Sponsored by..

Wednesday, 10 October 2012

NACHA spam / formexiting.net

This fake NACHA spam leads to malware on formexiting.net:

From: The Electronic Payments Association [mailto:underlining34@anbid.com.br]
Sent: 10 October 2012 15:59
Subject: Rejected ACH transaction
Importance: High


The ACH transaction (ID: 9536860209937), recently issued from your bank account (by one of your account members), was reversed by the recepient's financial institution.
Canceled request
Transaction ID:     9536860209937
Reason of rejection    Review details in the statement below
Transaction Report    report_9536860209937.doc (Microsoft Office Word Document)


17390 Seaside Valley Drive, Suite 101
Herndon, VA 20171
2011 NACHA - The Electronic Payments Association

The malicious payload is on [donotclick]formexiting.net/detects/review_reject_reason.php hosted on 183.81.133.121 (Vodafone, Fiji) which is a well-known malicious IP that you should consider blocking.

Chase credit cards spam / 3.azwap.de

This fake Chase spam leads to malware on 3.azwap.de:

Date:      Wed, 10 Oct 2012 11:48:49 -0300
From:      "Chase.com" [noreply@sprint.com]
Subject:      Chase: your credit cars account

This is an Alert to help you manage your credit card account.


As you requested, we are notifying you of any charges over the amount of ($USD) 200.00, as specified in your Alert settings. A charge of ($USD) 233.30 at Apple Store has been authorized on Wed, 10 Oct 2012 11:48:49 -0300.


Do not reply to this Alert.


If you have questions, please call the number on the back of your credit card, or send a secure message from your Inbox on www.Chase.com/secure_m/id=34F4A5C



To see all of the Alerts available to you, or to manage your Alert settings, please log on to www.Chase.com.

The malicious payload is at [donotclick]3.azwap.de/links/assure_numb_engineers.php hosted on 69.194.194.229 (Solar VPS, US)

Another sample email:

 This is an Alert to help you manage your credit card account.

As you requested, we are notifying you of any charges over the amount of ($USD) 200.00, as specified in your Alert settings. A charge of ($USD) 669.84 at eStore has been authorized on Wed, 10 Oct 2012 11:31:42 -0400.

Do not reply to this Alert.

If you have questions, please call the number on the back of your credit card, or send a secure message from your Inbox on www.Chase.com/customer_login/u=83669F

To see all of the Alerts available to you, or to manage your Alert settings, please log on to www.Chase.com.


Something evil on 96.44.139.218 / perclickbank.org

There's something evil on 96.44.139.218 (OC3 Networks, US):

perclickbank.org
google-analitlcs.com
google-statistic.com
nailart4designs.com

Malvertising, basically. More details here.


union-trans.com employment scam

This fake job offer is for a "forwarding agent". What is a forwarding agent? Well, basically it's a parcel reshipping scam where goods bought with stolen credit cards are sent to the "agent's" home address, and then the "agent" forwards to stolen goods on to Eastern Europe or China or whatever. Of course, when the police catch on it's the "agent" who is in deep, deep trouble.

From:     alex Ford@un-trans.info
Reply-To:     alex@union-trans.com.cn
Date:     8 October 2012 14:46
Subject:     forwarder agent 2012-10-10 15:02:33

Hello,

It is glad to write to you with keen hope to open a business relationship with you.

union-trans (china) International Freight Co,. Ltd is always provide the best service and good price for Import and Export both of ocean and air freight.
These services include: FCL Import and Export, LCL Consolidation, Break-Bulk; Air Freight Import and Export, Sea-Land Transportation; as well as arranging booking, clearance, inspection,loading and evanning, storage, consultation, insurance, etc, forwarding supported services.Our business has extended all over the globe, including in Middle East, Red Sea, India, Europe, and East, Africa, Central and South America, Australia and Southeast Asia etc.
For more information,Please review to our website as below:
http://www.union-trans.com


We are looking forwarder to you reply!


Best regards

union-trans (china) International Freight Co,. Ltd
addr:Room 18B-2,East China Sea Dawn Building,Zhongshan Road 455, Ningbo Jiangdong area,Ningbo,China
directort manager:Alex Huang
Tel:+86-0574-89086653
Fax:+86-0574-89086659
Mbl:+86-0-13957424347 +86-0-15306636688
SKYPE:alex_huang58
Msn:alex_huang58@hotmail.com   Email:alex@union-trans.com.cn
There appear to be several scam domains in this same email.

union-trans.com is hosted on 180.178.32.238 (Simcentric, Hong Kong). The WHOIS details are:

Admin Name........... huang yijiang
  Admin Address........ Ningbo
  Admin Address........
  Admin Address........ Ningbo
  Admin Address........ 200000
  Admin Address........ ZJ
  Admin Address........ CN
  Admin Email.......... sunpt@qq.com
  Admin Phone.......... +86.13957424347
  Admin Fax............ +86.13957424347

un-trans.info is parked on 68.178.232.100, and is registered to another owner:

Registrant ID:CR117221338
Registrant Name:yijiang huang
Registrant Organization:
Registrant Street1:baizhangdongli 168
Registrant Street2:
Registrant Street3:
Registrant City:ningbo
Registrant State/Province:zhejiang
Registrant Postal Code:315100
Registrant Country:CN
Registrant Phone:+86.057481088611
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Registrant Email:hyjbbs@163.com

union-trans.com.cn seems to be just a mail handler:
Domain Name: union-trans.com.cn
ROID: 20120401s10011s18721153-cn
Domain Status: ok
Registrant ID: ctr4rtfs2aq58an
Registrant: 宁波瀚联国际货运代理有限公司
Registrant Contact Email: hyjbbs@163.com
Sponsoring Registrar: 北京新网互联科技有限公司
Name Server: ns1.dns.com.cn
Name Server: ns2.dns.com.cn
Registration Date: 2012-04-01 12:05:06
Expiration Date: 2019-04-01 12:05:06
DNSSEC: unsigned

uni-transglobal.info is an intermediary mail system using an expired domain name:
Registrant ID:CR75845753
Registrant Name:yijiang huang
Registrant Organization:
Registrant Street1:baizhangdongli 168
Registrant Street2:
Registrant Street3:
Registrant City:ningbo
Registrant State/Province:zhejiang
Registrant Postal Code:315100
Registrant Country:CN
Registrant Phone:+57.481088611
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Registrant Email:hyjbbs@163.com

Originating IP is 183.134.113.165 (Zhejiang Telecom, Ningbo, China).

The subscribe/unsubscribe links in the email also reference these addresses: hyjbbs@gmail.com
and cncxrdy001@gmail.com

Generally speaking, unsolicited job offers from out-of-the-way places are bad news and should be avoided..

Tuesday, 9 October 2012

Sprint spam / 1.starkresidential.net

This fake Sprint spam leads to malware on 1.starkresidential.net:

Date:      Tue, 09 Oct 2012 22:30:56 +0300
From:      "Sprint" [87A816934@uacvt.org.au]
Subject:      Your Sprint bill online



Please do not reply to this email.     Not seeing the images? View online or go mobile.
                       
   
Bill Period: September 10 - October 9, 2012

Total Due by October 9     $5207

Note: All online payments are made in a secure environment.
   
   
SPRINT NEWS AND NOTICES
This section contains important updates about your Sprint Services, Including Service or Rate Changes, Promotions and Offers.

NEXTEL PRODUCTS: IMPORTANT MESSAGE
Due to the Nextel National Network shutdown on 6/30/13, any Nextel devices sold after 6/1/12 are intended to support existing customers' migration efforts and no minimum Order Terms will apply.

              
© 2012 Sprint. All rights reserved.

The malicious payload is at [donotclick]1.starkresidential.net/links/assure_numb_engineers.php hosted on 74.207.233.58 (Linode, US).

The following malicious sites are also on the same server:
25.allservicemovingandstorage.com
1.browncastro.com
1.browncastro.net

In all cases, these appear to be malicious subdomains of legitimate hacked domains. If you can, you should block traffic to 74.207.233.58 to stop other malicious sites on the same server from being a problem.

"Biweekly payroll" spam / editdvsyourself.net

This fake payroll spam leads to malware on editdvsyourself.net:

From: Run Do Not Reply [mailto:jutland@bmacapital.com]
Sent: 09 October 2012 15:10
Subject: Your Biweekly payroll is accepted

Your Biweekly payroll for check date 10/09/2012 is ready to go. Your payroll will be issued at least Two days prior to your check date to ensure timely tax deposits and delivery. If you offer direct deposit to your employees, this would also support pay down their money right at the necessary date.

Client ID: XXXXXXX1
Other details: Click here to Review

Important: Please be advised that calls to and from your payroll service team may be monitored or recorded.

Please don't reply to this message. automative notification system not configured to accept incoming email. 
The malicious payload is on [donotclick]editdvsyourself.net/detects/beeweek_status-check.php, hosted on the familiar IP address of 183.81.133.121 (Vodafone, Fiji).

The following malicious domains are also associated with this IP:
acmrmn.com
addsmozy.net
art-london.net
buzziskin.net
canhmn.com
casbnm.com
editdvsyourself.net
officerscouldexecute.org
stafffire.net
strangernaturallanguage.net
simplerkwiks.net

Sunday, 7 October 2012

Something evil on 5.9.188.54

Here's a nasty bunch of sites being used in injection attacks, all hosted on 5.9.188.54:

nfexfkloawuqlaahsyqrxo.qlvyeviexqzrukyo.waw.pl
nqvzrpyoossmr.qlvyeviexqzrukyo.waw.pl
xfynhovgofzsqueuuprplvv.qlvyeviexqzrukyo.waw.pl
lgrfuqfwz.qlvyeviexqzrukyo.waw.pl
zlqfrypzqyubsedrzugeaf.urblvhnfxzrozzlz.waw.pl
qxggipnnfmnihkic.ru
mvuvchtcxxibeubd.ru



5.9.188.54 is a Hetzner IP address (no surprise there) suballocated to:

inetnum:         5.9.188.32 - 5.9.188.63
netname:         LLC-CYBERTECH
descr:           LLC "CyberTech"
country:         DE
admin-c:         AG6373-RIPE
tech-c:          AG6373-RIPE
status:          ASSIGNED PA
mnt-by:          HOS-GUN
source:          RIPE # Filtered

person:          Alexey Galaev
address:         LLC "CyberTech"
address:         Grizodubova street 4 , build.2
address:         125252 Moscow
address:         RUSSIAN FEDERATION
phone:           +660812703752
nic-hdl:         AG6373-RIPE
remarks:         -------------------------
remarks:         Vpsville.ru working 24x7
remarks:         -------------------------
remarks:         For abuse use admin@vpsville.ru
abuse-mailbox:   admin@vpsville.ru
mnt-by:          HOS-GUN
source:          RIPE # Filtered


You might want to block the whole 5.9.188.32/27 range.. you should certainly block 5.9.188.54 if you can.

Friday, 5 October 2012

"Intuit GoPayment" spam / simplerkwiks.net

This fake "Intuit GoPayment" spam leads to malware on simplerkwiks.net:


Date:      Fri, 5 Oct 2012 15:54:26 +0100
From:      "Intuit GoPayment" [abstractestknos65@pacunion.com]
Subject:      Welcome - you're been granted access for Intuit GoPayment Merchant

       
.
Greetings & Congrats!
Your GoPayment? statement for WALLET , DEVELOPMENTS has been issued.
Intuit Payment
Account No.:     XXXXXXXXXXXXXX16
Email Address:     [redacted]
   
NOTE :
    Additional charges for this service may now apply.
Next step: Confirm your User ID



This is Very Important lets you:
Manage your payment service in the Merchant Center
Review charges
Log In to other Intuit products you may use, like TurboTax, Quicken, and Intuit Payroll


The good news is you have active an existing Intuit account for your email address, You can use this ID for your payment service also, or enter a new one.



Verify UserID
Get started:



Step 1: If you have not still, download the Intuit application.



Step 2: Run the GoPayment app and sign in with the UserID (your email address) and Password you setup.



Easy Manage Your GoPayment System

The Intuit GoPayment Merchant Service Center is the website where you can learn a lot about GoPayment features, customize your sales receipt and add GoPayment users. You can also manage transactions, deposits and fees. Visit link and signin with your GoPayment Access ID (your email address) and Password.
For more information on how to get started using Intuit Merchant, including tutorials, FAQs and other resources, visit the Service Center at web site.
Please do not reply to this message. automative notification system not configured to accept incoming email.
System Terms & Agreements     � 2012 Intuit, Inc. All rights reserved.


The malicious payload is at [donotclick]simplerkwiks.net/detects/congrats_verify-access.php hosted on 183.81.133.121 (Vodafone, Fiji) along with these other suspect domains:
addsmozy.net
officerscouldexecute.org
simplerkwiks.net
strangernaturallanguage.net
buzziskin.net
art-london.net


UPS Spam / minus.preciseenginewarehouse.com

This fake UPS spam leads to malware on minus.preciseenginewarehouse.com:


From:      "UPSBillingCenter" [512A03797@songburi.com]
Subject:      Your UPS Invoice is Ready


This is an automatically generated email. Please do not reply to this email address.



Dear UPS Customer,



New invoice(s) are available for the consolidated payment plan(s) / account(s) enrolled in the UPS Billing Center


Please visit the UPS Billing Center to view and pay your invoice.


Discover more about UPS:

Visit ups.com

Explore UPS Freight Services

Learn About UPS Companies

Sign Up For Additional Email From UPS

Read Compass Online



(c) 2012 United Parcel Service of America, Inc. UPS, the UPS brandmark, and the color brown are trademarks of United Parcel Service of America, Inc. All rights reserved.

For more information on UPS's privacy practices, refer to the UPS Privacy Policy.

Please do not reply directly to this e-mail. UPS will not receive any reply message.

For questions or comments, visit Contact UPS.



This communication contains proprietary information and may be confidential. If you are not the intended recipient, the reading, copying, disclosure or other use of the contents of this e-mail is strictly prohibited and you are instructed to please delete this e-mail immediately.
Privacy Policy

Contact UPS
The malicious payload is at [donotclick]minus.preciseenginewarehouse.com/links/assure_numb_engineers.php hosted on 174.140.165.112 (DirectSpace Networks, US) which also houses the following suspect domains:


minus.preciseenginewarehouse.com
minus.dirttrackwarehouse.com
minus.sprintwarehouse.com
two.scott-j.com
one.touveron.com
two.accent-bldrs.com

To be precise, the subdomains seem malicious, the domains themselves appear to be legitimate ones where the domain account has been hacked. Blocking 174.140.165.112 would be prudent.

Thursday, 4 October 2012

"Corporate eFax message" spam / 184.164.136.147

These fake fax messages lead to malware on 184.164.136.147:

Date:      Thu, 04 Oct 2012 19:00:16 +0200
From:      "eFax.Alert" [E988D6C@vida.org.pt]
Subject:      Corporate eFax message - 09 pages




Fax Message [Caller-ID: 341-498-5688]
You have received a 09 pages fax at Thu, 04 Oct 2012 19:00:16 +0200.

* The reference number for this fax is min1_20121004190016.8673161.

View this fax using your PDF reader.

Click here to view this message

Please visit www.eFax.com/en/efax/twa/page/help if you have any questions regarding this message or your service.
Thank you for using the eFax service!
Home | Contact | Login
� 2011 j2 Global Communications, Inc. All rights reserved.
eFax� is a registered trademark of j2 Global Communications, Inc.
This account is subject to the terms listed in the eFax� Customer Agreement.

