Sponsored by..

Thursday, 21 July 2011

Fake jobs: world-chilecv.com

Just a single fake job domain today, world-chilecv.com is an addition to this long-running series of so-called job offers which actually turn out to be money laundering or some other criminal activity.

The domain in question was registered just yesterday to the no-doubt fake reigstrant:

Ricardo Lopez
    Email: ricardolip2@yahoo.com
    Organization: Ricardo Lopez
    Address: ul. Liivalaia 34-10
    City: Tallin
    State: Tallin
    ZIP: 15040
    Country: EE
    Phone: +3.726317190 


This domain was registered only yesterday. Avoid.

Wednesday, 20 July 2011

Epsilon Breach Spam Run

The Epsilon Data Breach from a few months back certainly made headlines, but I haven't seen much in the way of spam activity that I could directly attribute to it. Until now.

From: Olga Sunday [mailto:SundayqyOhilga@hotmail.com]
Sent: 18 July 2011 17:31
To: Spam Victim
Subject: Spam Victim

Hello.
Don't miss unique employment opportunity.
The company is seeking for enthusiastic representative in United Kingdom to help us spread out our activity in the Europe area.
easy training available.
Superb income potential.

Conditions:
- 18+ age
- Only basic knowledge of Internet & computer.
- 2-3 free hours per day

Candidates must be smart and commerce motivated. Operate only few hours per day.
Everyone located in the United Kingdom can become our representative.
Thank you for your attention.

_______________________
Current News : honor rolls for monday, july , . 

At first glance it looks like a standard money mule spam, but there are two odd things. One is the "Subject" line which has the actual name of the spam victim. Not their email address, their real name.. more of this in a minute. The other odd thing is that the "From" address appears to be valid, and the email really has originated from Hotmail, presumably in some sort of auto-generated spamming account.

The inclusion of the recipient's name in the subject is the odd thing. In this case, I had a bunch of largely unrelated users in different countries with very similar email messages. So where had the names come from? Well, there were a couple of anomalies which gave a clue.. in two cases the "Subject" name was a family member, and not the actual recipient.

This narrowed down the possibilities, and it became apparent that the users had registered for something in the name of a family member, but using their own email account. And in one case that tied directly to a company which was a victim of the Epsilon data breach.

Looking over the other spam recipients, the majority were on the mailing list of Hilton Honors, Marriott Rewards, Marks and Spencer, Capital One or other Epsilon customers. Some didn't fit the pattern, but were connected with Pixmania, Plentyoffish.com and Play.com which were all hacked at about the same time. So perhaps the spammer's list is made up of data from more than one source.

Do I know for sure that this is connected with the Epsilon breach? No. But the inclusion of the family member's names indicates that they were harvested externally, the majority of users could be shown to have a connection to companies involved in the Epsilon breach, and the small number who couldn't seemed to be users of other breached companies.

This spam was very crude in its actual pitch. But I'm guessing that this will be the first of many more targeted spam/scam emails using this stolen data.

Sunday, 17 July 2011

Fake jobs: eur-cvlist.com, gr-hire.com and world-cvlist.com

Three new fake jobs domains following this pattern, offering bogus jobs which will actually turn out to be money laundering or some other criminal activity.

eur-cvlist.com
gr-hire.com
world-cvlist.com

One characteristic of recent emails is that they appear to come "from" the recipient, as the spammers have forged the "from" field (which is very easy to do).

The registrant details for the domain are no doubt fake:

    Ricardo Lopez
    Email: ricardolip2@yahoo.com
    Organization: Ricardo Lopez
    Address: ul. Liivalaia 34-10
    City: Tallin
    State: Tallin
    ZIP: 15040
    Country: EE
    Phone: +3.726317190 

The domains were registered two days ago on 15th July. If you have samples of spam using these domains, please consider sharing them in the comments.

Thursday, 14 July 2011

yahlink.php / DreamHost hack

Almost identical in every way to this injection attack, several Dreamhost sites have been compromised with a page called yahlink.php (it was yahoolink.php before), which is being spammed out through compromised AOL accounts.

