There's something evil on 82.165.38.206 (1&1, Germany).. Zbot, basically. The WHOIS details are refreshingly honest about the intent of the evil domains on the server. There are some legitimate domains as well, so it looks like a hacked server.
Probably NOT EVIL:
athentours.de
beachhandball-camp.com
beachhandball-camp.de
beachhandball-camps.com
beachhandball-camps.de
beachhandballcamp.com
beachhandballcamp.de
beachhandballcamps.com
beachhandballcamps.de
ferienwerk-muenchen.com
ferienwerk-muenchen.de
gosurfcamps.de
h2o-beachhandballcamp.com
h2o-beachhandballcamp.de
h2o-beachhandballcamps.com
h2o-beachhandballcamps.de
h2o-camp.com
h2o-camp.de
h2o-camps.com
h2o-camps.de
h2obeachhandballcamp.com
h2obeachhandballcamp.de
h2obeachhandballcamps.com
h2obeachhandballcamps.de
h2ocamp.com
h2ocamp.de
h2ocamps.com
h2ocamps.de
jugendferienwerk-muenchen.com
jugendferienwerk-muenchen.de
jugendreisenbadenwuerttemberg.de
jugendreisenmuenchen.de
jugendreisenstuttgart.de
senior-surfcamp.com
senior-surfcamp.de
seniorsurfcamp.com
seniorsurfcamp.de
xn--ferienwerk-mnchen-e3b.com
xn--ferienwerk-mnchen-e3b.de
xn--jugendferienwerk-mnchen-tpc.com
xn--jugendferienwerk-mnchen-tpc.de
xn--jugendreisenmnchen-y6b.de
Probably EVIL:
coolgeneration31.org
hjdfhjpqhf52vzskdjui1231232.org
hjdfhjpqhf45vzskdjui123123.org
hjdfhjpqhf47vzskdjui123123.org
hjdfhjpqhf48vzskdjui123123.org
hjdfhjpqhf49vzskdjui123123.org
fd12fg333333.org
working-bhh555.org
ker234hdfa88a8.org
askd232ddsda.org
goldfishinsea.org
d34245f3d.org
d5bb8ae4ec63cf.org
kirvlingshoping.org
donalldakcll.org
freesalebigban.org
bigamadillo.org
analiz-pro.org
kunbengober.org
ddosmanager.org
mislimsip0tir.org
goyerbyhsjanhxas.org
frostbeulekommts.org
trinnitti-soft.org
frostbeulekommt.org
intelentbot.org
45a5ge5aert.org
matonyok-trust.org
bergfileorderingserv.org
mailforw.org
shcool2010.com
vikingwer10.com
vatind0.com
d3f78j9h8h321312nf0.com
revers1001.com
update-java01.com
zapas2011.com
frerestreetsw111.com
reserve14443211.com
vikingwer11.com
testforus7771.com
generaladvertising191.com
chicoracquetclub1.com
vmeste-mi-fruktoviy-sad1.com
hft2bnmkoedfsdfgfg5o1.com
slaviki-res1.com
blachervers-2.com
frerestreetsw112.com
for-advanced-cfg12.com
vxuservx222.com
zeppbrannigan22.com
verasertys22.com
kemebrremewrewroi6d3b3jb3b332.com
narawertyopsanzaol7632.com
ognenaiaduga2.com
doo1deivahn2.com
worldfierro2.com
trytokickmewhenimoneywwww2.com
domain510003.com
frerestreetsw113.com
34k5jh4kjh324h123.com
hhhhujnja23.com
vvverdasentarycoolnew12233.com
jrykj233.com
fhb7654568768877dhfdbdjdeek677567433.com
znakizodiakapinger33.com
kilovattmegatonnsdor33.com
5qsx-v-b-f-r-we-4543-7767-4443.com
mjsdkflkblsdfbllalsdf777793.com
kemebrremewernrewroi43b3b3b3.com
kemebrremewrewroi43b3b3b3.com
kemebrmewernrewroi6nn3b3b3b3.com
kemebrmewernrewroi4367b3b3b3.com
sourtel3.com
hft2bnmkosdfgfg5o3.com
ffhsdf4747282e734723878784234.com
ipfff3444.com
bersiuzhuf0d9g8ghddee44.com
offirstactivityna4.com
ghgng43fgjl82309dfg8df4.com
just1tto2005.com
domain460015.com
kateserv29115.com
apre-delfud1-225.com
domain445725.com
lsazzzx45.com
2344292985375634367124i2443455.com
kateserv29175.com
234k23j4h3g5.com
mailwbg5.com
bejhjhbejr77eh5.com
mnn-gff-65-33-22-22-22-bve-6.com
mnn-gff-66nn-33-22-22-22-bve-6.com
freeroom66.com
xn3yy2uroomfdnew91c2v6.com
photox15serv257.com
matenixserv257.com
dtdtdtdouble6677.com
allbe777.com
testforus777.com
pxcallcentercareers77.com
galox29serv77.com
natenixserv77.com
for-advanced-cfg7.com
domain460018.com
ptichkaleti88.com
bngh77tutjt88.com
gssghgkio7erasdotaser8.com
679iss8.com
formul89.com
solnishko999.com
for-advanced-cfg9.com
switzern9.com
vikingwer9.com
jghrt9frgtr9.com
google-1aa.com
peuhiuyca.com
berkamifa.com
sjaprotecasga.com
iesiuzeiphae4xuoch1ahgha.com
mega-kreslo-suka.com
hahamanhanla.com
ywhzwhcnjmkj28888kljsdkkccnvma.com
abortinghomethinkanormall2116tv2dnvma.com
ywhzwhcnjmzmfdhd6em16tv2dnvma.com
islaantillana.com
leboj1ra.com
hahahayahooousa.com
pddonlinedata.com
reepta.com
teughoojaeghaopuegeudeeb.com
remainresetservweb.com
qsbj356jlkb33trhbj44dklasbkb.com
jsbjlsdjlkb234jblkba8899sjkb.com
srvpvrb.com
adobesystemcorporatecodec.com
icereserv-sec.com
minisystemic.com
meteosystemic.com
qlcombrasilmusic.com
ghsmaristic.com
celeron-mypc.com
krrhazvrjma8d.com
samecomandnetad.com
ommso99dd.com
freelinceradanced.com
hostedllinked.com
muiredised.com
336nnfbvdsfuoibvc6nn78fdhdffdgffd.com
kffkdmsdn3438nfd.com
nbguiewjmznejjcuaije2hd.com
dkjs8000sjdshd.com
oepjvondifnnkskfcxzvjiefrkd.com
nextcomesonlservbuild.com
bntuyahqpcmd.com
8hrhhhtt63639serd.com
eorjroijdojrd.com
goldharbord.com
vhklideomailasd.com
cerutedwestedltd.com
pokemonnertt345e.com
mylitlebusinessplace.com
ufoksuudservice.com
serokolservice.com
someadverdownservice.com
dst1-finance.com
mbnfinance.com
recruitadyfinance.com
zswealthlastsource.com
45gvvrfr665gbffbdtrtee.com
keticussorke.com
crewboddylifestyle.com
tuvnahdmcjrueifhgne.com
palecvzhope.com
sampeladvertisingbase.com
java-00update.com
direct-gate.com
quintaavenue.com
versnoteinluserve.com
mikrobnjnru7f.com
hgng44fgjl82509dfg83df.com
ywhzwskdjfgh3lkjhtkjsdfghu9w845tgdf.com
asdff23fsafasdfsdf.com
scvsmmdiocuhsdf.com
jdhfjksdhyurw89yurhksff.com
bedegiudmakkshhf.com
h88dfsdfrefmkf.com
ufhwf8093hrdsf.com
gsdfgd536fdg.com
entcrgmd3kvc2r6nwhfom215m22eg.com
aimsfg.com
y25qwrmzv6z3nwem5mnry21smg.com
eg4zxkydxjvsd21mzgldhzkxyz2ng.com
bdg8b70dgbng.com
nqpftydjfgbbbdlspyfng.com
justcheckping.com
ponibong.com
ualol3e3ejdh98hjd893h.com
aa9798ajgjghu87h.com
cocteil-malevich.com
Monday, 1 October 2012
Something evil on 82.165.38.206
Labels:
1&1,
Evil Network,
Zbot
Sunday, 30 September 2012
ADP Spam / 69.194.194.221
This fake ADP spam leads to malware on 69.194.194.221:
The malicious payload is at [donotclick]69.194.194.221/links/marked-alter.php (Solar VPS, US).
Date: Sun, 30 Sep 2012 17:31:05 +0200
From: "ADP Service" [F07EBCC@pop3.rad.net]
Subject: New transactions
Your Transaction Report(s) have been uploaded to the web site:
https://www.flexdirect.adp.com/client/login.aspx
Please note that your bank account will be debited within one banking
business day for the amount(s) shown on the report(s).
Please do not respond or reply to this automated e-mail. If you have any
questions or comments, please Contact your ADP Benefits Specialist.
Thank You,
ADP Benefit Services
The malicious payload is at [donotclick]69.194.194.221/links/marked-alter.php (Solar VPS, US).
