Sponsored by..

Friday, 15 March 2013

RU:8080 Malware sites to block 15/3/13

These seem to be the currently active IPs and domains being used by the RU:8080 gang. Of these the domain gilaogbaos.ru seems to be very active this morning. Block 'em if you can:

5.9.40.136
41.72.150.100
50.116.23.204
66.249.23.64
94.102.14.239
212.180.176.4
213.215.240.24
forumilllionois.ru
foruminanki.ru
forumla.ru
forum-la.ru
forumny.ru
forum-ny.ru
giimiiifo.ru
gilaogbaos.ru
giliaonso.ru
gimiinfinfal.ru
gimilako.ru
gimimniko.ru
giminaaaao.ru
giminalso.ru
giminanvok.ru
giminkfjol.ru
gimiuitalo.ru
guioahgl.ru
guuderia.ru
forumla.ru
gimiiiank.ru
gimiinfinfal.ru
giminaaaao.ru
giminanvok.ru
giminkfjol.ru
guioahgl.ru
giminkfjol.ru
forumla.ru
gimiinfinfal.ru
giminaaaao.ru
giminanvok.ru
giminkfjol.ru
guioahgl.ru

For the record, these are the registrars either hosting the domains or offering support services. It is possible that some have been taken down already.
5.9.40.136 (Hetzner, Germany)
41.72.150.100 (Hetzner, South Africa)
50.116.23.204 (Linode, US)
66.249.23.64 (Endurance International Group, US)
94.102.14.239 (Netinternet, Turkey)
212.180.176.4 (Supermedia, Poland)
213.215.240.24 (COLT, Italy)

Samsung Galaxy S4

Seriously.. when does it stop being a phone? This Galaxy S4 thing has a 5" HD display, a processor with up to eight cores, and it even watches you watching it. Just remember that last point while you are perusing your favourite rubber midget lesbian vore collection.

What I hadn't heard of before is the Samsung HomeSync server which is basically a 1TB appliance you put in your home and store all your stuff on, which you can then access from the GS4 or apparently a wide range of other devices. Just don't lose your smartphone..

Of course, the thing with smartphones is that there's always something better just around the corner. The Google / Motorola Xphone that is rumoured could be a GS4 beater.

Anyway.. in the meantime your old smartphone just got a bit more obsolete..

Thursday, 14 March 2013

Brian Krebs gets SWATted

It looks like Brian Krebs got a visit from a SWAT team today, after having his site DDOSed and served with a fake takedown notice, possibly in retaliation for this article. Nasty.


It reminds me a little of the "suicide note" incident with the operator of abuse.ch a few years back. You know when you have pissed off the bad guys when they arrange for armed police to come calling..

LinkedIn spam / teenlocal.net

This fake LinkedIn spam leads to malware on teenlocal.net:

From: messages-noreply@bounce.linkedin.com [mailto:messages-noreply@bounce.linkedin.com] On Behalf Of LinkedIn
Sent: 14 March 2013 16:32
Subject: Frank and Len have endorsed you!

Congratulations! Your connections Frank Garcia and Len Rosenthal have endorsed you for the following skills and expertise:
   
    Program Management
    Strategic Planning

Continue



You are receiving Endorsements emails. Unsubscribe.

This email was intended for Paul Stevens (Chief Financial Officer, Vice President and General Manager, Aerospace/Defense, Pacific Consolidated Industries). Learn why we included this. 2013, LinkedIn Corporation. 2029 Stierlin Ct. Mountain View, CA 94043, USA
The malicious payload is at [donotclick]teenlocal.net/kill/force-vision.php (report here) hosted on:

24.111.157.113 (Midcontinent Media, US)
58.26.233.175 (Telekom Malaysia, Malaysia)
155.239.247.247 (Centurion Telkom, South Africa)

Blocklist:
24.111.157.113
58.26.233.175
155.239.247.247
buyersusaremote.net
cyberage-poker.net
hotels-guru.net
teenlocal.net
bbb-complaint.org
secureaction120.com
secureaction150.com
iberiti.com
notsk.com
bbb-accredited.net
metalcrew.net
roadix.net
gatovskiedelishki.ru

"Efax Corporate" spam / gimiinfinfal.ru

This eFax-themed spam leads to malware on gimiinfinfal.ru:

Date:      Thu, 14 Mar 2013 07:39:23 +0300
From:      SarahPoncio@mail.com
Subject:      Efax Corporate
Attachments:     Efax_Corporate.htm



Fax Message [Caller-ID: 449555234]

You have received a 44 pages fax at Thu, 14 Mar 2013 07:39:23 +0300, (751)-674-3105.

* The reference number for this fax is [eFAX-263482326].

View attached fax using your Internet Browser.


© 2013 j2 Global Communications, Inc. All rights reserved.
eFax ® is a registered trademark of j2 Global Communications, Inc.

This account is subject to the terms listed in the eFax ® Customer Agreement.
There's an attachment called Efax_Corporate.htm which leads to malware on [donotclick]gimiinfinfal.ru:8080/forum/links/column.php (report here) hosted on:

94.102.14.239 (Netinternet, Turkey)
50.116.23.204 (Linode, US)
213.215.240.24 (COLT, Italy)

Blocklist:
50.116.23.204
94.102.14.239
213.215.240.24
giimiiifo.ru

Wednesday, 13 March 2013

"Copies of policies" spam / giimiiifo.ru

This spam leads to malware on giimiiifo.ru:

Date:      Wed, 13 Mar 2013 06:49:25 +0100
From:      LinkedIn Email Confirmation [emailconfirm@linkedin.com]
Subject:      RE: Alonso - Copies of Policies.

Unfortunately, I cannot obtain electronic copies of the Ocean, Warehouse or EPLI policy.

Here is the Package and Umbrella,

and a copy of the most recent schedule.

Alonso SAMS,

The malicious payload is at [donotclick]giimiiifo.ru:8080/forum/links/column.php hosted on two IPs we saw earlier:

94.102.14.239 (Netinternet , Turkey)
213.215.240.24 (COLT, Italy)
 

"Wapiti Lease Corporation" spam / giminaaaao.ru

A fairly bizarre spam leading to malware on giminaaaao.ru:

From: IESHA WILLEY [mailto:AtticusRambo@tui-infotec.com]
Sent: 13 March 2013 11:22
To: Sara Smith
Subject: Fwd: Wapiti Land Corporation Guiding Principles attached

Hello,

Attached is a draft of the Guiding Principles that the Wapiti Lease Corporation (“W.L.C”) would like to publish. Prior to doing that, WLC would like you to have an opportunity for a preview and to provide any
comments that you would like to make. Please let me know that you have reviewed it and what comments you might have.

Thank you,

IESHA WILLEY
WLC 
This comes with an attachment called WLC-A0064.htm although I have another sample "from" a DEANNE AMOS with an attachment of WLC-A5779.htm. In any case, the attachment tries to direct the victim to a malware landing page at [donotclick]giminaaaao.ru:8080/forum/links/column.php (report here) hosted on:

93.174.138.48 (Cloud Next / Node4, UK)
94.102.14.239 (Netinternet , Turkey)
213.215.240.24 (COLT, Italy)

Blocklist:
93.174.138.48
94.102.14.239
213.215.240.24
giminaaaao.ru
giminkfjol.ru
giminanvok.ru



Zbot sites to block 13/3/13

These domains and IPs seem to be active as Zbot C&C servers. The obsolete .su (Soviet Union) domain is usually a tell-tale sign of.. something.

76.185.101.239
77.74.197.190
89.202.183.27
89.253.234.247
201.236.78.182
218.249.154.140
aesssbacktrack.pl
beveragerefine.su
dinitrolkalor.com
dugsextremesda.su
establishingwi.su
eurasianpolicy.net
euroscientists.at
ewebbcst.info
fireinthesgae.pl
girdiocolocai.com
machinelikeleb.su
mixedstorybase.su
satisfactorily.su
smurfberrieswd.su
sputtersmorele.pl
suggestedlean.com
trashinesscro.com
upkeepfilesyst.su

URLs seen:
[donotclick]beveragerefine.su/hjz/file.php
[donotclick]euroscientists.at/hjz/file.php
[donotclick]machinelikeleb.su/fiv/gfhk.php
[donotclick]mixedstorybase.su/hjz/file.php
[donotclick]satisfactorily.su/hjz/file.php
[donotclick]smurfberrieswd.su/hjz/file.php

And for the record, those IPs belong to:
76.185.101.239 (Road Runner, US)
77.74.197.190 (UK Dedicated Servers, UK)
89.202.183.27 (Interoute / PSI, UK)
89.253.234.247 (Rusonyx, Russia)
201.236.78.182 (Municipalidad De Quillota, Chile)
218.249.154.140 (Beijing Zhongbangyatong Telecom, China)

Tuesday, 12 March 2013

"End of Aug. Stat. Required" spam / giminkfjol.ru

This spam leads to malware on giminkfjol.ru:

From: user@victimdomain.com
Sent: 12 March 2013 04:19
Subject: Re: End of Aug. Stat. Required

Good morning,
as reqeusted I give you inovices issued to you per dec. 2012 ( Internet Explorer file)

Regards

The attachment Invoices-ATX993823.htm attempts to redirect the victim to [donotclick]giminkfjol.ru:8080/forum/links/column.php (report here) hosted on:

5.9.40.136 (Hetzner, Germany)
94.102.14.239 (Netinternet, Turkey)
213.215.240.24 (COLT, Italy)

Blocklist:
5.9.40.136
94.102.14.239
213.215.240.24
giminkfjol.ru

Monday, 11 March 2013

Wire Transfer spam / giminanvok.ru

Another wire transfer spam, this time leading to malware on giminanvok.ru:

Date:      Mon, 11 Mar 2013 02:46:19 -0300 [01:46:19 EDT]
From:      LinkedIn Connections [connections@linkedin.com]
Subject:      Fwd: Wire Transfer (5600LJ65)

Dear Bank Account Operator,


WIRE TRANSFER: FED694760330367340
CURRENT STATUS: PENDING

Please REVIEW YOUR TRANSACTION as soon as possible.
The malicious payload is at [donotclick]giminanvok.ru:8080/forum/links/column.php (report pending) hosted on the same IPs used earlier today:
5.9.40.136 (Hetzner, Germany)
66.249.23.64 (Endurance International Group, US)
94.102.14.239 (Netinternet, Turkey)

 I strongly recommend that you block access to these IPs if you can.


Wire Transfer spam / gimikalno.ru

This fake wire transfer spam leads to malware on gimikalno.ru:

Date:      Mon, 11 Mar 2013 04:00:22 +0000 [00:00:22 EDT]
From:      Xanga [noreply@xanga.com]
Subject:      Re: Fwd: Wire Transfer Confirmation (FED REFERENCE 16442CU385)

Dear Bank Account Operator,
WIRE TRANSFER: FED62403611378975648
CURRENT STATUS: PENDING

Please REVIEW YOUR TRANSACTION as soon as possible.

The malicious payload is at [donotclick]gimikalno.ru:8080/forum/links/column.php (report here) hosted on:

5.9.40.136 (Hetzner, Germany)
66.249.23.64 (Endurance International Group, US)
94.102.14.239 (Netinternet, Turkey)

Blocklist:
5.9.40.136
66.249.23.64
94.102.14.239
212.180.176.4
117.104.150.170
41.72.150.100
gimikalno.ru
guuderia.ru
forum-la.ru
forumla.ru
gimalayad.ru
gosbfosod.ru
ginagion.ru
giliaonso.ru
forumilllionois.ru
forum-ny.ru
forumny.ru
forumkianko.ru

Sidharth Shah / OVH / itechline.com

I have now come across several incidents of malware hosted in an OVH IP address range suballocated to Sidharth Shah. The blocks that I can identify so far are:

5.135.20.0/27
5.135.27.128/27
5.135.204.0/27
5.135.218.32/27
5.135.223.96/27
37.59.93.128/27
37.59.214.0/28
46.105.183.48/28
91.121.228.176/28
94.23.106.224/28
176.31.106.96/27
176.31.140.64/28
178.32.186.0/27
178.32.199.24/29
188.165.180.224/27

These IPs are mostly malware or fake goods. Legitimate sites seem to be nonexistant, although these IP ranges have hosted legitimate sites in the past. I would personally recommend blocking them all, but if you want to see a fuller analysis of WOT ratings and Google Safe Browsing diagnostics see here.

So, what do we know about Mr Shah? Well, the IPs have the following contact details:

organisation:   ORG-SS252-RIPE
org-name:       Shah Sidharth
org-type:       OTHER
address:        12218 Skylark Rd
address:        20871 Clarksburg
address:        US
abuse-mailbox:  ovhresell@gmail.com
phone:          +1.5407378283
mnt-ref:        OVH-MNT
mnt-by:         OVH-MNT
source:         RIPE # Filtered


This is presumably the same Mr Shah who owns sidharthshah.com:
   Technical Contact:
      Shah, Sidharth  sidharth134@gmail.com
      12128 Skylark Rd
      Clarksburg, Maryland 20871
      United States
      (240) 535-2204


These contact details are 

The email address sidharth134@gmail.com is also associated with itechline.com which is a company with an unenviable F rating from the BBB, who list the principal as being Sidharth Shah.

BBB rating is based on 16 factors.
Factors that lowered the rating for ITechline.com include:

    Length of time business has been operating
    8 complaints filed against business
    Failure to respond to 7 complaints filed against business

ITechline.com has garnered some very negative consumer reviews [1] [2] [3] [4] . It appears to advertise on search engines for phrases like mcafee support and then charges to look at the computer, with "fixes" that some have reported to be of variable quality. You should make your own mind up as to the veracity of these negative claims.

Whether or no the OVH IP addresses are managed by Mr Shah directly or theourh ITechline is not known. Looking at the malicious domains, I cannot find a direct connection to Mr Shah other than the fact that they are a customer. However, I would not expect a well-managed network to have so many malicious domains and other spammy sites, I would recommend blocking access to all the listed IPs if you can.


Something evil on 176.31.140.64/28

176.31.140.64/28 is an OVH block suballocated to Sidharth Shah (mentioned in this earlier post). It contains a a small number of malicious domains flagged by Google (in red), most of the rest of the sites have a very poor WOT rating (in yellow). I'll post more details later. You can safely assume that everything in this block is malicious, and I note that some of the domains are refugees from this malware site.

