Sponsored by..

Tuesday, 22 January 2013

Something evil on 109.123.66.30

109.123.66.30 (UK2.NET, UK) hosts several domains containing the Blackhole Exploit Kit (example here). The domains in user are (mostly) legitimate hacked domains, but there are a couple of odd things here.

Most of the malicious domains have a format like this: 700ff4ad03c655cb11919113011611137102708d4fb6daf0e74bea4aa5e8f9f.darkhands.com - in this case darkhands.com is a legitimate domain registered to an individual in Australia, but it has been hacked to create a who load of malicious subdomains, hosted on another server from www.darkhands.com.

In fact, almost all the domains are registered to Australians, but the key thing is in that all of those cases the main domains are hosted by OrionVM in Australia, with the main domains hosted in the 49.156.18.0/24 block. Update: it seems that a single customer was compromised and the OrionVM issue has been resolved.

So how can the main (legitimate) sites be hosted in 49.156.18.0/24, but the malicious subdomains are hosted on a completely different network in the UK. I suspect that there is a compromise of some sort at OrionVM which has allowed the DNS records to be change (it should be noted that these domains used several different registrars).

Another oddity is that these hijacked domains only go from A to I alphabetically, which indicates that there might be some other malicious servers in this same group. The domains are:

00.co.kr
07drama.com
1001mg.com
1sim.net
20cargo.com
2ndi.com
2seul.net
3gendata.co.kr
atomthecreators.com
bodaguatemala.com
ciudaddelangel.com
colmodasa.com
ctsau.com
cyberdyne.net.au
dafconstructions.com
darkhands.com
deanmathers.com
demon-networks.com
dentistasguatemala.com
dfs-mortgages.com.au
easygosa.com
elitebusinesssupplies.com.au
eliteoz.com.au
enaballet.com
escapeelsalvador.com
fairymeadowsurfclub.com.au
floor-me.com.au
furniturebiweb.com.au
frankflick.com
fwmesker.com.au
gcbustours.com.au
giftsbiweb.com.au
goddessmassage.com.au
goldcoastnorth.org.au
goldcoastpacifictours.com.au
greyfoxjumps.com
grubisaguitars.com
img.or.kr

Also hosted on 109.123.66.30 are some malicious .in domains that were previously on 87.229.26.138 (see here):
gguwvn.in
gmvgyx.in
humswz.in
jlqrnp.in
krvrkh.in
lupszm.in
nwujgl.in
onylkp.in
pmkvyh.in
sirrpk.in
tmthzz.in
ukokqz.in
ymjjjm.in
yxrkyu.in
zjmnwv.in
znztip.in
zpjhjv.in

It looks like there are some legitimate sites on the same server, but blocking 109.123.66.30 is probably a good idea.

As for those subdomains I wrote about, well here are some examples (there are probably many more!)
9e3cca5e3db56bb811912113012211341099855c391a9f23ee6fdf9310ef65f.escapeelsalvador.com
9e3cca5e3db56bb8.escapeelsalvador.com
43c327b1d06a8667016129130121170261378958c50c75b554d3acbb2bf6327.ciudaddelangel.com
4378075af081a68c01911413012115588268499bd156f02785043714358bc6d.bodaguatemala.com
adc3e9311efa48f701604513012020274181958c0c1dd94d15b082c2f456729.2seul.net
613c852e72852488.12bears.org
4378075af081a68c119070130121141091436015a23f6147f4a5cb6f46c9612.bodaguatemala.com
4378075af081a68c01608613012113376175301d0604046f19450957fd59d89.bodaguatemala.com
4378075af081a68c0190861301211545518988357b1766a7c844beb4d7d552d.bodaguatemala.com
cb3c7f5e8885de88019102130121235232244364ff60ccc807ebd5d014bc12a.dentistasguatemala.com
cb3c7f5e8885de8801902413012123563228240bb24890930199ff12981f22c.dentistasguatemala.com
4387a7b5506e066301515913012202291029798326847e181e5c85ee57ec48c.doctoresguatemala.com
e93c8d2e7a852c88014072130119115171974917aa12cca08315e832c31f05b.07drama.com
e93c8d2e7a852c88019016130119091781150715f71f0b9afdd4128ec4cbb9c.07drama.com
da0f5ebda916ff1b01402413011913245133774bd3f2acbdbb427f332b0509e.07drama.com
4378c7aa3071667c01511113012120512184494445a0a9fabe4d9f815049c39.colmodasa.com
4378c7aa3071667c1191211301211930317435053144fdeced2f362b8701b9c.colmodasa.com
f80fcced3b066d0b1191211301220847209700257ce00433c7d66b6873eb420.easygosa.com
f80fcced3b066d0b0190861301220832613187254b83422e0b4c441fde73336.easygosa.com
073c137ee495b2980140251301220622508971181451a35f7f31a53edbc1f68.easygosa.com
073c137ee495b298.easygosa.com
ad870975fedea8d3019044130119144392288741f96f4d9d259a1b9c46683e0.1001mg.com
9eb4aa965d5d0b5001418513012018266185128b200492041c9fa22e5d7765e.2ndi.com
43c347f1b07ae67701418513011715199157549c11b32571ee03ac63e5df44a.frankflick.com
43c327b1d06a8667014102130121164341794225edd7badb251a6d939612b70.ciudaddelangel.com
43c327b1d06a8667119121130121182651816415774ff223bcf7794f72f9901.ciudaddelangel.com
43c327b1d06a8667016129130121170261378958c50c75b554d3acbb2bf6327.ciudaddelangel.com
bc4bb8f94f32193f114161130120170671429678682220d8fb9257f98a64133.20cargo.com
bc4bb8f94f32193f116161130120160641274345c1e0d1e821270ad394dce24.20cargo.com
9e3cca5e3db56bb801907013012210373118558538d878c0932bac859f75915.escapeelsalvador.com
9e3cca5e3db56bb811412113012210099114754a47f7f4cdd48cdf995c40c69.escapeelsalvador.com
9e3cca5e3db56bb80190861301221149212109450483885b4caf3bc1aa9f0ec.escapeelsalvador.com
700ff4ad03c655cb114163130116131561128525b412bf0eb1f0d8b3373d530.darkhands.com
700ff4ad03c655cb01902413011612555164840bb4054383b351bed0be72cb0.darkhands.com
700ff4ad03c655cb019025130116115161699125ddc19c767ee08cad8037869.darkhands.com
700ff4ad03c655cb01906313011612074085590bc4ca3a96ab9f70f60a845be.darkhands.com
700ff4ad03c655cb11919113011611137102708d4fb6daf0e74bea4aa5e8f9f.darkhands.com
da871eb5e9debfd3.demon-networks.com
da871eb5e9debfd3014025130116170451125355cc8672327f4e3759493a7b6.demon-networks.com
da871eb5e9debfd311416313011617182114754b6edb0d4e245e105a88985e8.demon-networks.com
cb789f8a68e13eec01402413011611067087175549c49b8c26df1b1e117ce52.dafconstructions.com
cb789f8a68e13eec0190241301161048514233351542cd2b24d195ba0bf6f2b.dafconstructions.com
cb789f8a68e13eec0191371301160824408432252ef981c7a10856259ae52ff.dafconstructions.com
8f0fdbcd2c567a5b.greyfoxjumps.com
8f0fdbcd2c567a5b0190761301181449720858689e2e4bcb46d495489f755db.greyfoxjumps.com
8f0fdbcd2c567a5b01410413011815492132506be98360c690e0577314b571c.greyfoxjumps.com
25c3a1b1562a002701615313011819586240920cc2c0a048cb012e78ce717e3.grubisaguitars.com
25c3a1b1562a002701409913011818231126800513e8276203b5e4706c64ac5.grubisaguitars.com
25c3a1b1562a0027.grubisaguitars.com
cb4b6fe99882ce8f01402413011613576192736c93af1192f50fb15cfe1fb20.deanmathers.com
52874685b15ee75301902413012112331103342bb3bba5bfc191f0fcffeff42.atomthecreators.com
07b43316c4cd92c00191841301211308110270853cafa0ede390f54488279a2.atomthecreators.com
52874685b15ee753.atomthecreators.com
52874685b15ee753014072130121104741407487aa1c9758f11ecec8a5080e9.atomthecreators.com
52874685b15ee753014064130121125041591348d3a795f75aa30f3c07c12fa.atomthecreators.com
52874685b15ee75301918513012110462108414055334aad721923de002768f.atomthecreators.com
ad4b99a96ed238df01902413011700222020288c860e4eed12a0c47a53b2d01.enaballet.com
ad4b99a96ed238df.enaballet.com
8f875b85acdefad3.ctsau.com
8f875b85acdefad3014086130115235542019295b59f74e05eefad146e21954.ctsau.com
520fa6dd5146074b01902413011903443069106c9587029dc299fef3a02a1cf.00.co.kr
da3c3e0ec9c59fc8014050130121084910792509f94ca468b493ae140b594f1.3gendata.co.kr
8f0f8bdd7c062a0b019044130121095082044654e48461a03046b9a158f0b56.3gendata.co.kr
da3c3e0ec9c59fc8.3gendata.co.kr
ad0fa92d5e96089b.12.img.or.kr
1687c295352e632301904413012011471097002d9bf1df5a4477988e98ea7f5.1sim.net
1687c295352e6323019115130120125041553301f169b228df07c49f6f8243f.1sim.net
8f4b9b896c123a1f0190241301181159211348659b5706dd8bba9ac9f65cc8a.goldcoastnorth.org.au
52c376c1814ad747116159130117164792434566ca998fa703bdba9f5fad36c.furniturebiweb.com.au
cb87bff5487e1e73019024130117230451540624eab8d91eedee6aae935bce8.giftsbiweb.com.au
250fa16d5616001b116062130117064610561095bc0c075f5de40e7ed52d204.fairymeadowsurfclub.com.au
6187852572ae24a3014077130118075481933705d68a7d58e329cd19e1d4831.goddessmassage.com.au
e9c32dd1daaa8ca71141631301171015509319889e28e6ae67eb0ff6dea8d71.floor-me.com.au
e9c32dd1daaa8ca70190861301171005507734854b82701243446e1f5747513.floor-me.com.au
e9c32dd1daaa8ca7.floor-me.com.au
e9c32dd1daaa8ca70150461301171003307037446410ff324aa6549c60cc9e7.floor-me.com.au
700f44ddb356e55b014025130117185911325065edcde5312a0fbd05c98f038.fwmesker.com.au
700f44ddb356e55b.fwmesker.com.au
700f944d6326352b019084130116191021210948682e24ad4db4900e40a73b4.dfs-mortgages.com.au
700f944d6326352b1141631301161913413314058ae84aa556671678b3f5e96.dfs-mortgages.com.au
700f944d6326352b.dfs-mortgages.com.au
f83c9c6e6b353d381141631301151452414962455f29541148efc4e37826913.elitebusinesssupplies.com.au
f83c9c6e6b353d3801511113011515087109682445a0a9f951927ef50f6d8c4.elitebusinesssupplies.com.au
070f33bdc4e692eb0191141301151407910841451c188064ca7eab689697868.elitebusinesssupplies.com.au
070f33bdc4e692eb0140861301151349718988357a3ee82f57b94dee43ccb7a.elitebusinesssupplies.com.au
61f02502d2998494119191130118142491702293e019202990ce84e1570c0db.goldcoastpacifictours.com.au
708774f5836ed5630140181301180909508051875c927d7e6aa55de3837e434.goldcoastbuschartertours.com.au
f8b4ac165b9d0d90014096130117213511429674e08c2686a0bb289bc3fa9d8.gcbustours.com.au
bcf038d2cf899984119163130115182621198264fd5f6cf84137810b203d561.eliteoz.com.au
61f0c522327964740190861301152121515564750483987b2c6cc62e0435464.eliteoz.com.au
61f0c52232796474.eliteoz.com.au
bcf038d2cf89998401404313011519058127117579abdbfca7f3f850c10f19b.eliteoz.com.au
bcf038d2cf8999840140241301151905812711753ae2611208cafdf0c10f19b.eliteoz.com.au
61f0c522327964740140161301152137113028789e2464b24229b3f5a3a889e.eliteoz.com.au
bcf0b8624f091904115129130116034061033429069f5026657971ac822f264.cyberdyne.net.au

