Sponsored by..

Thursday, 25 July 2013

CNN "77 dead after train derails" spam / evocarr.net

This spam mismatches two topics, a train crash in Spain and the birth of a royal baby in the UK, but it leads to malware on evocarr.net:


Date:      Thu, 25 Jul 2013 20:19:44 +0800 [08:19:44 EDT]
From:      77 dead after train derails [BreakingNews@mail.cnn.com>]
Subject:      "Perfect gift for royal baby ... a tree?" -  BreakingNews CNN


77 dead after train derails, splits apart in Spain
By Al Goodman, Elwyn Lopez, Catherine E. Shoichet, CNN July 25, 2013 -- Updated 0939 GMT (1739 HKT)
iReporter: 'It was a horrific scene'
STORY HIGHLIGHTS

    NEW: Train driver told police he entered the bend too fast, public broadcaster reports
    NEW: Regional governor declares 7 days of mourning for the victims, broadcaster says
    Witness: "The train was broken in half. ... It was quite shocking"
    77 people are dead, more bodies may be found, regional judicial official says

Madrid (CNN) -- An express train derailed as it hurtled around a curve in northwestern Spain on Wednesday, killing at least 77 people and injuring more than 100, officials said.� Full Story >>>>

The link in the email goes to a legitimate hacked site which tries to load one or more of the following scripts:

[donotclick]church.main.jp/psychosomatics/rayon.js
[donotclick]video.whatsonstage.com/overstocking/ownership.js
[donotclick]www.fewo-am-speckbusch.de/referees/metacarpals.js

From there the victim is sent to a landing page at [donotclick]evocarr.net/topic/accidentally-results-stay.php hosted on 69.163.34.49 (Directspace LLC, US). The following hijacked GoDaddy domains are on the same IP and can be considered suspect:
evocarr.net
serapius.com
leacomunica.net
mindordny.org
rdinteractiva.com
yanosetratasolodeti.org

Wednesday, 24 July 2013

CNN "Perfect gift for royal baby ... a tree?" spam / nphscards.com

This fake CNN spam leads to malware on nphscards.com:

Date:      Wed, 24 Jul 2013 19:54:18 +0400 [11:54:18 EDT]
From:      "Perfect gift for royal baby ... a tree?" [BreakingNews@mail.cnn.com]
Subject:      "Perfect gift for royal baby ... a tree?" -  BreakingNews CNN

CNN
U.S. presidents have spotty record on gifts for royal births
By Jessica Yellin, CNN Chief White House Correspondent
July 24, 2013 -- Updated 0151 GMT (0951 HKT)
Watch this video
Perfect gift for royal baby ... a tree?

STORY HIGHLIGHTS

    Gifts for William and Catherine's baby must honor special U.S.-UK relationship
    William got a gift from Reagans when he was born; brother Harry got nothing
    Truman sent telegram for Charles' birth; Coolidge did even less for queen's birth
    Protocol expert suggests American-made crafts -- but no silver spoons

Washington (CNN)�-- What will the Obamas get the royal wee one? Sources say it's a topic under discussion in the White House and at the State Department.

No baby buggy will do. The president and first lady must find a special gift to honor the special relationship between the United States and the United Kingdom.

Kate and William bring home royal baby boy

The payload work in exactly the same way as this fake Facebook spam earlier today and consists of a hacked GoDaddy domain (nphscards.com) hosted on 162.216.18.169 by Linode.

"You requested a new Facebook password" spam / nphscards.com

This fake Facebook spam leads to malware on nphscards.com:

Date:      Wed, 24 Jul 2013 11:22:46 -0300 [10:22:46 EDT]
From:      Facebook [update+hiehdzge@facebookmail.com]
Subject:      You requested a new Facebook password

facebook
Hello,

You recently asked to reset your Facebook password.
Click here to change your password.
Didn't request this change?
If you didn't request a new password, let us know immediately.
Change Password
This message was sent to [redacted] at your request.
Facebook, Inc., Attention: Department 415, PO Box 10005, Palo Alto, CA 94303
The link in the email goes through a legitimate hacked site and then through one or both of these following scripts:
[donotclick]ftp.thermovite.de/kurile/teeniest.js
[donotclick]traditionlagoonresort.com/prodded/televised.js

The victim is then directed to [donotclick]nphscards.com/topic/accidentally-results-stay.php (report here) which appears to be 403ing, but this may just be trickery. The site is hosted on 162.216.18.169 (Linode, US) and the domain nphscards.com itself appears to have been hijacked from GoDaddy. The domain nphssoccercards.com is also on the same server and is probably hijacked.

