Following on from yesterday's post, there have been many, many more of these emails with slight variations, presumably ending up with a similar malware infection as before.
If you get an email like this, do NOT click the link! Simply delete it.. if you have clicked the link then it is just possible that your PC is now infected with sometihhg nasty.
From: STALEYMARISELA@aol.com
Date: 16 November 2011 06:08
Subject: Tax Payment ID 8457924507 is failed.
Hello,
Your Federal Tax Payment ID: 9454542999 has been rejected.
Return Reason Code U68 – The identification number used in the Company Identification Field is not valid.
Please, check the information and refer to Code R21 to get details about
your company payment in transaction contacts section:
http://eftpsgov/U0123063643
MARISELA STALEY,
The Electronic Federal Tax Payment System
------------------------------
From: F. K. Gallegos [mailto:Gallegos_1966@nationalbankers.org]
Sent: 16 November 2011 08:59
Subject: ACH debit transfer was not accepted by our bank
Dear Bank Account Owner,
ACH debit transfer initiated by you or on your behalf was not accepted by our bank.
Transaction ID: 1707826560727761
Current status of transaction: declined
Please review transaction details as soon as possible.
D. Y. Gallegos
Treasury Administration
------------------------------
From: Darlene Wong [mailto:Wong_1955@nationalbankers.org]
Sent: 16 November 2011 05:26
Subject: Bill Payment was not accepted by BankUnited Express
Dear Madam / Sir,
Bill Payment sent by you or on your behalf was not accepted by BankUnited Express.
Transaction ID: 17072923276
Current status of transaction: under review
Please review transaction details as soon as possible.
Darlene F. Wong
Treasury Administration
------------------------------
From: Gideon Elkins
Sent: 16 November 2011 18:03
Subject: Re: your Direct Deposit payment ID 239660991991
Attn: Financial Department
Please be notified, that your latest Direct Deposit transaction
(Int. No. 239660991991) was declined, due to your current Direct
Deposit software being out of date. The detailed information
about this matter is available in the secure section of our web
site:
http://peluangusahaonlines.com/57tt9o/index.html
Please refer to your financial institution to acquire the updated
version of the software.
Yours truly,
Gideon Elkins
ACH Network Rules Department
NACHA - The Electronic Payments Association
13450 Sunrise Valley Drive, Suite 100
Herndon, VA 20171
Phone: 703-561-1100 Fax: 703-787-0996
------------------------------
From: Duncan Winkler [mailto:Winkler1939@uba.org]
Sent: 15 November 2011 17:59
Subject: Funds Transfer was not accepted by our bank
Dear bank account holder,
Funds Transfer created by you or on your behalf was not accepted by our bank.
Transaction ID: 1701205726906
Current status of transaction: under review
Please review transaction details as soon as possible.
Duncan Winkler
Customer Support
Austin County State Bank
------------------------------
From: O. Q. Morrison [mailto:Morrison1940@uba.org]
Sent: 15 November 2011 12:35
Subject: ACH payroll payment was not accepted by United Security Bank
Dear Bank Account Owner,
ACH payroll payment initiated by you or on your behalf was not accepted by United Security Bank.
Transaction ID: 17093959546892
Current status of transaction: declined
Please review transaction details as soon as possible.
Gary Morrison
Accounting Management
------------------------------
Date: Wed, 16 Nov 2011 11:42:53 +0530
From: "Aryanna Collins" YBPAryanna@hotmail.com
Subject: Tax Payment ID 3419177910 is failed.
Good morning,
Your Federal Tax Payment ID: 9173073387 has been rejected.
Return Reason Code U78 – The identification number used in the Company Identification Field is not valid.
Please, check the information and refer to Code R21 to get details about
your company payment in transaction contacts section:
http://eftps.gov/U1433600391
Aryanna Collins,
The Electronic Federal Tax Payment System
------------------------------
Date: Wed, 16 Nov 2011 01:05:20 -1100
From: "The Electronic Payments Association" alert@nacha.org
Subject: ACH payment rejected
Attachments: nacha_logo.jpg
The ACH transaction (ID: 8185663180422), recently initiated from your checking account (by you or any other person), was rejected by the Electronic Payments Association.
Rejected transfer
Transaction ID: 8185663180422
Reason for rejection See details in the report below
Transaction Report report_8185663180422.doc (Microsoft Word Document)
13450 Sunrise Valley Drive, Suite 100
Herndon, VA 20171
2011 NACHA - The Electronic Payments Association
------------------------------
Date: Wed, 16 Nov 2011 12:52:10 +0100
From: Bettye_Mcknight@irs.gov
Subject: Rejected Federal Tax transfer
Your Tax transaction (ID: 971900616898), recently initiated from your bank account was rejected by the your financial institution.
Canceled Tax transaction
Tax Transaction ID: 971900616898
Reason for rejection See details in the report below
FederalTax Transaction Report tax_report_971900616898.pdf (Adobe Acrobat Reader Document)
�
�
To e-file your 2010 tax return or other electronic forms, you must verify your identity with your Self-Select PIN or Adjusted Gross Income from your 2009 tax return. If you don't have this information from your 2009 tax return, you can request an Electronic Filing PIN�it's as easy as 1-2-3!
Internal Revenue Service, Metro Plex 1, 8401 Corporate Drive, Suite 300, Landover, MD 20785
------------------------------
Date: Wed, 16 Nov 2011 12:09:36 +0100
From: "The Electronic Payments Association" risk_manager@nacha.org
Subject: Your ACH transaction
Attachments: nacha_logo.jpg
The ACH transfer (ID: 516582351138), recently initiated from your bank account (by you or any other person), was canceled by the other financial institution.
Rejected transaction
Transaction ID: 516582351138
Reason of rejection See details in the report below
Transaction Report report_516582351138.doc (Microsoft Word Document)
13450 Sunrise Valley Drive, Suite 100
Herndon, VA 20171
2011 NACHA - The Electronic Payments Association
------------------------------
Date: Wed, 16 Nov 2011 06:11:50 -0300
From: Helga_Springer@irs.gov
Subject: Federal Tax payment rejected
Your federal Tax transaction (ID: 384736455888), recently from your bank account was rejected by the your Bank.
Canceled Tax transfer
Tax Transaction ID: 384736455888
Reason of rejection See details in the report below
FederalTax Transaction Report tax_report_384736455888.pdf (Adobe Acrobat Reader Document)
ďż˝
ďż˝
Important Information for Home-care Service Recipients
If you are a home-care service recipient who has a previously assigned EIN either as a sole proprietor or as a household employer, do not apply for a new EIN. Use the EIN previously provided. If you can not locate your EIN for any reason, follow the instructions on the Misplaced Your EIN? Web page.
If you are a home-care service recipient who does not have an EIN, do not use the online application to apply for one. You must apply for your EIN using one of the other methods (phone, fax or mail). For additional information, visit the How to Apply for an EIN Web page.
Internal Revenue Service, Metro Plex 1, 8401 Corporate Drive, Suite 300, Landover, MD 20785
------------------------------
Date: Wed, 16 Nov 2011 13:25:11 +0700
From: Marylou Friedman Friedman_1948@icba.org
Subject: Wire Transfer was hold by National Bank of California
Dear Account Owner,
Wire Transfer created by you or on your behalf was hold by National Bank of California.
Transaction ID: 17017200231113028
Current status of transaction: on hold
Please review transaction details as soon as possible.
Marylou S. Friedman
Customer Support
National Bank of California
------------------------------
Date: Tue, 15 Nov 2011 12:01:16 +0000
From: "Yuridia KIRKLAND"
Subject: Fwd: Wire Transfer Confirmation (FED_REFERENCE_6232TI676)
Dear Bank Account Operator,
I regret to inform you that Wire transfer initiated by you or on your behalf was hold by us.
Transaction: 2342937901002077
Current transaction status: Pending
Please review transaction details as soon as possible.
------------------------------
Date: Tue, 15 Nov 2011 07:56:46 -0800
Subject: Fwd: Wire Transfer Confirmation (FED 23160LI34)
Dear Bank Account Operator,
I regret to inform you that Wire transfer initiated by you or on your behalf was hold by us.
Transaction: 408332756171192
Current transaction status: Pending
Please review transaction details as soon as possible.
------------------------------
Date: Wed, 16 Nov 2011 01:13:56 +0900
From: "New York State Police" noreply-401212008@nyc.gov
Subject: UNIFORM TRAFFIC TICKET (ID: 622969718)
New York State ? Department of Motor Vehicles
UNIFORM TRAFFIC TICKET
POLICE AGENCY
NEW YORK STATE POLICE
Local Police Code
THE PERSON DESCRIBED ABOVE IS CHARGED AS FOLLOWS
Time: 7:17 AM
Date of Offense: 04/10/2011
IN VIOLATION OF
NYS V AND T LAW Description of Violation:
SPEED OVER 55 ZONE
TO PLEAD, PRINT CLICK HERE AND FILL OUT THE FORM
------------------------------
Date: Tue, 15 Nov 2011 11:22:33 -0500
From: information@direct.nacha.org
Subject: Your Direct Deposit payment via ACH was declined
Attn: Financial Manager
We regret to notify you,
that your latest Direct Deposit via ACH payment (ID141672824371) was cancelled,
because your current Direct Deposit software version was out of date.
Please use the link below to enter the secure section of our web site and see the details::
www.nacha.org/download/report09809878.pdf
Please apply to your financial institution to get your updated version of the software needed.
Kind regards,
------------------------------
Date: Tue, 15 Nov 2011 20:26:57 +0530
From: info@direct.nacha.org
Subject: Direct Deposit payment was rejected
Dear Sirs,
Herewith we are notifying you,
that your most recent Direct Deposit payment (No.378745855247) was cancelled,
because your current Direct Deposit software version was out of date.
Please visit the secure section of our web site to see the details:
www.nacha.org/download/report09809878.pdf
Please apply to your financial institution to get the necessary updates of the Direct Deposit software.
Yours faithfully,
------------------------------
Date: Tue, 15 Nov 2011 05:48:07 -0800
From: "Abdul N . Moser" Moser1940@vabankers.org
Subject: ACH payroll payment was not accepted by us
Dear Sir/Madam,
I regret to inform you that ACH payroll payment sent by you or on your behalf was not accepted by us.
Transaction ID: 1704692033837
Current status of transaction: pending
Please review transaction details as soon as possible.
Abdul Moser
Accounting Management
First SAvings Bank of Hegewisch
------------------------------
Date: Tue, 15 Nov 2011 16:00:55 +0300
From: forgery16@uncw.edu
Subject: ACH payment canceled
The ACH transfer (ID: 3323817008922), recently initiated from your checking account (by you or any other person), was canceled by the Electronic Payments Association.
Rejected transaction
Transaction ID: 3323817008922
Reason for rejection See details in the report below
Transaction Report report_3323817008922.doc (Microsoft Word Document)
About NACHA
By 1978, it was possible for two financial institutions located anywhere in the United States to exchange ACH payments under a common set of rules and procedures. By 1988, the number of ACH payments exceeded 1 billion annually. By 2001, the volume of ACH payments grew by more than 1 billion in a single year.
To help guide advocacy and related communication activities, NACHA established a Communications and Marketing Advisory Group (CMAG) in early 2010. CMAG brings together practitioners representing ACH Network participants to engage in work efforts to benefit the Network and those who utilize it.
13450 Sunrise Valley Drive, Suite 100
Herndon, VA 20171
2011 NACHA - The Electronic Payments Association
Wednesday 16 November 2011
Monday 14 November 2011
NACHA / Wire Transfer malicious emails
I'm not sure if these three incidents are all related or are just using the same approach, but here goes.
and then
and finally
The first spam leads to a hacked site in Australia (there are probably many others). In turn, this tries to load four scripts to install malware though an HCP attack (Wepawet report here). The scripts are:
lallygag.com/js.js
www.miracleshappenrr.com/images/js.js
kyare.net/js.js
allmemoryram.com/js.js
In all cases, those scripts appear to be on legitimate (but hacked) websites. The final step for that attack is to try to install a malicious Java application from colobird.com/content/import.jar - a domain that is hosted on 216.250.120.100 but one that was only registered very recently.
The second and third emails take a different approach, loading a page at www.btredret.ru/main.php hosted on 93.187.142.38 (S.C. Profisol Telecom S.R.L., Romania). This attemps a Java exploit (Wepawet report here). This IP is part of a small netblock of 93.187.142.32 - 93.187.142.63 (93.187.142.32/27) and can probably safely be blocked, or you could just block the whole /24 if you wanted,
This is an old approach that has been doing the rounds for two years. It must still work though..
Date: Mon, 14 Nov 2011 17:53:54 +0100
Subject: Disallowed Direct Deposit payment
Dear Sirs,
Herewith we are notifying you, that your latest Direct Deposit transaction (No. 60795715105) was disallowed, because of your business software package being out of date. The detailed information about this matter is available in the secure section of our web site:
hxxp://astola.com.au/93oj63/index.html
Please apply to your financial institution to obtain the new version of the software.
Kind regards,
Sidney Gross
ACH Network Rules Department
NACHA - The Electronic Payments Association
13450 Sunrise Valley Drive, Suite 100
Herndon, VA 20171
Phone: 703-561-1100 Fax: 703-787-0996
and then
Date: Mon, 14 Nov 2011 02:42:02 +0530
From: accounting@victimdomain.com
Subject: Fwd: Wire Transfer Confirmation (FED 5697WN59)
Dear Bank Account Operator,
I regret to inform you that Wire transfer initiated by you or on your behalf was hold by us.
Transaction ID: 85802292158295165
Current status of transaction: under review
Please review transaction details as soon as possible.
