Subject: Signal LinkedIn MailThe malware is on 199.115.229.55/showthread.php?t=977334ca118fcb8c (report here) hosted by Volumedrive in the US, which subsequently tries to download further malware from electrosa.com/8zvW2XE.exe (a site that has been used a lot in recent days). That domain and IP are worth blocking.
REMINDERS
Invitation reminders:
• From Scott Burwell (Product Director at SNCF)
PENDING MESSAGES
• There are a total of 44 messages awaiting your response. Visit your InBox now.
Don't want to receive email notifications? Adjust your message settings.
LinkedIn values your privacy. At no time has LinkedIn made your email address available to any other LinkedIn user without your permission. © 2012, LinkedIn Corporation.
Thursday, 26 April 2012
LinkedIn spam / 199.115.229.55
This LinkedIn spam leads to malware on 199.115.229.55 after bouncing through a couple of legitimate hacked sites, a technique that we haven't seen for a couple of weeks.
Facebook spam / bioldrugstore.com
This fake Facebook spam leads to a fake pharma site, but it could easily be adapted for malware.
The payload is a pharma site at bioldrugstore.com hosted on 61.132.200.24 and 111.123.180.9 in China (two IPs that are full of fake pharma stores) and 213.162.209.177 in Spain.
This type of spam run can easily be adapted for malware, so keep an eye out for unexpected Facebook notifications.
Date: Thu, 26 Apr 2012 09:33:46 -0700
From: "Facebook" [notification+xxxxxxxxxxx@facebookemail.com]
Subject: Welcome back to Facebook
Hello,
The Facebook account associated with xxxxxxxxxxx was recently reactivated.
If you were not the one who reactivated this account, please visit our Help Center to cancel the request.
http://www.facebook.com/help/?topic=security
Thanks,
The Facebook Team
The payload is a pharma site at bioldrugstore.com hosted on 61.132.200.24 and 111.123.180.9 in China (two IPs that are full of fake pharma stores) and 213.162.209.177 in Spain.
This type of spam run can easily be adapted for malware, so keep an eye out for unexpected Facebook notifications.
Labels:
China,
Facebook,
Fake Pharma,
Printer Spam
Wednesday, 25 April 2012
Facebook spam / 216.119.142.235
Some fake Facebook spam leading to malware, this time on 216.119.142.235.
The malicious payload can be found on 216.119.142.235/showthread.php?t=34c79594e8b8ac0f (report here) hosted by A2 Hosting in the US.
Date: Wed, 25 Apr 2012 05:48:16 +0200
From: Facebook [notification+n6vn0x357cp5@facebookmail.com]
Subject: CARMELLA OSBORN wants to be friends on Facebook.
CARMELLA OSBORN wants to be friends with you on Facebook.
CARMELLA OSBORN
Confirm Friend Request
See All Requests
This message was sent to xxxxxxxxxxxx. If you don't want to receive these emails from Facebook in the future or have your email address used for friend suggestions, please click: unsubscribe.
Facebook, Inc. Attention: Department 415 P.O Box 10005 Palo Alto CA 94303
The malicious payload can be found on 216.119.142.235/showthread.php?t=34c79594e8b8ac0f (report here) hosted by A2 Hosting in the US.
Something evil on 85.17.222.80, lpicture.info and ghjvodka.info
Some sites appear to have been hit by a sophisticated multi-part injection attack that triggers only once per IP (so difficult to track down).
There are two injected elements, one is a .in site hosted on 85.17.222.80 [Leaseweb, Netherlands] which could be one of the following:
sds.vaselisa.in
dds.kiriloid.in
drf.yerevano.in
sddr.margarit.in
cd.fancyclu.in
There's a pretty inconclusive Wepawet report here but be assured that these domains have a malicious payload.
The second injection is a reference to lpicture.info which is hosted on 95.168.173.151, this is a Leasweb Germany IP address suballocated to inferno.name who appear to be a Serbian firm fronted in the UK. I strongly recommend blocking all their IP ranges (listed here) if you can. lpicture.info merely forwards to a malicious payload on ghjvodka.info (report here) and that in turn is listed on 37.59.198.55 (OVH, France) along with some other suspect looking sites that lead be to conclude that this IP address is worth blocking too:
ns2.deftheory.org
abcvodka.info
defvodka.info
ghjvodka.info
abcfree.info
ns1.abcfree.info
deffree.info
ghjfree.info
ns1.ghjfree.info
klmfree.info
opqfree.info
ns1.opqfree.info
rstfree.info
uvwfree.info
ns1.uvwfree.info
xyzfree.info
ns1.xyzfree.info
deflocal.info
ns1.deflocal.info
ghjlocal.info
klmlocal.info
noplocal.info
ghjseat.info
klmseat.info
ns1.klmseat.info
This malware seems to be quite good at avoid analysis. But if you can block these IPs then I strongly recommend that you block them.
There are two injected elements, one is a .in site hosted on 85.17.222.80 [Leaseweb, Netherlands] which could be one of the following:
sds.vaselisa.in
dds.kiriloid.in
drf.yerevano.in
sddr.margarit.in
cd.fancyclu.in
There's a pretty inconclusive Wepawet report here but be assured that these domains have a malicious payload.
The second injection is a reference to lpicture.info which is hosted on 95.168.173.151, this is a Leasweb Germany IP address suballocated to inferno.name who appear to be a Serbian firm fronted in the UK. I strongly recommend blocking all their IP ranges (listed here) if you can. lpicture.info merely forwards to a malicious payload on ghjvodka.info (report here) and that in turn is listed on 37.59.198.55 (OVH, France) along with some other suspect looking sites that lead be to conclude that this IP address is worth blocking too:
ns2.deftheory.org
abcvodka.info
defvodka.info
ghjvodka.info
abcfree.info
ns1.abcfree.info
deffree.info
ghjfree.info
ns1.ghjfree.info
klmfree.info
opqfree.info
ns1.opqfree.info
rstfree.info
uvwfree.info
ns1.uvwfree.info
xyzfree.info
ns1.xyzfree.info
deflocal.info
ns1.deflocal.info
ghjlocal.info
klmlocal.info
noplocal.info
ghjseat.info
klmseat.info
ns1.klmseat.info
This malware seems to be quite good at avoid analysis. But if you can block these IPs then I strongly recommend that you block them.
