Sponsored by..

Thursday, 1 March 2012

"Scan from a Hewlett-Packard Officejet" spam / caskjfhlkaspsfg.ru

Another malicious spam, this time with an attachment containing obfuscated code leading to caskjfhlkaspsfg.ru.

Date:      Thu, 1 Mar 2012 09:43:50 +0530
From:      ARLYNEO93ESQUIVEL@gmail.com
Subject:      Fwd: Re: Fwd: Scan from a Hewlett-Packard Officejet #603320
Attachments:     HP_Scan-27-499614.htm

Attached document was scanned and sent

to you using a Hewlett-Packard HP SmartJet 4931F.



Sent by: ARLYNE
Pages : 9
Attachment Type: .HTM [Internet Explorer/Mozilla Firefox]

The malware is on caskjfhlkaspsfg.ru:8080/images/aublbzdni.php , as with other recent .ru:8080 attacks, this is multihomed on a familiar set of IP addresses:

50.31.1.105 (Steadfast Networks, US)
69.60.117.183 (Colopronto, US)
78.107.82.98 (Corbina Telecom, Russia)
83.238.208.55 (Netia Telekom, Poland)
95.156.232.102 (Optimate-server, Germany)
96.125.168.172 (Websitewelcome, US)
111.93.161.226 (Tata Teleservices, India)
125.19.103.198 (Bharti Infotel, India)
128.134.57.112 (Kwangun University, Korea)
173.203.51.174 (Slicehost, US)
184.106.200.65 (Slicehost, US)
184.106.237.210 (Slicehost, US)
190.81.107.70 (Telemax, Peru)
199.204.23.216 (ECSuite, US)
200.169.13.84 (Century Telecom Ltda, Brazil)
209.114.47.158 (Slicehost, US)
210.56.23.100 (Commission For Science And Technology, Pakistan)
210.109.108.210 (Sejong Telecom, Korea)

A bare list for copy-and-pasting:
50.31.1.105
69.60.117.183
78.107.82.98
83.238.208.55
95.156.232.102
96.125.168.172
111.93.161.226
125.19.103.198
128.134.57.112
173.203.51.174
184.106.200.65
184.106.237.210
190.81.107.70
199.204.23.216
200.169.13.84
209.114.47.158
210.56.23.100
210.109.108.210

DINETHOSTING / curvecheese.com

DINETHOSTING aka Digital Network JSC are a large Russian host that regularly hosts malware sites. Yesterday I came across the domain curvecheese.com (85.192.45.83) being used in a malicious spam run. This is in a block 85.192.32.0/20 allocated to this host.

I tend to block DINETHOSTING ranges as soon as I see malware on them. If you are blocking this host, I would recommend you add 85.192.32.0/20 to your blocklist.

Tuesday, 28 February 2012

BBB Spam / perikanzas.com and twistedtarts.net

BBB spam.. you must know what it looks like by now. Here are a couple of new domains:

perikanzas.com
41.64.21.71 (Dynamic ADSL, Egypt)
213.179.193.132 (Solidhost, Netherlands)

twistedtarts.net
109.68.33.18 (Mesh Digital, UK)

"Your Flight" spam / cparabnormapoopdsf.ru

This spam comes with a malicious attachment pointing to a page on cparabnormapoopdsf.ru.

Date:      Tue, 27 Feb 2012 03:53:09 +0530
From:      sales1@victimdomain.com
Subject:      Fwd: Your Flight N US787-8929269
Attachments:     FLIGHT_TICKET_N3988-753843.htm

Dear Customer,



FLIGHT NUMBER 8333-452628141

DATE/TIME : MARCH 23, 2011, 16:15 PM

ARRIVING AIRPORT: WASHINGTON DC INT. AIRPORT

PRICE : 856.77 USD



Your bought ticket is attached to the letter as a scan document (Internet Exlporer File).

To use your ticket you should print it.

LAKEISHA Wolff,

American Airlines

The payload is at cparabnormapoopdsf.ru:8080/images/aublbzdni.php (report here). As with other .ru:8080 attack, this one is multihomed on some familiar looking IPs:

50.31.1.105 (Steadfast Networks, US)
78.83.233.242 (MVN Systems Ltd, Bulgaria)
83.238.208.55 (Netia Telekom, Poland)
95.156.232.102 (Optimate-server, Germany)
125.19.103.198 (Bharti Infotel, India)
173.203.51.174 (Slicehost, US)
184.106.200.65 (Slicehost, US)
184.106.237.210 (Slicehost, US)
188.165.253.126 (OVH SAS, France)
190.81.107.70 (Telemax, Peru)
199.204.23.216 (ECSuite, US)
200.169.13.84 (Century Telecom Ltda, Brazil)
209.114.47.158 (Slicehost, US)
210.56.23.100 (Commission For Science And Technology, Pakistan)
210.109.108.210 (Sejong Telecom, Korea)

