Sponsored by..

Monday, 5 March 2012

BBB Spam FAIL / domain.com

Here's a normal looking BBB spam, which typically would lead to malware:

From:     Milford Finn risk@bbb.org
Date:     5 March 2012 10:42
Subject:     BBB have recieved a customer complaint about your company.


Business Owner/Manager,
One of your business customers has filed a complaint with The Better Business Bureau concerning the negative experience he had with your company. The consumer complaint is attached below. Please submit your response to this matter as within 21 days. The most efficient way to provide your response is by using the Online Complaint system. Please follow the following link to access the above-mentioned customer complaint and submit your response to it:
BBB complaint center

Use the following data to login:

Case ID: #2478119
Password: 65950

The Better Business Bureau  acts in the role of a a neutral third party, and helps you resolve your customer disputes fast and efficiently. We develop and support online Reliability reports on American companies, open to the Public and used by millions of business customers. A satisfactory customer report can have a pronounced positive impact on your business.

We hope for your immediate attention to this matter.

Sincerely,
Kenyon Frye
Dispute Counselor 
Except the idiot spammers have forgotten to include the domain name and have left if at what is presumably the default of domain.com:


Unfortunately, next time the spammers will probably get it right.. in the meantime, here are some example subjects being used in this attack:

  • Better Business Bureau needs your urgent attention. 
  • Better Business Bureau customer complaint. 
  • BBB have recieved a customer complaint about your company. 
  • Your company is accused of illegal financial transactions.

Sunday, 4 March 2012

AVB Logistic Company (avb-logistic.com) is a scam

AVB Logistic Company (avb-logistic.com) looks very much like a real company from the website, but in fact it is a scam operation laundering money, targeted primarily at people in Greece and Italy. It also appears to be related to a similar scam site called Landexpo Logistic (landexpo-logistic.com).

This fake company came to my notice because of a series of comments in another thread (original / Google Translated) which indicates that they may have been recruited through a spam run last year.

The AVB Logistics web site looks professional enough, but there's a reason for that which will become apparent:

AVB gives the following "facts" about itself on the web site:

As an external partner, AVB (Manchester), develops a comprehensive range of logistics and service solutions for trade and industry. In 2007, the group generated sales of 2.0 billion euros and currently employs approximately 8,500 staff in 44 countries. AVB operates in all important markets worldwide and has over 400 locations across all continents
It also claims its address to be:

United Kingdom:     AVB
Zenith,
Paycocke Road,
Basildon, Essex
SS14 3DW
   
E-Mail:     contact@avb-logistic.com
Although there is some evidence that they recently changed this from:

AVB Norris road 57. M29 8FH Manchester. Tel.: +44 161 408 1090.
They claim that their shares have been listed in London since 2000 under the stock ticker symbol TGH.


So, what's wrong with this picture. Well, in reverse order..

TGH is indeed a share on the London Stock market, but it belongs to Textainer Group Holdings Limited (as you might expect a with share with those initials).

There is no such company visible in the list of UK Companies (Companies House Webcheck) as AVB Logistic or AVB (Manchester) although there are plenty of innocent companies with the same name.

The address in Basildon belongs to a different company, Cosco Logistics. There are several companies nearby, none of which are called AVB. There appears to be no company called AVB in Basildon at all according to business listings.

There is no Norris Road in the postcode M29 8FH, but there is a Norris Street. Norris Street is very short, it only has about 4 properties on it, so there is no number 57. A Google search for "44 161 408 1090" reveals no credible references, but it does reveal an apparent scam site called landexpo-logistic.com sharing the same number.

According to their website, AVB Logistic has been in business since at least 2000, but their domain name was only registered on 15th January 2012 through a registrar in Russia with anonymous details:

Registration Service Provided By: RU-TLD.RU
Contact: +007.4012971111

Domain Name: AVB-LOGISTIC.COM

Registrant:
    PrivacyProtect.org
    Domain Admin        (contact@privacyprotect.org)
    ID#10760, PO Box 16
    Note - All Postal Mails Rejected, visit Privacyprotect.org
    Nobby Beach
    null,QLD 4218
    AU
    Tel. +45.36946676

Creation Date: 15-Jan-2012 
Expiration Date: 15-Jan-2013

Domain servers in listed order:
    ns1.avb-logistic.com
    ns2.avb-logistic.com

It is unlikely that a large and well-established company would only just have created their web site.

