Sponsored by..

Tuesday, 6 April 2010

"Represent Party" / representparty.org spam

Sent to a postmaster role account.. classy.

From: Represent [mailto:ben.lynch@representparty.org]
Sent: 05 April 2010 16:22
To: UK Postmaster
Subject: How would you improve the UK - we need your ideas.

Hi,

How would you improve the UK - we need your ideas.

We have just launched a new website ‘Represent’ – and we are looking for ideas on how to make the UK a better place - any ideas will do as long as they are positive.

All ideas submitted will be published on the website where they can be rated to find the most popular ideas for improving the country.

Go to http://www.representparty.org <http://www.representparty.org/>, register (this does not mean you are joining any organisation it helps you to add ideas and rate other ideas) and add your ideas. Remember the website is new so there may not be many ides at the moment but bear with us as we process the ideas uploaded and we’ll get more ideas published as soon as possible.

Thank you for your time.

Regards

Ben Lynch
Represent

PS – If you believe that this email was intrusive please accept my apologies. If you do not want to receive any further emails from us please click on the link below.
http://www.representparty.org/unregister.aspx?action=unsubscribe&value=[redacted]
Originating IP is 109.228.0.79 which also hosts representparty.org and representparty.com. It will probably come as no surprise to see that this IP address belongs to Fasthosts in the UK who are very tolerant of bulk emailers like this.

Anyway, how's this for a positive idea.. stop f**king spamming me.

Thursday, 1 April 2010

Wednesday, 17 March 2010

argiento.eu / Piccini Real Estate Company scam

This is a money mule scam, email originating from a hacked PC in Brazil, site hosted on 188.130.250.248 in Latvia which is a well-known bad IP address.

Note that there are several reliable real estate companies with "Piccini" in the name, this scam is not related to any of these companies. Avoid.

From: "Kathryn Crum"
Subject: The Italian company is looking for partners in England
Date: Wed, March 17, 2010 2:15 pm


Dear
My name is Martin Argiento. I am working in the international real estate agency Piccini Real Estate. Our company is registered in Italy.

Currently we are taking on the employees to hold a post of regional agents. We have a vacancy which you could fill.

Your electronic address, is taken from a database of the company which is engaged in employment. If it is an error, or if you do not have time, or you are not interested in this offer, we ask you to ignore the message. We apologize for the wasted time.

The vacancy description:
The salary from 2000 Euros.
Non fixed working ours.
The guaranteed prospect.

Requirements:
Practical knowledge of the program Microsoft Office Word.
Having skills in Microsoft Office Excel.
Ability to communicate, intelligence, responsibility.
Ability to come to an understanding with people and to carry on negotiations.
Experience in commercial activity is welcomed.

If you are interested in cooperation, please send mail on the electronic address: m@argiento.eu


On behalf of employees of Piccini Real Estate company.

Thursday, 4 March 2010

"west-es-company.com" scam job offer

This is another money mule email, soliciting replies to west-es-company.com which is hosted at 193.104.94.57 in the Russian Federation along with a whole bunch of other badness.



Subject: hello!
From: "Ronald"
Date: Thu, March 4, 2010 11:10 am

Hello,

My name is Ronald and our company currently has several positions it needs to fill in your region.

We are a well known company with offices throughout Europe, Asia and North America.

Our current turnover is over 130 million annually and we are still seeking for expansion.

I have 12 vacancies of Financial Assistant that need to be fulfilled immediately.

Major operational duties are prompt receiving and processing customerĂ‚’s payments for their further transfer according to the specified method. Detailed work scheme will be provided upon request.

I am looking for self-motivated individuals with strong work ethics and ability to schedule work hours effectively.

Requirements:

* Expert skills in managing payments and transfers between our company and clients
* Knowledge of basic payment systems
* Bank account (personal or business)
* Advanced PC and Internet skills
* Minimum 24 y.o.

Benefits:

*Salary plus commissions
*Full reimbursement of banking and Western Union fees.

NOTE: This vacancy is valid for American residents ONLY.

Contacts: Ronald@west-es-company.com





Avoid this one at all costs.

Friday, 26 February 2010

Stupid spammer? Or Joe Job?

Sometimes it's hard to say if a spam is a really stupid spammer, or a very sophisicated Joe Job.



From: "Human resources" <list@weekendsoff.info>
Reply-To: HR@internet-marketing.com
Subject: Thank you for your application

This is an automated response; please do not reply to this email

Thank you for your application, this will be reviewed shortly

The Job You Have applied for is

>>

Internet Marketing - Work from home Unlimited income

An Irish based company is looking for a motivated and dynamic individual to head up the local operations in UK, USA, Canada, Australia and New Zealand, Must be computer literate, Dynamic, and a self starter.

Previous marketing experience is desirable but not essential as
Full training is given.