The malicious payload is at [donotclick]184.164.136.147/links/assure_numb_engineers.php  which is an IP address belonging to Secured Servers LLC in the US and suballocated to:

autharea=184.164.128.0/19
xautharea=184.164.128.0/19
network:Class-Name:network
network:Auth-Area:184.164.128.0/19
network:ID:NET-11719.184.164.136.128/27
network:Network-Name:Public
network:IP-Network:184.164.136.128/27
network:IP-Network-Block:184.164.136.128 - 184.164.136.159
network:Org-Name:Jolly Works Hosting
network:Street-Address:Unit 3C No. 831 SAM Building, Dagupan Road
network:City:Manilla
network:State:NCR
network:Postal-Code:1013
network:Country-Code:PH
network:Tech-Contact:MAINT-11719.184.164.136.128/27
network:Created:20110811175617000
network:Updated:20110811175617000
network:Updated-By:dnsadmin@securedservers.com
contact:POC-Name:Nevin Poly
contact:POC-Email:supportsages@gmail.com
contact:POC-Phone:
contact:Tech-Name:DNS Administrator
contact:Tech-Email:dnsadmin@securedservers.com
contact:Tech-Phone:(480) 422-2023
contact:Abuse-Name:Abuse
contact:Abuse-Email:abuse@securedservers.com
contact:Abuse-Phone:+1-480-422-2022 (Office)


It might be worth blocking 184.164.136.128/27 to be on the safe side.

Verizon Wireless spam / strangernaturallanguage.net

This fake Verizon wireless spam leads to malware on strangernaturallanguage.net:

From:     AccountNotify whitheringj@spcollege.edu
Date:     4 October 2012 18:52
Subject:     Recent Notification in My Verizon
   
SIGNIFICANT ACCOUNT NOTIFICATION FROM VERIZON WIRELESS.
Your informational letter is available.
Your account # ending: XXX8 XXXX4
Our Valued Client
For your accommodation, your confirmation message can be found in the Account Documentation desk of My Verizon.
Please check your acknowledgment letter for all the information relating to your new transaction.
View Approval Message
In addition, in My Verizon you will find links to info about your device & services that may be helpfull if you looking for answers.
Thank you for joining us .
   

     
My Verizon is also accessible 24 hours 7 days a week to assist you with:
Usage details
Updating your tariff
Add Account Users
Pay your invoice
And much, much more...
   

© 2012 Verizon Wireless
Verizon Wireless | One Verizon Way | Mail Code: 523WSE | Basking Ridge, MA 55584
We respect your privacy. Please review our privacy policy for more details

The malicious payload is at [donotclick]strangernaturallanguage.net/detects/notification-status_login.php hosted on 183.81.133.121 (Vodafone, Fiji).

The following domains are hosted on that IP and should be regarded as being suspect:
strangernaturallanguage.net
buzziskin.net
art-london.net
addsmozy.net

Wednesday, 3 October 2012

PayPal spam / lenindeads.ru

This fake PayPal spam leads to malware on lenindeads.ru:


Date:      Wed, 3 Oct 2012 09:41:01 -0500
From:      "service@paypal.com" [service@paypal.com]
To:      [redacted]
Subject:      Welcome to PayPal - Choose your way to pay

   
Welcome

Hello postinialerts,

Thanks for paying with PayPal.

We congratulate you with your first Paypal money transfer. But we have hold it for the moment because the amount is over the security borders of our rules.


Here is what we have on file for you. Take a second to confirm we have your correct information.
Email
[redacted]
Confirmation Code
2188-9944-1312-3905-5127
   
Transfer Information
Amount: 31549.96 $
Reciever: Merrill Prather
E-mail: Rogers40144@[redacted]
Accept Decline

   
Help Center | Security Center

Please don't reply to this email. It'll just confuse the computer that sent it and you won't get a response.

Copyright � 2012 PayPal, Inc. All rights reserved. PayPal is located at 2211 N. First St., San Jose, CA 95131.

PayPal Email ID PP1529

==========



Date:      Wed, 3 Oct 2012 01:04:29 +0300
From:      "service@paypal.com" [service@paypal.com]
To:      [redacted]
Subject:      Welcome to PayPal - Choose your way to pay

   
Welcome

Hello [redacted],

Thanks for paying with PayPal.

We congratulate you with your first Paypal money transfer. But we have hold it for the moment because the amount is over the security borders of our rules.


Here is what we have on file for you. Take a second to confirm we have your correct information.
Email
[redacted]
Confirmation Code
5554-8629-5683-9807-4239
   
Transfer Information
Amount: 38567.21 $
Reciever: Anabel Cordero
E-mail: Travis68451@[redacted]
Accept Decline

   
Help Center | Security Center

Please don't reply to this email. It'll just confuse the computer that sent it and you won't get a response.

Copyright � 2012 PayPal, Inc. All rights reserved. PayPal is located at 2211 N. First St., San Jose, CA 95131.

PayPal Email ID PP7370
The malicious payload is at [donotclick]lenindeads.ru:8080/forum/links/column.php hosted on:

202.3.245.13 (MANA, Tahiti)
203.80.16.81 (MYREN, Malaysia)
213.251.162.65 (OVH, France)

The following domains and IPs are all related:
202.3.245.13
203.80.16.81
213.251.162.65
limonadiksec.ru
rumyniaonline.ru
sonatanamore.ru
ioponeslal.ru
onlinebayunator.ru
uzoshkins.ru
moskowpulkavo.ru
omahabeachs.ru
sectantes-x.ru

Added:
pionierspokemon.ru
appleonliner.ru

"Corporate eFax message" spam / 69.194.194.222

This fake fax spam leads to malware on 69.194.194.222:


Date:      Wed, 03 Oct 2012 15:00:43 +0200
From:      "eFax" [4FBED27@fashioninsomniacs.com]
Subject:      Corporate eFax message - 8 pages




Fax Message [Caller-ID: 368-848-8852]
You have received a 8 pages fax at Wed, 03 Oct 2012 15:00:43 +0200.

* The reference number for this fax is min1_20121003150043.438820.

View this fax using your PDF reader.

Click here to view this message

Please visit www.eFax.com/en/efax/twa/page/help if you have any questions regarding this message or your service.
Thank you for using the eFax service!
Home | Contact | Login
� 2011 j2 Global Communications, Inc. All rights reserved.
eFax� is a registered trademark of j2 Global Communications, Inc.
This account is subject to the terms listed in the eFax� Customer Agreement.

==========


Date:      Wed, 03 Oct 2012 17:12:57 +0530
From:      "eFax.Corporate" [2FEDD7BC@kelprint.fr]
Subject:      Corporate eFax message - 1 pages




Fax Message [Caller-ID: 033-717-5099]
You have received a 1 pages fax at Wed, 03 Oct 2012 17:12:57 +0530.

* The reference number for this fax is min1_20121003171257.5227.

View this fax using your PDF reader.

Click here to view this message

Please visit www.eFax.com/en/efax/twa/page/help if you have any questions regarding this message or your service.
Thank you for using the eFax service!
Home | Contact | Login
� 2011 j2 Global Communications, Inc. All rights reserved.
eFax� is a registered trademark of j2 Global Communications, Inc.
This account is subject to the terms listed in the eFax� Customer Agreement.

==========


Date:      Wed, 03 Oct 2012 07:25:36 -0400
From:      "eFax" [965F7212@dyer.com.hk]
Subject:      Corporate eFax message - 7 pages




Fax Message [Caller-ID: 300-811-6555]
You have received a 7 pages fax at Wed, 03 Oct 2012 07:25:36 -0400.

* The reference number for this fax is min1_20121003072536.6902337.

View this fax using your PDF reader.