Labels:
inferno.name,
Injection Attacks,
Leaseweb,
Malware,
OVH,
Viruses
Something evil on 82.211.45.81 and 82.211.45.82
82.211.45.81 (Accelerated IT Services GmbH, Germany) is another server with a bunch of subdomains of hacked GoDaddy accounts, apparently being used to deliver payloads from other sites that have a hacked .htaccess file.
82.211.45.0/24 doesn't appear to host anything at all apart from these malicious sites and is a good candidate to block.
The hacked GoDaddy accounts have been set to point everything except www. to the server on 82.211.45.81. Hacked domains on this server appear to be:
revolution-clan.com
banknewsdirectories.com
psychicwireless.com
greenbankingemagazine.com
greenbankingemag.com
Many of these hijacked domains are registered to:
BankNews Publications
5115 Roe Blvd, Ste 200
Shawnee Mission, Kansas 66205
United States
It appears that BankNews Publications have lost control of their GoDaddy account.
82.211.45.81 will actually resolve for any subdomain at all for these hacked domains, but these are a sample of malicious subdomains hosted on this server:
jiqjmiglxjmedma.greenbankingemagazine.com
xihjpxpomxfjra.greenbankingemagazine.com
eqokikmxjmivxhb.greenbankingemagazine.com
xhfbjaimtcxmymb.greenbankingemagazine.com
hrxjxmesskisnxb.greenbankingemagazine.com
icmiiycxxfmevhxdc.greenbankingemagazine.com
imliismmsfdxtld.greenbankingemagazine.com
iayxdmbrqsmue.greenbankingemagazine.com
frbiptiuimxsmwe.greenbankingemagazine.com
xhbixmhmmipxsnkye.greenbankingemagazine.com
ibimuijzrxqlgmf.greenbankingemagazine.com
eimxgjruxpf.greenbankingemagazine.com
xgbgpuicyxmcsf.greenbankingemagazine.com
ixmfisqirydauf.greenbankingemagazine.com
bmnufhoixlg.greenbankingemagazine.com
hqvqbwmqqimxxmg.greenbankingemagazine.com
axvsiqiyminyug.greenbankingemagazine.com
gfmeivxnpiizfh.greenbankingemagazine.com
cxvrqiorimxgh.greenbankingemagazine.com
emkksximxuwiglh.greenbankingemagazine.com
mxmgohioxwexnyh.greenbankingemagazine.com
ijxeowhxemiumuij.greenbankingemagazine.com
gizhpirtxlmxmmkrj.greenbankingemagazine.com
exvmxopmispfwj.greenbankingemagazine.com
jmisxvxyxkymymsk.greenbankingemagazine.com
mipboqmkhxk.greenbankingemagazine.com
hlxgpiwhmemkmxk.greenbankingemagazine.com
gnmmbuoikxphiml.greenbankingemagazine.com
wehherixammvmsl.greenbankingemagazine.com
mxesvvmjvrmipixl.greenbankingemagazine.com
gmxsgedclvimin.greenbankingemagazine.com
mhvhfxixmauoun.greenbankingemagazine.com
xmltmwnixunvjo.greenbankingemagazine.com
xiegvmslxpqxiicp.greenbankingemagazine.com
miexxiivpfrcstmp.greenbankingemagazine.com
ixxevkmeipurmnp.greenbankingemagazine.com
emhxxjikflnimyp.greenbankingemagazine.com
ixicqgodvmisgq.greenbankingemagazine.com
gxcoximiwdidyjhq.greenbankingemagazine.com
exhymgkixnilbr.greenbankingemagazine.com
gcjnigxxmgvkir.greenbankingemagazine.com
hbjpmjfwmvidmxir.greenbankingemagazine.com
xeftvrmijbjr.greenbankingemagazine.com
imgximffxnzhhemr.greenbankingemagazine.com
cqimhvmrxrmbnr.greenbankingemagazine.com
xifmcxfairyuymt.greenbankingemagazine.com
mxhlieitefmkpt.greenbankingemagazine.com
xmfxiignkgefzlu.greenbankingemagazine.com
mmfimxggguihjxyu.greenbankingemagazine.com
thiqxxtgisqobmiv.greenbankingemagazine.com
dmxinxeoesimxivmjpv.greenbankingemagazine.com
foxfqgqaimkrv.greenbankingemagazine.com
mcbhxyxnikwrhw.greenbankingemagazine.com
bjetxchegicmiy.greenbankingemagazine.com
xfxpizijvmmsrqiy.greenbankingemagazine.com
gxrimhyukcxmiujy.greenbankingemagazine.com
mhmxjnpincxqly.greenbankingemagazine.com
iesqabdoumximz.greenbankingemagazine.com
ihmmlxgpyykvmz.greenbankingemagazine.com
hncrpmvdxibixmxa.greenbankingemag.com
cjkximmyjmgixvbza.greenbankingemag.com
himrnxxzwoiumza.greenbankingemag.com
gumiivcoiexfvmc.greenbankingemag.com
iihxmxrlyizympzc.greenbankingemag.com
mgifxrmvjmid.greenbankingemag.com
fimbigxycwibfme.greenbankingemag.com
hrxijizjivtjcmf.greenbankingemag.com
mmgobixyixhemqyig.greenbankingemag.com
lkqjimmimxgng.greenbankingemag.com
gsnxmimxixfsqihymkh.greenbankingemag.com
bjaxieuamimvxvph.greenbankingemag.com
mesxxlhiosh.greenbankingemag.com
ihjuxbmfkxznixh.greenbankingemag.com
mfhkcifavyxxh.greenbankingemag.com
hsmxmmndvxigxsidij.greenbankingemag.com
zsmbdqvbimbxrik.greenbankingemag.com
jxumeqpvhipixk.greenbankingemag.com
jyzxmxktxipl.greenbankingemag.com
mhupgmtgixkbn.greenbankingemag.com
zexrmixhxqvtsrin.greenbankingemag.com
goxixmggdxrdmpn.greenbankingemag.com
meirqvmmxjjxqkio.greenbankingemag.com
hirqrexuxixadmo.greenbankingemag.com
bxlfiszdqdxmixrip.greenbankingemag.com
hqucyipjmoxmp.greenbankingemag.com
ixhrhjmvllifxgmr.greenbankingemag.com
alvpvmboxixgsu.greenbankingemag.com
immhrnjpomieijxu.greenbankingemag.com
