Sponsored by..

Showing posts with label LinkedIn. Show all posts
Showing posts with label LinkedIn. Show all posts

Monday, 6 August 2012

LinkedIn spam / headtoheadblaster.org

This LinkedIn spam attempts to load malware from headtoheadblaster.org:

Date:      Mon, 6 Aug 2012 17:07:08 +0300
From:      "LinkedIn Invitations" [invitations@linkedin.com]
To:      [redacted]
Subject:      Your friend sent you an invitation to join LinkedIn group.

  
This is a notification that on August 5, Gage Herring sent you an invitation to become part of their professional network at LinkedIn.
Accept Gage Herring Invitation
  
On August 5, Gage Herring wrote:

> To: [redacted]
>
> I'd like to add you to my professional network on LinkedIn.
>
> Gage Herring   
  
You are receiving Reminder emails for pending invitations. Unsubscribe.
� 2012 LinkedIn Corporation. 2029 Stierlin Ct, Mountain View, CA 94043, USA.

==========


Date:      Mon, 6 Aug 2012 10:02:02 -0400
From:      "LinkedIn Invitations" [invitations@linkedin.com]
To:      [redacted]
Subject:      LinkedIn inviation notificaltion.

  
This is a notification that on August 5, Daniel Martinez sent you an invitation to join their professional network at LinkedIn.
Accept Daniel Martinez Invitation
  
On August 5, Daniel Martinez wrote:

> To: [redacted]
>
> I'd like to add you to my professional network on LinkedIn.
>
> Daniel Martinez   
  
You are receiving Reminder emails for pending invitations. Unsubscribe.
� 2012 LinkedIn Corporation. 2029 Stierlin Ct, Mountain View, CA 94043, USA.


The malicious payload is at [donotclick]headtoheadblaster.org/main.php?page=f6857febef53e332 (report here) although at the time of writing it does not seem to be resolving.

Thursday, 2 August 2012

"Reset Your LinkedIn Password" spam / mysqlfordummys.ru

This fake LinkedIn email leads to malware on the oddly named domain of mysqlfordummys.ru:

Date:      Thu, 2 Aug 2012 02:27:38 -0300
From:      LinkedIn Password [password@linkedin.com]
Subject:      Reset Your LinkedIn Password

LinkedIn

Hi altera,

Can’t remember your LinkedIn password? No problem - it happens.

Please use this link to reset your password within the next 1 day:
Click here

Then sign in to LinkedIn with your new password and the email address where you received this message.

Thanks for using LinkedIn!

Flaws in SQL server implementations are a hacker's favourite target, so perhaps there is a wry sense of humour here. Anyway, the malicious payload is at [donotclick]mysqlfordummys.ru:8080/forum/showthread.php?page=5fa58bce769e5c2c (report here) hosted on 203.80.16.81 (MYREN Infrastructure, Malaysia)

The following domains and IPs are all related, you should block access to them if you can:

ipadvssonyx.ru
mysqlfordummys.ru
onerussiaboard.ru
online-cammunity.ru
online-gaminatore.ru
switched-games.ru
zenedin-zidane.ru

41.66.137.155
41.168.5.140
62.76.188.138
62.76.190.208
62.213.64.161
78.83.233.242
85.143.166.243
87.120.41.155
87.204.199.100
173.224.208.60
184.106.189.124
199.71.212.78
203.80.16.81
203.172.140.202

Monday, 16 July 2012

"Intuit Payroll Services" spam / cms-wideopendns.com

These (rather confused) spam emails lead to malware on cms-wideopendns.com:

From: LinkedIn Communication [mailto:support@intuit.com]
Sent: 16 July 2012 15:12
Subject: We have received your payroll processing request.




Direct Deposit Service Communication
Status update

Dear victim
We received your payroll on July 16, 2012 at 1:16 AM Pacific Time.
•    Funds will be withdrawn from the bank account number ending in: XXXX on July 17, 2012.
•    Amount to be withdrawn: $2,476.11
•    Paychecks will be deposited to your employees' accounts on: July 17, 2012
•    Please download your payroll here.
Funds are as a rule processed before normal banking hours so please make sure you have sufficient funds available by 12 a.m. on the date funds are to be withdrawn.
Intuit must receive your payroll by 5 p.m. Pacific time, two banking days before your payment date or your employees will fail to be paid on time. QuickBooks does not process payrolls on weekends or federal banking holidays. A list of federal banking holidays can be downloaded at the Federal Reserve website.
Thank you for your business.
Sincerely,
Intuit Payroll Services



