Date: Tue, 24 Apr 2012 02:21:42 +0800The malware is hosted on 208.117.43.8/showthread.php?t=34c79594e8b8ac0f (report here) hosted by Steadfast Networks in the US. There's also an attempted download of an executable from electrosa.com/8zvW2XE.exe on 188.40.0.195 (Hetzner, South Africa) although this looks like a legitimate hacked site.
From: "ORSO`s Pizzeria"
Subject: Re: Fwd: Order confirmation 93278
You've just ordered pizza from our site
Pizza Ultimate Cheese Lover's with extras:
- Ham
- Italian Sausage
- Chicken
- Black Olives
- Green Peppers
- Pineapple
- Easy On Cheese
- Extra Sauce
Pizza Italian Trio with extras:
- Italian Sausage
- Pork
- Chicken
- Diced Tomatoes
- Black Olives
- Easy On Cheese
- Easy On Sauce
Pizza Spicy Sicilian with extras:
- Italian Sausage
- Pork
- Diced Tomatoes
- Onions
- Jalapenos
- Easy On Cheese
- No Sauce
Pizza Meat Lover's with extras:
- Italian Sausage
- Black Olives
- Black Olives
- Black Olives
- No Cheese
- Easy On Sauce
Pizza Triple Meat Italiano with extras:
- Ham
- Beef
- Black Olives
- No Cheese
- Easy On Sauce
Pizza Ultimate Cheese Lover's with extras:
- Italian Sausage
- Pepperoni
- Onions
- Onions
- No Cheese
- Easy On Sauce
Drinks
- Carling x 3
- Hancock x 3
- Dr. Pepper x 4
Total Due: 131.51$
If you haven't made the order and it's a fraud case, please follow the link and cancel the order.
CANCEL ORDER NOW!
If you don't do that shortly, the order will be confirmed and delivered to you.
With Respect
ORSO`s Pizzeria
Tuesday, 24 April 2012
Pizza spam / 208.117.43.8
Another Pizza spam leading to malware:
Monday, 23 April 2012
"Scan from a HP ScanJet" spam / 199.15.252.136
Another fake printer spam leading to malware..
The malicious payload is on 199.15.252.136/showthread.php?t=34c79594e8b8ac0f (report here) hosted by Electric Postage in the US.
From: CheyanneDelasancha@hotmail.com
Date: 23 April 2012 13:18
Subject: Re: Fwd: Scan from a HP ScanJet #352369989
A document was scanned and sent to you using a Hewlett-Packard QJet 8125331KSent to you by: CAMERON
Pages : 9
Filetype(s): Images (.jpeg) Download
Location: MSK.3FL.
Device: DEV674O1JF7863855Mailprint: 1169d03a-fe6923a5 =
A document was scanned and sent to you using a Hewlett-Packard QJet 8125331K
Sent to you by: CAMERON
Pages : 9
Filetype(s): Images (.jpeg) Download
Location: MSK.3FL.
Device: DEV674O1JF7863855
Mailprint: 1169d03a-fe6923a5
The malicious payload is on 199.15.252.136/showthread.php?t=34c79594e8b8ac0f (report here) hosted by Electric Postage in the US.
Labels:
Malware,
Printer Spam,
Spam,
Viruses
Ning "Sign in Issue" spam / mycanadarx.com
This fake email from Ning (whatever that is) leads to a fake pharmacy site on mycanadarx.com, but it could easily be adapted for malware.
From: Ning Help Center [mailto:helpcenter@ning.com]mycanadarx.com is hosted on 95.168.193.182 in the Czech Republic with a whole load of other fake pharma sites.
Sent: 23 April 2012 17:22
Subject: Sign In Issue
Hello!
Thanks for contacting us. We're writing to let you know we've received your message.
We strive to respond to tickets about issues as quickly as possible.
To provide us with additional details or updates, you can simply Login to Your Account.
Please be sure to leave the subject and body of this email in place. If you are able to resolve the issue, please let us know!
Many common issues are explained in http://help.ning.com/?faq=3800.
Thanks again!
The Ning Team
Summary:
ref:_00D80cCLt._50040JSbrh:ref
Labels:
Fake Pharma,
Spam
"Welcome to LiveJournal" spam / dietpharmacyeat.com
This "LiveJournal" spam actually leads to a fake pharma site, but it could be adapted easily to deliver malware:
In this case, the fake pharma site is dietpharmacyeat.com. Always check the link carefully before clicking on this type of email, it might not be as it seems.
Date: Sun, 22 Apr 2012 04:21:28 +0000
From: "LiveJournal.com" [do-not-reply@livejournal.com]
Subject: Welcome to LiveJournal
Congratulations! Thanks for creating a new journal at LiveJournal!
Please click here to complete validation and set your primary email*
(If you are unable to click on the link, copy and paste code into your browser window.)
Code: 33416121.5p9rmuuyqvzp7tw
All the best,
The LiveJournal Team
http://www.livejournal.com/
* About your primary email address: Your first validated email address (also known as primary email) is the only way to confirm that you own the journal, so please use only your most secure email address. If you chose a less secure address in the process of registration, we recommend that you change it and confirm your new address.
In this case, the fake pharma site is dietpharmacyeat.com. Always check the link carefully before clicking on this type of email, it might not be as it seems.
Labels:
Fake Pharma,
Spam
"MediaWiki Mail" Spam / carewelhealth.com
A novel spam, in this case leading to a fake pharmacy on carewelhealth.com.. but it could just as easily be malware.
Of course, the IP address of 105.191.258.285 is invalid, but most people probably won't be looking too closely. Keep an eye out for this type of spam. it might well lead to something nastier than a fake Viagra merchant.
Date: Sun, 22 Apr 2012 16:09:12 +0000
From: MediaWiki Mail [wiki@wikimedia.org]
Subject: Account details on Wikipedia
Wikipedia
Someone (probably you, from IP address 105.191.258.285) requested a reminder of your account details for Wikipedia. The following user account is associated with this e-mail address: xxxxxxxxxxx
This reminder will expire in 7 days.
If you didn't initiate the request on Wikipedia, feel free to cancel this message and uncheck the "Reminder" checkbox in your account.
Thanks, and once again Welcome!
http://en.wikipedia.org
Of course, the IP address of 105.191.258.285 is invalid, but most people probably won't be looking too closely. Keep an eye out for this type of spam. it might well lead to something nastier than a fake Viagra merchant.
Labels:
Fake Pharma,
Spam
I love this..
St George's Day and the 30th Anniversary of the ZX Spectrum.. Google have managed to combine both into one logo.. I love it!
Labels:
Google
Friday, 20 April 2012
NACHA Spam / 85.25.189.174
Another NACHA spam, leading to malware on 85.25.189.174:
The malicious payload is on 85.25.189.174/showthread.php?t=34c79594e8b8ac0f hosted by Intergenia / PlusServer in Germany. Avoid.
From: CarleySpan@hotmail.com
Date: 19 April 2012 21:25
Subject: Your ACH transaction N73848938
The ACH credit transfer, initiated from your checking acc., was canceled by the other financial institution.
Canceled transaction:
Transaction ID: A7635857812UA
ACH Report: View
LINDSEY Zimmerman
NACHA - The Electronic Payment Association
The malicious payload is on 85.25.189.174/showthread.php?t=34c79594e8b8ac0f hosted by Intergenia / PlusServer in Germany. Avoid.
Labels:
Intergenia,
Malware,
NACHA,
Spam,
Viruses
New Blogger interface: It's all too horrible to contemplate.
If you use Blogger, you'll know that it has a new interface. It's horrible. OK, the old interface was horrible but usable at the same time. This is just horrible, with the familiar looking elements seeming sprinkled at random over the new interface.
There are a lot of companies at the moment doing a similar thing.. making over their tried and tested (but tired) old software interfaces and coming up with something pastel-ly and awful. Or perhaps I'm just a Luddite?
Update: you can share your feedback on the Blogger forum which is full of similar complaints.
There are a lot of companies at the moment doing a similar thing.. making over their tried and tested (but tired) old software interfaces and coming up with something pastel-ly and awful. Or perhaps I'm just a Luddite?
Update: you can share your feedback on the Blogger forum which is full of similar complaints.
LinkedIn spam / mysalepharmacy.com
Here's a very convincing looking LinkedIn spam:
There are three hyperlinks in the message, two of them are to LinkedIn and one of them is to a fake pharma site on mysalepharmacy.com on 178.19.108.195 in Poland.
Personally, I hate LinkedIn emails. Blocking everything that appears to be from linkedin.com will not have any adverse impact on your life.
From: messages-noreply@bounce.linkedin.com [mailto:messages-noreply@bounce.linkedin.com] On Behalf Of LinkedIn Email Confirmation
Sent: 20 April 2012 09:54
Subject: Please confirm your email address
Click here to confirm your email address.
If the above link does not work, you can paste the following address into your browser:
https://www.linkedin.com/e/vAIspiNMa9UrLxwLy8OkxtE3ZZ5hfZkRMg0f2bmzDWANi
You will be asked to log into your account to confirm this email address. Be sure to log in with your current primary email address.