For details on how to apply please click the link below

http://ec2e68oy1e-p-g0mu8cbhzr5ke.hop.clickbank.net/

>>

Many thanks

The HR Team


This email is intended for the addressee only If you have received this email in error please treat its contents as confidential and delete it immediately





Clickbank spam is pretty rare, simply because Clickbank will terminate spamming affiliates. Clickbank redirects to http://www.theaffiliatecode.com/cb.php?hop=bharrsunny which then affiliates to one of those stupid eBook sites called "TheAffiliateCode.com" that promises untold riches. The name "bharrsunny" is almost definitely the name of the affiliate account.

The email routes via a server at 94.136.62.178 [Webfusion - UK and currently blacklisted] and appears to originate from a Sky broadband subscriber at 90.221.179.176 (currently blacklisted). A look at the server at 94.136.62.178 throws up a number of websites, including "weekendsoff.info" (listed in the headers) and "weekendsoff.co.uk". The WHOIS details for these domains is as follows:

Domain name:
weekendsoff.co.uk

Registrant:
Bob Harris

Registrant type:
UK Individual

Registrant's address:
27 old tatham
york
YO43 4BN
United Kingdom

Registrar:
Webfusion Ltd t/a 123-Reg.co.uk [Tag = 123-REG]
URL: http://www.123-reg.co.uk

Relevant dates:
Registered on: 14-May-2009
Renewal date: 14-May-2011

Registration status:
Registered until renewal date.

Name servers:
ns.123-reg.co.uk
ns2.123-reg.co.uk
The .info domain also reveals:
Registrant Phone:+44.1430861312
Registrant Email:bh861839@aol.com

weekendsoff.co.uk is a web design outfit with some familiar looking templates (e.g. www.weekendsoff.co.uk/Shop-sites/shop3/index.html is the same as this page on Quackit) as it seems are all the other pages. Still, I guess this is all above board, isn't it?

Now, there's an uncanny match between the name "Bob Harris" and the affiliate name "bharrsunny". So, is Bob Harris really stupid? Or has someone hacked his server with a sophisticated Joe Job? But this isn't the only time this person has been fingered for spamming. I'm sure you can make up your own mind..

Tuesday, 23 February 2010

Mystery Shopper Scam from "linkshare.humanresources@gmail.com"

LinkShare is an affiliate marketing company, this email purports to be from "LinkShare™" (note the nice use of the TM) and states that they are a market research company.. which they are not. Originating IP is 124.243.42.42 in Korea, replies are solicited to a free Gmail account rather than linkshare.com and the email is "from" alerts@careerbuilder.com which surely ain't right.

Basically, this is a standard mystery shopper scam email and it should be avoided at all costs.

Subject: MYSTERY SHOPPER OPENING: {$150 Per Survey}
From: "LinkShare™ Corporation" <alerts@careerbuilder.com>
Date: Wed, February 24, 2010 4:46 pm
Priority: Normal

About the Company:
LinkShare™ is a market research company that uses Mystery Shopping and Mystery Consuming to measure the quality of service rendered or gather specific information
about products and services. We use mystery shoppers to get the information anonymously.

Job Description & Responsibilities:
As our mystery shopper posing as normal customers, you will expected to perform specific tasks such as purchasing a product or using a service. We presently have a
couple of outstanding contracts, which means you will visit outlets in your area. While there, you will secretly evaluate things like customer service, store
cleanliness and quality of service rendered. When you're done, submit your shoppers report to us via e-mail and get paid for your opinions.

Some of the simple questions in your Shoppers Report will be:
. How well were you treated?
. Were the employees friendly and courteous?
. Did you receive prompt service?

That's all there is to it! The answers to these kinds of questions are extremely valuable to any business - You'll be providing important information that will be
used to improve the quality of businesses everywhere. You will be provided funds in advance for any upcoming survey via Checks to cover expenses.

Where will I be mystery shopping?
The companies we deal with mostly represent large chain stores and popular franchises with hundreds and thousands of locations across the country. They are stores, services and restaurants like:

. Money Gram
. Wal-Mart
. Western Union
. Cvs

Special skills are not required for this opening. However, in order to apply for this job you must ensure you have access to your e-mail at least twice daily and must read and respond to our notifications within 24 hours.

If you would like to be considered for assignments, please fill out the Application below as we hope to Welcome You to LinkShare™!

Full Names:
Address Line 1:
Address Line 2:
City:
State:
Zip Code:
Age:
Home Phone Number
Cell / Mobile Phone Number:

All applications must be sent to: linkshare.humanresources@gmail.com

LinkShare™ Corporation
215 Park Avenue South 9th Floor
New York, NY 10003
Email: linkshare.humanresources@gmail.com

The information contained in this e-mail, and any attachment, is confidential and is intended solely for the use of the intended recipient. Access, copying or re-use of
the e-mail or any attachment, or any information contained therein, by any other person is not authorized. If you are not the intended recipient please return the e-mail to the sender and delete it from your computer.

Wednesday, 17 February 2010

Money mule operation morphs

This fraudulent job offer (i.e. for a money mule laundering stolen funds) originates from 109.169.243.117 and points to a server on 193.104.94.57, both in the Russian Federation. This is the same server as this scam although the domain names have changed.

Subject: Vacancy ID053 USA
Date: Wed, February 17, 2010 2:12 am

Dear job seekers!