More deceptive parkconnect.net / Emailmovers Ltd spam

This spam (sent to a scraped email address) is an apparent front operation for Emailmovers Ltd, who are using the parkconnect.net domain to hide who is spamming. I have caught them doing this before:

From:     Adam Perkins [adam.perkins@parkconnect.net]
Date:     24 July 2013 01:26
Subject:     The world’s most energy efficient sustainable hand dryer
Mailing list:     cGFya2Nvbm5lY3QubmV0LzIzNTM3ODI=
Signed by:     parkconnect.net

Hi,

As part of your vision of a more sustainable organisation, I have something interesting to share with you.

My client produces the world's most efficient hand dryer, achieving a Guinness World Record for its energy efficiency, drying 43 pairs of hands for an operating cost of just 1p, that’s the cost of a single sheet of paper!

The dryer uses 66% less energy than the Dyson range of hand dryers, also lasting 10x longer than conventional dryers, it’s fast becoming the market leader used by multinational organisations such as British Airways, Marriott Hotels & McDonald’s to name a few.

Furthermore, the company's products qualify for ECA scheme and have been added to the Energy Technology Product List. This means that your business can claim 100% first-year capital allowance for your investment, which can provide a helpful cash flow boost, and shorten your payback period.

Purchasing a dryer could not be easier, you can purchase the product outright or rent it for less than your energy saving! Rentals cost as little as £2.51p per week, and cut your energy bills by up to 88%.
Speak to someone now about finding the best price plan for you.

See the top 7 features and benefits of this hand dryer:
1. Uses only 550W and dries in 15 seconds
2. Significant energy and cost savings of up to 88%
3. Comes with an industry leading 7-year warranty
4. Low operating sound from 83dB
5. Easy Install, Retro fitting - no rewiring or re-plastering required
6. Brushless motor - 10 times more life & little or no maintenance
7. Short payback period - up to 12 month max.

Please leave your details in the form here, or alternatively reply directly to this email.

Many thanks
Adam Perkins
Park Connect

Email: adam.perkins@parkconnect.net

Tel: 0843 289 3149

145 Irving Grove, Corby, Northamptonshire, NN17 2BL

To no longer recive emails from Park Connect please click here

The content of this email is intended only for the person(s) (“Intended Recipient”) to whom it is addressed. It may contain information which is privileged and confidential. Accordingly any dissemination, distribution, copying or other use of this message or any of its content by any person other than the Intended Recipient may constitute a breach of civil or criminal law and is strictly prohibited. If you are not the Intended Recipient, please contact the sender as soon as possible. The security of email communication cannot be guaranteed and Park Connect accepts no liability for claims arising as a result of the use of this medium to transmit messages to or from Park Connect. Any views expressed in this email are those of the individual sender, except where the sender specifies them to be of Park Connect.

This is what you see if you visit the site:



The email originates from 109.169.23.142 (Iomart Hosting, UK) and spamvertises parkconnect.net hosted on the same server. The domain is registered with anonymous WHOIS details and has no obvious ownership details.

The address "145 Irving Grove, Corby, Northamptonshire, NN17 2BL" is a complete fabrication. Irving Grove is a little cul-de-sac in Corby, and as you can see it consists of about 22 houses. There is no number 145. There is also no active company called "Park Connect" operating in the UK according to Companies House (there is a dormant company of the same name in Birkenhead, almost definitely unrelated). Pretty deceptive, huh?

But previously when I have emailed Park Connect, I get a reply from Emailmovers Ltd. Odd that, isn't it? Either "Park Connect" are acting as a lead generator of Emailmovers, or they are simply a front for Emailmovers. Either way, it doesn't reflect very well on Emailmovers, does it?

