From: Margo Lawrence [mailto:robbersab@alumni.insead.edu]There's an HTML-in-ZIP attachment, leading to a malicious payload at dhjhgfkjsldkjdj.ru (report here). Blocking access to the IP addresses shown in this post may be prudent.
Sent: 04 April 2012 14:17
Subject: Re: FW: End of Aug. Statement
,
as reqeusted I give you inovices issued to you per february (Internet Explorer format).
Regards
Dollie Mcguire
Wednesday, 4 April 2012
"End of Aug. Statement" spam / dhjhgfkjsldkjdj.ru
This "End of Aug. Statement" spam uses the same malicious payload as this one earlier today.
Intuit.com spam / dhjhgfkjsldkjdj.ru
Another fake Intuit spam leading to malware, this time on dhjhgfkjsldkjdj.ru:
The malware is a Phoenix exploit kit at dhjhgfkjsldkjdj.ru:8080/navigator/jueoaritjuir.php (Wepawet Report here) which is multihomed on the IPs below, a very similar list to this recent spam run.
41.66.137.155 (AfricaINX, South Africa)
41.168.5.140 (Neotel Pty, South Africa)
61.187.191.16 (ChinaNet Hunan, China)
62.85.27.129 (Microlink, Latvia)
78.83.233.242 (Spectrum Net JSC, Bulgaria)
78.107.82.98 (Vimpelcom, Russia)
89.218.55.51 (Kazakhtelecom, Kazakhstan)
125.19.103.198 (Bharti Infotel Ltd, India)
180.235.150.72 (Ardh Global, Indonesia)
194.85.97.121 (State Technical University of Saint-Petersburg, Russia)
200.169.13.84 (Comite Gestor Da Internet, Brazil)
202.149.85.37 (Satata Neka Tama, Indonesia)
210.56.23.100 (Commission For Science And Technology, Pakistan)
210.56.24.226 (Commission For Science And Technology, Pakistan)
210.109.108.210 (Sejong Telecom, Korea)
211.44.250.173 (SK Broadband Co Ltd, Korea)
219.94.194.138 (Sakura Internet, Japan)
Plain list for copy-and-pasting:
41.66.137.155
41.168.5.140
61.187.191.16
62.85.27.129
78.83.233.242
78.107.82.98
89.218.55.51
125.19.103.198
180.235.150.72
194.85.97.121
200.169.13.84
202.149.85.37
210.56.23.100
210.56.24.226
210.109.108.210
211.44.250.173
219.94.194.138
Date: Wed, 4 Apr 2012 11:33:37 +0100
From: pXTwWE@gmail.com
Subject: Dowload your Intuit.com invoice.
Attachments: Intuit_Order-255798.htm
Dear customer: Thank you for ordering from Intuit Market. We are processing and will message you when your order ships. If you ordered multiple items, we may sned them in more than one delivery (at no extra cost to you) to ensure quicker delivery. If you have questions about your order please call 1-900-374-9959 ($2.89/min).
ORDER INFORMATION
Please download your complete order id #5400523 from the attachment.(Open with Internet Explorer)
�2012 Intuit, Inc. All rights reserved. Intuit, the Intuit Logo, Quickbooks, Quicken and TurboTax, among others, are registered trademarks of Intuit Inc.
The malware is a Phoenix exploit kit at dhjhgfkjsldkjdj.ru:8080/navigator/jueoaritjuir.php (Wepawet Report here) which is multihomed on the IPs below, a very similar list to this recent spam run.
41.66.137.155 (AfricaINX, South Africa)
41.168.5.140 (Neotel Pty, South Africa)
61.187.191.16 (ChinaNet Hunan, China)
62.85.27.129 (Microlink, Latvia)
78.83.233.242 (Spectrum Net JSC, Bulgaria)
78.107.82.98 (Vimpelcom, Russia)
89.218.55.51 (Kazakhtelecom, Kazakhstan)
125.19.103.198 (Bharti Infotel Ltd, India)
180.235.150.72 (Ardh Global, Indonesia)
194.85.97.121 (State Technical University of Saint-Petersburg, Russia)
200.169.13.84 (Comite Gestor Da Internet, Brazil)
202.149.85.37 (Satata Neka Tama, Indonesia)
210.56.23.100 (Commission For Science And Technology, Pakistan)
210.56.24.226 (Commission For Science And Technology, Pakistan)
210.109.108.210 (Sejong Telecom, Korea)
211.44.250.173 (SK Broadband Co Ltd, Korea)
219.94.194.138 (Sakura Internet, Japan)
Plain list for copy-and-pasting:
41.66.137.155
41.168.5.140
61.187.191.16
62.85.27.129
78.83.233.242
78.107.82.98
89.218.55.51
125.19.103.198
180.235.150.72
194.85.97.121
200.169.13.84
202.149.85.37
210.56.23.100
210.56.24.226
210.109.108.210
211.44.250.173
219.94.194.138
Tuesday, 3 April 2012
SMS Spam: "We have been trying to contact you regards your recent accident"
These scumbag SMS spammers are at it again:
In this case, the sender's number is +447788313443 but this will change as the networks block it.
If you get one of these, you should forward the spam and the sender's number to your carrier. In the came of T-Mobile, O2 and Orange the number to report to is 7726 ("SPAM"). Vodafone customers should use 87726 ("VSPAM") and Three customers should use 37726 ("3SPAM"). Hopefully the carriers will act if there are enough complaints.
URGENT: We have been trying to contact you regards your recent accident; you could be due up to £5,100 in compensation. Reply CLAIM for info, STOP to opt out.
In this case, the sender's number is +447788313443 but this will change as the networks block it.
If you get one of these, you should forward the spam and the sender's number to your carrier. In the came of T-Mobile, O2 and Orange the number to report to is 7726 ("SPAM"). Vodafone customers should use 87726 ("VSPAM") and Three customers should use 37726 ("3SPAM"). Hopefully the carriers will act if there are enough complaints.
US Airways Spam / 109.202.98.43
Another US Airways fake email leading to malware:
The malware is on 109.202.98.43/showthread.php?t=73a07bcb51f4be71 (report here) hosted Global Layer, Netherlands.
Date: Tue, 3 Apr 2012 14:26:03 +0200
From: "US Airways - Reservations" [reservations@myusairways.com]
Subject: Confirm your US airways online reservation.
You have to check in from 24 hours and up to 60 minutes before your flight (2 hours if you're flying internationally). Then, all you need to do is print your boarding pass and head to the gate.
Confirmation code: 336881
Check-in online: Online reservation details
Flight
0989
Departure city and time
Washington, DC (DCA) 10:00PM
Depart date: 4/5/2012
We are committed to protecting your privacy. Your information is kept private and confidential. For information about our privacy policy visit usairways.com.
US Airways, 111 W. Rio Salado Pkwy, Tempe, AZ 85281 , Copyright US Airways , All rights reserved.
The malware is on 109.202.98.43/showthread.php?t=73a07bcb51f4be71 (report here) hosted Global Layer, Netherlands.
Labels:
Malware,
Spam,
US Airways,
Viruses
"Info in regard to keeping well" spam / ListK LLC
This spam appears to be some sort of probing attack, looking for valid email addresses. In this case, the email was send to an address that didn't actually exist.
This appears to be an attempt to bypass spam filters, and also the relevant spam laws by apparently not being a commercial email message.
In this case, the spam went through a relay at 174.142.85.218, but the originating IP appears to be 208.115.221.34, a Limestone Networks IP suballocated to a outfit called "24Shells, Feasterville, PA 19053, US" who control a small block of 208.115.221.32/29 (208.115.221.32 - 208.115.221.39) in this range.
So far, I have discovered the following (anonymous) domains and IP addresses connected with this spammer:
174.142.85.218 (iWeb / Listk LLC, Canada)
mx.verif1cationtime4.com
208.115.221.34 (Limestone Networks, US. Suballocated to "24Shells, Feasterville, PA 19053, US")
mail.vprtcls3.com
174.142.82.119 (iWeb, Canada)
mail.3vermethod.com
96.31.93.88 (Noc4Hosts, US)
mx.verif1cationtime2.com
209.54.55.171 (Native Hosting, US)
mx.verif1cationtime3.com
216.245.208.34 (24Shells, US)
mail.2vermethod.com
173.236.84.2 (Singlehop, US)
mx.4vermethod.com
74.112.248.179 (Triple8, US)
mail.vprtcls1.com
Out of these IPs, 174.142.85.218 is the most interesting. It belongs to iWeb in Canada (Canada is a great home for spammers) but is suballocated to:
ListK LLC has a website at listk.com and are based in Atlanta, Georgia (BBB report here). Their web site gives an indication as to exactly what this spam is about:
This describes the spam probe exactly, it is using existing contact details to try to form a valid email address, and then probe it from several different IP addresses to try to bypass spam filters.
In my personal opinion, this is unethical and arguably illegal as the spam is indeed part of a commercial offering. If you receive spam from this outfit, you should report it to their hosting providers. I also recommend complaining to the BBB if you are in the US.
Just for reference the mail headers involved are as follows:
Received: from mx.verif1cationtime4.com ([174.142.85.218])
by ---------- with esmtp (Exim 4.69)
id 1SEwkh-0006gp-2Y
for ----------; Tue, 03 Apr 2012 06:58:00 +0100
Received: from 208.115.221.34
by mail.3vermethod.com (Merak 8.9.1) with ASMTP id NJW04750
for <---------->; Tue, 03 Apr 2012 01:45:50 -0400
Status:
Message-ID: <20120403014518.8b1d3b8d2d@3b5e>
From: "Roy Johnson"
To: ----------
Date: Tue, 3 Apr 2012 01:45:18 -0400
X-Priority: 3
X-Mailer: SkillCaster
MIME-Version: 1.0
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on
----------
X-Spam-Level:
X-Spam-Status: No, score=0.0 required=5.0 tests=none autolearn=disabled
version=3.2.5
Subject: Info in regard to keeping well.
Content-Type: text/plain;
charset="us-ascii"
Content-Transfer-Encoding: 7bit
Delivered-To: ----------
From: Roy Johnson Roy.Johnson@verif1cationtime4.com
Date: 3 April 2012 06:45
Subject: Info in regard to keeping well.