Bernadette Dickinson
Payments Administration
and finally
Date: Mon, 14 Nov 2011 10:56:29 +0530
From: "HARMONY URBAN" support@federalreserve.gov
Subject: Your Wire Transfer
Good day,
Account: Business Account XXX
Amount: $ 93,056.63
Wire Transfer Report: View
The wire transfer will be processed within 2 hours.
Please make sure that everything is as you requested.
HARMONY URBAN,
Federal Reserve Wire Network
The first spam leads to a hacked site in Australia (there are probably many others). In turn, this tries to load four scripts to install malware though an HCP attack (Wepawet report here). The scripts are:
lallygag.com/js.js
www.miracleshappenrr.com/images/js.js
kyare.net/js.js
allmemoryram.com/js.js
In all cases, those scripts appear to be on legitimate (but hacked) websites. The final step for that attack is to try to install a malicious Java application from colobird.com/content/import.jar - a domain that is hosted on 216.250.120.100 but one that was only registered very recently.
The second and third emails take a different approach, loading a page at www.btredret.ru/main.php hosted on 93.187.142.38 (S.C. Profisol Telecom S.R.L., Romania). This attemps a Java exploit (Wepawet report here). This IP is part of a small netblock of 93.187.142.32 - 93.187.142.63 (93.187.142.32/27) and can probably safely be blocked, or you could just block the whole /24 if you wanted,
This is an old approach that has been doing the rounds for two years. It must still work though..
Friday 11 November 2011
financialstatements.mrsdl.com, nookbizkitsad.com and 94.102.11.168
This is a pretty common virus laden email:
There's a link in the email.. the first port of call is a hacked legitimate website. This gets fowarded to financialstatements.mrsdl.com which then delivers an HCP exploit and tries to encourage the user to download malware.
The download is called updateflash.exe (MD5 31EA43D448086974125E9904AB1BB3C5). Vendor detection is patchy with VirusTotal reporting just 20/43 products detecting it. ThreatExpert have a more detailed analysis here (useful if you are trying to disinfect a machine manually).
financialstatements.mrsdl.com is multihomed on several IP addresses, mostly cable modem customers in Spain for some reason:
71.217.16.172
84.123.147.172
84.124.179.183
84.126.255.46
85.86.48.130
85.219.28.52
178.139.18.243
212.225.172.73
218.216.37.66
Because of the wide range of IPs, blocking access to the entire mrsdl.com domain is probably easiest.
The HCP exploit is hosted on nookbizkitsad.com, hosted on 94.102.11.168 in Turkey. This IP has a whole load of malicious sites on it, blocking access to this IP is probably a good idea. The Wepawet report for this is here.
Sites hosted on in the first "mrsdl.com" cluster include:
code732546teh34.com
mrsdl.com
financialstatements.mrsdl.com
titlefinancialstatements.mrsdl.com
digitalarmory.net
www.digitalarmory.net
worldisfriendly.com
yourowndefence.net
Sites hosted on 94.102.11.168 include:
teomagofagolo3488.co.cc
b3ibw00erdool.co.cc
frolenad.cu.cc
hkjhaqiewjkfasdfpckjhhejrf.cu.cc
m4everything.cu.cc
vjfgmifjdfkepodkfldetrg.cu.cc
kaublog.de
video-games04.ns1.name
gfqnjsqu.findhere.org
oepzvjb.myftp.org
codzicbvrc.myftp.org
dwcninccwc.myftp.org
kensndorqd.myftp.org
zsqnmpulsh.myftp.org
kqusyqj.myftp.org
nonuxbo.myftp.org
lfqcoep.myftp.org
bpocajyjs.myftp.org
orwobrysku.myftp.org
qszmsqjiiw.myftp.org
mexigxzy.myftp.org
ugkuhqerflaspeeeeggva.c0m.li
51se.stnet.nl
42se.stnet.nl
45se.stnet.nl
46se.stnet.nl
nookbizkitsad.com
gmbhsite.com
tvbkjizm.athersite.com
xpicktxr.athersite.com
imrzcsws.athersite.com
kaposuyx.athersite.com
pzwwnzky.athersite.com
coloique.com
rldthxahbw.freetcp.com
khraaqyh.uglyas.com
phpctuqz.assexyas.com
lyeldismnl.zyns.com
nhfeyo.zyns.com
fast.4pu.com
ztxserv1.in
deqiosta83.in
fantome456.in
mastrudinnnne9.in
rdolaminyollwa.in
ogoatl0.dynamic-dns-service.in
ybiyxd1.dynamic-dns-service.in
ijeuhs3.dynamic-dns-service.in
ohoymz4.dynamic-dns-service.in
teanainthernane.in
letingosite.in
clisselaweyzaii.in
fasstasharremi.in
ondayihasanzani.in
lephayndeleiul.in
rceytaronnistem.in
ffodenhenigunn.in
doritahalvarlyn.in
andracybinatono.in
kencexoveduner.in
eretansenoviver.in
preeeederdtt.in
rifaelmarmanlex.in
senaliaricangy.in
nex8.info
pis7ol.info
oalgrul.ddns.info
knyvan.ddns.info
innexts.info
hgkasdfqerofcvvuiajrfaqe.ce.ms
kleopatrik.ce.ms
pyrbvfmk.isgre.at
igazlaxn.bestdeals.at
ftgaxklp.bestdeals.at
schneller-reich.net
schnellerreich.net
schneller-reichshop.net
kopysgud.byinter.net
dzjartdj.byinter.net
bgtecocg.passinggas.net
lggpiiwm.passinggas.net
mhgtmvwm.passinggas.net
tyvsoxtn.isthebe.st
mgascbtp.ontheweb.nu
moiptenchik.ru
moiejik.ru
moisuslik.ru
moikonik.ru
moipesik.ru
fredom.ru
bqredret.ru
horkotov.ru
dfrtwintestingdomainlast222999.com.tw
Subject: ACH Transfer was not accepted by our bankand
Dear Bank Account Operator,
I regret to inform you that ACH Transfer created by you or on your behalf was not accepted by our bank.
Transaction ID: 1709919126682218
Current status of transaction: on hold
Please review transaction details as soon as possible.
Erika Y. Barnes
Treasury Management
Subject: Wire Transfer was not accepted by our bank
Dear Account Holder,
Wire Transfer sent by you or on your behalf was not accepted by our bank.
Transaction ID: 170992225147
Current status of transaction: pending
Please review transaction details as soon as possible.
Katherine Hess
Treasury Administration
There's a link in the email.. the first port of call is a hacked legitimate website. This gets fowarded to financialstatements.mrsdl.com which then delivers an HCP exploit and tries to encourage the user to download malware.
The download is called updateflash.exe (MD5 31EA43D448086974125E9904AB1BB3C5). Vendor detection is patchy with VirusTotal reporting just 20/43 products detecting it. ThreatExpert have a more detailed analysis here (useful if you are trying to disinfect a machine manually).
financialstatements.mrsdl.com is multihomed on several IP addresses, mostly cable modem customers in Spain for some reason:
71.217.16.172
84.123.147.172
84.124.179.183
84.126.255.46
85.86.48.130
85.219.28.52
178.139.18.243
212.225.172.73
218.216.37.66
Because of the wide range of IPs, blocking access to the entire mrsdl.com domain is probably easiest.
The HCP exploit is hosted on nookbizkitsad.com, hosted on 94.102.11.168 in Turkey. This IP has a whole load of malicious sites on it, blocking access to this IP is probably a good idea. The Wepawet report for this is here.
Sites hosted on in the first "mrsdl.com" cluster include:
code732546teh34.com
mrsdl.com
financialstatements.mrsdl.com
titlefinancialstatements.mrsdl.com
digitalarmory.net
www.digitalarmory.net
worldisfriendly.com
yourowndefence.net
Sites hosted on 94.102.11.168 include:
teomagofagolo3488.co.cc
b3ibw00erdool.co.cc
frolenad.cu.cc
hkjhaqiewjkfasdfpckjhhejrf.cu.cc
m4everything.cu.cc
vjfgmifjdfkepodkfldetrg.cu.cc
kaublog.de
video-games04.ns1.name
gfqnjsqu.findhere.org
oepzvjb.myftp.org
codzicbvrc.myftp.org
dwcninccwc.myftp.org
kensndorqd.myftp.org
zsqnmpulsh.myftp.org
kqusyqj.myftp.org
nonuxbo.myftp.org
lfqcoep.myftp.org
bpocajyjs.myftp.org
orwobrysku.myftp.org
qszmsqjiiw.myftp.org
mexigxzy.myftp.org
ugkuhqerflaspeeeeggva.c0m.li
51se.stnet.nl
42se.stnet.nl
45se.stnet.nl
46se.stnet.nl
nookbizkitsad.com
gmbhsite.com
tvbkjizm.athersite.com
xpicktxr.athersite.com
imrzcsws.athersite.com
kaposuyx.athersite.com
pzwwnzky.athersite.com
coloique.com
rldthxahbw.freetcp.com
khraaqyh.uglyas.com
phpctuqz.assexyas.com
lyeldismnl.zyns.com
nhfeyo.zyns.com
fast.4pu.com
ztxserv1.in
deqiosta83.in
fantome456.in
mastrudinnnne9.in
rdolaminyollwa.in
ogoatl0.dynamic-dns-service.in
ybiyxd1.dynamic-dns-service.in
ijeuhs3.dynamic-dns-service.in
ohoymz4.dynamic-dns-service.in
teanainthernane.in
letingosite.in
clisselaweyzaii.in
fasstasharremi.in
ondayihasanzani.in
lephayndeleiul.in
rceytaronnistem.in
ffodenhenigunn.in
doritahalvarlyn.in
andracybinatono.in
kencexoveduner.in
eretansenoviver.in
preeeederdtt.in
rifaelmarmanlex.in
senaliaricangy.in
nex8.info
pis7ol.info
oalgrul.ddns.info
knyvan.ddns.info
innexts.info
hgkasdfqerofcvvuiajrfaqe.ce.ms
kleopatrik.ce.ms
pyrbvfmk.isgre.at
igazlaxn.bestdeals.at
ftgaxklp.bestdeals.at
schneller-reich.net
schnellerreich.net
schneller-reichshop.net
kopysgud.byinter.net
dzjartdj.byinter.net
bgtecocg.passinggas.net
lggpiiwm.passinggas.net
mhgtmvwm.passinggas.net
tyvsoxtn.isthebe.st
mgascbtp.ontheweb.nu
moiptenchik.ru
moiejik.ru
moisuslik.ru
moikonik.ru
moipesik.ru
fredom.ru
bqredret.ru
horkotov.ru
dfrtwintestingdomainlast222999.com.tw
Thursday 10 November 2011
Rove Digital and Vladimir Tsastsin busted.
If you work in IT Security, you'll probably remember the names EstDomains and EstHost, part of a criminal organisation called Rove Digital headed by Vladimir Tsastsin (pictured).
Finally, the FBI and Estonia authorities have arrested Tsastsin and some of his associates, and have effectively ended one of the biggest organised crime rings around.
The good guys are no doubt celebrating that the online world is just a little bit safer today.. read more at Brian Krebs's blog.
Finally, the FBI and Estonia authorities have arrested Tsastsin and some of his associates, and have effectively ended one of the biggest organised crime rings around.
The good guys are no doubt celebrating that the online world is just a little bit safer today.. read more at Brian Krebs's blog.
Labels:
Estonia,
Evil Network
Tuesday 8 November 2011
Something evil on 193.106.174.220 and 91.194.214.66
193.106.174.220 and 91.194.214.66 and are a pair of IP addresses that appear to be involved in injection attacks, possibly distributing the Blackhole exploit kit.
