
Thursday, 5 April 2012

US Airways Spam / 174.140.171.117

Another US Airways spam leading to malware on a Directspace IP (174.140.171.117)

Date:      Thu, 5 Apr 2012 18:54:19 +0700
From:      "US Airways - Reservations" [support@myusairways.com]
Subject:      US Airways online check-in.
   
   
You have to check in from 24 hours and up to 60 minutes before your flight (2 hours if you're flying internationally). After that, all you need to do is print your boarding pass and go to the gate.

Confirmation code: 610235

Check-in online: Online reservation details

   
Flight

5266    
Departure city and time

Washington, DC (DCA) 10:00PM

Depart date: 4/5/2012    

   
We are committed to protecting your privacy. Your information is kept private and confidential. For information about our privacy policy visit usairways.com.

US Airways, 111 W. Rio Salado Pkwy, Tempe, AZ 85281 , Copyright US Airways , All rights reserved.

The malicious payload is on 174.140.171.117 (report here) hosted by Directspace in the US. This is the third time in recent days that Directspace have hosted such a site in this range; the others were 174.140.171.173 (here) and 174.140.166.138 (here).

Malicious spam / Invoice_N{DIG}.zip

We're seeing a huge spam run at the moment with various subjects and attachments, but typically using an HTML-in-ZIP attack with an attachment called Invoice_N{DIG}.zip.

Subjects include:
DHL: DELIVER CONFIRMATION - FAILED 113996
FW: End of Aug. Statement
FW: Scan from a Xerox W. Pro  #7338339
although there are probably many others.

The attachment leads to a multihomed exploit kit (report here) on:
hxxp://41.168.5.140:8080/navigator/jueoaritjuir.php
hxxp://62.85.27.129:8080/navigator/jueoaritjuir.php
hxxp://78.83.233.242:8080/navigator/jueoaritjuir.php
hxxp://180.235.150.72:8080/navigator/jueoaritjuir.php
hxxp://211.44.250.173:8080/navigator/jueoaritjuir.php
hxxp://219.94.194.138:8080/navigator/jueoaritjuir.php

Hosts:
41.168.5.140 (Neotel, South Africa)
62.85.27.129 (Microlink, Latvia)
78.83.233.242 (Spectrum Net, Bulgaria)
180.235.150.72 (Ardh Global, Indonesia)
211.44.250.173 (SK Broadband Co Ltd, Korea)
219.94.194.138 (Sakura Internet Inc, Japan)


Wednesday, 4 April 2012

US Airways Spam / 174.140.166.138


Another one of a spate of fake US Airways emails, with a link leading to malware:

From:     US Airways - Reservations reservations@myusairways.com
Date:     4 April 2012 14:58
Subject:     US Airways online check-in.

You should check in from 24 hours and up to 60 minutes before your flight (2 hours if you're flying abroad). After that, all you have to do is print your boarding pass and go to the gate.

Confirmation code: 266492

Check-in online:  Online reservation details

   
Flight

0312    
Departure city and time

Washington, DC (DCA) 10:00PM

Depart date: 4/5/2012    


We are committed to protecting your privacy. Your information is kept private and confidential. For information about our privacy policy visit usairways.com.

US Airways, 111 W. Rio Salado Pkwy, Tempe, AZ 85281 , Copyright US Airways , All rights reserved.


The malicious payload is on 174.140.166.138 (report here) hosted by Directspace in the US. Avoid.

playbill.com hacked

playbill.com covers listings and tickets for theatre events in New York and London. It's a popular site in the US, ranked 3350 according to Alexa.

Unfortunately, the site has been hacked with exploit code for the Java AtomicReferenceArray unsafe typing (CVE-2012-0507) vulnerability (report here), apparently loading malicious components from dezbvu.dyndns-server.com/forum/s1 (62.76.180.69 - ClodoCloud / IT House Ltd, Russia).

Remember to keep your Java up to date to avoid this sort of drive-by attack.

"End of Aug. Statement" spam / dhjhgfkjsldkjdj.ru

This "End of Aug. Statement" spam uses the same malicious payload as this one earlier today.

From: Margo Lawrence [mailto:robbersab@alumni.insead.edu]
Sent: 04 April 2012 14:17
Subject: Re: FW: End of Aug. Statement

,
as reqeusted I give you inovices issued to you per february (Internet Explorer format).

Regards

Dollie Mcguire  

There's an HTML-in-ZIP attachment, leading to a malicious payload at dhjhgfkjsldkjdj.ru (report here). Blocking access to the IP addresses shown in this post may be prudent.

Intuit.com spam / dhjhgfkjsldkjdj.ru

Another fake Intuit spam leading to malware, this time on dhjhgfkjsldkjdj.ru:

Date:      Wed, 4 Apr 2012 11:33:37 +0100
From:      pXTwWE@gmail.com
Subject:      Dowload your Intuit.com invoice.
Attachments:     Intuit_Order-255798.htm

Dear customer: Thank you for ordering from Intuit Market. We are processing and will message you when your order ships. If you ordered multiple items, we may sned them in more than one delivery (at no extra cost to you) to ensure quicker delivery. If you have questions about your order please call 1-900-374-9959 ($2.89/min).
ORDER INFORMATION
Please download your complete order id #5400523 from the attachment.(Open with Internet Explorer)
©2012 Intuit, Inc. All rights reserved. Intuit, the Intuit Logo, Quickbooks, Quicken and TurboTax, among others, are registered trademarks of Intuit Inc.

The malware is a Phoenix exploit kit at dhjhgfkjsldkjdj.ru:8080/navigator/jueoaritjuir.php (Wepawet Report here) which is multihomed on the IPs below, a very similar list to this recent spam run.

41.66.137.155 (AfricaINX, South Africa)
41.168.5.140 (Neotel Pty, South Africa)
61.187.191.16 (ChinaNet Hunan, China)
62.85.27.129 (Microlink, Latvia)
78.83.233.242 (Spectrum Net JSC, Bulgaria)
78.107.82.98 (Vimpelcom, Russia)
89.218.55.51 (Kazakhtelecom, Kazakhstan)
125.19.103.198 (Bharti Infotel Ltd, India)
180.235.150.72 (Ardh Global, Indonesia)
194.85.97.121 (State Technical University of Saint-Petersburg, Russia)
200.169.13.84 (Comite Gestor Da Internet, Brazil)
202.149.85.37 (Satata Neka Tama, Indonesia)
210.56.23.100 (Commission For Science And Technology, Pakistan)
210.56.24.226 (Commission For Science And Technology, Pakistan)
210.109.108.210 (Sejong Telecom, Korea)
211.44.250.173 (SK Broadband Co Ltd, Korea)
219.94.194.138 (Sakura Internet, Japan)


Tuesday, 3 April 2012

SMS Spam: "We have been trying to contact you regards your recent accident"

These scumbag SMS spammers are at it again:

URGENT: We have been trying to contact you regards your recent accident; you could be due up to £5,100 in compensation. Reply CLAIM for info, STOP to opt out.

In this case, the sender's number is +447788313443 but this will change as the networks block it.

If you get one of these, you should forward the spam and the sender's number to your carrier. In the case of T-Mobile, O2 and Orange the number to report to is 7726 ("SPAM"). Vodafone customers should use 87726 ("VSPAM") and Three customers should use 37726 ("3SPAM"). Hopefully the carriers will act if there are enough complaints.

US Airways Spam / 109.202.98.43

Another US Airways fake email leading to malware:

Date:      Tue, 3 Apr 2012 14:26:03 +0200
From:      "US Airways - Reservations" [reservations@myusairways.com]
Subject:      Confirm your US airways online reservation.
   
You have to check in from 24 hours and up to 60 minutes before your flight (2 hours if you're flying internationally). Then, all you need to do is print your boarding pass and head to the gate.

Confirmation code: 336881

Check-in online: Online reservation details

   
Flight

0989    
Departure city and time

Washington, DC (DCA) 10:00PM

Depart date: 4/5/2012    

We are committed to protecting your privacy. Your information is kept private and confidential. For information about our privacy policy visit usairways.com.

US Airways, 111 W. Rio Salado Pkwy, Tempe, AZ 85281 , Copyright US Airways , All rights reserved.

The malware is on 109.202.98.43/showthread.php?t=73a07bcb51f4be71 (report here) hosted by Global Layer, Netherlands.

"Info in regard to keeping well" spam / ListK LLC

This spam appears to be some sort of probing attack, looking for valid email addresses. In this case, the email was sent to an address that didn't actually exist.

From:     Roy Johnson Roy.Johnson@verif1cationtime4.com
Date:     3 April 2012 06:45
Subject:     Info in regard to keeping well.

This is a one time public service message about Attention Deficit
Hyperactivity Disorder (ADHA) and no further emails will be sent.

ADHD (attention deficit hyperactivity disorder), sometimes called ADD
(attention deficit disorder), is linked with hyperactivity, impulsive
behavior, and attention problems in both children and adults. It's
estimated that up to 12 percent of school-aged children and 6 percent of
adults have ADHD, making it harder for them to focus on tasks, manage
their time, control their behavior, or even sit still.  There is no
single test to diagnose ADD/ADHD. To reach a diagnosis, a doctor or
specialist may do a physical exam to rule out any physical problems, as
well as ask questions about behavior in certain situations.  Treatment is
often a combination of medication and behavioral therapy. The goals of
treatment are to help the person control impulsive behaviors, do better
in school or work, and improve social relationships. Keep well.

This appears to be an attempt to bypass spam filters, and also the relevant spam laws by apparently not being a commercial email message.

In this case, the spam went through a relay at 174.142.85.218, but the originating IP appears to be 208.115.221.34, a Limestone Networks IP suballocated to an outfit called "24Shells, Feasterville, PA 19053, US" who control a small block of 208.115.221.32/29 (208.115.221.32 - 208.115.221.39) in this range.

So far, I have discovered the following (anonymous) domains and IP addresses connected with this spammer:

174.142.85.218 (iWeb / Listk LLC, Canada)
mx.verif1cationtime4.com

208.115.221.34 (Limestone Networks, US. Suballocated to "24Shells, Feasterville, PA 19053, US")
mail.vprtcls3.com

174.142.82.119 (iWeb, Canada)
mail.3vermethod.com

96.31.93.88 (Noc4Hosts, US)
mx.verif1cationtime2.com

209.54.55.171 (Native Hosting, US)
mx.verif1cationtime3.com

216.245.208.34 (24Shells, US)
mail.2vermethod.com

173.236.84.2 (Singlehop, US)
mx.4vermethod.com

74.112.248.179 (Triple8, US)
mail.vprtcls1.com

Out of these IPs, 174.142.85.218 is the most interesting. It belongs to iWeb in Canada (Canada is a great home for spammers) but is suballocated to:

NetRange:       174.142.85.216 - 174.142.85.223
CIDR:           174.142.85.216/29
OriginAS:     
NetName:        IWEB-CL-T215-200CN-1330
NetHandle:      NET-174-142-85-216-1
Parent:         NET-174-142-0-0-1
NetType:        Reassigned
RegDate:        2010-05-14
Updated:        2010-05-14
Ref:            http://whois.arin.net/rest/net/NET-174-142-85-216-1

CustName:       ListK LLC
Address:        1200 Abernathy Road
City:           Atlanta
StateProv:      GA
PostalCode:     30328
Country:        US
RegDate:        2010-05-14
Updated:        2011-11-21
Ref:            http://whois.arin.net/rest/customer/C02496703

ListK LLC has a website at listk.com and is based in Atlanta, Georgia (BBB report here). Their web site gives an indication as to exactly what this spam is about:

NameDiscoverer™ helps clients add net new contacts to their lists by utilizing our proprietary search technology to identify, gather and verify contacts and provide their titles and business email addresses.

SmartSender™ is our state-of-the-art email deployment platform that rotates and pulses emails over multiple servers so your emails never get filtered out as part of a bulk send.

eDNA™ helps companies add fresh, deliverable B2B email addresses to their lists using our proprietary technology - not by matching to an existing, tired list of emails off the shelf.

This describes the spam probe exactly: it uses existing contact details to try to form a valid email address, then probes it from several different IP addresses to try to bypass spam filters.

In my personal opinion, this is unethical and arguably illegal as the spam is indeed part of a commercial offering. If you receive spam from this outfit, you should report it to their hosting providers. I also recommend complaining to the BBB if you are in the US.

Just for reference the mail headers involved are as follows:

Received: from mx.verif1cationtime4.com ([174.142.85.218])
    by ---------- with esmtp (Exim 4.69)
    id 1SEwkh-0006gp-2Y
    for ----------; Tue, 03 Apr 2012 06:58:00 +0100
Received: from 208.115.221.34
        by mail.3vermethod.com (Merak 8.9.1) with ASMTP id NJW04750
        for <---------->; Tue, 03 Apr 2012 01:45:50 -0400
Status:
Message-ID: <20120403014518.8b1d3b8d2d@3b5e>
From: "Roy Johnson"
To: ----------
Date: Tue, 3 Apr 2012 01:45:18 -0400
X-Priority: 3
X-Mailer: SkillCaster
MIME-Version: 1.0
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on
    ----------
X-Spam-Level:
X-Spam-Status: No, score=0.0 required=5.0 tests=none autolearn=disabled
    version=3.2.5
Subject: Info in regard to keeping well.
Content-Type: text/plain;
    charset="us-ascii"
Content-Transfer-Encoding: 7bit
Delivered-To: ----------
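
The relay-versus-origin reading of those headers can be reproduced mechanically. The following Python sketch is an added example, not part of the original post: it walks the Received chain from a trimmed copy of the headers above and checks each hop against the two /29 blocks mentioned in the post. The function names are made up for this illustration.

```python
import ipaddress
import re
from email import message_from_string

# Trimmed copy of the headers quoted in the post (recipient details already redacted).
RAW_HEADERS = """\
Received: from mx.verif1cationtime4.com ([174.142.85.218])
    by ---------- with esmtp (Exim 4.69)
    id 1SEwkh-0006gp-2Y
    for ----------; Tue, 03 Apr 2012 06:58:00 +0100
Received: from 208.115.221.34
        by mail.3vermethod.com (Merak 8.9.1) with ASMTP id NJW04750
        for <---------->; Tue, 03 Apr 2012 01:45:50 -0400
Message-ID: <20120403014518.8b1d3b8d2d@3b5e>
From: "Roy Johnson"
Subject: Info in regard to keeping well.

"""


def parse_hop(value):
    """Split one Received header into the sending name, sending IP and receiving host."""
    text = " ".join(value.split())              # undo header folding
    from_part, _, by_part = text.partition(" by ")
    match = re.match(r"from\s+(\S+)", from_part)
    helo = match.group(1) if match else None
    # Prefer the bracketed address recorded by the receiver; fall back to a literal IP name.
    bracketed = re.search(r"\[([0-9A-Fa-f:.]+)\]", from_part)
    candidate = bracketed.group(1) if bracketed else helo
    try:
        ip = str(ipaddress.ip_address(candidate)) if candidate else None
    except ValueError:
        ip = None                               # a hostname with no recorded address
    return {"helo": helo, "ip": ip, "by": by_part.split(" ")[0] if by_part else None}


def trace(raw_headers):
    """Return hops in travel order: claimed origin first, your own server's hop last.

    Each server prepends its Received line, so the topmost header is the newest.
    Only the hop written by your own server is trustworthy; older ones are
    supplied by the sending side and can be forged.
    """
    received = message_from_string(raw_headers).get_all("Received") or []
    return [parse_hop(value) for value in reversed(received)]


def in_block(ip, cidr):
    """True when a hop's address falls inside the given allocation."""
    return ip is not None and ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)


def handoff_mismatches(hops):
    """Pairs where the host that accepted a message is not the name the next hop saw.

    This is common with internal relays, so treat it as a prompt to look closer.
    """
    return [(a["by"], b["helo"]) for a, b in zip(hops, hops[1:]) if a["by"] != b["helo"]]


if __name__ == "__main__":
    hops = trace(RAW_HEADERS)
    for hop in hops:
        print(hop, "24Shells /29:", in_block(hop["ip"], "208.115.221.32/29"),
              "ListK /29:", in_block(hop["ip"], "174.142.85.216/29"))
    print("handoff mismatches:", handoff_mismatches(hops))
```
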

Monday, 2 April 2012

US Airways Spam / 174.140.171.173

This spam appears to be from US Airways, but it actually leads to malware on 174.140.171.173.

From:     US Airways - Reservations support@myusairways.com
Date:     2 April 2012 15:15
Subject:     US Airways online check-in confirmation.   
   
You have to check in from 24 hours and up to 60 minutes before your flight (2 hours if you're flying abroad). After that, all you need to do is print your boarding pass and proceed to the gate.

Confirmation code: 778136

Check-in online:  Online reservation details

   
Flight

7557    
Departure city and time

Washington, DC (DCA) 10:00PM

Depart date: 4/5/2012    

We are committed to protecting your privacy. Your information is kept private and confidential. For information about our privacy policy visit usairways.com.

US Airways, 111 W. Rio Salado Pkwy, Tempe, AZ 85281 , Copyright US Airways , All rights reserved. 

The link goes through a couple of legitimate hacked sites and ends up at 174.140.171.173/showthread.php?t=73a07bcb51f4be71 which contains a malicious payload. This IP is hosted by Directspace in the US.

Saturday, 31 March 2012

txt4aloan.co.uk SMS spam / Sellers Griffin Ltd

I hate SMS Spam.. this one is particularly annoying.

Loan update: Brand new lender, up to £1000 instant approval all online. No Fees. www.txt4aloan.co.uk Cash within 15 mins. Any credit ok. To opt out reply stop.

In this case the sender was +447867397593 although this will probably change when the number gets blocked by the networks.

So who are txt4aloan.co.uk? Well, that's actually a bit unclear because their website claims that they are Sellers Griffin Ltd, and a quick check at Companies House reveals that there is indeed such a firm at the address they claim:

SELLERS GRIFFIN LIMITED
PEEL HOUSE
30 THE DOWNS
ALTRINCHAM
CHESHIRE
WA14 2PX


Sellers Griffin Ltd appears to be owned by someone called Will King. Essentially, this is a lead generator company who think that SMS spam is an appropriate way to drum up business.

However, the WHOIS details for the txt4aloan.co.uk website are completely different:

Domain name:
        txt4aloan.co.uk

    Registrant:
        Inter Financial Ltd

    Registrant type:
        Unknown

    Registrant's address:
        Mont Crevelt House
        St Sampson
        Guernsey
        GY2 4LH
        United Kingdom

That's a completely different company from Sellers Griffin, and again it really does exist (it has its own website on inter-financial.co.uk). Why are there two unrelated entities? It beats us, but it certainly is odd.

Anyway.. a closer look at txt4aloan.co.uk shows just what kind of company they are. Right at the bottom of the page, you can see the interest rate that they charge:
Representative 1737% APR
No.. that's not 17.37%, that's one thousand, seven hundred and thirty-seven percent interest. No wonder they can afford to send out random SMS spam for that kind of money..

If you get one of these, you should forward the spam and the sender's number to your carrier. In the case of T-Mobile, O2 and Orange the number to report to is 7726 ("SPAM"). Vodafone customers should use 87726 ("VSPAM") and Three customers should use 37726 ("3SPAM"). Hopefully the carriers will act if there are enough complaints.

Friday, 30 March 2012

USPS Spam / 174.140.163.119

And there's yet another USPS spam doing the rounds. This time the malicious payload is on 174.140.163.119 (Directspace US, report here).

Block access to that IP if you can.

USPS Spam / 50.116.19.155

Yet another USPS spam is doing the rounds, this time leading to a malicious payload on 50.116.19.155.

Date:      Fri, 30 Mar 2012 13:47:28 +0200
From:      "Danielle Connor" [USPS_Shipping_Services@usps.com]
Subject:      Your USPS shipment postage labels receipt.


Acct #: 7112220

Dear client:

This is an email confirmation for your order of 2 online shipping label(s) with postage. We will charge you the following amount:

Transaction Number: #2056017
Print Date/Time: 03/14/2012 02:30 AM CST
Postage Amount: $25.69
Credit Card Number: XXXX XXXX XXXX XXXX

Priority Mail Regional Rate Box B # 4065 2488 7608 7525 8269 (Sequence Number 1 of 1)

   

If you need further information, please log on to www.usps.com/clicknship and go to your Shipping History or visit our Frequently Asked Questions .

You can refund your unused postage labels up to 14 days after the issue date by logging on to your Click-N-Ship Account.

Thank you for choosing the United States Postal Service

Click-N-Ship: The Online Shipping Solution

Click-N-Ship has just made on line shipping with the USPS even better.

New Enhanced International Label and Customs Form: Updated Look and Easy to Use!

* * * * * * * *

This is a post-only message

The malicious payload is on 50.116.19.155/data/ap2.php?f=4203d and 50.116.19.155/showthread.php?t=73a07bcb51f4be71 (report here) hosted by Linode.

Thursday, 29 March 2012

USPS Spam / 50.56.208.113

Currently there is an email attack running similar to this one earlier today, but in this case the malware is on 50.56.208.113:8080/showthread.php?t=73a07bcb51f4be7 (report here), hosted on Slicehost in the US. Another Slicehost IP to block!

USPS Spam / clearschooner.com

Another USPS spam leading to malware on clearschooner.com:

Date:      Thu, 29 Mar 2012 09:02:35 -0300
From:      "Leonardo Randolph" [USPS_Shipping_Services@usps.com]
Subject:      Your USPS shipment postage labels receipt.


Acct #: 8481973

Dear client:

This is an email confirmation for your order of 1 online shipping label(s) with postage. Your credit card will be charged the following amount:

Transaction ID: #2392415
Print Date/Time: 03/13/2012 02:30 AM CST
Postage Amount: $41.63
Credit Card Number: XXXX XXXX XXXX XXXX

Priority Mail Regional Rate Box B # 0354 0258 5729 7186 4971 (Sequence Number 1 of 1)

   

For further information, please log on to www.usps.com/clicknship and go to your Shipping History or visit our Frequently Asked Questions .

You can refund your unused postage labels up to 14 days after the issue date by logging on to your Click-N-Ship Account.

Thank you for choosing the United States Postal Service

Click-N-Ship: The Online Shipping Solution

Click-N-Ship has just made on line shipping with the USPS even better.

New Enhanced International Label and Customs Form: Updated Look and Easy to Use!

* * * * * * * *

This is an automatically generated message. Please do not respond

The malware is on clearschooner.com/showthread.php?t=73a07bcb51f4be71 (report here), hosted on 50.116.50.82 (Linode, US). Blocking the IP will prevent other malicious sites on the same IP from being a problem.

"Scan from a Xerox WorkCentre Pro #25825448" spam / samsonikonyou.ru

Another malicious HTML-in-ZIP attack, this time leading to malware on samsonikonyou.ru.

From: ROSALBA Poe [mailto:victimname@hotmail.com]
Sent: 28 March 2012 19:34
Subject: Scan from a Xerox WorkCentre Pro #25825448

Please open the attached document. It was scanned and sent

to you using a Xerox Center Pro .
Sent by: Guest
Number of Images: 8
Attachment File Type: .HTML

Device Name: XR550PDD9SM84547752

In the ZIP is an HTML file called Invoice_NO_Mailen.htm which contains obfuscated javascript leading to a malware site on samsonikonyou.ru:8080/navigator/jueoaritjuir.php (report here). This is hosted on a similar set of IPs to this attack yesterday.

41.66.137.155 (AfricaINX, South Africa)
41.168.5.140 (Neotel Pty, South Africa)
61.187.191.16 (ChinaNet Hunan, China)
62.85.27.129 (Microlink, Latvia)
78.83.233.242 (Spectrum Net JSC, Bulgaria)
125.19.103.198 (Bharti Infotel Ltd, India)
180.235.150.72 (Ardh Global, Indonesia)
202.143.147.35 (Ministry of Education, Thailand)
202.149.85.37 (Satata Neka Tama, Indonesia)
210.56.23.100 (Commission For Science And Technology, Pakistan)
210.56.24.226 (Commission For Science And Technology, Pakistan)
210.109.108.210 (Sejong Telecom, Korea)
211.44.250.173 (SK Broadband Co Ltd, Korea)
216.24.194.2 (Psychz Networks, US)
219.94.194.138 (Sakura Internet, Japan)


Wednesday, 28 March 2012

"Scan from a Hewlett-Packard ScanJet" with zip attachment / superproomgh.ru

This fake HP email has a ZIP attachment, containing an HTML file that leads to malware. The ZIP format is presumably being used to get past virus scanners.

Subject: Re:  Scan from a Hewlett-Packard ScanJet 20382282 


Attached document was scanned and sent
to you using a Hewlett-Packard NetJet 280904SL.

SENT BY : ETSUKO
PAGES : 9
FILETYPE: .HTM [Internet Explorer File]
(See attached file: HP_Jet_27_P683.zip)

The HTML file leads to malware at superproomgh.ru:8080/navigator/jueoaritjuir.php (report here) which is multihomed on the following IPs:

41.168.5.140 (Neotel Pty, South Africa)
61.187.191.16 (ChinaNet Hunan, China)
62.85.27.129 (Microlink, Latvia)
78.83.233.242 (Spectrum Net JSC, Bulgaria)
125.19.103.198 (Bharti Infotel Ltd, India)
202.143.147.35 (Ministry of Education, Thailand)
202.149.85.37 (Satata Neka Tama, Indonesia)
210.56.23.100 (Commission For Science And Technology, Pakistan)
210.56.24.226 (Commission For Science And Technology, Pakistan)
210.109.108.210 (Sejong Telecom, Korea)
211.44.250.173 (SK Broadband Co Ltd, Korea)
219.94.194.138 (Sakura Internet, Japan)
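
Because the HTML file is wrapped in a ZIP, a mail filter has to open the archive to see it. The following Python sketch is an added example, not part of the original post: it inspects ZIP attachments for HTML members that carry script, which is the delivery method described in this post and the Xerox one above. The sample archives are constructed here with harmless content, and the obfuscation hints and quarantine policy are assumptions for illustration.

```python
import io
import re
import zipfile

HTML_SUFFIXES = (".htm", ".html")
MAX_MEMBER_BYTES = 1_000_000  # cap reads so a crafted archive cannot exhaust memory
SCRIPT_TAG = re.compile(rb"<\s*script\b", re.IGNORECASE)
# Assumed heuristics: calls often seen in packed script, not taken from the page's samples.
OBFUSCATION_HINTS = re.compile(rb"\b(eval|unescape|fromCharCode|document\.write)\b")


def inspect_zip(data):
    """Return {member name: [reasons]} for HTML members that deserve a closer look."""
    findings = {}
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return {"<archive>": ["not-a-valid-zip"]}
    with archive:
        for info in archive.infolist():
            if info.is_dir() or not info.filename.lower().endswith(HTML_SUFFIXES):
                continue
            if info.flag_bits & 0x1:  # encrypted member: content cannot be scanned
                findings[info.filename] = ["encrypted-html"]
                continue
            with archive.open(info) as member:
                body = member.read(MAX_MEMBER_BYTES)
            reasons = []
            if SCRIPT_TAG.search(body):
                reasons.append("script-tag")
            hints = sorted({m.group(1).decode() for m in OBFUSCATION_HINTS.finditer(body)})
            reasons.extend("hint:" + hint for hint in hints)
            if reasons:
                findings[info.filename] = reasons
    return findings


def should_quarantine(findings):
    """Policy assumed here: hold archives whose HTML carries script or cannot be read."""
    blocking = ("script-tag", "encrypted-html", "not-a-valid-zip")
    return any(reason in blocking for reasons in findings.values() for reason in reasons)


def build_zip(members):
    """Build an in-memory ZIP from {name: text} so the example runs offline."""
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w") as archive:
        for name, content in members.items():
            archive.writestr(name, content)
    return buffer.getvalue()


# Constructed samples. The member name is the one reported in the Xerox post;
# the script is harmless and simply writes "Hi".
SUSPECT_ZIP = build_zip({
    "Invoice_NO_Mailen.htm":
        '<html><body><script>document.write(unescape("%48%69"))</script></body></html>',
})
PLAIN_ZIP = build_zip({
    "notes.txt": "quarterly figures",
    "readme.html": "<html><body><p>No script here.</p></body></html>",
})

if __name__ == "__main__":
    for label, blob in (("suspect", SUSPECT_ZIP), ("plain", PLAIN_ZIP)):
        result = inspect_zip(blob)
        print(label, result, "quarantine" if should_quarantine(result) else "deliver")
```
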



Tuesday, 27 March 2012

USPS Spam / 184.82.202.46

From WeAreSpammers:

This link goes to malware via baumanmarketing.com (195.78.33.120, Croatia.. most likely a hacked legitimate site) then it goes to billdirect.jiffyinc.com (184.106.64.60, Slicehost UK) until it hits a malware page on 184.82.202.46 (HOSTNOC, US). Originating IP is 111.242.113.138 (HINET, Taiwan). A Wepawet report is available here.

---

From: Damon Mcneill USPS_Shipping_Services@usps.com
To: donotemail@wearespammers.com
Date: 27 March 2012 12:06
Subject: USPS postage labels order confirmation.

Your USPS delivery
Acct #: 9869890

Dear client:

This is an email confirmation for your order of 5 online shipping label(s) with postage. We will charge you the following amount:

Transaction Number: #7887095
Print Date/Time: 03/13/2012 02:30 AM CST
Postage Amount: $23.88
Credit Card Number: XXXX XXXX XXXX XXXX

Priority Mail Regional Rate Box B # 1653  4367  1992  2294  3630  (Sequence Number 1 of 1)



If you need further information, please log on to www.usps.com/clicknship and go to your Shipping History or visit our Frequently Asked Questions .

Refunds for unused postage-paid labels can be requested online up to 14 days after the issue date by logging on to your Click-N-Ship Account.

Thank you for choosing the United States Postal Service

Click-N-Ship: The Online Shipping Solution

Click-N-Ship has just made on line shipping with the USPS even better.

New Enhanced International Label and Customs Form: Updated Look and Easy to Use!

* * * * * * * *

This is a post-only message

Monday, 26 March 2012

Evil network: Komplit Plyus LLC / AS56697 (91.226.78.0/24)

I came across Komplit Plyus LLC / AS56697 (91.226.78.0/24) while having a look at this injection attack. At first glance it looked like everything in this /24 was dodgy. After taking a close look, I cannot find a single legitimate site in this range and would strongly recommend that you block it.

A full list of domains and MyWOT scores can be found here. Alternatively, I have highlighted some of the non-pharma sites below, which appear to contain malware sites, money mule sites and other nastiness.


gbfhju.com/r.php injection attack in progress

I haven't seen much buzz about this injection attack yet, but several hundred thousand pages have been infected with an injection attack pointing to gbfhju.com/r.php.

According to this Google search there are 236,000 hits for the search string "gbfhju.com/r.php". The sites seem to be randomly distributed through the web, although I couldn't spot any infected UK or US Government or University sites.

The domain gbfhju.com is registered with a set of details that should be familiar to IT security researchers:

Domain name: gbfhju.com

Registrant Contact:
   JamesNorthone
   James Northone jamesnorthone@hotmailbox.com
   +1.5168222749 fax: +1.5168222749
   128 Lynn Court
   Plainview NY 11803
   us

Administrative Contact:
   James Northone jamesnorthone@hotmailbox.com
   +1.5168222749 fax: +1.5168222749
   128 Lynn Court
   Plainview NY 11803
   us

Technical Contact:
   James Northone jamesnorthone@hotmailbox.com
   +1.5168222749 fax: +1.5168222749
   128 Lynn Court
   Plainview NY 11803
   us

Billing Contact:
   James Northone jamesnorthone@hotmailbox.com
   +1.5168222749 fax: +1.5168222749
   128 Lynn Court
   Plainview NY 11803
   us

DNS:
ns1.dnsexit.com
ns2.dnsexit.com
ns3.dnsexit.com
ns4.dnsexit.com

Created: 2012-03-17
Expires: 2013-03-17


These details are connected to the LizaMoon gang. The site is hosted on 91.226.78.148 which is Komplit Plyus in Russia. 91.226.78.0/24 is a real sewer of malware sites, money mule and phishing sites and fake pharma outlets and is well worth blocking.

The following domains are hosted on 91.226.78.148 and they can all be assumed to be dangerous:

fgthyj.com
gbfhju.com
hjfghj.com
statsmy.com
stmyst.com
yourpagestat.com
yourpagestats.com


These other domains are also being used in injection attacks (usually overlapping each other). Blocking the IP range will stop any other attacks coming from this hosting provider.