Sponsored by..

Tuesday, 23 October 2012

President of French Polynesia (presidence.pf) hacked?

presidence.pf is the web site of the President of French Polynesia, it is hosted on 202.3.245.13 by the Tahitian ISP MANA (along with an alternative domain of presid.pf).

Unfortunately, that's not the only thing lurking on 202.3.245.13. Yesterday I spotted an exploit kit on the same IP, probably Blackhole 2. An examination of the server shows the presence of the following malicious domains on the same IP:

fidelocastroo.ru
secondhand4u.ru
windowonu.ru


There's no evidence that the websites presidence.pf or presid.pf are dangerous, but there are other web sites on the same server which certainly do appear to be quite toxic..

Now, French Polynesia isn't the biggest place in the world, but it's the first time I've seen the site of a president of anywhere potentially compromised in this way.

Monday, 22 October 2012

"Copies of Policies" spam / fidelocastroo.ru

This spam leads to malware on fidelocastroo.ru:

Date:      Mon, 22 Oct 2012 08:05:10 -0500
From:      Twitter [c-FG6SPPPCGK63=D8154Z4.8N4-6042f@postmaster.twitter.com]
Subject:      RE: Charley - Copies of Policies.

Unfortunately, I cannot obtain electronic copies of the Ocean, Warehouse or EPLI policy.

Here is the Package and Umbrella,

and a copy of the most recent schedule.


Charley HEALY,

The malicious payload is on [donotclick]fidelocastroo.ru:8080/forum/links/column.php hosted on the following IPs:

68.67.42.41 (Fibrenoire, Canada)
79.98.27.9 (Interneto Vizija, Lithunia)
190.10.14.196 (RACSA, Costa Rica)
202.3.245.13 (MANA, French Polynesia)
203.80.16.81 (MYREN, Malaysia)
209.51.221.247 (eNET, US)

Plain list for copy and pasting:
68.67.42.41
79.98.27.9
190.10.14.196
202.3.245.13
203.80.16.81
209.51.221.247

Blocking these IPs should prevent any other attacks on the same server.


Scam: tsnetint.com and tsnetint.org

Another episode in a long-running domain scam, which attempts to get you to buy worthless domain names by scaremongering. In this case the fake company is called "Kenal investment Co. Ltd" (there are several legitimate firms with a similar name). If you get one of these, ignore it and don't give the scammers any money.

The domains quoted are tsnetint.com and tsnetint.org and the originating IP is 117.27.141.168, all hosted in deepest China.


From:     bertram bertram@tsnetint.com
Date:     22 October 2012 06:02
Subject:     Confirmation of Registration

(Letter to the President or Brand Owner, thanks)

Dear President,

We are the department of Asian Domain Registration Service in China. Here I have something to confirm with you. We formally received an application on October  19, 2012 that a company claimed Kenal investment Co. Ltd were applying to register "dynamoo" as their Net Brand and some domain names through our firm.

Now we are handling this registration, and after our initial checking, we found the name were similar to your company's, so we need to check with you whether your company has authorized that company to register these names. If you authorized this, we would finish the registration at once. If you did not authorize, please let us know within 7 workdays, so that we could handle this issue better. After the deadline we will unconditionally finish the registration for Kenal investment Co. Ltd. Looking forward to your prompt reply.

Best Regards,

Bertram  Hong

Registration Dept.

Office:Tel: 86 2885915586 || Fax: +86 2885912116
Address:9/F Libao building No,62 Kehua North Road,Wuhou District,Chengdu City,China
P Please consider the environment before you print this e-mail

Saturday, 20 October 2012

Wowcher and motors.co.uk. Is this spam?

Wowcher are a site trying to emulate Groupon, owned by Associated Newspapers, who also own the Daily Mail ("the newspaper that supported Hitler"*). I've never used their site, and I wouldn't bother given their history of dodgy promotions.

Wowcher have a history of questionable advertising (see here and here for example), so it's not exactly something I would sign up for. However, Wowcher conclude the email with something rather misleading.


You are receiving this email because you have used our services in the past.
If you no longer wish to receive these e-mails, you can unsubscribe from this list.

Have I used their services in the past? No. Definitely not. So where did Wowcher get my email address? Simple - it was passed to them by a website called motors.co.uk. How do I know this? Because I use a unique email address for every service I sign up for, making it easy to trace this sort of activity.

