Those of you who know Microsoft patch levels probably already treat "Important" patches with a shrug, because the really important ones are always "Critical". So when Microsoft does an out-of-band patch only rated as "Important" then there's something not right going on.
Well, MS10-070 is one such patch, and to be brutally brief it means that IIS servers are vulnerable to an information disclosure attack.. very bad news if you are running IIS.
The ISC have more here, but be sure to read the comments.. because this one is looking like a complete fragging disaster zone..
Tuesday, 28 September 2010
Monday, 27 September 2010
"United Nation Bonded Warehouse Wales" scam
An obvious scam, but one that's really quite stupid:
From: AHMED SALEH ABDUL KHALEQ SLAEH ALAFIFI <info@khaliq.com>
Reply-To: khaliqalifi@iol.pt
Subject: ASSALAMUALAIKUM
From AHMED SALEH ABDUL KHALIQALIFI,.
United Nation Bonded Warehouse wales Branch.Office..........
What? Where? Actually, the UN does run warehouses, primarily for aid efforts (there's a list of jobs here) usually in areas suffering from disasters or war.. I don't think a Friday night in Swansea counts. But a bonded warehouse is not the same thing at all..
SALAM,
Dried sausage to you, too.
This is AHMED SALEH ABDUL KHALIQALIFI , Presently stationed with the possition of assistant Manager as a trusted store-keeper herein United Nation Bonded WareHouse Wales Branch ..Office, Division in South West of Great Brintain . I will like to share some very vital information that would bring some good financial returns to us in just a few weeks or days depending on how fast we pursue the matter.I am seeking your assistance to evacuate unclaimed valuable property to your safe custody, as long as I can be assured that it will be safe in your care until i complete my service here
Why do I think that "trusted" is not the right word when you are basically offering me something that you have stolen? And Wales is in the "South West of Great Brintain"? That's somebody who has a very badly spelled atlas that they don't really understand. Oh yes, and if you're in Wales, why is the sending IP address 110.159.18.181 in Malaysia?
This may not be the best medium to make this kind of contact because of the numerous scam offers transmitted through the Internet, but it is all I have access to for now.
Well, I'm glad you pointed that out because I totally believe that it's not a scam now. Tell you what, Wales is a couple of hours drive.. why don't I pop over with a van or something?
I will be very grateful if you can give me the opportunity to discuss this matter with you by assuring me that you will not use any part of it against me in anyway, I hope you understand my limitations here. I will await a mail from you.
What, like publishing your pathetic scamming effort onto teh interwebs?
Sincere Regards,
I think you need to double check the meaning of "sincere.."
AHMED SALEH ABDUL KHALIQALIFI.
Friday, 24 September 2010
position-gb.com / position-west.com fake job offer
Part of a long series of fake job offers, this one uses the domains position-gb.com and position-west.com to solicit replies. In this case "bank account operations" is money laundering, "transportation and logistics" is most likely a parcel reshipping scam and "private enterprise service" could be one of a number of criminal activities. Avoid.
Date: 24 September 2010 12:56
Subject: Re: CV 62
Greetings
I am a manager of the HR department of a large multinational company.
Our enterprise is connected with a great number of various activities, like:
- property
- bank account operations
- transportation and logistics
- private enterprise service
- etc.
We need employees in Europe:
- salary 2.500 euro + bonus
- 1 - 2 working hours per day
- free timetable
If our offer is interesting for you email us the required information: Chandra@position-gb.com
Name:
Surname:
City:
E-mail:
Telephone Number:
Note! We are searching Europeans only!
Labels:
Lapatasker,
Money Mule,
Scams,
Spam
Wednesday, 22 September 2010
Evil network: VLine Ltd / VLINERU2-NET AS39150 (109.196.128.0/20)
Labels:
Evil Network,
Russia,
Vline Ltd
Tuesday, 21 September 2010
FirearmsForYou.com and the Chinese connection
Automated link exchange requests are annoying, but usually easily dealt with by binning them. This idiot decided to send me the same spam 25 times..
From: James <linkmanager@firearmsforyou.com>
Subject: Link Exchange Proposal from FirearmsForYou.com
Hello Webmaster,
I am seeking out possible link partners to offer as a resource to our site's visitors. I've found your website http://www.dynamoo.com and its information and advice to be a great service and I am interested in exchanging links with you.
Please consider adding our link to your site on the following page:
http://www.dynamoo.com/orange/links.htm
Our linking details:
Anchor text: Guns Online
URL: http://www.firearmsforyou.com/
Description: Buy guns online from a trusted source. Firearms For You has the largest selection of firearms and accessories.
[snip]
Guns Online Buy guns online from a trusted source. Firearms For You has the largest selection of firearms and accessories.
Your link will be added in the best category here http://www.firearmsforyou.com/resources/index.html
Please send me your site details and I will add your link as soon as possible.
I hope for an early and positive response from you.
Best Regards,
James
FirearmsForYou.com
9831 E. Bell Road Suite 110
Scottsdale, AZ 85260
Note: If you would like not to receive any further communications from me, please paste this link into your browser: http://www.firearmsforyou.com/resources/unsubscribe.html?id=[snip]
Or simply respond to this email with Remove as the subject.
OK, he's an idiot who sells assault rifles, but Scottsdale is over 5000 miles away, so I feel quite safe calling "James" (if that is his name) an idiot.
Now, if Americans want to take pot shots at each other with military grade weapons then it is up to them, pro-gun people will argue that it's their constitutional right to bear arms as American citizens.
But dig a little deeper, and these emails originate from 202.181.174.45 in Hong Kong.. which is part of China.. who are Communists, remember? It all looks a bit un-American to me..
Monday, 20 September 2010
The incredibly dangerous world of browser prefetch
Perhaps I've been living under a rock, but this apparently has been a suicidally stupid feature built into Firefox for some time, though it seems to be seldom used.
It started with a short spam apparently advertising a fairly well known black hat forum for hackers and illicit trades. It's not the sort of place that would choose to advertise itself though (it is strictly by invitation only), so quite possibly this is a Joe Job by one set of black hatters against another.
Now I guess that many recipients will have done the same thing, and typed the name of the site into Google to find out about it.. under the assumption that they'll find something that doesn't involve visiting the spamvertised site itself. But if you're using Firefox (and this possibly applies to IE8 and IE9 too), then the following message pops up:
Secure Connection Failed
-----------.com:443 uses an invalid security certificate.
The certificate is not trusted because it is self signed.
(Error code: sec_error_untrusted_issuer)
It could be a problem with the server's configuration or it could be someone trying to impersonate the server.
If you have connected to this server successfully in the past the error may be temporary and you can try again later.
Right at this point I kicked myself because I thought I had accidentally clicked through. But no... the certificate error was showing on the Google search page and I hadn't clicked through at all.. so why was Google trying to load the page and showing the HTTPS error because of the invalid certificate?
The answer lies in prefetch - a combination of a tag on the site, Google and the default browser configuration meant that the browser tried to automatically load content from the bad site just by Googling for something.
Link prefetching (and how to turn it off) is explained in this FAQ or this HOWTO guide.. if you are using a Mozilla-based browser then go and turn it off NOW by going into about:config and setting network.prefetch-next to false.
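The "tag on the site" that the post refers to is a `<link rel="prefetch" href="...">` hint, which Firefox (with network.prefetch-next at its default) follows without any click. As an added illustration, not code from the original post, here is a small Python audit script that pulls those hints out of a page and reports the ones pointing at a host other than the page's own, since those are the fetches that hand your IP address to a third party. The HTML it runs over is constructed and every hostname is a `.invalid` placeholder; treating `dns-prefetch`, `preconnect` and `prerender` the same way as `prefetch` is my assumption, the post only discusses `prefetch`.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# rel="prefetch" is the Firefox behaviour discussed in the post. The other three are
# later, related hints that also make the browser contact a host before any click;
# auditing them alike is an assumption of this example, not something the post states.
EARLY_FETCH_RELS = {"prefetch", "dns-prefetch", "preconnect", "prerender"}


class LinkHintParser(HTMLParser):
    """Collects (rel, absolute-url) pairs for every <link> carrying an early-fetch hint."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.hints = []

    def handle_starttag(self, tag, attrs):
        if tag != "link":
            return
        attrs = dict(attrs)
        href = attrs.get("href")
        if not href:
            return
        # rel may hold several space-separated tokens, e.g. rel="prefetch prerender".
        for rel in (attrs.get("rel") or "").lower().split():
            if rel in EARLY_FETCH_RELS:
                self.hints.append((rel, urljoin(self.page_url, href)))


def cross_origin_hints(html, page_url):
    """Return [(rel, url, host)] for hints whose host differs from the page's own host.

    Those are the fetches that reveal the visitor's IP address to a third party
    without a click (and, for an https target, start the TLS handshake that
    produced the certificate error quoted in the post).
    """
    parser = LinkHintParser(page_url)
    parser.feed(html)
    own_host = urlsplit(page_url).hostname
    found = []
    for rel, url in parser.hints:
        host = urlsplit(url).hostname
        if host and host != own_host:
            found.append((rel, url, host))
    return found


# Constructed search-results-style page; every hostname is a placeholder.
SAMPLE_PAGE_URL = "https://search.example.invalid/results?q=something"
SAMPLE_HTML = """
<html><head>
  <link rel="stylesheet" href="/static/site.css">
  <link rel="prefetch" href="https://first-result.example.invalid/landing.html">
  <link rel="prefetch" href="/results?page=2">
  <link rel="dns-prefetch" href="//ads.example.invalid">
</head><body><a href="https://first-result.example.invalid/">first result</a></body></html>
"""

if __name__ == "__main__":
    for rel, url, host in cross_origin_hints(SAMPLE_HTML, SAMPLE_PAGE_URL):
        print(f"{rel:12s} -> {host}  ({url})")
```

Run against the sample page it reports the two off-site hints and ignores the stylesheet and the same-origin "page 2" prefetch; the same scan over a real results page is a quick way to see what your browser would have fetched had prefetching been left on.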
So why is it so dangerous? Have there been any cases of malware using link prefetching to spread? Not as far as I know.. although it might be theoretically possible. The danger is that you have just revealed your IP address without knowing it..
Let's look at a particular scenario where this can be used. Let's say the attacker is targeting a victim who is using an unidentifiable email address, and the attacker wants to find that victim's IP to tie them down to a location or organisation. In this scenario, the victim is not stupid.. they don't click on links in spam, they don't reply to untrusted messages, never send read receipts and they don't load external images in their mail client.. but the attacker uses social engineering to send an email with details that the victim might Google (for example a telephone number). The victim may then search for references on Google and even without clicking on anything, the prefetch may reveal their IP address.
Alternatively, prefetch could be used to download illegal content onto a target machine without the victim knowing about it, or there are probably several other ways in which it can be abused.
So it's hard to tell if the original spam was a Joe Job, or someone using prefetch to collect IP addresses for evil purposes. But I'll bloody well keep the prefetch switched off in future..
Sunday, 19 September 2010
"hello / how are you?" mystery spam
I'm probably not alone in receiving a shedload of spam with the subject "hello" and the only content of "how are you?" A quick look at my spam filters shows hundreds of these with a small number getting through, presumably because filters are having a hard time blocking on this little data.
It's hard to be sure exactly what it is, but it reminds me of the mystery "podmena traffica test" spam from last year that appeared to be a widescale enumeration of mail systems that allowed spoofing, and those that blocked it. So, this could well be something similar.. an enumeration attempt to see which mailboxes DON'T reject a tiny, simple message like this, and then to use that data in the future to target those mailboxes.
"OK", you may be asking.. "why would you do that if you have the almost unlimited computing power of a botnet at your hands? Why would you need to be selective in your spamming when it doesn't cost you anything?"
One good reason to attack only valid mailboxes with spam and not go for a scattergun "directory harvesting" attack is that mail spam filters specifically look for directory harvesting attacks and then block them and use the data to identify the characteristics of the spam attack. By acting more stealthily, it might be possible to avoid detection for longer and get a higher deliverability rate for spam.
Well, that's a theory anyway.. the best that I can come up with. Any ideas?
Added: here's another idea - the spammer could be looking for vulnerable mail servers to exploit later, this is a data collection phase to be followed by something evil. Or it could just be a weird prank, of course.
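An added example, not from the original post, of what the two patterns discussed above look like as detection code. The first function flags the scattergun directory-harvest behaviour that mail filters already key on (one source, many guessed names, mostly rejected). The second looks for the stealthier thing the post speculates about: the same tiny message arriving from many different sources, each to a mailbox that accepts it, so that no single delivery looks suspicious. The records are constructed, simplified tuples rather than any real MTA's log format, the addresses are RFC 5737 documentation ranges and `.invalid` placeholders, and the thresholds are arbitrary starting points.

```python
from collections import defaultdict

# Constructed, simplified delivery records (not a real MTA's log format):
# (client_ip, recipient, subject, body_bytes, accepted)
SAMPLE_RECORDS = [
    # Scattergun directory harvest: one source guessing names, mostly rejected.
    ("198.51.100.7", "alice@example.invalid", "hi", 12, True),
    ("198.51.100.7", "aaron@example.invalid", "hi", 12, False),
    ("198.51.100.7", "abby@example.invalid", "hi", 12, False),
    ("198.51.100.7", "adam@example.invalid", "hi", 12, False),
    ("198.51.100.7", "albert@example.invalid", "hi", 12, False),
    ("198.51.100.7", "alex@example.invalid", "hi", 12, False),
    ("198.51.100.7", "amy@example.invalid", "hi", 12, False),
    ("198.51.100.7", "bob@example.invalid", "hi", 12, True),
    # Low-and-slow probe: the same tiny message from many sources, each to one
    # mailbox that exists, so every single delivery looks innocent on its own.
    ("203.0.113.10", "alice@example.invalid", "hello", 12, True),
    ("203.0.113.11", "bob@example.invalid", "hello", 12, True),
    ("203.0.113.12", "carol@example.invalid", "hello", 12, True),
    ("203.0.113.13", "dave@example.invalid", "hello", 12, True),
    # Ordinary correspondence for contrast.
    ("192.0.2.20", "alice@example.invalid", "Re: invoice 4471", 1843, True),
    ("192.0.2.21", "bob@example.invalid", "Re: invoice 4471", 2210, True),
]


def directory_harvest_sources(records, min_attempts=5, min_reject_ratio=0.6):
    """Client IPs that tried many recipients and were mostly rejected: the per-source
    pattern a filter's directory-harvest detector keys on. Thresholds are illustrative."""
    attempts = defaultdict(int)
    rejects = defaultdict(int)
    for ip, _rcpt, _subject, _size, accepted in records:
        attempts[ip] += 1
        if not accepted:
            rejects[ip] += 1
    return sorted(ip for ip, n in attempts.items()
                  if n >= min_attempts and rejects[ip] / n >= min_reject_ratio)


def tiny_message_campaigns(records, max_bytes=64, min_sources=3, min_recipients=3):
    """Tiny, identically-titled, accepted messages spread over many sources and many
    mailboxes. Per-source counters never fire on this; it only shows up when you
    group by message rather than by sender."""
    groups = defaultdict(lambda: {"sources": set(), "recipients": set(), "accepted": 0})
    for ip, rcpt, subject, size, accepted in records:
        if size > max_bytes or not accepted:
            continue
        g = groups[subject]
        g["sources"].add(ip)
        g["recipients"].add(rcpt)
        g["accepted"] += 1
    return {
        subject: {"sources": len(g["sources"]),
                  "recipients": len(g["recipients"]),
                  "accepted": g["accepted"]}
        for subject, g in groups.items()
        if len(g["sources"]) >= min_sources and len(g["recipients"]) >= min_recipients
    }


if __name__ == "__main__":
    print("directory-harvest sources:", directory_harvest_sources(SAMPLE_RECORDS))
    print("tiny-message campaigns:", tiny_message_campaigns(SAMPLE_RECORDS))
```

On the sample data the per-source check catches 198.51.100.7 and nothing else, while the "hello" probe only appears in the second function's output; that gap between the two is the stealth advantage the post describes, and closing it means correlating by message content across sources rather than counting per sender.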
Labels:
Spam
Friday, 17 September 2010
Networking4Africa.com - scam, spam or Joe Job?
Labels:
Networking4Africa.com,
Scams,
South Africa,
Spam
Thursday, 16 September 2010
Krebs pwnage
Brian Krebs is on the trail of some questionable activities involving an outfit called ePassporte. Now, for those of you who don't know who Brian Krebs is, he's a former Washington Post journalist.. and when he publishes things, things happen.. so the articles are always worth a read if you're interested in information security.
What caught my eye though was this part: "Elias declined to give me his e-mail address, saying I should be able to find it if I really were an investigative reporter."
You can probably guess what happens next..
Thursday, 9 September 2010
Evil network: MAXHOSTING Services, kfppp.com and the BBC Radio 3 compromise
MAXHOSTING are a fairly prolific evil network that I profiled last month, so it isn't a huge surprise to see that the evilness continues as normal.
But one thing that made MAXHOSTING stand out today was their involvement in an apparent compromise on the BBC's website, as reported by The Register. Google have labelled the BBC's Radio 3 subsite as being potentially dangerous:
Safe Browsing
Diagnostic page for bbc.co.uk/radio3
What is the current listing status for bbc.co.uk/radio3?
Site is listed as suspicious - visiting this web site may harm your computer.
Part of this site was listed for suspicious activity 2 time(s) over the past 90 days.
What happened when Google visited this site?
Of the 15 pages we tested on the site over the past 90 days, 4 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2010-09-09, and the last time suspicious content was found on this site was on 2010-09-09.
Malicious software is hosted on 1 domain(s), including kfppp.com/.
1 domain(s) appear to be functioning as intermediaries for distributing malware to visitors of this site, including z145235.infobox.ru/.
This site was hosted on 1 network(s) including AS2818 (BBC).
Has this site acted as an intermediary resulting in further distribution of malware?
Over the past 90 days, bbc.co.uk/radio3 did not appear to function as an intermediary for the infection of any sites.
Has this site hosted malware?
No, this site has not hosted malicious software over the past 90 days.
How did this happen?
In some cases, third parties can add malicious code to legitimate sites, which would cause us to show the warning message.
So, what do we know about kfppp.com? Well, it was registered one day ago via black hat domain registrar BIZCN to a fake registrant, and is hosted on a server at 77.78.240.253, which is in Maxhosting's range.. so obviously this is nothing good.
The trouble is that the BBC site seems clean and it is not apparent where the infection is coming from, but the BBC site does carry ad banners for non-UK visitors, and it seems possible that a malvertisement somewhere is to blame. Although Google does sometimes make false positives, this particular report is very specific and I tend to believe that the BBC Radio 3 site is (or was) compromised with malicious code.
A full breakdown of current sites, IP addresses and MyWOT reputations can be downloaded from here.
The best advice is to completely block traffic to 77.78.239.x and 77.78.240.x (or better still, the 77.78.224.0/19 parent block), or block traffic to the domains below.
Divambee35.net
Eagen85.net
Forceclub-us.com
Forceclub-us.net
Indep29.com
Investbabaika.com
Janoodle6.net
Levelin29-online.com
Levelin29-web.com
Levelin29.biz
Levelin29.com
Levelin29.net
Levelin29.org
Levelin29.us
Secsslup.com
Trazi.in
Zabil.in
Search-static.org
Vostokgear.org
The-funny-world.info
Francecore.com
Genreystick.com
Grand-vitaro-club.com
Odistanyachts.com
Statxonline.com
Xsbot.net
Planopetroleumteam.com
Acunetxweb.net
Gvist.org
Gvistello.net
Dottasink.net
Nowisisdudescars.com
Vancouvererrorsonfile.com
Whereisdudescars.com
Zettapetta.net
Google-server09.info
Google-server10.info
Google-server11.info
Google-server12.info
Google-server14.info
Google-server29.info
Google-server31.info
Google-server41.info
Google-server42.info
Google-server43.info
Jhuiuhxfgxhlfkjhjth.info
Jhuiuhxfgxhtfkjhjth.info
Jhuluhxfgxhlfkjhjth.info
Top-teen-porn.info
Traxbax.com
Gumile.in
Pro100-soft.net
Geerht.com
Ruslan7777.com
Hyporesist.com
Installs.tv
Thefriends-place.info
Thefunny-world.info
Easy-answers.info
Theeasy-answers.info
Vstils.ru
Clickwebanalitick.com
Hotporncatalog.com
Ns3emeringo.com
Thevipbuyconterst.com
Youngirlsactions.com
Ciougmxehgjesk.com
Kingdol.com
Pcf-osow.com
Pw2.info
Reservus.com
Server90.org
Homesiteuk.com
Narmedic.org
Pp24.biz
403403.net
Firmar.org
Cebere.net
Cebere.org
Ceberz.net
Ceberz.org
Ceterz.biz
Eccinput.com
Faststat.biz
Mainstatserver.com
Bestviewbar.net
Thestatserver.com
Angelx.info
Deltav.info
Fantasyv.info
Fantasyx.info
Francisx.info
Freel.info
Freev.info
Jeffreyl.info
Lmailing.info
Millionsincomingfrom.biz
Weaponx.info
Xcorps.info
Checkege.ru
Otvetege.ru
Sdalege.ru
Stylysxvk.ru
Vkxstile.ru
1-aa.com
Atringroup.com
Awejkgf.com
Winterleaf.org
Free-pac.net
Tsbd1984.com
Fornaticumlili.biz
Dwnld0020.com
Spmfb2299.com
Thephotos-galleries.info
Hosting-backup.org
Darksiti.net
Asmatrin.com
Mvk.net.ru
Mynewspages.com
Newsdownloads.cn
Nvk.net.ru
Rsite.net.ru
Supercarsinfo.net
Vkhost.net.ru
Webvk.net.ru
Sec-stats.org
Eu-analytics.com
Google-stat.org
Auto-russo-trah.com
55echosend.com
66kooum.com
Avilantup.com
Bytrin.com
Club-world-auto.org
Erityng.com
Govenablog.org
Grebtiklop.com
Hercegovinablog.org
Horsebloggovena.org
Horseblogovena.org
Horsegovena.org
Janesblog.org
Nikranox.org
Roxenda.com
Zrefkilops.com
Activateoursoft.com
Graymageds.com
Orangeosol.com
Yellowaven.com
3423254353446.org
Myteen2011.com
Onrpg-cdn.com
Sed-machinery.com
Helpsupport.biz
Connectionsupport.org
Cansbass.com
Cheni.in
Coani.in
Decdo.in
Jaddf.com
Baffyko.com
Ddret.com
Fgtre.com
Gddff.com
Kkrrn.com
Poiiu.com
Rtyyv.com
Ssadf.com
Ssweq.com
Yyeed.com
Yyutr.com
Ghdre.com
Kvxxr.com
Rchjj.com
Krnnt.com
Kvccg.com
Rcggu.com
Rcsss.com
Wrrrt.com
1host4me.ru
Fun-gsm.ru
Labels:
Bosnia,
Evil Network,
Malvertising,
Maxhosting
Monday, 6 September 2010
Tainted network: InterWeb Media / Gogax.com AS21793 (76.76.96.0/19)
Labels:
Evil Network,
Gogax
Friday, 3 September 2010
Tainted network: Serverconnect.se / serverconnect-dedicateserver-net AS49770 (95.143.193.0/23)
Not a fully evil network, but AS49770 (owned by Serverconnect.se) has been abused by the bad guys for a long, long time. This particular /23 includes fake ad networks, counterfeit goods, torrents, pornography and a suspiciously large number of .ru domains for a Swedish web host.
Known bad domains currently hosted and in the past include:
There's very little of significant value here, although not all sites are malicious. Blocking 95.143.193.0/23 (95.143.193.0 - 95.143.194.255) will most likely do more good than harm and I suggest you consider it.
You can download a full set of domains, IPs and MyWOT ratings from here. The highest priority domains to block are below:
Mazcostrol.com
Nonstopacc.com
Allregioncode.com
Balmain-discount.com
Balmain-dresses.com
Balmain-jacket.com
Balmain-jeans.com
Balmain-leather.com
Balmain-michael-jackson.com
Balmain-mj.com
Balmain-online-shop.com
Balmain-shirt.com
Balmain-shop.com
Balmain-store.com
Balmain-suede-dress.com
Cheap-balmain.com
Dvdboxset2010.com
Fridaydvdstore.com
Ghdhairsales-uk.com
Hi-tvshows.com
Hi-tvshows.net
I-dvdforsale.com
I-dvdforsale.net
I-herveleger.com
I-manoloblahnik.com
I-manoloblahnik.net
I-moncler.com
Just-moncler.com
Mondaydvdstore.com
My-balmain-store.com
My-balmain.com
My-manolo-blahnik.com
Myshoesbus.com
Onlydvdforsale.com
Onlydvdforsale.net
Onsalegolf.com
Saturdaydvdstore.com
Sundaydvdstore.com
Thursdaydvdstore.com
Tuesdaydvdstore.com
Wensdaydvdstore.com
Wesaledvd.net
Yourtopsales.us
Yourtoryburch.com
Youruggshoes.com
Yslshoes-uk.com
Buy-moncler-coat.com
Buy-moncler-jacket.com
Daily-moncler.com
Discount-moncler-onsale.com
Discount-moncler-shop.com
Discount-moncler-store.com
Moncler-2010.com
Moncler-classics.com
Moncler-downjackets.com
Moncler-everyday.com
Moncler-online-mall.com
Moncler-online-store.com
Moncler-today.com
Moncler-zone.com
Monclerfeatherdress.com
Monclerwinterclothes.com
Monclerwinterdress.com
My-moncler-store.com
Newh0tdvd.com
Rosetta4u.info
5fingerstoreonline.info
5fingerstores.info
5fingerstoresite.info
60daysstore.info
90-mall.info
90day-mall.info
90daymall.info
90daymallnow.info
90daymallonline.info
90daymalls.info
90daymallshop.info
90daymallsite.info
90daymallstore.info
90daymalltoday.info
90daysonline.info
90daysworkoutonline.info
90daysworkouts.info
90daysworkoutsite.info
90daysworkoutstore.info
90mall.info
90mallnow.info
90mallonline.info
90malls.info
90mallshop.info
90mallsite.info
90mallstore.info
90malltoday.info
Abercrombiefitchonline.info
Abercrombiefitchonsale.com
Abercrombiefitchsite.info
Abercrombieonline.info
Abercrombies.info
Abercrombiesite.info
Allfitstore.info
Apparelwholesale.info
Beach-body-insanity.info
Beachbodyinsanitynow.info
Beachbodyinsanityshop.info
Beachbodyinsanitystore.info
Beachbodyinsanitytoday.info
Best90daymall.info
Best90days.info
Best90mall.info
Bestabercrombiefitch.info
Bestbeachbodyinsanity.info
Bestmallonline.info
Bestmbtshoes.info
Bestp90mall.info
Besttshirt.info
Bestvibramshoes.info
Bestworkoutnow.info
Bestworkoutonline.info
Bestworkoutshop.info
Known bad domains hosted here, currently and in the past, include:
- Bellasinteractive.com [1]
- Mazcostrol.com [2]
- Nonstopacc.com [3]
- Jumpmanlocker.com [4]
- Timoton.com [5]
- Tomitt.com [6]
- Atstatec.com [7]
- Luxor-groupinc.cc and others [8]
- Tunedads.com and others [9]
- Wowtribes.com [10]
- Transworldlife.com [11]
- Eurotransbiz.com [12]
Safe Browsing
Diagnostic page for AS49770 (SERVERCONNECT)
What happened when Google visited sites hosted on this network?
Of the 288 site(s) we tested on this network over the past 90 days, 5 site(s), including, for example, roditelskyi-dvor.ru/, sicko.se/, klybvolvo.ru/, served content that resulted in malicious software being downloaded and installed without user consent.
The last time Google tested a site on this network was on 2010-09-03, and the last time suspicious content was found was on 2010-08-31.
Has this network hosted sites acting as intermediaries for further malware distribution?
Over the past 90 days, we found 21 site(s) on this network, including, for example, mainsyql.com/, elisegm.com/, mediafasts.co.cc/, that appeared to function as intermediaries for the infection of 21 other site(s) including, for example, adrants.com/, thepiratebay.org/, rlslog.net/.
Has this network hosted sites that have distributed malware?
Yes, this network has hosted sites that have distributed malicious software in the past 90 days. We found 2 site(s), including, for example, mediafasts.co.cc/, wowtribes.com/, that infected 4 other site(s), including, for example, rlslog.net/, golfreview.com/, mtbr.com/.
There's very little of significant value here, although not all sites are malicious. Blocking 95.143.193.0 - 95.143.194.255 will most likely do more good than harm and I suggest you consider it. Note that this range is not a single /23: 95.143.193.0/23 is not on a /23 boundary, and a router or firewall that silently masks off the host bits would turn it into 95.143.192.0/23, blocking 95.143.192.0/24 instead of 95.143.194.0/24. Use 95.143.193.0/24 plus 95.143.194.0/24 instead.
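As an added check (example code written for this page, not from the original post), the Python below uses only the standard library's ipaddress module to turn a start and end address into the minimal set of CIDR blocks, and to show what a non-strict parser does with a misaligned prefix such as 95.143.193.0/23. The three entries in RANGES are the figures this page itself gives for the Serverconnect, Sagade and Latnet blocks; the covers() helper is my own addition, not anything the post describes.

```python
import ipaddress
from typing import List, Tuple


def cidrs_for_range(first: str, last: str) -> List[str]:
    """Minimal list of CIDR blocks that exactly cover first..last (inclusive)."""
    a, b = ipaddress.ip_address(first), ipaddress.ip_address(last)
    return [str(n) for n in ipaddress.summarize_address_range(a, b)]


def check_cidr(cidr: str) -> Tuple[str, bool]:
    """Return (network actually used, aligned?) for a CIDR as written.

    ip_network() is strict by default and rejects a prefix whose host bits
    are set. strict=False masks the host bits off, which is what a router
    or firewall that accepts the prefix without complaint would do.
    """
    try:
        return str(ipaddress.ip_network(cidr)), True
    except ValueError:
        return str(ipaddress.ip_network(cidr, strict=False)), False


def covers(cidrs: List[str], first: str, last: str) -> bool:
    """True if every address in first..last falls inside one of cidrs."""
    nets = list(ipaddress.collapse_addresses(
        ipaddress.ip_network(c, strict=False) for c in cidrs))
    wanted = ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last))
    # After collapsing, any aligned block that is fully covered lies inside
    # a single collapsed network, so a subnet_of test per block suffices.
    return all(any(w.subnet_of(n) for n in nets) for w in wanted)


# Ranges named on this page (the blog's own figures), as start/end pairs.
RANGES = {
    "Serverconnect AS49770": ("95.143.193.0", "95.143.194.255"),
    "Sagade AS6851": ("85.234.190.0", "85.234.191.255"),
    "Latnet AS2588": ("159.148.117.0", "159.148.117.255"),
}

if __name__ == "__main__":
    for name, (first, last) in RANGES.items():
        print(f"{name}: {first}-{last} -> {', '.join(cidrs_for_range(first, last))}")
    # The prefix the post wrote for the Serverconnect block, as a router reads it:
    net, aligned = check_cidr("95.143.193.0/23")
    print(f"95.143.193.0/23 aligned={aligned}; non-strict parsers use {net}")
    print("covers the intended range:", covers([net], "95.143.193.0", "95.143.194.255"))
```

Running it shows the Serverconnect range expanding to two /24s while the Sagade range is a genuine /23, and that the masked-off 95.143.192.0/23 does not cover 95.143.194.0/24 at all.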
You can download a full set of domains, IPs and MyWOT ratings from here. The highest priority domains to block are below:
Mazcostrol.com
Nonstopacc.com
Allregioncode.com
Balmain-discount.com
Balmain-dresses.com
Balmain-jacket.com
Balmain-jeans.com
Balmain-leather.com
Balmain-michael-jackson.com
Balmain-mj.com
Balmain-online-shop.com
Balmain-shirt.com
Balmain-shop.com
Balmain-store.com
Balmain-suede-dress.com
Cheap-balmain.com
Dvdboxset2010.com
Fridaydvdstore.com
Ghdhairsales-uk.com
Hi-tvshows.com
Hi-tvshows.net
I-dvdforsale.com
I-dvdforsale.net
I-herveleger.com
I-manoloblahnik.com
I-manoloblahnik.net
I-moncler.com
Just-moncler.com
Mondaydvdstore.com
My-balmain-store.com
My-balmain.com
My-manolo-blahnik.com
Myshoesbus.com
Onlydvdforsale.com
Onlydvdforsale.net
Onsalegolf.com
Saturdaydvdstore.com
Sundaydvdstore.com
Thursdaydvdstore.com
Tuesdaydvdstore.com
Wensdaydvdstore.com
Wesaledvd.net
Yourtopsales.us
Yourtoryburch.com
Youruggshoes.com
Yslshoes-uk.com
Buy-moncler-coat.com
Buy-moncler-jacket.com
Daily-moncler.com
Discount-moncler-onsale.com
Discount-moncler-shop.com
Discount-moncler-store.com
Moncler-2010.com
Moncler-classics.com
Moncler-downjackets.com
Moncler-everyday.com
Moncler-online-mall.com
Moncler-online-store.com
Moncler-today.com
Moncler-zone.com
Monclerfeatherdress.com
Monclerwinterclothes.com
Monclerwinterdress.com
My-moncler-store.com
Newh0tdvd.com
Rosetta4u.info
5fingerstoreonline.info
5fingerstores.info
5fingerstoresite.info
60daysstore.info
90-mall.info
90day-mall.info
90daymall.info
90daymallnow.info
90daymallonline.info
90daymalls.info
90daymallshop.info
90daymallsite.info
90daymallstore.info
90daymalltoday.info
90daysonline.info
90daysworkoutonline.info
90daysworkouts.info
90daysworkoutsite.info
90daysworkoutstore.info
90mall.info
90mallnow.info
90mallonline.info
90malls.info
90mallshop.info
90mallsite.info
90mallstore.info
90malltoday.info
Abercrombiefitchonline.info
Abercrombiefitchonsale.com
Abercrombiefitchsite.info
Abercrombieonline.info
Abercrombies.info
Abercrombiesite.info
Allfitstore.info
Apparelwholesale.info
Beach-body-insanity.info
Beachbodyinsanitynow.info
Beachbodyinsanityshop.info
Beachbodyinsanitystore.info
Beachbodyinsanitytoday.info
Best90daymall.info
Best90days.info
Best90mall.info
Bestabercrombiefitch.info
Bestbeachbodyinsanity.info
Bestmallonline.info
Bestmbtshoes.info
Bestp90mall.info
Besttshirt.info
Bestvibramshoes.info
Bestworkoutnow.info
Bestworkoutonline.info
Bestworkoutshop.info
Bestworkoutsite.info
Bestworkoutstore.info
Buybagsshop.info
Buybrandbags.info
Buyshoesnow.info
Buyshoesstore.info
Buyshoestoday.info
Dvdboxsetonline.info
Dvdsetsnow.info
Ecb2b.info
Ecb2c.info
Edhardyfactory.com
Extremehomefit.info
Forwholesale.info
Free90daymall.info
Free90daysworkout.info
Free90mall.info
Freebeachbodyinsanity.info
Freebuybags.info
Freedvdsets.info
Freembtshoes.info
Freep90mall.info
Freep90xreview.info
Freetshirt.info
Get-bags.info
Globalsourcesite.info
Globalsourcestore.info
Honestmall.info
Honestshop.info
Insanitysite.info
Inverterwholesale.com
Jersey-supply.com
Letsbuyshoes.info
Lotslinksoflondon.com
Mac-makeups.com
Mbtantishoesonline.info
Mbtdiscountstore.info
Mbtliquidation.info
Mbtretail.info
Mbtshoesnow.info
Mbtshoesshop.info
Mbtshoessite.info
Mbtshoesstore.info
Mbtshoestoday.info
Mbtsonsale.com
Mbtstoresite.com
Mbttoday.info
My5fingerstore.info
My90daymall.info
My90daysworkout.info
My90mall.info
Mybagsonsale.com
Mybestworkout.info
Mydvdboxset.info
Mymbtantishoes.info
Mymbtshoes.biz
Mymbtshoes.info
Myp90mall.info
Myvibram5finger.info
New90daymall.info
New90daysworkout.info
New90mall.info
Newabercrombie.info
Newabercrombiefitch.info
Newbeachbodyinsanity.info
Newbuyshoes.info
Newglobalsource.info
Newmbtshoes.info
Newp90mall.info
Newtees.info
Newvibramshoes.info
Newwholesale.info
Newwholesaleplatform.info
Newworkoutsonsale.info
Nfl-nhljersey.com
Officalp90x.info
Onlinebuydvds.info
Onlinebuyshoes.info
Onlinewholesale.info
Onlywholesaleprice.info
P90mallonline.info
P90mallshop.info
P90mallsite.info
P90mallstore.info
P90xfitnessdvds.com
P90xmall.com
P90xreviewnow.info
P90xreviewonline.info
P90xreviews.info
P90xreviewshop.info
P90xworkoutmallsale.com
Pandorajewellrysale.com
Purchasebags.info
Teesnow.info
Teesonline.info
Teessite.info
Teesstore.info
The5fingerstore.info
The90daymall.info
The90daysworkout.info
The90mall.info
Theabercrombie.info
Theabercrombiefitch.info
Thebestworkout.info
Thehomeworkout.info
Theinsanity.info
Thembtantishoes.info
Thembtshoes.info
Theoffical-p90x.info
Thep90mall.info
Thep90xreview.info
Theshoesshop.info
Thetees.info
Thetshirt.info
Thevibram5finger.info
Theworkoutsonsale.info
Totally-fit.info
Tshirtsite.info
Vibram5finger.info
Vibram5fingersite.info
Vibramshoesnow.info
Vibramshoesonline.info
Vibramshoesshop.info
Vibramshoessite.info
Vibramshoesstore.info
Watchestimes.com
Wholesaleelectronic.info
Wholesalefromhere.info
Wholesalemac.info
Wholesalenet.info
Wholesaleplatform.info
Wholesalestart.info
Workoutsonsale.info
Workoutsonsales.info
Newhotdvd.com
Newrosetta.info
Rosetta-shop.info
Rosetta-store.info
Rosettapro.info
Rosettasoft.info
Rosettstone.info
21ugg.com
21uggboots.com
9webshoe.com
9webshop.com
Air-max-90-shoes.com
Amazonuggs.com
Anynfljerseys.com
Anyugg.com
Aubootsky.com
Aubootsonline.com
Australiaboot.net
Ausuggbootssale.com
Bbbshoe.com
Bendmoon.com
Bhdtrade.com
Bootsgame.com
Bootshead.com
Bootsinbox.us
Bootslove.com
Bootsstreet.com
Cheapsuprashoes.us
Clothesscoop.com
Cosyboots.net
Ebay-cigarettes.com
Ebayuggs.com
Finishboots.com
Fleeceboot.com
Fugems.com
Ghostshoe.com
Gonnaspace.com
Govipshop.com
Hgshoe.com
Hottestuggboots.com
Inbootstock.com
Ineedboots.com
Jumpmanlocker.com
Jumpmanlocker.com.cn
Jumpmanlocker.com.cn
Lacosteralphlauren.com
Lacosteralphlauren.us
Lock-ugg.com
Lolsaleshop.com
Look4clothing.com
Lovesuggs.com
Macktrade.com
Mybootsgame.com
Mybootsid.com
Mybootstrade.com
Mytonyboots.com
Net-ugg.com
New-ugg.com
Nfl007.us
Nfljerseynfl.com
Nike-shoes.com.cn
Nike-shoes.com.cn
Nike99bar.com
Niketrading.com
Nikezone23.com
Nonoshoe.com
Okhairs.com
Pickuggshop.com
Pikmart.com
Pkuggboots.com
Pkuggboots.net
Pololacosteshop.com
Pololatecosshop.com
Pop-ugg.com
Ralphlaurenpolosale.com
Rock-ugg.com
Ruimachina.com
Sellaaa.com
Sheepskinbootsid.com
Sheepskinbootsky.com
Shoeshive.com
Shoeshive.net
Shoestrade.biz
Shoestrade168.cn
Snowboots4sales.com
Snowbootsid.com
Star-ugg.com
Storeboot.com
Tallboot.net
Topcredittrade.com
Topcredittrade3.com
Topcredittrade6.com
Ugg-up.com
Uggbootscheapsales.com
Uggbootsoutletuk.com
Uggbootsuksales.com
Ugglink.com
Uggtopshop.cn
Uggtopshop.com
Uggtopshop.org
Uglyugg.com
Usugg.com
Wholesalemarket168.com
Wiresea.com
World-credittrade.com
Chighdwholesale.com
Pickuggshops.com
Adphil.com
Inshout.com
Timoton.com
Tomitt.com
Tribudd.com
Wifell.com
Ghdonsaleh.com
Ghdsaley.com
Ghdstore2010.com
Mbtsalea.com
Mbtsaleb.com
Mbtstorea.com
Uggonlinei.com
Rseeting.com
Torpalis.com
Daxitymb.com
Quoines.com
Cheratic.com
Clarbt.com
Punnin.com
Sconect.com
Skeptor.com
Ectomor.com
Risoton.com
Expiage.com
2010ugg-uk.com
Branduggonline.com
Chi-chioutlet.com
Chi-store2010.com
Chi-topshop.com
Chivipstore.com
Ghdbrandstore.com
Ghdmylove.com
Masaiantishoes.com
Mbtuk-outlet.com
Mbtuk-outlet.net
Mbtus-outlet.com
Mbtus-outlet.net
Mbtus-store.com
Myuggstreet.com
Outlet-northface.com
Outlet-uggs.com
Outletchi.com
Sparknew.com
Specialuggstore.com
Uggbranchshop.com
Uggbranchstore.com
Uggchainshop.com
Uggcredibleoutlet.com
Uggdirectshops.com
Uggflagshipstores.com
Ugghigh-leveloutlet.com
Uggoutlet-aus.com
Uggoutlet-branch.com
Uggreliantoutlet.com
Uggschain-store.com
Uggsoutletstore.com
Uk-uggs-outlet.com
Discountbrand-online.com
Discountshop-online.com
Monclercoatsite.com
Supermoncler.com
Branduggline.com
Specailuggstore.com
Uggchain-store.com
Ugghigh-lveloutlet.com
Fashiontruereligion.com
Maxchausures.com
Bellasinteractive.com
Ghcanada.com
Dishroe.com
Issector.com
Elisegm.com
Telyware.com
Blasteriox.com
Barathr.com
Pnewum.com
Rasuma.com
Enyki.com
Pravendita.com
Nmtsm.com
Smtpst.com
Admt2.com
Huciv.com
Bexbyz.com
Hiehost.com
Mainsyql.com
Xbevs.com
Niklip.com
Aisviv.com
Hiskweb.com
Debtsle.com
Hornium.com
Liegan.com
Phillacy.com
Sulandry.com
Cathypo.com
Colpint.com
Doxoni.com
Pegbow.com
Margant.com
Examah.com
Leastive.com
Pierran.com
Togueno.com
Honettee.com
Ophori.com
Mattoft.com
Rogloard.com
Epholo.com
Veraph.com
Landsm.com
Rismit.com
Velmace.com
Dedicot.com
Requild.com
Atstatec.com
Labels:
Evil Network,
Serverconnect.se
nl-position.com fake job offer
In what appears to be an update of this fake job offer, there is now a spam run soliciting replies to nl-position.com for "representatives" who will most likely be handling stolen money and goods.
Date: 3 September 2010 06:30
Subject: Welcoming speech
Dear Sir/Madam!
The Company would like to offer you extra opportunity to get part-time position.
Today we open offices in some countries of Europe and need "Representatives".
Responsibilities:
- Work with clients and partners
- Collecting information
- Paper work
- Online monitoring
Principle of work:
- Home office position
Salary:
- 60.000 euro per year + bonuses for transactions
Minimal requirments:
- Location: Holland
- Age: +23
- Secondary education
- Responsibility
Wait for your applications to the following address: cv@nl-position.com
Do not hesitate to contact us and know more.
Look forward to your applications!
Best wishes!
Don Tennant
Manager of HR department
The nl-position.com domain was registered just three days ago to a no doubt fake address:
Julia Morgan Email: info@JuliaNewYork76.com Organization: MDS LTD Address: 201 Varick Street City: New York State: NY ZIP: 10014 Country: US Phone: +1.8668402756
The name servers are ns1.nameself.com and ns2.nameself.com, both based in Russia and commonly used by scammers. Unusually the JuliaNewYork76.com domain is also fake. Both domains have their mail handled by Google.
These other domains also seem to belong to the same crew, any "job offer" from them can safely be regarded as bogus:
ca-position.com
es-position.net
europ-position.com
gb-new-position.com
ms-positions.com
nl-position.com
east-europ.com
inc-europ.com
it-europ.net
north-europ.com
pt-europ.com
uk-europ.com
trabajo-europ.com
west-europ.com
Labels:
Job Offer Scams,
Lapatasker,
Money Mule,
Scams,
Spam
Wednesday, 25 August 2010
Evil network: Sagade Ltd / ATECH-SAGADE AS6851 (85.234.190.0/23)
I've mentioned Sagade Ltd before, it's a totally Black Hat Latvian network that should be blocked on sight. Google's Safe Browsing diagnostic for this range is fairly damning:
Has this site acted as an intermediary resulting in further distribution of malware?
Over the past 90 days, 85.234.190.0 appeared to function as an intermediary for the infection of 476 site(s) including lekarnar.com/, mysofa.es/, audiofile.org.ua/.
Has this site hosted malware?
Yes, this site has hosted malicious software over the past 90 days. It infected 1999 domain(s), including audiofile.org.ua/, votailprof.it/, capinaremos.com/.
There's very little point playing whack-a-mole with these Latvian IP addresses. It's probably worth null-routing the entire country until some government agency that isn't being paid off by Russian organised criminals sorts the mess out. There's a list of major Latvian IP address allocations here. Unless you do business in the Baltic states, blocking all of them will probably do no harm.
Domains in the IP address range 85.234.190.0 - 85.234.191.255 are:
Marre.in
Monre.in
Sdaya.in
Dnsdnsprovider.com
Respw.info
Tonew.info
Wbypa.info
Celebsalon.net
Celebsvideos.net
Soltberger.net
Sumerki-saga.com
Zatmenie-saga.com
Bestgoogleanalytics.com
Bestgenerics.org
Dhag.org
Autoseon7.com
Auou.info
Premiaa.com
Tdyeah.com
Oeema.info
Oeeme.info
Toptrep.biz
Staticdnsdns.com
Aaasphereezine.com
Aopsompamspn.com
Hsudsasodams.com
Ieksmanskasdk.com
Mopsdiamsas.com
Alert-system.net
Ffgde.com
Gdlka.com
Khhfg.com
Nnmty.com
Ppolr.com
Rcchr.com
Rrtyu.com
Rttye.com
Trrre.com
Uyyty.com
Ccdfr.com
Ffeeq.com
Kklou.com
Kkuyt.com
Oouty.com
Ppuut.com
Ppyur.com
Ttyww.com
Wrraa.com
Yyrew.com
Bbhty.com
Ggbdb.com
Rggsd.com
Rihdd.com
Rrryu.com
Bbgtr.com
Kjhtr.com
Wrrrt.com
Mylote.com
Tube-free-online.com
Adminka.org
Bbcxq.com
Bnfgd.com
Cbdfr.com
Dettt.com
Fggpr.com
Ggffr.com
Hhyyr.com
Ssmmb.com
Trdvr.com
Darkseo.org
Dbsoft.in
Domainpc.in
Exinfo.in
Lightdebug.in
Microsoft-security-center.com
Mxinfo.in
Statreview.in
Uimode.in
Unport.in
Bestdomainforus.info
Bestvido.info
Bluffycrob.info
Domain-for-email-us.info
Domain-for-gain-us.info
Domain-for-lease-us.info
Domain-for-us.info
Domainfordollarsus.info
Domainforemailus.info
Domainforgainus.info
Domainforleaseus.info
Domainforus.info
Domainforusblog.info
Domainforusnow.info
Domainforusonline.info
Domainforusshop.info
Domainforussite.info
Domainforusstore.info
Domainforustoday.info
Fffvideo.info
Freedomainforus.info
Freevido.info
Microoplata.info
Moplata.info
Mydomainforus.info
Myvido.info
Newdomainforus.info
Newvido.info
Stupid-domain-for-us.info
Stupiddomainforus.info
Thebluffycrob.info
Thedomainforus.info
Thefffvideo.info
Vi-do.info
Vidonow.info
Vidoonline.info
Labels:
Evil Network,
Latvia,
Sagade Ltd
The Walking Dead on FXUK
Holy moley.. the FX TV channel in the UK certainly runs some interesting shows (Dexter, Breaking Bad, Better Off Ted). This latest one coming in the Autumn is about.. zombies! Yeah, it looks a bit like a 28 Days Later / Mad Max mashup, but it has Egg from This Life in it and Gale Anne Hurd is involved.
Check out the trailer (possibly works in the UK only) or read more here. More information about the show and the graphic novel can be found here.
Oh yes, in the US it's showing on AMC which has a decent photo gallery and other stuff here.
Labels:
Zombies
Evil network: Latnet Serviss Ltd (latnet.lv) AS2588 (159.148.117.0/24)
Latvia is definitely becoming a problem when it comes to black hat hosting. The 159.148.117.0/24 range (159.148.117.0 - 159.148.117.255) is another malicious block, forming part of AS2588, which belongs to Latnet (similar to microlines.lv). At a rough calculation, about half the IP address ranges I am currently blocking are based in Latvia.
This bunch of domains is a mix of fake pharma sites, browser exploits, illegal downloads and possibly some hijacked domains. In any case, there is nothing of use here and either blocking the entire IP range, or the list below is probably a good idea.
There's a more detailed file with MyWOT ratings and IP addresses to download here.
Bitssit.com
Solid-pay-gate.com
Bombastats.com
1001meds.info
101doctors.info
101health.info
11doctors.info
333tabs.info
5meds.info
911drugs.info
99pharmacy.info
99pills.info
Abouttabs.info
Actualdrugs.info
Actualtabs.info
Addhealth.info
Addpills.info
Advancedsoft.in
Allpills.info
Anyhealth.info
Anymeds.info
Anytabs.info
Atlanticdrugs.info
Atlantictabs.info
Bestwesthost.info
Bluedoctor.info
Buycheapnow3.info
Buyfdatabs.info
Buygeneric1.info
Buyld.info
Buyonline5.info
Buytramadol5.info
Buytramadolf.info
Buytramadolk.info
Buytramadolp.info
Buytramadolt.info
Buytramadoly.info
Buyxanax1.info
Buyxanaxk.info
Cheap2tramadol.info
Cheaponline2.info
Cheaprt.info
Cheaptramadolh.info
Cheaptramadoli.info
Cheaptramadolss.info
Cheaptramadolw.info
Cheaptramadolz.info
Cheapxanaxz.info
Doctor01.info
Doctorarea.info
Doctordaily.info
Doctorgiant.info
Doctorjones.info
Dogoal.in
Drugs01.info
Drugs12.info
Drugsapple.info
Drugsbasket.info
Drugsblue.info
Drugscenter.info
Drugsclub.info
Drugscompany.info
Drugsdaily.info
Drugsfast.info
Drugsgood.info
Drugslife.info
Drugsreview.info
Drugstoree.info
Fasttabs.info
Fdapillsonline.info
Fulink.in
Fustat.in
Generictramadolb.info
Generictramadolc.info
Generictramadoln.info
Generictramadolr.info
Generictramadolv.info
Genericxanaxn.info
Getonlinehealth.info
Getonlinemeds.info
Haycorn.info
Health911.info
Healthbasket.info
Healthblue.info
Healthgreat.info
Healthlabel.info
Kinghealth.info
Kingpills.info
Knownmeds.info
Knowntabs.info
Labeldrugs.info
Labelhealth.info
Meds01.info
Meds333.info
Meds4him.info
Medsapple.info
Medsarea.info
Medsdaily.info
Medsexpress.info
Medsguard.info
Medshealth.info
Medslife.info
Medslocate.info
Medssearch.info
Mmlist.in
Mmsoft.in
Moderndrugs.info
Modernpills.info
Mxstat.in
Needsdoctor.info
Olstat.in
Online01.info
Onlinecasinosbestusa.info
Onlineow.info
Ordercheapnow6.info
Orderoj.info
Orderonline4.info
Ordertramadold.info
Ordertramadole.info
Ordertramadolj.info
Ordertramadolo.info
Ordertramadolx.info
Orderxanaxx.info
Owndoctor.info
Pacificdoctor.info
Pills007.info
Pills01.info
Pills4him.info
Pills4men.info
Pillsaccept.info
Pillsarea.info
Pillsblue.info
Pillscontrol.info
Pillsdaily.info
Pillsfast.info
Pillsgood.info
Pillslabel.info
Pillslife.info
Pillslocate.info
Pillsoffice.info
Pillsreview.info
Pillssearch.info
Pillstoday.info
Pillsworld.info
Realtabs.info
Rx999.info
Safedoctor.info
Searchtabs.info
Sermyagino.info
Ssmode.in
Ssnews.in
Tabs01.info
Tabs4him.info
Tabs5.info
Tabsaccept.info
Tabsapple.info
Tabsarea.info
Tabscenter.info
Tabsclub.info
Tabscompany.info
Tabscontrol.info
Tabsdaily.info
Tabsexpress.info
Tabsguard.info
Tabsguide.info
Tabslife.info
Tabsoffice.info
Tabspills.info
Tabsreview.info
Tabssearch.info
Tabsworld.info
Todaypills.info
Todaytabs.info
Tramadolonline7.info
Tramadolonlinea.info
Tramadolonlineg.info
Tramadolonlinel.info
Tramadolonlineq.info
Tramadolonlineu.info
Tramadoltramadol1.info
Tramadoltramadol10.info
Tramadoltramadol2.info
Tramadoltramadol3.info
Tramadoltramadol4.info
Tramadoltramadol5.info
Tramadoltramadol6.info
Tramadoltramadol7.info
Tramadoltramadol8.info
Tramadoltramadol9.info
Uiplus.in
Usaapharm.info
Usausaonlinecasinossuper.info
Xanaxonlinee.info
Xanaxonlinel.info
Pupseg.net
Pupseg.org
Pixelstatservice.com
Mybesttubeporn.com
Rowfirst.com
Java-9update.com
Update-00server.com
Hqll.ru
Xacz.ru
Aloa.asia
Vniz.asia
Bbls.ru
Vaseagruzitkorm.com
Vaseajretikru.com
Ewacx.com
Yacver.com
Security-defencing.com
Mypctech.net
1200kb.net
Banfieldsbest.com
Btp-tags.com
Doit-4-u.com
In-ta.net
Media-share.org
Mwcdirect.com
Pixel-pie.com
Planetsoldat.com
Sainser.com
Wnizip.com
Thebestporn.in
Cormoupo.info
Zombie-world.org
Alterparadigma.net
Brickplayer.ru
Chilauter.ru
Compromendes.com
Moretds.org
Danjg.com
Aftui.in
Ammew.info
Armrm.in
Aspow.info
Clasd.in
Coerw.info
Demim.in
Diasw.info
Diaui.in
Expew.info
Eynew.info
Gatui.in
Harui.in
Highw.info
Homow.in
Jenyx.in
Jusui.in
Katre.in
Lisni.in
Manui.in
Marsw.in
Marui.in
Micre.in
Neigw.info
Ningl.in
Nitan.in
Nvenc.in
Nvene.in
Nvild.in
Nvill.in
Pockw.info
Praaw.info
Pulpm.in
Racew.info
Recei.in
Recky.in
Recto.in
Regaw.info
Rendm.in
Sepsd.in
Slovw.in
Socyx.in
Stpsd.in
Synre.in
Thiui.in
Torsw.in
Uianh.in
Volnv.in
Yxiac.in
California-ns.com
UPDATE 2014-06-25: It's been a long time since I wrote this, and it looks like the block was cleaned up some time ago and now contains some Latvian government sites.
Labels:
Evil Network,
Latnet,
Latvia
Tuesday, 24 August 2010
north-europ.com job offer scam
This is a fraudulent job offer originating from an IP address in Vietnam, with a ridiculous salary for doing next to nothing:
north-europ.com uses Google to handle its mail and doesn't have a website. The WHOIS details have a very familiar email address of lapatasker@earthling.net.
Hello message
We are in a hurry to offer you position in the building Company.
In few words our Company provides huge circle of building services like
building, landscaping, interior and exterior design of premises, houses etc.
We offer you:
- career growth
- flexible working day
- minimal requirements to become the part of our team
Job description:
- type of work: part time position
- the place to work: your home office
- territory of work: you area(city)
- salary: 60.000 euro per year + percents of transactions
- principle of work: work with clients/partners getting tasks online
If you are interested please respond with the C.V. or minimal contact data to the e-mail: Allison@north-europ.com
Attention!
We are interested in cooperation to the people who live in Europe.
Aleksandr Lapatau
Email: lapatasker@earthling.net
Organization: Private person
Address: Lenina, 34, 8
City: Minsk
State: Minskaya
ZIP: 456123
Country: BY
Phone: +375.172427204
Infrastructure is in various locations around Russia. Avoid.
Labels:
Job Offer Scams,
Lapatasker,
Money Mule,
Scams,
Spam
There's more to this than meets the eye..
This is a straightforward money mule pitch, so nothing very interesting in the message itself..
From: james roberts <jamesroberts02@sify.com>
Reply-to: james.roberts@sify.com
Date: 24 August 2010 13:13
subject: JOB OFFER:APPLY IF YOU ARE INTERESTED.
Hello,
My name is JAMES ROBERTS , a designer also the Manager of JAMES ROBERTS FABRIC and Consultant live and work here in United Kingdom,will you like to work online from home and get paid without affecting your present job?
Actually I need a representative who can be working for the company as online book-keeper. We make lots of supplies to some of our clients in the USA/CANADA/EUROPE, for which I do come to USA/CANADA/EUROPE to receive payment and have it cashed after I supply them raw materials. It’s always too expensive and stressful for me to come down and receive such payment twice in a month so I therefore decided to contact you.
I am willing to pay you 10% for every payment receive by you from our clients who makes payment through you. Please note you don't have to be a book keeper to apply for the job.
Kindly get back to me as soon as possible if you are interested in this job offer with your details:
FULL NAMES...................
ADDRESS ..................
STATE..................
ZIPCODE................
COUNTRY................
PHONE NUMBER(S)........
GENDER.................
AGE....................
OCCUPATION.............
Yours Faithfully,
JAMES ROBERTS
But the headers tell an interesting story..
Received: from mail.pna.ps ([213.244.123.84])
by ********** with esmtp (Exim 4.69)
id 1Onsd0-0004Yt-Jc
for **********; Tue, 24 Aug 2010 13:29:22 +0100
Received: from User (unknown [60.18.167.17])
by mail.pna.ps (Postfix) with ESMTPA id ED6A94476F;
Tue, 24 Aug 2010 15:12:09 +0300 (IDT)
You can only really trust the last hop before it hits your mail server (in truth, not always then either). That IP is 213.244.123.84 which is indeed mail.pna.ps.
So what the heck is .ps? Well, it turns out to be the TLD for Palestine, and the PNA is the Palestinian National Authority, with servers that look to be based in Ramallah on the West Bank. So, it looks like the PNA mail servers are either insecure or compromised.
Did you even know that Palestine had a TLD of its own? I didn't.. so I guess this spam has taught me something!
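The header walk above (trust only the hop that handed the message to your own server, treat everything below it as a claim the sender controls) is easy to mechanise. The Python below is an added example, not code from this blog: it unfolds the Received headers quoted in the post (the blog's own mail server name is masked as ********** there, and that masking is kept), extracts each hop's "from" host, bracketed IP and "by" host, picks out the one hop your server recorded itself, and checks that each hop's "by" matches the next hop's "from" so a forged or spliced chain stands out. The function and variable names are this example's own.

```python
import re

# Received headers exactly as quoted in the post above (the blog author's
# own server name is masked with ********** there, and we keep that masking).
RAW_HEADERS = """Received: from mail.pna.ps ([213.244.123.84])
    by ********** with esmtp (Exim 4.69)
    id 1Onsd0-0004Yt-Jc
    for **********; Tue, 24 Aug 2010 13:29:22 +0100
Received: from User (unknown [60.18.167.17])
    by mail.pna.ps (Postfix) with ESMTPA id ED6A94476F;
    Tue, 24 Aug 2010 15:12:09 +0300 (IDT)
From: james roberts <jamesroberts02@sify.com>
Subject: JOB OFFER:APPLY IF YOU ARE INTERESTED.
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
FROM_RE = re.compile(r"^Received:\s*from\s+(\S+)", re.I)
BY_RE = re.compile(r"\bby\s+(\S+)", re.I)


def unfold_headers(raw):
    """Join RFC 5322 folded continuation lines (leading whitespace) onto their header line."""
    lines = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return lines


def parse_received(raw):
    """Return the Received hops in header order (topmost = most recent = added by our server)."""
    hops = []
    for line in unfold_headers(raw):
        if not line.lower().startswith("received:"):
            continue
        m_from = FROM_RE.match(line)
        m_by = BY_RE.search(line)
        m_ip = IP_RE.search(line)  # first bracketed IP is the connecting client's address
        hops.append({
            "from": m_from.group(1) if m_from else None,
            "from_ip": m_ip.group(1) if m_ip else None,
            "by": m_by.group(1) if m_by else None,
        })
    return hops


def trusted_hop(hops, our_server):
    """The only hop we can vouch for: the one our own server wrote when it accepted the mail."""
    for hop in hops:
        if hop["by"] == our_server:
            return hop
    return None


def chain_gaps(hops):
    """Pairs where hop[i] claims to have received from a host that hop[i+1] does not claim to be.

    A clean relay chain has hop[i]["from"] == hop[i+1]["by"]; a mismatch is a
    spliced or fabricated header worth a closer look (not proof of forgery on its own).
    """
    gaps = []
    for upper, lower in zip(hops, hops[1:]):
        if upper["from"] != lower["by"]:
            gaps.append((upper["from"], lower["by"]))
    return gaps


if __name__ == "__main__":
    hops = parse_received(RAW_HEADERS)
    for i, hop in enumerate(hops):
        print(f"hop {i}: from {hop['from']} [{hop['from_ip']}] by {hop['by']}")
    print("trusted delivering host:", trusted_hop(hops, "**********"))
    print("chain gaps:", chain_gaps(hops))
```

On the post's headers this yields two hops: the trusted one shows mail.pna.ps (213.244.123.84) delivering to the blog's server, and the lower hop is mail.pna.ps's own claim that an authenticated client (ESMTPA) at 60.18.167.17 submitted the message. That lower claim is exactly what an investigator cannot verify from the receiving side, which is why the post treats only the last hop as reliable.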
Labels:
Job Offer Scams,
Money Mule,
Palestine,
Scams,
Spam
Friday, 13 August 2010
Weird scam mashup makes little sense
This is a weird mashup of an FBI scare scam and a lottery scam, spelling out very clearly that it is really an advanced fee fraud. It makes no sense.. why would the FBI be informing you that you had won the lottery in the UK anyway? Bin it.
From: Federal Bureau Of Investigation <soundsit@btconnect.com>
Date: 2010/8/13
Subject: *Alert*
To:
FEDERAL BUREAU OF INVESTIGATION
Anti-Terrorist and International Fraud Division
601 4th Street NW, Washington, DC 20535
Attn: Beneficiary
RE: AUTHETICATED LOTTERY WINNINGS
This is to officially inform you that it has come to our notice and we have thoroughly completed an Investigation with the help of our Intelligence Monitoring Network System that you legally won the sum of $850,000.00 US Dollars from a Lottery Organization in the United Kingdom. During our investigation we discovered that your e-mail won the Lottery from an online balloting system and we have authorized this winning to be authentic and paid to you via a Certified Cashier's Check. Normally, it will take up to 15 business days for an International Check to be cashed by your local bank. We have successfully come to an agreement with this organization on your behalf that funds are to be drawn from a registered bank within the United States of America so as to enable you cash the check instantly without any delay, henceforth the stated amount of $850,000.00 US Dollars has been deposited with Chase Manhattan Bank.
We have completed this investigation and you are hereby approved to receive the winning prize as we have verified the entire transaction to be Legitimate, Safe and 100% risk free of scams and frauds of any nature, due to the fact that the funds have been deposited at Chase Manhattan Bank you will be required to settle the following bills directly to the lottery claims agent in-charge of this transaction whom is located at the liaison office of the Lottery Organization in Washington, DC. According to our records, you are required to pay for the following:
(1) Deposit Fee's (Fee's paid by the organization for the deposit into Chase Manhattan Bank)
(2) Cashier's Check Conversion Fee (Fee for converting the EFT into a Certified Cashier's Check)
(3) Shipping Fee's (The charge for shipping the Cashier's Check to your nominated destination)
The total amount is $349.99 (Three Hundred & Fourty Nine United States Dollars & Ninety Nine Cents). We have tried our possible best to have the lottery organization deduct the $349.99 from your lottery winning but the funds have already been deposited at Chase Manhattan Bank and cannot be accessed by anyone apart from you the winner. Therefore you will be required to pay the needed funds to your lotto claims Agent in-charge of this transaction. The payment will NOT reflect at the Chase Manhattan Bank with the given transaction code (US8976-003) until you have covered the processing fees needed.
In order to proceed with this transaction, Click Here (ericaclain@gala.net) to contact your claims agent Mrs. Erica Molin .You may be required to call her for verbal verification and e-mail her with the following informations:
FULL NAME:
LOCAL ADDRESS (INCLUDING CITY/STATE/ZIPCODE):
AGE/GENDER/OCCUPATION:
CONTACT PHONE NUMBERS (CELL & HOME):
You will also be required to request details on how to pay up the required $349.99 in order to immediately ship your prize of $850,000.00 USD via Certified Cashier's Check drawn from Chase Manhattan Bank, Also include the following transaction code in order for her to immediately identify this transaction: US8976-003. This letter will serve as proof that the Federal Bureau Of Investigation is authorizing you to pay the required $349.99 ONLY to your claims agent via the information in which she shall send to you upon your request, if you do not receive your winning prize of $850,000.00 US Dollars we shall be held responsible for the loss and this shall invite a penalty of $3,000 which will be made PAYABLE ONLY by you (The Winner).
Robert Anderson, Jr.
Special Agent in Charge
NOTE: In order to ensure your check gets delivered to you ASAP, you are advised to immediately contact Mrs. Erica Molin (ericaclain@gala.net) via contact information provided above and make the required payment of $349.99 to information in which she will provide you.
Labels:
Advanced Fee Fraud,
Lottery Scam,
Spam,
Stupidity
Thursday, 12 August 2010
"Spam King Leo Kuvayev Jailed on Child Sex Charges"
A spammer.. and a kiddy fiddler (allegedly), notable Russian spammer Leo Kuvayev has been jailed on remand on charges of raping 50 children. I hear that Russian prisons are not very nice..
More at Krebs on Security.
Labels:
Spam