Sponsored by..

Friday, 20 June 2014

bumerang.cc spam - possible Joe Job?

As with the writer of the excellent My Online Security blog I had a couple of odd-looking spams that looked like they might be malicious.

The first spam was a bit of a fail as it didn't have the link, the second spam contained a link the the bumerang.cc website.

From:     News
Date:     19 June 2014 21:40
subject:     World Political News

You can see all World Political News at our web site.Just click on link below

Invoice

------

From:     Customer support
Date:     19 June 2014 13:43
Subject:     Your invoice for June 2014

See your invoice for June 2014 by click on link below

Invoice


The link in the second email goes to the amusingly-named www.bumerang.cc/asdaa/sploit.php - amusing because "sploit" is of course slang for "exploit". Although I have seen exploit kits that contain obvious things like this as a sort of joke, it is also a bit obvious don't you think?

But there is no exploit kit at this "sploit.php" location.. it 404s. But in fact I can see no evidence that there has ever been an exploit in this location, this URLquery report from yesterday (the earliest I can find) also shows a 404. So perhaps the exploit has been deleted? Or perhaps it was never there in the first place..


As I mentioned, there are a pair of emails. The one with the working link looks like a fake invoice malspam, but the other one has the subject "World Political News" and the body "You can see all World Political News at our web site.Just click on link below".

It turns out that bumerang.cc is a news site, covering topics of interest in Moldova in the Romanian, English and Russian languages. Unlike most multilingual news sites, the content is different depending on the language.. and the default Russian language part of the site has a lot of articles on the rather corrupt breakaway region of Transnistria which is strongly pro-Russian and which seems to be getting drawn in to the godawful mess that is the Ukraine crisis.

Transnistria has a reputation for corruption and organised crime, so perhaps bumerang.cc has published something that somebody in Transnistria doesn't like. Joe Jobs against sites dealing in Russian politics are quite common, and the messages do bear several hallmarks of being fakes.

Given that there is no evidence of malware on this site, the fishy nature of the spam and the topic areas of the site itself then I am minded to think that this is a Joe Job and bumerang.cc are not behind this spam run.

UPDATE 1 2014-06-24. Another variant..

From:     Bumerang News
Date:     24 June 2014 21:24
Subject:     SENSATION NEWS!Ukraine Will Wage War With Russia

Russia's War Against Ukraine! All at our web site. Just click on link below

">http://www.bumerang.cc/



Wednesday, 18 June 2014

"Scanned Image from a Xerox WorkCentre" spam with a malicious PDF attachment

The PDF spammers are busy today - this is the third time this particular malicious PDF has been spammed out to victims, first as a fake HSBC message, then a fake Lloyds message, and now a fake Xerox WorkCentre spam.
From:     Xerox WorkCentre
Date:     18 June 2014 13:41
Subject:     Scanned Image from a Xerox WorkCentre

It was scanned and sent to you using a Xerox WorkCentre Pro.

Sent by: [redacted]
Number of Images: 0
Attachment File Type: PDF

WorkCentre Pro Location: Machine location not set
Device Name: [redacted]

Attached file is scanned image in PDF format.
Adobe(R)Reader(R) can be downloaded from the following URL: http://www.adobe.com/
The payload is a malicious PDF that is identical to the HSBC and Lloyds spams.

Lloyds Bank Commercial Finance "Customer Account Correspondence" spam

Sent to the same targets and the same victim as this HSBC spam, this fake Lloyds Bank message comes with a malicious payload:
From:     Lloyds Bank Commercial Finance [customermail@lloydsbankcf.co.uk]
Date:     18 June 2014 12:48
Subject:     Customer Account Correspondence

This attachment contains correspondence relating to your customer account with Lloyds Bank Commercial Finance Ltd.

This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed.

If you have received this email in error please contact the individual or customer care team whose details appear on the statement.

This email message and its attachment has been swept for the presence of computer viruses.

Lloyds Bank Commercial Finance, No 1 Brookhill Way, Banbury, Oxfordshire OX16 3EL | www.lloydsbankcommercialfinance.co.uk
Ensuring that your PDF reader is up-to-date may help to mitigate against this attack.

HSBC "Unable to process your most recent Payment" spam

This convincing looking bank spam comes with a malicious PDF attachment:

From:     HSBC.co.uk [service@hsbc.co.uk]
Date:     18 June 2014 12:33
Subject:     Unable to process your most recent Payment

HSBC Logo

You have a new e-Message from HSBC.co.uk

This e-mail has been sent to you to inform you that we were unable to process your most recent payment.

Please check attached file for more detailed information on this transaction.

Pay To Account Number:   **********91
Due Date: 18/06/2014
Amount Due: £ 876.69

IMPORTANT: The actual delivery date may vary from the Delivery by date estimate. Please make sure that there are sufficient available funds in your account to cover your payment
beginning a few days before Delivery By date estimate and keep such funds available until the payment is deducted from your account.

If we fail to process a payment in accordance with your properly completed instructions, we will reimburse you any late-payment-related fees.

Copyright HSBC 2014. All rights reserved. No endorsement or approval of any third parties or their advice, opinions, information, products or services is expressed or implied by any information on this Site or by any hyperlinks to or from any third party websites or pages. Your use of this website is subject to the terms and conditions governing it. Please read these terms and conditions before using the website..
Attached is a malicious PDF file HSBC_Payment_9854711.pdf which has a VirusTotal detection rate of just 6/53. The Malwr report does not add much but can be found here.

Tuesday, 17 June 2014

Wells Fargo "Important docs" spam has a malicious PDF file

This fake Wells Fargo spam comes with a malicious PDF attachment:

From:     Raul.Kelly@wellsfargo.com
Date:     17 June 2014 18:50
Subject:     Important docs

We have received this documents from your bank, please review attached documents.

