This is a little group of fake analytics sites containing malware (for example), hosted on 46.165.206.16 (Leaseweb, Germany). Sites listed in red have already been tagged by Google Safe Browsing diagnostics, presumably the others have stayed below the radar.
adstat150.com
cexstat20.com
katestat77.us
kmstat505.us
kmstat515.us
kmstat530.com
lmstat450.com
mptraf11.info
mptraf2.info
mxstat205.us
mxstat570.com
mxstat740.com
mxstat760.com
rxtraf25.ru
rxtraf26.ru
skeltds.us
vmstat100.com
vmstat120.com
vmstat140.com
vmstat210.com
vmstat230.com
vmstat320.com
Monday, 11 February 2013
Something evil on 46.165.206.16
Labels:
Injection Attacks,
Leaseweb,
Malware,
Viruses
NACHA Spam / albaperu.net
This fake NACHA spam leads to malware on albaperu.net:
175.121.229.209 (Hanaro Telecom, Korea)
198.144.191.50 (Chicago VPS, US)
The following malicious domains are present on these IPs and should be blocked:
acctnmrxm.net
albaperu.net
asistyapipressta.com
capeinn.net
live-satellite-view.net
madcambodia.net
morepowetradersta.com
rebelldagsanet.com
uminteraktifcozumler.com
Date: Mon, 11 Feb 2013 11:39:03 -0500 [11:39:03 EST]The malicious payload is at [donotclick]albaperu.net/detects/case_offices.php (report here) hosted on:
From: ACH Network [reproachedwp41@direct.nacha.org]
Subject: ACH Transfer canceled
Aborted transfer
The ACH process (ID: 838907191379), recently initiated from your checking account (by one of your account members), was reversed by the other financial institution.
Transaction ID: 838907191379
Reason of Cancellation See detailed information in the despatch below
Transaction Detailed Report RP838907191379.doc (Microsoft Word Document)
13150 Sunrise Drive, Suite 100 Herndon, VA 20172 (703) 561-1600
� 2013 NACHA - The Electronic Payments Association
175.121.229.209 (Hanaro Telecom, Korea)
198.144.191.50 (Chicago VPS, US)
The following malicious domains are present on these IPs and should be blocked:
acctnmrxm.net
albaperu.net
asistyapipressta.com
capeinn.net
live-satellite-view.net
madcambodia.net
morepowetradersta.com
rebelldagsanet.com
uminteraktifcozumler.com
British Airways spam / epianokif.ru
Date: Mon, 11 Feb 2013 11:30:39 +0330
From: JamesTieszen@[victimdomain.com]
Subject: British Airways E-ticket receipts
Attachments: E-Ticket-N234922XM.htm
e-ticket receipt
Booking reference: DZ87548418
Dear,
Thank you for booking with British Airways.
Ticket Type: e-ticket
This is your e-ticket receipt. Your ticket is held in our systems, you will not receive a paper ticket for your booking.
Your itinerary is attached (Internet Exlplorer/Mozilla Firefox file)
Yours sincerely,
British Airways Customer Services
British Airways may monitor email traffic data and also the content of emails, where permitted by law, for the purposes of security and staff training and in order to prevent or detect unauthorised use of the British Airways email system.
British Airways Plc is a public limited company registered in England and Wales. Registered number: 74665737. Registered office: Waterside, PO Box 365, Harmondsworth, West Drayton, Middlesex, England, UB7 0GB.
How to contact us
Although we are unable to respond to individual replies to this email we have a comprehensive section that may help you if you have a question about your booking or travelling with British Airways.
If you require further assistance you may contact us
If you have received this email in error
This is a confidential email intended only for the British Airways Customer appearing as the addressee. If you are not the intended recipient please delete this email and inform the snder as soon as possible. Please note that any copying, distribution or other action taken or omitted to be taken in reliance upon it is prohibited and may be unlawful.
The malicious payload is at [donotclick]epianokif.ru:8080/forum/links/column.php (report here) hosted on:
82.148.98.36 (Qatar Telecom, Qatar)
195.210.47.208 (PS Internet Company, Kazakhstan)
202.72.245.146 (Railcom, Mongolia)
The following malicious domains can also be seen on these IPs:
epianokif.ru
enakinukia.ru
dekamerionka.ru
evskindarka.ru
exibonapa.ru
dmssmgf.ru
epianokif.ru
elistof.ru
dmpsonthh.ru
esekundi.ru
egihurinak.ru
exiansik.ru
disownon.ru
epilarikko.ru
damagalko.ru
dumarianoko.ru
emalenoko.ru
epiratko.ru
evujalo.ru
bananamamor.ru
dfudont.ru
Something evil on 46.163.79.209
The following sites are connected with some ADP-themed malware that has been doing the rounds for the past few days. As far as I can tell, they are some sort of download server for this malware, hosted on 46.163.79.209 (Host Europe, Germany), it all looks quite nasty.
social-neos.eu
cloud.social-neos.eu
quest.social-neos.eu
archiv.social-neos.eu
eyon-neos.eu
international.eyon-neos.eu
ns.eyon-neos.eu
euroherz.eyon-neos.eu
The domains look like they might be legitimate onese that have been hijacked, nonetheless blocking them would be an excellent move.
social-neos.eu
cloud.social-neos.eu
quest.social-neos.eu
archiv.social-neos.eu
eyon-neos.eu
international.eyon-neos.eu
ns.eyon-neos.eu
euroherz.eyon-neos.eu
The domains look like they might be legitimate onese that have been hijacked, nonetheless blocking them would be an excellent move.
Labels:
Evil Network,
Germany,
Malware,
Viruses
"Support Center" spam / phticker.com
Not malware this time, but this fake "Support Center" spam leads to a fake pharma site at phticker.com:
nislevitra.com
tablethealthipad.com
tivozanibkimedicine.com
marijuanarxmedicine.com
drugstorepharmacycenterline.com
medicalwelhealthcare.com
physicianslnesshealth.com
newhealthpharm.com
gokeyscan.com
medpillsprescription.com
wichigenerics.com
boschmeds.com
pillcarney.com
healthviagraobesity.com
pharmedicinehat.net
rxlevitrainc.eu
tabletdrugipad.eu
pillsphysicpharma.ru
xree.ru
lxie.ru
zeap.ru
tabspharmacytablets.ru
pillsmedicalsrx.ru
poey.ru
ongy.ru
phticker.com
Date: Mon, 11 Feb 2013 06:13:52 -0700The site appears to be clean from a malware perspective and is hosted on 171.25.190.246 (Verus AS, Latvia) along with these other fake pharma sites:
From: "Brinda Wimberly" [noreply@mdsconsulting.be]
Subject: Support Center
Welcome to Help Support Center
Hello,
You have been successfully registered in our Ticketing System
Please, login and check status of your ticket, or report new ticket here
See All tickets
Go To Profile
This message was sent to [redacted]. Should you have any questions, or if you believe that you have received this in error please contact us at support center.
nislevitra.com
tablethealthipad.com
tivozanibkimedicine.com
marijuanarxmedicine.com
drugstorepharmacycenterline.com
medicalwelhealthcare.com
physicianslnesshealth.com
newhealthpharm.com
gokeyscan.com
medpillsprescription.com
wichigenerics.com
boschmeds.com
pillcarney.com
healthviagraobesity.com
pharmedicinehat.net
rxlevitrainc.eu
tabletdrugipad.eu
pillsphysicpharma.ru
xree.ru
lxie.ru
zeap.ru
tabspharmacytablets.ru
pillsmedicalsrx.ru
poey.ru
ongy.ru
phticker.com
Labels:
Fake Pharma,
Latvia,
Spam
Saturday, 9 February 2013
ADP spam / 048575623_02082013.zip
This fake ADP spam comes with a malicious attachment:
VirusTotal identifies it as a Zbot variant. According to ThreatExpert, the malware attempts to connect to the following hosts:
eyon-neos.eu
quest.social-neos.eu
social-neos.eu
These may be legitimate hacked domains, but if you are seeing unexpected traffic going to them then it could be a Zbot indicator.
Date: Fri, 8 Feb 2013 18:26:05 +0100 [12:26:05 EST]In this case there was a ZIP file called 048575623_02082013.zip (this may vary) with an attachment 048575623_02082013.exe designed to look like a PDF file.
From: "ops_invoice@adp.com" [ops_invoice@adp.com]
Subject: ADP Payroll Invoice for week ending 02/08/2013 - 01647
Your ADP Payroll invoice for last week is attached for your review. If you have any questions regarding this invoice, please contact your ADP service team at the number provided on the invoice for assistance.
Thank you for choosing ADP Payroll.
Important: Please do not respond to this message. It comes from an unattended mailbox.
VirusTotal identifies it as a Zbot variant. According to ThreatExpert, the malware attempts to connect to the following hosts:
eyon-neos.eu
quest.social-neos.eu
social-neos.eu
These may be legitimate hacked domains, but if you are seeing unexpected traffic going to them then it could be a Zbot indicator.
Labels:
ADP,
EXE-in-ZIP,
Spam,
Viruses
BBB Spam / madcambodia.net
This fake BBB spam leads to malware on madcambodia.net:
The malicious payload is at [donotclick]madcambodia.net/detects/review_complain.php (report here) hosted on:
175.121.229.209 (Hanaro Telecom, Korea)
198.144.191.50 (Chicago VPS, US)
The following domains appear to be active on these IPs:
madcambodia.net
acctnmrxm.net
capeinn.net
starsoftgroup.net
live-satellite-view.net
morepowetradersta.com
Date: Fri, 8 Feb 2013 11:55:55 -0500 [11:55:55 EST]
From: Better Business Bureau [notify@bbb.org]
Subject: BBB details about your cliente's pretense ID 43C796S77
Better Business Bureau ©
Start With Trust ©
Thu, 7 Feb 2013
RE: Issue No. 43C796S77
[redacted]
The Better Business Bureau has been booked the above mentioned claim letter from one of your purchasers in respect of their business contacts with you. The detailed description of the consumer's concern are available for review at a link below. Please pay attention to this subject and let us know about your judgment as soon as possible.
We pleasantly ask you to visit the GRIEVANCE REPORT to reply on this claim.
We awaits to your prompt response.
