Sponsored by..

Friday, 8 July 2011

Fake jobs: job-britain.com and job4america.com

Two new fake job domains that form part of this long-running series, job-britain.com and job4america.com are pushing fake job offers which will actually be illegal activities like money laundering.

These domains were registered just yesterday to a fake registrant called "Leonid Pravduk". Avoid.

If you have samples of the spam emails using these domains, please consider sharing them in the comments.

Thursday, 7 July 2011

Fake jobs: westgroupcv.net, wug-cunsulting.net, wug-joblist.com and wugcv-offers.com

Four new domains forming part of the very long-running "Lapatasker" series of fake job offers:

westgroupcv.net
wug-cunsulting.net
wug-joblist.com
wugcv-offers.com


These job offers will typically involve illegal money mule operations and other fraudulent activities. Unless you enjoy jail time, they are best ignored.

If you have any example emails, please consider sharing them in the comments!

Tuesday, 5 July 2011

Sapphire Town Real Estate (sapphiretown.com) suck

I don't normally post twice on one spammer, but the idiots at Sapphire Town Real Estate seem to have hit new levels of stupidity with this spam that they have now sent 283 times, apparently about 1% into a dictionary attack (so I can expect to see it 28,000 more times!)

If they are this stupid when it comes to doing business then I would advise giving them a wide berth.

Update: now 4386 times and counting!

Monday, 4 July 2011

Sapphire Town Real Estate "Labour Camps" spam. Just add slaves.

This spam for labour camps was so important to the sender that they sent it 300 times (and counting). Just add slaves, I guess. And in jolly Comic Sans too! Originating IP is 86.96.226.150 in the UAE, all attempts at contacting their abuse department bounce. Classy.

From: Sapphire Town Real Estate stre@emirates.net.ae
Reply-To: info@sapphiretown.com
To: Redacted
Date: 4 July 2011 19:12
Subject: Labour Camps

Dear Valued Customer,
We offer a wide variety of labour camps for rent in ALMUHAISNAH 2nd (Sonapour), AL QUOZ, JEBEL ALI and DIP with your exact requirements and reasonable price.


Labour Camp in Al Quoz
Total Rooms               = 295
Supervisors Rooms     = 5
Kitchen                      = 7
Dining                        =7
Toilet                        =117
Showers                    =117
Parking for 14 buses and 25 cars
Price                 = AED 1,250 All Inclusive
Labour camp in Al Muhaisnah 2nd
Total Rooms      = 140
Kitchen              = 3
Dining                = 3
Showers            = 60
Toilets               = 60
Price                 = AED 1,200 All Inclusive

Labour Camp for Rent in DIP phase 1
Total Room          = 70
Kitchen & Dining =2
Toilet & Showers = 50
Price                 = AED 1,600 All Inclusive

Labour Camp for Rent in Jebel Ali Ind.3
Total Rooms             = 200
Kitchen & Dining      = 4
Toilets & Showers    = 160
TV, First Aid, Gym & Service Room
Price                 = AED 1,400 All Inclusive
  • Labour Camps & Warehouses for Sale.
  • Residential Building For sale in Bur Dubai.
If you have any questions or concerns, please email us directly stre@eim.ae Or call 050-3479984///04-2576603
This E-mail has been sent to you as a person interested in the information enclosed. If you have received this e-mail in error please notify the originator of the Email If you want your Email to be removed PLEASE reply to info@sapphiretown.com to ''Remove from list''. We sincerely apologize for the possible inconvenience. 

Sunday, 3 July 2011

Fake jobs: europe-cv.net, gb-traffic.com and totaljoblists.net

A trio of domains being used to push fake jobs (such as money mule operations) and other illegal activities, part of this long running series. The domains were registered just yesterday.

europe-cv.net
gb-traffic.com
totaljoblists.net

Avoid any offers soliciting a reply to these domains. If you have an example spam email, please consider sharing it in the comments. Thanks!

Thursday, 30 June 2011

Fake jobs: au-jobposition.com

Another domain being used to promote money laundering jobs or other criminal enterprises is au-jobposition.com which forms part of this long-running scam.

As usual, avoid. If you have any samples, please consider posting them in the comments section.

Tuesday, 28 June 2011

Fake jobs: greece-joblist.com and italia-lavoro.net

A pair of domains offering fake money mule jobs or reshipping mule jobs, the greece-joblist.com and italia-lavoro.net domains seem to be targeting Italian and Greek victims and form part of this long running scam.

If you have any examples (especially non-English ones) please share them in the comments!

Sunday, 26 June 2011

yahoolink.php / DreamHost hack

It appears that a lot of DreamHost (New Dream Network LLC) sites have been hacked with malicious pages added to them. The issue impacts multiple servers at different DreamHost datacenters. Some sample IPs with infected sites include:

67.205.1.63
67.205.3.51
67.205.3.230
69.163.168.135
69.163.169.247
69.163.181.205
69.163.184.86
75.119.217.8

Given that the hacked pages all contain the string yahoolink.php then it is possible that these attacks are using a PHP vulnerability. The pages are then promoted through spam email. You can simply (carefully) search for  "yahoolink.php" in your favourite search engine to see the scope of the problem.

