This is an updated list of evil domains on 194.28.115.150 (Specialist ISP in Transnistria). Blocking all of 194.28.112.0 - 194.28.115.255 (194.28.112.0/22) is the best idea, and blocking traffic to .rr.nu ain't a bad one either. But if you can only block by domains names then this is the latest list of malware-laden sites to avoid:
xinthesidersdown.com
sweepstakesandcontestsdo.com
ens122zzzddazz.com
ssi11fica.rr.nu
ari55nea.rr.nu
sre13vea.rr.nu
tartis78tscolla.rr.nu
djust16scotla.rr.nu
courie90rhydra.rr.nu
idaysc65artera.rr.nu
x1010thta.rr.nu
ealis86ticeva.rr.nu
sfl20ewwa.rr.nu
rece76iptsb.rr.nu
xvarfo29urdayec.rr.nu
res11tric.rr.nu
ake60rsc.rr.nu
like90varyc.rr.nu
popre01versed.rr.nu
atr56aid.rr.nu
mentme03talsind.rr.nu
rasvi52llage.rr.nu
inglon03grange.rr.nu
senior78custome.rr.nu
sbandb46aninve.rr.nu
surpr54iseove.rr.nu
tes364rdaf.rr.nu
seamer47icadiff.rr.nu
veryt17hingof.rr.nu
ailway42staging.rr.nu
didat35egraph.rr.nu
nals02south.rr.nu
tampas71overei.rr.nu
ekendd69espitei.rr.nu
funct78ionali.rr.nu
artyi03nflati.rr.nu
ofess10ional.rr.nu
ful26qual.rr.nu
var64iabl.rr.nu
ins62ail.rr.nu
orig10inall.rr.nu
ulty75cream.rr.nu
lco16mpan.rr.nu
refi88nedn.rr.nu
ariney05aleteen.rr.nu
ital10namen.rr.nu
ymi87nin.rr.nu
olddo85esgoin.rr.nu
reque83ntlyin.rr.nu
atchp64ension.rr.nu
ional93phaco.rr.nu
eathin54gcashdo.rr.nu
ati31ngpo.rr.nu
atsda53ngero.rr.nu
ein77gyo.rr.nu
getth82rowapp.rr.nu
tsoc11ketp.rr.nu
vin04gup.rr.nu
tsroy47alpar.rr.nu
eri56orar.rr.nu
andsto57cksstar.rr.nu
train59tsafer.rr.nu
ariae54ither.rr.nu
eighbo02rsbarr.rr.nu
ing80entr.rr.nu
brown74emphas.rr.nu
sto32rybs.rr.nu
ncom24pares.rr.nu
ctab59uwes.rr.nu
spr71ings.rr.nu
ssig49nals.rr.nu
ght91ers.rr.nu
elop28ments.rr.nu
acons09olidat.rr.nu
omp25let.rr.nu
tinc31omeu.rr.nu
cello11rassu.rr.nu
pre86view.rr.nu
ns1.hoperjoper.ru
ns2.hoperjoper.ru
Tuesday, 7 August 2012
Malware sites to block on 194.28.115.150
Labels:
Malware,
Moldova,
Specialist ISP,
Transnistria
123Greetings.com spam / remindingwands.org
This fake 123Greetings.com spam actually delivers malware instead, hosted on remindingwands.org:
Date: Tue, 7 Aug 2012 16:34:21 +0200The malicious payload is at [donotclick]remindingwands.org/main.php?page=861097b084221fd although at the moment it is not responding. This site is hosted on 78.87.123.114 (CYTA, Greece) which is a particularly evil IP that has been seen a lot of lately and can safely be blocked.
From: "123Greetings.com" [ecards@123greetings.com]
Subject: New e-card for you.
Vanna amet.diam.eu@lorem.ca has just sent you an ecard from 123Greetings.com
You can view it by clicking here:
http://www.123greetings.com/send/view/999095:
Thanks to our new tracking feature, you can now access all the ecards received by you in the last 14 days.
Use the link below or copy & paste the link into your browser's address bar.
http://www.123greetings.com/connect/track
Or if you prefer you can go to http://www.123greetings.com/ and type your ecard number (0090593007) in the "Search Box" at the top right of the page.
Your ecard can be downloaded for the next 30 days.
Based on user feedback, 123Greetings.com has launched 6 new pages with the best ecards in the Most Popular/ Most Viewed/ Highest Rated/ Latest Additions/ Popular Now and Always There Sections listed on the homepage.
http://www.123greetings.com/top/most_popular.html
http://www.123greetings.com/top/most_viewed.html
http://www.123greetings.com/top/highest_rated.html
http://www.123greetings.com/top/latest.html
http://www.123greetings.com/top/popular_now.html
http://www.123greetings.com/top/always_there.html
If you need any help in viewing your ecard or any other assistance,
please visit our Help/ FAQ section at: http://help.123greetings.com/
We hope you enjoy your ecard,
Your friends at 123Greetings.com
http://www.123greetings.com
We respect your privacy. You will not be receiving any promotional emails from us
because of this ecard. To view our privacy policy, click on the link below:
http://info.123greetings.com/company/privacy_policy.html
Note: This is an auto generated mail. Please do not reply.
If you have any other problem please contact us by clicking on the following link:
http://help.123greetings.com/contact_us.html
This email was sent by 123Greetings.com, Inc., 1674 Broadway, New York, NY 10019.
"Your Photos" spam / pussyriotss.ru
pussyriotss.ru? Well, if you follow the news in Russia at all then you will have heard of the Pussy Riot case. The IP addresses for pussyriotss.ru are:
190.120.228.92 (Infolink, Panama)
116.12.49.68 (Usonyx , Singapore)
These IPs are also associated with spb-koalitia.ru and a whole bunch of other badness, blocking them would be prudent.
Malware sites to block 7/8/12
A small selection of malicious domains to add to your blocklist this morning:
advancementwowcom.org
headtoheadblaster.org
searchlesswebwasher.info
voicecontroldevotes.info
swetadeline.com
threeffect.net
advancementwowcom.org
headtoheadblaster.org
searchlesswebwasher.info
voicecontroldevotes.info
swetadeline.com
threeffect.net
Labels:
Malware
Monday, 6 August 2012
LinkedIn spam / headtoheadblaster.org
This LinkedIn spam attempts to load malware from headtoheadblaster.org:
The malicious payload is at [donotclick]headtoheadblaster.org/main.php?page=f6857febef53e332 (report here) although at the time of writing it does not seem to be resolving.
Date: Mon, 6 Aug 2012 17:07:08 +0300
From: "LinkedIn Invitations" [invitations@linkedin.com]
To: [redacted]
Subject: Your friend sent you an invitation to join LinkedIn group.
This is a notification that on August 5, Gage Herring sent you an invitation to become part of their professional network at LinkedIn.
Accept Gage Herring Invitation
On August 5, Gage Herring wrote:
> To: [redacted]
>
> I'd like to add you to my professional network on LinkedIn.
>
> Gage Herring
You are receiving Reminder emails for pending invitations. Unsubscribe.
� 2012 LinkedIn Corporation. 2029 Stierlin Ct, Mountain View, CA 94043, USA.
==========
Date: Mon, 6 Aug 2012 10:02:02 -0400
From: "LinkedIn Invitations" [invitations@linkedin.com]
To: [redacted]
Subject: LinkedIn inviation notificaltion.
This is a notification that on August 5, Daniel Martinez sent you an invitation to join their professional network at LinkedIn.
Accept Daniel Martinez Invitation
On August 5, Daniel Martinez wrote:
> To: [redacted]
>
> I'd like to add you to my professional network on LinkedIn.
>
> Daniel Martinez
You are receiving Reminder emails for pending invitations. Unsubscribe.
� 2012 LinkedIn Corporation. 2029 Stierlin Ct, Mountain View, CA 94043, USA.
The malicious payload is at [donotclick]headtoheadblaster.org/main.php?page=f6857febef53e332 (report here) although at the time of writing it does not seem to be resolving.
"Welcome to PayPal" spam / spb-koalitia.ru
Subject: Welcome to PayPal - Choose your way to pay
Welcome
Hello [victim],
Thanks for paying with PayPal.
We congratulate you with your first Paypal money transfer. But we have hold it for the moment because the amount is over the security borders of our rules.
Here is what we have on file for you. Take a second to confirm we have your correct information.
[reciptient]@victimdomain.com
Confirmation Code
1509-3962-8257-3886-7087
Transfer Information
Amount: 18217.81 $
Reciever: Marcie William
E-mail: [another-recipient]@victimdomain.com
Accept Decline
Help Center | Security Center
Please don't reply to this email. It'll just confuse the computer that sent it and you won't get a response.
Copyright 2012 PayPal, Inc. All rights reserved. PayPal is located at 2211 N. First St., San Jose, CA 95131.
PayPal Email ID PP9335
______________________________________________________________________
This email has been scanned by the Symantec Email Security.cloud service.
For more information please visit http://www.symanteccloud.com
______________________________________________________________________
The malicious payload is on [donotclick]spb-koalitia.ru:8080/forum/showthread.php?page=5fa58bce769e5c2c (report here) hosted on the following (familiar looking IPs):
67.227.183.77 (LiquidWeb / SourceDNS, US)
203.80.16.81 (Myren Infrastructure, Malaysia)
213.170.99.11 (Quantum Communications, Russia)
The following domains and IPs are all related:
41.66.137.155
41.168.5.140
62.76.188.138
62.76.190.208
67.227.183.77
78.83.233.242
87.120.41.155
87.204.199.100
173.224.208.60
41.66.137.155
199.71.212.78
203.80.16.81
203.172.140.202
213.170.99.11
moskow-carsharing.ru
mysqlfordummys.ru
leprisoruim.ru
onerussiaboard.ru
online-gaminatore.ru
spb-koalitia.ru
zenedin-zidane.ru
autoaxident.com spam / Lalchand Sobhani
This spam is preying on people in the UK who have had a accident, but it is actually based in India. It starts off with a pitch similar to this one:
The spam leads you to a side called autoaxident.com on 174.122.93.250 which appears to belong to Confluence Networks in the UAE. The WHOIS details are privacy protected (never a good sign for this type of site). Nameservers show an Indian connection, they are dns1.bigrock.in and dns2.bigrock.in. The spam is sent through a relay service at 74.117.60.126 (lbsmtp.org, India).
The website has no contact details or privacy policy, it is basically just a collector. However, sending a query does generate a response..
The originating IP was 14.98.247.162 (TATA Indicom, India), so there's the Indian connection again.
Several things don't stand up with this pitch. One of them is the solicitor's name of "Mr. Lamb Brook". That's quite an unusual name, and it probably comes as no surprise to find that there is no such solicitor listed by the Law Society in the UK. Oddly, the telephone number quoted seems potentially valid and is a London number. Update: the name of the law firm is Lamb Brooks and not an individual solicitor, note however that Lamb Brooks are not sending out this unsolicited mail, I suspect that they are not even aware of it.
The email address of "Annie Thomas" alaska05@rediffmail.com also gives some clues. rediffmail.com is almost exclusively used in India, thus confirming that this is an Indian-based scam again, Googling this email address shows several clues with a background of buying and selling leads.
This thread ties the email address up with a user called lalchand38 and this is linked to a Twitter account at https://twitter.com/LCS38 (Lalchand / @LCS38) who appears to be Lalchand Sobhani who also uses an email address of lalchand38@yahoo.com. You can see his dating profile here and there are several other matches on Google for the same email address which show an interesting variety of enterprises including shipping prescription medications from India to the US.
So Annie Thomas is either Lalchand Sobhani or someone working for him. The solicitor in the UK does not exist. Mr Sobhani has gone to some efforts to hide his involvement here too.