Best regards
Luis Davis
Dispute Advisor
Better Business Bureau
Better Business Bureau
3073 Wilson Blvd, Suite 600 Arlington, VA 23501
Phone: 1 (703) 276.0100 Fax: 1 (703) 525.8277
This note was sent to [redacted]. Don't want to receive these emails anymore? You can unsubscribe
The malicious payload is at [donotclick]madcambodia.net/detects/review_complain.php (report here) hosted on:
175.121.229.209 (Hanaro Telecom, Korea)
198.144.191.50 (Chicago VPS, US)
The following domains appear to be active on these IPs:
madcambodia.net
acctnmrxm.net
capeinn.net
starsoftgroup.net
live-satellite-view.net
morepowetradersta.com
Friday, 8 February 2013
MMuskatov / OVH malware sites to block
I've mentioned an OVH range of IPs allocated to a mystery "MMuskatov" a couple of times before (here and here). It seemed like they needed a closer look.
The IP ranges are in the 5.135.67.x block, mostly in small /28 allocations hosted in different OVH datacentres in Europe. They are:
5.135.67.128 - 5.135.67.135
5.135.67.136 - 5.135.67.143
5.135.67.144 - 5.135.67.159
5.135.67.160 - 5.135.67.175
5.135.67.176 - 5.135.67.191
5.135.67.192 - 5.135.67.207
5.135.67.208 - 5.135.67.223
5.135.67.224 - 5.135.67.239
5.135.67.240 - 5.135.67.247
Obviously, that gives an contiguous block of 5.135.67.128 to 5.135.67.247 which is annoying difficult to express in CIDR notation. This is the best I can do:
5.135.67.128/26
5.135.67.192/27
5.135.67.224/28
5.135.67.240/29
If you don't mind a bit of collateral damage then you could simply block 5.135.67.128/25.I
Anyway.. what's so bad about this range? Well, as far as I can see, there are no legitimate sites here at all. But there do appear to be malware sites, suspicious subdomains of hijacked legitimate sites and other nasties. Quite a few have been registered very recently indeed, and to be honest I'm probably missing a lot of sites hosted in this range.
The sites are listed below. Sites listed as malware by Google are listed in red , sites with a bad WOT rating are listed in blue (there are no sites listed at both, so I can spare you from purple). You can safely assume that anything not blacklisted has just not been noticed yet. You can download a full list of the sites, IP addresses, WOT rating and the Google prognosis from here.
1aumir.biz
afito.nyxsus.net
agnitumsnuking.net
allrisor.com
analytics-djmusic-online.de
analytics-djmusic-online.info
analytics-djmusic-site.at
analytics-djmusic-site.com
analytics-djmusic-site.de
anarebrelleee.me
apeld.biz
azizmarizish2013.com
azizmarizish2013.info
azizmarizish2013.us
babynicefreelove.org
basicsensorcomfort.info
basteln5.de
bederg.biz
beratopl.sinanfe.com
besprof.samisales.com
bestfor.rotaract4670.org
bopljert.ultuma.com
brasenetworks.info
broki.wem44.com
browser.rainbowstarfish.com
carambala.com
charterd4.de
clomment.calenergy.info
clubs.sandipmistry.com
complexesuluation.info
creamvisitiorfinder.info
daimlerfidelity.info
daisychellenge.info
dasdasd.tss33.com
dasuycompletesuluation.info
dfhiod.biz
dhajbg.biz
djjgurda.com
djjgurda.us
domainsfiverich.com
dotguy.set-god.com
emporiomurmani.info
fakeferarri.info
fastmovekko.net
fbuniverse.net
federewf.org
firepow.l2firepower.com
first.bartych.com
frankmousepo.com
freepokee1.info
freepokee2.info
freepokee3.info
fromza.thirteentoedcat.com
fuchsduhastdiegansgestohlen.info
gertapo.bbcuteonline.com
gfssexcam.org
gfssexcamcum.com
ggty.oops-to.com
goodby.nissisystems.com
goodly.hukmen.com
gussi.info
heart.wheels4salvador.org
hernn.biz
heronew.biz
jagsertowns.com
jbworldtrd.com
joeturismo.com
kiloui.svxr.org
kinodrom.ivanwalker.net
ktxstat240.info
lake.frontsighlitigations.com
lefttendencies.net
lokoier.biz
loveplanetfr.org
lozytose2.de
mapplestory.info
mdopk.biz
meanse.ayesh.asia
mederf.biz
medoew.biz
mikil.hititbett.org
mini.sindiat.com
miniini.iosstore.org
mobile.mathyux.com
mojojojo.info
monoxy3.de
msner.slingthor.com
mybestprojextmm.com
my-res-to.com
myrisor.com
natrium7.de
natural9.de
ndqegsx.efx-capital.com
neregda.biz
nerero.biz
newrisor.com
news.webcam-archives.com
next.spacemonkeypirate.net
ninzaaa.commoninterestgroups.org
oploug.biz
perokil.biz
perstversion.info
poijert.ilaog.com
polocz.biz
powerpuffgirls.ru
price.hollywoodsaloon.us
provertymegastore.info
radarsky.biz
rainbowloveahaji.com
reseder.biz
resscience.com
res-to.com
risorgroup.com
risoronline.com
ronaldo.bangun.org
saledomainornott.biz
saledomainornott.co
saledomainornott.com
saledomainornott.in
saledomainornott.info
saledomainornott.me
saledomainornott.mobi
saledomainornott.net
scienceto.com
sec520.dyndns.info
sec521.dyndns.info
seghiv.biz
sexcamsfreenow.org
sfgjjj.biz
shop-best-good.info
shuttle4.de
sitesfiverich.com
sjbmb.biz
spannend3.de
srghoop.biz
stay.petersmunicipalconsultants.com
sun.frontsightbankruptcy.com
sunari9.de
supermegaextragood.info
swedpuikavrot.info
taste.frontsightblog.com
techntitus.com
termse.sharemomentwith.us
therisor.com
thewholespend.info
tikooo.afropod.com
tj6e8k.com
traespo.smoothasbeauty.com
trenere.biz
tydfghk.biz
ufrere.biz
umpi102.dyndns.info
umpi103.dyndns.info
unusedgb.net
vededd.biz
versetaility.info
vertigoz0ne.info
vertigoz0ne.net
vertigoz0ne.org
vertigozone.net
wdgwber.biz
wergxcb.biz
wryeuy.biz
xrifa.dhzq.net
yherem.biz
zaderf.biz
The IP ranges are in the 5.135.67.x block, mostly in small /28 allocations hosted in different OVH datacentres in Europe. They are:
5.135.67.128 - 5.135.67.135
5.135.67.136 - 5.135.67.143
5.135.67.144 - 5.135.67.159
5.135.67.160 - 5.135.67.175
5.135.67.176 - 5.135.67.191
5.135.67.192 - 5.135.67.207
5.135.67.208 - 5.135.67.223
5.135.67.224 - 5.135.67.239
5.135.67.240 - 5.135.67.247
Obviously, that gives an contiguous block of 5.135.67.128 to 5.135.67.247 which is annoying difficult to express in CIDR notation. This is the best I can do:
5.135.67.128/26
5.135.67.192/27
5.135.67.224/28
5.135.67.240/29
If you don't mind a bit of collateral damage then you could simply block 5.135.67.128/25.I
Anyway.. what's so bad about this range? Well, as far as I can see, there are no legitimate sites here at all. But there do appear to be malware sites, suspicious subdomains of hijacked legitimate sites and other nasties. Quite a few have been registered very recently indeed, and to be honest I'm probably missing a lot of sites hosted in this range.
The sites are listed below. Sites listed as malware by Google are listed in red , sites with a bad WOT rating are listed in blue (there are no sites listed at both, so I can spare you from purple). You can safely assume that anything not blacklisted has just not been noticed yet. You can download a full list of the sites, IP addresses, WOT rating and the Google prognosis from here.
