Sponsored by..

Thursday, 20 June 2013

Moniker "Security Notice: Service-wide Password Reset" mail and t.lt02.net

This email from Moniker shows an impressive combination of WIN and FAIL at the same time.

www.moniker.com    

Moniker

Moniker’s Operations & Security team has discovered and blocked suspicious activity on the Moniker network that appears to have been a coordinated attempt to access a number of Moniker user accounts.

As a precaution to protect your domains, we have decided to implement a system-wide password reset. Please read the below instructions to create a new password. You will not be able to access your Moniker account until these steps are taken.

In our security investigation, we have found no evidence that domains have been lost or transferred out. We also have no evidence that any confidential or credit card information has been compromised.

While our password encryption measures are robust, we are taking additional steps to ensure that your personal data and domains remain secure. This means that, to be absolutely sure of the security of your account, we are requiring all users to reset their Moniker account passwords.
Please reset your password by following the directions below.

1) Go to Moniker.com and click the “Sign In” button in the upper right hand corner of the home page. Select the “Forgot Your Password” link.


2) You will be directed to a page to “Retrieve” your Moniker Account Password. When prompted, enter your account number and click “Submit”.


3) You will be directed to a page that displays the message below. You will receive an email from Moniker. Please follow the instructions in this email to complete the password reset.

As recent events with other large services have demonstrated, this type of activity is becoming more common. We take our responsibility to keep your domains and personal data safe very seriously, and we're constantly enhancing the security of our service infrastructure to protect our customers. We feel it is also important to be clear that we view this as attempted illegal activity and have taken steps to report this to the appropriate authorities.

There are also several important steps that you can take to ensure that your data on any website, including Moniker, is secure:
•    Avoid using simple passwords based on dictionary words
•    Never use the same password on multiple sites or services
•    Never click on 'reset password' requests in emails that you did not request

Thank you for taking the time to read this email. We sincerely apologize for the inconvenience of having to change your password, but, ultimately, we believe this simple step will result in a more secure experience. If you have any questions, please do not hesitate to contact Moniker Support. Our support team is standing by to assist at 800-688-6311 or outside the U.S. and Canada: 954-607-1294.

Drake Harvey
Chief Operations Officer
Moniker.com

Moniker
1800 SW 1st Ave, Suite 440, Portland, OR, USA
Sales and Support: +1 (800) 688-6311
www.moniker.com
   
Copyright © 2013 Moniker.com | SnapNames. 

Full disclosure and prompt action is a WIN. Shit happens, it's often how you deal with it that makes the difference. But wait.. where does the link in the email go to? t.lt02.net? Who the heck are they? And this is where a big dose of FAIL happens.

lt02.net belongs to a company called VertexInternet (vertex.net). This company is not related to Moniker, and bearing in mind that this email is about a potential security breach you might expect people to be a little bit cautious about clicking through those links.

To be fair, the body of the email does suggest going to "moniker.com" (i.e. typing it in the address bar). The mystery of lt02.net is easily explainable too.. VertexInternet run an email marketing system called Listrak which is what is being used to send out the email. The email is legitimate, and presumably it has been done this way for reasons of speed.. the problem is that many people will probably be highly suspicious of this email given the context and that this approach is often used by the Bad Guys.

If you are going to send out a message like this, make sure that all the links go to a site that the recipient would recognise. In this case the sensible option would be to link directly to moniker.com. I'm betting that quite a few people will ignore this message and then wonder why they cannot log into their accounts at a later date.

Wednesday, 19 June 2013

HP Spam / HP_Scan_06292013_398.zip FAIL

I've been seeing these spams for a couple of days now..

Date:      Wed, 19 Jun 2013 09:39:27 -0500 [10:39:27 EDT]
From:      HP Digital Device [HP.Digital0@victimdomain]
Subject:      Scanned Copy

Please open the attached document. This document was digitally sent to you using an HP Digital Sending device.

To view this document you need to use the Adobe Acrobat Reader.

-------------------------------------------------------------------------------
This email has been scanned for viruses and spam.
-------------------------------------------------------------------------------

The is an attachment called HP_Scan_06292013_398.zip. Obviously this is an attempt to deliver malware.. but the attachment is too small to have a payload. Initially I thought that it was some random part of somebody's security infrastructure stripping it off until I got a really clean copy.. and the ZIP file was just 8 bytes:
12 BA E8 AC 16 AC 7B AE
 Another sample version looks like this, with just 6 bytes:
12 BA E8 AC 16 AC
Googling for 12BAE8AC16AC or 12BAE8AC16AC7BAE gets nothing at all (well, except it will now I've blogged about it). Weird, huh?

Something evil on 205.234.139.169

205.234.139.169 (Hostforweb, US) appears to be hosting a bunch of Java exploits being served up on subdomains of hacked GoDaddy domains. The malware looks like it is being served up in some sort of injection attack. Here are some example URLs of badness:

[donotclick]blog2.stefuraassociatesinc.com:6842/ServerAdministrator/keys/pairs/applet.jnlp
[donotclick]blog2.stefuraassociatesinc.com:6842/ServerAdministrator/keys/pairs/contact.php
[donotclick]blog2.stefuraassociatesinc.com:6842/ServerAdministrator/keys/pairs/xXsdYVRQe.class
[donotclick]blog2.stefuraassociatesinc.com:6842/ServerAdministrator/keys/pairs/xXsdYVRQe/class.class
[donotclick]blog2.stefuraassociatesinc.com:6842/ServerAdministrator/keys/pairs/jfygZbFu

URLquery and VirusTotal are not very conclusive, but if it walks like a duck and quacks like a duck.. well, you know the rest.

The following domains appear to be hosted on the server. You should assume that they are all malicious, ones already flagged by Google are marked in  red .

blog2.4glenview.com
blog2.bigciti.com
blog2.bonitajoe.com
blog2.dnbmedia.com
blog2.dynamomedia.com
blog2.equityblueprintmn.com
blog2.floridawaterfrontpro.com
blog2.flsearchmls.com
blog2.fmbcribs.com
blog2.fmbjoe.tv
blog2.fortmyersbeachrealestatejoe.com
blog2.joe22.com
blog2.joemoves.com
blog2.joeorlandini.com
blog2.joesrealtygroup.com
blog2.joey1.com
blog2.joeyou.com
blog2.kitejunkys.com
blog2.loan2have.com
blog2.mailjoe.com
blog2.mlsfloridasearch.com
blog2.mysportnovelties.ca
blog2.mysportnovelties.com
blog2.naplezjoe.com
blog2.orlandinifamily.com
blog2.parkshorejoe.com
blog2.portroyaljoe.com
blog2.stefura.com
blog2.stefura-associates.com
blog2.stefuraassociatesinc.com
blog3.augustacampoli.com
blog3.bhs.com.pk
blog3.buckinghamsports.ca
blog3.itcspakistan.com
blog3.sindclub.org
blog3.sindclub.org.pk

(And yes, apparently you can get .pk domains through GoDaddy!)



Tuesday, 18 June 2013

UPS Spam / rmacstolp.net

This fake UPS spam leads to malware on rmacstolp.net:

Date:      Tue, 18 Jun 2013 01:21:34 -0800 [05:21:34 EDT]
From:      UPSBillingCenter@upsmail.net
Subject:      Your UPS Invoice is Ready

UPS Billing Center
   
This is an automatically generated email. Please do not reply to this email address.

Dear UPS Customer,

Thank you for your business.

New invoice(s) are available for the consolidated payment plan(s) / account(s) enrolled in the UPS Billing Center.

Please visit the UPS Billing Center to view your paid invoice.



Questions about your charges? To get a better understanding of surcharges on your invoice, click here.


