mskoblastionline.ru - malicious spam goes nuts

The malicious spam pushers are trying very hard today to drive traffic to their malware site on mskoblastionline.ru with a variety of familiar-looking spam emails:

Date:      Wed, 15 Aug 2012 01:20:05 -0400
From:      CarinaRue@mail.com
Subject:      Fwd: Wire Transfer (1408EA58)
Attachments:     Wire_Transfer_N839.htm

Dear Operator,

WIRE TRANSACTION: AC-961141236714971

STATUS: CANCELLED

You can find details in the attached file.

==========

Date:      Wed, 15 Aug 2012 10:51:49 -0500
From:      "LEILANI Roe" [RoeRmLEILANI@hotmail.com]
Subject:      Fwd: Re: Wire Transfer Confirmation
Attachments:     Wire_Transfer_N839.htm

Dear Operator,

WIRE TRANSACTION: AC-6427060719674502

STATUS: CANCELLED

You can find details in the attached file.

==========


Date:      Wed, 15 Aug 2012 12:31:44 +0300
From:      sales1@victimdomain.com
Subject:      Re: Your Flight US 34-4827
Attachments:     FLIGHT_TICKET_US1650023.htm

Dear Customer,

FLIGHT NUMBER 42463-8276

DATE/TIME : SEPT 27, 2012, 11:12 PM

ARRIVING AIRPORT: SAN-DIEGO AIRPORT

PRICE : 449.06 USD

Your bought ticket is attached to the letter as a scan document .

To use your ticket you should print it.

ESMERALDA KNUTSON,

==========

Date:      Wed, 15 Aug 2012 08:06:14 +0100
From:      Collene Varner via LinkedIn [member@linkedin.com]
Subject:      Fwd: Re: Your Flight US 65-46595
Attachments:     FLIGHT_TICKET_US284399461.htm

Dear Customer,

FLIGHT NUMBER 4108-2738

DATE/TIME : SEPT 21, 2012, 10:15 PM

ARRIVING AIRPORT: SAN-DIEGO AIRPORT

PRICE : 083.97 USD

Your bought ticket is attached to the letter as a scan document .

To use your ticket you should print it.

Abeni PINA,

==========

Date:      Wed, 15 Aug 2012 00:50:03 -0800
From:      LinkedIn [welcome@linkedin.com]
Subject:      Fwd: Better Business Bureau Complaint
Attachments:     Complaint_ID45JG836043169.htm

Good afternoon,

Here with the Better Business Bureau would like to inform you that we have received a complaint (ID 1630630165) from a customer of yours in regard to their dealership with you.

Please open the COMPLAINT REPORT attached to this email (open with Internet Explorer/Mozilla Firefox) to view the details on this issue and suggest us about your position as soon as possible.

We hope to hear from you shortly.

Regards,

KARRI PENA

Dispute Counselor

Better Business Bureau

==========


Date:      Wed, 15 Aug 2012 04:02:26 +0600
From:      Ashley Madison [donotreply@ashleymadison.com]
Subject:      Re: Better Business Bureau Complaint
Attachments:     Complaint_N35XL147712.htm

Good afternoon,

Here with the Better Business Bureau would like to inform you that we have received a complaint (ID 63959031295)
from a customer of yours in regard to their dealership with you.

Please open the COMPLAINT REPORT attached to this email (open with Internet Explorer/Mozilla Firefox) to view the details on this issue and suggest us about your position as soon as possible.

We hope to hear from you shortly.

Regards,

CONNIE DORAN

Dispute Counselor

Better Business Bureau

==========

Date:      Wed, 15 Aug 2012 05:31:19 -0500
From:      LinkedIn Connections [connections@linkedin.com]
Subject:      Re: Fwd: Better Business Bureau Complaint
Attachments:     Complaint_ID61Zu4932887.htm

Good afternoon,

Here with the Better Business Bureau would like to inform you that we have received a complaint (ID 501379901) from a customer of yours in regard to their dealership with you.

Please open the COMPLAINT REPORT attached to this email (open with Internet Explorer/Mozilla Firefox) to view the details on this issue and suggest us about your position as soon as possible.

We hope to hear from you shortly.

Regards,

Romeo Keyes

Dispute Counselor

Better Business Bureau

The malicious payload is at [donotclick]mskoblastionline.ru:8080/forum/showthread.php?page=5fa58bce769e5c2c (report here) hosted on the following IPs:


50.56.92.47 (Slicehost, US)
190.120.228.92 (Infolink, Panama)
203.80.16.81 (Myren, Malaysia)


The following IPs and domains are all connected and should be blocked:
50.56.92.47
190.120.228.92
203.80.16.81
spb-koalitia.ru
gorysevera.ru
sergikgorec.ru
mskoblastionline.ru
kefrikin.ru
pussyriotss.ru
ashanrestaurant.ru
panamamoskow.ru
mirdymas.ru

"Federal Tax" spam / wireframeglee.info

This tax-themed spam leads to malware on wireframeglee.info:

Date:      Tue, 14 Aug 2012 15:21:33 +0200
From:      "Internal Revenue Service" [alerts@irs.gov]
Subject:      Rejected Federal Tax transfer

Your Tax payment (ID: 38969777924999), recently sent from your checking account was returned by the The Electronic Federal Tax Payment System.

Rejected Tax transaction
Tax Transaction ID:     38969777924999
Return Reason     See details in the report below
Tax Transaction Report     tax_report_38969777924999.doc (Microsoft Word Document)


Internal Revenue Service, Metro Plex 1, 8401 Corporate Drive, Suite 300, Landover, MD 20785

==========

Date:      Tue, 14 Aug 2012 13:31:21 +0000
From:      "Internal Revenue Service" [support@irs.gov]
Subject:      Federal Tax payment canceled

Your federal Tax payment (ID: 903463682456), recently from your bank account was rejected by the your financial institution.

Rejected Tax transfer
Tax Transaction ID:     903463682456
Reason of rejection     See details in the report below
FederalTax Transaction Report     tax_report_903463682456.doc (Microsoft Word Document)


Internal Revenue Service, Metro Plex 1, 8401 Corporate Drive, Suite 300, Landover, MD 20785

==========


Date:      Tue, 14 Aug 2012 14:42:19 +0200
From:      "Internal Revenue Service" [noreply@irs.gov]
Subject:      Your Federal Tax transaction

Your Tax transaction (ID: 80110764248536), recently initiated from your checking account was returned by the your Bank.

Canceled Tax transaction
Tax Transaction ID:     80110764248536
Reason of rejection     See details in the report below
FederalTax Transaction Report     tax_report_80110764248536.doc (Microsoft Word Document)

Internal Revenue Service, Metro Plex 1, 8401 Corporate Drive, Suite 300, Landover, MD 20785

The malicious payload is at [donotclick]wireframeglee.info/main.php?page=39630332cf486f5a (report here) hosted on 78.87.123.114 (CYTA, Greece) which has been seen several times lately and should be blocked if you can.

"We can not charge your credit card" spam / kefrikin.ru

This spam pretends to be from Amazon. Or UPS. Or perhaps both. Anyway, it leads to malware on kefrikin.ru:


Date:      Tue, 14 Aug 2012 05:26:05 +0200
From:      "ups" [mail@ups.com]
Subject:      We can not charge your credit card
Attachments:     Amazon_Invoice.htm

    Your Account | Help
Your credit card was blocked.
We tried to withdraw money from your credit card, but your bank decline it. In the attachment you will be found a invoice from your last order. Please pay this invoice as soon as possible.