People who click on the link get redirected through several steps:

vedrozhuk7.com
63.226.210.102
NETPOINT, Utah

(no domain)
188.229.90.71
Securvera SRL, Romania

www.medi-corp24-7.com
94.60.121.34
Cover Sun Design SRL, Romania

The endpoint appears to be a standard fake pharmacy site, I couldn't see any malicious code but that could always change.

With Romanians hosts I recommend a one-strike policy.. i.e. block the whole lot as soon as you come across a netblock with malicious activity. Unless you have business dealings with Romania, then any traffic to a Romanian host is likely to be malware or spam related. So in this case, blocking 188.229.90.0/23 and 94.60.120.0/22 will probably do no harm.

Thursday, 23 June 2011

Peteris Sahurovs and Marina Maslobojeva arrested: Sagade hopefully busted

Another victory for the good guys, according to El Reg.
The Department of Justice and the FBI have cracked an international scareware ring believed to have scammed over $72m (£45m).

The gang screwed money out of more than a million victims. They installed software on their computers which falsely claimed to have detected viruses or malware. The gang then took payment for supposedly cleaning up the machines.

22-year-old Peteris Sahurovs and 23-year-old Marina Maslobojeva were arrested in Latvia on charges made in court in Minnesota. 
Although there are several bad hosts in Latvia, the one that really stands out is Sagade Ltd. And it looks very much as if Peteris Sahurovs worked for Sagade, his screen name on the internet was piotrek89 which was also the abuse address for the Sagade network.

Sagade seemed to be linked to a number of other Latvian outfits, so hopefully this will make a major dent in malicious activity from that country. Until it gets cleaned up though, Latvian netblocks should still be treated with suspicion.

The FBI have a press release about it here.

Fake job domains 23/6/11

Another day, another set of fake job domains forming part of this long-running scam. The domains were registered just two days ago to a presumably fictitious character called "Leonid Pravduk".

au-joblists.com
europ-joblist.com
gb-totaljob.com
uk-joblists.com
us-joblists.com


The "job" being offered is usually something like a money mule or taking part in a reshipping scam. In any case, the so-called job is illegal and should be avoided.

If you have a copy of a sample email, please share it in the comments section!

Wednesday, 22 June 2011

Some malware sites to block

These domains are associated with the Win32/FakeRean "Fake anti-virus" trojan, and are worth blocking.


Domain IP
laxesepaweno.com 50.23.83.40
fugegewulevu.com 50.23.83.41
tepucazij.com 50.23.83.42
cuhucupivu.com 50.23.84.216
sirakapofeti.com 50.23.84.217
zenevakyfa.com 50.23.84.218
tuwynaropotit.com 50.23.193.236
cikipihigilani.com 50.23.193.237
pifajeniwyt.com 50.23.193.238
wumytaxuboly.com 50.23.200.56
tevisuwapucumu.com 76.73.85.251
jicylegavade.com 76.73.85.252
dolagomosu.com 85.17.239.191
bumucewafypevy.com 85.17.239.192
xaqygacatewuk.com 85.17.239.198
mysupigaqyme.com 173.193.196.178
zypomamuzosa.com 173.249.145.53
nylujusofo.com 173.249.145.54
qajivehucewupo.com 173.249.145.55
wyduzylys.com 174.36.220.136
vyqivaneh.com 174.36.220.136
litubibam.com 174.36.220.138
pykolujij.com 188.240.32.162
gyravatimak.com 188.240.32.163
dubacobimude.com 188.240.32.164
waliwetixybuk.com 204.45.41.82
tixirukemosa.com 204.45.41.83
sumuryvynuh.com 204.45.41.84
dazixydecamur.com
cadyfahirecyci.com
myfofeviqilo.com

The Comodo report for this bit of nastiness is here.

Tuesday, 21 June 2011

"Federal Tax transfer rejected" malware

I've never paid taxes to the IRS and I don't intend to now..

From: Jeannette_Case@irs.gov
Date: 21 June 2011 11:16
Subject: Federal Tax transfer rejected

Your federal Tax payment (ID: 632869994691), recently from your checking account was canceled by the your Bank.

Canceled Tax transfer
Tax Transaction ID: 632869994691
Reason of rejection See details in the report below
FederalTax Transaction Report

tax_report_632869994691.pdf.exe (self-extracting
archive, Adobe PDF)

Internal Revenue Service, Metro Plex 1, 8401 Corporate Drive, Suite 300, Landover, MD  20785

The spam attempts (and fails) to download malware from uhkusrrthyjshjfd.cz.cc (89.208.149.215, Russia) via IRS-REPORTS-WEB-FILE-6856.INFO (parked at Godaddy). In my opinion, all .cz.cc domains are suspect and are worth blocking.

Update 28/9/11: a new version of this email is doing the rounds. This DOES successfully infect vulnerable machines, I will try to find more details.