Friday, 28 September 2012
ADP spam / 108.178.59.6
This fake ADP spam leads to malware on 108.178.59.6:
The malicious payload is at [donotclick]108.178.59.6/links/marked-alter.php (Singlehop, US) which looks like a Blackhole 2 exploit kit or similar.
The malware is hosted on this evil network, blocking 108.178.59.0/26 would be wise.
Date: Fri, 28 Sep 2012 13:22:13 +0300
From: "ADP Notification" [D7443309@phoenixpv.de]
Subject: Your Transaction Report(s)
Your Transaction Report(s) have been uploaded to the web site:
https://www.flexdirect.adp.com/client/login.aspx
Please note that your bank account will be debited within one banking
business day for the amount(s) shown on the report(s).
Please do not respond or reply to this automated e-mail. If you have any
questions or comments, please Contact your ADP Benefits Specialist.
Thank You,
ADP Benefit Services
The malicious payload is at [donotclick]108.178.59.6/links/marked-alter.php (Singlehop, US) which looks like a Blackhole 2 exploit kit or similar.
The malware is hosted on this evil network, blocking 108.178.59.0/26 would be wise.
Thursday, 27 September 2012
ADP Spam / 69.194.193.37
This fake ADP spam leads to malware on 69.194.193.37:
The malicious payload is at [donotclick]69.194.193.37/links/marked-alter.php hosted by Solar VPS in the US.
Date: Thu, 27 Sep 2012 14:47:54 -0430
From: "ADP Alert" [FDCA492F@atlanticbeddingandfurniture.com]
Subject: Transaction Report(s)
Your Transaction Report(s) have been uploaded to the web site:
https://www.flexdirect.adp.com/client/login.aspx
Please note that your bank account will be debited within one banking
business day for the amount(s) shown on the report(s).
Please do not respond or reply to this automated e-mail. If you have any
questions or comments, please Contact your ADP Benefits Specialist.
Thank You,
ADP Benefit Services
The malicious payload is at [donotclick]69.194.193.37/links/marked-alter.php hosted by Solar VPS in the US.
UPS Spam / sectantes-x.ru
This fake UPS spam leads to malware at sectantes-x.ru:
The malicious payload is at [donotclick]sectantes-x.ru:8080/forum/links/column.php hosted on the following IP addresses:
84.22.100.108 (Republic CyberBunker, Antarctica - Amsterdam more likely)
190.10.14.196 (RACSA, Costa Rica)
203.80.16.81 (Myren, Malaysia)
The following IPs and domains are all connected and should be blocked:
84.22.100.108
190.10.14.196
203.80.16.81
rumyniaonline.ru
denegnashete.ru
dimabilanch.ru
ioponeslal.ru
soisokdomen.ru
moskowpulkavo.ru
diareuomop.ru
omahabeachs.ru
sectantes-x.ru
In addition, CyberBunker has a long history of spamming and tolerating criminals. Blocking the range 84.22.96.0/19 should afford your network some additional protection.
Date: Thu, 27 Sep 2012 10:03:27 -0400
From: Habbo Hotel [auto-contact@habbo.com]
Subject: UPS Tracking Number H8244648923
USPS .com Customer Services for big savings! Can't see images? CLICK HERE.
UPS UPS SUPPORT 39
UPS - UPS TEAM 31 >>
Not Ready to Open
an Account?
The UPS Store� can help with full service packing and shipping.
Learn More >>
UPS - Your UPS .com Customer Services
Dear, [redacted]
DEAR CUSTOMER , Delivery Confirmation: Failed
Track your Shipment now!
With best wishes , UPS .com Customer Services.
Shipping Tracking Calculate Time & Cost Open an Account
@ 2011 United Parcel Service of America, Inc. Your USPS Team, the UPS brandmark, and the color brown are
trademarks of United Parcel Service of America, Inc. All rights reserved.
This is a marketing e-mail for UPS services. Click here to update your e-mail preferences or to unsubscribe to
Your USPS .US marketing e-mail. For information on UPS's privacy practices, please refer to UPS Privacy Policy.
USPS .com Customer Services, 33 Glenlake Parkway, NE - Atlanta, GA 30580
Attn: Customer Communications Department
The malicious payload is at [donotclick]sectantes-x.ru:8080/forum/links/column.php hosted on the following IP addresses:
84.22.100.108 (Republic CyberBunker, Antarctica - Amsterdam more likely)
190.10.14.196 (RACSA, Costa Rica)
203.80.16.81 (Myren, Malaysia)
The following IPs and domains are all connected and should be blocked:
84.22.100.108
190.10.14.196
203.80.16.81
rumyniaonline.ru
denegnashete.ru
dimabilanch.ru
ioponeslal.ru
soisokdomen.ru
moskowpulkavo.ru
diareuomop.ru
omahabeachs.ru
sectantes-x.ru
In addition, CyberBunker has a long history of spamming and tolerating criminals. Blocking the range 84.22.96.0/19 should afford your network some additional protection.
Intuit spam / buycelluleans.com
This fake Intuit spam leads to malware on buycelluleans.com
The malicious payload is at [donotclick]buycelluleans.com/detects/groups_him.php (report here) hosted on 203.91.113.6 (G Mobile, Mongolia). This IP address has been used several times for malware distribution and should be blocked if you can.
From: Intuit PaymentNetwork [mailto:treacheriesz2@luther.k12.wi.us]
Sent: 27 September 2012 15:24
Subject: Your payroll verification is started by Intuit.
Direct Deposit Service System information
Request status
Dear [redacted]
We received your payroll on September 27, 2012 at 3:28 AM Pacific time.
• Funds will be transitioned from the bank account number: 6 XXXXX1345 on September 28, 2012.
• Amount to be withdrawn: $1,107.47
• Paychecks would be transferred to your employees' accounts on: September 28, 2012
• Please take a look at your payroll here.
Funds are typically withdrawn before normal bank working hours so please make sure you have sufficient funds available by 12 a.m. Pacific time on the date funds are to be processed.
Intuit must obtain your payroll by 5 p.m. Pacific time, two banking days before your payment date or your personnel payment will be aborted. QuickBooks doesn't proceed payrolls on weekends and federal banking legal holidays. A list of federal banking off-days can be accessed at the Federal Reserve holyday schedule}.
Thank you for your business.
Sincerely,
Intuit Services
NOTICE: This information was sent to inform you of a some actions at your account or software. Please mind that if you confirmed option of receiving informative materials from Intuit QuickBooks you may continue to receive informational materials similar to this message that affect your service or software.
If you have any questions or comments about this email please DO NOT REPLY to this message. If you need further information please contact us.
If you receive an message that appears to come from Intuit but that you suspect is a scam email, submit it on a link below customer feedback .
Copyright 2008-2012 Intuit Inc. QuickBooks and Intuit are registered of or registered service marks of Intuit Inc. in the US and other countries. This email message is not intended to supplement, modify or extend the Intuit software license agreement between you and Intuit for any Intuit product or service.
Intuit Inc. Customer Information Services
2816 A. Commerce Center Place, Tucson, AZ 84516
The malicious payload is at [donotclick]buycelluleans.com/detects/groups_him.php (report here) hosted on 203.91.113.6 (G Mobile, Mongolia). This IP address has been used several times for malware distribution and should be blocked if you can.
SMS Spam: "Hi, we think you may be entitled to compensation.."
These annoying spammers (and probably scammers) are back, sending out their scummy PPI spam messages from +447568105443
I've never been mis-sold PPI, so this is obviously a generic spam. It also looks like an invitation to make a claim even if you're not eligible. And that would be fraud..
If you get one of these, you should forward the spam and the sender's number to your carrier. In the came of T-Mobile, O2 and Orange the number to report to is 7726 ("SPAM"). Vodafone customers should use 87726 ("VSPAM") and Three customers should use 37726 ("3SPAM"). Hopefully the carriers will act if there are enough complaints.
Hi, we think you may be entitled to compensation of up to £3500 from missold PPI on a credit card or loan.
Reply INFO for more info
Reply STOP to quit
I've never been mis-sold PPI, so this is obviously a generic spam. It also looks like an invitation to make a claim even if you're not eligible. And that would be fraud..
If you get one of these, you should forward the spam and the sender's number to your carrier. In the came of T-Mobile, O2 and Orange the number to report to is 7726 ("SPAM"). Vodafone customers should use 87726 ("VSPAM") and Three customers should use 37726 ("3SPAM"). Hopefully the carriers will act if there are enough complaints.
Amazon.com spam / uenwxgvrymch.net
This Amazon.com spam leads to malware on uenwxgvrymch.net:
From: Gabriel Roach [mailto:plectrumsiy0@independentreporters.com]
Sent: 27 September 2012 13:19
To: UK HPEA 2
Subject: Your Amazon.com order of "Fossil Men's FS9367 Black Silicone Bracelet Black Analog Dial Chronograph Watch" has shipped!
Hello,
Shipping Confirmation
Order # 675-5092359-2844093
Your estimated delivery date is:
Friday, August 3 2012
Track your package Thank you for shopping with us. We thought you'd like to know that we shipped this portion of your order separately to give you quicker service. You won't be charged any extra shipping fees, and the remainder of your order will follow as soon as those items become available. If you need to return an item from this shipment or manage other orders, please visit Your Orders on Amazon.com.
Shipment Details
Fossil Men's FS9367 Black Silicone Bracelet Black Analog Dial Chronograph Watch $109.95
Item Subtotal: $109.95
Shipping & Handling: $0.00
Total Before Tax: $109.95
Shipment Total: $109.95
Paid by Visa: $109.95
You have only been charged for the items sent in this shipment. Per our policy, you only pay for items when we ship them to you.
Returns are easy. Visit our .
If you need further assistance with your order, please visit Customer Service.
We hope to see you again soon!
Amazon.com
===
The malicious payload is at [donotclick]uenwxgvrymch.net/links/claims_separate-learns_buy.php?ioufk=353302063538093336083737030a0a040309020703383305030a060906350a0a&pgaxszhs=39&meus=0a340b37043808020237&wzirxo=0a000300040002 (report here) which is hosted on the same IP address as this attack.
From: Gabriel Roach [mailto:plectrumsiy0@independentreporters.com]
Sent: 27 September 2012 13:19
To: UK HPEA 2
Subject: Your Amazon.com order of "Fossil Men's FS9367 Black Silicone Bracelet Black Analog Dial Chronograph Watch" has shipped!
Hello,
Shipping Confirmation
Order # 675-5092359-2844093
Your estimated delivery date is:
Friday, August 3 2012
Track your package Thank you for shopping with us. We thought you'd like to know that we shipped this portion of your order separately to give you quicker service. You won't be charged any extra shipping fees, and the remainder of your order will follow as soon as those items become available. If you need to return an item from this shipment or manage other orders, please visit Your Orders on Amazon.com.
Shipment Details
Fossil Men's FS9367 Black Silicone Bracelet Black Analog Dial Chronograph Watch $109.95
Item Subtotal: $109.95
Shipping & Handling: $0.00
Total Before Tax: $109.95
Shipment Total: $109.95
Paid by Visa: $109.95
You have only been charged for the items sent in this shipment. Per our policy, you only pay for items when we ship them to you.
Returns are easy. Visit our .
If you need further assistance with your order, please visit Customer Service.
We hope to see you again soon!
Amazon.com
===
The malicious payload is at [donotclick]uenwxgvrymch.net/links/claims_separate-learns_buy.php?ioufk=353302063538093336083737030a0a040309020703383305030a060906350a0a&pgaxszhs=39&meus=0a340b37043808020237&wzirxo=0a000300040002 (report here) which is hosted on the same IP address as this attack.
Amazon.com spam / ciafgnepbs.ddns.ms
This fake Amazon.com spam leads to malware on ciafgnepbs.ddns.ms:
The malicious payload is at [donotclick]ciafgnepbs.ddns.ms/links/claims_separate-learns_buy.php hosted on 62.109.23.82 (TheFirst-RU, Russia), the suspect domain ynrteqhsobjv.dnset.com is also on the same server, blocking that IP address would protect against other malicious sites on the same server.
You might also want to consider blocking all ddns.ms and dnset.com domains, although this type of Dynamic DNS domain does have its uses, I personally believe that the dangers of mis-use outweigh the benefits.
From: Viola Chatman [mailto:parchesei642@foxvalley.net]
Sent: 27 September 2012 12:10
Subject: Your Amazon.com order of "Casio Men's PRW7035T-6CR Pathfinder Triple Sensor Tough Solar Digital Multi-Function Titanium Pathfinder Watch" has shipped!
Hello,
Shipping Confirmation
Order # 749-1221929-9346291
Your estimated delivery date is:
Friday, August 3 2012
Track your package Thank you for shopping with us. We thought you'd like to know that we shipped this portion of your order separately to give you quicker service. You won't be charged any extra shipping fees, and the remainder of your order will follow as soon as those items become available. If you need to return an item from this shipment or manage other orders, please visit Your Orders on Amazon.com.
Shipment Details
Casio Men's PRW7035T-6CR Pathfinder Triple Sensor Tough Solar Digital Multi-Function Titanium Pathfinder Watch $139.95
Item Subtotal: $139.95
Shipping & Handling: $0.00
Total Before Tax: $139.95
Shipment Total: $139.95
Paid by Visa: $139.95
You have only been charged for the items sent in this shipment. Per our policy, you only pay for items when we ship them to you.
Returns are easy. Visit our .
If you need further assistance with your order, please visit Customer Service.
We hope to see you again soon!
Amazon.com
The malicious payload is at [donotclick]ciafgnepbs.ddns.ms/links/claims_separate-learns_buy.php hosted on 62.109.23.82 (TheFirst-RU, Russia), the suspect domain ynrteqhsobjv.dnset.com is also on the same server, blocking that IP address would protect against other malicious sites on the same server.
You might also want to consider blocking all ddns.ms and dnset.com domains, although this type of Dynamic DNS domain does have its uses, I personally believe that the dangers of mis-use outweigh the benefits.
Labels:
Amazon,
Malware,
Spam,
TheFirst-RU,
Viruses
Wednesday, 26 September 2012
IRS spam / 1.howtobecomeabostonian.com and mortal-records.net
Three different versions of fake IRS spam today, two leading to malware on 1.howtobecomeabostonian.com and the other with a malicious payload on mortal-records.net.
Payload one is at [donotclick]1.howtobecomeabostonian.com/links/marked-alter.php hosted on 74.207.232.13 (Linode, US) which looks like a hacked GoDaddy domain. Payload two is at [donotclick]mortal-records.net/detects/processing-successfully.php hosted on 203.91.113.6 (G-Mobile, Mongolia) which is an IP address that has been used a LOT for this type of attack. Blocking those IPs would be ideal.
These other bad domains are associated with the Mongolian IP address:
allmn-leicncester.net
amsnxn.com
bowerystore.net
cahgmt.com
cahmncm.com
casxmn.com
catmngn.com
chgmnm.com
myinfn.com
nitor-solutions.net
ntanwolb.com
penel-opessong.com
sncahmn.com
stafffire.net
Date: Wed, 26 Sep 2012 20:44:47 +0530
From: "Internal Revenue Service (IRS)" [58D1F47@guyzzer.com]
To: [redacted]
Subject: Internal Revenue Service: For the attention of enterpreneurs
Internal Revenue Service (IRS)
Hello,
Due to the system error the EIN of your company has been accidently erased from the online database, please validate your EIN to reaffirm your current status of taxpayer. Certain indulgences will be applied to the next audit report for your company. IRS is sorry to cause inconvenience.
For detail information, please refer to:
https://www.irs.gov/Login.aspx?u=E8710D9E9
Email address: [redacted]
Sincerely yours,
Barry Griffin
IRS Customer Service representative
Update your subscriptions, modify your password or email address, or stop subscriptions at any time on your Subscriber Preferences Page.
You will need to use your email address to log in.
This service is provided to you at no charge by the Internal Revenue Service (IRS).
This email was sent to [redacted] by: Internal Revenue Service (IRS) � Internal Revenue Service � 1111 Constitution Ave. N.W. � Washington DC 20535
==========
Date: Wed, 26 Sep 2012 11:09:45 -0400
From: "Internal Revenue Service (IRS)" [90A75BC@etherplay.com]
To: [redacted]
Subject: Internal Revenue Service: For the attention of enterpreneurs
Internal Revenue Service (IRS)
Dear business owners,
Due to the corrections in the taxation policies that have been recently applied, IRS informs that LLC, C-Corporations and S-Corporations have to validate their EIN in order to reaffirm their actual status. You have 14-day period in order to examine all the changes and make necessary amendments. We are sorry for the inconvenience caused.
For the details please refer to:
https://www.irs.gov/ClientArea.aspx?u=1CBD0FC829256C
Email address: [redacted]
Sincerely yours,
Damon Abbott
Internal Revenue Service Representative
Update your subscriptions, modify your password or email address, or stop subscriptions at any time on your Subscriber Preferences Page.
You will need to use your email address to log in.
This service is provided to you at no charge by the Internal Revenue Service (IRS).
This email was sent to [redacted] by: Internal Revenue Service (IRS) � Internal Revenue Service � 1111 Constitution Ave. N.W. � Washington DC 20535
==========
Date: Wed, 26 Sep 2012 19:53:28 +0400
From: Internal Revenue Service [weirdpr6@polysto.com]
To: [[redacted]]
Subject: IRS report of not approved tax bank transfer
Your Federal Tax pending transaction (ID: 52007291963155), recently ordered for processing from your checking account was rejected by your Bank.
Rejected Tax transaction
Tax Transaction ID: 52007291963155
Reason ID See details in the report below
State Tax Transaction Report tax_report_52007291963155.doc (Microsoft Word Document)
Internal Revenue Service 9611 Tellus. Av. Augusta 38209 MV
Payload one is at [donotclick]1.howtobecomeabostonian.com/links/marked-alter.php hosted on 74.207.232.13 (Linode, US) which looks like a hacked GoDaddy domain. Payload two is at [donotclick]mortal-records.net/detects/processing-successfully.php hosted on 203.91.113.6 (G-Mobile, Mongolia) which is an IP address that has been used a LOT for this type of attack. Blocking those IPs would be ideal.
