Friday, 15 July 2011
Christwire.org hacked with sokoloperkovuske.com redirect
Labels:
.htaccess,
Fake Anti-Virus,
Korea,
Latvia
Thursday, 14 July 2011
yahlink.php / DreamHost hack
Almost identical in every way to this injection attack, several Dreamhost sites have been compromised with a page called yahlink.php (it was yahoolink.php before), which is being spammed out through compromised AOL accounts.
It isn't just Dreamhost hosted sites that are being spammed out in this way, but it does appear that well over half the sites are on Dreamhost. It looks like some GoDaddy customers might have been hit too.
In this case, the spammed link directs to krokodilius8.com/gosem11.php, which is hosted on 78.129.132.26 (apparently iomart Hosting Ltd in the UK). All the sites on that server appear to have fake registrant details, so you can assume that they are bogus:
bepfinance.com
brentnallfg.com
estatediary.com
forfreeblog.net
freeblogpro.org
freetrialmail.com
krokodilius8.com
lucky-bet.in
pubertavad.com
russwoman.ru
superblogonline.org
thebloggin.net
vedrozhuk7.com
yourtraveldiary.net
Users are then directed to another host in Romania, 188.229.89.230 which belongs to Netserv Consult SRL. It is my opinion that there is nothing of value in the entire 188.229.0.0/17 range and you can safely block access to the entire lot.
The final step is to a host called drugstorehealthrisks.net hosted on 90.182.175.232 which looks like a broadband connection in the Czech Republic. The site isn't loading for me, but I guess it's just pharma spam. These other sites are hosted on the same server:
fatdrugstoremeds.net
healthrxinsurance.net
healthrxpharmacyinsurance.com
healthtabletsnook.net
Dreamhost have been informed of the issue but don't appear to have done anything to secure their users. Blocking Dreamhost IPs might be something worth considering depending on what kind of shop you run. I have spotted malicious activity in the following IP ranges:
67.205.0.0/18
69.163.128.0/17
75.119.192.0/19
208.97.128.0/18
...although blocking access to the Romanian 188.229.0.0/17 block would also pretty much achieve the same thing without blocking access to any legitimate sites that might be on Dreamhost.
Labels:
DreamHost,
Injection Attacks,
Netserv Consult SRL,
PHP,
Romania
Wednesday, 13 July 2011
Fake jobs: cl-exlusive.com, europ-exlusive.com, totalworld-job.com, uk-cvlists.com and uk-exlusive.com
Five new domains offering fake jobs (actually money laundering and other illegal activities), forming part of this long running series of scams.
cl-exlusive.com
europ-exlusive.com
totalworld-job.com
uk-cvlists.com
uk-exlusive.com
The domains were created yesterday, registered to a no-doubt fake registrant:
Registrant:
Luca Drue
Email: lucadrue@yahoo.fr
Organization: Luca Drue
Address: 27, BERESTYANSKAYA STR
City: Minsk
State: Minsk
ZIP: BY-220123
Country: BY
Phone: +37.5172749317
Fax: +37.5172749311
If you have a sample email soliciting replies to one of these domains, please consider sharing it in the comments.
Labels:
Chile,
Job Offer Scams,
Lapatasker,
Money Mule,
Russia,
Scams
Tuesday, 12 July 2011
Fake HMRC site: confirm-hmrc.com / onlineservice.confirm-hmrc.com
This is a rather new phishing site pretending to be a tax refund notice from the UK's HMRC, pointing to the domain confirm-hmrc.com (subdomains www.confirm-hmrc.com and onlineservice.confirm-hmrc.com).
Although the phish looks convincing, the HMRC don't do tax refunds in this way. Usually they will just transfer the money to your bank account or alternatively send you a cheque. Furthermore, in my experience the HMRC only communicate by post and not electronic mail.
The site is hosted on 218.108.75.53 in China. The same server also hosts the fraudulent domains account-update-westernunion.com, account-westernunion.com and accounts-westernunion.com. The domain registration details are fake:
Domain Name.......... confirm-hmrc.com
Creation Date........ 2011-07-12
Registration Date.... 2011-07-12
Expiry Date.......... 2012-07-12
Organisation Name.... wu wu
Organisation Address. 12 na
Organisation Address.
Organisation Address. miami
Organisation Address. 12311
Organisation Address. AL
Organisation Address. UNITED STATES
Admin Name........... wu wu
Admin Address........ 12 na
Admin Address........
Admin Address........ miami
Admin Address........ 12311
Admin Address........ AL
Admin Address........ UNITED STATES
Admin Email.......... sadasda@re.com
Admin Phone.......... +1.12312312312
Admin Fax............
Tech Name............ wu wu
Tech Address......... 12 na
Tech Address.........
Tech Address......... miami
Tech Address......... 12311
Tech Address......... AL
Tech Address......... UNITED STATES
Tech Email........... sadasda@re.com
Tech Phone........... +1.12312312312
Tech Fax.............
Name Server.......... ns2.confirm-hmrc.com
Name Server.......... ns1.confirm-hmrc.com
Blocking traffic to 218.108.75.0/24 will probably do no harm.
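The registration record above carries several of the tell-tale signs of a throwaway phishing domain: created the same day it was spotted, a keyboard-filler phone number, a contact name that is one word repeated, and name servers inside the domain itself. The following is an added example (not code from this blog) that parses the dotted WHOIS layout shown above and scores those indicators; the heuristics, thresholds and function names are the example's own choices, not anything the post asserts.

```python
import re
from datetime import date

# Abridged copy of the confirm-hmrc.com record quoted in this post.
WHOIS_TEXT = """\
Domain Name.......... confirm-hmrc.com
Creation Date........ 2011-07-12
Registration Date.... 2011-07-12
Expiry Date.......... 2012-07-12
Organisation Name.... wu wu
Organisation Address. 12 na
Organisation Address.
Organisation Address. miami
Admin Name........... wu wu
Admin Email.......... sadasda@re.com
Admin Phone.......... +1.12312312312
Admin Fax............
Name Server.......... ns2.confirm-hmrc.com
Name Server.......... ns1.confirm-hmrc.com
"""

# "Key....... value": a run of dots separates the field name from the value;
# the value may be empty (see the Fax lines above).
LINE_RE = re.compile(r"^([A-Za-z ]+?)\.+\s*(.*)$")


def parse_whois(text):
    """Parse the dotted record format into {field: [values]}; repeated
    fields (address lines, name servers) keep their order."""
    record = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.rstrip())
        if not m:
            continue
        key, value = m.group(1).strip(), m.group(2).strip()
        record.setdefault(key, []).append(value)
    return record


def whois_flags(record, observed, max_age_days=30):
    """Heuristic indicators of a throwaway registration. These checks are
    the example's own, not the blog's; tune the thresholds to your own data."""
    flags = []
    created = date.fromisoformat(record["Creation Date"][0])
    age = (observed - created).days
    if age <= max_age_days:
        flags.append(f"registered {age} days before observation")
    phone = re.sub(r"\D", "", record.get("Admin Phone", [""])[0])
    if re.search(r"(\d{3})\1", phone):  # e.g. 123123..., typed-in filler
        flags.append("phone number is a repeated digit pattern")
    tokens = record.get("Admin Name", [""])[0].split()
    if len(tokens) > 1 and len(set(tokens)) == 1:
        flags.append("contact name is one token repeated")
    domain = record["Domain Name"][0].lower()
    servers = record.get("Name Server", [])
    if servers and all(ns.lower().endswith("." + domain) for ns in servers):
        flags.append("name servers live inside the domain itself")
    return flags


def analyse(text, observed_iso):
    """Parse and flag in one call; observed_iso is the date the domain was seen."""
    return whois_flags(parse_whois(text), date.fromisoformat(observed_iso))


if __name__ == "__main__":
    # Observation date is the post date, 12 July 2011.
    for flag in analyse(WHOIS_TEXT, "2011-07-12"):
        print("-", flag)
```

None of these signals is conclusive on its own (plenty of legitimate domains self-host DNS), which is why the function returns the list of reasons rather than a verdict; feed it into whatever scoring your mail or web filter already does.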
Friday, 8 July 2011
Evil network: hotmailbox.com
The domain hotmailbox.com often comes up when looking at malicious domains; it is used to provide a bulletproof email address for domain registration. The registrar for hotmailbox.com is the scammer's favourite, BIZCN, which probably explains why it has lingered for so long.
There are several hundred domains registered through email accounts at hotmailbox.com, all of them are bogus and follow a similar pattern with bogus US addresses. Most of the domains with active websites are hosted in Romania, in netblocks that have a known bad reputation.
You can download a list of domains, IPs and MyWOT ratings for at least some of these domains here [CSV], or if you just want a plain list then keep scrolling down.
Because the hotmailbox.com domains are all in bad blocks or on dedicated servers, it is possible to block access to these IP ranges or individual boxes to prevent infection. I would recommend blocking the following:
84.247.61.0/24 (Sistem Soft Network, Romania)
91.217.162.0/24 (Voejkova Nadezhda, Russia)
94.63.149.0/24 (SC CORAL IT OFFICE SRL, Romania)
94.244.80.7 (Uab Kauno Interneto Sistemos, Lithuania)
95.64.55.0/24 (Netserv Consult SRL, Romania)
96.9.139.208/28 (UAB "Dominant Plius", c/o HOSTNOC, US)
141.136.16.14 (MORE SECURE SRL, Romania)
173.236.34.238 (Inferno Solutions, UK)
184.105.178.85 (Hurricane Electric, US [parked])
188.138.90.110 (Intergenia AG, Germany)
188.138.116.223 (Intergenia AG, Germany)
188.229.0.0/17 (Netserv Consult SRL, Romania)
202.75.41.42 (TM VADS DC Hosting, Malaysia)
209.212.157.208/29 (BONHOST, Ukraine)
212.117.164.39 (root SA, Luxembourg)
217.23.9.247 (Worldstream, Netherlands)
220.112.0.0/18 (Guangzhou For Great Wall Broadband Network, China)
Not every site in those ranges is part of this group, and indeed there may be a few legitimate sites, but you are much more likely to come into contact with a malware site on these IP addresses than a real one, so treat them as "high risk".
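The list above mixes whole netblocks with single hosts, and the yahlink.php post earlier on this page recommends blocking the same 188.229.0.0/17 range. A practical way to consume such a list is to normalise every entry into a network object, collapse overlaps, and then look up individual addresses against it. This is an added example and not code from the blog; the ranges are the ones listed in this post, while the function names, the probe addresses taken from the yahlink.php post, and the iptables rule shape are the example's own assumptions.

```python
import ipaddress

# Ranges copied from the list in this post; a bare address is a single host.
BLOCKLIST = [
    "84.247.61.0/24", "91.217.162.0/24", "94.63.149.0/24", "94.244.80.7",
    "95.64.55.0/24", "96.9.139.208/28", "141.136.16.14", "173.236.34.238",
    "184.105.178.85", "188.138.90.110", "188.138.116.223", "188.229.0.0/17",
    "202.75.41.42", "209.212.157.208/29", "212.117.164.39", "217.23.9.247",
    "220.112.0.0/18",
]


def build_networks(entries):
    """Parse CIDR strings and bare IPs (a bare IP becomes a /32) into network
    objects, collapsing any overlapping or adjacent entries into one prefix."""
    nets = [ipaddress.ip_network(e, strict=False) for e in entries]
    return list(ipaddress.collapse_addresses(nets))


NETS = build_networks(BLOCKLIST)


def matching_network(ip, networks=NETS):
    """Return the blocklisted network containing ip, or None if it is not listed."""
    addr = ipaddress.ip_address(ip)
    for net in networks:
        if addr in net:
            return net
    return None


def iptables_rules(networks=NETS, chain="OUTPUT"):
    """Render the collapsed list as outbound DROP rules. The rule shape is an
    assumption of this example (one -d match per prefix); adapt the chain
    name to your own firewall layout."""
    return [f"iptables -A {chain} -d {net.with_prefixlen} -j DROP" for net in networks]


if __name__ == "__main__":
    # 188.229.89.230 is the Romanian hop from the yahlink.php post above;
    # 78.129.132.26 (the UK host in the same post) is not on this list.
    for probe in ("188.229.89.230", "78.129.132.26"):
        print(probe, "->", matching_network(probe))
    print("\n".join(iptables_rules()))
```

Collapsing first matters once lists grow: duplicate entries, a /32 already covered by a /24, or two adjacent /25s all become one prefix, so the lookup loop stays short and the generated firewall rules do not contain redundant lines.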
If you have any examples of domains using hotmailbox.com that are not listed, then please consider adding them to the Comments.
8nm2.com |
aaaholic.com |
aaoutfit.com |
aarocket.com |
abcartel.com |
abminute.com |
abutable.com |
acgoblin.com |
aemodern.com |
afchalet.com |
agfiesta.com |
alexblane.com |
alisa-carter.com |
analitycscredit.com |
asweds.com |
automaticsecurityscan.com |
awesomepornofree.com |
awfulice.com |
bcrocket.com |
bdcartel.com |
bestipdns.com |
bookaros.com |
bookarra.com |
bookavio.com |
bookdolo.com |
bookfula.com |
bookgusa.com |
bookmonn.com |
bookmono.com |
bookmylo.com |
booknunu.com |
bookpolo.com |
booksgou.com |
booksoco.com |
booksolo.com |
booktuba.com |
bookvila.com |
bookvivi.com |
bookvoxy.com |
bookzoul.com |
bookzula.com |
caldnsserver.com |
calmsearch.org |
cbhammer.com |
cblender.com |
cebistro.com |
cfaholic.com |
clickabundant.org |
clickaccept.org |
clickadvice.org |
clickahead.org |
clickalmost.org |
clickan.org |
clickancient.org |
clickany.org |
clickanybody.org |
clickanybody.org |
clickarrogant.org |
clickarvada.org |
clickattempt.org |
clickautomatic.org |
clickbad.org |
clickbatonrouge.org |
clickber.org |
clickboa.org |
clickbored.org |
clickbrake.org |
clickbury.org |
clickcharleston.org |
clickclear.org |
clickclever.org |
clickdesmoines.org |
clickdowe.org |
clickdrea.org |
clickdreadful.org |
clickfer.org |
clickflat.org |
clickfortlauderdale.org |
clickfremont.org |
clickhartford.org |
clickicy.org |
clickill.org |
clickjacksonville.org |
clickmesquite.org |
clicknorman.org |
clickodd.org |
clickolathe.org |
clicksalem.org |
clickshy.org |
clicksyracuse.org |
clickwet.org |
comasians.com |
comchemicalsns.com |
daily-basis.com |
daletter.com |
darksecurityscan.com |
dateoncount.com |
dbchalet.com |
dnseasy.ru |
dnsforwebuse.com |
dns-good-you.com |
dnshot.ru |
dnssuperb.com |
dnsundservice.com |
dnsvip.ru |
domainforuse.com |
dowpolenas.org |
dynamicip-dns.com |
e48i.com |
easysecurityscan.com |
edsawake.org |
edsawake.org |
edsback.org |
edsbang.org |
edsbang.org |
edsbeautiful.com |
edsbent.com |
edsbent.com |
edsbid.com |
edsblew.com |
edscold.com |
edsfull.com |
edsfull.com |
edswoken.org |
emptywin.com |
engduates.com |
excellentdnshost.com |
fastsapere.com |
fastsofgeld.com |
findacid.org |
findaddition.org |
findadvertisem.org |
findalert.org |
findangry.org |
findattack.org |
findawful.org |
findbitter.org |
findblow.org |
findbrake.org |
findbrave.org |
findcaret.org |
findchalk.org |
findchance.org |
findcheeks.org |
findclumsy.org |
findcolorful.org |
findconsonant.org |
findcopper.org |
findcurly.org |
finddamaged.org |
finddistribution.org |
finddrawer.org |
finddriving.org |
finddrop.org |
findear.org |
findearly.org |
findears.org |
findearth.org |
findeast.org |
findexperie.org |
findeyes.org |
findfertile.org |
findfierce.org |
findforeign.org |
findforget.org |
findfort.org |
findforth.org |
findharsh.org |
findinexpensive.org |
findinnocent.org |
findjolly.org |
findjoyous.org |
findjuicy.org |
findlate.org |
findsister.org |
findsize.org |
findsky.org |
findsour.org |
findstage.org |
findstart.org |
findstation.org |
findstem.org |
findstep.org |
findstitch.org |
findstone.org |
findstraight.org |
findstrange.org |
finduneven.org |
findunsightly.org |
findvoiceless.org |
findwandering.org |
findwet.org |
findwicked.org |
fixtracker.com |
forumaccept.org |
forumadd.org |
forumadmire.org |
forumadmit.org |
forumadvise.org |
forumafford.org |
forumallow.org |
forumamuse.org |
forumanalyze.org |
forumbusy.org |
forumcalm.org |
forumcold.org |
forumcute.org |
forumdamp.org |
frailwin.com |
frequentwin.com |
gcocgle.com |
goodworkdns.com |
goodworkdns.com |
googletrackgeo.com |
hotmailbox.com |
ibtable.com |
ibtable.com |
imageacid.org |
imagebad.org |
imagebent.org |
imagefipe.org |
imagelue.org |
install-internet.com |
ipbestdns.com |
IpCodesNet.com |
IpInternetExplorer.com |
ipmagicnet.com |
ipnetworklegal.com |
ipsecurityuse.com |
ip-tracing.com |
IpWebDirectory.com |
koxtable.com |
lizamoon.com |
m0o0.com |
malineip.com |
milapop.com |
netlinksgo.com |
networkdnstrust.com |
nondeip.com |
op0o.com |
ottomip.com |
ottomip.com |
phlorip.com |
pornootrada.com |
portalkey.org |
s0po.com |
searchabout.org |
searchact.org |
searchadorable.org |
searchadvice.org |
searchaffect.org |
searchafternoon.org |
searchago.org |
searchairplane.org |
searchalaska.org |
searchalice.org |
searchalike.org |
searchallow.org |
searchaloud.org |
searchalphabet.org |
searchalready.org |
searchalready.org |
searchalso.org |
searchalso.org |
searchalthough.org |
searcham.org |
searchamount.org |
searchamusement.org |
searchand.org |
searchangle.org |
searchanimal.org |
searchanswer.org |
searchant.org |
searchapparatus.org |
searcharound.org |
searcharrange.org |
searcharrow.org |
searchas.org |
searchaside.org |
searchask.org |
searchasleep.org |
searchaswe.org |
searchat.org |
searchate.org |
searchatlantic.org |
searchatmosphere.org |
searchatom.org |
searchatomic.org |
searchattached.org |
searchattention.org |
searchbad.org |
searchbase.org |
searchbat.org |
searchbattery.org |
searchbattle.org |
searchbegan.org |
searchbeginning.org |
searchbegun.org |
searchbehavior.org |
searchbehind.org |
searchbet.org |
searchbetsy.org |
searchbeyond.org |
searchbigger.org |
searchbiggest.org |
searchbilly.org |
searchbirth.org |
searchborn.org |
searchbottle.org |
searchbound.org |
searchbow.org |
searchbowl.org |
searchbread.org |
searchbreak.org |
searchbreathe.org |
searchbreathing.org |
searchbreeze.org |
searchbreeze.org |
searchbrick.org |
searchbrick.org |
searchbrief.org |
searchclumsy.com |
searchcruel.org |
searchdead.com |
searchdear.org |
searchdepressed.org |
searchdrab.com |
searchdrab.org |
searchdull.com |
searchelated.org |
searchfertile.org |
searchfindestablish.org |
searchfindfix.org |
searchfindfund.org |
searchfoggy.org |
searchgrieving.org |
searchhuge.org |
searchhumid.org |
searchhushed.org |
searchjewel.org |
searchlarge.org |
searchlazy.org |
searchmany.org |
searchmeat.org |
searchmedical.org |
searchmemory.org |
searchmetal.org |
searchmilk.org |
searchminiature.org |
searchmisty.org |
searchmixed.org |
searchmodern.org |
searchnumber.org |
searchodd.org |
searchof.org |
searchplant.org |
searchrelieved.org |
searchways.org |
seardall.org |
static-ipdns.com |
t02j.com |
tadygus.com |
trafficjoyous.com |
u98i.com |
ultradnshost.com |
Labels:
Evil Network,
Intergenia,
Netserv Consult SRL,
Romania
Fake jobs: job-britain.com and job4america.com
Two new fake job domains that form part of this long-running series, job-britain.com and job4america.com are pushing fake job offers which will actually be illegal activities like money laundering.
These domains were registered just yesterday to a fake registrant called "Leonid Pravduk". Avoid.
If you have samples of the spam emails using these domains, please consider sharing them in the comments.
Labels:
Job Offer Scams,
Lapatasker,
Money Mule,
Russia,
Scams
Thursday, 7 July 2011
Fake jobs: westgroupcv.net, wug-cunsulting.net, wug-joblist.com and wugcv-offers.com
Four new domains forming part of the very long-running "Lapatasker" series of fake job offers:
westgroupcv.net
wug-cunsulting.net
wug-joblist.com
wugcv-offers.com
These job offers will typically involve illegal money mule operations and other fraudulent activities. Unless you enjoy jail time, they are best ignored.
If you have any example emails, please consider sharing them in the comments!
Labels:
Job Offer Scams,
Lapatasker,
Money Mule,
Russia,
Scams
Tuesday, 5 July 2011
Sapphire Town Real Estate (sapphiretown.com) suck
I don't normally post twice on one spammer, but the idiots at Sapphire Town Real Estate seem to have hit new levels of stupidity with this spam that they have now sent 283 times, apparently about 1% into a dictionary attack (so I can expect to see it 28,000 more times!)
If they are this stupid when it comes to doing business then I would advise giving them a wide berth.
Update: now 4386 times and counting!
Monday, 4 July 2011
Sapphire Town Real Estate "Labour Camps" spam. Just add slaves.
This spam for labour camps was so important to the sender that they sent it 300 times (and counting). Just add slaves, I guess. And in jolly Comic Sans too! Originating IP is 86.96.226.150 in the UAE, all attempts at contacting their abuse department bounce. Classy.
From: Sapphire Town Real Estate stre@emirates.net.ae
Reply-To: info@sapphiretown.com
To: Redacted
Date: 4 July 2011 19:12
Subject: Labour Camps
Dear Valued Customer,
We offer a wide variety of labour camps for rent in ALMUHAISNAH 2nd (Sonapour), AL QUOZ, JEBEL ALI and DIP with your exact requirements and reasonable price.
Labour Camp in Al Quoz
Total Rooms = 295
Supervisors Rooms = 5
Kitchen = 7
Dining = 7
Toilet = 117
Showers = 117
Parking for 14 buses and 25 cars
Price = AED 1,250 All Inclusive
Labour camp in Al Muhaisnah 2nd
Total Rooms = 140
Kitchen = 3
Dining = 3
Showers = 60
Toilets = 60
Price = AED 1,200 All Inclusive
Labour Camp for Rent in DIP phase 1
Total Room = 70
Kitchen & Dining = 2
Toilet & Showers = 50
Price = AED 1,600 All Inclusive
Labour Camp for Rent in Jebel Ali Ind.3
Total Rooms = 200
Kitchen & Dining = 4
Toilets & Showers = 160
TV, First Aid, Gym & Service Room
Price = AED 1,400 All Inclusive
If you have any questions or concerns, please email us directly stre@eim.ae Or call 050-3479984///04-2576603
- Labour Camps & Warehouses for Sale.
- Residential Building For sale in Bur Dubai.
This E-mail has been sent to you as a person interested in the information enclosed. If you have received this e-mail in error please notify the originator of the Email If you want your Email to be removed PLEASE reply to info@sapphiretown.com to ''Remove from list''. We sincerely apologize for the possible inconvenience.
Labels:
Dubai,
Etisalat,
Sapphire Town Real Estate,
Spam,
Stupidity
Sunday, 3 July 2011
Fake jobs: europe-cv.net, gb-traffic.com and totaljoblists.net
A trio of domains being used to push fake jobs (such as money mule operations) and other illegal activities, part of this long running series. The domains were registered just yesterday.
europe-cv.net
gb-traffic.com
totaljoblists.net
Avoid any offers soliciting a reply to these domains. If you have an example spam email, please consider sharing it in the comments. Thanks!
Labels:
Job Offer Scams,
Lapatasker,
Money Mule,
Russia,
Scams
Thursday, 30 June 2011
Fake jobs: au-jobposition.com
Another domain being used to promote money laundering jobs or other criminal enterprises is au-jobposition.com which forms part of this long-running scam.
As usual, avoid. If you have any samples, please consider posting them in the comments section.
Labels:
Job Offer Scams,
Lapatasker,
Money Mule,
Russia,
Scams
Tuesday, 28 June 2011
Fake jobs: greece-joblist.com and italia-lavoro.net
A pair of domains offering fake money mule jobs or reshipping mule jobs, the greece-joblist.com and italia-lavoro.net domains seem to be targeting Italian and Greek victims and form part of this long running scam.
If you have any examples (especially non-English ones) please share them in the comments!
Labels:
Greece,
Italy,
Job Offer Scams,
Lapatasker,
Money Mule,
Russia,
Scams
Sunday, 26 June 2011
yahoolink.php / DreamHost hack
It appears that a lot of DreamHost (New Dream Network LLC) sites have been hacked with malicious pages added to them. The issue impacts multiple servers at different DreamHost datacenters. Some sample IPs with infected sites include:
67.205.1.63
67.205.3.51
67.205.3.230
69.163.168.135
69.163.169.247
69.163.181.205
69.163.184.86
75.119.217.8
Given that the hacked pages all contain the string yahoolink.php, it is possible that these attacks are using a PHP vulnerability. The pages are then promoted through spam email. You can simply (carefully) search for "yahoolink.php" in your favourite search engine to see the scope of the problem.
People who click on the link get redirected through several steps:
vedrozhuk7.com
63.226.210.102
NETPOINT, Utah
(no domain)
188.229.90.71
Securvera SRL, Romania
www.medi-corp24-7.com
94.60.121.34
Cover Sun Design SRL, Romania
The endpoint appears to be a standard fake pharmacy site, I couldn't see any malicious code but that could always change.
With Romanian hosts I recommend a one-strike policy, i.e. block the whole lot as soon as you come across a netblock with malicious activity. Unless you have business dealings with Romania, any traffic to a Romanian host is likely to be malware or spam related. So in this case, blocking 188.229.90.0/23 and 94.60.120.0/22 will probably do no harm.
Labels:
DreamHost,
Injection Attacks,
PHP,
Romania
Thursday, 23 June 2011
Peteris Sahurovs and Marina Maslobojeva arrested: Sagade hopefully busted
Another victory for the good guys, according to El Reg.
The Department of Justice and the FBI have cracked an international scareware ring believed to have scammed over $72m (£45m).
The gang screwed money out of more than a million victims. They installed software on their computers which falsely claimed to have detected viruses or malware. The gang then took payment for supposedly cleaning up the machines.
22-year-old Peteris Sahurovs and 23-year-old Marina Maslobojeva were arrested in Latvia on charges made in court in Minnesota.
Although there are several bad hosts in Latvia, the one that really stands out is Sagade Ltd. And it looks very much as if Peteris Sahurovs worked for Sagade, his screen name on the internet was piotrek89 which was also the abuse address for the Sagade network.
Sagade seemed to be linked to a number of other Latvian outfits, so hopefully this will make a major dent in malicious activity from that country. Until it gets cleaned up though, Latvian netblocks should still be treated with suspicion.
The FBI have a press release about it here.
Labels:
Evil Network,
Latvia,
Sagade Ltd
Fake job domains 23/6/11
Another day, another set of fake job domains forming part of this long-running scam. The domains were registered just two days ago to a presumably fictitious character called "Leonid Pravduk".
au-joblists.com
europ-joblist.com
gb-totaljob.com
uk-joblists.com
us-joblists.com
The "job" being offered is usually something like a money mule or taking part in a reshipping scam. In any case, the so-called job is illegal and should be avoided.
If you have a copy of a sample email, please share it in the comments section!
Labels:
Job Offer Scams,
Lapatasker,
Money Mule,
Russia,
Scams
Wednesday, 22 June 2011
Some malware sites to block
These domains are associated with the Win32/FakeRean "Fake anti-virus" trojan, and are worth blocking.
The Comodo report for this bit of nastiness is here.
Domain | IP |
laxesepaweno.com | 50.23.83.40 |
fugegewulevu.com | 50.23.83.41 |
tepucazij.com | 50.23.83.42 |
cuhucupivu.com | 50.23.84.216 |
sirakapofeti.com | 50.23.84.217 |
zenevakyfa.com | 50.23.84.218 |
tuwynaropotit.com | 50.23.193.236 |
cikipihigilani.com | 50.23.193.237 |
pifajeniwyt.com | 50.23.193.238 |
wumytaxuboly.com | 50.23.200.56 |
tevisuwapucumu.com | 76.73.85.251 |
jicylegavade.com | 76.73.85.252 |
dolagomosu.com | 85.17.239.191 |
bumucewafypevy.com | 85.17.239.192 |
xaqygacatewuk.com | 85.17.239.198 |
mysupigaqyme.com | 173.193.196.178 |
zypomamuzosa.com | 173.249.145.53 |
nylujusofo.com | 173.249.145.54 |
qajivehucewupo.com | 173.249.145.55 |
wyduzylys.com | 174.36.220.136 |
vyqivaneh.com | 174.36.220.136 |
litubibam.com | 174.36.220.138 |
pykolujij.com | 188.240.32.162 |
gyravatimak.com | 188.240.32.163 |
dubacobimude.com | 188.240.32.164 |
waliwetixybuk.com | 204.45.41.82 |
tixirukemosa.com | 204.45.41.83 |
sumuryvynuh.com | 204.45.41.84 |
dazixydecamur.com | |
cadyfahirecyci.com | |
myfofeviqilo.com |
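A table like the one above is more useful once the domains are pivoted onto their hosting: 28 resolved domains turn out to sit in just eleven /24s, which is what you would block or watch rather than chasing domains one at a time. The following is an added example, not code from this blog: it parses the domain | IP table exactly as printed above (three rows have no IP) and groups the rows by prefix. The function names and the choice of /24 as the grouping prefix are the example's own.

```python
import ipaddress
from collections import defaultdict

# The domain | IP table from this post, copied verbatim (three rows have no IP).
TABLE = """\
laxesepaweno.com | 50.23.83.40 |
fugegewulevu.com | 50.23.83.41 |
tepucazij.com | 50.23.83.42 |
cuhucupivu.com | 50.23.84.216 |
sirakapofeti.com | 50.23.84.217 |
zenevakyfa.com | 50.23.84.218 |
tuwynaropotit.com | 50.23.193.236 |
cikipihigilani.com | 50.23.193.237 |
pifajeniwyt.com | 50.23.193.238 |
wumytaxuboly.com | 50.23.200.56 |
tevisuwapucumu.com | 76.73.85.251 |
jicylegavade.com | 76.73.85.252 |
dolagomosu.com | 85.17.239.191 |
bumucewafypevy.com | 85.17.239.192 |
xaqygacatewuk.com | 85.17.239.198 |
mysupigaqyme.com | 173.193.196.178 |
zypomamuzosa.com | 173.249.145.53 |
nylujusofo.com | 173.249.145.54 |
qajivehucewupo.com | 173.249.145.55 |
wyduzylys.com | 174.36.220.136 |
vyqivaneh.com | 174.36.220.136 |
litubibam.com | 174.36.220.138 |
pykolujij.com | 188.240.32.162 |
gyravatimak.com | 188.240.32.163 |
dubacobimude.com | 188.240.32.164 |
waliwetixybuk.com | 204.45.41.82 |
tixirukemosa.com | 204.45.41.83 |
sumuryvynuh.com | 204.45.41.84 |
dazixydecamur.com | |
cadyfahirecyci.com | |
myfofeviqilo.com |"""


def parse_table(text):
    """Split 'domain | ip |' rows into (domain, ip) pairs; a missing IP becomes None."""
    rows = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.split("|")]
        domain = cells[0]
        ip = cells[1] if len(cells) > 1 and cells[1] else None
        rows.append((domain, ip))
    return rows


def group_by_netblock(rows, prefixlen=24):
    """Pivot domains onto their hosting prefixes; rows without an IP are
    collected under the key 'unresolved' so they are not silently dropped."""
    groups = defaultdict(list)
    for domain, ip in rows:
        if ip is None:
            groups["unresolved"].append(domain)
            continue
        net = ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)
        groups[net.with_prefixlen].append(domain)
    return dict(groups)


def unique_ips(rows):
    """Distinct host addresses in numeric order (two domains share 174.36.220.136)."""
    return sorted({ip for _, ip in rows if ip}, key=ipaddress.ip_address)


if __name__ == "__main__":
    rows = parse_table(TABLE)
    for block, domains in sorted(group_by_netblock(rows).items()):
        print(f"{block:18} {len(domains)} domain(s): {', '.join(domains)}")
    print(len(unique_ips(rows)), "distinct IPs")
```

The same parse-then-pivot step works for any indicator feed; changing prefixlen to 16 shows whether the blocks themselves cluster under one provider.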
Labels:
Fake Anti-Virus,
Trojans
Tuesday, 21 June 2011
"Federal Tax transfer rejected" malware
I've never paid taxes to the IRS and I don't intend to now..
The spam attempts (and fails) to download malware from uhkusrrthyjshjfd.cz.cc (89.208.149.215, Russia) via IRS-REPORTS-WEB-FILE-6856.INFO (parked at Godaddy). In my opinion, all .cz.cc domains are suspect and are worth blocking.
From: Jeannette_Case@irs.gov
Date: 21 June 2011 11:16
Subject: Federal Tax transfer rejected
Your federal Tax payment (ID: 632869994691), recently from your checking account was canceled by the your Bank.
Canceled Tax transfer Tax Transaction ID: 632869994691 Reason of rejection See details in the report below FederalTax Transaction Report
tax_report_632869994691.pdf.exe (self-extracting archive, Adobe PDF)
Internal Revenue Service, Metro Plex 1, 8401 Corporate Drive, Suite 300, Landover, MD 20785
Update 28/9/11: a new version of this email is doing the rounds. This DOES successfully infect vulnerable machines; I will try to find more details.
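Two cheap checks fall out of this sample, and they belong at different layers: the attachment name (a document extension in front of an executable one) can be caught at the mail gateway, while the .cz.cc suffix the post suggests blocking is only visible at the DNS or proxy layer, because the link in the mail points at the parked .info domain and only redirects to the cz.cc host afterwards. The script below is an added example, not code from the original post; the extension lists, the URL path and the body text are constructed, and only the two hostnames come from the post.

```python
"""Added example, not from the original post: two cheap checks drawn from the
spam above. Extension lists, sample body and URL path are assumptions."""
import re
from urllib.parse import urlparse

# Extensions Windows runs on double-click, and document-like extensions that
# scammers put in front of them (tax_report.pdf.exe). Assumed lists.
EXEC_EXT = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs"}
DOC_EXT = {"pdf", "doc", "docx", "xls", "txt", "jpg", "htm", "html"}
# Suffixes blocked outright; the post argues for all of cz.cc, the free
# subdomain service the malware host sits under.
BLOCKED_SUFFIXES = ("cz.cc",)
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def double_extension(filename):
    """True for names like tax_report.pdf.exe, including the variant with
    whitespace padding between the two extensions."""
    parts = [p.strip() for p in filename.lower().rsplit(".", 2)]
    return len(parts) == 3 and parts[1] in DOC_EXT and parts[2] in EXEC_EXT


def host_blocked(host):
    """True if host equals a blocked suffix or is any label under it
    (so uhkusrrthyjshjfd.cz.cc matches, notcz.cc does not)."""
    host = (host or "").lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in BLOCKED_SUFFIXES)


def scan_mail(body, attachments):
    """Mail-gateway stage: flag double-extension attachments and any link whose
    host is already on the suffix blocklist."""
    findings = [f"double-extension attachment: {n}" for n in attachments
                if double_extension(n)]
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname
        if host_blocked(host):
            findings.append(f"link to blocked host: {host}")
    return findings


def scan_request(url):
    """Proxy/DNS stage: the same suffix rule applied to the hop the mail link
    redirects to, which is where cz.cc finally shows up."""
    host = urlparse(url).hostname
    return f"blocked host: {host}" if host_blocked(host) else None


# Constructed sample modelled on the spam quoted above. The link host is the
# one the post names; the path and wording are made up.
SAMPLE_BODY = (
    "Your federal Tax payment (ID: 632869994691) was canceled by your Bank.\n"
    "See details in the report below\n"
    "http://IRS-REPORTS-WEB-FILE-6856.INFO/report\n"
)
SAMPLE_ATTACHMENTS = ["tax_report_632869994691.pdf.exe"]
# Where that link redirects, per the post (path assumed).
REDIRECT_TARGET = "http://uhkusrrthyjshjfd.cz.cc/tax_report_632869994691.pdf.exe"

if __name__ == "__main__":
    print(scan_mail(SAMPLE_BODY, SAMPLE_ATTACHMENTS))
    print(scan_request(REDIRECT_TARGET))
```

On the sample, the gateway stage flags only the attachment name: the .info link is not on any list, so a filter that relies on link hosts alone would pass this message. The suffix rule bites one hop later, when the proxy sees the cz.cc host, which is the argument for putting such rules at the DNS or proxy layer rather than only in mail filtering.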
Nokia N9. Beautiful but doomed.
I've always been a fan of big Nokias, especially the Communicator series. My collection includes a Nokia E90, Nokia 9500, Nokia 9110i, a Nokia 770 tablet and even the rare Nokia 7710 touchscreen phone.
So I should be pretty excited by the Nokia N9. Well, yes.. actually I am excited by the N9 which is Nokia's most powerful phone to date. There's a lovely big OLED screen, a relatively fast processor, lots of memory and the interesting looking MeeGo operating system as well.
But will I be buying one? Probably not. MeeGo is doomed. Nokia announced a switch to Windows earlier this year, but the MeeGo-powered N9 was already in development and is now official. However, it's quite likely that we won't see another MeeGo device from Nokia, leaving the N9 as an orphan. And an expensive orphan at that.
The N9 really should have been announced over a year ago to follow up from the N900; as it is, it's a beautiful but ultimately doomed device.. which is quite sad. Perhaps there will be some bargain ones on eBay in the future though..
[Via]
Sunday, 19 June 2011
Fake job domains 19/6/11
A whole batch of domains advertising fake jobs today (mostly money mule operations). These were all registered two days ago to the fictitious "Leonid Pravduk" registrant that we have seen recently, and form part of the very long-running "Lapatasker" series of scam domains.
europe-hire.net
green-westeurope.com
hosting-europ.com
newgreen-europ.com
traffic-europ.com
us-totaljob.com
usa-totaljob.com
Avoid these, basically.. but if you do have a sample email, feel free to share it in the comments.
Labels:
Job Offer Scams,
Lapatasker,
Money Mule,
Russia,
Scams
Friday, 17 June 2011
Fake jobs: totaljob-eu.com
Another day, another fake job domain used for contacting potential money laundering mules, this time totaljob-eu.com which is a part of this long-running scam.
The domain was registered just yesterday to the new "Leonid Pravduk" persona that the scammers seem to be using. Avoid.
Leonid Pravduk
Email: leonpravduk@yahoo.com
Organization: Leonid Pravduk
Address: ul.Beregovaya 13-2
City: Doneck
State: Doneckaya
ZIP: 83000
Country: UA
Phone: +3.80443582153
Labels:
Job Offer Scams,
Lapatasker,
Money Mule,
Russia,
Scams