Raul Kelly
Wells Fargo Accounting
817-713-1029 office
817-306-0627 cell Raul.Kelly@wellsfargo.com

Investments in securities and insurance products are:
NOT FDIC-INSURED/NO BANK-GUARANTEES/MAY LOSE VALUE

Wells Fargo Advisors, LLC is a nonbank affiliate of Wells Fargo & Company, Member FINRA/SIPC. 1 North Jefferson, St. Louis, MO 63103

CONFIDENTIAL NOTICE: The contents of this message, including any attachments, are confidential and are intended solely for the use of the person or entity to whom the message was addressed. If you are not the intended recipient of this message, please be advised that any dissemination, distribution, or use of the contents of this message is strictly prohibited. If you received this message in error, please notify the sender. Please also permanently delete all copies of the original message and any attached documentation. Thank you.
The attachment is account_doc~9345845757.pdf which has a VirusTotal detection rate of 5/51. The Malwr report doesn't say much but can be found here.

Personal misfortune is not an excuse for spam

"Mark" is having a hard time. Left with huge bills after being treated for prostate cancer, he feels let down by his employer at the time who did not cover the treatment with their health insurance.

How do I know this? He spammed me to tell me about it. Several times.

From:     Mark ******* [me@mail.*****]
Date:     17 June 2014 07:25
Subject:     Please donate to help support my recovery from Localised Prostate Cancer

Hi
        please consider donating to help fund my financial recovery since I was treated for Localised Prostate Cancer.

Regards,

Mark *******

        © Mark ******* , All Rights Reserved.
                http://******* .net/
                        or
                http://******* .like.to/
                        or
                http://******* .like.to/
A web form is attached soliciting funds:


Because "Mark" has suffered enough, I am withholding his full name. I did the due diligence and checked that the originating IP links back to a mailserver on his own domain, so this isn't a Joe Job.

But personal misfortune is not an excuse to spam, and in this case "Mark" sent to the spam to some randomly generated recipients that don't actually exist. That sort of thing is very bad practice, and if you are trying to get donation sent to a PayPal account then it is a good way to get your account frozen.

"Ihre Festnetz-Rechnung für Juni 2014" Vodafone spam

Over the past few weeks I have seen a concerted attack on German language speakers with various fake invoices leading to a malicious ZIP download. Here is one example:

From: 1562404288-0002@rechnung.vodafone.de
Sent: 17 June 2014 09:00
Subject: Ihre Festnetz-Rechnung für Juni 2014 #3232853429
Importance: High

Ihre neue Rechnung ist online

Sehr geehrte Kundin, sehr geehrter Kunde,

Ihre Rechnung vom Juni 2014 ist jetzt für Sie zum Abruf bereit.
Ihre Festnetz-Rechnung für Juni 2014 #25-36-8114.zip.

Die Gesamtsumme beträgt 224,88 Euro.

Der Rechnungsbetrag wird frühestens 5 Tage nach Rechnungszustellung von Ihrem angegebenen Konto eingezogen.


Mit freundlichen Grüßen
Ihr Vodafone-Team 
Of course, this isn't from Vodafone at all. The link in the email goes to [donotclick]gabilevin.com/wp-includes/SimplePie/Net/vodafoneteam which downloads a ZIP file 2014_06rechnung_pdf_vodafone.zip which in turn contains the malicious executable 2014_06rechnungonline_pdf_vodafone_00930220374_53790190_82456.exe which has a low detection rate of 3/54 at VirusTotal.

The Malwr report shows that this performs a download from 204.93.183.196:8080/70144646/974aade0/ (Server Central, US) which in turn drops another malicious binary rqvupdate.exe which also has a detection rate of just 3/54. The Malwr report for that is here.

Friday, 13 June 2014

Something suspect on 38.84.134.0/24

This attack (assuming it is an attack) revolves around a bunch of domains hosted in 38.84.134.0/24 (HostZealot, UK).

It starts when a visitor visits the website click-and-trip.com hosted on 38.84.134.46 which purports to be some sort of hotel reservation system.

However, this URLquery report also shows a suspected Fiesta EK pattern and/or a TDS (Traffic Distribution System) URL. In the case of the report, the landing page is [donotclick]asasas.eu/yo416f8/counter.php?id=5 on 38.84.134.171 but this is one of those cases where the landing page seems to change quickly.

Both the "gateway" domain and "payload" domain share similarities in the WHOIS details. For click-and-trip.com it is:

Registrant Name: BERNARDO MINES
Registrant Organization: LA SAGRADA
Registrant Street: CARRER DE MALLORCA, 401
Registrant City: BARCELONA
Registrant State/Province: NON
Registrant Postal Code: 08013
Registrant Country: DE
Registrant Phone: +34.932073031
Registrant Phone Ext: 
Registrant Fax: +1.5555555555
Registrant Fax Ext:
Registrant Email: HANSBRUSE@YAHOO.COM

Well, Barcelona isn't in DE (Germany), so these contact details look awfully suspect. If we look at the WHOIS details for asasas.eu we see:

Name         Hans Bruse
Organisation hans inc
Language     German
Address      Am Forsthaus 9
             18209 Glashagen
             Germany
Phone        +49.382037295
Email        hansbruse@yahoo.com


Both addresses use the "hansbruse@yahoo.com" email address, and those German contact details for "Hans Bruse" are more convicining than "Bernado Mines".

The click-and-trip.com domain has been around since January and interestingly a dig back in time six months turns up slightly different contact details:

Registry Registrant ID:
Registrant Name: BERNARDO MINES
Registrant Organization: LA SAGRADA
Registrant Street: CARRER DE MALLORCA, 401
Registrant City: BARCELONA
Registrant State/Province: NON
Registrant Postal Code: 08013
Registrant Country: ES
Registrant Phone: +34.932073031
Registrant Phone Ext:
Registrant Fax: +1.5555555555
Registrant Fax Ext:
Registrant Email: GEFEST@ZMAIL.RU
Registry Admin ID: 


See the Russian email address? That gets some positive matches on Google linking it to a person called Aleksandr Filippovskiy (or Filippovskiy Aleksandr) who has been connected with malware sites before. So on balance, this thing looks rather suspicious.. even though those details could also be a smokescreen.

