Latvia is definitely becoming a problem when it comes to black hat hosting. The 159.148.117.0/24 range (159.148.117.0 - 159.148.117.255) is another malicious block, forming part of AS2588 belonging to Latnet (similar to microlines.lv). At a rough calculation, about half the IP address ranges I am currently blocking are based in Latvia.
This bunch of domains is a mix of fake pharma sites, browser exploits, illegal downloads and possibly some hijacked domains. In any case, there is nothing of use here, and blocking either the entire IP range or the domains in the list below is probably a good idea.
There's a more detailed file with MyWOT ratings and IP addresses to download here.
UPDATE 2014-06-25: It's been a long time since I wrote this, and it looks like the block was cleaned up some time ago and now contains some Latvian government sites.
Wednesday, 25 August 2010
Evil network: Latnet Serviss Ltd (latnet.lv) AS2588 (159.148.117.0/24)
Labels:
Evil Network,
Latnet,
Latvia
Tuesday, 24 August 2010
north-europ.com job offer scam
This is a fraudulent job offer originating from an IP address in Vietnam, with a ridiculous salary for doing next to nothing:
Hello message
We are in a hurry to offer you position in the building Company.
In few words our Company provides huge circle of building services like
building, landscaping, interior and exterior design of premises, houses etc.
We offer you:
- career growth
- flexible working day
- minimal requirements to become the part of our team
Job description:
- type of work: part time position
- the place to work: your home office
- territory of work: you area(city)
- salary: 60.000 euro per year + percents of transactions
- principle of work: work with clients/partners getting tasks online
If you are interested please respond with the C.V. or minimal contact data to the e-mail: Allison@north-europ.com
Attention!
We are interested in cooperation to the people who live in Europe.
north-europ.com uses Google to handle its mail and doesn't have a website. The WHOIS details have a very familiar email address of lapatasker@earthling.net.
Aleksandr Lapatau
Email: lapatasker@earthling.net
Organization: Private person
Address: Lenina, 34, 8
City: Minsk
State: Minskaya
ZIP: 456123
Country: BY
Phone: +375.172427204
Infrastructure is in various locations around Russia. Avoid.
Labels:
Job Offer Scams,
Lapatasker,
Money Mule,
Scams,
Spam
There's more to this than meets the eye..
This is a straightforward money mule pitch, so nothing very interesting in the message itself..
From: james roberts <jamesroberts02@sify.com>
Reply-to: james.roberts@sify.com
Date: 24 August 2010 13:13
subject: JOB OFFER:APPLY IF YOU ARE INTERESTED.
Hello,
My name is JAMES ROBERTS , a designer also the Manager of JAMES ROBERTS FABRIC and Consultant live and work here in United Kingdom,will you like to work online from home and get paid without affecting your present job?
Actually I need a representative who can be working for the company as online book-keeper. We make lots of supplies to some of our clients in the USA/CANADA/EUROPE, for which I do come to USA/CANADA/EUROPE to receive payment and have it cashed after I supply them raw materials. It’s always too expensive and stressful for me to come down and receive such payment twice in a month so I therefore decided to contact you.
I am willing to pay you 10% for every payment receive by you from our clients who makes payment through you. Please note you don't have to be a book keeper to apply for the job.
Kindly get back to me as soon as possible if you are interested in this job offer with your details:
FULL NAMES...................
ADDRESS ..................
STATE..................
ZIPCODE................
COUNTRY................
PHONE NUMBER(S)........
GENDER.................
AGE....................
OCCUPATION.............
Yours Faithfully,
JAMES ROBERTS
But the headers tell an interesting story..
Received: from mail.pna.ps ([213.244.123.84])
by ********** with esmtp (Exim 4.69)
id 1Onsd0-0004Yt-Jc
for **********; Tue, 24 Aug 2010 13:29:22 +0100
Received: from User (unknown [60.18.167.17])
by mail.pna.ps (Postfix) with ESMTPA id ED6A94476F;
Tue, 24 Aug 2010 15:12:09 +0300 (IDT)
You can only really trust the last hop before it hits your mail server (in truth, not always then either). That IP is 213.244.123.84 which is indeed mail.pna.ps.
So what the heck is .ps? Well, it turns out to be the TLD for Palestine, and the PNA is the Palestinian National Authority, with servers that look to be based in Ramallah on the West Bank. So, it looks like the PNA mail servers are either insecure or compromised.
Did you even know that Palestine had a TLD of its own? I didn't.. so I guess this spam has taught me something!
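The trust boundary described above can be checked mechanically. The following is an added example, not code from the original post: it walks the Received chain from the top and treats a hop as verifiable only while the header was written by one of your own servers. The host mx.example.org and the recipient address stand in for the values redacted in the post, and the function names are illustrative.

```python
import re
from email import message_from_string
from ipaddress import ip_address

# Constructed sample: the two Received headers quoted in the post, with the
# redacted receiving host replaced by the placeholder mx.example.org.
SAMPLE = (
    "Received: from mail.pna.ps ([213.244.123.84])\n"
    "\tby mx.example.org with esmtp (Exim 4.69)\n"
    "\tid 1Onsd0-0004Yt-Jc\n"
    "\tfor user@example.org; Tue, 24 Aug 2010 13:29:22 +0100\n"
    "Received: from User (unknown [60.18.167.17])\n"
    "\tby mail.pna.ps (Postfix) with ESMTPA id ED6A94476F;\n"
    "\tTue, 24 Aug 2010 15:12:09 +0300 (IDT)\n"
    "From: james roberts <jamesroberts02@sify.com>\n"
    "Subject: JOB OFFER:APPLY IF YOU ARE INTERESTED.\n"
    "\n"
    "body\n"
)

FROM_RE = re.compile(r"\bfrom\s+(?P<helo>\S+)\s+\((?P<inner>[^)]*)\)")
IP_RE = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f.:]+)\]")
BY_RE = re.compile(r"\bby\s+(?P<by>[^\s;]+)")
WITH_RE = re.compile(r"\bwith\s+(?P<proto>[A-Za-z0-9]+)")


def parse_hop(header):
    """Pull the sender name, connecting IP, writing server and protocol from one header."""
    text = " ".join(header.split())  # unfold continuation lines
    hop = {"helo": None, "ip": None, "by": None, "protocol": None}
    sender = FROM_RE.search(text)
    if sender:
        hop["helo"] = sender.group("helo")  # self-declared name, never proof
        ip = IP_RE.search(sender.group("inner"))
        if ip:
            try:
                hop["ip"] = str(ip_address(ip.group(1)))
            except ValueError:
                pass  # bracketed text that is not an IP address
    writer = BY_RE.search(text)
    if writer:
        hop["by"] = writer.group("by").lower()
    proto = WITH_RE.search(text)
    if proto:
        # ESMTPA (RFC 3848) means the client authenticated to the writing server.
        hop["protocol"] = proto.group("proto").upper()
    return hop


def classify_hops(raw_message, own_mtas):
    """Return hops top to bottom, marking which ones our own servers recorded."""
    own = {name.lower() for name in own_mtas}
    message = message_from_string(raw_message)
    hops, in_trusted_run = [], True
    for header in message.get_all("Received", []):
        hop = parse_hop(header)
        # Trust ends at the first header written by a server we do not run;
        # everything below it could have been forged or altered upstream.
        in_trusted_run = in_trusted_run and hop["by"] in own
        hop["trusted"] = in_trusted_run
        hops.append(hop)
    return hops


def handoff_ip(raw_message, own_mtas):
    """IP that connected to our perimeter, taken from the last trusted hop."""
    trusted = [h for h in classify_hops(raw_message, own_mtas) if h["trusted"]]
    return trusted[-1]["ip"] if trusted else None


if __name__ == "__main__":
    for hop in classify_hops(SAMPLE, {"mx.example.org"}):
        label = "verified by our MTA" if hop["trusted"] else "claimed upstream"
        print(f'{hop["ip"]:<16} via {hop["by"]:<16} {hop["protocol"]:<7} {label}')
    print("block/report on:", handoff_ip(SAMPLE, {"mx.example.org"}))
```

With several internal relays listed in `own_mtas`, the same walk returns the address that first connected to the perimeter rather than an internal relay.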
Labels:
Job Offer Scams,
Money Mule,
Palestine,
Scams,
Spam
Friday, 13 August 2010
Weird scam mashup makes little sense
This is a weird mashup of an FBI scare scam and a lottery scam, spelling out very clearly that it is really an advance fee fraud. It makes no sense.. why would the FBI be informing you that you had won the lottery in the UK anyway? Bin it.
From: Federal Bureau Of Investigation <soundsit@btconnect.com>
Date: 2010/8/13
Subject: *Alert*
To:
FEDERAL BUREAU OF INVESTIGATION
Anti-Terrorist and International Fraud Division
601 4th Street NW, Washington, DC 20535
Attn: Beneficiary
RE: AUTHETICATED LOTTERY WINNINGS
This is to officially inform you that it has come to our notice and we have thoroughly completed an Investigation with the help of our Intelligence Monitoring Network System that you legally won the sum of $850,000.00 US Dollars from a Lottery Organization in the United Kingdom. During our investigation we discovered that your e-mail won the Lottery from an online balloting system and we have authorized this winning to be authentic and paid to you via a Certified Cashier's Check. Normally, it will take up to 15 business days for an International Check to be cashed by your local bank. We have successfully come to an agreement with this organization on your behalf that funds are to be drawn from a registered bank within the United States of America so as to enable you cash the check instantly without any delay, henceforth the stated amount of $850,000.00 US Dollars has been deposited with Chase Manhattan Bank.
We have completed this investigation and you are hereby approved to receive the winning prize as we have verified the entire transaction to be Legitimate, Safe and 100% risk free of scams and frauds of any nature, due to the fact that the funds have been deposited at Chase Manhattan Bank you will be required to settle the following bills directly to the lottery claims agent in-charge of this transaction whom is located at the liaison office of the Lottery Organization in Washington, DC. According to our records, you are required to pay for the following:
(1) Deposit Fee's (Fee's paid by the organization for the deposit into Chase Manhattan Bank)
(2) Cashier's Check Conversion Fee (Fee for converting the EFT into a Certified Cashier's Check)
(3) Shipping Fee's (The charge for shipping the Cashier's Check to your nominated destination)
The total amount is $349.99 (Three Hundred & Fourty Nine United States Dollars & Ninety Nine Cents). We have tried our possible best to have the lottery organization deduct the $349.99 from your lottery winning but the funds have already been deposited at Chase Manhattan Bank and cannot be accessed by anyone apart from you the winner. Therefore you will be required to pay the needed funds to your lotto claims Agent in-charge of this transaction. The payment will NOT reflect at the Chase Manhattan Bank with the given transaction code (US8976-003) until you have covered the processing fees needed.
In order to proceed with this transaction, Click Here (ericaclain@gala.net) to contact your claims agent Mrs. Erica Molin .You may be required to call her for verbal verification and e-mail her with the following informations:
FULL NAME:
LOCAL ADDRESS (INCLUDING CITY/STATE/ZIPCODE):
AGE/GENDER/OCCUPATION:
CONTACT PHONE NUMBERS (CELL & HOME):
You will also be required to request details on how to pay up the required $349.99 in order to immediately ship your prize of $850,000.00 USD via Certified Cashier's Check drawn from Chase Manhattan Bank, Also include the following transaction code in order for her to immediately identify this transaction: US8976-003. This letter will serve as proof that the Federal Bureau Of Investigation is authorizing you to pay the required $349.99 ONLY to your claims agent via the information in which she shall send to you upon your request, if you do not receive your winning prize of $850,000.00 US Dollars we shall be held responsible for the loss and this shall invite a penalty of $3,000 which will be made PAYABLE ONLY by you (The Winner).
Robert Anderson, Jr.
Special Agent in Charge
NOTE: In order to ensure your check gets delivered to you ASAP, you are advised to immediately contact Mrs. Erica Molin (ericaclain@gala.net) via contact information provided above and make the required payment of $349.99 to information in which she will provide you.
Labels:
Advanced Fee Fraud,
Lottery Scam,
Spam,
Stupidity
Thursday, 12 August 2010
"Spam King Leo Kuvayev Jailed on Child Sex Charges"
A spammer.. and a kiddy fiddler (allegedly), notable Russian spammer Leo Kuvayev has been jailed on remand on charges of raping 50 children. I hear that Russian prisons are not very nice..
More at Krebs on Security.
Labels:
Spam
Battle.Net / WOW Phish domains
I don't play World of Warcraft or Starcraft.. but lots of people do and Blizzard accounts (used for playing the game online) are often a target for phishers. Why? Well, these accounts can be resold and are worth real money.
This post at the Sunbelt software blog caught my eye.. but knowing that fake WOW / Blizzard sites don't tend to travel alone I did some digging and came up with a whole batch of them on neighbouring IPs.
Registrant details are:
Name : Ji XiaoWei
Organization : Ji XiaoWei
Address : LiShui Dengtalu 25
City : LiShui
Province/State : Zhejiang
Country : CN
Postal Code : 323700
Phone Number : 86-0578-7245132
Fax : 86-0578-7245132
Email : qnpv@163.com
These are all fake, so avoid
Labels:
Phishing,
World of Warcraft
Saturday, 7 August 2010
"Your Free Money with Grants 4 CD Set At Absolutely No Cost From Robert Allen"
I quite enjoy this spammy crap I get from Robert Allen, in all its breathless uselessness, from a company that only rates a D+ from the BBB.
Hello Conrad,
One day we must talk about where you got your mailing list from.
It’s Robert Allen checking in with some MAJOR NEWS for you!
Major news? You've discovered you have some horrible terminal disease that causes you to die through continuous pustulant eruptions? No? Shame.
I am very excited to announce an amazing new program that reveals how anyone can quickly and easily get FREE MONEY from the Government.
What, you want me to become a failed bank?
No technical jargon or complicated procedures, simple, straight forward advice and methods on how to locate the free money that you are entitled to.
Which government is this exactly?
Best of all, you can get your own copy of this hot, new course for free.
Why do I feel that there will be a catch?
Read on … because this is exciting!
This must be a definition of "exciting" that I wasn't previously aware of.
My friend and colleague Rex Hudson just put the finishing touches on his brand new, “FREE MONEY with GRANTS” audio training course, and I’ve convinced him to give you, a free copy of this info packed 4 disc audio library!
How did that go? "Rex, I'd really like to send a free copy of this training course to Conrad!" "Oh Robert, I'm not really sure I want to do that!" "Oh come on Rex, he's a great guy!" "Oh alright then Robert".
Over the course of his long and varied investment career, Rex has held SEC licenses for Stock, Bond, Insurance, Options and Commodities. As an MBA and the VP of Investments for a National Bank he also held a Municipal Bond Principle License and operated as a Registered Investment Advisor. As the investment manager Rex held discretionary investment authority on over $850 Million in assets. The bottom line is Rex knows money!
He's a stockbroker and banker, basically. But now he works for the "Enlightened Wealth Institute" as "Vice President of Training" which is a bit of an interesting career move.
Now you can have a chance to learn from the master – and get his best, proven techniques for getting FREE MONEY from the GOVERNMENT.
I did say he was a banker.
Rex’s FREE MONEY with GRANTS is your one stop source for BILLIONS of dollars that is ready, available, and waiting to be claimed! This easy to listen and easy to follow 4 disc audio program tells you exactly what to do to find your share of this FREE MONEY.
Dollars? Can I have pounds instead?
FREE MONEY with GRANTS audio program contains simple plan for putting cash in your hands. And this is FREE MONEY THAT YOU NEVER HAVE TO PAY BACK!
Champagne does taste so much better when it has been paid for by the taxpayer.
Find out how to get free money grants from Uncle Sam!
Find out how to get free money grants from private foundations!
Find out how to borrow money with government guarantees!
Discover the huge opportunity in selling to the government!
I don't have an Uncle Sam. Wait, Robert.. you didn't think I was American did you?
These are some of the best kept secrets of our government – and now you will know there are BILLIONS OF DOLLARS sitting, waiting to be claimed. And MILLIONS of people are eligible to receive free money from the government.
Honestly, no.. I don't think these are the best kept secrets of the US Government. I mean, they probably even have leaflets and stuff.
The FREE MONEY WITH GRANTS audio program is your ultimate guide to getting your share of free money from the government.
You can keep shouting FREE MONEY WITH GRANTS all you like but you are still not going to convince me. Actually, I'm starting to get a headache now.
Rex’s “FREE MONEY with GRANTS” quick cash program could easily retail $69.95, but in true “Nothing Down” fashion, I’ve arranged for you to get this fantastic new 4 CD audio training course for FREE … not even shipping and handling!
Nearly seventy dollars? Well, you can put whatever price on it you like.. it doesn't mean that it will sell. Look at the bidding wars going on for these items.. oh wait, they're not even shifting for 99 cents. And by "nothing down" I guess you mean that I don't have to pay anything NOW for them.. but what about later?
All you have to do is dial toll free 1-888-384-4047 RIGHT NOW and let me know where to ship your course! That’s it … it’s as simple as that!
Please ship it firmly up your own backside.
I am very excited about Rex’s “FREE MONEY with GRANTS” 4 CD audio training program and I look forward to sending you your FREE COPY!
Wicked!
Massive Success,
Robert Allen
I'll pass if it's OK with you.
P.S. Don’t Wait! Call toll free 1-888-384-4047 RIGHT NOW. This offer is NOT going to last forever. Rex is only allowing us to give away a very limited number of these hot courses. So act now so you don’t miss out! Get your copy today!
Please note that product prices and availability are limited time offers and are subject to change. We respect your privacy. To remove yourself from this mailing list, click http://www.ewimail.com/unsubscribe.aspx or reply to this message with “unsubscribe” as the subject line or write us at Enlightened Wealth Institute, LC, 5072 N 300 W Provo, UT 84604
But apparently you don't respect my intelligence by sending me this crap.
Labels:
Robert G Allen,
Spam
Friday, 6 August 2010
Evil network: MAXHOSTING Services / GlobalNET Bosnia (AS42560 / 77.78.239.0/23)
Labels:
Bosnia,
Evil Network,
Maxhosting,
Russia
"Thank you for scheduling your online payment" email leads to malware
The spammers seem to be busy today, using an old trick of embedding spam in a template lifted from a legitimate business. This particular one is from Chase bank in the US; the key "hook" they use to get people to click is:
Thank you for scheduling your recent credit card payment online. Your ($USD) $117.00 payment will post to your credit card account (CREDIT CARD) on 08/06/2010.
This seems to be exactly the same attack as used here and here, although in this case the intermediate site had already been cleaned up and the malicious payload could not be delivered.
Best Buy "Thank You, Your Anti-Virus Protection Plan has been renewed" email leads to malware
From: Best Buy Subscription Software [mailto:noresponse@softwaresubscription.bestbuy.com]
Sent: 06 August 2010 11:23
Subject: Thank You, Your Anti-Virus Protection Plan has been renewed
Dear [victim]
Your Webroot Spysweeper with AntiVirus Product Protection Plan has been successfully renewed and charged to the credit card you have on file with us. With this automatic renewal, you will continue to have uninterrupted anti-virus software protection on your PC for another year plus these great benefits:
• Best in Class Security Software
• No hassle automatic renewals makes sure that you will never go unprotected
• Receive all version updates free of charge
• Cancel at any time and received a refund for any unused months of protection
• Simple Customer Support, Call 1-888-BESTBUY with any questions
-------------------------------------------------------------
Here are the details of your renewed Protection Plan:
-------------------------------------------------------------
Product: Webroot Spysweeper with AntiVirus Product
Protection Plan: Annual
Best Buy Serial Number: WBR00AV000044180817
Transaction Date: 7/19/2010
Renewal Price: $43.54
If you have any questions about your protection plan or your recent renewal, please contact our Customer Support Team at 1-888-BESTBUY (1-888-237-8289), and ask for the Subscription Software Team.
Thank you again for your business, and being a Best Buy Customer.
Sincerely,
Best Buy Stores, L.P.
Payload and approach seem to be exactly the same as this one, with a Bredolab dropper. Again, it routes through yummyeyes.ru and you should look for the same log entries of .ru:8080 and /x.html to make sure you are clean.
In this case the intermediate step is a hacked site at peninsula.co.nz/x.html but it probably varies.
If you are not in the US, then blocking bestbuy.com at your mail perimeter will do no harm.
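One way to run that log check, as an added example rather than anything from the original post: it scans proxy log lines for requests to a .ru host on port 8080 and for paths ending in /x.html, then lists the clients that show both. The log format, client addresses, example.* hosts and the path on yummyeyes.ru are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed proxy log lines: timestamp, client, method, URL, status.
# Only yummyeyes.ru and peninsula.co.nz/x.html come from the post.
SAMPLE_LOG = [
    "2010-08-06T11:24:50 10.0.0.23 GET http://www.example.com/index.html 200",
    "2010-08-06T11:25:01 10.0.0.23 GET http://peninsula.co.nz/x.html 200",
    "2010-08-06T11:25:02 10.0.0.23 GET http://yummyeyes.ru:8080/placeholder-path 200",
    "2010-08-06T11:30:10 10.0.0.41 GET http://news.example.ru/index.html 200",
    "2010-08-06T11:31:44 10.0.0.57 GET http://shop.example.org/x.html 404",
    "2010-08-06T11:32:00 10.0.0.41 CONNECT intranet.example.com:8080 200",
    "truncated line",
]


def indicators_for(url):
    """Return which of the two log indicators from the post this URL matches."""
    if "://" not in url:  # CONNECT lines carry host:port only
        url = "//" + url
    try:
        parts = urlsplit(url)
        host, port = (parts.hostname or "").lower(), parts.port
    except ValueError:  # malformed port or host
        return []
    hits = []
    if host.endswith(".ru") and port == 8080:
        hits.append("ru_8080")
    if parts.path.lower().endswith("/x.html"):
        hits.append("x_html")
    return hits


def scan(lines):
    """Return one finding per log line that matches at least one indicator."""
    findings = []
    for line_no, line in enumerate(lines, start=1):
        fields = line.split()
        if len(fields) != 5:
            continue  # not in the assumed five-field format
        _timestamp, client, _method, url, _status = fields
        hits = indicators_for(url)
        if hits:
            findings.append(
                {"line": line_no, "client": client, "url": url, "indicators": hits}
            )
    return findings


def clients_with_both(findings):
    """Clients that fetched an /x.html page and also reached a .ru:8080 host."""
    seen = {}
    for finding in findings:
        seen.setdefault(finding["client"], set()).update(finding["indicators"])
    return {c for c, inds in seen.items() if {"ru_8080", "x_html"} <= inds}


if __name__ == "__main__":
    results = scan(SAMPLE_LOG)
    for finding in results:
        print(finding["line"], finding["client"], finding["indicators"], finding["url"])
    print("clients to examine first:", sorted(clients_with_both(results)))
```

A lone /x.html hit is weak evidence on its own, so the per-client correlation is what separates a followed redirect from an unrelated page with the same name.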
"Thanks for planning your event with Evite" mail leads to malware
Thursday, 5 August 2010
"Shifflett Martin Stores" scam
As far as I can tell, there is no such company as "Shifflett Martin Stores", although there may be legitimate companies with a similar name, but this particular job offer is a fraud.
The insistence that potential employees / victims have a bank account with either Wells Fargo or Wachovia indicates that they will probably be accepting wire transfers from bank accounts where the password has been stolen (because transfers between accounts in the same bank are usually immediate).
From: Ceaser <marrrtttiii@yahoo.com>
Reply-To: gapstarrrss11@aol.com
Date: 5 August 2010 07:29
Subject: Help Wanted
I am Ceaser Martin, owner of Shifflett Martin Stores I seek an online virtual assistant to accept payments on my behalf in the United States of America. Requirements **Applicants must have a Wells Fargo or Wachovia bank account*** You are also eligible to apply if you can open a new Wells Fargo or Wachovia account. Great pay (15% of each payment processed), flexible and will not affect your present employment. Interested and meet the requirements? Send Full Names, Address, Direct Telephone Number and email address to gapstarrrss11@aol.com
Originating IP is 80.8.199.189, an open proxy in Réunion of all places.
Labels:
Money Mule,
Scams
Wednesday, 4 August 2010
"Anatomy Of An Attempted Malware Scam"
If you work in IT Security then malicious ads are a regular pain in the backside.. and you probably wonder why "reputable" ad networks get talked into running them. This article is possibly the best thing I have read on the problem, written from the ad network's point of view. It seems the Bad Guys do go to extraordinary lengths to try to look genuine, but sometimes the simplest checks can reveal that they are not what they seem.
Hat Tip
Labels:
Malvertising
Friday, 30 July 2010
Evil network: Microlines (microlines.lv), AS2588 (79.135.128.0/19)
Latvia seems to be getting a bad reputation for supporting criminal activity. The latest accomplice is Microlines (microlines.lv) who mix in a large number of bad sites with a few legitimate ones.
Their netblock AS2588 (79.135.128.0/19) actually ranges from 79.135.128.0 - 79.135.159.255, although the badness is concentrated in 79.135.152.0/24; all legitimate web sites are hosted outside of that /24.
I used the MyWOT API to query the reputation of the hosted domains, and it shows a clear differentiation between the /24 and the rest of the /19. You can download a CSV of the analysis from here.
Out of 157 domains looked at, 4 (2.5%) were rated "excellent", 3 (1.9%) were rated "good", 43 (27.4%) were unrated and 107 (68.1%) were "very poor". You might want to block the whole /19 on that basis; certainly you should block 79.135.152.0 - 79.135.152.255 at the very least.
A list of bad domains to block:
Labels: Evil Network, Latvia
"Toyton Ltd" / todayisp.com / dboxs.org scam
We've seen this scam before: an alleged Chinese registrar claims that someone is buying a domain name similar to the one that you want, in an attempt to scare you into buying overpriced domains that you do not need.
From: owen@dboxs.org
To: help@[domain name redacted]
Date: 30 July 2010 06:16
subject: [domain name redacted]
Dear [domain name redacted] team,
Our organization received a formal application from a company who is called Toyton Ltd are applying to register "[domain name redacted]" as their domain name and Internet keyword. In order to prevent cyber piracy,Please explain:
1: Whether this company is your IT supplier or distributor.
2: Whether you are interested in registering these domains first to preservation your company’s brand. (.cn .com.cn .net .asia .eu and keyword etc…)
We are now obligated to inform you this issue ,So we will handle the next step after this audit procedure. Pls understand.
Best regards
Owen
Mww Group
Internet: www.todayisp.com
Internet: www.dboxs.org
Email: Owen@dboxs.org
Confidentiality Statement:
The information in this email is confidential and may be legally privileged. It is intended solely for the addressee. Access to this email by anyone else is unauthorized. If you are not an intended recipient, any disclosure, copying, distribution, or other action taken or omitted to be taken in reliance on it, is prohibited and may be unlawful. If you have received this message in error please be advised of your obligation to immediately notify sender of the error in transmission, and to destroy all associated documentation.
I always love confidentiality statements on spam!
Both domains are Chinese registered and are hosted in Hong Kong. The email comes from a Chinese IP address.
Registrars are not responsible for checking trademarks. If they were, then domain registration would take days and cost a fortune. This is simply an attempt to rip you off.
Thursday, 29 July 2010
freead.name / mybar.us / toolbarcom.org / adsnet.biz
A slightly novel attack, found injected into a JavaScript library and using freshly-registered domains. The attack uses obfuscated JavaScript to send visitors to one of the following domains: myads.name, adsnet.biz, toolbarcom.org, mybar.us, freead.name. To the front of the domain is appended one of the subdomains vagi., vain., vale., vars., vary., vasa., vaut., vavs., viny., viol., vrow., vugs., vuln.
Despite all the combinations (a list is at the bottom of the post if you want to paste it in somewhere), there are only a small number of IP addresses involved:
All of those IPs belong to C I Host; some seem to have legitimate sites hosted on them.
Only one domain (mybar.us) is not anonymised:
Registrar URL (registration services): www.publicdomainregistry.com
Domain Status: clientTransferProhibited
Registrant ID: DI_11638984
Registrant Name: Andrew Black
Registrant Organization: N/A
Registrant Address1: 555 Taylor Rd.
Registrant City: Enfield
Registrant State/Province: Connecticut
Registrant Postal Code: 06082
Registrant Country: United States
Registrant Country Code: US
Registrant Phone Number: +860.7492291
Registrant Email: dday.rabbit@gmail.com
Registrant Application Purpose: P1
Registrant Nexus Category: C11
Although the address and phone number are no doubt fake, the email address of dday.rabbit@gmail.com is known.
The next hop uses a subdomain of a legitimate domain registered at GoDaddy that appears to have been phished: out.outdoorkitchendistributors.com - this site is hosted on 94.75.243.31.. it's just worth pausing to note that the legitimate domain specchart.com also appears to have been hijacked via a GoDaddy phish and moved to this server.
The endpoint is a Java exploit on a server at 79.135.152.194 belonging to microlines.lv (AS2588 / 79.135.128.0/19) which appears to be a pretty evil network. How the hell they got a /19 is a mystery when I can't see any verifiably legitimate sites.
If you want to block the intermediate domains, they are:
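The prefix-plus-domain scheme described at the top of this post, and the 79.135.128.0/19 versus 79.135.152.0/24 split from the microlines.lv post, can be checked against proxy or DNS logs with one pattern and two netblocks. This is an added example, not code from the original post; the four-field log format, the sample lines and the "block"/"review" labels are assumptions.

```python
import ipaddress
import re

# Indicators quoted in the posts' own text.
PREFIXES = "vagi vain vale vars vary vasa vaut vavs viny viol vrow vugs vuln".split()
BASE_DOMAINS = ["myads.name", "adsnet.biz", "toolbarcom.org", "mybar.us", "freead.name"]
NET_19 = ipaddress.ip_network("79.135.128.0/19")  # whole allocation
NET_24 = ipaddress.ip_network("79.135.152.0/24")  # where the badness is concentrated

# Anchored at both ends so look-alikes like vagi.adsnet.biz.example.com don't match.
HOST_RE = re.compile(r"\A(?:%s)\.(?:%s)\.?\Z" % (
    "|".join(PREFIXES), "|".join(re.escape(d) for d in BASE_DOMAINS)), re.IGNORECASE)

def classify(host, dest_ip):
    """Return the reasons a (hostname, destination IP) pair is suspect."""
    reasons = []
    if HOST_RE.match(host.strip()):
        reasons.append("redirector-host")
    try:
        ip = ipaddress.ip_address(dest_ip)
    except ValueError:
        return reasons  # unparseable address: hostname verdict only
    if ip in NET_24:
        reasons.append("block:79.135.152.0/24")
    elif ip in NET_19:
        reasons.append("review:79.135.128.0/19")
    return reasons

def triage(log_text):
    """Return (line_no, host, dest_ip, reasons) for every suspect log line."""
    hits = []
    for line_no, line in enumerate(log_text.splitlines(), 1):
        fields = line.split()
        if len(fields) != 4:  # skip malformed lines
            continue
        reasons = classify(fields[2], fields[3])
        if reasons:
            hits.append((line_no, fields[2], fields[3], reasons))
    return hits

# Constructed sample log: timestamp, client, requested host, destination IP.
SAMPLE_LOG = """\
2010-07-29T09:14:02 10.0.0.21 vagi.adsnet.biz 192.0.2.10
2010-07-29T09:14:03 10.0.0.21 VULN.MyBar.US. 192.0.2.11
2010-07-29T09:14:05 10.0.0.21 unknown.example 79.135.152.194
2010-07-29T09:15:40 10.0.0.37 www.example.org 79.135.130.7
2010-07-29T09:16:30 10.0.0.40 vagi.adsnet.biz.example.com 79.135.160.1
malformed line
2010-07-29T09:17:01 10.0.0.40 vary.freead.name 79.135.152.194
"""

if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(hit)
```

Addresses in the /19 but outside the /24 are only flagged for review here, since the microlines.lv post places the legitimate sites outside the /24.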
Labels: Injection Attacks, Latvia, microlines.lv
Phishing domains on M247 Ltd
I had never heard of M247 Ltd until today, when their network came up as providing infrastructure for this scam. A few IPs over from that server is another one at 89.238.165.197 which contains three phishing sites:
Ibloqin.com
Lloydststb-offshore.com
Nbtibank.com
The sites are currently only displaying "Suspended" if you visit them.. this means nothing though, and it's a fairly common scammer technique to disguise that the site is active. Avoid.
Update: apparently these have now been nuked from orbit.
Labels: Phishing
"eurjobs.org" fake job offer
There are a lot of these going on at the moment; this is another fake job offer trying to rope unsuspecting applicants into doing something illegal.
Date: 29 July 2010 08:23
Subject: Representatives Wanted
Civilities
I am a manager of the HR department of a large multinational company. Our company covers a wide range of businesses:
- supporting business in Europe and other countries
– bank accounts opening and maintenance
– private undertaking services
– etc.
There are vacant positions of regional managers in Europe:
- salary 2.400 dollars + bonus
- 1-2 working hours per day
- flextime
If our offer is interesting for you send us the below information on our e-mail address:
h r @ e u r j o b s . o r g [please delete spaces before sending]
Full name:
Country:
E-mail:
Mobile phone-number:
Attention! We need European residents only.
Please provide you name and contact information in order we can find you for further communication.
The domain is currently not resolving, and is registered to a fake address in the WHOIS details. Perhaps of some interest are the two nameservers for the domain:
ns1.usaportall.com [89.238.165.212 - M247 Ltd, Manchester, UK]
ns2.usaportall.com [191.184.23.131 - Apparently invalid IP allocated to LACNIC]
The no doubt fake registrant details are:
Kacie Cheverton
105 FOREST DR
CATONSVILLE, MD 21228
US
Phone: +1.4105668199
Email: roller@consultant.com
Anyway, beware of unsolicited job offers from people you don't know and can't verify, unless you like prison food.
Labels: Job Offer Scams, Lapatasker, Money Mule, Scams, Spam
Wednesday, 28 July 2010
"west-epec.com" fake job offer
This is some sort of money laundering or parcel reshipping scam. The domain west-epec.com was registered just yesterday but it appears not to be resolving properly.
Date: 28 July 2010 13:36
Subject: vacancy #876
I am writing to you in the name of the corporation the Human Resources department of which I represent.
Our enterprise has a lot of different lines of business.
-real property
-business support
-company dissolution
-private firm service
-etc
There is a vacancy of a Regional manager in Europe:
-compansation package 2.300 euro +bonus
-taskwork
- 'open-leave' schedule
If you have an intention to cooperate with our company, please send your contact information on our e-mail: Darla@west-epec.com
First Name:
Country of living
City
mail address:
Contact telephone number
Remark! Applicants with the permission to work in Europe!
Please let us know you contact information.
Our manager will contact you to provide answers for the questions you are interested at and invite you for brief interview.
The WHOIS details are probably fake, but consistent with a large number of other fake job websites.
Aleksandr Lapatau
Email: lapatasker@earthling.net
Organization: Private person
Address: Lenina, 34, 8
City: Minsk
State: Minskaya
ZIP: 456123
Country: BY
Phone: +375.172427204
A Google search for that email address shows lots of similar sites. Avoid.
Labels: Job Offer Scams, Lapatasker, Money Mule, Scams, Spam
LAPO LOAN COMPANY LIMITED
Scams evolve in much the same way as plant or animal life. Unsuccessful scams become extinct; very successful ones tend to explode in numbers to the point of overpopulation. In between are a number of scams that inhabit ecological niches where there is just enough return to make them worthwhile.
From: LAPO LOAN COMPANY LIMITED. <lapo.loancompany1@gmail.com>
Reply-To: lapo.loancompany1@gmail.com
Date: 28 July 2010 04:07
subject: (Loan Transfet Updated)
Do you need a loan to pay off your bills and clear off your debt? Do you
have an urgent loan or a business loan? You are refused a loan from your
bank or any financial firm? Do you need a loan to pay off your bills or
buying a house? Do you need a loan to start a business? Get anaffordable
loan at a low interest rate of 3%, contact us at:
lapo.loancompany1@gmail.com
Your Name:
Loan Amount:
Loan Duration:
Your phone number
E-mail: lapo.loancompany1@gmail.com
Obviously it's dodgy.. how many loan companies use a free Gmail address? Digging deeper shows that this originates from 41.217.220.212 (mail.zimele.net) in Kenya. What you can't tell is that the email address has been harvested from a data breach (either accidental or deliberate) at 0catch.com.
Now, most novice users won't know how to inspect mail headers or be able to trace back where the email address came from, but the Gmail thing is a huge red flag. But honestly, the whole pitch is frankly sloppy, badly spelled and unbelievable.. but the thing is that people must fall for this scam (presumably an Advanced Fee Fraud or identity theft gig) from time-to-time, else the scammers wouldn't persevere with it.