We ask you to confirm your email address before sending invitations or requesting contacts at LinkedIn. You can have several email addresses, but one will need to be confirmed at all times to use the system.
If you have more than one email address, you can choose one to be your primary email address. This is the address you will log in with, and the address to which we will deliver all email messages regarding invitations and requests, and other system mail.
Thank you for using LinkedIn!
--The LinkedIn Team
http://www.linkedin.com/
© 2012, LinkedIn Corporation
There are three hyperlinks in the message, two of them are to LinkedIn and one of them is to a fake pharma site on mysalepharmacy.com on 178.19.108.195 in Poland.
Personally, I hate LinkedIn emails. Blocking everything that appears to be from linkedin.com will not have any adverse impact on your life.
Labels:
Fake Pharma,
LinkedIn,
Spam
Thursday, 19 April 2012
LinkedIn Spam / springrheumatology.net
Another LinkedIn spam run leading to malware, this time on springrheumatology.net
The malicious payload is at springrheumatology.net/main.php?page=9e32768587b0d9a8 (report here) hosted on the familiar IP address of 41.64.21.71 in Egypt, a very good IP address to block.
Date: Thu, 19 Apr 2012 19:34:55 +0100
From: "Callie Holland" [donor@linkedin.com]
Subject: LinkedIn Invitation from your co-worker
REMINDERS
Invitation notifications:
? From Patrick Mcdaniel (Your co-worker)
PENDING MESSAGES
? There are a total of 2 messages awaiting your response. Visit your InBox now.
Don't want to receive email notifications? Adjust your message settings.
LinkedIn values your privacy. At no time has LinkedIn made your email address available to any other LinkedIn user without your permission. � 2010, LinkedIn Corporation.
=========================
Date: Thu, 19 Apr 2012 14:57:47 -0300
From: "Jane Gaston" [lulu9@linkedin.com]
Subject: LinkedIn Reminder
REMINDERS
Invitation reminders:
? From Solomon Goff (Your Colleague)
PENDING MESSAGES
? There are a total of 2 messages awaiting your response. Visit your InBox now.
Don't want to receive email notifications? Adjust your message settings.
LinkedIn values your privacy. At no time has LinkedIn made your email address available to any other LinkedIn user without your permission. � 2010, LinkedIn Corporation.
The malicious payload is at springrheumatology.net/main.php?page=9e32768587b0d9a8 (report here) hosted on the familiar IP address of 41.64.21.71 in Egypt, a very good IP address to block.
"Scan from a Xerox W. Pro" spam / 184.22.115.24
Another malicious (and fake) printer spam leading to malware:
In this case the malicious payload is on 184.22.115.24/showthread.php?t=34c79594e8b8ac0f (report here) which is hosted by HostNOC in the US.
From: MollieFaw@hotmail.com [mailto:MollieFaw@hotmail.com]
Sent: 19. april 2012 10:40
Subject: Re: Fwd: Fwd: Scan from a Xerox W. Pro #55048919
A Document was sent to you using a XEROX SuperJet 036582425.SENT BY : MIRIAM
IMAGS : 97
FORMAT (.JPG) DOWNLOAD
DEVICE: 69972L7ODS736028L
In this case the malicious payload is on 184.22.115.24/showthread.php?t=34c79594e8b8ac0f (report here) which is hosted by HostNOC in the US.
Labels:
Malware,
Printer Spam,
Spam,
Viruses
Tuesday, 17 April 2012
"Hello. Thank you for contacting us!" spam
Here's a slightly different spam from normal, in this case it doesn't lead to malware, but to a fake pharmacy site. However, the malware/pharma playloads are easily interchangeable. So, don't click that link, eh?
fff
Date: Date: Tue, 17 Apr 2012 14:49:18 -0400
From: Customer center [anfinnegan@pasadena.net]
Subject: [#3143] Ticket
Hello. Thank you for contacting us!
Your information has been changed and we should be in touch with you soon.
Proceed to Site.
Ticket code: fi5FFkG
You should expect a personal reply within the day or even sooner - as we answer most email within a few hours.
fff
Labels:
Fake Pharma,
Spam
"Scan from a Hewlett-Packard ScanJet 719606" / 173.44.136.197
This fake HP scan email leads to malware on 173.44.136.197.
The malware is on 173.44.136.197/showthread.php?t=34c79594e8b8ac0f (report here) hosted by JSC Media in Canada.
Date: Tue, 17 Apr 2012 09:21:07 +0530
From: HaileyWeeth@hotmail.com
Subject: Re: Fwd: Scan from a Hewlett-Packard ScanJet 719606
A document was scanned and sent to you using a Hewlett-Packard JET ON22536593S
Sent to you by: LERA
Pages : 4
Filetype: Image (.jpeg) View
Location: NPSK1.4FL.
Device: OP594S3OD1420493
Mailprint: ca5b83c7-2d5b8888
The malware is on 173.44.136.197/showthread.php?t=34c79594e8b8ac0f (report here) hosted by JSC Media in Canada.
Labels:
Malware,
Printer Spam,
Spam,
Viruses
Monday, 16 April 2012
"You've just ordered pizza from our site" / uiwewsecondary.ru
We haven't seen this "pizza spam" (or spam pizza?) for a while. Rest assured, it leads to malware on uiwewsecondary.ru:
The malicious payload is at uiwewsecondary.ru:8080/internet/fpkrerflfvd.php (report here) hosted on some familiar IP addresses (a subset of the ones found here):
41.168.5.140 (Neotel, South Africa)
62.85.27.129 (Microlink, Latvia)
83.170.91.152 (UK2.NET, UK)
85.214.204.32 (Strato AG, Germany)
88.190.22.72 (Free SAS / ProXad, France)
89.31.145.154 (Nexen, France)
112.78.124.115 (Sakura Internet, Japan)
210.56.23.100 (Commission For Science And Technology, Pakistan)
211.44.250.173 (SK Broadband, Korea)
219.94.194.138 (Sakura Internet, Japan)
Plain list for copy-and-pasting:
41.168.5.140
62.85.27.129
83.170.91.152
85.214.204.32
88.190.22.72
89.31.145.154
112.78.124.115
210.56.23.100
211.44.250.173
219.94.194.138
Date: Mon, 16 Apr 2012 08:40:47 -0500
From: CeceliaKosack@hotmail.com
Subject: Order confirmation
You've just ordered pizza from our site
Pizza Triple Meat Italiano with extras:
- Ham
- Ham
- Bacon Pieces
- Pineapple
- Onions
- Easy On Cheese
- No Sauce
Pizza Chicken Supreme with extras:
- Ham
- Jalapenos
- Black Olives
- Extra Cheese
- Extra Sauce
Pizza Hawaiian Luau with extras:
- Pepperoni
- Italian Sausage
- Beef
- Pineapple
- Easy On Cheese
- No Sauce
Pizza Chicken Supreme with extras:
- Italian Sausage
- Bacon Pieces
- Italian Sausage
- Jalapenos
- Diced Tomatoes
- Green Peppers
- Easy On Cheese
- Extra Sauce
Drinks
- Fanta x 4
- Limonade x 6
- Schweppes x 6
- Sprite x 2
Total Charge: 89.70$
If you haven't made the order and it's a fraud case, please follow the link and cancel the order.
CANCEL ORDER NOW!
If you don't do that shortly, the order will be confirmed and delivered to you.
With Best Regards
Pizza by AMERIGO
The malicious payload is at uiwewsecondary.ru:8080/internet/fpkrerflfvd.php (report here) hosted on some familiar IP addresses (a subset of the ones found here):
41.168.5.140 (Neotel, South Africa)
62.85.27.129 (Microlink, Latvia)
83.170.91.152 (UK2.NET, UK)
85.214.204.32 (Strato AG, Germany)
88.190.22.72 (Free SAS / ProXad, France)
89.31.145.154 (Nexen, France)
112.78.124.115 (Sakura Internet, Japan)
210.56.23.100 (Commission For Science And Technology, Pakistan)
211.44.250.173 (SK Broadband, Korea)
219.94.194.138 (Sakura Internet, Japan)
Plain list for copy-and-pasting:
41.168.5.140
62.85.27.129
83.170.91.152
85.214.204.32
88.190.22.72
89.31.145.154
112.78.124.115
210.56.23.100
211.44.250.173
219.94.194.138
"FedEx Delivery Confirmation 821630" spam / pokeronmep.ru
This spam leads to malware on pokeronmep.ru.
The malicious payload is on pokeronmep.ru:8080/pages/glavctkoasjtct.php (report here) which is hosted on the same IP addresses as found in this attack. Blocking them would be worthwhile.
Date: Mon, 16 Apr 2012 18:26:48 +0900
From: "Fed Ex SUPPORT 36" [support.391@fedex.com]
Subject: FedEx Delivery Confirmation 821630
Attachments: Collect_Letter.htm
ATTENTION!
DEAR USER , Delivery Confirmation: FAILED
PLEASE FILL IN ATTACHED FILE WITH RIGHT ADDRESS AND RESEND TO YOUR PERSONAL MANAGER (Open with Internet Explorer)
With Respect , Your Fed Ex Customer Services
The malicious payload is on pokeronmep.ru:8080/pages/glavctkoasjtct.php (report here) which is hosted on the same IP addresses as found in this attack. Blocking them would be worthwhile.