Conditions of Use Privacy Notice � 1996-2012, Amazon.com, Inc. or its affiliates

The attachment Amazon_Invoice.htm is malicious and it attempts to download a malicious script from [donotcick]kefrikin.ru:8080/forum/showthread.php?page=5fa58bce769e5c2c (report here) hosted on the following IPs (which have all been used for malware distribution several times):

190.120.228.92
199.71.212.78
203.80.16.81

Even more malware sites to block on 194.28.115.150

More evil sites to block on 194.28.115.150 (Specialist ISP) following on from these:

idi42nga.rr.nu
kprud89entia.rr.nu
hin66gof.rr.nu
iste03dengi.rr.nu
hing30emplo.rr.nu
ize84dso.rr.nu
ind42icat.rr.nu
lack33andw.rr.nu

"Scan from a Xerox WorkCentre Pro" spam / mirdymas.ru

This spam leads to malware on mirdymas.ru:

From: messages-noreply@bounce.linkedin.com [mailto:messages-noreply@bounce.linkedin.com] On Behalf Of LinkedIn Password
Sent: 13 August 2012 08:59
Subject: Fwd: Re: Re: Scan from a Xerox WorkCentre Pro #9484820

A Document was sent to you using a XEROX WorkJet OP578636.


SENT BY : JIN
IMAGES : 1
FORMAT (.JPEG) DOWNLOAD

DEVICE: 109A62DS953L

The malicious payload is at [donotclick]mirdymas.ru:8080/forum/showthread.php?page=5fa58bce769e5c2 (report here) hosted on the following familiar IP addresses:

46.51.218.71 (Amazon, Ireland)
71.89.140.153 (Cloudaccess.net, US)
203.80.16.81 (Myren, Malaysia)

Blocking access to these IPs will prevent other malicious sites on the same servers from being a problem.

Something evil on 178.63.195.128/26

The IP address range 178.63.195.128/26 nominally belongs to grey hat host Hetzner in Germany, although it has been reallocated to a registrant in Israel. This block recently came up as the source for a ZeroAccess infection picked up from 178.63.195.170.

A look at the 178.63.195.128/26 range (178.63.195.128 - 178.63.195.191) shows several suspicious websites with domains apparently generated by DoItQuick (more info here). Most of the domains are too new to have any reputation, although given the live distribution of malware and the randomly chosen names then they are unlikely to be doing anything nice.

Also, I notice that quite a lot of suspect sites have recently been moved from this range to point at 127.0.0.1 instead, a common trick when malcious domains needs to be pointed somewhere else quickly.

The registrant for this block is:

 inetnum:         178.63.195.128 - 178.63.195.191
netname:         R5X
descr:           r5x
country:         DE
admin-c:         TG3863-RIPE
tech-c:          TG3863-RIPE
status:          ASSIGNED PA
mnt-by:          HOS-GUN
source:          RIPE # Filtered

person:          Tomas Gailiavicius
address:         r5x
address:         Kalinina 47-71
address:         188760 Priozersk
address:         RUSSIAN FEDERATION
phone:           +79876960550
nic-hdl:         TG3863-RIPE
mnt-by:          HOS-GUN
source:          RIPE # Filtered

178.63.195.163
altspanning.org
atherosplaylists.org
betasreceivable.org
bringsgrade.org
contenderfilesplitting.org
csidisengage.org
designercomcast.org
encouragesprosuite.org
excellentinvolving.org
firefoxorbitz.org
harvardhqv.org
journalcleanup.org
musicmakingranging.org
ndascontinuum.org
netbiosmediocre.org
originatingcomplicated.org
outlinedpart.org
pantspool.org
preciselycolormatching.org
rantcloned.org
sciencehearted.org
splitnearparent.org
threeparagraphrequirements.org
undeniableblues.org
upscalingfinalproduction.org
vhsintellectual.org
violationsmazes.org
weekendshadows.org
wellthoughtoutestablish.org
workforcefortunately.org

178.63.195.167
builtvaults.org
crystaljacket.org
photomanagementheadhunternet.org
spywareonlyadept.org
starshapedoutstanding.org
static-globe.info

178.63.195.168
bentowe.org
catchespayoff.org
connect4free.in
dvstitems.com
eeechock.org
flyeralone.info
flyersregard.com
free2connect.org
free4connect.org
hatssystem.org
internalpackaged.info
interviewsyamaha.org
operateriot.org
packageswml.info
playerhill.info
successfulmpfs.org
tetrisbroaden.com
zippedjump.com

178.63.195.170
abroad.name
cloud18.name
crimson25.name
dr4ms.name
du5t.name
fakejoke.name
fastservice.name
hlops.name
r0cket.name
ramaro.name
sameday.name
strongalc.name

178.63.195.171
bedtimeblues.org
book-placed.info
bookpart.info
bookpedias.info
bookposters.info
bookposts.info
builderviral.org
jeat-services.info
jeatservices.info
jeatstore.info
jetpremiums.info
jetsbookings.info
krym-house.info
krym-invest.info
krym4x4.info
krymvip-avto.info
krymzakupka.info
netledgerstumblrs.org
teatr-benefis.info
teatrbilet.info
teatrflowers.info
teatrglas.info
teatrgroup.info
trust-spb.info
truthbearers.info
trutrance.info
trworkshop.info
tryfxdata.info

Also these domains appear to be deactivated by pointing them to 127.0.0.1, but you might want to block them just in case:
addonsthoughultrasharp.info
adjustmentsmarginal.info
affectingmacrobiotics.org
alternatelylaughs.info
amalgamie.org
androidstwothirds.info
appleawardwinningstarshaped.info
attractionintrusive.org
aufdeal.info
blurbswatermarks.org
boltsmaking.info
caligarisflipboard.org
circlekidlandias.org
citegologo.org
cleanerspreview.info
collagesenjoyed.info
compensateversamail.info
computercontrolledtelsurf.info
conducivesnag.org
createasimfreemium.info
criesvendor.info
csspoets.info
curiousrebuilding.info
deletingpricelinecom.org
dependentssecond.org
desksorganize.org
didcontinuous.org
discoveredshuts.info
discussioncommentingmonths.info
disqushomepremier.info
embracedpreset.info
endurancescream.info
enforcesfinetune.org
epublishingtodays.info
exploredestabilized.info
extendscrosscountry.org
feedsproxystyle.org
filesyncingenigmatic.org
founderslogin.info
friendshipinterrupt.org
grandmasterpre.org
gunsgml.info
heftyends.info
idlpatterns.org
inboxtie.org
inputsecho.info
invoicedimplementations.info
javacentricunencumbered.org
kevinverizon.info
legalzoomspeak.org
licensedcrispest.org
likingmodule.info
lingeriegiftgiving.org
lodebombermonster.org
machinesruns.info
merchandiseorderingcommerce.org
mixedprone.info
mobileslockeddown.org
mouthmindmanager.org
mydocumentsredirected.info
myspaceatsale.org
namepasswordcobble.info
nanimatedpaperclip.info
notificationloose.org
obihaiwebfriendly.org
omissioncurve.info
onboardstougher.info
onchipimpressively.info
oneoffsynched.info
outshineresearcher.info
ownorcleared.info
pairautoupdate.info
permittighter.org
pimsluernarrating.info
programundo.org
realarcadeextranet.org
reallifeinformation.org
referjustifies.org
relinquishfloated.org
removersitevalidation.info
resettingeyeopening.info
ripoffsfliers.info
roadtripearlier.info
rocfloating.org
sanknowledge.info
selfemployedspeed.info
sierrastorms.org
silenceshalls.info
softpedalswav.info
solitaryorions.org
southmouse.org
specimenfortunate.info
spellingsurfinshield.info
sportsbare.info
stateforbid.org
staticmarkets.org
steveapprovals.org
stumbledunrooted.info
stylizeawarded.info
submenusonlineoriented.info
supplantbriefly.org
suspendersnine.org
textuallythrifty.org
tiabberation.info
touchtypinglower.org
treasuregiftgiving.org
turningcustomized.info
underlinedavira.org
uniquenesstrademarks.info
visibilityprerecorded.info
wavernewlyminted.org
wellasideallotted.org

More malware sites to block on 184.82.162.163 and 184.22.103.202

These domains are on 184.82.162.163 and 184.22.103.202, recently used in some injection attacks.