This is a one time public service message about Attention Deficit
Hyperactivity Disorder (ADHA) and no further emails will be sent.
ADHD (attention deficit hyperactivity disorder), sometimes called ADD
(attention deficit disorder), is linked with hyperactivity, impulsive
behavior, and attention problems in both children and adults. It's
estimated that up to 12 percent of school-aged children and 6 percent of
adults have ADHD, making it harder for them to focus on tasks, manage
their time, control their behavior, or even sit still. There is no
single test to diagnose ADD/ADHD. To reach a diagnosis, a doctor or
specialist may do a physical exam to rule out any physical problems, as
well as ask questions about behavior in certain situations. Treatment is
often a combination of medication and behavioral therapy. The goals of
treatment are to help the person control impulsive behaviors, do better
in school or work, and improve social relationships. Keep well.
This appears to be an attempt to bypass spam filters, and also the relevant spam laws by apparently not being a commercial email message.
In this case, the spam went through a relay at 174.142.85.218, but the originating IP appears to be 208.115.221.34, a Limestone Networks IP suballocated to a outfit called "24Shells, Feasterville, PA 19053, US" who control a small block of 208.115.221.32/29 (208.115.221.32 - 208.115.221.39) in this range.
So far, I have discovered the following (anonymous) domains and IP addresses connected with this spammer:
174.142.85.218 (iWeb / Listk LLC, Canada)
mx.verif1cationtime4.com
208.115.221.34 (Limestone Networks, US. Suballocated to "24Shells, Feasterville, PA 19053, US")
mail.vprtcls3.com
174.142.82.119 (iWeb, Canada)
mail.3vermethod.com
96.31.93.88 (Noc4Hosts, US)
mx.verif1cationtime2.com
209.54.55.171 (Native Hosting, US)
mx.verif1cationtime3.com
216.245.208.34 (24Shells, US)
mail.2vermethod.com
173.236.84.2 (Singlehop, US)
mx.4vermethod.com
74.112.248.179 (Triple8, US)
mail.vprtcls1.com
Out of these IPs, 174.142.85.218 is the most interesting. It belongs to iWeb in Canada (Canada is a great home for spammers) but is suballocated to:
NetRange: 174.142.85.216 - 174.142.85.223
CIDR: 174.142.85.216/29
OriginAS:
NetName: IWEB-CL-T215-200CN-1330
NetHandle: NET-174-142-85-216-1
Parent: NET-174-142-0-0-1
NetType: Reassigned
RegDate: 2010-05-14
Updated: 2010-05-14
Ref: http://whois.arin.net/rest/net/NET-174-142-85-216-1
CustName: ListK LLC
Address: 1200 Abernathy Road
City: Atlanta
StateProv: GA
PostalCode: 30328
Country: US
RegDate: 2010-05-14
Updated: 2011-11-21
Ref: http://whois.arin.net/rest/customer/C02496703
CIDR: 174.142.85.216/29
OriginAS:
NetName: IWEB-CL-T215-200CN-1330
NetHandle: NET-174-142-85-216-1
Parent: NET-174-142-0-0-1
NetType: Reassigned
RegDate: 2010-05-14
Updated: 2010-05-14
Ref: http://whois.arin.net/rest/net/NET-174-142-85-216-1
CustName: ListK LLC
Address: 1200 Abernathy Road
City: Atlanta
StateProv: GA
PostalCode: 30328
Country: US
RegDate: 2010-05-14
Updated: 2011-11-21
Ref: http://whois.arin.net/rest/customer/C02496703
ListK LLC has a website at listk.com and are based in Atlanta, Georgia (BBB report here). Their web site gives an indication as to exactly what this spam is about:
NameDiscoverer™ helps clients add net new contacts to their lists by utilizing our proprietary search technology to identify, gather and verify contacts and provide their titles and business email addresses.
SmartSender™ is our state-of-the-art email deployment platform that rotates and pulses emails over multiple servers so your emails never get filtered out as part of a bulk send.
eDNA™ helps companies add fresh, deliverable B2B email addresses to their lists using our proprietary technology - not by matching to an existing, tired list of emails off the shelf.
This describes the spam probe exactly, it is using existing contact details to try to form a valid email address, and then probe it from several different IP addresses to try to bypass spam filters.
In my personal opinion, this is unethical and arguably illegal as the spam is indeed part of a commercial offering. If you receive spam from this outfit, you should report it to their hosting providers. I also recommend complaining to the BBB if you are in the US.
Just for reference the mail headers involved are as follows:
Received: from mx.verif1cationtime4.com ([174.142.85.218])
by ---------- with esmtp (Exim 4.69)
id 1SEwkh-0006gp-2Y
for ----------; Tue, 03 Apr 2012 06:58:00 +0100
Received: from 208.115.221.34
by mail.3vermethod.com (Merak 8.9.1) with ASMTP id NJW04750
for <---------->; Tue, 03 Apr 2012 01:45:50 -0400
Status:
Message-ID: <20120403014518.8b1d3b8d2d@3b5e>
From: "Roy Johnson"
To: ----------
Date: Tue, 3 Apr 2012 01:45:18 -0400
X-Priority: 3
X-Mailer: SkillCaster
MIME-Version: 1.0
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on
----------
X-Spam-Level:
X-Spam-Status: No, score=0.0 required=5.0 tests=none autolearn=disabled
version=3.2.5
Subject: Info in regard to keeping well.
Content-Type: text/plain;
charset="us-ascii"
Content-Transfer-Encoding: 7bit
Delivered-To: ----------
Labels:
Spam
Monday, 2 April 2012
US Airways Spam / 174.140.171.173
This spam appears to be from US Airways, but it actually leads to malware on 174.140.171.173.
The link goes through a couple of legitimate hacked sites and ends up at 174.140.171.173/showthread.php?t=73a07bcb51f4be71 which contains a malicious payload. This IP is hosted by Directspace in the US.
From: US Airways - Reservations support@myusairways.com
Date: 2 April 2012 15:15
Subject: US Airways online check-in confirmation.
You have to check in from 24 hours and up to 60 minutes before your flight (2 hours if you're flying abroad). After that, all you need to do is print your boarding pass and proceed to the gate.
Confirmation code: 778136
Check-in online: Online reservation details
Flight
7557
Departure city and time
Washington, DC (DCA) 10:00PM
Depart date: 4/5/2012
We are committed to protecting your privacy. Your information is kept private and confidential. For information about our privacy policy visit usairways.com.
US Airways, 111 W. Rio Salado Pkwy, Tempe, AZ 85281 , Copyright US Airways , All rights reserved.
The link goes through a couple of legitimate hacked sites and ends up at 174.140.171.173/showthread.php?t=73a07bcb51f4be71 which contains a malicious payload. This IP is hosted by Directspace in the US.
Labels:
Malware,
Spam,
US Airways,
Viruses
Saturday, 31 March 2012
txt4aloan.co.uk SMS spam / Sellers Griffin Ltd
I hate SMS Spam.. this one is particularly annoying.
In this case the sender was +447867397593 although this will probably change when the number gets blocked by the networks.
So who are txt4aloan.co.uk? Well, that's actually a bit unclear because their website claims that they are Sellers Griffin Ltd, and a quick check at Companies House reveals that there is indeed such a firm at the address they claim:
SELLERS GRIFFIN LIMITED
PEEL HOUSE
30 THE DOWNS
ALTRINCHAM
CHESHIRE
WA14 2PX
Sellers Griffin Ltd appears to be owned by someone called Will King. Essentially, this is a lead generator company who think that SMS spam is an appropriate way to drum up business.
However, the WHOIS details for the txt4aloan.co.uk website are completely different:
Domain name:
txt4aloan.co.uk
Registrant:
Inter Financial Ltd
Registrant type:
Unknown
Registrant's address:
Mont Crevelt House
St Sampson
Guernsey
GY2 4LH
United Kingdom
That's a completely different company from Sellers Griffin, again it really does exist (and it has its own website on inter-financial.co.uk). Why are there two unrelated entities? It beats us, but it certainly is odd.
Anyway.. a closer look at txt4aloan.co.uk shows just what kind of company they are. Right at the bottom of the page, you can see the interest rate that they charge:
If you get one of these, you should forward the spam and the sender's number to your carrier. In the came of T-Mobile, O2 and Orange the number to report to is 7726 ("SPAM"). Vodafone customers should use 87726 ("VSPAM") and Three customers should use 37726 ("3SPAM"). Hopefully the carriers will act if there are enough complaints.
Loan update: Brand new lender, up to £1000 instant approval all online. No Fees. www.txt4aloan.co.uk Cash within 15 mins. Any credit ok. To opt out reply stop.
In this case the sender was +447867397593 although this will probably change when the number gets blocked by the networks.
So who are txt4aloan.co.uk? Well, that's actually a bit unclear because their website claims that they are Sellers Griffin Ltd, and a quick check at Companies House reveals that there is indeed such a firm at the address they claim:
SELLERS GRIFFIN LIMITED
PEEL HOUSE
30 THE DOWNS
ALTRINCHAM
CHESHIRE
WA14 2PX
Sellers Griffin Ltd appears to be owned by someone called Will King. Essentially, this is a lead generator company who think that SMS spam is an appropriate way to drum up business.
However, the WHOIS details for the txt4aloan.co.uk website are completely different:
Domain name:
txt4aloan.co.uk
Registrant:
Inter Financial Ltd
Registrant type:
Unknown
Registrant's address:
Mont Crevelt House
St Sampson
Guernsey
GY2 4LH
United Kingdom
That's a completely different company from Sellers Griffin, again it really does exist (and it has its own website on inter-financial.co.uk). Why are there two unrelated entities? It beats us, but it certainly is odd.
Anyway.. a closer look at txt4aloan.co.uk shows just what kind of company they are. Right at the bottom of the page, you can see the interest rate that they charge:
Representative 1737% APRNo.. that's not 17.37%, that's one thousand, seven hundred and thirty-seven percent interest. No wonder they can afford to send out random SMS spam for that kind of money..
If you get one of these, you should forward the spam and the sender's number to your carrier. In the came of T-Mobile, O2 and Orange the number to report to is 7726 ("SPAM"). Vodafone customers should use 87726 ("VSPAM") and Three customers should use 37726 ("3SPAM"). Hopefully the carriers will act if there are enough complaints.