Motors.co.uk is part of a company called Manheim.. but they used to belong to the same company that owns the Daily Mail. They make a business out of all sorts of automotive trades. I signed up with them about two-and-a-half years ago. Until now, the only email I have ever received from them has been on-topic, but I haven't actually seen an email of any type for a long time.

So.. it should be a simple job to log into motors.co.uk and check my marketing preferences. Well.. I tried, and the login didn't work. So.. perhaps I forgot my password. That's easy enough to reset.. but there's a catch.

Oh. Sorry, the email address you entered doesn't appear to be in our records. That's kind of odd, because it certainly appeared in their records enough for them to use it for Wowcher.

Now, motors.co.uk have a privacy policy which gives the game away. It says:

By using the Site, you agree that we may disclose your personal information to any company within the Daily Mail and General Trust plc group of companies

So, the Daily Mail group owns Wowcher, and they got the email from motors.co.uk. And quite annoyingly, the motors.co.uk privacy policy in 2010 does also say that they will pass your email address on to the Daily Mail without asking for any further permission. It's annoying, but it does mean that it isn't spam. I guess I will be clicking that "unsubscribe" link then.

* And OK, the Daily Mail may have supported Hitler between the wars. But it was also instrumental in achieving some sort of justice for Stephen Lawrence. So not all bad then.

Friday, 19 October 2012

LinkedIn spam / cowonhorse.co

This fake LinkedIn spam leads to malware on cowonhorse.co:

From: LinkedIn.Invitations [mailto:4843D050@pes.sau48.org]
Sent: Fri 19/10/2012 10:29
Subject: Invitation

Hi [redacted], 

User sent you an invitation to connect 6 days ago. How would you like to respond? 

Accept  Ignore Privately

Estelle Garrison 
Interpublic Group (Executive Director Marketing PPS)

You are receiving Invitation emails. Unsubscribe. 
This email was intended for [redacted].
Learn why we included this.
2012, LinkedIn Corporation. 2029 Stierlin Ct. Mountain View, CA 94043, USA 

==========

From: LinkedIn.Invitations [mailto:43DD0F0@cankopy.com]
Sent: Fri 19/10/2012 11:39
Subject: New invitation

Hi [redacted], 

User sent you an invitation to connect 14 days ago. How would you like to respond? 

Accept  Ignore Privately
  
Carol Parks 
Automatic Data Processing (Divisional Finance Director)

You are receiving Invitation emails. Unsubscribe. 
This email was intended for [redacted].
Learn why we included this.
2012, LinkedIn Corporation. 2029 Stierlin Ct. Mountain View, CA 94043, USA 

==========

From: LinkedIn.Invitations [mailto:3A1665D92@leosanches.com]
Sent: Fri 19/10/2012 12:28
Subject: Invitation

Hi [redacted], 

User sent you an invitation to connect 6 days ago. How would you like to respond? 

Accept  Ignore Privately

Rupert Nielsen 
O'Reilly Automotive (Head of Non-Processing Infrastructure)

You are receiving Invitation emails. Unsubscribe. 
This email was intended for [redacted].
Learn why we included this.
2012, LinkedIn Corporation. 2029 Stierlin Ct. Mountain View, CA 94043, USA 

The malicious payload is on [donotclick]cowonhorse.co/links/observe_resources-film.php hosted on 74.91.118.239 (Nuclearfallout Enterprises, US). Nuclearfallout have hosted sites like this several times before. In my opinion, blocking ALL emails that appear to be from LinkedIn would probably benefit your business.

Thursday, 18 October 2012

Adbobe CS4 spam / leprasmotra.ru

This fake Adobe spam leads to malware on leprasmotra.ru:

Date:      Thu, 18 Oct 2012 10:00:26 -0300
From:      "service@paypal.com" [service@paypal.com]
Subject:      Order N04833

Good morning,

You can download your Adobe CS4 License here -

We encourage you to explore its new and enhanced capabilities with these helpful tips, tutorials, and eSeminars.

Thank you for buying Adobe InDesign CS4 software.

Adobe Systems Incorporated

The malicious payload is at [donotclick]leprasmotra.ru:8080/forum/links/column.php hosted on:

72.18.203.140 (Las Vegas NV Datacenter, US)
203.80.16.81 (MYREN, Malaysia)
209.51.221.247 (eNET, US)

Blocking access to those IPs is recommended.

NY Traffic Ticket spam / kennedyana.ru

This fake Traffic Ticket spam leads to malware on kennedyana.ru:

Date:      Wed, 17 Oct 2012 03:59:44 +0600
From:      sales1@[redacted]
To:      [redacted]
Subject:      Fwd: NY TRAFFIC TICKET

New-York Department of Motor Vehicles

TRAFFIC TICKET
NEW-YORK POLICE DEPARTMENT
THE PERSON CHARGED AS FOLLOWS

Time: 5:16 AM

Date of Offense: 21/01/2012



SPEED OVER 50 ZONE

TO PLEAD CLICK HERE AND FILL OUT THE FORM

The malicious payload is on [donotclick]kennedyana.ru:8080/forum/links/column.php hosted on the following IPs:

68.67.42.41 (Fibrenoire, Canada)
72.18.203.140 (Las Vegas NV Datacenter, US)
203.80.16.81 (MYREN, Malaysia)



Wednesday, 17 October 2012

LinkedIn spam / 64.111.24.162

This fake LinkedIn spam leads to malware on 64.111.24.162:

From: LinkedIn.Invitations [mailto:8B44145D0@bhuna.net]
Sent: 17 October 2012 10:06
Subject: New invitation is waiting for your response


Hi [redacted],


User sent you an invitation to connect 6 days ago. How would you like to respond?

       
Accept    Ignore Privately

   
    
Alexis Padilla

C.H. Robinson Worldwide (Sales Director)


You are receiving Invitation emails. Unsubscribe.

This email was intended for [redacted].
Learn why we included this.
2012, LinkedIn Corporation. 2029 Stierlin Ct. Mountain View, CA 94043, USA
The malicious payload is at [donotclick]64.111.24.162/links/assure_numb_engineers.php allocated to Data 102 in the US and then suballocated to:



network:Network-Name:Buzy Bee Hosting /27
network:IP-Network:64.111.24.160/27
network:IP-Network-Block:64.111.24.160 - 64.111.24.191
network:Org-Name:Buzy Bee Hosting
network:Street-Address:1451 North Challenger Dr
network:City:Pueblo West
network:State:CO
network:Postal-Code:81007
network:Country-Code:US



Blocking the IP (and possibly the /27 block) is probably wise.


Amazon.com spam / sdqhfckuri.ddns.info and ultjiyzqsh.ddns.info

This fake Amazon.com spam leads to malware on sdqhfckuri.ddns.info and ultjiyzqsh.ddns.info:

From: Amazon.Com [mailto:pothooknw@tcsn.net]
Sent: 17 October 2012 06:54
Subject: Your Amazon.com order of "Bulova Men's 94B316 Precisionist Claremont Brown Leather Watch" has shipped!
Importance: High


Gift Cards
|     Your Orders
|     Amazon.com


Shipping Confirmation
Order #272-3140048-4213404


Hello,
Thank you for shopping with us. We thought you'd like to know that we shipped your gift, and that this completes your order. Your order is on its way, and can no longer be changed. If you need to return an item from this shipment or manage other orders, please visit Your Orders on Amazon.com.

Your estimated delivery date is:
Tuesday, October 9, 2012


Your package is being shipped by UPS and the tracking number is 1ZX305712324670208. Depending on the ship speed you chose, it may take 24 hours for your tracking number to return any information.

Shipment Details

Bulova Men's 94B316 Precisionist Claremont Brown Leather Watch
Sold by Amazon.com LLC (Amazon.com)     $109.95

Item Subtotal:     $109.95
Shipping & Handling:     $0.00
Total Before Tax:     $109.95
Shipment Total:     $109.95
Paid by Visa:     $109.95

Returns are easy. Visit our Online Return Center.
If you need further assistance with your order, please visit Customer Service.

We hope to see you again soon!
Amazon.com

This email was sent from a notification-only address that cannot accept incoming email. Please do not reply to this message.
The malicious payload is at [donotclick]sdqhfckuri.ddns.info/links/calls_already_stopping.php or [donotclick]ultjiyzqsh.ddns.info/links/calls_already_stopping.php hosted on 37.230.117.4 (The First CJSC, Russia).

