From: Mark Edwin admin@ssing.ru
Reply-To: intldeptreconcom@consultant.com
Date: 18 May 2011 01:50
Subject: Your money has been recovered (5/18/2011)
International Debt Recovery and Reconciliation Hong Kong
6/F,Trade Service Center ,388 Kwun Road
Kowloon, Hong Kong
Tel: 852-3015-1834 Fax: 852-3015-1834
Dear Beneficiary
Re Payment instruction
This is international debt recovery and reconciliation office Hong Kong, our mandate is to settle all outstanding debt owe to contractors and individuals all over the world, thus this debt must have been originated from awarded contracts, inheritance and sweepstakes lottery, If you fall into this category of contractors, individual or lottery winners we advise that you contact this office immediately.We presently recover your $7.6 Million United States Dollars
The directive came in line with the agreement reached in New York U.S.A with the International Moneytary Fund -IMF, World Bank London and Paris Club on creditors and overseas credit Commission for immediate settlements of all Intercontinental debts owed to you by various countries.
1. Date of Approval: 22-11-2010
2. Revised Remittance: Not endorsed.
3. Fund Endorsement payment code No AG-000087GXY-2F-PASS 2001-2010
4. Date of issue 19-01-2011
5. Bank Effect payment of beneficiary fund
6. International payment: Certifнcate Code No:Not Endorsed
On receipt of your a responds to this fax/email message, please contact our north America payment clearing center bellow.
George Donald
Foreign Affair Officer
Email:
Tel: 1-226-556-3307
Fax: 1-866 964 3856.
However, I will advise that update this office on a regular bases
Best regards,
MARK EDWIN
Regional Coordinator
International Credit Commission Hong Kong
Thursday, 19 May 2011
Scam: "Your money has been recovered"
Originating from a government-owned IP address in China (218.26.2.42), this slightly puzzling advanced fee fraud is deliberately vague about where this $7.6m comes from.. of course, there are no millions stashed away in Hong Kong, but instead you can expect that there will be a LOT of expensive and unexpected fees to pay instead.
Labels:
Advanced Fee Fraud,
Scams,
Spam
Friday, 13 May 2011
New Blogger logo
Google unveiled a new Blogger logo today to reflect their two day outage (another triumph for cloud computing).
Wednesday, 11 May 2011
Fake jobs: first-weboffer.com, weboffers-tech.com, weboffers-tech.com and wug-tech.com
Another batch of domains offering non-existent jobs, part of the long-running "Lapatasker" series. The jobs will include money laundering and other criminal activity.. so probably best acoided.
As with other recent domains, these are registered to a probably fictitious person called Aleksej Iliin, the domains were registered on 10th May.
first-weboffer.com
weboffers-tech.com
weboffers-tech.com
wug-tech.com
As with other recent domains, these are registered to a probably fictitious person called Aleksej Iliin, the domains were registered on 10th May.
first-weboffer.com
weboffers-tech.com
weboffers-tech.com
wug-tech.com
Labels:
Job Offer Scams,
Lapatasker,
Russia,
Scams,
Spam
Pinball Corporation RIP?
Pinball Corporation is a company that bought the remnants of Zango, a company that had a reputation for pushing slimeware. Last year I pointed out a case where Pinball Corp were clearly not keeping an eye on the actions of their affiliates, and other people have been critical of them too.
Well, there's potentially some good news.. because according to the Washington State Corporations Division, Pinball Corp became inactive on the 2nd May 2011.
Of note is that although the corporation appears to be inactive, the website at pinballcorp.com is still running and with no notice about the change of company status. Where Pinball Corp's affiliates stand is unknown, but given the deceptive business practices of a number of them, then I don't think too many people will be shedding a tear.
But why has the company apparently become inactive? It turns out that Pinball Corp is a wholly owned subsiduary of a UK firm called Blinkx plc, and the "inactive" date coincides almost exactly with Burst Media (for $30m). Perhaps Blinkx decided that Pinball Corp was no longer something that they wanted to have in their expanded portfolio?
Well, there's potentially some good news.. because according to the Washington State Corporations Division, Pinball Corp became inactive on the 2nd May 2011.
PINBALL CORP.
UBI Number | 602918125 |
Category | REG |
Profit/Nonprofit | Profit |
Active/Inactive | Inactive |
State Of Incorporation | DE |
WA Filing Date | 09/02/2010 |
Expiration Date | 09/30/2011 |
Inactive Date | 05/02/2011 |
Registered Agent Information | |
Agent Name | BUSINESS FILINGS INCORPORATED |
Address | 1801 WEST BAY DR NW STE 206 |
City | OLYMPIA |
State | WA |
ZIP | 98502 |
Special Address Information | |
Address | |
City | |
State | |
Zip |
Governing Persons
Title | Name | Address |
President,Treasurer | Scott, Joel | One Market Plaza Spear Tower Fl 19 SAN FRANCISCO, CA |
Secretary | Siefer, Serena | One Market Plaza Spear Tower Fl 19 SAN FRANCISCO, CA |
Director | Chandratillake, Suranga | 3600 136th Pl SE BELLEVUE, WA |
Director | Service, Matthew | 3600 136th Pl SE BELLEVUE, WA |
Of note is that although the corporation appears to be inactive, the website at pinballcorp.com is still running and with no notice about the change of company status. Where Pinball Corp's affiliates stand is unknown, but given the deceptive business practices of a number of them, then I don't think too many people will be shedding a tear.
But why has the company apparently become inactive? It turns out that Pinball Corp is a wholly owned subsiduary of a UK firm called Blinkx plc, and the "inactive" date coincides almost exactly with Burst Media (for $30m). Perhaps Blinkx decided that Pinball Corp was no longer something that they wanted to have in their expanded portfolio?
Labels:
Blinkx,
BLNX.L,
Pinball Corporation
Tuesday, 10 May 2011
SMS Spam: £3750 for an accident you haven't had
There seems to be a huge number of these spam SMS messages doing the rounds recently:
If you are a Vodafone, O2 and Orange customer you can report the SMS spam to your provider: for Orange and O2 forward the message to 7726 (it spells SPAM) or on Vodafone is is 87726 (VSPAM). I have not been able to confirm, but T-Mobile and 3 may also accept forwarded messages to 7726 as well. The carriers should be able to block the spammers if they get enough reports, and take legal action where necessary.
Update: 3's spam reporting number is 37726 (3SPAM). Thanks for the tip, Richard!
Replying STOP is probably not a good idea - the spammers may well use it to confirm that the mobile number is active. And replying CLAIM is probably an even worse idea since they are a bunch of low-life spammers who probably cannot be trusted.
Free Msg; Our records indicate you may be entitled to £3750 for the accident you had. To apply free reply CLAIM to this message. To opt out text STOP.These message come through if you are registered on TPS or not. There is no identification as to who is sending them, and the number changes regularly (I have seen +447955957379, +447591260334, +447542067695, +44758137217, +447403811563, +447826688283, +447517528462). Sometimes the spam starts FREEMSG. Always the value seems to be £3750. It doesn't matter if you have had an accident or not.
If you are a Vodafone, O2 and Orange customer you can report the SMS spam to your provider: for Orange and O2 forward the message to 7726 (it spells SPAM) or on Vodafone is is 87726 (VSPAM). I have not been able to confirm, but T-Mobile and 3 may also accept forwarded messages to 7726 as well. The carriers should be able to block the spammers if they get enough reports, and take legal action where necessary.
Update: 3's spam reporting number is 37726 (3SPAM). Thanks for the tip, Richard!
Replying STOP is probably not a good idea - the spammers may well use it to confirm that the mobile number is active. And replying CLAIM is probably an even worse idea since they are a bunch of low-life spammers who probably cannot be trusted.
Sunday, 8 May 2011
Fake "Lapatasker" job domains, 8/5/11
Another set of domains offering fake jobs via spam, the latest in this long running saga. The domains were registered on 6th May.
first-euro.com
it-hire.com
newgreen-europe.com
newgreen-tech.com
usa-worldoffer.com
world-hire.net
The probably fake registrant details still use the "Aleksej Iliin" alias that we have seen previously.
Jobs offered will most likely include the usual mix of money laundering and other fraudulent activities. Avoid.
first-euro.com
it-hire.com
newgreen-europe.com
newgreen-tech.com
usa-worldoffer.com
world-hire.net
The probably fake registrant details still use the "Aleksej Iliin" alias that we have seen previously.
Jobs offered will most likely include the usual mix of money laundering and other fraudulent activities. Avoid.
Labels:
Job Offer Scams,
Lapatasker,
Russia
Wednesday, 4 May 2011
Fake jobs: new-wughire.com and 1st-consult.com
Two more fake domains being used in the "Lapatasker" series of bogus job offers, registered on 3rd May 2011:
new-wughire.com
1st-consult.com
The (probably fake) WHOIS details point to a familiar alias:
new-wughire.com
1st-consult.com
The (probably fake) WHOIS details point to a familiar alias:
Aleksej Iliin
Email: abolan@mail.org
Organization: Private person
Address: Okruzhnaya ul. d.5 kv.4
City: Moskva
State: Moskovskaya obl.
ZIP: 183124
Country: RU
Phone: +7.4959424617
Fax: +7.4959424617
Email: abolan@mail.org
Organization: Private person
Address: Okruzhnaya ul. d.5 kv.4
City: Moskva
State: Moskovskaya obl.
ZIP: 183124
Country: RU
Phone: +7.4959424617
Fax: +7.4959424617
Labels:
Job Offer Scams,
Lapatasker,
Money Mule,
Russia
Friday, 29 April 2011
Fake jobs: wug-newhire.com and wug-consulting.net
Two more fake "Lapatasker" domains, registered on 27/4/11 but otherwise the same as these.
wug-consulting.net
wug-newhire.com
These will no doubt be used to push money laundering "jobs" and the like, avoid.
wug-consulting.net
wug-newhire.com
These will no doubt be used to push money laundering "jobs" and the like, avoid.
Labels:
Job Offer Scams,
Lapatasker
Thursday, 28 April 2011
infernomag.com / gtracking.org nastiness
Some sort of .htaccess hack is going on, redirecting users to infernomag.com and then on to a malicious site that looks like it's downloading a Zbot variant. It only seems to work with Internet Explorer, and only when the page is accessed from a search engine (like Google). infernomag.com is hosted on 85.17.132.194 (Leaseweb) which is the same server as gtracking.org which alters the .htaccess file as described here.
infernomag.com then redirects users to one of at least two Leaseweb-hosted servers at 85.17.19.201 and 85.17.19.203 (possibly others). These servers have a number of domains on them that appear to belong to legitimate domains registered at GoDaddy by (mostly) UK users - it is likely that their domain control panels have been compromised. Examples are:
actually2.weddingphotographersurrey.net
amount9.gwdempseyjr.com
are5.gwdempseyjr.com
background1.photographbcn.com
brought0.gwdempseyjr.com
captain5.photographbcn.com
captain6.gwdempseyjr.com
charge7.photographbcn.com
signal6.photographbcn.com
completely8.gwdempseyjr.com
congress1.airduct-ventcleaning-mn.com
hard9.photographbcn.com
leading1.airduct-ventcleaning-mn.com
party4.gwdempseyjr.com
providence5.gwdempseyjr.com
safe1.gwdempseyjr.com
she1.weddingphotographerkent.net
tax6.weddingphotographersurrey.net
theory7.weddingphotographerkent.net
am1.theimperialsuspects.com
area6.bettyjaneware.com
belief7.theimperialsuspects.com
contact2.theimperialsuspects.com
cultural5.boneki.com
direct2.theimperialsuspects.com
enemy2.theimperialsuspects.com
baby3.trycue.com
liberal6.trycue.com
most0.ladyofvirtuestore.com
professional0.ladyofvirtuestore.com
Two domains on those servers that do not fit the pattern are:
gfaster.net
fortreecom.net
The WHOIS details are probably fake, for infernomag.com and gtracking.org they are:
fortreecom.net uses the same email address but a different name:
Detection rates are rubbish. AntiVir detects the payload as TR/Dropper.Gen, BitDefender as Gen:Variant.Zbot.34, Ikarus as Trojan.Win32.Pirminay and Sophos as Mal/Ponmocup-A. Other products do not seem to detect anything at all.
Blocking those IPs of 85.17.132.194, 85.17.19.201 and 85.17.19.203 is safer than trying to block the domains. Blocking the whole /24s instead would probably cause very little inconvenience.
infernomag.com then redirects users to one of at least two Leaseweb-hosted servers at 85.17.19.201 and 85.17.19.203 (possibly others). These servers have a number of domains on them that appear to belong to legitimate domains registered at GoDaddy by (mostly) UK users - it is likely that their domain control panels have been compromised. Examples are:
actually2.weddingphotographersurrey.net
amount9.gwdempseyjr.com
are5.gwdempseyjr.com
background1.photographbcn.com
brought0.gwdempseyjr.com
captain5.photographbcn.com
captain6.gwdempseyjr.com
charge7.photographbcn.com
signal6.photographbcn.com
completely8.gwdempseyjr.com
congress1.airduct-ventcleaning-mn.com
hard9.photographbcn.com
leading1.airduct-ventcleaning-mn.com
party4.gwdempseyjr.com
providence5.gwdempseyjr.com
safe1.gwdempseyjr.com
she1.weddingphotographerkent.net
tax6.weddingphotographersurrey.net
theory7.weddingphotographerkent.net
am1.theimperialsuspects.com
area6.bettyjaneware.com
belief7.theimperialsuspects.com
contact2.theimperialsuspects.com
cultural5.boneki.com
direct2.theimperialsuspects.com
enemy2.theimperialsuspects.com
baby3.trycue.com
liberal6.trycue.com
most0.ladyofvirtuestore.com
professional0.ladyofvirtuestore.com
Two domains on those servers that do not fit the pattern are:
gfaster.net
fortreecom.net
The WHOIS details are probably fake, for infernomag.com and gtracking.org they are:
Felix Maurer
sherman66@ymail.com
Waldowstr. 61
Gschwend Gschwend
74417 DE
+49 98466101
sherman66@ymail.com
Waldowstr. 61
Gschwend Gschwend
74417 DE
+49 98466101
fortreecom.net uses the same email address but a different name:
Bernd Austerlit (sherman66@ymail.com)
Alt Reinickendorf 94
Ziemetshausen
Bayern,86471
DE
Tel. +82.84991251
Alt Reinickendorf 94
Ziemetshausen
Bayern,86471
DE
Tel. +82.84991251
Detection rates are rubbish. AntiVir detects the payload as TR/Dropper.Gen, BitDefender as Gen:Variant.Zbot.34, Ikarus as Trojan.Win32.Pirminay and Sophos as Mal/Ponmocup-A. Other products do not seem to detect anything at all.
