There seem to be some strange spam emails doing the rounds, with a body text of "podmena traffica test".. what gives?
It makes a bit more sense if you transliterate it into Cyrillic, which leaves you with a Russlish phrase "подмена трафика тест" and that simply translates as "spoofing traffic test".
The subject is a random spammy one, the originating IP looks like part of a botnet.
I'm pretty sure these are coming through "to" and "from" the same email address, so it may well be someone enumerating mailservers looking for SMTP spoofing protection.. in other words, testing addresses to see if they work and then recording the server's SMTP response.
Why? Who knows.. spammers don't usually care about efficiency if they are using a botnet, because they are not paying for bandwidth or equipment. These type of "probes" are seen sometimes and can be safely deleted.
Friday, 2 January 2009
Monday, 29 December 2008
SQL injection: msngk6.ru, dft6s.kz and mcuve.cn
A new bunch of domains being used in SQL injection attacks at the moment:
Check your proxy logs for .cn/1.js and .ru/style.js plus .kz/style.js to keep on top of these. It is often worth monitoring all traffic to .cn, .ru and .kz domains for manual review.
- www.msngk6.ru
- www.dft6s.kz
domain: MSNGK6.RUThe domain mcuve.cn is different, calling 1.js. This is related to the recent 17gamo.com domain which exploits a number of things including this recent IE7 vulnerability.
type: CORPORATE
nserver: ns2.msngk6.ru. 75.63.155.106
nserver: ns3.msngk6.ru. 146.57.249.100
nserver: ns1.msngk6.ru. 76.240.151.177
nserver: ns4.msngk6.ru. 24.247.215.75
state: REGISTERED, DELEGATED
person: Aleksandr A Zamaraev
phone: +7 495 7412992
e-mail: zamaraev@namebanana.net
registrar: NAUNET-REG-RIPN
created: 2008.12.17
paid-till: 2009.12.17
source: TC-RIPN
Check your proxy logs for .cn/1.js and .ru/style.js plus .kz/style.js to keep on top of these. It is often worth monitoring all traffic to .cn, .ru and .kz domains for manual review.
Labels:
Asprox,
SQL Injection,
Trojans,
Viruses
Monday, 22 December 2008
Asprox SQL injections are back
The Silent Noise blog reports that a fresh round of SQL injection attacks by the Asprox crew are under way. They seem to be using a variety of .ru and .kz domain names, although at the moment they all redirect to 79.135.168.18 in the Lebanon.. the whole 79.135.168.* block is pretty bad and has been covered here before.
Currently active domains are:
inetnum: 79.135.168.0 - 79.135.168.255The endpoint appears to be a PDF exploit running on 79.135.168.18 - it's worth blocking or checking for anyaccess to this server, and also check your logs for accesses to ".kz/style.js" and ".ru/style.js" too.
netname: LB-NET
descr: Lebanon private dedicated service
country: LB
admin-c: MHB1111-RIPE
tech-c: MHB1111-RIPE
remarks: abuse mailbox: moh.b@lubnannetworks.biz
status: ASSIGNED PA
mnt-by: SISTEM-NET-MNT
source: RIPE # Filtered
person: Mohamed Baga
address: Basha Garden bldg, 5th floor LB
address: Jisr El Bacha Main Road
address: Beirut - Lebanon
e-mail: moh.b@lubnannetworks.biz
remarks: abuse mailbox: moh.b@lubnannetworks.biz
phone: +961 1 512341
nic-hdl: MHB1111-RIPE
source: RIPE # Filtered
route: 79.135.160.0/19
descr: Sistemnet Telecom
origin: AS44097
mnt-by: Sistem-Net-MNT
source: RIPE # Filtered
Currently active domains are:
- www.bnmd.kz
- www.nvepe.ru
- www.mtno.ru
- www.wmpd.ru
- frontweb.vuse.vanderbilt.edu (Vanderbilt University)
- maryvillecollege.edu (Maryville College)
- guildford.ac.uk (Guildford University)
- many .gov.ar (Argentina) and .gov.cn (China) sites
- navigationusa.com (Online retailer)
- worldcricketstore.com (Online retailer)
Labels:
Asprox,
SQL Injection
Saturday, 20 December 2008
"Classmates Info Center": Currently planning the 2009 Year Reunion
There's a fake "Classmates" email being spammed out, that leads to a fake video that needs a fake "Adoble Media Player" called Adobe_Player10.exe and as you would probably guess, at the end of all this fakery is a nasty trojan.