Malware is hosted on 176.31.140.64, 176.31.140.65, 176.31.140.66 and 176.31.140.67. There appear to be no legitimate sites in this block.

a50055.info
a6066.info
a70077.info
a80088.info
add5005.info
any303.info
apple2001.info
apple2002.info
apple2003.info
apt707.info
art808.info
article404.info
admin645.info
adscard.net
adscoast.com
adscoast.net
adsknoll.com
adsknoll.net
adsmonsterslda.me
adsmonsterslda.net
adspolis.net
adsregarding.com
adsregarding.net
adsset.net
adsspark.com
adsspark.net
adstimes.net
adstown.net
adsvoice.net
akon342.info
alfa763.info
allknowingredscale.org
apolonq3.info
belligerentperformance.biz
booksdesk.org
bymailunstandard.org
cameraandspidermans.org
compatiblesohoos.biz
compellingseven.org
convertingsupply.org

deactivatelens.org
deletionaffordably.org
dlnabeta.org
draggingdownbreakdown.biz
enjoycapacious.org
entertainingsubpoenaed.org
fantasyactv.org
flipsendnow.org
graphicaluseby.org

hardwareturkish.org
ifdependable.org
ignoreorion.biz

imapnearing.org
indeliblefeaturewise.org
inexplicablysitespring.biz

initiatingslatenot.org
innovationfifth.org
inquiryunintuitively.org
interviewsmartcolumns.org

ipartitiontroublesome.org
irresponsibledefrag.biz
jeffalwaysrunning.org

languageinads.com
languageinads.net
leaveinteracted.biz
lowriskremembers.org
machinemargins.biz
madeenergy.biz
materialhencefullfeatured.org
minilabsdetailed.org
modesorganizecontentbased.org
multipledocumentthe.org
museumsinterest.org
nettalksdlsr.biz
nontechnicalcrossdisciplinary.org
notracessurfers.org
offensivesimple.biz

onyxlost.biz
operatingshorter.biz
overloadhell.org
playlistshears.biz
pointandshootfortunately.org
pushedcddb.org
recipesmailings.org

reconfigureboundaries.org
redorewards.biz
remarkablyracer.biz
retrievingevidently.biz
rummaginglistenandrepeats.org
seldomsnailmail.org
selfhealingduo.org
skimmingmanys.org
slideshareempower.org
sorryenters.biz
stretchedtool.org

superdatscalable.biz
taxactsfacebook.org
tonegrapple.biz
tonguesweetening.biz
transformingprofessional.org
transparencymonitoring.org
upsellmediathe.org
usingthisxploreing.org

visualbeesdaemon.org
vpmediastudios.org
westsidespiderman.biz
whocompatible.biz
wpcbots.org
zipsstorms.org

aapp202.info
accon101.info
after121.info
agg7574.info
all9009.info
amigosunspot.biz
bureaubasic.biz
checkinsbr.org
curateeyeballs.biz
efficacycull.biz
inappmovies.biz
menudrivenexternal.biz
moveoutgunned.biz

multitrackonew.net
palmnetstories.biz
predictkillersounding.biz

prohibitingbod.info
redirectionvx.org
selfdefensealphabetical.biz
syncopationhaving.biz

trimmingshyamalan.biz
versustempo.info
altirismotodv.net
bullzipskewing.biz
distortionexperts.net
inteloutdone.biz
opinedvdrw.net
peachtreesauto.net
snowfallsought.net

Something evil on 37.59.214.0/28

37.59.214.0/28 is an OVH IP range suballocated to a person called Sidharth Shah in Maryland (more of whom later). At the moment it is hosting a number of malware sites with a hard-to-determine payload such as [donotclick]55voolith.info:89/forum/had.php which is evading automated analysis.

The owner of this block is as follows:
organisation:   ORG-SS252-RIPE
org-name:       Shah Sidharth
org-type:       OTHER
address:        12218 Skylark Rd
address:        20871 Clarksburg
address:        US
abuse-mailbox:  ovhresell@gmail.com
phone:          +1.5407378283
mnt-ref:        OVH-MNT
mnt-by:         OVH-MNT
source:         RIPE # Filtered


Malware is hosted on 37.59.214.0, 37.59.214.1 and 37.59.214.0. There do not appears to be any legitimate sites in this range. Google has already flagged some of these as malicious (marked in red), so you can safely assume that they are all malicious:

1dabify.info
1linktube.info
1myloo.info
1trilium.info
2drill.info
2mars.info
2scrool.info
2skills.info
2walls.info
abubblespot.info
achatterjam.info
athoughtpedia.info
atwitterdrive.info
ayakilith.info
alivexs.info
arealster.info
arealtune.info
atopjam.info
ayombu.info
bbrightbridge.info
bdabdog.info
bfatri.info
bmyva.info
11chattervine.info
11fandu.info
11ncat.info
11tanix.info
22chatset.info
22cogizio.info
22jalium.info
22jaxworks.info
22ooyo.info
22thoughtspace.info
33demilium.info
33digipad.info
33skire.info
3digiset.info
3edgeblab.info
3linkshots.info
3livelounge.info
3meenix.info
3viva.info
5ailium.info
5flashster.info
5gabwire.info
5lalium.info
5skyzu.info
7demiboo.info
7gedeo.info
7jumpbean.info
7jumplist.info
7zambu.info
8abagen.info
8bubbledog.info
8cogitz.info
8plamba.info
8tajo.info
8twitterbox.info

Friday, 8 March 2013

RU:8080 and Amerika spam runs

For about the past year I have seen two very persistent spam runs leading to malware, typically themed along the lines of fake emails from the BBB, LinkedIn, NACHA, USPS and ADP.

The most obvious characteristic of one of the spam runs in the use of a malware landing page containing .ru:8080, registered through NAUNET to the infamous "private person". In order to aid researchers, I have labelled this series as RU:8080. You can see some current nastiness in action at Malware Must Die.

But there's a second spam run as well, which appears to be similarly themed but using different servers. In this case, the domains registered are typically .net, .org and .com emails (with .pro and .biz used from time-to-time). These domains are registered with fake names and addresses purporting to be in the US, but indicators show that this spam may well originate from within Russia.

I've labelled this series as Amerika (yes, there was a TV show of the same name) because frankly the domains are about as American as apple pie sharlotka. The Amerika spam run is a little harder to identify, so there may be some errors in it.

I don't have any deep insight into either spam run or the payloads they deliver, but if you are interested in looking more deeply at the patterns then hopefully this will be of some use!

AT&T spam (again)

This fake AT&T spam leads to malware on.. well, in this case nothing at all.

Date:      Fri, 8 Mar 2013 10:37:24 -0500 [10:37:24 EST]
From:      AT&T Customer Care [icare7@amcustomercare.att-mail.com]
Subject:      Your AT&T wireless bill is ready to view


att.com | Support | My AT&T Account     Rethink Possible
Your wireless bill is ready to view
Dear Customer,

Your monthly wireless bill for your account is now available online.

Total Balance Due: $1695.64

Log in to myAT&T to view your bill and make a payment. Or register now to manage your account online. By dialing *PAY (*729) from your wireless phone, you can check your balance or make a payment - it's free.