1aumir.biz
afito.nyxsus.net
agnitumsnuking.net
allrisor.com
analytics-djmusic-online.de
analytics-djmusic-online.info
analytics-djmusic-site.at
analytics-djmusic-site.com
analytics-djmusic-site.de
anarebrelleee.me
apeld.biz
azizmarizish2013.com
azizmarizish2013.info
azizmarizish2013.us
babynicefreelove.org
basicsensorcomfort.info
basteln5.de
bederg.biz
beratopl.sinanfe.com
besprof.samisales.com
bestfor.rotaract4670.org
bopljert.ultuma.com
brasenetworks.info
broki.wem44.com
browser.rainbowstarfish.com
carambala.com
charterd4.de
clomment.calenergy.info
clubs.sandipmistry.com
complexesuluation.info
creamvisitiorfinder.info
daimlerfidelity.info
daisychellenge.info
dasdasd.tss33.com
dasuycompletesuluation.info
dfhiod.biz
dhajbg.biz
djjgurda.com
djjgurda.us
domainsfiverich.com
dotguy.set-god.com
emporiomurmani.info
fakeferarri.info
fastmovekko.net
fbuniverse.net
federewf.org
firepow.l2firepower.com
first.bartych.com
frankmousepo.com
freepokee1.info
freepokee2.info
freepokee3.info
fromza.thirteentoedcat.com
fuchsduhastdiegansgestohlen.info
gertapo.bbcuteonline.com
gfssexcam.org
gfssexcamcum.com
ggty.oops-to.com
goodby.nissisystems.com
goodly.hukmen.com
gussi.info
heart.wheels4salvador.org
hernn.biz
heronew.biz
jagsertowns.com
jbworldtrd.com
joeturismo.com
kiloui.svxr.org
kinodrom.ivanwalker.net
ktxstat240.info
lake.frontsighlitigations.com
lefttendencies.net
lokoier.biz
loveplanetfr.org
lozytose2.de
mapplestory.info
mdopk.biz
meanse.ayesh.asia
mederf.biz
medoew.biz
mikil.hititbett.org
mini.sindiat.com
miniini.iosstore.org
mobile.mathyux.com
mojojojo.info
monoxy3.de
msner.slingthor.com
mybestprojextmm.com
my-res-to.com
myrisor.com
natrium7.de
natural9.de
ndqegsx.efx-capital.com
neregda.biz
nerero.biz
newrisor.com
news.webcam-archives.com
next.spacemonkeypirate.net
ninzaaa.commoninterestgroups.org
oploug.biz
perokil.biz
perstversion.info
poijert.ilaog.com
polocz.biz
powerpuffgirls.ru
price.hollywoodsaloon.us
provertymegastore.info
radarsky.biz
rainbowloveahaji.com
reseder.biz
resscience.com
res-to.com
risorgroup.com
risoronline.com
ronaldo.bangun.org
saledomainornott.biz
saledomainornott.co
saledomainornott.com
saledomainornott.in
saledomainornott.info
saledomainornott.me
saledomainornott.mobi
saledomainornott.net
scienceto.com
sec520.dyndns.info
sec521.dyndns.info
seghiv.biz
sexcamsfreenow.org
sfgjjj.biz
shop-best-good.info
shuttle4.de
sitesfiverich.com
sjbmb.biz
spannend3.de
srghoop.biz
stay.petersmunicipalconsultants.com
sun.frontsightbankruptcy.com
sunari9.de
supermegaextragood.info
swedpuikavrot.info
taste.frontsightblog.com
techntitus.com
termse.sharemomentwith.us
therisor.com
thewholespend.info
tikooo.afropod.com
tj6e8k.com
traespo.smoothasbeauty.com
trenere.biz
tydfghk.biz
ufrere.biz
umpi102.dyndns.info
umpi103.dyndns.info
unusedgb.net
vededd.biz
versetaility.info
vertigoz0ne.info
vertigoz0ne.net
vertigoz0ne.org
vertigozone.net
wdgwber.biz
wergxcb.biz
wryeuy.biz
xrifa.dhzq.net
yherem.biz
zaderf.biz
Labels:
Evil Network,
Malware,
OVH,
Viruses
radarsky.biz and something evil on 5.135.67.160/28
There is currently an injection attack redirecting visitors to a domains radarsky.biz (for example) hosted on 5.135.67.173 (OVH) and suballocated to:
inetnum: 5.135.67.160 - 5.135.67.175
netname: MMuskatov-FI
descr: MMuskatov
country: FI
org: ORG-OH6-RIPE
admin-c: OTC15-RIPE
tech-c: OTC15-RIPE
status: ASSIGNED PA
mnt-by: OVH-MNT
source: RIPE # Filtered
"MMuskatov" was involved in this attack too, and a quick inspection of 5.135.67.160/28 doesn't look promising, you might want to block it and 5.135.67.144/28 and 5.135.67.192/28 as well. A deeper analysis is in progress.
inetnum: 5.135.67.160 - 5.135.67.175
netname: MMuskatov-FI
descr: MMuskatov
country: FI
org: ORG-OH6-RIPE
admin-c: OTC15-RIPE
tech-c: OTC15-RIPE
status: ASSIGNED PA
mnt-by: OVH-MNT
source: RIPE # Filtered
"MMuskatov" was involved in this attack too, and a quick inspection of 5.135.67.160/28 doesn't look promising, you might want to block it and 5.135.67.144/28 and 5.135.67.192/28 as well. A deeper analysis is in progress.
Labels:
Injection Attacks,
Malware,
OVH,
Viruses
Thursday, 7 February 2013
+20 3 2983245 telepest
For some reason I've been plagued with cold calling telepests recently. This particular one (+20 3 2983245) offered the usual "press 5 to be ripped off" and "press 9 to try to unsubscribe which we will ignore" recorded message about claiming for an accident.
There was a very politely spoken and nice young man on the end of the phone. He seemed a bit perplexed and upset when I told him to f--k off and leave me alone. Good.
I don't know exactly who is behind this nuisance activity, but they were calling a TPS-registered phone from a number in Alexandria, Egypt. Offshoring fraudulent activity like this is quite common, but this is the first time that I've had to swear at an Egyptian. Perhaps the poor guy will consider doing something less scummy instead.
Update: unbelievably, they rang back again. This time I had a chat with another guy, and we had a discussion about my horrible industrial accident when my penis got caught in the shredder at work . There was blood everywhere, it was a real shocker for the other people in the office too. I asked where he was calling from, and he said Cambridge.. so I replied that it was odd that it appeared to be a number from Alexandria, and that he was a lying scumbag and please could he f--k off and never call me again. Oddly enough, he hung up.
There was a very politely spoken and nice young man on the end of the phone. He seemed a bit perplexed and upset when I told him to f--k off and leave me alone. Good.
I don't know exactly who is behind this nuisance activity, but they were calling a TPS-registered phone from a number in Alexandria, Egypt. Offshoring fraudulent activity like this is quite common, but this is the first time that I've had to swear at an Egyptian. Perhaps the poor guy will consider doing something less scummy instead.
Update: unbelievably, they rang back again. This time I had a chat with another guy, and we had a discussion about my horrible industrial accident when my penis got caught in the shredder at work . There was blood everywhere, it was a real shocker for the other people in the office too. I asked where he was calling from, and he said Cambridge.. so I replied that it was odd that it appeared to be a number from Alexandria, and that he was a lying scumbag and please could he f--k off and never call me again. Oddly enough, he hung up.
FFIEC spam / live-satellite-view.net
From: FFIEC [mailto:complaints@ffiec.gov]The attempted download is from [donotclick]live-satellite-view.net/detects/advanced_selected_determines_comparison.php although it fails to resolve. Perhaps the registrar nuked the domain? However, it is possible to tell that the nameservers were ns1.http-page.net and ns2.http-page.net, and up investigate it turns out that all the following IPs and domains are related and should be treated as malicious:
Sent: 06 February 2013 16:17
Subject: FFIEC Occasion No. 77715
This summons is meant to make advise of file # 77715 which is opened and under interrogative with FFIEC following a accusation of your Financial Institution regarding suspect financial activity on your account.
A hard copy of this judicial process will be delivered to your business address.
Our institution will forward information to competent government agencies following this accusation.
Information and contacts regarding your Occasion file # can be found at
Occasion Number: 77715
Observed by
Federal Financial Institution Examination Council
Emily Gray
7.129.51.158
31.170.106.17
74.4.6.128
98.144.191.50
175.121.229.209
198.144.191.50
208.117.43.145
222.238.109.66
able-stock.net
capeinn.net
duriginal.net
euronotedetector.net
gonita.net
gutprofzumbns.com
http-page.net
live-satellite-view.net
morepowetradersta.com
ocean-movie.net
starsoftgroup.net
vespaboise.net
Wednesday, 6 February 2013
inukjob.com fake job offer (also ineurojob.com and hollandsjob.com)
This fake job offer from inukjob.com involves illegal money laundering, and it also seems that the scammers want to use your identity for "correspondence" which normally means things like reshipping stolen goods and identity theft.
The WHOIS details are fake:
Tara Zwilling info@inukjob.com
315-362-4562 fax: 315-362-4511
3201 Oak Street
Syracuse NY 13221
us
There is no number 3201 Oak Street in Syracuse, New York (see for yourself) and the Zip code is incorrect, it should be 13203 and not 13221.
There's no web site, mail is handled by a server at 31.214.169.94 (Exetel, Germany). The following mailservers can be found at that IP:
mx.ineurojob.com
mx.hollandsjob.com
mx.inukjob.com
You can assume that all these domains are fraudulent. If we dig a little deeper at the namesevers ns1.ariparts.net (also on 31.214.169.94) and ns2.ariparts.net (8.163.20.161, Level 3, US), then we can also find the following very dodgy domains:
hollandsjob.com
pracapolsk.com
ariparts.net
ineurojob.com
All these domains have fake or hidden registration details and can assume to be part of a scam. Avoid.
Update: Another version,
From: VictimI've seen another variant with a reply address of Delores@inukjob.com. In all these cases, the email appears to come from the victim (here's why). Let's dig a little deeper into the domain. It turns out that it is registered by scam-friendly Chinese registrar BIZCN.COM.
To: Victim
Date: 6 February 2013 09:16
Subject: Looking for remote assistants, paid $ 100 per hour helping other people
Good afternoon!
Is it possible for you to spare a few hours a week to the new occupation, which would increase your wages in 2-3 times, without investing a penny? While you are looking for the trick in this offer, hundreds of your compatriots have already been reaping the benefits of working with us.
This is not a financial pyramid or marketing of any kind. It's about doing simple assignments, not exceed the limits of morals or ethics.
Your gender, age, employment do not matter - the main factors are your diligence and conscientiousness.
Lots of our employees began with a part-time employment and combined with other jobs, but two weeks later,
most of them devoted themselves to our job.
We are in all respects ready to remove all your doubts and help you to understand all details.
Position is called the "Regional Manager".
Functional duties:
- to represent the interests of foreign companies in the region (For example: providing your address for correspondence.)
- to take control of transactions between the company and the client in your area.
For more information, please, email us attaching your CV, the country and city of residence.
It will considerably increase your chances for employment. Email: Kelsey@inukjob.com
Best Regards,
PR Manager
The WHOIS details are fake:
Tara Zwilling info@inukjob.com
315-362-4562 fax: 315-362-4511
3201 Oak Street
Syracuse NY 13221
us
There is no number 3201 Oak Street in Syracuse, New York (see for yourself) and the Zip code is incorrect, it should be 13203 and not 13221.
There's no web site, mail is handled by a server at 31.214.169.94 (Exetel, Germany). The following mailservers can be found at that IP:
mx.ineurojob.com
mx.hollandsjob.com
mx.inukjob.com
You can assume that all these domains are fraudulent. If we dig a little deeper at the namesevers ns1.ariparts.net (also on 31.214.169.94) and ns2.ariparts.net (8.163.20.161, Level 3, US), then we can also find the following very dodgy domains:
hollandsjob.com
pracapolsk.com
ariparts.net
ineurojob.com
All these domains have fake or hidden registration details and can assume to be part of a scam. Avoid.
Update: Another version,
Date: 7 February 2013 16:53
Subject: You can earn an additional $ 200 per day helping your communi
I would like to take this time to welcome you to our hiring process
and give you a brief synopsis of the position's benefits and requirements.
If you are taking a career break, are on a maternity leave,
recently retired or simply looking for some part-time job, this position is for you.
Occupation: Flexible schedule 2 to 8 hours per day. We can guarantee a minimum 20 hrs/week occupation
Salary: Starting salary is 2000 GBP per month plus commission, paid every month.
