The following fake "statistics" domains lead to malware. All have been registered very recently in the past few days and are used as a redirector to other exploit kits. Perhaps they are actually performing black hat statistical tracking. Blocking them (or the associated IPs) would be wise.
bilingstats.org
bombast-atse.org
bombastatse.org
ceastats.org
colinstats.org
expertstats.org
informazionestatistica.org
melestats.org
nonolite.org
statisticaeconomica.org
statspps.org
superbombastatse.org
topbombastatse.org
ufficiostatistica.org
Hosting IPs:
31.193.133.212 (Simply Transit, UK)
91.186.19.42 (Simply Transit, UK)
95.211.180.143 (Leaseweb, Netherlands)
Monday 5 November 2012
Fake statistics domains lead to malware
Labels:
Leaseweb,
Malware,
Simply Transit,
Viruses
Sunday 4 November 2012
Something evil on 31.193.12.3
These are fake AVs and drive-by downloads mostly, some seem to promoted through low-grade banner ads, all hosted on 31.193.12.3 (Burstnet, UK) and suballocated to:
person: Olexii Kovalenko
address: Pavlova, 15, Zaporozhye, Zaporozhye, 69000, Ua
phone: +1 570 343 2200
fax-no: +1 570 343 9533
nic-hdl: OK2455-RIPE
source: RIPE # Filtered
mnt-by: mnt-burst-au
mnt-by: mnt-burst-mu
The registration for the .asia and .eu domains is consistent in the ones I have checked:
Registrant ID:DI_23063626
Registrant Name:Javier
Registrant Organization:n/a
Registrant Address:Nevskaya street 41
Registrant Address2:
Registrant Address3:
Registrant City:Belgorad
Registrant State/Province:Belgorodskaya oblast
Registrant Country/Economy:RU
Registrant Postal Code:494980
Registrant Phone:+007.9487728744
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Registrant E-mail:007uyfo007@mail.ru
I've broken the list into three parts, it's a bit messy sorry..
The first part are a bunch of short domains used with subdomains to create a malicious payload:
List 1:
a1ft.asia
a3ew.asia
ah2b.asia
av5n.asia
c2wj.asia
cj4d.asia
ck3l.asia
bs3d.asia
d4xi.asia
d8dx.asia
dj7k.asia
dk3i.asia
ef1r.asia
f4dw.asia
fj2j.asia
fm5h.asia
g2wy.asia
g4av.asia
gi4b.asia
h2ju.asia
j2qd.asia
j5hn.asia
ja6l.asia
k3lr.asia
l3gv.asia
m1eb.asia
m1eq.asia
m4nj.asia
n0un.asia
n3mi.asia
nw2r.asia
p0rv.asia
p0ry.asia
pq8c.asia
q2hm.asia
q2hv.asia
q3bz.asia
qk3x.asia
r4dx.asia
s6wm.asia
t5ha.asia
t5hj.asia
t5zb.asia
u7bo.asia
uh7f.asia
v8ul.asia
ve4z.asia
w3wc.asia
w3wz.asia
w2jf.asia
x6fr.asia
x8ru.asia
y1uh.asia
y6np.asia
z1ha.asia
jp5s.info
pe5a.info
gw1c.eu
Subdomains in use:
be-ttraccker
dipppboxx
dippbboxx
diiipp-box
diippss-box
faat-llood
fatssllooads
fiilespooisk1
fiilepoiick
filles-looads
fileloood
file-looadds
files-loooads
ffilelooadd
ffile-poiick
ffiles-poiick1
filles-poiick
fille-poiick
ffilespooiisk
fillepoiick
fileppooiisk
filespooiisk
file-ppooiisk
file-pooiisk
files-poiiick
filess-poiick
file-poiicck
filles-pooisk
fiiles-poiisk1
files-poooiisk1
files-pooiiisk1
files-poooisk1
files-pooiick
fiiles-pooiisk
filespooiissk
file-pooiick
files-poiickk
file-poooiisk
files-ppoiick
geettefiiiles1
geetefiiless
geetteffiiles1
gette-fillees1
geette-fiilees1
geetee-fiiles
gette-fillees
getsefilles
getssatfiles
geettefiilees
ggets-filles
j-t0rrreentt1
jjt0rreentts
l0adss-ffiles
l0adss-ffile
l0addes-flilee
l0addesflilee
l0addes-fillee
l0adds-fiile
load-fiilles
load-fiilee
load-fiille
loaddfiiles
qipsefilles
qiips-fiiles1
qips-fiilee
qippfiile1
qippsfiiles1
qip-ffiile1
hhiitfiles1
This list are domains detected through passive DNS detection:
List 2:
babyload.asia
beastlyload.asia
bestialload.asia
childlikeload.asia
childlyload.asia
deliveryload.asia
infantload.asia
inwardload.asia
perfectload.asia
ptload.asia
singleload.asia
soleload.asia
sparingload.asia
supernalload.asia
alonefile.asia
animalfile.asia
childishfile.asia
festivefile.asia
finefile.asia
infantilefile.asia
innerfile.asia
largestfile.asia
sacredfile.asia
alertloads.asia
artloads.asia
artisticalloads.asia
animateloads.asia
chronicloads.asia
excitableloads.asia
friendlessloads.asia
licitloads.asia
lonelyloads.asia
lovingloads.asia
nakedloads.asia
primalloads.asia
primevalloads.asia
stateloads.asia
vivaciousloads.asia
vivirloads.asia
activefiles.asia
alertfiles.asia
alivefiles.asia
artfiles.asia
artisticalfiles.asia
drawnfiles.asia
looadfilees.asia
primevalfiles.asia
quickfiles.asia
savagefiles.asia
arimara1.org.ua
arimara3.org.ua
akciya.pp.ua
lis4.biz.ua
affectionateload.org
file-load.net
gbait.com
tevon.tk
joload.mooo.com
loadfile.us.to
8-loaadiing.info
agents-load1.info
ageentoloods.info
lloadfi1es.info
resonantfile.info
stabilitytrojanssaver.info
v-x.info
windowsinspectionon-line.info
lodifiles.eu
alfabiblioteka.ru
book-darom.ru
detki-travel.ru
haxo.ru
loads-filse.ru
lptds.ru
megaload2filebaza.ru
j-torents.ru
jumpcat.ru
u8l.ru
zona-trafika.ru
Finally, this long list (too long to post here) contains other detected domains on the same IP. Frankly, blocking the IP address is the most easy option.. there are actually more domains than listed here and some are duplicated, but it's the best I could do at the moment.