Cheeky exploit kit on avirasecureserver.com

What is avirasecureserver.com? Well, it's not Avira that's for sure.. it is in fact a server for the Blackhole Exploit Kit.

This site is hosted on 82.145.57.3, an Iomart / Rapidswitch IP that appears to have been reallocated to:
person:         Dimitar Kolev
address:        QHoster Ltd
address:        Apt 1859
address:        Chynoweth House
address:        Trevissome Park
address:        Truro
address:        TR4 8UN
address:        GB
phone:          +13232180069
abuse-mailbox:  abuse@qhoster.com
nic-hdl:        DK5560-RIPE
mnt-by:         RAPIDSWITCH-MNT
source:         RIPE # Filtered


Trevissome Park is a small business park in Cornwall, there certainly isn't a building with over 1000 apartments there, so we can assume that "Apt" is a euphemism for a post box. There's also no company in the UK called QHoster Ltd. In fact, if we check the QHoster.com domain we can see that it is a Bulgarian firm:

    QHoster Ltd.
    Dimitar Kolev        (domains@qhoster.net)
    27 Nikola D. Petkov Str.
    Sevlievo
    Gabrovo,5400
    BG
    Tel. +359.898547122
    Fax. +359.67535954

QHoster has an IP block of 82.145.57.0/25 suballocated to it. A quick poke around indicates not much of value in this range, you may want to consider blocking the /25 as a precaution.



Monday, 21 January 2013

Intuit spam / danadala.ru

This fake Intuit spam leads to malware on danadala.ru:

Date:      Mon, 21 Jan 2013 04:45:31 -0300
From:      RylieBouthillette@hotmail.com
Subject:      Payroll Account Holded by Intuit


Direct Deposit Service Informer
Communicatory Only

We cancelled your payroll on Mon, 21 Jan 2013 04:45:31 -0300.

    Finances would be gone away from below account # ending in 8134 on Mon, 21 Jan 2013 04:45:31 -0300
    amount to be seceded: 5670 USD
    Paychecks would be procrastinated to your personnel accounts on: Mon, 21 Jan 2013 04:45:31 -0300
    Log In to Review Operation


Funds are typically left before working banking hours so please make sure you have enough Finances accessible by 12 a.m. on the date Cash are to be seceded.

Intuit must reject your payroll by 4 p.m. Central time, two banking days before your paycheck date or your state would not be paid on time.
QuickBooks does not process payrolls on weekends or federal banking holidays. A list of federal banking holidays can be viewed at the Federal Reserve website.

Thank you for your business.

Regards,
Intuit Payroll Services

The malicious payload is at [donotclick]danadala.ru:8080/forum/links/column.php hosted on a familiar bunch of IPs that have been used in several recent attacks:

89.111.176.125 (Garant-Park-Telecom, Russia)
91.224.135.20 (Proservis UAB, Lithunia)
212.112.207.15 (ip4 GmbH, Germany)

The following malicious domains seems to be active at present:
dekamerionka.ru
danadala.ru
dmssmgf.ru
dmpsonthh.ru
demoralization.ru
damagalko.ru
dozakialko.ru
dopaminko.ru
dumarianoko.ru
dfudont.ru

LinkedIn spam / prepadav.com

This fake LinkedIn spam leads to malware on prepadav.com:

From: LinkedIn [mailto:news@linkedin.com]
Sent: 21 January 2013 16:21
Subject: LinkedIn Reminder from your co-worker

LinkedIn
REMINDERS
Invitation reminders:
▫ From CooperWright ( Your employer)

PENDING LETTERS
• There are a total of 2 messages awaiting your action. Acces to your InBox now.
Don't wish to receive email notifications? Adjust your letters settings.
LinkedIn respect your privacy. In no circumstances has LinkedIn made your e-mail acceptable to any other LinkedIn user without your allowance. © 2013, LinkedIn Corporation.
The malicious payload is at [donotclick]prepadav.com/detects/region_applied-depending.php hosted on 222.238.109.66 (Hanaro Telecom, Korea). This IP has been used in several malware attacks recently and it should be blocked if you can.

The following malicious websites are active on this server:
seoseoonwe.com
alphabeticalwin.com
splatwetts.com
bestwesttest.com
masterseoprodnew.com
cocolspottersqwery.com
teamrobotmusic.net
vaishalihotel.net
shininghill.net
terkamerenbos.net
prepadav.com

Kenyan Judiciary (judiciary.go.ke) hacked to serve malware

The Judiciary of the Republic of Kenya has a mission to deliver justice fairly, impartially and expeditiously, promote equal access to justice, and advance local jurispudence by upholding the rule of law. Unfortunately, it has also been hacked to serve up malware.