Business hours: 9:00 AM to 5:00 PM, MON-FRI, 9:00 AM to 1:00 PM SAT or part time (UK time).
Region: United Kingdom.
Please note that there are no startup fees or deposits to start working for us.
To request an application form, schedule your interview and receive more information about this position
please reply to Rene@inukjob.com with your personal identification number for this position IDNO: 6376
Labels:
Job Offer Scams,
Spam
Tuesday, 5 February 2013
Amazon.com spam / salam-tv.com
This fake Amazon email leads to malware on salam-tv.com:
morepowetradersta.com
capeinn.net
starsoftgroup.net
salam-tv.com
Date: Tue, 5 Feb 2013 18:32:06 +0100The malicious payload should be at [donotclick]salam-tv.com/detects/visit_putts.php but at the moment this domain doesn't seem to be resolving properly. A bit of digging around shows that it may be hosted on 198.144.191.50 (Chicago VPS, US) and the following malicious domains can be traced to that IP address:
From: "Amazon.com Orders" [no-reply@amazon.com]
Subject: Your Amazon.com order receipt.
Click here if the e-mail below is not displayed correctly.
Follow us:
Your Amazon.com Today's Deals See All Departments
Dear Amazon.com Customer,
Thanks for your order, [redacted]!
Did you know you can view and edit your orders online, 24 hours a day? Visit Your Account.
Order Details:
E-mail Address: [redacted]
Billing Address:
1170 CROSSING CRK N Rd.
Fort Wayne OH 49476-1748
United States
Phone: 1- 749-787-0001
Order Grand Total: $ 91.99
Earn 3% rewards on your Amazon.com orders with the Amazon Visa Card. Learn More
Order Summary:
Details:
Order #: C59-2302433-5787713
Subtotal of items: $ 91.99
------
Total before tax: $ 91.99
Tax Collected: $0.00
------
Grand Total: $ 90.00
Gift Certificates: $ 1.99
------
Total for this Order: $ 91.99
Find Great Deals on Millions of Items Storewide
We hope you found this message to be useful. However, if you'd rather not receive future e-mails of this sort from Amazon.com, please opt-out here.
� 2012 Amazon.com, Inc. or its affiliates. All rights reserved. Amazon, Amazon.com, the Amazon.com logo and 1-Click are registered trademarks of Amazon.com, Inc. or its affiliates. Amazon.com, 466 Sally Ave. N., Seattle, MA 71168-8282. Reference: 25090571
Please note that this message was sent to the following e-mail address: [redacted]
morepowetradersta.com
capeinn.net
starsoftgroup.net
salam-tv.com
Monday, 4 February 2013
01530 561700: PPI refund cold callers are also PPI mis-sellers
Quick version: 01530 561700 is a PPI claims company trading as ABC Claims Management, but the people involved have been directors of a firm fined for PPI mis-selling. If you really want to wind them up, say you were mis-sold PPI by a firm called Hadenglen.
Long version:
PPI refund cold callers are annoying, and are almost always dishonest scumbags who claim that you are eligible for a PPI refund, but in fact they have no idea about who you are and nor do they have access to your financial records.
But there's more to the folks calling from 01530 561700 than meets the eye. The claims management company calling from this number is called ABC Claims Management (abc-inc.co.uk) who quote an address of:
York House
Smisby Road
Ashby de la Zouch
Leicestershire
LE65 2UG
A look at the WHOIS details give a nearby address:
Domain name:
abc-inc.co.uk
Registrant:
HADENGLEN PLC
Registrant type:
Unknown
Registrant's address:
Hadenglen House Marlborough Square
Leicestershire
COALVILLE
LE67 3WD
United Kingdom
They list the owner as Hadenglen plc. Unlike many PPI claims firms, Hadenglen knows all about PPI.. because it and its boss were fined £182,000 in 2007 for PPI mis-selling. Hadenglen is no longer authorised to sell mortgages and there is a proposal to strike it off the register at Companies House.
The telephone number is closely associated with Hadenglen, both ABC and Hadenglen share the same address of:
SMISBY ROAD
ASHBY DE LA ZOUCH
LEICS
LE65 2UG
..and of course, Hadenglen registered the domain name.
Of course, the real gotcha is that two of the directors of ABC Incorporation Ltd are Paul Butler and Richard Hayes who were both directors of.. you guessed it.. Hadenglen. Indeed, Mr Hayes was fined £49,000 for his part in the Hadenglen PPI mis-selling.
You could argue that poachers make the best gamekeepers, and the directors of a firm that was involved in PPI mis-selling might be the best people to make a claim. Or you might think otherwise. But why pay someone to do it (which could be thousands of pounds) when you can do it for free?
Update: the scammers from ABC rang me again, and the woman calling identified the company but said she had never heard of her directors of Hadenglen.. which I very much doubt. I advised her to fuck off and leave me alone.
Long version:
PPI refund cold callers are annoying, and are almost always dishonest scumbags who claim that you are eligible for a PPI refund, but in fact they have no idea about who you are and nor do they have access to your financial records.
But there's more to the folks calling from 01530 561700 than meets the eye. The claims management company calling from this number is called ABC Claims Management (abc-inc.co.uk) who quote an address of:
York House
Smisby Road
Ashby de la Zouch
Leicestershire
LE65 2UG
A look at the WHOIS details give a nearby address:
Domain name:
abc-inc.co.uk
Registrant:
HADENGLEN PLC
Registrant type:
Unknown
Registrant's address:
Hadenglen House Marlborough Square
Leicestershire
COALVILLE
LE67 3WD
United Kingdom
They list the owner as Hadenglen plc. Unlike many PPI claims firms, Hadenglen knows all about PPI.. because it and its boss were fined £182,000 in 2007 for PPI mis-selling. Hadenglen is no longer authorised to sell mortgages and there is a proposal to strike it off the register at Companies House.
The telephone number is closely associated with Hadenglen, both ABC and Hadenglen share the same address of:
SMISBY ROAD
ASHBY DE LA ZOUCH
LEICS
LE65 2UG
..and of course, Hadenglen registered the domain name.
Of course, the real gotcha is that two of the directors of ABC Incorporation Ltd are Paul Butler and Richard Hayes who were both directors of.. you guessed it.. Hadenglen. Indeed, Mr Hayes was fined £49,000 for his part in the Hadenglen PPI mis-selling.
You could argue that poachers make the best gamekeepers, and the directors of a firm that was involved in PPI mis-selling might be the best people to make a claim. Or you might think otherwise. But why pay someone to do it (which could be thousands of pounds) when you can do it for free?
Update: the scammers from ABC rang me again, and the woman calling identified the company but said she had never heard of her directors of Hadenglen.. which I very much doubt. I advised her to fuck off and leave me alone.
Phytiva / XCHC pump-and-dump
This pump-and-dump spam (at least I assume that's what it is) caught my eye,
From: Hugh Crouch [tacticallyf44@riceco.com]The email originates from 31.25.91.159 in the Islamic Republic of Iran, spamvertising a site at www.xn--80aakfmpm2afbm.xn--p1ai (yes, that's a valid international domain name) hosted on 111.123.180.11 in China. In all likelihood, Phytiva and its parent company The X-Change Corporation (stock ticker XCHC) are almost definitely nothing to do with this rather odd spam. Avoid.
Date: 4 February 2013 12:39
Subject: RE: Targeting the global Cosmoceutical market
US leading biotech company is please to introduce a newly launched brand - a hybrid of a proven, existing product line that has been well-managed and conservatively-run for over a decade with a hemp-based product line, utilizing the unique and potent benefits of the plants. Revolutionary formulations target not just the symptom, but also the cause. The plant is the ideal basis for healing solutions and has been utilized for centuries, as skin responds extremely well to its properties.
Its newest Plant based Product lines that have identified over a dozen ailments that we believe that the products will be the superior choice on the market. These ailments include cancer, arthritis, influenza, HIV/ AIDS, PTSD and many more.
We are looking for leading beauty and health care investors. If you are dedicated to making difference in people”s lives, we need your help now more than ever before toprovide excellent and efficient medical and health care for our future researches.
For more information, please visit
You can unsubscribe from all our future email communications at
Labels:
Pump and Dump,
Spam
Something evil on 108.61.12.43 and 212.7.192.100
A few sites worth blocking on 108.61.12.43 (Constant Hosting, US) courtesy of Malware Must Die:
helloherebro.com
painterinvoice.ru
painterinvoicet.ru
immediatelyinvoicew.ru
While you are at it, you might like to block 212.7.192.100 (Dediserv, Netherlands) as well.
helloherebro.com
painterinvoice.ru
painterinvoicet.ru
immediatelyinvoicew.ru
While you are at it, you might like to block 212.7.192.100 (Dediserv, Netherlands) as well.
StumbleUpon spam / drugstorepillstablets.ru
This fake StumbleUpon spam is something new, it leads to a fake pharma site on drugstorepillstablets.ru:
ariseharsh.info
biah.ru
birthmed.com
carepillshealthcare.com
climbedwelness.com
drugripdrugshealth.ru
drugstorepharmacycenterline.com
drugstorepillstablets.ru
dvicemedicalrx.net
fatdietrx.com
genericsperrigo.com
goaddscan.com
gokeyscan.com
gorayscan.com
healthviagracare.com
healthwiblackwell.com
herbalwelgarcinia.net
ipadiet.net
ladenlismeds.com
lxie.ru
mail.carepillshealthcare.com
mediamoviestar.com
medicalwelhealthcare.com
medicaremedsromney.net
medpillsprescription.com
movietestworld.com
mytabhealth.com
ongy.ru
pharmacycialismeningitis.net
physicianslnesshealth.com
pilltabletsfitness.eu
rxdrugstorewalgreens.com
tabletspharmacynutrition.ru
tabletspharmacywellbeing.ru
tabpharmacyhealth.ru
theviagrahealth.com
treatmentsdrugstorepharmacy.ru
vikingsnotdead.com
Date: Mon, 4 Feb 2013 01:01:46 -0600 (CST)There's no surprise to see that the IP address of the spamvertised site is 92.48.119.139 (Simply Transit, UK) along with the following other possibly spammy sites:
From: StumbleUpon [no-reply@stumblemail.com]
Subject: Update: Changes to Your Email Settings
Hi [redacted],
This is a quick note to let you know about some changes we've made to the email settings in your StumbleUpon account. We've created a bunch of new notification options that allow you to have more control over what types of emails you'll receive from us. These new notification options are not compatible with the old settings, so your settings have been reset. We apologize for any inconvenience, and want to make sure we only send you the emails you want to receive.
