Sponsored by..

Friday, 8 March 2013

"Your tax return appeal is declined" / gimilako.ru

This following fake IRS spam leads to malware on gimilako.ru:

From: Myspace [mailto:noreply@message.myspace.com]
Sent: 07 March 2013 20:55
Subject: Your tax return appeal is declined.

Dear Chief Account Officer,
Hereby you are notified that your Income Tax Refund Appeal id#9518045 has been REJECTED. If you believe the IRS did not properly estimate your case due to a misunderstanding of the facts, be prepared to provide additional information. You can obtain the rejection details and re-submit your appeal by using the instructions in the attachment.

Internal Revenue Service


Telephone Assistance for Businesses:
Toll-Free, 1-800-829-4933
Hours of Operation: Monday Friday, 7:00 a.m. 7:00 p.m. your local time (Alaska & Hawaii follow Pacific Time). 
The malicious payload is at [donotclick]gimilako.ru:8080/forum/links/column.php (reported here) hosted on:
41.72.150.100 (Hetzner, South Africa)
89.107.184.167 (WebhostOne, Germany)
212.180.176.4 (Supermedia, Poland)

Blocklist:
41.72.150.100
89.107.184.167
212.180.176.4
gimilako.ru
forum-la.ru
forumla.ru
gimalayad.ru
ginagion.ru
giliaonso.ru
forum-ny.ru
forumny.ru
gosbfosod.ru

Adobe CS4 spam / guuderia.ru

This fake Adobe spam leads to malware on guuderia.ru:

From: messages-noreply@bounce.linkedin.com [mailto:messages-noreply@bounce.linkedin.com] On Behalf Of Donnie Cherry via LinkedIn
Sent: 07 March 2013 12:39
Subject: Order N40898

Good afternoon,

You can download your Adobe CS4 License here -

We encourage you to explore its new and enhanced capabilities with these helpful tips, tutorials, and eSeminars.
Thank you for buying Adobe InDesign CS4 software.


Adobe Systems Incorporated
The malicious payload is at [donotclick]guuderia.ru:8080/forum/links/column.php (report here) hosted on:

41.72.150.100 (Hetzner, South Africa)
212.180.176.4 (Supermedia, Poland)

Blocklist:
41.72.150.100
212.180.176.4
forum-la.ru
forumla.ru
gimalayad.ru
ginagion.ru
giliaonso.ru
forum-ny.ru
forumny.ru
guuderia.ru
gosbfosod.ru

Thursday, 7 March 2013

Malware sites to block 7/3/13

Some Cridex-based nastiness here. These are the malicious domains that I can find on the IPs mentioned, alternatively you can just block:

173.246.102.2 (Gandi, US)
173.255.215.242 (Linode, US)
64.13.172.42 (Silicon Valley Colocation, US)

Blocklist:
173.246.102.2
173.255.215.242
64.13.172.42
17.247nycr.com
17.optimax-fuel-saver.us
17.grantmassie.org
17.seniorgazette.org
17.scottbarr.org
17.kingdom-mystery.org
17.landvirginia.com
17.schnoescpa.com
17.rbasa.com
17.thinkgreensa.com
17.hogwashiniowa.com
17.ledbymmhd.com
17.ultimateserviceexperience.com
17.yourbrokerforlife.com
17.grantmassie.com
17.lascrittore.com
17.bearfoothouse.com
17.setapartcreative.com
17.sanantoniosiding.com
17.webezmarketing.com
17.iowahogwash.com
17.avbapi.com
17.sanantoniohardiplank.com
17.apielectrical.com
17.lwrbeerfestival.com
17.kathybissell.com
17.cpadahm.com
17.doorssanantoniocom.com
17.deborahramanathan.com
17.drdeborahramanathan.com
17.foodypon.com
17.renewalanderson.com
17.rbasanantonio.com
17.renewalsanantonio.com
17.thetelecomgroup.com
17.247nycr.com
17.mmholidaydecor.com
17.quakertownfamilydoctor.com
17.dmmbs.com
17.dmmmbs.com
17.kbgolfcoursesales.com
17.seniorgolfrankings.com
17.redtreebookings.com
17.southwest-referrals.com
17.texcoteproblems.com
17.taberydesigns.com
17.moffdomains.com
17.thebusiness-solutions.com
17.dchealthcaresolutions.com
17.deadbeatcustomers.com
17.docholidaybanners.com
17.worldclassexteriors.com
17.southwestexteriors.com
17.productpurveyors.com
17.valuationwidgets.com
17.profitzplus.com
17.culliganwaternet.com
17.soonerflight.com
17.bradentons-finest.com
17.opti-max.com
17.meccandivinity.com
17.247nycrealty.com
17.foodypon.info
17.brightdirection.us
17.optimaxmagnetics.us
17.optimax.us
17.ir-c.net
17.grantmassie.net
17.americanseniorgazette.net
17.sanantoniosiding.net
17.sanantoniodoors.net
17.sanantoniowindows.net
17.culliganwaternet.net
17.bestbysouthwest.net
17.brightdirection.biz
20.anythinginternational.biz
20.anythinginternational.com
20.chelsiamd.com
kfz-youngtimerservice.de
mtmedia.net
cinemacityhu.iq.pl


BBB Spam / alteshotel.net and bbb-accredited.net

This fake BBB spam leads to malware onalteshotel.net and bbb-accredited.net:


Date:      Thu, 7 Mar 2013 06:23:12 -0700
From:      "Better Business Bureau Warnings" [hurriese3@bbb.com]
Subject:      BBB details regarding your claim No.