Blocking these two IPs as a precaution is probably a good idea. A full list of the known domains on those two servers is at the bottom of the post, but blocking access to the following domains is an easy shortcut to block most of them:
cu.cc
ddns.me.uk
orge.pl
dyndns-office.com
mrface.com
ns01.us
ns02.us
myftp.name
ddns.name
itsaol.com
port25.biz
91.194.214.66
pikapika.cu.cc
adsense-google.cu.cc
mariocart.cu.cc
79574.mynumber.org
ghjgh.ddns.me.uk
rotterdam.osa.pl
1asd-patricia.orge.pl
1benz-pizza.orge.pl
1napoleon-wizard.orge.pl
3mercury-joyce.orge.pl
1pad-george.orge.pl
2melissa-file.orge.pl
1develop-profile.orge.pl
2tomato-june.orge.pl
3fourier-steph.orge.pl
2nagel-earth.orge.pl
1patty-traci.orge.pl
2berliner-mark.orge.pl
3banks-pork.orge.pl
2professor-criminal.orge.pl
1pencil-reagan.orge.pl
3beauty-noreen.orge.pl
3academic-caren.orge.pl
2shuttle-berlin.orge.pl
1gnu-nutrition.orge.pl
1ingrid-eiderdown.orge.pl
1beethoven-uucp.orge.pl
3field-summer.orge.pl
2signature-commrades.orge.pl
3daemon-sharks.orge.pl
1discovery-simpsons.orge.pl
2inna-elephant.orge.pl
3banks-elephant.orge.pl
3surfer-stuttgart.orge.pl
1tammy-nyquist.orge.pl
3memory-new.orge.pl
3kristin-andy.orge.pl
1pork-larry.orge.pl
1arlene-symmetry.orge.pl
1lori-symmetry.orge.pl
1phone-ersatz.orge.pl
zxczxcz.mrface.com
googl933.dyndns-office.com
tested23.acmetoy.com
zelenij.mypicture.info
mobiliti.ns01.us
cxqweq.ns02.us
193.106.174.220
andre12.myftp.name
aswaz.ddns.name
google2.itsaol.com
sw2sa.port25.biz
Blocking these two IPs as a precaution is probably a good idea. A full list of the known domains on those two servers is at the bottom of the post, but blocking access to the following domains is an easy shortcut to block most of them:
cu.cc
ddns.me.uk
orge.pl
dyndns-office.com
mrface.com
ns01.us
ns02.us
myftp.name
ddns.name
itsaol.com
port25.biz
Full list:
91.194.214.66
pikapika.cu.cc
adsense-google.cu.cc
mariocart.cu.cc
79574.mynumber.org
ghjgh.ddns.me.uk
rotterdam.osa.pl
1asd-patricia.orge.pl
1benz-pizza.orge.pl
1napoleon-wizard.orge.pl
3mercury-joyce.orge.pl
1pad-george.orge.pl
2melissa-file.orge.pl
1develop-profile.orge.pl
2tomato-june.orge.pl
3fourier-steph.orge.pl
2nagel-earth.orge.pl
1patty-traci.orge.pl
2berliner-mark.orge.pl
3banks-pork.orge.pl
2professor-criminal.orge.pl
1pencil-reagan.orge.pl
3beauty-noreen.orge.pl
3academic-caren.orge.pl
2shuttle-berlin.orge.pl
1gnu-nutrition.orge.pl
1ingrid-eiderdown.orge.pl
1beethoven-uucp.orge.pl
3field-summer.orge.pl
2signature-commrades.orge.pl
3daemon-sharks.orge.pl
1discovery-simpsons.orge.pl
2inna-elephant.orge.pl
3banks-elephant.orge.pl
3surfer-stuttgart.orge.pl
1tammy-nyquist.orge.pl
3memory-new.orge.pl
3kristin-andy.orge.pl
1pork-larry.orge.pl
1arlene-symmetry.orge.pl
1lori-symmetry.orge.pl
1phone-ersatz.orge.pl
zxczxcz.mrface.com
googl933.dyndns-office.com
tested23.acmetoy.com
zelenij.mypicture.info
mobiliti.ns01.us
cxqweq.ns02.us
193.106.174.220
andre12.myftp.name
aswaz.ddns.name
google2.itsaol.com
sw2sa.port25.biz
Labels:
Evil Network,
Injection Attacks,
Russia,
Ukraine
Sunday 6 November 2011
Fake jobs: europcareers.net
One more fake job domain to avoid, europcareers.net follows on from the ones spotted yesterday and uses the fake (probably fake) registration address:
The emails may appear to come from yourself (here's why). The jobs offered are actually criminal activities such as money laundering. If you have any example emails, please consider sharing them in the Comments.
frederic benou Email: fredericabenou@yahoo.fr Organization: frederic benou Address: 23 rue des Camelias City: Alfortville State: Alfortville ZIP: 94112 Country: FR Phone: +33.0148931456
The emails may appear to come from yourself (here's why). The jobs offered are actually criminal activities such as money laundering. If you have any example emails, please consider sharing them in the Comments.
Labels:
Job Offer Scams,
Lapatasker,
Money Mule,
Russia
Friday 4 November 2011
Fake jobs: jobsearchoo.com, newstatejob.com and usanewjobgov.com
Three more domains being used to recruit money laundering jobs and other illegal activities:
jobsearchoo.com
newstatejob.com
usanewjobgov.com
The jobs form part of this long running scam.Email messages may appear to come from yourself (here's why). The domain is registered to the following (probably fake) address:
If you have any examples of emails using these domains, then please consider sharing them in the Comments. Thanks!
jobsearchoo.com
newstatejob.com
usanewjobgov.com
The jobs form part of this long running scam.Email messages may appear to come from yourself (here's why). The domain is registered to the following (probably fake) address:
frederic benou
Email: fredericabenou@yahoo.fr
Organization: frederic benou
Address: 23 rue des Camelias
City: Alfortville
State: Alfortville
ZIP: 94112
Country: FR
Phone: +33.0148931456
Email: fredericabenou@yahoo.fr
Organization: frederic benou
Address: 23 rue des Camelias
City: Alfortville
State: Alfortville
ZIP: 94112
Country: FR
Phone: +33.0148931456
If you have any examples of emails using these domains, then please consider sharing them in the Comments. Thanks!
Labels:
Job Offer Scams,
Lapatasker,
Money Mule,
Russia
Thursday 3 November 2011
Something evil on 95.163.66.209
There are a bunch of domains being used in injection attacks on 95.163.66.209 (Digital Network JSC, Russia). recently Armorize covered attacks using this particular site. The problem seems to be ongoing, and 95.163.66.209 is a good IP to block. In fact, blocking 95.163.64.0/19 is probably a good idea too as there are a whole load of nasties there too. Google is pretty damning:
The sites on 95.163.66.209 are listed at the end of the post. However, most of them seem to be pretty odd subdomains (probably free) and blocking access to domains ending as follows could be a good general idea.
cz.cc
nl.ai
xe.cx
c0m.li
coom.in
l2x.eu
myddns.com
mx.am
ce.ms
mywww.biz
4dq.com
88n.eu
jesais.fr
qpoe.com
25u.com
dnset.com
Full list:
badcake.cz.cc
bdf.nl.ai
bent-pastry.xe.cx
bfsghsf.c0m.li
bgdh.coom.in
bgfdsbd.nl.ai
bghfxdh.nl.ai
bhdgzh.nl.ai
bluecloakroom.l2x.eu
boiling-fish.myddns.com
boilingpasta.xe.cx
boleklelek.nl.ai
care.appliancesraleighnc.com
chem.bluesky2010.com
chief-bagel.xe.cx
dark-veal.xe.cx
dead.carboneconstruction.info
dfhdf.nl.ai
diplomadog.mx.am
dsadas.coom.in
dwrewr.c0m.li
eeerr.ce.ms
elastic-venison.xe.cx
electrical.xe.cx
electric-meal.xe.cx
equal-pomegranate.aelita.fr
false-fig.xe.cx
fasdf.coom.in
fczxfczx.coom.in
fdasfsa.nl.ai
fdsfds.coom.in
feeble-cereal.lacheun.com
fertileroast.nl.ai
first-peanuts.l2x.eu
fixedbread.xe.cx
flat-fork.mx.am
flat-vegetables.xe.cx
frequentglass.xe.cx
gdgfdd.nl.ai
gdsg.nl.ai
gdsggdag.nl.ai
gershlagen.nl.ai
gfdgdf.nl.ai
gfsdgfds.coom.in
gfsdgsd.coom.in
gfsgfds.coom.in
ghdfhd.nl.ai
gjgfj.coom.in
gocheating.nl.ai
good-meal.l2x.eu
goodorange.xe.cx
goodrice.xe.cx
gsdgd.nl.ai
gsdgs.coom.in
gsfgs.nl.ai
gsgssd.coom.in
habdf.coom.in
hbgdh.nl.ai
hdggd.nl.ai
hdgh.nl.ai
hdgjd.coom.in
hdgsh.nl.ai
hgdhfg.nl.ai
hgf.nl.ai
high-hotdog.mywww.biz
hist.benjamin-moore.info
hjdgjhdg.coom.in
hkjjl.nl.ai
holybutter.lflinkup.org
homeimprovement.nl.ai
honor-for-you.mx.am
jaguaro.4dq.com
jdgjdg.coom.in
jgfjg.coom.in
jgjg.nl.ai
jobcracker.nl.ai
jvhkgh.coom.in
kghg.coom.in
kripple.88n.eu
leaveme.nl.ai
light.designerfloors.info
lihlhk.nl.ai
listen.c0m.li
loose-f.lacheun.com
loveme.88n.eu
lovewill.sellclassics.com
loveyoulike.c0m.li
lucky-force.mx.am
make.budgetblindsraleigh.info
mangle.blueskyresort.us
maniacmansion.88n.eu
med.designerfloors.info
medicalgrill.jesais.fr
mfhjmfh.coom.in
myrabbit.sixth.biz
negativecreep.mywww.biz
newbread.xe.cx
nhdgjhnd.nl.ai
normal-bagel.xe.cx
nownownow.l2x.eu
obsess.crawlspacecleaning.org
old-grapefruit.xe.cx
poorgrapes.c0m.li
pref.bluesky2011.com
promise.demartinocompanies.info
quiet-orange.qpoe.com
quietsoup.xe.cx
right-pomegranate.xe.cx
roberre.ftpserver.biz
roughslices.xe.cx
round-chicken.moneyhome.biz
sad-pineapple.lacheun.com
samerice.nl.ai
same-waitress.xe.cx
separate-buffet.25u.com
short-spoon.itemdb.com
shutham.ns01.biz
slewincom.com
smoothturkey.xe.cx
specialcookies.88n.eu
sport.designerfloorfashions.com
sticky-bacon.88n.eu
strangecooking.mynetav.net
strangesalad.xe.cx
strongkumquat.c0m.li
suckmydiscoball.oueb.eu
told.aeheatingandair.info
uytdujg.nl.ai
vcnvbhjmfgvj.coom.in
vfjhfj.nl.ai
vjh.coom.in
vzsfd.coom.in
wallex.l2x.eu
wannabe.c0m.li
webelieve.nl.ai
wehaveadeal.nl.ai
wet-toast.dnset.com
wise-crackers.xe.cx
workfree.nl.ai
youngmutton.mynetav.org
Safe Browsing
Diagnostic page for 95.163.66.0
What is the current listing status for 95.163.66.0?
This site is not currently listed as suspicious.
Part of this site was listed for suspicious activity 2 time(s) over the past 90 days.
What happened when Google visited this site?
Of the 21 pages we tested on the site over the past 90 days, 0 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2011-10-05, and the last time suspicious content was found on this site was on 2011-10-05.
Malicious software includes 330 trojan(s), 276 scripting exploit(s).
This site was hosted on 1 network(s) including AS12695 (DINET).
Has this site acted as an intermediary resulting in further distribution of malware?
Over the past 90 days, 95.163.66.0 appeared to function as an intermediary for the infection of 19 site(s) including manualeofficina.altervista.org/, ua90.com/, phelpsweb.com/.
Has this site hosted malware?
Yes, this site has hosted malicious software over the past 90 days. It infected 107 domain(s), including manualeofficina.altervista.org/, settatonchat.com/, zktoot.com/.
The sites on 95.163.66.209 are listed at the end of the post. However, most of them seem to be pretty odd subdomains (probably free) and blocking access to domains ending as follows could be a good general idea.
cz.cc
nl.ai
xe.cx
c0m.li
coom.in
l2x.eu
myddns.com
mx.am
ce.ms
mywww.biz
4dq.com
88n.eu
jesais.fr
qpoe.com
25u.com
dnset.com
Full list:
badcake.cz.cc
bdf.nl.ai
bent-pastry.xe.cx
bfsghsf.c0m.li
bgdh.coom.in
bgfdsbd.nl.ai
bghfxdh.nl.ai
bhdgzh.nl.ai
bluecloakroom.l2x.eu
boiling-fish.myddns.com
boilingpasta.xe.cx
boleklelek.nl.ai
care.appliancesraleighnc.com
chem.bluesky2010.com
chief-bagel.xe.cx
dark-veal.xe.cx
dead.carboneconstruction.info
dfhdf.nl.ai
diplomadog.mx.am
dsadas.coom.in
dwrewr.c0m.li
eeerr.ce.ms
elastic-venison.xe.cx
electrical.xe.cx
electric-meal.xe.cx
equal-pomegranate.aelita.fr
false-fig.xe.cx
fasdf.coom.in
fczxfczx.coom.in
fdasfsa.nl.ai
fdsfds.coom.in
feeble-cereal.lacheun.com
fertileroast.nl.ai
first-peanuts.l2x.eu
fixedbread.xe.cx
flat-fork.mx.am
flat-vegetables.xe.cx
frequentglass.xe.cx
gdgfdd.nl.ai
gdsg.nl.ai
gdsggdag.nl.ai
gershlagen.nl.ai
gfdgdf.nl.ai
gfsdgfds.coom.in
gfsdgsd.coom.in
gfsgfds.coom.in
ghdfhd.nl.ai
gjgfj.coom.in
gocheating.nl.ai
good-meal.l2x.eu
goodorange.xe.cx
goodrice.xe.cx
gsdgd.nl.ai
gsdgs.coom.in
gsfgs.nl.ai
gsgssd.coom.in
habdf.coom.in
hbgdh.nl.ai
hdggd.nl.ai
hdgh.nl.ai
hdgjd.coom.in
hdgsh.nl.ai
hgdhfg.nl.ai
hgf.nl.ai
high-hotdog.mywww.biz
hist.benjamin-moore.info
hjdgjhdg.coom.in
hkjjl.nl.ai
holybutter.lflinkup.org
homeimprovement.nl.ai
honor-for-you.mx.am
jaguaro.4dq.com
jdgjdg.coom.in
jgfjg.coom.in
jgjg.nl.ai
jobcracker.nl.ai
jvhkgh.coom.in
kghg.coom.in
kripple.88n.eu
leaveme.nl.ai
light.designerfloors.info
lihlhk.nl.ai
listen.c0m.li
loose-f.lacheun.com
loveme.88n.eu
lovewill.sellclassics.com
loveyoulike.c0m.li
lucky-force.mx.am
make.budgetblindsraleigh.info
mangle.blueskyresort.us
maniacmansion.88n.eu
med.designerfloors.info
medicalgrill.jesais.fr
mfhjmfh.coom.in
myrabbit.sixth.biz
negativecreep.mywww.biz
newbread.xe.cx
nhdgjhnd.nl.ai
normal-bagel.xe.cx
nownownow.l2x.eu
obsess.crawlspacecleaning.org
old-grapefruit.xe.cx
poorgrapes.c0m.li
pref.bluesky2011.com
promise.demartinocompanies.info
quiet-orange.qpoe.com
quietsoup.xe.cx
right-pomegranate.xe.cx
roberre.ftpserver.biz
roughslices.xe.cx
round-chicken.moneyhome.biz
sad-pineapple.lacheun.com
samerice.nl.ai
same-waitress.xe.cx
separate-buffet.25u.com
short-spoon.itemdb.com
shutham.ns01.biz
slewincom.com
smoothturkey.xe.cx
specialcookies.88n.eu
sport.designerfloorfashions.com
sticky-bacon.88n.eu
strangecooking.mynetav.net
strangesalad.xe.cx
strongkumquat.c0m.li
suckmydiscoball.oueb.eu
told.aeheatingandair.info
uytdujg.nl.ai
vcnvbhjmfgvj.coom.in
vfjhfj.nl.ai
vjh.coom.in
vzsfd.coom.in
wallex.l2x.eu
wannabe.c0m.li
webelieve.nl.ai
wehaveadeal.nl.ai
wet-toast.dnset.com
wise-crackers.xe.cx
workfree.nl.ai
youngmutton.mynetav.org
Labels:
Evil Network,
Injection Attacks,
Russia
Wednesday 2 November 2011
Fake jobs: expoeurojob.com, newjobsineurope.com and thenewjobbs.com
Three new domains offering jobs which will actually turn out to be money laundering or reshipping stolen goods. This scam has been going on for years.