eailofxsmlwxaw.greenbankingemag.com
hrbfigxmkgy.greenbankingemag.com
mihskdifqfnxmcxy.greenbankingemag.com
mehjuxipsnbib.revolution-clan.com
hmjujigmkxfgxb.revolution-clan.com
gxqemihgmxfmtec.revolution-clan.com
mailbfhqcxqnc.revolution-clan.com
hxlilulrxmmqvc.revolution-clan.com
xeiaocohgixjme.revolution-clan.com
ltmxmjpxrmopioe.revolution-clan.com
idbkkgmjxymkipf.revolution-clan.com
cixvitmkguocxf.revolution-clan.com
hxpmvviqqpixiag.revolution-clan.com
fmxrxvmwimnzhiyig.revolution-clan.com
mfaoodswxixiekxg.revolution-clan.com
fmexxnnuiqihmfh.revolution-clan.com
imgjoxmrutfihj.revolution-clan.com
caxilhipuqumhmj.revolution-clan.com
igrjonnqgxximximj.revolution-clan.com
zkziwmijjxhobxmj.revolution-clan.com
mxwyxspkzbjmipk.revolution-clan.com
hxtsvxvtifmvirk.revolution-clan.com
gmsixlmqohxxql.revolution-clan.com
mhsjwmiehbxpiln.revolution-clan.com
emhinyyybqfxo.revolution-clan.com
jsxkmlxbxjreiq.revolution-clan.com
mmjvxexmyiravxnq.revolution-clan.com
xxacnrzimihhxayq.revolution-clan.com
xfhioimkynmltfs.revolution-clan.com
gebdxeivxhmls.revolution-clan.com
amibxpmvxjizqmvht.revolution-clan.com
igevqsxmnxqdmiit.revolution-clan.com
hmxjmiiugnxrhou.revolution-clan.com
meiqpqixrhamxzu.revolution-clan.com
hpiixmflehmmv.revolution-clan.com
xamiyicvhlxmiuov.revolution-clan.com
bshmmvxmvngixv.revolution-clan.com
ximxelmimdariya.banknewsdirectories.com
xihreeumnkkb.banknewsdirectories.com
xfgngivmpinmlb.banknewsdirectories.com
hxmrvtgfivivb.banknewsdirectories.com
eipcnxptdmximc.banknewsdirectories.com
mfrixougkoixmoc.banknewsdirectories.com
lxiqxmckvfe.banknewsdirectories.com
mfimgoexrmxkrliie.banknewsdirectories.com
epijmmqfqorxie.banknewsdirectories.com
fiihgxgeexmdvxme.banknewsdirectories.com
hzdxvktqcimxe.banknewsdirectories.com
fihlysaiajxmf.banknewsdirectories.com
cyismxdeixorrf.banknewsdirectories.com
gmsvijiqpxuxxmsrf.banknewsdirectories.com
migsoowwmrbxf.banknewsdirectories.com
wvixxyqemxf.banknewsdirectories.com
ijraqaymmmixbg.banknewsdirectories.com
migydrxjietrmg.banknewsdirectories.com
maxmiuxynjuiyg.banknewsdirectories.com
gifkkxiejimeah.banknewsdirectories.com
hqymxltxxiymztk.banknewsdirectories.com
lrmbkemoxpumil.banknewsdirectories.com
lmruitlmoxbbxil.banknewsdirectories.com
fievxumflwumnl.banknewsdirectories.com
mgeooxipnimpwl.banknewsdirectories.com
mgsrbgnnmiinixxl.banknewsdirectories.com
ibxevkxnkxvmnyl.banknewsdirectories.com
grmxbxximpomilfizl.banknewsdirectories.com
ihvmqxxmixkmgnqbn.banknewsdirectories.com
eymmnmzoihxnhxn.banknewsdirectories.com
mhpmiyrpciixvmko.banknewsdirectories.com
glxlzxkimizkmilmo.banknewsdirectories.com
xcjuvlmimisuklxo.banknewsdirectories.com
ihqxkiompoixqjp.banknewsdirectories.com
ijpixxmxwokpcipp.banknewsdirectories.com
gqveemmjoiexp.banknewsdirectories.com
fepxmehilsxkgq.banknewsdirectories.com
hpmiuvdxdimiuxbr.banknewsdirectories.com
grprpxmvrmoimr.banknewsdirectories.com
mxomwibexks.banknewsdirectories.com
hxipmtiaxyslxlms.banknewsdirectories.com
xihxjolxstjmits.banknewsdirectories.com
emkkdxmxykfiys.banknewsdirectories.com
maxfvubvisqmmbt.banknewsdirectories.com
eemimqmfgnilsxiju.banknewsdirectories.com
jiswfixzydxmkxv.banknewsdirectories.com
gitxipmcmhbuxmsw.banknewsdirectories.com
imhomjflumixysw.banknewsdirectories.com
icfrmirfynxmay.banknewsdirectories.com
cxiajrmuxugmrhy.banknewsdirectories.com
amlxxkbselyoiy.banknewsdirectories.com
fbomuvlimcjbxxiy.banknewsdirectories.com
hmxoigtxrnifmikmy.banknewsdirectories.com
ifmunqxvmorsa.psychicwireless.com
ibjcxymktdqnmximb.psychicwireless.com
hlliwutmbxmxvb.psychicwireless.com
jbximmiskbxamxqec.psychicwireless.com
xjiaursmvcoixc.psychicwireless.com
idkifjufidxmjfe.psychicwireless.com
idkmrxqkposxtme.psychicwireless.com
efqfxnqjeismif.psychicwireless.com
xxhalhimsxhisvoif.psychicwireless.com
xfmsoppgmijwmxif.psychicwireless.com
frmnxukmcaixlf.psychicwireless.com
hihhxeumtmkamf.psychicwireless.com
bpmxkieeehxyxf.psychicwireless.com
xiihcjhrmoxfndg.psychicwireless.com
xhmmgrkvoqvig.psychicwireless.com
mhrmmxxndxiknntg.psychicwireless.com
xixgvjvlqymwxg.psychicwireless.com
mixxbmvzlhksmzg.psychicwireless.com
imhxbgqgmvgyxidh.psychicwireless.com
ieirocexviomeh.psychicwireless.com
xftiimyeksmrmxaj.psychicwireless.com
xaltixqgmegqhj.psychicwireless.com
Update: it seems that the adjacent IP, 82.211.45.82, is also hosting a similar set of malicious sites.
xmwyrwhkqlhpm.magasinez-en-vrac.com
fmyyxxhgthyr.magasinez-en-vrac.com
hfiuqgcixyoy.magasinez-en-vrac.com
wqkxgkpxxmiukyr.cashbackdevil.com
fixolsmhiahjs.cashbackdevil.com
82.211.45.0/24 doesn't appear to host anything at all apart from these malicious sites and is a good candidate to block.
