Two new fake job domains that form part of this long-running series, job-britain.com and job4america.com are pushing fake job offers which will actually be illegal activities like money laundering.
These domains were registered just yesterday to a fake registrant called "Leonid Pravduk". Avoid.
If you have samples of the spam emails using these domains, please consider sharing them in the comments.
Friday, 8 July 2011
Fake jobs: job-britain.com and job4america.com
Labels:
Job Offer Scams,
Lapatasker,
Money Mule,
Russia,
Scams
Thursday, 7 July 2011
Fake jobs: westgroupcv.net, wug-cunsulting.net, wug-joblist.com and wugcv-offers.com
Four new domains forming part of the very long-running "Lapatasker" series of fake job offers:
westgroupcv.net
wug-cunsulting.net
wug-joblist.com
wugcv-offers.com
These job offers will typically involve illegal money mule operations and other fraudulent activities. Unless you enjoy jail time, they are best ignored.
If you have any example emails, please consider sharing them in the comments!
westgroupcv.net
wug-cunsulting.net
wug-joblist.com
wugcv-offers.com
These job offers will typically involve illegal money mule operations and other fraudulent activities. Unless you enjoy jail time, they are best ignored.
If you have any example emails, please consider sharing them in the comments!
Labels:
Job Offer Scams,
Lapatasker,
Money Mule,
Russia,
Scams
Tuesday, 5 July 2011
Sapphire Town Real Estate (sapphiretown.com) suck
I don't normally post twice on one spammer, but the idiots at Sapphire Town Real Estate seem to have hit new levels of stupidity with this spam that they have now sent 283 times, apparently about 1% into a dictionary attack (so I can expect to see it 28,000 more times!)
If they are this stupid when it comes to doing business then I would advise giving them a wide berth.
Update: now 4386 times and counting!
If they are this stupid when it comes to doing business then I would advise giving them a wide berth.
Update: now 4386 times and counting!
Monday, 4 July 2011
Sapphire Town Real Estate "Labour Camps" spam. Just add slaves.
This spam for labour camps was so important to the sender that they sent it 300 times (and counting). Just add slaves, I guess. And in jolly Comic Sans too! Originating IP is 86.96.226.150 in the UAE, all attempts at contacting their abuse department bounce. Classy.
From: Sapphire Town Real Estate stre@emirates.net.ae
Reply-To: info@sapphiretown.com
To: Redacted
Date: 4 July 2011 19:12
Subject: Labour Camps
Dear Valued Customer,We offer a wide variety of labour camps for rent in ALMUHAISNAH 2nd (Sonapour), AL QUOZ, JEBEL ALI and DIP with your exact requirements and reasonable price.
Labour Camp in Al QuozTotal Rooms = 295Supervisors Rooms = 5Kitchen = 7Dining =7Toilet =117Showers =117Parking for 14 buses and 25 carsPrice = AED 1,250 All Inclusive Labour camp in Al Muhaisnah 2ndTotal Rooms = 140Kitchen = 3Dining = 3Showers = 60Toilets = 60Price = AED 1,200 All Inclusive
Labour Camp for Rent in DIP phase 1Total Room = 70Kitchen & Dining =2Toilet & Showers = 50Price = AED 1,600 All Inclusive
Labour Camp for Rent in Jebel Ali Ind.3Total Rooms = 200Kitchen & Dining = 4Toilets & Showers = 160TV, First Aid, Gym & Service RoomPrice = AED 1,400 All InclusiveIf you have any questions or concerns, please email us directly stre@eim.ae Or call 050-3479984///04-2576603
- Labour Camps & Warehouses for Sale.
- Residential Building For sale in Bur Dubai.
This E-mail has been sent to you as a person interested in the information enclosed. If you have received this e-mail in error please notify theoriginator of the Email If you want your Email to be removed PLEASE reply to info@sapphiretown.com to ''Remove from list''. We sincerely apologize for the possible inconvenience.
Labels:
Dubai,
Etisalat,
Sapphire Town Real Estate,
Spam,
Stupidity
Sunday, 3 July 2011
Fake jobs: europe-cv.net, gb-traffic.com and totaljoblists.net
A trio of domains being used to push fake jobs (such as money mule operations) and other illegal activities, part of this long running series. The domains were registered just yesterday.
europe-cv.net
gb-traffic.com
totaljoblists.net
Avoid any offers soliciting a reply to these domains. If you have an example spam email, please consider sharing it in the comments. Thanks!
europe-cv.net
gb-traffic.com
totaljoblists.net
Avoid any offers soliciting a reply to these domains. If you have an example spam email, please consider sharing it in the comments. Thanks!
