Another name used on the spam is "Ramiro Howell", although there are probably hundreds of fake names. The malicious payload is at chredret.ru/main.php, hosted on 46.249.37.22 (Serverius Holding BV, Netherlands). This is the second "redret" domain in this /24, so blocking 46.249.37.0/24 might be prudent.
Date: Tue, 27 Dec 2011 06:06:18 +0700
From: "Destinee Mills"
Subject: The variant of the contract you've offered has been delcined.
After our legal department studied this contract carefully, they've noticed the following mismatches with our previous arrangements. We've composed a preliminary variant of the new contract, please study it and make sure that all the issues are matching your interests
NEW_Contract.doc 44kb
With best wishes
Destinee Mills
Tuesday, 27 December 2011
Contract spam / chredret.ru
Another fake "contract" spam leading to malware, hosted on chredret.ru .
Thursday, 22 December 2011
NACHA Spam / cgredret.ru
More NACHA spam, this time pointing to cgredret.ru (which we've seen before) which delivers a malicious payload.
cgredret.ru has moved since yesterday and is now on 79.137.237.68. Unsurprisingly, it is now on Digital Network JSC in Russia (aka DINETHOSTING). Block access to 79.137.224.0/20 if you can.
Date: Thu, 22 Dec 2011 03:37:35 +0530
From: "NACHA"
Subject: ACH Transfer rejected
ACH transaction, initiated from your checking account, was canceled.
Canceled transaction:
Transfer ID: B2793447923US
Transfer Report: View
GALINA Gunter
NACHA - The Electronic Payment Association
cgredret.ru has moved since yesterday and is now on 79.137.237.68. Unsurprisingly, it is now on Digital Network JSC in Russia (aka DINETHOSTING). Block access to 79.137.224.0/20 if you can.
Wednesday, 21 December 2011
"Hello! Look, I've received an unfamiliar bill.." / cgredret.ru
The spam tsunami continues, this one is a reworking of one seen last month, but with a new payload site.
The malicious payload is on cgredret.ru which I catalogued yesterday (although it didn't have an IP address then). The IP is now 206.72.207.156 (Interserver Inc, USA) along with some other malicious sites. Block the IP rather than the domain if you can.
Date: Wed, 21 Dec 2011 06:43:07 +0700
From: "MERLYN Spicer" [sales1@victimdomain.com]
To:
Subject: Need your help!
Hello! Look, I've received an unfamiliar bill, have you ordered anything?
Here is the bill
Please reply as soon as possible, because the amount is large and they demand the payment urgently.
Looking forward to your answer
Fingerprint: 2ccc03a5-e19549f7
The malicious payload is on cgredret.ru which I catalogued yesterday (although it didn't have an IP address then). The IP is now 206.72.207.156 (Interserver Inc, USA) along with some other malicious sites. Block the IP rather than the domain if you can.
*redirect.ru sites to block
These are another part of the "redret" series of malware sites being promoted by spam, and are worth blocking proactively.
109.70.26.36 (Parked)
iredirect.ru
89.208.34.116 (Digital Network JSC aka DINETHOSTING Russia, block 89.208.32.0/19)
aredirect.ru
91.220.35.38 (Zamanhost Ukraine, block 91.220.35.0/24)
bredirect.ru
credirect.ru
dredirect.ru
eredirect.ru
No IP allocated
fredirect.ru
gredirect.ru
hredirect.ru
jredirect.ru
kredirect.ru
lredirect.ru
mredirect.ru
nredirect.ru
oredirect.ru
predirect.ru
qredirect.ru
rredirect.ru
sredirect.ru
tredirect.ru
uredirect.ru
vredirect.ru
wredirect.ru
xredirect.ru
yredirect.ru
zredirect.ru
109.70.26.36 (Parked)
iredirect.ru
89.208.34.116 (Digital Network JSC aka DINETHOSTING Russia, block 89.208.32.0/19)
aredirect.ru
91.220.35.38 (Zamanhost Ukraine, block 91.220.35.0/24)
bredirect.ru
credirect.ru
dredirect.ru
eredirect.ru
No IP allocated
fredirect.ru
gredirect.ru
hredirect.ru
jredirect.ru
kredirect.ru
lredirect.ru
mredirect.ru
nredirect.ru
oredirect.ru
predirect.ru
qredirect.ru
rredirect.ru
sredirect.ru
tredirect.ru
uredirect.ru
vredirect.ru
wredirect.ru
xredirect.ru
yredirect.ru
zredirect.ru
Labels:
BBB,
DINETHOSTING,
Redret,
Russia,
Ukraine
BBB Spam / curvechirp.com
Yet more BBB spam, this time with a different malicious domain - curvechirp.com, hosted on 184.171.248.47 at TMZHosting LLC, Florida. This range is suballocated from Hostdime and has been seen a few days ago with another attack, so blocking all access to 184.171.248.32/27 is probably prudent.
