Sponsored by..

Wednesday, 22 February 2012

AICPA Spam / favoriteburger.net

Following on from yesterday's AICPA spam run, a new domain is in use for the malicious payload, favoriteburger.net/search.php?page=73a07bcb51f4be71 on 209.59.212.14 (Endurance International Group again). The IP is worth blocking, and you may want to consider blocking larger ranges of this ISP who seem to have a problem with this type of malicious site.

Date:      Tue, 20 Feb 2012 22:31:55 -0300
From:      "Gilbert Ayers"
Subject:      Termination of your accountant license.

You're receiving this message as a Certified Public Accountant and a member of AICPA.
Having trouble reading this email? View it in your browser.

Cancellation of CPA license due to tax return fraud allegations

Valued accountant officer,

We have received a notice of your possible assistance in income tax refund fraudulent activity for one of your employers. According to AICPA Bylaw Section 600 your Certified Public Accountant status can be withdrawn in case of the fact of filing of a false or fraudulent income tax return on the member's or a client's behalf.

Please be informed of the complaint below and provide your feedback to it within 14 days. The failure to do so within this term will result in termination of your Accountant status.

Complaint.pdf

The American Institute of Certified Public Accountants.

Email: service@aicpa.org
Tel. 888.777.7077
Fax. 800.362.5066

Tuesday, 21 February 2012

Some malware sites to block 21/2/12

These sites are being used in current spam runs to distribute the Blackhole Exploit Kit. You may want to block the IPs (mostly home PCs) or domains or both.

bestsecondchance.net
freac.net
likethisjob.com
synergyledlighting.net
sysfilecore.com
systemtestnow.com
thai4me.com
yourbeautifullife.net
41.64.21.71
69.76.48.235
98.213.116.76
115.249.190.46
151.56.49.48
151.70.111.200
174.48.136.189


For the record, those IPs are on the following providers:
41.64.21.71 (Dynamic ADSL, Egypt)
69.76.48.235 (Road Runner, US)
98.213.116.76 (Comcast, US)
115.249.190.46 (Reliance Communication, India)
151.56.49.48 (IUnet, Italy)
151.70.111.200 (IUnet, Italy)
174.48.136.189 (Comcast, US)

AICPA Spam / thai4me.com

Another spam run allegedly from "The American Institute of Certified Public Accountants" (AICPA) leading to malware, this time with a malicious payload on the domain thai4me.com.
From: Guillermo Reed risk.manager@aicpa.org
Date: 20 February 2012 11:18
Subject: Income tax return fraud accusations.

You're receiving this notification as a Certified Public Accountant and a member of AICPA.
Having trouble reading this email? View it in your browser.

AICPA logo
Termination of CPA license due to income tax fraud allegations
Dear AICPA member,

We have received a complaint about your possible involvement in income tax return fraud  for one of your clients. According to AICPA Bylaw Paragraph 500 your Certified Public Accountant status can be terminated in case of the aiding of filing of a false or fraudulent tax return on the member's or a client's behalf.

Please be informed of the complaint below and respond to it within 14 days. The failure to provide the clarifications within this period will result in termination of your Accountant status.

Complaint.pdf


The American Institute of Certified Public Accountants.

Email: service@aicpa.org
Tel. 888.777.7077
Fax. 800.362.5066

=================

Date:      Tue, 20 Feb 2012 12:42:12 +0200
From:      "Devon Staley"
Subject:      Fraudulent tax return assistance accusations.

You're receiving this message as a Certified Public Accountant and a member of AICPA.
Having trouble reading this email? View it in your browser.

Termination of CPA license due to tax return fraud accusations

Valued AICPA member,

We have been notified of your alleged involvement in tax return fraud for one of your employees. According to AICPA Bylaw Subsection 765 your Certified Public Accountant license can be cancelled in case of the fact of submitting of a false or fraudulent income tax return for your client or employer.

Please find the complaint below below and provide your feedback to it within 21 days. The failure to provide the clarifications within this term will result in withdrawal of your Accountant license.

Complaint.doc

The American Institute of Certified Public Accountants.

Email: service@aicpa.org
Tel. 888.777.7077
Fax. 800.362.5066

=================

Date:      Tue, 20 Feb 2012 11:38:30 +0100
From:      "Ervin Witherspoon"
Subject:      Termination of your accountant license.

You're receiving this email as a Certified Public Accountant and a member of AICPA.
Having trouble reading this email? View it in your browser.

Termination of CPA license due to tax return fraud allegations

Dear AICPA member,

We have received a complaint about your recent assistance in income tax refund fraudulent activity on behalf of one of your employees. According to AICPA Bylaw Paragraph 765 your Certified Public Accountant license can be withdrawn in case of the event of submitting of a false or fraudulent income tax return on the member's or a client's behalf.

Please familiarize yourself with the notification below and provide your feedback to it within 7 days. The failure to provide the clarifications within this term will result in suspension of your Accountant license.

Complaint.doc

The American Institute of Certified Public Accountants.

