Sponsored by..

Thursday, 19 May 2011

Scam: "Your money has been recovered"

Originating from a government-owned IP address in China (218.26.2.42), this slightly puzzling advanced fee fraud is deliberately vague about where this $7.6m comes from.. of course, there are no millions stashed away in Hong Kong, but instead you can expect that there will be a LOT of expensive and unexpected fees to pay instead.

From: Mark Edwin admin@ssing.ru
Reply-To: intldeptreconcom@consultant.com
Date: 18 May 2011 01:50
Subject: Your money has been recovered (5/18/2011)

International Debt Recovery and Reconciliation Hong Kong
6/F,Trade Service Center  ,388 Kwun Road
Kowloon, Hong Kong


Tel: 852-3015-1834  Fax: 852-3015-1834


Dear  Beneficiary

                                                                        Re Payment instruction
This is international debt recovery and reconciliation office Hong Kong, our mandate is to settle all outstanding debt owe to contractors and individuals all over the world, thus this debt must have been originated from awarded contracts, inheritance and sweepstakes lottery, If you fall into this category of contractors, individual or lottery winners we advise that you contact this office immediately.We presently recover your $7.6 Million United States Dollars

The directive came in line with the agreement reached in New York U.S.A with the International Moneytary Fund -IMF, World Bank London and Paris Club on creditors and overseas credit Commission for immediate settlements of all Intercontinental debts owed to you by various countries.

1.      Date of Approval: 22-11-2010
2.      Revised Remittance: Not endorsed.
3.      Fund Endorsement payment code No AG-000087GXY-2F-PASS 2001-2010
4.      Date of issue 19-01-2011
5.      Bank Effect payment of beneficiary fund
6.      International  payment: Certifнcate Code No:Not Endorsed

On receipt of your a responds to this fax/email message, please contact our north America payment clearing center bellow.

George Donald
Foreign Affair Officer
Email:
Tel: 1-226-556-3307
Fax: 1-866 964 3856.

However, I will advise that   update this office on a regular bases


Best regards,

 MARK EDWIN
Regional Coordinator
International Credit Commission Hong Kong

Friday, 13 May 2011

New Blogger logo

Google unveiled a new Blogger logo today to reflect their two day outage (another triumph for cloud computing).

Wednesday, 11 May 2011

Fake jobs: first-weboffer.com, weboffers-tech.com, weboffers-tech.com and wug-tech.com

Another batch of domains offering non-existent jobs, part of the long-running "Lapatasker" series. The jobs will include money laundering and other criminal activity.. so probably best acoided.

As with other recent domains, these are registered to a probably fictitious person called Aleksej Iliin, the domains were registered on 10th May.

first-weboffer.com
weboffers-tech.com
weboffers-tech.com
wug-tech.com

Pinball Corporation RIP?

Pinball Corporation is a company that bought the remnants of Zango, a company that had a reputation for pushing slimeware. Last year I pointed out a case where Pinball Corp were clearly not keeping an eye on the actions of their affiliates, and other people have been critical of them too.

Well, there's potentially some good news.. because according to the Washington State Corporations Division, Pinball Corp became inactive on the 2nd May 2011.

PINBALL CORP.
UBI Number602918125
CategoryREG
Profit/NonprofitProfit
Active/InactiveInactive
State Of IncorporationDE
WA Filing Date09/02/2010
Expiration Date09/30/2011
Inactive Date05/02/2011
Registered Agent Information
Agent NameBUSINESS FILINGS INCORPORATED
Address1801 WEST BAY DR NW STE 206
CityOLYMPIA
StateWA
ZIP98502
Special Address Information
Address
City
State
Zip

Governing Persons
TitleNameAddress
President,TreasurerScott, JoelOne Market Plaza
Spear Tower Fl 19
SAN FRANCISCO, CA
SecretarySiefer, SerenaOne Market Plaza
Spear Tower Fl 19
SAN FRANCISCO, CA
DirectorChandratillake, Suranga3600 136th Pl SE
BELLEVUE, WA
DirectorService, Matthew3600 136th Pl SE
BELLEVUE, WA


Of note is that although the corporation appears to be inactive, the website at pinballcorp.com is still running and with no notice about the change of company status. Where Pinball Corp's affiliates stand is unknown, but given the deceptive business practices of a number of them, then I don't think too many people will be shedding a tear.