It isn't just Dreamhost hosted sites that are being spammed out in this way, but it does appear that well over half the sites are on Dreamhost. It looks like some GoDaddy customers might have been hit too.

In this case, the spammed link directs to krokodilius8.com/gosem11.php which is hosted on 78.129.132.26 which appears to be iomart Hosting Ltd in the UK. All the sites on that server appear to have have fake registrant details, so you can assume that they are bogus:

bepfinance.com
brentnallfg.com
estatediary.com
forfreeblog.net
freeblogpro.org
freetrialmail.com
krokodilius8.com
lucky-bet.in
pubertavad.com
russwoman.ru
superblogonline.org
thebloggin.net
vedrozhuk7.com
yourtraveldiary.net

Users are then directed to another host in Romania, 188.229.89.230 which belongs to Netserv Consult SRL. It is my opinion that there is nothing of value in the entire 188.229.0.0/17 range and you can safely block access to the entire lot.

The final step is to a host called drugstorehealthrisks.net hosted on 90.182.175.232 which looks like a broadband connection in the Czech Republic. The site isn't loading for me, but I guess it's just pharma spam. These other sites are hosted on the same server:

fatdrugstoremeds.net
healthrxinsurance.net
healthrxpharmacyinsurance.com
healthtabletsnook.net


Dreamhost have been informed of the issue but don't appear to have done anything to secure their users. Blocking Dreamhost IPs might be something worth considering depending on what kind of shop you run. I have spotted malicious activity in the following IP ranges:

67.205.0.0/18
69.163.128.0/17
75.119.192.0/19

208.97.128.0/18

..although blocking access to the Romanian 188.229.0.0/17 block would also pretty much acheive the same thing without blocking access to any legitimate sites that might be on Dreamhost.

Wednesday, 13 July 2011

Fake jobs: cl-exlusive.com, europ-exlusive.com, totalworld-job.com, uk-cvlists.com and uk-exlusive.com

Five new domains offering fake jobs (actually money laundering and other illegal activities), forming part of this long running series of scams.

cl-exlusive.com
europ-exlusive.com
totalworld-job.com
uk-cvlists.com
uk-exlusive.com


The domains were created yesterday, registered to a no-doubt fake registrant:

Registrant:
    Luca Drue
    Email: lucadrue@yahoo.fr
    Organization: Luca Drue
    Address: 27, BERESTYANSKAYA STR
    City: Minsk
    State: Minsk
    ZIP: BY-220123
    Country: BY
    Phone: +37.5172749317
    Fax: +37.5172749311

If you have a sample email soliciting replies to one of these domains, please consider sharing it in the comments.

Tuesday, 12 July 2011

Fake HMRC site: confirm-hmrc.com / onlineservice.confirm-hmrc.com

This is a rather new phishing site, pretending to be a tax refund from the UK's HMRC agency pointing to the domain confirm-hmrc.com (subdomains www.confirm-hmrc.com and onlineservice.confirm-hmrc.com).

Although the phish looks convincing, the HMRC don't do tax refunds in this way. Usually they will just transfer the money to your bank account or alternatively send you a cheque. Furthermore, in my experience the HMRC only communicate by post and not electronic mail.

The site hosted on 218.108.75.53 in China. The same server also has the fraudulent domains account-update-westernunion.com, account-westernunion.com and accounts-westernunion.com. The domain registration details are fake:

Domain Name.......... confirm-hmrc.com
  Creation Date........ 2011-07-12
  Registration Date.... 2011-07-12
  Expiry Date.......... 2012-07-12
  Organisation Name.... wu wu
  Organisation Address. 12 na
  Organisation Address.
  Organisation Address. miami
  Organisation Address. 12311
  Organisation Address. AL
  Organisation Address. UNITED STATES

Admin Name........... wu wu
  Admin Address........ 12 na
  Admin Address........
  Admin Address........ miami
  Admin Address........ 12311
  Admin Address........ AL
  Admin Address........ UNITED STATES
  Admin Email.......... sadasda@re.com
  Admin Phone.......... +1.12312312312
  Admin Fax............