Many of these domains show as evil in Google's Safe Browsing Diagnostics (example) and I can file zero legitimate domains on this IP.
person: Olexii Kovalenko
address: Pavlova, 15, Zaporozhye, Zaporozhye, 69000, Ua
phone: +1 570 343 2200
fax-no: +1 570 343 9533
nic-hdl: OK2455-RIPE
source: RIPE # Filtered
mnt-by: mnt-burst-au
mnt-by: mnt-burst-mu
The registration for the .asia and .eu domains is consistent in the ones I have checked:
Registrant ID:DI_23063626
Registrant Name:Javier
Registrant Organization:n/a
Registrant Address:Nevskaya street 41
Registrant Address2:
Registrant Address3:
Registrant City:Belgorad
Registrant State/Province:Belgorodskaya oblast
Registrant Country/Economy:RU
Registrant Postal Code:494980
Registrant Phone:+007.9487728744
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Registrant E-mail:007uyfo007@mail.ru
I've broken the list into three parts, it's a bit messy sorry..
The first part are a bunch of short domains used with subdomains to create a malicious payload:
List 1:
a1ft.asia
a3ew.asia
ah2b.asia
av5n.asia
c2wj.asia
cj4d.asia
ck3l.asia
bs3d.asia
d4xi.asia
d8dx.asia
dj7k.asia
dk3i.asia
ef1r.asia
f4dw.asia
fj2j.asia
fm5h.asia
g2wy.asia
g4av.asia
gi4b.asia
h2ju.asia
j2qd.asia
j5hn.asia
ja6l.asia
k3lr.asia
l3gv.asia
m1eb.asia
m1eq.asia
m4nj.asia
n0un.asia
n3mi.asia
nw2r.asia
p0rv.asia
p0ry.asia
pq8c.asia
q2hm.asia
q2hv.asia
q3bz.asia
qk3x.asia
r4dx.asia
s6wm.asia
t5ha.asia
t5hj.asia
t5zb.asia
u7bo.asia
uh7f.asia
v8ul.asia
ve4z.asia
w3wc.asia
w3wz.asia
w2jf.asia
x6fr.asia
x8ru.asia
y1uh.asia
y6np.asia
z1ha.asia
jp5s.info
pe5a.info
gw1c.eu
Subdomains in use:
be-ttraccker
dipppboxx
dippbboxx
diiipp-box
diippss-box
faat-llood
fatssllooads
fiilespooisk1
fiilepoiick
filles-looads
fileloood
file-looadds
files-loooads
ffilelooadd
ffile-poiick
ffiles-poiick1
filles-poiick
fille-poiick
ffilespooiisk
fillepoiick
fileppooiisk
filespooiisk
file-ppooiisk
file-pooiisk
files-poiiick
filess-poiick
file-poiicck
filles-pooisk
fiiles-poiisk1
files-poooiisk1
files-pooiiisk1
files-poooisk1
files-pooiick
fiiles-pooiisk
filespooiissk
file-pooiick
files-poiickk
file-poooiisk
files-ppoiick
geettefiiiles1
geetefiiless
geetteffiiles1
gette-fillees1
geette-fiilees1
geetee-fiiles
gette-fillees
getsefilles
getssatfiles
geettefiilees
ggets-filles
j-t0rrreentt1
jjt0rreentts
l0adss-ffiles
l0adss-ffile
l0addes-flilee
l0addesflilee
l0addes-fillee
l0adds-fiile
load-fiilles
load-fiilee
load-fiille
loaddfiiles
qipsefilles
qiips-fiiles1
qips-fiilee
qippfiile1
qippsfiiles1
qip-ffiile1
hhiitfiles1
This list are domains detected through passive DNS detection:
List 2:
babyload.asia
beastlyload.asia
bestialload.asia
childlikeload.asia
childlyload.asia
deliveryload.asia
infantload.asia
inwardload.asia
perfectload.asia
ptload.asia
singleload.asia
soleload.asia
sparingload.asia
supernalload.asia
alonefile.asia
animalfile.asia
childishfile.asia
festivefile.asia
finefile.asia
infantilefile.asia
innerfile.asia
largestfile.asia
sacredfile.asia
alertloads.asia
artloads.asia
artisticalloads.asia
animateloads.asia
chronicloads.asia
excitableloads.asia
friendlessloads.asia
licitloads.asia
lonelyloads.asia
lovingloads.asia
nakedloads.asia
primalloads.asia
primevalloads.asia
stateloads.asia
vivaciousloads.asia
vivirloads.asia
activefiles.asia
alertfiles.asia
alivefiles.asia
artfiles.asia
artisticalfiles.asia
drawnfiles.asia
looadfilees.asia
primevalfiles.asia
quickfiles.asia
savagefiles.asia
arimara1.org.ua
arimara3.org.ua
akciya.pp.ua
lis4.biz.ua
affectionateload.org
file-load.net
gbait.com
tevon.tk
joload.mooo.com
loadfile.us.to
8-loaadiing.info
agents-load1.info
ageentoloods.info
lloadfi1es.info
resonantfile.info
stabilitytrojanssaver.info
v-x.info
windowsinspectionon-line.info
lodifiles.eu
alfabiblioteka.ru
book-darom.ru
detki-travel.ru
haxo.ru
loads-filse.ru
lptds.ru
megaload2filebaza.ru
j-torents.ru
jumpcat.ru
u8l.ru
zona-trafika.ru
Finally, this long list (too long to post here) contains other detected domains on the same IP. Frankly, blocking the IP address is the most easy option.. there are actually more domains than listed here and some are duplicated, but it's the best I could do at the moment.