Labels:
Job Offer Scams,
Lapatasker,
Money Mule,
Russia,
Scams
Thursday, 30 June 2011
Fake jobs: au-jobposition.com
Another domain being used to promote money laundering jobs or other criminal enterprises is au-jobposition.com which forms part of this long-running scam.
As usual, avoid. If you have any samples, please consider posting them in the comments section.
As usual, avoid. If you have any samples, please consider posting them in the comments section.
Labels:
Job Offer Scams,
Lapatasker,
Money Mule,
Russia,
Scams
Tuesday, 28 June 2011
Fake jobs: greece-joblist.com and italia-lavoro.net
A pair of domains offering fake money mule jobs or reshipping mule jobs, the greece-joblist.com and italia-lavoro.net domains seem to be targeting Italian and Greek victims and form part of this long running scam.
If you have any examples (especially non-English ones) please share them in the comments!
If you have any examples (especially non-English ones) please share them in the comments!
Labels:
Greece,
Italy,
Job Offer Scams,
Lapatasker,
Money Mule,
Russia,
Scams
Sunday, 26 June 2011
yahoolink.php / DreamHost hack
It appears that a lot of DreamHost (New Dream Network LLC) sites have been hacked with malicious pages added to them. The issue impacts multiple servers at different DreamHost datacenters. Some sample IPs with infected sites include:
67.205.1.63
67.205.3.51
67.205.3.230
69.163.168.135
69.163.169.247
69.163.181.205
69.163.184.86
75.119.217.8
Given that the hacked pages all contain the string yahoolink.php then it is possible that these attacks are using a PHP vulnerability. The pages are then promoted through spam email. You can simply (carefully) search for "yahoolink.php" in your favourite search engine to see the scope of the problem.
People who click on the link get redirected through several steps:
vedrozhuk7.com
63.226.210.102
NETPOINT, Utah
(no domain)
188.229.90.71
Securvera SRL, Romania
www.medi-corp24-7.com
94.60.121.34
Cover Sun Design SRL, Romania
The endpoint appears to be a standard fake pharmacy site, I couldn't see any malicious code but that could always change.
With Romanians hosts I recommend a one-strike policy.. i.e. block the whole lot as soon as you come across a netblock with malicious activity. Unless you have business dealings with Romania, then any traffic to a Romanian host is likely to be malware or spam related. So in this case, blocking 188.229.90.0/23 and 94.60.120.0/22 will probably do no harm.
67.205.1.63
67.205.3.51
67.205.3.230
69.163.168.135
69.163.169.247
69.163.181.205
69.163.184.86
75.119.217.8
Given that the hacked pages all contain the string yahoolink.php then it is possible that these attacks are using a PHP vulnerability. The pages are then promoted through spam email. You can simply (carefully) search for "yahoolink.php" in your favourite search engine to see the scope of the problem.
People who click on the link get redirected through several steps:
vedrozhuk7.com
63.226.210.102
NETPOINT, Utah
(no domain)
188.229.90.71
Securvera SRL, Romania
www.medi-corp24-7.com
94.60.121.34
Cover Sun Design SRL, Romania
The endpoint appears to be a standard fake pharmacy site, I couldn't see any malicious code but that could always change.
With Romanians hosts I recommend a one-strike policy.. i.e. block the whole lot as soon as you come across a netblock with malicious activity. Unless you have business dealings with Romania, then any traffic to a Romanian host is likely to be malware or spam related. So in this case, blocking 188.229.90.0/23 and 94.60.120.0/22 will probably do no harm.
Labels:
DreamHost,
Injection Attacks,
PHP,
Romania
Thursday, 23 June 2011
Peteris Sahurovs and Marina Maslobojeva arrested: Sagade hopefully busted
Another victory for the good guys, according to El Reg.
Sagade seemed to be linked to a number of other Latvian outfits, so hopefully this will make a major dent in malicious activity from that country. Until it gets cleaned up though, Latvian netblocks should still be treated with suspicion.
The FBI have a press release about it here.