The site is hosted on 46.4.30.11, an IP address allocated to Hetzner in Germany, but then rented out to a Russian hosting company called reserver.ru

And the reason the site looks so professional? Most of it has been copied directly from a legitimate company called Logwin Logistics, you can see this very clearly on some pages. For example, Logwin's page about Graduates looks like this.



The AVB page at avb-logistic.com/university.htm looks like this:


There are several other pages that are a direct copy.

It's obvious that AVB Logisitic is a fake. But what does it do? Basically, it is a money mule operating being used to launder stolen money - typically from hacked bank accounts.

The "mule" is recruited to receive the stolen money from one account, and then send it out via Wire Transfer (for example, Western Union), taking a percentage of the money as commission along the way. So, for example, a bank account is hacked with €10,000 in it, the money is transferred to the "mule" who keeps 10 (€1000) and wires €9000 off to somewhere else (typically Russia or Ukraine).

But what happens next is that the original theft of €10,000 is discovered - but the mule is liable for the whole amount of money, and often this is where the police get involved. At best, the mule has to repay all €10,000, at worst there could be a criminal investigation.

So.. if approached by these people, probably the best thing to do is ignore them completely and do not reply. If you have moved money through your accounts for these people, then the best thing to do is speak to your bank right away.

Friday, 2 March 2012

"USPS-Notification" spam leads to malware

This "USPS-Notification" spam uses a goo.gl redirector to go to pclr.timingexpress.ru then a malware site hosted on 199.19.215.133 (Vexxhost, Canada)

Date:      Fri, 2 Mar 2012 10:56:41 -0500
From:      "03456465Ȃ"
Subject:      USPS-NotificationΊ #74050379

#�?77-0915398-10516944-5-120


http://goo.gl/XE84B



 Ǫqq06dsgk19y1oup4kt8vrt!

You can see a Wepawet report for the malware here. Blocking access to that IP address might be prudent.

BBB Spam / bitebird.org

Another BBB spam run is in progress leading to malware, this time the payload is on bitebird.org/search.php?page=73a07bcb51f4be71 hosted on 174.136.1.104  (Colo4, US). You know what to do.

Linode blamed for Bitcoin theft

Linode feature so often on this blog that they have their own tag. OK, they're not the worst hosting company in terms of malicious sites on their network, but at the moment they come up regularly.

Now, sometimes a web host is purely black hat - they know exactly what their customers are up to and they don't care. Sometimes a legitimate web host gets duped into renting servers out to the bad guys, but usually they react eventually. Then there's a third possibility - the the servers have been hacked and are running malicious sites without the host's knowledge.

The thing is that over recent weeks, it seems that many servers hosting malware for those BBB / NACHA / IRS / etc emails that many people have been bombarded with look like legitimate servers that have been taken over. Of course, no web host wants to admit that they have insecure management systems, but then sometimes everything comes out in the open.

It turns out that deficiencies in Linode's security has led to the apparent theft of hundreds of thousands of bitcoins (an online currency). As detailed, the attack shows that the attacker appeared to mount the attack with very little trouble, leaving very little evidence behind them except that the bitcoins were missing.

Linode itself acknowledges the problem:

Manager Security Incident

Ensuring the security of our platform is our top priority. We maintain a strong security policy and aim to communicate openly should it ever be compromised. Thus, we are posting to describe a recent incident affecting the Linode Manager.

Here are the facts:

This morning, an intruder accessed a web-based Linode customer service portal. Suspicious events prompted an immediate investigation and the compromised credentials used by this intruder were then restricted.  All activity via the web portal is logged, and an exhaustive audit has provided the following:

All activity by the intruder was limited to a total of eight customers, all of which had references to "bitcoin".  The intruder proceeded to compromise those Linode Manager accounts, with the apparent goal of finding and transferring any bitcoins.  Those customers affected have been notified.  If you have not received a notification then your account is unaffected.  Again, only eight accounts were affected.

The portal does not have access to credit card information or Linode Manager user passwords.  Only those eight accounts were viewed or manipulated -- no other accounts were viewed or accessed.

Security is our number one priority and has been for over eight years. We depend on and value the trust our customers have placed in us. Now, more than ever, we remain committed to ensuring the safety and security of our customers' accounts, and will be reviewing our policies and procedures to prevent this from ever recurring.
The thing is, this server compromise was immediately obvious because of the loss of bitcoins. But where servers are being used for the Blackhole Exploit Kit or other malware, it's a lot more subtle. I suspect that this isn't the first time recently that Linode has been compromised like this.. and it's probably not the only host with the problem. In recent months, the bad guys have moved their exploit servers from Eastern European cesspits to well-known hosts, many of which are based in the US. Is this all part of the same thing?

Intuit.com spam / migdaliasbistro.net and 213.179.193.132

The past couple of days have seen a lot of identical "Intuit.com" spam runs. Another one is starting up today with a malicious payload on migdaliasbistro.net hosted on 213.179.193.132 (Solidhost, Netherlands) and 41.64.21.71 (Dynamic ADSL, Egypt)

In particular, malware can be found at:
migdaliasbistro.net/main.php?page=4f7249b62ef4f934
migdaliasbistro.net/content/ap2.php?f=86cd2


There's a Wepawet report here.

There are several potentially malicious sites on this server. Blocking the IP address should protect against other evil domains:
perikanzas.com
abc-spain.net
migdaliasbistro.net
twistedtarts.net

Malware sites to block 2/3/12

The Spam Analysis blog has an excellent post analysing what is happening behind the scenes in the malware from some recent spam runs. I've taken their hard work and have broken out the domains and IP addresses that you may want to block.

Note that some of these sites may be legitimate hacked sites. Also 66.96.160.133 is a parking IP,, so there are several thousand other sites on the same address.

Domains:
almeconstruction.com
ampndesignclients.com
buddysbarbq.com
chovattuvt.com
curchamp.com
curcharge.com
curchart.com
ftp.intervene.com.br
impressiveclimate.com
indianwildlifetourism.com
mixestudio.com
pollypaw.com
pollypeaceful.com
ragsnipe.com
sadropped.com
splatstep.com
top59serv.ro
trucktumble.com
truckturtle.com
wonderfulwriggle.com

IPs and hosts:
50.2.7.120 (Infinitie, US)
64.150.166.137 (iPower, US)
66.96.160.133 (Endurance International, US) [parked]
66.232.108.46 (Kevin Shick, US)
74.207.245.244 (Linode, US)
78.47.211.154 (Hetzner, Germany)
85.9.26.253 (GTS, Romania)
112.78.2.141 (Online Data Services JSC, Vietnam)
173.213.90.237 (Serverhub, US)
173.213.90.238 (Serverhub, US)
174.123.39.34 (ThePlanet, US)
174.136.0.68 (Colo4, US)
184.173.192.173 (ThePlanet, US)
200.58.124.129 (Dattatec.com, Argentina)
200.98.197.68 (UOL, Brazil)
209.140.16.128 (Landis Holdings, US)
216.251.43.98 (InternetNamesForBusiness.com, US)

Plain IP list:
50.2.7.120
64.150.166.137
66.96.160.133
66.232.108.46
74.207.245.244
78.47.211.154
85.9.26.253
112.78.2.141
173.213.90.237
173.213.90.238
174.123.39.34
174.136.0.68
184.173.192.173
200.58.124.129
200.98.197.68
209.140.16.128
216.251.43.98

"Your Intuit.com order confirmation" / curcharge.com

Another fake Intuit order email leading to malware:

From: INTUIT INC. [mailto:support@careerbuilder.com]
Sent: 01 March 2012 15:26
Subject: Your Intuit.com order confirmation.

   
  Dear Customer:

Thank you for purchasing your software Intuit Market. We are processing and will message you when your order is processed. If you ordered several items, we may process them in more than one delivery (at no extra cost to you) to ensure quicker delivery.

If you have questions about your order, please call 1-800-955-8890.   

       

ORDER INFORMATION

Please download your full invoice
id #038964148686 information at Intuit small business website.

NEED HELP?

•    Email us at mktplace_customerservice@intuit.com.
•    Call us at 1-800-955-8890.
•    Reorder Intuit Checks Quickly and Easily starting with
the information from your previous order.
To help us better serve your needs, please take
a few minutes to let us know how we are doing.
Submit your feedback here.
   
Thanks again for your order,

Intuit Market Customer Service
       

Privacy , Legal , Contact Us , About Us


You have received this business communication as part of our efforts to fulfill your request or service your account. You may receive this and other business communications from us even if you have opted out of marketing messages.

Please note: This e-mail was sent from an auto-notification system that cannot accept incoming email
Please do not reply to this message.