Payload page is at curvechirp.com/main.php?page=111d937ec38dd17e, at the moment the page is not responding (possibly due to being overloaded as it looks like a cheap VPS).
Here are some samples:
========
Payload page is at curvechirp.com/main.php?page=111d937ec38dd17e, at the moment the page is not responding (possibly due to being overloaded as it looks like a cheap VPS).
Here are some samples:
Date: Wed, 21 Dec 2011 13:37:00 +0100
From: "Better Business Bureau" [manager@bbb.org]
Subject: BBB complaint processing
Attachments: betterbb_logo.jpg
Attention: Owner/Manager
Here with the Better Business Bureau informs you that we have been filed a complaint (ID 54838460) from one of your customers with respect to their dealership with you.
Please open the COMPLAINT REPORT below to view the details on this question and suggest us about your opinion as soon as possible.
We are looking forward to your prompt reply.
Regards,
Gerard Johnson
Dispute Counselor
Better Business Bureau
Council of Better Business Bureaus
4200 Wilson Blvd, Suite 800
Arlington, VA 22203-1838
Phone: 1 (703) 276.0100
Fax: 1 (703) 525.8277
========
Date: Wed, 21 Dec 2011 14:41:50 +0200
From: "Better Business Bureau" [info@bbb.org]
Subject: Urgent notice from BBB
Attachments: betterbb_logo.jpg
Attn: Owner/Manager
Here with the Better Business Bureau informs you that we have been sent a complaint (ID 67732970) from a customer of yours with respect to their dealership with you.
Please open the COMPLAINT REPORT below to view the details on this case and inform us about your point of view as soon as possible.
We hope to hear from you shortly.
Sincerely,
Theresa Morris
Dispute Counselor
Better Business Bureau
Council of Better Business Bureaus
4200 Wilson Blvd, Suite 800
Arlington, VA 22203-1838
Phone: 1 (703) 276.0100
Fax: 1 (703) 525.8277
BBB Spam / curcandle.net
Yet more BBB themed malware spam this morning, bouncing through a couple of hacked servers to a malicious payload on curcandle.net (174.136.1.223, Colo4Dallas). Blocking access to the IP will also block any other evil domains on the same server.
The payload is on curcandle.net/main.php?page=111d937ec38dd17e although right at the moment it is 404ing. However, the spam run is just 30 minutes old so perhaps it is still under construction.
Some samples:
============
============
============
The payload is on curcandle.net/main.php?page=111d937ec38dd17e although right at the moment it is 404ing. However, the spam run is just 30 minutes old so perhaps it is still under construction.
Some samples:
Date: Wed, 21 Dec 2011 09:55:02 +0100
From: "Better Business Bureau" [manager@bbb.org]
Subject: BBB information regarding your customers complaint
Attachments: betterbb_logo.jpg
Good afternoon,
Here with the Better Business Bureau informs you that we have been sent a complaint (ID 54715375) from one of your customers with respect to their dealership with you.
Please open the COMPLAINT REPORT below to obtain the details on this matter and inform us about your opinion as soon as possible.
We are looking forward to your prompt reply.
Sincerely,
Rebecca Wilcox
Dispute Counselor
Better Business Bureau
Council of Better Business Bureaus
4200 Wilson Blvd, Suite 800
Arlington, VA 22203-1838
Phone: 1 (703) 276.0100
Fax: 1 (703) 525.8277
============
Date: Wed, 21 Dec 2011 09:54:50 +0100
From: "BBB" [alerts@bbb.org]
Subject: Your customer complained to BBB
Attachments: betterbb_logo.jpg
Attn: Owner/Manager
Here with the Better Business Bureau notifies you that we have been sent a complaint (ID 44513446) from one of your customers with respect to their dealership with you.
Please open the COMPLAINT REPORT below to obtain more information on this question and inform us about your opinion as soon as possible.
We are looking forward to hearing from you.
Regards,
Theresa Morris
Dispute Counselor
Better Business Bureau
Council of Better Business Bureaus
4200 Wilson Blvd, Suite 800
Arlington, VA 22203-1838
Phone: 1 (703) 276.0100
Fax: 1 (703) 525.8277
============
Date: Wed, 21 Dec 2011 08:54:38 +0000
From: "BBB" [service@bbb.org]
Subject: Better Business Bureau complaint
Attachments: betterbb_logo.jpg
Attention: Owner/Manager
Here with the Better Business Bureau would like to notify you that we have received a complaint (ID 10822005) from one of your customers related to their dealership with you.
Please open the COMPLAINT REPORT below to obtain more information on this question and inform us about your position as soon as possible.
We are looking forward to your prompt reply.
Kind regards,
Theresa Morris
Dispute Counselor
Better Business Bureau
Council of Better Business Bureaus
4200 Wilson Blvd, Suite 800
Arlington, VA 22203-1838
Phone: 1 (703) 276.0100
Fax: 1 (703) 525.8277
============
Date: Wed, 21 Dec 2011 09:33:03 +0000
From: "BBB" [manager@bbb.org]
Subject: BBB complaint report
Attachments: betterbb_logo.jpg
Attn: Owner/Manager
Here with the Better Business Bureau notifies you that we have been sent a complaint (ID 10942308) from one of your customers in regard to their dealership with you.
Please open the COMPLAINT REPORT below to obtain more information on this question and let us know of your position as soon as possible.
We hope to hear from you very soon.
Faithfully,
Arnold Melendez
Dispute Counselor
Better Business Bureau
Council of Better Business Bureaus
4200 Wilson Blvd, Suite 800
Arlington, VA 22203-1838
Phone: 1 (703) 276.0100
Fax: 1 (703) 525.8277
a*redret.ru domains to block
More malware domains to block, being promoted through malicious spam emails:
89.208.34.116 (Digital Network JSC Russia aka DINETHOSTING. Block 89.208.32.0/19 as it is all toxic)
ajredret.ru
akredret.ru
alredret.ru
amredret.ru
apredret.ru
arredret.ru
asredret.ru
91.220.35.38 (Zamanhost, Ukraine. Block 91.220.35.0/24)
aaredret.ru
abredret.ru
acredret.ru
adredret.ru
95.163.89.193 (Digital Network JSC Russia. Block 95.163.0.0/16 or 95.163.64.0/19)
aeredret.ru
afredret.ru
agredret.ru
ahredret.ru
airedret.ru
No IP allocated
anredret.ru
aoredret.ru
aqredret.ru
atredret.ru
auredret.ru
avredret.ru
awredret.ru
axredret.ru
ayredret.ru
azredret.ru
89.208.34.116 (Digital Network JSC Russia aka DINETHOSTING. Block 89.208.32.0/19 as it is all toxic)
ajredret.ru
akredret.ru
alredret.ru
amredret.ru
apredret.ru
arredret.ru
asredret.ru
91.220.35.38 (Zamanhost, Ukraine. Block 91.220.35.0/24)
aaredret.ru
abredret.ru
acredret.ru
adredret.ru
95.163.89.193 (Digital Network JSC Russia. Block 95.163.0.0/16 or 95.163.64.0/19)
aeredret.ru
afredret.ru
agredret.ru
ahredret.ru
airedret.ru
No IP allocated
anredret.ru
aoredret.ru
aqredret.ru
atredret.ru
auredret.ru
avredret.ru
awredret.ru
axredret.ru
ayredret.ru
azredret.ru
Labels:
DINETHOSTING,
Malware,
Russia,
Ukraine,
Viruses
b*redret.ru domains to block (updated)
Another set of "Redret" domains, the b*redret.ru series is used in malware distribution. It has some new IP addresses since the last time.