Apply for the job. We recommend this position.

Job Description:

We are looking for people who can control the payment of our customers from your state / region.

The responsibilities of work included compiling monthly reports on the overall turnover of funds, sending documents on each transfer.

We offer you confidentially as you conduct a search to meet your career goals and we can help you to understand and communicate what makes you stand out in a crowd.

My role is to find the best candidates to meet the needs of my clients. You could be just the person I'm looking for.

Job Requirements:

As a Finance Manager, you are responsible for all aspects of operation, including customer relations, team management, financial management and team recognition/retention.

You must:
- be 23 years of age or older
- be resident of United States of America
- have a bank account
- must have full internet access (at home or at work)

Minimum qualifications include:
- Well developed analytical, communication, and interpersonal skills
- Strong operational background and knowledge
- Exceptional people skills
- Problem solving skills
- Top notch communication and writing skills
- A drive to be the best

Benefits:
- Monthly salary starting at $2000(after a month evaluation period)
- 5% commission for every task you complete
- Banking and Western Union fees covered by the company

If you are interested in applying for this position please send your resume
Cara@new-job-position.com

Robtex reports a number of dodgy domains and mail servers on that domain, all of which should be considered fraudulent.

  • 7-job-net.com
  • company-euro.com
  • euro-shopping.net
  • gold-es-net.com
  • goldes-it.com
  • good-nets.com
  • it-financess.com
  • job-for-yours.com
  • mail.7-job-net.com
  • mail.company-euro.com
  • mail.gold-es-net.com
  • mail.goldes-it.com
  • mail.job-for-yours.com
  • mail.online-web-net.com
  • mail.people-and-job.net
  • mail.web-euro-it.com
  • mail.webpages-it.com
  • mail.wesst-netts.com
  • online-web-net.com
  • people-and-job.net
  • web-euro-it.com
  • webcompany-es.net
  • webcompany-euro.net
  • webfiless.com
  • webpages-it.com
  • wesst-es.net
  • wesst-netts.com

donotemail@wearespammers.com |

Saturday, 13 February 2010

I'm Bob Gatchel, and I'm a spammer

OK, spam isn't exactly uncommon, and get-rich-quick MLM schemes are a bit like the dog shit that you sometimes tread on while out walking. This particular piece of spam caught my eye:


Subject: [redacted], your just released 5 Ways to Make a Fast $5,000 CD at absolutely no cost from Bob
From: "EWI" <robertallen4@ewiadvisory.com>
Date: Fri, February 12, 2010 12:43 am

Dear [redacted],

Hi, I'm Bob Gatchel and recently you visited one of my websites where you requested more information about starting your own internet based home business ... that's GREAT! And because you did this, I have a very special free gift for you -
with no strings attached!

Look ...because you took the time to learn more about this industry, I want to give you my brand new Ebook and TeleSeminar that will show you how to pick out the PERFECT online home based business for you!

It's called: "Internet Home Business EXPOSED"

And you can secure your FREE copy of this course at this website:

http://InternetHomeBusinessExposed.com

This is an info-packed 54 page ebook and 50 minute TeleSeminar that reveals the TOP 12 online based home businesses for 2010 and beyond! Discover how a new and exciting home business can:
* Give you FREEDOM form a normal 9-5 job
* Give you more free time for your family
* Give you financial stability without the struggle
* Let you live a happier & healthier life!

Look ... I did the investigating and hard research so you don't have to and can show you how to make this happen in your life!

Who am I?

Why should you listen to me?

And why should you get this course?

For the past 12 years, I've not only been earning a high six figure income using the internet from the comfort of my home ... but I've been helping others do the same as an internet marketing consultant that specializes in the fields of home based business.

My courses, training and consulting are featured all over the internet ... and my unique insights into this industry have even been featured in the worldwide best selling book: "Multiple Streams of Internet Income" by the renowned wealth trainer, Robert G. Allen.

Bottom line? I know what I'm talking about when it comes to making money from home using the internet - and I know how to help the average person achieve amazing results!

When you get your copy of "Internet Home Business EXPOSED" at:

http://InternetHomeBusinessExposed.com

You'll see how it "cuts through the fluff" and gives you everything you need to avoid the TONS of scams out there ... I've done all of the hard work and research FOR YOU to find only the 12 BEST and PROVEN ways to make big money from home - in your spare time or even help quit your job and to it FULL time like me!

Again, get this course NOW at:

http://InternetHomeBusinessExposed.com

Take your first step to living the life you deserve and the freedom to live your dreams! Take the time to get your free copy of "Internet Home Business
EXPOSED" and get started on your path to success TODAY!

Successfully Yours,

Bob Gatchel

Creator of "Internet Home Business EXPOSED"

PS - This free ebook and teleseminar are only going to be available for free for limited time only. We are going to actually start selling this course very shortly. Be sure you get your copy today while it's still free OK?

Go to:

http://InternetHomeBusinessExposed.com

We respect your privacy. To remove yourself from this mailing list, please reply to this email.