CNN "Harrison Ford" spam / 173.246.101.146 and fragrancewalla.com

This fake CNN alert leads to malware on fragrancewalla.com:


Date:      Wed, 24 Jul 2013 12:13:04 +0530 [02:43:04 EDT]
From:      "Harrison Ford on 'Ender's Game' controversy: 'Not an issue for me'" [BreakingNews@mail.cnn.com]
Subject:      "Harrison Ford on 'Ender's Game' controversy: 'Not an issue for me'"

CNN
Harrison Ford on 'Ender's Game' controversy: 'Not an issue for me'
By Emily Zemler, Special to CNN
July 21, 2013 -- Updated 1546 GMT (2346 HKT)
Actor Harrison Ford said he wasn't concerned about
Actor Harrison Ford said he wasn't concerned about "Ender's Game" author Orson Scott Card's views on gay marriage.


Editor's note: CNN.com is covering Comic-Con, the international gathering of geek and mainstream pop culture enthusiasts, through Sunday.

San Diego (CNN) -- For actor Harrison Ford, who is starring in a movie adaptation of Orson Scott Card's heralded and popular novel "Ender's Game," statements against same-sex marriage by the science-fiction author "are not an issue for me." FULL STORY

The link in the email goes through a legitimate hacked site, and then tries to run one or all of the following scripts:
[donotclick]ellensplace.lk/orientated/honecker.js
[donotclick]rodeiouniversitario.com.br/vicissitudes/furlong.js
[donotclick]funeralsintexas.com/gazillions/donkey.js

In turn, these scripts direct the victim to a malware landing page at [donotclick]fragrancewalla.com/topic/accidentally-results-stay.php (report here, appears to be 403ing but that could just be an anti-analysis response) hosted on 173.246.101.146 (Gandi, US).

The domain in question appears to be a hacked GoDaddy account, and the following GoDaddy registered domains are also on the same server and should be treated as suspicious:
happykidoh.com
fragrancewalla.com
fragrancessurplus.com

Tuesday, 23 July 2013

Something evil on 91.233.244.102, Part II

Another batch of domains to block on this evil server. See more about the web host in question here.

3e2b312075.com
abwkscsffvqvt.com
aeflkpdhxloa.org
alnvggqlpfcnirw.in
auumhjwopdlunno.net
bgdqfddrqwpfou.net
bwincdwtyxsorh.in
cfcdgvwxnbwcs.net
cfirjgkgirkxkh.net
dkjphajyjkfpxxa.net
doxewpsjdnjmk.com
dpluydtsxloe.org
dqdoydtsxloe.org
dqyokpshxeoa.org
dqzopdhxloa.org
dsmfwjivipeysga.in
evuhdwnkmrljqx.net
fsdrpxvgmmvfiq.in
fssjpikqkysxx.net
fuaihaughbdgmp.net
gerdakourepack.com
gfhhthdfggd.com
gjktaxggjlxkp.com
gsvlynnaafkef.net
gwbybehycpxpshd.in
hclaydtsxloe.org
heepwhtaquwc.net
iebvqib-iwl.org
igpcuvalgvbfaf.net
igpmnrkjoqjwo.net
iluminati9999900.com
invognekggjp.com
iwuyrvtylnojde.in
jgsowwnlbieyv.net
jwlnelgyncojg.com
kdddkpdhxloa.org
kdsdydtsxloe.org
kpopmqjvqdnjl.com
kregstrttlsg.net
kuddkpshxeoa.org
kxagpdhxloa.org
lbaviecejxft.com
lequkvmlratgsm.in
lvhsspkwyevfca.net
mswqfsqgtcsluvy.net
mtjugjbwwldfl.net
nfryedhaxhpf.net
nhjxbdnnvmr.com
nkbfpywlvglrb.com
oeqbmaqtecen.net
oeurkpshxeoa.org
ovjxnjrowtuu.com
pgiqlkbgdooiypl.in
phgxesbwepuic.net
piltfjdxqxjkflb.net
pniawgbftvnb.com
poopthree.com
qxcytmwldjdur.com
rrqrimogegyn.net
sbmhywyrtbib.com
skwkpfaqacfdyvv.in
stebqigidqbnaqu.net
supnewdmn.com
swbadolov.com
ttncvthmewyexig.net
ufektvetngbf.net
ufvgtnnmukdmjb.net
vjseqysltlteksy.net
vpqtpdhxloa.org
vrvtgirixixepis.in
vvvjecojmbju.com
wjcfvktlefqhigp.net
xloakpdhxloa.org
xsebpicutltn.net
xsqgafytwjygwl.in
xunwrhxtwgwylr.net
yjaqgsmksfcd.net
yrfaimwtpkelc.net
yvknkdqeouqqpbo.in

webcashmgmt.com "Incoming Money Transfer" spam / A136_Incoming_Money_Transfer_Form.zip