Blocking those IPs of 85.17.132.194, 85.17.19.201 and 85.17.19.203 is safer than trying to block the domains. Blocking the whole /24s instead would probably cause very little inconvenience.
Fake "Lapatasker" job domains 28/4/11
This particular scam has been around for a couple of years and is so common now that I've christened this group of scam domains "Lapatasker" after the email address used in some of the older WHOIS details.
New domains for this scam (all registered on 26/4/11) are:
1job-europ.com
consult-europ.com
middle-consult.com
westconsult-eu.com
The (probably fake) contact details on the domains are:
As ever, avoid.
New domains for this scam (all registered on 26/4/11) are:
1job-europ.com
consult-europ.com
middle-consult.com
westconsult-eu.com
The (probably fake) contact details on the domains are:
Vilechka Pelka
Email: rewerta12@yahoo.com
Organization: Nord Atlantic.
Address: 15 Av Albert Ier 143
City: Braine l'Alleud
State: Braine l'Alleud
ZIP: 1420
Country: BE
Phone: +3.3223874153
Fax: +3.3223874152
Email: rewerta12@yahoo.com
Organization: Nord Atlantic.
Address: 15 Av Albert Ier 143
City: Braine l'Alleud
State: Braine l'Alleud
ZIP: 1420
Country: BE
Phone: +3.3223874153
Fax: +3.3223874152
As ever, avoid.
Labels:
Job Offer Scams,
Lapatasker
Tuesday, 26 April 2011
Some German scam sites
These are allegedly German companies, but:
blocher-finance.com
dxxm-group.com
eg-finanzen.com
eseira-finanzen.com
eseira-gruppe.com
esse-gruppe.com
fil-finanzen.com
frost-finanzen.com
geissler-finance.com
geld-group.com
genser-group.com
grueneberg-and-partners.com
hanza-gruppe.com
hod-group.com
horst-finanzen.com
jix-finance.com
koeppl-finanzen.com
krenosz-finance.com
nitte-gruppe.com
nogl-group.com
pius-group.com
puemmler-and-partners.com
schem-group.com
somex-gruppe.com
temi-group.com
volkse-finanzen.com
wedi-group.com
werx-finanzen.com
werx-gruppe.com
wolgast-and-partners.com
More details:
jix-finance.com
86.55.96.11
Guenter Frost guenterfrost@yahoo.com
+49.1745053607 fax: +49.1745053607
Frauenlobstr.32
Berlin Berlin 12437
de
frost-finanzen.com
86.55.96.13
Georgios Mavridis georgiosmavridis50@yahoo.com
+49.1773305251 fax: +49.1773305251
Gerolsteiner Str. 119
Cologne Nordrhein-Westfalen 50937
de
puemmler-and-partners.com
86.55.96.15
Tanja Geissler geisslertanja@yahoo.com
+49.1776444216 fax: +49.1776444216
Lindenstr.38
Kreuzau Nordrhein-Westfalen 52372
de
eseira-finanzen.com
86.55.96.17
Christos Papachristou papachristou.christos@yahoo.com
+49.15202603534 fax: +49.15202603534
Haubersbronnerstr. 6
Urbach Thueringen 73660
de
wolgast-and-partners.com
86.55.96.19
Mike Grueneberg gruenebergmike@yahoo.com
+49.15223628764 fax: +49.15223628764
Walter friedrich str.56
Berlin Berlin 13125
de
somex-gruppe.com
86.55.96.21
Heidrun Lorenz heidrunlorenz@yahoo.com
+49.16099222185 fax: +49.16099222185
Flutgrabenweg 1a
Neumarkt Bayern 92318
de
schem-group.com
86.55.96.23
Ludwig Detlef ludwigdetlef@ymail.com
+49.15203113478 fax: +49.15203113478
Kalk-Muelheimerstr.210
Koeln Nordrhein-Westfalen 51103
de
werx-finanzen.com
86.55.96.25
Daniel Koeppl daniel.koeppl@yahoo.com
+49.15111521688 fax: +49.15111521688
Reinhardsleiten 8
Pielenhofen Bayern 93188
de
nitte-gruppe.com
86.55.96.27
Hans Mausolff hansmausolff@yahoo.com
+49.17649615986 fax: +49.17649615986
Potsdamer Str. 41
Berlin Berlin 14163
de
eseira-gruppe.com
86.55.96.29
Juliane Mausolff julianemausolff@yahoo.com
+49.3031808844 fax: +49.3031808844
Potsdamer Str. 41
Berlin Berlin 14163
de
hanza-gruppe.com
86.55.96.31
Denis Wolgast deniswolgast@yahoo.com
+49.16098119639 fax: +49.16098119639
Am Heidberg 34
Henstedt-Ulzburg Schleswig-Holstein 24558
de
nogl-group.com
86.55.96.33
Lena Puemmler lenapuemmler@yahoo.com
+49.17663727804 fax: +49.17663727804
Neuer Kamp 2
Drebber Niedersachsen 49457
de
dxxm-group.com
86.55.96.35
Bianka Sturhahn biankasturhahn@ymail.com
+49.1723276172 fax: +49.1723276172
Plass 3
Doerentrup Nordrhein-Westfalen 32694
de
geld-group.com
86.55.96.37
Frank Swoboda polskeswine@yahoo.com
+49.15776817588 fax: +49.15776817588
Otto-Hahn-Str. 7a
Alsdorf Nordrhein-Westfalen 52477
de
krenosz-finance.com
86.55.96.39
Olaf Sedello olafsedello@yahoo.com
+49.2254847434 fax: +49.2254847434
Triftstrasse 42
Weilerswist Nordrhein-Westfalen 53919
de
werx-gruppe.com
86.55.96.41
Andreas Kubasik andreaskubasik@ymail.com
+49.15229234145 fax: +49.15229234145
Gartenstrasse 24a
Pleinfeld Bayern 91785
de
grueneberg-and-partners.com
86.55.96.43
Josef Schedlbauer josefschedlbauer@yahoo.com
+49.1712755823 fax: +49.1712755823
Bergstrasse 21a
Regen Bayern 94209
de
geissler-finance.com
86.55.96.45
Vadim Kruglov vadimkruglov@rocketmail.com
+49.1629098777 fax: +49.1629098777
Schuetzenstrasse 23