Reverse DNS on 38.84.134.171 shows three suspect domains with a similar naming pattern:

aaqaaq.eu
asasas.eu
ooaooa.eu

We can also check the IP's reputation at VirusTotal and it doesn't look great. However, if we extend a look to neighbouring servers, we can see a similar pattern of domains all the way from 38.84.134.162 to 38.84.134.171.


ioooiiio.eu 38.84.134.162
oieaa.com 38.84.134.162
dcfvfr.com 38.84.134.162
eiieei.com 38.84.134.162
ijueee.com 38.84.134.162
aoooaooa.com 38.84.134.162
acccaacccaaaa.pw 38.84.134.163
aaeeaae.com 38.84.134.163
ooioooii.com 38.84.134.163
azzaaazz.pw 38.84.134.164
axxaaaxxx.pw 38.84.134.164
aaooaaoaoaaa.pw 38.84.134.164
advantagefilm.pw 38.84.134.164
gthyuuuy.com 38.84.134.164
kujeikdkd.com 38.84.134.164
mijkuiiid.com 38.84.134.164
rfttyhuui.com 38.84.134.164
uyueueuee.com 38.84.134.164
oooiiiio.us 38.84.134.165
iiiiiiioooooooooo.us 38.84.134.165
hyujuuy.com 38.84.134.165
hyujyttr.com 38.84.134.165
nefdefeettyt.com 38.84.134.165
gthuueeed.us 38.84.134.166
eeeeaeeeea.us 38.84.134.166
aaeeeaaaeee.us 38.84.134.166
gtyuyyuuj.com 38.84.134.166
eedeeeedddd.eu 38.84.134.167
iyiiyyyiiiyy.eu 38.84.134.167
uoooouuuoo.pw 38.84.134.167
efefefeeeeee.pw 38.84.134.167
eaeaaaaaaeeeeee.pw 38.84.134.167
aaaaaaooooo.us 38.84.134.167
ioiiio.eu 38.84.134.168
aeaaeee.eu 38.84.134.168
aoaoooao.eu 38.84.134.168
oiioooiiii.pw 38.84.134.168
iaiaiaiaia.eu 38.84.134.169
axxazazaza.eu 38.84.134.170
jjjjajjiiiooo.eu 38.84.134.170
aaqaaq.eu 38.84.134.171
asasas.eu 38.84.134.171
ooaooa.eu 38.84.134.171

Older domains seem to use lower IP addresses, the pattern seems to be that domains are hosted in the range for a short time, then they are parked on what appear to be Namecheap parking IPs. Once the reputation of the IP is tarnished, then the domains move on to the next IP address.

The IPs in question roughly correspond to 38.84.134.160/28, but looking at the sites hosted in that range there is a gap of unused IPs all the way to 38.84.134.196.

Where these domains have identifiable WHOIS details, they conform to variants of the "Bernado Mines" persona, for example, acccaacccaaaa.pw:

Registrant ID:SVXABVV3KWVMGEKW
Registrant Name:Bernardo Mines
Registrant Organization:La Sagrada
Registrant Street1:Carrer de Mallorca, 401
Registrant City:Barcelona
Registrant State/Province:non
Registrant Postal Code:08013
Registrant Country:ES
Registrant Phone:+34.932073031
Registrant Fax:+1.5555555555
Registrant Email:ilokios@gmail.com


But we know that "Bernado Mines" also operates other IPs in this range, including techno6.com on 38.84.134.47 and a further examination of sites in the range shows aws-wireless.com on 38.84.134.14 which is registered to..

Registry Registrant ID:
Registrant Name: FILIPPOVSKIY ALEKSANDR
Registrant Organization: DOM
Registrant Street: YLICA BAYMANA. DOM 9.KORPYS A. KVARTIRA 106
Registrant Street: KVARTIRA 106
Registrant City: YOSHKAR OLA
Registrant State/Province: YOSHKAR OLA
Registrant Postal Code: 42400
Registrant Country: RU
Registrant Phone: +7.79276827596
Registrant Phone Ext:
Registrant Fax: +7.79276827596
Registrant Fax Ext:
Registrant Email: AWSWIRELESS@MAIL.COM


So we have Filippovskiy Aleksandr again

A look at all the hosts I can find in this range [csv] show nothing of value, and a load of cyberquatting and spam sites. On balance, I think that blocking the entire 38.84.134.0/24 range may be prudent, even if it is hard to tell exactly what is going on here.

"Equity Investment Limited" lottery scam still around after more than a decade

Scammers can be really stupid. Take these guys who are running a non-existent UK National Lottery / FIFA Brazil 2014 World Cup scam..


The scam is purportedly from a "Mrs Hilda Adams" references a fake company:

Equity Investment Limited
132 Blackburn Road
Bolton
BL7 9RP
England
UK
Tel: 00447924556231
Email: uklclaims@mail.com

Some key parts of the email are:
Reference: EKS255125600304
Ticket number: 034-1416-4612750

But search for "Equity Investment Limited" on just about any search engine and the first hit you will get is an article I wrote way back in 2003 about a lottery scam using a company of exactly the same name.

The email address is a throwaway free email account, the telephone number looks like it is British but in fact it a forwarding number provided by Cloud9  which could potentially forward calls to anywhere in the world. This type of "follow me anywhere" number is often abused by scammers. As for the address.. well, it's unlikely that whoever lives at that address is anything to do with this at all.

Luckily, most people who run lottery scams have the intelligence of a box of rocks. And it seems that quite a few of their victims have heard of a thing called a search engine..

Something evil on 64.202.123.43 and 64.202.123.44

This is one of those ephemeral traces of malware you sometimes see, like a will-o'-the-wisp. Something seems to be there, but on closer examination it has vanished. But this isn't an illusion, it seems to be a cleverly constructed way of distributing malware which pops up and then vanishes before anyone can analyse it.

The source of the infection seems to be a malvertisement on one of those sites with an immensely complicated set of scripts running on all sort of different sites, including those low-grade ad networks that have a reputation for not giving a damn about what their advertisers are doing.

In this case, the visitor gets directed to a page at 12ljeot1.wdelab.com/ijvdg2k/2 which got picked up with a generic malware detection.. but by the time anyone gets to investigate the domain it is mysteriously not resolving.

What appears to be happening is that the bad guys are publishing the malicious subdomains only for a very short time, then they stop it resolving and they publish another one. And one thing all these domains have in common is that they are using afraid.org for nameserver services.

A bit of investigation shows that this malware is hosted on a pair of servers at 64.202.123.43 and 64.202.123.44 (HostForWeb, US), and despite that bad guys efforts they do leave a trace on services such as VirusTotal [1] [2] and URLquery [3]. This particular URLquery report shows indications of the Fiesta EK.