These other bad domains are associated with the Mongolian IP address:
allmn-leicncester.net
amsnxn.com
bowerystore.net
cahgmt.com
cahmncm.com
casxmn.com
catmngn.com
chgmnm.com
myinfn.com
nitor-solutions.net
ntanwolb.com
penel-opessong.com
sncahmn.com
stafffire.net
Tuesday, 25 September 2012
Evil network: 108.178.59.0/26
There's quite a bit of malware coming from a range of Singlehop IPs over the past few days. The range is 108.178.59.0/26 (108.178.59.0 - 108.178.59.63)
So far, I've seen blackhole samples from 108.178.59.20, 108.178.59.11 and 108.178.59.26 which is enough to convince me that the whole /26 is bad an should be blocked.
Singlehop have reallocated the IP range to a customer:
network:Class-Name:network
network:ID:ORG-SINGL-8.108-178-59-0/26
network:Auth-Area:108.178.0.0/18
network:IP-Network:108.178.59.0/26
network:Organization:Lorenzo Coco
network:Street-Address:via Nardi, 8 Prato
network:City:Prato
network:State:Italy
network:Postal-Code:59100
network:Country-Code:IT
network:Tech-Contact;I:NETWO1546-ARIN
network:Admin-Contact;I:NETWO1546-ARIN
network:Abuse-Contact;I:ABUSE2492-ARIN
network:Created:20120430
network:Updated:20120430
It's quite possible that Mr Coco doesn't know that the IP range is being abused in this way, but blocking access to it would be prudent.
Added: You can also add 108.178.59.6 to the list of malicious sites.
So far, I've seen blackhole samples from 108.178.59.20, 108.178.59.11 and 108.178.59.26 which is enough to convince me that the whole /26 is bad an should be blocked.
Singlehop have reallocated the IP range to a customer:
network:Class-Name:network
network:ID:ORG-SINGL-8.108-178-59-0/26
network:Auth-Area:108.178.0.0/18
network:IP-Network:108.178.59.0/26
network:Organization:Lorenzo Coco
network:Street-Address:via Nardi, 8 Prato
network:City:Prato
network:State:Italy
network:Postal-Code:59100
network:Country-Code:IT
network:Tech-Contact;I:NETWO1546-ARIN
network:Admin-Contact;I:NETWO1546-ARIN
network:Abuse-Contact;I:ABUSE2492-ARIN
network:Created:20120430
network:Updated:20120430
It's quite possible that Mr Coco doesn't know that the IP range is being abused in this way, but blocking access to it would be prudent.
Added: You can also add 108.178.59.6 to the list of malicious sites.
Labels:
Evil Network,
Italy,
Malware,
Viruses
BBB Spam / one.1000houses.biz
This fake BBB spam leads to malware at one.1000houses.biz:
Blocking 199.195.116.185 would probably be prudent.
Date: Tue, 25 Sep 2012 11:42:18 +0200The malicious payload is at [donotclick]one.1000houses.biz/links/deep_recover-result.php hosted on 199.195.116.185 (A2 Hosting, US). The domain 1000houses.biz appears to be a legitimate domain where the GoDaddy account has been hacked to serve malware on subdomains. There seems to be a long-standing issue with GoDaddy domains being used in this way.
From: "Better.Business Bureau" [8050910@zread.com]
Subject: Activity Report
Dear business owner, we have received a complaint about your company possible involvement in check cashing and Money Order Scam.
You are asked to provide response to this complaint within 7 days.
Failure to provide the necessary information will result in downgrading your Better Business Bureau rating and possible cancellation of your BBB accreditation status.
Complaint ID#125368
Council of Better Business Bureaus
3033 Wilson Blvd, Suite 600
Arlington, VA 22201
Phone: 1 (703) 276.0100
Fax: 1 (703) 525.8277
Blocking 199.195.116.185 would probably be prudent.
Monday, 24 September 2012
Amazon.com spam / pallada-cruise.net
From: Belinda Gallagher vigilancejy586@williamsguitarcompany.com
To: [redacted]
Date: 24 September 2012 18:44
Subject: Your Order Shipped Now
Amazon
Your Orders  | Your Account | Amazon.com
Order Confirmation
Order #002-3989927-06014360
Greetings [redacted],
Thank you for shopping with us. Wethought you'd like to know that our shop shipped your item, and that this completes your order.. If you need to return an good from this shipment or manage other orders, please visit Your Orders on Amazon.com.
Your estimated delivery date is:
Friday, September 21, 2012
Why tracking information may not be available?
Your order was shipped to:
[redacted]
006 S Academy St, App. 1D
S Paolo, DC
United States
This shipment have no an associated delivery tracking No..
Shipment Details
LG 42LW5302, SV 46-Inch 720p 120 Hz Cinema 3D LCD HDTV with 3D Blu-ray Player and Four Pairs of 3D Glasses
Sold by onner
Condition: not-used before
$612.35
Item Subtotal: $612.35
Shipping & Handling: $20.43
Total Before Tax: $612.35
Shipment Total: $612.35
Paid by MC: $612.35
Returns are easy. Visit our ON-line Return Center.
If you need further assistance with your order, please visit Merchant Contact Form.
We hope to see you again soon!
Amazon.com
Unless otherwise noted, items are sold by Amazon LLC. Learn more about tax and item provider information.
This email was sent from a notification-only address that cannot accept incoming email. Please don't reply to this message.
The malicious payload (probably a Blackhole 2 exploit kit) is at [donotclick]pallada-cruise.net/detects/plain-keyboard_beginning-monitor.php hosted on 203.91.113.6 (G Mobile, Mongolia), an IP address that has been very active in spreading badness and which you should block if you can.
BBB Spam / 108.178.59.11
This fake BBB spam leads to malware on 108.178.59.11:
The malicious payload is on [donotclick]108.178.59.11/links/anybody_miss-knowing.php (Singlehop, US) which is most likely a Blackhole 2 kit. This IP address has been used in other attacks and should be blocked if you can.
Date: Mon, 24 Sep 2012 18:39:47 +0530
From: "BBB Complaint activity report" [B1A41D3F@onlinepcexpert.net]
Subject: BBB Case #9833204
Dear business owner, we have received a complaint about your company possible involvement in check cashing and Money Order Scam.
You are asked to provide response to this complaint within 7 days.
Failure to provide the necessary information will result in downgrading your Better Business Bureau rating and possible cancellation of your BBB accreditation status.
Complaint ID#9833204
Council of Better Business Bureaus
3033 Wilson Blvd, Suite 600
Arlington, VA 22201
Phone: 1 (703) 276.0100
Fax: 1 (703) 525.8277
==========
Date: Mon, 24 Sep 2012 08:25:00 -0300
From: "Better Business Bureau" [792375B2@mbdservices.com]
Subject: BBB Complaint activity report
Dear business owner, we have received a complaint about your company possible involvement in check cashing and Money Order Scam.
You are asked to provide response to this complaint within 7 days.
Failure to provide the necessary information will result in downgrading your Better Business Bureau rating and possible cancellation of your BBB accreditation status.
Complaint ID#360343
Council of Better Business Bureaus
3033 Wilson Blvd, Suite 600
Arlington, VA 22201
Phone: 1 (703) 276.0100
Fax: 1 (703) 525.8277
The malicious payload is on [donotclick]108.178.59.11/links/anybody_miss-knowing.php (Singlehop, US) which is most likely a Blackhole 2 kit. This IP address has been used in other attacks and should be blocked if you can.
Saturday, 22 September 2012
LinkedIn spam / 69.194.201.21
This fake LinkedIn spam leads to malware on 69.194.201.21:
The malicious payload is at [donotclick]69.194.201.21/links/deep_recover-result.php (Solar VPS, US) which appears to be a Blackhole 2 exploit kit. Blocking this IP address would be prudent.
Date: Sat, 22 Sep 2012 15:16:47 -0500
From: "Reminder" [CC8504C0E@updownstudio.com]
Subject: LinkedIn: New messages awaiting your response
REMINDERS
Invitation reminders:
From Emilio Byrd (Insurance Manager at Wolseley)
PENDING MESSAGES
There are a total of 88 message(-s) awaiting your response. Go to InBox now.
This message was sent to [redacted]. This is an occasional email to help you get the most out of LinkedIn.
Adjust your message settings.
LinkedIn values your privacy. At no time has LinkedIn made your email address available to any other LinkedIn user without your permission.
2012, LinkedIn Corporation.
The malicious payload is at [donotclick]69.194.201.21/links/deep_recover-result.php (Solar VPS, US) which appears to be a Blackhole 2 exploit kit. Blocking this IP address would be prudent.
Thursday, 20 September 2012
Amazon.com spam / webgrafismo.net and 203.91.113.6
This fake Amazon.com spam leads to malware on webgrafismo.net:
The malicious payload is at [donotclick]webgrafismo.net/detects/rates-event_convinced-sent.php hosted on a known bad IP address of 203.91.113.6 (G Mobile, Mongolia). The exploit kit is probably Blackhole 2 given it's characteristics.
