Sponsored by..

Showing posts with label India. Show all posts
Showing posts with label India. Show all posts

Wednesday 17 July 2013

02086 547426 "PC Wizard" tech support scam

Just a quick one.. some Indian scammers routing through a UK number 02086 547426 (02086547426) and purporting to be from a company "PC Wizard" just called and tried to convince me that something was wrong with my PC.

I'll do a write up later.. but in the mean time their MO is to get you to look at your Event Viewer for errors (there are always) errors, and then visit ammyy.com to run some remote control software. DO NOT LET THEM DO THIS!

Update:
I know this type of scam is quite common, and ammyy.com even admits that it is often abused in this way. There was a degree of sophistication here though in that they had a close approximation of my wife's name and we have an unlisted telephone number.

There were two operatives, the first one handles the initial part of the call and makes you open up your Event Viewer to look for errors and warnings (there are always some of those) and then warns you not to open the warnings or you will damage the computer. Operative number one had an Indian accent and sounded like they were coming in over a voice-over-IP connection.

Once they have you hooked, you get connected to a second Indian operator who attempts to connect to your computer with the ammyy.com remote control software. In this case it was operator 6070592.

After mucking the operator around for 20 minutes I confronted them with what they were doing. He was unapologetic and full of bullshit, and was still trying to connect to my machine.

Of course, the whole thing is a scam. I don't have a support contract for my version of Windows, the errors in my Event Viewer were harmless.. but if I had let the operator take control of my machine then he could have installed any sort of malware on it, or trashed the machine and then charge me a fortune to fix it.

I've been working in the IT field for almost 25 years and frankly it was obvious in the first few seconds that this was a scam. But for a naive user it might seem credible. If (like me) you end up doing tech support for your relatives, it might be a good idea to edit the PC's hosts file to block ammyy.com and www.ammyy.com:

0.0.0.0     ammyy.com
0.0.0.0     www.ammyy.com 



Tuesday 16 July 2013

Malware sites to block 16/7/13

These domains and IPs are associated with this gang. This time there appear to be some diet pill sites in the mix, these may be spammy or they may be malicious.. I would recommend blocking them all though.

24.173.170.230 (Time Warner Cable, US)
31.145.19.17 (Borusan Telekom / Ericsson, Turkey)
38.96.42.60 (PSInet / WiLogic Inc, US)
41.196.17.252 (Link Egypt, Egypt)
46.45.182.27 (Radore Veri Merkezi Hizmetleri A.S, Turkey)
46.246.41.68 (Portlane Networks, Sweden)
46.38.51.162 (TCTEL, Russia)
50.97.253.162 (Softlayer, US)
58.196.7.174 (CERNET, China)
59.124.33.215 (Chungwa Telecom, Taiwan)
59.126.142.186 (Chungwa Telecom, Taiwan)
59.160.69.74 (TATA, India)
61.220.221.92 (HINET / Chungwa Telecom, Taiwan)
64.49.246.226 (Rackspace, US)
69.162.76.10 (Limestone Networks, US)
74.93.56.83 (Comcast Business Communications, US)
77.240.118.69 (Acens Technlogies, Spain)
80.52.135.172 (TPNET, Poland)
81.17.140.138 (Velton.telecom, Ukraine)
82.165.41.13 (1&1, Philippines)
85.17.224.131 (Leaseweb, Netherlands)
85.119.187.145 (UNIWEB, Belgium)
87.236.211.159 (Azar Online, Iran)
88.86.100.2 (Supernetwork, Czech Republic)
89.161.255.30 (Home.pl, Poland)
89.248.161.146 (Ecatel, Netherlands)
95.111.32.249 (Mobitel / Megalan, Bulgaria)
98.192.168.80 (Comcast Communications, US)
103.9.23.34 (TPL Trakker, Pakistan)
108.179.8.103 (Tyco / Cablevision, US)
111.121.193.198 (China Telecom, China)
111.121.193.199 (China Telecom, China)
111.121.193.200 (China Telecom, China)
114.32.97.58 (HINET / Chungwa Telecom, Taiwan)
119.1.109.40 (QianXiNan County, China)
119.1.109.48 (QianXiNan County, China)
119.92.209.120 (Philippine Long Distance Telephone Company, Philippines)
128.252.158.57 (Washington University, US)
138.80.14.27 (Charles Darwin University, Australia)
140.115.43.187 (TANET, Taiwan)
143.239.87.38 (University College Cork, Ireland)
150.244.233.146 (Universidad Autonoma De Madrid , Spain)
151.155.25.109 (Novell, US)
151.155.25.111 (Novell, US)
172.255.106.17 (Nobis Technology Group, US)
173.167.54.139 (Iceweb Storage Corp / Comcast, US)
176.31.46.7 (OVH, France)
180.166.172.122 (China Telecom, China)
184.105.135.29 (Hurricane Electric, US)
188.132.213.115 (Hosting Internet Hizmetleri Sanayi Ve Ticaret Anonim Sirketi, Turkey)
190.85.249.159 (Telmex Colombia, Colombia)
192.241.205.26 (Digital Ocean, US)
193.95.91.78 (Agence Tunisienne Internet, Tunisia)
195.225.58.122 (C&A Connect SRL, Romania)
198.56.238.36 (Enzu Inc, US)
201.163.145.125 (Alestra, S. de R.L. de C.V., Mexico)
202.28.69.195 (UniNet, Thailand)
202.63.210.182 (CubeXS Private Lmited, Pakistan)
203.122.26.124 (Citycom Networks Pvt Ltd, India)
203.235.181.181 (Sejong Telecom, Korea)
203.236.232.42 (KINX, Korea)
207.254.1.17 (Virtacore Systems Inc, US)
208.115.114.68 (Wowrack, US)
209.222.67.251 (Razor Inc, US)
210.200.0.95 (Asia Pacific On-line Services Inc., Taiwan)
212.143.233.159 (013 Netvision Network, Israel)
222.20.90.25 (CERNET, China)

