Sponsored by..

Thursday, 9 April 2009

"Body parts" murder

One mystery gripping this part of the UK is the mysterious "body parts" murder, where part of a dismembered victim have been left near the roadside in several locations: Wheathampstead, Puckeridge and Cottered in Hertfordshire and the head was dumped in Asfordby, Leicestershire.

Given that the Puckeridge part was reportedly left by the northbound carriageway, that gives a clue as the the direction that the "dumper" was travelling. And making an assumption that the head was the last part to be dumped because it was the furthest away from the others, then you can take these four data points and plot them into Google Maps.

You can see more here. Of course, speculation is just that, but if does appear that the dumper did a loop around Hertfordshire perhaps near the A414, A10, A507 and then drove up the A1 for about an hour before turning off. Yes, there's a technology aspect here - a tool like Google Maps makes it very easy to visualise this sort of data.

OK, this is all pretty gruesome and don't forget that someone has lost their life. But there's a grim fascination as to where the next discovery will be. Will that fit into the pattern?

Wednesday, 8 April 2009

secretdesiresuk.com spam

Yuck.

Subject: SecretDesires - The Ultimate Social Networking for Singles and Couples
From: "Secret Desires"
Date: Wed, April 8, 2009 5:25 pm

Are you a couple or single looking for FUN??

Worldwide Coverage with Audio and Video Cam Chat Rooms!

Virtual Kisses and Profile Voting!

Profile Pictures and Videos!

Massive Video Database growing Daily!

Come and Enjoy the Ride!!

You must add at least one valid profile picture to remain a FREE member!!

Secret Desires - What's Yours??
Originating IP is 78.145.126.63, secretdesiresuk.com is hosted on 174.132.193.251. The domain is registered to HostGator rather than the actual registrants, who are..


Debbie 'n' Paul. They say: "SecretDesiresUK is the culmination of 3 years of false starts and hard work by Debbie and Paul, of Orion Network Designs. We are both Swingers and have worked in the Adult Industry long enough to understand exactly what people want from an Adult Social Networking Site."

What? Like spam?

Let's log in. No confirmation of email address is needed. Bad luck Mr President.

67 members. And yes, the photograph gallery shows plenty of "members". Including some nudie shots of Debbie 'n' Paul. Yuk.

I'm not prudish, and frankly I believe that consenting adults should be able to get on with whatever they want to in private. But spamming this crap out at random is just going to get the wrong kind of attention.

If you get one of these, forward the email to security -at- hostgator.com.

Saturday, 4 April 2009

luxgroupnz.com / LuxGroup scam

There are lots of legitimate ocmpanies with the name LuxGroup or Lux Group or something similar. This particular fake "LuxGroup" uses the domain luxgroupnz.com to push some sort of fraudulent job offer, probably a money mule or some other criminal activity.

Subject: A better career with LuxGroup

Good Day,

Major International Company is ready to offer you part(1-2 hours a day) and full time(5-8 hours per day) job in the USA. If you are interested, get back to us by email and send your resume or a short description of your former activities. Excellent career growth perspectives and merited salary.

For more info about terms, conditions and financial remuneration, get back ONLY to our corporative email address below: advjob@luxgroupnz.com

With regards,
Lux Group, Hiring Department
The luxgroupnz.com domain was registered on April 1st 2009 through XIN NET TECHNOLOGY CORPORATION to:

Name : Michell
Organization : Michell
Address : 56/2 Sun str.
City : Dallas
Province/State : beijing
Country :
Postal Code : 85230
Phone Number : 86--56343365
Fax : 86--56343365
Email : Michell.Gregory2009@yahoo.com

Site is hosted on 222.73.37.250, name services are proved by NS1.CHOSTSERVICE.COM and NS2.CHOSTSERVICE.COM. Other domains hosted on that server are:

  • A-finance.net
  • A-finance.org
  • Aiminfo.info
  • Careertrip.cn
  • Danunafig.ru
  • Dessgif.com
  • Hot-jobster.cn
  • I-love-pets.ru
  • Icm-mail.biz
  • Icm-network.net
  • Isearchword.info
  • Itellu.info
  • Itellu.ru
  • Lastyp.ru
  • Mountain-travel.ru
  • Mycotteges.ru
  • Oceananswers.info
  • Oceanofsearches.info
  • Pinigeliai.com
  • Temp-biz.cn
  • U-search.info
  • Yadrenamat.ru
  • Yaponamat.ru
Some of these other domains have also been used for fraudulent offers.

If you get one of these ignore it.

Friday, 3 April 2009

Hostfresh dead?

Sandi reports that Hostfresh has been de-peered, the latest organized criminal web host to be removed from the interwebs.

This Hong-Kong based outfit provided the back end hosting for malware infections including early versions of Conficker. It has been increasing apparent that they are basically an outpost of the Russian Business Network.

Hostfresh-hosted domains have scattered, but it probably won't be long until they find another RBN-friendly host that doesn't know what happened to Atrivo, McCole, Ukrtelegroup and Estdomains.

Thursday, 2 April 2009

BlizzardImageHosting.com - possible Joe Job

We have an email trap that seems to be hit exclusively by a low number of Waledac related spam (fake "terror reports", pharma spam, penis enlargement etc). We know that this particular address was harvested from a compromised PC, so the only people who have the address are the Bad Guys.

Unexpectedly then, the following email turned up:

From: (removed)
Sent: 01 April 2009 20:33
To: (removed)
Subject: Free Image Hosting

BlizzardImageHosting.com is a new leader in online image & photo hosting,
portfolios, and slideshow creation. We offer features you wont find
at other image hosting sites and we offer it FOR FREE!

- Upload Unlimited Images
- Share Images With Anyone and Anywhere
- Get Gigabytes of Monthly Bandwidth

and much more...

Sign up now!
http://blizzardimagehosting.com/index.php

(c) 2003-2009 Blizzard Image Hosting All Rights Reserved

So, my initial thoughts were that blizzardimagehosting.com were in league with the bad guys. Let's check out their WHOIS details:

Marquee, Media Networks webmaster -at- marqueemediaonline.com
Marquee Media Networks
6741 Sprinkle Road, Ste 293
Portage
MI
49002
US
Phone: +1.2694929957
Fax: +1.2694929958
The address is actually a branch of PakMail, but that probably means in this case that Marquee Media Networks rents a post box. The WHOIS details for marqueemediaonline.com indicate a name of Christopher Maher. So do these WHOIS details look suspicious? Not really. Usually, Waledac related domains come with WHOIS details that indicate telltale traces in China or Russia, the details for blizzardimagehosting.com are not inherently suspicious.

Marquee Media operates a web server at 216.17.107.72, which contains an ill-advised mix of adult sites and general interest sites (porn sites and fishing on the same server?) all the WHOIS details are consistent, and there seems to be nothing illegal going on.

Here's the thing - nothing at all about blizzardimagehosting.com fits the Waledac profile. This seems to be a small business running out of Illinois, nothing more. At a best guess, Marquee Media has somehow displeased the Waledac gang, either through something to do with adult content or web hosting.

So.. if you get a spam for blizzardimagehosting.com then treat it with scepticism, and as far as I am concerned this company is probably not guilty of this spam run and instead it looks like a Joe Job.

Friday, 27 March 2009

"Shanghai QiPeng Network Information Technology" / "Sopper Investment Co. LTD"

This particular pitch has been around for a long time - a domain name registrar (or reseller) who is "checking" about a domain registration that might infringe on your trademarks. Of course, registrars are not responsible for checking trademarks (can you imagine how complicated and expensive the process would be!)

Usually this approach is an attempt to get you to register useless domain names at inflated prices.. and in all probability these domain names they are warning about will never even be registered. If you really are concerned, then register them through a reputable registrar, else you are best off ignoring it.

Subject: Domain Issues for "[redacted]"
From: "Ramon zhang"
Date: Fri, March 27, 2009 9:20 am

If you are not the person who is in charge of this, please forward to the right person/department. Thank you)

Dear CEO,

We , a registrar organization in China, have something to check with you. We received an application today One South Korea company called " Sopper Investment Co. LTD" is applying for "[redacted]" as internet brand and following Asian/.CN domain names to use.
[redacted].com.tw
[redacted].hk
[redacted].in
[redacted].net.cn
[redacted].org.cn
[redacted].tw

After our initial checking, we found the internet brand and keyword of these domain names are as same as your company¡¯s.Because of it involves your company's intellectual property, so we need to check this with your company. If the aforesaid company is your subsidiary company or your business partner, please DO NOT reply us, we will approve the application automatically. If you have no any relationship with this company, please contact us within 7 workdays. If out of the deadline, we will approve the application submitted by "Sopper Investment Co. LTD" unconditionally.
Look forwarding to hearing from you.Thanks.

Best Regards,

Ramon Zhang
Leader Checker
Shanghai QiPeng Network Information Technology Co.,Ltd
Tel£º +86-21-6992-9440 Fax£º +86-21-6992-9447

Postal Code£º 200063
website:http://www.qipeng.org.cn


Shanghai QPNIC Web Property Solutions Limited is a comprehensive company engaged in the Internet intellectual property services that mainly provides network-based service, network intellectual property service.
Company objective: The good faith first, the customer is supreme.

The same approach can be seen here and here.

Thursday, 26 March 2009

dns@nisource.com Joe Job

NiSource is a US electricity and gas provider. This spam appears to be a Joe Job aimed at the DNS support mailbox at that company. In this case the originating IP is 166.156.53.33.

From: Mabel Mcdaniel [mailto:dns@nisource.com]
Sent: 26 March 2009 14:55
To: [redacted]
Subject: Replica Watches

A lot of brands, 100-300 usd.
Mail to order: dns@nisource.com

Since the email is soliciting replies via email, it is most likely a revenge attack for something or other.

Monday, 23 March 2009

Video: Beware of the Monkeys

Don't give the monkeys a socket set (source: IET)

songmeanings.net compromised?

songmeanings.net is a popular and relatively crud-free lyrics site that attracts millions of visitors a year. Alexa ranks it as about the 5000th most popular site in the world (dynamoo.com ranks in at about 290,000).

Unfortunately, the email database at songmeanings.net appears to have been compromised and the email addresses are now receiving "Canadian Pharmacy" spam routed via spaces.live.com. It is unknown if any other details have been taken, in all likelihood this is probably a trojan that has taken email addresses only.

(They are not the only one. Tradedoubler is an advertising network that has been similarly compromised).

Pozde.com domain valuation scam

A copy of the recent Pedma.com domain appraisal scam, this time with the name pozde.com. The pitch is something similar to the following:

Dear sir,

we are interested to buy your domain name [REDACTED] and offer to buy it from you for 70% of the appraised market value.

As of now we accept appraisals from either one of the following leading appraisal companies:

sedo.com
pozde.com
moniker.com
accuratedomains.com

If you already have an appraisal please forward it to us.

As soon as we have received your appraisal we will send you our payment (we use Paypal for amounts less than $2,000 and escrow.com for amounts above $2,000) as well as further instructions on how to complete the transfer of the domain name.

We appreciate your business,

Thanks,

P. Jackson
Pozde.com is the fake appraisal site, and because it is cheaper than the others (which are legitimate) there's a chance you will try to use it. Although this time they have remembered to give you a box to specify your domain (they didn't with the old version), you should be under no doubt that this is an attempt to defraud.

The WHOIS entry for pozde.com is a crude fake:

Registrant:
Richard Smith
563 queen st
bruckberg, er 54767
Iceland

Domain Name: POZDE.COM
Created on: 19-Nov-08
Expires on: 19-Nov-09
Last Updated on: 20-Mar-09

Administrative Contact:
Smith, Richard admin@bizing.biz
563 queen st
bruckberg, er 54767
Iceland
+1.9024312570 Fax --

Technical Contact:
Smith, Richard admin@bizing.biz
563 queen st
bruckberg, er 54767
Iceland
+1.9024312570 Fax --

Domain servers in listed order:
NS1.IPNAMES.NET
NS2.IPNAMES.NET
In fact, it is actually registered to:

Registrant:
Manuel Fichter
38 Matthew Drive
Hammonds Plains, NS B4B 1T8
Canada

Domain Name: POZDE.COM
Created on: 19-Nov-08
Expires on: 19-Nov-09
Last Updated on: 05-Mar-09

Administrative Contact:
Fichter, Manuel admin@bizing.biz
38 Matthew Drive
Hammonds Plains, NS B4B 1T8
Canada
9024312570 Fax --

Technical Contact:
Fichter, Manuel admin@bizing.biz
38 Matthew Drive
Hammonds Plains, NS B4B 1T8
Canada
9024312570 Fax --
You should also consider the domains tysoo.com (recently bought by Manuel Fichter) and dexpay.com as suspect, because it seems that there is a pattern emerging here.

So why is it a scam? Pedma.com was definitely a scam - when you sent off your PayPal payment there was no way to specify what you wanted appraising, the fact that Pozde.com has added this in is immaterial. The WHOIS entry is fake (the registrant is in Canada, not Iceland).

Site is hosted on 124.217.231.173 in Kuala Lumpur. Send abuse reports to abuse -at- piradius.net.

If you feel that you have been defrauded and you live in Canada, you can file a complaint with the RCMP.

Added: some other domains to watch out for, owned by the same person are:

  • veecs.com
  • grooc.com
  • usbabes.info
  • tysoo.com (being transferred)
  • dexpay.com
  • bizing.biz
  • fastbooster.com
  • moviesforme.org
  • casinocrew.com

Tuesday, 17 March 2009

pedma.com domain appraisals?

From time-to-time I get a unsolicited offers to buy domains that I hold, so it isn't wholly unexpected to get the occasional email about them. Here's one that came in today:

Subject: Regarding your domain [REDACTED].COM
From: "James Johnson" j.johnson98@rocketmail.com

Hello,
I came across your domain name [REDACTED]COM and I would be interested in buying it from you.
Here is my offer, you have to send me a professional appraisal from one of the following companies. and I will pay you 85% of the appraised price.
For payments under $2000 I prefer to use paypal. And for larger amounts of money I prefer if we used escrow.com

I accept appraisals from any of these companies:

-sedo.com
-pedma.com
-accuratedomains.com

If you already have an appraisal from one of those companies please forward it to me, and we will do business.

Regards,
James Johnson
For reference, the relevant mail headers are:

Received: from eatfire.nexcess.net (208.69.122.200)
by [redacted] with SMTP; 17 Mar 2009 10:07:22 -0000
Received: (qmail 10697 invoked by uid 108); 17 Mar 2009 10:06:16 -0000
Received: from unknown (HELO LYNKSIS) (admin@1nb0x.com@174.133.179.205)
by eatfire.nexcess.net with ESMTPA; 17 Mar 2009 10:06:16 -0000
From: "James Johnson"
Subject: Regarding your domain [redacted]
To: [redacted]
Well, my spidey sense started to tingle. The domain in question is not great and I'm really holding it for a future project that I haven't gotten around to. So I have certainly never had it professionally appraised.

So, let's say that I'm interesting in selling this domain and want to get a professional appraisal. Sedo charge $29, Accurate Domains charge $27 and Pedma charges $22.95. What's more, Pedma promises to refund your appraisal money or buy the domain itself if you don't sell it within 6 months.

Pedma looks like the best option. But who are they exactly?

Here's the thing - there is almost nothing about them in Google. It looks like they have been in the domain appraisal business for hardly any time at all. So isn't it odd that they are being recommended?

Let's look at the WHOIS details:

Registrant:
Billy McDOW
366 Kingswood Dr
Bedford, Nova Scotia B4B 1T8
Canada

Domain Name: PEDMA.COM
Created on: 01-Jul-08
Expires on: 01-Jul-09
Last Updated on: 12-Mar-09

Administrative Contact:
McDOW, Billy support@pedma.com
366 Kingswood Dr
Bedford, Nova Scotia B4B 1T8
Canada
9024950112 Fax --

Technical Contact:
McDOW, Billy support@pedma.com
366 Kingswood Dr
Bedford, Nova Scotia B4B 1T8
Canada
9024950112 Fax --

Domain servers in listed order:
NS1501.HOSTGATOR.COM
NS1502.HOSTGATOR.COM
It's hard to say if the details are genuine or not, but it certainly isn't an obvious fake. But a few days ago, pedma.com was registered to someone else:

Registrant:
Manuel Fichter
38 Matthew Drive
Hammonds Plains, NS B4B 1T8
Canada

Domain Name: PEDMA.COM
Created on: 01-Jul-08
Expires on: 01-Jul-09
Last Updated on: 05-Mar-09

Administrative Contact:
Fichter, Manuel admin@bizing.biz
38 Matthew Drive
Hammonds Plains, NS B4B 1T8
Canada
9024950112 Fax --

Technical Contact:
Fichter, Manuel admin@bizing.biz
38 Matthew Drive
Hammonds Plains, NS B4B 1T8
Canada
9024950112 Fax --

Domain servers in listed order:
DNS53-1.NEXCESS.NET
DNS53-2.NEXCESS.NET
About the same time, the IP address of pedma.com changed from 208.69.122.200 to 174.132.194.58. Now, the 208.x.x.x address was mentioned a few days ago on another blog for questionable domain practices, so you might suggest that this is not a coincidence.

The site itself seems to be free of malware, so poking around at the pedma.com site reveals a few other interesting things.

Click through to the Contact page:

The following contact details are listed:

20 Crawford Street
London
W1H 1PJ
United Kingdom

Email: support@pedma.com
It looks like this may be an accommodation address or perhaps a virtual office of some sort, probably located above a shop [sorry, IE required]. Definitely not Canada. (Update: it looks like a branch of Mail Boxes Etc thanks to Google's new UK streetview.)

Clicking through on the "Buy Now" link takes you to a PayPal page, also mentioning Canada:


The payee is "Unique Desktop". Whoever they are. This is one of the weakness of PayPal - I don't really have an idea who I am dealing with here. I don't advise that you pay them anything, indeed there is no part of the payment process that actually specified what domain you want appraising or your contact details.

A further clue that something is wrong comes from their "Service" page which contains the following text:


How much is your domain really worth? An expert evaluation of a domain name's value is critical intelligence for domain buyers and sellers looking to determine a fair market price. An appraisal is your first step to making a great sale!

Every appraisal individually researched by domain industry pros, because no software is a substitute for real-world experience.

Your domain name could be worth thousands of dollars and may even be tax deductible!

Join many others who discovered what their domains were worth using our Domain Name Appraisal Service! Your domain will be appraised based on a number of separate factors including marketability, brand recognition, unique type in traffic, and comparison with other domain name sales. In addition to the following criteria:

* TLD Value
* Length
* Hyphen
* Web Frequency
* Search Frequency
* Industry Value

After you make your first purchase we will email you your Pedma Account log in information. Once you are logged in, you will find all your domain appraisals neatly organized (including appraisal reports, and appraisal banners). We make it easy to keep track of all your appraisals!
In fact, the majority of this text is stolen directly from Sedo and Moniker - it's a straight copy-and-paste job.

So: this "appraisal" site appears to have been active for just a few days, the site content is stolen from others, the contact details on the page do not match the WHOIS, the payment process does not allow you to specify the domain to appraise and your contact details, and the IPs have recently been connected to another dubious domain name pitch.

It looks on the surface as if this is an attempt to get people to sign up for this so-called appraisal service, and nothing more. Pedma.com is certainly not a recognised or trustworthy site, so it is likely that the offer to buy the domain is similarly dubious. Of course, if you work for Pedma.com, please feel free to correct any errors in the comments section below.

If you have spent any money on the appraisal, then I would advise you to start a PayPal dispute to recover the money as there is some evidence to suggest that the original offer is not genuine.

Additional information:
a bit more research shows indicates the domain pedma.com was sold via eBay item #170253846100 in August 2008 to a member called unique*money, presumably this is Manuel Fichter.





Now, it might be that Mr Fichter sold the domain on and perhaps it is a coincidence that the new owner lives in the same area and has used exactly the same telephone number. Note that the seller "bargaindomains" is a reputable eBay seller who just sold the domain on in August.

About the London address: there is no company by the name of "Pedma" operating in the UK, according to Companies House.

The PayPal billing name of "Unique Desktop" is connected with the domain "fastbooster.com". The terse WHOIS details for that mention an email address of willyfichter@googlemail.com, but earlier last year it had a rather more full domain description:

Owner Contact:
Willy Fichter
Immo-World24 Limited
Am Soeldnermoos 17
Hallbergmoos, 85399, DE

Punycode Name: fastbooster.com
Unicode Name: fastbooster.com

Admin Contact
Willy Fichter

willyfichter@googlemail.com
Am Soeldnermoos 17
Hallbergmoos, 85399, DE
phone: +49 89381684552

Technical Contact
Hostmaster Strato Rechenzentrum
Cronon AG Professional IT-Services
hostmaster@cronon-isp.net
Emmy-Noether-Str. 10
Karlsruhe, D-76131, DE
phone: +49 72166320305

Zone Contact
Hostmaster Strato Rechenzentrum
Cronon AG Professional IT-Services
hostmaster@cronon-isp.net
Emmy-Noether-Str. 10
Karlsruhe, D-76131, DE
phone: +49 72166320305

Record expires on: 2009-05-04 20:35:24

Domain servers in listed order:

shades02.rzone.de
docks18.rzone.de

It is hard to be 100% certain who is sending out these "offers". But at a guess, one of these Mr Fichters might have an idea.

Update:
pedma.com has been suspended by HostGator. Yeay.



Another update (18/3):
The owner of pedma.com is now desperately trying to punt the domain name on Sedo for $1000, which is a bit rich considering that he ripped off Sedo's text for the fake appraisal site!


Friday, 13 March 2009

Adobe9.0-PDF.com

Here's an oddity when typing "Adobe" into Google.

The first ad refers to a web site called Adobe9.0-PDF.com - that's not Adobe, surely?


Nope.. it doesn't look like Adobe. Let's scroll down a bit


The bit at the bottom is interesting:


All tademarks and copyrights are used for comparison and/or compatibility purposes only and are the property of their respective owners. This website has no affiliation whatsoever with the owner of this software program and does not re-sell or license software. All software is freeware and/or shareware with the understanding that the user may need or want to pay for it later. Membership is for unlimited access to our site's resources. We provide an organized website with links to third party freeware and shareware software, technical support, tutorials and step by step guides.
To cut a long story short, you have to pay to download this free software (this is for "support").. of course you could just download it directly from Adobe.

So, this is kind of curious. Who's running this site? A look at the WHOIS for 0-pdf.com shows an anonymous registration, so no clue there.

The site is hosted on 208.118.54.244 along with several others:

  • 0-pdf.com
  • 1-pdf.com
  • Burning-toolz.com
  • Downzfree.com
  • E-s0ftware.com
  • Es0ftware.com
  • Freedownloadhq.com
  • Freedownloadsnow.net
  • Grafix-viewer.com
  • Internet-callz.com
  • Mediaplayer-stop.com
  • Populartitlez.com
  • Security-bundle.com
  • Virus-tools.com
  • Xtremesoftware-ltd.com
They are all anonymous registrations apart from the last one:

Registrant: Xtreme Software Ltd.
7 Petworth Road

Haslemere,
Surrey GU27 2JB

United Kingdom

Domain Name: XTREMESOFTWARE-LTD.COM
Created on: 13-Apr-07
Expires on: 13-Apr-09
Last Updated on: 13-Apr-08
Administrative Contact:
Software Ltd, Xtreme Support@XtremeSoftware-Ltd.com
Xtreme Software Ltd.
7 Petworth Road
Haslemere,
Surrey GU27 2JB
United Kingdom
8007843167 Fax --
Technical Contact: Software Ltd, Xtreme Support@XtremeSoftware-Ltd.com
Xtreme Software Ltd.

7 Petworth Road

Haslemere,
Surrey GU27 2JB

United Kingdom

8007843167 Fax --

Domain servers in listed order:

NS1.COVERTTECHNOLOGY.NET
NS3.COVERTTECHNOLOGY.NET
NS2.COVERTTECHNOLOGY.NET


Incidentally, shuffle across a few IPs to 208.118.54.247 and there seems to be another server belonging to the same outfit.
  • 11-now.com
  • 7-now.com
  • 8-now.com
  • 8-pdf.com
  • 8-software.com
  • 8-ultra.com
  • 9-express.com
  • 9-now.com
  • 9-ultra.com
  • Anti-viruz.net
  • Antiviruz-now.com
  • Avast-hq.com
  • D0wnloadz.net
  • Download-9.com
  • Downloadcenterz.com
  • Downloadzcenter.com
  • Downloadznow.net
  • Downloadzsoftware.com
  • Dvdshrink-hq.com
  • Ed0wnloads.com
  • Esoftware-now.com
  • Irfanview-center.com
  • Irfanview-hq.com
  • Mediaplayer-hq.com
  • Panda-hq.com
  • Pdf-now.com
  • Pdf-soft.net
  • Powerdvd-7.com
  • Rarsoftware.com
  • S0ftware-now.com
  • S0ftware.com
  • S0ftwarez.com
  • Software-hq.net
  • Softwarecenterz.com
  • Swhq-cs.com
  • Tutorial-hq.com
  • Winamp-hq.com
  • Winrar-hq.com
So, it looks like a UK company - and indeed Companies House lists XTREME SOFTWARE LTD (company 05604124) at being associated with that address, but states that it is dissolved. Another company, XTREME-SOFT LTD 05723281 is listed at the same address.

Company records for Xtreme Software Ltd indicate that it was forcibly dissolved, and the director was:

DIRECTOR: SHULLICK, DAVE
Appointed: 07/11/2005
Date of Birth: (redacted)
Nationality: HUNGARIAN
No. of Appointments: 1
Address: 6434 BAY CEDAR LANE
BRADENTON
MANATEE
FLORIDA 34203
USA

Dave Shullick is also linked with the domain xtremetransactions.com and Xtreme Innovations, LLC of Ohio. Shullick and another site was mentioned in the Guardian article enetitled Money for nothing in 2006. But as the company was forcibly dissolved in December 2008, the who is running these web sites?

Xtremetransactions.com is also linked to from the Adobe9.0-PDF.com site, showing that the two are closely related.



The UK address isn't much of a clue - it belongs to a company called Fletcher Kennedy, who specialise in forming other companies. Fletcher Kennedy are nothing to do with the site, but they have fulfilled the legal role of company secretary for both "Xtreme" companies, but they appear to have terminated that relationship.

Is the other XTREME-SOFT company any relation? It's odd that they both have very similar names and the same address, but the only director listed for XTREME-SOFT LTD is in Saudi Arabia:

DIRECTOR: QUBAISI, MOHSEN
Appointed: 22/03/2006
Nationality: SAUDI
No. of Appointments: 1
Address: 31952 KOBAR STREET
SAUDI ARABIA
It's not clear if these two entities are actually related in any way.

So, here's an outfit that is hiding its details and appears to have been operating by a firm that had been forcibly dissolved. So who exactly is running it now?

Anyway, that's enough foreplay. Let's get down to the money shot. Let's say that you want to download the software, first there's a registration screen.. then you get to see what this is all about:

Yup, they're trying to stiff you with a £27 charge plus 83p per month to download a free bit of software. Goodness only knows what "download accelerator plus" is.

Here we go.. £37 for something that you can get for free. My advice? Avoid this one at all costs!



If you have paid money to this company any want a refund, this RipoffReport suggests the following:

MONEY RETRIEVED!

Don't let these people get away with what they do.

Keep on emailing them as well as the third-party that bills their accounts. I got a full refund, including the so-called $5.99 service charge.

Explore you options on the next. Report them to the internet fraud site. Contact your bank and report them. In fact, do everything that you need to do.

I did not stop, until I got everything back.
Allegedly, the contact email address is support@software-hq.net (and that domain seems to have generated a lot of complaints) but you may be better off contacting your bank if you believe that you have been misled in any way.

Thursday, 12 March 2009

Did the BBC just break the law?

The BBC's lightweight tech program "Click" took over a botnet of 20,000 machines to demonstrate the perils of zombie PCs. The BBC insists that this is perfectly legal: "If this exercise had been done with criminal intent it would be breaking the law."

So was it legal? Well, not according to the Computer Misuse Act. The BBC states that "the owners of unprotected PCs have been made aware that they are vulnerable to future attacks" and
"Click advised them on what steps to take to make their systems more secure". In fact, you can see precisely what they did on this video clip.

So.. did they just alter the data on the compromised PCs? It certainly looks like it - and because they have both gained unauthorised access to a PC and have altered information on it, then that is potentially a criminal offence under section 3 of the act.

3 Unauthorised modification of computer material

(1) A person is guilty of an offence if—

(a) he does any act which causes an unauthorised modification of the contents of any computer; and

(b) at the time when he does the act he has the requisite intent and the requisite knowledge.
Certainly the BBC carried out an unauthorised modification. But did they have the requisite intent?

(2) For the purposes of subsection (1)(b) above the requisite intent is an intent to cause a modification of the contents of any computer and by so doing—

(a) to impair the operation of any computer;

(b) to prevent or hinder access to any program or data held in any computer; or

(c) to impair the operation of any such program or the reliability of any such data.
Clearly, the BBC did not have malicious intent to carry out a) b) or c), so under UK law they are probably just about in the clear.

But that's just UK law (and they are skating on thin ice as it is). In some other countries, unauthorised access and alteration of data for any reason is likely to be a criminal offence. The BBC probably did this with good intent, but it was quite possibly an ill-advised thing to do.

Added:
Copied from the comments (thanks Joel!)

Erm... why did you miss out the important bit - which is (1):

(Computer Misuse Act 1990)

1 Unauthorised access to computer material (1) A person is guilty of an offence if—
(a) he causes a computer to perform any function with intent to secure access to any program or data held in any computer;
(b) the access he intends to secure is unauthorised; and
(c) he knows at the time when he causes the computer to perform the function that that is the case.
(2) The intent a person has to have to commit an offence under this section need not be directed at—
(a) any particular program or data;
(b) a program or data of any particular kind; or
(c) a program or data held in any particular computer.
(3) A person guilty of an offence under this section shall be liable on summary conviction to imprisonment for a term not exceeding six months or to a fine not exceeding level 5 on the standard scale or to both.

As I understand it, this means that you only have to secure access to a program or data (i.e. ANY ACCESS AT ALL) without authorisation to have acted illegally. Hence, what they have done is certainly illegal. I doubt anyone will be punished though...

Joel

El Reg is covering this here, they quote Graham Cluley of Sophos who says that he believes the BBC did break the law. It looks like there is a storm brewing.

Now, I don't think the BBC breached security to access any data. Unauthorised access to a bot application is tricky, but the question revolves around them changing the wallpaper. It was certainly ill-advised in my view.

Tuesday, 10 March 2009

PIFTS.EXE

Well, this is interesting. Users of Norton Antivirus are finding an application calls PIFTS.EXE that is try to call out. But every time anyone posts a query on the Norton support forum, it gets deleted immediately (see this search).

PIFTS.EXE appears to be a part of a patching application. The executable itself is unencrypted and contains several interesting bits of text such as:

  • http://stats.norton.com/n/p?module=2667
  • The ping url is %s PATCH021809DB
  • d:\perforce\entiredepot\consumer_crt\patchtools\patch021809db\release\PIFTS.pdb
  • SOFTWARE\Symantec\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifEngine
When run, it calls home to the following URL: http://stats.norton.com/n/p?module=2667&product=unknown&version=-1&e=-1&f=-1&g=-1&h=-1&i=0&j=-1 hosted on 67.134.208.160 at Swapdrive in Washington. Swapdrive is owned by Symantec, who make Norton.. so there's nothing suspicious there.

One odd thing is that the PIFTS.EXE executable is padded out to precisely 100KB (102,400 bytes) with a string saying "XXPADDINGPADDINGXX" several times. Presumably Symantec have their own reason for making sure that the file is exactly this length.

PIFTS.EXE appears to be contacting a statisitical tracking server, possibly to report back on the installed version. Perhaps this violates Symantec's privacy policy, perhaps it's part of the testing process that was accidentally included in the update.

Some people might say that the way Symantec is deleting posts indicates a cover-up. It is certainly suspicious, but my best guess is that there's a quality control issue here and the PIFTS.EXE process was never meant to be released.

VirusTotal gives it a clean bill of health. ThreatExpert shows that it doesn't do much except call home.

Classmates trojan: "Should I leave my Crazy Fat Wife for a younger woman?"

An unusual bit of social engineering here:

Subject: Classmates personal message: Please help me to decide which way to choose
From: "Gold - Classmates" online@groups.classmates.com

Special video report March 10, 2009
Message from your group member:

"Should I leave my Crazy Fat Wife for a younger woman? Please look video and Help me
to decide, please ........I need your help,
if possible - Write your opinion on the page wall"


Proceed to open full message text:

(removed)

Sincerely, Leslie Burks.
2009 Classmates Message Center.

If you click on the link (not advisable) you get the following page (hosted on a botnet somewhere):



You are then prompted to install and run a file called Adobemedia10.exe at which things will start to go seriously wrong.

The VirusTotal report indicates a very low detection rate for the binary (VBA32 flags it up as Embedded.Rootkit.Win32.Agent.ex). However, the ThreatExpert prognosis shows just how much damage this does, and identifies a C&C server at 58.65.232.17 which is a well-known malware server hosted by black hat hosting outfit Hostfresh.

This looks like a fairly horrible thing to try to clean up, and probably best to recover data, reformat and reinstall.

Friday, 27 February 2009

MikeCahil@gmail.com: "New Jobs"

There are several different layers of fraud and deception when it comes to offering and applying for jobs.

This particular approach is via a spam, and seems to be a deceptive way of offering cheap Indian contractors to companies. India is very much a centre for spam because of very lax laws, in this case "Mike Cahil" is offering to fill roles in a variety of fields, but why would you want to do business with a spammer in any case? Remember the Boulder Pledge.

Originating IP is 59.164.72.134, a subscriber to TATA Communications in India. The netblock is widely listed as being very spammy. A poke around at blacklists indicates that 59.164.0.0/16 is a real spam sewer, and strict mail administrators could consider blocking the entire lot.

From: "Mike Cahil" MikeCahil@gmail.com
Subject: New Jobs

Hi ,

I am doing a check with you, to see if there are any IT or Engineering jobs, I can help you today at [redacted]. I can help fill any Contractor positions or Direct-Hire positions or Contract-to-Hire positions.

Additionally, I can also help in the Accounting / HR / Sales / Management positions too.

Please do reply.

Thanks … Mike

email: [redacted]

Thursday, 26 February 2009

Strange Tripod phish

Why anyone would want to phish for a Tripod account is beyond me, but for some reason webmail accounts seem to be a target. This phish for Tripod credentials has (so far) the following subjects:

Subject: For Tripod user
Subject: Important information from Tripod Team
Subject: Tripod Confirmation Form

The rest of the email is similar to the following:

From: "Tripod Customer Service" support@support.lycos.com


Dear Tripod user!Due to technical issues, the new Tripod software release is
currently on hold. However, a series of enhancements have been made. The new
client-server protocol is one of them. Now you need to complete Tripod Confirmation
Form to update your Tripod account.Please use the link below to access Tripod
Confirmation
Form:http://www.tripod.lycos.com/adm/redirect/www/form/tripodcf.aspx?[redacted]

Sincerely,
The Tripod Team
This message has been automatically generated.
Please do not reply to this message.
For information about the Lycos Privacy Policy Please see:
http://info.lycos.com/privacy
For information about the Terms and Conditions of this service Please see:
http://info.lycos.com/legal
The "http" link is fake, underneath the real URLs are www.tripod.lycos.comttlfile.eu/adm/redirect/www/form/tripodcf.aspx?=[redacted] and www.tripod.lycos.comproftd.tw/adm/redirect/www/form/tripodcf.aspx?=[redacted]. (I have redacted tracking information).

Oddly, the .eu and .tw hosts in question do not resolve at the moment, presumably these will be registered later. A trick that spammers sometimes use is to send out the spam and THEN register the domains, in order to trick spam filters.

It's probably a phish, it could be a drive-by download. In any case, best avoided and if you HAVE entered details into one of these phishing accounts then you should change your Tripod password and the password on any other site that uses the same username / password combination.

Wednesday, 25 February 2009

SQL injection attack: telecom.dgnet.net

This seems to be an emergent threat at this moment - a number of ASP / SQL / Windows site have been hit with a SQL injection attack with the following injected Javascript: telecom.dgnet.net/images/pen.gif. Yeah it says GIF, but it isn't.

The site telecom.dgnet.net is at 121.14.137.36, this forwards to another site at www.batnigt.com/ver.htm (on obviously, do NOT visit that site) which tries to run a number of exploits on visitors PCs, including what appears to be an old ADODB.stream exploit (perhaps MS04-024), the Snapshot viewer exploit (MS08-041) and some sort of exploit for RealPlayer plus what MIGHT be an exploit for MS05-020 (but I need to look at this further). If a visitor's PC is up-to-date on Microsoft patches and does not have RealPlayer then it should probably be OK.

If you manage client PCs, then block or monitor for telecom.dgnet.net and batnigt.com. If your server has been infected with this attack then you need to clean up the database and then sanitize your SQL inputs.. try Googling for that term.

Friday, 20 February 2009

CA eTrust woes, Win32/Tnega.AC and widespead update failure

CA eTrust has thrown up a couple of problems - first a false positive identifying Win32/Tnega.AC in the setup.exe for Office 2000 Professional, with signature version 31.6.6361.0.

However, when having a poke at this it turns out that the current version is 31.6.6367 and 6361 is a few days old. A check of our distribution servers show that every single one of them worldwide failed to download version 31.6.6362 from the CA servers and fell over. This happened at around 2245 GMT on 17/2/09.

Log files are showing the following error: Error [0xc0010003] initializing redistribution job.

If you are running CA eTrust ITM, then it's worth checking that your signatures are up-to-date.

Point Focus LLC: "The offer you can not say no to!"

"The offer you can not say no to!" Really. I betcha I can. My notes are in bold.


Subject: The offer you can not say no to! ["No": just did, did you see that?]

Point Focus LLC is now expanding!

To deal with the international payments processings we are now looking for people willing to facilitate establishing of our all-round-the-globe business connections and assist saving considerably by tax disbursing reduction. This position of the Financial Assistant involves accepting payments from our Australian, UK and US ( rarer Spanish) clients to your account and resending to our partners.

You are getting paid right by the moment you cash the payment. It's the commission in amount equal to 4% out the sum posted on your account. This very amount you're deducting before sending anything out. So, estimated roughly, you can make up to 2000$ extra monthly.
[A straight money mule operation then, laundering stolen money. 4% for basically doing nothing. Except you will never actually get to keep the 4% when the police catch up with you]

Plus, you get:

- flexi-time (usually 2-3 hours a day)
- Saturdays & Sundays off [woo!]

Requirements:

- Have to be aged 21 or above
- No criminal record [don't worry, you will soon get a criminal record if you participate in this scheme]
- Regular Internet access
- Ability to accept payments using your bank account [for the transfer of stolen money, which will be nice and traceable for the cops]
- Ability to resend the money through Western Union [which is NOT traceable, and is therefore money laundering]


If feel qualified, please, attach the following info to start up with:
[information that we should have known if we were offering you a job]
- Fist Name:
- Last Name:
- Age:
- Sex:
- Country
- State, City, Zip
- Phone number (home and cell)
- Valid email address

NOTE!!!! the email address you use to contact us for the first time is: IBCGroup0@gmail.com , in the subject field put "interested".
[odd that the email address doesn't match the one you sent from]

Please, use only mentioned email address, otherwise we'll fail to receive your response.
Originating IP is 92.84.13.66 in Romania. Just say "no".

Tuesday, 17 February 2009

Weird spam #2: "BREAKING NEWS - The Pope has been discharged from his office"

A genuine "wtf" spam here:

Subject: BREAKING NEWS - The Pope has been discharged from his office
From: "Press Officer"

BREAKING NEWS

Feb. 2009 - The Pope has been discharged from his office!

Find out more at Urgent news
[http://208.91.200.49/interspire/link.php?M=00000&N=5&L=1&F=T]

Unsubscribe me from this contact list
[http://208.91.200.49/interspire/link.php?M=00000&N=5&L=2&F=T]

Powered by Interspire

The page 404s. But wait.. the email was sent from 208.91.200.49 and points to the same IP address. And the domain rcigi.com is hosted a few IPs over at 208.91.200.35.

What is rcigi.com? It calls itself the RC-Institute for Global Individuation and hides behind an anonymous domain registration. The site is either a spoof, or perhaps the domain of some religious nutters. It is hard to tell. Interesting, it is in English and German, and the way the English is written makes me think that it might be a native German speaker writing it.

The site indicates that it is run by a "Dr" Eduard Schellhammer of either Barcelona or Alicante. All the sites linking FROM rcigi.com are registered to Eduard Schellhammer, however it is possible that this is a sophisticated Joe Job and Herr Schellhammer is completely innocent. Still, all very odd.

Weird spam #1: "Warning! Virus detected"

A couple of bits of weird spam today, number one:

Subject: Warning! Virus detected

A possible virus was found in this message.
The virus name is: W32/Netskyb@MM!zip

-----Original Message-----
Hello, check my postcard!
[skipped]
--------------------------

In all cases leading to what appears to be a page on a compromised PHP-powered site, but in each case the page is coming up with a 404. Is it related to this?

Monday, 16 February 2009

UNYK.com: spam or what?

I really, really hate these contact managers that spam out invites to everyone's contacts. UNYK.com seems to be the latest of these:

Subject: Personal invitation from ****************

Hello,

This is a way to never lose contact.

Finally, a smart and simple way to manage your contacts!

With UNYK, I put all my contacts together in one address book that is automatically updated. One of my contacts changes his or her information at UNYK.com: My address book is updated. I change information at UNYK.com: My contacts’ address books are updated. Simple, but life-changing!

Can I add you as one of my contacts? To accept, click here!

You too can create your own smart address book.

Life-changing my arse.. Plaxo has been doing this for years and that's a pretty worthless application to.

If you are a corporate mail administrator, then my advice has always been to block this kind of rubbish. As you might expect, it comes with some downloads that you probably don't want to let anywhere near your users' PCs, and it is bound to generate a load of support calls asking "is this spam?" / "this looks like a good idea, doesn't it?" / "is this a virus?" / "how do I install this?" etcetera.

No, I'm not saying that UNYK.com is evil in any way, it is just that for many sysadmins this sort of stuff costs real money when the users latch onto it. The best thing to do is apply an IP block to 204.92.8.159 to 204.92.8.220, and hopefully you will never be bothered by UNYK.com again.

Friday, 13 February 2009

BitDefender: Trojan.Generic.1423603 in winlogon.exe

This looks like a false positive: BitDefender is reporting Trojan.Generic.1423603 in C:\windows\system32\winlogon.exe. This name is sometimes used by malware, but in this case no other product is detecting anything malicious.

Current pattern is for BitDefender is 2640654, pushed out on Friday 13th February (!).

I will post the ThreatExpert prognosis when I get it.. in the mean time I would suggest that you do NOT try to remove winlogon.exe as you will render your system unbootable. (NOTE: Do NOT reboot your machine as this will most likely break it!)

Update: ThreatExpert indicates that it is clean. Several comments confirm that it is a false positive. The problem seems to be on Windows XP SP3, SP2 does not seem to have the same issue. The MD5 for this file is ed0ef0a136dec83df69f04118870003e

It seems that there are several reports at the BitDefender forum. I would guess that BitDefender are aware of the problem, temporarily disabling the anti-virus scanner may be a good idea else your system may become unusable. Usually these issues are fixed in 24 hours.

Update 2:
If you can't get the winlogon.exe out of quarantine, then this is a copy of the original (English US) file for XP SP3. Use at your own risk - password is "bitdefender".
winlogon_xpsp3.zip

Sunday, 8 February 2009

Good new. Bad news.

A couple of items of interest from The Register:

OpenDNS rolls out Conficker tracking, blocking
This seems like a great idea, especially for small organisations without IDS or traffic monitoring. The problem.. well, OpenDNS has been awfully slow recently and personally I had to stop using it.

Kaspersky breach exposes sensitive database, hacker claims
This looks like a case of an insecure SQL database, leading to a potentially nasty compromise. Kaspersky isn't the first AV vendor to be shown to have poor SQL security. Trend was hit last year, as was CA. In this case, it looks like a potential data breach which is embarrassing. There's no evidence that any Kaspersky product has been compromised, but you can see that it might be possible to leverage credentials exposed in the SQL injection attack and use them elsewhere.

Thursday, 5 February 2009

Snow

It really doesn't usually snow this much around here...








Monday, 2 February 2009

Snow bear

The heaviest snowfall for a zillion years or something in the UK.. it appears to have brought out this snow bear which is lurking in the garden.


I think he's probably harmless enough.

Drive-by cloning of RFID passports

Here's a different type of drive-by attack than the usual one.. security researcher Chris Paget shows that it is possible to read RFID tages from a passing moving vehicle and clone all the information they contain.. for the price of $250 worth of kit off eBay.




UkrTeleGroup vanishes, morphs.

First some good news (via the WaPo Security Fix blog): well known black hat web host UkrTeleGroup appears to have vanished from the internet. The bad news is that seems to have morphed into a company called Internet Path which is masquerading as a US company.

Unfortunately, it does not appear that this is an Atrivo / McColo / Estdomains style situation where the bad guys are permanently shut down.. yet. But perhaps continued pressure on upstream providers might have some effect.. who knows?

Sunday, 1 February 2009

Uh-oh

No doubt the whole of the south of England will grind to a halt under this stuff, to the amusement of people who get REAL snow.. but a rear wheel drive sports car with no snow tyres is not exactly ideal for these conditions.

"Zhudian Machinery" / zhudian-m.com scam

A strange, tersely worded email from some scammer or other:

Subject: Representative Needed
From: "ZHUDIAN MACHINERY"

How would you feel to work for the Zhudian Machinery and earn good money? Contact Qi
Par via email: employment@zhudian-m.com
How would I feel? Well, alarmed and upset probably when the police kick down my door with a warrant because of the money laundering I've been doing for this so called "Zhudian Machinery".

Oddly, the domain is registered with a set of fake details pointing at the UK:

Domain name: ZHUDIAN-M.COM
Created on: 2008-11-05
Updated on: 2008-11-05
Expires on: 2009-11-05
Registrant Name: PETER LLEWELLYN-JONES
Contact: Peter Llewellyn-Jones
Registrant Address: no 43567 broad street
Registrant City: england
Registrant Postal Code: ch1 1lt
Registrant Country: GB
Administrative Contact Organization: Peter Llewellyn-Jones
Administrative Contact Name: Peter Llewellyn-Jones
Administrative Contact Address: no 43567 broad street
Administrative Contact City: england
Administrative Contact Postal Code: ch1 1lt
Administrative Contact Country: GB
Administrative Contact Email: kedenor@gmail.com
Administrative Contact Tel: +44 701 1130444
Administrative Contact Fax: +44 701 1130444
Technical Contact Organization: Technical Support
Technical Contact Name:
Technical Contact Address: Via A Ponti, 6
Technical Contact City: Bergamo
Technical Contact Postal Code: 24126
Technical Contact Country: IT
Technical Contact Email: support@register.it
Technical Contact Phone: +39 035 3230400
Technical Contact Fax: +39 035 3230312
Primary Name Server Hostname: NS1.REGISTER.IT
Secondary Name Server Hostname: NS2.REGISTER.IT

The "CH1 1LT" postcode given is the Chester Grosvenor Hotel but the rest of the address doesn't match and is clearly nonsense. The +44 701 1130444 number given looks like a UK number, but in fact it's a "follow me anywhere" number that is probably just forwarding to another number outside the UK.

Originating IP address is 206.47.199.87 which is well known for spam. Email address was harvested from a "free webspace provider".

Friday, 23 January 2009

Asprox: dbrgf.ru

Another domain to look for in SQL injection attacks is dbrgf.ru, still calling script.js. Checking your proxy logs for ".ru/script.js" is a good idea at the moment.

It might also be worth checking for the string "google-analitycs" as the attacks redirect through a subdomain containing that mis-spelled phrase.

Wednesday, 21 January 2009

Asprox: lijg.ru and dbrgf.ru

A fresh round of SQL injections seem to be on the march, with (at least) two new domains being injected into vulnerable sites: www.lijg.ru and www.dbrgf.ru, calling a script named script.js.

This script redirects through an IFRAME pointing to google-analitycs.lijg.ru, although the payload is unclear.

Including some older domains, the following list seem to be active, either calling script.js or style.js.

  • www.lijg.ru
  • www.dbrgf.ru
  • www.bnmd.kz
  • www.nvepe.ru
  • www.mtno.ru
  • www.wmpd.ru
  • www.msngk6.ru
  • www.dft6s.kz
For the record, the domain registrations are as follows:

domain: LIJG.RU
type: CORPORATE
nserver: ns2.lijg.ru. 68.4.124.142
nserver: ns5.lijg.ru. 74.129.255.164
nserver: ns1.lijg.ru. 68.6.180.109
nserver: ns3.lijg.ru. 67.38.2.113
nserver: ns4.lijg.ru. 76.240.151.177
state: REGISTERED, DELEGATED
person: Andrey G Chalkov
phone: +7 495 9385996
e-mail: chalkov@laptopmix.net
registrar: NAUNET-REG-RIPN
created: 2009.01.20
paid-till: 2010.01.20
source: TC-RIPN


domain: DBRGF.RU
type: CORPORATE
nserver: ns5.dbrgf.ru. 74.196.121.117
nserver: ns4.dbrgf.ru. 68.105.25.64
nserver: ns1.dbrgf.ru. 75.156.152.67
nserver: ns2.dbrgf.ru. 68.197.137.239
nserver: ns3.dbrgf.ru. 146.57.249.100
state: REGISTERED, DELEGATED
person: Andrey G Chalkov
phone: +7 495 9385996
e-mail: chalkov@laptopmix.net
registrar: NAUNET-REG-RIPN
created: 2009.01.20
paid-till: 2010.01.20
source: TC-RIPN

Tuesday, 20 January 2009

"Soft Fund Ltd" scam

Soft Fund Ltd is a wholly legitimate Ukrainian company. This email claims to be from Soft Fund Ltd, but isn't.

From: support.softfund@gmail.com

Hello Sir/Madam.

I Alex Feigin,
Director of Soft Fund Ltd specializes in innovative IT solutions and complex software projects development.

My company based in Ukraine. We've earned ourselves a reputation of a reliable and trustworthy partner working successfully with a number of West European companies and providing them with reliable software development services in financial and media sectors. Unfortunately we are currently facing some difficulties with receiving payments for our services. It usually takes us 10-30 days to receive a payment and clearing from your country and such delays are harmful to our business. We do not have so much time to accept every wire transfer.

That's why we are currently looking for partners in your country to help us accept and process these payments faster. If you are looking for a chance to make an additional profit you can become our representative in your country. As our representative you will receive 8% of every deal we conduct. Your job will be accepting funds in the form of wire transfers and forwarding them to us. It is not a full-time job, but rather a very convenient and fast way to receive additional income. We also consider opening an office in your country in the nearest future and you will then have certain privileges should you decide to apply for a full-time job. Please if you are interested in transacting business with us we will be very glad.

Please contact me for more information via email: SoftFundjob@gmail.com

and send us the following information about yourself:

1. Your Full Name as it appears on your resume.
2. Education.
3. Your Contact Address.
4. Telephone/Fax number.
5. Your present Occupation and Position currently held.
6. Your Age

Please respond and we will provide you with additional details on how you can become our representative. Joining us and starting business today will cost you nothing and you will be able to earn a bit of extra money fast and easy. Should you have any questions, please feel free to contact us with all your questions.

Thank you,
Director
Alex Feigin ,
Soft Fund Ltd
Alexander Feigin is a director of the REAL Soft Fund Ltd, but this email is completely fake. It is a standard money mule scam, one of many pretending to be from legitimate IT firms in the Ukraine. Soft Fund Ltd have nothing to do with the email, and you should not respond to it.

The originating IP is 209.239.38.111. Two sample subject lines are "Not give a convenient time for you extra income" and "We work closely together! Additional income for you!". Avoid.

"Polish fine art studio" scam

Is this a money mule scam? A package reshipping scam? Something else? It's certainly a scam.. perhaps an art scam designed to process fraudulently obtained artwork. Jennifer's "from" address says "Max" and the email originates from 189.68.40.112 in Brazil.

Subject: I'm looking for somebody to replace me, A

Hello. I am really sorry to bothering you. I am going to get married and leaving to my husband to Cyprus. I have been working with a reliable partner from Poland for 2 years. I had an additional income of 2.000$-4.000$ per month. Because I am not going to live in the USA I offer my friends to cover this position. I have sent emails to all contacts in my address-book. In the USA I was a representative of a Polish fine art studio. I'm not an artist and don't know a lot about it. I controlled pictures acceptance and customers' payments. I got rejected pictures and then I was sending them to other customers with discounts. Sometimes I had to do little things. 2% turnover award fee is usually was paid in addition to $2000.00 month earning , to keep the team spirit. Before Christmas I earned over $5.000,00. If you are interested, please send your CV and Cover Letter directly to the manager at e-mail vitoldklepatski73@gmail.com . I'll be very pleased if you or somebody of your relatives or friends get this position, but not a strange person from an employment agency. When I first walked in it seemed to me that this work is very difficult, but it is not like that, this is very easy job and they showed and taught me everything about my job, and it took me 2 days to learn. People are very nice there and helpful. I think you don't have to miss an opportunity like this. My Best Regards to you my friends and I hope your had a great holidays.
Good luck! Jennifer

Amusing 419 from "EFCC Investigation Office Nigeria"


A novel take on the 419 scam:

Subject: DID YOU AUTHORIZE MR. JOHN WHEELER FOR YOUR FUND CLAIMS
From: Mooreh Rose {mrsrosemooreh44@yahoo.com.hk}
Date: Tue, January 20, 2009 10:51 am

- Attention; Beneficiary, I am Mrs. Rose Moore (Assistance) Chairman from Efcc Investigation Office Nigeria, there is presently a counter claims on your funds by one MR.JOHN WHEELER, who is presently trying to make us believe that you are dead and even explained that you entered into an agreement with him, to help you in receiving your fund, So here comes the big question. Did you sign any Deed of Assignment in favor of (JOHN WHEELER). thereby making him the current beneficiary
with his following account details: MR JOHN WHEELER, AC/NUMBER: 6503809428. ROUTING/122006743, B/NAME:CITI BANK, ADDRESS:NEW YORK,USA, we shall proceed to issue all payments details to the said Mr. John Wheeler, if we do not hear from you within
the next two working days from today Thanks Mrs. Rose Moore (Assistance) Chairman Efcc Investigation Office Nigeria

Clearly if I was dead then I wouldn't be reading the email. Just to wind this particular scammer up, I replied with the one word "yes". That should confuse them.

Originating IP is 83.138.172.72 which seems to be a favourite with 419ers.

Friday, 16 January 2009

Spamcop.net phish

Here's a phish being sent to Spamcop webmail users - the approach has also been used for other webmail systems, so it isn't just Spamcop being targeted:

Subject: UPDATE YOUR SPAMCOP.NET ACCOUNT NOW
From: "spamcop.net webmail update" {info@yahoo.com}

Dear spamcop.net E-mail owners,

This message is from spamcop.net messaging center to all our email account
owners.
We are currently upgrading our data base and e-mail center due to an unusual
activities identified in our email system. We are de-activating all unused
spamcop.net accounts to create space for new accounts. To prevent your account
from being de-activated, you will have to verify your webmail account by
confirming your Webmail identity So that we will know that it's presently a
used account. We have been sending this notice to all our email account owners
and this is the last notice/verification exercise.

CONFIRM YOUR EMAIL IDENTITY BELOW
Last Name: ...........
Username: .......... .
Password : ...........

YOU ARE REQUIRED TO SEND THESE DETAILS TO THE UPDATE TEAM BY SIMPLY
REPLYING TO THIS EMAIL WITH THE REQUESTED DETAILS.

Warning!!! Account owners who fails to update his or her account on receiving
this notice might loose his or her account.

Warning Code:VX2G99AAJ.spamcop.net
Thank you.
"SPAMCOP.NET IT TEAM"

Replying to the email gives a reply-to address of account_up_grade@hotmail.com and the originating IP is 216.241.36.13.

Wednesday, 14 January 2009

MS09-001 prognosis. Install it now? Leave it for later?

It's patch Tuesday again, with just a single update from Microsoft: MS09-001.

If you are administering a corporate network, then the question that you probably ask yourself each week is "do I need to patch my servers"?

The prognosis for this one seems to be.. "maybe". Microsoft's own bulletin summary gives MS09-001 an exploitability index of "3 - Functioning exploit code unlikely". But the flaw itself is rated "Critical" and could lead to remote code execution.. so there is a low probability of a very serious exploit.

It turns out that it is much more likely that an attempted attack using MS09-001 would blue screen the target system - and that is more likely to be a worry, especially on delicate servers. The Microsoft Security blog has a good writeup and recommends the following priorities:

In terms of prioritizing the deployment of this update, we recommend updating SMB servers and Domain Controllers immediately since a system DoS would have a high impact. Other configurations should be assessed based on the role of the machine. For example, non-critical workstations could be considered lower priority assuming a system DoS is an acceptable risk. Systems with SMB blocked at the host firewall could also be updated more slowly.

Some further reading gives mixed signals: Sophos labels this as a medium threat, SC Magazine reports differing opinions, ZDnet also mentions the denial of service risk, ISC rates it as "Critical" but not "Patch now".

Given that it doesn't take long for the bad guys to implement an exploit for these flaws, and the recent well-publicised spread of the Downadup / Conficker worm then perhaps Microsoft's advice is very pertinent - start by protecting those systems that would suffer the most if they crashed, but there is perhaps not the urgency of the MS08-067 patch that came late last year.

Tuesday, 13 January 2009

"SLG-Logistics Company" scam

Not to be confused with the legitimate S L G Logistics Ltd based in the UK, "SLG-Logistics Company" is a wholly bogus outfit, probably offering a job in money laundering, parcel reshipping or another criminal enterprise.

Originating IP is 87.205.253.77 in Poland, "from" address is Singapore and doesn't match the name or address in the email. A pretty poor attempt overall.

Subject: Job opportunity
From: "Elma Ford" ncbk@pacific.net.sg

Hi, if you are interested in a well-paid part-time(2-3 hours a day) job in a large transportation & logistics company please contact me at e-mail:
pammorrison366@hotmail.com

With best regards,
Pamela Morrison,
Project manager,
SLG-Logistics Company.

Tuesday, 6 January 2009

Ongoing injection attacks against Chinese domains

This looks like a case of the Chinese hacking the Chinese again, with a very large number of domains being injected into legitimate sites. Two IPs to block are 121.14.152.154 and 59.34.197.15. For most companies outside of AsiaPac it may well be feasible to block or monitor all traffic to .cn domains.

The following domains are being used in the injection attacks (there are probably many others in a similar format):

  • Aznylsf.cn
  • Bznylsf.cn
  • Ccswzx3.cn
  • Ccswzx9.cn
  • Cznylsf.cn
  • Eqw002.cn
  • Eqw003.cn
  • Eqw004.cn
  • Eqw006.cn
  • Eqw008.cn
  • Eqw009.cn
  • Eznylsf.cn
  • Falaliee.cn
  • Falaliii.cn
  • Falalioo.cn
  • Falaliqq.cn
  • Falalitt.cn
  • Fznylsf.cn
  • Gznylsf.cn
  • Hhj2.cn
  • Hhj3.cn
  • Hryspac.cn
  • Hryspah.cn
  • Hryspan.cn
  • Hryspao.cn
  • Hryspap.cn
  • Hryspaq.cn
  • Hryspav.cn
  • Hznylsf.cn
  • Iznylsf.cn
  • Jym562.cn
  • Jzll-1.cn
  • Jzll-2.cn
  • Jzll-4.cn
  • Jzll-9.cn
  • Jznylsf.cn
  • Kznylsf.cn
  • Rxgsslla.cn
  • Rxgsslld.cn
  • Rxgsslll.cn
  • Rxgssllt.cn
  • Sllanmb.cn
  • Sllbnmb.cn
  • Slldnmb.cn
  • Sllinmb.cn
  • Sznylsf.cn
  • Tznylsf.cn
  • Vvk2.cn
  • Wrmfwa.cn
  • Wrmfwb.cn
  • Wrmfwc.cn
  • Wrmfwd.cn
  • Wrmfwe.cn
  • Wrmfwf.cn
  • Wrmfwg.cn
  • Wrmfwi.cn
  • Wrmfwj.cn
  • Wrmfwl.cn
  • Wrmfwn.cn
  • Wrmfwo.cn
  • Wrmfwp.cn
  • Wrmfwq.cn
  • Wrmfwt.cn
  • Wrmfwu.cn
  • Wrmfwz.cn
  • Wxjyb.cn
  • Wznylsf.cn
  • Xznylsf.cn
  • Yznylsf.cn
  • Zdq004.cn
  • Zdq005.cn
  • Zdq009.cn
  • Zdq010.cn
  • Zgcgsslle.cn
  • Zgcgssllf.cn
  • Zghncsa.cn
  • Zghncsi.cn
  • Zghncsj.cn
  • Zghncsl.cn
  • Zghncsm.cn
  • Zghncsp.cn
  • Zghncsr.cn
  • Zghncst.cn
  • Zgynkmb.cn
  • Zgynkmd.cn
  • Zgynkmf.cn
  • Zgynkmg.cn
  • Zgynkmk.cn
  • Zgynkms.cn
  • Zznylsf.cn

Monday, 5 January 2009

"Dating Service" bogus job offer

This is most likely a money mule operation, or perhaps one of those sophisticated scams where the bad guys recruit a whole virtual office staff to run the scam for them. Either way, avoid at all costs.

Subject: Available positions for new year. Reg.ID: SGF-SF7S8

To Your Attention,

Dating Service announces new job openings in 2009:

Part time employment is now available in our company for USA people.

Feel free to request an application by e-mailing us only at: Dating.Srvc@gmail.com

Best Regards,
Dating Service

Sunday, 4 January 2009

"Your new e-mail has been successfuly added" PayPal phish


A slightly different approach from the usual PayPal phish rubbish:

Subject: Your new e-mail has been successfuly added
From: "service@paypal.com" noreply@vodafone.net

Dear PayPal member,

You have added joemontgo85@sbcglobal.net as a new email address for your PayPal account.

If you did not authorize this change, check with family members and others who may have access to your account first. If you still feel that an unauthorized person has changed your email, submit the form attached to your email in order to keep your original email and restore your PayPal account.


Thank you for using PayPal!
The PayPal Team

Please do not reply to this email.
This mailbox is not monitored and you will not receive a response.

----------------------------------------------------------------------------------------
Copyright © 1999-2009 PayPal. All rights reserved.

PayPal Email ID PP007
Quite when PayPal started to send email from a vodafone.net account passed me by. The phish jumps through two legitimate but compromised web sites at ol4b.com and imuze.co.uk before it hits a standard PayPal phishing page. It looks like joemontgo85@sbcglobal.net might be consistent for this spam run though.

Friday, 2 January 2009

"podmena traffica test" spam

There seem to be some strange spam emails doing the rounds, with a body text of "podmena traffica test".. what gives?

It makes a bit more sense if you transliterate it into Cyrillic, which leaves you with a Russlish phrase "подмена трафика тест" and that simply translates as "spoofing traffic test".

The subject is a random spammy one, the originating IP looks like part of a botnet.

I'm pretty sure these are coming through "to" and "from" the same email address, so it may well be someone enumerating mailservers looking for SMTP spoofing protection.. in other words, testing addresses to see if they work and then recording the server's SMTP response.

Why? Who knows.. spammers don't usually care about efficiency if they are using a botnet, because they are not paying for bandwidth or equipment. These type of "probes" are seen sometimes and can be safely deleted.

Monday, 29 December 2008

SQL injection: msngk6.ru, dft6s.kz and mcuve.cn

A new bunch of domains being used in SQL injection attacks at the moment:
  • www.msngk6.ru
  • www.dft6s.kz
These are calling a script called style.js and follow on from these, most likely the work of the Asprox gang. The registration details are probably fake, but for the record are:

domain: MSNGK6.RU
type: CORPORATE
nserver: ns2.msngk6.ru. 75.63.155.106
nserver: ns3.msngk6.ru. 146.57.249.100
nserver: ns1.msngk6.ru. 76.240.151.177
nserver: ns4.msngk6.ru. 24.247.215.75
state: REGISTERED, DELEGATED
person: Aleksandr A Zamaraev
phone: +7 495 7412992
e-mail: zamaraev@namebanana.net
registrar: NAUNET-REG-RIPN
created: 2008.12.17
paid-till: 2009.12.17
source: TC-RIPN
The domain mcuve.cn is different, calling 1.js. This is related to the recent 17gamo.com domain which exploits a number of things including this recent IE7 vulnerability.

Check your proxy logs for .cn/1.js and .ru/style.js plus .kz/style.js to keep on top of these. It is often worth monitoring all traffic to .cn, .ru and .kz domains for manual review.