If you can block this IP address then I strong advise it. Other malicious sites on the same IP include.
penel-opessong.com
sncahmn.com
xlzones.com
virtual-geocaching.net
afgreenwich.net
cedarbuiltok.net
sowendo.net
thebummwrap.net
allmn-leicncester.net
bode-sales.net
webgrafismo.net
Date: Fri, 21 Sep 2012 03:44:47 +0800
From: "Adolfo Bruno" [debitst54@uky.edu]
Subject: Your HD TV Delivered Yesterday
Your Orders | Your Account | Amazon.com
Shipping Confirmation
Order #002-9587043-55406590
Greetings [redacted],
Thank you for shopping with us. Wethought you'd like to know that amazon shipped your item, and that this completes your order.. If you need to return an item from this shipment or manage other orders, please visit Your Orders on Amazon.com.
Your estimated shipment delivery date is:
Friday, September 21, 2012
Why tracking information may be unavailable?
Your order was sent to:
[redacted]
572 9th Ave, App. 2D
S Paolo, TX
United States
This shipment does not have an associated delivery tracking No..
Conveyance Data
Sharp XVT3D32, SV 46-Inch 1080p 1000 Hz Cinema 3D LED-LCD HDTV with 3D Blu-ray Player and Two Pairs of 3D Glasses
Sold by secondipity
Condition: used - acceptable
$740.43
Item Subtotal: $740.43
Shipping & Handling: $22.40
Total Before Tax: $740.43
Shipment Total: $740.43
Paid by Maestro: $740.43
Returns are easy. Visit our ON-line Return Center.
If you need urgent assistance with your order, please visit Merchant Contact Form.
We hope to see you again soon!
Amazon.com
Unless otherwise noted, items are sold by Amazon LLC. Learn more about tax and seller information.
This email was sent from a notification-only address that cannot accept incoming email. Please don't reply to this message.
==========
Date: Thu, 20 Sep 2012 20:51:04 +0100
From: "Ned@mc2school.org" [Ned@ataonline.com.tr]
Subject: Re: HDTV Shipped Yesterday
Your Orders | Your Account | Amazon.com
Order Processing Confirmation
Order #002-1662198-01565354
Greetings [redacted],
Thank you for shopping with us. Wethought you'd like to know that amazon shipped your item, and that this completes your order.. If you need to return an item from this shipment or manage other orders, please visit Your Orders on Amazon.com.
Your estimated shipment date is:
Friday, September 21, 2012
Why tracking information may be not available?
Your order was delivered to:
[redacted]
148 S Academy Dr, App. 1D
Albuquerque, KY
United States
This shipment does not have an associated delivery tracking number.
Order
Sony XVT3D15, SV 42-Inch 1080p 600 Hz Cinema 3D LCD HDTV with 3D Blu-ray Player and Two Pairs of 3D Glasses
Sold by onner
Condition: used-new
$594.65
Item Subtotal: $594.65
Shipping & Handling: $22.34
Total Before Tax: $594.65
Shipment Total: $594.65
Paid by Discover: $594.65
Returns are easy. Visit our ON-line Return Center.
If you need urgent assistance with your order, please visit Merchant Contact Form.
We hope to see you again soon!
Amazon.com
Unless otherwise noted, items are sold by Amazon LLC. Learn more about tax and shop information.
This email was sent from a notification-only address that cannot accept incoming email. Please don't reply to this message.
The malicious payload is at [donotclick]webgrafismo.net/detects/rates-event_convinced-sent.php hosted on a known bad IP address of 203.91.113.6 (G Mobile, Mongolia). The exploit kit is probably Blackhole 2 given it's characteristics.
If you can block this IP address then I strong advise it. Other malicious sites on the same IP include.
penel-opessong.com
sncahmn.com
xlzones.com
virtual-geocaching.net
afgreenwich.net
cedarbuiltok.net
sowendo.net
thebummwrap.net
allmn-leicncester.net
bode-sales.net
webgrafismo.net
Federal Tax Payment Spam / soisokdomen.ru
This fake tax payment spam leads to malware on soisokdomen.ru:
213.135.42.98
50.56.92.47
203.80.16.81
Blocking these would be prudent.
Date: Thu, 20 Sep 2012 09:10:47 -0300The malicious payload (probably Blackhole 2) is at [donotclick]soisokdomen.ru:8080/forum/links/column.php hosted on the following familiar looking IP addresses:
From: Badoo [noreply@badoo.com]
Subject: Re: Fwd: Tax Payment COM1684-645 is failed.
Hello,
Your Federal Tax Payment has been rejected.
Please, check the information and refer to Code I 94 to get details about
your company payment:
http://www.eftps.gov/section794/P9367027
JACINTA Stout,
The Electronic Federal Tax Payment System
213.135.42.98
50.56.92.47
203.80.16.81
Blocking these would be prudent.
ADP Spam / 69.194.192.203
This fake ADP spam email leads to malware on 69.194.192.203:
The malicious payload is at [donotclick]69.194.192.203/links/deep_recover-result.php (probably Blackhole 2.0) hosted by Solar VPS in the US. This IP has been used for malware before recently, blocking it would be prudent.
Date: Thu, 20 Sep 2012 14:25:24 +0300
From: "ADPClientServices" [ABD331056@losblancoba.com.ar]
Subject: ADP Urgent Notification - Debit Draft
Your Transaction Report(s) have been uploaded to the web site:
https://www.flexdirect.adp.com/client/login.aspx
Please note that your bank account will be debited within one banking business day for the amount(s) shown on the report(s).
Please do not respond or reply to this automated e-mail. If you have any questions or comments, please Contact your ADP Benefits Specialist.
Thank You,
ADP Benefit Services
The malicious payload is at [donotclick]69.194.192.203/links/deep_recover-result.php (probably Blackhole 2.0) hosted by Solar VPS in the US. This IP has been used for malware before recently, blocking it would be prudent.
Tuesday, 18 September 2012
UPS Spam / denegnashete.ru
This fake UPS spam (or is it USPS.. or LinkedIn?) leads to malware on denegnashete.ru:
The malware can be found at [donotclick]denegnashete.ru:8080/forum/links/column.php which is the same as found on this attack..
Date: Tue, 18 Sep 2012 08:01:39 +0100
From: LinkedIn Connections [connections@linkedin.com]
Subject: UPS: Your Package H7022585958
Attachments: UPS_ID7683348.htm
You can use UPS Services to:
Ship Online
Schedule a Pickup
Open a UPS Team Account
Welcome to UPS CUSTOMER SERVICES
OI, [redacted].
Dear Customer , We were not able to delivery the postal package
Please print out the invoice copy attached and collect the package at our department.
Best Regards , UPS .com Customer Services.
Copyright 2011 United Parcel Service of America, Inc. USPS Services, the Your usps Customer Services brandmark, and the color brown are trademarks of United Parcel Service of America, Inc. All rights reserved.
Please do not reply directly to this e-mail. Your USPS .us Customer Services will not receive any reply message. For questions or comments, visit Contact UPS.
We understand the importance of privacy to our customers. For more information, please consult the USPS Team Privacy Policy.
This communication contains proprietary information and may be confidential. If you are not the intended recipient, the reading, copying, disclosure or other use of the contents of this e-mail is strictly prohibited and you are instructed to please delete this e-mail immediately.
The malware can be found at [donotclick]denegnashete.ru:8080/forum/links/column.php which is the same as found on this attack..
"Scan from a Hewlett-Packard ScanJet" spam / denegnashete.ru
This fake printer spam.. or Craigslist spam.. leads to malware on denegnashete.ru:
The malicious payload is at [donotclick]denegnashete.ru:8080/forum/links/column.php (report here) hosted on the same IPs as found here.
From: craigslist - automated message, do not reply [mailto:robot@craigslist.org]
Sent: 18 September 2012 11:44
Subject: Re: Fwd: Scan from a Hewlett-Packard ScanJet #97273
A document was scanned and sent to you using a Hewlett-Packard HP18412598P
Sent to you by: SIDNEY
Pages : 7
Filetype(s): Images (.jpeg) View
Location: not set.
Device: P91162592KLLD
The malicious payload is at [donotclick]denegnashete.ru:8080/forum/links/column.php (report here) hosted on the same IPs as found here.
Labels:
Malware,
Printer Spam,
RU:8080,
Spam,
Viruses
IRS spam / xlzones.com
More IRS themed spam, this time leading to malware on xlzones.com:
The malicious payload can be found at [donotclick]xlzones.com/detects/char-storing-hate.php and [donotclick]xlzones.com/maintain/java.jar (report here) hosted on the familiar IP address of 203.91.113.6 (G Mobile, Mongolia). Block this IP if you can.. also beware of these other malicious domains on the same server:
centennialfield.net
blue-lotusgrove.net
virtual-geocaching.net
afgreenwich.net
cedarbuiltok.net
thebummwrap.net
bode-sales.net
cat-mails.net
xlzones.com
From: Internal Revenue Service [mailto:papillaq9@wonderware.com]
Sent: 18 September 2012 15:22
Subject: Your IRS federal tax payment has not been accepted
Importance: High
Your Federal Tax transaction (ID: 1550573369185), recently sent from your bank account was returned by The Electronic Federal Tax Payment System.
