Sponsored by..

Tuesday, 19 February 2013

Something evil on 67.208.74.71

67.208.74.71 (Inforelay, US) is a parking IP with several thousand IPs hosted on it. However, it also includes a large number of malicious sites using Dynamic DNS servces. Some of these sites have recently moved from the server mentioned here.

Probably most of the sites on this server are legitimate and blocking access to it might cause some problems. However, you can block most of these malicious domains by targeting the Dynamic DNS domain, the bulk of which are as follows:

assexyas.com
athersite.com
byinter.net
findhere.org
isgre.at
isthebe.st
kwik.to
lookin.at
lowestprices.at
myfw.us
myredirect.us
onmypc.info
onmypc.org
onthenetas.com
ontheweb.nu
passinggas.net
rr.nu

You can find a copy of the domains, IPs, WOT ratings and Google prognosis here [csv].

These following domains are hosted on 67.208.74.71 and are listed as malicious by Google's Safe Browsing Diagnostics:

govgrantstodays.assexyas.com
kqenc.assexyas.com
tesyf.assexyas.com
athersite.com
qezwdz.athersite.com
tdbnsc.athersite.com
www1.safeqwcleanerdm.athersite.com
www1.simple-ozfgsecurity.athersite.com
dnwswurowz.byinter.net
kcshhdvqzmte.byinter.net
mhlswzmqpe.byinter.net
oorkaibadtb.byinter.net
wonfhujmel.byinter.net
ztmgyzknjpf.byinter.net
cmvwixzxhl.findhere.org
dhyaugqmbgwm.findhere.org
gkqqujqsd.findhere.org
lvindkiys.findhere.org
lyfxhiyza.findhere.org
pvhetiozstg.findhere.org
tdtxohbjbvzx.findhere.org
thgdtujicjtq.findhere.org
ueuvjqhvao.findhere.org
wcnnrcjgb.findhere.org
free-ddddsex-ddddpasswords.isthebe.st
free-dsex-dpasswords.isthebe.st
index.isthebe.st
radiomangalia.isthebe.st
asfqphphk.kwik.to
gebofuoautl.kwik.to
lqlonqihgkco.kwik.to
mowkespvffn.kwik.to
nbnezaszei.kwik.to
qmgplmfyibh.kwik.to
ydsjveyfjr.kwik.to
rrmoymcqskq.lookin.at
htrxcytvfmhg.lowestprices.at
aadhvxiftw.myfw.us
abtqgybicghr.myfw.us
ameyznosvam.myfw.us
amvgvvyasde.myfw.us
aokeufvoci.myfw.us
azddoalylxsn.myfw.us
azojgzmnj.myfw.us
bkhrwvxblnm.myfw.us
caedvkkimck.myfw.us
cbqlthvefhv.myfw.us
ckvwoajjjg.myfw.us
crmnfeeooft.myfw.us
csllshncxdu.myfw.us
cudthmeyl.myfw.us
cwvmtudybwvr.myfw.us
dfredwpcun.myfw.us
dnbdjddrvwl.myfw.us
dsublegejzg.myfw.us
ebgilaznkcxa.myfw.us
ebhiacfkaddk.myfw.us
eepyofqzl.myfw.us
eivxprpbemv.myfw.us
ejyffxuookfi.myfw.us
eldttmawnvt.myfw.us
elfncrfubk.myfw.us
eprlccywb.myfw.us
erlsgwzbgwl.myfw.us
eslwbgkgyqhm.myfw.us
esuifzeipsz.myfw.us
euhhmufug.myfw.us
ewvwzpiqw.myfw.us
eyefvnzwoyg.myfw.us
ezphudgyyjy.myfw.us
femtpvrvr.myfw.us
feutgqoyxc.myfw.us
fowgvslqqvgf.myfw.us
fugqgxxuiwe.myfw.us
gbptzyqhoc.myfw.us
gmnmwmuhf.myfw.us
gohvjgbrplkm.myfw.us
gvbxwmicjvq.myfw.us
gyuaowfnlrw.myfw.us
hcdazkdqlvci.myfw.us
hcwryplhc.myfw.us
hfkfeuqfvzf.myfw.us
hhifsoine.myfw.us
hhzlhizlbil.myfw.us
hqzgrwmorws.myfw.us
hvdkdcgae.myfw.us
hwmhlbscbs.myfw.us
hxlxxaqntaxb.myfw.us
idjgpnkmaj.myfw.us
isdrjerrd.myfw.us
itzpsmkbyabo.myfw.us
jebrglmzye.myfw.us
jeyqstlybz.myfw.us
jjfzmzfkoky.myfw.us
jjxhjygwcnln.myfw.us
jmmbspisw.myfw.us
jspyaaqfuj.myfw.us
jugfzxlitus.myfw.us
jumzijibbh.myfw.us
jybvhfvfhwu.myfw.us
kbahixlxpe.myfw.us
kqpaxhumj.myfw.us
ktxxlgwgze.myfw.us
kwjgjnmmcu.myfw.us
ljszveihhqb.myfw.us
lswgpbvvkukx.myfw.us
lsxswsgka.myfw.us
lwztritpzuvl.myfw.us
mibgbbbwioml.myfw.us
miptvfzufwal.myfw.us
mldtdbsoko.myfw.us
mqqpwxjlf.myfw.us
mrqmsbqrdkvk.myfw.us
mydvonyeagt.myfw.us
ngcfuanjtm.myfw.us
nsnybecste.myfw.us
nvkdyjhplpo.myfw.us
okctxkxny.myfw.us
ookzctlfazdl.myfw.us
oqlupounl.myfw.us
orownhbgn.myfw.us
oxegwgflld.myfw.us
pbvmirnwk.myfw.us
phibmvaqsap.myfw.us
phvcbflqrsbo.myfw.us
qeavazuugk.myfw.us
qhbkyfehpbzi.myfw.us
qivtnqqxjnp.myfw.us
qlhkccfosm.myfw.us
qyjkiuopo.myfw.us
rexewmyxgl.myfw.us
rjrzcrswqhl.myfw.us
rjytkixbfjxkk.myfw.us
rqjghacecazb.myfw.us
rwdpuifin.myfw.us
rynucqapeinv.myfw.us
sqazmgapz.myfw.us
sqqqrsnozlgj.myfw.us
srutebmduoh.myfw.us
sslqlwitv.myfw.us
tevrntjkrl.myfw.us
tsxwbywjwdm.myfw.us
tuobdghfp.myfw.us
tvodqreyyyh.myfw.us
ujzkfdpdf.myfw.us
ukwwwhkamh.myfw.us
wbynflhapl.myfw.us
weapwihjpu.myfw.us
whxszkeaot.myfw.us
wigfdfuvps.myfw.us
wpddnjknrn.myfw.us
wpvhiedhnzxs.myfw.us
wtgylzokmsyd.myfw.us
xiudvllnl.myfw.us
ybzwfyvadq.myfw.us
yowbgyyykemw.myfw.us
yrhamrfrzk.myfw.us
ywzjvqssv.myfw.us
yxbbvktub.myfw.us
yxkgtyqmz.myfw.us
yznafipqmd.myfw.us
zqruajfsgir.myfw.us
zwzfvpxksyx.myfw.us
zzjsujpstcsx.myfw.us
ryeyymburbyr.myredirect.us
twenbrmndfui.myredirect.us
zfhbsvcererr.myredirect.us
btwosfunny.onthenetas.com
xfinity-dddddddddddddddddddddddddddddddzimbra.onthenetas.com
xfinity-dddddddddddddddddddzimbra.onthenetas.com
forehmailywt.ontheweb.nu
hahasfunnyfb.ontheweb.nu
lhixjcdtgypr.ontheweb.nu
pornogratis.ontheweb.nu
pwvmochqwb.ontheweb.nu
qlphivcmm.ontheweb.nu
uhjqzvcjfmb.ontheweb.nu
ohchr.passas.us
mysignin-ddddddddddddddddddddddddddddddddddddddddddcomcast.passinggas.net
passinggas.net
andsto57cksstar.rr.nu
cha39nce.rr.nu
chelpo94landsa.rr.nu
dahfugwhsmzi.rr.nu
deunce68rtaint.rr.nu
its53new.rr.nu
jarujtltg.rr.nu
lasimp04risoned.rr.nu
nabwpjdola.rr.nu
nytndbssyrtkjuykiryu7.rr.nu
ssbo98omin.rr.nu
tenin58gaccel.rr.nu
tentsf05luxfig.rr.nu
jsngupdwxeoa.uglyas.com