Discover more about UPS:
Visit ups.com
Explore UPS Freight Services
Learn About UPS Companies
Sign Up For Additional Email From UPS
Read Compass Online

© 2013 United Parcel Service of America, Inc. UPS, the UPS brandmark, and the color brown are trademarks of United Parcel Service of America, Inc. All rights reserved.
For more information on UPS's privacy practices, refer to the UPS Privacy Policy.
Please do not reply directly to this e-mail. UPS will not receive any reply message.
For questions or comments, visit Contact UPS.

This communication contains proprietary information and may be confidential. If you are not the intended recipient, the reading, copying, disclosure or other use of the contents of this e-mail is strictly prohibited and you are instructed to please delete this e-mail immediately.
Privacy Policy
Contact UPS


The link in the email goes through a legitimate hacked site but then ends up on a malicious payload at [donotclick]rmacstolp.net/news/fishs_grands.php (report here and here). The payload appears to be the Blackhole Exploit kit, but the site seems to be either not working or (more likely) is being resistant to analysis.

If not called properly, the malware appears to serve up random payload pages.. I think they may be fake ones to evade detection. Here are some of them:
[donotclick]shop.babeta.ru/ftyxsem.php
[donotclick]kontra-antiabzocker.net/cpdedlp.php
[donotclick]www.cyprusivf.net/iabsvkc.php
[donotclick]clubempire.ru/ayrwoxt.php
[donotclick]artstroydom.com/rwlqqtq.php
[donotclick]www.masthotels.gr/ysmaols.php

rmacstolp.net is hosted on the following IPs:
186.215.126.52 (Global Village Telecom, Brazil)
190.93.23.10 (Greendot, Trinidad and Tobago)
193.254.231.51 (Universitatea Transilvania Brasov, Romania)
202.147.169.211 (LINKdotNET Telecom Limited, Pakistan)

Recommended blocklist:
186.215.126.52
190.93.23.10
193.254.231.51
202.147.169.211
balckanweb.com
buyparrots.net
condalinarad72234652.ru
condalinneuwu5.ru
condalinra2735.ru
condalnuas34637.ru
condalnuashyochetto.ru
diamondbearingz.net
drivesr.com
eheranskietpj.ru
ehnutidalvchedu.ru
ejoingrespubldpl.ru
ergopets.com
ermitajohrmited.ru
federal-credit-union.com
ghroumingoviede.ru
giwmmasnieuhe.ru
gnunirotniviepj.ru
gondatskenbiehu.ru
gromimolniushed.ru
gurieojgndieoj.ru
haicut.com
jetaqua.com
nipiel.com
oxfordxtg.net
oydahrenlitutskazata.ru
ozonatorz.com
pnpnews.net
profurnituree.com
rmacstolp.net
safe-browser.biz
safe-time.net
smartsecurityapp2013.com
televisionhunter.com
teszner.net
theislandremembered.com
trleaart.net
usforclosedhomes.net
winudpater.com
ww2.condalinneuwu5.ru
ww2.gnunirotniviepj.ru
zurcherarchitectz.com


Something phishy on 92.48.75.214

A couple of phishing sites 92.48.75.214 (Simply Transit, UK):

linkedlne.com - LinkedIn / Webmail Phish

This laughable fake LinkedIn login page is trying to harvest webmail addresses, being sent out via a spam message and leading to a link at [donotclick]www.linkedlne.com/login/user/:

From:     Linkedln Support [Support@supportlinkedln.com]
Date:     18 June 2013 06:53
Subject:     You need to confirm your email address.

LinkedIn

We write to inform you that your LinkedIn account has been blocked due to inactivity.

To ensure that your online services with LinkedIn will no longer be interrupted

Click here to unblock your account.

You will be asked to log into your account to confirm this email address. Be sure to log in with your current primary email address.

We ask you to confirm your email address before sending invitations or requesting contacts at LinkedIn. You can have several email addresses, but one will need to be confirmed at all times to use the system.

If you have more than one email address, you can choose one to be your primary email address. This is the address you will log in with, and the address to which we will deliver all email messages regarding invitations and requests, and other system mail.

Thank you for using LinkedIn!

--The LinkedIn Team
http://www.linkedin.com/

Learn why we included this. © 2013, LinkedIn Corporation. 2029 Stierlin 
Really this is just phishing for webmail addresses and passwords rather than LinkedIn credentials:



suncoaslfcn.org - Suncoast Schools Federal Credit Union phish

Hosted on the same server is an attempted phish for something called the "Suncoast Schools Federal Credit Union" which has an actual website at suncoastfcu.org rather than suncoaslfcn.org. The phish page is at [donotclick]sunnet.suncoaslfcn.org/SignIn/ but the phishers have left a full copy of the phishing kit which is available at [donotclick]sunnet.suncoaslfcn.org (more of which in a moment)

There's also an attempted Co-op bank phish which has been reported at [donotclick]co-operativebank.co.uk.suncoaslfcn.org/login/online-access/login.php.

There are two email addresses than can be phone in the phishing site themselves (for research purposes you can download a copy here, password is "phish"). The file verification_data.php reveals two email addresses, jsrh444@188.com and davenport1001@hotmail.com.

A quick bit of Googling around links jsrh444@188.com to the following phishing domains:
cheapflightsreserv.com
mypennystocksprofile.net
pennystocksprofile.net
sunloancom.net

A similar bit of Googling around links the other email address to the following domains:
aicuaee.com
sutherlandhostings.com
rredbulls.info
theclearfund.net

Are OVH finally taking action against spammers?

An interesting announcement from OVH might finally get the spammers on their network under control, especially the ones from India who tend to spam with impunity.

We are carrying out setup tests on the duplication of outgoing email flow.The idea is to duplicate all the traffic created by customers, going out through port 25 (smtp) on an anti-spam network, and then to analyse the sample of emails leaving our network in real time by IP, in order to control
whether the IP sends spam or not. If we detect an IP that does send spam, the aim is to be able to block the flow of (only) port 25, in less than 5 seconds after spam is first detected. All this without affecting the service performance for the customers that do not spam.

In actual fact, we have far too many spam issues and it isn't enough to shutdown the servers a few hours after having detected the spam. It's too late. It must be done in real time and must be able to block the flow in a matter of seconds. So we are thinking of how to successfully cleanse our network of spammers (who can order servers like everyone else, in just a few minutes)
The announcement has an additional note to say that it is in place already:

Comment by OVH - Monday, 17 June 2013, 16:26PM

The duplication of outgoing smtp flow has been set up.

We have 2.5Gbps to analyse in real time.
Spam isn't the only problem that OVH have as they have a significant malware problem too. But perhaps if they can drive the spammers off the network, then some of the black hat resellers that have might move elsewhere too..


Monday, 17 June 2013

NewEgg.com spam / profurnituree.com

This fake NewEgg.com spam leads to malware on profurnituree.com:

Date:      Mon, 17 Jun 2013 20:09:35 +0300 [13:09:35 EDT]
From:      Newegg Auto-Notification [indeedskahu02@services.neweg.com]
Subject:      Newegg.com - Payment  Charged


Newegg logo    
My Account     My Account |     Customer Services     Customer Services

Twitter     Twitter     You Tube     You Tube     Facebook     Facebook
click to browse e-Blast     click to browse Shell Shocker     click to browse Daily Deals
Computer Hardware     PCs & Laptops     Electronics     Home Theater     Cameras     Software     Gaming     Cell Phones     Home & Outdoors     Outlet     Marketplace     More
Spend 10-30% LESS next time you shop at Newegg—subscribe to our weekly e-Blast Newsletter!

Customer ID: [redacted]

Thank you for shopping at Newegg.com.