Now what? Please click here to head over to your email settings and update your preferences, so we know exactly what emails you'd like to receive from StumbleUpon.
Want to receive all notifications about shares from friends, recommended Stumbles, and more? Great, you don't have to do anything at all!
Thanks for Stumbling,
The StumbleUpon Team
P.S. Haven't signed in for a while and can't remember your password? You can reset it here by entering the email address used in this email.
Please don't reply to this message - for all questions, check out our Help Center. To visit your email settings, please click here.
StumbleUpon | 301 Brannan Street, 6th Floor, San Francisco, CA 94107
ariseharsh.info
biah.ru
birthmed.com
carepillshealthcare.com
climbedwelness.com
drugripdrugshealth.ru
drugstorepharmacycenterline.com
drugstorepillstablets.ru
dvicemedicalrx.net
fatdietrx.com
genericsperrigo.com
goaddscan.com
gokeyscan.com
gorayscan.com
healthviagracare.com
healthwiblackwell.com
herbalwelgarcinia.net
ipadiet.net
ladenlismeds.com
lxie.ru
mail.carepillshealthcare.com
mediamoviestar.com
medicalwelhealthcare.com
medicaremedsromney.net
medpillsprescription.com
movietestworld.com
mytabhealth.com
ongy.ru
pharmacycialismeningitis.net
physicianslnesshealth.com
pilltabletsfitness.eu
rxdrugstorewalgreens.com
tabletspharmacynutrition.ru
tabletspharmacywellbeing.ru
tabpharmacyhealth.ru
theviagrahealth.com
treatmentsdrugstorepharmacy.ru
vikingsnotdead.com
Labels:
Fake Pharma,
Simply Transit,
Spam,
Viruses
Friday, 1 February 2013
Something evil on 50.116.40.194
50.116.40.194 (Linode, US) is hosting the Blackhole Exploit Kit (e.g. [donotclick]14.goodstudentloans.org/read/walls_levels.php - report here) and seems to have been active in the past 24 hours. I can see two domains at present, although there are probably many more ready to go:
14.goodstudentloans.org
14.mattresstoppersreviews.net
14.goodstudentloans.org
14.mattresstoppersreviews.net
Photos spam / eghirhiam.ru
Subject: PhotosAs is usually the case, the malware bounces through a legitimate hacked site and in this case ends up at [donotclick]eghirhiam.ru:8080/forum/links/public_version.php (report here) hosted on:
Good day,
your photos here http://www.jonko.com/photos.htm
82.148.98.36 (Qatar Telecom, Qatar)
195.210.47.208 (PS Internet Company Ltd, Kazakhstan)
202.72.245.146 (Railcom, Mongolia)
The following IPs and domains are all related and should be blocked:
82.148.98.36
195.210.47.208
202.72.245.146
bananamamor.ru
damagalko.ru
dekamerionka.ru
dfudont.ru
disownon.ru
dmpsonthh.ru
dmssmgf.ru
dumarianoko.ru
eghirhiam.ru
epiratko.ru
esekundi.ru
evkotnka.ru
evskindarka.ru
evujalo.ru
exiansik.ru
eziponoma.ru
Thursday, 31 January 2013
FDIC spam / 123435jynfbdf.myWWW.biz
This summary is not available. Please
click here to view the post.
Wednesday, 30 January 2013
FDIC spam / 1wstdfgh.organiccrap.com
Here's a slightly new spin on old spam, leading to malware on 1wstdfgh.organiccrap.com:
1wstdfgh.organiccrap.com
23v4tn6dgdr.organiccrap.com
v446numygjsrg.mymom.info
3vbtnyumv.ns02.us
crvbhn7jbtd.mywww.biz
Date: Wed, 30 Jan 2013 16:16:32 +0200The link in the email goes through a legitimate hacked site (in this case [donotclick]www.edenespinosa.com/track.php?fdic) to the amusingly named [donotclick]1wstdfgh.organiccrap.com/closest/984y3fh8u3hfu3jcihei.php (report here) hosted on 91.218.121.86 (CoolVDS / Kutcevol Maksum Mukolaevichm, US) which hosts the following suspect domains that you might want to block:
From: "Тимур.Носков@fdic.gov" [midshipmanc631@buprousa.com]
Subject: Important notice from FDIC
Attention!
Due to the adoption of a new security system, that is aimed at diminishing the number of cases of fraud and scams, all your ACH and WIRE transactions will be temporarily blocked until your security version meets the new requirements.. In order to restore your ability to make transactions, you are required to install a special security software. Please use the link below to download and install all the necessary files.
We apologize for causing you troubles by this measure.
If you need any assistance, please do not hesitate to contact us.
Sincerely yours,
Federal Deposit Insurance Corporation
Security Department
1wstdfgh.organiccrap.com
23v4tn6dgdr.organiccrap.com
v446numygjsrg.mymom.info
3vbtnyumv.ns02.us
crvbhn7jbtd.mywww.biz
Intelius spam (or is it a data breach?)
This spam was sent to an email address only used for register for intelius.com. Either there has been a data breach at Intelius, or they have decided to go into the gambling business.
The originating IP is 176.200.202.100 (Telecom Italia, Italy), spamvertised site is www.igrandpalacegold.com on 91.217.52.125 (Fajncom SRO, Czech Republic) and is registered to:
Klemens Chmielewski
Klemens Chmielewski (calder@igrandpalacegold.com)
ul. Czerniowiecka 78
Warszawa
Warszawa,02-705
PL
Tel. +48.722514299
I'm assuming that Intelius doesn't want to promote what would be illegal gambling for US citizens, which really leads just one other option..
From: Grand Palace Slots [no-reply@tsm-forum.net]
Date: 30 January 2013 10:39
Subject: Try to play slots - 10$ free
Mailed-By: tsm-forum.net
Feel the unique excitement of playing at the world's premiere games!
Grand Palace gives you welcome package for slots up to 8,000$! What a fantastic offer, straight from the heart of World's gaming leader!
This is a great offer, especially when you see what else Grand Palace has to offer:
- US players welcome
- more than 100 fun games, realistic graphics
- the most secure and up-to-date software
- professional support staff to help you with whatever you might need, any time of the day or night!
And in the end we want to give you 10$ absolutelly free! (Use code CASH10)
Hurry up! Your free Grand Palace cash is waiting! Play Today!
http://www.igrandpalacegold.com
=========================================================
Click here to opt out of this email:
http://unsubscribe.igrandpalacegold.com
The originating IP is 176.200.202.100 (Telecom Italia, Italy), spamvertised site is www.igrandpalacegold.com on 91.217.52.125 (Fajncom SRO, Czech Republic) and is registered to:
Klemens Chmielewski
Klemens Chmielewski (calder@igrandpalacegold.com)
ul. Czerniowiecka 78
Warszawa
Warszawa,02-705
PL
Tel. +48.722514299
I'm assuming that Intelius doesn't want to promote what would be illegal gambling for US citizens, which really leads just one other option..
Labels:
Data Breach,
Spam
Monday, 28 January 2013
"Most recent events on Facebook" spam / gonita.net
This fake Facebook spam leads to malware on gonita.net:
The malicious payload is at [donotclick]gonita.net/detects/sign_on_to_resume.php (report here) hosted on the well-known IP of 222.238.109.66 (Hanaro Telecom, Korea).
The following malicious domains are active on the same IP:
morepowetradersta.com
kendallvile.com
alphabeticalwin.com
ehadnedrlop.com
postofficenewsas.com
prepadav.com
masterseoprodnew.com
vespaboise.net
duriginal.net
shininghill.net
euronotedetector.net
fx-points.net
africanbeat.net
ensconcedattractively.biz
gonita.net
Date: Mon, 28 Jan 2013 17:30:50 +0100
From: "Facebook" [addlingabn2@bmatter.com]
Subject: Most recent events on Facebook
Hi [redacted],
You have disabled your Facebook account. You can reveal your account whenever you wish by logging into Facebook with your old login email address and password. After that you will be able to enjoy the site in the same way as before.
Kind regards,
The Facebook Team
Log in to Facebook and start connecting
Sign in
Please use the link below to resume your account :
http://www.facebook.com/resume/
This message was sent to [redacted]. If you don't want to receive these emails from Facebook in the future, please click: unsubscribe.
Facebook, Inc. Attention: Department 419 P.O Box 10007 Palo Alto CA 94301
The malicious payload is at [donotclick]gonita.net/detects/sign_on_to_resume.php (report here) hosted on the well-known IP of 222.238.109.66 (Hanaro Telecom, Korea).
The following malicious domains are active on the same IP:
morepowetradersta.com
kendallvile.com
alphabeticalwin.com
ehadnedrlop.com
postofficenewsas.com
prepadav.com
masterseoprodnew.com
vespaboise.net
duriginal.net
shininghill.net
euronotedetector.net
fx-points.net
africanbeat.net
ensconcedattractively.biz
gonita.net
Zbot sites to block 28/1/13
These domains and IPs are currently acting as C&C and distribution servers for Zbot. I would advise blocking these IPs and domains if you can.
There are three parts to the list: IPs with hosting company names, plain IPs for copy-and-pasting and domains identified on these servers.
5.45.181.164 (Bradler & Krantz, Germany)
5.175.148.207 (GHOSTnet, Germany)
24.126.203.109 (Comcast, US)
31.170.106.13 (Bradler & Krantz, Germany)
37.26.244.86 (Digicube, France)
37.59.76.3 (OVH, Netherlands)
42.96.136.158 (Alibaba, China)
43.101.119.123 (Kokusai-kougyou-kanda Bldg., Japan)
46.249.46.182 (Serverius, Netherlands)
50.19.77.237 (Amazon, US)
50.31.99.126 (Steadfast Networks, US)
59.90.147.31 (BSNL Internet, India)
59.167.120.210 (Internode, Australia)
64.221.210.108 (XO Communications, US)
69.65.47.245 (Bodhost, US)
69.85.92.155 (Hostigation, US)
72.66.16.146 (Verizon, US)
73.123.5.128 (Comcast, US)
80.152.149.121 (Deutsche Telekom, Germany)
84.253.2.244 (Cybernet, Switzerland)
85.93.219.253 (Visual Online, Luxembourg)
88.88.101.162 (Telenor Norge, Norway)
91.121.248.127 (OVH, Spain)
92.21.156.70 (TalkTalk, UK)
92.146.246.96 (France Telecom, France)
93.92.207.86 (Saint-Petersburg Computer Networks Ltd, Russia)
94.76.234.163 (Simply Transit, UK)
95.225.161.106 (Telecom Italia, Italy)
99.169.151.134 (SBC Internet Services, US)
101.89.80.132 (China Telecom, China)
115.153.226.65 (China Telecom, China)
118.41.184.73 (Kornet, Korea)
119.252.162.18 (Comnets Plus, Indonesia)
123.224.196.84 (Open Computer Network, Japan)
125.63.91.52 (Spectra ISP, India)
128.32.149.121 (University Of California, US)
141.0.176.155 (Avantel, Russia)
141.0.176.231 (Avantel, Russia)
159.253.20.217 (FastVPS, Estonia)
166.111.143.248 (Tsinghua University, China)
173.213.112.245 (Eonix Corporation, US)
176.56.229.201 (RouteLabel, Netherlands)
184.82.187.181 (HostNOC, US)
189.75.96.19 (Brasil Telecom, Brazil)
193.254.233.242 (Teleradiocompany Soniko-Svyaz Ltd, Ukraine)
202.57.189.141 (Internet Service Provider Co. Ltd., Thailand)
209.207.112.195 (Treasuremart, Canada)
210.56.15.19 (COMSATS, Pakistan)
211.20.45.138 (Chunghwa Telecom, Taiwan)
216.224.176.47 (Earthlink, US)
5.45.181.164
5.175.148.207
24.126.203.109
31.170.106.13
37.26.244.86
37.59.76.3
42.96.136.158
43.101.119.123
46.249.46.182
50.19.77.237
50.31.99.126
59.90.147.31
59.167.120.210
64.221.210.108
69.65.47.245
69.85.92.155
72.66.16.146
73.123.5.128
80.152.149.121
84.253.2.244
85.93.219.253
88.88.101.162
91.121.248.127
92.21.156.70
92.146.246.96
93.92.207.86
94.76.234.163
95.225.161.106
99.169.151.134
101.89.80.132
115.153.226.65
118.41.184.73
119.252.162.18
123.224.196.84
125.63.91.52
128.32.149.121
141.0.176.155
141.0.176.231
159.253.20.217
166.111.143.248
173.213.112.245
176.56.229.201
184.82.187.181
189.75.96.19
193.254.233.242
202.57.189.141
209.207.112.195
210.56.15.19
211.20.45.138
216.224.176.47
advstar.com
aldio.ru
askwhite.net
atkit.ru
autocanonicals.com
billablelisten.pl
bioshift.net
boxtralsurvisv.pl
cflyon.ru
cipriotdilingel.ru
confloken.ru
dinitrolkalor.com
dobar.pl
dqnouce.ru
encounterkaspe.pl
evamaro.ru
fearedembracin.su
fitoteafclope.pl
gellax.com
haicut.com
htimemanagemen.su
indianayellow.net
infocyber.pl
jintropictonic.pl
kcrio-oum.com
litfors.com
mypicshare.net
namelesscorn.net
netfest.pl
ntrolingwhitel.pl
orlandotenerife.net
phicshappening.com
photoshopya.net
porkystory.net
quliner.ru
rolino.pl
sadertokenupd.ru
secmicroupdate.ru
secondhandfurnitur.com
seldomname.com
sminiviolatede.pl
stadionservisecheck.ru
steppinglegalzoom.com
stockanddraw.net
suggestedlean.com
svictrorymedia.ru
trainyardscree.pl
uawxaeneh.com
usergateproxy.net
weatherrecord.net
widexsecconnect.ru
youhavegomail.com
There are three parts to the list: IPs with hosting company names, plain IPs for copy-and-pasting and domains identified on these servers.
5.45.181.164 (Bradler & Krantz, Germany)
5.175.148.207 (GHOSTnet, Germany)
24.126.203.109 (Comcast, US)
31.170.106.13 (Bradler & Krantz, Germany)
37.26.244.86 (Digicube, France)
37.59.76.3 (OVH, Netherlands)
42.96.136.158 (Alibaba, China)
43.101.119.123 (Kokusai-kougyou-kanda Bldg., Japan)
46.249.46.182 (Serverius, Netherlands)
50.19.77.237 (Amazon, US)
50.31.99.126 (Steadfast Networks, US)
59.90.147.31 (BSNL Internet, India)
59.167.120.210 (Internode, Australia)
64.221.210.108 (XO Communications, US)
69.65.47.245 (Bodhost, US)
69.85.92.155 (Hostigation, US)
72.66.16.146 (Verizon, US)
73.123.5.128 (Comcast, US)
80.152.149.121 (Deutsche Telekom, Germany)
84.253.2.244 (Cybernet, Switzerland)
85.93.219.253 (Visual Online, Luxembourg)
88.88.101.162 (Telenor Norge, Norway)
91.121.248.127 (OVH, Spain)
92.21.156.70 (TalkTalk, UK)
92.146.246.96 (France Telecom, France)
93.92.207.86 (Saint-Petersburg Computer Networks Ltd, Russia)
94.76.234.163 (Simply Transit, UK)
95.225.161.106 (Telecom Italia, Italy)
99.169.151.134 (SBC Internet Services, US)
101.89.80.132 (China Telecom, China)
115.153.226.65 (China Telecom, China)
118.41.184.73 (Kornet, Korea)
119.252.162.18 (Comnets Plus, Indonesia)
123.224.196.84 (Open Computer Network, Japan)
125.63.91.52 (Spectra ISP, India)
128.32.149.121 (University Of California, US)
141.0.176.155 (Avantel, Russia)
141.0.176.231 (Avantel, Russia)
159.253.20.217 (FastVPS, Estonia)
166.111.143.248 (Tsinghua University, China)
173.213.112.245 (Eonix Corporation, US)
176.56.229.201 (RouteLabel, Netherlands)
184.82.187.181 (HostNOC, US)
189.75.96.19 (Brasil Telecom, Brazil)
193.254.233.242 (Teleradiocompany Soniko-Svyaz Ltd, Ukraine)
202.57.189.141 (Internet Service Provider Co. Ltd., Thailand)
209.207.112.195 (Treasuremart, Canada)
210.56.15.19 (COMSATS, Pakistan)
211.20.45.138 (Chunghwa Telecom, Taiwan)
216.224.176.47 (Earthlink, US)
5.45.181.164
5.175.148.207
24.126.203.109
31.170.106.13
37.26.244.86
37.59.76.3
42.96.136.158
43.101.119.123
46.249.46.182
50.19.77.237
50.31.99.126
59.90.147.31
59.167.120.210
64.221.210.108
69.65.47.245
69.85.92.155
72.66.16.146
73.123.5.128
80.152.149.121
84.253.2.244
85.93.219.253
88.88.101.162
91.121.248.127
92.21.156.70
92.146.246.96
93.92.207.86
94.76.234.163
95.225.161.106
99.169.151.134
101.89.80.132
115.153.226.65
118.41.184.73
119.252.162.18
123.224.196.84
125.63.91.52
128.32.149.121
141.0.176.155
141.0.176.231
159.253.20.217
166.111.143.248
173.213.112.245
176.56.229.201
184.82.187.181
189.75.96.19
193.254.233.242
202.57.189.141
209.207.112.195
210.56.15.19
211.20.45.138
216.224.176.47
advstar.com
aldio.ru
askwhite.net
atkit.ru
autocanonicals.com
billablelisten.pl
bioshift.net
boxtralsurvisv.pl
cflyon.ru
cipriotdilingel.ru
confloken.ru
dinitrolkalor.com
dobar.pl
dqnouce.ru
encounterkaspe.pl
evamaro.ru
fearedembracin.su
fitoteafclope.pl
gellax.com
haicut.com
htimemanagemen.su
indianayellow.net
infocyber.pl
jintropictonic.pl
kcrio-oum.com
litfors.com
mypicshare.net
namelesscorn.net
netfest.pl
ntrolingwhitel.pl
orlandotenerife.net
phicshappening.com
photoshopya.net
porkystory.net
quliner.ru
rolino.pl
sadertokenupd.ru
secmicroupdate.ru
secondhandfurnitur.com
seldomname.com
sminiviolatede.pl
stadionservisecheck.ru
steppinglegalzoom.com
stockanddraw.net
suggestedlean.com
svictrorymedia.ru
trainyardscree.pl
uawxaeneh.com
usergateproxy.net
weatherrecord.net
widexsecconnect.ru
youhavegomail.com
Friday, 25 January 2013
UPS spam / eziponoma.ru
This fake UPS spam leads to malware on eziponoma.ru:
94.23.3.196 (OVH, France)
195.210.47.208 (PS Internet Company, Kazakhstan)
202.72.245.146 (Railcom, Mongolia)
From: messages-noreply@bounce.linkedin.com [mailto:messages-noreply@bounce.linkedin.com] On Behalf Of LinkedIn PasswordThe malicious payload is at [donotclick]eziponoma.ru:8080/forum/links/column.php which is hosted on:
Sent: 25 January 2013 04:12
Subject: UPS Tracking Number H0931698016
You can use UPS Services to:
Ship Online
Schedule a Pickup
Open a UPS Services Account
Welcome to UPS .com Customer Services
Hi, [redacted].
DEAR CLIENT , RECIPIENT'S ADDRESS IS WRONG
PLEASE PRINT OUT THE INVOICE COPY ATTACHED AND COLLECT THE PACKAGE AT OUR DEPARTMENT.
With Respect , Your UPS Customer Services.
________________________________________
Copyright 2011 United Parcel Service of America, Inc. UNITED STATES POSTAL SERVICES, the Your USPS TEAM brandmark, and the color brown are trademarks of United Parcel Service of America, Inc. All rights reserved.