What is probably going on here is lead generation through spam. Lalchand Sobhani is probably trying to generate personal injury leads to resell on to others. In any case, dealing with spammers is unlikely to be beneficial and it could lead to you being seriously out of pocket.
From: UL05 UL05@app12.sarvdns.org
Reply-To: UL05@app12.sarvdns.org
Date: 3 August 2012 17:26
Subject: Accident Injuries
Auto Axident
Claim Comfort
Home
Injury / Claim types
Contact Us
Welcome
Header Image
We are the accident claim specialists, offering free advice, downloads and access to top no win no fee personal injury solicitors.There are many types of Personal Injury like
Road Traffic Accident
Work Accident
Accident at Sea
Aircraft Accident
Faulty Product Accident
Hairdressing Accident
Holiday Accident
Medical Negligency Accident
Public Place Accident
Did you have an injury in the last two years?
If yes, Apply for Compensation below.
Apply for Claim here
Step 1
RTA ( SELF MEDICATING CLAIMANT )
[snipped]
© Copyright 2012 autoaxident.com. All Rights Reserved.
Powered by SARV Mail
Click here to unsubscribe
The spam leads you to a side called autoaxident.com on 174.122.93.250 which appears to belong to Confluence Networks in the UAE. The WHOIS details are privacy protected (never a good sign for this type of site). Nameservers show an Indian connection, they are dns1.bigrock.in and dns2.bigrock.in. The spam is sent through a relay service at 74.117.60.126 (lbsmtp.org, India).
The website has no contact details or privacy policy, it is basically just a collector. However, sending a query does generate a response..
from: AnnieThomas alaska05@rediffmail.com
date: 6 August 2012 08:15
subject: Re: RTA - Injuries
Awaiting your reply.
Annie Thomas
From: "Swati"[alaska05@rediffmail.com]
Sent: Sat, 04 Aug 2012 14:11:40
Subject: RTA - Injuries
Dear Mr. Xxxx Xxxx
Thanks for sending us your message.
Please send your contact phone number and address.
Also if you have time please fill up form available at www.autoaxident.com and press continue button instead of submit to get the full claim form to be filled.
Upon receipt of your phone number solicitor Mr. Lamb Brook will contact you for compensation for your injury
---
Annie Thomas
Customer Care Executive
Auto Accident Claim Company
London
Phone No. +44 20 3286 4645
Website - www.autoaxident.com
The originating IP was 14.98.247.162 (TATA Indicom, India), so there's the Indian connection again.
Several things don't stand up with this pitch. One of them is the solicitor's name of "Mr. Lamb Brook". That's quite an unusual name, and it probably comes as no surprise to find that there is no such solicitor listed by the Law Society in the UK. Oddly, the telephone number quoted seems potentially valid and is a London number. Update: the name of the law firm is Lamb Brooks and not an individual solicitor, note however that Lamb Brooks are not sending out this unsolicited mail, I suspect that they are not even aware of it.
The email address of "Annie Thomas" alaska05@rediffmail.com also gives some clues. rediffmail.com is almost exclusively used in India, thus confirming that this is an Indian-based scam again, Googling this email address shows several clues with a background of buying and selling leads.
This thread ties the email address up with a user called lalchand38 and this is linked to a Twitter account at https://twitter.com/LCS38 (Lalchand / @LCS38) who appears to be Lalchand Sobhani who also uses an email address of lalchand38@yahoo.com. You can see his dating profile here and there are several other matches on Google for the same email address which show an interesting variety of enterprises including shipping prescription medications from India to the US.
So Annie Thomas is either Lalchand Sobhani or someone working for him. The solicitor in the UK does not exist. Mr Sobhani has gone to some efforts to hide his involvement here too.
What is probably going on here is lead generation through spam. Lalchand Sobhani is probably trying to generate personal injury leads to resell on to others. In any case, dealing with spammers is unlikely to be beneficial and it could lead to you being seriously out of pocket.
Friday, 3 August 2012
AT&T spam / searchlesswebwasher.info
Date: Fri, 3 Aug 2012 16:54:24 +0100
From: "AT&T Online Services" <alert@email.att-mail.com>
Subject: Your AT&T bill is ready to be paid now.
<td style="padding: 0px 10px 0px 10px;" width:33%="" valign="top">
att.com | Support | My AT&T Account
<td style="padding: 0px 10px 0px 10px;" width:34%="" valign="top">
Your online bill is ready to be viewed
Dear Valued Customer,
A new bill for your AT&T account is ready.
Any operations completed after your bill period expires will not be shown in the bill amount listed directly below. If you have made a recent payment, please refer to the current balance on the Account Overview and the Bill & Payments pages.
Service Account ending in Bill Amount Due Date
Internet and Home Phone 3 $808.32 08/06/2012
Log in to online account management to view your bill and bill notices, maintain your email account or make a payment. If you are not registered for online account management, you must do so to view and print your full bill and bill notices at www.att.com/managemyaccount.
Log in to online account management to view your bill, maintain your email account or make a payment.
Thank you for choosing AT&T. We value your business and look forward to serving you!
Thank you,
AT&T Online Services
www.att.com
Contact Us
AT&T Support - quick & easy support is available 24/7.
Moving Soon?
Stay connected with AT&T. Visit us online at att.com/move.
<td style="padding: 0px 10px 0px 10px;" width:33%="" valign="top">
AT&T Online Services
Get more time to do what you want. What would you do?
Show me how
Automatic Payments
Save time and pay your monthly bill automatically!
Sign up now
Special Offers
Visit our Special Offers to check out our best promotions.
Learn more
Online Information
AT&T Community
Repair
Home Phone
Special Offers
PLEASE DO NOT REPLY TO THIS MESSAGE
All replies are automatically deleted. For questions regarding this message, refer to the contact information listed above.
