The domain name virtualmapping.org sounds legitimate, but isn't.. it's a redirector used on hacked websites. The first time you visit one of these hacked sites via a Google search, you get redirected to a URL at virtualmapping.org/cgi-bin/r.cgi. Subsequent visits don't seem to trigger this, nor does visiting the site directly. It could be an altered .htaccess file.
virtualmapping.org is hosted on 94.63.149.246 which is unsurprisingly enough in Romania, in a Cobalt IT SRL block suballocated to SC Coral IT Office SRL / xnetworkings.com also in Romania. Sites in these Cobalt ranges are either all evil or are of interest to Romanian visitors only, so one quick and easy way to secure your network is to block the entire 94.60.0.0/14 range.. at the very least, block 94.63.149.0/24, 94.63.244.0/24 and 94.60.123.0/24 which are especially toxic.
After hitting virtualmapping.org, visitors are then redirected to one of the following sites on 95.168.178.206, hosted at Netdirekt in Frankfurt but actually allocated to a host called inferno.name (Sogreev Anton, Serbia). 95.168.178.0/24 is full of Russian porn sites, so probably a good thing to block in any case.
Some of the domains that are loading the malware are:
could0.nc-9.com
gets1.nc-9.com
realized2.nc-9.com
summer3.nc-9.com
principle4.nc-9.com
watching4.nc-9.com
and5.nc-9.com
electric6.nc-9.com
plane6.nc-9.com
show7.nc-9.com
fig8.nc-9.com
ever8.nc-9.com
feet8.nc-9.com
league9.nc-9.com
event9.nc-9.com
became0.nc-9.com
sense4.nc-9.com
Basically, anything in the nc-9.com domain apart from nc-9.com and www.nc-9.com has been hijacked and is pointing to the IP address in Frankfurt. It's not a surprise to see that nc-9.com is actually a legitimate domain registered at GoDaddy that appears to have been hijacked.
The payload is a nasty trojan according to various analysis tools (ThreatExpert, Comodo, Anubis). Detection rates are very low. The analysis tools might help you to clean up your PC if you have somehow become infected.
Of some interest, the trojan alters the HOSTS file to block access to popular torrent sites such as the Pirate Bay. It also calls home to two domains, assistancebeside.com (78.159.100.32) and imagehut4.cn which was actually deleted last year, but was registered to the scumbags at Real Host Ltd.
There's quite a lot to block here, the highest priorities are:
94.63.149.246
95.168.178.206
78.159.100.32
*.nc-9.com
assistancebeside.com
virtualmapping.org
I see no harm in blocking the following /24s:
94.63.149.0/24
95.168.178.0/24
And if you're not afraid to block really quite large address ranges:
94.60.0.0/14
Tuesday, 2 August 2011
virtualmapping.org redirect
Labels:
.htaccess,
inferno.name,
Injection Attacks,
Netdirekt,
Romania,
Serbia
Monday, 1 August 2011
Fake jobs: careers-canada.com
One fake job domain today, and the scammers seem to have shifted to a new target - Canada. This time, the domain is careers-canada.com, registered only yesterday to the fictitious "Alexey Kernel" in the Ukraine.
The standard approach with these scammers is to spoof an email "from" the target's email address (don't worry if you see this, your email account has not been compromised) and the emails offer a variety of illegal jobs including money laundering. It forms part of this long-running scam.
If you have any examples of emails using this domain, please consider sharing them in the Comments.. thanks!
The standard approach with these scammers is to spoof an email "from" the target's email address (don't worry if you see this, your email account has not been compromised) and the emails offer a variety of illegal jobs including money laundering. It forms part of this long-running scam.
If you have any examples of emails using this domain, please consider sharing them in the Comments.. thanks!
Labels:
Canada,
Job Offer Scams,
Lapatasker,
Money Mule,
Russia,
Spam
Saturday, 30 July 2011
Fake job domains 30/7/11
Six new fake job domains today to avoid:
allnew-careers.com
argentina-hire.com
career-lists.com
career4your.com
world-career.com
your-careers.com
The recent approach has been to spam out emails that appear to be "from" the recipient. Sometimes the emails are poorly translated into Spanish, Portuguese or Greek.
The "jobs" on offer are illegal activities such as money laundering and form part of this very long running scam that has been going on for at least two years.
The domain registrant details are fake:
Mail for these domains is being routed through mx.yandex.ru in Russia.
These job offers are completely bogus and could land you in serious trouble with the police. If you have an example email using one of these domains, please consider sharing it in the Comments. Thanks!
allnew-careers.com
argentina-hire.com
career-lists.com
career4your.com
world-career.com
your-careers.com
The recent approach has been to spam out emails that appear to be "from" the recipient. Sometimes the emails are poorly translated into Spanish, Portuguese or Greek.
The "jobs" on offer are illegal activities such as money laundering and form part of this very long running scam that has been going on for at least two years.
The domain registrant details are fake:
Alexey Kernel Email: johnkernel26@yahoo.co.uk Organization: Alexey Kernel Address: Kreshchatyk Street 34 City: Kiev State: Kiev ZIP: 01090 Country: UA Phone: +38.00442794512
Mail for these domains is being routed through mx.yandex.ru in Russia.
These job offers are completely bogus and could land you in serious trouble with the police. If you have an example email using one of these domains, please consider sharing it in the Comments. Thanks!
Labels:
Argentina,
Job Offer Scams,
Lapatasker,
Money Mule,
Russia,
Scams,
Spam
Friday, 29 July 2011
"Iranian" Advanced Fee Fraud
Claiming to come from Iran, but actually originating from 115.249.131.254 in India, this allegedly Iranian scam is just a new twist on the Nigerian 419 scams that we are all familiar with.. in other words, this is an advanced fee fraud.
Avoid.
