Sponsored by..

Tuesday, 5 February 2013

Amazon.com spam / salam-tv.com

This fake Amazon email leads to malware on salam-tv.com:


Date:      Tue, 5 Feb 2013 18:32:06 +0100
From:      "Amazon.com Orders" [no-reply@amazon.com]
Subject:      Your Amazon.com order receipt.

    Click here if the e-mail below is not displayed correctly.
   
Follow us:                    
   
   
Your Amazon.com                         Today's Deals                 See All Departments    


Dear Amazon.com Customer,    
       

Thanks for your order, [redacted]!

Did you know you can view and edit your orders online, 24 hours a day? Visit Your Account.

Order Details:

E-mail Address: [redacted]
Billing Address:
1170 CROSSING CRK N Rd.
Fort Wayne OH 49476-1748
United States
Phone: 1- 749-787-0001

Order Grand Total: $ 91.99
   
Earn 3% rewards on your Amazon.com orders with the Amazon Visa Card. Learn More

Order Summary:
Details:
Order #:     C59-2302433-5787713
Subtotal of items:     $ 91.99
    ------
Total before tax:     $ 91.99
Tax Collected:     $0.00
    ------
Grand Total:     $ 90.00
Gift Certificates:     $ 1.99
    ------
Total for this Order:     $ 91.99
       
       
   
Find Great Deals on Millions of Items Storewide
We hope you found this message to be useful. However, if you'd rather not receive future e-mails of this sort from Amazon.com, please opt-out here.

� 2012 Amazon.com, Inc. or its affiliates. All rights reserved. Amazon, Amazon.com, the Amazon.com logo and 1-Click are registered trademarks of Amazon.com, Inc. or its affiliates. Amazon.com, 466 Sally Ave. N., Seattle, MA 71168-8282. Reference: 25090571

Please note that this message was sent to the following e-mail address: [redacted]
The malicious payload should be at [donotclick]salam-tv.com/detects/visit_putts.php but at the moment this domain doesn't seem to be resolving properly. A bit of digging around shows that it may be hosted on 198.144.191.50 (Chicago VPS, US) and the following malicious domains can be traced to that IP address:
morepowetradersta.com
capeinn.net
starsoftgroup.net
salam-tv.com
   

Monday, 4 February 2013

01530 561700: PPI refund cold callers are also PPI mis-sellers

Quick version:  01530 561700 is a PPI claims company trading as ABC Claims Management, but the people involved have been directors of a firm fined for PPI mis-selling. If you really want to wind them up, say you were mis-sold PPI by a firm called Hadenglen.

Long version:
PPI refund cold callers are annoying, and are almost always dishonest scumbags who claim that you are eligible for a PPI refund, but in fact they have no idea about who you are and nor do they have access to your financial records.

But there's more to the folks calling from 01530 561700 than meets the eye. The claims management company calling from this number is called ABC Claims Management (abc-inc.co.uk) who quote an address of:

York House
Smisby Road
Ashby de la Zouch
Leicestershire
LE65 2UG

A look at the WHOIS details give a nearby address:
Domain name:
        abc-inc.co.uk

    Registrant:
        HADENGLEN PLC

    Registrant type:
        Unknown

    Registrant's address:
        Hadenglen House Marlborough Square
        Leicestershire
        COALVILLE
        LE67 3WD
        United Kingdom


They list the owner as Hadenglen plc. Unlike many PPI claims firms, Hadenglen knows all about PPI.. because it and its boss were fined £182,000 in 2007  for PPI mis-selling. Hadenglen is no longer authorised to sell mortgages and there is a proposal to strike it off the register at Companies House.

The telephone number is closely associated with Hadenglen, both ABC and Hadenglen share the same address of:
SMISBY ROAD
ASHBY DE LA ZOUCH
LEICS
LE65 2UG
..and of course, Hadenglen registered the domain name.

Of course, the real gotcha is that two of the directors of ABC Incorporation Ltd are Paul Butler and Richard Hayes who were both directors of.. you guessed it.. Hadenglen. Indeed, Mr Hayes was fined £49,000 for his part in the Hadenglen PPI mis-selling.

You could argue that poachers make the best gamekeepers, and the directors of a firm that was involved in PPI mis-selling might be the best people to make a claim. Or you might think otherwise. But why pay someone to do it (which could be thousands of pounds) when you can do it for free?

Update:  the scammers from ABC rang me again, and the woman calling identified the company but said she had never heard of her directors of Hadenglen.. which I very much doubt. I advised her to fuck off and leave me alone.

Phytiva / XCHC pump-and-dump

This pump-and-dump spam (at least I assume that's what it is) caught my eye,

From:     Hugh Crouch [tacticallyf44@riceco.com]
Date:     4 February 2013 12:39
Subject:     RE: Targeting the global Cosmoceutical market

US leading biotech company is please to introduce a newly launched brand - a hybrid of a proven, existing product line that has been well-managed and conservatively-run for over a decade with a hemp-based product line, utilizing the unique and potent benefits of the plants. Revolutionary formulations target not just the symptom, but also the cause. The plant is the ideal basis for healing solutions and has been utilized for centuries, as skin responds extremely well to its properties.

Its newest Plant based Product lines that have identified over a dozen ailments that we believe that the products will be the superior choice on the market. These ailments include cancer, arthritis, influenza, HIV/ AIDS, PTSD and many more.

We are looking for leading beauty and health care investors. If you are dedicated to making difference in people”s lives, we need your help now more than ever before toprovide excellent and efficient medical and health care for our future researches.
 
For more information, please visit

You can unsubscribe from all our future email communications at
The email originates from 31.25.91.159 in the Islamic Republic of Iran, spamvertising a site at www.xn--80aakfmpm2afbm.xn--p1ai (yes, that's a valid international domain name) hosted on 111.123.180.11 in China. In all likelihood, Phytiva and its parent company The X-Change Corporation (stock ticker XCHC) are almost definitely nothing to do with this rather odd spam. Avoid.

Something evil on 108.61.12.43 and 212.7.192.100

A few sites worth blocking on 108.61.12.43 (Constant Hosting, US) courtesy of Malware Must Die:
helloherebro.com
painterinvoice.ru
painterinvoicet.ru
immediatelyinvoicew.ru

While you are at it, you might like to block 212.7.192.100 (Dediserv, Netherlands) as well.

StumbleUpon spam / drugstorepillstablets.ru

This fake StumbleUpon spam is something new, it leads to a fake pharma site on drugstorepillstablets.ru:

Date:      Mon, 4 Feb 2013 01:01:46 -0600 (CST)
From:      StumbleUpon [no-reply@stumblemail.com]
Subject:      Update: Changes to Your Email Settings

   

Hi [redacted],

This is a quick note to let you know about some changes we've made to the email settings in your StumbleUpon account. We've created a bunch of new notification options that allow you to have more control over what types of emails you'll receive from us. These new notification options are not compatible with the old settings, so your settings have been reset. We apologize for any inconvenience, and want to make sure we only send you the emails you want to receive.

Now what? Please click here to head over to your email settings and update your preferences, so we know exactly what emails you'd like to receive from StumbleUpon.

Want to receive all notifications about shares from friends, recommended Stumbles, and more? Great, you don't have to do anything at all!

Thanks for Stumbling,

The StumbleUpon Team

P.S. Haven't signed in for a while and can't remember your password? You can reset it here by entering the email address used in this email.
   
   

Please don't reply to this message - for all questions, check out our Help Center. To visit your email settings, please click here.

