Another bunch of "redret" sites to block, either by domain name or IP. These domains are being used as the payloads for spam emails and leave to a malicious web page.
79.137.237.63 (Digital Network JSC aka DINETHOSTING, Russia - recommend blocking 79.137.224.0/20)
crredret.ru
ctredret.ru
czredret.ru
79.137.237.67 ((Digital Network JSC again)
ciredret.ru
coredret.ru
cpredret.ru
91.195.11.42 (UkrStar ISP, Ukraine - recommend blocking 91.195.10.0/23)
curedret.ru
Unallocated
caredret.ru
cbredret.ru
ccredret.ru
cdredret.ru
ceredret.ru
cfredret.ru
cgredret.ru
chredret.ru
cjredret.ru
ckredret.ru
clredret.ru
cmredret.ru
cnredret.ru
cqredret.ru
csredret.ru
cvredret.ru
cwredret.ru
cxredret.ru
cyredret.ru
Monday, 12 December 2011
c*redret.ru sites to block
Labels:
DINETHOSTING,
Redret,
Russia,
Ukraine,
UkrStar ISP
Evil network revisited: Specialist Ltd / Specialist-ISP-PI2 AS48691(194.28.112.0/22)
Specialist Ltd is a small Black Hat hosting company in Transnistria, a breakaway part of the former Soviet Republic of Moldavia. No UN members recognise Transnistria, and effectively it sits beyond the reach of international law enforcement. Quite a handy place for criminals to do business then.
I first wrote about this block last year, but it recently came into my sights again as the host for a very widespread injection attack using the lilupophilupop.com domain.
Since last year the number of malicious sites has dropped, but there is still not a legitimate site in sight. Most of the bad sites are currently on 194.28.114.102 but you should block access to 194.28.112.0/22 (194.28.112.0 - 194.28.115.255) if you can, because this range of IP addresses is nothing but trouble.
A list of sites hosted in this range is at the end of this post, or you can download a CSV with the MyWOT ratings and IP addresses from here.
Google's prognosis of this block is pretty horrible:
The WHOIS details for the bloack are:
Some domains and sites hosted in this block are:
ation72histor.rr.nu
blogsvk.ru
cliffordtravel.biz
comm98andsp.rr.nu
doutl31inesst.rr.nu
earni61ngunde.rr.nu
ensm60erch.rr.nu
eorge00gamee.rr.nu
ggesti51ngbina.rr.nu
globalpoweringgathering.com
globalpoweringgatheringit.com
globalpoweringgatheringon.com
h102-114.net.lan-rybnitsa.com
hoperjoper.ru
iess70elec.rr.nu
ift72hbot.rr.nu
ilto27nint.rr.nu
infoitpoweringgathering.com
infoitpoweringgatheringit.com
infoitpoweringgatheringon.com
inful07commi.rr.nu
lessthenaminutehandle.com
lessthenaseconddeal.com
lilupophilupop.com
lilypophilypop.com
llowe31dmeth.rr.nu
mail.lilupophilupop.com
mail.sweepstakesandcontestsinfo.com
ns1.hoperjoper.ru
ns2.hoperjoper.ru
root.sweepstakesandcontestsinfo.com
sekurepays.org
sical59lymemo.rr.nu
sokoloperkovuske.com
sokoloperkovuskeci.com
sokoloperkovuskedi.com
sweepstakesandcontestsdo.com
sweepstakesandcontestsinfo.com
sweepstakesandcontestsnow.com
tyco93uplin.rr.nu
wbesnancer.org
welcometotheglobaliscom.com
welcometotheglobalisnet.com
welcometotheglobalisorg.com
zevkblog.ru
I first wrote about this block last year, but it recently came into my sights again as the host for a very widespread injection attack using the lilupophilupop.com domain.
Since last year the number of malicious sites has dropped, but there is still not a legitimate site in sight. Most of the bad sites are currently on 194.28.114.102 but you should block access to 194.28.112.0/22 (194.28.112.0 - 194.28.115.255) if you can, because this range of IP addresses is nothing but trouble.
A list of sites hosted in this range is at the end of this post, or you can download a CSV with the MyWOT ratings and IP addresses from here.
Google's prognosis of this block is pretty horrible:
Safe Browsing
Diagnostic page for AS48691 (SPECIALIST)
What happened when Google visited sites hosted on this network?
Of the 44 site(s) we tested on this network over the past 90 days, 1 site(s), including, for example, rthur87seeks.rr.nu/, served content that resulted in malicious software being downloaded and installed without user consent.
The last time Google tested a site on this network was on 2011-12-12, and the last time suspicious content was found was on 2011-12-12.
Has this network hosted sites acting as intermediaries for further malware distribution?
Over the past 90 days, we found 15 site(s) on this network, including, for example, lilupophilupop.com/, sweepstakesandcontestsinfo.com/, sweepstakesandcontestsnow.com/, that appeared to function as intermediaries for the infection of 190 other site(s) including, for example, teas.com.au/, rogersplus.ca/, cicomra.org.ar/.
Has this network hosted sites that have distributed malware?
Yes, this network has hosted sites that have distributed malicious software in the past 90 days. We found 30 site(s), including, for example, lilupophilupop.com/, sweepstakesandcontestsinfo.com/, sweepstakesandcontestsnow.com/, that infected 2524 other site(s), including, for example, jri.ir/, psu.ac.th/, longoservice.it/.
The WHOIS details for the bloack are:
inetnum: 194.28.112.0 - 194.28.115.255
netname: Specialist-ISP-PI2
descr: Specialist, Ltd.
country: MD
org: ORG-SL206-RIPE
admin-c: VP2841-RIPE
tech-c: AB16163-RIPE
status: ASSIGNED PI
mnt-by: RIPE-NCC-END-MNT
mnt-lower: RIPE-NCC-END-MNT
mnt-by: SPECIALIST-MNT
mnt-routes: SPECIALIST-MNT
mnt-domains: SPECIALIST-MNT
source: RIPE # Filtered
organisation: ORG-SL206-RIPE
org-name: Specialist, Ltd
org-type: OTHER
descr: Specialist, Ltd, Rybnitsa, MD
address: I. Soltysa 12, Rybnitsa, MD
phone: +373-777-12921
phone: +373-693-18189
phone: +373-777-65071
fax-no: +373-555-43073
mnt-ref: MONITORING-MNT
abuse-mailbox: abuse@lan-rybnitsa.com
mnt-by: SPECIALIST-MNT
source: RIPE # Filtered
person: Vladimir Pilan
address: I. Soltysa 12, Rybnitsa, MD
phone: +373-777-12921
fax-no: +373-555-43073
nic-hdl: VP2841-RIPE
source: RIPE # Filtered
mnt-by: SPECIALIST-MNT
person: Anatoly Belitsky
address: I. Soltysa 12, Rybnitsa, MD
phone: +373-777-65071
fax-no: +373-555-43073
nic-hdl: AB16163-RIPE
source: RIPE # Filtered
mnt-by: SPECIALIST-MNT
route: 194.28.112.0/22
descr: Specialst-route2
origin: AS48691
mnt-by: SPECIALIST-MNT
source: RIPE # Filtered
netname: Specialist-ISP-PI2
descr: Specialist, Ltd.