Email: service@aicpa.org
Tel. 888.777.7077
Fax. 800.362.5066

The link leads through a legitimate hacked site to thai4me.com/main.php?page=7d486a09d440e84a which attempts to download a Java exploit. The domain thai4me.com is hosted on 41.64.21.71 (Dynamic ADSL, Egypt), 115.249.190.46 (Reliance Communication, India). Those IPs also contain other malicious sites, blocking them is probably a good move.

Saturday, 18 February 2012

Why you shouldn't use "The Good Care Guide" (goodcareguide.co.uk)

The Good Care Guide (goodcareguide.co.uk) looks like an admirable thing at first glance - an independent way for user of care services for the elderly and infants to review the quality of care both good and bad. This is particularly useful with care for the elderly where there often isn't much information, and the site has generated a lot of press comment (for example, the BBC, Sky News and the Press Association).

So... is this an entirely altruistic service? Not really. The Good Care Guide is provided in part by My Family Care Ltd which specialises in providing emergency, out-of-hours and holiday homecare for children and the elderly (e.g. emergencychildcare.co.uk, outofschoolcare.co.uk, emergencyhomecare.co.uk and myfamilycare.co.uk). Not that there appears to be anything wrong with these services, in fact they look to be pretty good and fill an important market niche.

When you sign up to write a review for the Good Care Guide, you have to give pretty much ALL your personal information including home address and telephone number. OK, that's fair enough if you want to make sure that the reviews are genuine..



The catch comes with the privacy policy which to be fair spells out what they are going to do with your personal information very clearly.
With whom we share your information

GCG may share your information with the following entities:
  • Third-party vendors who provide services or functions on our behalf. Third-party vendors have access to and may collect information only as needed to perform their functions and are not permitted to share or use the information for any other purpose.
  • Business partners with whom we may offer products or services in conjunction. You can tell when a third party is involved in a product or service you have requested because their name will appear either with ours or separately.
  • Affiliated Web sites. If you were referred to GCG from another Web site, we may share your registration information, such as your name, email address, mailing address and telephone number about you with that referring Web site. We have not placed limitations on the referring Web sites' use of personal information and we encourage you to review the privacy policies of any Web site that referred you to GCG.
  • Companies within our corporate family. We may share your personal information within the My Family Care Group. This sharing enables us to provide you with information about care services which might interest you.

So basically.. they will share your information with other parts of their own company, any referring website and indeed any third party business partner that they seem fit. OK, everybody needs to run a business but there is no opt out clause. If you want to write a review, then you are agreeing to receive marketing communication by email, post and even telephone regarding care services, essentially without limitation.

The Good Care Guide are not doing anything illegal. But childcare is expensive, and care for the elderly is very expensive. There is a lot of money to be made out of this type of care, and it looks like the operators of the Good Care Guide want a share of this market through their own paid-for services.

Until the Good Care Guide give an opt-out for marketing communications, then I cannot recommend this service as it looks suspiciously like a lead generator rather than a public service.

Friday, 17 February 2012

"Your accountant CPA license termination" spam / biggestsetter.com and 199.30.89.0/24

I haven't seen this spam before, but the malicious payload it leads to is very familiar..

Date:      Fri, 16 Feb 2012 14:35:18 +0200
From:      "Mae Keller"
Subject:      Your accountant CPA license termination.

You're receiving this notification as a Certified Public Accountant and a member of AICPA.
Having trouble reading this email? View it in your browser.

Revocation of CPA license due to income tax fraud allegations

Dear AICPA member,

We have received a complaint about your alleged participation in tax return fraudulent activity� on behalf of one of your employees. According to AICPA Bylaw Section 700 your Certified Public Accountant license can be cancelled in case of� the occurrence of filing of a misguided or fraudulent income tax return on the member's or a client's behalf.�

Please familiarize yourself with the notification below and respond to it within 7 days. The failure to provide the clarifications within this term will result in withdrawal of your Accountant license.

Complaint.pdf

The American Institute of Certified Public Accountants.

Email: service@aicpa.org
Tel. 888.777.7077
Fax. 800.362.5066

Although it claims to be from "The American Institute of Certified Public Accountants" (aicpa.org), the "from" address claims to be the BBB.

Click on the "complaint.pdf" link and you are redirected to biggestsetter.com/search.php?page=73a07bcb51f4be71  which attempts to download the Blackhole Exploit Kit. biggestsetter.com  is hosted on 199.30.89.187 (Zerigo / Central Host Inc). This netblock has been used several times in the past few days so my advice is to block access to 199.30.89.0/24.

Some more examples:

Date:      Fri, 16 Feb 2012 14:40:46 +0100
From:      "Susie Smallwood"
Subject:      Termination of your accountant license.

You're receiving this email as a Certified Public Accountant and a member of AICPA.
Having trouble reading this email? View it in your browser.

Termination of CPA license due to tax return fraud accusations

Dear AICPA member,

We have been notified of your recent assistance in income tax refund fraud on behalf of one of your clients. According to AICPA Bylaw Section 600 your Certified Public Accountant status can be withdrawn in case of the occurrence of submitting of a misguided or fraudulent income tax return on the member's or a client's behalf.

Please familiarize yourself with the complaint below and respond to it within 7 days. The failure to respond within this term will result in cancellation of your Accountant license.

Complaint.pdf

The American Institute of Certified Public Accountants.