These domains are hosted on 67.208.74.71 and are not flagged by Google, but almost all have a poor WOT reputation and are very likely to be malicious:

skidka-ddddd90.bestdeals.at
ensac.byinter.net
safe-defensehrm.byinter.net
combo-dddddddddddddddddddd04-ddddddddddddddddddddkarla.findhere.org
daphne-d52full.findhere.org
mabjdawzaqw.findhere.org
netnummers.findhere.org
nqonet.findhere.org
odiwmklhah.findhere.org
www2.first-ozsoft.findhere.org
xcnyyj7973.findhere.org
ycqtxsac62.findhere.org
215.isgre.at
power-dddfiarmy.isgre.at
ab-din.kwik.to
ag-in.kwik.to
confirm.content.files.internet.secure.access.go.kwik.to
confirm.content.files.internet.secure.access.goto.kwik.to
ksarefunny.kwik.to
media.secure.sites.acc.portal00.kwik.to
media.secure.sites.acc.portal0002.kwik.to
media.secure.sites.acc.portal001.kwik.to
media.secure.sites.acc.portal003.kwik.to
newess.kwik.to
portal00.kwik.to
www2.safeyg-sentinel.kwik.to
www2.strongsoftyc.kwik.to
ebzryeaba.lookin.at
game.lookin.at
gdz-dddddddatanasyan.lookin.at
ru-drabota.lookin.at
skidka-dvsem.lookin.at
teiinxdpe.lookin.at
wett-dddwendy.lookin.at
what.are-you.lookin.at
wyoqdaeru.lookin.at
iuntrbtyvstbn.lowestprices.at
mof-ddddddddddddddddddddddddddweb.lowestprices.at
mof-ddweb.lowestprices.at
aggwgeskrby.myfw.us
htawhcgamvq.myfw.us
jtzxmudxtno.myfw.us
mexico.activa.myfw.us
michelemontas.myfw.us
pjkcyvzcyz.myfw.us
savejtxv-sentinel.myfw.us
secure4.lac.enroll.mexico.myfw.us
umbbwtcler.myfw.us
www2.simplehircantivir.myfw.us
xglzbowlmuco.myfw.us
9999992099.rr.nu
asin54grepl.rr.nu
mila.kat.sexyphoto.athersite.comkede.rr.nu
ossnyfpkag.rr.nu
ourae.rr.nu
pcnews.rr.nu
personalhvrsecurity.rr.nu
pimping.gangsta-paradise.rr.nu
rrrrrrrrrr.rr.nu
save-antivirchecker.rr.nu
topsentinelet.rr.nu
vpnfx-d001.rr.nu
www1.mystemguard.rr.nu
www1.personal-antivirgwg.rr.nu
www3.netsurfingprotectionwe.rr.nu

These sites appear to have been hosted recently on 67.208.74.71 and are flagged as malware by Google, but are not resolving at present:

aotztod.almostmy.com
ueizqnm.changeip.name
jakrcr.changeip.org
fgzsnergle.compress.to
fmmrlp.ddns.name
gyomtcnzc.dhcp.biz
gifqravi.dnsrd.com
ydrehhvgjz.ezua.com
rawvgbygj.gr8name.biz
sspmrwli.jkub.com
slnpqel.lflinkup.org
ywtxkebtx.ns01.info
wjbluj.ns01.us
hurocozr.onedumb.com
rmvpfdg.onmypc.info
qhtqqtxqua.onmypc.org
cejkopsbv.port25.biz
efdghpug.sexxxy.biz
ttenmxqq.vizvaz.com
iselktnfo.xxxy.info

These domains appear to have been recently hosted on 67.208.74.71, are not flagged as malicious by Google but are nonetheless suspect.

uzdknpz.4dq.com
zzxvxyi.mydad.info
blur.rr.nu
org.rr.nu
axyaqb.xxuz.com

Friday, 15 February 2013

Wire transfer spam / 202.72.245.146

This fake wire transfer spam leads to malware on 202.72.245.146:

Date:      Fri, 15 Feb 2013 07:24:40 -0500
From:      Tasha Rosenthal via LinkedIn [member@linkedin.com]
Subject:      RE: Wire transfer cancelled

Good day,

Wire Transfer was canceled by the other bank.



Canceled transaction:

FED NR: 94813904RE5666838

Transfer Report: View



The Federal Reserve Wire Network
The malicious payload is on [donotclick]202.72.245.146:8080/forum/links/public_version.php (Railcom, Mongolia) (report here) which is a well-known malicious IP that you should definitely block if you can.

Update: there is also a "Scan from a HP ScanJet  #841548" spam for the same IP, sending victims to [donotclick]202.72.245.146:8080/forum/links/column.php

"Cum Avenue" IRS Spam / azsocseclawyer.net

This fake IRS spam (from an office on "Cum Avenue"!) actually leads to malware on azsocseclawyer.net:

Date:      Fri, 15 Feb 2013 09:47:25 -0500
From:      Internal Revenue Service [ahabfya196@etax.irs.gov]
Subject:      pecuniary penalty for delay of tax return filling

Herewith we are informing you that you are required to pay a surcharge for not filling the income tax return prior to January 31.

Please note that IRS Section 7117-F-8 specifies a money penalty of $2.000 for each Form 479 that is filled later than deadline for filling the income tax return or does not contain the exhaustive information described in 7117-F-8.

You will be released from the pecuniary penalty when the taxpayer shows that the failure to file was caused by substantial reason.

Please visit official website for more information


Internal Revenue Services United States, Department of Treasury
Ap #822-9450 Cum Avenue
Hours of Operation: Monday-Friday, 11:30AM - 16:30PM your local time.
The malicious payload is at [donotclick]azsocseclawyer.net/detects/necessary_documenting_broadcasts-sensitive.php (report here) hosted on:

77.241.192.47 (VPSNET, Lithunia)
175.121.229.209 (Hanaro Telecom, Korea)

The following domains are currently visible on those IPs are should be regarded as malicious:
albaperu.net
azsocseclawyer.net
derdondetes.com
dressaytam.net
estudienteyo.com
extuderbest.com
madcambodia.net
micropowerboating.net
mochentopen.com
theatreli.net
thedigidares.net


Malware sites to block 15/2/13

A set of malware sites.. or I think two sets of malware sites that you might want to block. The .ru domains are connected with this botnet, a second set of sites seem to be something else malicious. Both groups of sites are connected by a server at 142.0.45.27 (Volumedrive, US) which may be a C&C server. Interested parties might want to poke at the server a bit..

As a bonus, these are the IPs that I can find connected with the .ru botnet that I have collected over the past few days. Some of them are dynamic, but it might be a starting point if anyone wants to poke at that botnet a bit more.

actuallywebdav.biz
adoptionarchive.org
adscard.net
adsknoll.net
adsmonsterslda.me
adsmonsterslda.net
adspolis.net
adsspark.com
adstimes.net
adstown.net
akon342.info
apolonq3.info
arenthis.org
bigtimetcpip.org
booksdesk.org
bounceeleven.biz
carambala.com
casesswooshpretty.net
classifyipchains.biz
columnheavyhanded.org
competingopts.biz
conaninefficiently.biz
confickerclones.com
cuxystaf.ru
dlnabeta.org
efisamil.ru
enjoycapacious.org
exciifun.ru
extcg.org
eyefulconcern.com
fan.ysb3.net
fesdrtfgfddsadsa.homelinux.com
filesforretail.org
gazzuxiz.ru
greatville.org
huaxydpa.ru
hudsfjfdsueofakl.homelinux.com
ifdependable.org
ifkyxdys.ru
img.handyworksfl.com
img.sppta.org
iqkibbuz.ru
ivqojsaj.ru
kamisca.com
kejfhtee.cu.cc
kemalxun.ru
koldpsaofdkdlsa.homelinux.com
kopsakfdsasew.homelinux.com
languageinads.com
languageinads.net
lebowskiappcentric.org
libertynetsgums.info
limminglory.net
lisybsij.ru
live.28356365.com
lowerqualitydocstac.in
milioneer.com
missiledongle.biz
modesthalfempty.org
moneysfilegon.net
navaten.tk
netingsixform.net
nobuaudiophile.org
offensivesimple.biz
ohvelzym.ru
partyharddns.com
performingspinoffs.org
pipelivemotion.biz
pyncegok.ru
resendfold.biz
safelyplayback.biz
sedikivu.tk
startstracker.info
syllablesshrinkwrap.org
syrjikhe.ru
techntitus.com
touristdefinitions.biz
tracktighter.biz
upicampaign.com
usingthisxploreing.org
velvetnoret.com
vowakabo.tk
wontlogics.biz
wpw.bestgoodshop.info
www.aanoownsw.tld.cc
ybavwego.ru
ykmeffyw.ru
ylgoaxle.ru
yvxaghod.ru
zypvynas.ru

Thursday, 14 February 2013

Intuit spam / epionkalom.ru

This fake Intuit spam leads to malware on epionkalom.ru:

Date:      Thu, 14 Feb 2013 09:05:48 -0500
From:      "Classmates . com" [classmatesemail@accounts.classmates.com]
Subject:      Payroll Account Holded by Intuit


Direct Deposit Service Informer
Communicatory Only

We cancelled your payroll on Thu, 14 Feb 2013 09:05:48 -0500.