The hacked GoDaddy accounts have been set to point everything except www. to the server on 82.211.45.81. Hacked domains on this server appear to be:
revolution-clan.com
banknewsdirectories.com
psychicwireless.com
greenbankingemagazine.com
greenbankingemag.com
Many of these hijacked domains are registered to:
BankNews Publications
5115 Roe Blvd, Ste 200
Shawnee Mission, Kansas 66205
United States
It appears that BankNews Publications have lost control of their GoDaddy account.
82.211.45.81 will actually resolve for any subdomain at all for these hacked domains, but these are a sample of malicious subdomains hosted on this server:
jiqjmiglxjmedma.greenbankingemagazine.com
xihjpxpomxfjra.greenbankingemagazine.com
eqokikmxjmivxhb.greenbankingemagazine.com
xhfbjaimtcxmymb.greenbankingemagazine.com
hrxjxmesskisnxb.greenbankingemagazine.com
icmiiycxxfmevhxdc.greenbankingemagazine.com
imliismmsfdxtld.greenbankingemagazine.com
iayxdmbrqsmue.greenbankingemagazine.com
frbiptiuimxsmwe.greenbankingemagazine.com
xhbixmhmmipxsnkye.greenbankingemagazine.com
ibimuijzrxqlgmf.greenbankingemagazine.com
eimxgjruxpf.greenbankingemagazine.com
xgbgpuicyxmcsf.greenbankingemagazine.com
ixmfisqirydauf.greenbankingemagazine.com
bmnufhoixlg.greenbankingemagazine.com
hqvqbwmqqimxxmg.greenbankingemagazine.com
axvsiqiyminyug.greenbankingemagazine.com
gfmeivxnpiizfh.greenbankingemagazine.com
cxvrqiorimxgh.greenbankingemagazine.com
emkksximxuwiglh.greenbankingemagazine.com
mxmgohioxwexnyh.greenbankingemagazine.com
ijxeowhxemiumuij.greenbankingemagazine.com
gizhpirtxlmxmmkrj.greenbankingemagazine.com
exvmxopmispfwj.greenbankingemagazine.com
jmisxvxyxkymymsk.greenbankingemagazine.com
mipboqmkhxk.greenbankingemagazine.com
hlxgpiwhmemkmxk.greenbankingemagazine.com
gnmmbuoikxphiml.greenbankingemagazine.com
wehherixammvmsl.greenbankingemagazine.com
mxesvvmjvrmipixl.greenbankingemagazine.com
gmxsgedclvimin.greenbankingemagazine.com
mhvhfxixmauoun.greenbankingemagazine.com
xmltmwnixunvjo.greenbankingemagazine.com
xiegvmslxpqxiicp.greenbankingemagazine.com
miexxiivpfrcstmp.greenbankingemagazine.com
ixxevkmeipurmnp.greenbankingemagazine.com
emhxxjikflnimyp.greenbankingemagazine.com
ixicqgodvmisgq.greenbankingemagazine.com
gxcoximiwdidyjhq.greenbankingemagazine.com
exhymgkixnilbr.greenbankingemagazine.com
gcjnigxxmgvkir.greenbankingemagazine.com
hbjpmjfwmvidmxir.greenbankingemagazine.com
xeftvrmijbjr.greenbankingemagazine.com
imgximffxnzhhemr.greenbankingemagazine.com
cqimhvmrxrmbnr.greenbankingemagazine.com
xifmcxfairyuymt.greenbankingemagazine.com
mxhlieitefmkpt.greenbankingemagazine.com
xmfxiignkgefzlu.greenbankingemagazine.com
mmfimxggguihjxyu.greenbankingemagazine.com
thiqxxtgisqobmiv.greenbankingemagazine.com
dmxinxeoesimxivmjpv.greenbankingemagazine.com
foxfqgqaimkrv.greenbankingemagazine.com
mcbhxyxnikwrhw.greenbankingemagazine.com
bjetxchegicmiy.greenbankingemagazine.com
xfxpizijvmmsrqiy.greenbankingemagazine.com
gxrimhyukcxmiujy.greenbankingemagazine.com
mhmxjnpincxqly.greenbankingemagazine.com
iesqabdoumximz.greenbankingemagazine.com
ihmmlxgpyykvmz.greenbankingemagazine.com
hncrpmvdxibixmxa.greenbankingemag.com
cjkximmyjmgixvbza.greenbankingemag.com
himrnxxzwoiumza.greenbankingemag.com
gumiivcoiexfvmc.greenbankingemag.com
iihxmxrlyizympzc.greenbankingemag.com
mgifxrmvjmid.greenbankingemag.com
fimbigxycwibfme.greenbankingemag.com
hrxijizjivtjcmf.greenbankingemag.com
mmgobixyixhemqyig.greenbankingemag.com
lkqjimmimxgng.greenbankingemag.com
gsnxmimxixfsqihymkh.greenbankingemag.com
bjaxieuamimvxvph.greenbankingemag.com
mesxxlhiosh.greenbankingemag.com
ihjuxbmfkxznixh.greenbankingemag.com
mfhkcifavyxxh.greenbankingemag.com
hsmxmmndvxigxsidij.greenbankingemag.com
zsmbdqvbimbxrik.greenbankingemag.com
jxumeqpvhipixk.greenbankingemag.com
jyzxmxktxipl.greenbankingemag.com
mhupgmtgixkbn.greenbankingemag.com
zexrmixhxqvtsrin.greenbankingemag.com
goxixmggdxrdmpn.greenbankingemag.com
meirqvmmxjjxqkio.greenbankingemag.com
hirqrexuxixadmo.greenbankingemag.com
bxlfiszdqdxmixrip.greenbankingemag.com
hqucyipjmoxmp.greenbankingemag.com
ixhrhjmvllifxgmr.greenbankingemag.com
alvpvmboxixgsu.greenbankingemag.com
immhrnjpomieijxu.greenbankingemag.com
eailofxsmlwxaw.greenbankingemag.com
hrbfigxmkgy.greenbankingemag.com