expoeurojob.com
newjobsineurope.com
thenewjobbs.com
The emails may appear to come "from" your own email address (here's why). The (probably fake) registrant details for this domain are:
Francisco Getz
Email: franciscogetz@yahoo.fr
Organization: Francisco Getz
Address: 43 rue Mazarine
City: Paris
State: Paris
ZIP: 75002
Country: FR
Phone: +33.191282216
If you have any samples of spam using these domains, please consider sharing them in the Comments. Thanks!
expoeurojob.com
newjobsineurope.com
thenewjobbs.com
The emails may appear to come "from" your own email address (here's why). The (probably fake) registrant details for this domain are:
Francisco Getz
Email: franciscogetz@yahoo.fr
Organization: Francisco Getz
Address: 43 rue Mazarine
City: Paris
State: Paris
ZIP: 75002
Country: FR
Phone: +33.191282216
If you have any samples of spam using these domains, please consider sharing them in the Comments. Thanks!
Labels:
Job Offer Scams,
Lapatasker,
Money Mule,
Russia
Friday 28 October 2011
Fake jobs: jobbslists.com, jobbsearcher.com, gbjobb.com and greecejobb.com
Yet more fake job offers, following on from this long-running scam. This time the following domains are in use to solicit replies:
jobbslists.com
jobbsearcher.com
gbjobb.com
greecejobb.com
The spam emails adveritising these may appear to come from your own email account (here's why). The "jobs" on offer are actually illegal activities such as money laundering.
For the record, the registrant details for those domains (which are almost definitely fake) are:
If you have any example emails, please consider sharing them in the Comments. Thanks!
jobbslists.com
jobbsearcher.com
gbjobb.com
greecejobb.com
The spam emails adveritising these may appear to come from your own email account (here's why). The "jobs" on offer are actually illegal activities such as money laundering.
For the record, the registrant details for those domains (which are almost definitely fake) are:
Lorian Kern
Email: loorjaan@yahoo.dk
Organization: Lorian Kern
Address: Sonderskovvej 22
City: Lystrup
State: Lystrup
ZIP: 8124
Country: DK
Phone: +45.83743412
Email: loorjaan@yahoo.dk
Organization: Lorian Kern
Address: Sonderskovvej 22
City: Lystrup
State: Lystrup
ZIP: 8124
Country: DK
Phone: +45.83743412
If you have any example emails, please consider sharing them in the Comments. Thanks!
Labels:
Greece,
Job Offer Scams,
Lapatasker,
Money Mule,
Russia
Tuesday 25 October 2011
Some malware sites to block
These sites and IPs seem to be distributing some sort of Zeus variant. In this case users are being enticed to download a file called Fattura.zip (Italian for "invoice") which then contains an executable with the name Fattura.Doc_________________________________________________________________.exe (there are 65 underscores in the filename). That seems daft until you realise that all those underscores are designed to hide the .exe extension by making the filename so big that it is truncated.
At the moment, the malware (MD5 09886612d542e1b354aeda6a16f9ccf5) is poorly detected (4/43 at VirusTotal). ThreatExpert's prognosis is here.
The back end is a big more interesting and gives a large number of IPs and domains to block if you want to be proactive about stopping this sort of thing.
The back end servers are primarly:
41.189.229.65 (Djibouti Telecom)
60.19.30.131 (China Unicom)
60.19.30.135 (China Unicom)
67.40.211.116 (Qwest Communications, Seattle)
71.217.16.11 (Qwest Communications, Seattle)
82.210.157.9 (Aster, Poland)
113.161.87.176 (VietNam Post and Telecom Corporation)
195.214.238.241 (Interphone, Ukraine)
202.199.160.107 (Dongbei University of Finance and Economics, China)
218.24.113.3 (China Unicom)
Associated domains:
axeswizardepx.ru
bellicbridge.ru
bellicoreturbo.ru
blackofspogus.com
booksforbool.com
brentnallfg.com
dartzofmybpull.ru
digibeetlesop.ru
dontstop21523510.com
duffiduffid.ru
duklio.com
dzmeritelshop.ru
ebaliu.com
esperadooptic.ru
fabsnot.ru
fgrag3.com
financialactivson.com
financialpoet.com
fitle8.com
florianarray.ru
freakcan.ru
getinmo.net
gorycup.ru
hoperjulia.com
itchysauce.ru
jetsetflysystems.asia
koklip.com
krufop.com
linkmoduledso.com
lu4isa.com
lurofletzhen.com
microhousezez.com
musicframeit.com
n3ot6op.com
naughtywifepal.ru
onepet.ru
paperrain.net
papertulip.ru
pellicslotersa.ru
plasticinetec.ru
poczta.orgmasz.pl
popspostenkple.ru
recruitaimsfg.com
routerstructo.ru
rudeink.ru
runnystorm.ru
secondconcert.ru
sichererautoverkauf.net
simulatormage.ru
so47nop.com
softmarkets.ru
steelcinetecs.ru
t3a4ano.com
tamilworldinfo.net
tinpiano.com
tradesystemsy.com
vanilaprojectlive.com
weaktrash.ru
widuop.com
At the moment, the malware (MD5 09886612d542e1b354aeda6a16f9ccf5) is poorly detected (4/43 at VirusTotal). ThreatExpert's prognosis is here.
The back end is a big more interesting and gives a large number of IPs and domains to block if you want to be proactive about stopping this sort of thing.
The back end servers are primarly:
41.189.229.65 (Djibouti Telecom)
60.19.30.131 (China Unicom)
60.19.30.135 (China Unicom)
67.40.211.116 (Qwest Communications, Seattle)
71.217.16.11 (Qwest Communications, Seattle)
82.210.157.9 (Aster, Poland)
113.161.87.176 (VietNam Post and Telecom Corporation)
195.214.238.241 (Interphone, Ukraine)
202.199.160.107 (Dongbei University of Finance and Economics, China)
218.24.113.3 (China Unicom)
Associated domains:
axeswizardepx.ru
bellicbridge.ru
bellicoreturbo.ru
blackofspogus.com
booksforbool.com
brentnallfg.com
dartzofmybpull.ru
digibeetlesop.ru
dontstop21523510.com
duffiduffid.ru
duklio.com
dzmeritelshop.ru
ebaliu.com
esperadooptic.ru
fabsnot.ru
fgrag3.com
financialactivson.com
financialpoet.com
fitle8.com
florianarray.ru
freakcan.ru
getinmo.net
gorycup.ru
hoperjulia.com
itchysauce.ru
jetsetflysystems.asia
koklip.com
krufop.com
linkmoduledso.com
lu4isa.com
lurofletzhen.com
microhousezez.com
musicframeit.com
n3ot6op.com
naughtywifepal.ru
onepet.ru
paperrain.net
papertulip.ru
pellicslotersa.ru
plasticinetec.ru
poczta.orgmasz.pl
popspostenkple.ru
recruitaimsfg.com
routerstructo.ru
rudeink.ru
runnystorm.ru
secondconcert.ru
sichererautoverkauf.net
simulatormage.ru
so47nop.com
softmarkets.ru
steelcinetecs.ru
t3a4ano.com
tamilworldinfo.net
tinpiano.com
tradesystemsy.com
vanilaprojectlive.com
weaktrash.ru
widuop.com
Monday 24 October 2011
Scam sites on 84.22.161.169
84.22.161.169 (IOMART Ltd, UK) seems to have some problems with scam sites, such as the one mentioned in this post. I haven't had time to check the whole range, but most of the sites they host are legitimate, these however appear to be bogus.
mailukrsoft.com
Rogers, Sid via@viagrasuperpills.com
March St 43
San Antonio, Tx 7820 1
US
+1.2103354574
mailopal.com
Weis, Albert albert.weiso@yahoo.com
56 Dashington Avenue
New York State, West Stay Ville 1179 6
US
+1.016312918436
ukraiansoftware.com
Mitch, Ray vpx@vpxlpillstore.com
Po Box 434
Grand Prairie, Tx 7505 0
US
+1.5743436654
ukrdevonline.net
SMITH, THOMAS akky@buyaccutane.us
14664 State Hwy B
Marshfield, Mo 6570 6
US
+1.4177377167
ukrsoft.org
Registrant ID:tu1tWtvki2quecE9
Registrant Name:raymond russ
Registrant Organization:raymond russ
Registrant Street1:229 west 78 street
Registrant Street2:
Registrant Street3:
Registrant City:new york
Registrant State/Province:newyork
Registrant Postal Code:10024-6646
Registrant Country:US
Registrant Phone:+1.2125953001
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Registrant Email:raymondruss@yahoo.com
ukrsoftmail.com
Smith, David david.smith791@yahoo.com
1845 east northgate drive
Irdi ange, Texas 75062- 47 36
US
+1.019277214101
westmailwug.com
morrison, dennis morrison.wug78@yahoo.com
575
texas, texas fghhy2
US
+1.9723479881
westunionhome.com
Walters, Hank doggerellhlog@gmail.com
Railway Circle 55
Hannibal, Mo 6340 1
US
+1.5734564433
westunionweb.com
Jacks, Michael griswoldmopar@gmail.com
Forest Ave 65
Oak Park, Illinois 6030 1
US
+1.7085561232
taurus-analityc.com
De Gaetano, Richard xsponger@gmail.com
1001 Lincoln Avenue
Lockport, Newyork 14094
US
+44.017164336832
taurus-mac.com
Vanko, Ken eudociafrequk@gmail.com
16st 65 Ap 44
San Diego, Ca 9210 1
US
+1.4342268876
mailukrsoft.com
Rogers, Sid via@viagrasuperpills.com
March St 43
San Antonio, Tx 7820 1
US
+1.2103354574
mailopal.com
Weis, Albert albert.weiso@yahoo.com
56 Dashington Avenue
New York State, West Stay Ville 1179 6
US
+1.016312918436
ukraiansoftware.com
Mitch, Ray vpx@vpxlpillstore.com
Po Box 434
Grand Prairie, Tx 7505 0
US
+1.5743436654
ukrdevonline.net
SMITH, THOMAS akky@buyaccutane.us
14664 State Hwy B
Marshfield, Mo 6570 6
US
+1.4177377167
ukrsoft.org
Registrant ID:tu1tWtvki2quecE9
Registrant Name:raymond russ
Registrant Organization:raymond russ
Registrant Street1:229 west 78 street
Registrant Street2:
Registrant Street3:
Registrant City:new york
Registrant State/Province:newyork
Registrant Postal Code:10024-6646
Registrant Country:US
Registrant Phone:+1.2125953001
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Registrant Email:raymondruss@yahoo.com
ukrsoftmail.com
Smith, David david.smith791@yahoo.com
1845 east northgate drive
Irdi ange, Texas 75062- 47 36
US
+1.019277214101
westmailwug.com
morrison, dennis morrison.wug78@yahoo.com
575
texas, texas fghhy2
US
+1.9723479881
westunionhome.com
Walters, Hank doggerellhlog@gmail.com
Railway Circle 55
Hannibal, Mo 6340 1
US
+1.5734564433
westunionweb.com
Jacks, Michael griswoldmopar@gmail.com
Forest Ave 65
Oak Park, Illinois 6030 1
US
+1.7085561232
taurus-analityc.com
De Gaetano, Richard xsponger@gmail.com
1001 Lincoln Avenue
Lockport, Newyork 14094
US
+44.017164336832
taurus-mac.com
Vanko, Ken eudociafrequk@gmail.com
16st 65 Ap 44
San Diego, Ca 9210 1
US
+1.4342268876
Labels:
Job Offer Scams,
Money Mule,
Scam
The Register blunders, hands itself into the ICO
Oops.
There's a couple of interesting things here - one is that The Register did the decent thing and reported the breach, it will be interesting to see the ICO's reaction when they ignore more serious breaches all the time. The second one is that the email address I used to err register is unique to The Register. Will I start getting spam as a result of it being sent out to 3521 people, or would it require more.
Anyway, Kudos to The Register for coming clean. You can read more about it here.
From: The Register marketing@theregister.co.uk
Date: 24 October 2011 18:28
Subject: Apologies from The Register
Hello,
This morning the name and email address you used to register for The
Register was mistakenly sent to 3,521 individuals, also readers of
The Register.