Blocklist:
24.173.170.230
31.145.19.17
38.96.42.60
41.196.17.252
46.45.182.27
46.246.41.68
46.38.51.162
50.97.253.162
58.196.7.174
59.124.33.215
59.126.142.186
59.160.69.74
61.220.221.92
64.49.246.226
69.162.76.10
74.93.56.83
77.240.118.69
80.52.135.172
81.17.140.138
82.165.41.13
85.17.224.131
85.119.187.145
87.236.211.159
88.86.100.2
89.161.255.30
89.248.161.146
95.111.32.249
98.192.168.80
103.9.23.34
108.179.8.103
111.121.193.198
111.121.193.199
111.121.193.200
114.32.97.58
119.1.109.40
119.1.109.48
119.92.209.120
128.252.158.57
138.80.14.27
140.115.43.187
143.239.87.38
148.81.111.91
148.81.111.92
150.244.233.146
151.155.25.109
151.155.25.111
172.255.106.17
173.167.54.139
176.31.46.7
180.166.172.122
184.105.135.29
188.132.213.115
190.85.249.159
192.241.205.26
193.95.91.78
195.225.58.122
198.56.238.36
201.163.145.125
202.28.69.195
202.63.210.182
203.122.26.124
203.235.181.181
203.236.232.42
207.254.1.17
208.115.114.68
209.222.67.251
210.200.0.95
212.143.233.159
222.20.90.25
abundanceguys.net
allgstat.ru
amazon.com.first4supplies.net
americanexpress.com.krasalco.com
americimblog.com
amimeseason.net
androv.pl
aniolyfarmacij.com
antidoctorpj.com
aqua-thermos.com
astarts.ru
auditbodies.net
augel.pl
autocompletiondel.net
autorize.net.models-and-kits.net
autotradeguide.net
avenues.pl
basedbreakpark.su
beachfiretald.com
beatenunwield.com
bebomsn.net
beirutyinfo.com
bestofallforallas.pl
blacklistsvignet.pl
blindsay-law.net
bnamecorni.com
boats-sale.net
brandeddepend.com
brasilmatics.net
businessdocu.net
buty24-cool.com
buycushion.net
cabby.pl
centow.ru
chairsantique.net
charismasalonme.net
childrensuck.net
cirormdnivneinted40.ru
clik-kids.com
com.amazon.com.first4supplies.net
condalinarad72234652.ru
condalinaradushko5.ru
condalininneuwu36.net
condalinneuwu5.ru
condalinrwgw136.ru
condalnua745746.ru
cotime.pl
cpa.state.tx.us.tax-returns.mattwaltererie.net
cryoroyal.net
dasay.pl
datapadsinthi.net
doorandstoned.com
driversupdate.pw
dulethcentury.net
e-citystores.net
editionscode.com
e-eleves.net
effectivenesspre.com
eftps.gov.charismasalonme.net
ehchernomorskihu.ru
ehnaisnwhgiuh29.net
ehnihenransivuennd.net
ehnihjrkenpj.ru
eliroots.ru
enchantingfluid.com
ensutringscal.net
enuhhdijsnenbude40.ru
ergopets.com
estateandpropertty.com
exterms.pl
faststream.pl
feminineperceiv.pl
filmstripstyl.com
fincal.pl
first4supplies.net
foremostorgand.su
freakable.net
fulty.net
gamnnbienwndd70.net
gcoordinatind.com
gebelikokulu.net
genie-enterprises.com
gentonoesleep.com
gerlos-hotel.net
getstatsp.ru
ghroumingoviede.ru
gnanosnugivnehu.ru
gondamtvibnejnepl.net
goodread.pl
gotip.pl
grivnichesvkisejj50.ru
guardianforyou.pl
gumfart.ru
hdmltextvoice.net
heidipinks.com
hemorelief.net
highsecure155.com
hingpressplay.net
hospitalinstitutee.com
hotautoflot.com
hotkoyou.net
hotpubblici.com
how-about-we.net
huang.pl
independinsy.net
info-for-health.net
initiationtune.su
insectiore.net
irs.gov.tax-refunds.ach.treehouse-dreams.net
jonkrut.ru
kirki.pl
krasalco.com
ledfordlawoffice.net
letsgofit.net
libulionstreet.su
linefisher.com
linkedin.com-update-report.taltondark.net
m.krasalco.com
made-bali.net
magiklovsterd.net
mantuma.pl
mattwaltererie.net
maxapps.pl
microsoftnotification.net
missdigitalworld.net
models-and-kits.net
modshows.net
morphed.ru
mosher.pl
nailapp.pl
namastelearning.net
ns3.thebodyfatsolutioncb.pl
nvufvwieg.com
offeringshowt.com
ompute.pl
oneday-movie.net
organizerrescui.pl
oupwareplanets.su
oydahrenlitu346357.ru
pinterest.com.reports0701.net
polymerplanet.net
porschetr-ml.com
potteryconvention.ru
privat-tor-service.com
przcloud.net
questphoneservice.net
quipbox.com
ratenames.net
recatalogfinger.net
relationshipa.com
relectsdispla.net
rentipod.ru
reports0701.net
rustin.pl
safebrowse.pw
scourswarriors.su
secrettapess.com
secureaction120.com
securednshooki.com
sendkick.com
sensetegej100.com
sitemax.pl
sklephoreca.pl
soberimages.com
spros.pl
stilos.pl
streetgreenlj.com
susubaby.net
tagcentriccent.net
tagcentriccent.pl
taltondark.net
tax-returns.gov.cpa.state.us.gebelikokulu.net
teakfromafrica.net
telecomerra.com
thebodyfatsolutioncb.pl
thebodyfatsolutionoi.pl
thegalaxyatwork.com
theguardian-newspaper.pl
therichboysmail.net
thetimesforyou.pl
thosetemperat.net
toetotoetimef.net
tor-connect-secure.com
treehouse-dreams.net
trymaximumslimbaba.pl
trymaximumslimbia.pl
trymaximumslimboa.pl
trymaximumslimbua.pl
trymaximumslimbuta.pl
trymaximumslimdel.pl
trymaximumslimeta.pl
trymaximumslimfea.pl
trymaximumslimfoa.pl
trymaximumslimfol.pl
trymaximumslimhoa.pl
trymaximumslimhol.pl
trymaximumslimhowa.pl
trymaximumsliminl.pl
trymaximumslimlacl.pl
trymaximumslimlal.pl
trymaximumslimlea.pl
trymaximumslimleta.pl
trymaximumslimlitta.pl
trymaximumslimmaa.pl
trymaximumslimmal.pl
trymaximumslimmea.pl
trymaximumslimmia.pl
trymaximumslimnel.pl
trymaximumslimnota.pl
trymaximumslimota.pl
trymaximumslimpaa.pl
trymaximumslimpal.pl
trymaximumslimpara.pl
trymaximumslimrata.pl
trymaximumslimroba.pl
trymaximumslimroll.pl
trymaximumslimroma.pl
trymaximumslimsaa.pl
trymaximumslimsal.pl
trymaximumslimsanda.pl
trymaximumslimsil.pl
trymaximumslimsina.pl
trymaximumslimsofa.pl
trymaximumslimsofl.pl
trymaximumslimsparl.pl
trymaximumslimteda.pl
trymaximumslimulda.pl
trymaximumslimundl.pl
tstatbox.ru
tvblips.net
u-janusa.net
ukbash.ru
unabox.pl
usenet4ever.net
usergateproxy.net
vahvahchicas.ru
vip-proxy-to-tor.com
vivendacalangute.net
wickedpl.com
wic-office.com
wordstudio.pl
wow-included.com
yourbodyfatsolutionaningm.pl
yourbodyfatsolutionharm.pl
yourbodyfatsolutionhom.pl
yourbodyfatsolutionlgf.pl
yourbodyfatsolutionlittm.pl
yourbodyfatsolutionlpa.pl
yourbodyfatsolutionlub.pl
yourbodyfatsolutionlui.pl
yourbodyfatsolutionmem.pl
yourbodyfatsolutionnak.pl
yourbodyfatsolutionncb.pl
yourbodyfatsolutionnff.pl
yourbodyfatsolutionnzk.pl
yourbodyfatsolutionronm.pl
yourbodyfatsolutionsam.pl
yourbodyfatsolutionsim.pl
yourbodyfatsolutionterm.pl
yourbodyfatsolutiontinm.pl
yourbodyfatsolutionuca.pl
yourbodyfatsolutionucb.pl
yourbodyfatsolutionuee.pl
yourbodyfatsolutionufd.pl
yourbodyfatsolutionuff.pl
yourbodyfatsolutionufg.pl
yourbodyfatsolutionugd.pl
yourbodyfatsolutionugf.pl
yourbodyfatsolutionuhh.pl
yourbodyfatsolutionukk.pl
yourbodyfatsolutionunb.pl
yourbodyfatsolutionunc.pl
yourbodyfatsolutionuoi.pl
yourbodyfatsolutionupa.pl
yourbodyfatsolutionusd.pl
yourbodyfatsolutionuub.pl
yourbodyfatsolutionuui.pl
yourbodyfatsolutionuvb.pl
yourbodyfatsolutionuvc.pl
yourbodyfatsolutionuzk.pl
yourbodyfatsolutionwam.pl
zestrecommend.com