Sorry, your e-mail does not support HTML format. Your messages can be viewed in your browser
Better Business Bureau ©
Start With Trust ©

Thu, 6 March 2013

Your Accreditation Suspended

[redacted]

The Better Business Bureau has been temporary Aborted Your Accreditation
A number of latest complains on you / your company motivated us to temporal Abort your accreditation with Better Business Beaureau. The details of the our decision are available for review at a link below. Please pay attention to this issue and inform us about your glance as soon as possible.

We graciously ask you to overview the TERMINATION REPORT to meet on this claim

We awaits to your prompt rebound.

If you think you got this email by mistake - please forward this message to your principal or accountant

Yours respectfully
Hunter Ross
Dispute Advisor
Better Business Bureau

Better Business Bureau
3053 Wilson Blvd, Suite 600 Arlington, VA 25501
Phone: 1 (703) 276.0100 Fax: 1 (703) 525.8277

This information was sent to [redacted]. Don't want to receive these emails anymore? You can unsubscribe

=========================


Date:      Thu, 7 Mar 2013 21:19:18 +0800
From:      "Better Business Bureau Warnings" [prettifyingde7@transfers.americanpayroll.org]
Subject:      BBB details about your pretense No.

Sorry, your e-mail does not support HTML format. Your messages can be viewed in your browser
Better Business Bureau ©
Start With Trust ©

Thu, 6 March 2013

Your Accreditation Suspended

[redacted]

The Better Business Bureau has been temporary Aborted Your Accreditation
A number of latest complains on you / your company motivated us to transient Cancell your accreditation with Better Business Beaureau. The details of the our decision are available visiting a link below. Please pay attention to this question and notify us about your belief as soon as possible.

We graciously ask you to visit the ABUSE REPORT to answer on this appeal

We awaits to your prompt answer.

If you think you got this email by mistake - please forward this message to your principal or accountant

Faithfully yours
Benjamin Cox
Dispute Councilor
Better Business Bureau

Better Business Bureau
3053 Wilson Blvd, Suite 600 Arlington, VA 24401
Phone: 1 (703) 276.0100 Fax: 1 (703) 525.8277

This letter was sent to [redacted]. Don't want to receive these emails anymore? You can unsubscribe



One potentially malicious payload is at [donotclick]alteshotel.net/detects/review_complain.php (looks like it might be broken - report here) hosted on:

69.43.161.176 (Parked at Castle Access Inc, US)

The other is at [donotclick]bbb-accredited.net/kill/enjoy-laws-partially-unwanted.php (definitely malicious - report here) hosted on:

64.207.236.198 (EasyTEL, US)
142.11.195.204 (Hostwinds LLC, US)
149.154.68.214 (TheFirst.RU, Russia)

These other domains can be seen on those IPs:
secureaction120.com
secureaction150.com
iberiti.com
notsk.com
metalcrew.net
roadix.net
gatovskiedelishki.ru
conbicormiks.ru

Recommended blocklist:
64.207.236.198
142.11.195.204
149.154.68.214
secureaction120.com
secureaction150.com
iberiti.com
notsk.com
metalcrew.net
roadix.net
gatovskiedelishki.ru
conbicormiks.ru
alteshotel.net
bbb-accredited.net

Wednesday, 6 March 2013

Pizza spam / gimalayad.ru


Cheese Lover's Pizza with no cheese?! Chicken pizza with three lots of extra ham?? This spam actually leads to malware on gimalayad.ru:

Date:      Wed, 6 Mar 2013 12:22:04 +0330
From:      Tagged [Tagged@taggedmail.com]
Subject:      Fwd: Order confirmation

You??™ve just ordered pizza from our site

Pizza Ultimate Cheese Lover's with extras:
- Bacon Pieces
- Ham
- Bacon Pieces
- Jalapenos
- Black Olives
- No Cheese
- Easy On Sauce
Pizza Chicken Supreme with extras:
- Ham
- Ham
- Ham
- Jalapenos
- Green Peppers
- Diced Tomatoes
- Extra Cheese
- Extra Sauce
Pizza Hawaiian Luau with extras:
- Ham
- Green Peppers
- Jalapenos
- Pineapple
- Extra Cheese
- No Sauce
Pizza Pepperoni Lover's with extras:
- Beef
- Ham
- Green Peppers
- Onions
- Green Peppers
- Extra Cheese
- Easy On Sauce
Pizza Spicy Sicilian with extras:
- Chicken
- Ham
- Bacon Pieces
- Pineapple
- Easy On Cheese
- Easy On Sauce
Drinks
- Grolsch x 6
- 7up x 3
- Budweiser x 4
- Carling x 2
Total Charge:    232.33$



If you haven??™t made the order and it??™s a fraud case, please follow the link and cancel the order.
CANCEL ORDER NOW!

