Malware spam: "UKMail 988271023 tracking information" / no-reply@ukmail.com

NOTE:  as of 22nd January 2016, a new version of this spam email is in circulation, described here.

This fake delivery email does not come from UKMail but is instead a simple forgery with a malicious attachment:

From:    no-reply@ukmail.com
Date:    23 November 2015 at 11:06
Subject:    UKMail 988271023 tracking information

UKMail Info!
Your parcel has not been delivered to your address November 23, 2015, because nobody was at home.
Please view the information about your parcel, print it and go to the post office to receive your package.

Warranties
UKMail expressly disclaims all conditions, guarantees and warranties, express or implied, in respect of the Service.
Where the law prevents such exclusion and implies conditions and warranties into this contract,
where legally permissible the liability of UKMail for breach of such condition,
guarantee or warranty is limited at the option of UKMail to either supplying the Service again or paying the cost of having the service supplied again.
If you don't receive a package within 30 working days UKMail will charge you for it's keeping.
You can find any information about the procedure and conditions of parcel keeping in the nearest post office.

Best regards,
UKMail

The attachment is named 988271023-PRCL.doc and so far I have come across three different versions of this (VirusTotal results [1] [2] [3]), containing a malicious macro like this [pastebin] which according to these Hybrid Analysis reports [4] [5] [6] downloads a malware binary from the following locations:

www.capodorlandoweb.it/u654g/76j5h4g.exe
xsnoiseccs.bigpondhosting.com/u654g/76j5h4g.exe
cr9090worldrecord.wz.cz/u654g/76j5h4g.exe

This binary has a VirusTotal detection rate of 5/54. That VirusTotal report plus this Hybrid Analysis report and Malwr report indicate malicious traffic to the following IPs:

157.252.245.32 (Trinity College Hartford, US)
89.32.145.12 (Elvsoft SRV, Romania / Coreix, UK)
89.108.71.148 (Agava Ltd, Russia)
91.212.89.239 (UZINFOCOM, Uzbekistan)
89.189.174.19 (Sibirskie Seti, Russia)
122.151.73.216 (M2 Telecommunications, Australia)
37.128.132.96 (Memset Ltd, UK)
195.187.111.11 (SGGW, Poland)
37.99.146.27 (Etihad Atheeb Telecom Company, Saudi Arabia)
77.221.140.99 (Infobox.ru, Russia)
195.251.145.79 (University Of The Aegean, Greece)

The payload is likely to be the Dridex banking trojan.

MD5s:
37f025e70ee90e40589e7a3fd763817c
3e25ba0c709f1b9e399e228d302dd732
e6f1003e4572691493ab1845cb983417
5b6c01ea40acfb7dff4337710cf0a56c

Recommended blocklist:
157.252.245.32
89.32.145.12
89.108.71.148
91.212.89.239
89.189.174.19
122.151.73.216
37.128.132.96
195.187.111.11
37.99.146.27
77.221.140.99
195.251.145.79

Malware spam: "Scanned document from HP/Brother/Epson Scanner [87654321]"

These fake scanner emails follow a well-established pattern. Instead of containing a scanned document they have a malicious attachment.

Now.. if you are reading this then you are probably not the sort of person who would open an unsolicited message of this sort. Would you?

From:    Cindy Pate [Caroline.dfd@flexmail.eu]
Date:    2 April 2015 at 11:09
Subject:    Scanned document from HP Scanner [66684798]

Reply to: HP-Scanner@flexmail.eu
Model:KX-240NGZDC
Location: 1st Floor Office

File Format: DOC (Medium)
Resolution: 300dpi x 300dpi

Attached file is scanned document in DOC format.
Use Microsoft Office Word  of Microsoft Corporation to view the document.

----------

From:    Sterling Hoffman [Lara.dc4@astroexports.com]
Date:    2 April 2015 at 11:00
Subject:    Scanned document from Brother Scanner [07623989]

Reply to: Brother-Scanner@astroexports.com
Model:CG-240NWDUL
Location: 1st Floor Office

File Extension: DOC (Medium)
Resolution: 300dpi x 300dpi

Attached file is scanned document in DOC format.
Use Microsoft Office Word  of Microsoft Corporation to view the document.

