"To All Employee's - Important Address UPDATE" spam leads to Cryptowall

This fake HR spam leads to a malicious ZIP file:

From:     Administrator [administrator@victimdomain.com]
Date:     11 September 2014 22:25
Subject:     To All Employee's - Important Address UPDATE

To All Employee's:The end of the year is approaching and we want to ensure every employee receives their W-5 to the correct address.Verify that the address is correct - https://local.victimdomain.com/details.aspx?id=6871049687 If changes need to be made, contact HR at https://hr.victimdomain.com/update.aspx?id=6871049687. Administrator,http://victimdomain.com

To All Employee's:
The end of the year is approaching and we want to ensure every employee receives their W-5 to the correct address.
Verify that the address is correct - https://local.victimdomain.com/details.aspx?id=6871049687
If changes need to be made, contact HR at https://hr.victimdomain.com/update.aspx?id=6871049687.

 Administrator,
http://victimdomain.com

 The link in the email goes to the same site as described in this earlier post, which means that the payload is Cryptowall.

"rooms reservation" spam leads to a malicious Word document

This fake hotel booking email has a malicious Word document attached:

From:     Zorita [info@convividautore.it]
Date:     11 September 2014 15:02
Subject:     rooms reservation

Dear Hotel Manager,

I would like to reserve accommodation for 5 single rooms in your hotel for 7 nights for 5 guests.

Arrival date will be on 16 September.

List any special requirements attached to letter.

Thank you for your prompt attention to the above, I look forward to receiving a letter confirming my reservation.

Kind Regards

The Word document attempts to persuade the victim to remove the security settings from the application:

The text says:

This error usually occurs because of macro security settings.  To check your macro security settings, click the Microsoft Office Button, click Microsoft Word Options, click Trust Center, and then click Trust Center Settings. If macro security is set to Disable all macros without notification, all macros are automatically disabled. Use the following procedure to enable the macro. In the Trust Center dialog box, click Macro Settings, and then click Disable all macros with notification. Click OK in the Trust Center dialog box to apply the new setting. Click OK to close the program options dialog box. Close the file and the Microsoft  Word. Open the file again. A Security Alert appears in the Document Information Bar just below the ribbon. Click Enable Content to allow the macro to run.

The document itself has a VirusTotal detection rate of 9/54.

If you are foolish enough to do this, the document will then download an additional component from colfdoc.it/cart/update.exe (77.81.241.104) which in turn has a detection rate of 5/55. The ThreatTrack report [pdf] shows that the malware attempts to communicate with:

cityhotlove.com/datastat/datacoll.php (109.120.177.164)
cyklopesek.cz/css/r.pack (90.182.221.59)



I would recommend blocking the following:
109.120.177.164
cityhotlove.com
cyklopesek.cz
colfdoc.it

eFax spam leads to Cryptowall

Yet another fake eFax spam. I mean really I cannot remember the last time someone sent me a fax. What's next? "Someone has sent you a telegram"?

From:     eFax [message@inbound.efax.com]
Date:     11 September 2014 20:35
Subject:     eFax message from "unknown" - 1 page(s), Caller-ID: 1-865-537-8935

Fax Message [Caller-ID: 1-865-537-8935
You have received a 1 page fax at Fri, 12 Sep 2014 02:35:44 +0700.

* The reference number for this fax is atl_did1-1400166434-52051792384-154.

Click here to view this fax using your PDF reader.

Please visit www.eFax.com/en/efax/twa/page/help if you have any questions regarding this message or your service.

Thank you for using the eFax service!

       

j2 Global | eFax | eVoice | FuseMail | Campaigner | KeepItSafe | OneBox

2014 j2 Global, Inc. All rights reserved.
eFax is a registered trademark of j2 Global, Inc.

This account is subject to the terms listed in the eFax Customer Agreement.

I bet you've already guessed that the link in the message goes somewhere bad, in this case it downloads a ZIP files from cybercity-game.com/game/Documents.zip which unzips to a malicious executable Documents.scr which has a pretty low VirusTotal detection rate of 2/55.

The ThreatTrack report clearly identifies this as Cryptowall and identifies that it either downloads data from or posts data to the following locations:

188.165.204.210/1109inst2/NODE01/0/51-SP3/0/
188.165.204.210/1109inst2/NODE01/1/0/0/
mtsvp.com/files/3/install2.tar
suspendedwar.com/87n3hdh5wi04gy
suspendedwar.com/ttfvku8z7jn
goodbookideas.com/wp-content/themes/twentyeleven/111.exe
suspendedwar.com/gwfqwaratrpl2c
suspendedwar.com/h0nxfsskh0xu
suspendedwar.com/kvlfhc0hjgo6sgo

The 111.exe has a much wider detection rate of 22/53 and according the the ThreatTrack analysis of that binary there is some sort of network connection to the following IPs:

193.169.86.151
193.19.184.20

Overall, the web hosts involved are:
46.151.145.11 (Swift Trace Ltd, Crimea)
50.63.85.76 (GoDaddy, US)
76.74.170.149 (Daiger Sydes Gustafson LLC / Peer 1, US)
188.165.204.210 (OVH, France)
193.19.184.20 (PE Intechservice-B, Ukraine)
193.169.86.151 (Ivanov Vitaliy Sergeevich, Ukraine)

I would recommend blocking the following:
188.165.204.210
193.19.184.20
193.169.86.151
goodbookideas.com
mtsvp.com
suspendedwar.com

Malicious WordPress injection sending to 178.62.254.78 and 176.58.100.98

There is currently some sort of injection attack against WordPress sites that is injected code into the site's .js files. Not so unusual.. except that the payload site in the file changes every half hour or so.

A sample of the code can be seen here [pastebin], it looks similar to this (click to enlarge):

The site mentioned in the IFRAME is the one that keeps changing, so presumably there is either something running on the compromised WordPress site, or there is some other mechanism for the bad guys to update the details. The URLs I have seen recently are as follows:

[donotclick]sexyunanu.inthepress.org/bububiolasa16.html
[donotclick]binoduselda.vagfans.info/stickomanus16.html
[donotclick]binoduselda.finalmasterplugin.com/ditirakis16.html
[donotclick]binoduselda.ireleaseme.com/falcoruide16.html
[donotclick]binoduselda.hyakunime.net/bibkajuleman16.html
[donotclick]binoduselda.bateriafina.org/filimanuio16.html

All these subdomains are hijacked from legitimate domains using AFRAID.ORG nameservers, and are hosted on 178.62.254.78 (Digital Ocean, Netherlands). These then pass the victim onto another domain in the format

[donotclick]piplakoras.askhartleyauto.com/3674e375m87i/1/9ffbf35e4190fbba62f70c8477fa3964.html

which is hosted on 176.58.100.98 (Linode, UK). The URL structure indicates that this might be the Nuclear Exploit Kit, although it has been hardened against analysis.

