Sponsored by..

Monday, 23 January 2012

Tylers Coffees (tylerscoffees.com) tastes of spam

Here's an annoying spam I have been getting lately:

From:      "Coffee News" [news.coffee@yahoo.com]
Subject:      Check out this coffee

       
Acid Free Coffee
A little cup of java can mean a big problem for stomachs. Acid levels in coffee, as well as impurities and resins, may wreak havoc on the digestive tract. Our customers with sensitive stomachs are relieved to learn that they can still continue enjoying a great cup of coffee whenever they want.

Benefits of an acid free coffee are tooth enamel is protected and teeth are stronger leading to fewer cavities.
    for $5
      
Where it Comes From


The Finest hand-picked Arabica beans are shipped from South America to our roasting factory in Arizona.We use Swiss Water Based Process to decaffeinate our Arabica coffee beans
Read more
How We Make It
       
We use a “Z-Roasting” process that optimizes the time the coffee beans are cooked; the result is high levels of caffeine and free of acid. Benefits of an acid free coffee are tooth enamel is protected and teeth are stronger leading to fewer cavities.
Read more
Regular vs. Decaf
       
Regular: Rockets you forward with level of caffeine that exceeds most other coffee brands.

Decaf: Same great taste as the regular coffee minus the rocket energy, so that you can finally take that sleep you deserve.

Either way - you will LOVE IT !!

Read more

If you want us to take you off our mailing list, please click on the link below
Not interested anymore? Unsubscribe here.

I've seen this several times, to begin with they were trying to use tinyurl.com to mask their URL, but they're pretty good at terminating spammers.

Subsequent runs use the domain justcoffee-noacid.com in the emails. Although the domain has anonymous WHOIS details, it's notable that the spammer is using Piradius Net, a black hat web host from Malaysia as a host. We've seen these guys before.

justcoffee-noacid.com has a miminal amount of content, and depending on which link you click through, you either get redirected to tylerscoffees.com or you get a spammy page tempting you to click through.

In all cases the spam comes through 118.123.6.123  in China.

tylerscoffees.com is a website belonging to Tylers Coffee, a firm in Arizona.

The domain is registered to:

      ornsteins, ian  ian@innovativeformulations.com
      1810 s 6th ave
      tucson, Arizona 85713
      United States
      (520) 628-1553      Fax -- (520) 628-1580

The company seems to be legitimate (although personally I have doubts about their claims over "acidic coffee"), but it looks like someone has decided to try some web site promotion without fully checking what was being done. Spamming out from China via a black hat host in Malaysia is one very easy way to damage your brand..

Friday, 20 January 2012

0catch.com and malicious BBB spam

We're currently seeing a spate of malicious BBB spam (like this) being routed through free web hosting sites operated by 0catch.com.

A simple way of blocking this attack is to block the 0catch.com domains. I've never found anything really valuable hosted by this firm, so you probably won't be missing much.

These are all the domains that I can find, if you know of any others then please consider sharing them in the comments:

00freehost.com
00freeweb.com
012webpages.com
0catch.com
0-catch.com
100freemb.com
100megsfree5.com
150m.com
1freewebspace.com
1sweethost.com
741.com
angelcities.com
arcadepages.com
bigheadhosting.net
builtfree.org
designcarthosting.com
digitalzones.com
dreamstation.com
easyfreehosting.com
envy.nu
exactpages.com
ez-sites.ws
fcpages.com
freecities.com
freehostyou.com
freesite.org
freewaywebhost.com
freewebpages.org
freewebportal.com
freewebsitehosting.com
fw.bz
greatnow.com
instantwebgenius.com
just-allen.com
justicewasgreen.com
maddsites.com
megz-bytes.com
mindnmagick.com
o-f.com
parknhost.com
reco.ws
servetown.com
usafreespace.com
virtue.nu
website-home.ws
wtcsites.com

Thursday, 19 January 2012

Wire transfer malicious spam / monikabestolucci.ru:8801 and 78.159.118.226

More malicious spam doing the rounds, but this time it's more complicated than before.

From: accounting@victimdomain.com [mailto:accounting@victimdomain.com]
Sent: 18 January 2012 02:14
Subject: Re: Wire Transfer Confirmation (FED_93711S15719)

Dear Bank Account Operator,
WIRE TRANSACTION: FWD-7563133392175652
CURRENT STATUS: PENDING

Please Review your transaction as soon as possible.

