I've covered Gary McNeish and his SMS spamming outfit before, they are quite possibly behind the majority of financial SMS spam messages that have been doing the rounds lately.
Well, it seems the ICO finally caught up with him and his business partner Christopher Niebel and have hit the pair with a whopping £440,000. The Daily Telegraph reports that they were pumping out up to 840,000 spam SMS messages per day. The BBC has more details about the pair.
It looks like Mr Neibel has suffered the bulk of the fine, with £300,000 ordered to be paid by the ICO. Mr McNeish lives in Thailand (but owns the spamming company Tetrus Telecom) and has been fined £140,000. Mr Neibel seems a bit upset by this according to reports. Tough shit, I say.
Anyway, this is the guy who probably won't be coming back to the UK any time soon..
Check out some of his semi-naked photos here. Classy!
Wednesday, 28 November 2012
Gary McNeish, Christopher Niebel fined £440k for SMS spams
Labels:
Gary McNeish,
SMS,
Spam,
Tetrus Telecoms
Changelog spam / ganadeion.ru
Date: Wed, 28 Nov 2012 05:21:35 -0500The malicious payload is at [donotclick]ganadeion.ru:8080/forum/links/column.php hosted on some familiar looking IP addresses that you should block if you can:
From: LinkedIn Password [password@linkedin.com]
Subject: Re: Changelog as promised (upd.)
Hello,
as prmised updated changelog - View
C. BERGMAN
202.180.221.186 (GNet, Mongolia)
203.80.16.81 (MYREN, Malaysia)
208.87.243.131 (Psychz Networks, US)
Tuesday, 27 November 2012
Wire transfer spam / gurmanikia.ru
Date: Tue, 27 Nov 2012 01:14:15 -0500The malicious payload is at [donotclick]gurmanikia.ru:8080/forum/links/column.php hosted on the following well-known malicious IPs:
From: Emerita Ayers via LinkedIn [member@linkedin.com]
Subject: RE: Your Wire Transfer N27172774
Dear Customers,
Wire debit transfer was canceled.
Canceled transfer:
FED NUMBER: 6946432301WIRE298280
Transaction Report: View
Federal Reserve Wire Network
202.180.221.186 (GNet, Mongolia)
203.80.16.81 (MYREN, Malaysia)
208.87.243.131 (Psychz Networks, US)
FedEx spam / PostalReceipt.zip
A slightly new take on the malicious FedEx spam we've seen recently. This time, the link in the email goes to a hacked domain to download an attachment called PostalReceipt.zip
Date: Tue, 27 Nov 2012 13:04:37 -0400In this case the download site was [donotclick]amsterdam.cathedralsoft.com/TFOIATVZVT.html hosted on 46.105.140.157 (OVH, Spain). www.cathedralsoft.com is hosted on 94.23.187.176 (also OVH, Spain). It looks like cathedralsoft.com have been compromised in this attack.
From: "Office Mail" [no_replyFRL@cleveland.com]
Subject: ID (I)JI74 384 428 2295 7492
FedEx
Order: AX-7608-99659670234
Order Date: Sunday, 25 November 2012, 10:35 AM
Dear Customer,
Your parcel has arrived at the post office at November 27.Our postrider was unable to deliver the parcel to you.
To receive a parcel, please, go to the nearest our office and show this postal receipt.
GET POSTAL RECEIPT
Best Regards, The FedEx Team.
� FedEx 1995-2012
VirusTotal detection rates are very low. I don't currently have an analysis of the malicious payload.
Update: here is another variant, downloading from [donotclick]brandandreputation.net/NOHDPQWPJJ.html (195.249.40.193, TeamInternet Denmark)
Date: Wed, 28 Nov 2012 A.D. 07:34:52 -0400
From: "First-Class UPS logistics" [no.reply-FG@houston.com]
Subject: Tracking Number (A)PSO79 089 360 1947 4933
FedEx
Order: MN-8474-09876452234
Order Date: Sunday, 24 November 2012, 11:36 AM
Dear Customer,
Your parcel has arrived at the post office at November 26.Our postrider was unable to deliver the parcel to you.
To receive a parcel, please, go to the nearest our office and show this postal receipt.
GET POSTAL RECEIPT
Best Regards, The FedEx Team.
� FedEx 1995-2012
Detection rates are pretty miserable for this one too. It looks like a Bredolab variant.
Update 2: another variant of the malware, this time downloading via [donotclick]www.cantoncityutah.com/OXSJOVVYOE.html (this tries to open PostalReceipt.zip in a window). Again, VirusTotal detection is not good.
Date: Thu, 29 Nov 2012 A.D. 14:29:38 +0200
From: "Office Mail" [NoReply@baltimore.com]
Subject: Tracking Number (K)IR46 545 922 5276 0059
FedEx
Order: HD-5468-483254683
Order Date: Monday, 25 November 2012, 03:41 PM
Dear Customer,
Your parcel has arrived at the post office at November 27.Our postrider was unable to deliver the parcel to you.