country: MD
org: ORG-SL206-RIPE
admin-c: VP2841-RIPE
tech-c: AB16163-RIPE
status: ASSIGNED PI
mnt-by: RIPE-NCC-END-MNT
mnt-lower: RIPE-NCC-END-MNT
mnt-by: SPECIALIST-MNT
mnt-routes: SPECIALIST-MNT
mnt-domains: SPECIALIST-MNT
source: RIPE # Filtered
organisation: ORG-SL206-RIPE
org-name: Specialist, Ltd
org-type: OTHER
descr: Specialist, Ltd, Rybnitsa, MD
address: I. Soltysa 12, Rybnitsa, MD
phone: +373-777-12921
phone: +373-693-18189
phone: +373-777-65071
fax-no: +373-555-43073
mnt-ref: MONITORING-MNT
abuse-mailbox: abuse@lan-rybnitsa.com
mnt-by: SPECIALIST-MNT
source: RIPE # Filtered
person: Vladimir Pilan
address: I. Soltysa 12, Rybnitsa, MD
phone: +373-777-12921
fax-no: +373-555-43073
nic-hdl: VP2841-RIPE
source: RIPE # Filtered
mnt-by: SPECIALIST-MNT
person: Anatoly Belitsky
address: I. Soltysa 12, Rybnitsa, MD
phone: +373-777-65071
fax-no: +373-555-43073
nic-hdl: AB16163-RIPE
source: RIPE # Filtered
mnt-by: SPECIALIST-MNT
route: 194.28.112.0/22
descr: Specialst-route2
origin: AS48691
mnt-by: SPECIALIST-MNT
source: RIPE # Filtered
Some domains and sites hosted in this block are:
ation72histor.rr.nu
blogsvk.ru
cliffordtravel.biz
comm98andsp.rr.nu
doutl31inesst.rr.nu
earni61ngunde.rr.nu
ensm60erch.rr.nu
eorge00gamee.rr.nu
ggesti51ngbina.rr.nu
globalpoweringgathering.com
globalpoweringgatheringit.com
globalpoweringgatheringon.com
h102-114.net.lan-rybnitsa.com
hoperjoper.ru
iess70elec.rr.nu
ift72hbot.rr.nu
ilto27nint.rr.nu
infoitpoweringgathering.com
infoitpoweringgatheringit.com
infoitpoweringgatheringon.com
inful07commi.rr.nu
lessthenaminutehandle.com
lessthenaseconddeal.com
lilupophilupop.com
lilypophilypop.com
llowe31dmeth.rr.nu
mail.lilupophilupop.com
mail.sweepstakesandcontestsinfo.com
ns1.hoperjoper.ru
ns2.hoperjoper.ru
root.sweepstakesandcontestsinfo.com
sekurepays.org
sical59lymemo.rr.nu
sokoloperkovuske.com
sokoloperkovuskeci.com
sokoloperkovuskedi.com
sweepstakesandcontestsdo.com
sweepstakesandcontestsinfo.com
sweepstakesandcontestsnow.com
tyco93uplin.rr.nu
wbesnancer.org
welcometotheglobaliscom.com
welcometotheglobalisnet.com
welcometotheglobalisorg.com
zevkblog.ru
Labels:
Evil Network,
Moldova,
Specialist ISP,
Transnistria
BBB Spam / eryirs.com
This is the second BBB malware spam run of the day, with a new domain and IP address.
The malicious payload is eryirs.com/main.php?page=69dbd5a1e3ed6ae9 which is hosted on 67.211.195.169 (Arima Networks, Canada). Blocking access to 67.211.195.169 is probably a good idea in case there are other malicious sites on the server.
The no-doubt-fake WHOIS details for the domain are:
Damian Masuicca
Damian Masuicca
damott st
lacona
NY
13083
US
Phone: +1.2022392869
Email Address: stopgop@ymail.com
Date: Mon, 12 Dec 2011 14:10:59 +0100
From: "service@bbb.org" [service@bbb.org]
Subject: BBB assistance Re: Case # 52010425
Attachments: main_logo.jpg
Attn: Owner/Manager
The Better Business Bureau has been sent the above mentioned complaint from one of your clients on the subject of their business relations with you.
The detailed information about the consumer's concern is contained in attached file.
Please examine this question and let us know about your opinion.
We encourage you to click here to reply this complaint.
We look forward to your urgent response.
Faithfully yours,
Roland Dani
Better Business Bureau
Council of Better Business Bureaus
4200 Wilson Blvd, Suite 800
Arlington, VA 22203-1838
Phone: 1 (703) 276.0100
Fax: 1 (703) 525.8277
The malicious payload is eryirs.com/main.php?page=69dbd5a1e3ed6ae9 which is hosted on 67.211.195.169 (Arima Networks, Canada). Blocking access to 67.211.195.169 is probably a good idea in case there are other malicious sites on the server.
The no-doubt-fake WHOIS details for the domain are:
Damian Masuicca
Damian Masuicca
damott st
lacona
NY
13083
US
Phone: +1.2022392869
Email Address: stopgop@ymail.com
BBB Spam (again) / lazysit.net and 174.140.163.118
It looks like another BBB themed malware/spam run is on the loose.. there are probably many variations, but here is one that plopped into my spam filter:
This link goes via a couple of legitimate hacked sites to a payload site at lazysit.net/main.php?page=abfd0d069b45c17e on 174.140.163.118. The IP address looks like it might be a legitimate but hacked server, blocking the IP address rather than the domain should block any other malicious sites on the same server.
Date: Mon, 12 Dec 2011 10:36:39 +0100
From: "info@bbb.org" [info@bbb.org]
Subject: Better Business Bureau Case # 94181989
Attachments: main_logo.jpg
Attn: Owner/Manager
The Better Business Bureau has got the above-referenced complaint from one of your customers on the subject of their business relations with you.
The details of the consumer's concern are presented in enclosed document.
Please give attention to this issue and advise us of your point of view.
We encourage you to click here to respond this complaint.
We look forward to your urgent attention to this matter.
Yours faithfully,
Stacie Nieves
Better Business Bureau
Council of Better Business Bureaus
4200 Wilson Blvd, Suite 800
Arlington, VA 22203-1838
Phone: 1 (703) 276.0100
Fax: 1 (703) 525.8277
This link goes via a couple of legitimate hacked sites to a payload site at lazysit.net/main.php?page=abfd0d069b45c17e on 174.140.163.118. The IP address looks like it might be a legitimate but hacked server, blocking the IP address rather than the domain should block any other malicious sites on the same server.
Friday, 9 December 2011
NACHA Spam.. again.. and wonderfulwrench.com
The spammers have been busy today, here's another one leading to malware.
The malicious payload is on wonderfulwrench.com/main.php?page=977334ca118fcb8c on 46.45.137.205 (Safya Net, Turkey). We saw the same IP range yesterday, so I recommend blocking access to 46.45.137.0/24 at the least, or 46.45.136.0/21 if you want to be a bit more aggressive in your filtering.