�2012 AT&T Intellectual Property. All rights reserved. AT&T, the AT&T logo and all other AT&T marks contained herein are trademarks of AT&T Intellectual Property and/or AT&T affiliated companies. All other marks contained herein are the property of their respective owners.
Privacy Policy
The malicious payload is at [donotclick]searchlesswebwasher.info/main.php?page=6df8994172330e77 (report here) hosted on 78.87.123.114 which is part of a small range of IP addresses which can probably be safely blocked:
inetnum: 78.87.123.112 - 78.87.123.119
netname: GB13561-static
descr: tomeaspl-static
country: GR
admin-c: GB13561-RIPE
tech-c: GB13561-RIPE
status: ASSIGNED PA
mnt-by: CYTA-HELLAS
source: RIPE # Filtered
person: GEORGIOS BASILAKIS
address: TOMEAS PLIROFORIKIS EPE
address: FILELLHNON 8
address: HRAKLEIO KRHTHS
address: GREECE
phone: +302810327452
nic-hdl: GB13561-RIPE
mnt-by: CYTA-HELLAS
source: RIPE # Filtered
route: 78.87.64.0/18
descr: CYTANET - For CYTA HELLAS
origin: AS6866
mnt-by: CYTANET-NOC
source: RIPE # Filtered
netname: GB13561-static
descr: tomeaspl-static
country: GR
admin-c: GB13561-RIPE
tech-c: GB13561-RIPE
status: ASSIGNED PA
mnt-by: CYTA-HELLAS
source: RIPE # Filtered
person: GEORGIOS BASILAKIS
address: TOMEAS PLIROFORIKIS EPE
address: FILELLHNON 8
address: HRAKLEIO KRHTHS
address: GREECE
phone: +302810327452
nic-hdl: GB13561-RIPE
mnt-by: CYTA-HELLAS
source: RIPE # Filtered
route: 78.87.64.0/18
descr: CYTANET - For CYTA HELLAS
origin: AS6866
mnt-by: CYTANET-NOC
source: RIPE # Filtered
"Your Photos" spam / moskow-carsharing.ru
From: [redacted]The malicious payload is at [donotclick]moskow-carsharing.ru:8080/forum/showthread.php?page=5fa58bce769e5c2c (report here) hosted on the following IPs:
Sent: venerdì 3 agosto 2012 17:09
To: [redacted]
Subject: Your Photos
Hi,
your photos - http://www.[redacted].com/upload.htm
67.227.183.77
203.80.16.81
213.170.99.11
The following domain names are also related and should be blocked:
ipadvssonyx.ru
leprisoruim.ru
mysqlfordummys.ru
onerussiaboard.ru
online-cammunity.ru
online-gaminatore.ru
switched-games.ru
AT&T spam / globixlowerright.org
Date: Fri, 3 Aug 2012 11:03:52 -0300The link goes through a legitimate (but hacked) site and attempts to load a malware page at [donotclick]globixlowerright.org/main.php?page=6df8994172330e77 (report here) but at the moment it is not resolving as the domain appears to have been de-registered.
From: "AT&T Online Services" [att-services@email.att-mail.com]
Subject: Pay your AT&T bill online
<td style="padding: 0px 10px 0px 10px;" width:33%="" valign="top">
att.com | Support | My AT&T Account
<td style="padding: 0px 10px 0px 10px;" width:34%="" valign="top">
Your online bill is ready to be accessed
Dear Esteemed Customer,
A new bill for your AT&T services is prepared.
Any transactions completed after your bill period expires will not be shown in the bill amount listed directly below. If you have made a recent payment, please refer to the current balance on the Account Overview and the Bill & Payments pages.
Service Account ending in Bill Amount Due Date
Internet and Home Phone {LET:0 $460.46 08/06/2012
Log in to online account management to view your bill and bill notices, maintain your email account or make a payment. If you are not registered for online account management, you must do so to view and print your full bill and bill notices at www.att.com/managemyaccount.
Log in to online account management to view your bill, maintain your email account or make a payment.
Thank you for choosing AT&T. We value your business and look forward to serving you!
Thank you,
AT&T Online Services
www.att.com
Contact Us
AT&T Support - quick & easy support is available 24/7.
Moving Soon?
Stay connected with AT&T. Visit us online at att.com/move.
<td style="padding: 0px 10px 0px 10px;" width:33%="" valign="top">
AT&T Online Services
Get more time to do what you want. What would you do?
Show me how
Automatic Payments
Save time and pay your monthly bill automatically!
Sign up now
Special Offers
Visit our Special Offers to check out our best promotions.
Learn more
Online Information
AT&T Community
Repair
Home Phone
Special Offers
PLEASE DO NOT REPLY TO THIS MESSAGE
All replies are automatically deleted. For questions regarding this message, refer to the contact information listed above.
�2012 AT&T Intellectual Property. All rights reserved. AT&T, the AT&T logo and all other AT&T marks contained herein are trademarks of AT&T Intellectual Property and/or AT&T affiliated companies. All other marks contained herein are the property of their respective owners.
Privacy Policy
==========
Date: Fri, 3 Aug 2012 10:25:59 -0300
From: "AT&T Online Services" [att-services@email.att-mail.com]
Subject: Your AT&T bill is ready to be viewed
<td style="padding: 0px 10px 0px 10px;" width:33%="" valign="top">
att.com | Support | My AT&T Account
<td style="padding: 0px 10px 0px 10px;" width:34%="" valign="top">
Your online bill is ready to be accessed
Dear Valued Customer,
A new bill for your AT&T account is ready.
Any transactions made after your bill period expires will not be reflected in the bill amount listed directly below. If you have made a recent payment, please refer to the current balance on the Account Overview and the Bill & Payments pages.
Service Account ending in Bill Amount Due Date
Home Phone 1 $718.25 08/06/2012
Log in to online account management to view your bill and bill notices, maintain your email account or make a payment. If you are not registered for online account management, you must do so to view and print your full bill and bill notices at www.att.com/managemyaccount.