Tech Name............ wu wu
  Tech Address......... 12 na
  Tech Address.........
  Tech Address......... miami
  Tech Address......... 12311
  Tech Address......... AL
  Tech Address......... UNITED STATES
  Tech Email........... sadasda@re.com
  Tech Phone........... +1.12312312312
  Tech Fax.............
  Name Server.......... ns2.confirm-hmrc.com
  Name Server.......... ns1.confirm-hmrc.com

Blocking traffic to 218.108.75.0/24 will probably do no harm.

Friday, 8 July 2011

Evil network: hotmailbox.com

The domain hotmailbox.com often comes up when looking at malicious domains, it's a domain used to provide a bulletproof email address for domain registration. The registrar for hotmailbox.com is the scammer's favourite, BIZCN which probably explains why it has lingered for so long.

There are several hundred domains registered through email accounts at hotmailbox.com, all of them are bogus and follow a similar pattern with bogus US addresses. Most of the domains with active websites are hosted in Romania, in netblocks that have a known bad reputation.

You can download a list of domains, IPs and MyWOT ratings for at least some of these domains here [CSV], or if you just want a plain list then keep scrolling down.

Because the hotmailbox.com domains are all in bad blocks or dedicated servers, then it is possible to block access to these IP ranges or individual boxes to prevent infection. I would recommend blocking the following:

84.247.61.0/24 (Sistem Soft Network, Romania)
91.217.162.0/24 (Voejkova Nadezhda, Russia)
94.63.149.0/24 (SC CORAL IT OFFICE SRL, Romania)
94.244.80.7 (Uab Kauno Interneto Sistemos, Lithunia)
95.64.55.0/24 (Netserv Consult SRL, Romania)
96.9.139.208/28 (UAB "Dominant Plius", c/o HOSTNOC, US)
141.136.16.14 (MORE SECURE SRL, Romania)
173.236.34.238 (Inferno Solutions, UK)
184.105.178.85 (Hurricane Electric, US [parked])
188.138.90.110 (Intergenia AG, Germany)
188.138.116.223 (Intergenia AG, Germany)
188.229.0.0/17 (Netserv Consult SRL, Romania)
202.75.41.42 (TM VADS DC Hosting, Malaysia)
209.212.157.208/29 (BONHOST, Ukraine)
212.117.164.39 (root SA, Luxembourg)
217.23.9.247 (Worldstream, Netherlands)
220.112.0.0/18 (Guangzhou For Great Wall Broadband Network, China)

Not every site in those ranges is part of this group, and indeed there may be a few legitimate sites, but you are much more likely to come into contact with a malware site on these IP addresses than a real one, so treat them as "high risk".

If you have any examples of domains using hotmailbox.com that are not listed, then please consider adding them to the Comments.