From: Ghohestani Hananehsadat Seyedhemed 115.249.131.254@webmail.sphpl.com
Reply-To: iranianhananehsadat@gawab.com
Date: 29 July 2011 07:55
Subject: FROM IRAN.....
My name is Ghohestani Hananehsadat Seyedhemed; I was born in Mashad, Iran on 05th March 1991 to Mr and Mrs G. Seyedhemed, who dead in the January 2011 plane crash in Iran that killed more than 80 people including my Father, Mother and younger brother Ali.
http://www.ndtv.com/video/player/news/nearly-80-killed-in-iran-plane-crash/186668
My father was a retired nuclear scientist and has worked in different project in Iran and outside Iran but lately there was a spate of serial killings of Iranian nuclear scientist and my father knew about it and was making arrangement for our trip and relocation to a foreign country and me and my brother was issued international passport on 15th July 2010 in preparation for our relocation and my father also made a deposit in a foreign bank amounting to $24,500,000USD(Twenty Four Million Five Hundred United States Dollars) for the settling in another country.
Since my father died i have been trying to get the funds because i have the deposit documents and contact of his Lawyer who i have spoken with just after my fathers death but as a single lady in Iran you just cannot do anything on your own, you are not allowed to travel out of Iran and moreover with no access to telephone or constant internet. My father’s family took all that my father had here in Iran and forced me into marrying my father’s Friend when i disagreed initially they beat me and said as a single girl i cannot stay alone so i had no choice than to marry him. My life is really miserable because i am not allowed to go out, have visitors or use the phone.I have lost my pride as a woman. Luckily for me, my husband has a daughter my age and she allows me use her computer when she is around actually not knowing what i do here.
Please i am contacting you in the Name of Almighty Allah who i serve and who my family serve to help me in getting these funds. All you need to do is stand as my family member and be next of Kin because the Lawyer told me then to suggest anybody who can stand as the next of kin and he will prepare necessary document but i cannot bring anyone from my father’s family since all they want is to claim my father’s property.
I will send you the deposit certificate and the Lawyers contact so that you can make urgent contact with him. I will also send you my ID or passport for Identification if you need that. You may wonder why i am contacting you, a complete stranger but i trust you more than my father’s brothers who has done no good but harm to me and i know that you will not disappoint me too because i have gone through nights of prayers just to locate a reliable person who can help me out of this problem.
I will need you to reply me with your details as follows to (iranianhananehsadat@gawab.com)
Name.................................
Address.............................
Phone number........................
Age.................................
Sex.................................
Occupation..........................
Email:..............................
As soon as the money is transferred to you. We shall share the total amount 60% for me and 30% for you and 10% for any expenses incurred during this transaction. I want to use my share to get out of Iran and invest in a foreign Country. I hope to hear from you as soon as possible and may Allah bless you and your family.
Respectfully,
Ghohestani Hananehsadat Seyedhemed
Avoid.
Labels:
Advanced Fee Fraud,
Iran,
Scams,
Spam
Fake jobs: chile-hh.com, cl-joblists.com, pt-joblist.com and spain-joblist.com
Four new fake job domains today, targeting victims in South America, Spain and Portugal.
chile-hh.com
cl-joblists.com
pt-joblist.com
spain-joblist.com
These domains were all registered in the past few days. The standard email approach seems to be "from" the victim, and they are often badly translated into Portuguese and Spanish.
The "jobs" on offer are not jobs at all, they usually involve money laundering and other criminal activities. They form part of this very long running scam that has been going on for years.
Three of the four domains have a new (fake) registrant that we haven't seen before:
If you have an example email, please consider sharing it in the comments.
chile-hh.com
cl-joblists.com
pt-joblist.com
spain-joblist.com
These domains were all registered in the past few days. The standard email approach seems to be "from" the victim, and they are often badly translated into Portuguese and Spanish.
The "jobs" on offer are not jobs at all, they usually involve money laundering and other criminal activities. They form part of this very long running scam that has been going on for years.
Three of the four domains have a new (fake) registrant that we haven't seen before:
Alexey Kernel Email: johnkernel26@yahoo.co.uk Organization: Alexey Kernel Address: Kreshchatyk Street 34 City: Kiev State: Kiev ZIP: 01090 Country: UA Phone: +38.00442794512
If you have an example email, please consider sharing it in the comments.
Labels:
Chile,
Job Offer Scams,
Lapatasker,
Money Mule,
Portugal,
Russia,
Scams,
Spain
Thursday, 28 July 2011
Fake jobs: trabajo-lista.com
A single fake domain today, trabajo-lista.com uses the same approach as yesterday's domains, again targeting Spanish language speakers with money laundering jobs and other illegal activities.
Emails will most likely appear to be "from" yourself. This particular scam has been going on now for several years.
If you have a sample, please consider sharing it in the Comments. Thanks!
Emails will most likely appear to be "from" yourself. This particular scam has been going on now for several years.
If you have a sample, please consider sharing it in the Comments. Thanks!
Labels:
Job Offer Scams,
Lapatasker,
Money Mule,
Russia,
Scams,
Spain
Wednesday, 27 July 2011
Fake jobs: chile-hh.com, cv-trabalho.com, espana-hh.com and worldjoblists.com
These domains are being used to advertise fake jobs and appear to be targeting Spanish and Portuguese speakers. They form part of this long-running series of domains associated with fake job offers.
chile-hh.com
cv-trabalho.com
espana-hh.com
worldjoblists.com
The jobs being offered are typically money laundering (lavado de dinero / lavagem de dinheiro) which are highly illegal. It is possible that some other jobs offered may be "back office" functions, including translation into local languages.
The domains are very new, registered in the past two days to:
If you have any examples of mail using these domains, please consider sharing them in the Comments section. Thanks.
chile-hh.com
cv-trabalho.com
espana-hh.com
worldjoblists.com
The jobs being offered are typically money laundering (lavado de dinero / lavagem de dinheiro) which are highly illegal. It is possible that some other jobs offered may be "back office" functions, including translation into local languages.