Please do not reply directly to this e-mail. USPS CUSTOMER SERVICES will not receive any reply message. For questions or comments, visit Contact UPS.
We understand the importance of privacy to our customers. For more information, please consult the USPS Team Privacy Policy.
This communication contains proprietary information and may be confidential. If you are not the intended recipient, the reading, copying, disclosure or other use of the contents of this e-mail is strictly prohibited and you are instructed to please delete this e-mail immediately.
94.23.3.196 (OVH, France)
195.210.47.208 (PS Internet Company, Kazakhstan)
202.72.245.146 (Railcom, Mongolia)
FedEx spam / vespaboise.net
This fake FedEx spam leads to malware on vespaboise.net:
The malicious payload is at [donotclick]vespaboise.net/detects/invoice_overview.php which is on the very familiar IP address of 222.238.109.66 (Hanaro Telecom, Korea) which has been used in several recent attacks.. blocking it would be prudent.
Date: Fri, 25 Jan 2013 15:39:33 +0200
From: services@fedex.com
Subject: FedEx Billing - Bill Prepared to be Paid
FedEx Billing - Bill Prepared to be Paid
fedex.com
[redacted]
You have a new invoice(s) from FedEx that is prepared for discharge.
The following invoice(s) are ready for your overview:
Invoice Number
Invoice Amount
2-649-22849
49.81
1-181-19580
257.40
To pay or overview these invoices, please log in to your FedEx Billing Online account proceeding this link: http://www.fedex.com/us/account/fbo
Note: Please do not use this email to submit payment. This email may not be used as a remittance notice. To pay your invoices, please visit FedEx Billing Online, http://www.fedex.com/us/account/fbo
Thank you,
Revenue Services
FedEx
Please Not try to reply to this message. auto informer system cannot accept incoming mail.
The content of this message is protected by copyright and trademark laws under U.S. and international law.
review our privacy policy . All rights reserved.
The malicious payload is at [donotclick]vespaboise.net/detects/invoice_overview.php which is on the very familiar IP address of 222.238.109.66 (Hanaro Telecom, Korea) which has been used in several recent attacks.. blocking it would be prudent.
Thursday, 24 January 2013
ADP spam / 14.sofacomplete.com
This fake ADP spam leads to malware on 14.sofacomplete.com:
The malicious payload is at [donotclick]14.sofacomplete.com/read/saint_hate-namely_fails.php hosted on 173.246.103.26 (Gandi, US). These other malicious domains are also visible, there may be more:
14.sofacomplete.com
14.onlinecollegecomplete.com
14.technicianinformations.com
Update, these additional sites are on the same server:
14.internationalscholarships.org
14.igeekygadgets.com
From: Erna_Thurman@ADP.comDate: 24 January 2013 17:48
Subject: ADP Generated Message: Final Notice - Digital Certificate Expiration
This e-mail has been sent from an automated system. PLEASE DO NOT REPLY. If you have any questions, please contact your administrator for assistance.
---------------------------------------------------------------------
Digital Certificate About to Expire
---------------------------------------------------------------------
The digital certificate you use to access ADP's Internet services is about to expire. If you do not renew your certificate by the expiration date below, you will not be able to access ADP's Internet services.
Days left before expiration: 1
Expiration date: Jan 25 23:59:59 GMT-03:59 2013
--------------------------------------------------------------------
Renewing Your Digital Certificate
---------------------------------------------------------------------
1. Go to this URL: https://netsecure.adp.com/pages/cert/register2.jsp
2. Follow the instructions on the screen.
3. Also you can download new digital certificate at https://netsecure.adp.com/pages/cert/pickUpCert.faces.
---------------------------------------------------------------------
Deleting Your Old Digital Certificate
---------------------------------------------------------------------
After you renew your digital certificate, be sure to delete the old certificate. Follow the instructions at the end of the renewal process.
The malicious payload is at [donotclick]14.sofacomplete.com/read/saint_hate-namely_fails.php hosted on 173.246.103.26 (Gandi, US). These other malicious domains are also visible, there may be more:
14.sofacomplete.com
14.onlinecollegecomplete.com
14.technicianinformations.com
Update, these additional sites are on the same server:
14.internationalscholarships.org
14.igeekygadgets.com
Fake pharma sites 24/1/13
Here's an updated list of fake RX sites being promoted through vague spam like this:
199.59.56.59 (Hostwinds, Australia)
209.236.67.220 (WestHost Inc, US)
Currently active spamvertised sites are as follows:
adderallsprescription.com
annotatedtabmed.com
caloriesab.com
canadaviagracent.com
caregiverskicare.net
centerlinedrugstore.net
cheaptabletsdrugstore.ru
clubmedspills.ru
dosedrugstorepills.ru
drugriphealthdrugs.ru
drugshealthpharmacy.ru
drugshealthrx.ru
drugstabletsfitness.ru
drugstorecapspills.ru
drugstoredosespills.ru
drugstorepharmacycenterline.com
drugstorepharmacypillstablets.ru
drugstorepill.com
drugstorepillsrx.ru
drugstorerxhealth.ru
drugstorerxpills.ru
drugtorehealthmeds.ru
drugtoremedicinesrx.ru
drugtorenutritiontablets.ru
drugtorepillsfitness.ru
drugtorepillsnutrition.ru
drugtoretabletsdrugstore.ru
drugtoretabletspharmacy.ru
drugtoretabletsrx.ru
experienced.healthcarewimedical.com
fitnessmedsrx.ru
fitnesspharmacypills.ru
fitnesspillsrx.ru
genericpillstablets.ru
gokeyscan.com
healthcarehealthcare.com
healthcarerxpharmacy.ru
healthmedsrx.ru
healthpillsrx.ru
israeltrapharm.com
kzqaooiw.com
marijuanarxmedicine.com
medicaidmeds.com
medicalmedspatients.com
medicinetoretabletspharmacy.ru
medpillsprescription.com
memoglobalmedia.com
nislevitra.com
northwesternlevitrapills.net
nutritionpill.ru
ozzaltinza.com
parisdrugstore.ru
patientswelnesshealthcare.com
pharmacyhealthcarerx.ru
pharmacypillspharmacy.ru
pharmacytabletstabs.ru
pharmacytabletstreatments.ru
pharmacywellbeing.ru
pilldrugstoregroup.com
pillmedicalhospital.pl
pillpharmacymeds.ru
pillsaleshoppers.com
pillsmedicalsrx.ru
pillsphysicpharma.ru
prescriptioncialteens.com
prescriptiondrugwalmart.com
ricecialis.com
rxcaution.com
sedationmed.com
tabcalories.com
tabspharmacytablets.ru
zury.ru
Date: Thu, 24 Jan 2013 04:44:45 +0000 (GMT)As with a few days ago, these sites are hosted on:
From: "Account Info Change" [noreply@etraxx.com]
Subject: Updated information
Attention please:
- Over 50 new positions added (view recently added products)
- Free positions included with all accounts (read more here)
- The hottest products awaiting you in the first weeks of the new year (read more here)
- We want you to feel as comfortable as possible while you?re at our portal.
Click Here to Unsubscribe
199.59.56.59 (Hostwinds, Australia)
209.236.67.220 (WestHost Inc, US)
Currently active spamvertised sites are as follows:
adderallsprescription.com
annotatedtabmed.com
caloriesab.com
canadaviagracent.com
caregiverskicare.net
centerlinedrugstore.net
cheaptabletsdrugstore.ru
clubmedspills.ru
dosedrugstorepills.ru
drugriphealthdrugs.ru
drugshealthpharmacy.ru
drugshealthrx.ru
drugstabletsfitness.ru
drugstorecapspills.ru
drugstoredosespills.ru
drugstorepharmacycenterline.com
drugstorepharmacypillstablets.ru
drugstorepill.com
drugstorepillsrx.ru
drugstorerxhealth.ru
drugstorerxpills.ru
drugtorehealthmeds.ru
drugtoremedicinesrx.ru
drugtorenutritiontablets.ru
drugtorepillsfitness.ru
drugtorepillsnutrition.ru
drugtoretabletsdrugstore.ru
drugtoretabletspharmacy.ru
drugtoretabletsrx.ru
experienced.healthcarewimedical.com
fitnessmedsrx.ru
fitnesspharmacypills.ru
fitnesspillsrx.ru
genericpillstablets.ru
gokeyscan.com
healthcarehealthcare.com
healthcarerxpharmacy.ru
healthmedsrx.ru
healthpillsrx.ru
israeltrapharm.com
kzqaooiw.com
marijuanarxmedicine.com
medicaidmeds.com
medicalmedspatients.com
medicinetoretabletspharmacy.ru
medpillsprescription.com
memoglobalmedia.com
nislevitra.com
northwesternlevitrapills.net
nutritionpill.ru
ozzaltinza.com
parisdrugstore.ru
patientswelnesshealthcare.com
pharmacyhealthcarerx.ru
pharmacypillspharmacy.ru
pharmacytabletstabs.ru
pharmacytabletstreatments.ru
pharmacywellbeing.ru
pilldrugstoregroup.com
pillmedicalhospital.pl
pillpharmacymeds.ru
pillsaleshoppers.com
pillsmedicalsrx.ru
pillsphysicpharma.ru
prescriptioncialteens.com
prescriptiondrugwalmart.com
ricecialis.com
rxcaution.com
sedationmed.com
tabcalories.com
tabspharmacytablets.ru
zury.ru
Labels:
Fake Pharma,
Spam
"Efax Corporate" spam / epimarkun.ru
Date: Thu, 24 Jan 2013 04:04:42 +0600There is an attachment called Efax_Corporate.htm leading to a malicious payload at [donotclick]epimarkun.ru:8080/forum/links/column.php which is hosted on the following IPs:
From: Habbo Hotel [auto-contact@habbo.com]
Subject: Efax Corporate
Attachments: Efax_Corporate.htm
Fax Message [Caller-ID: 963153883]
You have received a 28 pages fax at Thu, 24 Jan 2013 04:04:42 +0600, (157)-194-4168.
* The reference number for this fax is [eFAX-009228416].
View attached fax using your Internet Browser.
� 2013 j2 Global Communications, Inc. All rights reserved.
eFax � is a registered trademark of j2 Global Communications, Inc.