Friday, 13 April 2012
"NY TRAFFIC TICKET " spam / vitalitysomer.ru
Date: Fri, 13 Apr 2012 02:46:11 +0600The malware is on vitalitysomer.ru:8080/pages/glavctkoasjtct.php (report here) hosted on the same IP addresses found in this attack.
From: "LUIS MOSES" [Phl8DeB6MG@hotmail.com]
Subject: Fwd: Re: NY TRAFFIC TICKET
New-York Department of Motor Vehicles
TRAFFIC TICKET
NEW-YORK POLICE DEPARTMENT
THE PERSON CHARGED AS FOLLOWS
Time: 8:11 AM
Date of Offense: 25/01/2012
SPEED OVER 50 ZONE
TO PLEAD CLICK HERE AND FILL OUT THE FORM
Fingerprint: 67d251e9-830ebcaf
Fake AV sites to block on 64.120.207.108
There are a bunch of fake AV sites on 64.120.207.108 (HostNOC, US) that are active at the moment. You might want to block them :)
informationmonitorcare.info
preventiontoolsscanning.info
on-linecleanersupervision.info
supervisiontesterinspection.info
reliabilitywormsprocesses.info
verifywrecksafety.info
informationmonitorcare.info
preventiontoolsscanning.info
on-linecleanersupervision.info
supervisiontesterinspection.info
reliabilitywormsprocesses.info
verifywrecksafety.info
Labels:
Fake Anti-Virus
Thursday, 12 April 2012
Federal Reserve Wire Network spam / vanishingmasers.ru
Date: Thu, 12 Apr 2012 15:14:41 -0300
From: "Lidia Polk" [uzbekistanqp39@sterkinekor.com]
Subject: RE: Wire transfer cancelled
Good afternoon,
Wire transfer was canceled by the other bank.
Rejected transaction:
FEDWIRE REFERENCE NUMBER: SK9415179747ODP36641K
Wire Transfer Report: View
The Federal Reserve Wire Network
The payload is on vanishingmasers.ru:8080/pages/glavctkoasjtct.php (report here) which is hosted on some familiar looking IP addresses:
41.168.5.140 (Neotel, South Africa)
62.85.27.129 (Microlink, Latvia)
83.170.91.152 (UK2.NET, UK)
85.214.204.32 (Strato AG, Germany)
88.190.22.72 (Free SAS / ProXad, France)
89.31.145.154 (Nexen, France)
112.78.124.115 (Sakura Internet, Japan)
125.19.103.198 (Bharti Infotel, India)
210.56.23.100 (Commission For Science And Technology, Pakistan)
211.44.250.173 (SK Broadband, Korea)
219.94.194.138 (Sakura Internet, Japan)
Plain list for copy-and-pasting:
41.168.5.140
62.85.27.129
83.170.91.152
85.214.204.32
88.190.22.72
89.31.145.154
112.78.124.115
125.19.103.198
210.56.23.100
211.44.250.173
219.94.194.138
LinkedIn Spam / prospero-marketing.net
This spam leads to malware:
The malicious payload is on prospero-marketing.net/main.php?page=5ab26a646c9cf178 (report here) hosted on 85.189.11.134 and 41.64.21.71 which are the same IPs as seen in this attack yesterday.
From: Patrice Burke premonition9@linkedin.com
Date: 12 April 2012 16:33
Subject: LinkedIn Nofitication service message
REMINDERS
Invitation reminders:
• From Kadeem Ruiz (Your classmate)
PENDING MESSAGES
• There are a total of 2 messages awaiting your response. Visit your InBox now.
Don't want to receive email notifications? Adjust your message settings.
LinkedIn values your privacy. At no time has LinkedIn made your email address available to any other LinkedIn user without your permission. © 2010, LinkedIn Corporation.
The malicious payload is on prospero-marketing.net/main.php?page=5ab26a646c9cf178 (report here) hosted on 85.189.11.134 and 41.64.21.71 which are the same IPs as seen in this attack yesterday.
Something evil on 91.230.147.204 / Aldevir Invest
There are a bunch of domains on 91.230.147.204 being used in injection attacks..
entra78ting1.rr.nu
kickp43erryba.rr.nu
ngem44entca.rr.nu
ecei45veda.rr.nu
pingyo18ungmea.rr.nu
lls83sea.rr.nu
ipsre94marka.rr.nu
ownsca11ncerdra.rr.nu
ipme54ntsa.rr.nu
pora96tionb.rr.nu
rhol48dingc.rr.nu
anyco35mmunic.rr.nu
ddispl59ayingad.rr.nu
duni54xdled.rr.nu
ate62bid.rr.nu
losin31gsind.rr.nu
eted47place.rr.nu
stem59lice.rr.nu
ense21sgene.rr.nu
prepa36repre.rr.nu
sbrill22iantte.rr.nu
repres92enteve.rr.nu
stiga68tedef.rr.nu
taxv93italf.rr.nu
ivisi07onbeg.rr.nu
les23leg.rr.nu
citati35onpreg.rr.nu
who97mhig.rr.nu
nit25ionh.rr.nu
long63edhi.rr.nu
gypt73iani.rr.nu
unde52sbank.rr.nu
tank95ersfl.rr.nu
supe54radol.rr.nu
opria79teprol.rr.nu
egulat49ionspl.rr.nu
partia68llyearl.rr.nu
asketb75allmul.rr.nu
ent69aryl.rr.nu
sswhyp63rogramm.rr.nu
otin51gform.rr.nu
tern37etban.rr.nu
asi59ain.rr.nu
conce87ptfin.rr.nu
ing85erin.rr.nu
sadjus10tmentin.rr.nu
yworld22widecon.rr.nu
mpti08ngcon.rr.nu
tril70lion.rr.nu
ini66ngco.rr.nu
meant86lakefo.rr.nu
epopu02latio.rr.nu
ieved92lebano.rr.nu
egis13lato.rr.nu
esa70cto.rr.nu
urdr08eamp.rr.nu
anie49sdar.rr.nu
rical10ibrar.rr.nu
ngnyb99omber.rr.nu
tlongt08ermwer.rr.nu
ggest37power.rr.nu
rswa90rbur.rr.nu
ari90ores.rr.nu
rece69ives.rr.nu
ment54leaks.rr.nu
earal02ltwos.rr.nu
tsp15ers.rr.nu
speakf56eelingt.rr.nu
iesst77atepot.rr.nu
hurric76anereu.rr.nu
elba98nkru.rr.nu
greedc57upelev.rr.nu
duc15edov.rr.nu
ens62how.rr.nu
dustry52dontow.rr.nu
nta17ctex.rr.nu
kelly44array.rr.nu
ns1.hoperjoper.ru
ns2.hoperjoper.ru
This is a dodgy looking /24 allocated to:
Some of these domains were previously hosted on Specialist ISP, one of the blackest hat hosting providers that I know of. I would suggest blocking the entire /24 on this to be on the safe side.