Friday, 30 March 2012
USPS Spam / 174.140.163.119
And there's yet another USPS spam doing the rounds, this time the malicious payload is on 174.140.163.119 (Directspace US, report here).
Block access to that IP if you can.
Block access to that IP if you can.
USPS Spam / 50.116.19.155
Yet another USPS spam is doing the rounds, this time leading to a malicious payload on 50.116.19.155.
The malicious payload is on 50.116.19.155/data/ap2.php?f=4203d and 50.116.19.155/showthread.php?t=73a07bcb51f4be71 (report here) hosted by Linode.
Date: Fri, 30 Mar 2012 13:47:28 +0200
From: "Danielle Connor" [USPS_Shipping_Services@usps.com]
Subject: Your USPS shipment postage labels receipt.
Acct #: 7112220
Dear client:
This is an email confirmation for your order of 2 online shipping label(s) with postage. We will charge you the following amount:
Transaction Number: #2056017
Print Date/Time: 03/14/2012 02:30 AM CST
Postage Amount: $25.69
Credit Card Number: XXXX XXXX XXXX XXXX
Priority Mail Regional Rate Box B # 4065 2488 7608 7525 8269 (Sequence Number 1 of 1)
If you need further information, please log on to www.usps.com/clicknship and go to your Shipping History or visit our Frequently Asked Questions .
You can refund your unused postage labels up to 14 days after the issue date by logging on to your Click-N-Ship Account.
Thank you for choosing the United States Postal Service
Click-N-Ship: The Online Shipping Solution
Click-N-Ship has just made on line shipping with the USPS even better.
New Enhanced International Label and Customs Form: Updated Look and Easy to Use!
* * * * * * * *
This is a post-only message
The malicious payload is on 50.116.19.155/data/ap2.php?f=4203d and 50.116.19.155/showthread.php?t=73a07bcb51f4be71 (report here) hosted by Linode.
Thursday, 29 March 2012
USPS Spam / 50.56.208.113
Currently there is an email attack running similar to this one earlier today, but in this case the malware is on 50.56.208.113:8080/showthread.php?t=73a07bcb51f4be7 (report here), hosted on Slicehost in the US. Another Slicehost IP to block!
USPS Spam / clearschooner.com
Another USPS spam leading to malware on clearschooner.com:
The malware is on clearschooner.com/showthread.php?t=73a07bcb51f4be71 (report here), hosted on 50.116.50.82 (Linode, US). Blocking the IP will prevent other malcious sites on the same IP from being a problem.
Date: Thu, 29 Mar 2012 09:02:35 -0300
From: "Leonardo Randolph" [USPS_Shipping_Services@usps.com]
Subject: Your USPS shipment postage labels receipt.
Acct #: 8481973
Dear client:
This is an email confirmation for your order of 1 online shipping label(s) with postage. Your credit card will be charged the following amount:
Transaction ID: #2392415
Print Date/Time: 03/13/2012 02:30 AM CST
Postage Amount: $41.63
Credit Card Number: XXXX XXXX XXXX XXXX
Priority Mail Regional Rate Box B # 0354 0258 5729 7186 4971 (Sequence Number 1 of 1)
For further information, please log on to www.usps.com/clicknship and go to your Shipping History or visit our Frequently Asked Questions .
You can refund your unused postage labels up to 14 days after the issue date by logging on to your Click-N-Ship Account.
Thank you for choosing the United States Postal Service
Click-N-Ship: The Online Shipping Solution
Click-N-Ship has just made on line shipping with the USPS even better.
New Enhanced International Label and Customs Form: Updated Look and Easy to Use!
* * * * * * * *
This is an automatically generated message. Please do not respond
The malware is on clearschooner.com/showthread.php?t=73a07bcb51f4be71 (report here), hosted on 50.116.50.82 (Linode, US). Blocking the IP will prevent other malcious sites on the same IP from being a problem.
"Scan from a Xerox WorkCentre Pro #25825448" spam / samsonikonyou.ru
Another malicious HTML-in-ZIP attack, this time leading to malware on samsonikonyou.ru
In the ZIP is an HTML file called Invoice_NO_Mailen.htm which contains obfuscated javascript leading to a malware site on samsonikonyou.ru:8080/navigator/jueoaritjuir.php (report here). This is hosted on a similar set of IPs to this attack yesterday.
41.66.137.155 (AfricaINX, South Africa)
41.168.5.140 (Neotel Pty, South Africa)
61.187.191.16 (ChinaNet Hunan, China)
62.85.27.129 (Microlink, Latvia)
78.83.233.242 (Spectrum Net JSC, Bulgaria)
125.19.103.198 (Bharti Infotel Ltd, India)
180.235.150.72 (Ardh Global, Indonesia)
202.143.147.35 (Ministry of Education, Thailand)
202.149.85.37 (Satata Neka Tama, Indonesia)
210.56.23.100 (Commission For Science And Technology, Pakistan)
210.56.24.226 (Commission For Science And Technology, Pakistan)
210.109.108.210 (Sejong Telecom, Korea)
211.44.250.173 (SK Broadband Co Ltd, Korea)
216.24.194.2 (Psychz Networks, US)
219.94.194.138 (Sakura Internet, Japan)
Plain list for copy-and-pasting:
41.66.137.155
41.168.5.140
61.187.191.16
62.85.27.129
78.83.233.242
125.19.103.198
180.235.150.72
202.143.147.35
202.149.85.37
210.56.23.100
210.56.24.226
210.109.108.210
211.44.250.173
216.24.194.2
219.94.194.138
From: ROSALBA Poe [mailto:victimname@hotmail.com]
Sent: 28 March 2012 19:34
Subject: Scan from a Xerox WorkCentre Pro #25825448
Please open the attached document. It was scanned and sent
to you using a Xerox Center Pro .
Sent by: Guest
Number of Images: 8
Attachment File Type: .HTML
Device Name: XR550PDD9SM84547752
In the ZIP is an HTML file called Invoice_NO_Mailen.htm which contains obfuscated javascript leading to a malware site on samsonikonyou.ru:8080/navigator/jueoaritjuir.php (report here). This is hosted on a similar set of IPs to this attack yesterday.
41.66.137.155 (AfricaINX, South Africa)
41.168.5.140 (Neotel Pty, South Africa)
61.187.191.16 (ChinaNet Hunan, China)
62.85.27.129 (Microlink, Latvia)
78.83.233.242 (Spectrum Net JSC, Bulgaria)
125.19.103.198 (Bharti Infotel Ltd, India)
180.235.150.72 (Ardh Global, Indonesia)
202.143.147.35 (Ministry of Education, Thailand)
202.149.85.37 (Satata Neka Tama, Indonesia)
210.56.23.100 (Commission For Science And Technology, Pakistan)
210.56.24.226 (Commission For Science And Technology, Pakistan)
210.109.108.210 (Sejong Telecom, Korea)
211.44.250.173 (SK Broadband Co Ltd, Korea)
216.24.194.2 (Psychz Networks, US)
219.94.194.138 (Sakura Internet, Japan)
Plain list for copy-and-pasting:
41.66.137.155
41.168.5.140
61.187.191.16
62.85.27.129
78.83.233.242
125.19.103.198
180.235.150.72
202.143.147.35
202.149.85.37
210.56.23.100
210.56.24.226
210.109.108.210
211.44.250.173
216.24.194.2
219.94.194.138
Labels:
Malware,
Printer Spam,
RU:8080,
Spam,
Viruses
Wednesday, 28 March 2012
"Scan from a Hewlett-Packard ScanJet" with zip attachment / superproomgh.ru
This fake HP email has a ZIP attachment, containing an HTML file that leads to malware. The ZIP format is presumably being used to get past virus scanners.
The HTML file leads to malware at superproomgh.ru:8080/navigator/jueoaritjuir.php (report here) which is multihomed on the following IPs:
41.168.5.140 (Neotel Pty, South Africa)
61.187.191.16 (ChinaNet Hunan, China)
62.85.27.129 (Microlink, Latvia)
78.83.233.242 (Spectrum Net JSC, Bulgaria)
125.19.103.198 (Bharti Infotel Ltd, India)
202.143.147.35 (Ministry of Education, Thailand)
202.149.85.37 (Satata Neka Tama, Indonesia)
210.56.23.100 (Commission For Science And Technology, Pakistan)
210.56.24.226 (Commission For Science And Technology, Pakistan)
210.109.108.210 (Sejong Telecom, Korea)
211.44.250.173 (SK Broadband Co Ltd, Korea)
219.94.194.138 (Sakura Internet, Japan)
Plain list for copy-and-pasting:
41.168.5.140
61.187.191.16
62.85.27.129
78.83.233.242
125.19.103.198
202.143.147.35
202.149.85.37
210.56.23.100
210.56.24.226
210.109.108.210
211.44.250.173
219.94.194.138
Subject: Re: Scan from a Hewlett-Packard ScanJet 20382282
Attached document was scanned and sent
to you using a Hewlett-Packard NetJet 280904SL.
SENT BY : ETSUKO
PAGES : 9
FILETYPE: .HTM [Internet Explorer File]
(See attached file: HP_Jet_27_P683.zip)
The HTML file leads to malware at superproomgh.ru:8080/navigator/jueoaritjuir.php (report here) which is multihomed on the following IPs:
41.168.5.140 (Neotel Pty, South Africa)
61.187.191.16 (ChinaNet Hunan, China)
62.85.27.129 (Microlink, Latvia)
78.83.233.242 (Spectrum Net JSC, Bulgaria)
125.19.103.198 (Bharti Infotel Ltd, India)
202.143.147.35 (Ministry of Education, Thailand)
202.149.85.37 (Satata Neka Tama, Indonesia)
210.56.23.100 (Commission For Science And Technology, Pakistan)
210.56.24.226 (Commission For Science And Technology, Pakistan)
210.109.108.210 (Sejong Telecom, Korea)
211.44.250.173 (SK Broadband Co Ltd, Korea)
219.94.194.138 (Sakura Internet, Japan)
Plain list for copy-and-pasting:
41.168.5.140
61.187.191.16
62.85.27.129
78.83.233.242
125.19.103.198
202.143.147.35
202.149.85.37
210.56.23.100
210.56.24.226
210.109.108.210
211.44.250.173
219.94.194.138
Labels:
Malware,
Printer Spam,
RU:8080,
Spam,
Viruses
Tuesday, 27 March 2012
USPS Spam / 184.82.202.46
From WeAreSpammers:
This link goes to malware via baumanmarketing.com (195.78.33.120, Croatia.. most likely a hacked legitimate site) the it goes to billdirect.jiffyinc.com (184.106.64.60, Slicehost UK) until it hits a malware page on 184.82.202.46 (HOSTNOC, US). Originating IP is 111.242.113.138 (HINET, Taiwan). A Wepawet report is available here.