The site has been compromised to serve up an exploit kit being promoted by spam email. There's a redirector at [donotclick]www.judiciary.go.ke/wlc.htm attempting to redirect visitors to [donotclick]dfudont.ru:8080/forum/links/column.php where there's a nasty exploit kit.



Of course, most visitors to the judiciary.go.ke site won't see that particular exploit. But if someone can create an arbitrary HTML page on that server, then they pretty much have the run of the whole thing and they can do what they like. So the question might be.. what else has been compromised? Hmm.

Friday, 18 January 2013

ADP spam / dopaminko.ru

This fake ADP spam leads to malware on dopaminko.ru:

Date:      Fri, 18 Jan 2013 09:08:38 -0500
From:      "service@paypal.com" [service@paypal.com]
Subject:      ADP Immediate Notification

ADP Immediate Notification
Reference #: 544043911

Fri, 18 Jan 2013 09:08:38 -0500
Dear ADP Client

Your Transfer Record(s) have been created at the web site:

https://www.flexdirect.adp.com/client/login.aspx

Please see the following notes:

    Please note that your bank account will be debited within one banking business day for the amount(s) shown on the report(s).
    Please do not respond or reply to this automated e-mail. If you have any questions or comments, please Contact your ADP Benefits Specialist.


This note was sent to acting users in your system that approach ADP Netsecure.

As usual, thank you for choosing ADP as your business affiliate!

Ref: 206179035

HR. Payroll. Benefits.

The ADP logo and ADP are registered trademarks of ADP, Inc.
In the business of your success is a service mark of ADP, Inc.
© 2013 ADP, Inc. All rights reserved.
The malicious payload is at [donotclick]dopaminko.ru:8080/forum/links/column.php hosted on the following familiar IP addresses:

89.111.176.125 (Garant-Park-Telecom, Russia)
91.224.135.20 (Proservis UAB, Lithunia)
212.112.207.15 (ip4 GmbH, Germany)

These following malicious domains appear to be active on these servers:
dekamerionka.ru
dmssmgf.ru
dmpsonthh.ru
dmeiweilik.ru
demoralization.ru
damagalko.ru
dozakialko.ru
dopaminko.ru
dumarianoko.ru
dimanakasono.ru
bananamamor.ru
dfudont.ru


LinkedIn spam / shininghill.net

This fake LinkedIn spam leads to malware on shininghill.net:

Date:      Fri, 18 Jan 2013 18:16:32 +0200
From:      "LinkedIn" [announce@e.linkedin.com]
Subject:      LinkedIn Information service message

LinkedIn
REMINDERS

Invite notifications:
? From MiaDiaz ( Your renter)


PENDING EVENTS

∙ There are a total of 2 messages awaiting your response. Enter your InBox right now.

Don't want to get email info letters? Change your message settings.

LinkedIn values your privacy. Not once has LinkedIn made your e-mail address available to any another LinkedIn member without your permission. © 2013, LinkedIn Corporation.
The malicious payload is at [donotclick]shininghill.net/detects/solved-surely-considerable.php hosted on 222.238.109.66 (Hanaro Telecom, Korea). This IP address has been used in several recent attacks and should be blocked if you can.

The following domains appear to be active on this IP address, all should be considered to be malicious:
seoseoonwe.com
alphabeticalwin.com
splatwetts.com
bestwesttest.com
masterseoprodnew.com
teamrobotmusic.net
foxpoolfrance.net
linuxreal.net
vaishalihotel.net
tetraboro.net
terkamerenbos.net
shininghill.net


"A.R.T. Logistics" fake job offer

There may be various genuine companies in the world with a name similar to "A.R.T. Logistics Industrial & Trading Ltd", but this job offer does not come from a genuine company. Instead it is trying to recruit people for money laundering ("money mule") jobs and parcel reshipping scams (a way of laundering stolen goods). Note that the scammers aren't even consistent in the way they name the company.

From:     ART LOGISTICS INDUSTRIAL AND TRADING LTD [info@sender.org]
Reply-To:     artlogisticsltd@yahoo.com.ph
Date:     18 January 2013 07:49
Subject:     A.R.T. LOGISTICS INDUSTRIAL & TRADING LIMITED

A.R.T LOGISTIC INDUSTRIAL & TRADING LIMITED
Export & Import Agent‚ Service Company.
46/F Tower 1, Metroplaza 223 Hing Fong Road,
Kwai Chung New Territories, Hong Kong.

A.R.T. Logistics mainly provides services to customers in Russia, Kazakhstan and Hong Kong. We provide: - Air freight - Sea freight (FCL & LCL to EU, Russia, Kazakhstan & Central Asia) - Rail freight - Road Freight (FTL & LTL to any place in Russia, Kazakhstan and Central Asia) Our company has worked in Russia, Kazakhstan & Central Asia since 2005 and has wide experience of transport such as airfreight, container and rail.

We are presently shifting our base to North America and we have collective customers in the United State & Canada but We find it difficult establishing payments modalities with this customers and we don't intend loosing our customers. We are searching for a front line representative as intermediary by establishing a medium of getting payments from this customers in Canada & America by making payments through you to us. Do contact us for more information at this e-mail:(artlogis@e-mail.ua).

Subject to your satisfaction with the front line representative offer, you will be made our foreign payment receiving officer in your region and you will deduct 10% of every transactions made through you for your services as our Financial Representative.

Sincerely,
Yasar Feng Xu
A.R.T LOGISTIC INDUSTRIAL & TRADING LIMITED
N.B Reply to: artlogisticsltd@yahoo.com.ph

In this case, the spam originates from 31.186.186.2 [mail.zsmirotice.cz]. Avoid!

Thursday, 17 January 2013

"Wire Transfer Confirmation" spam / dfudont.ru

This spam leads to malware on dfudont.ru:

Date:      Fri, 18 Jan 2013 08:58:56 +0600 [21:58:56 EST]
From:      SUMMERDnIKYkatTerry@aol.com
Subject:      Fwd: Wire Transfer Confirmation (FED_59983S76643)

Dear Bank Account Operator,
WIRE TRANSFER: FED86180794682707910
CURRENT STATUS: PENDING

Please REVIEW YOUR TRANSACTION as soon as possible.

The malicious payload is at [donotclick]dfudont.ru:8080/forum/links/column.php hosted on:

89.111.176.125 (Garant-Park-Telecom, Russia)
91.224.135.20 (Proservis UAB, Lithunia)
212.112.207.15 (ip4 GmbH, Germany)

These IPs have been used in several malware attacks recently blocking them is a good idea. The following malicious domains are also present on these servers:
dekamerionka.ru
dmssmgf.ru
dmpsonthh.ru
dmeiweilik.ru
belnialamsik.ru
demoralization.ru
damagalko.ru
dozakialko.ru
dumarianoko.ru
dimanakasono.ru
bananamamor.ru
dfudont.ru

Update:  there is also a fake Sendspace spam sending visitors to the same payload

Date:      Thu, 17 Jan 2013 03:03:55 +0430
From:      Badoo [noreply@badoo.com]
Subject:      You have been sent a file (Filename: [redacted]_N584581.pdf)

Sendspace File Delivery Notification:

You've got a file called [redacted]_N390.pdf, (973.39 KB) waiting to be downloaded at sendspace.(It was sent by JOHNETTE ).

You can use the following link to retrieve your file:

Download

Thank you,

Sendspace, the best free file sharing service.


KeyBank.com "You have received a secure message" virus

This fake KeyBank spam has an attachment called securedoc.zip which contains a malicous executable file named securedoc.exe.

Date:      Thu, 17 Jan 2013 11:16:54 -0500 [11:16:54 EST]
From:      "Antoine_Pearce@KeyBank.com" [Antoine_Pearce@KeyBank.com]
Subject:      You have received a secure message

You have received a secure message


Read your secure message by opening the attachment, SECUREDOC. You will be prompted to open (view) the file or save (download) it to your computer. For best results, save the file first, then open it.

If you have concerns about the validity of this message, please contact the sender directly. For questions about Key's e-mail encryption service, please contact technical support at 888.764.7941.