But why has the company apparently become inactive? It turns out that Pinball Corp is a wholly owned subsiduary of a UK firm called Blinkx plc, and the "inactive" date coincides almost exactly with Burst Media (for $30m). Perhaps Blinkx decided that Pinball Corp was no longer something that they wanted to have in their expanded portfolio?

Tuesday, 10 May 2011

SMS Spam: £3750 for an accident you haven't had

There seems to be a huge number of these spam SMS messages doing the rounds recently:
Free Msg; Our records indicate you may be entitled to £3750 for the accident you had. To apply free reply CLAIM to this message. To opt out text STOP.
These message come through if you are registered on TPS or not. There is no identification as to who is sending them, and the number changes regularly (I have seen +447955957379, +447591260334, +447542067695, +44758137217, +447403811563, +447826688283, +447517528462). Sometimes the spam starts FREEMSG. Always the value seems to be £3750. It doesn't matter if you have had an accident or not.

If you are a Vodafone, O2 and Orange customer you can report the SMS spam to your provider: for Orange and O2 forward the message to 7726 (it spells SPAM) or on Vodafone is is 87726 (VSPAM). I have not been able to confirm, but T-Mobile and 3 may also accept forwarded messages to 7726 as well. The carriers should be able to block the spammers if they get enough reports, and take legal action where necessary.

Update: 3's spam reporting number is 37726 (3SPAM). Thanks for the tip, Richard!

Replying STOP is probably not a good idea - the spammers may well use it to confirm that the mobile number is active. And replying CLAIM is probably an even worse idea since they are a bunch of low-life spammers who probably cannot be trusted.

Sunday, 8 May 2011

Fake "Lapatasker" job domains, 8/5/11

Another set of domains offering fake jobs via spam, the latest in this long running saga. The domains were registered on 6th May.


first-euro.com
it-hire.com
newgreen-europe.com
newgreen-tech.com
usa-worldoffer.com
world-hire.net


The probably fake registrant details still use the "Aleksej Iliin" alias that we have seen previously.

Jobs offered will most likely include the usual mix of money laundering and other fraudulent activities. Avoid.

Wednesday, 4 May 2011

Fake jobs: new-wughire.com and 1st-consult.com

Two more fake domains being used in the "Lapatasker" series of bogus job offers, registered on 3rd May 2011:

new-wughire.com
1st-consult.com

The (probably fake) WHOIS details point to a familiar alias:

    Aleksej Iliin
    Email: abolan@mail.org
    Organization: Private person
    Address: Okruzhnaya ul. d.5 kv.4
    City: Moskva
    State: Moskovskaya obl.
    ZIP: 183124
    Country: RU
    Phone: +7.4959424617
    Fax: +7.4959424617

Friday, 29 April 2011

Fake jobs: wug-newhire.com and wug-consulting.net

Two more fake "Lapatasker" domains, registered on 27/4/11 but otherwise the same as these.

wug-consulting.net
wug-newhire.com

These will no doubt be used to push money laundering "jobs" and the like, avoid.

Thursday, 28 April 2011

infernomag.com / gtracking.org nastiness

Some sort of .htaccess hack is going on, redirecting users to infernomag.com and then on to a malicious site that looks like it's downloading a Zbot variant. It only seems to work with Internet Explorer, and only when the page is accessed from a search engine (like Google). infernomag.com is hosted on 85.17.132.194 (Leaseweb) which is the same server as gtracking.org which alters the .htaccess file as described here.

infernomag.com then redirects users to one of at least two Leaseweb-hosted servers at 85.17.19.201 and 85.17.19.203 (possibly others). These servers have a number of domains on them that appear to belong to legitimate domains registered at GoDaddy by (mostly) UK users - it is likely that their domain control panels have been compromised. Examples are:

actually2.weddingphotographersurrey.net
amount9.gwdempseyjr.com
are5.gwdempseyjr.com
background1.photographbcn.com
brought0.gwdempseyjr.com
captain5.photographbcn.com
captain6.gwdempseyjr.com
charge7.photographbcn.com
signal6.photographbcn.com
completely8.gwdempseyjr.com
congress1.airduct-ventcleaning-mn.com
hard9.photographbcn.com
leading1.airduct-ventcleaning-mn.com
party4.gwdempseyjr.com
providence5.gwdempseyjr.com
safe1.gwdempseyjr.com
she1.weddingphotographerkent.net
tax6.weddingphotographersurrey.net
theory7.weddingphotographerkent.net
am1.theimperialsuspects.com
area6.bettyjaneware.com
belief7.theimperialsuspects.com
contact2.theimperialsuspects.com
cultural5.boneki.com
direct2.theimperialsuspects.com
enemy2.theimperialsuspects.com
baby3.trycue.com
liberal6.trycue.com
most0.ladyofvirtuestore.com
professional0.ladyofvirtuestore.com

Two domains on those servers that do not fit the pattern are:
gfaster.net
fortreecom.net

The WHOIS details are probably fake, for infernomag.com and gtracking.org they are:

   Felix Maurer
   sherman66@ymail.com
   Waldowstr. 61
   Gschwend   Gschwend
   74417   DE
   +49 98466101

fortreecom.net uses the same email address but a different name:

    Bernd Austerlit        (sherman66@ymail.com)
    Alt Reinickendorf 94
    Ziemetshausen
    Bayern,86471
    DE
    Tel. +82.84991251

Detection rates are rubbish. AntiVir detects the payload as TR/Dropper.Gen, BitDefender as Gen:Variant.Zbot.34, Ikarus as Trojan.Win32.Pirminay and Sophos as Mal/Ponmocup-A. Other products do not seem to detect anything at all.

Blocking those IPs of 85.17.132.194, 85.17.19.201 and 85.17.19.203 is safer than trying to block the domains. Blocking the whole /24s instead would probably cause very little inconvenience.

Fake "Lapatasker" job domains 28/4/11

This particular scam has been around for a couple of years and is so common now that I've christened this group of scam domains "Lapatasker" after the email address used in some of the older WHOIS details.


New domains for this scam (all registered on 26/4/11) are:

1job-europ.com
consult-europ.com
middle-consult.com
westconsult-eu.com

The (probably fake) contact details on the domains are:

    Vilechka Pelka
    Email: rewerta12@yahoo.com
    Organization: Nord Atlantic.
    Address: 15 Av Albert Ier 143
    City: Braine l'Alleud
    State: Braine l'Alleud
    ZIP: 1420
    Country: BE
    Phone: +3.3223874153
    Fax: +3.3223874152

As ever, avoid.

Tuesday, 26 April 2011

Some German scam sites

These are allegedly German companies, but:
  • They are all very recently registered (4th and 17th April 2011)
  • The registrar is in China (BIZCN.COM)
  • The web host is in Romania
  • In each case a Yahoo email address has been used
The host is "Enter Net Team" / "Power Host" in Romania. Blocking 86.55.96.0/23 is a quick win if you can do it.

blocher-finance.com
dxxm-group.com
eg-finanzen.com
eseira-finanzen.com
eseira-gruppe.com
esse-gruppe.com
fil-finanzen.com
frost-finanzen.com
geissler-finance.com
geld-group.com
genser-group.com
grueneberg-and-partners.com
hanza-gruppe.com
hod-group.com
horst-finanzen.com
jix-finance.com
koeppl-finanzen.com
krenosz-finance.com
nitte-gruppe.com
nogl-group.com
pius-group.com
puemmler-and-partners.com
schem-group.com
somex-gruppe.com
temi-group.com
volkse-finanzen.com
wedi-group.com
werx-finanzen.com
werx-gruppe.com
wolgast-and-partners.com

More details:
jix-finance.com
86.55.96.11
Guenter Frost guenterfrost@yahoo.com
+49.1745053607 fax: +49.1745053607
Frauenlobstr.32
Berlin Berlin 12437
de

frost-finanzen.com
86.55.96.13
Georgios Mavridis georgiosmavridis50@yahoo.com
+49.1773305251 fax: +49.1773305251
Gerolsteiner Str. 119
Cologne Nordrhein-Westfalen 50937
de

puemmler-and-partners.com
86.55.96.15
Tanja Geissler geisslertanja@yahoo.com
+49.1776444216 fax: +49.1776444216
Lindenstr.38
Kreuzau Nordrhein-Westfalen 52372
de

eseira-finanzen.com
86.55.96.17
Christos Papachristou papachristou.christos@yahoo.com
+49.15202603534 fax: +49.15202603534
Haubersbronnerstr. 6
Urbach Thueringen 73660
de

wolgast-and-partners.com
86.55.96.19
Mike Grueneberg gruenebergmike@yahoo.com
+49.15223628764 fax: +49.15223628764
Walter friedrich str.56
Berlin Berlin 13125
de

somex-gruppe.com
86.55.96.21
Heidrun Lorenz heidrunlorenz@yahoo.com
+49.16099222185 fax: +49.16099222185
Flutgrabenweg 1a
Neumarkt Bayern 92318
de

schem-group.com
86.55.96.23
Ludwig Detlef ludwigdetlef@ymail.com
+49.15203113478 fax: +49.15203113478
Kalk-Muelheimerstr.210
Koeln Nordrhein-Westfalen 51103
de

werx-finanzen.com
86.55.96.25
Daniel Koeppl daniel.koeppl@yahoo.com
+49.15111521688 fax: +49.15111521688
Reinhardsleiten 8
Pielenhofen Bayern 93188
de

nitte-gruppe.com
86.55.96.27
Hans Mausolff hansmausolff@yahoo.com
+49.17649615986 fax: +49.17649615986
Potsdamer Str. 41
Berlin Berlin 14163
de

eseira-gruppe.com
86.55.96.29
Juliane Mausolff julianemausolff@yahoo.com
+49.3031808844 fax: +49.3031808844
Potsdamer Str. 41
Berlin Berlin 14163
de

hanza-gruppe.com
86.55.96.31
Denis Wolgast deniswolgast@yahoo.com
+49.16098119639 fax: +49.16098119639
Am Heidberg 34
Henstedt-Ulzburg Schleswig-Holstein 24558
de

nogl-group.com
86.55.96.33
Lena Puemmler lenapuemmler@yahoo.com
+49.17663727804 fax: +49.17663727804
Neuer Kamp 2
Drebber Niedersachsen 49457
de

dxxm-group.com
86.55.96.35
Bianka Sturhahn biankasturhahn@ymail.com
+49.1723276172 fax: +49.1723276172
Plass 3
Doerentrup Nordrhein-Westfalen 32694
de

geld-group.com
86.55.96.37
Frank Swoboda polskeswine@yahoo.com
+49.15776817588 fax: +49.15776817588
Otto-Hahn-Str. 7a
Alsdorf Nordrhein-Westfalen 52477
de

krenosz-finance.com
86.55.96.39
Olaf Sedello olafsedello@yahoo.com
+49.2254847434 fax: +49.2254847434
Triftstrasse 42
Weilerswist Nordrhein-Westfalen 53919
de

werx-gruppe.com
86.55.96.41
Andreas Kubasik andreaskubasik@ymail.com
+49.15229234145 fax: +49.15229234145
Gartenstrasse 24a
Pleinfeld Bayern 91785
de

grueneberg-and-partners.com
86.55.96.43
Josef Schedlbauer josefschedlbauer@yahoo.com
+49.1712755823 fax: +49.1712755823
Bergstrasse 21a
Regen Bayern 94209
de

geissler-finance.com
86.55.96.45
Vadim Kruglov vadimkruglov@rocketmail.com
+49.1629098777 fax: +49.1629098777
Schuetzenstrasse 23
Friesoythe Niedersachsen 26169
de

esse-gruppe.com
86.55.96.47
Gerhard Krenosz gerhardkrenosz@yahoo.com
+49.21117806832 fax: +49.21117806832
Ludolf Strasse 15
Duesseldorf Nordrhein-Westfalen 40597
de

koeppl-finanzen.com
86.55.96.49
Holm Mrazek holmmrazek@yahoo.com
+49.17685370230 fax: +49.17685370230
Sonnenstrasse 222
Dortmund Nordrhein-Westfalen 44137
de

hod-group.com
86.55.96.51
Gisela Huber ghuber56@yahoo.com
+49.17666649956 fax: +49.17666649956
Althoehensteigstr. 7
Stephanskirchen Hessen 83071
de