Email: service@aicpa.org
Tel. 888.777.7077
Fax. 800.362.5066

===============

Date:      Fri, 16 Feb 2012 14:25:24 +0100
From:      "Alvaro Best"
Subject:      Tax return fraud notification.

You're receiving this message as a Certified Public Accountant and a member of AICPA.
Having trouble reading this email? View it in your browser.

Revocation of Public Account Status due to tax return fraud allegations

Dear accountant officer,

We have been notified of your possible participation in income tax return fraudulent activity for one of your clients. According to AICPA Bylaw Section 700 your Certified Public Accountant status can be cancelled in case of the act of submitting of a misguided or fraudulent income tax return for your client or employer.

Please find the complaint below below and respond to it within 14 days. The failure to provide the clarifications within this period will result in withdrawal of your Accountant status.

Complaint.doc

The American Institute of Certified Public Accountants.

Email: service@aicpa.org
Tel. 888.777.7077
Fax. 800.362.5066

===============

Date:      Fri, 16 Feb 2012 14:21:48 +0100
To:      
Subject:      Fraudulent tax return assistance accusations.

You're receiving this notification as a Certified Public Accountant and a member of AICPA.
Having trouble reading this email? View it in your browser.

Termination of CPA license due to income tax fraud allegations

Dear AICPA member,

We have received a complaint about your possible assistance in tax return fraudulent activity on behalf of one of your employers. According to AICPA Bylaw Section 500 your Certified Public Accountant license can be withdrawn in case of the fact of submitting of a incorrect or fraudulent tax return for your client or employer.

Please find the complaint below below and respond to it within 21 days. The failure to respond within this period will result in withdrawal of your CPA license.

Complaint.doc

The American Institute of Certified Public Accountants.

Email: service@aicpa.org
Tel. 888.777.7077
Fax. 800.362.5066

freac.net is back with a BBB spam run

freac.net is a domain used by malicious spam email pretending to be from the BBB or NACHA, as in this example. In that case, freac.net was apparently hosted on an IP belonging to Huawei in the US, but shortly afterwards it went non-resolving.

Well, freac.net is back and so is the spam promoting it.. e.g.

Date:      Fri, 16 Feb 2012 14:30:35 +0530
From:      "BBB"
Subject:      BBB case ID 28764441
Attachments:     betterbb_logo.jpg

Hello,

Here with the Better Business Bureau would like to notify you that we have received a complaint (ID 28764441) from a customer of yours related to their dealership with you.

Please open the COMPLAINT REPORT below to find more information on this case and let us know of your position as soon as possible.

We are looking forward to hearing from you.

Regards,

Carlos Baxter

Dispute Counselor
Better Business Bureau


Council of Better Business Bureaus
4200 Wilson Blvd, Suite 800
Arlington, VA 22203-1838
Phone: 1 (703) 276.0100
Fax: 1 (703) 525.8277

===========

Date:      Fri, 16 Feb 2012 14:26:31 +0530
From:      "BBB"
Subject:      BBB complaint processing
Attachments:     betterbb_logo.jpg

Attention: Owner/Manager

Here with the Better Business Bureau would like to notify you that we have been sent a complaint (ID 78067910) from a customer of yours related to their dealership with you.

Please open the COMPLAINT REPORT below to obtain more information on this case and inform us about your opinion as soon as possible.

We are looking forward to hearing from you.

Faithfully,

Theresa Morris

Dispute Counselor
Better Business Bureau


Council of Better Business Bureaus
4200 Wilson Blvd, Suite 800
Arlington, VA 22203-1838
Phone: 1 (703) 276.0100
Fax: 1 (703) 525.8277

Currenly freac.net is hosted on 46.4.226.18 and 41.64.21.71, the first is a server rented from Hetzner in Germany, oddly the second is an ADSL line in Cairo.

Anyway, blocking those IPs will stop any further infections from those IPs. A Wepawet report for this infection is here.

Thursday, 16 February 2012

"Scan from a Hewlett-Packard Officejet" malicious spam / cserimankra.ru and samaragotodokns.ru

Another spam run with a malicious attachment:

Date:      Fri, 16 Feb 2012 11:24:56 +0700
From:      "VICTOR TALLEY"
Subject:      Scan from a Hewlett-Packard Officejet 3906171
Attachments:     HP_Scan-02.16_N05556.htm

Attached document was scanned and sent

to you using a Hewlett-Packard HP Officejet 97687P.

Sent by: VICTOR
Images : 9
Attachment Type: .HTML [Internet Explorer]

Hewlett-Packard Location: machine location not set
Device: PFJ722DS0IDJ4996064
The attachment attempts to download malicious code from cserimankra.ru:8080/images/aublbzdni.php  which is multihomed (report here) and then attempts to download more malcode from samaragotodokns.ru:8080/images/jw.php?i=8

These .ru sites are hosted on a familiar set of IP addresses, very similar to the ones found here.