Friesoythe Niedersachsen 26169
de
esse-gruppe.com
86.55.96.47
Gerhard Krenosz gerhardkrenosz@yahoo.com
+49.21117806832 fax: +49.21117806832
Ludolf Strasse 15
Duesseldorf Nordrhein-Westfalen 40597
de
koeppl-finanzen.com
86.55.96.49
Holm Mrazek holmmrazek@yahoo.com
+49.17685370230 fax: +49.17685370230
Sonnenstrasse 222
Dortmund Nordrhein-Westfalen 44137
de
hod-group.com
86.55.96.51
Gisela Huber ghuber56@yahoo.com
+49.17666649956 fax: +49.17666649956
Althoehensteigstr. 7
Stephanskirchen Hessen 83071
de
volkse-finanzen.com
86.55.96.53
Denis Goertz denis.goertz@yahoo.com
+49.1639836914 fax: +49.1639836914
hochstr. 61
Nettetal Lobberich Sachsenanhalt 41334
de
blocher-finance.com
86.55.96.55
Helmut Koenig koenighelmut@yahoo.com
+49.1733201046 fax: +49.1733201046
Oberhofer Str. 26
Zella-Mehlis Thuringen 98544
de
fil-finanzen.com
86.55.96.57
Bernecker Josef berneckerjosef@yahoo.com
+49.9422859853 fax: +49.9422859853
Stadtplatz 42
Bogen Bayern 94327
de
eg-finanzen.com
86.55.96.59
Pius Walleser walleser32@yahoo.com
+49.1754218358 fax: +49.1754218358
Kesslerstrasse 5
Breisach Sachsen-Anhalt 79206
de
temi-group.com
86.55.96.61
Horst Werner woerner963@yahoo.com
+49.1728189733 fax: +49.1728189733
Rilkestrasse 3
Bad Schussenried Rheinland-Pfalz 88427
de
horst-finanzen.com
86.55.96.63
Kai Hermann hkaihermann@yahoo.com
+49.9942808801 fax: +49.9942808801
Tafertsbergstrasse 12
Prackenbach Rheinland-Pfalz 94267
de
wedi-group.com
86.55.96.65
Joseph Bauer bauer.joseph81@yahoo.com
+49.8555941395 fax: +49.8555941395
Hofaecker 4
Grafenau Hamburg 94481
de
pius-group.com
86.55.96.67
Daniela Habermann habermann_d@yahoo.com
+49.17694209180 fax: +49.17694209180
tecklenburgerstrasse 29
Ladbergen Bayern 49549
de
genser-group.com
86.55.96.69
Armin Blocher arminblocher@rocketmail.com
+49.02771801325 fax: +49.02771801325
Langgasse 1
Dillenburg Niedersachsen 35685
de
- They are all very recently registered (4th and 17th April 2011)
- The registrar is in China (BIZCN.COM)
- The web host is in Romania
- In each case a Yahoo email address has been used
blocher-finance.com
dxxm-group.com
eg-finanzen.com
eseira-finanzen.com
eseira-gruppe.com
esse-gruppe.com
fil-finanzen.com
frost-finanzen.com
geissler-finance.com
geld-group.com
genser-group.com
grueneberg-and-partners.com
hanza-gruppe.com
hod-group.com
horst-finanzen.com
jix-finance.com
koeppl-finanzen.com
krenosz-finance.com
nitte-gruppe.com
nogl-group.com
pius-group.com
puemmler-and-partners.com
schem-group.com
somex-gruppe.com
temi-group.com
volkse-finanzen.com
wedi-group.com
werx-finanzen.com
werx-gruppe.com
wolgast-and-partners.com
More details:
jix-finance.com
86.55.96.11
Guenter Frost guenterfrost@yahoo.com
+49.1745053607 fax: +49.1745053607
Frauenlobstr.32
Berlin Berlin 12437
de
frost-finanzen.com
86.55.96.13
Georgios Mavridis georgiosmavridis50@yahoo.com
+49.1773305251 fax: +49.1773305251
Gerolsteiner Str. 119
Cologne Nordrhein-Westfalen 50937
de
puemmler-and-partners.com
86.55.96.15
Tanja Geissler geisslertanja@yahoo.com
+49.1776444216 fax: +49.1776444216
Lindenstr.38
Kreuzau Nordrhein-Westfalen 52372
de
eseira-finanzen.com
86.55.96.17
Christos Papachristou papachristou.christos@yahoo.com
+49.15202603534 fax: +49.15202603534
Haubersbronnerstr. 6
Urbach Thueringen 73660
de
wolgast-and-partners.com
86.55.96.19
Mike Grueneberg gruenebergmike@yahoo.com
+49.15223628764 fax: +49.15223628764
Walter friedrich str.56
Berlin Berlin 13125
de
somex-gruppe.com
86.55.96.21
Heidrun Lorenz heidrunlorenz@yahoo.com
+49.16099222185 fax: +49.16099222185
Flutgrabenweg 1a
Neumarkt Bayern 92318
de
schem-group.com
86.55.96.23
Ludwig Detlef ludwigdetlef@ymail.com
+49.15203113478 fax: +49.15203113478
Kalk-Muelheimerstr.210
Koeln Nordrhein-Westfalen 51103
de
werx-finanzen.com
86.55.96.25
Daniel Koeppl daniel.koeppl@yahoo.com
+49.15111521688 fax: +49.15111521688
Reinhardsleiten 8
Pielenhofen Bayern 93188
de
nitte-gruppe.com
86.55.96.27
Hans Mausolff hansmausolff@yahoo.com
+49.17649615986 fax: +49.17649615986
Potsdamer Str. 41
Berlin Berlin 14163
de
eseira-gruppe.com
86.55.96.29
Juliane Mausolff julianemausolff@yahoo.com
+49.3031808844 fax: +49.3031808844
Potsdamer Str. 41
Berlin Berlin 14163
de
hanza-gruppe.com
86.55.96.31
Denis Wolgast deniswolgast@yahoo.com
+49.16098119639 fax: +49.16098119639
Am Heidberg 34
Henstedt-Ulzburg Schleswig-Holstein 24558
de
nogl-group.com
86.55.96.33
Lena Puemmler lenapuemmler@yahoo.com
+49.17663727804 fax: +49.17663727804
Neuer Kamp 2
Drebber Niedersachsen 49457
de
dxxm-group.com
86.55.96.35
Bianka Sturhahn biankasturhahn@ymail.com
+49.1723276172 fax: +49.1723276172
Plass 3
Doerentrup Nordrhein-Westfalen 32694
de
geld-group.com
86.55.96.37
Frank Swoboda polskeswine@yahoo.com