This account is subject to the terms listed in the eFax � Customer Agreement.
50.31.1.104 (Steadfast Networks, US)
94.23.3.196 (OVH, France)
202.72.245.146 (Mongolian Railway Commercial Center, Mongolia)
These IPs and domains are all malicious:
50.31.1.104
94.23.3.196
202.72.245.146
dmssmgf.ru
esekundi.ru
esenstialin.ru
disownon.ru
epimarkun.ru
damagalko.ru
dumarianoko.ru
epiratko.ru
dfudont.ru
Wednesday, 23 January 2013
NACHA spam / canonicalgrumbles.biz
This fake NACHA spam leads to malware on canonicalgrumbles.biz:
I've seen other malware servers in 93.190.40.0/21 before, I would recommend blocking the whole lot.
Date: Wed, 23 Jan 2013 16:55:46 +0100The malicious payload is at [donotclick]canonicalgrumbles.biz/closest/984y3fh8u3hfu3jcihei.php (report here) hosted on 93.190.46.138 (Ukranian Hosting / ukrainianhosting.com)
From: ".Анисимов@direct.nacha.org" [throttled2@inneremitte.de]
Subject: Direct Deposit payment was declined
Attn: Accounting Department
We regret to inform you, that your latest Direct Deposit transaction (#432007776488) was declined,because of your current Direct Deposit software being out of date. The detailed information about this matter is available in the secure section of our web site:
Click here for more information
Please contact your financial institution to get the necessary updates of the Direct Deposit software.
Kind regards,
ACH Network Rules Department
NACHA - The Electronic Payments Association
10608 Sunrise Valley Drive, Suite 452
Herndon, VA 20169
Phone: 703-561-4685 Fax: 703-787-1154
I've seen other malware servers in 93.190.40.0/21 before, I would recommend blocking the whole lot.
H Seal and Company fake job offer
H Seal is a real, legitimate firm. This email is not from H Seal, but a criminal organisation wanting to recruit people for money laundering and other unlawful activities. Originating IP is 199.254.123.20 (Intermedia, US) and the Reply-To address is john_jackson1976@yahoo.com.ph which indicates someone in the Philppines.
From: H. Seal & Company Ltd [jonjack7745@yahoo.com.ph]
Reply-To: john_jackson1976@yahoo.com.ph
Date: 23 January 2013 12:38
Subject: Would you like to work online from Home/Temporarily.
Hello.
Would you like to work online from Home/Temporarily.
We are glad to offer you a job position without paying for application.
Our Company H. Seal & Company Ltd are into Insurance, Buying and Selling cars, Incidents and Accidents Insurance. with numerous customers home and abroad. We need a representative in the Asia, Japan, china, Europe, South Africa, USA, CA, and Australia. who will be in charge of all our payment from clients/customers in Asia, Europe, Canada, and Usa
Your tasks are:
1. Receive payment from our Customers through mail: (DHL, FEDEX, UPS OR OTHER FORM OF DELEIEVERY)
2. Cash it at your Bank
3. Deduct 10% which will be your percentage/pay on Payment processed
4. Forward balance after deduction of percentage/pay to any of the offices
you will be contacted to send payment to.
Payment is to be forwarded either by Money Gram or Western Union Money
Transfer. A local Money transfer takes barely hours, so it will give us a possibility to get customer payment almost immediately.
Kindly provide us with the requested details below if you are interested.
Full Name
Full Address
Bank Name
City:
State:
Zip Code:
Country:
Phone:
Age:
present or prev job:
Can you Check email at least twice Daily?
========================
You are to respond to this offer by clicking reply to this message and filling the required information where necessary.
We await your urgent response.Thank you for your help. We look forward to working with you.
Regards
John Jackson
Labels:
Job Offer Scams,
Spam
Corporate eFax spam / 13.carnovirious.net
This spam is leading to malware on 13.carnovirious.net, a domain spotted earlier today.. but one that has switched server to 74.91.117.49 since then.
The spam leads to an exploit kit on [donotclick]13.carnovirious.net/read/persons_jobs.php hosted on 74.91.117.49 by Nuclear Fallout Enterprises. You should probably block 74.91.117.50 as well.
The following domains are on these two IPs:
13.jonemnominik.net
13.lomerdaster.net
13.zabakarvester.net
13.carnovirious.net
13.blumotorada.net
From: Corporate eFax [message@inbound.efax.com] via luther.k12.wi.us
Date: 23 January 2013 15:52
Subject: Corporate eFax message - 4 pages
Mailed-by: luther.k12.wi.us
Fax Message [Caller-ID: 607-652-2962]
You have received a 4 pages fax at 2013-01-23 12:00:13 GMT.
* The reference number for this fax is min1_did27-5667781893-3154150936-31.
View this fax using your PDF reader.
Click here to view this message
Please visit www.eFax.com/en/efax/twa/page/help if you have any questions regarding this message or your service.
Thank you for using the eFax service!
Home Contact Login
Powered by j2
2013 j2 Global Communications, Inc. All rights reserved.
eFax is a registered trademark of j2 Global Communications, Inc.
This account is subject to the terms listed in the eFax Customer Agreement.
The spam leads to an exploit kit on [donotclick]13.carnovirious.net/read/persons_jobs.php hosted on 74.91.117.49 by Nuclear Fallout Enterprises. You should probably block 74.91.117.50 as well.
The following domains are on these two IPs:
13.jonemnominik.net
13.lomerdaster.net
13.zabakarvester.net
13.carnovirious.net
13.blumotorada.net
Labels:
Malware,
Nuclear Fallout Enterprises,
Spam,
Viruses
USPS spam / euronotedetector.net
This fake USPS spam leads to malware on euronotedetector.net:
The following malicious domains are on the same IP:
kendallvile.com
seoseoonwe.com
alphabeticalwin.com
ehadnedrlop.com
bestwesttest.com
prepadav.com
masterseoprodnew.com
cocolspottersqwery.com
teamrobotmusic.net
shininghill.net
africanbeat.net
euronotedetector.net
From: USPS Quantum View [mailto:notify@usps.com]The malicious payload is at [donotclick]euronotedetector.net/detects/updated_led-concerns.php hosted on the familiar IP address of 222.238.109.66 (Hanaro Telecome, Korea) which has been used in several recent attacks.
Sent: 23 January 2013 14:33
Subject: Your USPS postage labels charge.
Acct #: 2377203
[redacted]
This is an email confirmation for your order of 5 online shipping label(s) with postage. Your credit card will be charged the following amount:
Transaction ID: #9724602
Print Date/Time: 01/21/2013 02:05 PM EST
Postage Amount: $21.80
Credit Card Number: XXXX XXXX XXXX XXXX
Overnight Mail Regional Rate Box B # 7184 5899 9548 5735 5133 (Sequence Number 1 of 1)
If you need further assistance, please log on to www.usps.com/clicknship and go to your Shipping History or visit our Frequently Asked Questions .
Refunds for unused postage-paid labels can be requested online up to 10 days after the issue date by logging on to your Click-N-Ship Account.
Thank you for choosing the United States Postal Service
Click-N-Ship: The Online Shipping Solution
Click-N-Ship has just made on line shipping with the USPS even better.
New Enhanced International Label and Customs Form: Updated Look and Easy to Use!
* * * * * * * *
This is a post-only message. Please do not respond
The following malicious domains are on the same IP:
kendallvile.com
seoseoonwe.com
alphabeticalwin.com
ehadnedrlop.com
bestwesttest.com
prepadav.com
masterseoprodnew.com
cocolspottersqwery.com
teamrobotmusic.net
shininghill.net
africanbeat.net
euronotedetector.net
BT Business spam / esenstialin.ru
Date: Wed, 23 Jan 2013 05:18:56 +0100
From: MackenzieCronin@[victimdomain]
Subject: BT Business Direct Order
Attachments: DeliveryTR992802.htm
Notice of delivery
Hi,
We're pleased to confirm that we have now accepted and despatched your order on Wed, 23 Jan 2013 05:18:56 +0100.
Unless you chose a next day or other premium delivery service option, then in most cases your order will arrive within 1-3 days. If we despatched your order via Letterpost, it may take a little longer.
***Please note that your order may have shipped in separate boxes and this means that separate consignment numbers may be applicable***
We've despatched...
..using the attached shipment details...
Courier Ref Carriage method
Royal Mail 53792837735 1-3 Days
Please note that you will only be able to use this tracking reference once the courier has scanned the parcel into their depot. Please allow 24 hours from the date of this email before tracking your parcel online.
For information on how track your delivery, please follow to attached file.
Important information for Yodel deliveries:
If your consignment number starts with KN8053154 your delivery will require a signature. If there is no-one at the delivery address to sign for the goods a card will be left containing the contact details of the courier so that you can re-arrange delivery or arrange a collection.
The malicious payload is on [donotclick]esenstialin.ru:8080/forum/links/column.php hosted on the following IPs:
50.31.1.104 (Steadfast Networks, US)
91.224.135.20 (Proservis UAB, Lithunia)
Something evil on 74.91.117.50
OK, I can see just two malicious domains on 74.91.117.50 but they are currently spreading an exploit kit through this spam run.
The domain is allocated to Nuclear Fallout Enterprises who often seem to host malware sites like this, so there's a good chance that more evil will turn up on this IP.
These are the domains that I can see right now:
13.blumotorada.net
13.carnovirious.net
The domains are registered wit these apparently fake details:
Glen Drobney office@glenarrinera.com
1118 hagler dr
neptune bch
FL
32266
US
Phone: +1.9044019773
Since there will almost definitely be more malicious domains coming up on this IP, it is well worth blocking.
The domain is allocated to Nuclear Fallout Enterprises who often seem to host malware sites like this, so there's a good chance that more evil will turn up on this IP.
These are the domains that I can see right now:
13.blumotorada.net
13.carnovirious.net
The domains are registered wit these apparently fake details:
Glen Drobney office@glenarrinera.com
1118 hagler dr
neptune bch
FL
32266
US
Phone: +1.9044019773
Since there will almost definitely be more malicious domains coming up on this IP, it is well worth blocking.
Labels:
Evil Network,
Malware,
Nuclear Fallout Enterprises,
Viruses
Subscribe to:
Posts (Atom)