Log in to online account management to view your bill, maintain your email account or make a payment.
Thank you for choosing AT&T. We value your business and look forward to serving you!
Thank you,
AT&T Online Services
www.att.com
Contact Us
AT&T Support - quick & easy support is available 24/7.
Moving Soon?
Stay connected with AT&T. Visit us online at att.com/move.
<td style="padding: 0px 10px 0px 10px;" width:33%="" valign="top">
AT&T Online Services
Get more time to do what you want. What would you do?
Show me how
Automatic Payments
Save time and pay your monthly bill automatically!
Sign up now
Special Offers
Visit our Special Offers to check out our best promotions.
Learn more
Online Information
AT&T Community
Repair
Home Phone
Special Offers
PLEASE DO NOT REPLY TO THIS MESSAGE
All replies are automatically deleted. For questions regarding this message, refer to the contact information listed above.
�2012 AT&T Intellectual Property. All rights reserved. AT&T, the AT&T logo and all other AT&T marks contained herein are trademarks of AT&T Intellectual Property and/or AT&T affiliated companies. All other marks contained herein are the property of their respective owners.
Privacy Policy
==========
Date: Fri, 3 Aug 2012 15:17:49 +0200
From: "AT&T Online Services" [att-services@email.att-mail.com]
Subject: Your AT&T bill is ready to be paid now.
<td style="padding: 0px 10px 0px 10px;" width:33%="" valign="top">
att.com | Support | My AT&T Account
<td style="padding: 0px 10px 0px 10px;" width:34%="" valign="top">
Your online bill is ready to be viewed
Dear Valued Customer,
A new bill for your AT&T services is prepared.
Any payments made after your bill period ends will not be shown in the bill amount listed directly below. If you have made a recent payment, please refer to the current balance on the Account Overview and the Bill & Payments pages.
Service Account ending in Bill Amount Due Date
Internet access 5 $373.39 08/06/2012
Log in to online account management to view your bill and bill notices, maintain your email account or make a payment. If you are not registered for online account management, you must do so to view and print your full bill and bill notices at www.att.com/managemyaccount.
Log in to online account management to view your bill, maintain your email account or make a payment.
Thank you for choosing AT&T. We value your business and look forward to serving you!
Thank you,
AT&T Online Services
www.att.com
Contact Us
AT&T Support - quick & easy support is available 24/7.
Moving Soon?
Stay connected with AT&T. Visit us online at att.com/move.
<td style="padding: 0px 10px 0px 10px;" width:33%="" valign="top">
AT&T Online Services
Get more time to do what you want. What would you do?
Show me how
Automatic Payments
Save time and pay your monthly bill automatically!
Sign up now
Special Offers
Visit our Special Offers to check out our best promotions.
Learn more
Online Information
AT&T Community
Repair
Home Phone
Special Offers
PLEASE DO NOT REPLY TO THIS MESSAGE
All replies are automatically deleted. For questions regarding this message, refer to the contact information listed above.
�2012 AT&T Intellectual Property. All rights reserved. AT&T, the AT&T logo and all other AT&T marks contained herein are trademarks of AT&T Intellectual Property and/or AT&T affiliated companies. All other marks contained herein are the property of their respective owners.
Privacy Policy
yg-network.org / Keyya Ltd domain scam
This is part of a domain scam that has been going on for years..
Basically the idea is to panic you into buying worthless domains from a dodgy Chinese registrar. Of course, there is no company actually trying to register these domains.. and even if there was there is no responsibility for the registrar to check trademark ownership (except in a tiny handful of cases such as sunrise registrations).
What's more.. I already own the .asia version of this domain name, so it is impossible that someone else is trying to register it.
So, this one is definitely a scam. Stay away.
from: Angela info@gytrademark.com
to: sales@[redacted].com
date: 3 August 2012 03:21
subject: Notice of Internet Intellectual Property
Dear Manager,
(If you are not the person who is in charge of this, please forward this to your CEO,Thanks)
This email is from China domain name registration center, which mainly deal with the domain name registration and dispute internationally in China and Asia.
On July 30th 2012, We received Keyya Ltd's application that they are registering the name "[redacted]" as their Internet Keyword and "[redacted].cn "、"[redacted].com.cn " 、"[redacted].asia "domain names etc.., they are China and ASIA domain names. But after auditing we found the brand name been used by your company. As the domain name registrar in China, it is our duty to notice you, so we are sending you this email to check. According to the principle in China, your company is the owner of the trademark, In our auditing time we can keep the domain names safe for you firstly, but our audit period is limited, if you object the third party application these domain names and need to protect the brand in china and Asia by yourself, please let the responsible officer contact us as soon as possible. Thank you!
Best Regards,
Angela Zhang
General Manager
Anhui Office (Head Office)
Registration Department Manager
Room 1008 Shenhui Building
Haitian Road, Huli Anhui, China
Office: +86 0553 4994789
Fax: +86 0553 4994789
web: www.yg-network.org
Basically the idea is to panic you into buying worthless domains from a dodgy Chinese registrar. Of course, there is no company actually trying to register these domains.. and even if there was there is no responsibility for the registrar to check trademark ownership (except in a tiny handful of cases such as sunrise registrations).
What's more.. I already own the .asia version of this domain name, so it is impossible that someone else is trying to register it.
So, this one is definitely a scam. Stay away.