+49.15776817588 fax: +49.15776817588
Otto-Hahn-Str. 7a
Alsdorf Nordrhein-Westfalen 52477
de
krenosz-finance.com
86.55.96.39
Olaf Sedello olafsedello@yahoo.com
+49.2254847434 fax: +49.2254847434
Triftstrasse 42
Weilerswist Nordrhein-Westfalen 53919
de
werx-gruppe.com
86.55.96.41
Andreas Kubasik andreaskubasik@ymail.com
+49.15229234145 fax: +49.15229234145
Gartenstrasse 24a
Pleinfeld Bayern 91785
de
grueneberg-and-partners.com
86.55.96.43
Josef Schedlbauer josefschedlbauer@yahoo.com
+49.1712755823 fax: +49.1712755823
Bergstrasse 21a
Regen Bayern 94209
de
geissler-finance.com
86.55.96.45
Vadim Kruglov vadimkruglov@rocketmail.com
+49.1629098777 fax: +49.1629098777
Schuetzenstrasse 23
Friesoythe Niedersachsen 26169
de
esse-gruppe.com
86.55.96.47
Gerhard Krenosz gerhardkrenosz@yahoo.com
+49.21117806832 fax: +49.21117806832
Ludolf Strasse 15
Duesseldorf Nordrhein-Westfalen 40597
de
koeppl-finanzen.com
86.55.96.49
Holm Mrazek holmmrazek@yahoo.com
+49.17685370230 fax: +49.17685370230
Sonnenstrasse 222
Dortmund Nordrhein-Westfalen 44137
de
hod-group.com
86.55.96.51
Gisela Huber ghuber56@yahoo.com
+49.17666649956 fax: +49.17666649956
Althoehensteigstr. 7
Stephanskirchen Hessen 83071
de
volkse-finanzen.com
86.55.96.53
Denis Goertz denis.goertz@yahoo.com
+49.1639836914 fax: +49.1639836914
hochstr. 61
Nettetal Lobberich Sachsenanhalt 41334
de
blocher-finance.com
86.55.96.55
Helmut Koenig koenighelmut@yahoo.com
+49.1733201046 fax: +49.1733201046
Oberhofer Str. 26
Zella-Mehlis Thuringen 98544
de
fil-finanzen.com
86.55.96.57
Bernecker Josef berneckerjosef@yahoo.com
+49.9422859853 fax: +49.9422859853
Stadtplatz 42
Bogen Bayern 94327
de
eg-finanzen.com
86.55.96.59
Pius Walleser walleser32@yahoo.com
+49.1754218358 fax: +49.1754218358
Kesslerstrasse 5
Breisach Sachsen-Anhalt 79206
de
temi-group.com
86.55.96.61
Horst Werner woerner963@yahoo.com
+49.1728189733 fax: +49.1728189733
Rilkestrasse 3
Bad Schussenried Rheinland-Pfalz 88427
de
horst-finanzen.com
86.55.96.63
Kai Hermann hkaihermann@yahoo.com
+49.9942808801 fax: +49.9942808801
Tafertsbergstrasse 12
Prackenbach Rheinland-Pfalz 94267
de
wedi-group.com
86.55.96.65
Joseph Bauer bauer.joseph81@yahoo.com
+49.8555941395 fax: +49.8555941395
Hofaecker 4
Grafenau Hamburg 94481
de
pius-group.com
86.55.96.67
Daniela Habermann habermann_d@yahoo.com
+49.17694209180 fax: +49.17694209180
tecklenburgerstrasse 29
Ladbergen Bayern 49549
de
genser-group.com
86.55.96.69
Armin Blocher arminblocher@rocketmail.com
+49.02771801325 fax: +49.02771801325
Langgasse 1
Dillenburg Niedersachsen 35685
de
Labels:
Germany,
Job Offer Scams,
Romania
Evil network: Leksim Ltd / RELNET-NET AS5577 (62.122.72.0/21)
Implicated in malware distribution, botnet C&Cs and spam, the network range 62.122.72.0/21 (62.122.72.0 - 62.122.79.255) is currently quite active in evil activities (you can find examples here and here and the SiteVet report here).
There aren't many sites in this block, and they are almost all either in 62.122.73.0/24 and 62.122.75.0/24 (but blocking the /21 is safer).. but the vast majority of sites are rated deep red at MyWOT (a full list of sites and ratings can be downloaded here).
Who owns the block? The RIPE WHOIS details are:
inetnum: 62.122.72.0 - 62.122.79.255
netname: RELNET-NET
descr: "Leksim" Ltd.
country: EU
remarks: trouble: spam/scam/abuse issues send *ONLY* to: abuse@rel-net.eu
org: ORG-TA388-RIPE
admin-c: JT384-RIPE
tech-c: BS594-RIPE
tech-c: MR10655-RIPE
status: ASSIGNED PI
mnt-by: RELNET
mnt-by: RIPE-NCC-END-MNT
mnt-lower: RIPE-NCC-END-MNT
mnt-routes: RELNET
mnt-domains: RELNET
source: RIPE # Filtered
mnt-routes: ROOT-MNT
organisation: ORG-TA388-RIPE
org-name: "Leksim" Ltd.
org-type: OTHER
address: Stationsplein 30, 2910 MJ Capelle aan den IJssel, The Netherlands
phone: +31 10 2391391
fax-no: +31 10 2391392
admin-c: JT384-RIPE
tech-c: BS594-RIPE
mnt-ref: RELNET
mnt-by: RELNET
source: RIPE # Filtered
person: Justin Thomson
address: Stationsplein 30
address: 2910 MJ Capelle aan den IJssel
address: THE NETHERLANDS
abuse-mailbox: abuse@rel-net.eu
mnt-by: RELNET
phone: +31 10 2391391
nic-hdl: JT384-RIPE
source: RIPE # Filtered
person: Bernd Spiess
address: Gabelsberger Strasse 15
address: 9021 Klagenfurt
address: AUSTRIA
mnt-by: RELNET
phone: +43 46 3223501
nic-hdl: BS594-RIPE
source: RIPE # Filtered
person: Marcel Russo
address: 31, z.a. am Bann
address: L-3375 Leudelange
address: LUXEMBURG
mnt-by: RELNET
phone: + 352 2551301
nic-hdl: MR10655-RIPE
source: RIPE # Filtered
But is this "Leksim Ltd" or Relnet? Relnet's contact details (for rel-net.eu, relnet.eu, relnet.hu) are very different:
If you Google the first three names you get some very telling results.