---
From: Damon Mcneill USPS_Shipping_Services@usps.com
To: donotemail@wearespammers.com
Date: 27 March 2012 12:06
Subject: USPS postage labels order confirmation.
Your USPS delivery
This link goes to malware via baumanmarketing.com (195.78.33.120, Croatia.. most likely a hacked legitimate site) the it goes to billdirect.jiffyinc.com (184.106.64.60, Slicehost UK) until it hits a malware page on 184.82.202.46 (HOSTNOC, US). Originating IP is 111.242.113.138 (HINET, Taiwan). A Wepawet report is available here.
---
From: Damon Mcneill USPS_Shipping_Services@usps.com
To: donotemail@wearespammers.com
Date: 27 March 2012 12:06
Subject: USPS postage labels order confirmation.
Acct #: 9869890 Dear client: This is an email confirmation for your order of 5 online shipping label(s) with postage. We will charge you the following amount: Transaction Number: #7887095 Print Date/Time: 03/13/2012 02:30 AM CST Postage Amount: $23.88 Credit Card Number: XXXX XXXX XXXX XXXX Priority Mail Regional Rate Box B # 1653 4367 1992 2294 3630 (Sequence Number 1 of 1) If you need further information, please log on to www.usps.com/clicknship and go to your Shipping History or visit our Frequently Asked Questions . Refunds for unused postage-paid labels can be requested online up to 14 days after the issue date by logging on to your Click-N-Ship Account. Thank you for choosing the United States Postal Service Click-N-Ship: The Online Shipping Solution Click-N-Ship has just made on line shipping with the USPS even better. New Enhanced International Label and Customs Form: Updated Look and Easy to Use! * * * * * * * * This is a post-only message |
Monday, 26 March 2012
Evil network: Komplit Plyus LLC / AS56697 (91.226.78.0/24)
I came across Komplit Plyus LLC / AS56697 (91.226.78.0/24) while having a look at this injection attack. At first glance it looked like everything in this /24 was dodgy. After taking a close look, I cannot find a single legitimate site in this range and would strongly recommend that you block it.
A full list of domains and MyWOT scores can be found here.Alternatively, I have highlighted some of the non-pharma sites below, which appear to contain malware sites, money mule sites and other nastiness.
adalbrechtmeier-gmbh.com
alvinconsultingjobs.com
alvinconsulting-jobs.com
autorizacia.ru
baxor-ertagi.com
beeline-mms.net
bee-mms.com
besthottestsites.com
bitrealestate.com
bitrealestate.net
canalcountryartisans.net
careersatalvinconsulting.com
dagoatrapist.com
ddc1000.com
deutschenoote.com
dnd-lawyers.com
dsgc.biz
ebay-sa.com
estsales.com
eucash.biz
fgthyj.com
freejoinsites4u.com
freesites4you.com
gbfhju.com
gertalt-gmbh.com
glich.ru
gomms.ru
goo-log.com
hjfghj.com
id2837627733333.ru
in-auth.com
jobsatalvinconsulting.com
jobs-at-alvinconsulting.com
johanauch-gmbh.com
jokeywagner-gmbh.com
julia-oliver-blog.com
kenlandoverseas.com
kontrolatelefonu.com
korbldalman-gmbh.com
langinform.ru
lost-pass.com
lufthansa-shipper.com
mailboxexchange.net
mdstoreonline.com
mmsmix.com
modelmilfs.com
mts-mms.com
myvideo-4.ru
net-mover.com
orgkomitet.net
proftrans.org
rnailgoogle.com
ru-cgi-bin.in
ru-log.in
skypeinto.com
smhaulage.com
soqqa-topish-kere.com
statmail.ru
stat-mail.ru
statsmy.com
stmyst.com
tg-group.com
thesoftforfree.ru
thesoftfree.ru
tk77.org
useac.net
vzlom-pochty.ru
wimbach-gmbh.com
win-auth.ru
yourpagestat.com
yourpagestats.com
zakaz-xak.com
A full list of domains and MyWOT scores can be found here.Alternatively, I have highlighted some of the non-pharma sites below, which appear to contain malware sites, money mule sites and other nastiness.
adalbrechtmeier-gmbh.com
alvinconsultingjobs.com
alvinconsulting-jobs.com
autorizacia.ru
baxor-ertagi.com
beeline-mms.net
bee-mms.com
besthottestsites.com
bitrealestate.com
bitrealestate.net
canalcountryartisans.net
careersatalvinconsulting.com
dagoatrapist.com
ddc1000.com
deutschenoote.com
dnd-lawyers.com
dsgc.biz
ebay-sa.com
estsales.com
eucash.biz
fgthyj.com
freejoinsites4u.com
freesites4you.com
gbfhju.com
gertalt-gmbh.com
glich.ru
gomms.ru
goo-log.com
hjfghj.com
id2837627733333.ru
in-auth.com
jobsatalvinconsulting.com
jobs-at-alvinconsulting.com
johanauch-gmbh.com
jokeywagner-gmbh.com
julia-oliver-blog.com
kenlandoverseas.com
kontrolatelefonu.com
korbldalman-gmbh.com
langinform.ru
lost-pass.com
lufthansa-shipper.com
mailboxexchange.net
mdstoreonline.com
mmsmix.com
modelmilfs.com
mts-mms.com
myvideo-4.ru
net-mover.com
orgkomitet.net
proftrans.org
rnailgoogle.com
ru-cgi-bin.in
ru-log.in
skypeinto.com
smhaulage.com
soqqa-topish-kere.com
statmail.ru
stat-mail.ru
statsmy.com
stmyst.com
tg-group.com
thesoftforfree.ru
thesoftfree.ru
tk77.org
useac.net
vzlom-pochty.ru
wimbach-gmbh.com
win-auth.ru
yourpagestat.com
yourpagestats.com
zakaz-xak.com
Labels:
Evil Network,
Russia
gbfhju.com/r.php injection attack in progress
I haven't seen much buzz about this injection attack yet, but several hundred thousand pages have been infected with an injection attack pointing to gbfhju.com/r.php.
According to this Google search there are 236,000 hits for the search string "gbfhju.com/r.php". The sites seem to be randomly distributed through the web, although I couldn't spot any infected UK or US Government or University sites.
The domain gbfhju.com is registered with a set of details that should be familiar to IT security researchers:
These details are connected to the LizaMoon gang. The site is hosted on 91.226.78.148 which is Komplit Plyus in Russia.91.226.78.0/24 is a real sewer of malware sites, money mule and phishing sites and fake pharma outlets and is well worth blocking.
The following domains are hosted on 91.226.78.148 and they can all be assumed to be dangerous:
fgthyj.com
gbfhju.com
hjfghj.com
statsmy.com
stmyst.com
yourpagestat.com
yourpagestats.com
These other domains are also being used in injection attacks (usually overlapping each other). Blocking the IP range will stop any other attacks coming from this hosting provider.
According to this Google search there are 236,000 hits for the search string "gbfhju.com/r.php". The sites seem to be randomly distributed through the web, although I couldn't spot any infected UK or US Government or University sites.
The domain gbfhju.com is registered with a set of details that should be familiar to IT security researchers:
Domain name: gbfhju.com Registrant Contact: JamesNorthone James Northone jamesnorthone@hotmailbox.com +1.5168222749 fax: +1.5168222749 128 Lynn Court Plainview NY 11803 us Administrative Contact: James Northone jamesnorthone@hotmailbox.com +1.5168222749 fax: +1.5168222749 128 Lynn Court Plainview NY 11803 us Technical Contact: James Northone jamesnorthone@hotmailbox.com +1.5168222749 fax: +1.5168222749 128 Lynn Court Plainview NY 11803 us Billing Contact: James Northone jamesnorthone@hotmailbox.com +1.5168222749 fax: +1.5168222749 128 Lynn Court Plainview NY 11803 us DNS: ns1.dnsexit.com ns2.dnsexit.com ns3.dnsexit.com ns4.dnsexit.com Created: 2012-03-17 Expires: 2013-03-17
These details are connected to the LizaMoon gang. The site is hosted on 91.226.78.148 which is Komplit Plyus in Russia.91.226.78.0/24 is a real sewer of malware sites, money mule and phishing sites and fake pharma outlets and is well worth blocking.
The following domains are hosted on 91.226.78.148 and they can all be assumed to be dangerous:
fgthyj.com
gbfhju.com
hjfghj.com
statsmy.com
stmyst.com
yourpagestat.com
yourpagestats.com
These other domains are also being used in injection attacks (usually overlapping each other). Blocking the IP range will stop any other attacks coming from this hosting provider.
Labels:
Injection Attacks,
LizaMoon,
Russia
Friday, 23 March 2012
"USPS postage labels invoice" spam / indigocellular.com and jadecellular.com
This fake USPS message leads to malware on indigocellular.com:
The malicious payload is on indigocellular.com/showthread.php?t=73a07bcb51f4be71 hosted on 209.59.218.102 (Endurance International, US). Blocking the IP will prevent other malware on the IP from being a threat.
Update: another current version of this spam redirects to jadecellular.com/showthread.php?t=73a07bcb51f4be71 on 72.249.104.75 (Networld Internet, US)
From: Elmer Cross USPS_Shipping_Info@usps.com
Date: 23 March 2012 13:42
Subject: USPS postage labels invoice.
Acct #: 5047483
Dear client:
This is an email confirmation for your order of 1 online shipping label(s) with postage. Your credit card will be charged the following amount:
Transaction ID: #1412337
Print Date/Time: 03/11/2012 02:30 AM CST
Postage Amount: $35.74
Credit Card Number: XXXX XXXX XXXX XXXX
Priority Mail Regional Rate Box B # 0583 1282 5071 3122 8696 (Sequence Number 1 of 1)
If you need further assistance, please log on to www.usps.com/clicknship and go to your Shipping History or visit our Frequently Asked Questions .