----------

From:    Manuel Velez [Yesenia.10@acv.nl]
Date:    2 April 2015 at 12:04
Subject:    Scanned document from Epson Scanner [81829722]

Reply to: Epson-Scanner@acv.nl
Model:JS-240NRZYV
Location: 1st Floor Office

File Format: DOC (Medium)
Resolution: 300dpi x 300dpi

Attached file is scanned document in DOC format.
Use Microsoft Office Word  of Microsoft Corporation to view the document.

I have seen three different malicious attachments with low detection rates [1] [2] [3] which appear to contain one of two macros [1] [2] which download a further component from one of the following locations:

http://93.158.117.163:8080/bz1gs9/kansp.jpg
http://78.47.87.131:8080/bz1gs9/kansp.jpg

Those servers are almost definitely malicious in other ways, the IPs are allocated to:

93.158.117.163 (Aitos Svenska / Port80 , Sweden)
78.47.87.131 (Hetzner, Germany)

This is then saved as %TEMP%\sdfsdffff.exe which has a VirusTotal detection rate of just 1/56. Automated analysis [1] [2] [3] indicates that it calls home to:

188.120.225.17 (TheFirst-RU, Russia)
92.63.88.83 (MWTV, Latvia)
121.50.43.175 (Tsukaeru.net, Japan)
95.163.121.33 (Digital Networks CJSC aka DINETHOSTING, Russia)
82.151.131.129 (Doruknet, Turkey)
46.19.143.151 (Private Layer Inc, Switzerland)
45.55.154.235 (Digital Ocean, US)
195.130.118.92 (University Of Ioannina, Greece)
199.201.121.169 (Synaptica, Canada)
95.211.168.10 (Leaseweb, Netherlands)
222.234.230.239 (Hanaro Telecom, Korea)

Although the automated tools indicate that no files were dropped, the payload for this is almost definitely Dridex.

Recommended blocklist:
188.120.225.17
92.63.88.0/24
121.50.43.175
95.163.121.0/24
82.151.131.129
46.19.143.151
45.55.154.235
195.130.118.92
199.201.121.169
95.211.168.10
222.234.230.239
93.158.117.163
78.47.87.131

MD5s:
96f3aa2402daf9093ef0b47943361231
cff4b8b7f9adf1f5964b495a8116d196
68fb9aadda63d18f1b085d5bd8815223
64fa6501bd4d32b2958922598008ca96

"Requested Reset of Yoyr PayPal Password" spam / frustrationpostcards.biz

This fake PayPal spam leads to malware on frustrationpostcards.biz:

 Date:      Mon, 29 Apr 2013 13:22:03 -0500
From:      "service@paypalmail.com" [chichisaq0@emlreq.paypalmail.com]
Subject:      Requested Reset of Yoyr PayPal Password
  
Your account will stay on hold untill password reset.
How to reset your PayPal password

Hello [redacted],

To get back into your PayPal account, you'll have to create a new password.

It's easy:

    Click the link below to open a secure browser window.
    Confirm that you're the owner of the account, and then follow the instructions.

  Reset your password now

If you didn't requested help with your password, let us know immediately. Reporting it is important because it helps us prevent fraudsters from stealing your information.

  
Help Center | Security Center

Please don't reply to this email. It'll just confuse the computer that sent it and you won't get a response.

Copyright © 2013 PayPal, Inc. All rights reserved. PayPal is located at 2211 N. First St., San Jose, CA 95132.

PayPal Email ID 2A7X1

The link goes through a legitimate but hacked site to land on a malicious payload at [donotclick]frustrationpostcards.biz/news/institutions-trusted.php (report here) hosted on the following IPs:

82.236.38.147 (PROXAD Free SAS, France)
83.212.110.172 (Greek Research and Technology Network, Greece)
130.239.163.24 (Umea University, Sweden)


TheWHOIS details identify this domain as belonging to the Amerika gang:

Registrant ID:                          INTEGOY3JBV8IIHG
Registrant Name:                        Shouli Cowper
Registrant Address1:                    40 W 17th St
Registrant City:                        New York
Registrant Postal Code:                 10011
Registrant Country:                     United States
Registrant Country Code:                US
Registrant Phone Number:                +1.4682697453
Registrant Email:                       shouli_cowper563@bikeracer.com
 
Blocklist:
82.236.38.147
83.212.110.172
130.239.163.24
app-smart-system.com
contonskovkiys.ru
curilkofskie.ru
egetraktovony.ru
exrexycheck.ru
fenvid.com
frustrationpostcards.biz
gangrenablin.ru
gatareykahera.ru
janefgort.net
klosotro9.net
miniscule.pl
mortalsrichers.info
mortolkr4.com
peertag.com
pricesgettos.info
priorityclub.pl
smartsecurity-app.com
zonebar.net

AVB Logistic Company (avb-logistic.com) is a scam

AVB Logistic Company (avb-logistic.com) looks very much like a real company from the website, but in fact it is a scam operation laundering money, targeted primarily at people in Greece and Italy. It also appears to be related to a similar scam site called Landexpo Logistic (landexpo-logistic.com).

This fake company came to my notice because of a series of comments in another thread (original / Google Translated) which indicates that they may have been recruited through a spam run last year.

The AVB Logistics web site looks professional enough, but there's a reason for that which will become apparent:

AVB gives the following "facts" about itself on the web site:

As an external partner, AVB (Manchester), develops a comprehensive range of logistics and service solutions for trade and industry. In 2007, the group generated sales of 2.0 billion euros and currently employs approximately 8,500 staff in 44 countries. AVB operates in all important markets worldwide and has over 400 locations across all continents

It also claims its address to be:

United Kingdom:     AVB
Zenith,
Paycocke Road,
Basildon, Essex
SS14 3DW
   
E-Mail:     contact@avb-logistic.com

Although there is some evidence that they recently changed this from:

AVB Norris road 57. M29 8FH Manchester. Tel.: +44 161 408 1090.

They claim that their shares have been listed in London since 2000 under the stock ticker symbol TGH.

So, what's wrong with this picture. Well, in reverse order..

TGH is indeed a share on the London Stock market, but it belongs to Textainer Group Holdings Limited (as you might expect a with share with those initials).

There is no such company visible in the list of UK Companies (Companies House Webcheck) as AVB Logistic or AVB (Manchester) although there are plenty of innocent companies with the same name.

The address in Basildon belongs to a different company, Cosco Logistics. There are several companies nearby, none of which are called AVB. There appears to be no company called AVB in Basildon at all according to business listings.

There is no Norris Road in the postcode M29 8FH, but there is a Norris Street. Norris Street is very short, it only has about 4 properties on it, so there is no number 57. A Google search for "44 161 408 1090" reveals no credible references, but it does reveal an apparent scam site called landexpo-logistic.com sharing the same number.

According to their website, AVB Logistic has been in business since at least 2000, but their domain name was only registered on 15th January 2012 through a registrar in Russia with anonymous details:

Registration Service Provided By: RU-TLD.RU
Contact: +007.4012971111

Domain Name: AVB-LOGISTIC.COM

Registrant:
    PrivacyProtect.org
    Domain Admin        (contact@privacyprotect.org)
    ID#10760, PO Box 16
    Note - All Postal Mails Rejected, visit Privacyprotect.org
    Nobby Beach
    null,QLD 4218
    AU
    Tel. +45.36946676

Creation Date: 15-Jan-2012 
Expiration Date: 15-Jan-2013

Domain servers in listed order:
    ns1.avb-logistic.com
    ns2.avb-logistic.com

It is unlikely that a large and well-established company would only just have created their web site.

The site is hosted on 46.4.30.11, an IP address allocated to Hetzner in Germany, but then rented out to a Russian hosting company called reserver.ru. 

And the reason the site looks so professional? Most of it has been copied directly from a legitimate company called Logwin Logistics, you can see this very clearly on some pages. For example, Logwin's page about Graduates looks like this.

The AVB page at avb-logistic.com/university.htm looks like this:

There are several other pages that are a direct copy.

It's obvious that AVB Logisitic is a fake. But what does it do? Basically, it is a money mule operating being used to launder stolen money - typically from hacked bank accounts.

The "mule" is recruited to receive the stolen money from one account, and then send it out via Wire Transfer (for example, Western Union), taking a percentage of the money as commission along the way. So, for example, a bank account is hacked with €10,000 in it, the money is transferred to the "mule" who keeps 10 (€1000) and wires €9000 off to somewhere else (typically Russia or Ukraine).