mihskdifqfnxmcxy.greenbankingemag.com
mehjuxipsnbib.revolution-clan.com
hmjujigmkxfgxb.revolution-clan.com
gxqemihgmxfmtec.revolution-clan.com
mailbfhqcxqnc.revolution-clan.com
hxlilulrxmmqvc.revolution-clan.com
xeiaocohgixjme.revolution-clan.com
ltmxmjpxrmopioe.revolution-clan.com
idbkkgmjxymkipf.revolution-clan.com
cixvitmkguocxf.revolution-clan.com
hxpmvviqqpixiag.revolution-clan.com
fmxrxvmwimnzhiyig.revolution-clan.com
mfaoodswxixiekxg.revolution-clan.com
fmexxnnuiqihmfh.revolution-clan.com
imgjoxmrutfihj.revolution-clan.com
caxilhipuqumhmj.revolution-clan.com
igrjonnqgxximximj.revolution-clan.com
zkziwmijjxhobxmj.revolution-clan.com
mxwyxspkzbjmipk.revolution-clan.com
hxtsvxvtifmvirk.revolution-clan.com
gmsixlmqohxxql.revolution-clan.com
mhsjwmiehbxpiln.revolution-clan.com
emhinyyybqfxo.revolution-clan.com
jsxkmlxbxjreiq.revolution-clan.com
mmjvxexmyiravxnq.revolution-clan.com
xxacnrzimihhxayq.revolution-clan.com
xfhioimkynmltfs.revolution-clan.com
gebdxeivxhmls.revolution-clan.com
amibxpmvxjizqmvht.revolution-clan.com
igevqsxmnxqdmiit.revolution-clan.com
hmxjmiiugnxrhou.revolution-clan.com
meiqpqixrhamxzu.revolution-clan.com
hpiixmflehmmv.revolution-clan.com
xamiyicvhlxmiuov.revolution-clan.com
bshmmvxmvngixv.revolution-clan.com
ximxelmimdariya.banknewsdirectories.com
xihreeumnkkb.banknewsdirectories.com
xfgngivmpinmlb.banknewsdirectories.com
hxmrvtgfivivb.banknewsdirectories.com
eipcnxptdmximc.banknewsdirectories.com
mfrixougkoixmoc.banknewsdirectories.com
lxiqxmckvfe.banknewsdirectories.com
mfimgoexrmxkrliie.banknewsdirectories.com
epijmmqfqorxie.banknewsdirectories.com
fiihgxgeexmdvxme.banknewsdirectories.com
hzdxvktqcimxe.banknewsdirectories.com
fihlysaiajxmf.banknewsdirectories.com
cyismxdeixorrf.banknewsdirectories.com
gmsvijiqpxuxxmsrf.banknewsdirectories.com
migsoowwmrbxf.banknewsdirectories.com
wvixxyqemxf.banknewsdirectories.com
ijraqaymmmixbg.banknewsdirectories.com
migydrxjietrmg.banknewsdirectories.com
maxmiuxynjuiyg.banknewsdirectories.com
gifkkxiejimeah.banknewsdirectories.com
hqymxltxxiymztk.banknewsdirectories.com
lrmbkemoxpumil.banknewsdirectories.com
lmruitlmoxbbxil.banknewsdirectories.com
fievxumflwumnl.banknewsdirectories.com
mgeooxipnimpwl.banknewsdirectories.com
mgsrbgnnmiinixxl.banknewsdirectories.com
ibxevkxnkxvmnyl.banknewsdirectories.com
grmxbxximpomilfizl.banknewsdirectories.com
ihvmqxxmixkmgnqbn.banknewsdirectories.com
eymmnmzoihxnhxn.banknewsdirectories.com
mhpmiyrpciixvmko.banknewsdirectories.com
glxlzxkimizkmilmo.banknewsdirectories.com
xcjuvlmimisuklxo.banknewsdirectories.com
ihqxkiompoixqjp.banknewsdirectories.com
ijpixxmxwokpcipp.banknewsdirectories.com
gqveemmjoiexp.banknewsdirectories.com
fepxmehilsxkgq.banknewsdirectories.com
hpmiuvdxdimiuxbr.banknewsdirectories.com
grprpxmvrmoimr.banknewsdirectories.com
mxomwibexks.banknewsdirectories.com
hxipmtiaxyslxlms.banknewsdirectories.com
xihxjolxstjmits.banknewsdirectories.com
emkkdxmxykfiys.banknewsdirectories.com
maxfvubvisqmmbt.banknewsdirectories.com
eemimqmfgnilsxiju.banknewsdirectories.com
jiswfixzydxmkxv.banknewsdirectories.com
gitxipmcmhbuxmsw.banknewsdirectories.com
imhomjflumixysw.banknewsdirectories.com
icfrmirfynxmay.banknewsdirectories.com
cxiajrmuxugmrhy.banknewsdirectories.com
amlxxkbselyoiy.banknewsdirectories.com
fbomuvlimcjbxxiy.banknewsdirectories.com
hmxoigtxrnifmikmy.banknewsdirectories.com
ifmunqxvmorsa.psychicwireless.com
ibjcxymktdqnmximb.psychicwireless.com
hlliwutmbxmxvb.psychicwireless.com
jbximmiskbxamxqec.psychicwireless.com
xjiaursmvcoixc.psychicwireless.com
idkifjufidxmjfe.psychicwireless.com
idkmrxqkposxtme.psychicwireless.com
efqfxnqjeismif.psychicwireless.com
xxhalhimsxhisvoif.psychicwireless.com
xfmsoppgmijwmxif.psychicwireless.com
frmnxukmcaixlf.psychicwireless.com
hihhxeumtmkamf.psychicwireless.com
bpmxkieeehxyxf.psychicwireless.com
xiihcjhrmoxfndg.psychicwireless.com
xhmmgrkvoqvig.psychicwireless.com
mhrmmxxndxiknntg.psychicwireless.com
xixgvjvlqymwxg.psychicwireless.com
mixxbmvzlhksmzg.psychicwireless.com
imhxbgqgmvgyxidh.psychicwireless.com
ieirocexviomeh.psychicwireless.com
xftiimyeksmrmxaj.psychicwireless.com
xaltixqgmegqhj.psychicwireless.com
Update: it seems that the adjacent IP, 82.211.45.82, is also hosting a similar set of malicious sites.