For info, the following sites are also in that /24 block:
kleostor.com
prillipapa.biz
prillipapa.com
prillipapa.info
prillipapa.net
prillipapa.org
zeraniko.biz
zeraniko.com
zeraniko.info
zeraniko.net
zeraniko.org
zex-tezx.com
argobuilding.in
mybackdomain888.in
besthostnets.com
firstnethosting.com
highesthostnets.com
tophostnetworks.org
lockandkeyeventsparty.com
thisdomainsmakemetired.info
hashs.ru
allyrboom.com
trisstan-express.org
tropicana-tour.org
entra78ting1.rr.nu
kickp43erryba.rr.nu
ngem44entca.rr.nu
ecei45veda.rr.nu
pingyo18ungmea.rr.nu
lls83sea.rr.nu
ipsre94marka.rr.nu
ownsca11ncerdra.rr.nu
ipme54ntsa.rr.nu
pora96tionb.rr.nu
rhol48dingc.rr.nu
anyco35mmunic.rr.nu
ddispl59ayingad.rr.nu
duni54xdled.rr.nu
ate62bid.rr.nu
losin31gsind.rr.nu
eted47place.rr.nu
stem59lice.rr.nu
ense21sgene.rr.nu
prepa36repre.rr.nu
sbrill22iantte.rr.nu
repres92enteve.rr.nu
stiga68tedef.rr.nu
taxv93italf.rr.nu
ivisi07onbeg.rr.nu
les23leg.rr.nu
citati35onpreg.rr.nu
who97mhig.rr.nu
nit25ionh.rr.nu
long63edhi.rr.nu
gypt73iani.rr.nu
unde52sbank.rr.nu
tank95ersfl.rr.nu
supe54radol.rr.nu
opria79teprol.rr.nu
egulat49ionspl.rr.nu
partia68llyearl.rr.nu
asketb75allmul.rr.nu
ent69aryl.rr.nu
sswhyp63rogramm.rr.nu
otin51gform.rr.nu
tern37etban.rr.nu
asi59ain.rr.nu
conce87ptfin.rr.nu
ing85erin.rr.nu
sadjus10tmentin.rr.nu
yworld22widecon.rr.nu
mpti08ngcon.rr.nu
tril70lion.rr.nu
ini66ngco.rr.nu
meant86lakefo.rr.nu
epopu02latio.rr.nu
ieved92lebano.rr.nu
egis13lato.rr.nu
esa70cto.rr.nu
urdr08eamp.rr.nu
anie49sdar.rr.nu
rical10ibrar.rr.nu
ngnyb99omber.rr.nu
tlongt08ermwer.rr.nu
ggest37power.rr.nu
rswa90rbur.rr.nu
ari90ores.rr.nu
rece69ives.rr.nu
ment54leaks.rr.nu
earal02ltwos.rr.nu
tsp15ers.rr.nu
speakf56eelingt.rr.nu
iesst77atepot.rr.nu
hurric76anereu.rr.nu
elba98nkru.rr.nu
greedc57upelev.rr.nu
duc15edov.rr.nu
ens62how.rr.nu
dustry52dontow.rr.nu
nta17ctex.rr.nu
kelly44array.rr.nu
ns1.hoperjoper.ru
ns2.hoperjoper.ru
This is a dodgy looking /24 allocated to:
inetnum: 91.230.147.0 - 91.230.147.255
netname: zuzu-net
descr: OOO "Aldevir Invest"
country: RU
org: ORG-OI19-RIPE
admin-c: KY241-RIPE
tech-c: KY241-RIPE
status: ASSIGNED PI
mnt-by: RIPE-NCC-END-MNT
mnt-lower: RIPE-NCC-END-MNT
mnt-by: zuzu-mnt
mnt-routes: zuzu-mnt
mnt-domains: zuzu-mnt
source: RIPE # Filtered
organisation: ORG-OI19-RIPE
org-name: OOO "Aldevir Invest"
org-type: other
address: 192012, St.-Petersburg, Chernova ul., 25, office 12
mnt-ref: zuzu-mnt
mnt-by: zuzu-mnt
source: RIPE # Filtered
person: Krutko Evgeni Yurevich
address: 192012, St.-Petersburg, Chernova ul., 25, office 12
phone: +7812850202
nic-hdl: KY241-RIPE
mnt-by: zuzu-mnt
source: RIPE # Filtered
route: 91.230.147.0/24
descr: Route for DC
origin: AS5508
mnt-by: zuzu-mnt
source: RIPE # Filtered
netname: zuzu-net
descr: OOO "Aldevir Invest"
country: RU
org: ORG-OI19-RIPE
admin-c: KY241-RIPE
tech-c: KY241-RIPE
status: ASSIGNED PI
mnt-by: RIPE-NCC-END-MNT
mnt-lower: RIPE-NCC-END-MNT
mnt-by: zuzu-mnt
mnt-routes: zuzu-mnt
mnt-domains: zuzu-mnt
source: RIPE # Filtered
organisation: ORG-OI19-RIPE
org-name: OOO "Aldevir Invest"
org-type: other
address: 192012, St.-Petersburg, Chernova ul., 25, office 12
mnt-ref: zuzu-mnt
mnt-by: zuzu-mnt
source: RIPE # Filtered
person: Krutko Evgeni Yurevich
address: 192012, St.-Petersburg, Chernova ul., 25, office 12
phone: +7812850202
nic-hdl: KY241-RIPE
mnt-by: zuzu-mnt
source: RIPE # Filtered
route: 91.230.147.0/24
descr: Route for DC
origin: AS5508
mnt-by: zuzu-mnt
source: RIPE # Filtered
Some of these domains were previously hosted on Specialist ISP, one of the blackest hat hosting providers that I know of. I would suggest blocking the entire /24 on this to be on the safe side.
For info, the following sites are also in that /24 block:
kleostor.com
prillipapa.biz
prillipapa.com
prillipapa.info
prillipapa.net
prillipapa.org
zeraniko.biz
zeraniko.com
zeraniko.info
zeraniko.net
zeraniko.org
zex-tezx.com
argobuilding.in
mybackdomain888.in
besthostnets.com
firstnethosting.com
highesthostnets.com
tophostnetworks.org
lockandkeyeventsparty.com
thisdomainsmakemetired.info
hashs.ru
allyrboom.com
trisstan-express.org
tropicana-tour.org
Labels:
Evil Network,
Injection Attacks,
Malware,
Specialist ISP,
Viruses
Wednesday, 11 April 2012
Wire Transfer spam / wiskonsintpara.ru
From: Marcel Ouellette RaymondKalan@nyc.rr.com
Date: 11 April 2012 13:30
Subject: Re: Wire Transfer Confirmation (FED REFERENCE 42420PP01)
Dear Bank Account Operator,
WIRE TRANSACTION: WIRE-900098281493111
CURRENT STATUS: CANCELLED
You can find details in the attached file.(Internet Explorer file)
Transfer_N883664.htm
There's an HTML attachment which attempts to load malicious content from wiskonsintpara.ru:8080/img/?promo=nacha (although this wasn't working when I tested it). This domain is multihomed on a set of IP addresses we have seen a lot of lately and are definitely worth blocking:
41.66.137.155 (AfricaINX, South Africa)
41.168.5.140 (Neotel, South Africa)
62.85.27.129 (Microlink, Latvia)
88.190.22.72 (Free SAS / ProXad, France)
89.31.145.154 (Nexen, France)
112.78.124.115 (Sakura Internet, Japan)
125.19.103.198 (Bharti Infotel, India)
202.149.85.37 (Satata Neka Tama, Indonesia)
210.56.23.100 (Commission For Science And Technology, Pakistan)
210.109.108.210 (Sejong Telecom, Korea)
211.44.250.173 (SK Broadband, Korea)
219.94.194.138 (Sakura Internet, Japan)
Plain list for copy-and-pasting:
41.66.137.155
41.168.5.140
62.85.27.129
88.190.22.72
89.31.145.154
112.78.124.115
125.19.103.198
202.149.85.37
210.56.23.100
210.109.108.210
211.44.250.173
219.94.194.138
LinkedIn Spam / baiparz.com
This fake LinkedIn message leads to malware:
There's a malicious payload at baiparz.com/main.php?page=f93de12c807d28df (report here) which is hosted by Griffin Internet in the UK on 85.189.11.134 and also can be found on the familiar IP address of 41.64.21.71 which is an ADSL subscriber in Egypt.
Date: Wed, 11 Apr 2012 15:09:48 -0300
From: "Pasquale Nieves" [warthogv@linkedin.com]
Subject: LinkedIn Nofitication service message
REMINDERS
Invitation reminders:
? From Felix Byers (Your Colleague)
PENDING MESSAGES
? There are a total of 2 messages awaiting your response. Visit your InBox now.
Don't want to receive email notifications? Adjust your message settings.
LinkedIn values your privacy. At no time has LinkedIn made your email address available to any other LinkedIn user without your permission. � 2010, LinkedIn Corporation.
There's a malicious payload at baiparz.com/main.php?page=f93de12c807d28df (report here) which is hosted by Griffin Internet in the UK on 85.189.11.134 and also can be found on the familiar IP address of 41.64.21.71 which is an ADSL subscriber in Egypt.
Tuesday, 10 April 2012
Intuit.com spam / webmastaumuren.ru
Here's a fake Intuit spam leading to malware on webmastaumuren.ru:8080:
The malware is on webmastaumuren.ru:8080/navigator/jueoaritjuir.php (report here) which is multihomed on the same IP addresses found here.
From: Yvonne Lewis [mailto:MalikDuenes@choice.net]
Sent: 10 April 2012 12:03
Subject: Dowload your Intuit.com invoice.
Dear customer: Thank you for ordering from Intuit Market. We are processing and will message you when your order ships. If you ordered multiple items, we may sned them in more than one delivery (at no extra cost to you) to ensure quicker delivery. If you have questions about your order please call 1-900-367-0794 ($4.49/min).
ORDER INFORMATION
Please download your complete order id #4147367 from the attachment.(Open with Internet Explorer)
©2012 Intuit, Inc. All rights reserved. Intuit, the Intuit Logo, Quickbooks, Quicken and TurboTax, among others, are registered trademarks of Intuit Inc.
The malware is on webmastaumuren.ru:8080/navigator/jueoaritjuir.php (report here) which is multihomed on the same IP addresses found here.
US Airways Spam / 50.116.5.41 and 174.140.165.197
This fake US Airways spam leads to malware on 50.116.5.41
The payload is on 50.116.5.41/showthread.php?t=73a07bcb51f4be71 (report here) which is hosted by Linode in the US.
Update: a similar spam is also doing the rounds with a payload on 174.140.165.197 (Directspace, US)
Date: Tue, 10 Apr 2012 19:18:16 +0530
From: "US Airways - Reservations" [usair@myusairways.com]
Subject: Confirm your US airways online reservation.
You have to check in from 24 hours and up to 60 minutes before your flight (2 hours if you're flying abroad). Then, all you have to do is print your boarding pass and proceed to the gate.
Confirmation code: 956153
Check-in online: Online reservation details
Flight
1396
Departure city and time
Washington, DC (DCA) 10:00PM
Depart date: 4/5/2012
�
We are committed to protecting your privacy. Your information is kept private and confidential. For information about our privacy policy visit usairways.com.