The attackers are covering their traces by using legitimate hijacked domains, the owners of which may not even be aware of the problem. Despite there being a large number of subdomains, I can only spot sixdomains being abused:

theholdens.org
denytech.com
jonmills.org
wdelab.com
dimatur.pt
hebel.ch

A full list of the subdomains that I have found so far can be found here [pastebin].

A look at the 64.202.123.0/24 block shows a mix of legitimate sites, plus some spammy ones and quite a lot that look malicious. If you are running a high-security environment then you might want to block this who range. Else, I would recommend the following minimum blocklist:

64.202.123.43
64.202.123.44
theholdens.org
denytech.com
jonmills.org
wdelab.com
dimatur.pt
hebel.ch

Thursday, 12 June 2014

pcwelt.de hacked, serving EK on 91.121.51.237

The forum of popular German IT news site pcwelt.de has been hacked and is sending visitors to the Angler exploit kit.

Visitors to the forum are loading up a compromised script hxxp://www[.]pcwelt[.]de/forum/map/vbulletin_sitemap_forum_13.xml.js which contains some Base64 obfuscated malicious code (see Pastebin here) which uses a date-based DGA (domain generation algorithm) to direct visitors to a URL with the following format:

[7-or-8-digit-hex-string].pw/nbe.html?0.[random-number]

The .pw domain contains Base64 encoded data which points to the payload kit, in this case [donotclick]exburge-deinothe.type2consulting.net:2980/meuu5z7b3w.php (Pastebin) which is hosted on 91.121.51.237 (OVH, France). This appears to be the Angler EK.

It looks like the EK domains rotate regularly, but the following sites can be observed on this address:

ingetrekte.valueoptimizationfrontier.com
shellshellwillbomb.type2consulting.net
voorspannenzl.valueoptimizationfrontier.com
tourmenterai.afiduciaryfirst.com
kingyoku.typetwoconsulting.com
mittelbau.typetwoconsulting.com
yogeespith1.typetwoconsulting.com
rozrzewnienie.typetwoconsulting.com
geschaeftlichen.typetwoconsulting.com
kyhtyy-pimprinum.typetwoconsulting.com
jezuietendriesthe.typetwoconsulting.com
depolitsuperconfusion.typetwoconsulting.com
degivreraitdeorganization.typetwoconsulting.com
sknktekonzile-streelsters.typetwoconsulting.com
shogunalbeschenktet.viverebenealcaldo.com
subigi.valueoptimizationfrontier.com
totalize.valueoptimizationfrontier.com
puyaljoukou.valueoptimizationfrontier.com
weisungsgemaess.valueoptimizationfrontier.com
kezune-palpitera.valueoptimizationfrontier.com
remorquervltimme.valueoptimizationfrontier.com
clackdisfundamellemting.valueoptimizationfrontier.com
doscall.type2consulting.net
pehmoilla.type2consulting.net
moariesubigissem.type2consulting.net
unvigilant-straucht.type2consulting.net
mycetozoanreassesses.type2consulting.net

It is worth noting that these domains appear to have been hijacked from a GoDaddy customer:
type2consulting.net
valueoptimizationfrontier.com
typetwoconsulting.com
afiduciaryfirst.com

The following .pw sites are live right now, hiding behind Cloudflare:
7411447a.pw
31674ec.pw
e4ae59eb.pw
95bded0e.pw

Recommended blocklist:
91.121.51.237
type2consulting.net
valueoptimizationfrontier.com
typetwoconsulting.com
afiduciaryfirst.com
7411447a.pw
31674ec.pw
e4ae59eb.pw
95bded0e.pw
(and if you can block all .pw domains then it is probably worth doing that too)

Thanks to the #MalwareMustDie crew and Steven Burn for help with this analysis.

Wednesday, 11 June 2014

Fake RBS spam spreads malware via Cubby.com

This fake bank spam downloads malware from file sharing site cubby.com:

From:     Sammie Aaron [Sammie@rbs.com]
Date:     11 June 2014 12:20
Subject:     Important Docs

Please review attached documents regarding your account.

To view/download your documents please click here

Tel:  01322 215660
Fax: 01322 796957
email: Sammie@rbs.com

This information is classified as Confidential unless otherwise stated. 

The download location is [donotclick]www.cubby.com/pl/Document-772976_829712.zip/_e97c36c260ed454d8962503b18e37e86 which downloads a file Document-772976_829712.zip which in turn contains a malicious executable Document-772976_829712.scr which has VirusTotal detection rate of just 1/54.

Automated analysis tools [1] [2] [3] [4] show that it creates a file with the disincentive name googleupdaterr.exe and attempts to communicate with the following IPs:
85.25.148.6 (Intergenia AG, Germany)
192.99.6.61 (OVH, Canada)
217.12.207.151 (ITL Company, Ukraine)

(Plain list)
85.25.148.6
192.99.6.61
217.12.207.151

Tuesday, 10 June 2014

"You have received a voice mail" spam downloads malware from Dropbox

Another fake voice message spam, and another malware attack downloading from Dropbox.

From:     Microsoft Outlook [no-reply@victimdomain]
Date:     10 June 2014 15:05
Subject:     You have received a voice mail

You received a voice mail : VOICE437-349-3989.wav (29 KB)
Caller-Id: 437-349-3989
Message-Id: U7C7CI
Email-Id: [redacted]

Download and extract the attachment to listen the message.