StumbleUpon | 301 Brannan Street, 6th Floor, San Francisco, CA 94107
There's no surprise to see that the IP address of the spamvertised site is 92.48.119.139 (Simply Transit, UK) along with the following other possibly spammy sites:

ariseharsh.info
biah.ru
birthmed.com
carepillshealthcare.com
climbedwelness.com
drugripdrugshealth.ru
drugstorepharmacycenterline.com
drugstorepillstablets.ru
dvicemedicalrx.net
fatdietrx.com
genericsperrigo.com
goaddscan.com
gokeyscan.com
gorayscan.com
healthviagracare.com
healthwiblackwell.com
herbalwelgarcinia.net
ipadiet.net
ladenlismeds.com
lxie.ru
mail.carepillshealthcare.com
mediamoviestar.com
medicalwelhealthcare.com
medicaremedsromney.net
medpillsprescription.com
movietestworld.com
mytabhealth.com
ongy.ru
pharmacycialismeningitis.net
physicianslnesshealth.com
pilltabletsfitness.eu
rxdrugstorewalgreens.com
tabletspharmacynutrition.ru
tabletspharmacywellbeing.ru
tabpharmacyhealth.ru
theviagrahealth.com
treatmentsdrugstorepharmacy.ru
vikingsnotdead.com


Friday, 1 February 2013

Something evil on 50.116.40.194

50.116.40.194 (Linode, US) is hosting the Blackhole Exploit Kit (e.g. [donotclick]14.goodstudentloans.org/read/walls_levels.php - report here) and seems to have been active in the past 24 hours. I can see two domains at present, although there are probably many more ready to go:

14.goodstudentloans.org
14.mattresstoppersreviews.net

Photos spam / eghirhiam.ru

Here's a tersely-worded Photos spam leading to malware on eghirhiam.ru:

Subject: Photos

Good day,
your photos here http://www.jonko.com/photos.htm
As is usually the case, the malware bounces through a legitimate hacked site and in this case ends up at [donotclick]eghirhiam.ru:8080/forum/links/public_version.php (report here) hosted on:

82.148.98.36 (Qatar Telecom, Qatar)
195.210.47.208 (PS Internet Company Ltd, Kazakhstan)
202.72.245.146 (Railcom, Mongolia)

The following IPs and domains are all related and should be blocked:
82.148.98.36
195.210.47.208
202.72.245.146
bananamamor.ru
damagalko.ru
dekamerionka.ru
dfudont.ru
disownon.ru
dmpsonthh.ru
dmssmgf.ru
dumarianoko.ru
eghirhiam.ru
epiratko.ru
esekundi.ru
evkotnka.ru
evskindarka.ru
evujalo.ru
exiansik.ru
eziponoma.ru

Thursday, 31 January 2013

Wednesday, 30 January 2013

FDIC spam / 1wstdfgh.organiccrap.com

Here's a slightly new spin on old spam, leading to malware on 1wstdfgh.organiccrap.com:

Date:      Wed, 30 Jan 2013 16:16:32 +0200
From:      "Тимур.Носков@fdic.gov" [midshipmanc631@buprousa.com]
Subject:      Important notice from FDIC

Attention!

Due to the adoption of a new security system, that is aimed at diminishing the number of cases of fraud and scams, all your ACH and WIRE transactions will be temporarily blocked until your security version meets the new requirements.. In order to restore your ability to make transactions, you are required to install a special security software. Please use the link below to download and install all the necessary files.

We apologize for causing you troubles by this measure.
If you need any assistance, please do not hesitate to contact us.

Sincerely yours,

Federal Deposit Insurance Corporation
Security Department
The link in the email goes through a legitimate hacked site (in this case [donotclick]www.edenespinosa.com/track.php?fdic) to the amusingly named [donotclick]1wstdfgh.organiccrap.com/closest/984y3fh8u3hfu3jcihei.php (report here) hosted on 91.218.121.86 (CoolVDS / Kutcevol Maksum Mukolaevichm, US) which hosts the following suspect domains that you might want to block:

1wstdfgh.organiccrap.com
23v4tn6dgdr.organiccrap.com
v446numygjsrg.mymom.info
3vbtnyumv.ns02.us
crvbhn7jbtd.mywww.biz


Intelius spam (or is it a data breach?)

This spam was sent to an email address only used for register for intelius.com. Either there has been a data breach at Intelius, or they have decided to go into the gambling business.

From:     Grand Palace Slots [no-reply@tsm-forum.net]
Date:     30 January 2013 10:39
Subject:     Try to play slots - 10$ free
Mailed-By:     tsm-forum.net

Feel the unique excitement of playing at the world's premiere games!

Grand Palace gives you welcome package for slots up to 8,000$! What a fantastic offer, straight from the heart of World's gaming leader!

This is a great offer, especially when you see what else Grand Palace has to offer:

- US players welcome
- more than 100 fun games, realistic graphics
- the most secure and up-to-date software
- professional support staff to help you with whatever you might need, any time of the day or night!

And in the end we want to give you 10$ absolutelly free! (Use code CASH10)

Hurry up! Your free Grand Palace cash is waiting! Play Today!

http://www.igrandpalacegold.com


=========================================================
Click here to opt out of this email:
http://unsubscribe.igrandpalacegold.com

The originating IP is 176.200.202.100 (Telecom Italia, Italy), spamvertised site is www.igrandpalacegold.com on 91.217.52.125 (Fajncom SRO, Czech Republic) and is registered to:

    Klemens Chmielewski
    Klemens Chmielewski        (calder@igrandpalacegold.com)
    ul. Czerniowiecka 78
    Warszawa
    Warszawa,02-705
    PL
    Tel. +48.722514299

I'm assuming that Intelius doesn't want to promote what would be illegal gambling for US citizens, which really leads just one other option..

Monday, 28 January 2013

"Most recent events on Facebook" spam / gonita.net

This fake Facebook spam leads to malware on gonita.net:


Date:      Mon, 28 Jan 2013 17:30:50 +0100
From:      "Facebook" [addlingabn2@bmatter.com]
Subject:      Most recent events on Facebook

facebook   
Hi [redacted],
You have disabled your Facebook account. You can reveal your account whenever you wish by logging into Facebook with your old login email address and password. After that you will be able to enjoy the site in the same way as before.
Kind regards,
The Facebook Team
   
Log in to Facebook and start connecting
Sign in

Please use the link below to resume your account :
http://www.facebook.com/resume/
This message was sent to [redacted]. If you don't want to receive these emails from Facebook in the future, please click: unsubscribe.
Facebook, Inc. Attention: Department 419 P.O Box 10007 Palo Alto CA 94301

The malicious payload is at [donotclick]gonita.net/detects/sign_on_to_resume.php (report here) hosted on the well-known IP of 222.238.109.66 (Hanaro Telecom, Korea).

The following malicious domains are active on the same IP:
morepowetradersta.com
kendallvile.com
alphabeticalwin.com
ehadnedrlop.com
postofficenewsas.com
prepadav.com
masterseoprodnew.com
vespaboise.net
duriginal.net
shininghill.net
euronotedetector.net
fx-points.net
africanbeat.net
ensconcedattractively.biz
gonita.net

Zbot sites to block 28/1/13

These domains and IPs are currently acting as C&C and distribution servers for Zbot. I would advise blocking these IPs and domains if you can.

There are three parts to the list: IPs with hosting company names, plain IPs for copy-and-pasting and domains identified on these servers.