8nm2.com
aaaholic.com
aaoutfit.com
aarocket.com
abcartel.com
abminute.com
abutable.com
acgoblin.com
aemodern.com
afchalet.com
agfiesta.com
alexblane.com
alisa-carter.com
analitycscredit.com
asweds.com
automaticsecurityscan.com
awesomepornofree.com
awfulice.com
bcrocket.com
bdcartel.com
bestipdns.com
bookaros.com
bookarra.com
bookavio.com
bookdolo.com
bookfula.com
bookgusa.com
bookmonn.com
bookmono.com
bookmylo.com
booknunu.com
bookpolo.com
booksgou.com
booksoco.com
booksolo.com
booktuba.com
bookvila.com
bookvivi.com
bookvoxy.com
bookzoul.com
bookzula.com
caldnsserver.com
calmsearch.org
cbhammer.com
cblender.com
cebistro.com
cfaholic.com
clickabundant.org
clickaccept.org
clickadvice.org
clickahead.org
clickalmost.org
clickan.org
clickancient.org
clickany.org
clickanybody.org
clickanybody.org
clickarrogant.org
clickarvada.org
clickattempt.org
clickautomatic.org
clickbad.org
clickbatonrouge.org
clickber.org
clickboa.org
clickbored.org
clickbrake.org
clickbury.org
clickcharleston.org
clickclear.org
clickclever.org
clickdesmoines.org
clickdowe.org
clickdrea.org
clickdreadful.org
clickfer.org
clickflat.org
clickfortlauderdale.org
clickfremont.org
clickhartford.org
clickicy.org
clickill.org
clickjacksonville.org
clickmesquite.org
clicknorman.org
clickodd.org
clickolathe.org
clicksalem.org
clickshy.org
clicksyracuse.org
clickwet.org
comasians.com
comchemicalsns.com
daily-basis.com
daletter.com
darksecurityscan.com
dateoncount.com
dbchalet.com
dnseasy.ru
dnsforwebuse.com
dns-good-you.com
dnshot.ru
dnssuperb.com
dnsundservice.com
dnsvip.ru
domainforuse.com
dowpolenas.org
dynamicip-dns.com
e48i.com
easysecurityscan.com
edsawake.org
edsawake.org
edsback.org
edsbang.org
edsbang.org
edsbeautiful.com
edsbent.com
edsbent.com
edsbid.com
edsblew.com
edscold.com
edsfull.com
edsfull.com
edswoken.org
emptywin.com
engduates.com
excellentdnshost.com
fastsapere.com
fastsofgeld.com
findacid.org
findaddition.org
findadvertisem.org
findalert.org
findangry.org
findattack.org
findawful.org
findbitter.org
findblow.org
findbrake.org
findbrave.org
findcaret.org
findchalk.org
findchance.org
findcheeks.org
findclumsy.org
findcolorful.org
findconsonant.org
findcopper.org
findcurly.org
finddamaged.org
finddistribution.org
finddrawer.org
finddriving.org
finddrop.org
findear.org
findearly.org
findears.org
findearth.org
findeast.org
findexperie.org
findeyes.org
findfertile.org
findfierce.org
findforeign.org
findforget.org
findfort.org
findforth.org
findharsh.org
findinexpensive.org
findinnocent.org
findjolly.org
findjoyous.org
findjuicy.org
findlate.org
findsister.org
findsize.org
findsky.org
findsour.org
findstage.org
findstart.org
findstation.org
findstem.org
findstep.org
findstitch.org
findstone.org
findstraight.org
findstrange.org
finduneven.org
findunsightly.org
findvoiceless.org
findwandering.org
findwet.org
findwicked.org
fixtracker.com
forumaccept.org
forumadd.org
forumadmire.org
forumadmit.org
forumadvise.org
forumafford.org
forumallow.org
forumamuse.org
forumanalyze.org
forumbusy.org
forumcalm.org
forumcold.org
forumcute.org
forumdamp.org
frailwin.com
frequentwin.com
gcocgle.com
goodworkdns.com
goodworkdns.com
googletrackgeo.com
hotmailbox.com
ibtable.com
ibtable.com
imageacid.org
imagebad.org
imagebent.org
imagefipe.org
imagelue.org
install-internet.com
ipbestdns.com
IpCodesNet.com
IpInternetExplorer.com
ipmagicnet.com
ipnetworklegal.com
ipsecurityuse.com
ip-tracing.com
IpWebDirectory.com
koxtable.com
lizamoon.com
m0o0.com
malineip.com
milapop.com
netlinksgo.com
networkdnstrust.com
nondeip.com
op0o.com
ottomip.com
ottomip.com
phlorip.com
pornootrada.com
portalkey.org
s0po.com
searchabout.org
searchact.org
searchadorable.org
searchadvice.org
searchaffect.org
searchafternoon.org
searchago.org
searchairplane.org
searchalaska.org
searchalice.org
searchalike.org
searchallow.org
searchaloud.org
searchalphabet.org
searchalready.org
searchalready.org
searchalso.org
searchalso.org
searchalthough.org
searcham.org
searchamount.org
searchamusement.org
searchand.org
searchangle.org
searchanimal.org
searchanswer.org
searchant.org
searchapparatus.org
searcharound.org
searcharrange.org
searcharrow.org
searchas.org
searchaside.org
searchask.org
searchasleep.org
searchaswe.org
searchat.org
searchate.org
searchatlantic.org
searchatmosphere.org
searchatom.org
searchatomic.org
searchattached.org
searchattention.org
searchbad.org
searchbase.org
searchbat.org
searchbattery.org
searchbattle.org
searchbegan.org
searchbeginning.org
searchbegun.org
searchbehavior.org
searchbehind.org
searchbet.org
searchbetsy.org
searchbeyond.org
searchbigger.org
searchbiggest.org
searchbilly.org
searchbirth.org
searchborn.org
searchbottle.org
searchbound.org
searchbow.org
searchbowl.org
searchbread.org
searchbreak.org
searchbreathe.org
searchbreathing.org
searchbreeze.org
searchbreeze.org
searchbrick.org
searchbrick.org
searchbrief.org
searchclumsy.com
searchcruel.org
searchdead.com
searchdear.org
searchdepressed.org
searchdrab.com
searchdrab.org
searchdull.com
searchelated.org
searchfertile.org
searchfindestablish.org
searchfindfix.org
searchfindfund.org
searchfoggy.org
searchgrieving.org
searchhuge.org
searchhumid.org
searchhushed.org
searchjewel.org
searchlarge.org
searchlazy.org
searchmany.org
searchmeat.org
searchmedical.org
searchmemory.org
searchmetal.org
searchmilk.org
searchminiature.org
searchmisty.org
searchmixed.org
searchmodern.org
searchnumber.org
searchodd.org
searchof.org
searchplant.org
searchrelieved.org
searchways.org
seardall.org
static-ipdns.com
t02j.com
tadygus.com
trafficjoyous.com
u98i.com
ultradnshost.com