I can't detect all the sites on 178.62.254.78, but a list of the ones I have observed so far can be found here [pastebin] and those on 176.58.100.98 can be found here. But blocking the following IPs may give you better protection:

176.58.100.98
178.62.254.78

Update 2014-09-12 0830 UTC: overnight a whole set of other malicious subdomains (hijacked again from AFRAID.ORG users) were active, using the same IPs to spread malware. The domains change every 30 to 60 minutes or so.

iflaroust.trainersclub.com.br/iflitegouler16.html
iflaroust.transtornomental.com.br/giditures16.html
iflaroust.transtornos.com.br/sukerkae16.html
iflaroust.ubertom.com/bubuerleras16.html
iflaroust.vaughnnugent.com/bubudejana16.html
biblaroita.lecnet.org/bubuidaheta16.html
biblaroita.ukies60.co.uk/nunigahulaala16.html
biblaroita.farahdzila.com/bubliorefusei16.html
biblaroita.buypurestevia.net/buidadusel16.html
biblaroita.loto-365.com/digigafus16.html
biblaroita.loto-777.com/ififuleradus16.html
biblaroita.g8r.ca/iglamiuser16.html
filmagrafy.qqm59.com/laperiuds16.html
filmagrafy.mda77.com/alsominora16.html
filmagrafy.fok96.com/ditroitosmiktajeras16.html
filmagrafy.hosting15.net/fiklakerasio16.html
filmagrafy.tab73.com/bibloruserna16.html
filmagrafy.uzz58.com/sigagulet16.html
filmagrafy.kts25.com/ifafloruseta16.html
guider.xmm85.com/fifakuitro16.html
guider.jam92.com/ifagugehaler16.html
guider.queensland-bedlinen.com/ifigahugera16.html

DPD Services "Home Delivery Notification" spam

This fake DPD message contains a link leading to an exploit kit.

From:     DPD Services [dpd_support@nikos-fahrschule.com]
Reply-to:     DPD Services [dpd_support@nikos-fahrschule.com]
Sate:     11 September 2014 14:18
Subject:     Home Delivery Notification

    DPD

    DPD - Parcel Services and Parcel Shipping

    Welcome to DPD

    Delivery Notification

    Track-Id: DP-U0096319662

    We could not deliver your parcel. Download Delivery Label here.

    Copyright 2014 (C) All rights reserved

In this case the link goes to [donotclick]seanergia.pl/model.php?dpd=Ny1yrZdnYkTUirJpfIQ6dj79Zbf5481JA1xta2JR54w= (this seems to be 404ing, but it could just be hiding). According to this report the payload is Asprox.

"LLC INC" / llcinc.net fake job offer

This fake company's name looks like it has been designed to be hard to find on Google. The so-called LLC INC using the domain llcinc.net does not exist.

Date:      Wed, 10 Sep 2014 19:51:50 -0400 [09/10/14 19:51:50 EDT]
From:      LLC INC
Reply-To:      recruiter@llcinc.net
Subject:      EMPLOYMENT OFFER

Hello,
  Good day to you overthere we will like to inform you that our company is currently
opening an opportunity for employment if you are interested please do reply with your resume
to recruiter@llcinc.net

Thanks
Management LLC INC 

This so-called job is going to be something like a money mule, parcel mule or some other illegal activity.

The domain llcinc.net was registered just a few days ago with fake details:

Registry Registrant ID: 
Registrant Name: BEATRIZ G SANDERS
Registrant Organization: LLCINC
Registrant Street: PO BOX 33100
Registrant City: SAN ANTONIO
Registrant State/Province: TEXAS
Registrant Postal Code: 78265
Registrant Country: US
Registrant Phone: +1.2102605808
Registrant Phone Ext:  
Registrant Fax: 
Registrant Fax Ext:
Registrant Email: JOETOMMY456@YAHOO.COM

There is no website. The email originates from 209.169.222.37, the mail headers indicate that this is probably a compromised email server mail.swsymphony.org.

Avoid.

Geir Myklebust (DHL NO) [Geir.Myklebust@dhl.com] invoice spam has a malicious attachment

Geir Myklebust is a real employee for DHL in Norway, but neither he nor DHL are responsible for this spam run in any way (their systems have NOT been breached either). Instead, it contains a malicious attachment and it should simple be deleted.

From:     Geir Myklebust (DHL NO) [Geir.Myklebust@dhl.com]
Date:     10 September 2014 10:35
Subject:     FW: customer acct. no.: 4690086 - invoice 0257241 needs to be paid


Dear Sir.

The attached invoice from Villmarksmessen 2014 has still not been settled.
Please advise as soon as possible.

Thank you and regards,
Geir
Med vennlig hilsen/ Kind Regards
Geir Myklebust
Product Manager, Avd. Trade Fairs & Events
DHL Global Forwarding (Norway) AS
Avd. Trade Fairs & Events
Messeveien 14
2004 Lillestrøm


Postboks 154 Leirdal
NO-1009 OSLO
NORWAY

Direct line:        + 47 90 95 58 26
Fax:                  + 47 64 00 71 87
Mobile:             + 47 90 78 52 44

Dear Sir.

The attached invoice from Villmarksmessen 2014 has still not been settled.

Please advise as soon as possible.

Thank you and regards,

Geir

Med vennlig hilsen/ Kind Regards
Geir Myklebust
Product Manager, Avd. Trade Fairs & Events

DHL Global Forwarding (Norway) AS
Avd. Trade Fairs & Events
Messeveien 14
2004 Lillestrøm


Postboks 154 Leirdal
NO-1009 OSLO
NORWAY

Direct line:        + 47 90 95 58 26
Fax:                  + 47 64 00 71 87
Mobile:             + 47 90 78 52 44

Attached is a ZIP file of various different names (e.g. invoice_0257241.zip), containing a malicious executable file invoice_3466198.exe which has a VirusTotal detection rate of 3/54.

The Comodo CAMAS report  shows an attempted connection to voladora.com/Imagenes/qaws.cab  which is currently coming up with a socket error. I would recommend that you block access to that domain. Further analysis is pending, I will update the post if I find more information.