46.137.251.11 (Amazon Data Services, Ireland)
50.31.1.105 (Steadfast Networks, US)
50.57.77.119 (Slicehost US)
50.76.184.100 (Comcast, US)
69.60.117.183 (Colopronto, US)
87.120.41.155 (Neterra, Bulgaria)
88.191.97.108 (Free SAS / ProXad, France)
111.93.161.226 (Tata Teleservices, India)
173.203.51.174 (Slicehost, US)
173.255.229.33 (Linode, US)
184.106.151.78 (Slicehost, US)
184.106.237.210 (Slicehost, US)
190.81.107.70 (Telemax, Peru)
190.106.129.43 (G2KHosting, Argentina)
200.169.13.84 (Century Telecom Ltda, Brazil)
204.12.252.82 (Jaidee Daijai, US)
210.56.23.100 (Commission For Science And Technology, Pakistan)
211.44.250.173 (SK Broadband Co Ltd, South Korea)

If you need a bare set of IP addresses for pasting into a blocklist:

46.137.251.11
50.31.1.105
50.57.77.119
50.76.184.100
69.60.117.183
87.120.41.155
88.191.97.108
111.93.161.226
173.203.51.174
173.255.229.33
184.106.151.78
184.106.237.210
190.81.107.70
190.106.129.43
200.169.13.84
204.12.252.82
210.56.23.100
211.44.250.173

Update: cgolidaofghjtr.ru is being used in a similar spam run and is on the same servers.

Something evil on 212.95.54.22 (inferno.name)

Something evil is lurking on 212.95.54.22, a server belonging to black hat host inferno.name (mentioned here before).

I've never seen a legitimate site hosted by inferno.name, and I recommend that you block their IP ranges.. I ideidentified the following list last August, I haven't had the change to go back and check it again.

46.22.211.0/25
80.79.124.128/26
92.48.122.32/28
95.168.165.0/24
95.168.173.0/24
95.168.177.0/24
95.168.178.0/24
95.168.191.0/24
188.72.204.0/24
188.72.213.0/24
188.143.232.0/23
212.95.54.0/24
212.95.58.0/24
212.95.63.0/24

These are the some of malicious sites hosted on that server, it appears to be some sort of injection attack although it is still being analysed.

*.1905188000.1959caddylimousine.com
*.1959caddylimousine.com
*.2358552833.59caddylimousine.com
*.2851874892.elegantdesign-dfw.org
*.3278164984.elegantdesign-dfw.info
*.59caddylimousine.com
*.alvolo.co.uk.process.1905188000.1959caddylimousine.com
*.ca.redirect.3278164984.elegantdesign-dfw.info
*.co.uk.process.1905188000.1959caddylimousine.com
*.com.process.2851874892.elegantdesign-dfw.org
*.elegantdesign-dfw.info
*.elegantdesign-dfw.org
*.google.ca.redirect.3278164984.elegantdesign-dfw.info
*.google.com.process.2851874892.elegantdesign-dfw.org
*.google.it.process.2358552833.59caddylimousine.com
*.it.process.2358552833.59caddylimousine.com
*.process.1905188000.1959caddylimousine.com
*.process.2358552833.59caddylimousine.com
*.process.2851874892.elegantdesign-dfw.org
*.redirect.3278164984.elegantdesign-dfw.info
*.uk.process.1905188000.1959caddylimousine.com
1905188000.1959caddylimousine.com
212-95-54-22.local
2358552833.59caddylimousine.com
2851874892.elegantdesign-dfw.org
3278164984.elegantdesign-dfw.info
alvolo.co.uk.process.1905188000.1959caddylimousine.com
ca.redirect.3278164984.elegantdesign-dfw.info
co.uk.process.1905188000.1959caddylimousine.com
com.process.2851874892.elegantdesign-dfw.org
europschool.net.url.2523133614.elegantdesign-dfw.net
flyksa.com.redirect.465141941.59caddylimo.com
google.ca.redirect.3278164984.elegantdesign-dfw.info
google.com.process.2851874892.elegantdesign-dfw.org
google.it.process.2358552833.59caddylimousine.com
it.process.2358552833.59caddylimousine.com
oekb36.at.process.340120129.1959caddylimo.com
oekb36.at.redirect.411115172.59cadillaclimousine.com
process.1905188000.1959caddylimousine.com
process.2358552833.59caddylimousine.com
process.2851874892.elegantdesign-dfw.org
redirect.3278164984.elegantdesign-dfw.info
suche.aol.de.search.410468745.elegantdesign-dfw.org
uk.process.1905188000.1959caddylimousine.com
www.alvolo.co.uk.process.1905188000.1959caddylimousine.com
www.berrywestra.nl.search.43565349.1959caddylimousine.com
www.dianaamft.de.search.413644068.59caddylimo.com
www.feuerwehr-schweiz.ch.redirect.461037769.1959caddylimousine.com
www.frnd.de.query.333082952.1959caddylimo.com
www.frnd.de.url.318686353.elegantdesign-dfw.org
www.gaestehaus-schuett-niendorf.de.redirect.411264880.jennyspecialoffer.info
www.google.at.url.4079944488.59caddylimousine.com
www.google.ca.redirect.3278164984.elegantdesign-dfw.info
www.google.com.process.2851874892.elegantdesign-dfw.org
www.google.com.query.3384746824.elegantdesign-dfw.info
www.google.de.process.314184094.1959cadillaclimo.com
www.google.de.process.3384063282.59caddylimo.com
www.google.de.process.3464400104.elegantdesign-dfw.org
www.google.de.process.36453841.59cadillaclimo.com
www.google.de.process.412658054.59cadillaclimousine.com
www.google.de.query.15292270.elegantdesign-dfw.net
www.google.de.query.332541317.59cadillaclimousine.com
www.google.de.query.335211808.elegantdesign-dfw.org
www.google.de.query.3384406282.jennyspecialoffer.info
www.google.de.query.3464386393.59caddylimousine.com
www.google.de.query.464367892.1959caddylimo.com
www.google.de.redirect.3384265678.elegantdesign-dfw.info
www.google.de.redirect.3384350356.1959cadillaclimousine.com
www.google.de.redirect.3464464836.1959cadillaclimo.com
www.google.de.redirect.464534470.1959cadillaclimo.com
www.google.de.search.3384394923.1959cadillaclimo.com
www.google.de.search.3384492708.elegantdesign-dfw.com
www.google.de.search.382410083.1959cadillaclimousine.com
www.google.de.search.393679898.59caddylimousine.com
www.google.de.search.4082654881.1959caddylimousine.com
www.google.de.search.412756816.59caddylimousine.com
www.google.de.search.462774118.elegantdesign-dfw.info
www.google.de.search.463016893.59cadillaclimousine.com
www.google.de.url.15149077.59caddylimo.com
www.google.de.url.2523853156.elegantdesign-dfw.net
www.google.de.url.2531191013.1959cadillaclimousine.com
www.google.de.url.314298327.1959cadillaclimo.com
www.google.de.url.337083412.1959cadillaclimousine.com
www.google.de.url.3375711067.elegantdesign-dfw.net
www.google.es.process.3254798273.1959cadillaclimo.com
www.google.gr.process.11965077.1959cadillaclimousine.com
www.google.it.process.2358552833.59caddylimousine.com
www.google.nl.redirect.455319947.59caddylimo.com
www.google.nl.search.4251017144.1959cadillaclimousine.com
www.kefalonia-animal-trust.de.url.397020850.59cadillaclimousine.com
www.kgse.de.process.465129127.elegantdesign-dfw.info
www.klassik-in-berlin.de.search.464418679.59cadillaclimo.com
www.landwarenshop.de.search.463324361.59cadillaclimo.com
www.losan.de.redirect.318546405.1959cadillaclimousine.com
www.mein-unterrichtsmaterial.de.query.3254956884.1959cadillaclimousine.com
www.rafoeg.de.process.463558035.59caddylimo.com
www.sportfoto-vogler.de.process.337602454.elegantdesign-dfw.com
www.sportfoto-vogler.de.url.337492263.jennyspecialoffer.info
www.torleute.de.redirect.341391517.59caddylimo.com
www.welte.de.search.397762316.1959cadillaclimo.com

