These seem to be the currently active IPs and domains being used by the RU:8080 gang. Of these the domain gilaogbaos.ru seems to be very active this morning. Block 'em if you can:
For the record, these are the registrars either hosting the domains or offering support services. It is possible that some have been taken down already.
5.9.40.136 (Hetzner, Germany)
41.72.150.100 (Hetzner, South Africa)
50.116.23.204 (Linode, US)
66.249.23.64 (Endurance International Group, US)
94.102.14.239 (Netinternet, Turkey)
212.180.176.4 (Supermedia, Poland)
213.215.240.24 (COLT, Italy)
Friday, 15 March 2013
Samsung Galaxy S4
Seriously.. when does it stop being a phone? This Galaxy S4 thing has a 5" HD display, a processor with up to eight cores, and it even watches you watching it. Just remember that last point while you are perusing your favourite rubber midget lesbian vore collection.
What I hadn't heard of before is the Samsung HomeSync server which is basically a 1TB appliance you put in your home and store all your stuff on, which you can then access from the GS4 or apparently a wide range of other devices. Just don't lose your smartphone..
Of course, the thing with smartphones is that there's always something better just around the corner. The Google / Motorola Xphone that is rumoured could be a GS4 beater.
Anyway.. in the meantime your old smartphone just got a bit more obsolete..
Labels:
Phones
Thursday, 14 March 2013
Brian Krebs gets SWATted
It looks like Brian Krebs got a visit from a SWAT team today, after having his site DDOSed and served with a fake takedown notice, possibly in retaliation for this article. Nasty.
It reminds me a little of the "suicide note" incident with the operator of abuse.ch a few years back. You know when you have pissed off the bad guys when they arrange for armed police to come calling..
LinkedIn spam / teenlocal.net
This fake LinkedIn spam leads to malware on teenlocal.net:
From: messages-noreply@bounce.linkedin.com [mailto:messages-noreply@bounce.linkedin.com] On Behalf Of LinkedIn
Sent: 14 March 2013 16:32
Subject: Frank and Len have endorsed you!
Congratulations! Your connections Frank Garcia and Len Rosenthal have endorsed you for the following skills and expertise:
Program Management
Strategic Planning
Continue
You are receiving Endorsements emails. Unsubscribe.
This email was intended for Paul Stevens (Chief Financial Officer, Vice President and General Manager, Aerospace/Defense, Pacific Consolidated Industries). Learn why we included this. 2013, LinkedIn Corporation. 2029 Stierlin Ct. Mountain View, CA 94043, USA
The malicious payload is at [donotclick]teenlocal.net/kill/force-vision.php (report here) hosted on:
24.111.157.113 (Midcontinent Media, US)
58.26.233.175 (Telekom Malaysia, Malaysia)
155.239.247.247 (Centurion Telkom, South Africa)
"Efax Corporate" spam / gimiinfinfal.ru
This eFax-themed spam leads to malware on gimiinfinfal.ru:
Date: Thu, 14 Mar 2013 07:39:23 +0300
From: SarahPoncio@mail.com
Subject: Efax Corporate
Attachments: Efax_Corporate.htm
Fax Message [Caller-ID: 449555234]
You have received a 44 pages fax at Thu, 14 Mar 2013 07:39:23 +0300, (751)-674-3105.
* The reference number for this fax is [eFAX-263482326].
View attached fax using your Internet Browser.
© 2013 j2 Global Communications, Inc. All rights reserved.
eFax ® is a registered trademark of j2 Global Communications, Inc.
This account is subject to the terms listed in the eFax ® Customer Agreement.
There's an attachment called Efax_Corporate.htm which leads to malware on [donotclick]gimiinfinfal.ru:8080/forum/links/column.php (report here) hosted on:
94.102.14.239 (Netinternet, Turkey)
50.116.23.204 (Linode, US)
213.215.240.24 (COLT, Italy)
Blocklist:
50.116.23.204
94.102.14.239
213.215.240.24
giimiiifo.ru
Wednesday, 13 March 2013
"Copies of policies" spam / giimiiifo.ru
This spam leads to malware on giimiiifo.ru:
Date: Wed, 13 Mar 2013 06:49:25 +0100
From: LinkedIn Email Confirmation [emailconfirm@linkedin.com]
Subject: RE: Alonso - Copies of Policies.
Unfortunately, I cannot obtain electronic copies of the Ocean, Warehouse or EPLI policy.
Here is the Package and Umbrella,
and a copy of the most recent schedule.
Alonso SAMS,
The malicious payload is at [donotclick]giimiiifo.ru:8080/forum/links/column.php hosted on two IPs we saw earlier:
94.102.14.239 (Netinternet, Turkey)
213.215.240.24 (COLT, Italy)
"Wapiti Lease Corporation" spam / giminaaaao.ru
A fairly bizarre spam leading to malware on giminaaaao.ru:
From: IESHA WILLEY [mailto:AtticusRambo@tui-infotec.com]
Sent: 13 March 2013 11:22
To: Sara Smith
Subject: Fwd: Wapiti Land Corporation Guiding Principles attached
Hello,
Attached is a draft of the Guiding Principles that the Wapiti Lease Corporation (“W.L.C”) would like to publish. Prior to doing that, WLC would like you to have an opportunity for a preview and to provide any comments that you would like to make. Please let me know that you have reviewed it and what comments you might have.
Thank you,
IESHA WILLEY
WLC
This comes with an attachment called WLC-A0064.htm although I have another sample "from" a DEANNE AMOS with an attachment of WLC-A5779.htm. In any case, the attachment tries to direct the victim to a malware landing page at [donotclick]giminaaaao.ru:8080/forum/links/column.php (report here) hosted on:
93.174.138.48 (Cloud Next / Node4, UK)
94.102.14.239 (Netinternet, Turkey)
213.215.240.24 (COLT, Italy)
Blocklist:
93.174.138.48
94.102.14.239
213.215.240.24
giminaaaao.ru
giminkfjol.ru
giminanvok.ru
Zbot sites to block 13/3/13
These domains and IPs seem to be active as Zbot C&C servers. The obsolete .su (Soviet Union) domain is usually a tell-tale sign of.. something.
URLs seen:
[donotclick]beveragerefine.su/hjz/file.php
[donotclick]euroscientists.at/hjz/file.php
[donotclick]machinelikeleb.su/fiv/gfhk.php
[donotclick]mixedstorybase.su/hjz/file.php
[donotclick]satisfactorily.su/hjz/file.php
[donotclick]smurfberrieswd.su/hjz/file.php
And for the record, those IPs belong to:
76.185.101.239 (Road Runner, US)
77.74.197.190 (UK Dedicated Servers, UK)
89.202.183.27 (Interoute / PSI, UK)
89.253.234.247 (Rusonyx, Russia)
201.236.78.182 (Municipalidad De Quillota, Chile)
218.249.154.140 (Beijing Zhongbangyatong Telecom, China)
Tuesday, 12 March 2013
"End of Aug. Stat. Required" spam / giminkfjol.ru
This spam leads to malware on giminkfjol.ru:
From: user@victimdomain.com
Sent: 12 March 2013 04:19
Subject: Re: End of Aug. Stat. Required
Good morning,
as reqeusted I give you inovices issued to you per dec. 2012 ( Internet Explorer file)
Regards
The attachment Invoices-ATX993823.htm attempts to redirect the victim to [donotclick]giminkfjol.ru:8080/forum/links/column.php (report here) hosted on:
5.9.40.136 (Hetzner, Germany)
94.102.14.239 (Netinternet, Turkey)
213.215.240.24 (COLT, Italy)
Blocklist:
5.9.40.136
94.102.14.239
213.215.240.24
giminkfjol.ru
Monday, 11 March 2013
Wire Transfer spam / giminanvok.ru
Another wire transfer spam, this time leading to malware on giminanvok.ru:
Date: Mon, 11 Mar 2013 02:46:19 -0300 [01:46:19 EDT]
From: LinkedIn Connections [connections@linkedin.com]
Subject: Fwd: Wire Transfer (5600LJ65)
Dear Bank Account Operator,
WIRE TRANSFER: FED694760330367340
CURRENT STATUS: PENDING
Please REVIEW YOUR TRANSACTION as soon as possible.
The malicious payload is at [donotclick]giminanvok.ru:8080/forum/links/column.php (report pending) hosted on the same IPs used earlier today:
5.9.40.136 (Hetzner, Germany)
66.249.23.64 (Endurance International Group, US)
94.102.14.239 (Netinternet, Turkey)
I strongly recommend that you block access to these IPs if you can.
Wire Transfer spam / gimikalno.ru
This fake wire transfer spam leads to malware on gimikalno.ru:
Date: Mon, 11 Mar 2013 04:00:22 +0000 [00:00:22 EDT]
From: Xanga [noreply@xanga.com]
Subject: Re: Fwd: Wire Transfer Confirmation (FED REFERENCE 16442CU385)
Dear Bank Account Operator,
WIRE TRANSFER: FED62403611378975648
CURRENT STATUS: PENDING
Please REVIEW YOUR TRANSACTION as soon as possible.
The malicious payload is at [donotclick]gimikalno.ru:8080/forum/links/column.php (report here) hosted on:
5.9.40.136 (Hetzner, Germany)
66.249.23.64 (Endurance International Group, US)
94.102.14.239 (Netinternet, Turkey)
Sidharth Shah / OVH / itechline.com
I have now come across several incidents of malware hosted in an OVH IP address range suballocated to Sidharth Shah. The blocks that I can identify so far are:
These IPs are mostly malware or fake goods. Legitimate sites seem to be nonexistent, although these IP ranges have hosted legitimate sites in the past. I would personally recommend blocking them all, but if you want to see a fuller analysis of WOT ratings and Google Safe Browsing diagnostics see here.
So, what do we know about Mr Shah? Well, the IPs have the following contact details:
organisation: ORG-SS252-RIPE
org-name: Shah Sidharth
org-type: OTHER
address: 12218 Skylark Rd
address: 20871 Clarksburg
address: US
abuse-mailbox: ovhresell@gmail.com
phone: +1.5407378283
mnt-ref: OVH-MNT
mnt-by: OVH-MNT
source: RIPE # Filtered
This is presumably the same Mr Shah who owns sidharthshah.com:
Technical Contact:
Shah, Sidharth sidharth134@gmail.com
12128 Skylark Rd
Clarksburg, Maryland 20871
United States
(240) 535-2204
These contact details are
The email address sidharth134@gmail.com is also associated with itechline.com which is a company with an unenviable F rating from the BBB, who list the principal as being Sidharth Shah.
BBB rating is based on 16 factors.
Factors that lowered the rating for ITechline.com include:
Length of time business has been operating
8 complaints filed against business
Failure to respond to 7 complaints filed against business
ITechline.com has garnered some very negative consumer reviews [1] [2] [3] [4]. It appears to advertise on search engines for phrases like mcafee support and then charges to look at the computer, with "fixes" that some have reported to be of variable quality. You should make your own mind up as to the veracity of these negative claims.
Whether or not the OVH IP addresses are managed by Mr Shah directly or through ITechline is not known. Looking at the malicious domains, I cannot find a direct connection to Mr Shah other than the fact that they are a customer. However, I would not expect a well-managed network to have so many malicious domains and other spammy sites. I would recommend blocking access to all the listed IPs if you can.
Labels:
Evil Network,
Malware,
OVH,
Sidharth Shah,
Viruses
Something evil on 176.31.140.64/28
176.31.140.64/28 is an OVH block suballocated to Sidharth Shah (mentioned in this earlier post). It contains a small number of malicious domains flagged by Google (in red); most of the rest of the sites have a very poor WOT rating (in yellow). I'll post more details later. You can safely assume that everything in this block is malicious, and I note that some of the domains are refugees from this malware site.
Malware is hosted on 176.31.140.64, 176.31.140.65, 176.31.140.66 and 176.31.140.67. There appear to be no legitimate sites in this block.
Labels:
Evil Network,
Malware,
OVH,
Sidharth Shah,
Spam,
Viruses
Something evil on 37.59.214.0/28
37.59.214.0/28 is an OVH IP range suballocated to a person called Sidharth Shah in Maryland (more of whom later). At the moment it is hosting a number of malware sites with a hard-to-determine payload such as [donotclick]55voolith.info:89/forum/had.php which is evading automated analysis.
The owner of this block is as follows:
organisation: ORG-SS252-RIPE
org-name: Shah Sidharth
org-type: OTHER
address: 12218 Skylark Rd
address: 20871 Clarksburg
address: US
abuse-mailbox: ovhresell@gmail.com
phone: +1.5407378283
mnt-ref: OVH-MNT
mnt-by: OVH-MNT
source: RIPE # Filtered
Malware is hosted on 37.59.214.0, 37.59.214.1 and 37.59.214.0. There do not appear to be any legitimate sites in this range. Google has already flagged some of these as malicious (marked in red), so you can safely assume that they are all malicious:
Labels:
Evil Network,
Malware,
OVH,
Sidharth Shah,
Spam,
Viruses
Friday, 8 March 2013
RU:8080 and Amerika spam runs
For about the past year I have seen two very persistent spam runs leading to malware, typically themed along the lines of fake emails from the BBB, LinkedIn, NACHA, USPS and ADP.
The most obvious characteristic of one of the spam runs is the use of a malware landing page containing .ru:8080, registered through NAUNET to the infamous "private person". In order to aid researchers, I have labelled this series as RU:8080. You can see some current nastiness in action at Malware Must Die.
But there's a second spam run as well, which appears to be similarly themed but using different servers. In this case, the domains registered are typically .net, .org and .com emails (with .pro and .biz used from time-to-time). These domains are registered with fake names and addresses purporting to be in the US, but indicators show that this spam may well originate from within Russia.
I've labelled this series as Amerika (yes, there was a TV show of the same name) because frankly the domains are about as American as apple pie sharlotka. The Amerika spam run is a little harder to identify, so there may be some errors in it.
I don't have any deep insight into either spam run or the payloads they deliver, but if you are interested in looking more deeply at the patterns then hopefully this will be of some use!
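An added example, not code from the original post: a Python filter that flags proxy-log requests matching the RU:8080 pattern described above (a .ru host on port 8080, with the /forum/links/column.php path seen in these posts treated as a stronger signal). The log format, field order and hostnames are constructed for illustration, and the match is a heuristic rather than proof of compromise.

```python
import re
from urllib.parse import urlsplit

# Path that appears on the RU:8080 landing pages quoted in these posts.
KNOWN_LANDING_PATH = "/forum/links/column.php"
# Defanging prefix used on this blog; strip it before parsing.
DEFANG_PREFIX = "[donotclick]"
_HAS_SCHEME = re.compile(r"^[a-z][a-z0-9+.\-]*://", re.IGNORECASE)

# Constructed sample log: timestamp, client, method, URL, status.
SAMPLE_LOG = """\
2013-03-14T07:41:02Z 10.0.0.15 GET http://constructed-host-a.ru:8080/forum/links/column.php 200
2013-03-14T07:41:09Z 10.0.0.22 GET http://CONSTRUCTED-HOST-B.RU.:8080/other/page.php 200
2013-03-14T07:42:11Z 10.0.0.15 GET http://constructed-host-a.ru/forum/links/column.php 200
2013-03-14T07:43:30Z 10.0.0.31 GET http://constructed-host-c.ru.example.com:8080/forum/links/column.php 200
2013-03-14T07:44:05Z 10.0.0.40 GET http://portal.example.com/redirect?u=constructed-host-a.ru:8080 200
2013-03-14T07:45:17Z 10.0.0.41 CONNECT constructed-host-d.ru:8080 200
2013-03-14T07:46:48Z 10.0.0.42 GET http://constructed-host-e.ru:80800/x 200
"""


def classify_url(raw):
    """Return a dict for URLs matching the RU:8080 pattern, else None."""
    url = raw.strip()
    if url.startswith(DEFANG_PREFIX):
        url = url[len(DEFANG_PREFIX):]
    # CONNECT targets and defanged URLs often carry no scheme.
    if not _HAS_SCHEME.match(url):
        url = "http://" + url
    try:
        parts = urlsplit(url)
        # Normalise case and a trailing root dot before the suffix test.
        host = (parts.hostname or "").rstrip(".").lower()
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return None
    # Compare the parsed host and port, never the raw string, so that
    # ".ru:8080" inside a query string or a look-alike parent domain
    # does not trigger a match.
    if port != 8080 or not host.endswith(".ru"):
        return None
    return {
        "host": host,
        "path": parts.path,
        "known_path": parts.path == KNOWN_LANDING_PATH,
    }


def scan_log(text):
    """Scan log text and return one record per matching request."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        fields = line.split()
        if len(fields) < 5:
            continue  # not a complete record in this constructed format
        _ts, client, _method, url, _status = fields[:5]
        match = classify_url(url)
        if match:
            hits.append({"line": line_no, "client": client, **match})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        level = "HIGH" if hit["known_path"] else "REVIEW"
        print(f"{level} line {hit['line']}: {hit['client']} -> "
              f"{hit['host']}:8080{hit['path']}")
```
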
AT&T spam (again)
This fake AT&T spam leads to malware on.. well, in this case nothing at all.
Date: Fri, 8 Mar 2013 10:37:24 -0500 [10:37:24 EST]
From: AT&T Customer Care [icare7@amcustomercare.att-mail.com]
Subject: Your AT&T wireless bill is ready to view
att.com | Support | My AT&T Account Rethink Possible
Your wireless bill is ready to view
Dear Customer,
Your monthly wireless bill for your account is now available online.
Total Balance Due: $1695.64
Log in to myAT&T to view your bill and make a payment. Or register now to manage your account online. By dialing *PAY (*729) from your wireless phone, you can check your balance or make a payment - it's free.
Smartphone users: download the free app to manage your account anywhere, anytime.
Thank you,
AT&T Online Services
att.com
Contact Us
AT&T Support - quick & easy support is available 24/7.
Find us on Facebook Talk to us on twitter AT&T Community
Get Peace of Mind
Set up secure AutoPay from your checking account.
Learn more
Go Paperless
Save time, money and the environment.
Learn more
Online Deals!
Shop the Best Deals in your area for Phone, TV, Internet and Wireless.
Learn more
Device Tutorials
Information specific about your phone Smart Controls
Block calls, set mobile purchase limits, manage usage, and more Payment Arrangements
Explore your options for arranging a payment plan
PLEASE DO NOT REPLY TO THIS MESSAGE
©2013 AT&T Intellectual Property. All rights reserved. AT&T, the AT&T logo and all other AT&T marks contained herein are trademarks of AT&T Intellectual Property and/or AT&T affiliated companies. Subsidiaries and affiliates of AT&T Inc. provide products and services under the AT&T brand.
Privacy Policy
In this case the link goes to a redirector page at [donotclick]vtcrm.update.se/eben/index.html hosted on 62.109.34.50 in Sweden. It looks like someone has speedily removed the redirector page so I can't tell you much about the malicious landing page. Kudos to Ilait AB or whoever fixed the problem!
LinkedIn spam / giminalso.ru
This fake LinkedIn spam leads to malware on giminalso.ru:
From: messages-noreply@bounce.linkedin.com [mailto:messages-noreply@bounce.linkedin.com] On Behalf Of LinkedIn Password
Sent: 08 March 2013 10:24
Subject: Aylin is now part of your network. Keep connecting...
[redacted], Congratulations!
You and Aylin are now connected.
Aylin Welsh
--
Tajikistan
2012, LinkedIn Corporation
The malicious payload is at [donotclick]giminalso.ru:8080/forum/links/column.php (report here) hosted on the same IPs as in this other attack today:
41.72.150.100 (Hetzner, South Africa)
89.107.184.167 (WebhostOne, Germany)
212.180.176.4 (Supermedia, Poland)
"Your tax return appeal is declined" / gimilako.ru
The following fake IRS spam leads to malware on gimilako.ru:
From: Myspace [mailto:noreply@message.myspace.com]
Sent: 07 March 2013 20:55
Subject: Your tax return appeal is declined.
Dear Chief Account Officer,
Hereby you are notified that your Income Tax Refund Appeal id#9518045 has been REJECTED. If you believe the IRS did not properly estimate your case due to a misunderstanding of the facts, be prepared to provide additional information. You can obtain the rejection details and re-submit your appeal by using the instructions in the attachment.
Internal Revenue Service
Telephone Assistance for Businesses:
Toll-Free, 1-800-829-4933
Hours of Operation: Monday Friday, 7:00 a.m. 7:00 p.m. your local time (Alaska & Hawaii follow Pacific Time).
The malicious payload is at [donotclick]gimilako.ru:8080/forum/links/column.php (reported here) hosted on:
41.72.150.100 (Hetzner, South Africa)
89.107.184.167 (WebhostOne, Germany)
212.180.176.4 (Supermedia, Poland)
Blocklist:
Adobe CS4 spam / guuderia.ru
This fake Adobe spam leads to malware on guuderia.ru:
From: messages-noreply@bounce.linkedin.com [mailto:messages-noreply@bounce.linkedin.com] On Behalf Of Donnie Cherry via LinkedIn
Sent: 07 March 2013 12:39
Subject: Order N40898
Good afternoon,
You can download your Adobe CS4 License here -
We encourage you to explore its new and enhanced capabilities with these helpful tips, tutorials, and eSeminars.
Thank you for buying Adobe InDesign CS4 software.
Adobe Systems Incorporated
The malicious payload is at [donotclick]guuderia.ru:8080/forum/links/column.php (report here) hosted on:
41.72.150.100 (Hetzner, South Africa)
212.180.176.4 (Supermedia, Poland)
Blocklist:
Thursday, 7 March 2013
Malware sites to block 7/3/13
Some Cridex-based nastiness here. These are the malicious domains that I can find on the IPs mentioned; alternatively you can just block:
173.246.102.2 (Gandi, US)
173.255.215.242 (Linode, US)
64.13.172.42 (Silicon Valley Colocation, US)
Blocklist:
BBB Spam / alteshotel.net and bbb-accredited.net
This fake BBB spam leads to malware on alteshotel.net and bbb-accredited.net:
Date: Thu, 7 Mar 2013 06:23:12 -0700
From: "Better Business Bureau Warnings" [hurriese3@bbb.com]
Subject: BBB details regarding your claim No.
Sorry, your e-mail does not support HTML format. Your messages can be viewed in your browser
Better Business Bureau ©
Start With Trust ©
Thu, 6 March 2013
Your Accreditation Suspended
[redacted]
The Better Business Bureau has been temporary Aborted Your Accreditation
A number of latest complains on you / your company motivated us to temporal Abort your accreditation with Better Business Beaureau. The details of the our decision are available for review at a link below. Please pay attention to this issue and inform us about your glance as soon as possible.
We graciously ask you to overview the TERMINATION REPORT to meet on this claim
We awaits to your prompt rebound.
If you think you got this email by mistake - please forward this message to your principal or accountant
Yours respectfully
Hunter Ross
Dispute Advisor
Better Business Bureau
Better Business Bureau
3053 Wilson Blvd, Suite 600 Arlington, VA 25501
Phone: 1 (703) 276.0100 Fax: 1 (703) 525.8277
This information was sent to [redacted]. Don't want to receive these emails anymore? You can unsubscribe
=========================
Date: Thu, 7 Mar 2013 21:19:18 +0800
From: "Better Business Bureau Warnings" [prettifyingde7@transfers.americanpayroll.org]
Subject: BBB details about your pretense No.
Sorry, your e-mail does not support HTML format. Your messages can be viewed in your browser
Better Business Bureau ©
Start With Trust ©
Thu, 6 March 2013
Your Accreditation Suspended
[redacted]
The Better Business Bureau has been temporary Aborted Your Accreditation
A number of latest complains on you / your company motivated us to transient Cancell your accreditation with Better Business Beaureau. The details of the our decision are available visiting a link below. Please pay attention to this question and notify us about your belief as soon as possible.
We graciously ask you to visit the ABUSE REPORT to answer on this appeal
We awaits to your prompt answer.
If you think you got this email by mistake - please forward this message to your principal or accountant
Faithfully yours
Benjamin Cox
Dispute Councilor
Better Business Bureau
Better Business Bureau
3053 Wilson Blvd, Suite 600 Arlington, VA 24401
Phone: 1 (703) 276.0100 Fax: 1 (703) 525.8277
This letter was sent to [redacted]. Don't want to receive these emails anymore? You can unsubscribe
One potentially malicious payload is at [donotclick]alteshotel.net/detects/review_complain.php (looks like it might be broken - report here) hosted on:
69.43.161.176 (Parked at Castle Access Inc, US)
The other is at [donotclick]bbb-accredited.net/kill/enjoy-laws-partially-unwanted.php (definitely malicious - report here) hosted on:
64.207.236.198 (EasyTEL, US)
142.11.195.204 (Hostwinds LLC, US)
149.154.68.214 (TheFirst.RU, Russia)
These other domains can be seen on those IPs:
secureaction120.com
secureaction150.com
iberiti.com
notsk.com
metalcrew.net
roadix.net
gatovskiedelishki.ru
conbicormiks.ru
Recommended blocklist:
Wednesday, 6 March 2013
Pizza spam / gimalayad.ru
Cheese Lover's Pizza with no cheese?! Chicken pizza with three lots of extra ham?? This spam actually leads to malware on gimalayad.ru:
Date: Wed, 6 Mar 2013 12:22:04 +0330
From: Tagged [Tagged@taggedmail.com]
Subject: Fwd: Order confirmation
You've just ordered pizza from our site
Pizza Ultimate Cheese Lover's with extras:
- Bacon Pieces
- Ham
- Bacon Pieces
- Jalapenos
- Black Olives
- No Cheese
- Easy On Sauce
Pizza Chicken Supreme with extras:
- Ham
- Ham
- Ham
- Jalapenos
- Green Peppers
- Diced Tomatoes
- Extra Cheese
- Extra Sauce
Pizza Hawaiian Luau with extras:
- Ham
- Green Peppers
- Jalapenos
- Pineapple
- Extra Cheese
- No Sauce
Pizza Pepperoni Lover's with extras:
- Beef
- Ham
- Green Peppers
- Onions
- Green Peppers
- Extra Cheese
- Easy On Sauce
Pizza Spicy Sicilian with extras:
- Chicken
- Ham
- Bacon Pieces
- Pineapple
- Easy On Cheese
- Easy On Sauce
Drinks
- Grolsch x 6
- 7up x 3
- Budweiser x 4
- Carling x 2
Total Charge: 232.33$
If you haven't made the order and it's a fraud case, please follow the link and cancel the order.
CANCEL ORDER NOW!
If you don't do that shortly, the order will be confirmed and delivered to you.
With respect to you
ALBERTO`s Pizzeria
================================
Date: Wed, 6 Mar 2013 09:16:56 +0100
From: "Xanga" [noreply@xanga.com]
Subject: Re: Fwd: Order confirmation
You've just ordered pizza from our site
Pizza Ultimate Cheese Lover's with extras:
- Beef
- Pepperoni
- Diced Tomatoes
- Easy On Cheese
- Extra Sauce
Pizza Italian Trio with extras:
- Beef
- Black Olives
- Black Olives
- Onions
- Extra Cheese
- Extra Sauce
Pizza Triple Meat Italiano with extras:
- Bacon Pieces
- Ham
- Onions
- Green Peppers
- Diced Tomatoes
- Extra Cheese
- Extra Sauce
Drinks
- Simply Orange x 4
- Fanta x 2
- 7up x 2
- Heineken x 2
- Lift x 5
- Pepsi x 4
- Budweiser x 4
Total Charge: 242.67$
If you haven't made the order and it's a fraud case, please follow the link and cancel the order.
CANCEL ORDER NOW!
If you don't do that shortly, the order will be confirmed and delivered to you.
With Respect
PIERO`s Pizzeria
The malicious payload is at [donotclick]gimalayad.ru:8080/forum/links/column.php (report here) hosted on the same IPs used in this attack:
41.72.150.100 (Hetzner, South Africa)
117.104.150.170 (NTT, Japan)
212.180.176.4 (Supermedia, Poland)
Blocklist:
41.72.150.100
117.104.150.170
212.180.176.4
forum-la.ru
gosbfosod.ru
giliaonso.ru
forum-ny.ru
ginagion.ru
gimalayad.ru
BT Business Direct Order Spam / ginagion.ru
From: Bebo Service [mailto:service=noreply.bebo.com@bebo.com] On Behalf Of Bebo Service
Sent: 05 March 2013 21:22
Subject: BT Business Direct Order
Notice of delivery
Hi,
We're pleased to confirm that we have now accepted and despatched your order on Wed, 6 Mar 2013 03:21:30 +0600.
Unless you chose a next day or other premium delivery service option, then in most cases your order will arrive within 1-3 days. If we despatched your order via Letterpost, it may take a little longer.
***Please note that your order may have shipped in separate boxes and this means that separate consignment numbers may be applicable***
We've despatched...
..using the attached shipment details...
Courier Ref Carriage method
Royal Mail FM320725534 1-3 Days
Please note that you will only be able to use this tracking reference once the courier has scanned the parcel into their depot. Please allow 24 hours from the date of this email before tracking your parcel online.
For information on how track your delivery, please follow to attached file.
Important information for Yodel deliveries:
If your consignment number starts with 3S3996956 your delivery will require a signature. If there is no-one at the delivery address to sign for the goods a card will be left containing the contact details of the courier so that you can re-arrange delivery or arrange a collection.
The malicious payload is at [donotclick]ginagion.ru:8080/forum/links/column.php (report here) hosted on:
41.72.150.100 (Hetzner, South Africa)
117.104.150.170 (NTT, Japan)
212.180.176.4 (Supermedia, Poland)
Blocklist:
41.72.150.100
117.104.150.170
212.180.176.4
gosbfosod.ru
giliaonso.ru
forum-ny.ru
ginagion.ru
Tuesday, 5 March 2013
Sendspace spam / forumkianko.ru
Date: Tue, 5 Mar 2013 06:52:10 +0100
From: AyanaLinney@[redacted]
Subject: You have been sent a file (Filename: [redacted]-51153.pdf)
Sendspace File Delivery Notification:
You've got a file called [redacted]-01271.pdf, (797.4 KB) waiting to be downloaded at sendspace.(It was sent by DEON VANG).
You can use the following link to retrieve your file:
Download Link
The file may be available for a limited time only.
Thank you,
sendspace - The best free file sharing service.
----------------------------------------------------------------------
Please do not reply to this email. This auto-mailbox is not monitored and you will not receive a response.
The malicious payload is at [donotclick]forumkianko.ru:8080/forum/links/column.php (report here) hosted on:
46.4.77.145 (Hetzner, Germany)
198.104.62.49 (NTT America, US)
210.71.250.131 (Chunghwa Telecom, Taiwan)
These IPs are the same as used in this attack.
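The landing pages in these posts share one URL shape (port 8080 and the path /forum/links/column.php) while the domain changes from campaign to campaign. This added example, which is not part of the original posts, checks proxy log lines against both the published domains and that URL shape. The log format, the sample lines, the client addresses and the example.* hostnames are constructed for illustration, and treating the URL shape as a signal for unlisted domains is an assumption drawn from the URLs on this page.

```python
from urllib.parse import urlsplit

# Landing-page URLs exactly as published in these posts (defanged).
PUBLISHED = [
    "[donotclick]forumkianko.ru:8080/forum/links/column.php",
    "[donotclick]ginagion.ru:8080/forum/links/column.php",
    "[donotclick]gimalayad.ru:8080/forum/links/column.php",
]

# URL shape shared by those landing pages: port and path.
LANDING_PORT = 8080
LANDING_PATH = "/forum/links/column.php"

# Constructed proxy log lines (assumed format):
# <timestamp> <client-ip> <method> <url> <status>
SAMPLE_LOG = """\
2013-03-05T06:55:01Z 10.0.0.21 GET http://forumkianko.ru:8080/forum/links/column.php 200
2013-03-05T06:55:09Z 10.0.0.22 GET http://www.example.com/forum/links/column.php 200
2013-03-05T07:02:44Z 10.0.0.23 GET http://unlisted.example:8080/forum/links/column.php?x=1 200
2013-03-05T07:03:10Z 10.0.0.24 GET http://intranet.example.org:8080/status 200
2013-03-05T07:04:00Z 10.0.0.25 GET http://sub.ginagion.ru/index.html 404
malformed line
"""


def refang(indicator):
    """Strip the [donotclick] marker and add a scheme so the URL parses."""
    url = indicator.replace("[donotclick]", "").strip()
    return url if "://" in url else "http://" + url


def blocked_domains(indicators):
    """Hostnames of the published landing pages, lower-cased."""
    return {urlsplit(refang(i)).hostname.lower() for i in indicators}


def classify(url, blocked):
    """Return (host, reasons); reasons is empty when nothing matches."""
    try:
        parts = urlsplit(url)
    except ValueError:              # unparseable URL in the log
        return "", []
    host = (parts.hostname or "").lower().rstrip(".")
    try:
        port = parts.port
    except ValueError:              # non-numeric or out-of-range port
        port = None
    reasons = []
    # Exact match or any subdomain of a published domain.
    if any(host == d or host.endswith("." + d) for d in blocked):
        reasons.append("blocklisted-domain")
    # Same port and path as the published landing pages, whatever the domain.
    if port == LANDING_PORT and parts.path == LANDING_PATH:
        reasons.append("url-shape")
    return host, reasons


def scan(log_text, blocked):
    """Return a list of (client_ip, host, reasons) for suspicious requests."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue                # skip lines that do not fit the format
        _ts, client, _method, url, _status = fields
        host, reasons = classify(url, blocked)
        if reasons:
            hits.append((client, host, reasons))
    return hits


if __name__ == "__main__":
    for client, host, reasons in scan(SAMPLE_LOG, blocked_domains(PUBLISHED)):
        print(client, host, ",".join(reasons))
```

The third sample line is flagged on URL shape alone, which is the case a pure domain blocklist misses when a new domain is rotated in.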
"Scan from a Hewlett-Packard ScanJet" spam / giliaonso.ru
This fake HP printer spam leads to malware on giliaonso.ru:
Date: Tue, 5 Mar 2013 12:53:40 +0500
From: "Classmates . com" [classmatesemail@accounts.classmates.com]
Subject: Fwd: Re: Scan from a Hewlett-Packard ScanJet #161051
Attachments: HP_Scan.htm
Attached document was scanned and sent
to you using a HP A-16292P.
SENT BY : Landon
PAGES : 6
FILETYPE: .HTML [INTERNET EXPLORER/MOZILLA FIREFOX]
The attachment leads to malware on [donotclick]giliaonso.ru:8080/forum/links/column.php (report here) hosted on the following IPs:
46.4.77.145 (Hetzner, Germany)
198.104.62.49 (NTT America, US)
210.71.250.131 (Chunghwa Telecom, Taiwan)
Blocklist:
Something evil on 5.9.196.3 and 5.9.196.6
Two IPs in the 5.9.196.0/28 block that you probably want to avoid are 5.9.196.3 and 5.9.196.6. The first of these IPs is being used in an injection attack (in this case via [donotclick]frasselt-kalorama.nl/relay.php) leading to two identified malware landing pages:
[donotclick]kisielius.surfwing.me/world/explode_conscious-scandal.jar (report here)
[donotclick]alkalichlorideasenteeseen.oyunhan.net/world/romance-apparatus_clinical_repay.php (report here)
Domains visible on 5.9.196.3 include:
alkalichlorideasenteeseen.oyunhan.net
kisielius.surfwing.me
dificilmentekvelijitten.surfwing.me
kisielius.surfwing.me
befool-immatriculation.nanovit.me
locoburgemeester.toys2bsold.com
ratiocination-wselig.smithsisters.us
A few IPs along is 5.9.196.6 which hosts the following domain that also looks highly suspect:
inspegrafstatkakukano.creatinaweb.com
Blocking these domains completely is probably a good idea:
oyunhan.net
surfwing.me
nanovit.me
toys2bsold.com
smithsisters.us
creatinaweb.com
5.9.196.0/28 is a Hetzner IP allocated to:
inetnum: 5.9.196.0 - 5.9.196.15
netname: PQCSERVICE-LLC
descr: pqcservice llc
country: DE
admin-c: VS4214-RIPE
tech-c: VS4214-RIPE
status: ASSIGNED PA
mnt-by: HOS-GUN
source: RIPE # Filtered
person: Vadim Sheyin
address: pqcservice llc
address: Universitetskaya 2a
address: 61091 Kharkov
address: UKRAINE
phone: +380506268399
nic-hdl: VS4214-RIPE
mnt-by: HOS-GUN
source: RIPE # Filtered
I haven't seen anything of value in this /28, blocking it may be prudent.
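The RIPE record above gives the allocation as a first-to-last range, while the post refers to it as a /28. This added example, which is not part of the original post, converts the inetnum range to CIDR, checks that both IPs named in the post fall inside it, and collapses a blocklist so that single IPs already covered by the block are dropped. The function names are illustrative, and 210.71.250.131 is a single IP taken from another post on this page.

```python
import ipaddress

# inetnum object from the RIPE record quoted in the post (attributes as published).
WHOIS_TEXT = """\
inetnum: 5.9.196.0 - 5.9.196.15
netname: PQCSERVICE-LLC
descr: pqcservice llc
country: DE
status: ASSIGNED PA
source: RIPE # Filtered
"""


def parse_attrs(text):
    """Parse 'key: value' lines into (key, value) pairs.

    A list is returned because whois attributes such as 'address' can repeat.
    Trailing '# ...' remarks (as in 'RIPE # Filtered') are dropped.
    """
    attrs = []
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep or not key.strip():
            continue
        attrs.append((key.strip().lower(), value.split("#", 1)[0].strip()))
    return attrs


def inetnum_to_cidrs(value):
    """Convert 'first - last' into the smallest list of CIDR networks."""
    first, sep, last = value.partition("-")
    if not sep:
        raise ValueError("expected 'first - last', got %r" % value)
    start = ipaddress.ip_address(first.strip())
    end = ipaddress.ip_address(last.strip())
    # A range that is not aligned to a power of two yields several networks.
    return list(ipaddress.summarize_address_range(start, end))


def allocation_cidrs(text):
    """All CIDR networks described by the inetnum attributes in a record."""
    cidrs = []
    for key, value in parse_attrs(text):
        if key == "inetnum":
            cidrs.extend(inetnum_to_cidrs(value))
    return cidrs


def covered(ip, cidrs):
    """True if the address falls inside any of the networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in cidrs)


def minimise(entries):
    """Collapse IPs and CIDRs; entries inside a wider block disappear."""
    nets = [ipaddress.ip_network(e, strict=False) for e in entries]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


if __name__ == "__main__":
    block = allocation_cidrs(WHOIS_TEXT)
    print([str(n) for n in block])
    for ip in ("5.9.196.3", "5.9.196.6"):
        print(ip, "inside allocation:", covered(ip, block))
    print(minimise(["5.9.196.3", "5.9.196.6", "5.9.196.0/28", "210.71.250.131"]))
```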
Monday, 4 March 2013
"British Airways E-ticket receipts" spam / forum-la.ru
From: LiveJournal.com [do-not-reply@livejournal.com]
Date: 4 March 2013 12:17
Subject: British Airways E-ticket receipts
e-ticket receipt
Booking reference: 9AZ3049885
Dear,
Thank you for booking with British Airways.
Ticket Type: e-ticket
This is your e-ticket receipt. Your ticket is held in our systems, you will not receive a paper ticket for your booking.
Your itinerary is attached (Internet Exlplorer/Mozilla Firefox file)
Yours sincerely,
British Airways Customer Services
British Airways may monitor email traffic data and also the content of emails, where permitted by law, for the purposes of security and staff training and in order to prevent or detect unauthorised use of the British Airways email system.
British Airways Plc is a public limited company registered in England and Wales. Registered number: 79805156. Registered office: Waterside, PO Box 365, Harmondsworth, West Drayton, Middlesex, England, UB7 0GB.
How to contact us
Although we are unable to respond to individual replies to this email we have a comprehensive section that may help you if you have a question about your booking or travelling with British Airways.
If you require further assistance you may contact us
If you have received this email in error
This is a confidential email intended only for the British Airways Customer appearing as the addressee. If you are not the intended recipient please delete this email and inform the snder as soon as possible. Please note that any copying, distribution or other action taken or omitted to be taken in reliance upon it is prohibited and may be unlawful.
The email has an attachment named E-Ticket-N93892PK.htm which attempts to direct the victim to a malware page at [donotclick]forum-la.ru:8080/forum/links/column.php (report here) hosted on:
198.104.62.49 (NTT America, US)
210.71.250.131 (Chunghwa Telecom, Taiwan)
Blocklist:
198.104.62.49
210.71.250.131
forumla.ru
forumny.ru
forum-la.ru
foruminanki.ru
ny-news-forum.ru
forumilllionois.ru
forum-ny.ru
dealerbid.co.uk spam
This spam uses an email address ONLY used to sign up for dealerbid.co.uk
From: HM Revenue & Customs [enroll@hmrc.gov.uk]
Date: 4 March 2013 13:37
Subject: HMRC Tax Refund ID: 3976244
Dear Taxpayer,
After the last annual calculations of your fiscal activity we have discovered that you are eligible to receive a tax refund of 377.50 GBP. Kindly complete the tax refund request and allow 2-3 working days to process it.
A refund can be delayed for a variety of reasons. For example submitting invalid records or applying after the deadline. Please click on the attached file in order to access the form for your tax refund.
Currently we are only able to process tax refunds through "LloydsTSB". Alternatively, you can wait for the next few weeks to apply for a full refund through additional financial institutions(Banks).
Kind regards,
Paul McWeeney
Head of Consumer Sales and Service
The email got horribly mangled on the way and luckily whatever payload came with it is buggered. Of interest though, the email originates from 78.136.27.79 which is home to the following websites:
everybodyonline.co.uk
uk-car-discount.co.uk
The email address has been stolen from one UK motoring related site, and the spam sent through the hacked server of another UK motoring site. That's a peculiar coincidence, although I do not believe that those site operators are responsible for this spam run.
It looks like I am not the only person to notice this same problem..
UPDATE 1: dealerbid.co.uk are investigating this issue.
UPDATE 2: it happened again.
UPDATE 3: there's no evidence of malware on 78.136.27.79, everybodyonline.co.uk or uk-car-discount.co.uk as far as I can see. I guess it may have been an open relay. If you are blacklisting these for malware then I suggest you un-blacklist them. (2013-09-25)
eFax spam / forumla.ru
Date: Mon, 4 Mar 2013 08:53:20 +0300
From: LinkedIn [welcome@linkedin.com]
Subject: Efax Corporate
Attachments: Efax_Corporate.htm
Fax Message [Caller-ID: 646370000]
You have received a 57 pages fax at Mon, 4 Mar 2013 08:53:20 +0300, (213)-406-0113.
* The reference number for this fax is [eFAX-336705661].
View attached fax using your Internet Browser.
© 2013 j2 Global Communications, Inc. All rights reserved.
eFax ® is a registered trademark of j2 Global Communications, Inc.
This account is subject to the terms listed in the eFax ® Customer Agreement.
The malicious payload is at [donotclick]forumla.ru:8080/forum/links/column.php (report here) hosted on 210.71.250.131 (Chunghwa Telecom, Taiwan). These other sites are also visible on the same IP:
foruminanki.ru
ny-news-forum.ru
forumilllionois.ru
forum-ny.ru
forumny.ru
forumla.ru
Delta Airlines spam / inanimateweaknesses.net and complainpaywall.net
From: DELTA CONFIRMATION [mailto:cggQozvOc@sutaffu.co.jp]
Sent: 04 March 2013 14:27
Subject: Your Receipt and Itinerary
Thank you for choosing Delta. We encourage you to review this information before your trip.
If you need to contact Delta or check on your flight information, go to delta.com/itineraries
Now, managing your travel plans just got easier. You can exchange, reissue and refund electronic tickets at delta.com/itineraries.
Take control and make changes to your itineraries at delta.com/itineraries.
Speed through the airport. Check-in online for your flight.
Check-in
Flight Information
DELTA CONFIRMATION #: D0514B3
TICKET #: 00920195845933
Bkng Meals/ Seat/
Day Date Flight Status Class City Time Other Cabin
--- ----- --------------- ------ ----- ---------------- ------ ------ -------
Mon 11MAR DELTA 372 OK H LV NYC-KENNEDY 820P F 19C
AR SAN FRANCISCO 8211P COACH
Fri 15MAR DELTA 1721 OK H LV LOS ANGELES 1145P V 29A
AR NYC-KENNEDY 812A# COACH
Check your flight information online at delta.com/itineraries
The email contains several links to different hacked sites, which then forward to [donotclick]inanimateweaknesses.net/closest/c93jfi2jf92ifj39ugh2jfo3g.php (report here) or [donotclick]complainpaywall.net/closest/c93jfi2jf92ifj39ugh2jfo3g.php (report here) both of which are hosted on 188.93.211.156 (Logol.ru, Russia). In my opinion 188.93.210.0/23 is a bit of a sewer and should be blocked if you can, as there are probably many other malicious sites nearby.
Of note is that the links in the email only seem to work with a correct referrer and user agent. If those are not set, then you will not end up at the malware page.
Friday, 1 March 2013
Casino-themed Blackhole sites
Here are a couple of URLs that look suspiciously like a BlackHole Exploit Kit, hosted on 130.185.105.74:
[donotclick]888casino-luckystar.net/discussing/sizes_agreed.php
[donotclick]555slotsportal.org/discussing/alternative_distance.php
[donotclick]555slotsportal.net/shrift.php
[donotclick]555slotsportal.net/discussing/alternative_distance.php
[donotclick]555slotsportal.me/discussing/alternative_distance.php
[donotclick]sexstreamsmatez.biz/discussing/alternative_distance.php
You can find a sample report here. Let's dig a little deeper into that IP address.
inetnum: 130.185.105.0 - 130.185.105.127
netname: Creative-Telematics-Trade
descr: Creative Telematics & Trade s.r.o.
country: CZ
admin-c: AT1717-RIPE
tech-c: AT1717-RIPE
status: ASSIGNED PA
mnt-by: XIRRA
source: RIPE # Filtered
person: Alexey Terentyev
address: Czech Republic
address: Praha 1, Na Prikope 10
address: 11000 Praha Czech Republi
address: CZ
phone: +420 228880161
fax-no: +420 227204027
abuse-mailbox: abuses@nkvdteam.ru
nic-hdl: AT1717-RIPE
mnt-by: NETDIRECT-MNT
source: RIPE # Filtered
route: 130.185.105.0/24
descr: XIRRA-NET
origin: AS51191
mnt-by: XIRRA
source: RIPE # Filtered
"Alexey Terentyev" isn't a very Czech name, and neither is the domain name of nkvdteam.ru.. wait.. NKVD? You have to have a certain mind-set to call yourself that I guess..
So what can we find hosted on 130.185.105.74?
I'm going to suggest that there's nothing of value here and these sites are probably malicious and should be blocked. You might want to consider blocking 130.185.105.0/24 too.
Thursday, 28 February 2013
usanewwork.com fake job offer
This fake job offer will turn out to be for some illegal activity, such as money laundering or reshipping stolen goods:
Date: Thu, 28 Feb 2013 14:57:55 -0600
From: andrzej.wojnarowski@[victimdomain]
Subject: There is a vacancy of a Regional manager in USA:
If you have excellent administrative skills, working knowledge of Microsoft Office,
a keen eye for detail, well-versed in the use of social networking sites such as Twitter and Facebook,
are organized, present yourself well and are a team player with the ability to work independently,
are reliable and punctual and can understand and execute instructions are determined to work hard and succeed - we need you.
If you are interested in this job, please, send us your contact information:
Full name:
Country:
City:
E-mail:
Please email us for details: Paulette@usanewwork.com
In this case the email originated from 187.246.25.58, a Mega Cable customer in Guadalajara, Mexico. The domain is registered to an address that does not exist (there is no Pratt Avenue in Tukwila):
Sarah Shepard info@usanewwork.com
360-860-3630 fax: 360-860-3321
4478 Pratt Avenue
Tukwila WA 98168
us
The domain was only registered two days ago on 28/2/13.
The nameservers ns1.stageportal.net and ns2.stageportal.net are shared by several other domains offering similar fake jobs:
arbeitsagentura.com
stepstonede.com
europswork.com
usanewwork.com
euroconsaltinn.com
europsconsult.com
stageportal.net
IP addresses involved are:
5.135.90.19 (OVH, France)
69.169.90.62 (Big Brain Host, US)
199.96.86.139 (Microglobe LLC, US)
This job offer is best avoided unless you like prison food.
For the record, these are the other registrant details.
stageportal.net:
LAUREEN FREEMAN
7538 TRADE ST.
SAN DIEGO, CA 92121
US
Phone: +1.8585668488
Email: wondermitch@hotmail.com
arbeitsagentura.com:
Michael B. Jackson
Michael Jackson info@arbeitsagentura.com
909-542-7178 fax: 909-542-7311
3832 Gordon Street
Pomona CA 91766
us
stepstonede.com:
John L. Irizarry
John Irizarry info@stepstonede.com
858-450-8875 fax: 858-450-8811
4808 Hamill Avenue
San Diego CA 92123
us
europswork.com:
Connie J. Grooms
Connie Grooms info@europswork.com
626-448-5229 fax: 626-448-5211
2815 Woodstock Drive
El Monte CA 91731
us
euroconsaltinn.com:
Mamie W. Murray
Mamie Murray info@euroconsaltinn.com
920-245-0475 fax: 920-245-0411
3390 Rockford Mountain Lane
West Allis WI 53227
us
europsconsult.com:
Regina P. Clay
Regina Clay info@europsconsult.com
212-241-1581 fax: 212-241-1211
408 Bell Street
New York NY 10029
us
"Contract of 09.07.2011" spam / forumny.ru
Date: Thu, 28 Feb 2013 11:43:15 +0400
From: "LiveJournal.com" [do-not-reply@livejournal.com]
Subject: Fw: Contract of 09.07.2011
Attachments: Contract_Scan_IM0826.htm
Dear Sirs,
In the attached file I am forwarding you the Translation of the Loan Contract that I have just received a minute ago. I am really sorry for the delay.
Best regards,
SHERLENE DARBY, secretary
The attachment Contract_Scan_IM0826.htm leads to malware on [donotclick]forumny.ru:8080/forum/links/column.php (report here) on:
31.200.240.153 (Unelink Telecom, Spain)
83.169.41.58 (Host Europe, Germany)
Blocklist:
"Follow this link" spam / sidesgenealogist.org
From: Josefina Underwood [mailto:hdFQe@heathrowexpress.com]
Sent: 27 February 2013 16:43
Subject: Follow this link
I have found it http://www.eurosaudi.com/templates/beez/wps.php?v20120226
Sincerely yours,
Sara Walton
The link is to a legitimate hacked site, and in this case it attempts to bounce to [donotclick]sidesgenealogist.org/closest/c93jfi2jf92ifj39ugh2jfo3g.php but at the time of writing the malware site appears to be overloaded. However, we can find an earlier report for the same server here that indicates an exploit kit.
The malware is hosted on 188.93.210.226 (Logol.ru, Russia). I would recommend blocking the entire 188.93.210.0/23 range to be on the safe side. These other two domains are in the same AS and are currently active:
reinstalltwomonthold.org
nephewremovalonly.org
scriptselse.org
everflowinggopayment.net
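One way to turn the ranges and the :8080/forum/links/column.php landing path reported in these posts into a proxy-log check. This is an added example, not part of the original posts; the log format, the sample lines and the function names are constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

BLOCKED_NETS = [ipaddress.ip_network(n) for n in (  # ranges and hosts quoted from the posts
    "130.185.105.0/24", "188.93.210.0/23", "31.200.240.153/32", "83.169.41.58/32")]
DEFANGED = [  # indicators exactly as the posts write them
    "[donotclick]forumny.ru:8080/forum/links/column.php",
    "[donotclick]forumusaaa.ru:8080/forum/links/column.php",
    "[donotclick]sidesgenealogist.org/closest/c93jfi2jf92ifj39ugh2jfo3g.php"]
LANDING_PATH = "/forum/links/column.php"  # served on port 8080 in both forum*.ru posts

def refang(indicator):  # "[donotclick]host/path" -> "http://host/path"
    s = indicator.strip().replace("[donotclick]", "")
    return s if "://" in s else "http://" + s

BLOCKED_HOSTS = {urlsplit(refang(i)).hostname for i in DEFANGED}

def classify(dst_ip, url):
    """Return the reasons one proxy record matches the page's indicators."""
    reasons = []
    try:
        ip = ipaddress.ip_address(dst_ip)
        reasons += [f"ip:{net}" for net in BLOCKED_NETS if ip in net]
    except ValueError:
        reasons.append("ip:unparseable")
    parts = urlsplit(refang(url))
    host = (parts.hostname or "").rstrip(".")
    if any(host == h or host.endswith("." + h) for h in BLOCKED_HOSTS):
        reasons.append("host:listed")
    if parts.netloc.endswith(":8080") and parts.path.lower() == LANDING_PATH:
        reasons.append("url:8080-landing")
    return reasons

# Constructed proxy log lines: timestamp, client, destination IP, URL.
SAMPLE_LOG = """\
2013-02-28T09:14:02 10.0.0.21 31.200.240.153 http://forumny.ru:8080/forum/links/column.php
2013-02-28T09:15:40 10.0.0.37 188.93.211.9 http://mail.example.org/index.html
2013-02-28T09:16:11 10.0.0.12 192.0.2.10 http://www.example.com/
2013-02-28T09:17:05 10.0.0.12 198.51.100.7 http://unlisted.example:8080/forum/links/column.php
"""

def scan(log_text):
    """Map each flagged client to the reasons its requests matched."""
    hits = {}
    for line in log_text.splitlines():
        _ts, client, dst_ip, url = line.split(maxsplit=3)
        if reasons := classify(dst_ip, url):
            hits.setdefault(client, []).extend(reasons)
    return hits
```

The second sample line is flagged only because a /23 also covers 188.93.211.x, and the fourth only by port and path, which is what still matches when the gang rotates to a domain that is not yet on a list.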
Wednesday, 27 February 2013
"End of Aug. Statement" spam / forumusaaa.ru
Date: Thu, 28 Feb 2013 06:04:08 +0530
From: "Lisa HAGEN" [WilsonVenditti@ykm.com.tr]
Subject: Re: FW: End of Aug. Statement
Attachments: Invoice_JAN-2966.htm
Good day,
as reqeusted I give you inovices issued to you per jan. (Microsoft Internet Explorer).
Regards
Lisa HAGEN
The malware is hosted at [donotclick]forumusaaa.ru:8080/forum/links/column.php (report here) hosted on:
31.200.240.153 (Unelink Telecom, Spain)
83.169.41.58 (Host Europe, Germany)
Blocklist: