Sponsored by..

Monday, 12 March 2012

"URGENT: Your pension could be underperforming" SMS Spam

Arriving just minutes apart from this spam and probably related, these SMS spamming scumbags are back with another pitch:
URGENT: Your pension could be underperforming and could leave you with less then you thought on retirement, reply REVIEW for a free review now, STOP to opt out.
The sending number this time was +447895882070 although this will change as numbers get blocked.

If you get one of these, you should forward the spam and the sender's number to your carrier. In the came of T-Mobile, O2 and Orange the number to report to is 7726 ("SPAM"). Vodafone customers should use 87726 ("VSPAM") and Three customers should use 37726 ("3SPAM"). Hopefully the carriers will act if there are enough complaints.

"Records passed to us show you're entitled to a refund.." SMS Spam

These scumbag SMS spammers again:
Records passed to us show you're entitled to a refund approximately £2560 in compensation from mis-selling of PPI on your credit card or loan.Reply INFO or stop
This is pure and simple spam, there are no "records" showing any such thing. In this case the spam came from +447790682898 although spammers often change their numbers.

If you get one of these, you should forward the spam and the sender's number to your carrier. In the came of T-Mobile, O2 and Orange the number to report to is 7726 ("SPAM"). Vodafone customers should use 87726 ("VSPAM") and Three customers should use 37726 ("3SPAM"). Hopefully the carriers will act if there are enough complaints.

goo.gl/C9bsq link leads to malware

A bit of a shift in spammer tactics here:

From:     Mohit Girsh girshmohit1988@yahoo.com
Date:     12 March 2012 11:54
Dubject:     Electronic payments are suspended #08763672
Signed by:     yahoo.com
   
Id 57-8033394-13999809-0-895
< !--ZZ 81490908 C

 hxxp://goo.gl/C9bsq


hxxp://goo.gl/C9bsq redirects to hxxp://2ecdn.barelybowler.ru/ which is multihomed:

31.176.195.196 (BH Telecom, Bosnia)
31.181.92.124 (Rostelecom , Russia)
37.99.67.48 (2DAY Telecom, Kazakhstan)
41.108.45.166 (Algerie Telecom, Algeria)
41.201.113.112 (Unknown network, Algeria)
46.70.226.182 (Armentel, Armenia)
49.145.121.75 (Philippine Long Distance Telephone Company, Philippines)
58.152.217.249 (PCCW, Hong Kong)
77.34.109.74 (Rostelecom , Russia)
77.125.246.251 (012 Smile, Israel)
83.28.56.41 (Neostrada Plus, Poland)
83.31.168.111 (Neostrada Plus, Poland)
85.29.167.135 (2DAY Telecom, Kazakhstan)
89.208.229.196 (Digital Network JSC, Russia)
91.234.24.217 (Evgeniy Kondratyk, Ukraine)
94.41.158.248 (Ufanet, Russia)
94.41.254.115 (Ufanet, Russia)
95.56.208.29 (Kazakhtelecom, Kazakhstan)
114.37.87.205 (Hinet, Taiwan)
119.42.75.15 (CAT Telecom, Thailand)

This redirects to: hxxp://74.91.121.248/showthread.php?t=72d268be707a5fb7

..which is an exploit kit (see this report) hosted by Nuclear Fallout Enterprises in the US (again).

A plain list of IPs in case you want to copy and paste into a blocklist:

31.176.195.196
31.181.92.124
37.99.67.48
41.108.45.166
41.201.113.112
46.70.226.182
49.145.121.75
58.152.217.249
77.34.109.74
77.125.246.251
83.28.56.41
83.31.168.111
85.29.167.135
89.208.229.196
91.234.24.217
94.41.158.248
94.41.254.115
95.56.208.29
114.37.87.205
119.42.75.15
74.91.121.248

Friday, 9 March 2012

"Scan from a HP Officejet #235612" / cnnvcnsaoljfrut.ru

Another fake OfficeJet spam with a malicious attachment:

Date:      Fri, 9 Mar 2012 05:40:05 +0100
From:      "Valentino CONNELLY"
Subject:      Scan from a HP Officejet #235612
Attachments:     HP_Document_SPK23127.htm

Attached document was scanned and sent



to you using a Hewlett-Packard HP Officejet 2975OF.