First time users - will need to register after opening the attachment.
Help - https://mailsafe.keybank.com/websafe/help?topic=RegEnvelope
About IronPort Encryption - https://mailsafe.keybank.com/websafe/about
VirusTotal results are not good. The ThreatExpert report for the malware can be found here. The malware attempts to call home to:
173.230.139.4 (Linode, US)
192.155.83.208 (Linode, US)

..and download additional components from
[donotclick]ib-blaschke.de/4kzWUR.exe
[donotclick]chris-zukunftswege.de/DynThR8.exe
[donotclick]blueyellowbook.com/Cct1Kk58.exe

Wednesday, 16 January 2013

ADP spam / teamrobotmusic.net

This fake ADP spam leads to malware on teamrobotmusic.net:

Date:      Wed, 16 Jan 2013 18:36:25 +0200 [11:36:25 EST]
From:      "notify@adp.com" [notify@adp.com]
Subject:      ADP  Speedy  Information

ADP Speedy Communication
[redacted]

Reference ID: 14580

Dear ADP Client January, 16 2012

Your Money Transfer Statement(s) have been uploaded to the web site:

https://www.flexdirect.adp.com/client/login.aspx

Please see the following details:

• Please note that your bank account will be charged-off within 1 business day for the value(s) specified on the Record(s).

•Please don't reply to this message. auomatic informational system unable to accept incoming email. Please Contact your ADP Benefits Expert.

This email was sent to acting users in your company that access ADP Netsecure.

As usual, thank you for choosing ADP as your business affiliate!

Ref: 14580
The malicious payload is on [donotclick]teamrobotmusic.net/detects/bits_remember_confident.php hosted on 222.238.109.66 (Hanaro Telecom, Korea). This IP has been used in a few attacks recently and should be blocked if you can. The following domains appear to be active on this IP:

advertizing9.com
seoseoonwe.com
alphabeticalwin.com
splatwetts.com
bestwesttest.com
masterseoprodnew.com
eartworld.net
foxpoolfrance.net
hotelrosaire.net
linuxreal.net
vaishalihotel.net
tetraboro.net
terkamerenbos.net
royalwinnipegballet.net
teamrobotmusic.net


American Express spam / dozakialko.ru

This fake AmEx spam leads to malware on dozakialko.ru:

Sent: 16 January 2013 02:22
Subject: American Express Alert: Your Transaction is Aborted

 Your Wed, 16 Jan 2013 01:22:07 -0100 Incoming Transfer is Terminated



Valued, $5203

Your American Express Card account retired ZUE36213 with amount of 5070 USD.
Transaction Time:Wed, 16 Jan 2013 01:22:07 -0100
Payment Due Date:Wed, 16 Jan 2013 01:22:07 -0100

One small way to help the environment - get paperless statements
Review billing
statement
Issue a payment
Change notifications
options


You currently reading the LIMITED DATA version of the Statement-Ready Information.
Switch to the DETAILED DATA version.

Thank you for your Cardmembership.


Sincerely,

American Express Information center
________________________________________
The malicious payload is at [donotclick]dozakialko.ru:8080/forum/links/column.php (report here) hosted on the following IPs:

89.111.176.125 (Garant-Park-Telecom, Russia)
91.224.135.20 (Proservis UAB, Lithunia)
212.112.207.15 (ip4 GmbH, Germany)

Plain list of IPs and related domains for copy-and-pasting:
89.111.176.125
91.224.135.20
212.112.207.15
dekamerionka.ru
dmssmgf.ru
dmpsonthh.ru
dmeiweilik.ru
belnialamsik.ru
demoralization.ru
dumarianoko.ru
dimanakasono.ru
bananamamor.ru
dozakialko.ru



Tuesday, 15 January 2013

Verizon Wireless spam / dmssmgf.ru

This fake Verizon Wireless spam leads to malware on dmssmgf.ru:
From: Friendster Games [mailto:friendstergames@friendster.com]
Sent: 14 January 2013 21:47
Subject: Verizon Wireless


IMPORTANT ACCOUNT NOTE FROM VERIZON WIRELESS.
Your acknowledgment message is issued.

Your account No. ending in 2308

Dear Client

For your accommodation, your confirmation letter can be found in the Account Documentation desk of My Verizon.

Please browse your informational message for more details relating to your new transaction.


Open Information Message

In addition, in My Verizon you will find links to information about your device & services that may be helpfull if you looking for answers.

Thank you for joining us.     My Verizon is laso works 24 hours 7 days a week to assist you with:
•    Viewing your utilization
•    Upgrade your tariff
•    Manage Account Members
•    Pay for your bill
•    And much, much more...

2013 Verizon Wireless
Verizon Wireless | One Verizon Way Mail Code: 113WVC | Basking Ridge, MI 87325

We respect your privacy. Please browse our policy for more information

The malicious payload is on [donotclick]dmssmgf.ru:8080/forum/links/column.php (report here) hosted on:

81.31.47.124 (Master Internet s.r.o / Petr Bydzovsky, Czech Republic)
91.224.135.20 (Proservis UAB, Luthunia)
212.112.207.15 (ip4 GmbH, Germany)

The following IPs and domains are all connected:
81.31.47.124
91.224.135.20
212.112.207.15
dekamerionka.ru
dmssmgf.ru
dmpsonthh.ru
dmeiweilik.ru
belnialamsik.ru
demoralization.ru
dumarianoko.ru
dimanakasono.ru
bananamamor.ru


xree.ru and the persistent pharma spam

Do doubt sent out by the same crew who are pushing malware, this pharma spam seems to have hit new highs.

Date:      Tue, 15 Jan 2013 05:35:04 -0500 (EST)
From:      Account Mail Sender [invoice@erlas.hu]
Subject:      Invoice confirmation

Hello. Thank you for your order.

We greatly appreciate your time and look forward to a mutually rewarding business relationship with our company well into the future.

At present, our records indicate that we have an order or several orders outstanding that we have not received confirmation from you. If you have any questions regarding your account, please contact us.

We will be happy to answer any questions that you may have.

Your Customer Login Page

Customer login: [redacted]

Thanking you in advance for your attention to this matter.

Sincerely, Justa Dayton
The link in the email goes through a legitimate hacked site to [donotclick]xree.ru/?contactus but then it redirects to a seemingly random fake pharma site. However, the redirect only works if you have the referrer set correctly.

The landing sites are on:
199.59.56.59 (Hostwinds, Australia)
209.236.67.220 (WestHost Inc, US)

I can't find any malware on these sites, but you may as well block them if you can as they seem to have a lot of domains on them:

birthmed.com
canadapharmcanadian.net
caregiverskicare.net
centerlinedrugstore.net
cialisviagrapetraeus.com
cialiswelloch.net
cizaqussish.com
climbedwelness.com
contabmedicine.eu
cucy.ru
dietpillpepsi.eu
dietprescriptionpharmacy.net
dietwelness.com
djyfammerco.com
drugenericsmeds.com
drugprescriptionmedical.com
drugstoremedicalsrx.ru
drugstorepharmacycenterline.com
drugstorerxfitness.ru
exerciseprescriptiondiet.com
fitnessdrugstorepharmacy.ru
genericswelnesspharmaceutical.eu
healthcarelnessmedical.net
healthdrugstorepharmacy.ru
healthwiblackwell.com
israeltrapharm.com
levitratab.com
levitraviagraron.net
mail.tabletsdrugstoredrugstore.ru
marijuanarxmedicine.com
medicaredrugstoreprescription.eu
medicarewitax.com
mytabhealth.com
nislevitra.com
northwesternlevitrapills.net
nutritiondrugstorepharmacy.ru
parisdrugstore.ru
patientsharmedical.com
patientsharmedical.eu
pillcent.nl
pillmedicalhospital.pl
prescriptioncialteens.com
prescriptiondrugwalmart.com
prescriptionryan.eu
rxnutrition.ru
tabcalories.com
tabletdrugshealth.ru
tabletdrugstoretabs.ru
tabletlevitrapp.com
tabletpharmacypharmacy.ru
tabletpillspills.ru
tabletsdrugstoredrugstore.ru
tabletspharmacyjobs.ru
tabletspharmacypharmacy.ru
tabletspillsshop.ru
tabrxtablets.ru
thecaretab.com
viagraprogene.net
xree.ru
zury.ru

Monday, 14 January 2013

BBB spam / terkamerenbos.net

This fake BBB spam leads to malware on terkamerenbos.net:

Date:      Mon, 14 Jan 2013 07:53:04 -0800 [10:53:04 EST]
From:      Better Business Bureau [notify@bbb.org]
Subject:      BBB Pretense ID 68C474U93

Better Business Bureau ©
Start With Trust ©

Mon, 14 Jan 2013

RE: Issue # 68C474U93

[redacted]

The Better Business Bureau has been booked the above said claim from one of your customers with regard to their business relations with you. The detailed description of the consumer's uneasiness are available at the link below. Please give attention to this subject and notify us about your mind as soon as possible.

