
Friday, 23 May 2014

Fake NatWest email downloads malware via Dropbox

This fake NatWest email follows the same pattern as this one except that it is downloading malware via Dropbox rather than Bitly.

From:     NatWest.co.uk [noreply@natwest.co.uk]
Date:     23 May 2014 11:36
Subject:     NatWest Statement

View Your May 2014 Online Financial Activity Statement


Keep track of your account with your latest Online Financial Activity Statement from NatWest Bank. It's available for you to view at this secure site. Just click to select how you would like to view your statement:


View/Download as a PDF

View all EStatements

So check out your statement right away, or at your earliest convenience.

Thank you for managing your account online.

Sincerely,

NatWest Bank


Please do not respond to this e-mail. If you have any questions about this inquiry message or your NatWest Bank account, please speak to a Customer Service representative at +44 121 635 1592


NatWest Bank Customer Service Department

P.O. Box 414 | 38 Strand, WC2N 5JB, London

Copyright 2014 NatWest Company. All rights reserved.

AGNEUOMS0006001

The link in the email goes to [donotclick]dl.dropboxusercontent.com/s/h8ee7pet8g3myfh/NatWest_Financial_Statement.zip?dl=1&token_hash=AAGNPq4-blG8MXToyYPu1l8lXEyrOQNz6EjK7rUBRaSHGg&expiry=1400838977 which downloads an archive file NatWest_Financial_Statement.zip which in turn contains the malicious executable NatWest_Financial_Statement.scr. This has a VirusTotal detection rate of just 3/52.

Automated analysis tools [1] [2] show that it downloads a component from [donotclick]accessdi.com/wp-content/uploads/2014/04/2305UKmw.zip

The Malwr analysis shows that it then downloads some additional EXE files:

As is typical with the attack, the payload appears to be P2P/Gameover Zeus/Zbot.

Thursday, 22 May 2014

lormaneducation.net / lorman.com "Lorman Education" spam

These spammers are sending to email addresses they have guessed by parsing my website.

From:     Toni Klawiter - Lorman Education [customerservice@lormaneducation.net]
Date:     22 May 2014 16:18
Subject:     Status Classification: Exempt vs. Nonexempt
Signed by:     lormaneducation.net

Seminars     Live Webinars
OnDemand     Membership

Status Classification: Exempt vs. Nonexempt

OnDemand Webinar - 93 Minutes

Learn How To:

    Identify general principles under the Fair Labor Standards Act.
    Explain salary requirements and the highly compensated employee exemption.
    Review what an employer can do to assure classifications are accurate and minimize risks.
    Discuss the executive, administrative, professional and computer professional duties tests.

More Information


Faculty

Michael A. Pavlick
K&L Gates LLP

The link in the email goes to lormaneducation.net and then forwards immediately to lorman.com, which is a typical technique that spammers use to try to avoid getting blacklisted.

lormaneducation.net is hosted on 64.77.120.67 (Peer 1, US) along with the following domains, which look similarly spammy:


The WHOIS details on the lormaneducation.net spamvertised domain are:

    Admin Name: Webmaster
    Admin Organization: Lorman Education Group, Inc.
    Admin Street: PO Box 509
    Admin City: Eau Claire
    Admin State/Province: WI
    Admin Postal Code: 54702-0509
    Admin Country: US
    Admin Phone: +1.7158333940
    Admin Phone Ext:
    Admin Fax:
    Admin Fax Ext:
    Admin Email: webmaster@lorman.com


Spam originates from 184.175.164.1 (US Signal) in a range suballocated to Lorman, 184.175.164.0/26, that you might want to block traffic from.

If this company thinks that promoting its seminars through spam is a legitimate way of promoting a business then I would personally give their "seminars" a very wide berth.

#BringBackOurGirls scam

This scam email attempts to steal money from unsuspecting but altruistic people by hijacking the legitimate #BringBackOurGirls campaign.

From:     Joy Marcus [joymcus55@gmail.com]
Date:     22 May 2014 00:24
Subject:     #BringBackOurGirls
Signed by:     gmail.com

Hello,
My beloved brother and sister. I hope my message get to you in peace.
My name is Mary Sambo from Borno state in Nigeria. I am crying while
putting this message together in the church hostel. I lost my husband to
the terrorist attack that is happening in Borno state, my daughters was
kidnap along with the 270 girls been kidnap in school chibok village in
Nigeria, by the terrorist.

Which the entire world is now searching for them. I am 7 month pregnant
and i am staying at the church hostel, we are 30 in a single room, i
don't have access to good medical care and i am afraid my living
condition might affect my unborn child.

I am asking for help from you in other for me to get a place for myself
and also register myself to health center where i will get proper
medical care. Please help me with anything you, May Almighty God reward
you.
Hope to hear from you.
Regards.

Mary Sambo.
Please reply here: marysamb91@yahoo.com

Apparently this church hostel that she is staying in has internet access good enough to send out spam. And although the scammer is soliciting replies to marysamb91@yahoo.com it is sent from joymcus55@gmail.com which has its own Google+ profile.. which contains a picture.

Now, I don't know about you.. but I don't think that this looks like a Nigerian woman who has to live in a church hostel. That's because it is a photograph of actress and model Yvette Fintland who would no doubt be very displeased to see her photo being abused in this way (and has nothing whatsoever to do with this scam or spam).

There are no words that can adequately describe the horror of the kidnapping of 200 innocent children. And there are no words that adequately describe the disgust at people who are prepared to exploit this awful event for their own personal gain.

Wednesday, 21 May 2014

Something evil on 93.171.173.173 (Sweet Orange EK)

93.171.173.173 (Alfa Telecom, Russia) is currently distributing the Sweet Orange EK via a bunch of hijacked GoDaddy subdomains. The malware is being spread through code injected into legitimate but hacked websites.

For example [donotclick]www.f1fanatic.co.uk is a compromised website that tries to redirect visitors to two different exploit kits:

[donotclick]adv.atlanticcity.house:13014/sysadmin/wap/fedora.php?database=3
[donotclick]fphgyw.myftp.biz/kfafyfztzhtwvjhpr37ffn9qi7w0ali5rhczqxcgif3d4

The second one is an attempt to load the Fiesta EK although the payload site is currently down. But the .house domain appears to be Sweet Orange (incidentally this is the first time that I've seen one of the new TLDs abused in this way).


The server on 93.171.173.173 hosts a number of subdomains that are hijacked from GoDaddy customers. I recommend that you block either the subdomain or domains themselves:


The EK page itself has a VirusTotal detection rate of 0/53, although hopefully some of the components it installs will trigger a warning.


PrimeAspire (primeaspire.com) spam

UPDATE: PrimeAspire have responded to this post, scroll down to the bottom.

Startup or no startup, sending spam to a spamtrap is not a good way to drum up business..

From:     Team@primeaspire.com
To:     donotemail@wearespammers.com
Date:     20 May 2014 13:32
Subject:     PrimeAspire - The Freelance Platform

Hello,

Following our recent launch we'd like to invite you to PrimeAspire where you can post any task and securely get skilled people to complete specific freelance tasks.

The platform is completely free and used by talented people looking for freelance projects.

Learn more

Thanks,

The PrimeAspire team

Please consider the environment before printing this email.  Thank you.

Prime Aspire is a freelance marketplace. This message, its contents and any attachments are private, confidential and may contain information that is subject to copyright. You may not disclose, use or disseminate all or part of this message without our prior written consent. If you are not the intended recipient, please notify us immediately by replying to this message and then delete it from your system. Whilst we take reasonable precautions to prevent computer viruses, we cannot accept responsibility for viruses transmitted to your computer and it is your responsibility to make all necessary checks. We may monitor email traffic data and the content of emails to ensure efficient operation of our business, for security, for staff training and for other administrative purposes.

This email was sent from Prime Aspire Limited (Registered number: 7850209). Prime Aspire Limited is registered in England and Wales. Registered address: SUITE 34, New House, 67-68 Hatton Garden, London EC1N 8JY United Kingdom. For further information, please click www.primeaspire.com

To unsubscribe please reply with the word "Unsubscribe".

But (and just as a warning, I'm going to get sweary here) wait a fucking minute.. "This message, its contents and any attachments are private, confidential and may contain information that is subject to copyright. You may not disclose, use or disseminate all or part of this message without our prior written consent." You fucking spammed me with this. I will do with it what I fucking well please.

CEO of PrimeAspire is one Chris Adiolé. PrimeAspire (strictly speaking it is Prime Aspire Ltd) is a real company (07850209 in the UK), and Mr Adiolé even has his name on the domain WHOIS details rather than hiding behind a proxy service.

Registrant Name: Christopher Adiole
Registrant Organization:
Registrant Street: 67-68 Hatton Garden
Registrant City: London
Registrant State/Province: KKD
Registrant Postal Code: EC1N 8JY
Registrant Country: GB
Registrant Phone: +44.20700000000
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: info@primeaspire.com


Originating IP is 79.170.44.6 which is Heart Internet in the UK. The primeaspire.com domain is hosted with the same firm on 79.170.40.239.

So, let's assume that this is a real proposition and not some sort of scam. Fair enough. Promoting your startup through spam is always a very bad move, but adding meaningless legalese crap to it is really going to piss people off..

UPDATE: many Kudos points to Chris Adiolé for addressing the issue and apologising. So perhaps they're not such a bad bunch after all :)

Hi,

I note you recently published an article on your blog with regards to a promotional email you received from PrimeAspire.

We are a small startup and after our launch in February we worked with a marketing agency who supplied us with email addresses, claiming to be addresses of people that opted to receive emails about freelancing and related services. Unfortunately, we took their words at face value and failed to check the email addresses before sending out the emails.

On behalf of PrimeAspire, I sincerely apologise for the inconvenience. We are an honest startup working hard on our product and have no intention to send spam emails or use sinister marketing procedures to promote our product.

Thanks,

UPDATE 2: but now PrimeAspire are likely to lose their Kudos point due to this rather rude message from some Indian SEO guy..

From:     Tutu Kumar [tutukumarseosolutions@gmail.com]
Date:     25 June 2014 09:16
Subject:     Remove the blog of "PrimeAspire (primeaspire.com) spam"

Hello Dynamoo.com Team,

I'm Tutu Kumar from india, also a SEO Expert. Now i'm working SEO for Primeaspire.com. And i saw google search pages our blog title
PrimeAspire (primeaspire.com) spam.
This blog title is bad effect for our website but content is good.
Kindly remove the blog of your website.


Thank You
Tutu Kumar

Funnily enough, I don't feel inclined to do that. PrimeAspire sent me a spam.. that happened, and Chris Adiolé apologised which I think shows a great deal of integrity. Perhaps Mr Kumar needs to generate some positive press instead rather than concentrating on my little blog.

Tuesday, 20 May 2014

Fake Sage Invoice spam leads to malware

This fake Sage spam leads to malware:

Date:      Tue, 20 May 2014 09:20:53 +0100 [04:20:53 EDT]
From:      Sage [Wilbur.Contreras@sage-mail.com]
Subject:      FW: Invoice_6895366

Please see attached copy of the original invoice (Invoice_6895366). 

Attached is an archive file Invoice6895366.zip which in turn contains a malicious executable Invoice200522014.scr which has a VirusTotal detection rate of 8/52.

The Malwr analysis shows that it then goes on to download further components from [donotclick]protecca.com/fonts/2005UKdp.zip some of which are:

These appear to be part of a peer-to-peer Zbot infection.

Monday, 19 May 2014

"TT PAYMENT COPY" spam

This spam has a malicious attachment:

Date:      Sun, 18 May 2014 20:54:20 -0700 [05/18/14 23:54:20 EDT]
Subject:      Re TT PAYMENT COPY

please confirm the attachment payment Copy and get back to me?

Attached is an archive file TT PAYMENT COPY.zip which in turn contains another archive file TT PAYMENT COPY.rar (which relies on the victim having a program to uncompress the RAR file). Once that is done, a malicious executable PaySlip.exe is created. This file has a VirusTotal detection rate of 27/53. Automated analysis tools (such as this one) don't reveal what is happening, but you can guarantee it is nothing good.

Thursday, 15 May 2014

"NatWest Statement" spam contains a bit.ly link

This fake NatWest spam sends victims to a malicious download via a bit.ly link.

From:     NatWest.co.uk
Date:     15 May 2014 13:11
Subject:     NatWest Statement

View Your April 2014 Online Merchant Financial Activity Statement

Keep track of your account with your latest Online Merchant Financial Activity Statement from NatWest Bank. It's available for you to view at this secure site. Just click to select how you would like to view your statement:


View/Download as a PDF

View all EStatements

So check out your statement right away, or at your earliest convenience.

Thank you for managing your account online.

Sincerely,

NatWest Bank


Please do not respond to this e-mail. If you have any questions about this inquiry message or your NatWest Bank ® Merchant account, please speak to a Customer Service representative at 1-800-374-2639


NatWest Bank Customer Service Department

P.O. Box 414 | 38 Strand, WC2N 5JB, London

Copyright 2014 NatWest Company. All rights reserved.

AGNEUOMS0006001

The link in the email goes to [donotclick]bit.ly/1jKW2GJ which then downloads a malicious file Statement-pdf.scr which has a VirusTotal detection rate of 8/53. Automated analysis tools [1] [2] [3] [4] are inconclusive about what the malware actually does.

One thing about bit.ly links is that if you put a "+" at the end of the link you can see how many people clicked it. In this case, 236 people have clicked so far, mostly in North America. I suspect that quite a few of those are malware researchers!


"Advertising for Red Bull (Energy Drink)" car wrap scam

This spam does not come from Red Bull or anybody related to them:

From:      RED-BULL CARADVERT
Reply-To:      rolandbest196@gmail.com
Subject:      Advertising for Red Bull (Energy Drink) 05/13 /2014

Hello,

We are currently seeking to employ individual's world wide. How would you like to make money by simply driving your car advertising for RED BULL.

How it works?

Here's the basic premise of the "paid to drive" concept: RED BULL seeks people -- regular citizens,professional drivers to go about their normal routine as they usually do, only with a big advert for "RED BULL" plastered on your car. The ads are typically vinyl decals, also known as "auto wraps,"that almost seem to be painted on the vehicle, and which will cover any portion of your car's exterior surface.

What does the company get out of this type of ad strategy? Lots of exposure and awareness. The auto wraps tend to be colorful, eye-catching and attract lots of attention. Plus, it's a form of advertising with a captive audience,meaning people who are stuck in traffic can't avoid seeing the wrapped car alongside them. This program will last for 3 months and the minimum you can participate is 1 month.

You will be compensated with $300 per week which is essentially a "rental"payment for letting our company use the space no fee is required from you RED BULL shall provide experts that would handle the advert placing on your car. You will receive an up front payment of $300 inform of check via courier service for accepting to carry this advert on your car.

It is very easy and simple no application fees required contact email along with the following you are interested in these offer.
rolandbest195@gmail.com

Full Name:
Address:
City:
State:
Zip code:
Country:
Make of car/ year:
Telephone numbers:

We shall be contacting you as soon as we receive this information.

Kind Regards
Roland Best
Hiring Manager,
Red Bull™

It's a scam.. but what is the scam exactly? The whole process is nicely detailed here, but essentially the scammers send you a fake cheque ("check" in the US) as payment. This cheque includes an amount that you are meant to pay the "graphic artist" for the work needed to create the wrap. Of course, once you have sent your own money to the "artist" (in reality a scam artist) then the fake cheque will be rejected, and you will end up out of pocket (and possibly in trouble with the police or bank for fraud).

The overpayment scam is a common one, and it is used in all sorts of different set-ups. If anyone sends you a cheque and then asks you to pay it in and forward some of the money elsewhere then you can almost guarantee that someone is trying to rip you off.

Wednesday, 14 May 2014

citibank.com "Important - Commercial Form" spam

This fake Citibank spam comes with a malicious attachment:

Date:      Wed, 14 May 2014 11:56:34 -0500 [12:56:34 EDT]
From:      Nola Painter [Nola.Painter@citibank.com]
Subject:      FW: Important - Commercial Form

citibank.com
Commercial Banking Form

To: [redacted]

Case: C1957115
Please scan attached document and fax it to +1 800-285-1110 .

All web filed documents (with the exception of downloaded accounts templates) are available to view / download for 10 days after their original submission. Once accepted, these changes will be displayed on the public record. Not yet filing your accounts online? See how easy it is... For enquiries, please telephone the Service Desk on +1 800-285-4794 or email enquiries@citibank.com. This email was sent from a notification-only email address which cannot accept incoming mail. Please do not reply directly to this message. .

Yours faithfully

Nola Painter
Commercial Banking
Citibank N.A
Nola.Painter@citibank.com

Copyright © 2014 Citigroup Inc.
Citibank


Other senders spotted include:
Lavonne Bermudez [Lavonne.Bermudez@citibank.com]
Gabriel Britton [Gabriel.Britton@citibank.com]

Attached to the message is an archive file CommercialForm.zip which in turn contains a malicious executable CommercialForm.exe which has a VirusTotal detection rate of 19/52. Automated analysis tools [1] [2] [3] show that it downloads an encrypted file from [donotclick]desktopcrafts.com/wp-content/uploads/2014/05/Targ-1405USdp.enc although what that does is currently unclear.

One. Two. Three. Network Operations Center hosting things as bad as can be.

Network Operations Center don't exactly have a glowing reputation of cleanliness when it comes to malware. The following IPs and hosts seem to be distributing something nasty which appears to be injected into victim sites.

I don't have a good analysis of what is going on at the moment, so you'll just have to take my word for it. The activity has been observed on the following Network Operations Center IP addresses over the past few days:


A lot of these IPs are connected with things like porn sites, but they also have a number of malicious subdomains in the form .one .two and .three on them. You can safely assume that the domains themselves are malicious (listed at the end of the post if you want to block them). Malicious subdomains spotted are:


Recommended blocklist:


Monday, 12 May 2014

Yahoo! Advertising Services (formerly overture.com) email address leak

A long, long time ago there used to be a company called Overture.com that did online advertising, and it was acquired by Yahoo! some time ago.

Now, I use a unique email address for every service I use, and today I was surprised to see the address I used for Overture being used in this spam. I believe this is the first time that I have ever seen spam to this address, so I assume that this is a recent leak of addresses (and Yahoo! has had all sorts of problems with breaches and the Heartbleed bug recently).

The botnet sending out this spam does seem to have access to leaked email data that I haven't seen used before. So is this an early warning of yet another problem at Yahoo?

Friday, 9 May 2014

Dr. Annette Bosworth is a moron spammer

I'm not very interested in US politics, and I certainly don't live there. So why is this moron spammer trying to get me to vote for her?

From:     Anette Bosworth [anette.bosworth@bosworthcampaign.com]
Reply-To:     anette.bosworth@bosworthcampaign.com
Date:     9 May 2014 15:27
Subject:     Not Cool, Guys
Signed by:     bosworthcampaign.com

Honestly, who acts like this? 

This is my first run for political office.  I am a doctor, not a career politician, but I just couldn’t sit on the sidelines and watch what is happening to our great nation any longer.

I have always stood up for what I believe in.  The first time I stood up to a bully I was 7 years old.

Today, the biggest bully I see is the federal government.  I grew up on a working farm in Plankinton, South Dakota.  I am a doctor who works with the elderly and the poor.  The clinic I own is a small business.  In every area of work and life, there is just too much government interference.

Being a doctor, I understand how unfair and harmful Obamacare really is -- and I have vowed to repeal every single word of it.  I also pledge to cut taxes, defend the second amendment, and to protect the unborn.

Washington, D.C. insiders don’t want to see people like you and me change their way of doing business.

Change is possible, but it takes effort from all of us.

I am fighting for that change against an establishment insider with millions of dollars, much of it PAC money from special interest groups.

My opponent has so much PAC money, he can afford to be wasteful – and he is.  Just this week, he produced a slick advertisement for TV that didn’t even feature voters from the state of South Dakota.  And when he was caught, he didn’t even apologize -- he just threw the advertisement away.

That’s not how I do things.

I am a fiscal conservative.  I promise that if you donate now, your hard earned donation will be used in a responsible way to fight big government and wasteful spending.  I need your help to get there. Will you join me?

Absentee ballots in South Dakota are mailed out this month and that’s when voting begins – will you chip in $5 or more today?

The donation you make today will help us get our message to voters.

Thanks,
Dr. Annette Bosworth

To unsubscribe please click here

Dr. Annette Bosworth
2601 S. Minnesota Ave, Suite 105-129, Sioux Falls, SD, 57105

Paid for by Dr. Annette Bosworth for U.S. Senate

Contributions to Bosworth for US Senate are not tax deductible

It seems that she's a Doctor of some sort, but she opposes affordable healthcare. As a European we are constantly amazed and horrified at the way US healthcare professionals just let people die when the money runs out of their insurance policy.. if they have an insurance policy. Until Obama forced changes to the US healthcare system through it was 100 years behind that in Europe. Now it is only 80 years or so behind. Progress I guess.

Also, Annette Bosworth (or whatever idiot is spamming on her behalf) is attempting to solicit funds through fundly.com which violates their terms of service. Luckily she hasn't been able to recruit many other morons to her cause and has only raised $1,150 out of a target of $750,000.

Well, since this is an abuse of the Fundly terms of service, then getting it shut down and losing the funds could be a bit of a laugh.

The spam originates from two18.2bits.co (63.143.38.243) and spamvertises a site at marketer.2bits.co (63.143.38.226). Both these IPs are allocated to Limestone Networks in the US, but are suballocated to a customer called Joseph (Joey) Burzynski of ResistedNormalcy LLC and/or MarketKar.ma in Dallas. The email is digitally signed for the domain bosworthcampaign.com which has hidden WHOIS details.

Of course, this could be a subtle Joe Job intended to frame Annette Bosworth and make her look like a moron. But according to Joey Burzynski's own Facebook page at www.facebook.com/resistednormalcy/likes he "likes" Annette Bosworth. And tattoos. A lot.

There are plenty of other indicators online that Dr Bosworth has employed the promotional "talents" of Mr Burzynski.

I'm not the only one that thinks that this is spammy either, because Gmail says..


Presumably Annette Bosworth thinks that her point of view is so important that she can spam it out to people at random, regardless of where they live. I personally think she is a moron spammer and hope that the electors of South Dakota treat her accordingly.

UPDATE 12 May 2014: According to US law..
Contributions and donations may not be solicited, accepted, or received from, or made directly or indirectly by, foreign nationals who do not have permanent residence in the United States (i.e., those without green cards). This prohibition encompasses all US elections; including federal, state and local elections. 11 CFR 110.20(b).
So it would be prohibited for Dr Bosworth's campaign to accept a donation from me as I live in the UK and have never even visited the US.

So it's probably a bad move that they accepted my ten bucks.

There's a lively discussion about this over at the Madville Times.

UPDATE 13 May 2014: it has been said that Americans don't get irony. When I made my illegal $10 contribution to Annette Bosworth's campaign, I added the comment "Ten Bucks Well Spent!" because I knew that that accepting the money from a foreign donor would have some entertaining repercussions.

What I didn't expect was that not only would the donation be accepted, but that Dr Bosworth would also quote me on her Facebook page..


I like the comment "GOOD AMERICAN;;" (even with the spurious semicolons. Perhaps Americans don't understand semicolons either. I'm not sure I do) because of course I am British. And if Dr Bosworth's supporters knew my political leanings then they would assume I was the Spawn of Satan.

Interestingly, this means that they not only accepted the donation but someone took the time to review it.. surely then they should have spotted that I was not in the US.

Ten bucks well spent indeed!

And for those asking.. here is the receipt:

UPDATE 5 June 2014: Annette Bosworth has been arrested on charges of perjury.

HMRC spam / VAT0781569.zip

This fake HMRC spam comes with a malicious attachment:

Date:      Fri, 9 May 2014 12:47:49 +0530 [03:17:49 EDT]
From:      "noreply@hmrc.gov.uk" [noreply@hmrc.gov.uk]
Subject:      Successful Receipt of Online Submission for Reference 0781569


Thank you for sending your VAT Return online. The submission for reference 0781569 was
successfully received on Fri, 9 May 2014 12:47:49 +0530  and is being processed. Make VAT
Returns is just one of the many online services we offer that can save you time and
paperwork.

For the latest information on your VAT Return please open attached report.

The original of this email was scanned for viruses by the Government Secure Intranet
virus scanning service supplied by Cable&Wireless Worldwide in partnership with
MessageLabs. (CCTM Certificate Number 2009/09/0052.) On leaving the GSi this email was
certified virus free.

Communications via the GSi may be automatically logged, monitored and/or recorded for
legal purposes. 

It says "On leaving the GSi this email was certified virus free" which (as you might suspect) is utter bollocks, because it comes with a malicious payload. Attached to the message is an archive VAT0781569.zip which in turn contains two identical malicious executables AccountDocuments.scr and VAT090514.scr which have a VirusTotal detection rate of 15/52.


This is part one of the infection chain. Automated analysis [1] [2] [3] shows that components are then downloaded from the following locations:

[donotclick]bmclines.com/0905UKdp.rar
[donotclick]gamesofwar.net/img/icons/0905UKdp.rar
[donotclick]entslc.com/misc/farbtastic/heap170id3.exe
[donotclick]distrioficinas.com/css/b01.exe


The malicious binary heap170id3.exe has a VirusTotal detection rate of 9/52. Automated analysis [1] [2] shows that this makes a connection to a server at 94.23.32.170 (OVH, France).

The other malicious binary, b01.exe had a VirusTotal detection rate of 11/52. Analysis of this shows [1] [2] that it attempts to connect to several different email services, presumably to send out spam.

Thursday, 8 May 2014

Maersk Line Shipping Phish

Some people will phish for anything. This one seems to be looking for credentials for My Maersk Line, I guess to allow the scammers to ship items illegally at someone else's expense.


From:     Maersk Line Shipping [sunil.dharmappa@stalliongroup.com]
Reply-To:     shipping@maersklines.com
Date:     8 May 2014 14:55
Subject:     TRACK YOUR CONTAINERS & CARGO NOW!


Dear Sir/madam,

we  want to inform you that your supplier/seller shipped your goods  through our shipping services, we hope your supplier must have given you the details about your container vessel ,we strongly recommend that you confirm your goods/cargo immediately by tracking your goods online.
 All shipped container/goods must be tracked  to enable  you to know the location of your shipment and to know the arrival date of vessel. This is why MAERSK LINE has enabled a user friendly interface for our customers to track there goods by themselves without the help of the agents.

Download the container tracking form attached and  log in with your email now to know the status and location of your container/shipment. You must use the email which you used in communicating with your supplier/seller that is the email our tracking system will recognize because it is the email your supplier registered your goods with .You will be able to save the search criteria for easy reuse at a later stage. You will also have the opportunity to search for shipment from/from specific locations and many other features.

Check the attached now .

Best regards

Maersk shipping company.

Terms of use | Privacy policy | Sitemap | Maersk Line. All rights reserved.


Attached is a file maersk container tracking.htm ..


This attempts to harvest credentials and then POSTs them to a dedicated phishing site at send.apbem.org.br/zolamaersksend.php (189.73.155.37 / Brasil Telecom, Brazil). Once the username and password have been stolen, the victim is sent on to the real My Maersk site (which doesn't actually require a password for basic container tracking).

Not many people will have a relevant shipping account at Maersk, but you can imagine the potential value of being able to ship stolen or illegal goods for free..

Wednesday, 7 May 2014

unitedtraderegister.eu / europeantraderegister.net spam

This spam is attempting to solicit signups for a worthless "World Trade Register" website.

From:     utr@unitedtraderegister.eu
Date:     7 May 2014 00:04
Subject:     Are you ready?
Signed by:     unitedtraderegister.eu

Dear Partner,

In order to have your company inserted in the
global trade register of partner companies for
the 2015/2016 edition you must print, complete
and send the enclosed form before the end of
next week to the following address:

World Trade Register
P.O. Box 3079
3502 GB Utrecht
The Netherlands

or fax it to:
Fax: +31 205 248 107

or reply to this email and attach the form to it.

Updating is free of charge!
To unsubscribe please visit this link:
unitedtraderegister.eu/unsubscribe.php?email=info@[redacted]
In case the form is missing you can download it here:
unitedtraderegister.eu/wtr.pdf
The company behind this spam is a ROKSO-listed organisation called World Company Register / EU Business Register. A ROKSO listing basically means that this is one of the worst spammers currently in the world.

unitedtraderegister.eu forwards to europeantraderegister.net (and worldtraderegister.net is on the same server). This is an old-fashioned directory scam and it should be ignored.

"Lloyds Commercial Banking" "Important BACs" spam

This fake bank spam comes with a malicious attachment:

Date:      Tue, 6 May 2014 08:29:83 GMT
From:      Lloyds Commercial Banking [Annmarie.Baldwin@lloydsbank.com]
Subject:      FW : Important BACs


Important account documents


Reference: C06
Case number: 0995479

Please review attached BACs documents and fax it to +44 (0) 845 600 3319.
Please note that the Terms and Conditions available below are the Bank's most recently issued versions. Please bear in mind that earlier versions of these Terms and Conditions may apply to your products, depending on when you signed up to the relevant product or when you were last advised of any changes to your Terms and Conditions. If you have any questions regarding which version of the Terms and Conditions apply to your products, please contact your Relationship Manager.

Yours faithfully



Annmarie Baldwin
Senior Manager, Lloyds Commercial Banking


Calls may be monitored or recorded in case we need to check we have carried out your instructions correctly and to help improve our quality of service.

Please remember we guarantee the security of messages sent by email. 
The last line gave me a laugh.. "Please remember we guarantee the security of messages sent by email." Attached to the message is a file LloydsCase-0995479.zip which in turn contains a malicious executable LloydsCase-07052014.scr. The binary is identical in function to the one used in this TNT spam run doing the rounds at the same time.

"TNT UK Limited" spam

This fake TNT spam has a malicious attachment:

Date:      Wed, 7 May 2014 01:50:00 -0600 [03:50:00 EDT]
From:      TNT COURIER SERVICE [tracking@tnt.co.uk]
Subject:      TNT UK Limited - Package tracking 236406937389

TNT COURIER SERVICE (TCS)
Customer/Delivery Services Department
Central Pk Est/Mosley Rd, Trafford Park
Manchester, M17 1TT UK.

DETAILS OF PACKAGE
Reg order no: GB5766211

Your package have been picked up and is ready for dispatch. Please print attached form
and pick up at the nearest office.

Connote #        :        236406937389
Service Type        :        Export Non Documents - Intl
Shipped on        :        07 Apr 13 00:00
Order No                :        5766211
Status                :       Driver's Return Description      :       Wrong Postcode
Service Options: You are required to select a service option below.

The options, together with their associated conditions 
The attachment is GB5766211.zip which contains the malicious executable GB07052014.scr (note the date is encoded into the filename). This has a VirusTotal detection rate of 7/52.

Automated analysis tools [1] [2] [3] show a UDP connection to wavetmc.com and a further binary download from demo.providenthousing.com/wp-content/uploads/2014/05/b01.exe

This second executable has a VirusTotal detection rate of 20/51. The Malwr report and Anubis report both show attempted connection to various mail servers (e.g. Gmail and Hotmail). Furthermore the Anubis report shows a data transfer to 83.172.8.59 (Tomsk Telecommunication Company, Russia).

Recommended blocklist:
83.172.8.59
wavetmc.com
demo.providenthousing.com

"This email contains an invoice file attachment" spam

Another case of a very terse spam with a malicious email attachment:

Date:      Wed, 7 May 2014 14:06:46 +0700 [03:06:46 EDT]
From:      Accounts Dept [menopausaln54@jaygee.co.uk]
Subject:      Email invoice: 1888443

This email contains an invoice file attachment 
I guess the psychology here is that if you can't tell a convincing lie, then tell a short one. The attachment is emailinvoice.069911.zip which in turn contains a malicious executable emailinvoice.899191.exe which has a VirusTotal detection rate of 5/52.

Automated analysis of this binary [1] [2] [3] shows that it downloads a further component from one of the following locations:


This "111.exe" binary has an even lower VirusTotal detection rate of 3/51. Automated analysis [1] [2] [3] shows that the malware installs itself deeply into the target system.

There is a further download of a malicious binary from files.karamellasa.gr/tvcs_russia/2.exe which has a detection rate of 5/50 and identifies as a variant of Zeus. This creates fake svchost.exe and csrss.exe executables on the target system [1] [2] [3].

Recommended blocklist:

Tuesday, 6 May 2014

"Important - BT Digital File" spam

This fake BT spam comes with a malicious attachment:

Date:      Tue, 6 May 2014 15:18:15 +0700 [04:18:15 EDT]
From:      Santiago Biggs [Santiago.Biggs@bt.com]
Subject:      Important - BT Digital File

BT Digital Vault     BT

Dear Customer,

This email contains your BT Digital File. Please scan attached file and reply to this email.

If you have any questions or forgotten your password, please visit the "Frequently Asked Questions" at www.bt.com/personal/digitalvault/help or call the helpdesk on 0870 240 1116* between 8am and midnight.

Thank you for choosing BT Digital Vault.

Kind regards,
BT Digital Vault Team
footer

*Calls charged up to 8 pence per minute on the BT network (minimum fee 5.5p). Mobile and other network costs may vary. See http://www.bt.com/pricing for details.

Please note that this is an automatically generated email for your information only. We are sorry, but we can not respond to a "Reply" to this address.

This electronic message contains information from British Telecommunications plc, which may be privileged or confidential. The information is intended for use only by the individual(s) or entity named above. If you are not the intended recipient, be aware that any disclosure, copying, distribution or use of the contents of this information is strictly prohibited. If you have received this electronic message in error, please delete this email immediately.

Registered office: 81 Newgate Street London EC1A 7AJ Registered in England no: 1800000 

Attached to the message is an archive file BT_Digital_Vault_File.zip which in turn contains a malicious executable BT_Digital_File.scr which has a VirusTotal detection rate of 11/52.

Automated analysis tools [1] [2] [3] show that this malware downloads additional components from the following locations:

[donotclick]realtech-international.com/css/0605UKdp.rar
[donotclick]biz-ventures.net/scripts/0605UKdp.rar

Blocking those URLs or monitoring for them may help to prevent further infection.


ccccooa.org - another hacked WordPress site

ccccooa.org ("Cumberland County Council on Older Adults") is another hacked WordPress site being used to serve pharma spam. I got 82 of these all at the same time..

From:     Linkedln Email Confirmation [emailing@compumundo.info]
Reply-To:     emailing@compumundo.info
To:     topsailes@gmail.com
Date:     6 May 2014 13:41
Subject:     Please confirm your email address

Linkedln

Click here to confirm your email address.

You will be asked to log into your account to confirm this email address. Be sure to log in with your current primary email address.

We ask you to confirm your email address before sending invitations or requesting contacts at Linkedln. You can have several email addresses, but one will need to be confirmed at all times to use the system.

If you have more than one email address, you can choose one to be your primary email address. This is the address you will log in with, and the address to which we will deliver all email messages regarding invitations and requests, and other system mail.

Thank you for using Linkedln!

--The Linkedln Team


This email was intended for [redacted]. Learn why we included this. © 2012, East Middlefield Road. Mountain View, CA 94043, USA 
One example landing URL is [donotclick]www.ccccooa.org/buyphentermine/ which leads to a sort of intermediary landing page..


This in turn goes to a redirector at [donotclick]stylespanel.com/h/go/phentermine.php and then to [donotclick]www.hq-pharmacy-online.com/search.html?q=phentermine which is a fake pharmacy site hosted on 95.211.228.240 (LeaseWeb, Netherlands) and registered to a probably fake address in Argentina.


Avoid.. oh, and if you run a WordPress site please make sure the software is up-to-date.

Sinister spam from "Agent Feather"

This sinister spam comes with a malicious payload..

From:     Agent Feather [afgeathe32322323@gmail.com]
Reply-To:     afgeathe32323323@gmail.com
Date:     6 May 2014 02:12
Subject:     Do something before it's too late!


My Friend,

Someone close to you wants you to spend at least the next five years of your life behind bars. He has reported you to our organization and I am the one assigned to follow you up to gather more evidences against you. Attached to this email is a copy of the person's audio recording against you. Your name was mentioned eleven times in this recorded conversation, check if you can recognise the person's voice.

What I require is that you create a new email address which will be used for our further correspondence. Use your mobile phone number to text me your newly created email address on this number: +66928711125. The phone line is secured and cannot be traced by our organization or any other law enforcement agent. I know my reason for disclosing this important information to you at this time. Upon receiving your text, I will tell you who I am, our organization and what next you are to do.

You are to note the following and observe them, contrary to these, you will never hear from me again.

1. You are not to reply me on this email address.
2. You are not to call me on the above given number for any reason.
3. You are to text only your newly created email address to me.
4. The newly created email address must be used just for the both of us alone
4. If you know the voice in the recorded message, never approach the person until I tell you to.
5. You must not disclose anything relating to this information to another person.

Having read and understood what I have said, you are to now create a new email address and send it to me by text through your mobile phone number. I am waiting.

Yours sincerely,
Agent Feather.
Attached is a file His Voice.zip which unzips to another file called Voice Conversation without any extension at all. In fact, this file is a malicious executable (you would have to rename it to Voice Conversation.exe manually if you want to infect yourself) which has a VirusTotal detection rate of 13/49.

Most of the automated tools I have thrown at it seem to error out, but the ThreatExpert report does show the malware installing itself onto the test system and making some system changes to prevent removal. It also enumerates the IP address, detects proxy settings and attempts to connect to Google's Gmail SMTP server.

Thursday, 1 May 2014

Something evil on 146.185.213.69 and probably the whole /24

146.185.213.69 caught my eye, hosting a number of "ads." subdomains, many of which are tagged by Google as being malicious.


Well, you can probably assume that all those domains are malicious (even without the ads. prefix). But a look at the IP address range was revealing:

inetnum:        146.185.213.0 - 146.185.213.255
netname:        Customer-Valyalov-net
descr:          net for user Valyalov (hosting and VPS)
country:        RU
admin-c:        VME12-RIPE
tech-c:         VME12-RIPE
status:         ASSIGNED PA
mnt-by:         MNT-PIN
mnt-routes:     LIPATOV-MNT
source:         RIPE # Filtered

person:         Valyalov Mikhail Evgenyevich
address:        Sankt-Petersburg, Volynski per., d. 2, lit. A, pom. 12N
phone:          +79099740171
nic-hdl:        VME12-RIPE
mnt-by:         VEROX-MNT
source:         RIPE # Filtered

route:          146.185.213.0/24
descr:          Valyalov-Net @ RN-Data/AltNet datacenter
origin:         AS41390
mnt-by:         LIPATOV-MNT
source:         RIPE # Filtered


The block is owned by RN Data SIA of Latvia and suballocated to somebody in St Petersburg by the name of Mikhail Evgenyevich Valyalov. RN Data are one of those hosts that have hosted malware in the past, and I tend to lean towards blocking them.

A look at the other contents of the /24 appear [csv] to indicate further suspicious activity, especially f528764d624db129b32c21fbca0cb8d6.com on 146.185.213.53 (mentioned here plus several other places).

So, frankly, this entire /24 looks like it is being used for evil purposes at the moment and I recommend that you block it, plus the following domains:



"BiP Solutions Company" fake invoice spam

This fake invoice spam message leads to a malicious download:

Date:      Thu, 01-May-2014 15:12:56 GMT [11:12:56 EDT]
From:      Eduard Fulton [bfischernn@netmedia1.com]
Subject:      Notification of your invoice

Dear Customer
Our company has obtained your order and it'll be processing for 2 days.
The the bill of parcels and delivery details are below:
http://www.anat-barnir.co.il/04-05-2014/clients/clients.045-264.zip
Sincerely yours,
BiP Solutions Company
Eduard Fulton
BiP Solutions is a real company, but this spam did not come from them. The link in the email goes to a legitimate (but hacked) site in Israel and downloads a file clients.045-264.zip which unzips to a malicious executable clients.045-264.PDF______________________________________________________.exe (there are a lot of underscores in there, yes). This has a VirusTotal detection rate of 15/52, however automated analysis tools [1] [2] are inconclusive as to what it actually does.
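The attachments in these posts share one trick: a ZIP containing a Windows executable dressed up as a document, whether as a .scr "statement", the extensionless "Voice Conversation" file, or the underscore-padded clients.045-264.PDF______.exe name. As an added example (my own code, not anything from the spam runs above), here is the kind of check a mail gateway could apply to ZIP attachments: it judges each member by content (the MZ header every Windows executable starts with) as well as by name, so none of those three disguises gets through. The sample archives and the 'MZ' stub bytes are constructed here and are not the real attachments.

```python
import io
import os
import re
import zipfile

# Extensions Windows runs on double-click; .scr is the favourite in these spam runs.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".jar"}
# Extensions a victim expects on a "statement", "invoice" or "tracking form".
DECOY_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".htm", ".html", ".txt"}
# Long runs of underscores or spaces push the real extension out of a file dialog's view.
PADDING_RE = re.compile(r"[_ ]{6,}")


def check_member(name, head):
    """Judge one archive member from its name and first two bytes; [] means it looked fine."""
    reasons = []
    base = os.path.basename(name.replace("\\", "/"))
    stem, ext = os.path.splitext(base.lower())
    # Content first: a Windows PE file starts with 'MZ' whatever it is called.
    if head[:2] == b"MZ":
        reasons.append("PE header (MZ) at offset 0")
    if ext in EXECUTABLE_EXTS:
        reasons.append("executable extension " + ext)
    elif not ext:
        reasons.append("no file extension")
    # 'clients.045-264.PDF____.exe': a decoy document extension buried in the stem.
    if ext not in DECOY_EXTS:
        for decoy in sorted(DECOY_EXTS):
            if decoy in stem:
                reasons.append("decoy document extension " + decoy + " inside the name")
                break
    if PADDING_RE.search(stem):
        reasons.append("name padding hides the real extension")
    return reasons


def scan_zip(zip_bytes):
    """Return {member_name: reasons} for every member that looks like a disguised executable."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(2)
            reasons = check_member(info.filename, head)
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample(members):
    """Build an in-memory ZIP from {name: bytes}; only used to construct test input here."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed stand-ins: 'MZ' plus filler satisfies the header check and is not a program.
FAKE_PE = b"MZ" + b"\x00" * 62
PADDED_NAME = "clients.045-264.PDF" + "_" * 40 + ".exe"
SAMPLES = {
    "His Voice.zip": build_sample({"Voice Conversation": FAKE_PE}),
    "clients.045-264.zip": build_sample({PADDED_NAME: FAKE_PE}),
    "VAT0781569.zip": build_sample({"AccountDocuments.scr": FAKE_PE, "VAT090514.scr": FAKE_PE}),
    "genuine.zip": build_sample({"statement-may-2014.pdf": b"%PDF-1.4 constructed sample"}),
}

if __name__ == "__main__":
    for attachment, data in SAMPLES.items():
        print(attachment, "->", scan_zip(data) or "clean")
```

The name checks are only hints; the MZ check is the one that cannot be dodged by renaming, which is exactly why the "Voice Conversation" file with no extension still gets flagged.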