UPDATE: a second malicious binary is doing the round, this time with a detection rate of 2/53. The ThreatTrack report [pdf] and Anubis report shows the malware performing lookups for a variety of domain names [pastebin] which are not currently resolving, but might be worth blocking.

Sage "Outdated Invoice" spam

This fake Sage email leads to a malicious file.

From:     Sage Account & Payroll [invoice@sage.com]
Date:     9 September 2014 13:31
Subject:     Outdated Invoice

Sage Account & Payroll

You have an outdated invoice from Sage Accounting that is ready for payment. To find out more details on this invoice, please follow the link bellow or click here to view/download your account invoice: https://invoice.sage.co.uk/Account?902687=Invoice_090914.zip If we hold any information about you which is incorrect or if there are any changes to your details please let us know by so that we can keep our records accurate and up to date. If you would like to update your records or see a copy of the information that we hold about you, you can contact us at Data Protection Officer, Sage (UK) Ltd, North Park, Newcastle-upon-Tyne, NE13 9AA or by email to [redacted]. If you request a copy of your information you will need to pay a statutory fee which is currently £10. The contents of this email and any attachments are confidential. They are intended for the named recipient(s) only. If you have received this email in error please notify the system manager or the sender immediately and do not disclose the contents to anyone or make copies. We have communicated this information with users as well, and we will continue to communicate with you through email as your transition continues. This email was sent to: [redacted]

This email was sent by: Sage UK Limited NC1-002-08-25, Newcastle upon Tyne., North Park, NE13 9AA, United Kingdom

Privacy and Security
Keeping your financial information secure is one of our most important responsibilities. For an explanation of how we manage customer information, please read our Privacy Policy. You can also learn how Sage UK Limited keeps your personal information secure and how you can help protect yourself.

The link in the email does not go to invoice.sage.co.uk at all, but loads a page from:
[donotclick]anphucconduit.com/cslxpnzwzg/jnxxblpzjn.html

which in turn executes the following scripts:
[donotclick]lager.leadhoster.com/jflguwjgdk/rqkypcjgqt.js
[donotclick]northinc.com/mlfbxurfhn/pctxizxtfd.js
[donotclick]www.drhousesrl.it/lpwfszqqjt/gttigxxhme.js
[donotclick]mariatome.myartsonline.com/ykfmbdqqrm/jgawguxmub.js

those scripts attempt to download a malicious .ZIP file from the following locations:
[donotclick]cartadegintonics.com/js/jquery/invoice_090914.zip
[donotclick]anpilainate.org/bin/invoice_090914.zip
[donotclick]raggiottoimpianti.it/wp-content/uploads/2014/08/invoice_090914.zip
[donotclick]importedjewelryoutlet.com/include/invoice_090914.zip

You would have expected an exploit kit after all this hard work, but not.. it's a plain old ZIP (invoice_090914.zip) file containing a malicious executable invoice_090914.scr which has a VirusTotal detection rate of 8/55.

The ThreatTrack report [pdf] and Anubis report show that the malware attempts to make a connection to:
vaderhopland.be/js/9k1.cl
95.141.37.158/0909uk1/NODE01/0/51-SP3/0/
95.141.37.158/0909uk1/NODE01/1/0/0/
95.141.37.158/0909uk1/NODE01/41/5/4/

Recommended blocklist:
95.141.37.158
vaderhopland.be
anphucconduit.com
lager.leadhoster.com
northinc.com
drhousesrl.it
mariatome.myartsonline.com
cartadegintonics.com
anpilainate.org
raggiottoimpianti.it
importedjewelryoutlet.com

"PAYMENT SLIP" spam comes with an encrypted .7z archive

This spam comes with a malicious attachment:

From:     daniel mo [danielweiche002@gmail.com]
Subject:     PAYMENT SLIP
Signed by:     gmail.com

Thanks for your last message,

We remitted 30% prepayment today amounting to 51,300USD against your invoice INV332831 as was agreed with you by our purchasing agent. Please check the attached invoice and the payment slip and correspond your account information. You will receive payment in your account after a few days.

Please confirm the receipt  below,
kindly use this password {121212} to view attachment for our payment slip;
Thanks,
Daniel
Accounts Assistant
67752222
64472801
Zenia Singapore Pte Ltd

In order to deal with the attachment new order.7z, you'll need something capable of dealing with .7z files (e.g. 7-Zip). Inside the archive is a malicious executable new order.scr which has a VirusTotal detection rate of 5/54. I have not been able to analyse the malware any further than this.

RBS "Important Docs" spam doing the rounds again

The Royal Bank of Scotland has been spoofed several times recently, this latest fake spam contains a payload that looks like it might be Cryptowall.

Date:      Mon, 8 Sep 2014 15:00:22 +0100 [10:00:22 EDT]
From:      Vicente Mcneill [Vicente@rbs.co.uk]
Subject:      Important Docs

Please review attached documents regarding your account.

Tel:  01322 929655
Fax: 01322 499190
email: Vicente@rbs.co.uk

This information is classified as Confidential unless otherwise stated. 

Attached is an archive RBS_Account_Documents.zip containing a malicious executable RBS_Account_Documents.scr which has a detection rate at VirusTotal of 4/53. The ThreatTrack analysis [pdf] shows that it attempts to download components from the following locations:

95.141.37.158/0809uk1/NODE01/0/51-SP3/0/
95.141.37.158/0809uk1/NODE01/1/0/0/
95.141.37.158/0809uk1/NODE01/41/5/4/
bullethood.com/ProfilePics/0809uk1.zip

95.141.37.158 is SeFlow.it Internet Services, Italy. bullethood.com is on a shared server at GoDaddy. The malware also appears to be attempting to connect to 94.23.250.88 (OVH, France).