IMPORTANT NOTICE: This notification is being sent to inform you of a critical matter concerning your current service or software. Please note that if you previously opted out of receiving marketing materials from Intuit, you may continue to receive notifications similar to this communication that affect your service or software.
If you have any questions or comments about this email, please DO NOT REPLY to this email. If you need additional information please contact us.
If you receive an email message that appears to come from Intuit but that you suspect is a phishing email, please forward it to immediately to spoof@intuit.com.
Copyright 2008 Intuit Inc. QuickBooks and Intuit are registered trademarks of and/or registered service marks of Intuit Inc. in the United States and other countries. This notification is not intended to supplement, modify, or extend the Intuit software license agreement between you and Intuit for any Intuit product or service.
Intuit Inc. Customer Communications
2800 E. Commerce Center Place, Tucson, AZ 85706


====================

From: LinkedIn Communication [support@intuit.com]
Sent: Mon 16/07/2012 15:12
Subject: Your payroll processing is initiated by Intuit.

Direct Deposit Service Communication
Status update

Dear victim
We obtained your payroll on July 16, 2012 at 7:36 AM Pacific Time.
•    Funds will be withdrawn from the bank account number ending in: XXXX on July 17, 2012.
•    Amount to be withdrawn: $5,582.11
•    Paychecks will be deposited to your employees' accounts on: July 17, 2012
•    Please download your payroll here.
Funds are typically withdrawn before normal banking hours so please make sure you have sufficient funds available by 12 a.m. on the date funds are to be withdrawn.
Intuit must receive your payroll by 5 p.m. Pacific time, two banking days before your payment date or your employees will fail to be paid on time. QuickBooks does not process payrolls on weekends or federal banking holidays. A list of federal banking holidays can be downloaded at the Federal Reserve website.
Thank you for your business.
Sincerely,
Intuit Payroll Services



IMPORTANT NOTICE: This notification is being sent to inform you of a critical matter concerning your current service or software. Please note that if you previously opted out of receiving marketing materials from Intuit, you may continue to receive notifications similar to this communication that affect your service or software.
If you have any questions or comments about this email, please DO NOT REPLY to this email. If you need additional information please contact us.
If you receive an email message that appears to come from Intuit but that you suspect is a phishing email, please forward it to immediately to spoof@intuit.com.
Copyright 2008 Intuit Inc. QuickBooks and Intuit are registered trademarks of and/or registered service marks of Intuit Inc. in the United States and other countries. This notification is not intended to supplement, modify, or extend the Intuit software license agreement between you and Intuit for any Intuit product or service.
Intuit Inc. Customer Communications
2800 E. Commerce Center Place, Tucson, AZ 85706


LinkedIn? Intuit? The bad guys are confused, but these are dangerous emails nonetheless. The malicious payload is at [donotclick]cms-wideopendns.com/main.php?page=bfc8be54a0120bca (report here) hosted on the following IPs:

211.157.105.160 (Chinacomm, China)
109.164.221.176 (Swisscom, Switzerland)



The following IPs and domains are all connected and should be blocked:
46.20.33.131
62.109.26.35
80.77.87.185
108.76.72.229
109.164.221.176
164.15.250.148
195.54.32.91
198.144.189.51
211.157.105.160

afriget.net
cms-wideopendns.com
fonografs.net
peace-computer.com
proamd-inc.com
thaidescribed.com

Thursday, 28 June 2012

LinkedIn spam / 74.63.252.106

This fake LinkedIn spam leads to malware on 74.63.252.106:

Date:      Thu, 28 Jun 2012 00:52:04 +0200
From:      "2012, LinkedIn Corporation" [sdexheimer@itrs.com.br]
To:      [y009-xc6.ftdsf@catchamail.com]
Subject:      Relationship LinkedIn Mail

LinkedIn
REMINDERS

Invitation reminders:
• From Kevin Sellers (VP Analytic Services at Glencore)


PENDING MESSAGES

• There are a total of 9 messages awaiting your response. Visit your InBox now.

Don't want to receive email notifications? Adjust your message settings.

LinkedIn values your privacy. At no time has LinkedIn made your email address available to any other LinkedIn user without your permission. © 2012, LinkedIn Corporation.