Update 15/11/12:
94.100.17.128/26 (94.100.17.128 - 94.100.17.191) is another inferno.name range that you should probably block.

NACHA Spam / billydimple.com and biggestblazer.com

Here we go again, another NACHA spam leading to a malicious payload..

From:  The Electronic Payments Association risk_manager@nacha.org
Date: 15 February 2012 13:52
Subject: Rejected ACH payment

The ACH transaction (ID: 44103676925895), recently initiated from your bank account (by you or any other person), was canceled by the Electronic Payments Association.

Canceled transfer
Transaction ID:     44103676925895
Rejection Reason     See details in the report below
Transaction Report     report_44103676925895.doc (Microsoft Word Document)

13450 Sunrise Valley Drive, Suite 100
Herndon, VA 20171

2011 NACHA - The Electronic Payments Association
The malware is on biggestblazer.com/search.php?page=73a07bcb51f4be71 (report here) which is hosted on 199.30.89.180 (Central Host Inc / Zerigo.. yet again). It attempts to download additional components from billydimple.com/forum/index.php?showtopic=656974  on 69.164.205.122 (Linode.. again).

I've now seen several malicious sites in the 199.30.89.0/24 range, it might be worth considering blocking the whole lot.

Wednesday, 15 February 2012

"Submit your tax refund request" malware / synergyledlighting.net

This spam leads to a malicious payload on synergyledlighting.net - a domain we have seen a lot of recently with a habit of moving around.

Date:      Wed, 14 Feb 2012 18:06:23 +0530
From:      "Rolland Quintana"
Subject:      Submit your tax refund request
Attachments:     irs_logo.jpg

After the last annual computations of your financial activity we have determined that you are eligible to get a tax refund of $802.

Please submit the tax refund request and allow us 3-9 days in order to process it.

The delay of a refund can be caused by a variety of reasons.

E.g., sending incorrect records or not meeting a deadline.

To learn the details of your tax refund please open this link.

Best regards,
Tax Refund Department
Internal Revenue Service

The malware starts at synergyledlighting.net/main.php?page=6d63cba62f5eb9a0 and then downloads various components (report here). Today synergyledlighting.net is on 178.211.40.29 (Sayfa Net, Turkey). This is one where blocking both the IP and domain is probably a good idea.

SOCA seize rnbxclusive.com. Due process, anyone?