The Department of Justice and the FBI have cracked an international scareware ring believed to have scammed over $72m (£45m).Although there are several bad hosts in Latvia, the one that really stands out is Sagade Ltd. And it looks very much as if Peteris Sahurovs worked for Sagade, his screen name on the internet was piotrek89 which was also the abuse address for the Sagade network.
The gang screwed money out of more than a million victims. They installed software on their computers which falsely claimed to have detected viruses or malware. The gang then took payment for supposedly cleaning up the machines.
22-year-old Peteris Sahurovs and 23-year-old Marina Maslobojeva were arrested in Latvia on charges made in court in Minnesota.
Sagade seemed to be linked to a number of other Latvian outfits, so hopefully this will make a major dent in malicious activity from that country. Until it gets cleaned up though, Latvian netblocks should still be treated with suspicion.
The FBI have a press release about it here.
Labels:
Evil Network,
Latvia,
Sagade Ltd
Fake job domains 23/6/11
Another day, another set of fake job domains forming part of this long-running scam. The domains were registered just two days ago to a presumably fictitious character called "Leonid Pravduk".
au-joblists.com
europ-joblist.com
gb-totaljob.com
uk-joblists.com
us-joblists.com
The "job" being offered is usually something like a money mule or taking part in a reshipping scam. In any case, the so-called job is illegal and should be avoided.
If you have a copy of a sample email, please share it in the comments section!
au-joblists.com
europ-joblist.com
gb-totaljob.com
uk-joblists.com
us-joblists.com
The "job" being offered is usually something like a money mule or taking part in a reshipping scam. In any case, the so-called job is illegal and should be avoided.
If you have a copy of a sample email, please share it in the comments section!
Labels:
Job Offer Scams,
Lapatasker,
Money Mule,
Russia,
Scams
Wednesday, 22 June 2011
Some malware sites to block
These domains are associated with the Win32/FakeRean "Fake anti-virus" trojan, and are worth blocking.
The Comodo report for this bit of nastiness is here.
Domain | IP |
laxesepaweno.com | 50.23.83.40 |
fugegewulevu.com | 50.23.83.41 |
tepucazij.com | 50.23.83.42 |
cuhucupivu.com | 50.23.84.216 |
sirakapofeti.com | 50.23.84.217 |
zenevakyfa.com | 50.23.84.218 |
tuwynaropotit.com | 50.23.193.236 |
cikipihigilani.com | 50.23.193.237 |
pifajeniwyt.com | 50.23.193.238 |
wumytaxuboly.com | 50.23.200.56 |
tevisuwapucumu.com | 76.73.85.251 |
jicylegavade.com | 76.73.85.252 |
dolagomosu.com | 85.17.239.191 |
bumucewafypevy.com | 85.17.239.192 |
xaqygacatewuk.com | 85.17.239.198 |
mysupigaqyme.com | 173.193.196.178 |
zypomamuzosa.com | 173.249.145.53 |
nylujusofo.com | 173.249.145.54 |
qajivehucewupo.com | 173.249.145.55 |
wyduzylys.com | 174.36.220.136 |
vyqivaneh.com | 174.36.220.136 |
litubibam.com | 174.36.220.138 |
pykolujij.com | 188.240.32.162 |
gyravatimak.com | 188.240.32.163 |
dubacobimude.com | 188.240.32.164 |
waliwetixybuk.com | 204.45.41.82 |
tixirukemosa.com | 204.45.41.83 |
sumuryvynuh.com | 204.45.41.84 |
dazixydecamur.com | |
cadyfahirecyci.com | |
myfofeviqilo.com |
The Comodo report for this bit of nastiness is here.
Labels:
Fake Anti-Virus,
Trojans
Tuesday, 21 June 2011
"Federal Tax transfer rejected" malware
I've never paid taxes to the IRS and I don't intend to now..
The spam attempts (and fails) to download malware from uhkusrrthyjshjfd.cz.cc (89.208.149.215, Russia) via IRS-REPORTS-WEB-FILE-6856.INFO (parked at Godaddy). In my opinion, all .cz.cc domains are suspect and are worth blocking.
From: Jeannette_Case@irs.gov
Date: 21 June 2011 11:16
Subject: Federal Tax transfer rejected
Your federal Tax payment (ID: 632869994691), recently from your checking account was canceled by the your Bank.
