Friday, 15 July 2011
Christwire.org hacked with sokoloperkovuske.com redirect
This summary is not available. Please
click here to view the post.
Labels:
.htaccess,
Fake Anti-Virus,
Korea,
Latvia
Thursday, 14 July 2011
yahlink.php / DreamHost hack
Almost identical in every way to this injection attack, several Dreamhost sites have been compromised with a page called yahlink.php (it was yahoolink.php before), which is being spammed out through compromised AOL accounts.
It isn't just Dreamhost hosted sites that are being spammed out in this way, but it does appear that well over half the sites are on Dreamhost. It looks like some GoDaddy customers might have been hit too.
In this case, the spammed link directs to krokodilius8.com/gosem11.php which is hosted on 78.129.132.26 which appears to be iomart Hosting Ltd in the UK. All the sites on that server appear to have have fake registrant details, so you can assume that they are bogus:
bepfinance.com
brentnallfg.com
estatediary.com
forfreeblog.net
freeblogpro.org
freetrialmail.com
krokodilius8.com
lucky-bet.in
pubertavad.com
russwoman.ru
superblogonline.org
thebloggin.net
vedrozhuk7.com
yourtraveldiary.net
Users are then directed to another host in Romania, 188.229.89.230 which belongs to Netserv Consult SRL. It is my opinion that there is nothing of value in the entire 188.229.0.0/17 range and you can safely block access to the entire lot.
The final step is to a host called drugstorehealthrisks.net hosted on 90.182.175.232 which looks like a broadband connection in the Czech Republic. The site isn't loading for me, but I guess it's just pharma spam. These other sites are hosted on the same server:
fatdrugstoremeds.net
healthrxinsurance.net
healthrxpharmacyinsurance.com
healthtabletsnook.net
Dreamhost have been informed of the issue but don't appear to have done anything to secure their users. Blocking Dreamhost IPs might be something worth considering depending on what kind of shop you run. I have spotted malicious activity in the following IP ranges:
67.205.0.0/18
69.163.128.0/17
75.119.192.0/19
208.97.128.0/18
..although blocking access to the Romanian 188.229.0.0/17 block would also pretty much acheive the same thing without blocking access to any legitimate sites that might be on Dreamhost.
It isn't just Dreamhost hosted sites that are being spammed out in this way, but it does appear that well over half the sites are on Dreamhost. It looks like some GoDaddy customers might have been hit too.
In this case, the spammed link directs to krokodilius8.com/gosem11.php which is hosted on 78.129.132.26 which appears to be iomart Hosting Ltd in the UK. All the sites on that server appear to have have fake registrant details, so you can assume that they are bogus:
bepfinance.com
brentnallfg.com
estatediary.com
forfreeblog.net
freeblogpro.org
freetrialmail.com
krokodilius8.com
lucky-bet.in
pubertavad.com
russwoman.ru
superblogonline.org
thebloggin.net
vedrozhuk7.com
yourtraveldiary.net
Users are then directed to another host in Romania, 188.229.89.230 which belongs to Netserv Consult SRL. It is my opinion that there is nothing of value in the entire 188.229.0.0/17 range and you can safely block access to the entire lot.
The final step is to a host called drugstorehealthrisks.net hosted on 90.182.175.232 which looks like a broadband connection in the Czech Republic. The site isn't loading for me, but I guess it's just pharma spam. These other sites are hosted on the same server:
fatdrugstoremeds.net
healthrxinsurance.net
healthrxpharmacyinsurance.com
healthtabletsnook.net
Dreamhost have been informed of the issue but don't appear to have done anything to secure their users. Blocking Dreamhost IPs might be something worth considering depending on what kind of shop you run. I have spotted malicious activity in the following IP ranges:
67.205.0.0/18
69.163.128.0/17
75.119.192.0/19
208.97.128.0/18
..although blocking access to the Romanian 188.229.0.0/17 block would also pretty much acheive the same thing without blocking access to any legitimate sites that might be on Dreamhost.
Labels:
DreamHost,
Injection Attacks,
Netserv Consult SRL,
PHP,
Romania
Wednesday, 13 July 2011
Fake jobs: cl-exlusive.com, europ-exlusive.com, totalworld-job.com, uk-cvlists.com and uk-exlusive.com
Five new domains offering fake jobs (actually money laundering and other illegal activities), forming part of this long running series of scams.
cl-exlusive.com
europ-exlusive.com
totalworld-job.com
uk-cvlists.com
uk-exlusive.com
The domains were created yesterday, registered to a no-doubt fake registrant:
If you have a sample email soliciting replies to one of these domains, please consider sharing it in the comments.
cl-exlusive.com
europ-exlusive.com
totalworld-job.com
uk-cvlists.com
uk-exlusive.com
The domains were created yesterday, registered to a no-doubt fake registrant:
Registrant:
Luca Drue
Email: lucadrue@yahoo.fr
Organization: Luca Drue
Address: 27, BERESTYANSKAYA STR
City: Minsk
State: Minsk
ZIP: BY-220123
Country: BY
Phone: +37.5172749317
Fax: +37.5172749311
Luca Drue
Email: lucadrue@yahoo.fr
Organization: Luca Drue
Address: 27, BERESTYANSKAYA STR
City: Minsk
State: Minsk
ZIP: BY-220123
Country: BY
Phone: +37.5172749317
Fax: +37.5172749311
If you have a sample email soliciting replies to one of these domains, please consider sharing it in the comments.
Labels:
Chile,
Job Offer Scams,
Lapatasker,
Money Mule,
Russia,
Scams
Tuesday, 12 July 2011
Fake HMRC site: confirm-hmrc.com / onlineservice.confirm-hmrc.com
This is a rather new phishing site, pretending to be a tax refund from the UK's HMRC agency pointing to the domain confirm-hmrc.com (subdomains www.confirm-hmrc.com and onlineservice.confirm-hmrc.com).
Although the phish looks convincing, the HMRC don't do tax refunds in this way. Usually they will just transfer the money to your bank account or alternatively send you a cheque. Furthermore, in my experience the HMRC only communicate by post and not electronic mail.
The site hosted on 218.108.75.53 in China. The same server also has the fraudulent domains account-update-westernunion.com, account-westernunion.com and accounts-westernunion.com. The domain registration details are fake:
Domain Name.......... confirm-hmrc.com
Creation Date........ 2011-07-12
Registration Date.... 2011-07-12
Expiry Date.......... 2012-07-12
Organisation Name.... wu wu
Organisation Address. 12 na
Organisation Address.
Organisation Address. miami
Organisation Address. 12311
Organisation Address. AL
Organisation Address. UNITED STATES
Admin Name........... wu wu
Admin Address........ 12 na
Admin Address........
Admin Address........ miami
Admin Address........ 12311
Admin Address........ AL
Admin Address........ UNITED STATES
Admin Email.......... sadasda@re.com
Admin Phone.......... +1.12312312312
Admin Fax............
Tech Name............ wu wu
Tech Address......... 12 na
Tech Address.........
Tech Address......... miami
Tech Address......... 12311
Tech Address......... AL
Tech Address......... UNITED STATES
Tech Email........... sadasda@re.com
Tech Phone........... +1.12312312312
Tech Fax.............
Name Server.......... ns2.confirm-hmrc.com
Name Server.......... ns1.confirm-hmrc.com
Blocking traffic to 218.108.75.0/24 will probably do no harm.
Although the phish looks convincing, the HMRC don't do tax refunds in this way. Usually they will just transfer the money to your bank account or alternatively send you a cheque. Furthermore, in my experience the HMRC only communicate by post and not electronic mail.
The site hosted on 218.108.75.53 in China. The same server also has the fraudulent domains account-update-westernunion.com, account-westernunion.com and accounts-westernunion.com. The domain registration details are fake:
Domain Name.......... confirm-hmrc.com
Creation Date........ 2011-07-12
Registration Date.... 2011-07-12
Expiry Date.......... 2012-07-12
Organisation Name.... wu wu
Organisation Address. 12 na
Organisation Address.
Organisation Address. miami
Organisation Address. 12311
Organisation Address. AL
Organisation Address. UNITED STATES
Admin Name........... wu wu
Admin Address........ 12 na
Admin Address........
Admin Address........ miami
Admin Address........ 12311
Admin Address........ AL
Admin Address........ UNITED STATES
Admin Email.......... sadasda@re.com
Admin Phone.......... +1.12312312312
Admin Fax............
Tech Name............ wu wu
Tech Address......... 12 na
Tech Address.........
Tech Address......... miami
Tech Address......... 12311
Tech Address......... AL
Tech Address......... UNITED STATES
Tech Email........... sadasda@re.com
Tech Phone........... +1.12312312312
Tech Fax.............
Name Server.......... ns2.confirm-hmrc.com
Name Server.......... ns1.confirm-hmrc.com
Blocking traffic to 218.108.75.0/24 will probably do no harm.
Friday, 8 July 2011
Evil network: hotmailbox.com
The domain hotmailbox.com often comes up when looking at malicious domains, it's a domain used to provide a bulletproof email address for domain registration. The registrar for hotmailbox.com is the scammer's favourite, BIZCN which probably explains why it has lingered for so long.
There are several hundred domains registered through email accounts at hotmailbox.com, all of them are bogus and follow a similar pattern with bogus US addresses. Most of the domains with active websites are hosted in Romania, in netblocks that have a known bad reputation.
You can download a list of domains, IPs and MyWOT ratings for at least some of these domains here [CSV], or if you just want a plain list then keep scrolling down.
Because the hotmailbox.com domains are all in bad blocks or dedicated servers, then it is possible to block access to these IP ranges or individual boxes to prevent infection. I would recommend blocking the following:
84.247.61.0/24 (Sistem Soft Network, Romania)
91.217.162.0/24 (Voejkova Nadezhda, Russia)
94.63.149.0/24 (SC CORAL IT OFFICE SRL, Romania)
94.244.80.7 (Uab Kauno Interneto Sistemos, Lithunia)
95.64.55.0/24 (Netserv Consult SRL, Romania)
96.9.139.208/28 (UAB "Dominant Plius", c/o HOSTNOC, US)
141.136.16.14 (MORE SECURE SRL, Romania)
173.236.34.238 (Inferno Solutions, UK)
184.105.178.85 (Hurricane Electric, US [parked])
188.138.90.110 (Intergenia AG, Germany)
188.138.116.223 (Intergenia AG, Germany)
188.229.0.0/17 (Netserv Consult SRL, Romania)
202.75.41.42 (TM VADS DC Hosting, Malaysia)
209.212.157.208/29 (BONHOST, Ukraine)
212.117.164.39 (root SA, Luxembourg)
217.23.9.247 (Worldstream, Netherlands)
220.112.0.0/18 (Guangzhou For Great Wall Broadband Network, China)
Not every site in those ranges is part of this group, and indeed there may be a few legitimate sites, but you are much more likely to come into contact with a malware site on these IP addresses than a real one, so treat them as "high risk".
If you have any examples of domains using hotmailbox.com that are not listed, then please consider adding them to the Comments.
There are several hundred domains registered through email accounts at hotmailbox.com, all of them are bogus and follow a similar pattern with bogus US addresses. Most of the domains with active websites are hosted in Romania, in netblocks that have a known bad reputation.
You can download a list of domains, IPs and MyWOT ratings for at least some of these domains here [CSV], or if you just want a plain list then keep scrolling down.
Because the hotmailbox.com domains are all in bad blocks or dedicated servers, then it is possible to block access to these IP ranges or individual boxes to prevent infection. I would recommend blocking the following:
84.247.61.0/24 (Sistem Soft Network, Romania)
91.217.162.0/24 (Voejkova Nadezhda, Russia)
94.63.149.0/24 (SC CORAL IT OFFICE SRL, Romania)
94.244.80.7 (Uab Kauno Interneto Sistemos, Lithunia)
95.64.55.0/24 (Netserv Consult SRL, Romania)
96.9.139.208/28 (UAB "Dominant Plius", c/o HOSTNOC, US)
141.136.16.14 (MORE SECURE SRL, Romania)
173.236.34.238 (Inferno Solutions, UK)
184.105.178.85 (Hurricane Electric, US [parked])
188.138.90.110 (Intergenia AG, Germany)
188.138.116.223 (Intergenia AG, Germany)
188.229.0.0/17 (Netserv Consult SRL, Romania)
202.75.41.42 (TM VADS DC Hosting, Malaysia)
209.212.157.208/29 (BONHOST, Ukraine)
212.117.164.39 (root SA, Luxembourg)
217.23.9.247 (Worldstream, Netherlands)
220.112.0.0/18 (Guangzhou For Great Wall Broadband Network, China)
Not every site in those ranges is part of this group, and indeed there may be a few legitimate sites, but you are much more likely to come into contact with a malware site on these IP addresses than a real one, so treat them as "high risk".
If you have any examples of domains using hotmailbox.com that are not listed, then please consider adding them to the Comments.
8nm2.com |
aaaholic.com |
aaoutfit.com |
aarocket.com |
abcartel.com |
abminute.com |
abutable.com |
acgoblin.com |
aemodern.com |
afchalet.com |
agfiesta.com |
alexblane.com |
alisa-carter.com |
analitycscredit.com |
asweds.com |
automaticsecurityscan.com |
awesomepornofree.com |
awfulice.com |
bcrocket.com |
bdcartel.com |
bestipdns.com |
bookaros.com |
bookarra.com |
bookavio.com |
bookdolo.com |
bookfula.com |
bookgusa.com |
bookmonn.com |
bookmono.com |
bookmylo.com |
booknunu.com |
bookpolo.com |
booksgou.com |
booksoco.com |
booksolo.com |
booktuba.com |
bookvila.com |
bookvivi.com |
bookvoxy.com |
bookzoul.com |
bookzula.com |
caldnsserver.com |
calmsearch.org |
cbhammer.com |
cblender.com |
cebistro.com |
cfaholic.com |
clickabundant.org |
clickaccept.org |
clickadvice.org |
clickahead.org |
clickalmost.org |
clickan.org |
clickancient.org |
clickany.org |
clickanybody.org |
clickanybody.org |
clickarrogant.org |
clickarvada.org |
clickattempt.org |
clickautomatic.org |
clickbad.org |
clickbatonrouge.org |
clickber.org |
clickboa.org |
clickbored.org |
clickbrake.org |
clickbury.org |
clickcharleston.org |
clickclear.org |
clickclever.org |
clickdesmoines.org |
clickdowe.org |
clickdrea.org |
clickdreadful.org |
clickfer.org |
clickflat.org |
clickfortlauderdale.org |
clickfremont.org |
clickhartford.org |
clickicy.org |
clickill.org |
clickjacksonville.org |
clickmesquite.org |
clicknorman.org |
clickodd.org |
clickolathe.org |
clicksalem.org |
clickshy.org |
clicksyracuse.org |
clickwet.org |
comasians.com |
comchemicalsns.com |
daily-basis.com |
daletter.com |
darksecurityscan.com |
dateoncount.com |
dbchalet.com |
dnseasy.ru |
dnsforwebuse.com |
dns-good-you.com |
dnshot.ru |
dnssuperb.com |
dnsundservice.com |
dnsvip.ru |
domainforuse.com |
dowpolenas.org |
dynamicip-dns.com |
e48i.com |
easysecurityscan.com |
edsawake.org |
edsawake.org |
edsback.org |
edsbang.org |
edsbang.org |
edsbeautiful.com |
edsbent.com |
edsbent.com |
edsbid.com |
edsblew.com |
edscold.com |
edsfull.com |
edsfull.com |
edswoken.org |
emptywin.com |
engduates.com |
excellentdnshost.com |
fastsapere.com |
fastsofgeld.com |
findacid.org |
findaddition.org |
findadvertisem.org |
findalert.org |
findangry.org |
findattack.org |
findawful.org |
findbitter.org |
findblow.org |
findbrake.org |
findbrave.org |
findcaret.org |
findchalk.org |
findchance.org |
findcheeks.org |
findclumsy.org |
findcolorful.org |
findconsonant.org |
findcopper.org |
findcurly.org |
finddamaged.org |
finddistribution.org |
finddrawer.org |
finddriving.org |
finddrop.org |
findear.org |
findearly.org |
findears.org |
findearth.org |
findeast.org |
findexperie.org |
findeyes.org |
findfertile.org |
findfierce.org |
findforeign.org |
findforget.org |
findfort.org |
findforth.org |
findharsh.org |
findinexpensive.org |
findinnocent.org |
findjolly.org |
findjoyous.org |
findjuicy.org |
findlate.org |
findsister.org |
findsize.org |
findsky.org |
findsour.org |
findstage.org |
findstart.org |
findstation.org |
findstem.org |
findstep.org |
findstitch.org |
findstone.org |
findstraight.org |
findstrange.org |
finduneven.org |
findunsightly.org |
findvoiceless.org |
findwandering.org |
findwet.org |
findwicked.org |
fixtracker.com |
forumaccept.org |
forumadd.org |
forumadmire.org |
forumadmit.org |
forumadvise.org |
forumafford.org |
forumallow.org |
forumamuse.org |
forumanalyze.org |
forumbusy.org |
forumcalm.org |
forumcold.org |
forumcute.org |
forumdamp.org |
frailwin.com |
frequentwin.com |
gcocgle.com |
goodworkdns.com |
goodworkdns.com |
googletrackgeo.com |
hotmailbox.com |
ibtable.com |
ibtable.com |
imageacid.org |
imagebad.org |
imagebent.org |
imagefipe.org |
imagelue.org |
install-internet.com |
ipbestdns.com |
IpCodesNet.com |
IpInternetExplorer.com |
ipmagicnet.com |
ipnetworklegal.com |
ipsecurityuse.com |
ip-tracing.com |
IpWebDirectory.com |
koxtable.com |
lizamoon.com |
m0o0.com |
malineip.com |
milapop.com |
netlinksgo.com |
networkdnstrust.com |
nondeip.com |
op0o.com |
ottomip.com |
ottomip.com |
phlorip.com |
pornootrada.com |
portalkey.org |
s0po.com |
searchabout.org |
searchact.org |
searchadorable.org |
searchadvice.org |
searchaffect.org |
searchafternoon.org |
searchago.org |
searchairplane.org |
searchalaska.org |
searchalice.org |
searchalike.org |
searchallow.org |
searchaloud.org |
searchalphabet.org |
searchalready.org |
searchalready.org |
searchalso.org |
searchalso.org |
searchalthough.org |
searcham.org |
searchamount.org |
searchamusement.org |
searchand.org |
searchangle.org |
searchanimal.org |
searchanswer.org |
searchant.org |
searchapparatus.org |
searcharound.org |
searcharrange.org |
searcharrow.org |
searchas.org |
searchaside.org |
searchask.org |
searchasleep.org |
searchaswe.org |
searchat.org |
searchate.org |
searchatlantic.org |
searchatmosphere.org |
searchatom.org |
searchatomic.org |
searchattached.org |
searchattention.org |
searchbad.org |
searchbase.org |
searchbat.org |
searchbattery.org |
searchbattle.org |
searchbegan.org |
searchbeginning.org |
searchbegun.org |
searchbehavior.org |
searchbehind.org |
searchbet.org |
searchbetsy.org |
searchbeyond.org |
searchbigger.org |
searchbiggest.org |
searchbilly.org |
searchbirth.org |
searchborn.org |
searchbottle.org |
searchbound.org |
searchbow.org |
searchbowl.org |
searchbread.org |
searchbreak.org |
searchbreathe.org |
searchbreathing.org |
searchbreeze.org |
searchbreeze.org |
searchbrick.org |
searchbrick.org |
searchbrief.org |
searchclumsy.com |
searchcruel.org |
searchdead.com |
searchdear.org |
searchdepressed.org |
searchdrab.com |
searchdrab.org |
searchdull.com |
searchelated.org |
searchfertile.org |
searchfindestablish.org |
searchfindfix.org |
searchfindfund.org |
searchfoggy.org |
searchgrieving.org |
searchhuge.org |
searchhumid.org |
searchhushed.org |
searchjewel.org |
searchlarge.org |
searchlazy.org |
searchmany.org |
searchmeat.org |
searchmedical.org |
searchmemory.org |
searchmetal.org |
searchmilk.org |
searchminiature.org |
searchmisty.org |
searchmixed.org |
searchmodern.org |
searchnumber.org |
searchodd.org |
searchof.org |
searchplant.org |
searchrelieved.org |
searchways.org |
seardall.org |
static-ipdns.com |
t02j.com |
tadygus.com |
trafficjoyous.com |
u98i.com |
ultradnshost.com |
Labels:
Evil Network,
Intergenia,
Netserv Consult SRL,
Romania
Fake jobs: job-britain.com and job4america.com
Two new fake job domains that form part of this long-running series, job-britain.com and job4america.com are pushing fake job offers which will actually be illegal activities like money laundering.
These domains were registered just yesterday to a fake registrant called "Leonid Pravduk". Avoid.
If you have samples of the spam emails using these domains, please consider sharing them in the comments.
These domains were registered just yesterday to a fake registrant called "Leonid Pravduk". Avoid.
If you have samples of the spam emails using these domains, please consider sharing them in the comments.
Labels:
Job Offer Scams,
Lapatasker,
Money Mule,
Russia,
Scams
Thursday, 7 July 2011
Fake jobs: westgroupcv.net, wug-cunsulting.net, wug-joblist.com and wugcv-offers.com
Four new domains forming part of the very long-running "Lapatasker" series of fake job offers:
westgroupcv.net
wug-cunsulting.net
wug-joblist.com
wugcv-offers.com
These job offers will typically involve illegal money mule operations and other fraudulent activities. Unless you enjoy jail time, they are best ignored.
If you have any example emails, please consider sharing them in the comments!
westgroupcv.net
wug-cunsulting.net
wug-joblist.com
wugcv-offers.com
These job offers will typically involve illegal money mule operations and other fraudulent activities. Unless you enjoy jail time, they are best ignored.
If you have any example emails, please consider sharing them in the comments!
Labels:
Job Offer Scams,
Lapatasker,
Money Mule,
Russia,
Scams
Tuesday, 5 July 2011
Sapphire Town Real Estate (sapphiretown.com) suck
I don't normally post twice on one spammer, but the idiots at Sapphire Town Real Estate seem to have hit new levels of stupidity with this spam that they have now sent 283 times, apparently about 1% into a dictionary attack (so I can expect to see it 28,000 more times!)
If they are this stupid when it comes to doing business then I would advise giving them a wide berth.
Update: now 4386 times and counting!
If they are this stupid when it comes to doing business then I would advise giving them a wide berth.
Update: now 4386 times and counting!
Monday, 4 July 2011
Sapphire Town Real Estate "Labour Camps" spam. Just add slaves.
This spam for labour camps was so important to the sender that they sent it 300 times (and counting). Just add slaves, I guess. And in jolly Comic Sans too! Originating IP is 86.96.226.150 in the UAE, all attempts at contacting their abuse department bounce. Classy.
From: Sapphire Town Real Estate stre@emirates.net.ae
Reply-To: info@sapphiretown.com
To: Redacted
Date: 4 July 2011 19:12
Subject: Labour Camps
Dear Valued Customer,We offer a wide variety of labour camps for rent in ALMUHAISNAH 2nd (Sonapour), AL QUOZ, JEBEL ALI and DIP with your exact requirements and reasonable price.
Labour Camp in Al QuozTotal Rooms = 295Supervisors Rooms = 5Kitchen = 7Dining =7Toilet =117Showers =117Parking for 14 buses and 25 carsPrice = AED 1,250 All Inclusive Labour camp in Al Muhaisnah 2ndTotal Rooms = 140Kitchen = 3Dining = 3Showers = 60Toilets = 60Price = AED 1,200 All Inclusive
Labour Camp for Rent in DIP phase 1Total Room = 70Kitchen & Dining =2Toilet & Showers = 50Price = AED 1,600 All Inclusive
Labour Camp for Rent in Jebel Ali Ind.3Total Rooms = 200Kitchen & Dining = 4Toilets & Showers = 160TV, First Aid, Gym & Service RoomPrice = AED 1,400 All InclusiveIf you have any questions or concerns, please email us directly stre@eim.ae Or call 050-3479984///04-2576603
- Labour Camps & Warehouses for Sale.
- Residential Building For sale in Bur Dubai.
This E-mail has been sent to you as a person interested in the information enclosed. If you have received this e-mail in error please notify theoriginator of the Email If you want your Email to be removed PLEASE reply to info@sapphiretown.com to ''Remove from list''. We sincerely apologize for the possible inconvenience.
Labels:
Dubai,
Etisalat,
Sapphire Town Real Estate,
Spam,
Stupidity
Sunday, 3 July 2011
Fake jobs: europe-cv.net, gb-traffic.com and totaljoblists.net
A trio of domains being used to push fake jobs (such as money mule operations) and other illegal activities, part of this long running series. The domains were registered just yesterday.
europe-cv.net
gb-traffic.com
totaljoblists.net
Avoid any offers soliciting a reply to these domains. If you have an example spam email, please consider sharing it in the comments. Thanks!
europe-cv.net
gb-traffic.com
totaljoblists.net
Avoid any offers soliciting a reply to these domains. If you have an example spam email, please consider sharing it in the comments. Thanks!
Labels:
Job Offer Scams,
Lapatasker,
Money Mule,
Russia,
Scams
Thursday, 30 June 2011
Fake jobs: au-jobposition.com
Another domain being used to promote money laundering jobs or other criminal enterprises is au-jobposition.com which forms part of this long-running scam.
As usual, avoid. If you have any samples, please consider posting them in the comments section.
As usual, avoid. If you have any samples, please consider posting them in the comments section.
Labels:
Job Offer Scams,
Lapatasker,
Money Mule,
Russia,
Scams
Tuesday, 28 June 2011
Fake jobs: greece-joblist.com and italia-lavoro.net
A pair of domains offering fake money mule jobs or reshipping mule jobs, the greece-joblist.com and italia-lavoro.net domains seem to be targeting Italian and Greek victims and form part of this long running scam.
If you have any examples (especially non-English ones) please share them in the comments!
If you have any examples (especially non-English ones) please share them in the comments!
Labels:
Greece,
Italy,
Job Offer Scams,
Lapatasker,
Money Mule,
Russia,
Scams
Sunday, 26 June 2011
yahoolink.php / DreamHost hack
It appears that a lot of DreamHost (New Dream Network LLC) sites have been hacked with malicious pages added to them. The issue impacts multiple servers at different DreamHost datacenters. Some sample IPs with infected sites include:
67.205.1.63
67.205.3.51
67.205.3.230
69.163.168.135
69.163.169.247
69.163.181.205
69.163.184.86
75.119.217.8
Given that the hacked pages all contain the string yahoolink.php then it is possible that these attacks are using a PHP vulnerability. The pages are then promoted through spam email. You can simply (carefully) search for "yahoolink.php" in your favourite search engine to see the scope of the problem.
People who click on the link get redirected through several steps:
vedrozhuk7.com
63.226.210.102
NETPOINT, Utah
(no domain)
188.229.90.71
Securvera SRL, Romania
www.medi-corp24-7.com
94.60.121.34
Cover Sun Design SRL, Romania
The endpoint appears to be a standard fake pharmacy site, I couldn't see any malicious code but that could always change.
With Romanians hosts I recommend a one-strike policy.. i.e. block the whole lot as soon as you come across a netblock with malicious activity. Unless you have business dealings with Romania, then any traffic to a Romanian host is likely to be malware or spam related. So in this case, blocking 188.229.90.0/23 and 94.60.120.0/22 will probably do no harm.
67.205.1.63
67.205.3.51
67.205.3.230
69.163.168.135
69.163.169.247
69.163.181.205
69.163.184.86
75.119.217.8
Given that the hacked pages all contain the string yahoolink.php then it is possible that these attacks are using a PHP vulnerability. The pages are then promoted through spam email. You can simply (carefully) search for "yahoolink.php" in your favourite search engine to see the scope of the problem.
People who click on the link get redirected through several steps:
vedrozhuk7.com
63.226.210.102
NETPOINT, Utah
(no domain)
188.229.90.71
Securvera SRL, Romania
www.medi-corp24-7.com
94.60.121.34
Cover Sun Design SRL, Romania
The endpoint appears to be a standard fake pharmacy site, I couldn't see any malicious code but that could always change.
With Romanians hosts I recommend a one-strike policy.. i.e. block the whole lot as soon as you come across a netblock with malicious activity. Unless you have business dealings with Romania, then any traffic to a Romanian host is likely to be malware or spam related. So in this case, blocking 188.229.90.0/23 and 94.60.120.0/22 will probably do no harm.
Labels:
DreamHost,
Injection Attacks,
PHP,
Romania
Thursday, 23 June 2011
Peteris Sahurovs and Marina Maslobojeva arrested: Sagade hopefully busted
Another victory for the good guys, according to El Reg.
Sagade seemed to be linked to a number of other Latvian outfits, so hopefully this will make a major dent in malicious activity from that country. Until it gets cleaned up though, Latvian netblocks should still be treated with suspicion.
The FBI have a press release about it here.
The Department of Justice and the FBI have cracked an international scareware ring believed to have scammed over $72m (£45m).Although there are several bad hosts in Latvia, the one that really stands out is Sagade Ltd. And it looks very much as if Peteris Sahurovs worked for Sagade, his screen name on the internet was piotrek89 which was also the abuse address for the Sagade network.
The gang screwed money out of more than a million victims. They installed software on their computers which falsely claimed to have detected viruses or malware. The gang then took payment for supposedly cleaning up the machines.
22-year-old Peteris Sahurovs and 23-year-old Marina Maslobojeva were arrested in Latvia on charges made in court in Minnesota.
Sagade seemed to be linked to a number of other Latvian outfits, so hopefully this will make a major dent in malicious activity from that country. Until it gets cleaned up though, Latvian netblocks should still be treated with suspicion.
The FBI have a press release about it here.
Labels:
Evil Network,
Latvia,
Sagade Ltd
Fake job domains 23/6/11
Another day, another set of fake job domains forming part of this long-running scam. The domains were registered just two days ago to a presumably fictitious character called "Leonid Pravduk".
au-joblists.com
europ-joblist.com
gb-totaljob.com
uk-joblists.com
us-joblists.com
The "job" being offered is usually something like a money mule or taking part in a reshipping scam. In any case, the so-called job is illegal and should be avoided.
If you have a copy of a sample email, please share it in the comments section!
au-joblists.com
europ-joblist.com
gb-totaljob.com
uk-joblists.com
us-joblists.com
The "job" being offered is usually something like a money mule or taking part in a reshipping scam. In any case, the so-called job is illegal and should be avoided.
If you have a copy of a sample email, please share it in the comments section!
Labels:
Job Offer Scams,
Lapatasker,
Money Mule,
Russia,
Scams
Wednesday, 22 June 2011
Some malware sites to block
These domains are associated with the Win32/FakeRean "Fake anti-virus" trojan, and are worth blocking.
The Comodo report for this bit of nastiness is here.
Domain | IP |
laxesepaweno.com | 50.23.83.40 |
fugegewulevu.com | 50.23.83.41 |
tepucazij.com | 50.23.83.42 |
cuhucupivu.com | 50.23.84.216 |
sirakapofeti.com | 50.23.84.217 |
zenevakyfa.com | 50.23.84.218 |
tuwynaropotit.com | 50.23.193.236 |
cikipihigilani.com | 50.23.193.237 |
pifajeniwyt.com | 50.23.193.238 |
wumytaxuboly.com | 50.23.200.56 |
tevisuwapucumu.com | 76.73.85.251 |
jicylegavade.com | 76.73.85.252 |
dolagomosu.com | 85.17.239.191 |
bumucewafypevy.com | 85.17.239.192 |
xaqygacatewuk.com | 85.17.239.198 |
mysupigaqyme.com | 173.193.196.178 |
zypomamuzosa.com | 173.249.145.53 |
nylujusofo.com | 173.249.145.54 |
qajivehucewupo.com | 173.249.145.55 |
wyduzylys.com | 174.36.220.136 |
vyqivaneh.com | 174.36.220.136 |
litubibam.com | 174.36.220.138 |
pykolujij.com | 188.240.32.162 |
gyravatimak.com | 188.240.32.163 |
dubacobimude.com | 188.240.32.164 |
waliwetixybuk.com | 204.45.41.82 |
tixirukemosa.com | 204.45.41.83 |
sumuryvynuh.com | 204.45.41.84 |
dazixydecamur.com | |
cadyfahirecyci.com | |
myfofeviqilo.com |
The Comodo report for this bit of nastiness is here.
Labels:
Fake Anti-Virus,
Trojans
Tuesday, 21 June 2011
"Federal Tax transfer rejected" malware
I've never paid taxes to the IRS and I don't intend to now..
The spam attempts (and fails) to download malware from uhkusrrthyjshjfd.cz.cc (89.208.149.215, Russia) via IRS-REPORTS-WEB-FILE-6856.INFO (parked at Godaddy). In my opinion, all .cz.cc domains are suspect and are worth blocking.
From: Jeannette_Case@irs.gov
Date: 21 June 2011 11:16
Subject: Federal Tax transfer rejected
Your federal Tax payment (ID: 632869994691), recently from your checking account was canceled by the your Bank.
Canceled Tax transfer Tax Transaction ID: 632869994691 Reason of rejection See details in the report below FederalTax Transaction Report
tax_report_632869994691.pdf.exe (self-extracting
archive, Adobe PDF)
Internal Revenue Service, Metro Plex 1, 8401 Corporate Drive, Suite 300, Landover, MD 20785
The spam attempts (and fails) to download malware from uhkusrrthyjshjfd.cz.cc (89.208.149.215, Russia) via IRS-REPORTS-WEB-FILE-6856.INFO (parked at Godaddy). In my opinion, all .cz.cc domains are suspect and are worth blocking.
Update 28/9/11: a new version of this email is doing the rounds. This DOES successfully infect vulnerable machines, I will try to find more details.
Nokia N9. Beautiful but doomed.
I've always been a fan of big Nokias, especially the Communicator series. My collection includes a Nokia E90, Nokia 9500, Nokia 9110i, a Nokia 770 tablet and even the rare Nokia 7710 touchscreen phone.
So I should be pretty excited by the Nokia N9. Well, yes.. actually I am excited by the N9 which is Nokia's most powerful phone to date. There's a lovely big OLED screen, a relatively fast processor, lots of memory and the interesting looking MeeGo operating system as well.
But will I be buying one? Probably not. MeeGo is doomed. Nokia announced a switch to Windows earlier this year, but the MeeGo-powered N9 was already in development and is now official. However, it's quite likely that we won't see another MeeGo device from Nokia, leaving the N9 as an orphan. And an expensive orphan at that.
The N9 really should have been announced over a year ago to follow up from the N900, as it is it's a beautiful but ultimately doomed device.. which is quite sad. Perhaps there will be some bargain ones on eBay in the future though..
[Via]
So I should be pretty excited by the Nokia N9. Well, yes.. actually I am excited by the N9 which is Nokia's most powerful phone to date. There's a lovely big OLED screen, a relatively fast processor, lots of memory and the interesting looking MeeGo operating system as well.
But will I be buying one? Probably not. MeeGo is doomed. Nokia announced a switch to Windows earlier this year, but the MeeGo-powered N9 was already in development and is now official. However, it's quite likely that we won't see another MeeGo device from Nokia, leaving the N9 as an orphan. And an expensive orphan at that.
The N9 really should have been announced over a year ago to follow up from the N900, as it is it's a beautiful but ultimately doomed device.. which is quite sad. Perhaps there will be some bargain ones on eBay in the future though..
[Via]
Sunday, 19 June 2011
Fake job domains 19/6/111
A whole batch of domains advertising fake jobs today (mostly money mule operations). These were are registered two days ago to the fictitious "Leonid Pravduk" registrant that we have seen recently, and form part of the very long running "Lapatasker" series of scam domains.
europe-hire.net
green-westeurope.com
hosting-europ.com
newgreen-europ.com
traffic-europ.com
us-totaljob.com
usa-totaljob.com
Avoid these, basically.. but if you do have a sample email, feel free to share it in the comments.
europe-hire.net
green-westeurope.com
hosting-europ.com
newgreen-europ.com
traffic-europ.com
us-totaljob.com
usa-totaljob.com
Avoid these, basically.. but if you do have a sample email, feel free to share it in the comments.
Labels:
Job Offer Scams,
Lapatasker,
Money Mule,
Russia,
Scams
Friday, 17 June 2011
Fake jobs: totaljob-eu.com
Another day, another fake job domain used for contacting potential money laundering mules, this time totaljob-eu.com which is a part of this long-running scam.
The domain was registered just yesterday to the new "Leonid Pravduk" persona that the scammers seem to be using. Avoid.
The domain was registered just yesterday to the new "Leonid Pravduk" persona that the scammers seem to be using. Avoid.
Leonid Pravduk
Email: leonpravduk@yahoo.com
Organization: Leonid Pravduk
Address: ul.Beregovaya 13-2
City: Doneck
State: Doneckaya
ZIP: 83000
Country: UA
Phone: +3.80443582153
Email: leonpravduk@yahoo.com
Organization: Leonid Pravduk
Address: ul.Beregovaya 13-2
City: Doneck
State: Doneckaya
ZIP: 83000
Country: UA
Phone: +3.80443582153
Labels:
Job Offer Scams,
Lapatasker,
Money Mule,
Russia,
Scams
Thursday, 16 June 2011
SMS Spam: "You have still not claimed the compensation you are due.."
These mystery ambulance-chasing SMS spammers are at it again:
If you get one of these, forward the message to 7726 ("SPAM") on T-Mobile, O2, Orange or Three. If you are a Vodafone customer, forward it to 87726 ("VSPAM"). Your carrier should be able to block the spammer's number and with enough evidence may be able to take action against them.
Update: 3's spam reporting number is 37726 (3SPAM). Thanks for the tip, Richard!
You have still not claimed the compensation you are due for the accident you had. To claim then pls reply CLAIM. To opt out text STOPIn this case the spam comes from +44749353036, but the spammers rotate numbers regularly as they get blacklisted.
If you get one of these, forward the message to 7726 ("SPAM") on T-Mobile, O2, Orange or Three. If you are a Vodafone customer, forward it to 87726 ("VSPAM"). Your carrier should be able to block the spammer's number and with enough evidence may be able to take action against them.
Update: 3's spam reporting number is 37726 (3SPAM). Thanks for the tip, Richard!
Fake jobs: cosulting-eu.com and espana-cvbase.com
Two more fake domains in the long-running "Lapatasker" series:
cosulting-eu.com
espana-cvbase.com
The registration details have changed (see below), but otherwise this is the same old attempt to recruit people for money laundering. Avoid.
cosulting-eu.com
espana-cvbase.com
The registration details have changed (see below), but otherwise this is the same old attempt to recruit people for money laundering. Avoid.
Leonid Pravduk Email: leonpravduk@yahoo.com Organization: Leonid Pravduk Address: ul.Beregovaya 13-2 City: Doneck State: Doneckaya ZIP: 83000 Country: UA Phone: +3.80443582153
Labels:
Job Offer Scams,
Lapatasker,
Money Mule,
Russia,
Scams
Tuesday, 14 June 2011
SMS Spam: "URGENT! If you took out a Bank Loan prior to 2007.."
This SMS spam is probably from the same bunch of scumbags who brought you this long-running ambulance chasing spam.
Since they don't honour TPS opt-outs, then they are probably not to be trusted.. whoever they are.
If you get one of these, forward the message to 7226 ("SPAM") on T-Mobile, O2 or Orange.. If you are a Vodafone customer, forward it to 87726 ("VSPAM"), on Three the number is 37726 ("3SPAM") Your carrier should be able to block the spammer's number and with enough evidence may be able to take action against them.
If you see any other telephone numbers for this, please consider letting us known through a Comment.
In this case the SMS came from +447591233963, but the spammers vary these all the time to avoid getting blocked.(Update 28/9 they are now using +447968780878 and +447968766208. Update 30/9 and now +44798044443)URGENT! If you took out a Bank Loan prior to 2007 then you are almost certainly entitled to £2300 in compensation. To claim text 'YES'. Free to apply.
Since they don't honour TPS opt-outs, then they are probably not to be trusted.. whoever they are.
If you get one of these, forward the message to 7226 ("SPAM") on T-Mobile, O2 or Orange.. If you are a Vodafone customer, forward it to 87726 ("VSPAM"), on Three the number is 37726 ("3SPAM") Your carrier should be able to block the spammer's number and with enough evidence may be able to take action against them.
If you see any other telephone numbers for this, please consider letting us known through a Comment.
Fake jobs: usa-jobslist.com
Another addition to this long running scam, usa-jobslist.com is freshly registered and will be used to attempt to recruit people for money laundering and other illegal activities. Avoid.