We have uploaded fax report on dropbox, please use the following link to download your file:

https://www.dropbox.com/meta_dl/eyJzdWJfcGF0aCI6ICIiLCAidGVzdF9saW5rIjogZmFsc2UsICJzZXJ2ZXIiOiAiZGwuZHJvcGJveHVzZXJjb250ZW50LmNvbSIsICJpdGVtX2lkIjogbnVsbCwgImlzX2RpciI6IGZhbHNlLCAidGtleSI6ICIxeWEwMGx3enQ1aWdpOXEifQ/AANABss7_JqczoocZG5p_SjA659fq_BNbEs6hyC4CqDuBA?dl=1
Sent by Microsoft Exchange Server
The link downloads a file VOICE-864169741-28641.zip which in turn contains a malicious executable VOICE-864169741-28641.scr which has a VirusTotal detection rate of 4/52. Automated analysis [1] [2] [3] [4] indicates that it downloads files from the following domains:

newsbrontima.com
yaroshwelcome.com
granatebit.com
teromasla.com
rearbeab.com


Monday, 9 June 2014

"inovice 2110254 June" spam

This terse but badly-spelled spam has a malicious attachment:

Date:      Mon, 09 Jun 2014 18:03:10 +0530 [08:33:10 EDT]
From:      Ladonna Gray [wtgipagw@airtelbroadband.in]
Subject:      inovice 2110254 June

This email contains an invoice file attachment 
Attached is an archive file invoice_2110254.zip which in turn contains the malicious executable invoice_98372342598730_pdf.exe which has a VirusTotal detection rate of 4/52. Automated analysis tools are not able to determine exactly what the malware does.

UPDATE 1: A Malwr analysis of the malware can be found here. It makes the following HTTP connections:
[donotclick]62.76.189.58:8080/dron/ge.php
[donotclick]62.76.41.73:8080/tst/b_cr.exe


It also drops a file KB05152056.exe which has a VirusTotal detection rate of 5/51. Analysis is pending.

UPDATE 2: the Malwr analysis of the second binary is here. This makes a connection to 62.76.185.30.

All the IP addresses listed belong to Clodo-Cloud in Russia:
62.76.41.73
62.76.185.30
62.76.189.58


Although there are probably some legitimate sites in these ranges, you might want to consider blocking the following if you feel like it:
62.76.40.0/21
62.76.184.0/21




Saturday, 7 June 2014

Institute of Project Management America (instituteofprojectmanagementamerica.org). Is this a scam?


Three years ago I was spammed by an organisation called the North American Program Planning and Policy Academy (NAPPPA) which was attempting to get me to sign up for some seminars. It looked like a scam at the time, and it still looks like a scam now.

It took me a year of sporadic research to come up with the names of the people running the scam. Anthony Christopher Jones (known sometimes as "Tony Jones") and Patchree Patchrint (known as "Patty Patchrint"). After exposing them and detailing some of the evidence against them, NAPPPA, Jones and Patchrint dropped out of view. I assumed that this was the cockroach effect.. switch the lights on, and those roaches scurry for cover.

It looks like I was wrong.

A unexpected comment on my blog post opened up a new line of investigation.
Lem said...

I wish I would have found this blog prior to teaching a course for the Institute of Project Management America (IPMA). www.instituteofprojectmanagementamerica.org
The student certificates were signed by none other than Anthony C. Jones. Needless to say, I have not been paid nor the facility that hosted the training. I plan to sue them. In addition, there is a Patty Jones serving as the administrator/front person for IPMA. Perhaps his spouse. If anyone has any additional information about them, please share.
6 June 2014 22:25 
Could this be the same Anthony C Jones and Patty Jones (or Patchree Patchrint) that ran NAPPPA?

A look at instituteofprojectmanagementamerica.org shows an unremarkable site, but one which is carefully devoid of any contact details. The WHOIS records for the domain are hidden, and the only contact data that can be found are the telephone numbers  888-859-5659 and 866-959-3543.


The logo on the website has been recycled from elsewhere  and otherwise the template is bland, professional looking but completely anonymous.

A close look at the hosting history shows a number of related sites, either which are direct clones of instituteofprojectmanagementamerica.org or are previous versions. A full list is at the end of the post in Appendex 1, but principle domain names in use are:
americanprojectmanagementusa.org
instituteofprojectmanagementamerica.org
instituteofprojectmanagementamerica2.org
instituteofprojectmanagementamerica3.org
instituteofprojectmanagementamerica4.org
ipma5.org
ipma6.org
ipma7.org
mastercoursedevelopment.org
projectmanagementusa.org
projectmanagementusa1.org
projectmanagementusa2.org
projectmanagementusa3.org
The ones in the format projectmanagementusa3.org go all the way up to projectmanagementusa212.org. Who needs 212 copies of the same website? Well, spammers use these techniques to evade blacklisting.

The domains americanprojectmanagementusa.org  and projectmanagementusa.org are rather interesting as it is an older generation of the "Institute of Project Management America" spam site entitled "American Project Management" (you can see them at the Internet Archive).




A quick search against the phone number listed on that site (213-293-7410, 877-359-1110 and 888-739-0821) lead us to a BBB report with an alert to say the business has ceased trading.






The BBB indicates that this is a Colorado business, but a search of State records shows that there is no such business of that name registered in that state.

But a further Google search of the phone numbers also brings up this document at Scribd outlining the so-called American Project Management outfit and its activities [pdf copy here]. And who uploaded the document? A user called ppatchrint. That is undoubtedly Patchree Patchrint.


This document gives a California address rather than a Colorado one:
American Project Management
645 W. 9th Street
Unit 110-603
Los Angeles, CA 90015



So this gives us a clue to search the state records in California. An LLC search for "Institute of Project Management America" comes up blank, but a search for "American Project Management" comes up with a hit for "DDGLA AMERICAN PROJECT MANAGEMENT, LLC"


Now, I know that "DDGLA American Project Mangement LLC" is not quite the same thing  as "America Project Management", but the "645 WEST 9TH ST STE 110-603" address is the same as "645 W. 9th Street, Unit 110-603" as seen in the Scribd document. So there's a high likelihood that this is a match.. but there's no real contact information for this company.

But what does DDGLA actually stand for? I've been down this particular path with the NAPPPA investigation, so I know that DDGLA actually stands for "DOSS Development Group Los Angeles". A search for DOSS DEVELOPMENT GROUP at the California secretary of state reveals a name behind that company. And you've probably already guessed that it is Patchree Patchrint aka Patty Jones.


So, between the blog comments, the Scribd document and data held by the California Secretary of State, there are now three points of evidence linking the "Institute of Project Management America" and "American Project Management" with Patchree Patchrint aka Patty Jones and Anthony Christopher Jones.

So, is it a scam?

I haven't personally seen any spam promoting this so-called institute, but that was the basic approach with NAPPPA. Millions of credible-looking spam emails were sent out to universities and other organisations, that were published in good faith (such as this one).