Canceled Tax transfer Tax Transaction ID: 632869994691 Reason of rejection See details in the report below FederalTax Transaction Report
tax_report_632869994691.pdf.exe (self-extracting
archive, Adobe PDF)
Internal Revenue Service, Metro Plex 1, 8401 Corporate Drive, Suite 300, Landover, MD 20785
The spam attempts (and fails) to download malware from uhkusrrthyjshjfd.cz.cc (89.208.149.215, Russia) via IRS-REPORTS-WEB-FILE-6856.INFO (parked at Godaddy). In my opinion, all .cz.cc domains are suspect and are worth blocking.
Update 28/9/11: a new version of this email is doing the rounds. This DOES successfully infect vulnerable machines, I will try to find more details.
Nokia N9. Beautiful but doomed.
I've always been a fan of big Nokias, especially the Communicator series. My collection includes a Nokia E90, Nokia 9500, Nokia 9110i, a Nokia 770 tablet and even the rare Nokia 7710 touchscreen phone.
So I should be pretty excited by the Nokia N9. Well, yes.. actually I am excited by the N9 which is Nokia's most powerful phone to date. There's a lovely big OLED screen, a relatively fast processor, lots of memory and the interesting looking MeeGo operating system as well.
But will I be buying one? Probably not. MeeGo is doomed. Nokia announced a switch to Windows earlier this year, but the MeeGo-powered N9 was already in development and is now official. However, it's quite likely that we won't see another MeeGo device from Nokia, leaving the N9 as an orphan. And an expensive orphan at that.
The N9 really should have been announced over a year ago to follow up from the N900, as it is it's a beautiful but ultimately doomed device.. which is quite sad. Perhaps there will be some bargain ones on eBay in the future though..
[Via]
So I should be pretty excited by the Nokia N9. Well, yes.. actually I am excited by the N9 which is Nokia's most powerful phone to date. There's a lovely big OLED screen, a relatively fast processor, lots of memory and the interesting looking MeeGo operating system as well.
But will I be buying one? Probably not. MeeGo is doomed. Nokia announced a switch to Windows earlier this year, but the MeeGo-powered N9 was already in development and is now official. However, it's quite likely that we won't see another MeeGo device from Nokia, leaving the N9 as an orphan. And an expensive orphan at that.
The N9 really should have been announced over a year ago to follow up from the N900, as it is it's a beautiful but ultimately doomed device.. which is quite sad. Perhaps there will be some bargain ones on eBay in the future though..
[Via]
Sunday, 19 June 2011
Fake job domains 19/6/111
A whole batch of domains advertising fake jobs today (mostly money mule operations). These were are registered two days ago to the fictitious "Leonid Pravduk" registrant that we have seen recently, and form part of the very long running "Lapatasker" series of scam domains.
europe-hire.net
green-westeurope.com
hosting-europ.com
newgreen-europ.com
traffic-europ.com
us-totaljob.com
usa-totaljob.com
Avoid these, basically.. but if you do have a sample email, feel free to share it in the comments.
europe-hire.net
green-westeurope.com
hosting-europ.com
newgreen-europ.com
traffic-europ.com
us-totaljob.com
usa-totaljob.com
Avoid these, basically.. but if you do have a sample email, feel free to share it in the comments.
Labels:
Job Offer Scams,
Lapatasker,
Money Mule,
Russia,
Scams
Friday, 17 June 2011
Fake jobs: totaljob-eu.com
Another day, another fake job domain used for contacting potential money laundering mules, this time totaljob-eu.com which is a part of this long-running scam.
The domain was registered just yesterday to the new "Leonid Pravduk" persona that the scammers seem to be using. Avoid.
The domain was registered just yesterday to the new "Leonid Pravduk" persona that the scammers seem to be using. Avoid.
Leonid Pravduk
Email: leonpravduk@yahoo.com
Organization: Leonid Pravduk
Address: ul.Beregovaya 13-2
City: Doneck
State: Doneckaya
ZIP: 83000
Country: UA
Phone: +3.80443582153
Email: leonpravduk@yahoo.com
Organization: Leonid Pravduk
Address: ul.Beregovaya 13-2
City: Doneck
State: Doneckaya
ZIP: 83000
Country: UA
Phone: +3.80443582153
Labels:
Job Offer Scams,
Lapatasker,
Money Mule,
Russia,
Scams
Thursday, 16 June 2011
SMS Spam: "You have still not claimed the compensation you are due.."