Smartphone users: download the free app to manage your account anywhere, anytime.


Thank you,
AT&T Online Services
att.com


Contact Us
AT&T Support - quick & easy support is available 24/7.

Find us on Facebook   Talk to us on twitter   AT&T Community    
Get Peace of Mind

Set up secure AutoPay from your checking account.

Learn more
Go Paperless

Save time, money and the environment.

Learn more
Online Deals!

Shop the Best Deals in your area for Phone, TV, Internet and Wireless.

Learn more
Device Tutorials
Information specific about your phone     Smart Controls
Block calls, set mobile purchase limits, manage usage, and more     Payment Arrangements
Explore your options for arranging a payment plan
PLEASE DO NOT REPLY TO THIS MESSAGE    
©2013 AT&T Intellectual Property. All rights reserved. AT&T, the AT&T logo and all other AT&T marks contained herein are trademarks of AT&T Intellectual Property and/or AT&T affiliated companies. Subsidiaries and affiliates of AT&T Inc. provide products and services under the AT&T brand.
Privacy Policy


In this case the link goes to a redirector page at [donotclick]vtcrm.update.se/eben/index.html hosted 62.109.34.50 in Sweden. It looks like someone has speedily removed the redirector page so I can't tell you much about the malicious landing page. Kudos to Ilait AB or whoever fixed the problem!

LinkedIn spam / giminalso.ru

This fake LinkedIn spam leads to malware on giminalso.ru:

From: messages-noreply@bounce.linkedin.com [mailto:messages-noreply@bounce.linkedin.com] On Behalf Of LinkedIn Password
Sent: 08 March 2013 10:24
Subject: Aylin is now part of your network. Keep connecting...

     [redacted], Congratulations!
You and Aylin are now connected.

    Aylin Welsh

--
Tajikistan    

2012, LinkedIn Corporation
The malicious payload is at [donotclick]giminalso.ru:8080/forum/links/column.php (report here) hosted on the same IPs as in this other attack today:

41.72.150.100 (Hetzner, South Africa)
89.107.184.167 (WebhostOne, Germany)
212.180.176.4 (Supermedia, Poland)


"Your tax return appeal is declined" / gimilako.ru

This following fake IRS spam leads to malware on gimilako.ru:

From: Myspace [mailto:noreply@message.myspace.com]
Sent: 07 March 2013 20:55
Subject: Your tax return appeal is declined.

Dear Chief Account Officer,
Hereby you are notified that your Income Tax Refund Appeal id#9518045 has been REJECTED. If you believe the IRS did not properly estimate your case due to a misunderstanding of the facts, be prepared to provide additional information. You can obtain the rejection details and re-submit your appeal by using the instructions in the attachment.

Internal Revenue Service


Telephone Assistance for Businesses:
Toll-Free, 1-800-829-4933
Hours of Operation: Monday Friday, 7:00 a.m. 7:00 p.m. your local time (Alaska & Hawaii follow Pacific Time). 
The malicious payload is at [donotclick]gimilako.ru:8080/forum/links/column.php (reported here) hosted on:
41.72.150.100 (Hetzner, South Africa)
89.107.184.167 (WebhostOne, Germany)
212.180.176.4 (Supermedia, Poland)

Blocklist:
41.72.150.100
89.107.184.167
212.180.176.4
gimilako.ru
forum-la.ru
forumla.ru
gimalayad.ru
ginagion.ru
giliaonso.ru
forum-ny.ru
forumny.ru
gosbfosod.ru

Adobe CS4 spam / guuderia.ru

This fake Adobe spam leads to malware on guuderia.ru:

From: messages-noreply@bounce.linkedin.com [mailto:messages-noreply@bounce.linkedin.com] On Behalf Of Donnie Cherry via LinkedIn
Sent: 07 March 2013 12:39
Subject: Order N40898

Good afternoon,

You can download your Adobe CS4 License here -

We encourage you to explore its new and enhanced capabilities with these helpful tips, tutorials, and eSeminars.
Thank you for buying Adobe InDesign CS4 software.


Adobe Systems Incorporated
The malicious payload is at [donotclick]guuderia.ru:8080/forum/links/column.php (report here) hosted on:

41.72.150.100 (Hetzner, South Africa)
212.180.176.4 (Supermedia, Poland)

Blocklist:
41.72.150.100
212.180.176.4
forum-la.ru
forumla.ru
gimalayad.ru
ginagion.ru
giliaonso.ru
forum-ny.ru
forumny.ru
guuderia.ru
gosbfosod.ru

Thursday, 7 March 2013

Malware sites to block 7/3/13

Some Cridex-based nastiness here. These are the malicious domains that I can find on the IPs mentioned, alternatively you can just block:

173.246.102.2 (Gandi, US)
173.255.215.242 (Linode, US)
64.13.172.42 (Silicon Valley Colocation, US)

Blocklist:
173.246.102.2
173.255.215.242
64.13.172.42
17.247nycr.com
17.optimax-fuel-saver.us
17.grantmassie.org
17.seniorgazette.org
17.scottbarr.org
17.kingdom-mystery.org
17.landvirginia.com
17.schnoescpa.com
17.rbasa.com
17.thinkgreensa.com
17.hogwashiniowa.com
17.ledbymmhd.com
17.ultimateserviceexperience.com
17.yourbrokerforlife.com
17.grantmassie.com
17.lascrittore.com
17.bearfoothouse.com
17.setapartcreative.com
17.sanantoniosiding.com
17.webezmarketing.com
17.iowahogwash.com
17.avbapi.com
17.sanantoniohardiplank.com
17.apielectrical.com
17.lwrbeerfestival.com
17.kathybissell.com
17.cpadahm.com
17.doorssanantoniocom.com
17.deborahramanathan.com
17.drdeborahramanathan.com
17.foodypon.com
17.renewalanderson.com
17.rbasanantonio.com
17.renewalsanantonio.com
17.thetelecomgroup.com
17.247nycr.com
17.mmholidaydecor.com
17.quakertownfamilydoctor.com
17.dmmbs.com
17.dmmmbs.com
17.kbgolfcoursesales.com
17.seniorgolfrankings.com
17.redtreebookings.com
17.southwest-referrals.com
17.texcoteproblems.com
17.taberydesigns.com
17.moffdomains.com
17.thebusiness-solutions.com
17.dchealthcaresolutions.com
17.deadbeatcustomers.com
17.docholidaybanners.com
17.worldclassexteriors.com
17.southwestexteriors.com
17.productpurveyors.com
17.valuationwidgets.com
17.profitzplus.com
17.culliganwaternet.com
17.soonerflight.com
17.bradentons-finest.com
17.opti-max.com
17.meccandivinity.com
17.247nycrealty.com
17.foodypon.info
17.brightdirection.us
17.optimaxmagnetics.us
17.optimax.us
17.ir-c.net
17.grantmassie.net
17.americanseniorgazette.net
17.sanantoniosiding.net
17.sanantoniodoors.net
17.sanantoniowindows.net
17.culliganwaternet.net
17.bestbysouthwest.net
17.brightdirection.biz
20.anythinginternational.biz
20.anythinginternational.com
20.chelsiamd.com
kfz-youngtimerservice.de
mtmedia.net
cinemacityhu.iq.pl


BBB Spam / alteshotel.net and bbb-accredited.net

This fake BBB spam leads to malware onalteshotel.net and bbb-accredited.net:


Date:      Thu, 7 Mar 2013 06:23:12 -0700
From:      "Better Business Bureau Warnings" [hurriese3@bbb.com]
Subject:      BBB details regarding your claim No.