89.208.34.116 (Digital Network JSC Russia aka DINETHOSTING. Block 89.208.32.0/19 as it is all toxic)
baredret.ru
biredret.ru
bvredret.ru
91.228.133.120 (Inter-Treyd LLC, Russia. Recommend blocking 91.228.133.0/24)
blredret.ru
bsredret.ru
94.199.51.108 (23VNet Hungary)
bkredret.ru
bpredret.ru
bxredret.ru
byredret.ru
95.163.89.193 (Digital Network JSC Russia. Block 95.163.0.0/16 or 95.163.64.0/19)
bbredret.ru
bcredret.ru
bdredret.ru
beredret.ru
bfredret.ru
bgredret.ru
bhredret.ru
95.163.89.200 (Digital Network JSC Russia)
bwredret.ru
bzredret.ru
No IP at present
bjredret.ru
bmredret.ru
bnredret.ru
bqredret.ru
brredret.ru
btredret.ru
buredret.ru
89.208.34.116 (Digital Network JSC Russia aka DINETHOSTING. Block 89.208.32.0/19 as it is all toxic)
baredret.ru
biredret.ru
bvredret.ru
91.228.133.120 (Inter-Treyd LLC, Russia. Recommend blocking 91.228.133.0/24)
blredret.ru
bsredret.ru
94.199.51.108 (23VNet Hungary)
bkredret.ru
bpredret.ru
bxredret.ru
byredret.ru
95.163.89.193 (Digital Network JSC Russia. Block 95.163.0.0/16 or 95.163.64.0/19)
bbredret.ru
bcredret.ru
bdredret.ru
beredret.ru
bfredret.ru
bgredret.ru
bhredret.ru
95.163.89.200 (Digital Network JSC Russia)
bwredret.ru
bzredret.ru
No IP at present
bjredret.ru
bmredret.ru
bnredret.ru
bqredret.ru
brredret.ru
btredret.ru
buredret.ru
Labels:
Bulgaria,
DINETHOSTING,
Redret,
Russia
Tuesday, 20 December 2011
c*redret.ru sites to block (updated)
These "Redret" domains serve up malware and are promoted by spam, some of them have moved around since last week so consider this an updated list.
46.249.37.109 [Serverius Holding B.V, Netherlands]
cpredret.ru
79.137.237.63 [Digital Network JSC, Russia aka DINETHOSTING. Recommend blocking 79.137.224.0/20]
crredret.ru
ctredret.ru
czredret.ru
79.137.237.67 [Digital Network JSC, Russia]
ciredret.ru
coredret.ru
79.137.237.68 [Digital Network JSC, Russia]
caredret.ru
csredret.ru
91.195.11.42 [UkrStar ISP, Ukraine. Recommend blocking 91.195.10.0/23]
206.72.207.156 [Interserver Inc, United States]
cdredret.ru
cfredret.ru
Not hosted at present
cbredret.ru
ccredret.ru
ceredret.ru
cgredret.ru
chredret.ru
cjredret.ru
ckredret.ru
clredret.ru
cmredret.ru
cnredret.ru
cqredret.ru
cvredret.ru
cwredret.ru
cxredret.ru
cyredret.ru
46.249.37.109 [Serverius Holding B.V, Netherlands]
cpredret.ru
79.137.237.63 [Digital Network JSC, Russia aka DINETHOSTING. Recommend blocking 79.137.224.0/20]
crredret.ru
ctredret.ru
czredret.ru
79.137.237.67 [Digital Network JSC, Russia]
ciredret.ru
coredret.ru
79.137.237.68 [Digital Network JSC, Russia]
caredret.ru
csredret.ru
91.195.11.42 [UkrStar ISP, Ukraine. Recommend blocking 91.195.10.0/23]
206.72.207.156 [Interserver Inc, United States]
cdredret.ru
cfredret.ru
Not hosted at present
cbredret.ru
ccredret.ru
ceredret.ru
cgredret.ru
chredret.ru
cjredret.ru
ckredret.ru
clredret.ru
cmredret.ru
cnredret.ru
cqredret.ru
cvredret.ru
cwredret.ru
cxredret.ru
cyredret.ru
Labels:
DINETHOSTING,
Redret,
Russia,
Serverius,
Ukraine,
UkrStar ISP
BBB Spam / financestuff.serveblog.net
Here's another BBB Spam leading to malware..