Many of these domains show as evil in Google's Safe Browsing Diagnostics (example) and I can file zero legitimate domains on this IP.
Labels:
Evil Network,
Malware,
Viruses
Friday 2 November 2012
Wire Transfer spam / webmoniacs.ru
Date: Fri, 2 Nov 2012 06:23:10 +0700The malicious payload is at [donotclick]webmoniacs.ru:8080/forum/links/column.php hosted on:
From: "service@paypal.com" [service@paypal.com]
Subject: RE: Wire Transfer cancelled
Dear Sirs,
The Wire transfer was canceled by the other bank.
Canceled transaction:
FED REFERENCE NUMBER: 628591160ACH34584
Transaction Report: View
The Federal Reserve Wire Network
65.99.223.24 (RimuHosting, US)
203.80.16.81 (MYREN, Malaysia)
209.51.221.247 (eNet, US)
The following IPs and domain are all connected and should be blocked:
50.22.102.132
62.76.186.190
65.99.223.24
68.67.42.41
79.98.27.9
84.22.100.108
85.143.166.170
132.248.49.112
203.80.16.81
209.51.221.247
213.251.171.30
denegnashete.ru
dianadrau.ru
donkihotik.ru
fidelocastroo.ru
finitolaco.ru
fionadix.ru
forumibiza.ru
kiladopje.ru
lemonadiom.ru
manekenppa.ru
panacealeon.ru
panalkinew.ru
pionierspokemon.ru
ponowseniks.ru
rumyniaonline.ru
webmoniacs.ru
windowonu.ru
Intuit spam / savedordercommunicates.info
This fake Intuit spam leads to malware on savedordercommunicates.info:
The malicious payload is at [donotclick]savedordercommunicates.info/detects/bank_thinking.php hosted on 75.127.15.39 (New Wave NetConnect, US) along with another malicious domain of teamscapabilitieswhich.org. Blocking this IP would be wise.
Date: Sat, 3 Nov 2012 02:11:17 +0800
From: "Intuit Information System" [roughervm73@biolconseils.ch]
Subject: Notification Only: Transaction Received by Intuit
Direct Deposit Service Message
Communicatory Only
We rejected your payroll on November 1, 2012 at 626 AM Central Time.
Money would be left from the account No. ending in: XXX1 on November 2, 2012.
quantum to be left: $7 639.16
Paychecks would be deferred to your staff' accounts on: November, 2, 2012
Go to web site by clicking here to Overview Transaction
Funds are typically withdrawn before usual banking hours so please make sure you have sufficient Funds accessible by 12 a.m. on the date Finances are to be gone away.
Intuit must complete your payroll by 4 p.m. Eastern time, two banking days before your paycheck date or your customers will not be paid on time. QuickBooks does not process payrolls on weekends or federal banking holidays. A list of federal banking holidays can be viewed at the Federal Reserve link.
Thank you for your business.
Regards,
Intuit Payroll Services
An substantial information regarding latest Refused Transactions is waiting for you.
Please DO NOT reply to this message. automative notification system not configured to accept incoming messages..
Copyright 2008 Intuit Inc. QuickBooks and Intuit are registered trademarks of and/or registered service marks of Intuit Inc. in the United States and other countries.
Intuit Inc. Customer Care
87566
San Paolo City, AZ 15203
The malicious payload is at [donotclick]savedordercommunicates.info/detects/bank_thinking.php hosted on 75.127.15.39 (New Wave NetConnect, US) along with another malicious domain of teamscapabilitieswhich.org. Blocking this IP would be wise.
Thursday 1 November 2012
Discover card spam / netgear-india.net
From: Discover Account Notes [mailto:no-reply@notify.discover.com]
Sent: Thu 01/11/2012 15:32
Subject: Great Details Changes in your Discover card Account Terms
Account Services | Customer Care Services
Account ending in XXX1
An substantial communication regarding latest Declined Transfers is waiting for you.
Log In to Read Information
Honored Discover Client,
There is an serious message waiting for you from Discover® card. Please read the message mindfully and keep it with your file.
To ensure optimal privacy, please log in to view your message at Discover.com.
Please click on this link if you have forgotten your UserID or Password.
Add information@service.discover.com to your address book to ensure delivery of these notifications.
VITAL NOTE
This message was delivered to [redacted] for Discover debit card account number ending with XXX1.
You are receiving this e-mail because you have account at Discover.com.
Log in to change your e-mail address or overview your account e-mail options.
If you have any questions about your account, please Login to leave us a message securely and we would be glad to support you.
Please DO NOT reply to this message. auto informer system cannot accept incoming email.
DISCOVER and other trademarks, logos and service marks used in this e-mail are the trademarks of Discover Financial Services or their respective third-party owners.
Discover Banking Ltd.