A bare list for copy-and-pasting:
50.31.1.105
78.83.233.242
83.238.208.55
95.156.232.102
125.19.103.198
173.203.51.174
184.106.200.65
184.106.237.210
188.165.253.126
190.81.107.70
199.204.23.216
200.169.13.84
209.114.47.158
210.56.23.100
210.109.108.210

IRS Spam / pollypeach.com

Another IRS spam run leading to malware, this time on pollypeach.com.

Date:      Tue, 27 Feb 2012 17:02:45 +0600
From:      "Ofelia Childers"
Subject:      IRS notification of your tax appeal status.



Dear Accountant Officer,
Hereby you are notified that your Income Tax Return Appeal id#0184348 has been REJECTED. If you believe the IRS did not properly assess your case due to a misinterpretation of the case details, be prepared to provide additional information. You can obtain the rejection report and re-submit your appeal under the following link Online Tax Appeal.

Internal Revenue Service
Telephone Assistance for Businesses:
Toll-Free, 1-800-829-4933
Hours of Operation: Monday � Friday, 7:00 a.m. � 7:00 p.m. your local time (Alaska & Hawaii follow Pacific Time).

The malicious payload is on pollypeach.com/search.php?page=73a07bcb51f4be71 and pollypeach.com/content/ap2.php?f=e4649 (see the report here), hosted on 69.163.45.128 (Directspace, US). Blocking the IP rather than the domain will stop any further infections from that server.

NACHA Spam / cgunikqakklsdpfo.ru

A terse version of the familiar NACHA fake spam, leading to malware:

Date:      Mon, 26 Feb 2012 12:16:40 +0530
From:      accounting@victimdomain.com
Subject:      Fwd: ACH and Wire transfers disabled.

Dear Online Account Operator,
Your ACH transactions have been
temporarily disabled.
View details

Best regards,
Security department

The payload is on cgunikqakklsdpfo.ru:8080/img/?promo=nacha which is multihomed (details below). It's pretty easy to search your outbound logs for connection attempts to .ru:8080 if you haven't got filtering enabled.

The list of IPs gets a little shorter every time, but there are still some familiar hosts here:

50.31.1.105 (Steadfast Networks, US)
69.60.117.183 (Colopronto, US)
78.83.233.242 (MVN Systems Ltd, Bulgaria)
88.191.97.108 (Free SAS / ProXad, France)
95.156.232.102 (Optimate-server, Germany)
125.19.103.198 (Bharti Infotel, India)
173.203.51.174 (Slicehost, US)
184.106.200.65 (Slicehost, US)
184.106.237.210 (Slicehost, US)
188.165.253.126 (OVH SAS, France)
190.81.107.70 (Telemax, Peru)
199.204.23.216 (ECSuite, US)
200.169.13.84 (Century Telecom Ltda, Brazil)
209.114.47.158 (Slicehost, US)
210.56.23.100 (Commission For Science And Technology, Pakistan)

A plain list for copy-and-pasting:
50.31.1.105
69.60.117.183
78.83.233.242
88.191.97.108
95.156.232.102
125.19.103.198
173.203.51.174
184.106.200.65
184.106.237.210
188.165.253.126
190.81.107.70
199.204.23.216
200.169.13.84
209.114.47.158
210.56.23.100

BBB and AICPA spam / 110hobart.com

Two spam runs with essentially the same malicious payload..

Date:      Mon, 26 Feb 2012 12:30:50 +0100
From:      "BBB"
Subject:      BBB case ID 73773062
Attachments:     betterbb_logo.jpg

Attention: Owner/Manager

Here with the Better Business Bureau notifies you that we have been sent a complaint (ID 73773062) from your customer in regard to their dealership with you.

Please open the COMPLAINT REPORT below to obtain the details on this matter and inform us about your position as soon as possible.

We hope to hear from you shortly.

Regards,

Arnold Melendez

Dispute Counselor
Better Business Bureau


Council of Better Business Bureaus
4200 Wilson Blvd, Suite 800
Arlington, VA 22203-1838
Phone: 1 (703) 276.0100
Fax: 1 (703) 525.8277

Leading to 110hobart.com/main.php?page=f46555a4a5b80a04 and 110hobart.com/content/ap2.php?f=cc677, and also:

Date:      Mon, 26 Feb 2012 11:16:30 +0100
From:      "Adan Jordan"
Subject:      Tax return fraud notification.