    Finances would be gone away from below account # ending in 2317 on Thu, 14 Feb 2013 09:05:48 -0500
    amount to be seceded: 2246 USD
    Paychecks would be procrastinated to your personnel accounts on: Thu, 14 Feb 2013 09:05:48 -0500
    Log In to Review Operation


Funds are typically left before working banking hours so please make sure you have enough Finances accessible by 12 a.m. on the date Cash are to be seceded.

Intuit must reject your payroll by 4 p.m. Central time, two banking days before your paycheck date or your state would not be paid on time.
QuickBooks does not process payrolls on weekends or federal banking holidays. A list of federal banking holidays can be viewed at the Federal Reserve website.

Thank you for your business.

Regards,
Intuit Payroll Services
The malicious payload is at [donotclick]epionkalom.ru:8080/forum/links/column.php hosted on a bunch of IP addresses that we have seen many, many times before:

91.121.57.231 (OVH, France)
195.210.47.208 (PS Internet, Kazakhstan)
202.72.245.146 (Railcom, Mongolia)

HP ScanJet spam / 202.72.245.146

This fake printer spam leads to malware on 202.72.245.146:

Date:      Thu, 14 Feb 2013 10:10:56 +0000
From:      AntonioShapard@hotmail.com
Subject:      Fwd: Re: Scan from a Hewlett-Packard ScanJet #6293
Attachments:     HP_Document.htm

Attached document was scanned and sent

to you using a HP A-32347P.

SENT BY : TRISH
PAGES : 3
FILETYPE: .HTML [INTERNET EXPLORER/MOZILLA FIREFOX]

=================

Date:      Thu, 14 Feb 2013 06:07:00 -0800
From:      LinkedIn Password [password@linkedin.com]
Subject:      Fwd: Scan from a Hewlett-Packard ScanJet 83097855
Attachments:     HP_Document.htm

Attached document was scanned and sent

to you using a HP A-775861P.

SENT BY : CARLINE
PAGES : 4
FILETYPE: .HTML [INTERNET EXPLORER/MOZILLA FIREFOX]
The malicious payload is on [donotclick]202.72.245.146:8080/forum/links/column.php (report here) which is a familiar IP address belonging to Railcom in Mongolia. The following malicious websites are also active on the same server:
enakinukia.ru
dekamerionka.ru
evskindarka.ru
exibonapa.ru
esigbsoahd.ru
dmssmgf.ru
epianokif.ru
elistof.ru
dmpsonthh.ru
esekundi.ru
egihurinak.ru
exiansik.ru
ewinhdutik.ru
efjjdopkam.ru
eipuonam.ru
emaianem.ru
disownon.ru
estipaindo.ru
ejiposhhgio.ru
epilarikko.ru
damagalko.ru
emalenoko.ru
epiratko.ru
evujalo.ru
bananamamor.ru
eminakotpr.ru
dfudont.ru

"Copies of policies" spam / ewinhdutik.ru

This spam leads to malware on ewinhdutik.ru:
Date:      Thu, 14 Feb 2013 07:16:28 -0500
From:      "Korbin BERG" [ConnorAlmeida@telia.com]
Subject:      RE: Korbin - Copies of Policies.

Unfortunately, I cannot obtain electronic copies of the Ocean, Warehouse or EPLI policy.

Here is the Package and Umbrella,

and a copy of the most recent schedule.

Korbin BERG,

======================


Date:      Thu, 14 Feb 2013 03:30:52 +0530
From:      Tagged [Tagged@taggedmail.com]
Subject:      RE: KESHIA - Copies of Policies.

Unfortunately, I cannot obtain electronic copies of the Ocean, Warehouse or EPLI policy.

Here is the Package and Umbrella,

and a copy of the most recent schedule.

KESHIA LEVINE,

The malicious payload is at [donotclick]ewinhdutik.ru:8080/forum/links/column.php (report here) hosted on the same IP addresses as this attack we saw earlier.

91.121.57.231 (OVH, France)
195.210.47.208 (PS Internet, Kazakhstan)
202.72.245.146 (Railcom, Mongolia)

HP ScanJet spam / eipuonam.ru

This fake printer spam leads to malware on eipuonam.ru:

Date:      Thu, 14 Feb 2013 -02:00:50 -0800
From:      "Xanga" [noreply@xanga.com]
Subject:      Fwd: Scan from a HP ScanJet #72551
Attachments:     HP_Document.htm

Attached document was scanned and sent

to you using a HP A-39329P.

SENT BY : Ingrid
PAGES : 0
FILETYPE: .HTML [INTERNET EXPLORER/MOZILLA FIREFOX]

The attachment HP_Document.htm contains a script that attempts to direct visitors to [donotclick]eipuonam.ru:8080/forum/links/column.php (report here) hosted on:


91.121.57.231 (OVH, France)
195.210.47.208 (PS Internet, Kazakhstan)
202.72.245.146 (Railcom, Mongolia)

The following IPs and sites should be blocked:
91.121.57.231
195.210.47.208
202.72.245.146
bananamamor.ru
damagalko.ru
dekamerionka.ru
dfudont.ru
disownon.ru
dmpsonthh.ru
dmssmgf.ru
efjjdopkam.ru
egihurinak.ru
eipuonam.ru
ejiposhhgio.ru
elistof.ru
emaianem.ru
emalenoko.ru
eminakotpr.ru
enakinukia.ru
epianokif.ru
epilarikko.ru
epiratko.ru
esekundi.ru
esigbsoahd.ru
estipaindo.ru
evskindarka.ru
evujalo.ru
exiansik.ru
exibonapa.ru

Something evil on 92.63.105.23

Looks like a nasty infestion of Blackhole is lurking on 92.63.105.23 (TheFirst-RU, Russia) - see an example of the nastiness here (this link is safe to click!). The following domains are present on this address, although there are probably more.

ueizqnm.changeip.name
fmmrlp.ddns.name
qhtqqtxqua.onmypc.org
jakrcr.changeip.org
slnpqel.lflinkup.org
ydrehhvgjz.ezua.com
hurocozr.onedumb.com
sspmrwli.jkub.com
gifqravi.dnsrd.com
uzdknpz.4dq.com
aotztod.almostmy.com
ttenmxqq.vizvaz.com
axyaqb.xxuz.com
ywtxkebtx.ns01.info
rmvpfdg.onmypc.info
zzxvxyi.mydad.info
iselktnfo.xxxy.info
fgzsnergle.compress.to
wjbluj.ns01.us
yxbbvktub.myfw.us
hxlxxaqntaxb.myfw.us
rqjghacecazb.myfw.us
oxegwgflld.myfw.us
hvdkdcgae.myfw.us
hhifsoine.myfw.us
nsnybecste.myfw.us
jebrglmzye.myfw.us
fowgvslqqvgf.myfw.us
mqqpwxjlf.myfw.us
hfkfeuqfvzf.myfw.us
ukwwwhkamh.myfw.us
tvodqreyyyh.myfw.us
aokeufvoci.myfw.us
ejyffxuookfi.myfw.us
qhbkyfehpbzi.myfw.us
idjgpnkmaj.myfw.us
sqqqrsnozlgj.myfw.us
kqpaxhumj.myfw.us
elfncrfubk.myfw.us
qeavazuugk.myfw.us
pbvmirnwk.myfw.us
miptvfzufwal.myfw.us
ookzctlfazdl.myfw.us
rjrzcrswqhl.myfw.us
hhzlhizlbil.myfw.us
lwztritpzuvl.myfw.us
erlsgwzbgwl.myfw.us
eslwbgkgyqhm.myfw.us
bkhrwvxblnm.myfw.us
ngcfuanjtm.myfw.us
orownhbgn.myfw.us
rwdpuifin.myfw.us
jjxhjygwcnln.myfw.us
azddoalylxsn.myfw.us
dfredwpcun.myfw.us
xglzbowlmuco.myfw.us
jtzxmudxtno.myfw.us
phibmvaqsap.myfw.us
tuobdghfp.myfw.us
ybzwfyvadq.myfw.us
gvbxwmicjvq.myfw.us
abtqgybicghr.myfw.us
hqzgrwmorws.myfw.us
kwjgjnmmcu.myfw.us
csllshncxdu.myfw.us
cbqlthvefhv.myfw.us
eivxprpbemv.myfw.us
yowbgyyykemw.myfw.us
jmmbspisw.myfw.us
aadhvxiftw.myfw.us
lswgpbvvkukx.myfw.us
zwzfvpxksyx.myfw.us
aggwgeskrby.myfw.us
jjfzmzfkoky.myfw.us
okctxkxny.myfw.us
jeyqstlybz.myfw.us
yxkgtyqmz.myfw.us
sqazmgapz.myfw.us
esuifzeipsz.myfw.us
pjkcyvzcyz.myfw.us
cejkopsbv.port25.biz
rawvgbygj.gr8name.biz
gyomtcnzc.dhcp.biz
efdghpug.sexxxy.biz

Wednesday, 13 February 2013

"First Foundation Bank Secure Email Notification" spam

It looks a bit like a phish, but this "First Foundation Bank Secure Email Notification" spam has a ZIP file that leads to malware:

Date:      Wed, 13 Feb 2013 20:08:46 +0200 [13:08:46 EST]
From:      FF-inc Secure Notification [secure.notification@ff-inc.com]
Subject:      First Foundation Bank Secure Email Notification - 94JIMEEQ

You have received a secure message

Read your secure message by opening the attachment, secure_mail_94JIMEEQ. You will be prompted to open (view) the file or save (download) it to your computer. For best results, save the file first, then open it in a Web browser. To access from a mobile device, forward this message to mobile@res.ff-inc.com to receive a mobile login URL.