To receive a parcel, please, go to the nearest our office and show this postal receipt.
GET POSTAL RECEIPT
Best Regards, The FedEx Team.
� FedEx 1995-2012
Update 3: yet another variant.. the payload wasn't working on this one though.
Date: Fri, 30 Nov 2012 A.D. 07:57:38 -0400Update 4: this variant attempts to download [donotclick]catercut.ie/Postal-Receipt.zip (VirusTotal results here) via [donotclick]catercut.ie/KANHEPGVVM.html:
From: "First-Class logistics" [NoReply.368@tucson.com]
Subject: Number (N)GDE82 422 446 0527 6243
FedEx
Order: HD-5468-483254683
Order Date: Tuesday, 26 November 2012, 10:17 AM
Dear Customer,
Your parcel has arrived at the post office at November 28.Our postrider was unable to deliver the parcel to you.
To receive a parcel, please, go to the nearest our office and show this postal receipt.
GET POSTAL RECEIPT
Best Regards, The FedEx Team.
� FedEx 1995-2012
Date: Fri, 30 Nov 2012 A.D. 14:33:35 -0400Update 5: another spam run, same payload as last time (updated VirusTotal results here). Link leads to [donotreply]drillsaw.com.au/VYWFBRIUBU.html which leads to a payload at [donotreply]drillsaw.com.au/Postal-Receipt.zip
From: "UPS Mail" [NOreplyEAY@baltimore.com]
Subject: ID (P)NRB90 564 295 9947 6165
FedEx
Order: HD-5468-483254683
Order Date: Tuesday, 26 November 2012, 10:17 AM
Dear Customer,
Your parcel has arrived at the post office at November 28.Our postrider was unable to deliver the parcel to you.
To receive a parcel, please, go to the nearest our office and show this postal receipt.
GET POSTAL RECEIPT
Best Regards, The FedEx Team.
� FedEx 1995-2012
Date: Fri, 30 Nov 2012 A.D. 22:47:44 -0700Update 6: yet another variant, this time downloading from [donotclick]exodionline.com/job.php?php=receipt (VirusTotal results here).
From: "logistics UPS" [no.reply-UAC@losangeles.com]
Subject: Tracking Detail (L)OK73 487 973 8524 5206
FedEx
Order: HD-5468-483254683
Order Date: Tuesday, 26 November 2012, 10:17 AM
Dear Customer,
Your parcel has arrived at the post office at November 28.Our postrider was unable to deliver the parcel to you.
To receive a parcel, please, go to the nearest our office and show this postal receipt.
GET POSTAL RECEIPT
Best Regards, The FedEx Team.
� FedEx 1995-2012
Date: Sun, 02 Dec 2012 A.D. 15:13:18 -0400Update 7: this variant downloads from [donotclick]www.850spider.de/TYKXVHIFQH.html (report here):
From: "UPS Receipt" [NOreply.815@irvine.com]
Subject: Tracking ID (T)SB58 793 555 5502 9056
FedEx
Order: RM-8723-2307345234
Order Date: Monday, 19 November 2012, 09:32 AM
Dear Customer,
Your parcel has arrived at the post office at November 29.Our postrider was unable to deliver the parcel to you.
To receive a parcel, please, go to the nearest our office and show this postal receipt.
GET POSTAL RECEIPT
Best Regards, The FedEx Team.
� FedEx 1995-2012
Date: Sat, 01 Dec 2012 A.D. 19:50:18 -0500Update 8: this one attempts (and fails) to download the payload from [donotclick]aucs.de/job.php?php=receipt - I haven't seen the payload for this yet.
From: "First-Class logistics" [NoReply-QEP@baltimore.com]
Subject: Tracking Detail (K)HW33 625 799 6339 9731
FedEx
Order: RM-8723-2307345234
Order Date: Monday, 19 November 2012, 09:32 AM
Dear Customer,
Your parcel has arrived at the post office at November 29.Our postrider was unable to deliver the parcel to you.
To receive a parcel, please, go to the nearest our office and show this postal receipt.
GET POSTAL RECEIPT
Best Regards, The FedEx Team.
� FedEx 1995-2012
Date: Tue, 04 Dec 2012 05:13:30 -0600Update 9: another slightly different version, this one 404s:
From: "U.P.S.Service" [no_replyQQW@tampa.com]
Subject: Tracking Number (X)SO21 772 224 4605 7903
FedEx
Order: SD-5468-482485468
Order Date: Monday, 2 December 2012, 11:23 AM
Dear Customer,
Your parcel has arrived at the post office at December 4.Our postrider was unable to deliver the parcel to you.
To receive a parcel, please, go to the nearest our office and show this postal receipt.
GET POSTAL RECEIPT
Best Regards, The FedEx Team.
� FedEx 1995-2012
Date: Wed, 05 Dec 2012 A.D. 06:52:19 -0400Update 10: another version, this downloads from [donotclick]gaffashion.de/KUHZNRQXSG.php?php=receipt , VirusTotal results are patchy.