You're receiving this notification as a Certified Public Accountant and a member of AICPA.
Having trouble reading this email? View it in your browser.

Revocation of Public Account Status due to tax return fraud accusations

Valued AICPA member,

We have received a notice of your recent involvement in income tax refund infringement on behalf of one of your clients. According to AICPA Bylaw Subsection 730 your Certified Public Accountant license can be cancelled in case of the act of filing of a false or fraudulent tax return on the member's or a client's behalf.

Please familiarize yourself with the notification below and respond to it within 21 days. The failure to respond within this time-frame will result in cancellation of your Accountant license.

Complaint.pdf

The American Institute of Certified Public Accountants.

Email: service@aicpa.org
Tel. 888.777.7077
Fax. 800.362.5066


Leading to 110hobart.com/content/ap2.php?f=cc677 and 110hobart.com/main.php?page=02876dd2afe89394 (a slightly different URL from before)

The IP address is a familiar one, 41.64.21.71 which is allegedly an ADSL subscriber in Cairo. This IP has been used in several attacks recently, blocking it would be a really good idea.

Friday, 24 February 2012

AICPA Spam / synetworks.net and housespect.net

More fake AICPA spam leading to malware..

Date:      Fri, 23 Feb 2012 12:29:00 +0100
From:      "Jonathon Humphrey"
Subject:      Termination of your CPA license.

You're receiving this notification as a Certified Public Accountant and a member of AICPA.
Having trouble reading this email? View it in your browser.

Termination of Accountant status due to income tax fraud accusations

Dear AICPA member,

We have received a complaint about your alleged participation in income tax fraudulent activity on behalf of one of your clients. According to AICPA Bylaw Section 600 your Certified Public Accountant status can be terminated in case of the event of submitting of a false or fraudulent income tax return on the member's or a client's behalf.

Please be informed of the complaint below and provide your feedback to it within 7 days. The failure to respond within this term will result in withdrawal of your CPA license.

Complaint.doc

The American Institute of Certified Public Accountants.

Email: service@aicpa.org
Tel. 888.777.7077
Fax. 800.362.5066

==================

Date:      Fri, 23 Feb 2012 12:28:45 +0100
From:      "Dominic Moreno"
Subject:      Your accountant license can be revoked.

You're receiving this email as a Certified Public Accountant and a member of AICPA.
Having trouble reading this email? View it in your browser.

Termination of Public Account Status due to tax return fraud accusations

Dear accountant officer,

We have been informed of your alleged involvement in income tax fraudulent activity for one of your clients. According to AICPA Bylaw Subsection 730 your Certified Public Accountant status can be revoked in case of the aiding of presenting of a incorrect or fraudulent tax return on the member's or a client's behalf.

Please be notified below and provide your feedback to it within 7 days. The failure to do so within this period will result in suspension of your Accountant status.

Complaint.doc

The American Institute of Certified Public Accountants.

Email: service@aicpa.org
Tel. 888.777.7077
Fax. 800.362.5066
The links go through a legitimate hacked site to some obfuscated javascipt leading to a malicious payload on synetworks.net/main.php?page=2d057d472cd217e2 and synetworks.net/content/ap2.php?f=3dc5c (report here) hosted on 76.12.101.172 (HostMySite, US). That IP is also home to housespect.net which also appears to be malicious. Blocking the IP should prevent any other malicious sites on the same server from being a problem.

Thursday, 23 February 2012

HP OfficeJet spam / cruoinaikklaoifpa.ru and upjachkajasamns.ru

This isn't from a HP OfficeJet, the attachment leads to malware..

Date:      Thu, 22 Feb 2012 05:04:38 +0700
From:      scanner@victimdomain.com
Subject:      Fwd: Re: Scan from a Hewlett-Packard Officejet #19152659
Attachments:     HP_Officejet_02-23_OFCJET88353.htm

Attached document was scanned and sent



to you using a Hewlett-Packard HP OfficeJet 34612A.



Sent by: FELICE
Images : 0
Attachment Type: .HTML [Internet Explorer]

HP Officejet Location: --

The .htm file attempts to redirect the victim to a malicious page at cruoinaikklaoifpa.ru:8080/images/aublbzdni.php and as with this recent spate of ".ru:8080" sites it is multihomed. It then tries to download additional malware from upjachkajasamns.ru:8080/images/jw.php?i=8 on the same IP addresses. The list is pretty similar to this one with a few additions.