We amiably ask you to click and review the CLAIM REPORT to meet on this complaint.

We are looking forward to your prompt reaction.

Best regards
Alexis Nguyen
Dispute Councilor
Better Business Bureau

Better Business Bureau
3033  Wilson Blvd, Suite 600   Arlington, VA 22701
Phone: 1 (703) 276.0100   Fax: 1 (703) 525.8277
 

This note was delivered to [redacted]. Don't want to receive these emails anymore? You can unsubscribe
The malicious payload is at [donotclick]terkamerenbos.net/detects/pull_instruction_assistant.php hosted on 222.238.109.66 (Hanaro Telecom, Korea). The following malicious sites are on the same server:

advertizing9.com
alphabeticalwin.com
splatwetts.com
bestwesttest.com
eartworld.net
foxpoolfrance.net
hotelrosaire.net
linuxreal.net
tetraboro.net
royalwinnipegballet.net

ADP spam / dekamerionka.ru

This fake ADP spam leads to malware on dekamerionka.ru:


Date:      Mon, 14 Jan 2013 10:49:06 +0300
From:      Friendster Games [friendstergames@friendster.com]
Subject:      ADP Immediate Notification

ADP Immediate Notification
Reference #: 540328394

Mon, 14 Jan 2013 10:49:06 +0300
Dear ADP Client

Your Transfer Record(s) have been created at the web site:

https://www.flexdirect.adp.com/client/login.aspx

Please see the following notes:

    Please note that your bank account will be debited within one banking business day for the amount(s) shown on the report(s).
    Please do not respond or reply to this automated e-mail. If you have any questions or comments, please Contact your ADP Benefits Specialist.


This note was sent to acting users in your system that approach ADP Netsecure.

As usual, thank you for choosing ADP as your business affiliate!

Ref: 984259785

HR. Payroll. Benefits.

The ADP logo and ADP are registered trademarks of ADP, Inc.
In the business of your success is a service mark of ADP, Inc.
© 2013 ADP, Inc. All rights reserved.
The malicious payload is on [donotclick]dekamerionka.ru:8080/forum/links/column.php hosted on:
81.31.47.124 (Master Internet s.r.o / Petr Bydzovsky, Czech Republic)
91.224.135.20 (Proservis UAB, Luthunia)
212.112.207.15 (ip4 GmbH, Germany)

Plain list of IPs and domains involved:
81.31.47.124
91.224.135.20
212.112.207.15
dmeiweilik.ru
belnialamsik.ru
demoralization.ru
dumarianoko.ru
dimanakasono.ru
bananamamor.ru
dekamerionka.ru

Malware sites to block 14/1/13

A couple of interesting posts over at Malware Must Die!  showed some significant nastiness on a few IP ranges you might want to block. The IPs mentioned are:

91.243.115.140 (Aztek Ltd, Russia)
46.166.169.238 (Santrex, Netherlands)
62.76.184.93 (IT House / Clodo-Cloud, Russia)

I'll list the sites on these domains at the end of the post for readability. But in these cases, blocking just the single IPs is not enough as they reside in pretty evil netblocks which should be blocked altogether.

91.243.115.0/24 (Aztek Ltd) is part of this large collection of malware hosts. Perhaps not all sites in the network are malicious, but certainly a lot of them are. I would err on the side of caution and block access to all sites in this /24, legitimate or not.

46.166.169.0/24 (Santrex) is another horrible network. According to Google, out of 4604 tested sites in this block, at least 3201 (70%) are involved in malware distribution. There may be legitimate sites in this /24, but since customer service is allegedly atrocious then it's hard to see why they would stick around. Again, blocking this /24 is probably prudent.

62.76.184.0/21 (IT House / Clodo-Cloud) is quite a large range to block, but I have seen many malicious sites in this range, and like Aztek it is part of this large network of malware hosts and it has a poor reputation. This is only a part of this netblock, if you want to go further you could consider blocking 62.76.160.0/19.

These following domains are all connected to these two attacks:
amgstaying.net
awczh.portrelay.com
bestchange001.ru
bestchange002.ru
bestchange003.ru
bestchange004.ru
bestchange005.ru
bestchange006.ru
bestchange007.ru
bestchange050.ru
bestchange051.ru
bestchange053.ru
bestchange054.ru
blydjkqtj.2waky.com
clientlink011.ru
clientlink015.ru
clientlink018.ru
clientlink024.ru
clientlink026.ru
clientlink027.ru
clientlink034.ru
clientlink038.ru
clientlink040.ru
clientlink042.ru
clientlink046.ru
clientlink063.ru
clientlink067.ru
clientlink070.ru
clientlink073.ru
clientlink074.ru
clientlink075.ru
clientlink076.ru
clientlink077.ru
clientlink078.ru
clientlink079.ru
clientlink080.ru
clientlink083.ru
clientlink084.ru
clientlink085.ru
clientlink086.ru
clientlink087.ru
clientlink089.ru
clientlink090.ru
clientlink091.ru
clientlink093.ru
clientlink094.ru
clientlink095.ru
clientlink100.ru
coshqa.2waky.com
diresofnetbook.com
djondonetwork.com
dukcwhmc.portrelay.com
ewarmz.2waky.com
fiendishtask.info
frnujzogt.2waky.com
glcuofjx.2waky.com
glrozxsjk.portrelay.com
gvcrtf.2waky.com
hrwusuf.portrelay.com
husvmp.portrelay.com
hvgzklbx.portrelay.com
igrhcsfdx.portrelay.com
imvkmu.portrelay.com
inherentlywriters.info
ipaeh.portrelay.com
iqtbzwa.2waky.com
jbygu.2waky.com
jjfzxpim.2waky.com
jzkwt.2waky.com
khmdkcath.portrelay.com
ksgha.2waky.com
lbuym.2waky.com
lgoqsh.portrelay.com
museumsnimble.net
ndcukbk.2waky.com
nvzlyez.portrelay.com
oaigq.2waky.com
owowgjqof.2waky.com
oyobalz.2waky.com
pavingcorroborated.org
pefmpltrz.2waky.com
pjmbpvacm.portrelay.com
pxsthim.portrelay.com
qqmtqy.portrelay.com
reservedir003.ru
rndhezha.portrelay.com
root.kaovo.com
simplicitypernicious.org
snxecl.2waky.com
supportservice001.ru
supportservice002.ru
supportservice003.ru
supportservice004.ru
supportservice005.ru
supportservice006.ru
supportservice008.ru
supportservice009.ru
supportservice010.ru
supportservice011.ru
supportservice012.ru
supportservice013.ru
supportservice014.ru
supportservice015.ru
supportservice016.ru
supportservice017.ru
supportservice018.ru
supportservice019.ru
supportservice020.ru
supportservice021.ru
supportservice022.ru
supportservice023.ru
supportservice025.ru
supportservice028.ru
supportservice029.ru
supportservice030.ru
supportservice031.ru
supportservice032.ru
supportservice033.ru
supportservice035.ru
supportservice038.ru
supportservice042.ru
supportservice044.ru
supportservice047.ru
supportservice054.ru
supportservice055.ru
supportservice058.ru
supportservice060.ru
supportservice064.ru
supportservice065.ru
supportservice066.ru
supportservice068.ru
supportservice069.ru
supportservice075.ru
supportservice078.ru
supportservice082.ru
supportservice083.ru
supportservice085.ru
supportservice089.ru
supportservice093.ru
supportservice095.ru
supportservice096.ru
supportservice097.ru
supportservice098.ru
tezjytph.portrelay.com
tpfoc.2waky.com
trghfx.2waky.com
uretf.2waky.com
utilityremember.net
uzmai.portrelay.com
vzaxmfgz.portrelay.com
wfeanf.2waky.com
wibeay.2waky.com
wpacule.portrelay.com
xycoordinatesskinny.org
yfvvmj.portrelay.com
zbwss.portrelay.com
zrwhrkm.portrelay.com
zzspkyrcr.portrelay.com



Friday, 11 January 2013

"Payroll Account Holded by Intuit" spam / dmeiweilik.ru

This fake Intuit (or LinkedIn?) spam leads to malware on dmeiweilik.ru:


Date:      Fri, 11 Jan 2013 06:23:41 +0100
From:      LinkedIn Password [password@linkedin.com]
Subject:      Payroll Account Holded by Intuit


Direct Deposit Service Informer
Communicatory Only

We cancelled your payroll on Fri, 11 Jan 2013 06:23:41 +0100.