Fake jobs: job-britain.com and job4america.com

Two new fake job domains that form part of this long-running series, job-britain.com and job4america.com are pushing fake job offers which will actually be illegal activities like money laundering.

These domains were registered just yesterday to a fake registrant called "Leonid Pravduk". Avoid.

If you have samples of the spam emails using these domains, please consider sharing them in the comments.

Thursday, 7 July 2011

Fake jobs: westgroupcv.net, wug-cunsulting.net, wug-joblist.com and wugcv-offers.com

Four new domains forming part of the very long-running "Lapatasker" series of fake job offers:

westgroupcv.net
wug-cunsulting.net
wug-joblist.com
wugcv-offers.com


These job offers will typically involve illegal money mule operations and other fraudulent activities. Unless you enjoy jail time, they are best ignored.

If you have any example emails, please consider sharing them in the comments!

Tuesday, 5 July 2011

Sapphire Town Real Estate (sapphiretown.com) suck

I don't normally post twice on one spammer, but the idiots at Sapphire Town Real Estate seem to have hit new levels of stupidity with this spam that they have now sent 283 times, apparently about 1% into a dictionary attack (so I can expect to see it 28,000 more times!)

If they are this stupid when it comes to doing business then I would advise giving them a wide berth.

Update: now 4386 times and counting!

Monday, 4 July 2011

Sapphire Town Real Estate "Labour Camps" spam. Just add slaves.

This spam for labour camps was so important to the sender that they sent it 300 times (and counting). Just add slaves, I guess. And in jolly Comic Sans too! Originating IP is 86.96.226.150 in the UAE, all attempts at contacting their abuse department bounce. Classy.

From: Sapphire Town Real Estate stre@emirates.net.ae
Reply-To: info@sapphiretown.com
To: Redacted
Date: 4 July 2011 19:12
Subject: Labour Camps

Dear Valued Customer,
We offer a wide variety of labour camps for rent in ALMUHAISNAH 2nd (Sonapour), AL QUOZ, JEBEL ALI and DIP with your exact requirements and reasonable price.