Project Management Masters Certification Program

June 10-13, 2014
Association of Research and Enlightenment of New York
The PMMC is designed for those seeking professional project management certification.
PMMC program provides 36 hours of project management education, meeting education requirements for both PMI's Certified Associate in Project Management (CAPM) ® and Project Management Professional (PMP) certifications. The program meets the education requirement for all professional designations through the Project Management Institute and other professional agencies. Additionally, the program awards 3.6 Continuing Education Units (CEUs) upon request. Tuition for the four-day Project Management Masters Certification program is $995.00

Participants may reserve a seat online at the website, or by calling the Program Office toll-free at (888) 859-5659

Go to: http://www.instituteofprojectmanagementamerica.org/
What happened with NAPPPA is that these courses appeared to be booked at universities throughout the US, presumably to give them an air of authenticity. But at the last moment the venue for the course got moved to somewhere off-campus, people drafted in to teach the course never got paid and many students complained that the courses were of low quality. I don't doubt that the same is happening here.

In fact, this scam has been going on for a long time. Before the Institute of Project Management America, American Project Management and North American Program Planning and Policy Academy there were another similar scammy outfits.

The "Institute for Communication Improvement, LLC" (aka "The Grant Institute") seems to be the best known. For example:
The evidence seems to show that in one form or another the business has been running since 2005 or 2006, only now it is charging victims nearly a thousand dollars a pop for a course of questionable value.

Given the history of this pair, it is my personal opinion that the Institute of Project Management America is a scam. Indeed, DDGLA American Project Management LLC have already been successfully sued in California over their unethical operations.

Who are Anthony Christopher Jones and Patchree Patchrint (Patty Jones)?

I coverered this pair before, a California-based husband-and-wife team with links to Hacienda Heights and Los Angeles. In addition to the programs listed above, they have run a number of (mostly failed) LA based restaurants such as Mother Road, Mode, and the Royale on Wilshire.

DDGLA is also associated with the following (apparently defunct) websites:
  • ddglacommercial.com
  • pettycashadvance.com
  • bankddgla.com
  • ddglafinancial.com

What should you do if you are unhappy with the Institute of Project Management America?

I don't live in the US so I'm not 100% familiar with the processes that you can use. But if you think you have been ripped-off then complaining the the BBB, your local Attorney General, law enforcment or the courts seem to be a way to go. I don't have a current address for this pair however, if you manage to turn one up then I can share it if you send me an email.

Appendix 1:
These are a selection of the domains and IPs used. There are hundreds of other ones, especially in in the format projectmanagementusa111.org .

americanprojectmanagementusa.org
instituteofprojectmanagementamerica.org
instituteofprojectmanagementamerica2.org
instituteofprojectmanagementamerica3.org
instituteofprojectmanagementamerica4.org
ipma5.org
ipma6.org
ipma7.org
mastercoursedevelopment.org
projectmanagementusa.org
projectmanagementusa1.org
projectmanagementusa2.org
projectmanagementusa3.org
projectmanagementusa4.org
projectmanagementusa5.org
projectmanagementusa6.org
projectmanagementusa7.org
projectmanagementusa8.org
projectmanagementusa9.org
projectmanagementusa10.org
projectmanagementusa11.org
projectmanagementusa12.org
projectmanagementusa13.org
projectmanagementusa14.org
projectmanagementusa15.org
projectmanagementusa16.org
projectmanagementusa17.org
projectmanagementusa18.org
projectmanagementusa19.org
projectmanagementusa20.org
projectmanagementusa22.org
projectmanagementusa28.org
projectmanagementusa31.org
projectmanagementusa32.org
projectmanagementusa36.org
projectmanagementusa37.org
projectmanagementusa38.org
projectmanagementusa39.org
projectmanagementusa41.org
projectmanagementusa43.org
projectmanagementusa44.org
projectmanagementusa46.org
projectmanagementusa77.org
projectmanagementusa92.org
projectmanagementusa99.org
projectmanagementusa100.org
projectmanagementusa111.org
projectmanagementusa114.org
projectmanagementusa143.org
projectmanagementusa157.org
projectmanagementusa210.org
projectmanagementusa212.org
23.94.13.183
23.249.165.7
37.59.255.192
50.2.193.25
63.223.125.56
63.223.125.58
64.37.51.2
64.37.51.10
64.37.51.19
64.37.51.45
64.37.51.80
64.37.51.107
64.37.51.110
64.37.51.112
67.23.232.6
67.23.238.35
67.23.238.36
67.23.242.154
67.23.242.181
67.222.130.43
75.127.3.76
96.44.146.44
96.44.189.189
107.155.68.39
107.158.160.92
107.161.114.135
107.161.158.57
107.178.105.133
108.160.156.59
108.174.54.119
109.169.37.185
109.169.56.251
109.169.58.167
109.169.63.171
109.169.64.155
109.169.64.158
109.169.64.184
109.169.64.196
109.169.64.211
109.169.87.169
142.0.39.203
142.0.42.156
162.221.176.120
162.244.77.138
162.248.211.236
172.245.33.189
172.245.44.90
172.245.44.144
172.245.44.189
172.245.136.161
173.232.104.208
192.3.1.155
192.3.121.202
192.3.161.123
192.3.161.130
192.40.57.130
192.198.90.160
192.210.137.134
192.210.138.205
192.210.142.101
192.210.211.112
192.227.166.167
192.227.182.169
198.23.167.152
198.23.242.196
198.49.73.17
198.143.0.171
198.143.1.71
199.168.142.113
199.204.23.35
199.204.23.129
199.204.23.151
199.204.184.164
199.233.232.177
199.241.191.215
209.105.248.47



Thursday, 5 June 2014

dedicatedpool.com.. spam or Joe Job?