xmwyrwhkqlhpm.magasinez-en-vrac.com
fmyyxxhgthyr.magasinez-en-vrac.com
hfiuqgcixyoy.magasinez-en-vrac.com
wqkxgkpxxmiukyr.cashbackdevil.com
fixolsmhiahjs.cashbackdevil.com
Labels:
Evil Network,
GoDaddy,
Malware,
Viruses
Tuesday, 24 April 2012
LinkedIn Spam / leckrefotzen.net
Oh my. Yet another LinkedIn spam run..
The link in the message goes to a malware site at leckrefotzen.net/main.php?page=b7ff54d52bf8dd24 (report here) hosted on the familiar IP address of 41.64.21.71 in Egypt. Blocking this IP address would be an excellent idea. Or you could just block linkedin.com emails altogether which would be no great loss either.
Date: Tue, 24 Apr 2012 16:31:34 -0300
From: "Russ Connor" [enviousnessi07@linkedin.com]
Subject: LinkedIn Reminder
REMINDERS
Invitation notifications:
? From Chaney Cameron (Your Colleague)
PENDING MESSAGES
? There are a total of 3 messages awaiting your response. Visit your InBox now.
Don't want to receive email notifications? Adjust your message settings.
LinkedIn values your privacy. At no time has LinkedIn made your email address available to any other LinkedIn user without your permission. � 2010, LinkedIn Corporation.
The link in the message goes to a malware site at leckrefotzen.net/main.php?page=b7ff54d52bf8dd24 (report here) hosted on the familiar IP address of 41.64.21.71 in Egypt. Blocking this IP address would be an excellent idea. Or you could just block linkedin.com emails altogether which would be no great loss either.
nikjju.com injection attack in progress
The ISC is warning of an injection attack using the domain nikjju.com. The WHOIS details of this domain are very familiar:
The hotmailbox.com domain is a sign of evil, and these are likely to be the "LizaMoon" crew who have been very active over the past couple of years. nikjju.com is hosted on 31.210.100.242 (INTER NET BILGISAYAR LTD STI, Turkey although blocking the domain will help as well because these malicious sites tend to be highly mobile.
Registrant Contact:
JamesNorthone
James Northone jamesnorthone@hotmailbox.com
+1.5168222749 fax: +1.5168222749
128 Lynn Court
Plainview NY 11803
us
JamesNorthone
James Northone jamesnorthone@hotmailbox.com
+1.5168222749 fax: +1.5168222749
128 Lynn Court
Plainview NY 11803
us
The hotmailbox.com domain is a sign of evil, and these are likely to be the "LizaMoon" crew who have been very active over the past couple of years. nikjju.com is hosted on 31.210.100.242 (INTER NET BILGISAYAR LTD STI, Turkey although blocking the domain will help as well because these malicious sites tend to be highly mobile.
Labels:
Injection Attacks,
LizaMoon,
Turkey
Myspace spam / newprescriptionmedical.com
This spam leads to a fake pharmacy on newprescriptionmedical.com, but it could be easily adapted for malware.
newprescriptionmedical.com is hosted on 95.168.193.182 (Supernetwork, Czech Republic) along with a bunch of other fake pharma sites and is worth blocking.
Date: Tue, 24 Apr 2012 20:13:58 -0700
From: "Myspace" [noreply@message.myspace.com]
Subject: Account Cancellation
myspace
Your request to cancel your Myspace account has been received.
You must follow this link to complete or cancel your request.
You will receive an email shortly with instructions for confirming that you wish to cancel.
Thank you for using Myspace!
The Myspace Team
http://www.myspace.com
Have questions? Visit our help page. Myspace, 8391 Beverly Blvd, #349, Los Angeles, CA 90048.
� Myspace Inc. All Rights Reserved.
newprescriptionmedical.com is hosted on 95.168.193.182 (Supernetwork, Czech Republic) along with a bunch of other fake pharma sites and is worth blocking.
Labels:
Fake Pharma,
Malware,
Spam
US Airways Spam / 208.117.43.8
Another US Airways spam run, leading to malware on 208.117.43.8 (as with this Pizza spam campaign).
====================
Some other subjects include:
Confirm your US airways online reservation.
US Airways online check-in confirmation.
The malicious payload is on 208.117.43.8/showthread.php?t=73a07bcb51f4be71(report here). Blocking this IP would probably be a good idea.
Date: Tue, 24 Apr 2012 20:12:38 +0700
From: "US Airways - Reservations" [reservations@myusairways.com]
Subject: Please confirm your US Airways online registration.
You can check in from 24 hours and up to 60 minutes before your flight (2 hours if you're flying abroad). After that, all you have to do is print your boarding pass and head to the gate.
Confirmation code: 749251
Check-in online: Online reservation details
Flight
6138
Departure city and time
Washington, DC (DCA) 10:00PM
Depart date: 4/5/2012
We are committed to protecting your privacy. Your information is kept private and confidential. For information about our privacy policy visit usairways.com.
US Airways, 111 W. Rio Salado Pkwy, Tempe, AZ 85281 , Copyright US Airways , All rights reserved.
====================
Some other subjects include:
Confirm your US airways online reservation.
US Airways online check-in confirmation.
The malicious payload is on 208.117.43.8/showthread.php?t=73a07bcb51f4be71(report here). Blocking this IP would probably be a good idea.