The link goes to a legitimate hacked site containing some heavily obfuscated javascript, in turn this points to monikabestolucci.ru:8801 and then downloads further code from 78.159.118.226/forum/hp.php?i=8 (Netdirect, Germany) - the Wepawet report is here, there also an Anubis report on the binary here.

monikabestolucci.ru is massively multihomed (a raw list is at the end of the post) presumably on legitimate hacked servers.

24.37.34.163 (Videotron, Canada)
46.105.28.61 (OVH Systems, Italy)
50.57.77.119 (Slicehost, Texas)
50.57.118.247 (Slicehost, Texas)
74.207.248.120 (Linode, New Jersey)
74.208.205.185 (1&1, US)
78.47.122.11 (Hetzner, Germany)
80.90.199.196 (Webfusion, UK)
81.31.43.43 (Master Internet, Czech Republic)
82.165.197.58 (1&1, Germany)
83.170.91.152 (UK2.NET, UK)
84.246.210.87 (Infortelecom, Spain)
88.191.97.108 (Dedibox SAS, France)
97.74.87.3 (GoDaddy, Arizona)
124.11.65.210 (TFN, Taiwan)
125.214.74.8 (Web24, Australia)
129.67.100.11 (Oxford University, UK)
173.201.187.225 (GoDaddy, Arizona)
173.230.137.129 (Linode, Florida)
173.255.229.33 (Linode, New Jersey)
174.122.121.154 (ThePlanet, Texas)
209.59.222.145 (Endurance International, Massachusetts)
211.44.250.173 (SK Broadband, Korea)

Blocking these IPs might be a pain, but it would block any other malicious sites on the same servers.

Raw list:
24.37.34.163
46.105.28.61
50.57.77.119
50.57.118.247
74.207.248.120
74.208.205.185
78.47.122.11
80.90.199.196
81.31.43.43
82.165.197.58
83.170.91.152
84.246.210.87
88.191.97.108
97.74.87.3
124.11.65.210
125.214.74.8
129.67.100.11
173.201.187.225
173.230.137.129
173.255.229.33
174.122.121.154
209.59.222.145
211.44.250.173

BBB Spam / freecities.com and 78.129.132.82

A couple of BBB spams, both leading to malware on different domains on the same IP of 78.129.132.82 (Rapidswitch / Iomart Hosting, UK).

Example 1:

Date:      Thu, 18 Jan 2012 10:24:33 +0000
From:      "Better Business Bureau"
Subject:      Urgent information from BBB
Attachments:     betterbb_logo.jpg

Attn: Owner/Manager

Here with the Better Business Bureau notifies you that we have received a complaint (ID 38423165) from one of your customers with respect to their dealership with you.

Please open the COMPLAINT REPORT below to obtain more information on this matter and let us know of your point of view as soon as possible.

We are looking forward to your prompt reply.

Regards,

Theresa Morris

Dispute Counselor
Better Business Bureau


Council of Better Business Bureaus
4200 Wilson Blvd, Suite 800
Arlington, VA 22203-1838
Phone: 1 (703) 276.0100
Fax: 1 (703) 525.8277

Example 2:

Date:      Thu, 18 Jan 2012 11:27:55 +0100
From:      "Better Business Bureau"
Subject:      BBB complaint report
Attachments:     betterbb_logo.jpg

Hello,

Here with the Better Business Bureau would like to notify you that we have received a complaint (ID 52266668) from a customer of yours related to their dealership with you.

Please open the COMPLAINT REPORT below to find more information on this issue and let us know of your point of view as soon as possible.

We hope to hear from you very soon.

Sincerely,

Arnold Melendez

Dispute Counselor
Better Business Bureau


Council of Better Business Bureaus
4200 Wilson Blvd, Suite 800
Arlington, VA 22203-1838
Phone: 1 (703) 276.0100
Fax: 1 (703) 525.8277

In these two examples, the malicious payload is on wihdshop.net/main.php?page=c61c8ae4358e765e and ionsclinics.net/main.php?page=4875f07aa6fe472a (Wepawet report is here) , reached through a page on a freecities.com web site (apparently part of 0catch.com). You could consider blocking access to the entire freecities.com domain, but you should certainly block 78.129.132.82 if you can.

