -0700
From:      "Alexis Houston" [cmassuda@agf.com.br]
To:      [redacted]
Subject:      Pending ticket notification

Ticketing System
Hello,
You have been successfully registered in our Ticketing System
Please, login and check status of your ticket, or report new ticket here
Go To Profile
   
See All tickets
This message was sent to [redacted]. Should you have any questions, or if you believe that you have received this in error please contact us at support center.

==================


Date:      Sat, 15 Dec 2012 07:06:30 -0800
From:      "Account Sender Mail" [daresco@excite.com]
To:      [redacted]
Subject:      Account is now available

    Login unavailable due to maintenance ([redacted])

Hello,

Your Account is now available.

Our systems were unavailable due to maintenance and upgrading system. We apologizes for any inconvenience and appreciates the patience while this critical maintenance was performed. If you still face the problem then it would be better if you contact our team.

Access Your Account

Hope this information helps you.

Thanks,
Support team

==================

From: Kennedi Marquez [mailto:cwtroutn@naturalskincarereviews.info]
Sent: 17 December 2012 11:18
Subject: Updated information


    Updated information

Hello,
The following information for your ID [redacted] was updated on 12/17/2012: Date of birth, Security question and answer.

If these changes were made in error, or if you believe an unauthorized person accessed your account, please reset your account password.

This is an automated message. Please do not reply to this email. If you need additional help, visit our Support Center.

Thanks,
Customer Support

This appears to be punting fake drugs rather than malware. pillscarehealthcare.com is hosted on 95.58.254.74 (Kazakh Telecom, Kazakhstan). In my opinion blocking 95.58.254.0/24 will probably do you no harm. These other fake pharma web sites can be found on the same IP address:




Tuesday 6 November 2012

Apple "Account Info Change" spam / welnessmedical.com

Not malware this time, but Pharma spam.. the links in this fake Apple message lead to welnessmedical.com.


From: Apple [mailto:appleid@id.arcadiadesign.it]
Sent: Tue 06/11/2012 18:30
Subject: Account Info Change

Hello,

The following information for your Apple ID [redacted] was updated on 11/06/2012:

Date of birth
Security question(s) and answer(s)

If these changes were made in error, or if you believe an unauthorized person accessed your account, please reset your account password immediately by going to iforgot.apple.com.

To review and update your security settings, sign in to appleid.apple.com.

This is an automated message. Please do not reply to this email. If you need additional help, visit Apple Support.

Thanks,
Apple Customer Support



TM and copyright © 2012 Apple Inc. 1 Infinite Loop, MS 96-DM, Cupertino, CA 95014.
All Rights Reserved / Keep Informed / Privacy Policy / My Apple ID 


The fake pharma site (welnessmedical.com) is hosted on 84.22.127.43 along with a bunch of other ones, plus some additional sites one IP over at 84.22.127.44:


Oddly, 84.22.127.43 doesn't seem to be registered at RIPE. No matter, we know who the owner of 84.22.127.0 is:

inetnum:         84.22.127.0 - 84.22.127.7
netname:         A84-22-127-0
descr:           BLACK OPERATIONS
admin-c:         CBMT1-RIPE
tech-c:          CBMT1-RIPE
country:         NL
status:          ASSIGNED PA
mnt-by:          MNT-CB3ROB
mnt-lower:       MNT-CB3ROB
mnt-routes:      MNT-CB3ROB
source:          RIPE # Filtered

role:            Ministery of Telecommunications
address:         One CyberBunker Avenue
address:         CB-31337
address:         CyberBunker-1
address:         Republic CyberBunker
mnt-by:          MNT-CB3ROB
admin-c:         CBMT1-RIPE
tech-c:          CBMT1-RIPE
nic-hdl:         CBMT1-RIPE
source:          RIPE # Filtered

route:          84.22.96.0/19
descr:          R84-22-96-0
origin:         AS34109
mnt-by:         MNT-CB3ROB
source:         RIPE # Filtered


It's our old friends Cyberbunker again, who have registered the block with fake details. How RIPE lets them get away with this I don't know. If you can, I recommend blocking the entire 84.22.96.0/19 range as almost everything here is pretty seedy. You can read more about Cyberbunker's very dark grey hat activities over at Wikipedia if you want more information.
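
The check behind that observation, as an added example that is not part of the original post: it parses the inetnum and route objects quoted above and tests the two hosting addresses against each. The function names are this example's own.

```python
import ipaddress

# inetnum and route objects trimmed from the RIPE whois output quoted in the post.
WHOIS = """\
inetnum:         84.22.127.0 - 84.22.127.7
netname:         A84-22-127-0
route:          84.22.96.0/19
origin:         AS34109
"""

# The two hosting addresses named in the post.
HOSTS = ["84.22.127.43", "84.22.127.44"]


def parse_whois(text):
    """Return (inetnum networks, route networks) from 'key: value' whois lines."""
    inetnums, routes = [], []
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip().lower(), value.strip()
        if key == "inetnum":
            first, last = (ipaddress.ip_address(p.strip()) for p in value.split("-"))
            # A start-end range may need several CIDR blocks to express exactly.
            inetnums.extend(ipaddress.summarize_address_range(first, last))
        elif key == "route":
            routes.append(ipaddress.ip_network(value))
    return inetnums, routes


def coverage(ip, inetnums, routes):
    """Report which registry objects contain the address."""
    addr = ipaddress.ip_address(ip)
    return {
        "inetnum": [str(n) for n in inetnums if addr in n],
        "route": [str(n) for n in routes if addr in n],
    }


def report():
    inetnums, routes = parse_whois(WHOIS)
    return {ip: coverage(ip, inetnums, routes) for ip in HOSTS}


if __name__ == "__main__":
    for ip, hit in report().items():
        print(ip, hit)
```

The inetnum object only spans 84.22.127.0/29, so neither hosting address is inside it, while both fall inside the announced 84.22.96.0/19 route.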

Thursday 28 June 2012

Pinterest Spam / medicarewichi.com

Spammers will try anything.. this email pretends to be from Pinterest but it actually appears to lead to a fake pharma site at medicarewichi.com.

From: Pinterest [mailto:pinbot@pinterest.com]
Sent: 28 June 2012 14:41
Subject: New pins added

Hi!

    With millions of new pins added every week, we connecting people all over the world based on shared tastes and interests.        Explore pins   

©2012 Pinterest, Inc. | All Rights Reserved.
Privacy Policy | Terms and Conditions


The spamvertised site is hosted on 91.238.180.92 which looks like a cesspit of toxic sites and is probably best blocked.

Saturday 9 June 2012

IMDB "Your password is too weak" spam / thepharmhealth.com

This spam leads to a fake pharma site at thepharmhealth.com:

Date:      Sat, 9 Jun 2012 18:20:35 -0700 (PDT)
From:      IMDb User Protection [do-not-reply-here@imdb.com]
Subject:      Your password is too weak

This is an automatic message from the Internet Movie Database (IMDb) registration system.
Our system detected your password is too weak. Short passwords are easy to guess.

Please follow this link :

https://secure.imdb.com/password_update/imdb/74129625140408804050

If you used your IMDb password at any other sites, you'll need to change those passwords as well.

Regards,
IMDb User Protection help
http://imdb.com/register/

It's an interesting and novel approach, and it could easily be adapted for malware rather than fake prescriptions. thepharmhealth.com is hosted on 80.232.131.201 (SIA Lattelecom, Latvia).
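
A mail-filter check for this pattern, as an added example that is not part of the original post: it flags links whose visible text is a URL on one site while the href points somewhere else. The HTML is constructed, and it assumes the message wrapped the visible IMDb URL around a different href; `redirector.example` is a placeholder host.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed HTML modelled on the message above. The visible URL is the one
# quoted in the post; the href host is a placeholder, not the real redirector.
SAMPLE_HTML = """
<p>Please follow this link :</p>
<a href="http://redirector.example/r?id=1">https://secure.imdb.com/password_update/imdb/74129625140408804050</a>
<p>Regards,<br>IMDb User Protection help<br>
<a href="http://imdb.com/register/">http://imdb.com/register/</a></p>
"""

class AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host(url):
    return (urlsplit(url).hostname or "").lower()

def same_site(a, b):
    """True when one host equals the other or is a subdomain of it."""
    return a == b or a.endswith("." + b) or b.endswith("." + a)

def mismatched_links(html):
    """Return (shown host, real host) for links whose visible URL names another site."""
    parser = AnchorCollector()
    parser.feed(html)
    flagged = []
    for href, text in parser.links:
        shown = host(text) if text.lower().startswith(("http://", "https://")) else ""
        if shown and not same_site(shown, host(href)):
            flagged.append((shown, host(href)))
    return flagged
```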

Sunday 3 June 2012

"Digg Verification" spam / dietpilldrugstore.com

This spam appears to be from Digg, but it leads to a fake pharmacy. It could easily be adapted to distribute malware though, and this is the first time that I have seen a fake Digg message such as this.

From: Digg [mailto:noreply@e.digg.com]
Sent: Sun 03/06/2012 13:00
Subject: Digg Verification


  Problem viewing this email?
View it in your browser.
Hi xxxxxx@xxx.xxx
Thank you for registering with us at Facebook social sharing. We look forward to seeing you around the site.

Now your friends can see what you're reading around the web. Also you can add or delete any article from your activity. Click the Social button to turn this off.

What is Facebook Social Share?

Share your Digg experience with your Facebook friends. Let your friends see what you're reading as you discover the best news around the web.

The email looks pretty convincing, but the link in it is a redirector to a bogus pharmacy site at dietpilldrugstore.com on 94.155.49.57 (ITD Network, Bulgaria). That IP address has a number of other fake pharma sites (listed below) and is probably worth blocking.


Friday 18 May 2012

Myspace "Security updates" lead to fake pharma

This is a persistent spam run that has been going for a couple of days:

Date:      Fri, 18 May 2012 13:44:44 -0700
From:      "Myspace" [noreply@message.myspace.com]
Subject:      Security updates

myspace

We have recently updated our website to improve our security.

Please follow the instructions to ensure your account is enable and not blocked.

If you need immediate assistance, please contact our support team.

Note: It is important that your personal information is accurate and complete. This information may later be used to help verify the owner of the account. We does not sell or provide your personal information to third party companies.
Thank you for using Myspace!

The Myspace Team
http://www.myspace.com/

Have questions? Visit our help page. Myspace, 8391 Beverly Blvd, #349, Los Angeles, CA 90048.
© Myspace Inc. All Rights Reserved.

The link in the email goes to a variety of fake pharma sites, all of which appear to be hosted on 91.212.124.152 in a block registered to one Aleksandr Nikolaevich Nikultsev in the Ukraine. There doesn't seem to be much you would want to visit in 91.212.124.0/24 so blocking the whole lot might be prudent.

These are the sites I can find hosted on 91.212.124.152: