Monday, 3 October 2011

Something evil on 46.16.240.13

There's something evil on 46.16.240.13 that forms part of a banking trojan. Whatever the trojan is, it sends traffic to a set of randomly generated domains with a URL ending in pontis.com/index.php.

Most of these domains aren't registered at present, but a few are and they live on 46.16.240.13 with nameservers at 46.16.240.14 and 46.16.240.15. This IP belongs to iNet in the Ukraine. I suggest blocking 46.16.240.0/24 completely, as every site I have ever seen there has been malicious.
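As an added illustration (not code from the original post), here is a small log-scanning check that flags the two indicators described above: a host of four random letters followed by apontis.com requesting /index.php, and any destination inside 46.16.240.0/24. The log lines and field layout are constructed for the example.

```python
import ipaddress
import re

# Constructed sample log lines for illustration (not from the original post).
# Fields: timestamp, client IP, destination host, destination IP, request path.
SAMPLE_LOG = """\
2011-10-03T09:14:02Z 10.0.0.15 bdpeapontis.com 46.16.240.13 /index.php
2011-10-03T09:14:05Z 10.0.0.15 www.example.com 93.184.216.34 /
2011-10-03T09:15:11Z 10.0.0.22 zvimapontis.com 46.16.240.13 /index.php
2011-10-03T09:16:40Z 10.0.0.22 cdn.example.net 46.16.240.77 /lib.js
2011-10-03T09:17:02Z 10.0.0.31 pontis.com 203.0.113.9 /index.php
"""

# Host pattern the post describes: four random letters followed by "apontis.com".
DGA_HOST = re.compile(r"^[a-z]{4}apontis\.com$")
# Path the post says the trojan requests.
C2_PATH = "/index.php"
# Netblock the post suggests blocking outright.
BLOCKED_NET = ipaddress.ip_network("46.16.240.0/24")


def reasons_for(host, dest_ip, path):
    """Return the list of campaign indicators a single request matches."""
    reasons = []
    if DGA_HOST.match(host):
        reasons.append("dga-host")
        if path == C2_PATH:
            reasons.append("c2-path")
    try:
        if ipaddress.ip_address(dest_ip) in BLOCKED_NET:
            reasons.append("blocked-net")
    except ValueError:
        # Malformed address: treat as no network match rather than crash.
        pass
    return reasons


def scan(log_text):
    """Parse log lines and return (host, dest_ip, reasons) for each suspicious one."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip malformed lines
        _ts, _client, host, dest_ip, path = fields
        reasons = reasons_for(host.lower(), dest_ip, path)
        if reasons:
            hits.append((host, dest_ip, reasons))
    return hits


if __name__ == "__main__":
    for host, dest_ip, reasons in scan(SAMPLE_LOG):
        print(f"{host} -> {dest_ip}: {', '.join(reasons)}")
```

Note that the bare pontis.com line is not flagged: the pattern needs the four-letter prefix plus "apontis", so the check does not over-match the legitimate-looking base name.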

These domains seem to be active (a full list is at the end of the post including some inactive ones):

bdpeapontis.com
ljroapontis.com
llcpapontis.com
tbnpapontis.com
cuzqapontis.com
bpgwapontis.com
swbxapontis.com


WHOIS details:

bdpeapontis.com
   Frederic Ebner frederic_ebners@yahoo.com
   +1.2136748631 fax: +1.2136748631
   10216 Chrysanthemum Ln.
   Los Angeles CA 90077
   us

ljroapontis.com
   Justo Marquez Sanchez justomarquezsanchez@ymail.com
   +34.659192650 fax: +34.659192650
   Calle Las Monjas, 1
   Granada Granada 18600
   es

llcpapontis.com
   Helmut Koenig koenighelmut@yahoo.com
   +49.1733201046 fax: +49.1733201046
   Oberhofer Str. 26
   Zella-Mehlis Thuringen 98544
   de

tbnpapontis.com
   Armin Blocher arminblocher@rocketmail.com
   +49.02771801325 fax: +49.02771801325
   Langgasse 1
   Dillenburg Niedersachsen 35685
   de

cuzqapontis.com
   Denis Goertz denis.goertz@yahoo.com
   +49.1639836914 fax: +49.1639836914
   hochstr. 61
   Nettetal Lobberich Sachsenanhalt 41334
   de

bpgwapontis.com
   Pius Walleser walleser32@yahoo.com
   +49.1754218358 fax: +49.1754218358
   Kesslerstrasse 5
   Breisach Sachsen-Anhalt 79206
   de

swbxapontis.com
   Denis Goertz denis.goertz@yahoo.com
   +49.1639836914 fax: +49.1639836914
   hochstr. 61
   Nettetal Lobberich Sachsenanhalt 41334
   de

These registrant details have been used in malicious sites before, see "some German scam sites" for more details.

I don't know what trojan is causing this, or how the machine got infected. If you have any more details, please consider sharing them in the Comments. Thanks!

Expanded list:

Fake jobs: firstjob-market.com, tech-newposition.com and ukjob-market.com

Three new fake job domains today, apparently forming part of this long-running scam.

firstjob-market.com
tech-newposition.com
ukjob-market.com

Emails sent soliciting replies to these domains may appear to come from your own email address (here's why). The so-called jobs being offered are actually criminal activities such as money laundering.

The no-doubt-fake registrant details are:

    Lucia Geleca
    Email: lucpolema@yahoo.fr
    Organization: Lucia Geleca
    Address: 12 rue des Camelias
    City: Alfortville
    State: Alfortville
    ZIP: 94141
    Country: FR
    Phone: +33.0148934367

Although the address is a genuine one, the registration is almost definitely bogus.

If you have any examples of spam emails "from" these domains, please consider sharing them in the Comments. Thanks!

Thursday, 29 September 2011

lastest-skype-updates.com spam

Here's a spam with a twist.
From: Skype.com skype@[spammer's email redacted for legal reasons]
Reply-To: newsletter@skype-systems.com
Date: 29 September 2011 07:23
Subject: New Updates Have Been Released For Skype ! Download Now

This is to notify that new updates have been released for Skype.

http://www.lastest-skype-updates.com/

Following are major new features :

* Up to 5-way group video call.
* Redesigned calling experience.
* Improved video snapshots gallery.
* Improved browser plugins performance on some websites.
* Reduced false positives on browser plugin phone number recognition.
* New presence icons.
* Improved handling of calling attempts made when the user has run out of credit.
* Improved access to sharing functionality

To download the latest version , go to :

http://www.lastest-skype-updates.com/

Start downloading the update right now and let us know what you think
about it.

Talk soon,

The people at Skype

The email has been sent to an address harvested from the Epsilon data breach. That's not surprising. What is surprising is that it has been sent through a UK company that specialises in selling mailing lists and sending bulk commercial email. Perhaps dealing in stolen data is an honest mistake, but perhaps the ICO would like to make that determination.

DNS resolution for this site seems to flip between 87.106.104.178 [1&1, UK] and 122.224.4.108 [Ninbo Lanzhong Network Ltd, China]. Of these, the Chinese address is the most interesting, with the following slimeware domains hosted:


If you live in the UK and have the technical expertise to identify the owner of the sending IP address, please consider filing a complaint with the ICO to make sure that they understand the issue.

Monday, 26 September 2011

SMS Spam: "Due to a new legislation, those struggling with debt .."

Some sort of debt management spam this time. You can bet that these people will probably charge a lot for their services, and dealing with spammers is usually a bad idea in any case.

Due to a new legislation, those struggling with debt can now apply to have it written off. For Free information reply INFO or to opt-out text stop. Free Text!

In this case, the spam originated from +447977237820, although these numbers change regularly.

If you get one of these, you should forward the spam to your carrier. In the case of T-Mobile, O2 and Orange the number to report to is 7726 ("SPAM"). Vodafone customers should use 87726 ("VSPAM") and Three customers should use 37726 ("3SPAM"). Hopefully the carriers will act if there are enough complaints.

There's a good article about protecting yourself from unscrupulous debt management companies here.

Sunday, 25 September 2011

Fake jobs: hire-position.com and work-position.net

Two new fake job domains with a twist, possibly the same scammers who are behind this long-running spam/scam campaign.

hire-position.com
work-position.net

Domains were registered just yesterday via a Russian registrar to an address in Spain which is most likely fake:

    Ivan Gonsalez
    Email: ivan4gonzalez@yahoo.es
    Organization: Ivan Gonsalez
    Address: P. de Extremadura 151
    City: Madrid
    State: Madrid
    ZIP: 28011
    Country: ES
    Phone: +34.914641145 

This rabbit hole goes a bit deeper than usual, because the ivan4gonzalez@yahoo.es email address has been used before, for the domain girsland.ru:

domain: GIRSLAND.RU
nserver: ns1.strategy-recruiting.org.
nserver: ns2.strategy-recruiting.org.
state: REGISTERED, DELEGATED, UNVERIFIED
person: Private Person
e-mail: ivan4gonzalez@yahoo.es
registrar: REGTIME-REG-RIPN
created: 2011.07.26
paid-till: 2012.07.26
source: TCI

Girsland.ru has a reputation for being spammy and it looks like a typical romance scam site. As with hire-position.com and work-position.net, it's odd that a Spanish address is being used for domains that are either Russian TLD or are being registered through a Russian registrar.

Girsland.ru is hosted on 173.234.8.215 at Ubiquity Server Solutions Atlanta, although it looks like the IP block might be rented out to a company called Nobis Technology Group LLC in Arizona. There are some nasty things going on in that IP neighbourhood according to SiteVet.

What else can we find on 173.234.8.215? It turns out that there's a rich vein of nastiness here.

actionfg.com - "Action Financial. All of your financial services in one place."
Chinese registrar, fake WHOIS details. Fake check scam. [1] [2]
Michael L. Walter
Michael Walter MichaelLWalter@teleworm.com
314-849-7082 fax: 314-849-7011
2523 Ash Avenue
Saint Louis MO 63126
us
NS: ns1.wapcco.net and ns2.wapcco.net

adena-job.com
Chinese registrar, fake WHOIS details. Fake job offers. [3]
Name: Ana Bates
Organization: Ana N. Bates
Address: 789 Pinchelone Street
City: Herndon
Province/state: VA
Country: us
Postal Code: 22090
Email: AnaNBates@ymail.com
NS: ns1.needafishingboat.net and ns2.needafishingboat.net

adenafinance.com - "Adena Finance. All of your financial services in one place."
Chinese registrar, fake WHOIS details.

Eric M. Dillinger
Eric Dillinger EricMDillinger@gmail.com
+1.5305125808 fax: +1.5305125808
1467 Hill Croft Farm Road
Sacramento CA 95814
us
NS: ns1.needafishingboat.net and ns2.needafishingboat.net

arrowfg.com - "Arrow Financial Group"
Chinese registrar, fake WHOIS details. Money mule scam [4] [5]
William K. Breen
William Breen WilliamKBreen@teleworm.com
606-542-3946 fax: 606-542-3922
62 Meadowcrest Lane
Flat Lick KY 40982
us
NS: ns1.careerhiring-solutions.org and ns2.careerhiring-solutions.org

freeblogpro.org - "Surprise!!!"
Chinese registrar, fake WHOIS details. Malware distribution. [6] [7]
Registrant ID:TOD-42629838
Registrant Name:Gertrude Mcmillan
Registrant Organization:Gertrude D. Mcmillan
Registrant Street1:250 Reynolds Alley
Registrant Street2:
Registrant Street3:
Registrant City:Long Beach
Registrant State/Province:CA
Registrant Postal Code:90808
Registrant Country:US
Registrant Phone:+1.5623772946
Registrant Phone Ext.:
Registrant FAX:+1.5623772946
Registrant FAX Ext.:
Registrant Email:GertrudeDMcmillan@gmail.com
NS: NS1.SLOWSTATUS.NET and NS2.SLOWSTATUS.NET

krokodilius8.com
Chinese registrar, fake WHOIS details. Malware distribution. [8]

Richard J. Aguilar
Richard Aguilar RichardJAguilar@gmail.com
+1.2523933705 fax: +1.2523933705
3458 Green Acres Road
Swansboro NC 28584
us
NS: ns1.barcellons.com and ns2.barcellons.com

rdm-gool.net - "Surprise!!!"
Chinese registrar, fake WHOIS details. Probably malware distribution.
Lincoln P. Miller
Lincoln Miller LincolnPMiller@gmail.com
+1.4156774378 fax: +1.4156774378
813 Boring Lane
San Francisco CA 94108
us
NS: ns1.slowstatus.net and ns2.slowstatus.net

recruitarrowfg.com
Chinese registrar, fake WHOIS details. Fake job offers [9] [10]
Name: Fletcher Leach
Organization: Fletcher C. Leach
Address: 180 Deer Ridge Drive
City: Millburn
Province/state: NJ
Country: us
Postal Code: 07041
Email: FletcherCLeach@aol.com
NS: ns1.careerhiring-solutions.org and ns2.careerhiring-solutions.org

superblogonline.org - "Surprise!!!"
Chinese registrar, fake WHOIS details. Malware distribution [11] [12]
Registrant ID:TOD-42637428
Registrant Name:Ernest Thomas
Registrant Organization:Ernest R. Thomas
Registrant Street1:228 Riverside Drive
Registrant Street2:
Registrant Street3:
Registrant City:Athens
Registrant State/Province:GA
Registrant Postal Code:30606
Registrant Country:US
Registrant Phone:+1.7068186834
Registrant Phone Ext.:
Registrant FAX:+1.7068186834
Registrant FAX Ext.:
Registrant Email:ErnestRThomas@aol.com
NS: NS1.SLOWSTATUS.NET and NS2.SLOWSTATUS.NET

thebloggin.net - "Surprise!!!"
Chinese registrar, fake WHOIS details. Malware distribution [13] [14]
Justin R. Martinez
Justin Martinez JustinRMartinez@aol.com
+1.3235224026 fax: +1.3235224026
2898 Evergreen Lane
Pomona CA 91766
us
NS: ns1.slowstatus.net and ns2.slowstatus.net

yourtraveldiary.net - "Surprise!!!"
Chinese registrar, fake WHOIS details. Malware distribution [15]
Name: Paula Huerta
Organization: Paula A. Huerta
Address: 3993 Payne Street
City: Hillsville
Province/state: VA
Country: us
Postal Code: 24343
Email: PaulaAHuerta@gmail.com
NS: ns1.slowstatus.net and ns2.slowstatus.net

Querying the nameservers reveals some more domains that look worth blocking as well. In total, blocking the following related domains will probably be a very good thing to do.


Friday, 23 September 2011

dfrgcc.com injection attack in progress

Thousands of sites are currently being hit by an injection attack pointing to dfrgcc.com/ur.php, a domain registered to someone using the infamous hotmailbox.com domain for email.

   JamesNorthone
   James Northone jamesnorthone@hotmailbox.com
   +1.5168222749 fax: +1.5168222749
   128 Lynn Court
   Plainview NY 11803
   us

The site is hosted on 188.229.88.103 which is the equally infamous Netserv Consult SRL in Romania. 188.229.88.103 hosts the following sites:

These domains are pretty familiar, having previously been hosted in Lithuania. This marks them out as the same people behind the infamous LizaMoon attack.

Netserv Consult SRL host a wide variety of bad sites. Blocking 188.229.0.0/17 (188.229.0.0 - 188.229.127.255) will probably do you no harm.

Thursday, 22 September 2011

Evil network: Relikts BVK / Sagade Ltd (46.252.130.0/23)

Fake jobs: totaljob-us.com

Another fake job offer, part of this long-running series of spam/scam emails.

From: Spam Victim
Sent: 21 September 2011 20:18
To: Spam Victim
Subject: Current Vacancy

Urgente!

Solicitamos personal de cofianza para trabajo a largo plazo en la seccion financiera.
Estudiantes, amas de casa etc...
tambien pueden conseguir trabajo en la empresa, el trabajo no toma mucho tiempo, requiere de mucha responsabilidad.

No es marqueting! Ni nada parecido.
Trabajamos con mas de 10 paises del mundo para hacer nuestras transferencias.
La empresa se dedica a hacer transferencias de dinero local y internacional.

Sus datos personales favor enviar al correo electronico: Ana@totaljob-us.com

Deje su telefono movil para que nuestro operador se contacte con usted.

En espera de sus curriculums,  Ana Sykes

The email appears to come "from" the spam victim (here's why). The domain was registered just yesterday to an "Alexey Kernel" at a fake address in the Ukraine.

Some other "reply to" addresses are:
Casandro@totaljob-us.com
Gad@totaljob-us.com
Prospero@totaljob-us.com
Martirio@totaljob-us.com
Guy@totaljob-us.com
Melvis@totaljob-us.com
Muneca@totaljob-us.com

Subjects include "Current Vacancy", "Job Offer - Flexible Hours", "Get a New Job Today", "Current Open Position", "Administrative Assistant Vacancy" and "Employment Opportunity". Oddly, the subject is in English even though the body of the message is in Spanish.

The jobs offered will be money laundering and other illegal activities. If you have any samples that are different, please consider sharing them in the Comments. Thanks!

Wednesday, 21 September 2011

dossier-ua.com Joe Job

dossier-ua.com is a site that is critical about politics in the Ukraine, and names several individuals and governmental bodies in connection with alleged wrongdoing.

Obviously, they have upset somebody because there is currently a Joe Job campaign against the site, presumably in an attempt to have the site shut down:

Subject: {Snuff filmes|Snuff films}
From: david -at- davidbreach.co.uk
Reply-To: dossieruacom -at- gmail.com

{Hi!|Hello!|Good day!}
You can {see|watch|download} child {pron|porn} and snuff {filmes|films} now for free and without registration.
Just email us what do you want to see (child {pron|porn} or some snuff {filmes|films}) and we will
send you back what did you ordered. Only hardcore cam murders, children fukcing,
awesome bloody maniacs and vrigins may brind you a lot of brillian hours! This is
happened in reality and no any montage so be the one who seen this!

http://dossier-ua.com/?p=852

Contact us to pay for pron:
politblok -at- gmail.com

In this case, the email came from a server called davidbreach.co.uk, a wholly legitimate domain that appears to have been hacked, hosted at Node 4 in the UK. The mail originates from 93.174.141.52 (also Node 4). An examination of the mail headers indicates that it may originally have come from 151.16.60.68, an IP address in Milan, probably a compromised PC.

Dossier-ua.com is a political blog. There is no evidence at all that it is involved in distributing pornography or illegal material. If you receive an email of this nature, you should report it to the abuse address of the sender's IP; it is probably not worth bothering dossier-ua.com's web host.

Evil network: RONET / ro-net.eu (91.229.90.0/23)

RONET (aka. ro-net.eu) seems to be a new netblock occupying the 91.229.90.0/23 (91.229.90.0 - 91.229.91.255) range. This block has several sites recently moved from Netserv Consult SRL (who have a very bad reputation), all of which appear to be involved in criminal activity.

Although the number of sites is very low at present (just 30), the use of a /23 block indicates that perhaps this will be used for more sites very soon. Blocking 91.229.90.0/23 pre-emptively would probably be an excellent idea.

Here are some examples of evilness:

bywordelectronics.com [91.229.90.11]
Money mule scam / fake jobs [1] [2] [3] [4]

admagnet1.com [91.229.90.35]
Malware distribution [5] [6] [7]

eyebluster-sv1.com [91.229.90.37]
Malware distribution [8] [9]

Other domains are registered with fake WHOIS details, which is never a good sign.

The 91.229.90.0/23 range is registered to:

inetnum:         91.229.90.0 - 91.229.91.255
netname:         RONET
descr:           FOP Varovaev Leonid Gennadevich
country:         EU
org:             ORG-VARO1-RIPE
admin-c:         AV6418-RIPE
tech-c:          AV6418-RIPE
status:          ASSIGNED PI
mnt-by:          RIPE-NCC-END-MNT
mnt-lower:       RIPE-NCC-END-MNT
mnt-by:          VAROVAEV-MNT
mnt-routes:      VAROVAEV-MNT
mnt-domains:     VAROVAEV-MNT
source:          RIPE # Filtered

organisation:    ORG-VARO1-RIPE
org-name:        FOP Varovaev Leonid Gennadevich
org-type:        OTHER
address:         H-1120 Budapest,  Street Gabor Denes, 4, Hungary
mnt-ref:         VAROVAEV-MNT
mnt-by:          VAROVAEV-MNT
source:          RIPE # Filtered

person:          Anton Varnai
address:         H-1120 Budapest
address:         Street Gabor Denes, 4
address:         Hungary
abuse-mailbox:   abuse@ro-net.eu
phone:           +3614585544
nic-hdl:         AV6418-RIPE
mnt-by:          VAROVAEV-MNT
source:          RIPE # Filtered

% Information related to '91.229.90.0/23AS6753'

route:           91.229.90.0/23
descr:           RONET
origin:          AS6753
mnt-by:          VAROVAEV-MNT
source:          RIPE # Filtered

Of note is the fact that ro-net.eu was only registered two weeks ago with anonymous registration details. Also, note that although the address is in Hungary, the RONET name would indicate that it still has a ROmanian connection.

Another oddity is that the network announces itself as part of AS17088 which is allocated to Currenex, Inc. There seems to be no connection at all between Currenex, Inc and RONET, so perhaps this is an error or some kind of forgery.

You can find a full list of domains and MyWOT ratings in this CSV file. Alternatively, the currently hosted domains are listed below.


Saturday, 17 September 2011

Fake jobs: careers-consult.com, europe-career.com and usa-newcareer.com

Three new domains used to advertise bogus jobs (which will actually be money laundering or other criminal activities):

careers-consult.com
europe-career.com
usa-newcareer.com


The approach is the same as the domains registered two days ago, and indeed this has been going on for several years. The spam may appear to come from your own email address (here's why).

If you have any sample emails using this domain to solicit replies, please consider sharing them in the Comments. Thanks!

Thursday, 15 September 2011

Fake jobs: ca-jobcareer.com, uk-jobcareer.com and usa-jobcareer.com

Three new domains offering fake jobs, targeting US, UK and Canadian victims:

ca-jobcareer.com
uk-jobcareer.com
usa-jobcareer.com

The "jobs" on offer are typically money laundering and other illegal activities, and form part of this long-running scam. The emails may appear to have been sent from your own account (here's why).

The domains were registered two days ago to "Alexey Kernel" in Kiev, although this is probably a fake name and address.

If you have samples of spam emails using these domains, please consider sharing them in the comments. Thanks!

Wednesday, 14 September 2011

Some fake Bundeskriminalamt and Bundespolizei sites

Here are some more fake sites pretending to be the Bundeskriminalamt and Bundespolizei (agencies of the German Federal Police) which are probably worth blocking, following on from these.

193.105.240.204 [Sia Vps Hosting, Latvia]
bundespolizei-de.net
bundespolizei-de.org
bundespolizei-online.com
dpolg-bundespolizei.org
inter-bundeskriminalamt.org

77.87.229.14 [Invalid pointer to bundespolizei.de]
inter-bundeskriminalamt.eu
dpolg-bundespolizei.org [also on 193.105.240.204]
inter-bundeskriminalamt.org [also on 193.105.240.204]

211.154.153.49 [China Motion Network Communication]
agentbundeskriminalamt.net
bundeskriminalamtde.net
onlinebundeskriminalamt.net
torrentbundeskriminalamt.net

Note that 77.87.229.14 is actually the real IP for bundespolizei.de, but the scammers are pointing their DNS records to it, presumably to cause confusion.

You can safely block access to 193.105.240.0/24 (Sia VPS) without much fear of losing anything important. The Chinese netblock is more mixed, but blocking at least 211.154.153.49 might be a good idea if you are in Germany.

Injection attack: malavasso.com, migraviro.com and montenegrorio.com

Three more domains being used in injection attacks today:

malavasso.com
migraviro.com
montenegrorio.com

The payload is the Sinowal trojan. Malicious software is hosted on 95.64.45.43, which is the well-known, very dark grey hat host Netserv Consult SRL of Romania. Blocking 95.64.0.0/17 (95.64.0.0 - 95.64.127.255) will probably do no harm.

The (possibly fake) registrant for these domains is:
Registrant Contact:
   Xicheng Co.
   Zhong Si Zhongguancun@yahoo.com
   01066569215 fax: 01066549216
   Huixindongjie 15  2
   Beijing Chaoyang 101402
   cn

Administrative Contact:
   Zhong Si Zhongguancun@yahoo.com
   01066569215 fax: 01066549216
   Huixindongjie 15  2
   Beijing Chaoyang 101402
   cn

Technical Contact:
   Zhong Si Zhongguancun@yahoo.com
   01066569215 fax: 01066549216
   Huixindongjie 15  2
   Beijing Chaoyang 101402
   cn

Billing Contact:
   Zhong Si Zhongguancun@yahoo.com
   01066569215 fax: 01066549216
   Huixindongjie 15  2
   Beijing Chaoyang 101402
   cn

bundespol.com is not the Bundespolizei

Another fake Bundespolizei today: bundespol.com is registered through a Chinese registrar and then anonymised through a Chinese WHOIS privacy service.

The site doesn't resolve yet, but it is almost identical to bundespol.net which is fingered in this attack. In that case, the fake Bundespolizei site was hosted on 188.229.97.2 which is Netserv Consult SRL in Romania (incidentally, blocking 188.229.0.0/17 will probably do you no harm).

There's a whole bunch of fake Bundespolizei sites at the moment, but I'm guessing that this particular bunch of scammers may well try the same thing in other countries very soon.

Tuesday, 13 September 2011

Injection attack: cbchhuacyus.com, ibccmsuiyus.com and wbccmquwyus.com

There is currently a Sinowal injection attack doing the rounds, redirecting traffic to the following domains on 46.165.192.97:

cbchhuacyus.com
ibccmsuiyus.com
wbccmquwyus.com

There may well be other domains on the same server, so blocking traffic to 46.165.192.97 would probably be prudent. The payload is being analysed (I will post an update later), but detection rates are not good.

Fake "internationalservicecheck.com" email

International Service Check (internationalservicecheck.com) is a legitimate mystery shopping company based in Germany. This email claims to come from International Service Check, but does not, and it will be some sort of mystery shopping scam instead.

From: INTERNATIONAL SERVICE CHECK / Multisearch GmbH <shopping@internationalservicecheck.com>
Subject: Application for New Mystery Shoppers.
Date: 12 Sep 2011 17:10:21 -0500
Reply-To: adele.green@aol.com

We have a mystery shopping assignment in your area and we would like you to participate

INTERNATIONAL SERVICE CHECK / Multisearch GmbH is accepting applications for qualified individuals to become mystery shoppers. It's fun and rewarding,
and you choose when and where you want to shop. You are never obligated to accept an assignment.
There is no charge to become a shopper and you do not need previous experience. After you sign up, you will have
access to training materials via e-mail, fax or postal mail.

ABOUT US

INTERNATIONAL SERVICE CHECK / Multisearch GmbH is the premier mystery shopping company; serving clients across America with over 500,000
shoppers available and ready to help businesses better serve their customers. Continual investment in the latest internet and
communication technologies coupled with over 16 years of know-how means working with INTERNATIONAL SERVICE CHECK / Multisearch GmbH is a satisfying and
rewarding experience.

Secret shopping has been seen on ABC NEWS, NBC NEWS, L.A.TIMES.
Mystery Shopping provides an insight into what happens when hard won prospective buyers are in contact with your sales and
customer service teams. INTERNATIONAL SERVICE CHECK / Multisearch GmbH’s range of Mystery Shopping services cover every aspect of the customer experience –
on-site and face-to-face, on the telephone and electronically, through your website.

We conduct evaluations by personal visits and/or by E-mail. "Mystery Shoppers" are independent contractors that conduct
"shops", complete online evaluation forms and get paid "per assignment".
We consider our shoppers part of our extended team. Most of our staff, including management, still Mystery Shop
and are aware of the challenges and rewards. We negotiate the best possible compensation for our
shoppers and will not accept business that is unfair to our team. If we wouldn't accept the shop, we don't expect you to.

Stores and organizations such as The Gap, Wal-Mart, Pizza Hut, and Bank One, amongst many others, pay for Secret Shoppers to
shop in their establishments and report their experiences. On top of being paid for shopping you are also allowed to keep
purchases for free. INTERNATIONAL SERVICE CHECK / Multisearch GmbH NEVER charge fees to the shopper. Training, tips for improvement, and shopping
opportunities are provided free to registered shoppers. Mystery shoppers are either paid a pre-arranged fee for a particular shop, a
reimbursement for a purchase or a combination of both.

We boast super fast payouts and expect high quality reporting in return to keep our clients satisfied.

We hold a strong belief in the fact that nothing is more important than the customers' perceptions and this can
only be realized using "real consumers" (YOU) to perform evaluations. The same cannot be said for using
industry insiders or people from within the company, as their opinions are naturally subjective and biased. The
only opinions that count are ones of real consumers since they are the ones making purchases.

You will be required to interact with the shop clerk.

The assignment will pay $150 per assignment

If you feel you are a good candidate, then fill out the application form below
to this email (adele.green@aol.com) and we will get back to you shortly with the assignment:

PERSONAL INFORMATION:

Full Name :
Street Address:
City:
State:
Zip Code:
Cell Phone Number:
Home Phone Number:
Age:
Current Occupation:
Email Address:

AVAILABILITY:

Days/Hours Available

Monday.............................................
Tuesday.............................................
Wednesday.............................................
Thursday.............................................
Friday.............................................
Saturday.............................................


Hours Available: from _______ to ______

We await your urgent response.

Sincerely yours,
Adele Green.
© 2011 INTERNATIONAL SERVICE CHECK / Multisearch GmbH   All Rights Reserved.

If you accept this job offer, then you will not be dealing with International Service Check.

The email originates from a server at 70.32.113.152 which belongs to Fivecube Pte in Singapore (the server is physically in California), although most likely this is either a compromised server or a customer. An examination of the mail headers indicates that it may originate from 69.92.92.47, a Cable One subscriber in Seminole, Oklahoma. The Reply-To address is adele.green@aol.com, although this is probably fake, so do not assume that it really is someone of that name behind it.

Monday, 12 September 2011

bundespolizei-online.com is not the Bundespolizei

bundespolizei-online.com is a fake domain pretending to be the Bundespolizei (German Federal Police). It appears to be part of a malware scam that has been around for a while, where the victim is told that they have done something illegal and need to pay a fine to the police.

The text of the message might vary, but the last scam domain was used in conjunction with a message that read:

Es ist ungesetzliche Tätigkeit enthüllt
Achtung!!!
Ein Vorgang illegaler Aktivitäten wurde erkannt.
Das Betriebssystem wurde im Zusammenhang mit Verstoßen gegen die Gesetze der Bundesrepublik Deutschland gesperrt! Es wurde folgender Verstoß festgestelltt: Ihre IP Adresse lautet "x.x.x.x" mit dieser IP wurden Seiten mit pornografischen Inhalten,Kinderpornographie, Sodomie und Gewalt gegen Kinder aufgerufen Auf Ihrem Computer wurden ebenfalls Videodateien mit pornografischen Inhalten, Elementen von Gewalt und Kinderpornografie festgestellt! Es wurden auch Emails in Form von Spam, mit terroristischen Hintergründen, verschickt. Diese Sperre des Computers dient dazu, Ihre illegalen Aktivitäten zu unterbinden.
Ihre IP: x.x.x.x
Location: XXXXX
ISP: XXXXX
Um die Sperre des Computers aufzuheben, sind Sie dazu verflichtet eine Strafe von 100 Euro zu zahlen. Sie haben zwei Möglichkeiten die Zahlung von 100 Euro zu leisten.

    1) Die Zahlung per Ukash begleichen:
    Dazu geben Sie bitte den erworbenen Code in das Zahlungsfeld ein und drücken Sie anschliessend auf OK (haben Sie mehrere Codes,so geben Sie Diese einfach nacheinander ein und drücken Sie anschliessend auf OK) Sollte das System Fehler melden,so müssen Sie den Code per Email (einzahlung@dpolg-bundespolizei.org) versenden.
    2) Die Zahlung per Paysafecard begleichen:
    Dazu geben Sie bitte den erworbenen Code (gegebenfalls inkl. Passwort) in das Zahlungsfeld ein und drücken Sie anschliessend auf OK (haben Sie mehrere Codes,so geben Sie Diese einfach nacheinander ein und drücken Sie anschliessend auf OK) Sollte das System Fehler melden,so müssen Sie den Code per Email(einzahlung@dpolg-bundespolizei.org) versenden.
This roughly translates as:

Illegal activity has been detected
Attention!!!
An instance of illegal activity has been detected.
The operating system has been locked in connection with violations of the laws of the Federal Republic of Germany! The following violation was determined: Your IP address is "x.x.x.x"; from this IP, pages with pornographic content, child pornography, bestiality and violence against children were accessed. Video files with pornographic content, elements of violence and child pornography were also found on your computer! Emails in the form of spam, with terrorist backgrounds, were also sent. This lock on the computer serves to stop your illegal activities.
Your IP: x.x.x.x
Location: XXXXX
ISP: XXXXX
To lift the lock on the computer, you are obliged to pay a fine of 100 Euro. You have two options for making the payment of 100 Euro.

     1) Pay via Ukash:
     To do this, enter the purchased code in the payment field and then press OK (if you have several codes, simply enter them one after another and then press OK). If the system reports an error, you must send the code by email (einzahlung@dpolg-bundespolizei.org).
     2) Pay via Paysafecard:
     To do this, enter the purchased code (including the password, if applicable) in the payment field and then press OK (if you have several codes, simply enter them one after another and then press OK). If the system reports an error, you must send the code by email (einzahlung@dpolg-bundespolizei.org).

A €100 fine for terrorist links and downloading child pornography? Obviously this is nonsense, but the victim might well try to pay to get rid of the trojan.

The bundespolizei-online.com domain is quite interesting to look at. First, there is the WHOIS record:

    Steffen Schüssler
    Email: t-mart-admin@teiekom.de
    Organization: Hostmaster T-Systems
    Address: Vahrenwalder Strasse 240-247
    City: Hannover
    State: Hannover
    ZIP: 30159
    Country: DE
    Phone: +49.43171633486
    Fax: +49.43171633486

It looks legitimate enough. T-Systems is the hosting division of Deutsche Telekom, and the email address looks legitimate at first glance.. but wait, it says teiekom.de and not telekom.de which can't be right.

The domain is registered through the Russian registrar Regtime Ltd. The site bundespolizei-online.com is hosted on 193.105.240.204 in Latvia. Latvia is pretty much a hotbed of crime, and the AS12578 block has a pretty bad reputation, and the whole 193.105.240.0/24 range looks quite toxic. As is common with malicious sites such as this, all the mail is handled by Google.

So.. if you see a message soliciting an email reply to bundespolizei-online.com, or a site running on the same server, then it is malware, and you should try to disinfect your machine using up-to-date antivirus software, or you could try following the instructions here.

Friday, 9 September 2011

Why am I sending myself spam?

One of the most common questions I get about spam is: "Why am I sending myself spam?" The most common answer to this is: "It's a forgery, you are not sending yourself spam at all".

This answer requires some explanation, but the most important thing is that when you see spam that is both "To" and "From" you at the same time, it DOES NOT mean that someone has hacked into your email account. However, if a friend or contact is getting spam email "From" you, then it is quite possible that someone HAS hacked your email account and you should take appropriate action.

These mail forgeries are incredibly simple to do. Part of the problem is that the protocols that email runs on were written in the early 1980s, when there was no such thing as email spam. Basically, when one computer connects to another to send mail, the receiving computer usually trusts whatever the sending computer says about who the sender is.

The conversation between the two computers (C is the sending computer, S is the receiving one) looks something like this:

S: 220 mail.recipient.domain ESMTP
C: HELO sender.domain
S: 250 mail.recipient.domain
C: MAIL FROM:<sender@sender.domain>
S: 250 OK
C: RCPT TO:<recipient@recipient.domain>
S: 250 OK
C: DATA
S: 354 End data with <CR><LF>.<CR><LF>
C: This is the body text of the email.
C: .
S: 250 OK
C: QUIT
S: 221 Bye

What might come as a shock is that the sender's email address specified in "MAIL FROM" can be anything at all, including the same address as the recipient. This is technically known as spoofing (i.e. it is a form of forgery), and it also explains why spam often seems to come from nonsense email addresses. There are some ways of stopping spoofing, such as SPF, but they are not very widely used.

One reason why spammers like to send spam "from" the victim is because it will often get through the victim's spam filters. In general, you should not whitelist your own email address in your spam filter for this reason. Fixing spoofing at a filter level is possible, but every email system and spam filter is different and this is really one for experienced IT support people to resolve for you.
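As an added example (not from the original post), here is a Python script showing the checks a receiving system can make on a "from yourself" message: it compares the From and To headers, pulls the connecting IP from the top Received header, and evaluates that IP against the sender domain's SPF record. The message, the IP addresses and the SPF record are constructed for illustration, and the SPF "lookup" is a dictionary rather than a DNS query; the SPF evaluator handles the general ip4/ip6/all case rather than just this one message.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample (not a real capture): "From" and "To" are the same
# address, but the top Received header shows the connection came from an
# outside IP that the domain's SPF record does not authorise.
SAMPLE = """Received: from mail.example.net (unknown [203.0.113.45])
  by mx.example.org with SMTP; Fri, 9 Sep 2011 10:00:00 +0000
Return-Path: <alice@example.org>
From: alice@example.org
To: alice@example.org
Subject: Cheap watches

This is the body text of the email.
"""

# Constructed SPF records standing in for DNS TXT lookups, so this runs offline.
SPF_RECORDS = {"example.org": "v=spf1 ip4:198.51.100.0/24 -all"}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def parse_spf(record):
    """Split a v=spf1 record into (qualifier, mechanism, argument) terms.
    Only ip4, ip6 and all are evaluated here; include/a/mx would need DNS."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    parsed = []
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        parsed.append((qualifier, mech.lower(), arg))
    return parsed

def check_spf(sender_ip, domain):
    """Evaluate the connecting IP against the domain's SPF policy."""
    record = SPF_RECORDS.get(domain.lower())
    if record is None:
        return "none"  # no policy published: the forgery cannot be detected by SPF
    ip = ipaddress.ip_address(sender_ip)
    for qualifier, mech, arg in parse_spf(record):
        if mech == "all":
            return QUALIFIER_RESULT[qualifier]
        if mech in ("ip4", "ip6") and ip in ipaddress.ip_network(arg, strict=False):
            return QUALIFIER_RESULT[qualifier]
    return "neutral"  # nothing matched and no 'all' term

def analyze_message(raw):
    """Collect what a filter would look at for a 'spam from myself' message."""
    msg = message_from_string(raw)
    from_addr = parseaddr(msg.get("From", ""))[1].lower()
    to_addr = parseaddr(msg.get("To", ""))[1].lower()
    envelope = parseaddr(msg.get("Return-Path", ""))[1].lower()
    # The top-most Received header was added by our own server, so the
    # bracketed IP in it is where the sender really connected from.
    top_received = msg.get_all("Received", [""])[0]
    match = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", top_received)
    sender_ip = match.group(1) if match else None
    domain = envelope.rpartition("@")[2]
    spf = check_spf(sender_ip, domain) if sender_ip and domain else "none"
    return {
        "self_addressed": from_addr == to_addr,
        "sender_ip": sender_ip,
        "spf": spf,
        "likely_forged": from_addr == to_addr and spf in ("fail", "softfail"),
    }

if __name__ == "__main__":
    print(analyze_message(SAMPLE))
```

For the constructed sample the result is an SPF "fail" on a self-addressed message, which is exactly the combination a filter can act on without whitelisting your own address.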

I mentioned a different scenario earlier - one where the mail appears to be "From" a contact. Although superficially it might appear to be similar, in this case it usually means that an email account has been hacked into, typically that of the person the mail is "from". If you receive spam from someone you know, then the best thing to do is contact them offline and let them know that there's a problem.

Thursday, 8 September 2011

9/11 reflections

You've probably noticed that the tenth anniversary of the September 11th attacks is coming around in a few days' time. There's a lot of material around covering all sorts of aspects, but one of the things that I distinctly remember (as a distant observer) was that there were a lot of important things happening, but it was hard to find out what was happening because the 2001-era web couldn't cope with the thirst for information. I wrote about it a few days afterwards because it was probably the first time that the web had to deal with such a monumental news story.

In some respects the situation is very different ten years on. News sites are much more resilient, Twitter gives us real-time updates of major events, YouTube can give us raw eyewitness footage just minutes after things have happened. But the recent attacks in Oslo demonstrate just how fragile technology can still be.

Anyway, you can read my thoughts a decade on here if you like.

Tuesday, 6 September 2011

Fake jobs: allworld-career.com, greece-newcareer.com, new-joboffers.com and worldjob-career.com

Four new domains offering a variety of fake and illegal jobs, part of a very long running series of scam emails.

allworld-career.com
greece-newcareer.com
new-joboffers.com
worldjob-career.com


These fake domains have been set up to solicit replies to bogus job offers, including money laundering and other illegal activities. The emails may appear to have been sent from your own account, but this is a simple forgery and does not mean that your email account has been compromised.

The registrant details are no doubt fake:

    Alexey Kernel
    Email: johnkernel26@yahoo.co.uk
    Organization: Alexey Kernel
    Address: Kreshchatyk Street 34
    City: Kiev
    State: Kiev
    ZIP: 01090
    Country: UA
    Phone: +38.00442794512 

All these domains have been registered in the past couple of days.

If you have a sample spam with one of these in, please consider sharing it in the Comments. Thanks!

Saturday, 3 September 2011

Fake jobs: usa-newcareers.com

usa-newcareers.com is another domain being used to offer fake jobs (usually criminal activities such as money laundering). It is part of this long running scam and is essentially just a variant of us-newcareer.com, registered a few days ago. The domain was registered yesterday to a presumably fake registrant.

One feature of these scam emails is that they appear to come from you; this is just a simple forgery and it does not mean that your mail account has been compromised. If you have any examples of spam using this domain, please consider sharing them in the comments.

Wednesday, 31 August 2011

dpolg-bundespolizei.org is not DPolG or the Bundespolizei

DPolG is a staff association of the German Federal Police (Bundespolizei). So you might expect that dpolg-bundespolizei.org is something to do with the DPolG.. especially as www.dpolg-bundespolizei.org resolves to 77.87.229.14, which is the same IP address as bundespolizei.de, the German Federal Police.

But something is very wrong with this domain. Let's start with the WHOIS details:

Domain ID:D163178250-LROR
Domain Name:DPOLG-BUNDESPOLIZEI.ORG
Created On:30-Aug-2011 11:02:35 UTC
Last Updated On:30-Aug-2011 11:02:35 UTC
Expiration Date:30-Aug-2012 11:02:35 UTC
Sponsoring Registrar:Regtime Ltd. (R1602-LROR)
Status:TRANSFER PROHIBITED
Status:ADDPERIOD
Registrant ID:CO1014850-RT
Registrant Name:ALex Potolot
Registrant Organization:ALex Potolot
Registrant Street1:49-12 Shepherd Street
Registrant Street2:
Registrant Street3:
Registrant City:London
Registrant State/Province:London
Registrant Postal Code:W12 7HF
Registrant Country:GB
Registrant Phone:+44.2073290240
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Registrant Email:apotolot@yahoo.com

It's kind of odd that a German police domain should be registered to a person in the UK using a free email address. But what is odder is that the address does not exist. Although there is a Shepherd Street in London, the postcode is not W12 7HF, that's the postcode for Stanlake Road in Hammersmith. Shepherd Street's postcode begins W1J 7Jx in any case, and there's no number 49 on that road (it is approximately the location of the Park Lane Mews Hotel).

Let's check the nameservers:

Name Server:NS1.NAMESELF.COM
Name Server:NS2.NAMESELF.COM

Nameself.com is the DNS service of the Russian registrar WebNames.ru (aka Regtime Ltd), which is also the domain's registrar. Why would the German police use a Russian registrar?

The next clue is in the MX handlers - these are the servers that handle mail for dpolg-bundespolizei.org:

  dpolg-bundespolizei.org MX (Mail Exchanger) Priority: 20 ALT1.ASPMX.L.GOOGLE.COM
  dpolg-bundespolizei.org MX (Mail Exchanger) Priority: 20 ALT2.ASPMX.L.GOOGLE.COM
  dpolg-bundespolizei.org MX (Mail Exchanger) Priority: 30 ASPMX2.GOOGLEMAIL.COM
  dpolg-bundespolizei.org MX (Mail Exchanger) Priority: 30 ASPMX3.GOOGLEMAIL.COM
  dpolg-bundespolizei.org MX (Mail Exchanger) Priority: 30 ASPMX4.GOOGLEMAIL.COM
  dpolg-bundespolizei.org MX (Mail Exchanger) Priority: 30 ASPMX5.GOOGLEMAIL.COM
  dpolg-bundespolizei.org MX (Mail Exchanger) Priority: 10 ASPMX.L.GOOGLE.COM

So, the domain is using Google for mail handling. DPolG use their own mailservers, not Google.

Something is definitely amiss here, and it wouldn't be the first time that the Bundespolizei name was used for malicious purposes as there has been a recent rash of malware using it. On balance, a domain with a fake UK address registered via a Russian registrar and using Google for mail handling is unlikely to be legitimate. Avoid.


Monday, 29 August 2011

Fake jobs: consult-position.com, instant-job.com, newweb-career.com, uk-bestjob.com and web-newcarer.com

A new set of domains pushing illegal money laundering jobs and other criminal activities as part of this long running operation.

consult-position.com
instant-job.com
newweb-career.com
uk-bestjob.com
web-newcarer.com


Typically, these emails will appear to be "from" you as well as "to" you.. this is just a forgery and it doesn't mean that your mail is hacked.

Don't be tempted by the jobs on offer, typical positions are for money mules, reshipping scams or sometimes back-office functions such as translating emails or signing paperwork. Don't bother replying to the email as no good will come of it.

If you have an example of any emails using this address, please consider sharing it in the Comments. Thanks!

Friday, 26 August 2011

Fake jobs: us-newcareer.com

Operating the same money laundering scam/spam as this batch of domains, and forming part of this very long running scam, the domain us-newcareer.com was freshly registered two days ago.

The jobs offered by anyone soliciting replies to this email address are all criminal activities and should be avoided. The spam email messages may appear to be coming from your own email address, but this is a simple forgery and it does not mean that your computer or mail account is compromised.

If you have examples of spam emails using the domain, please consider sharing them in the Comments. Thanks!

Wednesday, 24 August 2011

Fake jobs: greece-career.com, il-career.com, mc-jobs.com and oae-career.com

Four new domains peddling fake jobs today, forming part of this very long running scam.

greece-career.com
il-career.com
mc-jobs.com
oae-career.com

The "jobs" offered are actually criminal activities such as money laundering. It may be that the email appears to come "from" you as well (the from address is trivially easy to fake, it doesn't mean that your machine is infected with anything).

Domains were registered two days ago to "Alexey Kernel", which is no doubt a fake name.

greece-career.com presumably targets Greek nationals, and il-career.com looks to be targeting Israelis. The other two are less clear, but our best guess is that mc-jobs.com might be targeting Macedonia (but the TLD is .mk) and oae-career.com might be the UAE and is just a typo. This continues the pattern of going after non-English speaking victims who might be fooled more easily by a scam email in their own language.

If you have any examples of this spam, please consider sharing them in the Comments. Thanks!