5.45.181.164 (Bradler & Krantz, Germany)
5.175.148.207 (GHOSTnet, Germany)
24.126.203.109 (Comcast, US)
31.170.106.13 (Bradler & Krantz, Germany)
37.26.244.86 (Digicube, France)
37.59.76.3 (OVH, Netherlands)
42.96.136.158 (Alibaba, China)
43.101.119.123 (Kokusai-kougyou-kanda Bldg., Japan)
46.249.46.182 (Serverius, Netherlands)
50.19.77.237 (Amazon, US)
50.31.99.126 (Steadfast Networks, US)
59.90.147.31 (BSNL Internet, India)
59.167.120.210 (Internode, Australia)
64.221.210.108 (XO Communications, US)
69.65.47.245 (Bodhost, US)
69.85.92.155 (Hostigation, US)
72.66.16.146 (Verizon, US)
73.123.5.128 (Comcast, US)
80.152.149.121 (Deutsche Telekom, Germany)
84.253.2.244 (Cybernet, Switzerland)
85.93.219.253 (Visual Online, Luxembourg)
88.88.101.162 (Telenor Norge, Norway)
91.121.248.127 (OVH, Spain)
92.21.156.70 (TalkTalk, UK)
92.146.246.96 (France Telecom, France)
93.92.207.86 (Saint-Petersburg Computer Networks Ltd, Russia)
94.76.234.163 (Simply Transit, UK)
95.225.161.106 (Telecom Italia, Italy)
99.169.151.134 (SBC Internet Services, US)
101.89.80.132 (China Telecom, China)
115.153.226.65 (China Telecom, China)
118.41.184.73 (Kornet, Korea)
119.252.162.18 (Comnets Plus, Indonesia)
123.224.196.84 (Open Computer Network, Japan)
125.63.91.52 (Spectra ISP, India)
128.32.149.121 (University Of California, US)
141.0.176.155 (Avantel, Russia)
141.0.176.231 (Avantel, Russia)
159.253.20.217 (FastVPS, Estonia)
166.111.143.248 (Tsinghua University, China)
173.213.112.245 (Eonix Corporation, US)
176.56.229.201 (RouteLabel, Netherlands)
184.82.187.181 (HostNOC, US)
189.75.96.19 (Brasil Telecom, Brazil)
193.254.233.242 (Teleradiocompany Soniko-Svyaz Ltd, Ukraine)
202.57.189.141 (Internet Service Provider Co. Ltd., Thailand)
209.207.112.195 (Treasuremart, Canada)
210.56.15.19 (COMSATS, Pakistan)
211.20.45.138 (Chunghwa Telecom, Taiwan)
216.224.176.47 (Earthlink, US)

5.45.181.164
5.175.148.207
24.126.203.109
31.170.106.13
37.26.244.86
37.59.76.3
42.96.136.158
43.101.119.123
46.249.46.182
50.19.77.237
50.31.99.126
59.90.147.31
59.167.120.210
64.221.210.108
69.65.47.245
69.85.92.155
72.66.16.146
73.123.5.128
80.152.149.121
84.253.2.244
85.93.219.253
88.88.101.162
91.121.248.127
92.21.156.70
92.146.246.96
93.92.207.86
94.76.234.163
95.225.161.106
99.169.151.134
101.89.80.132
115.153.226.65
118.41.184.73
119.252.162.18
123.224.196.84
125.63.91.52
128.32.149.121
141.0.176.155
141.0.176.231
159.253.20.217
166.111.143.248
173.213.112.245
176.56.229.201
184.82.187.181
189.75.96.19
193.254.233.242
202.57.189.141
209.207.112.195
210.56.15.19
211.20.45.138
216.224.176.47

advstar.com
aldio.ru
askwhite.net
atkit.ru
autocanonicals.com
billablelisten.pl
bioshift.net
boxtralsurvisv.pl
cflyon.ru
cipriotdilingel.ru
confloken.ru
dinitrolkalor.com
dobar.pl
dqnouce.ru
encounterkaspe.pl
evamaro.ru
fearedembracin.su
fitoteafclope.pl
gellax.com
haicut.com
htimemanagemen.su
indianayellow.net
infocyber.pl
jintropictonic.pl
kcrio-oum.com
litfors.com
mypicshare.net
namelesscorn.net
netfest.pl
ntrolingwhitel.pl
orlandotenerife.net
phicshappening.com
photoshopya.net
porkystory.net
quliner.ru
rolino.pl
sadertokenupd.ru
secmicroupdate.ru
secondhandfurnitur.com
seldomname.com
sminiviolatede.pl
stadionservisecheck.ru
steppinglegalzoom.com
stockanddraw.net
suggestedlean.com
svictrorymedia.ru
trainyardscree.pl
uawxaeneh.com
usergateproxy.net
weatherrecord.net
widexsecconnect.ru
youhavegomail.com

Friday, 25 January 2013

UPS spam / eziponoma.ru

This fake UPS spam leads to malware on eziponoma.ru:

From: messages-noreply@bounce.linkedin.com [mailto:messages-noreply@bounce.linkedin.com] On Behalf Of LinkedIn Password
Sent: 25 January 2013 04:12
Subject: UPS Tracking Number H0931698016

You can use UPS Services to:
 Ship Online
 Schedule a Pickup
 Open a UPS Services Account
    
Welcome to UPS .com Customer Services
Hi, [redacted].

DEAR CLIENT , RECIPIENT'S ADDRESS IS WRONG

PLEASE PRINT OUT THE INVOICE COPY ATTACHED AND COLLECT THE PACKAGE AT OUR DEPARTMENT.

With Respect , Your UPS Customer Services.    


    ________________________________________
Copyright 2011 United Parcel Service of America, Inc. UNITED STATES POSTAL SERVICES, the Your USPS TEAM brandmark, and the color brown are trademarks of United Parcel Service of America, Inc. All rights reserved.
Please do not reply directly to this e-mail. USPS CUSTOMER SERVICES will not receive any reply message. For questions or comments, visit Contact UPS.
We understand the importance of privacy to our customers. For more information, please consult the USPS Team Privacy Policy.
This communication contains proprietary information and may be confidential. If you are not the intended recipient, the reading, copying, disclosure or other use of the contents of this e-mail is strictly prohibited and you are instructed to please delete this e-mail immediately.    
The malicious payload is at [donotclick]eziponoma.ru:8080/forum/links/column.php which is hosted on:

94.23.3.196 (OVH, France)
195.210.47.208 (PS Internet Company, Kazakhstan)
202.72.245.146 (Railcom, Mongolia)

FedEx spam / vespaboise.net

This fake FedEx spam leads to malware on vespaboise.net:


Date:      Fri, 25 Jan 2013 15:39:33 +0200
From:      services@fedex.com
Subject:      FedEx Billing - Bill Prepared to be Paid

    FedEx Billing - Bill Prepared to be Paid
        fedex.com        
       
[redacted]

You have a new invoice(s) from FedEx that is prepared for discharge.

The following invoice(s) are ready for your overview:

Invoice Number
   
Invoice Amount
2-649-22849
   
49.81
1-181-19580
   
257.40

To pay or overview these invoices, please log in to your FedEx Billing Online account proceeding this link: http://www.fedex.com/us/account/fbo

Note: Please do not use this email to submit payment. This email may not be used as a remittance notice. To pay your invoices, please visit FedEx Billing Online, http://www.fedex.com/us/account/fbo


Thank you,

Revenue Services

FedEx

Please Not try to reply to this message. auto informer system cannot accept incoming mail.

The content of this message is protected by copyright and trademark laws under U.S. and international law.

review our privacy policy . All rights reserved.

The malicious payload is at [donotclick]vespaboise.net/detects/invoice_overview.php which is on the very familiar IP address of 222.238.109.66 (Hanaro Telecom, Korea) which has been used in several recent attacks.. blocking it would be prudent.

Thursday, 24 January 2013

ADP spam / 14.sofacomplete.com

This fake ADP spam leads to malware on 14.sofacomplete.com:

From:     Erna_Thurman@ADP.com Date:     24 January 2013 17:48
Subject:     ADP Generated Message: Final Notice - Digital Certificate Expiration

This e-mail has been sent from an automated system. PLEASE DO NOT REPLY. If you have any questions, please contact your administrator for assistance.

---------------------------------------------------------------------
Digital Certificate About to Expire
---------------------------------------------------------------------
The digital certificate you use to access ADP's Internet services is about to expire. If you do not renew your certificate by the expiration date below, you will not be able to access ADP's Internet services.

Days left before expiration: 1
Expiration date: Jan 25 23:59:59 GMT-03:59 2013

--------------------------------------------------------------------
Renewing Your Digital Certificate
---------------------------------------------------------------------
1. Go to this URL: https://netsecure.adp.com/pages/cert/register2.jsp

2. Follow the instructions on the screen.

3. Also you can download new digital certificate at https://netsecure.adp.com/pages/cert/pickUpCert.faces.

---------------------------------------------------------------------
Deleting Your Old Digital Certificate
---------------------------------------------------------------------
After you renew your digital certificate, be sure to delete the old certificate. Follow the instructions at the end of the renewal process.