Subject: Currently planning the 2009 Year Reunion
From: "Classmates Info Center" personalvideo@classmates.com
Your Classmates Events: Reunion January 16th 2009
" With pride and joy we invite you to share a special day in our lives and join us
for the Class Reunion on Friday, January 16th 2009.
Bring the gang from Our High School back together again!
Great party - from start to finish! "
Proceed to view details:
http://video.classmates.logon.user-gandy3ts0.updateyourplayer.com/messages.htm?/identification/INVITATION=vvffx2dckssqnle
Your favorite people are already here, so use ClassmatesTM to bring them together.
With best regards, Josh Jacobson. Customer Service Department.
Copyright 1995-2008 Classmates Online, Inc. All Rights Reserved.
The landing page looks like this:
Detection rates are poor according to VirusTotal. ThreatExpert's report is right here. It installs a rootkit and does all sorts of nasty things. Avoid.
Subject: Currently planning the 2009 Year Reunion
From: "Classmates Info Center" personalvideo@classmates.com
Your Classmates Events: Reunion January 16th 2009
" With pride and joy we invite you to share a special day in our lives and join us
for the Class Reunion on Friday, January 16th 2009.
Bring the gang from Our High School back together again!
Great party - from start to finish! "
Proceed to view details:
http://video.classmates.logon.user-gandy3ts0.updateyourplayer.com/messages.htm?/identification/INVITATION=vvffx2dckssqnle
Your favorite people are already here, so use ClassmatesTM to bring them together.
With best regards, Josh Jacobson. Customer Service Department.
Copyright 1995-2008 Classmates Online, Inc. All Rights Reserved.
The landing page looks like this:
Detection rates are poor according to VirusTotal. ThreatExpert's report is right here. It installs a rootkit and does all sorts of nasty things. Avoid.
Labels:
Classmates.com,
Spam,
Trojans,
Viruses
Friday, 19 December 2008
Beijing AUG Networks Technology Co / augnetworks.cn scam
This is certainly spam.. but is it a scam? Most likely..
augnetworks.cn was only registered on 23/11/2008 to "Beijing AUG Networks Co", it is in no way an official registrar and the company probably doesn't even exist. Domain registrars are not actually responsible for checking trademarks, they most likely have had no such approach from a customer and really the whole thing is designed to make you panic into buying something you don't need.
There's more on Chinese domain malpractice here.
Subject: Dynamoo Domain name and Internet keyword Registration
From: "tom.xu"
Dec 19, 2008
Dynamoo
Domain name & Internet keyword
Dear Sir/Madam,
We are Beijing AUG Networks Technology Co., Ltd which is the domain name and internet keyword registration service company in China. We received a formal application from a company who is applying to register " dynamoo " as their domain name and Internet keyword on Dec 16, 2008.Since through our investigation we found that this word has been in use by your company, and this may involve your company name or trade mark so we inform you in no time. If you consider the domain name and internet keyword are important to your company and it is necessary to protect them by registering them first, contact us soon.
Kind Regards,
Tom Xu
Registration Comissioner
Tel/fax: +86-10-82797446
Email: tom.xu@augnetworks.cn
Website: www.augnetworks.cn
augnetworks.cn was only registered on 23/11/2008 to "Beijing AUG Networks Co", it is in no way an official registrar and the company probably doesn't even exist. Domain registrars are not actually responsible for checking trademarks, they most likely have had no such approach from a customer and really the whole thing is designed to make you panic into buying something you don't need.
There's more on Chinese domain malpractice here.
Tuesday, 16 December 2008
MS08-078: Out-of-band patch for IE coming
Microsoft are issuing an out-of-band patch tomorrow (17th December) for the well-publicised flaw in Internet Explorer. This is another one of those "patch now" things - see here for more details.
Labels:
Internet Explorer,
Microsoft
"IE 7 users: stop looking at porn now!"
This zero day vulnerability in Internet Explorer has already been very widely publicised. There are no effective workarounds for the problem until Microsoft patch it.. apart from using a different browser.
The aptly named Zero Day blog has this sage piece of advice: "IE 7 users: stop looking at porn now!" Simply put, randomly surfing for smut, warez, illegal torrents or anything like that* is likely to infect your machine if you are running IE.
In fact, because there's no such thing as a safe site you should consider ditching IE altogether. If you're running Windows then probably one of the safest things you can do is get Firefox, add the NoScript extension and then ensure that your PC is fully up-to-date by using the Secunia Software Inspector. Even security firms such as CA and Trend Micro have had their sites compromised to serve up malware in the past, so you can never be to careful...
* or Myspace.. or Facebook..
Labels:
Firefox,
Internet Explorer,
Microsoft,
Viruses
Wednesday, 10 December 2008
Vulnerability in WordPad Text Converter Could Allow Remote Code Execution
Most people will rarely use WordPad these days, but it's installed on pretty much every Windows system out there. So when Microsoft announce a vulnerability in WordPad, it could spell trouble.. essentially, a specially-crafted WordPad file could run arbitrary code on your system.
WordPad documents have a .DOC or .WRI extension, and if you have Word installed (or a similar product) then .DOC files will default to loading in Word instead. So, to mitigate against this you could simply block .WRI files at your proxy and/or mail filter. Or you could use Windows XP SP3 or Vista.. but that's not exactly a quick fix. Or you could deassociate .WRI files from WordPad using a policy.
There aren't a lot of WRI files to test with on the web, so here's a harmless file I prepared earlier:
WordPad documents have a .DOC or .WRI extension, and if you have Word installed (or a similar product) then .DOC files will default to loading in Word instead. So, to mitigate against this you could simply block .WRI files at your proxy and/or mail filter. Or you could use Windows XP SP3 or Vista.. but that's not exactly a quick fix. Or you could deassociate .WRI files from WordPad using a policy.
There aren't a lot of WRI files to test with on the web, so here's a harmless file I prepared earlier:
Sunday, 7 December 2008
Spammers try and fail with fake Classmates email
We've seen this particular attack several times before - an email for a bank or other service that requires some sort of software installation to proceed.. in this case, masquerading as an update to Flash for some nonsense to do with Classmates.com.
Unfortunately, the stupidity of spammer is such the they have messed up the incredibly long URL, and if the users click on the link they'll get nowhere. The spammer is trying to send visitors to a subdomains of clasmatessup.com but they have forgotten the dot before com and instead are sending visitors to clasmatessupcom.
If you go to the effort of correcting the link, you get redirected to a site on a fast flux botnet which prompts you: Can't see the video? please download the Adobe_Player v10 Converter and this leads to a downloaded called AdobePlayer10.exe which actually doesn't appear to be malware (at the moment) as it identifies itself as "IIS Fortezza Setup Utility" which is a security add-on to Microsoft IIS servers, usually called fortutil.exe.
So, it's all kinda strange. Let's have a look at the WHOIS details for the domain:
If you run a corporate mail system, it might well be worth blocking email "from" classmates.com in any case, even if this time the spam is hugely unsuccessful, because all the bad guys will do is repackage it up and send it out again.
Subject: Classmates Organisation.Reunion Website Builder
From: "Classmates Messagebox#329" invitation591@classmates.com
Dear Classmates customer.
Classmates Day 2009 soon!
Video Invitation from your Classmates "2009 Classmates Day Announcement!" prepared to view.
Reunite Your High School Classmates and Celebrate This Day!
Your Classmates Are Waiting to Hear From You!
Proceed to view Your invitation now>>
With best regards, Lowell Abernathy.
Copyright 1995-2008 Classmates Online, Inc. All Rights Reserved.
Unfortunately, the stupidity of spammer is such the they have messed up the incredibly long URL, and if the users click on the link they'll get nowhere. The spammer is trying to send visitors to a subdomains of clasmatessup.com but they have forgotten the dot before com and instead are sending visitors to clasmatessupcom.
If you go to the effort of correcting the link, you get redirected to a site on a fast flux botnet which prompts you: Can't see the video? please download the Adobe_Player v10 Converter and this leads to a downloaded called AdobePlayer10.exe which actually doesn't appear to be malware (at the moment) as it identifies itself as "IIS Fortezza Setup Utility" which is a security add-on to Microsoft IIS servers, usually called fortutil.exe.