If you don??™t do that shortly, the order will be confirmed and delivered to you.


With respect to you
ALBERTO`s Pizzeria

================================


Date:      Wed, 6 Mar 2013 09:16:56 +0100
From:      "Xanga" [noreply@xanga.com]
Subject:      Re: Fwd: Order confirmation

You??™ve just ordered pizza from our site

Pizza Ultimate Cheese Lover's with extras:
- Beef
- Pepperoni
- Diced Tomatoes
- Easy On Cheese
- Extra Sauce
Pizza Italian Trio with extras:
- Beef
- Black Olives
- Black Olives
- Onions
- Extra Cheese
- Extra Sauce
Pizza Triple Meat Italiano with extras:
- Bacon Pieces
- Ham
- Onions
- Green Peppers
- Diced Tomatoes
- Extra Cheese
- Extra Sauce
Drinks
- Simply Orange x 4
- Fanta x 2
- 7up x 2
- Heineken x 2
- Lift x 5
- Pepsi x 4
- Budweiser x 4
Total Charge:    242.67$



If you haven??™t made the order and it??™s a fraud case, please follow the link and cancel the order.
CANCEL ORDER NOW!

If you don??™t do that shortly, the order will be confirmed and delivered to you.


With Respect
PIERO`s Pizzeria

The malicious payload is at [donotclick]gimalayad.ru:8080/forum/links/column.php (report here) hosted on the same IPs used in this attack:


41.72.150.100 (Hetzner, South Africa)
117.104.150.170 (NTT, Japan)
212.180.176.4 (Supermedia, Poland)

Blocklist:
41.72.150.100
117.104.150.170
212.180.176.4
forum-la.ru
gosbfosod.ru
giliaonso.ru
forum-ny.ru
ginagion.ru
gimalayad.ru

BT Business Direct Order Spam / ginagion.ru

This fake BT spam leads to malware on ginagion.ru:

From: Bebo Service [mailto:service=noreply.bebo.com@bebo.com] On Behalf Of Bebo Service
Sent: 05 March 2013 21:22
Subject: BT Business Direct Order


Notice of delivery

Hi,

We're pleased to confirm that we have now accepted and despatched your order on Wed, 6 Mar 2013 03:21:30 +0600.

Unless you chose a next day or other premium delivery service option, then in most cases your order will arrive within 1-3 days. If we despatched your order via Letterpost, it may take a little longer.

***Please note that your order may have shipped in separate boxes and this means that separate consignment numbers may be applicable***

We've despatched...

..using the attached shipment details...
Courier     Ref     Carriage method
Royal Mail     FM320725534     1-3 Days

Please note that you will only be able to use this tracking reference once the courier has scanned the parcel into their depot. Please allow 24 hours from the date of this email before tracking your parcel online.

For information on how track your delivery, please follow to attached file.

Important information for Yodel deliveries:

If your consignment number starts with 3S3996956 your delivery will require a signature. If there is no-one at the delivery address to sign for the goods a card will be left containing the contact details of the courier so that you can re-arrange delivery or arrange a collection.
The malicious payload is at [donotclick]ginagion.ru:8080/forum/links/column.php (report here) hosted on:
41.72.150.100 (Hetzner, South Africa)
117.104.150.170 (NTT, Japan)
212.180.176.4 (Supermedia, Poland)

Blocklist:
41.72.150.100
117.104.150.170
212.180.176.4
gosbfosod.ru
giliaonso.ru
forum-ny.ru
ginagion.ru


Tuesday, 5 March 2013

Sendspace spam / forumkianko.ru

This fake Sendspace spam leads to malware on forumkianko.ru:

Date:      Tue, 5 Mar 2013 06:52:10 +0100
From:      AyanaLinney@[redacted]
Subject:      You have been sent a file (Filename: [redacted]-51153.pdf)

Sendspace File Delivery Notification:

You've got a file called [redacted]-01271.pdf, (797.4 KB) waiting to be downloaded at sendspace.(It was sent by DEON VANG).

You can use the following link to retrieve your file:

Download Link

The file may be available for a limited time only.

Thank you,

sendspace - The best free file sharing service.

----------------------------------------------------------------------
Please do not reply to this email. This auto-mailbox is not monitored and you will not receive a response.

The malicious payload is at [donotclick]forumkianko.ru:8080/forum/links/column.php (report here) hosted on:
 
46.4.77.145 (Hetzner, Germany)
198.104.62.49 (NTT America, US)
210.71.250.131 (Chungwa Telecom, Taiwan)

These IPs are the same as used in this attack.

"Scan from a Hewlett-Packard ScanJet" spam / giliaonso.ru

This fake HP printer spam leads to malware on giliaonso.ru:

Date:      Tue, 5 Mar 2013 12:53:40 +0500
From:      "Classmates . com" [classmatesemail@accounts.classmates.com]
Subject:      Fwd: Re: Scan from a Hewlett-Packard ScanJet #161051
Attachments:     HP_Scan.htm

Attached document was scanned and sent

to you using a HP A-16292P.