    Finances would be gone away from below account # ending in 0198 on Fri, 11 Jan 2013 06:23:41 +0100
    amount to be seceded: 8057 USD
    Paychecks would be procrastinated to your personnel accounts on: Fri, 11 Jan 2013 06:23:41 +0100
    Log In to Review Operation


Funds are typically left before working banking hours so please make sure you have enough Finances accessible by 12 a.m. on the date Cash are to be seceded.

Intuit must reject your payroll by 4 p.m. Central time, two banking days before your paycheck date or your state would not be paid on time.
QuickBooks does not process payrolls on weekends or federal banking holidays. A list of federal banking holidays can be viewed at the Federal Reserve website.

Thank you for your business.

Regards,
Intuit Payroll Services

====================



From: messages-noreply@bounce.linkedin.com [mailto:messages-noreply@bounce.linkedin.com] On Behalf Of Lilianna Grimes via LinkedIn
Sent: 10 January 2013 21:04
Subject: Payroll Account Holded by Intuit


Direct Deposit Service Informer
Communicatory Only

We cancelled your payroll on Fri, 11 Jan 2013 02:03:33 +0500.
•    Finances would be gone away from below account # ending in 8913 on Fri, 11 Jan 2013 02:03:33 +0500
•    amount to be seceded: 9567 USD
•    Paychecks would be procrastinated to your personnel accounts on: Fri, 11 Jan 2013 02:03:33 +0500
•    Log In to Review Operation

Funds are typically left before working banking hours so please make sure you have enough Finances accessible by 12 a.m. on the date Cash are to be seceded.

Intuit must reject your payroll by 4 p.m. Central time, two banking days before your paycheck date or your state would not be paid on time.
QuickBooks does not process payrolls on weekends or federal banking holidays. A list of federal banking holidays can be viewed at the Federal Reserve website.

Thank you for your business.

Regards,
Intuit Payroll Services


The malicious payload is at [donotclick]dmeiweilik.ru:8080/forum/links/column.php hosted on the same IPs as in this attack:

91.224.135.20 (Proservis UAB, Lithunia)
187.85.160.106 (Ksys Soluções Web, Brazil)
212.112.207.15 (ip4 GmbH, Germany)

The following IPs and domains are related and should be blocked:
91.224.135.20
187.85.160.106
212.112.207.15
belnialamsik.ru
demoralization.ru
dimanakasono.ru
bananamamor.ru
dmeiweilik.ru

Changelog spam / dimanakasono.ru

This fake "Changelog" spam leads to malware on dimanakasono.ru:

From: Ashley Madison [mailto:donotreply@ashleymadison.com]
Sent: 10 January 2013 08:25
Subject: Re: Fwd: Changelog as promised(updated)

Hi,


changelog update - View

L. Cook
The malicious payload is at [donotclick]dimanakasono.ru:8080/forum/links/column.php hosted on the following IPs:

91.224.135.20 (Proservis UAB, Lithunia)
187.85.160.106 (Ksys Soluções Web, Brazil)
212.112.207.15 (ip4 GmbH, Germany)

The following IPs and domains are related and should be blocked:
91.224.135.20
187.85.160.106
212.112.207.15
belnialamsik.ru
demoralization.ru
dimanakasono.ru
bananamamor.ru

Thursday, 10 January 2013

ADP spam / tetraboro.net and advertizing*.com

This fake ADP spam leads to malware on tetraboro.net. It contains some errors, one of which is the subject line just says "adp_subj" rather than having been filled out properly. The most amusing one is the reference to "business butty" which presumably is some sort of sandwich.

Date:      Thu, 10 Jan 2013 17:48:09 +0200 [10:48:09 EST]
From:      "ADPClientServices@adp.com" [ADPClientServices@adp.com]
Subject:      adp_subj


ADP Urgent Note

Note No.: 33469

Respected ADP Consumer January, 9 2013

Your Processed Payroll Record(s) have been uploaded to the web site:

Click here to Sign In

Please take a look at the following details:

•   Please note that your bank account will be debited within one banking day for the amount(s) specified on the Protocol(s).

� Please don't reply to this message. auomatic informational system not configured to accept incoming mail. Please Contact your ADP Benefits Specialist.

This notification was sent to current clients in your company that approach ADP Netsecure.

As general, thank you for choosing ADP as your business butty!

Ref: 33469

The malicious payload is on [donotclick]tetraboro.net/detects/coming_lost-source.php hosted on 222.238.109.66 (Hanaro Telecom, Korea). A quick look indicates a number of related malicious domains and IPs, including advertizing1.com through to advertizing9.com. All of these should be blocked.

5.135.90.19 (OVH, France - suballocated to premiervps.net, UK)
91.227.220.121 (VooServers, UK)
94.102.55.23 (Ecatel, Netherlands)
119.78.243.16 (China Science & Technology Network, China)
198.144.191.50 (New Wave Netconnect, US)
199.233.233.232 (Quickpacket, US)
203.1.6.211 (China Telecom, China)
222.238.109.66 (Hanaro Telecom, Korea)

Plain list:
advertizing1.com
advertizing2.com
advertizing3.com
advertizing4.com
advertizing5.com
advertizing6.com
advertizing7.com
advertizing8.com
advertizing9.com
cookingcarlog.ne
hotelrosaire.net
richbergs.com
royalwinnipegballet.net
tetraboro.net
5.135.90.19
91.227.220.121
94.102.55.23
119.78.243.16
198.144.191.50
199.233.233.232
203.1.6.211
222.238.109.66

Wednesday, 9 January 2013

BBB spam / hotelrosaire.net

This fake BBB spam leads to malware on hotelrosaire.net:

Date:      Wed, 9 Jan 2013 09:21:32 -0600 [10:21:32 EST]
From:      Better Business Bureau <complaint@bbb.org>
Subject:      BBB notification regarding your  cliente's pretense No. 62850348

Better Business Bureau ©
Start With Trust �

Tue, 8 Jan 2013

RE: Complaint N. 62850348

[redacted]

The Better Business Bureau has been booked the above said complaint from one of your users in regard to their business contacts with you. The detailed description of the consumer's anxiety are available for review at a link below. Please give attention to this problem and inform us about your sight as soon as possible.

We pleasantly ask you to click and review the APPEAL REPORT to respond on this claim letter.

We awaits to your prompt reaction.

Yours respectfully
Liam Barnes
Dispute Consultant
Better Business Bureau

Better Business Bureau
3053   Wilson Blvd, Suite 600   Arlington, VA 25501
Phone: 1 (703) 276.0100   Fax: 1 (703) 525.8277


This note was sent to [redacted]. Don't want to receive these emails anymore? You can unsubscribe

==========================

Date:      Wed, 9 Jan 2013 23:21:42 +0800 [10:21:42 EST]
From:      Better Business Bureau <donotreply@bbb.org>
Subject:      BBB  Complaint No. C1343110

Better Business Bureau ©
Start With Trust ©

Tue, 8 Jan 2013

RE: Case No. C1343110

[redacted]

The Better Business Bureau has been booked the above mentioned complaint from one of your clients as regards their business relations with you. The information about the consumer's anxiety are available for review at a link below. Please pay attention to this question and inform us about your glance as soon as possible.

We pleasantly ask you to overview the COMPLAINT REPORT to reply on this grievance.

We are looking forward to your prompt reaction.

Yours respectfully
Hunter Gomez
Dispute Counselor
Better Business Bureau

Better Business Bureau
3053   Wilson Blvd, Suite 600   Arlington, VA 22801
Phone: 1 (703) 276.0100   Fax: 1 (703) 525.8277


This message was sent to [redacted]. Don't want to receive these emails anymore? You can unsubscribe 

The malicious payload is on [donotclick]hotelrosaire.net/detects/keyboard_ones-piece-ring.php hosted on 64.120.177.139 (HostNOC, US) which also hosts royalwinnipegballet.net which was seen in another BBB spam run yesterday.

ADP spam / demoralization.ru

This fake ADP spam leads to malware on demoralization.ru:

Date:      Wed, 9 Jan 2013 04:23:03 -0600
From:      Habbo Hotel [auto-contact@habbo.com]
Subject:      ADP Immediate Notification

ADP Immediate Notification
Reference #: 948284271

Wed, 9 Jan 2013 04:23:03 -0600
Dear ADP Client

Your Transfer Record(s) have been created at the web site:

https://www.flexdirect.adp.com/client/login.aspx

Please see the following notes:

    Please note that your bank account will be debited within one banking business day for the amount(s) shown on the report(s).
    Please do not respond or reply to this automated e-mail. If you have any questions or comments, please Contact your ADP Benefits Specialist.