US Airways, 111 W. Rio Salado Pkwy, Tempe, AZ 85281 , Copyright US Airways , All rights reserved.
The payload is on 50.116.5.41/showthread.php?t=73a07bcb51f4be71 (report here) which is hosted by Linode in the US.
Update: a similar spam is also doing the rounds with a payload on 174.140.165.197 (Directspace, US)
Labels:
Linode,
Malware,
Spam,
US Airways,
Viruses
jueoaritjuir.php attacks to block
Intercompany inv. from Safeco Corporation Corp.
Invoice_1750544151.zip
Invoice.htm
Scan from a HP ScanJet #24166324
Scan_HPa.zip
HP_Scan.htm
Re: End of Aug. Statement Required
Invoice_N{DIG}.htm
Your Flightticket
FLIGHT_TICKET_N24207.zip
Ticket.htm
FEDEX: DELIVER CONFIRMATION - FAILED 335929
Collect_Letter-176310.htm
Payload URLs include:
hxxp://41.168.5.140:8080/navigator/jueoaritjuir.php
hxxp://62.85.27.129:8080/navigator/jueoaritjuir.php
hxxp://78.83.233.242:8080/navigator/jueoaritjuir.php
hxxp://81.30.160.7:8080/navigator/jueoaritjuir.php
hxxp://88.190.22.72:8080/navigator/jueoaritjuir.php
hxxp://89.31.145.154:8080/navigator/jueoaritjuir.php
hxxp://112.78.124.115:8080/navigator/jueoaritjuir.php
hxxp://194.85.97.121:8080/navigator/jueoaritjuir.php
hxxp://211.44.250.173:8080/navigator/jueoaritjuir.php
hxxp://219.94.194.138:8080/navigator/jueoaritjuir.php
hxxp://webalizerindians.ru:8080/navigator/jueoaritjuir.php
By host:
41.66.137.155 (AfricaINX, South Africa)
41.168.5.140 (Neotel, South Africa)
62.85.27.129 (Microlink, Latvia)
81.30.160.7 (Vinteleport, Ukraine)
88.190.22.72 (Free SAS / ProXad, France)
89.31.145.154 (Nexen, France)
112.78.124.115 (Sakura Internet, Japan)
125.19.103.198 (Bharti Infotel, India)
194.85.97.121 (State Technical University of Saint-Petersburg, Russia)
202.149.85.37 (Satata Neka Tama, Indonesia)
210.56.23.100 (Commission For Science And Technology, Pakistan)
210.109.108.210 (Sejong Telecom, Korea)
211.44.250.173 (SK Broadband, Korea)
219.94.194.138 (Sakura Internet, Japan)
Plain list for copy-and-pasting:
41.66.137.155
41.168.5.140
62.85.27.129
81.30.160.7
88.190.22.72
89.31.145.154
112.78.124.115
125.19.103.198
194.85.97.121
202.149.85.37
210.56.23.100
210.109.108.210
211.44.250.173
219.94.194.138
These IPs seem pretty consistent at the moment, blocking them should offer some degree of protection.
Friday, 6 April 2012
"Scan from a Hewlett-Packard ScanJet" spam 6/4/12
Another fake HP scan spam email leading to malware. This one follows the new technique of putting a malicious HTML (HP_Scan.htm) file inside a ZIP file to reduce the risk of it being blocked, and then it has multiple payload sites to try to get a higher infection rate. Nasty.
The payload can be found at:
hxxp://211.44.250.173:8080/navigator/jueoaritjuir.php
hxxp://62.85.27.129:8080/navigator/jueoaritjuir.php
hxxp://219.94.194.138:8080/navigator/jueoaritjuir.php
hxxp://78.83.233.242:8080/navigator/jueoaritjuir.php
..the IP address can also be found in this attack.
A Wepawet report can be found here. Anti-virus detection is pretty poor at the moment.
The bad guys certainly seem to have found a way to bring more machines into contact with this malware. Take care!
Date: Fri, 6 Apr 2012 08:29:34 +0200
From: "Hewlett-Packard Officejet 70419A" [JaysonGritten@estout.com]
Subject: Scan from a Hewlett-Packard ScanJet #02437326
Attachments: HP_Document-12-Z1380.zip
Attached document was scanned and sent
to you using a Hewlett-Packard HP Officejet 45211A.
Sent by: MILLIE
Images : 7
Attachment Type: ZIP [DOC]
Hewlett-Packard Officejet Location: machine location not set
Device: OFC347AA3BSX37057762
The payload can be found at:
hxxp://211.44.250.173:8080/navigator/jueoaritjuir.php
hxxp://62.85.27.129:8080/navigator/jueoaritjuir.php
hxxp://219.94.194.138:8080/navigator/jueoaritjuir.php
hxxp://78.83.233.242:8080/navigator/jueoaritjuir.php
..the IP address can also be found in this attack.
A Wepawet report can be found here. Anti-virus detection is pretty poor at the moment.
The bad guys certainly seem to have found a way to bring more machines into contact with this malware. Take care!
Labels:
Malware,
Printer Spam,
Spam,
Viruses
Thursday, 5 April 2012
US Airways Spam / 209.59.218.94
Another US Airways spam, malformed this time, pointing to malware on 209.59.218.94.
The malicious payload is at 209.59.218.94/showthread.php?t=73a07bcb51f4be71 (report here). This is hosted by Endurance International in the US.
Date: Thu, 5 Apr 2012 14:10:48 +0000
From: "US Airways - Reservations" [usair@myusairways.com]
Subject: Confirm your US airways online reservation.
you {l2} check in from 24 hours and up to 60 minutes before your flight (2 hours if you're flying {l3}). {l4}, all you {l5} to do is print your boarding pass and {l6} to the gate.
confirmation code: {digit}
check-in online: online reservation details
flight
{digit}
departure city and time
washington, dc (dca) 10:00pm
depart date: 4/5/2012
we are committed to protecting your privacy. your information is kept private and confidential. for information about our privacy policy visit usairways.com.
us airways, 111 w. rio salado pkwy, tempe, az 85281 , copyright us airways , all rights reserved.
The malicious payload is at 209.59.218.94/showthread.php?t=73a07bcb51f4be71 (report here). This is hosted by Endurance International in the US.
Labels:
Endurance International Group,
Malware,
Spam,
US Airways,
Viruses
US Airways Spam / 174.140.171.117
Another US Airways spam leading to malware on a Directspace IP (174.140.171.117)
Date: Thu, 5 Apr 2012 18:54:19 +0700The malicious payload is on 174.140.171.117 (report here) hosted by Directspace in the US. This is the third time in recent days that Directspace have hosted such a site in this range, the others were 174.140.171.173 (here) and 174.140.166.138 (here).
From: "US Airways - Reservations" [support@myusairways.com]
Subject: US Airways online check-in.
You have to check in from 24 hours and up to 60 minutes before your flight (2 hours if you're flying internationally). After that, all you need to do is print your boarding pass and go to the gate.
Confirmation code: 610235
Check-in online: Online reservation details
Flight
5266
Departure city and time
Washington, DC (DCA) 10:00PM
Depart date: 4/5/2012
We are committed to protecting your privacy. Your information is kept private and confidential. For information about our privacy policy visit usairways.com.
US Airways, 111 W. Rio Salado Pkwy, Tempe, AZ 85281 , Copyright US Airways , All rights reserved.
Labels:
Malware,
Spam,
US Airways,
Viruses
Malicious spam / Invoice_N{DIG}.zip
We're seeing a huge spam run at the moment with various subject and attachments, but typically using an HTML-in-ZIP attack with an attachment called Invoice_N{DIG}.zip
Subjects include:
DHL: DELIVER CONFIRMATION - FAILED 113996
FW: End of Aug. Statement
FW: Scan from a Xerox W. Pro #7338339
although there are probably many others.
The attachment leads to a multihomed exploit kit (report here) on:
hxxp://41.168.5.140:8080/navigator/jueoaritjuir.php
hxxp://62.85.27.129:8080/navigator/jueoaritjuir.php
hxxp://78.83.233.242:8080/navigator/jueoaritjuir.php
hxxp://180.235.150.72:8080/navigator/jueoaritjuir.php
hxxp://211.44.250.173:8080/navigator/jueoaritjuir.php
hxxp://219.94.194.138:8080/navigator/jueoaritjuir.php
Hosts:
41.168.5.140 (Neotel, South Africa)
62.85.27.129 (Microlink, Latvia)
78.83.233.242 (Spectrum Net, Bulgaria)
180.235.150.72 (Ardh Global, Indonesia)
211.44.250.173 (SK Broadband Co Ltd, Korea)
219.94.194.138 (Sakura Internet Inc, Japan)
Plain list for copy-and-pasting:
41.168.5.140
62.85.27.129
78.83.233.242
180.235.150.72
211.44.250.173
219.94.194.138
Subjects include:
DHL: DELIVER CONFIRMATION - FAILED 113996
FW: End of Aug. Statement
FW: Scan from a Xerox W. Pro #7338339
although there are probably many others.