Refunds for unused postage-paid labels can be requested online up to 7 days after the print date by logging on to your Click-N-Ship Account.
Thank you for choosing the United States Postal Service
Click-N-Ship: The Online Shipping Solution
Click-N-Ship has just made on line shipping with the USPS even better.
New Enhanced International Label and Customs Form: Updated Look and Easy to Use!
* * * * * * * *
This is an automatically generated message. Please do not respond
The malicious payload is on indigocellular.com/showthread.php?t=73a07bcb51f4be71 hosted on 209.59.218.102 (Endurance International, US). Blocking the IP will prevent other malware on the IP from being a threat.
Update: another current version of this spam redirects to jadecellular.com/showthread.php?t=73a07bcb51f4be71 on 72.249.104.75 (Networld Internet, US)
Thursday, 22 March 2012
LinkedIn Spam / cyancellular.com and browncellular.com
Another load of LinkedIn Spam is doing the rounds, this time the payload is at cyancellular.com/showthread.php?t=73a07bcb51f4be71 hosted on 209.59.217.78 (Endurance International, US) and also browncellular.com/showthread.php?t=d7ad916d1c0396ff hosted on 174.140.168.207 (Directspace, US)
Be on the lookout for other domains of a similar pattern, if you known of more then please consider adding a comment.. thanks!
Update: indigocellular.com is also part of this same pattern.
Be on the lookout for other domains of a similar pattern, if you known of more then please consider adding a comment.. thanks!
Update: indigocellular.com is also part of this same pattern.
LinkedIn Spam / bluecellular.com
The second LinkedIn spam of the day is underway, which is almost exactly identical to this one. In this case, the malicious payload is on bluecellular.com/showthread.php?t=73a07bcb51f4be71 hosted on 96.126.122.240 (Linode, US)
"LinkedIn Invitation from your co-worker" spam / slickcurve.com and bluecellular.com
Another malicious fake email from LinkedIn leading to malware hosted on slickcurve.com.
The malware payload is on slickcurve.com/showthread.php?t=73a07bcb51f4be71 (report here) hosted on 173.255.195.167 (Linode, US). Blocking that IP address will block any other malicious sites on the same server.
Date: Thu, 22 Mar 2012 13:35:48 +0200
From: "Dominique Benitez" [peripherals698@linkedin.com]
Subject: LinkedIn Invitation from your co-worker
REMINDERS
Invitation reminders:
? From Timothy Vega (Your classmate)
PENDING MESSAGES
? There are a total of 1 messages awaiting your response. Visit your InBox now.
Don't want to receive email notifications? Adjust your message settings.
LinkedIn values your privacy. At no time has LinkedIn made your email address available to any other LinkedIn user without your permission. � 2010, LinkedIn Corporation.
The malware payload is on slickcurve.com/showthread.php?t=73a07bcb51f4be71 (report here) hosted on 173.255.195.167 (Linode, US). Blocking that IP address will block any other malicious sites on the same server.
Wednesday, 21 March 2012
"LinkedIn Invitation from your colleague" spam / closteage.com
A fake LinkedIn spam leading to malware hosted at closteage.com:
Date: Wed, 21 Mar 2012 16:24:04 +0200The payload is at closteage.com/showthread.php?t=73a07bcb51f4be71 (report here) hosted on 209.59.217.101 (Endurance International, US). Blocking that IP will block any other malicious sites on the same server.
From: "Stacy Goss"
Subject: LinkedIn Invitation from your colleague
REMINDERS
Invitation notifications:
? From Kadeem Ruiz (Your Colleague)
PENDING MESSAGES
? There are a total of 3 messages awaiting your response. Visit your InBox now.
Don't want to receive email notifications? Adjust your message settings.
LinkedIn values your privacy. At no time has LinkedIn made your email address available to any other LinkedIn user without your permission. Å 2010, LinkedIn Corporation.
Tuesday, 20 March 2012
Mid Bedfordshire Constituency and Nadine Dorries - time to go
I don't often get to write about politics on this blog, and I know that most of my readers won't really care.. so scroll on :)
There are proposals to abolish the UK parliamentary constituency of mid-Bedfordshire (where I live). The current MP is Nadine Dorries who is fighting a desperate rearguard action to try to get the proposals overturned. However, not everybody supports Ms Dorries and her campaign, and it seems to me that the proposals (outlined here) are a very good thing and should be supported.
The deadline for submissions is 30th March, the email address to send them to is reviews -at- bcommengland.x.gsi.gov.uk - obviously you can send what you like, but this is what I have sent:
Dear Chairman,
I am writing to support the dissolution of the Mid Bedfordshire parliamentary constituency for the following reasons:
1) The current constituency does not represent a cohesive entity. It is merely a rural "filler" between the urban areas to the north and south.
2) The proposed boundaries reflect closely "Travel to Work Areas" and takes into account that the north of the county is more closely affiliated with Bedford, and the south of the county with Luton and Dunstable.
Although there are obviously some compromises in the way the proposed boundaries have been drawn up, it is my belief that the proposals have been made with some care and understanding of the demographics of the area. In my view the proposed arrangements will be much better for the residents of the current Mid Bedfordshire parliamentary constituency, and that the constituency should be abolished and new boundaries should be established based on those proposed.
There are proposals to abolish the UK parliamentary constituency of mid-Bedfordshire (where I live). The current MP is Nadine Dorries who is fighting a desperate rearguard action to try to get the proposals overturned. However, not everybody supports Ms Dorries and her campaign, and it seems to me that the proposals (outlined here) are a very good thing and should be supported.
The deadline for submissions is 30th March, the email address to send them to is reviews -at- bcommengland.x.gsi.gov.uk - obviously you can send what you like, but this is what I have sent:
Dear Chairman,
I am writing to support the dissolution of the Mid Bedfordshire parliamentary constituency for the following reasons:
1) The current constituency does not represent a cohesive entity. It is merely a rural "filler" between the urban areas to the north and south.
2) The proposed boundaries reflect closely "Travel to Work Areas" and takes into account that the north of the county is more closely affiliated with Bedford, and the south of the county with Luton and Dunstable.
Although there are obviously some compromises in the way the proposed boundaries have been drawn up, it is my belief that the proposals have been made with some care and understanding of the demographics of the area. In my view the proposed arrangements will be much better for the residents of the current Mid Bedfordshire parliamentary constituency, and that the constituency should be abolished and new boundaries should be established based on those proposed.
Labels:
Bedfordshire,
Nadine Dorries,
Politics
Monday, 19 March 2012
"Fwd: Your Flight N 76-124339" spam / dnvfodooshdkfhha.ru
Date: Tue, 20 Mar 2012 11:56:41 +0900
From: "DEDE Rainey"
Subject: Re: Fwd: Your Flight N 76-124339
Attachments: FLIGHT_TICKET_N-A7401085.htm
Dear Customer,
FLIGHT NUMBER 162-717
DATE/TIME : MARCH 28, 2011, 14:13 PM
ARRIVING AIRPORT: NEW-YORK AIRPORT
PRICE : 906.20 USD
Your bought ticket is attached to the letter as a scan document (Internet Exlporer File).
To use your ticket you should print it.
DEDE Rainey,
The attachment tries to redirect the victim to a malware site on dnvfodooshdkfhha.ru:8080/images/aublbzdni.php (report here) and as with most of the .ru:8080 attacks we see, this one is multihomed:
62.85.27.129 (Microlink Latvia Ltd, Latvia)
78.83.233.242 (Spectrum, Bulgaria)
83.238.208.55 (Netia, Poland)
125.19.103.198 (Bharti Infotel, India)
173.203.51.174 (Slicehost, US)
200.169.13.84 (Century Telecom Ltda, Brazil)
202.149.85.37 (Satata Net, Indonesia)
209.114.47.158 (Slicehost, US)
210.56.23.100 (Commission for Science and Technology, Pakistan)
210.56.24.226 (Commission for Science and Technology, Pakistan)
210.109.108.210 (Sejong Telecom, Korea)
211.44.250.173 (SK Broadband Co Ltd, Korea)
219.94.194.138 (Sakura Internet Inc, Japan)
Plain list for copy and pasting:
62.85.27.129
78.83.233.242
83.238.208.55
125.19.103.198
173.203.51.174
200.169.13.84
202.149.85.37
209.114.47.158
210.56.23.100
210.56.24.226
210.109.108.210
211.44.250.173
219.94.194.138
Friday, 16 March 2012
"Scan from a Hewlett-Packard ScanJet " spam / debiudlasduisioa.ru
Another fake "HP scan" document with a malicious attachment.
The payload is on debiudlasduisioa.ru:8080/images/aublbzdni.php - the IPs are the same as in this spam run and should be blocked if you can do it.
Date: Fri, 16 Mar 2012 10:49:18 -0300
From: scan@victimdomain.com
Subject: Fwd: Scan from a Hewlett-Packard ScanJet 684248
Attachments: HP_Document-16-539.htm
Attached document was scanned and sent
to you using a Hewlett-Packard Scan Jet 57968D.
SENT BY: KAM
PAGES : 4
FILETYPE: .HTML [Internet Explorer File]
The payload is on debiudlasduisioa.ru:8080/images/aublbzdni.php - the IPs are the same as in this spam run and should be blocked if you can do it.
Labels:
Malware,
Printer Spam,
RU:8080,
Spam,
Viruses
Intuit.com spam / 173.224.71.132
Yet another round of malicious fake Intuit.com spam is doing the rounds:
In this case the link in the email goes through a legitimate hacked site and ends up at 173.224.71.132:8080/showthread.php?t=73a07bcb51f4be71 (Colo5, US). There's a Wepawet report here. Blocking that IP would stop any further malicious sites on the server from being a problem.
Date: Fri, 16 Mar 2012 11:15:29 -0300
From: "INTUIT INC."
Subject: Your Intuit.com order confirmation.
Dear Client:
Thank you for ordering from Intuit Market. We are working on and will send you an e-mail when your order is processed. If you ordered multiple items, we may deliver them in more than one delivery (at no extra cost to you) to provide faster processing time.
If you have questions about your order, please call 1-800-955-8890.