Date: Fri, 9 Dec 2011 13:28:41 -0300
From: "The Electronic Payments Association"
Subject: ACH transaction rejected
The ACH transaction (ID: 870526083755), recently initiated from your checking account (by you or any other person), was canceled by the Electronic Payments Association.
Rejected transfer
Transaction ID: 870526083755
Reason of rejection See details in the report below
Transaction Report report_870526083755.doc (Microsoft Word Document)
13450 Sunrise Valley Drive, Suite 100 Herndon, VA 20171 (703) 561-1100
© 2011 NACHA - The Electronic Payments Association
The malicious payload is on wonderfulwrench.com/main.php?page=977334ca118fcb8c on 46.45.137.205 (Safya Net, Turkey). We saw the same IP range yesterday, so I recommend blocking access to 46.45.137.0/24 at the least, or 46.45.136.0/21 if you want to be a bit more aggressive in your filtering.
"The variant of the contract you've offered has been delcined."
The recent spam avalanche continues:
This leads to a malicious payload on ciredret.ru/main.php, hosted on 91.195.11.42 (as with this other spam/virus run), so blocking 91.195.10.0/23 (UkrStar ISP, Ukraine) is a very good idea at the moment.
Date: Fri, 9 Dec 2011 -01:35:13 -0800
From: "Josie Carlson" [TateAlmgren@concentric.net]
Subject: The variant of the contract you've offered has been delcined.
After our legal department studied this contract carefully, they've noticed the following mismatches with our previous arrangements. We've composed a preliminary variant of the new contract, please study it and make sure that all the issues are matching your interests
Contract.doc 64kb
With respect to you
Josie Carlson
SHA512 check sum: [redacted]
This leads to a malicious payload on ciredret.ru/main.php, hosted on 91.195.11.42 (as with this other spam/virus run), so blocking 91.195.10.0/23 (UkrStar ISP, Ukraine) is a very good idea at the moment.
Malware: Your Amazon.com order of "Omron FXB-414M Fat Loss ..." has shipped! / ageoloft.info, floreli.info and certerpen.info
This malware spam leads via a legitimate hacked site to floreli.info or ageoloft.info or certerpen.info, although there are probably more. If you have the names of other payload domains please consider add ingthem in the Comments. Both these sites are hosted on 91.195.11.42.
The payload is on floreli.info/main.php?page=525447c096f8efbf or ageoloft.info/main.php?page=525447c096f8efbf and consists of the blackhole exploit kit leading to the Cridex Trojan.
Blocking the range 91.195.10.0/23 (UkrStar ISP, Ukraine) a good proactive move as several malware attacks have been hosted there in the past few days.
Domains spotted so far:
ageoloft.info
floreli.info
certerpen.info
Some sample email subjects:
Your Amazon.com order of "Omron BTS-829C Fat Loss ..." has shipped!
Your Amazon.com order of "Omron DRM-151A Fat Loss ..." has shipped!
Your Amazon.com order of "Omron FXB-414M Fat Loss ..." has shipped!
Your Amazon.com order of "Omron KGZ-387E Fat Loss ..." has shipped!
Your Amazon.com order of "Omron PNB-885D Fat Loss ..." has shipped!
Your Amazon.com order of "Omron PNH-875H Fat Loss ..." has shipped!
Your Amazon.com order of "Omron REM-787E Fat Loss ..." has shipped!
Your Amazon.com order of "Omron QYM-632R Fat Loss ..." has shipped!
Your Amazon.com order of "Omron UHA-584I Fat Loss ..." has shipped!
From: Issac Britt [mailto:delphiniumsfte62@retela.co.jp]
Sent: 09 December 2011 14:05
Subject: Your Amazon.com order of "Omron FXB-414M Fat Loss ..." has shipped!
Hello,
Shipping Confirmation
Order # 649-2723315-2651369
Your estimated delivery date is:
Tuesday, December 13, 2011
Track your package Thank you for shopping with us. We thought you'd like to know that we shipped this portion of your order separately to give you quicker service. You won't be charged any extra shipping fees, and the remainder of your order will follow as soon as those items become available. If you need to return an item from this shipment or manage other orders, please visit Your Orders on Amazon.com.
Shipment Details
Omron FXB-414M Fat Loss Monitor, Black $149.95
Item Subtotal: $149.95
Shipping & Handling: $0.00
Total Before Tax: $149.95
Shipment Total: $149.95
Paid by Visa: $149.95
You have only been charged for the items sent in this shipment. Per our policy, you only pay for items when we ship them to you.
Returns are easy. Visit our .
If you need further assistance with your order, please visit Customer Service.
We hope to see you again soon!
Amazon.com
The payload is on floreli.info/main.php?page=525447c096f8efbf or ageoloft.info/main.php?page=525447c096f8efbf and consists of the blackhole exploit kit leading to the Cridex Trojan.
Blocking the range 91.195.10.0/23 (UkrStar ISP, Ukraine) a good proactive move as several malware attacks have been hosted there in the past few days.
Domains spotted so far:
ageoloft.info
floreli.info
certerpen.info
Some sample email subjects:
Your Amazon.com order of "Omron BTS-829C Fat Loss ..." has shipped!
Your Amazon.com order of "Omron DRM-151A Fat Loss ..." has shipped!
Your Amazon.com order of "Omron FXB-414M Fat Loss ..." has shipped!
Your Amazon.com order of "Omron KGZ-387E Fat Loss ..." has shipped!
Your Amazon.com order of "Omron PNB-885D Fat Loss ..." has shipped!
Your Amazon.com order of "Omron PNH-875H Fat Loss ..." has shipped!
Your Amazon.com order of "Omron REM-787E Fat Loss ..." has shipped!
Your Amazon.com order of "Omron QYM-632R Fat Loss ..." has shipped!
Your Amazon.com order of "Omron UHA-584I Fat Loss ..." has shipped!
Labels:
Malware,
Spam,
Ukraine,
UkrStar ISP,
Viruses
BBB Spam / combiplease.com
The BBB spam run is back today, with a malicious payload on combiplease.com (174.140.165.194), pretty much the same pattern as yesterday and earlier in the week.
This example is from this morning:
Blocking 174.140.165.194 may be a good idea as other malicious domains may crop up on the same IP address.
This example is from this morning:
Date: Fri, 9 Dec 2011 09:39:28 +0200
From: "risk@bbb.org" [alerts@bbb.org]
Subject: Re: Case # 48783457
Attachments: main_logo.jpg
Attn: Owner/Manager
The Better Business Bureau has got the above-referenced complaint from one of your associates in respect of their business relations with you.
The detailed information about the consumer's concern is contained in enclosed file.
Please give attention to this question and inform us about your standpoint.
Please click here to reply this complaint.
We look forward to your prompt response.
Yours faithfully,
Anita Emil
Better Business Bureau
Council of Better Business Bureaus
4200 Wilson Blvd, Suite 800
Arlington, VA 22203-1838
Phone: 1 (703) 276.0100
Fax: 1 (703) 525.8277
Blocking 174.140.165.194 may be a good idea as other malicious domains may crop up on the same IP address.