The attachment leads to a multihomed exploit kit (report here) on:
hxxp://41.168.5.140:8080/navigator/jueoaritjuir.php
hxxp://62.85.27.129:8080/navigator/jueoaritjuir.php
hxxp://78.83.233.242:8080/navigator/jueoaritjuir.php
hxxp://180.235.150.72:8080/navigator/jueoaritjuir.php
hxxp://211.44.250.173:8080/navigator/jueoaritjuir.php
hxxp://219.94.194.138:8080/navigator/jueoaritjuir.php
Hosts:
41.168.5.140 (Neotel, South Africa)
62.85.27.129 (Microlink, Latvia)
78.83.233.242 (Spectrum Net, Bulgaria)
180.235.150.72 (Ardh Global, Indonesia)
211.44.250.173 (SK Broadband Co Ltd, Korea)
219.94.194.138 (Sakura Internet Inc, Japan)
Plain list for copy-and-pasting:
41.168.5.140
62.85.27.129
78.83.233.242
180.235.150.72
211.44.250.173
219.94.194.138
Labels:
Malware,
Printer Spam,
Spam,
Viruses
Wednesday, 4 April 2012
US Airways Spam / 174.140.166.138
Another one of a spate of fake US Airways emails, with a link leading to malware:
From: US Airways - Reservations reservations@myusairways.com
Date: 4 April 2012 14:58
Subject: US Airways online check-in.
You should check in from 24 hours and up to 60 minutes before your flight (2 hours if you're flying abroad). After that, all you have to do is print your boarding pass and go to the gate.
Confirmation code: 266492
Check-in online: Online reservation details
Flight
0312
Departure city and time
Washington, DC (DCA) 10:00PM
Depart date: 4/5/2012
We are committed to protecting your privacy. Your information is kept private and confidential. For information about our privacy policy visit usairways.com.
US Airways, 111 W. Rio Salado Pkwy, Tempe, AZ 85281 , Copyright US Airways , All rights reserved.
The malicious payload is on 174.140.166.138 (report here) hosted by Directspace in the US. Avoid.
Labels:
Malware,
Spam,
US Airways,
Viruses
playbill.com hacked
playbill.com covers listings and tickets for theatre events in New York and London. It's a popular site in the US, ranked 3350 according to Alexa.
Unfortunately, the site has been hacked with exploit code for the Java AtomicReferenceArray unsafe typing (CVE-2012-0507) vulnerability (report here), apparently loading malicious components from dezbvu.dyndns-server.com/forum/s1 (62.76.180.69 - ClodoCloud / IT House Ltd, Russia).
Remember you keep your Java up to date to avoid this sort of drive-by attack.
Unfortunately, the site has been hacked with exploit code for the Java AtomicReferenceArray unsafe typing (CVE-2012-0507) vulnerability (report here), apparently loading malicious components from dezbvu.dyndns-server.com/forum/s1 (62.76.180.69 - ClodoCloud / IT House Ltd, Russia).
Remember you keep your Java up to date to avoid this sort of drive-by attack.
Labels:
Injection Attacks,
Malware,
Viruses
"End of Aug. Statement" spam / dhjhgfkjsldkjdj.ru
This "End of Aug. Statement" spam uses the same malicious payload as this one earlier today.
From: Margo Lawrence [mailto:robbersab@alumni.insead.edu]There's an HTML-in-ZIP attachment, leading to a malicious payload at dhjhgfkjsldkjdj.ru (report here). Blocking access to the IP addresses shown in this post may be prudent.
Sent: 04 April 2012 14:17
Subject: Re: FW: End of Aug. Statement
,
as reqeusted I give you inovices issued to you per february (Internet Explorer format).
Regards
Dollie Mcguire
Intuit.com spam / dhjhgfkjsldkjdj.ru
Another fake Intuit spam leading to malware, this time on dhjhgfkjsldkjdj.ru:
The malware is a Phoenix exploit kit at dhjhgfkjsldkjdj.ru:8080/navigator/jueoaritjuir.php (Wepawet Report here) which is multihomed on the IPs below, a very similar list to this recent spam run.
41.66.137.155 (AfricaINX, South Africa)
41.168.5.140 (Neotel Pty, South Africa)
61.187.191.16 (ChinaNet Hunan, China)
62.85.27.129 (Microlink, Latvia)
78.83.233.242 (Spectrum Net JSC, Bulgaria)
78.107.82.98 (Vimpelcom, Russia)
89.218.55.51 (Kazakhtelecom, Kazakhstan)
125.19.103.198 (Bharti Infotel Ltd, India)
180.235.150.72 (Ardh Global, Indonesia)
194.85.97.121 (State Technical University of Saint-Petersburg, Russia)
200.169.13.84 (Comite Gestor Da Internet, Brazil)
202.149.85.37 (Satata Neka Tama, Indonesia)
210.56.23.100 (Commission For Science And Technology, Pakistan)
210.56.24.226 (Commission For Science And Technology, Pakistan)
210.109.108.210 (Sejong Telecom, Korea)
211.44.250.173 (SK Broadband Co Ltd, Korea)
219.94.194.138 (Sakura Internet, Japan)
Plain list for copy-and-pasting:
41.66.137.155
41.168.5.140
61.187.191.16
62.85.27.129
78.83.233.242
78.107.82.98
89.218.55.51
125.19.103.198
180.235.150.72
194.85.97.121
200.169.13.84
202.149.85.37
210.56.23.100
210.56.24.226
210.109.108.210
211.44.250.173
219.94.194.138
Date: Wed, 4 Apr 2012 11:33:37 +0100
From: pXTwWE@gmail.com
Subject: Dowload your Intuit.com invoice.
Attachments: Intuit_Order-255798.htm
Dear customer: Thank you for ordering from Intuit Market. We are processing and will message you when your order ships. If you ordered multiple items, we may sned them in more than one delivery (at no extra cost to you) to ensure quicker delivery. If you have questions about your order please call 1-900-374-9959 ($2.89/min).
ORDER INFORMATION
Please download your complete order id #5400523 from the attachment.(Open with Internet Explorer)
�2012 Intuit, Inc. All rights reserved. Intuit, the Intuit Logo, Quickbooks, Quicken and TurboTax, among others, are registered trademarks of Intuit Inc.
The malware is a Phoenix exploit kit at dhjhgfkjsldkjdj.ru:8080/navigator/jueoaritjuir.php (Wepawet Report here) which is multihomed on the IPs below, a very similar list to this recent spam run.
41.66.137.155 (AfricaINX, South Africa)
41.168.5.140 (Neotel Pty, South Africa)
61.187.191.16 (ChinaNet Hunan, China)
62.85.27.129 (Microlink, Latvia)
78.83.233.242 (Spectrum Net JSC, Bulgaria)
78.107.82.98 (Vimpelcom, Russia)
89.218.55.51 (Kazakhtelecom, Kazakhstan)
125.19.103.198 (Bharti Infotel Ltd, India)
180.235.150.72 (Ardh Global, Indonesia)
194.85.97.121 (State Technical University of Saint-Petersburg, Russia)
200.169.13.84 (Comite Gestor Da Internet, Brazil)
202.149.85.37 (Satata Neka Tama, Indonesia)
210.56.23.100 (Commission For Science And Technology, Pakistan)
210.56.24.226 (Commission For Science And Technology, Pakistan)
210.109.108.210 (Sejong Telecom, Korea)
211.44.250.173 (SK Broadband Co Ltd, Korea)
219.94.194.138 (Sakura Internet, Japan)
Plain list for copy-and-pasting:
41.66.137.155
41.168.5.140
61.187.191.16
62.85.27.129
78.83.233.242
78.107.82.98
89.218.55.51
125.19.103.198
180.235.150.72
194.85.97.121
200.169.13.84
202.149.85.37
210.56.23.100
210.56.24.226
210.109.108.210
211.44.250.173
219.94.194.138
Tuesday, 3 April 2012
SMS Spam: "We have been trying to contact you regards your recent accident"
These scumbag SMS spammers are at it again:
In this case, the sender's number is +447788313443 but this will change as the networks block it.
If you get one of these, you should forward the spam and the sender's number to your carrier. In the came of T-Mobile, O2 and Orange the number to report to is 7726 ("SPAM"). Vodafone customers should use 87726 ("VSPAM") and Three customers should use 37726 ("3SPAM"). Hopefully the carriers will act if there are enough complaints.
URGENT: We have been trying to contact you regards your recent accident; you could be due up to £5,100 in compensation. Reply CLAIM for info, STOP to opt out.
In this case, the sender's number is +447788313443 but this will change as the networks block it.
If you get one of these, you should forward the spam and the sender's number to your carrier. In the came of T-Mobile, O2 and Orange the number to report to is 7726 ("SPAM"). Vodafone customers should use 87726 ("VSPAM") and Three customers should use 37726 ("3SPAM"). Hopefully the carriers will act if there are enough complaints.
US Airways Spam / 109.202.98.43
Another US Airways fake email leading to malware:
The malware is on 109.202.98.43/showthread.php?t=73a07bcb51f4be71 (report here) hosted Global Layer, Netherlands.