If you have concerns about the validity of this message, please contact the sender directly. For questions about secure e-mail encryption service, please contact technical support at 888.795.7643.

2000-2013 First Foundation Inc. All rights reserved. 

Attached is a file called secure_mail_94JIMEEQ.zip which expands into.. well, nothing good.. a file called secure_mail_{_Case_DIG}.exe with an icon that is meant to disguise it as an Acrobat file.

VirusTotal detection rates are just 15/45 and the malware is resistant to analysis. Incidentally, emailing mobile@res.ff-inc.com just generates a failure message. Avoid.

NACHA spam / eminakotpr.ru

More fake NACHA spam, this time leading to malware on eminakotpr.ru:


Date:      Wed, 13 Feb 2013 05:24:26 +0530
From:      "ACH Network" [risk-management@nacha.org]
Subject:      Re: Fwd: ACH Transfer rejected

The ACH transaction, initiated from your checking acc., was canceled.

Canceled transfer:

Transfer ID: FE-65426265630US

Transaction Report: View

August BLUE

NACHA - The National Automated Clearing House Association
The malicious payload is at [donotclick]eminakotpr.ru:8080/forum/links/column.php hosted on:

46.175.224.21 (MAXNET Lukasz Hamerski, Poland)
91.121.57.231 (OVH, France)
202.72.245.146 (Railcom, Mongolia)

The following IPs and domains are all related and should be blocked:
46.175.224.21
91.121.57.231
202.72.245.146
bananamamor.ru
damagalko.ru
dekamerionka.ru
dfudont.ru
disownon.ru
dmpsonthh.ru
dmssmgf.ru
dumarianoko.ru
egihurinak.ru
elistof.ru
emaianem.ru
emalenoko.ru
eminakotpr.ru
enakinukia.ru
epianokif.ru
epilarikko.ru
epiratko.ru
esekundi.ru
esigbsoahd.ru
estipaindo.ru
evskindarka.ru
evujalo.ru
exiansik.ru
exibonapa.ru

Malware sites to block 13/2/13

These malicious sites appear to be part of a Waledac botnet. I haven't had much time to analyse what exactly what it going on, but here is one example from [donotclick]merwiqca.ru/nothing.exe: URLquery, VirusTotal, Comodo CAMAS, ThreatExpert.

I'm still working on IP addresses (there are a LOT), but these are the domains that I have managed to identify.. it is probably not an exhaustive list though.

afxeftof.ru
ahtiagge.ru
ajgijuap.ru
amxylkap.ru
apnifosa.ru
aqqajofi.ru
atxembef.ru
awetefid.ru
azvaebyn.ru
bakuzbuq.ru
bangurec.ru
bowbiluk.ru
bugfivin.ru
citpoloj.ru
copapjid.ru
didcufun.ru
dikojnah.ru
diqnawug.ru
diteqciq.ru
dubfoluc.ru
dohjapju.ru
dufyhive.ru
dyrzaqfu.ru
dyxketam.ru
ecrihgep.ru
egygumlo.ru
epejanhi.ru
ewenhugi.ru
fachejyp.ru
fawsilom.ru
fedvojvy.ru
fytfotlo.ru
gegwikaf.ru
guphumsa.ru
gybebeho.ru
gyvolnac.ru
gywquroz.ru
hikutcur.ru
ikbyznod.ru
ixfocgaf.ru
jiwviqpa.ru
jizugqux.ru
joljihuk.ru
junedles.ru
jureetse.ru
lafdamow.ru
linsubby.ru
linyaqor.ru
liwmiccu.ru
liwuwquh.ru
merwiqca.ru
narzoquc.ru
nozwyhvi.ru
nylzudwo.ru
nypmivhy.ru
nyzvelew.ru
ocbiccan.ru
ojvectyk.ru
ophirjih.ru
owideker.ru
papcybop.ru
pegkowoz.ru
picifcym.ru
pypwalve.ru
qiqwoxki.ru
qysmahku.ru
qysriloh.ru
rabpabyr.ru
racapsyq.ru
raguhloc.ru
rehvuwib.ru
rulwusyc.ru
secegbiw.ru
sedfibyr.ru
soduvnec.ru
solhusny.ru
sumjecyg.ru
syofzaim.ru
tijenric.ru
todqenym.ru
towmidar.ru
tubtihiv.ru
tunzovnu.ru
ugnyspyr.ru
vacrajak.ru
vehyfgor.ru
viackipa.ru
vibewpav.ru
voxyqjyc.ru
wowrizep.ru
xitydjeg.ru
xyjiekfe.ru
ypvudhek.ru
zazzeqan.ru
zehyqjol.ru
zempakiv.ru
zyqutfeb.ru
fpyyb.axcakqif.ru
gipwf7i.zempakiv.ru
gkca7nkr.tyryfpix.ru
boomsco.com
larstor.com
newrect.com

NACHA spam / thedigidares.net

This fake NACHA spam leads to malware on thedigidares.net:


Date:      Wed, 13 Feb 2013 12:10:27 +0000
From:      " NACHA" [limbon@direct.nacha.org]
Subject:      Aborted transfer

Canceled transaction
The ACH process (ID: 648919687408), recently sent from your bank account (by you), was canceled by the other financial institution.

Transaction ID:     648919687408
Cancellation Reason     Review additional info in the statement below
Transaction Detailed Report     Report_648919687408.xls (Microsoft/Open Office Word Document)


13150 Sunrise Street, Suite 100 Herndon, VA 20174 (703) 561-1200

� 2013 NACHA - The Electronic Payments Association
The malicious payload is at [donotclick]thedigidares.net/detects/irritating-crashed-registers.php (report here) hosted on:

134.74.14.98 (City College of New York, US)
175.121.229.209 (Hanaro Telecom, Korea)



The following IPs and domains are linked and should be blocked:
134.74.14.98
175.121.229.209
albaperu.net
capeinn.net
thedigidares.net
madcambodia.net
micropowerboating.net
dressaytam.net
acctnmrxm.net
albaperu.net
live-satellite-view.net
dressaytam.net


Tuesday, 12 February 2013

Something evil on 192.81.129.219

It looks like there's a nasty case of the Blackhole Exploit kit on 192.81.129.219 (see example). The IP is controlled by Linode in the US who have been a bit quiet recently. Here are the active domains that I can identify on this IP:

17.soldatna.com
17.coloryourpatiowholesale.com
17.silvascape.com
17.dcnwire.com
17.canyonturf.com
17.kdebug.com
17.soldatnacapital.com
17.swvmail.com
17.drycanyon.com
17.wolfmountaingroup.com
17.designerbiochar.com
17.easygardencolor.com
17.devicelogics.com
17.springwoodventures.com
17.designersoils.com
17.drdos.com
17.wolfmountainproducts.com
17.soldatnainvestments.com
17.themulchpit.com
17.soleradevelopment.com
17.silvasport.com
17.scenicdesign.us
17.dailyexpress.us
17.canyonturf.net
17.southwesttelecom.net
17.wlfmtn.net
17.coloryourpatio.net
17.designersoils.net
17.scenicdesign.biz

Changelog spam / emaianem.ru

This changelog spam leads to malware on emaianem.ru:

Date:      Tue, 12 Feb 2013 09:11:11 +0200
From:      LinkedIn Password [password@linkedin.com]
Subject:      Re: Changlog 10.2011

Good day,

changelog update - View

L. KIRKLAND

=================


Date:      Tue, 12 Feb 2013 05:14:54 -0600
From:      LinkedIn [welcome@linkedin.com]
Subject:      Fwd: Re: Changelog as promised(updated)

Good morning,

as prmised updated changelog - View

L. AGUILAR
The malicious payload is at [donotclick]emaianem.ru:8080/forum/links/column.php and is hosted on the same servers as found here.