Sorry, your e-mail does not support HTML format. Your messages can be viewed in your browser
Better Business Bureau ©
Start With Trust ©

Thu, 6 March 2013

Your Accreditation Suspended

[redacted]

The Better Business Bureau has been temporary Aborted Your Accreditation
A number of latest complains on you / your company motivated us to temporal Abort your accreditation with Better Business Beaureau. The details of the our decision are available for review at a link below. Please pay attention to this issue and inform us about your glance as soon as possible.

We graciously ask you to overview the TERMINATION REPORT to meet on this claim

We awaits to your prompt rebound.

If you think you got this email by mistake - please forward this message to your principal or accountant

Yours respectfully
Hunter Ross
Dispute Advisor
Better Business Bureau

Better Business Bureau
3053 Wilson Blvd, Suite 600 Arlington, VA 25501
Phone: 1 (703) 276.0100 Fax: 1 (703) 525.8277

This information was sent to [redacted]. Don't want to receive these emails anymore? You can unsubscribe

=========================


Date:      Thu, 7 Mar 2013 21:19:18 +0800
From:      "Better Business Bureau Warnings" [prettifyingde7@transfers.americanpayroll.org]
Subject:      BBB details about your pretense No.

Sorry, your e-mail does not support HTML format. Your messages can be viewed in your browser
Better Business Bureau ©
Start With Trust ©

Thu, 6 March 2013

Your Accreditation Suspended

[redacted]

The Better Business Bureau has been temporary Aborted Your Accreditation
A number of latest complains on you / your company motivated us to transient Cancell your accreditation with Better Business Beaureau. The details of the our decision are available visiting a link below. Please pay attention to this question and notify us about your belief as soon as possible.

We graciously ask you to visit the ABUSE REPORT to answer on this appeal

We awaits to your prompt answer.

If you think you got this email by mistake - please forward this message to your principal or accountant

Faithfully yours
Benjamin Cox
Dispute Councilor
Better Business Bureau

Better Business Bureau
3053 Wilson Blvd, Suite 600 Arlington, VA 24401
Phone: 1 (703) 276.0100 Fax: 1 (703) 525.8277

This letter was sent to [redacted]. Don't want to receive these emails anymore? You can unsubscribe



One potentially malicious payload is at [donotclick]alteshotel.net/detects/review_complain.php (looks like it might be broken - report here) hosted on:

69.43.161.176 (Parked at Castle Access Inc, US)

The other is at [donotclick]bbb-accredited.net/kill/enjoy-laws-partially-unwanted.php (definitely malicious - report here) hosted on:

64.207.236.198 (EasyTEL, US)
142.11.195.204 (Hostwinds LLC, US)
149.154.68.214 (TheFirst.RU, Russia)

These other domains can be seen on those IPs:
secureaction120.com
secureaction150.com
iberiti.com
notsk.com
metalcrew.net
roadix.net
gatovskiedelishki.ru
conbicormiks.ru

Recommended blocklist:
64.207.236.198
142.11.195.204
149.154.68.214
secureaction120.com
secureaction150.com
iberiti.com
notsk.com
metalcrew.net
roadix.net
gatovskiedelishki.ru
conbicormiks.ru
alteshotel.net
bbb-accredited.net

Wednesday, 6 March 2013

Pizza spam / gimalayad.ru


Cheese Lover's Pizza with no cheese?! Chicken pizza with three lots of extra ham?? This spam actually leads to malware on gimalayad.ru:

Date:      Wed, 6 Mar 2013 12:22:04 +0330
From:      Tagged [Tagged@taggedmail.com]
Subject:      Fwd: Order confirmation

You??™ve just ordered pizza from our site

Pizza Ultimate Cheese Lover's with extras:
- Bacon Pieces
- Ham
- Bacon Pieces
- Jalapenos
- Black Olives
- No Cheese
- Easy On Sauce
Pizza Chicken Supreme with extras:
- Ham
- Ham
- Ham
- Jalapenos
- Green Peppers
- Diced Tomatoes
- Extra Cheese
- Extra Sauce
Pizza Hawaiian Luau with extras:
- Ham
- Green Peppers
- Jalapenos
- Pineapple
- Extra Cheese
- No Sauce
Pizza Pepperoni Lover's with extras:
- Beef
- Ham
- Green Peppers
- Onions
- Green Peppers
- Extra Cheese
- Easy On Sauce
Pizza Spicy Sicilian with extras:
- Chicken
- Ham
- Bacon Pieces
- Pineapple
- Easy On Cheese
- Easy On Sauce
Drinks
- Grolsch x 6
- 7up x 3
- Budweiser x 4
- Carling x 2
Total Charge:    232.33$



If you haven??™t made the order and it??™s a fraud case, please follow the link and cancel the order.
CANCEL ORDER NOW!

If you don??™t do that shortly, the order will be confirmed and delivered to you.


With respect to you
ALBERTO`s Pizzeria

================================


Date:      Wed, 6 Mar 2013 09:16:56 +0100
From:      "Xanga" [noreply@xanga.com]
Subject:      Re: Fwd: Order confirmation

You??™ve just ordered pizza from our site

Pizza Ultimate Cheese Lover's with extras:
- Beef
- Pepperoni
- Diced Tomatoes
- Easy On Cheese
- Extra Sauce
Pizza Italian Trio with extras:
- Beef
- Black Olives
- Black Olives
- Onions
- Extra Cheese
- Extra Sauce
Pizza Triple Meat Italiano with extras:
- Bacon Pieces
- Ham
- Onions
- Green Peppers
- Diced Tomatoes
- Extra Cheese
- Extra Sauce
Drinks
- Simply Orange x 4
- Fanta x 2
- 7up x 2
- Heineken x 2
- Lift x 5
- Pepsi x 4
- Budweiser x 4
Total Charge:    242.67$



If you haven??™t made the order and it??™s a fraud case, please follow the link and cancel the order.
CANCEL ORDER NOW!

If you don??™t do that shortly, the order will be confirmed and delivered to you.


With Respect
PIERO`s Pizzeria

The malicious payload is at [donotclick]gimalayad.ru:8080/forum/links/column.php (report here) hosted on the same IPs used in this attack:


41.72.150.100 (Hetzner, South Africa)
117.104.150.170 (NTT, Japan)
212.180.176.4 (Supermedia, Poland)

Blocklist:
41.72.150.100
117.104.150.170
212.180.176.4
forum-la.ru
gosbfosod.ru
giliaonso.ru
forum-ny.ru
ginagion.ru
gimalayad.ru

BT Business Direct Order Spam / ginagion.ru

This fake BT spam leads to malware on ginagion.ru:

From: Bebo Service [mailto:service=noreply.bebo.com@bebo.com] On Behalf Of Bebo Service
Sent: 05 March 2013 21:22
Subject: BT Business Direct Order


Notice of delivery

Hi,

We're pleased to confirm that we have now accepted and despatched your order on Wed, 6 Mar 2013 03:21:30 +0600.