The domains are very new, registered in the past two days to:
Ricardo Lopez Email: ricardolip2@yahoo.com Organization: Ricardo Lopez Address: ul. Liivalaia 34-10 City: Tallin State: Tallin ZIP: 15040 Country: EE Phone: +3.726317190
If you have any examples of mail using these domains, please consider sharing them in the Comments section. Thanks.
Labels:
Chile,
Job Offer Scams,
Lapatasker,
Money Mule,
Portugal,
Russia,
Scams,
Spain
Tuesday, 26 July 2011
Phishtank FAIL: paypal.de
paypal.de is pretty obviously a legitimate PayPal domain, registered to eBay and hosted on 66.211.168.83 in eBay's address space. However, Phishtank thinks that it is a phish.. well, OK, false positives happen.. but the problem here is that it has been manually verified as a phish which really does show a weakness in the Phishtank verification system. It's not the first time it has happened.
So, if you are in Germany and find that paypal.de is blocked, then this is the reason why.
So, if you are in Germany and find that paypal.de is blocked, then this is the reason why.
Saturday, 23 July 2011
Fake jobs: eur-exlusive.com
Another addition to this series of fake job offers is the domain eur-exlusive.com.
Assuming that this follows the standard pattern of dozens of other domains, then these will be too-good-to-be-true job offers that appear to have been emailed "from" yourself. The jobs on offer will actually be money laundering or some other criminal activity.
The domain was registered on 23th July, to a fake registrant "Ricardo Lopez", allegedly from Estonia. Avoid at all costs.
If you have a sample, please consider sharing it in the Comments.
Assuming that this follows the standard pattern of dozens of other domains, then these will be too-good-to-be-true job offers that appear to have been emailed "from" yourself. The jobs on offer will actually be money laundering or some other criminal activity.
The domain was registered on 23th July, to a fake registrant "Ricardo Lopez", allegedly from Estonia. Avoid at all costs.
If you have a sample, please consider sharing it in the Comments.
Labels:
Job Offer Scams,
Lapatasker,
Money Mule,
Russia,
Scams
Friday, 22 July 2011
Sky survey boll*cks
I'm feeling quite sweary this week, so here's a stupid email from a market research company who are pretending not to be doing it for Sky (I know it's for Sky because it uses an email address only used to sign up to Sky). It's b*llocks basically.
So.. you want me to spend 15 minutes doing market research for Sky - a company that I don't use for broadband - just to help them shape their business? I did very much enjoy telling them that I don't have a TV or broadband access. Maybe this will screw up their survey.
Is this spam? It's hard to tell. I have a pre-existing relationship with Sky, but I'm pretty sure I didn't opt-in for this. It would be much more honest if Sky just admitted that they were behind it. Although perhaps their relationship with Rupert Murdoch's empire might be driving them to keep it quiet..
From: Tpoll Broadband Survey helpdesk@tpoll.net
Date: 22 July 2011 16:19
Subject: A survey about your broadband provider
Dear Mr Dynamoo
A well-known broadband provider has commissioned us here at Tpoll, an independent market research agency, to talk to people about their opinions and experiences with their TV and broadband providers.
The broadband provider in question is very keen to properly understand their customers’ needs, how well the products and services they offer are meeting their needs, and how they compare to other providers. They have asked Tpoll to investigate and we have invited you to take part in an online survey to share your thoughts and opinions.
This survey is organised and run under the rules of the Market Research Society. All responses will be strictly confidential and results will only be looked at on an aggregated level so please be as honest as you can with your answers.
Your answers will be very much appreciated and will be extremely valuable in shaping the products and services the provider offers.
Please click on the link below to start the survey - it should take 10 to 15 minutes to complete.
Click here to begin
Many Thanks,
Elizabeth Green
Tpoll Market Intelligence
So.. you want me to spend 15 minutes doing market research for Sky - a company that I don't use for broadband - just to help them shape their business? I did very much enjoy telling them that I don't have a TV or broadband access. Maybe this will screw up their survey.
Is this spam? It's hard to tell. I have a pre-existing relationship with Sky, but I'm pretty sure I didn't opt-in for this. It would be much more honest if Sky just admitted that they were behind it. Although perhaps their relationship with Rupert Murdoch's empire might be driving them to keep it quiet..
Thursday, 21 July 2011
Etisalat - f*ck you very much
If you've never heard of Etisalat then you are probably lucky. Etisalat is the monopoly telecoms provider in the UAE, and like all monopoly providers it is basically crap.
Why am I bothered? Well, after receiving this same spam 4386 times with no sign of a let-up, then I thought it might be nice if Etisalat educated their customer. Unfortunately, Etisalat's abuse mailbox doesn't work, presumably because it is packed full of complaints and nobody from Etisalat can manage to shift their fat sweaty arses enough to look at it.
Now, not getting a response to abuse complaints is pretty typical and not really worth commenting on. However, I was eventually able to get a response from customer support. And it looked promising!
Anyway, 86.96.226.150 is the culprit to block but if you follow Etisala's own recommendations then block email coming in from 86.96.226.0 - 86.96.239.255 (86.96.224.0/20) just to be on the safe side.
And Etisalat, in the words of the FCC Song, f*ck you very much.
Why am I bothered? Well, after receiving this same spam 4386 times with no sign of a let-up, then I thought it might be nice if Etisalat educated their customer. Unfortunately, Etisalat's abuse mailbox doesn't work, presumably because it is packed full of complaints and nobody from Etisalat can manage to shift their fat sweaty arses enough to look at it.
Now, not getting a response to abuse complaints is pretty typical and not really worth commenting on. However, I was eventually able to get a response from customer support. And it looked promising!