Sent: by Valentino
Image(s) : 1
Attachment: HTML [.htm]

Hewlett-Packard Officejet Location: machine location not set
Device: POD866K0PL44119329S

The malware is on cnnvcnsaoljfrut.ru:8080/images/aublbzdni.php  (report here) which is multihomed on a familiar looking list of IP addresses:

78.107.82.98 (Corbina Telecom, Russia)
83.238.208.55 (Netia Telekom, Poland)
95.156.232.102 (Optimate-server, Germany)
111.93.161.226 (Tata Teleservices, India)
125.19.103.198 (Bharti Infotel, India)
190.81.107.70 (Telmex, Peru)
194.85.97.121 (State Technical University of Saint-Petersburg, Russia)
202.149.85.37 (Satata Neka Tama, Indonesia)
210.56.23.100 (Commission For Science And Technology, Pakistan)
211.44.250.173 (SK Broadband Co Ltd, Korea)

Plain list for copy-and-pasting:
78.107.82.98
83.238.208.55
95.156.232.102
111.93.161.226
125.19.103.198
190.81.107.70
194.85.97.121
202.149.85.37
210.56.23.100
211.44.250.173

Something evil on 178.211.33.203 and 109.236.80.151

178.211.33.203 and 109.236.80.151 are a pair of IP addresses distributing some sort of malware in a coordinated attack. They seem to be part of the same attack. The malware itself is still pending analysis, but you might want to block these URLs and/or IPs.

Incidentally, the domains seem legitimate GoDaddy-registered ones, but I am guessing they have been hacked to serve up malware on their *.domainname.com subdomains.

178.211.33.203
*.extensionbay.com
*.kingoftheaquarium.com
*.vicandbarbs.net
*.dancesearcy.com
*.learn2drive4free.com
34107.vicandbarbs.net
30659.vicandbarbs.net
8918.vicandbarbs.net
28980.majesticbetta.com
52734.majesticbetta.com
37926.majesticbetta.com
39168.majesticbetta.com
5139.majesticbetta.com
2673.learn2drive4free.com
51226.kingoftheaquarium.com
59038.kingoftheaquarium.com
29878.kingoftheaquarium.com
50588.kingoftheaquarium.com
24898.dancesearcy.com

109.236.80.151
*.bankingonbankers.com
*.bankdirectoryonline.com
*.californiagoldbook.com
*.ch.redirect.2350283972.bankingonbankers.com
*.google.ch.redirect.2350283972.bankingonbankers.com
*.redirect.2350283972.bankingonbankers.com
2350283972.bankingonbankers.com
31337.bankingonbankers.com
ch.redirect.2350283972.bankingonbankers.com
google.ch.redirect.2350283972.bankingonbankers.com
redirect.2350283972.bankingonbankers.com
www.google.ch.redirect.2350283972.bankingonbankers.com
*.2350283972.bankingonbankers.com
int.ask.com.redirect.384569840.bankdirectoryonline.com
www.google.de.redirect.312464722.bankdirectoryonline.com
www.google.de.query.11111533.bankdirectoryonline.com
www.lr-aloevera.at.search.1639590514.bankdirectoryonline.com
www.google.de.query.39586074.bankdirectoryonline.com
www.surftipp.de.query.320136795.bankdirectoryonline.com
suche.aol.de.query.469388806.bankdirectoryonline.com
www.google.at.redirect.512545616.bankdirectoryonline.com
www.google.de.redirect.3379156420.californiagoldbook.com
www.google.de.search.3333773661.californiagoldbook.com
www.google.de.query.3386209042.californiagoldbook.com
www.google.de.query.3261224572.californiagoldbook.com
www.google.com.tr.search.274580395.californiagoldbook.com
www.google.de.search.342911457.californiagoldbook.com
www.google.com.query.417110658.californiagoldbook.com
www.google.ca.process.983249139.californiagoldbook.com
www.google.de.search.310514469.californiagoldbook.com
www.google.de.redirect.417610242.bankingonbankers.com
www.google.at.url.427019192.bankingonbankers.com
www.google.de.query.3262094134.bankingonbankers.com
www.google.fr.redirect.579034634.bankingonbankers.com
www.google.de.query.3334101725.bankingonbankers.com
www.google.de.url.524065725.bankingonbankers.com
www.google.de.url.341584535.bankingonbankers.com
www.ferienwohnung-hotels-kroatien.de.query.451051745.bankingonbankers.com
www.google.com.br.query.4120413008.bankingonbankers.com
www.google.de.process.277767529.bankingonbankers.com

Will visiting Blinkx.com infect your computer?