Unless you chose a next day or other premium delivery service option, then in most cases your order will arrive within 1-3 days. If we despatched your order via Letterpost, it may take a little longer.

***Please note that your order may have shipped in separate boxes and this means that separate consignment numbers may be applicable***

We've despatched...

..using the attached shipment details...
Courier     Ref     Carriage method
Royal Mail     FM320725534     1-3 Days

Please note that you will only be able to use this tracking reference once the courier has scanned the parcel into their depot. Please allow 24 hours from the date of this email before tracking your parcel online.

For information on how track your delivery, please follow to attached file.

Important information for Yodel deliveries:

If your consignment number starts with 3S3996956 your delivery will require a signature. If there is no-one at the delivery address to sign for the goods a card will be left containing the contact details of the courier so that you can re-arrange delivery or arrange a collection.
The malicious payload is at [donotclick]ginagion.ru:8080/forum/links/column.php (report here) hosted on:
41.72.150.100 (Hetzner, South Africa)
117.104.150.170 (NTT, Japan)
212.180.176.4 (Supermedia, Poland)

Blocklist:
41.72.150.100
117.104.150.170
212.180.176.4
gosbfosod.ru
giliaonso.ru
forum-ny.ru
ginagion.ru


Tuesday, 5 March 2013

Sendspace spam / forumkianko.ru

This fake Sendspace spam leads to malware on forumkianko.ru:

Date:      Tue, 5 Mar 2013 06:52:10 +0100
From:      AyanaLinney@[redacted]
Subject:      You have been sent a file (Filename: [redacted]-51153.pdf)

Sendspace File Delivery Notification:

You've got a file called [redacted]-01271.pdf, (797.4 KB) waiting to be downloaded at sendspace.(It was sent by DEON VANG).

You can use the following link to retrieve your file:

Download Link

The file may be available for a limited time only.

Thank you,

sendspace - The best free file sharing service.

----------------------------------------------------------------------
Please do not reply to this email. This auto-mailbox is not monitored and you will not receive a response.

The malicious payload is at [donotclick]forumkianko.ru:8080/forum/links/column.php (report here) hosted on:
 
46.4.77.145 (Hetzner, Germany)
198.104.62.49 (NTT America, US)
210.71.250.131 (Chungwa Telecom, Taiwan)

These IPs are the same as used in this attack.

"Scan from a Hewlett-Packard ScanJet" spam / giliaonso.ru

This fake HP printer spam leads to malware on giliaonso.ru:

Date:      Tue, 5 Mar 2013 12:53:40 +0500
From:      "Classmates . com" [classmatesemail@accounts.classmates.com]
Subject:      Fwd: Re: Scan from a Hewlett-Packard ScanJet #161051
Attachments:     HP_Scan.htm

Attached document was scanned and sent

to you using a HP A-16292P.

SENT BY : Landon
PAGES : 6
FILETYPE: .HTML [INTERNET EXPLORER/MOZILLA FIREFOX]
The attachment leads to malware on [donotclick]giliaonso.ru:8080/forum/links/column.php (report here) hosted on the following IPs:

46.4.77.145 (Hetzner, Germany)
198.104.62.49 (NTT America, US)
210.71.250.131 (Chungwa Telecom, Taiwan)

Blocklist:
46.4.77.145
198.104.62.49
210.71.250.131
forum-la.ru
forumla.ru
forumilllionois.ru
forumny.ru
forum-la.ru
forumla.ru
foruminanki.ru
ny-news-forum.ru
forumilllionois.ru
forum-ny.ru
forumny.ru
giliaonso.ru



Something evil on 5.9.196.3 and 5.9.196.6

Two IPs in the 5.9.196.0/28 block that you probably want to avoid are 5.9.196.3 and 5.9.196.6. The first of these IPs is being used in an injection attack (in this case via [donotclick]frasselt-kalorama.nl/relay.php) leading to two identified malware landing pages:

[donotclick]kisielius.surfwing.me/world/explode_conscious-scandal.jar (report here)
[donotclick]alkalichlorideasenteeseen.oyunhan.net/world/romance-apparatus_clinical_repay.php (report here)

Domains visible on 5.9.196.3 include:
alkalichlorideasenteeseen.oyunhan.net
kisielius.surfwing.me
dificilmentekvelijitten.surfwing.me
kisielius.surfwing.me
befool-immatriculation.nanovit.me
locoburgemeester.toys2bsold.com
ratiocination-wselig.smithsisters.us

A few IPs along is 5.9.196.6 which hosts the following domain that also looks highly suspect:
inspegrafstatkakukano.creatinaweb.com

Blocking these domains completely is probably a good idea:
oyunhan.net
surfwing.me
nanovit.me
toys2bsold.com
smithsisters.us
creatinaweb.com

5.9.196.0/28 is a Hetzner IP allocated to:

inetnum:        5.9.196.0 - 5.9.196.15
netname:        PQCSERVICE-LLC
descr:          pqcservice llc
country:        DE
admin-c:        VS4214-RIPE
tech-c:         VS4214-RIPE
status:         ASSIGNED PA
mnt-by:         HOS-GUN
source:         RIPE # Filtered

person:         Vadim Sheyin
address:        pqcservice llc
address:        Universitetskaya 2a
address:        61091 Kharkov
address:        UKRAINE
phone:          +380506268399
nic-hdl:        VS4214-RIPE
mnt-by:         HOS-GUN
source:         RIPE # Filtered


I haven't seen anything of value in this /28, blocking it may be prudent.

Monday, 4 March 2013

"British Airways E-ticket receipts" spam / forum-la.ru

This fake British Airways spam leads to malware on forum-la.ru:

From:     LiveJournal.com [do-not-reply@livejournal.com]
Date:     4 March 2013 12:17
Subject:     British Airways E-ticket receipts

e-ticket receipt
Booking reference: 9AZ3049885
Dear,

Thank you for booking with British Airways.

Ticket Type: e-ticket
This is your e-ticket receipt. Your ticket is held in our systems, you will not receive a paper ticket for your booking.

Your itinerary is attached (Internet Exlplorer/Mozilla Firefox file)


Yours sincerely,

British Airways Customer Services

British Airways may monitor email traffic data and also the content of emails, where permitted by law, for the purposes of security and staff training and in order to prevent or detect unauthorised use of the British Airways email system.

British Airways Plc is a public limited company registered in England and Wales. Registered number: 79805156. Registered office: Waterside, PO Box 365, Harmondsworth, West Drayton, Middlesex, England, UB7 0GB.

How to contact us
Although we are unable to respond to individual replies to this email we have a comprehensive section that may help you if you have a question about your booking or travelling with British Airways.


If you require further assistance you may contact us

If you have received this email in error
This is a confidential email intended only for the British Airways Customer appearing as the addressee. If you are not the intended recipient please delete this email and inform the snder as soon as possible. Please note that any copying, distribution or other action taken or omitted to be taken in reliance upon it is prohibited and may be unlawful.

