Saturday, 26 March 2011
Mango Ideas / gsid.net is now clean
Just a quick note to say that Mango Ideas have cleaned up their network after this incident, which was possibly down to a reseller or perhaps a compromised server. Excellent news.
Labels:
Canada
Thursday, 24 March 2011
west-ugroup.net (and other) fake job offers
Another fake job offer in this very long running scam. The "job" involved actually supports organised crime and may involve such things as money laundering and fraudulent parcel reshipping, as well as being the "front" person for various fraudulent activities, and the first person the police will drag in when it all goes wrong.
Date: 24 March 2011 04:34
Subject: We need employees in Europe
Good day!
I am writing to you in the name of the corporation the Human Resources department of which I represent.
Our corporation has a great scope of business activities.
-real property
-business support
-company dissolution
-private firm service
-etc
There is a vacancy of a Regional manager in Europe:
-compansation 2.600 euro + bonus
-bonus-job
- no fixed office hours
If you have an intention to cooperate with our company, please send your contact information on our e-mail: Josiah@west-ugroup.net
Name
Surname
Counrty
City
Sell phone number
Remark! Applicants with the permission to work in Netherlands & Portugal only!
Please inform your name and phone number so that we can find you for further communication.
The domains will vary, but these are all closely related:
The (possibly fake) domain registration details are:
Aleksej Iliin
Email: abolan@mail.org
Organization: Private person
Address: Okruzhnaya ul. d.5 kv.4
City: Moskva
State: Moskovskaya obl.
ZIP: 183124
Country: RU
Phone: +7.4959424617
Fax: +7.4959424617
There are some other fraudulent and/or malicious domains connected with the registrant:
109.196.134.18 - VLine Ltd, Moscow
bestandxast.com
besternax.com
joprestons.net
russian-post.net
trafallbest.com
xalentarna.net
(Incidentally, pretty much all of Vline is evil so blocking 109.196.128.0 - 109.196.143.255 is an excellent idea)
195.170.178.76 - allocation unclear
abolzaka.com
allnettraf.com
basletboll.com
bests-tracks.com
climersnet.com
nonstopsen.com
Labels: Job Offer Scams, Lapatasker, Money Mule
Monday, 21 March 2011
Evil network: Intermedia Top SRL / INTERMEDIA-TOP AS49873 (95.64.8.0/24)
Intermedia Top SRL is a Romanian host operating a network in the 95.64.8.0/24 range. This range appears to contain nothing but malicious sites, including malware distribution, fake news sites (designed to help sell fake products), and fake anti-virus and utility applications.
Update 2/4/11: you should also block 95.64.9.0/24 which is allocated to the same people.
AS49873 is flagged as having Zeus C&C servers, and has a pretty bad reputation at SiteVet which shows that badness shot up at the beginning of March.
Google says:
Safe Browsing
Diagnostic page for AS49873 (TELECOMPO)
What happened when Google visited sites hosted on this network?
Of the 640 site(s) we tested on this network over the past 90 days, 1 site(s), including, for example, absolutiovbf2n.info/, served content that resulted in malicious software being downloaded and installed without user consent.
The last time Google tested a site on this network was on 2011-03-19, and the last time suspicious content was found was on 2011-03-19.
Has this network hosted sites acting as intermediaries for further malware distribution?
Over the past 90 days, we found 17 site(s) on this network, including, for example, zelwwu4kk.info/, tawdry4d.info/, gru12.info/, that appeared to function as intermediaries for the infection of 33 other site(s) including, for example, nowatermark.net/, itanil.com/, itcomputerservers.com/.
Has this network hosted sites that have distributed malware?
Yes, this network has hosted sites that have distributed malicious software in the past 90 days. We found 611 site(s), including, for example, sasae.co.cc/, slumbes.tk/, clemowceer.cz.cc/, that infected 1143 other site(s), including, for example, iwilltellyouhow.com/, saatihajj.com/, icabbies.org/.
Contact details for the block are:
inetnum: 95.64.8.0 - 95.64.8.255
netname: INTERMEDIA-TOP
descr: INTERMEDIA TOP SRL
descr: BDUL. 1 DECEMBRIE 1918 nr. 105
descr: Alba Iulia, Jud. Alba
country: RO
admin-c: AP13061-RIPE
tech-c: AP13061-RIPE
status: ASSIGNED PA
mnt-by: NETSERV-MNT
mnt-routes: MNT-TELECOMPO
mnt-domains: MNT-TELECOMPO
source: RIPE # Filtered
person: Adrian Popa
remarks: INTERMEDIA TOP SRL
address: BDUL. 1 DECEMBRIE 1918 nr. 105
address: Alba Iulia, Jud. Alba
phone: +40214302223
abuse-mailbox: imintermediatop90@gmail.com
mnt-by: NETSERV-MNT
nic-hdl: AP13061-RIPE
source: RIPE # Filtered
route: 95.64.8.0/24
descr: INTERMEDIA TOP SRL
origin: AS49873
mnt-by: MNT-TELECOMPO
source: RIPE # Filtered
Below is a partial list of sites found on this network, although there are a lot of others not listed here. Blocking the whole 95.64.8.0/24 is probably the best approach. A CSV of the list plus MyWOT ratings can be downloaded from here.
Labels: Evil Network, Romania
Tuesday, 8 March 2011
"Debt Advice UK" Sussex
You know you are dealing with a dodgy outfit when they robo-call your mobile from a suppressed number with a recorded message that starts "Please do not hang up" and then blabbers on about debt management, inviting you to press "2" to talk to an adviser.
The dodginess continued when the "adviser" at the other end could not confirm the name of the company he worked for (he claimed not to know!) beyond "Debt Advice UK", and didn't give any address other than "Sussex". There is no company in the UK of this name, and since I'm TPS registered they should not even have been calling.
The hidden phone number, blatant disregard of TPS and refusal to give a company name or address definitely has all the hallmarks of something highly unethical.
If anyone has details of these scumbags, please feel free to add a comment!
Labels:
Stupidity
Monday, 7 March 2011
Evil network: Sagade Latvia AS52055 (46.252.130.0/23) and traff4you.info
I've covered Sagade before, which appears to be a completely black hat web host with no legitimate domains at all. Sagade appear to have a new IP range in the 46.252.130.0 - 46.252.131.255 range which are completely full of toxic sites that should be blocked.
This IP range forms AS52055, of which Google says:
Safe Browsing
Diagnostic page for AS52055 (RELIKT)
What happened when Google visited sites hosted on this network?
Of the 159 site(s) we tested on this network over the past 90 days, 9 site(s), including, for example, opanaw.com/, videospartyh.info/, galleryhotf.info/, served content that resulted in malicious software being downloaded and installed without user consent.
The last time Google tested a site on this network was on 2011-02-23, and the last time suspicious content was found was on 2011-02-23.
Has this network hosted sites acting as intermediaries for further malware distribution?
Over the past 90 days, we found 16 site(s) on this network, including, for example, welcometotheglobalisnet.com/, 46.252.129.0/, welcometotheglobaliscom.com/, that appeared to function as intermediaries for the infection of 507 other site(s) including, for example, ctwatchdog.com/, deewanapan.com/, thedailyherald.com/.
Has this network hosted sites that have distributed malware?
Yes, this network has hosted sites that have distributed malicious software in the past 90 days. We found 55 site(s), including, for example, 46.252.129.0/, sontollones.co.cc/, toney.co.cc/, that infected 2312 other site(s), including, for example, cmsocial.com/, mediafire.com/, aotsargentina.org.ar/.
SiteVet oddly shows the AS as being offline, but the accompanying "badness" chart shows a big leap in evilness since the beginning of the year, so perhaps the block was reallocated.
As well as .com domains and the like, the block hosts several hard-to-spot .cz.cc and .vv.cc domains which host malware, much of which is being distributed through an apparently bogus ad network at traff4you.info.
So far, I can see the following domains in the block (a list with IP addresses and MyWOT ratings can be downloaded from here):
Registration details for this block are:
inetnum: 46.252.130.0 - 46.252.131.255
netname: Sagade
descr: users
country: LV
admin-c: AK6804-RIPE
tech-c: AK6804-RIPE
status: ASSIGNED PA
mnt-by: andrejskaminskis-mnt
source: RIPE # Filtered
person: Andrejs Kaminskis
address: Latgales 32/34, Rezekne, Latvia
phone: +37127580487
e-mail: reliktbvk@gmail.com
nic-hdl: AK6804-RIPE
mnt-by: andrejskaminskis-mnt
source: RIPE # Filtered
route: 46.252.130.0/23
descr: users
origin: AS52055
mnt-by: andrejskaminskis-mnt
source: RIPE # Filtered
As I said, traffic seems to be fed through traff4you.info, registered on 10th December 2010 with anonymous registration details and currently hosted on a dedicated server at 206.161.200.11, but until recently it was on a shared server at 69.65.48.218. This is probably a good domain to block, and I can't see much harm in blocking access to 206.161.200.0/24 and 69.95.48.0/24 while you're at it too.
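Each of the posts above ends with a range to block. As an added example (not code from the blog), here is a small Python helper that turns the ranges named in those posts into a collapsed set of CIDR prefixes and checks proxy log lines against it; the log format and the client/destination IPs in the sample are assumed for illustration.

```python
import ipaddress
import re

# Ranges that the posts above recommend blocking, copied as each post wrote
# them. Dotted "lo - hi" ranges are summarised into CIDR prefixes first.
PAGE_RANGES = [
    "109.196.128.0 - 109.196.143.255",  # VLine Ltd, Moscow (west-ugroup post)
    "95.64.8.0/24",                      # Intermedia Top SRL / AS49873
    "95.64.9.0/24",                      # same people, per the 2/4/11 update
    "46.252.130.0/23",                   # Sagade / AS52055
    "206.161.200.0/24",                  # dedicated server behind traff4you.info
]

# Constructed proxy log lines (not from the blog); each carries one dst= IP.
SAMPLE_LOG = """\
2011-03-24T09:12:01 client=10.1.2.3 dst=109.196.134.18 host=bestandxast.com
2011-03-24T09:12:07 client=10.1.2.3 dst=195.170.178.76 host=abolzaka.com
2011-03-24T09:13:44 client=10.1.2.9 dst=95.64.9.77 host=localnews47.com
2011-03-24T09:14:02 client=10.1.2.9 dst=46.252.131.200 host=ertmovs.com
2011-03-24T09:15:30 client=10.1.2.4 dst=198.51.100.10 host=example.org
"""

DST_RE = re.compile(r"\bdst=(\d{1,3}(?:\.\d{1,3}){3})\b")


def parse_range(spec):
    """Turn 'a.b.c.d - e.f.g.h' or 'a.b.c.d/nn' into a list of IPv4Network."""
    spec = spec.strip()
    if "-" in spec:
        lo, hi = (ipaddress.IPv4Address(p.strip()) for p in spec.split("-", 1))
        # summarize_address_range yields the fewest prefixes covering lo..hi
        return list(ipaddress.summarize_address_range(lo, hi))
    # strict=True rejects a prefix with host bits set, which usually means a typo
    return [ipaddress.IPv4Network(spec, strict=True)]


def build_blocklist(specs):
    """Merge every spec into the smallest set of non-overlapping prefixes."""
    nets = []
    for spec in specs:
        nets.extend(parse_range(spec))
    # collapse_addresses merges adjacent siblings (95.64.8.0/24 + 95.64.9.0/24
    # become 95.64.8.0/23) and drops prefixes already covered by a larger one
    return list(ipaddress.collapse_addresses(nets))


def lookup(ip, nets):
    """Return the blocked prefix containing ip, or None if it is not covered."""
    addr = ipaddress.IPv4Address(ip)
    return next((n for n in nets if addr in n), None)


def scan_log(text, nets):
    """Return (line_no, dst_ip, prefix) for each log line hitting a blocked prefix."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = DST_RE.search(line)
        if not m:
            continue
        net = lookup(m.group(1), nets)
        if net is not None:
            hits.append((line_no, m.group(1), str(net)))
    return hits


if __name__ == "__main__":
    blocked = build_blocklist(PAGE_RANGES)
    print("blocklist:", [str(n) for n in blocked])
    for hit in scan_log(SAMPLE_LOG, blocked):
        print("hit:", hit)
```

Note that 195.170.178.76 (the "allocation unclear" host in the west-ugroup post) is not matched, because only the ranges the posts explicitly recommend blocking are in the list.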
Labels: .SU, Evil Network, Latvia, Sagade Ltd
Tuesday, 15 February 2011
Scam: "North American Program Planning and Policy Academy (NAPPPA)"
NOTE: You can find out who was operating NAPPPA here
Fake seminars are an unusual way of scamming money from people, but this one appears to be such a pitch.
Using the domains napppa.org, napppaweb.com, napppanetwork.com, napppanetwork.org and napppa.com the "North American Program Planning and Policy Academy (NAPPPA)" claims to have been around for 50 years, but it only seems to have gotten around to registering its domains in the past two months with anonymous registrations. A Google search comes up with nothing but these recently registered websites and some spam, so it certainly appears that this is a wholly bogus outfit.
In this case the email is routed via 96.43.142.170 in the US, which also hosts napppanetwork.com.
Update: these emails appear to be originating from 173.55.115.38, a Verizon customer in Hacienda Heights, California (near Los Angeles).
From: NAPPPA Announcements <announcements@napppanetwork.com>
Date: 15 February 2011 14:40
Subject: Strategy Session: Academic Research Funding (April 25-26, 2011: Seattle University, Seattle, WA)
Signed by: napppanetwork.com
The North American Program Planning and Policy Academy (NAPPPA) will be sponsoring an Academic Research Funding Strategy Session at Seattle University in Seattle, WA on April 25-26, 2011. Interested science, technology, and medical professionals, researchers, faculty, and graduate students should register as soon as possible, as demand means that seats will fill up quickly. Please forward, post, and distribute this e-mail to your colleagues and listservs.
For more information call (800) 649-6522 or visit The NAPPPA website at http://www.napppaweb.com.
Please find the program description below:
As a response to increased demand and competition for academic research funding support and training, as well as the high cost of many programs, we offer this two day strategy session through the proposal writing and development process. This strategy features two modules: 1) Practicum I: Focusing on the format and structure of the successful research funding proposal, this module provides attendees with an overview of each part of the research funding proposal, avenues for researching available grant programs, and concludes with fundamental proposal writing techniques. 2) Practicum II: Drawing from practical exercises and techniques developed in Practicum I and the Pre-Session coursework, participants are guided through the completion of a Research Funding Dossier, which acts as the culminating work product of the session.
This session is ideal for the researcher with a targeted program, but is equally effective for those who can identify their research interests. Completion of the Pre-Session Interview and Assignments is essential to program success and value.
Academic Research Funding Strategy Session will cover the following topics:
* Fundamentals of the Research Funding Proposal Process
* Basic Elements of the Standard Research Proposal
* Essentials of Researching Funding Opportunities
* Types of Research Funding Opportunities
* Online Tools and Traditional Publications for Research
* Successful Proposal Writing Techniques
* The Do's and Don'ts of Proposal Writing
* The Strategic Grant Acquisition Effort
Tuition for this two day strategy session is $398.00.
Strategy Session Registration
1. Participants tentatively reserve a seat online at www.napppaweb.com, by calling the Program Office toll-free at (800) 649-6522, or by sending their name and contact information via email to registrar@napppaweb.com.
2. A confirmation email is sent to registrants that includes session site information, travel information, program description, and details on how to confirm attendance and make payment arrangements. An invoice and agency W9 is also included.
3. Upon attendance confirmation, registrants will receive (usually via email) a Pre-Session packet that will include 1) a Pre-Session Interview, 2) A Pre-Session Reading Packet, 3) Three exercises to be completed, 4) a Session Agenda and Schedule, and 5) a receipt.
You have received this invitation due to specific educational affiliation. We respect your privacy and want to ensure that interested parties are made aware of NAPPPA strategy sessions and schedules. This is intended to be a one-time announcement. In any event, you should not receive any more announcements unless there is a program next year in your area. To be unlisted from next year's announcement, send an email to remove@napppaweb.com and write "Unlist" in the subject line.
The (800) 649-6522 number comes up on Google quite often, and should probably serve as a warning if you ever see it in an email. Avoid.
Update 17/5/11: there's been a lot of interest in this "Academy", so here are some more details.
The napppa.org domain is registered to a presumably rented box at "Mailboxes & More" in Los Angeles.
Registrant Name: Program Director
Registrant Organization: NAPPPA
Registrant Street1: 655 S Flower Street
Registrant City: Los Angeles
Registrant State/Province: CA
Registrant Postal Code: 90017
Registrant Country: US
Registrant Phone: +1.7602023597
Registrant Email: cadiyadvisor@gmail.com
You can see the store here (note the "655" number on the left door)
Most of the other domains are anonymised, apart from napppa.com, which is also registered to what appears to be a box at Wilshire Mailbox in LA.
Programs, NPPPA
cadiyadvisor@gmail.com
5042 Wilshire Boulevard Ste 15699
Los Angeles, CA 90017
US
+1.7602023597
There is also a new anonymised domain called napppaprograms.org that is in use.
Update: two new anonymous domains have emerged, napppanet1.org (212.38.176.159) and napppanet2.org (69.57.166.88). These appear to be used for sending spam mail.
Update: as of August 2011, these spam emails are still continuing:
From: NAPPPA Announcements idaho@napppanet1.org
Date: 7 August 2011 22:15
Subject: Strategy Session: Program Planning, Evaluation, and Proposals (August 18 - 19, 2011: University of Idaho - Boise)
The North American Program Planning and Policy Academy will be conducting the Program Planning, Evaluation, and Proposals Strategy Session at University of Idaho - Boise in Boise, Idaho on August 18 - 19, 2011. Interested development professionals, researchers, faculty, and graduate students should register as soon as possible, as demand means that seats will fill up quickly. Please forward, post, and distribute this e-mail to your colleagues and listservs.
For more information call (800) 649-6522 or visit The NAPPPA website at http://napppaPROGRAMS.org. Please find the program description below:
The Program Planning, Evaluation, and Proposals Strategy Session is a hands-on, intensive session that leads participants through the entire grant proposal and funding research processes. Through an intense two day practicum, participants will receive an overview of program planning concepts along with advanced writing techniques to develop successful proposals. This results-based session combines individual exercises with group collaboration to allow each participant to leave the session with a Program Planning and Funding Dossier. Exercises leading up to the dossier and organization narrative include a thorough proposal outline, completed worksheets necessary for proposal submissions, and a starting collection of publications and resources to build a development library. Strategy Sessions is designed to provide your organization with the competitive advantage necessary in our modern grants award environment.
This session is ideal for those with a targeted program, but is equally effective for those who can identify their program and funding interests. Completion of the Pre-Session Interview and Assignments is essential to program success and value. Each participant will receive a selection of funding programs tailored to their program and/or areas of interest. Participants without a program will be provided a working example during Pre-Session.
The Program Planning, Evaluation, and Proposals Strategy Session will cover the following during the two day session:
(1) Fundamentals of Program Planning
This session will teach professional program development essentials and program evaluation. While most grantsmanship "workshops" treat program development and evaluation as separate from the writing of a proposal, this will teach students the relationship between overall program planning and proposal writing.
(2) Strategic Funding Research
At its foundation, this session will address the basics of foundation, corporation, and government grant research. However, this course will emphasize a strategic funding research approach that encourages writers to see research not as something they do before they write a proposal, but as an integrated part of the grant seeking process. Students will be exposed to online database research tools, as well as publications and directories that contain information about foundation, corporation, and government grant opportunities. Focusing on funding sources and basic social science research, this course teaches students how to use research as part of a strategic grant acquisition effort.
(3) Professional Proposal Writing
Designed to obtain tangible results, this session will make each student an overall proposal writing specialist. In addition to teaching the basic components of a grant proposal, successful approaches, and the do's and don'ts of grant writing, this session is infused with expert principles that will lead to a mastery of the process. Strategy resides at the forefront of this session's intent to illustrate grant writing as an integrated, multidimensional, and dynamic endeavor. Each student will learn to stop writing the grant and to start writing the story. Ultimately, this session will conclude with a completed proposal outline.
Tuition for this two day strategy session is $398.00.
Strategy Session Registration
1. Participants tentatively reserve a seat online at http://napppaPROGRAMS.org, by calling the Program Office toll-free at (800) 649-6522, or by sending their name and contact information via email to registrar@napppaprograms.org.
2. A confirmation email is sent to registrants that includes session site information, travel information, program description, and details on how to confirm attendance and make payment arrangements. An invoice and agency W9 is also included.
3. Upon attendance confirmation, registrants will receive (usually via email) a Pre-Session packet that will include 1) a Pre-Session Interview, 2) A Pre-Session Reading Packet, 3) Three exercises to be completed, 4) a Session Agenda and Schedule, and 5) a receipt.
You have received this invitation due to specific educational affiliation. We respect your privacy and want to ensure that interested parties are made aware of NAPPPA strategy sessions and schedules. This is intended to be a one-time announcement. In any event, you should not receive any more announcements unless there is a program next year in your area. To be unlisted from next year's announcement, send an email to remove@napppaprograms.org and write "Unlist" in the subject line.
Mail routed via 173.254.208.137, but appears to originate from 173.55.115.38 in Hacienda Heights, California. This is consistent with the first email.
Update: 26th September 2011
ABC15 in Arizona have picked up the story. Text transcript is here, or you can see the video below.
Update: 6th October 2011:
NAPPPA has now renamed itself as NA3PA but is still pumping out the same spam.
Please share your experiences by clicking the "comments" link near the bottom of the post.
Thursday, 10 February 2011
Evil network: Voejkova Nadezhda / VOEJNA-NET AS51441 (91.217.162.0/24) aka tirexhost.com
Voejkova Nadezhda, aka VOEJNA-NET and also known as tirexhost.com is a netblock allegedly based in the Ukraine, but apparently operated out of St Petersburg, Russia.
The block 91.217.162.0/24 is quite small, but one of the nastiest that I have seen in a while (and it's the new home of worid-of-books.com) with a selection of fake security updates, bogus companies and malware sites and apparently no legitimate sites at all.
Google's safe browsing diagnostics report for AS51441 gives an idea of how nasty it is:
This also fingers the domain tirexhost.com, which is protected with an anonymous registration, but behind that it is actually one Boris Umitbaev:
There's a list of domains, IP addresses and myWOT ratings here, alternatively block the entire 91.217.162.0/24 (91.217.162.0 to 91.217.162.255) range or use the list below:
Tirexhost.com
Np-comp.com
Lee2ip.com
Leemka.com
Company777.com
Traff-shop.net
Zaebalihostingi.com
Funglobal.net
Going-wide.net
Myvafpt.com
Easyiptracker.info
Hscr.info
Ipcounter.info
Soxabi.info
Vecite.info
Benelulz.com
Belikoff.info
Da0s.info
Swindling.info
Termogaz.info
Glhkghjfhhfklffr.com
Drollkenga.com
Fuckzebra.com
Drollcats.com
Drollpinguins.com
Drollumbat.com
Drollzebra.com
Firastbill.com
Funnybarsshow.com
Funnybearsshow.com
Funnymarmotshow.com
Funnypinguinshow.com
Online-network-solution.com
Microsoftwindowssecurity184.com
Microsoftwindowssecurity185.com
Microsoftwindowssecurity199.com
Microsoftwindowssecurity200.com
Microsoftwindowssecurity2011.com
Kdddaber.com
Newprojectbrain.com
Bftop.ru
Rezip.ru
Havephun.org
Molotora.com
Molotorasolutions.com
Turbostat.org
Zaebalikakdolgopizdec.com
98ghwe5p98gh.net
Gwk5ghwo.net
Jok7.com
Xp-scaner.com
Truegeneralporn.com
Mostporntube.com
Lightporntube.com
Xp-scan.com
Xppclapgirl.com
Handbag-review-2010.com
Googlerr.com
Gtrafx.com
Optimumconsult.net
Romanchuk.net
Statsnets.com
Celebsclips.net
Celebsvideos.net
Celebsvidz.net
Fruitvideos.net
Goodpetrovich.com
Rogervideos.net
8fd30g.net
Gsa8f3.net
General-st.info
Worid-of-books.com
Agasi-story.info
New-looking.net
Slowpoke.in
Em-stat.com
Updatewincenter.com
Getacc.net
My-loads.com
Top-ups.net
Getacc2.com
My-loads2.net
Worldstatsgate.com
Zaparena.biz
Rmkstore.us
Lotos2.com
Bog77.com
Dor77.com
Gol77.com
Dangerboom.com
Dangerboom.net
Dangerthree.com
Dangertwo.com
Dangertwo.net
Bgnt.net
Gentix77.net
Googleadstat.com
Halyot.net
Girtac.ru
Protection-pc.org
Berrianguz.com
Irompas.com
Mirotag.com
Mizanticonif.com
Mollotojub.com
Vikanzubik.com
Volgansuk.com
Ruvipxxxa.ru
Mysnom.net
Ejewels.ca
Santa77.com
Bali-planet.com
Sailingaccommodations.com
Zxstats.com
Ntstats.com
Stxstats.com
Excellentcat.com
Golovanerabotaet.com
Groupmind.in
Picheta.net
Pinout.in
Restrovids.net
Toplesson.in
External-top-domains.ru
Justnewleft.ru
Newsdfg.com
Repoiury.com
Rerererererere.com
The block 91.217.162.0/24 is quite small, but one of the nastiest that I have seen in a while (and it's the new home of worid-of-books.com) with a selection of fake security updates, bogus companies and malware sites and apparently no legitimate sites at all.
Google's safe browsing diagnostics report for AS51441 gives an idea of how nasty it is:
Safe Browsing
Diagnostic page for AS51441 (VOEJNA)
What happened when Google visited sites hosted on this network?
Of the 755 site(s) we tested on this network over the past 90 days, 295 site(s), including, for example, takofep.co.cc/, camesom.co.cc/, tiruvov.co.cc/, served content that resulted in malicious software being downloaded and installed without user consent.
The last time Google tested a site on this network was on 2011-02-10, and the last time suspicious content was found was on 2011-02-10.
Has this network hosted sites acting as intermediaries for further malware distribution?
Over the past 90 days, we found 63 site(s) on this network, including, for example, bali-planet.com/, zxstats.com/, adsensestat.com/, that appeared to function as intermediaries for the infection of 2642 other site(s) including, for example, walhi.or.id/, protagonistasdelacultura.cl/, uvfx.com/.
Has this network hosted sites that have distributed malware?
Yes, this network has hosted sites that have distributed malicious software in the past 90 days. We found 318 site(s), including, for example, paimiru.tk/, ua968089679.co.cc/, fenkaololo.com/, that infected 2943 other site(s), including, for example, veryripe.com/, sketchiest.com/, coneofignorance.net/.
Registration details for the netblock are:
inetnum: 91.217.162.0 - 91.217.162.255
netname: VOEJNA-NET
descr: Voejkova Nadezhda
country: UA
org: ORG-VN12-RIPE
admin-c: BT1959-RIPE
tech-c: BT1959-RIPE
status: ASSIGNED PI
mnt-by: RIPE-NCC-END-MNT
mnt-lower: RIPE-NCC-END-MNT
mnt-by: VOEJNA-MNT
mnt-routes: VOEJNA-MNT
mnt-domains: VOEJNA-MNT
source: RIPE # Filtered
organisation: ORG-VN12-RIPE
org-name: Voejkova Nadezhda
org-type: OTHER
descr: Voejkova Nadezhda
address: Russia, St.Pitersburb
address: Kupchinskaya 29/1, ap.90
phone: +7 (812) 7359264
e-mail:
admin-c: BT1959-RIPE
tech-c: BT1959-RIPE
mnt-ref: VOEJNA-MNT
mnt-by: VOEJNA-MNT
source: RIPE # Filtered
person: Berkevich Taras
address: Ukraine, Lviv
address: Povitryana 94, ap. 47
phone: +38 (032) 7302345
nic-hdl: BT1959-RIPE
mnt-by: VOEJNA-MNT
source: RIPE # Filtered
route: 91.217.162.0/24
descr: TIREXHOST.COM
origin: AS51441
mnt-by: VOEJNA-MNT
source: RIPE # Filtered
This also fingers the domain tirexhost.com, which is protected with an anonymous registration, but behind that it is actually one Boris Umitbaev:
Umitbaev, Boris
larinkamil@googlemail.com
Bolshaya Zelenina, 13-80
St-Petersburg, Leningradskaya Oblast 103008
Russian Federation
78127736549
Fax --
There's a list of domains, IP addresses and myWOT ratings here; alternatively, block the entire 91.217.162.0/24 (91.217.162.0 to 91.217.162.255) range or use the list below:
Tirexhost.com
Np-comp.com
Lee2ip.com
Leemka.com
Company777.com
Traff-shop.net
Zaebalihostingi.com
Funglobal.net
Going-wide.net
Myvafpt.com
Easyiptracker.info
Hscr.info
Ipcounter.info
Soxabi.info
Vecite.info
Benelulz.com
Belikoff.info
Da0s.info
Swindling.info
Termogaz.info
Glhkghjfhhfklffr.com
Drollkenga.com
Fuckzebra.com
Drollcats.com
Drollpinguins.com
Drollumbat.com
Drollzebra.com
Firastbill.com
Funnybarsshow.com
Funnybearsshow.com
Funnymarmotshow.com
Funnypinguinshow.com
Online-network-solution.com
Microsoftwindowssecurity184.com
Microsoftwindowssecurity185.com
Microsoftwindowssecurity199.com
Microsoftwindowssecurity200.com
Microsoftwindowssecurity2011.com
Kdddaber.com
Newprojectbrain.com
Bftop.ru
Rezip.ru
Havephun.org
Molotora.com
Molotorasolutions.com
Turbostat.org
Zaebalikakdolgopizdec.com
98ghwe5p98gh.net
Gwk5ghwo.net
Jok7.com
Xp-scaner.com
Truegeneralporn.com
Mostporntube.com
Lightporntube.com
Xp-scan.com
Xppclapgirl.com
Handbag-review-2010.com
Googlerr.com
Gtrafx.com
Optimumconsult.net
Romanchuk.net
Statsnets.com
Celebsclips.net
Celebsvideos.net
Celebsvidz.net
Fruitvideos.net
Goodpetrovich.com
Rogervideos.net
8fd30g.net
Gsa8f3.net
General-st.info
Worid-of-books.com
Agasi-story.info
New-looking.net
Slowpoke.in
Em-stat.com
Updatewincenter.com
Getacc.net
My-loads.com
Top-ups.net
Getacc2.com
My-loads2.net
Worldstatsgate.com
Zaparena.biz
Rmkstore.us
Lotos2.com
Bog77.com
Dor77.com
Gol77.com
Dangerboom.com
Dangerboom.net
Dangerthree.com
Dangertwo.com
Dangertwo.net
Bgnt.net
Gentix77.net
Googleadstat.com
Halyot.net
Girtac.ru
Protection-pc.org
Berrianguz.com
Irompas.com
Mirotag.com
Mizanticonif.com
Mollotojub.com
Vikanzubik.com
Volgansuk.com
Ruvipxxxa.ru
Mysnom.net
Ejewels.ca
Santa77.com
Bali-planet.com
Sailingaccommodations.com
Zxstats.com
Ntstats.com
Stxstats.com
Excellentcat.com
Golovanerabotaet.com
Groupmind.in
Picheta.net
Pinout.in
Restrovids.net
Toplesson.in
External-top-domains.ru
Justnewleft.ru
Newsdfg.com
Repoiury.com
Rerererererere.com
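This post, and the FAMILY-NETWORK, Didjief and Informex posts further down, all give the same two options: block the whole netblock, or block the listed domains. RIPE whois hands you ranges ("inetnum: first - last") while firewalls want CIDR prefixes, and the pasted domain lists arrive with mixed case and repeats. The following is an added example of the glue a defender would write for that, in Python; it is not code from this blog, and the names and ranges fed to it below are taken from the post purely as sample input.

```python
import ipaddress
from typing import Iterable, List, Set


def inetnum_to_cidrs(inetnum: str) -> List[str]:
    """Convert a RIPE-style IPv4 'inetnum: first - last' line into CIDR prefixes.

    Accepts the raw whois line or just the 'first - last' part. A range that
    is not prefix-aligned comes back as the minimal list of prefixes.
    """
    _, _, value = inetnum.rpartition(":")          # drop an 'inetnum:' label if present
    first, last = (part.strip() for part in value.split("-"))
    networks = ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last)
    )
    return [str(net) for net in networks]


def ip_is_blocked(ip: str, cidrs: Iterable[str]) -> bool:
    """True if the address falls inside any of the blocked prefixes."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(cidr) for cidr in cidrs)


def normalize_domains(lines: Iterable[str]) -> List[str]:
    """Lower-case, trim and de-duplicate a pasted domain list, keeping first-seen order."""
    seen: Set[str] = set()
    out: List[str] = []
    for line in lines:
        name = line.strip().lower().rstrip(".")
        if name and name not in seen:
            seen.add(name)
            out.append(name)
    return out


def domain_is_blocked(hostname: str, blocked: Iterable[str]) -> bool:
    """True if the host or any parent domain is listed (www.evil.example matches evil.example).

    The bare TLD is never tested, so 'com' on a list cannot block everything.
    """
    blocked_set = {b.lower().rstrip(".") for b in blocked}
    labels = hostname.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in blocked_set for i in range(len(labels) - 1))


def hosts_file_lines(domains: Iterable[str]) -> List[str]:
    """Render the list as hosts-file sinkhole entries ('0.0.0.0 name')."""
    return [f"0.0.0.0 {name}" for name in normalize_domains(domains)]


if __name__ == "__main__":
    # Sample input taken from the post: the VOEJNA-NET range and a few listed domains.
    cidrs = inetnum_to_cidrs("inetnum: 91.217.162.0 - 91.217.162.255")
    print(cidrs, ip_is_blocked("91.217.162.77", cidrs))
    for line in hosts_file_lines(["Tirexhost.com", "Np-comp.com", "tirexhost.com"]):
        print(line)
```

The suffix walk in domain_is_blocked matters because the lists give registrable domains while the malware is usually served from a subdomain; a literal string match would miss it.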
Labels:
Evil Network,
Russia,
Ukraine
Monday, 7 February 2011
Evil network: Didjief LLC / DIGIEF-NET AS48709 (91.200.242.0/23)
Didjief LLC - or to give its full (and presumably fake) name "Didjief Internation Kulinari Koncept LLC" - runs a wholly malicious netblock in the 91.200.242.0/23 (91.200.240.0 - 91.200.243.255) range which includes a variety of malware sites, fake businesses, fake software and other malicious sites that should be blocked.
Many of these sites have wholly fictitious WHOIS entries or are registered through known black hat registrars. Some examples and references are:
A simple Google search brings up lots of matches that indicate malicious activity, for example 91.200.240 and 91.200.242. There are also fake business sites such as Adclickmarket.com, which gives its WHOIS contact details as:
Ad Click Market Ltd.
AdClickMarket (info@adclickmarket.com)
PO Box 279
Alderley Edge
Cheshire,SK9 7UQ
GB
Tel. +44.2854327
There is no company in the UK with the name Ad Click Market Ltd according to Companies House.
There is also another group of fake businesses using the "Advertising German Group" name, such as traveleshop.biz (also implicated in malware distribution here):
Advertising German Group (AGG)
Niclas Kappel (niclas.kappel@yahoo.com)
Kurt-Schumacher-Str. 5
Bonn
Nordrhein-Westfalen,D-53110
DE
Tel. +490.2284290
According to SiteVet, the AS48709 block has been bad ever since it was allocated late last year. The digief.eu domain associated with it is currently suspended, and it isn't clear if the WHOIS details for the netblock are accurate (they are probably not).
inetnum: 91.200.240.0 - 91.200.243.255
netname: DIGIEF-NET
descr: Didjief internation kulinari koncept LLC
address: 112 Kifissias Ave & Sina Str.Marousi
address: Athens, Greece
phone: +30 210 6159812
fax-no: +30 210 6159812
person: Adonis Mozanakis
abuse-mailbox: abuse@digief.eu
On the subject of reputation, Google's safe browsing diagnostics for this block are pretty horrible:
Safe Browsing
Diagnostic page for AS48709 (XISOFT)
What happened when Google visited sites hosted on this network?
Of the 114 site(s) we tested on this network over the past 90 days, 2 site(s), including, for example, waistor.com/, 91.200.240.0/, served content that resulted in malicious software being downloaded and installed without user consent.
The last time Google tested a site on this network was on 2011-02-05, and the last time suspicious content was found was on 2011-02-05.
Has this network hosted sites acting as intermediaries for further malware distribution?
Over the past 90 days, we found 21 site(s) on this network, including, for example, geodemy.com/, waistor.com/, 91.200.240.0/, that appeared to function as intermediaries for the infection of 2096 other site(s) including, for example, marchex.com/, semettreauvert.com/, fcolimpi.ge/.
Has this network hosted sites that have distributed malware?
Yes, this network has hosted sites that have distributed malicious software in the past 90 days. We found 58 site(s), including, for example, waistor.com/, searchalthough.org/, pushot.com/, that infected 4866 other site(s), including, for example, fcolimpi.ge/, interhosting.kr/, schoenweb.nl/.
This is the full list of sites that I have found in this block (or are associated with it) , or you can download a more complete list with MyWOT ratings from here.
49oo.info
Abouthealth.name
Adclickmarket.com
Adobesoft.net
Adobesoftware.net
Allrequestsallowed.com
Allrequestsallowed.net
Animegarrett.com
Arinstasche.com
Avsk.ws
Bubendotcom.com
Chyoexte.com
Clickabundant.org
Clickcareless.org
Clickclumsy.org
Coffeescorer.com
Disdarred.info
Dontess.com
Easyregcleaner.net
Easysellerguide.net
Findcopper.org
Findcousin.org
Findfight.org
Findwild.org
Flashupdates.net
Gampbel.biz
Gnarenyawr.com
Guglionesi.net
Iaqhuberschewis.com
Juiceamount.com
Jukdoout0.com
Julianoserhio.com
Ltc-center.com
Montanessi.com
Negnsrevers.com
Nemotired.org
Offpaymentbiz.com
Olarkstats.com
Pipisutka.com
Qgceneuknash.com
Rammjyuke.com
Ranmjyuke.com
Result-lookup.info
Rinderwayr.com
Searchaddition.org
Searchadvertisement.org
Searchaffect.org
Searchafrica.org
Searchafter.org
Searchalthough.org
Searcharound.org
Searchcold.org
Searchdefeated.org
Searchfindaggressive.org
Searchjewel.org
Searchquiet.org
Searchrainy.org
Searchraspy.org
Selinect.ru
Superbulkmanager.com
Swltcho0.com
Teameter.net
Traveleshop.biz
Turbochange.com
Turboprotect.com
Vvps.ws
Xylylon.ru
Zoness.biz
Labels:
Evil Network,
Greece
Tuesday, 21 December 2010
uk-resum.com fake job offer
This fake job offer originated from an IP address in Latvia (84.245.203.63) and solicits replies to a domain uk-resum.com registered in Russia. Most likely it is money laundering and/or a parcel reshipping scam. Also in this cluster are the domains usa-resum.com and resum-europe.com. It seems to be part of a long-running series of job scams going back several years.
From: no-reply229@jobsearch.co.uk
Date: 21 December 2010 17:25
subject: We're hiring an additional 15 representatives!
Welcome!
I am writing to you in the name of the corporation the Human Resources department of which I represent.
The business occupation of our corporation is quite significant.
-tangible property
-organization and reorganization of business
-bank account support
-etc
We’re seeking for regional managers in the UK.
- wage packet 2.600 GBP + bonus
- bonus-job
- no fixed office hours
If our proposition is attractive to you, please kindly send your details so that we can contact you: stewart@uk-resum.com
1) First Name:
2) Country of living
3) City
4) E-mail address:
5) Contact telephone number
Important! We deal with UK citizens only!
Please e-mail your name and phone number and we will invite you for interview.
jobsearch.co.uk is nothing to do with the scam; the email address is faked. The domain is registered to:
Registrar: Regtime Ltd.
Creation date: 2010-12-20
Expiration date: 2011-12-20
Status: active
Registrant:
Pavel Rogozin
Email: rogoznaks@mail.com
Organization: Private person
Address: Nagatinskaya naberezhnaya d.4 kv.12
City: Moskva
State: Moskovskaya
ZIP: 127456
Country: RU
Phone: +7.4954556713
Avoid this one at all costs.
Labels:
Job Offer Scams,
Lapatasker,
Money Mule,
Russia
Monday, 20 December 2010
Gawker related attack from 174.132.178.37
The recent Gawker media hack is probably related to a spate of malicious activity from 174.132.178.37, trying to log into forums, according to a couple of different reports on the web - [1] [2] - and my own experience of someone trying to get into a forum, presumably with Gawker harvested credentials. The purpose is unknown, but the person behind it may well be trying to use established accounts to spam forums.
Here is a sample email that you might get:
Dear ----------,
Your account on ---------- has been locked because someone has tried to log into the account with the wrong password more than 5 times. You will be able to attempt to log in again in another 15 minutes.
The person trying to log into your account had the following IP address: 174.132.178.37
Don't forget that the password is case sensitive. Forgotten your password? Use the link below:
http://forums.----------.com/login.php?do=lostpw
I advise you to contact the web host responsible at abuse -at- theplanet.com with a copy of any evidence. Incidentally, the listed owner of that IP address (although remember that it may itself have been hacked) is:
network:Class-Name:network
network:ID:NETBLK-THEPLANET-BLK-15
network:Auth-Area:174.132.0.0/15
network:Network-Name:TPIS-BLK-174-132-178-0
network:IP-Network:174.132.178.32/28
network:IP-Network-Block:174.132.178.32 - 174.132.178.47
network:Organization-Name:Michael Strouse
network:Organization-City:winter springs
network:Organization-State:FL
network:Organization-Zip:32708
network:Organization-Country:USA
network:Description-Usage:customer
network:Server-Pri:ns1.theplanet.com
network:Server-Sec:ns2.theplanet.com
network:Tech-Contact;I:
If this has happened to you, why not post a comment below so that ThePlanet.com can see what is going on.
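The lockout email above is the forum software reacting one account at a time. What a forum operator actually wants to see is the pattern across accounts: one source address failing against many different usernames in a short window (harvested credentials being replayed), and, more importantly, which accounts that same address then logged into successfully, since those are the ones to reset. Here is an added Python example of that detection run over a few log lines; it is not code from this blog or from any forum package, the log format is invented for the example, and the addresses are documentation-range placeholders rather than the IP named in the post.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, Iterable, Optional, Tuple

# Constructed sample of a forum authentication log (format invented for this
# example); the addresses are documentation-range placeholders.
SAMPLE_LOG = """\
2010-12-20 14:02:11 LOGIN_FAIL ip=198.51.100.7 user=alice
2010-12-20 14:02:14 LOGIN_FAIL ip=198.51.100.7 user=bob
2010-12-20 14:02:19 LOGIN_FAIL ip=198.51.100.7 user=carol
2010-12-20 14:02:25 LOGIN_OK ip=198.51.100.7 user=dave
2010-12-20 14:02:31 LOGIN_FAIL ip=198.51.100.7 user=erin
2010-12-20 14:02:40 LOGIN_FAIL ip=198.51.100.7 user=frank
2010-12-20 14:03:02 LOGIN_FAIL ip=198.51.100.7 user=alice
2010-12-20 09:15:00 LOGIN_FAIL ip=192.0.2.5 user=grace
2010-12-20 11:40:00 LOGIN_FAIL ip=192.0.2.5 user=grace
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<event>LOGIN_FAIL|LOGIN_OK) ip=(?P<ip>\S+) user=(?P<user>\S+)$"
)

Event = Tuple[datetime, str, str, str]  # (timestamp, event, ip, user)


def parse_line(line: str) -> Optional[Event]:
    """Parse one log line; lines that do not match the format are ignored."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return (datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["event"], m["ip"], m["user"])


def detect_credential_stuffing(lines: Iterable[str], threshold: int = 5,
                               window: timedelta = timedelta(minutes=15)) -> Dict[str, dict]:
    """Flag source IPs with >= threshold failed logins inside a sliding window.

    For each flagged IP the report gives the total failures, how many distinct
    accounts were tried, and which accounts it nevertheless logged into: those
    are the accounts whose passwords were probably in the leaked dump.
    """
    events = sorted(filter(None, map(parse_line, lines)), key=lambda e: e[0])
    recent: Dict[str, deque] = defaultdict(deque)
    flagged = set()
    for ts, event, ip, _user in events:
        if event != "LOGIN_FAIL":
            continue
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:       # slide the window forward
            q.popleft()
        if len(q) >= threshold:
            flagged.add(ip)

    report: Dict[str, dict] = {}
    for ip in sorted(flagged):
        fails = [e for e in events if e[2] == ip and e[1] == "LOGIN_FAIL"]
        oks = sorted({e[3] for e in events if e[2] == ip and e[1] == "LOGIN_OK"})
        report[ip] = {
            "failures": len(fails),
            "accounts": len({e[3] for e in fails}),
            "successful_logins": oks,
        }
    return report


if __name__ == "__main__":
    for ip, details in detect_credential_stuffing(SAMPLE_LOG.splitlines()).items():
        print(ip, details)
```

The default threshold and window mirror the "5 attempts, 15 minutes" lockout in the email above, but the per-account lockout alone never fires here: the attacker tries each name only once or twice. Counting per source address is what exposes the campaign, and the "successful_logins" list is the incident response to-do list.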
Friday, 3 December 2010
Beware of worid-of-books.com
worid-of-books.com is a fake book download site punting malicious executables. The strange name can be explained if you substitute the lowercase "i" with an uppercase one, giving worId-of-books.com which is presumably meant to fool people.
The site looks reasonably credible and appears to have about a million downloadable books, but they are not all that they seem to be. If you try to download a book, you get an EXE file instead of a PDF. What's in the EXE file? Well, malware of course! Detection is fairly patchy according to VirusTotal, but this appears to be a Cycbot variant.
Download it a second time and you actually do get a PDF file.. well, an 8 byte file that just says "PDF file" and nothing else. Subsequent attempts seem to fail with an error message of "We are sorry, this book is now being checked. Try to download it later!". It's pretty clear that worid-of-books.com is tracking visitors (perhaps by IP address) to stop them being able to repeat the infection.
The site is hosted on 95.64.111.12 which is Asociatia Family Network Connections / FAMILY-NETWORK in Romania, along with a whole load of other sites. It's worth blocking everything in this IP range.
The ThreatExpert report is here, it might help you clean up your machine if infected.
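Two checks fall out of this post that are cheap to automate: a look-alike test for the lowercase "i" standing in for "l" (and the other usual substitutions), and a content check on what a "book download" actually hands back, since a real PDF starts with the bytes "%PDF-", a Windows executable starts with "MZ", and the 8-byte "PDF file" decoy is neither. Below is an added Python example of both; it is not code from this blog, the skeleton table is a deliberately small subset of the confusable characters, and worid-of-books.com is used only as the sample input the post supplies.

```python
from typing import Iterable, Optional

# Multi-character look-alikes are collapsed first, then single characters.
# This is a small, illustrative table, not a complete confusables list.
CONFUSABLE_PAIRS = [("rn", "m"), ("vv", "w")]
CONFUSABLE_CHARS = str.maketrans({"i": "l", "1": "l", "|": "l", "0": "o", "5": "s", "2": "z"})


def skeleton(domain: str) -> str:
    """Reduce a domain to a look-alike skeleton so visually similar names compare equal."""
    s = domain.lower().rstrip(".")
    for pair, replacement in CONFUSABLE_PAIRS:
        s = s.replace(pair, replacement)
    return s.translate(CONFUSABLE_CHARS)


def lookalike_of(domain: str, protected: Iterable[str]) -> Optional[str]:
    """Return the protected name this domain impersonates, or None.

    An exact match is not a look-alike (it is the genuine name), and a name
    with a different skeleton is simply unrelated.
    """
    d = domain.lower().rstrip(".")
    for name in protected:
        n = name.lower().rstrip(".")
        if d != n and skeleton(d) == skeleton(n):
            return n
    return None


def classify_download(data: bytes) -> str:
    """Identify a downloaded file by its leading bytes rather than its name."""
    if data.startswith(b"%PDF-"):
        return "pdf"
    if data.startswith(b"MZ"):           # DOS/PE header: a Windows executable
        return "windows-executable"
    return "unknown"


def download_is_what_it_claims(filename: str, data: bytes) -> bool:
    """A '.pdf' that is really an EXE, or the 8-byte 'PDF file' decoy, fails this check."""
    expected_by_extension = {"pdf": "pdf", "exe": "windows-executable"}
    extension = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return expected_by_extension.get(extension) == classify_download(data)


if __name__ == "__main__":
    print(lookalike_of("worid-of-books.com", ["world-of-books.com"]))   # impersonation spotted
    print(classify_download(b"PDF file"))                                # the decoy second download
    print(download_is_what_it_claims("book.pdf", b"MZ\x90\x00"))         # EXE served as a "PDF"
```

The skeleton approach generalises beyond the i/l swap in the post: "rn" for "m" and "vv" for "w" fall out of the same table, and extending the table is a one-line change. On the download side, checking the magic bytes before opening anything is what turns "the PDF was an EXE" from a surprise into a blocked download.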
Evil network: Asociatia Family Network Connections / FAMILY-NETWORK AS49253 (95.64.110.0/23)
Asociatia Family Network Connections / FAMILY-NETWORK is a Romanian network, and their AS49253 netblock seems to have suddenly turned evil.
The SiteVet report for this AS shows a sudden increase in recent weeks, with over 1500 sites that may be malicious included in the 95.64.110.0/23 block. Most of these evil sites are on just one host, 95.64.110.100. There may be some legitimate sites here, but probably too few to worry about.
Most sites registered here appear to be Russian; some are registered through Chinese registrars. The owner of this block is listed as:
inetnum: 95.64.110.0 - 95.64.111.255
netname: FAMILY-NETWORK
descr: Asociatia Family Network Connections
country: RO
admin-c: CS6903-RIPE
tech-c: CS6903-RIPE
status: ASSIGNED PA
mnt-by: NETSERV-MNT
mnt-routes: FAMILY-NETWORK-MNT
mnt-domains: FAMILY-NETWORK-MNT
source: RIPE # Filtered
person: Claudiu Sandulescu
remarks: Asociatia Family Network Connections
address: Str. Vlahita nr.4, Bl. PM8, Ap. 72
address: Sector 3, Bucuresti
phone: +40728188052
mnt-by: FAMILY-NETWORK-MNT
abuse-mailbox: claudiusandulescu@gmail.com
nic-hdl: CS6903-RIPE
source: RIPE # Filtered
route: 95.64.110.0/23
descr: FAMILY-NETWORK
origin: AS49253
mnt-by: FAMILY-NETWORK-MNT
source: RIPE # Filtered
Added: the owner of this netblock says that it is no longer in use, so it does appear that it has been hijacked somehow; that would be consistent with the suddenly bad rankings.
You can see a CSV of domains and MyWOT ratings here, but there are too many domains to list here. Some of the domains have come from MD-ISP-MONITORING in Moldova.
Currently active IPs are:
95.64.110.36
95.64.110.37
95.64.110.43
95.64.110.45
95.64.110.48
95.64.110.50
95.64.110.66
95.64.110.100
95.64.110.105
95.64.111.11
95.64.111.12
95.64.111.14
95.64.111.15
95.64.111.16
..although to be honest, you should just block the lot of them.
Labels:
Evil Network,
Romania
Wednesday, 1 December 2010
Evil network: Informex / INFORMEX-NET AS20564 (193.178.172.0/24)
Informex on AS20564 (193.178.172.0/24) is a Ukrainian operation implicated in a lot of bad things, including banking trojans.
SiteVet.com fingers this as the 27th worst network on the net, and links it to various malware domains and Zeus servers. There are a couple of hundred domains in this block, all worth blocking, either by the whole IP address range or by using this CSV file with MyWOT rankings, or see the list below.
Their own web server at informex.net is currently suspended (I wonder why), but it shows consistent details with the netblock owner, so at least we can see who allegedly is responsible.
Informex Ltd.
Andriy Lyasota
28 Predslavinskaya Str.
Kiev, 03680
UA
Phone: +1.380442528798
Email: lyasota@terra.es
As I said, there's nothing at all of value here so blocking the entire lot will probably be safest for your client PCs.
Labels:
Evil Network,
Ukraine
Friday, 26 November 2010
Dynamoo.com is 10!
Dynamoo.com is 10 years old this week! Registered way back on 24th November 2000.. there wasn't much to see back then. Some would argue that there still isn't! Anyway, here's what the site looked like when it was first archived.
My first web site was created sometime in the mid 1990s (can't remember exactly when) and looked like this.
I largely learned about web design in the mid-90's and I think it still shows!
Slimeware sites to block
If you work in corporate IT, then you've probably had users come across sites that appear to be things like Acrobat Reader, Google Earth or some other application.. but are in fact a deceptive way to install some other software (typically some sort of adware). I call this "slimeware".
The sites in this list [CSV] are (in my view) offering applications of limited use, so you might want to consider blocking them. Some example sites trade heavily on well-known names like Avast, Yahoo Messenger, Nero and other well-known apps. Quite a lot of these are sourced via MarketBay. Scroll down for some sample screenshots.
The list includes over 1000 sites of dubious value and a much shorter list of IP addresses (below) which might be easier, plus MyWOT ratings as a guide to the nastiness of the sites. You can download it from http://www.dynamoo.com/files/slimeware01.csv
Sample screenshots:
Wednesday, 24 November 2010
MarketBay.. yuk!
This post on the Sunbelt blog about apparently bogus anti-virus software rang a bell.. there was something eerily familiar about this whole operation that I'd seen before. A close examination of these so-called anti-virus sites shows a link to marketbay.com - so these look like some autogenerated affiliate sites or other.
MarketBay are pretty well known for shady practices, for example here and here. Before they were called marketbay.com, they were known as yourclick.com and run by a firm apparently called Three W Networks Ltd (Google it). Everything is hidden behind a shell company in the Bahamas, with a name of David Da Silva connected to it, although this is a fairly common name and it may well be assumed. The company recently changed name to Media Entertainment Guide, still quoting the Da Silva name and a Bahamas address as seen in the WHOIS for marketbay.org which is not privacy protected (unlike marketbay.com).
[As a side note, the historical WHOIS records for marketbay.com identify a previous owner who confirmed that the domain was sold to another party]
The software punted by MarketBay looks to be of questionable use, but that's an accusation that can be made against any one of a number of businesses.. caveat emptor and all that. But at the very least you can say that affiliates are marketing this software deceptively.
Now, the IP address of 67.212.90.64/28 is rather more fruitful to examine. It's a very small block of IP addresses, listed as belonging to Mango Ideas in Canada (note: these sites are no longer hosted there as of March 2011).
There was certainly nothing worth visiting in 67.212.90.64/28 and blocking the whole lot would probably have saved you some headaches. The block now seems to be clean, but for research interest, the sites that WERE hosted there are listed in this CSV file with MyWOT ratings attached.
Update 23/3/11: It appears that most of the sites are no longer hosted here (they appear to have moved to other Canadian hosts), there are a few remaining sites that I can't vouch for one way or another.. as it is, I would suggest that this block is now clean and no longer evil.
Mr Kennedy says that he assumes that the bad sites were probably put on there by a reseller or perhaps a compromised account, and they have a very strict anti-abuse policy.
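Turning a list like the slimeware CSV (domain plus MyWOT rating) and a netblock like 67.212.90.64/28 into an actual block decision is mostly plumbing; here is that plumbing as an added Python example, not code from the original posts. The CSV columns, the 0-100 WOT score, the .example domains, the canned DNS results and the threshold of 40 are all assumptions constructed for the example, and it also accepts "a - b" address ranges, which the posts do not mention.

```python
import csv
import io
import ipaddress

# Constructed sample CSV. The real slimeware01.csv column layout is not shown on
# the page, so the columns (domain, mywot_trust on a 0-100 scale) and the
# .example domains are assumptions made for this example.
SAMPLE_CSV = """domain,mywot_trust
bogus-reader-download.example,12
bogus-earth-toolbar.example,35
legit-vendor.example,88
bogus-messenger-setup.example,71
"""

# The netblock quoted in the MarketBay post; "a.b.c.d - e.f.g.h" ranges are
# accepted too, since published blocklists often come in that form.
BLOCKED_NETBLOCKS = ["67.212.90.64/28"]

# Constructed stand-in for DNS lookups so the example runs offline
# (TEST-NET addresses for the clean hosts, one address inside the /28).
SAMPLE_RESOLUTIONS = {
    "bogus-reader-download.example": "198.51.100.5",
    "bogus-earth-toolbar.example": "203.0.113.7",
    "legit-vendor.example": "192.0.2.10",
    "bogus-messenger-setup.example": "67.212.90.70",
}

DEFAULT_THRESHOLD = 40  # assumed cut-off: the page gives no numeric rule

def parse_netblocks(entries):
    """Turn 'a.b.c.d/nn' or 'a.b.c.d - e.f.g.h' strings into network objects."""
    nets = []
    for entry in entries:
        if "-" in entry:
            lo, hi = (ipaddress.ip_address(p.strip()) for p in entry.split("-", 1))
            nets.extend(ipaddress.summarize_address_range(lo, hi))
        else:
            nets.append(ipaddress.ip_network(entry.strip(), strict=False))
    return nets

def matching_netblock(ip, netblocks):
    """Return the blocked network containing ip (as a string), or None."""
    addr = ipaddress.ip_address(ip)
    return next((str(n) for n in parse_netblocks(netblocks) if addr in n), None)

def load_ratings(csv_text):
    """Read the domain,mywot_trust CSV into {domain: score}."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {row["domain"].strip().lower(): int(row["mywot_trust"]) for row in reader}

def block_decisions(ratings, resolutions, netblocks, threshold=DEFAULT_THRESHOLD):
    """Return {domain: reason or None}. A netblock hit wins over the rating:
    a host sitting in a blocked range stays blocked whatever WOT says about it."""
    decisions = {}
    for domain, score in ratings.items():
        ip = resolutions.get(domain)
        net = matching_netblock(ip, netblocks) if ip else None
        if net is not None:
            decisions[domain] = f"hosted in blocked netblock {net} ({ip})"
        elif score < threshold:
            decisions[domain] = f"mywot_trust {score} below threshold {threshold}"
        else:
            decisions[domain] = None
    return decisions

def render_hosts_file(decisions):
    """Emit sinkhole (0.0.0.0) hosts-file lines for every blocked domain."""
    return "\n".join(f"0.0.0.0 {d}  # {why}"
                     for d, why in sorted(decisions.items()) if why)
```

Feed it the real CSV and live DNS answers and the hosts-file output drops straight into a client PC or proxy blocklist.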
Labels:
Canada,
Fake Anti-Virus,
MarketBay
Friday, 19 November 2010
It's 30 for a reason, part 2
This guy claims that he was doing 20mph before he demolished about 15 metres of fencing, two gateposts and one gate before hitting my house.. backwards. I am largely disinclined to believe him.
I don't know what you have to do to pass a driving test in Lithuania where this guy hails from. I suspect driving backwards into a house isn't part of the test though.
But.. this isn't the first time that this has happened either. Three years ago we were lucky not to be picking body parts out of the garden after this accident.
And the speed limit? 30 miles per hour. It's 30 for a reason..
Monday, 8 November 2010
theciosummits.org / CIO Summits spam
theciosummits.org / CIO Summits is the same outfit as BizSummits, who have a particular spamming technique that has been seen before.
The technique appears to be that they search a website for strings that look like names, and then they try and guess the email address for that person at that domain. Email addresses tend to follow a limited number of formats, so it probably gets a reasonable success rate, but even so.. the name is still scraped and the recipient emailed without opting in to anything.
From: Jason Williams <jwilliams@theciosummits.org>
To: James Studer [redacted]
Date: 8 November 2010 15:06
subject: James, just following-up.
Hi James, is now a better time to reach out to you in regards to the CIO
Summit? You received a request on behalf of our Board due to your key
role in the technology field and I'm curious to know if a decision has
been made.
The CIO Summit is an invitation-only group comprised of the very best
executives and visionaries in technology. We meet monthly by
teleconference to exchange what is working, what is not, strategies and
ideas. It is a confidential forum with dedicated groups of other
successful VPs and key executives whose only agenda is to help each other
outperform. Our site is at www.theciosummits.org
I am certain you will find the experience both enjoyable and useful in
your efforts. Please take a look and let me know of your decision. Thanks,
James.
Sincerely,
Jason Williams
CIO Summits
Tel. (803) 712-3027
www.theciosummits.org
The information contained in this message is confidential and intended
only for James Studer. If you have received this message in error, please
delete it or mail us back if you no longer wish to receive further
invites. For my records, I show your contact information as: James Studer,
Dynamoocom, [redacted] 800-688-6115 If needed, you can reach
us at 201 17th St, #1200, Atlanta, GA 30363. Thank you.
Who is James Studer exactly? It turns out that he was a contributor to the Orange Book, which I have a section about on my website.. and as with the BizSummits spam I've seen before, the pattern is exactly the same.
CIO Summit's pitch looks fairly deceptive. They have guessed an email address, apparently to make it look like we have a prior relationship. It's worth noting as well that the BBB gives parent company BizSummits a very poor "F" rating, which definitely makes it look like one to avoid.
Labels:
BizSummits,
Spam,
theciosummits.org
Massive yourfreeworld.com / downlinegoldmine.com spam run
Sometimes it is difficult to tell if a spam run is a Joe Job, or if the spammer is really a moron.
Over the past few hours, a massive spam run has been caught by several spamtraps and has also been spammed out heavily to spamcop.net email addresses:
From: Rohit Seth - YourFreeWorld <seth@yourfreeworld.com>
Date: 8 November 2010 07:39
Subject: Amazing New MLM Scripts, Mass Mailers, Downline Builders
Check out our amazing range of money making matrix scripts, bulk emailers, safelists, banner ad scripts and downline builders.
Check out our latest additions too by bookmarking our site and checking it often.
Our ingenious affiliate program integrates your ClickBank ID into your affiliate link. So when someone comes to our page and conducts a search for any ClickBank product, YOU can make up to 75% commissions with very little effort!
"Imagine earning commissions hand over fist 24 hours a day, 7 days a week, 365 days of the year -- even while you're sleeping! This is truly a no-effort style affiliate program that maximises multiple income streams."
http://www.yourfreeworld.com
or make monster cash for the holidays by becoming a reseller of our fantastic scripts, it's that simple!
http://www.downlinegoldmine.com
If you are ready to start to MAKE MONEY online, Downlinegoldmine.com is the place to do it! We will give you the keys to build your Downline, to create your own Downline Program and to learn winning techniques so that you can sit back and let the earnings begin!
From the desk of Rohit Seth
Delhi
India
WHOIS details are consistent with the message:
Registrant :
Name: Rohit kumar Seth
Organization: Dr. M.Seth & Co.
Address: S-5,Naveen Shahdara
City: Delhi
State: DE
Postal Code: 110032
Country: IN
Phone: +91.0112232
Fax:
Email: rolovedeep@yahoo.com
The originating IP is 64.244.62.22 [Point North Networks / XO Communications, US] pointing to two spamvertised sites, downlinegoldmine.com on 72.29.67.174 and yourfreeworld.com on 66.7.201.119 [both at Hostime, Orlando].
Almost all MLMs are some sort of scam, and these are two sites promoting MLMs. These sites also promote "safe email sendlists", but sending hundreds of spam emails to spamtraps is clearly a poor definition of "safelist".. it's almost as if this activity is deliberately designed to generate spam complaints..
..and here's the thing. There's no evidence linking 64.244.62.22 to the alleged sender, and sending massive amounts of the same email to SpamCop.net addresses is either a massively stupid move, or it could be a deliberate attack on these sites by an unknown party.
In my opinion, both yourfreeworld.com and downlinegoldmine.com look like crappy sites that are worth avoiding.
Monday, 1 November 2010
europa-consult.com job offer scam
Another scam email in a long-running series of fake job offers, this time using the domain europa-consult.com (not to be confused with any companies of a similar name).
for CV #19
EXPANDING COMPANY LOOKING FOR SALES SUPPORT/ADMINISTRATIVE ASSISTANT TO HELP US! FULL IN HOUSE PRODUCT TRAINING IS PROVIDED!
COMPETITIVE INDIVIDUALS.....START ASAP!
Who are we:
We are an international leading property investment and development company.
Our firm has recently acquired new clients and are continuing to expand to new locations across the US.
We are involved in a variety of activities that include construction, realty management, investment sector,
rental services etc. Right now we are working on more than 10 objects around the world, primarily in Europe, United Kingdom and North America.
Our Mission:
If you have an outstanding experience in sales and administration, we would welcome you immediately!
If you don't have a formal qualification but have gained skills and knowledge through experience - apply today!
We also equip new grads or candidates with no experience with the experience they need to build a successful business in the field of sales,
advertising, or marketing. Many high school grads or college & university students hear employers tell them they need more experience.
WE ARE LOOKING TO GIVE YOU THAT EXPERIENCE!
What you'll be doing: You will conduct comprehensive residential and/or small commercial property audits.
Other duties of the Administrative Assistant/Sales Support include, but are not limited to:
Incorporating effective priorities for the virtual office function
Administer day-to-day financial responsibilities for our clients
Reporting online daily
Preparing brief summary reports, and weekly financial reports
What's in it for you: - Excellent Pay (guaranteed Euro 725/weekly) - Great Opportunity
All compensation/salary is paid biweekly. Compensation involves uncapped earnings and bonuses.
If you are interested, please reply to : info@europa-consult.com with your latest CV.
Best regards,
Claire Haynes
Hiring Manager
The WHOIS details look very familiar:
Registrant:
Name: Aleksandr Lapatau
Email: lapatasker@earthling.net
Organization: Private person
Address: Lenina, 34, 8
City: Minsk
State: Minskaya
ZIP: 456123
Country: BY
Phone: +375.172427204
Avoid.
Labels:
Job Offer Scams,
Lapatasker,
Money Mule,
Spam