46.137.251.11 (Amazon Data Services, Ireland)
50.31.1.105 (Steadfast Networks, US)
50.57.77.119 (Slicehost US)
50.57.118.247 (Slicehost US)
69.60.117.183 (Colopronto, US)
78.83.233.242 (MVN Systems Ltd, Bulgaria)
79.101.30.15 (Serbia Telekom, Serbia)
88.191.97.108 (Free SAS / ProXad, France)
95.156.232.102 (Optimate-server, Germany)
98.158.180.244 (VPS.net Atlanta / Hosting Services Inc, US)
125.19.103.198 (Bharti Infotel, India)
125.214.74.8 (Web24 Pty, Australia)
147.83.22.79 (Universitat Politecnica de Catalunya, Spain)
173.203.51.174 (Slicehost US)
184.106.200.65 (Slicehost US)
184.106.237.210 (Slicehost US)
188.165.253.126 (OVH SAS, France)
190.81.107.70 (Telemax, Peru)
199.204.23.216 (ECSuite, US)
200.169.13.84 (Century Telecom Ltda, Brazil)
204.152.221.233 (SystemInPlace, US)
209.114.47.158 (Slicehost, US)
210.56.23.100 (Commission For Science And Technology, Pakistan)
210.56.24.226 (Commission For Science And Technology, Pakistan)

A plain list for copy-and-pasting:
46.137.251.11
50.31.1.105
50.57.77.119
50.57.118.247
69.60.117.183
78.83.233.242
79.101.30.15
88.191.97.108
95.156.232.102
98.158.180.244
125.19.103.198
125.214.74.8
147.83.22.79
173.203.51.174
184.106.200.65
184.106.237.210
188.165.253.126
190.81.107.70
199.204.23.216
200.169.13.84
204.152.221.233
209.114.47.158
210.56.23.100
210.56.24.226

AICPA Spam / srsopen.net

Another fake spam email claiming to be from AICPA, but actually leading to malware, this time on srsopen.net.

Date:      Thu, 22 Feb 2012 11:29:29 +0100
From:      "Guadalupe Kessler"
Subject:      Fraudulent tax return assistance accusations.

You're receiving this message as a Certified Public Accountant and a member of AICPA.
Having trouble reading this email? View it in your browser.

Termination of CPA license due to income tax fraud allegations

Valued accountant officer,

We have received a complaint about your alleged participation in income tax infringement for one of your employers. According to AICPA Bylaw Subsection 765 your Certified Public Accountant license can be cancelled in case of the event of presenting of a incorrect or fraudulent tax return for your client or employer.

Please be notified below and respond to it within 21 days. The failure to respond within this term will result in cancellation of your Accountant license.

Complaint.pdf

The American Institute of Certified Public Accountants.

Email: service@aicpa.org
Tel. 888.777.7077
Fax. 800.362.5066

The malicious payload is at srsopen.net/main.php?page=78581944265196f1 , as usual the first step is a legitimate hacked site. srsopen.net is hosted on two familiar IP addresses, 115.249.190.46 and 41.64.21.71 most recently seen here.

"You may be entitled to up to £3000 from mis-sold PPI" SMS Spam

I hadn't heard anything from these scummy SMS spammers recently, I assumed they had been busted in one of the recent crackdowns.
Urgent - You may be entitled to up to £3000 from mis-sold PPI on loans or credit cards. For a free no obligation check reply PPI or STOP to opt out
The sending number was +447866079549, although these spammers change their number more often than their underwear.

If you get one of these, you should forward the spam to your carrier. In the came of T-Mobile, O2 and Orange the number to report to is 7726 ("SPAM"). Vodafone customers should use 87726 ("VSPAM") and Three customers should use 37726 ("3SPAM"). Hopefully the carriers will act if there are enough complaints.

Wednesday, 22 February 2012

NACHA Spam / campingomotion.com

Another NACHA spam with a malicious payload:

From: The Electronic Payments Association filmeboo@filmeboo.com
Reply-To: The Electronic Payments Association
Date: 22 February 2012 21:46
Subject: Technical failure report

Valued Customer,

Unfortunately we notify you , that Direct Deposit payment (#ACH603865004417US) could not be completed, because of discontinued receipient account.

Direct Deposit procedure incomplete
Transaction # :     ACH603865004417US
Information:     Please download and print the transfer correction request below adjust the recipient banking details.
Transfer Report     report-ACH603865004417US.doc (Microsoft Word Document)

13450 Sunrise Valley Drive, Suite 100 Herndon, VA 20171 (703) 561-1100

2012 NACHA - The Electronic Payments Association

The malicious payload is on campingomotion.com/search.php?page=977334ca118fcb8c, IP 199.230.54.75 (Servint, US). Block the IP address in addition to the domain if you can.