The email has an attachment named E-Ticket-N93892PK.htm which attempts to direct the victim to a malware page at [donotclick]forum-la.ru:8080/forum/links/column.php (report here) hosted on:
198.104.62.49 (NTT America, US)
210.71.250.131 (Chungwa Telecom, Taiwan)


Blocklist:
198.104.62.49
210.71.250.131
forumla.ru
forumny.ru
forum-la.ru
foruminanki.ru
ny-news-forum.ru
forumilllionois.ru
forum-ny.ru


dealerbid.co.uk spam

This spam uses an email address ONLY used to sign up for dealerbid.co.uk

From:     HM Revenue & Customs [enroll@hmrc.gov.uk]
Date:     4 March 2013 13:37
Subject:     HMRC Tax Refund ID: 3976244

Dear Taxpayer,

After the last annual calculations of your fiscal activity we have discovered that you are eligible to receive a tax refund of 377.50 GBP. Kindly complete the tax refund request and allow 2-3 working days to process it.

 A refund can be delayed for a variety of reasons. For example submitting invalid records or applying after the deadline. Please click on the attached file in order to access the form for your tax refund.

 Currently we are only able to process tax refunds through "LloydsTSB". Alternatively, you can wait for the next few weeks to apply for a full refund through additional financial institutions(Banks).

Kind regards,

 Paul McWeeney
 Head of Consumer Sales and Service

The email got horribly mangled on the way and luckily whatever payload came with it is buggered. Of interest though, the email originates from 78.136.27.79 which is home to the following websites:

everybodyonline.co.uk
uk-car-discount.co.uk

The email address has been stolen from one UK motoring related site, and the spam sent through the hacked server of another UK motoring site. That's a peculiar coincidence, although I do not believe that those site operators are responsible for this spam run.

It looks like I am not the only person to notice this same problem..

UPDATE 1: dealerbid.co.uk are investigating this issue.
UPDATE 2: it happened again.
UPDATE 3: there's no evidence of malware on 78.136.27.79, everybodyonline.co.uk or uk-car-discount.co.uk as far as I can see. I guess it may have been an open relay. If you are blacklisting these for malware that I suggest you un-blacklist them. (2013-09-25)

eFax spam / forumla.ru

This fake eFax spam leads to malware on forumla.ru:
Date:      Mon, 4 Mar 2013 08:53:20 +0300
From:      LinkedIn [welcome@linkedin.com]
Subject:      Efax Corporate
Attachments:     Efax_Corporate.htm



Fax Message [Caller-ID: 646370000]

You have received a 57 pages fax at Mon, 4 Mar 2013 08:53:20 +0300, (213)-406-0113.

* The reference number for this fax is [eFAX-336705661].

View attached fax using your Internet Browser.


© 2013 j2 Global Communications, Inc. All rights reserved.
eFax ® is a registered trademark of j2 Global Communications, Inc.

This account is subject to the terms listed in the eFax ® Customer Agreement.
The malicious payload is at [donotclick]forumla.ru:8080/forum/links/column.php (report here) hosted on 210.71.250.131 (Chungwa Telecom, Taiwan). These other sites are also visible on the same IP:
foruminanki.ru
ny-news-forum.ru
forumilllionois.ru
forum-ny.ru
forumny.ru
forumla.ru

Delta Airlines spam / inanimateweaknesses.net and complainpaywall.net

This fake Delta Airlines spam leads to malware on inanimateweaknesses.net and complainpaywall.net:

From: DELTA CONFIRMATION [mailto:cggQozvOc@sutaffu.co.jp]
Sent: 04 March 2013 14:27
Subject: Your Receipt and Itinerary

Thank you for choosing Delta. We encourage you to review this information before your trip.
If you need to contact Delta or check on your flight information, go to delta.com/itineraries

Now, managing your travel plans just got easier. You can exchange, reissue and refund electronic tickets at delta.com/itineraries.

Take control and make changes to your itineraries at delta.com/itineraries.

Speed through the airport. Check-in online for your flight.

Check-in

Flight Information
DELTA CONFIRMATION #: D0514B3
TICKET #: 00920195845933
Bkng Meals/ Seat/
Day Date Flight Status Class City Time Other Cabin
--- ----- --------------- ------ ----- ---------------- ------ ------ -------
Mon 11MAR DELTA 372 OK H LV NYC-KENNEDY 820P F 19C
AR SAN FRANCISCO 8211P COACH

Fri 15MAR DELTA 1721 OK H LV LOS ANGELES 1145P V 29A
AR NYC-KENNEDY 812A# COACH

Check your flight information online at delta.com/itineraries
The email contains several links to different hacked sites, which then forward to [donotclick]inanimateweaknesses.net/closest/c93jfi2jf92ifj39ugh2jfo3g.php (report  here) or [donotclick]complainpaywall.net/closest/c93jfi2jf92ifj39ugh2jfo3g.php (report here) both of which are hosted on 188.93.211.156 (Logol.ru, Russia). In my opinion 188.93.210.0/23 is a bit of a sewer and should be blocked if you can, as there are probably many other malicious sites nearby.


Of note is that the links in the email only seem to work with a correct referrer and user agent. If those are not set, then you will not end up at the malware page.


Friday, 1 March 2013

Casino-themed Blackhole sites

Here's a a couple of URLs that looks suspicious like a BlackHole Exploit kit, hosted on 130.185.105.74:

[donotclick]888casino-luckystar.net/discussing/sizes_agreed.php
[donotclick]555slotsportal.org/discussing/alternative_distance.php
[donotclick]555slotsportal.net/shrift.php
[donotclick]555slotsportal.net/discussing/alternative_distance.php
[donotclick]555slotsportal.me/discussing/alternative_distance.php
[donotclick]sexstreamsmatez.biz/discussing/alternative_distance.php

You can find a sample report here.  Let's dig a little deeper into that IP address.

inetnum:        130.185.105.0 - 130.185.105.127
netname:        Creative-Telematics-Trade
descr:          Creative Telematics & Trade s.r.o.
country:        CZ
admin-c:        AT1717-RIPE
tech-c:         AT1717-RIPE
status:         ASSIGNED PA
mnt-by:         XIRRA
source:         RIPE # Filtered

person:         Alexey Terentyev
address:        Czech Republic
address:        Praha 1, Na Prikope 10
address:        11000 Praha Czech Republi
address:        CZ
phone:          +420 228880161
fax-no:         +420 227204027
abuse-mailbox:  abuses@nkvdteam.ru
nic-hdl:        AT1717-RIPE
mnt-by:         NETDIRECT-MNT
source:         RIPE # Filtered

route:          130.185.105.0/24
descr:          XIRRA-NET
origin:         AS51191
mnt-by:         XIRRA
source:         RIPE # Filtered


"Alexey Terentyev" isn't a very Czech name, and neitgher is the domain name of nkvdteam.ru.. wait.. NKVD? You have to have a certain mind-set to call yourself that I guess..