P.O. Box 84265
Salt Lake City, SC 76433
2012 Discover Bank, Member FDIC
[redacted]
========
From: Discover Account Notes [mailto:donotreply@service.discover.com]
Sent: Thu 01/11/2012 16:36
Subject: Substantial Information about your Discover Account
Account Center | Customer Center
Account ending in XXX9
An significant message regarding latest Approved Activity is waiting for you.
Log In to Overview Details
Respective Cardholder,
There is an important message waiting for you from Discover® card. Please read the message carefully and keep it with your archive.
To ensure optimal privacy, please sign in to read your data at Discover.com.
Please visit discover.com if you have forgotten your Login ID or Password.
Add discover@information.discover.com to your trusted emails to ensure delivery of these messages.
VITAL NOTIFICATION
This e-mail was sent to [redacted] for Discover card account No. ending with XXX9.
You are receiving this e-mail because you member of Discover.com.
Log in to change your e-mail address or view your account e-mail settings.
If you have any questions about your account, please Enter your account to leave us a message securely and we would be blissful to help you.
Please don't reply to this message. auto-notification system cannot accept incoming mail.
DISCOVER and other trademarks, logos and service marks used in this e-mail are the trademarks of Discover Financial Services or their respective third-party owners.
Discover Banking Llc.
P.O. Box 85486
Seashore City, NV 91138
2012 Discover Bank, Member FDIC
[redacted]
The malicious payload is at [donotclick]netgear-india.net/detects/discover-important_message.php hosted on 183.180.134.217 (RAT CO, Japan). The following domains are on that same IP, and judging by the registration details they should also be considered as malicious:
itracrions.pl
radiovaweonearch.com
steamedboasting.info
solla.at
netgear-india.net
puzzledbased.net
stempare.net
questionscharges.net
bootingbluray.net
Wednesday 31 October 2012
HP ScanJet spam / donkihotik.ru
This fake printer message leads to malware on donkihotik.ru:
The malicious payload is at [donotclick]donkihotik.ru:8080/forum/links/column.php which is hosted on the same IP addresses as this attack yesterday.
Date: Wed, 31 Oct 2012 05:06:42 +0300
From: LinkedIn Connections
Subject: Re: Fwd:Scan from a HP ScanJet #26531
Attachments: HP-Scan-44974.htm
Attached document was scanned and sent
to you using a Hewlett-Packard Officejet PRO.
Sent: by Bria
Image(s) : 6
Attachment: Internet Explorer file [.htm]
Hewlett-Packard Officejet Location: machine location not set
The malicious payload is at [donotclick]donkihotik.ru:8080/forum/links/column.php which is hosted on the same IP addresses as this attack yesterday.
Labels:
Malware,
Printer Spam,
RU:8080,
Spam,
Viruses
"Your Apple ID has been disabled" phish
I've never seen one quite like this before, although it's not the first time I've seen Apple-themed scam email (this one, for example).
It just goes to show that the bad guys will try to phish anything these days..
From: Apple no_reply@macapple.comThe phish is hosted at [donotclick]app.apple.com.proiectmaxim.ro/id2/sign_in/login_ID&=/?&=?reactivate=[redacted] and it looks pretty convincing if you haven't spotted the Romanian domain name..
Reply-To: no_reply@macapple.com
Date: 31 October 2012 06:08
Subject: Your Apple ID has been disabled
Apple ID Support
Dear [redacted] ,
This Apple ID has been disabled!
For your protection, your Apple ID ([redacted]) is automatically disabled. We detect unauthorized Login Attempts to your Apple ID from other IP Location. Please verify your identity today or your account will be disabled due to concerns we have for the safety and integrity of the Apple Community.
To verify your Apple ID, we recommend that you go to:
Verify Now >
It just goes to show that the bad guys will try to phish anything these days..
Tuesday 30 October 2012
Craiglist spam / fionadix.ru
Date: Tue, 30 Oct 2012 06:26:07 +0600
From: Tai Seals [AntonyHaugland@fibermail.hu]
Subject: POST/EDIT/DELETE : "tattoos tattoos tattoos" (talent)
IMPORTANT - FURTHER ACTION IS REQUIRED TO COMPLETE YOUR REQUEST !!!
FOLLOW THE WEB ADDRESS BELOW TO:
PUBLISH YOUR AD
EDIT (OR CONFIRM AN EDIT TO) YOUR AD
VERIFY YOUR EMAIL ADDRESS
DELETE YOUR AD
If not clickable, please copy and paste the address to your browser:
Click here
PLEASE KEEP THIS EMAIL - you may need it to manage your posting!
Your posting will expire off the site 7 days after it was created.
Thanks for using craigslist!
==========
Date: Tue, 30 Oct 2012 06:23:41 -0500
From: LinkedIn Connections [connections@linkedin.com]
Subject: POST/EDIT/DELETE : "Appliance repair" (financial)
IMPORTANT - FURTHER ACTION IS REQUIRED TO COMPLETE YOUR REQUEST !!!
FOLLOW THE WEB ADDRESS BELOW TO:
PUBLISH YOUR AD
EDIT (OR CONFIRM AN EDIT TO) YOUR AD
VERIFY YOUR EMAIL ADDRESS
DELETE YOUR AD
If not clickable, please copy and paste the address to your browser:
Click here
PLEASE KEEP THIS EMAIL - you may need it to manage your posting!
Your posting will expire off the site 7 days after it was created.
Thanks for using craigslist!