These other domains are hosted on 78.129.132.82 and are probably malicious:

0riginalcheck.net
ambasadorka.com
centerjobdepart.com
comparmory.org
digitalarmory.net
gitadocs.com
gitafiles.com
ionsclinics.net
lifesdigi.org
marketjob.net
nextddefence.com
originalsyst.org
ourdefence.net
stafffire.net
stub-search.net
systemdwall.com
theyardesale.com
wihdshop.net
yourdefse.com


Update:  angelcities.com is also being used as an intermediate infection step, also part of 0catch.com. It looks like the intermediate sites might be freshly created, there is no indication that 0catch.com sites have been breached.

Wednesday, 18 January 2012

Something evil on 95.211.115.228 and 46.249.37.22.

A set of malicious sites, linked to the Redret gang, hosted on 95.211.115.228 (Leaseweb, Netherlands). Blocking the IP rather than the individual domains will also protect against other malicious sites on the same server.

child-re-ninth-ebusiness.com
childregardingninthebusiness.com
childreninthebusiness.com
childsubjectninthcompany.com
childsubjectninthebiz.com
childsubjectninthebusiness.com
custom-t-shirtsfromhansen.com
extentthahansen.com
freeholidaynew.com
hirtsfromhansen.com
holidaygreat.com
holidaynewsite.com
myholidaynew.com
range-the-hansen.com


Another server in this same network is 46.249.37.22 (Serverius Holding, Netherlands)

1o345.info
1op45.info
2012-my-happy.com
2012myownhappy.com
543oh.info
54mo1.info
54po1.info
akvitea.com
alurbrilance.com
arowipes.com
avangeit.com
bitcast.in
bitcube.in
bitechnica.in
bitfire.in
bitware.in
bitwire.in
businessnfamily.com
companynfamily.com
companynpeople.com
customtshirtsfromhansen.com
domtrixsov.com
drinki.in
familycommercial.com
freeautomag.info
funnytshirtsfromhansen.com
glad-year.com
globaltracking02234.info
great-happy.com
happy-period.com
happy-term.com
happychock.biz
happytwelvemonths.com
ho345.info
iflos.com
ivairiu.com
joyful-year.com
jsijdewhg.com
kalalog-testov.com
latest-happy.com
makdacs00.com
makiajdleavseh.com
merry-year.com
modern-happy.com
muravied222.com
odnonoshnicy.com
plsk3mme.com
q234.info
s00n.in
safe-t-shirtsfromhansen.com
safetshirtsfromhansen.com
serdjuchka.biz
stop-prysham.com
timetracking02234.info
uskoriteliinterneta.biz
xxxtubedirty.com


The third server in the group is 203.170.193.102, which has already been identified here.

doofyonmycolg.ru / coolwebzuzuzu.ru now on 203.170.193.102

The malicious domains doofyonmycolg.ru and coolwebzuzuzu.ru have now shifted IPs since yesterday. The new address is 203.170.193.102 (IDC Cyberworld, Thailand). This server also hosts two "Redret" domains, also as identified yesterday, so these malicious emails are presumably from the same crew.

The following domains appear to be hosted on 203.170.193.102, all of which appear to be malicious in some way:

1god.in
aerostrips.com
arrayhansen.com
available78.de.ms
backozifice.net
betbits.com
boeingmiles.com
ccredret.ru
chronvofu.dlinkddns.com
ckredret.ru
collection-hansen.com
companyandfamily.com
ease.breastedchestedboobiestits.com
familyownedcompany.com
family-ownedcompany.com
filkso.in
freemmsservice.com
freetracking02234.info
greatglad.com
krasivayfigura.com
latestglad.com
libraryhansen.com
lkskjje43d.com
mc-3.in
metropannolike.in
mobiletracking02234.info
myskyinfo.in
oeit.in
olanuc.dlinkddns.com
onlinetelephonika.info
orfasde.dlinkddns.com
p38-adsrv.nl.ai
p66-adservices.nl.ai
pedastera.cu.cc
portfoliohansen.com
rifalogs.com
saldo7.us
schenledi.dlinkddns.com
seifancold.dlinkddns.com
sgsk43tgsdlflfbcbg.uni.me
skyinfo.in
tanildirtystories.com
tshirtsfromhansen.com
usaloaosns.com
zadpol.cu.cc
zareqah.cu.cc
zverovod.in