From: "U.P.S.Service" [NOreplyPCP@birmingham.com]
Subject: ID (I)PFP44 818 840 9369 1257
FedEx
Order: SD-5468-482485468
Order Date: Monday, 2 December 2012, 11:23 AM
Dear Customer,
Your parcel has arrived at the post office at December 4.Our postrider was unable to deliver the parcel to you.
To receive a parcel, please, go to the nearest our office and show this postal receipt.
GET POSTAL RECEIPT
Best Regards, The FedEx Team.
� FedEx 1995-2012
Date: Wed, 05 Dec 2012 13:21:13 -0400
From: "logistics UPS" [no.replyDD@cincinnati.com]
Subject: Tracking Number (O)UBF96 497 677 7945 1347
FedEx
Order: SD-5468-482485468
Order Date: Monday, 2 December 2012, 11:23 AM
Dear Customer,
Your parcel has arrived at the post office at December 4.Our postrider was unable to deliver the parcel to you.
To receive a parcel, please, go to the nearest our office and show this postal receipt.
GET POSTAL RECEIPT
Best Regards, The FedEx Team.
� FedEx 1995-2012
Update 11: even more of these today, the volumes seem to be ramping up. Detection rates are pretty miserable.
Subjects spotted:
Tracking Detail (S)AR71 347 275 0953 6096
Number (H)OY68 102 257 0143 6263
Tracking Number (A)WF09 061 710 9662 3209
Tracking Detail (Y)XEY08 661 121 7788 5937
ID (T)TU26 454 839 5856 0273
Number (651)36-651-651-7313-7313
Number (N)QGW24 822 128 6967 5066
Tracking Detail (J)RD66 396 145 5017 2968
Tracking ID (G)EQI40 177 581 4008 9333
Dowload sites:
[donotclick]www.andovar.de/LNYYNMZAMK.php?php=receipt
[donotclick]biggis-musiktruhe.de/PQRZPJPCBG.php?php=receipt
[donotclick]threesolution.org/OGIKYWHWNJ.php?php=receipt
[donotclick]s375670599.online.de/RTJQIUZQOJ.php?php=receipt
[donotclick]Joeyscafeok.com/PHLNPDFSRV.php?php=receipt
[donotclick]www.edibaer.at/CPDWHUDQDM.php?php=receipt
[donotclick]architetturapc.altervista.org/VOWORTEUWM.php?php=receipt
[donotclick]myinci.net/XIGTTUBPNV.php?php=receipt
Update 12: another version with a tweaked malicious binary:
Date: Fri, 07 Dec 2012 08:33:17 -0400
From: "UPS Receipt" [NOreply.IDH@riverside.com]
Subject: ID (D)RH64 621 035 9749 7042
FedEx
Order: SD-5468-482485468
Order Date: Monday, 2 December 2012, 11:23 AM
Dear Customer,
Your parcel has arrived at the post office at December 4.Our postrider was unable to deliver the parcel to you.
To receive a parcel, please, go to the nearest our office and show this postal receipt.
GET POSTAL RECEIPT
Best Regards, The FedEx Team.
� FedEx 1995-2012
In this case, the link goes to [donotclick]www.dol2day.com/QGYAMKOOBH.php?php=receipt which downloads Postal-Receipt.zip containing Postal-Receipt.exe. The VirusTotal results are not good. Another version uses the subject Number (A)CV88 683 994 7812 3447
Update 13: another couple of variants, the payload has morphed again and VirusTotal results are predictably very poor.
Date: Sun, 09 Dec 2012 A.D. 12:20:15 -0400
From: "Priority Mail Postal Service" [GJX_308@neworleans.com]
Subject: Tracking Detail (Y)VH30 307 516 2676 5647
FedEx
Order: SGH-3818-3779326179
Order Date: Monday, 2 December 2012, 12:32 AM
Dear Customer,
Your parcel has arrived at the post office at December 7.Our postrider was unable to deliver the parcel to you.
To receive a parcel, please, go to the nearest our office and show this postal receipt.
GET POSTAL RECEIPT
Best Regards, The FedEx Team.
� FedEx 1995-2012
====================
Date: Sat, 08 Dec 2012 14:11:29 -0700
From: "UPS Receipt" [NOreply.094@shreveport.com]
Subject: Number (X)UJ39 079 034 0694 8327
FedEx
Order: SGH-0987-4616781861
Order Date: Monday, 2 December 2012, 12:32 AM
Dear Customer,
Your parcel has arrived at the post office at December 7.Our postrider was unable to deliver the parcel to you.
To receive a parcel, please, go to the nearest our office and show this postal receipt.
GET POSTAL RECEIPT
Best Regards, The FedEx Team.