"Bob" has made a couple of newbie mistakes here - firstly, the "Reply To" address is invalid as there is no such domain as "ewiadvisory.com" and he forgot to include his postal address, which makes in non CAN SPAM compliant.

InternetHomeBusinessExposed.com is the sort of name that almost begs to ripped apart. Hosted along with hundreds of other crummy MLM sites on 74.208.120.206, the domain has private registration details, which is a shame. Not to worry, a little bit of digging turns up a valid address of:

Robert Gatchel
16 Shire Lane
Port Deposit, Maryland 21904
United States

There's also a valid "reply-to" email address you can use of bobgatchel@gmail.com.

There you go Bob, fixed that for you.

Interestingly, it turns out that Bob is a bit of a stickler for rules, which is kind of odd when you consider his non CAN SPAM compliant message. Page 73 of this planning document shows Bob objecting to his neighbour installing a mobile home on their property because it broke the deed restrictions. OK Bob, that's fair enough.. but just remember this next time you send out spam.

So what is InternetHomeBusinessExposed.com? Well, it just forwards to another site at getthescoopabout.com (again, anonymised) and it's just pushing some crappy seminar. But what are they selling?

A little more digging finds that Bob is affiliated with some outfit called the Enlightened Wealth Institute which has a non-too-pretty report at the BBB. He is also affiliated with some scientifically unproven dietary supplement from Yoli Incorporated. A quick Google of "Yoli" shows an awful lot of people pushing Yoli as an MLM rather than something you would want to put in your body.

Now, excuse me Bob.. I have some dog shit to clean up.

Thursday, 11 February 2010

"7-job-net.com" Money Mule Operation

This is a straightforward money mule (i.e. money laundering) operation with a twist:

Subject: from International Consulting Company
From: "Arnulfo Salas"
Date: Thu, February 11, 2010 9:24 am

Hello

Our company(Outsourse Solution) is proud to announce you that we now have positions
available(part time)

A candidate for the Payments Processing Position must meet the following
requirements:

* Is 23 years of age or older
* Is resident of United States of America
* Is fair and objective
* Is detail oriented
* Is very observant and able to focus on details
* Is fairly intelligent
* Has patience
* Is trustworthy
* Is practical
* Types well
* Loves to learn
* Explains well in writing
* Is discreet
* Handles deadlines
* Has bank account
* Has full internet access (at home or at work)

Benefits:
* Monthly salary starting at $2000(after a month evaluation period)
* 5% commission for every task you complete
* Banking and Western Union fees covered by the company

If you are interested in becoming a Payments Processor for our company
you can request more information at Arnulfo@7-job-net.com

Thank you,
Outsourse Solution Inc.
Usually we see spam like this soliciting replies to throwaway free email addresses. In this case, 7-job-net.com is a domain that has been registered specifically for this scam, on 14th January 2010.

Registrant details show the infamous "Private person" moniker.

Aleksandr Lapatau
Email: lapatasker@earthling.net
Organization: Private person
Address: Lenina, 34, 8
City: Minsk
State: Minskaya
ZIP: 456123
Country: BY
Phone: +375.172427204

The email address is connected with at least one other scam.

Of interest is the fact that the domain is hosted on 193.104.94.57 in Russia along with the following sites:
  • Westitnet.net
  • Company-euro.com
  • Euro-company.net
  • Euro-shopping.net
  • Euro-webs.net
  • Good-nets.com
  • It-best-eur.net
  • It-financess.com
  • It-netx.com
  • Net-euros.com
All these sites have bogus looking registration details and are best avoided.

Monday, 8 February 2010

Old pitch, new payload

This particular pitch from the badly-spelled "Internet Service Provider Consorcium" was doing the rounds back in September 2008, and it appears to have been recycled again to deliver a brand new Bredolab payload.


Subject: Your internet access is going to get suspended
From: "ICS Monitoring Team" <*****>
Date: Mon, February 8, 2010 9:34 pm
To: *****
--------------------------------------------------------------------------

Your internet access is going to get suspended

The Internet Service Provider Consorcium was made to protect the rights of software authors, artists.
We conduct regular wiretapping on our networks, to monitor criminal acts.

We are aware of your illegal activities on the internet wich were originating from

You can check the report of your activities in the past 6 month that we have attached. We strongly advise you to stop your activities regarding the illegal downloading of copyrighted material of your internet access will be suspended.

Sincerely
ICS Monitoring Team
Attachment is report.zip which contains report.exe and of course you can probably guess that it contains something nasty.


Who know what other oldies this crew might try to use?

Friday, 5 February 2010

www.dynamoo.com/blog is now blog.dynamoo.com

Because of Google's sucky decision to terminate their sucky FTP publishing service, you might notice that the URL of this blog has changed from www.dynamoo.com/blog to blog.dynamoo.com.

Everything is lashed together with symbolic links and .htaccess files for now, if you notice anything odd then contact me.

More fake ad networks

The German news site Handelsblatt was recently the victim of a malvertising campaign:

02.02.2010 Handelsblatt malware on Web site

Update: Infection banners confirmed!