Wednesday 12 June 2013

Malware sites to block 12/6/13

This is a refresh of this list of domains and IPs controlled by what I call the "Amerika" gang, and it follows on from this BBB spam run earlier. Note that IPs included in this list show recent malicious activity, but it could be that they have now been fixed. I also noticed that a couple of the domains may have been sinkholed, but it will do you no harm to block them anyway.

Hosts involved:
5.175.157.110 (GHOSTnet, Germany)
41.89.6.179 (Kenya Education Network, Kenya)
42.62.29.4 (Forest Eternal Communication Tech. Co., China)
46.18.160.86 (Saudi Electronic Info Exchange Company (Tabadul) JSC, Saudi Arabia)
46.165.248.117 (Leaseweb, Germany)
49.212.221.29 (Sakura Internet Inc., Japan)
50.56.216.124 (Rackspace, US)
50.57.166.222 (Slicehost, US)
59.42.10.172 (Guangdong Tuosi Software Science Garden, China)
67.159.12.94 (FDCservers, US)
67.202.109.141 (Steadfast Networks, US)
67.215.2.251 (Colo-Serv Communications, Canada)
77.237.190.22 (Parsun Network Solutions, Iran)
81.252.120.250 (Collectivit Locale , France)
83.136.249.108 (Sigmatic Oy, Finland)
85.17.178.56 (Leaseweb, Netherlands)
85.26.31.60 (Brutele SC, Belgium)
85.201.12.244 (Brutele SC, Belgium)
86.84.0.11 (Planet Technologies, Netherlands)
88.80.222.73 (Alfahosting, Germany)
93.89.235.13 (FBS Bilisim Cozumleri, Cyprus)
95.143.41.16 (Inline Internet / VPS4less, Germany)
95.170.95.142 (TransIP, Netherlands)
109.95.23.4 (Kvartal Plus Ltd, Russia)
109.129.225.68 (Belgacom / Skynet, Belgium)
110.78.147.173 (CAT Telecom, Thailand)
111.93.156.171 (Tata Teleservices, India)
112.170.169.56 (Korea Telecom, Korea)
114.4.27.219 (IDIA Kantor Arsip MKS, Indonesia)
116.3.3.200 (China Unicom, China)
119.147.137.31 (China Telecom, China)
141.28.126.201 (Hochschule Furtwangen, Germany)
143.107.220.160 (Universidade De Sao Paulo, Brazil)
151.1.224.118 (ITnet, Italy)
159.90.91.179 (Universidad Simon Bolivar, Venezuela)
159.253.18.253 (FastVPS, Estonia)
160.75.169.49 (Istanbul Technical University, Turkey)
164.77.149.237 (Isapre Banmedica, Chile)
172.8.24.9 (Angela Curtolo DBA / AT&T, US)
172.246.16.27 (Enzu Inc, US)
177.84.128.54 (Informática Ltda, Brazil)
177.86.131.18 (Prime Telecomunicacoes Ltda, Brazil)
177.124.195.202 (Mundivox Do Brasil Ltda, Brazil)
178.16.216.66 (Gabrielson Invest AB, Sweden)
181.52.237.17 (Telmex, Colombia)
183.82.221.13 (Hitech / Beam Telecom, India)
184.82.115.37 (HostNOC, US)
186.215.126.52 (Global Village Telecom, Brazil)
188.32.153.31 (National Cable Networks, Russia)
187.33.48.12 (GTi Telecomunicacoes Ltda, Brazil)
190.93.23.10 (Greendot, Trinidad and Tobago)
192.64.80.143 (Interserver, US)
192.210.216.90 (ColoCrossing, US)
193.254.231.51 (Universitatea Transilvania Brasov, Romania)
196.1.95.44 (Ensut-Computer Department, Senegal)
198.199.93.55 (Digital Ocean, US)
200.3.153.91 (Pontificia Universidad Javeriana, Colombia)
200.87.177.124 (EntelNet, Bolivia)
201.65.23.153 (Comercial 15 De Novembro Ltda, Brazil)
202.29.242.249 (UniNet, Thailand)
202.31.139.173 (Kum Oh National University Of Technology, Korea)
203.64.69.52 (Taiwan Academic Network, Taiwan)
203.157.216.77 (Information Technology Office, Thailand)
208.68.36.11 (Digital Ocean, US)
210.42.103.141 (Wuhan Urban Construction Institute, China)
213.74.79.236 (Superonline, Turkey)
216.172.102.230 (EBL Global Networks, US)
217.174.211.1 (Agarik SA, France)
222.200.187.83 (Sun Yat-sen University, China)