Malware payload in on financestuff.serveblog.net/main.php?page=69dbd5a1e3ed6ae9 on 207.210.65.12 (Global Net Access LLC). Block the IP address if you can.
Date: Tue, 20 Dec 2011 11:45:50 +0100
From: "BBB" [support@bbb.org]
Subject: BBB complaint processing
Attachments: betterbb_logo.jpg
Attention: Owner/Manager
Here with the Better Business Bureau would like to notify you that we have received a complaint (ID 24673594) from your customer with respect to their dealership with you.
Please open the COMPLAINT REPORT below to find the details on this issue and let us know of your point of view as soon as possible.
We are looking forward to hearing from you.
Faithfully,
Katherine Schulte
Dispute Counselor
Better Business Bureau
Council of Better Business Bureaus
4200 Wilson Blvd, Suite 800
Arlington, VA 22203-1838
Phone: 1 (703) 276.0100
Fax: 1 (703) 525.8277
Malware payload in on financestuff.serveblog.net/main.php?page=69dbd5a1e3ed6ae9 on 207.210.65.12 (Global Net Access LLC). Block the IP address if you can.
"Scan from a Xerox WorkCentre Pro" / cfredret.ru
This is a fairly common malware spam, pointing to malicious code on cfredret.ru/main.php.
cfredret.ru is hosted on 78.47.193.36, exactly the same IP address as this BBB themed malware spam. Blocking access to 78.47.198.32/29 is a fabulous idea if you can.
Date: Tue, 20 Dec 2011 05:42:20 +0300
From: victimname@gmail.com
Subject: Re: Fwd: Re: Scan from a Xerox WorkCentre Pro #2966272
A Document was sent to you using a Xerox WKC1296130.
Sent by: SHIRLEY
Images : 5
Image (.JPEG) Download
Device: UM85256LL6P68270479
bfe116b5-7dcccccc
cfredret.ru is hosted on 78.47.193.36, exactly the same IP address as this BBB themed malware spam. Blocking access to 78.47.198.32/29 is a fabulous idea if you can.
BBB Spam / blumtam.com
More BBB spam, this time attempting to deliver users to a malicious payload on blumtam.com. A couple of samples:
Payload is on blumtam.com/main.php?page=69dbd5a1e3ed6ae9 hosted on 78.47.198.36, a Hetzner AG address suballocated to an outfit called QHoster Ltd in Bulgaria. Blocking access to 78.47.198.32/29 would probably be prudent.
Date: Tue, 20 Dec 2011 00:34:38 -0800and
From: "BBB" [alerts@bbb.org]
Subject: Re: your customer�s complaint ID 82235322
Attachments: betterbb_logo.jpg
Attention: Owner/Manager
Here with the Better Business Bureau would like to inform you that we have been sent a complaint (ID 82235322) from a customer of yours in regard to their dealership with you.
Please open the COMPLAINT REPORT below to obtain the details on this case and let us know of your position as soon as possible.
We hope to hear from you shortly.
Kind regards,
Fernando Grodhaus
Dispute Counselor
Better Business Bureau
Council of Better Business Bureaus
4200 Wilson Blvd, Suite 800
Arlington, VA 22203-1838
Phone: 1 (703) 276.0100
Fax: 1 (703) 525.8277
Date: Tue, 20 Dec 2011 11:09:23 +0200
From: "BBB" [alerts@bbb.org]
Subject: BBB case ID 59988329
Attachments: betterbb_logo.jpg
Hello,
Here with the Better Business Bureau would like to notify you that we have been filed a complaint (ID 59988329) from a customer of yours related to their dealership with you.
Please open the COMPLAINT REPORT below to view more information on this matter and let us know of your opinion as soon as possible.
We are looking forward to hearing from you.
Faithfully,
Theresa Morris
Dispute Counselor
Better Business Bureau
Council of Better Business Bureaus
4200 Wilson Blvd, Suite 800
Arlington, VA 22203-1838
Phone: 1 (703) 276.0100
Fax: 1 (703) 525.8277
Payload is on blumtam.com/main.php?page=69dbd5a1e3ed6ae9 hosted on 78.47.198.36, a Hetzner AG address suballocated to an outfit called QHoster Ltd in Bulgaria. Blocking access to 78.47.198.32/29 would probably be prudent.
Monday, 19 December 2011
DHL malware spam / secure.dhldispatches.com
This DHL themed spam leads to malware:
secure.dhldispatches.com (hosted on 116.240.194.69, Primus Australia) looks like a DHL page, but it carries a malicious payload which is loads from 118.88.25.36 (Dedicated Servers Australia). Blocking access to both those IPs may be prudent. The Wepawet report for this one is here.
From: DHL Express
Sent: 19 December 2011 10:03
Subject: DHL Express Dispatch Confirmation
Order number: 9672834463
Your order has now been dispatched and your DHL Express air waybill number is 9672834463.
To follow the progress of your shipment and print invoice for your records, please go to :
http://secure.dhldispatches.com/tracking/
IMPORTANT INFORMATION:
DHL Express will deliver your order between 9am-5pm GMT, Monday to Friday. If you are unavailable, DHL Express will leave a card so you can contact them to reschedule.
All orders must be signed for upon delivery.
Please note, we are unable to change the shipping address on your order now it has been dispatched. Your purchase should arrive in perfect condition. If you are unhappy with the quality, please let us know immediately.
Yours sincerely,
Customer Care
www.dhl.com
For assistance email customercare@dhl.com or call 0800 099 27671 from the UK, +44 (0)20 2781 62512 from the rest of the world, 24 hours a day, seven days a week
CONFIDENTIALITY NOTICE
The information in this email is confidential and is intended solely for the addressee. Access to this email by anyone else is unauthorised. If you are not the intended recipient, you must not read, use or disseminate the information. Any views expressed in this message are those of the individual sender, except where the sender specifically states them to be the views of DHL Express Deliveries.
secure.dhldispatches.com (hosted on 116.240.194.69, Primus Australia) looks like a DHL page, but it carries a malicious payload which is loads from 118.88.25.36 (Dedicated Servers Australia). Blocking access to both those IPs may be prudent. The Wepawet report for this one is here.
FDIC spam / splatstack.net
More FDIC spam leading to malware, this time at splatstack.net.
The link goes via a couple of hacked sites to a malicious payload splatstack.net/main.php?page=abfd0d069b45c17e hosted on 173.255.253.115 (Linode). Blocking access to that IP address will probably be prudent.
Date: Mon, 19 Dec 2011 05:32:49 -0600
From: "Greta Bullock"
Subject: Blockage of your transactions
Attn: Financial Department
By this message we would like to inform you about the latest amendments in the Federal Deposit Insurance Corporation coverage rules. During the period from December 31, 2010 to December 31, 2012 all funds in a "noninterest-bearing transaction account" are provided with a full insurance coverage by the Federal Deposit Insurance Corporation. Please note, that this arrangement is temporary and separate from the Federal Deposit Insurance Corporation's basic insurance rules.
The term "noninterest-bearing transaction account" implies a usual checking account or demand deposit account on which the insured depository institution pays no interest. For more information about this temporary FDIC unlimited coverage, please refer to: http://iimtstudies.com/e3f4e0/index.html
Yours faithfully,
Greta Bullock
Federal Deposit Insurance Corporation
The link goes via a couple of hacked sites to a malicious payload splatstack.net/main.php?page=abfd0d069b45c17e hosted on 173.255.253.115 (Linode). Blocking access to that IP address will probably be prudent.
Scam: "CareerQuick Staffing" / careermanagement.com.ua
This is another take on RockSmith Management scam, linked to these dodgy work-at-home sites, apparently with an Australian connection.
careermanagement.com.ua is a Ukrainian domain, it is hosted on 85.121.39.3, which is a known black-hat host in Romania (Monyson Grup S.A), although as we said before this appears to be an Australian crew running the scam. The layout of the site echoes careerquickstaffing.com, a site that has already been suspended for spamming.
Date: Mon, 26 Sep 2011 05:48:19 +0530
From: "Terence Mooney" [terence.mooney@voicecom.co.za]
Subject: Reminder: Employment Opportunity Followup
Hello
Thank you for submitting your information for potential employment opportunities.
We look forward to reviewing your application, but can not do so until you complete our
internal application.
The pay range for available positions range from $35.77 per hour to $57.62 per hour.
Prior to begin able to be considered, you will first need you to formally apply.
Please go here to begin the process:
http://careermanagement.com.ua/
Also, the following perks are potentially available:
- Paid Time Off
- Health Benefits Package
- Higher than average salaries
- Tuition Reimbursement
- Extensive 401(k)program
Please take the time to follow the directions and complete the entire
application process.
Best Regards,
Rock Smith Management
careermanagement.com.ua is a Ukrainian domain, it is hosted on 85.121.39.3, which is a known black-hat host in Romania (Monyson Grup S.A), although as we said before this appears to be an Australian crew running the scam. The layout of the site echoes careerquickstaffing.com, a site that has already been suspended for spamming.
Labels:
Australia,
Job Offer Scams,
Romania,
Spam
Friday, 16 December 2011
NACHA Spam/ ragsnip.com
Yet another round of fake NACHA spam leading to malware is doing the rounds, this time the payload is on ragsnip.com/main.php?page=111d937ec38dd17e hosted on 207.210.96.226 (Global Net Access LLC, Atlanta). Blocking access to the IP is preferable to the domain as there may be other malicious domains on the same server.
An example spam email from this run (it seems no different to all the other ones):
An example spam email from this run (it seems no different to all the other ones):
Date: Fri, 16 Dec 2011 16:43:21 +0100
From: "transactions@nacha.org" [transactions@nacha.org]
Subject: Information on your pending transaction
Attention: Accounting Department
This message contains a report about the ACH debit transfer sent on your behalf, that was detained by our bank:
Transaction #: 007457776956967
Status of the transaction: pending
In order to resolve this matter, please review the transaction details using the link below as soon as possible.
Faithfully yours,
Kathy Quirk
Accounting Department
NACHA Spam / ragsnub.com
More NACHA spam is doing the rounds, this time redirecting through a legitimate hacked site to ragsnub.com/main.php?page=69dbd5a1e3ed6ae9 on 184.171.248.35 (Hostdime, Florida).
There may be other bad domains on that server, so blocking access to the IP is the safest approach.
There may be other bad domains on that server, so blocking access to the IP is the safest approach.
Thursday, 15 December 2011
NACHA Spam / evrymonthnighttry.com and glasseseverydaynow.com
More NACHA themed spam this morning that redirects victims through a hacked legitimate site to a malware laden page, this time hosted on evrymonthnighttry.com or glasseseverydaynow.com.
These sites are hosted on 46.183.217.119 (Dataclub, Latvia). I can't see anything at all of value in 46.183.216.0/21 so blocking access to all of that range might be prudent.
It also attempts to load an exploit from a site called bbb-complains.org which is not resolving at present.
A couple of example emails:
and
These sites are hosted on 46.183.217.119 (Dataclub, Latvia). I can't see anything at all of value in 46.183.216.0/21 so blocking access to all of that range might be prudent.
It also attempts to load an exploit from a site called bbb-complains.org which is not resolving at present.