Recommended blocklist:
bullethood.com
95.141.37.158
94.23.250.88

BH Live Tickets "Peter Pan" spam (bhlive.co.uk / bhlivetickets.co.uk)

I have seen a very large quantity of these spam emails, purporting to be from

From:     bhlivetickets@bhlive.co.uk
Date:     8 September 2014 08:43
Subject:     Confirmation of Order Number 484914

ORDER CONFIRMATION Order Number Order Date 484914 07-09-2014 13:00

YOUR E-TICKET(S) ARE ATTACHED TO THIS EMAIL, SENT TO [redacted]. Please print ALL PAGES of the PDF file attached to the email and bring them with you to gain admission to the event. The attachment requires that you have the Adobe Acrobat Reader installed on your computer. If you do not have Adobe Acrobat Reader installed, please click HERE to download and install this program. TICKETS QTY TICKET TYPE PRICE EACH TOTAL Peter Pan Bournemouth Pavilion Theatre Tue 23 Dec 2014 - 7:00 PM 3 Early Bird - Price A 18.00 54.00 6 Early Bird Child Under 16 - Price A 15.00 90.00 Ticket Information Circle/A 35-30 (6) , Circle/B 33-31 (3) DELIVERY METHOD AMOUNT Print At Home - E-Ticket(s) are attached to this order confirmation (You must be able to open and print a PDF file) 1.00 PAYMENTS TYPE # DATE AMOUNT Mastercard Sale ************7006 03-09-2014 13:00 145.00

Please keep this confirmation in a safe place. THIS IS NOT YOUR TICKET YOUR E-TICKET(S) ARE ATTACHED TO THIS EMAIL Please call 0844 576 3000 if there are any errors in your order, if you have not received your tickets as expected, or if you have any questions. BH Live Tickets Exeter Road, Bournemouth, BH2 5BH Tel: 0844 576 3000 bhlivetickets@bhlive.co.uk http://www.bhlivetickets.co.uk VAT Reg: 108 2248 37 TICKETS: 144.00 CHARGES: 1.00 TOTAL: 145.00 PAYMENTS RECEIVED: 145.00

These emails are not from BH Live Tickets and their systems have not been compromised in any way. Instead, these emails are a forgery with an attachment (tickets.3130599.zip or similar) which in turn contains a malicious executable (in this case tickets.332091.exe).

The VirusTotal detection rate for this malware is just 3/55. Comodo CAMAS reports that this downloads an additional component from tiptrans.com.tr/333 which has a VirusTotal detection rate of 4/51.

According to ThreatExpert, This second component POSTs some information to 80.94.160.129:8080 (OVH, France) and also appears to contact 92.222.46.165 (National Academy Of Sciences Of Belarus).

Recommended blocklist: (updates in italics)
tiptrans.com.tr
plancomunicacion.net
92.222.46.165
80.94.160.129

Added: there is at least one other version of the malicious binary, for example this one.  I have seen some reports that there are more.

UPDATE 2014-09-09:
A second spam run is in progress, essentially the same as the first one except some now have a subject in the form "Confirmation of E-Tickets Order Number 0088658".

There are two new binaries, well detected by anti-virus products with a VirusTotal score of 27/55 and 25/54.

In one case the binary downloaded an additional component from plancomunicacion.net/333  which has a detection rate of 25/54 and according to the ThreatExpert report has the same characteristics as before.

Also, the people operating BH Live have put a notice on their website.:

Concerns raised over emails purporting to be from BH Live Tickets
Published on 8 September 2014

Bournemouth, UK, 8 September – At approximately 7.30 this morning BH Live started to receive a high-volume of calls from members of the public in connection with an email purporting to come from BH Live Tickets. The email contains attachment(s) and hyperlinks relating to a booking for Peter Pan.

BH Live's Information Security teams together with information technology professionals and suppliers have investigated the matter and confirm that its internal systems have not been breached and that the emails were sent from known SPAM IP addresses. The emails are not genuine and do not originate from BH Live. A number of precautionary measures have been taken to ensure data, systems and networks continue to be protected.

The public is advised to delete these emails, to not open any attachments or links; ensure they are running the most up-to-date security products and that the operating system has been updated to the latest version. It is recommended that anyone receiving these emails update their passwords over the coming days.

BH Live continues to monitor the situation and is posting updates via websites and social media channels.

Shakira death hoax email comes with a malicious Word document

This Spanish-language spam email reports the (fake) death of Shakira in a car accident. Attached is a Word document that contains a malicious macro.

From:     El Universal [eluniversal@eluniversal.org]
Date:     5 September 2014 14:50
Subject:     Shakira muere en grave accidente

Muere Shakira en grave accidente

Esta madrugada a las 1:10 A.M. en el barrio la Macarena, Colombia. La conocida cantante e intérprete Shakira Isabel Mebarak Ripoll, sufrió un grave accidente automovilístico en el cual perdio la vida. Abordo del vehículo también se encontraba su manager, que quedó con heridas graves. Testigos, dicen que el auto conducido por este último, se dirigia a exceso de velocidad..

Para ver imágenes exclusivas y detalles de la noticia adjuntamos un documento con toda la información sobre este trágico acontecimiento.

Ampliaremos.

El Universal © todos los Derechos Reservados  2014.

This approximately translates as:

Shakira dies in serious accident

This morning at 1:10 A.M. in the neighborhood La Macarena, Colombia. The well-known singer and performer Shakira Isabel Mebarak Ripoll, suffered a serious car accident in which she lost herlife. Aboard the vehicle was her manager, who was seriously injured. Witnesses say the car driven by the latter, was speeding ..

To view exclusive images and details of the story, we have attached a document with all the information about this tragic event.

When attempting to open the Word document (IMAGENES_01.doc), the potential victim sees the following:

The rest of the document explains to the victim how to remove the security settings from Word, supposedly to enable them to view the pictures. But what will actually happen is that the malicious macro in the document will try to infect the PC.

This malicious document has a VirusTotal detection rate of just 2/54. According to an analysis of the document, it then appears to download additional components from an insecure Joomla site at [donotclick]www.papeleriaelcid.com/aurora/ajax/

This type of spam seems to commonly target Spanish-speaking South American victim (like this one).

In this case the originating IP was 207.150.195.247 (a SouthWeb Ventures IP allocated to a customer supposedly called "Microinformatica Gerencial, S.A. de C.V.").

Blocking the papeleriaelcid.com site and rejecting emails from 207.150.195.247 might be wise if you have Spanish-speaking users.

sage.co.uk "Invoice_7104304" spam

This fake invoice from Sage is actually a malicious PDF file:

From:     Margarita.Crowe@sage.co.uk [Margarita.Crowe@sage.co.uk]
Date:     23 July 2014 10:31
Subject:     FW: Invoice_7104304

Please see attached copy of the original invoice (Invoice_7104304).

Attached is a file sage_invoice_3074381_09042014.pdf which is identical to the payload for this Companies House spam circulated earlier.

Companies House "(AR01) Annual Return received" spam

This fake Companies House spam comes with a malicious attachment.