SENT BY : Landon
PAGES : 6
FILETYPE: .HTML [INTERNET EXPLORER/MOZILLA FIREFOX]
The attachment leads to malware on [donotclick]giliaonso.ru:8080/forum/links/column.php (report here) hosted on the following IPs:

46.4.77.145 (Hetzner, Germany)
198.104.62.49 (NTT America, US)
210.71.250.131 (Chungwa Telecom, Taiwan)

Blocklist:
46.4.77.145
198.104.62.49
210.71.250.131
forum-la.ru
forumla.ru
forumilllionois.ru
forumny.ru
forum-la.ru
forumla.ru
foruminanki.ru
ny-news-forum.ru
forumilllionois.ru
forum-ny.ru
forumny.ru
giliaonso.ru



Something evil on 5.9.196.3 and 5.9.196.6

Two IPs in the 5.9.196.0/28 block that you probably want to avoid are 5.9.196.3 and 5.9.196.6. The first of these IPs is being used in an injection attack (in this case via [donotclick]frasselt-kalorama.nl/relay.php) leading to two identified malware landing pages:

[donotclick]kisielius.surfwing.me/world/explode_conscious-scandal.jar (report here)
[donotclick]alkalichlorideasenteeseen.oyunhan.net/world/romance-apparatus_clinical_repay.php (report here)

Domains visible on 5.9.196.3 include:
alkalichlorideasenteeseen.oyunhan.net
kisielius.surfwing.me
dificilmentekvelijitten.surfwing.me
kisielius.surfwing.me
befool-immatriculation.nanovit.me
locoburgemeester.toys2bsold.com
ratiocination-wselig.smithsisters.us

A few IPs along is 5.9.196.6 which hosts the following domain that also looks highly suspect:
inspegrafstatkakukano.creatinaweb.com

Blocking these domains completely is probably a good idea:
oyunhan.net
surfwing.me
nanovit.me
toys2bsold.com
smithsisters.us
creatinaweb.com

5.9.196.0/28 is a Hetzner IP allocated to:

inetnum:        5.9.196.0 - 5.9.196.15
netname:        PQCSERVICE-LLC
descr:          pqcservice llc
country:        DE
admin-c:        VS4214-RIPE
tech-c:         VS4214-RIPE
status:         ASSIGNED PA
mnt-by:         HOS-GUN
source:         RIPE # Filtered

person:         Vadim Sheyin
address:        pqcservice llc
address:        Universitetskaya 2a
address:        61091 Kharkov
address:        UKRAINE
phone:          +380506268399
nic-hdl:        VS4214-RIPE
mnt-by:         HOS-GUN
source:         RIPE # Filtered


I haven't seen anything of value in this /28, blocking it may be prudent.

Monday, 4 March 2013

"British Airways E-ticket receipts" spam / forum-la.ru

This fake British Airways spam leads to malware on forum-la.ru:

From:     LiveJournal.com [do-not-reply@livejournal.com]
Date:     4 March 2013 12:17
Subject:     British Airways E-ticket receipts

e-ticket receipt
Booking reference: 9AZ3049885
Dear,

Thank you for booking with British Airways.

Ticket Type: e-ticket
This is your e-ticket receipt. Your ticket is held in our systems, you will not receive a paper ticket for your booking.

Your itinerary is attached (Internet Exlplorer/Mozilla Firefox file)


Yours sincerely,

British Airways Customer Services

British Airways may monitor email traffic data and also the content of emails, where permitted by law, for the purposes of security and staff training and in order to prevent or detect unauthorised use of the British Airways email system.

British Airways Plc is a public limited company registered in England and Wales. Registered number: 79805156. Registered office: Waterside, PO Box 365, Harmondsworth, West Drayton, Middlesex, England, UB7 0GB.

How to contact us
Although we are unable to respond to individual replies to this email we have a comprehensive section that may help you if you have a question about your booking or travelling with British Airways.


If you require further assistance you may contact us

If you have received this email in error
This is a confidential email intended only for the British Airways Customer appearing as the addressee. If you are not the intended recipient please delete this email and inform the snder as soon as possible. Please note that any copying, distribution or other action taken or omitted to be taken in reliance upon it is prohibited and may be unlawful.

The email has an attachment named E-Ticket-N93892PK.htm which attempts to direct the victim to a malware page at [donotclick]forum-la.ru:8080/forum/links/column.php (report here) hosted on:
198.104.62.49 (NTT America, US)
210.71.250.131 (Chungwa Telecom, Taiwan)


Blocklist:
198.104.62.49
210.71.250.131
forumla.ru
forumny.ru
forum-la.ru
foruminanki.ru
ny-news-forum.ru
forumilllionois.ru
forum-ny.ru


dealerbid.co.uk spam

This spam uses an email address ONLY used to sign up for dealerbid.co.uk

From:     HM Revenue & Customs [enroll@hmrc.gov.uk]
Date:     4 March 2013 13:37
Subject:     HMRC Tax Refund ID: 3976244

Dear Taxpayer,

After the last annual calculations of your fiscal activity we have discovered that you are eligible to receive a tax refund of 377.50 GBP. Kindly complete the tax refund request and allow 2-3 working days to process it.

 A refund can be delayed for a variety of reasons. For example submitting invalid records or applying after the deadline. Please click on the attached file in order to access the form for your tax refund.