Not Accepted Tax transfer
Tax Transaction ID: 1550573369185
Reason ID See details in the report below
Income Tax Transaction Report tax_report_1550573369185.doc (Microsoft Word Document)
Internal Revenue Service P.O. Box 996 Davis 99627 NY
The malicious payload can be found at [donotclick]xlzones.com/detects/char-storing-hate.php and [donotclick]xlzones.com/maintain/java.jar (report here) hosted on the familiar IP address of 203.91.113.6 (G Mobile, Mongolia). Block this IP if you can.. also beware of these other malicious domains on the same server:
centennialfield.net
blue-lotusgrove.net
virtual-geocaching.net
afgreenwich.net
cedarbuiltok.net
thebummwrap.net
bode-sales.net
cat-mails.net
xlzones.com
"Photos" spam / diareuomop.ru
From: Carleen GarrettThe payload is at [donotclick]diareuomop.ru:8080/forum/links/column.php hosted on the following IPs:
Sent: Tuesday, September 18, 2012 3:17:33 PM
Subject: Photos
Hi,
as promised your photos - http://flyershot.com/gallery.htm
50.56.92.47
203.80.16.81
46.51.218.71
These IPs are a subset of the ones found here. Block 'em if you can.
Monday, 17 September 2012
Intuit.com spam / kerneloffce.ru
This fake Intuit.com spam attempts to load malware from kerneloffce.ru:
The malicious payload is at kerneloffce.ru:8080/forum/links/column.php which was hosted on 46.51.218.71 (Amazon, Ireland) until it got nuked. The following domains and IP addresses are all related:
moskowpulkavo.ru
omahabeachs.ru
kerneloffce.ru
46.51.218.71
50.56.92.47
62.76.188.246
62.76.190.50
87.120.41.155
91.194.122.8
132.248.49.112
178.63.51.54
203.80.16.81
Date: Mon, 17 Sep 2012 08:54:50 -0600
From: "Mason Jordan" [LillieRoell@digitalnubia.com]
Subject: Your Intuit.com software order.
Attachments: Intuit_Order_A49436.htm
Dear customer: Thank you for ordering from Intuit Market. We are processing and will message you when your order ships. If you ordered multiple items, we may sned them in more than one delivery (at no extra cost to you) to ensure quicker delivery. If you have questions about your order please call 1-900-130-1601 ($4.79/min).
ORDER INFORMATION
Please download your complete order id #1197744 from the attachment.(Open with Internet Explorer)
�2012 Intuit, Inc. All rights reserved. Intuit, the Intuit Logo, Quickbooks, Quicken and TurboTax, among others, are registered trademarks of Intuit Inc.
The malicious payload is at kerneloffce.ru:8080/forum/links/column.php which was hosted on 46.51.218.71 (Amazon, Ireland) until it got nuked. The following domains and IP addresses are all related:
moskowpulkavo.ru
omahabeachs.ru
kerneloffce.ru
46.51.218.71
50.56.92.47
62.76.188.246
62.76.190.50
87.120.41.155
91.194.122.8
132.248.49.112
178.63.51.54
203.80.16.81
IRS Spam / virtual-geocaching.net
This spam leads to malware on virtual-geocaching.net:
The malicious payload is at [donotclick]virtual-geocaching.net/main.php?page=7de3f5c4200c896e (report here) on 203.91.113.6 (G Mobile, Mongolia) as used in this recent attack and several others.
Date: Mon, 17 Sep 2012 11:28:14 -0600
From: Internal Revenue Service [tangierss4@porterorlin.com]
Subject: IRS report of not approved tax transfer
Your State Tax transfer (ID: 30062091798009), recently sent from your checking account was returned by Internal Revenue Service payment processing unit.
Not Accepted Tax transaction
Tax Transaction ID: 30062091798009
Reason of rejection See details in the report below
Federal Tax Transaction Report tax_report_30062091798009.doc (Microsoft Word Document)
Internal Revenue Service 3192 Aliquam Rd. Davis 71320 VA
IRS spam / thebummwrap.net
This fake IRS spam leads to malware on thebummwrap.net:
The malicious payload is at [donotclick]thebummwrap.net/main.php?page=7de3f5c4200c896e hosted on 203.91.113.6 (G Mobile Mongolia) which has been used several times recently for evil purposes.
At the moment, the following sites seem to be active on the server, all can be assumed to be malicious.
thebummwrap.net
centennialfield.net
blue-lotusgrove.net
afgreenwich.net
bode-sales.net
cat-mails.net
nitor-solutions.net
From: Internal Revenue Service [mailto:fascinatesh07@deltamar.net]
Sent: 17 September 2012 15:30
Subject: Your federal tax transaction has been not accepted
Your State Tax transaction (ID: 60498447771657), recently initiated from your bank account was canceled by The Electronic Federal Tax Payment System.
Not Accepted Tax transaction
Tax Transaction ID: 60498447771657
Rejection code See details in the report below
Income Tax Transaction Report tax_report_60498447771657.doc (Microsoft Word Document)
Internal Revenue Service Ap #822-9450 Cum Avenue Edmond 33020 MI
The malicious payload is at [donotclick]thebummwrap.net/main.php?page=7de3f5c4200c896e hosted on 203.91.113.6 (G Mobile Mongolia) which has been used several times recently for evil purposes.
At the moment, the following sites seem to be active on the server, all can be assumed to be malicious.
thebummwrap.net
centennialfield.net
blue-lotusgrove.net
afgreenwich.net
bode-sales.net
cat-mails.net
nitor-solutions.net
Spam with numbers and "hi" in it..
There seems to be a lot of this about today..
The emails are not harmful, but obviously there is something going on. One possibility is that this is a probing attack, where an outside source is attempting to enumerate live mailboxes or collate server responses for further use. A short email like this will get passed through many spam filters, so (for example) it could be that the attacker is looking for SMTP responses that indicate a real mailbox to spam again later rather than a dead one.
If you have any other ideas, then please share them in the Comments :)
Date: Mon, 17 Sep 2012 08:39:16 -0300The numbers vary in each email, from single digits to quite long sequences. The body text is always "Hi", nothing appears to be hidden or malicious in any way. One characteristic is that the recipient is not usually the one in the "To" field as the spam is using the BCC field to suppress recipients.
Subject: Re: 89898877282500
Hi
The emails are not harmful, but obviously there is something going on. One possibility is that this is a probing attack, where an outside source is attempting to enumerate live mailboxes or collate server responses for further use. A short email like this will get passed through many spam filters, so (for example) it could be that the attacker is looking for SMTP responses that indicate a real mailbox to spam again later rather than a dead one.
If you have any other ideas, then please share them in the Comments :)
Labels:
Spam
Thursday, 13 September 2012
ADP spam / 46.249.37.122
This fake ADP spam tries to load malware from 46.249.37.122:
After clicking the link bouncing through a couple of redirectors, the victim ends up at [donotclick]46.249.37.122/links/systems-links_warns.php which appears to be generating a 404 error (although it could be fake). This could be a legitimate but hacked server as it is also the IP address for a proxy service called dutchprox.com. In any case, you might decide you want to block the IP just in case.
From: ADP_Online_Invoice_DoNotReply@adp.com ADP_Online_Invoice_DoNotReply@adp.com
Date: 13 September 2012 14:29
Subject: ADP Invoice Reminder
Your latest ADP Dealer Services Invoice is now available to view or pay online at ADP Online Invoice Management .
To protect the security of your data, you will need to enter your ID and password, then click on Access your Online Invoice Management account.
Total amount due by September 13, 2012
$17202.04
If you have already sent your payment please disregard this friendly reminder and Thank you for choosing ADP.
Questions about your bill?
Contact David Nieto by Secure Mail.
Note: This is an automated email. Please do not reply.
After clicking the link bouncing through a couple of redirectors, the victim ends up at [donotclick]46.249.37.122/links/systems-links_warns.php which appears to be generating a 404 error (although it could be fake). This could be a legitimate but hacked server as it is also the IP address for a proxy service called dutchprox.com. In any case, you might decide you want to block the IP just in case.
Tuesday, 11 September 2012
US Airways spam / blue-lotusgrove.net
A couple of samples of a fake US Airways spam email leading to malware on blue-lotusgrove.net:
The malicious payload is at [donotclick]blue-lotusgrove.net/main.php?page=559e008e5ed98bf7 (report here) hosted on 203.91.113.6 (G Mobile, Mongolia), the same IP used in this attack. The following domains are on the same server, they can all be considered to be malicious:
padded.pl
spiki.pl
fruno.pl
nextbox.pl
omariosca.com
hemiga.com
decorera.com
seneesamj.com
unitmusiceditior.com
likenstendarts.com
flatbuzz.com
morepic.net
dushare.net
blue-lotusgrove.net
nitor-solutions.net
gsigallery.net
atfood.ru
indyware.ru
advia.kz
iowa.kz
autumn.kz
wet.kz
Date: Tue, 11 Sep 2012 15:32:42 -0300
From: "US Airways - Reservations" [reservations@myusairways.com]
Subject: Please confirm your US Airways online registration.