Labour Camp in Al Quoz
Total Rooms               = 295
Supervisors Rooms     = 5
Kitchen                      = 7
Dining                        =7
Toilet                        =117
Showers                    =117
Parking for 14 buses and 25 cars
Price                 = AED 1,250 All Inclusive
Labour camp in Al Muhaisnah 2nd
Total Rooms      = 140
Kitchen              = 3
Dining                = 3
Showers            = 60
Toilets               = 60
Price                 = AED 1,200 All Inclusive

Labour Camp for Rent in DIP phase 1
Total Room          = 70
Kitchen & Dining =2
Toilet & Showers = 50
Price                 = AED 1,600 All Inclusive

Labour Camp for Rent in Jebel Ali Ind.3
Total Rooms             = 200
Kitchen & Dining      = 4
Toilets & Showers    = 160
TV, First Aid, Gym & Service Room
Price                 = AED 1,400 All Inclusive
  • Labour Camps & Warehouses for Sale.
  • Residential Building For sale in Bur Dubai.
If you have any questions or concerns, please email us directly stre@eim.ae Or call 050-3479984///04-2576603
This E-mail has been sent to you as a person interested in the information enclosed. If you have received this e-mail in error please notify the originator of the Email If you want your Email to be removed PLEASE reply to info@sapphiretown.com to ''Remove from list''. We sincerely apologize for the possible inconvenience. 

Sunday, 3 July 2011

Fake jobs: europe-cv.net, gb-traffic.com and totaljoblists.net

A trio of domains being used to push fake jobs (such as money mule operations) and other illegal activities, part of this long running series. The domains were registered just yesterday.

europe-cv.net
gb-traffic.com
totaljoblists.net

Avoid any offers soliciting a reply to these domains. If you have an example spam email, please consider sharing it in the comments. Thanks!

Thursday, 30 June 2011

Fake jobs: au-jobposition.com

Another domain being used to promote money laundering jobs or other criminal enterprises is au-jobposition.com which forms part of this long-running scam.

As usual, avoid. If you have any samples, please consider posting them in the comments section.

Tuesday, 28 June 2011

Fake jobs: greece-joblist.com and italia-lavoro.net

A pair of domains offering fake money mule jobs or reshipping mule jobs, the greece-joblist.com and italia-lavoro.net domains seem to be targeting Italian and Greek victims and form part of this long running scam.

If you have any examples (especially non-English ones) please share them in the comments!

Sunday, 26 June 2011

yahoolink.php / DreamHost hack

It appears that a lot of DreamHost (New Dream Network LLC) sites have been hacked with malicious pages added to them. The issue impacts multiple servers at different DreamHost datacenters. Some sample IPs with infected sites include:

67.205.1.63
67.205.3.51
67.205.3.230
69.163.168.135
69.163.169.247
69.163.181.205
69.163.184.86
75.119.217.8

Given that the hacked pages all contain the string yahoolink.php then it is possible that these attacks are using a PHP vulnerability. The pages are then promoted through spam email. You can simply (carefully) search for  "yahoolink.php" in your favourite search engine to see the scope of the problem.

People who click on the link get redirected through several steps:

vedrozhuk7.com
63.226.210.102
NETPOINT, Utah

(no domain)
188.229.90.71
Securvera SRL, Romania

www.medi-corp24-7.com
94.60.121.34
Cover Sun Design SRL, Romania

The endpoint appears to be a standard fake pharmacy site, I couldn't see any malicious code but that could always change.

With Romanians hosts I recommend a one-strike policy.. i.e. block the whole lot as soon as you come across a netblock with malicious activity. Unless you have business dealings with Romania, then any traffic to a Romanian host is likely to be malware or spam related. So in this case, blocking 188.229.90.0/23 and 94.60.120.0/22 will probably do no harm.

Thursday, 23 June 2011

Peteris Sahurovs and Marina Maslobojeva arrested: Sagade hopefully busted

Another victory for the good guys, according to El Reg.
The Department of Justice and the FBI have cracked an international scareware ring believed to have scammed over $72m (£45m).