Click here to view this message

Please visit www.eFax.com/en/efax/twa/page/help if you have any questions regarding this message or your service.
Thank you for using the eFax service!
Home | Contact | Login
� 2011 j2 Global Communications, Inc. All rights reserved.
eFax� is a registered trademark of j2 Global Communications, Inc.
This account is subject to the terms listed in the eFax� Customer Agreement.


The malicious payload is at [donotclick]69.194.194.222/links/assure_numb_engineers.php (Solar VPS, US). Blocking this IP address may be wise as they tend to be used in more than one campaign.

Malware sites to block 3/10/12

These domains and IPs relate to an emerging threat, I don't have a full analysis at the moment but they appear to be malicious. If you have more information then please consider leaving a comment:

Suspect URLs:
[donotclick]e-protections.cc/ping.html
[donotclick]e-statistic.cc/ping.html
[donotclick]e-statistic.su/ping.html
[donotclick]estats.su/ping.html
[donotclick]store-main.su/ping.html
[donotclick]sysmain.cc/ping.html
[donotclick]e-protections.cc/ping.html
[donotclick]e-statistic.cc/ping.html
[donotclick]e-statistic.su/ping.html
[donotclick]estats.su/ping.html
[donotclick]store-main.su/ping.html
[donotclick]sysmain.cc/files/hidden7770777.jpg
[donotclick]sysmain.cc/ping.html



Hosts involved:
23.29.119.138 (Incero LLC, US)
69.85.86.159 (Hostigation, US)
94.102.55.20 (Ecatel, Netherlands)
173.236.53.54 (Singlehop / Nexeon Technologies, US)

Plain list for copy and pasting:
e-protections.cc
e-statistic.cc
e-statistic.su
estats.su
first-service.cc
some-service.com
somesystems.cc
store-main.su
sysmain.cc
www-protection.su
23.29.119.138
69.85.86.159
94.102.55.20
173.236.53.54


References: McAfee and Sophos.

Something evil on 66.45.251.224/29 and 199.71.233.226

The IP address 199.71.233.226 (Netrouting, US)  and the range 66.45.251.224/29 (Interserver, US) are currently being used to distribute malware through advertising. Of these the 66.45.251.224/29 has been suballocated to an anonymous person, which I didn't even know was permitted:

network:Class-Name:network
network:ID:NETBLK-INTSRV.66.45.224.0/19
network:Auth-Area:66.45.224.0/19
network:Network-Name:INTSRV-66.45.251.224
network:IP-Network:66.45.251.224/29
network:Org-Name:Private Customer
network:Street-Address:Private Residence
network:City:Moscow
network:State:77
network:Postal-Code:119192
network:Country-Code:US
network:Created:20120701
network:Updated:20120816
network:Updated-By:abuse@interserver.net


The domains listed below are on those IP addresses, all appear to be disributing malware (see example) and they seem to have fake or anonymous WHOIS details. Blocking traffic to 66.45.251.224/29 (66.45.251.224 - 66.45.251.231) and 199.71.233.226 should be effective in countering this threat.

Update 95.211.193.36 (Leaseweb, Netherlands) and 77.95.230.77 (Snel Internet Services, Netherlands) may also be distributing malware in connection with this (report here).

Update 2:  Another IP in this cluster is 96.44.139.218 (OC3 networks, US), running malicious ads using the domain perclickbank.org (scroll down for more information)

1sedobazole.info
acpacompany.info
acpvcompany.info
adp.marketsamples.info
alladulttest.info
alttubesite.info
appvcompany.info
artsellernet.com
blabeladstarget.info
boldcpaportal.info
boldcpvportal.info
boldpopportal.info
boldppvportal.info
coldcpvportal.info
coldppvportal.info
cpaintermediary.info
cpamarketer.biz
cpappvportel.info
cpvtoolswork.info
cpvtoolwork.info
domycpa.info
domycpv.info
domyppv.info
ecpamarkets.info
ecpmmarkets.info
ecpvmarkets.info
egoodsstore.info
egoodystore.info
eppvmarkets.info
forcpamarkets.info
forcpmmarkets.info
frankinews.info
goladero.info
higeaisedo.in
hinsmart.ca
joyforcpa.info
joyforcpm.info
joyforcpv.info
joyforppv.info
juniorcpa.info
juniorcpm.info
juniorcpv.info
juniorppv.info
kabitopa.info
lowcost4hosting.info
marketsamples.info
marketsamplestore.info
nameurneeds.com
ppvadulttools.info
ppvcpaportal.info
ppvcpatools.info
ppvdatetools.info
ppvsystemgate.info
ppvsystemgateway.info
ppvsystemleadaway.info
ppvsystemnet.info
ppvsystemnetwork.info
ppvsystempointer.info
ppvsystemportal.info
ppvworktools.info
prolixppv.info
raberolasi.info
renaissancestylingstudio.com
rencai.com.ar
theforgottentruth1937.com
toolsforppv.info

Added: 6/10/12
adp.joyforppv.info
giantppv.info
giantcpa.info

Added: 10/10/12
highloadcpa.info
highloadppa.info
entry.highloadppa.info
giantppa.info
highloadpop.info
highloadcpv.info
highloadppv.info

Also, on  96.44.139.218:
perclickbank.org
google-analitlcs.com
google-statistic.com
nailart4designs.com

Tuesday, 2 October 2012

Friendster spam / sonatanamore.ru

Friendster.. remember that? Before Facebook.. before Myspace.. there was Friendster. This spam email is not from Friendster though and leads to malware on sonatanamore.ru:


Date:      Tue, 2 Oct 2012 05:39:54 -0500
From:      Friendster Games [friendstergames@friendster.com]
Subject:      Regarding your Friendster password

  
  
Thank you for joining Friendster! Your system generated password is 0JR8YXB1YR. You may change your password in your Account Settings Page.
  

Friendster is the social gaming destination of choice. Connect and play with your friends & share your progress with your network.
Copyright � 2002 - 2012 Friendster, Inc. All rights reserved. Visit our site. - Terms of Service
To manage your notification preferences, go here
To stop receiving emails from us, you can unsubscribe here


The malicious payload is at [donotclick]sonatanamore.ru:8080/forum/links/column.php hosted on:
70.38.31.71 (iWeb, Canada)
202.3.245.13 (MANA, Tahiti)
203.80.16.81 (Myren, Malaysia)

Plain list of IPs and domains on those IPs for copy-and-pasting.
70.38.31.71
202.3.245.13
203.80.16.81
limonadiksec.ru
rumyniaonline.ru
denegnashete.ru
dimabilanch.ru
ioponeslal.ru
moskowpulkavo.ru
onlinebayunator.ru
omahabeachs.ru
uzoshkins.ru
sectantes-x.ru
sonatanamore.ru

Monday, 1 October 2012

Intuit Shipment spam / art-london.net

This terminally confused Intuit / USPS / Amazon-style spam leads to malware at art-london.net:


Date:      Mon, 1 Oct 2012 21:31:57 +0430
From:      "Intuit Customer Service" [battingiy760@clickz.com]
To:      [redacted]
Subject:      Intuit Shipment Confirmation

   

Dear [redacted],

Great News! Your order, ID859560, was shipped today (see info below) and will complete shortly. We hope that you will find that it exceeds your expectations. If you ordered not one products, we may send them in separate boxes (at no additional cost to you) to ensure the fastest possible delivery. We will also provide you with the ability to track your shipments via the information below.

Thank you for your interest.
   
    ORDER DETAILS    
    Order #: ID859560
Order Date: Sep 25, 2012

Item(s) In Your Order

Shipping Date: October, 1 2012
Shipping Method: USPS Express Mail
Estimated Delivery Date: October, 3 2012 - October 05, 2012
Tracking No.: 5182072894288348304217

Quantity     Item
1     Intuit Card Reader Device - Gray

Please be informed that shipping status details may be not available yet online. Check the Website Status link above for details update.

Shipment Information:

We sent your item(s) to the next address:

065 S Paolo Ave, App. 5A
S Maria, FL

Email: [redacted]   
       
       
       
    Questions about your order? Please visit Customer Service.