Thursday, 2 August 2012
"Reset Your LinkedIn Password" spam / mysqlfordummys.ru
This fake LinkedIn email leads to malware on the oddly named domain of mysqlfordummys.ru:
Flaws in SQL server implementations are a hacker's favourite target, so perhaps there is a wry sense of humour here. Anyway, the malicious payload is at [donotclick]mysqlfordummys.ru:8080/forum/showthread.php?page=5fa58bce769e5c2c (report here) hosted on 203.80.16.81 (MYREN Infrastructure, Malaysia)
The following domains and IPs are all related, you should block access to them if you can:
ipadvssonyx.ru
mysqlfordummys.ru
onerussiaboard.ru
online-cammunity.ru
online-gaminatore.ru
switched-games.ru
zenedin-zidane.ru
41.66.137.155
41.168.5.140
62.76.188.138
62.76.190.208
62.213.64.161
78.83.233.242
85.143.166.243
87.120.41.155
87.204.199.100
173.224.208.60
184.106.189.124
199.71.212.78
203.80.16.81
203.172.140.202
Date: Thu, 2 Aug 2012 02:27:38 -0300
From: LinkedIn Password [password@linkedin.com]
Subject: Reset Your LinkedIn Password
Hi altera,
Can’t remember your LinkedIn password? No problem - it happens.
Please use this link to reset your password within the next 1 day:
Click here
Then sign in to LinkedIn with your new password and the email address where you received this message.
Thanks for using LinkedIn!
Flaws in SQL server implementations are a hacker's favourite target, so perhaps there is a wry sense of humour here. Anyway, the malicious payload is at [donotclick]mysqlfordummys.ru:8080/forum/showthread.php?page=5fa58bce769e5c2c (report here) hosted on 203.80.16.81 (MYREN Infrastructure, Malaysia)
The following domains and IPs are all related, you should block access to them if you can:
ipadvssonyx.ru
mysqlfordummys.ru
onerussiaboard.ru
online-cammunity.ru
online-gaminatore.ru
switched-games.ru
zenedin-zidane.ru
41.66.137.155
41.168.5.140
62.76.188.138
62.76.190.208
62.213.64.161
78.83.233.242
85.143.166.243
87.120.41.155
87.204.199.100
173.224.208.60
184.106.189.124
199.71.212.78
203.80.16.81
203.172.140.202
"Pay your AT&T bill online" spam / unboxhibernation.org
From: Tonya Bates [mailto:robot@craigslist.org]
Sent: 02 August 2012 14:08
Subject: Pay your AT&T bill online
Importance: High
att.com | Support | My AT&T Account
Your online bill is ready to be downloaded
Dear Valued Customer,
A new bill for your AT&T account is ready.
Any operations completed after your bill period expires will not be reflected in the bill amount listed directly below. If you have made a recent payment, please refer to the current balance on the Account Overview and the Bill & Payments pages.
Service Account ending in Bill Amount Due Date
Home Phone 6 $355.26 08/06/2012
Log in to online account management to view your bill and bill notices, maintain your email account or make a payment. If you are not registered for online account management, you must do so to view and print your full bill and bill notices at www.att.com/managemyaccount.
Log in to online account management to view your bill, maintain your email account or make a payment.
Thank you for choosing AT&T. We value your business and look forward to serving you!
Thank you,
AT&T Online Services
www.att.com
Contact Us
AT&T Support - quick & easy support is available 24/7.
Moving Soon?
Stay connected with AT&T. Visit us online at att.com/move.
AT&T Online Services
Get more time to do what you want. What would you do?
Show me how
Automatic Payments
Save time and pay your monthly bill automatically!
Sign up now
Special Offers
Visit our Special Offers to check out our best promotions.
Learn more
Online Information
AT&T Community
Repair
Home Phone
Special Offers
________________________________________
PLEASE DO NOT REPLY TO THIS MESSAGE
All replies are automatically deleted. For questions regarding this message, refer to the contact information listed above.
2012 AT&T Intellectual Property. All rights reserved. AT&T, the AT&T logo and all other AT&T marks contained herein are trademarks of AT&T Intellectual Property and/or AT&T affiliated companies. All other marks contained herein are the property of their respective owners.
Privacy Policy
The malicious payload is at [donotclick]unboxhibernation.org/main.php?page=19152be46559e39d (report here) hosted on 78.87.123.114 (CYTA Hellas, Greece) which also hosts the apparently legitimate site infosector.gr, although some DNS results are coming back with 211.157.105.160 in China instead.. and this IP address is definitely malicious as it contains the following malware domains:
advancementwowcom.org
damidc.com
retweetadministrator.org
stafffire.net
unboxhibernation.org
Blocking both IPs may well be prudent.
Also, the following nameservers are indicative of an evil host, keep an eye out for them..
ns1.ashton-pitt.net
64.37.54.215
ns2.ashton-pitt.net
111.214.135.11
Wednesday, 1 August 2012
xinthesidersdown.com injection attack in progress
There is currently an injection attack using a script pointing to [donotclick]xinthesidersdown.com/sl.php doing the rounds. The malicious code is hosted on 194.28.115.150, the same IP address as used in this attack yesterday.
Labels:
Injection Attacks,
Malware,
Moldova,
Specialist ISP,
SQL Injection,
Transnistria,
Viruses
Tuesday, 31 July 2012
Something evil on 194.28.115.150 and lasimp04risoned.rr.nu
The following domains appear to be part of an ongoing injection attack (using lasimp04risoned.rr.nu at present). They are hosted by black-hat web host Specialist ISP in Transnistria. Block the IP range of 194.28.112.0 - 194.28.115.255 (194.28.112.0/22) is a very good idea as this is one of the worst netblocks I know of.