Scam sites to block on 209.25.137.196

Here's a site of very professional looking scam sites, incuding fake investment firms and escrow companies. Most of these have been registered over the past few weeks with anonymous details.

atlasconsultancyltd.com
bfsauthority.org
bltradinggrp.com
chicagobgllc.com
crawfordcapitalpartners.com
fidelitycorporategroup.com
grenfellassociates.com
johnsonsterlingconsultancy.com
knowltonadvisors.com
mediatransfersltd.com
millerconsultancyservices.com
morganpremiergrp.com
notanordinarysite.com
peregrineintlgroup.com
scmrcom.org
sftcommission.org
tatecarverconsultancy.com
toddwhitefinancial.com
warrenfisherassociates.com
wellsconsultancy.com
winchesterconsultancygrp.com


also hosted on the same server:
mentemptation.com
webhostingbreaker.com

Some of the trading names used by these scammers (some may be similar to legitimate companies):
  • Atlas Consultancy
  • Brussels Financial Supervisory Authority
  • BL Trading Group
  • Chicago Business Group LLC
  • Crawford Capital Partners
  • Fidelity Corporate Group
  • Grenfell and Blackrock Associates
  • Johnson Sterling Consultancy
  • Knowlton Group
  • Media Transfers Limited
  • Miller Counsulting Group
  • Morgan Premier Group
  • Peregrine International Group
  • Swiss Commodity Market Regulatory Commission
  • Swiss Financial Trading Commission
  • Tate and Carver Consultancy Group
  • Todd and White Financial Marketing Services
  • Warren Fisher and Associates
  • Wells Capital Management
  • Winchester Consultancy Group
Do not be fooled by how good the sites look.. they are very, very convincing. Here is are some examples:



The sites are all hosted on 209.25.137.196 which looks like a rented server from LiquidNet, Florida. Also hosted on the same server is webhostingbreaker.com (possibly based in the Philippines) which might be the black hat reseller involved.

Part of this network was fingered a few weeks ago here, and it still appears to be active. Avoid at all costs.

How to access Wikipedia during the blackout

Wikipedia is blacked out because of a protest about SOPA. But what happens if you really, really need Wikipedia?

The good news is that you can still access it on your smartphone, or by accessing the mobile site directly. You can also temporarily by disabling Javascript in your browser when visiting the site (specifically blocking scripts from bits.wikimedia.org). Using Firefox + NoScript is an easy way to do this.

The Wikimedia foundation have a technical description of how the blackout is implemented here.

Added: the stylesheet itself appears to be at http://bits.wikimedia.org/en.wikipedia.org/load.php?debug=false&lang=en&modules=site&only=styles&skin=vector&*  so blocking that temporarily might help.

If you are managing a large number of users who need access, you can block access to bits.wikimedia.org/en.wikipedia.org/ which will allow access to content but screws up the layout.

Tuesday, 17 January 2012

Scan from a Xerox W. Pro spam / coolwebzuzuzu.ru

Another malicious spam, this time leading to an exploit page on coolwebzuzuzu.ru/main.php.

Date:      Tue, 16 Jan 2012 02:50:00 +0000
From:      officejet@victimdomain.com
Subject:      Fwd: Fwd: Scan from a Xerox W. Pro #9522304

A Document was sent to you using a XEROX OFFICE N220337423.

SENT BY: LAURA
IMAGES : 6
FORMAT (.JPG) DOWNLOAD

DEVICE: PD55695SK7AO559107L

coolwebzuzuzu.ru is hosted on 66.225.237.222, HostForWeb in Chicago. There is another malware site on an adjacent IP. You might want to block both IPs or even the whole /24 to be on the safe side.

UPS Spam / doofyonmycolg.ru

This UPS (or is it USPS?) spam is attempting to direct visitors to a malicious web page at doofyonmycolg.ru/main.php. This looks like a variant of the Redret campaign we have seen recently.

Date:      Tue, 16 Jan 2012 02:16:45 -0300
From:      "UPS TEAM 121" [support.350@ups.com]
Subject:      UPS Tracking Number H4825887305

Your USPS .US for big savings!     Can't see images? CLICK HERE.   
UPS UPS TEAM 477   
UPS - UPS MANAGER 559 >>
  
Not Ready to Open an Account?   
      