� FedEx 1995-2012
Some other subject lines:
Number (A)CFV63 149 496 9260 0620
Tracking Detail (S)ESQ89 729 953 7596 6283
Some download sites (don't visit these unless you know what you are doing)
www.musikschule-nvp.de/SNDDAAWTBR.php?php=receipt
www.mcfcdonegal.com/OPMUYUCCIV.php?php=receipt
www.beller-das.de/NWAPXATXVT.php?php=receipt
www.trude-hau-rein.de/UWQNZZWFXZ.php?php=receipt
Update 14: just in time for Christmas..
Date: Tue, 25 Dec 2012 00:07:07 +0200The binary has changed again, detection rates are patchy. Anubis reports that the malware calls home to 74.80.220.148:60000 which would make it a Zbot variant.
From: "Office 852" [mu-852@orlando.com]
Subject: Tracking Detail (193)92-193-193-9477-9477
FedEx
Order: VGH-4658-1148074435
Order Date: Friday, 14 December 2012, 01:21 PM
Dear Customer,
Your parcel has arrived at the post office at December 20.Our courier was unable to deliver the parcel to you.
To receive a parcel, please, go to the nearest our office and show this receipt.
DOWNLOAD POSTAL RECEIPT
Best Regards, The FedEx Team.
Update 15: this one loads via [donotclick]www.eurogleuf.nl/DERZRCUKKY.php?php=receipt , VitusTotal detection rates are just 7/46.
From: Express Mail Service [user-989@louisville.com]
date: 26 December 2012 10:46
subject: Tracking ID (580)53-580-580-3103-3103
FedEx
Order: VGH-2024-9642451224
Order Date: Friday, 14 December 2012, 01:21 PM
Dear Customer,
Your parcel has arrived at the post office at December 20.Our courier was unable to deliver the parcel to you.
To receive a parcel, please, go to the nearest our office and show this receipt.
DOWNLOAD POSTAL RECEIPT
Best Regards, The FedEx Team.
Update 16: just in time for New Year's day, this one loads via [donotclick]www.subclix.com/QJXBJWUUEJ.php?php=receipt. VT detections are again patchy.
Date: Sun, 06 Jan 2013 A.D. 05:11:30 -0500Example download sites:
From: "Worldwide Express Mail Service" <support_489@coloradosprings.com>
To: [redacted]
Subject: Tracking Number (I)FG03 107 566 0859 2689
FedEx
Order: HJF-8295-96674032
Order Date: Thursday, 27 December 2012, 10:41 AM
Dear Customer,
Your parcel has arrived at the post office at December 31.Our courier was unable to deliver the parcel to you.
To receive your parcel, please, go to the nearest office and show this receipt.
DOWNLOAD POSTAL RECEIPT
Best Regards, The FedEx Team.
� FedEx 1995-2012
================
Date: Sat, 05 Jan 2013 19:25:48 -0400
From: "Worldwide Express Mail" <support.800@portland.com>
To: [redacted]
Subject: Number (M)EG25 627 586 0611 4432
*+++
FedEx
Order: HJF-9667-27583280
Order Date: Thursday, 27 December 2012, 10:41 AM
Dear Customer,
Your parcel has arrived at the post office at December 31.Our courier was unable to deliver the parcel to you.
To receive your parcel, please, go to the nearest office and show this receipt.
DOWNLOAD POSTAL RECEIPT
Best Regards, The FedEx Team.
� FedEx 1995-2012
================
Date: Sat, 05 Jan 2013 A.D. 13:57:18 -0400
From: "First-Class Mail Postal Service" <support.813@baltimore.com>
To: [redacted]
Subject: Number (V)TGS29 427 081 6880 9243
FedEx
Order: HJF-3918-81582364
Order Date: Thursday, 27 December 2012, 10:41 AM
Dear Customer,
Your parcel has arrived at the post office at December 31.Our courier was unable to deliver the parcel to you.
To receive your parcel, please, go to the nearest office and show this receipt.
DOWNLOAD POSTAL RECEIPT
Best Regards, The FedEx Team.
� FedEx 1995-2012
================
Date: Sat, 05 Jan 2013 09:05:00 -0400
From: "First-Class Mail Service" <DTU.160@baltimore.com>
To: [redacted]
Subject: Tracking Detail (S)JYD60 835 496 0448 5921
FedEx
Order: HJF-8882-94725648
Order Date: Thursday, 27 December 2012, 10:41 AM
Dear Customer,
Your parcel has arrived at the post office at December 31.Our courier was unable to deliver the parcel to you.
To receive your parcel, please, go to the nearest office and show this receipt.
DOWNLOAD POSTAL RECEIPT
Best Regards, The FedEx Team.
� FedEx 1995-2012
[donotclick]omahadisability.com/UWOJIEUBLS.php?php=receipt
[donotclick]p-g-maintenance.co.uk/YLFDRZWNJP.php?php=receipt
[donotclick]cctvsecuritysystemshouston.com/XUAJAIPISI.php?php=receipt
[donotclick]itiyam.com/WEQOHWFEAK.php?php=receipt
Note the these URLs seem to be hardened against analysis, if you can't access them check your user agent and referrer strings.