ORDER INFORMATION
Please download your complete order
id #078419178757 information at Intuit small business website.
NEED HELP?
Email us at mktplace_customerservice@intuit.com.
Call us at 1-800-955-8890.
Reorder Intuit Checks Quickly and Easily starting with
the information from your previous order.
To help us better serve your needs, please take
a few minutes to let us know how we are doing.
Submit your feedback here.
Thanks again for your order,
Intuit Market Customer Service
Privacy , Legal , Contact Us , About Us
You have received this business communication as part of our efforts to fulfill your request or service
your account. You may receive this and other business communications from us even if you have opted
out of marketing messages.
Please note: This e-mail was sent from an auto-notification system that cannot accept incoming email
Please do not reply to this message.
If you receive an email message that appears to come from Intuit but that you suspect is a phishing
e-mail, please forward it immediately to spoof@intuit.com. Please visit http://security.intuit.com/ for
additional security information.
�2011 Intuit, Inc. All rights reserved. Intuit, the Intuit Logo, Quickbooks, Quicken and TurboTax,
among others, are registered trademarks of Intuit Inc.
In this case the link in the email goes through a legitimate hacked site and ends up at 173.224.71.132:8080/showthread.php?t=73a07bcb51f4be71 (Colo5, US). There's a Wepawet report here. Blocking that IP would stop any further malicious sites on the server from being a problem.
"Traffic ticket N250997376 " spam / dkjhfkjsjadsjjfj.ru
Date: Fri, 16 Mar 2012 -06:13:46 -0800This is multihomed on exactly the same IPs as this other attack. Blocking those IPs would be prudent.
From: UPS Account Services
Subject: Traffic ticket N250997376
Attachments: TRAFFIC_TICKET_N75412.htm
This notification is from the Conestoga department, your car has been pictured while crossing on the red light. We're testing the automatical identification system and the system of issuing fines, so please have a look at the picture in attachment and confirm whether this car is yours or no.
fff
Thursday, 15 March 2012
"Scan from a Hewlett-Packard ScanJet " malware / dsakhfgkallsjfd.ru
Another malicious spam campaign, this time with an attachment leading to a malware payload at dsakhfgkallsjfd.ru:8080/images/aublbzdni.php
There's further malicious code at dsakhfgkallsjfd.ru:8080/images/xlhwhrfvfsxubl.php (report here) - the dsakhfgkallsjfd.ru domain is multihomed on the following IP addresses:
62.85.27.129 (Microlink Latvia Ltd, Latvia)
78.83.233.242 (Spectrum, Bulgaria)
78.107.82.98 (Vimpelcom, Russia)
83.238.208.55 (Netia, Poland)
89.218.55.51 (Kazakhtelecom, Kazakhstan)
95.156.232.102 (Optimate-Server, Germany)
111.93.161.226 (Tata Teleservices, India)
118.97.9.60 (Telekomunikasi, Indonesia)
125.19.103.198 (Bharti Infotel, India)
173.203.51.174 (Slicehost, US)
173.203.211.157 (Slicehost, US)
190.81.107.70 (Telmex, Peru)
194.85.97.121 (State Technical University of Saint-Petersburg, Russia)
200.169.13.84 (Century Telecom Ltda, Brazil)
202.149.85.37 (Satata Net, Indonesia)
209.114.47.158 (Slicehost, US)
210.56.23.100 (Commission for Science and Technology, Pakistan)
210.56.24.226 (Commission for Science and Technology, Pakistan)
210.109.108.210 (Sejong Telecom, Korea)
211.44.250.173 (SK Broadband Co Ltd, Korea)
219.94.194.138 (Sakura Internet Inc, Japan)
Plain list for copy-and-pasting:
62.85.27.129
78.83.233.242
78.107.82.98
83.238.208.55
89.218.55.51
95.156.232.102
111.93.161.226
118.97.9.60
125.19.103.198
173.203.51.174
173.203.211.157
190.81.107.70
194.85.97.121
200.169.13.84
202.149.85.37
209.114.47.158
210.56.23.100
210.56.24.226
210.109.108.210
211.44.250.173
219.94.194.138
Date: Thu, 15 Mar 2012 -01:08:49 -0800
From: scanner@victimdomain.com
Subject: Re: Fwd: Scan from a Hewlett-Packard ScanJet 92186094
Attachments: HP_Document-15-905.htm
Attached document was scanned and sent
to you using a Hewlett-Packard ScanJet 56348K.
SENT BY: LAKITA
PAGES : 2
FILETYPE: .HTML [Internet Explorer File]
There's further malicious code at dsakhfgkallsjfd.ru:8080/images/xlhwhrfvfsxubl.php (report here) - the dsakhfgkallsjfd.ru domain is multihomed on the following IP addresses:
62.85.27.129 (Microlink Latvia Ltd, Latvia)
78.83.233.242 (Spectrum, Bulgaria)
78.107.82.98 (Vimpelcom, Russia)
83.238.208.55 (Netia, Poland)
89.218.55.51 (Kazakhtelecom, Kazakhstan)
95.156.232.102 (Optimate-Server, Germany)
111.93.161.226 (Tata Teleservices, India)
118.97.9.60 (Telekomunikasi, Indonesia)
125.19.103.198 (Bharti Infotel, India)
173.203.51.174 (Slicehost, US)
173.203.211.157 (Slicehost, US)
190.81.107.70 (Telmex, Peru)
194.85.97.121 (State Technical University of Saint-Petersburg, Russia)
200.169.13.84 (Century Telecom Ltda, Brazil)
202.149.85.37 (Satata Net, Indonesia)
209.114.47.158 (Slicehost, US)
210.56.23.100 (Commission for Science and Technology, Pakistan)
210.56.24.226 (Commission for Science and Technology, Pakistan)
210.109.108.210 (Sejong Telecom, Korea)
211.44.250.173 (SK Broadband Co Ltd, Korea)
219.94.194.138 (Sakura Internet Inc, Japan)
Plain list for copy-and-pasting:
62.85.27.129
78.83.233.242
78.107.82.98
83.238.208.55
89.218.55.51
95.156.232.102
111.93.161.226
118.97.9.60
125.19.103.198
173.203.51.174
173.203.211.157
190.81.107.70
194.85.97.121
200.169.13.84
202.149.85.37
209.114.47.158
210.56.23.100
210.56.24.226
210.109.108.210
211.44.250.173
219.94.194.138
goo.gl/FP84h link leads to malware
Another malware campaign using the goo.gl redirector leading to a malicious payload, this time on 66.151.138.87.
The goo.gl redirector goes to shfd19za.roversmolina.ru (multihomed, see below) and then ends up on a malicious page at 66.151.138.87/showthread.php?t=72d268be707a5fb7 (Nuclear Fallout Enterprises, US again).
The intermediate site is multihomed on what looks like a botnet:
1.170.145.188 (HINET, Tawian)
37.99.3.131 (2day Telecom, Kazakhstan)
46.158.89.63 (Rostelecom, Russia)
46.166.89.234 (Sibtranstelecom, Russia)
59.161.112.144 (Tata Communications, India)
61.90.53.87 (True Internet, Thailand)
94.41.81.55 (Ufanet, Russia)
95.28.225.180 (Vimpelcom, Russia)
95.57.1.107 (Kazakhtelecom, Kazakhstan)
95.58.88.151 (Kazakhtelecom, Kazakhstan)
95.58.106.240 (Kazakhtelecom, Kazakhstan)
95.176.193.129 (Telekom Slovenije, Slovenia)
109.194.43.62 (ER-Telecom Holding, Russia)
112.110.219.218 (Pune Mobile Subscriber, India)
114.43.145.75 (HINET, Taiwan)
117.195.168.49 (BSNL Internet, India)
122.179.171.126 (Airtel, India)
123.17.240.127 (VNPT, Vietnam)
123.18.190.230 (VNPT, Vietnam)
178.46.12.159 (Rostelecom, Russia)
Plain list for copy-and-pasting:
1.170.145.188
37.99.3.131
46.158.89.63
46.166.89.234
59.161.112.144
61.90.53.87
94.41.81.55
95.28.225.180
95.57.1.107
95.58.88.151
95.58.106.240
95.176.193.129
109.194.43.62
112.110.219.218
114.43.145.75
117.195.168.49
122.179.171.126
123.17.240.127
123.18.190.230
178.46.12.159
66.151.138.87
From: OP 25939760 Y tuelkv60@yahoo.com
To: ptofomen@elpuertosm.net
Date: 15 March 2012 08:35
Subject: LinkedIn Corporation account on Hold Ref78087257
Signed by: yahoo.com
CaseȌ99-4582982-70209467-8-373
< !--PZ 62188868 V
http://goo.gl/FP84h
XR 28309138 C
The goo.gl redirector goes to shfd19za.roversmolina.ru (multihomed, see below) and then ends up on a malicious page at 66.151.138.87/showthread.php?t=72d268be707a5fb7 (Nuclear Fallout Enterprises, US again).
The intermediate site is multihomed on what looks like a botnet:
1.170.145.188 (HINET, Tawian)
37.99.3.131 (2day Telecom, Kazakhstan)
46.158.89.63 (Rostelecom, Russia)
46.166.89.234 (Sibtranstelecom, Russia)
59.161.112.144 (Tata Communications, India)
61.90.53.87 (True Internet, Thailand)
94.41.81.55 (Ufanet, Russia)
95.28.225.180 (Vimpelcom, Russia)
95.57.1.107 (Kazakhtelecom, Kazakhstan)
95.58.88.151 (Kazakhtelecom, Kazakhstan)
95.58.106.240 (Kazakhtelecom, Kazakhstan)
95.176.193.129 (Telekom Slovenije, Slovenia)
109.194.43.62 (ER-Telecom Holding, Russia)
112.110.219.218 (Pune Mobile Subscriber, India)
114.43.145.75 (HINET, Taiwan)
117.195.168.49 (BSNL Internet, India)
122.179.171.126 (Airtel, India)
123.17.240.127 (VNPT, Vietnam)
123.18.190.230 (VNPT, Vietnam)
178.46.12.159 (Rostelecom, Russia)
Plain list for copy-and-pasting:
1.170.145.188
37.99.3.131
46.158.89.63
46.166.89.234
59.161.112.144
61.90.53.87
94.41.81.55
95.28.225.180
95.57.1.107
95.58.88.151
95.58.106.240
95.176.193.129
109.194.43.62
112.110.219.218
114.43.145.75
117.195.168.49
122.179.171.126
123.17.240.127
123.18.190.230
178.46.12.159
66.151.138.87
Labels:
LinkedIn,
Malware,
Nuclear Fallout Enterprises,
Spam,
Viruses
Wednesday, 14 March 2012
INTUIT / IRS malicious spam and georgekinsman.net
There are two parallel spam campaigns running right not, one in the "Intuit.com invoice" form, one in the "IRS Tax Appeal form".