"Urgent! Check the access to your card!" / cpojkjfhotzpod.ru

Another malicious spam pointing to cpojkjfhotzpod.ru:8080

Date:      Wed, 21 Feb 2012 06:09:01 -0800
From:      "Keitha Hanks"
Subject:      Urgent! Check the access to your card!

We have detected operations with large amounts on your card which fact had not previously been observed. Please, familiarize yourself with the copies and contact us in case these transfers of amounts were not made by you.
operations screenshot.jpg 103kb

With best regards
Keitha Hanks
MD5 check sum: xxxxxxxxxxxxxxxxxxxxx


The link in the spam goes to a legitimate hacked site and then cpojkjfhotzpod.ru:8080/images/aublbzdni.php as seen in this spam run. Blocking the list of IPs mentioned in that post is probably prudent.

Contract spam / cpojkjfhotzpod.ru

Another spam run (will they ever end?) this time with a malicious .htm attachment that tries to download from cpojkjfhotzpod.ru. Here are some examples:

Date:      Wed, 21 Feb 2012 07:17:49 +0800
From:      "LARUE Riley"
Subject:      Fw: Contract from LARUE
Attachments:     Contract_Scan_N5005.htm

Good afternoon,



In the attached file I am forwarding you the Translation of the Job Contract

that I have just received yesterday. I am really sorry for the delay.



Best regards,

LARUE Riley, secretary

==========

Date:      Wed, 21 Feb 2012 05:17:01 +0700
From:      "DELORIS Hensley"
Subject:      Fw: Contract of 09.06.2011
Attachments:     Contract_Scan_N0395.htm

Dear Customers,

In the attached file I am forwarding you the Translation of the Job Contract

that I have just received yesterday. I am really sorry for the delay.



Best regards,

DELORIS Hensley, secretary

===========


Date:      Wed, 21 Feb 2012 09:10:09 +0900
From:      "ALISHA MCMILLIAN"
Subject:      Fw: Contract from ALISHA
Attachments:     Contract_Scan_N67448.htm

Dear Customers,

In the attached file I am transferring you the Translation of the Sales Contract



that I have just received today. I am really sorry for the delay.

Best regards,

ALISHA MCMILLIAN, secretary

==========

Date:      Wed, 21 Feb 2012 04:41:45 +0700
From:      "Drake Milton"
Subject:      Fw: Contract of 09.06.2011
Attachments:     Contract_Scan_N7682.htm

Hello,

In the attached file I am forwarding you the Translation of the Purchase Contract

that I have just received a minute ago. I am really sorry for the delay.

Best regards,

Drake Milton, secretary

==========

The malicous payload is on cpojkjfhotzpod.ru:8080/images/aublbzdni.php which is multihomed on several IP addresses, most of which we have seen before (and many of which are with Slicehost). A plain list is at the end for copy-and-pasting.

46.137.251.11 Amazon Data Services, Ireland)
50.31.1.105 (Steadfast Networks, US)
50.57.77.119 (Slicehost US)
50.57.118.247 (Slicehost, US)
50.76.184.100 (Comcast, US)
69.60.117.183(Colopronto, US)
72.22.83.93 (iPower, US)
79.101.30.15 (Serbia Telekom, Serbia)
83.170.91.152 (UK2.NET, UK)
87.120.41.155 (Neterra, Bulgaria)
88.191.97.108 (Free SAS / ProXad, France)
94.20.30.91 (Delta Telecom, Azerbaijan)
95.156.232.102 (Optimate-server, Germany)
98.158.180.244 (VPS.net Atlanta / Hosting Services Inc, US)
125.19.103.198 (Bharti Infotel, India)
125.214.74.8 (Web24 Pty, Australia)
173.203.51.174 (Slicehost, US)
184.106.151.78 (Slicehost, US)
184.106.200.65 (Slicehost, US)
184.106.237.210 (Slicehost, US)
188.165.253.126 (OVH SAS, France)
190.81.107.70 (Telemax, Peru)
199.204.23.216 (ECSuite, US)
200.169.13.84 (Century Telecom Ltda, Brazil)
204.152.221.233 (SystemInPlace, US)
209.114.47.158 (Slicehost, US)
210.56.23.100 (Commission For Science And Technology, Pakistan)
210.56.24.226 (Commission For Science And Technology, Pakistan)

46.137.251.11
50.31.1.105
50.57.77.119
50.57.118.247
50.76.184.100
69.60.117.183
72.22.83.93
79.101.30.15
83.170.91.152
87.120.41.155
88.191.97.108
94.20.30.91
95.156.232.102
98.158.180.244
125.19.103.198
125.214.74.8
173.203.51.174
184.106.151.78
184.106.200.65
184.106.237.210
188.165.253.126
190.81.107.70
199.204.23.216
200.169.13.84
204.152.221.233
209.114.47.158
210.56.23.100
210.56.24.226

BBB Spam / energirans.net

Yet another malicious fake BBB spam run, this time with a malicious payload on the domain energirans.net.