The malicious payload is at [donotclick]74.63.252.106/getfile.php?u=71fd37ed (report here) which is part of a small netblock of 74.63.252.96/27 rented out by Limestone Networks in the US. Some attempt has been made to prevent analysis by generating a fake 403 page if you try to analyse it directly.

Wednesday, 13 June 2012

LinkedIn spam / 74.91.112.248

This fake LinkedIn spam appears to lead to a malicious payload on 74.91.112.248:

Date:      Wed, 13 Jun 2012 14:58:15 +0200
From:      "LinkedIn©" [mvclient@mediavisions.net]
Subject:      Express LinkedIn Mail

LinkedIn
REMINDERS

Invitation reminders:
• From kristen redshaw (Country General Manager at Toshiba)


PENDING MESSAGES

• There are a total of 3 messages awaiting your response. Visit your InBox now.

Don't want to receive email notifications? Adjust your message settings.

LinkedIn values your privacy. At no time has LinkedIn made your email address available to any other LinkedIn user without your permission. © 2012, LinkedIn Corporation.

The malicious payload is on [donotclick]74.91.112.248/page.php?p=88fe38de which is hosted on Nuclear Fallout Enterprises in the US.

Friday, 1 June 2012

LinkedIn spam / immerialtv.ru

This fake LinkedIn spam leads to malware:

Date:      Fri, 1 Jun 2012 02:45:50 +0000
From:      LinkedIn Email Confirmation [emailconfirm@linkedin.com]
Subject:      Please confirm your email address

LinkedIn

Click here to confirm your email address.

If the above link does not work, you can paste the following address into your browser:

You will be asked to log into your account to confirm this email address. Be sure to log in with your current primary email address.

We ask you to confirm your email address before sending invitations or requesting contacts at LinkedIn. You can have several email addresses, but one will need to be confirmed at all times to use the system.

If you have more than one email address, you can choose one to be your primary email address. This is the address you will log in with, and the address to which we will deliver all email messages regarding invitations and requests, and other system mail.

Thank you for using LinkedIn!

--The LinkedIn Team

� 2012, LinkedIn Corporation

The payload is on [donotclick]immerialtv.ru:8080/forum/showthread.php?page=5fa58bce769e5c2c (report here) hosted on the following IPs:


50.57.43.49 (Slicehost, US)
50.57.88.200 (Slicehost, US)
184.106.200.65 (Slicehost, US)
187.85.160.106 (Ksys Soluções Web, Brazil)

Plain list for copy-and-pasting:
50.57.43.49
50.57.88.200
184.106.200.65
187.85.160.106

Those IPs host the following domains which can also be assumed to be hostile:
immerialtv.ru
opimmerialtv.ru
piloramamoskow.ru

Friday, 4 May 2012

LinkedIn spam / 184.154.220.226

This fake LinkedIn spam leads to malware on 184.154.220.226:

Date:      Fri, 4 May 2012 -04:52:32 -0800
From:      LinkedIn Password [password@linkedin.com]
Subject:      Reset Your LinkedIn Password

LinkedIn

Hi hippy,

Can’t remember your LinkedIn password? No problem - it happens.

Please use this link to reset your password within the next 1 day:
Click here

Then sign in to LinkedIn with your new password and the email address where you received this message.

Thanks for using LinkedIn!
The malware is hosted on 184.154.220.226/showthread.php?t=34c79594e8b8ac0f (Singlehop, US) which is a very heavily obfuscated exploit page with a not very impressive VirusTotal detection rate of 2/42. Blocking the IP is a good proactive step to stop this from being a problem.

Monday, 30 April 2012

LinkedIn spam / 74.91.120.210

This fake LinkedIn spam leads to malware on 74.91.120.210:

Date:      Mon, 30 Apr 2012 17:51:37 +0530
From:      "LinkedIn reminder" [reminder@linkedin.com]
Subject:      LInkedin pending messages

LinkedIn
REMINDERS

Invitation reminders:
• From Scott Burwell (Colleague at Nortel)


PENDING MESSAGES

• There are a total of 36 messages awaiting your response. Visit your InBox now.

Don't want to receive email notifications? Adjust your message settings.

LinkedIn values your privacy. At no time has LinkedIn made your email address available to any other LinkedIn user without your permission. © 2010, LinkedIn Corporation.


The malicious payload is at 74.91.120.210/showthread.php?t=9d77a9163cda8dbe (report here) hosted by Nuclearfallout Enterprises in the US.

Friday, 27 April 2012

LinkedIn spam / 50.116.23.176 and 64.244.61.40

Another LinkedIn spam leading to malware, this time on 50.116.23.176 and 64.244.61.40:

Date:      Fri, 27 Apr 2012 16:19:17 +0800
From:      "LinkedIn reminder" [reminder@linkedin.com]
Subject:      LInkedin pending messages

LinkedIn
REMINDERS

Invitation reminders:
• From Scott Burwell (Colleague at Nortel)


PENDING MESSAGES

• There are a total of 50 messages awaiting your response. Visit your InBox now.

Don't want to receive email notifications? Adjust your message settings.

LinkedIn values your privacy. At no time has LinkedIn made your email address available to any other LinkedIn user without your permission. © 2010, LinkedIn Corporation.
The malicious payload is on 50.116.23.176/showthread.php?t=9d77a9163cda8dbe (report here) hosted by Linode in the US. There is a subsequent download attempted from 64.244.61.40/rUPYeVt0.exe which appears to be a legitimate hacked server belonging to cheekyshare.com.

Thursday, 26 April 2012

LinkedIn spam / 199.115.229.55

This LinkedIn spam leads to malware on 199.115.229.55 after bouncing through a couple of legitimate hacked sites, a technique that we haven't seen for a couple of weeks.

Subject:     Signal LinkedIn Mail

LinkedIn
REMINDERS

Invitation reminders:
•  From Scott Burwell (Product Director at SNCF)



PENDING MESSAGES

• There are a total of 44 messages awaiting your response. Visit your InBox now.


Don't want to receive email notifications? Adjust your message settings.

LinkedIn values your privacy. At no time has LinkedIn made your email address available to any other LinkedIn user without your permission. © 2012, LinkedIn Corporation.
The malware is on 199.115.229.55/showthread.php?t=977334ca118fcb8c (report here) hosted by Volumedrive in the US, which subsequently tries to download further malware from electrosa.com/8zvW2XE.exe (a site that has been used a lot in recent days). That domain and IP are worth blocking.

Tuesday, 24 April 2012

LinkedIn Spam / leckrefotzen.net

Oh my. Yet another LinkedIn spam run..

Date:      Tue, 24 Apr 2012 16:31:34 -0300
From:      "Russ Connor" [enviousnessi07@linkedin.com]
Subject:      LinkedIn Reminder


LinkedIn
REMINDERS

Invitation notifications:
? From Chaney Cameron (Your Colleague)


PENDING MESSAGES

? There are a total of 3 messages awaiting your response. Visit your InBox now.

Don't want to receive email notifications? Adjust your message settings.

LinkedIn values your privacy. At no time has LinkedIn made your email address available to any other LinkedIn user without your permission. � 2010, LinkedIn Corporation.

The link in the message goes to a malware site at leckrefotzen.net/main.php?page=b7ff54d52bf8dd24 (report here) hosted on the familiar IP address of 41.64.21.71 in Egypt. Blocking this IP address would be an excellent idea. Or you could just block linkedin.com emails altogether which would be no great loss either.

Friday, 20 April 2012

LinkedIn spam / mysalepharmacy.com

Here's a very convincing looking LinkedIn spam:

From: messages-noreply@bounce.linkedin.com [mailto:messages-noreply@bounce.linkedin.com] On Behalf Of LinkedIn Email Confirmation
Sent: 20 April 2012 09:54
Subject: Please confirm your email address

LinkedIn
Click here to confirm your email address.
If the above link does not work, you can paste the following address into your browser:
https://www.linkedin.com/e/vAIspiNMa9UrLxwLy8OkxtE3ZZ5hfZkRMg0f2bmzDWANi
You will be asked to log into your account to confirm this email address. Be sure to log in with your current primary email address.
We ask you to confirm your email address before sending invitations or requesting contacts at LinkedIn. You can have several email addresses, but one will need to be confirmed at all times to use the system.
If you have more than one email address, you can choose one to be your primary email address. This is the address you will log in with, and the address to which we will deliver all email messages regarding invitations and requests, and other system mail.
Thank you for using LinkedIn!
--The LinkedIn Team
http://www.linkedin.com/
© 2012, LinkedIn Corporation

There are three hyperlinks in the message, two of them are to LinkedIn and one of them is to a fake pharma site on mysalepharmacy.com on 178.19.108.195 in Poland.