We've contacted them asking them to delete the email and respect your
privacy.
We are of course terribly sorry for this error and have reported
ourselves to the ICO. Our initial statement is here:
http://www.theregister.co.uk/2011/10/24/email_blunder/
You are free to edit or delete your account details here:
http://account.theregister.co.uk/register/
If you have any questions or would just like to rant at us please
send emails to mailto:data@theregister.co.uk
Best Regards
The Register
There's a couple of interesting things here - one is that The Register did the decent thing and reported the breach, it will be interesting to see the ICO's reaction when they ignore more serious breaches all the time. The second one is that the email address I used to err register is unique to The Register. Will I start getting spam as a result of it being sent out to 3521 people, or would it require more.
Anyway, Kudos to The Register for coming clean. You can read more about it here.
Labels:
Stupidity
mailukrsoft.com: job scammers in action
A post over at woozoo.nl caught my eye (in Nederlands, Google Translated to English) about the netherlandjobb.com scam. Robert Krom goes several steps further than I usually do with a good investigation into how the scammers try to rope people in.
Robert identifies mailukrsoft.com as the next stage in the scam. To me, it looks like it is run by a different crew, but scammers tend to oursource activities to others these days. It appears that one group of scammers may be looking for money mules and then selling them on to others.
Robert identifies mailukrsoft.com as the next stage in the scam. To me, it looks like it is run by a different crew, but scammers tend to oursource activities to others these days. It appears that one group of scammers may be looking for money mules and then selling them on to others.
Labels:
Job Offer Scams,
Lapatasker,
Money Mule,
Netherlands,
Russia,
Ukraine
Sunday 23 October 2011
Fake jobs: jobbworld.com and yourjobb.com
Two new domains being used to recruit for fake jobs, which actually turn out to be illegal activities such as money laundering.
jobbworld.com
yourjobb.com
This is part of a long-running scam that has been going on for ages. One characteristic of the spam received is that it appears to come from your own email address (here's why).
If you have any examples of spam using these domains for reply addresses, please consider sharing them in the Comments.
Here is one sample:
And another one that seems to drift between Dutch and Czech for a while..
jobbworld.com
yourjobb.com
This is part of a long-running scam that has been going on for ages. One characteristic of the spam received is that it appears to come from your own email address (here's why).
If you have any examples of spam using these domains for reply addresses, please consider sharing them in the Comments.
Here is one sample:
Date: 24 October 2011 20:15
Subject: Deeltijdarbeid
Ik wil uw aandacht brengen en u te informeren dat Consulting Bedrijf beginnen proces te inhuren en geven u een
grote kans om carrière te beginnen nu met veel voordelen en de voordelen van dit werek.
Als u besloten om onderbreking in uw carrière te maken, of u op een moederschapsverlof bent,
onlangs gepensioneerde of gewoon op zoek naar enkele aanvullende tijdelijk baan, dit standpunt is enkel voor u gemaakt.
Werkende uuren: Flexibele tijdschema van van 1 tot 3 uur per dag. We garanderen ongeveer 20 uur een week bezetting.
Salaris en voordelen: begin salaris is variërend van 2000 tot 2500 euro per maand,
vermeerderd met extra commissie als u alle taken nauwkeurig vervullen.
Regio: Europese Unie.
Houd er rekening mee dat er geen betalingen of elke andere trucs om te gaan werken voor ons zijn.
Indien geïnteresseerd en wil u verzoeken een aanvraagformulier toepassen voor deze positie,
uw interview plannen en of gewoon meer informatie ontvangen over deze positie voordat u toepast,
kunt u antwoord op deze e-mail en stuur ons uw contact informatie.
In het onderwerp van e-mail Geef uw persoonlijk identificatienummer voor deze positie IDNO: 04459
Als u geïnteresseerd bent, kunt u reageren op: Damion@yourjobb.com,bedank!
And another one that seems to drift between Dutch and Czech for a while..
Subject: Vacature
Ik wil uw aandacht brengen en u te informeren dat Consulting Bedrijf beginnen proces te inhuren en geven u een
grote kans om carričre te beginnen nu met veel voordelen en de voordelen van dit werek.
Als u besloten om onderbreking in uw carričre te maken, of u op een moederschapsverlof bent,
onlangs gepensioneerde of gewoon op zoek naar enkele aanvullende tijdelijk baan, dit standpunt is enkel voor u gemaakt.
Werkende uuren: Flexibele tijdschema van van 1 tot 3 uur per dag. We garanderen ongeveer 20 uur een week bezetting.
Salaris en voordelen: begin salaris is variërend van 2000 tot 2500 euro per maand,
vermeerderd met extra commissie als u alle taken nauwkeurig vervullen.
Regio: Europese Unie.
Houd er rekening mee dat er geen betalingen of elke andere trucs om te gaan werken voor ons zijn.
Indien geďnteresseerd en wil u verzoeken een aanvraagformulier toepassen voor deze positie,
uw interview plannen en of gewoon meer informatie ontvangen over deze positie voordat u toepast,
kunt u antwoord op deze e-mail en stuur ons uw contact informatie.
In het onderwerp van e-mail Geef uw persoonlijk identificatienummer voor deze positie IDNO: 64594
Als u geďnteresseerd bent, kunt u reageren op: Fidel@yourjobb.com,bedank!
Labels:
Job Offer Scams,
Lapatasker,
Money Mule,
Russia
Thursday 20 October 2011
Fake jobs: canada-newjob.com, netherlandjobb.com and newjobrecruit.com
Another bunch of domains being used to peddle fake jobs:
canada-newjob.com
netherlandjobb.com
newjobrecruit.com
These domains form part of this long running scam. You may find that the emails appear to come from your own email address (here's why).
The domain registrant details are no doubt fake:
The jobs offered will actually be criminal activities such as money laundering. If you have any examples of emails using these domains, please consider sharing them in the Comments. Thanks!
Here is one example:
In this case, the email originated from 178.172.136.117 in Belarus.
canada-newjob.com
netherlandjobb.com
newjobrecruit.com
These domains form part of this long running scam. You may find that the emails appear to come from your own email address (here's why).
The domain registrant details are no doubt fake:
Adolf Nureng
Email: adolfnureng@yahoo.dk
Organization: Adolf Nureng
Address: Spellingevej 3 Ro
City: Gudhjem
State: Gudhjem
ZIP: 3703
Country: DK
Phone: +45.70225632
Email: adolfnureng@yahoo.dk
Organization: Adolf Nureng
Address: Spellingevej 3 Ro
City: Gudhjem
State: Gudhjem
ZIP: 3703
Country: DK
Phone: +45.70225632
The jobs offered will actually be criminal activities such as money laundering. If you have any examples of emails using these domains, please consider sharing them in the Comments. Thanks!
Here is one example:
Date: 20 October 2011 13:17
Subject: Huidige vacature
Wij werven aan!
Wij bieden part-time of full-time posities in de EU.
Momenteel is onze team van specialisten is het ontwikkelen van vooruitstrevende en innovatieve
manier van samenwerking met onze klant dus breiden we ons netwerk van vertegenwoordigers in heel Europa.
Wij bieden volledig betaalde trainingen om u te begeleiden door uw werk, competitief salaris,
vrij werk schema en andere voordelen die uw samenwerking met ons zeer aangenaam.
Wilt u bij ons bedrijf te sluiten, moet u ervoor zorgen dat u houdt de Europese verblijf
en je bezit een sterk verlangen om te werken.
Als je eenmaal hebt besloten om ons aan te sluiten, gelieve ons dan uw contactgegevens
en wij nemen zo spoedig contact met u op om een interview te plannen.
Onze contactgegevens: Rolland@netherlandjobb.com
Hartelijk dank voor uw interesse!
In this case, the email originated from 178.172.136.117 in Belarus.
Labels:
Canada,
Job Offer Scams,
Lapatasker,
Money Mule,
Netherlands,
Russia
Wednesday 12 October 2011
"Scan from a Hewlett-Packard Officejet 745065" and 94.23.116.30
These fake "Scan from a Hewlett-Packard Officejet" emails have been around for a little while now. Here's a slightly new verson:
The following domains appear to be hosted on that site:
agudo9871.info
alpers82c0.info
amybfd0.info
anselmo0661.info
antitrap.in
apperson6613.info
applee9a1.info
arkless6d92.info
arreza330.info
asley2ee0.info
aytes7191.info
banome2cb0.info
beckerman08b2.info
beneger50e2.info
bergfelde7c0.info
bestel2810.info
beuchatb280.info
binesc5d2.info
blincow4480.info
boaler2ab1.info
bonge06b0.info
boschier0930.info
bowrah1591.info
bramante66f2.info
brentsonc1d0.info
bridenstine1211.info
brodellabc2.info
burpee66f2.info
byczek5822.info
cable9b12.info
calleycd62.info
careford3a12.info
carver3102.info
casserley4d52.info
cavrotti42b0.info
clerkley2120.info
cluleyade1.info
cooney9712.info
corporationsweb.info
corvi3532.info
cottrillcb01.info
crate4361.info
creasey8b42.info
cristescu00ca.info
curtsinger8ad2.info
cusatis8b91.info
czyrnik74c1.info
dagley1e91.info
dallmand932.info
davidoviczc8d2.info
davydenko99d1.info
degand5e0.info
delancyfc71.info
delross6813.info
denver84e6.info
derefoner.in
desso9b20.info
deyak34c2.info
dilksf841.info
drewettf160.info
dutschmannc651.info
eavensonc190.info
edstrom6952.info
ehlicca1.info
elmoaf71.info
espenscheid2711.info
federal-domesticwires.com
fever01e1.info
firzkun.in
fissell39c0.info
flemming0dc1.info
frascaf6d0.info
frericks7582.info
friedberg3cc0.info
fuger1511.info
fulmerfdb2.info
fund4nothing.in
gadzinski1180.info
galassi9103.info
gange4742.info
gbur8c20.info
gegenheimer4bf0.info
glinkerman9380.info
gordenffb0.info
grygorwicz2191.info
guiles8570.info
guthorn9b60.info
hadselle732.info
hamiss4460.info
hartmannbf21.info
hartsook7391.info
hauben5930.info
henrettaa3c2.info
herzerb931.info
hodoa689.info
holliead00.info
horimotodb21.info
hornick0e30.info
houghtelling2355.info
hova.in
hugues1990.info
hultond5a0.info
husky9212.info
itzchakeb90.info
jauron24d0.info
jeskieff30.info
kaufmann2542.info
kellywoodf4d2.info
kintighb491.info
klinge9641.info
knauff5c60.info
koltz0341.info
kralicekcdc0.info
kramarczyk5681.info
kuns0a30.info
kurodaeb72.info
kurtisfe10.info
larssone1d2.info
lartiguef572.info
lawrey9052.info
leinbach91b0.info
lezab966.info
lidstone5a13.info
lirette3470.info
londonsbug.com
loshbaughd3b0.info
lough3572.info
mahlman67a1.info
maisenbacher5cf2.info
malizia0df1.info
malueg6fa1.info
mandia0d2.info
marlanb610.info
mcconnell1461.info
mcglumphy43c0.info
mclagan8a92.info
mclaughlan6670.info
meisenburg7e20.info
menapace7590.info
moegvubegcwan.in
molbideneoil.com
moneyforfree.in
montagnec802.info
morin4e00.info
mourinoa761.info
mullaly0ca0.info
munden49e2.info
musumeciccf0.info
naisbetta600.info
neoplanritm.in
nestel0321.info
nogueras0ba2.info
nothnagelf5b2.info
obrodderikd370.info
ogaraee50.info
omura6e81.info
oriold040.info
pangburn87e1.info
paolotto86d1.info
pariseau2e50.info
peace7fc1.info
pendextere5e2.info
percellb430.info
pidduck32e2.info
pidgeon9022.info
pinna3942.info
pioske8501.info
qqqe.us.to
quoss3f91.info
ramagano86a0.info
rashdicd02.info
raupache7f1.info
redeniusd503.info
returenget60.net
ricker5462.info
rideaufd40.info
rucci5d51.info
runagles2411.info
sacre86c2.info
sandilandsa5b1.info
sasseville9e91.info
schleppenbachae60.info
schuh9acc.info
scroger65f0.info
shearonafb1.info
shee5632.info
sita6030.info
slovinskye820.info
smard4e2.info
soetncitydyr.com
souvannavong5c90.info
speroe8c0.info
spigelmandca0.info
srnsky8f70.info
steinmiller9ca1.info
stivanson51b0.info
stonhame852.info
stopkad101.info
subera6a01.info
sultani9ef0.info
surrella8e0.info
swigart61f0.info
tabbertbe70.info
tabisulacbb4.info
tickle29c2.info
timko84d0.info
tinaa750.info
tolefreebdd2.info
tunnock0d02.info
twedena141.info
woehl5bb0.info
wolken6da2.info
worsfieldd4d1.info
From: hp@victimdomain.comThe link goes through to one of several sites on 94.23.116.30 (OVH, Poland). Blocking access to that IP should protect against this spam run.
Date: 11 October 2011 23:41
Subject: Scan from a Hewlett-Packard Officejet 745065
A document was scanned and sent
to you using a Hewlett-Packard HP Officejet 63639D.
