It appears that a lot of DreamHost (New Dream Network LLC) sites have been hacked with malicious pages added to them. The issue impacts multiple servers at different DreamHost datacenters. Some sample IPs with infected sites include:
67.205.1.63
67.205.3.51
67.205.3.230
69.163.168.135
69.163.169.247
69.163.181.205
69.163.184.86
75.119.217.8
Since the hacked pages all contain the string yahoolink.php, it is possible that these attacks are exploiting a PHP vulnerability. The pages are then promoted through spam email. You can simply (carefully) search for "yahoolink.php" in your favourite search engine to see the scope of the problem.
People who click on the link get redirected through several steps:
Domain | IP | Host |
vedrozhuk7.com | 63.226.210.102 | NETPOINT, Utah |
(no domain) | 188.229.90.71 | Securvera SRL, Romania |
www.medi-corp24-7.com | 94.60.121.34 | Cover Sun Design SRL, Romania |
The endpoint appears to be a standard fake pharmacy site. I couldn't see any malicious code, but that could always change.
With Romanian hosts I recommend a one-strike policy, i.e. block the whole netblock as soon as you come across malicious activity from it. Unless you have business dealings with Romania, any traffic to a Romanian host is likely to be malware or spam related. So in this case, blocking 188.229.90.0/23 and 94.60.120.0/22 will probably do no harm.
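A site owner on one of the affected servers will want to check their own document root rather than a search engine. The following Python script is an added example (not from the original post, and not a DreamHost tool): it flags any file whose name or contents contain the yahoolink.php marker and any PHP file changed in the last week, and demo() runs it over a small sample site that the script constructs itself.

```python
"""Check a web document root for files dropped by the yahoolink.php campaign.

Added example, not from the original post. It flags any file whose name or
contents contains the marker string, and any PHP file modified within the
last `days` days, which is how a site owner would look for pages that were
added without their knowledge. The site built by build_sample_site() is
constructed for illustration, not real DreamHost content.
"""
import os
import tempfile
import time
from pathlib import Path

MARKER = "yahoolink.php"
PHP_SUFFIXES = {".php", ".phtml", ".php5"}


def scan_webroot(root, marker=MARKER, days=7, now=None):
    """Return sorted (relative_path, reason) pairs for suspicious files under root."""
    now = time.time() if now is None else now
    cutoff = now - days * 86400
    root = Path(root)
    needle = marker.encode()
    hits = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        reasons = []
        if marker in path.name:
            reasons.append("filename matches marker")
        try:
            if needle in path.read_bytes():
                reasons.append("content contains marker")
            recent = path.stat().st_mtime >= cutoff
        except OSError:
            continue  # unreadable file: skip rather than abort the whole scan
        if path.suffix.lower() in PHP_SUFFIXES and recent:
            reasons.append(f"PHP file modified in last {days} days")
        hits.extend((rel, r) for r in reasons)
    return sorted(hits)


def build_sample_site(root, now=None):
    """Create a constructed sample site under root: one legitimate old page,
    one freshly dropped yahoolink.php, one page edited to link to it, one image."""
    now = time.time() if now is None else now
    root = Path(root)
    files = {
        "index.php": (b"<?php echo 'legitimate page'; ?>", now - 400 * 86400),
        "yahoolink.php": (b"<?php header('Location: http://pharmacy.invalid/'); ?>", now - 3600),
        "blog/spam.html": (b"<a href='/yahoolink.php?id=1'>cheap pills</a>", now - 3600),
        "img/logo.jpg": (b"\xff\xd8\xff\xe0 not a real jpeg", now - 3600),
    }
    for rel, (data, mtime) in files.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)
        os.utime(p, (mtime, mtime))  # backdate the legitimate page, keep the rest fresh
    return root


def demo():
    """Build the sample site in a temporary directory and scan it."""
    now = time.time()
    with tempfile.TemporaryDirectory() as d:
        build_sample_site(d, now=now)
        return scan_webroot(d, days=7, now=now)


if __name__ == "__main__":
    for rel, reason in demo():
        print(f"{rel}: {reason}")
```

Run it against a real site as scan_webroot("/home/user/example.com") with days tuned to when the spam started; the content check is what catches legitimate pages that were merely edited to link to the dropped file.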
Sunday, 26 June 2011
yahoolink.php / DreamHost hack
Labels:
DreamHost,
Injection Attacks,
PHP,
Romania
Thursday, 23 June 2011
Peteris Sahurovs and Marina Maslobojeva arrested: Sagade hopefully busted
Another victory for the good guys, according to El Reg.
The Department of Justice and the FBI have cracked an international scareware ring believed to have scammed over $72m (£45m).
The gang screwed money out of more than a million victims. They installed software on their computers which falsely claimed to have detected viruses or malware. The gang then took payment for supposedly cleaning up the machines.
22-year-old Peteris Sahurovs and 23-year-old Marina Maslobojeva were arrested in Latvia on charges made in court in Minnesota.
Although there are several bad hosts in Latvia, the one that really stands out is Sagade Ltd. And it looks very much as if Peteris Sahurovs worked for Sagade: his screen name on the internet was piotrek89, which was also the abuse address for the Sagade network.
Sagade seemed to be linked to a number of other Latvian outfits, so hopefully this will make a major dent in malicious activity from that country. Until it gets cleaned up though, Latvian netblocks should still be treated with suspicion.
The FBI have a press release about it here.
Labels:
Evil Network,
Latvia,
Sagade Ltd
Fake job domains 23/6/11
Another day, another set of fake job domains forming part of this long-running scam. The domains were registered just two days ago to a presumably fictitious character called "Leonid Pravduk".
au-joblists.com
europ-joblist.com
gb-totaljob.com
uk-joblists.com
us-joblists.com
The "job" being offered is usually something like a money mule or taking part in a reshipping scam. In any case, the so-called job is illegal and should be avoided.
If you have a copy of a sample email, please share it in the comments section!
Labels:
Job Offer Scams,
Lapatasker,
Money Mule,
Russia,
Scams
Wednesday, 22 June 2011
Some malware sites to block
These domains are associated with the Win32/FakeRean "Fake anti-virus" trojan, and are worth blocking.
The Comodo report for this bit of nastiness is here.
Domain | IP |
laxesepaweno.com | 50.23.83.40 |
fugegewulevu.com | 50.23.83.41 |
tepucazij.com | 50.23.83.42 |
cuhucupivu.com | 50.23.84.216 |
sirakapofeti.com | 50.23.84.217 |
zenevakyfa.com | 50.23.84.218 |
tuwynaropotit.com | 50.23.193.236 |
cikipihigilani.com | 50.23.193.237 |
pifajeniwyt.com | 50.23.193.238 |
wumytaxuboly.com | 50.23.200.56 |
tevisuwapucumu.com | 76.73.85.251 |
jicylegavade.com | 76.73.85.252 |
dolagomosu.com | 85.17.239.191 |
bumucewafypevy.com | 85.17.239.192 |
xaqygacatewuk.com | 85.17.239.198 |
mysupigaqyme.com | 173.193.196.178 |
zypomamuzosa.com | 173.249.145.53 |
nylujusofo.com | 173.249.145.54 |
qajivehucewupo.com | 173.249.145.55 |
wyduzylys.com | 174.36.220.136 |
vyqivaneh.com | 174.36.220.136 |
litubibam.com | 174.36.220.138 |
pykolujij.com | 188.240.32.162 |
gyravatimak.com | 188.240.32.163 |
dubacobimude.com | 188.240.32.164 |
waliwetixybuk.com | 204.45.41.82 |
tixirukemosa.com | 204.45.41.83 |
sumuryvynuh.com | 204.45.41.84 |
dazixydecamur.com | |
cadyfahirecyci.com | |
myfofeviqilo.com | |
Labels:
Fake Anti-Virus,
Trojans
Tuesday, 21 June 2011
"Federal Tax transfer rejected" malware
I've never paid taxes to the IRS and I don't intend to now..
From: Jeannette_Case@irs.gov
Date: 21 June 2011 11:16
Subject: Federal Tax transfer rejected
Your federal Tax payment (ID: 632869994691), recently from your checking account was canceled by the your Bank.
Canceled Tax transfer Tax Transaction ID: 632869994691 Reason of rejection See details in the report below FederalTax Transaction Report
tax_report_632869994691.pdf.exe (self-extracting archive, Adobe PDF)
Internal Revenue Service, Metro Plex 1, 8401 Corporate Drive, Suite 300, Landover, MD 20785
The spam attempts (and fails) to download malware from uhkusrrthyjshjfd.cz.cc (89.208.149.215, Russia) via IRS-REPORTS-WEB-FILE-6856.INFO (parked at Godaddy). In my opinion, all .cz.cc domains are suspect and are worth blocking.
Update 28/9/11: a new version of this email is doing the rounds. This DOES successfully infect vulnerable machines, I will try to find more details.
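Two filter checks fall out of this message, shown here as an added example that is not taken from the post: the attachment name hides an executable behind a .pdf extension, and the advice to block every .cz.cc domain needs a suffix match on whole DNS labels rather than a substring test (otherwise "notcz.cc" would match too). SAMPLE_MESSAGE is constructed from the sender, attachment name and hosts quoted above; the "links outside the sender's domain" heuristic is this example's own addition.

```python
"""Mail-filter checks suggested by the "Federal Tax transfer rejected" spam.

Added example, not the author's tooling. SAMPLE_MESSAGE is constructed from
the headers, attachment name and hosts quoted in the post.
"""

EXEC_EXTENSIONS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs"}
DOCUMENT_EXTENSIONS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png"}
BLOCKED_SUFFIXES = {"cz.cc"}   # the post's advice: treat every .cz.cc domain as suspect


def attachment_verdict(filename):
    """Return a reason if the attachment is executable, noting when it is
    disguised with a document extension (tax_report_....pdf.exe); else None."""
    parts = filename.lower().rsplit(".", 2)   # up to [stem, inner_ext, outer_ext]
    if len(parts) < 2 or parts[-1] not in EXEC_EXTENSIONS:
        return None
    if len(parts) == 3 and parts[-2] in DOCUMENT_EXTENSIONS:
        return f"executable disguised as .{parts[-2]}"
    return "executable attachment"


def domain_blocked(host, suffixes=BLOCKED_SUFFIXES):
    """True if host equals or is a subdomain of any blocked suffix. Matching is
    done on whole DNS labels so 'notcz.cc' or 'cz.com' do not match 'cz.cc'."""
    labels = host.lower().rstrip(".").split(".")
    for suffix in suffixes:
        s = suffix.lower().split(".")
        if len(labels) >= len(s) and labels[-len(s):] == s:
            return True
    return False


def message_verdicts(msg, suffixes=BLOCKED_SUFFIXES):
    """Combine both checks over a parsed message (dict with from/attachments/
    link_hosts) plus a heuristic for links outside the claimed sender's domain."""
    reasons = []
    for name in msg.get("attachments", []):
        verdict = attachment_verdict(name)
        if verdict:
            reasons.append(f"attachment {name}: {verdict}")
    sender_domain = msg.get("from", "").rsplit("@", 1)[-1].lower()
    for host in msg.get("link_hosts", []):
        if domain_blocked(host, suffixes):
            reasons.append(f"link to blocked domain {host}")
        elif sender_domain and not domain_blocked(host, {sender_domain}):
            reasons.append(f"link to {host} outside sender domain {sender_domain}")
    return reasons


# Constructed from the post: spoofed irs.gov sender, .pdf.exe attachment, the
# parked redirector domain and the .cz.cc download host.
SAMPLE_MESSAGE = {
    "from": "Jeannette_Case@irs.gov",
    "subject": "Federal Tax transfer rejected",
    "attachments": ["tax_report_632869994691.pdf.exe"],
    "link_hosts": ["irs-reports-web-file-6856.info", "uhkusrrthyjshjfd.cz.cc"],
}

if __name__ == "__main__":
    for reason in message_verdicts(SAMPLE_MESSAGE):
        print(reason)
```

The label-boundary comparison in domain_blocked is the part worth copying: a naive `host.endswith("cz.cc")` would also block "notcz.cc", and `"cz.cc" in host` would block anything with that substring anywhere in the name.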
Nokia N9. Beautiful but doomed.
I've always been a fan of big Nokias, especially the Communicator series. My collection includes a Nokia E90, Nokia 9500, Nokia 9110i, a Nokia 770 tablet and even the rare Nokia 7710 touchscreen phone.
So I should be pretty excited by the Nokia N9. Well, yes.. actually I am excited by the N9 which is Nokia's most powerful phone to date. There's a lovely big OLED screen, a relatively fast processor, lots of memory and the interesting looking MeeGo operating system as well.
But will I be buying one? Probably not. MeeGo is doomed. Nokia announced a switch to Windows earlier this year, but the MeeGo-powered N9 was already in development and is now official. However, it's quite likely that we won't see another MeeGo device from Nokia, leaving the N9 as an orphan. And an expensive orphan at that.
The N9 really should have been announced over a year ago to follow up from the N900; as it is, it's a beautiful but ultimately doomed device, which is quite sad. Perhaps there will be some bargain ones on eBay in the future though..
[Via]
Sunday, 19 June 2011
Fake job domains 19/6/11
A whole batch of domains advertising fake jobs today (mostly money mule operations). These were registered two days ago to the fictitious "Leonid Pravduk" registrant that we have seen recently, and form part of the very long-running "Lapatasker" series of scam domains.
europe-hire.net
green-westeurope.com
hosting-europ.com
newgreen-europ.com
traffic-europ.com
us-totaljob.com
usa-totaljob.com
Avoid these, basically.. but if you do have a sample email, feel free to share it in the comments.
Labels:
Job Offer Scams,
Lapatasker,
Money Mule,
Russia,
Scams
Friday, 17 June 2011
Fake jobs: totaljob-eu.com
Another day, another fake job domain used for contacting potential money laundering mules, this time totaljob-eu.com which is a part of this long-running scam.
The domain was registered just yesterday to the new "Leonid Pravduk" persona that the scammers seem to be using. Avoid.
Leonid Pravduk
Email: leonpravduk@yahoo.com
Organization: Leonid Pravduk
Address: ul.Beregovaya 13-2
City: Doneck
State: Doneckaya
ZIP: 83000
Country: UA
Phone: +3.80443582153
Labels:
Job Offer Scams,
Lapatasker,
Money Mule,
Russia,
Scams
Thursday, 16 June 2011
SMS Spam: "You have still not claimed the compensation you are due.."
These mystery ambulance-chasing SMS spammers are at it again:
You have still not claimed the compensation you are due for the accident you had. To claim then pls reply CLAIM. To opt out text STOP
In this case the spam comes from +44749353036, but the spammers rotate numbers regularly as they get blacklisted.
If you get one of these, forward the message to 7726 ("SPAM") on T-Mobile, O2, Orange or Three. If you are a Vodafone customer, forward it to 87726 ("VSPAM"). Your carrier should be able to block the spammer's number and with enough evidence may be able to take action against them.
Update: 3's spam reporting number is 37726 (3SPAM). Thanks for the tip, Richard!
Fake jobs: cosulting-eu.com and espana-cvbase.com
Two more fake domains in the long-running "Lapatasker" series:
cosulting-eu.com
espana-cvbase.com
The registration details have changed (see below), but otherwise this is the same old attempt to recruit people for money laundering. Avoid.
Leonid Pravduk
Email: leonpravduk@yahoo.com
Organization: Leonid Pravduk
Address: ul.Beregovaya 13-2
City: Doneck
State: Doneckaya
ZIP: 83000
Country: UA
Phone: +3.80443582153
Labels:
Job Offer Scams,
Lapatasker,
Money Mule,
Russia,
Scams
Tuesday, 14 June 2011
SMS Spam: "URGENT! If you took out a Bank Loan prior to 2007.."
This SMS spam is probably from the same bunch of scumbags who brought you this long-running ambulance chasing spam.
URGENT! If you took out a Bank Loan prior to 2007 then you are almost certainly entitled to £2300 in compensation. To claim text 'YES'. Free to apply.
In this case the SMS came from +447591233963, but the spammers vary these all the time to avoid getting blocked. (Update 28/9: they are now using +447968780878 and +447968766208. Update 30/9: and now +44798044443.)
Since they don't honour TPS opt-outs, then they are probably not to be trusted.. whoever they are.
If you get one of these, forward the message to 7726 ("SPAM") on T-Mobile, O2 or Orange. If you are a Vodafone customer, forward it to 87726 ("VSPAM"); on Three the number is 37726 ("3SPAM"). Your carrier should be able to block the spammer's number and with enough evidence may be able to take action against them.
If you see any other telephone numbers for this, please consider letting us know through a Comment.
Fake jobs: usa-jobslist.com
Another addition to this long running scam, usa-jobslist.com is freshly registered and will be used to attempt to recruit people for money laundering and other illegal activities. Avoid.
Labels:
Job Offer Scams,
Lapatasker,
Money Mule,
Russia,
Scams,
Spam
Monday, 13 June 2011
Fake jobs: gb-offerlist.com, high-webtraffic.com and traffic-dc.com
More fake job offers.. or at least more fake something from the crew behind the "Lapatasker" series of dodgy domains:
gb-offerlist.com
high-webtraffic.com
traffic-dc.com
The shift in domain names might mean a shift in tactics, but be assured that any solicitation you get from email addresses at these domains will be a scam.
Labels:
Job Offer Scams,
Lapatasker,
Money Mule,
Russia,
Scams,
Spam
Thursday, 9 June 2011
Fake jobs: europe-joblist.com
Another fake "Lapatasker" job offer domain, europe-joblist.com was registered just yesterday to "Aleksej Iliin".
The standard pitch is for a job that actually involves money laundering or some other criminal activity. Avoid.
Labels:
Job Offer Scams,
Lapatasker,
Russia,
Scams,
Spam
Wednesday, 8 June 2011
94.244.80.7 / bookpolo.com / booksolo.com / bookgusa.com injection attacks
The crew responsible for the LizaMoon and Worid-Of-Books.com attacks are back with a new set of injection attacks, this time hosted on 94.244.80.7 in Lithuania.
The following domains are currently in use:
bookaros.com
bookarra.com
bookavio.com
bookdolo.com
bookfula.com
bookgusa.com
bookmonn.com
bookmono.com
bookmylo.com
booknunu.com
bookpolo.com
booksgou.com
booksoco.com
booksolo.com
booktuba.com
bookvila.com
bookvivi.com
bookvoxy.com
bookzoul.com
bookzula.com
Registrant details are familiar and fake:
James Northone (JamesNorthone)
Email: jamesnorthone@hotmailbox.com
Phone: +1.5168222749
Fax: +1.5168222749
Address: 128 Lynn Court
City: Plainview
State: NY
ZIP: 1180
Country: US
The injection attacks seem either to insert an anchor with the word "book" pointing to one of the bad sites, presumably as a "Worid of Books"-type SEO campaign, or to use the ur.php approach that LizaMoon used.
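To find either pattern in pages or in database content, the following Python is an added example that is not the author's code: it scans text for a "book" anchor pointing at any domain in the list above and for a script include ending in /ur.php, and strips both while leaving legitimate anchors alone. BAD_DOMAINS is the list from this post; SAMPLE_PAGE is constructed and injected.example is a placeholder host.

```python
"""Detect and strip the two injection patterns described in the post.

Added example, not the author's code. BAD_DOMAINS is the post's list;
SAMPLE_PAGE is constructed, with injected.example as a placeholder host.
"""
import re

BAD_DOMAINS = {
    "bookaros.com", "bookarra.com", "bookavio.com", "bookdolo.com", "bookfula.com",
    "bookgusa.com", "bookmonn.com", "bookmono.com", "bookmylo.com", "booknunu.com",
    "bookpolo.com", "booksgou.com", "booksoco.com", "booksolo.com", "booktuba.com",
    "bookvila.com", "bookvivi.com", "bookvoxy.com", "bookzoul.com", "bookzula.com",
}

# <a href="http://bookpolo.com/">book</a>  (SEO-style injected anchor)
ANCHOR_RE = re.compile(
    r'<a\s[^>]*href=["\']?https?://([^/"\'\s>]+)[^>]*>\s*book\s*</a>', re.I)
# <script src=http://host/ur.php></script>  (LizaMoon-style script include)
SCRIPT_RE = re.compile(
    r'<script\s[^>]*src=["\']?https?://([^/"\'\s>]+)/ur\.php[^>]*>\s*</script>', re.I)


def _is_bad(host, bad_domains):
    """Compare the host against the list, ignoring a leading www."""
    host = host.lower()
    if host.startswith("www."):
        host = host[4:]
    return host in bad_domains


def find_injections(text, bad_domains=BAD_DOMAINS):
    """Return (kind, host) for each injected fragment found in text."""
    hits = []
    for m in ANCHOR_RE.finditer(text):
        if _is_bad(m.group(1), bad_domains):
            hits.append(("anchor", m.group(1).lower()))
    for m in SCRIPT_RE.finditer(text):
        hits.append(("ur.php script", m.group(1).lower()))
    return hits


def remove_injections(text, bad_domains=BAD_DOMAINS):
    """Strip the injected fragments; a "book" anchor to a domain not on the
    list is kept, since only the listed hosts are known bad."""
    def drop_bad_anchor(m):
        return "" if _is_bad(m.group(1), bad_domains) else m.group(0)
    return SCRIPT_RE.sub("", ANCHOR_RE.sub(drop_bad_anchor, text))


# Constructed sample: one legitimate link, one injected anchor, one anchor that
# looks similar but points elsewhere, one ur.php include.
SAMPLE_PAGE = """<html><body>
<h1>Welcome</h1><p>Read our <a href="/about">about page</a>.</p>
<p>Injected:</p><a href="http://bookpolo.com/">book</a>
<p>Legitimate:</p><a href="http://books.example.org/">book</a>
<script src=http://injected.example/ur.php></script>
</body></html>"""

if __name__ == "__main__":
    for kind, host in find_injections(SAMPLE_PAGE):
        print(f"{kind}: {host}")
    print(remove_injections(SAMPLE_PAGE))
```

Run find_injections over the text columns of a site's database dump as well as its files; SQL injection campaigns of this kind write the fragment into stored content, so a clean file system proves little on its own.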
The whole 94.244.64.0/18 block looks toxic and is worth blocking. I'll post more details on that when I get the time.
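The two Romanian blocks recommended in the yahoolink.php post above and the Lithuanian /18 here call for the same small tool: parse the CIDRs, confirm which entry catches a given address, size the block before deploying it, and emit firewall rules. This Python script is an added example rather than anything from the posts; the iptables lines assume a Linux host, and the merge of bare addresses into a /31 uses three of the FakeRean addresses from the 22 June post.

```python
"""Build and query an IP blocklist from the netblocks named in these posts.

Added example, not the author's tooling. The CIDRs come from the yahoolink.php
post (the two Romanian blocks) and this post (the Lithuanian /18); the
aggregation, lookup and rule output are this example's own. The iptables
command lines assume a Linux host; adapt them for other firewalls.
"""
import ipaddress

BLOCKED_NETS = [
    "188.229.90.0/23",   # Securvera SRL, Romania (redirect hop 188.229.90.71)
    "94.60.120.0/22",    # Cover Sun Design SRL, Romania (fake pharmacy on 94.60.121.34)
    "94.244.64.0/18",    # Lithuanian block hosting the book*.com injection domains
]


def build_blocklist(nets, hosts=()):
    """Parse CIDRs plus bare addresses into a collapsed, sorted list of networks.
    Adjacent single hosts are merged (e.g. .40 and .41 become a /31)."""
    parsed = [ipaddress.ip_network(n, strict=False) for n in nets]
    parsed += [ipaddress.ip_network(h) for h in hosts]   # a bare address becomes a /32
    return list(ipaddress.collapse_addresses(parsed))


def matching_block(ip, blocklist):
    """Return the blocklist entry that contains ip, or None if it is not listed."""
    addr = ipaddress.ip_address(ip)
    for net in blocklist:
        if addr in net:
            return net
    return None


def blast_radius(blocklist):
    """Number of addresses the list covers: a sanity check before dropping a whole /18."""
    return sum(net.num_addresses for net in blocklist)


def iptables_rules(blocklist, chain="INPUT"):
    """Render one DROP rule per entry."""
    return [f"iptables -A {chain} -s {net.with_prefixlen} -j DROP" for net in blocklist]


if __name__ == "__main__":
    bl = build_blocklist(BLOCKED_NETS)
    for ip in ("188.229.90.71", "94.60.121.34", "94.244.80.7", "63.226.210.102"):
        print(ip, "->", matching_block(ip, bl))
    print("addresses covered:", blast_radius(bl))
    print("\n".join(iptables_rules(bl)))
```

The NETPOINT hop (63.226.210.102) deliberately falls outside the list, since the posts only call for blocking the Romanian and Lithuanian ranges; blast_radius makes the cost of a /18 (16,384 addresses) visible before the rules go live.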
Labels:
Injection Attacks,
Lithuania,
LizaMoon
Tuesday, 7 June 2011
Fake jobs: allconsult-eu.com, es-joblist.com and us-joblist.com
Another bunch of fake "Lapatasker" job offers, part of a long-running series. The jobs offered will include such illegal activities as money laundering and receiving stolen goods, so they are worth avoiding.
allconsult-eu.com
es-joblist.com
us-joblist.com
Contact details on the domain are probably fake ("Aleksej Iliin" again):
Aleksej Iliin
Email: abolan@mail.org
Organization: Private person
Address: Okruzhnaya ul. d.5 kv.4
City: Moskva
State: Moskovskaya obl.
ZIP: 183124
Country: RU
Phone: +7.4959424617
Fax: +7.4959424617
All domains were registered on 5th June.
Labels:
Job Offer Scams,
Lapatasker,
Russia,
Scams,
Spam
Tuesday, 31 May 2011
Liver Transplant spam
A weird one here.. somebody offering bits of their liver for sale. Of course it could be a scam, but it might even be genuine (which is perhaps more disconcerting). Originating IP address is 95.167.110.9 in Russia.
From: Alex alexsilpo@yahoo.com
Date: 30 May 2011 10:37
subject: Liver transplant.
Hello.
I found your e-mail adress on medical site of transplant and liver problems.
My name is Alex, I am 31 years european man, I never drank alcohol and did not smoke cigarettes, my blood is O+ and I have a good health. If you need liver transplant I am ready to give part of my liver, but I want to receive a big compensation for that...
If you do not need liver transplant, but you know somebody who need it, please send my message to this person or keep it just in case.
alexsilpo@yahoo.com
alexsilpo@hotmail.com
alexsilpoeu@yandex.ua
Alex
P.S. If I was mistaken, I am sorry, I will not disturb you any more.
Fake jobs: 1new-position.com, gb-hire.net, gb-jbprogramm.com, online-vacancy.net and us-vacancy.net
In another installment of this long-running job scam, the following domains were newly registered (two days ago) and are most likely to be used to recruit people for money laundering and other criminal activities. Avoid.
1new-position.com
gb-hire.net
gb-jbprogramm.com
online-vacancy.net
us-vacancy.net
Domains are registered to the "Aleksej Iliin" persona that we have seen many times before.
Labels:
Job Offer Scams,
Lapatasker,
Scams,
Spam
Tuesday, 24 May 2011
gb-offers.com bogus job offers
Another domain offering bogus jobs in money laundering or other illegal activities is gb-offers.com, part of the long-running "Lapatasker" series of scams. As with other recent domains, this too is registered to the (probably fake) "Aleksej Iliin" persona.
Avoid.
Labels:
Job Offer Scams,
Lapatasker,
Russia,
Scams,
Spam
Friday, 20 May 2011
Fake jobs: au-position.org and europjob.org
Two new(ish) fake job domains in the "Lapatasker" series, au-position.org and europjob.org are being used to recruit money mules etc etc.
As usual, avoid.
Labels:
Job Offer Scams,
Lapatasker,
Scams,
Spam