Thank you for contacting Etisalat Customer Care Center.Great.. I thought. Better late than never. So I waited.. and the next reply was basically a "fuck you" from Etisalat:
Further to your email, please accept our sincere apologies for any inconvenience happened. We had escalated the issue to the concerned department and will update you soon after we receive a reply. Kindly bear with us for the delay. reference number 388135
Once again we thank you for contacting us and looking forward to serving you in the future. For any further clarification please contact Etisalat Customer Care Center.
Thank you for contacting Etisalat Customer Care Center.Wait.. what? The solution to Etisalat allowing customers to spam is.. basically to block email from Etisalat? So basically it is just too much effort for Etisalat to actually do anything. Maybe the airconditioning is broken in the Etisalat support offices and their arses are just too fat and sweaty today..
Kindly enable sufficient anti spam settings or add filters in your email to overcome the situation.
Once again we thank you for contacting us and looking forward to serving you in the future. For any further clarification please contact Etisalat Customer Care Center.
Anyway, 86.96.226.150 is the culprit to block but if you follow Etisala's own recommendations then block email coming in from 86.96.226.0 - 86.96.239.255 (86.96.224.0/20) just to be on the safe side.
And Etisalat, in the words of the FCC Song, f*ck you very much.
Fake jobs: world-chilecv.com
Just a single fake job domain today, world-chilecv.com is an addition to this long-running series of so-called job offers which actually turn out to be money laundering or some other criminal activity.
The domain in question was registered just yesterday to the no-doubt fake reigstrant:
This domain was registered only yesterday. Avoid.
The domain in question was registered just yesterday to the no-doubt fake reigstrant:
Ricardo Lopez Email: ricardolip2@yahoo.com Organization: Ricardo Lopez Address: ul. Liivalaia 34-10 City: Tallin State: Tallin ZIP: 15040 Country: EE Phone: +3.726317190
This domain was registered only yesterday. Avoid.
Labels:
Chile,
Job Offer Scams,
Lapatasker,
Money Mule,
Russia,
Scams
Wednesday, 20 July 2011
Epsilon Breach Spam Run
The Epsilon Data Breach from a few months back certainly made headlines, but I haven't seen much in the way of spam activity that I could directly attribute to it. Until now.
At first glance it looks like a standard money mule spam, but there are two odd things. One is the "Subject" line which has the actual name of the spam victim. Not their email address, their real name.. more of this in a minute. The other odd thing is that the "From" address appears to be valid, and the email really has originated from Hotmail, presumably in some sort of auto-generated spamming account.
The inclusion of the recipient's name in the subject is the odd thing. In this case, I had a bunch of largely unrelated users in different countries with very similar email messages. So where had the names come from? Well, there were a couple of anomalies which gave a clue.. in two cases the "Subject" name was a family member, and not the actual recipient.
This narrowed down the possibilities, and it became apparent that the users had registered for something in the name of a family member, but using their own email account. And in one case that tied directly to a company which was a victim of the Epsilon data breach.
Looking over the other spam recipients, the majority were on the mailing list of Hilton Honors, Marriott Rewards, Marks and Spencer, Capital One or other Epsilon customers. Some didn't fit the pattern, but were connected with Pixmania, Plentyoffish.com and Play.com which were all hacked at about the same time. So perhaps the spammer's list is made up of data from more than one source.
Do I know for sure that this is connected with the Epsilon breach? No. But the inclusion of the family member's names indicates that they were harvested externally, the majority of users could be shown to have a connection to companies involved in the Epsilon breach, and the small number who couldn't seemed to be users of other breached companies.
This spam was very crude in its actual pitch. But I'm guessing that this will be the first of many more targeted spam/scam emails using this stolen data.
From: Olga Sunday [mailto:SundayqyOhilga@hotmail.com]
Sent: 18 July 2011 17:31
To: Spam Victim
Subject: Spam Victim
Hello.
Don't miss unique employment opportunity.
The company is seeking for enthusiastic representative in United Kingdom to help us spread out our activity in the Europe area.
easy training available.
Superb income potential.
Conditions:
- 18+ age
- Only basic knowledge of Internet & computer.
- 2-3 free hours per day
Candidates must be smart and commerce motivated. Operate only few hours per day.
Everyone located in the United Kingdom can become our representative.
Thank you for your attention.
_______________________
Current News : honor rolls for monday, july , .
At first glance it looks like a standard money mule spam, but there are two odd things. One is the "Subject" line which has the actual name of the spam victim. Not their email address, their real name.. more of this in a minute. The other odd thing is that the "From" address appears to be valid, and the email really has originated from Hotmail, presumably in some sort of auto-generated spamming account.
The inclusion of the recipient's name in the subject is the odd thing. In this case, I had a bunch of largely unrelated users in different countries with very similar email messages. So where had the names come from? Well, there were a couple of anomalies which gave a clue.. in two cases the "Subject" name was a family member, and not the actual recipient.
This narrowed down the possibilities, and it became apparent that the users had registered for something in the name of a family member, but using their own email account. And in one case that tied directly to a company which was a victim of the Epsilon data breach.
Looking over the other spam recipients, the majority were on the mailing list of Hilton Honors, Marriott Rewards, Marks and Spencer, Capital One or other Epsilon customers. Some didn't fit the pattern, but were connected with Pixmania, Plentyoffish.com and Play.com which were all hacked at about the same time. So perhaps the spammer's list is made up of data from more than one source.
Do I know for sure that this is connected with the Epsilon breach? No. But the inclusion of the family member's names indicates that they were harvested externally, the majority of users could be shown to have a connection to companies involved in the Epsilon breach, and the small number who couldn't seemed to be users of other breached companies.
This spam was very crude in its actual pitch. But I'm guessing that this will be the first of many more targeted spam/scam emails using this stolen data.