The gang screwed money out of more than a million victims. They installed software on their computers which falsely claimed to have detected viruses or malware. The gang then took payment for supposedly cleaning up the machines.

22-year-old Peteris Sahurovs and 23-year-old Marina Maslobojeva were arrested in Latvia on charges made in court in Minnesota. 
Although there are several bad hosts in Latvia, the one that really stands out is Sagade Ltd. And it looks very much as if Peteris Sahurovs worked for Sagade, his screen name on the internet was piotrek89 which was also the abuse address for the Sagade network.

Sagade seemed to be linked to a number of other Latvian outfits, so hopefully this will make a major dent in malicious activity from that country. Until it gets cleaned up though, Latvian netblocks should still be treated with suspicion.

The FBI have a press release about it here.

Fake job domains 23/6/11

Another day, another set of fake job domains forming part of this long-running scam. The domains were registered just two days ago to a presumably fictitious character called "Leonid Pravduk".

au-joblists.com
europ-joblist.com
gb-totaljob.com
uk-joblists.com
us-joblists.com


The "job" being offered is usually something like a money mule or taking part in a reshipping scam. In any case, the so-called job is illegal and should be avoided.

If you have a copy of a sample email, please share it in the comments section!

Wednesday, 22 June 2011

Some malware sites to block

These domains are associated with the Win32/FakeRean "Fake anti-virus" trojan, and are worth blocking.


Domain IP
laxesepaweno.com 50.23.83.40
fugegewulevu.com 50.23.83.41
tepucazij.com 50.23.83.42
cuhucupivu.com 50.23.84.216
sirakapofeti.com 50.23.84.217
zenevakyfa.com 50.23.84.218
tuwynaropotit.com 50.23.193.236
cikipihigilani.com 50.23.193.237
pifajeniwyt.com 50.23.193.238
wumytaxuboly.com 50.23.200.56
tevisuwapucumu.com 76.73.85.251
jicylegavade.com 76.73.85.252
dolagomosu.com 85.17.239.191
bumucewafypevy.com 85.17.239.192
xaqygacatewuk.com 85.17.239.198
mysupigaqyme.com 173.193.196.178
zypomamuzosa.com 173.249.145.53
nylujusofo.com 173.249.145.54
qajivehucewupo.com 173.249.145.55
wyduzylys.com 174.36.220.136
vyqivaneh.com 174.36.220.136
litubibam.com 174.36.220.138
pykolujij.com 188.240.32.162
gyravatimak.com 188.240.32.163
dubacobimude.com 188.240.32.164
waliwetixybuk.com 204.45.41.82
tixirukemosa.com 204.45.41.83
sumuryvynuh.com 204.45.41.84
dazixydecamur.com
cadyfahirecyci.com
myfofeviqilo.com

The Comodo report for this bit of nastiness is here.

Tuesday, 21 June 2011

"Federal Tax transfer rejected" malware

I've never paid taxes to the IRS and I don't intend to now..

From: Jeannette_Case@irs.gov
Date: 21 June 2011 11:16
Subject: Federal Tax transfer rejected

Your federal Tax payment (ID: 632869994691), recently from your checking account was canceled by the your Bank.

Canceled Tax transfer
Tax Transaction ID: 632869994691
Reason of rejection See details in the report below
FederalTax Transaction Report

tax_report_632869994691.pdf.exe (self-extracting
archive, Adobe PDF)

Internal Revenue Service, Metro Plex 1, 8401 Corporate Drive, Suite 300, Landover, MD  20785

The spam attempts (and fails) to download malware from uhkusrrthyjshjfd.cz.cc (89.208.149.215, Russia) via IRS-REPORTS-WEB-FILE-6856.INFO (parked at Godaddy). In my opinion, all .cz.cc domains are suspect and are worth blocking.

Update 28/9/11: a new version of this email is doing the rounds. This DOES successfully infect vulnerable machines, I will try to find more details.