"I have now left the HIGNFY after party. As I looked over my shoulder, Reginald D Hunter was talking to my daughter.#wheresmyshotgunman"
Usually when Tory MPs are involved in online death threats, it's the other way around..
Sponsored by..
Saturday, 12 May 2012
Nadine Dorries: Where's My Shotgun?
You're not in Florida, Nadine. My MP (who I've never actually seen in the flesh at anything I've been to) Tweets about Reginald D Hunter (after being on Have I Got News For You):
Usually when Tory MPs are involved in online death threats, it's the other way around..
Usually when Tory MPs are involved in online death threats, it's the other way around..
Friday, 11 May 2012
Scamworld: 'Get rich quick' schemes mutate into an online monster
Thursday, 10 May 2012
Fake job and credit check sites to avoid
creditdealmanagement.com
creditlevelreport.com
hotdealsmanagement.com
hotoffermanagement.com
rockingdealmanagement.com
rockingdealmanagements.com
rockingoffermanagement.com
rockingscoremanagement.com
tql-billing.com
The WHOIS details are as follows:
creditdealmanagement.com
Aleje Ujazdowskie 88-44
Warszawa
Warszawa,
PL
00545
name:(Sophie Ellis)
mail:(admin@creditdealmanagement.com)
+022.8260898
+022.8260898
Hot Date
creditlevelreport.com
NA
Torrie Ots admin@creditlevelreport.com
+14122666060 fax: +14122666060
123 6th Street
Pittsburgh PA 64213
us
hotdealsmanagement.com
name:(Sophie Ellis)
Email:(admin@creditdealmanagement.com)
tel-- +022.8260898
fax:(+022.8260898)
Hot Date
Aleje Ujazdowskie 88-44
Warszawa
Warszawa,
PL
zipcode:00545
hotoffermanagement.com
Aleje Ujazdowskie 88-44
Warszawa
Warszawa,
PL
00545
name:(Sophie Ellis)
mail:(admin@creditdealmanagement.com)
+022.8260898
+022.8260898
Hot Date
rockingdealmanagement.com
name:(Niko Irlung)
Email:(admin@rockingoffermanagement.com)
tel-- +022.4860345
fax:(+022.4860345)
Rockinig
Aleje Ujazdowskie 54C
Warszawa
Warszawa,
PL
zipcode:00541
rockingdealmanagements.com
NA
Yawn Paul admin@rockingscoremanagement.com
+14122821060 fax: +14122821060
34G W C Jobs
Pittsburgh PA 64421
us
rockingoffermanagement.com
Niko Irlung admin@rockingoffermanagement.com
+022.4860345
+022.4860345
Rockinig
Aleje Ujazdowskie 54C
Warszawa,
Warszawa,
PL 00541
rockingscoremanagement.com
NA
Yawn Paul admin@rockingscoremanagement.com
+14122821060 fax: +14122821060
34G W C Jobs
Pittsburgh PA 64421
us
tql-billing.com
Aleje Ujazdowskie 87-44
Warszawa
Warszawa,
PL
00540
name:(Dill Nilson)
mail:(admin@tql-billing.com)
+022.8277528
+022.8277528 TQL
Wednesday, 9 May 2012
Something evil on 50.30.47.81
www.gredsa.in
www.bbadkf.in
www.bernitto.in
www.hfsless.in
www.burness.in
Tuesday, 8 May 2012
Something odd
http://69.60.122.18269.60.122.182/
http://85.25.130.1285.25.130.12/
http://89.207.129.789.207.129.7/
http://91.230.147.23191.230.147.231/
http://174.37.202.166174.37.202.166/
http://184.22.165.50184.22.165.50/
http://204.45.70.162204.45.70.162/
http://207.244.209.239207.244.209.239/
http://209.85.148.101209.85.148.101/
http://85.25.130.1285.25.130.12/
http://89.207.129.789.207.129.7/
http://91.230.147.23191.230.147.231/
http://174.37.202.166174.37.202.166/
http://184.22.165.50184.22.165.50/
http://204.45.70.162204.45.70.162/
http://207.244.209.239207.244.209.239/
http://209.85.148.101209.85.148.101/
Obviously, these URLs are malformed because the IP address is listed twice. But one of these stands out:
http://91.230.147.23191.230.147.231/ is clearly "91.230.147.231" twice. This IP belongs to Adevir Invest in Russia, and we've seen that name before. The other IPs seem innocent enough, but this traffic pattern is highly suspicious and I can only assume that these IPs are some sort of C&C server.