I've never heard of RnBXclusive (rnbxclusive.com), but it is a site to do with Urban Music which isn't really my cup of tea. However, visitors to the site today get a message from SOCA saying:

SOCA has taken control of this domain name.    
The individuals behind this website have been arrested for fraud.

The majority of music files that were available via this site were stolen from the artists.    
If you have downloaded music using this website you may have committed a criminal offence which carries a maximum penalty of up to 10 years imprisonment and an unlimited fine under UK law.      
     
Your IP     Your Browser     Your OS     Time / Date
193.110.241.235
    Firefox10.0.1     WinXP     06:46:37
15/02/2012
   
    The above information can be used to identify you and your location.

SOCA has the capability to monitor and investigate you, and can inform your internet service provider of these infringements.

You may be liable for prosecution and the fact that you have received this message does not preclude you from prosecution.

As a result of illegal downloads young, emerging artists may have had their careers damaged. If you have illegally downloaded music you will have damaged the future of the music industry.

Visit pro-music.org for a list of legal music sites on the web.

One annoyance is that SOCA display the IP address of the visitor and basically accuse the visitor of being a criminal. But, more seriously, SOCA's message indicates that the site operator was guilty of illegal activities without a trial. Remember courts? Judges? That sort of thing? Any good lawyer could probably argue that SOCA's statement is prejudicial.

Also of interest, the .com name is registered through GoDaddy in the US, the site is hosted on 83.138.166.114 which appears to be in a Rackspace facility in the UK. It looks like SOCA might have gained control of the server rather than the domain name which shows no WHOIS changes.

TorrentFreak have some additional information here.

Tuesday, 14 February 2012

NACHA Spam / biggestloop.com

Another NACHA spam leading to a malicious payload, this time on biggestloop.com.

Date:      Tue, 13 Feb 2012 19:06:18 +0100
From:      "The Electronic Payments Association"
Subject:      Your ACH transfer
Attachments:     nacha_logo.jpg

The ACH transaction (ID: 54525654754524), recently initiated from your bank account (by you or any other person), was canceled by the other financial institution.

Rejected transaction
Transaction ID:     54525654754524
Rejection Reason     See details in the report below
Transaction Report     report_54525654754524.doc (Microsoft Word Document)

13450 Sunrise Valley Drive, Suite 100

Herndon, VA 20171

2011 NACHA - The Electronic Payments Association

I can't believe that there is a person in the world receiving this who will not have received hundreds of versions of the same thing before, but the spammers continue. The malicious payload is at biggestloop.com/main.php?page=27f6207e33edeeca (analysis here) on 206.214.68.57 (B2Net Solutions, Canada). Block the IP if you can. Better still, write some filters for your email system to keep the things far, far away.

This why I won't be using F-Secure Mobile Security

F-Secure Mobile Security is not a bad product - it includes anti-theft software, a virus scanner and a supposedly secure browser. In the UK, F-Secure charge £29.95 a year for this, which is pricey for an Android application, but usually F-Secure products are very good. You can get a month's free trial before you buy.

It has some strengths and weaknesses. But I won't upgrading to the paid version. Why not? Well, every day the same nag message comes up:
F-Secure would like to have your phone number for the purposes of possible product information and marketing related messaging. The cost of approval is that of one-stime standard SMS to Finland. Do you agree?
There are two buttons.. Yes and No. Click "No" and the message seems to go away.. until the next day. And the day after that. And the day after that. You get the picture. Either this is a bug or it is a very aggressive attempt to get you to agree to SMS marketing. Either way it's a big turnoff and I'll be looking for another product to protect my Android..

NACHA Spam / freac.net

Another NACHA spam, this time with a malicious payload on the site freac.net.

Date:      Tue, 13 Feb 2012 11:12:12 +0100
From:      "The Electronic Payments Association" [alerts@nacha.org]
Subject:      ACH transaction canceled
Attachments:     nacha_logo.jpg

The ACH transfer (ID: 14282248034397), recently sent from your checking account (by you or any other person), was canceled by the other financial institution.

Rejected transaction
Transaction ID:     14282248034397
Rejection Reason     See details in the report below
Transaction Report     report_14282248034397.doc (Microsoft Word Document)

13450 Sunrise Valley Drive, Suite 100

Herndon, VA 20171

2011 NACHA - The Electronic Payments Association

The malware is on freac.net/main.php?page=cd12dfacc57c3f82 (report here) which is on IP address 12.133.182.133 (Huawei Technologies, US). Blocking access to the IP address will prevent any other malicious sites on the server from being a problem.

"Arch Coal Corp" spam lead to malware / coajsfooioas.ru and tuberkulesneporok.ru

A slightly different spam from the usual Xerox rubbish, but with a similar malicious payload.. this time on the domains coajsfooioas.ru and tuberkulesneporok.ru.

Date:      Tue, 13 Feb 2012 04:59:42 +0900
From:      "DELL AVILES" Arch Coal Corp . [AfinaGuridi@auburn.edu]
Subject:      Re: Intercompany inv. from Arch Coal Corp.
Attachments:     Invoice_02_7_h158329.htm

Good day

Attached the intercompany inv. for the period Dec. 2011 til Jan.. 2012.