You can check in from 24 hours and up to 60 minutes before your flight (2 hours if you're flying internationally). Then, all you need to do is print your boarding pass and proceed to the gate.
Confirmation code: 592499
Check-in online: Online reservation details
Flight
6840
Departure city and time
Washington, DC (DCA) 10:00PM
Depart date: 9/12/2012
We are committed to protecting your privacy. Your information is kept private and confidential. For information about our privacy policy visit usairways.com.
US Airways, 111 W. Rio Salado Pkwy, Tempe, AZ 85281 , Copyright US Airways , All rights reserved.
==========
Date: Tue, 11 Sep 2012 23:29:14 +0700
From: "US Airways - Reservations" [intuitpayroll@e.payroll.intuit.com]
Subject: US Airways online check-in.
you {l2} check in from 24 hours and up to 60 minutes before your flight (2 hours if you're flying {l3}). {l4}, all you {l5} to do is print your boarding pass and {l6} to the gate.
confirmation code: {digit}
check-in online: online reservation details
flight
{digit}
departure city and time
washington, dc (dca) 10:00pm
depart date: 9/12/2012
we are committed to protecting your privacy. your information is kept private and confidential. for information about our privacy policy visit usairways.com.
us airways, 111 w. rio salado pkwy, tempe, az 85281 , copyright us airways , all rights reserved.
The malicious payload is at [donotclick]blue-lotusgrove.net/main.php?page=559e008e5ed98bf7 (report here) hosted on 203.91.113.6 (G Mobile, Mongolia), the same IP used in this attack. The following domains are on the same server, they can all be considered to be malicious:
padded.pl
spiki.pl
fruno.pl
nextbox.pl
omariosca.com
hemiga.com
decorera.com
seneesamj.com
unitmusiceditior.com
likenstendarts.com
flatbuzz.com
morepic.net
dushare.net
blue-lotusgrove.net
nitor-solutions.net
gsigallery.net
atfood.ru
indyware.ru
advia.kz
iowa.kz
autumn.kz
wet.kz
Friday, 7 September 2012
FedEx spam / dushare.net and gsigallery.net
Two fake FedEx campaigns today, with a format similar to the one found here but with different payload sites of dushare.net and gsigallery.net
In the first case, the malicious payload is at [donotclick]dushare.net/main.php?page=c82ec1c8d6998cf0 (report here) hosted on 203.91.113.6 (G Mobile, Mongolia). In the second case the payload is at [donotclick]gsigallery.net/main.php?page=2bfd5695763b6536 (report here) also hosted on 203.91.113.6.
The following domains are on the same server and should also be treated as being suspect.
padded.pl
spiki.pl
fruno.pl
nextbox.pl
omariosca.com
hemiga.com
decorera.com
seneesamj.com
obweesysho.com
unitmusiceditior.com
likenstendarts.com
flatbuzz.com
morepic.net
atfood.ru
indyware.ru
advia.kz
iowa.kz
autumn.kz
wet.kz
dushare.net
gsigallery.net
In the first case, the malicious payload is at [donotclick]dushare.net/main.php?page=c82ec1c8d6998cf0 (report here) hosted on 203.91.113.6 (G Mobile, Mongolia). In the second case the payload is at [donotclick]gsigallery.net/main.php?page=2bfd5695763b6536 (report here) also hosted on 203.91.113.6.
The following domains are on the same server and should also be treated as being suspect.
padded.pl
spiki.pl
fruno.pl
nextbox.pl
omariosca.com
hemiga.com
decorera.com
seneesamj.com
obweesysho.com
unitmusiceditior.com
likenstendarts.com
flatbuzz.com
morepic.net
atfood.ru
indyware.ru
advia.kz
iowa.kz
autumn.kz
wet.kz
dushare.net
gsigallery.net
FedEx spam / studiomonahan.net
This somewhat mangled looking fake FedEx spam leads to malware on studiomonahan.net:
Subjects spotted so far include:
Pay your Fedex invoice online.
Your Fedex invoice is ready to be paid now.
Please pay your outstanding Fedex invoice.
Your Fedex invoice is ready.
The malicious payload is found at [donotclick]studiomonahan.net/main.php?page=2bfd5695763b6536 (report here) hosted on 206.253.164.43 (Hostigation, US). The server contains the following suspect domains which should also be blocked:
fireinthesgae.pl
joncarterlope.pl
storuofginezi.com
usagetorrenen.com
dinitrolkalor.com
comercicalinz.com
studiomonahan.net
globusbusworld.su
jordanpowelove.su
appropriatenew.su
cdfilmcounderw.su
studiomonahan.net
Date: Thu, 6 Sep 2012 11:00:28 -0600
From: BillingOnline@fedex.com
Subject: Your Fedex invoice is ready to be paid now.
FedEx Billing Online - Ready for Payment
fedex.com
<td wid="th="10"" rowspan="2">
Hello [redacted]
You have a new not paid bill from FedEx that is ready for payment.
The following ivoice(s) are ready for your review :
<table border-top="1px solid #000" solid="" #000"="" border-left="1px solid #ccc" border="-bottom="1px" height="55" width="473">
<td= class="resultstableheader">
Invoice Number
7215-17193
To pay or review these invoices, please sign in to your FedEx Billing Online account by clicking on this link: http://www.fedex.com/us/account/fbo
Note: Please do not use this email to submit payment. This email may not be used as a remittance notice. To pay your invoices, please visit FedEx Billing Online, http://www.fedex.com/us/account/fbo
Thank you,
Revenue Services
FedEx
This message has been sent by an auto responder system. Please do not reply to this message.
The content of this message is protected by copyright and trademark laws under U.S. and international law.
Review our privacy policy. All rights reserved.
Subjects spotted so far include:
Pay your Fedex invoice online.
Your Fedex invoice is ready to be paid now.
Please pay your outstanding Fedex invoice.
Your Fedex invoice is ready.
The malicious payload is found at [donotclick]studiomonahan.net/main.php?page=2bfd5695763b6536 (report here) hosted on 206.253.164.43 (Hostigation, US). The server contains the following suspect domains which should also be blocked:
fireinthesgae.pl
joncarterlope.pl
storuofginezi.com
usagetorrenen.com
dinitrolkalor.com
comercicalinz.com
studiomonahan.net
globusbusworld.su
jordanpowelove.su
appropriatenew.su
cdfilmcounderw.su
studiomonahan.net
Wednesday, 5 September 2012
Nokia Lumia 920
This is nice. If you've been waiting a long time for Nokia to come up with something competitive in the smartphone market then the wait might be over, because the Lumia 920 is certainly as good as the best of them.
Perhaps the interesting thing is Windows Phone 8, based on the same core as the desktop version. It holds out the promise of eventual Active Directory integration and easier management for corporates. And it's a lot, lot sexier than a BlackBerry.
[via]
Perhaps the interesting thing is Windows Phone 8, based on the same core as the desktop version. It holds out the promise of eventual Active Directory integration and easier management for corporates. And it's a lot, lot sexier than a BlackBerry.
[via]
"Records passed to us show you're entitled to a refund.." SMS Spam (again)
These spammers are at it again:
The sending number is +447876628983 (although they will change this). Bearing in mind that I have never been mis-sold PPI, I can pretty much disregard this as a scam. Except, rather more seriously the implication is that the spammers are prepared to submit a fraudulent refund claim on your behalf, which is something rather more serious.
If you get one of these, you should forward the spam and the sender's number to your carrier. In the came of T-Mobile, O2 and Orange the number to report to is 7726 ("SPAM"). Vodafone customers should use 87726 ("VSPAM") and Three customers should use 37726 ("3SPAM"). Hopefully the carriers will act if there are enough complaints.
Records passed to us show you're entitled to a refund approximately £2560 in compensation from mis-selling of PPI on your credit card or loan.Reply INFO or stop
The sending number is +447876628983 (although they will change this). Bearing in mind that I have never been mis-sold PPI, I can pretty much disregard this as a scam. Except, rather more seriously the implication is that the spammers are prepared to submit a fraudulent refund claim on your behalf, which is something rather more serious.
If you get one of these, you should forward the spam and the sender's number to your carrier. In the came of T-Mobile, O2 and Orange the number to report to is 7726 ("SPAM"). Vodafone customers should use 87726 ("VSPAM") and Three customers should use 37726 ("3SPAM"). Hopefully the carriers will act if there are enough complaints.
Fake HMRC spam leads to multi-phish
Here's something I haven't seen before.. it starts with an email:
HM Revenue and Customs are the UK tax collecting agency, so this is basically a tax refund. The link goes to a somewhat authentic looking page.
The phishing site in this case is in Korea (durideco.co.kr in this case). The interesting part is the drop-down menu in the middle that the victim is meant to use to select their bank. There are 17 different UK banks to choose from. Each one leads to an individual phishing page for each bank, for example:
or
I won't bother pasting all the pictures here, but some of the pages are very good and a few don't work at all (e.g. Northern Rock, which doesn't really exist any more).