The malicious payload is at [donotclick]14.sofacomplete.com/read/saint_hate-namely_fails.php hosted on 173.246.103.26 (Gandi, US). These other malicious domains are also visible, there may be more:

14.sofacomplete.com
14.onlinecollegecomplete.com
14.technicianinformations.com

Update, these additional sites are on the same server:
14.internationalscholarships.org
14.igeekygadgets.com

Fake pharma sites 24/1/13

Here's an updated list of fake RX sites being promoted through vague spam like this:


Date:      Thu, 24 Jan 2013 04:44:45 +0000 (GMT)
From:      "Account Info Change" [noreply@etraxx.com]
Subject:      Updated information

Attention please:


- Over 50 new positions added (view recently added products)
- Free positions included with all accounts (read more here)
- The hottest products awaiting you in the first weeks of the new year (read more here)
- We want you to feel as comfortable as possible while you?re at our portal.


Click Here to Unsubscribe
As with a few days ago, these sites are hosted on:
199.59.56.59 (Hostwinds, Australia)
209.236.67.220 (WestHost Inc, US)

Currently active spamvertised sites are as follows:
adderallsprescription.com
annotatedtabmed.com
caloriesab.com
canadaviagracent.com
caregiverskicare.net
centerlinedrugstore.net
cheaptabletsdrugstore.ru
clubmedspills.ru
dosedrugstorepills.ru
drugriphealthdrugs.ru
drugshealthpharmacy.ru
drugshealthrx.ru
drugstabletsfitness.ru
drugstorecapspills.ru
drugstoredosespills.ru
drugstorepharmacycenterline.com
drugstorepharmacypillstablets.ru
drugstorepill.com
drugstorepillsrx.ru
drugstorerxhealth.ru
drugstorerxpills.ru
drugtorehealthmeds.ru
drugtoremedicinesrx.ru
drugtorenutritiontablets.ru
drugtorepillsfitness.ru
drugtorepillsnutrition.ru
drugtoretabletsdrugstore.ru
drugtoretabletspharmacy.ru
drugtoretabletsrx.ru
experienced.healthcarewimedical.com
fitnessmedsrx.ru
fitnesspharmacypills.ru
fitnesspillsrx.ru
genericpillstablets.ru
gokeyscan.com
healthcarehealthcare.com
healthcarerxpharmacy.ru
healthmedsrx.ru
healthpillsrx.ru
israeltrapharm.com
kzqaooiw.com
marijuanarxmedicine.com
medicaidmeds.com
medicalmedspatients.com
medicinetoretabletspharmacy.ru
medpillsprescription.com
memoglobalmedia.com
nislevitra.com
northwesternlevitrapills.net
nutritionpill.ru
ozzaltinza.com
parisdrugstore.ru
patientswelnesshealthcare.com
pharmacyhealthcarerx.ru
pharmacypillspharmacy.ru
pharmacytabletstabs.ru
pharmacytabletstreatments.ru
pharmacywellbeing.ru
pilldrugstoregroup.com
pillmedicalhospital.pl
pillpharmacymeds.ru
pillsaleshoppers.com
pillsmedicalsrx.ru
pillsphysicpharma.ru
prescriptioncialteens.com
prescriptiondrugwalmart.com
ricecialis.com
rxcaution.com
sedationmed.com
tabcalories.com
tabspharmacytablets.ru
zury.ru

"Efax Corporate" spam / epimarkun.ru

This fake eFax spam leads to malware on epimarkun.ru:

Date:      Thu, 24 Jan 2013 04:04:42 +0600
From:      Habbo Hotel [auto-contact@habbo.com]
Subject:      Efax Corporate
Attachments:     Efax_Corporate.htm



Fax Message [Caller-ID: 963153883]

You have received a 28 pages fax at Thu, 24 Jan 2013 04:04:42 +0600, (157)-194-4168.

* The reference number for this fax is [eFAX-009228416].

View attached fax using your Internet Browser.


� 2013 j2 Global Communications, Inc. All rights reserved.
eFax � is a registered trademark of j2 Global Communications, Inc.

This account is subject to the terms listed in the eFax � Customer Agreement.
There is an attachment called Efax_Corporate.htm leading to a malicious payload at [donotclick]epimarkun.ru:8080/forum/links/column.php which is hosted on the following IPs:

50.31.1.104 (Steadfast Networks, US)
94.23.3.196 (OVH, France)
202.72.245.146 (Mongolian Railway Commercial Center, Mongolia)

These IPs and domains are all malicious:
50.31.1.104
94.23.3.196
202.72.245.146
dmssmgf.ru
esekundi.ru
esenstialin.ru
disownon.ru
epimarkun.ru
damagalko.ru
dumarianoko.ru
epiratko.ru
dfudont.ru

Wednesday, 23 January 2013

NACHA spam / canonicalgrumbles.biz

This fake NACHA spam leads to malware on canonicalgrumbles.biz:

Date:      Wed, 23 Jan 2013 16:55:46 +0100
From:      ".Анисимов@direct.nacha.org" [throttled2@inneremitte.de]
Subject:      Direct Deposit payment was declined

Attn: Accounting Department

We regret to inform you, that your latest Direct Deposit transaction (#432007776488) was declined,because of your current Direct Deposit software being out of date. The detailed information about this matter is available in the secure section of our web site:

Click here for more information

Please contact your financial institution to get the necessary updates of the Direct Deposit software.

Kind regards,

ACH Network Rules Department
NACHA - The Electronic Payments Association


10608 Sunrise Valley Drive, Suite 452
Herndon, VA 20169
Phone: 703-561-4685 Fax: 703-787-1154
The malicious payload is at [donotclick]canonicalgrumbles.biz/closest/984y3fh8u3hfu3jcihei.php (report here) hosted on 93.190.46.138 (Ukranian Hosting / ukrainianhosting.com)

I've seen other malware servers in 93.190.40.0/21 before, I would recommend blocking the whole lot.

H Seal and Company fake job offer

H Seal is a real, legitimate firm. This email is not from H Seal, but a criminal organisation wanting to recruit people for money laundering and other unlawful activities. Originating IP is 199.254.123.20 (Intermedia, US)  and the Reply-To address is john_jackson1976@yahoo.com.ph which indicates someone in the Philppines.

From:     H. Seal & Company Ltd [jonjack7745@yahoo.com.ph]
Reply-To:     john_jackson1976@yahoo.com.ph
Date:     23 January 2013 12:38
Subject:     Would you like to work online from Home/Temporarily.

Hello.


Would you like to work online from Home/Temporarily.
We are glad to offer you a job position without paying for application.


 Our Company H. Seal & Company Ltd are into Insurance, Buying and Selling cars, Incidents and Accidents Insurance. with numerous customers home and abroad. We need a representative in the Asia, Japan, china, Europe, South Africa, USA, CA, and Australia. who will be in charge of all our payment from clients/customers in Asia, Europe, Canada, and Usa


Your tasks are:


 1. Receive payment from our Customers through mail: (DHL, FEDEX, UPS OR OTHER FORM OF DELEIEVERY)
 2. Cash it at your Bank
 3. Deduct 10% which will be your percentage/pay on Payment processed
 4. Forward balance after deduction of percentage/pay to any of the offices
 you will be contacted to send payment to.
 Payment is to be forwarded either by Money Gram or Western Union Money
 Transfer. A local Money transfer takes barely hours, so it will give us a possibility to get customer payment almost  immediately.


 Kindly provide us with the requested details below if you are interested.


 Full Name
 Full Address
 Bank Name
 City:
 State:

 Zip Code:

Country:
Phone:
Age:
present or prev job:
Can you Check email at least twice Daily?
 ========================


 You are to respond to this offer by clicking reply to this message and filling the required information where necessary.