I've coved Blinkx before in connection with unwanted software installations. They recently came to my attention again.. and not in a good way.

Let's start with the Google Safe Browsing Diagnostics for blinkx.com:

Safe Browsing

Diagnostic page for blinkx.com

What is the current listing status for blinkx.com?
This site is not currently listed as suspicious.
What happened when Google visited this site?
Of the 1007 pages we tested on the site over the past 90 days, 92 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2012-03-09, and the last time suspicious content was found on this site was on 2012-03-08.Malicious software includes 6 trojan(s), 1 exploit(s). Successful infection resulted in an average of 2 new process(es) on the target machine.
Malicious software is hosted on 6 domain(s), including miopardenton.bee.pl/, inturpo.com/, ighlandhorn.jesais.fr/.
5 domain(s) appear to be functioning as intermediaries for distributing malware to visitors of this site, including inturpo.com/, adv-adserver.com/, adversalservers.com/.
This site was hosted on 32 network(s) including AS209 (QWEST), AS14743 (INTERNAP), AS1299 (TELIANET).
Has this site acted as an intermediary resulting in further distribution of malware?
Over the past 90 days, blinkx.com did not appear to function as an intermediary for the infection of any sites.
Has this site hosted malware?
No, this site has not hosted malicious software over the past 90 days.
Next steps:


Not listed as suspicious? But 92 out of 1007 pages attempt to install malware! That's 9.1% of all pages on the site that Google checked! But people who visit Blinkx don't just visit one page. According to Alexa, the average visitor views 3.88 pages on the site. It also notes that blinkx.com is the 1994th most popular site worldwide.


We can work out the probability of infection using the data, it's is (1-(1-(92/1007))^3.88)) which equates to a 31% possibility that the average blinkx.com visitor will be exposed to malware. OK, that's assuming that the data is accurate, and since I know for a fact there are more than 1007 pages on Blinkx and that Alexa data has its critics.. well, take that figure as being indicative rather than 100% accurate.

Compete.com reports that over 5 million US visitors look at the site per month. There are doubtless millions more visiting this site. So exactly how many people have been infected while visiting blinkx.com?

My suggestions? If you are an IT administrator, I think you want to seriously consider if allowing your users to visit blinkx.com is in line with your corporate governance strategy..

Thursday, 8 March 2012

AICPA spam / themeparkoupons.net

Another AICPA spam run is also doing the rounds with a malicious payload on:

themeparkoupons.net/main.php?page=89cd1f8b9fb67fbc
themeparkoupons.net/content/ap2.php?f=4f07a

The IP appears to be 41.64.21.71 (Dynamic ADSL, Egypt). This IP has been seen many times before, so blocking it would be a very good idea.

"Inter-company inv. from Aleris International Corp. " / cruikdfoknaofa.ru

The so-called invoice attached to this email leads to malware:

Date:      Thu, 8 Mar 2012 08:06:00 +0100
From:      "EDDIE HERRINGTON"
Subject:      Re: Inter-company inv. from Aleris International Corp.
Attachments:     Invoice_l8004324237.htm

Hallo



Attached the corp. invoice for the period July 2011 til Aug. 2011.



Thanks a lot for supporting this process



EDDIE HERRINGTON

Aleris International Corp.

The malware is on cruikdfoknaofa.ru:8080/images/aublbzdni.php  (report here). This domain is multihomed on the following IPs:

78.107.82.98 (Corbina Telecom, Russia)
83.238.208.55 (Netia Telekom, Poland)
95.156.232.102 (Optimate-server, Germany)
111.93.161.226 (Tata Teleservices, India)
125.19.103.198 (Bharti Infotel, India)
190.81.107.70 (Telmex, Peru)
194.85.97.121 (State Technical University of Saint-Petersburg, Russia)
200.169.13.84 (Century Telecom Ltda, Brazil)
202.149.85.37 (Satata Neka Tama, Indonesia)
210.56.23.100 (Commission For Science And Technology, Pakistan)
211.44.250.173 (SK Broadband Co Ltd, Korea)
Plain list:
78.107.82.98
83.238.208.55
95.156.232.102
111.93.161.226
125.19.103.198
190.81.107.70
194.85.97.121
200.169.13.84
202.149.85.37
210.56.23.100
211.44.250.173

Wednesday, 7 March 2012

BBB Spam / babblesunet.com

Yet another identikit BBB Spam run this morning, with a malicious payload on the site babblesunet.com.

The bad stuff is on babblesunet.com/showthread.php?t=73a07bcb51f4be71 hosted on 69.163.40.209 (Directspace, US). Blocking the IP address should stop any other malicious sites on that server from causing harm.

Intuit spam / sony-zeus.net

Another fake INTUIT spam run is in progress, this time using the domain sony-zeus.net to deliver the payload.

The malware is hosted on sony-zeus.net/content/ap2.php?f=ef572 and sony-zeus.net/main.php?page=fac4e861546108ef on 213.179.193.132 (Solidhost, Netherlands). We've seen this IP before, so it is well worth blocking.

BBB Spam / cjhsdvbfbczuet.ru

Today's spam runs are just firing up now, with a fake BBB spam containing at attachment that tries to direct visitors to cjhsdvbfbczuet.ru.

Date:      Wed, 7 Mar 2012 -06:40:22 -0800
From:      "FANNY Baez"
Subject:      Better Business Bureau Complaint
Attachments:     Complaint_ID87rP25441.htm

Good afternoon,

Here with the Better Business Bureau would like to inform you that we have received a complaint (ID 323259211) from a customer of yours in regard to their dealership with you.


Please open the COMPLAINT REPORT attached to this email (open with Internet Explorer/Firefox)
to view the details on this issue and suggest us about your position as soon as possible.

We hope to hear from you shortly.

Regards,
FANNY Baez

Dispute Counselor
Better Business Bureau

The payload site is at cjhsdvbfbczuet.ru:8080/images/aublbzdni.php but at the moment it doesn't seem to be resolving so there are no IPs to block. However, monitoring your logs for .ru:8080 from time-to-time could help detect users who have clicked through.

SMS Spam: "You could be entitled up to £4856 in compensation.."

I really hate these scumbags:

IMPORTANT - You could be entitled up to £4856 in compensation from mis-sold PPI on credit cards or loans. Please reply PPI for info or STOP to opt out. 

In this case, the sender's number is +447436261356 although this will change regularly to avoid detection.

If you get one of these, you should forward the spam and the sender's number to your carrier. In the came of T-Mobile, O2 and Orange the number to report to is 7726 ("SPAM"). Vodafone customers should use 87726 ("VSPAM") and Three customers should use 37726 ("3SPAM"). Hopefully the carriers will act if there are enough complaints.

Tuesday, 6 March 2012

BBB Spam / 72.14.187.169

This is the second malicious spam run of the day, leading to a malware payload on 72.14.187.169

Date:      Tue, 6 Mar 2012 14:00:18 +0200
From:      "Tom Santana"
Subject:      Better Business Bureau needs your urgent attention.
 
Business Owner/Manager,
One of your recent customers has submitted a complaint with The Better Business Bureau regarding the negative experience he had with your company. The consumer report is attached below. Please submit your feedback to this matter as within 14 days. The fastest way to provide your response is via the Online Complaint system. Please follow the following Internet address to evaluate the above-mentioned customer complaint and provide your response to it:
BBB complaint center

Use the following data to login:

Case ID: #1422518
Password: 41964

The Better Business Bureau provides an efficient third-party role, and helps you resolve your customer disputes impartially and on mutually beneficial terms. We develop and maintain online Reliability reports on American companies, available to the Public and used by millions of business customers. A good customer report can have a distinctly positive impact on your business.

We hope for your immediate attention to this matter.

Sincerely,
Honorato Cobb
Dispute Counselor

Better Business Bureau Serving Metropolitan New York, Inc.
30 East 33rd St., 12th Floor
New York, NY 10016
Office Hours: 9-5 Monday through Friday
212.533.6200
Fax: 212.477.4912
Inquiry@newyork.bbb.org

The malicious payload is on 72.14.187.169/q.php?f=e4a98&e=4 and 72.14.187.169/q.php?f=e4a98&e=1  which is a Linode IP (no surprises there!) Blocking access to the IP would be prudent.