Return Policy and Instructions
   
       
       


Privacy | Legal Disclaimer | Contact Us | About

You have received this business note as part of our efforts to fulfill your request and service your account. You may receive more email notifications from us even if you have previously selected out of marketing notifications.



Please note: This email was sent from an automative notification system that not configured to accept incoming mail. Please don't reply to this message.



�2008-2012 Intuit Llc. or its affiliates. All rights reserved.
The malicious payload is at [donotclick]art-london.net/detects/stones-instruction_think.php  hosted on 195.198.124.60 (Skand Meteorologi och Miljoinstr AB, Sweden), a site which also hosts the presumably malicious domains buzziskin.net and  indice-acores.net. Presumably this IP is a hacked server belonging to some legitimate Swedish organisation, but you should block it nonetheless.

Sendspace spam / onlinebayunator.ru

I haven't seen Sendspace spam before.. but here it is, leading to malware on onlinebayunator.ru:


Date:      Mon, 1 Oct 2012 10:40:29 +0300
From:      Twitter
To:      [redacted]
Subject:      You have been sent a file (Filename: [redacted]-9038870.pdf)

Sendspace File Delivery Notification:

You've got a file called [redacted]-56.pdf, (133.8 KB) waiting to be downloaded at sendspace.(It was sent by CHIQUITA Caldwell).





You can use the following link to retrieve your file:

Download Link



The file may be available for a limited time only.

Thank you,



sendspace - The best free file sharing service.



----------------------------------------------------------------------



Please do not reply to this email. This auto-mailbox is not monitored and you will not receive a response.

The malicious payload is at [donotclick]onlinebayunator.ru:8080/forum/links/column.php  hosted on the same IP address as this attack earlier today.

Evolution1 spam / 69.194.194.221

I haven't seen this spam before, it leads to malware on 69.194.194.221:


Date:      Mon, 01 Oct 2012 15:44:59 +0200
From:      "INTUIT" [D6531193@familyhealthplans.com]
Subject:      Information regarding Employer Contribution



INTUIT





Attn: Account Holder



You can view the information about all Employer contributions that are due to be made on 2/1/2012 by visiting the following link:



http://intuithealthemployer.lh1ondemand.com



Please let us know employment alterations on your enrollment spreadsheet within the period of two business days. The foregoing report shows the ACH amount we will withdraw from your bank account for the contributions on the first business day of the month. Please remember, if changes occur, this may affect the ACH amount.



Intuit Health Debit Card Powered by Evolution1 Employer Services.



This is a system generated email. Please do not respond.



� Copyright, Evolution1, Inc. 2004-2012,

ALL RIGHTS RESERVED

Powered by Lighthouse1TM, a product of Evolution1TM



The malicious payload is on 69.194.194.221 (Solar VPS, US) which is the same IP as found in this attack.

NACHA spam / onlinebayunator.ru

This fake NACHA spam leads to malware on onlinebayunator.ru:


Date:      Mon, 1 Oct 2012 04:16:46 -0500
From:      Bebo Service [service@noreply.bebo.com]
Subject:      Fwd: ACH Transfer rejected

The ACH debit transfer, initiated from your bank account, was canceled.

Canceled transaction:

Transfer ID: FE-764029897226US

Transaction Report: View



Valentino Dickey

NACHA - The Electronic Payment Association



f0c34915-3e624bbb


The malicious payload is at [donotclick]onlinebayunator.ru:8080/forum/links/column.php  (probably a Blackhole 2 exploit kit) hosted on the following familiar IPs that should be blocked:

84.22.100.108 (Republic CyberBunker, Antarctica - Amsterdam more likely)
190.10.14.196 (RACSA, Costa Rica)
203.80.16.81 (Myren, Malaysia)

Of note,  CyberBunker has a long history of spamming and tolerating criminals. Blocking the range 84.22.96.0/19 should afford your network some additional protection.


Something evil on 82.165.38.206

There's something evil on 82.165.38.206 (1&1, Germany).. Zbot, basically. The WHOIS details are refreshingly honest about the intent of the evil domains on the server. There are some legitimate domains as well, so it looks like a hacked server.

Probably NOT EVIL:
athentours.de
beachhandball-camp.com
beachhandball-camp.de
beachhandball-camps.com
beachhandball-camps.de
beachhandballcamp.com
beachhandballcamp.de
beachhandballcamps.com
beachhandballcamps.de
ferienwerk-muenchen.com
ferienwerk-muenchen.de
gosurfcamps.de
h2o-beachhandballcamp.com
h2o-beachhandballcamp.de
h2o-beachhandballcamps.com
h2o-beachhandballcamps.de
h2o-camp.com
h2o-camp.de
h2o-camps.com
h2o-camps.de
h2obeachhandballcamp.com
h2obeachhandballcamp.de
h2obeachhandballcamps.com
h2obeachhandballcamps.de
h2ocamp.com
h2ocamp.de
h2ocamps.com
h2ocamps.de
jugendferienwerk-muenchen.com
jugendferienwerk-muenchen.de
jugendreisenbadenwuerttemberg.de
jugendreisenmuenchen.de
jugendreisenstuttgart.de
senior-surfcamp.com
senior-surfcamp.de
seniorsurfcamp.com
seniorsurfcamp.de
xn--ferienwerk-mnchen-e3b.com
xn--ferienwerk-mnchen-e3b.de
xn--jugendferienwerk-mnchen-tpc.com
xn--jugendferienwerk-mnchen-tpc.de
xn--jugendreisenmnchen-y6b.de