Added: snfgrhoykdcb.ddns.info and jdrxnlbyweco.ddns.info are also being used in this attack, although it they do not resolve at present.

Blocking .ddns.info and .ddns.name domains will probably not spoil your day. Blocking the 37.230.116.0/23 range might not either.

Some other subjects seen:
Your Amazon.com order of "Citizen Men's BL2774-05L Eco-Drive Perpetual Calendar Chronograph Watch" has shipped!
Your Amazon.com order of "Casio Men's PAG165-0CR Pathfinder Triple Sensor Multi-Function Sport Watch" has shipped!
Your Amazon.com order of "G-Shock GA-386-1A8 Big Combi Military Series Watch" has shipped!
our Amazon.com order of "Fossil Men's FS2362 Black Silicone Bracelet Black Analog Dial Chronograph Watch" has shipped!
Your Amazon.com order of "Timex Ironman Men's Road Trainer Heart Rate Monitor Watch, Black/Orange, Full Size" has shipped!

Tuesday, 16 October 2012

Wire Transfer spam / hotsecrete.net

This fake wire transfer spam leads to malware on hotsecrete.net:

From: Federal Information System [mailto:highjackingucaf10@atainvest.com]
Sent: 16 October 2012 15:59
Subject: Wire Transfer accepted

We have successfully done the following transfer:
________________________________________
Item #: 35043728
Amount: $16,861.99
To: Anthony Glover
Fee: 29.00
Send on Date: 10/16/2012
Service: Domestic Wire
________________________________________

If there is a problem with processing your request we would report to you both by email and on the Manage Accounts tab. You can always check your transfer status via this link Sincerely,
Federal Reserve Bank Automate Notify System
________________________________________


*********************************************


Email Preferences
This is a service warning from Federal Reserve Bank. Please note that you may receive notification note in accordance with your service agreements, whether or not you elect to receive promotional email.
=============================================
Federal Reserve Bank Email, 8th Floor, 170 Seashore Tryon, Ave., Charlotte, TX 89936-0001
Federal Reserve Bank.


The malicious payload is found at [donotclick]hotsecrete.net/detects/exclude-offices_details_warm.php hosted on 183.81.133.121 (Vodafone, Fiji) which is a well-known malicious IP address that you should block.

LinkedIn spam / 74.91.112.86

This fake LinkedIn spam leads to malware on 74.91.112.86:

From: LinkedIn.Invitations [mailto:1F31A2F6B@delraybeachhomesales.com]
Sent: 16 October 2012 13:50
To: [redacted]
Subject: New invitation is waiting for your response

Hi [redacted],


David sent you an invitation to connect 13 days ago. How would you like to respond?

       
Accept    Ignore Privately


Hilton Suarez

Precision Castparts (Distributor Sales Manager EMEA)

You are receiving Invitation emails. Unsubscribe.

This email was intended for [redacted].
Learn why we included this.
2012, LinkedIn Corporation. 2029 Stierlin Ct. Mountain View, CA 94043, USA
The malicious payload is on [donotclick]74.91.112.86/links/assure_numb_engineers.php hosted by Nuclearfallout Enterprises in the US (no surprises there).


Monday, 15 October 2012

Facebook spam / o.anygutterkings.com

This fake Facebook spam leads to malware on o.anygutterkings.com:


Date:      Mon, 15 Oct 2012 20:02:21 +0200
From:      "FB Account"
Subject:      Facebook account

facebook    
Hi [redacted],
You have blocked your Facebook account. You can reactivate your account whenever you wish by logging into Facebook with your former login email address and password. Subsequently you will be able to take advantage of the site as before
Kind regards,

The Facebook Team
   
Sign in to Facebook and start connecting
Sign in


Please use the link below to resume your account :
http://www.facebook.com/home.php
This message was sent to [redacted]. If you don't want to receive these emails from Facebook in the future, please click: unsubscribe.