We are happy to inform you that your order (Sales Order Number: 425181429) has been successfully charged to your Credit or Debit Card and order verification is now complete.

If you have any questions, please visit our Contact Us Page.

Once You Know, You Newegg

Your Newegg.com Customer Service Team


ONCE YOU KNOW, YOU NEWEGG. ®
Policy and Agreement | Privacy Policy | Confidentiality Notice
Newegg.com, 9997 Rose Hills Road, Whittier, CA. 90601-1701 | © 2000-2013 Newegg Inc. All rights reserved.

The link goes through a legitimate hacked site and ends up on a malware landing page at [donotclick]profurnituree.com/news/posts_applied_deem.php (report here) although the payload appears to be 404ing (I wouldn't trust that though). The domain is hosted on the following IPs:

124.232.165.112 (China Telecom, China)
186.215.126.52 (Global Village Telecom, Brazil)
190.93.23.10 (Greendot, Trinidad and Tobago)
202.147.169.211 (LINKdotNET Telecom Limited, Pakistan)

The domain registration details are fake and indicate the Amerika gang:

   Administrative Contact:
   LOPEZ, ISSAC                ukcastlee@mail.com
   2683
   CULVER CITY, CA 92407
   US
   5149238099

Below is a partial blocklist which I recommend you use in conjunction with this list.

124.232.165.112
186.215.126.52
190.93.23.10
202.147.169.211
balckanweb.com
buyparrots.net
condalinneuwu5.ru
condalnuas34637.ru
condalnuashyochetto.ru
diamondbearingz.net
eheranskietpj.ru
ejoingrespubldpl.ru
federal-credit-union.com
giwmmasnieuhe.ru
gnunirotniviepj.ru
gstoryofmygame.ru
gurieojgndieoj.ru
jetaqua.com
nipiel.com
oxfordxtg.net
oydahrenlitutskazata.ru
ozonatorz.com
pnpnews.net
profurnituree.com
smartsecurityapp2013.com
teszner.net
theislandremembered.com
trleaart.net
usforclosedhomes.net
ww2.condalinneuwu5.ru
ww2.gnunirotniviepj.ru
zurcherarchitectz.com

Something evil on 85.214.64.153

85.214.64.153 is an IP belonging to Strato AG in Germany, it appears to host some legitimate sites but the server seems to be serving up the Neutrino exploit kit (example) which is being injected into hacked websites (specifically, malicious code is being appended to legitimate .js files on those site).

The follow Dynamic DNS domains are being abused in this attack, while they are not malicious in themselves they are abused so often that I would recommend blocking them anway:
dontexist.com
dvrdns.org
dynalias.org
gotdns.com
gotdns.org
gotdns.com
homeftp.net
mine.nu
podzone.net
selfip.biz
webhop.org

These sites appear to be legitimate, I cannot vouch for them being clean or not:
drachenschutzverein.de
rollenbeck.de
rollenbeck.eu
thefinalcut.eu
thefirstcut.de
triton-world.de

These sites are mostly flagged as malicious by Google, you can see some indicators of badness here and here:
004d28e2d38895c1245cab9b.dynalias.org
02b2b43ea1ba9bb9e72d3a69.selfip.biz
04e9e737a91bd31be2668861.mine.nu
08af1b8d55e2ba1f62732d85.gotdns.com
08ed70ff228cfd034f170d5a.mine.nu
0a935f252dd7c6a97658c956.dynalias.org
0c36d49d8ec82656db219bb5.dontexist.com
0ce19c234b42bfc3f5ae92cd.mine.nu
0ce54ec3d86cf07f5ac4640d.dontexist.com
101357ada1366203f8f3410e.podzone.net
10ffeb808d1a476d6ee06d2b.dontexist.com
11ec862e5fb9ec0762af7600.dynalias.org
128d4a163a90f543c259b1e5.mine.nu
1603db959a32f7b6f070e7b1.dontexist.com
166bb7f29be512bfc5d4c949.podzone.net
16b8286aab3437edeb846cf9.gotdns.com
17323cb4c3ff8ed8cbb0cf27.dvrdns.org
19329577e3905949b51c567c.dynalias.org
19941643733a38ef578bf12e.gotdns.org
1d26ff47b5aadad2d755979a.dvrdns.org
1d3beb9da9c09a58399e1d43.homeftp.net
1d946845b43b656d8f981e66.dynalias.org
1db064c3643e8c7cb6f89b54.gotdns.com
1f68faa21ae717bdda0536dc.dontexist.com
22c4daf753a7da024bf8b24e.mine.nu
250f1e3f1a2940aa4255deb5.dynalias.org
28d23e8ed4a6dfee2643ffce.dynalias.org
2e671f830928f031ff49f94c.dontexist.com
304ef8935293491f8259aebf.podzone.net
33409d12ccd5f348eb9e1d33.dontexist.com
33ab845252f3569c05a5ac70.dynalias.org
36a42ceaeee91822ecd84d1f.dynalias.org
37a9618442c3bd213d4877e2.gotdns.com
3896ca0bf37e183b734a6632.gotdns.org
3a009cd88f47dbd55a51ca0a.webhop.org
3b22c29409273c2ba45019e4.mine.nu
3cb79af7f0615a1eb638fd11.webhop.org
3e54c514284b705b4a6d8386.dynalias.org
3e91663455c489443d2ba75d.gotdns.com
3f80c8356bec83904a0a4b82.mine.nu
428836867237c5453a08da8e.webhop.org
43ea343452c7ac0f0846c988.podzone.net
448d3de8b830b70be22600bf.gotdns.com
44f32cf9971710b869a9e9c8.dontexist.com
47b10a4ab30e61e4b74aa661.gotdns.org
48e972108842e0d0c9e5fdf2.mine.nu
4916e2635dceb69776862390.dynalias.org
4a017cd6908b09d62c425718.selfip.biz
4c7e7dacb398c086c58d3faa.dynalias.org
4cac5eabb6a2214a81ad0760.selfip.biz
4e874edeea1e68fc792bdae2.gotdns.org
5328e9f6069f470758a00acc.dvrdns.org
549b11272b8a4b3095b0537e.dontexist.com
571ea1436338cc0d99eb8078.dynalias.org
58e74d65a3cc4fe035dbbda2.gotdns.com
5adde68d3bc12bb5e625cabb.homeftp.net
5c9d25cc7cd882479a609796.mine.nu
60a25d608e4a649e4af444e0.podzone.net
60e2af3686d06f21f3020026.homeftp.net
665b44722928d6bfbeaf988b.webhop.org
66bc311918791a6794866f50.dvrdns.org
67c97cbed3d264d19d8e5b27.dvrdns.org
6b2eb59711013d300e880d1c.dynalias.org
6b3c3cc0b4dd780c2fec2f6f.gotdns.com
6b52de135dc1495e89c0ab58.dontexist.com
6b60af16dc1d0e8ea821fdbc.gotdns.org
725a523df99960216bcfbffa.homeftp.net
73c5db9904cc52e4eace0764.webhop.org
779c26501c761d5e919a6624.homeftp.net
794b5ca01bb64c48754faf0c.dynalias.org
7e0a9746bba240206beb0fd0.homeftp.net
7e781346baa3a3bce70aa5bf.webhop.org
80cb766e88b70c906ecbefd3.dontexist.com
8140d66059dfec6425f71131.podzone.net
818644b1831c84e0798f9ee0.mine.nu
856990d5b0456a8ba9dbeb32.dontexist.com
88444afacffba122547670d1.mine.nu
8cd2b11586888ecb52ffd053.gotdns.com
8e3468104627c54bc068dd44.selfip.biz
8ec80631144f0fbc1eaa8f68.mine.nu
900139eaffbcd38018876df0.homeftp.net
90499263ca224ca95ff01024.webhop.org
909e65f061017672744285f3.dontexist.com
90d52c7d0c92f6ddacf68711.dontexist.com
910396ce5254bef0819e633d.selfip.biz
92afd94d55a6da9d1f519a7c.podzone.net
94488376b5d8d3f6c6a40bc5.webhop.org
95191465ad24aa061517253a.dynalias.org
95482702ed214a4b556619c6.selfip.biz
970fdfd18df4813f52d2472b.selfip.biz
9b212ac718b2e1235943adec.dynalias.org
9b4358c823382cbb4e82bf41.dontexist.com
9c850ba00e51786140490a36.mine.nu
9d2e959724edd7f66cec301e.selfip.biz
9eae6ea1c34249c042bf0037.podzone.net
a26f23656bab8dc4508eb5a2.mine.nu
a4c2b706b85923bb957823c2.mine.nu
a6197eccdfe18ef2ca06e48c.webhop.org
a798f98455df470c0b29b34f.mine.nu
a828fe5c598dc865e924fbb9.webhop.org
aae039e0629bd1614947f0f0.dynalias.org
ab690c910c49ad2bef9cce75.dynalias.org
b0a357b5735f902bdff042c1.podzone.net
b22d5de582060e586061f15b.homeftp.net
b66583b617d2d7b6a1dded9f.gotdns.com
b6e0134b7d7da747fe0c74e0.dynalias.org
b793df5e348aeb2c7dd5b7cc.podzone.net
ba028a028a38fcd8443e5c8f.dynalias.org
bb6e1f75f8fe369d7971ecdb.dynalias.org
bc1837ebe4d995b08079df38.mine.nu
bd7421fee539607f46f1f26a.dontexist.com
bdb7e7001bfbf6865e0e5fc7.dontexist.com
bf14f07423a53dc55ea35535.mine.nu
c1642b97da37c657a97bd848.mine.nu
c467917ae834519814e0d49a.dontexist.com
c58e1b1edc0e04195f01017a.dynalias.org
c6492763968289bebce065cf.gotdns.com
c8870d5fa9727a8d5fa2b5a8.gotdns.org
d1bfb154de06cbd381ef9751.mine.nu
d827f2ea240954322849260f.dynalias.org
d83c3de86bed61e7fb14d7b1.dynalias.org
dae7fb32afe3c0f9dc6d5ad2.mine.nu
db8c62855fb701cd676004e5.dynalias.org
dcbf23097800332e59ac4def.selfip.biz
dcc4374eda96873afb137b44.dynalias.org
dff3a271573578b6cc43c725.dontexist.com
e08bcee3f8586e0d3f3a8e31.gotdns.com
e119b0eb7fc7cb31bf64c66d.dvrdns.org
e2706818cafcdf67ea2552cb.gotdns.com
e64d445987e618bea6482938.podzone.net
eb3f72f1952b17acf62ee80d.selfip.biz
eb578347b30a518687364a9e.podzone.net
f0834c7ec0926ebe78029dc0.dynalias.org
f555bf015261100d38e0f2de.webhop.org
f5e647d0a9aa2dda4898fd2f.dynalias.org
f671629e0f16049db9ccd856.mine.nu
f777e097f711778ec22426a1.selfip.biz
fa0ccbcf1b5f74984a9530d7.mine.nu
fb857508b0c9cc35e3bab1e2.gotdns.org
fd7d46aa07ab0406560b4126.mine.nu
fd8c8f5b6a2867f79d1b8e71.gotdns.com
fe753d5f9ea4f311d1d14cc2.gotdns.com
fe8b7219896da7dbd4e28520.dynalias.org
ff5267331e22549fde4ca643.mine.nu