Update 17: and more, this time with the following details:
Tracking Number (B)TXP55 992 494 4822 1645
Number (N)DD46 790 881 6344 2460
Order: HJF-4121-39707012
Order: HJF-2424-11089225
[donotclick]jcpub.com/SXYUXBKFQF.php?php=receipt
[donotclick]travelclinicsswansea.com/INJIETKYXV.php?php=receipt
Update 18: another spam run, detection rates are a bit better for this one:
Date: Wed, 09 Jan 2013 06:35:16 +0200Variants:
From: "Shipping Service" [IAL_792@chesapeake.com]
Subject: Tracking Detail (V)QT48 601 848 0556 8882
FedEx
Order: JN-3254-98757378
Order Date: Thursday, 3 January 2013, 11:23 AM
Dear Customer,
Your parcel has arrived at the post office at January 6.Our courier was unable to deliver the parcel to you.
To receive your parcel, please, go to the nearest office and show this receipt.
GET & PRINT RECEIPT
Best Regards, The FedEx Team.
� FedEx 1995-2012
Tracking ID (R)EBE08 923 976 4800 2506
Tracking ID (Y)OKX60 559 414 2225 0045
Order: JN-8274-10502299
Order: JN-9593-93771591
Sample download sites:
[donotclick]fibam.be/CMNVTXINXV.php?php=receipt
[donotclick]sofa-session.ch/PRRVWKCUQJ.php?php=receipt
Update 19: another spam run with the following characteristics:
Subject: Tracking Number (E)KA09 359 952 5829 0864Update 20: another one, this time downloading from [donotclick]businesscoaching24.com/BWMIZNPQAT.php?receipt=802_195210783
Order: JN-9160-75660784
Download site: [donotclick]endlich-ein-dsl-anschluss.de/HUPAHPNHTC.php?receipt=ss00_323
VirusTotal report
Date: Sun, 27 Jan 2013 13:09:22 +0100Detection rates are patchy according to VirusTotal. The ThreatExpert report is here.
From: "Priority Mail Postal Service" [clients-669@columbus.com]
Subject: Number (L)BVT74 159 159 2182 2182
Fed Ex
Order: HCD-7626-14749451
Order Date: Thursday, 17 January 2013, 11:10 AM
Dear Customer,
Your parcel has arrived at the post office at January 21.Our courier was unable to deliver the parcel to you.
To receive your parcel, please, go to the nearest office and show this receipt.
GET & PRINT RECEIPT
Best Regards, The FedEx Team.
FedEx 1995-2012
Update 21: another sample, this time from [donotclick]mydrugstoreus.net/get_file.php?print_receipt=ss00_323, VirusTotal results are 16/46.
Date: Tue, 05 Feb 2013 19:20:36 -0400Update 22: this one downloads from [donotclick]zdsw.net/get_file.php?receipt_print=ss00_323 with VirusTotal detections at 12/46.
From: "Manager David Riddle" [manager@tampa.us]
Subject: Order Detail
FedEx
Tracking ID: 4013-85911016
Date: Monday, 28 January 2013, 09:22 AM
Dear Client,
Your parcel has arrived at February 1.Courier was unable to deliver the parcel to you at 1 February 05:54 PM.
To receive your parcel, please, print this receipt and go to the nearest office.
Print Receipt
Best Regards, The FedEx Team.
FedEx 1995-2013
According to ThreatExpert, this version attempts to connect to the following IP addresses which may be worth blocking:
Date: Wed, 06 Feb 2013 18:29:28 -0400
From: "Manager William Burt" [service@greensboro.us]
Subject: Shipping Info
FedEx
Tracking ID: 5739-64600336
Date: Monday, 28 January 2013, 09:22 AM
Dear Client,
Your parcel has arrived at February 1.Courier was unable to deliver the parcel to you at 1 February 05:54 PM.
To receive your parcel, please, print this receipt and go to the nearest office.
Print Receipt
Best Regards, The FedEx Team.
FedEx 1995-2013
46.4.178.174
66.84.10.68
66.232.145.174
77.79.81.166
80.90.198.43
81.93.248.152
84.38.159.166
85.186.22.146
85.214.50.161
89.19.20.202
94.101.86.146
173.255.203.178
190.111.176.13
202.153.132.24
202.169.224.202
217.11.63.194
Update 23: this variant downloads from [donotclick]www.ocadaval.com/tmp/vsgnpg.php?receipt_print=ss00_323 with VirusTotal detections of 16/46:
From: Manager Jayden Dickson [support@santaana.us]Update 24: downloading from [donotclick]www.olmuccio.com/tmp/0iuziv.php?receipt_print=ss00_323 and with VirusTotal detections of just 10/46.
Date: 8 February 2013 03:33:48 CET
Subject: Tracking Info
FedEx
7475-42208096 Monday, 4 January 2013, 08:24 AM
Your parcel has arrived at February 6.Courier was unable to deliver the parcel to you at 6 February 05:51 PM.