I received a number of spam emails mentioning a Bitcoin mining website dedicatedpool.com, subjects spotted are:

Subject: Bitcoins are around you - don't miss the train!
Subject: Dedicatedpool.com business proposal (Save up on taxes)
Subject: Make money with darkcoin and bitcoin now!
Body text:

Hello,
Have you heard about bitcoins? I bet you did. Do you know how to make
money on it? Don.t worry, we are professionals in bitcoin and alternative
cryptocurrencies world and we will help you monetize your computing
hardware into bitcoins in no time. Come and joins us at
http://dedicatedpool.com and join our IRC chat at
http://dedicatedpool.com/?page=about&action=chat
--
Ryan, dedicatedpool.com support/admin

------------------------

Don't want Government to steal your money?
Join us at http://dedicatedpool.com and learn how you can save up on
taxes by using bitcoin, darkcoin and other cryptocurrencies!
We will provide you with detailed instructions on how to set up all
hardware in your house and start keeping your money instead of paying
taxes. 100% legal!
Please register at http://dedicatedpool.com

--
Ryan, dedicatedpool.com support/admin

------------------------

Do you have income but you don't want Obama to steal it from you? Come and
join us and turn your electricity cost into cash!
The only pool you can trust - come and mine bitcoins/altcoins with us. We
will provide you detailed guide on how to setup equipment in your house
that will turn electricity into bitcoins!
No taxes no problems: http://Dedicatedpool.com/
--
Ryan, dedicatedpool.com support/admin

However, the pattern of the spam looks like a Joe Job rather than some horribly misguided attempt to market the website. There are several signs that make it look like someone is trying to cause trouble for the site operators:
  1. The spam was sent repeatedly to a spamcop.net address, the type of address that would have a high probability of filing an abuse report. I call this a "reverse listwash".
  2. The spam mentions the established dedicatedpool.com website repeatedly (rather than using some sort of redirector) but the originating IPs appear to be from an illegal botnet (see note 1). The use of a botnet indicates a malicious intent.
  3. Spammers don't tend to include personal details of any sort in their messages, but the inclusion of "Ryan" (who does genuinely appear to be the administrator) seems suspicious.
 In my opinion, the balance of probabilities is that this is not sent out by dedicatedpool.com themselves, but is sent out by someone wanting to disrupt their business.

Note 1: I have seen the following IPs as originating the spam..
188.54.89.107
92.83.156.130
31.192.3.89
37.99.127.11
87.109.78.213


Wednesday, 4 June 2014

Amazon.com spam / order.zip

This fake Amazon spam has a malicious attachment:

Date:      Wed, 04 Jun 2014 11:55:10 +0200 [05:55:10 EDT]
From:      "Amazon.com"
Subject:      Shipping Confirmation : Order #002-1301707075-0206502025

Amazon
Your Recommendations
     |      Your Orders      |      Amazon.com
Shipping Confirmation
Order #002-1660680038-7011611870
Hello ,
Thank you for shopping with us. We'd like to let you know that Amazon has received your order, and is preparing it for shipment. Your estimated delivery date is below. If you would like to view the status of your order report is attached here.
This email was sent from a notification-only address that cannot accept incoming email. Please do not reply to this message.

Attached to the spam is an archive file order.zip which in turn contains a malicious executable order_id_26348273894729847239.exe which has a VirusTotal detection rate of 4/51.

Automated analysis tools [1] [2] [3] shows the malware altering system files and creating a fake csrss.exe and svhost.exe to run at startup.

The malware also attempts to phone home to two IP addresses at 91.226.212.32 and 193.203.48.37 hosted in Russia but controlled by a Ukranian person or entity PE Ivanov Vitaliy Sergeevich. These network blocks are well-known purveyors of crapware, and I recommend that you block the following:

91.226.212.0/23
193.203.48.0/22

Thursday, 29 May 2014

More eFax / Dropbox malware spam

This fake eFax message downloads malware from Dropbox, similar to yesterday's attack but with different binaries:

From:     Incoming Fax [no-reply@efax.co.uk]
Date:     29 May 2014 10:26
Subject:     INCOMING FAX REPORT : Remote ID: 499-364-9797

*********************************************************
INCOMING FAX REPORT
*********************************************************

Date/Time: Thu, 29 May 2014 18:26:56 +0900
Speed: 4360bps
Connection time: 07:09
Pages: 9
Resolution: Normal
Remote ID: 915-162-0353
Line number: 0
DTMF/DID:
Description: Internal report

We have uploaded fax report on dropbox, please use the following link to download your file:

https://www.dropbox.com/meta_dl/[redacted]
The malicious download is from [donotclick]www.dropbox.com/meta_dl/eyJzdWJfcGF0aCI6ICIiLCAidGVzdF9saW5rIjogZmFsc2UsICJzZXJ2ZXIiOiAiZGwuZHJvcGJveHVzZXJjb250ZW50LmNvbSIsICJpdGVtX2lkIjogbnVsbCwgImlzX2RpciI6IGZhbHNlLCAidGtleSI6ICJvempiZ256bDM2aGRlMTgifQ/AAKxr3bqwwmIfwE_cp_xalkzMz7tKRtiivmPhViZTBLBkA?dl=1 which is an archive file FAX-21651_7241.zip which in turn contains the malicious executable FAX-21651_7241.scr

This binary has a VirusTotal detection rate of 6/53 and the Malwr report shows that it downloads a file from soleilberbere.com/images/2905UKdw.tar which subsequently drops a file eucis.exe with a VirusTotal detection rate of just 3/51. Automated reports [1] [2] are pretty inconclusive as to what this does.

Wednesday, 28 May 2014

"TPPCO" PPI SMS spam

Despite some high-profile recent cases where SMS spammers have been busted by the ICO, the wave of spam seems to be continuing. This one came less than an hour ago from +447729938098.
Unsure if you qualify for a refund of PPI paid on a loan or credit card? Reply PPI and we will run a no obligation check or reply STOP to opt out. TPPCO
I have no idea who "TPPCO" are, but they are a common sender of these spam message. In this case, the spam was sent to a number that is TPS registered, and I believe that the approach is fraudulent in any case - in most cases the spammers will get paid for a lead even if it turns out that the claimant wasn't eligible.

If you get one of these, you should forward the spam and the sender's number to your carrier. In the came of T-Mobile, O2 and Orange the number to report to is 7726 ("SPAM"). Vodafone customers should use 87726 ("VSPAM") and Three customers should use 37726 ("3SPAM"). Carriers and the ICO are cracking down on these scumbags, but they need reports from victims to gather enough evidence.

You can also report persistent spam like this via the ICO's page on the subject, which might well end up in the spammers getting a massive fine.

eFax message from "unknown" spam downloads malware from Dropbox

This fake eFax message downloads malicious content from a Dropbox link.

