Just as a follow-up to the warmfuzzylove.com scam, the same server (98.126.22.178) now hosts Affilnet.net, which may be trying to pass itself off as Affili.net, a legitimate marketing agency, although at the moment the site appears to be blank.
The domain was previously registered to Warner Brothers (of all people!) but was reregistered to an anonymous registrant on 13th November.
Given that the registration pattern and the server being used are consistent with an existing scam, any approach from Affilnet.net should be regarded as suspicious unless proven otherwise.
Thursday, 19 November 2009
Avira detects TR/Crypt.XPACK.Gen in MW2
I don't play Modern Warfare 2 - but some reports indicate that it has a virus in it.
What seems to be happening is that Avira is coming up with a generic detection of TR/Crypt.XPACK.Gen on a temporary file (perhaps ~B8.tmp) in C:\Documents and Settings\%USERNAME%\Local Settings\Temp.
However, "TR/Crypt.XPACK.Gen" is a generic detection - Avira is scanning the file and determining that it might be suspicious because it has been compressed with a commercial packer (a bit like a ZIP file). It is almost definitely a false positive that will be fixed quite soon.
If you like, you can head to the Avira Support Forums, where there is a short thread about it.
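To see why a packer heuristic like this fires, here is an added example (mine, not from the original post, and not Avira's detection logic) that measures Shannon entropy over a file in 4 KB chunks. Compressed or encrypted data looks close to random, so a generic "packed" verdict is essentially an entropy check plus a few packer signatures, and a legitimately packed game executable trips it just as well as a packed trojan. The sample inputs are constructed inline, with Python's zlib standing in for a commercial packer; the 7.0 bits-per-byte threshold is an assumption chosen for illustration.

```python
import math
import random
import zlib


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty or constant data, 8.0 for uniform."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def entropy_profile(data: bytes, chunk: int = 4096) -> list:
    """Entropy of each consecutive chunk; a packed file sits near 8 bits/byte almost throughout."""
    return [shannon_entropy(data[i:i + chunk]) for i in range(0, len(data), chunk)]


def looks_packed(data: bytes, threshold: float = 7.0, chunk: int = 4096) -> bool:
    """Heuristic verdict: more than half of the chunks are near-random (assumed threshold 7.0)."""
    profile = entropy_profile(data, chunk)
    if not profile:
        return False
    high = sum(1 for e in profile if e >= threshold)
    return high / len(profile) > 0.5


def build_sample_text(n_words: int = 12000, seed: int = 7) -> bytes:
    """Constructed stand-in for a program's data: English-like text from a small vocabulary."""
    rng = random.Random(seed)
    vocab = "the quick brown fox jumps over a lazy dog while packet filters log every connection attempt".split()
    return " ".join(rng.choice(vocab) for _ in range(n_words)).encode()


PLAIN_SAMPLE = build_sample_text()
PACKED_SAMPLE = zlib.compress(PLAIN_SAMPLE, 9)  # zlib stands in for a commercial packer


if __name__ == "__main__":
    for name, blob in (("plain", PLAIN_SAMPLE), ("packed", PACKED_SAMPLE)):
        prof = entropy_profile(blob)
        print(f"{name:6s} {len(blob):7d} bytes  mean entropy {sum(prof) / len(prof):.2f}"
              f"  packed? {looks_packed(blob)}")
```

The point of the example is the weakness of the heuristic rather than its strength: it cannot tell a packed legitimate binary from a packed trojan, which is exactly why a vendor treats a hit like this as a candidate for whitelisting rather than a confirmed infection.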
Labels:
Anti-Virus Software,
False Positive,
Viruses
Wednesday, 18 November 2009
T-Mobile & LBM: Just a coincidence?
In what appears to be a systematic plundering of customer records, T-Mobile staff have sold hundreds of thousands (or perhaps millions) of customer details to rival operators. Given that a lead for an expiring mobile phone contract seems to sell for around 50p to £2 a pop, this is possibly a significant slice of cash.
One question is: who sold the data. But a more pertinent one is: who bought the data?
It is probably just a sheer coincidence that I have previously documented unexplained cold calling for T-Mobile customers from a company called LBM Direct Marketing in the UK.
This current round of cold calling is on behalf of O2. LBM appears to have subscriber details - when they finally do talk to you rather than putting the phone down, they greet you by name. [..] The caller denied that they worked for LBM, and claimed to be working for O2 [..]. Our attempts to talk to a supervisor at LBM resulted in the caller putting the phone down. In this case, they do seem to know the name of the subscriber ([..] the phone had previously been with Vodafone and then transferred to T-Mobile)
This is probably not an isolated incident - expiring mobile phone contract leads are valuable and are regularly traded, and we're not just talking about T-Mobile here.. it seems to be very widespread, and T-Mobile deserve some kudos for tackling the issue.
Just in case you missed all the furore, T-Mobile have a news article about it:
Labels:
Data Protection,
LBM,
T-Mobile
Sunday, 15 November 2009
Who is My-Data-Source.com?
My spidey sense started to tingle when I got this spam:
The spam redirects through an affiliate link of mikepsandersmyd.click2sell.eu after first taking a couple of hops through TinyURL to avoid reporting. Originating IP is 200.46.204.144 in Panama.
Subject: Your friend Workathomesystem[6194] would like to tell you about the Site
From: HR6194@workathomesystem.org
Date: Sun, November 15, 2009 4:09 am
Hello, my name is Derek Lindsay, and I am the Director of My-Data-Source.com. I would personally like to invite you to become part of our team doing work-at-home data entry. We have guided thousands of team members to success using our new type of data-entry job called Global Data Entry. Some members are currently making $300 - $2000 and more per day, using our program and guidance. We have been dealing with online data entry for over 7 years. Do you have a few minutes? I will explain more.
The Legitimacy of Our Company and the Programs We Offer
If you are hearing Data-Entry Jobs before then I would like to make something very clear first. We are NOT a get-rich-quick company. If you are visiting our Web site looking for this type of opportunity then I am sorry to inform you that the programs we offer are not get-rich-quick schemes. We are a legitimate company, offering legitimate work-from-home data-entry job opportunities that have proven success and that we stand behind 100% with our satisfaction guarantee. If you were to ask us the biggest difference between My-Data-Source.com and all of the other work-from-home programs on the Internet, the answer would be this - With My-Data-Source.com, we give you training courses before you could do the the actual job to perform and get paid as we will explain on this page with our newest sources of Data Processing Jobs that pays. We will also provide you other programs that you will find when you became a member and that all you are getting is a list of links to jobs that you will need to apply to. WE ARE PROVIDING TRAINING COURSE AND THE ACTUAL DATA PROCESSING JOBS WITH OUR My-DATA-SOURCE.com TRAINING CENTER AND DATA PROCESSING JOBS THAT PAYS! Join our team, get started with complete instructions and guidance on our program.
Click this link: (snip)
My-Data-Source.com is one of those work-from-home programs that you have to pay to join. Is it a scam though? A good place to start is by looking for general advice on this sort of scheme from reputable sources, for example the BBB, National Consumer League, ScamBusters, and Consumer Direct.
One important thing is to know who you are dealing with - and My-Data-Source.com doesn't mention any real contact details anywhere on their website. The domain was registered to an anonymous registrant on 1st September 2009, so it has only been around for a few months. So, no clue there, and it is impossible to know who you are actually dealing with.
Another thing to look at are testimonials - you can find these at www.my-data-source.com/testimonials.php - they all look fantastic, but in fact they turn up for all sorts of different sites on the web and clearly do not relate to My-Data-Source.com directly.
The so-called testimonials give a clue though - many of these are on "cookie cutter" sites, basically the same site with a different name. That's never a good sign as it looks like someone is trying to hide something. Sites that appear to be largely the same are:
- my-data-team.com
- global-data-entry.com
- mydatateam.net
- earn-clickhere.com
- mydatateamjobs.com
- mydataentryjobs.net
- my-data-source.com
- onlinedataworkjobs.co.uk
onlinedataworkjobs.co.uk takes exactly the same content and claims to have been in business for 5 years, although the domain was only registered on 14th May 2009 to a company called "United Service Solutions" (who are not listed anywhere as a UK company) apparently based out of a flat in Bristol. Doesn't fill you with confidence, eh?
Where it is possible to find a registrant for these sites, they all appear to be different. So, either they are reselling someone else's "work at home" product, or they are just copy-and-pasting content from someone else.
There are very few clues as to the owner of My-data-source.com except for the name "Mike P Sanders" embedded in the affiliate link. When you try to sign up for the program, eBay gives an email address of mikepsanders@gmail.com.
..but here's an oddity: when the domain was originally registered, the registrant was "Lyndon Dave Ardimer", and a straight Google for that name points to a website called primemarketers.com which contains a number of ads for various schemes.. including My-data-source.com, posted by Mike Sanders. So, is Mike P Sanders actually Lyndon Dave Ardimer? Or is this Derek Lindsay? Or Timothy Darwin (whose name appears on many of these sites)? At this point, the lead vanishes into a mass of affiliate programs and offshore marketers.
So who is My-Data-Source.com? As you can see, it is difficult if not impossible to determine if there's a real company involved anywhere in this scheme. Should you shell out $50 to join up with a company with no discernible history or physical location? Almost every consumer advice site says that you shouldn't get involved in any type of work-at-home scheme unless you can verify real contact details.. so on that basis, perhaps give this one a miss!
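The cookie-cutter check above can be automated. Below is an added example (mine, not from the original post) that compares page text using word shingles and Jaccard similarity, then groups sites whose text overlaps above a threshold. The page texts in the sample dictionary are constructed for the example: the testimonial template mimics the kind of boilerplate described, with the site name swapped in, and bristol-alloys.example is an unrelated control page. The 0.5 threshold and the shingle length of four words are assumptions.

```python
import re

# Constructed boilerplate in the style of the "testimonials" described above.
TESTIMONIAL_TEMPLATE = (
    "I joined {site} three months ago and now I earn hundreds of dollars a day doing "
    "simple data entry from my kitchen table. The training centre was easy to follow "
    "and the support team answered every question within hours. {site} changed my "
    "life and I recommend it to anyone who wants to work from home. "
    "Our company has been in business for five years and thousands of members "
    "have completed the course with our satisfaction guarantee."
)


def page_for(site: str) -> str:
    return TESTIMONIAL_TEMPLATE.format(site=site)


SAMPLE_PAGES = {
    "my-data-source.com": page_for("my-data-source.com"),
    "global-data-entry.com": page_for("global-data-entry.com"),
    "onlinedataworkjobs.co.uk": page_for("onlinedataworkjobs.co.uk"),
    "bristol-alloys.example": (
        "Welcome to Bristol Alloy Supplies. We stock aluminium bar, sheet and tube for "
        "fabrication shops across the south west. Opening hours are nine until five, "
        "Monday to Friday, and trade accounts are welcome."
    ),
}


def shingles(text: str, k: int = 4) -> set:
    """Set of k-word windows; robust to the site name being swapped in and out."""
    words = re.findall(r"[a-z0-9]+", text.lower())
    return {tuple(words[i:i + k]) for i in range(len(words) - k + 1)}


def jaccard(a: set, b: set) -> float:
    """Overlap of two shingle sets: 1.0 identical, 0.0 nothing in common."""
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


def cluster_clones(pages: dict, threshold: float = 0.5, k: int = 4) -> list:
    """Group sites whose pairwise similarity is at or above threshold (union-find)."""
    names = list(pages)
    sh = {n: shingles(pages[n], k) for n in names}
    parent = {n: n for n in names}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if jaccard(sh[a], sh[b]) >= threshold:
                parent[find(a)] = find(b)
    groups = {}
    for n in names:
        groups.setdefault(find(n), set()).add(n)
    return sorted(groups.values(), key=lambda g: (-len(g), sorted(g)))


if __name__ == "__main__":
    for group in cluster_clones(SAMPLE_PAGES):
        print(sorted(group))
```

Shingles rather than whole-page hashes are what make this work: swapping a name or reordering a paragraph barely moves the score, whereas a genuinely different business drops to near zero. In practice you would feed it the fetched testimonial pages rather than constructed strings.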
Labels:
Spam
Friday, 13 November 2009
warmfuzzylove.com scam
Another dating scam, but they couldn't even be bothered with a picture of a pretty Russian girl.
warmfuzzylove.com was registered with anonymous details on 4th November 2009 and is hosted on 98.126.22.178 which also handles all the mail. The same server also hosts personals-online.net and singasong4u.com, both also recently registered with anonymous details.
Subject: re:
From: "jody"
Date: Fri, November 13, 2009 10:49 pm
Hi there:
My name is jody. I was just looking at your picture online and i would
love to chat with you tonight. i just moved close to you and i have no
friends yet :(
you can send a message to my private email jody@warmfuzzylove.com
i would love to hear from you !!!!
Of course, "Jody" is probably a fat middle-aged man from a former Soviet Republic who will unexpectedly need some money wiring to them. Avoid.
Labels:
Dating Scams,
Spam
Thursday, 12 November 2009
support@nacha.org: "Please review the transaction report"
This is the Zbot trojan or something, very much like this one.
From: Electronic Payments Association [mailto:support@nacha.org]
Sent: 12 November 2009 14:58
Subject: Please review the transaction report
Dear bank account holder, The ACH transaction, recently initiated from your bank account (by you or any third party), was rejected by the Electronic Payments Association. Please review the transaction report by clicking the link below:
Unauthorized ACH Transaction Report
------------------------------------------------------------------
Copyright ©2009 by NACHA - The Electronic Payments Association
The underlying link goes to nacha.org.fffazsf.org.uk, which is itself hosted on some sort of Fast Flux botnet. The landing page attempts to get the user to download report.exe (a Zbot variant). It also opens an IFRAME to 121.12.170.177 in China, a well-known malware host.
VirusTotal shows patchy detections, still being analysed by ThreatExpert.
The domain name registration is obviously fake:
Domain name: fffazsf.org.uk
Registrant: Matthew Hughes
Registrant type: Non-UK Individual
Registrant's address: 203 Striding Ridge Drive Goldsboro 3881 Belgium
Registrar: Webfusion Ltd t/a 123-Reg.co.uk [Tag = 123-REG]
URL: http://www.123-reg.co.uk
Relevant dates:
Registered on: 12-Nov-2009
Renewal date: 12-Nov-2011
Last updated: 12-Nov-2009
Registration status: Registration request being processed.
Name servers: ns1.pa-estate.com ns1.tradesdomains.net
Dig deeper at pa-estate.com and we see a familiar email address:
Name : Michell
Organization : Michell
Address : 8663 Sudley Road
City : Manassas
Province/State : beijing
Country : United States
Postal Code : 20108
Phone Number : 571-866-7585793
Fax : 571-866-7585793
Email : Michell.Gregory2009@yahoo.com
A Google Search for that address comes up with over 24,000 references!
tradesdomains.net is registered differently:
Dolorous Lane
fergunis@gmail.com
512 Stonegate Pl
Brentwood
TN
37027
US
Phone: +1.6155546664
ns1.pa-estate.com and ns1.tradesdomains.net are hosted at 207.210.101.253 (Global Net Access, LLC), which also hosts puioypai.org, which looks suspect too. ns2.tradesdomains.net is on 195.178.190.48 (Bahnhof Internet, Sweden).
Added: the email comes from several different addresses, including:
- report@nacha.org
- support@nacha.org
- info@nacha.org
Subject lines seen include:
- Your ACH transaction was rejected by The Electronic Payments Association (NACHA)
- Please review the transaction report
- Your ACH transaction was rejected
Lookalike domains used in the links include:
- nacha.org.tttteacf.co.uk
- nacha.org.tttteacx.org.uk
- nacha.org.redaczxm.me.uk
- nacha.org.fffazsx.co.uk
Additional name servers seen:
- ns1.pa-estate.net
- ns1.video-format.com
Tuesday, 10 November 2009
media-servers.net hit by superkahn.ru injection attack
Their site is infected with injected code pointing to superkahn.ru:8080/index.php - probably the people who own media-servers.net know nothing about it, but they don't make it easy to be contacted.
Registrant:
Netposition Ltd.
POB 16041
Tel Aviv 61160
Israel
Domain Name: MEDIA-SERVERS.NET
Created on: 19-Sep-04
Expires on: 19-Sep-13
Last Updated on: 17-Feb-09
Administrative Contact:
Administrator, Domain domadmin@netposition.com
Netposition Ltd.
POB 16041
Tel Aviv 61160
Israel
+972.9723928600 Fax --
Technical Contact:
Administrator, Domain domadmin@netposition.com
Netposition Ltd.
POB 16041
Tel Aviv 61160
Israel
+972.9723928600 Fax --
superkahn.ru is registered to:
domain: SUPERKAHN.RU
type: CORPORATE
nserver: ns1.freeonlinednshost.com.
nserver: ns2.freeonlinednshost.com.
nserver: ns3.freeonlinednshost.com.
nserver: ns4.freeonlinednshost.com.
state: REGISTERED, DELEGATED, VERIFIED
person: Private Person
phone: +7 4912 219900
e-mail: dibs@freemailbox.ru
registrar: NAUNET-REG-RIPN
created: 2009.10.28
paid-till: 2010.10.28
source: TC-RIPN
This is multihomed on:
91.121.88.218 (OVH, Paris)
91.121.108.53 (OVH, Paris)
94.23.211.214 (OVH, Paris)
94.75.198.241 (Leaseweb, Amsterdam)
82.192.88.35 (Leaseweb, Amsterdam)
Websense report that this runs a variety of exploit attempts against unpatched Microsoft and Adobe products. Quantcast figures say that almost a million US visitors access this site per month, so presumably many more worldwide.
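As an added example (mine, not from the original post, and not the actual injected code, which the post does not reproduce), here is a small Python checker that parses a page and flags script and iframe sources loading from another host, with a non-standard port such as :8080 called out separately. This is the kind of check a site owner can run against their own pages to catch an injection like the one above. The sample HTML is constructed for the example; the superkahn.ru:8080/index.php reference mirrors the URL named in the post, but the tag it sits in is an assumption.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _SourceCollector(HTMLParser):
    """Collects the src attribute of every <script> and <iframe> in the page."""

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "iframe"):
            src = dict(attrs).get("src")
            if src:
                self.refs.append((tag, src))


def find_offsite_refs(html: str, site_host: str, suspicious_ports=(8080,)) -> list:
    """Return (tag, src, reason) for script/iframe sources not served by site_host.

    Relative references resolve against the site itself and are ignored; anything on
    another host is reported, and a non-standard port (e.g. :8080) is called out.
    """
    parser = _SourceCollector()
    parser.feed(html)
    base = f"http://{site_host}/"
    findings = []
    for tag, src in parser.refs:
        parts = urlsplit(urljoin(base, src.strip()))
        host = (parts.hostname or "").lower()
        if host == site_host or host.endswith("." + site_host):
            continue  # served by the site or one of its own subdomains
        reason = f"off-site <{tag}> from {host}"
        if parts.port in suspicious_ports:
            reason += f" on non-standard port {parts.port}"
        findings.append((tag, src, reason))
    return findings


# Constructed page: two legitimate includes, one ordinary third-party script, and two injected references.
SAMPLE_HTML = """<html><head>
<script src="/js/site.js"></script>
<script src="http://cdn.example-stats.net/stats.js"></script>
</head><body>
<p>Welcome to media-servers.net</p>
<script src="http://superkahn.ru:8080/index.php"></script>
<iframe src="//superkahn.ru:8080/index.php" width="1" height="1"></iframe>
</body></html>"""


if __name__ == "__main__":
    for tag, src, reason in find_offsite_refs(SAMPLE_HTML, "media-servers.net"):
        print(f"{reason}: {src}")
```

The ordinary third-party script is reported too, which is deliberate: an allow-list of the hosts your pages are supposed to load from turns this into a useful nightly diff, and an unexpected host on port 8080 is a strong signal on its own.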
Labels:
Injection Attacks,
OVH,
RU:8080,
Viruses
Friday, 6 November 2009
"Congratulations!! You have won todays Macbook Air.".
Another day, another badly detected trojan:
Subject: Congratulations
From: "Media Service"
Congratulations!! You have won todays Macbook Air.
Please open attached file and see datails.
Attachments:
winner.zip 21 k [ application/zip ]
winner.zip contains winner.exe detected by some products as the Sasfis Trojan.
ThreatExpert report is here; the malware phones home to 193.104.27.4 and 193.104.27.91 in the Ukraine.
Thursday, 5 November 2009
BBC websites down - possible DDOS attack?
The BBC's websites (e.g. news.bbc.co.uk and www.bbc.co.uk) are either down or very slow to respond from multiple ISPs and countries. It feels like a DDOS attack, but I cannot confirm it.
It's not trending on Twitter yet, but you can see that it's a widespread issue in real time. The BBC was subject to a major DDOS attack almost exactly a year ago.
Update: the BBC have a statement blaming "network problems" here. Perhaps they should be blaming Siemens?
Wednesday, 4 November 2009
Tuesday, 27 October 2009
"Facebook Password Reset Confirmation" trojan
This trojan claims to be something to do with a Facebook password reset, but it's a plain old EXE-in-ZIP trojan attack.
Subject: Facebook Password Reset Confirmation.
From: "The Facebook Team" <service@facebook.com>
Hey fortunes ,
Because of the measures taken to provide safety to our clients, your password has been changed.
You can find your new password in attached document.
Thanks, The Facebook Team
Attachments: Facebook_Password_6c6eb.zip
The Trojan is widely detected as a version of Bredolab. ThreatExpert report is here.
Remember, if you can block EXE-in-ZIP files at your mail gateway, it is well worth doing.
Labels:
EXE-in-ZIP,
Spam,
Trojans,
Viruses
Saturday, 24 October 2009
Uh.. what?
A case of "WTF is this spam trying to do"? It looks like this noobie spammer thinks that sending out millions of copies of their banking details is going to be the path to riches.. rather than (say) identity theft. Spam originates from 123.139.106.235 in Shaanxi Province, China, which matches the banking details.
Out of a possibly misguided sense of pity, I have omitted some of the digits from the account number!
Subject: Electronic mail messages webmaster:
From: "The webmaster"
HELLO:
You will actively support god. Each user donated $500 a lifelong use
email. As senior members...
You are christians, please send email forwarded others thirty times,
and charitable donations to me, god will bless you! God will
organization
hello:
Please send money into my account at Bank of China.
Bank name: the bank of China
A/C NO: 2979 7702 0007 xxx
IN A/C WITH: Zhang Lu Xi
Address: 38 Juhua Yuan, Xi'an 710001, Shaanxi Prov., China
Swiftcode: BKCH CN BJ 620
You can use high-speed does not capture email
E-mail the webmaster 2009.10.23.
Tuesday, 20 October 2009
Police Fail
Never mind the slightly dubious issue of mapping crime hotspots, the announcement of a new service using data from the UK's police force to map crime was always going to generate a lot of interest.
The map is meant to look something like the image on the right, but because this is the UK the server is clearly underspecified for the amount of interest it is generating, and anyone who actually tries to visit maps.police.uk gets the rather predictable result below:
It's all a bit reminiscent of when the 1901 Census site went offline for months. Is it beyond the capabilities of the people implementing it to judge demand?
Incidentally, the Met have a similar mapping system sensibly powered by Google, which seems to work quite well.
Labels:
Fail,
Google Maps,
Police
Monday, 19 October 2009
Google indexing private Google Voice transcripts?
A disturbing item from the Boy Genius Report indicates that seemingly private Google Voice transcripts are appearing in Google search results with a seemingly simple search string. Although some of these are "test" messages, one or two do seem to be the real deal. Oops.
Labels:
Google,
Google Voice,
Privacy
Wednesday, 14 October 2009
"A new settings file for the blah@blah.blah mailbox"
A clever bit of social engineering, looks like Zbot:
From: alert@blahblah.tld
Subject: A new settings file for the name@blahblah.tld mailbox
Dear user of the blahblah.tld mailing service!
We are informing you that because of the security upgrade of the mailing service your mailbox (name@blahblah.tld) settings were changed. In order to apply the new set of settings click on the following link:
http://blahblah.tld/owa/service_directory/settingsphp?email=name@blahblah.tld&from=blahblag.tld&fromname=name
Best regards, blahblah.tld Technical Support.
The link is a forgery; underneath, it actually points to blahblah.tld.polikka.eu/owa/service_directory/settings.php?email=name@blahblah.tld&from=blahblah.tld&fromname=name
polikka.eu was registered just today, the registration details are:
Domäne
Name
polikka
Status
REGISTRIERT
Registriert
October 14, 2009
Letzte Aktualisierung
October 14, 2009, 4:35 pm
Registrant
Name
Spasova, Galia
Unternehmen/Organisation
Galia Spasova
Sprache
Englisch
Adresse
j.k. Droujba-1
44231 paris
Frankreich
Telefon
+32.8834336218
E-Mail
gsmailva@ge-88.com
Probably fake you might think, except that "j.k. Droujba-1" is an address in Sofia, not Paris. And it belongs to a company called GE-88 Ltd who have a website of ge-88.com. So, the email address in the WHOIS does seem to trace back to a Bulgarian company. And what does GE-88 Ltd do? Ummm.. well, it appears to manufacture alloys. It could be fake, perhaps their mailserver is compromised..
Nameservers are ns1.supranull.com and ns1.trapsing.net (96.31.81.80 - Noc4Hosts Inc) (although the site is not resolving at the moment).
Just as I was typing this in, another one came through using the domain oikkkkua.co.uk as a redirector:
Domain name:
oikkkkua.co.uk
Registrant:
Evelyn Wilson
Registrant type:
Non-UK Individual
Registrant's address:
805 E. Stocker
paris
68554
Belgium
Registrar:
Webfusion Ltd t/a 123-Reg.co.uk [Tag = 123-REG]
URL: http://www.123-reg.co.uk
Relevant dates:
Registered on: 14-Oct-2009
Renewal date: 14-Oct-2011
Last updated: 14-Oct-2009
Registration status:
Registration request being processed.
Name servers:
ns1.horstsolution.net
ns1.soon-moon.com
Again, this one isn't resolving yet but it was just registered today.
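Both this e-mail and the nacha.org one further up use the same trick: a trusted name sits at the front of the hostname (nacha.org.fffazsf.org.uk, blahblah.tld.polikka.eu) while the registrable domain is something registered that same day, and the visible link text does not match the real target. Here is an added example (mine, not from the original post) of the check a mail gateway or a cautious user can apply to a link before following it. The small PUBLIC_SUFFIXES set is a stand-in for the real Public Suffix List and the function names are my own; the sample links are built from the hostnames quoted in the two posts.

```python
import re
from urllib.parse import urlsplit

# Stand-in for the Public Suffix List (assumption: only the suffixes this example needs).
PUBLIC_SUFFIXES = {"com", "org", "net", "info", "eu", "ru", "co.uk", "org.uk", "me.uk"}

_URL_LIKE = re.compile(r"(https?://)?[a-z0-9.-]+\.[a-z]{2,}(/\S*)?")


def registrable_domain(host: str) -> str:
    """The part of a hostname somebody actually registered, e.g. fffazsf.org.uk for nacha.org.fffazsf.org.uk."""
    labels = host.lower().rstrip(".").split(".")
    for n in (2, 1):  # try a two-label suffix such as org.uk first, then a one-label one
        if len(labels) > n and ".".join(labels[-n:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[-(n + 1):])
    return ".".join(labels)


def host_of(url: str) -> str:
    """Hostname of a URL, tolerating the scheme being omitted as it often is in e-mail text."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()


def looks_like_url(text: str) -> bool:
    return _URL_LIKE.fullmatch(text.strip().lower()) is not None


def assess_link(display_text: str, href: str, trusted_brands) -> list:
    """Warnings for a link as shown in a mail: brand used as a subdomain, or display text not matching the target."""
    warnings = []
    href_host = host_of(href)
    href_domain = registrable_domain(href_host)
    for brand in trusted_brands:
        brand = brand.lower()
        # The brand is only a leading label; whoever registered href_domain controls the host.
        if href_host.startswith(brand + ".") and href_domain != brand:
            warnings.append(f"'{brand}' appears as a subdomain of '{href_domain}', which is the domain really in control")
    if looks_like_url(display_text):
        shown = host_of(display_text)
        if registrable_domain(shown) != href_domain:
            warnings.append(f"link text shows '{shown}' but the link goes to '{href_host}'")
    return warnings


if __name__ == "__main__":
    samples = [
        ("Unauthorized ACH Transaction Report", "http://nacha.org.fffazsf.org.uk/", {"nacha.org"}),
        ("http://blahblah.tld/owa/service_directory/settings.php",
         "http://blahblah.tld.polikka.eu/owa/service_directory/settings.php", {"blahblah.tld"}),
        ("www.nacha.org", "https://www.nacha.org/", {"nacha.org"}),
    ]
    for shown, target, brands in samples:
        print(target, "->", assess_link(shown, target, brands) or ["no warnings"])
```

The registrable-domain step is the one that matters: string-matching "nacha.org" anywhere in the host would pass the forged link, whereas asking which label is the registered one immediately exposes fffazsf.org.uk and polikka.eu as the parties in control.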
Suspect ad network leads to PDF exploit
This was picked up from an ad apparently running on grooveshark.com
An ad from ad.technoratimedia.com loads an ad from ad.yieldmanager.com.. so far, pretty normal.
The next step is:
ads.bootcampmedia.com/servlet/ajrotator/790744/0/vh?ajecscp=1254835789307&z=BootCamp&dim=335848
This domain is protected by DomainsByProxy, was registered in December 2007 and is hosted on 208.113.133.105.
The site has the following contact details:
Address
Bootcamp Media
121 Wyndham St. N.
Suite 202
Guelph, Ontario, Canada
N1H 4E9
Phone
1-519-515-0094
Fax
1-519-515-0151
Bootcampmedia.com has a near-zero profile, but it may well be a legitimate company.
After this, the visitor starts to go well off the beaten track. The next hop is traffic.firedogred.com/content?campaign=1219131&sz=2
firedogred.com is registered to:
Registrant:
Domain Owner
15156 SW 5th
Scottsdale, Arizona 85260
United States
Registered through: GoDaddy.com, Inc. (http://www.godaddy.com)
Domain Name: FIREDOGRED.COM
Created on: 15-Sep-09
Expires on: 15-Sep-10
Last Updated on: 15-Sep-09
Administrative Contact:
Owner, Domain trafficbuyer@gmail.com
15156 SW 5th
Scottsdale, Arizona 85260
United States
(800) 555-1212 Fax --
Technical Contact:
Owner, Domain trafficbuyer@gmail.com
15156 SW 5th
Scottsdale, Arizona 85260
United States
(800) 555-1212 Fax --
That email address of trafficbuyer@gmail.com is well known. The subdomain traffic.firedogred.com is dual-homed on 207.57.97.233 and 161.58.56.25 (both NTT America, Inc).
The next hop is show.sheathssubtotal.info/rotate?m=3;b=2;c=0;z=406377
sheathssubtotal.info was registered on 17th September with the same "trafficbuyer@gmail.com" contact details as firedogred.com.
show.sheathssubtotal.info is dual homed on 140.174.93.100, 161.58.192.228 (both NTT America, Inc).
Yet another hop, this time to content.neighbanner882.info/track/3388081/S_SE?{munged}
neighbanner882.info was created on 7th August 2009, registered to trafficbuyer@gmail.com (again). content.neighbanner882.info is hosted on 69.164.196.55 at some outfit called Linode.
Yet another hop, this time to winckag.com, which is currently down but was hosted on 89.149.251.71 (Netdirekt E.k), who are pretty well known for hosting bad sites (but they may well have nuked this one already, and if so.. well done!)
The owners of winckag.com have something to hide:
Registrant:
Contactprivacy.com
96 Mowat Ave
Toronto, ON M6K 3M1
CA
Domain name: WINCKAG.COM
Administrative Contact:
contactprivacy.com, winckag.com@contactprivacy.com
96 Mowat Ave
Toronto, ON M6K 3M1
CA
+1.4165385457
Technical Contact:
contactprivacy.com, winckag.com@contactprivacy.com
96 Mowat Ave
Toronto, ON M6K 3M1
CA
+1.4165385457
Registration Service Provider:
domainsnext.com, Sales@DomainsNext.com
+1.9494979623
This company may be contacted for domain login/passwords,
DNS/Nameserver changes, and general domain support questions.
Registrar of Record: TUCOWS, INC.
Record last updated on 04-Oct-2009.
Record expires on 04-Oct-2010.
Record created on 04-Oct-2009.
Registrar Domain Name Help Center:
http://domainhelp.tucows.com
Domain servers in listed order:
NS1.WINCKAG.COM 200.63.45.62
NS2.WINCKAG.COM 200.63.45.62
This loads an image from img.sheathssubtotal.info/120x600/54019.gif, multi-homed on 174.143.241.174, 174.143.243.90 and 174.143.243.162 (some sort of cloud hosting), and then loads the following:
winckag.com/base/data/p29.php
winckag.com/base/data/vou.png
Those nameservers on 200.63.45.62 are interesting: that is PanamaServer.com, who are well known for supporting malware. Note that both NS1 and NS2 sit on the same single IP, so there is no real nameserver redundancy at all.
Finally, winckag.com appears to try to load a Troj/PDFJs-DY trojan (a malicious PDF carrying JavaScript) onto the victim's machine.
You should certainly avoid ads running on firedogred.com, sheathssubtotal.info, neighbanner882.info, winckag.com or any domain registered to trafficbuyer@gmail.com. Make up your own mind about Boot Camp Media - these small ad networks are very often targeted by the bad guys, but they really need to get their act together.
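The chain above was unpicked by hand, pivoting on one registrant email and noticing how new every domain was. As an added example (not code from the original post), here is the same triage automated in Python over constructed whois excerpts modelled on the two record formats quoted above: it pulls contact emails, creation dates and nameserver glue out of each record, groups domains by shared email, flags registrations younger than a threshold, and spots nameservers that all sit on one IP. The analysis date is an assumption; pass the date of your own capture.

```python
import re
from collections import defaultdict
from datetime import date, datetime

# Constructed whois excerpts modelled on the two record formats quoted in the post
# (GoDaddy-style "Created on:" and Tucows-style "Record created on"). Contact
# emails, dates and glue records are the ones reproduced above; everything else
# is trimmed. Sample input only, not live whois output.
WHOIS_SAMPLES = {
    "firedogred.com": """Registrant:
Domain Owner
Created on: 15-Sep-09
Expires on: 15-Sep-10
Administrative Contact:
Owner, Domain trafficbuyer@gmail.com
""",
    "sheathssubtotal.info": """Created on: 17-Sep-09
Administrative Contact:
Owner, Domain trafficbuyer@gmail.com
""",
    "winckag.com": """Registrant:
Contactprivacy.com
Administrative Contact:
contactprivacy.com, winckag.com@contactprivacy.com
Record created on 04-Oct-2009.
Domain servers in listed order:
NS1.WINCKAG.COM 200.63.45.62
NS2.WINCKAG.COM 200.63.45.62
""",
}

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
# Matches "Created on: 15-Sep-09" and "Record created on 04-Oct-2009." but not
# "Expires on:" or "Last Updated on:".
CREATED_RE = re.compile(r"created on:?\s*(\d{1,2}-[A-Za-z]{3}-\d{2,4})", re.I)
NS_RE = re.compile(r"^\s*(NS\d+\.\S+)\s+(\d{1,3}(?:\.\d{1,3}){3})\s*$", re.I | re.M)

def parse_created(text):
    """Return the creation date, handling two- and four-digit years."""
    m = CREATED_RE.search(text)
    if not m:
        return None
    raw = m.group(1)
    fmt = "%d-%b-%Y" if len(raw.rsplit("-", 1)[1]) == 4 else "%d-%b-%y"
    return datetime.strptime(raw, fmt).date()

def parse_whois(domain, text):
    return {
        "domain": domain,
        "emails": sorted({e.lower() for e in EMAIL_RE.findall(text)}),
        "created": parse_created(text),
        "nameservers": NS_RE.findall(text),
    }

def pivot_by_email(records):
    """Group domains by contact address; a shared address ties the hops together."""
    groups = defaultdict(list)
    for r in records:
        for e in r["emails"]:
            groups[e].append(r["domain"])
    return dict(groups)

def young_domains(records, as_of, max_age_days=60):
    """(domain, age in days) for registrations no older than max_age_days at as_of."""
    return [(r["domain"], (as_of - r["created"]).days)
            for r in records
            if r["created"] and (as_of - r["created"]).days <= max_age_days]

def single_ip_nameservers(record):
    """True when several nameservers are listed but all share one glue IP."""
    ips = {ip for _, ip in record["nameservers"]}
    return len(record["nameservers"]) > 1 and len(ips) == 1

RECORDS = [parse_whois(d, t) for d, t in WHOIS_SAMPLES.items()]
AS_OF = date(2009, 10, 6)  # assumed analysis date; use the date of your own capture

if __name__ == "__main__":
    for email, domains in pivot_by_email(RECORDS).items():
        print(f"{email}: {', '.join(domains)}")
    for domain, age in young_domains(RECORDS, AS_OF):
        print(f"{domain} registered {age} days before capture")
    for r in RECORDS:
        if single_ip_nameservers(r):
            print(f"{r['domain']}: all nameservers on {r['nameservers'][0][1]}")
```

Domain age on its own proves nothing, but an ad chain where every hop past the network was registered in the previous few weeks, by one address, is exactly the shape a practitioner should treat as hostile until shown otherwise.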
Labels:
Linode,
Malvertising,
Malware,
PDFs
Tuesday, 13 October 2009
Piradius.net running Zbot infrastructure servers
Piradius.net appears to be up to its dark grey hat antics again with a server at 124.217.251.179 which is providing services to the current run of Zbot trojans, as seen (for example) with this recent ThreatExpert report.
Robtex reports that the server is also being used as the NS for a number of Zbot related domains, notably x2dns.ru, cedns.ru, updata-1.com, admin-systems.com, db-1.net, upd01.net, ssl-updates.net and several others connected with this spam run. 124.217.251.179 is also the download server for various Zbot components.
Although Piradius.net probably has many legitimate customers (primarily from Malaysia, Thailand and South-East Asia), it seems to have a lot of bad ones too (including Yohost.org). Prudent network administrators may want to consider blocking 124.217.224.0 - 124.217.255.255 which will probably not cause too many problems.
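Turning the suggested range into something a firewall will accept is the usual stumbling point: the range is written as first and last address, and rounding it by eye to a prefix can over- or under-block. As an added example (not from the original post), this Python block collapses an inclusive range into the exact set of CIDR prefixes, confirms the Zbot server falls inside and the neighbouring addresses outside, and renders iptables rules. It also shows a non-aligned range, which needs several prefixes; the boundary addresses used for the checks are constructed test values.

```python
import ipaddress

# The range the post suggests blocking, as written (inclusive first and last address).
PIRADIUS_RANGE = ("124.217.224.0", "124.217.255.255")

def range_to_cidrs(first, last):
    """Collapse an inclusive address range into the fewest CIDR prefixes that
    cover exactly that range. A range not aligned to a prefix boundary needs
    more than one prefix; squeezing it into one would over- or under-block."""
    return [str(n) for n in ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last))]

def covered_addresses(cidrs):
    """How many addresses the rule set blocks (a rough measure of collateral)."""
    return sum(ipaddress.ip_network(c).num_addresses for c in cidrs)

def is_blocked(ip, cidrs):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c) for c in cidrs)

def check_coverage(cidrs, indicator_ips):
    """Indicator addresses the prefixes would NOT catch (should be empty)."""
    return [ip for ip in indicator_ips if not is_blocked(ip, cidrs)]

def iptables_rules(cidrs, chain="INPUT"):
    """Render the prefixes as iptables DROP rules, one per prefix."""
    return [f"iptables -A {chain} -s {c} -j DROP" for c in cidrs]

# The Zbot server named in the post, plus constructed boundary addresses just
# outside the range that must stay reachable.
INDICATORS = ["124.217.251.179"]
OUTSIDE = ["124.217.223.255", "124.218.0.0", "203.0.113.1"]

if __name__ == "__main__":
    cidrs = range_to_cidrs(*PIRADIUS_RANGE)
    print(cidrs, covered_addresses(cidrs), "addresses")
    print("missed indicators:", check_coverage(cidrs, INDICATORS))
    print("collateral:", [ip for ip in OUTSIDE if is_blocked(ip, cidrs)])
    print("\n".join(iptables_rules(cidrs)))
    # A range that does not sit on a prefix boundary expands to several prefixes.
    print(range_to_cidrs("124.217.230.0", "124.217.240.255"))
```

The quoted range happens to be a clean /19 (8192 addresses), so one rule does it; the second call shows why the conversion should never be done by hand for an arbitrary range.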
Labels:
Piradius.net,
Zbot
Wednesday, 7 October 2009
Orwellian Black Opel
I thought I'd get a photo of the Google Streetview car while it was having a rest.. and before it got me :)
Labels:
Google Maps,
Google Streetview
Tuesday, 6 October 2009
htmlads.ru injection attack
Another injection attack, following on from this one: htmlads.js looks like it is being injected into IIS 6.0 servers. In this case the string to look for in your logs is htmlads.js/ads.js, which is worth checking for and blocking if you can.
For the record, the domain registration details are:
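A plain grep for the string is a fine first pass, but it misses requests where the payload arrived percent-encoded, and it tells you nothing about whether your pages are already serving the script. As an added example (not code from the original post), this Python block parses IIS 6.0 W3C extended log lines by their #Fields header, decodes each request URL before matching the indicators the post names, and separately scans served HTML for external script tags pointing at them. The log lines and page body are constructed sample input, not real traffic.

```python
import re
from urllib.parse import unquote

# Indicator strings taken from the post: the domain and the script names it says to
# look for. "ads.js" on its own is noisy (many sites serve a file by that name), so
# review those hits rather than blocking on them blindly.
INDICATORS = ("htmlads.ru", "htmlads.js", "ads.js")

# Constructed IIS 6.0 W3C extended log excerpt (sample input, not real traffic).
# The second request carries a percent-encoded script tag in cs-uri-query with the
# dots encoded too, so grepping the raw file for "htmlads.ru" would miss it.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 6.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2009-10-06 10:01:02 10.0.0.5 GET /default.asp - 80 - 192.0.2.10 Mozilla/4.0+(compatible;+MSIE+7.0) 200
2009-10-06 10:01:09 10.0.0.5 GET /products.asp q=%3Cscript+src%3Dhttp%3A%2F%2Fhtmlads%2Eru%2Fads%2Ejs%3E%3C%2Fscript%3E 80 - 198.51.100.7 Mozilla/4.0+(compatible;+MSIE+7.0) 500
2009-10-06 10:02:15 10.0.0.5 GET /images/logo.gif - 80 - 192.0.2.11 Mozilla/4.0+(compatible;+MSIE+7.0) 200
"""

# Constructed page body with an external script appended after </html>, the shape
# an injected page presents to its visitors.
SAMPLE_PAGE = ('<html><body><h1>Welcome</h1><script src="/js/site.js"></script></body></html>'
               '<script src=http://htmlads.ru/ads.js></script>')

def parse_w3c(log_text):
    """Yield one dict per request, keyed by the names in the #Fields directive."""
    fields = None
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        parts = line.split(" ")
        if fields and len(parts) == len(fields):
            yield dict(zip(fields, parts))
        else:
            yield {"raw": line}  # malformed or header-less line; still scanned as text

def decode_request(entry):
    """Rebuild the requested URL and percent-decode it twice to defeat double encoding."""
    if "raw" in entry:
        return entry["raw"]
    stem = entry.get("cs-uri-stem", "")
    query = entry.get("cs-uri-query", "-")
    url = stem if query == "-" else f"{stem}?{query}"
    return unquote(unquote(url.replace("+", " ")))

def flag_requests(log_text, indicators=INDICATORS):
    """Requests whose decoded URL contains any indicator string."""
    hits = []
    for entry in parse_w3c(log_text):
        url = decode_request(entry)
        matched = [i for i in indicators if i in url.lower()]
        if matched:
            hits.append({
                "time": f"{entry.get('date', '?')} {entry.get('time', '?')}",
                "client": entry.get("c-ip", "?"),
                "status": entry.get("sc-status", "?"),
                "url": url,
                "indicators": matched,
            })
    return hits

SCRIPT_SRC_RE = re.compile(r"<script[^>]*\bsrc\s*=\s*[\"']?([^\"'\s>]+)", re.I)

def find_injected_scripts(html, indicators=INDICATORS):
    """External script sources in a served page that reference an indicator."""
    return [src for src in SCRIPT_SRC_RE.findall(html)
            if any(i in src.lower() for i in indicators)]

if __name__ == "__main__":
    for hit in flag_requests(SAMPLE_LOG):
        print(f"{hit['time']} {hit['client']} {hit['status']} {hit['url']} <- {hit['indicators']}")
    print("injected scripts:", find_injected_scripts(SAMPLE_PAGE))
```

Run the first function over the day's log files and the second over the pages the server actually returns (fetch them, do not read the files off disk, since an injection may live in a database-backed template rather than a static file). The raw log never contains "htmlads.ru" as plain text, yet the decoded request does.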
domain: HTMLADS.RU
type: CORPORATE
nserver: ns1.htmlads.ru. 75.34.216.140
nserver: ns2.htmlads.ru. 216.119.45.147
nserver: ns3.htmlads.ru. 72.48.193.152
nserver: ns4.htmlads.ru. 71.108.37.140
state: REGISTERED, DELEGATED, UNVERIFIED
person: Private person
phone: +7 496 4047474
e-mail: tau@8081.ru
registrar: REGRU-REG-RIPN
created: 2009.10.05
paid-till: 2010.10.05
source: TC-RIPN
Monday, 5 October 2009
Are your personal details on Jigsaw.com?
An interesting post caught my eye about a site called Jigsaw.com over at the CluBlog. It's a sort of collective where people trade other people's business card information, and it might well be the reason why my number of irrelevant direct marketing calls has gone through the roof.
The blog post also usefully tells you how to remove your details - recommended reading!
Labels:
Privacy