To receive your parcel, please, print this receipt and go to the nearest office.
Print Receipt
Best Regards, The FedEx Team.
FedEx 1995-2013
Date: Mon, 11 Feb 2013 A.D. 13:35:56 -0500Update 25: downloading from [donotclick]www.onzeklus.com/tmp/gnnvyg.php?receipt_print=ss00_323 with VirusTotal detections at just 7/44.
From: "Manager Daniel Acevedo" [manager@lexington.us]
Subject: Order Information
FedEx
Tracking ID: 2803-20131928
Date: Monday, 4 January 2013, 09:42 AM
Dear Client,
Your parcel has arrived at February 8.Courier was unable to deliver the parcel to you at 8 February 06:33 PM.
To receive your parcel, please, print this receipt and go to the nearest office.
Print Receipt
Best Regards, The FedEx Team.
FedEx 1995-2013
Date: Wed, 13 Feb 2013 A.D. 16:28:00 -0400Update 26: downloading from [donotclick]www.assembleserver.net/clients/comp/mirror.php?receipt_print=ss00_323 with VirusTotal detections of just 5/46.
From: "Manager William Burt" [client@wichita.us]
Subject: Shipping Service
FedEx
Tracking ID: 2890-49318193
Date: Monday, 4 January 2013, 09:42 AM
Dear Client,
Your parcel has arrived at February 8.Courier was unable to deliver the parcel to you at 8 February 06:33 PM.
To receive your parcel, please, print this receipt and go to the nearest office.
Print Receipt
Best Regards, The FedEx Team.
FedEx 1995-2013
Date: Fri, 15 Feb 2013 10:44:44 -0400According to Anubis, the malware attempts to call home to the following IPs:
From: "Manager Jayden Soto" [manager@norfolk.us]
Subject: Shipping Info
FedEx
Tracking ID: 4374-23102840
Date: Monday, 11 February 2013, 10:22 AM
Dear Client,
Your parcel has arrived at February 14.Courier was unable to deliver the parcel to you at 14 February 06:33 PM.
To receive your parcel, please, print this receipt and go to the nearest office.
Print Receipt
Best Regards, The FedEx Team.
FedEx 1995-2013
66.84.10.68
72.29.84.159
87.118.122.19
94.101.86.146
173.255.203.178
Update 27: downloading from[donotclick]/phillipsflorist.co.uk/wp-content/plugins/akismet/mirror.php?receipt=ss00_323 with a detection rate of 4/45.
Date: Wed, 20 Feb 2013 10:00:38 -0400According to Anubis, this malware tries to call home to:
From: "Manager Mason Marsh" [service@anaheim.us]
Subject: Order Shipped
FedEx
Tracking ID: 9702-66479247
Date: Monday, 11 February 2013, 10:22 AM
Dear Client,
Your parcel has arrived at February 18.Courier was unable to deliver the parcel to you at 18 February 06:33 PM.
To receive your parcel, please, print this receipt and go to the nearest office.
Print Receipt
Best Regards, The FedEx Team.
FedEx 1995-2013
50.115.116.201
81.93.248.152
87.118.122.19
94.23.193.229
190.111.176.13
213.229.106.32
Update 28: another version, with a download site of [donotclick]www.2handhome.com/components/.ebgv3m.php?receipt=838_129704313 and a VirusTotal score of just 6/45.
Date: Wed, 13 Mar 2013 05:54:18 -0700According to Anubis, the malware calls home to:
From: "Manager Liam Ortega" [support@lincoln.us]
Subject: Tracking Information
FedEx
Tracking ID: 6673-95490112
Date: Monday, 4 March 2013, 10:22 AM
Dear Client,
Your parcel has arrived at March 7.Courier was unable to deliver the parcel to you at 7 March 06:33 PM.
To receive your parcel, please, print this receipt and go to the nearest office.
Print Receipt
Best Regards, The FedEx Team.
FedEx 1995-2013
87.106.51.52:8080
91.121.156.162:8080
80.67.6.226:8080
93.125.30.232:8080
174.120.225.57:8080
91.121.28.146:8080
193.23.226.15:8080
BeyondTek IT / Beyond Tek IT / beyondtekit.com spam
Here's an annoying spammer.. but who are they exactly?
So who are BeyondTekIT? (They also spell their name Beyond Tek IT and BeyondTek IT). The WHOIS details for the beyondtekit.com (and beyondtechit.com) are no help because they are anonymised. So, perhaps their website gives a clue.. and indeed they give the following contact details:
A bit of hard searching around shows that this is not a US based company at all, but is actually based in India (the email mentions an Indian connection). Their real website is at beyondtech.in and clearly mentions the maildrop address on their contact page.