Facebook, Inc. Attention: Department 415 P.O Box 10005 Palo Alto CA 94303
Other subjects are: "Account blocked" and "Account activated"

The payload is at [donotclick]o.anygutterkings.com/links/assure_numb_engineers.php hosted on 198.136.53.38 (Comforthost, US)

Intuit spam / navisiteseparation.net

This fake Intuit spam leads to malware on navisiteseparation.net:


Date:      Mon, 15 Oct 2012 15:20:13 -0300
From:      "Intuit GoPayment" [crouppywo4@deltamar.net]
Subject:      Welcome - you're accepted for Intuit GoPayment

       
.
Congratulations!
GoPayment Merchant by Intuit request for ONTIMEE ADMINISTRATION, Inc. has been ratified.
GoPayment
Account Number:     XXXXXXXXXXXXXX55
Email Address:     [redacted]
   
PLEASE NOTE :
    Associated charges for this service may be applied now.
Next step: View or confirm your Access ID



This is {LET:User ID lets you:
Review your payment service in the Merchant Center
Review charges
Log In to other Intuit products you may use, like TurboTax, Quicken, and Intuit Payroll


The good news is we found an existing Intuit account for your email address, You can use this ID for your payment service also, or enter a new one.



Verify Access ID
Get started:



Step 1: If you have not still, download the Intuit software.



Step 2: Launch the Intuit application and sign in with the Access ID (your email address) and Password you setup.



Easy Manage Your Intuit GoPayment Account

The GoPayment Merchant Service by Intuit Center is the web site where you can learn more about GoPayment features, customize your sales receipt and add GoPayment users. You can also view transactions, deposits and fees. Visit url and sign in with your GoPayment AccesID (your email address) and Password.
For more information on how to start using GoPayment Merchant by Intuit, including tutorials, FAQs and other resources, visit the Merchant Service Center at service link.
Please don't reply to this message. auto informer system unable to accept incoming messages.
System Terms & Agreements     � 2008-2012 Intuit, INC. All rights reserved.


Sample subjects:

  • Congrats - you're accepted for Intuit GoPayment Merchant 
  • Congratulations - you're approved for Intuit Merchant 
  • Congrats - you're approved for GoPayment Merchant 
  • Welcome - you're accepted for Intuit GoPayment 
The malicious payload is at  [donotclick]navisiteseparation.net/detects/processing-details_requested.php  hosted on 183.81.133.121 (Vodafone, Fiji). The good news is that the domain has been suspended by the registrar, but that IP address has been used many times recently and should be blocked if you can.


"Copies of Policies" spam / linkrdin.ru

Another "Copies of Policies" spam, this time leading to malware on linkrdin.ru:

From: [support@victimdomain.com]
Date: 15 October 2012 07:15
Subject: RE: SANTOS - Copies of Policies.


Unfortunately, I cannot obtain electronic copies of the Ocean, Warehouse or EPLI policy.

Here is the Package and Umbrella,
and a copy of the most recent schedule.

The malicious payload is on [donotclick]linkrdin.ru:8080/forum/links/column.php (report here) hosted on the same IPs as this spam:

68.67.42.41 (Fibrenoire, Canada)
79.98.27.9 (UAB Interneto Vizija, Lithunia)
203.80.16.81 (MYREN, Malaysia)

Friday, 12 October 2012

Wire Transfer spam / geforceexlusive.ru

This fake wire transfer spam leads to malware on geforceexlusive.ru:

From: Xanga [mailto:noreply@xanga.com]
Sent: 12 October 2012 11:27
Subject: Fwd: Wire Transfer Confirmation (FED_6537H57898)

Dear Bank Account Operator,
WIRE TRANSFER: WRE-282857636652198
CURRENT STATUS: PENDING

Please REVIEW YOUR TRANSACTION as soon as possible.
The malicious payload is at [donotclick]geforceexlusive.ru:8080/forum/links/column.php hosted on the following IPs:

68.67.42.41 (Fibrenoire, Canada)
79.98.27.9 (UAB Interneto Vizija, Lithunia)
203.80.16.81 (MYREN, Malaysia)

These IPs are worth blocking as they will probably also be used in future attacks.




ADP spam / 184.164.151.54

Yet more ADP-themed spam, this time leading to malware on 184.164.151.54:

Date:      Fri, 12 Oct 2012 14:48:18 +0530
From:      "ADPClientServices" [ADPClientServices@adp.com]
Subject:      ADP Urgent Notification

Your Transaction Report(s) have been uploaded to the web site:



https://www.flexdirect.adp.com/client/login.aspx



Please note that your bank account will be debited within one banking business day for the amount(s) shown on the report(s).