 We await your urgent response.Thank you for your help. We look forward to working with you.
 Regards
 John Jackson



Corporate eFax spam / 13.carnovirious.net

This spam is leading to malware on 13.carnovirious.net, a domain spotted earlier today.. but one that has switched server to 74.91.117.49 since then.

From:     Corporate eFax [message@inbound.efax.com] via luther.k12.wi.us
Date:     23 January 2013 15:52
Subject:     Corporate eFax message - 4 pages
Mailed-by:     luther.k12.wi.us


Fax Message [Caller-ID: 607-652-2962]
You have received a 4 pages fax at 2013-01-23 12:00:13 GMT.

* The reference number for this fax is min1_did27-5667781893-3154150936-31.

View this fax using your PDF reader.

Click here to view this message

Please visit www.eFax.com/en/efax/twa/page/help if you have any questions regarding this message or your service.
Thank you for using the eFax service!
Home Contact Login
Powered by j2
2013 j2 Global Communications, Inc. All rights reserved.
eFax is a registered trademark of j2 Global Communications, Inc.
This account is subject to the terms listed in the eFax Customer Agreement.

The spam leads to an exploit kit on [donotclick]13.carnovirious.net/read/persons_jobs.php hosted on 74.91.117.49 by Nuclear Fallout Enterprises. You should probably block 74.91.117.50 as well.


The following domains are on these two IPs:
13.jonemnominik.net
13.lomerdaster.net
13.zabakarvester.net
13.carnovirious.net
13.blumotorada.net

USPS spam / euronotedetector.net

This fake USPS spam leads to malware on euronotedetector.net:

From: USPS Quantum View [mailto:notify@usps.com]
Sent: 23 January 2013 14:33
Subject: Your USPS postage labels charge.


Acct #: 2377203

[redacted]

This is an email confirmation for your order of 5 online shipping label(s) with postage. Your credit card will be charged the following amount:

Transaction ID: #9724602
Print Date/Time: 01/21/2013 02:05 PM EST
Postage Amount: $21.80
Credit Card Number: XXXX XXXX XXXX XXXX

Overnight Mail Regional Rate Box B # 7184  5899 9548 5735 5133 (Sequence Number 1 of 1)
   

If you need further assistance, please log on to www.usps.com/clicknship and go to your Shipping History or visit our Frequently Asked Questions .

Refunds for unused postage-paid labels can be requested online up to 10 days after the issue date by logging on to your Click-N-Ship Account.

Thank you for choosing the United States Postal Service

Click-N-Ship: The Online Shipping Solution

Click-N-Ship has just made on line shipping with the USPS even better.

New Enhanced International Label and Customs Form: Updated Look and Easy to Use!

* * * * * * * *

This is a post-only message. Please do not respond
The malicious payload is at [donotclick]euronotedetector.net/detects/updated_led-concerns.php hosted on the familiar IP address of 222.238.109.66 (Hanaro Telecome, Korea) which has been used in several recent attacks.

The following malicious domains are on the same IP:
kendallvile.com
seoseoonwe.com
alphabeticalwin.com
ehadnedrlop.com
bestwesttest.com
prepadav.com
masterseoprodnew.com
cocolspottersqwery.com
teamrobotmusic.net
shininghill.net
africanbeat.net
euronotedetector.net



BT Business spam / esenstialin.ru

This fake BT Business spam leads to malware on esenstialin.ru:


Date:      Wed, 23 Jan 2013 05:18:56 +0100
From:      MackenzieCronin@[victimdomain]
Subject:      BT Business Direct Order
Attachments:     DeliveryTR992802.htm


Notice of delivery

Hi,

We're pleased to confirm that we have now accepted and despatched your order on Wed, 23 Jan 2013 05:18:56 +0100.

Unless you chose a next day or other premium delivery service option, then in most cases your order will arrive within 1-3 days. If we despatched your order via Letterpost, it may take a little longer.

***Please note that your order may have shipped in separate boxes and this means that separate consignment numbers may be applicable***

We've despatched...

..using the attached shipment details...
Courier     Ref     Carriage method
Royal Mail     53792837735     1-3 Days

Please note that you will only be able to use this tracking reference once the courier has scanned the parcel into their depot. Please allow 24 hours from the date of this email before tracking your parcel online.

For information on how track your delivery, please follow to attached file.

Important information for Yodel deliveries:

If your consignment number starts with KN8053154 your delivery will require a signature. If there is no-one at the delivery address to sign for the goods a card will be left containing the contact details of the courier so that you can re-arrange delivery or arrange a collection.


The malicious payload is on [donotclick]esenstialin.ru:8080/forum/links/column.php hosted on the following IPs:

50.31.1.104 (Steadfast Networks, US)
91.224.135.20 (Proservis UAB, Lithunia)

Something evil on 74.91.117.50

OK, I can see just two malicious domains on 74.91.117.50 but they are currently spreading an exploit kit through this spam run.

The domain is allocated to Nuclear Fallout Enterprises who often seem to host malware sites like this, so there's a good chance that more evil will turn up on this IP.

These are the domains that I can see right now:
13.blumotorada.net
13.carnovirious.net

The domains are registered wit these apparently fake details:
Glen Drobney office@glenarrinera.com
1118 hagler dr
neptune bch
FL
32266
US
Phone: +1.9044019773


Since there will almost definitely be more malicious domains coming up on this IP, it is well worth blocking.

Tuesday, 22 January 2013

ADP spam / elemikn.ru

This fake ADP spam potentially leads to malware on elemikn.ru:


Date:      Tue, 22 Jan 2013 12:25:06 +0100
From:      LinkedIn [welcome@linkedin.com]
Subject:      ADP Immediate Notification

ADP Immediate Notification
Reference #: 815979361

Tue, 22 Jan 2013 12:25:06 +0100
Dear ADP Client

Your Transfer Record(s) have been created at the web site:

https://www.flexdirect.adp.com/client/login.aspx

Please see the following notes:

    Please note that your bank account will be debited within one banking business day for the amount(s) shown on the report(s).
    Please do not respond or reply to this automated e-mail. If you have any questions or comments, please Contact your ADP Benefits Specialist.


This note was sent to acting users in your system that approach ADP Netsecure.

As usual, thank you for choosing ADP as your business affiliate!

Ref: 286532564

HR. Payroll. Benefits.

The ADP logo and ADP are registered trademarks of ADP, Inc.
In the business of your success is a service mark of ADP, Inc.
© 2013 ADP, Inc. All rights reserved.


The malicious payload is at [donotclick]elemikn.ru:8080/forum/links/column.php but at the moment the domain does not seem to be resolving (which is a good thing!)

"Batch Payment File Reversed" spam / kendallvile.com

This spam leads to malware on kendallvile.com:

From:     batchservice@eftps.net [batchservice@eftps.net]
Date:     22 January 2013 17:56
Subject:     Batch Payment File Reversed

=== PLEASE NOT REPLY TO THIS MESSAGE===  

[redacted]

This notification was mailed to inform you that your payment file has Reversed. 2013-01-21-9.56.22.496135

Detailed information is accessible by sign into the Batch Provider with this link.

--  
With Best Regards,
EFTPS         

Contact Us: EFTPS Batch Provider Customer Service 
This leads to an exploit kit on [donotclick]kendallvile.com/detects/exceptions_authority_distance_disturbing.php (report here) hosted on the very familiar IP address of 222.238.109.66 (Hanaro Telecom, Korea) which should be blocked if you can.

Dutch language Swiss tax spam / africanbeat.net

This Nederlands language spam appears to be from some Swiss tax authority, but in fact it leads to the Blackhole Exploit kit on africanbeat.net:

From:     report@ag.ch via bernina.co.il
Date:     22 January 2013 13:48
Subject:     Re: je NAT3799 belastingformulier
Mailed-by:     bernina.co.il

[redacted]

Wij willen brengen aan uw bericht dat je hebt fouten gemaakt bij het invullen van de meest recente belastingformulier NAT3799 (ID: 023520).
vindt u aanbevelingen en tips van onze fiscalisten HIER
( Wacht 2 minuten op het verslag te laden)

Wij verzoeken u om corrigeer de fouten en verzenden de gecorrigeerd aangifte aan uw belastingadviseur zo snel mogelijk.

