According to McAfee, the attack on Google and several other tech companies that led to the likelihood that Google will quit China was called "Aurora" by the bad guys.
The cruiser "Aurora" signalled the start of the Russian Revolution in St Petersburg in 1917. I wonder if this name was chosen deliberately when the attackers targeted some of the West's biggest tech companies?
Friday, 15 January 2010
Thursday, 14 January 2010
More malvertisement domains
The malicious ads were running through (and I understand now terminated by) bootcampmedia.com, related to this post, according to commenter cerdo:
traffic.worldseescolor.com
69.164.215.208, 69.164.215.210, 69.164.215.205, 69.164.215.207, 69.164.215.204 [Linode]
deliver.bailagequinismregrow.com
74.207.232.205, 74.207.232.250, 74.207.232.249, 74.207.232.248, 74.207.232.203, 74.207.232.30, 74.207.232.206, 74.207.232.31, 74.207.232.39, 74.207.232.25, 74.207.232.202, 74.207.232.35 [Linode]
img.bailagequinismregrow.com
174.143.243.220, 98.129.238.102, 98.129.238.106, 98.129.236.239, 174.143.245.236, 98.129.237.14, 174.143.242.109, 174.143.243.90, 98.129.236.154, 98.129.238.101, 98.129.238.112, 98.129.236.254, 174.143.241.174, 98.129.238.105, 98.129.238.103, 174.143.243.162, 174.143.242.58, 98.129.238.99 [Slicehost / Rackspace]
content.cabullacoexertstephen.com
69.164.196.55 [Linode]
aanserver88.com
67.225.149.152 [Liquid Web]
bonnapet.com
Was 217.20.114.40 [Netdirekt / internetserviceteam.com] now appears to be down.
afkenai.com
195.2.253.93 [Madet Ltd, Moscow]
bfskul.com
195.2.253.93 [Madet Ltd, Moscow]
I don't have the full trace of these, so it's not exactly clear what these domains are doing in the reported chain.
Blogger cerdo said...
bootcampmedia.com was also likely hosting a malicious campaign yesterday afternoon, and perhaps still ongoing. I'd contact you Jamie, but I don't have contact info for you. This all is clearly closely related to Dynamoo's post...
traffic.worldseescolor.com is an obvious bad actor. The other related domains:
deliver.bailagequinismregrow.com
img.bailagequinismregrow.com
content.cabullacoexertstephen.com
as well as:
aanserver88.com
bonnapet.com
afkenai.com
bfskul.com
Worth checking your logs for and blocking in case they turn up on another network. Checking IPs comes up with:
14 January 2010 18:40
Blogger cerdo said...
Yep - saw traffic.worldseescolor.com via bootcamp again less than 30 minutes ago.
Related sites, accessed immediately after traffic.worldseescolor.com:
deliver.boaterdunnagechicot.com
img.boaterdunnagechicot.com
14 January 2010 18:45
Labels:
Linode,
Malvertising,
Trojans,
Viruses
More malicious OWA domains
In addition to these and these.
- yht30.net.pl
- yht36.com.pl
- yht37.com.pl
- yht38.com.pl
- yht39.net.pl
- yht3e.net.pl
- yht3q.net.pl
- yht3r.pl
- yht3t.pl
- yht3w.net.pl
Wednesday, 13 January 2010
And there's more..
More domains relating to this Zbot attack:
Convincing-looking OWA fake leads to PDF exploit
These are getting spammed out at the moment:
From: automailer@blahblah.blah [mailto:automailer@blahblah.blah]
Sent: 13 January 2010 11:08
To: Victim Username
Subject: The settings for the username@blahblah.blah mailbox were changed
Dear user of the blahblah.blah mailing service!
We are informing you that because of the security upgrade of the mailing service your mailbox (username@blahblah.blah) settings were changed. In order to apply the new set of settings click on the following link:
http://blahblah.blah/owa/service_directory/settings.php?email=username@blahblah.blah&from=blahblah.blah&fromname=username
Best regards, blahblah.blah Technical Support.
Letter ID#NGTS7OTY8XPZX8FEUYTTTZ1PF
The displayed link isn't the actual link; underneath, it points to something like:
http://blahblah.blah.vcrtp21.eu/owa/service_directory/settings.php?email=username@blahblah.bah&from=blahblah.blah&fromname=username
Clicking through the link takes you to a convincing-looking OWA (Outlook Web Access) forgery page, populated with the victim's domain name and email address.
There are two exploits on the page. The first is a drive-by download of an infected PDF file called pdf.pdf, for which VirusTotal detection is only 10/41 (McAfee detects it as Exploit-PDF.ac; various others detect it under other names). The executable file you are directed to download is also a bit patchy on detections.
Sender names include:
- operator@
- support@
- notifications@
- no-reply@
- system@
- alert@
- info@
Subjects include:
- The settings for the blah@blah.blah mailbox were changed
- The settings for the blah@blah.blah were changed
- A new settings file for the blah@blah.blah mailbox
- A new settings file for the blah@blah.blah has just been released
- For the owner of the blah@blah.blah e-mail account
- For the owner of the blah@blah.blah mailbox
Some domains in use on this are:
- vcrtp1.eu
- vcrtp21.eu
- vcrtprsa21.eu
- vcrtpsa21.eu
- vcrtrsa21.eu
- vcrtrsr21.eu
- vcrtrsrp2.eu
- vcrtrsrp21.eu
Domains are on a fast flux botnet, so there's no point listing IPs. However, nameservers are as follows:
ns1.raddoor.com
84.243.201.159 [Netrouting Data Facilities, Amsterdam]
ns2.raddoor.com
71.123.51.158 [Verizon Internet Services Inc, Aston]
ns1.elkins-realty.net
84.243.201.159 [Netrouting Data Facilities, Amsterdam]
ns2.elkins-realty.net
71.123.17.61 [Verizon Internet Services Inc, Whitesboro]
WHOIS details are fake:
Name: Quezada, Ramon
Address:
1800 N. Bayshore Drive
33132 Roma
Roma
Italy
Email: wawddhaepny@yahoo.com
Registrant details for raddoor.com are probably bogus:
edmund pang
figarro77@gmail.com
751 kinau st. #30
honolulu
HI
96813
US
Phone: +1.8085362450
Registration details for elkins-realty.net are DEFINITELY bogus:
Name : B O
Organization : B O
Address : 123 elm str.
City : Los Angeles
Province/State : beijing
Country :
Postal Code : 23456
Phone Number : 86--8586104812
Fax : 86--8586104819
Email : BO.la@yahoo.com
Once exploited, the machine probably ends up infected with a Zbot variant, as in these two previous examples.
More on malvertisements running through Bootcampmedia.com
Sandi at Spyware Sucks has a closer look at the malvertisements running through Bootcampmedia.com and comes up with some more details, following up from this post yesterday.
In this case the endpoint of the infection has switched to bonnapet.com hosted on 217.20.114.40 which is hosted by netdirekt e.K. / internetserviceteam.com, hardly surprising as they are one of the more common havens for crimeware. The internetserviceteam.com name appears to be a sub-brand used for black hat hosting .. perhaps it is time for a visit from the Bundespolizei?
Labels:
Bogus Ads,
Malvertising
Tuesday, 12 January 2010
BoingBoing.net / Bootcampmedia.com ad leads to malware
A malicious ad running on BoingBoing.net is delivering visitors to a PDF exploit.
Given the complicated state of advertising arbitrage, it is unlikely that BoingBoing.net have much control over it. The ad appears to be loading in from ad.yieldmanager.com (which is Yahoo!) and/or ad.z5x.net (DSNR Media Group) both of which are hosted on the same multihomed IP addresses.
The ad itself (pictured) appears to be some sort of get-rich-quick scheme or other.
This ad then directs through ads.bootcampmedia.com/servlet/ajrotator/790744/0/vh?z=BootCamp&dim=335848 to traffic.firedogred.com/content?campaign=1219131&sz=2 (this combination of bootcampmedia.com and firedogred.com has been noted before)
The ad then hops to deliver.amerchibchapowered.com/rotate?m=5;b=2;c=1;z=243826 then content.baalcootymalachi.com/track/3388182/S_SE?[snip] loading an image from img.amerchibchapowered.com along the way.
Finally, the visitor is directed to chohivyb.info/cgi-bin/aer/[snip] which contains an exploit detected as Troj/PDFJs-GI by Sophos.
"Boot Camp Media" is run by a guy called Jamie Dalgetty of Guelph, Ontario in Canada. It's unlikely that he's a bad guy; more likely his ad network is being exploited by a malicious third party.
traffic.firedogred.com is rather more interesting, multihomed on 69.164.215.204, 69.164.215.205, 69.164.215.207, 69.164.215.208 and 69.164.215.210 at Linode, New Jersey. The domain firedogred.com is slightly interesting:
Registrant:
Domain Owner
15156 SW 5th
Scottsdale, Arizona 85260
United States
Registered through: GoDaddy.com, Inc. (http://www.godaddy.com)
Domain Name: FIREDOGRED.COM
Created on: 15-Sep-09
Expires on: 15-Sep-10
Last Updated on: 15-Sep-09
Administrative Contact:
Owner, Domain trafficbuyer@gmail.com
15156 SW 5th
Scottsdale, Arizona 85260
United States
(800) 555-1212 Fax --
Technical Contact:
Owner, Domain trafficbuyer@gmail.com
15156 SW 5th
Scottsdale, Arizona 85260
United States
(800) 555-1212 Fax --
Domain servers in listed order:
NS57.DOMAINCONTROL.COM
NS58.DOMAINCONTROL.COM
trafficbuyer@gmail.com has been used for these malicious domains for some months and is well known.
deliver.amerchibchapowered.com is also multihomed at Linode on 74.207.232.250, 74.207.232.25, 74.207.232.30, 74.207.232.31, 74.207.232.35, 74.207.232.39, 74.207.232.202, 74.207.232.203, 74.207.232.205, 74.207.232.206, 74.207.232.248 and 74.207.232.249. The domain was registered on 7th January 2010 and is hidden by DomainsByProxy.
content.baalcootymalachi.com is hosted on 69.164.196.55 at Linode again, and was likewise registered on 7th January via DomainsByProxy.
img.amerchibchapowered.com is hosted on a large number of servers at 174.143.243.90, 174.143.243.162, 174.143.243.220, 174.143.245.236, 98.129.236.154, 98.129.236.239, 98.129.236.254, 98.129.237.14, 98.129.238.99, 98.129.238.101, 98.129.238.102, 98.129.238.103, 98.129.238.105, 98.129.238.106, 98.129.238.112, 174.143.241.174, 174.143.242.58, 174.143.242.109 - these are all hosted at Slicehost.com which is a customer of Rackspace.
Finally, chohivyb.info is hosted on 216.150.79.74 which is some outfit called ezzi.net of New York owned by another outfit called AccessIT. No prizes for guessing that chohivyb.info has been registered only very recently with anonymous details.
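The redirect chain just described, rebuilt from web-proxy logs so that the ad network that let the creative in and the redirector hosts to block fall out automatically. This is an added Python example, not code from the original post: the tab-separated log format and the log lines are constructed (only the hostnames come from the post), and it assumes each hop is an iframe or script load so that its Referer is the previous hop; pure 302 redirects keep the publisher page as Referer and would need the proxy's response codes instead.

```python
"""Rebuild a malvertising redirect chain from proxy logs by walking Referers
backwards from any request that reached an exploit host.
Added example; not code from the original post."""
from collections import defaultdict
from dataclasses import dataclass
from urllib.parse import urlparse

EXPLOIT_HOSTS = {"chohivyb.info"}  # final hop serving the PDF exploit
AD_NETWORK_HOSTS = {"ad.yieldmanager.com", "ad.z5x.net", "ads.bootcampmedia.com"}


@dataclass
class Hit:
    ts: str
    client: str
    url: str
    referer: str  # "" when the request carried no Referer

    @property
    def host(self) -> str:
        return urlparse(self.url).hostname or ""


def parse_log(text: str) -> list:
    """Parse the constructed tab-separated format: time, client, URL, Referer|-."""
    hits = []
    for line in text.strip().splitlines():
        ts, client, url, referer = line.split("\t")
        hits.append(Hit(ts, client, url, "" if referer == "-" else referer))
    return hits


def rebuild_chains(hits: list) -> list:
    """For every request that reached an exploit host, follow Referers back
    through the same client's earlier requests.  Returns host chains, oldest
    hop first.  Side loads such as the tracking image are not on the path."""
    by_client = defaultdict(dict)  # client -> url -> Hit (latest wins)
    for h in hits:
        by_client[h.client][h.url] = h
    chains = []
    for h in hits:
        if h.host not in EXPLOIT_HOSTS:
            continue
        chain, cur, seen = [h.host], h, set()
        while cur.referer and cur.referer not in seen:
            seen.add(cur.referer)
            prev = by_client[cur.client].get(cur.referer)
            if prev is None:  # referrer never fetched through this proxy
                chain.append(urlparse(cur.referer).hostname or "")
                break
            chain.append(prev.host)
            cur = prev
        chains.append(chain[::-1])
    return chains


def summarise(chain: list) -> dict:
    """Split a chain into who to notify (ad networks) and what to block."""
    return {
        "publisher": chain[0],
        "ad_networks": [h for h in chain if h in AD_NETWORK_HOSTS],
        "redirectors": [h for h in chain[1:-1] if h not in AD_NETWORK_HOSTS],
        "exploit_host": chain[-1],
    }


# Constructed log lines; URL paths not quoted in the post are placeholders.
LOG = """\
2010-01-12T10:00:01\t192.0.2.10\thttp://boingboing.net/\t-
2010-01-12T10:00:02\t192.0.2.10\thttp://ad.yieldmanager.com/ad\thttp://boingboing.net/
2010-01-12T10:00:02\t192.0.2.10\thttp://ads.bootcampmedia.com/servlet/ajrotator/790744/0/vh?z=BootCamp&dim=335848\thttp://ad.yieldmanager.com/ad
2010-01-12T10:00:03\t192.0.2.10\thttp://traffic.firedogred.com/content?campaign=1219131&sz=2\thttp://ads.bootcampmedia.com/servlet/ajrotator/790744/0/vh?z=BootCamp&dim=335848
2010-01-12T10:00:03\t192.0.2.10\thttp://deliver.amerchibchapowered.com/rotate?m=5;b=2;c=1;z=243826\thttp://traffic.firedogred.com/content?campaign=1219131&sz=2
2010-01-12T10:00:04\t192.0.2.10\thttp://img.amerchibchapowered.com/creative.gif\thttp://deliver.amerchibchapowered.com/rotate?m=5;b=2;c=1;z=243826
2010-01-12T10:00:04\t192.0.2.10\thttp://content.baalcootymalachi.com/track/3388182/S_SE\thttp://deliver.amerchibchapowered.com/rotate?m=5;b=2;c=1;z=243826
2010-01-12T10:00:05\t192.0.2.10\thttp://chohivyb.info/cgi-bin/aer/\thttp://content.baalcootymalachi.com/track/3388182/S_SE
2010-01-12T10:00:09\t192.0.2.11\thttp://boingboing.net/\t-
"""

if __name__ == "__main__":
    for chain in rebuild_chains(parse_log(LOG)):
        print(" -> ".join(chain))
        print(summarise(chain))
```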
216.150.79.74 is a well-known malware server, and that hosts the following domains which you can assume are malicious:
Obviously block or null-route these destinations as you feel fit, and do not purchase any ads from firedogred.com!
Added: You probably want to block these too..
216.150.79.76
216.150.79.77
Labels:
Bogus Ads,
Linode,
Malvertising,
Viruses
Thursday, 7 January 2010
"Testkauf" - German language "mystery shopper" scam
For some reason, I've been getting a lot of these German-language spams, mostly originating from Brazil..
Subject: Testkauf
Mitarbeiter fuer Testeinkauf bundesweit gesucht.
Bewerbung bitte an blahblah@yahoo.de
This roughly translates as:
Subject: Test Shopping
Searching nationwide for employees to do test purchasing.
To apply, please contact blahblah@yahoo.de
In each case, the headers contain a fake "from" address, the Yahoo! email address changes constantly.. and the mail seems to come from Brazil. This is most likely just a version of the mystery shopper scam, and should be avoided.
Labels:
Germany,
Job Offer Scams,
Mystery Shopper,
Scams,
Spam
Tuesday, 22 December 2009
mailbox-email.com scam
Part of a long running dating scam, mailbox-email.com looks like a free email service, but isn't. Hosted on 222.170.127.122 in China, the server also hosts various fake dating and prescription sites.
All of these following sites are some scam or another, avoid them:
Labels:
Dating Scams,
Fake Pharma,
Scams,
Spam
Tuesday, 15 December 2009
Piradius.Net / Adobe Zero-Day threat
Another good reason not to have Adobe Reader on your PC - the ISC is reporting yet another zero-day threat being exploited by the bad guys, using the domain foruminspace.com.
And guess who is hosting it.. yes, our old friends at Piradius.net, going to show just how dark grey their hat is and demonstrating another very good reason to block 124.217.224.0 - 124.217.255.255.
Labels:
Adobe,
Piradius.net,
Zero Day
Saturday, 5 December 2009
"freeemailnow.net" scam
The domain freeemailnow.net looks like.. well, it looks like a free e-mail provider. But it isn't, it's part of some sort of fraudulent scheme, most likely a dating scam.
The pitch arrives something like this:
Subject: your profile
From: "Pasquale Clay"
Date: Fri, December 4, 2009 11:55 pm
Hey!
I know you don't know me, but I'd like to get to know you.
I stumbled upon your contact information, am looking for a chat friend and maybe more.
Write me back at: snowfall1@freeemailnow.net
I am anxious to talk with you
The registration details for freeemailnow.net are anonymous; nameservers are ns1.netherlandsdns.com and ns2.netherlandsdns.com, both on 222.170.127.122 in China along with freeemailnow.net itself.
A look at the SOA records points to ns1.netherlandsdns.com and admin.affilnet.net - affilnet.net is familiar, indicating that this is a re-run of the warmfuzzylove.com scam but again annoyingly missing a picture of a pretty Russian girl.
There's a bunch of fake pharma sites sharing the same server:
Labels:
Dating Scams,
Fake Pharma,
Scams,
Spam
Thursday, 3 December 2009
"Bank of England" scam email
This is some sort of fraud or phishing attempt, the email originates from richardscott269@msn.com but solicits replies to richardscott555@rediffmail.com - both of these are free email providers, and I'm pretty sure that the Bank of England can afford its own email servers. Avoid.
Subject: Payment Notification
From: "Richard Scott" <richardscott269@msn.com>
Date: Thu, December 3, 2009 10:12 pm
From: Richard Scott
International Settlement Dept.
Bank of England
http://www.bankofengland.co.uk/
Ref: BOE/ISD/ACD/4556/09
ATTN :
The International Settlement department of Bank of England is obligated to contact you for the immediate release of your fund whose account has become dormant and subsequently transferred to this department as unclaimed fund. Our findings have revealed that the problem behind your inability to have received your fund from the corresponding bank resulted from lack of transparency, insincerity and incessant demand for money by your representative(s) for unusual payments. We have therefore decided to establish a direct transfer payment system (DIPS) with you for the prompt release of your funds without any hitch.
We therefore request that you respond to this email immediately (forwarding your direct contact telephone number) to enable us to proceed with the release of your fund accordingly.
Yours in service,
Richard Scott.
Wednesday, 2 December 2009
Incisive Media / writeathomesystems.com spam
Incisive Media is a little-known firm that comprises the rump of the much better known VNU Publications that was sold off into private equity a few years ago.
You might know the name "Incisive Media" through their miserable failure to sustain Personal Computer World which was one of the oldest computer magazines in the world, but they also own several other professional publications.
So, I was a little surprised to see that Incisive now seems to be in the business of sending out get-rich-quick spam.
Subject: Private Equity Europe
From: "Chesther Jane" <mcjane99@gmail.com>
Date: Wed, December 2, 2009 7:21 pm
Respected Friends,
“Who else wants to earn a full-time income writing on the INTERNET? You can start earning money writing online even if you have no prior experience.” If you can write at a 9th grade level, you could easily earn a full time income writing online.
Companies are desperately looking for entry level writers. If you want to start earning money writing at home, this may be the most important page on the Internet you’ll read all year. Right now, you can make really good money, quickly and easily.
http://miniurl.com/22939
Chesther Jane
to unsubscribe reply REMOVE
Thank you for visiting my site!
http://www.incisivemedia.com/public/showPage.html?page=330349
DISCLAIMER
Private Equity Europe and Incisive Media do not take any responsibility for the content of this email
The spam originates from 62.140.213.241 which is an Incisive Media IP address, and a close look at the mail headers shows more evidence:
Message-ID: <02 Dec 2009 19:21 IncisiveMailer@www.incisivemedia.com>
The URL miniurl.com/22939 forwards to Caroline.mikepsanderswri.click2sell.eu which is a laughably pathetic work-at-home scheme on the click2sell.eu affiliate network. To give click2sell.eu some credit, they are pretty good at terminating spammers.. which is why spammers try to mask their affiliate URLs.
I said "laughably pathetic", because you end up at writeathomesystems.com which attempts to recruit people to part with cold hard cash in order to learn how to write and market articles on the web.
Now, I'm not the best writer in the world.. and we all make tpyos now and again, but this one has a howler:
Yes, that says "(Prize will be changed tomorrow from $34.95 to $64.95)" when I'm really pretty sure that they mean "price".
Incidentally, a check of the Google cache shows that it was still referring to a price change "tomorrow" six days ago. I think there's a word for that.
Anyway, despite writeathomesystems.com's truly crappy ad copy and highly dubious marketing techniques, they are not responsible for the spam. And as already mentioned, I know that click2sell.eu are pretty good at terminating spammers... so who is responsible?
Well, obviously the affiliate is responsible.. but also the people who strenuously deny responsibility are right in the frame.. remember the footer from the Incisive Media spam?
DISCLAIMER
Private Equity Europe and Incisive Media do not take any responsibility for the content of this email
That's a bit like saying "I don't take any responsibility for taking a shit in your shoes" even though you have just left a big steaming turd in someone's footwear. And one vital question is.. where did the spammers get their email addresses from? Did Incisive sell them on? Or were they scraped?
Friday, 27 November 2009
"Please design a logo for me. With pie charts. For free."
Classic.. but wait, there's more to this story too! Language possibly NSFW.
This is the guy who tried to pay a bill with a drawing of a spider.
Mystery Google Toothbrush Mystery
Mystery Google is old news for many.. basically you get the search results that the previous person had typed in, and the possibility of being redirected to a malware site seeded by the previous person is a legitimate concern.
Just out of curiosity, I was poking around at it and got the following message:
mission: write a limerick about toothbrushes and send it to randombystander -at- yahoo.com
Of course, there are no matches for "mission: write a limerick about toothbrushes and send it to randombystander -at- yahoo.com".. except there are now that I've blogged about it.
Now, only a complete nutjob would actually follow these instructions. So here's my effort:
There was an old battered toothbrush
It was ancient and didn't get used much
You'd be willing to bet
That because of neglect
The owner's teeth surely are now mush
Well.. it sort of rhymes. Let's see if that mailbox actually exists.. it does! :)
Labels:
Google
Friday, 20 November 2009
"please update your blah@blah.blab mailbox" spam
Another version of the Zbot trojan coming in via email, much like this one.
From: operator@blah.blah Sent: 20 November 2009 15:21
To: Blah
Subject: please update your blah@blah.blah mailbox
Dear owner of the blah@blah.blah mailbox, You have to change the security mode of your account, from standart to secure. Please change the security mode by using the link below:
http://accounts.blah.blah.verzzi.org.uk/webmail/settings/noflash.php?mode=standart&id=[snip]&email=blah@blah.blah
So far verzzi.co.uk and verzzi.org.uk seem to be domains that are used for this, there are probably many others.
Target page is a fake Flash download:
Target file is flashinstaller.exe with patchy or generic detection at best, according to VirusTotal.
ThreatExpert report is here which could be useful if you are trying to disinfect a machine.
When infected, the machine calls home to 193.104.27.42 in the Ukraine, allegedly belonging to "Vladimir Vasulyovich Kamushnoy" but that could be fake.
The Verzzi domains are hosted on a fast flux botnet, so the good news is that it won't be very reliable if some muppet DOES visit the site.
Fake WHOIS details for verzzi.co.uk and verzzi.org.uk:
Domain name:
verzzi.co.uk
Registrant:
Suzanne Mendez
Registrant type:
Non-UK Individual
Registrant's address:
Taylor Street Apt. 22
Wilrijk
2771
Belgium
Registrar:
Webfusion Ltd t/a 123-Reg.co.uk [Tag = 123-REG]
URL: http://www.123-reg.co.uk
Relevant dates:
Registered on: 18-Nov-2009
Renewal date: 18-Nov-2011
Last updated: 19-Nov-2009
Registration status:
Registration request being processed.
Name servers:
ns1.elkinsrealty.net
ns1.winderz.net
elkinsrealty.net is one nameserver domain, with obviously fake WHOIS details
Domain Name : elkinsrealty.net
PunnyCode : elkinsrealty.net
Creation Date : 2009-07-02 19:50:00
Updated Date : 2009-11-20 01:11:11
Expiration Date : 2010-07-02 19:49:56
Registrant:
Organization : Elkins Realty
Name : O Berg
Address : 2150 1st Ave
City : San Diego
Province/State : beijing
Country :
Postal Code : 92101
Administrative Contact:
Name : Elkins Realty
Organization : O Berg
Address : 2150 1st Ave
City : San Diego
Province/State : beijing
Country :
Postal Code : 92101
Phone Number : 86--6195728001
Fax : 86--6195728002
Email : OBerg@gmail.com
Technical Contact:
Name : Elkins Realty
Organization : O Berg
Address : 2150 1st Ave
City : San Diego
Province/State : beijing
Country :
Postal Code : 92101
Phone Number : 86--6195728001
Fax : 86--6195728002
Email : OBerg@gmail.com
Billing Contact:
Name : Elkins Realty
Organization : O Berg
Address : 2150 1st Ave
City : San Diego
Province/State : beijing
Country :
Postal Code : 92101
Phone Number : 86--6195728001
Fax : 86--6195728002
Email : OBerg@gmail.com
ns1.winderz.net and ns1.elkinsrealty.net are on 198.177.253.152 (Allerion Inc, Atlanta)
And for Winderz.net:
Registrant:
R Opitz, Brian
341 Church Road
West Sunbury, PA 16061
US
Domain Name: WINDERZ.NET
Administrative Contact, Technical Contact:
R Opitz, Brian straus2009@live.com
341 Church Road
West Sunbury, PA 16061
US
7246372446
Record expires on 17-Nov-2010.
Record created on 17-Nov-2009.
Database last updated on 20-Nov-2009 10:46:04 EST.
Domain servers in listed order:
NS1.WINDERZ.NET 198.177.253.152
NS2.WINDERZ.NET 210.217.45.138
ns2.elkinsrealty.net is on 210.217.15.41 (Korea Telecom)
ns2.winderz.net is on 210.217.45.138 (Korea Telecom)
In this case the email "came" from operator@victimdomain - filtering your own domain at the gateway (or the "operator" address) could be useful.
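The advice above, to filter your own domain (or the "operator" address) at the gateway, can be turned into a concrete check. The following is an added example written for this page, not code from the original post: it parses a raw message, flags a From: address in the gateway's own domain when the delivering relay is not an internal host, and flags any link whose host sits under one of the lure domains listed in the update below, or that uses the noflash.php?mode=standart path quoted above. The local domain example.org, the internal relay range 10.0.0.0/8 and both sample messages are constructed assumptions, not real captures.

```python
"""
Mail-gateway checks for the "please update your mailbox" Zbot lure.

Added example, not code from the original post. A message is flagged when:
  1. From: claims the gateway's own domain but the message was handed to us
     by a relay outside the internal network (the spoofed "operator@" case), or
  2. the body links to a host under one of the lure domains from the post, or
     to a .../noflash.php?mode=standart URL like the one quoted there.
The local domain, internal relay range and sample messages are assumptions
constructed for this example.
"""
import email
import ipaddress
import re
from email import policy
from urllib.parse import parse_qs, urlsplit

LOCAL_DOMAIN = "example.org"                           # assumption
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]   # assumption

# Domains from the post's "full list so far"
LURE_DOMAINS = {
    "dirddrf.be", "dlsports.be", "ftpddrs.be", "modertps.be",
    "verzzi.co.uk", "verzzi.org.uk",
    "verzzq.co.uk", "verzzq.me.uk", "verzzq.org.uk",
    "verzzg.co.uk", "verzzg.me.uk", "verzzg.org.uk",
    "verzzm.co.uk", "verzzm.me.uk", "verzzm.org.uk",
    "verzzn.co.uk", "verzzn.me.uk", "verzzn.org.uk",
}

URL_RE = re.compile(r"""https?://[^\s<>"']+""")
RECEIVED_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def relay_ip(msg):
    """Address of the host that delivered the message to our gateway: the
    bracketed IP in the top-most (most recent) Received: header, or None."""
    received = msg.get_all("Received", [])
    if not received:
        return None
    m = RECEIVED_IP_RE.search(str(received[0]))
    return ipaddress.ip_address(m.group(1)) if m else None


def is_internal(ip):
    return ip is not None and any(ip in net for net in INTERNAL_NETS)


def check_message(raw):
    """Return the list of reasons to quarantine; an empty list means pass."""
    msg = email.message_from_string(raw, policy=policy.default)
    reasons = []

    from_addr = str(msg.get("From") or "").strip().lower()
    from_domain = from_addr.rsplit("@", 1)[-1].strip("<> ")
    if from_domain == LOCAL_DOMAIN and not is_internal(relay_ip(msg)):
        reasons.append(f"From: claims {LOCAL_DOMAIN} but the relay is external")

    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    for url in URL_RE.findall(text):
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        # Match the lure domain even under deep subdomains such as
        # accounts.<victim domain>.verzzi.org.uk
        if any(host == d or host.endswith("." + d) for d in LURE_DOMAINS):
            reasons.append(f"link to known lure domain: {host}")
        if parts.path.endswith("/noflash.php") and \
                parse_qs(parts.query).get("mode") == ["standart"]:
            reasons.append(f"noflash.php?mode=standart lure path on {host}")
    return reasons


# Constructed sample modelled on the lure quoted in the post (not a real capture).
PHISH = """Received: from mail.attacker.invalid ([203.0.113.7])
    by mx.example.org with ESMTP; Fri, 20 Nov 2009 15:21:00 +0000
From: operator@example.org
To: user@example.org
Subject: please update your user@example.org mailbox
Content-Type: text/plain

Dear owner of the user@example.org mailbox, You have to change the security
mode of your account, from standart to secure. Please change the security
mode by using the link below:
http://accounts.example.org.verzzi.org.uk/webmail/settings/noflash.php?mode=standart&id=XXXX&email=user@example.org
"""

# Constructed legitimate notice from an internal relay.
LEGIT = """Received: from intmail.example.org ([10.1.2.3])
    by mx.example.org with ESMTP; Fri, 20 Nov 2009 16:00:00 +0000
From: operator@example.org
To: user@example.org
Subject: scheduled maintenance
Content-Type: text/plain

Webmail will be unavailable on Saturday. Details: http://intranet.example.org/notice
"""

if __name__ == "__main__":
    for name, raw in (("PHISH", PHISH), ("LEGIT", LEGIT)):
        print(name, check_message(raw) or ["pass"])
```

The relay check is a stand-in for proper SPF/DKIM evaluation: a message injected through an internal relay would pass it, so treat the "own domain from outside" rule as a cheap first filter rather than authentication. The domain list is the post's snapshot from November 2009; the verzz[igmnq] pattern suggests more registrations in the same family.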
Update: full list so far..
dirddrf.be
dlsports.be
ftpddrs.be
modertps.be
verzzi.co.uk
verzzi.org.uk
verzzq.co.uk
verzzq.me.uk
verzzq.org.uk
verzzg.co.uk
verzzg.me.uk
verzzg.org.uk
verzzm.co.uk
verzzm.me.uk
verzzm.org.uk
verzzn.co.uk
verzzn.me.uk
verzzn.org.uk
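The post notes above that the Verzzi domains are hosted on a fast flux botnet. As an added example (not code from the original post), here is a heuristic for checking that claim from repeated resolver lookups rather than taking it on trust: many distinct addresses spread over several networks, short TTLs, and answer sets that change between lookups. The lookup results below are constructed for this example and are not real records for these domains; /16 prefixes stand in for ASN diversity because the example runs offline, and the thresholds are assumptions.

```python
"""
Fast-flux heuristic over repeated DNS lookups.

Added example, not from the original post. Each Lookup is one observation of
a domain's A records: a timestamp (seconds), the TTL returned, and the answer
set. A domain scores as fast flux when the TTLs are short, the union of
answers is large, those answers span many networks, and the answer set
rotates between lookups. The lookup data and thresholds are constructed
assumptions; /16 prefixes approximate ASN diversity without a lookup database.
"""
from collections import namedtuple
from ipaddress import ip_network
from statistics import median

Lookup = namedtuple("Lookup", "ts ttl answers")


def flux_stats(lookups, ttl_max=300, min_ips=8, min_prefixes=4):
    """Summarise a series of lookups and decide whether they look fast-flux."""
    ips, prefixes, ttls = set(), set(), []
    changes, prev = 0, None
    for lk in sorted(lookups, key=lambda l: l.ts):
        cur = frozenset(lk.answers)          # order of answers is irrelevant
        ips |= cur
        prefixes |= {ip_network(f"{a}/16", strict=False) for a in cur}
        ttls.append(lk.ttl)
        if prev is not None and cur != prev:
            changes += 1
        prev = cur
    stats = {
        "lookups": len(ttls),
        "distinct_ips": len(ips),
        "distinct_prefixes": len(prefixes),
        "median_ttl": median(ttls) if ttls else None,
        "answer_changes": changes,
    }
    stats["fast_flux"] = bool(
        ttls
        and stats["median_ttl"] <= ttl_max
        and stats["distinct_ips"] >= min_ips
        and stats["distinct_prefixes"] >= min_prefixes
        and changes >= 1
    )
    return stats


# Constructed observations: four lookups five minutes apart. Addresses are
# drawn from documentation and private ranges purely as placeholders.
FLUX = [
    Lookup(0,   180, ["192.0.2.10", "198.51.100.20", "203.0.113.30", "10.0.0.40", "172.16.0.50"]),
    Lookup(300, 180, ["192.0.2.11", "198.51.100.21", "100.64.0.60", "10.1.0.41", "172.17.0.51"]),
    Lookup(600, 180, ["203.0.113.31", "100.65.0.61", "10.2.0.42", "192.0.2.12", "172.16.0.52"]),
    Lookup(900, 180, ["198.51.100.22", "203.0.113.32", "100.64.0.62", "10.3.0.43", "172.18.0.53"]),
]

# Constructed observations of an ordinarily hosted domain: same two
# addresses every time, long TTL, answer order shuffled by the resolver.
STABLE = [
    Lookup(0,   3600, ["192.0.2.1", "192.0.2.2"]),
    Lookup(300, 3600, ["192.0.2.2", "192.0.2.1"]),
    Lookup(600, 3600, ["192.0.2.1", "192.0.2.2"]),
    Lookup(900, 3600, ["192.0.2.1", "192.0.2.2"]),
]

if __name__ == "__main__":
    print("flux-like domain:", flux_stats(FLUX))
    print("stable domain:   ", flux_stats(STABLE))
```

Run against real resolver logs, feed each domain's observations in and look at the full stats rather than the boolean alone: a CDN also returns short TTLs and several addresses, but its answers come from a handful of prefixes and rarely rotate wholesale between lookups.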
Thursday, 19 November 2009
Warning: Affilnet.net
Just as a follow-up to the warmfuzzylove.com scam, the same server (98.126.22.178) now hosts Affilnet.net, which may be trying to pass itself off as Affili.net, a legitimate marketing agency, although at the moment the site appears to be blank.
The domain was previously registered to Warner Brothers (of all people!) but was reregistered to an anonymous registrant on 13th November.
Given that the pattern of registration and server being used are consistent with an existing scam, then any approach from Affilnet.net should be regarded as being suspicious unless proven otherwise.
Labels:
Bogus Ads
Avira detects TR/Crypt.XPACK.Gen in MW2
I don't play Modern Warfare 2 - but some reports indicate that it has a virus in it.
What seems to be happening is that Avira is coming up with a generic detection of TR/Crypt.XPACK.Gen on a temporary file (perhaps ~B8.tmp) in C:\Documents and Settings\%USERNAME%\Local Settings\Temp.
However, "TR/Crypt.XPACK.Gen" is a generic detection - Avira is scanning the file and determining that it might be suspicious because it has been compressed with a commercial packer (a bit like a ZIP file). It is almost definitely a false positive that will be fixed quite soon.
If you like, you can head to the Avira Support Forums, where there is a short thread about it.
Labels:
Anti-Virus Software,
False Positive,
Viruses
Wednesday, 18 November 2009
T-Mobile & LBM: Just a coincidence?
In what appears to be a systematic plundering of customer records, T-Mobile staff have sold hundreds of thousands (or perhaps millions) of customer details to rival operators. Given that a lead for an expiring mobile phone contract seems to sell for around 50p to £2 a pop, this is possibly a significant slice of cash.
One question is: who sold the data. But a more pertinent one is: who bought the data?
It is probably just a sheer coincidence that I have previously documented unexplained cold calling for T-Mobile customers from a company called LBM Direct Marketing in the UK.
This current round of cold calling is on behalf of O2. LBM appears to have subscriber details - when they finally do talk to you rather than putting the phone down, they greet you by name. [..] The caller denied that they worked for LBM, and claimed to be working for O2 [..]. Our attempts to talk to a supervisor at LBM resulted in the caller putting the phone down. In this case, they do seem to know the name of the subscriber ([..] the phone had previously been with Vodafone and then transferred to T-Mobile)
This is probably not an isolated incident - expiring mobile phone contract leads are valuable and are regularly traded, and we're not just talking about T-Mobile here.. it seems to be very widespread, and T-Mobile deserve some kudos for tackling the issue.
Just in case you missed all the furore, T-Mobile have a news article about it:
Labels:
Data Protection,
LBM,
T-Mobile