Saturday, 15 June 2013

HAIR / Biostem Pump and Dump rakes in the dollars

If like me you've been plagued with pump and dump spam messages for Biostem US Corp (stock ticker HAIR) for the past several days, you might be curious to know if this massive spam run is actually having any impact on the company's share price.


The stock spam started after the close of trading on Friday 7th June 2013 and has continued aggressively ever since. In parallel, the message boards for HAIR were spammed with some fairly obvious attempts to pump up the price, the following screenshot is from the Yahoo! message board.



If we look at a stock chart for Biostem, we can see that something raised the stock price from the $0.21 it had been stuck on for a while (after collapsing from about $1 a share in February) up to $0.36 on the close of business on 10th June, an increase of 71%, before settling at around $0.29 (a 38% increase).

As pointed out here, Biostem is a pretty awful looking stock where the CEO was recently arrested, accounts are overdue and the last reported financial position of the company was dire, so it looks like it is on its last legs. But crucially there seems to be no news of substance about the company, so we can assume that all the stock price movement is purely down to the pump and dump spam.

The usual volume of trade for Biotech (HAIR) stocks is pretty close to zero. From when the markets opened on Monday 10th June to the close of the market on Friday 14th June, over 2.2 million shares were traded when normally we would expect to see a few thousand if that.

There had been bursts of trading activity recently, but the most interesting was a period from 9th May for about 6 trading days when over 1.3 million shares were bought for no particular reason. After that was a period from 20th May when a further 270k shares were purchased, perhaps as speculators sniffed around the company.

We don't know who is behind the pump and dump spam run, but we assume that the spammers are the ones who bought the 1.3 million shares or so after the 9th May. If they manage to dump those shares at the peak they could have made over $200,000. But the spam run didn't stop there, and as of 15th June it is still going on. Why? Presumably because somebody still has shares in the company that they are still trying to offload. In total there are 114.2 million shares, and only 2.2 million (1.9%) of them were traded during that week.

The sad fact of the matter seems to be that pump and dump does seem to have a positive effect on this sort of thinly-traded low-value share price. But the thing is that the spammers have already taken out their positions in the target company, it is almost impossible for a normal investor to make any money out of this because as soon as the spamming starts, then the stock dumping starts as well.

Friday, 14 June 2013

On 195.110.124.133

A couple of days ago I recommended blocking 195.110.124.133 (Register.it, Italy) as a malware C&C server. It turns out that I didn't do enough checking, and this is a parking server with nearly 200k sites on it, mostly for Italian customers.

You might want to unblock the IP and block the domain ftp.videotre.tv.it instead. On the other hand, there is still some actual evil-ness on this server so you may want to keep it blocked, especially if you don't send much traffic in Italy's way.

Yahoo! "We want you back" email mystery

Here's a minor mystery with something that looks very much like a phishing email..

From:     Yahoo! [noreply@email.yahoo-inc.com]
Date:     14 June 2013 08:42
Subject:     We want you back
Signed by:     email.yahoo-inc.com

Yahoo!    
We want you back.
Sign in now    
     

Keep your account active by signing in before July 15th, 2013.

By reactivating your Yahoo! account you can experience the new Yahoo! Mail, more personalized content on Yahoo.com, and so much more.

Once your account is reactivated, every time you sign in, your account will be extended by 12 months.

Need to reset your password?
Assistance is here!

Have additional questions?
Visit Customer Care

   
      Yahoo! Customer Experience    
     

Privacy Policy  |   Web Beacons in Email

It just looks so much like a phishing email that a sensible person probably wouldn't click on it.. except, the links in the email actually go to Yahoo! and the email has been signed, so this really does appear to be a genuine email.

Except for one thing.. the email address that it was sent to has never been used to register a Yahoo! account. Yup.. something somewhere is not right with this email..

Yahoo!'s explanation can be found here.