Please do not respond or reply to this automated e-mail. If you have any questions or comments, please Contact your ADP Benefits Specialist.



Thank You,

ADP Benefit Services

The malicious payload is at [donotclick]184.164.151.54/links/rules_familiar-occurred.php (hosted by the ironically named Secured Servers LLC in the US aka Jolly Works hosting of the Philippines).

ADP Spam / 198.143.159.108

Yet more fake ADP spam (there has been a lot over the past 24 hours) is being pushed out. This time there's a malicious payload at [donotclick]198.143.159.108/links/rules_familiar-occurred.php (Singlehop, US).

Avoid.

Thursday, 11 October 2012

"Copies of Policies" spam / windowsmobilever.ru

This slightly odd spam leads to malware on windowsmobilever.ru:


Date:      Thu, 11 Oct 2012 10:55:37 -0500
From:      "Amazon.com" [account-update@amazon.com]
Subject:      RE: DONNIE - Copies of Policies.

Unfortunately, I cannot obtain electronic copies of the Ocean, Warehouse or EPLI policy.

Here is the Package and Umbrella,

and a copy of the most recent schedule.

DONNIE LOCKWOOD,

==========

Date:      Thu, 11 Oct 2012 12:26:25 -0300
From:      accounting@[redacted]
Subject:      RE: MARGURITE - Copies of Policies.

Unfortunately, I cannot obtain electronic copies of the Ocean, Warehouse or EPLI policy.

Here is the Package and Umbrella,

and a copy of the most recent schedule.

MARGURITE Moss,

Anyone who clicks on the link will end up on an exploit kit at [donotclick]windowsmobilever.ru:8080/forum/links/column.php (report here) hosted on:

68.67.42.41 (Fibrenoire , Canada)
203.80.16.81 (MYREN, Malaysia)

These two IPs are currently involved in several malicious spam runs and should be blocked if you can.

ADP Spam / 108.61.57.66

There's masses of ADP-themed spam today. Here is another one:

Date:      Thu, 11 Oct 2012 14:53:17 -0200
From:      "ADP.Message" [986E3877@dixys.com]
Subject:      ADP Generated Message

This e-mail has been sent from an automated system. PLEASE DO NOT REPLY.

If you have any questions, please contact your administrator for assistance.


---------------------------------------------------------------------

Digital Certificate About to Expire

---------------------------------------------------------------------

The digital certificate you use to access ADP's Internet services is about to expire. If you do not renew your certificate by the expiration date below, you will not be able to access ADP's Internet services.

Days left before expiration: 3

Expiration date: Oct 14 23:59:59 GMT-03:59 2012

---------------------------------------------------------------------

Renewing Your Digital Certificate

--------------------------------------------------------------------

1. Go to this URL: https://netsecure.adp.com/pages/cert/register2.jsp

2. Follow the instructions on the screen.

3. Also you can download new digital certificate at https://netsecure.adp.com/pages/cert/pickUpCert.faces.

In this case the malicious payload is at [donotclick]108.61.57.66/links/assure_numb_engineers.php  hosted by Choopa LLC in the US. The IP is probably worth blocking to be on the safe side.

LinkedIn spam / inklingads.biz

The bad guys are very busy today with all sorts of spam campaigns, including lots of messages as below pointing to malware on

From: LinkedIn Notification [mailto:hewedngq6@omahahen.org]
Sent: 11 October 2012 15:59
Subject: LinkedIn Reminder
Importance: High

LinkedIn
REMINDERS
Invite events:
From Thaddeus Sosa ( Your servant)

PENDING EVENTS
There are a total of 3 messages awaiting your action. See your InBox immediately.
Don't wish to get email info letters? Adjust your notifications settings.
LinkedIn values your privacy. In no circumstances has LinkedIn made your notifications email acceptable to any third-party LinkedIn member without your permission. 2010, LinkedIn Corporation.
The malicious payload is on [donotclick]inklingads.biz/detects/invite-request_checking.php hosted on 183.81.133.121 (Vodafone, Fiji)