    The UPS Store® can help with full service packing and shipping.  
    Learn More >>  
  
UPS - Your UPS Customer Services

DEAR, victim@victimdomain.com.

DEAR CLIENT , Delivery Confirmation: Failed

Track your Shipment now!

With best regards , Your UPS Services.
  
                      
Shipping         Tracking         Calculate Time & Cost         Open an Account
                      
@ 2011 United Parcel Service of America, Inc. USPS CUSTOMER SERVICES, the UPS brandmark, and the color brown are

trademarks of United Parcel Service of America, Inc. All rights reserved.


This is a marketing e-mail for UPS services. Click here to update your e-mail preferences or to unsubscribe to

Your USPS .US marketing e-mail. For information on UPS's privacy practices, please refer to UPS Privacy Policy.

Your USPS .US, 1 Glenlake Parkway, NE - Atlanta, GA 30331

Attn: Customer Communications Department 

doofyonmycolg.ru is hosted on 66.225.237.223. There is another malicious site on 66.225.237.222, there may be others. This IP is allocated to HostForWeb Inc, Chicago. Blocking the IP rather than the domain may help protect against other malicious sites on the same server.

Redret domains to block 17/1/12

The Redret domains have shifted around a little since last week, indicating perhaps more malicious activity to come.

Of note, cvredret.ru and cxredret.ru are both multihomed on several IP addresses (both domains are on the same set of addresses). Those domains can be found on 91.208.181.205, 93.189.88.198, 213.193.231.210, 78.47.135.105, 78.129.233.8, 85.214.204.32, and 87.106.201.119.

Changes since last time are highlighted.

46.249.37.109 (Serverius Holdings, Netherlands)
cpredret.ru

67.215.3.153 (GloboTech Communications, California)
ckredret.ru
clredret.ru

78.47.135.105 (Hetzner Online, Germany)
cvredret.ru
cxredret.ru

78.129.233.8 (Rapidswitch, UK)
cvredret.ru
cxredret.ru

79.137.237.63 (Digital Network JSC aka DINETHOSTING, Russia. Block 79.137.224.0/20)
crredret.ru
ctredret.ru
czredret.ru

79.137.237.67 (Digital Network JSC aka DINETHOSTING, Russia. Block 79.137.224.0/20)
ciredret.ru
coredret.ru

79.137.237.68 (Digital Network JSC aka DINETHOSTING, Russia. Block 79.137.224.0/20)
caredret.ru
cdredret.ru
cfredret.ru
cgredret.ru
csredret.ru

85.214.204.32 (Strato AG, Germany)
cvredret.ru
cxredret.ru

87.106.201.119 (1&1, Spain)
cvredret.ru
cxredret.ru

89.208.34.116  (Digital Network JSC aka DINETHOSTING, Russia. Block 89.208.32.0/19)
aredirect.ru
ajredret.ru
akredret.ru
alredret.ru
amredret.ru
apredret.ru
arredret.ru
asredret.ru
baredret.ru
biredret.ru
bvredret.ru

91.208.181.205 (Oxalide, France)
cvredret.ru
cxredret.ru

91.220.35.38 (Zamanhost, Ukraine/Russia. Block 91.220.35.0/24)
bredirect.ru
credirect.ru
dredirect.ru
eredirect.ru
aaredret.ru
abredret.ru
acredret.ru
adredret.ru

91.222.137.170 (Delta-X Ltd, Ukraine. Consider blocking 91.222.136.0/22)
chredret.ru
cjredret.ru

93.189.88.198 (Silicontower, Spain)
cvredret.ru
cxredret.ru

94.199.51.108 (23VNet, Hungary)
bkredret.ru
bpredret.ru
bxredret.ru
byredret.ru

95.163.89.193 (Digital Network JSC aka DINETHOSTING, Russia. Block 95.163.64.0/19)
aeredret.ru
afredret.ru
agredret.ru
ahredret.ru
airedret.ru
bbredret.ru
bcredret.ru
bdredret.ru
beredret.ru
bfredret.ru
bgredret.ru
bhredret.ru

95.163.89.200 (Digital Network JSC aka DINETHOSTING, Russia)
bwredret.ru
bzredret.ru