IRS spam / micropowerboating.net

This fake IRS spam leads to malware on micropowerboating.net:

Date:      Tue, 12 Feb 2013 22:06:55 +0800
From:      Internal Revenue Service [damonfq43@taxes.irs.gov]
Subject:      Income Tax Refund TURNED DOWN

Hereby we have to note that Your State Tax Refund Appeal ({ID: 796839212518), recently has been RETURNED. If you believe that IRS did not properly estimate your case due to misunderstanding of the fact(s), be prepared to serve additional information. You can obtain refusal to accept details and re-submit your appeal by browsing a link below.

Please enter official website for information

Internal Revemue Service
Internal Revenue Services United States, Department of Treasury
9611 Tellus. Av.
Hours of Operation: Monday-Friday, 11:30AM - 16:30PM your local time.


==============================


Date:      Tue, 12 Feb 2013 15:00:35 +0100
From:      Internal Revenue Service [zirconiumiag0@irs.gov]
Subject:      Income Tax Refund NOT ACCEPTED

Hereby we hav to inform that Your Income Tax Refund Appeal ({ID: 46303803645929), recently has been CANCELED. If you believe that IRS did not properly estimate your case due to misapprehension of the fact(s), be prepared to equip additional information. You can obtain non-acceptance details and re-submit your appeal by browsing a link below.

Please browse official site for more information

Internal Revemue Service
Internal Revenue Services United States, Department of Treasury
3192 Aliquam Rd.
Hours of Operation: Monday-Friday, 11:30AM - 16:30PM your local time.


==============================

Date:      Tue, 12 Feb 2013 15:13:37 +0100 [09:13:37 EST]
From:      Internal Revenue Service [idealizesmtz@informer.irs.gov]
Subject:      Income Tax Refund TURNED DOWN

Hereby You notified that Your Income Tax Outstanding transaction Appeal (No: 8984589927661), recently was CANCELED. If you believe that IRS did not properly estimate your case due to misapprehension of the fact(s), be prepared to deliver additional information. You can obtain refusal of acceptance details and re-submit your appeal by using a link below.

Please enter official site for information

Internal Revemue Service
Internal Revenue Services United States, Department of Treasury
P.O. Box 265
Hours of Operation: Monday-Friday, 11:30AM - 16:30PM your local time. 

The malicious payload is on [donotclick]micropowerboating.net/detects/pending_details.php (report here) hosted on:

175.121.229.209 (Hanaro Telecom, Korea)
198.144.191.50 (Chicago VPS, US)

The following IPs and domains should be blocked:
175.121.229.209
198.144.191.50
micropowerboating.net 
morepowetradersta.com
asistyapipressta.com
uminteraktifcozumler.com
rebelldagsanet.com
madcambodia.net
acctnmrxm.net
capeinn.net
albaperu.net
live-satellite-view.net

eFax spam / estipaindo.ru

This fake eFax spam leads to malware on estipaindo.ru:

From: messages-noreply@bounce.linkedin.com
Sent: 12 February 2013 04:10
Subject: Efax Corporate

Fax Message [Caller-ID: 181999356]

You have received a 44 pages fax at Tue, 12 Feb 2013 05:10:03 +0100, (944)-095-3172.

* The reference number for this fax is [eFAX-101609258].

View attached fax using your Internet Browser.

________________________________________
© 2013 j2 Global Communications, Inc. All rights reserved.
eFax is a registered trademark of j2 Global Communications, Inc.

This account is subject to the terms listed in the eFax Customer Agreement. 
The malicious payload is at [donotclick]estipaindo.ru:8080/forum/links/column.php (report here) hosted on:

46.175.224.21 (Maxnet Lukasz Hamerski, Poland)
91.121.57.231 (OVH, France)
202.72.245.146 (Railcom, Mongolia)

The following IPs and domains can be blocked:
46.175.224.21
91.121.57.231
202.72.245.146
enakinukia.ru
dekamerionka.ru
evskindarka.ru
exibonapa.ru
dmssmgf.ru
epianokif.ru
elistof.ru
dmpsonthh.ru
esekundi.ru
egihurinak.ru
exiansik.ru
disownon.ru
epilarikko.ru
damagalko.ru
dumarianoko.ru
emalenoko.ru
epiratko.ru
evujalo.ru
bananamamor.ru
dfudont.ru
estipaindo.ru
emaianem.ru

Monday, 11 February 2013

Something evil on 46.165.206.16

This is a little group of fake analytics sites containing malware (for example), hosted on 46.165.206.16 (Leaseweb, Germany). Sites listed in  red   have already been tagged by Google Safe Browsing diagnostics, presumably the others have stayed below the radar.

adstat150.com
cexstat20.com
katestat77.us
kmstat505.us
kmstat515.us
kmstat530.com
lmstat450.com
mptraf11.info
mptraf2.info
mxstat205.us
mxstat570.com
mxstat740.com
mxstat760.com
rxtraf25.ru
rxtraf26.ru
skeltds.us
vmstat100.com
vmstat120.com
vmstat140.com

vmstat210.com
vmstat230.com
vmstat320.com

NACHA Spam / albaperu.net

This fake NACHA spam leads to malware on albaperu.net:

Date:      Mon, 11 Feb 2013 11:39:03 -0500 [11:39:03 EST]
From:      ACH Network [reproachedwp41@direct.nacha.org]
Subject:      ACH Transfer canceled

Aborted transfer
The ACH process (ID: 838907191379), recently initiated from your checking account (by one of your account members), was reversed by the other financial institution.

Transaction ID:     838907191379
Reason of Cancellation     See detailed information in the despatch below
Transaction Detailed Report     RP838907191379.doc (Microsoft Word Document)

                          

13150 Sunrise Drive, Suite 100 Herndon, VA 20172 (703) 561-1600

� 2013 NACHA - The Electronic Payments Association
The malicious payload is at [donotclick]albaperu.net/detects/case_offices.php (report here) hosted on:

175.121.229.209 (Hanaro Telecom, Korea)
198.144.191.50 (Chicago VPS, US)

 The following malicious domains are present on these IPs and should be blocked:
acctnmrxm.net
albaperu.net
asistyapipressta.com
capeinn.net
live-satellite-view.net
madcambodia.net
morepowetradersta.com
rebelldagsanet.com
uminteraktifcozumler.com

British Airways spam / epianokif.ru

This fake British Airways spam leads to malware on epianokif.ru:


Date:      Mon, 11 Feb 2013 11:30:39 +0330
From:      JamesTieszen@[victimdomain.com]
Subject:      British Airways E-ticket receipts
Attachments:     E-Ticket-N234922XM.htm



e-ticket receipt
Booking reference: DZ87548418
Dear,

Thank you for booking with British Airways.

Ticket Type: e-ticket
This is your e-ticket receipt. Your ticket is held in our systems, you will not receive a paper ticket for your booking.

Your itinerary is attached (Internet Exlplorer/Mozilla Firefox file)


Yours sincerely,

British Airways Customer Services

British Airways may monitor email traffic data and also the content of emails, where permitted by law, for the purposes of security and staff training and in order to prevent or detect unauthorised use of the British Airways email system.

British Airways Plc is a public limited company registered in England and Wales. Registered number: 74665737. Registered office: Waterside, PO Box 365, Harmondsworth, West Drayton, Middlesex, England, UB7 0GB.

How to contact us
Although we are unable to respond to individual replies to this email we have a comprehensive section that may help you if you have a question about your booking or travelling with British Airways.


If you require further assistance you may contact us

If you have received this email in error
This is a confidential email intended only for the British Airways Customer appearing as the addressee. If you are not the intended recipient please delete this email and inform the snder as soon as possible. Please note that any copying, distribution or other action taken or omitted to be taken in reliance upon it is prohibited and may be unlawful.

The malicious payload is at [donotclick]epianokif.ru:8080/forum/links/column.php (report here) hosted on:

82.148.98.36 (Qatar Telecom, Qatar)
195.210.47.208 (PS Internet Company, Kazakhstan)
202.72.245.146 (Railcom, Mongolia)

The following malicious domains can also be seen on these IPs:
epianokif.ru
enakinukia.ru
dekamerionka.ru
evskindarka.ru
exibonapa.ru
dmssmgf.ru
epianokif.ru
elistof.ru
dmpsonthh.ru
esekundi.ru
egihurinak.ru
exiansik.ru
disownon.ru
epilarikko.ru
damagalko.ru
dumarianoko.ru
emalenoko.ru
epiratko.ru
evujalo.ru
bananamamor.ru
dfudont.ru

Something evil on 46.163.79.209

The following sites are connected with some ADP-themed malware that has been doing the rounds for the past few days. As far as I can tell, they are some sort of download server for this malware, hosted on 46.163.79.209 (Host Europe, Germany), it all looks quite nasty.

social-neos.eu
cloud.social-neos.eu
quest.social-neos.eu
archiv.social-neos.eu
eyon-neos.eu
international.eyon-neos.eu
ns.eyon-neos.eu
euroherz.eyon-neos.eu

The domains look like they might be legitimate onese that have been hijacked, nonetheless blocking them would be an excellent move.