This fake webcashmgmt.com spam comes with a malicious attachment:

Date:      Tue, 23 Jul 2013 10:21:08 -0500 [11:21:08 EDT]
From:      WebCashmgmt [Alberto_Dotson@webcashmgmt.com]
Subject:      Important Notice - Incoming Money Transfer

An Incoming Money Transfer has been received by your financial institution for spamcop.net. In order for the funds to be remitted on the correct  account please complete the "A136 Incoming Money Transfer Form".

Fax a copy of the completed "A136 Incoming Money Transfer Form" to +1 800 722 5331.

To avoid delays or additional fees please be sure the Beneficiary Information including name, branch name, address, city, state, country, and Routing Number (ABA Number) or SWIFT BIC Code is correct. For international Wires be sure you include the International Routing Code (IRC) and International Bank Account Number (IBAN) for countries that require it.

Thank you,

Alfredo_Ochoa
Senior Officer
Cash Management Verification
Phone : 733-495-7476
Email: Alfredo_Ochoa@webcashmgmt.com

CONFIDENTIALITY NOTICE: This electronic mail transmission and any attached files contain information intended for the exclusive use of the individual or entity to whom it is addressed and may contain information belonging to the sender (Fiserv, Inc.) that is proprietary, privileged, confidential and/or protected from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any viewing, copying, disclosure or distributions of this electronic message are violations of federal law. Please notify the sender, by email or telephone (800 722 6328), of any unintended recipients and delete the original message without making any copies. 
There is an attachment A136_Incoming_Money_Transfer_Form.zip containing an executable file A136_Incoming_Money_Transfer_Form.exe. The VirusTotal detection rate is a miserable 6/47.

This is a two stage pony/gate infection according to the Malwr report. Functionally it looks very similar to the payload used in this spam run.

Something evil on 91.233.244.102

These following domains are hosted on 91.233.244.102 (Olborg Ltd, Russia). This IP is implicated in Runforestrun infectors, has several malware detections on VirusTotal plus a few on URLquery. Google has flagged several domains as being malicious (marked in red below).

Obviously there's quite a concentration of evil on this IP address and the simplest thing to do would be to banish it from your network, in fact I would personally recommend blocking the whole 91.233.244.0/23 block at least 91.233.244.96/28 (see why) . However, a (probably incomplete) list of suspect domains on this IP are as follows:


aabgxpqayus.com
adcjhjpalcljihgw.info
adwwlwgfgefmzcwg.info
aefbydtsxloe.org
anzku-bqe.net
aodpcm-foub.com
aodpcm-foubfkmp.info
aoflkpshxeoa.org
apsnxeyafofkqfql.ru
apvvkrodqlouyoso.ru
aydpgzxzyidbeqoq.ru
ayxksipvqfxvlfaq.ru
bhigmqckbqhleqlo.ru
cqfreoz-qwd.info
cqfreoz-qwdhmor.com
cuojshtbohnt.com
cuojshtbohnt.info
dfglsfvdyus.com
dgjrfwiwpgjrwdcg.info
dgmcaaliawgewghp.info
donotwantyou787.ru
dppukpdhxloa.org
drgsfp-irxei.com
dspukpshxeoa.org
dwofvs-jdoyhpe.in
eaxrm-xnesh.org
fafogzpvzbvorqkk.ru
fexwxvogrgvfqxzk.ru
feyvxryisqafrssy.ru
fiwiziccefirihhh.info
fjzgpahrgwrzcwle.info
ftiuhrc-tzgk.info
fwcfpfwggjgmfwhw.info
fwdgffzethwhgffp.info
fyqhxu-lfq.in
gffqihioodwfteii.info
ggprgzwfapwdwold.info
gooogleadsense.org
hccakpdhxloa.org
hcnvidjkpytou.com
hhmsobscuoxgqwkhtugpnr.com
hivqwbnkasisil.com
hmcakpshxeoa.org
igicpiipggljcwaf.info
ihwwwhwipfarwrtf.info
ijxsncuprepwqzlt.ru
iprdjrhfporqpgcg.info
ipwfwtdwgiwwehie.info
jdiiffgfgg.com
jecvydtsxloe.org
jeuvkpdhxloa.org
jyuvkpshxeoa.org
kdvmczv-k.in
kkagkpshxeoa.org
kkyqexfzsqzysrkl.ru
knuidyekzkyuhtpi.ru
kxpgydtsxloe.org
kynzmwh-y.info
kynzmwh-yelpu.com
lalcjrdwrqwgwerf.info
ljfwwtftwgiltwwp.info
ljhfhwgiwiwhpwrf.info
lomxtgmgrswlgrrn.ru
mapbo-jra.com
mapbo-jragnrw.info
mfgqnlbmyus.com
mpmeezpmowrgihzc.info
nealkpdhxloa.org
newlydtsxloe.org
nsjosicxuhpidhlp.ru
nwalkpshxeoa.org
ocunydtsxloe.org
ocurkpdhxloa.org
odzbgxfiipvkrqfa.ru
oghwrfhoyus.com
oiicmtkpkaocnm.com
peawrwfgtewchzjc.info
peijgfhwhoffgorf.info
powwrwllojfjgrfg.info
pqueaafqaeoqrqxq.ru
psknwsqsqognrpoo.ru
qablspvqyus.com
qflqqfqqwzazqzrw.ru
qqzewquorqiuqviv.ru
r5z7yy68.com
rfffnahfiywyd.com
rfffnahfiywyd.info
rgdgkpshxeoa.org
rpdgkpdhxloa.org
rpdtydtsxloe.org
rrilffoowjcrqpdw.info
rrrmpfqrgfgfmthj.info
rseibvaoopvkvxyp.ru
sdfsfjkhewsdfe.com
sodsvsyxfzelkknq.ru
soopqzxleaqlqqfi.ru
sownoyqkaqxpqqkp.ru
thwiv-qyhnuydf.info
twctqwaggdwfwhzd.info
uivh-cltqmhb.org
uquqlyyuivkogxyr.ru
vbkfrqqfovaqyeio.ru
viqtkpshxeoa.org
vjykxh-ajp.info
vjykxh-ajpwafh.com
vogxnkg-vgqz.in
vpftydtsxloe.org
vvteeuevhpbpepfi.ru
vxvhwcixcxqxd.com
walfyqoslwfzgxxf.ru
wcrcwwzwercejjjp.info
wfcwhhrfoacawllf.info
wfigeegwffwgoffj.info
wgfdwfhejieeppeo.info
wiafokpwyus.com
wqllweihhwawzctg.info
wwfcfpmfwpompwow.info
xlamzju-lr.com
xlamzju-lrychj.info
xloeydtsxloe.org
xwaqllqvdovqikyn.ru
xweexxdyiaoaskfy.ru
yalkzsvudybexfgd.ru
yirxzxffiedeqddo.ru
ylaqdsoorlrrfyke.ru
ylbaugjnfutivfupbojcybabmrax.com
ypfuidx-i.com
yqgeqwxyfqowoiko.ru
yrjaq-jeyjtckzn.in
zkafwwiilgszbeps.ru
zkzuqobzowqyuixg.ru
zvswwossogquwrfs.ru
zyvskwylixxfswkq.ru

Malware sites to block 23/7/13

These malicious domains and IPs are associated with this prolific gang.  As usual, I've listed IPs with hosts first and then a plain list of IPs and domains for copy-and-pasting at the end.