Plain IPlist for copy-and-pasting:
5.175.157.110
41.89.6.179
42.62.29.4
46.18.160.86
46.165.248.117
49.212.221.29
50.56.216.124
50.57.166.222
59.42.10.172
67.159.12.94
67.202.109.141
67.215.2.251
77.237.190.22
81.252.120.250
83.136.249.108
85.17.178.56
85.26.31.60
85.201.12.244
86.84.0.11
88.80.222.73
93.89.235.13
95.143.41.16
95.170.95.142
109.95.23.4
109.129.225.68
110.78.147.173
111.93.156.171
112.170.169.56
114.4.27.219
116.3.3.200
119.147.137.31
141.28.126.201
143.107.220.160
151.1.224.118
159.90.91.179
159.253.18.253
160.75.169.49
164.77.149.237
172.8.24.9
172.246.16.27
177.84.128.54
177.86.131.18
177.124.195.202
178.16.216.66
181.52.237.17
183.82.221.13
184.82.115.37
186.215.126.52
188.32.153.31
187.33.48.12
190.93.23.10
192.64.80.143
192.210.216.90
193.254.231.51
196.1.95.44
198.199.93.55
200.3.153.91
200.87.177.124
201.65.23.153
202.29.242.249
202.31.139.173
203.64.69.52
203.157.216.77
208.68.36.11
210.42.103.141
213.74.79.236
216.172.102.230
217.174.211.1
222.200.187.83

Identified malicious domains:
abacs.pl
autotradeguide.net
avastsurveyor.com
balckanweb.com
biati.net
bnamecorni.com
businessdocu.net
buyparrots.net
citysubway.net
cocainism.net
condalinarad72234652.ru
condalinneuwu5.ru
condalinra2735.ru
condalnuas34637.ru
condalnuashyochetto.ru
cunitarsiksepj.ru
diodmobilered.com
docudat.ru
ehchernomorskihu.ru
eheranskietpj.ru
ehnutidalvchedu.ru
ejoingrespubldpl.ru
enway.pl
ergopets.com
fastkrug.ru
federal-credit-union.com
freemart.pl
freenico.net
genown.ru
getstatsp.ru
ghroumingoviede.ru
giwmmasnieuhe.ru
gnunirotniviepj.ru
gondatskenbiehu.ru
gstoryofmygame.ru
haicut.com
hiddenhacks.com
historuronded.com
icensol.net
ingrestrained.com
inutesnetworks.su
janefgort.net
jetaqua.com
kirki.pl
klosotro9.net
lorganizedcue.com
ludena.ru
mantuma.pl
marvelfilms.net
mortolkr4.com
mslatearrival.com
multipliedfor.com
myhispress.com
nipiel.com
nvufvwieg.com
onlinedatingblueprint.net
otoperhone.com
oydahrenlitutskazata.ru
ozonatorz.com
pleak.pl
pnpnews.net
privat-tor-service.com
proxy-tor-service.com
relectsdispla.com
relectsdispla.net
reportingglan.com
safe-browser.biz
safe-time.net
salesplaytime.net
secondfiddleu.com
securepro7.ru
shopkeepersne.net
sludgekeychai.net
smartsecurityapp2013.com
smurfberrieswd.su
sngroup.pl
solarmiracles.net
techno5room.ru
televisionhunter.com
testerpro5.ru
thinkindi.net
tor-connect-secure.com
trleaart.net
twinkniche.net
twintrade.net
ukbarbers.net
unixawards.net
usergateproxy.net
usforclosedhomes.net
vip-proxy-to-tor.com
well-tailored.net
wmlawoffice.net
yelpwapphoned.com

Wednesday 29 May 2013

Malware sites to block 29/5/13

These domains and IP addresses are connected to this malware spam run and belong to a group I call the "Amerika" gang (because they tend to use fake US addresses for their WHOIS details but really seem to be Russian).

It's quite a long set of lists: first there is a list of malware domains, then a list of malicious IPs and their web hosts, followed by a plain recommended blocklist list of IPs for copy-and-pasting, finally a list of IPs that are advertised as nameservers within this group for research purposes only.

You might notice something odd going on at the University of Illinois in the 128.174.240.0/24 range. Hmm..

Domains:
adverstindotanes.com
assumedwhacked.su
auditbodies.net
autocanonicals.com
aviachecki.ru
avtotracki.ru
balckanweb.com
bebomsn.net
bednotlonely.com
beveragerefine.su
biati.net
businessdocu.net
buyparrots.net
carambatv.net
chairsantique.net
cocainism.net
condalinaradushko.ru
condalinaradushko5.ru
condalinradishevo.ru
confideracia.ru
coping-capacity.com
crossdissstep.com
crushandflussh.net
curilkofskie.ru
decimallogme.com
docudat.ru
doorandstoned.com
down-vid.net
e-eleves.net
ernutkskiepro.ru
exrexycheck.ru
fastkrug.ru
federal-credit-union.com
fenvid.com
flipboardre-late.com
gangrenablin.ru
garohoviesupi.ru
getstatsp.ru
ghroumingoviede.ru
giwmmasnieuhe.ru
heavygear.net
heidipinks.com
hiddenhacks.com
hotamortisation.net
iberiti.com
icensol.net
independinsy.net
initiationtune.su
insectiore.net
jounglehoodeze.su
letsgofit.net
linguaape.net
metalcrew.net
mgdooling.ru
mortolkr4.com
multipliedfor.com
mydkarsy.com
myfreecamgirls.net
nitrogrenberd.net
normansvenn.com
notyetratedwort.com
nvufvwieg.com
ochengorit.ru
otoperhone.com
outbounduk.net
outlookexpres.net
peertag.com
penetratedsync.su
pizdecnujzno.ru
proxy-tor-service.com
recorderbooks.net
relectsdispla.net
reportingglan.com
restaurantequipmentparadise.net
roobihhooerses.at
rusistema.ru
salesplaytime.net
sbliteratedtum.su
scanskype.pl
secrettapess.com
secureaction120.com
sludgekeychai.net
smartsecurity-app.com
smartsecurityapp2013.com
smurfberrieswd.su
solidlettersiz.su
stackltiplied.net
streetgreenlj.com
streetlookups.com
susubaby.net
sweetcarsinkas.at
tasteh-pux.com
techno5room.ru
testerpro5.ru
timeschedulin.com
time-update.com
time-update.net
trackerpro5.ru
twintrade.net
uestsradiates.net
usergateproxy.net
virgin-altantic.net
xenaidaivanov.ru
yelpwapphoned.com
zeouk-gt.com
zoohits.net