Labels:
Data Breach,
Epsilon,
Spam
Sunday, 17 July 2011
Fake jobs: eur-cvlist.com, gr-hire.com and world-cvlist.com
Three new fake jobs domains following this pattern, offering bogus jobs which will actually turn out to be money laundering or some other criminal activity.
eur-cvlist.com
gr-hire.com
world-cvlist.com
One characteristic of recent emails is that they appear to come "from" the recipient, as the spammers have forged the "from" field (which is very easy to do).
The registrant details for the domain are no doubt fake:
The domains were registered two days ago on 15th July. If you have samples of spam using these domains, please consider sharing them in the comments.
eur-cvlist.com
gr-hire.com
world-cvlist.com
One characteristic of recent emails is that they appear to come "from" the recipient, as the spammers have forged the "from" field (which is very easy to do).
The registrant details for the domain are no doubt fake:
Ricardo Lopez
Email: ricardolip2@yahoo.com
Organization: Ricardo Lopez
Address: ul. Liivalaia 34-10
City: Tallin
State: Tallin
ZIP: 15040
Country: EE
Phone: +3.726317190
Email: ricardolip2@yahoo.com
Organization: Ricardo Lopez
Address: ul. Liivalaia 34-10
City: Tallin
State: Tallin
ZIP: 15040
Country: EE
Phone: +3.726317190
The domains were registered two days ago on 15th July. If you have samples of spam using these domains, please consider sharing them in the comments.
Labels:
Greece,
Job Offer Scams,
Lapatasker,
Money Mule,
Russia,
Scams
Friday, 15 July 2011
Christwire.org hacked with sokoloperkovuske.com redirect
This summary is not available. Please
click here to view the post.
Labels:
.htaccess,
Fake Anti-Virus,
Korea,
Latvia
Thursday, 14 July 2011
yahlink.php / DreamHost hack
Almost identical in every way to this injection attack, several Dreamhost sites have been compromised with a page called yahlink.php (it was yahoolink.php before), which is being spammed out through compromised AOL accounts.
It isn't just Dreamhost hosted sites that are being spammed out in this way, but it does appear that well over half the sites are on Dreamhost. It looks like some GoDaddy customers might have been hit too.
In this case, the spammed link directs to krokodilius8.com/gosem11.php which is hosted on 78.129.132.26 which appears to be iomart Hosting Ltd in the UK. All the sites on that server appear to have have fake registrant details, so you can assume that they are bogus:
bepfinance.com
brentnallfg.com
estatediary.com
forfreeblog.net
freeblogpro.org
freetrialmail.com
krokodilius8.com
lucky-bet.in
pubertavad.com
russwoman.ru
superblogonline.org
thebloggin.net
vedrozhuk7.com
yourtraveldiary.net
Users are then directed to another host in Romania, 188.229.89.230 which belongs to Netserv Consult SRL. It is my opinion that there is nothing of value in the entire 188.229.0.0/17 range and you can safely block access to the entire lot.
The final step is to a host called drugstorehealthrisks.net hosted on 90.182.175.232 which looks like a broadband connection in the Czech Republic. The site isn't loading for me, but I guess it's just pharma spam. These other sites are hosted on the same server:
fatdrugstoremeds.net
healthrxinsurance.net
healthrxpharmacyinsurance.com
healthtabletsnook.net
Dreamhost have been informed of the issue but don't appear to have done anything to secure their users. Blocking Dreamhost IPs might be something worth considering depending on what kind of shop you run. I have spotted malicious activity in the following IP ranges:
67.205.0.0/18
69.163.128.0/17
75.119.192.0/19
208.97.128.0/18
..although blocking access to the Romanian 188.229.0.0/17 block would also pretty much acheive the same thing without blocking access to any legitimate sites that might be on Dreamhost.
It isn't just Dreamhost hosted sites that are being spammed out in this way, but it does appear that well over half the sites are on Dreamhost. It looks like some GoDaddy customers might have been hit too.
In this case, the spammed link directs to krokodilius8.com/gosem11.php which is hosted on 78.129.132.26 which appears to be iomart Hosting Ltd in the UK. All the sites on that server appear to have have fake registrant details, so you can assume that they are bogus:
bepfinance.com
brentnallfg.com
estatediary.com
forfreeblog.net
freeblogpro.org
freetrialmail.com
krokodilius8.com
lucky-bet.in
pubertavad.com
russwoman.ru
superblogonline.org
thebloggin.net
vedrozhuk7.com
yourtraveldiary.net
Users are then directed to another host in Romania, 188.229.89.230 which belongs to Netserv Consult SRL. It is my opinion that there is nothing of value in the entire 188.229.0.0/17 range and you can safely block access to the entire lot.
The final step is to a host called drugstorehealthrisks.net hosted on 90.182.175.232 which looks like a broadband connection in the Czech Republic. The site isn't loading for me, but I guess it's just pharma spam. These other sites are hosted on the same server:
fatdrugstoremeds.net
healthrxinsurance.net
healthrxpharmacyinsurance.com
healthtabletsnook.net
Dreamhost have been informed of the issue but don't appear to have done anything to secure their users. Blocking Dreamhost IPs might be something worth considering depending on what kind of shop you run. I have spotted malicious activity in the following IP ranges:
67.205.0.0/18
69.163.128.0/17
75.119.192.0/19
208.97.128.0/18
..although blocking access to the Romanian 188.229.0.0/17 block would also pretty much acheive the same thing without blocking access to any legitimate sites that might be on Dreamhost.
