Need a phone that works under water? Well, the Samsung B2100 Solid Extreme does. But as they used to say on TV.. "kids, don't try this at home".
Monday, 11 May 2009
Friday, 1 May 2009
webmail.upgrade@spamcop.net phish
A fairly lazy attempt to phish SpamCop accounts, originating from 200.85.160.12 in Nicaragua. If you're a SpamCop subscriber, then report it via the usual mechanism. The Reply-To address is webmailupgrader@consultant.com, so you should be able to tell that it is a fake.
Subject: Spamcop Email Verification
From: "Spamcop Webmail Notice" webmail.upgrade@spamcop.net
Date: Fri, May 1, 2009 5:11 pm
To: webmail.upgrade@spamcop.net
Dear Spamcop Webmail Account Owner,
We are currently performing maintenance for Our Spamcop
Digital Webmail Customers.We intend upgrading our Digital
Webmail Security Server for better online services. We are
canceling unused Spamcop webmail email account to create
more space for new accounts.To prevent your account from
closing you will have to update it below to know it's status
as a currently used account.
CONFIRM YOUR EMAIL IDENTITY BELOW
Email Username :=====================================
Email Password :=====================================
Date of Birth :======================================
Warning!!! Any account owner that refuses to update his/her
webmail account within three (3) days of this update
notification will loose his/her account permanently.
Thank You For Your Support
Friday, 24 April 2009
"WorldPay CARD transaction Confirmation" (again)
A repeat of a trojan spam run from a few months ago, this fake "WorldPay CARD transaction Confirmation" email comes with a nasty payload. In this case there was a ZIP file called WorldPay_NR9712.zip (the filename may vary) with an executable in it named WorldPay_NR9712.exe. When unzipped it looks a bit like a Windows Help file.
Subject: WorldPay CARD transaction Confirmation
Date: Fri, April 24, 2009 5:28 pm
Thank you!
Your transaction has been processed by WorldPay, on behalf of Amazon Inc.
The invoice file is attached to this message.
This is not a tax receipt.
We processed your payment.
Amazon Inc has received your order,
and will inform you about delivery.
Sincerely,
Amazon Team
This confirmation only indicates that your transaction has been processed
successfully.
It does not indicate that your order has been accepted.
It is the responsibility of Amazon Inc to confirm that
your order has been accepted, and to deliver any goods or services you have ordered.
Detection rates are very poor, with only Microsoft flagging it up as something specific (PWS:Win32/Zbot.M). The ThreatExpert prognosis also indicates that it is malware (by the way, if you are dealing with an infected machine the ThreatExpert report can help you clean it up).
If you can, it is always a good idea to block EXE-in-ZIP attachments at the perimeter.
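Two of the tells in these posts can be automated at the mail gateway: the EXE-in-ZIP attachment used by this "WorldPay" run, and the Reply-To address on a different domain from the From address used by the SpamCop phish above. The script below is an added example written for this page, not code from the blog; the function names (`triage`, `executables_in_zips`, `reply_to_mismatch`), the example.net/example.com addresses and the sample messages are all constructed for the demonstration, and the "executable" inside the sample ZIP is just a fake MZ header.

```python
"""Mail-gateway triage: flag Reply-To/From domain mismatches and EXE-in-ZIP attachments.
Added example with constructed sample messages; not the emails quoted on the page."""
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# File extensions treated as executable when found inside a ZIP attachment.
EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd")


def sender_domain(header_value):
    """Return the lower-cased domain of an address header, or '' if absent."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def reply_to_mismatch(msg):
    """True when Reply-To points at a different domain than From (classic phish tell)."""
    from_dom = sender_domain(msg.get("From"))
    reply_dom = sender_domain(msg.get("Reply-To"))
    return bool(reply_dom) and reply_dom != from_dom


def executables_in_zips(msg):
    """List 'zipname:member' for every executable member of each ZIP attachment.

    A ZIP is recognised by its filename or by the PK magic, so a renamed archive
    is still inspected; an unreadable archive is reported rather than ignored."""
    hits = []
    for part in msg.iter_attachments():
        filename = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        if not (filename.lower().endswith(".zip") or payload.startswith(b"PK\x03\x04")):
            continue
        try:
            with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                for info in zf.infolist():
                    if info.filename.lower().endswith(EXECUTABLE_EXTENSIONS):
                        hits.append(f"{filename}:{info.filename}")
        except zipfile.BadZipFile:
            hits.append(f"{filename}:<unreadable zip>")
    return hits


def triage(raw_bytes):
    """Parse a raw RFC 5322 message and return the reasons to quarantine it (empty = clean)."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    reasons = []
    if reply_to_mismatch(msg):
        reasons.append("reply-to-domain-mismatch")
    for hit in executables_in_zips(msg):
        reasons.append(f"exe-in-zip:{hit}")
    return reasons


def build_sample_with_zip(member="Invoice_0001.exe"):
    """Constructed sample (not the page's email): a ZIP attachment holding one member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, b"MZ" + b"\x00" * 64)  # fake PE stub, constructed for the demo
    msg = EmailMessage()
    msg["From"] = "billing@example.net"
    msg["To"] = "victim@example.org"
    msg["Subject"] = "Transaction Confirmation"
    msg.set_content("The invoice file is attached to this message.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="Invoice_0001.zip")
    return msg.as_bytes()


def build_sample_phish():
    """Constructed sample (not the page's email): Reply-To on a different domain."""
    msg = EmailMessage()
    msg["From"] = '"Webmail Notice" <upgrade@example.net>'
    msg["Reply-To"] = "upgrader@example.com"
    msg["To"] = "user@example.net"
    msg["Subject"] = "Email Verification"
    msg.set_content("Confirm your username and password below.")
    return msg.as_bytes()


if __name__ == "__main__":
    for raw in (build_sample_with_zip(), build_sample_with_zip("Invoice_0001.pdf"),
                build_sample_phish()):
        print(triage(raw))
```

Feeding a real `.eml` file to `triage()` is a matter of `triage(open(path, "rb").read())`; a non-empty result is the signal to quarantine. Matching on the PK magic as well as the `.zip` extension is deliberate, since renaming the archive is the cheapest way round a filename-only filter.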
Labels:
EXE-in-ZIP,
Spam,
Viruses
"IBC Group" fake job offer
There are lots of wholly legitimate firms called "IBC Group" or something similar. This one claims to be an "international business consultancy".. and yet they are using a free Google Mail address rather than a corporate one. It is just another money mule scam, although the 5% fee they are offering is surprisingly low (of course, this is stolen money so all you will end up with is a jail sentence).
Subject: Business
Date: Fri, April 24, 2009 12:29 pm
Dear SMALL BUSINESS OWNER
We are being a private international business consultancy (IBC GROUP) striving hard to perform the best to achieve optimal results in gaining efficiency of our client’s ventures. In this global economy crash time we turn to alternative solutions for our clients from Eastern Europe who are obliged to pay off US or Western Europe originated transfer taxes, which at times may be as much as 35%.
Therefore, we are raising up this appeal to those small business owners who have both desire and possibility to stand up as our partners and who may use their business accounts to operate internal transactions for their further remittance to our clients . As being held on a larger scale, your personal benefit will be 5% off every payment posted to your account (or company’s). It may become a considerable upgrade for you and your company.
If this comes up your alley, please, come back for details by: Katherin.Mills@gmail.com
with the following:
First Name:
Last Name:
Country:
State:
City:
Phone (Landline):
Phone (CELL):
Email:
Thank you in advance,
IBC GROUP.
Originating IP is 88.242.82.65 in Turkey.
Labels:
Money Mule,
Scams,
Spam
Wednesday, 22 April 2009
Russian / Italian spam
One of the major hurdles that spammers and scammers face is language. A typical eastern bloc scammer usually won't be able to speak any language like a native other than their own, and a poorly worded pitch is often an obvious sign of a scam.
Machine translations rarely make sense, and the best translators are always native speakers of that language. So, a professional fraud crew will often try to recruit linguistic experts to give their message more of an edge.
In this case, the spammers are trying to recruit someone who speaks Italian and presumably Russian. That's a target audience of around 60 to 70 million people who might well fall for an Italian language scam.
В наше бюро переводов требуются специалисты по итальянскому языку.
Если Вам нужен дополнительный заработок (~1000$ в месяц) - эта вакансия для Вас!
Ездить и ходить - никуда не нужно! Достаточно просто иметь доступ к интернету и телефон!
Никаких финансовых вложений с вашей стороны не нужно! И это не тендер!
Если Вам все еще интересно наше предложение - просто кратко ответьте на следующие вопросы:
1. Имя
2. Город проживания
3. Где обучались языку и на каком уровне им владеете.
Наш e-mail: lONicholsonbronze@gmail.com
После этого в течении некоторого времени мы обязательно свяжемся с Вами!
Всего хорошего, надеемя на долгое сотрудничество!
This translates approximately to:
We need specialists to provide translations to the Italian language. If you need additional income (about $1000 per month) - this position is for you! You do not need to drive or walk anywhere! You just need to have access to the Internet and a telephone.
If you are interested in our offer - just briefly answer the following questions:
1. Name
2. City of residence
3. Where did you learn the language and how proficient are you.
Our email is: [random Gmail account]
After this we will contact you in a short while.
Have a good time, hoping for a long cooperation!
Our samples originate from ADSL and dial-up subscribers in Turkey and India. The Gmail address is different in each one.
Don't be tempted by an unsolicited "job offer" like this. You are extremely unlikely to be paid, and you could end up in serious trouble with the police.
Labels:
Italy,
Job Offer Scams,
Russia,
Scams,
Spam
Tuesday, 21 April 2009
"August Insurance USA" scam
Another fraudulent job offer, this time originating from 190.43.155.148 in Peru. It doesn't really matter what the exact fraud is; this could well be a "back office" operation. But it's a scam nonetheless. Avoid. Needless to say, don't send 'em anything. And if you have agreed to "work" for them, demand some verifiable proof that they exist.
Subject: Good vacancy August Insurance USA.
Date: Tue, April 21, 2009 12:07 am
Priority: High
College degree but not enough experience?
Responsible for managing the day to day operations of various facilities to ensure the operations,
maintenance, and vendor management standards of the contract are met in a cost effective, safe and efficient manner.
Requirements
Candidates must possess the following:
- Effective interpersonal skills & communication skills
- Demonstrated leadership and team building abilities
- Self-confidence, flexibility and a positive attitude
- U.S. work authorization
Selected individuals will be trained to enhance leadership and networking skills in
preparation for an executive role within our company.
Compensation based solely on personal performance. For immediate consideration
please contact.
All positions will be filled immediately due to our recent expansion.
You may email your resume in Word to: CHmayHooper@gmail.com
Labels:
Job Offer Scams,
Money Mule,
Scams,
Spam
Monday, 20 April 2009
barefootsies.com: possible Joe Job.
Friday, 17 April 2009
Waledac: freeservesms.com
Waledac is pretty common these days, and it usually tries to point the victim to a fake video codec that is actually a trojan, often through a sensational "news" headline or the promise of nudity.
This particular pitch promises something quite different:
Do you want to test your partner or just to read somebody's SMS? This program is exactly what you need then!
It's so easy! You don't need to install it at the mobile phone of your partner.
Just download the program and you will able to read all SMS when you are online.
Be aware of everything! This is an extremely new service!
The download file is called smstrap.exe. So this magical piece of software can read someone else's SMS messages without having to install software on the phone, right? Wrong.. it's just another variant of the Waledac trojan (see the VirusTotal results, ThreatExpert prognosis).
Added: downloadfreesms.com is punting the same malware.
In this case the domain in use is freeservesms.com, although it is likely that there will be others. For the record, the WHOIS details are:
Domain Name : freeservesms.com
Registrant Contact Information :
SHANGGUANMING
GONGYUWUYEYOUXIANGONGSI
jongchangde@126.com
QIANJIN, 2005451
tel:
fax:
Administrative Contact Information :
SHANGGUANMING
GONGYUWUYEYOUXIANGONGSI
jongchangde@126.com
QIANJIN, 2005451
tel:
fax:
Technical Contact Information :
SHANGGUANMING
GONGYUWUYEYOUXIANGONGSI
jongchangde@126.com
QIANJIN, 2005451
tel:
fax:
Billing Contact Information :
SHANGGUANMING
GONGYUWUYEYOUXIANGONGSI
jongchangde@126.com
QIANJIN, 2005451
tel:
fax:
Status :
clientDeleteProhibited
clientTransferProhibited
Domain Name Server :
ns1.moneymedal.com
ns2.moneymedal.com
ns3.moneymedal.com
ns4.moneymedal.com
ns5.moneymedal.com
ns6.moneymedal.com
Registration Date : 2009-4-13
Expiration Date : 2010-4-13
Wednesday, 15 April 2009
"Yadu Investment Co., Ltd." / ntwifinetwork.com / tech-wifi.com
This email (supposedly from a Chinese domain registrar) follows a well-worn path of trying to sell useless names to owners of existing dot coms.
From: Joy [mailto:Joy@ntwifinetwork.com]
Sent: 10 April 2009 07:47
To: [redacted]
Subject: Notice of Intellectual Property Protection
Dear Sir/Madam: 2009-4-10
We are a domain name registration service company in Asia,
Last week we received a formal application submited by “Yadu Investment Co., Ltd.” Which wanted to use the keyword " [redacted]" to register the Internet Brand and with suffix such as .cn /.com.cn /.net.cn/.hk/ .asia/ domain names.
After our initial examination, we found that these domain names to be applied for registration are same as your domain name and trademark. We aren’t sure whether you have any relation with this company. Because these domain names would produce possible dispute, now we have hold down this registration, but if we do not get your company’s an reply in the next 5 working days, we will approve his application
In order to handle this issue better, Please contact us by Fax ,Telephone or Email as soon as possible.
Yours sincerely
Joy
Checking Department
Tel: 86 513 8532 2060
Fax: 86 513 8532 2065
Email :Joy@ntwifinetwork.com
Website: www.ntwifinetwork.com
Mail No.: [redacted]
Registrars DO NOT check trademarks before registrations (the exception is "sunrise registrations" for completely new top-level domains). This is an attempt to get you to buy an overpriced domain name that you don't need.
This mail may come from ntwifinetwork.com, tech-wifi.com or other domains; the domains are hosted on 174.138.60.95. Some of the wording is lifted from asiaregistry.com, although it is not possible to tell if they are affiliated.
If you are concerned about securing these domains, then most registrars now deal in Asian TLDs and can register them for you; otherwise you are probably safe to ignore it.
btw, the pitch is not new and has been used here, here and here.
Monday, 13 April 2009
Tropicalnames.com scam
tropicalnames.com is the new name for the pedma.com domain appraisal scam. The basic pitch is that you get an unsolicited offer for a domain name, along with a list of recognised appraisal companies. The cheapest company is controlled by the scammers who sent the email (apparently operating out of Canada).
Domain was registered on 3rd April 2008 with anonymised details and is hosted on 124.217.231.173 in Malaysia. If you get one of these, treat it as spam and file a complaint with abuse -at- piradius.net.
Sunday, 12 April 2009
"Mikeyy Mooney" / StalkDaily.com - someone is lying
The rules of spam are a semi-humorous and semi-serious look at the behavior of spammers.
Well, one hot spam topic is the recent StalkDaily.com XSS attack on Twitter. This cross-site attack basically spams out ads via a victim's contact list, and although it is arguable if this is "hacking", it certainly is spamming.
So, let's look at the "rules of spam" and how they apply in this case.
Rule #0: Spam is theft.
Using Twitter's services to send spam is theft. But perhaps the main financial cost to Twitter is that this kind of rubbish will put people off using the service. Of course, Twitter doesn't actually seem to make any money, but that's another issue..
Rule #1: Spammers lie.
So, when the spam attack took place, some people must have started to make complaints about StalkDaily.com, a domain registered on 22nd March to an anonymous registrant. The owner of StalkDaily.com responded as follows:
For everyone wondering, I did NOT promote and/or was involved with the spamming ON Twitter. All bad things you are hearing about this site is not true. Please reconsider as I am not the person who did this.
So, that clearly states that StalkDaily.com is not behind the XSS attack. So what's going on? Is it a Joe Job? Here's the odd thing.. Joe Jobs normally target established sites (not one less than a month old), and why waste an XSS exploit like this on a Joe Job when Twitter will probably close it?
We didn't have to wait long for an answer:
I have came clean and have accepted the responsibility for the worm, read the interview here, http://www.bnonews.com/news/242.html.
That's kind of 100% different from the last denial. The operator of StalkDaily.com is clearly lying about something, perhaps everything.
Rule #2: If a spammer seems to be telling the truth, see Rule #1.
As we have discovered, StalkDaily.com's denial was proved to be a lie. Or perhaps their admission is a lie. In any case, you should not do business with liars or spammers.
Rule #3: Spammers are stupid.
And this dude is as stupid as they get. Sure, stupid in a very smart kind of way.. but the kind of stupid that doesn't think what the consequences might be.
Rule #4: The natural course of a spamming business is to go bankrupt.
I can hear the sound of Twitter lawyering up. Hahahah.
The StalkDaily.com website points to a pseudo-news article at BNOnews fingering someone called "Mikeyy Mooney". And there's a large collection of material relating to "Mikeyy Mooney" at sqworl. But is it really "Mikeyy Mooney"? The admission itself comes from whoever operates StalkDaily.com.. and we have already established that they are a liar. The sqworl documents point to someone in Louisiana.. the BNOnews article says New York. Last time I looked at a map, these were two different places.
Perhaps a closer look at StalkDaily.com's server might be interesting. 74.200.253.195 hosts the following domains:
- Haxyou.com
- Michangelomooney.com
- Stalkdaily.com
Most of these sites have anonymous WHOIS details, except for Haxyou.com which is registered to some guy called Ryan who appears to be a distinctly different biological entity.
This is the bottom line - the operator of StalkDaily.com is a liar. They may even be lying that they are "Mikeyy Mooney." Perhaps Twitter can do us all a favour and subpoena the domain records before suing this idiot into the ground.
"Body parts" murder II
The gruesome body parts murder has a new installment with the discovery of a fifth body part, quite near to some of the others. You can see the distribution of finds on Google Maps.
This adds another element to the data set. The route between points "A" and "B" is curious and uses a lot of back roads, if that IS the route. Clearly these grisly finds have a pattern, but can they be traced back to the origin?
Labels:
Crime,
Google Maps
Thursday, 9 April 2009
"Body parts" murder
One mystery gripping this part of the UK is the mysterious "body parts" murder, where parts of a dismembered victim have been left near the roadside in several locations: Wheathampstead, Puckeridge and Cottered in Hertfordshire, while the head was dumped in Asfordby, Leicestershire.
Given that the Puckeridge part was reportedly left by the northbound carriageway, that gives a clue as to the direction that the "dumper" was travelling. Assuming that the head was the last part to be dumped, because it was the furthest away from the others, you can take these four data points and plot them in Google Maps.
You can see more here. Of course, speculation is just that, but it does appear that the dumper did a loop around Hertfordshire, perhaps near the A414, A10 and A507, and then drove up the A1 for about an hour before turning off. Yes, there's a technology aspect here: a tool like Google Maps makes it very easy to visualise this sort of data.
OK, this is all pretty gruesome and don't forget that someone has lost their life. But there's a grim fascination as to where the next discovery will be. Will that fit into the pattern?
Labels:
Crime,
Google Maps
Wednesday, 8 April 2009
secretdesiresuk.com spam
Yuck.
Subject: SecretDesires - The Ultimate Social Networking for Singles and Couples
From: "Secret Desires"
Date: Wed, April 8, 2009 5:25 pm
Are you a couple or single looking for FUN??
Worldwide Coverage with Audio and Video Cam Chat Rooms!
Virtual Kisses and Profile Voting!
Profile Pictures and Videos!
Massive Video Database growing Daily!
Come and Enjoy the Ride!!
You must add at least one valid profile picture to remain a FREE member!!
Secret Desires - What's Yours??
Originating IP is 78.145.126.63, secretdesiresuk.com is hosted on 174.132.193.251. The domain is registered to HostGator rather than the actual registrants, who are..
Debbie 'n' Paul. They say: "SecretDesiresUK is the culmination of 3 years of false starts and hard work by Debbie and Paul, of Orion Network Designs. We are both Swingers and have worked in the Adult Industry long enough to understand exactly what people want from an Adult Social Networking Site."
What? Like spam?
Let's log in. No confirmation of email address is needed. Bad luck Mr President.
67 members. And yes, the photograph gallery shows plenty of "members". Including some nudie shots of Debbie 'n' Paul. Yuk.
I'm not prudish, and frankly I believe that consenting adults should be able to get on with whatever they want to in private. But spamming this crap out at random is just going to get the wrong kind of attention.
If you get one of these, forward the email to security -at- hostgator.com.
Labels:
Spam
Saturday, 4 April 2009
luxgroupnz.com / LuxGroup scam
There are lots of legitimate companies with the name LuxGroup or Lux Group or something similar. This particular fake "LuxGroup" uses the domain luxgroupnz.com to push some sort of fraudulent job offer, probably a money mule or some other criminal activity.
Subject: A better career with LuxGroup
Good Day,
Major International Company is ready to offer you part(1-2 hours a day) and full time(5-8 hours per day) job in the USA. If you are interested, get back to us by email and send your resume or a short description of your former activities. Excellent career growth perspectives and merited salary.
For more info about terms, conditions and financial remuneration, get back ONLY to our corporative email address below: advjob@luxgroupnz.com
With regards,
Lux Group, Hiring Department
The luxgroupnz.com domain was registered on April 1st 2009 through XIN NET TECHNOLOGY CORPORATION to:
Name : Michell
Organization : Michell
Address : 56/2 Sun str.
City : Dallas
Province/State : beijing
Country :
Postal Code : 85230
Phone Number : 86--56343365
Fax : 86--56343365
Email : Michell.Gregory2009@yahoo.com
Site is hosted on 222.73.37.250, name services are provided by NS1.CHOSTSERVICE.COM and NS2.CHOSTSERVICE.COM. Other domains hosted on that server are:
- A-finance.net
- A-finance.org
- Aiminfo.info
- Careertrip.cn
- Danunafig.ru
- Dessgif.com
- Hot-jobster.cn
- I-love-pets.ru
- Icm-mail.biz
- Icm-network.net
- Isearchword.info
- Itellu.info
- Itellu.ru
- Lastyp.ru
- Mountain-travel.ru
- Mycotteges.ru
- Oceananswers.info
- Oceanofsearches.info
- Pinigeliai.com
- Temp-biz.cn
- U-search.info
- Yadrenamat.ru
- Yaponamat.ru
If you get one of these ignore it.
Labels:
Job Offer Scams,
Lapatasker,
Money Mule,
Scams,
Spam
Friday, 3 April 2009
Hostfresh dead?
Sandi reports that Hostfresh has been de-peered, the latest organized criminal web host to be removed from the interwebs.
This Hong Kong-based outfit provided the back-end hosting for malware infections including early versions of Conficker. It has become increasingly apparent that they are basically an outpost of the Russian Business Network.
Hostfresh-hosted domains have scattered, but it probably won't be long until they find another RBN-friendly host that doesn't know what happened to Atrivo, McCole, Ukrtelegroup and Estdomains.
Labels:
Hostfresh
Thursday, 2 April 2009
BlizzardImageHosting.com - possible Joe Job
We have an email trap that seems to be hit exclusively by a low number of Waledac related spam (fake "terror reports", pharma spam, penis enlargement etc). We know that this particular address was harvested from a compromised PC, so the only people who have the address are the Bad Guys.
Unexpectedly then, the following email turned up:
From: (removed)
Sent: 01 April 2009 20:33
To: (removed)
Subject: Free Image Hosting
BlizzardImageHosting.com is a new leader in online image & photo hosting,
portfolios, and slideshow creation. We offer features you wont find
at other image hosting sites and we offer it FOR FREE!
- Upload Unlimited Images
- Share Images With Anyone and Anywhere
- Get Gigabytes of Monthly Bandwidth
and much more...
Sign up now!
http://blizzardimagehosting.com/index.php
(c) 2003-2009 Blizzard Image Hosting All Rights Reserved
So, my initial thoughts were that blizzardimagehosting.com were in league with the bad guys. Let's check out their WHOIS details:
Marquee, Media Networks webmaster -at- marqueemediaonline.com
Marquee Media Networks
6741 Sprinkle Road, Ste 293
Portage
MI
49002
US
Phone: +1.2694929957
Fax: +1.2694929958
The address is actually a branch of PakMail, but that probably means in this case that Marquee Media Networks rents a post box. The WHOIS details for marqueemediaonline.com indicate a name of Christopher Maher. So do these WHOIS details look suspicious? Not really. Usually, Waledac related domains come with WHOIS details that indicate telltale traces in China or Russia; the details for blizzardimagehosting.com are not inherently suspicious.
Marquee Media operates a web server at 216.17.107.72, which hosts an ill-advised mix of adult sites and general interest sites (porn sites and fishing on the same server?). Still, all the WHOIS details are consistent, and there seems to be nothing illegal going on.
Here's the thing - nothing at all about blizzardimagehosting.com fits the Waledac profile. This seems to be a small business running out of Michigan, nothing more. At a best guess, Marquee Media has somehow displeased the Waledac gang, either through something to do with adult content or web hosting.
So.. if you get a spam for blizzardimagehosting.com then treat it with scepticism, but as far as I am concerned this company is probably not guilty of this spam run; instead it looks like a Joe Job.
Labels:
Joe Job
Friday, 27 March 2009
"Shanghai QiPeng Network Information Technology" / "Sopper Investment Co. LTD"
This particular pitch has been around for a long time - a domain name registrar (or reseller) who is "checking" a domain registration that might infringe on your trademarks. Of course, registrars are not responsible for checking trademarks (can you imagine how complicated and expensive the process would be!)
Usually this approach is an attempt to get you to register useless domain names at inflated prices, and in all probability the domain names they are warning about will never even be registered. If you really are concerned, then register them through a reputable registrar; otherwise you are best off ignoring it.
The same approach can be seen here and here.
Subject: Domain Issues for "[redacted]"
From: "Ramon zhang"
Date: Fri, March 27, 2009 9:20 am
If you are not the person who is in charge of this, please forward to the right person/department. Thank you)
Dear CEO,
We , a registrar organization in China, have something to check with you. We received an application today One South Korea company called " Sopper Investment Co. LTD" is applying for "[redacted]" as internet brand and following Asian/.CN domain names to use.
[redacted].com.tw
[redacted].hk
[redacted].in
[redacted].net.cn
[redacted].org.cn
[redacted].tw
After our initial checking, we found the internet brand and keyword of these domain names are as same as your company's.Because of it involves your company's intellectual property, so we need to check this with your company. If the aforesaid company is your subsidiary company or your business partner, please DO NOT reply us, we will approve the application automatically. If you have no any relationship with this company, please contact us within 7 workdays. If out of the deadline, we will approve the application submitted by "Sopper Investment Co. LTD" unconditionally.
Look forwarding to hearing from you.Thanks.
Best Regards,
Ramon Zhang
Leader Checker
Shanghai QiPeng Network Information Technology Co.,Ltd
Tel: +86-21-6992-9440 Fax: +86-21-6992-9447
Postal Code: 200063
website:http://www.qipeng.org.cn
Shanghai QPNIC Web Property Solutions Limited is a comprehensive company engaged in the Internet intellectual property services that mainly provides network-based service, network intellectual property service.
Company objective: The good faith first, the customer is supreme.
Thursday, 26 March 2009
dns@nisource.com Joe Job
NiSource is a US electricity and gas provider. This spam appears to be a Joe Job aimed at the DNS support mailbox at that company. In this case the originating IP is 166.156.53.33.
Since the email is soliciting replies via email, it is most likely a revenge attack for something or other.
From: Mabel Mcdaniel [mailto:dns@nisource.com]
Sent: 26 March 2009 14:55
To: [redacted]
Subject: Replica Watches
A lot of brands, 100-300 usd.
Mail to order: dns@nisource.com
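As an added example that is not part of the original post: the Joe Job reasoning above (a sender address belonging to a real organisation, but a message handed to your MX by an unrelated IP) can be mechanised with an SPF check. The script below takes a constructed copy of the spam's headers and a constructed SPF record for nisource.com (both are assumptions for the demonstration, not the company's real message or DNS data; in practice you would fetch the domain's TXT record) and evaluates the originating IP 166.156.53.33 against it.

```python
"""Forged-sender check for a suspected Joe Job (added example, not from the post).

Pulls the sender domain from From:, the originating IP from the outermost
Received: line, and evaluates that IP against the sender domain's SPF record.
"""
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample headers modelled on the spam quoted above; the real raw
# message was not published, so the Received: line is an assumption.
SAMPLE_HEADERS = """\
Received: from unknown (HELO mail.example.net) ([166.156.53.33])
	by mx.example.org with SMTP; 26 Mar 2009 14:55:02 +0000
From: Mabel Mcdaniel <dns@nisource.com>
To: victim@example.org
Subject: Replica Watches

A lot of brands, 100-300 usd.
Mail to order: dns@nisource.com
"""

# Constructed SPF record, an assumption for the example only. The real record
# would come from a TXT lookup on the sender domain.
SPF_RECORDS = {
    "nisource.com": "v=spf1 ip4:198.51.100.0/24 ip4:203.0.113.10 -all",
}


def sender_domain(msg):
    """Domain part of the From: address, lower-cased, or None."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower() or None


def originating_ip(msg):
    """IP from the first (outermost) Received: header, i.e. the host that
    handed the message to our MX. Deeper Received: lines can be forged by
    the spammer, so only this one is trusted."""
    received = msg.get_all("Received") or []
    if not received:
        return None
    m = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", received[0])
    return m.group(1) if m else None


def evaluate_spf(record, ip):
    """Minimal SPF evaluator: ip4 mechanisms and the all mechanism only.
    Returns 'pass', 'fail', 'softfail' or 'neutral'. include/redirect/a/mx
    are deliberately not handled."""
    qualifiers = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
    addr = ipaddress.ip_address(ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an spf1 record")
    for term in terms[1:]:
        q = "+"
        if term[0] in qualifiers:
            q, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "ip4" and isinstance(addr, ipaddress.IPv4Address):
            if addr in ipaddress.ip_network(arg, strict=False):
                return qualifiers[q]
        elif mech == "all":
            return qualifiers[q]
    return "neutral"  # no mechanism matched and no 'all' term


def classify(raw_message, spf_records=SPF_RECORDS):
    """Return the extracted sender domain, originating IP, SPF result and a
    verdict. An SPF 'fail' is the forged-sender signature of a Joe Job."""
    msg = message_from_string(raw_message)
    domain = sender_domain(msg)
    ip = originating_ip(msg)
    record = spf_records.get(domain) if domain else None
    if not (domain and ip and record):
        return {"domain": domain, "ip": ip, "spf": None, "verdict": "unknown"}
    result = evaluate_spf(record, ip)
    verdict = "forged sender (Joe Job candidate)" if result == "fail" else result
    return {"domain": domain, "ip": ip, "spf": result, "verdict": verdict}


if __name__ == "__main__":
    print(classify(SAMPLE_HEADERS))
```

An SPF fail only tells you that the message did not come from a host the named domain authorises, which is exactly what a Joe Job looks like from the receiving end; it does not tell you whether the organisation is victim or participant, which is why the post also asks who benefits from the replies. Real SPF records lean heavily on include: and redirect=, which this minimal evaluator skips on purpose.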
Monday, 23 March 2009