These mystery ambulance-chasing SMS spammers are at it again:
If you get one of these, forward the message to 7726 ("SPAM") on T-Mobile, O2, Orange or Three. If you are a Vodafone customer, forward it to 87726 ("VSPAM"). Your carrier should be able to block the spammer's number and with enough evidence may be able to take action against them.
Update: 3's spam reporting number is 37726 (3SPAM). Thanks for the tip, Richard!
You have still not claimed the compensation you are due for the accident you had. To claim then pls reply CLAIM. To opt out text STOPIn this case the spam comes from +44749353036, but the spammers rotate numbers regularly as they get blacklisted.
If you get one of these, forward the message to 7726 ("SPAM") on T-Mobile, O2, Orange or Three. If you are a Vodafone customer, forward it to 87726 ("VSPAM"). Your carrier should be able to block the spammer's number and with enough evidence may be able to take action against them.
Update: 3's spam reporting number is 37726 (3SPAM). Thanks for the tip, Richard!
Fake jobs: cosulting-eu.com and espana-cvbase.com
Two more fake domains in the long-running "Lapatasker" series:
cosulting-eu.com
espana-cvbase.com
The registration details have changed (see below), but otherwise this is the same old attempt to recruit people for money laundering. Avoid.
cosulting-eu.com
espana-cvbase.com
The registration details have changed (see below), but otherwise this is the same old attempt to recruit people for money laundering. Avoid.
Leonid Pravduk Email: leonpravduk@yahoo.com Organization: Leonid Pravduk Address: ul.Beregovaya 13-2 City: Doneck State: Doneckaya ZIP: 83000 Country: UA Phone: +3.80443582153
Labels:
Job Offer Scams,
Lapatasker,
Money Mule,
Russia,
Scams
Tuesday, 14 June 2011
SMS Spam: "URGENT! If you took out a Bank Loan prior to 2007.."
This SMS spam is probably from the same bunch of scumbags who brought you this long-running ambulance chasing spam.
Since they don't honour TPS opt-outs, then they are probably not to be trusted.. whoever they are.
If you get one of these, forward the message to 7226 ("SPAM") on T-Mobile, O2 or Orange.. If you are a Vodafone customer, forward it to 87726 ("VSPAM"), on Three the number is 37726 ("3SPAM") Your carrier should be able to block the spammer's number and with enough evidence may be able to take action against them.
If you see any other telephone numbers for this, please consider letting us known through a Comment.
In this case the SMS came from +447591233963, but the spammers vary these all the time to avoid getting blocked.(Update 28/9 they are now using +447968780878 and +447968766208. Update 30/9 and now +44798044443)URGENT! If you took out a Bank Loan prior to 2007 then you are almost certainly entitled to £2300 in compensation. To claim text 'YES'. Free to apply.
Since they don't honour TPS opt-outs, then they are probably not to be trusted.. whoever they are.
If you get one of these, forward the message to 7226 ("SPAM") on T-Mobile, O2 or Orange.. If you are a Vodafone customer, forward it to 87726 ("VSPAM"), on Three the number is 37726 ("3SPAM") Your carrier should be able to block the spammer's number and with enough evidence may be able to take action against them.
If you see any other telephone numbers for this, please consider letting us known through a Comment.
Fake jobs: usa-jobslist.com
Another addition to this long running scam, usa-jobslist.com is freshly registered and will be used to attempt to recruit people for money laundering and other illegal activities. Avoid.
Labels:
Job Offer Scams,
Lapatasker,
Money Mule,
Russia,
Scams,
Spam
Monday, 13 June 2011
Fake jobs: gb-offerlist.com, high-webtraffic.com and traffic-dc.com
More fake job offers.. or at least more fake something from the crew behind the "Lapatasker" series of dodgy domains:
gb-offerlist.com
high-webtraffic.com
traffic-dc.com
The shift in domain names might mean a shift in tactics, but be assured that any solicitation you get from these email addresses will be a scam.
gb-offerlist.com
high-webtraffic.com
traffic-dc.com
The shift in domain names might mean a shift in tactics, but be assured that any solicitation you get from these email addresses will be a scam.
Labels:
Job Offer Scams,
Lapatasker,
Money Mule,
Russia,
Scams,
Spam
Subscribe to:
Posts (Atom)