If you receive an email message that appears to come from Intuit but that you suspect is a phishing e-mail, please forward it immediately to spoof@intuit.com. Please visit http://security.intuit.com/ for additional security information.


2011 Intuit, Inc. All rights reserved. Intuit, the Intuit Logo, Quickbooks, Quicken and TurboTax, among others, are registered trademarks of Intuit Inc.

The malicious payload is on curcharge.com/search.php?page=73a07bcb51f4be71 hosted on 174.136.0.68 (Colo4, US)

Thursday, 1 March 2012

"Your tax appeal status" / "Your Intuit.com software order" spam and trucktumble.com

Two different spams with the same payload, the first featuring a massive failure of competency:

Date:      Thu, 1 Mar 2012 18:34:39 +0300
From:      "INTUIT INC."
Subject:      Your Intuit.com software order.

dear {l1}:

thank you for {l2} intuit market. we {l3} and will {l4} when your {l5}. if you ordered {l6} items, we may {l7} them in more than one {l8} (at no extra cost to you) to {l9}.

if you have questions about your order, please call 1-800-955-8890.


order information

please download your {la}
id #{digit} information at intuit small business website.

need help?

    email us at mktplace_customerservice@intuit.com.
    call us at 1-800-955-8890.
    reorder intuit checks quickly and easily starting with
    the information from your previous order.

to help us better serve your needs, please take
a few minutes to let us know how we are doing.
submit your feedback here.

thanks again for your order,

intuit market customer service

privacy , legal , contact us , about us

you have received this business communication as part of our efforts to fulfill your request or service
your account. you may receive this and other business communications from us even if you have opted
out of marketing messages.

please note: this e-mail was sent from an auto-notification system that cannot accept incoming email
please do not reply to this message.

if you receive an email message that appears to come from intuit but that you suspect is a phishing
e-mail, please forward it immediately to spoof@intuit.com. please visit http://security.intuit.com/ for
additional security information.


�2011 intuit, inc. all rights reserved. intuit, the intuit logo, quickbooks, quicken and turbotax,
among others, are registered trademarks of intuit inc.
the second one:

Date:      Thu, 1 Mar 2012 12:33:28 -0300
From:      "Jesus Kendall"
Subject:      Your tax appeal status.

Dear Business owner,
Hereby you are informed that your Tax Return Appeal id#8179621 has been DECLINED. If you consider that the IRS did not properly assess your case due to a misunderstanding of the facts, be prepared to submit additional information. You can download the rejection details and re-submit your appeal under the following link Online Tax Appeal.

Internal Revenue Service
Telephone Assistance for Businesses:
Toll-Free, 1-800-829-4933
Hours of Operation: Monday � Friday, 7:00 a.m. � 7:00 p.m. your local time (Alaska & Hawaii follow Pacific Time).

In both cases the payload is trucktumble.com/search.php?page=73a07bcb51f4be71 on 64.94.238.71 (Nuclear Fallout Enterprises, US). Blocking the IP will stop other malware on the server causing you a problem, you may even want to block 64.94.238.0/24 because this host is getting a pretty poor reputation.


fff

"Your intuit.com order confirmation" spam / curchamp.com (74.207.245.244)

This fake "Intuit order" spam leads to malware. Apparently it was sent from Careerbuilder (which is kind of odd). Also note the "spoofing" warning near the bottom!

From: INTUIT INC. [mailto:noreply@careerbuilder.com]
Sent: 01 March 2012 14:30
Subject: Your intuit.com order confirmation.

  Dear Customer:

Thank you for purchasing your software Intuit Market. We are processing and will message you when your order is processed. If you ordered multiple items, we may process them in more than one shipment (at no extra cost to you) to ensure quicker delivery.

If you have questions about your order, please call 1-800-955-8890.

ORDER INFORMATION

Please download your complete order
id #443475245229 information at Intuit small business website.

NEED HELP?

•    Email us at mktplace_customerservice@intuit.com.
•    Call us at 1-800-955-8890.
•    Reorder Intuit Checks Quickly and Easily starting with
the information from your previous order.
To help us better serve your needs, please take
a few minutes to let us know how we are doing.
Submit your feedback here.
   
Thanks again for your order,

Intuit Market Customer Service


Privacy , Legal , Contact Us , About Us


You have received this business communication as part of our efforts to fulfill your request or service your account. You may receive this and other business communications from us even if you have opted out of marketing messages.

Please note: This e-mail was sent from an auto-notification system that cannot accept incoming email
Please do not reply to this message.

If you receive an email message that appears to come from Intuit but that you suspect is a phishing e-mail, please forward it immediately to spoof@intuit.com. Please visit http://security.intuit.com/ for additional security information.


©2011 Intuit, Inc. All rights reserved. Intuit, the Intuit Logo, Quickbooks, Quicken and TurboTax, among others, are registered trademarks of Intuit Inc.

The link goes through two legitimate hacked sites and ends up on curchamp.com/search.php?page=73a07bcb51f4be71 (report here) which is hosted on 74.207.245.244 (Linode, US). This attempts to use a variety of exploits to take over the user's PC.

Blocking the IP rather than the domain will also stop any other malicious domains on the same server.

"Scan from a Hewlett-Packard Officejet" spam / caskjfhlkaspsfg.ru

Another malicious spam, this time with an attachment containing obfuscated code leading to caskjfhlkaspsfg.ru.

Date:      Thu, 1 Mar 2012 09:43:50 +0530
From:      ARLYNEO93ESQUIVEL@gmail.com
Subject:      Fwd: Re: Fwd: Scan from a Hewlett-Packard Officejet #603320
Attachments:     HP_Scan-27-499614.htm

Attached document was scanned and sent

to you using a Hewlett-Packard HP SmartJet 4931F.



Sent by: ARLYNE
Pages : 9
Attachment Type: .HTM [Internet Explorer/Mozilla Firefox]

The malware is on caskjfhlkaspsfg.ru:8080/images/aublbzdni.php , as with other recent .ru:8080 attacks, this is multihomed on a familiar set of IP addresses:

50.31.1.105 (Steadfast Networks, US)
69.60.117.183 (Colopronto, US)
78.107.82.98 (Corbina Telecom, Russia)
83.238.208.55 (Netia Telekom, Poland)
95.156.232.102 (Optimate-server, Germany)
96.125.168.172 (Websitewelcome, US)
111.93.161.226 (Tata Teleservices, India)
125.19.103.198 (Bharti Infotel, India)
128.134.57.112 (Kwangun University, Korea)
173.203.51.174 (Slicehost, US)
184.106.200.65 (Slicehost, US)
184.106.237.210 (Slicehost, US)
190.81.107.70 (Telemax, Peru)
199.204.23.216 (ECSuite, US)
200.169.13.84 (Century Telecom Ltda, Brazil)
209.114.47.158 (Slicehost, US)
210.56.23.100 (Commission For Science And Technology, Pakistan)
210.109.108.210 (Sejong Telecom, Korea)

A bare list for copy-and-pasting:
50.31.1.105
69.60.117.183
78.107.82.98
83.238.208.55
95.156.232.102
96.125.168.172
111.93.161.226
125.19.103.198
128.134.57.112
173.203.51.174
184.106.200.65
184.106.237.210
190.81.107.70
199.204.23.216
200.169.13.84
209.114.47.158
210.56.23.100
210.109.108.210

DINETHOSTING / curvecheese.com

DINETHOSTING aka Digital Network JSC are a large Russian host that regularly hosts malware sites. Yesterday I came across the domain curvecheese.com (85.192.45.83) being used in a malicious spam run. This is in a block 85.192.32.0/20 allocated to this host.

I tend to block DINETHOSTING ranges as soon as I see malware on them. If you are blocking this host, I would recommend you add 85.192.32.0/20 to your blocklist.

Tuesday, 28 February 2012

BBB Spam / perikanzas.com and twistedtarts.net

BBB spam.. you must know what it looks like by now. Here are a couple of new domains:

perikanzas.com
41.64.21.71 (Dynamic ADSL, Egypt)
213.179.193.132 (Solidhost, Netherlands)

twistedtarts.net
109.68.33.18 (Mesh Digital, UK)

"Your Flight" spam / cparabnormapoopdsf.ru

This spam comes with a malicious attachment pointing to a page on cparabnormapoopdsf.ru.

Date:      Tue, 27 Feb 2012 03:53:09 +0530
From:      sales1@victimdomain.com
Subject:      Fwd: Your Flight N US787-8929269
Attachments:     FLIGHT_TICKET_N3988-753843.htm

Dear Customer,



FLIGHT NUMBER 8333-452628141

DATE/TIME : MARCH 23, 2011, 16:15 PM

ARRIVING AIRPORT: WASHINGTON DC INT. AIRPORT

PRICE : 856.77 USD



Your bought ticket is attached to the letter as a scan document (Internet Exlporer File).

To use your ticket you should print it.

LAKEISHA Wolff,

American Airlines

The payload is at cparabnormapoopdsf.ru:8080/images/aublbzdni.php (report here). As with other .ru:8080 attack, this one is multihomed on some familiar looking IPs:

50.31.1.105 (Steadfast Networks, US)
78.83.233.242 (MVN Systems Ltd, Bulgaria)
83.238.208.55 (Netia Telekom, Poland)
95.156.232.102 (Optimate-server, Germany)
125.19.103.198 (Bharti Infotel, India)
173.203.51.174 (Slicehost, US)
184.106.200.65 (Slicehost, US)
184.106.237.210 (Slicehost, US)
188.165.253.126 (OVH SAS, France)
190.81.107.70 (Telemax, Peru)
199.204.23.216 (ECSuite, US)
200.169.13.84 (Century Telecom Ltda, Brazil)
209.114.47.158 (Slicehost, US)
210.56.23.100 (Commission For Science And Technology, Pakistan)
210.109.108.210 (Sejong Telecom, Korea)

A bare list for copy-and-pasting:
50.31.1.105
78.83.233.242
83.238.208.55
95.156.232.102
125.19.103.198
173.203.51.174
184.106.200.65
184.106.237.210
188.165.253.126
190.81.107.70
199.204.23.216
200.169.13.84
209.114.47.158
210.56.23.100
210.109.108.210

IRS Spam / pollypeach.com

Another IRS spam run leading to malware, this time on pollypeach.com.

Date:      Tue, 27 Feb 2012 17:02:45 +0600
From:      "Ofelia Childers"
Subject:      IRS notification of your tax appeal status.



Dear Accountant Officer,
Hereby you are notified that your Income Tax Return Appeal id#0184348 has been REJECTED. If you believe the IRS did not properly assess your case due to a misinterpretation of the case details, be prepared to provide additional information. You can obtain the rejection report and re-submit your appeal under the following link Online Tax Appeal.

Internal Revenue Service
Telephone Assistance for Businesses:
Toll-Free, 1-800-829-4933
Hours of Operation: Monday � Friday, 7:00 a.m. � 7:00 p.m. your local time (Alaska & Hawaii follow Pacific Time).

The malicious payload is on pollypeach.com/search.php?page=73a07bcb51f4be71 and pollypeach.com/content/ap2.php?f=e4649 (see the report here), hosted on 69.163.45.128 (Directspace, US). Blocking the IP rather than the domain will stop any further infections from that server.

NACHA Spam / cgunikqakklsdpfo.ru

A terse version of the familiar NACHA fake spam, leading to malware:

Date:      Mon, 26 Feb 2012 12:16:40 +0530
From:      accounting@victimdomain.com
Subject:      Fwd: ACH and Wire transfers disabled.

Dear Online Account Operator,
Your ACH transactions have been
temporarily disabled.
View details

Best regards,
Security department

The payload is on cgunikqakklsdpfo.ru:8080/img/?promo=nacha which is multihomed (details below). It's pretty easy to search your outbound logs for connection attempts to .ru:8080 if you haven't got filtering enabled.

The list of IPs gets a little shorter every time, but there are still some familiar hosts here:

50.31.1.105 (Steadfast Networks, US)
69.60.117.183 (Colopronto, US)
78.83.233.242 (MVN Systems Ltd, Bulgaria)
88.191.97.108 (Free SAS / ProXad, France)
95.156.232.102 (Optimate-server, Germany)
125.19.103.198 (Bharti Infotel, India)
173.203.51.174 (Slicehost, US)
184.106.200.65 (Slicehost, US)
184.106.237.210 (Slicehost, US)
188.165.253.126 (OVH SAS, France)
190.81.107.70 (Telemax, Peru)
199.204.23.216 (ECSuite, US)
200.169.13.84 (Century Telecom Ltda, Brazil)
209.114.47.158 (Slicehost, US)
210.56.23.100 (Commission For Science And Technology, Pakistan)

A plain list for copy-and-pasting:
50.31.1.105
69.60.117.183
78.83.233.242
88.191.97.108
95.156.232.102
125.19.103.198
173.203.51.174
184.106.200.65
184.106.237.210
188.165.253.126
190.81.107.70
199.204.23.216
200.169.13.84
209.114.47.158
210.56.23.100

BBB and AICPA spam / 110hobart.com

Two spam runs with essentially the same malicious payload..

Date:      Mon, 26 Feb 2012 12:30:50 +0100
From:      "BBB"
Subject:      BBB case ID 73773062
Attachments:     betterbb_logo.jpg

Attention: Owner/Manager

Here with the Better Business Bureau notifies you that we have been sent a complaint (ID 73773062) from your customer in regard to their dealership with you.

Please open the COMPLAINT REPORT below to obtain the details on this matter and inform us about your position as soon as possible.

We hope to hear from you shortly.

Regards,

Arnold Melendez

Dispute Counselor
Better Business Bureau


Council of Better Business Bureaus
4200 Wilson Blvd, Suite 800
Arlington, VA 22203-1838
Phone: 1 (703) 276.0100
Fax: 1 (703) 525.8277

Leading to 110hobart.com/main.php?page=f46555a4a5b80a04 and 110hobart.com/content/ap2.php?f=cc677, and also:

Date:      Mon, 26 Feb 2012 11:16:30 +0100
From:      "Adan Jordan"
Subject:      Tax return fraud notification.

You're receiving this notification as a Certified Public Accountant and a member of AICPA.
Having trouble reading this email? View it in your browser.

Revocation of Public Account Status due to tax return fraud accusations

Valued AICPA member,

We have received a notice of your recent involvement in income tax refund infringement on behalf of one of your clients. According to AICPA Bylaw Subsection 730 your Certified Public Accountant license can be cancelled in case of the act of filing of a false or fraudulent tax return on the member's or a client's behalf.

Please familiarize yourself with the notification below and respond to it within 21 days. The failure to respond within this time-frame will result in cancellation of your Accountant license.

Complaint.pdf

The American Institute of Certified Public Accountants.

Email: service@aicpa.org
Tel. 888.777.7077
Fax. 800.362.5066


Leading to 110hobart.com/content/ap2.php?f=cc677 and 110hobart.com/main.php?page=02876dd2afe89394 (a slightly different URL from before)

The IP address is a familiar one, 41.64.21.71 which is allegedly an ADSL subscriber in Cairo. This IP has been used in several attacks recently, blocking it would be a really good idea.

Friday, 24 February 2012

AICPA Spam / synetworks.net and housespect.net

More fake AICPA spam leading to malware..

Date:      Fri, 23 Feb 2012 12:29:00 +0100
From:      "Jonathon Humphrey"
Subject:      Termination of your CPA license.

You're receiving this notification as a Certified Public Accountant and a member of AICPA.
Having trouble reading this email? View it in your browser.

Termination of Accountant status due to income tax fraud accusations

Dear AICPA member,

We have received a complaint about your alleged participation in income tax fraudulent activity on behalf of one of your clients. According to AICPA Bylaw Section 600 your Certified Public Accountant status can be terminated in case of the event of submitting of a false or fraudulent income tax return on the member's or a client's behalf.

Please be informed of the complaint below and provide your feedback to it within 7 days. The failure to respond within this term will result in withdrawal of your CPA license.

Complaint.doc

The American Institute of Certified Public Accountants.

Email: service@aicpa.org
Tel. 888.777.7077
Fax. 800.362.5066

==================

Date:      Fri, 23 Feb 2012 12:28:45 +0100
From:      "Dominic Moreno"
Subject:      Your accountant license can be revoked.

You're receiving this email as a Certified Public Accountant and a member of AICPA.
Having trouble reading this email? View it in your browser.

Termination of Public Account Status due to tax return fraud accusations

Dear accountant officer,

We have been informed of your alleged involvement in income tax fraudulent activity for one of your clients. According to AICPA Bylaw Subsection 730 your Certified Public Accountant status can be revoked in case of the aiding of presenting of a incorrect or fraudulent tax return on the member's or a client's behalf.

Please be notified below and provide your feedback to it within 7 days. The failure to do so within this period will result in suspension of your Accountant status.

Complaint.doc

The American Institute of Certified Public Accountants.