Blocking the /21 is probably the best idea. I can identify the following domains in this block in case you want to block by domain name, or for more detail download the CSV version.
abussgf.com
adnologi.com
apicurl.com
asherhiftn.com
banner-count.com
belliali.com
best-figure.com
biznage.com
blank-record.com
cahodofo.com
chethole.com
clckil.com
clckli.com
cr0zybaner.com
cr0zybanner.com
croozybannir.com
crozybannir.com
data-saver.org
denizab.com
dhfodminmont.com
eleophy.com
fathone.com
fr0udsafetycheck0n.com
goodse.org
gredigns.com
gulderpoin.com
ineloitond.com
kicksho.com
krasivoe-telo.com
lineacount.info
lineweather.com
livesecpayment.com
livesecsuite.com
live-sec-suite.com
live-security-suite.com
liveslicense.com
livespayment.com
livessupport.com
lkckclckli1i.com
lsspayment.com
lsssupport.com
luffer.info
majusef.com
maketh.info
minteddi.com
mizaterp.com
monitor-info.com
mypersonalhttp.com
nonepersonal.com
nuensmidts.com
onlinedietolog.net
osago-msk.com
perleme.com
pinokolder.com
sileeber.com
spy-soft.org
tangoing.info
telemarker.ru
thestopbadware.com
thyrogl.com
tinnily.info
uatwdminmont.com
umogultvon.com
unmarine.info
virtepgulm.com
vkontacte.org
vkontakle.net
warwork.info
w-opay.com
w-optim.com
wovens.info
yafraudcheckonline.com
yledmanager.com
zblvdminmont.com
zumugolter.com
There aren't many sites in this block, and they are almost all either in 62.122.73.0/24 and 62.122.75.0/24 (but blocking the /21 is safer).. but the vast majority of sites are rated deep red at MyWOT (a full list of sites and ratings can be downloaded here).
Who owns the block? The RIPE WHOIS details are:
inetnum: 62.122.72.0 - 62.122.79.255
netname: RELNET-NET
descr: "Leksim" Ltd.
country: EU
remarks: trouble: spam/scam/abuse issues send *ONLY* to: abuse@rel-net.eu
org: ORG-TA388-RIPE
admin-c: JT384-RIPE
tech-c: BS594-RIPE
tech-c: MR10655-RIPE
status: ASSIGNED PI
mnt-by: RELNET
mnt-by: RIPE-NCC-END-MNT
mnt-lower: RIPE-NCC-END-MNT
mnt-routes: RELNET
mnt-domains: RELNET
source: RIPE # Filtered
mnt-routes: ROOT-MNT
organisation: ORG-TA388-RIPE
org-name: "Leksim" Ltd.
org-type: OTHER
address: Stationsplein 30, 2910 MJ Capelle aan den IJssel, The Netherlands
phone: +31 10 2391391
fax-no: +31 10 2391392
admin-c: JT384-RIPE
tech-c: BS594-RIPE
mnt-ref: RELNET
mnt-by: RELNET
source: RIPE # Filtered
person: Justin Thomson
address: Stationsplein 30
address: 2910 MJ Capelle aan den IJssel
address: THE NETHERLANDS
abuse-mailbox: abuse@rel-net.eu
mnt-by: RELNET
phone: +31 10 2391391
nic-hdl: JT384-RIPE
source: RIPE # Filtered
person: Bernd Spiess
address: Gabelsberger Strasse 15
address: 9021 Klagenfurt
address: AUSTRIA
mnt-by: RELNET
phone: +43 46 3223501
nic-hdl: BS594-RIPE
source: RIPE # Filtered
person: Marcel Russo
address: 31, z.a. am Bann
address: L-3375 Leudelange
address: LUXEMBURG
mnt-by: RELNET
phone: + 352 2551301
nic-hdl: MR10655-RIPE
source: RIPE # Filtered
But is this "Leksim Ltd" or Relnet? Relnet's contact details (for rel-net.eu, relnet.eu, relnet.hu) are very different:
domain: relnet.hu
registrant: Relnet Technologia Ltd.
registrant: Relnet Technológia Kft.
tech-c: Dávid András
address: Véső 7
address: 1133 Budapest
address: HU
phone: 06-70-452-4603
fax-no: 06-1-350-1355
e-mail: hostmaster@relnet.hu
hun-id: 2000466058
registrant: Relnet Technologia Ltd.
registrant: Relnet Technológia Kft.
tech-c: Dávid András
address: Véső 7
address: 1133 Budapest
address: HU
phone: 06-70-452-4603
fax-no: 06-1-350-1355
e-mail: hostmaster@relnet.hu
hun-id: 2000466058
If you Google the first three names you get some very telling results.
Blocking the /21 is probably the best idea. I can identify the following domains in this block in case you want to block by domain name, or for more detail download the CSV version.
abussgf.com
adnologi.com
apicurl.com
asherhiftn.com
banner-count.com
belliali.com
best-figure.com
biznage.com
blank-record.com
cahodofo.com
chethole.com
clckil.com
clckli.com
cr0zybaner.com
cr0zybanner.com
croozybannir.com
crozybannir.com
data-saver.org
denizab.com
dhfodminmont.com
eleophy.com
fathone.com
fr0udsafetycheck0n.com
goodse.org
gredigns.com
gulderpoin.com
ineloitond.com
kicksho.com
krasivoe-telo.com
lineacount.info
lineweather.com
livesecpayment.com
livesecsuite.com
live-sec-suite.com
live-security-suite.com
liveslicense.com
livespayment.com
livessupport.com
lkckclckli1i.com
lsspayment.com
lsssupport.com
luffer.info
majusef.com
maketh.info
minteddi.com
mizaterp.com
monitor-info.com
mypersonalhttp.com
nonepersonal.com
nuensmidts.com
onlinedietolog.net
osago-msk.com
perleme.com
pinokolder.com
sileeber.com
spy-soft.org
tangoing.info
telemarker.ru
thestopbadware.com
thyrogl.com
tinnily.info
uatwdminmont.com
umogultvon.com
unmarine.info
virtepgulm.com
vkontacte.org
vkontakle.net
warwork.info
w-opay.com
w-optim.com
wovens.info
yafraudcheckonline.com
yledmanager.com
zblvdminmont.com
zumugolter.com
Labels:
Evil Network,
Hungary
Friday, 22 April 2011
Fake job domains 22/4/11
Another list of fake job domains relating to this long running scam and in addition to these recent ones. Solicitations are sent by spam are are attempting to recruit people for money laundering etc, so best avoided.
australia-union.com
europ-hire.com
europ-union.com
next-jobb.com
usa-1job.com
Registrant details (no doubt fake) are:
australia-union.com
europ-hire.com
europ-union.com
next-jobb.com
usa-1job.com
Registrant details (no doubt fake) are:
Vilechka Pelka
Email: rewerta12@yahoo.com
Organization: Nord Atlantic.
Address: 15 Av Albert Ier 143
City: Braine l'Alleud
State: Braine l'Alleud
ZIP: 1420
Country: BE
Phone: +3.3223874153
Fax: +3.3223874152
Email: rewerta12@yahoo.com
Organization: Nord Atlantic.
Address: 15 Av Albert Ier 143
City: Braine l'Alleud
State: Braine l'Alleud
ZIP: 1420
Country: BE
Phone: +3.3223874153
Fax: +3.3223874152
Labels:
Job Offer Scams,
Lapatasker,
Money Mule
ygnetwork-ltd.com domain scam
This scam has been around for years - basically, you get an unsolicited email from a company claiming to be a domain registrar in China (it is usually China) that says that someone is trying to register a domain similar to one that you already own. The idea is that the recipient will panic and buy an overpriced and basically worthless domain from them.