Both spams lead to a malicious page at georgekinsman.net/main.php?page=c9a5e6d306c55c68 (report here) hosted on the very familiar IP address of 41.64.21.71. Block it if you haven't already.
Both spams lead to a malicious page at georgekinsman.net/main.php?page=c9a5e6d306c55c68 (report here) hosted on the very familiar IP address of 41.64.21.71. Block it if you haven't already.
"Scan from a Hewlett-Packard ScanJet" malware / doosdkdkjsjdfo.ru
This old attack again, a malicious email with an attachment leading to doosdkdkjsjdfo.ru
The malware is on doosdkdkjsjdfo.ru:8080/images/aublbzdni.php, which is multihomed on a subset of the IPs in this other recent attack. A Wepawet report can be found here.
62.85.27.129 (Microlink Latvia Ltd, Latvia)
89.218.55.51 (Kazakhtelecom, Kazakhstan)
95.156.232.102 (Optimate-Server, Germany)
111.93.161.226 (Tata Teleservices, India)
118.97.9.60 (Telekomunikasi, Indonesia)
125.19.103.198 (Bharti Infotel, India)
190.81.107.70 (Telmex, Peru)
200.169.13.84 (Century Telecom Ltda, Brazil)
210.56.23.100 (Commission for Science and Technology, Pakistan)
210.109.108.210 (Sejong Telecom, Korea)
211.44.250.173 (SK Broadband Co Ltd, Korea)
219.94.194.138 (Sakura Internet Inc, Japan)
Plain list for copy-and-pasting:
62.85.27.129
89.218.55.51
95.156.232.102
111.93.161.226
118.97.9.60
125.19.103.198
190.81.107.70
200.169.13.84
210.56.23.100
210.109.108.210
211.44.250.173
219.94.194.138
Date: Wed, 14 Mar 2012 12:31:50 +0530
From: officejet@victimdomain.com
Subject: Re: Fwd: Scan from a Hewlett-Packard ScanJet 297552
Attachments: HP_Scanjet-14-626146.htm
Attached document was scanned and sent
to you using a Hewlett-Packard ScanJet 93988PP.
SENT BY: Teagan
PAGES : 2
FILETYPE: .HTML [Internet Explorer File]
The malware is on doosdkdkjsjdfo.ru:8080/images/aublbzdni.php, which is multihomed on a subset of the IPs in this other recent attack. A Wepawet report can be found here.
62.85.27.129 (Microlink Latvia Ltd, Latvia)
89.218.55.51 (Kazakhtelecom, Kazakhstan)
95.156.232.102 (Optimate-Server, Germany)
111.93.161.226 (Tata Teleservices, India)
118.97.9.60 (Telekomunikasi, Indonesia)
125.19.103.198 (Bharti Infotel, India)
190.81.107.70 (Telmex, Peru)
200.169.13.84 (Century Telecom Ltda, Brazil)
210.56.23.100 (Commission for Science and Technology, Pakistan)
210.109.108.210 (Sejong Telecom, Korea)
211.44.250.173 (SK Broadband Co Ltd, Korea)
219.94.194.138 (Sakura Internet Inc, Japan)
Plain list for copy-and-pasting:
62.85.27.129
89.218.55.51
95.156.232.102
111.93.161.226
118.97.9.60
125.19.103.198
190.81.107.70
200.169.13.84
210.56.23.100
210.109.108.210
211.44.250.173
219.94.194.138
Labels:
Malware,
Printer Spam,
RU:8080,
Spam,
Viruses
nu.nl compromised with svitart.in attack
Popular Netherlands news site nu.nl (Global rank 544, NL rank 4 according to Alexa) has been compromised in an injection attack of some sort, leading to an exploit kit hosted on svitart.in.
More here (in Nederlands or Google Translated).
More here (in Nederlands or Google Translated).
Labels:
Injection Attacks
goo.gl/NEQlS link leads to malware
Another case of the goo.gl redirector being used for evil:
goo.gl/NEQlS leads to m6ttp.burdencrigyll.ru (multihomed, see below) and then to a malicious payload site at 64.150.166.50/showthread.php?t=72d268be707a5fb7 (iPower, US). This URL contains an exploit kit.
The intermediate step is hosted on several servers:
31.40.240.89 (Ukrainian American Joint Venture, Ukraine)
31.45.144.128 (VIPnet, Croatia)
46.146.101.194 (ER-Telecom Holding, Russia)
46.173.172.249 (Galitski Telekommunications, Ukraine)
49.0.153.231 (Yokozunanet, Mongolia)
59.93.196.162 (BSNL Internet, India)
59.103.211.151 (Pakistan Telecommunication Company Limited, Pakistan)
59.161.115.17 (TATA Communications, India)
61.227.168.35 (HINET, Taiwan)
77.34.225.103 (Rostelecom, Russia)
91.82.23.56 (Invitel, Hungary)
95.57.154.111 (Kazakhtelecom, Kazakhstan)
95.57.188.134 (Kazakhtelecom, Kazakhstan)
95.188.155.101 (Rostelecom, Russia)
95.234.146.196 (Alice, Italy)
109.191.44.122 (Intersvyaz-2, Russia)
114.163.159.142 (Open Computer Network, Japan)
115.242.148.93 (Reliance Communication, India)
122.175.149.136 (Bharti Airtel, India)
178.91.60.141 (Kazakhtelecom, Kazakhstan)
This is a plain list for copy-and-pasting:
31.40.240.89
31.45.144.128
46.146.101.194
46.173.172.249
49.0.153.231
59.93.196.162
59.103.211.151
59.161.115.17
61.227.168.35
77.34.225.103
91.82.23.56
95.57.154.111
95.57.188.134
95.188.155.101
95.234.146.196
109.191.44.122
114.163.159.142
115.242.148.93
122.175.149.136
178.91.60.141
64.150.166.50
From: Dilip Lalita dklalita1977@yahoo.com
Date: 14 March 2012 09:38
Subject: Changes in FDIC policy #22666447
Signed by: yahoo.com
Id 36-4866333-96425034-8-662
< !--KG 19021150 K
http://goo.gl/NEQlS
HF 22555007 Z
goo.gl/NEQlS leads to m6ttp.burdencrigyll.ru (multihomed, see below) and then to a malicious payload site at 64.150.166.50/showthread.php?t=72d268be707a5fb7 (iPower, US). This URL contains an exploit kit.
The intermediate step is hosted on several servers:
31.40.240.89 (Ukrainian American Joint Venture, Ukraine)
31.45.144.128 (VIPnet, Croatia)
46.146.101.194 (ER-Telecom Holding, Russia)
46.173.172.249 (Galitski Telekommunications, Ukraine)
49.0.153.231 (Yokozunanet, Mongolia)
59.93.196.162 (BSNL Internet, India)
59.103.211.151 (Pakistan Telecommunication Company Limited, Pakistan)
59.161.115.17 (TATA Communications, India)
61.227.168.35 (HINET, Taiwan)
77.34.225.103 (Rostelecom, Russia)
91.82.23.56 (Invitel, Hungary)
95.57.154.111 (Kazakhtelecom, Kazakhstan)
95.57.188.134 (Kazakhtelecom, Kazakhstan)
95.188.155.101 (Rostelecom, Russia)
95.234.146.196 (Alice, Italy)
109.191.44.122 (Intersvyaz-2, Russia)
114.163.159.142 (Open Computer Network, Japan)
115.242.148.93 (Reliance Communication, India)
122.175.149.136 (Bharti Airtel, India)
178.91.60.141 (Kazakhtelecom, Kazakhstan)
This is a plain list for copy-and-pasting:
31.40.240.89
31.45.144.128
46.146.101.194
46.173.172.249
49.0.153.231
59.93.196.162
59.103.211.151
59.161.115.17
61.227.168.35
77.34.225.103
91.82.23.56
95.57.154.111
95.57.188.134
95.188.155.101
95.234.146.196
109.191.44.122
114.163.159.142
115.242.148.93
122.175.149.136
178.91.60.141
64.150.166.50
Tuesday, 13 March 2012
MS12-020: this is not good
MS12-020.. what can I say except that this is NOT GOOD. If you're running RDP on your clients or servers then this is something you need to patch RIGHT NOW..
Update: the folks at the ISC think so too. This is wormable and apparently not difficult to exploit, assuming it is switched on. So, you either need to patch or disable it.. or a combination of both.
Update 2: a visitor left a note to say they were working on a vulnerability scanner at rdpcheck.com . It's not ready yet, but there's a signup form on the page for more information.
Update 3: Allegedly, there is PoC code available for this on Pastebin, although this has not been independently confirmed.
Update 4: The ISC have changed the INFOCON status to yellow because of the perceived high risk.
Update 5: There is now an nmap script available to scan for vulnerable machines here.
Update: the folks at the ISC think so too. This is wormable and apparently not difficult to exploit, assuming it is switched on. So, you either need to patch or disable it.. or a combination of both.
Update 2: a visitor left a note to say they were working on a vulnerability scanner at rdpcheck.com . It's not ready yet, but there's a signup form on the page for more information.
Update 3: Allegedly, there is PoC code available for this on Pastebin, although this has not been independently confirmed.
Update 4: The ISC have changed the INFOCON status to yellow because of the perceived high risk.
Update 5: There is now an nmap script available to scan for vulnerable machines here.