From:     Companies House [web-filing@companies-house.gov.uk]
Date:     4 September 2014 10:58
Subject:     (AR01) Annual Return received

Thank you for completing a submission Reference # (1650722).

    (AR01) Annual Return

Your unique submission number is 1650722
Please quote this number in any communications with Companies House.

Check attachment to confirm acceptance or rejection of this filing.

All web filed documents (with the exception of downloaded accounts templates) are available to view / download for 10 days after their original submission.

Once accepted, these changes will be displayed on the public record.

Not yet filing your accounts online? See how easy it is...

For enquiries, please telephone the Service Desk on +44 (0)303 1234 500 or email enquiries@companieshouse.gov.uk

This email was sent from a notification-only email address which cannot accept incoming mail. Please do not reply directly to this message.

Attached is a malicious PDF file ar01_456746_09042014.pdf which has a VirusTotal detection rate of 5/54. The Malware Tracker report shows that this attempts to exploit the CVE-2013-2729 flaw that was patched over a year ago.. so it may well be that if your version of Acrobat is up-to-date then you will be OK, as you will probably be if you use another PDF reader.

Sky.com "Statement of account" spam.. again.

These fake Sky emails are pretty common and have a malicious attachment:

Date:      Wed, 3 Sep 2014 09:17:22 +0200 [03:17:22 EDT]
From:      "Sky.com" [statement@sky.com]
Subject:      Statement of account

Afternoon,

Please find attached the statement of account.

We look forward to receiving payment for August, invoice as this is now due for payment.

Regards,
Clark

This email, including attachments, is private and confidential. If you have received this
email in error please notify the sender and delete it from your system. Emails are not
secure and may contain viruses. No liability can be accepted for viruses that might be
transferred by this email or any attachment. Wilson McKendrick LLP Solicitors, Queens
House, 29 St. Vincent Place, Glasgow G1 2DT Registered in Scotland No. SO303162. Members:
Mark Wilson LLB Dip. NP LP Allan T. McKendrick LLB Dip. LP NP. 

The attachment is Statement.zip which contains a malicious executable Statement.scr which has a reasonable VirusTotal detection rate of 18/55. The Anubis report indicates that the binary phones home to the following domains which may be worth blocking:

notarioschiapas.com
faviles.com

Fake westlothian.gov.uk "NDR Bill" email

Sometimes spammers come up with weird approaches. This one is a bill from West Lothian Council in the UK.. well, actually it isn't a bill but it comes with a malicious attachment.

From:     Ebilling [Ebilling@westlothian.gov.uk]
Date:     3 September 2014 09:20
Subject:     NDR Bill

Please find attached your Non Domestic Rates bill.

If your account is in credit you are due a refund unless you have any other debt due to the Council.

To allow your credit to be processed please confirm:

- If you want the credit transferred to another account you have with us. Please confirm the account details.
- If you want the credit refunded by cheque, please confirm who it should be sent to and the address.

Links to Non Domestic Rates information are detailed below.

Important Note:
If you access these links using a mobile phone the network provider may charge for this service.

Yours sincerely
Scott Reid
Revenues Manager

 http://www.westlothian.gov.uk/media/downloaddoc/1799465/1851216/2395547

* PDF Viewer required.

This message, together with any attachments, is sent subject to the
following statements:

1.    It is sent in confidence for the addressee only.  It may
    contain legally privileged information.  The contents are
    not to be disclosed to anyone other than the addressee.
    Unauthorised recipients are requested to preserve this
    confidentiality and to advise the sender immediately.
2.    It does not constitute a representation which is legally
    binding on the Council or which is capable of constituting
    a contract and may not be founded upon in any proceedings
    following hereon unless specifically indicated otherwise.

http://www.westlothian.gov.uk

Attached is a file 00056468.pdf.zip which contains a malicious executable D0110109.PDF.exe (which has an icon to make it look like a PDF file). This has a low detection rate at VirusTotal of 4/55.

The Comodo CAMAS report shows that it downloads an additional component from the following locations:

paodeler.com/333
awat.ugu.pl/333
twigsite.org/333
chico-assen.nl/333
beckerseguros.com.br/333
vacacionescosta.com.ar/333
frere-bros.com/333
kaituforumas.lt/333
www.van-der-leest.nl/333
lavetrinadeimotori.it/333
uj.spexx.hu/333
hamalabeachresort.com/333
voladora.com/333
ccemanpower.com/333
tiptrans.com.tr/333
areteeventos.com.br/333
ochodiez.com.ar/333
www.alabiimoveis.com/333
www.tbdistributors.co.nz/333
itspecialist.ro/333
groupgraphic.dk/333

This second component has a VT detection rate of just 3/55. The Anubis report shows an attempted phone home to 80.94.160.129 (National Academy of Sciences of Belarus) and 92.222.46.165 (OVH, France)

Recommended blocklist:
80.94.160.129
92.222.46.165
paodeler.com
awat.ugu.pl
twigsite.org
chico-assen.nl
beckerseguros.com.br
vacacionescosta.com.ar
frere-bros.com
kaituforumas.lt
van-der-leest.nl
lavetrinadeimotori.it
uj.spexx.hu
hamalabeachresort.com
voladora.com
ccemanpower.com
tiptrans.com.tr
areteeventos.com.br
ochodiez.com.ar
alabiimoveis.com
tbdistributors.co.nz
itspecialist.ro
groupgraphic.dk

Something evil on 95.163.121.188 (Sweet Orange EK)

95.163.121.188 is currently hosting the Sweet Orange Exploit Kit (hat tip). The IP is allocated to Digital Networks CJSC (aka DINETHOSTING) that has featured on this blog many times before.