109.70.26.36 (Parked at RU-SERVICE Ltd ISP)
iredirect.ru

203.170.193.102 (IDC Cyberworld, Thailand)
cbredret.ru
ccredret.ru

213.193.213.210 (Trueserver, Netherlands)
cvredret.ru
cxredret.ru

No IP at present
fredirect.ru
gredirect.ru
hredirect.ru
jredirect.ru
kredirect.ru
lredirect.ru
mredirect.ru
nredirect.ru
oredirect.ru
predirect.ru
qredirect.ru
rredirect.ru
sredirect.ru
tredirect.ru
uredirect.ru
vredirect.ru
wredirect.ru
xredirect.ru
yredirect.ru
zredirect.ru
anredret.ru
aoredret.ru
aqredret.ru
atredret.ru
auredret.ru
avredret.ru
awredret.ru
axredret.ru
ayredret.ru
azredret.ru
bjredret.ru
bmredret.ru
bnredret.ru
bqredret.ru
brredret.ru
btredret.ru
buredret.ru
ceredret.ru
cmredret.ru
cnredret.ru
cqredret.ru
cwredret.ru
cyredret.ru

Friday, 13 January 2012

"Your order for helicopter for the weekend" / ccredret.ru

Another Redret spam leading to a malicious payload..


Date:      Fri, 12 Jan 2012 04:53:25 +0100
From:      "Keila Farley" [HannaMarcelino@ameritrade.com]
Subject:      Your order for helicopter for the weekend

Your order for our air carriage services has been received and processed. The chopper will be at your disposal from 3.30 a.m. sunday to 16.00 wednesday. Once again, the rates are as follows:
1 hour in the air: 794$
Takeoff / Landing: 163$
1 hour idle time on the ground: 166$
Longest flight is 3 hours.
When flying for longer distances, a co-pilot is needed, and the cost accordingly grows by 114$ per hour.


Invoice.doc 581kb
With Best Regards
Keila Farley
The malicious payload is delivered via a legitimate hacked site which redirects to ccredret.ru/main.php, hosted on 67.215.3.153 (GloboTech, California). That same IP was seen recently with another Redret domain, and you should block access to it if you can.

fff

Thursday, 12 January 2012

"John Dillinger" / "Apple Store - Important information about your Apple ID"

This email was actually sent by Apple, apparently to a famous bank robber, John Dillinger.

Date: Thu, 12 Jan 2012 01:37:23 +0000 (GMT)
From: Apple [appleid@id.apple.com]
Subject: Apple Store - Important information about your Apple ID

    Apple Online Store   
Order Status     Account     Help    
   
   
Dear John Dillinger
Welcome to the Apple Online Store. We wanted to share some information with you about your Apple ID, which allows you to personalize your Apple Online Store experience and helps you access other Apple resources.
Your Apple ID is your current email address.  You can use the password you created when you set up your account online. If you forget or need to reset your password, go to My Apple ID.
By using your Apple ID on the Apple Online Store, you have access to your account information online.  You can save carts until you're ready to place an order, check the status of or change your order, track your shipments, view your order history, maintain your account information, check Apple Gift Card balances, and much more.
Additionally, your Apple ID gives you access to other Apple resources, including:
• Buying music, movies, TV shows, and more at the iTunes Store
• Buying or downloading applications for your iPod touch or iPhone using the App Store
• Ordering photos and photobooks through iPhoto
• Registering your Apple products
• Accessing support for your products from AppleCare
• Getting One to One personal training and other services at an Apple Retail Store
Sign in to Your Account, to take advantages of the benefits of your Apple ID on the Apple Online Store. To learn more about your Apple ID, visit the Your Account section of online Help.
We also want you to know that the security of your personal information is important to us.  For more information on how Apple protects your personal information, please refer to the Apple Customer Privacy Policy.
Thank you for choosing Apple,
The Apple Store Team
http://store.apple.com
1-800-MY-APPLE


Indeed, an Apple account has been created for this email address. But not by me. Upon inspection, the Apple account has no information in it apart from the "John Dillinger" name, and it's a simple matter to reset the password to thwart whatever it going on here.

The email is quite genuine, coming from an Apple IP (17.254.6.195) and with all the links pointing to Apple and not another site. And it seems that I am not alone in receiving this email.

