Sponsored by..

Tuesday, 27 October 2009

"Facebook Password Reset Confirmation" trojan

This trojan claims to be something to do with a Facebook password reset, but it's a plain old EXE-in-ZIP trojan attack.


Subject: Facebook Password Reset Confirmation.
From: "The Facebook Team" <service@facebook.com>


Hey fortunes ,


Because of the measures taken to provide safety to our clients, your password has
been changed.

You can find your new password in attached document.


Thanks,
The Facebook Team

Attachments:
Facebook_Password_6c6eb.zip

The Trojan is widely detected as a version of Bredolab. ThreatExpert report is here.

Remember, if you can block EXE-in-ZIP files at your mail gateway, it is well worth doing.

Saturday, 24 October 2009

Uh.. what?

A case of "WTF is this spam trying to do"? It looks like this noobie spammer thinks that sending out millions of copies of their banking details is going to be the path for riches.. rather than (say) identity theft. Spam originates from 123.139.106.235 in Shannxi Province, China which matches with the banking details.

Out of a possibly misguided sense of pity, I have omitted some of the digits from the account number!

Subject: Electronic mail messages webmaster:
From: "The webmaster"

HELLO:
You will actively support god. Each user donated $500 a lifelong use
email. As senior members...

You are christians, please send email forwarded others thirty times,
and charitable donations to me, god will bless you! God will
organization

hello:

Please send money into my account at Bank of China.
Bank name: the bank of China
A/CNO£º 2979 7702 0007 xxx
INA/CWITH£º Zhang Lu Xi
Address: 38 Juhua Yuan, Xi'an 710001, Shaanxi Prov., China
Swiftcode: BKCH CN BJ 620

You can use high-speed does not capture email


E-mail the webmaster 2009.10.23.

Tuesday, 20 October 2009

Police Fail


Never mind the slightly dubious issue of mapping crime hotspots, the announcement of a new service using data from the UK's police force to map crime was always going to generate a lot of interest.

The map is meant to look something like the image on the right (click to enlarge), but because this is the UK the server is clearly underspecified for the amount of interest that it is generating, because anyone who actually tries to visit maps.police.uk gets the rather predictable result below:


It's all a bit reminiscent of when the 1901 Census site went offline for months. Is it beyond the capabilities of the people implementing to judge demand?

Incidentally, the Met have a similar mapping system sensibly powered by Google, which seems to work quite well.

Monday, 19 October 2009

Google indexing private Google Voice transcripts?

A disturbing item from the Boy Genius Report indicates that seemingly private Google Voice transcripts are appearing in Google search results with a seemingly simple search string. Although some of these are "test" messages, one or two do seem to be the real deal. Oops.









Wednesday, 14 October 2009

"A new settings file for the blah@blah.blah mailbox"

A clever bit of social engineering, looks like Zbot:

From: alert@blahblah.tld
Subject: A new settings file for the name@blahblah.tld mailbox

Dear user of the blahblah.tld mailing service!
We are informing you that because of the security upgrade of the mailing service your mailbox (name@blahblah.tld) settings were changed. In order to apply the new set of settings click on the following link:

http://blahblah.tld/owa/service_directory/settingsphp
?email=name@blahblah.tld&from=blahblag.tld&fromname=name
Best regards, blahblah.tld Technical Support.


The link is a forgery, underneath it is actually blahblah.tld.polikka.eu/owa/service_directory/settings.php
?email=name@blahblah.tld&from=blahblah.tld&fromname=name

polikka.eu was registered just today, the registration details are:

Domäne
Name
polikka
Status
REGISTRIERT
Registriert
October 14, 2009
Letzte Aktualisierung
October 14, 2009, 4:35 pm

Registrant
Name
Spasova, Galia
Unternehmen/Organisation
Galia Spasova
Sprache
Englisch
Adresse
j.k. Droujba-1
44231 paris
Frankreich
Telefon
+32.8834336218
E-Mail
gsmailva@ge-88.com

Probably fake you might think, except that "j.k. Droujba-1" is an address in Sofia, not Paris. And it belongs to a company called GE-88 Ltd who have a website of ge-88.com. So, the email address in the WHOIS does seem to trace back to a Bulgarian company. And what does GE-88 Ltd do? Ummm.. well, it appears to manufacture alloys. It could be fake, perhaps their mailserver is compromised..

Nameservers are ns1.supranull.com and ns1.trapsing.net (96.31.81.80 - Noc4Hosts Inc) (although the site is not resolving at the moment).

Just as I was typing this in, another one came through using the domain oikkkkua.co.uk as a redirector:

Domain name:
oikkkkua.co.uk

Registrant:
Evelyn Wilson

Registrant type:
Non-UK Individual

Registrant's address:
805 E. Stocker
paris
68554
Belgium

Registrar:
Webfusion Ltd t/a 123-Reg.co.uk [Tag = 123-REG]
URL: http://www.123-reg.co.uk

Relevant dates:
Registered on: 14-Oct-2009
Renewal date: 14-Oct-2011
Last updated: 14-Oct-2009

Registration status:
Registration request being processed.

Name servers:
ns1.horstsolution.net
ns1.soon-moon.com

Again, this one isn't resolving yet but it was just registered today.

Suspect ad network leads to PDF exploit

This was picked up from an ad apparently running on grooveshark.com

An ad from ad.technoratimedia.com loads an ad from ad.yieldmanager.com.. so far, pretty normal.

The next step is:
ads.bootcampmedia.com/servlet/ajrotator/790744/0/vh?ajecscp=1254835789307&z=BootCamp&dim=335848

This domain is protected by DomainsByProxy, registered in December 2007 and is hosted 208.113.133.105.

The site has the following contact details:
Address

Bootcamp Media
121 Wyndham St. N.
Suite 202
Guelph, Ontario, Canada
N1H 4E9
Phone

1-519-515-0094
Fax

1-519-515-0151


Bootcampmedia.com has a near-zero profile, but it may well be a legitimate company.

After this, the visitor starts to go well off the beaten track. The next hop is traffic.firedogred.com/content?campaign=1219131&sz=2

firedogred.com is registered to:

Registrant:
Domain Owner
15156 SW 5th
Scottsdale, Arizona 85260
United States

Registered through: GoDaddy.com, Inc. (http://www.godaddy.com)
Domain Name: FIREDOGRED.COM
Created on: 15-Sep-09
Expires on: 15-Sep-10
Last Updated on: 15-Sep-09

Administrative Contact:
Owner, Domain trafficbuyer@gmail.com
15156 SW 5th
Scottsdale, Arizona 85260
United States
(800) 555-1212 Fax --

Technical Contact:
Owner, Domain trafficbuyer@gmail.com
15156 SW 5th
Scottsdale, Arizona 85260
United States
(800) 555-1212 Fax --


That email address of trafficbuyer@gmail.com is well known. The subdomain traffic.firedogred.com is dual-homed on 207.57.97.233 and 161.58.56.25 (both NTT America, Inc).

The next hop is show.sheathssubtotal.info/rotate?m=3;b=2;c=0;z=406377

sheathssubtotal.info was regisitered on 17th September with the same "trafficbuyer@gmail.com" contact details as firedogred.com.

show.sheathssubtotal.info is dual homed on 140.174.93.100, 161.58.192.228 (both NTT America, Inc).

Yet another hop, this time to content.neighbanner882.info/track/3388081/S_SE?{munged}

neighbanner882.info was created on 7th August 2009, registered to trafficbuyer@gmail.com (again). content.neighbanner882.info is hosted on 69.164.196.55 at some outfit called Linode.

Yet another hop, this time to winckag.com which is currently down but was hosted on 89.149.251.71 (Netdirekt E.k) who are pretty well known for hosting bad sites (but they may well have nuked this one already, and if so.. well done!)

The owners of winckag.com have something to hide..

Registrant:
Contactprivacy.com
96 Mowat Ave
Toronto, ON M6K 3M1
CA

Domain name: WINCKAG.COM


Administrative Contact:
contactprivacy.com, winckag.com@contactprivacy.com
96 Mowat Ave
Toronto, ON M6K 3M1
CA
+1.4165385457
Technical Contact:
contactprivacy.com, winckag.com@contactprivacy.com
96 Mowat Ave
Toronto, ON M6K 3M1
CA
+1.4165385457


Registration Service Provider:
domainsnext.com, Sales@DomainsNext.com
+1.9494979623
This company may be contacted for domain login/passwords,
DNS/Nameserver changes, and general domain support questions.


Registrar of Record: TUCOWS, INC.
Record last updated on 04-Oct-2009.
Record expires on 04-Oct-2010.
Record created on 04-Oct-2009.

Registrar Domain Name Help Center:
http://domainhelp.tucows.com

Domain servers in listed order:
NS1.WINCKAG.COM 200.63.45.62
NS2.WINCKAG.COM 200.63.45.62


This loads an image from img.sheathssubtotal.info/120x600/54019.gif multihomed on 174.143.241.174, 174.143.243.90, 174.143.243.162 (some sort of cloud hosting) and then loads the following:
winckag.com/base/data/p29.php
winckag.com/base/data/vou.png

Those nameservers on 200.63.45.62 are interesting, that's PanamaServer.com who are well known for supporting malware.

Finally, winckag.com appears to try to load a Troj/PDFJs-DY trojan onto the victim's machine.

You should certainly avoid ads running on firedogred.com, sheathssubtotal.info, neighbanner882.info, winckag.com or any domain registered to trafficbuyer@gmail.com. Make up your own mind about Boot Camp Media - these small ad networks are very often targeted by the bad guys, but they really need to get their act together.

Tuesday, 13 October 2009

Piradius.net running Zbot infrastructure servers

Piradius.net appears to be up to its dark grey hat antics again with a server at 124.217.251.179 which is providing services to the current run of Zbot trojans, as seen (for example) with this recent ThreatExpert report.

Robtex reports the the server is also being used as the NS for a number of Zbot related domains, notably x2dns.ru, cedns.ru, updata-1.com, admin-systems.com, db-1.net, upd01.net, ssl-updates.net and several others connected with this spam run. 124.217.251.179 is also the download server for various Zbot components.

Although Piradius.net probably has many legitimate customers (primarily from Malaysia, Thailand and South-East Asia), it seems to have a lot of bad ones too (including Yohost.org). Prudent network administrators may want to consider blocking 124.217.224.0 - 124.217.255.255 which will probably not cause too many problems.

Wednesday, 7 October 2009

Orwellian Black Opel


I thought I'd get a photo of the Google Streetview car while it was having a rest.. and before it got me :)

Tuesday, 6 October 2009

htmlads.ru injection attack

Another injection attack following on from this one, htmlads.js looks like it is being injected into IIS 6.0 servers. In this case, the string to look for in your logs in htmlads.js/ads. js which is worth checking for and blocking if you can.

For the records, the domain registration details are:

domain: HTMLADS.RU
type: CORPORATE
nserver: ns1.htmlads.ru. 75.34.216.140
nserver: ns2.htmlads.ru. 216.119.45.147
nserver: ns3.htmlads.ru. 72.48.193.152
nserver: ns4.htmlads.ru. 71.108.37.140
state: REGISTERED, DELEGATED, UNVERIFIED
person: Private person
phone: +7 496 4047474
e-mail: tau@8081.ru
registrar: REGRU-REG-RIPN
created: 2009.10.05
paid-till: 2010.10.05
source: TC-RIPN

Monday, 5 October 2009

Are your personal details on Jigsaw.com?

An interesting post caught my eye about a site called Jigsaw.com over at the CluBlog. It's a sort of collective where people trade other people's business card information, and it might well be the reason why my number of irrelevant direct marketing calls has gone through the roof.

The blog post also usefully tells you how to remove your details - recommended reading!

Sunday, 4 October 2009

Injection attacks: adbnr.ru

adbnr.ru seems to be the latest domain to be used by the bad guys in this current round of injection attacks. The injected code to look for is adbnr.ru/ads.js (obviously don't visit that page unless you know what you are doing). That leads to a heavily obfuscated piece of Javascript which I haven't dissected yet.. but really there is no doubt that it is going to try to do something very bad to your computer!

Domain is registered to:
domain: ADBNR.RU
type: CORPORATE
nserver: ns1.adbnr.ru. 75.155.243.39
nserver: ns2.adbnr.ru. 173.93.171.160
nserver: ns3.adbnr.ru. 71.108.37.140
nserver: ns4.adbnr.ru. 67.84.154.208
state: REGISTERED, DELEGATED, UNVERIFIED
person: Private person
phone: +7 812 5706062
e-mail: omit@blogbuddy.ru
registrar: REGRU-REG-RIPN
created: 2009.09.29
paid-till: 2010.09.29
source: TC-RIPN

Both the telephone number and email address have been connected with malware attacks before.

Looks like it is using a fast flux botnet for hosting, but blocking adbnr.ru should be effective.

Thursday, 1 October 2009

ads-t.ru and adtcp.ru: Asprox is back

I haven't had time to look at this fully, but it seems that a fresh round of Asprox attacks have started after several months of inactivity - in this case the domains ads-t.ru and adtcp.ru are in use.

Read more at CyberCrime & Doing Time.

Wednesday, 23 September 2009

max-apprais.com and top-name.net scam

max-apprais.com and top-name.net appear to be two fake domain appraisal companies being "recommended" to domain owners as part of a long-running scam which we have touched on many times before.

max-apprais.com was created on 12th September to an anonymous registrant, hosted on 202.157.181.9 at Katz Global Singapore. It's a copy of max-appraisal.com which is hosted on 124.217.231.209 at well-known black hat hosts YoHost.org.

top-name.net is a very familiar template hosted on 66.7.196.186 (Hostdime, Florida) also to an anonymous registrant (although it appears to be a Canadian resident behind all of this spam).


sedo.com are a well-known and wholly legitimate company and are nothing do to with the spam or scam.

The "pitch" email looks like this:

From: "Domain Trade LLC"
Date: Wed, September 23, 2009 4:26 am

Dear sir,
we are interested to purchase your domain [redacted] and offer between 50% and 65% of the appraised value.
We accept appraisals from companies such as

http://www.sedo.com/
http://top-name.net/
http://max-apprais.com/


If you already have an appraisal please forward it to us.

Please let us know whether you are interested. Upon review of your valuation and in case of an agreement we send payments via PayPal for amounts less than $2,000 and via Escrow.com for amounts above $2,000, as well as further instructions on how to complete the transfer of the domain name.

We appreciate your business,

Domain Trade LLC
Originating IP for the spam is 74.55.131.10

Of course, once they have taken your money for the appraisal, then you will never hear from them again.

If you have been conned by these scammers then start a PayPal dispute to get your money back. We understand that Sedo may offer a refund in any case as they are well aware of this scam. You might also want to file a complaint with the police, especially if you live in Canada where the perp appears to be based.

Tuesday, 15 September 2009

Rogue ads on answers.com: dotastoc.com

I'm still trying to track this one down, but somewhere on answers.com is a rogue ad that does through several hops to reach a fake anti-virus application. Don't visit any of the following sites unless you know what you are doing!
  1. dotastoc.com/442417.js?sid=bWtuamJoX2NvZmZlZS1jODMuZG90YXN0b2MuY29t [212.95.56.102, Germany - Netdirekt E.k]
  2. mknjbhyju.exxl.pl/coffee-c83/xalei.html [209.51.196.244, Ohio - XLHost.com Inc]
  3. mknjbh_coffee-c83.dotastoc.com/index.html ?Ref=http%3A%2F%2Fwww.google.co.uk %2Fsearch%3Fhl%3Den%26q%3D[redacted]%26btnG%3DSearch%26meta%3D
  4. myth-busters.cn/go.php?id=2009-01&key=cd19f5036&p=1 [94.102.48.29, Netherlands - Ecatel]
  5. 09computerquickscan.com [multihomed at 78.46.118.1, 78.46.201.89, 78.46.251.41, 88.198.81.153, 88.198.120.177, Germany Hetzner Online AG]
Step 3 requires a referer string to work, depending on the string you may get redirected, for example to usdisturbed.cn/?pid=229&sid=4b5855 [193.169.12.70, Belize "Financial Company Titan Ltd"] then fast-virus-scan4.com [91.213.126.100, Costa Rica Centerinfocom Ltd or 93.169.12.70 again]

Lots of suspect IP addresses there, 212.95.56.102 is the first step and also hosts these following domains that also look suspect:

  • Anidmenonpderche.com
  • Dotastoc.com
  • Ewyuewssf.com
  • Fishbiss.com
  • Iggiksc.com
  • Lur2cont.com
  • Niuk.ru
  • Pornokogu.com
  • Uewiosdasda.com
fast-virus-scan4.com is also being used in some .htaccess attacks, where the hacked site only redirects to the fake virus scanner if accessed through Google or some other search engine, not if it is visited directly.

Update: answers.com appear to have tracked down and removed the ad, although some other sites have been hit by a very similar attack.

YoHost.org on the move to Dragonara.net

It looks like black-hat host YoHost.org is on the move to a set of IP addresses owned by "Dragonara Alliance Ltd" (dragonara.net) - a company that claims to be Swiss (and appears to use hosting in Switzerland) but is registered in the British Virgin Islands.

Dragonara claims to be a high-reliability host where clients can weather out DDOS attacks, which is a useful service. However, a lot of the sites it host seem to be quite dubious, and a lot of sites seems to be pushing "replica" (i.e. fake) Swiss watches. The fact that a Swiss company is hosting sites in Switzerland that appear to be selling fake Swiss watches is something that might end up in an interesting conversation with some Swiss lawyers.

The IP address range to look out for is 194.8.74.1 - 194.8.75.255. The sites listed below are for information purposes only, many may well be perfectly legitimate. If you have any observations, then please use the comments.


194.8.75.34
Liberty72.com
Music-ultra.net
Virtuelldigitale.net

194.8.75.66
Filmkeuze.org
Superadult.org

194.8.75.77
Tyolaly.com

194.8.75.80
Ireplicastore.com

194.8.75.82
Billing-sat.tv

194.8.75.90
Bkjace.com
Jessicareplicas.com
Swissreplicastore.com

194.8.75.94
Good-good-movie.com
I-want-she.com
Oem-workshop.org
Online-oem-store.com
Red-paradise.com
Russian-paradise.com
Net-doktor.eu

194.8.75.98
Highrisefinance.com


194.8.75.107
Watch-replica.net

194.8.75.116
Yohost.org

194.8.75.118
Sadelae.com
Tiffanysets.com
Tyakcek.com

194.8.75.119
Apoace11.com
Beanells.com
Mymodelwatches.com

194.8.75.120
Gaemacs.com
Replicasmart.com

194.8.75.121
Brangelinareplicas.com
Geakcon.com

194.8.75.122
Kejhlle.com
Watch-replicas.com

194.8.75.123
Akeean.com
Brandreplica.com
Sharesdigger.com

194.8.75.124
Beauhi.com
Tiffanylovers.com

194.8.75.125
50st.ru

194.8.75.126
Ppoeatt.com

194.8.75.127
Tyaopce.com

194.8.75.128
Bieaken.com

194.8.75.129
Dakealls.com

194.8.75.135
Replicawatchesreviews.com

194.8.75.141
Agent-service.info
Barlenelectronics.com
Iluvtotravel.com
Sapnastudio.org
Strahovoy-partner.info
Strahovoypartner.ru
Thefbo.com

194.8.75.143
Csmfinance.com

194.8.75.165
Halarona.com

194.8.75.180
Replicas99.com

194.8.75.181
79eurovilla.com

194.8.75.199
Dvd4play.com

194.8.75.202
Thc-torrents.org

*********

194.8.74.12
Aowei.net.ru
Babytrance.us
House-of-friendship.com
Jurassic.net.ru
Kemcua.net
Lightning.net.ru
Tiroteen.net

194.8.74.45
Odnoixniki.com

194.8.74.100
Shara.info

194.8.74.101
Dw-plus.tv

194.8.74.120
Battlenetlogins.com
Directransfer.net
Diyxbox360.com
Flexfolders.com
Hygetropin-hgh.com
Immune-research.com
Premiuma.net
Privacysecured.com
Reversephonenet.com
Tiffanybazaar.com
Topregfix.com
Uc-forum.com
Ucdownloads.com
Vintagevdb.com
Xbox360redlightsguide.com

194.8.74.127
Dw24.tv

194.8.74.129
Anyshop.ch
Huasi.ch
Sowa.ch
Swisstuerk.ch

194.8.74.132
Hotelinsider.info

194.8.74.135
Dw-mobile.org

194.8.74.154
Vaultinvestment.com

194.8.74.158
Fi-success.com
Financijskabuducnost.com
Financijskabuducnost.net
Forexdonos.com
Forexdonos.net
Forexdonos.org
Forexnalozba.com
Forexnalozba.org
Forexnalozbe.com
Forexnalozbe.net
Forexnalozbe.org
Fx-donos.com
Fx-donos.net
Fx-donos.org
Tx-invest.net
Ultra-forex.com
Ultra-forex.net

194.8.74.190
Parnenairdesign.com
Rs-promotion.com
Syjsw.com

194.8.74.193
Practicalsilver.com
Silverurban.com
Solid925silver.com
Tiffanynsnow.com

194.8.74.231
Relsat.org

Thursday, 10 September 2009

Fake HMRC tax refund messages

Looks like there's a spam run in progress with the following fake tax refund message:
From: HM Revenue & Customs [mailto:rsa.messages@hmrc.rsamessages.co.uk]
Sent: 10 September 2009 10:16
Subject: [ HMRC MESSAGE ID NUMBER: 381716209 ]

(This is an outbound message only. Please do not reply.)



Dear Applicant,

The contents of this email and any attachments are confidential and as applicable, copyright in these is reserved to HM Revenue & Customs. Unless expressly authorised by us, any further dissemination or distribution of this email or its attachments is prohibited.

If you are not the intended recipient of this email, please reply to inform us that you have received this email in error and then delete it without retaining any copy.

I'm writing to confirm that after the last annual calculation of your fiscal activity we have determined that you are eligible to receive a tax refund of 327.54 GBP

You have attached the tax return form with the TAX REFUND NUMBER ID: 381716209, complete the tax return form attached to this message.

After completing the form, please submit the form by clicking the SUBMIT button on form and allow us 5-9 business days in order to process it.

If you have any questions, please refer to our Frequently Asked Questions (FAQs) or visit our head office address can be found on our web site at http://www.hmrc.co.uk/

Yours sincerely,
Kevin Taylor
Manager, HM Revenue & Customs Tax Credit

TAX RETURN FOR THE YEAR 2009
RECALCULATION OF YOUR TAX REFUND
HMRC 2008-2009
LOCAL OFFICE No. 3819
TAX CREDIT OFFICER: Kevin Taylor
TAX REFUND ID NUMBER: 381716209
REFUND AMOUNT: 327.54 GBP


This e-mail is generated by RSA Security United Kingdom on behalf of HM Renenue & Customs


Calls may be monitored or recorded in case we need to check we have carried out your instructions correctly and to help improve our quality of service.


or another variant:


From: HM Revenue & Customs [mailto:officer.robinson@hmrc.co.uk]
Sent: 10 September 2009 10:23
Subject: TAX REFUND ID NUMBER: 381716209

TAX RETURN FOR THE YEAR 2009

RECALCULATION OF YOUR TAX REFUND

HMRC 2008-2009

LOCAL OFFICE No. 3819

TAX CREDIT OFFICER: NEIL ROBINSON

TAX REFUND ID NUMBER: 381716209

REFUND AMOUNT: 344.79

Dear Applicant,

The contents of this email and any attachments are confidential and as applicable, copyright in these is reserved to HM Revenue & Customs.

Unless expressly authorised by us, any further dissemination or distribution of this email or its attachments is prohibited.

If you are not the intended recipient of this email, please reply to inform us that you have received this email in error and then delete it without retaining any copy.

I am sending this email to announce: After the last annual calculation of your fiscal activity we have determined that you are eligible to receive a tax refund of 344.79

You have attached the tax return form with the TAX REFUND NUMBER ID: 381716209, complete the tax return form attached to this message.

After completing the form, please submit the form by clicking the SUBMIT button on form and allow us 5-9 business days in order to process it.

Our head office address can be found on our web site at http://www.hmrc.co.uk/

Sincerely,

NEIL ROBINSON

HMRC Tax Credit Officer

officer.robinson@hmrc.co.uk

Preston

PR1 0SB



There's an attachment in both cases that attempt to harvest personal details (basically everything you need for identity theft) and sends it off to the attacker. In this case, domains used are jub23bi.biz and xgen99.biz although there are probably others. Scanning your outbound log files for /luk.php or /luk1.php or .biz/luk might reveal anyone who has fallen for it.


Obviously, if you've entered you details into something like this then you need to contact your bank as soon as possible and explain that your account has been compromised.

Friday, 4 September 2009

Macez.com domain scam

Yet another fake domain appraisal scam following on from this one, macez.com has actually been registered for a while but only came into use in September. If you receive an email recommending this appraisal site, delete it. If you have paid for a fake appraisal with PayPal, then you should open up a dispute about the transaction.

Wednesday, 26 August 2009

Razor blade spam

Here's a new one.. razor blade spam! Gillette Mach 3 Blades are apparently the most stolen retail product in the world, so perhaps it is unsurprising to see spam for what is bound to be fake Mach 3 razor blades.


Subject: Gillette Mach 3 Razor Blades - Best Prices 28414010
Date: Wed, August 26, 2009 10:37 pm

9732866
If you have trouble viewing this email click here. You could make a gift for you boy
friend,farther or sell the items on Ebay.

7657
If you are not a member, or received this email from a friend, and would like to
join our Rewards program, click here.

You've received this message because you've registered to receive email from M3mach.
If you no longer wish to receive email from us click here.

View our privacy policy.
Please don't direct response this mail box.
Contact Us click here.
www.M3mach.com


A pack of 8 Mach 3 blades retails for about $18 in the US, these folks claim to be selling them for less than $7..


..which means that these are fakes. Fake razor blades are just fine if you don't mind facial lacerations, rashes and nasty blood diseases. Looks like they also sell fake condoms too.

This may well be the start of a new trend. Who knows what the spammers will try to sell next? Tinned meat?

Tuesday, 25 August 2009

CurrencyVendor.com: can you trust it?

Another doubtful World of Warcraft site is currencyvendor.com hosted on the same server as these other WoW scam sites.

Does it look trustworthy? Well, no. It's hosted by YoHost.org on the same server as a load of WoW scams sites, phishing sites, fake internet companies, bogus pharmacies and all sorts of other things. The domain was set up a few days ago, and is hosted on an anonymous server with anonymous contact details. Given the very high number of scam sites on this server, the lack of history and the anonymous contact details we would strongly recommend that extreme caution be taken if dealing with this site.


Update: the people behind CurrencyVendor.com deny that it is a scam, but acknowledge that their web host does host scam sites. They also decline to identify themselves. Draw your own conclusions, but as a general rule doing business with someone who refuses to identity themselves is a bad idea.

$1 + $3 + $8 + $20 + $52 = $84

This is a interesting gambling spam which tries to entice you to an online casino called worldelitecasino.net hosted in China.

Subject: Re: yo mate
Date: Tue, August 25, 2009 5:19 pm

yo mate..


ok I`ll give you my trick but if you give it someone else I`ll fuckin kill you :)
you know in roulete you can bet on blacks or reds. If you bet $1 on black and it goes black you win $1 but if it goes red you loose your $1.
So I found a way you win everytime:

bet $1 on black if it goes black you win $1

now again bet $1 on black, if it goes red bet $3 on black, if it goes red again bet $8 on black, if red again bet $20 on black, red again bet $52 on black (always multiple you previous lost bet around 2.5) if now is black you win $52 so you have $104 and you bet:

$1 + $3 + $8 + $20 + $52 = $84 So you just won $20 :)

now when you won you start with $1 on blacks again etc etc. its always bound to go black eventually (it`s 50 / 50) so that way you eventually always win. But there`s a catch. If you win too much (like $800 a day) casino will finally notice something and can ban you. I was banned once on red teaching casino. So don`t be too greedy and don`t win more then $200 a day and you can do it for years. I think bigger casios know that trick so I play for real money on smaller ones, right now I play on elite world casino: www.worldelitecasino.net for more then 3 months, I win $50-$200 a day and my account still works. You`ll find roulette there when you log in go to "specialt games" - "american roulete". And don`t you dare talling about it anyone else, if too many people knows about it casinos will finally found a way to block that trick. If you have any questions just drop me a line here or on skype.

c ya

In brief, the spam is pitching a roulette "system" that guarantees that you will win, and recommends an online casino where you can use it. The target site has an executable called SmartDowload.exe which was written by RealTime Gaming, Inc.

So, in fact the "Casino" doesn't exist - it leads to a legitimate (but potentially unwanted) desktop gambling application, the executable itself looks like part of Realtime Gaming's affiliate program of something (the Download ID is 1273059)


Presumably the spammer gets some payment per signup or something.. and this can actually be a lot of money in some cases.

So.. what about this "system" then? Well, in reality it doesn't work. It's a version of the Martingale System which basically says that you should double your bet each time you lose (in this case double-and-a-bit).. because eventually you will win your money back. That sounds fine in theory, but eventually you either:

  1. Run out of money - because the value increases expontentially, in the example in the spam the next levels to bet would be $130, $325, $813, $2031, $5078, $12,595, $31,738, $79,345, $198,364, $495,910 and then $1,239,776). You will always run out of money before the casino does.
  2. Hit the house limit - most casinos have a limit beyond which you cannot bet, usually a few thousand dollars. So, you'd hit the house limit before the Martingale system ever paid off, even if you did have nearly unlimited funds.
There's a more detailed writeup at Greg Kochanski's blog explaining the maths behind it.

Personally, I think there's only one thing to remember about casinos: the house always wins!

Friday, 14 August 2009

"PD Domains": topnameappraisals.com and greatestnamesonline.com scam

Two more scam domain appraisal sites - greatestnamesonline.com and topnameappraisals.com following on from pddomains.com and countless other ones.

If you receive an unsolicited email listing either of these two companies as appraisal outfits, then it's a scam. More information here.

Update: there's also topnameappraisal.com which is another domain doing exactly the same thing.

dia-company.net scam

Another job scam from Michell.Gregory2009@yahoo.com. It's not clear exactly what "job" they are offering, but it will definitely be a scam and probably be illegal.

Subject: Job Search Results on Monster.com

Greetings,

Our Company is ready to offer full and part time work in your region. We are among top managing companies in North America and Europe.

If you are interested in career growth and good salary, send your resume ONLY to the Company?s email address: hd@dia-company.net

Reply only via corporate email, so please just use this one for further contact and
correspondence: hd@dia-company.net

With best regards,
HD department
DIAGROUP

The domain registration details are:

Domain name: dia-company.net

Registrant Contact:
NA
Gregory Michell Michell.Gregory2009@yahoo.com
+1.3023892438 fax: +1.3023892438
5215/2 SW 152 Court
Beaverton NA 97011
us

Administrative Contact:
Gregory Michell Michell.Gregory2009@yahoo.com
+1.3023892438 fax: +1.3023892438
5215/2 SW 152 Court
Beaverton NA 97011
us

Technical Contact:
Gregory Michell Michell.Gregory2009@yahoo.com
+1.3023892438 fax: +1.3023892438
5215/2 SW 152 Court
Beaverton NA 97011
us

Billing Contact:
Gregory Michell Michell.Gregory2009@yahoo.com
+1.3023892438 fax: +1.3023892438
5215/2 SW 152 Court
Beaverton NA 97011
us

DNS:
ns1.freedns.ws
ns2.freedns.ws

Created: 2009-06-25
Expires: 2010-06-25
That email address is well-known.

The site is hosted on 121.12.127.241 in China, it is probably safe to assume that every other site is similarly some sort of scam or malware site and should be avoided.

  • 00freewebhost.cn
  • Anilyclickux.com
  • Anilydclick.com
  • Anilymclicks.com
  • Armor1.info
  • Armor2.info
  • Autohitssite.com
  • Bote-abfertigung.com
  • Ckinter.cn
  • Ckinter.ru
  • Compy.info
  • Dia-company.net
  • Earntoclicklr.com
  • Festgroup.net
  • Googleautohits.com
  • Googledolis.com
  • Googledues.com
  • Googleehits.com
  • Googleipad.com
  • Googleledal.com
  • Googlepayclicks.com
  • Googlepayhits.com
  • Googlepaylr.com
  • Googlesrx.com
  • Ilos-group.com
  • Ilos-group.net
  • Inzo-group.com
  • Inzogroup.net
  • Inzo-group.net
  • Jethitclicks.com
  • Makemogoogle.com
  • Mavr-best.com
  • Medikmenty.com
  • Mybotnet.org
  • Perenils.cn
  • Prex-group.com
  • Prex-group.net
  • Resogroup.net
  • Smallclicks.net
  • Spyware-file.info
  • Spywarehome.info
  • Spywarepc.info
  • Spyware-systems.info
  • Taxvac.com
  • Thjgoogle.com
  • Tincash.cn
  • Varnagroup.net
  • Vicogroup.net
  • Viphack.ru
  • Vsehorosho.info
  • Zentin.net.cn

Thursday, 13 August 2009

Some "World of Warcraft" Scam sites

I don't play WoW myself, but there are a whole bunch of bad guys out there trying to rip off player accounts for money. Here are some recent domains hosted at scam-friendly YoHost.org that you should avoid.. if you HAVE entered your password into one of these sites, then change it NOW.

  • Blizzard-battle.net
  • Blizzard-promotion.com
  • Promotions-battle.net
  • Promotions-worldofwarcraft.com
  • Worldotwarcaft.net
  • Wowmovieteaser.com
  • Wowtcgpromotion.com

Wednesday, 12 August 2009

CA eTrust goes nuts with StdWin32 and other false positives

CA eTrust ITM has gone completely nuts today, with a load of seemingly random false positives mostly for StdWin32 in a large number of binaries, including some components of eTrust itself.

The core problem seems to be a signature update from 31.6.6672 to 33.3.7051, there seems to be little consistency in what is being detected as a false positive although there are multiple occurrences of Nokia software, VNC and event DLLs and EXEs belonging to eTrust's core components.

Probably the best thing to do is block the update or change the Realtime scanning behaviour to "disabled" or "report only".

Update: problem seems to have started at about 0525 GMT when the new signature pattern applied. There no consistent pattern to the infected files, it looks like it happens at random. Several other people seem to be having the same issue!

Update 2: Signature pattern 34.0.6674 appears to fix this problem. You can then enjoy repairing your faulty machines.. thanks CA!

Update 3: Amusingly, CA eTrust seems to have deleted its own key components in many cases. I don't know if this is the first recorded case of an anti-virus application mistaking itself as malware!

Update 4: CA have released a statment as follows:

Last night, CA released a new updated antimalware engine. This new release has resulted in false positive detections of a number of files. CA Threat Manager customers are the only customers being affected by this issue. This is not a result of signature updates and does not impact CA consumer Internet security products.

To resolve the issue, CA has rolled back the new engine and re-released its previous antimalware engine. CA customer support representatives are on call to answer customer questions and to provide remediation support. A remediation tool to rename the quarantined files is now available through CA support and will soon be accessible online.

CA is aggressively working to resolve the issue, assist any customers who have been affected, as well as identify the root cause of the incident. We apologize for this inconvenience and look forward to the roll out of our new antimalware engine, which will ultimately offer our customers many benefits including enhanced malware protection and improved performance.

Update 5: Got a mention on El Reg.. funny thing is that I went in to work today wearing my El Reg T-Shirt. Coincidence? Consiparacy? Cockup?

PS: Please remember to read the comments if you are still having problems!

Sunday, 9 August 2009

Fleos.com and Flyappraisal.com scams

Two more domain appraisal scams following on from this one, Fleos.com has been around for a few days and is a copy of the flyappraisals.com / flyrating.com fraud.

In the same vein, the scammers have also registered Flyappraisal.com which will not doubt be used for another batch of fake domain appraisal fraud soon.



Avoid these, and if you have paid for a so-called appraisal via PayPal, then use the PayPal dispute procedure to get your money back.

pddomains.com scam

This is part of a long-running scam where you receive an unsolicited offer for a domain name.. the scam is that you are offered a choice of three appraisal services, the cheapest of which is controlled by the scammer. Once you have paid for your appraisal, the offer to buy the domain mysteriously dries up.

Subject: Offer to buy [redacted]
From: "Resale Domain" <resaledomain@gmail.com>
Date: Sun, August 9, 2009 6:00 am

Dear Sir,

we are interested to buy your domain name [redacted] and offer 65% of the appraised market value.
As of now we accept appraisals from either one of the following leading appraisal companies:

sedo.com
pddomains.com
accuratedomains.com

If you already have an appraisal please forward it to us.

As soon as we have received your appraisal we will send you our payment (we use Paypal for amounts less than $2,000 and escrow.com for amounts above $2,000) as well as further instructions on how to complete the transfer of the domain name.

We appreciate your business,

Thank you,

B. Phillips
Resale Domain


The site looks professional enough, but it's a cookie-cutter design that has been used for previous frauds here, here, here and here although sometimes the same crew use this design.

Email originates from 64.186.128.191 in the US and points to a domain on 124.217.231.209 in Malaysia. WHOIS details are anonymised and the domain was only registered on 7th August, nontheless the most likely perpetrator is detailed here.

If you have paid for an appraisal, then you should start a PayPal dispute to get a refund. Hopefully, that will also get the fraudster's account shut down.

Tuesday, 28 July 2009

MS09-034 is coming..

Just a reminder that Microsoft are announcing an out-of-band patch today to fix a critical IE / Visual Studio flaw. If you manually authorise updates to client PCs via WSUS, then you will need to break the usual schedule and deploy this as soon as you can.

More info here and here.

Friday, 24 July 2009

"Best Crisis Prices": dotbestshop.com / bestcrisisprices.com fake shops

I mentioned bestcrisesprices.com a few weeks ago, and it seems that they have a new domain called dotbestshop.com which is also a fake ecommerce site.


Both sites are hosted on an an anonymous hosting account at 124.217.231.121 in Malaysia, the domain contact details are either anonymous or fake. The contact details on the website are also fake, and have been stolen from legitimate businesses.

It claims to be a member of the BBB, but it isn't as the BBB reports that it is mis-using their logo.

This is part of a large organized crime ring, nominally connected with China. Although it claims to be based in Louisiana, there is no evidence at all that this is a US operation. Avoid dealing with them at all costs.

Thursday, 23 July 2009

Even the bad guys need a back office

Last November, I posted a warning about Ran-De-Vou which was recruiting for translators.. the problem being that the company was part of an organised crime ring and the translations themselves were aided phishing and the like.

Well, "Juice" gave them a go and the result is this interesting insight into the bad guys' back office functions.. enjoy!

"Real Host Ltd" is a real sewer

This summary is not available. Please click here to view the post.

Wednesday, 22 July 2009

Even more pathetic SpamCop.net phish

I thought that phishing emails couldn't get more rubbish than this but it turns out that I was wrong. Enjoy:

Subject: FINAL ACCOUNT UPDATE!!!
From: "SPAMCOP SUPPORT TEAM" <helpdesk@spamcop.net>
Date: Wed, July 22, 2009 7:15 pm

Dear spamcop.net Subscriber,

We are currently carrying-out a mantainace
process to your spamcop.net account, to
complete this, you must reply to
this mail immediately, and enter your
User Name here (,,,,,,,,) And Password here
(.......) if you are the rightful owner of
this account.

This process we help us to fight against
spam mails.Failure to summit your password,
will render your email address
in-active from our database.

NOTE: If your have done this before, you may ignore
this mail. You will be send a password reset
messenge in next seven (7)
working days after undergoing this process
for security reasons.

Thank you for using spamcop.net!
THE SPAMCOP TEAM


The Reply-To email address is verification_teamss12@yahoo.com.hk, originating IP is 203.59.222.34.

Tuesday, 14 July 2009

43.gs: massive Google SERPs poisoning

I can't tell if this is accidental or deliberate, but there are a whole bunch of spam entries in Google for the 43.gs domain as you can see from this search.

It looks like some sort of redirect or copy, but the odd thing is that the 43.gs subdomain actually points to the legitimate server.

For example, ethviumvthvie.43.gs resolves as 198.246.98.21 which belongs to the US Centers for Disease Control (CDC). For some reason, the CDC server accepts requests for ethviumvthvie.43.gs as a request to display the genuine website.

As a result, Google has about 3.2 million results for 43.gs subdomains, all of which are duplicates of existing sites.

It looks like 43.gs offers some sort of legitimate URL shortening service based on subdomain names rather than the more common tinurl/bit.ly. Have the bad guys found a way to use this to their advantage? Are they suddenly going to switch traffic to somewhere bad?

43.gs is showing a small bump in traffic recently, perhaps as a result of this?

Presumably there is a way of telling your web server to reject this kind of request.

Really pathetic SpamCop.net webmail phish

Probably the most pathetic phish ever - the bad guys nicely provide a space in the email for you to put your username and password and then email it back. Combined with a fairly vague grasp of the English language, then it's hard to see that this would fool anyone at all.

From: "SpamCop Webmaster online" <spamcop.net.webmaster@mchsi.com>
Date: Tue, July 14, 2009 4:11 pm
Cc: recipient list not shown:;
Priority: Normal

Dear SpamCop Webmail online Email Account Owner,

Important notice, harmful virus was detected in your account which can be harmful to our subscriber unit.You are to enter your Username and Password here {____________, __________} to enable us set in an anti virus in your user account to clear up this virus. we do need your co-operation in this, Providing us with this information we enable us insert in your account an anti virus machine for clean up.

We are sorry for the inconveniences this might have cost you. Failure to do this, we are sorry to let you know that your account will be deleted immediately to prevent it from arming our subscriber unit.

Thank you for using SpamCop Webmail,
We are glad at your service,
SpamCop Webmaster online.
Originating IP is an open proxy at 200.65.129.2.

Korea DDOS - run for the hills!

The recent DDOS attacks against Korean and US government sites is well known, with calls for reprisals ranging from "cyber-attacks" to the occasional nutjob suggesting that real bombs are used.

Unfortunately, it turns out that the C&C server for the botnet carrying out the attack may well be in the UK. So perhaps we can expect a rush of malformed packets and/or Tomahawk cruise missiles heading the the UK soon..

via

Monday, 6 July 2009

Phorm: hahahahah

With a bit of luck, it appears that Phorm may be going down the toilet, as BT announce that they are not going to deploy Phorm's deep packet inspection technology. More at the BBC News site.

With a bit of luck, Phorm's share price will end up as a penny stock very soon.

Thursday, 2 July 2009

Domain scam: ntwifinetwork.com / js-wifi.cn

The old Chinese domain scam has been around for years, but these guys are getting lazy because they haven't changed their domains for months, this is esentially unchanged from April.

Subject: Domain Dispute and Registration
From: "Sunny"
Date: Thu, July 2, 2009 4:07 am

To whom it may concern: 2009-7-2

We are a domain name registration service company in Asia,

Last week we received a formal application submited by Justin Lin who wanted to use the keyword "REDACTED" to register the Internet Brand and with suffix such as .cn /.com.cn /.net.cn/.hk/ .asia/ domain names.

After our initial examination, we found that these domain names to be applied for registration are same as your domain name and trademark. We aren¡¯t sure whether you have any relation with him. Because these domain names would produce possible dispute, now we have hold down his registration, but if we do not get your company¡¯s an reply in the next 5 working days, we will approve his company's application

In order to handle this issue better, Please contact us by Fax ,Telephone or Email as soon as possible.



Yours sincerely

Sunny

Checking Department

Tel: 86 513 8532 1087
Fax: 86 513 8532 2065
Email:Sunny@ntwifinetwork.com
Website: www.js-wifi.cn

Our File No.:2272363

Originating IP is 122.193.216.10.

As ever, legitimate domain registrars do not send out this type of email because they are NOT responsible for this activity. Sometimes the Chinese domains get registered, sometimes they are ALREADY registered, and often they never get registered. But before you panic and pay money to these scammers, consider this: there are hundreds of top-level domains in the world. Do you really want to buy your domain for all of them? The answer is probably "no".

The best advice is to ignore this email completely.

Tuesday, 30 June 2009

%SI_subj: miserable spam failure

Possibly one of the most miserable spam failures I have ever seen - the idiot spammer somehow forgot to populate the % fields with actual data. It just goes to reinforce that spammers are stupid.

Subject: %SI_subj
From: "Lily Lovett"
Date: Tue, June 30, 2009 2:47 pm

You don’t need to %SI3_rnd10
rod’s %SI3_rnd11 and %SI3_rnd12 %SI3_rnd13’ jokes!

This is a %SI3_rnd14 for
%SI3_rnd15 your
%SI3_rnd16! It will
%SI3_rnd17 in seconds after she %SI3_rnd18 and %SI3_rnd19 as good as if it was
a %SI3_rnd20 rod!

No more jokes – you will always get %SI3_rnd21 and moans! The huge pack
costs less than 30 %SI3_rnd22!

%SI3_rnd23 can be a %SI3_rnd24! No one will know about your %SI3_rnd25!

%SI3_rnd26 now and save more than $10 regardless of
your order’s size!

The hypertext link goes to %SI_link3 rather than a valid address.

Presumably this is a penile enhancement product. By the looks of it, the spammer you do with an intelligence enhancement product.