Sent by: SINA
Images : 2
Attachment Type: Image (.jpg) Download
Hewlett-Packard Officejet Location: machine location not set
Device: CRP272SO4SLM3917752
The following domains appear to be hosted on that site:
agudo9871.info
alpers82c0.info
amybfd0.info
anselmo0661.info
antitrap.in
apperson6613.info
applee9a1.info
arkless6d92.info
arreza330.info
asley2ee0.info
aytes7191.info
banome2cb0.info
beckerman08b2.info
beneger50e2.info
bergfelde7c0.info
bestel2810.info
beuchatb280.info
binesc5d2.info
blincow4480.info
boaler2ab1.info
bonge06b0.info
boschier0930.info
bowrah1591.info
bramante66f2.info
brentsonc1d0.info
bridenstine1211.info
brodellabc2.info
burpee66f2.info
byczek5822.info
cable9b12.info
calleycd62.info
careford3a12.info
carver3102.info
casserley4d52.info
cavrotti42b0.info
clerkley2120.info
cluleyade1.info
cooney9712.info
corporationsweb.info
corvi3532.info
cottrillcb01.info
crate4361.info
creasey8b42.info
cristescu00ca.info
curtsinger8ad2.info
cusatis8b91.info
czyrnik74c1.info
dagley1e91.info
dallmand932.info
davidoviczc8d2.info
davydenko99d1.info
degand5e0.info
delancyfc71.info
delross6813.info
denver84e6.info
derefoner.in
desso9b20.info
deyak34c2.info
dilksf841.info
drewettf160.info
dutschmannc651.info
eavensonc190.info
edstrom6952.info
ehlicca1.info
elmoaf71.info
espenscheid2711.info
federal-domesticwires.com
fever01e1.info
firzkun.in
fissell39c0.info
flemming0dc1.info
frascaf6d0.info
frericks7582.info
friedberg3cc0.info
fuger1511.info
fulmerfdb2.info
fund4nothing.in
gadzinski1180.info
galassi9103.info
gange4742.info
gbur8c20.info
gegenheimer4bf0.info
glinkerman9380.info
gordenffb0.info
grygorwicz2191.info
guiles8570.info
guthorn9b60.info
hadselle732.info
hamiss4460.info
hartmannbf21.info
hartsook7391.info
hauben5930.info
henrettaa3c2.info
herzerb931.info
hodoa689.info
holliead00.info
horimotodb21.info
hornick0e30.info
houghtelling2355.info
hova.in
hugues1990.info
hultond5a0.info
husky9212.info
itzchakeb90.info
jauron24d0.info
jeskieff30.info
kaufmann2542.info
kellywoodf4d2.info
kintighb491.info
klinge9641.info
knauff5c60.info
koltz0341.info
kralicekcdc0.info
kramarczyk5681.info
kuns0a30.info
kurodaeb72.info
kurtisfe10.info
larssone1d2.info
lartiguef572.info
lawrey9052.info
leinbach91b0.info
lezab966.info
lidstone5a13.info
lirette3470.info
londonsbug.com
loshbaughd3b0.info
lough3572.info
mahlman67a1.info
maisenbacher5cf2.info
malizia0df1.info
malueg6fa1.info
mandia0d2.info
marlanb610.info
mcconnell1461.info
mcglumphy43c0.info
mclagan8a92.info
mclaughlan6670.info
meisenburg7e20.info
menapace7590.info
moegvubegcwan.in
molbideneoil.com
moneyforfree.in
montagnec802.info
morin4e00.info
mourinoa761.info
mullaly0ca0.info
munden49e2.info
musumeciccf0.info
naisbetta600.info
neoplanritm.in
nestel0321.info
nogueras0ba2.info
nothnagelf5b2.info
obrodderikd370.info
ogaraee50.info
omura6e81.info
oriold040.info
pangburn87e1.info
paolotto86d1.info
pariseau2e50.info
peace7fc1.info
pendextere5e2.info
percellb430.info
pidduck32e2.info
pidgeon9022.info
pinna3942.info
pioske8501.info
qqqe.us.to
quoss3f91.info
ramagano86a0.info
rashdicd02.info
raupache7f1.info
redeniusd503.info
returenget60.net
ricker5462.info
rideaufd40.info
rucci5d51.info
runagles2411.info
sacre86c2.info
sandilandsa5b1.info
sasseville9e91.info
schleppenbachae60.info
schuh9acc.info
scroger65f0.info
shearonafb1.info
shee5632.info
sita6030.info
slovinskye820.info
smard4e2.info
soetncitydyr.com
souvannavong5c90.info
speroe8c0.info
spigelmandca0.info
srnsky8f70.info
steinmiller9ca1.info
stivanson51b0.info
stonhame852.info
stopkad101.info
subera6a01.info
sultani9ef0.info
surrella8e0.info
swigart61f0.info
tabbertbe70.info
tabisulacbb4.info
tickle29c2.info
timko84d0.info
tinaa750.info
tolefreebdd2.info
tunnock0d02.info
twedena141.info
woehl5bb0.info
wolken6da2.info
worsfieldd4d1.info
Fake jobs: it-jobsearch.com
Another fake job domain, it-jobsearch.com follows on directly from these two reported yesterday. The domain is registered to the same fake address in France as yesterday.
As usual, the email soliciting replies to this domain is trying to recruit people for money laundering. The email may appear to come from your own email address (here's why).
If you have example emails soliciting replies to this domain, please consider sharing them in the Comments. Thanks!
As usual, the email soliciting replies to this domain is trying to recruit people for money laundering. The email may appear to come from your own email address (here's why).
If you have example emails soliciting replies to this domain, please consider sharing them in the Comments. Thanks!
Labels:
Italy,
Job Offer Scams,
Lapatasker,
Money Mule,
Russia
Something evil on 66.197.235.245 (Exp/20100840-B)
There is currently a poorly detected (VirusTotal reports 1/43) Java exploit being distributed by 66.197.235.245 via injection attacks. One example is injected obfuscated code pointing to tualette.ce.ms/content/field.jar but there are probably lots of these. Currently only Sophos detects this as Exp/20100840-B.
Blocking all traffic to 66.197.235.245 is the quickest way to protect against this particular attack, it might be worth blocking 66.197.235.240/28 as in case this is a bad block.
The domains on 66.197.235.245 are a mix of crappy free domains, hijacked GoDaddy domains and a few others. I have identified the following sites, although I suspect there are many more:
abra.ce.ms
arenda3213.ce.ms
billyfuns.net
cherrychat.ru
e-casher.ru
fastresource.in
footporntube.com
gavni.usa.cc
goldmail.in
guano.ce.ms
jobtrue.ru
max5clock.net
naxnax.ce.ms
oilsintetyc.ru
osiki.osa.pl
plumcrazy-media.net
rijeguni.co.tv
samsusams.net
sharki.osa.pl
sortirka.osa.pl
trusiki.345.pl
tualette.ce.ms
usapornotube.com
vedroskofun.com
web.mlep.com
xmlnetwork.in
Blocking all traffic to 66.197.235.245 is the quickest way to protect against this particular attack, it might be worth blocking 66.197.235.240/28 as in case this is a bad block.
The domains on 66.197.235.245 are a mix of crappy free domains, hijacked GoDaddy domains and a few others. I have identified the following sites, although I suspect there are many more:
abra.ce.ms
arenda3213.ce.ms
billyfuns.net
cherrychat.ru
e-casher.ru
fastresource.in
footporntube.com
gavni.usa.cc
goldmail.in
guano.ce.ms
jobtrue.ru
max5clock.net
naxnax.ce.ms
oilsintetyc.ru
osiki.osa.pl
plumcrazy-media.net
rijeguni.co.tv
samsusams.net
sharki.osa.pl
sortirka.osa.pl
trusiki.345.pl
tualette.ce.ms
usapornotube.com
vedroskofun.com
web.mlep.com
xmlnetwork.in
Labels:
Evil Network
Tuesday 11 October 2011
Cyanogenmod.com compromised with warlikedisobey.org injection
Cyanogenmod.com is a site offering legitmate custom firmware for Android devices. It's a popular site, pulling in about 100,000 unique US users per day according to compete.com and it has an Alexa rank of 6728.
Unfortunately, the site has been compromised in an injection attack with a hard-to-diagnose piece of malware attempting to load code from warlikedisobey.org/coehegzxw8xgahtrb on 66.197.158.102. The code seems resistant to several common analysis tools. The injection attack is hidden on the very first line of HTML on the home page.. you have to scroll a long way right to see it.
Update 12/10: it looks like the site is currently clean, but it might get re-infected if the core problem hasn't been fixed.
Update 20/10: it turns out that it isn't clean at all, but the exploit code is not present all the time. It could be that something is going on at Cloudflare who provide load balancing for the site, but I've never seen that sort of issue with Cloudflare before.
I haven't been able to analyse the payload yet. There is a possibility that it might target Android devices.
The domain is registered through Bizcn.com in China to the following registrant:
privacy-protect.cn is very commonly used by criminals to cover their tracks.A Google search for 66.197.158.102 indicates that the IP address is in use by several malicious domains (listed below).
A look at the Cyanogenmod.com forums indicates that similar attacks have been happening since September 25th:
Blocking traffic to 66.197.158.102 is probably a good idea. It looks like there may be other problems in 66.197.158.0/24 so you could block the whole range as a precaution.
The following domains are hosted on 66.197.158.102:
acclaimpump.org
acreafloat.org
aeroadore.org
affairmedley.org
afraiddown.org
againindorse.org
alertworsted.org
analyseshort.org
ardorloathe.org
arraigngarment.org
assortsetto.org
bakedemure.org
balloontroops.org
baskettubular.org
beandown.org
bedridpollute.org
benttopple.org
bequestramble.org
blazefiddle.org
blisswilds.org
boardbutts.org
bringgreed.org
bunkscamp.org
burntbrought.org
butchermeetm.org
bywordtoll.org
cackleshaggy.org
capsuletrapeze.org
carptheirs.org
cellarprank.org
cellchin.org
cementshout.org
choreuphold.org
clamourunion.org
classiclily.org
clerkinure.org
comechirp.org
crafttexture.org
damaskslab.org
declaimtaunt.org
decreecattle.org
delayabrige.org
desisthateful.org
deskoccur.org
devoidshed.org
dimsadden.org
dirttouchy.org
discernpitcher.org
divingpeddle.org
dotingbouquet.org
eclipsedensity.org
economyjersey.org
elateexample.org
elkrecline.org
embraceniece.org
enigmaflutter.org
enjoyocean.org
enrolcaw.org
estril.org
eventliving.org
evermist.org
eyescanty.org
facingsinvade.org
factionchurch.org
fallacypour.org
fangwrath.org
fiancesardine.org
fishingbeet.org
flaxnap.org
foggystudent.org
foresttruck.org
fuzzoffal.org
gailyflounce.org
gazettesay.org
ghatlend.org
ghatreds.org
gibbetshook.org
gladespilt.org
godliketourist.org
goodantics.org
grandetidings.org
grenadeabove.org
gruver.org
gulpillegal.org
halcyonet.com
hamcadet.org
heronuntrue.org
hideousmindful.org
hillocksaunter.org
horntreason.org
hotspurequal.org
hourmesh.org
hulknutmeg.org
hungermouth.org
hymnrough.org
idearevel.org
ignservice.com
inclosegem.org
incurhealth.org
inducttrunk.org
innentry.org
innersoloist.org
inroadperish.org
installherb.org
intentbell.org
ironingonset.org
itemizefir.org
jarabroad.org
javarequest.com
javatooltip.com
jewishdin.org
jocularputrefy.org
jstooltip.com
juicecaulk.org
justlysubtle.org
kalmup.org
kinoutlaw.org
lambkinclad.org
laundrysudden.org
leanspeck.org
letconsul.org
libelconvoy.org
lieweld.org
likesfetter.org
linseedpaste.org
lodgersow.org
loitercash.org
longingashamed.org
lowlymeaty.org
lowsnooze.org
maniashow.org
mashscamp.org
maximumnone.org
memoirsmatrix.org
milletavoid.org
miserytenure.org
modernbin.org
morphiaseaside.org
movingsnip.org
mummeryscales.org
musterydecoy.org
muzzleastute.org
nationearn.org
naughtgrubby.org
nestjolt.org
netllookup.com
nightlyseeds.org
nodeconvert.org
noisomechicane.org
nominalunwary.org
nullcandy.org
numbuse.org
oatmealfrisk.org
oatmealshatter.org
opticmoving.org
orationyou.org
orderdid.org
orhanhundred.org
otspark.org
overrunwooden.org
pactcelery.org
pastrydug.org
pedalslacken.org
pentfinite.org
pentmull.org
phantombecame.org
phantomsell.org
pigskinturn.org
pilgrimstrut.org
plentyvicious.org
plumtreacle.org
pompousdenial.org
ponderbelong.org
popestrict.org
portionchagrin.org
posyhatch.org
potseclude.org
prancecontour.org
praysad.org
precededynamic.org
primacyresin.org
prosaiccube.org
provereject.org
puristar.org
purposestupid.org
quartpliancy.org
racialfreshe.org
rashcrowd.org
readerocular.org
rebirthfalcon.org
rectoryfeign.org
refereeshe.org
reflexpan.org
refundwine.org
remissdeceive.org
repentavow.org
repulsemaximum.org
riddensoot.org
rsstooltip.com
runletlanky.org
saintlunatic.org
sapammonia.org
savourotter.org
scumwoollen.org
seniormilage.org
shouldfasten.org
sinnerreflex.org
sirsize.org
skimlyrical.org
slopestipend.org
sorrelramble.org
sprutnetwork.com
squealflirt.org
staideconomy.org
starryplank.org
stowgranary.org
stripescud.org
studentfairly.org
stuffwrestle.org
stuntedvote.org
subdueshone.org
suctionbanking.org
suitebillion.org
sunnyscythe.org
superbhotbed.org
taintfurl.org
talkerrun.org
tasteleg.org
tensionwarble.org
testradiant.org
timelymaze.org
titledrutty.org
toiletarchway.org
torturetactful.org
totaltwelfth.org
trafficgarland.org
trashnote.org
trickleivy.org
trivialappears.org
tunebask.org
turbidworship.org
undoingperfect.org
unduedome.org
unitepulpit.org
unshipreckon.org
usheronce.org
vacancyagainst.org
veinassert.org
vileisolate.org
visapeer.org
votegroggy.org
voyagebud.org
vultureoffer.org
waivertouch.org
warlikedisobey.org
waspad.org
wastefuzz.org
wedanthem.org
wettrend.org
whimperchart.org
widowerfeeble.org
wivestemple.org
woecake.org
woverecruit.org
wretchninny.org
zippuny.org
Unfortunately, the site has been compromised in an injection attack with a hard-to-diagnose piece of malware attempting to load code from warlikedisobey.org/coehegzxw8xgahtrb on 66.197.158.102. The code seems resistant to several common analysis tools. The injection attack is hidden on the very first line of HTML on the home page.. you have to scroll a long way right to see it.