Personally, I hate LinkedIn emails. Blocking everything that appears to be from linkedin.com will not have any adverse impact on your life.

Thursday, 19 April 2012

LinkedIn Spam / springrheumatology.net

Another LinkedIn spam run leading to malware, this time on springrheumatology.net

Date:      Thu, 19 Apr 2012 19:34:55 +0100
From:      "Callie Holland" [donor@linkedin.com]
Subject:      LinkedIn Invitation from your co-worker


LinkedIn
REMINDERS

Invitation notifications:
? From Patrick Mcdaniel (Your co-worker)


PENDING MESSAGES

? There are a total of 2 messages awaiting your response. Visit your InBox now.

Don't want to receive email notifications? Adjust your message settings.

LinkedIn values your privacy. At no time has LinkedIn made your email address available to any other LinkedIn user without your permission. � 2010, LinkedIn Corporation.

=========================

Date:      Thu, 19 Apr 2012 14:57:47 -0300
From:      "Jane Gaston" [lulu9@linkedin.com]
Subject:      LinkedIn Reminder


LinkedIn
REMINDERS

Invitation reminders:
? From Solomon Goff (Your Colleague)


PENDING MESSAGES

? There are a total of 2 messages awaiting your response. Visit your InBox now.

Don't want to receive email notifications? Adjust your message settings.

LinkedIn values your privacy. At no time has LinkedIn made your email address available to any other LinkedIn user without your permission. � 2010, LinkedIn Corporation.

The malicious payload is at springrheumatology.net/main.php?page=9e32768587b0d9a8 (report here) hosted on the familiar IP address of 41.64.21.71 in Egypt, a very good IP address to block.

Thursday, 12 April 2012

LinkedIn Spam / prospero-marketing.net

This spam leads to malware:

From:     Patrice Burke premonition9@linkedin.com
Date:     12 April 2012 16:33
Subject:     LinkedIn Nofitication service message

LinkedIn
REMINDERS

Invitation reminders:
•  From Kadeem Ruiz (Your classmate)



PENDING MESSAGES

• There are a total of 2 messages awaiting your response. Visit your InBox now.


Don't want to receive email notifications? Adjust your message settings.

LinkedIn values your privacy. At no time has LinkedIn made your email address available to any other LinkedIn user without your permission. © 2010, LinkedIn Corporation.

The malicious payload is on prospero-marketing.net/main.php?page=5ab26a646c9cf178 (report here) hosted on 85.189.11.134 and 41.64.21.71 which are the same IPs as seen in this attack yesterday.

Wednesday, 11 April 2012

LinkedIn Spam / baiparz.com

This fake LinkedIn message leads to malware:

Date:      Wed, 11 Apr 2012 15:09:48 -0300
From:      "Pasquale Nieves" [warthogv@linkedin.com]
Subject:      LinkedIn Nofitication service message


LinkedIn
REMINDERS

Invitation reminders:
? From Felix Byers (Your Colleague)


PENDING MESSAGES

? There are a total of 2 messages awaiting your response. Visit your InBox now.

Don't want to receive email notifications? Adjust your message settings.

LinkedIn values your privacy. At no time has LinkedIn made your email address available to any other LinkedIn user without your permission. � 2010, LinkedIn Corporation.

There's a malicious payload at baiparz.com/main.php?page=f93de12c807d28df (report here) which is hosted by Griffin Internet in the UK on 85.189.11.134 and also can be found on the familiar IP address of 41.64.21.71 which is an ADSL subscriber in Egypt.

Thursday, 22 March 2012

LinkedIn Spam / cyancellular.com and browncellular.com

Another load of LinkedIn Spam is doing the rounds, this time the payload is at cyancellular.com/showthread.php?t=73a07bcb51f4be71 hosted on 209.59.217.78 (Endurance International, US) and also browncellular.com/showthread.php?t=d7ad916d1c0396ff hosted on 174.140.168.207 (Directspace, US)


Be on the lookout for other domains of a similar pattern, if you known of more then please consider adding a comment.. thanks!

Update: indigocellular.com is also part of this same pattern.

LinkedIn Spam / bluecellular.com

The second LinkedIn spam of the day is underway, which is almost exactly identical to this one. In this case, the malicious payload is on bluecellular.com/showthread.php?t=73a07bcb51f4be71 hosted on 96.126.122.240 (Linode, US)

"LinkedIn Invitation from your co-worker" spam / slickcurve.com and bluecellular.com

Another malicious fake email from LinkedIn leading to malware hosted on slickcurve.com.