Intuit.com spam / icemed.net

It's lunchtime here.. which means that the malware spam campaigns tend to kick off. One of these is this Intuit.com spam:

Date:      Tue, 6 Mar 2012 14:04:46 +0200
From:      "INTUIT INC."
Subject:      Dowload your Intuit.com invoice.

Dear Client:

Thank you for placing an order with Intuit Market. We have received it and will let you know when your order is processed. If you ordered several items, we may process them in more than one shipment (at no extra cost to you) to ensure quicker delivery.

If you have questions about your order, please call 1-800-955-8890.


ORDER INFORMATION

Please download your invoice
id #318651746029 information at Intuit small business website.

NEED HELP?

    Email us at mktplace_customerservice@intuit.com.
    Call us at 1-800-955-8890.
    Reorder Intuit Checks Quickly and Easily starting with
    the information from your previous order.

To help us better serve your needs, please take
a few minutes to let us know how we are doing.
Submit your feedback here.

Thanks again for your order,

Intuit Market Customer Service

Privacy , Legal , Contact Us , About Us

You have received this business communication as part of our efforts to fulfill your request or service your account. You may receive this and other business communications from us even if you have opted out of marketing messages.

Please note: This e-mail was sent from an auto-notification system that cannot accept incoming email
Please do not reply to this message.

If you receive an email message that appears to come from Intuit but that you suspect is a phishing e-mail, please forward it immediately to spoof@intuit.com. Please visit http://security.intuit.com/ for additional security information.


�2011 Intuit, Inc. All rights reserved. Intuit, the Intuit Logo, Quickbooks, Quicken and TurboTax,
among others, are registered trademarks of Intuit Inc.

The malicious payload is at icemed.net/content/ap2.php?f=b74bf and icemed.net/main.php?page=ffa1bed3ef7ceb23 (report here). This is hosted on 213.179.193.132 (Solidhost, Netherlands), 41.64.21.71 (Dynamic ADSL, Egypt). We've seen these IPs before, so they are well worth blocking.

Monday, 5 March 2012

Intuit spam / cogisunet.com

It's Monday.. so it's malware. This new spam run is supposed to be from Intuit.com, but it actually leads to malware hosted on cogisunet.com.

Date:      Mon, 5 Mar 2012 12:30:31 +0100
From:      "INTUIT INC."
Subject:      Please confirm your Intuit.com invoice.

Dear Sir/Madam:

Thank you for buying your accounting software from Intuit Market. We have received it and will send you an e-mail when your order is processed. If you ordered several items, we may deliver them in more than one shipment (at no extra cost to you) to provide faster processing time.

If you have questions about your order, please call 1-800-955-8890.


ORDER INFORMATION

Please download your full invoice
id #221137087563 information at Intuit small business website.

NEED HELP?

    Email us at mktplace_customerservice@intuit.com.
    Call us at 1-800-955-8890.
    Reorder Intuit Checks Quickly and Easily starting with
    the information from your previous order.

To help us better serve your needs, please take
a few minutes to let us know how we are doing.
Submit your feedback here.

Thanks again for your order,

Intuit Market Customer Service

Privacy , Legal , Contact Us , About Us

You have received this business communication as part of our efforts to fulfill your request or service your account. You may receive this and other business communications from us even if you have opted out of marketing messages.

Please note: This e-mail was sent from an auto-notification system that cannot accept incoming email
Please do not reply to this message.

If you receive an email message that appears to come from Intuit but that you suspect is a phishing e-mail, please forward it immediately to spoof@intuit.com. Please visit http://security.intuit.com/ for additional security information.

�2011 Intuit, Inc. All rights reserved. Intuit, the Intuit Logo, Quickbooks, Quicken and TurboTax, among others, are registered trademarks of Intuit Inc.

The malware is hosted on cogisunet.com/banner.php?aid=73a07bcb51f4be7 on 209.59.213.95 (Endurance International, US). The block 209.59.192.0/19 has a significant problem with malware at the moment, you may want to consider blocking IPs more widely.

BBB Spam FAIL / domain.com

Here's a normal looking BBB spam, which typically would lead to malware:

From:     Milford Finn risk@bbb.org
Date:     5 March 2012 10:42
Subject:     BBB have recieved a customer complaint about your company.