local-dns.org
lertionk15.be

More malware sites to block on 54.245.115.106

More bad stuff in Amazon's cloud, this time on 54.245.115.106  which already hosts these other malware sites. Block the IP if you can, else block these news domains in addition to these.

fbqdazvojhyc.info
mrqfxznhke.info
wcgqelbpvdn.info
hbiewmkjdytr.info

More malware sites to block on 81.17.24.69

A follow up to this post, 81.17.24.69 (Private Layer Inc, Switzerland) now hosts some additional malware domains that you should block if you can't block the IP address:

ose-para-tek-ines.org
oseparatekines.org
ose-para-tek-ines.net

Intuit.com spam / ashanrestaurant.ru

This fake Intuit spam leads to malware on ashanrestaurant.ru:

Date:      Fri, 10 Aug 2012 09:03:06 -0300
From:      Ashley Madison [donotreply@ashleymadison.com]
Subject:      Your Intuit.com software order.
Attachments:     Intuit_Order-N15090.htm

Dear customer: Thank you for ordering from Intuit Market. We are processing and will message you when your order ships. If you ordered multiple items, we may sned them in more than one delivery (at no extra cost to you) to ensure quicker delivery. If you have questions about your order please call 1-900-364-2935 ($1.29/min).
ORDER INFORMATION
Please download your complete order id #3262340 from the attachment.(Open with Internet Explorer)
�2012 Intuit, Inc. All rights reserved. Intuit, the Intuit Logo, Quickbooks, Quicken and TurboTax, among others, are registered trademarks of Intuit Inc.

The malicious payload is at [donotclick]shanrestaurant.ru:8080/forum/showthread.php?page=5fa58bce769e5c2c (report here) hosted on the following familiar-looking IPs that should be blocked if you can:

203.80.16.81
190.120.228.92

"Verify your order" / yrikdhxzwo.org

This spam leads to malware on yrikdhxzwo.org:

Date:      Fri, 10 Aug 2012 13:43:57 +0200
From:      "New order" [8A4EDCFB@williamsvilla.com]
To:      [redacted]
Subject:      Verify your order

Dear [redacted],

please verify your order #809910 at http://simplythebestevents.com/wp-content/plugins/mm-forms-community/upload/temp/tracking17948.php?user_id=[redacted]&order_id=8D17821C359

We hope to see you again soon!

The malicious payload is at [donotclick]yrikdhxzwo.org/main.php?page=3f19233d6515cd5d (the payload is defying analysis at the moment), hosted on 54.245.115.156 (Amazon, US). The domain btgjoulrys.info is also on the same server and can be safely assumed to be malicious.

Fake job domains 10/8/12

A bit of an oddity here - I noticed a marked uptick in people searching for very old fake job domains that had expired. It turns out that the scammers are back (probably the Lapatasker crew), and lazily they have just re-registered their old domains. Current ones doing that rounds that you should avoid are:

americafindjob.com
arbetase.com
career-depart.com
careerin-finance.com
espanajob.com
eurojobbnet.com
eurojobcouk.com
eurojobscouk.com
europ-consult.com
jobbankinusa.com
readycarts.com
top10jobbs.com
ukitcareer.com
usaitcareers.com

wetter.com compromised? oseparatekines.net and 81.17.24.69

The weather site wetter.com is the 25th most popular site in Germany (and nukber 602 in the world) according to Alexa.

Right at the moment there appears to be a compromised ad being served up by billabong3.wetter.com  redirecting to a exploit kit on [donotclick]oseparatekines.net/forum/index.php?showtopic=903878 hosted on 81.17.24.69 which is apparently hosted in Switzerland, belonging to a small netblock as follows:

inetnum:         81.17.24.64 - 81.17.24.95
netname:         CLIENT2391
descr:           CLIENT2391
country:         CH
admin-c:         JP5315-RIPE
tech-c:          JP5315-RIPE
status:          ASSIGNED PA
mnt-by:          KP73900-MNT
source:          RIPE # Filtered

person:          James Prado
address:         Torres De Las Americas Torre C Floor 29 Suite 2901 Panama City, Panama
phone:           +5078365602
nic-hdl:         JP5315-RIPE
mnt-by:          KP73900-MNT
source:          RIPE # Filtered

route:           81.17.16.0/20
descr:           Ripe Allocation
origin:          AS51852
mnt-by:          KP73900-MNT
source:          RIPE # Filtered

The following domains are hosted on that IP address and you should assume they are malicious:
pilotjobsingrash.org
oseparatekines.org
onlineswotchers.org
fishersmansslow.org
oseparatekines.com
swstockhers.com
pilotjobsingrash.in
pilotjobsingrash.info
webswedish.info
oseparatekines.net
onlineswotchers.net

The entire 81.17.24.64/27 range looks suspicious in my opinion. Blocking that range would probably be prudent.

You can see the full script that is being used in the attack here - http://pastebin.com/CMuUm05f

Yet more malware sites to block on 194.28.115.150

Another batch of malware sites to block on 194.28.115.150 following on from these.. although to be franking, blocking access to 91.211.200.0/22  and 194.28.112.0/22 (Specialist ISP) plus all .rr.nu domains would be even better.

uresre17covered.rr.nu
ented89cable.rr.nu
erstor69msconse.rr.nu
gph46ili.rr.nu
nsu83lti.rr.nu
entl77ymail.rr.nu
rren48tlyvo.rr.nu
ersinq54uiries.rr.nu
sgradu88atevis.rr.nu
arrayt78emperat.rr.nu
ieddis18tribut.rr.nu

"Verify your order" spam / qapskhnxlfuc.info

This spam leads to malware on qapskhnxlfuc.info:

Date:      Thu, 09 Aug 2012 21:25:41 +0200
From:      "New order" [30F5DC6@tendbeyond.com]
To:      [redacted]
Subject:      Verify your order

Dear [redacted],

please verify your order #447256 at http://mailnegnu.com/FlashSoundNew/welcome19205.php?user_id=[redacted]&order_id=1EDDB29B4E

We hope to see you again soon!

The malicious payload is at [donotclick]qapskhnxlfuc.info/main.php?page=3f19233d6515cd5d (http://wepawet.iseclab.org/view.php?hash=0192c837b292369c4205be3b8fbd34b9&t=1344548568&type=jshttp://wepawet.iseclab.org/view.php?hash=0192c837b292369c4205be3b8fbd34b9&t=1344548568&type=js) hosted on 54.245.115.106 (Amazon.com, US) along with the following domains that you can also assume are malicious:

keopsyc.org
ydxmzbrnjoqc.info
pjldxysgnfh.info
bfkepzvscyjh.info
drogiyfwan.info
vkycwjqdrn.info
zutacxsyiq.info
dnytximqszfr.info
wexnfvciumr.info
wfzijmubdgtv.info
nkcxlmgzuhw.info
fzblvmwoix.info
diocqvenmxz.info

"Your Photos" spam / gorysevera.ru

Another round of "Your photos" spam is in the offing, with a malicious payload on [donotclick]gorysevera.ru:8080/forum/showthread.php?page=5fa58bce769e5c2c (report here) hosted on the following IPs that have been seen several times before lately:

190.120.228.92 (Infolink, Panama)
203.80.16.81 (Myren, Malaysia)

Malware sites to block 9/8/12

Something nasty doing the rounds..you might want to block:

184.82.162.163
184.22.103.202

reslove-dns.com
10ba.com
dns-local.org
wesaf341.org
windows-update-server.com
wsef32asd1.org

Malware on panamamoskow.ru

I'm not sure of the particular nature of the spam run involved (it is possibly a UPS themed attack), but there's a campaign underway with a malicious payload on [donotclick]panamamoskow.ru:8080/forum/showthread.php?page=5fa58bce769e5c2c (report here) hosted on the following IPs:

178.33.106.254 (OVH, France)
190.120.228.92 (Infolink, Panama)

Blocking access to those IPs will prevent other malicious domains on the same server from being a threat.