Nokia N9. Beautiful but doomed.

I've always been a fan of big Nokias, especially the Communicator series. My collection includes a Nokia E90, Nokia 9500, Nokia 9110i, a Nokia 770 tablet and even the rare Nokia 7710 touchscreen phone.

So I should be pretty excited by the Nokia N9. Well, yes.. actually I am excited by the N9 which is Nokia's most powerful phone to date. There's a lovely big OLED screen, a relatively fast processor, lots of memory and the interesting looking MeeGo operating system as well.

But will I be buying one? Probably not. MeeGo is doomed. Nokia announced a switch to Windows earlier this year, but the MeeGo-powered N9 was already in development and is now official. However, it's quite likely that we won't see another MeeGo device from Nokia, leaving the N9 as an orphan. And an expensive orphan at that.

The N9 really should have been announced over a year ago to follow up from the N900, as it is it's a beautiful but ultimately doomed device.. which is quite sad. Perhaps there will be some bargain ones on eBay in the future though..

[Via]

Sunday, 19 June 2011

Fake job domains 19/6/111

A whole batch of domains advertising fake jobs today (mostly money mule operations). These were are registered two days ago to the fictitious "Leonid Pravduk" registrant that we have seen recently, and form part of the very long running "Lapatasker" series of scam domains.

europe-hire.net
green-westeurope.com
hosting-europ.com
newgreen-europ.com
traffic-europ.com
us-totaljob.com
usa-totaljob.com


Avoid these, basically.. but if you do have a sample email, feel free to share it in the comments.

Friday, 17 June 2011

Fake jobs: totaljob-eu.com

Another day, another fake job domain used for contacting potential money laundering mules, this time totaljob-eu.com which is a part of this long-running scam.

The domain was registered just yesterday to the new "Leonid Pravduk" persona that the scammers seem to be using. Avoid.

    Leonid Pravduk
    Email: leonpravduk@yahoo.com
    Organization: Leonid Pravduk
    Address: ul.Beregovaya 13-2
    City: Doneck
    State: Doneckaya
    ZIP: 83000
    Country: UA
    Phone: +3.80443582153 

Thursday, 16 June 2011

SMS Spam: "You have still not claimed the compensation you are due.."

These mystery ambulance-chasing SMS spammers are at it again:
You have still not claimed the compensation you are due for the accident you had. To claim then pls reply CLAIM. To opt out text STOP
In this case the spam comes from +44749353036, but the spammers rotate numbers regularly as they get blacklisted.

If you get one of these, forward the message to 7726 ("SPAM") on T-Mobile, O2, Orange or Three. If you are a Vodafone customer, forward it to 87726 ("VSPAM"). Your carrier should be able to block the spammer's number and with enough evidence may be able to take action against them.

Update: 3's spam reporting number is 37726 (3SPAM). Thanks for the tip, Richard!

Fake jobs: cosulting-eu.com and espana-cvbase.com

Two more fake domains in the long-running "Lapatasker" series:

cosulting-eu.com
espana-cvbase.com

The registration details have changed (see below), but otherwise this is the same old attempt to recruit people for money laundering. Avoid.

Leonid Pravduk
    Email: leonpravduk@yahoo.com
    Organization: Leonid Pravduk
    Address: ul.Beregovaya 13-2
    City: Doneck
    State: Doneckaya
    ZIP: 83000
    Country: UA
    Phone: +3.80443582153 

Tuesday, 14 June 2011

SMS Spam: "URGENT! If you took out a Bank Loan prior to 2007.."

This SMS spam is probably from the same bunch of scumbags who brought you this long-running ambulance chasing spam.

URGENT! If you took out a Bank Loan prior to 2007 then you are almost certainly entitled to £2300 in compensation. To claim text 'YES'. Free to apply.
In this case the SMS came from +447591233963, but the spammers vary these all the time to avoid getting blocked.(Update 28/9 they are now using +447968780878 and +447968766208. Update 30/9 and now +44798044443)

Since they don't honour TPS opt-outs, then they are probably not to be trusted.. whoever they are.

If you get one of these, forward the message to 7226 ("SPAM") on T-Mobile, O2 or Orange.. If you are a Vodafone customer, forward it to 87726 ("VSPAM"), on Three the number is 37726 ("3SPAM") Your carrier should be able to block the spammer's number and with enough evidence may be able to take action against them.

If you see any other telephone numbers for this, please consider letting us known through a Comment.

Fake jobs: usa-jobslist.com

Another addition to this long running scam, usa-jobslist.com is freshly registered and will be used to attempt to recruit people for money laundering and other illegal activities. Avoid.

Monday, 13 June 2011

Fake jobs: gb-offerlist.com, high-webtraffic.com and traffic-dc.com

More fake job offers.. or at least more fake something from the crew behind the "Lapatasker" series of dodgy domains:

gb-offerlist.com
high-webtraffic.com
traffic-dc.com


The shift in domain names might mean a shift in tactics, but be assured that any solicitation you get from these email addresses will be a scam.