Kanton Aargau
Sonja Urech
Sachbearbeiterin Wehrpflichtersatzverwaltung
Departement Gesundheit und Soziales
Abteilung Militär und Bevölkerungsschutz
Rohrerstrasse 7, Postfach, 6253 Aarau
Tel.: +41 (0)62 332 31 62
Fax: +41 (0)62 332 33 18

Translated as:

We want to bring to your notice that you have made mistakes when completing the most recent tax form NAT3799 (ID: 023520).
You can find recommendations and tips from our tax specialists HERE
(Wait 2 minutes for the report to load)

We ask you to correct the error and send the corrected report to your tax advisor as soon as possible. 
The link leads to an exploit kit at [donotclick]africanbeat.net/detects/urgent.php (report here) hosted on the familiar IP address of 222.238.109.66 (Hanaro Telecom, Korea). The following domains are active on this server:

africanbeat.net
seoseoonwe.com
alphabeticalwin.com
bestwesttest.com
prepadav.com
masterseoprodnew.com
cocolspottersqwery.com
teamrobotmusic.net
shininghill.net
terkamerenbos.net

Something evil on 109.123.66.30

109.123.66.30 (UK2.NET, UK) hosts several domains containing the Blackhole Exploit Kit (example here). The domains in user are (mostly) legitimate hacked domains, but there are a couple of odd things here.

Most of the malicious domains have a format like this: 700ff4ad03c655cb11919113011611137102708d4fb6daf0e74bea4aa5e8f9f.darkhands.com - in this case darkhands.com is a legitimate domain registered to an individual in Australia, but it has been hacked to create a who load of malicious subdomains, hosted on another server from www.darkhands.com.

In fact, almost all the domains are registered to Australians, but the key thing is in that all of those cases the main domains are hosted by OrionVM in Australia, with the main domains hosted in the 49.156.18.0/24 block. Update: it seems that a single customer was compromised and the OrionVM issue has been resolved.

So how can the main (legitimate) sites be hosted in 49.156.18.0/24, but the malicious subdomains are hosted on a completely different network in the UK. I suspect that there is a compromise of some sort at OrionVM which has allowed the DNS records to be change (it should be noted that these domains used several different registrars).

Another oddity is that these hijacked domains only go from A to I alphabetically, which indicates that there might be some other malicious servers in this same group. The domains are:

00.co.kr
07drama.com
1001mg.com
1sim.net
20cargo.com
2ndi.com
2seul.net
3gendata.co.kr
atomthecreators.com
bodaguatemala.com
ciudaddelangel.com
colmodasa.com
ctsau.com
cyberdyne.net.au
dafconstructions.com
darkhands.com
deanmathers.com
demon-networks.com
dentistasguatemala.com
dfs-mortgages.com.au
easygosa.com
elitebusinesssupplies.com.au
eliteoz.com.au
enaballet.com
escapeelsalvador.com
fairymeadowsurfclub.com.au
floor-me.com.au
furniturebiweb.com.au
frankflick.com
fwmesker.com.au
gcbustours.com.au
giftsbiweb.com.au
goddessmassage.com.au
goldcoastnorth.org.au
goldcoastpacifictours.com.au
greyfoxjumps.com
grubisaguitars.com
img.or.kr

Also hosted on 109.123.66.30 are some malicious .in domains that were previously on 87.229.26.138 (see here):
gguwvn.in
gmvgyx.in
humswz.in
jlqrnp.in
krvrkh.in
lupszm.in
nwujgl.in
onylkp.in
pmkvyh.in
sirrpk.in
tmthzz.in
ukokqz.in
ymjjjm.in
yxrkyu.in
zjmnwv.in
znztip.in
zpjhjv.in

It looks like there are some legitimate sites on the same server, but blocking 109.123.66.30 is probably a good idea.