So, it's all kinda strange. Let's have a look at the WHOIS details for the domain:
Domain name: clasmatessup.comOf course, these are fake. The registrar is BIZCN.COM, who are often a registrar of choice for spammers. Of real interest are the name servers, ns1.licence-dsl.com is 207.150.183.180, ns2.licence-dsl.com is 66.34.177.43. 207.150.183.180 is an IP address connected with the Srizbi botnet and is a name server for a whole buncha domains.
Registrant Contact:
inc inc
Greff Frelos inc@yahoo.com
4576810811 fax: 4576810811
8883 Sh Road
New York NY 10003
us
[blah blah]
DNS:
ns1.licence-dsl.com
ns2.licence-dsl.com
Created: 2008-12-07
Expires: 2009-12-07
If you run a corporate mail system, it might well be worth blocking email "from" classmates.com in any case, even if this time the spam is hugely unsuccessful, because all the bad guys will do is repackage it up and send it out again.
Saturday, 6 December 2008
Joe Job against GoldPoll.com: welcome to the murky world of HYIP
GoldPoll.com is a web site about HYIPs (High Yield Investment Programs) that is hosted in the British Virgin Islands to an anonymous (possibly Panamanian) registrant, and until recently the registrar was the well-known fraudster's friend EstDomains. Despite this unpromising pedigree, it does appear that GoldPoll.com is legitimate..
..well, as legitimate as anything is in the world of HYIPs. Most HYIPs are generally just a front for Ponzi schemes and offer ridiculous payout rates such as 2% interest per day (about 624% per year) which are clearly unsustainable.
Anyway, as you can imagine there are a LOT of fraudulent HYIP schemes (are there any that are actually legitimate?) GoldPoll.com attempts to flag up schemes that aren't paying up.. which means that they have obviously annoyed some HYIP scammer somewhere who has decided to carry out a Joe Job against GoldPoll.com:
Now GoldPoll.com states: "We never send SPAM and hate SPAMmers. Please don't trust in any e-mail that appeared to be from us and not stated on our Newsletters Archive!" which of course doesn't mean that much.. but a close investigation of the offending email indicates that it came from 211.95.78.71 in China. Now, 211.95.78.71 isn't just any IP address, it happens to be a server where a number of HYIP related domains are hosted:
It seems that there is a related server to this at 64.63.1.204, at least one of the domains (nasdaq-invest.com) is on GoldPoll.com's blacklist (there may be others).
But really my best advice is to avoid HYIP altogether. It's basically just a form of gambling, but with much worse odds in the long run.
..well, as legitimate as anything is in the world of HYIPs. Most HYIPs are generally just a front for Ponzi schemes and offer ridiculous payout rates such as 2% interest per day (about 624% per year) which are clearly unsustainable.
Anyway, as you can imagine there are a LOT of fraudulent HYIP schemes (are there any that are actually legitimate?) GoldPoll.com attempts to flag up schemes that aren't paying up.. which means that they have obviously annoyed some HYIP scammer somewhere who has decided to carry out a Joe Job against GoldPoll.com:
Subject: Gold Poll
From: goldpoll.com.ads@gmail.com
Date: Sat, December 6, 2008 3:57 pm
The most relevant information about the top HYIP programs from the best hyip monitoring. http://www.goldpoll.com
We personally invest in each HYIP and check the reliability of everyday payments. Click on any HYIP name to be redirected to it. Click on Program Details to get further information about a HYIP, find other members' posts and vote yourself.
goldpoll.com
Now GoldPoll.com states: "We never send SPAM and hate SPAMmers. Please don't trust in any e-mail that appeared to be from us and not stated on our Newsletters Archive!" which of course doesn't mean that much.. but a close investigation of the offending email indicates that it came from 211.95.78.71 in China. Now, 211.95.78.71 isn't just any IP address, it happens to be a server where a number of HYIP related domains are hosted:
- Accuramoney.com
- Bestinvestfar.com
- Bestnethosta.com
- Dalamonda.com
- Google-analyser.com
- Google-optimise.com
- Google-spider.com
- Healthcarem.com
- Heroesadvent.com
- Homegome.com
- Injektus.com
- Jampadventures.com
- Libertyreiserve.com
- Libertyrescerve.com
- Luckautomachine.com
- Luckjewel.com
- Maxcargotrade.com
- Ordtechnologies.com
- Platinumtvonline.com
- Sekermen.com
- Toguessgame.com
- Trancgroup.com
- Webtradersite.com
It seems that there is a related server to this at 64.63.1.204, at least one of the domains (nasdaq-invest.com) is on GoldPoll.com's blacklist (there may be others).