Thanks a lot for supporting this process

DELL AVILES

Arch Coal Corp. 

The obfuscated javascript in the attachment attempts to download malicious code from coajsfooioas.ru:8080/images/aublbzdni.php followed by more code from tuberkulesneporok.ru:8080/images/jw.php?i=8 (Wepawet report here).

These domains are multihosted on the same IPs as listed here. Blocking access to those IPs should stop further malware attacks from being successful.

Monday, 13 February 2012

"Scan from a Xerox W. Pro #6999878 " spam / ckolmadiiasf.ru

This spam comes with a malicious attachment that attempts to download malware from ckolmadiiasf.ru:8080/images/aublbzdni.php

Date:      Mon, 12 Feb 2012 07:57:23 +0700
From:      scan@victimdomain.com
Subject:      Fwd: Scan from a Xerox W. Pro #6999878
Attachments:     Xerox_Doc-l1616.htm

Please open the attached document. It was scanned and sent



to you using a Xerox WorkCentre Pro.



Sent by: SUSANNAH
Number of Images: 6
Attachment File Type: .HTML [Internet Explorer Format]

Xerox WorkCentre Location: machine location not set
Device Name: XEROX5427OD9ID86

This is one of those cases where the malicious domain is massively multihomed (there's a plain list at the end of the post if you want to copy and paste):

46.105.97.103 (OVH Systems, France)
46.137.251.11 (Amazon Data Services, Ireland)
50.31.1.105 (Steadfast Networks, US)
50.57.77.119 (Slicehost, US)
50.57.118.247 (Slicehost, US)
50.76.184.100 (Comcast Business Communications, US)
69.60.117.183 (Colopronto, US)
72.22.83.93 (iPower, US)
78.83.233.242 (MVN Systems Ltd, Bulgaria)
87.120.41.155 (Neterra Ltd, Bulgaria)
88.191.97.108 (Free SAS / ProXad, France)
93.189.88.198 (SiliconTower, Spain)
98.158.180.244 (Hosting Services Inc, US)
173.203.51.174 (Slicehost, US)
173.255.229.33 (Linode, US)
174.122.121.154 (ThePlanet, US)
184.106.151.78 (Slicehost, US)
184.106.237.210 (Slicehost, US)
190.106.129.43 (G2KHosting, Argentina)
200.169.13.84 (Century Telecom Ltda, Brazil)
204.12.252.82 (Jaidee Daijai, US)

Looks familiar? Well, it is almost identical to this list with a few servers taken out of action.

46.105.97.103
46.137.251.11
50.31.1.105
50.57.77.119
50.57.118.247
50.76.184.100
69.60.117.183
72.22.83.93
78.83.233.242
87.120.41.155
88.191.97.108
93.189.88.198
98.158.180.244
173.203.51.174
173.255.229.33
174.122.121.154
184.106.151.78
184.106.237.210
190.106.129.43
200.169.13.84
204.12.252.82

NACHA Spam / cooldcloud.com and twistcosm.com

Yet more NACHA spam leading to a malicious payload, this time on cooldcloud.com.

Date:      Mon, 12 Feb 2012 08:16:16 -1100
From:      "The Electronic Payments Association"
Subject:      ACH transfer rejected
Attachments:     nacha_logo.jpg

The ACH transfer (ID: 1366285882700), recently initiated from your bank account (by you or any other person), was rejected by the other financial institution.

Rejected transaction
Transaction ID:     1366285882700
Rejection Reason     See details in the report below
Transaction Report     report_1366285882700.doc (Microsoft Word Document)

13450 Sunrise Valley Drive, Suite 100

Herndon, VA 20171

2011 NACHA - The Electronic Payments Association

==================

Date:      Mon, 12 Feb 2012 19:06:12 +0000
From:      "The Electronic Payments Association"
Subject:      ACH transfer rejected
Attachments:     nacha_logo.jpg

The ACH transaction (ID: 9485030409966), recently sent from your checking account (by you or any other person), was canceled by the Electronic Payments Association.

Canceled transfer
Transaction ID:     9485030409966
Rejection Reason     See details in the report below
Transaction Report     report_9485030409966.doc (Microsoft Word Document)

13450 Sunrise Valley Drive, Suite 100

Herndon, VA 20171

2011 NACHA - The Electronic Payments Association

The malware is at cooldcloud.com/search.php?page=73a07bcb51f4be71 hosted on 74.91.117.227 (Nuclear Fallout Enterprises... again). Blocking the IP is best as that will protect against other malware, although you may want to block more widely given the problems with this host.

The malware tries to download additional content from twistcosm.com/forum/index.php?showtopic=656974 on 199.30.89.139 (Central Host / Zerigo Inc), another problem hosting company.

You can find a Wepawet report here.

NACHA Spam / beaverday.biz

More fake NACHA spam, this time with a malicious payload on the domain beaverday.biz.

From:  The Electronic Payments Association office@officecar.ro
Reply-To:  The Electronic Payments Association
To:  itd@sos.com.ph
Date:  13 February 2012 10:06
Subject:  ACH transfer error

Dear Chief Accounting Officer,

We are sorry to inform you, that Direct Deposit payment (ID801400587332) has not been credited to the receiver account, because of partially missing banking details.