Wednesday, 12 June 2013

"Scan from a Xerox WorkCentre" spam / Scan_06122013_29911.zip

This fake Xerox WorkCentre spam comes with a malicious attachment and appears to come from the victim's own domain:

Date:      Wed, 12 Jun 2013 10:36:16 -0500 [11:36:16 EDT]
From:      Xerox WorkCentre [Xerox.Device9@victimdomain.com]
Subject:      Scan from a Xerox WorkCentre

Please download the document.  It was scanned and sent to you using a Xerox multifunction device.

File Type: pdf
Download: Scanned from a Xerox multi~3.pdf

multifunction device Location: machine location not set
Device Name: Xerox2023


For more information on Xerox products and solutions, please visit http://www.xerox.com
Attached is a ZIP file, in this case called Scan_06122013_29911.zip which in turn contains an executable Scan_06122013_29911.exe. Note that the date is encoded into the filename so future versions will be different.

VirusTotal results are 23/47 which is typically patchy. Comodo CAMAS reports that the malware attempts to phone home to forum.xcpus.com on 71.19.227.135 and has the following checksums:
MD58fcba93b00dba3d182b1228b529d3c9e
SHA154f02f3f1d6954f98e14a9cee62787387e5b072c
SHA256544c08f288b1102d6304e9bf3fb352a8fdfb59df93dc4ecc0f753dd30e39da0c

ThreatExpert has some more information, but the ThreatTrack report [pdf] is more detailed and also identifies the following domains and IPs which are probably worth blocking or looking out for:
71.19.227.135
205.178.152.164
198.173.244.62
204.8.121.24

173.246.106.150
forum.xcpus.com
apparellogisticsgroup.net
ftp.celebritynetworks.com
portal.wroctv.com
ftp.videotre.tv.it
buildmybarwebsite.com

Update: I'd previously listed 195.110.124.133 on the blocklist which is a register.it parking server in Italy. That was probably overkill, you might want to unblock it and block ftp.videotre.tv.it instead.

Fedex spam / oxfordxtg.net

This fake FedEx spam leads to malware on oxfordxtg.net:

Date:      Thu, 13 Jun 2013 01:18:09 +0800 [13:18:09 EDT]
From:      FedEx [wringsn052@emc.fedex.com]
Subject:      Your Fedex invoice is ready to be paid now.

FedEx(R)     FedEx Billing Online - Ready for Payment

        fedex.com        
       
Hello [redacted]
You have a new outstanding invoice(s) from FedEx that is ready for payment.

The following ivoice(s) are to be paid now :

Invoice Number
 5135-13792

To pay or review these invoices, please sign in to your FedEx Billing Online account by clicking on this link: http://www.fedex.com/us/account/fbo

Note: Please do not use this email to submit payment. This email may not be used as a remittance notice. To pay your invoices, please visit FedEx Billing Online, http://www.fedex.com/us/account/fbo

Thank you,
Revenue Services
FedEx


    This message has been sent by an auto responder system. Please do not reply to this message.

The content of this message is protected by copyright and trademark laws under U.S. and international law.
Review our privacy policy. All rights reserved.

The link in the email goes through a legitimate hacked site and ends up on a malware payload page at [donotclick]oxfordxtg.net/news/absence_modern-doe_byte.php (report here) hosted on:

124.42.68.12 (Langfang University, China)
190.93.23.10 (Greendot, Trinidad and Tobago)

The following partial blocklist covers these two IPs, but I recommend you also apply this larger blocklist of related sites as well.
124.42.68.12
190.93.23.10
biati.net
condalinneuwu5.ru
condalnuas34637.ru
condalnuashyochetto.ru
cunitarsiksepj.ru
eheranskietpj.ru
ejoingrespubldpl.ru
gnunirotniviepj.ru
gstoryofmygame.ru
icensol.net
janefgort.net
jetaqua.com
klosotro9.net
mortolkr4.com
myhispress.com
nipiel.com
onlinedatingblueprint.net
oxfordxtg.net
oydahrenlitutskazata.ru
pnpnews.net
smartsecurityapp2013.com
trleaart.net
twintrade.net
usforclosedhomes.net


Is this Guy a moron spammer?

Here's a spam email from somebody I'll call Guy Van Dumbass (not quite his real name, but close enough). Is this Guy a moron spammer? Or does he just hire morons to push his CV through spam?

From:     Guy Van Dumbass [gvd@g-vanDumbass.be]
Date:     12 June 2013 09:52
Subject:     Sollicitatie als directiemedewerker

Pour la version française, cliquez ici

Betreft : Spontane sollicitatie – onmiddellijk beschikbaar

Directiemedewerker - verantwoordelijke 14 jaar ervaring

Mevrouw, Mijnheer,

Een ervaring van 14 jaar in het beheer van een sociaal juridische en financiële functie heeft mij geleerd in volledige autonomie te werken. Ik heb goede ervaringen verworven welke me vandaag toelaten het volledige beheer van één of meerdere bedrijven tot aan de balans en fiscale aangifte op me te nemen.

Daarenboven, aangezien ik voor een aantal bedrijven met een verschillend juridische statuut en in verschillende sectoren heb gewerkt, heb ik mijn aanpassingsvermogen kunnen ontwikkelen.

Ik beheers meerdere software programma's met betrekking tot het beheer en de boekhouding van bedrijven (VISION, CUBIC, GEBAT pro,…) en ik kan snel operationeel zijn in elk nieuw systeem, uiteraard met opleiding.

Ik ben stipt, georganiseerd en zou mijn competenties ten dienste willen stellen van uw bedrijf, in een functie met verantwoordelijkheid. Ik heb eveneens de smaak van analyse te pakken en ik ben geïnteresseerd in de nodige werkzaamheden nodig in de opvolging van de resultaten van een bedrijf.

Ik nodig U uit om mijn parcours bij het lezen van mijn CV, in bijlage, te ontdekken. Ik kijk ernaar uit om deze te verduidelijken tijdens een onderhoud welke U kunt inplannen volgens de beschikbaarheden in uw agenda. Ik ben immers onmiddellijk beschikbaar wegens stopzetting van mijn huidige werkgever.

In afwachting van een positief antwoord, verblijf ik met vriendelijke groeten,

Klik hier om mijn CV te downloaden

Cliquez ici pour télécharger mon CV

Guy Van Dumbass
M: +32 (0) [redacted]
E: gvd@g-vanDumbass.be
To unsubscribe, click here 
I won't bother to translate it for you, but Mr Van Dumbass is some sort of accountant. Now, actually I could probably use an accountant to save me the bother of filing my tax return myself but I somehow think that employing him full-time would be rather excessive.

Now, I'm going to be charitable to Mr Van Dumbass and assume that he didn't intend to spam these out to random unsolicited recipients such as myself but has in fact hired a bunch of moron spammers to do the work for him. So who is actually sending out this crap?

The link in the email goes to a page at stats.wew167.com and then bounces to wew-storage.com, specifically a file in wew-storage.com/com_clients/emailbrokers/20130611/GuyCVNL07.06.2013.pdf that I'm not going to link to.These two domains are registered to:

  EmailStrategie
  Buron Frederic
  6 rue de Belgique CP19
  PUILBOREAU, 17138
  FR
  +33.546661000
  (fax: +33.546661010)
  domaines@emailstrategie.com

The originating IP is 82.97.29.167, and spamvertised domains are on 82.97.13.103 and 82.97.13.233 (all belonging to TAS France / Emailstrategie).

The danger with hiring a company to "market" you as a personal brand via email is that it can backfire completely, and you could end up like Bernard Shifman. Luckily for Mr Van Dumbass, I haven't felt it necessary to put his real name on this blog to save him the humiliation. This time, anyway..