Email: service@aicpa.org
Tel. 888.777.7077
Fax. 800.362.5066
The links go through a legitimate hacked site to some obfuscated javascipt leading to a malicious payload on synetworks.net/main.php?page=2d057d472cd217e2 and synetworks.net/content/ap2.php?f=3dc5c (report here) hosted on 76.12.101.172 (HostMySite, US). That IP is also home to housespect.net which also appears to be malicious. Blocking the IP should prevent any other malicious sites on the same server from being a problem.

Thursday, 23 February 2012

HP OfficeJet spam / cruoinaikklaoifpa.ru and upjachkajasamns.ru

This isn't from a HP OfficeJet, the attachment leads to malware..

Date:      Thu, 22 Feb 2012 05:04:38 +0700
From:      scanner@victimdomain.com
Subject:      Fwd: Re: Scan from a Hewlett-Packard Officejet #19152659
Attachments:     HP_Officejet_02-23_OFCJET88353.htm

Attached document was scanned and sent



to you using a Hewlett-Packard HP OfficeJet 34612A.



Sent by: FELICE
Images : 0
Attachment Type: .HTML [Internet Explorer]

HP Officejet Location: --

The .htm file attempts to redirect the victim to a malicious page at cruoinaikklaoifpa.ru:8080/images/aublbzdni.php and as with this recent spate of ".ru:8080" sites it is multihomed. It then tries to download additional malware from upjachkajasamns.ru:8080/images/jw.php?i=8 on the same IP addresses. The list is pretty similar to this one with a few additions.

46.137.251.11 (Amazon Data Services, Ireland)
50.31.1.105 (Steadfast Networks, US)
50.57.77.119 (Slicehost US)
50.57.118.247 (Slicehost US)
69.60.117.183 (Colopronto, US)
78.83.233.242 (MVN Systems Ltd, Bulgaria)
79.101.30.15 (Serbia Telekom, Serbia)
88.191.97.108 (Free SAS / ProXad, France)
95.156.232.102 (Optimate-server, Germany)
98.158.180.244 (VPS.net Atlanta / Hosting Services Inc, US)
125.19.103.198 (Bharti Infotel, India)
125.214.74.8 (Web24 Pty, Australia)
147.83.22.79 (Universitat Politecnica de Catalunya, Spain)
173.203.51.174 (Slicehost US)
184.106.200.65 (Slicehost US)
184.106.237.210 (Slicehost US)
188.165.253.126 (OVH SAS, France)
190.81.107.70 (Telemax, Peru)
199.204.23.216 (ECSuite, US)
200.169.13.84 (Century Telecom Ltda, Brazil)
204.152.221.233 (SystemInPlace, US)
209.114.47.158 (Slicehost, US)
210.56.23.100 (Commission For Science And Technology, Pakistan)
210.56.24.226 (Commission For Science And Technology, Pakistan)

A plain list for copy-and-pasting:
46.137.251.11
50.31.1.105
50.57.77.119
50.57.118.247
69.60.117.183
78.83.233.242
79.101.30.15
88.191.97.108
95.156.232.102
98.158.180.244
125.19.103.198
125.214.74.8
147.83.22.79
173.203.51.174
184.106.200.65
184.106.237.210
188.165.253.126
190.81.107.70
199.204.23.216
200.169.13.84
204.152.221.233
209.114.47.158
210.56.23.100
210.56.24.226

AICPA Spam / srsopen.net

Another fake spam email claiming to be from AICPA, but actually leading to malware, this time on srsopen.net.

Date:      Thu, 22 Feb 2012 11:29:29 +0100
From:      "Guadalupe Kessler"
Subject:      Fraudulent tax return assistance accusations.

You're receiving this message as a Certified Public Accountant and a member of AICPA.
Having trouble reading this email? View it in your browser.

Termination of CPA license due to income tax fraud allegations

Valued accountant officer,

We have received a complaint about your alleged participation in income tax infringement for one of your employers. According to AICPA Bylaw Subsection 765 your Certified Public Accountant license can be cancelled in case of the event of presenting of a incorrect or fraudulent tax return for your client or employer.

Please be notified below and respond to it within 21 days. The failure to respond within this term will result in cancellation of your Accountant license.

Complaint.pdf

The American Institute of Certified Public Accountants.

Email: service@aicpa.org
Tel. 888.777.7077
Fax. 800.362.5066

The malicious payload is at srsopen.net/main.php?page=78581944265196f1 , as usual the first step is a legitimate hacked site. srsopen.net is hosted on two familiar IP addresses, 115.249.190.46 and 41.64.21.71 most recently seen here.