If you want to block the correctly formed IPs then they are as follows:
69.60.122.18
85.25.130.12
89.207.129.7
91.230.147.231
174.37.202.166
184.22.165.50
204.45.70.162
207.244.209.239
209.85.148.10
Saturday, 5 May 2012
Fake job offer: HRT F1 TEAM
Date: Sat, 5 May 2012 16:43:33 +0300
From: "Rebecca Hoffmeister / HRT F1 TEAM" [gormon.82@digiton.ru]
Subject: Job Offer - Payment Department
Hello !
We are a first-rate company specializing in the implementation of accessories for cars. Apart from this primary mission, we also provide full support to our clients during all stages of the purchase of our product, from the resolution of the contract to the payment and delivery of the product to the customer. To that end, the subdivisions of our company form a quite large network.
At the present time, there is one position open in our company as an agent in the department of payment control. The first month of work will be probationary and will include training programs on corporate ethics and also the basics of inspection and control of payment between parties in a transaction.
We guarantee:
- A suitable wage
- We guarantee you sufficient money to be added to your main salary, provided you have a wish to work hard and to follow all our instructions on time
- Benefits package
- Free training
Our requirements for candidates:
- Punctual and diligent fulfillment of directions from the manager
- Ability to effectively organize work time
- Process work requests necessary to maintain an effective payments transfer program
- Close access to the infrastructure of our city
- Uphold a high level of integrity and ethics
- Good time management skills
If you are interested in this position, send us a short resume by e-mail: hrtf1team@juno.com
Rebecca Hoffmeister - Payment Manager
HRT F1 TEAM
Instead this is a money mule (money laundering) operation which will end up with serious trouble with the police and your bank. Avoid.
Friday, 4 May 2012
USPS Spam / computerpills.net
Date: Fri, 4 May 2012 08:50:52 -0500
From: "Cathryn Small" [USPS_Shipping_Support@usps.com]
Subject: Your USPS shipment postage labels receipt.
Acct #: 0443907
Dear client:
This is an email confirmation for your order of 3 online shipping label(s) with postage. Your credit card will be charged the following amount:
Transaction ID: #1537194
Print Date/Time: 03/15/2012 02:30 PM CST
Postage Amount: $43.70
Credit Card Number: XXXX XXXX XXXX XXXX
Priority Mail Regional Rate Box B # 5153 9371 4727 8289 2238 (Sequence Number 1 of 1)
If you need further information, please log on to www.usps.com/clicknship and go to your Shipping History or visit our Frequently Asked Questions .
You can refund your unused postage labels up to 14 days after the issue date by logging on to your Click-N-Ship Account.
Thank you for choosing the United States Postal Service
Click-N-Ship: The Online Shipping Solution
Click-N-Ship has just made on line shipping with the USPS even better.
New Enhanced International Label and Customs Form: Updated Look and Easy to Use!
* * * * * * * *
This is a post-only message
The malicious payload is an exploit kit at computerpills.net/main.php?page=beb0bb4c8ebd96e5 hosted on 37.59.68.23 (OVH, UK) which is the same server used in this attack, the payload looks to be the same as the one used in this other attack, with a very low detection rate at VirusTotal of just 3/42.
LinkedIn spam / 184.154.220.226
Date: Fri, 4 May 2012 -04:52:32 -0800The malware is hosted on 184.154.220.226/showthread.php?t=34c79594e8b8ac0f (Singlehop, US) which is a very heavily obfuscated exploit page with a not very impressive VirusTotal detection rate of 2/42. Blocking the IP is a good proactive step to stop this from being a problem.
From: LinkedIn Password [password@linkedin.com]
Subject: Reset Your LinkedIn Password
Hi hippy,
Can’t remember your LinkedIn password? No problem - it happens.
Please use this link to reset your password within the next 1 day:
Click here
Then sign in to LinkedIn with your new password and the email address where you received this message.
Thanks for using LinkedIn!
Xvideos.com IP hosting malware C&C servers
This summary is not available. Please
click here to view the post.
Thursday, 3 May 2012
How to access The Pirate Bay on Virgin Media
I don't approve of pirating copyrighted material, but I also don't approve of censorship.On balance I think that censorship is the worst of the two, so I was quite annoyed to find that Virgin Media is censoring the Pirate Bay.