Thursday, 8 December 2011
Malware: "Your new contract" / coredret.ru
Spam season continues with this fake "contract" email with a link that leads to a malicious payload on coredret.ru/main.php.
coredret.ru is hosted on 91.195.11.41 (UkrStar ISP, Ukraine). 91.195.10.0/23 is very sparsely populated, so blocking access to it should cause no problems.
Date: Thu, 8 Dec 2011 01:58:25 +0700
From: "Daisy Newby" [CadenHolmgren@hanmail.net]
Subject: Your new contract
As we arranged the day before yesterday in the in your place we've got the contract ready, plase study it carefully and let us know whether you accept all the issues.
We've attached the copy of the contract below
Contract.doc 36kb
Best Wishes
Daisy Newby
Fingerprint: bfe69dcc-ccc03723
coredret.ru is hosted on 91.195.11.41 (UkrStar ISP, Ukraine). 91.195.10.0/23 is very sparsely populated, so blocking access to it should cause no problems.
BBB Spam / combijump.com / combimyself.com / combigave.com
A new version of yesterday's spam, this current crop of "BBB Complaint" emails lead to a malicious payload on combijump.com on 46.45.137.206. combimyself.com and combigave.com is on the same server and can also be assumed to be malicious.
VirusTotal detection on the target page is poor. 46.45.137.206 is on a Turkish network called Safya Net, I cannot vouch for its reputation however and it might be worth blocking the /24.
VirusTotal detection on the target page is poor. 46.45.137.206 is on a Turkish network called Safya Net, I cannot vouch for its reputation however and it might be worth blocking the /24.
Wednesday, 7 December 2011
Pizza spam / ciredret.ru
Another installment in the tsunami of malware-laden spam doing the rounds.. this time it is for pizza!
The link goes through a legitimate hacked site to a malicious payload on ciredret.ru/main.php, hosted on 79.137.237.63. Unsuprisingly this is Digital Network JSC in Moscow (aka DINETHOSTING) who are involved in much of the recent malware spam runs. Blocking 79.137.224.0/20 is highly recommended.
Update 23/12/11: Another pizza malware run, this time leading to cgredret.ru hosted on 79.137.237.68 , no surprise to find that it is Digital Network JSC again..
From: Pizza by ATTILIO [mailto:Russo@victimdomain.com]
Sent: 06 December 2011 18:25
Subject: Re: Fwd: Order confirmation
You’ve just ordered pizza from our site
Pizza Italian Trio with extras:
- Ham
- Jalapenos
- Green Peppers
- Jalapenos
- No Cheese
- No Sauce
________________________________________
Pizza Veggie Lover's with extras:
- Italian Sausage
- Jalapenos
- Pineapple
- Black Olives
- Easy On Cheese
- No Sauce
________________________________________
Pizza Supreme with extras:
- Chicken
- Jalapenos
- Extra Cheese
- Extra Sauce
________________________________________
Drinks
- Bacardi x 2
- Dr. Pepper x 5
- Cherry Coke x 2
- Coca-Cola x 2
- Mirinda x 4
- Limonade x 5
- Carling x 5
________________________________________Total Due: 187.31$
If you haven’t made the order and it’s a fraud case, please follow the link and cancel the order.
CANCEL ORDER NOW!
If you don’t do that shortly, the order will be confirmed and delivered to you.
Best wishes
Pizza by ATTILIO
Fingerprint: a50c3e6f-8a5c87de
The link goes through a legitimate hacked site to a malicious payload on ciredret.ru/main.php, hosted on 79.137.237.63. Unsuprisingly this is Digital Network JSC in Moscow (aka DINETHOSTING) who are involved in much of the recent malware spam runs. Blocking 79.137.224.0/20 is highly recommended.
Update 23/12/11: Another pizza malware run, this time leading to cgredret.ru hosted on 79.137.237.68 , no surprise to find that it is Digital Network JSC again..
Date: Fri, 23 Dec 2011 -06:10:36 -0800
From: "ANTONINO`s Pizzeria"
Subject: Re: Fwd: Order confirmation
You̢۪ve just ordered pizza from our site
Pizza Hawaiian Luau with extras:
- Bacon Pieces
- Pepperoni
- Pepperoni
- Diced Tomatoes
- No Cheese
- Extra Sauce
Pizza Meat Lover's with extras:
- Pepperoni
- Bacon Pieces
- Pineapple
- Easy On Cheese
- Easy On Sauce
Pizza Hawaiian Luau with extras:
- Pork
- Black Olives
- Onions
- No Cheese
- Easy On Sauce
Drinks
- Sprite x 2
- Hancock x 6
- White wine x 6
- Carling x 3
Total Charge: 207.31$
If you haven̢۪t made the order and it̢۪s a fraud case, please follow the link and cancel the order.
CANCEL ORDER NOW!
If you don̢۪t do that shortly, the order will be confirmed and delivered to you.
Best Regards
ANTONINO`s Pizzeria
Malware: BBB "Complaint from your customers" and billycharge.com
Another day, another spam campaign leading to the Blackhole Exploit Kit.
A link in the email goes to a legitimate but hacked site, users are forwarded to billycharge.com on 79.137.237.63. This IP is on Digital Networks CJSC in Russia (aka DINETHOSTING), a wholly black hat operation - you should block access to 79.137.224.0/20 if you haven't already done so. The Wepawet report is here , VT shows 0/43 detections for the exploit page although the download malware should tickle at least some scanners.
Some other subjects and senders being used in this spam:
Date: Wed, 7 Dec 2011 08:33:03 +0000
From: "::Better Business Bureau::" [risk.manager@bbb.org]
Subject: Complaint from your customers
Attachments: bbb_logo.jpg
Attn: Owner/Manager
The Better Business Bureau has been sent the above mentioned complaint from one of your customers on the subject of their dealings with you.
The detailed information about the consumer's concern is explained in enclosed document.
Please review this matter and notify us of your position.
Please click here to reply this complaint.
We look forward to your prompt reply.
Yours faithfully,
Shawna Dennis
Better Business Bureau
Council of Better Business Bureaus
4200 Wilson Blvd, Suite 800
Arlington, VA 22203-1838
Phone: 1 (703) 276.0100
Fax: 1 (703) 525.8277
A link in the email goes to a legitimate but hacked site, users are forwarded to billycharge.com on 79.137.237.63. This IP is on Digital Networks CJSC in Russia (aka DINETHOSTING), a wholly black hat operation - you should block access to 79.137.224.0/20 if you haven't already done so. The Wepawet report is here , VT shows 0/43 detections for the exploit page although the download malware should tickle at least some scanners.