More malware sites to block on 194.28.115.150

Yet more malware sites hosted on the same IP of 194.28.115.150 address from black hat host Specialist ISP in Transnistria, in addition to these and these. Blocking their entire ranges of 91.211.200.0/22  and 194.28.112.0/22 could save you a lot of grief.

vat19ica.rr.nu
rtr83eaga.rr.nu
utur33esma.rr.nu
rho99dena.rr.nu
sori10gina.rr.nu
spons91orapa.rr.nu
stingh58ousedra.rr.nu
rpci22nsta.rr.nu
slat80edeb.rr.nu
rmil91annob.rr.nu
ttedbr13oadplac.rr.nu
stric59tionac.rr.nu
rsob51stac.rr.nu
tssi48lenc.rr.nu
rned93airc.rr.nu
wishp97roduc.rr.nu
rop67ded.rr.nu
velysu88pported.rr.nu
tow03ard.rr.nu
urist44anford.rr.nu
stim49atesd.rr.nu
ting41peace.rr.nu
reser76veacce.rr.nu
stenn82essee.rr.nu
tro50lle.rr.nu
urech03rysle.rr.nu
rpl51ane.rr.nu
tsre36fere.rr.nu
rsgua98rante.rr.nu
sac11tive.rr.nu
rssol40elyhig.rr.nu
rmee55ting.rr.nu
sdoo02rdaug.rr.nu
rsqbsi32mplersh.rr.nu
ilsa05mpli.rr.nu
tfun34dedmi.rr.nu
rizat57ionmi.rr.nu
rov75isi.rr.nu
topse63curiti.rr.nu
tingsi83llegal.rr.nu
tid69rugm.rr.nu
robert62sultim.rr.nu
tion96gamm.rr.nu
tigato91rsonesm.rr.nu
teract53borlan.rr.nu
teb84ran.rr.nu
turere98presen.rr.nu
ssent69encin.rr.nu
rtro39ommin.rr.nu
ydet43ermin.rr.nu
ute37drin.rr.nu
tadve42rtisin.rr.nu
rre52nwin.rr.nu
ston80esco.rr.nu
shel27lsco.rr.nu
tton77stheo.rr.nu
sgill34ettewo.rr.nu
yield83ingap.rr.nu
wind89scomp.rr.nu
yin78gsp.rr.nu
ssdel12iversp.rr.nu
ustg99ener.rr.nu
steal73gener.rr.nu
sea12tfr.rr.nu
rgye90xpor.rr.nu
urroun55dingpr.rr.nu
riv58erpr.rr.nu
tici69ansr.rr.nu
uncert96aintyr.rr.nu
reque26ncies.rr.nu
ylor83cons.rr.nu
sframe80scarlos.rr.nu
zar00dous.rr.nu
tpro52duct.rr.nu
saryho39pingit.rr.nu
siveu11nlimit.rr.nu
striki53ngbent.rr.nu
state60potent.rr.nu
uff84erst.rr.nu
veacce31ssedrev.rr.nu
tandin81gfairv.rr.nu
ushed29isdrex.rr.nu
sre80pay.rr.nu

Update: a couple of new ones via the ISC:
tentsf05luxfig.rr.nu
ksstar.rr.nu

Malware sites to block on 194.28.115.150

This is an updated list of evil domains on 194.28.115.150 (Specialist ISP in Transnistria). Blocking all of 194.28.112.0 - 194.28.115.255 (194.28.112.0/22) is the best idea, and blocking traffic to .rr.nu ain't a bad one either. But if you can only block by domains names then this is the latest list of malware-laden sites to avoid:

xinthesidersdown.com
sweepstakesandcontestsdo.com
ens122zzzddazz.com
ssi11fica.rr.nu
ari55nea.rr.nu
sre13vea.rr.nu
tartis78tscolla.rr.nu
djust16scotla.rr.nu
courie90rhydra.rr.nu
idaysc65artera.rr.nu
x1010thta.rr.nu
ealis86ticeva.rr.nu
sfl20ewwa.rr.nu
rece76iptsb.rr.nu
xvarfo29urdayec.rr.nu
res11tric.rr.nu
ake60rsc.rr.nu
like90varyc.rr.nu
popre01versed.rr.nu
atr56aid.rr.nu
mentme03talsind.rr.nu
rasvi52llage.rr.nu
inglon03grange.rr.nu
senior78custome.rr.nu
sbandb46aninve.rr.nu
surpr54iseove.rr.nu
tes364rdaf.rr.nu
seamer47icadiff.rr.nu
veryt17hingof.rr.nu
ailway42staging.rr.nu
didat35egraph.rr.nu
nals02south.rr.nu
tampas71overei.rr.nu
ekendd69espitei.rr.nu
funct78ionali.rr.nu
artyi03nflati.rr.nu
ofess10ional.rr.nu
ful26qual.rr.nu
var64iabl.rr.nu
ins62ail.rr.nu
orig10inall.rr.nu
ulty75cream.rr.nu
lco16mpan.rr.nu
refi88nedn.rr.nu
ariney05aleteen.rr.nu
ital10namen.rr.nu
ymi87nin.rr.nu
olddo85esgoin.rr.nu
reque83ntlyin.rr.nu
atchp64ension.rr.nu
ional93phaco.rr.nu
eathin54gcashdo.rr.nu
ati31ngpo.rr.nu
atsda53ngero.rr.nu
ein77gyo.rr.nu
getth82rowapp.rr.nu
tsoc11ketp.rr.nu
vin04gup.rr.nu
tsroy47alpar.rr.nu
eri56orar.rr.nu
andsto57cksstar.rr.nu
train59tsafer.rr.nu
ariae54ither.rr.nu
eighbo02rsbarr.rr.nu
ing80entr.rr.nu
brown74emphas.rr.nu
sto32rybs.rr.nu
ncom24pares.rr.nu
ctab59uwes.rr.nu
spr71ings.rr.nu
ssig49nals.rr.nu
ght91ers.rr.nu
elop28ments.rr.nu
acons09olidat.rr.nu
omp25let.rr.nu
tinc31omeu.rr.nu
cello11rassu.rr.nu
pre86view.rr.nu
ns1.hoperjoper.ru
ns2.hoperjoper.ru

123Greetings.com spam / remindingwands.org

This fake 123Greetings.com spam actually delivers malware instead, hosted on remindingwands.org:

Date:      Tue, 7 Aug 2012 16:34:21 +0200
From:      "123Greetings.com" [ecards@123greetings.com]
Subject:      New e-card for you.

Vanna amet.diam.eu@lorem.ca has just sent you an ecard from 123Greetings.com

You can view it by clicking here:
http://www.123greetings.com/send/view/999095:

Thanks to our new tracking feature, you can now access all the ecards received by you in the last 14 days.

Use the link below or copy & paste the link into your browser's address bar.
http://www.123greetings.com/connect/track

Or if you prefer you can go to http://www.123greetings.com/ and type your ecard number (0090593007) in the "Search Box" at the top right of the page.

Your ecard can be downloaded for the next 30 days.

Based on user feedback, 123Greetings.com has launched 6 new pages with the best ecards in the Most Popular/ Most Viewed/ Highest Rated/ Latest Additions/ Popular Now and Always There Sections listed on the homepage.

http://www.123greetings.com/top/most_popular.html
http://www.123greetings.com/top/most_viewed.html
http://www.123greetings.com/top/highest_rated.html
http://www.123greetings.com/top/latest.html
http://www.123greetings.com/top/popular_now.html
http://www.123greetings.com/top/always_there.html

If you need any help in viewing your ecard or any other assistance,
please visit our Help/ FAQ section at: http://help.123greetings.com/

We hope you enjoy your ecard,

Your friends at 123Greetings.com
http://www.123greetings.com

We respect your privacy. You will not be receiving any promotional emails from us
because of this ecard. To view our privacy policy, click on the link below:
http://info.123greetings.com/company/privacy_policy.html

Note: This is an auto generated mail. Please do not reply.