Business Owner/Manager,
One of your business customers has filed a complaint with The Better Business Bureau concerning the negative experience he had with your company. The consumer complaint is attached below. Please submit your response to this matter as within 21 days. The most efficient way to provide your response is by using the Online Complaint system. Please follow the following link to access the above-mentioned customer complaint and submit your response to it:
BBB complaint center

Use the following data to login:

Case ID: #2478119
Password: 65950

The Better Business Bureau  acts in the role of a a neutral third party, and helps you resolve your customer disputes fast and efficiently. We develop and support online Reliability reports on American companies, open to the Public and used by millions of business customers. A satisfactory customer report can have a pronounced positive impact on your business.

We hope for your immediate attention to this matter.

Sincerely,
Kenyon Frye
Dispute Counselor 
Except the idiot spammers have forgotten to include the domain name and have left if at what is presumably the default of domain.com:


Unfortunately, next time the spammers will probably get it right.. in the meantime, here are some example subjects being used in this attack:

  • Better Business Bureau needs your urgent attention. 
  • Better Business Bureau customer complaint. 
  • BBB have recieved a customer complaint about your company. 
  • Your company is accused of illegal financial transactions.

Sunday, 4 March 2012

AVB Logistic Company (avb-logistic.com) is a scam

AVB Logistic Company (avb-logistic.com) looks very much like a real company from the website, but in fact it is a scam operation laundering money, targeted primarily at people in Greece and Italy. It also appears to be related to a similar scam site called Landexpo Logistic (landexpo-logistic.com).

This fake company came to my notice because of a series of comments in another thread (original / Google Translated) which indicates that they may have been recruited through a spam run last year.

The AVB Logistics web site looks professional enough, but there's a reason for that which will become apparent:

AVB gives the following "facts" about itself on the web site:

As an external partner, AVB (Manchester), develops a comprehensive range of logistics and service solutions for trade and industry. In 2007, the group generated sales of 2.0 billion euros and currently employs approximately 8,500 staff in 44 countries. AVB operates in all important markets worldwide and has over 400 locations across all continents
It also claims its address to be:

United Kingdom:     AVB
Zenith,
Paycocke Road,
Basildon, Essex
SS14 3DW
   
E-Mail:     contact@avb-logistic.com
Although there is some evidence that they recently changed this from:

AVB Norris road 57. M29 8FH Manchester. Tel.: +44 161 408 1090.
They claim that their shares have been listed in London since 2000 under the stock ticker symbol TGH.


So, what's wrong with this picture. Well, in reverse order..

TGH is indeed a share on the London Stock market, but it belongs to Textainer Group Holdings Limited (as you might expect a with share with those initials).

There is no such company visible in the list of UK Companies (Companies House Webcheck) as AVB Logistic or AVB (Manchester) although there are plenty of innocent companies with the same name.

The address in Basildon belongs to a different company, Cosco Logistics. There are several companies nearby, none of which are called AVB. There appears to be no company called AVB in Basildon at all according to business listings.

There is no Norris Road in the postcode M29 8FH, but there is a Norris Street. Norris Street is very short, it only has about 4 properties on it, so there is no number 57. A Google search for "44 161 408 1090" reveals no credible references, but it does reveal an apparent scam site called landexpo-logistic.com sharing the same number.

According to their website, AVB Logistic has been in business since at least 2000, but their domain name was only registered on 15th January 2012 through a registrar in Russia with anonymous details:

Registration Service Provided By: RU-TLD.RU
Contact: +007.4012971111

Domain Name: AVB-LOGISTIC.COM

Registrant:
    PrivacyProtect.org
    Domain Admin        (contact@privacyprotect.org)
    ID#10760, PO Box 16
    Note - All Postal Mails Rejected, visit Privacyprotect.org
    Nobby Beach
    null,QLD 4218
    AU
    Tel. +45.36946676

Creation Date: 15-Jan-2012 
Expiration Date: 15-Jan-2013

Domain servers in listed order:
    ns1.avb-logistic.com
    ns2.avb-logistic.com

It is unlikely that a large and well-established company would only just have created their web site.

The site is hosted on 46.4.30.11, an IP address allocated to Hetzner in Germany, but then rented out to a Russian hosting company called reserver.ru

And the reason the site looks so professional? Most of it has been copied directly from a legitimate company called Logwin Logistics, you can see this very clearly on some pages. For example, Logwin's page about Graduates looks like this.



The AVB page at avb-logistic.com/university.htm looks like this:


There are several other pages that are a direct copy.

