Sponsored by..

Tuesday, 18 May 2010

Fake "NetTemps Inc" domains

These domains and IPs seem to be associated with this company masquerading as "Net Temps Inc" (there are legitimate companies with a very similar name though), you can see examples of the scam email being used here and here.

82.243.193.235- Proxad, France
nettms.eu
nextspend.biz

95.64.133.205 - MultyKabelnie Seti Balashihi, Russia
nettms.net
nettps.net
eddpiii.com.pl

74.63.228.139 - Limestone Networks, Texas
ns1.loopcool.net
ns1.seerdanee.com

87.117.245.9 - JSHosts, UK
lokiou.eu
ns1.globalistory.net
ns1.hourscanine.com
ns1.limeteablack.net
ns1.skcstaff.com
ns1.skcstaffing.com
ns1.socialworc.net

204.12.229.89 - Hosting Ventures LLC, USA [Mostly suspended, some now deleted]
mx.nettempsin.co.uk
mx.nettms.net
ns1.availname.net
ns1.disksilver.net
ns1.girlfrendsboy.com
ns1.nodefront.net
ns1.pdsproperties.net
ns1.sorbauto.com
ns1.whiskybrend.net
availname.net
ddeasaeq.vc
edfa4.com.vc
edfa7.com.vc
efasqca.com.pl
ewasza.co.uk
ewasze.co.uk
ewasze.me.uk
ewaszi.co.uk
ewaszu.co.uk
girlfrendsboy.com
iurseda.com.vc
nodefront.net
pdsproperties.net
sorbauto.com
whiskybrend.net

79.170.40.4 - Heart Internet, UK
netpts.org
nettes.org


77.25.179.23 - Vodafone, Germany
ns2.loopcool.net
ns2.rakusolutions.com

Fast Flux (IP varies)
nettempsin.co.uk

Registered but no website
hourscanine.com
juverds.info
skcstaffing.com

Suspended / On hold
nttempinc.com
santroperz.net
assewya.co.uk
limeteablack.net
skcstaff.com

Monday, 17 May 2010

Nettms.net / Nettps.net "NetTemps Inc" scam

This fraudulent job offer solicits replies to an email address of cv@nettms.net  and it pretends to be from "NetTemps Inc". There is a legitimate firm in the US of a similar name, but this job offer is not from them.

Subject: part-time job in Europe
Date: Mon, 17 May 2010 16:05:37 +0100

Looking for a job? My name is Juliette Barnes, I am a recruiting manager of NetTemps Inc, a recruiting agency for direct-hire, contract, and freelance professionals within various professions.  
      
Today I would like introduce some part-time and virtual office vacancies in the spheres of Advertising, Education, Engineering, Finance, Health care, Information technology, Media, Real estate and Transportation.  
    
If you are interested to learn more about the jobs offered, please get back to me, providing your name and contact number. 
    
We are eager to help you find a better job and improve your career!
      
If you have questions, please do not hesitate to e-mail me on:  
      
c v @ n e t t m s . n e t      [please delete spaces in the email address before sending it to us]  
 
Yours sincerely,   
Juliette Barnes 
NetTemps Inc  
It's the same scam as this one, but in this case the back-end servers are different.. the mailed replies go to 204.12.229.89 [Hosting Ventures LLC, US] with a web site hosted at 95.64.133.205 in Russia along with another similar domain of Nettps.net.

Anyway, this job offer is probably laundering stolen money or some other criminal activity and should be avoided at all costs.

Friday, 14 May 2010

"Delivery LCI" job scam

This is a fraudulent job offer, which appears to be a reshipping scam and possibly some other "back office" functions for organised criminals. The is no company registered in the UK called Delivery LCI or LCI Delivery.

From: Timmy Bliss
Date: 14 May 2010 01:49
Subject: Job opening

Hello,

I'm Mary, writing on behalf of Delivery LCI about your job
search, would like to invite you to learn more about the job
opportunity that we are offering right now for people like you.
First of all you need no prior experience, but we will provide all
necessary training when you will join us.