Currently I can see the following domains active on this IP address. Ones highlighted are flagged as malicious by Google.

cdn2.sefu.co
cdn3.sefu.co
cdn4.sefu.co
cdn5.sefu.co
cdn.seefu.co
cdn2.seefu.co
cdn3.seefu.co
cdn.seefoo.co
cdn2.seefoo.co
cdn3.seefoo.co
cdn.critico.co
cdn.easynet.co
cdn.networkguys.co
cdn.tequilacritico.es
cdn2.tequilacritico.es
cdn3.tequilacritico.es
cdn4.tequilacritico.es
cdn5.tequilacritico.es
cdn.critico.com.mx
cdn.critico.mx
cdn.thecritico.mx
cdn2.thecritico.mx
cdn4.thecritico.mx
cdn5.thecritico.mx
cdn.tequilacritico.mx
cdn2.tequilacritico.mx
cdn3.tequilacritico.mx
cdn4.tequilacritico.mx
cdn5.tequilacritico.mx
cdn.sweetip.uk.com
cdn2.sweetip.uk.com
cdn3.sweetip.uk.com
cdn4.sweetip.uk.com
cdn5.sweetip.uk.com
cdn.sweetip.com
cdn2.sweetip.com
cdn3.sweetip.com
cdn4.sweetip.com
cdn5.sweetip.com
cdn.brazitel.com
cdn.thecritico.com
cdn2.thecritico.com
cdn3.thecritico.com
cdn4.thecritico.com
cdn5.thecritico.com
google.chagwichita.com
cdn.tequilatimes.com
cdn2.tequilatimes.com
cdn3.tequilatimes.com
cdn4.tequilatimes.com
cdn5.tequilatimes.com
google.ajdistributor.com
cdn.netguysglobal.com
cdn.tequilacritics.com
cdn2.tequilacritics.com
cdn3.tequilacritics.com
cdn4.tequilacritics.com
cdn5.tequilacritics.com
cdn.mcelectricalinc.com
cdn.tequilaspectator.com
cdn2.tequilaspectator.com
cdn3.tequilaspectator.com
cdn4.tequilaspectator.com
cdn5.tequilaspectator.com
cdn.primrosebrentwood.com
cdn.tequilaguildofamerica.com
cdn2.tequilaguildofamerica.com
cdn3.tequilaguildofamerica.com
cdn4.tequilaguildofamerica.com
cdn5.tequilaguildofamerica.com
cdn.primrosenashvillemidtown.com
cdn.seefu.net
cdn2.seefu.net
cdn3.seefu.net
cdn4.seefu.net
cdn5.seefu.net
cdn.seefoo.net
cdn2.seefoo.net
cdn3.seefoo.net
cdn.sweetip.net
cdn2.sweetip.net
cdn3.sweetip.net
cdn4.sweetip.net
cdn5.sweetip.net
cdn.networkguys.net
cdn2.networkguys.net
cdn3.networkguys.net
cdn.tequilacritico.net
cdn2.tequilacritico.net
cdn3.tequilacritico.net
cdn4.tequilacritico.net
cdn5.tequilacritico.net
cdn.gandco.pro
cdn.primrosebrentwood.xyz
cdn.tequilatimes.info
cdn2.tequilatimes.info
cdn3.tequilatimes.info
cdn4.tequilatimes.info
cdn5.tequilatimes.info
cdn.georgicasweets.info
cdn.sefu.mobi
cdn2.sefu.mobi
cdn3.sefu.mobi
cdn4.sefu.mobi
cdn5.sefu.mobi
cdn.seefu.mobi
cdn2.seefu.mobi
cdn3.seefu.mobi
cdn4.seefu.mobi
cdn5.seefu.mobi
cdn.seefoo.mobi
cdn2.seefoo.mobi
cdn3.seefoo.mobi
cdn.georgika.co
cdn.georgicasuites.com
cdn.georgicasweets.com
google.vctelectronics.com
cdn.limodog.net
cdn2.limodog.net
cdn3.limodog.net
cdn4.limodog.net
cdn5.limodog.net
cdn.soundpet.net
cdn2.soundpet.net
cdn3.soundpet.net
cdn4.soundpet.net
cdn5.soundpet.net
cdn.georgicas.net
cdn.georgicasweets.net
cdn.georgicasweets.org
cdn.limodog.xyz
cdn2.limodog.xyz
cdn3.limodog.xyz
cdn4.limodog.xyz
cdn5.limodog.xyz
cdn.georgicas.mobi
cdn.georgicasweets.mobi
cdn.georgika.net

The domains appear to be legitimates ones that have been hijacked in some way.

95.163.121.188 forms part of a large netblock of 95.163.64.0/18 - I have had half of this (95.163.64.0/19) blocked for several years which has stopped a great deal of badness, so I recommend that you block either the /19 or /18 and/or the following domains:

sweetip.uk.com
critico.com.mx
critico.co
easynet.co
georgika.co
networkguys.co
seefoo.co
seefu.co
sefu.co
ajdistributor.com
brazitel.com
chagwichita.com
georgicasuites.com
georgicasweets.com
mcelectricalinc.com
netguysglobal.com
primrosebrentwood.com
primrosenashvillemidtown.com
sweetip.com
tequilacritics.com
tequilaguildofamerica.com
tequilaspectator.com
tequilatimes.com
thecritico.com
vctelectronics.com
tequilacritico.es
georgicasweets.info
tequilatimes.info
georgicas.mobi
georgicasweets.mobi
seefoo.mobi
seefu.mobi
sefu.mobi
critico.mx
tequilacritico.mx
thecritico.mx
georgicas.net
georgicasweets.net
georgika.net
limodog.net
networkguys.net
seefoo.net
seefu.net
soundpet.net
sweetip.net
tequilacritico.net
georgicasweets.org
gandco.pro
limodog.xyz
primrosebrentwood.xyz

IRMGF (Inspiration Mining Corporation) pump-and-dump spam

Here's another pump-and-dump spam pushing a stock that as far as I can see is utterly worthless.

From:     WallStreetOTC Daily
Date:     29 August 2014 13:36
Subject:     This company is about to go ten fold.

WallStreetOTC Daily

August 29, 2014

Billlions in proven reserves just found

Dear Investor,

Every once in a while a ridiculous deal presents itself. IRMGF (or inspiration miniing corporation) is a junior miining company that has properties in Ontario, Utah and Chile and has just found massive reserves of nickel, copper platinum and other rare metals. Walstreet is about to start buying up shares in IRMGF this very quickly as it is so cheap right now trading at just under 10cents. I expect to see this hit a dollar next week. Move quickly.

To end your WallStreetOTC Daily e-mail subscription and associated external offers sent from WallStreetOTC Daily, click here to unsubscribe.

If you are you having trouble receiving your WallStreetOTC Daily subscription, you can ensure its arrival in your mailbox by whitelisting Laissez Faire Today.

(c) 2014 WallStreetOTC Daily, LLC.  Reproduction, copying, or redistribution (electronic or otherwise, including on the World Wide Web), in whole or in part, is encouraged provided the attribution WallStreetOTC Daily Faire Books is preserved. 808 Saint Paul Street, Baltimore MD 21202. Nothing in this e-mail should be considered personalized

IRMGF trades on the Toronto stock exchange, it appears to have no income or cash assets but does have land holdings in Ontario. In May 2007 the share price was up to $6.82, today it is around one-hundredth of that at $0.073 a share, according to this data. There are around 75 million shares and options, which gives the firm a nominal market cap of $5.5m.