If you have any other problem please contact us by clicking on the following link:
http://help.123greetings.com/contact_us.html

This email was sent by 123Greetings.com, Inc., 1674 Broadway, New York, NY 10019.

The malicious payload is at [donotclick]remindingwands.org/main.php?page=861097b084221fd although at the moment it is not responding. This site is hosted on 78.87.123.114 (CYTA, Greece) which is a particularly evil IP that has been seen a lot of lately and can safely be blocked.

"Your Photos" spam / pussyriotss.ru

There's not much to the recurring "Your Photos" spam apart from some terse text and a link. In this case the spam leads to a malicious payload at [donotclick]pussyriotss.ru:8080/forum/showthread.php?page=5fa58bce769e5c2c (report here).

pussyriotss.ru? Well, if you follow the news in Russia at all then you will have heard of the Pussy Riot case. The IP addresses for pussyriotss.ru are:

190.120.228.92 (Infolink, Panama)
116.12.49.68 (Usonyx , Singapore)

These IPs are also associated with spb-koalitia.ru and a whole bunch of other badness, blocking them would be prudent.

Malware sites to block 7/8/12

A small selection of malicious domains to add to your blocklist this morning:

advancementwowcom.org
headtoheadblaster.org
searchlesswebwasher.info
voicecontroldevotes.info
swetadeline.com
threeffect.net

LinkedIn spam / headtoheadblaster.org

This LinkedIn spam attempts to load malware from headtoheadblaster.org:

Date:      Mon, 6 Aug 2012 17:07:08 +0300
From:      "LinkedIn Invitations" [invitations@linkedin.com]
To:      [redacted]
Subject:      Your friend sent you an invitation to join LinkedIn group.

  
This is a notification that on August 5, Gage Herring sent you an invitation to become part of their professional network at LinkedIn.
Accept Gage Herring Invitation
  
On August 5, Gage Herring wrote:

> To: [redacted]
>
> I'd like to add you to my professional network on LinkedIn.
>
> Gage Herring   
  
You are receiving Reminder emails for pending invitations. Unsubscribe.
� 2012 LinkedIn Corporation. 2029 Stierlin Ct, Mountain View, CA 94043, USA.

==========


Date:      Mon, 6 Aug 2012 10:02:02 -0400
From:      "LinkedIn Invitations" [invitations@linkedin.com]
To:      [redacted]
Subject:      LinkedIn inviation notificaltion.

  
This is a notification that on August 5, Daniel Martinez sent you an invitation to join their professional network at LinkedIn.
Accept Daniel Martinez Invitation
  
On August 5, Daniel Martinez wrote:

> To: [redacted]
>
> I'd like to add you to my professional network on LinkedIn.
>
> Daniel Martinez   
  
You are receiving Reminder emails for pending invitations. Unsubscribe.
� 2012 LinkedIn Corporation. 2029 Stierlin Ct, Mountain View, CA 94043, USA.

The malicious payload is at [donotclick]headtoheadblaster.org/main.php?page=f6857febef53e332 (report here) although at the time of writing it does not seem to be resolving.

"Welcome to PayPal" spam / spb-koalitia.ru

This fake PayPal spam leads to malware on spb-koalitia.ru:

Subject: Welcome to PayPal - Choose your way to pay



Welcome
Hello [victim],
Thanks for paying with PayPal.
We congratulate you with your first Paypal money transfer. But we have hold it for the moment because the amount is over the security borders of our rules.

Here is what we have on file for you. Take a second to confirm we have your correct information.
Email
[reciptient]@victimdomain.com

Confirmation Code
1509-3962-8257-3886-7087
    Transfer Information
Amount: 18217.81 $
Reciever: Marcie William
E-mail: [another-recipient]@victimdomain.com


Accept Decline

 Help Center | Security Center
Please don't reply to this email. It'll just confuse the computer that sent it and you won't get a response.
Copyright 2012 PayPal, Inc. All rights reserved. PayPal is located at 2211 N. First St., San Jose, CA 95131.
PayPal Email ID PP9335

______________________________________________________________________
This email has been scanned by the Symantec Email Security.cloud service.
For more information please visit http://www.symanteccloud.com
______________________________________________________________________

The malicious payload is on [donotclick]spb-koalitia.ru:8080/forum/showthread.php?page=5fa58bce769e5c2c (report here) hosted on the following (familiar looking IPs):

67.227.183.77 (LiquidWeb / SourceDNS, US)
203.80.16.81 (Myren Infrastructure, Malaysia)
213.170.99.11 (Quantum Communications, Russia)


The following domains and IPs are all related:
41.66.137.155
41.168.5.140
62.76.188.138
62.76.190.208
67.227.183.77
78.83.233.242
87.120.41.155
87.204.199.100
173.224.208.60
41.66.137.155
199.71.212.78
203.80.16.81
203.172.140.202
213.170.99.11

moskow-carsharing.ru
mysqlfordummys.ru
leprisoruim.ru
onerussiaboard.ru
online-gaminatore.ru
spb-koalitia.ru
zenedin-zidane.ru

autoaxident.com spam / Lalchand Sobhani

This spam is preying on people in the UK who have had a accident, but it is actually based in India. It starts off with a pitch similar to this one:

From:     UL05 UL05@app12.sarvdns.org
Reply-To:     UL05@app12.sarvdns.org
Date:     3 August 2012 17:26
Subject:     Accident Injuries

Auto Axident
Claim Comfort

    Home
    Injury / Claim types
    Contact Us

Welcome
Header Image

We are the accident claim specialists, offering free advice, downloads and access to top no win no fee personal injury solicitors.There are many types of Personal Injury like

    Road Traffic Accident
    Work Accident
    Accident at Sea
    Aircraft Accident
    Faulty Product Accident
    Hairdressing Accident
    Holiday Accident
    Medical Negligency Accident
    Public Place Accident

Did you have an injury in the last two years?
If yes, Apply for Compensation below.
Apply for Claim here
Step 1
     
   RTA ( SELF MEDICATING CLAIMANT )
     
[snipped]

© Copyright 2012 autoaxident.com. All Rights Reserved.


Powered by SARV Mail

Click here to unsubscribe

The spam leads you to a side called autoaxident.com on 174.122.93.250 which appears to belong to Confluence Networks in the UAE. The WHOIS details are privacy protected (never a good sign for this type of site). Nameservers show an Indian connection, they are dns1.bigrock.in and dns2.bigrock.in. The spam is sent through a relay service at 74.117.60.126 (lbsmtp.org, India).

The website has no contact details or privacy policy, it is basically just a collector. However, sending a query does generate a response..

from:     AnnieThomas alaska05@rediffmail.com
date:     6 August 2012 08:15
subject:     Re: RTA - Injuries

Awaiting your reply.

Annie Thomas




From: "Swati"[alaska05@rediffmail.com]
Sent: Sat, 04 Aug 2012 14:11:40
Subject: RTA - Injuries
Dear Mr. Xxxx Xxxx

Thanks for sending us your message.

Please send your contact phone number and address.

Also if you have time please fill up form available at www.autoaxident.com and press continue button instead of submit to get the full claim form to be filled.

Upon receipt of your phone number solicitor Mr. Lamb Brook will contact you for compensation for your injury
---

 Annie Thomas
Customer Care Executive

Auto Accident Claim Company
London
Phone No. +44 20 3286 4645
Website - www.autoaxident.com 

The originating IP was 14.98.247.162 (TATA Indicom, India), so there's the Indian connection again.

Several things don't stand up with this pitch. One of them is the solicitor's name of "Mr. Lamb Brook". That's quite an unusual name, and it probably comes as no surprise to find that there is no such solicitor listed by the Law Society in the UK. Oddly, the telephone number quoted seems potentially valid and is a London number. Update: the name of the law firm is Lamb Brooks and not an individual solicitor, note however that Lamb Brooks are not sending out this unsolicited mail, I suspect that they are not even aware of it.