Probably EVIL:
coolgeneration31.org
hjdfhjpqhf52vzskdjui1231232.org
hjdfhjpqhf45vzskdjui123123.org
hjdfhjpqhf47vzskdjui123123.org
hjdfhjpqhf48vzskdjui123123.org
hjdfhjpqhf49vzskdjui123123.org
fd12fg333333.org
working-bhh555.org
ker234hdfa88a8.org
askd232ddsda.org
goldfishinsea.org
d34245f3d.org
d5bb8ae4ec63cf.org
kirvlingshoping.org
donalldakcll.org
freesalebigban.org
bigamadillo.org
analiz-pro.org
kunbengober.org
ddosmanager.org
mislimsip0tir.org
goyerbyhsjanhxas.org
frostbeulekommts.org
trinnitti-soft.org
frostbeulekommt.org
intelentbot.org
45a5ge5aert.org
matonyok-trust.org
bergfileorderingserv.org
mailforw.org
shcool2010.com
vikingwer10.com
vatind0.com
d3f78j9h8h321312nf0.com
revers1001.com
update-java01.com
zapas2011.com
frerestreetsw111.com
reserve14443211.com
vikingwer11.com
testforus7771.com
generaladvertising191.com
chicoracquetclub1.com
vmeste-mi-fruktoviy-sad1.com
hft2bnmkoedfsdfgfg5o1.com
slaviki-res1.com
blachervers-2.com
frerestreetsw112.com
for-advanced-cfg12.com
vxuservx222.com
zeppbrannigan22.com
verasertys22.com
kemebrremewrewroi6d3b3jb3b332.com
narawertyopsanzaol7632.com
ognenaiaduga2.com
doo1deivahn2.com
worldfierro2.com
trytokickmewhenimoneywwww2.com
domain510003.com
frerestreetsw113.com
34k5jh4kjh324h123.com
hhhhujnja23.com
vvverdasentarycoolnew12233.com
jrykj233.com
fhb7654568768877dhfdbdjdeek677567433.com
znakizodiakapinger33.com
kilovattmegatonnsdor33.com
5qsx-v-b-f-r-we-4543-7767-4443.com
mjsdkflkblsdfbllalsdf777793.com
kemebrremewernrewroi43b3b3b3.com
kemebrremewrewroi43b3b3b3.com
kemebrmewernrewroi6nn3b3b3b3.com
kemebrmewernrewroi4367b3b3b3.com
sourtel3.com
hft2bnmkosdfgfg5o3.com
ffhsdf4747282e734723878784234.com
ipfff3444.com
bersiuzhuf0d9g8ghddee44.com
offirstactivityna4.com
ghgng43fgjl82309dfg8df4.com
just1tto2005.com
domain460015.com
kateserv29115.com
apre-delfud1-225.com
domain445725.com
lsazzzx45.com
2344292985375634367124i2443455.com
kateserv29175.com
234k23j4h3g5.com
mailwbg5.com
bejhjhbejr77eh5.com
mnn-gff-65-33-22-22-22-bve-6.com
mnn-gff-66nn-33-22-22-22-bve-6.com
freeroom66.com
xn3yy2uroomfdnew91c2v6.com
photox15serv257.com
matenixserv257.com
dtdtdtdouble6677.com
allbe777.com
testforus777.com
pxcallcentercareers77.com
galox29serv77.com
natenixserv77.com
for-advanced-cfg7.com
domain460018.com
ptichkaleti88.com
bngh77tutjt88.com
gssghgkio7erasdotaser8.com
679iss8.com
formul89.com
solnishko999.com
for-advanced-cfg9.com
switzern9.com
vikingwer9.com
jghrt9frgtr9.com
google-1aa.com
peuhiuyca.com
berkamifa.com
sjaprotecasga.com
iesiuzeiphae4xuoch1ahgha.com
mega-kreslo-suka.com
hahamanhanla.com
ywhzwhcnjmkj28888kljsdkkccnvma.com
abortinghomethinkanormall2116tv2dnvma.com
ywhzwhcnjmzmfdhd6em16tv2dnvma.com
islaantillana.com
leboj1ra.com
hahahayahooousa.com
pddonlinedata.com
reepta.com
teughoojaeghaopuegeudeeb.com
remainresetservweb.com
qsbj356jlkb33trhbj44dklasbkb.com
jsbjlsdjlkb234jblkba8899sjkb.com
srvpvrb.com
adobesystemcorporatecodec.com
icereserv-sec.com
minisystemic.com
meteosystemic.com
qlcombrasilmusic.com
ghsmaristic.com
celeron-mypc.com
krrhazvrjma8d.com
samecomandnetad.com
ommso99dd.com
freelinceradanced.com
hostedllinked.com
muiredised.com
336nnfbvdsfuoibvc6nn78fdhdffdgffd.com
kffkdmsdn3438nfd.com
nbguiewjmznejjcuaije2hd.com
dkjs8000sjdshd.com
oepjvondifnnkskfcxzvjiefrkd.com
nextcomesonlservbuild.com
bntuyahqpcmd.com
8hrhhhtt63639serd.com
eorjroijdojrd.com
goldharbord.com
vhklideomailasd.com
cerutedwestedltd.com
pokemonnertt345e.com
mylitlebusinessplace.com
ufoksuudservice.com
serokolservice.com
someadverdownservice.com
dst1-finance.com
mbnfinance.com
recruitadyfinance.com
zswealthlastsource.com
45gvvrfr665gbffbdtrtee.com
keticussorke.com
crewboddylifestyle.com
tuvnahdmcjrueifhgne.com
palecvzhope.com
sampeladvertisingbase.com
java-00update.com
direct-gate.com
quintaavenue.com
versnoteinluserve.com
mikrobnjnru7f.com
hgng44fgjl82509dfg83df.com
ywhzwskdjfgh3lkjhtkjsdfghu9w845tgdf.com
asdff23fsafasdfsdf.com
scvsmmdiocuhsdf.com
jdhfjksdhyurw89yurhksff.com
bedegiudmakkshhf.com
h88dfsdfrefmkf.com
ufhwf8093hrdsf.com
gsdfgd536fdg.com
entcrgmd3kvc2r6nwhfom215m22eg.com
aimsfg.com
y25qwrmzv6z3nwem5mnry21smg.com
eg4zxkydxjvsd21mzgldhzkxyz2ng.com
bdg8b70dgbng.com
nqpftydjfgbbbdlspyfng.com
justcheckping.com
ponibong.com
ualol3e3ejdh98hjd893h.com
aa9798ajgjghu87h.com
cocteil-malevich.com

Sunday, 30 September 2012

ADP Spam / 69.194.194.221

This fake ADP spam leads to malware on 69.194.194.221:


Date:      Sun, 30 Sep 2012 17:31:05 +0200
From:      "ADP Service" [F07EBCC@pop3.rad.net]
Subject:      New transactions

Your Transaction Report(s) have been uploaded to the web site:



https://www.flexdirect.adp.com/client/login.aspx



Please note that your bank account will be debited within one banking

business day for the amount(s) shown on the report(s).



Please do not respond or reply to this automated e-mail. If you have any

questions or comments, please Contact your ADP Benefits Specialist.



Thank You,

ADP Benefit Services


The malicious payload is at [donotclick]69.194.194.221/links/marked-alter.php (Solar VPS, US).

Friday, 28 September 2012

ADP spam / 108.178.59.6

This fake ADP spam leads to malware on 108.178.59.6:

Date:      Fri, 28 Sep 2012 13:22:13 +0300
From:      "ADP Notification" [D7443309@phoenixpv.de]
Subject:      Your Transaction Report(s)

Your Transaction Report(s) have been uploaded to the web site:



https://www.flexdirect.adp.com/client/login.aspx



Please note that your bank account will be debited within one banking

business day for the amount(s) shown on the report(s).



Please do not respond or reply to this automated e-mail. If you have any

questions or comments, please Contact your ADP Benefits Specialist.



Thank You,

ADP Benefit Services


The malicious payload is at [donotclick]108.178.59.6/links/marked-alter.php (Singlehop, US) which looks like a Blackhole 2 exploit kit or similar.

The malware is hosted on this evil network,  blocking 108.178.59.0/26 would be wise.

Thursday, 27 September 2012

ADP Spam / 69.194.193.37

This fake ADP spam leads to malware on 69.194.193.37:

Date:      Thu, 27 Sep 2012 14:47:54 -0430
From:      "ADP Alert" [FDCA492F@atlanticbeddingandfurniture.com]
Subject:      Transaction Report(s)

Your Transaction Report(s) have been uploaded to the web site:



https://www.flexdirect.adp.com/client/login.aspx



Please note that your bank account will be debited within one banking

business day for the amount(s) shown on the report(s).



Please do not respond or reply to this automated e-mail. If you have any

questions or comments, please Contact your ADP Benefits Specialist.



Thank You,

ADP Benefit Services

The malicious payload is at [donotclick]69.194.193.37/links/marked-alter.php hosted by Solar VPS in the US.

UPS Spam / sectantes-x.ru

This fake UPS spam leads to malware at sectantes-x.ru:


Date:      Thu, 27 Sep 2012 10:03:27 -0400
From:      Habbo Hotel [auto-contact@habbo.com]
Subject:      UPS Tracking Number H8244648923

    USPS .com Customer Services for big savings!     Can't see images? CLICK HERE.    
    UPS UPS SUPPORT 39    
UPS - UPS TEAM 31 >>
   
    Not Ready to Open

an Account?    
       
    The UPS Store� can help with full service packing and shipping.   
    Learn More >>   
   
       
   
UPS - Your UPS .com Customer Services
Dear, [redacted]

DEAR CUSTOMER , Delivery Confirmation: Failed

Track your Shipment now!

With best wishes , UPS .com Customer Services.
   
                       
Shipping         Tracking         Calculate Time & Cost         Open an Account
                       
@ 2011 United Parcel Service of America, Inc. Your USPS Team, the UPS brandmark, and the color brown are

trademarks of United Parcel Service of America, Inc. All rights reserved.



This is a marketing e-mail for UPS services. Click here to update your e-mail preferences or to unsubscribe to

Your USPS .US marketing e-mail. For information on UPS's privacy practices, please refer to UPS Privacy Policy.



USPS .com Customer Services, 33 Glenlake Parkway, NE - Atlanta, GA 30580

Attn: Customer Communications Department


The malicious payload is at [donotclick]sectantes-x.ru:8080/forum/links/column.php hosted on the following IP addresses:
84.22.100.108 (Republic CyberBunker, Antarctica - Amsterdam more likely)
190.10.14.196 (RACSA, Costa Rica)
203.80.16.81 (Myren, Malaysia)

The following IPs and domains are all connected and should be blocked:
84.22.100.108
190.10.14.196
203.80.16.81
rumyniaonline.ru
denegnashete.ru
dimabilanch.ru
ioponeslal.ru
soisokdomen.ru
moskowpulkavo.ru
diareuomop.ru
omahabeachs.ru
sectantes-x.ru

In addition, CyberBunker has a long history of spamming and tolerating criminals. Blocking the range 84.22.96.0/19 should afford your network some additional protection.

Intuit spam / buycelluleans.com

This fake Intuit spam leads to malware on buycelluleans.com

From: Intuit PaymentNetwork [mailto:treacheriesz2@luther.k12.wi.us]
Sent: 27 September 2012 15:24
Subject: Your payroll verification is started by Intuit.


Direct Deposit Service System information
Request status

Dear [redacted]
We received your payroll on September 27, 2012 at 3:28 AM Pacific time.
•    Funds will be transitioned from the bank account number: 6 XXXXX1345 on September 28, 2012.
•    Amount to be withdrawn: $1,107.47
•    Paychecks would be transferred to your employees' accounts on: September 28, 2012
•    Please take a look at your payroll here.
Funds are typically withdrawn before normal bank working hours so please make sure you have sufficient funds available by 12 a.m. Pacific time on the date funds are to be processed.
Intuit must obtain your payroll by 5 p.m. Pacific time, two banking days before your payment date or your personnel payment will be aborted. QuickBooks doesn't proceed payrolls on weekends and federal banking legal holidays. A list of federal banking off-days can be accessed at the Federal Reserve holyday schedule}.
Thank you for your business.
Sincerely,
Intuit Services
NOTICE: This information was sent to inform you of a some actions at your account or software. Please mind that if you confirmed option of receiving informative materials from Intuit QuickBooks you may continue to receive informational materials similar to this message that affect your service or software.
If you have any questions or comments about this email please DO NOT REPLY to this message. If you need further information please contact us.
If you receive an message that appears to come from Intuit but that you suspect is a scam email, submit it on a link below customer feedback .
Copyright 2008-2012 Intuit Inc. QuickBooks and Intuit are registered of or registered service marks of Intuit Inc. in the US and other countries. This email message is not intended to supplement, modify or extend the Intuit software license agreement between you and Intuit for any Intuit product or service.
Intuit Inc. Customer Information Services
2816 A. Commerce Center Place, Tucson, AZ 84516

The malicious payload is at [donotclick]buycelluleans.com/detects/groups_him.php (report here) hosted on 203.91.113.6 (G Mobile, Mongolia). This IP address has been used several times for malware distribution and should be blocked if you can.

SMS Spam: "Hi, we think you may be entitled to compensation.."

These annoying spammers (and probably scammers) are back, sending out their scummy PPI spam messages from +447568105443

Hi, we think you may be entitled to compensation of up to £3500 from missold PPI on a credit card or loan.
Reply INFO for more info
Reply STOP to quit

I've never been mis-sold PPI, so this is obviously a generic spam. It also looks like an invitation to make a claim even if you're not eligible. And that would be fraud..

If you get one of these, you should forward the spam and the sender's number to your carrier. In the came of T-Mobile, O2 and Orange the number to report to is 7726 ("SPAM"). Vodafone customers should use 87726 ("VSPAM") and Three customers should use 37726 ("3SPAM"). Hopefully the carriers will act if there are enough complaints.

Amazon.com spam / uenwxgvrymch.net

This Amazon.com spam leads to malware on uenwxgvrymch.net:

From: Gabriel Roach [mailto:plectrumsiy0@independentreporters.com]
Sent: 27 September 2012 13:19
To: UK HPEA 2
Subject: Your Amazon.com order of "Fossil Men's FS9367 Black Silicone Bracelet Black Analog Dial Chronograph Watch" has shipped!

Hello,

Shipping Confirmation
Order # 675-5092359-2844093

Your estimated delivery date is:
Friday, August 3 2012

Track your package Thank you for shopping with us. We thought you'd like to know that we shipped this portion of your order separately to give you quicker service. You won't be charged any extra shipping fees, and the remainder of your order will follow as soon as those items become available. If you need to return an item from this shipment or manage other orders, please visit Your Orders on Amazon.com.

Shipment Details

Fossil Men's FS9367 Black Silicone Bracelet Black Analog Dial Chronograph Watch $109.95
Item Subtotal: $109.95
Shipping & Handling: $0.00
Total Before Tax: $109.95
Shipment Total: $109.95
Paid by Visa: $109.95

You have only been charged for the items sent in this shipment. Per our policy, you only pay for items when we ship them to you.

Returns are easy. Visit our .
If you need further assistance with your order, please visit Customer Service.

We hope to see you again soon!
Amazon.com
===

The malicious payload is at [donotclick]uenwxgvrymch.net/links/claims_separate-learns_buy.php?ioufk=353302063538093336083737030a0a040309020703383305030a060906350a0a&pgaxszhs=39&meus=0a340b37043808020237&wzirxo=0a000300040002 (report here) which is hosted on the same IP address as this attack.

Amazon.com spam / ciafgnepbs.ddns.ms

This fake Amazon.com spam leads to malware on ciafgnepbs.ddns.ms:

From: Viola Chatman [mailto:parchesei642@foxvalley.net]
Sent: 27 September 2012 12:10
Subject: Your Amazon.com order of "Casio Men's PRW7035T-6CR Pathfinder Triple Sensor Tough Solar Digital Multi-Function Titanium Pathfinder Watch" has shipped!

Hello,

Shipping Confirmation
Order # 749-1221929-9346291

Your estimated delivery date is:
Friday, August 3 2012

Track your package Thank you for shopping with us. We thought you'd like to know that we shipped this portion of your order separately to give you quicker service. You won't be charged any extra shipping fees, and the remainder of your order will follow as soon as those items become available. If you need to return an item from this shipment or manage other orders, please visit Your Orders on Amazon.com.

Shipment Details

Casio Men's PRW7035T-6CR Pathfinder Triple Sensor Tough Solar Digital Multi-Function Titanium Pathfinder Watch $139.95
Item Subtotal: $139.95
Shipping & Handling: $0.00
Total Before Tax: $139.95
Shipment Total: $139.95
Paid by Visa: $139.95

You have only been charged for the items sent in this shipment. Per our policy, you only pay for items when we ship them to you.

Returns are easy. Visit our .
If you need further assistance with your order, please visit Customer Service.

We hope to see you again soon!
Amazon.com


The malicious payload is at [donotclick]ciafgnepbs.ddns.ms/links/claims_separate-learns_buy.php hosted on 62.109.23.82 (TheFirst-RU, Russia), the suspect domain ynrteqhsobjv.dnset.com  is also on the same server, blocking that IP address would protect against other malicious sites on the same server.

You might also want to consider blocking all ddns.ms and dnset.com domains, although this type of Dynamic DNS domain does have its uses, I personally believe that the dangers of mis-use outweigh the benefits.

Wednesday, 26 September 2012

IRS spam / 1.howtobecomeabostonian.com and mortal-records.net

Three different versions of fake IRS spam today, two leading to malware on 1.howtobecomeabostonian.com and the other with a malicious payload on mortal-records.net.