Some other subjects and senders being used in this spam:
- BBB assistance Re: Case # [random number]
- BBB Complaint activity report
- BBB processing
- BBB service Re: Case # [random number]
- Better Business Bureau Case # [random number]
- Complaint from your customers
- Please review your customer's complaint
- Re: BBB Case # [random number]
- Re: Case # [random number]
- Your customer's complaint
- Your customer's concern
- admin@bbb.org
- alert@bbb.org
- alerts@bbb.org
- info@bbb.org
- manager@bbb.org
- risk.manager@bbb.org
- risk@bbb.org
- service@bbb.org
- support@bbb.org
Tuesday, 6 December 2011
"Epidemic in Guinea" spam / curedret.ru
An interesting twist on malware spam:
Perhaps the spammers have a sense of irony, because if you click the link you get directed to a legitimate but hacked site and then bounced to curedret.ru on 79.137.237.63 which attempts to load the Blackhole Exploit kit. This belongs to Digital Networks CJSC (aka DINETHOSTING) in Russia.. blocking the entire 79.137.224.0/20 range is probably a very good idea as this block is full of malicious sites. The Wepawet report for this page is here.
There are a whole bunch of these c*redret.ru sites, at the moment the following are active on this IP address:
crredret.ru
ctredret.ru
curedret.ru
czredret.ru
Update: these are coming in for several different countries, payload appears to be the same:
Epidemic in Alabama
Epidemic in Austria
Epidemic in Bangladesh
Epidemic in Belgium
Epidemic in Bermuda
Epidemic in Burkina Faso
Epidemic in Canada
Epidemic in Cape Verde
Epidemic in Chad
Epidemic in Chile
Epidemic in Costa Rica
Epidemic in Croatia
Epidemic in Gambia
Epidemic in Germany
Epidemic in Guam
Epidemic in Guinea
Epidemic in Hong Kong (China)
Epidemic in Indonesia
Epidemic in Iran
Epidemic in Ireland
Epidemic in Israel
Epidemic in Kazakhstan
Epidemic in Kentucky
Epidemic in Kuwait
Epidemic in Maine
Epidemic in Mali
Epidemic in Mayotte
Epidemic in Mexico
Epidemic in Monaco
Epidemic in Montana
Epidemic in Montserrat
Epidemic in New Mexico
Epidemic in Ohio
Epidemic in Oman
Epidemic in Pakistan
Epidemic in Pennsylvania
Epidemic in Russia
Epidemic in Saint Vincent and the Grenadines
Epidemic in Tokelau
Epidemic in Tunisia
Epidemic in Turkey
Epidemic in United Kingdom
Epidemic in United States
Epidemic in United States Virgin Islands
Epidemic in Utah
Epidemic in Wallis and Futuna
Epidemic in Wisconsin
Epidemic in Zimbabwe
Date: Tue, 6 Dec 2011 10:19:25 +0530
From: "MARIE Grover" [victimname@hotmail.com]
Subject: Re: Epidemic in Guinea
The government is hiding this fact, but there is a new epidemic in Guinea
I got to know it from friends of mine, they are there right now. Here you can find the instruction what to do not get infected
Read it!
Perhaps the spammers have a sense of irony, because if you click the link you get directed to a legitimate but hacked site and then bounced to curedret.ru on 79.137.237.63 which attempts to load the Blackhole Exploit kit. This belongs to Digital Networks CJSC (aka DINETHOSTING) in Russia.. blocking the entire 79.137.224.0/20 range is probably a very good idea as this block is full of malicious sites. The Wepawet report for this page is here.
There are a whole bunch of these c*redret.ru sites, at the moment the following are active on this IP address:
crredret.ru
ctredret.ru
curedret.ru
czredret.ru
Update: these are coming in for several different countries, payload appears to be the same:
Epidemic in Alabama
Epidemic in Austria
Epidemic in Bangladesh
Epidemic in Belgium
Epidemic in Bermuda
Epidemic in Burkina Faso
Epidemic in Canada
Epidemic in Cape Verde
Epidemic in Chad
Epidemic in Chile
Epidemic in Costa Rica
Epidemic in Croatia
Epidemic in Gambia
Epidemic in Germany
Epidemic in Guam
Epidemic in Guinea
Epidemic in Hong Kong (China)
Epidemic in Indonesia
Epidemic in Iran
Epidemic in Ireland
Epidemic in Israel
Epidemic in Kazakhstan
Epidemic in Kentucky
Epidemic in Kuwait
Epidemic in Maine
Epidemic in Mali
Epidemic in Mayotte
Epidemic in Mexico
Epidemic in Monaco
Epidemic in Montana
Epidemic in Montserrat
Epidemic in New Mexico
Epidemic in Ohio
Epidemic in Oman
Epidemic in Pakistan
Epidemic in Pennsylvania
Epidemic in Russia
Epidemic in Saint Vincent and the Grenadines
Epidemic in Tokelau
Epidemic in Tunisia
Epidemic in Turkey
Epidemic in United Kingdom
Epidemic in United States
Epidemic in United States Virgin Islands
Epidemic in Utah
Epidemic in Wallis and Futuna
Epidemic in Wisconsin
Epidemic in Zimbabwe
Monday, 5 December 2011
czredret.ru is getting on my nerves
I don't know what has been going on with spam for the past couple of weeks, but there has been a tidal wave of the same old spam hammering away at filters over and over again. Today, about half are directing traffic to a Blackhole exploit kit on czredret.ru (see an analysis here).
The spam today is about airline tickets, but it could be on anything.. including the infamous NACHA spam that we keep seeing.
czredret.ru is hosted on 188.190.99.26 in the Ukraine, a block allocated to:
Google's prognosis of this block (AS197145) isn't brilliant:
If you don't do business in the Ukraine then it could well be worth blocking 188.190.96.0/19 just to be on the safe side.
The spam today is about airline tickets, but it could be on anything.. including the infamous NACHA spam that we keep seeing.
czredret.ru is hosted on 188.190.99.26 in the Ukraine, a block allocated to:
inetnum: 188.190.96.0 - 188.190.127.255
netname: INFIUM
descr: Infium LTD
country: UA
org: ORG-INFI1-RIPE
admin-c: INF20-RIPE
tech-c: INF20-RIPE
status: ASSIGNED PI
mnt-by: RIPE-NCC-END-MNT
mnt-lower: RIPE-NCC-END-MNT
mnt-by: NETASSIST-MNT
mnt-routes: NETASSIST-MNT
mnt-domains: NETASSIST-MNT
source: RIPE #Filtered
organisation: ORG-INFI1-RIPE
org-name: Infium Ltd.
org-type: OTHER
address: 61129, Ukraine, Kharkov, Traktorostroiteley 156/41 ave, office 200
mnt-ref: INFIUM-MNT
mnt-by: INFIUM-MNT
source: RIPE #Filtered
person: Infium Ltd
address: 61129, Kharkov, Ukraine, Traktorostroiteley 156/41, office 200
abuse-mailbox: abusemail@infiumhost.com
phone: +380577632339
phone: +1425606-33-07
nic-hdl: INF20-RIPE
mnt-by: INFIUM-MNT
source: RIPE #Filtered
netname: INFIUM
descr: Infium LTD
country: UA
org: ORG-INFI1-RIPE
admin-c: INF20-RIPE
tech-c: INF20-RIPE
status: ASSIGNED PI
mnt-by: RIPE-NCC-END-MNT
mnt-lower: RIPE-NCC-END-MNT
mnt-by: NETASSIST-MNT
mnt-routes: NETASSIST-MNT
mnt-domains: NETASSIST-MNT
source: RIPE #Filtered
organisation: ORG-INFI1-RIPE
org-name: Infium Ltd.
org-type: OTHER
address: 61129, Ukraine, Kharkov, Traktorostroiteley 156/41 ave, office 200
mnt-ref: INFIUM-MNT
mnt-by: INFIUM-MNT
source: RIPE #Filtered
person: Infium Ltd
address: 61129, Kharkov, Ukraine, Traktorostroiteley 156/41, office 200
abuse-mailbox: abusemail@infiumhost.com
phone: +380577632339
phone: +1425606-33-07
nic-hdl: INF20-RIPE
mnt-by: INFIUM-MNT
source: RIPE #Filtered
Google's prognosis of this block (AS197145) isn't brilliant:
Safe BrowsingSiteVet's report shows that while it isn't a brilliant block, it certain has problems.
Diagnostic page for AS197145 (ASINFIUM)
What happened when Google visited sites hosted on this network?
Of the 536 site(s) we tested on this network over the past 90 days, 14 site(s), including, for example, myegy.com/, ql3a-soft.com/, irkasoft.ru/, served content that resulted in malicious software being downloaded and installed without user consent.
The last time Google tested a site on this network was on 2011-12-05, and the last time suspicious content was found was on 2011-12-05.
Has this network hosted sites acting as intermediaries for further malware distribution?
Over the past 90 days, we found 9 site(s) on this network, including, for example, playingfieldforallstore.com/, immerconsult.com/, seafarers333.co.cc/, that appeared to function as intermediaries for the infection of 15 other site(s) including, for example, alexsandra.ucoz.net/, seafarers.ucoz.ru/, fpbqax.in/.
Has this network hosted sites that have distributed malware?
Yes, this network has hosted sites that have distributed malicious software in the past 90 days. We found 11 site(s), including, for example, myshop-ideal.com/, retailer-ideal.com/, abrorl.dlinkddns.com/, that infected 74 other site(s), including, for example, carrollmanorathletic.com/, nihadragab.com/, fathyradwan.com/.
If you don't do business in the Ukraine then it could well be worth blocking 188.190.96.0/19 just to be on the safe side.
Spam: "Federal Tax payment canceled / Rejected Federal Tax payment " and twistloft.com
There's nothing particularly new with this IRS spam, but because spammers are stupid, all the examples that I have seen today have an invalid link and cannot be clicked through.
Here is a sample:
After debugging the invalid URL and going through a couple of hacked legitimate sites, we find the malicious payload on twistloft.com/main.php?page=111d937ec38dd17e (The Wepawet report is here, do not visit this site unless you know what you are doing), hosted on 65.254.63.228. Blocking access that IP and domain name might be prudent.
Here is a sample:
Date: Mon, 5 Dec 2011 11:29:03 +0100
From: Bernadine_Woody@irs.gov
Subject: Federal Tax payment canceled
Your Tax payment (ID: 6318017800684), recently from your bank account was rejected by the your financial institution.
Canceled Tax transfer
Tax Transaction ID: 6318017800684
Reason for rejection See details in the report below
FederalTax Transaction Report tax_report_6318017800684.pdf (Adobe Acrobat Reader Document)
How does IRS e-file work?
A. You or your tax professional, prepare your tax return. In many cases, the tax professional is also the Electronic Return Originator (ERO) who is authorized to file your return electronically to the IRS. Ask your tax professional to file your return through IRS e-file.
You sign your electronic tax return by either using a Self-Select PIN for e-file for a completely paperless return, or by signing Form 8453, U.S. Individual Income Tax Transmittal for an IRS e-file Return.See " If the return is electronic, how do I sign it?" for more information.
After you sign the return using a Self-Select PIN or Form 8453,the ERO transmits the return to the IRS or to a third-party transmitter who then forwards the entire electronic record to the IRS for processing. Once received at the IRS, the return is automatically checked by computers for errors and missing information. If it cannot be processed, it is sent back to the originating transmitter (usually the ERO) to clarify any necessary information. After correction, the transmitter retransmits the return to the IRS. Within 48 hours of electronically sending your return to IRS, the IRS sends an acknowledgment to the transmitter stating the return is accepted for processing. This is your proof of filing and assurance that the IRS has your return information. The Authorized IRS e-file Provider then sends Form 8453 to the IRS.
If due a refund, you can expect to receive it in approximately three weeks from the acknowledgment date - even faster with Direct Deposit (half the time as when filed on paper). If you owe tax, see "What if I owe Money?" for payment options available this year.
Internal Revenue Service, Metro Plex 1, 8401 Corporate Drive, Suite 300, Landover, MD 20785
After debugging the invalid URL and going through a couple of hacked legitimate sites, we find the malicious payload on twistloft.com/main.php?page=111d937ec38dd17e (The Wepawet report is here, do not visit this site unless you know what you are doing), hosted on 65.254.63.228. Blocking access that IP and domain name might be prudent.
Scam: RockSmith Management / rocksmithmanagement.com
This scam has been around for a while, it's part of a nasty cluster of scam sites that have an Australian connection.
The spam comes from a fake address, delivered from an illegally compromised PC. In this example, the spam appears to come from mulattorcxf826@uncw.edu (which is fake) through a well-known spam server in China, 221.212.109.135. Of course, faking the sender address breaks the CAN SPAM act in the US (where the sender pretends to be), as does the lack of real contact details.
The link forwards to rocksmithmanagement.com (but it could be any one of a variety of similarly named scam sites), as listed here.
Of note is the phone number on the first screen - (240) 718-4632 is listed in a number of similar scam sites. I don't know if it is valid or not, it might even belong to a legitimate company. There is no point in ringing it in any case as the scam unfolrd..
The next page is more worrying as it harvests personal details such as your name, phone number and email address. Yes, that would be acceptable for a job site.. but these details are not used at all by this process, so presumably they will be used for spamming purposes.
Once you have signed away your personal details, you get to the "final step" which offers you the chance o check your credit report or view the jobs on offer. On the bottom of the page is a "Privacy Policy" and "Terms of Service" link.. except they aren't links at all, just underlined text. In fact, there is no privacy policy or identifying text anywhere on the site.
If you click on the prominent "Clicking Here" link, you get redirected through referer.us/moxiinternal.go2cloud.org/aff_c?offer_id=2&aff_id=1002&aff_sub=020 to a site called sixfigurekit.com run by an outfit called the "Six Figure Program". The BBB rates the Six Figure Programs as an F in Florida, an F in Illinois but bizarrely a B in New York. On balance it looks pretty poor.
Regardless of where or not the Six Figure Program is a legitimate business or not, it certainly isn't a credit check.. and in this case the spam victim has been duped into clicking the link in order to be exposed to this frankly ridiculous scheme.
So what happens if the victim clicks on the other link on the page? They simply get redirected to a page on indeed.com (branded "RockGrade Management" / rockgrademanagement.com) which returns exactly the same results as if the victim had gone directly to indeed.com in the first place.
But wait.. remember the name, phone number and email address you supplied? What happened to them? They're not needed for indeed.com, so it looks likely that the victim has just given themselves up for even more spam.