The email address of "Annie Thomas" alaska05@rediffmail.com also gives some clues. rediffmail.com is almost exclusively used in India, thus confirming that this is an Indian-based scam again, Googling this email address shows several clues with a background of buying and selling leads.

This thread ties the email address up with a user called lalchand38 and this is linked to a Twitter account at https://twitter.com/LCS38 (Lalchand / @LCS38) who appears to be Lalchand Sobhani who also uses an email address of lalchand38@yahoo.com. You can see his dating profile here and there are several other matches on Google for the same email address which show an interesting variety of enterprises including shipping prescription medications from India to the US.

So Annie Thomas is either Lalchand Sobhani or someone working for him. The solicitor in the UK does not exist. Mr Sobhani has gone to some efforts to hide his involvement here too.

What is probably going on here is lead generation through spam. Lalchand Sobhani is probably trying to generate personal injury leads to resell on to others. In any case, dealing with spammers is unlikely to be beneficial and it could lead to you being seriously out of pocket.

AT&T spam / searchlesswebwasher.info

Another AT&T spam, this time leading to a working malicious payload on searchlesswebwasher.info:

Date:      Fri, 3 Aug 2012 16:54:24 +0100
From:      "AT&T Online Services" <alert@email.att-mail.com>
Subject:      Your AT&T bill is ready to be paid now.

<td style="padding: 0px 10px 0px 10px;" width:33%="" valign="top">
att.com | Support | My AT&T Account    
<td style="padding: 0px 10px 0px 10px;" width:34%="" valign="top">
Your online bill is ready to be viewed
Dear Valued Customer,

A new bill for your AT&T account is ready.

Any operations completed after your bill period expires will not be shown in the bill amount listed directly below. If you have made a recent payment, please refer to the current balance on the Account Overview and the Bill & Payments pages.

Service     Account ending in     Bill Amount     Due Date
Internet and Home Phone     3     $808.32     08/06/2012

Log in to online account management to view your bill and bill notices, maintain your email account or make a payment. If you are not registered for online account management, you must do so to view and print your full bill and bill notices at www.att.com/managemyaccount.
Log in to online account management to view your bill, maintain your email account or make a payment.



Thank you for choosing AT&T. We value your business and look forward to serving you!

Thank you,
AT&T Online Services
www.att.com

Contact Us
AT&T Support - quick & easy support is available 24/7.

   

Moving Soon?
Stay connected with AT&T. Visit us online at att.com/move.

<td style="padding: 0px 10px 0px 10px;" width:33%="" valign="top">
AT&T Online Services
Get more time to do what you want. What would you do?
Show me how

Automatic Payments
Save time and pay your monthly bill automatically!
Sign up now

Special Offers
Visit our Special Offers to check out our best promotions.
Learn more

Online Information
AT&T Community
Repair
   
Home Phone
Special Offers
PLEASE DO NOT REPLY TO THIS MESSAGE
All replies are automatically deleted. For questions regarding this message, refer to the contact information listed above.

�2012 AT&T Intellectual Property. All rights reserved. AT&T, the AT&T logo and all other AT&T marks contained herein are trademarks of AT&T Intellectual Property and/or AT&T affiliated companies. All other marks contained herein are the property of their respective owners.
Privacy Policy

The malicious payload is at [donotclick]searchlesswebwasher.info/main.php?page=6df8994172330e77 (report here) hosted on 78.87.123.114 which is part of a small range of IP addresses which can probably be safely blocked:

inetnum:         78.87.123.112 - 78.87.123.119
netname:         GB13561-static
descr:           tomeaspl-static
country:         GR
admin-c:         GB13561-RIPE
tech-c:          GB13561-RIPE
status:          ASSIGNED PA
mnt-by:          CYTA-HELLAS
source:          RIPE # Filtered

person:          GEORGIOS BASILAKIS
address:         TOMEAS PLIROFORIKIS EPE
address:         FILELLHNON 8
address:         HRAKLEIO KRHTHS
address:         GREECE
phone:           +302810327452
nic-hdl:         GB13561-RIPE
mnt-by:          CYTA-HELLAS
source:          RIPE # Filtered

route:          78.87.64.0/18
descr:          CYTANET - For CYTA HELLAS
origin:         AS6866
mnt-by:         CYTANET-NOC
source:         RIPE # Filtered

"Your Photos" spam / moskow-carsharing.ru

This terse spam leads to malware on moskow-carsharing.ru:

From: [redacted]
Sent: venerdì 3 agosto 2012 17:09
To: [redacted]
Subject: Your Photos

Hi,
your photos - http://www.[redacted].com/upload.htm

 The malicious payload is at [donotclick]moskow-carsharing.ru:8080/forum/showthread.php?page=5fa58bce769e5c2c (report here) hosted on the following IPs:

67.227.183.77
203.80.16.81
213.170.99.11

The following domain names are also related and should be blocked:

ipadvssonyx.ru
leprisoruim.ru
mysqlfordummys.ru
onerussiaboard.ru
online-cammunity.ru
online-gaminatore.ru
switched-games.ru

AT&T spam / globixlowerright.org

These fake AT&T spam emails lead to an attempted malware page at globixlowerright.org:

Date:      Fri, 3 Aug 2012 11:03:52 -0300
From:      "AT&T Online Services" [att-services@email.att-mail.com]
Subject:      Pay your AT&T bill online

<td style="padding: 0px 10px 0px 10px;" width:33%="" valign="top">
att.com | Support | My AT&T Account    
<td style="padding: 0px 10px 0px 10px;" width:34%="" valign="top">
Your online bill is ready to be accessed
Dear Esteemed Customer,

A new bill for your AT&T services is prepared.

Any transactions completed after your bill period expires will not be shown in the bill amount listed directly below. If you have made a recent payment, please refer to the current balance on the Account Overview and the Bill & Payments pages.

Service     Account ending in     Bill Amount     Due Date
Internet and Home Phone     {LET:0     $460.46     08/06/2012

Log in to online account management to view your bill and bill notices, maintain your email account or make a payment. If you are not registered for online account management, you must do so to view and print your full bill and bill notices at www.att.com/managemyaccount.
Log in to online account management to view your bill, maintain your email account or make a payment.



Thank you for choosing AT&T. We value your business and look forward to serving you!

Thank you,
AT&T Online Services
www.att.com

Contact Us
AT&T Support - quick & easy support is available 24/7.

   

Moving Soon?
Stay connected with AT&T. Visit us online at att.com/move.

<td style="padding: 0px 10px 0px 10px;" width:33%="" valign="top">
AT&T Online Services
Get more time to do what you want. What would you do?
Show me how

Automatic Payments
Save time and pay your monthly bill automatically!
Sign up now

Special Offers
Visit our Special Offers to check out our best promotions.
Learn more

Online Information
AT&T Community
Repair
   
Home Phone
Special Offers
PLEASE DO NOT REPLY TO THIS MESSAGE
All replies are automatically deleted. For questions regarding this message, refer to the contact information listed above.

�2012 AT&T Intellectual Property. All rights reserved. AT&T, the AT&T logo and all other AT&T marks contained herein are trademarks of AT&T Intellectual Property and/or AT&T affiliated companies. All other marks contained herein are the property of their respective owners.
Privacy Policy

==========


Date:      Fri, 3 Aug 2012 10:25:59 -0300
From:      "AT&T Online Services" [att-services@email.att-mail.com]
Subject:      Your AT&T bill is ready to be viewed

<td style="padding: 0px 10px 0px 10px;" width:33%="" valign="top">
att.com | Support | My AT&T Account    
<td style="padding: 0px 10px 0px 10px;" width:34%="" valign="top">
Your online bill is ready to be accessed
Dear Valued Customer,

A new bill for your AT&T account is ready.

Any transactions made after your bill period expires will not be reflected in the bill amount listed directly below. If you have made a recent payment, please refer to the current balance on the Account Overview and the Bill & Payments pages.