Labels:
Malware,
Spam,
US Airways,
Viruses
Pizza spam / 208.117.43.8
Another Pizza spam leading to malware:
Date: Tue, 24 Apr 2012 02:21:42 +0800The malware is hosted on 208.117.43.8/showthread.php?t=34c79594e8b8ac0f (report here) hosted by Steadfast Networks in the US. There's also an attempted download of an executable from electrosa.com/8zvW2XE.exe on 188.40.0.195 (Hetzner, South Africa) although this looks like a legitimate hacked site.
From: "ORSO`s Pizzeria"
Subject: Re: Fwd: Order confirmation 93278
You've just ordered pizza from our site
Pizza Ultimate Cheese Lover's with extras:
- Ham
- Italian Sausage
- Chicken
- Black Olives
- Green Peppers
- Pineapple
- Easy On Cheese
- Extra Sauce
Pizza Italian Trio with extras:
- Italian Sausage
- Pork
- Chicken
- Diced Tomatoes
- Black Olives
- Easy On Cheese
- Easy On Sauce
Pizza Spicy Sicilian with extras:
- Italian Sausage
- Pork
- Diced Tomatoes
- Onions
- Jalapenos
- Easy On Cheese
- No Sauce
Pizza Meat Lover's with extras:
- Italian Sausage
- Black Olives
- Black Olives
- Black Olives
- No Cheese
- Easy On Sauce
Pizza Triple Meat Italiano with extras:
- Ham
- Beef
- Black Olives
- No Cheese
- Easy On Sauce
Pizza Ultimate Cheese Lover's with extras:
- Italian Sausage
- Pepperoni
- Onions
- Onions
- No Cheese
- Easy On Sauce
Drinks
- Carling x 3
- Hancock x 3
- Dr. Pepper x 4
Total Due: 131.51$
If you haven't made the order and it's a fraud case, please follow the link and cancel the order.
CANCEL ORDER NOW!
If you don't do that shortly, the order will be confirmed and delivered to you.
With Respect
ORSO`s Pizzeria
Monday, 23 April 2012
"Scan from a HP ScanJet" spam / 199.15.252.136
Another fake printer spam leading to malware..
The malicious payload is on 199.15.252.136/showthread.php?t=34c79594e8b8ac0f (report here) hosted by Electric Postage in the US.
From: CheyanneDelasancha@hotmail.com
Date: 23 April 2012 13:18
Subject: Re: Fwd: Scan from a HP ScanJet #352369989
A document was scanned and sent to you using a Hewlett-Packard QJet 8125331KSent to you by: CAMERON
Pages : 9
Filetype(s): Images (.jpeg) Download
Location: MSK.3FL.
Device: DEV674O1JF7863855Mailprint: 1169d03a-fe6923a5 =
A document was scanned and sent to you using a Hewlett-Packard QJet 8125331K
Sent to you by: CAMERON
Pages : 9
Filetype(s): Images (.jpeg) Download
Location: MSK.3FL.
Device: DEV674O1JF7863855
Mailprint: 1169d03a-fe6923a5
The malicious payload is on 199.15.252.136/showthread.php?t=34c79594e8b8ac0f (report here) hosted by Electric Postage in the US.
Labels:
Malware,
Printer Spam,
Spam,
Viruses
Ning "Sign in Issue" spam / mycanadarx.com
This fake email from Ning (whatever that is) leads to a fake pharmacy site on mycanadarx.com, but it could easily be adapted for malware.
From: Ning Help Center [mailto:helpcenter@ning.com]mycanadarx.com is hosted on 95.168.193.182 in the Czech Republic with a whole load of other fake pharma sites.
Sent: 23 April 2012 17:22
Subject: Sign In Issue
Hello!
Thanks for contacting us. We're writing to let you know we've received your message.
We strive to respond to tickets about issues as quickly as possible.
To provide us with additional details or updates, you can simply Login to Your Account.
Please be sure to leave the subject and body of this email in place. If you are able to resolve the issue, please let us know!
Many common issues are explained in http://help.ning.com/?faq=3800.
Thanks again!
The Ning Team
Summary:
ref:_00D80cCLt._50040JSbrh:ref
Labels:
Fake Pharma,
Spam
"Welcome to LiveJournal" spam / dietpharmacyeat.com
This "LiveJournal" spam actually leads to a fake pharma site, but it could be adapted easily to deliver malware:
In this case, the fake pharma site is dietpharmacyeat.com. Always check the link carefully before clicking on this type of email, it might not be as it seems.
Date: Sun, 22 Apr 2012 04:21:28 +0000
From: "LiveJournal.com" [do-not-reply@livejournal.com]
Subject: Welcome to LiveJournal
Congratulations! Thanks for creating a new journal at LiveJournal!
Please click here to complete validation and set your primary email*
(If you are unable to click on the link, copy and paste code into your browser window.)
Code: 33416121.5p9rmuuyqvzp7tw
All the best,
The LiveJournal Team
http://www.livejournal.com/
* About your primary email address: Your first validated email address (also known as primary email) is the only way to confirm that you own the journal, so please use only your most secure email address. If you chose a less secure address in the process of registration, we recommend that you change it and confirm your new address.
In this case, the fake pharma site is dietpharmacyeat.com. Always check the link carefully before clicking on this type of email, it might not be as it seems.
Labels:
Fake Pharma,
Spam
"MediaWiki Mail" Spam / carewelhealth.com
A novel spam, in this case leading to a fake pharmacy on carewelhealth.com.. but it could just as easily be malware.
Of course, the IP address of 105.191.258.285 is invalid, but most people probably won't be looking too closely. Keep an eye out for this type of spam. it might well lead to something nastier than a fake Viagra merchant.
Date: Sun, 22 Apr 2012 16:09:12 +0000
From: MediaWiki Mail [wiki@wikimedia.org]
Subject: Account details on Wikipedia
Wikipedia
Someone (probably you, from IP address 105.191.258.285) requested a reminder of your account details for Wikipedia. The following user account is associated with this e-mail address: xxxxxxxxxxx
This reminder will expire in 7 days.
If you didn't initiate the request on Wikipedia, feel free to cancel this message and uncheck the "Reminder" checkbox in your account.
Thanks, and once again Welcome!
http://en.wikipedia.org
Of course, the IP address of 105.191.258.285 is invalid, but most people probably won't be looking too closely. Keep an eye out for this type of spam. it might well lead to something nastier than a fake Viagra merchant.