 Currently we are only able to process tax refunds through "LloydsTSB". Alternatively, you can wait for the next few weeks to apply for a full refund through additional financial institutions(Banks).

Kind regards,

 Paul McWeeney
 Head of Consumer Sales and Service

The email got horribly mangled on the way and luckily whatever payload came with it is buggered. Of interest though, the email originates from 78.136.27.79 which is home to the following websites:

everybodyonline.co.uk
uk-car-discount.co.uk

The email address has been stolen from one UK motoring related site, and the spam sent through the hacked server of another UK motoring site. That's a peculiar coincidence, although I do not believe that those site operators are responsible for this spam run.

It looks like I am not the only person to notice this same problem..

UPDATE 1: dealerbid.co.uk are investigating this issue.
UPDATE 2: it happened again.
UPDATE 3: there's no evidence of malware on 78.136.27.79, everybodyonline.co.uk or uk-car-discount.co.uk as far as I can see. I guess it may have been an open relay. If you are blacklisting these for malware that I suggest you un-blacklist them. (2013-09-25)

eFax spam / forumla.ru

This fake eFax spam leads to malware on forumla.ru:
Date:      Mon, 4 Mar 2013 08:53:20 +0300
From:      LinkedIn [welcome@linkedin.com]
Subject:      Efax Corporate
Attachments:     Efax_Corporate.htm



Fax Message [Caller-ID: 646370000]

You have received a 57 pages fax at Mon, 4 Mar 2013 08:53:20 +0300, (213)-406-0113.

* The reference number for this fax is [eFAX-336705661].

View attached fax using your Internet Browser.


© 2013 j2 Global Communications, Inc. All rights reserved.
eFax ® is a registered trademark of j2 Global Communications, Inc.

This account is subject to the terms listed in the eFax ® Customer Agreement.
The malicious payload is at [donotclick]forumla.ru:8080/forum/links/column.php (report here) hosted on 210.71.250.131 (Chungwa Telecom, Taiwan). These other sites are also visible on the same IP:
foruminanki.ru
ny-news-forum.ru
forumilllionois.ru
forum-ny.ru
forumny.ru
forumla.ru

Delta Airlines spam / inanimateweaknesses.net and complainpaywall.net

This fake Delta Airlines spam leads to malware on inanimateweaknesses.net and complainpaywall.net:

From: DELTA CONFIRMATION [mailto:cggQozvOc@sutaffu.co.jp]
Sent: 04 March 2013 14:27
Subject: Your Receipt and Itinerary

Thank you for choosing Delta. We encourage you to review this information before your trip.
If you need to contact Delta or check on your flight information, go to delta.com/itineraries

Now, managing your travel plans just got easier. You can exchange, reissue and refund electronic tickets at delta.com/itineraries.

Take control and make changes to your itineraries at delta.com/itineraries.

Speed through the airport. Check-in online for your flight.

Check-in

Flight Information
DELTA CONFIRMATION #: D0514B3
TICKET #: 00920195845933
Bkng Meals/ Seat/
Day Date Flight Status Class City Time Other Cabin
--- ----- --------------- ------ ----- ---------------- ------ ------ -------
Mon 11MAR DELTA 372 OK H LV NYC-KENNEDY 820P F 19C
AR SAN FRANCISCO 8211P COACH

Fri 15MAR DELTA 1721 OK H LV LOS ANGELES 1145P V 29A
AR NYC-KENNEDY 812A# COACH

Check your flight information online at delta.com/itineraries
The email contains several links to different hacked sites, which then forward to [donotclick]inanimateweaknesses.net/closest/c93jfi2jf92ifj39ugh2jfo3g.php (report  here) or [donotclick]complainpaywall.net/closest/c93jfi2jf92ifj39ugh2jfo3g.php (report here) both of which are hosted on 188.93.211.156 (Logol.ru, Russia). In my opinion 188.93.210.0/23 is a bit of a sewer and should be blocked if you can, as there are probably many other malicious sites nearby.


Of note is that the links in the email only seem to work with a correct referrer and user agent. If those are not set, then you will not end up at the malware page.


Friday, 1 March 2013

Casino-themed Blackhole sites

Here's a a couple of URLs that looks suspicious like a BlackHole Exploit kit, hosted on 130.185.105.74:

[donotclick]888casino-luckystar.net/discussing/sizes_agreed.php
[donotclick]555slotsportal.org/discussing/alternative_distance.php
[donotclick]555slotsportal.net/shrift.php
[donotclick]555slotsportal.net/discussing/alternative_distance.php
[donotclick]555slotsportal.me/discussing/alternative_distance.php
[donotclick]sexstreamsmatez.biz/discussing/alternative_distance.php

You can find a sample report here.  Let's dig a little deeper into that IP address.

inetnum:        130.185.105.0 - 130.185.105.127
netname:        Creative-Telematics-Trade
descr:          Creative Telematics & Trade s.r.o.
country:        CZ
admin-c:        AT1717-RIPE
tech-c:         AT1717-RIPE
status:         ASSIGNED PA
mnt-by:         XIRRA
source:         RIPE # Filtered

person:         Alexey Terentyev
address:        Czech Republic
address:        Praha 1, Na Prikope 10
address:        11000 Praha Czech Republi
address:        CZ
phone:          +420 228880161
fax-no:         +420 227204027
abuse-mailbox:  abuses@nkvdteam.ru
nic-hdl:        AT1717-RIPE
mnt-by:         NETDIRECT-MNT
source:         RIPE # Filtered

route:          130.185.105.0/24
descr:          XIRRA-NET
origin:         AS51191
mnt-by:         XIRRA
source:         RIPE # Filtered


"Alexey Terentyev" isn't a very Czech name, and neitgher is the domain name of nkvdteam.ru.. wait.. NKVD? You have to have a certain mind-set to call yourself that I guess..