"Support Center" spam / phticker.com

Not malware this time, but this fake "Support Center" spam leads to a fake pharma site at phticker.com:

Date:      Mon, 11 Feb 2013 06:13:52 -0700
From:      "Brinda Wimberly" [noreply@mdsconsulting.be]
Subject:      Support Center

    Welcome to Help Support Center

Hello,

You have been successfully registered in our Ticketing System

Please, login and check status of your ticket, or report new ticket here

See All tickets
   
Go To Profile

This message was sent to [redacted]. Should you have any questions, or if you believe that you have received this in error please contact us at support center.
The site appears to be clean from a malware perspective and is hosted on 171.25.190.246 (Verus AS, Latvia) along with these other fake pharma sites:

nislevitra.com
tablethealthipad.com
tivozanibkimedicine.com
marijuanarxmedicine.com
drugstorepharmacycenterline.com
medicalwelhealthcare.com
physicianslnesshealth.com
newhealthpharm.com
gokeyscan.com
medpillsprescription.com
wichigenerics.com
boschmeds.com
pillcarney.com
healthviagraobesity.com
pharmedicinehat.net
rxlevitrainc.eu
tabletdrugipad.eu
pillsphysicpharma.ru
xree.ru
lxie.ru
zeap.ru
tabspharmacytablets.ru
pillsmedicalsrx.ru
poey.ru
ongy.ru
phticker.com

Saturday, 9 February 2013

ADP spam / 048575623_02082013.zip

This fake ADP spam comes with a malicious attachment:

Date:      Fri, 8 Feb 2013 18:26:05 +0100 [12:26:05 EST]
From:      "ops_invoice@adp.com" [ops_invoice@adp.com]
Subject:      ADP Payroll Invoice for week ending 02/08/2013 - 01647

Your ADP Payroll invoice for last week is attached for your review. If you have any questions regarding this invoice, please contact your ADP service team at the number provided on the invoice for assistance.

Thank you for choosing ADP Payroll.

Important: Please do not respond to this message. It comes from an unattended mailbox.
In this case there was a ZIP file called 048575623_02082013.zip (this may vary) with an attachment 048575623_02082013.exe designed to look like a PDF file.

VirusTotal identifies it as a Zbot variant. According to ThreatExpert, the malware attempts to connect to the following hosts:

eyon-neos.eu
quest.social-neos.eu
social-neos.eu

These may be legitimate hacked domains, but if you are seeing unexpected traffic going to them then it could be a Zbot indicator.





BBB Spam / madcambodia.net

This fake BBB spam leads to malware on madcambodia.net:

Date:      Fri, 8 Feb 2013 11:55:55 -0500 [11:55:55 EST]
From:      Better Business Bureau [notify@bbb.org]
Subject:      BBB  details about your  cliente's pretense ID 43C796S77

Better Business Bureau ©
Start With Trust ©

Thu, 7 Feb 2013

RE: Issue No. 43C796S77

[redacted]

The Better Business Bureau has been booked the above mentioned claim letter from one of your purchasers in respect of their business contacts with you. The detailed description of the consumer's concern are available for review at a link below. Please pay attention to this subject and let us know about your judgment as soon as possible.

We pleasantly ask you to visit the GRIEVANCE REPORT to reply on this claim.

We awaits to your prompt response.

Best regards
Luis Davis
Dispute Advisor
Better Business Bureau

Better Business Bureau
3073  Wilson Blvd, Suite 600  Arlington, VA 23501
Phone: 1 (703) 276.0100   Fax: 1 (703) 525.8277


This note was sent to [redacted]. Don't want to receive these emails anymore? You can unsubscribe

The malicious payload is at [donotclick]madcambodia.net/detects/review_complain.php (report here) hosted on:

175.121.229.209 (Hanaro Telecom, Korea)
198.144.191.50 (Chicago VPS, US)

The following domains appear to be active on these IPs:
madcambodia.net
acctnmrxm.net
capeinn.net
starsoftgroup.net
live-satellite-view.net
morepowetradersta.com

Friday, 8 February 2013

MMuskatov / OVH malware sites to block

I've mentioned an OVH range of IPs allocated to a mystery  "MMuskatov" a couple of times before (here and here). It seemed like they needed a closer look.

The IP ranges are in the 5.135.67.x block, mostly in small /28 allocations hosted in different OVH datacentres in Europe. They are:
5.135.67.128 - 5.135.67.135
5.135.67.136 - 5.135.67.143
5.135.67.144 - 5.135.67.159
5.135.67.160 - 5.135.67.175
5.135.67.176 - 5.135.67.191
5.135.67.192 - 5.135.67.207
5.135.67.208 - 5.135.67.223
5.135.67.224 - 5.135.67.239
5.135.67.240 - 5.135.67.247

Obviously, that gives an contiguous block of 5.135.67.128 to 5.135.67.247 which is annoying difficult to express in CIDR notation. This is the best I can do:
5.135.67.128/26
5.135.67.192/27
5.135.67.224/28
5.135.67.240/29

If you don't mind a bit of collateral damage then you could simply block 5.135.67.128/25.I

Anyway.. what's so bad about this range? Well, as far as I can see, there are no legitimate sites here at all. But there do appear to be malware sites, suspicious subdomains of hijacked legitimate sites and other nasties. Quite a few have been registered very recently indeed, and to be honest I'm probably missing a lot of sites hosted in this range.

The sites are listed below. Sites listed as malware by Google are listed in  red , sites with a bad WOT rating are listed in  blue (there are no sites listed at both, so I can spare you from purple). You can safely assume that anything not blacklisted has just not been noticed yet. You can download a full list of the sites, IP addresses, WOT rating and the Google prognosis from here.

1aumir.biz
afito.nyxsus.net
agnitumsnuking.net
allrisor.com
analytics-djmusic-online.de
analytics-djmusic-online.info
analytics-djmusic-site.at
analytics-djmusic-site.com
analytics-djmusic-site.de
anarebrelleee.me
apeld.biz
azizmarizish2013.com
azizmarizish2013.info
azizmarizish2013.us
babynicefreelove.org
basicsensorcomfort.info
basteln5.de
bederg.biz
beratopl.sinanfe.com
besprof.samisales.com
bestfor.rotaract4670.org
bopljert.ultuma.com
brasenetworks.info
broki.wem44.com
browser.rainbowstarfish.com
carambala.com
charterd4.de
clomment.calenergy.info
clubs.sandipmistry.com
complexesuluation.info
creamvisitiorfinder.info
daimlerfidelity.info
daisychellenge.info
dasdasd.tss33.com
dasuycompletesuluation.info
dfhiod.biz
dhajbg.biz
djjgurda.com
djjgurda.us
domainsfiverich.com
dotguy.set-god.com
emporiomurmani.info
fakeferarri.info
fastmovekko.net
fbuniverse.net
federewf.org
firepow.l2firepower.com
first.bartych.com
frankmousepo.com
freepokee1.info
freepokee2.info
freepokee3.info
fromza.thirteentoedcat.com
fuchsduhastdiegansgestohlen.info
gertapo.bbcuteonline.com
gfssexcam.org
gfssexcamcum.com
ggty.oops-to.com
goodby.nissisystems.com
goodly.hukmen.com
gussi.info
heart.wheels4salvador.org
hernn.biz
heronew.biz
jagsertowns.com
jbworldtrd.com
joeturismo.com
kiloui.svxr.org
kinodrom.ivanwalker.net
ktxstat240.info
lake.frontsighlitigations.com
lefttendencies.net
lokoier.biz
loveplanetfr.org
lozytose2.de
mapplestory.info
mdopk.biz
meanse.ayesh.asia
mederf.biz
medoew.biz
mikil.hititbett.org
mini.sindiat.com
miniini.iosstore.org
mobile.mathyux.com
mojojojo.info
monoxy3.de
msner.slingthor.com
mybestprojextmm.com
my-res-to.com
myrisor.com
natrium7.de
natural9.de
ndqegsx.efx-capital.com
neregda.biz
nerero.biz
newrisor.com
news.webcam-archives.com
next.spacemonkeypirate.net
ninzaaa.commoninterestgroups.org
oploug.biz
perokil.biz
perstversion.info
poijert.ilaog.com
polocz.biz
powerpuffgirls.ru
price.hollywoodsaloon.us
provertymegastore.info
radarsky.biz
rainbowloveahaji.com
reseder.biz
resscience.com
res-to.com
risorgroup.com
risoronline.com
ronaldo.bangun.org
saledomainornott.biz
saledomainornott.co
saledomainornott.com
saledomainornott.in
saledomainornott.info
saledomainornott.me
saledomainornott.mobi
saledomainornott.net
scienceto.com
sec520.dyndns.info
sec521.dyndns.info
seghiv.biz
sexcamsfreenow.org
sfgjjj.biz
shop-best-good.info
shuttle4.de
sitesfiverich.com
sjbmb.biz
spannend3.de
srghoop.biz
stay.petersmunicipalconsultants.com
sun.frontsightbankruptcy.com
sunari9.de
supermegaextragood.info
swedpuikavrot.info
taste.frontsightblog.com
techntitus.com
termse.sharemomentwith.us
therisor.com
thewholespend.info
tikooo.afropod.com
tj6e8k.com
traespo.smoothasbeauty.com
trenere.biz
tydfghk.biz
ufrere.biz
umpi102.dyndns.info
umpi103.dyndns.info
unusedgb.net
vededd.biz
versetaility.info
vertigoz0ne.info
vertigoz0ne.net
vertigoz0ne.org
vertigozone.net
wdgwber.biz
wergxcb.biz
wryeuy.biz
xrifa.dhzq.net
yherem.biz
zaderf.biz