- Al-moeed.com
- Boodjewel.com
- Deluxeinvestment.org
- E-investbank.net
- Fastprofit-2008.com
- Futureinvest.biz
- Gpttalkpro.com
- Higaintrade.com
- Hyip-profits.com
- Hyip-world.com
- Hyipchecking.com
- Hyipozaurus.biz
- Katyadumper.com
- Libertyrieserve.com
- Mcdump.com
- Monemoke.com
- Moneyinvests.biz
- More-invest-2009.com
- Nasdaq-invest.com
- Pensioninsurancefund.com
- Perfectservers1.us
- Photos-vn.com
- Realforex.us
- Sectrustbonline.com
- Solid-fund.com
- Supervirtualcards.com
- Teekypleaze.com
- Tieudiemchinh.com
- Tomerbusiness.com
- Tophyipsite.com
- Ukoblos.com
- Userinvest.com
- Wertor.info
- Wmrub.com
But really my best advice is to avoid HYIP altogether. It's basically just a form of gambling, but with much worse odds in the long run.
Wednesday, 3 December 2008
"Alpha Soft Company" bogus employment offer
Alpha Soft Company is a wholly legitimate Ukrainian software development company, this fake job offer is being sent out by someone pretending to be Alpha Soft, and who is fraudulently using the name of Taras Vergovsky (who is a director) in order to make the offer seem more credible.
There have been a few similar emails targeting companies from the Ukraine recently, for example: Infopulse, JavaRealm Software, VM-Soft, SocMart. They all follow a similar pattern and wording, and all mention the name of a senior person within the company.. and they are all bogus. In short, this is just another money laundering scam that should be avoided at all costs.
Hello Sir/Madam.
I Taras Vergovsky, Director of Alpha Soft Company specializes in innovative IT solutions and complex software projects development.
My company based in Ukraine. We've earned ourselves a reputation of a reliable and trustworthy partner working successfully with a number of West European companies and providing them with reliable software development services in financial and media sectors. Unfortunately we are currently facing some difficulties with receiving payments for our services. It usually takes us 10-30 days to receive a payment and clearing from your country and such delays are harmful to our business. We do not have so much time to accept every wire transfer.
That's why we are currently looking for partners in your country to help us accept and process these payments faster. If you are looking for a chance to make an additional profit you can become our representative in your country. As our representative you will receive 8% of every deal we conduct. Your job will be accepting funds in the form of wire transfers and forwarding them to us. It is not a full-time job, but rather a very convenient and fast way to receive additional income. We also consider opening an office in your country in the nearest future and you will then have certain privileges should you decide to apply for a full-time job. Please if you are interested in transacting business with us we will be very glad.
Please contact me for more information via email: alphasoft.ua.job@gmail.com
and send us the following information about yourself:
1. Your Full Name as it appears on your resume.
2. Education.
3. Your Contact Address.
4. Telephone/Fax number.
5. Your present Occupation and Position currently held.
6. Your Age
Please respond and we will provide you with additional details on how you can become our representative. Joining us and starting business today will cost you nothing and you will be able to earn a bit of extra money fast and easy. Should you have any questions, please feel free to contact us with all your questions.
Thank you,
Taras Vergovsky ,
Alpha Soft Company
Some email addresses to look out for are alphasoft.ua.job@gmail.com, sup.alphasoft@gmail.com, job.alphasoft@gmail.com.. there are probably others. Sending IP is 217.170.2.228.
There have been a few similar emails targeting companies from the Ukraine recently, for example: Infopulse, JavaRealm Software, VM-Soft, SocMart. They all follow a similar pattern and wording, and all mention the name of a senior person within the company.. and they are all bogus. In short, this is just another money laundering scam that should be avoided at all costs.
Hello Sir/Madam.
I Taras Vergovsky, Director of Alpha Soft Company specializes in innovative IT solutions and complex software projects development.
My company based in Ukraine. We've earned ourselves a reputation of a reliable and trustworthy partner working successfully with a number of West European companies and providing them with reliable software development services in financial and media sectors. Unfortunately we are currently facing some difficulties with receiving payments for our services. It usually takes us 10-30 days to receive a payment and clearing from your country and such delays are harmful to our business. We do not have so much time to accept every wire transfer.
