After a quiet couple of weeks, the Redret spam has started again using the domains and IPs listed below. Some are familiar, some are new. In some cases blocking whole IP ranges is the best idea.
46.249.37.22 (Serverius Holdings, Netherlands)
clredret.ru
46.249.37.109 (Serverius Holdings, Netherlands)
cpredret.ru
67.215.3.153 (GloboTech Communications, California)
ckredret.ru
79.137.237.63 (Digital Network JSC aka DINETHOSTING, Russia. Block 79.137.224.0/20)
crredret.ru
ctredret.ru
czredret.ru
79.137.237.67 (Digital Network JSC aka DINETHOSTING, Russia. Block 79.137.224.0/20)
ciredret.ru
coredret.ru
79.137.237.68 (Digital Network JSC aka DINETHOSTING, Russia. Block 79.137.224.0/20)
caredret.ru
cdredret.ru
cfredret.ru
cgredret.ru
csredret.ru
89.208.34.116 (Digital Network JSC aka DINETHOSTING, Russia. Block 89.208.32.0/19)
ajredret.ru
akredret.ru
alredret.ru
amredret.ru
apredret.ru
aredirect.ru
arredret.ru
asredret.ru
baredret.ru
biredret.ru
bvredret.ru
91.220.35.38 (Zamanhost, Ukraine/Russia. Block 91.220.35.0/24)
aaredret.ru
abredret.ru
acredret.ru
adredret.ru
bredirect.ru
credirect.ru
dredirect.ru
eredirect.ru
91.222.137.170 (Delta-X Ltd, Ukraine. Consider blocking 91.222.136.0/22)
chredret.ru
cjredret.ru
94.199.51.108 (23VNet, Hungary)
bkredret.ru
bpredret.ru
bxredret.ru
byredret.ru
95.163.89.193 (Digital Network JSC aka DINETHOSTING, Russia. Block 95.163.64.0/19)
aeredret.ru
afredret.ru
agredret.ru
ahredret.ru
airedret.ru
bbredret.ru
bcredret.ru
bdredret.ru
beredret.ru
bfredret.ru
bgredret.ru
bhredret.ru
95.163.89.200 (Digital Network JSC aka DINETHOSTING, Russia)
bwredret.ru
bzredret.ru
109.70.26.36 (Parked at RU-SERVICE Ltd ISP)
iredirect.ru
No IP at present
anredret.ru
aoredret.ru
aqredret.ru
atredret.ru
auredret.ru
avredret.ru
awredret.ru
axredret.ru
ayredret.ru
azredret.ru
bjredret.ru
bmredret.ru
bnredret.ru
bqredret.ru
brredret.ru
btredret.ru
buredret.ru
cbredret.ru
ccredret.ru
ceredret.ru
cmredret.ru
cnredret.ru
cqredret.ru
cvredret.ru
cwredret.ru
cxredret.ru
cyredret.ru
fredirect.ru
gredirect.ru
hredirect.ru
jredirect.ru
kredirect.ru
lredirect.ru
mredirect.ru
nredirect.ru
oredirect.ru
predirect.ru
qredirect.ru
rredirect.ru
sredirect.ru
tredirect.ru
uredirect.ru
vredirect.ru
wredirect.ru
xredirect.ru
yredirect.ru
zredirect.ru
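The list above follows one fixed layout: a hosting line (an IP address with the provider in parentheses, sometimes carrying a "Block a.b.c.d/nn" recommendation) followed by the domains currently resolving there, with a "No IP at present" group at the end. The following added example, which is not tooling from this blog, parses that layout into a structure you can query, pulls out the recommended CIDR ranges, and answers whether an IP seen in your logs is covered either by a listed host or by one of those ranges. The `SAMPLE_LIST` text is a constructed excerpt of the list above in the same format; the function and field names are this example's own.

```python
"""Parse the block-list layout used in the post above into a lookup that
answers "is this IP covered by a listed host or a recommended range?".

Added example, not the blog's own tooling. SAMPLE_LIST is a constructed
excerpt of the list above (same format, fewer lines)."""
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed excerpt of the list in the post above.
SAMPLE_LIST = """\
46.249.37.22 (Serverius Holdings, Netherlands)
clredret.ru
79.137.237.63 (Digital Network JSC aka DINETHOSTING, Russia. Block 79.137.224.0/20)
crredret.ru
ctredret.ru
91.222.137.170 (Delta-X Ltd, Ukraine. Consider blocking 91.222.136.0/22)
chredret.ru
No IP at present
anredret.ru
fredirect.ru
"""

IP_LINE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})\s*\((.*)\)\s*$")
CIDR_IN_NOTE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3}/\d{1,2})")
NO_IP_LINE = re.compile(r"^(No IP|Not hosted)", re.IGNORECASE)


@dataclass
class BlockList:
    # host IP -> domains currently resolving there ("" keys the unresolved group)
    hosts: dict = field(default_factory=dict)
    # CIDR ranges the post recommends blocking outright
    ranges: list = field(default_factory=list)


def parse_blocklist(text: str) -> BlockList:
    """Walk the text line by line; an IP or 'No IP' line opens a group and
    every following bare line is a domain belonging to that group."""
    bl = BlockList()
    current = None  # IP string, "" for the 'No IP' group, None before any header
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = IP_LINE.match(line)
        if m:
            current = m.group(1)
            ipaddress.ip_address(current)  # reject malformed addresses early
            bl.hosts.setdefault(current, [])
            for cidr in CIDR_IN_NOTE.findall(m.group(2)):
                net = ipaddress.ip_network(cidr, strict=False)
                if net not in bl.ranges:
                    bl.ranges.append(net)
            continue
        if NO_IP_LINE.match(line):
            current = ""
            bl.hosts.setdefault("", [])
            continue
        if current is None:
            raise ValueError(f"domain before any IP header: {line}")
        bl.hosts[current].append(line.lower())
    return bl


def blocked_reason(bl: BlockList, ip: str):
    """Return 'host' if the IP is listed directly, the CIDR string if it
    falls inside a recommended range, or None if the list does not cover it."""
    addr = ipaddress.ip_address(ip)
    if ip in bl.hosts:
        return "host"
    for net in bl.ranges:
        if addr in net:
            return str(net)
    return None


def all_domains(bl: BlockList):
    """Every domain in the list, including those with no IP yet, sorted."""
    return sorted(d for ds in bl.hosts.values() for d in ds)


if __name__ == "__main__":
    bl = parse_blocklist(SAMPLE_LIST)
    print("ranges:", [str(n) for n in bl.ranges])
    for probe in ("46.249.37.22", "79.137.230.5", "8.8.8.8"):
        print(probe, "->", blocked_reason(bl, probe))
    print("domains:", all_domains(bl))
```

Feeding an IP that is not itself listed but sits inside a recommended range (for instance 79.137.230.5 against 79.137.224.0/20) returns the range rather than `None`, which is the point of the "block the whole range" advice in the post: a domain that moves to a neighbouring address in the same allocation stays blocked without a list update. Domains in the "No IP at present" group are kept so they can go into a DNS block list even before they resolve.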
Tuesday, 10 January 2012
Airline ticket spam / ckredret.ru
Despite a whole pile of Redret malware spam at the end of the year, the past couple of weeks have been very quiet. However, a new campaign has started up, directing visitors via a hacked legitimate site to ckredret.ru/main.php, which is hosted on 203.170.193.102 (IDC Cyberworld, Thailand).
Right at the moment the site is failing to resolve, but that could simply be a loading issue. Blocking the 203.170.193.102 IP address would be a good idea as it will stop any other malicious sites on the same server.
Date: Tue, 9 Jan 2012 08:33:24 +0700
From: sales1@victimdomain.com
Subject: Re: Your Flight N US966-282315527
Dear Customer,
FLIGHT NUMBER 5821-5704164
DATE/TIME : JANUARY 23, 2011, 16:12 PM
ARRIVING AIRPORT: WASHINGTON DC INT. AIRPORT
PRICE : 552.06 USD
Download your ticket here:
VIEW
KAYCEE Ramirez,
American Airlines
Friday, 6 January 2012
"Elavon 2012 Update" phish
Elavon deals with payment processing. This email is not from Elavon.
Attached is a file called myvirtualmerchant_login.html which is the phish itself, displaying the following screen.
The form itself sends the details to mail.xinsanjing.com on 220.189.213.181 (HangZhou XinSanJing Food Co. Ltd, China), which is possibly a hacked server. In this case the email originated from 209.91.252.206 in Puerto Rico.
If you use Elavon's services, watch out for this phish.
From: "Elavon, Inc." [sobolan@myvirtualmerchan-02.com]
Date: Fri, 06 Jan 2012 16:09:48 +0100
Subject: Urgent-Notification
--Elavon 2012 Update--
Dear Customer,
We regret to inform you that your retail merchant account is locked.
To re-activate it please download the file attached to this e-mail and update your login information.
2012 Elavon Inc,
-Please note only RETAIL account are locked-
-Example : Market Segmet : Retail-
Thursday, 29 December 2011
"Your Changelog UPDATED" / cjredret.ru
Another spam, another "redret" domain. This time the spam is a "changelog" one, the malicious payload is on cjredret.ru/main.php.
The site is hosted on 91.222.137.170 (Delta-X, Ukraine), the same IP address as yesterday. If you don't have any reason to send traffic to the Ukraine, blocking access to 91.222.136.0/22 might be prudent.
Date: Thu, 29 Dec 2011 07:59:51 +0200
From: accounting@victimdomain.com
Subject: Re: Fwd: Your Changelog UPDATED
Hello,
as promised chnglog updated -: View Changelog
Carey CATHERINE
Wednesday, 28 December 2011
"HP Officejet" spam / chredret.ru
More spam pointing to a malicious web page at chredret.ru/main.php (after redirecting through a legitimate but hacked site), but this time using the old "HP Officejet" approach.
Date: Wed, 28 Dec 2011 05:32:16 +0700
From: VG2EBrady@gmail.com
Subject: Re: Fwd: Re: Scan from a HP Officejet #8056528
A document was scanned and sent to you using a Hewlett-Packard JET SK868691M
Sent to you by: SHEA
Pages : 3
Filetype: Image (.jpeg) View
Location: GDOSO.1.3TH
Device: OP685S9OD6236672
The domain chredret.ru was used in this spam run yesterday, but now the server has moved from 46.249.37.22 to 91.222.137.170 (Delta-X, Ukraine). I don't know Delta-X at all, but the SiteVet and Google reports are not good, so you might want to consider blocking the entire range 91.222.136.0/22.
Tuesday, 27 December 2011
Contract spam / chredret.ru
Another fake "contract" spam leading to malware, hosted on chredret.ru.
Another name used on the spam is "Ramiro Howell", although there are probably hundreds of fake names. The malicious payload is at chredret.ru/main.php, hosted on 46.249.37.22 (Serverius Holding BV, Netherlands). This is the second "redret" domain in this /24, so blocking 46.249.37.0/24 might be prudent.
Date: Tue, 27 Dec 2011 06:06:18 +0700
From: "Destinee Mills"
Subject: The variant of the contract you've offered has been delcined.
After our legal department studied this contract carefully, they've noticed the following mismatches with our previous arrangements. We've composed a preliminary variant of the new contract, please study it and make sure that all the issues are matching your interests
NEW_Contract.doc 44kb
With best wishes
Destinee Mills
Thursday, 22 December 2011
NACHA Spam / cgredret.ru
More NACHA spam, this time pointing to cgredret.ru (which we've seen before), which delivers a malicious payload.
cgredret.ru has moved since yesterday and is now on 79.137.237.68. Unsurprisingly, it is now on Digital Network JSC in Russia (aka DINETHOSTING). Block access to 79.137.224.0/20 if you can.
Date: Thu, 22 Dec 2011 03:37:35 +0530
From: "NACHA"
Subject: ACH Transfer rejected
ACH transaction, initiated from your checking account, was canceled.
Canceled transaction:
Transfer ID: B2793447923US
Transfer Report: View
GALINA Gunter
NACHA - The Electronic Payment Association
Wednesday, 21 December 2011
"Hello! Look, I've received an unfamiliar bill.." / cgredret.ru
The spam tsunami continues; this one is a reworking of one seen last month, but with a new payload site.
The malicious payload is on cgredret.ru which I catalogued yesterday (although it didn't have an IP address then). The IP is now 206.72.207.156 (Interserver Inc, USA) along with some other malicious sites. Block the IP rather than the domain if you can.
Date: Wed, 21 Dec 2011 06:43:07 +0700
From: "MERLYN Spicer" [sales1@victimdomain.com]
To:
Subject: Need your help!
Hello! Look, I've received an unfamiliar bill, have you ordered anything?
Here is the bill
Please reply as soon as possible, because the amount is large and they demand the payment urgently.
Looking forward to your answer
Fingerprint: 2ccc03a5-e19549f7
*redirect.ru sites to block
These are another part of the "redret" series of malware sites being promoted by spam, and are worth blocking proactively.
109.70.26.36 (Parked)
iredirect.ru
89.208.34.116 (Digital Network JSC aka DINETHOSTING Russia, block 89.208.32.0/19)
aredirect.ru
91.220.35.38 (Zamanhost Ukraine, block 91.220.35.0/24)
bredirect.ru
credirect.ru
dredirect.ru
eredirect.ru
No IP allocated
fredirect.ru
gredirect.ru
hredirect.ru
jredirect.ru
kredirect.ru
lredirect.ru
mredirect.ru
nredirect.ru
oredirect.ru
predirect.ru
qredirect.ru
rredirect.ru
sredirect.ru
tredirect.ru
uredirect.ru
vredirect.ru
wredirect.ru
xredirect.ru
yredirect.ru
zredirect.ru
Labels: BBB, DINETHOSTING, Redret, Russia, Ukraine
BBB Spam / curvechirp.com
Yet more BBB spam, this time with a different malicious domain, curvechirp.com, hosted on 184.171.248.47 at TMZHosting LLC, Florida. This range is suballocated from Hostdime and was seen a few days ago with another attack, so blocking all access to 184.171.248.32/27 is probably prudent.
The payload page is at curvechirp.com/main.php?page=111d937ec38dd17e; at the moment the page is not responding (possibly due to being overloaded, as it looks like a cheap VPS).
Here are some samples:
========
Date: Wed, 21 Dec 2011 13:37:00 +0100
From: "Better Business Bureau" [manager@bbb.org]
Subject: BBB complaint processing
Attachments: betterbb_logo.jpg
Attention: Owner/Manager
Here with the Better Business Bureau informs you that we have been filed a complaint (ID 54838460) from one of your customers with respect to their dealership with you.
Please open the COMPLAINT REPORT below to view the details on this question and suggest us about your opinion as soon as possible.
We are looking forward to your prompt reply.
Regards,
Gerard Johnson
Dispute Counselor
Better Business Bureau
Council of Better Business Bureaus
4200 Wilson Blvd, Suite 800
Arlington, VA 22203-1838
Phone: 1 (703) 276.0100
Fax: 1 (703) 525.8277
========
Date: Wed, 21 Dec 2011 14:41:50 +0200
From: "Better Business Bureau" [info@bbb.org]
Subject: Urgent notice from BBB
Attachments: betterbb_logo.jpg
Attn: Owner/Manager
Here with the Better Business Bureau informs you that we have been sent a complaint (ID 67732970) from a customer of yours with respect to their dealership with you.
Please open the COMPLAINT REPORT below to view the details on this case and inform us about your point of view as soon as possible.
We hope to hear from you shortly.
Sincerely,
Theresa Morris
Dispute Counselor
Better Business Bureau
Council of Better Business Bureaus
4200 Wilson Blvd, Suite 800
Arlington, VA 22203-1838
Phone: 1 (703) 276.0100
Fax: 1 (703) 525.8277
BBB Spam / curcandle.net
Yet more BBB themed malware spam this morning, bouncing through a couple of hacked servers to a malicious payload on curcandle.net (174.136.1.223, Colo4Dallas). Blocking access to the IP will also block any other evil domains on the same server.
The payload is on curcandle.net/main.php?page=111d937ec38dd17e, although right at the moment it is returning a 404. However, the spam run is just 30 minutes old, so perhaps it is still under construction.
Some samples:
Date: Wed, 21 Dec 2011 09:55:02 +0100
From: "Better Business Bureau" [manager@bbb.org]
Subject: BBB information regarding your customers complaint
Attachments: betterbb_logo.jpg
Good afternoon,
Here with the Better Business Bureau informs you that we have been sent a complaint (ID 54715375) from one of your customers with respect to their dealership with you.
Please open the COMPLAINT REPORT below to obtain the details on this matter and inform us about your opinion as soon as possible.
We are looking forward to your prompt reply.
Sincerely,
Rebecca Wilcox
Dispute Counselor
Better Business Bureau
Council of Better Business Bureaus
4200 Wilson Blvd, Suite 800
Arlington, VA 22203-1838
Phone: 1 (703) 276.0100
Fax: 1 (703) 525.8277
============
Date: Wed, 21 Dec 2011 09:54:50 +0100
From: "BBB" [alerts@bbb.org]
Subject: Your customer complained to BBB
Attachments: betterbb_logo.jpg
Attn: Owner/Manager
Here with the Better Business Bureau notifies you that we have been sent a complaint (ID 44513446) from one of your customers with respect to their dealership with you.
Please open the COMPLAINT REPORT below to obtain more information on this question and inform us about your opinion as soon as possible.
We are looking forward to hearing from you.
Regards,
Theresa Morris
Dispute Counselor
Better Business Bureau
Council of Better Business Bureaus
4200 Wilson Blvd, Suite 800
Arlington, VA 22203-1838
Phone: 1 (703) 276.0100
Fax: 1 (703) 525.8277
============
Date: Wed, 21 Dec 2011 08:54:38 +0000
From: "BBB" [service@bbb.org]
Subject: Better Business Bureau complaint
Attachments: betterbb_logo.jpg
Attention: Owner/Manager
Here with the Better Business Bureau would like to notify you that we have received a complaint (ID 10822005) from one of your customers related to their dealership with you.
Please open the COMPLAINT REPORT below to obtain more information on this question and inform us about your position as soon as possible.
We are looking forward to your prompt reply.
Kind regards,
Theresa Morris
Dispute Counselor
Better Business Bureau
Council of Better Business Bureaus
4200 Wilson Blvd, Suite 800
Arlington, VA 22203-1838
Phone: 1 (703) 276.0100
Fax: 1 (703) 525.8277
============
Date: Wed, 21 Dec 2011 09:33:03 +0000
From: "BBB" [manager@bbb.org]
Subject: BBB complaint report
Attachments: betterbb_logo.jpg
Attn: Owner/Manager
Here with the Better Business Bureau notifies you that we have been sent a complaint (ID 10942308) from one of your customers in regard to their dealership with you.
Please open the COMPLAINT REPORT below to obtain more information on this question and let us know of your position as soon as possible.
We hope to hear from you very soon.
Faithfully,
Arnold Melendez
Dispute Counselor
Better Business Bureau
Council of Better Business Bureaus
4200 Wilson Blvd, Suite 800
Arlington, VA 22203-1838
Phone: 1 (703) 276.0100
Fax: 1 (703) 525.8277
a*redret.ru domains to block
More malware domains to block, being promoted through malicious spam emails:
89.208.34.116 (Digital Network JSC Russia aka DINETHOSTING. Block 89.208.32.0/19 as it is all toxic)
ajredret.ru
akredret.ru
alredret.ru
amredret.ru
apredret.ru
arredret.ru
asredret.ru
91.220.35.38 (Zamanhost, Ukraine. Block 91.220.35.0/24)
aaredret.ru
abredret.ru
acredret.ru
adredret.ru
95.163.89.193 (Digital Network JSC Russia. Block 95.163.0.0/16 or 95.163.64.0/19)
aeredret.ru
afredret.ru
agredret.ru
ahredret.ru
airedret.ru
No IP allocated
anredret.ru
aoredret.ru
aqredret.ru
atredret.ru
auredret.ru
avredret.ru
awredret.ru
axredret.ru
ayredret.ru
azredret.ru
Labels: DINETHOSTING, Malware, Russia, Ukraine, Viruses
b*redret.ru domains to block (updated)
Another set of "Redret" domains: the b*redret.ru series is used in malware distribution. It has some new IP addresses since the last time.
89.208.34.116 (Digital Network JSC Russia aka DINETHOSTING. Block 89.208.32.0/19 as it is all toxic)
baredret.ru
biredret.ru
bvredret.ru
91.228.133.120 (Inter-Treyd LLC, Russia. Recommend blocking 91.228.133.0/24)
blredret.ru
bsredret.ru
94.199.51.108 (23VNet Hungary)
bkredret.ru
bpredret.ru
bxredret.ru
byredret.ru
95.163.89.193 (Digital Network JSC Russia. Block 95.163.0.0/16 or 95.163.64.0/19)
bbredret.ru
bcredret.ru
bdredret.ru
beredret.ru
bfredret.ru
bgredret.ru
bhredret.ru
95.163.89.200 (Digital Network JSC Russia)
bwredret.ru
bzredret.ru
No IP at present
bjredret.ru
bmredret.ru
bnredret.ru
bqredret.ru
brredret.ru
btredret.ru
buredret.ru
Labels: Bulgaria, DINETHOSTING, Redret, Russia
Tuesday, 20 December 2011
c*redret.ru sites to block (updated)
These "Redret" domains serve up malware and are promoted by spam. Some of them have moved around since last week, so consider this an updated list.
46.249.37.109 [Serverius Holding B.V, Netherlands]
cpredret.ru
79.137.237.63 [Digital Network JSC, Russia aka DINETHOSTING. Recommend blocking 79.137.224.0/20]
crredret.ru
ctredret.ru
czredret.ru
79.137.237.67 [Digital Network JSC, Russia]
ciredret.ru
coredret.ru
79.137.237.68 [Digital Network JSC, Russia]
caredret.ru
csredret.ru
91.195.11.42 [UkrStar ISP, Ukraine. Recommend blocking 91.195.10.0/23]
206.72.207.156 [Interserver Inc, United States]
cdredret.ru
cfredret.ru
Not hosted at present
cbredret.ru
ccredret.ru
ceredret.ru
cgredret.ru
chredret.ru
cjredret.ru
ckredret.ru
clredret.ru
cmredret.ru
cnredret.ru
cqredret.ru
cvredret.ru
cwredret.ru
cxredret.ru
cyredret.ru
Labels: DINETHOSTING, Redret, Russia, Serverius, Ukraine, UkrStar ISP
BBB Spam / financestuff.serveblog.net
Here's another BBB spam leading to malware:
The malware payload is on financestuff.serveblog.net/main.php?page=69dbd5a1e3ed6ae9 on 207.210.65.12 (Global Net Access LLC). Block the IP address if you can.
Date: Tue, 20 Dec 2011 11:45:50 +0100
From: "BBB" [support@bbb.org]
Subject: BBB complaint processing
Attachments: betterbb_logo.jpg
Attention: Owner/Manager
Here with the Better Business Bureau would like to notify you that we have received a complaint (ID 24673594) from your customer with respect to their dealership with you.
Please open the COMPLAINT REPORT below to find the details on this issue and let us know of your point of view as soon as possible.
We are looking forward to hearing from you.
Faithfully,
Katherine Schulte
Dispute Counselor
Better Business Bureau
Council of Better Business Bureaus
4200 Wilson Blvd, Suite 800
Arlington, VA 22203-1838
Phone: 1 (703) 276.0100
Fax: 1 (703) 525.8277
"Scan from a Xerox WorkCentre Pro" / cfredret.ru
This is a fairly common malware spam, pointing to malicious code on cfredret.ru/main.php.
cfredret.ru is hosted on 78.47.193.36, exactly the same IP address as this BBB themed malware spam. Blocking access to 78.47.198.32/29 is a fabulous idea if you can.
Date: Tue, 20 Dec 2011 05:42:20 +0300
From: victimname@gmail.com
Subject: Re: Fwd: Re: Scan from a Xerox WorkCentre Pro #2966272
A Document was sent to you using a Xerox WKC1296130.
Sent by: SHIRLEY
Images : 5
Image (.JPEG) Download
Device: UM85256LL6P68270479
bfe116b5-7dcccccc
BBB Spam / blumtam.com
More BBB spam, this time attempting to deliver users to a malicious payload on blumtam.com. A couple of samples:
Payload is on blumtam.com/main.php?page=69dbd5a1e3ed6ae9 hosted on 78.47.198.36, a Hetzner AG address suballocated to an outfit called QHoster Ltd in Bulgaria. Blocking access to 78.47.198.32/29 would probably be prudent.
Date: Tue, 20 Dec 2011 00:34:38 -0800
From: "BBB" [alerts@bbb.org]
Subject: Re: your customer's complaint ID 82235322
Attachments: betterbb_logo.jpg
Attention: Owner/Manager
Here with the Better Business Bureau would like to inform you that we have been sent a complaint (ID 82235322) from a customer of yours in regard to their dealership with you.
Please open the COMPLAINT REPORT below to obtain the details on this case and let us know of your position as soon as possible.
We hope to hear from you shortly.
Kind regards,
Fernando Grodhaus
Dispute Counselor
Better Business Bureau
Council of Better Business Bureaus
4200 Wilson Blvd, Suite 800
Arlington, VA 22203-1838
Phone: 1 (703) 276.0100
Fax: 1 (703) 525.8277
Date: Tue, 20 Dec 2011 11:09:23 +0200
From: "BBB" [alerts@bbb.org]
Subject: BBB case ID 59988329
Attachments: betterbb_logo.jpg
Hello,
Here with the Better Business Bureau would like to notify you that we have been filed a complaint (ID 59988329) from a customer of yours related to their dealership with you.
Please open the COMPLAINT REPORT below to view more information on this matter and let us know of your opinion as soon as possible.
We are looking forward to hearing from you.
Faithfully,
Theresa Morris
Dispute Counselor
Better Business Bureau
Council of Better Business Bureaus
4200 Wilson Blvd, Suite 800
Arlington, VA 22203-1838
Phone: 1 (703) 276.0100
Fax: 1 (703) 525.8277
Monday, 19 December 2011
DHL malware spam / secure.dhldispatches.com
This DHL themed spam leads to malware:
secure.dhldispatches.com (hosted on 116.240.194.69, Primus Australia) looks like a DHL page, but it carries a malicious payload which loads from 118.88.25.36 (Dedicated Servers Australia). Blocking access to both those IPs may be prudent. The Wepawet report for this one is here.
From: DHL Express
Sent: 19 December 2011 10:03
Subject: DHL Express Dispatch Confirmation
Order number: 9672834463
Your order has now been dispatched and your DHL Express air waybill number is 9672834463.
To follow the progress of your shipment and print invoice for your records, please go to :
http://secure.dhldispatches.com/tracking/
IMPORTANT INFORMATION:
DHL Express will deliver your order between 9am-5pm GMT, Monday to Friday. If you are unavailable, DHL Express will leave a card so you can contact them to reschedule.
All orders must be signed for upon delivery.
Please note, we are unable to change the shipping address on your order now it has been dispatched. Your purchase should arrive in perfect condition. If you are unhappy with the quality, please let us know immediately.
Yours sincerely,
Customer Care
www.dhl.com
For assistance email customercare@dhl.com or call 0800 099 27671 from the UK, +44 (0)20 2781 62512 from the rest of the world, 24 hours a day, seven days a week
CONFIDENTIALITY NOTICE
The information in this email is confidential and is intended solely for the addressee. Access to this email by anyone else is unauthorised. If you are not the intended recipient, you must not read, use or disseminate the information. Any views expressed in this message are those of the individual sender, except where the sender specifically states them to be the views of DHL Express Deliveries.
FDIC spam / splatstack.net
More FDIC spam leading to malware, this time at splatstack.net.
The link goes via a couple of hacked sites to a malicious payload splatstack.net/main.php?page=abfd0d069b45c17e hosted on 173.255.253.115 (Linode). Blocking access to that IP address will probably be prudent.
Date: Mon, 19 Dec 2011 05:32:49 -0600
From: "Greta Bullock"
Subject: Blockage of your transactions
Attn: Financial Department
By this message we would like to inform you about the latest amendments in the Federal Deposit Insurance Corporation coverage rules. During the period from December 31, 2010 to December 31, 2012 all funds in a "noninterest-bearing transaction account" are provided with a full insurance coverage by the Federal Deposit Insurance Corporation. Please note, that this arrangement is temporary and separate from the Federal Deposit Insurance Corporation's basic insurance rules.
The term "noninterest-bearing transaction account" implies a usual checking account or demand deposit account on which the insured depository institution pays no interest. For more information about this temporary FDIC unlimited coverage, please refer to: http://iimtstudies.com/e3f4e0/index.html
Yours faithfully,
Greta Bullock
Federal Deposit Insurance Corporation
Scam: "CareerQuick Staffing" / careermanagement.com.ua
This is another take on the RockSmith Management scam, linked to these dodgy work-at-home sites, apparently with an Australian connection.
careermanagement.com.ua is a Ukrainian domain. It is hosted on 85.121.39.3, which is a known black-hat host in Romania (Monyson Grup S.A), although as we said before this appears to be an Australian crew running the scam. The layout of the site echoes careerquickstaffing.com, a site that has already been suspended for spamming.
Date: Mon, 26 Sep 2011 05:48:19 +0530
From: "Terence Mooney" [terence.mooney@voicecom.co.za]
Subject: Reminder: Employment Opportunity Followup
Hello
Thank you for submitting your information for potential employment opportunities.
We look forward to reviewing your application, but can not do so until you complete our
internal application.
The pay range for available positions range from $35.77 per hour to $57.62 per hour.
Prior to begin able to be considered, you will first need you to formally apply.
Please go here to begin the process:
http://careermanagement.com.ua/
Also, the following perks are potentially available:
- Paid Time Off
- Health Benefits Package
- Higher than average salaries
- Tuition Reimbursement
- Extensive 401(k)program
Please take the time to follow the directions and complete the entire
application process.
Best Regards,
Rock Smith Management
Labels: Australia, Job Offer Scams, Romania, Spam