Date:      Wed, 26 Sep 2012 20:44:47 +0530
From:      "Internal Revenue Service (IRS)" [58D1F47@guyzzer.com]
To:      [redacted]
Subject:      Internal Revenue Service: For the attention of enterpreneurs

Internal Revenue Service (IRS)

Hello,

Due to the system error the EIN of your company has been accidently erased from the online database, please validate your EIN to reaffirm your current status of taxpayer. Certain indulgences will be applied to the next audit report for your company. IRS is sorry to cause inconvenience.





For detail information, please refer to:

https://www.irs.gov/Login.aspx?u=E8710D9E9

    Email address: [redacted]

Sincerely yours,

Barry Griffin

IRS Customer Service representative

Update your subscriptions, modify your password or email address, or stop subscriptions at any time on your Subscriber Preferences Page.

You will need to use your email address to log in.

This service is provided to you at no charge by the Internal Revenue Service (IRS).
This email was sent to [redacted] by: Internal Revenue Service (IRS) � Internal Revenue Service � 1111 Constitution Ave. N.W. � Washington DC 20535

==========


Date:      Wed, 26 Sep 2012 11:09:45 -0400
From:      "Internal Revenue Service (IRS)" [90A75BC@etherplay.com]
To:      [redacted]
Subject:      Internal Revenue Service: For the attention of enterpreneurs

Internal Revenue Service (IRS)

Dear business owners,

Due to the corrections in the taxation policies that have been recently applied, IRS informs that LLC, C-Corporations and S-Corporations have to validate their EIN in order to reaffirm their actual status. You have 14-day period in order to examine all the changes and make necessary amendments. We are sorry for the inconvenience caused.



For the details please refer to:

https://www.irs.gov/ClientArea.aspx?u=1CBD0FC829256C

    Email address: [redacted]

Sincerely yours,

Damon Abbott

Internal Revenue Service Representative

Update your subscriptions, modify your password or email address, or stop subscriptions at any time on your Subscriber Preferences Page.

You will need to use your email address to log in.

This service is provided to you at no charge by the Internal Revenue Service (IRS).
This email was sent to [redacted] by: Internal Revenue Service (IRS) � Internal Revenue Service � 1111 Constitution Ave. N.W. � Washington DC 20535


==========

Date:      Wed, 26 Sep 2012 19:53:28 +0400
From:      Internal Revenue Service [weirdpr6@polysto.com]
To:      [[redacted]]
Subject:      IRS report of not approved tax bank transfer

Your Federal Tax pending transaction (ID: 52007291963155), recently ordered for processing from your checking account was rejected by your Bank.

Rejected Tax transaction
Tax Transaction ID:     52007291963155
Reason ID     See details in the report below
State Tax Transaction Report     tax_report_52007291963155.doc (Microsoft Word Document)

Internal Revenue Service 9611 Tellus. Av. Augusta 38209 MV  

Payload one is at [donotclick]1.howtobecomeabostonian.com/links/marked-alter.php hosted on 74.207.232.13 (Linode, US) which looks like a hacked GoDaddy domain. Payload two is at [donotclick]mortal-records.net/detects/processing-successfully.php hosted on 203.91.113.6 (G-Mobile, Mongolia) which is an IP address that has been used a LOT for this type of attack. Blocking those IPs would be ideal.

These other bad domains are associated with the Mongolian IP address:
allmn-leicncester.net
amsnxn.com
bowerystore.net
cahgmt.com
cahmncm.com
casxmn.com
catmngn.com
chgmnm.com
myinfn.com
nitor-solutions.net
ntanwolb.com
penel-opessong.com
sncahmn.com
stafffire.net

Tuesday, 25 September 2012

Evil network: 108.178.59.0/26

There's quite a bit of malware coming from a range of Singlehop IPs over the past few days. The range is 108.178.59.0/26 (108.178.59.0 - 108.178.59.63)

So far, I've seen blackhole samples from 108.178.59.20, 108.178.59.11 and 108.178.59.26 which is enough to convince me that the whole /26 is bad an should be blocked.

Singlehop have reallocated the IP range to a customer:

network:Class-Name:network
network:ID:ORG-SINGL-8.108-178-59-0/26
network:Auth-Area:108.178.0.0/18
network:IP-Network:108.178.59.0/26
network:Organization:Lorenzo Coco
network:Street-Address:via Nardi, 8 Prato
network:City:Prato
network:State:Italy
network:Postal-Code:59100
network:Country-Code:IT
network:Tech-Contact;I:NETWO1546-ARIN
network:Admin-Contact;I:NETWO1546-ARIN
network:Abuse-Contact;I:ABUSE2492-ARIN
network:Created:20120430
network:Updated:20120430


It's quite possible that Mr Coco doesn't know that the IP range is being abused in this way, but blocking access to it would be prudent.

Added: You can also add 108.178.59.6 to the list of malicious sites.

BBB Spam / one.1000houses.biz

This fake BBB spam leads to malware at one.1000houses.biz:


Date:      Tue, 25 Sep 2012 11:42:18 +0200
From:      "Better.Business Bureau" [8050910@zread.com]
Subject:      Activity Report



Dear business owner, we have received a complaint about your company possible involvement in check cashing and Money Order Scam.

You are asked to provide response to this complaint within 7 days.

Failure to provide the necessary information will result in downgrading your Better Business Bureau rating and possible cancellation of your BBB accreditation status.

Complaint ID#125368

Council of Better Business Bureaus
3033 Wilson Blvd, Suite 600
Arlington, VA 22201
Phone: 1 (703) 276.0100
Fax: 1 (703) 525.8277
The malicious payload is at [donotclick]one.1000houses.biz/links/deep_recover-result.php hosted on 199.195.116.185 (A2 Hosting, US). The domain 1000houses.biz appears to be a legitimate domain where the GoDaddy account has been hacked to serve malware on subdomains. There seems to be a long-standing issue with GoDaddy domains being used in this way.

Blocking 199.195.116.185 would probably be prudent.

Monday, 24 September 2012

Amazon.com spam / pallada-cruise.net

This fake Amazon spam leads to malware on pallada-cruise.net:

From:     Belinda Gallagher vigilancejy586@williamsguitarcompany.com
To:     [redacted]
Date:     24 September 2012 18:44
Subject:     Your Order Shipped Now

Amazon    
Your Orders &nbsp| Your Account | Amazon.com
Order Confirmation
Order #002-3989927-06014360

Greetings [redacted],

Thank you for shopping with us. Wethought you'd like to know that our shop shipped your item, and that this completes your order.. If you need to return an good from this shipment or manage other orders, please visit Your Orders on Amazon.com.
Your estimated delivery date is:

Friday, September 21, 2012

Why tracking information may not be available?
    Your order was shipped to:

[redacted]
006 S Academy St, App. 1D
S Paolo, DC
United States

This shipment have no an associated delivery tracking No..

Shipment Details
   

LG 42LW5302, SV 46-Inch 720p 120 Hz Cinema 3D LCD HDTV with 3D Blu-ray Player and Four Pairs of 3D Glasses
Sold by onner
Condition: not-used before
    $612.35
Item Subtotal:     $612.35
Shipping & Handling:     $20.43
Total Before Tax:     $612.35
Shipment Total:     $612.35
Paid by MC:     $612.35

Returns are easy. Visit our ON-line Return Center.
If you need further assistance with your order, please visit Merchant Contact Form.

We hope to see you again soon!
Amazon.com

Unless otherwise noted, items are sold by Amazon LLC. Learn more about tax and item provider information.

This email was sent from a notification-only address that cannot accept incoming email. Please don't reply to this message.

The malicious payload (probably a Blackhole 2 exploit kit) is at [donotclick]pallada-cruise.net/detects/plain-keyboard_beginning-monitor.php hosted on 203.91.113.6 (G Mobile, Mongolia), an IP address that has been very active in spreading badness and which you should block if you can.