The WHOIS details for this domain are:
Registrant ID:SB23414228
Registrant Name:Nishant Rastogi
Registrant Organization:One MG
Registrant Street1:23, North Boag Road, TNagar
Registrant Street2:
Registrant Street3:
Registrant City:Chennai
Registrant State/Province:Tamil Nadu
Registrant Postal Code:600017
Registrant Country:IN
Registrant Phone:+91.9444034408
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Registrant Email:mail@onemg.in
I personally wouldn't recommend giving any personal details to spammers, and I certainly wouldn't recommend giving details to a company that seems to spend some effort to conceal who they really are. But, bear in mind that there are no anti-spam laws in India which explains the high level of Indian spam messages (think SEO spam) that we see, so under Indian law they are probably not doing anything wrong, but surely if they are trading as a California entity then they need to be registered?
From: Nick Snow ---- BeyondTekIT Nick@beyondtekit.comThe spam (and it is spam) originates from a server on 216.14.62.75 (Telepacific Communications, Los Angeles) which also hosts the beyondtekit.com and beyondtechit.com domains.
Date: 27 November 2012 10:24
Subject: Your IT Jobs - HR
Hello:
The IT market is extremely HOT right now and there is no doubt that, there is a severe shortage of qualified, experienced IT candidates and an over-abundance of IT jobs being advertised by companies all over the country. It seems, most qualified candidates are in such high demand that they are getting multiple offers, which is making it difficult for companies to fill certain positions.
That being said please let me know if you currently have any hard-to-fill IT positions at that we could provide candidates for. We can assist with contract, contract-to-hire/temp-to-perm, or permanent positions.
We have candidates available across all technologies and skill-sets, including (this is only a partial list):
Programmers/Developers - Java, C++, .Net, Ruby, Web, Perl, Python, PHP, ColdFusion, etc
Systems Analysts / Business Analysts
QA Engineers/Analysts/Testers
DBA's - SQL Server, Oracle, MySQL, etc
SAP Consultants - Technical, Functional, Techno-Functional, Analysts, Developers
Oracle Consultants - Technical, Functional, Techno-Functional, Analysts, Developers
Data Warehouse/Business Intelligence Developers/Engineers - ETL, SSIS, SSAS, SSRS, Cognos, etc
Project Managers
Systems Administrators - Linux, Window, etc
Executive - CIO, CTO, VP of IT, etc
PS - We have just started offering our clients a business model of hiring off-site developers, who can be your employees but working from our office in India. Please ask me for more details, and I can send you our PowerPoint presentation.
Thank you.
Nick Snow
BeyondTek IT
Tel: 714-572-1544
nick@beyondtekit.com
www.BeyondTekIT.com
So who are BeyondTekIT? (They also spell their name Beyond Tek IT and BeyondTek IT). The WHOIS details for the beyondtekit.com (and beyondtechit.com) are no help because they are anonymised. So, perhaps their website gives a clue.. and indeed they give the following contact details:
BeyondTek ITSo, this is a California company. So it must be registered in the State of California? Err.. no. There is no business entity of this name. So let's check out the address.. well, that turns out to be a store called Postal Max that rents out mailboxes.
1057 E. Imperial Highway, Suite 509
Placentia, CA 92870
Phone: 714-572-1544
Fax: 714-364-9705
General Inquiries: info@beyondtekit.com
Candidate Resume Submittals: resume@beyondtekit.com
A bit of hard searching around shows that this is not a US based company at all, but is actually based in India (the email mentions an Indian connection). Their real website is at beyondtech.in and clearly mentions the maildrop address on their contact page.
The WHOIS details for this domain are:
Registrant ID:SB23414228
Registrant Name:Nishant Rastogi
Registrant Organization:One MG
Registrant Street1:23, North Boag Road, TNagar
Registrant Street2:
Registrant Street3:
Registrant City:Chennai
Registrant State/Province:Tamil Nadu
Registrant Postal Code:600017
Registrant Country:IN
Registrant Phone:+91.9444034408
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Registrant Email:mail@onemg.in
I personally wouldn't recommend giving any personal details to spammers, and I certainly wouldn't recommend giving details to a company that seems to spend some effort to conceal who they really are. But, bear in mind that there are no anti-spam laws in India which explains the high level of Indian spam messages (think SEO spam) that we see, so under Indian law they are probably not doing anything wrong, but surely if they are trading as a California entity then they need to be registered?
"Copies of Policies" spam / ganiopatia.ru
Date: Mon, 26 Nov 2012 02:31:10 -0500
From: sales1@victimdomain.com
Subject: RE: ALINA - Copies of Policies.
Unfortunately, I cannot obtain electronic copies of the Ocean, Warehouse or EPLI policy.
Here is the Package and Umbrella,
and a copy of the most recent schedule.
ALINA Prater,
==========
Date: Mon, 26 Nov 2012 02:26:33 +0300
From: ALISHIADBSukwQEf@aol.com
Subject: RE: ALISHIA - Copies of Policies.
Unfortunately, I cannot obtain electronic copies of the Ocean, Warehouse or EPLI policy.