Now let's take a look at what Delivery LCI offers you:


Shipping Regional Manager

 Requirements:
 - Resident of the United States;
 - Fluent English;
 - Basic knowledge of Microsoft Word and Microsoft Excel;
 - Home Computer with e-mail account and ability to check your e-mail
 box at least twice a day
 - Adults only accepted (we cannot hire underage people)


 Job description:

 - Receive correspondence from our company and its clients at his/her
 residential address;
 - Report to our manager (every candidate will be included in a
 manager's lists)
 - Forward received items according to instructions of our manager
 - Fill in the forms and papers as indicated in our manager's
 instructions (you will receive an e-mail with instructions for each
box).
 - Ship packages out


 Personal qualities:
- honesty
- decency
- sociability
- ability to work in team


 Salary
 - 30$ per package processed for trial period 1 month
 - 50$ per package processed \ by the end of trial period\
 - The salary is credited to your account once a month


 If you are interested in our position, reply back to us
 with your short resume at:

 KathrynKnowlton@BonBon.net

Thank you for reading.

+44.20 3286 9579 

Despite there being no company of this name in the UK, there are two probably related websites of deliverylci.com and lcidelivery.com. At the moment, only deliverylci.com is running, registered to a fake address in the US:


Registrant:
    Dennis  Oneal
    Email: support@deliverylci.com
    Organization: Delivery LCI 
    Address: 1938 Woodland Terrace
    City: Orangevale
    State: CA
    ZIP: 95662
    Country: US
    Phone: +1.9169879747 
    Fax: +1.9169879747

but claiming to be based in the UK from their website:

Your calls are received by the phone: +44.20 3286 9579

E-mail: lcidelivery@lcidelivery.com

Our Office:

5 NORTH STREET, HAILSHAM, EAST SUSSEX, BN27 1DQ, United Kingdom
5 North Street, Hailsham does exist and is the office of a firm of accountants, there are many companies registered at this address. The telephone number is a London one though, not one for Hailsham.

Digging further shows that the deliverylci.com website is hosted at  89.248.162.136 [Ecatel, Netherlands]. The following sites are hosted on the same server:

  • Dealcomltd.com
  • Deliverylci.com
  • Idealogisticservices.com
  • Todaylogisticservices.com
89.248.162.136 is also a nameserver for other domains:

  • ns1.taxreturnsworld.com
  • ns1.worldtaxreturns.com
  • ns2.itadvancedservices.com   
  • s1.oilhost.eu
The domain taxreturnsworld.com was recently mentioned by Brian Krebs as being part of a particularly sophisticated job scam. So, it seems likely that all these domains and so-called companies are bogus and should be avoided.

Thursday, 13 May 2010

Dating scam: "I will be glad to get to know you"

There have been quite a few dating scams soliciting replies to BonBon.net lately, and coming with an attached photo. This one is meant to be "Anete".. what do you mean, you don't remember Anete? Anyway, it's probaly some fat sweaty Russian bloke trying to part you from your cash, so avoid this one.

Subject: I will be glad to get to know you

Hello! How are you? I hope you are ok. I am Anete.
You remember, we have got acquainted with you at dating site?
You have given me your email and today I write to you.
I think, now we can begin our acquaintance. I will be glad! Hope you too.
I am 30 years old. I want to find the man and to create serious relationship.
I want, that you have answered me if you still want to know me.
I send you my photos, and I want, that you do the same.
I will be glad to get to know you more close.

Please reply only to my personal e-mail:  utinanete@BonBon.net

I look forward your answer. With the best regards, Anete...

Monday, 10 May 2010

Evil network: Sagade Ltd / ATECH-SAGADE

There's been an awful lot of badness from Latvia recently, with several fake AV apps and other Very Bad Things hosted in the range 91.188.59.0 - 91.188.59.255, which appears to be a wholly bad subnet of pure evil. It looks like a similar setup to Real Host Ltd which was shut down last year.

inetnum: 91.188.59.0 - 91.188.59.255
netname: ATECH-SAGADE
descr: Sagade Ltd.
descr: Latvia, Rezekne, Darzu 21
descr: +371 20034981
remarks: abuse-mailbox: piotrek89@gmail.com
country: LV
admin-c: JS1449-RIPE
tech-c: JS1449-RIPE
status: ASSIGNED PA
mnt-by: AS6851-MNT
source: RIPE # Filtered

person: Juris Sahurovs
remarks: Sagade Ltd.
address: Latvia, Rezekne, Darzu 21
phone: +371 20034981
abuse-mailbox: piotrek89@gmail.com
nic-hdl: JS1449-RIPE
mnt-by: ATECH-MNT
source: RIPE # Filtered

% Information related to '91.188.32.0/19AS6851'

route: 91.188.32.0/19
descr: BKCNET Autonomous System
descr: IZZI SIA
descr: Ieriku 67a, Riga, LATVIA
origin: AS6851
mnt-by: AS6851-MNT
source: RIPE # Filtered

All these websites appear to be malicious, I cannot find a single site that I can identify as being legitimate. Most have obviously fake WHOIS details too. I would recommend blocking access to the whole IP block.