If you are worried about domain poaching, then usually the best place to start is your own domain registrar or another well-known reliable vendor, rather than responding to this unsolicited approach.
If you are worried about domain poaching, then usually the best place to start is your own domain registrar or another well-known reliable vendor, rather than responding to this unsolicited approach.
From: John <john.chen@ygnetwork-ltd.com>
Date: 22 April 2011 06:26
Subject: Urgent notice of Intellectual Property protection
Dear Manager:
This email is from China domain name registration center, which mainly deal with the domain name registration and dispute internationally in China and Asia.
On April 21st 2011. We received HAITONG company's application, they want to register " dynamoo" as its Internet keyword and CN/Asia domain names. It is china and Asia domain names. But after checking we find this domain name conflict with your company, in order to deal with this matter better, so we send you email, and want to confirm whether this company is your distributor or business partner in China?
I'm looking forward to hearing from you!
Best Regards,
John
Oversea marketing manager
Office: +86(0)21 6191 8696
Mobile: +86 1366152 9704
Fax: +86(0)21 6191 8697
web: www.ygnetwork-ltd.com
Friday, 15 April 2011
"Cake Decoration Lesson" spam
I can only assume that this is some sort of strange scam. The email originates from 74.55.158.162 which is flagged as being quite spammy.
Beats the heck outta me.
Subject: CAKE DECORATION LESSON::::::::::::::::::
From: Omiky Aneke <omikychartin@blumail.org>
Reply-To: omiky1aneke@yahoo.co.uk
Hello,
How are you doing today ? My name is OMIKY ANEKE I want to book for CAKE DECORATION LESSON Workshops Classes with you while on a 2weeks holidays in your
country.We are a group of 10 people seeking for CAKE DECORATION LESSON: Workshops
training while on holidays and as part of our plans we need CAKE DECORATION LESSON for the whole 2weeks in
your area.
I would like to book for 2weeks classes for 3 hours each day Monday to
Saturday (morning hours) for a group of 10. We are asking for 3 hours per
day for 2weeks - Monday - Saturday. A total of 36 hrs
Do you have a training facility where you conduct classes? We can arrange
for this,if not available. Do you have rooms or is there any hotel close
to your facility?
DATE: 7TH JUNE 2011 TO 21 JUNE 2011
I would love to know the possibility of working with you during this
period.Kindly get back to me with your proposals so that we can make booking
asap.
The group would be performing for a group of family members over there. I
would love to get the total cost or a quote/estate. What are your payment
options? Do you accept credit cards? I would be grateful if you will be
willing to do the work to teach quality classes and make us happy
Regards
OMIKY
Beats the heck outta me.
Sunday, 10 April 2011
More fake job domains
Another list of fake job domains, almost identical to this one. Avoid.
1best-position.com
1consulting-online.com
allweb-consulting.com
besteuro-hire.com
consult-wugposition.com
first-newoffer.com
world-hire.com
wug-hire.com
wug-myoffer.com
1best-position.com
1consulting-online.com
allweb-consulting.com
besteuro-hire.com
consult-wugposition.com
first-newoffer.com
world-hire.com
wug-hire.com
wug-myoffer.com
Labels:
Job Offer Scams,
Lapatasker,
Money Mule
wug-hire.com fake job offer
Yet another installment in this endless series of fake job offers, the domain wug-hire.com is being used as a reply-to address for this particular scam. The "wug" name has been used before in this spam run.
Usually these fake jobs involve laundering stolen money via wire transfer, but sometimes they involve other "back office" functions such as registering fake businesses, identity theft, auction fraud and many other things which are best avoided unless you really want to spend time in jail.
The WHOIS details are almost definitely fake, but for the record they are:
Subject: We have vacancies to be filled by Europe residents only
Good afternoon!
I am writing to you in the name of the corporation the Human Resources department of which I represent.
Our enterprise has a lot of different lines of business.
-real property
-business support
-company dissolution
-private firm service
-etc
We propose the opportunity for jobseekers in Europe:
-compansation 2.600 euro + bonus
-taskwork
- flexible hours
If our offer kindled your interest, please feel free to contact us. Brooks@wug-hire.com
First Name:
Country of living
City
mail address:
Contact telephone number
Attn! You can apply for this vacancy if you have a permission to work in Europe!
Please e-mail your name and phone number and we will invite you for interview.
Usually these fake jobs involve laundering stolen money via wire transfer, but sometimes they involve other "back office" functions such as registering fake businesses, identity theft, auction fraud and many other things which are best avoided unless you really want to spend time in jail.
The WHOIS details are almost definitely fake, but for the record they are:
Vilechka Pelka
Email: rewerta12@yahoo.com
Organization: Nord Atlantic.
Address: 15 Av Albert Ier 143
City: Braine l'Alleud
State: Braine l'Alleud
ZIP: 1420
Country: BE
Phone: +3.3223874153
Fax: +3.3223874152
Email: rewerta12@yahoo.com
Organization: Nord Atlantic.
Address: 15 Av Albert Ier 143
City: Braine l'Alleud
State: Braine l'Alleud
ZIP: 1420
Country: BE
Phone: +3.3223874153
Fax: +3.3223874152
Labels:
Job Offer Scams,
Lapatasker,
Money Mule
Saturday, 2 April 2011
alisa-carter.com, lizamoon.com and worid-of-books.com
The injection attacks from lizamoon.com and other domains continue.. and they link back to a popular blog post about a very different attack site at worid-of-books.com because at the moment, all these sites appear to be on the same server at 95.64.9.18 belonging to Intermedia TOP SRL.
The following sites are on that malicious server:
alexblane.com
alisa-carter.com
lizamoon.com
t6ryt56.info
tadygus.com
worid-of-books.com
Right now the safest thing to do is block traffic to 95.64.8.0/23 (95.64.8.0 - 95.64.9.255) at the very least. But given that there are several bad networks now within the mostly Romanian 95.64.0.0/16, there's very little to lose in blocking the whole /16 for now if you don't have dealings with Romania.