IPs and hosts:
5.175.155.183 (GHOSTnet, Germany)
37.131.214.69 (Interra Ltd, Russia)
41.89.6.179 (Kenya Education Network, Kenya)
42.62.29.4 (Forest Eternal, China)
50.193.197.178 (Comcast, US)
54.214.22.177 (Amazon AWS, US)
62.109.30.168 (TheFirst-RU, Russia)
77.237.190.22 (Parsun Network Solutions, Iran)
82.50.45.42 (Telecom Italia, Italy)
91.93.151.127 (Global Iletisim Hizmetleri, Turkey)
91.193.75.55 (KGB Hosting, Serbia)
94.249.208.228 (GHOSTnet, Germany)
95.43.161.50 (BTC, Bulgaria)
99.61.57.201 (AT&T, US)
103.7.251.36 (Fiberathome, Bangladesh)
109.169.64.170 (ThrustVPS, US)
112.196.2.39 (Quadrant Televentures / HFCL Infotel, India)
114.4.27.219 (Indosat, Indonesia)
114.247.121.139 (China Unicom, China)
115.28.35.163 (HiChina Web Solutions, China)
122.160.51.9 (ABTS, Delhia)
128.174.240.37 (University of Illinois, US)
128.174.240.52 (University of Illinois, US)
128.174.240.74 (University of Illinois, US)
128.174.240.153 (University of Illinois, US)
128.174.240.213 (University of Illinois, US)
140.117.164.154 (Sun Yat-sen University, Taiwan)
151.1.224.118 (Itnet, Italy)
159.253.18.253 (FastVPS, Russia)
162.209.12.86 (Rackspace, US)
166.78.136.235 (Rackspace, US)
177.5.244.236 (Brasil Telecom, Brazil)
178.20.231.214 (Salay Telekomunikasyon Ticaret Limited, Turkey)
178.209.126.87 (WestCall Ltd, Russia)
181.52.237.17 (Telmex, Colmbia)
183.82.221.13 (Hitech, India)
186.215.126.52 (Global Village Telecom, Brazil)
188.32.153.31 (National Cable Networks, Russia)
190.106.207.25 (Comcel, Guatemala)
192.154.103.81 (Gorillaservers, US)
192.210.216.53 (ColoCrossing, US)
197.246.3.196 (The Noor Group, Egypt)
201.65.23.153 (Comercial 15 De Novembro Ltda, Brazil)
201.170.148.171 (Telefonos del Noroeste, Mexico)
204.45.7.213 (FDCservers.net, US)
208.68.36.11 (Digital Ocean, US)
210.61.8.50 (Chunghwa Telecom, Taiwan)
212.179.221.31 (Bezeq International, Israel)
213.113.120.211 (Telenor, Sweden)
217.174.211.1 (Agarik SA, France)
222.200.187.83 (Sun Yat-sen University, China)

Recommended IP blocklist:
5.175.155.183
37.131.214.69
41.89.6.179
42.62.29.4
50.193.197.178
54.214.22.177
62.109.28.0/22
77.237.190.0/24
82.50.45.42
91.93.151.127
91.193.75.0/24
94.249.208.228
95.43.161.50
99.61.57.201
103.7.251.36
109.169.64.170
112.196.2.39
114.4.27.219
114.247.121.139
115.28.35.163
122.160.51.9
128.174.240.0/24
140.117.164.154
151.1.224.118
159.253.18.0/24
162.209.12.86
166.78.136.235
177.5.244.236
178.20.231.214
178.209.126.87
181.52.237.17
183.82.221.13
186.215.126.52
188.32.153.31
190.106.207.25
192.154.103.81
192.210.216.53
197.246.3.196
201.65.23.153
201.170.148.171
204.45.7.213
208.68.36.11
210.61.8.50
212.179.221.31
213.113.120.211
217.174.211.1
222.200.187.83

IPs advertising as nameservers (I'm pretty sure some of these are bogus, so use these for research purposes only):
2.121.229.200 (Sky Broadband, UK)
5.175.146.153 (GHOSTnet, Germany)
5.175.154.17 (GHOSTnet, Germany)
5.175.154.149 (GHOSTnet, Germany)
5.231.18.4 (GHOSTnet, Germany)
6.18.199.178 (Department of Defense, US)
6.20.13.25 (Department of Defense, US)
8.13.139.1 (Level 3 Communications, US)
8.18.19.15 (Level 3 Communications, US)
8.18.19.16 (Level 3 Communications, US)
11.3.51.158 (Department of Defense, US)
12.179.132.98 (Intuit, US)
14.139.209.13 (National Institute Of Technology, India)
15.78.78.23 (Hewlett Packard, US)
15.84.23.131 (Hewlett Packard, US)
17.19.12.100 (Apple Inc, US)
20.2.45.143 (CSC, US)
22.100.28.100 (Department of Defense, US)
29.125.31.77 (Department of Defense, US)
42.96.142.17 (Alibaba, China)
42.96.194.13 (Alibaba, China)
46.254.18.79 (Internet-Hosting Ltd, Russia)
65.34.1.1 (RoadRunner / Bright House, US)
65.180.199.2 (Sprint, US)
66.100.109.112 (Savvis, US)
71.123.11.14 (Verizon, US)
77.99.44.18 (Virgin Media, UK)
80.249.65.80 (Djaweb, Algeria)
81.31.227.60 (Chapar Raseneg, Iran)
85.25.189.163 (Intergenia / PlusServer AG, Germany)
91.215.156.62 (Infinite Technologies, Netherlands)
91.242.214.33 (Hostcircle, India)
92.190.190.191 (France Telecom, France)
95.143.41.41 (Inline Internet / VPS4less, Germany)
112.72.64.217 (VTC Wireless Broadband Company, Vietnam)
114.199.141.85 (Hyundai Communications, Korea)
125.39.104.86 (Beijing Sinainternetinformationservice, China)
153.127.248.205 (Kagoya Japan Corporation, Japan)
162.209.14.28 (Rackspace, US)
173.1.12.57 (GoGrid LLC, US)
175.102.0.187 (Shanghai Yovole Networks, China)
176.19.224.180 (Mobily, Saudi Arabia)
177.5.230.242 (Brasil Telecom, Brazil)
184.106.229.74 (Rackspace, US)
186.25.27.65 (Telcel, Venezuela)
186.25.27.66 (Telcel, Venezuela)
201.101.98.89 (UniNet, Mexico)
202.63.105.86 (Southern Online Bio Technologies, India)
202.93.114.90 (FirstasiaNet, Indonesia)
207.58.158.186 (Servint, US)
207.182.146.247 (Xlhost, US)
209.140.18.37 (Landis Holdings, US)
210.25.137.197 (China Education and Research Network, China)
211.20.45.138 (Chunghwa Telecom, Taiwan)
214.191.12.134 (Department of Defense, US)
214.191.102.34 (Department of Defense, US)


Tuesday 16 April 2013

Disgraceful Arif Khan / Mak Media spam

For some time now I've been plagued with spam that looks like this:

Date:      Tue, 16 Apr 2013 09:11:37 -0400
From:      "Mesothelioma"
To:      [redacted]
Subject:      Learn The Link Between Asbestos and Mesothelioma

5670242064119134040....02158166418942886316dc91aae549f7.02158166418942886316dc91aae549f7.5670242064119134040..02158166418942886316dc91aae549f7.. 33100457.5670242064119134040..02158166418942886316dc91aae549f7.5670242064119134040..