This is quite a clever approach. Normally a phishing email is a "one bank per phish" affair.. it's no use sending someone a Barclays phish if they're with HSBC. In this case pretty much all the major UK banks are covered in one email which is really quite sneaky..
From: HM Revenue & Customs [mailto:refund.request@hmrc.gov.uk]
Sent: 05 September 2012 14:27
Subject: Tax Refund Alert - Action Required
How to complain, ask for a review or make an appeal
Review process update
Review process - the first 12 months. Find out more
Claim Your Tax Refund Online
We identified an error in the calculation of your tax from the last payment, amounting to £ 859.00. In order for us to return the excess payment, we need to confirm a few extra details after which the funds will be credited to your specified bank account. Please click "Refund Me Now" below to claim your refund:
Refund Me Now
We are here to ensure the correct tax is paid at the right time, whether this relates to payment of taxes received by the department or entitlement to benefits paid.
Best Regards,
HM Revenue & Customs Refund Department
• See also
• Appeal and review news
• Working and paying tax
• Pensioners
• Find a form
• Complaints factsheet C/FS (PDF 67K)
• Feedback
HM Revenue and Customs are the UK tax collecting agency, so this is basically a tax refund. The link goes to a somewhat authentic looking page.
The phishing site in this case is in Korea (durideco.co.kr in this case). The interesting part is the drop-down menu in the middle that the victim is meant to use to select their bank. There are 17 different UK banks to choose from. Each one leads to an individual phishing page for each bank, for example:
or
I won't bother pasting all the pictures here, but some of the pages are very good and a few don't work at all (e.g. Northern Rock, which doesn't really exist any more).
This is quite a clever approach. Normally a phishing email is a "one bank per phish" affair.. it's no use sending someone a Barclays phish if they're with HSBC. In this case pretty much all the major UK banks are covered in one email which is really quite sneaky..
Labels:
Phishing
Something evil on 195.225.55.130
These domains are pushing some sort of malware or other (possibly fake antivirus). It's hard to tell exactly what nastiness is here, but given that these are all recently registered domains with fake WHOIS details then it's certainly not going to be anything good.
Whatever it is, it seems to be promoted via spam and requires the correct User Agents and Referrer data to trigger. Sites are hosted on 195.225.55.130 (Dako Systems, Netherlands)
spokanesimplified.org
safetygold.org
businsideessfolowinggate.org
reservetri.org
cardreform.org
swapopen.org
businessfolowingdoor.org
smokersinsurancelinesguns.org
smokerslifeonlinesguns.org
smokerslifeoverlinesguns.org
livesstorytiderss.org
wiredesert.org
mylittallbeizz.org
gunslinzmouses.info
criticstocks.info
largusliananumbers.info
livesstorytiders.info
mailhostsboot.info
Whatever it is, it seems to be promoted via spam and requires the correct User Agents and Referrer data to trigger. Sites are hosted on 195.225.55.130 (Dako Systems, Netherlands)
spokanesimplified.org
safetygold.org
businsideessfolowinggate.org
reservetri.org
cardreform.org
swapopen.org
businessfolowingdoor.org
smokersinsurancelinesguns.org
smokerslifeonlinesguns.org
smokerslifeoverlinesguns.org
livesstorytiderss.org
wiredesert.org
mylittallbeizz.org
gunslinzmouses.info
criticstocks.info
largusliananumbers.info
livesstorytiders.info
mailhostsboot.info
Labels:
Evil Network
Tuesday, 4 September 2012
LinkedIn spam / 108.178.59.26 and myasuslaptop.com
This fake LinkedIn spam leads to malware on 108.178.59.26 and myasuslaptop.com:
The malicious payload (report here) is at [donotclick]108.178.59.26/bv6rcs3v1ithi.php?w=6de4412e62fd13be (Singlehop, US) in a block 108.178.59.0/26 suballocated to a person in Italy. A further malicious download is attempted from [donotclick]myasuslaptop.com/updateflashplayer.exe which appears to be a legitimate (but hacked site).
My personal preference with any emails purporting to be from LinkedIn is to block them at the perimeter. As far as most businesses are concerned it is simply a playground for recruiters trying to poach your staff..
Date: Tue, 04 Sep 2012 10:43:03 +0100
From: "noreply" [noreply@linkedin.com]
Subject: Link LinkedIn Mail
REMINDERS
Invitation reminders:
• From Charlie Alexander (Mexico Key Account Director at Quanta)
PENDING MESSAGES
• There are a total of 5 messages awaiting your response. Visit your InBox now.
Don't want to receive email notifications? Adjust your message settings.
LinkedIn values your privacy. At no time has LinkedIn made your email address available to any other LinkedIn user without your permission. © 2012, LinkedIn Corporation.
The malicious payload (report here) is at [donotclick]108.178.59.26/bv6rcs3v1ithi.php?w=6de4412e62fd13be (Singlehop, US) in a block 108.178.59.0/26 suballocated to a person in Italy. A further malicious download is attempted from [donotclick]myasuslaptop.com/updateflashplayer.exe which appears to be a legitimate (but hacked site).
My personal preference with any emails purporting to be from LinkedIn is to block them at the perimeter. As far as most businesses are concerned it is simply a playground for recruiters trying to poach your staff..
Tuesday, 28 August 2012
"QuickBooks Security Update" spam / roadmateremove.org
This fake Intuit spam leads to malware on roadmateremove.org:
The malicious payload is at [donotclick]roadmateremove.org/main.php?page=9bb4aab85fa703f5 (report here) hosted on 89.248.231.122 (Mastak Telecom / JSC Quickline, Russia) along with these other malicious sites:
roadmateremove.org
restoreairpowered.net
allhugedeals.net
classic-poems.net
You can pretty safely assume that 89.248.231.122 is a bad server and should be blocked.
Date: Tue, 28 Aug 2012 11:04:30 -0400
From: "Intuit Payroll Services" [intuitpayroll@e.payroll.intuit.com]
Subject: QuickBooks Security Update
You will not be able to access your Intuit QuickBooks without updated Intuit Security Tool (IST™) after 31th of August, 2012.
You can update Intuit Security Tool here.
After a successful download please run the setup for an automatic installation, then login to Intuit Quickbooks online to check that it is working properly.
This email was sent from an auto-notification system that can't accept incoming email. Please don't reply to this message.
You have received this business communication as part of our efforts to fulfill your request or service your account.
You may receive this and other business communications from us even if you have opted out of marketing messages.
Terms, conditions, pricing, features, and service options are subject to change. View our complete Terms of Service.
The malicious payload is at [donotclick]roadmateremove.org/main.php?page=9bb4aab85fa703f5 (report here) hosted on 89.248.231.122 (Mastak Telecom / JSC Quickline, Russia) along with these other malicious sites:
roadmateremove.org
restoreairpowered.net
allhugedeals.net
classic-poems.net
You can pretty safely assume that 89.248.231.122 is a bad server and should be blocked.
Monday, 27 August 2012
"Federal Tax Payment" spam / videomanipulationccflbacklit.pro
This spam attempts to load malware from videomanipulationccflbacklit.pro although at the moment the domain is not resolving:
I've seen a few .pro domains in spam recently, but they seem to get shut down quite quickly. I thought this TLD was meant to have more careful vetting?
Date: Mon, 27 Aug 2012 18:15:37 +0300
From: "Internal Revenue Service" [irs@service.govdelivery.com]
Subject: Federal Tax transaction canceled
Your Tax transaction (ID: 849395748011), recently sent from your checking account was canceled by the your financial institution.
Rejected Tax transfer
Tax Transaction ID: 849395748011
Return Reason See details in the report below
FederalTax Transaction Report tax_report_849395748011.doc (Microsoft Word Document)
Internal Revenue Service, Metro Plex 1, 8401 Corporate Drive, Suite 300, Landover, MD 20785
==========
Date: Mon, 27 Aug 2012 16:41:45 +0200
From: "Internal Revenue Service" [irs@service.govdelivery.com]
Subject: Rejected Federal Tax payment
Your Tax transaction (ID: 13394702616857), recently initiated from your bank account was returned by the your Bank.
Rejected Tax transfer
Tax Transaction ID: 13394702616857
Reason for rejection See details in the report below
Tax Transaction Report tax_report_13394702616857.doc (Microsoft Word Document)
Internal Revenue Service, Metro Plex 1, 8401 Corporate Drive, Suite 300, Landover, MD 20785
==========
Date: Mon, 27 Aug 2012 16:41:35 +0200
From: "Internal Revenue Service" [support@govdelivery.com]
Subject: Federal Tax payment canceled
Your Tax transaction (ID: 7227784606474), recently initiated from your bank account was returned by the The Electronic Federal Tax Payment System.
Rejected Tax transfer
Tax Transaction ID: 7227784606474
Reason for rejection See details in the report below
FederalTax Transaction Report tax_report_7227784606474.doc (Microsoft Word Document)
Internal Revenue Service, Metro Plex 1, 8401 Corporate Drive, Suite 300, Landover, MD 20785
I've seen a few .pro domains in spam recently, but they seem to get shut down quite quickly. I thought this TLD was meant to have more careful vetting?
Subscribe to:
Posts (Atom)