The S-CERT was able to reproduce the infection in its test laboratory on the IHT website. Infection occurs through an advertising banner, which is from "Doubleclick.net. This will in turn include advertisements from the domain "muentely.com" in the Handelsblatt-page insert. The latter site is obviously manipulated and contains malicious JavaScript code.

Further investigations in the S-CERT laboratory testing have confirmed that will be used including a PDF vulnerability to the spread of malware. The studies also show that there is an alternative to the vulnerability, attempts to exploit gaps by further appropriate attack code to install a malware onto vulnerable PCs.

According to the investigations of the S-CERT is the malware with the accessing PCs will eventually become infected, a so-called Scareware: Users are informed by insertion of appropriate dialogue, that their PC is infected with malware wide area. To remove this malware, an appropriate protective software is available for purchase. To give emphasis to the malware message that ensures Scareware that can be started on any new applications over infected PCs. Relevant information of users may also indicate an infection.
The malware campaign was running via Doubleclick and Nuggad.net, directing through a bunch of domains that look like ad agencies but aren't before ending up in a server in Panama.

The fake ad agencies are in the 213.163.75.x range, all recently registered through BIZCN.COM in China, a fairly well known black hat registrar.

Note that while the domains appear to be fake, the registration data may include the details of innocent third parties, so I have not published it here. I would recommend avoiding doing business with them unless you can absolutely verify their credentials.
Synopsystd.com
  • Namdoline.com
  • Quintat.com
  • Bradfortnd.com
  • Ealana.com
  • Rovitalt.com
  • Favorti.com
  • Muentely.com
  • Briarmod.com
  • Deltamsc.com
  • Jessiereet.com
  • Startrailrs.com
  • Connata.com
  • Vehiced.com
  • Essiell.com
  • Holdrism.com
  • Bellwaynetworks.com
  • Forlifemedia.com
  • Revoltechmarketing.com
  • Hickoryhs.com
  • Ingramctc.com
  • Luxortd.com
  • Morrelmedia.com
  • Gappion.com
  • Savoyee.com
  • Goldbaynetwork.com

Thursday, 4 February 2010

"Hello, this is Icon calling on behalf of BT.."

The phone rings from an undisclosed International number.. an automated voice say "Hello, this is Icon calling on behalf of BT.." and it then goes on to explain that there's nobody to talk to me and I should call back on 0800 980 0127 to unsubscribe. Except of course that I'm bloody on TPS.

So who are they? Icon Communications Centers are based in Prague and have a website at www.icon-cc.com (no, I'm not giving them a link). In fact, the crummy job is advertised right here. OK, I say crummy.. the good thing is that Prague is a very nice place, but you probably won't see too much of it in a call centre.

Enjoy.

Edited: so I spoke to the very polite person on the other end and very politely suggested that the stop ringing. Having plugged the caller for details (yes, they really do work near the centre of the city) it seems that Icon are perhaps not a bad gig if you can speak English and find yourself in Prague looking for a job.

Sergey Ryabov / director@climbing-games.com strikes again

There's a somewhat unusual spate of injection attacks doing the rounds, code is being injected into the middle of victim pages through an unknown flaw, starting document.write(unescape('%3C%73%63%72%69%70%74%20%6C%61%6E%67%75%61%67%65%3D and then going on for a bit.. deobfuscating the code actually leads to a second layer of obfuscation, but once that is decoded it becomes clearer.

The injected code points to itsallbreaksoft.net


This then bounces through paymoneysystem.info/in.cgi?michaeleknowlton before hitting a seemingly random PPC search engine site hosted on 95.211.27.154, for example sdeh.net/iframe.html. Sophos have an excellent write-up of the anatomyof the injection attack here, and it's pretty clear that somebody is ripping somebody else off for PPC traffic.. its hard to say who the victims actually are.

The domains itsallbreaksoft.net and paymoneysystem.info belong to the same person, these are interesting because of the registration details:

Nexton Limited
Ryabov Sergey (director@climbing-games.com)
+79219270961
Fax: +79219270961
Scherbakova st., 6-38
Saint-Petersburg, 197375
RU
These contact details are very well known for very bad things. Incidentally, the registrar is ruler-domains.com, also an enterprise registered to "Sergey Ryabov" (if that's a real person).

It's all kind of strange as there doesn't appear to be a malware payload, which is good. But because of the way click arbitrage works, finding the real victims and villains is tricky, although interested researchers may want to have a poke around.

Using Google Images to fight fraud

A great post from the guys at F-Secure about how an employee used Google Images to stop being ripped off. Probably a good tip to stop getting defrauded at auction sites.

Tuesday, 2 February 2010

Pathetic


A multibillion dollar company operated by a bunch of f*cking amateurs.

In particular.. the bit that says "We are building a migration tool", but for some unfathomable reason we have decided to kick off this change before it's ready. Sure, Blogger is a free platform and I could always ask for my money back.

Another favourite is: "only .5% of active blogs are published via FTP".. and the reason for this is that for the past couple of years Blogger's FTP service has become increasingly unreliable for no particular reason.