5.175.191.106 (GHOSTnet, Germany)
24.173.170.230 (Time Warner Cable, US)
31.145.19.17 (Borusan Telekom / Ericsson-NET, Turkey)
41.196.17.252 (Link Egypt, Egypt)
46.246.41.68 (Portlane Networks, Sweden)
46.45.182.27 (Radore Veri Merkezi Hizmetleri, Turkey)
50.97.253.162 (Softlayer, US)
54.225.124.116 (Amazon AWS, US)
59.77.36.225 (CERNET, China)
59.124.33.215 (Chungwa Telecom, Taiwan)
59.126.142.186 (Chungwa Telecom, Taiwan)
59.160.69.74 (TATA Communications, India)
61.28.143.133 (ETPI, Philippines)
62.76.44.105 (IT House / Clodo-Cloud, Russia)
69.60.115.92 (Colopronto, US)
74.62.189.22 (Time Warner Cable, US)
74.93.56.83 (Comcast, US)
74.208.246.145 (1&1, US)
85.17.224.131 (Leaseweb, Netherlands)
85.119.187.145 (UniWeb, Belgium)
88.86.100.2 (Supernetwork / Castlegem, Czech Republic)
88.150.191.194 (Redstation, UK)
95.87.1.19 (Trakia Kabel OOD, Bulgaria)
95.111.32.249 (Mobitel EAD, Bulgaria)
108.170.32.179 (Secured Servers, US)
108.179.8.103 (Tyco / Cablevision, US)
109.123.125.68 (UK2.net, UK)
114.112.172.34 (Worldcom Teda Networks Technology, China)
119.92.209.120 (Makati  IPG, Philippines)
120.124.132.123 (TANET, Taiwan)
121.83.197.179 (K-Opticom Corporation, Japan)
128.252.158.57 (Washington University, US)
138.80.14.27 (Charles Darwin University, Australia)
140.120.113.18 (TANET, Taiwan)
162.209.80.221 (Rackspace, US)
165.225.149.235 (Joyent, US)
166.78.183.28 (Rackspace, US)
172.245.16.47 (New Wave NetConnect / ColoCrossing, US)
172.255.106.126 (Nobis Technology Group, US)
182.72.216.173 (CusDelight Consultancy Services, India)
188.40.92.12 (Hetzner, Germany)
188.132.213.115 (Mars Global Datacenter Services, Turkey)
188.134.26.172 (Perspectiva Ltd, Russia)
189.15.96.61 (Companhia De Telecomunicacoes Do Brasil Central , Brazil)
190.85.249.159 (Telmex Colombia, Colombia)
190.238.107.240 (Telefonica del Peru, Peru)
192.95.54.119 (OVH, Canada)
192.241.205.26 (Digital Ocean, US)
195.225.58.122 (C&A Connect SRL, Romania)
198.61.213.12 (Rackspace, US)
198.98.102.165 (Enzu, US)
198.175.124.17 (DNSSLAVE.COM, US)
202.197.127.42 (Hunan Normal University, China)
203.236.232.42 (KINX, Korea)
208.69.42.50 (Bay Area Video Coalition, US)
208.115.114.68 (WOWRACK, US)
209.222.67.251 (Razor Inc, US)
210.200.0.95 (Asia Pacific On-line Services, Taiwan)
211.224.204.141 (KINX, Korea)
212.143.233.159 (013 Netvision Network, Israel)
217.64.107.108 (Society Of Mali's Telecommunications , Mali)

5.175.191.106
24.173.170.230
31.145.19.17
41.196.17.252
46.246.41.68
46.45.182.27
50.97.253.162
54.225.124.116
59.77.36.225
59.124.33.215
59.126.142.186
59.160.69.74
61.28.143.133
62.76.44.105
69.60.115.92
74.62.189.22
74.93.56.83
74.208.246.145
85.17.224.131
85.119.187.145
88.86.100.2
88.150.191.194
95.87.1.19
95.111.32.249
108.170.32.179
108.179.8.103
109.123.125.68
114.112.172.34
119.92.209.120
120.124.132.123
121.83.197.179
128.252.158.57
138.80.14.27
140.120.113.18
162.209.80.221
165.225.149.235
166.78.183.28
172.245.16.47
172.255.106.126
182.72.216.173
188.40.92.12
188.132.213.115
188.134.26.172
189.15.96.61
190.85.249.159
190.238.107.240
192.95.54.119
192.241.205.26
195.225.58.122
198.61.213.12
198.98.102.165
198.175.124.17
202.197.127.42
203.236.232.42
208.69.42.50
208.115.114.68
209.222.67.251
210.200.0.95
211.224.204.141
212.143.233.159
217.64.107.108
aa.com.reservation.viewfareruledetailsaccess.do.sai-uka-sai.com
abundanceguys.net
allgstat.ru
amimeseason.net
annot.pl
antidoctorpj.com
aqua-thermos.com
astarts.ru
auditbodies.net
aurakeep.net
autocompletiondel.net
autorize.net.models-and-kits.net
badstylecorps.com
basedbreakpark.su
beachfiretald.com
bebomsn.net
biati.net
blacklistsvignet.pl
blackragnarok.net
blindsay-law.net
bnamecorni.com
boats-sale.net
brasilmatics.net
buffalonyroofers.net
businessdocu.net
buty24-cool.com
buycushion.net
cbstechcorp.net
centow.ru
chairsantique.net
ciriengrozniyivdd.ru
cirormdnivneinted40.ru
clik-kids.com
condaleunvjdlp55.net
condalinarad72234652.ru
condalinaradushko5.ru
condalininneuwu36.net
condalinneuwu37.net
condalinneuwu5.ru
condalnua745746.ru
cooldeaflympics.com
cpa.state.tx.us.tax-returns.mattwaltererie.net
crossplatformcons.com
cryoroyal.net
datapadsinthi.net
doorandstoned.com
driversupdate.pw
dulethcentury.net
e-citystores.net
e-eleves.net
ehchernomorskihu.ru
ehnaisnwhgiuh29.net
ehnihenransivuennd.net
ehnihjrkenpj.ru
ehnihujasebejav15.ru
eliroots.ru
epackage.ups.com.shanghaiherald.net
ergopets.com
erminwanbuernantion20.net
ermitirationifyouwau30.net
estateandpropertty.com
etiquetteinsp.net
fastfragcheck.com
feminineperceiv.pl
fenvid.com
filmstripstyl.com
firefoxupd.pw
firerice.com
flashedglobetrot.pl
foremostorgand.su
foremostorgand.suc
fulty.net
gamnnbienwndd70.net
gcoordinatind.com
gebelikokulu.net
generationpasswaua40.net
genie-enterprises.com
germany.no-ip.biz
ghroumingoviede.ru
gnanosnugivnehu.ru
gondamtvibnejnepl.net
goodread.pl
greenleaf-investment.net
gromovieotvodidiejj40.net
handwrittenma.com
hdmltextvoice.net
heavygear.net
heidipinks.com
hemorelief.net
hiddenhacks.com
highsecure155.com
hingpressplay.net
homesforsaleftwaltonbea.com
hotkoyou.net
hotpubblici.com
housesales.pl
iberiti.com
icensol.net
independinsy.net
info-for-health.net
insectiore.net
irs.gov.tax-refunds.ach.treehouse-dreams.net
jonkrut.ru
kistrotilewest.su
klermont.net
klwines.com.order.complete.prysmm.net
kubiwaya.net
ledfordlawoffice.net
letsgofit.net
linguaape.net
linkedin.com-update-report.taltondark.net
links.emails.bmwusa.com.open.pagebuoy.net
locavoresfood.net
mackay-revealed.net
made-bali.net
magiklovsterd.net
marriott.com.reservation.lookup.motobrio.net
marriott.com.reservation.lookup.viperlair.net
metalcrew.net
microsoftnotification.net
mifiesta.ru
modshows.net
momotlawfirm.net
morphed.ru
mosher.pl
motobrio.net
mycanoweb.com
myfreecamgirls.net
mywebsitetips.net
neplohsec.com
nipslippage.net
nvufvwieg.com
onemessage.verizonwireless.com.verizonwirelessreports.com
ontria.ru
organizerrescui.pl
outbounduk.net
oydahrenlitu346357.ru
package.ups.com.shanghaiherald.net
pagebuoy.net
pass-hc.com
peertag.com
playtimepixelating.su
pool-inter.com
porschetr-ml.com
potteryconvention.ru
privat-tor-service.com
prothericsplk.com
prysmm.net
quipbox.com
ratenames.net
relectsdispla.net
rentipod.ru
restless.su
saberig.net
safebrowse.pw
sai-uka-sai.com
sartorilaw.net
scourswarriors.su
secureaction120.com
securednshooki.com
sendkick.com
sensetegej100.com
seodirect-proxy.com
shanghaiherald.net
sludgekeychai.net
soberimages.com
susubaby.net
tagcentriccent.net
tagcentriccent.pl
tax-returns.gov.cpa.state.us.gebelikokulu.net
teakfromafrica.net
techno5room.ru
thegalaxyatwork.com
thosetemperat.net
tor-connect-secure.com
treehouse-dreams.net
tvblips.net
twitter.com.greenleaf-investment.net
u-janusa.net
ukbash.ru
usergateproxy.net
verizonwirelessreports.com
viperlair.net
vip-proxy-to-tor.com
vitans.net
vivendacalangute.net
wic-office.com
wordstudio.pl
wow-included.com
zestrecommend.com