Labels:
Fake Pharma,
Spam
I love this..
St George's Day and the 30th Anniversary of the ZX Spectrum.. Google have managed to combine both into one logo.. I love it!
Labels:
Google
Friday, 20 April 2012
NACHA Spam / 85.25.189.174
Another NACHA spam, leading to malware on 85.25.189.174:
The malicious payload is on 85.25.189.174/showthread.php?t=34c79594e8b8ac0f hosted by Intergenia / PlusServer in Germany. Avoid.
From: CarleySpan@hotmail.com
Date: 19 April 2012 21:25
Subject: Your ACH transaction N73848938
The ACH credit transfer, initiated from your checking acc., was canceled by the other financial institution.
Canceled transaction:
Transaction ID: A7635857812UA
ACH Report: View
LINDSEY Zimmerman
NACHA - The Electronic Payment Association
The malicious payload is on 85.25.189.174/showthread.php?t=34c79594e8b8ac0f hosted by Intergenia / PlusServer in Germany. Avoid.
Labels:
Intergenia,
Malware,
NACHA,
Spam,
Viruses
New Blogger interface: It's all too horrible to contemplate.
If you use Blogger, you'll know that it has a new interface. It's horrible. OK, the old interface was horrible but usable at the same time. This is just horrible, with the familiar looking elements seeming sprinkled at random over the new interface.
There are a lot of companies at the moment doing a similar thing.. making over their tried and tested (but tired) old software interfaces and coming up with something pastel-ly and awful. Or perhaps I'm just a Luddite?
Update: you can share your feedback on the Blogger forum which is full of similar complaints.
There are a lot of companies at the moment doing a similar thing.. making over their tried and tested (but tired) old software interfaces and coming up with something pastel-ly and awful. Or perhaps I'm just a Luddite?
Update: you can share your feedback on the Blogger forum which is full of similar complaints.
LinkedIn spam / mysalepharmacy.com
Here's a very convincing looking LinkedIn spam:
There are three hyperlinks in the message, two of them are to LinkedIn and one of them is to a fake pharma site on mysalepharmacy.com on 178.19.108.195 in Poland.
Personally, I hate LinkedIn emails. Blocking everything that appears to be from linkedin.com will not have any adverse impact on your life.
From: messages-noreply@bounce.linkedin.com [mailto:messages-noreply@bounce.linkedin.com] On Behalf Of LinkedIn Email Confirmation
Sent: 20 April 2012 09:54
Subject: Please confirm your email address
Click here to confirm your email address.
If the above link does not work, you can paste the following address into your browser:
https://www.linkedin.com/e/vAIspiNMa9UrLxwLy8OkxtE3ZZ5hfZkRMg0f2bmzDWANi
You will be asked to log into your account to confirm this email address. Be sure to log in with your current primary email address.
We ask you to confirm your email address before sending invitations or requesting contacts at LinkedIn. You can have several email addresses, but one will need to be confirmed at all times to use the system.
If you have more than one email address, you can choose one to be your primary email address. This is the address you will log in with, and the address to which we will deliver all email messages regarding invitations and requests, and other system mail.
Thank you for using LinkedIn!
--The LinkedIn Team
http://www.linkedin.com/
© 2012, LinkedIn Corporation
There are three hyperlinks in the message, two of them are to LinkedIn and one of them is to a fake pharma site on mysalepharmacy.com on 178.19.108.195 in Poland.
Personally, I hate LinkedIn emails. Blocking everything that appears to be from linkedin.com will not have any adverse impact on your life.
Labels:
Fake Pharma,
LinkedIn,
Spam
Thursday, 19 April 2012
LinkedIn Spam / springrheumatology.net
Another LinkedIn spam run leading to malware, this time on springrheumatology.net
The malicious payload is at springrheumatology.net/main.php?page=9e32768587b0d9a8 (report here) hosted on the familiar IP address of 41.64.21.71 in Egypt, a very good IP address to block.
Date: Thu, 19 Apr 2012 19:34:55 +0100
From: "Callie Holland" [donor@linkedin.com]
Subject: LinkedIn Invitation from your co-worker
REMINDERS
Invitation notifications:
? From Patrick Mcdaniel (Your co-worker)
PENDING MESSAGES
? There are a total of 2 messages awaiting your response. Visit your InBox now.
Don't want to receive email notifications? Adjust your message settings.
LinkedIn values your privacy. At no time has LinkedIn made your email address available to any other LinkedIn user without your permission. � 2010, LinkedIn Corporation.
=========================
Date: Thu, 19 Apr 2012 14:57:47 -0300
From: "Jane Gaston" [lulu9@linkedin.com]
Subject: LinkedIn Reminder
REMINDERS
Invitation reminders:
? From Solomon Goff (Your Colleague)
PENDING MESSAGES
? There are a total of 2 messages awaiting your response. Visit your InBox now.
Don't want to receive email notifications? Adjust your message settings.
LinkedIn values your privacy. At no time has LinkedIn made your email address available to any other LinkedIn user without your permission. � 2010, LinkedIn Corporation.
The malicious payload is at springrheumatology.net/main.php?page=9e32768587b0d9a8 (report here) hosted on the familiar IP address of 41.64.21.71 in Egypt, a very good IP address to block.
"Scan from a Xerox W. Pro" spam / 184.22.115.24
Another malicious (and fake) printer spam leading to malware:
In this case the malicious payload is on 184.22.115.24/showthread.php?t=34c79594e8b8ac0f (report here) which is hosted by HostNOC in the US.
From: MollieFaw@hotmail.com [mailto:MollieFaw@hotmail.com]
Sent: 19. april 2012 10:40
Subject: Re: Fwd: Fwd: Scan from a Xerox W. Pro #55048919
A Document was sent to you using a XEROX SuperJet 036582425.SENT BY : MIRIAM
IMAGS : 97
FORMAT (.JPG) DOWNLOAD
DEVICE: 69972L7ODS736028L
In this case the malicious payload is on 184.22.115.24/showthread.php?t=34c79594e8b8ac0f (report here) which is hosted by HostNOC in the US.
Labels:
Malware,
Printer Spam,
Spam,
Viruses
Subscribe to:
Posts (Atom)