Unfortunately, anyone who had business dealings with Google that involve real money will know that the the f*ck you attitude to customer service is very much ingrained in Google. To a certain extent, being jerked around when you are not paying for the service is one thing.. but business partners in things like advertising, YouTube and enterprise applications also suffer the same thing.

Yes, Google is still often awesome. But sometimes, like this time, it's just pathetic.

Wednesday, 20 January 2010

AdSlash.com is a bogus ad network

We've seen a number of ads being punted through AdSlash.com to legitimate ad networks, but it appears that these are leading to a PDF Exploit (don't visit these sites, obviously!).

For example:
fwlink.nx7.zedo.com.adslash.com/?alx=a27131939386&td=qcbp71pz=42834&sz=728x90&_zm=359161&st=n1n4&id=131939386&zcw=gh17chl277&xryr=3913771&mp=1460h1
fwlink.nx7.zedo.com.adslash.com/stats_js_e.php?id=131939386
fwlink.nx7.zedo.com.adslash.com/bdb/Health/banner_728.gif
fridayalways.com/kven/index.php
fridayalways.com/kven/js/common.js
fridayalways.com/kven/pdfadmnplay.php
fridayalways.com/kven/files/backoutblack.pdf

or

fwlink.nx7.zedo.com.adslash.com/?alx=a27131959519&td=qcbp71pz=42834&sz=120x600&_zm=359161&st=n1n4&id=131959519&zcw=gh17chl277&xryr=3913771&mp=1460h1
uparms.com/uparmglde/index.php
uparms.com/uparmglde/js/zingvaz.js
uparms.com/uparmglde/sexxhsdtk.php
which then loads a PDF exploit

or

fwlink.nx7.zedo.com.adslash.com/?alx=a27131958218&td=qcbp71pz=42834&sz=300x250&_zm=359161&st=n1n4&id=131958218&zcw=gh17chl277&xryr=3913771&mp=1460h1
setsup.com/setglde/index.php
setsup.com/setglde/js/common.js
setsup.com/setglde/ffcollab.php
setsup.com/setglde/files/slob.pdf

Despite the use of "zedo.com" in the subdomain, there is no evidence that these are being syndicated through Zedo.

Let's look at the WHOIS entry for AdSlash.com first:

Domain name: adslash.com

Registrant Contact:
PublishingAlert
Vivian Mitchell jacksosomands@gmail.com
650-887-5087 fax:
2069 Duck Creek Road
Oakland CA 94612
us

Administrative Contact:
Vivian Mitchell jacksosomands@gmail.com
650-887-5087 fax:
2069 Duck Creek Road
Oakland CA 94612
us

Technical Contact:
Vivian Mitchell jacksosomands@gmail.com
650-887-5087 fax:
2069 Duck Creek Road
Oakland CA 94612
us

Billing Contact:
Vivian Mitchell jacksosomands@gmail.com
650-887-5087 fax:
2069 Duck Creek Road
Oakland CA 94612
us

DNS:
ns1.everydns.net
ns2.everydns.net

Created: 2010-01-04
Expires: 2011-01-04

The address looks kind of legitimate, but there's no Duck Creek Road in Oakland and the phone number is most likely Los Altos, not Oakland. Also the fact that it has been registered just days ago is a clue.. and it turns out that the registrar is BIZCN.COM of China which is an odd choice for a California company.. in other words, the domain registration details are fake.

AdSlash.com is hosted on 217.23.7.6 which is reportedly a Worldstream Data Center in Faro, Portugal. There's a cluster of servers with fake registration details which are probably related:

217.23.7.6
Adslash.com
Dc2way.com
Ispmns.com
Rtcohost.com
Vpsroll.com

217.23.7.7
Net-wisp.com
Realhgost.com
Slhoste.com

217.23.7.8
Inhostin.com
Nx7tech.com
Vpbyte.com

217.23.7.9
Eywtech.com
Qhostin.com
Sslcode.com

Blocking the entire 217.23.7.x range will probably do no harm at all, it is full of typosquatting domains and other crap.

The PDF exploit itself is hosted in Russia on 213.108.56.18 at Infoteh Ltd (UNNET-LINER), there are a bunch of domains serving these exploits up:
  • alwaysinwork.com
  • fridayalways.com
  • runsup.com
  • uparms.com
  • upmostly.com
WHOIS details show the infamous moldavimo@safe-mail.net email address.

Registrant:
Name: dannis
Address: Moskow
City: Moskow
Province/state: MSK
Country: RU
Postal Code: 130610

Administrative Contact:
Name: dannis
Organization: privat person
Address: Moskow
City: Moskow
Province/state: MSK
Country: RU
Postal Code: 130610
Phone: +7.9957737737
Fax: +7.9957737737
Email: moldavimo@safe-mail.net

Technical Contact:
Name: dannis
Organization: privat person
Address: Moskow
City: Moskow
Province/state: MSK
Country: RU
Postal Code: 130610
The whole UNNET-LINER netblock of 213.108.56.0 - 213.108.63.255 looks fairly sordid, blocking access to it will probably do no harm.

As a side note, AdSlash.com did used to be owned by a hosting company called RackSlash, but it expired and was re-registered.

