
Friday, 3 December 2010

Beware of worid-of-books.com

worid-of-books.com is a fake book download site punting malicious executables. The strange name can be explained if you substitute the lowercase "i" with an uppercase one, giving worId-of-books.com, which in most fonts reads as world-of-books.com and is presumably meant to fool people. Because domain names are case-insensitive, both spellings resolve to the same site.
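A simple lookalike check for the I/l trick described above, added here as an illustration (this is not code from the original post). It folds characters that render alike, including lowercase "i" since any "i" in a link can be displayed as a capital "I", and flags a name that collapses to the same skeleton as a name on a watchlist; the watchlist entries and the small confusables table are assumptions for the example.

```python
# Lookalike-domain check for the worId/world trick. Added example, not code
# from the original post. DNS names are case-insensitive, so "worId-of-books.com"
# (capital I) resolves exactly like "worid-of-books.com", while on screen a
# capital I is hard to tell from a lowercase l in most fonts.
from typing import Iterable, Optional

# Characters that render alike are folded to one representative. Lowercase i is
# folded too, because any i in a name can be shown as I by whoever writes the link.
# Assumption: this small table covers the substitutions this post cares about.
_FOLD = str.maketrans({"i": "l", "1": "l", "|": "l", "0": "o"})


def _normalise(domain: str) -> str:
    """Lowercase and strip a trailing dot, as a resolver would."""
    return domain.strip().lower().rstrip(".")


def skeleton(domain: str) -> str:
    """Reduce a domain to a form in which confusable characters collapse."""
    s = _normalise(domain)
    s = s.replace("rn", "m").replace("vv", "w")   # letter-pair lookalikes
    return s.translate(_FOLD)


def lookalike(candidate: str, watchlist: Iterable[str]) -> Optional[str]:
    """Return the protected name that `candidate` imitates, or None.

    A candidate that matches a watchlist entry exactly is the genuine name and
    is not reported; only names that differ in spelling but collapse to the
    same skeleton are flagged.
    """
    cand = _normalise(candidate)
    protected = [_normalise(w) for w in watchlist]
    if cand in protected:
        return None
    cand_skel = skeleton(cand)
    for real in protected:
        if skeleton(real) == cand_skel:
            return real
    return None


if __name__ == "__main__":
    # Constructed watchlist: the genuine names you want to protect.
    watch = ["world-of-books.com", "dynamoo.com"]
    for name in ["worId-of-books.com", "worid-of-books.com",
                 "world-of-books.com", "dynarnoo.com"]:
        print(f"{name:22} -> {lookalike(name, watch)}")
```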



The site looks reasonably credible and appears to have about a million downloadable books, but they are not all that they seem to be. If you try to download a book, you get an EXE file instead of a PDF. What's in the EXE file? Well, malware of course! Detection is fairly patchy according to VirusTotal, but this appears to be a Cycbot variant.

Download it a second time and you actually do get a PDF file.. well, an 8 byte file that just says "PDF file" and nothing else. Subsequent attempts seem to fail with an error message of "We are sorry, this book is now being checked. Try to download it later!". It's pretty clear that worid-of-books.com is tracking visitors (perhaps by IP address) to stop them being able to repeat the infection.

The site is hosted on 95.64.111.12 which is Asociatia Family Network Connections / FAMILY-NETWORK in Romania, along with a whole load of other sites. It's worth blocking everything in this IP range.

The ThreatExpert report is here, it might help you clean up your machine if infected.

Evil network: Asociatia Family Network Connections / FAMILY-NETWORK AS49253 (95.64.110.0/23)

Asociatia Family Network Connections / FAMILY-NETWORK is a Romanian network, and their AS49253 netblock seems to have suddenly turned evil.

The SiteVet report for this AS shows a sudden increase in recent weeks, with over 1500 sites that may be malicious included in the 95.64.110.0/23 block. Most of these evil sites are on just one host, 95.64.110.100. There may be some legitimate sites here, but probably too few to worry about.

Most sites registered here appeared to be Russian; some are registered through Chinese registrars. The owner of this block is listed as:

inetnum:        95.64.110.0 - 95.64.111.255
netname:        FAMILY-NETWORK
descr:          Asociatia Family Network Connections
country:        RO
admin-c:        CS6903-RIPE
tech-c:         CS6903-RIPE
status:         ASSIGNED PA
mnt-by:         NETSERV-MNT
mnt-routes:     FAMILY-NETWORK-MNT
mnt-domains:    FAMILY-NETWORK-MNT
source:         RIPE # Filtered

person:         Claudiu Sandulescu
remarks:        Asociatia Family Network Connections
address:        Str. Vlahita nr.4, Bl. PM8, Ap. 72
address:        Sector 3, Bucuresti
phone:          +40728188052
mnt-by:         FAMILY-NETWORK-MNT
abuse-mailbox:  claudiusandulescu@gmail.com
nic-hdl:        CS6903-RIPE
source:         RIPE # Filtered

route:          95.64.110.0/23
descr:          FAMILY-NETWORK
origin:         AS49253
mnt-by:         FAMILY-NETWORK-MNT
source:         RIPE # Filtered
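The inetnum range in the record above is what you would feed a firewall as a CIDR block. As an added example (not the post's own code), the script below parses the RIPE "key: value" record quoted above, converts the inetnum range to CIDR, merges it with the route object, and checks addresses against the result; it applies equally to the Informex and GORBY-VPN-NET records elsewhere on this page. The record text is copied from this post; the 10.0.0.0 range in the comments is a constructed value showing a range that does not align to a single CIDR.

```python
# Parse a RIPE-style whois record and turn it into a CIDR deny list.
# Added example, not code from the original post. WHOIS_TEXT is copied
# from the record quoted in the post (mnt-* and contact lines omitted).
import ipaddress
from typing import Dict, List

WHOIS_TEXT = """\
inetnum:        95.64.110.0 - 95.64.111.255
netname:        FAMILY-NETWORK
descr:          Asociatia Family Network Connections
country:        RO
status:         ASSIGNED PA
source:         RIPE # Filtered

route:          95.64.110.0/23
descr:          FAMILY-NETWORK
origin:         AS49253
source:         RIPE # Filtered
"""


def parse_objects(text: str) -> List[Dict[str, List[str]]]:
    """Split whois output into blank-line separated objects of key -> values.

    Keys can repeat inside one object (e.g. two mnt-by lines), so every value
    is kept in a list. '%' comment lines and '# Filtered' remarks are dropped.
    """
    objects: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            if current:
                objects.append(current)
                current = {}
            continue
        if line.startswith("%"):
            continue
        key, _, value = line.partition(":")
        value = value.split("#", 1)[0].strip()
        current.setdefault(key.strip(), []).append(value)
    if current:
        objects.append(current)
    return objects


def inetnum_to_cidrs(inetnum: str) -> List[str]:
    """Convert 'first - last' into the minimal list of CIDR blocks.

    95.64.110.0 - 95.64.111.255 is exactly 95.64.110.0/23; a range such as
    10.0.0.0 - 10.0.1.127 (constructed) needs two blocks: /24 and /25.
    """
    first, last = (part.strip() for part in inetnum.split("-"))
    return [str(net) for net in ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last))]


def block_list(text: str) -> List[str]:
    """Collect inetnum and route objects and collapse them into one deny list."""
    nets = []
    for obj in parse_objects(text):
        if "inetnum" in obj:
            nets += [ipaddress.ip_network(c) for c in inetnum_to_cidrs(obj["inetnum"][0])]
        elif "route" in obj:
            nets.append(ipaddress.ip_network(obj["route"][0]))
    return [str(net) for net in ipaddress.collapse_addresses(nets)]


def is_blocked(ip: str, cidrs: List[str]) -> bool:
    """True if `ip` falls inside any block on the deny list."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c) for c in cidrs)


def iptables_rules(cidrs: List[str]) -> List[str]:
    """Render the deny list as iptables DROP rules (one per block)."""
    return [f"iptables -A INPUT -s {c} -j DROP" for c in cidrs]


if __name__ == "__main__":
    blocks = block_list(WHOIS_TEXT)
    print("deny list:", blocks)
    print("95.64.111.12 blocked:", is_blocked("95.64.111.12", blocks))
    for rule in iptables_rules(blocks):
        print(rule)
```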

Added: the owner of this netblock says that it is no longer in use, so it does appear that it has been hijacked somehow.. that would be consistent with the suddenly bad rankings.

You can see a CSV of domains and MyWOT ratings here, but there are too many domains to list here. Some of the domains have come from MD-ISP-MONITORING in Moldova.

Currently active IPs are:
..although to be honest, you should just block the lot of them.

Wednesday, 1 December 2010

Evil network: Informex / INFORMEX-NET AS20564 (193.178.172.0/24)

Informex on AS20564 (193.178.172.0/24) is a Ukrainian operation implicated in a lot of bad things, including banking trojans.

SiteVet.com fingers this as the 27th worst network on the net, and links it to various malware domains and Zeus servers. There are a couple of hundred domains in this block, all worth blocking.. either block the whole IP address range, use this CSV file with MyWOT rankings, or see the list below.

Their own web server at informex.net is currently suspended (I wonder why), but it shows consistent details with the netblock owner, so at least we can see who allegedly is responsible.

      Informex Ltd.
      Andriy Lyasota
      28 Predslavinskaya Str.
      Kiev,   03680
      UA
      Phone: +1.380442528798
      Email: lyasota@terra.es

As I said, there's nothing at all of value here so blocking the entire lot will probably be safest for your client PCs.


Friday, 26 November 2010

Dynamoo.com is 10!

Dynamoo.com is 10 years old this week! Registered way back on 24th November 2000.. there wasn't much to see back then. Some would argue that there still isn't! Anyway, here's what the site looked like when it was first archived.

My first web site was created sometime in the mid 1990s (can't remember exactly when) and looked like this.


I largely learned about web design in the mid-90's and I think it still shows!

Slimeware sites to block

If you work in corporate IT, then you've probably had users come across sites that appear to be things like Acrobat Reader, Google Earth or some other application.. but are in fact a deceptive way to install some other software (typically some sort of adware). I call this "slimeware".

This list of sites [CSV] are, in my view, offering applications of limited use that you might want to consider blocking. Some example sites trade heavily on well-known names like Avast, Yahoo Messenger, Nero and other well-known apps. Quite a lot of these are sourced via MarketBay. Scroll down for some sample screenshots.

The list includes over 1000 sites of dubious value and a much shorter list of IP addresses (below) which might be easier, plus MyWOT ratings as a guide to the nastiness of the sites. You can download it from http://www.dynamoo.com/files/slimeware01.csv

IP Addresses:

Sample screenshots:







Wednesday, 24 November 2010

MarketBay.. yuk!

This post on the Sunbelt blog about apparently bogus anti-virus software rang a bell.. there was something eerily familiar about this whole operation that I'd seen before. A close examination of these so-called anti-virus sites shows a link to marketbay.com - so these look like some autogenerated affiliate sites or other.

MarketBay are pretty well known for shady practices, for example here and here. Before they were called marketbay.com, they were known as yourclick.com and run by a firm apparently called Three W Networks Ltd (Google it). Everything is hidden behind a shell company in the Bahamas, with a name of David Da Silva connected to it, although this is a fairly common name and it may well be assumed. The company recently changed name to Media Entertainment Guide, still quoting the Da Silva name and a Bahamas address as seen in the WHOIS for marketbay.org which is not privacy protected (unlike marketbay.com).

[As a side note, the historical WHOIS records for marketbay.com identify a previous owner who confirmed that the domain was sold to another party]

The software punted by MarketBay looks to be of questionable use, but that's an accusation that can be made against any one of a number of businesses.. caveat emptor and all that. But at the very least you can say that affiliates are marketing this software deceptively.

Now, the IP address block 67.212.90.64/28 is rather more fruitful to examine. It's a very small block of IP addresses, listed as belonging to Mango Ideas in Canada (note: these sites are no longer hosted there as of March 2011).

There is certainly nothing worth visiting in 67.212.90.64/28 and blocking the whole lot would probably save you some headaches. The block seems to be clean now, but for research interest the sites that WERE hosted there are listed in this CSV file with MyWOT ratings attached.

Update 23/3/11: It appears that most of the sites are no longer hosted here (they appear to have moved to other Canadian hosts), there are a few remaining sites that I can't vouch for one way or another.. as it is, I would suggest that this block is now clean and no longer evil.

Mr Kennedy says that he assumes that the bad sites were probably put on there by a reseller or perhaps a compromised account, and they have a very strict anti-abuse policy.

Friday, 19 November 2010

It's 30 for a reason, part 2

This guy claims that he was doing 20mph before he demolished about 15 metres of fencing, two gateposts and one gate before hitting my house.. backwards. I am largely disinclined to believe him.

I don't know what you have to do to pass a driving test in Lithuania where this guy hails from. I suspect driving backwards into a house isn't part of the test though.

But.. this isn't the first time that this has happened either. Three years ago we were lucky not to be picking body parts out of the garden after this accident.

And the speed limit? 30 miles per hour. It's 30 for a reason..

Monday, 8 November 2010

theciosummits.org / CIO Summits spam

theciosummits.org / CIO Summits is the same outfit as BizSummits, who have a particular spamming technique that has been seen before.

The technique appears to be that they search a website for strings that look like names, and then try to guess the email address for that person at that domain. Email addresses tend to follow a limited number of formats, so it probably gets a reasonable success rate, but even so.. the name is still scraped and the recipient emailed without opting in to anything.

From: Jason Williams <jwilliams@theciosummits.org>
To: James Studer [redacted]
Date: 8 November 2010 15:06
subject: James, just following-up.
   
Hi James, is now a better time to reach out to you in regards to the CIO
Summit? You received a request on behalf of our Board due to your key
role in the technology field and I'm curious to know if a decision has
been made.

The CIO Summit is an invitation-only group comprised of the very best
executives and visionaries in technology. We meet monthly by
teleconference to exchange what is working, what is not, strategies and
ideas. It is a confidential forum with dedicated groups of other
successful VPs and key executives whose only agenda is to help each other
outperform. Our site is at www.theciosummits.org

I am certain you will find the experience both enjoyable and useful in
your efforts. Please take a look and let me know of your decision. Thanks,
 James.

Sincerely,
Jason Williams
CIO Summits
Tel. (803) 712-3027
www.theciosummits.org


The information contained in this message is confidential and intended
only for James Studer. If you have received this message in error, please
delete it or mail us back if you no longer wish to receive further
invites. For my records, I show your contact information as: James Studer,
 Dynamoocom, [redacted]  800-688-6115 If needed, you can reach
us at 201 17th St, #1200, Atlanta, GA 30363. Thank you.

Who is James Studer exactly? It turns out that he was a contributor to the Orange Book, which I have a section about on my website.. and as with the BizSummits spam I've seen before, the pattern is exactly the same.

CIO Summit's pitch looks fairly deceptive. They have guessed an email address, apparently to make it look like we have a prior relationship. It's worth noting as well that the BBB give parent BizSummits a very poor "F" rating which definitely makes it look like one to avoid.

Massive yourfreeworld.com / downlinegoldmine.com spam run

Sometimes it is difficult to tell if a spam run is a Joe Job, or if the spammer is really a moron.

Over the past few hours, a massive spam run has been caught by several spamtraps and has also been spammed out heavily to spamcop.net email addresses:

From: Rohit Seth - YourFreeWorld <seth@yourfreeworld.com>
Date: 8 November 2010 07:39
Subject: Amazing New MLM Scripts, Mass Mailers, Downline Builders
   
Check out our amazing range of money making matrix scripts, bulk emailers, safelists, banner ad scripts and downline builders.

Check out our latest additions too by bookmarking our site and checking it often.

Our ingenious affiliate program integrates your ClickBank ID into your affiliate link. So when someone comes to our page and conducts a search for any ClickBank product, YOU can make up to 75% commissions with very little effort!

"Imagine earning commissions hand over fist 24 hours a day, 7 days a week, 365 days of the year -- even while you're sleeping! This is truly a no-effort style affiliate program that maximises multiple income streams."

http://www.yourfreeworld.com

or make monster cash for the holidays by becoming a reseller of our fantastic scripts, it's that simple!

http://www.downlinegoldmine.com

If you are ready to start to MAKE MONEY online, Downlinegoldmine.com is the place to do it! We will give you the keys to build your Downline, to create your own Downline Program and to learn winning techniques so that you can sit back and let the earnings begin!

From the desk of Rohit Seth
Delhi
India

WHOIS details are consistent with the message:
  Registrant :
    Name: Rohit kumar Seth
    Organization: Dr. M.Seth & Co.
    Address: S-5,Naveen Shahdara
    City: Delhi
    State: DE
    Postal Code: 110032
    Country: IN
    Phone: +91.0112232
    Fax:
    Email: rolovedeep@yahoo.com


The originating IP is 64.244.62.22 [Point North Networks / XO Communications, US] pointing to two spamvertised sites, downlinegoldmine.com on 72.29.67.174 and yourfreeworld.com on 66.7.201.119 [both at Hostime, Orlando].

Almost all MLMs are some sort of scam, and these are two sites promoting MLMs. But these sites also promote "safe email sendlists", and sending hundreds of spam emails to spamtraps is clearly a poor definition of "safelist".. it's almost as if this activity is deliberately designed to generate spam complaints..

..and here's the thing. There's no evidence linking 64.244.62.22 to the alleged sender, and sending massive amounts of the same email to SpamCop.net addresses is either a massively stupid move, or it could be a deliberate attack on these sites by an unknown party.

In my opinion, both yourfreeworld.com and downlinegoldmine.com look like crappy sites that are worth avoiding. 

Monday, 1 November 2010

europa-consult.com job offer scam

Another scam email in a long-running series of fake job offers, this time using the domain europa-consult.com (not to be confused with any companies of a similar name).

for CV #19


EXPANDING COMPANY LOOKING FOR SALES SUPPORT/ADMINISTRATIVE ASSISTANT TO HELP US! FULL IN HOUSE PRODUCT TRAINING IS PROVIDED!

COMPETITIVE INDIVIDUALS.....START ASAP!

Who are we:
We are an international leading property investment and development company.
Our firm has recently acquired new clients and are continuing to expand to new locations across the US.
We are involved in a variety of activities that include construction, realty management, investment sector,
rental services etc. Right now we are working on more than 10 objects around the world, primarily in Europe, United Kingdom and North America.

Our Mission:
If you have an outstanding experience in sales and administration, we would welcome you immediately!
If you don't have a formal qualification but have gained skills and knowledge through experience - apply today!
We also equip new grads or candidates with no experience with the experience they need to build a successful business in the field of sales,
advertising, or marketing. Many high school grads or college & university students hear employers tell them they need more experience.

WE ARE LOOKING TO GIVE YOU THAT EXPERIENCE!

What you'll be doing: You will conduct comprehensive residential and/or small commercial property audits.

Other duties of the Administrative Assistant/Sales Support include, but are not limited to:
Incorporating effective priorities for the virtual office function
Administer day-to-day financial responsibilities for our clients
Reporting online daily
Preparing brief summary reports, and weekly financial reports

What's in it for you: - Excellent Pay (guaranteed Euro 725/weekly) - Great Opportunity
All compensation/salary is paid biweekly. Compensation involves uncapped earnings and bonuses.

If you are interested, please reply to : info@europa-consult.com with your latest CV.

Best regards,

Claire Haynes
Hiring Manager

The WHOIS details look very familiar:

Registrant:
    Aleksandr Lapatau
    Email: lapatasker@earthling.net
    Organization: Private person
    Address: Lenina, 34, 8
    City: Minsk
    State: Minskaya
    ZIP: 456123
    Country: BY
    Phone: +375.172427204 



Avoid.

Friday, 29 October 2010

"Polden Financial" / poldenfs.co.uk spam

The following spam was sent to a completely invalid email address, most likely harvested from the web. Although I suspect that the sender probably acquired the email address in good faith, it shows a complete lack of due diligence by the sender to spam random addresses like this. Given that the spammer claims to be a financial adviser, you should draw your own conclusions about their reliability.

From: What to expect <contact@fundamentalmediasolutions.co.uk>
Reply-To: poldenfinance@gmail.com

When did you last review your pension plans?


Do you know what to expect from your pensions 

when you retire?

Was your pension set-up during a previous employment or with a financial adviser you no longer have contact with? 

Your pension may not have been reviewed for a number of years or it may NEVER have been reviewed.

Could it be worth reviewing your pensions, possibly bringing them all under "one roof"? and...

Have a better understanding of your current position as far as your retirement planning is concerned.

Receive professional advice on the levels of funding into your pension plans.

Potentially reduce the charges on your pension plans, which could help you increase your income in retirement.

Would you like a clear investment strategy that matches your own attitude towards investment risk in an economic climate, which is un-clear?

Regular reviews to keep your pension on track and access to new opportunities that might help you derive a greater income in retirement.

For simple explanations to help you understand your pension planning and how it will benefit you.

  
Telephone  01278 445968  or email  adviser@poldenfs.co.uk  today 

and we can discuss our review process in full.


PO Box 359, Bridgwater, Somerset TA6 9AS

Polden Financial is a trading style of Rosemount Financial Solutions Ltd who are an appointed Representative of Intrinsic Financial Planning Ltd, Registered in England 5372217, Wakefield House, Aspect Park, Pipers Way, Swindon, SN3 1SA. Intrinsic Financial Services is a holding Company, subsidiaries of which are authorised and regulated by the Financial Services Authority. The information contained in this message is confidential and may be legally privileged. If you are not the intended recipient, please do not read, copy or otherwise use it and do not disclose it to anyone else. Please notify the sender of the delivery error and then delete the message from your system. Any views or opinions expressed in this e-mail are those of the author only. Email communications are not secure. For this reason Rosemount Financial Solutions cannot guarantee the security of the email or its contents or that it remains virus free once sent.

I always love those self-important disclaimers at the end, especially when it comes to spam.. as I will publish details of spam as I f--king well see fit.

The spam originates from 78.109.170.7 (identifying itself as belonging to emarketingdesigndelivery.co.uk in Somerset), and unusually for a spam it doesn't link to a website and solicits replies to adviser@poldenfs.co.uk or 01278 445968 instead. The domain poldenfs.co.uk is also registered to an individual in Somerset, so the originating IP address seems to be a close match to the business.

The WHOIS entries for the domains poldenfs.co.uk (and poldenfs.com) list their web host as the contact, not the spammer themselves. The number 01278 445968 does match a record at the FSA for Polden Financial Solutions LLC but marks them as no longer being "authorised". Companies House lists that company as being at:

POLDEN FINANCIAL SOLUTIONS LLP
40 WOODBOROUGH ROAD
WINSCOMBE
SOMERSET
BS25 1AG
Company No. OC313363


Records indicate that this business is operated by a John McBurnie who is listed as a representative of Rosemount Financial Solutions Ltd., and the email does say that Polden is a trading style of Rosemount FS, which is correct.

In fact, everything about this firm seems to check out OK apart from the fact that they send unsolicited commercial email to invalid addresses. But in my view, that's enough to avoid doing business with them.

As an aside, you might want to amuse yourself with this Google search about poldenfs.co.uk.

Rev2Share.com spam

Following one day after this almost identical MySuperShares.com spam, this email also appears to be an attempt to game a "get rich quick" MLM scheme with fake signups.

From: Rev2Share.com <admin@rev2share.com>
Reply-To: admin@rev2share.com
Date: 29 October 2010 05:24
Subject: Welcome to Rev2Share.com!
   
Dear member,

Welcome to Rev2Share.com!
We are pleased that you have decided to join our fast growing community.

You can now login to your account at:
http://www.rev2share.com/login.php
Your Username: 0000_000
Your Password: 0000000

We hope you have a great time at Rev2Share.com.

Administrator
Rev2Share.com

It's not a Joe Job as such: the email originates from 174.122.225.73, which is the same server that Rev2Share.com is hosted on, along with a bunch of shabby MLM sites. The domain was registered just days ago, and the WHOIS details seem to be accurate:

Domain name: rev2share.com

Registrant Contact:
  
   Dustin Langley ()
  
   Fax:
   105 southpark circle
   gallatin, TN 37066
   US

Administrative Contact:
  
   Dustin Langley (dustin.langley@gmail.com)
   +1.615347925
   Fax:
   105 southpark circle
   gallatin, TN 37066
   US

Technical Contact:
  
   Dustin Langley (dustin.langley@gmail.com)
   +1.615347925
   Fax:
   105 southpark circle
   gallatin, TN 37066
   US

Status: Locked

Name Servers:
   ns1.hostingmmt.com
   ns2.hostingmmt.com
  
Creation date: 25 Oct 2010 16:18:00
Expiration date: 25 Oct 2011 11:18:00



The physical address checks out; it would be highly unusual for a deliberate scammer to post their real address (even if most MLMs do turn out to be scams in the end). So it does appear that a third party is involved, using Rev2Share.com's own systems to generate fake signups, either to shut the site down or to game the system for personal profit.



It is probably no coincidence that both Rev2Share.com (hosted on 174.122.225.73) and MySuperShares.com (174.122.14.227) have an almost identical business model that claims to be selling advertising (only on their own sites) but in fact concentrates on getting signups to generate a downline instead. When you see a very thin product offering like this with an emphasis on recruiting other people, that is usually a bad sign.. best to avoid it altogether in my opinion.

Thursday, 28 October 2010

MySuperShares.com spam

In my view, all MLM schemes are almost always scams.. and MySuperShares.com seems to be just another MLM scheme, this time selling "ads" that only seem to display on the MySuperShares.com site. But the real carrot is the promise of downlines if you sign someone else up.. in other words, a thin product offering with a concentration on signing up other members rather than selling a real product.

The scheme itself is based in Australia, and I am no expert in Australian law. So, let's assume that this type of MLM scheme is legal in Australia for now.

Still, this particular email seemed unusually brazen..

From: MySuperShares.com <webmaster@mysupershares.com>
Reply-To: webmaster@mysupershares.com
Date: 28 October 2010 13:30
Subject: MySuperShares.com Confirmation Email
   
Dear 4612_210 4080_759,

Thank you for creating your account with MySuperShares.com.

To activate your account, please click the link below:

http://www.mysupershares.com/confirm.php?username=0000_000&id=00000

Once you have completed this step, you will be able to
login to your account.

Kind regards

Eva Browne-Paterson & Jullieanne Matheson
MySuperShares.com


The originating IP is 174.122.14.226, MySuperShares.com is hosted on 174.122.14.227 (i.e. the next IP address), so it indicates that the mail is genuinely from MySuperShares.com. Let's look at the WHOIS details for that domain:


Registrant:
   EvieB.com
   1 Keswick Island Drive
   Keswick Island, Queensland 4740
   Australia

   Registered through: GoDaddy.com, Inc. (http://www.godaddy.com)
   Domain Name: MYSUPERSHARES.COM
      Created on: 13-Oct-10
      Expires on: 13-Oct-11
      Last Updated on: 13-Oct-10

   Administrative Contact:
      Browne-Paterson, Eva  evieb@evieb.com
      EvieB.com
      1 Keswick Island Drive
      Keswick Island, Queensland 4740
      Australia
      411569782      Fax -- 749658019

   Technical Contact:
      Browne-Paterson, Eva  evieb@evieb.com
      EvieB.com
      1 Keswick Island Drive
      Keswick Island, Queensland 4740
      Australia
      411569782      Fax -- 749658019

   Domain servers in listed order:
      NS1.MYFREESAFELIST.COM
      NS2.MYFREESAFELIST.COM


It's unusual for fraudsters to include their real contact details in the WHOIS; in fact everything checks out as being legitimate, if you accept the MLM business model.

There are a few possibilities:
  1. The people running the site are really stupid and think that this is a good way to get signups (rather than getting your site nuked)
  2. Someone is using MySuperShare.com's own system to perform a Joe Job with deliberately false signups.
  3. Someone thinks that they can make money by gaming MySuperShare.com's system with fake signups.
My best bet is that it is the #2 or #3 option, because I really don't think that the site operators are so stupid as to try spamming like this. Does that mean that it is a legitimate programme? Well, put it this way.. do you really think that it is feasible to make money by selling nothing of value?


Update: it does appear that someone is targeting these MLM "get rich quick" sites, as another site called Rev2Share.com has also been hit.

Evil network: Alex Gorbunov / GORBY-VPN-NET AS51303 (195.226.197.0/24)

A small but nasty netblock hosting ZeuS C&C servers and Phoenix exploit kit attacks, GORBY-VPN-NET (registered to an Alex Gorbunov) seems to have no legitimate sites at all. There aren't a lot of sites in this range (I see just 24) but there does seem to be quite a lot of malicious activity. I recommend that you block access to 195.226.197.0/24.

RIPE says:

inetnum:         195.226.197.0 - 195.226.197.255
netname:         GORBY-VPN-NET
descr:           Alexandr Gorbunov
remarks:         MyVPN service
country:         UA
org:             ORG-AG58-RIPE
admin-c:         AG10224-RIPE
tech-c:          AG10224-RIPE
status:          ASSIGNED PI
mnt-by:          RIPE-NCC-END-MNT
mnt-lower:       RIPE-NCC-END-MNT
mnt-by:          GORBY-MNT
mnt-routes:      GORBY-MNT
mnt-domains:     GORBY-MNT
source:          RIPE # Filtered
organisation:    ORG-AG58-RIPE
org-name:        Alexandr Anatolyevich Gorbunov
remarks:         MyVPN service
org-type:        OTHER
address:         Moskva, Yasniy proezd 14a, kv. 73
phone:           +79025392311
admin-c:         AAG76-RIPE
tech-c:          AAG76-RIPE
mnt-ref:         GORBY-MNT
abuse-mailbox:   gorby@land.ru
mnt-by:          GORBY-MNT
source:          RIPE # Filtered
person:          Alex Gorbunov
address:         Moskva, Yasniy proezd 14a, kv. 73
phone:           +79025392311
nic-hdl:         AG10224-RIPE
mnt-by:          GORBY-MNT
source:          RIPE # Filtered
% Information related to '195.226.197.0/24AS51303'
route:           195.226.197.0/24
descr:           GORBY-AS Route Object
origin:          AS51303
mnt-by:          GORBY-MNT
source:          RIPE # Filtered
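The RIPE objects above are the raw material for a block-list entry, and the useful bits (the inetnum range, the route object and its origin AS, the abuse mailbox) are easy to pull out by script rather than by eye. The following is an added example, not part of the original post and not a RIPE tool: it parses RPSL-style whois text, converts the "start - end" inetnum into CIDR notation, checks that the route object actually covers the same prefix, and collects any abuse-mailbox. The sample input is a trimmed copy of the whois output shown above, embedded so the script runs offline; the function names are this example's own.

```python
import ipaddress

# Constructed sample: a trimmed copy of the RIPE whois objects quoted in the post
# (inetnum, organisation and route). Real whois output has the same shape:
# "key: value" lines, blank lines between objects, '%' comment lines.
SAMPLE_WHOIS = """\
% Information related to '195.226.197.0 - 195.226.197.255'

inetnum:         195.226.197.0 - 195.226.197.255
netname:         GORBY-VPN-NET
descr:           Alexandr Gorbunov
remarks:         MyVPN service
country:         UA
org:             ORG-AG58-RIPE
status:          ASSIGNED PI
mnt-by:          RIPE-NCC-END-MNT
mnt-by:          GORBY-MNT
source:          RIPE # Filtered

organisation:    ORG-AG58-RIPE
org-name:        Alexandr Anatolyevich Gorbunov
abuse-mailbox:   gorby@land.ru
source:          RIPE # Filtered

% Information related to '195.226.197.0/24AS51303'

route:           195.226.197.0/24
descr:           GORBY-AS Route Object
origin:          AS51303
mnt-by:          GORBY-MNT
source:          RIPE # Filtered
"""


def parse_rpsl(text):
    """Split RPSL-style whois output into a list of objects (dicts).

    An object is a run of 'key: value' lines; blank lines separate objects and
    lines starting with '%' are server comments. Repeated keys (several mnt-by
    lines, for instance) are kept as lists. The first key of each object is
    recorded as its class (inetnum, organisation, route, ...).
    """
    objects, current = [], {}
    for line in text.splitlines():
        if line.startswith("%"):
            continue
        if not line.strip():
            if current:
                objects.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")
        key = key.strip()
        value = value.split("#", 1)[0].strip()   # drop '# Filtered' style trailers
        if "_class" not in current:
            current["_class"] = key
        current.setdefault(key, []).append(value)
    if current:
        objects.append(current)
    return objects


def inetnum_to_cidrs(obj):
    """Turn an inetnum 'start - end' range into the minimal list of CIDR prefixes."""
    start, end = (ipaddress.ip_address(p.strip()) for p in obj["inetnum"][0].split("-"))
    return [str(n) for n in ipaddress.summarize_address_range(start, end)]


def summarize(text):
    """Extract what a block-list maintainer wants: netname, CIDRs, routes, abuse contact,
    and whether the announced route(s) sit inside the registered inetnum."""
    by_class = {}
    for obj in parse_rpsl(text):
        by_class.setdefault(obj["_class"], []).append(obj)
    inet = by_class["inetnum"][0]
    cidrs = inetnum_to_cidrs(inet)
    routes = [(r["route"][0], r["origin"][0]) for r in by_class.get("route", [])]
    abuse = [a for o in by_class.get("organisation", []) for a in o.get("abuse-mailbox", [])]
    nets = [ipaddress.ip_network(c) for c in cidrs]
    consistent = all(
        any(ipaddress.ip_network(r).subnet_of(n) for n in nets) for r, _ in routes
    )
    return {
        "netname": inet["netname"][0],
        "cidrs": cidrs,
        "routes": routes,
        "abuse": abuse,
        "route_matches_inetnum": consistent,
    }


if __name__ == "__main__":
    for k, v in summarize(SAMPLE_WHOIS).items():
        print(f"{k}: {v}")
```

Feed it the output of `whois -h whois.ripe.net 195.226.197.0/24` and the CIDR list is what goes into the firewall; a route that does not fall inside the inetnum is worth a second look, since it means the announcement and the registration disagree.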


Google says of AS51303:

Safe Browsing
Diagnostic page for AS51303


What happened when Google visited sites hosted on this network?

    Of the 23 site(s) we tested on this network over the past 90 days, none served content that resulted in malicious software being downloaded and installed without user consent.

    The last time Google tested a site on this network was on 2010-10-27, and the last time suspicious content was found was on 2010-10-27.

Has this network hosted sites acting as intermediaries for further malware distribution?

    Over the past 90 days, we found 5 site(s) on this network, including, for example, semikemi.info/, surogatesm.info/, meinisp.info/, that appeared to function as intermediaries for the infection of 16 other site(s) including, for example, vlasti.net/, inmobiliaria-habitat.es/, inoxmarti.com/.

Has this network hosted sites that have distributed malware?

    Yes, this network has hosted sites that have distributed malicious software in the past 90 days. We found 15 site(s), including, for example, semikemi.info/, terikmask.info/, qstrokes.info/, that infected 176 other site(s), including, for example, montealea.com/, ideal.es/, crosswordscrucigramas.com/.

You can see a list of domains and MyWOT reputations here [csv]; the current list of domains that I can see is below:

Hello-larry.com
Reklamaservice.org
Solarisgrand.net
Bungalougrand.net
Lintuage.net
Miksint.net
Mistiriks.net
Limpop.net
Gitrometro.net
Gennuine.com
Mussiss.com
Meinisp.info
Leimdungl.info
Terikmask.info
Traveldens.info
Simanticwerd.info
Balacenewiq.info
Afishatop.com
Afishaintop.com
Inafishatop.com
Kinakoi.net
Salimko.com
Simrako.com
Sipolin.net

Tuesday, 26 October 2010

"Bikini Robot Army" spam

I've never listened to Bikini Robot Army (although for some reason I have heard of them), but this spam run I was at the wrong end of did tempt me to give them a listen, if only to hear what a spammer sounds like.. basically pretty derivative and dull but somewhat technically competent. In other words.. it sounds like the musical equivalent of spam.

This email originates from 216.92.1.93 spavertising bikinirobotarmy.com on 216.92.45.18 plus a defunct Facebook page, MySpace page and Twitter account. Frankly I'd give them a miss if they have to resort to unsolicited bulk email to drum up interest.

Slightly amusingly, their spam has this line in it: Bill Gates - "I gave Bikini Robot Army YOUR email address!” - I don't think he did.

From: robotarmy-bounces@bikinirobotarmy.com [mailto:robotarmy-bounces@bikinirobotarmy.com] On Behalf Of Bikini Robot Army
Sent: 25 October 2010 19:40
To: robotarmy@bikinirobotarmy.com
Subject: [Robotarmy] Bikini Robot Army wants YOU!

Bikini Robot Army wants YOU!

If you love the Rolling Stones, Beatles, Bowie and Beck - you will love... Bikini Robot Army.

From the mouth of David Bowie (Digivegas, 2010)
"Bikini Robot Army is a wild new band - I've never heard a song like that before"
[Joe Strummer's House]

Joe Strummer's House is the new hit by Bikini Robot Army taking the UK by storm;
you can hear it on BBC Radio One and BBC 6.

Bikini Robot Army continues to tear like a tornado through the US!

Come join us! We want YOU!
www.bikinirobotarmy.com
Available at iTunes, Amazon and all online stores.

Remember, Bikini Robot Army LOVES YOU!

Follow us for updates and special guests, radio interviews, live shows etc
Plus FREE music, FREE merchandise and regular updates.

facebook.com/bikinirobotarmy
twitter.com/bikinirobotarmy
myspace.com/bikinirobotarmy

Thanks,
www.bikinirobotarmy.com.
Available at iTunes, Amazon and all online stores.

Any questions, comments or rants, please email us at info@bikinirobotarmy.com.

If you would like to unsubscribe, please email info@bikinirobotarmy.com with Unsubscribe in the subject.
--------------------------------------------------------------------------------------------------------------

50cent - "I only listen to Bikini Robot Army

George Bush - “B.R.A. I never go running without Bikini Robot Army in my iPod”

Madonna - “Bikini Robot Army saved my life”

Elton John - “Bikini Robot Army made me gay!”

Keith Richards - "Who the F*@K is Bikini Robot Army?”

Richard Pryor - "Bikini Robot Army killed me!”

Superman - "Kryptonite? I don’t think so!”

Bill Gates - "I gave Bikini Robot Army YOUR email address!”

Bill Murray - "Stop asking me about Ghostbusters 3, I wanna hear the new Bikini Robot Army album!”

Sunday, 24 October 2010

"america-newresume.com" scam

This scam has been around for a while. Strangely, it spells out "NB" in full as the Latin "Nota Bene"; you don't see an awful lot of Latin in spam these days. Anyway, this is a fake job offer, most likely for a money mule role in money laundering or receiving stolen goods. Avoid.

Re: CV 69


I’m addressing you on behalf of the HR department of a large company.

Our company takes an active part in the life of its subsidiaries, for example:
-property
- bank account operations
- transportation and logistics
- private enterprise service
- etc.

We have vacancies to be filled by Europe residents only:
- salary 2.600 euro + bonus
- underemployment
- flextime


If you are ready to work as a regional manager in Europe send us the below information: Dominick@america-newresume.com
First Name:
Last name:
Country of living:
City
E-mail:
Phone:



Nota bene! Only European residents are required !

Please provide us with your Personal data (Phone number and First and Last name) and our manager will contact to you to make a brief interview.

Saturday, 23 October 2010

sshopper.net "mystery shopper" scam

We've seen this scam before, but this time the mystery shopper scam uses the domain sshopper.net to solicit replies. Avoid.


Re: MS/Secret Shopper [$700/week]


Thank you for your interest in the MS Shopper position.
Our company conducts surveys and evaluates other companies in order to help them achieve their performance goals.
We offer an integrated suite of business solutions that enables corporations to achieve tangible results in the marketplace.

We get hired by other companies and act like customers to find out how they are handling their services in relation to their customers.
MS Shopping is the most accurate and reliable tool a business can use to gather information regarding their actual customer service performance at the moment of truth.
This moment of truth is not when the staff is on their best behavior because the boss is around - it is when they interact with customers during their normal daily routines.

This is where you, the MS Shopper, come in.
You pose as an ordinary customer and provide feedback of both factual observations (ex...the floor was free of debris)
and your own opinions (ex...I felt that the temperature in the establishment was too cold).

MS Shoppers must remain anonymous. You must act as a regular customer and be careful not to do anything that would reveal you as a shopper.
An inexperienced shopper could tip off the staff to his/her identity by asking for the manager's name for no clear or appropriate reason.
If you are going to be bringing someone with you on the shop, make sure you educate them about the process as well.
Beware that even whispers can be overheard by employees. If anyone notices you are a shopper,
you can bet that word will quickly spread around the establishment and you will get some of the best customer service in town.

No company can afford to have a gap between the promise of quality and its actual delivery, that's why leading corporations look to us,
the nation's premiere MS shopping and customer experience measurement company.

In order for a business to effectively compete in today's economy, they must be prepared to meet the challenge of increasing sales by:
* Retaining existing customers
* Acquiring new customers
* Creating word-of-mouth advocacy
* Improving customer loyalty

Once we have a contract to do so, you would be directed to the company or outlet, and you would be given
the funds you need to do the job(either purchase merchandise or require services), after which you would write a detailed report of your experience.

Examples of details you would forward to us are:
1) How long does it take to get served.
2) Politeness of the attendant.
3) Customer service professionalism.
4) Sometimes you might be required to upset the attendant, to see how they deal with difficult clients.

Then we turn the information over to the company executives and they will carry out their own duties in improving their services.
Most companies employ our assistance when people complain about their services, or when they feel there is a need for them to improve upon their customer service.
Our company partners with you to implement proven MS shop auditing and surveying strategies that provide critical information about customer experiences.

You will be paid a commission of $100 for every duty you carry out, and bonus on your transportation allowance.
Your task will be to evaluate and comment on customer service in a wide variety of restaurants, retail stores, casinos,
shopping malls, banks and hotels in your area.


Qualities of a good MS Shopper:
* Is 21 years of age or older
* Loves to go shopping
* Is fair and objective
* Is ON TIME
* Is very observant and able to focus on details
* Is fairly intelligent
* Has patience
* Is detail oriented
* Is practical
* Types well
* Is trustworthy
* Explains well in writing
* Is discreet
* Loves to learn
* Handles deadlines
* Has full internet access (at home or at work)

MS Shopping is fun and exciting but also must be approached very seriously and is definitely not for everyone.

If you are interested in applying for consideration as a MS Shopper do send in your information: Guadalupe@sshopper.net
Full Name:
Address:
City:
State:
Zip Code:
Phone Number:
Age:
Occupation:

As soon as we receive your information we will add you to our database and we will look for locations in your area that needs to be evaluated.

The possition is only available for United States.

Thank you,
Guadalupe VEYTIA

Friday, 22 October 2010

"MR.BANKY MOON" scam

This one is from "MR.BANKY MOON" who is apparently the "UN SEC.GENERAL.", but for some reason he's using a free Gmail address and is sending this email from Argentina. And an ATM card loaded with seven million dollars? If your ATM withdrawal limit is $500 per day, then it will take you 14,000 days (or 38 years, 4 months and 9 days) to get it out of the cash machine.. and even at the $3,000 per day limit the email itself quotes, that is still 2,334 days, or well over six years.

From: UN AUDIT DEPT. <morriswilliams01@ciudad.com.ar>
Reply-To: atmswiftdeptm@gmail.com
Date: 23 October 2010 07:15
Subject: ATM-001 CODE
UNITED NATIONS NATIONAL AUDIT OFFICE
BUCKINGHAM PALACE ROAD, VICTORIA
LONDON SW1W 9SP,
UNITED KINGDOM.


Attn: Beneficiary
We sincerely apologize for sending you this sensitive information via e-mail instead of a certified mail, phone call or a  face-to-face conversation, it is due to the urgency and importance of the security information involved. In the quest to cushion the effect of the global financial crisis, American government through the Federal Bureau of Investigation (FBI) Washington  DC, United Nations and the Internet Crime Complaint Center (ic3) has signed an agreement with Nigeria & EFCC for an immediate release of all overdue funds presently logged in their treasury and ensure it is disbursed to the rightful beneficiaries in any part of the world. If you the beneficiary would adhere to this notification it will help stabilize the various economies of the world and reduce the effect of this depressing recession.
Prior to this agreement our team of security experts has swung into action for transparency and accountability of this periodic project. The Federal Bureau of Investigation (Global Intelligence, Cyber Division) saddled with the responsibility of monitoring activities going on over the internet have discovered your name in the list of unpaid beneficiaries and it might interest you to know that we have conducted a comprehensive investigation on this discovery as stipulated on our protocol of operation and have confirmed that the funds was endorsed in your favor and it is 100% genuine and hitch free from all facets. You have the lawful right to contact the appropriate authority to claim your payment without further delay.
Under the Joint Regulatory Commission,we have appointed a sole fiduciary member of CBN that will handle the transfer of your funds through ATM CARD Payment. This card centre will send you an ATM CARD which you will use to withdraw your money in any ATM Machine located in your designation/any part of the world, the maximum amount to withdraw is three thousand dollars per day. Contact the below card payment centre for more details.
Contact person: Dr.Wilfred Bruce
Email: atmswiftdeptm@gmail.com
Tel: +2347037250822
Also send the below information to the above address to enable them start processing your ATM CARD.
1. Your full name
2. Phone number & fax
3. Address where you want them to send the ATM CARD
4. Your Age & Current Occupation
5. Attach copy of your Identification.
This ATM CARD payment centre has been mandated to issue out USD7, 000,000.00 as part payment for your Contract/Inheritance/Lottery Winnings for this fiscal year 2010. Also for your information, you have to stop any further communication with any other person (s) / office (s) to avoid any hitches in receiving your payment. For oral discussion, call or email back as soon as you receive this important message for further direction and also update me with the developments from the above mentioned office.
Note that because of impostors,we hereby issued you our code of conduct which is (ATM-001) so you have to indicate this code when contacting the card centre by using it as your subject.
Thanks.

MR.BANKY MOON
UN SEC.GENERAL.


Just silly really..

eu-ltk.com fake job offer

Another fake job offer (probably a follow-on from this one), most likely involving money laundering and other criminal support services.

Date: 22 October 2010 11:06
Subject: Civilities
   
This message was likely forged and did not originate from your account.
Greetings

I introduce a large multinational enterprise the co-worker of the HR department of which I am.

Our company takes an active part in the life of its subsidiaries, for example:
- real estate
- companies setting-up and winding-up
- bank accounts opening and maintenance
- logistics
- private undertaking services
- etc.

There are vacant positions of regional managers in Europe:
- salary 2.300 euro + bonus
- 2 - 3 working hours per day
- optimal timetable

If you are interested in this job, please, send us your contact information: Sam@eu-ltk.com
First Name:
Last name:
Country of living:
City
E-mail:
Phone:



We are looking for the people who have a right to work in Europe!

Please provide you name and contact information in order we can find you for further communication.

WHOIS details for the domain show the infamous info@JuliaNewYork76.com as the registrant.


Domain name: eu-ltk.com

Name servers:
    ns1.nameself.com
    ns2.nameself.com

Registrar: Regtime Ltd.
Creation date: 2010-10-19
Expiration date: 2011-10-19
Status: active

Registrant:
    Julia Morgan
    Email: info@JuliaNewYork76.com
    Organization: MDS LTD
    Address: 201 Varick Street
    City: New York
    State: NY
    ZIP: 10014
    Country: US
    Phone: +1.8668402756
Administrative Contact:
    Julia Morgan
    Email: info@JuliaNewYork76.com
    Organization: MDS LTD
    Address: 201 Varick Street
    City: New York
    State: NY
    ZIP: 10014
    Country: US
    Phone: +1.8668402756
Technical Contact:
    Julia Morgan
    Email: info@JuliaNewYork76.com
    Organization: MDS LTD
    Address: 201 Varick Street
    City: New York
    State: NY
    ZIP: 10014
    Country: US
    Phone: +1.8668402756
Billing Contact:
    Julia Morgan
    Email: info@JuliaNewYork76.com
    Organization: MDS LTD
    Address: 201 Varick Street
    City: New York
    State: NY
    ZIP: 10014
    Country: US
    Phone: +1.8668402756 

Thursday, 21 October 2010

Evil network: DG Holding SIA / ALTNET-LV AS41390 (195.3.144.0/22)

DG Holding SIA / ALTNET-LV is another evil network, and it's no surprise to see that it is in Latvia. The 195.3.144.0/22 block hosts sites involved in hacking, malware distribution, MLM scams, fake goods and porn, plus a number of ZeuS C&C servers.

There are a small number of legitimate customers in this block, but they mostly cater for Latvian users only. If you are outside Latvia, very little will be lost by blocking the entire /22 (195.3.144.0 - 195.3.147.255).

There's a listing of domains, IPs and MyWOT ratings here [csv] if you want to probe more deeply and avoid blocking the handful of legitimate sites.. otherwise, I would recommend blocking the lot.
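Both this post and the GORBY-VPN-NET one above boil down to the same advice: block a whole prefix rather than chase individual hosts. The script below is an added example, not part of the original posts, showing how to turn those two recommendations (195.226.197.0/24 and 195.3.144.0/22, as given above; whether the same operators still hold them today is outside what these posts say) into something you can actually apply and check: it expands a CIDR to the first-last range the post quotes, matches destination addresses from a few constructed firewall-style log lines against the list, and emits the equivalent iptables rules. Log format, label names and rule targets are this example's own assumptions.

```python
import ipaddress
import re

# The ranges the posts recommend blocking, with the netname as a label.
# These are the 2010 assignments described above, not a live feed.
BLOCKLIST_ENTRIES = [
    ("195.226.197.0/24", "GORBY-VPN-NET"),
    ("195.3.144.0/22", "ALTNET-LV"),
]

# Constructed sample log lines (assumed key=value firewall/proxy format).
# 198.51.100.7 is documentation space (TEST-NET-2) and should not match;
# 195.3.148.1 is one address past the end of the /22 and should not match either.
SAMPLE_LOG = """\
2010-10-21T10:01:02 src=10.0.0.5 dst=195.3.146.9 proto=tcp dport=80
2010-10-21T10:01:07 src=10.0.0.5 dst=198.51.100.7 proto=tcp dport=443
2010-10-21T10:02:11 src=10.0.0.9 dst=195.3.148.1 proto=tcp dport=80
2010-10-21T10:03:45 src=10.0.0.12 dst=195.226.197.40 proto=tcp dport=8080
"""


def load_blocklist(entries):
    """Parse (cidr, label) pairs into (ip_network, label), rejecting malformed prefixes early.
    strict=True makes a typo such as 195.3.144.1/22 fail instead of silently widening."""
    return [(ipaddress.ip_network(cidr, strict=True), label) for cidr, label in entries]


def expand_range(cidr):
    """Return the (first, last) address of a prefix, as written in the post."""
    net = ipaddress.ip_network(cidr)
    return str(net.network_address), str(net.broadcast_address)


def lookup(ip, blocklist):
    """Return the label of the blocked prefix containing ip, or None.
    Longest prefix wins if entries overlap."""
    addr = ipaddress.ip_address(ip)
    hits = [(net.prefixlen, label) for net, label in blocklist if addr in net]
    return max(hits)[1] if hits else None


def scan_log(lines, blocklist):
    """Yield (dst_ip, label) for every log line whose dst= address is in a blocked prefix."""
    hits = []
    for line in lines.splitlines():
        m = re.search(r"\bdst=(\S+)", line)
        if not m:
            continue
        label = lookup(m.group(1), blocklist)
        if label:
            hits.append((m.group(1), label))
    return hits


def iptables_rules(blocklist, chain_in="INPUT", chain_out="OUTPUT"):
    """Render one inbound and one outbound DROP rule per prefix (assumed iptables syntax)."""
    rules = []
    for net, label in blocklist:
        rules.append(f"iptables -A {chain_in} -s {net} -m comment --comment '{label}' -j DROP")
        rules.append(f"iptables -A {chain_out} -d {net} -m comment --comment '{label}' -j DROP")
    return rules


if __name__ == "__main__":
    bl = load_blocklist(BLOCKLIST_ENTRIES)
    for cidr, label in BLOCKLIST_ENTRIES:
        print(f"{label}: {cidr} = {' - '.join(expand_range(cidr))}")
    for ip, label in scan_log(SAMPLE_LOG, bl):
        print(f"hit: {ip} ({label})")
    print("\n".join(iptables_rules(bl)))
```

Run it against real logs by replacing SAMPLE_LOG with the file contents; the `strict=True` parse and the boundary case in the sample (195.3.148.1 just outside the /22) are the two checks that catch the common mistakes when a range from a blog post is copied into a firewall.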