Service     Account ending in     Bill Amount     Due Date
Home Phone     1     $718.25     08/06/2012

Log in to online account management to view your bill and bill notices, maintain your email account or make a payment. If you are not registered for online account management, you must do so to view and print your full bill and bill notices at www.att.com/managemyaccount.
Log in to online account management to view your bill, maintain your email account or make a payment.



Thank you for choosing AT&T. We value your business and look forward to serving you!

Thank you,
AT&T Online Services
www.att.com

Contact Us
AT&T Support - quick & easy support is available 24/7.

   

Moving Soon?
Stay connected with AT&T. Visit us online at att.com/move.

<td style="padding: 0px 10px 0px 10px;" width:33%="" valign="top">
AT&T Online Services
Get more time to do what you want. What would you do?
Show me how

Automatic Payments
Save time and pay your monthly bill automatically!
Sign up now

Special Offers
Visit our Special Offers to check out our best promotions.
Learn more

Online Information
AT&T Community
Repair
   
Home Phone
Special Offers
PLEASE DO NOT REPLY TO THIS MESSAGE
All replies are automatically deleted. For questions regarding this message, refer to the contact information listed above.

�2012 AT&T Intellectual Property. All rights reserved. AT&T, the AT&T logo and all other AT&T marks contained herein are trademarks of AT&T Intellectual Property and/or AT&T affiliated companies. All other marks contained herein are the property of their respective owners.
Privacy Policy

==========


Date:      Fri, 3 Aug 2012 15:17:49 +0200
From:      "AT&T Online Services" [att-services@email.att-mail.com]
Subject:      Your AT&T bill is ready to be paid now.

<td style="padding: 0px 10px 0px 10px;" width:33%="" valign="top">
att.com | Support | My AT&T Account    
<td style="padding: 0px 10px 0px 10px;" width:34%="" valign="top">
Your online bill is ready to be viewed
Dear Valued Customer,

A new bill for your AT&T services is prepared.

Any payments made after your bill period ends will not be shown in the bill amount listed directly below. If you have made a recent payment, please refer to the current balance on the Account Overview and the Bill & Payments pages.

Service     Account ending in     Bill Amount     Due Date
Internet access     5     $373.39     08/06/2012

Log in to online account management to view your bill and bill notices, maintain your email account or make a payment. If you are not registered for online account management, you must do so to view and print your full bill and bill notices at www.att.com/managemyaccount.
Log in to online account management to view your bill, maintain your email account or make a payment.



Thank you for choosing AT&T. We value your business and look forward to serving you!

Thank you,
AT&T Online Services
www.att.com

Contact Us
AT&T Support - quick & easy support is available 24/7.

   

Moving Soon?
Stay connected with AT&T. Visit us online at att.com/move.

<td style="padding: 0px 10px 0px 10px;" width:33%="" valign="top">
AT&T Online Services
Get more time to do what you want. What would you do?
Show me how

Automatic Payments
Save time and pay your monthly bill automatically!
Sign up now

Special Offers
Visit our Special Offers to check out our best promotions.
Learn more

Online Information
AT&T Community
Repair
   
Home Phone
Special Offers
PLEASE DO NOT REPLY TO THIS MESSAGE
All replies are automatically deleted. For questions regarding this message, refer to the contact information listed above.

�2012 AT&T Intellectual Property. All rights reserved. AT&T, the AT&T logo and all other AT&T marks contained herein are trademarks of AT&T Intellectual Property and/or AT&T affiliated companies. All other marks contained herein are the property of their respective owners.
Privacy Policy

The link goes through a legitimate (but hacked) site and attempts to load a malware page at [donotclick]globixlowerright.org/main.php?page=6df8994172330e77 (report here) but at the moment it is not resolving as the domain appears to have been de-registered.

yg-network.org / Keyya Ltd domain scam

This is part of a domain scam that has been going on for years..

from:     Angela info@gytrademark.com
to:     sales@[redacted].com
date:     3 August 2012 03:21
subject:     Notice of Internet Intellectual Property



Dear Manager,

(If you are not the person who is in charge of this, please forward this to your CEO,Thanks)

This email is from China domain name registration center, which mainly deal with the domain name registration and dispute internationally in China and Asia.
On July 30th 2012, We received Keyya Ltd's application that they are registering the name "[redacted]" as their Internet Keyword and "[redacted].cn "、"[redacted].com.cn " 、"[redacted].asia "domain names etc.., they are China and ASIA domain names. But after auditing we found the brand name been used by your company. As the domain name registrar in China, it is our duty to notice you, so we are sending you this email to check. According to the principle in China, your company is the owner of the trademark, In our auditing time we can keep the domain names safe for you firstly, but our audit period is limited, if you object the third party application these domain names and need to protect the brand in china and Asia by yourself, please let the responsible officer contact us as soon as possible. Thank you!

Best Regards,

Angela Zhang



General Manager
Anhui Office (Head Office)
Registration Department Manager
Room 1008 Shenhui Building 
Haitian Road, Huli Anhui, China
Office:  +86 0553 4994789
Fax:     +86 0553 4994789
web:  www.yg-network.org

Basically the idea is to panic you into buying worthless domains from a dodgy Chinese registrar. Of course, there is no company actually trying to register these domains.. and even if there was there is no responsibility for the registrar to check trademark ownership (except in a tiny handful of cases such as sunrise registrations).

What's more.. I already own the .asia version of this domain name, so it is impossible that someone else is trying to register it.

So, this one is definitely a scam. Stay away.

"Reset Your LinkedIn Password" spam / mysqlfordummys.ru

This fake LinkedIn email leads to malware on the oddly named domain of mysqlfordummys.ru:

Date:      Thu, 2 Aug 2012 02:27:38 -0300
From:      LinkedIn Password [password@linkedin.com]
Subject:      Reset Your LinkedIn Password

LinkedIn

Hi altera,

Can’t remember your LinkedIn password? No problem - it happens.

Please use this link to reset your password within the next 1 day:
Click here

Then sign in to LinkedIn with your new password and the email address where you received this message.

Thanks for using LinkedIn!

Flaws in SQL server implementations are a hacker's favourite target, so perhaps there is a wry sense of humour here. Anyway, the malicious payload is at [donotclick]mysqlfordummys.ru:8080/forum/showthread.php?page=5fa58bce769e5c2c (report here) hosted on 203.80.16.81 (MYREN Infrastructure, Malaysia)

The following domains and IPs are all related, you should block access to them if you can:

ipadvssonyx.ru
mysqlfordummys.ru
onerussiaboard.ru
online-cammunity.ru
online-gaminatore.ru
switched-games.ru
zenedin-zidane.ru

41.66.137.155
41.168.5.140
62.76.188.138
62.76.190.208
62.213.64.161
78.83.233.242
85.143.166.243
87.120.41.155
87.204.199.100
173.224.208.60
184.106.189.124
199.71.212.78
203.80.16.81
203.172.140.202

"Pay your AT&T bill online" spam / unboxhibernation.org

This fake AT&T spam leads to malware on unboxhibernation.org:

 From: Tonya Bates [mailto:robot@craigslist.org]
Sent: 02 August 2012 14:08
Subject: Pay your AT&T bill online
Importance: High

att.com | Support | My AT&T Account


Your online bill is ready to be downloaded
Dear Valued Customer,

A new bill for your AT&T account is ready.

Any operations completed after your bill period expires will not be reflected in the bill amount listed directly below. If you have made a recent payment, please refer to the current balance on the Account Overview and the Bill & Payments pages.
Service     Account ending in     Bill Amount     Due Date
Home Phone     6     $355.26     08/06/2012

Log in to online account management to view your bill and bill notices, maintain your email account or make a payment. If you are not registered for online account management, you must do so to view and print your full bill and bill notices at www.att.com/managemyaccount.
Log in to online account management to view your bill, maintain your email account or make a payment.