Update 12/10: it looks like the site is currently clean, but it might get re-infected if the core problem hasn't been fixed.
Update 20/10: it turns out that it isn't clean at all, but the exploit code is not present all the time. It could be that something is going on at Cloudflare who provide load balancing for the site, but I've never seen that sort of issue with Cloudflare before.
I haven't been able to analyse the payload yet. There is a possibility that it might target Android devices.
The domain is registered through Bizcn.com in China to the following registrant:
Registrant ID:orgff14354361081 Registrant Name:Henry Nguyen Gong Registrant Organization:Privacy-Protect.cn Registrant Street1:Rue la produit 34 Registrant Street2: Registrant Street3: Registrant City:Nimes Registrant State/Province:Languedoc-Roussillon Registrant Postal Code:30189 Registrant Country:FR Registrant Phone:+33.466583875 Registrant Phone Ext.: Registrant FAX:+33.466583875 Registrant FAX Ext.: Registrant Email:contact@privacy-protect.cn
privacy-protect.cn is very commonly used by criminals to cover their tracks.A Google search for 66.197.158.102 indicates that the IP address is in use by several malicious domains (listed below).
A look at the Cyanogenmod.com forums indicates that similar attacks have been happening since September 25th:
Does anyone know what this is? I got a warning from Norton with High severity saying I was attacked by sloughsputter.org and warlikedisobey.org from 66.197.158.102:80 when I entered into the touchpad forum for this website. The IPS alert name is: web attack malicious exploit kit website at High risk
Blocking traffic to 66.197.158.102 is probably a good idea. It looks like there may be other problems in 66.197.158.0/24 so you could block the whole range as a precaution.
The following domains are hosted on 66.197.158.102:
acclaimpump.org
acreafloat.org
aeroadore.org
affairmedley.org
afraiddown.org
againindorse.org
alertworsted.org
analyseshort.org
ardorloathe.org
arraigngarment.org
assortsetto.org
bakedemure.org
balloontroops.org
baskettubular.org
beandown.org
bedridpollute.org
benttopple.org
bequestramble.org
blazefiddle.org
blisswilds.org
boardbutts.org
bringgreed.org
bunkscamp.org
burntbrought.org
butchermeetm.org
bywordtoll.org
cackleshaggy.org
capsuletrapeze.org
carptheirs.org
cellarprank.org
cellchin.org
cementshout.org
choreuphold.org
clamourunion.org
classiclily.org
clerkinure.org
comechirp.org
crafttexture.org
damaskslab.org
declaimtaunt.org
decreecattle.org
delayabrige.org
desisthateful.org
deskoccur.org
devoidshed.org
dimsadden.org
dirttouchy.org
discernpitcher.org
divingpeddle.org
dotingbouquet.org
eclipsedensity.org
economyjersey.org
elateexample.org
elkrecline.org
embraceniece.org
enigmaflutter.org
enjoyocean.org
enrolcaw.org
estril.org
eventliving.org
evermist.org
eyescanty.org
facingsinvade.org
factionchurch.org
fallacypour.org
fangwrath.org
fiancesardine.org
fishingbeet.org
flaxnap.org
foggystudent.org
foresttruck.org
fuzzoffal.org
gailyflounce.org
gazettesay.org
ghatlend.org
ghatreds.org
gibbetshook.org
gladespilt.org
godliketourist.org
goodantics.org
grandetidings.org
grenadeabove.org
gruver.org
gulpillegal.org
halcyonet.com
hamcadet.org
heronuntrue.org
hideousmindful.org
hillocksaunter.org
horntreason.org
hotspurequal.org
hourmesh.org
hulknutmeg.org
hungermouth.org
hymnrough.org
idearevel.org
ignservice.com
inclosegem.org
incurhealth.org
inducttrunk.org
innentry.org
innersoloist.org
inroadperish.org
installherb.org
intentbell.org
ironingonset.org
itemizefir.org
jarabroad.org
javarequest.com
javatooltip.com
jewishdin.org
jocularputrefy.org
jstooltip.com
juicecaulk.org
justlysubtle.org
kalmup.org
kinoutlaw.org
lambkinclad.org
laundrysudden.org
leanspeck.org
letconsul.org
libelconvoy.org
lieweld.org
likesfetter.org
linseedpaste.org
lodgersow.org
loitercash.org
longingashamed.org
lowlymeaty.org
lowsnooze.org
maniashow.org
mashscamp.org
maximumnone.org
memoirsmatrix.org
milletavoid.org
miserytenure.org
modernbin.org
morphiaseaside.org
movingsnip.org
mummeryscales.org
musterydecoy.org
muzzleastute.org
nationearn.org
naughtgrubby.org
nestjolt.org
netllookup.com
nightlyseeds.org
nodeconvert.org
noisomechicane.org
nominalunwary.org
nullcandy.org
numbuse.org
oatmealfrisk.org
oatmealshatter.org
opticmoving.org
orationyou.org
orderdid.org
orhanhundred.org
otspark.org
overrunwooden.org
pactcelery.org
pastrydug.org
pedalslacken.org
pentfinite.org
pentmull.org
phantombecame.org
phantomsell.org
pigskinturn.org
pilgrimstrut.org
plentyvicious.org
plumtreacle.org
pompousdenial.org
ponderbelong.org
popestrict.org
portionchagrin.org
posyhatch.org
potseclude.org
prancecontour.org
praysad.org
precededynamic.org
primacyresin.org
prosaiccube.org
provereject.org
puristar.org
purposestupid.org
quartpliancy.org
racialfreshe.org
rashcrowd.org
readerocular.org
rebirthfalcon.org
rectoryfeign.org
refereeshe.org
reflexpan.org
refundwine.org
remissdeceive.org
repentavow.org
repulsemaximum.org
riddensoot.org
rsstooltip.com
runletlanky.org
saintlunatic.org
sapammonia.org
savourotter.org
scumwoollen.org
seniormilage.org
shouldfasten.org
sinnerreflex.org
sirsize.org
skimlyrical.org
slopestipend.org
sorrelramble.org
sprutnetwork.com
squealflirt.org
staideconomy.org
starryplank.org
stowgranary.org
stripescud.org
studentfairly.org
stuffwrestle.org
stuntedvote.org
subdueshone.org
suctionbanking.org
suitebillion.org
sunnyscythe.org
superbhotbed.org
taintfurl.org
talkerrun.org
tasteleg.org
tensionwarble.org
testradiant.org
timelymaze.org
titledrutty.org
toiletarchway.org
torturetactful.org
totaltwelfth.org
trafficgarland.org
trashnote.org
trickleivy.org
trivialappears.org
tunebask.org
turbidworship.org
undoingperfect.org
unduedome.org
unitepulpit.org
unshipreckon.org
usheronce.org
vacancyagainst.org
veinassert.org
vileisolate.org
visapeer.org
votegroggy.org
voyagebud.org
vultureoffer.org
waivertouch.org
warlikedisobey.org
waspad.org
wastefuzz.org
wedanthem.org
wettrend.org
whimperchart.org
widowerfeeble.org
wivestemple.org
woecake.org
woverecruit.org
wretchninny.org
zippuny.org
Labels:
Android,
Injection Attacks
Fake jobs: new-jobaccess.com and simple-jobneed.com
Two new fake job domains, forming part of the long-running "Lapatasker" scam.
new-jobaccess.com
simple-jobneed.com
Emails from these domains may appear to be from your own email address (here's why). They are registered to a no-doubt fake registrant:
The "jobs" on offer are illegal activities such as money laundering. If you have any examples of spam using these domains to solicit replies, please consider sharing them in the Comments. Thanks!
new-jobaccess.com
simple-jobneed.com
Emails from these domains may appear to be from your own email address (here's why). They are registered to a no-doubt fake registrant:
Luc Metteran Email: lucmetteran@yahoo.fr Organization: Luc Metteran Address: 6, avenue Kennedy City: Paris State: Paris ZIP: 17880 Country: FR Phone: +33.0156402315
The "jobs" on offer are illegal activities such as money laundering. If you have any examples of spam using these domains to solicit replies, please consider sharing them in the Comments. Thanks!
Labels:
Job Offer Scams,
Lapatasker,
Money Mule,
Russia
Monday 10 October 2011
Some TDL/TDSS rootkit sites to block
The following IPs are related to the TDL/TDSS rootkit. 212.36.9.52 / gic-kbmtu0zkvwylf.com appears to be a C&C server.
94.63.149.10
94.63.149.11
94.63.149.12
94.63.149.13
94.63.149.14
94.63.149.15
146.185.250.140
146.185.250.141
195.3.145.251
195.3.145.252
195.3.145.253
212.36.9.52
94.63.149.0/24 is a Romanian host called Eurolan Solutions SRL, I've had this blocked for months with no ill-effects. 146.185.0.0/16 is Petersburg Internet Network Ltd in Russia, the whole /16 is sparsely populated and blocking that would probably do no harm. 195.3.144.0/22 is Latvia host RN Data SIA, given that Latvia hosts are such a sewer then blocking the /22 is probably also a good idea.
As for 212.36.9.52 (OTEL, Bulgaria), there appear to be a few malware servers in 212.36.8.0/23 mixed with several legitimate sites. 212.36.9.60, 212.36.9.52 and 212.36.9.52 also appear to be malicious. Blocking 212.36.0.48/28 should filter out the bad sites without blocking good ones.
The following domains are associated with these IPs, if you can't block by IP then blocking these might be a good idea,
bejb883-njm.com
bxwqxlkp4ajt.com
feeew0r-geek.com
gic-kbmtu0zkvwylf.com
gv47numkmkmfub8790.com
hhnnbtcnotcf3ohtxt.com
j5dlz7rxoto8g1fubb.com
jblextyhsfqttkz.com
jhv684ybknjkm.com
keter-jankinsome.com
q9-e52wjh7cz.com
retgen-rasch12.com
retno-uhb3.com
rzncgorop-yvpx.com
serch-iteration.com
tylt9avnpfl-zdk.com
uh-i99ur3qa9t3ssw.com
upsbkschmajhlxs6.com
vbhw53jnjjn00o.com
x24l0jpdhtccng-ojw.com
xcxmjb2joopypo.com
zhfg0l5eijw4tjxc.com
zw5kfhmujx024saj2.com
94.63.149.10
94.63.149.11
94.63.149.12
94.63.149.13
94.63.149.14
94.63.149.15
146.185.250.140
146.185.250.141
195.3.145.251
195.3.145.252
195.3.145.253
212.36.9.52
94.63.149.0/24 is a Romanian host called Eurolan Solutions SRL, I've had this blocked for months with no ill-effects. 146.185.0.0/16 is Petersburg Internet Network Ltd in Russia, the whole /16 is sparsely populated and blocking that would probably do no harm. 195.3.144.0/22 is Latvia host RN Data SIA, given that Latvia hosts are such a sewer then blocking the /22 is probably also a good idea.
As for 212.36.9.52 (OTEL, Bulgaria), there appear to be a few malware servers in 212.36.8.0/23 mixed with several legitimate sites. 212.36.9.60, 212.36.9.52 and 212.36.9.52 also appear to be malicious. Blocking 212.36.0.48/28 should filter out the bad sites without blocking good ones.
The following domains are associated with these IPs, if you can't block by IP then blocking these might be a good idea,
bejb883-njm.com
bxwqxlkp4ajt.com
feeew0r-geek.com
gic-kbmtu0zkvwylf.com
gv47numkmkmfub8790.com
hhnnbtcnotcf3ohtxt.com
j5dlz7rxoto8g1fubb.com
jblextyhsfqttkz.com
jhv684ybknjkm.com
keter-jankinsome.com
q9-e52wjh7cz.com
retgen-rasch12.com
retno-uhb3.com
rzncgorop-yvpx.com
serch-iteration.com
tylt9avnpfl-zdk.com
uh-i99ur3qa9t3ssw.com
upsbkschmajhlxs6.com
vbhw53jnjjn00o.com
x24l0jpdhtccng-ojw.com
xcxmjb2joopypo.com
zhfg0l5eijw4tjxc.com
zw5kfhmujx024saj2.com
Friday 7 October 2011
talkhard.com spam from scam.com
Here's an oddity:
The mail originates from 208.86.2.42 which is mail.scam.com. The mail headers read:
Received: from unknown (HELO srv349.rackco.com) (208.86.2.42)
by ********** with SMTP; 7 Oct 2011 15:26:45 -0000
Received: from apache by srv349.rackco.com with local (Exim 4.69)
(envelope-from)
id 1RC7Gd-0001vk-RA
for **********; Fri, 07 Oct 2011 06:02:59 -0400
To: **********
Subject: [RE] New message board you will like
From: "funforumcommuity@yahoo.com"
Message-ID: <201110071059.42eccb836871@scam.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 8bit
X-Priority: 3
X-Mailer: vBulletin Mail via PHP
Sender: Apache
Date: Fri, 07 Oct 2011 06:02:59 -0400
Not very classy, scam.com!