All the evidence that I have been able to find links this to a site called websitedesignbrisbane.org in Australia. You can complain about Australian companies at ACMA, although it is difficult to identify exactly which company runs that particular site, but it bills itself as "Jetstream Web Site Design + SEO", presumably of Brisbane.
The spam comes from a fake address, delivered from an illegally compromised PC. In this example, the spam appears to come from mulattorcxf826@uncw.edu (which is fake) through a well-known spam server in China, 221.212.109.135. Of course, faking the sender address breaks the CAN SPAM act in the US (where the sender pretends to be), as does the lack of real contact details.
Date: Sat, 3 Dec 2011 11:15:17 +0800
From: "Ralph Nguyen" [mulattorcxf826@uncw.edu]
Subject: Please Complete Your Job Application
Dear Applicant
Thank you for expressing your interest in open employment openings in your area.
We are happy to inform you that our placement specialists will be reviewing
available positions for you within the next hour.
Based on your profile, you may qualify for opportunities currently available with a monthly salary in the
$4000 to $8700 range.
To maximize your earnings potential, please complete our full application form first:
http://go.likejav.com/9bcf1f
In addition to a highly competitive base pay, applicants that qualify will also enjoy additional benefits such as:
* 2 wks. paid vacation time (per annum);
* Tuition allowance;
* 401(k)
* full benefits package
* generous retirement plan
To retain your priority placement, please complete your application at your earliest convenience.
We look forward to finding the right job for you.
Rockforce Management
Bringing the best candidates and the right jobs together.
The link forwards to rocksmithmanagement.com (but it could be any one of a variety of similarly named scam sites), as listed here.
Of note is the phone number on the first screen - (240) 718-4632 is listed in a number of similar scam sites. I don't know if it is valid or not, it might even belong to a legitimate company. There is no point in ringing it in any case as the scam unfolrd..
The next page is more worrying as it harvests personal details such as your name, phone number and email address. Yes, that would be acceptable for a job site.. but these details are not used at all by this process, so presumably they will be used for spamming purposes.
Once you have signed away your personal details, you get to the "final step" which offers you the chance o check your credit report or view the jobs on offer. On the bottom of the page is a "Privacy Policy" and "Terms of Service" link.. except they aren't links at all, just underlined text. In fact, there is no privacy policy or identifying text anywhere on the site.
If you click on the prominent "Clicking Here" link, you get redirected through referer.us/moxiinternal.go2cloud.org/aff_c?offer_id=2&aff_id=1002&aff_sub=020 to a site called sixfigurekit.com run by an outfit called the "Six Figure Program". The BBB rates the Six Figure Programs as an F in Florida, an F in Illinois but bizarrely a B in New York. On balance it looks pretty poor.
Regardless of where or not the Six Figure Program is a legitimate business or not, it certainly isn't a credit check.. and in this case the spam victim has been duped into clicking the link in order to be exposed to this frankly ridiculous scheme.
So what happens if the victim clicks on the other link on the page? They simply get redirected to a page on indeed.com (branded "RockGrade Management" / rockgrademanagement.com) which returns exactly the same results as if the victim had gone directly to indeed.com in the first place.
But wait.. remember the name, phone number and email address you supplied? What happened to them? They're not needed for indeed.com, so it looks likely that the victim has just given themselves up for even more spam.
All the evidence that I have been able to find links this to a site called websitedesignbrisbane.org in Australia. You can complain about Australian companies at ACMA, although it is difficult to identify exactly which company runs that particular site, but it bills itself as "Jetstream Web Site Design + SEO", presumably of Brisbane.
Labels:
Australia,
Job Offer Scams,
Scams,
Spam
Thursday, 1 December 2011
Spammers are stupid
What's wrong with this spam?
Yup.. the headers are for a LinkedIn themed spam, the body is a NACHA themed one with a link to a malicious file. The bad guys are sending out so many of these that they must be getting confused.
The link goes through a number of legitimate hacked sites and eventually ends up at biggestamigo.com on 92.55.144.82 in Romania (I would recommend blocking the whole 92.55.144.0/24 block at least, or even 92.55.144.0/21 if you want to be on the safe side). The payload looks like a typical exploit kit.
Date: Thu, 1 Dec 2011 17:55:30 +0900
From: "LinkedIn" [linkedin@em.linkedin.com]
To: Victim
Subject: So now you're on LinkedIn: What's next?
The ACH transaction (ID: 730771521612), recently sent from your checking account (by you or any other person), was canceled by the other financial institution.
Rejected transfer
Transaction ID: 730771521612
Reason of rejection See details in the report below
Transaction Report report_730771521612.doc (Microsoft Word Document)
13450 Sunrise Valley Drive, Suite 100 Herndon, VA 20171 (703) 561-1100
© 2011 NACHA - The Electronic Payments Association
Yup.. the headers are for a LinkedIn themed spam, the body is a NACHA themed one with a link to a malicious file. The bad guys are sending out so many of these that they must be getting confused.
The link goes through a number of legitimate hacked sites and eventually ends up at biggestamigo.com on 92.55.144.82 in Romania (I would recommend blocking the whole 92.55.144.0/24 block at least, or even 92.55.144.0/21 if you want to be on the safe side). The payload looks like a typical exploit kit.
Saturday, 26 November 2011
Fake jobs: working-ca.com
Another fake job domain, working-ca.com seems to be part of this long-running scam. I hadn't spotted this one before, so thanks to our reader who sent it in. Note that this is not connected with the legitimate site WorkingCA.com . The jobs offered are actually illegal activities such as money laundering.
and
The registrant details for the domain are probably fake, but here they are anyway:
Hello, We have an excellent opportunity for an apprentice applicant to
join a rapidly expanding company.
An at home Key Account Manager Position is a great opportunity for stay
at home parents
or anyone who wants to work in the comfort of their own home.
This is a part time job / flexible hrs for Canadians only,This is in
view of our not having a branch office presently in Canada,
also becouse of paypal and ebay policies wich is prohibit to work
directly with residents of some countries.
Requirements: computer with Internet access, valid email address, good
typing skills.
If you fit the above description and meet the requirements, please apply
to this ad stating your location.
You will be processing orders from your computer. How much you earn is
up to you.
The average is in the region of CA$750- CA$1000 per week, depending on
whether you work full or part time.
Region: Canada only.
If you would like more information, please contact us stating where you
are located and our job reference number - 70570-868/4HR.
Please only SERIOUS applicants.
If you are interested, please reply to: Weldon@working-ca.com
and
Hello, We have an excellent opportunity for an apprentice applicant to
join a rapidly expanding company.
An at home Key Account Manager Position is a great opportunity for stay
at home parents
or anyone who wants to work in the comfort of their own home.
This is a part time job / flexible hrs for Canadians only,This is in
view of our not having a branch office presently in Canada,
also becouse of paypal and ebay policies wich is prohibit to work
directly with residents of some countries.
Requirements: computer with Internet access, valid email address, good
typing skills.
If you fit the above description and meet the requirements, please apply
to this ad stating your location.
You will be processing orders from your computer. How much you earn is
up to you.
The average is in the region of CA$750- CA$1000 per week, depending on
whether you work full or part time.
