Sponsored by..

Tuesday, 22 June 2010

Virus / Malware on Nokia.com / miisolutions.net

Nokia.com appears to have been compromised through a third-party script:


europe.nokia.com (e.g. hxxp:||europe.nokia.com/support/download-software/nokia-pc-suite) ->
nokia.tt.omtrdc.net ->
omniture-nokia.secure.miisolutions.net ->
oploya.fancountblogger.com:8080

Details on the general attack can be found here. It appears that miisolutions.net has had malicious code injected into the script, rather than it being Nokia.com itself that has been hacked.At the time of writing the malicious code is still present.

Update: the infected page at miisolutions.net has been taken down.

Wednesday, 16 June 2010

"OFFICIAL WARNING FROM FBI" scam

An old scam, pretty much the flipside of the usual Advanced Fee Fraud. This one preys upon innocent victims by accusing them of money laundering, but the details don't pan out. Quite apart from the ridiculous proposition and free email addresses used, phrases like "shady", "waded in", "graft" and exclamation marks are something you would never expect to see in an official communication from law enforcement. Besides, I really don't think that the FBI email you if they suspect you are up to terrorist activities..

From: Anti Graft.
Reply-to: antiterrorist.crimesdiv.2010@megafastmail.com
date    16 June 2010 09:37
subject    OFFICIAL WARNING FROM FBI.

ANTI-TERRORIST AND MONETARY CRIMES DIVISION
FBI HEADQUARTERS IN WASHINGTON, D.C.
Federal Bureau Of Investigation.
FBI-Washington Field Office
601 4th Street, NW
Washington, DC 20535
Website: www.fbi.gov
Phone: 202-595-1344

DATE:15/06/2010

It has been discovered that your contract/inheritance/winning FUND was about being transferred to an unknown account under your name. This attempt was perpetrated by someone who claims to be working for you, and that you have given him due authority to have the FUND moved to the account specified below:

SOUTHWESTERN FEDERAL CREDIT UNION
WESCORP 924 OVERLAND COURT
SAN DIMAS, CA 91772. USA.
ACCOUNT NUMBER: 322079133
ABA/ROUTING NUMBER: 1220-41-21-9
SHARETYPE NO.: 25
FINAL CREDIT  HABIB FENZI AND CO. (Beneficiary).

The Federal Bureau of Investigation (F.B.I.) waded in after being alerted by the supposed bank. We investigated and found that there is a possible money laundering activity in play.The FUND US$10,500,000.00(Ten Million Five Hundred Thousand United States Dollars) was found to be deposited in Bank of America in your name pending your consent to have it transferred to the new account indicated above. It was further revealed that initial FUND transfer originated from Nigeria to England and now here in Bank of America in USA.

These transfers did not follow due process in line with the international FUND transfer rules and regulation.Consequently,we suspect this be a terrorism funding, drug related fund deposit and/or money laundering. As stated above, the FUND has your name on it; and you must have it cleared of any connection with any of these illegal activities.Be informed that FAILURE to have this cleared out will attract a JAIL TERM.We will not hesitate to visit the full weight of the law upon you if you do not clear this fund.There is every indication that you are involved in this shady deal.

Finally, you are expected to have the CLEARANCE DOCUMENT obtain from where the FUND originated from to have you and your fund cleared. Only then shall we release your FUND as clean money devoid of any illegality, and you will be free of any involvement. To this end, you are to contact Mr. Peter Anderson of the Anti Graft Department of Economic and Financial Crimes Commission (E.F.C.C.) Nigeria and have the DIPLOMATIC IMMUNITY SEAL of TRANSFER (DIST) CLEARANCE DOCUMENT obtained. Contact him through this direct email address:efccantigraft.nigeria@megafastmail.com,Direct Line:+234 8028493286 Note that you have 72hrs to obtain this crucial Documentation.

This has to be cleared!

You are warned!

Faithfully Yours
Robert S. Mueller III
FBI Director
Federal Bureau Of Investigation.
FBI-Washington Field Office
601 4th Street, NW
Washington, DC 20535
www.fbi.gov

Tuesday, 15 June 2010

west-vacancy.com scam

This email from a wholly fake company called west-vacancy.com is really recruiting for a money laundering job or something very similar. The domain itself was registered just a few days ago to a no-doubt fake registrant. Mail is handled by Google, there is no website but in this case the email originated from 188.16.123.52 in Russia.

Date: 15 June 2010 12:32
Subject: vacancy number 358

I introduce a large multinational enterprise the co-worker of the HR department of which I am. Our company has been working in different fields, such as:
- companies setting-up
- companies winding-up
- opening accounts in Europe
- etc.

We need employees in Europe:
- salary 2.400 euro + bonus
- 1 - 2 working hours per day
- free timetable

If you are interested in this job, please, send us your contact information: Cornell@west-vacancy.com
Name:
Surname:
Country:
E-mail:
Mobile phone-number:

Be informed! Candidates from Europe are needed only

Please, write your Telephone Number and our manager will contact you to conduct an interview.
For what it is worth, these are the registrant details of the fake domain:

Domain name: west-vacancy.com

Name servers:
    ns1.nameself.com
    ns2.nameself.com


Registrant:
    Aleksandr Lapatau
    Email: lapatasker@earthling.net
    Organization: Private person
    Address: Lenina, 34, 8
    City: Minsk
    State: Minskaya
    ZIP: 456123
    Country: BY

Monday, 14 June 2010

Terminally confused 419er

This is just a straight advanced fee fraud scam, but the scammer seems to want to through in the names of Yahoo, Nokia AND Microsoft into the same fraudulent pitch. Just to add overkill, it's from a "Reverend" too, which a bunch of email addresses which are frankly all over the shop. Oh yes, the originating IP is Argentina of all places.

From: CONGRATULATION FROM YAHOO COMPANY THAILAND <lotto_officethai2@btinternet.com>
Reply-to: revralphdelahay@w.cn
Date: 14 June 2010 13:28
Subject: CONGRATULATION FROM YAHOO COMPANY THAILAND
   
Microsoft Award Team.
 ADDRESS: NOKIA THAILAND OFFICE
 105/33 BANGKOK THAI TWR.,
 108 SIAM ROAD.,
 BANGKOK, 10400,
 KINGDOM OF THAILAND.
 Batch: 12/25/0340


 Dear Winner


 This is to inform you that you have won a prize money of $2,000,000,00 (Two Million United state dollars) for the Edition 2010 Lottery promotion which is organized by YAHOO  LOTTERY INC & WINDOWS LIVE.YAHOO & MICROSOFT WINDOWS, collects all the email addresses of people that are active online, among the millions that subscribed to Yahoo and Hotmail we only select ten people every Month as our winners through electronic balloting System without the winner applying, we Congratulate you for being one of the people selected.

 PAYMENT OF PRIZE AND CLAIM


 You are to contact your Claims Agent with immediate effect to facilitate the protocol of your winning prize before the expiry date of Claim; Winners shall be paid in accordance with his/her Settlement Centre. Prize must be claimed not later than 15 days from date of Draw Notification after the Draw date in which Prize has won. Any prize not claimed within this period will be forfeited. These are your identification numbers:

 Batch number....................12/25/0340
 Ref number.......................Ref: MSN-L/200-26937
 Winning number...................YM09788


 You are therefore advised to send the following information to  to this office so that we facilitate the claims of your prize to you.


 1. Full name.............
 2. Country..............
 3. Contact Address........
 4. Telephone Number.....
 5. Marital Status........
 6. Occupation.............
 7. Company...............
 8. Age.....................


 Please Note:
 Your Lottery Prize must be claimed not later than 15 days from date of Draw Notification after the Draw date in which Prize has won. Any prize not claimed within this period will be forfeited.

 Congratulations!! Once again.

 Yours in service,
 REV.RALPH DELAHAY
 (Operation Manager)
 Yahoo International Promotion Center

 Email: thailand.lotto@yahoo.com
 Bangkok 10400
 Kingdom of Thailand





Phishtank FAIL: hsbcnet.com / hsbc.net

hsbcnet.com is a valid and legitimate website belonging to HSBC. Traffic is redirected to this site from hsbc.net. The site itself is hosted on AS26381 63.111.163.110 which is delegated to an HSBC subsiduary called Household International from Verizon. The hsbcnet.com  was registered in 1998 to a registrant with an hsbc.com web address:

Registrant:
HSBC
   One HSBC Center
   Floor 21 - HTS eBusiness
   Buffalo, NY 14203
   US

   Domain Name: HSBCNET.COM

   Administrative Contact, Technical Contact:
      Fischer, Chuck  charles.fischer -at- us.hsbc.com
      HSBC Bank USA
      One HSBC Bank
      eBusiness, 21st Floor
      Buffalo,, NY 14203
      US
      (716) 841-2075 fax: (716) 841-5022


   Record expires on 04-Dec-2010.
   Record created on 04-Dec-1998.
   Database last updated on 14-Jun-2010 04:41:11 EDT.

   Domain servers in listed order:

   NS3.HSBC.COM                
   NS4.HSBC.COM       
         

It's clearly not a phishing site, and yet Phishtank say that it is.


Now, Phishtank does just allow any old user to mark a site as phishing. In this case, the site was submitted by a user called dvk01  and then verified by SEVEN other people as a phish - stuartgrant knack NotBuyingIt cybercrime marcoadfox Aminof theGeezer - although some people have said that it isn't. As a result of this faulty groupthink, 71% of reports say that this legitimate site is a phish.

This false positive has now filtered down to OpenDNS and a number of other blocking services (e.g. Sophos) that are now erroneously blocking access to HSBC.

Don't get me wrong, Phishtank and other similar service can be very useful. But in this case it shows that Phishtank's verification process really doesn't work.. as any actual examination of the web site in question would surely identify is as legitimate.

Wednesday, 2 June 2010

"llona Timofeeva" scam

There are probably lots of people called llona Timofeeva who are perfectly trustworthy, but this job offer from a "llona Timofeeva" is not.. and it is almost definitely a made up name. So if you are llona Timofeeva, then this is probably not about you.

From: Illona Timofeeva
Date: 2 June 2010 20:04
Subject: Part-time job

My name is Illona Timofeeva, I am Director of an EastEuropean humane society S_O_S.
We have organized an animal shelter providing veterinary services, management and sterilization.
A lot of our pets have been adopted and taken care of. But now we are facing difficulties
with acceptance of donations and contributions for our shelter in your region,
that is why we are looking for a manager of our corporate account in UK.
This is a part-time job offer which would not interfere with your day job.
You may earn as much as P3,000 per month or more. In case you are interested in this offer,
we look forward to receiving your CV or brief information about yourself to our email HumaneSociety_sos@lavabit.com    
We shall write you back as soon as possible and state the terms of this job offer.

Sincerely yours,
Illona Timofeeva
Director
SOSHumane Society
What is it? Well, it's a straightforward money laundering scam using the hook of cute, fluffy and defenceless animals to get you interested. Avoid.

Tuesday, 1 June 2010

Another spam using BonBon.net for replies

There have been a stack of fake job offers soliciting replies to a BonBon.net email address lately. These emails don't actually come from BonBon.net, but they are seeking a reply to a mailbox using that domain.

I was unfamiliar with this mail service, but a bit of research shows that it belongs to HotPOP who have been around since 1998 and have a pretty good anti-spam policy and seem to be a pretty decent bunch.. so my advice is that if you get a spam trying to get you to reply to BonBon.net then forward a copy to abuse -at - hotpop.com.

From: Emilio Richardson
Date: 1 June 2010 02:40
Subject: Vacancy
   
Req'd Education: High School
Citizenship or Work-Visa: YES
Base Pay: 72,000/year
Employee Type: Part-Time/Home-Based
Bonus: Yes

Description:

If you want to work in a strong developing team, in which you can feel like in your family, this  position is for you! Our company is looking for local customer service managers. You will have good career opportunities and will enjoy friendly working atmosphere of our team.

Requirements:
High School required. PC and Internet, MS Office or compatible. Must have strong writing and communication skills.

To Apply:
Forward your contact details back ONLY to our e-mail:  manager03ltd@BonBon.net

 and wait for response next 24h - 48h. Resume-containing only.
This really is just another Money Mule operation or similar, avoid at all costs.

Tuesday, 25 May 2010

job4-us.com fake job offer

Run by the same crew as this scam, this fake job offer is a "money mule" operation laundering stolen funds, under the guise of payment processor for a car sales company. The entire job4-us.com domain is fake, any email purporting to be from that address are bogus.

Date: 25 May 2010 11:22
Subject: A car store is looking for remote employees. (US)

My name is Lisa and our company is looking to fulfill several part time positions in your region. We are one of the largest internet solutions resellers on the market and are looking to build strong support team in United States to provide the best Customer Care.

Title of the current position available is “Payment Processing Assistant” and we have seven openings.

An ideal applicant for this position must meet the following requirements:
* At least 22 years of age
* Resident of United States of America
* Very observant and able to focus on details
* Patient
* Trustworthy
* Practical
* Loves to learn
* Explains well in writing
* Handles deadlines
* Bank account
* Full internet access (at home or at work)

Benefits:
* 50% of the monthly cell phone bill is covered by the company
* Monthly salary starting at $2000(after a month evaluation period)
* 5% commission for every processed transfer
* Banking, Western Union and Money Gram fees is be covered by the company

If you are interested please reply to: Kaitlin@job4-us.com

As before, the site is hosted on 195.206.246.210 in Moldova, on the same server as europjob.com, with the same registrant details which are probably fake:

Registrant:
Maksim Rodkin
Email: roddsn@post.com
Organization: Private person
Address: Miichurinskij prospekt, d.10-2, kv. 144
City: Moskva
State: Moskovskaya
ZIP: 178234
Country: RU
Phone: +7.4956783214

Evil Network: Maximus Hosting Services, Bosnia 77.78.239.0 - 77.78.240.255

A bunch of sites in the IP range 77.78.239.0 - 77.78.240.255 look all evil and appear to be serving up bad PDFs and other nastiness. IPs are allocated to Maximus Hosting Services, Bosnia and honestly I cannot see a single domain that looks legitimate.. I would suggest that you block the entire range.

1iii.org
2iii.org
Poteriapoter.com
Dwnld0020.com
Hyporesist.com
Newsbosnia.org
Search-static.org
Spmfb2299.com
Spmfb3309.com
Crowledarmor.com
Statxonline.com
Xsbot.net
Exfxreporting.com
Planopetroleumteam.com
Acunetxweb.net
Macuysinstall.net
1-aa.com
Caucasus-a.com
Pa-2.net
G000ggle.com
Zettapetta.net
Google-server14.info
Top-teen-porn.info
Google-server11.info
Kalashmalash.org
Ruslan7777.com
Bazavaza233.net
Shalalopdns.com
Vstils.ru
Tygolev.com
Hostingpanelavg.com
Homesiteuk.com
Vk-socks.net
Lrstat.com
Statistics-of-world.org
Eu-analytics.com

Wednesday, 19 May 2010

"Re: Intercepted Over Due Fund Transfer!!!" scam

This isn't the first time that we've seen a scam email pretending to be from the UN, but they are often slightly amusing in their pitch. The idea here is that the scammers are targeting people who have already been ripped off with the promise of compensation. Presumably the success rate with this approach makes it worth doing.

Unsurprisingly, the telephone number listed is in Nigeria. Avoid.
From: United Nations <info@un.org>
Reply-to: cenbankng@ml1.net
Date: 19 May 2010 02:40
Subject: Re: Intercepted Over Due Fund Transfer!!!

United Nations

Palais des Nations,

1211 Geneva 10,

Switzerland

Subject: Re: Intercepted Over Due Fund Transfer

Attention: Beneficiary,

In the last meeting between the United Nations OCHA and UNDP hold Copenhagen, 19 Febraury 2010-After a marathon all night session, talks aimed at injecting new and more wide-ranging momentum into the international effort to combat climate change, global recession and scam  ended with a positive outcome.

The United Nations and U.S department for Homeland security has meet with delegate from Africa, Asia, Australia, Antarctica, North America, South America  and Europe has agreed to Pay scam victims around the world the sum $10.8Million USD as compensation so the money could be use to combat unemployment and help people like you make the world a better place. The United States Department of Homeland Security (DHS), with the help of the FBI and Interpol Has screened through various Monitoring Networks and has been confirmed and notified that the transaction is Legal and you have the Lawful Right to claim your due fund.

To effect and carry out the directives given, you are advised to contact Dr David Wills

Dr David Wills.

International Claims Officer

Telephone: +234 8039393143

E-Mail: cenbankng@ml1.net

You have been instructed on what to do next you are strictly advice to follow his instruction so as to follow into the hands of fraudster,

Yours Faithfully,

Yvette Morris (UN)
Public Relation officer

Tuesday, 18 May 2010

europjob.com fake job offer

This fake job offer comes with a Moldovan and Russian connection.

Date: 18 May 2010 20:52
Subject: good day!
   
International Real Estate Consulting Company seeking local representation


Countries of interest: Austria, Belgium, Bulgaria, Hungary ,Greece, Denmark, Ireland, Cyprus, Lithuania, France, Sweden
Luxembourg, Malta, Netherlands, Poland, Slovakia, Slovenia, Portugal, Romania, Finland, Czech, Estonia

Tasks of the representation to consist of liaison and intermediation in financial transactions.

Good and prolonged relations history with local financial institutions is strongly recommended
(references will be asked).

If you would like to be a regional manager in Europe send us your contact information: Full name:
Country:
City:
E-mail:
Telephone Number:

Our contacts: Denver@europjob.com
The europjob.com domain was registered just yesterday and is hosted on 195.206.246.210 at Starnet in Moldova. The WHOIS details show the infamous "Private Person" as a registrant with an email address frequently connected with scams.

Registrant:
    Maksim Rodkin
    Email: roddsn@post.com
    Organization: Private person
    Address: Miichurinskij prospekt, d.10-2, kv. 144
    City: Moskva
    State: Moskovskaya
    ZIP: 178234
    Country: RU
    Phone: +7.4956783214

It's not clear what the job is, probably money laundering or some other criminal back office service. Avoid.

Fake "NetTemps Inc" domains

These domains and IPs seem to be associated with this company masquerading as "Net Temps Inc" (there are legitimate companies with a very similar name though), you can see examples of the scam email being used here and here.

82.243.193.235- Proxad, France
nettms.eu
nextspend.biz

95.64.133.205 - MultyKabelnie Seti Balashihi, Russia
nettms.net
nettps.net
eddpiii.com.pl

74.63.228.139 - Limestone Networks, Texas
ns1.loopcool.net
ns1.seerdanee.com

87.117.245.9 - JSHosts, UK
lokiou.eu
ns1.globalistory.net
ns1.hourscanine.com
ns1.limeteablack.net
ns1.skcstaff.com
ns1.skcstaffing.com
ns1.socialworc.net

204.12.229.89 - Hosting Ventures LLC, USA [Mostly suspended, some now deleted]
mx.nettempsin.co.uk
mx.nettms.net
ns1.availname.net
ns1.disksilver.net
ns1.girlfrendsboy.com
ns1.nodefront.net
ns1.pdsproperties.net
ns1.sorbauto.com
ns1.whiskybrend.net
availname.net
ddeasaeq.vc
edfa4.com.vc
edfa7.com.vc
efasqca.com.pl
ewasza.co.uk
ewasze.co.uk
ewasze.me.uk
ewaszi.co.uk
ewaszu.co.uk
girlfrendsboy.com
iurseda.com.vc
nodefront.net
pdsproperties.net
sorbauto.com
whiskybrend.net

79.170.40.4 - Heart Internet, UK
netpts.org
nettes.org


77.25.179.23 - Vodafone, Germany
ns2.loopcool.net
ns2.rakusolutions.com

Fast Flux (IP varies)
nettempsin.co.uk

Registered but no website
hourscanine.com
juverds.info
skcstaffing.com

Suspended / On hold
nttempinc.com
santroperz.net
assewya.co.uk
limeteablack.net
skcstaff.com

Monday, 17 May 2010

Nettms.net / Nettps.net "NetTemps Inc" scam

This fraudulent job offer solicits replies to an email address of cv@nettms.net  and it pretends to be from "NetTemps Inc". There is a legitimate firm in the US of a similar name, but this job offer is not from them.

Subject: part-time job in Europe
Date: Mon, 17 May 2010 16:05:37 +0100

Looking for a job? My name is Juliette Barnes, I am a recruiting manager of NetTemps Inc, a recruiting agency for direct-hire, contract, and freelance professionals within various professions.  
      
Today I would like introduce some part-time and virtual office vacancies in the spheres of Advertising, Education, Engineering, Finance, Health care, Information technology, Media, Real estate and Transportation.  
    
If you are interested to learn more about the jobs offered, please get back to me, providing your name and contact number. 
    
We are eager to help you find a better job and improve your career!
      
If you have questions, please do not hesitate to e-mail me on:  
      
c v @ n e t t m s . n e t      [please delete spaces in the email address before sending it to us]  
 
Yours sincerely,   
Juliette Barnes 
NetTemps Inc  
It's the same scam as this one, but in this case the back-end servers are different.. the mailed replies go to 204.12.229.89 [Hosting Ventures LLC, US] with a web site hosted at 95.64.133.205 in Russia along with another similar domain of Nettps.net.

Anyway, this job offer is probably laundering stolen money or some other criminal activity and should be avoided at all costs.

Friday, 14 May 2010

"Delivery LCI" job scam

This is a fraudulent job offer, which appears to be a reshipping scam and possibly some other "back office" functions for organised criminals. The is no company registered in the UK called Delivery LCI or LCI Delivery.

From: Timmy Bliss
Date: 14 May 2010 01:49
Subject: Job opening

Hello,

I'm Mary, writing on behalf of Delivery LCI about your job
search, would like to invite you to learn more about the job
opportunity that we are offering right now for people like you.
First of all you need no prior experience, but we will provide all
necessary training when you will join us.

Now let's take a look at what Delivery LCI offers you:


Shipping Regional Manager

 Requirements:
 - Resident of the United States;
 - Fluent English;
 - Basic knowledge of Microsoft Word and Microsoft Excel;
 - Home Computer with e-mail account and ability to check your e-mail
 box at least twice a day
 - Adults only accepted (we cannot hire underage people)


 Job description:

 - Receive correspondence from our company and its clients at his/her
 residential address;
 - Report to our manager (every candidate will be included in a
 manager's lists)
 - Forward received items according to instructions of our manager
 - Fill in the forms and papers as indicated in our manager's
 instructions (you will receive an e-mail with instructions for each
box).
 - Ship packages out


 Personal qualities:
- honesty
- decency
- sociability
- ability to work in team


 Salary
 - 30$ per package processed for trial period 1 month
 - 50$ per package processed \ by the end of trial period\
 - The salary is credited to your account once a month


 If you are interested in our position, reply back to us
 with your short resume at:

 KathrynKnowlton@BonBon.net

Thank you for reading.

+44.20 3286 9579 

Despite there being no company of this name in the UK, there are two probably related websites of deliverylci.com and lcidelivery.com. At the moment, only deliverylci.com is running, registered to a fake address in the US:


Registrant:
    Dennis  Oneal
    Email: support@deliverylci.com
    Organization: Delivery LCI 
    Address: 1938 Woodland Terrace
    City: Orangevale
    State: CA
    ZIP: 95662
    Country: US
    Phone: +1.9169879747 
    Fax: +1.9169879747

but claiming to be based in the UK from their website:

Your calls are received by the phone: +44.20 3286 9579

E-mail: lcidelivery@lcidelivery.com

Our Office:

5 NORTH STREET, HAILSHAM, EAST SUSSEX, BN27 1DQ, United Kingdom
5 North Street, Hailsham does exist and is the office of a firm of accountants, there are many companies registered at this address. The telephone number is a London one though, not one for Hailsham.

Digging further shows that the deliverylci.com website is hosted at  89.248.162.136 [Ecatel, Netherlands]. The following sites are hosted on the same server:

  • Dealcomltd.com
  • Deliverylci.com
  • Idealogisticservices.com
  • Todaylogisticservices.com
89.248.162.136 is also a nameserver for other domains:

  • ns1.taxreturnsworld.com
  • ns1.worldtaxreturns.com
  • ns2.itadvancedservices.com   
  • s1.oilhost.eu
The domain taxreturnsworld.com was recently mentioned by Brian Krebs as being part of a particularly sophisticated job scam. So, it seems likely that all these domains and so-called companies are bogus and should be avoided.

Thursday, 13 May 2010

Dating scam: "I will be glad to get to know you"

There have been quite a few dating scams soliciting replies to BonBon.net lately, and coming with an attached photo. This one is meant to be "Anete".. what do you mean, you don't remember Anete? Anyway, it's probaly some fat sweaty Russian bloke trying to part you from your cash, so avoid this one.

Subject: I will be glad to get to know you

Hello! How are you? I hope you are ok. I am Anete.
You remember, we have got acquainted with you at dating site?
You have given me your email and today I write to you.
I think, now we can begin our acquaintance. I will be glad! Hope you too.
I am 30 years old. I want to find the man and to create serious relationship.
I want, that you have answered me if you still want to know me.
I send you my photos, and I want, that you do the same.
I will be glad to get to know you more close.

Please reply only to my personal e-mail:  utinanete@BonBon.net

I look forward your answer. With the best regards, Anete...

Monday, 10 May 2010

Evil network: Sagade Ltd / ATECH-SAGADE

There's been an awful lot of badness from Latvia recently, with several fake AV apps and other Very Bad Things hosted in the range 91.188.59.0 - 91.188.59.255, which appears to be a wholly bad subnet of pure evil. It looks like a similar setup to Real Host Ltd which was shut down last year.

inetnum: 91.188.59.0 - 91.188.59.255
netname: ATECH-SAGADE
descr: Sagade Ltd.
descr: Latvia, Rezekne, Darzu 21
descr: +371 20034981
remarks: abuse-mailbox: piotrek89@gmail.com
country: LV
admin-c: JS1449-RIPE
tech-c: JS1449-RIPE
status: ASSIGNED PA
mnt-by: AS6851-MNT
source: RIPE # Filtered

person: Juris Sahurovs
remarks: Sagade Ltd.
address: Latvia, Rezekne, Darzu 21
phone: +371 20034981
abuse-mailbox: piotrek89@gmail.com
nic-hdl: JS1449-RIPE
mnt-by: ATECH-MNT
source: RIPE # Filtered

% Information related to '91.188.32.0/19AS6851'

route: 91.188.32.0/19
descr: BKCNET Autonomous System
descr: IZZI SIA
descr: Ieriku 67a, Riga, LATVIA
origin: AS6851
mnt-by: AS6851-MNT
source: RIPE # Filtered

All these websites appear to be malicious, I cannot find a single site that I can identify as being legitimate. Most have obviously fake WHOIS details too. I would recommend blocking access to the whole IP block.

1zabslwvn538n4i5tcjl.com
Urodinam.net
A-fast.com
00g00.ru
Odnotraxniki.ru
Td0.ru
Kerrimckeetq.info
Maiamaribeihlv.info
Marguriiexyhamlin.info
Privatetechnology.biz
Syscodec.com
Systemcodec.net
Traffcash.biz
Kimirleonarda.info
Nitrosearch.info
Fastglobosearch.com
Likinto.com
Mcml1.com
Trol0l0.com
Mokato.com
Ziko.in
Viasot.com
Billsolutions.net
Fastsecurebilling.com
Fast-payments.com
Easypayments-online.com
Billingonline.net
Lotise.com
Manytis.com
Membernameserver.com
Ossarix.com
Soterpo.com
Stepil.com
Winepsy.com
Zingis.com
Bombastats.com
Pornowars.info
Superspuperporn.com
Pornopeace.info
Smackmybitch.info
Belleplaceurl.com
Christophecoinurl.com
Coinurlredirect.com
Coinurlredirection.com
Endroiturlredirect.com
Glossipfd.com
Goldcoinurl.com
Gork.in
Gulk.in
Hnarmettis.com
Hotelplaceurl.com
Lieuurlredirect.com
Mnuyetsgrr.com
My654bestsite.com
Nuvolokijj.com
Parkplaceurl.com
Polk.in
Rozg.in
Samk.in
Sekmoon.net
Silvercoinurl.com
Sumk.in
Vvven.in
Worldplaceurl.com
Zoid.in
Smackbybitch.com
Videosite1.com
Beeape.com
Supercrazynight.com
Supersporns.com
Sys-force.ru
Firsttunesclub.in
Viiistifor1.com
Visiocarii1l.net
Skachivay.com
Allforyouplus.net
Hotfilesfordownload.com
Allforil1i.com
Alltubeforfree.com
Allxtubevids.net
Freeanalsextubemovies.com
Freetube06.com
Freeviewgogo.com
Homeamateurclips.com
Hotxtube.in
Hotxxxtubevideo.com
Iil10oil0.com
Ilio01ili1.com
Illinoli1l.in
Porn-tube-video.com
Porntube2000.com
Porntubefast.com
Viewnowfast.com
Viewxxxfreegall.net
Xhuilil1ii.com
Yourbestway.cn
Youvideoxxx.com
Cern-a.com
Xbasex.com
Rowfirst.com
Autouploaders.net
Poafirst.com
Rodfirst.com
Solaruploader.com
Noafirst.com
My-best-web.com
Pakwer.com
Kdjkfjskdfjlskdjf.com
Stablednsstuff.com
Oklahomacitycom.com

Thursday, 6 May 2010

"I live in a city under name Kirov"

Unlike some other dating scam emails promoting very young women, this particular one claims to be from a 37-year-old economist, which I guess might say something about their target audience. In reality, "Mariya" is probably a fat sweaty male Russian who is trying to scam you out of some money.

Date: 6 May 2010 09:44
Subject: I live in a city under name Kirov

Hello my the surprised Friend!

I understand, that you are surprised now, when this letter has arrived to you. BUT I ASK YOU TO SPEND 5 MINUTES, your time and have read it up to the end then probably it will change your and my life. At first I wish to tell a little about myself. My name is Mariya. To me of 37 years. I live in a city under name Kirov, it is a small city in northern part of Russia. I not married and never was. I also do not have children. I have left school then has finished institute on a
trade of "economist". If it is interesting to you I will necessarily tell about it, but now not in it the purpose dear friend. Recently, I watched TV and saw, that in Russia there are 35000000
women who live without men, and there are such agencies of marriage which have many electronic addresses, and such agency can help to find for women the suitable man. I have gone to one of such agencies, and have addressed to them with inquiry that they have found for me the
good man. They have informed at once me, that in Russia I should search for the good and decent man very long time. Then they have offered me acquaintance to the man from other country, on what I have looked from a positive side. As I know, that at us in the country of the man, do not appreciate women, is possible because women several times more.

In general, I have agreed to strike up acquaintance to the man from other country, and they have given me your electronic address. Having told that you the lonely fair and decent man who searches for the woman for creation of relations. Then I took your electronic address and have gone to the cafe Internet to write you the letter. Here now you can my letter see. I have written you it with hope, that you will answer to me. I have inserted one my photo that you could see, my appearance and to solve for you directly completely, you will like to begin dialogue and relations with me or not. Only I ask, concern my letter seriously, look my photo, the letter, think and solve, precisely you would like to have the correspondence with me? I do not wish to be the friend, it is not necessary, I am ready to serious relations. It is very necessary to love, give my love to the MAN and family creation. If you really wish to have serious relations with me
write to me. If you do not want to have a relationship with me, just do not respond to my letter, I can understand everything myself. And nevertheless, I wish to tell to you, that my photo is made not professionally, but you see me, such what I in a life. And you can precisely define such woman as I am necessary for you or not. Very big inquiry as wanted if you however interested in me write to me about your e-mail where we can speak with you and small good photos you. Like everything, that I wished to tell you, and now I only need to wait from you for the answer, and I hope you write to me. If I was not pleasant to you, or serious relations are not necessary for you then do not write me anything, I will understand!

I hope your new friend, I hope that I can become for you friend Mariya!

You can send your letter and photo to this email address: mashalovers@BonBon.net

The lonely woman from Russia Mariya.

Saturday, 1 May 2010

Scam: "The big prospects for intelligent people from England and other regions"

Another money mule scam dressed up as a job offer from an estate agents. The estate agent pitch seems popular at the moment, having come up recently here and here.

From: Heather Crum
Date: 1 May 2010 01:31
Subject: The big prospects for intelligent people from England and other regions

I am HR manager in international real estate agency.

Your electronic address is taken from base of people who are searching for the job. We have the job offer for you. If it is an error and you aren’t searching for the job or you aren’t interested in additional earnings, please ignore this message. We apologize for spent time.

If you are interested in this offer, you need to address to e-mail: Schiavone.Basso@HotPOP.com

The basic direction of our company: The search of clients and partners. Sale, resale and rent of the elite real estate and the industrial areas.

Required qualities for the post:

Practical knowledge of the program “Microsoft Office Word”.
Ability to communicate, intelligence.
Experience in commercial activity is welcomed.
The knowledge of the Italian language and of other languages is welcomed.

The minimum salary is 2000 euro. Frequently the monthly income exceeds 10.000 euro. It all depends on intelligence of the Agent and on his desire and ability to work to his full extent.

For the additional information can refer to the electronic address which is specified above.
Yours faithfully, on behalf of all employees “Europe Real Estate”.

Friday, 30 April 2010