Malware sites to block 12/6/13

This is a refresh of this list of domains and IPs controlled by what I call the "Amerika" gang, and it follows on from this BBB spam run earlier. Note that IPs included in this list show recent malicious activity, but it could be that they have now been fixed. I also noticed that a couple of the domains may have been sinkholed, but it will do you no harm to block them anyway.

Hosts involved:
5.175.157.110 (GHOSTnet, Germany)
41.89.6.179 (Kenya Education Network, Kenya)
42.62.29.4 (Forest Eternal Communication Tech. Co., China)
46.18.160.86 (Saudi Electronic Info Exchange Company (Tabadul) JSC, Saudi Arabia)
46.165.248.117 (Leaseweb, Germany)
49.212.221.29 (Sakura Internet Inc., Japan)
50.56.216.124 (Rackspace, US)
50.57.166.222 (Slicehost, US)
59.42.10.172 (Guangdong Tuosi Software Science Garden, China)
67.159.12.94 (FDCservers, US)
67.202.109.141 (Steadfast Networks, US)
67.215.2.251 (Colo-Serv Communications, Canada)
77.237.190.22 (Parsun Network Solutions, Iran)
81.252.120.250 (Collectivit Locale , France)
83.136.249.108 (Sigmatic Oy, Finland)
85.17.178.56 (Leaseweb, Netherlands)
85.26.31.60 (Brutele SC, Belgium)
85.201.12.244 (Brutele SC, Belgium)
86.84.0.11 (Planet Technologies, Netherlands)
88.80.222.73 (Alfahosting, Germany)
93.89.235.13 (FBS Bilisim Cozumleri, Cyprus)
95.143.41.16 (Inline Internet / VPS4less, Germany)
95.170.95.142 (TransIP, Netherlands)
109.95.23.4 (Kvartal Plus Ltd, Russia)
109.129.225.68 (Belgacom / Skynet, Belgium)
110.78.147.173 (CAT Telecom, Thailand)
111.93.156.171 (Tata Teleservices, India)
112.170.169.56 (Korea Telecom, Korea)
114.4.27.219 (IDIA Kantor Arsip MKS, Indonesia)
116.3.3.200 (China Unicom, China)
119.147.137.31 (China Telecom, China)
141.28.126.201 (Hochschule Furtwangen, Germany)
143.107.220.160 (Universidade De Sao Paulo, Brazil)
151.1.224.118 (ITnet, Italy)
159.90.91.179 (Universidad Simon Bolivar, Venezuela)
159.253.18.253 (FastVPS, Estonia)
160.75.169.49 (Istanbul Technical University, Turkey)
164.77.149.237 (Isapre Banmedica, Chile)
172.8.24.9 (Angela Curtolo DBA / AT&T, US)
172.246.16.27 (Enzu Inc, US)
177.84.128.54 (Informática Ltda, Brazil)
177.86.131.18 (Prime Telecomunicacoes Ltda, Brazil)
177.124.195.202 (Mundivox Do Brasil Ltda, Brazil)
178.16.216.66 (Gabrielson Invest AB, Sweden)
181.52.237.17 (Telmex, Colombia)
183.82.221.13 (Hitech / Beam Telecom, India)
184.82.115.37 (HostNOC, US)
186.215.126.52 (Global Village Telecom, Brazil)
188.32.153.31 (National Cable Networks, Russia)
187.33.48.12 (GTi Telecomunicacoes Ltda, Brazil)
190.93.23.10 (Greendot, Trinidad and Tobago)
192.64.80.143 (Interserver, US)
192.210.216.90 (ColoCrossing, US)
193.254.231.51 (Universitatea Transilvania Brasov, Romania)
196.1.95.44 (Ensut-Computer Department, Senegal)
198.199.93.55 (Digital Ocean, US)
200.3.153.91 (Pontificia Universidad Javeriana, Colombia)
200.87.177.124 (EntelNet, Bolivia)
201.65.23.153 (Comercial 15 De Novembro Ltda, Brazil)
202.29.242.249 (UniNet, Thailand)
202.31.139.173 (Kum Oh National University Of Technology, Korea)
203.64.69.52 (Taiwan Academic Network, Taiwan)
203.157.216.77 (Information Technology Office, Thailand)
208.68.36.11 (Digital Ocean, US)
210.42.103.141 (Wuhan Urban Construction Institute, China)
213.74.79.236 (Superonline, Turkey)
216.172.102.230 (EBL Global Networks, US)
217.174.211.1 (Agarik SA, France)
222.200.187.83 (Sun Yat-sen University, China)

Plain IPlist for copy-and-pasting:
5.175.157.110
41.89.6.179
42.62.29.4
46.18.160.86
46.165.248.117
49.212.221.29
50.56.216.124
50.57.166.222
59.42.10.172
67.159.12.94
67.202.109.141
67.215.2.251
77.237.190.22
81.252.120.250
83.136.249.108
85.17.178.56
85.26.31.60
85.201.12.244
86.84.0.11
88.80.222.73
93.89.235.13
95.143.41.16
95.170.95.142
109.95.23.4
109.129.225.68
110.78.147.173
111.93.156.171
112.170.169.56
114.4.27.219
116.3.3.200
119.147.137.31
141.28.126.201
143.107.220.160
151.1.224.118
159.90.91.179
159.253.18.253
160.75.169.49
164.77.149.237
172.8.24.9
172.246.16.27
177.84.128.54
177.86.131.18
177.124.195.202
178.16.216.66
181.52.237.17
183.82.221.13
184.82.115.37
186.215.126.52
188.32.153.31
187.33.48.12
190.93.23.10
192.64.80.143
192.210.216.90
193.254.231.51
196.1.95.44
198.199.93.55
200.3.153.91
200.87.177.124
201.65.23.153
202.29.242.249
202.31.139.173
203.64.69.52
203.157.216.77
208.68.36.11
210.42.103.141
213.74.79.236
216.172.102.230
217.174.211.1
222.200.187.83

Identified malicious domains:
abacs.pl
autotradeguide.net
avastsurveyor.com
balckanweb.com
biati.net
bnamecorni.com
businessdocu.net
buyparrots.net
citysubway.net
cocainism.net
condalinarad72234652.ru
condalinneuwu5.ru
condalinra2735.ru
condalnuas34637.ru
condalnuashyochetto.ru
cunitarsiksepj.ru
diodmobilered.com
docudat.ru
ehchernomorskihu.ru
eheranskietpj.ru
ehnutidalvchedu.ru
ejoingrespubldpl.ru
enway.pl
ergopets.com
fastkrug.ru
federal-credit-union.com
freemart.pl
freenico.net
genown.ru
getstatsp.ru
ghroumingoviede.ru
giwmmasnieuhe.ru
gnunirotniviepj.ru
gondatskenbiehu.ru
gstoryofmygame.ru
haicut.com
hiddenhacks.com
historuronded.com
icensol.net
ingrestrained.com
inutesnetworks.su
janefgort.net
jetaqua.com
kirki.pl
klosotro9.net
lorganizedcue.com
ludena.ru
mantuma.pl
marvelfilms.net
mortolkr4.com
mslatearrival.com
multipliedfor.com
myhispress.com
nipiel.com
nvufvwieg.com
onlinedatingblueprint.net
otoperhone.com
oydahrenlitutskazata.ru
ozonatorz.com
pleak.pl
pnpnews.net
privat-tor-service.com
proxy-tor-service.com
relectsdispla.com
relectsdispla.net
reportingglan.com
safe-browser.biz
safe-time.net
salesplaytime.net
secondfiddleu.com
securepro7.ru
shopkeepersne.net
sludgekeychai.net
smartsecurityapp2013.com
smurfberrieswd.su
sngroup.pl
solarmiracles.net
techno5room.ru
televisionhunter.com
testerpro5.ru
thinkindi.net
tor-connect-secure.com
trleaart.net
twinkniche.net
twintrade.net
ukbarbers.net
unixawards.net
usergateproxy.net
usforclosedhomes.net
vip-proxy-to-tor.com
well-tailored.net
wmlawoffice.net
yelpwapphoned.com