From: funforumcommuity@yahoo.com funforumcommuity@yahoo.com
Date: 7 October 2011 11:02
Subject: [RE] New message board you will like
Hey I figured you would like this new forum I found. There's no ads, its uncensored, and they are doing a hundred dollar contest this month. Check it out.
http://www.talkhard.com
The mail originates from 208.86.2.42 which is mail.scam.com. The mail headers read:
Received: from unknown (HELO srv349.rackco.com) (208.86.2.42)
by ********** with SMTP; 7 Oct 2011 15:26:45 -0000
Received: from apache by srv349.rackco.com with local (Exim 4.69)
(envelope-from
id 1RC7Gd-0001vk-RA
for **********; Fri, 07 Oct 2011 06:02:59 -0400
To: **********
Subject: [RE] New message board you will like
From: "funforumcommuity@yahoo.com"
Message-ID: <201110071059.42eccb836871@scam.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 8bit
X-Priority: 3
X-Mailer: vBulletin Mail via PHP
Sender: Apache
Date: Fri, 07 Oct 2011 06:02:59 -0400
Not very classy, scam.com!
Something evil on 91.220.35.38
91.220.35.38 contains several malicious domains, apparently connected with the Blackhole Exploit Kit. These sites are being promoted through spam email. The IP range of 91.220.35.0/24 (zamanhost.ru who appear to operate out of the Ukraine) looks like a good thing to block.
The email looks something like this:
associationandmyblog.info
associationandmyexperience.info
association-and-my-experience.info
associationandmyexperienceblog.info
associationandmyexperienceonline.info
associationandmyexperiencesite.info
associationandmyonline.info
associationandmysite.info
associationandmystore.info
associationchoose.info
association-choose.info
associationcourse.info
associationcreationblog.info
associationcreationonline.info
associationcreationsite.info
associationcreationstore.info
associationearth.info
association-earth.info
associationed.info
association-ed.info
associationeducationblog.info
associationeducationonline.info
associationeducationsite.info
associationeducationstore.info
associationepoch.info
associationformationblog.info
associationformationonline.info
associationformationsite.info
associationformationstore.info
associationgenerationblog.info
associationgenerationonline.info
associationgenerationsite.info
associationgenerationstore.info
associationgethome.info
associationglobe.info
associationgohome.info
association-go-home.info
associationgohomeblog.info
associationgohomeonline.info
associationgohomestore.info
associationgohouse.info
associationinterval.info
associationlearning.info
associationlifetime.info
associationlongword.info
association-long-word.info
associationlongwordblog.info
associationlongwordonline.info
associationlongwordsite.info
associationlongwordstore.info
associationminute.info
associationmonth.info
associationmovehome.info
associationmultiplicationblog.info
associationmultiplicationsite.info
associationmultiplicationstore.info
associationmusicsanalarm.info
associationnewsblog.info
associationnewsmedia.info
associationnewsonline.info
associationnewssite.info
associationnewsstore.info
association-newstageofdevelopmentblog.info
association-newstageofdevelopmentonline.info
association-newstageofdevelopmentsite.info
association-newstageofdevelopmentstore.info
associationnmyexperience.info
associationnmyknowledge.info
associationprogenyblog.info
associationprogenyonline.info
associationprogenysite.info
associationprogenystore.info
associationrace.info
association-race.info
associationraceblog.info
associationraceonline.info
associationracesite.info
associationracestore.info
associationreproductionblog.info
associationreproductiononline.info
associationreproductionsite.info
associationreproductionstore.info
associationschool.info
association-school.info
associationsecond.info
associationselectblog.info
associationselectonline.info
associationselectstore.info
associationsoundsanalarm.info
association-sound-san-alarm.info
associationsoundsanalarmblog.info
associationsoundsanalarmonline.info
associationsoundsanalarmsite.info
associationsoundsanalarmstore.info
associationsoundsanpanic.info
associationspeed.info
associationtime.info
association-time.info
associationtimeblog.info
associationtimeonline.info
associationtimesite.info
associationtimestore.info
associationtonesanalarm.info
associationtrapsblog.info
associationtrapsonline.info
associationtrapssite.info
associationtrapsstore.info
associationuniverse.info
associationworld.info
association-world.info
associationworldblog.info
associationworldonline.info
associationworldsite.info
associationworldstore.info
bestassociationandmyexperience.info
bestassociationgohome.info
bestassociationlongword.info
bestassociationrace.info
bestassociationsoundsanalarm.info
bestassociationtime.info
bestassociationworld.info
dollar-krise.de
eredirect.ru
fortunatemoney.in
fortunate-money.in
fotv.in
freeassociationandmyexperience.info
freeassociationgohome.info
freeassociationlongword.info
freeassociationrace.info
freeassociationsoundsanalarm.info
freeassociationtime.info
freeassociationworld.info
groupandmyexperience.info
groupandmyexpertise.info
groupandmyknowledge.info
groupchoose.info
group-choose.info
groupextendedword.info
groupextensiveword.info
groupgethome.info
group-get-home.info
groupgohome.info
group-go-home.info
grouplengthyword.info
grouplongmessage.info
grouplongphrase.info
grouplongsaying.info
grouplongword.info
groupnmyexperience.info
groupnmyknowledge.info
groupprolongedword.info
group-race.info
groupschool.info
group-time.info
groupworld.info
group-world.info
kitr.in
logisticperu.in
myassociationandmyexperience.info
myassociationgohome.info
myassociationlongword.info
myassociationrace.info
myassociationsoundsanalarm.info
myassociationtime.info
myassociationworld.info
newassociationandmyexperience.info
newassociationgohome.info
newassociationlongword.info
newassociationrace.info
newassociationsoundsanalarm.info
newassociationtime.info
newassociationworld.info
organizationandmyexperience.info
organization-choose.info
organizationgethome.info
organizationgohome.info
organization-go-home.info
organizationnmyexperience.info
organizationrace.info
organization-race.info
organizationsoundsanalarm.info
organizationtime.info
organization-time.info
organizationworld.info
organization-world.info
pzmjrv.5iai-shop.co.uk
searchassociationblog.info
searchassociationonline.info
searchassociationsite.info
searchassociationstore.info
theassociationandmyexperience.info
theassociationgohome.info
theassociationlongword.info
theassociationrace.info
theassociationsoundsanalarm.info
theassociationtime.info
theassociationworld.info
wfdjszyzou.ce.ms
widgetharden.in
widgetwithstand.in
xore.in
xxxi.us.to
The email looks something like this:
Subject: Re: FW: End of Aug. Statement ReqiuredThe email contains a link going to one of the malicious sites hosted on the server. At the moment I can identify the following sites:
Good morning,
as reqeusted I give you inovices issued to you per sept.
Download Invoice
Regards
CHEREE DUNHAM
associationandmyblog.info
associationandmyexperience.info
association-and-my-experience.info
associationandmyexperienceblog.info
associationandmyexperienceonline.info
associationandmyexperiencesite.info
associationandmyonline.info
associationandmysite.info
associationandmystore.info
associationchoose.info
association-choose.info
associationcourse.info
associationcreationblog.info
associationcreationonline.info
associationcreationsite.info
associationcreationstore.info
associationearth.info
association-earth.info
associationed.info
association-ed.info
associationeducationblog.info
associationeducationonline.info
associationeducationsite.info
associationeducationstore.info
associationepoch.info
associationformationblog.info
associationformationonline.info
associationformationsite.info
associationformationstore.info
associationgenerationblog.info
associationgenerationonline.info
associationgenerationsite.info
associationgenerationstore.info
associationgethome.info
associationglobe.info
associationgohome.info
association-go-home.info
associationgohomeblog.info
associationgohomeonline.info
associationgohomestore.info
associationgohouse.info
associationinterval.info
associationlearning.info
associationlifetime.info
associationlongword.info
association-long-word.info
associationlongwordblog.info
associationlongwordonline.info
associationlongwordsite.info
associationlongwordstore.info
associationminute.info
associationmonth.info
associationmovehome.info
associationmultiplicationblog.info
associationmultiplicationsite.info
associationmultiplicationstore.info
associationmusicsanalarm.info
associationnewsblog.info
associationnewsmedia.info
associationnewsonline.info
associationnewssite.info
associationnewsstore.info
association-newstageofdevelopmentblog.info
association-newstageofdevelopmentonline.info
association-newstageofdevelopmentsite.info
association-newstageofdevelopmentstore.info
associationnmyexperience.info
associationnmyknowledge.info
associationprogenyblog.info
associationprogenyonline.info
associationprogenysite.info
associationprogenystore.info
associationrace.info
association-race.info
associationraceblog.info
associationraceonline.info
associationracesite.info
associationracestore.info
associationreproductionblog.info
associationreproductiononline.info
associationreproductionsite.info
associationreproductionstore.info
associationschool.info
association-school.info
associationsecond.info
associationselectblog.info
associationselectonline.info
associationselectstore.info
associationsoundsanalarm.info
association-sound-san-alarm.info
associationsoundsanalarmblog.info
associationsoundsanalarmonline.info
associationsoundsanalarmsite.info
associationsoundsanalarmstore.info
associationsoundsanpanic.info
associationspeed.info
associationtime.info
association-time.info
associationtimeblog.info
associationtimeonline.info
associationtimesite.info
associationtimestore.info
associationtonesanalarm.info
associationtrapsblog.info
associationtrapsonline.info
associationtrapssite.info
associationtrapsstore.info
associationuniverse.info
associationworld.info
association-world.info
associationworldblog.info
associationworldonline.info
associationworldsite.info
associationworldstore.info
bestassociationandmyexperience.info
bestassociationgohome.info
bestassociationlongword.info
bestassociationrace.info
bestassociationsoundsanalarm.info
bestassociationtime.info
bestassociationworld.info
dollar-krise.de
eredirect.ru
fortunatemoney.in
fortunate-money.in
fotv.in
freeassociationandmyexperience.info
freeassociationgohome.info
freeassociationlongword.info
freeassociationrace.info
freeassociationsoundsanalarm.info
freeassociationtime.info
freeassociationworld.info
groupandmyexperience.info
groupandmyexpertise.info
groupandmyknowledge.info
groupchoose.info
group-choose.info
groupextendedword.info
groupextensiveword.info
groupgethome.info
group-get-home.info
groupgohome.info
group-go-home.info
grouplengthyword.info
grouplongmessage.info
grouplongphrase.info
grouplongsaying.info
grouplongword.info
groupnmyexperience.info
groupnmyknowledge.info
groupprolongedword.info
group-race.info
groupschool.info
group-time.info
groupworld.info
group-world.info
kitr.in
logisticperu.in
myassociationandmyexperience.info
myassociationgohome.info
myassociationlongword.info
myassociationrace.info
myassociationsoundsanalarm.info
myassociationtime.info
myassociationworld.info
newassociationandmyexperience.info
newassociationgohome.info
newassociationlongword.info
newassociationrace.info
newassociationsoundsanalarm.info
newassociationtime.info
newassociationworld.info
organizationandmyexperience.info
organization-choose.info
organizationgethome.info
organizationgohome.info
organization-go-home.info
organizationnmyexperience.info
organizationrace.info
organization-race.info
organizationsoundsanalarm.info
organizationtime.info
organization-time.info
organizationworld.info
organization-world.info
pzmjrv.5iai-shop.co.uk
searchassociationblog.info
searchassociationonline.info
searchassociationsite.info
searchassociationstore.info
theassociationandmyexperience.info
theassociationgohome.info
theassociationlongword.info
theassociationrace.info
theassociationsoundsanalarm.info
theassociationtime.info
theassociationworld.info
wfdjszyzou.ce.ms
widgetharden.in
widgetwithstand.in
xore.in
xxxi.us.to
Labels:
Evil Network,
Russia,
Spam,
Ukraine,
Viruses
Thursday 6 October 2011
Scam: "Conference on racism/human trafficking and child abuse 2011"
This fake conference is actually likely to be a form of advanced fee fraud:
Mail is routed via 41.207.177.16 in Togo from an ADSL subscriber in Dakar (Senegal). Two sample originating IPs are 41.82.79.108 and 41.82.64.163.
Avoid.
From: Ms Regina Linus reginafedrick@yahoo.comOf course, there will be "problems" with the Senegal leg which will require a fee payment in advance, and the Atlanta part of the conference will never materialise. If you actually are involved in stopping racism, human trafficking and child abuse then consider just what scumbags these scammers are.
Reply-To: regina.linus200@globomail.com
Date: 5 October 2011 19:53
Subject: Conference on racism/human trafficking and child abuse 2011,,,,,,,,,,
Dear Colleagues,
You are cordially invited to participate in a Global Combined conference taking
place from (22ND-25th November 2011) in Atlanta-Georgia, United States of
America at the Hilton Atlanta Conference Center, and from (28th-30th
November2011) in Olympic Stadium Hall Dakar Senegal.
Applicant that are interested and want to represent his/her country should
Contact the conference secretariat via Email :{ csecretaryoffice@aol.com }
{giyf.newoffice@globomail.com } for more details and Information.
Endeavor to inform them that you were invited to participate by (Ms. Regina
Linus). Note that the Organizing Committee is responsible for the air
tickets, visas and lodging accommodation in USA only.
Sincerely Yours,
Ms. Regina Linus.
(regina.linus200@globomail.com)
Mail is routed via 41.207.177.16 in Togo from an ADSL subscriber in Dakar (Senegal). Two sample originating IPs are 41.82.79.108 and 41.82.64.163.
Avoid.
Subscribe to:
Posts (Atom)