That's why we are currently looking for partners in your country to help us accept and process these payments faster. If you are looking for a chance to make an additional profit you can become our representative in your country. As our representative you will receive 8% of every deal we conduct. Your job will be accepting funds in the form of wire transfers and forwarding them to us. It is not a full-time job, but rather a very convenient and fast way to receive additional income. We also consider opening an office in your country in the nearest future and you will then have certain privileges should you decide to apply for a full-time job. Please if you are interested in transacting business with us we will be very glad.
Please contact me for more information via email: alphasoft.ua.job@gmail.com
and send us the following information about yourself:
1. Your Full Name as it appears on your resume.
2. Education.
3. Your Contact Address.
4. Telephone/Fax number.
5. Your present Occupation and Position currently held.
6. Your Age
Please respond and we will provide you with additional details on how you can become our representative. Joining us and starting business today will cost you nothing and you will be able to earn a bit of extra money fast and easy. Should you have any questions, please feel free to contact us with all your questions.
Thank you,
Taras Vergovsky ,
Alpha Soft Company
Some email addresses to look out for are alphasoft.ua.job@gmail.com, sup.alphasoft@gmail.com, job.alphasoft@gmail.com.. there are probably others. Sending IP is 217.170.2.228.
Labels:
Job Offer Scams,
Money Mule,
Scams,
Spam,
Ukraine
Tuesday, 2 December 2008
Awesome or what? The Nokia N97.
Announced a couple of hours ago, the Nokia N97 is a pretty awesome looking bit of kit. We've waited a long, long time for Nokia to come up with something like this.. although I don't think that I will be giving up the Nokia E90 just yet, since the rumour is that there will be a touchscreen Communicator next year (probably announced at Mobile World Congress).
It's not cheap: €550 (around £450 or $650) SIM-free before tax. You can get a laptop for that. Very tempting though...
Friday, 28 November 2008
French "Bill Gates" lottery scam
A colourful lottery scam featuring Bill Gates. The pitch is that the Bill Gates Foundation is running a lottery and you have won €400,000 which for some reason will be paid through a bank in the Ivory Coast. It is all written in fairly simple French, and it isn't difficult to see that the pitch is basically the same as in English.
Subject: Toutes Nos "Felicitation !!!!! Vous Venez De Gagnez La Somme De 400.000Euros"
Unusually, the scam comes with a PDF attachment that gives more details. On the principle that unsolicited PDF files can often come with nasty surprises, here is a JPG version for you to enjoy (click to enlarge):
A strange mismash of elements that looks unconvincing, but it does seem that people still fall for this type of trick.
Subject: Toutes Nos "Felicitation !!!!! Vous Venez De Gagnez La Somme De 400.000Euros"
From: lottery_cristal2008
Bonjour Mme / M,
Nous vous contactons par cette presente pour vous informer de votregain à la Bill Gates fondation ISABELLE CHEVALIER
Ceci n'étant donc pas un spam ni un virus, veuillez trouver en fichier joint votre notification de gain.
Cordialement.
Mme ISABELLE CHEVALIER
Directrice des Opérations
INTERNATIONALE BILL GATES
FONDATION.
Contact Agent
NOM ET PRENOMS : Bouah Williams Herve
numéro de téléphone: 0225-02 73 98 90
E-mail:cabinet_bouah_williams_herve@yahoo.fr
Unusually, the scam comes with a PDF attachment that gives more details. On the principle that unsolicited PDF files can often come with nasty surprises, here is a JPG version for you to enjoy (click to enlarge):
A strange mismash of elements that looks unconvincing, but it does seem that people still fall for this type of trick.
Wednesday, 26 November 2008
SINOCHEM bogus job offer
Nice for them to label this as "spam". SINOCHEM is a legitimate and huge Chinese chemicals company, but they did not send this email. Why would SINOCHEM need to use a Yahoo! email account anyway? Liu Deshu really is the president of SINOCHEM though, it's a case of the scammers trying to use a real name to make it more convincing.
Subject: Spam: Free: Collection Officer Needed
From: "Sinochem Company"
China National Chemicals Import & Export Corporation(SINOCHEM)
Tower A2,Fuxingmenai,
Street,Beijing,
People's Republic of China.
PC: 100080.
REF:SC/08/00867546.
