Sponsored by..

Sunday, 11 July 2010

Evil network: Pegashosting Network / pegashosting.com 178.162.135.0/24 (AS28753)

This summary is not available. Please click here to view the post.

hiring-westunion.com scam email

This scam email is recruiting people for money laundering and other criminal activities using the fraudulent domain hiring-westunion.com:

From: Molly Leary
Date: 11 July 2010 01:23
subject: Open Positions

Greetings


I’m addressing you on behalf of the HR department of a large company. Our company covers a wide range of businesses:
- real estate
– accounts opening
– undertaking services
– etc.

We need a person to fill the vacancy of a regional manager in Europe:
- salary 2.400 euro + bonus
- 2–3 working hours per day
- flexible work time


If you are ready to work as a regional manager in Europe send us the below information on email:
c v @ h i r i n g - w e s t u n i o n . c o m [please delete spaces before sending]
Full name:
Country:
E-mail:
Mobile phone-number:



Note! We are searching Europeans only!

Please, write your name and Telephone Number so that our manager could contact you and conduct an interview. 
This domain attempts to pass itself off as the legitimate Western Union company, it was registered a few days ago to what appears to be a real address but is almost definitely fake too:

Domain name: hiring-westunion.com

Registrant Contact:
   PBsoft, inc
   Harry Bishop Harry.PBishop@yahoo.com
   818372-9865 fax: 818372-9865
   2850 Luna Pl
   Granada Hills CA 91344-1644
   us

Administrative Contact:
   Harry Bishop Harry.PBishop@yahoo.com
   818372-9865 fax: 818372-9865
   2850 Luna Pl
   Granada Hills CA 91344-1644
   us

Technical Contact:
   Harry Bishop Harry.PBishop@yahoo.com
   818372-9865 fax: 818372-9865
   2850 Luna Pl
   Granada Hills CA 91344-1644
   us

Billing Contact:
   Harry Bishop Harry.PBishop@yahoo.com
   818372-9865 fax: 818372-9865
   2850 Luna Pl
   Granada Hills CA 91344-1644
   us

DNS:
ns1.pegas-dns.org
ns2.pegas-dns.org

Created: 2010-06-22
Expires: 2011-06-22

The registrar is the scammer's favourite, BIZCN.com of China. The web server and mail is hosted on 178.162.135.108 on PegasHosting Network in the Ukraine. Email originated from 201.246.77.170, an ADSL subscriber in Chile.

This is not a real job, anything that they offer is likely to be some sort of criminal activity such as money laundering, parcel reshipping and other fraudulent back office functions.

Update 19/7/10: the spam is being sent out again, now hosted on 79.119.213.2 in Romania along with  Westunionhiring.com - if you get this, send an abuse complain to the host at abuse -at- rcs-rds.ro

Wednesday, 7 July 2010

Tuesday, 6 July 2010

"Blackberry Storm Promotion" scam email

is fake email appears to have been created to flood an innocent party's mailbox with spam and generate unwanted phone calls (the number may well be a real one belonging to RIM in South Africa). BlackBerry / Research In Motion are nothing to do with this email, it is a hoax.. please ignore it and do not try to contact "Amanda". More on this scam here.


Subject: Blackberry Storm Promotion.


http://www.mobilegazette.com/handsets/blackberry/blackberry-9500/blackberry-storm-9500-combo.jpg
 
Dear All,

 
Blackberry is giving away  free phones as part of their promotional drive.

 
All you need to do is send a copy of this email to 8 people; and you will receive your phone in less than 24 hrs.

Please note that if you send to more than 20 people you will receive two phones.

 
 
Please do not forget to send a copy to: amanda.lee@blackberry.com
 
With Regards,

 
Amanda Lee (Marketing Manager)

Office Number: 0027 11 7838512


Evil network: AS49544 (195.78.108.0/23) / GlobalRouting.eu

AS49544 is a network with IP addresses ranging from 195.78.108.1 - 195.78.109.255 which claims to be in the Netherlands, but may actually be in the Ukraine. The WHOIS details for the range are suspect as they refer to a domain globalrouting.eu which actually appears to be a legitimate weather forecasting service. Everything about the domain registration details smells of a hijack.. I would strongly suggest that contacting ipadmin@globalrouting.eu would be counter-productive in this instance, it may even be dangerous.

Out of the /23 there seem to be exactly zero legitimate sites, many of them are involved in malware distribution. It is probably worth blocking the entire IP address range. Google's safe browsing diagnostic for the AS is damning:

What happened when Google visited sites hosted on this network?

Of the 4157 site(s) we tested on this network over the past 90 days, 96 site(s), including, for example, stimulus.nu/, turisticki-aranzmani.com/, webconsulenti.net/, served content that resulted in malicious software being downloaded and installed without user consent.

The last time Google tested a site on this network was on 2010-07-05, and the last time suspicious content was found was on 2010-07-05.

Has this network hosted sites acting as intermediaries for further malware distribution?

Over the past 90 days, we found 73 site(s) on this network, including, for example, skottles.com/, baidustatz.com/, pinalbal.com/, that appeared to function as intermediaries for the infection of 9529 other site(s) including, for example, managerz.nl/, 189ppc.com/, czonline.net/.

Has this network hosted sites that have distributed malware?

Yes, this network has hosted sites that have distributed malicious software in the past 90 days. We found 182 site(s), including, for example, convart.com/, skottles.com/, augami.net/, that infected 11610 other site(s), including, for example, managerz.nl/, forosdz.com/, 189ppc.com/.
The suspect WHOIS details for the range are:


inetnum:        195.78.108.0 - 195.78.109.255
netname:        GlobalRouting-NL-NET
mnt-routes:     SERVERBOOST-MNT
remarks:        Global Routing
remarks:        i3d rotterdam route
remarks:        for abuse please contact ipadmin@globalrouting.eu
org:            ORG-POIS1-RIPE
country:        EU
admin-c:        greu
tech-c:         greu
status:         ASSIGNED PI
mnt-by:         RIPE-NCC-END-MNT
mnt-by:         globalrouting
mnt-lower:      RIPE-NCC-END-MNT
mnt-routes:     globalrouting
mnt-domains:    globalrouting
source:         RIPE # Filtered
descr:          PI Obodovsky Ivan Sergeevich

organisation:   ORG-POIS1-RIPE
org-name:       Global Routing
org-type:       OTHER
address:        Piet Paaltjensplein 70, 3030 TZ Rotterdam, The Netherlands
e-mail:         ipadmin@globalrouting.eu
mnt-ref:        globalrouting
mnt-by:         globalrouting
source:         RIPE # Filtered

role:           GlobalRouting contact role
address:        Piet Paaltjensplein 70, 3030 TZ Rotterdam, The Netherlands
mnt-by:         globalrouting
e-mail:         ipadmin@globalrouting.eu
admin-c:        rkgr
tech-c:         rkgr
nic-hdl:        greu
source:         RIPE # Filtered

route:          195.78.108.0/23
descr:          GLOBALROUTING
origin:         AS49544
mnt-by:         SERVERBOOST-MNT
source:         RIPE # Filtered

Sites hosted on the range include:

8porn-tube-free.info
All-tube-porn.biz
All-tube-porn.com
All-tube-porn.info
All-tube-porn.net
All-tube-porn.org
Free-checker-spyware.com
Free-checker-spyware.net
Free-checker-spyware.org
Free-download-host.info
Free-porn-tube8.biz
Free-spyware-checker.biz
Free-tube-adult.com
Free-tube-porn.net
Hot-porn-online.com
Hot-porn-tube.biz
Hot-porn-tube.info
Hot-porn-tube.net
Hot-porn-tube.org
Hot-tube-porn.com
Jeasoftware.info
My-adult-tube.com
My-free-tube.com
Now-download-host.com
Now-download-host.info
Now-download-host.net
Now-download-host.org
Now-download-hosting.biz
Now-download-hosting.com
Now-download-hosting.info
Now-download-hosting.net
Now-download-hosting.org
Online-porn-tube.com
Online-tube-porn.com
Pohsoft.info
Porn-tube-adult.com
Porn-tube-free.com
Porn-tube-free.info
Porn-tube-free.net
Porn-tube-free.org
Porn-tube8-free.biz
Porn-tube8-free.com
Porn-tube8-free.info
Porn-tube8-free.net
Porn-tube8-free.org
Retdownload.info
Riupdate.info
Spyware-checker.org
Spyware-free-checker.biz
Spyware-free-checker.com
Spyware-free-checker.info
Spyware-free-checker.net
Spyware-free-checker.org
Tmclean.info
Turboshare.biz
Goodelizrl.info
Kenyeiiaiqmyrick.info
Ligiaglrrandi.info
Milionarybook.info
Mynewgf.biz
Newgetpayday.com
Nyrmurrayriaci.info
Peierqqvangelena.info
Shopiping.com
Thissdomainwassoldd.com
Enrierrarell.info
Ath8net.com
Messorg.com
Adskape.biz
Adskape.com
Adskape.info
Adskape.net
Adskape.ru
Iner.kz
Misa.kz
Zragore.info
Afran.org
Augami.net
Otilard.com
Btgwert.net
Download-host-free.biz
Download-host-free.com
Download-host-free.org
Download-host-now.biz
Free-checker-malware.com
Free-checker-malware.net
Free-checker-malware.org
Free-checker-spyware.biz
Free-checker-spyware.info
Free-malware-checker.info
Free-malware-checker.net
Free-porn-tube8.info
Free-porn-tube8.net
Free-tube8-porn.com
Free-tube8-porn.info
Jkeowq.in
Kterot.in
Ktoewp.in
Kyjoer.in
Kypync.in
Kyuorr.in
Kyuwew.in
Leotpu.in
Lkctjo.in
Malware-checker-free.org
Malware-free-checker.com
Malware-free-checker.net
Malware-free-checker.org
Uwfjti.in
Myitunesclub.com
Mytunesclubs.com
Camption.com
Icpa-network.com
Matsion.com
Newitunesclub.com
Bogleanalytics.net
Pop-under.ru
Popunder.ru
4vodka.ru
Bastion.in
Bestgoldshow.com
Favarote.com
Freeodnoklassniki.info
Fullgsmcontrol.com
Goldsdirect.com
Homeinteriorview.com
Lastingviewestates.com
Mobiread.info
Myodnoklassniki.info
Odspy.com
Odspy.net
Odspy.org
Oknolens.info
Phonereader.ru
Proguard.in
Secretodnoklassniki.com
Sexsekret.com
Shpionodnoklassniki.com
Shpionvkontakte.com
Spy-odnoklassniki.com
Spy-vkontakte.com
Spyod.com
Spyvkontakte.info
Syserror.ru
Theodnoklassniki.info
V2kontakte.info
Viewbarworld.com
Vkontaktespy.info
Vkontaktus.ru
1000-ga.ru
1000-gektar.ru
1000g.ru
1001-ga.ru
1designs.ru
5vn.ru
B2b-site.ru
Chudomira.ru
Diplom-vam.ru
G1000.ru
Gek1000.ru
Gotovki77.ru
Hombrus.ru
Images-web.ru
Imagesweb.ru
Karkas-2900.ru
Karkas4dom.ru
Kredit-russia.info
Logvian.ru
M505.net
Mnogo-vakansii.ru
Mnogvak.ru
Netpost.su
Nsvp.ru
Prdomen.mobi
Prestiged.ru
Rabota-dlya-vas.ru
Royalmall.ru
Seminartut.ru
Uznaiseo.ru
Vam-pismo.su
Vip-osobnyak.ru
Yandex-top10.ru
Yandextop10.com
Z303.net
Liveinjamaika.info
Looking4reserve.com
Antivirus-on-line.net
Updates-online.net
Widnow-scanning-online.net
Golivnik.com
Ndnsgw.net
2u-panama.com
Big-push2010.com
Digitalway10.net
Drain-brain2.com
Foxcox555.com
Grainstudy.com
Kexpex123.com
Realdream4me.com
Admikasdom.com
Formgrabb.com
Kislota2010.com
Msmsmm.com
Noloader.com
Nowm32.com
Se-code.net
Secbanking.com
The-goodlike.com
Wstat.cn

Your best bet is to block the entire IP range and/or monitor for client traffic going to it.

Thursday, 1 July 2010

ultrasantifa.blogspot.com apparent Joe Job

This strange looking email plopped into my mailbox:

Date: 1 July 2010 07:31
subject: hola
   
We are european fascists ! Fight for racial purity ! Our time begins! We are strong and can build new Reich! Join to us! We call on all people visit out sites. On them you will find information about war against system! Sieg heil fascist, nordic nazi! Adresses of our sites you can see below: http://ultrasantifa.blogspot.com
Given that fascists rarely seem to advertise themselves via spam and the whole language seems over the top I thought it looked a but suspect and worth of some further investigation.

ultrasantifa.blogspot.com is (or rather was) a blog entitled "Antifa Ultras and Hooligans". Antifa means "anti-fascist", and this Russian language blog featured radical anti-fascist ideas and football, usually both at the same time. The blog linked to some other sites that might well be advocating violence, but there was certainly no way that this was a pro-fascist blog.

So, this appears to be a Joe Job and it also appears to have been successful as ultrasantifa.blogspot.com is currently 404ing. So, presumably neither Google (who hosted the blog) nor the people complaining about the spam actually checked the site..

Just for the record the email originated from 41.145.224.130, an IP address in South Africa, but I guess it's just part of a botnet-for-hire.

Sagade Ltd is still evil

I blogged about AS6851 / Sagade Ltd / ATECH-SAGADE a little while ago. A Java-based drive-by download from one of their servers brought them to my attention again.

Basically, 91.188.59.0 - 91.188.59.255 is completely evil and has no legitimate use as far as I can see. Block this range if you can. At the moment the following sites are hosted, none of which appear to be good:

AS6851
1zabslwvn538n4i5tcjl.com
Urodinam.net
A-fast.com
Td0.ru
Fgavno.ru
Kerrimckeetq.info
Marguriiexyhamlin.info
Privatetechnology.biz
Systemcodec.net
Traffcash.biz
Maiamaribeihlv.info
Fastglobosearch.com
Kimirleonarda.info
Fastprosearch.com
Nitrosearch.info
Syscodec.net
System-codec.com
Mokato.com
Viasot.com
Brenz.pl
Chura.pl
Ghura.pl
Lometr.pl
Trenz.pl
Zief.pl
Best-web-365.com
Better-web-247.com
Better-web-365.com
Better-web-777.com
My-best-web.com
Pakwer.com
Facebook-hacking.com
Hack-vk.ru
Hacked-facebook.com
Hacks-centre.com
Icq-hk.com
Icq-lom.ru
Message-history.ru
Myspace-hk.com
Polomali.ru
Twitter-hk.com
Vk-lom.ru
Vzlomaem-kontakt.ru
Vzlomaem-vk.ru
Hitstable.com
Macromediasetup.com
Dewesan.cn
Domen-zaibisya.com
Get-money-now.net
Webgetsmart.com
Webmovedesigns.com
Mediagotech.com
Networkget.com
Webgetwisdom.com
Websitecoolgo.com
Edscorpor.com
Edsctrum.com
Edsletter.com
Edsnewter.com
Edsogos.com
Edsprofit.com
Edsrise.com
Edsspectr.com
Edstofee.com
Engduates.com
Blogslivehost.in
Freeblogshost.in
Mysuperblogs.in
Freeliveblog.in
Blogs4free.in
Host4blogs.in
Freehomeblogs.in
Myhomeblog.in
Webblog4you.in
Getfreeblog.in
Blogservice.in
Freejournal.in
Billsolutions.net
Fastsecurebilling.com
Fast-payments.com
Easypayments-online.com
Billingonline.net
Manytis.com
Winepsy.com
Yourprofitclub.net
Yourerolive.com
Bombastats.com
Happyinstalls.com
Pornowars.info
Superspuperporn.com
Pornopeace.info
Smackmybitch.info
Hnarmettis.com
Mnuyetsgrr.com
Nuvolokijj.com
Smackbybitch.com
Videosite1.com
Fuck-studies.com
Ns00ns11.com
Sys-mesage.com
Syssmessage.com
Sysstem-mesage.com
Traffic-server1.org
Traffic-source.org
Traffic-source1.org
Trafficserver1.org
Trafic-source.org
Traficserver.org
Viiistifor1.com
Visiocarii1l.net
Skachivay.com
Eupharmacie.eu
Propeciacheappills.com
Allforyouplus.net
Asianrapemovies.com
Hotfilesfordownload.com
Hotquickiefuck.com
Rape-rape-rape.com
Rapepornrape.com
Sasha-blonde.com
You-porn-movies.com
Youfoundporn.com
Youpornfiles.com
Allforil1i.com
Alltubeforfree.com
Allxtubevids.net
Downloadfreenow.in
Freeanalsextubemovies.com
Freetube06.com
Freeviewgogo.com
Homeamateurclips.com
Hotxtube.in
Hotxxxtubevideo.com
Iil10oil0.com
Ilio01ili1.com
Illinoli1l.in
Porn-tube-video.com
Porntube2000.com
Porntubefast.com
Viewnowfast.com
Viewxxxfreegall.net
Xhuilil1ii.com
Youvideoxxx.com
Cern-a.com
Xbasex.com
Asspuc.com
Bux.kz
Kinorik.com
Pussylover.in
Conikor.com
Igottrafa.in
Life-dvd.ru
Maydaydom1.in
Magnabent.com
Gillestmh.com
Gillestmh.info
Indyvettes.info
Perviewguide.com
Perviewguide.info
Tesmundo.info
Todostes.info
Allhomeinfo.com
Allhomeinfo.net
Cheapsoftware.cc
Deswelt.com
Deswelt.net
Rodfirst.com
Solaruploaderz.com
Kdjkfjskdfjlskdjf.com
Stablednsstuff.com

These sites are either involved in illegal activities or malware distribution, avoid them.

Read this, install this.

Read this, install this.

FIVE STARS GOLD MINING CO. LTD

Sometimes the dangers of fraud are worse than just losing money. This particular scam email seems to be designed to tempt you to travel to Ghana, where there's a fair chance that you might be kidnapped (as happened in this case). Although Nigeria has the worst reputation for fraud and kidnap in Africa, Ghana is not far behind.

A couple of other telltale signs that this particular spam is not legitimate are that it was sent to a nonexistant email address from a computer in Japan that had been compromised with a virus.

Gold costs about $40,000 per kilo, this scam email is offering 250 kg of quite pure gold for $24,000 when the true value would be closer to $10 million. Note that if you actually do travel to Ghana to inspect this "bargain gold" then you are also effectively saying that you have at least $24,000 in cash assets in the back.. you may as well write KIDNAP ME on your forehead!


From: FROM: FIVE STARS GOLD MINING CO. LTD.)
Reply-To: 5xminingoldaccra@discuz.org
Date: 30 June 2010 19:42
Subject: FROM: FIVE STARS GOLD MINING CO. LTD.)
Attention:

we are agent to FIVE STARS GOLD MINING CO. LTD. We are located in Accra, the Capital city of Ghana. We are a certified and duly registered agent dealing with a Gold Company in the Republic of Ghana. They have mining concessions in the Kumasi region and Western Regions of Ghana.

Their monthly product is between 275kgs to 325kgs. They have over 1000MT of Gold in our Storage.

At Present, we have Commodity: Gold (AU) Nuggets in Ghana
Origin: Ghana
Quantity: 250kgs
Quality: 23+ carat
Purity: 98% ++
Price: $24,000USD
Delivery: Buyers destination.

we write to inform you that in other to proceed with our offer, we need the following information for necessary legal documentation.

1: Your Full Names.
2: Your Mailing Address
3: A scan copy of your international passport.
4: Your Direct Mobile Number.

However, you will be require to make a contingent trip to Ghana to see the Gold. Kindly let us know how many kilos you are willing to buy at this time.

We will be happy to hear your desire to doing business with us. We can assure you that we will give you an appreciable offer. your passport this week. Hope to hear from you soon.
Attach is a copy of the pictures.

Have a good day.

Mrs Joyce Kate. 
 
 


Wednesday, 30 June 2010

German language money mule email

Money mule (money laundering) emails are pretty common in English, but this one is in German. It is really no different from any other scam job offer and should be avoided at all costs. In this case, the message solicits replies to a free email address at net.hr.

Date: Wed, 30 Jun 2010 21:28:14 +0100
From: "Pauline wurth"
Subject: HI

Sehr geehrte Damen und Herren,
wir suchen zur Zeit aktive Mitarbeiter fuer lang und kurzfristige Arbeit in den Bereich Testeinkaufer und Kurier landesweit. Die Stellen sind ab sofort frei und sofort zu belegen.

Sie fragen sich bestimmt wie wir auf Sie aufmerksam geworden sind. Die Bundesagentur fur Arbeit hat uns Ihre Personaldaten ubermittelt, damit wir selbst mit Ihnen in den Kontakt treten konnten. Leider konnen wir auf der Etappe noch nicht eine personalisierte Anwerbung vornehmen und bitten Sie hoflichst um eine Entschuldigung und um Ihr Verstandnis fur die Tatsache, dass wir Sie nicht angerufen haben oder Sie noch nicht bei Ihrem Namen nennen.

Voraussetzungen die Sie mitbringen sollten:

- Computer-Grundkenntnisse Internet, Email, Drucken
- Puenktlichkeit und Genauigkeit
- telefonische erreichbarkeit
- Volljaehrig

Was wir Ihnen bieten:
- Abwechslungsreiche Taetigkeit
- Flexible Arbeitszeiten auch in Teilzeit
- Fortlaufendes Training durch verschiedene Aufgaben
- 5 Tage-Woche
- Urlaubsgeld / Weihnachtsgeld

Die Arbeitszeit betraegt 2-3 Stunden 5 Tage die Woche. Der Verdienst betraegt 1150 Euro pro monat netto. Sie koennen die Taetigkeit auch als Zweit-Beruf ausfuehren. Fuer Rentner sind die Stellen besonders gut geeignet. Ein Firmenfahrzeug stellen wir Ihnen auf Wunsch zur Verfuegung. Weitere Informationen gibt es nach einer kurzen Bewerbung.

Wenn wir Ihr Interesse geweckt haben, dann freuen wir uns auf Ihre Antwort mit kurzen Bewerbungen an unsere Bewerbung-Stelle: denispred@net.hr


which translates roughly as:

Ladies and Gentlemen,
We are currently looking for active employees for long and short-term work in the area of test purchasing and nationwide couriers. The positions are now free to be filled immediately.

You may wonder why you have heard from us. The Federal Agency for Labour has given us your personal data so that we could contact you directly. Unfortunately we can not at the stage yet to make a personalized recruitment message and ask politely for you to forgive us and for your understanding for the fact that we can not yet address you by name.

You should fulfill the following requirements:

- Basic computer skills Internet, Email, Printing
- Punctuality and precision
- Telephone accessibility
- Age of majority

What we offer:
- Varied activity
- Flexible working hours and part-time
- Ongoing training through various tasks
- 5 day week
- Holiday / Christmas money

The working time is 2-3 hours 5 days a week. The reward is €1150 per month net. You can choose the activity as a second job. Pensioners are particularly well suited to our jobs. A company car can be found on request. Further information is available after a short job application.

If we have aroused your interest, we look forward to your reply with short resumes to our application address: denispred@net.hr

netmps.com scam job offer

Another scam email from a fake company calling itself NetTemps Inc (there are several legitimate companies with similar names though). The job itself is likely to be money laundering or some other illegal activity.

Date: Wed, 30 Jun 2010 14:28:47 -0300
From: "Crowell1924"
Subject: hiring

Looking for a job? My name is Juliette Barnes, I am a recruiting manager of NetTemps Inc, a recruiting agency for direct-hire, contract, and freelance professionals within various professions.                          
      
Today I would like introduce some part-time and virtual office vacancies in the spheres of Advertising, Education, Engineering, Finance, Health care, Information technology, Media, Real estate and Transportation.                   
        
If you are interested to learn more about the jobs offered, please get back to me, providing your name and contact number.                    
                           
We are eager to help you find a better job and improve your career!    
            
If you have questions, please do not hesitate to e-mail me on:   
               
e u r o p e @ n e t m p s . c o m      [please delete spaces in the email address before sending it to us]                           
                           
Yours sincerely,                            
Juliette Barnes  
NetTemps Inc    
WHOIS details are the usual rubbish:

Registrant Name: Maria Varshavskaya
Registrant Organization: NA
Registrant Street1: ul. Elninskaya d.14 k.1 kv.10
Registrant Street2:
Registrant City: Moskva
Registrant State/Province: Moskva
Registrant Postal Code: 121615
Registrant Country: RU
Registrant Phone: 7.4959219347
Registrant Phone Ext.:
Registrant FAX: 7.4959219347
Registrant Email: rabid@fastermail.ru
Admin Name: Maria Varshavskaya
Admin Organization: NA
Admin Street1: ul. Elninskaya d.14 k.1 kv.10
Admin Street2:
Admin City: Moskva
Admin State/Province: Moskva
Admin Postal Code: 121615
Admin Country: RU
Admin Phone: 7.4959219347
Admin Phone Ext.:
Admin FAX: 7.4959219347
Admin Email: rabid@fastermail.ru
Billing Name: Maria Varshavskaya
Billing Organization: NA
Billing Street1: ul. Elninskaya d.14 k.1 kv.10
Billing Street2:
Billing City: Moskva
Billing State/Province: Moskva
Billing Postal Code: 121615
Billing Country: RU
Billing Phone: 7.4959219347
Billing Phone Ext.:
Billing FAX: 7.4959219347
Billing Email: rabid@fastermail.ru
Tech Name: Maria Varshavskaya
Tech Organization: NA
Tech Street1: ul. Elninskaya d.14 k.1 kv.10
Tech Street2:
Tech City: Moskva
Tech State/Province: Moskva
Tech Postal Code: 121615
Tech Country: RU
Tech Phone: 7.4959219347
Tech Phone Ext.:
Tech FAX: 7.4959219347
Tech Email: rabid@fastermail.ru
Name Servers:
ns1.loopcool.net
ns1.growthire.com


Plus a few related evil domains to avoid

  • loopcool.net
  • netmps.com
  • netpts.org
  • nettempsin.co.uk
  • nettes.org
  • nettms.eu
  • nettms.net
  • nettps.net
  • growthire.com
You can read more on this particular bogus job offer here, here and here.

Tuesday, 22 June 2010

Virus / Malware on Nokia.com / miisolutions.net

Nokia.com appears to have been compromised through a third-party script:


europe.nokia.com (e.g. hxxp:||europe.nokia.com/support/download-software/nokia-pc-suite) ->
nokia.tt.omtrdc.net ->
omniture-nokia.secure.miisolutions.net ->
oploya.fancountblogger.com:8080

Details on the general attack can be found here. It appears that miisolutions.net has had malicious code injected into the script, rather than it being Nokia.com itself that has been hacked.At the time of writing the malicious code is still present.

Update: the infected page at miisolutions.net has been taken down.

Wednesday, 16 June 2010

"OFFICIAL WARNING FROM FBI" scam

An old scam, pretty much the flipside of the usual Advanced Fee Fraud. This one preys upon innocent victims by accusing them of money laundering, but the details don't pan out. Quite apart from the ridiculous proposition and free email addresses used, phrases like "shady", "waded in", "graft" and exclamation marks are something you would never expect to see in an official communication from law enforcement. Besides, I really don't think that the FBI email you if they suspect you are up to terrorist activities..

From: Anti Graft.
Reply-to: antiterrorist.crimesdiv.2010@megafastmail.com
date    16 June 2010 09:37
subject    OFFICIAL WARNING FROM FBI.

ANTI-TERRORIST AND MONETARY CRIMES DIVISION
FBI HEADQUARTERS IN WASHINGTON, D.C.
Federal Bureau Of Investigation.
FBI-Washington Field Office
601 4th Street, NW
Washington, DC 20535
Website: www.fbi.gov
Phone: 202-595-1344

DATE:15/06/2010

It has been discovered that your contract/inheritance/winning FUND was about being transferred to an unknown account under your name. This attempt was perpetrated by someone who claims to be working for you, and that you have given him due authority to have the FUND moved to the account specified below:

SOUTHWESTERN FEDERAL CREDIT UNION
WESCORP 924 OVERLAND COURT
SAN DIMAS, CA 91772. USA.
ACCOUNT NUMBER: 322079133
ABA/ROUTING NUMBER: 1220-41-21-9
SHARETYPE NO.: 25
FINAL CREDIT  HABIB FENZI AND CO. (Beneficiary).

The Federal Bureau of Investigation (F.B.I.) waded in after being alerted by the supposed bank. We investigated and found that there is a possible money laundering activity in play.The FUND US$10,500,000.00(Ten Million Five Hundred Thousand United States Dollars) was found to be deposited in Bank of America in your name pending your consent to have it transferred to the new account indicated above. It was further revealed that initial FUND transfer originated from Nigeria to England and now here in Bank of America in USA.

These transfers did not follow due process in line with the international FUND transfer rules and regulation.Consequently,we suspect this be a terrorism funding, drug related fund deposit and/or money laundering. As stated above, the FUND has your name on it; and you must have it cleared of any connection with any of these illegal activities.Be informed that FAILURE to have this cleared out will attract a JAIL TERM.We will not hesitate to visit the full weight of the law upon you if you do not clear this fund.There is every indication that you are involved in this shady deal.

Finally, you are expected to have the CLEARANCE DOCUMENT obtain from where the FUND originated from to have you and your fund cleared. Only then shall we release your FUND as clean money devoid of any illegality, and you will be free of any involvement. To this end, you are to contact Mr. Peter Anderson of the Anti Graft Department of Economic and Financial Crimes Commission (E.F.C.C.) Nigeria and have the DIPLOMATIC IMMUNITY SEAL of TRANSFER (DIST) CLEARANCE DOCUMENT obtained. Contact him through this direct email address:efccantigraft.nigeria@megafastmail.com,Direct Line:+234 8028493286 Note that you have 72hrs to obtain this crucial Documentation.

This has to be cleared!

You are warned!

Faithfully Yours
Robert S. Mueller III
FBI Director
Federal Bureau Of Investigation.
FBI-Washington Field Office
601 4th Street, NW
Washington, DC 20535
www.fbi.gov

Tuesday, 15 June 2010

west-vacancy.com scam

This email from a wholly fake company called west-vacancy.com is really recruiting for a money laundering job or something very similar. The domain itself was registered just a few days ago to a no-doubt fake registrant. Mail is handled by Google, there is no website but in this case the email originated from 188.16.123.52 in Russia.

Date: 15 June 2010 12:32
Subject: vacancy number 358

I introduce a large multinational enterprise the co-worker of the HR department of which I am. Our company has been working in different fields, such as:
- companies setting-up
- companies winding-up
- opening accounts in Europe
- etc.

We need employees in Europe:
- salary 2.400 euro + bonus
- 1 - 2 working hours per day
- free timetable

If you are interested in this job, please, send us your contact information: Cornell@west-vacancy.com
Name:
Surname:
Country:
E-mail:
Mobile phone-number:

Be informed! Candidates from Europe are needed only

Please, write your Telephone Number and our manager will contact you to conduct an interview.
For what it is worth, these are the registrant details of the fake domain:

Domain name: west-vacancy.com

Name servers:
    ns1.nameself.com
    ns2.nameself.com


Registrant:
    Aleksandr Lapatau
    Email: lapatasker@earthling.net
    Organization: Private person
    Address: Lenina, 34, 8
    City: Minsk
    State: Minskaya
    ZIP: 456123
    Country: BY

Monday, 14 June 2010

Terminally confused 419er

This is just a straight advanced fee fraud scam, but the scammer seems to want to through in the names of Yahoo, Nokia AND Microsoft into the same fraudulent pitch. Just to add overkill, it's from a "Reverend" too, which a bunch of email addresses which are frankly all over the shop. Oh yes, the originating IP is Argentina of all places.

From: CONGRATULATION FROM YAHOO COMPANY THAILAND <lotto_officethai2@btinternet.com>
Reply-to: revralphdelahay@w.cn
Date: 14 June 2010 13:28
Subject: CONGRATULATION FROM YAHOO COMPANY THAILAND
   
Microsoft Award Team.
 ADDRESS: NOKIA THAILAND OFFICE
 105/33 BANGKOK THAI TWR.,
 108 SIAM ROAD.,
 BANGKOK, 10400,
 KINGDOM OF THAILAND.
 Batch: 12/25/0340


 Dear Winner


 This is to inform you that you have won a prize money of $2,000,000,00 (Two Million United state dollars) for the Edition 2010 Lottery promotion which is organized by YAHOO  LOTTERY INC & WINDOWS LIVE.YAHOO & MICROSOFT WINDOWS, collects all the email addresses of people that are active online, among the millions that subscribed to Yahoo and Hotmail we only select ten people every Month as our winners through electronic balloting System without the winner applying, we Congratulate you for being one of the people selected.

 PAYMENT OF PRIZE AND CLAIM


 You are to contact your Claims Agent with immediate effect to facilitate the protocol of your winning prize before the expiry date of Claim; Winners shall be paid in accordance with his/her Settlement Centre. Prize must be claimed not later than 15 days from date of Draw Notification after the Draw date in which Prize has won. Any prize not claimed within this period will be forfeited. These are your identification numbers:

 Batch number....................12/25/0340
 Ref number.......................Ref: MSN-L/200-26937
 Winning number...................YM09788


 You are therefore advised to send the following information to  to this office so that we facilitate the claims of your prize to you.


 1. Full name.............
 2. Country..............
 3. Contact Address........
 4. Telephone Number.....
 5. Marital Status........
 6. Occupation.............
 7. Company...............
 8. Age.....................


 Please Note:
 Your Lottery Prize must be claimed not later than 15 days from date of Draw Notification after the Draw date in which Prize has won. Any prize not claimed within this period will be forfeited.

 Congratulations!! Once again.

 Yours in service,
 REV.RALPH DELAHAY
 (Operation Manager)
 Yahoo International Promotion Center

 Email: thailand.lotto@yahoo.com
 Bangkok 10400
 Kingdom of Thailand





Phishtank FAIL: hsbcnet.com / hsbc.net

hsbcnet.com is a valid and legitimate website belonging to HSBC. Traffic is redirected to this site from hsbc.net. The site itself is hosted on AS26381 63.111.163.110 which is delegated to an HSBC subsiduary called Household International from Verizon. The hsbcnet.com  was registered in 1998 to a registrant with an hsbc.com web address:

Registrant:
HSBC
   One HSBC Center
   Floor 21 - HTS eBusiness
   Buffalo, NY 14203
   US

   Domain Name: HSBCNET.COM

   Administrative Contact, Technical Contact:
      Fischer, Chuck  charles.fischer -at- us.hsbc.com
      HSBC Bank USA
      One HSBC Bank
      eBusiness, 21st Floor
      Buffalo,, NY 14203
      US
      (716) 841-2075 fax: (716) 841-5022


   Record expires on 04-Dec-2010.
   Record created on 04-Dec-1998.
   Database last updated on 14-Jun-2010 04:41:11 EDT.

   Domain servers in listed order:

   NS3.HSBC.COM                
   NS4.HSBC.COM       
         

It's clearly not a phishing site, and yet Phishtank say that it is.


Now, Phishtank does just allow any old user to mark a site as phishing. In this case, the site was submitted by a user called dvk01  and then verified by SEVEN other people as a phish - stuartgrant knack NotBuyingIt cybercrime marcoadfox Aminof theGeezer - although some people have said that it isn't. As a result of this faulty groupthink, 71% of reports say that this legitimate site is a phish.

This false positive has now filtered down to OpenDNS and a number of other blocking services (e.g. Sophos) that are now erroneously blocking access to HSBC.

Don't get me wrong, Phishtank and other similar service can be very useful. But in this case it shows that Phishtank's verification process really doesn't work.. as any actual examination of the web site in question would surely identify is as legitimate.

Wednesday, 2 June 2010

"llona Timofeeva" scam

There are probably lots of people called llona Timofeeva who are perfectly trustworthy, but this job offer from a "llona Timofeeva" is not.. and it is almost definitely a made up name. So if you are llona Timofeeva, then this is probably not about you.

From: Illona Timofeeva
Date: 2 June 2010 20:04
Subject: Part-time job

My name is Illona Timofeeva, I am Director of an EastEuropean humane society S_O_S.
We have organized an animal shelter providing veterinary services, management and sterilization.
A lot of our pets have been adopted and taken care of. But now we are facing difficulties
with acceptance of donations and contributions for our shelter in your region,
that is why we are looking for a manager of our corporate account in UK.
This is a part-time job offer which would not interfere with your day job.
You may earn as much as P3,000 per month or more. In case you are interested in this offer,
we look forward to receiving your CV or brief information about yourself to our email HumaneSociety_sos@lavabit.com    
We shall write you back as soon as possible and state the terms of this job offer.

Sincerely yours,
Illona Timofeeva
Director
SOSHumane Society
What is it? Well, it's a straightforward money laundering scam using the hook of cute, fluffy and defenceless animals to get you interested. Avoid.

Tuesday, 1 June 2010

Another spam using BonBon.net for replies

There have been a stack of fake job offers soliciting replies to a BonBon.net email address lately. These emails don't actually come from BonBon.net, but they are seeking a reply to a mailbox using that domain.

I was unfamiliar with this mail service, but a bit of research shows that it belongs to HotPOP who have been around since 1998 and have a pretty good anti-spam policy and seem to be a pretty decent bunch.. so my advice is that if you get a spam trying to get you to reply to BonBon.net then forward a copy to abuse -at - hotpop.com.

From: Emilio Richardson
Date: 1 June 2010 02:40
Subject: Vacancy
   
Req'd Education: High School
Citizenship or Work-Visa: YES
Base Pay: 72,000/year
Employee Type: Part-Time/Home-Based
Bonus: Yes

Description:

If you want to work in a strong developing team, in which you can feel like in your family, this  position is for you! Our company is looking for local customer service managers. You will have good career opportunities and will enjoy friendly working atmosphere of our team.

Requirements:
High School required. PC and Internet, MS Office or compatible. Must have strong writing and communication skills.

To Apply:
Forward your contact details back ONLY to our e-mail:  manager03ltd@BonBon.net

 and wait for response next 24h - 48h. Resume-containing only.
This really is just another Money Mule operation or similar, avoid at all costs.

Tuesday, 25 May 2010

job4-us.com fake job offer

Run by the same crew as this scam, this fake job offer is a "money mule" operation laundering stolen funds, under the guise of payment processor for a car sales company. The entire job4-us.com domain is fake, any email purporting to be from that address are bogus.

Date: 25 May 2010 11:22
Subject: A car store is looking for remote employees. (US)

My name is Lisa and our company is looking to fulfill several part time positions in your region. We are one of the largest internet solutions resellers on the market and are looking to build strong support team in United States to provide the best Customer Care.

Title of the current position available is “Payment Processing Assistant” and we have seven openings.

An ideal applicant for this position must meet the following requirements:
* At least 22 years of age
* Resident of United States of America
* Very observant and able to focus on details
* Patient
* Trustworthy
* Practical
* Loves to learn
* Explains well in writing
* Handles deadlines
* Bank account
* Full internet access (at home or at work)

Benefits:
* 50% of the monthly cell phone bill is covered by the company
* Monthly salary starting at $2000(after a month evaluation period)
* 5% commission for every processed transfer
* Banking, Western Union and Money Gram fees is be covered by the company

If you are interested please reply to: Kaitlin@job4-us.com

As before, the site is hosted on 195.206.246.210 in Moldova, on the same server as europjob.com, with the same registrant details which are probably fake:

Registrant:
Maksim Rodkin
Email: roddsn@post.com
Organization: Private person
Address: Miichurinskij prospekt, d.10-2, kv. 144
City: Moskva
State: Moskovskaya
ZIP: 178234
Country: RU
Phone: +7.4956783214

Evil Network: Maximus Hosting Services, Bosnia 77.78.239.0 - 77.78.240.255

A bunch of sites in the IP range 77.78.239.0 - 77.78.240.255 look all evil and appear to be serving up bad PDFs and other nastiness. IPs are allocated to Maximus Hosting Services, Bosnia and honestly I cannot see a single domain that looks legitimate.. I would suggest that you block the entire range.

1iii.org
2iii.org
Poteriapoter.com
Dwnld0020.com
Hyporesist.com
Newsbosnia.org
Search-static.org
Spmfb2299.com
Spmfb3309.com
Crowledarmor.com
Statxonline.com
Xsbot.net
Exfxreporting.com
Planopetroleumteam.com
Acunetxweb.net
Macuysinstall.net
1-aa.com
Caucasus-a.com
Pa-2.net
G000ggle.com
Zettapetta.net
Google-server14.info
Top-teen-porn.info
Google-server11.info
Kalashmalash.org
Ruslan7777.com
Bazavaza233.net
Shalalopdns.com
Vstils.ru
Tygolev.com
Hostingpanelavg.com
Homesiteuk.com
Vk-socks.net
Lrstat.com
Statistics-of-world.org
Eu-analytics.com

Wednesday, 19 May 2010

"Re: Intercepted Over Due Fund Transfer!!!" scam

This isn't the first time that we've seen a scam email pretending to be from the UN, but they are often slightly amusing in their pitch. The idea here is that the scammers are targeting people who have already been ripped off with the promise of compensation. Presumably the success rate with this approach makes it worth doing.

Unsurprisingly, the telephone number listed is in Nigeria. Avoid.
From: United Nations <info@un.org>
Reply-to: cenbankng@ml1.net
Date: 19 May 2010 02:40
Subject: Re: Intercepted Over Due Fund Transfer!!!

United Nations

Palais des Nations,

1211 Geneva 10,

Switzerland

Subject: Re: Intercepted Over Due Fund Transfer

Attention: Beneficiary,

In the last meeting between the United Nations OCHA and UNDP hold Copenhagen, 19 Febraury 2010-After a marathon all night session, talks aimed at injecting new and more wide-ranging momentum into the international effort to combat climate change, global recession and scam  ended with a positive outcome.

The United Nations and U.S department for Homeland security has meet with delegate from Africa, Asia, Australia, Antarctica, North America, South America  and Europe has agreed to Pay scam victims around the world the sum $10.8Million USD as compensation so the money could be use to combat unemployment and help people like you make the world a better place. The United States Department of Homeland Security (DHS), with the help of the FBI and Interpol Has screened through various Monitoring Networks and has been confirmed and notified that the transaction is Legal and you have the Lawful Right to claim your due fund.

To effect and carry out the directives given, you are advised to contact Dr David Wills

Dr David Wills.

International Claims Officer

Telephone: +234 8039393143

E-Mail: cenbankng@ml1.net

You have been instructed on what to do next you are strictly advice to follow his instruction so as to follow into the hands of fraudster,

Yours Faithfully,

Yvette Morris (UN)
Public Relation officer

Tuesday, 18 May 2010

europjob.com fake job offer

This fake job offer comes with a Moldovan and Russian connection.

Date: 18 May 2010 20:52
Subject: good day!
   
International Real Estate Consulting Company seeking local representation


Countries of interest: Austria, Belgium, Bulgaria, Hungary ,Greece, Denmark, Ireland, Cyprus, Lithuania, France, Sweden
Luxembourg, Malta, Netherlands, Poland, Slovakia, Slovenia, Portugal, Romania, Finland, Czech, Estonia

Tasks of the representation to consist of liaison and intermediation in financial transactions.

Good and prolonged relations history with local financial institutions is strongly recommended
(references will be asked).

If you would like to be a regional manager in Europe send us your contact information: Full name:
Country:
City:
E-mail:
Telephone Number:

Our contacts: Denver@europjob.com
The europjob.com domain was registered just yesterday and is hosted on 195.206.246.210 at Starnet in Moldova. The WHOIS details show the infamous "Private Person" as a registrant with an email address frequently connected with scams.

Registrant:
    Maksim Rodkin
    Email: roddsn@post.com
    Organization: Private person
    Address: Miichurinskij prospekt, d.10-2, kv. 144
    City: Moskva
    State: Moskovskaya
    ZIP: 178234
    Country: RU
    Phone: +7.4956783214

It's not clear what the job is, probably money laundering or some other criminal back office service. Avoid.

Fake "NetTemps Inc" domains

These domains and IPs seem to be associated with this company masquerading as "Net Temps Inc" (there are legitimate companies with a very similar name though), you can see examples of the scam email being used here and here.

82.243.193.235- Proxad, France
nettms.eu
nextspend.biz

95.64.133.205 - MultyKabelnie Seti Balashihi, Russia
nettms.net
nettps.net
eddpiii.com.pl

74.63.228.139 - Limestone Networks, Texas
ns1.loopcool.net
ns1.seerdanee.com

87.117.245.9 - JSHosts, UK
lokiou.eu
ns1.globalistory.net
ns1.hourscanine.com
ns1.limeteablack.net
ns1.skcstaff.com
ns1.skcstaffing.com
ns1.socialworc.net

204.12.229.89 - Hosting Ventures LLC, USA [Mostly suspended, some now deleted]
mx.nettempsin.co.uk
mx.nettms.net
ns1.availname.net
ns1.disksilver.net
ns1.girlfrendsboy.com
ns1.nodefront.net
ns1.pdsproperties.net
ns1.sorbauto.com
ns1.whiskybrend.net
availname.net
ddeasaeq.vc
edfa4.com.vc
edfa7.com.vc
efasqca.com.pl
ewasza.co.uk
ewasze.co.uk
ewasze.me.uk
ewaszi.co.uk
ewaszu.co.uk
girlfrendsboy.com
iurseda.com.vc
nodefront.net
pdsproperties.net
sorbauto.com
whiskybrend.net

79.170.40.4 - Heart Internet, UK
netpts.org
nettes.org


77.25.179.23 - Vodafone, Germany
ns2.loopcool.net
ns2.rakusolutions.com

Fast Flux (IP varies)
nettempsin.co.uk

Registered but no website
hourscanine.com
juverds.info
skcstaffing.com

Suspended / On hold
nttempinc.com
santroperz.net
assewya.co.uk
limeteablack.net
skcstaff.com

Monday, 17 May 2010

Nettms.net / Nettps.net "NetTemps Inc" scam

This fraudulent job offer solicits replies to an email address of cv@nettms.net  and it pretends to be from "NetTemps Inc". There is a legitimate firm in the US of a similar name, but this job offer is not from them.

Subject: part-time job in Europe
Date: Mon, 17 May 2010 16:05:37 +0100

Looking for a job? My name is Juliette Barnes, I am a recruiting manager of NetTemps Inc, a recruiting agency for direct-hire, contract, and freelance professionals within various professions.  
      
Today I would like introduce some part-time and virtual office vacancies in the spheres of Advertising, Education, Engineering, Finance, Health care, Information technology, Media, Real estate and Transportation.  
    
If you are interested to learn more about the jobs offered, please get back to me, providing your name and contact number. 
    
We are eager to help you find a better job and improve your career!
      
If you have questions, please do not hesitate to e-mail me on:  
      
c v @ n e t t m s . n e t      [please delete spaces in the email address before sending it to us]  
 
Yours sincerely,   
Juliette Barnes 
NetTemps Inc  
It's the same scam as this one, but in this case the back-end servers are different.. the mailed replies go to 204.12.229.89 [Hosting Ventures LLC, US] with a web site hosted at 95.64.133.205 in Russia along with another similar domain of Nettps.net.

Anyway, this job offer is probably laundering stolen money or some other criminal activity and should be avoided at all costs.

Friday, 14 May 2010

"Delivery LCI" job scam

This is a fraudulent job offer, which appears to be a reshipping scam and possibly some other "back office" functions for organised criminals. The is no company registered in the UK called Delivery LCI or LCI Delivery.

From: Timmy Bliss
Date: 14 May 2010 01:49
Subject: Job opening

Hello,

I'm Mary, writing on behalf of Delivery LCI about your job
search, would like to invite you to learn more about the job
opportunity that we are offering right now for people like you.
First of all you need no prior experience, but we will provide all
necessary training when you will join us.

Now let's take a look at what Delivery LCI offers you:


Shipping Regional Manager

 Requirements:
 - Resident of the United States;
 - Fluent English;
 - Basic knowledge of Microsoft Word and Microsoft Excel;
 - Home Computer with e-mail account and ability to check your e-mail
 box at least twice a day
 - Adults only accepted (we cannot hire underage people)


 Job description:

 - Receive correspondence from our company and its clients at his/her
 residential address;
 - Report to our manager (every candidate will be included in a
 manager's lists)
 - Forward received items according to instructions of our manager
 - Fill in the forms and papers as indicated in our manager's
 instructions (you will receive an e-mail with instructions for each
box).
 - Ship packages out


 Personal qualities:
- honesty
- decency
- sociability
- ability to work in team


 Salary
 - 30$ per package processed for trial period 1 month
 - 50$ per package processed \ by the end of trial period\
 - The salary is credited to your account once a month


 If you are interested in our position, reply back to us
 with your short resume at:

 KathrynKnowlton@BonBon.net

Thank you for reading.

+44.20 3286 9579 

Despite there being no company of this name in the UK, there are two probably related websites of deliverylci.com and lcidelivery.com. At the moment, only deliverylci.com is running, registered to a fake address in the US:


Registrant:
    Dennis  Oneal
    Email: support@deliverylci.com
    Organization: Delivery LCI 
    Address: 1938 Woodland Terrace
    City: Orangevale
    State: CA
    ZIP: 95662
    Country: US
    Phone: +1.9169879747 
    Fax: +1.9169879747

but claiming to be based in the UK from their website:

Your calls are received by the phone: +44.20 3286 9579

E-mail: lcidelivery@lcidelivery.com

Our Office:

5 NORTH STREET, HAILSHAM, EAST SUSSEX, BN27 1DQ, United Kingdom
5 North Street, Hailsham does exist and is the office of a firm of accountants, there are many companies registered at this address. The telephone number is a London one though, not one for Hailsham.

Digging further shows that the deliverylci.com website is hosted at  89.248.162.136 [Ecatel, Netherlands]. The following sites are hosted on the same server:

  • Dealcomltd.com
  • Deliverylci.com
  • Idealogisticservices.com
  • Todaylogisticservices.com
89.248.162.136 is also a nameserver for other domains:

  • ns1.taxreturnsworld.com
  • ns1.worldtaxreturns.com
  • ns2.itadvancedservices.com   
  • s1.oilhost.eu
The domain taxreturnsworld.com was recently mentioned by Brian Krebs as being part of a particularly sophisticated job scam. So, it seems likely that all these domains and so-called companies are bogus and should be avoided.

Thursday, 13 May 2010

Dating scam: "I will be glad to get to know you"

There have been quite a few dating scams soliciting replies to BonBon.net lately, and coming with an attached photo. This one is meant to be "Anete".. what do you mean, you don't remember Anete? Anyway, it's probaly some fat sweaty Russian bloke trying to part you from your cash, so avoid this one.

Subject: I will be glad to get to know you

Hello! How are you? I hope you are ok. I am Anete.
You remember, we have got acquainted with you at dating site?
You have given me your email and today I write to you.
I think, now we can begin our acquaintance. I will be glad! Hope you too.
I am 30 years old. I want to find the man and to create serious relationship.
I want, that you have answered me if you still want to know me.
I send you my photos, and I want, that you do the same.
I will be glad to get to know you more close.

Please reply only to my personal e-mail:  utinanete@BonBon.net

I look forward your answer. With the best regards, Anete...

Monday, 10 May 2010

Evil network: Sagade Ltd / ATECH-SAGADE

There's been an awful lot of badness from Latvia recently, with several fake AV apps and other Very Bad Things hosted in the range 91.188.59.0 - 91.188.59.255, which appears to be a wholly bad subnet of pure evil. It looks like a similar setup to Real Host Ltd which was shut down last year.

inetnum: 91.188.59.0 - 91.188.59.255
netname: ATECH-SAGADE
descr: Sagade Ltd.
descr: Latvia, Rezekne, Darzu 21
descr: +371 20034981
remarks: abuse-mailbox: piotrek89@gmail.com
country: LV
admin-c: JS1449-RIPE
tech-c: JS1449-RIPE
status: ASSIGNED PA
mnt-by: AS6851-MNT
source: RIPE # Filtered

person: Juris Sahurovs
remarks: Sagade Ltd.
address: Latvia, Rezekne, Darzu 21
phone: +371 20034981
abuse-mailbox: piotrek89@gmail.com
nic-hdl: JS1449-RIPE
mnt-by: ATECH-MNT
source: RIPE # Filtered

% Information related to '91.188.32.0/19AS6851'

route: 91.188.32.0/19
descr: BKCNET Autonomous System
descr: IZZI SIA
descr: Ieriku 67a, Riga, LATVIA
origin: AS6851
mnt-by: AS6851-MNT
source: RIPE # Filtered

All these websites appear to be malicious, I cannot find a single site that I can identify as being legitimate. Most have obviously fake WHOIS details too. I would recommend blocking access to the whole IP block.

1zabslwvn538n4i5tcjl.com
Urodinam.net
A-fast.com
00g00.ru
Odnotraxniki.ru
Td0.ru
Kerrimckeetq.info
Maiamaribeihlv.info
Marguriiexyhamlin.info
Privatetechnology.biz
Syscodec.com
Systemcodec.net
Traffcash.biz
Kimirleonarda.info
Nitrosearch.info
Fastglobosearch.com
Likinto.com
Mcml1.com
Trol0l0.com
Mokato.com
Ziko.in
Viasot.com
Billsolutions.net
Fastsecurebilling.com
Fast-payments.com
Easypayments-online.com
Billingonline.net
Lotise.com
Manytis.com
Membernameserver.com
Ossarix.com
Soterpo.com
Stepil.com
Winepsy.com
Zingis.com
Bombastats.com
Pornowars.info
Superspuperporn.com
Pornopeace.info
Smackmybitch.info
Belleplaceurl.com
Christophecoinurl.com
Coinurlredirect.com
Coinurlredirection.com
Endroiturlredirect.com
Glossipfd.com
Goldcoinurl.com
Gork.in
Gulk.in
Hnarmettis.com
Hotelplaceurl.com
Lieuurlredirect.com
Mnuyetsgrr.com
My654bestsite.com
Nuvolokijj.com
Parkplaceurl.com
Polk.in
Rozg.in
Samk.in
Sekmoon.net
Silvercoinurl.com
Sumk.in
Vvven.in
Worldplaceurl.com
Zoid.in
Smackbybitch.com
Videosite1.com
Beeape.com
Supercrazynight.com
Supersporns.com
Sys-force.ru
Firsttunesclub.in
Viiistifor1.com
Visiocarii1l.net
Skachivay.com
Allforyouplus.net
Hotfilesfordownload.com
Allforil1i.com
Alltubeforfree.com
Allxtubevids.net
Freeanalsextubemovies.com
Freetube06.com
Freeviewgogo.com
Homeamateurclips.com
Hotxtube.in
Hotxxxtubevideo.com
Iil10oil0.com
Ilio01ili1.com
Illinoli1l.in
Porn-tube-video.com
Porntube2000.com
Porntubefast.com
Viewnowfast.com
Viewxxxfreegall.net
Xhuilil1ii.com
Yourbestway.cn
Youvideoxxx.com
Cern-a.com
Xbasex.com
Rowfirst.com
Autouploaders.net
Poafirst.com
Rodfirst.com
Solaruploader.com
Noafirst.com
My-best-web.com
Pakwer.com
Kdjkfjskdfjlskdjf.com
Stablednsstuff.com
Oklahomacitycom.com