As for those subdomains I wrote about, well here are some examples (there are probably many more!)
9e3cca5e3db56bb811912113012211341099855c391a9f23ee6fdf9310ef65f.escapeelsalvador.com
9e3cca5e3db56bb8.escapeelsalvador.com
43c327b1d06a8667016129130121170261378958c50c75b554d3acbb2bf6327.ciudaddelangel.com
4378075af081a68c01911413012115588268499bd156f02785043714358bc6d.bodaguatemala.com
adc3e9311efa48f701604513012020274181958c0c1dd94d15b082c2f456729.2seul.net
613c852e72852488.12bears.org
4378075af081a68c119070130121141091436015a23f6147f4a5cb6f46c9612.bodaguatemala.com
4378075af081a68c01608613012113376175301d0604046f19450957fd59d89.bodaguatemala.com
4378075af081a68c0190861301211545518988357b1766a7c844beb4d7d552d.bodaguatemala.com
cb3c7f5e8885de88019102130121235232244364ff60ccc807ebd5d014bc12a.dentistasguatemala.com
cb3c7f5e8885de8801902413012123563228240bb24890930199ff12981f22c.dentistasguatemala.com
4387a7b5506e066301515913012202291029798326847e181e5c85ee57ec48c.doctoresguatemala.com
e93c8d2e7a852c88014072130119115171974917aa12cca08315e832c31f05b.07drama.com
e93c8d2e7a852c88019016130119091781150715f71f0b9afdd4128ec4cbb9c.07drama.com
da0f5ebda916ff1b01402413011913245133774bd3f2acbdbb427f332b0509e.07drama.com
4378c7aa3071667c01511113012120512184494445a0a9fabe4d9f815049c39.colmodasa.com
4378c7aa3071667c1191211301211930317435053144fdeced2f362b8701b9c.colmodasa.com
f80fcced3b066d0b1191211301220847209700257ce00433c7d66b6873eb420.easygosa.com
f80fcced3b066d0b0190861301220832613187254b83422e0b4c441fde73336.easygosa.com
073c137ee495b2980140251301220622508971181451a35f7f31a53edbc1f68.easygosa.com
073c137ee495b298.easygosa.com
ad870975fedea8d3019044130119144392288741f96f4d9d259a1b9c46683e0.1001mg.com
9eb4aa965d5d0b5001418513012018266185128b200492041c9fa22e5d7765e.2ndi.com
43c347f1b07ae67701418513011715199157549c11b32571ee03ac63e5df44a.frankflick.com
43c327b1d06a8667014102130121164341794225edd7badb251a6d939612b70.ciudaddelangel.com
43c327b1d06a8667119121130121182651816415774ff223bcf7794f72f9901.ciudaddelangel.com
43c327b1d06a8667016129130121170261378958c50c75b554d3acbb2bf6327.ciudaddelangel.com
bc4bb8f94f32193f114161130120170671429678682220d8fb9257f98a64133.20cargo.com
bc4bb8f94f32193f116161130120160641274345c1e0d1e821270ad394dce24.20cargo.com
9e3cca5e3db56bb801907013012210373118558538d878c0932bac859f75915.escapeelsalvador.com
9e3cca5e3db56bb811412113012210099114754a47f7f4cdd48cdf995c40c69.escapeelsalvador.com
9e3cca5e3db56bb80190861301221149212109450483885b4caf3bc1aa9f0ec.escapeelsalvador.com
700ff4ad03c655cb114163130116131561128525b412bf0eb1f0d8b3373d530.darkhands.com
700ff4ad03c655cb01902413011612555164840bb4054383b351bed0be72cb0.darkhands.com
700ff4ad03c655cb019025130116115161699125ddc19c767ee08cad8037869.darkhands.com
700ff4ad03c655cb01906313011612074085590bc4ca3a96ab9f70f60a845be.darkhands.com
700ff4ad03c655cb11919113011611137102708d4fb6daf0e74bea4aa5e8f9f.darkhands.com
da871eb5e9debfd3.demon-networks.com
da871eb5e9debfd3014025130116170451125355cc8672327f4e3759493a7b6.demon-networks.com
da871eb5e9debfd311416313011617182114754b6edb0d4e245e105a88985e8.demon-networks.com
cb789f8a68e13eec01402413011611067087175549c49b8c26df1b1e117ce52.dafconstructions.com
cb789f8a68e13eec0190241301161048514233351542cd2b24d195ba0bf6f2b.dafconstructions.com
cb789f8a68e13eec0191371301160824408432252ef981c7a10856259ae52ff.dafconstructions.com
8f0fdbcd2c567a5b.greyfoxjumps.com
8f0fdbcd2c567a5b0190761301181449720858689e2e4bcb46d495489f755db.greyfoxjumps.com
8f0fdbcd2c567a5b01410413011815492132506be98360c690e0577314b571c.greyfoxjumps.com
25c3a1b1562a002701615313011819586240920cc2c0a048cb012e78ce717e3.grubisaguitars.com
25c3a1b1562a002701409913011818231126800513e8276203b5e4706c64ac5.grubisaguitars.com
25c3a1b1562a0027.grubisaguitars.com
cb4b6fe99882ce8f01402413011613576192736c93af1192f50fb15cfe1fb20.deanmathers.com
52874685b15ee75301902413012112331103342bb3bba5bfc191f0fcffeff42.atomthecreators.com
07b43316c4cd92c00191841301211308110270853cafa0ede390f54488279a2.atomthecreators.com
52874685b15ee753.atomthecreators.com
52874685b15ee753014072130121104741407487aa1c9758f11ecec8a5080e9.atomthecreators.com
52874685b15ee753014064130121125041591348d3a795f75aa30f3c07c12fa.atomthecreators.com
52874685b15ee75301918513012110462108414055334aad721923de002768f.atomthecreators.com
ad4b99a96ed238df01902413011700222020288c860e4eed12a0c47a53b2d01.enaballet.com
ad4b99a96ed238df.enaballet.com
8f875b85acdefad3.ctsau.com
8f875b85acdefad3014086130115235542019295b59f74e05eefad146e21954.ctsau.com
520fa6dd5146074b01902413011903443069106c9587029dc299fef3a02a1cf.00.co.kr
da3c3e0ec9c59fc8014050130121084910792509f94ca468b493ae140b594f1.3gendata.co.kr
8f0f8bdd7c062a0b019044130121095082044654e48461a03046b9a158f0b56.3gendata.co.kr
da3c3e0ec9c59fc8.3gendata.co.kr
ad0fa92d5e96089b.12.img.or.kr
1687c295352e632301904413012011471097002d9bf1df5a4477988e98ea7f5.1sim.net
1687c295352e6323019115130120125041553301f169b228df07c49f6f8243f.1sim.net
8f4b9b896c123a1f0190241301181159211348659b5706dd8bba9ac9f65cc8a.goldcoastnorth.org.au
52c376c1814ad747116159130117164792434566ca998fa703bdba9f5fad36c.furniturebiweb.com.au
cb87bff5487e1e73019024130117230451540624eab8d91eedee6aae935bce8.giftsbiweb.com.au
250fa16d5616001b116062130117064610561095bc0c075f5de40e7ed52d204.fairymeadowsurfclub.com.au
6187852572ae24a3014077130118075481933705d68a7d58e329cd19e1d4831.goddessmassage.com.au
e9c32dd1daaa8ca71141631301171015509319889e28e6ae67eb0ff6dea8d71.floor-me.com.au
e9c32dd1daaa8ca70190861301171005507734854b82701243446e1f5747513.floor-me.com.au
e9c32dd1daaa8ca7.floor-me.com.au
e9c32dd1daaa8ca70150461301171003307037446410ff324aa6549c60cc9e7.floor-me.com.au
700f44ddb356e55b014025130117185911325065edcde5312a0fbd05c98f038.fwmesker.com.au
700f44ddb356e55b.fwmesker.com.au
700f944d6326352b019084130116191021210948682e24ad4db4900e40a73b4.dfs-mortgages.com.au
700f944d6326352b1141631301161913413314058ae84aa556671678b3f5e96.dfs-mortgages.com.au
700f944d6326352b.dfs-mortgages.com.au
f83c9c6e6b353d381141631301151452414962455f29541148efc4e37826913.elitebusinesssupplies.com.au
f83c9c6e6b353d3801511113011515087109682445a0a9f951927ef50f6d8c4.elitebusinesssupplies.com.au
070f33bdc4e692eb0191141301151407910841451c188064ca7eab689697868.elitebusinesssupplies.com.au
070f33bdc4e692eb0140861301151349718988357a3ee82f57b94dee43ccb7a.elitebusinesssupplies.com.au
61f02502d2998494119191130118142491702293e019202990ce84e1570c0db.goldcoastpacifictours.com.au
708774f5836ed5630140181301180909508051875c927d7e6aa55de3837e434.goldcoastbuschartertours.com.au
f8b4ac165b9d0d90014096130117213511429674e08c2686a0bb289bc3fa9d8.gcbustours.com.au
bcf038d2cf899984119163130115182621198264fd5f6cf84137810b203d561.eliteoz.com.au
61f0c522327964740190861301152121515564750483987b2c6cc62e0435464.eliteoz.com.au
61f0c52232796474.eliteoz.com.au
bcf038d2cf89998401404313011519058127117579abdbfca7f3f850c10f19b.eliteoz.com.au
bcf038d2cf8999840140241301151905812711753ae2611208cafdf0c10f19b.eliteoz.com.au
61f0c522327964740140161301152137113028789e2464b24229b3f5a3a889e.eliteoz.com.au
bcf0b8624f091904115129130116034061033429069f5026657971ac822f264.cyberdyne.net.au

Cheeky exploit kit on avirasecureserver.com

What is avirasecureserver.com? Well, it's not Avira that's for sure.. it is in fact a server for the Blackhole Exploit Kit.

This site is hosted on 82.145.57.3, an Iomart / Rapidswitch IP that appears to have been reallocated to:
person:         Dimitar Kolev
address:        QHoster Ltd
address:        Apt 1859
address:        Chynoweth House
address:        Trevissome Park
address:        Truro
address:        TR4 8UN
address:        GB
phone:          +13232180069
abuse-mailbox:  abuse@qhoster.com
nic-hdl:        DK5560-RIPE
mnt-by:         RAPIDSWITCH-MNT
source:         RIPE # Filtered


Trevissome Park is a small business park in Cornwall, there certainly isn't a building with over 1000 apartments there, so we can assume that "Apt" is a euphemism for a post box. There's also no company in the UK called QHoster Ltd. In fact, if we check the QHoster.com domain we can see that it is a Bulgarian firm:

    QHoster Ltd.
    Dimitar Kolev        (domains@qhoster.net)
    27 Nikola D. Petkov Str.
    Sevlievo
    Gabrovo,5400
    BG
    Tel. +359.898547122
    Fax. +359.67535954

QHoster has an IP block of 82.145.57.0/25 suballocated to it. A quick poke around indicates not much of value in this range, you may want to consider blocking the /25 as a precaution.



Monday, 21 January 2013

Intuit spam / danadala.ru

This fake Intuit spam leads to malware on danadala.ru:

Date:      Mon, 21 Jan 2013 04:45:31 -0300
From:      RylieBouthillette@hotmail.com
Subject:      Payroll Account Holded by Intuit


Direct Deposit Service Informer
Communicatory Only

We cancelled your payroll on Mon, 21 Jan 2013 04:45:31 -0300.

    Finances would be gone away from below account # ending in 8134 on Mon, 21 Jan 2013 04:45:31 -0300
    amount to be seceded: 5670 USD
    Paychecks would be procrastinated to your personnel accounts on: Mon, 21 Jan 2013 04:45:31 -0300
    Log In to Review Operation


Funds are typically left before working banking hours so please make sure you have enough Finances accessible by 12 a.m. on the date Cash are to be seceded.