aelis30greek.rr.nu
aff29ili.rr.nu
aljo73hnsto.rr.nu
ambers00supplem.rr.nu
ano98the.rr.nu
appoin62tmentba.rr.nu
asciia28rmcover.rr.nu
ati92oni.rr.nu
ation82gamma.rr.nu
avia83resou.rr.nu
bear37sall.rr.nu
bitr07aryc.rr.nu
bles41steve.rr.nu
carrie01rskans.rr.nu
che59mica.rr.nu
chn34olo.rr.nu
comme17rcial.rr.nu
cons63isten.rr.nu
cos69tbu.rr.nu
cov59erm.rr.nu
cthu85srisc.rr.nu
ctsc60anli.rr.nu
eates01publi.rr.nu
ection18depres.rr.nu
elew72isst.rr.nu
enedm79ultina.rr.nu
enegat43ivecon.rr.nu
engag75edfol.rr.nu
enge75sfra.rr.nu
enormousw1illa.com
ens122zzzddazz.com
entio21nsamba.rr.nu
esgen48erally.rr.nu
eside00ntwin.rr.nu
fee89edi.rr.nu
gra98desi.rr.nu
hitam41ultime.rr.nu
hoperjoper.ru
iab35ilit.rr.nu
ialac93idcod.rr.nu
icans11deskto.rr.nu
ident08winner.rr.nu
impo82rtse.rr.nu
int99onin.rr.nu
ion68you.rr.nu
ited51pala.rr.nu
ive23lit.rr.nu
kpo82stp.rr.nu
lasimp04risoned.rr.nu
lighte93dnickel.rr.nu
limina94tedefi.rr.nu
mainglobilisi.com
mals30ynta.rr.nu
mpa89qaut.rr.nu
mtube-ssl.com
ncomp97aredli.rr.nu
neou44slypa.rr.nu
ngsin45dividu.rr.nu
nstitu42tional.rr.nu
nting91uncle.rr.nu
nusi60ngmus.rr.nu
ocat47edha.rr.nu
ocum04entat.rr.nu
oneflo30orcall.rr.nu
onsco10mdexpo.rr.nu
ort26ibm.rr.nu
ort53hori.rr.nu
ovie26tther.rr.nu
pxm-tube.com
qtr49exis.rr.nu
raff60icke.rr.nu
rlyspa21rcleona.rr.nu
rsm95ario.rr.nu
scue08doral.rr.nu
selle33rsjunk.rr.nu
sicb79enef.rr.nu
sor52tium.rr.nu
ssic2061thligh.rr.nu
ssmo24king.rr.nu
sweepstakesandcontestsdo.com
sweepstakesandcontestsinfo.com
syno98nepet.rr.nu
takeo46versav.rr.nu
tanswe24ringni.rr.nu
tarts63exten.rr.nu
timel08arges.rr.nu
tiona82lclos.rr.nu
tormco48nstitu.rr.nu
tssign51stechno.rr.nu
vada86subje.rr.nu
velit30eratu.rr.nu
viv17eddr.rr.nu
whyi70splay.rr.nu
yint60eres.rr.nu
ysoci94alspec.rr.nu
zbol42lahg.rr.nu
aelis30greek.rr.nu
aff29ili.rr.nu
aljo73hnsto.rr.nu
ambers00supplem.rr.nu
ano98the.rr.nu
appoin62tmentba.rr.nu
asciia28rmcover.rr.nu
ati92oni.rr.nu
ation82gamma.rr.nu
avia83resou.rr.nu
bear37sall.rr.nu
bitr07aryc.rr.nu
bles41steve.rr.nu
carrie01rskans.rr.nu
che59mica.rr.nu
chn34olo.rr.nu
comme17rcial.rr.nu
cons63isten.rr.nu
cos69tbu.rr.nu
cov59erm.rr.nu
cthu85srisc.rr.nu
ctsc60anli.rr.nu
eates01publi.rr.nu
ection18depres.rr.nu
elew72isst.rr.nu
enedm79ultina.rr.nu
enegat43ivecon.rr.nu
engag75edfol.rr.nu
enge75sfra.rr.nu
enormousw1illa.com
ens122zzzddazz.com
entio21nsamba.rr.nu
esgen48erally.rr.nu
eside00ntwin.rr.nu
fee89edi.rr.nu
gra98desi.rr.nu
hitam41ultime.rr.nu
hoperjoper.ru
iab35ilit.rr.nu
ialac93idcod.rr.nu
icans11deskto.rr.nu
ident08winner.rr.nu
impo82rtse.rr.nu
int99onin.rr.nu
ion68you.rr.nu
ited51pala.rr.nu
ive23lit.rr.nu
kpo82stp.rr.nu
lasimp04risoned.rr.nu
lighte93dnickel.rr.nu
limina94tedefi.rr.nu
mainglobilisi.com
mals30ynta.rr.nu
mpa89qaut.rr.nu
mtube-ssl.com
ncomp97aredli.rr.nu
neou44slypa.rr.nu
ngsin45dividu.rr.nu
nstitu42tional.rr.nu
nting91uncle.rr.nu
nusi60ngmus.rr.nu
ocat47edha.rr.nu
ocum04entat.rr.nu
oneflo30orcall.rr.nu
onsco10mdexpo.rr.nu
ort26ibm.rr.nu
ort53hori.rr.nu
ovie26tther.rr.nu
pxm-tube.com
qtr49exis.rr.nu
raff60icke.rr.nu
rlyspa21rcleona.rr.nu
rsm95ario.rr.nu
scue08doral.rr.nu
selle33rsjunk.rr.nu
sicb79enef.rr.nu
sor52tium.rr.nu
ssic2061thligh.rr.nu
ssmo24king.rr.nu
sweepstakesandcontestsdo.com
sweepstakesandcontestsinfo.com
syno98nepet.rr.nu
takeo46versav.rr.nu
tanswe24ringni.rr.nu
tarts63exten.rr.nu
timel08arges.rr.nu
tiona82lclos.rr.nu
tormco48nstitu.rr.nu
tssign51stechno.rr.nu
vada86subje.rr.nu
velit30eratu.rr.nu
viv17eddr.rr.nu
whyi70splay.rr.nu
yint60eres.rr.nu
ysoci94alspec.rr.nu
zbol42lahg.rr.nu
Labels:
Evil Network,
Malware,
Moldova,
Specialist ISP,
Transnistria,
Viruses
Friday, 27 July 2012
Malware on online-gaminatore.ru
89.111.177.151
203.80.16.81
78.83.233.242
These IPs have been used several times recently and should be blocked.