1zabslwvn538n4i5tcjl.com
Urodinam.net
A-fast.com
00g00.ru
Odnotraxniki.ru
Td0.ru
Kerrimckeetq.info
Maiamaribeihlv.info
Marguriiexyhamlin.info
Privatetechnology.biz
Syscodec.com
Systemcodec.net
Traffcash.biz
Kimirleonarda.info
Nitrosearch.info
Fastglobosearch.com
Likinto.com
Mcml1.com
Trol0l0.com
Mokato.com
Ziko.in
Viasot.com
Billsolutions.net
Fastsecurebilling.com
Fast-payments.com
Easypayments-online.com
Billingonline.net
Lotise.com
Manytis.com
Membernameserver.com
Ossarix.com
Soterpo.com
Stepil.com
Winepsy.com
Zingis.com
Bombastats.com
Pornowars.info
Superspuperporn.com
Pornopeace.info
Smackmybitch.info
Belleplaceurl.com
Christophecoinurl.com
Coinurlredirect.com
Coinurlredirection.com
Endroiturlredirect.com
Glossipfd.com
Goldcoinurl.com
Gork.in
Gulk.in
Hnarmettis.com
Hotelplaceurl.com
Lieuurlredirect.com
Mnuyetsgrr.com
My654bestsite.com
Nuvolokijj.com
Parkplaceurl.com
Polk.in
Rozg.in
Samk.in
Sekmoon.net
Silvercoinurl.com
Sumk.in
Vvven.in
Worldplaceurl.com
Zoid.in
Smackbybitch.com
Videosite1.com
Beeape.com
Supercrazynight.com
Supersporns.com
Sys-force.ru
Firsttunesclub.in
Viiistifor1.com
Visiocarii1l.net
Skachivay.com
Allforyouplus.net
Hotfilesfordownload.com
Allforil1i.com
Alltubeforfree.com
Allxtubevids.net
Freeanalsextubemovies.com
Freetube06.com
Freeviewgogo.com
Homeamateurclips.com
Hotxtube.in
Hotxxxtubevideo.com
Iil10oil0.com
Ilio01ili1.com
Illinoli1l.in
Porn-tube-video.com
Porntube2000.com
Porntubefast.com
Viewnowfast.com
Viewxxxfreegall.net
Xhuilil1ii.com
Yourbestway.cn
Youvideoxxx.com
Cern-a.com
Xbasex.com
Rowfirst.com
Autouploaders.net
Poafirst.com
Rodfirst.com
Solaruploader.com
Noafirst.com
My-best-web.com
Pakwer.com
Kdjkfjskdfjlskdjf.com
Stablednsstuff.com
Oklahomacitycom.com

Thursday, 6 May 2010

"I live in a city under name Kirov"

Unlike some other dating scam emails promoting very young women, this particular one claims to be from a 37-year-old economist, which I guess might say something about their target audience. In reality, "Mariya" is probably a fat sweaty male Russian who is trying to scam you out of some money.

Date: 6 May 2010 09:44
Subject: I live in a city under name Kirov

Hello my the surprised Friend!

I understand, that you are surprised now, when this letter has arrived to you. BUT I ASK YOU TO SPEND 5 MINUTES, your time and have read it up to the end then probably it will change your and my life. At first I wish to tell a little about myself. My name is Mariya. To me of 37 years. I live in a city under name Kirov, it is a small city in northern part of Russia. I not married and never was. I also do not have children. I have left school then has finished institute on a
trade of "economist". If it is interesting to you I will necessarily tell about it, but now not in it the purpose dear friend. Recently, I watched TV and saw, that in Russia there are 35000000
women who live without men, and there are such agencies of marriage which have many electronic addresses, and such agency can help to find for women the suitable man. I have gone to one of such agencies, and have addressed to them with inquiry that they have found for me the
good man. They have informed at once me, that in Russia I should search for the good and decent man very long time. Then they have offered me acquaintance to the man from other country, on what I have looked from a positive side. As I know, that at us in the country of the man, do not appreciate women, is possible because women several times more.