Date:      Wed, 21 Feb 2012 11:21:48 +0100
From:      "BBB"
Subject:      Better Business Bureau complaint
Attachments:     betterbb_logo.jpg

Good afternoon,

Here with the Better Business Bureau would like to inform you that we have received a complaint (ID 15343433) from a customer of yours in regard to their dealership with you.

Please open the COMPLAINT REPORT below to view the details on this issue and suggest us about your position as soon as possible.

We hope to hear from you shortly.

Regards,

Rebecca Wilcox

Dispute Counselor
Better Business Bureau


Council of Better Business Bureaus
4200 Wilson Blvd, Suite 800
Arlington, VA 22203-1838
Phone: 1 (703) 276.0100
Fax: 1 (703) 525.8277
The link in the email goes to a legitimate hacked site and then via some obfuscated javascript to energirans.net/main.php?page=598991e7306ac07e where it attempts to infect the machine with the Blackhole Exploit kit.

energirans.net is hosted on 41.64.21.71 (Dynamic ADSL, Egypt), 115.249.190.46 (Reliance Communication, India) which are the same IPs as found in this spam run. Blocking them is probably a very good idea.

AICPA Spam / favoriteburger.net

Following on from yesterday's AICPA spam run, a new domain is in use for the malicious payload, favoriteburger.net/search.php?page=73a07bcb51f4be71 on 209.59.212.14 (Endurance International Group again). The IP is worth blocking, and you may want to consider blocking larger ranges of this ISP who seem to have a problem with this type of malicious site.

Date:      Tue, 20 Feb 2012 22:31:55 -0300
From:      "Gilbert Ayers"
Subject:      Termination of your accountant license.

You're receiving this message as a Certified Public Accountant and a member of AICPA.
Having trouble reading this email? View it in your browser.

Cancellation of CPA license due to tax return fraud allegations

Valued accountant officer,

We have received a notice of your possible assistance in income tax refund fraudulent activity for one of your employers. According to AICPA Bylaw Section 600 your Certified Public Accountant status can be withdrawn in case of the fact of filing of a false or fraudulent income tax return on the member's or a client's behalf.

Please be informed of the complaint below and provide your feedback to it within 14 days. The failure to do so within this term will result in termination of your Accountant status.

Complaint.pdf

The American Institute of Certified Public Accountants.

Email: service@aicpa.org
Tel. 888.777.7077
Fax. 800.362.5066

Tuesday, 21 February 2012

Some malware sites to block 21/2/12

These sites are being used in current spam runs to distribute the Blackhole Exploit Kit. You may want to block the IPs (mostly home PCs) or domains or both.

bestsecondchance.net
freac.net
likethisjob.com
synergyledlighting.net
sysfilecore.com
systemtestnow.com
thai4me.com
yourbeautifullife.net
41.64.21.71
69.76.48.235
98.213.116.76
115.249.190.46
151.56.49.48
151.70.111.200
174.48.136.189


For the record, those IPs are on the following providers:
41.64.21.71 (Dynamic ADSL, Egypt)
69.76.48.235 (Road Runner, US)
98.213.116.76 (Comcast, US)
115.249.190.46 (Reliance Communication, India)
151.56.49.48 (IUnet, Italy)
151.70.111.200 (IUnet, Italy)
174.48.136.189 (Comcast, US)

AICPA Spam / thai4me.com

Another spam run allegedly from "The American Institute of Certified Public Accountants" (AICPA) leading to malware, this time with a malicious payload on the domain thai4me.com.
From: Guillermo Reed risk.manager@aicpa.org
Date: 20 February 2012 11:18
Subject: Income tax return fraud accusations.

You're receiving this notification as a Certified Public Accountant and a member of AICPA.
Having trouble reading this email? View it in your browser.

AICPA logo
Termination of CPA license due to income tax fraud allegations
Dear AICPA member,

We have received a complaint about your possible involvement in income tax return fraud  for one of your clients. According to AICPA Bylaw Paragraph 500 your Certified Public Accountant status can be terminated in case of the aiding of filing of a false or fraudulent tax return on the member's or a client's behalf.