This note was sent to acting users in your system that approach ADP Netsecure.

As usual, thank you for choosing ADP as your business affiliate!

Ref: 703814359


HR. Payroll. Benefits.

The ADP logo and ADP are registered trademarks of ADP, Inc.
In the business of your success is a service mark of ADP, Inc.
� 2013 ADP, Inc. All rights reserved.

The malicious payload is at [donotclick]demoralization.ru:8080/forum/links/column.php hosted on the following IPs:
82.165.193.26 (1&1, Germany)
91.224.135.20 (Proservis UAB, Lithunia)
187.85.160.106 (Ksys Soluções Web, Brazil)

The following IPs and domains are all related:
82.165.193.26
91.224.135.20
187.85.160.106
demoralization.ru
belnialamsik.ru
bananamamor.ru

Something evil on 173.246.102.246

173.246.102.246 (Gandi, US) looks like it is being used for exploit kits being promoted either through malvertising or through exploited OpenX ad servers.

In the example I have seen, the malicious payload is at [donotclick]11.lamarianella.info/read/defined_regulations-frequently.php (report here). These other domains appear to be on the same server, all of which can be assumed to be malicious:

11.livinghistorytheatre.ca
11.awarenesscreateschange.com
11.livinghistorytheatre.com
11.b2cviaggi.com
11.13dayz.com
11.lamarianella.info
11.studiocitynorth.tv
11.scntv.tv

These all appear to be legitimate but hijacked domains, you may want to block the whole domain rather than just the 11. subdomain.

Tuesday, 8 January 2013

PPI scam: 0843 410 0078

Short version: 
If you're Googling this number to see who is ringing you, then the short answer is that it is a bunch of scammers trying to get you to make a PPI refund claim. If you end up speaking to a human, then you can either ask them to "remove and suppress" your number, alternatively you can just tell them to fuck off (as there's no real reason to be polite with them).

Long version:
Despite a massive fine handed out to some SMS spammers for pushing PPI and ambulance chasing spam, there are still others about.

One particularly common on is to be called with a recorded message about a PPI refund, and then being given the opportunity to press "5" to connect to an operator.

So, I got one of these today from 0843 410 0078, a number allocated to Jtec UK Ltd (although they are probably just the telecoms provider). It seems that this number block is stuffed full of telepests.

Now, this isn't just spam.. it's a scam. Firstly, I'm not eligible for any PPI refunds, but the scammers are encouraging you to make a fraudulent claim regardless. They're just interested in selling your lead on to the next level in this very seedy world of PPI refund claims.

My conversation with the lady scammer went something like this:

Me: So I'm due a PPI refund am I?

Scammer: Yes, our records indicate that you may be eligible for a refund.

Me: Oh yes? You have records?

Scammer: Yes.

Me: So then, please tell me what my name is.

Scammer: We don't have that information for data protection reasons. [Yeah, but you have my financial records and telephone number, so really you are lying, aren't you?]

At which point I got bored and suggested that the woman fucked off and never called me again, at which point she hung up. I really do recommend being rude to these people incidentally. If you can ruin their afternoon and make them feel shitty about themselves then it's a small victory, they are willing participants in the scam after all.

The problem is that the people working at lead generation at this level will NEVER reveal who they are, and by the time the PPI claim has gotten to someone higher up in the food chain then the lead has been laundered through several middlemen.

Registering with the TPS isn't always as effective as you might think. Mobile numbers seem to expire after a year and need renewing (don't forget, the TPS is run by marketers). If you are TPS registered and still get bombarded with PPI scam calls, then you can try filing an ICO complaint. Or you could try doing it this way. But please remember, if you can make the telepests upset for the whole afternoon then it might make them reconsider their bad career choices..

If you find out who these pests are, or come across any other numbers, please consider sharing them in the Comments. Thanks!

These other numbers appear to be related:
0843 410 2215
0843 410 2576
0843 410 4770
0843 410 0269 (claimed to be from a nonexistant company called "PPI Assistance")

This is the same scam, but may be a different outfit:
01277 509018

BBB Spam / royalwinnipegballet.net

This fake BBB spam leads to malware on royalwinnipegballet.net:

Date:      Tue, 8 Jan 2013 19:18:34 +0200 [12:18:34 EST]
From:      Better Business Bureau <information@bbb.org>
To:      [redacted]Subject:      BBB information regarding your customer's appeal ¹ 96682901

Better Business Bureau ©
Start With Trust ©

Mon, 7 Jan 2013

RE: Complaint # 96682901

[redacted]

The Better Business Bureau has been registered the above mentioned appeal from one of your clients as regards their business contacts with you. The details of the consumer's worry are available for review at a link below. Please give attention to this matter and notify us about your sight as soon as possible.

We graciously ask you to open the CLAIM REPORT to answer on this reclamation.

We are looking forward to your prompt answer.

Faithfully yours
Alex Green
Dispute Counselor
Better Business Bureau

Better Business Bureau
3063  Wilson Blvd, Suite 600  Arlington, VA 27201
Phone: 1 (703) 276.0100   Fax: 1 (703) 525.8277
 

This note was delivered to [redacted]. Don't want to receive these emails anymore? You can unsubscribe

====================

Date:      Tue, 8 Jan 2013 19:12:58 +0200 [12:12:58 EST]
From:      Better Business Bureau <donotreply@bbb.org>
Subject:      Better Business Beareau   Pretense ¹ C6273504
Priority:      High Priority 1

 Better Business Bureau ©
Start With Trust ©

Mon, 7 Jan 2013

RE: Issue No. C6273504

[redacted]

The Better Business Bureau has been registered the above said reclamation from one of your users in respect of their business contacts with you. The information about the consumer's anxiety are available visiting a link below. Please give attention to this problem and notify us about your mind as soon as possible.

We kindly ask you to overview the APPEAL REPORT to meet on this claim letter.

We are looking forward to your prompt rebound.

Yours respectfully
Julian Morales
Dispute Advisor
Better Business Bureau

Better Business Bureau
3013   Wilson Blvd, Suite 600  Arlington, VA 20701
Phone: 1 (703) 276.0100  Fax: 1 (703) 525.8277


This message was sent to [redacted]. Don't want to receive these emails anymore? You can unsubscribe
The malicious payload is on [donotclick]royalwinnipegballet.net/detects/occasional-average-fairly.php hosted on 89.207.132.144 (Snel Internet, Netherlands) which was hosting another attack site this morning (so best blocked in my opinion)


"Federal ACH Announcement" spam / cookingcarlog.net

This rather terse spam leads to malware on cookingcarlog.net:

From:     Federal Reserve Services@sys.frb.org [ACHR_59273219@fedmail.frb.org]
Date:     8 January 2013 15:11
Subject:     FedMail (R): Federal ACH Announcement - End of Day - 12/27/12

Please find the ACH Letter of Advice Reporting from the Federal Reserve System clicking here. 
The link in the email goes to an exploit kit on [donotclick]cookingcarlog.net/detects/occasional-average-fairly.php (report here) which is hosted on 89.207.132.144 (Snel Internet Services, Netherlands).

Added - a BBB spam is also doing the rounds with the same payload:

 Better Business Bureau ©
Start With Trust �

Mon, 7 Jan 2013

RE: Case N. 54809787

[redacted]

The Better Business Bureau has been recorded the above said claim from one of your customers in respect to their dealings with you. The detailed description of the consumer's worry are available for review at a link below. Please pay attention to this issue and communicate with us about your judgment as soon as possible.

We pleasantly ask you to click and review the CLAIM REPORT to meet on this claim letter.

We are looking forward to your prompt response.

WBR
Mason Turner
Dispute Consultant
Better Business Bureau

Better Business Bureau
3063   Wilson Blvd, Suite 600  Arlington, VA 22701
Phone: 1 (703) 276.0100  Fax: 1 (703) 525.8277

Malware sites to block 8/1/13

These IPs and domains appear to be active in malicious spam runs today:

41.168.5.140
42.121.116.38
62.76.186.24
82.165.193.26
91.224.135.20
110.164.58.250
187.85.160.106
210.71.250.131
belnialamsik.ru

Quite a few of these IPs have been used in multiple attacks, blocking them would be prudent.