Direct Deposit procedure incomplete
Transaction ID :     801400587332
Details:     Please use the transfer correction request below provide the correct banking information.
Transfer Status     report-801400587332.doc (Micro soft Word Document)

Home About Us Site Map Contact Us NACHA Inquiries NACHA Privacy Policy NACHA Code of Conduct Disclaimer
Membership Education ACH Network ACH Rules Risk & Compliance News & Resources NACHA eStore

13450 Sunrise Valley Drive, Suite 100 Herndon, VA 20171 (703) 561-1100

2012 NACHA - The Electronic Payments Association

The payload is a Blackhole exploit kit at beaverday.biz/search.php?page=977334ca118fcb8c (Wepawet report here) which is hosted on 199.30.89.139 (Central Host Inc / Zerigo.net), just a few IPs away from 199.30.89.135 as used in this spam run a few days ago. I have also seen malicious activity on 199.30.91.44 in the same /21.. perhaps Zerigo / Central Host have a problem? Block IPs as you feel is appropriate..

Sunday, 12 February 2012

"Scan from a Xerox WorkCentre Pro" spam with malicious attachment / cojsdhfhhlsl.ru

Here's a slightly new twist on a very familiar theme, with an email attachment that contains an HTML page with obfuscated javascript.. leading to malware.

Date:      Sun, 11 Feb 2012 12:26:18 +0100
From:      "JANICE Heller" [KailaStuck@engineeringdesign.com]
Subject:      Re: Scan from a Xerox WorkCentre Pro #383806
Attachments:     Xerox_Doc_X30366.htm

Please open the attached document. It was scanned and sent

to you using a Xerox WorkCentre Pro.

Sent by: Guest
Number of Images: 8
Attachment File Type: .HTML [Internet Explorer Format]

WorkCentre Pro Location: machine location not set
Device Name: KDX157PS0MSUDX382782

The file Xerox_Doc_X30366.htm attempts to open a malicious web page at cojsdhfhhlsl.ru:8080/images/aublbzdni.php which contains the Blackhole exploit kit (the Wepawet report is here).

This domain is multihomed on some very familar looking IP addresses.. in fact, they are almost identical to this spam attack. If you have blocked those IPs then you will be protected against this one.

For the record, the IPs and hosts are:
46.105.97.103 (OVH Systems, France)
46.137.251.11 (Amazon Data Services, Ireland)
50.31.1.105 (Steadfast Networks, US)
50.57.77.119 (Slicehost, US)
50.57.118.247 (Slicehost, US)
50.76.184.100 (Comcast Business Communications, US)
69.60.117.183 (Colopronto, US)
72.22.83.93 (iPower, US)
78.83.233.242 (MVN Systems Ltd, Bulgaria)
87.120.41.155 (Neterra Ltd, Bulgaria)
88.191.97.108 (Free SAS / ProXad, France)
93.189.88.198 (SiliconTower, Spain)
98.158.180.244 (Hosting Services Inc, US)
125.214.74.8 (Web24 Pty Ltd, Australia)
173.203.51.174 (Slicehost, US)
173.255.229.33 (Linode, US)
174.122.121.154 (ThePlanet, US)
184.106.151.78 (Slicehost, US)
184.106.200.65 (Slicehost, US)
184.106.237.210 (Slicehost, US)
190.106.129.43 (G2KHosting, Argentina)
200.169.13.84 (Century Telecom Ltda, Brazil)
204.12.252.82 (Jaidee Daijai, US)
209.114.47.158 (Slicehost, US)

If you need a plain listing for pasting into a blocklist, use:
46.105.97.103
46.137.251.11
50.31.1.105
50.57.77.119
50.57.118.247
50.76.184.100
69.60.117.183
72.22.83.93
78.83.233.242
87.120.41.155
88.191.97.108
93.189.88.198
98.158.180.244
125.214.74.8
173.203.51.174
173.255.229.33
174.122.121.154
184.106.151.78
184.106.200.65
184.106.237.210
190.106.129.43
200.169.13.84
204.12.252.82
209.114.47.158

Friday, 10 February 2012

Malformed "nacha5_sbj}" spam leads to malware

Some stupid spammer has screwed up their campaign:

Date:      Fri, 9 Feb 2012 20:07:15 +0430
From:      payment@nacha.org
Subject:      nacha5_sbj}
Attachments:     nacha.jpg

The following information concerns the ACH transfer that was originally effectuated by you or any other person on 02-02-2012.

Transaction ID:
    89024101013314
Transaction status:    declined
Supplementary information:    Please read the detailed report

Faithfully,
Violette Coirs.

2012 NACHA - The Electronic Payments Association

This is a system generated email. Please do not respond.

The malicious payload is synergyledlighting.net/main.php?page=4e4959105994cf84  hosted on 131.94.130.132 (Florida International University, US) and 173.236.78.113 (Singlehop, US). That same domain was found in this spam, although one of the IPs has changed since then.

The Florida International University IP address gives a clue as to what is going on here - these servers are most likely hacked rather than rented. This also explains why some IPs have seemingly legitimate sites on them. Still, blocking access to these IPs is the safest thing to do.