So what can we find hosted on 130.185.105.74?

cams4xonline.me
555slotsportal.me
888casino-luckystar.me
klom555slots.me
zitex555slots.me
555slotsgamestoday.me
sexstreamsmatez.me
cams4xonline.org
555slotsportal.org
ttlxpoker.org
555pokerstreamx.org
sexstreamsmatez.org
555slotsportal.com
888casino-luckystar.com
ttlxpoker.com
888slotmachines.com
klom555slots.com
555slotsgamestoday.com
sexstreamsmatez.com
cams4xonline.info
555slotsportal.info
888casino-luckystar.info
ttlxpoker.info
klom555slots.info
zitex555slots.info
555slotsgamestoday.info
sexstreamsmatez.info
cams4xonline.net
555slotsportal.net
ttlxpoker.net
zitex555slots.net
daisy555slots.net
555slotsgamestoday.net
sexstreamsmatez.net
555slotsportal.biz
888casino-luckystar.biz
ttlxpoker.biz
muxxx4cams.biz
zitex555slots.biz
555slotsgamestoday.biz
sexstreamsmatez.biz

I'm going to suggest that there's nothing of value here and these sites are probably malicious and should be blocked. You might want to consider blocking 130.185.105.0/24 too.


Thursday, 28 February 2013

usanewwork.com fake job offer

This fake job offer will be some illegal activity such as money laundering or reshipping stolen goods:

Date:      Thu, 28 Feb 2013 14:57:55 -0600
From:      andrzej.wojnarowski@[victimdomain]
Subject:      There is a vacancy of a Regional manager in USA:

If you have excellent administrative skills, working knowledge of Microsoft Office,
a keen eye for detail, well-versed in the use of social networking sites such as Twitter and Facebook,
are organized, present yourself well and are a team player with the ability to work independently,
are reliable and punctual and can understand and execute instructions are determined to work hard and succeed - we need you.

If you are interested in this job, please, send us your contact information:
Full name:
Country:
City:
E-mail:

Please email us for details: Paulette@usanewwork.com
In this case the email originated from 187.246.25.58, a Mega Cable customer in Guadalajara, Mexico. The domain is registered to an address that does not exist (there is no Pratt Avenue in Tukwila):

   Sarah Shepard info@usanewwork.com
   360-860-3630 fax: 360-860-3321
   4478 Pratt Avenue
   Tukwila WA 98168
   us

The domain was only registered two days ago on 28/2/13.


The nameservers ns1.stageportal.net and ns2.stageportal.net are shared by several other domains offering similar fake jobs:

arbeitsagentura.com
stepstonede.com
europswork.com
usanewwork.com
euroconsaltinn.com
europsconsult.com
stageportal.net

IP addresses involved are:
5.135.90.19 (OVH, France)
69.169.90.62 (Big Brain Host, US)
199.96.86.139 (Microglobe LLC, US)

This job offer is best avoided unless you like prison food.

For the record, these are the other registrant details.

stageportal.net:

      LAUREEN FREEMAN
      7538 TRADE ST.
      SAN DIEGO, CA 92121
      US
      Phone: +1.8585668488
      Email: wondermitch@hotmail.com

arbeitsagentura.com:

   Michael B. Jackson
   Michael Jackson info@arbeitsagentura.com
   909-542-7178 fax: 909-542-7311
   3832 Gordon Street
   Pomona CA 91766
   us

stepstonede.com:

   John L. Irizarry
   John Irizarry info@stepstonede.com
   858-450-8875 fax: 858-450-8811
   4808 Hamill Avenue
   San Diego CA 92123
   us

europswork.com:

   Connie J. Grooms
   Connie Grooms info@europswork.com
   626-448-5229 fax: 626-448-5211
   2815 Woodstock Drive
   El Monte CA 91731
   us

euroconsaltinn.com:

   Mamie W. Murray
   Mamie Murray info@euroconsaltinn.com
   920-245-0475 fax: 920-245-0411
   3390 Rockford Mountain Lane
   West Allis WI 53227
   us

europsconsult.com:

   Regina P. Clay
   Regina Clay info@europsconsult.com
   212-241-1581 fax: 212-241-1211
   408 Bell Street
   New York NY 10029
   us


"Contract of 09.07.2011" spam / forumny.ru

This contracts-themed spam leads to malware on forumny.ru:

Date:      Thu, 28 Feb 2013 11:43:15 +0400
From:      "LiveJournal.com" [do-not-reply@livejournal.com]
Subject:      Fw: Contract of 09.07.2011
Attachments:     Contract_Scan_IM0826.htm

Dear Sirs,

In the attached file I am forwarding you the Translation of the Loan Contract that I have just received a minute ago. I am really sorry for the delay.