volkse-finanzen.com
86.55.96.53
Denis Goertz denis.goertz@yahoo.com
+49.1639836914 fax: +49.1639836914
hochstr. 61
Nettetal Lobberich Sachsenanhalt 41334
de

blocher-finance.com
86.55.96.55
Helmut Koenig koenighelmut@yahoo.com
+49.1733201046 fax: +49.1733201046
Oberhofer Str. 26
Zella-Mehlis Thuringen 98544
de

fil-finanzen.com
86.55.96.57
Bernecker Josef berneckerjosef@yahoo.com
+49.9422859853 fax: +49.9422859853
Stadtplatz 42
Bogen Bayern 94327
de

eg-finanzen.com
86.55.96.59
Pius Walleser walleser32@yahoo.com
+49.1754218358 fax: +49.1754218358
Kesslerstrasse 5
Breisach Sachsen-Anhalt 79206
de

temi-group.com
86.55.96.61
Horst Werner woerner963@yahoo.com
+49.1728189733 fax: +49.1728189733
Rilkestrasse 3
Bad Schussenried Rheinland-Pfalz 88427
de

horst-finanzen.com
86.55.96.63
Kai Hermann hkaihermann@yahoo.com
+49.9942808801 fax: +49.9942808801
Tafertsbergstrasse 12
Prackenbach Rheinland-Pfalz 94267
de

wedi-group.com
86.55.96.65
Joseph Bauer bauer.joseph81@yahoo.com
+49.8555941395 fax: +49.8555941395
Hofaecker 4
Grafenau Hamburg 94481
de

pius-group.com
86.55.96.67
Daniela Habermann habermann_d@yahoo.com
+49.17694209180 fax: +49.17694209180
tecklenburgerstrasse 29
Ladbergen Bayern 49549
de

genser-group.com
86.55.96.69
Armin Blocher arminblocher@rocketmail.com
+49.02771801325 fax: +49.02771801325
Langgasse 1
Dillenburg Niedersachsen 35685
de

Evil network: Leksim Ltd / RELNET-NET AS5577 (62.122.72.0/21)

Implicated in malware distribution, botnet C&Cs and spam, the network range 62.122.72.0/21 (62.122.72.0 - 62.122.79.255) is currently quite active in evil activities (you can find examples here and here and the SiteVet report here).

There aren't many sites in this block, and they are almost all either in 62.122.73.0/24 and 62.122.75.0/24 (but blocking the /21 is safer).. but the vast majority of sites are rated deep red at MyWOT (a full list of sites and ratings can be downloaded here).

Who owns the block? The RIPE WHOIS details are:

inetnum:         62.122.72.0 - 62.122.79.255
netname:         RELNET-NET
descr:           "Leksim" Ltd.
country:         EU
remarks:         trouble: spam/scam/abuse issues send *ONLY* to: abuse@rel-net.eu
org:             ORG-TA388-RIPE
admin-c:         JT384-RIPE
tech-c:          BS594-RIPE
tech-c:          MR10655-RIPE
status:          ASSIGNED PI
mnt-by:          RELNET
mnt-by:          RIPE-NCC-END-MNT
mnt-lower:       RIPE-NCC-END-MNT
mnt-routes:      RELNET
mnt-domains:     RELNET
source:          RIPE # Filtered
mnt-routes:      ROOT-MNT

organisation:    ORG-TA388-RIPE
org-name:        "Leksim" Ltd.
org-type:        OTHER
address:         Stationsplein 30, 2910 MJ Capelle aan den IJssel,  The Netherlands
phone:           +31 10 2391391
fax-no:          +31 10 2391392
admin-c:         JT384-RIPE
tech-c:          BS594-RIPE
mnt-ref:         RELNET
mnt-by:          RELNET
source:          RIPE # Filtered

person:          Justin Thomson
address:         Stationsplein 30
address:         2910 MJ Capelle aan den IJssel
address:         THE NETHERLANDS
abuse-mailbox:   abuse@rel-net.eu
mnt-by:          RELNET
phone:           +31 10 2391391
nic-hdl:         JT384-RIPE
source:          RIPE # Filtered

person:          Bernd Spiess
address:         Gabelsberger Strasse 15
address:         9021 Klagenfurt
address:         AUSTRIA
mnt-by:          RELNET
phone:           +43 46 3223501
nic-hdl:         BS594-RIPE
source:          RIPE # Filtered

person:          Marcel Russo
address:         31, z.a. am Bann
address:         L-3375 Leudelange
address:         LUXEMBURG
mnt-by:          RELNET
phone:           + 352 2551301
nic-hdl:         MR10655-RIPE
source:          RIPE # Filtered