If you have had the same email, please consider letting me know in the comments!

Tuesday, 10 January 2012

"Our chances to win an action are higher than ever" spam / clredret.ru

A weird spam, leading to a malicious download at clredret.ru/main.php via a random hacked site.
Date:      Tue, 9 Jan 2012 08:39:05 +0300
From:      victimname@gmail.com
Subject:      Re: Our chances to win an action are higher than ever.

We discussed it with the administration representatives, and if we confess our non-essential faults to improve their statistics, the key cause will be closed due to the lack of the government interest to the action We have prepared your declaratory text for the court. Please read it carefully and if anything in it dissatisfies you, inform us.

Speech.doc 489kb


With Respect To You
Jeramiah Cohen

As mentioned earlier, clredret.ru is on 46.249.37.22 (Serverius Holdings, Netherlands) and that IP is well worth blocking.

Redret domains to block 10/1/12

After a quite couple of weeks, the Redret spam has started again using the domains and IPs listed below. Some are familiar, some are new. In some cases blocking whole IP ranges is the best idea.

46.249.37.22 (Serverius Holdings, Netherlands)
clredret.ru

46.249.37.109 (Serverius Holdings, Netherlands)
cpredret.ru

67.215.3.153 (GloboTech Communications, California)
ckredret.ru

79.137.237.63 (Digital Network JSC aka DINETHOSTING, Russia. Block 79.137.224.0/20)
crredret.ru
ctredret.ru
czredret.ru

79.137.237.67 (Digital Network JSC aka DINETHOSTING, Russia. Block 79.137.224.0/20)
ciredret.ru
coredret.ru

79.137.237.68 (Digital Network JSC aka DINETHOSTING, Russia. Block 79.137.224.0/20)
caredret.ru
cdredret.ru
cfredret.ru
cgredret.ru
csredret.ru

89.208.34.116  (Digital Network JSC aka DINETHOSTING, Russia. Block 89.208.32.0/19)
ajredret.ru
akredret.ru
alredret.ru
amredret.ru
apredret.ru
aredirect.ru
arredret.ru
asredret.ru
baredret.ru
biredret.ru
bvredret.ru

91.220.35.38 (Zamanhost, Ukraine/Russia. Block 91.220.35.0/24)
aaredret.ru
abredret.ru
acredret.ru
adredret.ru
bredirect.ru
credirect.ru
dredirect.ru
eredirect.ru

91.222.137.170 (Delta-X Ltd, Ukraine. Consider blocking 91.222.136.0/22)
chredret.ru
cjredret.ru

94.199.51.108 (23VNet, Hungary)
bkredret.ru
bpredret.ru
bxredret.ru
byredret.ru

95.163.89.193 (Digital Network JSC aka DINETHOSTING, Russia. Block 95.163.64.0/19)
aeredret.ru
afredret.ru
agredret.ru
ahredret.ru
airedret.ru
bbredret.ru
bcredret.ru
bdredret.ru
beredret.ru
bfredret.ru
bgredret.ru
bhredret.ru

95.163.89.200 (Digital Network JSC aka DINETHOSTING, Russia)
bwredret.ru
bzredret.ru

109.70.26.36 (Parked at RU-SERVICE Ltd ISP)
iredirect.ru

No IP at present
anredret.ru
aoredret.ru
aqredret.ru
atredret.ru
auredret.ru
avredret.ru
awredret.ru
axredret.ru
ayredret.ru
azredret.ru
bjredret.ru
bmredret.ru
bnredret.ru
bqredret.ru
brredret.ru
btredret.ru
buredret.ru
cbredret.ru
ccredret.ru
ceredret.ru
cmredret.ru
cnredret.ru
cqredret.ru
cvredret.ru
cwredret.ru
cxredret.ru
cyredret.ru
fredirect.ru
gredirect.ru
hredirect.ru
jredirect.ru
kredirect.ru
lredirect.ru
mredirect.ru
nredirect.ru
oredirect.ru
predirect.ru
qredirect.ru
rredirect.ru
sredirect.ru
tredirect.ru
uredirect.ru
vredirect.ru
wredirect.ru
xredirect.ru
yredirect.ru
zredirect.ru

Airline ticket spam / ckredret.ru

Despite a whole pile of Redret malware spam at the end of the year, the past couple of weeks have been very quiet. However, a new campaign has started up directing visitors via a hacked legitimate site to ckredret.ru/main.php which is hosted on 203.170.193.102 (IDC Cyberworld, Thailand).