If you are accepting new ad banners - always remember to look closely at WHOIS details and other credentials to ensure that you are dealing with who you think you are.

Monday, 18 January 2010

Is Q-dating.com a fake?


At first this looks like some random spam:

Subject: Find a sexdate - Free registration!
From: "Q-dating" <info@qdates.net>
Date: Mon, January 18, 2010 3:19 pm

Having trouble reading this email?

FIND A SEXDATE IN YOUR OWN AREA?

www.Q-Dating.com
[http://mailings.email-pro.net/link.php?M=000&N=143&L=118&F=T]

Chantal 24 jaaronline

Single, searching for sexdate!
I'm not ready to settle down
and looking for a sexbuddy
Irene 34 jaaronline

Married, looking for date.
I am a loving wife of 34 years looking for a nice man.
The best dating site of the UK. Advanced searching, Instant chat, test it
now FREE! Click here

Click here to unsubscribe
[http://mailings.email-pro.net/unsubscribe.php?M=000&C=00000&L=7&N=143]
After a bit of "wtf" I decided to check out the WHOIS details to see who was spamming:

Company: Realcom Limited
Name: Andy Ling
Address: 33, Throgmorton street
City: LONDON
Country: UNITED KINGDOM
Postal Code: EC2N 2BR
Phone: +44 7937 082 210
Fax:
Email: realcomltd@hotmail.com
Oh, well that's kind interesting.. they appear to be based in the UK. A quick check at Companies House does come up with a Realcom Ltd.. but it's a wholly innocent and unconnected company in Oxfordshire.

There's not much of a web presence about from this Dutch-language review [autotranslated] which also complains that the site is a fake and that unauthorised credit card transactions have been made.

A bit of searching around finds some related domains:
Q-dating.com [94.229.169.102]
Q-dating.eu [78.109.162.121]
Qdates.net [78.109.162.122]
Q-dating.be [78.109.162.119]
Q-dating.de [78.109.162.119]
Q-dating.net [78.109.162.119]
Credifact.net [94.229.169.102]
Megacasting.eu [94.229.169.102]
Email-pro.net [Parked].. mailings.email-pro.net is on 78.109.162.119

All infrastructure is supplied by UKFast (abuse -at- ukfast.co.uk)

There are plenty of other dating sites to choose from.. some of them may even be genuine. But given the complaints and the questionable WHOIS details, then probably best to avoid this one.

Is trafficbuyer@gmail.com Bryan Hunter of Modena, Inc?

We have seen quite a lot of the domain registrant trafficbuyer@gmail.com lately [1] [2] [3] and it would be fair to say that this email address has been connected with malware domains for a few months [4] [5].

Domains operated by trafficbuyer@gmail.com appear to be part of the routing mechanism to bad sites, but there's no indication of who the email address actually belongs to. Is it an ad network, or is it the bad guys themselves.. and if it's an ad network, why are they hiding their name?

This post at Spyware Sucks gave a clue. There are several domains which are interesting because they have changed hands during their lifetime from a firm called Modena Inc (modenainc.com) owned by one Bryan Hunter of Oregon and are now in the hands of "trafficbuyer".

In July 2009, these domains were registered to:


Manager, Domain domains@modenainc.com
Modena Inc.
921 SW Washington ST
Suite 228
Portland, Oregon 97205
United States
(503) 241-1091 Fax --
By September 2009 they had all changed to:

Owner, Domain trafficbuyer@gmail.com
15156 SW 5th
Scottsdale, Arizona 85260
United States
+1.8005551212 Fax --
So, who are Modena Inc of Oregon? According to the State of Oregon, the two key people here are Bryan Hunter and Andrew Vilcauskas, although Mr Hunter's name is most often associated with Modena, Inc. The official status for Modena, Inc shows "Administrative Dissolution" which means that the state dissolved the company for non-filing of paperwork.. this seems to be a common issue. If we look at businesses related to Bryan Hunter then we see:

Big Truck Autobody (dissolved, failed to renew in 2004)
CreditYes, Inc (administrative dissolution in 2008, though still trading at CreditYes.com)
Diminished Value, Inc (filings overdue as of November 2009, trading at DiminishedValue.com)
ExitExchange Corporation (still active, although check the rating at WOT for ExitExchange.com or simple Google it)
Modena Homes, Inc (administrative dissolution in 2008)
Modena, Inc (administrative dissolution in 2009)
Modena, Inc (older incorporation, administrative dissolution in 2004)
Pro Web Design LLC (administrative dissolution in 2004)
Wind Song Creek Estates LLC (administrative dissolution in 2009)

Now, given the WHOIS history of these domains we would suggest that either Bryan Hunter is trafficbuyer@gmail.com or he sold the domains on to this person. If they are the same person, then perhaps he would like to review his business relationships and clean them up...

Friday, 15 January 2010

zoombanner.com / YieldManager malvertisement on ebuddy.com

ebuddy.com is running a malicious ad on the zoombanner.com domain, apparently managed by Yieldmanager.