Region: Canada only.
If you would like more information, please contact us stating where you
are located and our job reference number - 35097-781/2HR.
Please only SERIOUS applicants.
If you are interested, please reply to: Tristan@working-ca.com
The registrant details for the domain are probably fake, but here they are anyway:
Kevin Tesalo Email: kevintesalo@yahoo.fr Organization: Kevin Tesalo Address: 2 avenue des Beguines City: Cergy Saint Christophe State: Cergy Saint Christophe ZIP: 95811 Country: FR Phone: +33.124335612
Labels:
Canada,
Job Offer Scams,
Lapatasker,
Money Mule,
Russia
Thursday, 24 November 2011
Fake jobs: jobinhollandart.com and europjobs.eu
Here are two new domains promoting fake jobs: jobinhollandart.com and europjobs.eu
This series of emails seems to be different from this one, but the pitch is still the same - the bad guys are trying to recruit people for money laundering activities and other criminal acts.
jobinhollandart.com shares back-end infrastructure with europjobs.eu and a domain called israelcallingcard.net. You can assume that europjobs.eu will also be used for fraudulent activities.
The MX records point to 68.68.20.166, (Bluemile Inc, Ohio). Nameservers are on 173.213.79.90 (Ionix, Nevada) and 170.19.177.33 (Cooper Neff, Pennsylvania).
The WHOIS records for all these domains are probably fake:
jobinhollandart.com
Diane R. Coleman
Diane Coleman DianeRColeman@aol.com
+1.3612298028 fax: +1.3612298028
1327 Boone Street
Corpus Christi TX 78476
us
israelcallingcard.net
Neva Kilpatrick
5636 GUILFORD AVE
INDIANAPOLIS, IN 46220
US
Phone: +1.3178112099
Email: ironeggman@yahoo.com
europjobs.eu
Name Sarka Sirotkova
Organisation
Language English
Address
Email
This series of emails seems to be different from this one, but the pitch is still the same - the bad guys are trying to recruit people for money laundering activities and other criminal acts.
Date: 24 November 2011 06:27
Subject: Virtuele Manager vacature
Ons bedrijf is een snel groeiende internationale adviesbureau dat de diensten tot 46 landen verleent..
We hebben succesvol geweest voor een lange periode van werk in nauwe samenwerking met een aantal
organisaties voor onderzoek en investeringen over heel Europa.
We hebben vele boeiende projecten in de financiële diensten, financiële steun,
die eisen dat WUG bedrijf is voortdurend groeien en ontwikkelen..
Dankzij de uitbreiding van onze zaken ons bedrijf is op zoek naar een individu om de positie
van regionalefinanciële vertegenwoordiger te vullen.
Wij stellen voor werken in een internationale omgeving met een vriendelijk team
van hoog gekwalificeerde professionals en leren van de leider in deze opwindende industrie..
Belangrijke verantwoordelijkheden:
- Handhaving van de database op de website met behulp van onze speciale software
- Het opstellen van de verslagen
- Omgaan met bestaande en nieuwe komen klanten
- Werken met Internet en E-mail
Wij hebben vereist:
- Hoger onderwijs
- Klant minded-responsieve/vermogen/wens om te dienen van klanten
- Technische kennis - goed Windows begrip
- Proactief - zoeken naar oplossingen
- Een goede beheersing van het Engels (verplicht)
Wij waarborgen:
- Volledig betaald opleiding
- Competitief loon 2300 Euro per maand
- Mogelijkheid voor promotie
- Een sociaal pakket (verzekering, enz.)
- Speciaal ontworpen bonussysteem
Stuur uw gedetailleerde cv's in het Engels voor onze overweging op onze e-mail
met vermelding van de Financieel Vertegenwoordiger functie.
Succesvolle kandidaten zullen worden gecontacteerd met betrekking tot de tijd voor het interview..
Amie@jobinhollandart.com
jobinhollandart.com shares back-end infrastructure with europjobs.eu and a domain called israelcallingcard.net. You can assume that europjobs.eu will also be used for fraudulent activities.
The MX records point to 68.68.20.166, (Bluemile Inc, Ohio). Nameservers are on 173.213.79.90 (Ionix, Nevada) and 170.19.177.33 (Cooper Neff, Pennsylvania).
The WHOIS records for all these domains are probably fake:
jobinhollandart.com
Diane R. Coleman
Diane Coleman DianeRColeman@aol.com
+1.3612298028 fax: +1.3612298028
1327 Boone Street
Corpus Christi TX 78476
us
israelcallingcard.net
Neva Kilpatrick
5636 GUILFORD AVE
INDIANAPOLIS, IN 46220
US
Phone: +1.3178112099
Email: ironeggman@yahoo.com
europjobs.eu
Name Sarka Sirotkova
Organisation
Language English
Address
Labels:
Job Offer Scams,
Spam
Wednesday, 23 November 2011
b*redret.ru domains to block
Some of the recent surge of spam emails going around uses a set of .ru domains with a discernible pattern of b*redret.ru.
Blocking these access to these domains and/or IPs might be a useful proactive step.
173.212.222.54 (Hostnoc, Scranton)
buredret.ru
195.254.135.72 (FastWeb SRL, Romania. Recommend blocking 195.254.134.0/23)
bqredret.ru
btredret.ru
bwredret.ru
bzredret.ru
89.208.34.116 (Digital Networks SRL, Russia. Recommend blocking 89.208.34.0/24)
baredret.ru
biredret.ru
bvredret.ru
94.199.51.108 (23vnet Kft, Hungary)
bkredret.ru
blredret.ru
bpredret.ru
bsredret.ru
95.163.89.193 (Digital Networks JSC, Russia. Recommend blocking 95.163.64.0/19)
bbredret.ru
bcredret.ru
bdredret.ru
beredret.ru
bfredret.ru
bgredret.ru
bhredret.ru
Unallocated / invalid IPs
boredret.ru
brredret.ru
bjredret.ru
bmredret.ru
bnredret.ru
bxredret.ru
byredret.ru
Blocking these access to these domains and/or IPs might be a useful proactive step.
173.212.222.54 (Hostnoc, Scranton)
buredret.ru
195.254.135.72 (FastWeb SRL, Romania. Recommend blocking 195.254.134.0/23)
bqredret.ru
btredret.ru
bwredret.ru
bzredret.ru
89.208.34.116 (Digital Networks SRL, Russia. Recommend blocking 89.208.34.0/24)
baredret.ru
biredret.ru
bvredret.ru
94.199.51.108 (23vnet Kft, Hungary)
bkredret.ru
blredret.ru
bpredret.ru
bsredret.ru
95.163.89.193 (Digital Networks JSC, Russia. Recommend blocking 95.163.64.0/19)
bbredret.ru
bcredret.ru
bdredret.ru
beredret.ru
bfredret.ru
bgredret.ru
bhredret.ru
Unallocated / invalid IPs
boredret.ru
brredret.ru
bjredret.ru
bmredret.ru
bnredret.ru
bxredret.ru
byredret.ru
Labels:
DINETHOSTING,
Redret,
Russia,
Viruses
Subscribe to:
Posts (Atom)