From:     eFax [message@inbound.efax.com]
Date:     28 May 2014 13:12
Subject:     eFax message from "unknown" - 1 page(s), Caller-ID: 1-949-698-5643

Fax Message [Caller-ID: 1-949-698-5643
You have received a 1 page fax at Wed, 28 May 2014 09:11:44 GMT.

* The reference number for this fax is atl_did1-1400166434-95058563842-154.

Click here to view this fax using your PDF reader.

Please visit www.eFax.com/en/efax/twa/page/help if you have any questions regarding this message or your service.

Thank you for using the eFax service!

       

j2 Global | eFax | eVoice | FuseMail | Campaigner | KeepItSafe | OneBox

2014 j2 Global, Inc. All rights reserved.
eFax is a registered trademark of j2 Global, Inc.

This account is subject to the terms listed in the eFax Customer Agreement.
The telephone number will vary from spam-to-spam, but the download link seems consistent and is [donotclick]dl.dropboxusercontent.com/s/uk0mlaixvbg52g2/Fax_938_391102933_1245561.zip?dl=1&token_hash=AAEUA5cH_mfvkp4l4CePv7t100XZKo4GBq6ZxY1UiElKyQ&expiry=1401269894 which leads to a ZIP file Fax_938_391102933_1245561.zip which unzips to a malicious executable Fax_938_391102933_1245561.scr.

This binary has a VirusTotal detection rate of 6/53. Automated reporting tools [1] [2] show a download from landscaping-myrtle-beach.com/wp-content/uploads/2014/05/2805UKdw.dkt which in turn drops the following files:
This last one makes a connection to innogate.co.kr for unknown reasons.

Recommended blocklist:
landscaping-myrtle-beach.com
innogate.co.kr





Friday, 23 May 2014

Fake NatWest email downloads malware via Dropbox

This fake NatWest email follows the same pattern as this one except that it is downloading malware via Dropbox rather than Bitly.

From:     NatWest.co.uk [noreply@natwest.co.uk]
Date:     23 May 2014 11:36
Subject:     NatWest Statement

 View Your May 2014 Online Financial Activity Statement


Keep track of your account with your latest Online Financial Activity Statement from NatWest Bank. It's available for you to view at this secure site. Just click to select how you would like to view your statement:


View/Download as a PDF

View all EStatements

So check out your statement right away, or at your earliest convenience.

Thank you for managing your account online.

Sincerely,

NatWest Bank


Please do not respond to this e-mail. If you have any questions about this inquiry message or your NatWest Bank account, please speak to a Customer Service representative at +44 121 635 1592


NatWest Bank Customer Service Department

P.O. Box 414 | 38 Strand, WC2N 5JB, London

Copyright 2014 NatWest Company. All rights reserved.

AGNEUOMS0006001

The link in the email goes to [donotclick]dl.dropboxusercontent.com/s/h8ee7pet8g3myfh/NatWest_Financial_Statement.zip?dl=1&token_hash=AAGNPq4-blG8MXToyYPu1l8lXEyrOQNz6EjK7rUBRaSHGg&expiry=1400838977 which downloads an archive file NatWest_Financial_Statement.zip which in turn contains the malicious executable NatWest_Financial_Statement.scr. This has a VirusTotal detection rate of just 3/52.

Automated analysis tools [1] [2] show that it downloads a component from [donotclick]accessdi.com/wp-content/uploads/2014/04/2305UKmw.zip

The Malwr analysis shows that it then downloads some additional EXE files:
 As is typical with the attack, the payload appears to be P2P/Gameover Zeus/Zbot.

Thursday, 22 May 2014

lormaneducation.net / lorman.com "Lorman Education" spam

These spammers are sending to email addresses they have guessed by parsing my website.

From:     Toni Klawiter - Lorman Education [customerservice@lormaneducation.net]
Date:     22 May 2014 16:18
Subject:     Status Classification: Exempt vs. Nonexempt
Signed by:     lormaneducation.net

        
Seminars     Live Webinars
   
OnDemand     Membership
   

Status Classification: Exempt vs. Nonexempt

OnDemand Webinar - 93 Minutes

Learn How To:

    Identify general principles under the Fair Labor Standards Act.
    Explain salary requirements and the highly compensated employee exemption.
    Review what an employer can do to assure classifications are accurate and minimize risks.
    Discuss the executive, administrative, professional and computer professional duties tests.

More Information


Faculty

 Michael A. Pavlick
Michael A. Pavlick
K&L Gates LLP

The link in the email goes to lormaneducation.net and then forwards immediately to lorman.com, which is a typical technique that spammers use to try to avoid getting blacklisted.

lormaneducation.net is hosted on 64.77.120.67 (Peer 1, US) along with these following domains which look similarly spammy:

askthefaculty.com
hospitalityandtourismtraining.com
hospitalityandtourismtraining.net
instituteofpropertymanagement.com
instituteofpropertymanagement.net
insurancetrainingresource.com
insurancetrainingresource.net
investmentadvisortraining.com
investmentadvisortraining.net
lorman-education.net
lorman-webinar.com
lorman-webinars.com
lorman.com
lormancontinuingeducation.com
lormaneducation.com
lormaneducation.net
lormaneducationwebinar.com
lormaneducationwebinars.com
lormanondemand.com
lormanpartner.com
lormanseminars.com
lormanseminars.net
lormanteleconferences.com
lormanteleconferences.net
lormantraining.com
lormantraining.net
lormanwebinar.com
lormanwebinars.com

The WHOIS details on the lormaneducation.net spamvertised domain are:

    Admin Name: Webmaster
    Admin Organization: Lorman Education Group, Inc.
    Admin Street: PO Box 509
    Admin City: Eau Claire
    Admin State/Province: WI
    Admin Postal Code: 54702-0509
    Admin Country: US
    Admin Phone: +1.7158333940
    Admin Phone Ext:
    Admin Fax:
    Admin Fax Ext:
    Admin Email: webmaster@lorman.com


Spam originates from 184.175.164.1 (US Signal) in a range suballocated to Lorman that you might want to block traffic from of 184.175.164.0/26.

If this company thinks that promoting its seminars through spam is a legitimate way of promoting a business then I would personally give their "seminars" a very wide berth.