First, the "legitimate" end of the malware chain loads at ad.zoombanner.com/content?campaign=1171557&sz=6
This forwards to deliver.commismanderakis.com/rotate?m=2;b=6;c=1;z=585778
Which goes to content.fishpotboutademalled.com/track/3388182/S_IT?[snip]
Then img.commismanderakis.com/img?XAhIPWtICDkJX0FVHXUDKFoRYhYlRxFCNlsBGEhLBEtVdRdiCRYKBA8kKV9RHBEaXFJfXFMHAQ
Followed by the payload domain at jduvazuc.info/cgi-bin/dep
then jduvazuc.info/cgi-bin/dep/j006102Hd793447cR55e239b8T9cc338b5V0100f060203L69740000000000000000
then jduvazuc.info/cgi-bin/dep/o006102203317l0010Hd793447cR55e239b8T9cc338b6V0100f060
Finally jduvazuc.info/cgi-bin/dep/e006102203318l0010Hd793447cJ0d000601R55e239b8T9cc338a4U0ec2fc77V0100f0600

This last hop tries to load an executable (and probably some other crap I haven't spotted), not very well detected according to VirusTotal. Oh yes, there's a PDF exploit too.

The malicious ad is an Italian language vacation banner in this case.


Most of the domains have anonymous registration details, except zoombanner.com which has the same details that were used in the malicous ads featured here and here.

zoombanner.com

Registrant:
Domain Owner
15156 SW 5th
Scottsdale, Arizona 85260
United States

Domain Name: ZOOMBANNER.COM
Created on: 24-Jul-09
Expires on: 24-Jul-10
Last Updated on: 24-Jul-09

Administrative Contact:
Owner, Domain trafficbuyer@gmail.com
15156 SW 5th
Scottsdale, Arizona 85260
United States
+1.8005551212 Fax --

Technical Contact:
Owner, Domain trafficbuyer@gmail.com
15156 SW 5th
Scottsdale, Arizona 85260
United States
+1.8005551212 Fax --

Domain servers in listed order:
NS45.DOMAINCONTROL.COM
NS46.DOMAINCONTROL.COM

A search for the IP addresses show Linode is providing most of the infrastructure (again) with ezzi.net providing the payload server.

ad.zoombanner.com
69.164.215.205, 69.164.215.204 [Linode]

deliver.commismanderakis.com
74.207.232.205, 74.207.232.206, 74.207.232.248, 74.207.232.249, 74.207.232.250, 74.207.232.25, 74.207.232.30, 74.207.232.31, 74.207.232.35, 74.207.232.39, 74.207.232.202, 74.207.232.203 [Linode]

content.fishpotboutademalled.com
69.164.196.55 [Linode]

jduvazuc.info
216.150.79.74 [AccessIT / ezzi.net]

Incidentally, 69.164.196.55 also hosts a bunch of domains which are probably malicious:
  • Aspoutceringlapham.com
  • Baalcootymalachi.com
  • Bangywhoaswaikiki.com
  • Bertbleepedupsurge.com
  • Bluegumgodfulfrowzly.com
  • Bookletjigsawsenam.com
  • Boursesdeployporomas.com
  • Cabullacoexertstephen.com
  • Camastuthbroomer.com
  • Camocaexcidealaric.com
  • Cursarophitkamass.com
  • Dunnishbribesteen.com
  • Dusaexsurgeenzed.com
  • Eelfishminibusdaniel.com
  • Enyopensilflux.com
  • Fishpotboutademalled.com
  • Galasynjingkoendoss.com
  • Gombayuranidetripper.com
  • Haileschoralephydra.com
  • Haredjuvenalalkyds.com
  • Hoofishsmutsdela.com
  • Jigmenbrasschaves.com
  • Jumnamontanodillon.com
  • Limanadernaggly.com
  • Malabarvoiotiahsln.com
  • Mashlampeasewahima.com
  • Miauwbustianraynold.com
  • Mowewindsortejo.com
  • Nahshufrosterpappus.com
  • Negreetflurtagma.com
  • Nitrotowelvidovic.com
  • Oaterhabeasroyalet.com
  • Ospswraxledfummel.com
  • Oundycelticrecomb.com
  • Pcdosbahnerdalea.com
  • Pealedlupulicdunker.com
  • Polarlyfoetiskart.com
  • Potwareabipondeana.com
  • Psatchargeehewart.com
  • Puddyolderrippon.com
  • Sallierdiaushawed.com
  • Sarddieterchuted.com
  • Scullogmooerslarking.com
  • Siwardupttorntrib.com
  • Skouthlazordurning.com
  • Suttenbnetifla.com
  • Tacomanheathsdisodic.com
  • Temperabiceswayaka.com
  • Teughlyhesperegerek.com
  • Toterterrenobrasero.com
  • Vaccarykakkakcaddoan.com
  • Viperanmeatsoths.com
  • Viznomyboohoorigs.com
  • Voluntyseventechny.com
  • Wartedbiterhunter.com
  • Woodardvirgetoruli.com
  • Yawybottlersuccahs.com
  • Zirklehalavahhaunchy.com
I suspect that you probably wouldn't miss much by null-routing Linode completely at the moment.