Date:      Thu, 22 Mar 2012 13:35:48 +0200
From:      "Dominique Benitez" [peripherals698@linkedin.com]
Subject:      LinkedIn Invitation from your co-worker


LinkedIn
REMINDERS

Invitation reminders:
? From Timothy Vega (Your classmate)


PENDING MESSAGES

? There are a total of 1 messages awaiting your response. Visit your InBox now.

Don't want to receive email notifications? Adjust your message settings.

LinkedIn values your privacy. At no time has LinkedIn made your email address available to any other LinkedIn user without your permission. � 2010, LinkedIn Corporation.

The malware payload is on slickcurve.com/showthread.php?t=73a07bcb51f4be71 (report here) hosted on 173.255.195.167 (Linode, US). Blocking that IP address will block any other malicious sites on the same server.

Wednesday, 21 March 2012

"LinkedIn Invitation from your colleague" spam / closteage.com

A fake LinkedIn spam leading to malware hosted at closteage.com:

Date:      Wed, 21 Mar 2012 16:24:04 +0200
From:      "Stacy Goss"
Subject:      LinkedIn Invitation from your colleague


LinkedIn
REMINDERS

Invitation notifications:
? From Kadeem Ruiz (Your Colleague)


PENDING MESSAGES

? There are a total of 3 messages awaiting your response. Visit your InBox now.

Don't want to receive email notifications? Adjust your message settings.

LinkedIn values your privacy. At no time has LinkedIn made your email address available to any other LinkedIn user without your permission. Š 2010, LinkedIn Corporation.
The payload is at closteage.com/showthread.php?t=73a07bcb51f4be71 (report here) hosted on 209.59.217.101 (Endurance International, US). Blocking that IP will block any other malicious sites on the same server.

Thursday, 15 March 2012

goo.gl/FP84h link leads to malware

Another malware campaign using the goo.gl redirector leading to a malicious payload, this time on 66.151.138.87.

From:     OP 25939760 Y tuelkv60@yahoo.com
To:     ptofomen@elpuertosm.net
Date:     15 March 2012 08:35
Subject:     LinkedIn Corporation account on Hold Ref78087257
Signed by:     yahoo.com

CaseȌ99-4582982-70209467-8-373
< !--PZ 62188868 V

http://goo.gl/FP84h



XR 28309138 C

The goo.gl redirector goes to shfd19za.roversmolina.ru (multihomed, see below) and then ends up on a malicious page at 66.151.138.87/showthread.php?t=72d268be707a5fb7 (Nuclear Fallout Enterprises, US again).

The intermediate site is multihomed on what looks like a botnet:

1.170.145.188 (HINET, Tawian)
37.99.3.131 (2day Telecom, Kazakhstan)
46.158.89.63 (Rostelecom, Russia)
46.166.89.234 (Sibtranstelecom, Russia)
59.161.112.144 (Tata Communications, India)
61.90.53.87 (True Internet, Thailand)
94.41.81.55 (Ufanet, Russia)
95.28.225.180 (Vimpelcom, Russia)
95.57.1.107 (Kazakhtelecom, Kazakhstan)
95.58.88.151 (Kazakhtelecom, Kazakhstan)
95.58.106.240 (Kazakhtelecom, Kazakhstan)
95.176.193.129 (Telekom Slovenije, Slovenia)
109.194.43.62 (ER-Telecom Holding, Russia)
112.110.219.218 (Pune Mobile Subscriber, India)
114.43.145.75 (HINET, Taiwan)
117.195.168.49 (BSNL Internet, India)
122.179.171.126 (Airtel, India)
123.17.240.127 (VNPT, Vietnam)
123.18.190.230 (VNPT, Vietnam)
178.46.12.159 (Rostelecom, Russia)

Plain list for copy-and-pasting:
1.170.145.188
37.99.3.131
46.158.89.63
46.166.89.234
59.161.112.144
61.90.53.87
94.41.81.55
95.28.225.180
95.57.1.107
95.58.88.151
95.58.106.240
95.176.193.129
109.194.43.62
112.110.219.218
114.43.145.75
117.195.168.49
122.179.171.126
123.17.240.127
123.18.190.230
178.46.12.159
66.151.138.87