Intuit must reject your payroll by 4 p.m. Central time, two banking days before your paycheck date or your state would not be paid on time.
QuickBooks does not process payrolls on weekends or federal banking holidays. A list of federal banking holidays can be viewed at the Federal Reserve website.

Thank you for your business.

Regards,
Intuit Payroll Services

The malicious payload is at [donotclick]danadala.ru:8080/forum/links/column.php hosted on a familiar bunch of IPs that have been used in several recent attacks:

89.111.176.125 (Garant-Park-Telecom, Russia)
91.224.135.20 (Proservis UAB, Lithunia)
212.112.207.15 (ip4 GmbH, Germany)

The following malicious domains seems to be active at present:
dekamerionka.ru
danadala.ru
dmssmgf.ru
dmpsonthh.ru
demoralization.ru
damagalko.ru
dozakialko.ru
dopaminko.ru
dumarianoko.ru
dfudont.ru

LinkedIn spam / prepadav.com

This fake LinkedIn spam leads to malware on prepadav.com:

From: LinkedIn [mailto:news@linkedin.com]
Sent: 21 January 2013 16:21
Subject: LinkedIn Reminder from your co-worker

LinkedIn
REMINDERS
Invitation reminders:
▫ From CooperWright ( Your employer)

PENDING LETTERS
• There are a total of 2 messages awaiting your action. Acces to your InBox now.
Don't wish to receive email notifications? Adjust your letters settings.
LinkedIn respect your privacy. In no circumstances has LinkedIn made your e-mail acceptable to any other LinkedIn user without your allowance. © 2013, LinkedIn Corporation.
The malicious payload is at [donotclick]prepadav.com/detects/region_applied-depending.php hosted on 222.238.109.66 (Hanaro Telecom, Korea). This IP has been used in several malware attacks recently and it should be blocked if you can.

The following malicious websites are active on this server:
seoseoonwe.com
alphabeticalwin.com
splatwetts.com
bestwesttest.com
masterseoprodnew.com
cocolspottersqwery.com
teamrobotmusic.net
vaishalihotel.net
shininghill.net
terkamerenbos.net
prepadav.com

Kenyan Judiciary (judiciary.go.ke) hacked to serve malware

The Judiciary of the Republic of Kenya has a mission to deliver justice fairly, impartially and expeditiously, promote equal access to justice, and advance local jurispudence by upholding the rule of law. Unfortunately, it has also been hacked to serve up malware.


The site has been compromised to serve up an exploit kit being promoted by spam email. There's a redirector at [donotclick]www.judiciary.go.ke/wlc.htm attempting to redirect visitors to [donotclick]dfudont.ru:8080/forum/links/column.php where there's a nasty exploit kit.



Of course, most visitors to the judiciary.go.ke site won't see that particular exploit. But if someone can create an arbitrary HTML page on that server, then they pretty much have the run of the whole thing and they can do what they like. So the question might be.. what else has been compromised? Hmm.

Friday, 18 January 2013

ADP spam / dopaminko.ru

This fake ADP spam leads to malware on dopaminko.ru:

Date:      Fri, 18 Jan 2013 09:08:38 -0500
From:      "service@paypal.com" [service@paypal.com]
Subject:      ADP Immediate Notification

ADP Immediate Notification
Reference #: 544043911

Fri, 18 Jan 2013 09:08:38 -0500
Dear ADP Client

Your Transfer Record(s) have been created at the web site:

https://www.flexdirect.adp.com/client/login.aspx

Please see the following notes:

    Please note that your bank account will be debited within one banking business day for the amount(s) shown on the report(s).
    Please do not respond or reply to this automated e-mail. If you have any questions or comments, please Contact your ADP Benefits Specialist.


This note was sent to acting users in your system that approach ADP Netsecure.

As usual, thank you for choosing ADP as your business affiliate!

Ref: 206179035

HR. Payroll. Benefits.

The ADP logo and ADP are registered trademarks of ADP, Inc.
In the business of your success is a service mark of ADP, Inc.
© 2013 ADP, Inc. All rights reserved.
The malicious payload is at [donotclick]dopaminko.ru:8080/forum/links/column.php hosted on the following familiar IP addresses:

89.111.176.125 (Garant-Park-Telecom, Russia)
91.224.135.20 (Proservis UAB, Lithunia)
212.112.207.15 (ip4 GmbH, Germany)

These following malicious domains appear to be active on these servers:
dekamerionka.ru
dmssmgf.ru
dmpsonthh.ru
dmeiweilik.ru
demoralization.ru
damagalko.ru
dozakialko.ru
dopaminko.ru
dumarianoko.ru
dimanakasono.ru
bananamamor.ru
dfudont.ru


LinkedIn spam / shininghill.net

This fake LinkedIn spam leads to malware on shininghill.net:

Date:      Fri, 18 Jan 2013 18:16:32 +0200
From:      "LinkedIn" [announce@e.linkedin.com]
Subject:      LinkedIn Information service message

LinkedIn
REMINDERS

Invite notifications:
? From MiaDiaz ( Your renter)


PENDING EVENTS

∙ There are a total of 2 messages awaiting your response. Enter your InBox right now.

Don't want to get email info letters? Change your message settings.

LinkedIn values your privacy. Not once has LinkedIn made your e-mail address available to any another LinkedIn member without your permission. © 2013, LinkedIn Corporation.
The malicious payload is at [donotclick]shininghill.net/detects/solved-surely-considerable.php hosted on 222.238.109.66 (Hanaro Telecom, Korea). This IP address has been used in several recent attacks and should be blocked if you can.

The following domains appear to be active on this IP address, all should be considered to be malicious:
seoseoonwe.com
alphabeticalwin.com
splatwetts.com
bestwesttest.com
masterseoprodnew.com
teamrobotmusic.net
foxpoolfrance.net
linuxreal.net
vaishalihotel.net
tetraboro.net
terkamerenbos.net
shininghill.net


"A.R.T. Logistics" fake job offer

There may be various genuine companies in the world with a name similar to "A.R.T. Logistics Industrial & Trading Ltd", but this job offer does not come from a genuine company. Instead it is trying to recruit people for money laundering ("money mule") jobs and parcel reshipping scams (a way of laundering stolen goods). Note that the scammers aren't even consistent in the way they name the company.

From:     ART LOGISTICS INDUSTRIAL AND TRADING LTD [info@sender.org]
Reply-To:     artlogisticsltd@yahoo.com.ph
Date:     18 January 2013 07:49
Subject:     A.R.T. LOGISTICS INDUSTRIAL & TRADING LIMITED

A.R.T LOGISTIC INDUSTRIAL & TRADING LIMITED
Export & Import Agent‚ Service Company.
46/F Tower 1, Metroplaza 223 Hing Fong Road,
Kwai Chung New Territories, Hong Kong.

A.R.T. Logistics mainly provides services to customers in Russia, Kazakhstan and Hong Kong. We provide: - Air freight - Sea freight (FCL & LCL to EU, Russia, Kazakhstan & Central Asia) - Rail freight - Road Freight (FTL & LTL to any place in Russia, Kazakhstan and Central Asia) Our company has worked in Russia, Kazakhstan & Central Asia since 2005 and has wide experience of transport such as airfreight, container and rail.

We are presently shifting our base to North America and we have collective customers in the United State & Canada but We find it difficult establishing payments modalities with this customers and we don't intend loosing our customers. We are searching for a front line representative as intermediary by establishing a medium of getting payments from this customers in Canada & America by making payments through you to us. Do contact us for more information at this e-mail:(artlogis@e-mail.ua).

Subject to your satisfaction with the front line representative offer, you will be made our foreign payment receiving officer in your region and you will deduct 10% of every transactions made through you for your services as our Financial Representative.

Sincerely,
Yasar Feng Xu
A.R.T LOGISTIC INDUSTRIAL & TRADING LIMITED
N.B Reply to: artlogisticsltd@yahoo.com.ph

In this case, the spam originates from 31.186.186.2 [mail.zsmirotice.cz]. Avoid!