BBB Spam / trleaart.net

This fake BBB spam with a "PLAINT REPORT" (sic) leads to malware on trleaart.net:

From: Better Business Bureau [mailto:rivuletsjb72@bbbemail.org]
Sent: 11 June 2013 18:04

Subject: Better Business Beareau Complaint ¹ S3452568
Importance: High

Sorry, your e-mail does not support HTML format. Your messages can be viewed in your browser

Better Business Bureau ©
Start With Trust
Tue , 11 Jun 2013
Issue N. S3452568
The Better Business Bureau has been booked the above said claim letter from one of your customers in respect of their dealings with you. The detailed description of the consumer's trouble are available visiting a link below. Please pay attention to this matter and inform us about your mind as soon as possible.
We amiably ask you to open the PLAINT REPORT to answer on this claim.
We awaits to your prompt response.
Faithfully yours
Daniel Cox
Dispute Advisor
Better Business Bureau
________________________________________
________________________________________
Better Business Bureau
3083   Wilson Blvd, Suite 600   Arlington, VA 25301
Phone: 1 (703) 276.0100  Fax: 1 (703) 525.8277
  
This information was delivered to [redacted]. Don't want to receive these emails anymore? You can unsubscribe

The link goes through a legitimate hacked site and end up with a malware landing page on [donotclick]trleaart.net/news/members_guarantee.php (report here) hosted on the following IPs:


160.75.169.49 (Istanbul Technical University, Turkey)
186.215.126.52 (Global Village Telecom, Brazil)
190.93.23.10 (Greendot, Trinidad and Tobago)
193.254.231.51 (Universitatea Transilvania Brasov, Romania)

This network of evil sites is rather large and I haven't had the time to look at it closely, but in the meantime here is a partial blocklist:
160.75.169.49
186.215.126.52
190.93.23.10
193.254.231.51
abacs.pl
balckanweb.com
biati.net
buyparrots.net
condalinarad72234652.ru
condalinneuwu5.ru
condalinra2735.ru
condalnuas34637.ru
condalnuashyochetto.ru
cunitarsiksepj.ru
ehchernomorskihu.ru
eheranskietpj.ru
ehnutidalvchedu.ru
ejoingrespubldpl.ru
enway.pl
ergopets.com
federal-credit-union.com
freemart.pl
genown.ru
ghroumingoviede.ru
giwmmasnieuhe.ru
gnunirotniviepj.ru
gondatskenbiehu.ru
gstoryofmygame.ru
haicut.com
icensol.net
janefgort.net
jetaqua.com
kirki.pl
klosotro9.net
ludena.ru
mantuma.pl
mortolkr4.com
myhispress.com
nipiel.com
onlinedatingblueprint.net
oydahrenlitutskazata.ru
ozonatorz.com
pleak.pl
pnpnews.net
relectsdispla.net
safe-browser.biz
safe-time.net
smartsecurityapp2013.com
sngroup.pl
televisionhunter.com
trleaart.net
twintrade.net
usforclosedhomes.net

Tuesday, 11 June 2013

Amazon.com spam / goldcoinvault.com

This fake Amazon.com spam leads to malware on goldcoinvault.com:

Date:      Tue, 11 Jun 2013 14:25:21 -0600 [16:25:21 EDT]
From:      "Amazon.com Customer Care Service" [payments-update@amazon.com]
Subject:      Payment for Your Amazon Order # 104-884-8180383

Regarding Your Amazon.com Order

Order Placed: June 11, 2013
Amazon.com order number: 104-884-8180383
Order Total: $2761.86

Sony VAIO E Series SVE11135CXW 11.6-Inch Laptop (White)

Sony KDL50EX645 50-Inch 1080p 120HZ Internet Slim LED HDTV (Black)

Sony DSC-H200 Digital Camera with 3-Inch LCD (Black)



Payment Problem
We're writing to let you know that we are having difficulty processing your payment for the above 
transaction.  To protect your security and privacy, your issuing bank cannot provide us with 
information regarding why your credit card was declined. 

However, we suggest that you double-check the billing address, expiration date and cardholder name 
that you entered; if entered incorrectly these will sometimes cause a card to decline. There is no 
need to place a new order as we  will automatically  try your credit card again.

There are a few steps you can take to make the process faster:  

1. Verify the payment information for this order is correct (expiration date, billing address, etc). 
You can update your account and billing information at : 

https://www.amazon.com/gp/css/summary/edit.html?ie=UTF8&orderID=104-884-8180383 
 
2. Contact your issuing bank using the number on the back of your card to learn more about their 
policies. Some issuers put restrictions on using credit cards for electronic or internet 
purchases.  Please have the exact dollar amount and details of this purchase when you call the 
bank.  If paying by credit card is not an option, buy Amazon.com Gift Card claim codes with cash 
from authorized resellers at a store near you. Visit www.amazon.com/cashgcresellers to learn 
more.  

Thank you for shopping at Amazon.com.  Sincerely, Amazon.com Customer Service 
http://www.amazon.com  

Please note: This e-mail was sent from a notification-only address that cannot accept incoming
 e-mail. Please do not reply to this message..
To view more details click Order Summary.
Please note: This is not a VAT invoice.

Conditions of Use | Privacy Notice 1996-2013, Amazon.com, Inc. or its affiliates

The link in the email goes through a legitimate hacked site to an intermediate page with the following redirectors:
[donotclick]ftp.blacktiedjent.com/mechanic/vaccinated.js
[donotclick]piratescoveoysterbar.com/piggybacks/rejoiced.js
[donotclick]nteshop.es/tsingtao/flanneling.js

..from there it hits the main malware payload site at [donotclick]goldcoinvault.com/news/pictures_hints_causes.php (report here) hosted on goldcoinvault.com which is a hacked GoDaddy domain hijacked to point at 173.255.213.171 (Linode, US). This same server is very active and has been spotted here and here, also using hacked GoDaddy domains, but right at the moment the malware page appears to be 403ing which is good.

These following domains appear to be pointing to that server:
ccrtl.com
chrisandannwedding.com
chriscarlson.com
eaglebay5.com
eaglebay-eb5.com
freepokermoney.com
goldcoinvault.com
gosuccessmode.com
hraforbiz.com
margueritemcenery.com
mceneryfinancial.com
megmcenery.com
page10development.com
shrinerapparel.com
shrinersapparel.com
shrinersapparel.net
supportquilting.com
taxfreeincomenow.com
taxfreeincomenow.info
taxfreeincomenow.net
taxfreeincomenow.org
tmgfinancial.org
tmginsurance.org
uniformexpert.com
uniformexperts.com
uniformoutfitter.net
uniformoutfitters.net
wcaband.org





Something evil on 173.255.213.171

As a follow-up to this post, the exploit server on 173.255.213.171 (Linode, US) is hosting a number of hijacked GoDaddy-registered domains that are serving an exploit kit [1] [2]. If you are unable to block 173.255.213.171 then I would recommend the following blocklist:

ccrtl.com
eaglebay5.com
eaglebay-eb5.com
gosuccessmode.com
hraforbiz.com
margueritemcenery.com
mceneryfinancial.com
megmcenery.com
shrinerapparel.com
shrinersapparel.com
shrinersapparel.net
supportquilting.com
taxfreeincomenow.com
taxfreeincomenow.info
taxfreeincomenow.net
taxfreeincomenow.org
tmgfinancial.org
tmginsurance.org
uniformexpert.com
uniformexperts.com
uniformoutfitter.net
uniformoutfitters.net
wcaband.org

Friday, 7 June 2013

"PAYVE - Remit file" spam / CD0607213.389710762910.zip

This fake American Express Payment Network spam has a malicious attachment.