Learn The Link Between Asbestos and Mesothelioma

Rebosiet riwan ducufaf. 02158166418942886316dc91aae549f7 Rire ti 5670242064119134040 sasah 33100457 totetes 33100457 tela. 33100457 Woc 02158166418942886316dc91aae549f7 esic 02158166418942886316dc91aae549f7 sew 02158166418942886316dc91aae549f7 se 02158166418942886316dc91aae549f7 icin 02158166418942886316dc91aae549f7 icat 33100457 worag 33100457 ne 02158166418942886316dc91aae549f7 tedit 33100457 kodu. 02158166418942886316dc91aae549f7 Eca cehag 33100457 kose. 02158166418942886316dc91aae549f7 Adodiner 5670242064119134040 nure 33100457 bebose aleri ira 02158166418942886316dc91aae549f7 malitu noharie ituror [this crap goes on and on to try to get past spam filters]
The spam is on a variety of topics, but one thing that makes me cross is seeing spam on this particular topic. Why? Well, this particular illness is linked to many high-paying lawsuits, and as a result advertisers can pay out a surprising amount of cash per click estimated here to be worth over $80 for some individual clicks. But in this case, they will be essentially worthless clicks to the advertiser. And who ends up paying for these worthless clicks? Well, ultimately the costs get extracted from the sufferers of this illness from their settlements.

There are three parties involved in this scam. Working backwards, the ads displayed on the landing page are run by Google, the landing page itself is owned by an outfit called Adilizer.com who claim to be based in Texas. But the spamming itself seems to be the work of one Arif Khan who is the CEO of an Indian company called Mak Media.

Let's look at when clicking on the link on that spam gets us..
hxxp:||rng172.fuldbate.us/2437a38863ab64aa3397118536dc91aae549f7
leads to
hxxp:||rng172.fuldbate.us/98F22437a38863ab64aa3397118536dc91aae549f7
leads to
hxxp:||rk3231.com/m/ec.php?k=651&kc=78236&ks=0&pc=547&tt=1&t1=yogesh&t2=&t3=&t4=&u=&u2=
leads to
hxxp:||obmedia.com/m/ec.php?k=651&kc=78236&ks=0&pc=547&tt=1&t1=yogesh&t2=&t3=&t4=&u=&u2=
leads to
hxxp:||www.myown-big-find-tool.com/

The domains myown-big-find-tool.com, obmedia.com and rk3231.com belong to Adilizer and look like they could be some sort of affiliate link. So, we can perhaps assume that Adilizer are not directly responsible for the spam.

The domain fuldbate.us is owned by Arif Khan, and rng172.fuldbate.us is hosted on 198.84.76.172 which is where this spam originates. These are the pertinent WHOIS details for the domain:

Registrant ID:                               FF70EC5B09E3DC10
Registrant Name:                             Arif Khan
Registrant Organization:                     Gravity Media
Registrant Address1:                         Bhopal
Registrant Address2:                         Bhopal
Registrant City:                             Bhopal
Registrant State/Province:                   MP
Registrant Postal Code:                      462001
Registrant Country:                          India
Registrant Country Code:                     IN
Registrant Phone Number:                     +91.9425677527
Registrant Email:                            praveen.shukla4015@gmail.com
Registrant Application Purpose:              P1


"Gravity Media" may or may not exist, but domain WHOIS details are easy to fake. But if we look at who the IP address is allocated to then we can see a bit more information.

%rwhois V-1.5:003fff:00 rwhois.hostwinds.com (by Network Solutions, Inc. V-1.5.9.5)
network:Class-Name:network
network:ID:Hostwinds Block-198.84.76.172/32
network:Auth-Area:198.84.76.172/32
network:Network-Name:Mak Media Network
network:IP-Network:198.84.76.172/32
network:IP-Network-Block:198.84.76.172 - 198.84.76.172
network:Customer Organization:Mak Media
network:Customer Address;I:Plot N0 4 , Kerma Tower
network:Customer City;I:BHopal
network:Customer State/Province;I:Madhya Pradesh
network:Customer Postal Code;I:462001
network:Customer Country Code;I:IN
network:Organization;I:Hostwinds LLC
network:Tech-Contact;I:abuse@hostwinds.com
network:Admin-Contact;I:abuse@hostwinds.com
network:Abuse-Contact;I:abuse@hostwinds.com


This reveals the apparently genuine organisation of Mak Media, of which Arif Khan is CEO according to his LinkedIn page. Note that there are several companies of a similar name, but this one seems to be based in Bhopal.


To quote Mr Khan, his background is of:
Intense drive and overachieving mentality with a track record of consistently meeting and exceeding goals. Dedicated work ethic, and intense desire to succeed in achieving an aggressive career and financial growth.

Specialties: Email Marketing, lead generation,database management, email marketing, list management, Email Monetization, Affiliate Marketer!!
In other words, he takes advantage of India's non-existent spam laws and blasts as many mailboxes as he can with crappy affiliate links.

But the spam doesn't come from just one domain and IP. Arif Khan uses hundreds of throwaway .us addresses and multiple IPs. These are the ones I have seen in the past week:
fuldbate.us
excrep.us
buidep.us
xlitisew.us
trunalk.us
ryismeth.us
fjouck.us
duptous.us
certious.us
grembing.us
bablump.us
ghtchity.us
fluitice.us
fjoutte.us
cabatki.us
asatuary.us
echead.us
brooto.us
falert.us
eurness.us
djasynt.us
abubcum.us
emenger.us
ograst.us
hapric.us

Each one comes from a different IP address in the 198.84.76.0/24 range suballocated from Hostwinds to Mak Media. But there's something weird, because Hostwinds haven't allocated a 256-address /24 block at all.. they've allocated 256 /32 blocks of a single IP address each. This is presumably a trick to make sure that the whole /24 range doesn't get blacklisted at once.

If you are plagued with this spam and have the capability to do so, block all incoming email from and web traffic to 198.84.76.0/24 and it should effectively block it for now. And reporting any spam to abuse -at- hostwinds.com will probably do no harm.. although I suspect it will do little good.


"Fiserv Secure Email Notification" spam

This spam has an encrypted ZIP file attached that contains malware. The passwords and filenames will vary.


From: Fiserv Secure Notification [mailto:secure.notification@fiserv.com]
Sent: Tue 16/04/2013 14:02
Subject: [WARNING : MESSAGE ENCRYPTED] Fiserv Secure Email Notification - CC3DK9WJW8IG0F5


You have received a secure message

Read your secure message by opening the attachment, Case_CC3DK9WJW8IG0F5.zip.

The attached file contains the encrypted message that you have received.

To decrypt the message use the following password -  KsUs3Z921mA

To read the encrypted message, complete the following steps:

 -  Double-click the encrypted message file attachment to download the file to your computer.
 -  Select whether to open the file or save it to your hard drive. Opening the file displays the attachment in a new browser window.
 -  The message is password-protected, enter your password to open it.