Best regards,

SHERLENE DARBY, secretary
The attachment Contract_Scan_IM0826.htm leads to malware on [donotclick]forumny.ru:8080/forum/links/column.php (report here) on:

31.200.240.153 (Unelink Telecom, Spain)
83.169.41.58 (Host Europe, Germany)

Blocklist:
31.200.240.153
83.169.41.58
carmennavarro.es
eiiiioovvv.ru
ejjiipprr.ru
emmmhhh.ru
errriiiijjjj.ru
famagatra.ru
filialkas.ru
finalions.ru
forumbmwr.ru
forumkinza.ru
forumligandaz.ru
forummersedec.ru
forummoskowciti.ru
forumny.ru
forumrogario.ru
forumusaaa.ru
forumvvz.ru
fuigadosi.ru
fzukungda.ru



"Follow this link" spam / sidesgenealogist.org

This rather terse spam appears to leads to an exploit kit on sidesgenealogist.org:

From: Josefina Underwood [mailto:hdFQe@heathrowexpress.com]
Sent: 27 February 2013 16:43
Subject: Follow this link

I have found it http://www.eurosaudi.com/templates/beez/wps.php?v20120226

Sincerely yours,
Sara Walton
The link is to a legitimate hacked site, and in this case it attempts to bounce to [donotclick]sidesgenealogist.org/closest/c93jfi2jf92ifj39ugh2jfo3g.php but at the time of writing the malware site appears to be overloaded. However, we can find an earlier report for the same sever here that indicates an exploit kit.

The malware is hosted on 188.93.210.226 (Logol.ru, Russia). I would recommend blocking the entire 188.93.210.0/23 range to be on the safe side. These other two domains are in the same AS and are currently active:

reinstalltwomonthold.org
nephewremovalonly.org
scriptselse.org
everflowinggopayment.net

Wednesday, 27 February 2013

"End of Aug. Statement" spam / forumusaaa.ru

This invoice-themed spam leads to malware on forumusaaa.ru:

Date:      Thu, 28 Feb 2013 06:04:08 +0530
From:      "Lisa HAGEN" [WilsonVenditti@ykm.com.tr]
Subject:      Re: FW: End of Aug. Statement
Attachments:     Invoice_JAN-2966.htm

Good day,

as reqeusted I give you inovices issued to you per jan. (Microsoft Internet Explorer).

Regards

Lisa HAGEN
The malware is hosted at [donotclick]forumusaaa.ru:8080/forum/links/column.php (report here) hosted on:

31.200.240.153 (Unelink Telecom, Spain)
83.169.41.58 (Host Europe, Germany)

Blocklist:
31.200.240.153
83.169.41.58
fzukungda.ru
famagatra.ru
forumkinza.ru
forummersedec.ru
emmmhhh.ru
fuigadosi.ru
forummoskowciti.ru
errriiiijjjj.ru
forumrogario.ru
ejjiipprr.ru
forumbmwr.ru
filialkas.ru
finalions.ru
eiiiioovvv.ru
forumligandaz.ru
forumvvz.ru
forumusaaa.ru

US Airways spam / berrybots.net

This very details but fake US Airways spam leads to malware on berrybots.net:

Date:      Wed, 27 Feb 2013 08:09:36 -0500 [08:09:36 EST]
From:      bursarp1@email-usairways.com
Subject:      Your US Airways trip

US Airways - Your Reservation

Confirmation code:   B339AO

Date issued:   Tuesday, February 26, 2013


Barcode
[redacted]
Scan at any US Airways kiosk to check in
Passenger summary
Passenger name
Frequent flyer # (Airline)
Ticket number
Special needs
Angel Morris 40614552582 (US)   22401837506661    
Robert White   12938253579871     
Fly details Download to Outlook
Depart:    Philadelphia, PA  (PHL) Chicago, IL (O'Hare)  (ORD)

Date: Thursday, February 28, 2013
Flight #/ Carrier
Depart
Arrive
Travel time
Meal
Aircraft
Cabin
Seats
8766   
09:38 AM   PHL
10:56 AM   ORD
2h 18m
A320
Coach
236E 236A

Return:    Chicago, IL (O'Hare)  (ORD) Philadelphia, PA   (PHL)

Date: Wednesday, March 06, 2013
Flight #/ Carrier
Depart
Arrive
Travel time
Meal
Aircraft
Cabin
Seats
4394   
11:55 AM   ORD
02:49 PM  PHL
1h 54m
A320
Coach
10A 10B
  US Airways


Total travel cost (2 passengers)
2 Adults   $667.35 USD 
Taxes and fees  $95.25 USD 

Fare total $754.61 USD   

Total   $751.62 USD

Charged to
************XXX7 (Credit or Debit Card)

Helpful links


Bags

Pay for your checked bags when you check in online or at the airport! Read more about bags.
Carry ons* Carry-on bag Personal item
All flights $0 $0
Checked bags (each way/per person)* 1st bag 2nd bag
U.S. / Canada / Latin America / Caribbean / Bermuda / South America (except Brazil) $25 $35
Transatlantic $0 $100
Transpacific / Brazil (except Hawaii) $0 $0
*Carry-ons can be up to 40 lbs and up to 45 inches and a personal item is a handbag, briefcase or laptop bag.
**1st & 2nd checked bags can be up to 50 lbs and 62 inches except Brazil where you're allowed up to 70 lbs. Europe fees apply for travel to/from Asia through Europe. Baggage fees are non-refundable.