If you need to block by domain, then the list below is everything that I can identify in this block.
abrogatesdv.info
antiviric.net
atlaty.com
atydut.com
bancard.cc
blasphemysfhs.info
blatant8jh.info
blightedgf5.info
bru67.info
buroti.com
cra76.info
cre12.info
crediblegfj.info
creditablef8.info
credulousaw99d.info
der93.info
enigmafhdd.info
enscond4xc.info
enshroudgf32b.info
fif49.info
fileac.com
financeprogramm.com
fop22.info
fre94.info
harbingersytu.info
hastenr55a.info
haughtinessd2f.info
itapos.com
ivo17.info
jer77.info
jev41.info
kia31.info
kie14.info
laby5nehfs.info
laceration24.info
lachrymose78n.info
lev66.info
lsrato.com
machmit.cc
mag20.info
memhys.com
mia16.info
mineral-beauty.net
morafu.com
mupoga.com
muposs.com
nlosaf.com
nuzzlefgf.info
nwolbcom.cc
nyb90.info
obduratexv.info
obfuscate98y.info
onfiro.com
online-security.cc
opa63.info
ova22.info
pes89.info
plauditaz.info
plethoradtb.info
podyme.com
poisor.com
posjuc.com
posunn.com
prettyharp.ru
qertys.com
reprieve8mf.info
scoolq.com
ser55.info
servat.cc
serwaz.com
testaz.cc
tmwars.com
usudom.com
xxxpornteensex.com
advancedwebanalytic.com
alexblane.com
alisa-carter.com
alternative-art-ltd.net
alternativeart-ltd.com
artmarket-llc.net
artsolveltd.cc
artsolveltdco.at
astech-groupde.cc
blitznet-de.eu
chelpgroup-llc.net
chepl-groupllc.biz
competitor-uk-group.net
competitorgroup-ltd.com
ddk100.com
ddk2200.com
deemno.com
drakulaworld.net
drysdale-antcorp.at
drysdale-group-inc.cc
findsubstantial.org
foto-album-mnck.tk
fotoshare-2dknc.com
google-1aa.com
googlesite.ws
joomlaext.org
kunde.ws
lizamoon.com
mailwbg6.com
micr0updates.com
myblog-search.com
ocservice-de.net
oregon-ltd-uk.net
qead-llc.biz
saleoke.com
squit-group-llc.biz
surprise-knsma.tk
surprise-knsmd.tk
surprise-knsmf.tk
surprise-knsmo.tk
surprise-knsmp.tk
surprise-knsmq.tk
surprise-knsmr.tk
surprise-knsms.tk
surprise-knsmt.tk
surprise-knsmu.tk
surprise-knsmw.tk
t6ryt56.info
tadygus.com
worid-of-books.com
The following sites are on that malicious server:
alexblane.com
alisa-carter.com
lizamoon.com
t6ryt56.info
tadygus.com
worid-of-books.com
Right now the safest thing to do is block traffic to 95.64.8.0/23 (95.64.8.0 - 95.64.9.255) at the very least. But given that there are several bad networks now within the mostly Romanian 95.64.0.0/16, there's very little to lose in blocking the whole /16 for now if you don't have dealings with Romania.
If you need to block by domain, then the list below is everything that I can identify in this block.
abrogatesdv.info
antiviric.net
atlaty.com
atydut.com
bancard.cc
blasphemysfhs.info
blatant8jh.info
blightedgf5.info
bru67.info
buroti.com
cra76.info
cre12.info
crediblegfj.info
creditablef8.info
credulousaw99d.info
der93.info
enigmafhdd.info
enscond4xc.info
enshroudgf32b.info
fif49.info
fileac.com
financeprogramm.com
fop22.info
fre94.info
harbingersytu.info
hastenr55a.info
haughtinessd2f.info
itapos.com
ivo17.info
jer77.info
jev41.info
kia31.info
kie14.info
laby5nehfs.info
laceration24.info
lachrymose78n.info
lev66.info
lsrato.com
machmit.cc
mag20.info
memhys.com
mia16.info
mineral-beauty.net
morafu.com
mupoga.com
muposs.com
nlosaf.com
nuzzlefgf.info
nwolbcom.cc
nyb90.info
obduratexv.info
obfuscate98y.info
onfiro.com
online-security.cc
opa63.info
ova22.info
pes89.info
plauditaz.info
plethoradtb.info
podyme.com
poisor.com
posjuc.com
posunn.com
prettyharp.ru
qertys.com
reprieve8mf.info
scoolq.com
ser55.info
servat.cc
serwaz.com
testaz.cc
tmwars.com
usudom.com
xxxpornteensex.com
advancedwebanalytic.com
alexblane.com
alisa-carter.com
alternative-art-ltd.net
alternativeart-ltd.com
artmarket-llc.net
artsolveltd.cc
artsolveltdco.at
astech-groupde.cc
blitznet-de.eu
chelpgroup-llc.net
chepl-groupllc.biz
competitor-uk-group.net
competitorgroup-ltd.com
ddk100.com
ddk2200.com
deemno.com
drakulaworld.net
drysdale-antcorp.at
drysdale-group-inc.cc
findsubstantial.org
foto-album-mnck.tk
fotoshare-2dknc.com
google-1aa.com
googlesite.ws
joomlaext.org
kunde.ws
lizamoon.com
mailwbg6.com
micr0updates.com
myblog-search.com
ocservice-de.net
oregon-ltd-uk.net
qead-llc.biz
saleoke.com
squit-group-llc.biz
surprise-knsma.tk
surprise-knsmd.tk
surprise-knsmf.tk
surprise-knsmo.tk
surprise-knsmp.tk
surprise-knsmq.tk
surprise-knsmr.tk
surprise-knsms.tk
surprise-knsmt.tk
surprise-knsmu.tk
surprise-knsmw.tk
t6ryt56.info
tadygus.com
worid-of-books.com
Labels:
Injection Attacks,
Romania,
SQL Injection
Thursday, 31 March 2011
alleurope-consult.com job scam
Another fake job offer in this long running job scam, alleurope-consult.com is probably another money mule operation. The email is pretty terse and doesn't allude to much:
WHOIS details don't tell you much either as the could be fake, they're the same as for west-ugroup.net:
Aleksej Iliin
Email: abolan@mail.org
Organization: Private person
Address: Okruzhnaya ul. d.5 kv.4
City: Moskva
State: Moskovskaya obl.
ZIP: 183124
Country: RU
Phone: +7.4959424617
Fax: +7.4959424617
Avoid, basically.
Subject: Work for specialists!
Good day.
Our company would like to offer you a Good day part-time job.
Location: the Europe Union
If you are interested, please reply to : Ladonna@alleurope-consult.com
All the best.
HR department,
LadonnaGore
WHOIS details don't tell you much either as the could be fake, they're the same as for west-ugroup.net:
Aleksej Iliin
Email: abolan@mail.org
Organization: Private person
Address: Okruzhnaya ul. d.5 kv.4
City: Moskva
State: Moskovskaya obl.
ZIP: 183124
Country: RU
Phone: +7.4959424617
Fax: +7.4959424617
Avoid, basically.
Labels:
Job Offer Scams,
Lapatasker,
Money Mule,
Russia
Monday, 28 March 2011
Wanna buy an aircraft carrier?
Because we British have decided that we don't need to have aircraft carriers, because we're not bombing anywhere in particular at the moment.. apart from Libya.. and maybe a few other countries that we noticed along the way, then we've put the ex-flagship Ark Royal up on an auction site.
What cracks me up is the "Add to Wishlist" and "Add to Cart" buttons on the bottom.
Before you get over excited, these pocket aircraft carriers are mostly suitable for helicopters or V/STOL jets which aren't included in the price.
What cracks me up is the "Add to Wishlist" and "Add to Cart" buttons on the bottom.
Before you get over excited, these pocket aircraft carriers are mostly suitable for helicopters or V/STOL jets which aren't included in the price.
Labels:
Stupidity
Subscribe to:
Posts (Atom)