Date:      Fri, 7 Jun 2013 20:41:25 +0600 [10:41:25 EDT]
From:      "PAYVESUPPORT@AEXP.COM" [PAYVESUPPORT@AEXP.COM]
Subject:      PAYVE - Remit file

A payment(s) to your company has been processed through the American Express Payment
Network.
The remittance details for the payment(s) are attached (CD06072013.389710762910.zip).

   -   The remittance file contains invoice information passed by your buyer. Please
contact your buyer
       for additional information not available in the file.

   -   The funds associated with this payment will be deposited into your bank account
according to the
       terms of your American Express merchant agreement and may be combined with other
American Express deposits.
       For additional information about Deposits, Fees, or your American Express merchant
agreement:
       Contact American Express Merchant Services at 1-800-528-0265 Monday to Friday,
8:00 AM to 8:00 PM ET.    -  You can also view PAYVE payment and invoice level details
using My Merchant Account/Online Merchant Services.
      If you are not enrolled in My Merchant Account/OMS, you can do so at
www.americanexpress.com/mymerchantaccount
      or call us at 1-866-220-3581, Monday - Friday between 9:00 AM-7:30 PM ET, and we'll
be glad to help you.
      For quick and easy enrollment, please have your American Express Merchant Number,
bank account ABA (routing number)
      and DDA (account number) on hand.

This customer service e-mail was sent to you by American Express. You may receive
customer service e-mails even if you have unsubscribed from marketing e-mails from
American Express.

Copyright 2013 American Express Company. All rights reserved Contact Customer Service:
https://www.americanexpress.com/messagecenter

******************************************************************************
"This message and any attachments are solely for the intended recipient and may contain
confidential or privileged information. If you are not the intended recipient, any
disclosure, copying, use, or distribution of the information included in this message and
any attachments is prohibited. If you have received this communication in error, please
notify us by reply e-mail and immediately and permanently delete this message and any
attachments. Thank you."
******************************************************************************
Attached to the email is an archive file called CD0607213.389710762910.zip which in turn contains an executable named CD06072013.239871839.exe (note that the date is included in the filename). Virustotal reports that just 8/46 anti-virus scanners detect it.

The Comodo CAMAS report gives some details about the malware, including the following checksums:

MD5fd18576bd4cf1baa8178ff4a2bef0849
SHA18b8ba943393e52a3972c11603c3f1aa1fc053788
SHA256f31ca8a9d429e98160183267eea67dd3a6e592757e045b2c35bb33d5e27d6875

The malware attempts to download further components from storeyourbox.com on 97.107.137.239 (Linode, US) which looks like a legitimate server that has been badly compromised. The following domains appear to be on the server, I would advise that they are all dangerous at the moment:

drjoycethomasderm.com
goodvaluemove.com
jacksonmoving.com
jacksonmoving.net
napervillie-movers.com
reebie.net
storageandmoving.net
storeyourbox.com
storeyourbox.net
storeyourthings.net

Update: the ThreatExpert report took a long time to process, but is quit interesting. It shows DNS queries for:
storeyourbox.com
storeyourbox.net
storeyourthings.net
drjoycethomasderm.com
www.archeting.it
www.errezeta.biz
190.147.81.28
207.204.5.170

The following URLs are accessed:
[donotclick]www.archeting.it/86zP.exe
[donotclick]www.errezeta.biz/ToSN79T.exe
[donotclick]190.147.81.28/yqRSQ.exe
[donotclick]207.204.5.170/PXVYGJx.exe

archeting.it and errezeta.biz are hosted on IPs belonging to Aruba S.p.A. in Italy (62.149.132.57 and 62.149.131.162 respectively). I've long suspected that there's a serious problem with Aruba due to a very high incidence of malware sites. Those are shared hosting IPs and as far as I can tell the rest of the sites on those servers are clean.

190.147.81.28 and 207.204.5.170 (Telmex, Colombia and Register.com US) have been seen before and don't seem to be shared hosts. I would strongly recommend blocking them.



BBB spam / pnpnews.net

This fake BBB spam leads to malware on pnpnews.net:

From: Better Business Bureau [mailto:standoffzwk68@clients.bbb.com]
Sent: 07 June 2013 15:08
Subject: BBB information regarding your customer's pretension No. 00167486

Better Business Bureau ©
Start With Trust ©
Fri, 7 Jun 2013
RE: Complaint No. 00167486
[redacted]
The Better Business Bureau has been entered the above said grievance from one of your users in regard to their business relations with you. The information about the consumer's trouble are available visiting a link below. Please pay attention to this matter and notify us about your sight as soon as possible.
We kindly ask you to overview the CLAIM LETTER REPORT to meet on this claim.
We awaits to your prompt answer.
Faithfully yours
Jonathan Edwards
Dispute Advisor
Better Business Bureau
________________________________________
________________________________________
Better Business Bureau
3093  Wilson Blvd, Suite 600   Arlington, VA 29701
Phone: 1 (703) 276.0100  Fax: 1 (703) 525.8277
 
This letter was delivered to [redacted]. Don't want to receive these emails anymore? You can unsubscribe

The link in the email goes through a legitimate hacked site and then to a payload at [donotclick]pnpnews.net/news/readers-sections.php (report here) hosted on:

46.18.160.86 - Saudi Electronic Info Exchange Company (Tabadul) JSC
93.89.235.13 - FBS Bilisim Cozumleri, Cyprus
178.16.216.66 - Gabrielson Invest AB, Sweden
186.215.126.52 - Global Village Telecom, Brazil
190.93.23.10 - Greendot, Trinidad and Tobago

Blocklist:
46.18.160.86
93.89.235.13
178.16.216.66
186.215.126.52
190.93.23.10
abacs.pl
balckanweb.com
biati.net
buyparrots.net
citysubway.net
condalnuashyochetto.ru
cunitarsiksepj.ru
eheranskietpj.ru
ejoingrespubldpl.ru
enway.pl
federal-credit-union.com
giwmmasnieuhe.ru
gnunirotniviepj.ru
gstoryofmygame.ru
icensol.net
janefgort.net
myhispress.com
onlinedatingblueprint.net
oydahrenlitutskazata.ru
ozonatorz.com
pnpnews.net
smartsecurityapp2013.com
sngroup.pl
twintrade.net
usforclosedhomes.net


Malware sites to block 7/6/13

Two IPs that look related, the first is 37.235.48.185 (Edis, Poland or Austria) which host some domains that are also found here (158.255.212.96 and 158.255.212.97, also Edis) that seem to be used in injection attacks. I can identify the following domains linked to 37.235.48.185:

faggyppvers5.info
finger2.climaoluhip.org
linkstoads.net
node1.hostingstatics.org
node2.hostingstatics.org

Injecting some of the same sites as the domains on the above IPs is jstoredirect.net which is currently offline but was hosted on 149.154.152.18 which is also Edis (can you see the pattern yet?) so I would assume that they are linked. In the few days that jstoredirect.net was online it managed to infect over 1500 sites.

Aggregate blocklist:
98.126.9.34
114.142.147.51
158.255.212.96
158.255.212.97
nethostingdb.com
netstoragehost.com
connecthostad.net
climaoluhip.org
hostingstatics.org
systemnetworkscripts.org
numstatus.com
linkstoads.net
faggyppvers5.info
jstoredirect.net