To access from a mobile device, forward this message to mobile@res.fiserv.com to receive a mobile login URL.

If you have concerns about the validity of this message, please contact the sender directly. For questions about secure e-mail encryption service, please contact technical support at 888.979.7673.

2000-2013 Fiserv Secure Systems, Inc. All rights reserved.

In the case of the sample I have seen, there is an attachment Case_CC3DK9WJW8IG0F5.zip which unzips using the supplied password to Case_Fiserv_04162013.exe (note the date is encoded into the filename).

At the time of writing, VirusTotal results are just 5/46. The Comodo CAMAS report is here, the ThreatExpert report here and the ThreatTrack sandbox report can be downloaded from here (this is the most detailed one). This seems to be a Zbot variant.


The bad IPs involved are:
50.116.15.209 (Linode, US)
62.103.27.242 (OTEnet, Greece)
78.139.187.6 (Caucasus Online Ltd, Georgia)
87.106.3.129 (1&1, Germany)
108.94.154.77 (AT&T, US)
117.212.83.248 (BSNL Internet, India)
120.61.212.73 (MTNL, India)
122.165.219.71 (ABTS Tamilnadu, India)
123.237.187.126 (Reliance Communications, India)
176.73.145.22 (Caucasus Online Ltd, Georgia)
186.134.148.36 (Telefonica de Argentina, Argentina)
190.39.197.150 (CANTV Servicios, Venezuela)
195.77.194.130 (Telefonica, Spain)
199.59.157.124 (Kyvon, US)
201.211.224.46 (CANTV Servicios, Venezuela)
212.58.4.13 (Doruknet, Turkey)

Recommended blocklist:
korbi.va-techniker.de
mail.yaklasim.com
phdsurvey.org
vbzmiami.com
user1557864.sites.myregisteredsite.com
50.116.15.209
62.103.27.242
78.139.187.6
87.106.3.129
108.94.154.77
117.212.83.248
120.61.212.73
122.165.219.71
123.237.187.126
176.73.145.22
186.134.148.36
190.39.197.150
195.77.194.130
199.59.157.124
201.211.224.46
212.58.4.13

Friday 22 February 2013

"End of Aug. Stat." spam / forummersedec.ru

This fake invoice email leads to malware on forummersedec.ru:

Date:      Fri, 22 Feb 2013 11:33:38 +0530
From:      AlissonNistler@[victimdomain]
Subject:      Re: FW: End of Aug. Stat.
Attachments:     Invoices-1207-2012.htm

Hallo,

as reqeusted I give you inovices issued to you per dec. 2012 ( Internet Explorer/Mozilla Firefox file)

Regards


The attachment attempts to redirect the victim to a malicious payload at [donotclick]forummersedec.ru:8080/forum/links/column.php (report here) hosted on

84.23.66.74 (EUserv Internet, Germany)
122.160.168.219 (Trackon Couriers, India)

The following IPs and domains are related and should be blocked:
84.23.66.74
122.160.168.219
eiiiioovvv.ru
ejjiipprr.ru
emmmhhh.ru
errriiiijjjj.ru
famagatra.ru
familanar.ru
faneroomk.ru
filialkas.ru
finalions.ru
forummersedec.ru
fuigadosi.ru
fulinaohps.ru
fzukungda.ru

Thursday 21 February 2013

"Efax Corporate" spam / fuigadosi.ru

This fake eFax spam leads to malware on fuigadosi.ru:

Date:      Thu, 21 Feb 2013 -05:24:35 -0800
From:      LinkedIn Password [password@linkedin.com]
Subject:      Efax Corporate
Attachments:     EFAX_Corporate.htm



Fax Message [Caller-ID: 705646877]

You have received a 29 pages fax at Thu, 21 Feb 2013 -05:24:35 -0800, (913)-809-4198.

* The reference number for this fax is [eFAX-806896385].

View attached fax using your Internet Browser.


© 2013 j2 Global Communications, Inc. All rights reserved.
eFax ® is a registered trademark of j2 Global Communications, Inc.

This account is subject to the terms listed in the eFax ® Customer Agreement.

The malicious payload is at [donotclick]fuigadosi.ru:8080/forum/links/column.php (report here) hosted on:

84.23.66.74 (EUserv Internet, Germany)
122.160.168.219 (Trackon Couriers, India)
210.71.250.131 (Chungwa Telecom, China)

The following domains and IPs are malicious and should be blocked:
84.23.66.74
122.160.168.219
210.71.250.131
eiiiioovvv.ru
ejjiipprr.ru
emmmhhh.ru
errriiiijjjj.ru
famagatra.ru
faneroomk.ru
finalions.ru
fuigadosi.ru
fulinaohps.ru
fzukungda.ru

Tuesday 27 November 2012

BeyondTek IT / Beyond Tek IT / beyondtekit.com spam

Here's an annoying spammer.. but who are they exactly?


From:     Nick Snow ---- BeyondTekIT Nick@beyondtekit.com
Date:     27 November 2012 10:24
Subject:     Your IT Jobs - HR

Hello:

The IT market is extremely HOT right now and there is no doubt that, there is a severe shortage of qualified, experienced IT candidates and an over-abundance of IT jobs being advertised by companies all over the country. It seems, most qualified candidates are in such high demand that they are getting multiple offers, which is making it difficult for companies to fill certain positions.

That being said please let me know if you currently have any hard-to-fill IT positions at  that we could provide candidates for. We can assist with contract, contract-to-hire/temp-to-perm, or permanent positions.

We have candidates available across all technologies and skill-sets, including (this is only a partial list):
Programmers/Developers - Java, C++, .Net, Ruby, Web, Perl, Python, PHP, ColdFusion, etc
Systems Analysts / Business Analysts
QA Engineers/Analysts/Testers
DBA's - SQL Server, Oracle, MySQL, etc
SAP Consultants - Technical, Functional, Techno-Functional, Analysts, Developers
Oracle Consultants - Technical, Functional, Techno-Functional, Analysts, Developers
Data Warehouse/Business Intelligence Developers/Engineers - ETL, SSIS, SSAS, SSRS, Cognos, etc
Project Managers
Systems Administrators - Linux, Window, etc
Executive - CIO, CTO, VP of IT, etc

PS - We have just started offering our clients a business model of hiring off-site developers, who can be your employees but working from our office in India. Please ask me for more details, and I can send you our PowerPoint presentation.

Thank you.

Nick Snow
BeyondTek IT
Tel: 714-572-1544
nick@beyondtekit.com
www.BeyondTekIT.com
The spam (and it is spam) originates from a server on 216.14.62.75 (Telepacific Communications, Los Angeles) which also hosts the beyondtekit.com and beyondtechit.com domains.

So who are BeyondTekIT? (They also spell their name Beyond Tek IT and BeyondTek IT). The WHOIS details for the beyondtekit.com (and beyondtechit.com) are no help because they are anonymised. So, perhaps their website gives a clue.. and indeed they give the following contact details:

BeyondTek IT
1057 E. Imperial Highway, Suite 509
Placentia, CA 92870

Phone: 714-572-1544
Fax:     714-364-9705

General Inquiries:                     info@beyondtekit.com
Candidate Resume Submittals: resume@beyondtekit.com
So, this is a California company. So it must be registered in the State of California? Err.. no. There is no business entity of this name. So let's check out the address.. well, that turns out to be a store called Postal Max that rents out mailboxes.

A bit of hard searching around shows that this is not a US based company at all, but is actually based in India (the email mentions an Indian connection). Their real website is at beyondtech.in and clearly mentions the maildrop address on their contact page.

The WHOIS details for this domain are:

Registrant ID:SB23414228
Registrant Name:Nishant Rastogi
Registrant Organization:One MG
Registrant Street1:23, North Boag Road, TNagar
Registrant Street2:
Registrant Street3:
Registrant City:Chennai
Registrant State/Province:Tamil Nadu
Registrant Postal Code:600017
Registrant Country:IN
Registrant Phone:+91.9444034408
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Registrant Email:mail@onemg.in


I personally wouldn't recommend giving any personal details to spammers, and I certainly wouldn't recommend giving details to a company that seems to spend some effort to conceal who they really are. But, bear in mind that there are no anti-spam laws in India which explains the high level of Indian spam messages (think SEO spam) that we see, so under Indian law they are probably not doing anything wrong, but surely if they are trading as a California entity then they need to be registered?


Monday 6 August 2012

autoaxident.com spam / Lalchand Sobhani

This spam is preying on people in the UK who have had a accident, but it is actually based in India. It starts off with a pitch similar to this one:

From:     UL05 UL05@app12.sarvdns.org
Reply-To:     UL05@app12.sarvdns.org
Date:     3 August 2012 17:26
Subject:     Accident Injuries

Auto Axident
Claim Comfort

    Home
    Injury / Claim types
    Contact Us

Welcome
Header Image

We are the accident claim specialists, offering free advice, downloads and access to top no win no fee personal injury solicitors.There are many types of Personal Injury like

    Road Traffic Accident
    Work Accident
    Accident at Sea
    Aircraft Accident
    Faulty Product Accident
    Hairdressing Accident
    Holiday Accident
    Medical Negligency Accident
    Public Place Accident

Did you have an injury in the last two years?
If yes, Apply for Compensation below.
Apply for Claim here
Step 1
     
   RTA ( SELF MEDICATING CLAIMANT )
     
[snipped]

© Copyright 2012 autoaxident.com. All Rights Reserved.


Powered by SARV Mail

Click here to unsubscribe

The spam leads you to a side called autoaxident.com on 174.122.93.250 which appears to belong to Confluence Networks in the UAE. The WHOIS details are privacy protected (never a good sign for this type of site). Nameservers show an Indian connection, they are dns1.bigrock.in and dns2.bigrock.in. The spam is sent through a relay service at 74.117.60.126 (lbsmtp.org, India).

The website has no contact details or privacy policy, it is basically just a collector. However, sending a query does generate a response..

from:     AnnieThomas alaska05@rediffmail.com
date:     6 August 2012 08:15
subject:     Re: RTA - Injuries

Awaiting your reply.

Annie Thomas




From: "Swati"[alaska05@rediffmail.com]
Sent: Sat, 04 Aug 2012 14:11:40
Subject: RTA - Injuries
Dear Mr. Xxxx Xxxx

Thanks for sending us your message.

Please send your contact phone number and address.

Also if you have time please fill up form available at www.autoaxident.com and press continue button instead of submit to get the full claim form to be filled.

Upon receipt of your phone number solicitor Mr. Lamb Brook will contact you for compensation for your injury
---

 Annie Thomas
Customer Care Executive

Auto Accident Claim Company
London
Phone No. +44 20 3286 4645
Website - www.autoaxident.com 

The originating IP was 14.98.247.162 (TATA Indicom, India), so there's the Indian connection again.

Several things don't stand up with this pitch. One of them is the solicitor's name of "Mr. Lamb Brook". That's quite an unusual name, and it probably comes as no surprise to find that there is no such solicitor listed by the Law Society in the UK. Oddly, the telephone number quoted seems potentially valid and is a London number. Update: the name of the law firm is Lamb Brooks and not an individual solicitor, note however that Lamb Brooks are not sending out this unsolicited mail, I suspect that they are not even aware of it.

The email address of "Annie Thomas" alaska05@rediffmail.com also gives some clues. rediffmail.com is almost exclusively used in India, thus confirming that this is an Indian-based scam again, Googling this email address shows several clues with a background of buying and selling leads.

This thread ties the email address up with a user called lalchand38 and this is linked to a Twitter account at https://twitter.com/LCS38 (Lalchand / @LCS38) who appears to be Lalchand Sobhani who also uses an email address of lalchand38@yahoo.com. You can see his dating profile here and there are several other matches on Google for the same email address which show an interesting variety of enterprises including shipping prescription medications from India to the US.


So Annie Thomas is either Lalchand Sobhani or someone working for him. The solicitor in the UK does not exist. Mr Sobhani has gone to some efforts to hide his involvement here too.

What is probably going on here is lead generation through spam. Lalchand Sobhani is probably trying to generate personal injury leads to resell on to others. In any case, dealing with spammers is unlikely to be beneficial and it could lead to you being seriously out of pocket.

Friday 27 February 2009

MikeCahil@gmail.com: "New Jobs"

There are several different layers of fraud and deception when it comes to offering and applying for jobs.

This particular approach is via a spam, and seems to be a deceptive way of offering cheap Indian contractors to companies. India is very much a centre for spam because of very lax laws, in this case "Mike Cahil" is offering to fill roles in a variety of fields, but why would you want to do business with a spammer in any case? Remember the Boulder Pledge.

Originating IP is 59.164.72.134, a subscriber to TATA Communications in India. The netblock is widely listed as being very spammy. A poke around at blacklists indicates that 59.164.0.0/16 is a real spam sewer, and strict mail administrators could consider blocking the entire lot.

From: "Mike Cahil" MikeCahil@gmail.com
Subject: New Jobs

Hi ,

I am doing a check with you, to see if there are any IT or Engineering jobs, I can help you today at [redacted]. I can help fill any Contractor positions or Direct-Hire positions or Contract-to-Hire positions.

Additionally, I can also help in the Accounting / HR / Sales / Management positions too.

Please do reply.

Thanks … Mike

email: [redacted]