Thank you for choosing AT&T. We value your business and look forward to serving you!

Thank you,
AT&T Online Services
www.att.com

Contact Us
AT&T Support - quick & easy support is available 24/7.

 




Moving Soon?
Stay connected with AT&T. Visit us online at att.com/move.


AT&T Online Services
Get more time to do what you want. What would you do?
 Show me how

    Automatic Payments
Save time and pay your monthly bill automatically!
 Sign up now

    Special Offers
Visit our Special Offers to check out our best promotions.
 Learn more


  
Online Information
AT&T Community
Repair
Home Phone
Special Offers

________________________________________
PLEASE DO NOT REPLY TO THIS MESSAGE
All replies are automatically deleted. For questions regarding this message, refer to the contact information listed above.

2012 AT&T Intellectual Property. All rights reserved. AT&T, the AT&T logo and all other AT&T marks contained herein are trademarks of AT&T Intellectual Property and/or AT&T affiliated companies. All other marks contained herein are the property of their respective owners.
Privacy Policy

The malicious payload is at [donotclick]unboxhibernation.org/main.php?page=19152be46559e39d (report here) hosted on 78.87.123.114 (CYTA Hellas, Greece) which also hosts the apparently legitimate site infosector.gr, although some DNS results are coming back with 211.157.105.160 in China instead.. and this IP address is definitely malicious as it contains the following malware domains:

advancementwowcom.org
damidc.com
retweetadministrator.org
stafffire.net
unboxhibernation.org

Blocking both IPs may well be prudent.

Also, the following nameservers are indicative of an evil host, keep an eye out for them..
ns1.ashton-pitt.net
64.37.54.215

ns2.ashton-pitt.net
111.214.135.11

xinthesidersdown.com injection attack in progress

There is currently an injection attack using a script pointing to [donotclick]xinthesidersdown.com/sl.php  doing the rounds. The malicious code is hosted on 194.28.115.150, the same IP address as used in this attack yesterday.

Something evil on 194.28.115.150 and lasimp04risoned.rr.nu

The following domains appear to be part of an ongoing injection attack (using lasimp04risoned.rr.nu at present). They are hosted by black-hat web host Specialist ISP in Transnistria. Block the IP range of 194.28.112.0 - 194.28.115.255 (194.28.112.0/22) is a very good idea as this is one of the worst netblocks I know of.

aelis30greek.rr.nu
aff29ili.rr.nu
aljo73hnsto.rr.nu
ambers00supplem.rr.nu
ano98the.rr.nu
appoin62tmentba.rr.nu
asciia28rmcover.rr.nu
ati92oni.rr.nu
ation82gamma.rr.nu
avia83resou.rr.nu
bear37sall.rr.nu
bitr07aryc.rr.nu
bles41steve.rr.nu
carrie01rskans.rr.nu
che59mica.rr.nu
chn34olo.rr.nu
comme17rcial.rr.nu
cons63isten.rr.nu
cos69tbu.rr.nu
cov59erm.rr.nu
cthu85srisc.rr.nu
ctsc60anli.rr.nu
eates01publi.rr.nu
ection18depres.rr.nu
elew72isst.rr.nu
enedm79ultina.rr.nu
enegat43ivecon.rr.nu
engag75edfol.rr.nu
enge75sfra.rr.nu
enormousw1illa.com
ens122zzzddazz.com
entio21nsamba.rr.nu
esgen48erally.rr.nu
eside00ntwin.rr.nu
fee89edi.rr.nu
gra98desi.rr.nu
hitam41ultime.rr.nu
hoperjoper.ru
iab35ilit.rr.nu
ialac93idcod.rr.nu
icans11deskto.rr.nu
ident08winner.rr.nu
impo82rtse.rr.nu
int99onin.rr.nu
ion68you.rr.nu
ited51pala.rr.nu
ive23lit.rr.nu
kpo82stp.rr.nu
lasimp04risoned.rr.nu
lighte93dnickel.rr.nu
limina94tedefi.rr.nu
mainglobilisi.com
mals30ynta.rr.nu
mpa89qaut.rr.nu
mtube-ssl.com
ncomp97aredli.rr.nu
neou44slypa.rr.nu
ngsin45dividu.rr.nu
nstitu42tional.rr.nu
nting91uncle.rr.nu
nusi60ngmus.rr.nu
ocat47edha.rr.nu
ocum04entat.rr.nu
oneflo30orcall.rr.nu
onsco10mdexpo.rr.nu
ort26ibm.rr.nu
ort53hori.rr.nu
ovie26tther.rr.nu
pxm-tube.com
qtr49exis.rr.nu
raff60icke.rr.nu
rlyspa21rcleona.rr.nu
rsm95ario.rr.nu
scue08doral.rr.nu
selle33rsjunk.rr.nu
sicb79enef.rr.nu
sor52tium.rr.nu
ssic2061thligh.rr.nu
ssmo24king.rr.nu
sweepstakesandcontestsdo.com
sweepstakesandcontestsinfo.com
syno98nepet.rr.nu
takeo46versav.rr.nu
tanswe24ringni.rr.nu
tarts63exten.rr.nu
timel08arges.rr.nu
tiona82lclos.rr.nu
tormco48nstitu.rr.nu
tssign51stechno.rr.nu
vada86subje.rr.nu
velit30eratu.rr.nu
viv17eddr.rr.nu
whyi70splay.rr.nu
yint60eres.rr.nu
ysoci94alspec.rr.nu
zbol42lahg.rr.nu

Malware on online-gaminatore.ru

Another malicious spam run, although I don't have a sample of the actual spam this time.. however, the payload is at [donotclick]online-gaminatore.ru:8080/forum/showthread.php?page=5fa58bce769e5c2c (report here), hosted on the following IPs:

89.111.177.151
203.80.16.81
78.83.233.242

These IPs have been used several times recently and should be blocked.

"Federal Tax transfer" spam / retweetadministrator.org

These fake "Federal Tax Transfer" spams lead to malware on retweetadministrator.org:

Date:      Thu, 26 Jul 2012 20:56:10 +0530
From:      "Internal Revenue Service" [alerts@irs.gov]
Subject:      Federal Tax transfer returned

Your federal Tax payment (ID: 632004160993), recently from your checking account was rejected by the your financial institution.

Canceled Tax transfer
Tax Transaction ID:     632004160993
Rejection Reason     See details in the report below
Tax Transaction Report     tax_report_632004160993.doc (Microsoft Word Document)


Internal Revenue Service, Metro Plex 1, 8401 Corporate Drive, Suite 300, Landover, MD 20785


==========

Date:      Thu, 26 Jul 2012 20:55:41 +0530
From:      "Internal Revenue Service" [support@irs.gov]
Subject:      Rejected Federal Tax transaction

Your Tax payment (ID: 766644379032), recently initiated from your checking account was rejected by the your financial institution.

Rejected Tax transfer
Tax Transaction ID:     766644379032
Reason of rejection     See details in the report below
FederalTax Transaction Report     tax_report_766644379032.doc (Microsoft Word Document)


Internal Revenue Service, Metro Plex 1, 8401 Corporate Drive, Suite 300, Landover, MD 20785

==========

Date:      Thu, 26 Jul 2012 12:00:54 -0300
From:      "Internal Revenue Service" [support@irs.gov]
Subject:      Rejected Federal Tax transfer

Your federal Tax payment (ID: 776394251906), recently from your checking account was returned by the your financial institution.

Canceled Tax transfer
Tax Transaction ID:     776394251906
Reason of rejection     See details in the report below
FederalTax Transaction Report     tax_report_776394251906.doc (Microsoft Word Document)


Internal Revenue Service, Metro Plex 1, 8401 Corporate Drive, Suite 300, Landover, MD 20785

The malicious payload is on [donotclick]retweetadministrator.org/main.php?page=8b45f871830c6e5a (report here) hosted on 89.253.231.202 (Rusonyx Ltd, Moscow).