Please be informed of the complaint below and respond to it within 14 days. The failure to provide the clarifications within this period will result in termination of your Accountant status.

Complaint.pdf


The American Institute of Certified Public Accountants.

Email: service@aicpa.org
Tel. 888.777.7077
Fax. 800.362.5066

=================

Date:      Tue, 20 Feb 2012 12:42:12 +0200
From:      "Devon Staley"
Subject:      Fraudulent tax return assistance accusations.

You're receiving this message as a Certified Public Accountant and a member of AICPA.
Having trouble reading this email? View it in your browser.

Termination of CPA license due to tax return fraud accusations

Valued AICPA member,

We have been notified of your alleged involvement in tax return fraud for one of your employees. According to AICPA Bylaw Subsection 765 your Certified Public Accountant license can be cancelled in case of the fact of submitting of a false or fraudulent income tax return for your client or employer.

Please find the complaint below below and provide your feedback to it within 21 days. The failure to provide the clarifications within this term will result in withdrawal of your Accountant license.

Complaint.doc

The American Institute of Certified Public Accountants.

Email: service@aicpa.org
Tel. 888.777.7077
Fax. 800.362.5066

=================

Date:      Tue, 20 Feb 2012 11:38:30 +0100
From:      "Ervin Witherspoon"
Subject:      Termination of your accountant license.

You're receiving this email as a Certified Public Accountant and a member of AICPA.
Having trouble reading this email? View it in your browser.

Termination of CPA license due to tax return fraud allegations

Dear AICPA member,

We have received a complaint about your recent assistance in income tax refund fraudulent activity on behalf of one of your employees. According to AICPA Bylaw Paragraph 765 your Certified Public Accountant license can be withdrawn in case of the event of submitting of a false or fraudulent income tax return on the member's or a client's behalf.

Please familiarize yourself with the notification below and provide your feedback to it within 7 days. The failure to provide the clarifications within this term will result in suspension of your Accountant license.

Complaint.doc

The American Institute of Certified Public Accountants.

Email: service@aicpa.org
Tel. 888.777.7077
Fax. 800.362.5066

The link leads through a legitimate hacked site to thai4me.com/main.php?page=7d486a09d440e84a which attempts to download a Java exploit. The domain thai4me.com is hosted on 41.64.21.71 (Dynamic ADSL, Egypt), 115.249.190.46 (Reliance Communication, India). Those IPs also contain other malicious sites, blocking them is probably a good move.

Saturday, 18 February 2012

Why you shouldn't use "The Good Care Guide" (goodcareguide.co.uk)

The Good Care Guide (goodcareguide.co.uk) looks like an admirable thing at first glance - an independent way for user of care services for the elderly and infants to review the quality of care both good and bad. This is particularly useful with care for the elderly where there often isn't much information, and the site has generated a lot of press comment (for example, the BBC, Sky News and the Press Association).

So... is this an entirely altruistic service? Not really. The Good Care Guide is provided in part by My Family Care Ltd which specialises in providing emergency, out-of-hours and holiday homecare for children and the elderly (e.g. emergencychildcare.co.uk, outofschoolcare.co.uk, emergencyhomecare.co.uk and myfamilycare.co.uk). Not that there appears to be anything wrong with these services, in fact they look to be pretty good and fill an important market niche.

When you sign up to write a review for the Good Care Guide, you have to give pretty much ALL your personal information including home address and telephone number. OK, that's fair enough if you want to make sure that the reviews are genuine..



The catch comes with the privacy policy which to be fair spells out what they are going to do with your personal information very clearly.
With whom we share your information

GCG may share your information with the following entities:
  • Third-party vendors who provide services or functions on our behalf. Third-party vendors have access to and may collect information only as needed to perform their functions and are not permitted to share or use the information for any other purpose.
  • Business partners with whom we may offer products or services in conjunction. You can tell when a third party is involved in a product or service you have requested because their name will appear either with ours or separately.
  • Affiliated Web sites. If you were referred to GCG from another Web site, we may share your registration information, such as your name, email address, mailing address and telephone number about you with that referring Web site. We have not placed limitations on the referring Web sites' use of personal information and we encourage you to review the privacy policies of any Web site that referred you to GCG.
  • Companies within our corporate family. We may share your personal information within the My Family Care Group. This sharing enables us to provide you with information about care services which might interest you.

So basically.. they will share your information with other parts of their own company, any referring website and indeed any third party business partner that they seem fit. OK, everybody needs to run a business but there is no opt out clause. If you want to write a review, then you are agreeing to receive marketing communication by email, post and even telephone regarding care services, essentially without limitation.