Labels:
DreamHost,
Injection Attacks,
Netserv Consult SRL,
PHP,
Romania
Wednesday, 13 July 2011
Fake jobs: cl-exlusive.com, europ-exlusive.com, totalworld-job.com, uk-cvlists.com and uk-exlusive.com
Five new domains offering fake jobs (actually money laundering and other illegal activities), forming part of this long running series of scams.
cl-exlusive.com
europ-exlusive.com
totalworld-job.com
uk-cvlists.com
uk-exlusive.com
The domains were created yesterday, registered to a no-doubt fake registrant:
If you have a sample email soliciting replies to one of these domains, please consider sharing it in the comments.
cl-exlusive.com
europ-exlusive.com
totalworld-job.com
uk-cvlists.com
uk-exlusive.com
The domains were created yesterday, registered to a no-doubt fake registrant:
Registrant:
Luca Drue
Email: lucadrue@yahoo.fr
Organization: Luca Drue
Address: 27, BERESTYANSKAYA STR
City: Minsk
State: Minsk
ZIP: BY-220123
Country: BY
Phone: +37.5172749317
Fax: +37.5172749311
Luca Drue
Email: lucadrue@yahoo.fr
Organization: Luca Drue
Address: 27, BERESTYANSKAYA STR
City: Minsk
State: Minsk
ZIP: BY-220123
Country: BY
Phone: +37.5172749317
Fax: +37.5172749311
If you have a sample email soliciting replies to one of these domains, please consider sharing it in the comments.
Labels:
Chile,
Job Offer Scams,
Lapatasker,
Money Mule,
Russia,
Scams
Tuesday, 12 July 2011
Fake HMRC site: confirm-hmrc.com / onlineservice.confirm-hmrc.com
This is a rather new phishing site, pretending to be a tax refund from the UK's HMRC agency pointing to the domain confirm-hmrc.com (subdomains www.confirm-hmrc.com and onlineservice.confirm-hmrc.com).
Although the phish looks convincing, the HMRC don't do tax refunds in this way. Usually they will just transfer the money to your bank account or alternatively send you a cheque. Furthermore, in my experience the HMRC only communicate by post and not electronic mail.
The site hosted on 218.108.75.53 in China. The same server also has the fraudulent domains account-update-westernunion.com, account-westernunion.com and accounts-westernunion.com. The domain registration details are fake:
Domain Name.......... confirm-hmrc.com
Creation Date........ 2011-07-12
Registration Date.... 2011-07-12
Expiry Date.......... 2012-07-12
Organisation Name.... wu wu
Organisation Address. 12 na
Organisation Address.
Organisation Address. miami
Organisation Address. 12311
Organisation Address. AL
Organisation Address. UNITED STATES
Admin Name........... wu wu
Admin Address........ 12 na
Admin Address........
Admin Address........ miami
Admin Address........ 12311
Admin Address........ AL
Admin Address........ UNITED STATES
Admin Email.......... sadasda@re.com
Admin Phone.......... +1.12312312312
Admin Fax............
Tech Name............ wu wu
Tech Address......... 12 na
Tech Address.........
Tech Address......... miami
Tech Address......... 12311
Tech Address......... AL
Tech Address......... UNITED STATES
Tech Email........... sadasda@re.com
Tech Phone........... +1.12312312312
Tech Fax.............
Name Server.......... ns2.confirm-hmrc.com
Name Server.......... ns1.confirm-hmrc.com
Blocking traffic to 218.108.75.0/24 will probably do no harm.
Although the phish looks convincing, the HMRC don't do tax refunds in this way. Usually they will just transfer the money to your bank account or alternatively send you a cheque. Furthermore, in my experience the HMRC only communicate by post and not electronic mail.
The site hosted on 218.108.75.53 in China. The same server also has the fraudulent domains account-update-westernunion.com, account-westernunion.com and accounts-westernunion.com. The domain registration details are fake:
Domain Name.......... confirm-hmrc.com
Creation Date........ 2011-07-12
Registration Date.... 2011-07-12
Expiry Date.......... 2012-07-12
Organisation Name.... wu wu
Organisation Address. 12 na
Organisation Address.
Organisation Address. miami
Organisation Address. 12311
Organisation Address. AL
Organisation Address. UNITED STATES
Admin Name........... wu wu
Admin Address........ 12 na
Admin Address........
Admin Address........ miami
Admin Address........ 12311
Admin Address........ AL
Admin Address........ UNITED STATES
Admin Email.......... sadasda@re.com
Admin Phone.......... +1.12312312312
Admin Fax............
Tech Name............ wu wu
Tech Address......... 12 na
Tech Address.........
Tech Address......... miami
Tech Address......... 12311
Tech Address......... AL
Tech Address......... UNITED STATES
Tech Email........... sadasda@re.com
Tech Phone........... +1.12312312312
Tech Fax.............
Name Server.......... ns2.confirm-hmrc.com
Name Server.......... ns1.confirm-hmrc.com
Blocking traffic to 218.108.75.0/24 will probably do no harm.
Friday, 8 July 2011
Evil network: hotmailbox.com
The domain hotmailbox.com often comes up when looking at malicious domains, it's a domain used to provide a bulletproof email address for domain registration. The registrar for hotmailbox.com is the scammer's favourite, BIZCN which probably explains why it has lingered for so long.
There are several hundred domains registered through email accounts at hotmailbox.com, all of them are bogus and follow a similar pattern with bogus US addresses. Most of the domains with active websites are hosted in Romania, in netblocks that have a known bad reputation.
You can download a list of domains, IPs and MyWOT ratings for at least some of these domains here [CSV], or if you just want a plain list then keep scrolling down.