The malicious payload is at [donotclick]fionadix.ru:8080/forum/links/column.php (report here) hosted on some familiar IPs:
68.67.42.41 (Fibrenoire, Canada)
203.80.16.81 (MYREN, Malaysia)
209.51.221.247 (eNET, United States)
Additional name server IPs:
50.22.102.132 (Softlayer, United States)
62.76.186.190 (Clodo-Cloud, Russia)
84.22.100.108 (Cyberbunker, Netherlands)
213.251.171.30 (OVH, France)
Plain list for copy-and-pasting:
50.22.102.132
62.76.186.190
68.67.42.41
84.22.100.108
203.80.16.81
209.51.221.247
213.251.171.30
manekenppa.ru
kiladopje.ru
lemonadiom.ru
finitolaco.ru
fidelocastroo.ru
ponowseniks.ru
dianadrau.ru
windowonu.ru
panalkinew.ru
fionadix.ru
reedcouk.com fake job offer / Fort Huachuca hacked?
This fake job offer from "reedcouk.com" is trying to recruit people for money laundering or other criminal activities, it is not from the real reed.co.uk. However, part of the infrastructure supporting this scam appears to belong the the US military.
Lavern E. Davis
Lavern Davis info@reedcouk.com
816-680-7849 fax: 816-680-7331
4218 White Oak Drive
Strasburg MO 64090
us
The domain was registered on 30th October 2012 (today!) via BIZCN.COM, a crime-friendly domain registrar in China. Mail for this domain is handled by a server at 46.249.46.161 (Serverius, Netherlands) which is also ns1.zupyx.net, one of the nameservers for the fake reedcouk.com domain. Who owns zupyx.net? That looks like another fake registration:
Vivian L Resnick
221 Shaker Road
Northfield, NH 03276-4444
US
Phone: +1.6032868211
Email: clinicadelta@aol.com
zupyx.net was only registered on 19th September 2012. But the plot thickens if we look at ns2.zupyx.net (the other namesever being used by reedcouk.com) we can see that it is hosted on 132.79.132.67 which appears to be a hacked US military server at Fort Huachuca:
NetRange: 132.79.0.0 - 132.79.255.255
CIDR: 132.79.0.0/16
OriginAS:
NetName: NGB-NGNET
NetHandle: NET-132-79-0-0-1
Parent: NET-132-0-0-0-0
NetType: Direct Assignment
RegDate: 1990-03-05
Updated: 2008-12-24
Ref: http://whois.arin.net/rest/net/NET-132-79-0-0-1
OrgName: Headquarters, USAISC
OrgId: HEADQU-3
Address: NETC-ANC CONUS TNOSC
City: Fort Huachuca
StateProv: AZ
PostalCode: 85613
Country: US
RegDate: 1990-03-26
Updated: 2011-08-17
Ref: http://whois.arin.net/rest/org/HEADQU-3
OrgTechHandle: REGIS10-ARIN
OrgTechName: Registration
OrgTechPhone: +1-800-365-3642
OrgTechEmail: registra@nic.mil
OrgTechRef: http://whois.arin.net/rest/poc/REGIS10-ARIN
You have to bear in mind that this military installation deals with military intelligence.. although you can be pretty certain that whatever server is running this bogus nameserver is public facing only. Hopefully.
This IP address also hosts a suspicious domain called trabalharpt.com:
Samantha K. Haley
Samantha Haley info@trabalharpt.com
+1.8127473193 fax: +1.8127473193
778 Heliport Loop
Blue Ash IN 45242
us
Again, this is registered through BIZCN.COM in China, and was only registered one week ago on 24th October 2012. There's no reason for a domain like this to be hosted on what appears to be a US military server.
There are probably some other bad domains being supported by these nameservers, but I haven't been able to identify them yet.
From: sales@[victimdomain].comThe spam appears to come "from" the recipients own email address (here's why). The bogus domain reedcouk.com is registered as follows:
To: sales@[victimdomain].com
Date: 30 October 2012 22:33
Subject: Employment opportunity
I would like to take this time to welcome you to our hiring process
and give you a brief synopsis of the position's benefits and requirements.
If you are taking a career break, are on a maternity leave,
recently retired or simply looking for some part-time job, this position is for you.
Occupation: Flexible schedule 2 to 8 hours per day. We can guarantee a minimum 20 hrs/week occupation
Salary: Starting salary is 2000 GBP per month plus commission, paid every month.
Business hours: 9:00 AM to 5:00 PM, MON-FRI, 9:00 AM to 1:00 PM SAT or part time (UK time).
Region: United Kingdom.
Please note that there are no startup fees or deposits to start working for us.
To request an application form, schedule your interview and receive more information about this position
please reply to Bob@reedcouk.com with your personal identification number for this position IDNO: 0797
Lavern E. Davis
Lavern Davis info@reedcouk.com
816-680-7849 fax: 816-680-7331
4218 White Oak Drive
Strasburg MO 64090
us
The domain was registered on 30th October 2012 (today!) via BIZCN.COM, a crime-friendly domain registrar in China. Mail for this domain is handled by a server at 46.249.46.161 (Serverius, Netherlands) which is also ns1.zupyx.net, one of the nameservers for the fake reedcouk.com domain. Who owns zupyx.net? That looks like another fake registration:
Vivian L Resnick
221 Shaker Road
Northfield, NH 03276-4444
US
Phone: +1.6032868211
Email: clinicadelta@aol.com
zupyx.net was only registered on 19th September 2012. But the plot thickens if we look at ns2.zupyx.net (the other namesever being used by reedcouk.com) we can see that it is hosted on 132.79.132.67 which appears to be a hacked US military server at Fort Huachuca:
NetRange: 132.79.0.0 - 132.79.255.255
CIDR: 132.79.0.0/16
OriginAS:
NetName: NGB-NGNET
NetHandle: NET-132-79-0-0-1
Parent: NET-132-0-0-0-0
NetType: Direct Assignment
RegDate: 1990-03-05
Updated: 2008-12-24
Ref: http://whois.arin.net/rest/net/NET-132-79-0-0-1
OrgName: Headquarters, USAISC
OrgId: HEADQU-3
Address: NETC-ANC CONUS TNOSC
City: Fort Huachuca
StateProv: AZ
PostalCode: 85613
Country: US
RegDate: 1990-03-26
Updated: 2011-08-17
Ref: http://whois.arin.net/rest/org/HEADQU-3
OrgTechHandle: REGIS10-ARIN
OrgTechName: Registration
OrgTechPhone: +1-800-365-3642
OrgTechEmail: registra@nic.mil
OrgTechRef: http://whois.arin.net/rest/poc/REGIS10-ARIN
You have to bear in mind that this military installation deals with military intelligence.. although you can be pretty certain that whatever server is running this bogus nameserver is public facing only. Hopefully.
This IP address also hosts a suspicious domain called trabalharpt.com:
Samantha K. Haley
Samantha Haley info@trabalharpt.com
+1.8127473193 fax: +1.8127473193
778 Heliport Loop
Blue Ash IN 45242
us
Again, this is registered through BIZCN.COM in China, and was only registered one week ago on 24th October 2012. There's no reason for a domain like this to be hosted on what appears to be a US military server.
There are probably some other bad domains being supported by these nameservers, but I haven't been able to identify them yet.
Friday 26 October 2012
"Your Photos" spam / manekenppa.ru
From: Acacia@redacted.com [mailto:Acacia@redacted.com]
Sent: 26 October 2012 10:14
Subject: Your Photos
Hi,
I have attached your photos to the mail (Open with Internet Explorer).
In this case there is an attachment called Image_DIG691233.htm that leads to a malware laden page at [donotclick]manekenppa.ru:8080/forum/links/column.php hosted on some familiar looking IPs:
79.98.27.9 (Interneto Vizija, Lithunia)
203.80.16.81 (MYREN, Malaysia)
209.51.221.247 (eNet, US)
We've seen these IPs before and they are well worth blocking.
ADP Spam / steamedboasting.info
This fake ADP spam leads to malware on steamedboasting.info:
This is an alternative variant with the same malicious payload:
From: ClientService@adp.com [mailto:ClientService@adp.com]The malicious payload is at [donotclick]steamedboasting.info/detects/burying_releases-degree.php, the initial redirection page has some Cloudflare elements on it which is a bit disturbing. steamedboasting.info is hosted on 195.198.124.60 (Skand Meteorologi och Miljoinstr AB, Sweden).
Sent: 26 October 2012 12:03
Subject: ADP Instant Notification
ADP Urgent Warning
Reference #: 31344
Dear ADP Client October, 25 2012
Your Transfer Summary(s) have been uploaded to the web site:
https://www.flexdirect.adp.com/client/login.aspx
Please take a look at the following information:
• Please note that your bank account will be charged within 1 banking day for the amount(s) specified on the Statement(s).
•Please DO NOT reply to this message. automative notification system cannot accept incoming messages. Please Contact your ADP Benefits Specialist.
This note was sent to existing users in your company that approach ADP Netsecure.
As always, thank you for choosing ADP as your business companion!
Ref: 31344
This is an alternative variant with the same malicious payload:
Date: Fri, 26 Oct 2012 16:32:10 +0530
From: "noreply@adp.com" [noreply@adp.com]
Subject: ADP Prompt Communication
ADP Speedy Notification
Reference #: 27585
Dear ADP Client October, 25 2012
Your Transaction Statement(s) have been put onto the web site:
Web site link
Please see the following notes:
• Please note that your bank account will be charged-off within 1 banking business day for the amount(s) specified on the Protocol(s).
?Please do not reply to this message. automative notification system can't accept incoming mail. Please Contact your ADP Benefits Specialist.
This message was sent to operating users in your company that approach ADP Netsecure.
As always, thank you for choosing ADP as your business partner!
Ref: 27585 [redacted]
apl.de.ap spam
I'm not really a fan of the Black Eyed Peas, so I'd never heard of apl.de.ap until I received this spam. I'm pretty sure that Mr ap isn't sending these out himself, but they're coming from a spammer in the UAE, a place which seems to be the spam capital of the middle east.
Although those look like tinyurl links, they're not.. they go through a redirector at ykadl.net on 109.236.88.71, the same IP used to send the spam.
The WHOIS details for the spammer domain are:
Technical Name: Domain Admin
Technical Company: Create-Send.net
Technical Address: 57 Kingsway Avenue
Technical Address: Auckland
Technical Address:
Technical Address: Auckland
Technical Address: Na
Technical Address: 1010
Technical Address: New Zealand
Technical Email: info@create-send.net
Technical Tel: +64.279237205
Anyway, here's the spam in case you really want to buy tickets from a shady bunch of spammers..
Although those look like tinyurl links, they're not.. they go through a redirector at ykadl.net on 109.236.88.71, the same IP used to send the spam.
The WHOIS details for the spammer domain are:
Technical Name: Domain Admin
Technical Company: Create-Send.net
Technical Address: 57 Kingsway Avenue
Technical Address: Auckland
Technical Address:
Technical Address: Auckland
Technical Address: Na
Technical Address: 1010
Technical Address: New Zealand
Technical Email: info@create-send.net
Technical Tel: +64.279237205
Anyway, here's the spam in case you really want to buy tickets from a shady bunch of spammers..
From: DNA alex@ykadl.net
Reply-To: DNA [alex@ykadl.net]
Date: 26 October 2012 04:48
Subject: Black Eyed Peas/ APL DE AP in Dubai
Signed by: ykadl.net
BLACK EYE PEAS founding member APL DE AP heads to Dubai
BLACK EYE PEAS founding member APL DE AP to Dubai for the first time.The internationally famed Black Eyed Peas rapper/DJ, who has won 7 Grammy Awards and sold over 70 million albums, will be the headliner performance at Nasimi Beach on Thursday 1st November.
