More from this prolific spammer that I'm calling F3Y for the moment (because the fake email address in the WHOIS details always consists of a Female name plus 3 numbers and is hosted by Yahoo!).
The IP addresses belong to Global Layer BV in the US, who say that they have already terminated the spammers.
IPs:
162.222.193.53
162.222.193.54
162.222.193.55
162.222.193.56
162.222.193.58
Domains:
improvewindowshutters.mobi
entirerussianbrides.mobi
med-enrollmentpick.mobi
starmiraclecure.mobi
mostasiandating.mobi
Example subjects:
Re: Timberlane - The World's Finest Handcrafted Shutters Catalog: 5825659
Hey, Ilsa, Sasha, Sonya and others want to say Hello
Re: Are you still eligible to change your Medicare Plan? Find out today. Notice #3850150
Fwd: 5 Diseases You Thought Couldn't Be Cured, Blog: 16602444
Hey, Meet Ming our top pick of the week. No. 15318724
Fake WHOIS details:
Registrant ID:657a6ba9372a5461
Registrant Name:Alisons Foley
Registrant Organization:n/a
Registrant Street1:6418 N Us Highway 41
Registrant City:Jacksonville
Registrant State/Province:FL
Registrant Postal Code:33572
Registrant Country:US
Registrant Phone:+1.8136490339
Registrant Email:alisonsfoleym634@yahoo.com
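The "F3Y" naming convention above (female name, three digits, a Yahoo mailbox, usually no organisation and often a placeholder phone or fax number) is easy to check mechanically. The following is an added example, not code from the original post: it parses the `Registrant Key:Value` lines as quoted on this page and scores the record. The sample records are copied from the WHOIS details quoted on this page; the scoring thresholds are my own assumption and the e-mail test alone would also match a legitimate `john123@yahoo.com`, so it is a heuristic for triage, not proof.

```python
import re

# Heuristic for the "F3Y" registrant pattern: a first name + surname (5+ letters),
# exactly three digits, hosted at Yahoo. Heuristic only; see the lead-in.
F3Y_EMAIL = re.compile(r"^[a-z]{5,}\d{3}@yahoo\.com$")
PLACEHOLDER_PHONES = {"+1.5555555555"}

# Accepts both "Key:Value" and "Key: Value", as the registrars quoted on this page emit.
_FIELD = re.compile(r"^\s*Registrant\s+(?P<key>[A-Za-z0-9 /]+?)\s*:\s*(?P<val>.*?)\s*$")


def parse_whois_registrant(text):
    """Parse 'Registrant Key:Value' lines into a dict keyed without the 'Registrant ' prefix."""
    record = {}
    for line in text.splitlines():
        m = _FIELD.match(line)
        if m:
            record[m.group("key")] = m.group("val")
    return record


def f3y_indicators(record):
    """Return the list of reasons this registrant record looks like a throwaway identity."""
    hits = []
    if F3Y_EMAIL.match(record.get("Email", "").strip().lower()):
        hits.append("e-mail matches name+3digits@yahoo.com")
    if record.get("Organization", "").strip().lower() in ("", "n/a"):
        hits.append("no organisation")
    for field in ("Phone", "Fax"):
        if record.get(field, "").strip() in PLACEHOLDER_PHONES:
            hits.append(f"placeholder {field.lower()} number")
    return hits


def looks_like_f3y(record):
    """The e-mail pattern plus at least one corroborating sign (assumed threshold)."""
    hits = f3y_indicators(record)
    return any(h.startswith("e-mail matches") for h in hits) and len(hits) >= 2


# Sample records copied from the WHOIS details quoted on this page.
ALISON_FOLEY_WHOIS = """\
Registrant ID:657a6ba9372a5461
Registrant Name:Alisons Foley
Registrant Organization:n/a
Registrant Street1:6418 N Us Highway 41
Registrant City:Jacksonville
Registrant State/Province:FL
Registrant Postal Code:33572
Registrant Country:US
Registrant Phone:+1.8136490339
Registrant Email:alisonsfoleym634@yahoo.com
"""

JENNY_DAVIES_WHOIS = """\
Registrant Name: JENNY DAVIES
Registrant Organization:
Registrant Street: 17260 HARBOUR POINTE DR
Registrant City: JACKSONVILLE
Registrant State/Province: FL
Registrant Postal Code: 33908
Registrant Country: US
Registrant Phone: +1.8888961959
Registrant Phone Ext:
Registrant Fax: +1.5555555555
Registrant Fax Ext:
Registrant Email: jennydavies386@yahoo.com
"""

if __name__ == "__main__":
    for label, text in (("Alison Foley", ALISON_FOLEY_WHOIS), ("Jenny Davies", JENNY_DAVIES_WHOIS)):
        rec = parse_whois_registrant(text)
        print(label, "->", looks_like_f3y(rec), f3y_indicators(rec))
```

Feed it the registrant block of any new domain in a run and the records that share the pattern cluster immediately, which is how the blog ties batches on different hosts to the same operator.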
Tuesday, 12 August 2014
Monday, 11 August 2014
Aggressive scumbag spam 2014-08-11
These prolific scumbag spammers [1] [2] [3] [4] [5] [6] [7] [8] are back again, this time pumping out masses of spam from two different IP ranges.
The first batch is Terratransit AG / Kodos in Belize. The web host has reported that they have terminated the spammers.
IPs:
31.220.40.40
31.220.40.41
31.220.40.42
31.220.40.43
31.220.40.46
31.220.40.49
31.220.40.51
Domains:
unitemedicarehelp.us
fineeuropeansbrides.us
foundmiraclecure.us
leadingcasualmeet.us
survivalbracelettry.us
preparedlanguage.us
greatfloorcoating.us
Sample subjects:
Re: Unhappy with your Plan? Notice #18093831
Hi, Ilsa, Sasha, Sonya and others want to say Hello
Re: 5 Diseases You Thought Couldn't Be Cured, See Article 4093078
Hi, Hook-up with sexy people looking for fun? Invite No. 11413790
Fwd: New Survival Bracelet Sample. Gift: 18003902
Hey, 1 Sneaky Linguistic Secret to Learning a Foreign Language. No. 12072666
Re: Garage Floor Coatings before Winter Rain and Snow
The second batch belongs to Nforce in the US. The spammers have been using this web host repeatedly, and since their abuse@ email address bounces I would suggest blocking the entire /24.
IPs:
46.166.178.34
46.166.178.35
46.166.178.37
46.166.178.38
46.166.178.41
46.166.178.42
46.166.178.43
Domains:
completelydroplbs.us
showmedicarehelp.us
seekeuropeansbrides.us
imiraclecure.us
behindpaleo.us
improvehomeshutters.us
asianbridesluv.us
Example subjects:
Hi, Foreskolin - Recently reviewed on The Dr. Oz Show. Order: 4735337
Re: Unhappy with your Plan? Notice #3414040
Hi, Ilsa, Sasha, Sonya and others want to say Hello
Re: 5 Diseases You Thought Couldn't Be Cured, See Article 4023242
Re: "Ancient" Nutrition Plan - Look and Feel Amazing. Video: 10558123
Fwd: Timberlane - The World's Finest Handcrafted Shutters Catalog: 2640878
Re: It's Communication Week. Ting and her friends want to say Hi No: 14630251
"Ministerio Publico federal 11 08 2014 07:35" spam / informativoministeriopublico.info
This Portuguese-language spam originates from a Brazilian IP address and uses a somewhat convincing domain, informativoministeriopublico.info, but in fact the link simply leads to malware.
From: [victim]
To: [victim]
Date: 11 August 2014 14:33
Subject: Ministerio Publico federal 11 08 2014 07:35
VISUALIZAR-PROCESSO-MPF
Scan Security Avast, NOD 100% Seguro.
The link in the email goes to a bit.ly address that forwards to [donotclick]informativoministeriopublico.info/2014-20090717094507AAtpljuX&ei=sVblU7RHpd-wBKbhgZgG&ved=0CBsQvwUoAAqid=20090717094507AAtpljuX&ei=sVblU7RHpd-wBKbhgZgG&ved=0CBsQvwUoAA.html which has garnered a fair number of clicks according to the bit.ly statistics:
From there the victim goes to a download page (it tries to start automatically) which downloads MPF-747-53.2014.5.01.0466.pdf.zip which contains a malicious executable MPF-747-53.2014.5.01.0466.pdf.cpl which has a VirusTotal detection rate of 16/54.
This trojan downloads other components, although at the moment I am not sure what (you can guarantee it will be nothing good).
The malware site informativoministeriopublico.info has been created specifically for this purpose with anonymous registration details, and is hosted on 192.3.129.10 (ClearVPS / ColoCrossing, US). This IP address has been used for a number of other similar sites:
informativoministeriopublico.info
spc-cobrancas.net
ministeriopublico.net
serasaexperian.biz
The 192.3.129.0/25 range has some questionable sites in it, and you might want to block the whole lot as a precaution. You should definitely block 192.3.129.10 though.
The originating IP is 200.219.245.194 (Alog-02 Solucoes De Tecnologia Em Informatica S.a., Brazil). The presence of a Brazilian IP address as the sender is interesting, because it does make the email look more legitimate if the headers are examined.
Friday, 8 August 2014
"Security concern on your AmericanExpress Account" spam
This fake AmEx spam appears to lead to a phishing site on multiple URLs:
From: American Express [AmericanExpress@welcome.aexp.com]
Date: 24 July 2014 10:35
Subject: Security concern on your AmericanExpress Account
Dear Customer:
We are writing to you because we need to speak with you regarding a security concern on your account. Our records indicate that you recently used your American Express card on August 8, 2014.
For your security, new charges on the accounts listed above may be declined. If applicable, you should advise any Additional Card Member(s) on your account that their new charges may also be declined.
To secure your account , please click log on to : http://americanexpress.com
Your prompt response regarding this matter is appreciated.
Sincerely,
American Express Identity Protection Team
Please do not reply to this e-mail. This customer service e-mail was sent to you by American Express. You may receive customer service e-mails even if you have unsubscribed from marketing e-mails from American Express.
Contact Customer Service | View our Privacy Statement | Opt Out
This email was sent to [redacted].
American Express Customer Service Department
P.O. Box 297817 | Ft. Lauderdale, FL 33329-7817
2014 American Express Company. All rights reserved.
In this case the link goes to a phishing site at anerican-fortress.com/americanexpress/ but there seem to be a bunch of them at the moment:
anerikan-regress.com/americanexpress/
american-progrecs.com/americanexpress/
anerican-fortress.com/americanexpress/
amerikan-sunfacess.com/americanexpress/
IPs in use are:
91.219.29.35 (FLP Kochenov Aleksej Vladislavovich, Ukraine)
188.240.32.75 (SC CH-NET SRL, Romania)
I recommend blocking these IPs:
91.219.29.35
188.240.32.75
Aggressive scumbag spam 2014-08-08
More aggressive spam from the scumbag spammers I have been tracking for a few days [1] [2] [3] [4] [5] [6] [7], this time spamming from ColoCrossing IPs. I daresay they will have another spam run starting soon from a completely new IP range.
IPs:
198.23.159.51
198.23.159.52
198.23.159.53
198.23.159.54
198.23.159.55
198.23.159.56
Domains:
clubbrides.com
extremeconcretecoating.com
propermedicare.com
anyonegetskinny.com
rarecure.com
denynervepain.com
Sample subjects:
Hey, Ilsa, Sasha, Sonya and others want to say Hello
Re: Garage Floor Coatings before Winter Rain and Snow
Unhappy with your Plan? Notice #12942715
Hey, Foreskolin - Recently reviewed on The Dr. Oz Show. Order: 11343923
Fwd: 5 Diseases You Thought Couldn't Be Cured, See Article 18871602
Hey, SUFFERING? New Neuropathy Curing Breakthrough Revealed
Fake WHOIS:
Registrant Name: JENNY DAVIES
Registrant Organization:
Registrant Street: 17260 HARBOUR POINTE DR
Registrant City: JACKSONVILLE
Registrant State/Province: FL
Registrant Postal Code: 33908
Registrant Country: US
Registrant Phone: +1.8888961959
Registrant Phone Ext:
Registrant Fax: +1.5555555555
Registrant Fax Ext:
Registrant Email: jennydavies386@yahoo.com
I'm currently working on some leads as to which particular scumbags are behind this.
UPDATE 1:
The pattern continues, still on ColoCrossing.
IPs:
198.23.159.57
198.23.159.58
198.23.159.59
Domains:
factsautowarranty.com
textasianbrides.com
useharprefi.com
Sample subjects:
Re: Expiration Notice: Keep Your Auto Warranty. Notice#5527104
Fwd: It's Communication Week. Ting and her friends want to say Hi No: 9183446
Fwd: Save-Thousands on Your Home Loan. Rpt: 7977757
UPDATE 2:
ColoCrossing seem unresponsive to the problem, here is another batch from the same range.
IPs:
198.23.159.60
198.23.159.61
198.23.159.62
Domains:
yeswalkintubs.com
secretlocalsingles.com
epichomesiding.com
Example subjects:
Hi, Learn about the Versatility of a Walk in Bathtub Message: 24268321
Hey, Hook-up with sexy people looking for fun? Invite No. 9938717
Hey, New siding can increase the value of your home. Correspondence: 12613390
Given the volume of spam and lack of action from ColoCrossing, perhaps blocking 198.23.159.0/24 is the best bet.
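The recommendation to block whole /24s once a host keeps burning through adjacent IPs is a judgement call the blog makes by hand each time. As an added example (not code from the original post), the following turns that judgement into a rule: group the sender IPs seen so far by /24, block any /24 with at least six distinct senders, and list the rest individually. The IP list is constructed from the addresses quoted in this and the linked posts (the Terratransit hosts are left out because that web host says it terminated the spammers); the six-host threshold and the Postfix reject text are my own assumptions.

```python
import ipaddress
from collections import defaultdict

# Sender IPs as listed in this post and the preceding ones (constructed list).
OBSERVED_SENDERS = [
    "198.23.159.51", "198.23.159.52", "198.23.159.53", "198.23.159.54",
    "198.23.159.55", "198.23.159.56", "198.23.159.57", "198.23.159.58",
    "198.23.159.59", "198.23.159.60", "198.23.159.61", "198.23.159.62",
    "46.166.178.34", "46.166.178.35", "46.166.178.37", "46.166.178.38",
    "46.166.178.41", "46.166.178.42", "46.166.178.43",
    "109.201.148.82", "109.201.148.90", "109.201.148.178", "109.201.148.179",
]


def propose_blocklist(ips, prefix_len=24, min_hosts=6):
    """Group sender IPs by /prefix_len. A group with at least min_hosts distinct senders
    is treated as a snowshoe range and blocked whole; smaller groups are blocked per host.
    Returns (networks_to_block, single_addresses), both sorted. IPv4 input assumed."""
    groups = defaultdict(set)
    for ip in ips:
        addr = ipaddress.ip_address(ip)
        net = ipaddress.ip_network(f"{addr}/{prefix_len}", strict=False)
        groups[net].add(addr)
    blocks, singles = [], []
    for net, hosts in groups.items():
        if len(hosts) >= min_hosts:
            blocks.append(net)
        else:
            singles.extend(hosts)
    return sorted(blocks), sorted(singles)


def is_blocked(ip, blocks, singles):
    """True if the address is covered by a blocked range or listed individually."""
    addr = ipaddress.ip_address(ip)
    return addr in singles or any(addr in net for net in blocks)


def render_postfix_cidr(blocks, singles, reply="REJECT snowshoe spam source"):
    """Lines for a Postfix cidr_table used with check_client_access (assumed reply text)."""
    lines = [f"{net}  {reply}" for net in blocks]
    lines += [f"{addr}/32  {reply}" for addr in singles]
    return lines


if __name__ == "__main__":
    blocks, singles = propose_blocklist(OBSERVED_SENDERS)
    print("\n".join(render_postfix_cidr(blocks, singles)))
```

With the page's data the rule reproduces the blog's own calls: 198.23.159.0/24 and 46.166.178.0/24 are blocked outright, while the four Nforce hosts in 109.201.148.0/24 stay individual until more of that range shows up. A future host such as 198.23.159.100 is already covered.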
"FW: Resume" spam has a malicious attachment
This terse spam is malicious:
Date: Fri, 8 Aug 2014 05:57:02 +0700 [08/07/14 18:57:02 EDT]
From: Janette Sheehan [Janette.Sheehan@linkedin.com]
Subject: FW: Resume
Attached is my resume, let me know if its ok.
Thanks,
Janette Sheehan
Attached is an archive Resume.zip which in turn contains a malicious executable Resume.scr. This has a VirusTotal detection rate of 24/54. The CAMAS report shows that the malware attempts to phone home to the following locations:
94.23.247.202/0708stat/SANDBOXA/0/51-SP2/0/
94.23.247.202/0708stat/SANDBOXA/1/0/0/
hngdecor.com/wp-content/uploads/2013/10/cw2800.zip
welfareofmankind.com/underconst/css/cw2800.zip
Recommended blocklist:
94.23.247.202
hngdecor.com
welfareofmankind.com
Labels:
EXE-in-ZIP,
Malware,
Spam,
Viruses
RBS "RE: Incident IM03393549" spam
This fake RBS spam has a malicious attachment:
Date: Thu, 24 Jul 2014 09:33:37 GMT [07/24/14 05:33:37 EDT]
From: Annie Wallace[Annie.Wallace@rbs.co.uk]
Subject: RE: Incident IM03393549
Good Afternoon ,
Attached are more details regarding your account incident. Please extract the attached
content and check the details.
Please be advised we have raised this as a high priority incident and will endeavour to
resolve it as soon as possible. The incident reference for this is IM03393549.
We would let you know once this issue has been resolved, but with any further questions
or issues, please let me know.
Kind Regards,
Annie Wallace Level 2 Adviser | Customer Experience Team, IB Service & Operations 7th
Floor, 1 Hardman Boulevard | Manchester | M3 3AQ | Depot code: 049
Tel: 0845 300 4108 |Email: Annie.Wallace@rbs.co.uk The content of this e-mail is
CONFIDENTIAL unless stated otherwise
The attachment is IM03393549.zip containing a malicious executable IM008082014.scr which has a VirusTotal detection rate of 15/42. The CAMAS report shows that the malware connects to the following locations to download additional components:
94.23.247.202/n0808uk/SANDBOXA/0/51-SP2/0/
94.23.247.202/n0808uk/SANDBOXA/1/0/0/
quesoslaespecialdechia.com/Scripts/n0808uk.zip
energysavingproductsinfo.com/wp-content/uploads/2014/08/n0808uk.zip
The exact nature of the malware is not known, but it is most likely a banking Trojan or Cryptowall.
Recommended blocklist:
94.23.247.202
quesoslaespecialdechia.com
energysavingproductsinfo.com
Labels:
EXE-in-ZIP,
Malware,
Spam,
Viruses
Spammers probing with "How are you doing?" / poorname.us attack
The particularly aggressive spammers that I have covered recently [1] [2] [3] [4] [5] [6] launched another probing attack overnight, trying to collect email addresses by using an embedded image (the principles of the attack are described here).
The spam looks like this:
Received: from murch.greatsill.info (HELO find-your-perfect-bride-russians.us) (94.102.56.147)
by [redacted] with SMTP; 8 Aug 2014 00:36:28 -0000
Date: Thu, 07 Aug 2014 17:34:22 -0700
Subject: How are you doing?
From: Stewart [stewart@find-your-perfect-bride-russians.us]
The body text is just HTML:
The originating IP is 94.102.56.147 (Ecatel, Netherlands). The spamvertised site is hosted on 143.95.32.129 (michael.asmallorange.com) although it is currently 403ing.
I don't know the origins of this spam, but it is being investigated.
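The probing technique described above works because an HTML mail client that loads remote images tells the spammer's server which recipient address is live. As an added example (not code from the original post, and not the HTML of this particular message, which is not reproduced on the page), the following scans an HTML body for images that behave like beacons: remote images that are hidden or 1x1, or whose URL carries an opaque per-recipient token, including one that base64-decodes to an e-mail address. The sample HTML, the hostnames and the recipient address are constructed for the example.

```python
import base64
import binascii
import re
from html.parser import HTMLParser
from urllib.parse import parse_qsl, urlparse

# A run of 16+ URL-safe/base64 characters that mixes letters and digits: long enough
# to be a tracking token, unlikely to be an ordinary path word. Heuristic.
_OPAQUE = re.compile(r"(?=[A-Za-z0-9+/=_-]*\d)(?=[A-Za-z0-9+/=_-]*[A-Za-z])[A-Za-z0-9+/=_-]{16,}")
_HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)


class _ImgCollector(HTMLParser):
    """Collect the attributes of every <img> tag; attribute names are lower-cased."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img":
            self.images.append({k.lower(): (v or "") for k, v in attrs})


def _decodes_to_address(token):
    """True if the token is base64 and decodes to something containing '@'."""
    try:
        raw = base64.b64decode(token + "=" * (-len(token) % 4), validate=True)
    except (binascii.Error, ValueError):
        return False
    return b"@" in raw


def find_tracking_images(html):
    """Return [{'src', 'host', 'reasons'}] for remote images that look like beacons.
    Inline (cid:) and data: images cannot phone home and are skipped."""
    coll = _ImgCollector()
    coll.feed(html)
    findings = []
    for img in coll.images:
        src = img.get("src", "")
        url = urlparse(src)
        if url.scheme not in ("http", "https"):
            continue
        reasons = []
        if (img.get("width") in ("0", "1") or img.get("height") in ("0", "1")
                or _HIDDEN_STYLE.search(img.get("style", ""))):
            reasons.append("hidden or 1x1 image")
        values = [url.path] + [v for _, v in parse_qsl(url.query)]
        tokens = [t for v in values for t in _OPAQUE.findall(v)]
        if tokens:
            reasons.append("opaque token in image URL")
        if any(_decodes_to_address(t) for t in tokens):
            reasons.append("token base64-decodes to an e-mail address")
        if reasons:
            findings.append({"src": src, "host": url.hostname, "reasons": reasons})
    return findings


# Constructed sample body: one ordinary banner, one inline logo, two beacons.
RECIPIENT = "victim@example.com"
_ENC = base64.b64encode(RECIPIENT.encode()).decode()
SAMPLE_HTML = f"""<html><body>
<p>How are you doing?</p>
<img src="http://www.example.org/banner.jpg" width="600" height="120">
<img src="cid:logo@local">
<img src="http://track.example.net/o.gif?r={_ENC}" width="1" height="1">
<img src="http://img.example.net/p/a1b2c3d4e5f60718293a4b5c6d7e8f90.png" style="display:none">
</body></html>"""

if __name__ == "__main__":
    for hit in find_tracking_images(SAMPLE_HTML):
        print(hit["host"], "->", "; ".join(hit["reasons"]))
```

The practical defence is the same whichever heuristic fires: do not fetch remote images for mail that has not passed reputation checks, because the fetch itself is the confirmation the spammer is after.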
Thursday, 7 August 2014
Aggressive scumbag spammers strike again
The very aggressive scumbag snowshoe spammers [1] [2] [3] [4] [5] strike again, this time burning through a bunch of email servers belonging to Serverel Corp in the Czech Republic:
IPs:
109.206.177.121
109.206.177.122
109.206.177.123
109.206.177.124
109.206.177.125
109.206.177.126
Spamvertised domains:
newfreecredit.com
here-medicaresignup.com
lean-slim-down.com
best-cheap-ins.com
oddmiracle.com
true-refihouse.com
Subjects:
RE: Your TransUnion Score may have recently changed.
Hey, Unhappy with your Plan? Notice #3550165
Re: Foreskolin - Recently featured on The Dr. Oz Show. Order: 22232150
Fwd: Your AutoInsurance-Policy can be lower. Notice #20768701
Fwd: 5 Diseases You Thought Couldn't Be Cured, See Article 24300322
Fwd: How much can you save by lowering our house payment?
Domain registration details:
Registrant Name: BENITA DUFFY
Registrant Organization: MARY KIMBREL
Registrant Street: 1031 WOODLEY RD
Registrant City: MONTGOMERY
Registrant State/Province: AL
Registrant Postal Code: 36106
Registrant Country: US
Registrant Phone: +1.3348343223
Registrant Phone Ext:
Registrant Fax: +1.5555555555
Registrant Fax Ext:
Registrant Email: benitaduffy918@yahoo.com
UPDATE 1:
More from the same spammer, same host but different IP range:
IPs:
109.206.177.151
109.206.177.152
109.206.177.153
109.206.177.154
109.206.177.155
109.206.177.156
Spamvertised domains:
foxy-russianbrides.com
fine-walkintubs.com
many-asianbrides.com
near-enroll-medicare.com
easy-vinylsiding.com
all-rent2own.com
Subjects:
Re: Ilsa, Sasha, Sonya and others want to say Hello
Hey, Learn about the Versatility of a Walk in Bathtub Message: 7541884
Fwd: It's Communication Week. Ting and her friends want to say Hi No: 13142142
Hey, Attention: Medicare Open Enrollment Begins Soon Notice: 12453216
Hey, Help your home keep its value Tip: 21978846
Hi, Stop paying rent! Pymts can go toward owning Notice: 11516529
UPDATE 2:
Yet more, but from a different Serverel range.
IPs:
109.206.177.194
109.206.177.195
109.206.177.196
Domains:
woodsurface.com
true-harp-save.com
star-auto-ins.com
Example subjects:
Re: Garage Floor Coatings before Winter Rain and Snow
Fwd: Save Thousands on Your Home Loan. Rpt: 1400334
Re: Are you overpaying for your auto insurance? Msg ID.11929129
And now a batch from Nforce IPs, who were seen yesterday, but these are different servers.
IPs:
109.201.148.82
109.201.148.90
109.201.148.178
109.201.148.179
Domains:
protect-home-surfaces01.mobi
instant-oninebackgrounds101.mobi
how-low-mortgage-go.mobi
right-plan-medicare101.mobi
Example subjects:
Garage Floor Coatings before Winter Rain and Snow
Fwd: Safety Notice: Can you trust your friends? Notice: 23746989
Fwd: Save Thousands on Your Home Loan. Rpt: 1455838
These domains have a new fake registrant:
Registrant ID:aab597ea681630c5
Registrant Name:Zoe Clemons
Registrant Organization:n/a
Registrant Street1:21257 N Black Canyon Hwy
Registrant City:Phoenix
Registrant State/Province:AZ
Registrant Postal Code:85027
Registrant Country:US
Registrant Phone:+1.6234347727
Registrant Email:zoeclemons906@yahoo.com
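What ties the Serverel, Nforce, ColoCrossing, Terratransit and Global Layer batches together is the subject lines: the same handful of templates, each decorated with a random "Notice #…", "No. …", "Order: …" or "See Article …" suffix and a rotating Re:/Fwd:/Hey,/Hi, prefix. As an added example (not code from the original post), the following strips that decoration down to a template and reports which templates were seen from more than one source, which is the evidence the blog uses to call these one operator. The observations are constructed from the subject lines quoted on this page; the list of suffix keywords is my own and will need extending as the spammer changes vocabulary, and a subject that legitimately ends in five or more digits would lose them.

```python
import re
from collections import defaultdict

_PREFIX = re.compile(r"^(?:(?:re|fw|fwd)\s*:\s*)+", re.I)
_GREETING = re.compile(r"^(?:hey|hi|hello)\s*,\s*", re.I)
# Optional keyword, optional separator, then a 5+ digit tracking number at the end.
_TRAILER = re.compile(
    r"[\s,.]*(?:\b(?:notice|invite no|no|order|gift|rpt|msg id|message|"
    r"correspondence|tip|blog|video|catalog|see article|article)\b)?"
    r"\s*[:#.]?\s*\d{5,}\s*$",
    re.I,
)


def subject_template(subject):
    """Reduce a spam subject to its campaign template: no reply/forward prefix,
    no greeting, no trailing tracking number, lower-cased, trailing punctuation dropped."""
    s = _PREFIX.sub("", subject.strip())
    s = _GREETING.sub("", s)
    s = _TRAILER.sub("", s)
    s = re.sub(r"\s+", " ", s).strip().rstrip(".,:;- ")
    return s.lower()


def cluster_by_template(observations):
    """observations: iterable of (source_label, subject) -> {template: sorted sources}."""
    clusters = defaultdict(set)
    for source, subject in observations:
        clusters[subject_template(subject)].add(source)
    return {t: sorted(s) for t, s in clusters.items()}


def shared_templates(clusters, min_sources=2):
    """Templates seen from at least min_sources distinct sending ranges."""
    return sorted(t for t, s in clusters.items() if len(s) >= min_sources)


# Constructed from the subject lines and sending ranges quoted on this page.
OBSERVATIONS = [
    ("Serverel 109.206.177.0/24", "Hey, Unhappy with your Plan? Notice #3550165"),
    ("Serverel 109.206.177.0/24", "Fwd: 5 Diseases You Thought Couldn't Be Cured, See Article 24300322"),
    ("Serverel 109.206.177.0/24", "Re: Ilsa, Sasha, Sonya and others want to say Hello"),
    ("Serverel 109.206.177.0/24", "RE: Your TransUnion Score may have recently changed."),
    ("ColoCrossing 198.23.159.0/24", "Unhappy with your Plan? Notice #12942715"),
    ("ColoCrossing 198.23.159.0/24", "Fwd: 5 Diseases You Thought Couldn't Be Cured, See Article 18871602"),
    ("ColoCrossing 198.23.159.0/24", "Hey, Ilsa, Sasha, Sonya and others want to say Hello"),
    ("ColoCrossing 198.23.159.0/24", "Hey, SUFFERING? New Neuropathy Curing Breakthrough Revealed"),
    ("Terratransit 31.220.40.0/24", "Re: Unhappy with your Plan? Notice #18093831"),
    ("Terratransit 31.220.40.0/24", "Hi, Ilsa, Sasha, Sonya and others want to say Hello"),
    ("Terratransit 31.220.40.0/24", "Re: 5 Diseases You Thought Couldn't Be Cured, See Article 4093078"),
    ("Global Layer 162.222.193.0/24", "Re: 5 Diseases You Thought Couldn't Be Cured, Blog: 16602444"),
    ("Global Layer 162.222.193.0/24", "Hey, Ilsa, Sasha, Sonya and others want to say Hello"),
]

if __name__ == "__main__":
    clusters = cluster_by_template(OBSERVATIONS)
    for template in shared_templates(clusters):
        print(f"{template!r}: {', '.join(clusters[template])}")
```

The templates are also a usable content signature on their own: a filter keyed on "unhappy with your plan?" catches the next batch regardless of which hosting company it comes from.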
Labels:
Czech Republic,
F3Y,
Spam
Vawtrak sites to block
I found these domains and IPs today while investigating a machine apparently infected with Vawtrak (aka Tepfer); most of them seem to be active:
http://80.243.184.239/posting.php
http://80.243.184.239/viewforum.php
http://146.185.233.97/posting.php
http://146.185.233.97/viewforum.php
http://ipubling.com/posting.php
http://ipubling.com/viewforum.php
http://magroxis.com/posting.php
http://magroxis.com/viewforum.php
http://maxigolon.com/viewforum.php
http://terekilpane.com/viewforum.php
Some of these domains are associated with the email address ctouma2@gmail.com.
You could block the sites individually, but because the sites are not isolated, I would personally recommend using the following blocklist:
146.185.233.0/24
80.243.184.224/27
The 146.185.233.0/24 range is allocated to "Cherepanova" in Russia. 80.243.184.224/27 is Redstation in the UK.
CDS Group (cdsgroup.co.uk) fake invoice spam
This spam email pretends to be from the CDS Group. CDS are a wholly legitimate company and are NOT sending these emails, and their computer systems have NOT been compromised. However, the emails do contain a malicious attachment and should be deleted.
It is trivially easy to fake who an email is "From". That is what is happening in this case. CDS are an innocent victim of whoever is perpetrating this spam run. Please do not take your frustrations out on CDS. CDS have a notice about these emails on their site.
This is a sample email:
Date: Thu, 07 Aug 2014 10:41:48 +0100 [05:41:48 EDT]
From: Nancy Tyler CDS Group [accounts@cdsgroup.co.uk]
Subject: CDS Invoice: 241-28195
CDS Group
Dear client,
Please find attached your invoice number 241-28195
If you have any queries with this invoice, please email us at accounts@cdsgroup.co.uk or call us on 020 8752 8040
The CDS Group of Companies, Passenger Car Services Same Day UK Couriers TV Support Units Overnight & International
Tel: 020 8752 8040
Email: accounts@cdsgroup.co.uk
Please consider the environment before printing this email.
This message and any attachment are confidential and may be privileged or otherwise protected from disclosure. If you are not the intended recipient, please telephone or email the sender and delete this message and any attachment from your system.
If you are not the intended recipient you must not copy this message or attachment or disclose the contents to any other person. This e-mail or any attachments are for information purpose only and does not form any part of an agreement, contract or fact.
The contents of an attachment to this e-mail may contain software viruses, which could damage your own computer system. Whilst The CDS Group has taken every reasonable precaution to minimise the risk, we do not accept liability for any damage, which you sustain as a result of software viruses. You should carry out your own virus checks before opening any attachment to this e-mail.
This email has been scanned by iomartcloud.
http://www.iomartcloud.com
Attached is an archive file CDS_241-28195.zip which contains a folder invoice_cdsgroup_799543.xls, which in turn contains a malicious executable invoice_cdsgroup_799543.xls.scr, which has a very low detection rate at VirusTotal of 3/54.
Automated analysis tools are inconclusive at the moment [1] [2] but I will add more details if I find them.
Labels:
EXE-in-ZIP,
Malware,
Spam,
Viruses
Wednesday, 6 August 2014
Companies House "Case 4620571" spam
This fake Companies House spam has a malicious attachment:
Date: Wed, 6 Aug 2014 19:45:59 +0700 [08:45:59 EDT]
From: Companies House [WebFiling@companieshouse.gov.uk]
Subject: RE: Case 4620571
The submission number is: 4620571
For more details please check attached file.
Please quote this number in any communications with Companies House.
All Web Filed documents are available to view / download for 10 days after their
original submission. However it is not possible to view copies of accounts that
were downloaded as templates.
Companies House Executive Agency may use information it holds to prevent
and detect fraud. We may also share such information, for the same purpose,
with other Organizations that handle public funds.
If you have any queries please contact the Companies House Contact Centre
on +44 (0)303 1234 500 or email enquiries@companies-house.gov.uK
Note: This email was sent from a notification-only email address which cannot
accept incoming email. Please do not reply directly to this message.
Companies House
4 Abbey Orchard Street
Westminster
London
SW1P 2HT
Tel +44 (0)303 1234 500
Attached is a file Case_4620571.zip which in turn contains a malicious executable Case_4620571.scr which has a VirusTotal detection rate of 11/53. Automated analysis tools [1] [2] show that the malware reaches out to the following locations which are good candidates for blocking:
64.191.43.150
94.23.247.202
feelgoodframesstore.com
beeprana.com
upscalebeauty.com
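Every malware post on this page (the Companies House, CDS Group, RBS, "FW: Resume" and Ministerio Publico lures) is the same trick: a ZIP whose member is an .scr or .cpl, sometimes behind a document-looking double extension such as .xls.scr or .pdf.cpl, and with a detection rate low enough that antivirus alone is not a safe gate. As an added example (not code from the original posts), the following inspects a ZIP in memory and flags members by extension, by double extension, and by the MZ header of the content itself, so a renamed executable is caught even when its name looks harmless. Only the first two bytes of each member are inflated, so the check is cheap and does not expand an over-compressed archive. The sample archive is constructed here with a minimal fake DOS header in place of real malware; the member names mirror those quoted on this page.

```python
import io
import zipfile

EXECUTABLE_EXT = {"exe", "scr", "cpl", "com", "pif", "bat", "cmd", "vbs", "vbe",
                  "js", "jse", "wsf", "wsh", "hta", "msi", "dll", "lnk", "jar"}
DOCUMENT_EXT = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "rtf", "txt", "jpg", "png"}


def inspect_archive(data):
    """Walk a ZIP held in memory and report members that look like EXE-in-ZIP lures.
    Returns [{'name', 'size', 'reasons'}]; an empty list means nothing was flagged."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            base = info.filename.rsplit("/", 1)[-1].lower()
            exts = base.split(".")[1:]
            reasons = []
            if exts and exts[-1] in EXECUTABLE_EXT:
                reasons.append(f"executable extension .{exts[-1]}")
                if len(exts) >= 2 and exts[-2] in DOCUMENT_EXT:
                    reasons.append(f"document look-alike double extension .{exts[-2]}.{exts[-1]}")
            # Inflate only the first two bytes: enough for the DOS/PE magic, never the whole member.
            with zf.open(info) as member:
                head = member.read(2)
            if head == b"MZ":
                reasons.append("content starts with MZ (Windows PE) regardless of name")
            if reasons:
                findings.append({"name": info.filename, "size": info.file_size, "reasons": reasons})
    return findings


def is_dangerous(data):
    return bool(inspect_archive(data))


def build_archive(members):
    """Build an in-memory ZIP from {name: bytes}; used here only to construct fixtures."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed stand-in for the attachments described on this page.
_FAKE_PE = b"MZ\x90\x00" + b"\x00" * 60
SAMPLE_ZIP = build_archive({
    "Resume.scr": _FAKE_PE,
    "invoice_cdsgroup_799543.xls.scr": _FAKE_PE,
    "MPF-747-53.2014.5.01.0466.pdf.cpl": _FAKE_PE,
    "notes.txt": _FAKE_PE,  # executable hiding behind a harmless name
    "report.pdf": b"%PDF-1.4\n% constructed placeholder document\n",
    "readme.txt": b"nothing to see here\n",
})

if __name__ == "__main__":
    for f in inspect_archive(SAMPLE_ZIP):
        print(f["name"], f["size"], "; ".join(f["reasons"]))
```

On a mail gateway this belongs in front of the antivirus scan rather than behind it: the 3/54 and 11/53 detection rates quoted above show the signature engines are the weak link, whereas an executable inside an invoice ZIP is a policy violation that needs no signature.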
Labels:
EXE-in-ZIP,
Malware,
Spam,
Viruses
.us and .me scumbag spammers are now .mobi scumbag spammers
That didn't take long: these scumbag spammers I've been tracking over the past couple of days have a new set of mail servers and domains for pumping out their useless affiliate crap.
Sending IPs:
69.39.238.200
69.39.238.201
69.39.238.202
69.39.238.203
69.39.238.204
These IPs belong to GigeNET in the US.
Spamvertised domains:
getitnow.find-cars-here-4u.mobi
trynow.safty-first-walkin-tubs.mobi
startnow.get-medicare-for-less4u.mobi
lower-your-payments-wHARP.mobi
safe.cure-most-diseases01.mobi
Sample emails:
From: Best_AutoPrice [carsalesevent101@find-cars-here-4u.mobi]
Date: 6 August 2014 15:27
Subject: Hi, Summer Price Reduction on All New Vehicles. Notice: 14359709
Local Auto Notice: 14359709
*****************************************
US Car and Truck Dealer are Liquidating Auto Inventories
Shopping for a new or used car?
Now is the time to take advantage of Summer Discounted Automotive Prices:
Go Here To View what's in-stock near you: http://getitnow.find-cars-here-4u.mobi
Modify_your notification_preferences: http://stop.find-cars-here-4u.mobi
PO Box No. 6498
PELAYO_ 80
-28004--MADRID--MADRID
=========================================
From: Walk.In.Bathtub.2855074 [bathtub.safety@safty-first-walkin-tubs.mobi]
Date: 6 August 2014 15:34
Subject: Hi, Learn about the Versatility of a Walk in Bathtub Message: 21036031
Enjoy Safe, Comfortable-Bathing in your Home
---------------------------------------------------------
[redacted],
Whether you are looking for a Walk-in Tub for Safety or Therapeutic reasons for yourself or a loved-one, we can help.
We can help you find Professional, Affordable Service Contractors near you.
Find a safe and comfortable walk-in tub online Today:
http://trynow.safty-first-walkin-tubs.mobi
Message: 21036031
Modify_your advertising_preference here; http://leave.safty-first-walkin-tubs.mobi
QuinStreet, Inc. 950 Tower Lane_ Foster City, CA 94404
=========================================
From: enrollment-period.9138765 [future.enrollment.451@get-medicare-for-less4u.mobi]
Date: 6 August 2014 15:40
Subject: Hi, Medicare Enrollment Begins Soon. Notice #24458838
Notice: 24458838
**********************************************************
Medicare Recipient: [redacted]
Open Enrollment for 2015 Medicare Programs begins
October 15, 2014 to December 7, 2014.
You can only change your Medicare or Prescription Drug plan
during this Annual Election Period.
Find the best, most affordable Medicare plan.
**Aetna, Humana, BlueCross, AARP and more**
Don't Miss Your Chance to Change Plans.
Find the Best Plan & Save up to 40% Online: http://startnow.get-medicare-for-less4u.mobi
Opt-off this_request: http://exit.get-medicare-for-less4u.mobi
Dundrum Town Centre,Dundrum
Dublin 16, Ireland
PO Box_ No. 309
===============================================
From: HARP-Qualify.4642746 [Andrea.Casey1254@lower-your-payments-wharp.mobi]
Date: 6 August 2014 15:46
Subject: Re: HARP Program: Lower Rates May Be Available Rpt: 13849540
[redacted],
Are your home payments weighing you down?
This may be your last-chance to Re-mortgage. Lock in a low -rate today before rates rise.
Find out how you may be Eligible to lower your monthly-payment. No -registration or -login necessary.
Get competitive rates quotes from Top Lenders and Save --
http://save.lower-your-payments-wHARP.mobi
Andrea Casey
Harp Eligibility Team
Report: 13849540
If you would like to update settings please go here: http://halt.lower-your-payments-wHARP.mobi
8776 [East-Shea_Blvd. #B3A-462_Scottsdale, AZ 85260]
===============================================
From: Ultimate_Cure.5798463 [your.miracle.cure@cure-most-diseases01.mobi]
Date: 6 August 2014 15:54
Subject: Re: Doctor Jailed for CURING Cancer (see why), Article No. 5615302
Today, you have a 95% chance of eventually dying from a disease or condition for which there is already a known cure right at your fingertips.
Well-respected doctors have been attacked, threatened with losing their licenses and even JAILED for sharing the information you are about to discover...
If you or a your loved one is suffering from ANY, and we mean ANY illness, chronic or acute, especially if you've been told it is incurable, then this is the most important message you will hear today.
View This SHOCKING Health Alert in your Browser: http://safe.cure-most-diseases01.mobi
(they don't want you to know about this)
Article No. 5615302
Modify_your_preferences here- http://hold.cure-most-diseases01.mobi
PO Box: #678
Calle Arturo Rodriguez- 17--23410 Sabiote
Jaén, Spain
Sample click paths:
http://getitnow.find-cars-here-4u.mobi/
http://affiliate.adgtracker.com/rd/r.php?sid=6358&pub=331259&c1=ggn806
http://www.auto-price-finder.com/welcome?id=544&subid=273748921&affid=331259&depid=
http://pixel.autoaffiliatenetwork.com/d/?id=544&dest=apf&landing=nonbrand&rh=www.auto-price-finder.com&c1=
http://www.auto-price-finder.com/new/car?dest=apf&c1=&rh=www.auto-price-finder.com&id=544&landing=nonbrand&li=3&alt_exp=new&alt_ab=&rd=1
http://trynow.safty-first-walkin-tubs.mobi/
http://navytrkn.com/?a=125&c=9258&s1=ggn806
http://genetix420.com/?a=125&c=9258&s1=ggn806&ckmguid=e37b2ccf-28b9-4fc1-922d-72ccfbee9e55
http://www.enzjptkr.com/rd/r.php?sid=6389&pub=201700&c1=&c2=&c3=
http://affiliate.gwmtracker.com/rd/r.php?sid=6389&pub=201700&c1=&c2=&c3=
http://valuedealshopper.com?subid1=200001&subid2=6389
http://startnow.get-medicare-for-less4u.mobi/
http://affiliate.adgtracker.com/rd/r.php?sid=7748&pub=331259&c1=ggn806
http://www.medicare-providers.net/plans/index.php?Referrer=FM&Subreferrer=331259&Subid=273750538&utm_source=flex&utm_medium=email&utm_content=medicare&utm_campaign=24560
http://save.lower-your-payments-wharp.mobi/
http://navytrkn.com/?a=125&c=9244&s1=ggn806
http://ckthinmints.com/?a=125&c=9244&s1=ggn806&ckmguid=89d0208b-baec-4765-b88f-de84125ebff6
http://www.267555domain.com/click.ashx?CID=182639&AFID=267555&ADID=625699&SID=125
http://EVERYDAYOFFERSJUSTFORME.COM/go/c/537/4vars?sid=
http://njk0.HI5LINKS.com/?&s1=535_1750_GB_
http://zCRzz.download.awardhall.eu/?sov=63762401&hid=gkisukqomsiwykig&redid=7312&id=XNSX.535_1750_GB_-r7312
http://safe.cure-most-diseases01.mobi/
http://navytrkn.com/?a=125&c=10590&s1=ggn806
http://genetix420.com/?a=125&c=10590&s1=ggn806&ckmguid=27f625a1-56a4-46fa-8c81-2cace4c7473d
http://www.enzjptkr.com/rd/r.php?sid=6389&pub=201700&c1=&c2=&c3=
http://affiliate.gwmtracker.com/rd/r.php?sid=6389&pub=201700&c1=&c2=&c3=
http://valuedealshopper.com?subid1=201700&subid2=6389
WHOIS details for the domains are fake:
Registrant ID:bdb01b76634ea4b7
Registrant Name:Kiera Gladdish
Registrant Street1:2123 Edison Rd
Registrant City:South Bend
Registrant State/Province:IN
Registrant Postal Code:46637
Registrant Country:US
Registrant Phone:+1.5742720312
Registrant Email:kieragladdishr946@yahoo.com
.us scumbag spammers are now .me scumbag spammers
This active scumbag spamming crew [1] [2] [3] have switched to .me domains instead of .us domains. Maybe they got too much heat. Anyway, here they are with a new set of mail servers and domains, but a similar pile of affiliate networks as before.
Sending IPs:
79.142.65.6
79.142.65.7
79.142.65.8
79.142.65.10
79.142.65.12
79.142.65.15
All these IPs are on ALTUSHOST B.V. in the Netherlands.
Spamvertised domains:
getitnow.affordable-auto-ins10.me
orderhere.food-storage-freshness10.me
signup.lower-personal-credit10.me
starttoday.life-coverage-for-you10.me
actnow.reduce-mortgage-cost10.me
check.unwanted-timeshares-sold.me
Sample emails:
From: Lower-Auto-Coverage.11013628 [Auto-Insurance-Discount@affordable-auto-ins10.me]
Date: 6 August 2014 14:28
Subject: Re: Notice: Hey, Pay as little as $9/week on car insurance
Announcement: You may be Required to carry Auto Insurance
-------------------------------------------------------------------------------------
[redacted],
You are NOT Required to Over-Pay!
Premiums as low as $9
Compare quotes from Top Carriers and see how much you can SAVE.
Find Me Auto Insurance as low as $9/week: http://getitnow.affordable-auto-ins10.me
Notice No: 11013628
Modify_announcement_preferences here: http://disallow.affordable-auto-ins10.me
Cheaper Auto Coverage-PO Box 425768 Cambridge MA02142-9998
========================================
From: ASOTV_MrLid.20092754 [organized.mr.lid@food-storage-freshness10.me]
Date: 6 August 2014 14:15
Subject: Hi, The only food storage container of its kind ID: 23965159
Are you loosing your Mind? Loosing your Lids.
========================================
From: Go-Triple_Score.22560108 [score.report.476@lower-personal-credit10.me]
Date: 6 August 2014 14:08
Subject: Fwd: Has Your Score Recently Changed? Update: 6055819
RE: Your TransUnion Score may have recently changed.
----------------------------------------------------.
Date: August 2014 Score Update
----------------------------------------------------.
Update # 13518498
----------------------------------------------------.
Dear [redacted],
The reason that we are reaching out to you today is to make you aware that your score may have been changed based on a number of recent transactions.
Go here now to find out how your score was affected by these updates: http://signup.lower-personal-credit10.me
Your Score Generation Time: 47 Seconds
Regards,
Marcie D.
2014 Score Defender
Cancel_this email_notification: http://disallow.lower-personal-credit10.me
Suite 4753-24B Moorefield Rd Johnsonville--Wellington 6037 New Zealand
========================================
From: AIG_Direct Inc.9292124 [aig.direct.2014@life-coverage-for-you10.me]
Date: 6 August 2014 14:01
Subject: Re: Your $250K Term Life for Just $10.63 a month. Ref. No. 14329170
Call or Visit Today for $250K Term Life Under $11/mo
========================================
From: Home_Savings Info.2550922 [lower.home.payment@reduce-mortgage-cost10.me]
Date: 6 August 2014 14:41
Subject: Re: Homeowners Could be Missing out on Thousands in Savings
Notice for Homeowner: [redacted]
President Has Waived Refi-Requirement
Homeowners who do this will save about 3,000 USD/year. The problem is 70% of homeowners don't even know how to take advantage of the savings. If you're a homeowner and you don't know, you have to read this. . .
Calculate My Lower House Payment: http://actnow.reduce-mortgage-cost10.me
(To view this message in your browser, use the link above.)
Notice: 11105679
This is an advertisement. All trademarks, service marks, logos and/or domain names (including the names of products or retailers) are the property of their respective owners. The manufacturers, retailers or providers of the items offered may not have endorsed, approved of or otherwise sponsored this promotion. Restrictions apply. Void where prohibited by law. To manage your notification preferences, please visit here: http://end.reduce-mortgage-cost10.me
Richardshaw Lane, Hanson Centre, GR
Leeds, LS28 6QP
==========================================
From: Timeshare_Brokers.17819636 [linda.kesler93@unwanted-timeshares-sold.me]
Date: 6 August 2014 15:04
Subject: Re: Timeshare Owners- Don't pay another Maintenance Fee. Bulletin: 14642854
TIMESHARE BULLETIN: Timeshare Sales are heating up this Summer
July 2014
[redacted],
You may be eligible to sell your unwanted timeshare.
Eliminate monthly maintenance fees on a timeshare you no longer use.
Timeshare sales are on the rise in 2014;
non-US residents buying timeshares.
Don't miss the chance to dispose of your unwanted timeshare.
Let us Sell Your Timeshare Now:
http://check.unwanted-timeshares-sold.me
Thank you,
Emily D.
Time-share Advisor
No. 17819636
Click paths:
http://getitnow.affordable-auto-ins10.me/
http://navytrkn.com/?a=125&c=9558&s1=alt806
http://genetix420.com/?a=125&c=9558&s1=alt806&ckmguid=3d4d97bb-f163-4c45-bedc-61d9169c3170
http://www.enzjptkr.com/rd/r.php?sid=6389&pub=201700&c1=&c2=&c3=
http://affiliate.gwmtracker.com/rd/r.php?sid=6389&pub=201700&c1=&c2=&c3=
http://valuedealshopper.com?subid1=201700&subid2=6389
http://orderhere.food-storage-freshness10.me/
http://affiliate.adgtracker.com/rd/r.php?sid=6396&pub=331259&c1=alt806
http://comperz.com/click.ashx?CID=243834&AFID=156909&SID=273736842&AffiliateReferenceID=331259
http://www.vacationrome.net?subid=243834
http://signup.lower-personal-credit10.me/
http://network.adsmarket.com/click/jmZsmWOdqZmKaWmZYMp6w4iQap1koX-Vi2KYmmKhg5qJkHKcYKR7w49icZVinA?dp=alt806
http://starttoday.life-coverage-for-you10.me/
http://network.adsmarket.com/click/jmZsmWOdqZmKaWmZYMp6w4iQa5hjpIKdimOYmmKifZWJkHKbZZ57w5Fqb5llnQ?dp=alt806
http://actnow.reduce-mortgage-cost10.me/
http://www.soccertruck.com/rd/r.php?sid=4841&pub=331259&c1=alt806
http://affiliate.adgtracker.com/rd/r.php?sid=4841&pub=331259&c1=alt806
https://www.lowermybills.com/lending/home-refinance/?pkey1=331259&pkey2=273738878&sourceid=lmb-30537-53464-85353
http://check.unwanted-timeshares-sold.me/
http://trkerlittle.com/?a=9406&c=46451&s1=alt806
http://aboveallurl.com/?a=9406&c=46451&s1=alt806&ckmguid=4a81a1ee-41aa-4e37-9a42-da436ff2dcba
http://aboveall.garcinia.cpa.clicksure.com/?s1=GLOBAL-9406
http://clicksurecpa.com/recookie/Fep4b8L5ECHFQnqk
The WHOIS details on the domains are fake:
Registrant ID:3537f036cb04904e
Registrant Name:Rose Cotterill
Registrant Organization:n/a
Registrant Address:5300 Gateway Ctr
Registrant Address2:
Registrant Address3:
Registrant City:Troy
Registrant State/Province:MI
Registrant Country/Economy:US
Registrant Postal Code:48507
Registrant Phone:+1.8102321772
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Registrant E-mail:rosecotterillv296@yahoo.com
Tuesday, 5 August 2014
.us scumbag spammers, part 3
These are the same scumbags as found here and here. They are burning through hosting accounts at a fearsome rate. The latest two IPs are in the Worldstream address space:
217.23.14.153
217.23.14.13
Spamvertised domains:
reservenow.enroll-in-medicare-14.us
startnow.protect-your-surface01.us
Sample emails:
From: enrollment_period.12352763
Date: 5 August 2014 17:32
Subject: Hey, Medicare Enrollment Begins Soon. Notice #11262474
Notice: Medicare Open Enrollment Starts Soon
**********************************************************
Medicare Recipient: [redacted]
Open Enrollment for 2015 Medicare Programs begins October 15, 2014 to December 7, 2014.
You can only change your Medicare or Prescription Drug plan during this Annual Election Period. .
Find the best, most affordable Medicare plan.
**Aetna, Humana, BlueCross, AARP and more**
Don't Miss Your Chance to Change Plans. Find the Best Plan & Save up to 40% Online: http://reservenow.enroll-in-medicare-14.us
Notice: 11262474
======================================
From: Protective.Coating.3879421
Date: 5 August 2014 17:14
Subject: Re: Garage Floor Coatings before Winter Rain and Snow
-------- Start Notice #3879421 --------------
Surface Protect Plus Summer Savings
Attn: snowshoe2@dynamoo.com
Don't let rain and the coming snow ruin your deck and garage.
Summer is the time to protect your garage and wood floors.
Amazing deal for homeowners looking to preserve their deck and garage surfaces.
Go Here Now to Protect Your Floors for Years and Years: http://startnow.protect-your-surface01.us
--------------- End Notice ----------------
Manage_your_preferences: http://end.protect-your-surface01.us
PO Box: #19258
Falterstrasse., 12 97318--Kitzingen., Germany.
Click paths:
http://reservenow.enroll-in-medicare-14.us/
http://affiliate.adgtracker.com/rd/r.php?sid=7748&pub=331259&c1=exm805
http://www.medicare-providers.net/plans/index.php?Referrer=FM&Subreferrer=331259&Subid=273621705&utm_source=flex&utm_medium=email&utm_content=medicare&utm_campaign=24560
http://startnow.protect-your-surface01.us/
http://silvertrkn.com/?a=125&c=2907&s1=nf805
http://genetix420.com/?a=125&c=2907&s1=nf805&ckmguid=a8d5f09a-ceb2-47ec-9ba7-c4e42fd7afaa
http://www.enzjptkr.com/rd/r.php?sid=6389&pub=201700&c1=&c2=&c3=
http://affiliate.gwmtracker.com/rd/r.php?sid=6389&pub=201700&c1=&c2=&c3=
http://valuedealshopper.com?subid1=200001&subid2=6389
Some of these affiliate networks and sites have no contact details at all; all the others have been notified of the problem.
Recommended blocklist (for this spam run and the one earlier today):
217.23.14.153
217.23.14.13
109.201.135.21
109.201.135.35
109.201.135.47
109.201.135.108
109.201.148.11
109.201.148.24
77.93.204.105
enroll-in-medicare-14.us
protect-your-surface01.us
readcriminalsearch.us
pluscarsearch.us
bumpcredit.us
expectlowmortgage.us
citizensmedicare.us
closedfoodstorage.us
silvertrkn.com
genetix420.com
enzjptkr.com
navytrkn.com
autoaffiliatenetwork.com
.us scumbag spammers strike again
These low-life scumbag spammers are the same people I wrote about here, and they are playing around in the scummy end of the affiliate marketing business.
The spamvertised domains are:
readcriminalsearch.us
pluscarsearch.us
bumpcredit.us
expectlowmortgage.us
citizensmedicare.us
closedfoodstorage.us
All of these are registered with fake WHOIS details:
Registrant ID: 28B5829EB467EADA
Registrant Name: Colleen Fenn
Registrant Organization: na
Registrant Address1: 2555 W Lawrence Ave
Registrant City: Chicago
Registrant State/Province: IL
Registrant Postal Code: 60625
Registrant Country: United States
Registrant Country Code: US
Registrant Phone Number: +1.7739070654
Registrant Email: colleenfennf342@yahoo.com
Registrant Application Purpose: P1
Registrant Nexus Category: C11
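The fake registrant records in this post and the two above follow one template: a plausible name, a real US street address, and a Yahoo mailbox made from the name squashed to lowercase plus one letter and exactly three digits (colleenfennf342, rosecotterillv296, kieragladdishr946). That is specific enough to match on. The script below is an added example, not part of the original post: it parses the two label spellings the registrars use ("Registrant Email" and "Registrant E-mail"), rebuilds the expected local part from the name, and flags records that fit the pattern. The sample dump is constructed from the records quoted on this page plus one made-up clean record for contrast.

```python
import re

# Constructed sample: registrant fields quoted in this post and the two above,
# in both label spellings seen on the page, plus one clean record (made up).
SAMPLE_WHOIS = """\
Registrant ID: 28B5829EB467EADA
Registrant Name: Colleen Fenn
Registrant Phone Number: +1.7739070654
Registrant Email: colleenfennf342@yahoo.com
---
Registrant Name:Rose Cotterill
Registrant E-mail:rosecotterillv296@yahoo.com
---
Registrant Name:Kiera Gladdish
Registrant Email:kieragladdishr946@yahoo.com
---
Registrant Name: John Smith
Registrant Email: admin@example.com
"""

# Registrars write the label as "Email" or "E-mail"; accept both, any spacing.
EMAIL_LABEL = re.compile(r"^Registrant E-?mail\s*:\s*(\S+)", re.I | re.M)
NAME_LABEL = re.compile(r"^Registrant Name\s*:\s*(.+?)\s*$", re.I | re.M)


def parse_records(text):
    """Split a WHOIS dump on '---' separators and return (name, email) pairs."""
    out = []
    for chunk in text.split("---"):
        n = NAME_LABEL.search(chunk)
        e = EMAIL_LABEL.search(chunk)
        if n and e:
            out.append((n.group(1), e.group(1).lower()))
    return out


def looks_like_throwaway(name, email):
    """True when the local part is the registrant name (letters only, lowercase)
    followed by one letter and three digits, at yahoo.com."""
    local, _, domain = email.partition("@")
    if domain != "yahoo.com":
        return False
    squashed = re.sub(r"[^a-z]", "", name.lower())
    if not squashed:
        return False
    return re.fullmatch(re.escape(squashed) + r"[a-z]\d{3}", local) is not None


def flag_records(text):
    """All (name, email) pairs in the dump that match the template."""
    return [(n, e) for n, e in parse_records(text) if looks_like_throwaway(n, e)]


if __name__ == "__main__":
    for name, email in flag_records(SAMPLE_WHOIS):
        print(f"fake-looking registrant: {name} <{email}>")
```

Treat a hit as a pivot, not proof: the same check over a registrar's bulk WHOIS export will pull out the rest of the crew's domains registered under other names, because the template is what they automate, not the name.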
Originating IPs for email are:
109.201.135.21
109.201.135.35
109.201.135.47
109.201.135.108
109.201.148.11
109.201.148.24
All of these IPs are in the same 109.201.128.0/19 block allocated to:
organisation: ORG-NE3-RIPE
org-name: NForce Entertainment B.V.
org-type: LIR
address: NFOrce Entertainment BV
address: Postbus 1142
address: 4700BC
address: Roosendaal
address: NETHERLANDS
phone: +31206919299
fax-no: +31206919409
abuse-mailbox: abuse@nforce.com
admin-c: PT3315-RIPE
admin-c: JH24522-RIPE
admin-c: NFAR
tech-c: NFTR
mnt-ref: MNT-NFORCE
mnt-ref: RIPE-NCC-HM-MNT
mnt-ref: MNT-NFORCE
mnt-by: RIPE-NCC-HM-MNT
abuse-c: NFAB
source: RIPE # Filtered
You might want to block the /24s or even the whole /19 belonging to these people. Up to you.
UPDATE: a second wave of spam has started from 77.93.204.105 in the Czech Republic:
organisation: ORG-EA808-RIPE
org-name: Exmasters.com
org-type: OTHER
address: Exmasters.com
address: Milos Kalerta
address: Fricova 1102,26301 Dobris,Czech Republic
phone: +420 603 114414
abuse-mailbox: abuse@exmasters.com
mnt-ref: MASTER-MNT
mnt-ref: MASTER-MNT
mnt-by: MASTER-MNT
admin-c: EC6938-RIPE
tech-c: EC6938-RIPE
abuse-c: EC6938-RIPE
source: RIPE # Filtered
The spamvertised sites themselves are parked on 98.124.199.1 and 98.124.198.1 (eNom). There are several hundred thousand sites parked on these servers, blocking those IPs might have unexpected consequences.
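Two things in the paragraphs above are worth turning into a repeatable step: rolling the sending IPs up to /24s (or checking how many sit inside the 109.201.128.0/19 allocation) and refusing to block a spamvertised domain whose A record is a shared parking server. The script below is an added example and not from the post itself. It takes the recommended blocklist IPs from this page, collapses any /24 that contributed two or more sources, reports which of the resulting networks sit inside the NFOrce /19, and renders the result as a Postfix cidr_table(5) map for check_client_access. DNS resolution is passed in as data so the example runs offline; the 192.0.2.10 address in the test is a constructed placeholder.

```python
import ipaddress

# Recommended blocklist IPs from the two 5 August posts (sending hosts only).
SPAM_SOURCES = [
    "217.23.14.153", "217.23.14.13",
    "109.201.135.21", "109.201.135.35", "109.201.135.47", "109.201.135.108",
    "109.201.148.11", "109.201.148.24",
    "77.93.204.105",
]

# Allocation quoted from the RIPE record in the post.
NFORCE_BLOCK = ipaddress.ip_network("109.201.128.0/19")

# Shared parking servers named in the post; blocking these hits unrelated sites.
SHARED_PARKING = {
    ipaddress.ip_address("98.124.199.1"),
    ipaddress.ip_address("98.124.198.1"),
}


def aggregate(ips, min_hits=2):
    """Collapse addresses into /24s wherever a /24 contributed at least
    `min_hits` sources; lone addresses stay as /32. Returns sorted networks."""
    by_24 = {}
    for ip in map(ipaddress.ip_address, ips):
        net = ipaddress.ip_network(f"{ip}/24", strict=False)
        by_24.setdefault(net, []).append(ip)
    nets = []
    for net, members in by_24.items():
        if len(members) >= min_hits:
            nets.append(net)
        else:
            nets.extend(ipaddress.ip_network(f"{m}/32") for m in members)
    return sorted(nets)


def within(nets, allocation):
    """Those of the aggregated networks that fall inside a given allocation."""
    return [n for n in nets if n.subnet_of(allocation)]


def safe_to_block(domain_ip_pairs):
    """Split (domain, A-record) pairs into blockable domains and ones that
    resolve to a shared parking IP and must be skipped."""
    ok, skipped = [], []
    for domain, ip in domain_ip_pairs:
        target = skipped if ipaddress.ip_address(ip) in SHARED_PARKING else ok
        target.append(domain)
    return ok, skipped


def cidr_table(nets, text="REJECT spam source"):
    """Render as a Postfix cidr: lookup table, one 'network/prefix result' line."""
    return "\n".join(f"{n}\t{text}" for n in nets)


if __name__ == "__main__":
    nets = aggregate(SPAM_SOURCES)
    print(cidr_table(nets))
    print("# inside", NFORCE_BLOCK, ":", [str(n) for n in within(nets, NFORCE_BLOCK)])
```

Raise min_hits or widen the prefix if you want the whole /19 the post mentions; the point of the parking check is that a hostname block is fine for these domains, an IP block on the eNom servers is not.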
The spam emails generated do not identify the true sender, and given that the email list they are using was originally harvested from a forced UNSUBSCRIBE link, I would bet that trying to unsubscribe will just lead to more spam.
When you follow the clickthroughs you can see that the victim is bounced around what, in my opinion, look like several very low quality ad networks. Here are some example click paths:
http://find.readcriminalsearch.us/
http://navytrkn.com/?a=125&c=9034&s1=nf805
http://genetix420.com/?a=125&c=9034&s1=nf805&ckmguid=7aba1f24-2e05-4757-a6cf-f288466d0695
http://www.enzjptkr.com/rd/r.php?sid=6389&pub=201700&c1=&c2=&c3=
http://affiliate.gwmtracker.com/rd/r.php?sid=6389&pub=201700&c1=&c2=&c3=
http://valuedealshopper.com?subid1=200001&subid2=6389
http://limited.pluscarsearch.us/
http://affiliate.adgtracker.com/rd/r.php?sid=6358&pub=331259&c1=nf805
http://www.auto-price-finder.com/welcome?id=544&subid=273567460&affid=331259&depid=
http://pixel.autoaffiliatenetwork.com/d/?id=544&dest=apf&landing=nonbrand&rh=www.auto-price-finder.com&c1=
http://www.auto-price-finder.com/new/car?dest=apf&landing=nonbrand&=&c1=&rh=www.auto-price-finder.com&id=544&li=3&alt_exp=new&alt_ab=&rd=1
http://www.auto-price-finder.com/new/car_non_branded?c1=&land=y
http://trynow.bumpcredit.us/
http://network.adsmarket.com/click/jmZsmWOdqZmKaWmZYMp6w4iQap1koX-Vi2KYmmKhg5qJkHKcYKR7w49icZVinA?dp=nf805
http://joinnow.expectlowmortgage.us/
http://silvertrkn.com/?a=125&c=7570&s1=nf805
http://genetix420.com/?a=125&c=7570&s1=nf805&ckmguid=c7633716-4790-4104-ac97-5360ffa8f1c1
http://www.enzjptkr.com/rd/r.php?sid=6389&pub=201700&c1=&c2=&c3=
http://affiliate.gwmtracker.com/rd/r.php?sid=6389&pub=201700&c1=&c2=&c3=
http://valuedealshopper.com?subid1=200001&subid2=6389
http://reservenow.citizensmedicare.us/
http://affiliate.adgtracker.com/rd/r.php?sid=7748&pub=331259&c1=nf805
http://www.medicare-providers.net/plans/index.php?Referrer=FM&Subreferrer=331259&Subid=273569127&utm_source=flex&utm_medium=email&utm_content=medicare&utm_campaign=24560
http://requestnow.closedfoodstorage.us/
http://affiliate.adgtracker.com/rd/r.php?sid=6396&pub=331259&c1=nf805
http://comperz.com/click.ashx?CID=243834&AFID=156909&SID=273569713&AffiliateReferenceID=331259
http://www.vacationrome.net?subid=243834
http://start.car-truck-searches01.us/
http://affiliate.adgtracker.com/rd/r.php?sid=6358&pub=331259&c1=exm80
http://www.auto-price-finder.com/welcome?id=544&subid=273575551&affid=331259&depid=
http://pixel.autoaffiliatenetwork.com/d/?id=544&dest=apf&landing=nonbrand&rh=www.auto-price-finder.com&c1=
http://www.auto-price-finder.com/new/car?dest=apf&landing=nonbrand&=&c1=&rh=www.auto-price-finder.com&id=544&li=3&alt_exp=new&alt_ab=&rd=1
http://www.auto-price-finder.com/new/car_non_branded?c1=&land=y
I'm not accusing the affiliate networks involved of soliciting sales through spam, but here is a list of all the domains in use in case you want to do something with them:
affiliate.adgtracker.com
affiliate.gwmtracker.com
comperz.com
find.readcriminalsearch.us
genetix420.com
joinnow.expectlowmortgage.us
limited.pluscarsearch.us
navytrkn.com
network.adsmarket.com
pixel.autoaffiliatenetwork.com
requestnow.closedfoodstorage.us
reservenow.citizensmedicare.us
silvertrkn.com
start.car-truck-searches01.us
trynow.bumpcredit.us
valuedealshopper.com
www.auto-price-finder.com
www.enzjptkr.com
www.medicare-providers.net
www.vacationrome.net
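The click paths above and the domain list they produce are the useful part of this: the landing domains and mail servers change every day, but the affiliate account numbers in the tracker URLs do not. The script below is an added example, not from the post. It parses a handful of the click paths quoted on this page (constructed sample, one hop per line, campaigns separated by a blank line), extracts the query parameters that look like account identifiers (pub, affid, a, sid are my reading of the URLs, not something the networks document), and pivots on them to show which landing domains share one affiliate account. It also pulls out the s1/c1 sub-ID tags; that nf805, exm805, alt806 and ggn806 line up with the sending hosts and dates in these posts is my observation, not a claim the post makes.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed sample: click paths quoted in this post and the .me/.mobi posts
# above, one hop per line, campaigns separated by a blank line.
CLICK_PATHS = """\
http://find.readcriminalsearch.us/
http://navytrkn.com/?a=125&c=9034&s1=nf805
http://genetix420.com/?a=125&c=9034&s1=nf805&ckmguid=7aba1f24-2e05-4757-a6cf-f288466d0695
http://www.enzjptkr.com/rd/r.php?sid=6389&pub=201700&c1=&c2=&c3=
http://valuedealshopper.com?subid1=200001&subid2=6389

http://limited.pluscarsearch.us/
http://affiliate.adgtracker.com/rd/r.php?sid=6358&pub=331259&c1=nf805
http://www.auto-price-finder.com/welcome?id=544&subid=273567460&affid=331259&depid=

http://getitnow.affordable-auto-ins10.me/
http://navytrkn.com/?a=125&c=9558&s1=alt806
http://www.enzjptkr.com/rd/r.php?sid=6389&pub=201700&c1=&c2=&c3=

http://getitnow.find-cars-here-4u.mobi/
http://affiliate.adgtracker.com/rd/r.php?sid=6358&pub=331259&c1=ggn806
http://www.auto-price-finder.com/welcome?id=544&subid=273748921&affid=331259&depid=
"""

# Parameters that identify the affiliate account rather than the single click
# (assumption based on the URLs above), and the spammer's own sub-ID tags.
ACCOUNT_KEYS = ("pub", "affid", "a", "sid")
SUB_ID_KEYS = ("s1", "c1")


def parse_paths(text):
    """Return a list of campaigns; each campaign is a list of (host, params) hops."""
    campaigns = []
    for block in text.strip().split("\n\n"):
        hops = []
        for line in block.splitlines():
            u = urlsplit(line.strip())
            # keep_blank_values so 'c1=' shows up as an empty tag, not silently dropped
            params = {k: v[0] for k, v in parse_qs(u.query, keep_blank_values=True).items()}
            hops.append((u.hostname.lower(), params))
        campaigns.append(hops)
    return campaigns


def hosts_in_chain(campaigns):
    """Sorted unique hostnames seen anywhere in the click paths (the block list)."""
    return sorted({host for hops in campaigns for host, _ in hops})


def pivot_accounts(campaigns):
    """Map (tracker host, key, value) to the landing domains it was reached from.
    A value shared by several landing domains is one account feeding all of them."""
    table = {}
    for hops in campaigns:
        landing = hops[0][0]
        for host, params in hops[1:]:
            for k in ACCOUNT_KEYS:
                if params.get(k):
                    table.setdefault((host, k, params[k]), set()).add(landing)
    return table


def sub_ids(campaigns):
    """Distinct non-empty s1/c1 tags across all campaigns."""
    return sorted({params[k] for hops in campaigns for _, params in hops
                   for k in SUB_ID_KEYS if params.get(k)})


if __name__ == "__main__":
    c = parse_paths(CLICK_PATHS)
    for key, landings in sorted(pivot_accounts(c).items()):
        if len(landings) > 1:
            print(key, "->", sorted(landings))
    print("sub-IDs:", sub_ids(c))
    print("hosts:", hosts_in_chain(c))
```

The pivot is what an abuse report to the networks should lead with: pub=331259 at adgtracker and pub=201700 at enzjptkr/gwmtracker are the same accounts behind the .us, .me and .mobi runs, so a network that closes those two accounts stops the payout regardless of which host the crew moves to next.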
Here are some examples:
From: Background_Archives [records.archive@readcriminalsearch.us]
Date: 5 August 2014 14:22
Subject: Hi, Your background check is available online. Notice: 1718629
Date: 05-August-2014
-----------------------------
Notice No. 1718629
-----------------------------
Attention: [redacted]
Past criminal records are now online because of new privacy laws.
Find out if your records are available online:
http://find.readcriminalsearch.us
0pt-off this request_ http://halt.readcriminalsearch.us
Av. Conselheiro Aguiar, 312 _ Pina
Recife _ PE
51011--031, Brazil
PO box: _0913
==================================================
From: Best-AutoPrice [car.liquidation.event@pluscarsearch.us]
Date: 5 August 2014 14:12
Subject: Hey, Summer Price Reduction on All New Vehicles. Notice: 5370643
Local Auto Notice: 5370643
*****************************************
US Car and Truck Dealer are Liquidating Auto Inventories
Shopping for a new or used car?
Now is the time to take advantage of Summer Discounted Automotive Prices:
Go Here To View what's in-stock near you: http://limited.pluscarsearch.us
Modify_your notification_preferences: http://end.pluscarsearch.us
PO Box No. 6498
PELAYO_ 80
-28004--MADRID_MADRID
==================================================
From: Go_Triple_Score.22692335 [score.report.476@bumpcredit.us]
Date: 5 August 2014 14:04
Subject: Re: Has Your Score Recently Changed? Update: 24174301
RE: Your TransUnion Score may have recently changed.
----------------------------------------------------.
Date: August 2014 Score Update
----------------------------------------------------.
Update # 24174301
----------------------------------------------------.
Dear [redacted],
The reason that we are reaching out to you today is to make you aware that your score may have been changed based on a number of recent transactions.
Go here now to find out how your score was affected by these updates: http://trynow.bumpcredit.us
Your Score Generation Time: 47 Seconds
Regards,
Marcie D.
2014 Score Defender
Cancel_this email_notification: http://stop.bumpcredit.us
Suite 4753-24B Moorefield Rd Johnsonville _Wellington 6037 New Zealand
==================================================
From: HARP_Qualify.24513021 [Andrea.Casey@expectlowmortgage.us]
Date: 5 August 2014 14:51
Subject: Fwd: HARP Program: Lower Rates May Be Available Rpt: 14579829
[redacted],
Are your home payments weighing you down?
This may be your last-chance to Re-mortgage. Lock in a low -rate today before rates rise.
Find out how you may be Eligible to lower your monthly-payment. No -registration or -login necessary.
Get competitive rates quotes from Top Lenders and Save --
http://joinnow.expectlowmortgage.us
Andrea Casey
Harp Eligibility Team
Report: 14579829
Control your_advertising status_here --- http://end.expectlowmortgage.us
or mail to:
Suite 4753-24B Moorefield Rd_Johnsonville Wellington_6037 New Zealand
==================================================
From: enrollment_period.7469835 [future.enrollment.451@citizensmedicare.us]
Date: 5 August 2014 14:42
Subject: Hey, Medicare Enrollment Begins Soon. Notice #17904389
Notice: Medicare Open Enrollment Starts Soon
**********************************************************
Medicare Recipient: [redacted]
Open Enrollment for 2015 Medicare Programs begins October 15, 2014 to December 7, 2014.
You can only change your Medicare or Prescription Drug plan during this Annual Election Period. .
Find the best, most affordable Medicare plan.
**Aetna, Humana, BlueCross, AARP and more**
Don't Miss Your Chance to Change Plans. Find the Best Plan & Save up to 40% Online: http://reservenow.citizensmedicare.us
Notice: 17904389
Opt-off this request: http://leave.citizensmedicare.us
Dundrum Town Centre,Dundrum
Dublin 16, Ireland
PO Box, No. 309
==================================================
From: ASOTV-MrLid.11390255 [organized.mr.lid@closedfoodstorage.us]
Date: 5 August 2014 15:06
Subject: Hey, The only food storage container of its kind ID: 16462768
==================================================
From: Best-AutoPrice [car.liquidation.event@car-truck-searches01.us]
Date: 5 August 2014 15:42
Subject: Hey, Summer Price Reduction on All New Vehicles. Notice: 21892282
Local Auto Notice: 21892282
*****************************************
US Car and Truck Dealer are Liquidating Auto Inventories
Shopping for a new or used car?
Now is the time to take advantage of Summer Discounted Automotive Prices:
Go Here To View what's in-stock near you: http://start.car-truck-searches01.us
Modify_your notification_preferences: http://stop.car-truck-searches01.us
PO Box No. 6498
PELAYO_ 80
-28004--MADRID_MADRID
When you follow the clickthroughs you can see the victim is being bounced around what in my opinion look like several very low quality ad networks.
I'm not accusing the affiliate networks involved of soliciting sales through spam, but these are a list of all the domains in use in case you want to do something with them:
"Invoice 20146308660 June 2014 - July 2014" spam
Labels: EXE-in-ZIP, Malware, Spam, Viruses
Monday, 4 August 2014
Bank of America "Important Documents" spam leads to Cryptowall
This fake BofA spam has a malicious payload:
Date: Mon, 4 Aug 2014 19:57:07 +0800 [07:57:07 EDT]
From: Andrea Talbot [Andrea.Talbot@bofa.com]
Subject: RE: Important Documents
Please check attached documents regarding your Bofa account.
Andrea Talbot
Bank Of America
817-298-4679 office
817-180-2340 cell Andrea.Talbot@bofa.com
CONFIDENTIAL NOTICE: The contents of this message, including any attachments, are confidential and are intended solely for the use of the person or entity to whom the message was addressed. If you are not the intended recipient of this message, please be advised that any dissemination, distribution, or use of the contents of this message is strictly prohibited. If you received this message in error, please notify the sender. Please also permanently delete all copies of the original message and any attached
Attached to the message is an archive AccountDocuments.zip which in turn contains the malicious executable AccountDocuments.scr which has a VirusTotal detection rate of 6/54 and the comments indicate that this is a variant of Cryptowall. The Comodo CAMAS report shows that it phones home to the following URLs:
94.23.247.202/0408cnet28/SANDBOXB/0/51-SP2/0/
94.23.247.202/0408cnet28/SANDBOXB/1/0/0/
dirbeen.com/khalid53/cnet28.zip
ibuildchoppers.com/wp-content/gallery/choppers/cnet28.zip
Recommended blocklist:
94.23.247.202
dirbeen.com
ibuildchoppers.com
Labels: EXE-in-ZIP, Malware, Spam, Viruses
"Invoice 2014080420" spam
This spam has a malicious attachment:
Date: Mon, 04 Aug 2014 20:29:43 +0900 [07:29:43 EDT]
From: Accounts Dept [tolvan.rover@btinternet.com]
Subject: Invoice 2014080420 dynamoo
This email contains an invoice file for June 2014 - July 2014. Please pay invoice in full in 3 business days and reply to us.
There is an attachment INV_2014080420.zip containing a folder invoice_june2014-july2014.xls which in turn contains a malicious executable invoice_june2014-july2014.xls.scr which has a VirusTotal detection rate of 6/52. Automated analysis tools are inconclusive [1] [2] about what it does.
UPDATE:
The first part downloads a copy of Cridex from 23.92.84.52:8080/ord/1.exe which currently has a VT detection rate of 9/54. Blocking 23.92.84.52 may offer some protection.
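A defender-side check for the EXE-in-ZIP pattern these posts share: a .scr or .exe inside the archive, often behind a document-looking name such as invoice_june2014-july2014.xls.scr. This is an added example, not code from the blog; the archive is constructed in memory, and its member names are modelled on the post rather than taken from a real sample.

```python
import io
import zipfile
from typing import Dict, List

# Extensions Windows runs on double-click; .scr is what the samples above use.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".wsf"}
# Extensions a lure would use to look harmless in front of the real one.
DOCUMENT_EXTS = {".xls", ".xlsx", ".doc", ".docx", ".pdf", ".txt", ".jpg"}


def inspect_zip(data: bytes) -> List[Dict[str, object]]:
    """Return one finding per member that is, or is dressed up as, an executable.
    Name checks catch .scr/.exe and document.ext.scr double extensions; the
    content check catches an MZ (PE) header hiding behind an innocent name."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            base = info.filename.rsplit("/", 1)[-1].lower()
            exts = ["." + p for p in base.split(".")[1:]]
            last = exts[-1] if exts else ""
            with zf.open(info) as fh:
                head = fh.read(2)
            reasons = []
            if last in EXECUTABLE_EXTS:
                reasons.append("executable extension " + last)
            if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTS and last in EXECUTABLE_EXTS:
                reasons.append("double extension " + exts[-2] + last)
            if head == b"MZ":
                reasons.append("PE (MZ) header in content")
            if reasons:
                findings.append({"member": info.filename, "reasons": reasons})
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample shaped like INV_2014080420.zip from the post: a folder
    named like a spreadsheet holding an .xls.scr, plus a harmless text member.
    The .scr body is a fake 'MZ' stub, not real malware."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice_june2014-july2014.xls/invoice_june2014-july2014.xls.scr",
                    b"MZ\x90\x00" + b"\x00" * 60)
        zf.writestr("invoice_june2014-july2014.xls/notes.txt", b"harmless text")
    return buf.getvalue()


if __name__ == "__main__":
    for f in inspect_zip(build_sample_zip()):
        print(f["member"], "->", "; ".join(f["reasons"]))
```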
Labels: EXE-in-ZIP, Malware, Spam, Viruses
"Important - BT Digital File" spam
This fake BT spam has a malicious attachment:
Date: Mon, 4 Aug 2014 08:48:51 -0430 [09:18:51 EDT]
From: Marci Tobin
Subject: Important - BT Digital File
BT Digital Vault BT
Dear Customer,
This email contains your BT Digital File. Please scan attached file and reply to this email.
If you have any questions or forgotten your password, please visit the "Frequently Asked Questions" at www.bt.com/personal/digitalvault/help or call the helpdesk on 0870 240 7221* between 8am and midnight.
Thank you for choosing BT Digital Vault.
Kind regards,
BT Digital Vault Team
*Calls charged up to 8 pence per minute on the BT network (minimum fee 5.5p). Mobile and other network costs may vary. See http://www.bt.com/pricing for details.
Please note that this is an automatically generated email for your information only. We are sorry, but we can not respond to a "Reply" to this address.
This electronic message contains information from British Telecommunications plc, which may be privileged or confidential. The information is intended for use only by the individual(s) or entity named above. If you are not the intended recipient, be aware that any disclosure, copying, distribution or use of the contents of this information is strictly prohibited. If you have received this electronic message in error, please delete this email immediately.
Registered office: 81 Newgate Street London EC1A 7AJ Registered in England no: 1800000
The attachment is BT_Digital_Vault_File.zip which contains a malicious executable BT_Digital_Vault_File.exe which has a VirusTotal detection rate of 5/54. According to the Comodo CAMAS report the malware reaches out to the following URLs:
94.23.247.202/0408choUK2/SANDBOXB/0/51-SP2/0/
94.23.247.202/0408choUK2/SANDBOXB/1/0/0/
94.23.247.202/0408heap/SANDBOXB/1/0/0/
94.23.247.202/0408preb04/SANDBOXB/1/0/0/
amhzconsultancy.com/wordpress/48u2.zip
sintesismark.com/images/48u2.zip
bianconeandwilinsky.com/wp-content/uploads/2013/02/h8i3.zip
osteoarthritisblog.com/wp-content/uploads/2010/02/h8i3.zip
hopeisnull.comuf.com/wp-content/uploads/2014/03/pre.zip
grenzland-classic.de/css/pre.zip
Recommended blocklist:
94.23.247.202
amhzconsultancy.com
sintesismark.com
bianconeandwilinsky.com
osteoarthritisblog.com
hopeisnull.comuf.com
grenzland-classic.de
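The "Recommended blocklist" in this post and in the Bank of America post above is just the set of hosts behind the sandbox URLs, and comparing the two sets shows the IP they share. Added example, not the blog's own tooling; the URL lists are copied from the two posts exactly as written there (scheme-less, and with the Cridex download's :8080 port handled too).

```python
from urllib.parse import urlsplit

# Payload URLs from the "Important Documents" (BofA) and "Important - BT Digital
# File" posts, copied as the blog lists them: no scheme, path included.
BOFA_URLS = [
    "94.23.247.202/0408cnet28/SANDBOXB/0/51-SP2/0/",
    "94.23.247.202/0408cnet28/SANDBOXB/1/0/0/",
    "dirbeen.com/khalid53/cnet28.zip",
    "ibuildchoppers.com/wp-content/gallery/choppers/cnet28.zip",
]
BT_URLS = [
    "94.23.247.202/0408choUK2/SANDBOXB/0/51-SP2/0/",
    "94.23.247.202/0408choUK2/SANDBOXB/1/0/0/",
    "94.23.247.202/0408heap/SANDBOXB/1/0/0/",
    "94.23.247.202/0408preb04/SANDBOXB/1/0/0/",
    "amhzconsultancy.com/wordpress/48u2.zip",
    "sintesismark.com/images/48u2.zip",
    "bianconeandwilinsky.com/wp-content/uploads/2013/02/h8i3.zip",
    "osteoarthritisblog.com/wp-content/uploads/2010/02/h8i3.zip",
    "hopeisnull.comuf.com/wp-content/uploads/2014/03/pre.zip",
    "grenzland-classic.de/css/pre.zip",
]


def host_of(url: str) -> str:
    """Host of a URL as written on the page: add a scheme when missing so urlsplit
    fills netloc, then let .hostname drop any :port (23.92.84.52:8080 -> 23.92.84.52)."""
    if "://" not in url:
        url = "http://" + url
    return urlsplit(url).hostname or ""


def group_by_host(urls):
    """Map each host to the paths fetched from it, keeping first-seen order, so an
    analyst sees that one IP served several sandbox paths."""
    groups = {}
    for url in urls:
        parts = urlsplit(url if "://" in url else "http://" + url)
        if parts.hostname:
            groups.setdefault(parts.hostname, []).append(parts.path)
    return groups


def blocklist(urls):
    """The post's 'Recommended blocklist': unique hosts in order of first appearance."""
    return list(group_by_host(urls))


def shared_hosts(*url_lists):
    """Hosts present in every campaign given; shared infrastructure across posts."""
    return sorted(set.intersection(*(set(blocklist(u)) for u in url_lists)))
```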
UPDATE: the following spam also has the same payload..
Date: Mon, 4 Aug 2014 11:41:18 +0000 [07:41:18 EDT]
From: Companies House [WebFiling@companieshouse.gov.uk]
Subject: Incident 7132163 - Companies House
The submission number is: 7132163
For more details please check attached file.
Please quote this number in any communications with Companies House.
All Web Filed documents are available to view / download for 10 days after their original submission. However it is not possible to view copies of accounts that were downloaded as templates.
Companies House Executive Agency may use information it holds to prevent and detect fraud. We may also share such information, for the same purpose, with other Organizations that handle public funds.
If you have any queries please contact the Companies House Contact Centre on +44 (0)303 1234 500 or email enquiries@companies-house.gov.uK
Note: This email was sent from a notification-only email address which cannot accept incoming email. Please do not reply directly to this message.
Companies House
4 Abbey Orchard Street
Westminster
London
SW1P 2HT
Tel +44 (0)303 1234 500
Labels: EXE-in-ZIP, Malware, Spam, Viruses