BBB Spam / mynourigen.net
More BBB spam leading to malware, this time at mynourigen.net. For example:
The malicious payload is on mynourigen.net/main.php?page=dc6f9d2a120107b9 and mynourigen.net/content/ap2.php?f=fa88c - it's the usual mixed bag of exploits.
mynourigen.net is apparently hosted on 41.64.21.71 in Egypt (seen many times before). The following domains are also associated with the same IP and can be considered to be malicious.
abc-spain.net
bonus100get.com
excellentworkchoise.com
foryouhomework.com
freac.net
get100bonus.com
getbonus100.com
icemed.net
likethisjob.com
perfectbusinesschance.net
sony-zeus.net
stafffire.net
synergyledlighting.net
systemtestnow.com
themeparkoupons.net
workatyourhomenow.com
yourbeautifulchance.com
yourbeautifullife.net
yourlifechance.net
yourpersonaldefence.com
Date: Tue, 13 Mar 2012 20:39:07 +0700
From: "BBB"
Subject: Important! BBB complaint activity report
Attachments: betterbb_logo.jpg
Attn: Owner/Manager
Here with the Better Business Bureau would like to inform you that we have been filed a complaint (ID 92163107) from one of your customers related to their dealership with you.
Please open the COMPLAINT REPORT below to obtain the details on this question and let us know of your opinion as soon as possible.
We hope to hear from you very soon.
Sincerely,
Rebecca Wilcox
Dispute Counselor
Better Business Bureau
Council of Better Business Bureaus
4200 Wilson Blvd, Suite 800
Arlington, VA 22203-1838
Phone: 1 (703) 276.0100
Fax: 1 (703) 525.8277
==========
Date: Tue, 13 Mar 2012 14:42:30 +0100
From: "Better Business Bureau"
Subject: Your customer complained to BBB
Attachments: betterbb_logo.jpg
Good afternoon,
Here with the Better Business Bureau informs you that we have been sent a complaint (ID 31347804) from one of your customers with respect to their dealership with you.
Please open the COMPLAINT REPORT below to obtain more information on this issue and let us know of your position as soon as possible.
We hope to hear from you very soon.
Sincerely,
Carlos Baxter
Dispute Counselor
Better Business Bureau
Council of Better Business Bureaus
4200 Wilson Blvd, Suite 800
Arlington, VA 22203-1838
Phone: 1 (703) 276.0100
Fax: 1 (703) 525.8277
==========
Date: Tue, 13 Mar 2012 14:53:11 +0100
From: "BBB"
Subject: BBB important information
Attachments: betterbb_logo.jpg
Good afternoon,
Here with the Better Business Bureau informs you that we have been sent a complaint (ID 11043517) from your customer in regard to their dealership with you.
Please open the COMPLAINT REPORT below to find the details on this case and let us know of your point of view as soon as possible.
We are looking forward to hearing from you.
Faithfully,
Fernando Grodhaus
Dispute Counselor
Better Business Bureau
Council of Better Business Bureaus
4200 Wilson Blvd, Suite 800
Arlington, VA 22203-1838
Phone: 1 (703) 276.0100
Fax: 1 (703) 525.8277
==========
Date: Tue, 13 Mar 2012 14:30:45 +0100
From: "BBB"
Subject: BBB processing RE: Case ID 06216966
Attachments: betterbb_logo.jpg
Good afternoon,
Here with the Better Business Bureau informs you that we have been sent a complaint (ID 06216966) from a customer of yours in regard to their dealership with you.
Please open the COMPLAINT REPORT below to view more information on this case and suggest us about your position as soon as possible.
We hope to hear from you very soon.
Kind regards,
Carlos Baxter
Dispute Counselor
Better Business Bureau
Council of Better Business Bureaus
4200 Wilson Blvd, Suite 800
Arlington, VA 22203-1838
Phone: 1 (703) 276.0100
Fax: 1 (703) 525.8277
==========
The malicious payload is on mynourigen.net/main.php?page=dc6f9d2a120107b9 and mynourigen.net/content/ap2.php?f=fa88c - it's the usual mixed bag of exploits.
mynourigen.net is apparently hosted on 41.64.21.71 in Egypt (seen many times before). The following domains are also associated with the same IP and can be considered to be malicious.
abc-spain.net
bonus100get.com
excellentworkchoise.com
foryouhomework.com
freac.net
get100bonus.com
getbonus100.com
icemed.net
likethisjob.com
perfectbusinesschance.net
sony-zeus.net
stafffire.net
synergyledlighting.net
systemtestnow.com
themeparkoupons.net
workatyourhomenow.com
yourbeautifulchance.com
yourbeautifullife.net
yourlifechance.net
yourpersonaldefence.com
"I'm in trouble! " spam / ckjsfhlasla.ru
Another recycled spam campaign leading to malware:
The malicious web page is at ckjsfhlasla.ru:8080/images/aublbzdni.php which is hosted on exactly the same IP addresses as this spam run yesterday. Blocking these IPs would be prudent.
Date: Tue, 13 Mar 2012 01:52:30 +0700
From: "Greyson Montoya"
Subject: I'm in trouble!
Attachments: Image_DIG33080106.htm
I was at a party yesterday, got drunk, couldn't drive the car, somebody gave me a lift on my car, and crossed on the red light!
I've just got the pictures, maybe you know him???
I have attached the photo to the mail (Open with Internet Explorer).
I need to find him urgently!
Thank you
Niju
The malicious web page is at ckjsfhlasla.ru:8080/images/aublbzdni.php which is hosted on exactly the same IP addresses as this spam run yesterday. Blocking these IPs would be prudent.
Monday, 12 March 2012
"Scan from a Xerox W. Pro" spam / cjjasjjikooppfkja.ru
A fairly familiar spam with a malicious attachment:
62.85.27.129 (Microlink Latvia Ltd, Latvia)
83.238.208.55 (Netia SA, Poland)
89.218.55.51 (Kazakhtelecom, Kazakhstan)
95.156.232.102 (Optimate-Server, Germany)
111.93.161.226 (Tata Teleservices, India)
118.97.9.60 (Telekomunikasi, Indonesia)
125.19.103.198 (Bharti Infotel, India)
190.81.107.70 (Telmex, Peru)
200.169.13.84 (Century Telecom Ltda, Brazil)
210.56.23.100 (Commission for Science and Technology, Pakistan)
210.109.108.210 (Sejong Telecom, Korea)
211.44.250.173 (SK Broadband Co Ltd, Korea)
219.94.194.138 (Sakura Internet Inc, Japan)
Plain list:
62.85.27.129
83.238.208.55
89.218.55.51
95.156.232.102
111.93.161.226
118.97.9.60
125.19.103.198
190.81.107.70
200.169.13.84
210.56.23.100
210.109.108.210
211.44.250.173
219.94.194.138
Blocking hese IPs would be a good idea.
Date: Mon, 12 Mar 2012 08:32:11 +0100The attachment leads to a malicious page at cjjasjjikooppfkja.ru:8080/images/aublbzdni.php. This domain is multihomed at:
From: "KATELYN NEAL"
Subject: Fwd: Scan from a Xerox W. Pro #0099345
Attachments: Xerox_Workcentre_03.08_FZ1820.htm
Please open the attached document. It was scanned and sent
to you using a Xerox WorkCentre Pro.
Sent by: Guest
Number of Images: 1
Attachment File Type: .HTML
WorkCentre Pro Location: machine location not set
Device Name: XRX318AA5BSX3515459
62.85.27.129 (Microlink Latvia Ltd, Latvia)
83.238.208.55 (Netia SA, Poland)
89.218.55.51 (Kazakhtelecom, Kazakhstan)
95.156.232.102 (Optimate-Server, Germany)
111.93.161.226 (Tata Teleservices, India)
118.97.9.60 (Telekomunikasi, Indonesia)
125.19.103.198 (Bharti Infotel, India)
190.81.107.70 (Telmex, Peru)
200.169.13.84 (Century Telecom Ltda, Brazil)
210.56.23.100 (Commission for Science and Technology, Pakistan)
210.109.108.210 (Sejong Telecom, Korea)
211.44.250.173 (SK Broadband Co Ltd, Korea)
219.94.194.138 (Sakura Internet Inc, Japan)
Plain list:
62.85.27.129
83.238.208.55
89.218.55.51
95.156.232.102
111.93.161.226
118.97.9.60
125.19.103.198
190.81.107.70
200.169.13.84
210.56.23.100
210.109.108.210
211.44.250.173
219.94.194.138
Blocking hese IPs would be a good idea.
Labels:
Malware,
Printer Spam,
RU:8080,
Spam,
Viruses
"URGENT: Your pension could be underperforming" SMS Spam
Arriving just minutes apart from this spam and probably related, these SMS spamming scumbags are back with another pitch:
If you get one of these, you should forward the spam and the sender's number to your carrier. In the came of T-Mobile, O2 and Orange the number to report to is 7726 ("SPAM"). Vodafone customers should use 87726 ("VSPAM") and Three customers should use 37726 ("3SPAM"). Hopefully the carriers will act if there are enough complaints.
The sending number this time was +447895882070 although this will change as numbers get blocked.URGENT: Your pension could be underperforming and could leave you with less then you thought on retirement, reply REVIEW for a free review now, STOP to opt out.
If you get one of these, you should forward the spam and the sender's number to your carrier. In the came of T-Mobile, O2 and Orange the number to report to is 7726 ("SPAM"). Vodafone customers should use 87726 ("VSPAM") and Three customers should use 37726 ("3SPAM"). Hopefully the carriers will act if there are enough complaints.
"Records passed to us show you're entitled to a refund.." SMS Spam
These scumbag SMS spammers again:
If you get one of these, you should forward the spam and the sender's number to your carrier. In the came of T-Mobile, O2 and Orange the number to report to is 7726 ("SPAM"). Vodafone customers should use 87726 ("VSPAM") and Three customers should use 37726 ("3SPAM"). Hopefully the carriers will act if there are enough complaints.
Records passed to us show you're entitled to a refund approximately £2560 in compensation from mis-selling of PPI on your credit card or loan.Reply INFO or stopThis is pure and simple spam, there are no "records" showing any such thing. In this case the spam came from +447790682898 although spammers often change their numbers.
If you get one of these, you should forward the spam and the sender's number to your carrier. In the came of T-Mobile, O2 and Orange the number to report to is 7726 ("SPAM"). Vodafone customers should use 87726 ("VSPAM") and Three customers should use 37726 ("3SPAM"). Hopefully the carriers will act if there are enough complaints.
Subscribe to:
Posts (Atom)