Here's a newsflash. Not everything listed on the Pirate Bay is actually subject to copyright. As with many things, it's what you do with a tool like the Pirate Bay that counts. So, let's say that you have a legitimate use for looking at the Pirate Bay and you're a Virgin Media customer (or another UK ISP that has blocked TPB).. how do you do it?
Well, there's a mirror of The Pirate Bay hosted on the same IP address and domain as the UK's Pirate Party at https://tpb.pirateparty.org.uk/. Not many people know that all UK political parties have to be registered at the Electoral Commission, and the Pirate Party is indeed a properly registered political party (click to enlarge)..
Although the technology employed by Virgin Media is perfectly capable of blocking part of a website and leaving the rest accessible, it's quite possible that censoring part of a website belonging to a legally constituted political party might just be a step too far..
It isn't Virgin Media's fault (they have a shedload of their own, this is not one of them), but something they've been obliged to do through the courts.Sorry, the web page you have requested is not available through Virgin Media.
Virgin Media has received an order from the Courts requiring us to prevent access to this site in order to help protect against copyright infringement.
If you are a Virgin Media home broadband customer, for more information on why certain web pages are blocked, please click here.
If you are a Virgin Media Business customer, or are trying to view this page through your company's internet connection, please click here.
Here's a newsflash. Not everything listed on the Pirate Bay is actually subject to copyright. As with many things, it's what you do with a tool like the Pirate Bay that counts. So, let's say that you have a legitimate use for looking at the Pirate Bay and you're a Virgin Media customer (or another UK ISP that has blocked TPB).. how do you do it?
Well, there's a mirror of The Pirate Bay hosted on the same IP address and domain as the UK's Pirate Party at https://tpb.pirateparty.org.uk/. Not many people know that all UK political parties have to be registered at the Electoral Commission, and the Pirate Party is indeed a properly registered political party (click to enlarge)..
Although the technology employed by Virgin Media is perfectly capable of blocking part of a website and leaving the rest accessible, it's quite possible that censoring part of a website belonging to a legally constituted political party might just be a step too far..
Samsung Galaxy S III
[Via]
Facebook spam / chicleart.net
Date: Thu, 3 May 2012 11:57:48 -0300
From: "Facebook" [noreply@facebookmail.com]
Subject: Most recent events on Facebook
Hi xxxxxxxxxx,
You have blocked your Facebook account. You can reactivate your account whenever you wish by logging into Facebook using your old login email address and password. Subsequently you will be able to use the site as before.
Thanks and regards,
The Facebook Team
Sign in to Facebook and start connecting
Sign in
follow the link below :
http://www.facebook.com/home.php
This message was sent to xxxxxxxxx@xxx.xxx. If you don't want to receive these emails from Facebook in the future, please click: unsubscribe.
Facebook, Inc. Attention: Department 415 P.O Box 10005 Palo Alto CA 94303
==================
Date: Thu, 3 May 2012 15:53:38 +0100
From: "Facebook" [noreply@facebookmail.com]
Subject: New comment on your status update
Hi xxxxxxxxxx,
You have blocked your Facebook account. You can resume your account at any time by logging into Facebook with your old login email address and password. You will then be able to use the site as before.
Thanks and regards,
The Facebook Team
Sign in to Facebook and start connecting
Sign in
follow the link below :
http://www.facebook.com/home.php
This message was sent to xxxxxxxxx@xxx.xxx. If you don't want to receive these emails from Facebook in the future, please click: unsubscribe.
Facebook, Inc. Attention: Department 415 P.O Box 10005 Palo Alto CA 94303
==================
Date: Thu, 3 May 2012 14:09:11 +0000
From: "Facebook" [alert@facebookmail.com]
Subject: New comment on your status update
Hi xxxxxxxxxx,
You have deactivated your Facebook account. You can reactivate your account whenever you wish by logging into Facebook using your old login email address and password. Subsequently you will be able to use the site in the same way as before.
Best regards,
The Facebook Team
Sign in to Facebook and start connecting
Sign in
follow the link below :
http://www.facebook.com/home.php
This message was sent to xxxxxxxxx@xxx.xxx. If you don't want to receive these emails from Facebook in the future, please click: unsubscribe.
Facebook, Inc. Attention: Department 415 P.O Box 10005 Palo Alto CA 94303
The malicious payload is on chicleart.net/main.php?page=8decfe38488713cc on 37.59.68.23 hosted by OVH in the UK.
tsnet-china.com / "Klver Industrial Co. Ltd" domain scam.
From: jeff jeff@tsnet-china.com
To:
Date: 3 May 2012 10:02
Subject: Regarding " dynamoo " Dispute
(If you are not in charge of this please transfer this email to your President or appropriate person, thanks)
Dear President,
We are the department of Asian Domain registration service in china, have something to confirm with you. We formally received an application on May 2, 2012. One company which self-styled "Klver Industrial Co. Ltd" were applying to register "dynamoo" as Network Brand and following domain names:
dynamoo.asia
dynamoo.cn
dynamoo.com.cn
dynamoo.com.tw
dynamoo.hk
dynamoo.in
dynamoo.net.cn
dynamoo.org.cn
dynamoo.tw
After our initial checking, we found the name were similar to your company's, so we need to check with you whether your company has authorized that company to register these names. If you authorized this, we will finish the registration at once. If you did not authorize, please let us know within 7 workdays, so that we will handle this issue better. Out of the time limit we will unconditionally finish the registration for "Klver Industrial Co. Ltd".
Best Regards,
Jeff Yang
Registration Dept.
Tel: +862885915586 || Fax: +862885912116
Address:8/F XiYu building No,52 JinDun Road,QingYang District,Chengdu City,China.
The idea here is to panic the domain owner into registering a bunch of worthless domains. Do I really care if someone registers a bunch of Asian domain names (sub of which are on really crappy second level domains)? No, I don't. And neither should you.
Here's the thing: domain registrars for common domains* like this DO NOT carry out these checks. It isn't their responsibility. In reality, they will NOT contact you prior to registration. There is almost definitely no company interested in buying these domains. And remember, there are hundreds of top-level domains.. you could spend a LOT of money securing worthless variations for no reason.
Give this one a wide berth. If you really do want to find a registrar for additional domains, shop around to find a reliable and inexpensive registrar rather than dealing with spammers.
* some "sunrise" registrations for new top-level domains do check trademark ownership when they are launched.
Tuesday, 1 May 2012
Isn't it amazing..
Sometimes people make those connections that you should have seen your case. In this case, the post managed to link together several strands of my own blog that I hadn't managed to do myself.. namely: Inter Financial Ltd, Gary NcNeish and Piradius.net
It looks like Mr McNeish might have his fingers in quite a few spam pies..
"Invitation FACEBOOK" hoax
Subject: Fwd: FW: PLEASE CIRCULATE
PLEASE CIRCULATE THIS NOTICE TO FRIENDS AND FAMILY ON YOUR CONTACT LIST
In the coming days, you should be aware…
Do not open any message with an attachment called:
"Invitation FACEBOOK"
Regardless of who sent it
It is a virus that opens an Olympic torch and burns the whole hard
disc C of your computer
This virus will be received from someone you have in your address book
That's why you should send this message to all your contacts. It is
better to receive this email 25 times than to receive the virus and
open it
If you receive email called: "Invitation FACEBOOK", though sent by a friend,
do not open but delete it immediately
CNN said it is a new virus discovered recently and that has been
classified by Microsoft as the most destructive virus ever
It is a Trojan Horse that asks you to install an adobe flash plug-in.
Once you install it, it's all over. And there is no repair yet for
this kind of virus. This virus simply destroys the Zero Sector of the
Hard Disc, where the vital information of their function is saved
THE INFORMATION HAS BEEN CHECKED WITH SNOPES
http://www.snopes.com/computer/virus/youtube.asp
DO exercise caution with emails that appear to be from Facebook, PayPal, LinkedIn or any one of a variety of services.. you can usually check the true destination of a link in an email by floating the pointer over it. DON'T circulate silly hoaxes like this because it simply wastes everybody's time.
PayPal Spam / 72.46.140.14
Date: Tue, 1 May 2012 14:31:26 +0300
From: "PayPal" [notify@paypal.com]
Subject: RE:You just sent a payment to Enrique Peterson
You just sent a payment
Transaction ID: 2SM69324P0770102B
Hello xxxxxxxxxxxxxx,
Thanks for using PayPal. It may take a few moments for this transaction to appear in your account.
Merchant
Enrique Peterson
wcEnrique22@hotmail.com
Note to Thad Peterson
You haven't sent a note.
Shipping address - confirmed
Michael Pepe
P.O. Box 173
Cheektowaga, NY�14225
United States
Total $140.00 USD
Payment $60.00 USD
Payment sent to Enrique Peterson
Help Centre | Resolution Centre | Security Centre
This email was sent by an automated system, so if you reply, nobody will see it. To get in touch with us, log in to your account and click "Contact Us" at the bottom of any page.
Copyright � 2012 PayPal, Inc. All rights reserved. PayPal is located at 2211 N. First St., San Jose, CA 95131.
PayPal Email ID PP1526
The malicious payload is on 72.46.140.14/showthread.php?t=9d77a9163cda8dbe (report here) and is hosted by Versaweb in the US, suballocated to "Silver Knight Enterprises Corp" of Las Vegas.
Update: here is another variant
Date: Tue, 1 May 2012 19:54:34 +0700
From: "PayPal" [notify@paypal.com]
Subject: RE:You just sent a payment to Jame Peterson
You just sent a payment
Transaction ID: 2SM69324P0770102B
Hello xxxxxxxxxxxxxxx,
Thanks for using PayPal. It may take a few moments for this transaction to appear in your account.
Merchant
Jame Peterson
wcJame22@hotmail.com
Note to Thad Peterson
You haven't sent a note.
Shipping address - confirmed
Michael Pepe
P.O. Box 173
Cheektowaga, NY�14225
United States
Total $100.00 USD
Payment $60.00 USD
Payment sent to Jame Peterson
Help Centre | Resolution Centre | Security Centre
This email was sent by an automated system, so if you reply, nobody will see it. To get in touch with us, log in to your account and click "Contact Us" at the bottom of any page.
Copyright � 2012 PayPal, Inc. All rights reserved. PayPal is located at 2211 N. First St., San Jose, CA 95131.
PayPal Email ID PP1526
Monday, 30 April 2012
LinkedIn spam / 74.91.120.210
Date: Mon, 30 Apr 2012 17:51:37 +0530
From: "LinkedIn reminder" [reminder@linkedin.com]
Subject: LInkedin pending messages
REMINDERS
Invitation reminders:
• From Scott Burwell (Colleague at Nortel)
PENDING MESSAGES
• There are a total of 36 messages awaiting your response. Visit your InBox now.
Don't want to receive email notifications? Adjust your message settings.
LinkedIn values your privacy. At no time has LinkedIn made your email address available to any other LinkedIn user without your permission. © 2010, LinkedIn Corporation.
The malicious payload is at 74.91.120.210/showthread.php?t=9d77a9163cda8dbe (report here) hosted by Nuclearfallout Enterprises in the US.
91.121.84.204 / 64.244.61.40 malware
Blocking access to these IPs would be prudent.
Friday, 27 April 2012
"Amazon.com Password Assistance" spam / healthcarewelbizness.com
Date: Fri, 27 Apr 2012 04:47:10 +0000 (UTC)
From: "Amazon.com" [account-update@amazone.com]
Subject: Amazon.com Password Assistance
We received a request to reset the password associated with this e-mail address. Please follow the instructions below.
Click the link below to complete or cancel request using our secure server:
https://www.amazon.com/ap/forgotpassword?arb=cf4c17ba-4659-06c6-ff0f-58f6e8b50a66
If clicking the link doesn't seem to work, you can copy and paste the link into your browser's address window, or retype it there.
Amazon.com will never e-mail you and ask you to disclose or verify your Amazon.com password, credit card, or banking account number. Thanks for visiting Amazon.com!
healthcarewelbizness.com is hosted on 46.183.216.215 (Dataclub, Latvia) along with a whole load of other toxic websites that are best avoided.
"New message from.." spam / 74.91.114.83
Date: Fri, 27 Apr 2012 07:13:47 -0300
From: KristineLippitt@hotmail.com
Subject: New message from KYLIE NIX
KYLIE NIX 3:01am April 27
Hello!
...
Click here to view full message
View Conversation on Facebook ?� Reply to this email to message KYLIE NIX.
The payload is on 74.91.114.83/showthread.php?t=34c79594e8b8ac0f (report here) hosted by TurkTelecom in Turkey.
Subscribe to:
Posts (Atom)