Tuesday, 12 June 2012
PayPal / eBay spam and kidwingz.net
The malicious payload is at [donotclick]kidwingz.net/main.php?page=614411383eef8d9 (report here), hosted on 68.71.222.8 (Disney Online, Florida). This is the same IP address used in this similar attack, so it is definitely worth blocking.
Date: Tue, 12 Jun 2012 16:56:54 +0200
From: "PayPal" [notify@paypal.com]
To: xxxxxxxxxxxxx
Subject: Your Ebay.com transaction details.
Transaction ID: 24818126
Hello xxxxxxxxxxxxx,
You sent a payment of $847.48 USD to Quentin Cotton
Thanks for using PayPal. To see all the transaction details, Log In to your PayPal account.
It may take a few moments for this transaction to appear in your account.
Seller
Fernando.Edwards@yahoo.com Note to seller
You haven't included a note.
Shipping address - confirmed
4787 Hyde Rd
NY 13104-9402
United States
Shipping details
The seller hasn't provided any shipping details yet.
Description Unit price Qty Amount
PHOTAX PLASTIC SLIDE CASE PLUS 175 x 35mm SLIDES
Item# 263420914
$847.48 USD 23 $847.48 USD
Shipping and handling $0.00 USD
Insurance - not offered ----
Total $847.48 USD
Payment $847.48 USD
Issues with this transaction?
You have 45 days from the date of the transaction to open a dispute in the Resolution Center.
Questions? Go to the Help Center at: www.paypal.com/help.
Please do not reply to this email. This mailbox is not monitored and you will not receive a response. For assistance, log in to your PayPal account and click Help in the top right corner of any PayPal page.
You can receive plain text emails instead of HTML emails. To change your Notifications preferences, log in to your account, go to your Profile, and click My settings.
PayPal Email ID PP108
===================
Date: Tue, 12 Jun 2012 16:52:26 +0200
From: "PayPal" [notify@paypal.com]
To: xxxxxxxxxxxxx
Subject: Your Paypal.com transaction confirmation.
Transaction ID: 59064148
Hello xxxxxxxxxxxxx,
You sent a payment of $977.48 USD to Elijah Bray
Thanks for using PayPal. To see all the transaction details, Log In to your PayPal account.
It may take a few moments for this transaction to appear in your account.
Seller
Abby.Ford@yahoo.com Note to seller
You haven't included a note.
Shipping address - confirmed
4787 Hyde Rd
WY 48034
United States
Shipping details
The seller hasn't provided any shipping details yet.
Description Unit price Qty Amount
Vintage photo sexy college girls 1990's or 2000's
Item# 347197370
$977.48 USD 23 $977.48 USD
Shipping and handling $0.00 USD
Insurance - not offered ----
Total $977.48 USD
Payment $977.48 USD
Issues with this transaction?
You have 45 days from the date of the transaction to open a dispute in the Resolution Center.
Questions? Go to the Help Center at: www.paypal.com/help.
Please do not reply to this email. This mailbox is not monitored and you will not receive a response. For assistance, log in to your PayPal account and click Help in the top right corner of any PayPal page.
You can receive plain text emails instead of HTML emails. To change your Notifications preferences, log in to your account, go to your Profile, and click My settings.
PayPal Email ID PP646
"Your Flight Order А994284" / saprolaunimaxim.ru
From: Simonne Storey [sandy@krishermckay.com]
Subject: Your Flight Order А994284
Dear Customer,
FLIGHT NUMBER A45-342
DATE & TIME / JUNE 27, 2012, 10:140 PM
ARRIVING: NEW YORK JFK
TOTAL PRICE : 456.62 USD
Please download and print out your ticket here:
DOWNLOAD
Amercian Airlines{br[1-5]}
The link goes to a malicious payload on [donotclick]saprolaunimaxim.ru:8080/forum/showthread.php?page=5fa58bce769e5c2c (report here) hosted on the following IP addresses:
89.108.75.155 (Agava Ltd, Russia)
50.57.43.49 (Slicehost, US)
50.57.88.200 (Slicehost, US)
The following IPs and domains are also connected to this malware and should be considered hostile:
girlsnotcryz.ru
hamlovladivostok.ru
holigaansongeer.ru
paranoiknepjet.ru
piloramamoskow.ru
pistolitnameste.ru
pushkidamki.ru
spbfotomontag.ru
stroby.ru
uzindexation.ru
31.17.189.212
50.57.43.49
50.57.88.200
89.108.75.155
184.106.200.65
187.85.160.106
Labels:
Malware,
Printer Spam,
RU:8080,
Slicehost,
Viruses
partyysoon.info injection attack in progress
I haven't had much time to analyse this yet, but there seems to be some sort of injection attack using the domain partyysoon.info. It may be targeting sites in Sweden.
Malicious URLs (don't click these, obviously):
hxxp:||partyysoon.info/index.php
hxxp:||partyysoon.info/js_pa/F.class
hxxp:||partyysoon.info/Set.jar
hxxp:||gotchasworkspaces.in/duquduqu1/font.php
hxxp:||beards.christianmomsgetaways.com/index.php?p=b2e04035f7b91e43
These IPs and domains are all related to the attack:
5.10.65.142 (Spinor J Ltd / Ulrik Sjafalander, Sweden)
partyysoon.info
(Part of a small block of 5.10.65.136 - 5.10.65.143)
141.101.239.97 (Leadertelecom, Russia)
beards.christianmomsgetaways.com
volumea.offerscrate.com
wagea.hcop.com
sexof2a0b5.serveusers.com
sexo41e92f.serveusers.com
beds.fivedollarprogram.info
visitora.legitimatepaidsurveystips.info
69.65.42.35 (Gigenet, US)
gotchasworkspaces.in
kopachrats.info
Blocking access to these IPs might be prudent.
Labels:
Injection Attacks,
Malware,
Sweden,
Viruses
Wire Transfer / HP spam and pistolitnameste.ru
From: "AUSTIN MCDOWELL" [AUSTINMCDOWELLsXmqTdYQvU@hotmail.com]
Date: 11 June 2012 16:54:23 GMT+01:00
Subject: Fwd: Re: Wire Transfer
Dear Bank Account Operator,
WIRE TRANSACTION: WIRE-1987953358499039
CURRENT STATUS: CANCELLED
You can find details in the attached file.(Internet Explorer file)
=============
From: JessicaPecinousky@hotmail.com [mailto:JessicaPecinousky@hotmail.com]
Sent: 11 June 2012 07:13
Subject: Fwd: Wire Transfer Confirmation (FED 5419DS49)
Dear Bank Account Operator,
WIRE TRANSACTION: WIRE-84685588475552771
CURRENT STATUS: CANCELLED
You can find details in the attached file.(Internet Explorer file)
The spammers have their campaigns mixed up - the payload on this is a ZIP file containing an HTML file named something similar to HP_DocumentN8983.htm, which is the one they use for the fake printer spam. The malicious payload is at [donotclick]pistolitnameste.ru:8080/forum/showthread.php?page=5fa58bce769e5c2c (report here) hosted on 50.57.43.49 and 50.57.88.200 (both Slicehost, US).
The following domains are part of the same malware cluster and should also be avoided:
pistolitnameste.ru
puleneprobivaemye.ru
spbfotomontag.ru
pushkidamki.ru
mazdaforumi.ru
hamlovladivostok.ru
uzindexation.ru
holigaansongeer.ru
paranoiknepjet.ru
piloramamoskow.ru
girlsnotcryz.ru
Monday, 11 June 2012
PayPal Spam / itscholarshipz.net
Date: Mon, 11 Jun 2012 16:06:45 +0200
From: "PayPal" [notify@paypal.com]
Subject: Your Paypal Ebay.com payment.
Transaction ID: 35580191
Hello xxxxxxxxxxxxxxx,
You sent a payment of $777.48 USD to Xavier Parrish
Thanks for using PayPal. To see all the transaction details, Log In to your PayPal account.
It may take a few moments for this transaction to appear in your account.
Seller
Alexis.Brady@yahoo.com Note to seller
You haven't included a note.
Shipping address - confirmed
419-4138 Pharetra Rd.
AL 43438
United States
Shipping details
The seller hasn't provided any shipping details yet.
Description Unit price Qty Amount
Vintage photo sexy college girls 1990's or 2000's
Item# 908906055
$777.48 USD 23 $777.48 USD
Shipping and handling $0.00 USD
Insurance - not offered ----
Total $777.48 USD
Payment $777.48 USD
Issues with this transaction?
You have 45 days from the date of the transaction to open a dispute in the Resolution Center.
Questions? Go to the Help Center at: www.paypal.com/help.
Please do not reply to this email. This mailbox is not monitored and you will not receive a response. For assistance, log in to your PayPal account and click Help in the top right corner of any PayPal page.
You can receive plain text emails instead of HTML emails. To change your Notifications preferences, log in to your account, go to your Profile, and click My settings.
PayPal Email ID PP387
=====================
From: PayPal [mailto:notify@paypal.com]
Sent: 11 June 2012 15:09
Subject: Your Paypal.com transaction confirmation.
Transaction ID: 20148689
Hello xxxxxxxxxxxxxxx,
You sent a payment of $754.48 USD to Quentin Cotton
Thanks for using PayPal. To see all the transaction details, Log In to your PayPal account.
It may take a few moments for this transaction to appear in your account.
________________________________________
Seller
Myron.Newton@yahoo.com
Note to seller
You haven't included a note.
Shipping address - confirmed
Ap #834-5784 Venenatis Street
AL 43438
United States Shipping details
The seller hasn't provided any shipping details yet.
Description Unit price Qty Amount
TaylorMade R11 Driver Golf Club
Item# 003187238 $754.48 USD 23 $754.48 USD
Shipping and handling $0.00 USD
Insurance - not offered ----
Total $754.48 USD
Payment $754.48 USD
Issues with this transaction?
You have 45 days from the date of the transaction to open a dispute in the Resolution Center.
Questions? Go to the Help Center at: www.paypal.com/help.
Please do not reply to this email. This mailbox is not monitored and you will not receive a response. For assistance, log in to your PayPal account and click Help in the top right corner of any PayPal page.
You can receive plain text emails instead of HTML emails. To change your Notifications preferences, log in to your account, go to your Profile, and click My settings.
PayPal Email ID PP426
The malicious payload is at [donotclick]itscholarshipz.net/main.php?page=888c5b8a2e6174bc hosted on 68.71.222.8 (Disney Online, US) (report here). "Disney Online" appears to be some sort of ISP in Florida.
These other two domains are also hosted on that server and are probably worth avoiding:
defencesupernow.com
homeofficecaptioning.ru
Saturday, 9 June 2012
IMDB "Your password is too weak" spam / thepharmhealth.com
This spam leads to a fake pharma site at thepharmhealth.com:
Date: Sat, 9 Jun 2012 18:20:35 -0700 (PDT)
From: IMDb User Protection [do-not-reply-here@imdb.com]
Subject: Your password is too weak
This is an automatic message from the Internet Movie Database (IMDb) registration system.
Our system detected your password is too weak. Short passwords are easy to guess.
Please follow this link :
https://secure.imdb.com/password_update/imdb/74129625140408804050
If you used your IMDb password at any other sites, you'll need to change those passwords as well.
Regards,
IMDb User Protection help
http://imdb.com/register/
It's an interesting and novel approach, and it could easily be adapted for malware rather than fake prescriptions. thepharmhealth.com is hosted on 80.232.131.201 (SIA Lattelecom, Latvia).
Labels:
Fake Pharma,
Latvia,
Spam
Friday, 8 June 2012
Amazon.com spam / cool-mail.net
The victim bounces through a random hacked site and is delivered to a malicious payload on [donotclick]cool-mail.net/main.php?page=640db37c90c88306 (report here), which is hosted on 84.106.114.97 (Ziggo, Netherlands).
Date: Fri, 8 Jun 2012 10:26:01 -0600
From: Amazon.com (digital-no-reply@amazon.com)
Subject: Your Kindle e-book Amazon.com receipt.
Thanks for your order, xxxxxxxxxxxx!
Did you know you can view and edit your orders online, 24 hours a day? Visit Your Account.
Order Information:
E-mail Address: xxxxxxxxxxxx
Billing Address:
Av.
GAHANNA
United States
Phone: 1-564-536-5200
Order Grand Total: $ 89.99
Earn 3% rewards on your Amazon.com orders with the Amazon Visa Card. Learn More
Order Summary:
Details:
Order #: Y32-4367039-9487640
Subtotal of items: $ 89.99
------
Total before tax: $ 89.99
Tax Collected: $0.00
------
Grand Total: $ 80.00
Gift Certificates: $ 9.99
------
Total for this Order: $ 89.99
The following item is auto-delivered to your Kindle or other device. You can view more information about this order by clicking on the title on the Manage Your Kindle page at Amazon.com.
The Witness by Nora Roberts [Kindle Edition] $ 89.99
Sold By: Random House Digital, Inc.
You can review your orders in Your Account. If you've explored the links on that page but still have a question, please visit our online Help Department.
Please note: This e-mail was sent from a notification-only address that cannot accept incoming e-mail. Please do not reply to this message.
Thanks again for shopping with us.
Amazon.com
Earth's Biggest Selection
Prefer not to receive HTML mail? Click here
=================
Date: Fri, 8 Jun 2012 21:55:42 +0530
From: Amazon.com (digital-no-reply@amazon.com)
Subject: Your Amazon.com order confirmation.
Thanks for your order, xxxxxxxxxxxx!
Did you know you can view and edit your orders online, 24 hours a day? Visit Your Account.
Order Information:
E-mail Address: xxxxxxxxxxxx
Billing Address:
370 Id
GAHANNA
United States
Phone: 1-564-536-5200
Order Grand Total: $ 55.99
Earn 3% rewards on your Amazon.com orders with the Amazon Visa Card. Learn More
Order Summary:
Details:
Order #: O10-8086470-1458769
Subtotal of items: $ 55.99
------
Total before tax: $ 55.99
Tax Collected: $0.00
------
Grand Total: $ 50.00
Gift Certificates: $ 5.99
------
Total for this Order: $ 55.99
The following item is auto-delivered to your Kindle or other device. You can view more information about this order by clicking on the title on the Manage Your Kindle page at Amazon.com.
The Promise: A Novel [Kindle Edition] $ 55.99
Sold By: Random House Digital, Inc.
You can review your orders in Your Account. If you've explored the links on that page but still have a question, please visit our online Help Department.
Please note: This e-mail was sent from a notification-only address that cannot accept incoming e-mail. Please do not reply to this message.
Thanks again for shopping with us.
Amazon.com
Earth's Biggest Selection
Prefer not to receive HTML mail? Click here
Of some note is the fact that the domain is privacy protected; normally they just supply fake details. Nameservers are provided by ns1.grapecomputers.net (31.170.106.39, Bradler & Krantz, Germany) and ns2.grapecomputers.net (77.144.63.18, SFR, France).
The following domains are also associated with these malicious sites and should be avoided:
lifelovework.net
bestcompdefence.net
sitkatacotruck.com
yoursystemdefender.com
All of these are associated with several other scam and malware sites.
Thursday, 7 June 2012
"[Confirm] 2012 Olympic Draw Note Attach" spam
Frankly I can be a curmudgeonly so-and-so when it comes to big events that I have to pay for out of my taxes, and the Olympics is one of them. But it's a bit late to hand it to the French I suppose, so I was quite pleased to get this email from the "British Olympic and United Kingdom National Lottery" saying that I had won £950,000
Of course, it's all a scam. The email originates from 216.172.135.112 (EGIHosting / AFNCA) which claims to be based in the US, but I've seen this ISP so often with Advanced Fee Fraud emails that it may as well be in Lagos.
http://www.justlottery.com/all-results/UK-Lotto.html
Congratulations
We will like to inform you that your e-mail address has won the sum of £950.000.00 from monthly British Olympic and United Kingdom National Lottery Promotion award held on 1st June, 2012. Your e-mail address was chosen for this promotion as one of the lucky e-mail address through our computer ballot system in British national lottery.
http://www.justlottery.com/all-results/UK-Lotto.html
Ref: UK/9420X2/68.
Winning No: 01 06 2012: (05) (06) (34) (42) (45) (46) BB (22)
You are hereby advised to contact our authorized coordinator and provide the above information to avoid delays/mistake.
Payment Coordinator
Mr. Justin King
Email: uk.kingagency1@live.com OR inforwin1@games.com
Tel: +44-702-407-2224.
MOBILE ONLINE DOCUMENTATION FORM
Full Names: ……………………………….
Contact Address: ………………………….
Nationality: ……………………………….
Country of Resident: ………………….......
Contact Number: ………………………….
Occupation: ……………………………….
Winning Email: …………………………...
Your Age: …………………………………
Sex: ………………………………………..
Ref. Number: ………………………………
Winning No: ………………………………
Beneficiary Amount: ………………………
Yours Faithfully,
Dr. Steve Heinderson
Director Customer Service/Claims Dept.
Labels:
Advanced Fee Fraud,
Spam
Wednesday, 6 June 2012
Fake Craiglist emails / paranoiknepjet.ru
From: craigslist - automated message, do not reply
Sent: 06 June 2012 14:32
Subject: POST/EDIT/DELETE : "Film maker & Actor/Actress" (crew)
IMPORTANT - FURTHER ACTION IS REQUIRED TO COMPLETE YOUR REQUEST !!!
FOLLOW THE WEB ADDRESS BELOW TO:
• PUBLISH YOUR AD
• EDIT (OR CONFIRM AN EDIT TO) YOUR AD
• VERIFY YOUR EMAIL ADDRESS
• DELETE YOUR AD
If not clickable, please copy and paste the address to your browser:
Click here
PLEASE KEEP THIS EMAIL - you may need it to manage your posting!
Your posting will expire off the site 7 days after it was created.
Thanks for using craigslist!
========================
From: craigslist - automated message, do not reply
Sent: Tue 05/06/2012 21:43
Subject: POST/EDIT/DELETE : "Real professional tattoo work" (cycle)
IMPORTANT - FURTHER ACTION IS REQUIRED TO COMPLETE YOUR REQUEST !!!
FOLLOW THE WEB ADDRESS BELOW TO:
• PUBLISH YOUR AD
• EDIT (OR CONFIRM AN EDIT TO) YOUR AD
• VERIFY YOUR EMAIL ADDRESS
• DELETE YOUR AD
If not clickable, please copy and paste the address to your browser:
Click here
PLEASE KEEP THIS EMAIL - you may need it to manage your posting!
Your posting will expire off the site 7 days after it was created.
Thanks for using craigslist!
______________________________________________________________________
This email has been scanned by the Symantec Email Security.cloud service.
For more information please visit http://www.symanteccloud.com
______________________________________________________________________
The link in the email leads to a malicious payload at [donotclick]http://paranoiknepjet.ru:8080/forum/showthread.php?page=5fa58bce769e5c2c (report here) hosted on some IP addresses we have already seen.
50.57.43.49
50.57.88.200
184.106.200.65
187.85.160.106
I can identify the following domains on those IPs, all of which can be considered to be malicious:
girlsnotcryz.ru
holigaansongeer.ru
immerialtv.ru
insomniacporeed.ru
mazdaforumi.ru
norilsknikeli.ru
opimmerialtv.ru
piloramamoskow.ru
spbfotomontag.ru
uzindexation.ru
Added: another one..
Date: Wed, 6 Jun 2012 02:48:02 +0000
From: "craigslist - automated message, do not reply" [robot@craigslist.org]
Subject: POST/EDIT/DELETE : "we have moving supplies "check us out"" (sublets / temporary)
IMPORTANT - FURTHER ACTION IS REQUIRED TO COMPLETE YOUR REQUEST !!!
FOLLOW THE WEB ADDRESS BELOW TO:
PUBLISH YOUR AD
EDIT (OR CONFIRM AN EDIT TO) YOUR AD
VERIFY YOUR EMAIL ADDRESS
DELETE YOUR AD
If not clickable, please copy and paste the address to your browser:
Click here
PLEASE KEEP THIS EMAIL - you may need it to manage your posting!
Your posting will expire off the site 7 days after it was created.
Thanks for using craigslist!
Labels:
Craigslist,
Malware,
RU:8080,
Spam,
Viruses
"Scan from a HP ScanJet" spam / uzindexation.ru
This fake HP OfficeJet spam leads to malware on uzindexation.ru:
From: Ashley Madison [mailto:donotreply@ashleymadison.com]
Sent: 05 June 2012 04:12
Subject: Scan from a HP ScanJet #593159
Attached document was scanned and sent
to you using a Hewlett-Packard HP Officejet 6821P.
Sent by: Daxton
Images : 3
Attachment Type: .HTM [INTERNET EXPLORER]
Hewlett-Packard Officejet Location: machine location not set
Device: ODS400LA6DS57679188
The malware can be found at [donotclick]uzindexation.ru:8080/forum/showthread.php?page=5fa58bce769e5c2c (report here) which is hosted on a bunch of IP addresses we saw in this attack:
50.57.43.49 (Slicehost, US)
50.57.88.200 (Slicehost, US)
184.106.200.65 (Slicehost, US)
187.85.160.106 (Ksys Soluções Web, Brazil)
Monday, 4 June 2012
"Your Paypal Ebay.com payment" spam / adnroidsoft.net
Date: Mon, 4 Jun 2012 10:43:57 -0400
From: "PayPal" [notify@paypal.com]
Subject: Your Paypal Ebay.com payment.
Transaction ID: 73013749
Hello -----------,
You sent a payment of $950.48 USD to Quentin Cotton
Thanks for using PayPal. To see all the transaction details, Log In to your PayPal account.
It may take a few moments for this transaction to appear in your account.
Seller
Carroll.Dickinson@yahoo.com Note to seller
You haven't included a note.
Shipping address - confirmed
4787 Hyde Rd
Manlius
United States
Shipping details
The seller hasn't provided any shipping details yet.
Description Unit price Qty Amount
1927 Supermarine S.5 & Gloster seaplane Schneider Trophy Race Photograph
Item# 059770363
$950.48 USD 23 $950.48 USD
Shipping and handling $0.00 USD
Insurance - not offered ----
Total $950.48 USD
Payment $950.48 USD
Issues with this transaction?
You have 45 days from the date of the transaction to open a dispute in the Resolution Center.
Questions? Go to the Help Center at: www.paypal.com/help.
Please do not reply to this email. This mailbox is not monitored and you will not receive a response. For assistance, log in to your PayPal account and click Help in the top right corner of any PayPal page.
You can receive plain text emails instead of HTML emails. To change your Notifications preferences, log in to your account, go to your Profile, and click My settings.
PayPal Email ID PP303
The link in the email goes to a malicious payload at [donotclick]adnroidsoft.net/main.php?page=017f3bb5c2be6a41 (report here) hosted on 120.197.89.124 (China Mobile Communications Corporation). Unless you do business with China, you might want to consider blocking 120.192.0.0/11 to be on the safe side; bear in mind that a /11 covers just over two million addresses, so expect some collateral blocking of legitimate traffic from that range.
Other sites on the same IP which may also be malicious are:
bestcompdefence.net
lifelovework.net
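The .ru:8080 posts above all share the same landing-page path and the same handful of Slicehost and Brazilian IPs, and this post suggests blocking a whole /11. The script below is an added example, not code from the original blog: it collects the domains, IPs and the 120.192.0.0/11 range from these posts into one indicator set and runs some constructed proxy-log lines (client, destination IP, URL; the log format is assumed) through it, flagging hostile domains and their subdomains, the shared kit path on port 8080, listed IPs, and any destination inside the blocked range.

```python
"""Match proxy-log requests against the indicators listed in these posts.

Added example, not code from the original blog. The log format and the
log lines are constructed; the indicators are copied from the posts.
"""
import ipaddress
import re
from urllib.parse import urlsplit

# Domains the posts identify as payload hosts or as sharing a server with one.
HOSTILE_DOMAINS = {
    "saprolaunimaxim.ru", "girlsnotcryz.ru", "hamlovladivostok.ru",
    "holigaansongeer.ru", "paranoiknepjet.ru", "piloramamoskow.ru",
    "pistolitnameste.ru", "pushkidamki.ru", "spbfotomontag.ru", "stroby.ru",
    "uzindexation.ru", "immerialtv.ru", "opimmerialtv.ru", "kidwingz.net",
    "itscholarshipz.net", "adnroidsoft.net", "cool-mail.net",
}
# IPs the posts identify as hosting the payloads.
HOSTILE_IPS = {
    "50.57.43.49", "50.57.88.200", "184.106.200.65", "187.85.160.106",
    "89.108.75.155", "31.17.189.212", "68.71.222.8", "84.106.114.97",
    "120.197.89.124",
}
# The range the adnroidsoft.net post suggests blocking wholesale.
HOSTILE_NETS = [ipaddress.ip_network("120.192.0.0/11")]
# Landing-page path shared by every domain in the .ru:8080 cluster
# (the hex token is 16 characters in each post).
KIT_PATH = re.compile(r"^/forum/showthread\.php\?page=[0-9a-f]{16}$")


def classify(url, dest_ip=None):
    """Return the reasons a request matches the indicators (empty list if none).

    url is the requested URL (a scheme is added if missing); dest_ip is the
    server address the proxy actually connected to, when the log records it.
    """
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    reasons = []

    # Exact or subdomain match against the hostile domain list.
    if any(host == d or host.endswith("." + d) for d in HOSTILE_DOMAINS):
        reasons.append("hostile domain " + host)

    # Kit landing page: require the full path and the cluster's port 8080,
    # otherwise an ordinary vBulletin-style forum URL would match.
    path_q = parts.path + ("?" + parts.query if parts.query else "")
    if KIT_PATH.match(path_q) and parts.port == 8080:
        reasons.append("RU:8080 kit path " + path_q)

    # Check both the host (if it is a literal IP) and the connected address.
    candidates = []
    for value in (host, dest_ip):
        try:
            ip = ipaddress.ip_address(value)
        except ValueError:
            continue  # a hostname, or no dest_ip supplied
        if ip not in candidates:
            candidates.append(ip)
    for ip in candidates:
        if str(ip) in HOSTILE_IPS:
            reasons.append("hostile IP " + str(ip))
        for net in HOSTILE_NETS:
            if ip in net:
                reasons.append(f"{ip} inside {net}")
    return reasons


# Constructed log lines: "client dest_ip url", one request per line.
SAMPLE_LOG = """\
10.0.0.5 50.57.43.49 http://paranoiknepjet.ru:8080/forum/showthread.php?page=5fa58bce769e5c2c
10.0.0.7 68.71.222.8 http://kidwingz.net/main.php?page=614411383eef8d9
10.0.0.9 120.197.89.124 http://adnroidsoft.net/main.php?page=017f3bb5c2be6a41
10.0.0.9 120.200.1.1 http://example.org/index.html
10.0.0.3 93.184.216.34 http://www.example.com/
"""


def scan(log_text):
    """Return (line number, client, reasons) for every line that matches."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        fields = line.split()
        if len(fields) < 3:
            continue
        client, dest, url = fields[:3]
        reasons = classify(url, dest)
        if reasons:
            hits.append((n, client, reasons))
    return hits


if __name__ == "__main__":
    for n, client, reasons in scan(SAMPLE_LOG):
        print(f"line {n}: {client}: " + "; ".join(reasons))
```

Running it flags the first four sample lines: the first three on domain and IP (the first also on the kit path), and the fourth purely because its destination falls inside 120.192.0.0/11 even though the host is not on any list, which is exactly the collateral a /11 block produces. The kit-path check is deliberately tied to port 8080 so that a legitimate forum serving showthread.php on port 80 is not flagged.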
Sunday, 3 June 2012
"Your Job Application is Pending" / rockingcreditoffer.com scam
We've seen a variant of this "Rock Force Management" scam a couple of times before (here and here).
Date: Sun, 3 Jun 2012 21:04:25 +0200
From: "Gracie Vega" [bog@cerex.com]
Subject: Your Job Application is Pending
Hello Advantage
Thank you for submitting your information for potential employment opportunities.
We look forward to reviewing your application,
but can not do so until you complete our internal application.
Prior to begin able to be considered, you will first need you to formally apply.
Please go here to begin the process:
http://5url.net/e7D
Also, the following perks are potentially available:
- Paid Time Off
- Health Benefits Package
- Higher than average salaries
- Tuition Reimbursement
- Extensive 401(k)program
Please take the time to follow the directions and complete the entire application process.
----------
Then we get bounced through a series of redirectors:
5url.net/e7D ->
xkteen.com.br/conlact.php?c=rockingcreditoffer&t=com?dejaryfi ->
rockingcreditoffer.com?dejaryfi
One characteristic of these scam pages is the number "(240) 718-4632" which is displayed on each one.
After filling in some basic details, the scam starts to become clear.
All job applicants on this site are now required to check their credit score online and submit them here in order to proceed.
There's a button labelled "Please click here to obtain your credit score (Authorized Credit Retrieval Agent)" which in this case leads to a 404 page, but before we have seen it going to a get-rich-quick scam page instead.
The purpose of this verification is to prevent fraud and authenticate the profile of all our applicants. Please take note this is a verification process only and the result of your credit score will not in any way affect your job application. We just need to know that you are a real person.
The problem is that by the time the scam becomes apparent, you have already furnished the scammers with your personally identifiable information which they will sell on to other scammers and spammers.
In this case the originating IP was 222.253.76.159 in Vietnam, the rockingcreditoffer.com scam site was hosted on 91.217.162.100 (Voejkova Nadezhda, a Russian firm hosting across the border in Ukraine). Give this one a wide berth..
Labels:
Job Offer Scams,
Scams,
Spam
"Digg Verification" spam / dietpilldrugstore.com
This spam appears to be from Digg, but it leads to a fake pharmacy. It could easily be adapted to distribute malware though, and this is the first time that I have seen a fake Digg message such as this.
From: Digg [mailto:noreply@e.digg.com]
Sent: Sun 03/06/2012 13:00
Subject: Digg Verification
Problem viewing this email?
View it in your browser.
Hi xxxxxx@xxx.xxx
Thank you for registering with us at Facebook social sharing. We look forward to seeing you around the site.
Now your friends can see what you're reading around the web. Also you can add or delete any article from your activity. Click the Social button to turn this off.
What is Facebook Social Share?
Share your Digg experience with your Facebook friends. Let your friends see what you're reading as you discover the best news around the web.
The email looks pretty convincing, but the link in it is a redirector to a bogus pharmacy site at dietpilldrugstore.com on 94.155.49.57 (ITD Network, Bulgaria). That IP address has a number of other fake pharma sites (listed below) and is probably worth blocking.
genericspillsgroup.com
hightramplate.com
levitrameds.com
medcontab.com
medicaremedsgroup.com
medicarewelnessdebt.com
medslevitraleiby.com
medsmedicinegroup.com
movietestworld.com
mycanadatablet.com
mypillhealthcare.com
myprescriptionmedicine.com
myrxhealthcare.com
mytabdiet.com
newcanadatablet.com
newhealthprescription.com
newherbalpharmacy.com
newpharmacymedicare.com
newtabletdrugstore.com
newtablethealthcare.com
newviagrasale.com
pakistanlispharmacy.com
patientsviagracare.com
pharmacyhealthcarepatients.com
Labels:
Bulgaria,
Fake Pharma,
Spam
Friday, 1 June 2012
LinkedIn spam / immerialtv.ru
This fake LinkedIn spam leads to malware:
Date: Fri, 1 Jun 2012 02:45:50 +0000
From: LinkedIn Email Confirmation [emailconfirm@linkedin.com]
Subject: Please confirm your email address
Click here to confirm your email address.
If the above link does not work, you can paste the following address into your browser:
You will be asked to log into your account to confirm this email address. Be sure to log in with your current primary email address.
We ask you to confirm your email address before sending invitations or requesting contacts at LinkedIn. You can have several email addresses, but one will need to be confirmed at all times to use the system.
If you have more than one email address, you can choose one to be your primary email address. This is the address you will log in with, and the address to which we will deliver all email messages regarding invitations and requests, and other system mail.
Thank you for using LinkedIn!
--The LinkedIn Team
© 2012, LinkedIn Corporation
The payload is on [donotclick]immerialtv.ru:8080/forum/showthread.php?page=5fa58bce769e5c2c (report here) hosted on the following IPs:
50.57.43.49 (Slicehost, US)
50.57.88.200 (Slicehost, US)
184.106.200.65 (Slicehost, US)
187.85.160.106 (Ksys Soluções Web, Brazil)
Plain list for copy-and-pasting:
50.57.43.49
50.57.88.200
184.106.200.65
187.85.160.106
Those IPs host the following domains which can also be assumed to be hostile:
immerialtv.ru
opimmerialtv.ru
piloramamoskow.ru
Tuesday, 29 May 2012
Orwellian Black Opel II
Google's Orwellian Black Opels are back on the prowl, updating Street View. Here's me watching them watching me :)
I don't know whether this one (LJ08 VVC) is the same Opel Astra I pictured in 2009, but the camera assembly has certainly changed since then.
Labels:
Google Maps,
Google Streetview
Monday, 28 May 2012
Amazon.com spam / anarodas.net
From: digital-no-reply@amazon.com [mailto:Amazon.com]
Sent: 25 May 2012 19:02
To: XXXXXXX
Subject: Your Kindle e-book Amazon.com receipt.
Thanks for your order, XXXXXXX!
Did you know you can view and edit your orders online, 24 hours a day? Visit Your Account.
Order Information:
E-mail Address: XXXXXXX
Billing Address:
Jerry Vance
503-8878 Vel Avenue
GAHANNA
United States
Phone: 614-361-9914
Order Grand Total: $ 54.99
Earn 3% rewards on your Amazon.com orders with the Amazon Visa Card. Learn More
Order Summary:
Details:
Order #: T29-2192561-6011996
Subtotal of items: $ 54.99
------
Total before tax: $ 54.99
Tax Collected: $0.00
------
Grand Total: $ 50.00
Gift Certificates: $ 4.99
------
Total for this Order: $ 54.99
The following item is auto-delivered to your Kindle or other device. You can view more information about this order by clicking on the title on the Manage Your Kindle page at Amazon.com.
Mockingjay (The Final Book of The Hunger Games) [Kindle Edition] $ 54.99
Sold By: Random House Digital, Inc.
________________________________________
You can review your orders in Your Account. If you've explored the links on that page but still have a question, please visit our online Help Department.
Please note: This e-mail was sent from a notification-only address that cannot accept incoming e-mail. Please do not reply to this message.
Thanks again for shopping with us.
Amazon.com
Earth's Biggest Selection
Prefer not to receive HTML mail? Click here
The malicious payload is on [do not click]anarodas.net/xor/index.php?showtopic=249281 (report here). The site is hosted on the familiar IP address of 41.64.21.71 which is an ADSL line in Cairo.
Sunday, 27 May 2012
When idiots attack
The Wikipedia article for the Ripoff Report is one of those battlegrounds that combines edits from fans of the site, scammers who have been exposed by the site who are trying to settle scores, some people with genuine grievances and concerns about the way the site operates and neutral parties just trying to keep the whole thing together.
Usually, the edits are quite small. But then someone replaced the article in this edit with the following text, containing a number of obviously false allegations:
Ripoff Report is a privately owned and operated for-profit website founded by consumer advocate Ed Magedson. Who is a fraud star and he is also a Child molester. He used to live in Tampa, Florida, people say he is hiding now in Arizona but actually he lives out side of the USA. FBI is looking for him as well. He claims that he is the consumer advocate. In reality he is actually a communist and he does now not want to Free market to spread out. He is a real scammer and extortionist! People be care full!! The Ripoff Report has been online since December 1998 and is operated by Xcentric Ventures, LLC is a fradulent company which is based in Tempe, Arizona.[1] Ed Magedson is the site's current Editor-in-Chief.
If we want to grow Free Economy and grow America we must stop this fraudulent monster. He caused a serious damage too many good people. All he cares about his own money! He must be brought to justice!
At the same token Google, Yahoo and Bing are supporting him! He must be black listed in all search engines!
Almost all the old text from the article was deleted, and the highlighted section above added. What the heck is a "Fraud star" anyway? So who wrote this illiterate drivel? Well, Wikipedia helpfully records the editor's IP address of 74.92.194.46, which is..
Network
NetRange: 74.92.194.40 - 74.92.194.47
CIDR: 74.92.194.40/29
Name: NATIONS-WARRANTY-GROUP
Handle: NET-74-92-194-40-1
Parent: CBC-ATLANTA-6 (NET-74-92-192-0-1)
Net Type: Reassigned
Origin AS:
Customer: Nations Warranty Group (C01796119)
Registration Date: 2007-11-20
Last Updated: 2007-11-20
Comments:

Customer
Name: Nations Warranty Group
Handle: C01796119
Street: 2820 Lassiter RdC
City: Marietta
State/Province: GA
Postal Code: 30062
Country: US
Registration Date: 2007-11-20
Last Updated: 2011-03-19
Comments:
Googling for "nations warranty" marietta is pretty revealing and it leads us to this SEC complaint from 2008 which says:
The Commission alleges that since approximately January 2008, Mikula, a recidivist securities law violator, and Craddock, acting individually or through Nations Warranty or JW&P Consulting, have used misrepresentations and omissions of material fact to offer and sell approximately $2.8 million of securities issued by Nations Warranty in unregistered transactions to approximately 120 investors.
The Complaint alleges that Mikula, operating through his wholly-owned entity JW&P Consulting, and Craddock used material misrepresentations and omissions of material facts to offer and sell short-term promissory notes issued by Nations Warranty. The notes were sold with terms of either 100 or 220 days, and promised rates of return of 4% or 5% per month, respectively. Among the misrepresentations and omissions, the defendants described Nations Warranty to investors as a profitable company when, in fact, Nations Warranty has incurred a net loss of at least $1.2 million during 2008. Defendants also claimed the Nations Warranty notes were "guaranteed" when, in fact, they were not.
Furthermore, Defendants represented that JW&P Consulting had evaluated the risks of investing in Nations Warranty notes and had found the risks acceptable. However, Defendants failed to disclose that JW&P Consulting was nothing more than Mikula himself and that Mikula had been enjoined in a Commission action in July 2007 for operating a Ponzi scheme.
As a result of this fraud, the company was liquidated. Presumably whoever posted the Wikipedia edits confuses free market economics with fraud.
Here's the odd thing.. the SEC actions took place in 2008, so why start griping four years later? There's only a single entry that I can find on Ripoff Report here, and that dates from over three years ago. Not really very current, is it? Or perhaps Nations Warranty have popped up again under a new name?
Zinio spam wastes everyone's time
I've never heard of Zinio before, but apparently they produce electronic versions of magazines or something. I've certainly never opted in to receiving mail from them, but they do seem to be a legitimate company. Presumably they bought my email address from a third party in good faith.
But the annoying thing is that if you're going to spam out advertisement emails.. well, at least check the basics.
Date: 26 May 2012 09:38:52 -0400
From: "Zinio Digital Magazines" [zinio@pgs.zinio.com]
Subject: Limited Time Offer: Make a purchase on Zinio and get $5 in Zinio Perks!
Exclusive Offers From Zinio! | View as a web page
shop | featured | my library | tell a friend
Get Credit For Purchasing What You Love!
For a limited time, make a purchase on Zinio and get $5 in Zino Perks, good towards over 5000 digital publications!
Simply choose your favorite magazines anytime before April 30, 2012 midnight PST and receive your Zinio Perks within 72 hours.
Click here and choose from thousands of titles now!
National Geographic Interactive
Subscribe and Save 67%!
Buy Now
Us Weekly
Subscribe and Save 68%!
Buy Now
Harvard Business Review
Subscribe and Save 53%!
Buy Now
Maxim
Subscribe and Save 79%!
Buy Now
New Scientist
Subscribe and Save 76%!
Buy Now
Macworld
Subscribe and Save 76%!
Buy Now
Subscribe and Save 48%!
Buy Now
HELLO! magazine
Subscribe and Save 50%!
Buy Now
This email was sent to: xxxxxxxxxxxxxxxxxxx@xxxxx.xxx
We respect your right to privacy, please manage your preferences here.
Zinio LLC - 114 Sansome Street, 4th Floor, San Francisco, CA 94104
There's some horribly mangled HTML that prevents it from loading properly, but the key annoyance is that this so-called special offer expired on "April 30, 2012 midnight PST", yet the email was not sent until 26th May, from an IP address of 66.150.202.2. The email is digitally signed as being from zinio@pgs.zinio.com.
Well, Zinio.. I might just pass you up on your craptastic offer.
Thursday, 24 May 2012
24by7technohelp.com / 24by7onlinesolution.com scam
Technical support scammers call the wrong person in this video..
The website involved is 24by7technohelp.com (there is another site on the same server called 24by7onlinesolution.com doing the same thing). These sites are hosted on 208.91.199.77 (Confluence Networks, British Virgin Islands). I've had the Confluence Networks range of 208.91.196.0/22 blocked for some time with no ill effects..
More on this story here.
[Via]
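The posts on this page keep coming back to the same defensive action: block the hostile IPs and domains (the immerialtv.ru list above) or, where a hosting provider is consistently bad, block the whole range (the Confluence Networks 208.91.196.0/22 range mentioned in the 24by7technohelp.com post). As an added example, not code from this blog, here is a small Python blocklist checker that takes indicators in exactly the form the posts give them (bare IPs, domains, one CIDR) and runs them over proxy log lines. The log lines are constructed for the example and are not real traffic; the "timestamp client url" log layout is an assumption, and the subdomain matching (cdn.piloramamoskow.ru matches piloramamoskow.ru) goes slightly beyond what the posts spell out.

```python
import ipaddress
from urllib.parse import urlsplit

# Indicators taken from the posts on this page: hostile IPs, hostile domains
# and the Confluence Networks range the author says he blocks outright.
HOSTILE_IPS = {
    "50.57.43.49", "50.57.88.200", "184.106.200.65", "187.85.160.106",  # immerialtv.ru
    "208.91.199.77",  # 24by7technohelp.com / 24by7onlinesolution.com
    "41.64.21.71",    # anarodas.net
}
HOSTILE_DOMAINS = {
    "immerialtv.ru", "opimmerialtv.ru", "piloramamoskow.ru",
    "anarodas.net", "24by7technohelp.com", "24by7onlinesolution.com",
}
BLOCKED_RANGES = [ipaddress.ip_network("208.91.196.0/22")]


def host_from_url(url):
    """Return the bare host of a URL with any :port removed.

    Scheme-less strings such as 'immerialtv.ru:8080/forum/...' (the way the
    posts print them) are accepted by prepending http:// first; otherwise
    urlsplit would read 'immerialtv.ru' as the scheme.
    """
    if "://" not in url:
        url = "http://" + url
    host = urlsplit(url).hostname  # already lower-cased, port stripped
    return host or ""


def classify_host(host):
    """Return a reason string if host is on the blocklist, else None.

    Domain names match exactly or as a subdomain of a listed domain; literal
    IP addresses match the exact list first, then CIDR containment.
    """
    host = host.lower().rstrip(".")
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        addr = None
    if addr is None:
        for dom in HOSTILE_DOMAINS:
            if host == dom or host.endswith("." + dom):
                return "domain:" + dom
        return None
    if host in HOSTILE_IPS:
        return "ip:" + host
    for net in BLOCKED_RANGES:
        if addr in net:
            return "range:" + str(net)
    return None


def scan_proxy_log(lines):
    """Scan 'timestamp client url' lines (assumed layout) and return a list of
    (client, url, reason) tuples for every request to a blocklisted host.
    Lines with fewer than three fields are skipped rather than guessed at."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 3:
            continue
        client, url = parts[1], parts[2]
        reason = classify_host(host_from_url(url))
        if reason:
            hits.append((client, url, reason))
    return hits


# Constructed sample log lines for the example (not real traffic).
SAMPLE_LOG = """\
1338300001.123 10.0.0.5 http://immerialtv.ru:8080/forum/showthread.php?page=5fa58bce769e5c2c
1338300002.456 10.0.0.7 http://www.linkedin.com/
1338300003.789 10.0.0.9 http://208.91.198.14/
1338300004.012 10.0.0.5 http://cdn.piloramamoskow.ru/x.js
1338300005.345 10.0.0.8 http://anarodas.net/xor/index.php?showtopic=249281
1338300006.678 10.0.0.3 http://187.85.160.106/
""".splitlines()

if __name__ == "__main__":
    for client, url, reason in scan_proxy_log(SAMPLE_LOG):
        print(f"{client} -> {url}  [{reason}]")
```

Note that 208.91.198.14 is not on any of the posts' IP lists but is still flagged, because it falls inside the blocked /22; that is the point of blocking the range rather than individual addresses, and the range check is where a false positive against a legitimate customer of the same provider would come from, which is why the author mentions having run it "with no ill effects" before recommending it.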
Labels:
Scams
Where's the malware spam?
You might have noticed that I haven't posted details of any malware spam in the past few days. This is because.. well, there really hasn't been much in the way of malware spam, with only one major campaign in the past three weeks.
When malware spam drops, I notice that fake pharma spam pops up instead, and furthermore malware spam runs are hardly ever at weekends when pharma takes over. And yes.. there's been an uptick of pharma spam lately which follows the pattern.
This malware spam run has been going on for months now, with a few breaks of a few weeks each time. I can't believe that anything fundamental has changed. So stay alert!