Thursday, 26 July 2012
"Federal Tax transfer" spam / retweetadministrator.org
Date: Thu, 26 Jul 2012 20:56:10 +0530
From: "Internal Revenue Service" [alerts@irs.gov]
Subject: Federal Tax transfer returned
Your federal Tax payment (ID: 632004160993), recently from your checking account was rejected by the your financial institution.
Canceled Tax transfer
Tax Transaction ID: 632004160993
Rejection Reason See details in the report below
Tax Transaction Report tax_report_632004160993.doc (Microsoft Word Document)
Internal Revenue Service, Metro Plex 1, 8401 Corporate Drive, Suite 300, Landover, MD 20785
==========
Date: Thu, 26 Jul 2012 20:55:41 +0530
From: "Internal Revenue Service" [support@irs.gov]
Subject: Rejected Federal Tax transaction
Your Tax payment (ID: 766644379032), recently initiated from your checking account was rejected by the your financial institution.
Rejected Tax transfer
Tax Transaction ID: 766644379032
Reason of rejection See details in the report below
FederalTax Transaction Report tax_report_766644379032.doc (Microsoft Word Document)
Internal Revenue Service, Metro Plex 1, 8401 Corporate Drive, Suite 300, Landover, MD 20785
==========
Date: Thu, 26 Jul 2012 12:00:54 -0300
From: "Internal Revenue Service" [support@irs.gov]
Subject: Rejected Federal Tax transfer
Your federal Tax payment (ID: 776394251906), recently from your checking account was returned by the your financial institution.
Canceled Tax transfer
Tax Transaction ID: 776394251906
Reason of rejection See details in the report below
FederalTax Transaction Report tax_report_776394251906.doc (Microsoft Word Document)
Internal Revenue Service, Metro Plex 1, 8401 Corporate Drive, Suite 300, Landover, MD 20785
The malicious payload is on [donotclick]retweetadministrator.org/main.php?page=8b45f871830c6e5a (report here) hosted on 89.253.231.202 (Rusonyx Ltd, Moscow).
"Adobe CS4 License" spam / online-gaminatore.ru
Date: Thu, 26 Jul 2012 09:24:01 +0900
From: FentonpJsGh9LIsiah@aol.com
Subject: Order N81149
Dear Sirs,
You can download your Adobe CS4 License here -
We encourage you to explore its new and enhanced capabilities with these helpful tips, tutorials, and eSeminars.
Thank you for buying Adobe InDesign CS4 software.
Adobe Systems Incorporated
The malicious payload is at [donotclick]online-gaminatore.ru:8080/forum/showthread.php?page=5fa58bce769e5c2c (report here) hosted on the following IPs:
89.111.177.151 (Garant-Park-Telecom, Russia)
78.83.233.242 (Spectrum Net JSC, Bulgaria)
These IPs should be blocked if you can.
Wednesday, 25 July 2012
"Wire Transfer" spam / furnitura-forums.ru
This fake "Wire Transfer" spam (or is it UPS?) leads to malware on furnitura-forums.ru:
The attachment Wire_ID88283.htm attempts to load malware from [donotclick]furnitura-forums.ru:8080/forum/showthread.php?page=5fa58bce769e5c2c (report here) hosted on the following IPs:
78.83.233.242 (Spectrum Net JSC, Bulgaria)
203.80.16.81 (Myren, Malaysia)
..these two IP addresses also host some other malware sites and are worth blocking:
porschedesignrussia.ru
bmwforummsk.ru
phpforkiddies.ru
forumanarhist.ru
Date: Wed, 25 Jul 2012 09:12:43 -0500
From: "Express MyUps" [upsservices@ups.com]
Subject: Fwd: Re: Wire Transfer
Attachments: Wire_ID88283.htm
Dear Operator,
WIRE FID: NO-004394626739460
STATUS: CANCELLED
You can find details in the attached file.
The attachment Wire_ID88283.htm attempts to load malware from [donotclick]furnitura-forums.ru:8080/forum/showthread.php?page=5fa58bce769e5c2c (report here) hosted on the following IPs:
78.83.233.242 (Spectrum Net JSC, Bulgaria)
203.80.16.81 (Myren, Malaysia)
..these two IP addresses also host some other malware sites and are worth blocking:
porschedesignrussia.ru
bmwforummsk.ru
phpforkiddies.ru
forumanarhist.ru
US Airways spam / reformattedfilmmaker.org and algebrayep.org
This fake US Airways spam leads to malware on reformattedfilmmaker.org:
The malicious payload is at [dotnotclick]reformattedfilmmaker.org/main.php?page=70ec803a01c84ddc (report here) hosted on the same Chinese IP address of 221.131.129.200 that was used in a similar spam run yesterday.
UPDATE: a similar US Airways spam run is also underway with a malicious payload on algebrayep.org on the same IP address.
Date: Wed, 25 Jul 2012 09:46:57 -0500
From: "US Airways - Reservations" [support@myusairways.com]
Subject: Confirm your US airways online reservation.
You should check in from 24 hours and up to 60 minutes before your flight (2 hours if you're flying abroad). After that, all you have to do is print your boarding pass and go to the gate.
Confirmation code: 210916
Check-in online: Online reservation details
Flight
4817
Departure city and time
Washington, DC (DCA) 10:00PM
Depart date: 7/26/2012
We are committed to protecting your privacy. Your information is kept private and confidential. For information about our privacy policy visit usairways.com.
US Airways, 111 W. Rio Salado Pkwy, Tempe, AZ 85281 , Copyright US Airways , All rights reserved.
The malicious payload is at [dotnotclick]reformattedfilmmaker.org/main.php?page=70ec803a01c84ddc (report here) hosted on the same Chinese IP address of 221.131.129.200 that was used in a similar spam run yesterday.
UPDATE: a similar US Airways spam run is also underway with a malicious payload on algebrayep.org on the same IP address.
Labels:
Amerika,
Malware,
Spam,
US Airways,
Viruses
Subscribe to:
Posts (Atom)