But what happens next is that the original theft of €10,000 is discovered - but the mule is liable for the whole amount of money, and often this is where the police get involved. At best, the mule has to repay all €10,000, at worst there could be a criminal investigation.

So.. if approached by these people, probably the best thing to do is ignore them completely and do not reply. If you have moved money through your accounts for these people, then the best thing to do is speak to your bank right away.

Fake jobs: jobbslists.com, jobbsearcher.com, gbjobb.com and greecejobb.com

Yet more fake job offers, following on from this long-running scam. This time the following domains are in use to solicit replies:

jobbslists.com
jobbsearcher.com
gbjobb.com
greecejobb.com

The spam emails adveritising these may appear to come from your own email account (here's why). The "jobs" on offer are actually illegal activities such as money laundering.

For the record, the registrant details for those domains (which are almost definitely fake) are:

    Lorian Kern
    Email: loorjaan@yahoo.dk
    Organization: Lorian Kern
    Address: Sonderskovvej 22
    City: Lystrup
    State: Lystrup
    ZIP: 8124
    Country: DK
    Phone: +45.83743412 

If you have any example emails, please consider sharing them in the Comments. Thanks!

Something evil on 194.219.29.139

There's something evil on 194.219.29.139 [Forthnet SA, Athens], in this case it appears to related to the SpyEye trojan. In particular, a lot of traffic seems to be going to ce.ms sites, searching your logs for references to ce.ms/main.php might prove fruitful.

All these following sites are malicious:

2fdf2asolhost.cx.cc
3lshegijlsjelsf.ce.ms
3rdkjhgtuhryt67.ce.ms
75pe.be.ma
aficaekooy.qpoe.com
anupadwxst.x24hr.com
arumakhbyu.ygto.com
asgdfsewsd.co.cc
ashlpdfsqf.qpoe.com
avddhzvg.instanthq.com
bestdatastore1.com
bprvnnpqyc.ygto.com
bqafbink.cx.cc
calnlwwofb.yourtrap.com
cgadrhvi.qpoe.com
clothingbusinessstore.info
clothingforyoushop.info
clothingtraffic.info
convenientpayment.info
covgeokzq.instanthq.com
crowpe.servepics.com
cxjigz.my03.com
databusinessone.com
datamallone.com
datamarketone.com
dataoutletone.com
datashopone.com
datashowroomone.com
data-store-1.com
datastore1blog.com
datastore1online.com
datastore1s.com
datastore1shop.com
datastore1site.com
datastore1store.com
datastoreone.com
dhdhdhjh54hh.co.cc
djdqexcw.isasecret.com
dloqfgcio.mefound.com
dpqriw.isasecret.com
dqxylh.my03.com
dttnablz.qpoe.com
ecebvi.my03.com
ednmzirslh.ygto.com
entrari.com
eoxsme.isasecret.com
euvhdowvp.instanthq.com
ewxdemz.isasecret.com
exdlyy.qpoe.com
ezhwsc.yourtrap.com
faduwav.freetcp.com
fipvbsttod.qpoe.com
flytrpp.mefound.com
fmafyj.ygto.com
fokhebfjfh.ygto.com
fqyfbigboi.x24hr.com
freedatastore1.com
free-download-therandomslovo.info
funezgmxl.my03.com
gaagvay.yourtrap.com
gchiebsojm.x24hr.com
gdoyvgieb.qpoe.com
georhur.fartit.com
gjxpgxg.ygto.com
gkgfmca.freetcp.com
gkkdgqfmy.instanthq.com
glyluf.mefound.com
gnmtls.instanthq.com
gtxxczmsb.isasecret.com
gxpeah.isasecret.com
gzadbqwc.my03.com
hbsopvyj.mefound.com
hellomyfriends67.com
hqxrukctww.instanthq.com
hsjhbqto.yourtrap.com
hspeqss.ygto.com
ifkeqj.freetcp.com
ihpvfu.yourtrap.com
ilqwzsqq.my03.com
informationstore1.com
informationstoreone.com
infostoreone.com
irqokfb.yourtrap.com
ivdtqmm.freetcp.com
jbnyvv.fartit.com
jdqcacl.ygto.com
jfdbdh.yourtrap.com
jfexczhud.freetcp.com
jiwxii.x24hr.com
jjqumfo.yourtrap.com
jkfyoik.qpoe.com
jntvkefj.ygto.com
jpxaxin.ygto.com
jtimtp.isasecret.com
kavlnhld.qpoe.com
kntvftiy.fartit.com
kssldi.my03.com
kstxdc.fartit.com
kucbmkpeth.qpoe.com
kumtbzg.freetcp.com
kvsxvfhgd.freetcp.com
kweghfjkgejfrwerjkasdfpo.ce.ms
lagotgdf.yourtrap.com
leemask.in
lenxwlkwn.x24hr.com
lgufpaq.isasecret.com
lhoefbmqpm.my03.com
ljutyucawp.my03.com
lmraufougs.x24hr.com
lqpara.freetcp.com
mahqgq.mefound.com
mail.byteworks.gr
mail.pcc.com.gr
mail.pcchellas.gr
mggzpjujp.my03.com
miwpcp.instanthq.com
mkktnracrl.freetcp.com
mklesklo.x24hr.com
mohlvpn.yourtrap.com
mydatastore1.com
mzxvdj.ygto.com
nacha-onlinereports.com
nerocambodia-megafakahero.org
newdatastore1.com
newthelargestsize.info
nlq1.cx.cc
nlq2.cx.cc
nlq3.cx.cc
nluyaupv.mefound.com
nshyxr.mefound.com
nslvpounp.instanthq.com
nzlprarwhe.yourtrap.com
obalhtwnni.ygto.com
obeaejh.fartit.com
obnihfya.qpoe.com
oisgrqyfbd.yourtrap.com
omrzzn.freetcp.com
onronmx.cx.cc
oodklht.mefound.com
oprwbnwneg.mefound.com
otgnzxhnr.my03.com
pfgphuwrog.yourtrap.com
pleasekindlyuse.com
pmchvicoe.qpoe.com
pnarfrkph.x24hr.com
psilzbwaoj.x24hr.com
qagcqzz.isasecret.com
qdcunen.mefound.com
qeexwxol.instanthq.com
qerfhgkadhsfukhertgrpotgjpoidfg.ce.ms
qerfyhufghasdfvyugeqrtrgpoi.ce.ms
qibmjf.x24hr.com
qorohel.yourtrap.com
qpwnbrxqwv.ygto.com
quickandeasypayment.com
qyldimwv.instanthq.com
qyrcrqd.isasecret.com
rcelrfitq.yourtrap.com
rdumycvvac.instanthq.com
rgrdpxd.instanthq.com
rgstvqjazj.ygto.com
rivehq.cx.cc
rncqdqqflz.instanthq.com
rphhsr.freetcp.com
rvqulvz.instanthq.com
searchengine-8.co.cc
sjwzptjmzs.ygto.com
spkusrqst.isasecret.com
tbpwhmo.instanthq.com
thedatastore1.com
thesmallestextent.info
thmofp.isasecret.com
tijymwgz.ygto.com
tlikndvz.my03.com
tnnlip.fartit.com
tohkdecuz.my03.com
tqurhuysr.freetcp.com
tqykpgzz.freetcp.com
tyfnjdyz.freetcp.com
uajvdsz.x24hr.com
uaziensc.isasecret.com
udtogltty.my03.com
ukrnfo.mefound.com
uqeotsfdy.yourtrap.com
us-creditsecurity.com
uwpozd.fartit.com
vedsxpph.isasecret.com
vlktxk.yourtrap.com
vvbuecbh.yourtrap.com
vxhwkdjli.mefound.com
vzubdvp.x24hr.com
wewnpmee.qpoe.com
wiigzu.instanthq.com
wmvutsa.mefound.com
wnaqyhxxjt.isasecret.com
wwpeacethroughmoderation.cx.cc
wwwapp-ups.net
wwwapp-ups.org
wztmhm.fartit.com
xapxtgkdf.x24hr.com
xezzktfzc.ygto.com
xhqkercj.yourtrap.com
xkvawo.x24hr.com
xndlgcthsf.x24hr.com
xngwbvt.isasecret.com
xqjgutso.qpoe.com
xxotjjgaqp.instanthq.com
yaktijc.instanthq.com
ycmylomyi.yourtrap.com
yfsicntu.my03.com
ygtrejyadk.qpoe.com
yoyljwmmw.qpoe.com
yvzhxbs.yourtrap.com
ywkxvgt.ygto.com
yxghgxfx.isasecret.com
yxhuzn.instanthq.com
zmlrikykf.ygto.com
zngbeeidwd.x24hr.com
zshogenmd.qpoe.com
ztgdtmz.qpoe.com