Update: some sample emails pointing to a malicious landing page at  [donotclick]belnialamsik.ru:8080/forum/links/column.php:


Date:      Tue, 8 Jan 2013 10:05:55 +0100
From:      Shavonda Duke via LinkedIn [member@linkedin.com]
Subject:      Re: Fwd: Security update for banking accounts.

Dear Online Account Operator,

Your ACH transactions have been
temporarily disabled.
View details

Best regards,
Security department

================

Date:      Tue, 8 Jan 2013 01:31:43 -0300 [01/07/13 23:31:43 EST]
From:      FilesTube [filestube@filestube.com]
Subject:      Fwd: Re: Banking security update.

Dear Online Account Operator,

Your ACH  transactions have been
temporarily disabled.
 View details

Best regards,
Security department

Wednesday, 2 January 2013

Malware sites to block 2/1/13 part II

This summary is not available. Please click here to view the post.

Malware sites to block 2/1/13

The following sites and IPs seem to be active today, being pushed out by spam campaigns. I'll post email samples when I get them. Perhaps.

91.224.135.20
187.85.160.106
210.71.250.131

afjdoospf.ru
akionokao.ru
bilainkos.ru
bumarazhkaio.ru
bunakaranka.ru

Saturday, 29 December 2012

"How Fatima Started Islam" spam

This nasty anti-Islam email has been doing the rounds recently, I've received it several times over the past few months and decided that it was worth a closer look..

From:     Laurel Pettit [kqmdy@agenta.de]
Date:     27 December 2012 22:39
Subject:     Re: more infomation about islam

How Fatima Started Islam

A book like no other on this earth.  Not a few cartoons or an infantile movie trailer but 234 page novel which insults Islam like no other.  A parody of the always drunk proprietor of "Mohammad's Saloon & Brothel" with his completely ridiculous life exposed.  This moronic child molestating coward and fool who bumps his way through life oblivious to his manipulation as the figurehead of another new religion.  Learn about his adopted son and heir Ali, the biggest swish ever to sashay across Arabia while sadistically running Mecca's largest boy's brothel.  Only $9.99 to laugh at, mock, and ridicule those fanatics who do not enjoy being ridiculed.  A well written and extremely funny parody at Amazon.com.

http://www.amazon.com/How-Fatima-Started-Islam-Mohammads/dp/0578032902/ref=sr_1_1?ie=UTF8&qid=1339884134&sr=8-1&keywords=how+fatima+started+islam
 link to Amazon.com
https://www.amazon.com/How-Fatima-Started-Islam-Mohammads/dp/0578032902/ref
Observe the never sober Mohammad having sex with camels, pre-adolescent girls and boys, the mutilations, murders, terrorism, sneak attacks, back stabbings and mental illnesses.  Absolutely no other novel is similar.  Stick up for America by sticking it to Radical Islam.

Also: There is a subtle effort to dissuade Americans from buying or reading this parody.  The Mullahs of Radical Islam HATE the fact that we in the West can still purchase this book.  They are pressuring and threatening Amazon to stop offering the novel for sale.  They demand a world wide ban with criminal penalties under Sharia Law.  Out of 6,000,000 Amazon books "How Fatima Started Islam" has the second lowest review rating, why, because Amazon has been flooded with well over 100 negative reviews with the lowest possible rating, reviewers who openly state that they would never ever buy or read a book insulting The Prophet, yet they take the time to tell you not to read it.  The second lowest rating is a badge of honor, it shows how much the Ayatollahs of BAGHDAD and DAMASCUS and the murderous terrorist who killed our ambassador and burned our embassy in BENGHAZI  do not want you to buy HFSI. Do not let these radical tin pot madmen, who think they rule the world and everyone in it, dictate to you what you may or may not read; purchase this important, well written, and extremely funny book.

Well, they're right about one thing.. the reviews are terrible. And they're terrible because this has been spammed out on a regular basis.

But where does this spam come from? Here is the key part of the mail header:

Received: from [183.131.24.233] (port=1249 helo=mailbook.simalbok9v.com)
    by [redacted] with smtp (Exim 4.80)
    (envelope-from <kqmdy@agenta.de>)
    id 1ToM6k-0001GW-12
    for [redacted]; Thu, 27 Dec 2012 22:39:22 +0000
Received: from cpe-184-56-141-86.neo.res.rr.com (HELO cpe-184-56-141-86.neo.res.rr.com) ([184.56.141.86])
From: "Laurel Pettit" <kqmdy@agenta.de>


183.131.24.233 is an IP address in China (Zhejiang Telecom). The domain simalbok9v.com doesn't actually exist though, the mail relay was spoofing it. But it's the email address before it that gives a least a little clue as to the sender. 184.56.141.86 is a Road Runner subscriber in Cleveland, in the US.

Alas, it doesn't tell us who it is, but it DOES tell us that it originates from within the US, and this spam is illegal under the CAN-SPAM act.

Now, I'm quite curious as to who else has looked at the headers to see what pattern there is. And I'm open to the possibility that this could be a Joe Job. But I certainly ain't gonna buy that book..

Update: the spam is still doing the rounds and is still originating from a Road Runner subscriber at 184.56.141.86, but now there is a new Chinese mail relay at 122.240.59.40.

Received: from [122.240.59.40] (port=2892 helo=mailbook.simalbok9v.com)
    by [redacted] with smtp (Exim 4.80)
    (envelope-from <crvll@fresnosheriff.org>)
    id 1Tp6dX-00071A-Qk
    for [redacted]; Sun, 30 Dec 2012 00:20:20 +0000
Received: from cpe-184-56-141-86.neo.res.rr.com (HELO cpe-184-56-141-86.neo.res.rr.com) ([184.56.141.86])
From: "Brianna Collins" <crvll@fresnosheriff.org>

FedACH Announcement spam / incinteractive.net

This fake whatever-the-heck-it-is spam leads to malware on incinteractive.net:
Date:      Fri, 28 Dec 2012 22:45:28 +0900
From:      "Federal Reserve Banking Services@sys.frb.org" [ACHR_58976105@FedMail.frb.org]
Subject:      FedMail (R): FedACH Announcement - End of Day - 12/27/12

Please overview the ACH Advice Statement from the Federal Reserve System by clicking here.
The malicious payload is at [donotclick]incinteractive.net/detects/wishs_continually.php hosted on the well-known IP of 59.57.247.185 in China which also hosts these following malicious domains:

sessionid0147239047829578349578239077.pl
tv-usib.com
atsushitani.com
proxfied.net
incinteractive.net
timesofnorth.net
latticesoft.net
incinteractive.net


Friday, 28 December 2012

IRS Spam / tv-usib.com

This fake IRS spam leads to malware on tv-usib.com:
Date:      Thu, 27 Dec 2012 22:14:44 +0400
From:      Internal Revenue Service [information@irs.gov]
Subject:      Your transaction is not approved

Your Income Tax outstanding transaction (ID: 3870703170305), recently ordered for processing from your checking account was rejected by Internal Revenue Service payment processing unit.

Canceled Tax transfer
Tax Transaction ID:     3870703170305
Rejection ID     See details in the report below
Federal Tax Transaction Report     tax_report_3870703170305.pdf (Adobe Acrobat Document)

Internal Revenue Service 3192 Aliquam Rd. Edmond 65332 Oregon
The malicious payload is at [donotclick]tv-usib.com/detects/property-mass-dollar_figure.php hosted on the well-known IP of 59.57.247.185 in China. The following malicious domains appear to be on that IP:


sessionid0147239047829578349578239077.pl
tv-usib.com
proxfied.net
timesofnorth.net
latticesoft.net

Wednesday, 26 December 2012

NACHA spam / bunakaranka.ru:

This fake ACH / NACHA spam leads to malware on bunakaranka.ru:

Date:      Wed, 26 Dec 2012 06:48:11 +0100
From:      Tagged [Tagged@taggedmail.com]
Subject:      Re: Fwd: Banking security update.

Dear Online Account Operator,

Your ACH transactions have been
temporarily disabled.
View details

Best regards,
Security department
The malicious payload is on [donotclick]bunakaranka.ru:8080/forum/links/column.php hosted on the following well-known IPs:

91.224.135.20 (Proservis UAB, Lithuania)
187.85.160.106 (Ksys Soluções Web, Brazil)
210.71.250.131 (Chunghwa Telecom, Taiwan)


Plain list:
91.224.135.20
187.85.160.106
210.71.250.131

Associated domains:
bunakaranka.ru
afjdoospf.ru
angelaonfl.ru
akionokao.ru
apendiksator.ru
bilainkos.ru