But is this "Leksim Ltd" or Relnet? Relnet's contact details (for rel-net.eu, relnet.eu, relnet.hu) are very different:

domain:        relnet.hu
registrant:    Relnet Technologia Ltd.
registrant:    Relnet Technológia Kft.
    
tech-c:    Dávid András
address:   Véső 7
address:   1133 Budapest
address:   HU
phone:     06-70-452-4603
fax-no:    06-1-350-1355
e-mail:    hostmaster@relnet.hu
hun-id:    2000466058

If you Google the first three names you get some very telling results.

Blocking the /21 is probably the best idea. I can identify the following domains in this block in case you want to block by domain name, or for more detail download the CSV version.

abussgf.com
adnologi.com
apicurl.com
asherhiftn.com
banner-count.com
belliali.com
best-figure.com
biznage.com
blank-record.com
cahodofo.com
chethole.com
clckil.com
clckli.com
cr0zybaner.com
cr0zybanner.com
croozybannir.com
crozybannir.com
data-saver.org
denizab.com
dhfodminmont.com
eleophy.com
fathone.com
fr0udsafetycheck0n.com
goodse.org
gredigns.com
gulderpoin.com
ineloitond.com
kicksho.com
krasivoe-telo.com
lineacount.info
lineweather.com
livesecpayment.com
livesecsuite.com
live-sec-suite.com
live-security-suite.com
liveslicense.com
livespayment.com
livessupport.com
lkckclckli1i.com
lsspayment.com
lsssupport.com
luffer.info
majusef.com
maketh.info
minteddi.com
mizaterp.com
monitor-info.com
mypersonalhttp.com
nonepersonal.com
nuensmidts.com
onlinedietolog.net
osago-msk.com
perleme.com
pinokolder.com
sileeber.com
spy-soft.org
tangoing.info
telemarker.ru
thestopbadware.com
thyrogl.com
tinnily.info
uatwdminmont.com
umogultvon.com
unmarine.info
virtepgulm.com
vkontacte.org
vkontakle.net
warwork.info
w-opay.com
w-optim.com
wovens.info
yafraudcheckonline.com
yledmanager.com
zblvdminmont.com
zumugolter.com

Friday, 22 April 2011

Fake job domains 22/4/11

Another list of fake job domains relating to this long running scam and in addition to these recent ones. Solicitations are sent by spam are are attempting to recruit people for money laundering etc, so best avoided.

australia-union.com
europ-hire.com
europ-union.com
next-jobb.com
usa-1job.com


Registrant details (no doubt fake) are:

    Vilechka Pelka
    Email: rewerta12@yahoo.com
    Organization: Nord Atlantic.
    Address: 15 Av Albert Ier 143
    City: Braine l'Alleud
    State: Braine l'Alleud
    ZIP: 1420
    Country: BE
    Phone: +3.3223874153
    Fax: +3.3223874152

ygnetwork-ltd.com domain scam

This scam has been around for years - basically, you get an unsolicited email from a company claiming to be a domain registrar in China (it is usually China) that says that someone is trying to register a domain similar to one that you already own. The idea is that the recipient will panic and buy an overpriced and basically worthless domain from them.

If you are worried about domain poaching, then usually the best place to start is your own domain registrar or another well-known reliable vendor, rather than responding to this unsolicited approach.


From: John <john.chen@ygnetwork-ltd.com>
Date: 22 April 2011 06:26
Subject: Urgent notice of Intellectual Property protection

Dear Manager:

This email is from China domain name registration center, which mainly deal with the domain name registration and dispute internationally in China and Asia.
On April 21st 2011. We received HAITONG  company's application, they want to register " dynamoo" as its Internet keyword and CN/Asia domain names. It is china and Asia domain names. But after checking we find this domain name conflict with your company, in order to deal with this matter better, so we send you email, and want to confirm whether this company is your distributor or business partner in China?

