This group of sites appears to be using fake AV applications to download a malicious file, scandsk.exe (report here), via 79.133.196.103 (eTop, Poland) and 82.103.140.100 (Easyspeedy, Denmark); the file then attempts to call home to 46.105.131.126 (OVH, Ireland).
This is a screenshot of the fake AV in action:
From this point, scandsk.exe gets downloaded either through an exploit or through social engineering. This executable looks like some sort of downloader, which attempts to pull down additional data from these non-responding domains:
report.q7ws17sk1ywsk79g.com
report.7ws17sku7myws931u.com
report.u79i1qgmywskuo9o.com
There's some sort of trickery here; perhaps it requires exactly the right combination of factors to hit a valid URL. The automated analysis tools are inconsistent [1] [2] [3] but seem to indicate a C&C server on 46.105.131.126. This IP belongs to OVH (no surprises there) but seems to have been suballocated:
inetnum: 46.105.131.120 - 46.105.131.127
netname: marysanders1
descr: marysanders1net
country: IE
org: ORG-OH5-RIPE
admin-c: OTC9-RIPE
tech-c: OTC9-RIPE
status: ASSIGNED PA
mnt-by: OVH-MNT
source: RIPE # Filtered
I suspect that this whole block is being used for malicious purposes. 46.105.131.123 hosts a site called find-and-go.com, registered in China, which has been fingered as an attack site before (e.g. here, click at your own risk). I would recommend blocking the entire 46.105.131.120/29 to be on the safe side.
The infection sites are on 82.103.140.100 and 79.133.196.103, and they make extensive use of subdomains of mooo.com, ez.lv and zyns.com. There are probably legitimate sites making use of these domains, but blocking them completely should give you few headaches.
79.133.196.103 is part of a small block of IPs, 79.133.196.96/27, that I have seen malware on before, specifically 79.133.196.105 and 79.133.196.124. Blocking the entire /27 is probably a good idea.
Recommended blocklist:
46.105.131.120/29
82.103.140.100
79.133.196.97/27
mooo.com
ez.lv
zyns.com
Alternatively, these are some of the subdomains in use. There are a lot of them, and probably more than I have listed here.
82.103.140.100
www2.x49v36a57puq66.ez.lv
www2.tpzqzg4k2scre0.mooo.com
www2.afc5l4vfohgsz0.mooo.com
www2.f4t9jm7x21.mooo.com
www2.q9iuiwcoq2uvy-2.mooo.com
www2.wwml9bvprhllq2.mooo.com
www2.cjpujub6n0e5u2.mooo.com
www2.t-hih2cnpkpjy2.mooo.com
www2.afbsv8ooj-3.mooo.com
www2.yhqgj6kntn9ru3.mooo.com
www2.q-5f75azo15f214.mooo.com
www2.pbsx2znwccc9a4.mooo.com
www2.wa9bb2z4r3ojz-5.mooo.com
www2.abjbxt7a65.mooo.com
www2.fmrmta0nhmql95.mooo.com
www2.xkpcakk8fnvp95.mooo.com
www2.l6gbfb6l5.mooo.com
www2.ewl91b7p86.mooo.com
www2.uwgsohupxy1de6.mooo.com
www2.g-gq0soprruf5h6.mooo.com
www2.m7yzf62rp6.mooo.com
www2.vov9fsmlyq9257.mooo.com
www2.r2qrxdwo979vj7.mooo.com
www2.j9qm7o00stdyx7.mooo.com
www2.laysltotae8xd8.mooo.com
www2.wp0poz3aq7a7q8.mooo.com
www2.lisbp4cv0v6w09.mooo.com
www2.a50oup6hw0u9c9.mooo.com
www2.pa68ewk9fuqoe9.mooo.com
www2.ohcaob1cffx4l9.mooo.com
www2.g-gysij61cwkkr9.mooo.com
www2.j-8pdx3cfjxgba.mooo.com
www2.h-3aq08aicxn2c.mooo.com
www2.i-7w3rj3j54msmc.mooo.com
www2.j94ysol4em1jd.mooo.com
www2.b5nxk76wnd.mooo.com
www2.r-72i3awaqe.mooo.com
www2.e1k6twcnwqkueh.mooo.com
www2.l00mfws4y9p7ci.mooo.com
www2.l-30w3ulnwvj0qi.mooo.com
www2.z9tbs222g9unk.mooo.com
www2.g-3hww04s0mv5mn.mooo.com
www2.d-9w6t7gvgqm1o.mooo.com
www2.v3sinde9go.mooo.com
www2.l926nykwyj27mo.mooo.com
www2.e8dp78999hr5u.mooo.com
www2.y-8ppqnq8kglsou.mooo.com
www2.k79jcizh268qu.mooo.com
www2.v-9ifaa40v4bu1w.mooo.com
www2.p-2l65dl6w.mooo.com
www2.w15s6udfkhp5ry.mooo.com
www2.jjiqnfn6gj5ht-0.ez.lv
www2.z1jdd6o1e1kss0.ez.lv
www2.h-ccawkohe3qpi3.ez.lv
www2.hzyr7bh8gok2p4.ez.lv
www2.djti1cxaiz9wk5.ez.lv
www2.i-lojtegi396u5.ez.lv
www2.zgurkoad-7.ez.lv
www2.z26df3ueq3j2t7.ez.lv
www2.u263xcu8.ez.lv
www2.kyumtava8e6qv-9.ez.lv
www2.vn6wbwn7abt319.ez.lv
www2.w-5e04vjusiibj9.ez.lv
www2.n9vrk7p00g.ez.lv
www2.t3fjazatb9yov.ez.lv
79.133.196.103
www1.d6kpgdkvrolql3.zyns.com
www1.v7cqv8zdy4pjn5.mooo.com
www1.gno1meqrlspf5-0.zyns.com
www1.ibtu6x7oi3278-0.zyns.com
www1.b95ixcr30.zyns.com
www1.z-xq6xi2p7yx60.zyns.com
www1.p-aijej0.zyns.com
www1.jzyycis0.zyns.com
www1.u1wfjjs0.zyns.com
www1.h7xwv84x1huu0.zyns.com
www1.o-3xvokohw0.zyns.com
www1.fetmg6oukfvvw0.zyns.com
www1.wxe3vgvuk6th-1.zyns.com
www1.nuiq1hvmga2d11.zyns.com
www1.w5ndppqbx3p21.zyns.com
www1.u8r2a5xfb0xp51.zyns.com
www1.gbrl4es5xro4b1.zyns.com
www1.z-gfckpx0nst8c1.zyns.com
www1.ma5x4qfhh1.zyns.com
www1.ps61hen1.zyns.com
www1.cvhc6cr1.zyns.com
www1.ucfjffrizboz1.zyns.com
www1.vlza5kzj32.zyns.com
www1.cutyfk82tkfc52.zyns.com
www1.p3gn08hp62.zyns.com
www1.xa9xfs70sn92.zyns.com
www1.tt4h8odbcfxtq2.zyns.com
www1.j8qi8gl3d5jpv2.zyns.com
www1.iatjl4x2.zyns.com
www1.zqclyyon8-3.zyns.com
www1.c4w46c-3.zyns.com
www1.iu3b7pys9yah23.zyns.com
www1.veduncogo0u683.zyns.com
www1.bq1la1lcr3.zyns.com
www1.sm30hwbrxb5az3.zyns.com
www1.osxzdpb-4.zyns.com
www1.e1xyho-4.zyns.com
www1.h5yqudc184.zyns.com
www1.bctzuagte4.zyns.com
www1.gr56vr5wxvg7n4.zyns.com
www1.m5sfchcmj27cq4.zyns.com
www1.l1rtz0zaj4fnq4.zyns.com
www1.y-4an259ivs7vq4.zyns.com
www1.t8lkv8y4.zyns.com
www1.ycj49f-5.zyns.com
www1.o31omt35.zyns.com
www1.w032ang27l9d55.zyns.com
www1.x-96pxhseft8vo5.zyns.com
www1.p8yzcs8ch-6.zyns.com
www1.dhapuz06.zyns.com
www1.k-1m2fwr1zkha6.zyns.com
www1.rqc6n0zob6.zyns.com
www1.uicqviiewuukp6.zyns.com
www1.y4fyk9kw4e0lu6.zyns.com
www1.nbv4tzxo9452-7.zyns.com
www1.a6f4udb912c49-7.zyns.com
www1.ao3r3psunacd-7.zyns.com
www1.b7k6w2pnmz127.zyns.com
www1.i-vmtcr70kg2up7.zyns.com
www1.j-2qw3j92dq8x7.zyns.com
www1.yhxt4s4j78ry7.zyns.com
www1.frmbxxqc875pj-8.zyns.com
www1.axttts-8.zyns.com
www1.w-5z76xligg58.zyns.com
www1.scowhjo755l6d8.zyns.com
www1.br3u9dxxar5td8.zyns.com
www1.y5nxjxm8.zyns.com
www1.b6bu6gh1zcp8.zyns.com
www1.tnluwilt6mp2-9.zyns.com
www1.nnn17u67qzt219.zyns.com
www1.agdd43g049.zyns.com
www1.bcg6p4ctazktc9.zyns.com
www1.yoioas053gtbe9.zyns.com
www1.a-rra5zgikgcf9.zyns.com
www1.sx5egikt2kmqf9.zyns.com
www1.du3ikfh9.zyns.com
www1.f-5uhlm9.zyns.com
www1.xfrqbmljcp48n9.zyns.com
www1.r-aaqewzo8mp9.zyns.com
www1.jllt99r0v9.zyns.com
www1.uyi3rupgv9pdw9.zyns.com
www1.g8z0v3j7gwd7of.zyns.com
www1.v-1ou2ri1zrg0qf.zyns.com
www1.j02zhivh.zyns.com
www1.m0xqnb0l4j.zyns.com
www1.p5yte9ud3fbxbj.zyns.com
www1.o-2kuc2s8nkirik.zyns.com
www1.c58qlq5xcj0jrl.zyns.com
www1.v6r445h3ffl3m.zyns.com
www1.y-1gh1dkd6m.zyns.com
www1.b5sfmondbm.zyns.com
www1.d0mprkrn.zyns.com
www1.m8gnbsm902rx1p.zyns.com
www1.q-1nvlobckqmv9q.zyns.com
www1.j8o4hnar.zyns.com
www1.a4d2od4p7wyxas.zyns.com
www1.w2up72la0jj4fs.zyns.com
www1.p-7mmwht.zyns.com
www1.b-8zowxdx7c9mt.zyns.com
www1.x6nal9syket14u.zyns.com
www1.q7l2p44v81oyxw.zyns.com
www1.x-1qeru80ijr0yw.zyns.com
www1.k2o7ux378x.zyns.com
www1.y-34sc9n3kutsy.zyns.com
www1.q3nxdktdixzfzy.zyns.com
www1.t7nh3q177z.zyns.com
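An added example, not part of the original post, showing how a defender might turn the recommended blocklist above and the whois excerpt into something checkable in Python. The inetnum range is converted to CIDR, list entries are normalised (the 79.133.196.97/27 entry is rounded down to 79.133.196.96/27, the /27 discussed above, and bare IPs become /32s), and hostnames are matched against listed parent domains, so the www1/www2 subdomains listed above are caught by their mooo.com, ez.lv and zyns.com parents. BLOCKLIST_TEXT and WHOIS_TEXT are pasted from the post; the function and class names are my own.

```python
import ipaddress
import re

# The recommended blocklist from the post, pasted as written (one entry per line).
BLOCKLIST_TEXT = """
46.105.131.120/29
82.103.140.100
79.133.196.97/27
mooo.com
ez.lv
zyns.com
"""

# The RIPE whois excerpt from the post; only the inetnum line matters here.
WHOIS_TEXT = """inetnum: 46.105.131.120 - 46.105.131.127
netname: marysanders1
status: ASSIGNED PA
"""

INETNUM_RE = re.compile(r"inetnum:\s*([\d.]+)\s*-\s*([\d.]+)")


def inetnum_to_cidrs(whois_text):
    """Convert the 'inetnum: first - last' range of a RIPE record into CIDR blocks."""
    m = INETNUM_RE.search(whois_text)
    if not m:
        raise ValueError("no inetnum line found")
    first = ipaddress.ip_address(m.group(1))
    last = ipaddress.ip_address(m.group(2))
    return [str(n) for n in ipaddress.summarize_address_range(first, last)]


def parse_blocklist(text):
    """Split a mixed list of IPs, CIDRs and domains into networks and domain suffixes.

    Entries are normalised: a bare IP becomes a /32, and a CIDR whose host bits
    are set (79.133.196.97/27 in the post) is rounded down to its network
    address (79.133.196.96/27), which is the /27 the post actually discusses.
    """
    nets, domains = [], set()
    for line in text.splitlines():
        entry = line.strip().lower()
        if not entry or entry.startswith("#"):
            continue
        try:
            nets.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:  # not an IP or CIDR, so treat it as a domain suffix
            domains.add(entry.rstrip("."))
    return nets, domains


class Blocklist:
    def __init__(self, text):
        self.nets, self.domains = parse_blocklist(text)

    def blocks_ip(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.nets)

    def blocks_host(self, host):
        """True if the host or any parent domain is listed, so a listed
        dynamic-DNS parent such as ez.lv covers www2.x49v36a57puq66.ez.lv."""
        labels = host.lower().rstrip(".").split(".")
        return any(".".join(labels[i:]) in self.domains for i in range(len(labels)))

    def blocks(self, target):
        try:
            return self.blocks_ip(target)
        except ValueError:  # not an IP literal, so match it as a hostname
            return self.blocks_host(target)


if __name__ == "__main__":
    bl = Blocklist(BLOCKLIST_TEXT)
    print("whois range ->", inetnum_to_cidrs(WHOIS_TEXT))
    print("normalised networks ->", [str(n) for n in bl.nets])
    for t in ["79.133.196.105", "79.133.196.128", "www2.x49v36a57puq66.ez.lv", "notmooo.com"]:
        print(t, "blocked" if bl.blocks(t) else "allowed")
```

Suffix matching is done label by label rather than with a substring test, so a listed mooo.com does not accidentally match a hostname such as notmooo.com, and the normalisation step is where a typo like 79.133.196.97/27 gets caught before it reaches a firewall that would reject it.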
Wednesday, 19 December 2012
Malware sites to block 19/12/12
Labels: Fake Anti-Virus, Malware, OVH
Tuesday, 18 December 2012
LinkedIn spam / apensiona.ru
This fake LinkedIn spam leads to malware on apensiona.ru:
The malicious payload is at [donotclick]apensiona.ru:8080/forum/links/column.php (the same payload as here) although this time the IPs have changed to:
109.235.71.144 (Serveriai, Lithuania)
176.31.111.198 (OVH, France)
217.112.40.69 (Utransit, UK)
Here's a plain list if you want to block the lot:
109.235.71.144
176.31.111.198
217.112.40.69
Blocking emails from linkedin.com at your perimeter might also be a good idea.
From: messages-noreply@bounce.linkedin.com on behalf of LinkedIn Connections
Sent: Tue 18/12/2012 14:01
Subject: Join my network on LinkedIn
Hien Lawson has indicated you are a Friend
I'd like to add you to my professional network on LinkedIn.
- Hien Lawson
Accept
View invitation from Hien Lawson
WHY MIGHT CONNECTING WITH Hien Lawson BE A GOOD IDEA?
Hien Lawson's connections could be useful to you
After accepting Hien Lawson's invitation, check Hien Lawson's connections to see who else you may know and who you might want an introduction to. Building these connections can create opportunities in the future.
2012, LinkedIn Corporation
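The thing that gives this lure away, a LinkedIn sender whose links lead to apensiona.ru, can be checked mechanically at the mail gateway. The following is an added example, not code from the post: it parses a constructed message modelled on the one quoted above (the sender and subject are as quoted; the hacked-site URL is a placeholder under .test; the payload URL is the one the post names) and reports links whose domain does not match the claimed sender, plus links on non-standard ports. The two-label registered_domain() heuristic is an assumption that ignores the public suffix list.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlsplit

# Constructed message modelled on the LinkedIn lure quoted above. The first link
# stands in for the hacked intermediate site, the second is the payload URL the
# post names, the third is a genuine-looking link back to the brand itself.
SAMPLE_EML = """\
From: LinkedIn Connections <messages-noreply@bounce.linkedin.com>
To: victim@example.test
Subject: Join my network on LinkedIn
Content-Type: text/html; charset=utf-8

<html><body>
<p>Hien Lawson has indicated you are a Friend</p>
<p><a href="http://hacked-site.example.test/wp-includes/ln.html">Accept</a></p>
<p><a href="http://apensiona.ru:8080/forum/links/column.php">View invitation from Hien Lawson</a></p>
<p><a href="https://www.linkedin.com/e/unsubscribe">Unsubscribe</a></p>
</body></html>
"""

HREF_RE = re.compile(r'href\s*=\s*["\']([^"\']+)["\']', re.IGNORECASE)


def registered_domain(host):
    """Last two labels of a hostname. Assumption: good enough for the domains on
    this page; a production filter would consult the public suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def sender_domain(msg):
    """Registered domain of the address the message claims to come from."""
    addr = parseaddr(str(msg["From"]))[1]
    return registered_domain(addr.rsplit("@", 1)[-1])


def links(msg):
    """All href targets in the HTML (or plain) body, parsed into URL parts."""
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body is not None else ""
    return [urlsplit(u) for u in HREF_RE.findall(text)]


def triage(raw):
    """Flag links whose domain differs from the claimed sender's, and links on
    non-standard ports (the payload on this page sits on :8080)."""
    msg = message_from_string(raw, policy=policy.default)
    claimed = sender_domain(msg)
    mismatched, odd_ports = [], []
    for u in links(msg):
        if not u.hostname:
            continue
        if registered_domain(u.hostname) != claimed:
            mismatched.append(u.hostname)
        if u.port not in (None, 80, 443):
            odd_ports.append(f"{u.hostname}:{u.port}")
    return {
        "claimed_sender": claimed,
        "mismatched_hosts": mismatched,
        "nonstandard_ports": odd_ports,
    }


if __name__ == "__main__":
    print(triage(SAMPLE_EML))
```

A real brand mailing will usually link only to its own domains or to a known mailing provider, so a message claiming to be from linkedin.com whose call-to-action links go elsewhere is worth quarantining regardless of whether the destination is already on a blocklist; the hacked redirector site is, by design, not on one yet.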
UPS (or is it USPS) spam / apensiona.ru
Spammers often get UPS and the USPS mixed up. They're not the same thing at all. And this one throws FilesTube into the mix as well. Anyway, this fake UPS / USPS / FilesTube spam leads to malware on apensiona.ru:
The malicious payload is at [donotclick]apensiona.ru:8080/forum/links/column.php which is hosted on 217.112.40.69 (Utransit, claims to be from the UK but probably Russia). The following malicious domains are also on that IP address:
pelamutrika.ru
antariktika.ru
aliamognoa.ru
ahiontota.ru
anifkailood.ru
podarunoki.ru
aseniakrol.ru
publicatorian.ru
pitoniamason.ru
aviaonlolsio.ru
dimarikanko.ru
adanagenro.ru
aofngppahgor.ru
apolinaklsit.ru
apensiona.ru
From: FilesTube [mailto:filestube@filestube.com]
Sent: 17 December 2012 06:01
Subject: Your Tracking Number H7300014839
USPS Customer Services for big savings!
Can't see images? CLICK HERE.
UPS - UPS TEAM 60 >>
Already Have
an Account?
Enjoy all UPS has to offer by linking your My UPS profile to your account.
Link Your
Account Now >>
UPS - UPS .com Customer Services
Good Evening, [redacted].
DEAR USER , Recipient's address is wrong
Track your Shipment now!
With Respect To You , Your UPS .com Customer Services.
Shipping
Tracking
Calculate Time & Cost
Open an Account
@ 2011 United Parcel Service of America, Inc. Your USPS .us Customer Services, the UPS brandmark, and the color brown are
trademarks of United Parcel Service of America, Inc. All rights reserved.
This is a marketing e-mail for UPS services. Click here to update your e-mail preferences or to unsubscribe to
USPS Team marketing e-mail. For information on UPS's privacy practices, please refer to UPS Privacy Policy.
Your USPS .us Customer Services, 8 Glenlake Parkway, NE - Atlanta, GA 30585
Attn: Customer Communications Department
Monday, 17 December 2012
pillscarehealthcare.com spam
There has been a massive amount of pharma spam pointing to pillscarehealthcare.com over the past 48 hours or so. This appears to be punting fake drugs rather than malware. pillscarehealthcare.com is hosted on 95.58.254.74 (Kazakh Telecom, Kazakhstan). In my opinion blocking 95.58.254.0/24 will probably do you no harm. These other fake pharma web sites can be found on the same IP address:
retailersviagrasale.nl
tabdisease.nl
viagralberta.com
medmedsepub.com
tabletlevitripad.com
newpharmsale.com
pillscarehealthcare.com
qrigzh.themedsdrugstore.com
medsmedicinedisease.com
pillsmedicinedrug.com
medmedsceccoli.com
garciniaherbal.com
medicinepharmedical.com
viagraherbalflavor.com
drugenericsmeds.com
petraeuslismeds.com
patientsmedicinepills.com
tabpatients.com
tabhealthpatients.com
cialispetraeus.com
dietwifat.com
viagradiet.com
weightprescriptiondiet.com
kidneyprescriptiondiet.com
www.welnesskidney.com
www.medicaremedsromney.com
herbalapple.at
levitratcu.at
welnessgenerics.net
romneyrx.net
pillspharmamedicine.ru
pillsdrugstoredrugstore.ru
parisdrugstore.ru
pharmacypresciption.ru
pillpharmacydrugs.ru
controlpills.ru
drugtorefitnesspills.ru
pharmacypillstreatments.ru
drugstorehealthcarerx.ru
drugstorehealthrx.ru
drugstoretabsrx.ru
pharmacymedsrx.ru
fitnessdrugstorepharmacy.ru
dosehealthpharmacy.ru
medicinerxpharmacy.ru
caprxpharmacy.ru
cappharmacypharmacy.ru
Here are some examples of the spam:
Date: Mon, 17 Dec 2012 02:47:56 +0000 (GMT)
From: "Account Info Change" [tyjinc@palmerlakearttour.com]
To: [redacted]
Subject: Updated information
Updated information
Hello,
The following information for your ID [redacted] was updated on 12/17/2012: Date of birth, Security question and answer.
If these changes were made in error, or if you believe an unauthorized person accessed your account, please reset your account password.
This is an automated message. Please do not reply to this email. If you need additional help, visit our Support Center.
Thanks,
Customer Support
==================
Date: Mon, 17 Dec 2012 01:22:56 -0700
From: "Angela Snider" [directsales@tyroo.com]
To: [redacted]
Subject: Pending ticket status
Ticketing System
Hello,
You have been successfully registered in our Ticketing System
Please, login and check status of your ticket, or close the ticket here
Go To Profile
See All tickets
This message was sent to [redacted]. Should you have any questions, or if you believe that you have received this in error please contact us at support center.
==================
Date: Sat, 15 Dec 2012 21:37:47 -0700
From: "Alexis Houston" [cmassuda@agf.com.br]
To: [redacted]
Subject: Pending ticket notification
Ticketing System
Hello,
You have been successfully registered in our Ticketing System
Please, login and check status of your ticket, or report new ticket here
Go To Profile
See All tickets
This message was sent to [redacted]. Should you have any questions, or if you believe that you have received this in error please contact us at support center.
==================
Date: Sat, 15 Dec 2012 07:06:30 -0800
From: "Account Sender Mail" [daresco@excite.com]
To: [redacted]
Subject: Account is now available
Login unavailable due to maintenance ([redacted])
Hello,
Your Account is now available.
Our systems were unavailable due to maintenance and upgrading system. We apologizes for any inconvenience and appreciates the patience while this critical maintenance was performed. If you still face the problem then it would be better if you contact our team.
Access Your Account
Hope this information helps you.
Thanks,
Support team
==================
From: Kennedi Marquez [mailto:cwtroutn@naturalskincarereviews.info]
Sent: 17 December 2012 11:18
Subject: Updated information
Updated information
Hello,
The following information for your ID [redacted] was updated on 12/17/2012: Date of birth, Security question and answer.
If these changes were made in error, or if you believe an unauthorized person accessed your account, please reset your account password.
This is an automated message. Please do not reply to this email. If you need additional help, visit our Support Center.
Thanks,
Customer Support
Labels: Fake Pharma, Spam
2001 Trailer Recut
This is a kind of parody: what would happen if 2001: A Space Odyssey were being promoted with a modern blockbuster-style trailer today? Actually, I think it looks freakin' awesome:
Friday, 14 December 2012
Changelog spam / aviaonlolsio.ru
From: messages-noreply@bounce.linkedin.com [mailto:messages-noreply@bounce.linkedin.com] On Behalf Of Earlean Gardner via LinkedIn
Sent: 13 December 2012 20:22
Subject: Re: Changelog as promised (upd.)
Hi,
as promised - View
I. SWEET
====================
Date: Fri, 14 Dec 2012 05:22:54 +0700
From: "Kaiya HIGGINS" [fwGpEzHIGGINS@hotmail.com]
Subject: Re: Fwd: Changelog as promised(updated)
Hi,
as promised chnglog updated - View
I. HIGGINS
The malicious payload is at [donotclick]aviaonlolsio.ru:8080/forum/links/column.php hosted on the same IPs as used in this attack:
75.148.242.70 (Comcast Business, US)
91.142.208.144 (Axarnet, Spain)
The following malicious domains are on those same IPs:
ahiontota.ru
aliamognoa.ru
amnaosogo.ru
anifkailood.ru
aofngppahgor.ru
aseniakrol.ru
aviaonlolsio.ru
awoeionfpop.ru
dimarikanko.ru
pelamutrika.ru
pitoniamason.ru
podarunoki.ru
publicatorian.ru
Citibank spam / 6.bbnsmsgateway.com
This fake Citibank spam leads to malware on 6.bbnsmsgateway.com:
The malicious payload is at [donotclick]6.bbnsmsgateway.com/string/obscure-logs-useful.php hosted on 192.155.81.9 (Linode, US). There are probably some other bad domains on this server, so blocking access to that IP could be prudent.
Date: Fri, 14 Dec 2012 19:27:56 +0530
From: Citi Cards [citicards@info.citibank.com]
Subject: Your Citi Credit Card Statement
Add citicards@info.citibank.com to your address book to ensure delivery.
Your Account: Important Notification
Your Citi Credit Card statement is ready to view online
Dear customer,
Your Citi Credit Card statement is now available for you to view online. Here are some key pieces of information from your statement:
Statement Date: December 13, 2012
Statement Balance: -$4,873.54
Minimum Payment Due: $578.00
Payment Due Date: Tue, January 01, 2013
Want help remembering your payment due date? Sign up for automated alerts such as Payment Due reminders with Alerting Service.
To set up alerts sign on to www.citicards.com and go to Account Profile.
Iprefer not to have this email contain specific information from my statement. Please send me just the announcement that my statement is ready to view online.
View Your Account Pay Your Bill Contact Us
Privacy | Security
Email Preferences
This message is from Citi Cards. Your credit card is issued by Citibank, N.A. If you'd like to refine the types of email messages you receive, or if you'd prefer to stop receiving email from us, please go to: http://www.email.citicards.com. Citibank manages email preferences by line of business. Changing your email preferences with Citi Cards does not change your email preferences for messages from Citibank's other businesses which include retail branch banking among others.
Should you want to contact us in writing concerning this email, please direct your correspondence to:
Citibank Customer Service
P. O. Box 6500
Sioux Falls, SD 57117
Help / Contact Us
If you have questions about your account, please use our secure message center by signing on at www.citicards.com and choosing "Contact Us" from the "Help / Contact Us" menu. You can also call the customer service phone number on the back of your card.
(c) 2012 Citibank, N.A.
All rights reserved.
Citi, Citibank and Citi with Arc Design are registered service marks of Citigroup Inc.
Citibank spam / 4.whereintrentinoaltoadige.com
This fake Citibank spam leads to malware on 4.whereintrentinoaltoadige.com:
The malicious payload is at [donotclick]4.whereintrentinoaltoadige.com/string/obscure-logs-useful.php hosted on 198.74.54.28 (Linode, US).
The following malicious domains are also on the same server:
4.whereinpuglia.com
4.whereinsicilia.com
4.whereinliguria.com
4.whereintoscana.com
4.whereinsardegna.com
4.whereinmolise.com
4.whereinpiemonte.com
4.whereinmilan.com
4.whereinlazio.com
4.whereinlombardy.com
4.whereinitaly.com
4.whereinsicily.com
4.whereintrentinoaltoadige.com
Date: Fri, 14 Dec 2012 13:54:14 +0200
From: Citi Cards [citicards@info.citibank.com]
Subject: Your Citi Credit Card Statement
Add citicards@info.citibank.com to your address book to ensure delivery.
Your Account: Important Notification
Your Citi Credit Card statement is ready to view online
Dear customer,
Your Citi Credit Card statement is now available for you to view online. Here are some key pieces of information from your statement:
Statement Date: December 13, 2012
Statement Balance: -$4,550.67
Minimum Payment Due: $764.00
Payment Due Date: Tue, January 01, 2013
Want help remembering your payment due date? Sign up for automated alerts such as Payment Due reminders with Alerting Service.
To set up alerts sign on to www.citicards.com and go to Account Profile.
Iprefer not to have this email contain specific information from my statement. Please send me just the announcement that my statement is ready to view online.
View Your Account Pay Your Bill Contact Us
Privacy | Security
Email Preferences
This message is from Citi Cards. Your credit card is issued by Citibank, N.A. If you'd like to refine the types of email messages you receive, or if you'd prefer to stop receiving email from us, please go to: http://www.email.citicards.com. Citibank manages email preferences by line of business. Changing your email preferences with Citi Cards does not change your email preferences for messages from Citibank's other businesses which include retail branch banking among others.
Should you want to contact us in writing concerning this email, please direct your correspondence to:
Citibank Customer Service
P. O. Box 6500
Sioux Falls, SD 57117
Help / Contact Us
If you have questions about your account, please use our secure message center by signing on at www.citicards.com and choosing "Contact Us" from the "Help / Contact Us" menu. You can also call the customer service phone number on the back of your card.
(c) 2012 Citibank, N.A.
All rights reserved.
Citi, Citibank and Citi with Arc Design are registered service marks of Citigroup Inc.
====================
Alternative mid-sections:
Statement Date: December 13, 2012
Statement Balance: -$8,902.58
Minimum Payment Due: $211.00
Payment Due Date: Tue, January 01, 2013
Statement Date: December 13, 2012
Statement Balance: -$9,905.95
Minimum Payment Due: $535.00
Payment Due Date: Tue, January 01, 2013
Something evil on 87.229.26.138
This seems to be a bunch of evil domains on 87.229.26.138 (Deninet, Hungary) being used in injection attacks. Possible payloads include Blackhole (for example).
There are two sets of domains, .in domains being used by themselves and .eu domains being used with subdomains, listed below.
The registration details are probably fake, but for the record the .eu domains are registered to:
Juha Salonen
Lukiokatu 23
13430 Hameenlinna
Hameenlinna
Finland
salonen_juha@yahoo.com
The .in domains are registered to:
Puk T Lapkanen
Puruntie 33
LAPPEENRANTA
53200
FI
+358.443875638
puklapkanen@yahoo.com
If you can block the IP address then it will be the simplest option as there are rather a lot of domains here:
krvrkh.in
pmkvyh.in
hqzzpk.in
wkhmyk.in
ymjjjm.in
lupszm.in
gguwvn.in
znztip.in
onylkp.in
jlqrnp.in
yyssyr.in
nxwktt.in
zpjhjv.in
zjmnwv.in
ypmptx.in
humswz.in
quoorh.eu
zxlngj.eu
lxtnmm.eu
lrqjrn.eu
knxhsn.eu
pzgztn.eu
wokjpq.eu
lkowgs.eu
hiikrs.eu
knvutt.eu
smqtnu.eu
tmkvmv.eu
ihltwv.eu
prhhvw.eu
sowxyw.eu
utppry.eu
anshg.quoorh.eu
hjzg.quoorh.eu
utkvvk.quoorh.eu
krqm.quoorh.eu
rueyn.quoorh.eu
cdnro.quoorh.eu
xdxp.quoorh.eu
qrhxp.quoorh.eu
vtr.quoorh.eu
zrlrrs.quoorh.eu
dvyy.quoorh.eu
vymf.zxlngj.eu
xjpf.zxlngj.eu
xxvcj.zxlngj.eu
radcm.zxlngj.eu
lixcmn.zxlngj.eu
nnn.zxlngj.eu
hwpdq.zxlngj.eu
akiy.zxlngj.eu
mvtrn.lxtnmm.eu
ygz.lxtnmm.eu
hkauh.lrqjrn.eu
aqsf.knxhsn.eu
mqjpl.pzgztn.eu
wmmj.wokjpq.eu
plfztn.wokjpq.eu
fyqwrv.wokjpq.eu
prz.wokjpq.eu
ygh.lkowgs.eu
jasiv.hiikrs.eu
gechga.knvutt.eu
dxcypc.knvutt.eu
pod.knvutt.eu
sie.knvutt.eu
pdlgf.knvutt.eu
qvxqj.knvutt.eu
xdp.knvutt.eu
ikp.knvutt.eu
foxq.knvutt.eu
snt.knvutt.eu
wou.knvutt.eu
env.knvutt.eu
xor.knvutt.eu
pllrcn.knvutt.eu
stgc.smqtnu.eu
uknqc.smqtnu.eu
ynkf.smqtnu.eu
sgph.smqtnu.eu
sgo.smqtnu.eu
nlcowd.tmkvmv.eu
amp.tmkvmv.eu
wbs.tmkvmv.eu
uvpne.ihltwv.eu
vfjrn.ihltwv.eu
zlpttn.ihltwv.eu
xlt.ihltwv.eu
kcvvct.prhhvw.eu
kda.sowxyw.eu
kvb.sowxyw.eu
jbjol.sowxyw.eu
hegr.sowxyw.eu
maizss.sowxyw.eu
jfeu.sowxyw.eu
ozku.sowxyw.eu
rgpxz.sowxyw.eu
houqw.utppry.eu
Thursday, 13 December 2012
"Copies of Policies" spam / awoeionfpop.ru:
Date: Thu, 13 Dec 2012 09:08:32 -0400
From: "Myspace" [noreply@message.myspace.com]
Subject: Fwd: Deshaun - Copies of Policies
Unfortunately, I cannot obtain electronic copies of the SPII policy.
Here is the Package and Umbrella,
and a copy of the most recent schedule.
Deshaun ZAMORA,
The malicious payload is at [donotclick]awoeionfpop.ru:8080/forum/links/column.php hosted on the following IPs that I haven't seen before:
75.148.242.70 (Comcast Business, US)
91.142.208.144 (Axarnet, Spain)
The following domains are also on these IPs:
pelamutrika.ru
aliamognoa.ru
ahiontota.ru
anifkailood.ru
podarunoki.ru
aseniakrol.ru
publicatorian.ru
pitoniamason.ru
amnaosogo.ru
dimarikanko.ru
aofngppahgor.ru
awoeionfpop.ru
Citibank spam / eaglepointecondo.biz
Date: Thu, 13 Dec 2012 16:59:14 +0400
From: "Citi Alerts" [lubumbashiny63@bankofdeerfield.com]
Subject: Account Operation Alert
EMAIL SAFETY AREA
ATM/Credit card ending in: XXX8
Notifications System
Wire Transaction Issued
Ultimate Savings Account (USA) XXXXXXXXX5
Amount Withdrawn: $4,564.61
Date: 12/12/12
Sign In to Abort Details
Wire Transaction Issued
Ultimate Savings Account (USA) XXXXXXXXX5
Amount Debited: $.24
Date: 12/12/12
Login to Overview Operation
ABOUT THIS MESSAGE
Please DO NOT reply to this message. auto-notification system can't accept incoming mail.
Citibank, N.A. Member FDIC.
© 2012 Citigroup Inc. Citi with Arc Design and Citibank are registered service marks of Citigroup Inc.
====================
From: Citibank - Alerts [mailto:enormityyf10@iztzg.hr]
Sent: 13 December 2012 12:50
Subject: Account Operation Alert
Importance: High
EMAIL SAFETY AREA
ATM/Credit card ending in: XXX6
Notifications System
Bill Payment
Checking XXXXXXXXX7
Amount Withdrawn: $5,951.56
Date: 12/12/12
Visit this link to Cancel Detailed information
Bill Payment
Checking XXXXXXXXX7
Amount Debited: $.14
Date: 12/12/12
Login to Review Operation
ABOUT THIS MESSAGE
Please don't reply to this message. auto informer system unable to accept incoming mail.
Citibank, N.A. Member FDIC.
2012 Citigroup Inc. Citi with Arc Design and Citibank are registered service marks of Citigroup Inc.
====================
From: Citibank - Service [mailto:goaliesj79@wonderware.com]
Sent: 13 December 2012 12:59
Subject: Account Alert
Importance: High
EMAIL SAFETY ZONE
ATM/Debit card ending in: XXX8
Alerting System
Withdraw Message
Savings Account XXXXXXXXX4
Amount Debited: $1,218.42
Date: 12/12/12
Login to Abort Operation
Withdraw Message
Savings Account XXXXXXXXX4
Amount Withdrawn: $.42
Date: 12/12/12
Sign In to Overview Operation
ABOUT THIS MESSAGE
Please DO NOT reply to this message. auto-notification system not configured to accept incoming mail.
Citibank, N.A. Member FDIC.
2012 Citigroup Inc. Citi with Arc Design and Citibank are registered service marks of Citigroup Inc.
The malicious payload is on [donotclick]eaglepointecondo.biz/detects/operation_alert_login.php hosted on 59.57.247.185 in China. The same IP has been used several times for evil recently, and you should block it if you can.
Citi Cards spam / 6.bbnface.com and 6.mamaswishes.com
This fake Citi Cards spam leads to malware on 6.bbnface.com and 6.mamaswishes.com:
The links in the email bounce through a legitimate hacked site and, in the samples I have seen, end up on [donotclick]6.bbnface.com/string/obscure-logs-useful.php or [donotclick]6.mamaswishes.com/string/obscure-logs-useful.php, both hosted on 173.246.102.223 (Gandi, US), which probably contains many other evil sites, so blocking that IP address would probably be prudent.
Update: the following domains appear to be on this server:
6.bbnface.com
6.mamasauction.com
6.bbnfaces.com
6.mamaswishes.com
6.bbnfaces.net
6.mamaswishes.net
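Across the posts on this page the landing-page paths repeat (/forum/links/column.php on port 8080 for the .ru domains, /string/obscure-logs-useful.php for the Linode and Gandi hosted ones, /detects/operation_alert_login.php for eaglepointecondo.biz) even as the hosts change, which makes them useful signatures in proxy logs. The following is an added example, not the post's own code: it scans constructed log lines in an assumed squid-like field order, flags requests by landing path and by the hosting IPs this page names, and records each client's previous request, since the post notes the email links bounce through a hacked legitimate site before landing on the payload. The .test hostnames and the intranet line are placeholders I made up.

```python
import re
from urllib.parse import urlsplit

# Landing-page paths that recur across the spam runs on this page.
PAYLOAD_PATHS = {
    "/forum/links/column.php",
    "/string/obscure-logs-useful.php",
    "/detects/operation_alert_login.php",
}

# Hosting IPs this page names for those payloads.
PAYLOAD_IPS = {
    "192.155.81.9", "198.74.54.28", "173.246.102.223", "59.57.247.185",
    "109.235.71.144", "176.31.111.198", "217.112.40.69",
    "75.148.242.70", "91.142.208.144",
}

# Constructed proxy log in a simplified squid-like layout (assumed field order:
# timestamp, client, result, method, URL, destination IP). Hostnames under .test
# are placeholders; the malicious hosts and paths are the ones from this page.
SAMPLE_LOG = """\
1355500001.123 10.1.2.3 TCP_MISS/200 GET http://hacked-site.example.test/wp-content/redir.php 203.0.113.10
1355500001.456 10.1.2.3 TCP_MISS/200 GET http://6.bbnface.com/string/obscure-logs-useful.php 173.246.102.223
1355500002.789 10.1.2.4 TCP_MISS/200 GET http://apensiona.ru:8080/forum/links/column.php 217.112.40.69
1355500003.000 10.1.2.5 TCP_MISS/200 GET http://intranet.example.test/forum/links/column.php 10.0.0.5
1355500004.000 10.1.2.6 TCP_MISS/200 GET http://cdn.example.test/static/app.js 198.51.100.7
1355500005.000 10.1.2.7 TCP_MISS/200 GET http://eaglepointecondo.biz/detects/operation_alert_login.php 59.57.247.185
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<result>\S+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<dst>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for a line in another layout."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["url"])
    rec["host"] = parts.hostname
    rec["port"] = parts.port or 80
    rec["path"] = parts.path
    return rec


def reasons_for(rec):
    """Say why a request is suspicious: landing path, known IP, or both.
    A path hit on its own is weaker evidence (the intranet line in the sample
    shows why), so the two reasons are reported separately, not merged."""
    reasons = []
    if rec["path"] in PAYLOAD_PATHS:
        reasons.append("payload-path")
    if rec["dst"] in PAYLOAD_IPS:
        reasons.append("known-bad-ip")
    return reasons


def scan(log_text):
    """Return one alert per suspicious request, with the same client's previous
    request attached: that is where the hacked redirector site shows up."""
    last_url = {}
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = reasons_for(rec)
        if reasons:
            alerts.append({
                "client": rec["client"],
                "host": rec["host"],
                "port": rec["port"],
                "path": rec["path"],
                "reasons": reasons,
                "previous": last_url.get(rec["client"]),
            })
        last_url[rec["client"]] = rec["url"]
    return alerts


if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(a["client"], a["host"], a["port"], a["path"], a["reasons"], "via", a["previous"])
```

The path-only hit on the intranet host is deliberately kept: it is the false-positive case a path signature produces, and keeping the reasons separate lets an analyst prioritise the requests where both the path and the destination IP match.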
Date: Thu, 13 Dec 2012 11:59:33 +0300
From: Citi Cards [citicards@info.citibank.com]
Subject: Your Citi Credit Card Statement
Add citicards@info.citibank.com to your address book to ensure delivery.
Your Account: Important Notification
Your Citi Credit Card statement is ready to view online
Dear customer,
Your Citi Credit Card statement is now available for you to view online. Here are some key pieces of information from your statement:
Statement Date: December 13, 2012
Statement Balance: -$8,803.77
Minimum Payment Due: $750.00
Payment Due Date: Tue, January 01, 2013
Want help remembering your payment due date? Sign up for automated alerts such as Payment Due reminders with Alerting Service.
To set up alerts sign on to www.citicards.com and go to Account Profile.
Iprefer not to have this email contain specific information from my statement. Please send me just the announcement that my statement is ready to view online.
View Your Account Pay Your Bill Contact Us
Privacy | Security
Email Preferences
This message is from Citi Cards. Your credit card is issued by Citibank, N.A. If you'd like to refine the types of email messages you receive, or if you'd prefer to stop receiving email from us, please go to: http://www.email.citicards.com. Citibank manages email preferences by line of business. Changing your email preferences with Citi Cards does not change your email preferences for messages from Citibank's other businesses which include retail branch banking among others.
Should you want to contact us in writing concerning this email, please direct your correspondence to:
Citibank Customer Service
P. O. Box 6500
Sioux Falls, SD 57117
Help / Contact Us
If you have questions about your account, please use our secure message center by signing on at www.citicards.com and choosing "Contact Us" from the "Help / Contact Us" menu. You can also call the customer service phone number on the back of your card.
(c) 2012 Citibank, N.A.
All rights reserved.
Citi, Citibank and Citi with Arc Design are registered service marks of Citigroup Inc.
============================
Date: Thu, 13 Dec 2012 10:30:55 +0200
From: Citi Cards [citicards@info.citibank.com]
Subject: Your Citi Credit Card Statement
Add citicards@info.citibank.com to your address book to ensure delivery.
Your Account: Important Notification
Your Citi Credit Card statement is ready to view online
Dear customer,
Your Citi Credit Card statement is now available for you to view online. Here are some key pieces of information from your statement:
Statement Date: December 13, 2012
Statement Balance: -$5,319.77
Minimum Payment Due: $506.00
Payment Due Date: Tue, January 01, 2013
Want help remembering your payment due date? Sign up for automated alerts such as Payment Due reminders with Alerting Service.
To set up alerts sign on to www.citicards.com and go to Account Profile.
Iprefer not to have this email contain specific information from my statement. Please send me just the announcement that my statement is ready to view online.
View Your Account Pay Your Bill Contact Us
Privacy | Security
Email Preferences
This message is from Citi Cards. Your credit card is issued by Citibank, N.A. If you'd like to refine the types of email messages you receive, or if you'd prefer to stop receiving email from us, please go to: http://www.email.citicards.com. Citibank manages email preferences by line of business. Changing your email preferences with Citi Cards does not change your email preferences for messages from Citibank's other businesses which include retail branch banking among others.
Should you want to contact us in writing concerning this email, please direct your correspondence to:
Citibank Customer Service
P. O. Box 6500
Sioux Falls, SD 57117
Help / Contact Us
If you have questions about your account, please use our secure message center by signing on at www.citicards.com and choosing "Contact Us" from the "Help / Contact Us" menu. You can also call the customer service phone number on the back of your card.
(c) 2012 Citibank, N.A.
All rights reserved.
Citi, Citibank and Citi with Arc Design are registered service marks of Citigroup Inc.
The links in the email bounce through a legitimate hacked site, and in the samples I have seen end up on [donotclick]6.bbnface.com/string/obscure-logs-useful.php or [donotclick]6.mamaswishes.com/string/obscure-logs-useful.php, both hosted on 173.246.102.223 (Gandi, US). That server probably hosts many other evil sites, so blocking the IP address would be prudent.
Update: the following domains appear to be on this server:
6.bbnface.com
6.mamasauction.com
6.bbnfaces.com
6.mamaswishes.com
6.bbnfaces.net
6.mamaswishes.net
Wednesday, 12 December 2012
Citibank spam / platinumbristol.net
From: citibankonline@serviceemail1.citibank.com via pado.com.br
Date: 12 December 2012 15:38
Subject: Account Alert
Mailed-by: pado.com.br
Citi
Email Security Zone EMAIL SECURITY AREA
ATM/Credit card ending in: XXX7
Alerting System
Bill Payment
Ultimate Savings Account (USA) XXXXXXXXX2
Amount Debited: $2,973.22
Date: 12/12/12
Log In to Overview Transaction
Bill Payment
Ultimate Savings Account (USA) XXXXXXXXX2
Amount Credited: $.97
Date: 12/12/12
Visit this link to Overview Detailed information
ABOUT THIS MESSAGE
Please DO NOT reply to this message. auomatic informational system unable to accept incoming messages.
Citibank, N.A. Member FDIC.
© 2012 Citigroup Inc. Citi with Arc Design and Citibank are registered service marks of Citigroup Inc.
========================
From: citibankonline@serviceemail5.citibank.com via clickz.com
Date: 12 December 2012 15:39
Subject: Account Notify
Mailed-by: clickz.com
Citi
Email Security Zone EMAIL SAFETY AREA
ATM/Debit card ending in: XXX7
Alerting System
Money Transfer Report
Savings Account XXXXXXXXX8
Amount Withdrawn: $3,620.11
Date: 12/12/12
Visit this link to Cancel Details
Money Transfer Report
Savings Account XXXXXXXXX8
Amount Withdrawn: $.38
Date: 12/12/12
Sign In to Overview Details
ABOUT THIS MESSAGE
Please Not try to reply to this message. automative notification system unable to accept incoming messages.
Citibank, N.A. Member FDIC.
© 2012 Citigroup Inc. Citi with Arc Design and Citibank are registered service marks of Citigroup Inc.
========================
The malicious payload is at [donotclick]platinumbristol.net/detects/alert-service.php hosted on the same 59.57.247.185 IP address in China that has been used in several recent attacks. This is definitely an IP to block if you can.
Date: Wed, 12 Dec 2012 23:16:15 +0700
From: alets-no-reply@serviceemail6.citibank.com
Subject: Account Insufficient funds
EMAIL SAFETY ZONE
ATM/Debit card ending in: XXX0
Notifications System
Transaction Announcement
Ultimate Savings Account (USA) XXXXXXXXX4
Amount Debited: $4,222.19
Date: 12/12/12
Login to Abort Detailed information
Transaction Announcement
Ultimate Savings Account (USA) XXXXXXXXX4
Amount Credited: $.41
Date: 12/12/12
Go to web site by clicking here to See Operation
ABOUT THIS MESSAGE
Please Not try to reply to this message. automative notification system cannot accept incoming mail.
Citibank, N.A. Member FDIC.
© 2012 Citigroup Inc. Citi with Arc Design and Citibank are registered service marks of Citigroup Inc.
========================
Date: Wed, 12 Dec 2012 20:07:46 +0400
From: citibankonline@serviceemail8.citibank.com
Subject: Account Operation Alert
EMAIL SECURITY ZONE
Credit card ending in: XXX0
Notifications System
Bill Payment
Ultimate Savings Account (USA) XXXXXXXXX3
Amount Credited: $5,970.51
Date: 12/12/12
Click Here to Review Transaction
Bill Payment
Ultimate Savings Account (USA) XXXXXXXXX3
Amount Withdrawn: $.11
Date: 12/12/12
Sign In to View Operation
ABOUT THIS MESSAGE
Please don't reply to this message. auomatic informational system cannot accept incoming mail.
Citibank, N.A. Member FDIC.
© 2012 Citigroup Inc. Citi with Arc Design and Citibank are registered service marks of Citigroup Inc.
I can see the following evil domains on that same server:
eaglepointecondo.org
sessionid0147239047829578349578239077.pl
securityday.pl
pleansantwille.com
labpr.com
ibertomoralles.com
shopgreatvideonax.com
eaglepointecondo.co
naky.net
ygsecured.ru
romoviebabenki.ru
robertokarlosskiy.su
platinumbristol.net
Happy 12:12 12/12/12
Happy 12:12 12/12/12! Well, if you are in the GMT time zone anyway..
Tuesday, 11 December 2012
Changelog spam / aseniakrol.ru
Date: Tue, 11 Dec 2012 10:46:43 -0300
From: Tarra Comer via LinkedIn [member@linkedin.com]
Subject: Re: Your Changelog UPDATED
Hi,
as promised your changelog - View
I. Easley
The malicious payload is at [donotclick]aseniakrol.ru:8080/forum/links/column.php hosted on a bunch of IPs that have been used for malware before:
202.180.221.186 (GNet, Mongolia)
212.162.52.180 (Secure Netz, Germany)
212.162.56.210 (Secure Netz, Germany)
Monday, 10 December 2012
AICPA spam / eaglepointecondo.org
Yet another fake AICPA spam run today with a slightly different domain from before, now on eaglepointecondo.org:
Date: Mon, 10 Dec 2012 18:51:38 +0100
From: "AICPA" [info@aicpa.org]
Subject: Tax return assistance fraud.
You're receiving this message as a Certified Public Accountant and a part of AICPA.
Having any issues reading this email? Overview it in your favorite browser.
Suspension of CPA license due to income tax indictment
Valued AICPA participant,
We have been notified of your potential participation in income tax refund shady transactions for one of your customers. In concordance with AICPA Bylaw Head # 740 your Certified Public Accountant status can be terminated in case of the act of submitting of a phony or fraudulent tax return for your client or employer.
Please be informed of the complaint below and respond to it within 7 work days. The refusal to respond within this period will finish in cancellation of your Accountant status.
Delation.pdf
The American Institute of Certified Public Accountants.
Email: service@aicpa.org
Tel. 888.777.7077
Fax. 800.362.5066
===================
Date: Mon, 10 Dec 2012 14:50:40 -0300
From: "AICPA" [noreply@aicpa.org]
Subject: Your accountant license can be end off.
You're receiving this message as a Certified Public Accountant and a part of AICPA.
Having problems reading this email? Review it in your browser.
Suspension of Accountant status due to tax return fraud prosecution
Respected AICPA member,
We have received a complaint about your alleged participation in income tax return fraudulent activity for one of your employees. In accordance with AICPA Bylaw Section No. 500 your Certified Public Accountant license can be terminated in case of the event of presenting of a false or fraudulent tax return for your client or employer.
Please find the complaint below below and provide your feedback to it within 3 work days. The rejection to provide the clarifications within this time-frame would abide in end off of your Certified Accountant Career.
SubmittedReport.pdf
The American Institute of Certified Public Accountants.
Email: service@aicpa.org
Tel. 888.777.7077
Fax. 800.362.5066
In this case the malicious payload is at [donotclick]eaglepointecondo.org/detects/denouncement-reports.php hosted on 59.57.247.185 in China, as with the earlier spam run today.
AICPA spam / eaglepointecondo.co
This fake AICPA spam leads to malware on eaglepointecondo.co:
Date: Mon, 10 Dec 2012 19:29:21 +0400
From: "AICPA" [alerts@aicpa.org]
Subject: Income fake tax return accusations.
You're receiving this email as a Certified Public Accountant and a member of AICPA.
Having difficulties reading this email? Take a look at it in your browser.
Termination of Public Account Status due to income tax fraud allegations
Respected accountant officer,
We have received a denouncement about your probable interest in income tax return swindle for one of your customers. In concordance with AICPA Bylaw Head # 500 your Certified Public Accountant status can be revoked in case of the occurrence of submitting of a faked or fraudulent income tax return for your client or employer.
Please be notified below and provide explanation of this issue to it within 21 business days. The rejection to provide elucidation within this period would finish in end off of your CPA license.
SubmittedReport.doc
The American Institute of Certified Public Accountants.
Email: service@aicpa.org
Tel. 888.777.7077
Fax. 800.362.5066
The malicious payload is at [donotclick]eaglepointecondo.co/detects/denouncement-reports.php hosted on 59.57.247.185 in China, which has been used a few times recently for malware distribution.
The following malicious domains appear to be on the same server:
moid.pl
securityday.pl
pleansantwille.com
labpr.com
ibertomoralles.com
shopgreatvideonax.com
zindt.net
naky.net
svictrorymedia.ru
ygsecured.ru
romoviebabenki.ru
addon.su
robertokarlosskiy.su
eaglepointecondo.co
"You have been sent a file" Sendspace spam / anifkailood.ru:
Date: Mon, 10 Dec 2012 06:01:01 -0500
From: "Octavio BOWMAN" [AdlaiBaldacci@telefonica.net]
Subject: You have been sent a file (Filename: [redacted]-722.pdf)
Sendspace File Delivery Notification:
You've got a file called [redacted]-018.pdf, (767.2 KB) waiting to be downloaded at sendspace.(It was sent by Octavio BOWMAN).
You can use the following link to retrieve your file:
Download Link
The file may be available for a limited time only.
Thank you,
sendspace - The best free file sharing service.
----------------------------------------------------------------------
Please do not reply to this email. This auto-mailbox is not monitored and you will not receive a response.
The malicious payload is at [donotclick]anifkailood.ru:8080/forum/links/column.php hosted on the following IPs:
202.180.221.186 (GNet, Mongolia)
212.162.52.180 (Secure Netz, Germany)
212.162.56.210 (Secure Netz, Germany)
Plain list:
202.180.221.186
212.162.52.180
212.162.56.210
Friday, 7 December 2012
Sendspace "You have been sent a file" spam / pelamutrika.ru
Date: Fri, 7 Dec 2012 10:53:57 +0200
From: Badoo [noreply@badoo.com]
Subject: You have been sent a file (Filename: [victimname]-64.pdf)
Sendspace File Delivery Notification:
You've got a file called [victimname]-792244.pdf, (337.19 KB) waiting to be downloaded at sendspace.(It was sent by CHASSIDY PROCTOR).
You can use the following link to retrieve your file:
Download Link
The file may be available for a limited time only.
Thank you,
sendspace - The best free file sharing service.
----------------------------------------------------------------------
Please do not reply to this email. This auto-mailbox is not monitored and you will not receive a response.
The malicious payload is at [donotclick]pelamutrika.ru:8080/forum/links/column.php hosted on the following familiar IP addresses which you should definitely try to block:
202.180.221.186 (GNet, Mongolia)
208.87.243.131 (Psychz Networks, US)
BBB spam / ibertomoralles.org
This bizarrely worded fake BBB spam leads to malware on ibertomoralles.org. The payload and IP addresses are exactly the same as the ones found in this spam run:
Date: Fri, 7 Dec 2012 18:43:08 +0100
From: "Better Business Bureau" [complaint@bbb.org]
Subject: BBB Complaint No.65183683
Sorry, your e-mail does not support HTML format. Your messages can be viewed in your browser
Better Business Bureau ®
Start With Trust ®
Fri, 7 Dec 2012
RE: Complaint N. 65183683
Hello
The Better Business Bureau has been booked the above said complaint from one of your purchasers in regard to their business relations with you. The detailed description of the consumer's disturbance are available visiting a link below. Please give attention to this point and let us know about your mind as soon as possible.
We amiably ask you to overview the GRIEVANCE REPORT to reply on this claim letter.
We are looking forward to your prompt reaction.
Faithfully yours
Natalie Richardson
Dispute Councilor
Better Business Bureau
Better Business Bureau
3073 Wilson Blvd, Suite 600 Arlington, VA 28201
Phone: 1 (703) 276.0100 Fax: 1 (703) 525.8277
This message was sent to [redacted]. Don't want to receive these emails anymore? You can unsubscribe
====================
Date: Fri, 7 Dec 2012 19:42:23 +0200
From: "Better Business Bureau" [noreply@bbb.org]
Subject: BBB Appeal No.05P610Q78
Sorry, your e-mail does not support HTML format. Your messages can be viewed in your browser
Better Business Bureau ®
Start With Trust ®
Fri, 7 Dec 2012
RE: Case # 05P610Q78
Hello
The Better Business Bureau has been filed the above said reclamation from one of your customers in respect of their dealings with you. The details of the consumer's disturbance are available at the link below. Please pay attention to this issue and notify us about your sight as soon as possible.
We politely ask you to visit the PLAINT REPORT to meet on this claim.
We are looking forward to your prompt reaction.
Yours respectfully
Dylan Peterson
Dispute Councilor
Better Business Bureau
Better Business Bureau
3003 Wilson Blvd, Suite 600 Arlington, VA 25301
Phone: 1 (703) 276.0100 Fax: 1 (703) 525.8277
This message was delivered to [redacted] Don't want to receive these emails anymore? You can unsubscribe
====================
From: Better Business Bureau [mailto:information@bbb.org]
Sent: Fri 07/12/2012 17:01
Subject: Better Business Beareau Pretension No.S8598593
Sorry, your e-mail does not support HTML format. Your messages can be viewed in your browser
Better Business Bureau ©
Start With Trust
Fri, 7 Dec 2012
RE: Complaint N. S8598593
Valued client
The Better Business Bureau has been entered the above mentioned grievance from one of your clientes with reference to their dealings with you. The details of the consumer's worry are available at the link below. Please give attention to this problem and let us know about your opinion as soon as possible.
We pleasantly ask you to click and review the CLAIM LETTER REPORT to respond on this grievance.
We awaits to your prompt response.
WBR
Aiden Thompson
Dispute Advisor
Better Business Bureau
Better Business Bureau
3003 Wilson Blvd, Suite 600 Arlington, VA 26701
Phone: 1 (703) 276.0100 Fax: 1 (703) 525.8277
This letter was delivered to [redacted]. Don't want to receive these emails anymore? You can unsubscribe
AICPA spam / ibertomoralles.org
I haven't seen fake AICPA spam like this for a while; it leads to malware on ibertomoralles.org:
From: AICPA [noreply@aicpa.org]
Date: 7 December 2012 16:55
Subject: Your accountant license can be cancelled.
You're receiving this information as a Certified Public Accountant and a member of AICPA.
Having any problems reading this email? See it in your favorite browser.
AICPA logo
Revocation of CPA license due to income tax fraud accusations
Dear AICPA participant,
We have been informed of your potential involvement in tax return swindle on behalf of one of your employers. In obedience to AICPA Bylaw Article 700 your Certified Public Accountant position can be discontinued in case of the aiding of filing of a phony or fraudulent income tax return for your client or employer.
Please be notified below and provide explanation of this issue to it within 14 work days. The rejection to provide elucidation within this time-frame would finish in decline of your Accountant status.
Delation.pdf
The American Institute of Certified Public Accountants.
Email: service@aicpa.org
Tel. 888.777.7077
Fax. 800.362.5066
===================
Date: Fri, 7 Dec 2012 18:31:58 +0100
From: "AICPA" [do-not-reply@aicpa.org]
Subject: Tax return assistance contrivance.
You're receiving this note as a Certified Public Accountant and a part of AICPA.
Having any problems reading this email? See it in your favorite browser.
Cancellation of Public Account Status due to tax return indictment
Respected accountant officer,
We have received a note of your presumable interest in income tax fraud for one of your clients. In concordance with AICPA Bylaw Article 600 your Certified Public Accountant status can be discontinued in case of the event of submitting of a fake or fraudulent income tax return on the member's or a client's behalf.
Please familiarize yourself with the complaint below and provide your feedback to it within 14 work days. The rejection to respond within this time-frame will result in end off of your CPA license.
Delation.doc
The American Institute of Certified Public Accountants.
Email: service@aicpa.org
Tel. 888.777.7077
Fax. 800.362.5066
The malicious payload is at [donotclick]ibertomoralles.org/detects/five-wise_leads_ditto.php hosted on the same Chinese IP address of 59.57.247.185 as used in this spam yesterday.
Thursday, 6 December 2012
iTunes "Christmas gift card" / api.myobfuscate.com / nikolamireasa.com
Here's a malware-laden spam with a twist:
From: iTunes [shipping@new.itunes.com]
To: purchasing [purchasing@[redacted]]
Date: 6 December 2012 20:59
Subject: Christmas gift card
Order Number: M1V7577311
Receipt Date: 06/12/2012
Shipping To: purchasing@[redacted]
Order Total: $500.00
Billed To: Hilary Shandonay, Credit card
Item Number Description Unit Price
1 Christmas gift card (View\Download ) $500.00
Subtotal: $500.00
Tax: $0.00
Order Total: $500.00
Please retain for your records.
Please See Below For Terms And Conditions Pertaining To This Order.
Apple Inc.
You can find the iTunes Store Terms of Sale and Sales Policies by launching your iTunes application and clicking on Terms of Sale or Sales Policies
FBI ANTI-PIRACY WARNING
UNAUTHORIZED COPYING IS PUNISHABLE UNDER FEDERAL LAW.
Answers to frequently asked questions regarding the iTunes Store can be found at http://www.apple.com/support/itunes/store/
Apple ID Summary • Detailed invoice
Apple respects your privacy.
Copyright © 2011 Apple Inc. All rights reserved
In this case the link goes through a free web hosting site at [donotclick]longa-neara.ucoz.org which contains some heavily obfuscated javascript that eventually leads to malicious landing page on [donotclick]nikolamireasa.com/less/demands-probably.php hosted on 188.93.210.133 (logol.ru, Russia). That IP hosts the following toxic domains that you should block:
nikolamireasa.com
portgazza.cu.cc
hopercac.cu.cc
hopercas.cu.cc
ukumuxur.qhigh.com
ymuvyjih.25u.com
Heck, you might just want to cut your losses and block 188.93.210.0/23 too. Anyway, the curious thing is that the malicious javascript uses an intermediary obfuscation site called api.myobfuscate.com which you can see has been used to infect a few sites before.
Now, perhaps myobfuscate.com was created with the best of intentions, but if the bad guys have a use for it then you can bet they are probably about to abuse it in a big way.
Both api.myobfuscate.com and www.myobfuscate.com are hosted on the same IP at 188.64.170.17 (also in Russia) which is part of a tiny netblock of 188.64.170.16/31 which you may as well block too. The 188.64.170.17 IP also contains the following domains which might also be abused in the same way:
htmlobfuscator.com
api.htmlobfuscator.com
htmlobfuscator.info
javascript-obfuscator.info
javascriptcompressor.info
javascriptcrambler.com
javascriptobfuscate.com
javascriptobfuscator.info
myobfuscate.com
api.myobfuscate.com
obfuscatorjavascript.com
api.obfuscatorjavascript.com
js.robotext.com
js.robotext.info
js.robottext.ru
In my opinion, obfuscating javascript is a really bad thing and there is no legitimate reason to use it. Blocking access to free-to-use obfuscation tools like this may run the risk of breaking some legitimate sites. But only if they have been coded by idiots.
eBay, PayPal spam / ibertomoralles.com
These spam messages lead to malware on ibertomoralles.com:
Date: Thu, 6 Dec 2012 13:12:16 -0600
From: "PayPal" [service@paypal.com]
Subject: Your Ebay.com transaction details.
Dec 5, 2012 09:31:49 CST
Transaction ID: U5WZP603SNLLWR5DT
Hello [redacted],
You sent a payment of $363.48 USD to Normand Akers.
It may take a several minutes for this transaction to appear in your transactions history.
Seller
Normand-Akers@aol.com
Instructions to seller
You haven't entered any instructions.
Shipping address - confirmed
Hyde Rd
Glendale SC 58037-0659
United States
Shipping details
The seller hasn't provided any shipping details yet.
Description Qty. Amount
NordicTrack Mini Cycle
Item# 118770508253 24 $363.48 USD
Shipping and handling $24.99 USD
Insurance - not offered ----
Total $363.48 USD
Payment $363.48 USD
Payment sent to Normand Akers
Receipt ID: D-69NQRGN113A3A9UQ3
Issues with this transaction?
You have 45 days from the date of the transaction to open a dispute in the Resolution Center.
Please do not reply to this message. auto informer system unable to accept incoming messages. For immediate answers to your issues, visit our Help Center by clicking "Help" located on any PayPal page.
PayPal Email ID PZ147
==========
Date: Thu, 6 Dec 2012 19:57:37 +0100
From: "PayPal" [noreply@paypal.com]
Subject: Your Paypal.com transaction confirmation.
Dec 5, 2012 09:50:54 CST
Transaction ID: 8P7D295HFIIIMUC4Q
Hello [redacted],
You done a payment of $894.48 USD to Carol Brewster.
It may take a few moments for this transfer to appear in your transactions history.
Merchant
Carol-Brewster@aol.com
Instructions to seller
You haven't entered any instructions.
Shipping address - confirmed
Pharetra Street
Manlius NY 74251-6442
United States
Shipping details
The seller hasn't provided any shipping details yet.
Description Qty. Amount
TaylorMade R11 Driver Golf Club
Item# 703099838857 54 $894.48 USD
Shipping and handling $14.49 USD
Insurance - not offered ----
Total $894.48 USD
Payment $894.48 USD
Payment sent to Carol Brewster
Receipt ID: H-K01U2WSTLZZMRAB90
Issues with this transaction?
You have 45 days from the date of the purchase to issue a dispute in the Resolution Center.
Please DO NOT reply to this message. auto-notification system can't accept incoming mail. For fast answers to your subjects, visit our Help Center by clicking "Help" located on any PayPal page.
PayPal Email ID P8695
The malicious payload is at [donotclick]ibertomoralles.com/detects/slowly_apply.php hosted on 59.57.247.185 (Xiamen JinLongLvXingChe, China). The following malicious domains also appear to be hosted on the same server:
addon.su
ansncm.org
codemark.net
hfeitu.net
ibertomoralles.com
icobag.com
labpr.com
minevi.com
moid.pl
naky.net
namelesscorn.net
porkystory.net
proscitomash.com
robertokarlosskiy.su
roketlauncherskiy.org
romoviebabenki.ru
securityday.pl
seldomname.com
shopgreatvideonax.com
svictrorymedia.ru
tradenext.net
winterskyserf.ru
ygsecured.ru
zindt.net
"Copies of policies" spam / cinemaallon.ru
Date: Thu, 6 Dec 2012 06:41:01 -0500
From: Isidro Pierre via LinkedIn [member@linkedin.com]
Subject: RE: ASHTON - Copies of Policies.
Unfortunately, I cannot obtain electronic copies of the Ocean, Warehouse or EPLI policy.
Here is the Package and Umbrella,
and a copy of the most recent schedule.
ASHTON QUINONES,
The malicious payload is at [donotclick]cinemaallon.ru:8080/forum/links/column.php hosted on the following familiar IPs:
202.180.221.186 (Gnet, Mongolia)
208.87.243.131 (Psychz Networks, US)
Amazon spam / evokeunreasoning.pro
Date: Thu, 6 Dec 2012 17:32:38 +0200
From: "Amazon . com" [digital-notifier@amazon.com]
Subject: Your Amazon.com order receipt.
Click here if the e-mail below is not displayed correctly.
Follow us:
Your Amazon.com Today's Deals See All Departments
Dear Amazon.com Member,
Thanks for your order, [redacted]!
Did you know you can view and edit your orders online, 24 hours a day? Visit Your Account.
Order Overview:
E-mail Address: [redacted]
Billing Address:
1113 4th Street
Fort North NC 71557-2319,,FL 67151}
United States
Phone: 1-491-337-0438
Order Grand Total: $ 50.99
Earn 3% rewards on your Amazon.com orders with the Amazon Visa Card. Learn More
Order Summary:
Details:
Order #: C47-8578330-3362713
Subtotal of items: $ 50.99
------
Total before tax: $ 50.99
Tax Collected: $0.00
------
Grand Total: $ 50.00
Gift Certificates: $ 0.99
------
Total for this Order: $ 50.99
Find Great Deals on Millions of Items Storewide
We hope you found this message to be useful. However, if you'd rather not receive future e-mails of this sort from Amazon.com, please opt-out here.
© 2012 Amazon.com, Inc. or its affiliates. All rights reserved. Amazon, Amazon.com, the Amazon.com logo and 1-Click are registered trademarks of Amazon.com, Inc. or its affiliates. Amazon.com, 475 Larry Ave. N., Seattle, MI 83304-6203. Reference: 61704824
Please note that this message was sent to the following e-mail address: [redacted]
The malicious payload is at [donotclick]evokeunreasoning.pro/detects/slowly_apply.php but at the time of writing the domain does not seem to be resolving.
Wednesday, 5 December 2012
BBB Spam / leberiasun.ru
This fake BBB spam leads to malware on leberiasun.ru:
Date: Wed, 5 Dec 2012 11:32:47 +0330
From: Bebo Service [service@noreply.bebo.com]
Subject: Urgent information from BBB
Attn: Owner/Manager
Here with the Better Business Bureau notifies you that we have received a complaint (ID 243917811)
from one of your customers with respect to their dealership with you.
Please open the COMPLAINT REPORT below to obtain more information on this matter and let us know of your point of view as soon as possible.
We are looking forward to your prompt reply.
Regards,
JONELLE Payne
The malicious payload is at [donotclick]leberiasun.ru:8080/forum/links/column.php (report here) hosted on the following IPs:
42.121.116.38 (Aliyun Computing Co, China)
202.180.221.186 (GNet, Mongolia)
208.87.243.131 (Psychz Networks, US)
219.255.134.110 (SK Broadband, Korea)
These IPs have been used in several attacks recently. You should block access if you can.
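Several of the runs on this page share a landing-page shape regardless of the domain in the spam: the .ru domains (aseniakrol.ru, anifkailood.ru, pelamutrika.ru, cinemaallon.ru, leberiasun.ru) all serve host:8080/forum/links/column.php from the same handful of IPs, and the sites on 59.57.247.185 all use /detects/something.php. The domains rotate daily, so a proxy-log check on the path and the destination catches the next run before its domain is known. Below is an added example, not from the original post, that does this over a few constructed proxy log lines. The host and IP set is taken from the posts above; the log format (timestamp, client, method, URL, status) and the severity split are assumptions of mine: a known host or IP, or the column.php path on port 8080, is high; a matching path on an unknown host is only medium and needs a human look, because /detects/*.php is generic enough to turn up on legitimate sites.

```python
"""Flag proxy-log requests matching the landing-page patterns seen in the
spam runs above (added example, not part of the original post)."""
import re
from urllib.parse import urlsplit

# Hosts and IPs named in the posts above as payload servers.
KNOWN_BAD_HOSTS = {
    "aseniakrol.ru", "anifkailood.ru", "pelamutrika.ru", "cinemaallon.ru",
    "leberiasun.ru", "platinumbristol.net", "eaglepointecondo.org",
    "eaglepointecondo.co", "ibertomoralles.org", "ibertomoralles.com",
    "evokeunreasoning.pro", "nikolamireasa.com",
    "59.57.247.185", "202.180.221.186", "208.87.243.131",
    "212.162.52.180", "212.162.56.210", "42.121.116.38", "219.255.134.110",
}

# Landing-page paths seen across the runs; the domains rotate, the paths do not.
LANDING_PATHS = [
    (re.compile(r"^/forum/links/column\.php$"), "forum/links/column.php landing page"),
    (re.compile(r"^/detects/[\w-]+\.php$"), "/detects/*.php landing page"),
]


def classify(url):
    """Return (severity, reasons) for one URL; severity is None when clean."""
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")
    reasons = []
    known = host in KNOWN_BAD_HOSTS
    if known:
        reasons.append(f"known payload host {host}")
    path_hit = False
    for pattern, label in LANDING_PATHS:
        if pattern.match(parts.path):
            reasons.append(label)
            path_hit = True
    if not reasons:
        return None, []
    # The column.php runs always used port 8080; path plus that port is specific
    # enough to call high even on a new host. A bare path match on an unknown
    # host could be a legitimate site, so it only gets medium (assumed policy).
    if known or (path_hit and parts.port == 8080):
        return "high", reasons
    return "medium", reasons


def scan_log(text):
    """Parse 'ts client method url status' lines and return the flagged ones."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue  # blank or malformed line
        ts, client, method, url, status = fields[:5]
        severity, reasons = classify(url)
        if severity:
            hits.append({"client": client, "url": url,
                         "severity": severity, "reasons": reasons})
    return hits


# Constructed sample log (not real traffic): known hosts, new hosts reusing
# the same paths, and one clean request.
SAMPLE_PROXY_LOG = """\
1354700001.123 10.0.0.5 GET http://leberiasun.ru:8080/forum/links/column.php 200
1354700002.456 10.0.0.7 GET http://newdomain.example/forum/links/column.php 200
1354700003.789 10.0.0.9 GET http://ibertomoralles.com/detects/slowly_apply.php 200
1354700004.012 10.0.0.9 GET http://59.57.247.185/detects/alert-service.php 200
1354700005.345 10.0.0.11 GET http://intranet.example/detects/report.php 200
1354700006.678 10.0.0.12 GET http://202.180.221.186:8080/forum/links/column.php 200
1354700007.901 10.0.0.13 GET http://www.example.org/index.html 200
"""

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_PROXY_LOG):
        print(f'{hit["severity"]:6} {hit["client"]:10} {hit["url"]}  '
              f'({"; ".join(hit["reasons"])})')
```

Feed it your own proxy export by replacing SAMPLE_PROXY_LOG with the file contents (adjust the field order in scan_log if your proxy logs differently). The high hits are worth an immediate look at the client; the medium ones tell you which internal hosts or vendors happen to use the same generic paths, and those can be whitelisted by host rather than by loosening the pattern.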
Zbot sites to block 5/12/12
These domains and IPs are involved in malware distribution, especially the Zbot trojan. Most are using the nameservers in the dnsnum10.com domain, or are co-hosted on the same server and have malicious characteristics.
I've come up with a recommended blocklist based on the characteristics of the netblocks in question. If you are based in Russia, Ukraine, Poland or Iran then you may want to review these carefully.
IP addresses and hosts
31.184.244.73 (TOEN Incorporated, UAE)
62.122.74.47 (Leksim, Poland)
77.72.133.69 (Colobridge, Germany)
78.46.205.130 (Hetzner, Germany)
78.140.135.211 (Webazilla, Gibraltar)
85.143.166.132 (PIRIX, Russia)
87.107.121.131 (Soroush Rasanheh Company Ltd, Iran)
91.211.119.56 (Zharkov Mukola Mukolayovuch, Ukraine)
91.231.156.25 (Sevzapkanat-Unimars, Russia)
91.238.83.56 (Standart LLC, Moldova)
146.185.255.161 (Sergeev Sergei Yurievich PE, Russia)
178.162.132.202 (Tower Marketing, Belize)
178.162.134.176 (Silin Vitaly Petrovich, Belarus)
188.93.210.28 (Hosting Service, Russia)
195.88.74.110 (Info Data Center, Bulgaria)
198.144.183.227 (Colocrossing, US)
Single IP list for copy and pasting:
Recommended blocklist:
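An added check (example code, not the blog's own) that every host IP in the annotated list above falls inside at least one entry of the recommended CIDR blocklist, using Python's ipaddress module; both lists are typed in from this post. Run as written it reports 78.46.205.130 as covered by no entry (the nearest entry is 78.46.5.128/29), which is worth reconciling before the list is deployed.

```python
import ipaddress

# Host IPs as given in the post's "IP addresses and hosts" list.
HOST_IPS = [
    "31.184.244.73", "62.122.74.47", "77.72.133.69", "78.46.205.130",
    "78.140.135.211", "85.143.166.132", "87.107.121.131", "91.211.119.56",
    "91.231.156.25", "91.238.83.56", "146.185.255.161", "178.162.132.202",
    "178.162.134.176", "188.93.210.28", "195.88.74.110", "198.144.183.227",
]

# The post's recommended blocklist; bare IPs are treated as /32.
BLOCKLIST = [
    "31.184.244.73", "62.122.72.0/21", "77.72.133.69", "78.46.5.128/29",
    "78.140.135.211", "85.143.166.0/24", "87.107.96.0/19", "91.211.119.56",
    "91.231.156.0/24", "91.238.83.0/24", "146.185.255.0/24", "178.162.132.0/24",
    "178.162.134.128/26", "188.93.210.28", "195.88.74.110", "198.144.183.227",
]


def parse_blocklist(entries):
    # strict=True rejects an entry whose host bits are set (a mistyped prefix
    # length) instead of silently widening it to the enclosing network.
    return [ipaddress.ip_network(e, strict=True) for e in entries]


def covering_entry(ip, networks):
    # Most specific network containing ip, or None if no entry covers it.
    addr = ipaddress.ip_address(ip)
    hits = [n for n in networks if addr in n]
    return max(hits, key=lambda n: n.prefixlen) if hits else None


def uncovered_hosts(host_ips, blocklist):
    # Host IPs that no blocklist entry covers: reconcile these before deploying.
    networks = parse_blocklist(blocklist)
    return sorted(ip for ip in host_ips if covering_entry(ip, networks) is None)


def coverage_report(host_ips, blocklist):
    # Map each host IP to the entry (as a string) that covers it, or None, so
    # the widening from single IP to netblock is visible per host.
    networks = parse_blocklist(blocklist)
    report = {}
    for ip in host_ips:
        hit = covering_entry(ip, networks)
        report[ip] = str(hit) if hit else None
    return report


if __name__ == "__main__":
    for ip, entry in coverage_report(HOST_IPS, BLOCKLIST).items():
        print(f"{ip:16} -> {entry or 'NOT COVERED'}")
```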
Domains:
Tuesday, 4 December 2012
Facebook "You have notifications pending" spam / francese.ru
This fake Facebook spam leads to malware on francese.ru:
The malicious payload is at [donotclick]francese.ru:8080/forum/links/column.php hosted on the following IP addresses:
42.121.116.38 (Aliyun Computing Co, China)
202.180.221.186 (GNet, Mongolia)
203.80.16.81 (MYREN, Malaysia)
208.87.243.131 (Psychz Networks, US)
219.255.134.110 (SK Broadband, Korea)
Plain list for copy-and-pasting:
42.121.116.38
202.180.221.186
203.80.16.81
208.87.243.131
219.255.134.110
Date: Tue, 4 Dec 2012 03:38:42 +0000
From: KaseyElleman@victimdomain.com
Subject: You have notifications pending
Hi,
Here's some activity you may have missed on Facebook.
SALLIE FELIX has posted statuses, photos and more on Facebook.
Go To Facebook
See All Notifications
This message was sent to postinialerts@[redacted]. If you don't want to receive these emails from Facebook in the future or have your email address used for friend suggestions, please click: unsubscribe.
Facebook, Inc. Attention: Department 415 P.O Box 10005 Palo Alto CA 94303
US Airways spam / attachedsignup.pro
This fake US Airways spam leads to malware on attachedsignup.pro:
From: US Airways - Booking [reservations@myusairways.com]
Date: 4 December 2012 14:30
Subject: US Airways online check-in.
You can check in from 24 hours and up to 60 minutes before your flight (2 hours if you're flying internationally). After that, all you have to do is print your boarding pass and go to the gate.
Purchase code: 183303
Check-in online: Online booking details
Payment method: Credit card
Money will be withdrawn in next 3 days
Voyage
5990
Departure city and time
Massachusets MA (DCA) 10:10 AM
Depart date: 12/05/2012
We takes care to protect your privacy. Your information is kept private and confidential. For information about our privacy policy visit usairways.com.
US Airways, 145 W. Rio Salado Pkwy, Tempe, AK 93426, Copyright US Airways, All rights reserved.
The payload and IP addresses are identical to this spam doing the rounds today.
"Most recent events on Facebook" spam / attachedsignup.pro
This fake Facebook spam leads to malware on attachedsignup.pro:
Date: Tue, 4 Dec 2012 15:19:16 +0100
From: "Facebook Security Team" [fractionallyb9@hendrickauto.com]
Subject: Most recent events on Facebook
Hi [redacted],
You have closed your Facebook account. You can rebuild your account whenever you wish by logging into Facebook using your current login email address and password. Subsequently you will be able to take advantage of the site as usually.
Please use the link below to reactivate:
http://www.facebook.com/home.php
If this was you, please pass over this informer. If this wasn't you, please secure your account, as some outlaw person may be explore it.
Best regards, The FaceBook Team
Please note: Facebook will never ask for your personal data through email.
This message was sent to [redacted] from your profile details. Facebook, Inc., Attention: Department 437, PO Box 20000, Palo Alto, CA 96906
The malicious payload is at [donotclick]attachedsignup.pro/detects/links-neck.php (report here) hosted on 41.215.225.202 (Essar Wireless Kenya Ltd) which also hosts the probably malicious domain sessionid0147239047829578349578239077.pl