Friday, 2 March 2012
Intuit.com spam / migdaliasbistro.net and 213.179.193.132
The past couple of days have seen a lot of identical "Intuit.com" spam runs. Another one is starting up today with a malicious payload on migdaliasbistro.net hosted on 213.179.193.132 (Solidhost, Netherlands) and 41.64.21.71 (Dynamic ADSL, Egypt).
In particular, malware can be found at:
migdaliasbistro.net/main.php?page=4f7249b62ef4f934
migdaliasbistro.net/content/ap2.php?f=86cd2
There's a Wepawet report here.
There are several potentially malicious sites on this server. Blocking the IP address should protect against other evil domains:
perikanzas.com
abc-spain.net
migdaliasbistro.net
twistedtarts.net
Malware sites to block 2/3/12
The Spam Analysis blog has an excellent post analysing what is happening behind the scenes in the malware from some recent spam runs. I've taken their hard work and have broken out the domains and IP addresses that you may want to block.
Note that some of these sites may be legitimate hacked sites. Also, 66.96.160.133 is a parking IP, so there are several thousand other sites on the same address.
IPs and hosts:
50.2.7.120 (Infinitie, US)
64.150.166.137 (iPower, US)
66.96.160.133 (Endurance International, US) [parked]
66.232.108.46 (Kevin Shick, US)
74.207.245.244 (Linode, US)
78.47.211.154 (Hetzner, Germany)
85.9.26.253 (GTS, Romania)
112.78.2.141 (Online Data Services JSC, Vietnam)
173.213.90.237 (Serverhub, US)
173.213.90.238 (Serverhub, US)
174.123.39.34 (ThePlanet, US)
174.136.0.68 (Colo4, US)
184.173.192.173 (ThePlanet, US)
200.58.124.129 (Dattatec.com, Argentina)
200.98.197.68 (UOL, Brazil)
209.140.16.128 (Landis Holdings, US)
216.251.43.98 (InternetNamesForBusiness.com, US)
"Your Intuit.com order confirmation" / curcharge.com
Another fake Intuit order email leading to malware:
From: INTUIT INC. [mailto:support@careerbuilder.com]
Sent: 01 March 2012 15:26
Subject: Your Intuit.com order confirmation.
Dear Customer:
Thank you for purchasing your software Intuit Market. We are processing and will message you when your order is processed. If you ordered several items, we may process them in more than one delivery (at no extra cost to you) to ensure quicker delivery.
If you have questions about your order, please call 1-800-955-8890.
ORDER INFORMATION
Please download your full invoice
id #038964148686 information at Intuit small business website.
NEED HELP?
• Email us at mktplace_customerservice@intuit.com.
• Call us at 1-800-955-8890.
• Reorder Intuit Checks Quickly and Easily starting with
the information from your previous order.
To help us better serve your needs, please take
a few minutes to let us know how we are doing.
Submit your feedback here.
Thanks again for your order,
Intuit Market Customer Service
Privacy , Legal , Contact Us , About Us
You have received this business communication as part of our efforts to fulfill your request or service your account. You may receive this and other business communications from us even if you have opted out of marketing messages.
Please note: This e-mail was sent from an auto-notification system that cannot accept incoming email
Please do not reply to this message.
If you receive an email message that appears to come from Intuit but that you suspect is a phishing e-mail, please forward it immediately to spoof@intuit.com. Please visit http://security.intuit.com/ for additional security information.
2011 Intuit, Inc. All rights reserved. Intuit, the Intuit Logo, Quickbooks, Quicken and TurboTax, among others, are registered trademarks of Intuit Inc.
The malicious payload is on curcharge.com/search.php?page=73a07bcb51f4be71 hosted on 174.136.0.68 (Colo4, US)
Thursday, 1 March 2012
"Your tax appeal status" / "Your Intuit.com software order" spam and trucktumble.com
Date: Thu, 1 Mar 2012 12:33:28 -0300
From: "Jesus Kendall"
Subject: Your tax appeal status.
Dear Business owner,
Hereby you are informed that your Tax Return Appeal id#8179621 has been DECLINED. If you consider that the IRS did not properly assess your case due to a misunderstanding of the facts, be prepared to submit additional information. You can download the rejection details and re-submit your appeal under the following link Online Tax Appeal.
Internal Revenue Service
Telephone Assistance for Businesses:
Toll-Free, 1-800-829-4933
Hours of Operation: Monday – Friday, 7:00 a.m. – 7:00 p.m. your local time (Alaska & Hawaii follow Pacific Time).
The second one:
Date: Thu, 1 Mar 2012 18:34:39 +0300
From: "INTUIT INC."
Subject: Your Intuit.com software order.
dear {l1}:
thank you for {l2} intuit market. we {l3} and will {l4} when your {l5}. if you ordered {l6} items, we may {l7} them in more than one {l8} (at no extra cost to you) to {l9}.
if you have questions about your order, please call 1-800-955-8890.
order information
please download your {la}
id #{digit} information at intuit small business website.
need help?
email us at mktplace_customerservice@intuit.com.
call us at 1-800-955-8890.
reorder intuit checks quickly and easily starting with
the information from your previous order.
to help us better serve your needs, please take
a few minutes to let us know how we are doing.
submit your feedback here.
thanks again for your order,
intuit market customer service
privacy , legal , contact us , about us
you have received this business communication as part of our efforts to fulfill your request or service
your account. you may receive this and other business communications from us even if you have opted
out of marketing messages.
please note: this e-mail was sent from an auto-notification system that cannot accept incoming email
please do not reply to this message.
if you receive an email message that appears to come from intuit but that you suspect is a phishing
e-mail, please forward it immediately to spoof@intuit.com. please visit http://security.intuit.com/ for
additional security information.
©2011 intuit, inc. all rights reserved. intuit, the intuit logo, quickbooks, quicken and turbotax,
among others, are registered trademarks of intuit inc.
In both cases the payload is trucktumble.com/search.php?page=73a07bcb51f4be71 on 64.94.238.71 (Nuclear Fallout Enterprises, US). Blocking the IP will stop other malware on the server from causing you a problem; you may even want to block 64.94.238.0/24, because this host is getting a pretty poor reputation.
"Your intuit.com order confirmation" spam / curchamp.com (74.207.245.244)
This fake "Intuit order" spam leads to malware. Apparently it was sent from Careerbuilder (which is kind of odd). Also note the "spoofing" warning near the bottom!
From: INTUIT INC. [mailto:noreply@careerbuilder.com]
Sent: 01 March 2012 14:30
Subject: Your intuit.com order confirmation.
Dear Customer:
Thank you for purchasing your software Intuit Market. We are processing and will message you when your order is processed. If you ordered multiple items, we may process them in more than one shipment (at no extra cost to you) to ensure quicker delivery.
If you have questions about your order, please call 1-800-955-8890.
ORDER INFORMATION
Please download your complete order
id #443475245229 information at Intuit small business website.
NEED HELP?
• Email us at mktplace_customerservice@intuit.com.
• Call us at 1-800-955-8890.
• Reorder Intuit Checks Quickly and Easily starting with
the information from your previous order.
To help us better serve your needs, please take
a few minutes to let us know how we are doing.
Submit your feedback here.
Thanks again for your order,
Intuit Market Customer Service
Privacy , Legal , Contact Us , About Us
You have received this business communication as part of our efforts to fulfill your request or service your account. You may receive this and other business communications from us even if you have opted out of marketing messages.
Please note: This e-mail was sent from an auto-notification system that cannot accept incoming email
Please do not reply to this message.
If you receive an email message that appears to come from Intuit but that you suspect is a phishing e-mail, please forward it immediately to spoof@intuit.com. Please visit http://security.intuit.com/ for additional security information.
©2011 Intuit, Inc. All rights reserved. Intuit, the Intuit Logo, Quickbooks, Quicken and TurboTax, among others, are registered trademarks of Intuit Inc.
The link goes through two legitimate hacked sites and ends up on curchamp.com/search.php?page=73a07bcb51f4be71 (report here) which is hosted on 74.207.245.244 (Linode, US). This attempts to use a variety of exploits to take over the user's PC.
Blocking the IP rather than the domain will also stop any other malicious domains on the same server.
"Scan from a Hewlett-Packard Officejet" spam / caskjfhlkaspsfg.ru
Another malicious spam, this time with an attachment containing obfuscated code leading to caskjfhlkaspsfg.ru.
Date: Thu, 1 Mar 2012 09:43:50 +0530
From: ARLYNEO93ESQUIVEL@gmail.com
Subject: Fwd: Re: Fwd: Scan from a Hewlett-Packard Officejet #603320
Attachments: HP_Scan-27-499614.htm
Attached document was scanned and sent
to you using a Hewlett-Packard HP SmartJet 4931F.
Sent by: ARLYNE
Pages : 9
Attachment Type: .HTM [Internet Explorer/Mozilla Firefox]
The malware is on caskjfhlkaspsfg.ru:8080/images/aublbzdni.php. As with other recent .ru:8080 attacks, this is multihomed on a familiar set of IP addresses:
50.31.1.105 (Steadfast Networks, US)
69.60.117.183 (Colopronto, US)
78.107.82.98 (Corbina Telecom, Russia)
83.238.208.55 (Netia Telekom, Poland)
95.156.232.102 (Optimate-server, Germany)
96.125.168.172 (Websitewelcome, US)
111.93.161.226 (Tata Teleservices, India)
125.19.103.198 (Bharti Infotel, India)
128.134.57.112 (Kwangun University, Korea)
173.203.51.174 (Slicehost, US)
184.106.200.65 (Slicehost, US)
184.106.237.210 (Slicehost, US)
190.81.107.70 (Telemax, Peru)
199.204.23.216 (ECSuite, US)
200.169.13.84 (Century Telecom Ltda, Brazil)
209.114.47.158 (Slicehost, US)
210.56.23.100 (Commission For Science And Technology, Pakistan)
210.109.108.210 (Sejong Telecom, Korea)
DINETHOSTING / curvecheese.com
DINETHOSTING aka Digital Network JSC are a large Russian host that regularly hosts malware sites. Yesterday I came across the domain curvecheese.com (85.192.45.83) being used in a malicious spam run. This is in a block 85.192.32.0/20 allocated to this host.
I tend to block DINETHOSTING ranges as soon as I see malware on them. If you are blocking this host, I would recommend you add 85.192.32.0/20 to your blocklist.
Tuesday, 28 February 2012
BBB Spam / perikanzas.com and twistedtarts.net
BBB spam.. you must know what it looks like by now. Here are a couple of new domains:
perikanzas.com
41.64.21.71 (Dynamic ADSL, Egypt)
213.179.193.132 (Solidhost, Netherlands)
twistedtarts.net
109.68.33.18 (Mesh Digital, UK)
"Your Flight" spam / cparabnormapoopdsf.ru
Date: Tue, 27 Feb 2012 03:53:09 +0530
From: sales1@victimdomain.com
Subject: Fwd: Your Flight N US787-8929269
Attachments: FLIGHT_TICKET_N3988-753843.htm
Dear Customer,
FLIGHT NUMBER 8333-452628141
DATE/TIME : MARCH 23, 2011, 16:15 PM
ARRIVING AIRPORT: WASHINGTON DC INT. AIRPORT
PRICE : 856.77 USD
Your bought ticket is attached to the letter as a scan document (Internet Exlporer File).
To use your ticket you should print it.
LAKEISHA Wolff,
American Airlines
The payload is at cparabnormapoopdsf.ru:8080/images/aublbzdni.php (report here). As with other .ru:8080 attacks, this one is multihomed on some familiar-looking IPs:
50.31.1.105 (Steadfast Networks, US)
78.83.233.242 (MVN Systems Ltd, Bulgaria)
83.238.208.55 (Netia Telekom, Poland)
95.156.232.102 (Optimate-server, Germany)
125.19.103.198 (Bharti Infotel, India)
173.203.51.174 (Slicehost, US)
184.106.200.65 (Slicehost, US)
184.106.237.210 (Slicehost, US)
188.165.253.126 (OVH SAS, France)
190.81.107.70 (Telemax, Peru)
199.204.23.216 (ECSuite, US)
200.169.13.84 (Century Telecom Ltda, Brazil)
209.114.47.158 (Slicehost, US)
210.56.23.100 (Commission For Science And Technology, Pakistan)
210.109.108.210 (Sejong Telecom, Korea)
IRS Spam / pollypeach.com
Date: Tue, 27 Feb 2012 17:02:45 +0600
From: "Ofelia Childers"
Subject: IRS notification of your tax appeal status.
Dear Accountant Officer,
Hereby you are notified that your Income Tax Return Appeal id#0184348 has been REJECTED. If you believe the IRS did not properly assess your case due to a misinterpretation of the case details, be prepared to provide additional information. You can obtain the rejection report and re-submit your appeal under the following link Online Tax Appeal.
Internal Revenue Service
Telephone Assistance for Businesses:
Toll-Free, 1-800-829-4933
Hours of Operation: Monday – Friday, 7:00 a.m. – 7:00 p.m. your local time (Alaska & Hawaii follow Pacific Time).
The malicious payload is on pollypeach.com/search.php?page=73a07bcb51f4be71 and pollypeach.com/content/ap2.php?f=e4649 (see the report here), hosted on 69.163.45.128 (Directspace, US). Blocking the IP rather than the domain will stop any further infections from that server.
NACHA Spam / cgunikqakklsdpfo.ru
A terse version of the familiar NACHA fake spam, leading to malware:
Date: Mon, 26 Feb 2012 12:16:40 +0530
From: accounting@victimdomain.com
Subject: Fwd: ACH and Wire transfers disabled.
Dear Online Account Operator,
Your ACH transactions have been
temporarily disabled.
View details
Best regards,
Security department
The payload is on cgunikqakklsdpfo.ru:8080/img/?promo=nacha which is multihomed (details below). It's pretty easy to search your outbound logs for connection attempts to .ru:8080 if you haven't got filtering enabled.
The list of IPs gets a little shorter every time, but there are still some familiar hosts here:
50.31.1.105 (Steadfast Networks, US)
69.60.117.183 (Colopronto, US)
78.83.233.242 (MVN Systems Ltd, Bulgaria)
88.191.97.108 (Free SAS / ProXad, France)
95.156.232.102 (Optimate-server, Germany)
125.19.103.198 (Bharti Infotel, India)
173.203.51.174 (Slicehost, US)
184.106.200.65 (Slicehost, US)
184.106.237.210 (Slicehost, US)
188.165.253.126 (OVH SAS, France)
190.81.107.70 (Telemax, Peru)
199.204.23.216 (ECSuite, US)
200.169.13.84 (Century Telecom Ltda, Brazil)
209.114.47.158 (Slicehost, US)
210.56.23.100 (Commission For Science And Technology, Pakistan)
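The advice above to search outbound logs for connection attempts to .ru:8080, and the earlier advice to block whole ranges rather than single domains, as an added Python example (not code from the original blog): it parses Squid-style proxy access log lines (the sample lines are constructed) and flags requests to a .ru host on port 8080 or to any IP or range quoted in these posts.

```python
"""Added example: flag proxy-log entries that match the '.ru:8080' pattern
or touch the hosting IPs/ranges quoted in the posts above."""
import ipaddress
import re
from urllib.parse import urlsplit

# Multihomed .ru:8080 hosting IPs quoted for cgunikqakklsdpfo.ru.
KNOWN_BAD_IPS = {
    "50.31.1.105", "69.60.117.183", "78.83.233.242", "88.191.97.108",
    "95.156.232.102", "125.19.103.198", "173.203.51.174", "184.106.200.65",
    "184.106.237.210", "188.165.253.126", "190.81.107.70", "199.204.23.216",
    "200.169.13.84", "209.114.47.158", "210.56.23.100",
}
# Whole ranges the blog recommends blocking (trucktumble.com and DINETHOSTING posts).
KNOWN_BAD_NETS = [ipaddress.ip_network("64.94.238.0/24"),
                  ipaddress.ip_network("85.192.32.0/20")]

# Squid native access.log layout:
#   time elapsed client code/status bytes method url ident hierarchy/peer type
SQUID_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)\s+\S+\s+\S+/(?P<peer>\S+)")


def parse_line(line):
    """Return (client, host, port, peer_ip) for one log line, or None."""
    m = SQUID_RE.match(line)
    if not m:
        return None
    url = m.group("url")
    if m.group("method") == "CONNECT":
        # CONNECT lines carry "host:port" instead of a full URL.
        host, _, port = url.rpartition(":")
        port = int(port) if port.isdigit() else 443
    else:
        parts = urlsplit(url)
        host = parts.hostname or ""
        port = parts.port or (443 if parts.scheme == "https" else 80)
    return m.group("client"), host.lower(), port, m.group("peer")


def is_bad_ip(value):
    """True if value is an IP in the quoted list or inside a quoted range."""
    try:
        ip = ipaddress.ip_address(value)
    except ValueError:
        return False
    return value in KNOWN_BAD_IPS or any(ip in net for net in KNOWN_BAD_NETS)


def classify(host, port, peer):
    """Reason tags explaining why a request is suspicious (empty if clean)."""
    reasons = []
    if host.endswith(".ru") and port == 8080:
        reasons.append("ru-8080")
    # The peer field is the IP the proxy actually connected to, so a
    # different domain on the same bad server is still caught.
    if is_bad_ip(host) or is_bad_ip(peer):
        reasons.append("known-bad-ip")
    return reasons


def scan(lines):
    """Return (client, host, port, reasons) for every suspicious line."""
    hits = []
    for line in lines:
        parsed = parse_line(line)
        if not parsed:
            continue
        client, host, port, peer = parsed
        reasons = classify(host, port, peer)
        if reasons:
            hits.append((client, host, port, reasons))
    return hits


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    "1330000000.123 120 10.0.0.15 TCP_MISS/200 5123 GET "
    "http://cgunikqakklsdpfo.ru:8080/img/?promo=nacha - DIRECT/50.31.1.105 text/html",
    "1330000001.456 80 10.0.0.15 TCP_MISS/200 812 GET "
    "http://www.example.com/ - DIRECT/192.0.2.10 text/html",
    "1330000002.789 300 10.0.0.22 TCP_TUNNEL/200 2048 CONNECT "
    "64.94.238.71:443 - DIRECT/64.94.238.71 -",
    "1330000003.000 200 10.0.0.9 TCP_MISS/200 4096 GET "
    "http://news.example.ru/ - DIRECT/192.0.2.11 text/html",
    "1330000004.500 150 10.0.0.9 TCP_MISS/200 640 GET "
    "http://host.example.net/ - DIRECT/85.192.45.83 text/html",
]

if __name__ == "__main__":
    for client, host, port, reasons in scan(SAMPLE_LOG):
        print(f"{client} -> {host}:{port}  [{', '.join(reasons)}]")
```

A plain .ru site on port 80 is left alone, so the check stays narrow enough to run over a whole day of logs without drowning in noise.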
BBB and AICPA spam / 110hobart.com
Two spam runs with essentially the same malicious payload..
Date: Mon, 26 Feb 2012 12:30:50 +0100
From: "BBB"
Subject: BBB case ID 73773062
Attachments: betterbb_logo.jpg
Attention: Owner/Manager
Here with the Better Business Bureau notifies you that we have been sent a complaint (ID 73773062) from your customer in regard to their dealership with you.
Please open the COMPLAINT REPORT below to obtain the details on this matter and inform us about your position as soon as possible.
We hope to hear from you shortly.
Regards,
Arnold Melendez
Dispute Counselor
Better Business Bureau
Council of Better Business Bureaus
4200 Wilson Blvd, Suite 800
Arlington, VA 22203-1838
Phone: 1 (703) 276.0100
Fax: 1 (703) 525.8277
Leading to 110hobart.com/main.php?page=f46555a4a5b80a04 and 110hobart.com/content/ap2.php?f=cc677, and also:
Date: Mon, 26 Feb 2012 11:16:30 +0100
From: "Adan Jordan"
Subject: Tax return fraud notification.
You're receiving this notification as a Certified Public Accountant and a member of AICPA.
Having trouble reading this email? View it in your browser.
Revocation of Public Account Status due to tax return fraud accusations
Valued AICPA member,
We have received a notice of your recent involvement in income tax refund infringement on behalf of one of your clients. According to AICPA Bylaw Subsection 730 your Certified Public Accountant license can be cancelled in case of the act of filing of a false or fraudulent tax return on the member's or a client's behalf.
Please familiarize yourself with the notification below and respond to it within 21 days. The failure to respond within this time-frame will result in cancellation of your Accountant license.
Complaint.pdf
The American Institute of Certified Public Accountants.
Email: service@aicpa.org
Tel. 888.777.7077
Fax. 800.362.5066
Leading to 110hobart.com/content/ap2.php?f=cc677 and 110hobart.com/main.php?page=02876dd2afe89394 (a slightly different URL from before)
The IP address is a familiar one, 41.64.21.71, which is allegedly an ADSL subscriber in Cairo. This IP has been used in several attacks recently; blocking it would be a really good idea.
Friday, 24 February 2012
AICPA Spam / synetworks.net and housespect.net
More fake AICPA spam leading to malware..
The links go through a legitimate hacked site to some obfuscated JavaScript leading to a malicious payload on synetworks.net/main.php?page=2d057d472cd217e2 and synetworks.net/content/ap2.php?f=3dc5c (report here) hosted on 76.12.101.172 (HostMySite, US). That IP is also home to housespect.net, which also appears to be malicious. Blocking the IP should prevent any other malicious sites on the same server from being a problem.
Date: Fri, 23 Feb 2012 12:29:00 +0100
From: "Jonathon Humphrey"
Subject: Termination of your CPA license.
You're receiving this notification as a Certified Public Accountant and a member of AICPA.
Having trouble reading this email? View it in your browser.
Termination of Accountant status due to income tax fraud accusations
Dear AICPA member,
We have received a complaint about your alleged participation in income tax fraudulent activity on behalf of one of your clients. According to AICPA Bylaw Section 600 your Certified Public Accountant status can be terminated in case of the event of submitting of a false or fraudulent income tax return on the member's or a client's behalf.
Please be informed of the complaint below and provide your feedback to it within 7 days. The failure to respond within this term will result in withdrawal of your CPA license.
Complaint.doc
The American Institute of Certified Public Accountants.
Email: service@aicpa.org
Tel. 888.777.7077
Fax. 800.362.5066
==================
Date: Fri, 23 Feb 2012 12:28:45 +0100
From: "Dominic Moreno"
Subject: Your accountant license can be revoked.
You're receiving this email as a Certified Public Accountant and a member of AICPA.
Having trouble reading this email? View it in your browser.
Termination of Public Account Status due to tax return fraud accusations
Dear accountant officer,
We have been informed of your alleged involvement in income tax fraudulent activity for one of your clients. According to AICPA Bylaw Subsection 730 your Certified Public Accountant status can be revoked in case of the aiding of presenting of a incorrect or fraudulent tax return on the member's or a client's behalf.
Please be notified below and provide your feedback to it within 7 days. The failure to do so within this period will result in suspension of your Accountant status.
Complaint.doc
The American Institute of Certified Public Accountants.
Email: service@aicpa.org
Tel. 888.777.7077
Fax. 800.362.5066
Thursday, 23 February 2012
HP OfficeJet spam / cruoinaikklaoifpa.ru and upjachkajasamns.ru
This isn't from an HP OfficeJet; the attachment leads to malware..
Date: Thu, 22 Feb 2012 05:04:38 +0700
From: scanner@victimdomain.com
Subject: Fwd: Re: Scan from a Hewlett-Packard Officejet #19152659
Attachments: HP_Officejet_02-23_OFCJET88353.htm
Attached document was scanned and sent
to you using a Hewlett-Packard HP OfficeJet 34612A.
Sent by: FELICE
Images : 0
Attachment Type: .HTML [Internet Explorer]
HP Officejet Location: --
The .htm file attempts to redirect the victim to a malicious page at cruoinaikklaoifpa.ru:8080/images/aublbzdni.php and, as with this recent spate of ".ru:8080" sites, it is multihomed. It then tries to download additional malware from upjachkajasamns.ru:8080/images/jw.php?i=8 on the same IP addresses. The list is pretty similar to this one with a few additions.
46.137.251.11 (Amazon Data Services, Ireland)
50.31.1.105 (Steadfast Networks, US)
50.57.77.119 (Slicehost US)
50.57.118.247 (Slicehost US)
69.60.117.183 (Colopronto, US)
78.83.233.242 (MVN Systems Ltd, Bulgaria)
79.101.30.15 (Serbia Telekom, Serbia)
88.191.97.108 (Free SAS / ProXad, France)
95.156.232.102 (Optimate-server, Germany)
98.158.180.244 (VPS.net Atlanta / Hosting Services Inc, US)
125.19.103.198 (Bharti Infotel, India)
125.214.74.8 (Web24 Pty, Australia)
147.83.22.79 (Universitat Politecnica de Catalunya, Spain)
173.203.51.174 (Slicehost US)
184.106.200.65 (Slicehost US)
184.106.237.210 (Slicehost US)
188.165.253.126 (OVH SAS, France)
190.81.107.70 (Telemax, Peru)
199.204.23.216 (ECSuite, US)
200.169.13.84 (Century Telecom Ltda, Brazil)
204.152.221.233 (SystemInPlace, US)
209.114.47.158 (Slicehost, US)
210.56.23.100 (Commission For Science And Technology, Pakistan)
210.56.24.226 (Commission For Science And Technology, Pakistan)
AICPA Spam / srsopen.net
Another fake spam email claiming to be from AICPA, but actually leading to malware, this time on srsopen.net.
Date: Thu, 22 Feb 2012 11:29:29 +0100
From: "Guadalupe Kessler"
Subject: Fraudulent tax return assistance accusations.
You're receiving this message as a Certified Public Accountant and a member of AICPA.
Having trouble reading this email? View it in your browser.
Termination of CPA license due to income tax fraud allegations
Valued accountant officer,
We have received a complaint about your alleged participation in income tax infringement for one of your employers. According to AICPA Bylaw Subsection 765 your Certified Public Accountant license can be cancelled in case of the event of presenting of a incorrect or fraudulent tax return for your client or employer.
Please be notified below and respond to it within 21 days. The failure to respond within this term will result in cancellation of your Accountant license.
Complaint.pdf
The American Institute of Certified Public Accountants.
Email: service@aicpa.org
Tel. 888.777.7077
Fax. 800.362.5066
The malicious payload is at srsopen.net/main.php?page=78581944265196f1; as usual, the first step is a legitimate hacked site. srsopen.net is hosted on two familiar IP addresses, 115.249.190.46 and 41.64.21.71, most recently seen here.
"You may be entitled to up to £3000 from mis-sold PPI" SMS Spam
I hadn't heard anything from these scummy SMS spammers recently, I assumed they had been busted in one of the recent crackdowns.
Urgent - You may be entitled to up to £3000 from mis-sold PPI on loans or credit cards. For a free no obligation check reply PPI or STOP to opt out
The sending number was +447866079549, although these spammers change their number more often than their underwear.
If you get one of these, you should forward the spam to your carrier. In the case of T-Mobile, O2 and Orange the number to report to is 7726 ("SPAM"). Vodafone customers should use 87726 ("VSPAM") and Three customers should use 37726 ("3SPAM"). Hopefully the carriers will act if there are enough complaints.
Wednesday, 22 February 2012
NACHA Spam / campingomotion.com
Another NACHA spam with a malicious payload:
The malicious payload is on campingomotion.com/search.php?page=977334ca118fcb8c, IP 199.230.54.75 (Servint, US). Block the IP address in addition to the domain if you can.
From: The Electronic Payments Association filmeboo@filmeboo.com
Reply-To: The Electronic Payments Association
Date: 22 February 2012 21:46
Subject: Technical failure report
Valued Customer,
Unfortunately we notify you , that Direct Deposit payment (#ACH603865004417US) could not be completed, because of discontinued receipient account.
Direct Deposit procedure incomplete
Transaction # : ACH603865004417US
Information: Please download and print the transfer correction request below adjust the recipient banking details.
Transfer Report report-ACH603865004417US.doc (Microsoft Word Document)
13450 Sunrise Valley Drive, Suite 100 Herndon, VA 20171 (703) 561-1100
2012 NACHA - The Electronic Payments Association
"Urgent! Check the access to your card!" / cpojkjfhotzpod.ru
Date: Wed, 21 Feb 2012 06:09:01 -0800
From: "Keitha Hanks"
Subject: Urgent! Check the access to your card!
We have detected operations with large amounts on your card which fact had not previously been observed. Please, familiarize yourself with the copies and contact us in case these transfers of amounts were not made by you.
operations screenshot.jpg 103kb
With best regards
Keitha Hanks
MD5 check sum: xxxxxxxxxxxxxxxxxxxxx
The link in the spam goes to a legitimate hacked site and then cpojkjfhotzpod.ru:8080/images/aublbzdni.php as seen in this spam run. Blocking the list of IPs mentioned in that post is probably prudent.
Contract spam / cpojkjfhotzpod.ru
Date: Wed, 21 Feb 2012 07:17:49 +0800
From: "LARUE Riley"
Subject: Fw: Contract from LARUE
Attachments: Contract_Scan_N5005.htm
Good afternoon,
In the attached file I am forwarding you the Translation of the Job Contract
that I have just received yesterday. I am really sorry for the delay.
Best regards,
LARUE Riley, secretary
==========
Date: Wed, 21 Feb 2012 05:17:01 +0700
From: "DELORIS Hensley"
Subject: Fw: Contract of 09.06.2011
Attachments: Contract_Scan_N0395.htm
Dear Customers,
In the attached file I am forwarding you the Translation of the Job Contract
that I have just received yesterday. I am really sorry for the delay.
Best regards,
DELORIS Hensley, secretary
===========
Date: Wed, 21 Feb 2012 09:10:09 +0900
From: "ALISHA MCMILLIAN"
Subject: Fw: Contract from ALISHA
Attachments: Contract_Scan_N67448.htm
Dear Customers,
In the attached file I am transferring you the Translation of the Sales Contract
that I have just received today. I am really sorry for the delay.
Best regards,
ALISHA MCMILLIAN, secretary
==========
Date: Wed, 21 Feb 2012 04:41:45 +0700
From: "Drake Milton"
Subject: Fw: Contract of 09.06.2011
Attachments: Contract_Scan_N7682.htm
Hello,
In the attached file I am forwarding you the Translation of the Purchase Contract
that I have just received a minute ago. I am really sorry for the delay.
Best regards,
Drake Milton, secretary
==========
The malicious payload is on cpojkjfhotzpod.ru:8080/images/aublbzdni.php which is multihomed on several IP addresses, most of which we have seen before (and many of which are with Slicehost). A plain list is at the end for copy-and-pasting.
46.137.251.11 (Amazon Data Services, Ireland)
50.31.1.105 (Steadfast Networks, US)
50.57.77.119 (Slicehost US)
50.57.118.247 (Slicehost, US)
50.76.184.100 (Comcast, US)
69.60.117.183 (Colopronto, US)
72.22.83.93 (iPower, US)
79.101.30.15 (Serbia Telekom, Serbia)
83.170.91.152 (UK2.NET, UK)
87.120.41.155 (Neterra, Bulgaria)
88.191.97.108 (Free SAS / ProXad, France)
94.20.30.91 (Delta Telecom, Azerbaijan)
95.156.232.102 (Optimate-server, Germany)
98.158.180.244 (VPS.net Atlanta / Hosting Services Inc, US)
125.19.103.198 (Bharti Infotel, India)
125.214.74.8 (Web24 Pty, Australia)
173.203.51.174 (Slicehost, US)
184.106.151.78 (Slicehost, US)
184.106.200.65 (Slicehost, US)
184.106.237.210 (Slicehost, US)
188.165.253.126 (OVH SAS, France)
190.81.107.70 (Telemax, Peru)
199.204.23.216 (ECSuite, US)
200.169.13.84 (Century Telecom Ltda, Brazil)
204.152.221.233 (SystemInPlace, US)
209.114.47.158 (Slicehost, US)
210.56.23.100 (Commission For Science And Technology, Pakistan)
210.56.24.226 (Commission For Science And Technology, Pakistan)
46.137.251.11
50.31.1.105
50.57.77.119
50.57.118.247
50.76.184.100
69.60.117.183
72.22.83.93
79.101.30.15
83.170.91.152
87.120.41.155
88.191.97.108
94.20.30.91
95.156.232.102
98.158.180.244
125.19.103.198
125.214.74.8
173.203.51.174
184.106.151.78
184.106.200.65
184.106.237.210
188.165.253.126
190.81.107.70
199.204.23.216
200.169.13.84
204.152.221.233
209.114.47.158
210.56.23.100
210.56.24.226
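The plain list above is meant to be pasted into a block list, but the annotated version is easier to maintain and some of its lines are sloppily formatted (a missing bracket, a missing space). The following is an added example, not code from the original post: it extracts the valid IPv4 addresses from an annotated list of this shape, renders them as firewall DROP rules, and then checks a few constructed proxy log lines against the addresses, the payload domains named in these posts, and the two URL shapes these runs use (a PHP script with a 16-hex-digit page parameter, and a .php under /images/ on port 8080). The sample list, the domain set, the log format and the log lines are all constructed here for illustration and are not taken from any real traffic.

```python
"""Turn an annotated IP block list into firewall rules and check proxy logs against it."""
import ipaddress
import re

# Constructed sample in the annotated form used in the post above; the malformed
# lines (missing bracket, missing space) are deliberate, a naive split-on-space
# parser would mishandle them.
ANNOTATED_LIST = """\
46.137.251.11 Amazon Data Services, Ireland)
50.31.1.105 (Steadfast Networks, US)
69.60.117.183(Colopronto, US)
184.106.151.78 (Slicehost, US)
210.56.24.226 (Commission For Science And Technology, Pakistan)
"""

# Assumed domain block list: the payload hosts named in the posts above.
BLOCKED_DOMAINS = {"cpojkjfhotzpod.ru", "campingomotion.com", "energirans.net", "srsopen.net"}

# Landing-page URL shapes seen in these spam runs.
LANDING_RE = re.compile(r"/(?:main|search)\.php\?page=[0-9a-f]{16}$")
PORT8080_RE = re.compile(r"^https?://[^/]+:8080/images/[a-z]+\.php$")

IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

# Assumed proxy log layout: timestamp, client IP, destination IP, URL.
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<dst_ip>\S+) (?P<url>\S+)$")


def parse_blocklist(text):
    """Extract valid IPv4 addresses from an annotated list, tolerating sloppy formatting."""
    ips = set()
    for line in text.splitlines():
        m = IP_RE.match(line.strip())
        if not m:
            continue
        try:
            ips.add(ipaddress.IPv4Address(m.group(1)))
        except ipaddress.AddressValueError:
            continue  # e.g. 999.1.1.1 matches the regex but is not an address
    return ips


def iptables_rules(ips):
    """Render one DROP rule per address, numerically sorted so the output is diffable."""
    return [f"iptables -A OUTPUT -d {ip} -j DROP" for ip in sorted(ips)]


def classify(url, dst_ip, ips, domains):
    """Return the reasons a request looks like part of these spam runs (empty if clean)."""
    reasons = []
    host = re.sub(r"^https?://", "", url).split("/")[0].split(":")[0]
    if host in domains:
        reasons.append("blocked-domain")
    try:
        if ipaddress.IPv4Address(dst_ip) in ips:
            reasons.append("blocked-ip")
    except ipaddress.AddressValueError:
        pass  # destination field was not an address; skip the IP check
    if LANDING_RE.search(url):
        reasons.append("landing-page-pattern")
    if PORT8080_RE.match(url):
        reasons.append("port8080-images-php")
    return reasons


def scan_log(lines, ips, domains):
    """Return (client, url, reasons) for every log line that trips at least one check."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        reasons = classify(m["url"], m["dst_ip"], ips, domains)
        if reasons:
            hits.append((m["client"], m["url"], reasons))
    return hits


# Constructed proxy log lines; the client and destination addresses are made up.
SAMPLE_LOG = [
    "2012-02-22T09:01:11 10.0.0.15 184.106.151.78 http://cpojkjfhotzpod.ru:8080/images/aublbzdni.php",
    "2012-02-22T09:01:12 10.0.0.15 199.230.54.75 http://campingomotion.com/search.php?page=977334ca118fcb8c",
    "2012-02-22T09:02:30 10.0.0.22 198.51.100.7 http://example.com/index.php?page=home",
    "2012-02-22T09:03:05 10.0.0.31 198.51.100.9 http://hacked-site.example/main.php?page=598991e7306ac07e",
]

if __name__ == "__main__":
    blocked = parse_blocklist(ANNOTATED_LIST)
    print("\n".join(iptables_rules(blocked)))
    for client, url, reasons in scan_log(SAMPLE_LOG, blocked, BLOCKED_DOMAINS):
        print(f"{client} -> {url}: {', '.join(reasons)}")
```

The last sample line shows why the URL-shape check is worth keeping alongside the address list: the first hop in these runs is a hacked legitimate site that will not be on any block list, but the landing page it redirects to still carries the same main.php?page= fingerprint. Treat the pattern matches as leads to investigate rather than as a block rule on their own, since a 16-hex-digit page parameter is not unique to these kits.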
BBB Spam / energirans.net
Yet another malicious fake BBB spam run, this time with a malicious payload on the domain energirans.net.
energirans.net is hosted on 41.64.21.71 (Dynamic ADSL, Egypt), 115.249.190.46 (Reliance Communication, India) which are the same IPs as found in this spam run. Blocking them is probably a very good idea.
The link in the email goes to a legitimate hacked site and then via some obfuscated javascript to energirans.net/main.php?page=598991e7306ac07e where it attempts to infect the machine with the Blackhole Exploit kit.
Date: Wed, 21 Feb 2012 11:21:48 +0100
From: "BBB"
Subject: Better Business Bureau complaint
Attachments: betterbb_logo.jpg
Good afternoon,
Here with the Better Business Bureau would like to inform you that we have received a complaint (ID 15343433) from a customer of yours in regard to their dealership with you.
Please open the COMPLAINT REPORT below to view the details on this issue and suggest us about your position as soon as possible.
We hope to hear from you shortly.
Regards,
Rebecca Wilcox
Dispute Counselor
Better Business Bureau
Council of Better Business Bureaus
4200 Wilson Blvd, Suite 800
Arlington, VA 22203-1838
Phone: 1 (703) 276.0100
Fax: 1 (703) 525.8277