
Monday 18 January 2016

Malware spam FAIL: "Invoice January" / "A . Baird" [ABaird@jtcp.co.uk]

This fake financial spam does not come from J. Thomson Colour Printers but is instead a simple forgery with a malicious attachment.

From     "A . Baird" [ABaird@jtcp.co.uk]
Date     Mon, 18 Jan 2016 16:17:20 +0530
Subject     Invoice January


We have been paid for much later invoices but still have the attached invoice as

Can you please confirm it is on your system and not under query.


  Alastair Baird
  Financial Controller

  Registered in Scotland 29216
  14 Carnoustie Place
  Glasgow G5 8PB
  Direct Dial: 0141 418 5303
  Tel: 0141 429 1094

  Save Paper - Do you really need to print this e-mail?

Because the email has an error in it, the attachment cannot be downloaded or will appear to be corrupt. This follows on from a similar bunch of corrupt spam messages on Friday [1] [2] [3]. The payload is meant to be the Dridex banking trojan.

If you can get hold of the original message, then it should be possible to locate the faulty Base 64 section which has a leading space in it. Removing the space and decoding the Base 64 would generate the intended malicious message. Obviously, I don't recommend doing that unless you want to decode the malware..
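A mail-gateway check for the malformation described above, as an added example that is not part of the original post: it walks the MIME parts of a message and reports any part declared as base64 whose body has lines with leading whitespace or characters outside the Base 64 alphabet. The sample message, its harmless payload and all function names are constructed for illustration.

```python
import base64
import binascii
import re
from email import message_from_string

# One line of RFC 2045 Base 64: alphabet characters plus optional padding.
B64_LINE = re.compile(r"^[A-Za-z0-9+/]*={0,2}$")

# Constructed, harmless attachment content used by the sample message.
SAMPLE_ATTACHMENT = b"harmless constructed attachment body\n" * 4


def audit_base64_parts(raw_message):
    """Return one finding per MIME leaf part that declares base64 encoding."""
    findings = []
    for part in message_from_string(raw_message).walk():
        if part.is_multipart():
            continue
        cte = (part.get("Content-Transfer-Encoding") or "").strip().lower()
        if cte != "base64":
            continue
        # decode=False returns the body as transmitted, so stray whitespace
        # is still visible to the checks below.
        lines = part.get_payload(decode=False).splitlines()
        leading_ws = [n for n, line in enumerate(lines, 1) if line[:1] in (" ", "\t")]
        invalid = [n for n, line in enumerate(lines, 1) if not B64_LINE.match(line)]
        joined = "".join(lines)
        try:
            base64.b64decode(joined, validate=True)
            strict_ok = True
        except (binascii.Error, ValueError):
            strict_ok = False
        # A non-strict decoder discards characters outside the alphabet, so it
        # can still yield content that a strict decoder rejects. A scanner
        # should inspect what the lenient path produces as well.
        try:
            lenient_len = len(base64.b64decode(joined, validate=False))
        except (binascii.Error, ValueError):
            lenient_len = None
        findings.append({
            "filename": part.get_filename(),
            "leading_ws_lines": leading_ws,
            "invalid_lines": invalid,
            "strict_decode_ok": strict_ok,
            "lenient_decoded_len": lenient_len,
            "suspicious": bool(leading_ws or invalid or not strict_ok),
        })
    return findings


def build_sample_message(leading_space):
    """Build a constructed two-part message; optionally corrupt the base64."""
    encoded = base64.encodebytes(SAMPLE_ATTACHMENT).decode("ascii")
    if leading_space:
        encoded = " " + encoded  # the fault described in the post
    return (
        "From: sender@example.test\n"
        "To: recipient@example.test\n"
        "Subject: constructed sample\n"
        "MIME-Version: 1.0\n"
        'Content-Type: multipart/mixed; boundary="b1"\n'
        "\n"
        "--b1\n"
        "Content-Type: text/plain\n"
        "\n"
        "Sample body.\n"
        "--b1\n"
        'Content-Type: application/msword; name="sample.doc"\n'
        "Content-Transfer-Encoding: base64\n"
        'Content-Disposition: attachment; filename="sample.doc"\n'
        "\n"
        + encoded +
        "--b1--\n"
    )


if __name__ == "__main__":
    for flag in (True, False):
        print(flag, audit_base64_parts(build_sample_message(flag)))
```
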


A source (thank you!) tells me that the various versions of the document should download a binary from one of the following locations:


This binary has an MD5 of 971b9f7a200cff489ee38011836f5240 and a VirusTotal detection rate of 3/54. The same source identifies the following C2 servers which are worth blocking: (WebSiteWelcome, US) (CAT BB Net, Thailand) (Advanced Internet Technologies Inc, US) (Gerrys Information Technology (pvt) Ltd, Pakistan)

Recommended blocklist:

Monday 21 December 2015

Malware spam: "INVOICE" / "Brenda Howcroft [accounts@swaledalefoods.co.uk]"

This fake financial spam does not come from Swaledale Foods but is instead a simple forgery with a malicious attachment.

From:    Brenda Howcroft [accounts@swaledalefoods.co.uk]
Date:    21 December 2015 at 10:46
Subject:    INVOICE

Your report is attached in DOC format. To load the report, you will need the free Microsoft® Word® reader, available to download at http://www.microsoft.com/

Many thanks,

Brenda Howcroft
Office Manager

t 01756 793335 sales
t 01756 790160 accounts


This email transmission is confidential and intended solely for the person or organisation to whom it is addressed. If you are not the intended recipient or have received this e-mail in error please delete it immediately and notify the sender, Any disclosure including copying or distribution of the information contained herein is strictly prohibited. Any opinions, instructions or advice contained in this email may not necessarily be those of the company. Although this email and any attachments are believed to be free of any virus or other defects, which might affect any computer or system it is the responsibility of the recipient to ensure they are virus free. E&OE.

Invoice 14702.doc

Attached is a file Invoice 14702.doc which comes in at least 9 different versions (VirusTotal results [1] [2] [3] [4] [5] [6] [7] [8] [9]). I haven't had the chance to analyse them, but my sources say that at least some versions download from the following locations:

This dropped file has a detection rate of 6/54. The Hybrid Analysis report plus some other sources indicate network traffic to: (Megawire, Canada) (OVH, France) (Gerrys Information Technology (pvt) Ltd, Pakistan) (Hetzner, Germany)

The payload is the Dridex banking trojan.


Recommended blocklist:

Wednesday 16 December 2015

Malware spam: "Invoice No. 22696240" / "Sharon Samuels" [sharons463@brunel-promotions.co.uk]

This fake financial email does not come from Brunel Promotions but is instead a simple forgery with a malicious attachment.

From     "Sharon Samuels" [sharons463@brunel-promotions.co.uk]
Date     Wed, 16 Dec 2015 14:46:12 +0300
Subject     Invoice No. 22696240

  Good morning

Please find attached your latest invoice, for your attention.

Please be advised that your goods have been despatched for delivery.


Calendars and Diaries of Bristol Limited
Hope Road

United Kingdom
Various details in the message change, such as the invoice number. I have seen two attachments with detection rates of 4/55 [1] [2] which according to Malwr [3] [4] download a malicious binary from the following locations:


This executable has a detection rate of 3/52 and these automated analyses [1] [2] [3] [4] indicate network traffic to: (Megawire, Canada) (Gerrys Information Technology (PVT) Ltd, Pakistan) (Ho Chi Minh City Post and Telecom Company, Vietnam)

The payload is the Dridex banking trojan, probably.


Recommended blocklist:

Monday 14 December 2015

Malware spam: "Scan from a Samsung MFP" / "Gareth Evans [gareth@cardiffgalvanizers.co.uk]"

This fake scanned document does not come from Cardiff Galvanizers but is instead a simple forgery with a malicious attachment.
From:    Gareth Evans [gareth@cardiffgalvanizers.co.uk]
Date:    14 December 2015 at 10:43
Subject:    FW: Scan from a Samsung MFP



-----Original Message-----

Please open the attached document. It was scanned and sent to you using a
Samsung MFP. For more information on Samsung products and solutions, please
visit http://www.samsungprinter.com.

This message has been scanned for malware by Websense. www.websense.com
I have seen just a single sample of this, named Untitled_14102015_154510.doc and with a VirusTotal detection rate of 7/54. It contains a malicious macro [pastebin] which according to this Malwr report downloads a malicious binary from:


There will probably be other versions of the document downloading from the same location. The binary has a VirusTotal detection rate of 1/54. Those two reports plus this Hybrid Analysis indicate network traffic to the following malicious IPs: (Megawire, Canada) (Ho Chi Minh City Post And Telecom Company, Vietnam) (Gerrys Information Technology (PVT) Ltd, Pakistan) (Hetzner, Germany)

The payload is likely to be the Dridex banking trojan.


Recommended blocklist:

Thursday 24 September 2015

Evil network: (Interserver Inc and Muhammad Naeem Nasir)

This DHL-themed phish got me looking at an IP address range of which is a range belonging to Interserver Inc in the US, but which has been reallocated to a customer. But who? Because the WHOIS details for that block are not valid..
%rwhois V-1.5:003fff:00 city.trouble-free.net (by Network Solutions, Inc. V-
network:Org-Name:N/A N/A
Well, that's quite a sloppy move by Interserver to allow that, but it doesn't mean that the block is evil. However, an analysis of the sites currently and formerly hosted in that range indicates a very high proportion of phishing sites.. in fact, the range is a hotbed of sophisticated fraud sites, many of which seem to be undiscovered.

I combined current reverse IP data from DomainTools and current and historical data from DNSDB and then ran them through an IP lookup and a check against the Google Safe Browsing and SURBL reputations. The results [csv] show a very large number of sites flagged by SURBL in particular, amounting to 47 out of 167 sites (i.e. 28%) that I can identify as being currently hosted in that range.

In addition, a large number of phishing and other malicious sites have been hosted on in the past and are now hosted elsewhere.

nswo.co.uk / "La Casa Limpia - a Balaeric Island Villa"

At first glance, some of the remaining sites look legitimate. Consider nswo.co.uk entitled "La Casa Limpia - a Balaeric Island Villa".

It looks utterly legitimate, although it is an odd domain name for a villa in Spain. Let's check those WHOIS details..

    Domain name:

        P J Green

    Registrant type:
        UK Sole Trader

    Registrant's address:
        100 Malderen Road
        Greater London
        LN23 6AU
        United Kingdom

    Data validation:
        Nominet was able to match the registrant's name and address against a 3rd party data source on 10-Dec-2012
Despite Nominet claiming to verify the address, there is no such road as "Malderen Road" anywhere in the United Kingdom, and the post code of "LN23 6AU" is also completely invalid and exists nowhere in the UK. A bit of investigation shows that the site is almost a complete rip-off of a legitimate site at palmyramenorca.com.. but with different contact details.

dominioncollege.ca / "Dominion College"

Consider also dominioncollege.ca - a professional looking website billing itself as Dominion College of Canada.

Apparently, Dominion College is the "Highest Ranking Creative Arts University". But there is no such university in Canada, and the domain for this "150 year old" institution was only registered in August 2015.

Domain name:           dominioncollege.ca
Domain status:         registered
Creation date:         2015/08/14
Expiry date:           2016/08/14
Updated date:          2015/08/19
DNSSEC:                Unsigned

    Name:              PublicDomainRegistry.com Inc
    Number:            3059041
The "About Us" page gives another clue.

That is actually Old Dominion University in Virginia, United States. A completely different and wholly legitimate institution.

hkbbr.org / "Hong Kong Business Bureau Registry"

Consider hkbbr.org billing itself as the Hong Kong Business Bureau Registry..

Yet a Google search for that term returns hardly anything except content from the site itself, indicating that there is no such organisation.

The domain was registered in 2013 to an anonymous registrant. What is the point of this site? Well, it looks like it is a register of legitimate Hong Kong businesses. You can search for businesses on their online services page..

Well, it looks like a search.. but in fact it just loads results from a page www.hkbbr.org/entity/ which has an open directory.. so you can see that there are actually only 43 companies in the database. One or more of which will be fake.

Presumably this forms part of a scam where the victim has to deal with a fake company, and the scammers use this web site to try to convince the victim that they are dealing with a legitimate company.

tricountysalesmexia.com / "Tri County Sales Mexia"

Consider tricountysalesmexia.com, entitled "Tri County Sales Mexia's Premier Pre-Owned Late Model Luxury and Exotic Vehicle Dealer - Mexia | Texas"

We added up the value of the cars listed on this "Tri County Sales" site. There were 218 cars valued at around $13.2 million, or around $60,000 per car.

Their website shows plush offices..

Now, Tri County Sales is a real company and I suspect a reliable vendor of used vehicles. But in reality the company's premises look like this:

Does it look like somewhere that stocks $13 million worth of high-end exotic vehicles? Of course not. Let's take a look at one of the more notable cars on the website.

This is a pretty rare car. But look closely at the partial logo in the top left hand corner of the large photo..

It's the logo of Southlake Motorcars, where the image was stolen from..

Several of the other vehicles also turn up on other sites. You can be assured that although Tri County Sales is a real company, this website does not belong to them and is a scam.

goldwestgroup.com / "Gold West Group"

Consider goldwestgroup.com calling itself "Gold West Group"..

It's a bit vague about where it has mines, but the facility pictured at the top is the Obuasi Gold Mine in Ghana belonging exclusively to AngloGold Ashanti and no-one else.

The site itself mentions a Chile address, and the WHOIS details are consistent.

Registrant Name: Manu DeSouza
Registrant Organization: Gold West Group
Registrant Street: Europa Oficinas
Registrant Street: Guardia Vieja 255
Registrant City: Providencia
Registrant State/Province: Santiago
Registrant Postal Code: 2103
Registrant Country: Chile
Registrant Phone: +56.22997704
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: webmaster@goldwestgroup.com
But AngloGold Ashanti have no operations in Chile. This site is a scam.

edichem.com / "Edible Chemical Inc"

Consider edichem.com describing itself as "Edible Chemical Inc"..

This site is riddled with spelling errors and has some comically bad photo manipulation.

The offices in the picture actually belong to a company called APAG.

Let's have a look at that so-called CEO..

"Birningham University"? Quite a typo. And that photo is of a completely different person called Peter Westenthaler.

This fake company has even gone to the effort of setting up a Facebook page at www.facebook.com/edichem.biz:

cllinternational.com / "Courier Logistics Limited"

Consider cllinternational.com calling itself "Courier Logistics Limited":

In what way is this logo meant to reflect "Courier Logistics Limited"?

It doesn't.. it belongs to the IEEE Robotics and Automation Society.

The purpose of this site appears to be to generate fake courier tracking numbers, so a victim who has ordered a product will assume that it is actually on its way. The tracking lookup seems to respond to a six-digit tracking code. The fake tracking site is on another IP, in Ireland.

steadyprivateloan.com / "Steady Private Loan"

Most of the fake companies I have found so far have zero internet footprint. This fake finance company has at least attracted a couple of complaints:

Edmond L.
Beware !!! Do not deal with TERRANCE CLARK / CLARK BRIAN of Goldmine Private Loan now with a new name "Steady Private Loan". These are scam artist.
8 months ago

Sharon Todd
I agree. We fell for their Goldmine Loan and now Steady Private Loan owe us $21,195 ...They look fantastic but do not fall for them. We are reporting them to the FBI
7 months ago

Unlike some of the other sites, this is a bit more amateurish and generic.

It claims to be based in Delaware.

The bottom line here is that there is no such corporation as "Steady Private Loan" in Delaware. This site is a scam.

madrewson.net / "Madrewson Consult"

Consider madrewson.net calling itself "Madrewson Consult". This bills itself as some sort of HR consultancy, but you can guarantee that everything it touches is fake.

There are a bunch of testimonials on the "About Us" page.

These are all attractive, well-photographed people aren't they? And they pop up in so many places. The photo of "Helen Pyzowski" turns up in a bunch of places. "Adam Smith" is a stock image. "Kristin Malie" turns up in a bunch of places. "John L. Skelley" turns up in a bunch of places. The testimonials are fake, as is this so-called company.

mobgifts.net / "Coca Cola Promo"

"Coca Cola" themed prize scams are well known (and documented on the Coca Cola corporate site) but I've never seen anyone go to the effort of creating a fake website to go with it.

There are several photos of people being handed cheques. But what is that cheque exactly?

This is someone winning a prize alright.. but for developing a mobile app, not a lottery. All the other pictures of people getting cheques are similarly bogus. There is no such thing as the Coca Cola Promo free lottery.

braincure-biotech.com / "Braincure Biotech"

Consider this so-called Taiwanese biochemistry firm, "Braincure Biotech" (braincure-biotech.com)

The site looks professional but very generic. But is it genuine? Unfortunately, the Taiwanese companies registry is in Chinese only and is quite difficult to use. So let's just Google it.

There are virtually zero references to this "company" apart from its own website. And by the time you look, probably this blog. A quick check of the body text of the site reveals that it is copied from other genuine biotech sites. This company does not exist, but presumably is there as part of an investment or employment scam.

What else is there?

Trawling through the IP address range shows many fake blogs (set up to promote goodness only knows what), some Bitcoin and make-money-fast sites and a whole load of sites that appear to be suspended. I cannot confirm a single legitimate site in this range.

Who is behind this?

Although the IP address range is owned by Interserver Inc it is allocated to a customer. However, Interserver seems to have displayed poor governance here because it not only has allocated the range to an anonymous registrant, but it has not acted on the extremely high concentration of fraudulent sites.

Looking at the range, I can see several nameservers..






ok2host.com has anonymous WHOIS details, but the other two are related:

Registry Registrant ID:
Registrant Name: Abdul Razzaq
Registrant Organization: Boldhosts
Registrant Street: Street 18 Clifton Block 8  
Registrant City: Karachi
Registrant State/Province: Sind(en)
Registrant Postal Code: 75500
Registrant Country: PK
Registrant Phone: +92.2135491130
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: info@boldhosts.com

Registrant Name: Sajid Mahmood
Registrant Organization: GroomHost
Registrant Street: Progressive Center Shahrah e Faisal  
Registrant City: Karachi
Registrant State/Province: Sind(en)
Registrant Postal Code: 75400
Registrant Country: PK
Registrant Phone: +92.215681734
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: info@boldhosts.com

Although paidhoster.com does not resolve, both boldhosts.com and ok2host.com do and are hosted on adjacent IPs of and respectively, indicating that they might be the same company. Groomhost.com is also mentioned in the WHOIS details above, and that is hosted on

It turns out that there is another IP block of hosting a variety of possibly white-label web hosts:

network:OrgName:Naeem Nasir
network:Address:Street number 18 clifton block 8
network:NetRange: -

The WHOIS details for the IP range don't give a lot of data, but we can also find the same registrant details for the domain sandhost.com:

Registry Registrant ID:
Registrant Name: Muhammad Naeem Nasir
Registrant Organization:
Registrant Street: Street  18  clifton block 8
Registrant City: Karachi
Registrant State/Province: Sindh
Registrant Postal Code: 75500
Registrant Country: Pakistan
Registrant Phone:
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: naeem.nasir@yahoo.com
The AA419 database shows several hits for this email address going back to 2011, so it seems that whoever this Pakistani web host is, they have been tolerating this activity on their network for several years, even if they are just providing hosting services rather than perpetrating fraud.


I really just skimmed the surface with my analysis here, but it is clear that the block is being used almost exclusively for fraud. Moreover, the fraud is extremely sophisticated involving things like fake business registries and couriers. It is also clear that the Pakistani web hosts apparently providing these services have been doing so for some time.

Recommended blocklist:

Saturday 28 February 2015

Fake job offer: tradeconstruction.co.uk, spoofing the legitimate Trade Construction Company LLC

This fake job offer claimed to be from a UK-based company called Trade Construction Company LLC using a website at tradeconstruction.co.uk. However, no such company exists in the UK, and this is a rip-off of a wholly legitimate US firm that is actually called Trade Construction Company LLC who are not involved in this scam at all.

From:    JOB ALERT [klakogroups@gmail.com]
Reply-To:    klakogroups@gmail.com
To:    Recipients [klakogroups@gmail.com]
Date:    27 February 2015 at 18:37

Trade Construction Company,
70 Gracechurch Street.
EC3V 0XL, London. UK

We require the services of devoted and hardworking workers, who are ready to work after undergoing enlistment training. in all sectors
as The Trade Construction Company Management intends to increase its man power base due to increasing number of customers and contract in the Company.

Available Positions


The Company Management would be responsible to pay for your Flight Ticket and Accommodation.

All other information about benefits which would be received by new employees would be given in their application process.

So if interested, kindly send your CV/Resume via email to recruitment@tradeconstruction.co.uk

You can also apply directly at.

website: http://www.tradeconstruction.co.uk
Phone: +447990402584
The tradeconstruction.co.uk site is almost a bit-by-bit copy of the genuine tradeconstruction.com website.

The difference in content is minimal, but the fake site contains the following contact details:

Office Address:
TRADE Company House
70 Gracechurch Street London
United Kingdom
Phone: +447990402584

Shop Addresses:
Office 208
3 Brindley Place
Birmingham, West Midlands
B1 2JB
United Kingdom
Fax: 225-658-8067 
These are actually the contact details for XL Insurance, who are obviously completely unconnected to this scam.

The fax number is invalid for the UK, and is actually just copied-and-pasted from the genuine site. The telephone number +447990402584  (07990 402584) is valid for the UK but it's a mobile phone number (possibly an untraceable prepay handset) so it could be anywhere.

As I said before, there is no company in the UK called Trade Construction Company and "LLC" is not a recognised type of UK company (typically they would be "Ltd", "PLC" or "LLP").

The WHOIS details for the domain are incomplete and unverified:

Domain name:


    Registrant type:

    Registrant's address:
        SOUTH ROAD
        B23 6EL
        United Kingdom

    Data validation:
        Registrant name and address awaiting validation

This is a residential area of Birmingham in the UK, but there is no house number and "Erdington" is spelled incorrectly. It certainly doesn't match the other contact addresses given.

Let's have a look at the mail headers to see if we can determine where this email actually came from.

Received: from mx.giki.edu.pk (mx.giki.edu.pk [])
    by [redacted] (Postfix) with ESMTP id 91B60ED199
    for [redacted]; Sat, 28 Feb 2015 06:29:19 +0000 (UTC)
X-ASG-Debug-ID: 1425104952-04b09a633509b40001-Ozk3QL
Received: from mail.giki.edu.pk (mail.giki.edu.pk []) by mx.giki.edu.pk with ESMTP id 6NnzvLRyt5l62CxM; Sat, 28 Feb 2015 11:29:12 +0500 (PKT)
X-Barracuda-Envelope-From: klakogroups@gmail.com
Received: from localhost (localhost.localdomain [])
    by mail.giki.edu.pk (Postfix) with ESMTP id 1127A11414ED;
    Sat, 28 Feb 2015 06:42:31 +0500 (PKT)
Received: from mail.giki.edu.pk ([])
    by localhost (mail.giki.edu.pk []) (amavisd-new, port 10032)
    with ESMTP id m27tNjcw-XxF; Sat, 28 Feb 2015 06:42:30 +0500 (PKT)
Received: from localhost (localhost.localdomain [])
    by mail.giki.edu.pk (Postfix) with ESMTP id 9E5A111414D7;
    Sat, 28 Feb 2015 06:42:30 +0500 (PKT)
X-Virus-Scanned: amavisd-new at mail.giki.edu.pk
Received: from mail.giki.edu.pk ([])
    by localhost (mail.giki.edu.pk []) (amavisd-new, port 10026)
    with ESMTP id n3YhjtqX2niQ; Sat, 28 Feb 2015 06:42:30 +0500 (PKT)
Received: from [] (unknown [])
    by mail.giki.edu.pk (Postfix) with ESMTPSA id 214E611414ED;
    Sat, 28 Feb 2015 06:42:23 +0500 (PKT)
We can definitely say that this email spent a while bouncing around the Ghulam Ishaq Khan Institute of Engineering Sciences and Technology in Pakistan. It appears that it originated from a server at which is a ColoCrossing IP suballocated to:

NetRange: -
NetName:        CC-172-245-45-0-27
NetHandle:      NET-172-245-45-0-1
Parent:         CC-14 (NET-172-245-0-0-1)
NetType:        Reallocated
OriginAS:       AS36352
Organization:   naa (NAA-21)
RegDate:        2013-06-07
Updated:        2013-06-07
Ref:            http://whois.arin.net/rest/net/NET-172-245-45-0-1

OrgName:        naa
OrgId:          NAA-21
Address:        530 W. 6th Street Suite 901
City:           Los Angeles
StateProv:      CA
PostalCode:     90014
Country:        US
RegDate:        2013-06-07
Updated:        2013-06-07
Ref:            http://whois.arin.net/rest/org/NAA-21

OrgAbuseHandle: BRBA-ARIN
OrgAbuseName:   Baker, Rusdi bin abu
OrgAbusePhone:  +1-940-238-5499
OrgAbuseEmail:  rusdi.bin.abu.bakar@gmail.com
OrgAbuseRef:    http://whois.arin.net/rest/poc/BRBA-ARIN

OrgTechHandle: BRBA-ARIN
OrgTechName:   Baker, Rusdi bin abu
OrgTechPhone:  +1-940-238-5499
OrgTechEmail:  rusdi.bin.abu.bakar@gmail.com
OrgTechRef:    http://whois.arin.net/rest/poc/BRBA-ARIN

Note that this isn't saying that this "Rusdi bin abu Bakar" is sending the email, but a customer of theirs is.
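The header walk above, as an added example that is not part of the original post: it reads the Received chain oldest hop first, converts every timestamp to UTC and reports the delay at each hop, which shows where the message sat for hours. The header text is copied from the post (IP addresses are already blank there); the function names and the 300-second threshold are assumptions.

```python
import re
from datetime import timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

# Header block as quoted in the post; addresses are blank in the source.
SAMPLE_HEADERS = """\
Received: from mx.giki.edu.pk (mx.giki.edu.pk [])
    by [redacted] (Postfix) with ESMTP id 91B60ED199
    for [redacted]; Sat, 28 Feb 2015 06:29:19 +0000 (UTC)
X-ASG-Debug-ID: 1425104952-04b09a633509b40001-Ozk3QL
Received: from mail.giki.edu.pk (mail.giki.edu.pk []) by mx.giki.edu.pk with ESMTP id 6NnzvLRyt5l62CxM; Sat, 28 Feb 2015 11:29:12 +0500 (PKT)
X-Barracuda-Envelope-From: klakogroups@gmail.com
Received: from localhost (localhost.localdomain [])
    by mail.giki.edu.pk (Postfix) with ESMTP id 1127A11414ED;
    Sat, 28 Feb 2015 06:42:31 +0500 (PKT)
Received: from mail.giki.edu.pk ([])
    by localhost (mail.giki.edu.pk []) (amavisd-new, port 10032)
    with ESMTP id m27tNjcw-XxF; Sat, 28 Feb 2015 06:42:30 +0500 (PKT)
Received: from localhost (localhost.localdomain [])
    by mail.giki.edu.pk (Postfix) with ESMTP id 9E5A111414D7;
    Sat, 28 Feb 2015 06:42:30 +0500 (PKT)
X-Virus-Scanned: amavisd-new at mail.giki.edu.pk
Received: from mail.giki.edu.pk ([])
    by localhost (mail.giki.edu.pk []) (amavisd-new, port 10026)
    with ESMTP id n3YhjtqX2niQ; Sat, 28 Feb 2015 06:42:30 +0500 (PKT)
Received: from [] (unknown [])
    by mail.giki.edu.pk (Postfix) with ESMTPSA id 214E611414ED;
    Sat, 28 Feb 2015 06:42:23 +0500 (PKT)
"""


def _grab(pattern, text):
    match = re.search(pattern, text)
    return match.group(1) if match else None


def parse_received_chain(raw_headers):
    """Return the Received hops oldest first, each with a UTC time and delay."""
    msg = message_from_string(raw_headers)
    hops = []
    # Each relay prepends its own header, so the last one is the oldest.
    for value in reversed(msg.get_all("Received", [])):
        text = " ".join(value.split())           # unfold continuation lines
        clauses, _, stamp = text.rpartition(";")  # timestamp follows the last ';'
        try:
            when = parsedate_to_datetime(stamp)
        except (TypeError, ValueError):
            when = None
        if when is not None:
            if when.tzinfo is None:               # a "-0000" zone parses as naive
                when = when.replace(tzinfo=timezone.utc)
            when = when.astimezone(timezone.utc)
        hops.append({
            "from": _grab(r"^from\s+(\S+)", clauses),
            "by": _grab(r"\sby\s+(\S+)", clauses),
            # ESMTPSA (RFC 3848) means the sender authenticated over TLS.
            "proto": _grab(r"\swith\s+(\S+)", clauses),
            "when": when,
            "delay_s": None,
        })
    previous = None
    for hop in hops:
        if hop["when"] is None:
            continue
        if previous is not None:
            # Signed on purpose: a negative value points at clock skew or forgery.
            hop["delay_s"] = int((hop["when"] - previous).total_seconds())
        previous = hop["when"]
    return hops


def slow_hops(chain, threshold_s=300):
    """Hops where the message waited longer than threshold_s seconds."""
    return [h for h in chain if h["delay_s"] is not None and h["delay_s"] > threshold_s]


def transit_seconds(chain):
    """Seconds between the first and last timestamped hop."""
    stamped = [h["when"] for h in chain if h["when"] is not None]
    return int((stamped[-1] - stamped[0]).total_seconds()) if len(stamped) > 1 else 0


if __name__ == "__main__":
    for hop in parse_received_chain(SAMPLE_HEADERS):
        print(hop["when"], hop["from"], "->", hop["by"], hop["proto"], hop["delay_s"])
```

On this sample the only slow hop is the handover from mail.giki.edu.pk to mx.giki.edu.pk, and the oldest hop was accepted over ESMTPSA.
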

Nothing about this job offer is legitimate. It does not come from who it appears to come from and should be considered to be a scam, and avoided.

Sunday 2 March 2014

Malware sites to block 2/3/14

These domains and IPs are all connected with this gang; some of them appear to be involved in malware distribution, fraud or other illegal activities. I recommend that you block these IPs and domains.

Note that some of the IPs listed below are compromised nameservers (marked [ns]) which look like they are insufficiently well locked down. There is a plain list of IPs at the end for copy-and-pasting.

world-motorhome.net    (AT&T, US)    (Ford Motor Company, US)    [ns]    (DOD, US)    [ns]    (Rackspace, US)    (Radore Veri Merkezi Hizmetleri, Turkey)    (AT&T, US)    [ns]    (AT&T, US)    [ns]    (TCE, Iran)    (Cote d'Ivoire Telecom, Cote d'Ivoire)    [ns]    (FTTH, Algeria)    [ns]    (Alibaba, China)    [ns]    (Amazon AWS, US)    (Time Warner Cable, US)    (Societe Francaise du Radiotelephone, France)    (OJSC Rostelecom Macroregional Branch South, Russia)    (C&A Connect SRL, Romania)    (UPC, Poland)    (Romtelecom, Romania)    [ns]    (Worldstream, Netherlands)    (Dmitry Davydenko / Goldhost LLC, Kazakhstan)    (Quadranet Inc, US)    (Argon Data Communication, Indonesia)    (William Allard / AT&T, US)    (Societe Francaise du Radiotelephone, France)    (LG DACOM Corporation, Korea)    (Hichina Web Solutions, China)    (University of Minnesota, US)    [ns]    (DigitalOcean Cloud, Singapore)    (Bradler & Krantz, Germany)    (IDD Information Services, US)    [ns]    (North Carolina Research and Education Network, US)    (Digital Ocean, US)    (Munich Reinsurance America Inc, US)    [ns]    (The Dow Chemical Company, US)    [ns]    (Bharti Cellular Ltd, India)    [ns]    (Cyber Internet Services Pakistan, Pakistan)    (Radore Veri Merkezi Hizmetleri, Turkey)    (HOST1FREE at Brazil, Brazil)    (SingleHop, US)    [ns]    (Salay Telekomunikasyon Ticaret Limited Sirketi, Turkey)    (FMG Macabuense com serv distrib ltda-me, Brazil)    [ns]    (Locaweb Serviços de Internet S/A, Brazil)    (Global Village Telecom, Brazil)    (OVH, France / DoHost, Egypt)    [ns]    (Transtelecom CJSC, Russia)    (Biznes-Host.pl, Poland)    (blue-infinity, Switzerland)    [ns]    (KRNIC, Korea)    (Choopa LLC, US)    (Vox Telecom, South Africa)    (Chinanet Guangxi Province Network , China)    [ns]

Sunday 16 February 2014

"Account Credited" / TTCOPY.jar spam

This spam email comes with a malicious .JAR attachment:

From:     Tariq Bashir muimran@giki.edu.pk
Reply-To:     Tariq Bashir [ta.ba@hot-shot.com]
Date:     15 February 2014 11:03
Subject:     Account Credited

Dear Sir,

I am sorry for my late response; our bank has credited 50% of Total amount on invoice to your bank account, the balance will be paid against BOL.

Find attached Bank TT  and update us on delivery schedule.


Tariq Bashir
Remal Al Emarat Travel & Tourism L.L.C.
Al Muteena Street, Salsabeel Building, 103
P.O. Box 56260, Dubai, UAE
Tel: +971 4 271 54 06
Fax: +971 4 271 50 65
Mobile: +971 50 624 62 05
e-mail: ta.ba@hot-shot.com

The spam email originates from (mail.giki.edu.pk) and comes with a malicious attachment TTCOPY.jar which is a Java application. This has a VirusTotal detection rate of 12/50 and the Malwr analysis reports an attempted connection to clintiny.no-ip.biz on (GloboTech, Canada / MaXX Ltd, Germany).

Although this is an unusual threat, Java attacks are one of the main ways that an attacker will gain access to your system. I strongly recommend deinstalling Java if you have it installed.

I can find two highly suspect IP blocks belonging to MaXX Ltd which I recommend blocking, along with the domains specified below:

Thursday 7 November 2013

Fake "Financial Times Survey Team" spam / ft-survey.com and AlfainHost

This fake Financial Times spam is a bit of a mystery:

From: The Financial Times [mailto:ft448516@surveymonkey.com]
Sent: Thu 07/11/2013 18:58
Subject: We value your opinion and we need your help

Dear British businessman,

We at the Financial Times are doing a survey among British business owners and managers regarding Euroscepticism.

As you are currently aware David Cameron on Monday confronted critics in his party who want to withdraw from the EU and close Britains borders, arguing there was no use hiding away from the world. And a lot more will follow.

We are contacting as many subscribers and people who commented on our business related articles to ask for their own opinion.

If you would like to be heard and help us build an article that will be on the first page in the next few weeks please help us.

Send us an E-mail at eu@ft-survey.com with the following information:

If your business is connected by import or export with the European Union, if it is Export please add us a few more details like what do you sell, or the services you provide;
What countries do you trade within the European Union;
Your opinion on Euroscepticism and the effect it has on your business;

Thank you so much for your help and contribution.

The Financial Times Survey Team,
There are no links in the email apart from a mailto: for the email address, and there are no attachments. The email was sent to a UK user and concerns a matter specific to people in the UK, so it appears to be targeted in some way.

So, what's wrong with this email? Let's start by looking at the domain ft-survey.com which was registered just one day ago on 6th November to a registrant using the Panamanian privatewhois.net service to hide their details. The real Financial Times site at ft.com clearly identifies its owner. If you visit ft-survey.com (not recommended) then you get a 302 redirect to the legitimate ft.com website.

Next, ft-survey.com is hosted and receives mail on which nominally belongs to some outfit called Sharktech in Las Vegas, but is actually suballocated to a customer in Pakistan:

%rwhois V-1.5:003eff:00 rwhois.sharktech.net (by Network Solutions, Inc. V-
network:Address:Clifton Court #16
network:NetRange: -
network:OrgAbuseName:ABUSE department
network:OrgNOCName:Network Operations Center
network:OrgTechName:Tim Timrawi

It would be unlikely that the Financial Times would be using such a small outfit. Furthermore, appears to contain a number of scam domains that look like phishing or money mule recruitment sites, as indeed does the entire block.. more of which below.

The email headers are also suspect, and appear to show an originating IP of (A Digi Ltd Customer in Hungary) mis-using a PHP script on rockyourworldsummit.com (Unified Layer, US) which then bounces mail through a mailserver on (also Unified Layer).

Received: from oproxy14-pub.mail.unifiedlayer.com (HELO oproxy14-pub.mail.unifiedlayer.com) (
  by [redacted] with SMTP; 7 Nov 2013 18:59:02 -0000
Received: (qmail 24735 invoked by uid 0); 7 Nov 2013 18:59:00 -0000
Received: from unknown (HELO box487.bluehost.com) (
  by oproxy14.mail.unifiedlayer.com with SMTP; 7 Nov 2013 18:59:00 -0000
Received: from localhost ([]:41772 helo=box487.bluehost.com)
    by box487.bluehost.com with esmtp (Exim 4.80)
    (envelope-from <bigspark@box487.bluehost.com>)
    id 1VeUnD-0006y7-Se
    for [redacted]; Thu, 07 Nov 2013 11:58:59 -0700
Date: Thu, 07 Nov 2013 11:58:59 -0700
To: [redacted]
Subject: We value your opinion and we need your help
X-PHP-Script: www.rockyourworldsummit.com/wp-content/editor/help-text.php for
From:  The Financial Times <ft448516@surveymonkey.com>
Reply-To: <ft448516@surveymonkey.com>
Message-ID: <c06381c27d6d17e9f0e266ea45bae788@live.com>
MIME-Version: 1.0
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-Identified-User: {:box487.bluehost.com:bigspark:box487.bluehost.com} {sentby:program running on server}
X-OriginalArrivalTime: 07 Nov 2013 19:03:53.0922 (UTC) FILETIME=[1A3BE220:01CEDBEC]
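A triage pass over the header block above, as an added example that is not part of the original post: it compares the From domain with the envelope sender and the Message-ID domain, and flags mail that a web script generated. The header text is copied from the post (addresses are already blank there); the function names, flag names and the two-label domain comparison are assumptions, and production code would use the Public Suffix List instead.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Header block as quoted in the post; addresses are blank in the source.
SAMPLE_HEADERS = """\
Received: from oproxy14-pub.mail.unifiedlayer.com (HELO oproxy14-pub.mail.unifiedlayer.com) (
  by [redacted] with SMTP; 7 Nov 2013 18:59:02 -0000
Received: (qmail 24735 invoked by uid 0); 7 Nov 2013 18:59:00 -0000
Received: from unknown (HELO box487.bluehost.com) (
  by oproxy14.mail.unifiedlayer.com with SMTP; 7 Nov 2013 18:59:00 -0000
Received: from localhost ([]:41772 helo=box487.bluehost.com)
    by box487.bluehost.com with esmtp (Exim 4.80)
    (envelope-from <bigspark@box487.bluehost.com>)
    id 1VeUnD-0006y7-Se
    for [redacted]; Thu, 07 Nov 2013 11:58:59 -0700
Date: Thu, 07 Nov 2013 11:58:59 -0700
To: [redacted]
Subject: We value your opinion and we need your help
X-PHP-Script: www.rockyourworldsummit.com/wp-content/editor/help-text.php for
From:  The Financial Times <ft448516@surveymonkey.com>
Reply-To: <ft448516@surveymonkey.com>
Message-ID: <c06381c27d6d17e9f0e266ea45bae788@live.com>
MIME-Version: 1.0
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-Identified-User: {:box487.bluehost.com:bigspark:box487.bluehost.com} {sentby:program running on server}
X-OriginalArrivalTime: 07 Nov 2013 19:03:53.0922 (UTC) FILETIME=[1A3BE220:01CEDBEC]
"""


def domain_of(address):
    """Lower-cased domain part of an address or Message-ID, or ''."""
    if "@" not in address:
        return ""
    return address.rsplit("@", 1)[1].strip("<> \t").lower()


def org_of(domain):
    """Simplification: treat the last two labels as the owning domain."""
    return ".".join(domain.split(".")[-2:])


def triage_headers(raw_headers):
    """Extract the identity fields and list the inconsistencies between them."""
    msg = message_from_string(raw_headers)
    from_domain = domain_of(parseaddr(msg.get("From", ""))[1])
    message_id_domain = domain_of(msg.get("Message-ID", ""))

    # The envelope sender is recorded by the first MTA that took the message.
    envelope_domain = ""
    for received in msg.get_all("Received", []):
        match = re.search(r"envelope-from\s+<([^>]+)>", received)
        if match:
            envelope_domain = domain_of(match.group(1))
            break

    # Some shared hosts stamp the generating script into X-PHP-Script.
    script_value = (msg.get("X-PHP-Script") or "").split()
    script = script_value[0] if script_value else None

    flags = []
    if script:
        flags.append("web-script-origin")
    if from_domain and envelope_domain and org_of(from_domain) != org_of(envelope_domain):
        flags.append("from-envelope-mismatch")
    if from_domain and message_id_domain and org_of(from_domain) != org_of(message_id_domain):
        flags.append("from-message-id-mismatch")
    # Host-specific header seen in this sample; other providers differ.
    if "sentby:program" in (msg.get("X-Identified-User") or ""):
        flags.append("host-reports-program-sender")

    return {
        "from_domain": from_domain,
        "envelope_domain": envelope_domain,
        "message_id_domain": message_id_domain,
        "script": script,
        "script_host": script.split("/", 1)[0] if script else None,
        "flags": flags,
    }


if __name__ == "__main__":
    for key, value in triage_headers(SAMPLE_HEADERS).items():
        print(f"{key}: {value}")
```
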

The domains hosted on look rather phishy and spammy; download the report here in a CSV file. WOT ratings indicate low trustworthiness, Google has identified a number of malware and phishing sites and the SURBL codes also indicate some spam and malware. However, a look at some of the domains in use will leave you in no doubt that there are a large number of phishing domains hosted in this block. I would strongly recommend that you block it.

Quite what the point of this spam is I do not know, however I suspect that answering the so-called survey will open you up to other attacks including spear phishing.

Friday 18 October 2013

Malware sites to block 18/10/2013

These IPs and domains are associated with this spam run. Some of these servers have been compromised for some time by the looks of things. There's a plain list for copy-and-pasting at the end. (Compact Information Systems / AT&T, US) (Hetzner, South Africa) (Intergenia, Germany) (Clodo-Cloud / IT House, Russia) (RapidDSL & Wireless, US) (F G Wilson / AT&T , US) (TOV Adamant-Bild, Ukraine) (Netinternet , Turkey) (NTT Communications, Japan) (Chunghwa Telecom, Taiwan) (Chunghwa Telecom, Taiwan) (NTT America, US) (TANET, Taiwan) (Uclix, India) (Alestra, Mexico) (TSKL, Kiribati) (MYREN, Malaysia) (PhetchaboonHospital, Thailand) (Commission For Science And Technology, Pakistan) (Prox Communicator, Japan) (Hoster.KZ, Kazakhstan) (RackSRV Communications, UK) (Wien Energie, Austria) (BBC Cable, Bulgaria)

hankoksuper.ru is now active on those same IPs.