Labels:
Job Offer Scams,
Lapatasker,
Money Mule,
Russia,
Scams,
Spam
Monday, 13 June 2011
Fake jobs: gb-offerlist.com, high-webtraffic.com and traffic-dc.com
More fake job offers.. or at least more fake something from the crew behind the "Lapatasker" series of dodgy domains:
gb-offerlist.com
high-webtraffic.com
traffic-dc.com
The shift in domain names might mean a shift in tactics, but be assured that any solicitation you get from these email addresses will be a scam.
gb-offerlist.com
high-webtraffic.com
traffic-dc.com
The shift in domain names might mean a shift in tactics, but be assured that any solicitation you get from these email addresses will be a scam.
Labels:
Job Offer Scams,
Lapatasker,
Money Mule,
Russia,
Scams,
Spam
Thursday, 9 June 2011
Fake jobs: europe-joblist.com
Another fake "Lapatasker" job offer domain, europe-joblist.com was registered just yesterday to "Aleksej Iliin".
The standard pitch is for a job that actually involves money laundering or some other criminal activity. Avoid.
The standard pitch is for a job that actually involves money laundering or some other criminal activity. Avoid.
Labels:
Job Offer Scams,
Lapatasker,
Russia,
Scams,
Spam
Wednesday, 8 June 2011
94.244.80.7 / bookpolo.com / booksolo.com / bookgusa.com injection attacks
The crew responsible for the LizaMoon and Worid-Of-Books.com are back with a new set of injection attacks, this time hosted on 94.244.80.7 in Lithuania.
The following domains are currently in use:
bookaros.com
bookarra.com
bookavio.com
bookdolo.com
bookfula.com
bookgusa.com
bookmonn.com
bookmono.com
bookmylo.com
booknunu.com
bookpolo.com
booksgou.com
booksoco.com
booksolo.com
booktuba.com
bookvila.com
bookvivi.com
bookvoxy.com
bookzoul.com
bookzula.com
Registrant details are familiar and fake:
Injection attacks seem to be either trying to insert an anchor with the word "book" pointing to one of the bad sites, presumably as a "Worid of Books"-type SEO campaign, or alternatively they are using the ur.php approach the LizaMoon used.
The whole 94.244.64.0/18 block looks toxic and is worth blocking. I'll post more details on that when I get the time.
The following domains are currently in use:
bookaros.com
bookarra.com
bookavio.com
bookdolo.com
bookfula.com
bookgusa.com
bookmonn.com
bookmono.com
bookmylo.com
booknunu.com
bookpolo.com
booksgou.com
booksoco.com
booksolo.com
booktuba.com
bookvila.com
bookvivi.com
bookvoxy.com
bookzoul.com
bookzula.com
Registrant details are familiar and fake:
JamesNorthone James Northone jamesnorthone@hotmailbox.com +1.5168222749 fax: +1.5168222749 128 Lynn Court Plainview NY 1180
us
Injection attacks seem to be either trying to insert an anchor with the word "book" pointing to one of the bad sites, presumably as a "Worid of Books"-type SEO campaign, or alternatively they are using the ur.php approach the LizaMoon used.
The whole 94.244.64.0/18 block looks toxic and is worth blocking. I'll post more details on that when I get the time.
Labels:
Injection Attacks,
Lithunia,
LizaMoon
Tuesday, 7 June 2011
Fake jobs: allconsult-eu.com, es-joblist.com and us-joblist.com
Another bunch of fake "Lapatasker" job offers, part of a long-running series. Jobs offered will including such illegal activities as money laundering and receiving stolen goods, so worth avoiding.
allconsult-eu.com
es-joblist.com
us-joblist.com
Contact details on the domain are probably fake ("Aleksej Iliin" again):
All domains were registered on 5th June.
allconsult-eu.com
es-joblist.com
us-joblist.com
Contact details on the domain are probably fake ("Aleksej Iliin" again):
Aleksej Iliin
Email: abolan@mail.org
Organization: Private person
Address: Okruzhnaya ul. d.5 kv.4
City: Moskva
State: Moskovskaya obl.
ZIP: 183124
Country: RU
Phone: +7.4959424617
Fax: +7.4959424617
Email: abolan@mail.org
Organization: Private person
Address: Okruzhnaya ul. d.5 kv.4
City: Moskva
State: Moskovskaya obl.
ZIP: 183124
Country: RU
Phone: +7.4959424617
Fax: +7.4959424617
All domains were registered on 5th June.
Labels:
Job Offer Scams,
Lapatasker,
Russia,
Scams,
Spam
Tuesday, 31 May 2011
Liver Transplant spam
A weird one here.. somebody offering bits of their liver for sale. Of course it could be a scam, but it might even be genuine (which is perhaps more disconcerting). Originating IP address is 95.167.110.9 in Russia.
From: Alex alexsilpo@yahoo.com
Date: 30 May 2011 10:37
subject: Liver transplant.
Hello.
I found your e-mail adress on medical site of transplant and liver problems.
My name is Alex, I am 31 years european man, I never drank alcohol and did not smoke cigarettes, my blood is O+ and I have a good health. If you need liver transplant I am ready to give part of my liver, but I want to receive a big compensation for that...
If you do not need liver transplant, but you know somebody who need it, please send my message to this person or keep it just in case.
alexsilpo@yahoo.com
alexsilpo@hotmail.com
alexsilpoeu@yandex.ua
Alex
P.S. If I was mistaken, I am sorry, I will not disturb you any more.
Fake jobs: 1new-position.com, gb-hire.net, gb-jbprogramm.com, online-vacancy.net and us-vacancy.net
Another installment of this long-running job scam, the following domains are newly registered (2 days ago) and are most likely to be used to recruit people for money laundering and other criminal activities. Avoid.
1new-position.com
gb-hire.net
gb-jbprogramm.com
online-vacancy.net
us-vacancy.net
Domains are registered to the "Aleksej Iliin" persona that we have seen many times before.
1new-position.com
gb-hire.net
gb-jbprogramm.com
online-vacancy.net
us-vacancy.net
Domains are registered to the "Aleksej Iliin" persona that we have seen many times before.
Labels:
Job Offer Scams,
Lapatasker,
Scams,
Spam
Subscribe to:
Posts (Atom)