Date:      Tue, 9 Jan 2012 08:33:24 +0700
From:      sales1@victimdomain.com
Subject:      Re: Your Flight N US966-282315527

Dear Customer,



FLIGHT NUMBER 5821-5704164

DATE/TIME : JANUARY 23, 2011, 16:12 PM

ARRIVING AIRPORT: WASHINGTON DC INT. AIRPORT

PRICE : 552.06 USD



Download your ticket here:

VIEW



KAYCEE Ramirez,

American Airlines

Right at the moment the site is failing to resolve, but that could simply be a loading issue. Blocking the 203.170.193.102 IP address would be a good idea as it will stop any other malicious sites on the same server.

Friday, 6 January 2012

"Elavon 2012 Update" phish

Elavon deals with payment processing. This email is not from Evalon.

From: "Elavon, Inc." [sobolan@myvirtualmerchan-02.com]
Date:Fri, 06 Jan 2012 16:09:48 +0100
Subject: Urgent-Notification

--Elavon 2012 Update--
Dear Customer,

We regret to inform you that your retail merchant account is locked.
To re-activate it please download the file attached to this e-mail and update your login information.

2012 Elavon Inc,
-Please note only RETAIL account are locked-
-Example : Market Segmet : Retail-

Attached is a file called myvirtualmerchant_login.html which is the phish itself, displaying the following screen.

The form itself sends the details to mail.xinsanjing.com on 220.189.213.181. (HangZhou XinSanJing Food Co. Ltd. China) which is possibly a hacked server. In this case the email originated from 209.91.252.206 in Puerto Rico.

If you use Elavon's services, watch out for this phish.

Thursday, 29 December 2011

"Your Changelog UPDATED" / cjredret.ru

Another spam, another "redret" domain. This time the spam is a "changelog" one, the malicious payload is on cjredret.ru/main.php.

Date:      Thu, 29 Dec 2011 07:59:51 +0200
From:      accounting@victimdomain.com
Subject:      Re: Fwd: Your Changelog UPDATED

Hello,

as promised chnglog updated -: View Changelog

Carey CATHERINE

The site is hosted on 91.222.137.170 (Delta-X, Ukraine), the same IP address as yesterday. If you don't have any reason to send traffic to the Ukraine, blocking access to 91.222.136.0/22 might be prudent.

Wednesday, 28 December 2011

"HP Officejet" spam / chredret.ru

More spam pointing to a malicious web page at chredret.ru/main.php (after redirecting through a legitimate but hacked site), but this time using the old "HP Officejet" approach.


Date:      Wed, 28 Dec 2011 05:32:16 +0700
From:      VG2EBrady@gmail.com
Subject:      Re: Fwd: Re: Scan from a HP Officejet #8056528

A document was scanned and sent to you using a Hewlett-Packard JET SK868691M



Sent to you by: SHEA
Pages : 3
Filetype: Image (.jpeg) View

Location: GDOSO.1.3TH
Device: OP685S9OD6236672

The domain chredret.ru  was used in this spam run yesterday, but now the server has moved from 46.249.37.22 to 91.222.137.170 (Delta-X, Ukraine). I don't know Delta-X at all, but the SiteVet and Google reports are not good, so you might want to consider blocking the entire range 91.222.136.0/22.

Tuesday, 27 December 2011

Contract spam / chredret.ru

Another fake "contract" spam leading to malware, hosted on chredret.ru .

Date:      Tue, 27 Dec 2011 06:06:18 +0700
From:      "Destinee Mills"
Subject:      The variant of the contract you've offered has been delcined.

After our legal department studied this contract carefully, they've noticed the following mismatches with our previous arrangements. We've composed a preliminary variant of the new contract, please study it and make sure that all the issues are matching your interests
NEW_Contract.doc 44kb


With best wishes
Destinee Mills
Another name used on the spam is "Ramiro Howell", although there are probably hundreds of fake names. The malicious payload is at chredret.ru/main.php, hosted on 46.249.37.22 (Serverius Holding BV, Netherlands). This is the second "redret" domain in this /24, so blocking 46.249.37.0/24 might be prudent.