Because the hotmailbox.com domains are all in bad blocks or dedicated servers, then it is possible to block access to these IP ranges or individual boxes to prevent infection. I would recommend blocking the following:
84.247.61.0/24 (Sistem Soft Network, Romania)
91.217.162.0/24 (Voejkova Nadezhda, Russia)
94.63.149.0/24 (SC CORAL IT OFFICE SRL, Romania)
94.244.80.7 (Uab Kauno Interneto Sistemos, Lithunia)
95.64.55.0/24 (Netserv Consult SRL, Romania)
96.9.139.208/28 (UAB "Dominant Plius", c/o HOSTNOC, US)
141.136.16.14 (MORE SECURE SRL, Romania)
173.236.34.238 (Inferno Solutions, UK)
184.105.178.85 (Hurricane Electric, US [parked])
188.138.90.110 (Intergenia AG, Germany)
188.138.116.223 (Intergenia AG, Germany)
188.229.0.0/17 (Netserv Consult SRL, Romania)
202.75.41.42 (TM VADS DC Hosting, Malaysia)
209.212.157.208/29 (BONHOST, Ukraine)
212.117.164.39 (root SA, Luxembourg)
217.23.9.247 (Worldstream, Netherlands)
220.112.0.0/18 (Guangzhou For Great Wall Broadband Network, China)
Not every site in those ranges is part of this group, and indeed there may be a few legitimate sites, but you are much more likely to come into contact with a malware site on these IP addresses than a real one, so treat them as "high risk".
If you have any examples of domains using hotmailbox.com that are not listed, then please consider adding them to the Comments.
There are several hundred domains registered through email accounts at hotmailbox.com, all of them are bogus and follow a similar pattern with bogus US addresses. Most of the domains with active websites are hosted in Romania, in netblocks that have a known bad reputation.
You can download a list of domains, IPs and MyWOT ratings for at least some of these domains here [CSV], or if you just want a plain list then keep scrolling down.
Because the hotmailbox.com domains are all in bad blocks or dedicated servers, then it is possible to block access to these IP ranges or individual boxes to prevent infection. I would recommend blocking the following:
84.247.61.0/24 (Sistem Soft Network, Romania)
91.217.162.0/24 (Voejkova Nadezhda, Russia)
94.63.149.0/24 (SC CORAL IT OFFICE SRL, Romania)
94.244.80.7 (Uab Kauno Interneto Sistemos, Lithunia)
95.64.55.0/24 (Netserv Consult SRL, Romania)
96.9.139.208/28 (UAB "Dominant Plius", c/o HOSTNOC, US)
141.136.16.14 (MORE SECURE SRL, Romania)
173.236.34.238 (Inferno Solutions, UK)
184.105.178.85 (Hurricane Electric, US [parked])
188.138.90.110 (Intergenia AG, Germany)
188.138.116.223 (Intergenia AG, Germany)
188.229.0.0/17 (Netserv Consult SRL, Romania)
202.75.41.42 (TM VADS DC Hosting, Malaysia)
209.212.157.208/29 (BONHOST, Ukraine)
212.117.164.39 (root SA, Luxembourg)
217.23.9.247 (Worldstream, Netherlands)
220.112.0.0/18 (Guangzhou For Great Wall Broadband Network, China)
Not every site in those ranges is part of this group, and indeed there may be a few legitimate sites, but you are much more likely to come into contact with a malware site on these IP addresses than a real one, so treat them as "high risk".
If you have any examples of domains using hotmailbox.com that are not listed, then please consider adding them to the Comments.
8nm2.com |
aaaholic.com |
aaoutfit.com |
aarocket.com |
abcartel.com |
abminute.com |
abutable.com |
acgoblin.com |
aemodern.com |
afchalet.com |
agfiesta.com |
alexblane.com |
alisa-carter.com |
analitycscredit.com |
asweds.com |
automaticsecurityscan.com |
awesomepornofree.com |
awfulice.com |
bcrocket.com |
bdcartel.com |
bestipdns.com |
bookaros.com |
bookarra.com |
bookavio.com |
bookdolo.com |
bookfula.com |
bookgusa.com |
bookmonn.com |
bookmono.com |
bookmylo.com |
booknunu.com |
bookpolo.com |
booksgou.com |
booksoco.com |
booksolo.com |
booktuba.com |
bookvila.com |
bookvivi.com |
bookvoxy.com |
bookzoul.com |
bookzula.com |
caldnsserver.com |
calmsearch.org |
cbhammer.com |
cblender.com |
cebistro.com |
cfaholic.com |
clickabundant.org |
clickaccept.org |
clickadvice.org |
clickahead.org |
clickalmost.org |
clickan.org |
clickancient.org |
clickany.org |
clickanybody.org |
clickanybody.org |
clickarrogant.org |
clickarvada.org |
clickattempt.org |
clickautomatic.org |
clickbad.org |
clickbatonrouge.org |
clickber.org |
clickboa.org |
clickbored.org |
clickbrake.org |
clickbury.org |
clickcharleston.org |
clickclear.org |
clickclever.org |
clickdesmoines.org |
clickdowe.org |
clickdrea.org |
clickdreadful.org |
clickfer.org |
clickflat.org |
clickfortlauderdale.org |
clickfremont.org |
clickhartford.org |
clickicy.org |
clickill.org |
clickjacksonville.org |
clickmesquite.org |
clicknorman.org |
clickodd.org |
clickolathe.org |
clicksalem.org |
clickshy.org |
clicksyracuse.org |
clickwet.org |
comasians.com |
comchemicalsns.com |
daily-basis.com |
daletter.com |
darksecurityscan.com |
dateoncount.com |
dbchalet.com |
dnseasy.ru |
dnsforwebuse.com |
dns-good-you.com |
dnshot.ru |
dnssuperb.com |
dnsundservice.com |
dnsvip.ru |
domainforuse.com |
dowpolenas.org |
dynamicip-dns.com |
e48i.com |
easysecurityscan.com |
edsawake.org |
edsawake.org |
edsback.org |
edsbang.org |
edsbang.org |
edsbeautiful.com |
edsbent.com |
edsbent.com |