It's obvious that AVB Logisitic is a fake. But what does it do? Basically, it is a money mule operating being used to launder stolen money - typically from hacked bank accounts.

The "mule" is recruited to receive the stolen money from one account, and then send it out via Wire Transfer (for example, Western Union), taking a percentage of the money as commission along the way. So, for example, a bank account is hacked with €10,000 in it, the money is transferred to the "mule" who keeps 10 (€1000) and wires €9000 off to somewhere else (typically Russia or Ukraine).

But what happens next is that the original theft of €10,000 is discovered - but the mule is liable for the whole amount of money, and often this is where the police get involved. At best, the mule has to repay all €10,000, at worst there could be a criminal investigation.

So.. if approached by these people, probably the best thing to do is ignore them completely and do not reply. If you have moved money through your accounts for these people, then the best thing to do is speak to your bank right away.

Friday, 2 March 2012

"USPS-Notification" spam leads to malware

This "USPS-Notification" spam uses a goo.gl redirector to go to pclr.timingexpress.ru then a malware site hosted on 199.19.215.133 (Vexxhost, Canada)

Date:      Fri, 2 Mar 2012 10:56:41 -0500
From:      "03456465È‚"
Subject:      USPS-Notificationá¿› #74050379

#�?77-0915398-10516944-5-120


http://goo.gl/XE84B



 Çªqq06dsgk19y1oup4kt8vrt!

You can see a Wepawet report for the malware here. Blocking access to that IP address might be prudent.

BBB Spam / bitebird.org

Another BBB spam run is in progress leading to malware, this time the payload is on bitebird.org/search.php?page=73a07bcb51f4be71 hosted on 174.136.1.104  (Colo4, US). You know what to do.

Linode blamed for Bitcoin theft

Linode feature so often on this blog that they have their own tag. OK, they're not the worst hosting company in terms of malicious sites on their network, but at the moment they come up regularly.

Now, sometimes a web host is purely black hat - they know exactly what their customers are up to and they don't care. Sometimes a legitimate web host gets duped into renting servers out to the bad guys, but usually they react eventually. Then there's a third possibility - the the servers have been hacked and are running malicious sites without the host's knowledge.

The thing is that over recent weeks, it seems that many servers hosting malware for those BBB / NACHA / IRS / etc emails that many people have been bombarded with look like legitimate servers that have been taken over. Of course, no web host wants to admit that they have insecure management systems, but then sometimes everything comes out in the open.

It turns out that deficiencies in Linode's security has led to the apparent theft of hundreds of thousands of bitcoins (an online currency). As detailed, the attack shows that the attacker appeared to mount the attack with very little trouble, leaving very little evidence behind them except that the bitcoins were missing.

Linode itself acknowledges the problem:

Manager Security Incident

Ensuring the security of our platform is our top priority. We maintain a strong security policy and aim to communicate openly should it ever be compromised. Thus, we are posting to describe a recent incident affecting the Linode Manager.

Here are the facts:

This morning, an intruder accessed a web-based Linode customer service portal. Suspicious events prompted an immediate investigation and the compromised credentials used by this intruder were then restricted.  All activity via the web portal is logged, and an exhaustive audit has provided the following:

All activity by the intruder was limited to a total of eight customers, all of which had references to "bitcoin".  The intruder proceeded to compromise those Linode Manager accounts, with the apparent goal of finding and transferring any bitcoins.  Those customers affected have been notified.  If you have not received a notification then your account is unaffected.  Again, only eight accounts were affected.

The portal does not have access to credit card information or Linode Manager user passwords.  Only those eight accounts were viewed or manipulated -- no other accounts were viewed or accessed.

Security is our number one priority and has been for over eight years. We depend on and value the trust our customers have placed in us. Now, more than ever, we remain committed to ensuring the safety and security of our customers' accounts, and will be reviewing our policies and procedures to prevent this from ever recurring.
The thing is, this server compromise was immediately obvious because of the loss of bitcoins. But where servers are being used for the Blackhole Exploit Kit or other malware, it's a lot more subtle. I suspect that this isn't the first time recently that Linode has been compromised like this.. and it's probably not the only host with the problem. In recent months, the bad guys have moved their exploit servers from Eastern European cesspits to well-known hosts, many of which are based in the US. Is this all part of the same thing?