Like his high school friend Will I Am, APL DE AP also DJ's with international bookings all around the globe including Ibiza, Cannes and London, recently headlining at Belgium's Tomorrowland Festival. The American-Philippines star headlines this event with support from Dion Mavath, local celebrity DJ Marwan Bliss/ 411, Mathew Charles and as well as a performance by Number One selling band Swickasswans.
APL DE AP and the other members of the Black Eyed Peas have been on a hiatus from the band for the last year.In 2011 The Black Eyed Peas were ranked 12th on the Billboard's Decade-End Chart Artist of the Decade, the group performed in February 2011 at the halftime show of Super Bowl XLV.
✻TICKETS COST 165AED for this fabulous International Star event with full bar facilities, waiter service and live food stations.✻
TICKETS ARE NOW AVAILABLE ON:
✻TIMEOUT***TICKETINGCO***MARHABA***PLATINUM✻
TIMEOUT * http://tinyurl.com/bvrtjxx
PLATINUM LIST * http://tinyurl.com/cs8wdox
TICKETINGCO * http://tinyurl.com/cctq2s8
✻ FOR VIP TABLE RESERVATIONS CALL 050 1428363✻
For more info@dnapre.com✻21+ ✻ ID required ✻ Couples & mixed groups preferred.✻ Normal club policies apply ✻
✻THIS WILL BE A SELLOUT EVENT. Get your Tickets fast.✻
Share This
UnsubscribeForward to a Friend
inserted image
inserted image
Click here to opt-out
Thursday 25 October 2012
"End of Aug. Statement required" spam / kiladopje.ru
From: ZaireLomay@mail.com [mailto:ZaireLomay@mail.com]In this case, there's an attachment called Invoices-23-2012.htm with some obfuscated Javascript to direct visitors to a malware laden page at [donotclick]kiladopje.ru:8080/forum/links/column.php hosted on:
Sent: 24 October 2012 20:58
Subject: Re: FW: End of Aug. Statement required
Hi,
as reqeusted I give you inovices issued to you per sept. (Internet Explorer format)
Regards
79.98.27.9 (Interneto Vizija, Lithunia)
203.80.16.81 (MYREN, Malaysia)
209.51.221.247 (eNet, US)
The following IPs and domains are all related and should be blocked if you can:
68.67.42.41
72.18.203.140
79.98.27.9
84.22.100.108
85.143.166.170
132.248.49.112
190.10.14.196
202.3.245.13
203.80.16.81
209.51.221.247
fidelocastroo.ru
finitolaco.ru
kennedyana.ru
kiladopje.ru
lemonadiom.ru
leprasmotra.ru
ponowseniks.ru
secondhand4u.ru
windowonu.ru
Wednesday 24 October 2012
BBB Spam / samplersmagnifyingglass.net
This fake BBB spam leads to malware on samplersmagnifyingglass.net:
Some other domains also associated with this IP are:
the-mesgate.net
hotsecrete.net
agmnxsmn.com
art-london.net
asmsxcm.com
buzziskin.net
ifmncmn.com
stafffire.net
sxmnmn.com
tizarrefetishkin.com
Date: Wed, 24 Oct 2012 22:10:18 +0430The malicious payload is on [donotclick]samplersmagnifyingglass.net/detects/confirming_absence_listing.php hosted on 183.81.133.121, a familiar IP address belonging to Vodafone in Fiji that has been used several times before and is well worth blocking.
From: "Better Business Bureau" [noreply@bbb.org]
Subject: Better Business Beareau Appeal #42790699
Attention: Owner/Manager
Here with the Better Business Bureau notifies you that we have been sent a claim (ID 42790699) from one of your consumers about their dealership with you.
Please view the CLAIMS REPORT down to view more information on this problem and suggest us about your point of view as soon as possible.
On a website above please enter your complain id: 42790699 to review it.
We are looking forward to hearing from you.
-----------------------------------
Faithfully,
Rebecca Wilcox
Dispute advisor
Better Business Bureau
Some other domains also associated with this IP are:
the-mesgate.net
hotsecrete.net
agmnxsmn.com
art-london.net
asmsxcm.com
buzziskin.net
ifmncmn.com
stafffire.net
sxmnmn.com
tizarrefetishkin.com
Wire Transfer spam / ponowseniks.ru
Date: Wed, 24 Oct 2012 04:26:12 -0500The .htm attachment attempts to redirect the user to a malicious page at [donotclick]ponowseniks.ru:8080/forum/links/column.php hosted on some familar IP addresses:
From: FedEx [info@emails.fedex.com]
Subject: Re: Fwd: Wire Transfer Confirmation (FED REFERENCE 9649AA02)
Attachments: Report_Trans99252.htm
Dear Bank Operator,
WIRE TRANSFER: FEDW-30126495944197210
STATUS: REJECTED
You can find details in the attached file.(Internet Explorer format)
202.3.245.13 (President of French Polynesia)
203.80.16.81 (MYREN, Malaysia)
209.51.221.247 (eNet, US)
Contract spam / fidelocastroo.ru
Date: Tue, 23 Oct 2012 12:33:51 -0800The .htm attachment contains obfuscated javascript that attempts to direct the visitor to a malicious [donotclick]fidelocastroo.ru:8080/forum/links/column.php. This domain name has been used in several recent attacks and is currently multihomed on some familiar IP addresses:
From: "Wilburn TIMMONS" [HIWilburn@hotmail.com]
Subject: Fw: Contract from Wilburn
Attachments: Contract_Scan_DS23656.htm
Hello,
In the attached file I am transferring you the Translation of the Job Contract that I have just received today. I am really sorry for the delay.