So what can we find hosted on 130.185.105.74?

cams4xonline.me
555slotsportal.me
888casino-luckystar.me
klom555slots.me
zitex555slots.me
555slotsgamestoday.me
sexstreamsmatez.me
cams4xonline.org
555slotsportal.org
ttlxpoker.org
555pokerstreamx.org
sexstreamsmatez.org
555slotsportal.com
888casino-luckystar.com
ttlxpoker.com
888slotmachines.com
klom555slots.com
555slotsgamestoday.com
sexstreamsmatez.com
cams4xonline.info
555slotsportal.info
888casino-luckystar.info
ttlxpoker.info
klom555slots.info
zitex555slots.info
555slotsgamestoday.info
sexstreamsmatez.info
cams4xonline.net
555slotsportal.net
ttlxpoker.net
zitex555slots.net
daisy555slots.net
555slotsgamestoday.net
sexstreamsmatez.net
555slotsportal.biz
888casino-luckystar.biz
ttlxpoker.biz
muxxx4cams.biz
zitex555slots.biz
555slotsgamestoday.biz
sexstreamsmatez.biz

I'm going to suggest that there's nothing of value here and these sites are probably malicious and should be blocked. You might want to consider blocking 130.185.105.0/24 too.


Thursday, 28 February 2013

usanewwork.com fake job offer

This fake job offer will be some illegal activity such as money laundering or reshipping stolen goods:

Date:      Thu, 28 Feb 2013 14:57:55 -0600
From:      andrzej.wojnarowski@[victimdomain]
Subject:      There is a vacancy of a Regional manager in USA:

If you have excellent administrative skills, working knowledge of Microsoft Office,
a keen eye for detail, well-versed in the use of social networking sites such as Twitter and Facebook,
are organized, present yourself well and are a team player with the ability to work independently,
are reliable and punctual and can understand and execute instructions are determined to work hard and succeed - we need you.

If you are interested in this job, please, send us your contact information:
Full name:
Country:
City:
E-mail:

Please email us for details: Paulette@usanewwork.com
In this case the email originated from 187.246.25.58, a Mega Cable customer in Guadalajara, Mexico. The domain is registered to an address that does not exist (there is no Pratt Avenue in Tukwila):

   Sarah Shepard info@usanewwork.com
   360-860-3630 fax: 360-860-3321
   4478 Pratt Avenue
   Tukwila WA 98168
   us

The domain was only registered two days ago on 28/2/13.


The nameservers ns1.stageportal.net and ns2.stageportal.net are shared by several other domains offering similar fake jobs:

arbeitsagentura.com
stepstonede.com
europswork.com
usanewwork.com
euroconsaltinn.com
europsconsult.com
stageportal.net

IP addresses involved are:
5.135.90.19 (OVH, France)
69.169.90.62 (Big Brain Host, US)
199.96.86.139 (Microglobe LLC, US)

This job offer is best avoided unless you like prison food.

For the record, these are the other registrant details.

stageportal.net:

      LAUREEN FREEMAN
      7538 TRADE ST.
      SAN DIEGO, CA 92121
      US
      Phone: +1.8585668488
      Email: wondermitch@hotmail.com

arbeitsagentura.com:

   Michael B. Jackson
   Michael Jackson info@arbeitsagentura.com
   909-542-7178 fax: 909-542-7311
   3832 Gordon Street
   Pomona CA 91766
   us

stepstonede.com:

   John L. Irizarry
   John Irizarry info@stepstonede.com
   858-450-8875 fax: 858-450-8811
   4808 Hamill Avenue
   San Diego CA 92123
   us

europswork.com:

   Connie J. Grooms
   Connie Grooms info@europswork.com
   626-448-5229 fax: 626-448-5211
   2815 Woodstock Drive
   El Monte CA 91731
   us

euroconsaltinn.com:

   Mamie W. Murray
   Mamie Murray info@euroconsaltinn.com
   920-245-0475 fax: 920-245-0411
   3390 Rockford Mountain Lane
   West Allis WI 53227
   us

europsconsult.com:

   Regina P. Clay
   Regina Clay info@europsconsult.com
   212-241-1581 fax: 212-241-1211
   408 Bell Street
   New York NY 10029
   us


"Contract of 09.07.2011" spam / forumny.ru

This contracts-themed spam leads to malware on forumny.ru:

Date:      Thu, 28 Feb 2013 11:43:15 +0400
From:      "LiveJournal.com" [do-not-reply@livejournal.com]
Subject:      Fw: Contract of 09.07.2011
Attachments:     Contract_Scan_IM0826.htm

Dear Sirs,

In the attached file I am forwarding you the Translation of the Loan Contract that I have just received a minute ago. I am really sorry for the delay.

Best regards,

SHERLENE DARBY, secretary
The attachment Contract_Scan_IM0826.htm leads to malware on [donotclick]forumny.ru:8080/forum/links/column.php (report here) on:

31.200.240.153 (Unelink Telecom, Spain)
83.169.41.58 (Host Europe, Germany)

Blocklist:
31.200.240.153
83.169.41.58
carmennavarro.es
eiiiioovvv.ru
ejjiipprr.ru
emmmhhh.ru
errriiiijjjj.ru
famagatra.ru
filialkas.ru
finalions.ru
forumbmwr.ru
forumkinza.ru
forumligandaz.ru
forummersedec.ru
forummoskowciti.ru
forumny.ru
forumrogario.ru
forumusaaa.ru
forumvvz.ru
fuigadosi.ru
fzukungda.ru



"Follow this link" spam / sidesgenealogist.org

This rather terse spam appears to leads to an exploit kit on sidesgenealogist.org:

From: Josefina Underwood [mailto:hdFQe@heathrowexpress.com]
Sent: 27 February 2013 16:43
Subject: Follow this link

I have found it http://www.eurosaudi.com/templates/beez/wps.php?v20120226

Sincerely yours,
Sara Walton
The link is to a legitimate hacked site, and in this case it attempts to bounce to [donotclick]sidesgenealogist.org/closest/c93jfi2jf92ifj39ugh2jfo3g.php but at the time of writing the malware site appears to be overloaded. However, we can find an earlier report for the same sever here that indicates an exploit kit.

The malware is hosted on 188.93.210.226 (Logol.ru, Russia). I would recommend blocking the entire 188.93.210.0/23 range to be on the safe side. These other two domains are in the same AS and are currently active:

reinstalltwomonthold.org
nephewremovalonly.org
scriptselse.org
everflowinggopayment.net

Wednesday, 27 February 2013

"End of Aug. Statement" spam / forumusaaa.ru

This invoice-themed spam leads to malware on forumusaaa.ru:

Date:      Thu, 28 Feb 2013 06:04:08 +0530
From:      "Lisa HAGEN" [WilsonVenditti@ykm.com.tr]
Subject:      Re: FW: End of Aug. Statement
Attachments:     Invoice_JAN-2966.htm

Good day,

as reqeusted I give you inovices issued to you per jan. (Microsoft Internet Explorer).

Regards

Lisa HAGEN
The malware is hosted at [donotclick]forumusaaa.ru:8080/forum/links/column.php (report here) hosted on:

31.200.240.153 (Unelink Telecom, Spain)
83.169.41.58 (Host Europe, Germany)

Blocklist:
31.200.240.153
83.169.41.58
fzukungda.ru
famagatra.ru
forumkinza.ru
forummersedec.ru
emmmhhh.ru
fuigadosi.ru
forummoskowciti.ru
errriiiijjjj.ru
forumrogario.ru
ejjiipprr.ru
forumbmwr.ru
filialkas.ru
finalions.ru
eiiiioovvv.ru
forumligandaz.ru
forumvvz.ru
forumusaaa.ru