Date: Tue, 3 Apr 2012 14:26:03 +0200
From: "US Airways - Reservations" [reservations@myusairways.com]
Subject: Confirm your US airways online reservation.
You have to check in from 24 hours and up to 60 minutes before your flight (2 hours if you're flying internationally). Then, all you need to do is print your boarding pass and head to the gate.
Confirmation code: 336881
Check-in online: Online reservation details
Flight
0989
Departure city and time
Washington, DC (DCA) 10:00PM
Depart date: 4/5/2012
We are committed to protecting your privacy. Your information is kept private and confidential. For information about our privacy policy visit usairways.com.
US Airways, 111 W. Rio Salado Pkwy, Tempe, AZ 85281 , Copyright US Airways , All rights reserved.
The malware is on 109.202.98.43/showthread.php?t=73a07bcb51f4be71 (report here) hosted Global Layer, Netherlands.
Labels:
Malware,
Spam,
US Airways,
Viruses
"Info in regard to keeping well" spam / ListK LLC
This spam appears to be some sort of probing attack, looking for valid email addresses. In this case, the email was send to an address that didn't actually exist.
This appears to be an attempt to bypass spam filters, and also the relevant spam laws by apparently not being a commercial email message.
In this case, the spam went through a relay at 174.142.85.218, but the originating IP appears to be 208.115.221.34, a Limestone Networks IP suballocated to a outfit called "24Shells, Feasterville, PA 19053, US" who control a small block of 208.115.221.32/29 (208.115.221.32 - 208.115.221.39) in this range.
So far, I have discovered the following (anonymous) domains and IP addresses connected with this spammer:
174.142.85.218 (iWeb / Listk LLC, Canada)
mx.verif1cationtime4.com
208.115.221.34 (Limestone Networks, US. Suballocated to "24Shells, Feasterville, PA 19053, US")
mail.vprtcls3.com
174.142.82.119 (iWeb, Canada)
mail.3vermethod.com
96.31.93.88 (Noc4Hosts, US)
mx.verif1cationtime2.com
209.54.55.171 (Native Hosting, US)
mx.verif1cationtime3.com
216.245.208.34 (24Shells, US)
mail.2vermethod.com
173.236.84.2 (Singlehop, US)
mx.4vermethod.com
74.112.248.179 (Triple8, US)
mail.vprtcls1.com
Out of these IPs, 174.142.85.218 is the most interesting. It belongs to iWeb in Canada (Canada is a great home for spammers) but is suballocated to:
ListK LLC has a website at listk.com and are based in Atlanta, Georgia (BBB report here). Their web site gives an indication as to exactly what this spam is about:
This describes the spam probe exactly, it is using existing contact details to try to form a valid email address, and then probe it from several different IP addresses to try to bypass spam filters.
In my personal opinion, this is unethical and arguably illegal as the spam is indeed part of a commercial offering. If you receive spam from this outfit, you should report it to their hosting providers. I also recommend complaining to the BBB if you are in the US.
Just for reference the mail headers involved are as follows:
Received: from mx.verif1cationtime4.com ([174.142.85.218])
by ---------- with esmtp (Exim 4.69)
id 1SEwkh-0006gp-2Y
for ----------; Tue, 03 Apr 2012 06:58:00 +0100
Received: from 208.115.221.34
by mail.3vermethod.com (Merak 8.9.1) with ASMTP id NJW04750
for <---------->; Tue, 03 Apr 2012 01:45:50 -0400
Status:
Message-ID: <20120403014518.8b1d3b8d2d@3b5e>
From: "Roy Johnson"
To: ----------
Date: Tue, 3 Apr 2012 01:45:18 -0400
X-Priority: 3
X-Mailer: SkillCaster
MIME-Version: 1.0
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on
----------
X-Spam-Level:
X-Spam-Status: No, score=0.0 required=5.0 tests=none autolearn=disabled
version=3.2.5
Subject: Info in regard to keeping well.
Content-Type: text/plain;
charset="us-ascii"
Content-Transfer-Encoding: 7bit
Delivered-To: ----------
From: Roy Johnson Roy.Johnson@verif1cationtime4.com
Date: 3 April 2012 06:45
Subject: Info in regard to keeping well.
This is a one time public service message about Attention Deficit
Hyperactivity Disorder (ADHA) and no further emails will be sent.
ADHD (attention deficit hyperactivity disorder), sometimes called ADD
(attention deficit disorder), is linked with hyperactivity, impulsive
behavior, and attention problems in both children and adults. It's
estimated that up to 12 percent of school-aged children and 6 percent of
adults have ADHD, making it harder for them to focus on tasks, manage
their time, control their behavior, or even sit still. There is no
single test to diagnose ADD/ADHD. To reach a diagnosis, a doctor or
specialist may do a physical exam to rule out any physical problems, as
well as ask questions about behavior in certain situations. Treatment is
often a combination of medication and behavioral therapy. The goals of
treatment are to help the person control impulsive behaviors, do better
in school or work, and improve social relationships. Keep well.
This appears to be an attempt to bypass spam filters, and also the relevant spam laws by apparently not being a commercial email message.
In this case, the spam went through a relay at 174.142.85.218, but the originating IP appears to be 208.115.221.34, a Limestone Networks IP suballocated to a outfit called "24Shells, Feasterville, PA 19053, US" who control a small block of 208.115.221.32/29 (208.115.221.32 - 208.115.221.39) in this range.
So far, I have discovered the following (anonymous) domains and IP addresses connected with this spammer:
174.142.85.218 (iWeb / Listk LLC, Canada)
mx.verif1cationtime4.com
208.115.221.34 (Limestone Networks, US. Suballocated to "24Shells, Feasterville, PA 19053, US")
mail.vprtcls3.com
174.142.82.119 (iWeb, Canada)
mail.3vermethod.com
96.31.93.88 (Noc4Hosts, US)
mx.verif1cationtime2.com
209.54.55.171 (Native Hosting, US)
mx.verif1cationtime3.com
216.245.208.34 (24Shells, US)
mail.2vermethod.com
173.236.84.2 (Singlehop, US)
mx.4vermethod.com
74.112.248.179 (Triple8, US)
mail.vprtcls1.com
Out of these IPs, 174.142.85.218 is the most interesting. It belongs to iWeb in Canada (Canada is a great home for spammers) but is suballocated to:
NetRange: 174.142.85.216 - 174.142.85.223
CIDR: 174.142.85.216/29
OriginAS:
NetName: IWEB-CL-T215-200CN-1330
NetHandle: NET-174-142-85-216-1
Parent: NET-174-142-0-0-1
NetType: Reassigned
RegDate: 2010-05-14
Updated: 2010-05-14
Ref: http://whois.arin.net/rest/net/NET-174-142-85-216-1
CustName: ListK LLC
Address: 1200 Abernathy Road
City: Atlanta
StateProv: GA
PostalCode: 30328
Country: US
RegDate: 2010-05-14
Updated: 2011-11-21
Ref: http://whois.arin.net/rest/customer/C02496703
CIDR: 174.142.85.216/29
OriginAS:
NetName: IWEB-CL-T215-200CN-1330
NetHandle: NET-174-142-85-216-1
Parent: NET-174-142-0-0-1
NetType: Reassigned
RegDate: 2010-05-14
Updated: 2010-05-14
Ref: http://whois.arin.net/rest/net/NET-174-142-85-216-1
CustName: ListK LLC
Address: 1200 Abernathy Road
City: Atlanta
StateProv: GA
PostalCode: 30328
Country: US
RegDate: 2010-05-14
Updated: 2011-11-21
Ref: http://whois.arin.net/rest/customer/C02496703
ListK LLC has a website at listk.com and are based in Atlanta, Georgia (BBB report here). Their web site gives an indication as to exactly what this spam is about:
NameDiscoverer™ helps clients add net new contacts to their lists by utilizing our proprietary search technology to identify, gather and verify contacts and provide their titles and business email addresses.
SmartSender™ is our state-of-the-art email deployment platform that rotates and pulses emails over multiple servers so your emails never get filtered out as part of a bulk send.
eDNA™ helps companies add fresh, deliverable B2B email addresses to their lists using our proprietary technology - not by matching to an existing, tired list of emails off the shelf.
This describes the spam probe exactly, it is using existing contact details to try to form a valid email address, and then probe it from several different IP addresses to try to bypass spam filters.
In my personal opinion, this is unethical and arguably illegal as the spam is indeed part of a commercial offering. If you receive spam from this outfit, you should report it to their hosting providers. I also recommend complaining to the BBB if you are in the US.
Just for reference the mail headers involved are as follows:
Received: from mx.verif1cationtime4.com ([174.142.85.218])
by ---------- with esmtp (Exim 4.69)
id 1SEwkh-0006gp-2Y
for ----------; Tue, 03 Apr 2012 06:58:00 +0100
Received: from 208.115.221.34
by mail.3vermethod.com (Merak 8.9.1) with ASMTP id NJW04750
for <---------->; Tue, 03 Apr 2012 01:45:50 -0400
Status:
Message-ID: <20120403014518.8b1d3b8d2d@3b5e>
From: "Roy Johnson"
To: ----------
Date: Tue, 3 Apr 2012 01:45:18 -0400
X-Priority: 3
X-Mailer: SkillCaster
MIME-Version: 1.0
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on
----------
X-Spam-Level:
X-Spam-Status: No, score=0.0 required=5.0 tests=none autolearn=disabled
version=3.2.5
Subject: Info in regard to keeping well.