Dear Sir/Madam,
We need Representatives from all over the World and as specified.
North America
Collection Officer wanted in this region who will assist in retrieving debts
from our clients in USA & CANADA.
EUROPE, ASIA, SOUTH AMERICA & AUSTRALIAS
Someone needed to assist in setting up a Branch of our Company in his/her
country.
If interested, please supply the following:
1) Name
2) Country
Send your response via email SPECIFICALLY to sinochemcorp221@yahoo.cn
Respectfully Submitted,
Mr. Liu Deshu.
President.
Sinochem Trading Company.
Subject: Spam: Free: Collection Officer Needed
From: "Sinochem Company"
China National Chemicals Import & Export Corporation(SINOCHEM)
Tower A2,Fuxingmenai,
Street,Beijing,
People's Republic of China.
PC: 100080.
REF:SC/08/00867546.
Dear Sir/Madam,
We need Representatives from all over the World and as specified.
North America
Collection Officer wanted in this region who will assist in retrieving debts
from our clients in USA & CANADA.
EUROPE, ASIA, SOUTH AMERICA & AUSTRALIAS
Someone needed to assist in setting up a Branch of our Company in his/her
country.
If interested, please supply the following:
1) Name
2) Country
Send your response via email SPECIFICALLY to sinochemcorp221@yahoo.cn
Respectfully Submitted,
Mr. Liu Deshu.
President.
Sinochem Trading Company.
Labels:
Job Offer Scams,
Money Mule,
Scams,
Spam
Tuesday, 25 November 2008
bobbear.co.uk "Joe Job" attack
This summary is not available. Please
click here to view the post.
Monday, 24 November 2008
"Ran-De-Vou Co." proofreading scam
Sometimes it is hard to see what the scam is with some of the job offers, except that undoubtedly it IS a scam. This job offer from the ficticious "Ran-De-Vou Co." offers a proofreading job which is kind of unusual at first glance.
Subject: Successful Positions Available
Dear Job Seeker,
We are glad to inform you about new vacancy opening in the area of proofreading at
Ran-De-Vou Co.
Part time job Description:
We provide you with business messages which require revision and your task is to
make necessary
corrections as an english speaking person, and e-mail them back to us.
Payment:
There is no fixed salary for this vacancy. We offer $5.00 per 1Kb of the text which
you revise (the workload is about 4-5 Kb a day).
The salary is paid once a month, and begins with the date of the first revision you
make.
(Example: by editing 5Kb of texts a day you earn $1000.00 a month)
Requirements:
-Applicant must be a US citizen
-Applicant must be of a legal age: 21+
-Applicant should be skilled in computer usage, and American English
Feel free to submit the application form which follows only to e-mail:
ran.devou.gr@gmail.com
__________
FULL NAME:
HOME ADDRESS:
CITY, STATE, ZIP CODE:
Phone number (home or cell, but SHOULD BE available any day time):
E-MAIL:
AGE:
OCCUPATION:
EDUCATION:
----------
You will receive a response from us in 24 hours.
If you have any questions please reply only at our e-mail: ran.devou.gr@gmail.com
Sincerely, Ran-De-Vou Co. Team
Unlike the usual money mule and parcel reshipping scam jobs, this really does seem to be asking for a proofreader. And given the poor quality of English seen in some of these scams, it is easy to understand why. In fact, there is a whole underground fake career network aimed at recruiting virtual office staff for these bogus outfits. Unfortunately for these "employees", they are usually the people that end up having to deal with the police when the scam gets busted.
Avoid.
Subject: Successful Positions Available
Dear Job Seeker,
We are glad to inform you about new vacancy opening in the area of proofreading at
Ran-De-Vou Co.
Part time job Description:
We provide you with business messages which require revision and your task is to
make necessary
corrections as an english speaking person, and e-mail them back to us.
Payment:
There is no fixed salary for this vacancy. We offer $5.00 per 1Kb of the text which
you revise (the workload is about 4-5 Kb a day).
The salary is paid once a month, and begins with the date of the first revision you
make.
(Example: by editing 5Kb of texts a day you earn $1000.00 a month)
Requirements:
-Applicant must be a US citizen
-Applicant must be of a legal age: 21+
-Applicant should be skilled in computer usage, and American English
Feel free to submit the application form which follows only to e-mail:
ran.devou.gr@gmail.com
__________
FULL NAME:
HOME ADDRESS:
CITY, STATE, ZIP CODE:
Phone number (home or cell, but SHOULD BE available any day time):
E-MAIL:
AGE:
OCCUPATION:
EDUCATION:
----------
You will receive a response from us in 24 hours.