radarsky.biz and something evil on 5.135.67.160/28

There is currently an injection attack redirecting visitors to a domains radarsky.biz (for example) hosted on 5.135.67.173 (OVH) and suballocated to:

inetnum:        5.135.67.160 - 5.135.67.175
netname:        MMuskatov-FI
descr:          MMuskatov
country:        FI
org:            ORG-OH6-RIPE
admin-c:        OTC15-RIPE
tech-c:         OTC15-RIPE
status:         ASSIGNED PA
mnt-by:         OVH-MNT
source:         RIPE # Filtered


 "MMuskatov" was involved in this attack too, and a quick inspection of 5.135.67.160/28 doesn't look promising, you might want to block it and 5.135.67.144/28 and 5.135.67.192/28 as well. A deeper analysis is in progress.

Thursday, 7 February 2013

+20 3 2983245 telepest

For some reason I've been plagued with cold calling telepests recently. This particular one (+20 3 2983245) offered the usual "press 5 to be ripped off" and "press 9 to try to unsubscribe which we will ignore" recorded message about claiming for an accident.

There was a very politely spoken and nice young man on the end of the phone. He seemed a bit perplexed and upset when I told him to f--k off and leave me alone. Good.

I don't know exactly who is behind this nuisance activity, but they were calling a TPS-registered phone from a number in Alexandria, Egypt. Offshoring fraudulent activity like this is quite common, but this is the first time that I've had to swear at an Egyptian. Perhaps the poor guy will consider doing something less scummy instead.

Update: unbelievably, they rang back again. This time I had a chat with another guy, and we had a discussion about my horrible industrial accident when my penis got caught in the shredder at work . There was blood everywhere, it was a real shocker for the other people in the office too. I asked where he was calling from, and he said Cambridge.. so I replied that it was odd that it appeared to be a number from Alexandria, and that he was a lying scumbag and please could he f--k off and never call me again. Oddly enough, he hung up.

FFIEC spam / live-satellite-view.net

This spam attempts to load malware from live-satellite-view.net, but fails because at the moment the domain isn't registered. However, you can expect them to try again.. so watch out for emails like this.

From: FFIEC [mailto:complaints@ffiec.gov]
Sent: 06 February 2013 16:17
Subject: FFIEC Occasion No. 77715


This summons is meant to make advise of file # 77715 which is opened and under interrogative with FFIEC following a accusation of your Financial Institution regarding suspect financial activity on your account.   
A hard copy of this judicial process will be delivered to your business address.
Our institution will forward information to competent government agencies following this accusation.
Information and contacts regarding your Occasion file # can be found at
   Occasion Number: 77715             
Observed by
 Federal Financial Institution Examination Council
   Emily Gray
The attempted download is from [donotclick]live-satellite-view.net/detects/advanced_selected_determines_comparison.php although it fails to resolve. Perhaps the registrar nuked the domain? However, it is possible to tell that the nameservers were ns1.http-page.net and ns2.http-page.net, and up investigate it turns out that all the following IPs and domains are related and should be treated as malicious:
7.129.51.158
31.170.106.17
74.4.6.128
98.144.191.50
175.121.229.209
198.144.191.50
208.117.43.145
222.238.109.66
able-stock.net
capeinn.net
duriginal.net
euronotedetector.net
gonita.net
gutprofzumbns.com
http-page.net
live-satellite-view.net
morepowetradersta.com
ocean-movie.net
starsoftgroup.net
vespaboise.net

Wednesday, 6 February 2013

inukjob.com fake job offer (also ineurojob.com and hollandsjob.com)

This fake job offer from inukjob.com involves illegal money laundering, and it also seems that the scammers want to use your identity for "correspondence" which normally means things like reshipping stolen goods and identity theft.

From: Victim
To: Victim
Date: 6 February 2013 09:16
Subject: Looking for remote assistants, paid $ 100 per hour helping other people


Good afternoon!

Is it possible for you to spare a few hours a week to the new occupation, which would increase your wages in 2-3 times, without investing a penny?  While you are looking for the trick in this offer, hundreds of your compatriots have already been reaping the benefits of working with us.
This is not a financial pyramid or marketing of any kind. It's about doing simple assignments, not exceed the limits of morals or ethics.

Your gender, age, employment do not matter - the main factors are your diligence and conscientiousness.
Lots of our employees began with a part-time employment and combined with other jobs, but two weeks later,
most of them devoted themselves to our job.

We are in all respects ready to remove all your doubts and help you to understand all details.
Position is called the "Regional Manager".

Functional duties:
- to represent the interests of foreign companies in the region (For example:  providing your address for correspondence.)
- to take control of transactions between the company and the client in your area.

For more information, please, email us attaching your CV, the country and city of residence.
It will considerably increase your chances for employment. Email: Kelsey@inukjob.com

Best Regards,
PR Manager
I've seen another variant with a reply address of Delores@inukjob.com. In all these cases, the email appears to come from the victim (here's why). Let's dig a little deeper into the domain. It turns out that it is registered by scam-friendly Chinese registrar BIZCN.COM.

The WHOIS details are fake:

   Tara Zwilling info@inukjob.com
   315-362-4562 fax: 315-362-4511
   3201 Oak Street
   Syracuse NY 13221
   us

There is no number 3201 Oak Street in Syracuse, New York (see for yourself) and the Zip code is incorrect, it should be 13203 and not 13221.

There's no web site, mail is handled by a server at 31.214.169.94 (Exetel, Germany).  The following mailservers can be found at that IP:

mx.ineurojob.com
mx.hollandsjob.com
mx.inukjob.com


You can assume that all these domains are fraudulent. If we dig a little deeper at the namesevers ns1.ariparts.net (also on 31.214.169.94) and ns2.ariparts.net (8.163.20.161, Level 3, US), then we can also find the following very dodgy domains:

hollandsjob.com
pracapolsk.com
ariparts.net
ineurojob.com


All these domains have fake or hidden registration details and can assume to be part of a scam. Avoid.

Update: Another version, 

Date:     7 February 2013 16:53
Subject:     You can earn an additional $ 200 per day helping your communi

I would like to take this time to welcome you to our hiring process
and give you a brief synopsis of the position's benefits and requirements.

If you are taking a career break, are on a maternity leave,
recently retired or simply looking for some part-time job, this position is for you.

Occupation: Flexible schedule 2 to 8 hours per day. We can guarantee a minimum 20 hrs/week occupation
Salary: Starting salary is 2000 GBP per month plus commission, paid every month.
Business hours: 9:00 AM to 5:00 PM, MON-FRI, 9:00 AM to 1:00 PM SAT or part time (UK time).

Region: United Kingdom.

Please note that there are no startup fees or deposits to start working for us.

To request an application form, schedule your interview and receive more information about this position
please reply to Rene@inukjob.com with your personal identification number for this position IDNO: 6376


Tuesday, 5 February 2013

Amazon.com spam / salam-tv.com

This fake Amazon email leads to malware on salam-tv.com:


Date:      Tue, 5 Feb 2013 18:32:06 +0100
From:      "Amazon.com Orders" [no-reply@amazon.com]
Subject:      Your Amazon.com order receipt.

    Click here if the e-mail below is not displayed correctly.
   
Follow us:                    
   
   
Your Amazon.com                         Today's Deals                 See All Departments    


Dear Amazon.com Customer,    
       

Thanks for your order, [redacted]!

Did you know you can view and edit your orders online, 24 hours a day? Visit Your Account.

Order Details:

E-mail Address: [redacted]
Billing Address:
1170 CROSSING CRK N Rd.
Fort Wayne OH 49476-1748
United States
Phone: 1- 749-787-0001

Order Grand Total: $ 91.99
   
Earn 3% rewards on your Amazon.com orders with the Amazon Visa Card. Learn More

Order Summary:
Details:
Order #:     C59-2302433-5787713
Subtotal of items:     $ 91.99
    ------
Total before tax:     $ 91.99
Tax Collected:     $0.00
    ------
Grand Total:     $ 90.00
Gift Certificates:     $ 1.99
    ------
Total for this Order:     $ 91.99
       
       
   
Find Great Deals on Millions of Items Storewide
We hope you found this message to be useful. However, if you'd rather not receive future e-mails of this sort from Amazon.com, please opt-out here.