Content-Type: text/plain;
charset="us-ascii"
Content-Transfer-Encoding: 7bit
Delivered-To: ----------
Labels:
Spam
Monday, 2 April 2012
US Airways Spam / 174.140.171.173
This spam appears to be from US Airways, but it actually leads to malware on 174.140.171.173.
The link goes through a couple of legitimate hacked sites and ends up at 174.140.171.173/showthread.php?t=73a07bcb51f4be71 which contains a malicious payload. This IP is hosted by Directspace in the US.
From: US Airways - Reservations support@myusairways.com
Date: 2 April 2012 15:15
Subject: US Airways online check-in confirmation.
You have to check in from 24 hours and up to 60 minutes before your flight (2 hours if you're flying abroad). After that, all you need to do is print your boarding pass and proceed to the gate.
Confirmation code: 778136
Check-in online: Online reservation details
Flight
7557
Departure city and time
Washington, DC (DCA) 10:00PM
Depart date: 4/5/2012
We are committed to protecting your privacy. Your information is kept private and confidential. For information about our privacy policy visit usairways.com.
US Airways, 111 W. Rio Salado Pkwy, Tempe, AZ 85281 , Copyright US Airways , All rights reserved.
The link goes through a couple of legitimate hacked sites and ends up at 174.140.171.173/showthread.php?t=73a07bcb51f4be71 which contains a malicious payload. This IP is hosted by Directspace in the US.
Labels:
Malware,
Spam,
US Airways,
Viruses
Saturday, 31 March 2012
txt4aloan.co.uk SMS spam / Sellers Griffin Ltd
I hate SMS Spam.. this one is particularly annoying.
In this case the sender was +447867397593 although this will probably change when the number gets blocked by the networks.
So who are txt4aloan.co.uk? Well, that's actually a bit unclear because their website claims that they are Sellers Griffin Ltd, and a quick check at Companies House reveals that there is indeed such a firm at the address they claim:
SELLERS GRIFFIN LIMITED
PEEL HOUSE
30 THE DOWNS
ALTRINCHAM
CHESHIRE
WA14 2PX
Sellers Griffin Ltd appears to be owned by someone called Will King. Essentially, this is a lead generator company who think that SMS spam is an appropriate way to drum up business.
However, the WHOIS details for the txt4aloan.co.uk website are completely different:
Domain name:
txt4aloan.co.uk
Registrant:
Inter Financial Ltd
Registrant type:
Unknown
Registrant's address:
Mont Crevelt House
St Sampson
Guernsey
GY2 4LH
United Kingdom
That's a completely different company from Sellers Griffin, again it really does exist (and it has its own website on inter-financial.co.uk). Why are there two unrelated entities? It beats us, but it certainly is odd.
Anyway.. a closer look at txt4aloan.co.uk shows just what kind of company they are. Right at the bottom of the page, you can see the interest rate that they charge:
If you get one of these, you should forward the spam and the sender's number to your carrier. In the came of T-Mobile, O2 and Orange the number to report to is 7726 ("SPAM"). Vodafone customers should use 87726 ("VSPAM") and Three customers should use 37726 ("3SPAM"). Hopefully the carriers will act if there are enough complaints.
Loan update: Brand new lender, up to £1000 instant approval all online. No Fees. www.txt4aloan.co.uk Cash within 15 mins. Any credit ok. To opt out reply stop.
In this case the sender was +447867397593 although this will probably change when the number gets blocked by the networks.
So who are txt4aloan.co.uk? Well, that's actually a bit unclear because their website claims that they are Sellers Griffin Ltd, and a quick check at Companies House reveals that there is indeed such a firm at the address they claim:
SELLERS GRIFFIN LIMITED
PEEL HOUSE
30 THE DOWNS
ALTRINCHAM
CHESHIRE
WA14 2PX
Sellers Griffin Ltd appears to be owned by someone called Will King. Essentially, this is a lead generator company who think that SMS spam is an appropriate way to drum up business.
However, the WHOIS details for the txt4aloan.co.uk website are completely different:
Domain name:
txt4aloan.co.uk
Registrant:
Inter Financial Ltd
Registrant type:
Unknown
Registrant's address:
Mont Crevelt House
St Sampson
Guernsey
GY2 4LH
United Kingdom
That's a completely different company from Sellers Griffin, again it really does exist (and it has its own website on inter-financial.co.uk). Why are there two unrelated entities? It beats us, but it certainly is odd.
Anyway.. a closer look at txt4aloan.co.uk shows just what kind of company they are. Right at the bottom of the page, you can see the interest rate that they charge:
Representative 1737% APRNo.. that's not 17.37%, that's one thousand, seven hundred and thirty-seven percent interest. No wonder they can afford to send out random SMS spam for that kind of money..
If you get one of these, you should forward the spam and the sender's number to your carrier. In the came of T-Mobile, O2 and Orange the number to report to is 7726 ("SPAM"). Vodafone customers should use 87726 ("VSPAM") and Three customers should use 37726 ("3SPAM"). Hopefully the carriers will act if there are enough complaints.
Friday, 30 March 2012
USPS Spam / 174.140.163.119
And there's yet another USPS spam doing the rounds, this time the malicious payload is on 174.140.163.119 (Directspace US, report here).
Block access to that IP if you can.
Block access to that IP if you can.
USPS Spam / 50.116.19.155
Yet another USPS spam is doing the rounds, this time leading to a malicious payload on 50.116.19.155.
The malicious payload is on 50.116.19.155/data/ap2.php?f=4203d and 50.116.19.155/showthread.php?t=73a07bcb51f4be71 (report here) hosted by Linode.
Date: Fri, 30 Mar 2012 13:47:28 +0200
From: "Danielle Connor" [USPS_Shipping_Services@usps.com]
Subject: Your USPS shipment postage labels receipt.
Acct #: 7112220
Dear client:
This is an email confirmation for your order of 2 online shipping label(s) with postage. We will charge you the following amount:
Transaction Number: #2056017
Print Date/Time: 03/14/2012 02:30 AM CST
Postage Amount: $25.69
Credit Card Number: XXXX XXXX XXXX XXXX
Priority Mail Regional Rate Box B # 4065 2488 7608 7525 8269 (Sequence Number 1 of 1)
If you need further information, please log on to www.usps.com/clicknship and go to your Shipping History or visit our Frequently Asked Questions .
You can refund your unused postage labels up to 14 days after the issue date by logging on to your Click-N-Ship Account.
Thank you for choosing the United States Postal Service
Click-N-Ship: The Online Shipping Solution
Click-N-Ship has just made on line shipping with the USPS even better.
New Enhanced International Label and Customs Form: Updated Look and Easy to Use!
* * * * * * * *
This is a post-only message
The malicious payload is on 50.116.19.155/data/ap2.php?f=4203d and 50.116.19.155/showthread.php?t=73a07bcb51f4be71 (report here) hosted by Linode.
Thursday, 29 March 2012
USPS Spam / 50.56.208.113
Currently there is an email attack running similar to this one earlier today, but in this case the malware is on 50.56.208.113:8080/showthread.php?t=73a07bcb51f4be7 (report here), hosted on Slicehost in the US. Another Slicehost IP to block!
USPS Spam / clearschooner.com
Another USPS spam leading to malware on clearschooner.com:
The malware is on clearschooner.com/showthread.php?t=73a07bcb51f4be71 (report here), hosted on 50.116.50.82 (Linode, US). Blocking the IP will prevent other malcious sites on the same IP from being a problem.
Date: Thu, 29 Mar 2012 09:02:35 -0300
From: "Leonardo Randolph" [USPS_Shipping_Services@usps.com]
Subject: Your USPS shipment postage labels receipt.
Acct #: 8481973
Dear client:
This is an email confirmation for your order of 1 online shipping label(s) with postage. Your credit card will be charged the following amount:
Transaction ID: #2392415
Print Date/Time: 03/13/2012 02:30 AM CST
Postage Amount: $41.63
Credit Card Number: XXXX XXXX XXXX XXXX
Priority Mail Regional Rate Box B # 0354 0258 5729 7186 4971 (Sequence Number 1 of 1)
For further information, please log on to www.usps.com/clicknship and go to your Shipping History or visit our Frequently Asked Questions .
You can refund your unused postage labels up to 14 days after the issue date by logging on to your Click-N-Ship Account.
Thank you for choosing the United States Postal Service
Click-N-Ship: The Online Shipping Solution
Click-N-Ship has just made on line shipping with the USPS even better.
New Enhanced International Label and Customs Form: Updated Look and Easy to Use!
* * * * * * * *
This is an automatically generated message. Please do not respond
The malware is on clearschooner.com/showthread.php?t=73a07bcb51f4be71 (report here), hosted on 50.116.50.82 (Linode, US). Blocking the IP will prevent other malcious sites on the same IP from being a problem.
Subscribe to:
Posts (Atom)