I'm looking forward to hearing from you!

Best Regards,

John
Oversea marketing manager
Office: +86(0)21 6191 8696
Mobile: +86 1366152 9704
Fax: +86(0)21 6191 8697
web: www.ygnetwork-ltd.com

Friday, 15 April 2011

"Cake Decoration Lesson" spam

I can only assume that this is some sort of strange scam. The email originates from 74.55.158.162 which is flagged as being quite spammy.

Subject: CAKE DECORATION LESSON::::::::::::::::::
From: Omiky Aneke <omikychartin@blumail.org>
Reply-To: omiky1aneke@yahoo.co.uk

Hello,
How are you doing today ?  My name is OMIKY ANEKE I want to book for CAKE DECORATION LESSON Workshops Classes with you while on a 2weeks holidays in your
country.We are a group of 10 people seeking for CAKE DECORATION LESSON: Workshops
training while on holidays and as part of our plans we need CAKE DECORATION LESSON for the whole 2weeks in
your area.
I would like to book for 2weeks classes for 3 hours each day Monday to
Saturday (morning hours) for a group of 10. We are asking for 3 hours per
day for 2weeks - Monday - Saturday. A total of 36 hrs
Do you have a training facility where you conduct classes? We can arrange
for this,if not available.   Do you have rooms or is there any hotel close
to your facility?
DATE: 7TH JUNE 2011 TO 21 JUNE 2011
I would love to know the possibility of working with you during this
period.Kindly get back to me with your proposals so that we can make booking
asap.
The group would be performing for a group of family members over there. I
would love to get the total cost or a quote/estate. What are your payment
options?  Do you accept credit cards? I would be grateful if you will be
willing to do the work to teach quality classes and make us happy

Regards
OMIKY

Beats the heck outta me.

Sunday, 10 April 2011

More fake job domains

Another list of fake job domains, almost identical to this one. Avoid.

1best-position.com
1consulting-online.com
allweb-consulting.com
besteuro-hire.com
consult-wugposition.com
first-newoffer.com
world-hire.com
wug-hire.com
wug-myoffer.com

wug-hire.com fake job offer

Yet another installment in this endless series of fake job offers, the domain wug-hire.com is being used as a reply-to address for this particular scam. The "wug" name has been used before in this spam run.

Subject: We have vacancies to be filled by Europe residents only

Good afternoon!

I am writing to you in the name of the corporation the Human Resources department of which I represent.

Our enterprise has a lot of different lines of business.
-real property
-business support
-company dissolution
-private firm service
-etc

We propose the opportunity for jobseekers in Europe:
-compansation 2.600 euro + bonus
-taskwork
- flexible hours

If our offer kindled your interest, please feel free to contact us. Brooks@wug-hire.com
First Name:
Country of living
City
mail address:
Contact telephone number



Attn! You can apply for this vacancy if you have a permission to work in Europe!

Please e-mail your name and phone number and we will invite you for interview. 

Usually these fake jobs involve laundering stolen money via wire transfer, but sometimes they involve other "back office" functions such as registering fake businesses, identity theft, auction fraud and many other things which are best avoided unless you really want to spend time in jail.

The WHOIS details are almost definitely fake, but for the record they are:

    Vilechka Pelka
    Email: rewerta12@yahoo.com
    Organization: Nord Atlantic.
    Address: 15 Av Albert Ier 143
    City: Braine l'Alleud
    State: Braine l'Alleud
    ZIP: 1420
    Country: BE
    Phone: +3.3223874153
    Fax: +3.3223874152

Saturday, 2 April 2011

alisa-carter.com, lizamoon.com and worid-of-books.com

The injection attacks from lizamoon.com and other domains continue.. and they link back to a popular blog post about a very different attack site at worid-of-books.com because at the moment, all these sites appear to be on the same server at 95.64.9.18 belonging to Intermedia TOP SRL.

The following sites are on that malicious server:
alexblane.com
alisa-carter.com
lizamoon.com
t6ryt56.info
tadygus.com
worid-of-books.com


Right now the safest thing to do is block traffic to 95.64.8.0/23 (95.64.8.0 - 95.64.9.255) at the very least. But given that there are several bad networks now within the mostly Romanian 95.64.0.0/16, there's very little to lose in blocking the whole /16 for now if you don't have dealings with Romania.

If you need to block by domain, then the list below is everything that I can identify in this block.

abrogatesdv.info
antiviric.net
atlaty.com
atydut.com
bancard.cc
blasphemysfhs.info
blatant8jh.info
blightedgf5.info
bru67.info
buroti.com
cra76.info
cre12.info
crediblegfj.info
creditablef8.info
credulousaw99d.info
der93.info
enigmafhdd.info
enscond4xc.info
enshroudgf32b.info
fif49.info
fileac.com
financeprogramm.com
fop22.info
fre94.info
harbingersytu.info
hastenr55a.info
haughtinessd2f.info
itapos.com
ivo17.info
jer77.info
jev41.info
kia31.info
kie14.info
laby5nehfs.info
laceration24.info
lachrymose78n.info
lev66.info
lsrato.com
machmit.cc
mag20.info
memhys.com
mia16.info
mineral-beauty.net
morafu.com
mupoga.com
muposs.com
nlosaf.com
nuzzlefgf.info
nwolbcom.cc
nyb90.info
obduratexv.info
obfuscate98y.info
onfiro.com
online-security.cc
opa63.info
ova22.info
pes89.info
plauditaz.info
plethoradtb.info
podyme.com
poisor.com
posjuc.com
posunn.com
prettyharp.ru
qertys.com
reprieve8mf.info
scoolq.com
ser55.info
servat.cc
serwaz.com
testaz.cc
tmwars.com
usudom.com
xxxpornteensex.com
advancedwebanalytic.com
alexblane.com
alisa-carter.com
alternative-art-ltd.net
alternativeart-ltd.com
artmarket-llc.net
artsolveltd.cc
artsolveltdco.at
astech-groupde.cc
blitznet-de.eu
chelpgroup-llc.net
chepl-groupllc.biz
competitor-uk-group.net
competitorgroup-ltd.com
ddk100.com
ddk2200.com
deemno.com
drakulaworld.net
drysdale-antcorp.at
drysdale-group-inc.cc
findsubstantial.org
foto-album-mnck.tk
fotoshare-2dknc.com
google-1aa.com
googlesite.ws
joomlaext.org
kunde.ws
lizamoon.com
mailwbg6.com
micr0updates.com
myblog-search.com
ocservice-de.net
oregon-ltd-uk.net
qead-llc.biz
saleoke.com
squit-group-llc.biz
surprise-knsma.tk
surprise-knsmd.tk
surprise-knsmf.tk
surprise-knsmo.tk
surprise-knsmp.tk
surprise-knsmq.tk
surprise-knsmr.tk
surprise-knsms.tk
surprise-knsmt.tk
surprise-knsmu.tk
surprise-knsmw.tk
t6ryt56.info
tadygus.com
worid-of-books.com

Thursday, 31 March 2011

alleurope-consult.com job scam

Another fake job offer in this long running job scam, alleurope-consult.com is probably another money mule operation. The email is pretty terse and doesn't allude to much:

Subject: Work for specialists!

Good day.

Our company would like to offer you a Good day part-time job.


Location:  the Europe Union

If you are interested, please reply to : Ladonna@alleurope-consult.com

All the best.
HR department,
LadonnaGore

WHOIS details don't tell you much either as the could be fake, they're the same as for west-ugroup.net:

    Aleksej Iliin
    Email: abolan@mail.org
    Organization: Private person
    Address: Okruzhnaya ul. d.5 kv.4
    City: Moskva
    State: Moskovskaya obl.
    ZIP: 183124
    Country: RU
    Phone: +7.4959424617
    Fax: +7.4959424617

Avoid, basically.

Monday, 28 March 2011

Wanna buy an aircraft carrier?

Because we British have decided that we don't need to have aircraft carriers, because we're not bombing anywhere in particular at the moment.. apart from Libya.. and maybe a few other countries that we noticed along the way, then we've put the ex-flagship Ark Royal up on an auction site.

What cracks me up is the "Add to Wishlist" and "Add to Cart" buttons on the bottom.

Before you get over excited, these pocket aircraft carriers are mostly suitable for helicopters or V/STOL jets which aren't included in the price.