
Tuesday, 9 July 2013

Malware sites to block 9/7/13

These are the current IPs and domains that appear to be in use by this gang. IPs are listed with hosting companies and countries first, and then a plain list of IPs and domains for copy-and-pasting:
5.135.198.41 (OVH, France)
14.63.198.119 (Korea Telecom, Korea)
24.173.170.230 (Time Warner Cable, US)
46.14.182.109 (Swisscom, Switzerland)
46.45.182.27 (Radore Veri Merkezi Hizmetleri, Turkey)
54.232.86.91 (Amazon AWS, Brazil)
59.124.33.215 (Chungwa Telecom, Taiwan)
62.165.254.220 (Tvnetwork, Hungary)
62.169.58.22 (Phoenix Informatica, Italy)
64.49.246.226 (Rackspace, US)
69.162.76.10 (Limestone Networks, US)
74.63.195.131 (Limestone Networks, US)
74.93.56.83 (Comcast Communications, US)
77.240.118.69 (Acens Technologies, Spain)
78.108.86.169 (Majordomo LLC, Russia)
80.52.135.172 (Telekomunikacja Polska, Poland)
80.218.115.92 (Cablecom, Switzerland)
82.79.4.33 (RCS & RDS Business, Romania)
82.165.41.13 (1&1 Internet, Philippines)
89.45.83.92 (Nlink SRL, Romania)
89.93.219.156 (Bouygues Telecom, France)
89.96.141.43 (IPS SRL, Italy)
89.248.161.137 (Ecatel, Netherlands)
89.248.161.146 (Ecatel, Netherlands)
95.111.32.249 (Mobitel, Bulgaria)
95.173.187.8 (Netinternet Bilgisayar Telekominukasyo, Turkey)
97.79.214.75 (Time Warner Cable, US)
103.9.23.34 (TPL Trakker Ltd, Pakistan)
109.169.86.196 (iomart / ThrustVPS, UK)
109.234.84.213 (Servicleop, Spain)
113.161.207.101 (VNPT, Vietnam)
115.28.45.30 (HiChina Web Solutions / Alibaba, China)
115.146.93.25 (Nectar Research Cloud, Australia)
116.251.213.12 (OneAsiaHost, Singapore)
117.102.102.170 (Servo Buana Resources, Indonesia)
117.239.224.145 (ZAD Institute, India)
123.30.50.245 (VNPT, Vietnam)
129.64.95.45 (Brandeis University, US)
134.159.143.12 (Telstra-Telewhite, Hong Kong)
138.80.14.27 (Charles Darwin University, Australia)
143.239.87.38 (University College Cork, Ireland)
151.155.25.111 (Novell Inc, US)
172.246.122.111 (Enzu Inc, US)
173.167.54.139 (Iceweb Storage Corp, US)
173.245.7.158 (Leland Private Systems, US)
177.87.104.21 (Alberto Torres Barreto, Brazil)
181.54.174.204 (Telmex Colombia, Colombia)
184.22.36.4 (HostNOC, US)
184.105.135.29 (Hurricane Electric, US)
186.227.53.43 (Via Cabo Provedor de Internet e Informática Ltda, Brazil)
189.84.25.188 (DataCorpore Serviços e Representações, Brazil)
190.85.249.159 (Telmex Colombia, Colombia)
190.238.107.240 (TDP ERX, Peru)
192.210.205.208 (New Wave Netconnect / Colocrossing, US)
193.242.126.78 (Lemminkainen Oyj, Finland)
195.241.208.160 (Telfort / Tiscali / KPN, Netherlands)
198.46.131.100 (New Wave Netconnect / Colocrossing, US)
198.50.136.166 (OVH, Brazil)
198.175.124.17 (DNSSLAVE.COM, US)
198.199.70.149 (Digital Ocean, US)
199.233.234.83 (Nodedeploy, US)
202.28.69.195 (UniNet, Thailand)
202.56.170.28 (Ningnet, Indonesia)
203.235.181.181 (GNGAS Enterprise Networks, Korea)
207.254.1.17 (Virtacore Systems, US)
210.200.0.95 (Asia Pacific On-line Services Inc, Taiwan)
213.56.125.97 (OBS, France)
222.20.90.25 (HuaZhong University of Science and Technology, China)

5.135.198.41
14.63.198.119
24.173.170.230
46.14.182.109
46.45.182.27
54.232.86.91
59.124.33.215
62.165.254.220
62.169.58.22
64.49.246.226
69.162.76.10
74.63.195.131
74.93.56.83
77.240.118.69
78.108.86.169
80.52.135.172
80.218.115.92
82.79.4.33
82.165.41.13
89.45.83.92
89.93.219.156
89.96.141.43
89.248.161.137
89.248.161.146
95.111.32.249
95.173.187.8
97.79.214.75
103.9.23.34
109.169.86.196
109.234.84.213
113.161.207.101
115.28.45.30
115.146.93.25
116.251.213.12
117.102.102.170
117.239.224.145
123.30.50.245
129.64.95.45
134.159.143.12
138.80.14.27
143.239.87.38
151.155.25.111
172.246.122.111
173.167.54.139
173.245.7.158
177.87.104.21
181.54.174.204
184.22.36.4
184.105.135.29
186.227.53.43
189.84.25.188
190.85.249.159
190.238.107.240
192.210.205.208
193.242.126.78
195.241.208.160
198.46.131.100
198.50.136.166
198.175.124.17
198.199.70.149
199.233.234.83
202.28.69.195
202.56.170.28
203.235.181.181
207.254.1.17
210.200.0.95
213.56.125.97
222.20.90.25
101ndstreetymha.com
afabind.com
amazon.com.first4supplies.net
americanexpress.com.krasalco.com
andertiua200.com
androv.pl
aniolyfarmacij.com
astarts.ru
auditbodies.net
beachfiretald.com
beatenunwield.com
bebomsn.net
beirutyinfo.com
blacklistsvignet.pl
bnamecorni.com
boats-sale.net
brandeddepend.com
buycushion.net
cardpalooza.su
centow.ru
centsvisualcaf.net
chairsantique.net
chrismortonlaw.net
ciriengrozniyivdd.ru
cirienkoidrugied50.ru
cirormdnivneinted40.ru
cocainism.net
collegialwar.com
com.amazon.com.first4supplies.net
condalinarad72234652.ru
condalinaradushko5.ru
condalinneuwu5.ru
condalinrwgw136.ru
condalnua745746.ru
datapadsinthi.net
delines.ru
dirvers.net
doorandstoned.com
driversupdate.pw
editionscode.com
ehchernomorskihu.ru
ehnaisnwhgiuh29.net
ehnihjrkenpj.ru
ehnihujasebejav15.ru
enchantingfluid.com
enuhhdijsnenbude40.ru
ergopets.com
feminineperceiv.pl
filmstripstyl.com
fincal.pl
firefoxupd.pw
first4supplies.net
freakable.net
fulty.net
gamnnbienwndd70.net
gatorovnskeinbueed60.ru
genie-enterprises.com
gerlos-hotel.net
getstatsp.ru
ghroumingoviede.ru
gnanisienviwjunlp.ru
gnanosnugivnehu.ru
grivnichesvkisejj50.ru
hdmltextvoice.net
heidipinks.com
hexactos.com
hingpressplay.net
hospitalinstitutee.com
hotkoyou.net
independinsy.net
infostarter.net
initiationtune.su
insectiore.net
joinproportio.com
jonkrut.ru
letsgofit.net
lexus-lfa.net
libulionstreet.su
lifeline-tv.net
lifestylelbinfo.com
linefisher.com
liocolostrum.net
magiklovsterd.net
mail1.infostarter.net
modshows.net
mychildrenss.com
ns1.infostarter.net
nvufvwieg.com
organizerrescui.pl
oydahrenlitu346357.ru
patrihotel.net
paynotice07.net
pinterest.com.reports0701.net
porschetr-ml.com
potteryconvention.ru
privat-tor-service.com
przcloud.com
quipbox.com
recatalogfinger.net
relationshipa.com
relectsdispla.net
rentipod.ru
reports0701.net
reveck.com
salesplaytime.net
sartorilaw.net
secrettapess.com
securednshooki.com
sendkick.com
smartsecurity-app.com
soberimages.com
spros.pl
streetgreenlj.com
susubaby.net
syncbinderanalog.net
tagcentriccent.net
tagcentriccent.pl
telecomerra.com
tor-connect-secure.com
transplantee.net
tstatbox.ru
ukbash.ru
usenet4ever.net
utraining.us
vahvahchicas.ru
ventstandart.net
vip-proxy-to-tor.com
voippromotion.su
webhelphighestp.net
wic-office.com
widnows.net
winodwsupd.pw
wow-included.com
zestrecommend.com

Tuesday, 2 July 2013

Malware sites to block 2/7/13

These sites belong to this gang and house exploit kits and other nastiness. I've broken the list down into three sections: IPs with their web hosts, plain IPs (for copy and pasting) and malware domains. The domains change on a regular basis; the IPs change less frequently and are therefore probably the best things to block.

37.123.103.159 (Salay Telekomunikasyon, Turkey)
38.64.161.163 (Stratonexus Technologies Corp, Canada)
58.196.7.174 (CERNET, China)
77.237.190.22 (Parsun Network Solutions, Iran)
77.240.118.69 (Acens Technologies, Spain)
78.108.86.169 (Majordomo LLC, Russia)
85.214.53.47 (Strato AG, Germany)
87.255.149.99 (Societe Francaise du Radiotelephone, France)
88.81.239.98 (Top Net PJSC, Ukraine)
88.86.100.2 (Supernetwork, Czech Republic)
89.248.161.148 (Ecatel, Netherlands)
95.111.32.249 (Mobitel EAD, Bulgaria)
98.223.199.185 (Comcast Communications, US)
108.174.61.198 (FTN Services, US)
108.177.140.2 (Nobis Technology Group, US)
113.161.207.101 (VietNam Post and Telecom Corporation, Vietnam)
114.4.27.219 (IDIA Kantor Arsip, Indonesia)
114.130.5.145 (MANGO CA Service, Bangladesh)
119.147.137.31 (China Telecom, China)
120.124.28.131 (TANet, Taiwan)
124.232.165.52 (China Telecom, China)
134.159.143.12 (Telstra Telewhite, Hong Kong)
140.122.184.45 (TANet, Taiwan)
140.135.112.169 (TANet, Taiwan)
151.155.25.111 (Novell, US)
172.245.216.69 (Colocrossing, US)
172.246.122.110 (Enzu Inc, US)
173.232.105.66 (Blue Deals Fly, US)
174.140.166.239 (Directspace, US)
176.67.10.163 (McLaut ISP, Ukraine)
178.211.46.123 (Radore Veri Merkezi Hizmetleri, Turkey)
181.54.174.204 (Telmex Colombia, Colombia)
186.103.163.222 (Telefonica Empresas, Chile)
186.227.53.43 (Via Cabo Provedor de Internet e Informática, Brazil)
188.32.153.31 (National Cable Networks, Russia)
188.120.235.236 (TheFirst-RU, Russia)
189.1.144.243 (Silva & Silveira, Brazil)
195.241.208.160 (Koninklijke / Tiscali / Telfort, Netherlands)
198.46.136.86 (New Wave NetConnect, US)
202.56.170.28 (Ning Internet, Indonesia)
203.80.17.155 (MYREN, Malaysia)
203.185.97.126 (ThaiSARN, Thailand)
208.81.165.252 (Gamewave Hongkong Holdings, US)
210.42.103.141 (CERNET, China)
37.123.103.159
38.64.161.163
58.196.7.174
77.237.190.22
77.240.118.69
78.108.86.169
85.214.53.47
87.255.149.99
88.81.239.98
88.86.100.2
89.248.161.148
95.111.32.249
98.223.199.185
108.174.61.198
108.177.140.2
113.161.207.101
114.4.27.219
114.130.5.145
119.147.137.31
120.124.28.131
124.232.165.52
134.159.143.12
140.122.184.45
140.135.112.169
151.155.25.111
172.245.216.69
172.246.122.110
173.232.105.66
174.140.166.239
176.67.10.163
178.211.46.123
181.54.174.204
186.103.163.222
186.227.53.43
188.32.153.31
188.120.235.236
189.1.144.243
195.241.208.160
198.46.136.86
202.56.170.28
203.80.17.155
203.185.97.126
208.81.165.252
210.42.103.141
101ndstreetymha.com
abacs.pl
addressadatal.net
afabind.com
all24hours.net
amimeseason.net
andertiua200.com
antidoctorpj.com
antitationed200.com
auditbodies.net
avastsurveyor.com
bebomsn.net
beirutyinfo.com
bermudcity.net
bestsloankettering.com
biati.net
blackragnarok.net
blindsay-law.net
boats-sale.net
boyd-lawyer.net
brasilmatics.net
buycushion.net
cardpalooza.su
chairsantique.net
chinadollars.net
ciriengrozniyivdd.ru
cirienkoidrugied50.ru
cocainism.net
condalinarad72234652.ru
condalinaradushko.ru
condalinaradushko5.ru
condalinneuwu5.ru
condalinra2735.ru
condalinradishevo.ru
condalnua745746.ru
condalnuashyochetto.ru
confideracia.ru
controlnieprognoz.ru
cyberwoodlike.com
dirvers.net
dollsinterfer.net
doorandstoned.com
drivesr.com
dulethcentury.net
e-eleves.net
ehchernomorskihu.ru
ehnihjrkenpj.ru
ehnihujasebejav15.ru
ehnutidalvchedu.ru
ejoingrespubldpl.ru
elrrueitoenidd10.ru
enway.pl
ergopets.com
ermitajohrmited.ru
ernutkskiepro.ru
estimateddeta.com
extichetvorish.ru
fenvid.com
firefoxupd.pw
garohoviesupi.ru
gatoversignie.ru
genown.ru
ghroumingoviede.ru
gindonszkjchaijj.ru
gnanisienviwjunlp.ru
gondatskenbiehu.ru
gorondibndiiend10.ru
greli.net
gromimolniushed.ru
gstoryofmygame.ru
headbuttingfo.net
heavygear.net
heidipinks.com
highsecure155.com
historuronded.com
hotamortisation.net
hotkoyou.net
huang.pl
iberiti.com
icensol.net
independinsy.net
ingrestrained.com
insectiore.net
inutesnetworks.su
itracrions.pl
joinproportio.com
jsecure5.com
letsgofit.net
linguaape.net
lmbcakes.com
mantrapura.net
metalcrew.net
meticulousmus.net
meynerlandislaw.net
mifiesta.ru
mmafightsearch.net
myfreecamgirls.net
newtimedescriptor.com
obovate.net
ochengorit.ru
outbounduk.net
oxfordxtg.net
oydahrenlitutskazata.ru
patrihotel.net
patriotskit.ru
pc-liquidations.net
peertag.com
photosuitechos.su
pinterest.com.reports0701.net
pizdecnujzno.ru
pleak.pl
pnpnews.net
porschetr-ml.com
potteryconvention.ru
radiovaweonearch.com
ratenames.net
recorderbooks.net
rentipod.ru
reportingglan.com
reports0701.net
reveck.com
safe-browser.biz
safe-time.net
sartorilaw.net
secrettapess.com
secureaction120.com
securepanel35.com
sendkick.com
sensetegej100.com
shopkeepersne.net
smartsecurity-app.com
soberimages.com
spanishafair.com
stilos.pl
susubaby.net
televisionhunter.com
time-update.net
toldia.com
trleaart.net
ukbash.ru
unabox.pl
unitmusiceditior.com
unreality.biz
vahvahchicas.ru
wic-office.com
widnows.net
winne2000.net
winodwsupd.pw
winudpater.com
wow-included.com
xenaidaivanov.ru
zoneagainstre.com

Thursday, 27 June 2013

OfficeWorld.com spam / sartorilaw.net

This fake OfficeWorld spam leads to malware on sartorilaw.net:

Date:      Thu, 27 Jun 2013 12:39:36 -0430 [13:09:36 EDT]
From:      customerservice@emalsrv.officeworldmail.net
Subject:      Confirmation notification for order 1265953

Thank you for choosing OfficeWorld.com - the world's biggest selection of business products!

Please review your order details below. If you have any questions, please Contact Us


Helpful Tips:
--------------------------------------------------------------------
- Please SAVE or PRINT this confirmation for your records.
- ORDER STATUS is available online! Login and click "My Orders" to obtain UPS tracking information, etc.
- If you skipped registration, or forgot your password, simply enter your Login ID (normally your full e-mail address) and click [ forgot password ] to access your account.
--------------------------------------------------------------------

Order:  1265953
Date:           6/27/2013
Ship To:        My Default

Credit Card:    MasterCard


Product Qty     Price   Unit    Extended
--------------------------------------------------------------------
HEWCC392A    1       $9703.09  EA      $15.15         
AVE5366 1       $27.49  BX      $27.49         
SAF3081 2       $56.29  EA      $112.58        


Product Total:     $9855.22
--------------------------------------------------------------------
Total:          $9855.22

OfficeWorld.com values your business!
The link in the email goes through a legitimate hacked site and then on to [donotclick]sartorilaw.net/news/source_fishs.php (report here) hosted on the following IPs:
77.240.118.69 (Acens Technologies, Spain)
78.108.86.169 (Majordomo LLC, Russia)
89.248.161.148 (Ecatel, Netherlands)
108.177.140.2 (Nobis Technology Group, US)

Recommended blocklist:
77.240.118.69
78.108.86.169
89.248.161.148
108.177.140.2
afabind.com
chinadollars.net
condalnuashyochetto.ru
ejoingrespubldpl.ru
gindonszkjchaijj.ru
greli.net
gstoryofmygame.ru
meynerlandislaw.net
oydahrenlitutskazata.ru
reveck.com
sartorilaw.net
sendkick.com
spanishafair.com
Wednesday, 12 June 2013

Malware sites to block 12/6/13

This is a refresh of this list of domains and IPs controlled by what I call the "Amerika" gang, and it follows on from this BBB spam run earlier. Note that IPs included in this list show recent malicious activity, but it could be that they have now been fixed. I also noticed that a couple of the domains may have been sinkholed, but it will do you no harm to block them anyway.

Hosts involved:
5.175.157.110 (GHOSTnet, Germany)
41.89.6.179 (Kenya Education Network, Kenya)
42.62.29.4 (Forest Eternal Communication Tech. Co., China)
46.18.160.86 (Saudi Electronic Info Exchange Company (Tabadul) JSC, Saudi Arabia)
46.165.248.117 (Leaseweb, Germany)
49.212.221.29 (Sakura Internet Inc., Japan)
50.56.216.124 (Rackspace, US)
50.57.166.222 (Slicehost, US)
59.42.10.172 (Guangdong Tuosi Software Science Garden, China)
67.159.12.94 (FDCservers, US)
67.202.109.141 (Steadfast Networks, US)
67.215.2.251 (Colo-Serv Communications, Canada)
77.237.190.22 (Parsun Network Solutions, Iran)
81.252.120.250 (Collectivité Locale, France)
83.136.249.108 (Sigmatic Oy, Finland)
85.17.178.56 (Leaseweb, Netherlands)
85.26.31.60 (Brutele SC, Belgium)
85.201.12.244 (Brutele SC, Belgium)
86.84.0.11 (Planet Technologies, Netherlands)
88.80.222.73 (Alfahosting, Germany)
93.89.235.13 (FBS Bilisim Cozumleri, Cyprus)
95.143.41.16 (Inline Internet / VPS4less, Germany)
95.170.95.142 (TransIP, Netherlands)
109.95.23.4 (Kvartal Plus Ltd, Russia)
109.129.225.68 (Belgacom / Skynet, Belgium)
110.78.147.173 (CAT Telecom, Thailand)
111.93.156.171 (Tata Teleservices, India)
112.170.169.56 (Korea Telecom, Korea)
114.4.27.219 (IDIA Kantor Arsip MKS, Indonesia)
116.3.3.200 (China Unicom, China)
119.147.137.31 (China Telecom, China)
141.28.126.201 (Hochschule Furtwangen, Germany)
143.107.220.160 (Universidade De Sao Paulo, Brazil)
151.1.224.118 (ITnet, Italy)
159.90.91.179 (Universidad Simon Bolivar, Venezuela)
159.253.18.253 (FastVPS, Estonia)
160.75.169.49 (Istanbul Technical University, Turkey)
164.77.149.237 (Isapre Banmedica, Chile)
172.8.24.9 (Angela Curtolo DBA / AT&T, US)
172.246.16.27 (Enzu Inc, US)
177.84.128.54 (Informática Ltda, Brazil)
177.86.131.18 (Prime Telecomunicacoes Ltda, Brazil)
177.124.195.202 (Mundivox Do Brasil Ltda, Brazil)
178.16.216.66 (Gabrielson Invest AB, Sweden)
181.52.237.17 (Telmex, Colombia)
183.82.221.13 (Hitech / Beam Telecom, India)
184.82.115.37 (HostNOC, US)
186.215.126.52 (Global Village Telecom, Brazil)
188.32.153.31 (National Cable Networks, Russia)
187.33.48.12 (GTi Telecomunicacoes Ltda, Brazil)
190.93.23.10 (Greendot, Trinidad and Tobago)
192.64.80.143 (Interserver, US)
192.210.216.90 (ColoCrossing, US)
193.254.231.51 (Universitatea Transilvania Brasov, Romania)
196.1.95.44 (Ensut-Computer Department, Senegal)
198.199.93.55 (Digital Ocean, US)
200.3.153.91 (Pontificia Universidad Javeriana, Colombia)
200.87.177.124 (EntelNet, Bolivia)
201.65.23.153 (Comercial 15 De Novembro Ltda, Brazil)
202.29.242.249 (UniNet, Thailand)
202.31.139.173 (Kum Oh National University Of Technology, Korea)
203.64.69.52 (Taiwan Academic Network, Taiwan)
203.157.216.77 (Information Technology Office, Thailand)
208.68.36.11 (Digital Ocean, US)
210.42.103.141 (Wuhan Urban Construction Institute, China)
213.74.79.236 (Superonline, Turkey)
216.172.102.230 (EBL Global Networks, US)
217.174.211.1 (Agarik SA, France)
222.200.187.83 (Sun Yat-sen University, China)

Plain IP list for copy-and-pasting:
5.175.157.110
41.89.6.179
42.62.29.4
46.18.160.86
46.165.248.117
49.212.221.29
50.56.216.124
50.57.166.222
59.42.10.172
67.159.12.94
67.202.109.141
67.215.2.251
77.237.190.22
81.252.120.250
83.136.249.108
85.17.178.56
85.26.31.60
85.201.12.244
86.84.0.11
88.80.222.73
93.89.235.13
95.143.41.16
95.170.95.142
109.95.23.4
109.129.225.68
110.78.147.173
111.93.156.171
112.170.169.56
114.4.27.219
116.3.3.200
119.147.137.31
141.28.126.201
143.107.220.160
151.1.224.118
159.90.91.179
159.253.18.253
160.75.169.49
164.77.149.237
172.8.24.9
172.246.16.27
177.84.128.54
177.86.131.18
177.124.195.202
178.16.216.66
181.52.237.17
183.82.221.13
184.82.115.37
186.215.126.52
188.32.153.31
187.33.48.12
190.93.23.10
192.64.80.143
192.210.216.90
193.254.231.51
196.1.95.44
198.199.93.55
200.3.153.91
200.87.177.124
201.65.23.153
202.29.242.249
202.31.139.173
203.64.69.52
203.157.216.77
208.68.36.11
210.42.103.141
213.74.79.236
216.172.102.230
217.174.211.1
222.200.187.83

Identified malicious domains:
abacs.pl
autotradeguide.net
avastsurveyor.com
balckanweb.com
biati.net
bnamecorni.com
businessdocu.net
buyparrots.net
citysubway.net
cocainism.net
condalinarad72234652.ru
condalinneuwu5.ru
condalinra2735.ru
condalnuas34637.ru
condalnuashyochetto.ru
cunitarsiksepj.ru
diodmobilered.com
docudat.ru
ehchernomorskihu.ru
eheranskietpj.ru
ehnutidalvchedu.ru
ejoingrespubldpl.ru
enway.pl
ergopets.com
fastkrug.ru
federal-credit-union.com
freemart.pl
freenico.net
genown.ru
getstatsp.ru
ghroumingoviede.ru
giwmmasnieuhe.ru
gnunirotniviepj.ru
gondatskenbiehu.ru
gstoryofmygame.ru
haicut.com
hiddenhacks.com
historuronded.com
icensol.net
ingrestrained.com
inutesnetworks.su
janefgort.net
jetaqua.com
kirki.pl
klosotro9.net
lorganizedcue.com
ludena.ru
mantuma.pl
marvelfilms.net
mortolkr4.com
mslatearrival.com
multipliedfor.com
myhispress.com
nipiel.com
nvufvwieg.com
onlinedatingblueprint.net
otoperhone.com
oydahrenlitutskazata.ru
ozonatorz.com
pleak.pl
pnpnews.net
privat-tor-service.com
proxy-tor-service.com
relectsdispla.com
relectsdispla.net
reportingglan.com
safe-browser.biz
safe-time.net
salesplaytime.net
secondfiddleu.com
securepro7.ru
shopkeepersne.net
sludgekeychai.net
smartsecurityapp2013.com
smurfberrieswd.su
sngroup.pl
solarmiracles.net
techno5room.ru
televisionhunter.com
testerpro5.ru
thinkindi.net
tor-connect-secure.com
trleaart.net
twinkniche.net
twintrade.net
ukbarbers.net
unixawards.net
usergateproxy.net
usforclosedhomes.net
vip-proxy-to-tor.com
well-tailored.net
wmlawoffice.net
yelpwapphoned.com

Friday, 31 May 2013

Medfos sites to block 31/5/13

The following domains and IPs are currently being used as C&C servers by the Medfos family of trojans (this one in particular):

84.32.116.110
85.25.132.55
173.224.210.244
184.82.62.16
188.95.48.152
ehistats.su
emstats.su
ieguards.su
iestats.cc
inetprotections.su
iprotections.su
netprotections.cc
sysinfo.cc
sysinfonet.cc
westats.cc

The hosts involved are:
84.32.116.110 (LIX Solutions, Lithuania)
85.25.132.55 (Intergenia / PlusServer AG, Germany)
173.224.210.244 (Psychz Networks, US)
184.82.62.16 (HostNOC, US)
188.95.48.152 (Global Layer, Netherlands)

The domains listed are used in conjunction with hundreds of subdomains. Blocking the main domain is the best approach; failing that, the subdomains that I have been able to determine are listed here.

Tuesday, 22 January 2013

Dutch language Swiss tax spam / africanbeat.net

This Dutch-language spam appears to come from a Swiss tax authority, but in fact it leads to the Blackhole Exploit Kit on africanbeat.net:

From:     report@ag.ch via bernina.co.il
Date:     22 January 2013 13:48
Subject:     Re: je NAT3799 belastingformulier
Mailed-by:     bernina.co.il

[redacted]

Wij willen brengen aan uw bericht dat je hebt fouten gemaakt bij het invullen van de meest recente belastingformulier NAT3799 (ID: 023520).
vindt u aanbevelingen en tips van onze fiscalisten HIER
( Wacht 2 minuten op het verslag te laden)

Wij verzoeken u om corrigeer de fouten en verzenden de gecorrigeerd aangifte aan uw belastingadviseur zo snel mogelijk.

Kanton Aargau
Sonja Urech
Sachbearbeiterin Wehrpflichtersatzverwaltung
Departement Gesundheit und Soziales
Abteilung Militär und Bevölkerungsschutz
Rohrerstrasse 7, Postfach, 6253 Aarau
Tel.: +41 (0)62 332 31 62
Fax: +41 (0)62 332 33 18

Translated as:

We want to bring to your notice that you have made mistakes when completing the most recent tax form NAT3799 (ID: 023520).
You can find recommendations and tips from our tax specialists HERE
(Wait 2 minutes for the report to load)

We ask you to correct the error and send the corrected report to your tax advisor as soon as possible. 
The link leads to an exploit kit at [donotclick]africanbeat.net/detects/urgent.php (report here) hosted on the familiar IP address of 222.238.109.66 (Hanaro Telecom, Korea). The following domains are active on this server:

africanbeat.net
seoseoonwe.com
alphabeticalwin.com
bestwesttest.com
prepadav.com
masterseoprodnew.com
cocolspottersqwery.com
teamrobotmusic.net
shininghill.net
terkamerenbos.net

Tuesday, 8 January 2013

BBB Spam / royalwinnipegballet.net

This fake BBB spam leads to malware on royalwinnipegballet.net:

Date:      Tue, 8 Jan 2013 19:18:34 +0200 [12:18:34 EST]
From:      Better Business Bureau <information@bbb.org>
To:      [redacted]
Subject:      BBB information regarding your customer's appeal № 96682901

Better Business Bureau ©
Start With Trust ©

Mon, 7 Jan 2013

RE: Complaint # 96682901

[redacted]

The Better Business Bureau has been registered the above mentioned appeal from one of your clients as regards their business contacts with you. The details of the consumer's worry are available for review at a link below. Please give attention to this matter and notify us about your sight as soon as possible.

We graciously ask you to open the CLAIM REPORT to answer on this reclamation.

We are looking forward to your prompt answer.

Faithfully yours
Alex Green
Dispute Counselor
Better Business Bureau

Better Business Bureau
3063  Wilson Blvd, Suite 600  Arlington, VA 27201
Phone: 1 (703) 276.0100   Fax: 1 (703) 525.8277
 

This note was delivered to [redacted]. Don't want to receive these emails anymore? You can unsubscribe

====================

Date:      Tue, 8 Jan 2013 19:12:58 +0200 [12:12:58 EST]
From:      Better Business Bureau <donotreply@bbb.org>
Subject:      Better Business Beareau   Pretense № C6273504
Priority:      High Priority 1

Better Business Bureau ©
Start With Trust ©

Mon, 7 Jan 2013

RE: Issue No. C6273504

[redacted]

The Better Business Bureau has been registered the above said reclamation from one of your users in respect of their business contacts with you. The information about the consumer's anxiety are available visiting a link below. Please give attention to this problem and notify us about your mind as soon as possible.

We kindly ask you to overview the APPEAL REPORT to meet on this claim letter.

We are looking forward to your prompt rebound.

Yours respectfully
Julian Morales
Dispute Advisor
Better Business Bureau

Better Business Bureau
3013   Wilson Blvd, Suite 600  Arlington, VA 20701
Phone: 1 (703) 276.0100  Fax: 1 (703) 525.8277


This message was sent to [redacted]. Don't want to receive these emails anymore? You can unsubscribe
The malicious payload is on [donotclick]royalwinnipegballet.net/detects/occasional-average-fairly.php hosted on 89.207.132.144 (Snel Internet, Netherlands), which was hosting another attack site this morning (so it is best blocked, in my opinion).


"Federal ACH Announcement" spam / cookingcarlog.net

This rather terse spam leads to malware on cookingcarlog.net:

From:     Federal Reserve Services@sys.frb.org [ACHR_59273219@fedmail.frb.org]
Date:     8 January 2013 15:11
Subject:     FedMail (R): Federal ACH Announcement - End of Day - 12/27/12

Please find the ACH Letter of Advice Reporting from the Federal Reserve System clicking here. 
The link in the email goes to an exploit kit on [donotclick]cookingcarlog.net/detects/occasional-average-fairly.php (report here) which is hosted on 89.207.132.144 (Snel Internet Services, Netherlands).

Added - a BBB spam is also doing the rounds with the same payload:

Better Business Bureau ©
Start With Trust ©

Mon, 7 Jan 2013

RE: Case N. 54809787

[redacted]

The Better Business Bureau has been recorded the above said claim from one of your customers in respect to their dealings with you. The detailed description of the consumer's worry are available for review at a link below. Please pay attention to this issue and communicate with us about your judgment as soon as possible.

We pleasantly ask you to click and review the CLAIM REPORT to meet on this claim letter.

We are looking forward to your prompt response.

WBR
Mason Turner
Dispute Consultant
Better Business Bureau

Better Business Bureau
3063   Wilson Blvd, Suite 600  Arlington, VA 22701
Phone: 1 (703) 276.0100  Fax: 1 (703) 525.8277

Tuesday, 20 November 2012

Malware sites to block 20/11/12

This huge pile of malware sites and IPs is connected with these malicious emails being distributed in the Netherlands. All the sites are interconnected through their black hat infrastructure and are either being used for malware distribution or some other evil activity:

5.39.8.105 (OVH, Ireland)
46.249.38.27 (Hotkey, Russia)
62.109.31.36 (TheFirst, Russia)
64.79.64.170 (XLHost, US)
78.46.198.143 (GPI Holding, US)
78.110.61.186 (Hosting Telesystems, Russia)
91.220.35.42 (Zamahost, Russia)
91.220.35.74 (Zamahost, Russia)
91.231.156.55 (Sevzapkanat-Unimars, Russia)
93.174.90.81 (Ecatel, Netherlands)
95.211.9.46 (Leaseweb, Netherlands)
95.211.9.55 (Leaseweb, Netherlands)
149.154.67.103 (TheFirst, Russia)
176.9.179.170 (Siteko, Russia)
178.63.226.203 (Avist, Russia)
178.63.247.189 (GPI Holding, US)
178.162.134.205 (AlfaInternet, Russia)
184.82.101.52 (HostNOC, US)
193.161.86.43 (Host-Telecom, Czech Republic)
194.62.233.19 (Stils-Grupp, Russia)
198.23.139.199 (Chicago VPS, US)
208.88.226.231 (WZ Communications, US)

If you want to block those Russian hosts more widely, perhaps use the following list:
46.249.38.0/24
62.109.28.0/22
64.79.64.170
78.46.198.136/29
78.110.61.186
91.220.35.0/24
91.231.156.0/24
93.174.90.81
95.211.9.46
95.211.9.55
149.154.66.0/23
176.9.179.128/26
178.63.226.192/26
178.63.247.128/26
178.162.134.192/26
184.82.101.52
193.161.86.43
194.62.233.0/24
198.23.139.199

Alternatively, this is a plain list of all the IPs and domains that I can identify in this cluster. There are a LOT of them, sorry..
5.39.8.105
46.249.38.27
62.109.31.36
64.79.64.170
78.46.198.143
78.110.61.186
91.220.35.42
91.220.35.74
91.231.156.55
93.174.90.81
95.211.9.46
95.211.9.55
149.154.67.103
176.9.179.170
178.63.226.203
178.63.247.189
178.162.134.205
184.82.101.52
193.161.86.43
194.62.233.19
198.23.139.199
208.88.226.231
3dsec.4pu.com
617.ddns.info
617c.ddns.info
623c.ddns.info
95ccc.com
aboutmailmerging.net
achieve8searcherscom.com
achieve8searcherscom.net
adventureslh.net
advert01.wwwapp-myups.net
advert02.wwwapp-myups.net
alhmzpxsdtj.net
almanaccategorycommercial.org
aloha.4mydomain.com
alwaysallowdream.net
amalgamagain.info
analogmodemtittering.info
angleheadlines.info
anonymizerbookstore.pro
anxdn.info
anytimetunnel.biz
aol.adswrapper.com
appenoughceleronbased.org
artclipsamet.com
artistsbannerlike.pro
askplus.com
atstreetside.info
augmxqkfile.info
austerecam.net
aybqlgximi.info
babeqapa.tk
backgroundpioneered.org
bad2gooddog.com
badgestargetshaped.info
bannedbarefoot.info
barrenislandbeads.com
basetavo.tk
bcwud.info
bender.ddns.info
berasta.org
beregans.com
bestlermecg.info
bestmakingbreadonline.com
bestsearch.info
big-tube.info
blackboardcomodos.info
blizzardcwopp.net
bmjxsqrs.info
bombastikso.org
bonesgargamel.info
bothbe.org
brieffaith.info
brokenearparent.info
brounsnastles.com
builderskating.net
burdeningyp.org
businezzz.com
camimia.asia
cannotkubrick.info
caseroutinely.net
cassettesbeauty.org
castlerockcare.com
castlerockholiday.com
cdn.milstone.org
cdn2.milstone.org
chalais.com
chasidydil.mobi
cjsmweubiwy.info
clientyestab.biz
clipsvuze.info
clusterconference.com
cocktailpipeline.org
collapsesorenson.info
collegesorcerer.org
coloradopinolo.com
companypinolo.com
compellingpartition.org
conandeliberately.pro
constructionverified.org
coolhottube.net
copyahnlabs.info
countess.com
coupledqiks.org
crystalsave.net
ctosmamas.org
cuttinggoghs.info
cyberlinkspaypass.info
daertnop.ftp1.biz
dandyapples.pro
daoakxuko.info
darvuha.info
ddntruc.info
ddred.ddns.info
decreasesnotable.net
deductedsweatinducing.org
degreeswiftly.pro
deluxearpeggiated.info
delvingchromakey.info
demandededitions.info
densepromissory.info
dependthreelicense.info
desktopbasedwolfish.net
devidugo.tk
dialinlengths.info
discoverleaving.net
districtagenda.net
diyoyowo.tk
dkpdistrib.com
dns5number.com
dnsnumber4.com
docktoolsthe.org
doggedapril.info
dpljrtcsvva.info
dqnmuraq.info
dqnoctx.info
dreamflaunt.pro
drillup.itemdb.com
dsmxxqyh.info
dwall.info
ebaymoat.pro
echurchstrategies.com
emgsiavpjrlx.info
enemiesfocuses.org
epbdkhoacl.info
ergonomicbegging.net
eservicetimesyncing.org
everevolvingredact.info
excellentinternetmoney.com
executiveshours.org
exkcrch.info
experiencegraphical.net
extchangeable.net
eyecolorreserve.pro
faqseer.ddns.info
fdknklmlmb.pro
fejyvrhd.info
ffiae.info
fgypodecxg.info
figuringdictating.net
findrevenue.net
fireddependence.net
firefoxslacker.pro
fix-lite.info
fix-online.info
fklnbiokjemiwovpe.pro
fkvwtviospticmvjbhkae.usa.cc
flapshrill.net
flyswatinterestingly.info
fortraff.ddns.info
fqxxifs.info
fredamm4.cu.cc
freesnonintegral.net
fresh.otzo.com
frwdlink.in
ftpfreame.ddns.info
gadogube.tk
gdzwqbg.info
geodeskilar.info
geossh.net
geotagspogoplugs.org
getdnscheck.info
getestore.org
gfnsdntgb.info
ghrptvjb.info
gipifequ.tk
google123.flu.cc
google-script.net
gospodin.co.uk
governingjerk.org
green-suntech.com
grewforks.info
gromdemn77bert.pro
gudangbrankas.com
gymybrbcmfe.info
handishades.com
heartedmessaging.info
hemptalk.net
hmdvebvs.info
holdingshitech.info
homescastlerock.com
hostingmir.net
hourlyfyis.info
hsskvmg.info
humanitiesinstitute.com
hwpwecgl.info
ibabkmm.info
iftttcore.info
igadgetcapable.net
igtoydlufrpq.info
ihamehq.info
imagereport470x80.net
img.businessboomerflorida.com
img.chappellroberts.biz
img.chappellroberts.com
img.growmycash.com
img.ksyc1039.com
img.ksyc1039.info
img.ksyc1039.org
img.mitchcota.com
img.powerisfun.com
img.thefriar.com
img2.theqrpros.com
indiesblinks.com
influxtechnologies.com
innertextbosher.com
instructedtabtastic.org
interpretondemand.pro
intervalviicompatible.info
invadeinsecure.org
invitationsdoand.pro
iogdbsxmtk.pro
ipoiuhipowuujhwrtvas.flu.cc
iqyzfevrf.info
itouchsilence.net
jackerdesktopstyle.info
janomeku.tk
jdkthinkfree.net
jeuae.info
jeyhjrif.info
jfbwzb.info
jltwphu.info
josaheb.tk
junkwifi.com
jywkymar.info
jzmpmdodijj.info
karudozu.tk
kcgysjg.info
kcqobilky.info
kdvltguzobyj.info
kdvxojwpyzna.info
keystransactions.com
keyxdgpi.info
khdnqjau.info
kidasivi.tk
kinkosfragile.pro
kiwkemw.info
kohvragbmen.info
kqjoxyoe.info
kxxmnafgjeg.info
lasttube.info
lawbureau.com
leakedla.net
leddate.net
lesnegra.info
lgiqe.info
lslouxjrp.info
lunivusu.tk
lycyybse.info
mafpsqen.info
mandyeffect.com
mcclam.com
mdacparticular.org
mechcomm.net
mekanuki.tk
menugibberish.net
microsoftformatnuts.com
mixmoney.info
mkbeun.info
mkvpcsgg.info
moejpizdeprivet.org
mofaxeq5.cu.cc
moneysold.net
moneysporchefancy.net
moviehong.net
mugalkzr.info
my-best-tube.net
mydnsmask.info
mygreentube.net
mynewtube.net
nameshistory.info
ndwlmifgtox.info
nerosuptodate.org
netbooksmcafees.org
netboosterbreathe.net
new-browser1.ru
newcomersocialmediaminded.info
ngjfwcex.info
nicschleck5.com
nioterlybwma.info
nocejose.tk
nofussdonuts.org
notchedidrive.info
nxybedq.info
obitalkcomemptied.pro
obstacledogcams.org
occupyrent.com
ojkuxrfnwd.net
onedreamnetwork.com
oozeeven.org
opelcbgy.info
opwaksumd.info
ottnejwtsyn.info
ouviqqiift.info
overseassouth.net
oyparncfzw.info
packsos.info
paintsg.net
paisdhcgwrjklasdrt.usa.cc
palmwellreceived.net
panelsadvise.net
paqruwzktc.info
passesdemocratic.net
pathnamemypogoplugcom.net
pazza-inter.com
pdvfywomxtl.net
pervasivefootage.org
php.telwire.net
pihbqmtyjlz.info
piwroicybwyvnatywqerf.flu.cc
pizadaivanonaprivet.org
pksfxserverclass.net
plancentrallaura.org
planesmeasuring.pro
playpiano.info
plusesquotes.info
poishealthcare.info
polarizebit.org
polneska.ipq.co
posduet.org
pqdefywsxova.org
pregnancytestpaper.com
privacyparentalintersections.pro
processedinserting.info
proddingappsumo.info
projectthermometerstyle.net
promotesmetasearch.net
pxanwmcqod.info
pzoibqzb.info
qchtvjpmyfo.info
qesigafu.tk
qkfrcptayzj.info
qomazime.tk
qonla.info
qoxeciw.tk
qpflbmakjwe.info
qqpyzahqpqw.info
quxozife.tk
qzeryra.info
racksschools.pro
radialinfested.net
ragoose.ipq.co
ratiofollows.pro
rbgyoxngr.info
rdparentalcontrol.net
recorderscaloriecounting.net
recordingbarcelonas.info
reflectshello.info
resemblesvisa.info
resultsreacts.pro
retweetstasteful.net
retzaser.com
rfktgh.info
rhymingtravelocity.info
rhythmsstuttering.net
rivzdktjw.info
romanticring.com
royalmojito.org
rpfstorage.org
ruralnoise.info
saavihaunting.net
salzgrrckpa.info
scan-domain.org
sdavey.com
secondarydatapad.info
seguhuqo.tk
selectivelylanguages.info
semlnqzn.info
senetef.tk
servicesinstitute.com
sexintheroom.net
sgmlscreensavers.biz
sharpeyedresizable.net
shava.sytes.net
shownheadphone.net
silentpentest.com
sivoyase.tk
sjdwugpxnb.info
slewhovering.net
soft-tube.net
solicitationattorney.com
songbookterrified.pro
sorryintellicookie.net
spaceyourfilesbig.chickenkiller.com
speedanymore.net
spousechaptersthe.net
ssbigpicture.net
sscnvcxkcsh.info
startinternetmarketing4u.com
stats-tracking.ibiz.cc
storyboardonlysplines.info
stped.dnset.com
streamlinespaging.org
substitutesjeani.net
suitautorun.in
sundayhammered.net
superfasthardcopy.net
svqzmfcapho.info
svrealestates.com
swqocit.info
syenial.com
syncreticorder.com
sytghikbl.info
szjzico.info
tatibeg.tk
tceeeuq.info
teleprompterenglish.net
tenscrub.net
tethertremendous.info
tewnrpvxbdjc.info
texturesbusinesslevel.in
tiesink.net
tiffanylplee.com
tiffciscos.biz
tiledblacks.biz
tllnerim.info
tnciayzr.info
tobackupmxp.info
totesynopsis.net
traaf.ddns.info
traf13.ddns.info
trafferss.ddns.info
trafficstock.net
translucentattractive.net
trendmicrosemulate.info
trento.ikwb.com
tropicrentals.com
truestrategic.biz
tubeltd.net
tuhabos.tk
turocigu.tk
txhyzguwbdia.info
u83s.info
u86s.info
u87s.info
ufifkfwsnml.info
uigazjmeb.info
uihvdjf.info
uiolehvrfb.info
ukhercules.org
ultimate-boobs.com
ultqpdnrxh.info
umtxsx.info
unbootablemassively.info
undpower.co.uk
uninstallationcassette.net
urbansoulentertainment.com
user1.ddns.info
user3.ddns.info
useruploadedhumorist.info
usuiu.info
uyund.info
vansalivate.org
vendendoaqui.com
vennwake.info
viewcastlerock.com
vkdlbfh.info
vlbxty.info
vodkkaredbuuull.chickenkiller.com
wallarticles.com
wallmountedsubprojects.info
webcheckfinalizing.net
webcoupons2.com
weednav.info
weehourbravia.net
whicheverwe.info
win8searcherscom.com
wittierhoning.org
wnpagain.info
wogepil.tk
wrapeyeopening.info
wsrqeyqq.info
wupikbtq.info
www.obitalkcomemptied.pro
wwwapp-myups.com
wyllruoeueo.info
xcomctrlb.pro
xesidijo.tk
xhikjbtr.info
xidthronpemf.info
xijigaf.tk
xltube.info
xnqamke.info
x-red-tube.net
xszrccmve.info
ybnbqgqe.info
ybpekhvp.info
ydsvkx.info
yevetoma.tk
yfbthpdivlc.net
ylhwygggiy.info
yndgh.info
your-best-tube.net
yournewtube.net
zenithoutdoors.com
ziallow1990.com
zonermtbf.net
zqdrtnkhzd.info
ztmyno.info
zuretiy.tk
zvhtkpsnmdy.info
zvoxzgdrza.info


Wednesday, 18 January 2012

Something evil on 95.211.115.228 and 46.249.37.22.

A set of malicious sites, linked to the Redret gang, hosted on 95.211.115.228 (Leaseweb, Netherlands). Blocking the IP rather than the individual domains will also protect against other malicious sites on the same server.

child-re-ninth-ebusiness.com
childregardingninthebusiness.com
childreninthebusiness.com
childsubjectninthcompany.com
childsubjectninthebiz.com
childsubjectninthebusiness.com
custom-t-shirtsfromhansen.com
extentthahansen.com
freeholidaynew.com
hirtsfromhansen.com
holidaygreat.com
holidaynewsite.com
myholidaynew.com
range-the-hansen.com


Another server in this same network is 46.249.37.22 (Serverius Holding, Netherlands):

1o345.info
1op45.info
2012-my-happy.com
2012myownhappy.com
543oh.info
54mo1.info
54po1.info
akvitea.com
alurbrilance.com
arowipes.com
avangeit.com
bitcast.in
bitcube.in
bitechnica.in
bitfire.in
bitware.in
bitwire.in
businessnfamily.com
companynfamily.com
companynpeople.com
customtshirtsfromhansen.com
domtrixsov.com
drinki.in
familycommercial.com
freeautomag.info
funnytshirtsfromhansen.com
glad-year.com
globaltracking02234.info
great-happy.com
happy-period.com
happy-term.com
happychock.biz
happytwelvemonths.com
ho345.info
iflos.com
ivairiu.com
joyful-year.com
jsijdewhg.com
kalalog-testov.com
latest-happy.com
makdacs00.com
makiajdleavseh.com
merry-year.com
modern-happy.com
muravied222.com
odnonoshnicy.com
plsk3mme.com
q234.info
s00n.in
safe-t-shirtsfromhansen.com
safetshirtsfromhansen.com
serdjuchka.biz
stop-prysham.com
timetracking02234.info
uskoriteliinterneta.biz
xxxtubedirty.com


The third server in the group is 203.170.193.102, which has already been identified here.

Tuesday, 27 December 2011

Contract spam / chredret.ru

Another fake "contract" spam leading to malware, hosted on chredret.ru.

Date:      Tue, 27 Dec 2011 06:06:18 +0700
From:      "Destinee Mills"
Subject:      The variant of the contract you've offered has been delcined.

After our legal department studied this contract carefully, they've noticed the following mismatches with our previous arrangements. We've composed a preliminary variant of the new contract, please study it and make sure that all the issues are matching your interests
NEW_Contract.doc 44kb


With best wishes
Destinee Mills
Another name used on the spam is "Ramiro Howell", although there are probably hundreds of fake names. The malicious payload is at chredret.ru/main.php, hosted on 46.249.37.22 (Serverius Holding BV, Netherlands). This is the second "redret" domain in this /24, so blocking 46.249.37.0/24 might be prudent.
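Both this post and the one above make the same defensive point: block the hosting IP (or, where a network is repeatedly abused, the whole /24) rather than chasing individual domains, since that also covers sibling hosts on the same server. The script below is an added example, not code from this blog; it parses a plain one-entry-per-line list in the format these posts use (IPs with optional "(host, country)" annotations, CIDR ranges, and bare domains) and checks candidate IPs or hostnames against it. The entries in SAMPLE_LIST are copied from the posts; the candidates checked in main() are constructed for illustration.

```python
"""Block-list matcher for the IP / CIDR / domain lists published in posts like these.

Added example, not the blog's own code. The list entries below are taken from
the posts; the candidate values checked in main() are constructed.
"""
import ipaddress

# Constructed from entries in the posts above: two server IPs, the /24 the
# post suggests blocking, and a few of the listed domains. The parenthetical
# hosting annotations are in the same style the blog uses.
SAMPLE_LIST = """
# Something evil on 95.211.115.228 and 46.249.37.22
95.211.115.228 (Leaseweb, Netherlands)
46.249.37.22 (Serverius Holding, Netherlands)
46.249.37.0/24
chredret.ru
childreninthebusiness.com
netherlandjobb.com
"""


def parse_blocklist(text):
    """Split a one-entry-per-line list into (ips, networks, domains).

    Blank lines and '#' comments are skipped; a trailing annotation such as
    '(Leaseweb, Netherlands)' is dropped before the entry is classified.
    """
    ips, nets, domains = set(), [], set()
    for raw in text.splitlines():
        entry = raw.split("(", 1)[0].strip().lower()
        if not entry or entry.startswith("#"):
            continue
        try:
            if "/" in entry:
                # strict=False tolerates host bits set in the prefix (e.g. 46.249.37.22/24)
                nets.append(ipaddress.ip_network(entry, strict=False))
            else:
                ips.add(str(ipaddress.ip_address(entry)))
            continue
        except ValueError:
            pass  # not an address or network, so treat it as a domain
        domains.add(entry.rstrip("."))
    return ips, nets, domains


def is_blocked(candidate, ips, nets, domains):
    """Return True if an IP literal or hostname matches the list.

    An IP matches if it is listed exactly or falls inside a listed network.
    A hostname matches if it equals a listed domain or is a subdomain of one
    (www.chredret.ru is caught by chredret.ru), mirroring the posts' point that
    blocking the parent covers the hosts under it.
    """
    value = candidate.strip().lower().rstrip(".")
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        labels = value.split(".")
        return any(".".join(labels[i:]) in domains for i in range(len(labels)))
    if str(addr) in ips:
        return True
    return any(addr in net for net in nets)


def main():
    ips, nets, domains = parse_blocklist(SAMPLE_LIST)
    # Constructed candidates: one inside the /24, one just outside, a subdomain.
    for candidate in ("46.249.37.99", "46.249.38.1", "www.chredret.ru", "example.org"):
        print(f"{candidate:20} blocked={is_blocked(candidate, ips, nets, domains)}")


if __name__ == "__main__":
    main()
```

The matcher deliberately treats anything that is not parseable as an address or network as a domain, so a stray annotation or typo in the source list becomes a harmless non-matching domain rather than a crash; review the parsed sets before deploying them to a resolver or firewall.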

Monday, 24 October 2011

mailukrsoft.com: job scammers in action

A post over at woozoo.nl caught my eye (in Dutch, Google Translated to English) about the netherlandjobb.com scam. Robert Krom goes several steps further than I usually do with a good investigation into how the scammers try to rope people in.

Robert identifies mailukrsoft.com as the next stage in the scam. To me, it looks like it is run by a different crew, but scammers tend to outsource activities to others these days. It appears that one group of scammers may be looking for money mules and then selling them on to others.

Thursday, 20 October 2011

Fake jobs: canada-newjob.com, netherlandjobb.com and newjobrecruit.com

Another bunch of domains being used to peddle fake jobs:

canada-newjob.com
netherlandjobb.com
newjobrecruit.com

These domains form part of this long running scam. You may find that the emails appear to come from your own email address (here's why).

The domain registrant details are no doubt fake:

    Adolf Nureng
    Email: adolfnureng@yahoo.dk
    Organization: Adolf Nureng
    Address: Spellingevej 3 Ro
    City: Gudhjem
    State: Gudhjem
    ZIP: 3703
    Country: DK
    Phone: +45.70225632

The jobs offered will actually be criminal activities such as money laundering. If you have any examples of emails using these domains, please consider sharing them in the Comments. Thanks!

Here is one example:

Date: 20 October 2011 13:17
Subject: Huidige vacature

We are hiring!

We offer part-time or full-time positions in the EU.
Currently our team of specialists is developing a progressive and innovative
way of cooperating with our clients, so we are expanding our network of representatives across Europe.

We offer fully paid training to guide you through your work, a competitive salary,
a free work schedule and other benefits that will make your cooperation with us very pleasant.
If you want to join our company, you must make sure that you hold European residence
and possess a strong desire to work.

Once you have decided to join us, please send us your contact details
and we will contact you as soon as possible to schedule an interview.

Our contact details: Rolland@netherlandjobb.com

Thank you for your interest!

In this case, the email originated from 178.172.136.117 in Belarus.