1st, 2nd and 3rd checked bag fees waived
  • Gold, Platinum and Chairman's Preferred members
  • Star Alliance Gold status members
1st and 2nd checked bag fees waived
  • (Overweight / oversize fees still apply)
  • Confirmed First Class and Envoy passengers
  • Active U.S. military with ID on personal travel
  • Active U.S. military with ID and dependents traveling with them on orders
  • Unaccompanied minors (with US Airways unaccompanied minor paid assistance)
1st checked bag fees waived
  • (Overweight / oversize fees still apply)
  • Silver Preferred members
  • Star Alliance Silver status members
Other guidelines:
  • Overweight/oversize fees and fees for 3 or more bags apply. Read all baggage policies.
  • If you're traveling with an infant, the child is allowed 1 fully collapsible stroller or 1 child restraint device or car seat (no charge). If you're traveling internationally with an infant in lap, your child is also allowed 1 checked bag (checked bag fees apply - max 62 in/157 cm and 50 lbs/23 kg).
  • If one or more of your flights is on a partner airline, please check with the other airline for information on optional fees.



Terms & conditions
  • Ticket is non-transferable.
  • You must contact US Airways on or before your scheduled departure to cancel any or all of your flights. If you don't, your entire itinerary will be cancelled and there may be no remaining value to use toward another ticket.
  • Any change to this reservation, including flights, dates, or cities, is subject to a fee per passenger (according to the rules of the original fare). The new itinerary will be priced at the lowest available published fare at the time of change, which may result in a fare increase.
  • Ticket expires one year from original date of issue. Unflown value expires one year from original date of issue.
  • Read more about all US Airways taxes and fees.
  • You have 24 hours to cancel your reservation for a full refund. Please view this link.
  • Checked baggage fees may apply.
  • Air transportation on US Airways is subject to the US Airways Contract of Carriage. View this document in PDF format.
  • Security regulations may require us to disclose to government agencies the data you provide to us in connection with this reservation.
  • Changes to the country of origin are not permitted, except for changes between the United States and U.S. territories.
  • Send US your compliments and/or complaints.

We are committed to protecting your privacy. Your information is kept private and confidential. For information about our privacy policy visit usairways.com. Please do not reply to this email, it is not monitored. If you'd like to contact us, please visit our website.

Picture version (click to enlarge):
The malicious payload is at [donotclick]berrybots.net/detects/circulation-comparatively.php (report here) hosted on:118.97.77.122 (PT Telkon, Jakarta)
147.91.83.31 (AMRES, Serbia)
195.88.139.78 (Neiron Systems, Ukraine)

Recommended blocklist:
118.97.77.122
147.91.83.31
195.88.139.78
greatfallsma.com
lazaro-sosa.com
yoga-thegame.net
dekolink.net
saberdelvino.net
berrybots.net


Tuesday, 26 February 2013

Intuit spam / forumligandaz.ru

This fake Intuit spam leads to malware on forumligandaz.ru:

Date:      Tue, 26 Feb 2013 01:27:09 +0330
From:      "Classmates . com" [classmatesemail@accounts.classmates.com]
Subject:      Payroll Account Holded by Intuit


Direct Deposit Service Informer
Communicatory Only

We cancelled your payroll on Tue, 26 Feb 2013 01:27:09 +0330.

    Finances would be gone away from below account # ending in 8733 on Tue, 26 Feb 2013 01:27:09 +0330
    amount to be seceded: 3373 USD
    Paychecks would be procrastinated to your personnel accounts on: Tue, 26 Feb 2013 01:27:09 +0330
    Log In to Review Operation


Funds are typically left before working banking hours so please make sure you have enough Finances accessible by 12 a.m. on the date Cash are to be seceded.

Intuit must reject your payroll by 4 p.m. Central time, two banking days before your paycheck date or your state would not be paid on time.
QuickBooks does not process payrolls on weekends or federal banking holidays. A list of federal banking holidays can be viewed at the Federal Reserve website.

Thank you for your business.

Regards,
Intuit Payroll Services

The malicious payload is at [donotclick]forumligandaz.ru:8080/forum/links/column.php (report here) hosted on:

31.200.240.153 (Unelink Telecom, Spain)
83.169.41.58 (Host Europe, Germany)

Blocklist:
31.200.240.153
83.169.41.58
fzukungda.ru
famagatra.ru
forumkinza.ru
forummersedec.ru
emmmhhh.ru
fuigadosi.ru
forummoskowciti.ru
errriiiijjjj.ru
forumrogario.ru
ejjiipprr.ru
forumbmwr.ru
filialkas.ru
finalions.ru
eiiiioovvv.ru
forumvvz.ru
forumligandaz.ru