� 2012 Amazon.com, Inc. or its affiliates. All rights reserved. Amazon, Amazon.com, the Amazon.com logo and 1-Click are registered trademarks of Amazon.com, Inc. or its affiliates. Amazon.com, 466 Sally Ave. N., Seattle, MA 71168-8282. Reference: 25090571

Please note that this message was sent to the following e-mail address: [redacted]
The malicious payload should be at [donotclick]salam-tv.com/detects/visit_putts.php but at the moment this domain doesn't seem to be resolving properly. A bit of digging around shows that it may be hosted on 198.144.191.50 (Chicago VPS, US) and the following malicious domains can be traced to that IP address:
morepowetradersta.com
capeinn.net
starsoftgroup.net
salam-tv.com
   

Monday, 4 February 2013

01530 561700: PPI refund cold callers are also PPI mis-sellers

Quick version:  01530 561700 is a PPI claims company trading as ABC Claims Management, but the people involved have been directors of a firm fined for PPI mis-selling. If you really want to wind them up, say you were mis-sold PPI by a firm called Hadenglen.

Long version:
PPI refund cold callers are annoying, and are almost always dishonest scumbags who claim that you are eligible for a PPI refund, but in fact they have no idea about who you are and nor do they have access to your financial records.

But there's more to the folks calling from 01530 561700 than meets the eye. The claims management company calling from this number is called ABC Claims Management (abc-inc.co.uk) who quote an address of:

York House
Smisby Road
Ashby de la Zouch
Leicestershire
LE65 2UG

A look at the WHOIS details give a nearby address:
Domain name:
        abc-inc.co.uk

    Registrant:
        HADENGLEN PLC

    Registrant type:
        Unknown

    Registrant's address:
        Hadenglen House Marlborough Square
        Leicestershire
        COALVILLE
        LE67 3WD
        United Kingdom


They list the owner as Hadenglen plc. Unlike many PPI claims firms, Hadenglen knows all about PPI.. because it and its boss were fined £182,000 in 2007  for PPI mis-selling. Hadenglen is no longer authorised to sell mortgages and there is a proposal to strike it off the register at Companies House.

The telephone number is closely associated with Hadenglen, both ABC and Hadenglen share the same address of:
SMISBY ROAD
ASHBY DE LA ZOUCH
LEICS
LE65 2UG
..and of course, Hadenglen registered the domain name.

Of course, the real gotcha is that two of the directors of ABC Incorporation Ltd are Paul Butler and Richard Hayes who were both directors of.. you guessed it.. Hadenglen. Indeed, Mr Hayes was fined £49,000 for his part in the Hadenglen PPI mis-selling.

You could argue that poachers make the best gamekeepers, and the directors of a firm that was involved in PPI mis-selling might be the best people to make a claim. Or you might think otherwise. But why pay someone to do it (which could be thousands of pounds) when you can do it for free?

Update:  the scammers from ABC rang me again, and the woman calling identified the company but said she had never heard of her directors of Hadenglen.. which I very much doubt. I advised her to fuck off and leave me alone.

Phytiva / XCHC pump-and-dump

This pump-and-dump spam (at least I assume that's what it is) caught my eye,

From:     Hugh Crouch [tacticallyf44@riceco.com]
Date:     4 February 2013 12:39
Subject:     RE: Targeting the global Cosmoceutical market

US leading biotech company is please to introduce a newly launched brand - a hybrid of a proven, existing product line that has been well-managed and conservatively-run for over a decade with a hemp-based product line, utilizing the unique and potent benefits of the plants. Revolutionary formulations target not just the symptom, but also the cause. The plant is the ideal basis for healing solutions and has been utilized for centuries, as skin responds extremely well to its properties.

Its newest Plant based Product lines that have identified over a dozen ailments that we believe that the products will be the superior choice on the market. These ailments include cancer, arthritis, influenza, HIV/ AIDS, PTSD and many more.

We are looking for leading beauty and health care investors. If you are dedicated to making difference in people”s lives, we need your help now more than ever before toprovide excellent and efficient medical and health care for our future researches.
 
For more information, please visit

You can unsubscribe from all our future email communications at
The email originates from 31.25.91.159 in the Islamic Republic of Iran, spamvertising a site at www.xn--80aakfmpm2afbm.xn--p1ai (yes, that's a valid international domain name) hosted on 111.123.180.11 in China. In all likelihood, Phytiva and its parent company The X-Change Corporation (stock ticker XCHC) are almost definitely nothing to do with this rather odd spam. Avoid.

Something evil on 108.61.12.43 and 212.7.192.100

A few sites worth blocking on 108.61.12.43 (Constant Hosting, US) courtesy of Malware Must Die:
helloherebro.com
painterinvoice.ru
painterinvoicet.ru
immediatelyinvoicew.ru

While you are at it, you might like to block 212.7.192.100 (Dediserv, Netherlands) as well.

StumbleUpon spam / drugstorepillstablets.ru

This fake StumbleUpon spam is something new, it leads to a fake pharma site on drugstorepillstablets.ru:

Date:      Mon, 4 Feb 2013 01:01:46 -0600 (CST)
From:      StumbleUpon [no-reply@stumblemail.com]
Subject:      Update: Changes to Your Email Settings

   

Hi [redacted],

This is a quick note to let you know about some changes we've made to the email settings in your StumbleUpon account. We've created a bunch of new notification options that allow you to have more control over what types of emails you'll receive from us. These new notification options are not compatible with the old settings, so your settings have been reset. We apologize for any inconvenience, and want to make sure we only send you the emails you want to receive.

Now what? Please click here to head over to your email settings and update your preferences, so we know exactly what emails you'd like to receive from StumbleUpon.

Want to receive all notifications about shares from friends, recommended Stumbles, and more? Great, you don't have to do anything at all!

Thanks for Stumbling,

The StumbleUpon Team

P.S. Haven't signed in for a while and can't remember your password? You can reset it here by entering the email address used in this email.
   
   

Please don't reply to this message - for all questions, check out our Help Center. To visit your email settings, please click here.

StumbleUpon | 301 Brannan Street, 6th Floor, San Francisco, CA 94107
There's no surprise to see that the IP address of the spamvertised site is 92.48.119.139 (Simply Transit, UK) along with the following other possibly spammy sites:

ariseharsh.info
biah.ru
birthmed.com
carepillshealthcare.com
climbedwelness.com
drugripdrugshealth.ru
drugstorepharmacycenterline.com
drugstorepillstablets.ru
dvicemedicalrx.net
fatdietrx.com
genericsperrigo.com
goaddscan.com
gokeyscan.com
gorayscan.com
healthviagracare.com
healthwiblackwell.com
herbalwelgarcinia.net
ipadiet.net
ladenlismeds.com
lxie.ru
mail.carepillshealthcare.com
mediamoviestar.com
medicalwelhealthcare.com
medicaremedsromney.net
medpillsprescription.com
movietestworld.com
mytabhealth.com
ongy.ru
pharmacycialismeningitis.net
physicianslnesshealth.com
pilltabletsfitness.eu
rxdrugstorewalgreens.com
tabletspharmacynutrition.ru
tabletspharmacywellbeing.ru
tabpharmacyhealth.ru
theviagrahealth.com
treatmentsdrugstorepharmacy.ru
vikingsnotdead.com


Friday, 1 February 2013

Something evil on 50.116.40.194

50.116.40.194 (Linode, US) is hosting the Blackhole Exploit Kit (e.g. [donotclick]14.goodstudentloans.org/read/walls_levels.php - report here) and seems to have been active in the past 24 hours. I can see two domains at present, although there are probably many more ready to go:

14.goodstudentloans.org
14.mattresstoppersreviews.net

Photos spam / eghirhiam.ru

Here's a tersely-worded Photos spam leading to malware on eghirhiam.ru:

Subject: Photos

Good day,
your photos here http://www.jonko.com/photos.htm
As is usually the case, the malware bounces through a legitimate hacked site and in this case ends up at [donotclick]eghirhiam.ru:8080/forum/links/public_version.php (report here) hosted on:

82.148.98.36 (Qatar Telecom, Qatar)
195.210.47.208 (PS Internet Company Ltd, Kazakhstan)
202.72.245.146 (Railcom, Mongolia)

The following IPs and domains are all related and should be blocked:
82.148.98.36
195.210.47.208
202.72.245.146
bananamamor.ru
damagalko.ru
dekamerionka.ru
dfudont.ru
disownon.ru
dmpsonthh.ru
dmssmgf.ru
dumarianoko.ru
eghirhiam.ru
epiratko.ru
esekundi.ru
evkotnka.ru
evskindarka.ru
evujalo.ru
exiansik.ru
eziponoma.ru