Best regards,
Wilburn TIMMONS, secretary
202.3.245.13 (President of French Polynesia)
203.80.16.81 (MYREN, Malaysia)
209.51.221.247 (eNet, US)
Tuesday 23 October 2012
Intuit spam / montrealhotpropertyguide.com
This fake Intuit spam leads to malware on montrealhotpropertyguide.com:
The malicious payload is on [donotclick]montrealhotpropertyguide.com/links/showed-clearest-about.php hosted on 64.111.26.15 (Data 102, US).
Date: Tue, 23 Oct 2012 14:45:14 +0200
From: "Intuit QuickBooks Customer Service" [35378B458@aubergedesbichonnieres.com]
Subject: Intuit QuickBooks Order
Dear [redacted],
Thank you for placing an order with Intuit QuickBooks!
We have received your payment information and it is currently being processed.
ORDER INFORMATION
Order #: 366948851674
Order Date: Oct 22, 2012
[ View order ]
Qty Item Price
1 Intuit QuickBooks Pro Download 2 2012 $183.96***
Subtotal:
Sales Tax:
Total for this Order:
$183.96
$0.00
$183.96
*Appropriate credit will be applied to your account.
Please Note: Sales tax calculations are estimated. The final sales tax calculation will comply with local regulations.
NEED HELP?
Questions about your order? Please visit Customer Service.
Join Us On Facebook
Close More Sales
Save Time
Privacy | Legal | Contact Us | About Intuit
You have received this business communication as part of our efforts to fulfill your request or service your account. You may receive this and other business communications from us even if you have opted out of marketing messages.
If you receive an email message that appears to come from Intuit but that you suspect is a phishing email, please forward it immediately to spoof@intuit.com. Please visit http://security.intuit.com/ for additional security information.
Please note: This email was sent from an auto-notification system that cannot accept incoming email. Please do not reply to this message.
� 2012 Intuit Inc. or its affiliates. All rights reserved.
The malicious payload is on [donotclick]montrealhotpropertyguide.com/links/showed-clearest-about.php hosted on 64.111.26.15 (Data 102, US).
NACHA spam / bwdlpjvehrka.ddns.info
This fake NACHA spam leads to malware on bwdlpjvehrka.ddns.info:
Date: Tue, 23 Oct 2012 05:44:05 +0200The malicious payload is at [donotclick]bwdlpjvehrka.ddns.info/links/calls_already_stopping.php hosted on 78.24.222.16 (TheFirst-RU, Russia). Blocking this IP address would be a good move.
From: "noreply@direct.nacha.org"
Subject: Notification about the rejected Direct Deposit payment
Herewith we are informing you, that your most recent Direct Deposit via ACH transaction (#914555512836) was cancelled, due to your current Direct Deposit software being out of date. Please use the link below to enter the secure section of our web site and see the details::
Details
Please contact your financial institution to acquire the new version of the software.
Sincerely yours
ACH Network Rules Department
NACHA | The Electronic Payments Association
13450 Sunrise Valley Drive, Suite 100
Herndon, VA 20171
Phone: 703-561-1100 Fax: 703-787-0996
President of French Polynesia (presidence.pf) hacked?
presidence.pf is the web site of the President of French Polynesia, it is hosted on 202.3.245.13 by the Tahitian ISP MANA (along with an alternative domain of presid.pf).
Unfortunately, that's not the only thing lurking on 202.3.245.13. Yesterday I spotted an exploit kit on the same IP, probably Blackhole 2. An examination of the server shows the presence of the following malicious domains on the same IP:
fidelocastroo.ru
secondhand4u.ru
windowonu.ru
There's no evidence that the websites presidence.pf or presid.pf are dangerous, but there are other web sites on the same server which certainly do appear to be quite toxic..
Now, French Polynesia isn't the biggest place in the world, but it's the first time I've seen the site of a president of anywhere potentially compromised in this way.
Unfortunately, that's not the only thing lurking on 202.3.245.13. Yesterday I spotted an exploit kit on the same IP, probably Blackhole 2. An examination of the server shows the presence of the following malicious domains on the same IP:
fidelocastroo.ru
secondhand4u.ru
windowonu.ru
There's no evidence that the websites presidence.pf or presid.pf are dangerous, but there are other web sites on the same server which certainly do appear to be quite toxic..
Now, French Polynesia isn't the biggest place in the world, but it's the first time I've seen the site of a president of anywhere potentially compromised in this way.
Monday 22 October 2012
"Copies of Policies" spam / fidelocastroo.ru
Date: Mon, 22 Oct 2012 08:05:10 -0500
From: Twitter [c-FG6SPPPCGK63=D8154Z4.8N4-6042f@postmaster.twitter.com]
Subject: RE: Charley - Copies of Policies.
Unfortunately, I cannot obtain electronic copies of the Ocean, Warehouse or EPLI policy.
Here is the Package and Umbrella,
and a copy of the most recent schedule.
Charley HEALY,
The malicious payload is on [donotclick]fidelocastroo.ru:8080/forum/links/column.php hosted on the following IPs:
68.67.42.41 (Fibrenoire, Canada)
79.98.27.9 (Interneto Vizija, Lithunia)
190.10.14.196 (RACSA, Costa Rica)
202.3.245.13 (MANA, French Polynesia)
203.80.16.81 (MYREN, Malaysia)
209.51.221.247 (eNET, US)
Plain list for copy and pasting:
68.67.42.41
79.98.27.9
190.10.14.196
202.3.245.13
203.80.16.81
209.51.221.247
Blocking these IPs should prevent any other attacks on the same server.
Subscribe to:
Posts (Atom)