In general, I have agreed to strike up acquaintance to the man from other country, and they have given me your electronic address. Having told that you the lonely fair and decent man who searches for the woman for creation of relations. Then I took your electronic address and have gone to the cafe Internet to write you the letter. Here now you can my letter see. I have written you it with hope, that you will answer to me. I have inserted one my photo that you could see, my appearance and to solve for you directly completely, you will like to begin dialogue and relations with me or not. Only I ask, concern my letter seriously, look my photo, the letter, think and solve, precisely you would like to have the correspondence with me? I do not wish to be the friend, it is not necessary, I am ready to serious relations. It is very necessary to love, give my love to the MAN and family creation. If you really wish to have serious relations with me
write to me. If you do not want to have a relationship with me, just do not respond to my letter, I can understand everything myself. And nevertheless, I wish to tell to you, that my photo is made not professionally, but you see me, such what I in a life. And you can precisely define such woman as I am necessary for you or not. Very big inquiry as wanted if you however interested in me write to me about your e-mail where we can speak with you and small good photos you. Like everything, that I wished to tell you, and now I only need to wait from you for the answer, and I hope you write to me. If I was not pleasant to you, or serious relations are not necessary for you then do not write me anything, I will understand!

I hope your new friend, I hope that I can become for you friend Mariya!

You can send your letter and photo to this email address: mashalovers@BonBon.net

The lonely woman from Russia Mariya.

Saturday, 1 May 2010

Scam: "The big prospects for intelligent people from England and other regions"

Another money mule scam dressed up as a job offer from an estate agents. The estate agent pitch seems popular at the moment, having come up recently here and here.

From: Heather Crum
Date: 1 May 2010 01:31
Subject: The big prospects for intelligent people from England and other regions

I am HR manager in international real estate agency.

Your electronic address is taken from base of people who are searching for the job. We have the job offer for you. If it is an error and you aren’t searching for the job or you aren’t interested in additional earnings, please ignore this message. We apologize for spent time.

If you are interested in this offer, you need to address to e-mail: Schiavone.Basso@HotPOP.com

The basic direction of our company: The search of clients and partners. Sale, resale and rent of the elite real estate and the industrial areas.

Required qualities for the post:

Practical knowledge of the program “Microsoft Office Word”.
Ability to communicate, intelligence.
Experience in commercial activity is welcomed.
The knowledge of the Italian language and of other languages is welcomed.

The minimum salary is 2000 euro. Frequently the monthly income exceeds 10.000 euro. It all depends on intelligence of the Agent and on his desire and ability to work to his full extent.

For the additional information can refer to the electronic address which is specified above.
Yours faithfully, on behalf of all employees “Europe Real Estate”.

Friday, 30 April 2010

What is this I don’t even

Seriously, no.

Why doesn't Windows include native PDF reader support?

F-Secure asks: Why doesn't Windows include native PDF reader support? Perhaps it's time for Microsoft to act in character and help kill off Acrobat Reader for good.

"I am looking for the second half"

A straightforward dating scam email, but one notable for including a picture of a pretty Russian girl, which most spammers don't bother with. In any case, if you respond to "Natalia" (who is probably note even a woman in real life) then you'll soon find that she has unexpected "expenses" that will require you to send money..


Subject: I am looking for the second half

HELLO!!! My name is Natalia! I live in Russia, dating site, I am looking for the second half. I want to find true love, I loved your profile, I would like to continue with you dialogue.

If you do not mind to write me an e-mail: mamaevanatalia20@HotPOP.com

I am very tired of being single. I really want to build a serious relationship. I'll be glad to communicate ..... Natalia



Tuesday, 27 April 2010

I have a bad feeling about Donald Trump..

I have a bad feeling about Donald Trump.. one day he might become president.

Friday, 23 April 2010

"Twitter Support" phish

This phish claims to be from Twitter, but it actually redirects to a fake site at adcopy.awbweb.com/differential.html hosted on 216.81.74.9 which appears to be a legitimate site that has been hijacked.

From: Twitter Support <support@twitter.com;>
Subject: Undelivered Message 52-629

Hi,

You have 1 unread message(s)
http://twitter.com/account/message/0C5B9-C2FEF

The Twitter Team

Please do not reply to this message; it was sent from an unmonitored email address. This message is a service email related to your use of Twitter. For general inquiries or to request support with your Twitter account, please visit us at Twitter Support.

Wednesday, 21 April 2010

nettempsin.co.uk / NetTemps Inc scam

There are probably plenty of legitimate companies with names like "NetTemps Inc", but this money mule scam email soliciting replies to nettempsin.co.uk is not from one of them.

From: "Polly Richardson"
Subject: representatives wanted

Looking for a job? My name is Juliette Barnes, I am a recruiting manager of NetTemps Inc, a recruiting agency for direct-hire, contract, and freelance professionals within various professions.

Today I would like introduce some part-time and virtual office vacancies in the spheres of Advertising, Education, Engineering, Finance, Health care, Information technology, Media, Real estate and Transportation.

If you are interested to learn more about the jobs offered, please get back to me, providing your name and contact number.

We are eager to help you find a better job and improve your career!

If you have questions, please do not hesitate to e-mail me on:

c v @ n e t t e m p s i n . c o . u k [please delete spaces in the email address before sending it to us]

Yours sincerely,
Juliette Barnes
NetTemps Inc


==================================

Unusually, the mail server that deals with replies is multihomed:
  • 79.125.134.191 [ADSL subscriber, Macedonia]
  • 91.41.145.247 [Deutsche Telekom dial-up subscriber, Germany]
  • 83.132.68.62 [TVCABO cable modem, Portugal]
  • 87.116.150.117 [Broadband customer, Serbia]
  • 186.137.3.195 [Cablevision customer, Argentina]
Nameservers are ns1.santroperz.net (domain suspended by registrar for fraud) and ns1.seerdanee.com hosted on 204.12.237.52 at WholeSale Internet, Inc. in Kansas City.

In any case, this is just a Money Mule scam and it should be avoided.

Tuesday, 20 April 2010

martin-argiento.eu / Martin Argiento scam

A slight remix of this money mule scam from last month, but with a slightly different name.

Subject: The Italian company is looking for reliable partners
From: "Cindy Jeffers"
Date: Tue, April 20, 2010 6:03 pm

Dear Mr\Ms
My name is Martin Argiento. I am the manager in international real estate agency Europe Real Estate.

At present, we increase the number of part-time employees on the territory of England and other regions. In this connection, we carry on hiring new employees for the post of the regional real estate Agent.

Activity of the agent:
The search of the clients, advertising of the company.
Purchase \sale of the elite real estate.
Talks.
The monitoring of the market in several region.

Required qualities for the post:
Practical knowledge of the program Microsoft Office Word.
Ability to communicate, intelligence.
Experience in commercial activity is welcomed.
The knowledge of the Italian language and of other languages is welcomed.

The minimum salary is 2000 euro. Frequently the monthly income exceeds 10.000 euro.
It all depends on intelligence of the Agent and on his desire and ability to work to his full extent.

For the additional information refer to the electronic address:
realestate@martin-argiento.eu

Yours faithfully, on behalf of all employees Europe Real Estate.

Mail is directed to 85.112.126.89 in Russia [colocat.ru] but there is also a website hosted at 188.130.250.248 in Latvia [Fastmedia].

There's a whole bunch of badness on the same server in Russia, all of which should probably be avoided:

  • agency-sunsea.com
  • allinwondernews.com
  • apolcentral.com
  • apolonline.com
  • argiento.com
  • argiento.eu
  • argiento.net
  • beastdat.com
  • beinorder.com
  • bgrealty.org
  • bm-holding.com
  • cannibalcannibalistic.com
  • catcherscatherine.com
  • cemeterycentaurus.com
  • cephaliccerebrum.com
  • cesspoolchainsaw.com
  • chelseacinderblock.com
  • clubdatingckoo.com
  • coleldatingcom.com
  • comdatinghorse.com
  • comecloserit.com
  • confessionconducting.com
  • corporectomycorpus.com
  • crowpathcuernos.com
  • cunthuntcraniotomy.com
  • dacelie.com
  • datdos.com
  • datingfooool.com
  • datinggogocolelc.com
  • datingord.com
  • datingsermon.com
  • datingswot.com
  • datomg.com
  • datyandel.com
  • decapitationcattle.com
  • forurelax.com
  • freedom-dating.com
  • gaterk.com
  • goforitdear.com
  • gogodatinghorn.com
  • gskcorp.com
  • handshakesharvest.com
  • hatebeakhereafter.com
  • hereufame.com
  • hornydatingyou.com
  • ise-sl.com
  • itmakesuhappier.com
  • josetxe-financiero.com
  • klaipedetis.com
  • lovesexdatings.com
  • mail.swpost.net
  • martin-argiento.eu
  • myapol.com
  • negligentcondemned.com
  • new-crash.com
  • olsen-rossi.com
  • oppsmyhotty.com
  • orddating.com
  • prime-techno.net
  • pro-job24.com
  • qgraphicinstalls.com
  • rdnets.com
  • reallyforu.com
  • shekelsta.com
  • shufersalta.com
  • swpost.net
  • umap-btl.com
  • uwillhappy.com
  • youthesuperman.com
  • znakomilka.com

Monday, 19 April 2010

MICROSOFT WINDOWS-2010 lottery scam


A French language advanced fee fraud scam email with a colourful PDF file attached. The PDF does seem to be free of viruses, but you should never open unsolicited Acrobat documents from untrusted sources as they often carry a virus.

Subject: BONJOUR Mr/Mme
From: "DOMINIQUE LOVERS"
Date: Mon, April 19, 2010 10:44 am

BONSOIR Mr/Mme

Nous sommes heureux de vous annoncer que vous faites partie des heureux
gagnants de la loterie MICROSOFT WINDOWS-2010, veuillez prendre connaissance du message en pièce jointe, ensuite contacter l'huissier de justice du Maître JEAN MICHEL .
E-MAIL: jean-michel.brousseau@live.fr

Veuillez surtout lui faire parvenir votre numéro de lot et vos informations
Ci-dessous en vue de vous donner la procédure de retrait de votre gain.
Recevez nos sincères félicitations.

Bonne compréhension à vous

MICROSOFT WINDOWS
Direction Marketing
Mr WEI ANDRE

Saturday, 17 April 2010

euvacant.com job offer scam

This is some sort of money mule operation, euvacant.com has the domain registered with hidden details though a registrat in China, the website and mail server are hosted at 178.162.135.100 which is Pegashosting Network in the Ukraine.

Subject: part-time employment in Europe
From: "Katheryn.Parra"
Date: Sat, April 17, 2010 7:38 am

Hi,
West Union Group is searching for a European representative in order to satisfy the
requests of our well respected costumer. To be welcome to our team you need to be a
communicative person and to possess the skills in proper customer care.
We provide you with:
- Flexible schedule
- Good salary
- We pay-off all taxes for you
- Insurance
To obtain more information, please fill up the form below and send it to:

r e p l y 9 @ e u v a c a n t . c o m [please delete spaces in the email
address before sending it to us]

First Name:
Last Name:
Country:
E-Mail:
Contact Number:
Best time to contact you:
Attached resume is preferable

Our operators will contact you and will assist all your questions.

Position available for European citizens only!

Best Regards HR Management of West Union Group

In this case the originating IP was 190.22.247.165 in Chile. Avoid.

Note that the return email address varies, another example used "c v 2 @ e u v a c a n t . c o m" but in all cases the domain seems to be the same.

Wednesday, 14 April 2010

"IMPORTANT: Royal Mail Delivery Invoice #1092817" Virus / Trojan

The wording may vary, but this is a PDF exploit currently doing the rounds pretending to be from Royal Mail. Sophos, F-Secure and Avast detect it along with some other products (VT results here) but otherwise detection is patchy.

Subject: IMPORTANT: Royal Mail Delivery Invoice #1092817
From: "Royal Mail" <delivery@royalmail.com>
Date: Wed, April 14, 2010 11:28 am

We missed you, when trying to deliver.

Please view the invoice and contact us with any questions.

We will try to deliver again the following business day.

Royal Mail.

Attachments:
Royal_Mail_Delivery_Invoice_1092817.pdf

The bad PDF file looks like some sort of calendar, I have not yet been able to analyse exactly what sort of evil things it does.

If you still use Adobe Acrobat then you should make sure that you update to the latest version which is 9.3.2, or use an alternative like Sumatra.

Monday, 12 April 2010

FarmTown, impressionclub.com and justimpression.com

Sandi at Spyware Sucks reports that the popular(ish) Facebook game of FarmTown (not FarmVille) has be compromised, possibly through a malicious banner.

The domain justimpression.com has been fingered as part of the malware chain, registered to the infamous "Private person" of:

Registrant:
Private person
Armand Gregori (armandgregory3@gmail.com)
Federicsshopen via 3
Katowice
Katowice,S589FG
PL
Tel. +34.41528965

Creation Date: 17-Dec-2009
Expiration Date: 17-Dec-2010

Domain servers in listed order:
ns2.reg.ru
ns1.reg.ru
That email address is pretty well known for malware distribution.

The site is hosted on 64.120.176.42 along with a site called impressionclub.com. "Impression Club" claims to be a Pennsylvania based company that has been in business for four year, except the domain was only registered in January 2010 with anonymous contact details, and Russian nameservers.


You can probably count impressionclub.com as a rogue ad network and one to avoid.

The FarmTown developers have a forum thread about the problem (one poster identifies an ad for greetingcards.com as the culprit) and there are several threads on Facebook about this [1] [2] [3] [4] [5] which also point at the following domains as being part of the chain

  • scan-and-protect3.com
  • scan-and-protect5.com
  • scan-and-protect7.com
  • scan-and-protect8.com
  • scan-and-remove10.com
  • scan-and-remove55.com
  • scan-and-remove99.com
  • 1server-antivirus.com
  • 2server-antivirus.com
  • 4server-antivirus.com
  • 6server-antivirus.com
  • 1web-antivirus.com
  • 2web-antivirus.com
  • try6-your-scanner.com
  • 111-your-scanner.com
  • 222-your-scanner.com
  • basketballtickets2.com
  • batman2010.com
  • spread2010.com
  • terminator-2010.com

All these domains are registered with apparently false details, there are probably a bunch more but I'm having difficult resolving the IPs at the moment.

This could be a fairly big deal, Quantcast reports that justimpression.com has a traffic rank of 6,227 and pulled in 329,000 US visitors during February.


This is another good reason to block Facebook in corporate enviroments, and also a useful warning that you need to be very, very careful when selling ad space!

Tuesday, 6 April 2010

reycorporacion.com - bogus job offer

A slightly unusual twist to bogus job offers, this one solicits replies to reycorporacion.com which appears to be a legitimate company, but it looks like the mail has somehow been compromised.

Subject: Position Opening

Speech of welcome

I am a representative of the HR department of a large international company. Our company has been working in different fields, such as:
- real estate companies setting-up and winding-up bank accounts opening and maintenance logistics private undertaking services etc.


We are making a regional managers team in Europe now:
- salary 2.600 euro + bonus
- part-time employment
- flexible work time

If our offer is interesting for you send us the below information on our e-mail address: marta.urzola@reycorporacion.com
Name:Surname:Country:E-mail:Mobile phone-number:

Note! We are searching Europeans only!

Please, write you
Nothing in the registration details, IP address or MX records looks particularly suspect, so it is likely that the reycorporacion.com server has been compromised in some way. In any case, avoid this job offer as it will be some sort of Money Mule operation. If you get one of these, then I recommend alerting the web host abuse-server -at- strato.de to the problem.

"Represent Party" / representparty.org spam

Sent to a postmaster role account.. classy.

From: Represent [mailto:ben.lynch@representparty.org]
Sent: 05 April 2010 16:22
To: UK Postmaster
Subject: How would you improve the UK - we need your ideas.

Hi,

How would you improve the UK - we need your ideas.

We have just launched a new website ‘Represent’ – and we are looking for ideas on how to make the UK a better place - any ideas will do as long as they are positive.

All ideas submitted will be published on the website where they can be rated to find the most popular ideas for improving the country.

Go to http://www.representparty.org <http://www.representparty.org/>, register (this does not mean you are joining any organisation it helps you to add ideas and rate other ideas) and add your ideas. Remember the website is new so there may not be many ides at the moment but bear with us as we process the ideas uploaded and we’ll get more ideas published as soon as possible.

Thank you for your time.

Regards

Ben Lynch
Represent

PS – If you believe that this email was intrusive please accept my apologies. If you do not want to receive any further emails from us please click on the link below.
http://www.representparty.org/unregister.aspx?action=unsubscribe&value=[redacted]
Originating IP is 109.228.0.79 which also hosts representparty.org and representparty.com. It will probably come as no surprise to see that this IP address belongs to Fasthosts in the UK who are very tolerant of bulk emailers like this.

Anyway, how's this for a positive idea.. stop f**king spamming me.