Trading levels are normally close to zero, but in late May and early June around 5.5 million shares were bought at about $0.15, since when the price halved.

Sometimes there is a pattern of share purchases just before the pump-and-dump operation, but that does not seem to be the case here.. so whoever is promoting this illegal spam run most likely already holds stock in the company.

Don't be tempted to buy stock in this company.. somebody is probably trying to cash out and is using this illegal method to try to maximise their returns. Normally when the P&D spam finishes, the stock price collapses leaving people daft enough to invest out of pocket.

UPDATE:  there have been many more of these over the weekend..

From:     SuperStocksTIPS Daily
Date:     29 August 2014 19:14
Subject:     This company just struck gold. Cashin on the rush.

SuperStocksTIPS Daily


If you are reading this now you must act very quickly.



I.R.M.G.F (inspiration.miining.corp) is about to blow up. They have just found billiions worth of minerals on their properties and the stokc is about to soar to new highs. My analyst told me that we could see shares go up by as much as 15 times in a span of days. Move fast before bargainprices run out.



This message was delivered to [redacted]
Unique ID: 2c2864c18552de62f398a858f625a48810b2dee735055839

To unsubscribe, change your due date, or change your e-mail preferences, click here

SuperStocksTIPS
4 New York Plaza
4th Floor
New York, NY 10041

2014 SuperStocksTIPS Publications, Inc. All Rights Reserved.

====================

From:     WallSt Report
Date:     30 August 2014 11:33
Subject:     (IRMGF) has produced big gains this week!

Wall St Report

If you can get sharres in this company for less than 15cents you are very lucky. It is currently at slightly under 10cents but we expect that itll soar a lot today. I.R_M_G_F (inspiration miningg corporation) just found billlions in proven reserves, special, rare and precious mettals.

We expect to see shhares cross the 2dollar range next week. Act quickly before its too late.

1d467f58c8310949c647e38f59a4ef0f030139beb824c32a

The preceding is a paid message from a Wall St Report advertiser and does
not reflect the views of nor is in any way endorsed by Wall St Report.
We do not share personal information with any third party without your permission.

This email was requested by: [redacted]
Unsubscribe, Modify or Add Newsletters: Click here.

This e-mail was sent by: Wall St Report Publishing LLC
3400 Dundee Road
Northbrook, IL 60062
United States of America

(c) 2014. Wall St Report. All rights reserved



Privacy Policy. By using this site you agree to our Terms of Service.
To learn about our email partners' privacy policies, click here.

====================

From:     TheWallStreet Journal
Date:     30 August 2014 15:46
Subject:     Critical news information read now

TheWallStreet Journal     Aug 30, 2014



If this company doesnt at least triple im retiring



My prediction is coming true.

I told you I R M,G:F, inspraition miningg corp, was going to soar to new highs.

Since the company discovered 4billion worth of proven metal reserves it has become the target of Walstreet invesstors looking to cash in on the rush.

Analysts are predicting a rise to over 1dollar in the coming weeks from a current price of 11cents.

Be swift and grab sharres first thing tuesday morning.


This email was sent to [redacted]. You are receiving this newsletter because you opted-in to receive relevant communications from TheWallStreet Journal LLC. If you would like to manage your newsletter preferences, please click here.

 WSJ LLC | 16192 Coastal Highway Lewes, DE 19958

 68aff86579d632c6a7dcbc7c6a29786c4476728b2989ac49

Unsubscribe

====================

From:     The OTC Bulletin Board
Date:     31 August 2014 18:51
Subject:     Gains of over 55 percent! Momentum is strong!

The OTC Bulletin Board®
   
Sunday, August 31, 2014


Happy labor day week end.

As you know , inspiration miniing corporation, IR:M,GF is up over 55% for the week on massive news on metals discovery.

The company is now sitting on more than 3billion worth of preciousmetals reserves. Sharess are tradinng at 11cents right now and are expected to reach more than a dollar each next week.

Move fast to grab cheapshares on tuesday while you still can.

   

About This Email:
You are signed up for this OTCBB email as [redacted].

Manage My OTCBB Mail | Unsubscribe

OTCBB Privacy Policy
OTCBB Office of Privacy | 1201 Peachtree Street, NE | 400 Colony Square, Suite 2400 | Atlanta, GA 30361
© 2014 OTCBB, LLC. All rights reserved.

====================

From:     StockWatch
Date:     1 September 2014 06:39
Subject:     Ready? Last reminder
 

cars4cashuk.com scam and Cyber Cast International (CCIHosting), Panama [190.97.160.0/21]

I spotted this scam warning on the Autotrader website:

We have received reports of customers receiving a text message asking them to visit www.cars4cashuk.com to sell their cars quickly for cash. Customers are asked to pay a deposit in order to secure the sale of their vehicle. This website is not genuine and in no way affiliated with AutoTrader. We are currently working to have this website shut down.

For more information please contact our Customer Security team on 0330 303 9001.

The site is a crude attempt to extract money from unsuspecting people trying to trade their car, but it does feature the AutoTrader logo prominently.

If you're trying to sell your car then probably all you need to know is that it's a scam, and you probably don't need to read any further. But if you read my blog regularly then you might want to read on..

The site has no ownership information, but a check of the WHOIS details show the following contacts:

Domain Name: CARS4CASHUK.COM
Registry Domain ID:
Registrar WHOIS Server: whois.1api.net
Registrar URL: http://www.1api.net
Updated Date: 2014-08-10T15:31:12Z
Creation Date: 2014-08-10T15:31:12Z
Registrar Registration Expiration Date: 2015-08-10T15:31:12Z
Registrar: 1API GmbH
Registrar IANA ID: 1387
Registrar Abuse Contact Email: abuse@1api.net
Registrar Abuse Contact Phone: +49.68416984x200
Reseller: www.sky-ip.com http://www.sky-ip.com/
Domain Status: ok - http://www.icann.org/epp#OK
Registry Registrant ID:
Registrant Name: José Castrellón
Registrant Organization: CyberCast
Registrant Street: Ricardo J. Alfaro, El Dorado
Registrant City: Panama
Registrant State/Province: Panama
Registrant Postal Code: 0819-06448
Registrant Country: PA
Registrant Phone: +507.3014841
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: domains@sky-ip.com
Registry Admin ID:
Admin Name: José Castrellón
Admin Organization: CyberCast
Admin Street: Ricardo J. Alfaro, El Dorado
Admin City: Panama
Admin State/Province: Panama
Admin Postal Code: 0819-06448
Admin Country: PA
Admin Phone: +507.3014841
Admin Phone Ext:
Admin Fax:
Admin Fax Ext:
Admin Email: domains@sky-ip.com
Registry Tech ID:
Tech Name: José Castrellón
Tech Organization: CyberCast
Tech Street: Ricardo J. Alfaro, El Dorado
Tech City: Panama
Tech State/Province: Panama
Tech Postal Code: 0819-06448
Tech Country: PA
Tech Phone: +507.3014841
Tech Phone Ext:
Tech Fax:
Tech Fax Ext:
Tech Email: domains@sky-ip.com
Name Server: ns1.cybercastco.com
Name Server: ns2.cybercastco.com

So who are José Castrellón and CyberCast (aka CyberCast International). Are they the scammers? Well, no.. CyberCast (through their website at ccihosting.com) offer anonymous offshore hosting and domain registrations. The sort of things that scammers love, although of course there are legitimate uses for such things. CyberCast presumably are not doing the actual scamming, but I'd suggest that they could be accused of some level of complicity.

So.. you can buy a domain and web hosting using an anonymous payment system like Bitcoin or Perfect Money and it seems more-or-less do what you like with it. Now, that's great if you are running a web site dedicated to overthrowing an oppressive regime (for example) but the bulk of the sites hosted by CyberCast are a lot less savoury, including phishing sites, sites selling DDOS services, counterfeit goods, trading stolen credit card information, piracy sites, spam, cybersquatting, illegal or fake pharmacies, hacking sites and a little bit of porn as well.

There may well be some legitimate sites hosted by this company, I spotted some local Panamanian sites for example, but the overwhelming majority of the CyberCast / CCIHosting address space is completely toxic, therefore I would strongly recommend that you block access to the 190.97.160.0/21 range from your network.

There is not a lot of reputation data for the sites in this /21, but I have compiled a list of sites, IPs, WOT ratings and Google and SURBL prognoses here [csv].

"Customer Statements" malware spam

This brief spam has a malicious PDF attachment:

Fom:     Accounts [hiqfrancistown910@gmail.com]
Date:     27 August 2014 09:51
Subject:     Customer Statements

Good morning,attached is your statement.
My regards.
W ELIAS

Attached is a file Customer Statements.PDF which has a VirusTotal detection rate of 6/55. Analysis is pending.

"Morupule Coal Mine" malware spam

This fake invoice spam claims to be from a (real) coal mine in Botswana. But in fact the PDF file attached to the message is malicious.

From:     Madikwe, Gladness [GMadikwe@mcm.co.uk]
Date:     27 August 2014 10:43
Subject:     Tax Invoice for Delivery Note 11155 dated 22.08.14

Hello ,   

Please find attached the invoice for delivery note 11155 which was created on the 22 . 08. 14 after a system error to process this tax invoice.

Thank you      
Regards

Gladness B Madikwe
Sales & Marketing Clerk
Morupule Coal Mine
Private Bag 35
Palapye,Botswana
Tel:  +267 494 1204
Cell: +267 71373569
Fax:  +267 4920643


Debswana Diamond Company Email Disclaimer: The information contained in this e-mail is confidential and may be subject to legal privilege. If you are not the intended recipient, you must not use, copy, distribute or disclose the e-mail or any part of its contents or take any action in reliance on it. If you have received this e-mail in error, please e-mail the sender by replying to this message. All reasonable precautions have been taken to ensure no viruses are present in this e-mail and the sender cannot accept responsibility for loss or damage arising from the use of this e-mail or attachments.

Neither the Morupule Coal Mine nor the Debswana Diamond Company mentioned in the disclaimer are anything to do with this spam email, in fact it originates from a hacked machine in India.

The attachment has a VirusTotal detection rate of 5/54. My PDF-fu isn't good enough to tell you what this malware actually does, but you can definitely guarantee that it is malicious.

Vodafone MMS service malware spam

This fake Vodafone spam comes with a malicious attachment. There is not body text as such, the header reads:

From:     Vodafone MMS service [mms813562@vodafone.co.uk]
Date:     26 August 2014 12:00
Subject:     IMG Id 813562-PictQbmR TYPE--MMS

The version I had was mangled and the attachment was just called noname which required a bit of work to turn into a ZIP file IMG Id 813562-PicYbgRr TYPE--MMS.zip which in turn contains a malicious executable Picture Id 550125-PicSfdce TYPE-MMS.exe

This .EXE file has a VirusTotal detection rate of 3/55. The malware then attempts to download additional components from the following locations:

lovina.co.id/333
swfilms.co.nz/333
terria.ch/333
everlandvn.vn/333
custy.org/333
applnw.com/333
bodypro.co.nz/333
trafacs.com/333
pocketapps.co/333
opencart.guru/333
btw.co.il/~btwcoil/333
panaceamediacorp.com/333
trijayadi.net/333
muabandiaoc.vn/333
yamahamatsakti.com/333
smk-assaabiq.sch.id/333
vinamex.com/333
lindy.co.id/333
webpixsolutions.com/333
tnk-sat.com/333
vinaconexmec.vn/333
192.254.186.106/333
diennhest.vn/333
shiftgears.com.au/333
datrix-news.com/333
localnewshost.com/333
dp37198306.lolipop.jp/333
kampungnasi.com/333
www.devdemoz.com/333

This second component has a VirusTotal detection rate of 3/53. The CAMAS report for that component is here.

If you can block your network perimeter by pattern, then the "/333" string might be good to look for. Else I would recommend the following blocklist:

192.254.186.106
lovina.co.id
swfilms.co.nz
terria.ch
everlandvn.vn
custy.org
applnw.com
bodypro.co.nz
trafacs.com
pocketapps.co
opencart.guru
btw.co.il
panaceamediacorp.com
trijayadi.net
muabandiaoc.vn
yamahamatsakti.com
smk-assaabiq.sch.id
vinamex.com
lindy.co.id
webpixsolutions.com
tnk-sat.com
vinaconexmec.vn
diennhest.vn
shiftgears.com.au
datrix-news.com
localnewshost.com
dp37198306.lolipop.jp
kampungnasi.com
devdemoz.com