A couple of example emails:
Date: Thu, 15 Dec 2011 07:42:51 +0000
From: "risk.manager@nacha.org" [risk.manager@nacha.org]
Subject: Your ACH transaction details
Attention: Accounting Department
This message includes an important information regarding the ACH debit transfer sent on your behalf, that was detained by our bank:
Transaction ID: 079788807282357
Transaction status: pending
In order to resolve this matter, please use the link below to review the transaction details as soon as possible.
Yours faithfully,
Anthony Cooley
Chief Accountant
and
Date: Thu, 15 Dec 2011 07:30:43 +0000
From: "alert@nacha.org" [alert@nacha.org]
Subject: Your pending ACH debit transfer
Dear Sir or Madam,
Please find below a report about the ACH debit transfer sent on your behalf, that was kept back by our bank:
Transaction #: 638798200851317
Status of the transaction: pending
In order to resolve this matter, please review the transaction details using the link below as soon as possible.
Yours truly,
Kevin Hunt
Chief Accountant
Fake Facebook spam / caredret.ru
More toxic spam.
In this case, the link goes via a hacked legitimate site and gets redirected to a malicious page on caredret.ru/main.php hosted on 79.137.237.67 (Digital Network JSC, Russia aka DINETHOSTING). Block access to 79.137.224.0/20 if you can, there is nothing legitimate hosted here.
Date: Thu, 15 Dec 2011 11:52:56 +0700
From: Facebook [notification+VGNDUO7NQM4R@facebookmail.com]
Subject: LUCY Snow wants to be friends on Facebook.
LUCY Snow wants to be friends with you on Facebook.
LUCY Snow
Confirm Friend Request
See All Requests
This message was sent to victim@victimdomain.com. If you don't want to receive these emails from Facebook in the future or have your email address used for friend suggestions, please click: unsubscribe.
Facebook, Inc. Attention: Department 415 P.O Box 10005 Palo Alto CA 94303
In this case, the link goes via a hacked legitimate site and gets redirected to a malicious page on caredret.ru/main.php hosted on 79.137.237.67 (Digital Network JSC, Russia aka DINETHOSTING). Block access to 79.137.224.0/20 if you can, there is nothing legitimate hosted here.
Labels:
DINETHOSTING,
Facebook,
Malware,
Spam,
Viruses
FDIC spam / sownload.zapto.org and 63.223.78.19
The spam tsunami continues today with a set of new malware URLs to block. This one allegedly comes from the FDIC in the US.
The link goes through a legitimate hacked site and tries to direct the user to a malicious page at sownload.zapto.org/main.php?page=db3408bf080473cf hosted on 63.223.78.199 (InfraVPS Network Solutions, Philippines). Blocking the IP address is preferable because there may more other malicious domains on that server.
Date: Fri, 16 Dec 2011 04:12:15 +0400
From: "Freeman Ballard" [Freeman.Ballard@campioni.info]
Subject: URGENT! Security system updates
Dear Sirs,
In order to prevent new cases of wire fraud, we have introduced a new security system. In this connection all the account transactions of our customers have been suspended unless the special security requirements are met.. In order to rehabilitate your account, you need to
Install a special security software. Please use the link below to read the instructions for the installation of the latest security version.
We apologize for the inconveniences caused to you by this measure.
Please do not hesitate to contact us if you have any questions.
Sincerely yours,
FDIC Call Center 1-877-275-3342 (1-877-ASKFDIC)
or Email Address: consumer-service@fdic.gov
8:00 am - 8:00 pm ET; Monday-Friday
9:00 am - 5:00 pm ET; Saturday-Sunday
For the Hearing Impaired Toll Free 1-800-925-4618 / Local (VA) 703-562-2289
The link goes through a legitimate hacked site and tries to direct the user to a malicious page at sownload.zapto.org/main.php?page=db3408bf080473cf hosted on 63.223.78.199 (InfraVPS Network Solutions, Philippines). Blocking the IP address is preferable because there may more other malicious domains on that server.
Labels:
Malware,
Philippines,
Spam,
Viruses
Subscribe to:
Posts (Atom)