The Good Care Guide are not doing anything illegal. But childcare is expensive, and care for the elderly is very expensive. There is a lot of money to be made out of this type of care, and it looks like the operators of the Good Care Guide want a share of this market through their own paid-for services.

Until the Good Care Guide give an opt-out for marketing communications, then I cannot recommend this service as it looks suspiciously like a lead generator rather than a public service.

Friday, 17 February 2012

"Your accountant CPA license termination" spam / biggestsetter.com and 199.30.89.0/24

I haven't seen this spam before, but the malicious payload it leads to is very familiar..

Date:      Fri, 16 Feb 2012 14:35:18 +0200
From:      "Mae Keller"
Subject:      Your accountant CPA license termination.

You're receiving this notification as a Certified Public Accountant and a member of AICPA.
Having trouble reading this email? View it in your browser.

Revocation of CPA license due to income tax fraud allegations

Dear AICPA member,

We have received a complaint about your alleged participation in tax return fraudulent activity� on behalf of one of your employees. According to AICPA Bylaw Section 700 your Certified Public Accountant license can be cancelled in case of� the occurrence of filing of a misguided or fraudulent income tax return on the member's or a client's behalf.�

Please familiarize yourself with the notification below and respond to it within 7 days. The failure to provide the clarifications within this term will result in withdrawal of your Accountant license.

Complaint.pdf

The American Institute of Certified Public Accountants.

Email: service@aicpa.org
Tel. 888.777.7077
Fax. 800.362.5066

Although it claims to be from "The American Institute of Certified Public Accountants" (aicpa.org), the "from" address claims to be the BBB.

Click on the "complaint.pdf" link and you are redirected to biggestsetter.com/search.php?page=73a07bcb51f4be71  which attempts to download the Blackhole Exploit Kit. biggestsetter.com  is hosted on 199.30.89.187 (Zerigo / Central Host Inc). This netblock has been used several times in the past few days so my advice is to block access to 199.30.89.0/24.

Some more examples:

Date:      Fri, 16 Feb 2012 14:40:46 +0100
From:      "Susie Smallwood"
Subject:      Termination of your accountant license.

You're receiving this email as a Certified Public Accountant and a member of AICPA.
Having trouble reading this email? View it in your browser.

Termination of CPA license due to tax return fraud accusations

Dear AICPA member,

We have been notified of your recent assistance in income tax refund fraud on behalf of one of your clients. According to AICPA Bylaw Section 600 your Certified Public Accountant status can be withdrawn in case of the occurrence of submitting of a misguided or fraudulent income tax return on the member's or a client's behalf.

Please familiarize yourself with the complaint below and respond to it within 7 days. The failure to respond within this term will result in cancellation of your Accountant license.

Complaint.pdf

The American Institute of Certified Public Accountants.

Email: service@aicpa.org
Tel. 888.777.7077
Fax. 800.362.5066

===============

Date:      Fri, 16 Feb 2012 14:25:24 +0100
From:      "Alvaro Best"
Subject:      Tax return fraud notification.

You're receiving this message as a Certified Public Accountant and a member of AICPA.
Having trouble reading this email? View it in your browser.

Revocation of Public Account Status due to tax return fraud allegations

Dear accountant officer,

We have been notified of your possible participation in income tax return fraudulent activity for one of your clients. According to AICPA Bylaw Section 700 your Certified Public Accountant status can be cancelled in case of the act of submitting of a misguided or fraudulent income tax return for your client or employer.

Please find the complaint below below and respond to it within 14 days. The failure to provide the clarifications within this period will result in withdrawal of your Accountant status.

Complaint.doc

The American Institute of Certified Public Accountants.

Email: service@aicpa.org
Tel. 888.777.7077
Fax. 800.362.5066

===============

Date:      Fri, 16 Feb 2012 14:21:48 +0100
To:      
Subject:      Fraudulent tax return assistance accusations.

You're receiving this notification as a Certified Public Accountant and a member of AICPA.
Having trouble reading this email? View it in your browser.

Termination of CPA license due to income tax fraud allegations

Dear AICPA member,

We have received a complaint about your possible assistance in tax return fraudulent activity on behalf of one of your employers. According to AICPA Bylaw Section 500 your Certified Public Accountant license can be withdrawn in case of the fact of submitting of a incorrect or fraudulent tax return for your client or employer.

Please find the complaint below below and respond to it within 21 days. The failure to respond within this period will result in withdrawal of your CPA license.

Complaint.doc

The American Institute of Certified Public Accountants.

Email: service@aicpa.org
Tel. 888.777.7077
Fax. 800.362.5066