edsbid.com |
edsblew.com |
edscold.com |
edsfull.com |
edsfull.com |
edswoken.org |
emptywin.com |
engduates.com |
excellentdnshost.com |
fastsapere.com |
fastsofgeld.com |
findacid.org |
findaddition.org |
findadvertisem.org |
findalert.org |
findangry.org |
findattack.org |
findawful.org |
findbitter.org |
findblow.org |
findbrake.org |
findbrave.org |
findcaret.org |
findchalk.org |
findchance.org |
findcheeks.org |
findclumsy.org |
findcolorful.org |
findconsonant.org |
findcopper.org |
findcurly.org |
finddamaged.org |
finddistribution.org |
finddrawer.org |
finddriving.org |
finddrop.org |
findear.org |
findearly.org |
findears.org |
findearth.org |
findeast.org |
findexperie.org |
findeyes.org |
findfertile.org |
findfierce.org |
findforeign.org |
findforget.org |
findfort.org |
findforth.org |
findharsh.org |
findinexpensive.org |
findinnocent.org |
findjolly.org |
findjoyous.org |
findjuicy.org |
findlate.org |
findsister.org |
findsize.org |
findsky.org |
findsour.org |
findstage.org |
findstart.org |
findstation.org |
findstem.org |
findstep.org |
findstitch.org |
findstone.org |
findstraight.org |
findstrange.org |
finduneven.org |
findunsightly.org |
findvoiceless.org |
findwandering.org |
findwet.org |
findwicked.org |
fixtracker.com |
forumaccept.org |
forumadd.org |
forumadmire.org |
forumadmit.org |
forumadvise.org |
forumafford.org |
forumallow.org |
forumamuse.org |
forumanalyze.org |
forumbusy.org |
forumcalm.org |
forumcold.org |
forumcute.org |
forumdamp.org |
frailwin.com |
frequentwin.com |
gcocgle.com |
goodworkdns.com |
goodworkdns.com |
googletrackgeo.com |
hotmailbox.com |
ibtable.com |
ibtable.com |
imageacid.org |
imagebad.org |
imagebent.org |
imagefipe.org |
imagelue.org |
install-internet.com |
ipbestdns.com |
IpCodesNet.com |
IpInternetExplorer.com |
ipmagicnet.com |
ipnetworklegal.com |
ipsecurityuse.com |
ip-tracing.com |
IpWebDirectory.com |
koxtable.com |
lizamoon.com |
m0o0.com |
malineip.com |
milapop.com |
netlinksgo.com |
networkdnstrust.com |
nondeip.com |
op0o.com |
ottomip.com |
ottomip.com |
phlorip.com |
pornootrada.com |
portalkey.org |
s0po.com |
searchabout.org |
searchact.org |
searchadorable.org |
searchadvice.org |
searchaffect.org |
searchafternoon.org |
searchago.org |
searchairplane.org |
searchalaska.org |
searchalice.org |
searchalike.org |
searchallow.org |
searchaloud.org |
searchalphabet.org |
searchalready.org |
searchalready.org |
searchalso.org |
searchalso.org |
searchalthough.org |
searcham.org |
searchamount.org |
searchamusement.org |
searchand.org |
searchangle.org |
searchanimal.org |
searchanswer.org |
searchant.org |
searchapparatus.org |
searcharound.org |
searcharrange.org |
searcharrow.org |
searchas.org |
searchaside.org |
searchask.org |
searchasleep.org |
searchaswe.org |
searchat.org |
searchate.org |
searchatlantic.org |
searchatmosphere.org |
searchatom.org |
searchatomic.org |
searchattached.org |
searchattention.org |
searchbad.org |
searchbase.org |
searchbat.org |
searchbattery.org |
searchbattle.org |
searchbegan.org |
searchbeginning.org |
searchbegun.org |
searchbehavior.org |
searchbehind.org |
searchbet.org |
searchbetsy.org |
searchbeyond.org |
searchbigger.org |
searchbiggest.org |
searchbilly.org |
searchbirth.org |
searchborn.org |
searchbottle.org |
searchbound.org |
searchbow.org |
searchbowl.org |
searchbread.org |
searchbreak.org |
searchbreathe.org |
searchbreathing.org |
searchbreeze.org |
searchbreeze.org |
searchbrick.org |
searchbrick.org |
searchbrief.org |
searchclumsy.com |
searchcruel.org |
searchdead.com |
searchdear.org |
searchdepressed.org |
searchdrab.com |
searchdrab.org |
searchdull.com |
searchelated.org |
searchfertile.org |
searchfindestablish.org |
searchfindfix.org |
searchfindfund.org |
searchfoggy.org |
searchgrieving.org |
searchhuge.org |
searchhumid.org |
searchhushed.org |
searchjewel.org |
searchlarge.org |
searchlazy.org |
searchmany.org |
searchmeat.org |
searchmedical.org |
searchmemory.org |
searchmetal.org |
searchmilk.org |
searchminiature.org |
searchmisty.org |
searchmixed.org |
searchmodern.org |
searchnumber.org |
searchodd.org |
searchof.org |
searchplant.org |
searchrelieved.org |
searchways.org |
seardall.org |
static-ipdns.com |
t02j.com |
tadygus.com |
trafficjoyous.com |
u98i.com |
ultradnshost.com |
Labels:
Evil Network,
Intergenia,
Netserv Consult SRL,
Romania
Fake jobs: job-britain.com and job4america.com
Two new fake job domains that form part of this long-running series, job-britain.com and job4america.com are pushing fake job offers which will actually be illegal activities like money laundering.
These domains were registered just yesterday to a fake registrant called "Leonid Pravduk". Avoid.
If you have samples of the spam emails using these domains, please consider sharing them in the comments.
These domains were registered just yesterday to a fake registrant called "Leonid Pravduk". Avoid.
If you have samples of the spam emails using these domains, please consider sharing them in the comments.
Labels:
Job Offer Scams,
Lapatasker,
Money Mule,
Russia,
Scams
Subscribe to:
Posts (Atom)