If you have any questions please reply only at our e-mail: ran.devou.gr@gmail.com
Sincerely, Ran-De-Vou Co. Team
Unlike the usual money mule and parcel reshipping scam jobs, this really does seem to be asking for a proofreader. And given the poor quality of English seen in some of these scams, it is easy to understand why. In fact, there is a whole underground fake career network aimed at recruiting virtual office staff for these bogus outfits. Unfortunately for these "employees", they are usually the people that end up having to deal with the police when the scam gets busted.
Avoid.
Labels:
Job Offer Scams,
Spam Scams
Saturday, 22 November 2008
"Louvre Tec Products Ltd" job offer scam
LouvreTec is a wholly legitimate New Zealand company using the domains www.louvretec.co.nz, louvretec.net, louvretec.com and other similar names.
This fraudulent job offer is not from LouvreTec, but it looks like it is.
£5000 a week sounds good.. after all, that's over a quarter of a million quid a year. Yeah right..
One interesting thing with this spam is the bit at the bottom. The scammers realise that spam filters tend to remove junk like this, so they are asking you to check your junk messages for job offers. Not a good idea.
Originating IP address is 78.159.123.169, which claims to be in the UK and the message was sent to an email address stolen from a UK online retailer.
This fraudulent job offer is not from LouvreTec, but it looks like it is.
Subject: Work Online With USAlthough it appears to be "from" louvretec.co.nz, hitting "reply" comes up with a completely different email address of louvretecproductsltd.n.z@emailaccount.com. The scammers are hoping that no-one will notice this. (In case you are wondering why it is different, it's an annoying feature called the "reply to" address).
From: "Louvre Tec Products Ltd" Job@louvretec.co.nz
You could make 5,000 pounds online in a week without delaying your present job...
Hit REPLY for more details..
NOTICE: IF YOU ARE SERIOUS TO GET EMPLOYED ONLINE, YOU MUST REGULARLY CHECK YOUR JUNK OR/ BULK OR/ SPAM FOLDERS IN OTHER NOT TO LOSE SOME OF OUR MESSAGES.
£5000 a week sounds good.. after all, that's over a quarter of a million quid a year. Yeah right..
One interesting thing with this spam is the bit at the bottom. The scammers realise that spam filters tend to remove junk like this, so they are asking you to check your junk messages for job offers. Not a good idea.
Originating IP address is 78.159.123.169, which claims to be in the UK and the message was sent to an email address stolen from a UK online retailer.
Labels:
Money Mule,
Scams,
Spam
Wednesday, 19 November 2008
ISC: Large quantity SQL Injection mitigation
The ISC have given some good guidance on SQL injection mitigation, in case your server has been hit by Asprox or something similar. It's complicated stuff, and if you don't understand it, then it is definitely worth hiring a professional to fix your database.
Labels:
SQL Injection
Tuesday, 18 November 2008
Microsoft Morro: free anti-virus software for consumers
This might be a good deal for cash-strapped consumers, but a bad deal for other anti-virus companies.
Anyway, "Microsoft Morro" is the name given to this idea of giving away free anti-virus software to consumers. I will say that Microsoft's malware scanning technology is actually pretty darned good, but having a security monoculture is not a good idea.
I think perhaps McAfee, Symantec and some other AV vendors might be lawyering up on this one..
Anyway, "Microsoft Morro" is the name given to this idea of giving away free anti-virus software to consumers. I will say that Microsoft's malware scanning technology is actually pretty darned good, but having a security monoculture is not a good idea.
I think perhaps McAfee, Symantec and some other AV vendors might be lawyering up on this one..
Labels:
Anti-Virus Software,
Microsoft,
Viruses
Friday, 14 November 2008
McColo dead - spam 69% down
If there was any doubt the McColo was behind a vast majority of the world spam, then I think the figures speak for themselves. We're seeing a 69% drop in spam volumes day-on-day (although we still only have one day's worth of post-McCole data). It will be interesting to see how long this takes to recover back to "normal" levels of awfulness.
Subscribe to:
Posts (Atom)