Fake jobs: allworld-career.com, greece-newcareer.com, new-joboffers.com and worldjob-career.com

Four new domains offering a variety of fake and illegal jobs, part of a very long running series of scam emails.

allworld-career.com
greece-newcareer.com
new-joboffers.com
worldjob-career.com

These fake domains have been set up to solicit replies to bogus job offers, including money laundering and other illegal activities. The emails may appear to have been sent from your own account, but this is a simple forgery and does not mean that your email account has been compromised.

The registrant details are no doubt fake:

    Alexey Kernel
    Email: johnkernel26@yahoo.co.uk
    Organization: Alexey Kernel
    Address: Kreshchatyk Street 34
    City: Kiev
    State: Kiev
    ZIP: 01090
    Country: UA
    Phone: +38.00442794512 

All these domains have been registered in the past couple of days.

If you have a sample spam with one of these in, please consider sharing it in the Comments. Thanks!

Fake jobs: greece-career.com, il-career.com, mc-jobs.com and oae-career.com

Four new domains peddling fake jobs today, forming part of this very long running scam.

greece-career.com
il-career.com
mc-jobs.com
oae-career.com

The "jobs" offered are actually criminal activities such as money laundering. It may be that the email appears to come "from" you as well (the from address is trivially easy to fake, it doesn't mean that your machine is infected with anything).

Domains were registered two days ago to "Alexey Kernel", which is no doubt a fake name.

greece-career.com presumably targets Greek nationals, and il-career.com looks to be targeting Israelis. The other two are less clear, but our best guess is that mc-jobs.com might be targeting Macedonia (but the TLD is .mk) and oae-career.com might be the UAE and is just a typo. This continues the pattern of going after non-English speaking victims who might be fooled more easily by a scam email in their own language.

If you have any examples of this spam, please consider sharing them in the Comments. Thanks!

Fake jobs: eur-cvlist.com, gr-hire.com and world-cvlist.com

Three new fake jobs domains following this pattern, offering bogus jobs which will actually turn out to be money laundering or some other criminal activity.

eur-cvlist.com
gr-hire.com
world-cvlist.com

One characteristic of recent emails is that they appear to come "from" the recipient, as the spammers have forged the "from" field (which is very easy to do).

The registrant details for the domain are no doubt fake:

    Ricardo Lopez
    Email: ricardolip2@yahoo.com
    Organization: Ricardo Lopez
    Address: ul. Liivalaia 34-10
    City: Tallin
    State: Tallin
    ZIP: 15040
    Country: EE
    Phone: +3.726317190 

The domains were registered two days ago on 15th July. If you have samples of spam using these domains, please consider sharing them in the comments.

Fake jobs: greece-joblist.com and italia-lavoro.net

A pair of domains offering fake money mule jobs or reshipping mule jobs, the greece-joblist.com and italia-lavoro.net domains seem to be targeting Italian and Greek victims and form part of this long running scam.

If you have any examples (especially non-English ones) please share them in the comments!

Evil network: Didjief LLC / DIGIEF-NET AS48709 (91.200.242.0/23)

Didjief  LLC - or to give its full (and presumably fake) name "Didjief Internation Kulinari Koncept LLC" - runs a wholly malicious netblock in the 91.200.242.0/23 (91.200.240.0 - 91.200.243.255) range which includes a variety of malware sites, fake businesses, fake software and other malicious sites that should be blocked.

Many of these sites have wholly ficticious WHOIS entries or are registered through known black hat registrars. Some examples and references are:

A simple Google search bring up lots of matches that indicate malicious activity, for example 91.200.240 and 91.200.242. There are also fake business sites such as Adclickmarket.com which gives WHOIS contact details as:

    Ad Click Market Ltd.
    AdClickMarket        (info@adclickmarket.com)
    PO Box 279
    Alderley Edge
    Cheshire,SK9 7UQ
    GB
    Tel. +44.2854327

There is no company in the UK with the name Ad Click Market Ltd according to Companies House.

There is also another group of fake businesses using the "Advertising German Group" name, such as traveleshop.biz (also implicated in malware distribution here):

    Advertising German Group (AGG)
    Niclas Kappel        (niclas.kappel@yahoo.com)
    Kurt-Schumacher-Str. 5
    Bonn
    Nordrhein-Westfalen,D-53110
    DE
    Tel. +490.2284290

According to SiteVet, the AS48709 block has been bad ever since it was allocated late last year. The digief.eu domain associated with it is currently suspended, and it isn't clear if the WHOIS details for the netblock are accurate (they are probably not).

inetnum:        91.200.240.0 - 91.200.243.255
netname:        DIGIEF-NET
descr:          Didjief internation kulinari koncept LLC
address:        112 Kifissias Ave & Sina Str.Marousi
address:        Athens, Greece
phone:          +30 210 6159812
fax-no:         +30 210 6159812
person:         Adonis Mozanakis

abuse-mailbox:  abuse@digief.eu

On the subject of reputation, Google's safe browsing diagnostics for this block are pretty horrible:

Safe Browsing
Diagnostic page for AS48709 (XISOFT)

What happened when Google visited sites hosted on this network?

    Of the 114 site(s) we tested on this network over the past 90 days, 2 site(s), including, for example, waistor.com/, 91.200.240.0/, served content that resulted in malicious software being downloaded and installed without user consent.

    The last time Google tested a site on this network was on 2011-02-05, and the last time suspicious content was found was on 2011-02-05.

Has this network hosted sites acting as intermediaries for further malware distribution?

    Over the past 90 days, we found 21 site(s) on this network, including, for example, geodemy.com/, waistor.com/, 91.200.240.0/, that appeared to function as intermediaries for the infection of 2096 other site(s) including, for example, marchex.com/, semettreauvert.com/, fcolimpi.ge/.

Has this network hosted sites that have distributed malware?

    Yes, this network has hosted sites that have distributed malicious software in the past 90 days. We found 58 site(s), including, for example, waistor.com/, searchalthough.org/, pushot.com/, that infected 4866 other site(s), including, for example, fcolimpi.ge/, interhosting.kr/, schoenweb.nl/.

This is the full list of sites that I have found in this block (or are associated with it) , or you can download a more complete list with MyWOT ratings from here.

49oo.info
Abouthealth.name
Adclickmarket.com
Adobesoft.net
Adobesoftware.net
Allrequestsallowed.com
Allrequestsallowed.net
Animegarrett.com
Arinstasche.com
Avsk.ws
Bubendotcom.com
Chyoexte.com
Clickabundant.org
Clickcareless.org
Clickclumsy.org
Coffeescorer.com
Disdarred.info
Dontess.com
Easyregcleaner.net
Easysellerguide.net
Findcopper.org
Findcousin.org
Findfight.org
Findwild.org
Flashupdates.net
Gampbel.biz
Gnarenyawr.com
Guglionesi.net
Iaqhuberschewis.com
Juiceamount.com
Jukdoout0.com
Julianoserhio.com
Ltc-center.com
Montanessi.com
Negnsrevers.com
Nemotired.org
Offpaymentbiz.com
Olarkstats.com
Pipisutka.com
Qgceneuknash.com
Rammjyuke.com
Ranmjyuke.com
Result-lookup.info
Rinderwayr.com
Searchaddition.org
Searchadvertisement.org
Searchaffect.org
Searchafrica.org
Searchafter.org
Searchalthough.org
Searcharound.org
Searchcold.org
Searchdefeated.org
Searchfindaggressive.org
Searchjewel.org
Searchquiet.org
Searchrainy.org
Searchraspy.org
Selinect.ru
Superbulkmanager.com
Swltcho0.com
Teameter.net
Traveleshop.biz
Turbochange.com
Turboprotect.com
Vvps.ws
Xylylon.ru
Zoness.biz