Here is the Package and Umbrella,
and a copy of the most recent schedule.
ALISHIA Gee,
==========
From: accounting@victimdomain.com
Sent: 26 November 2012 08:42
Subject: RE: MARCELLE - Copies of Policies.
Unfortunately, I cannot obtain electronic copies of the Ocean, Warehouse or EPLI policy.
Here is the Package and Umbrella,
and a copy of the most recent schedule.
MARCELLE SPENCE,
==========
From: accounting@victimdomain.com
Sent: 26 November 2012 07:54
Subject: RE: KASSIE - Copies of Policies.
Unfortunately, I cannot obtain electronic copies of the Ocean, Warehouse or EPLI policy.
Here is the Package and Umbrella,
and a copy of the most recent schedule.
KASSIE ROMANO,
The malicious payload is at [donotclick]ganiopatia.ru:8080/forum/links/column.php hosted on the following IPs:
202.180.221.186 (GNet, Mongolia)
203.80.16.81 (MYREN, Malaysia)
208.87.243.131 (Psychz Networks, US)
Note that ganalionomka.ru is also on the same cluster of servers and will also be malicious. These IP addresses have been used for malware several times, blocking access to them would be a good idea.
Friday, 23 November 2012
Malware sites to blog 23/11/12 - Part 2
Some more bad domains, closely related to this malicious spam run, spotted at the GFI blog, hosted on 192.155.83.191 (Linode, US)
192.155.83.191
5.estasiatica.com
5.finesettimana.com
5.italycook.com
5.hdsfm.com
5.eventiduepuntozero.com
5.finesettimana.net
192.155.83.191
5.estasiatica.com
5.finesettimana.com
5.italycook.com
5.hdsfm.com
5.eventiduepuntozero.com
5.finesettimana.net
Malware sites to block 23/11/12
This bunch of IPs and domains are being used in a series of fairly well-targeted attacks involving malicious spam messages that look like they come from real financial organisations (such as this one). The payload is apparently "Ponyloader".
The domains seem to be legitimate but hacked, and in some cases the server infrastructure also looks like it is something legitimate that has been taken over by the bad guys. However, the chances are that you are more likely to see these sites as the result of a malicious spam run rather than anything else, and you should consider blocking them.
Malware servers:
50.116.16.118 (Bluehost, US)
64.94.101.200 (Nuclear Fallout Enterprises, US)
69.194.194.216 (Solar VPS, US)
70.42.74.152 (Nuclear Fallout Enterprises, US)
94.76.235.199 (Simply Transit, UK)
173.246.103.59 (Gandi, US)
173.246.103.112 (Gandi, US)
173.246.103.124 (Gandi, US)
173.246.103.184 (Gandi, US)
173.246.104.21 (Gandi, US)
174.140.168.143 (DirectSpace Networks, US)
198.74.52.86 (Linode, US)
209.188.0.118 (Secured Servers, US / Jolly Works Hosting, Philippines)
Plain list of IPs for copy-and-pasting:
50.116.16.118
64.94.101.200
69.194.194.216
70.42.74.152
94.76.235.199
173.246.103.59
173.246.103.112
173.246.103.124
173.246.103.184
173.246.104.21
174.140.168.143
198.74.52.86
209.188.0.118
Apparently malicious domains and subdomains:
50.116.16.118 (Bluehost, US)
64.94.101.200 (Nuclear Fallout Enterprises, US)
69.194.194.216 (Solar VPS, US)
70.42.74.152 (Nuclear Fallout Enterprises, US)
94.76.235.199 (Simply Transit, UK)
173.246.103.59 (Gandi, US)
173.246.103.112 (Gandi, US)
173.246.103.124 (Gandi, US)
173.246.103.184 (Gandi, US)
173.246.104.21 (Gandi, US)
174.140.168.143 (Gandi, US)
198.74.52.86 (Linode, US)
209.188.0.118 (Secured Servers, US)
1.alikeword.com
1.basicwheel.com
1.bigbroshark.net
1.blueseadolphin.net
1.callteamverve.com
1.connectedwheel.com
1.forrest-lake.info
1.killerwheel.com
1.lake-forrest.com
1.lake-forrest.info
1.lake-forrest.net
1.lowcowroller.com
1.lowcowroller.net
1.metallbeaar.net
1.rabbitharky.com
1.rabbitharky.net
1.roboxanger.net
2.5900bracknell.info
2.alikeword.com
2.allenpremierhomes.com
2.aloeups.com
2.alohevera.com
2.basicwheel.com
2.bigbroshark.net
2.blueseadolphin.net
2.boxanh.com
2.callteamverve.com
2.carrollton-realestate.com
2.connectedwheel.com
2.forrest-lake.info
2.frommyhousetoyours.com
2.killerwheel.com
2.lake-forrest.com
2.lake-forrest.info
2.lake-forrest.net
2.lowcowroller.com
2.lowcowroller.net
2.metallbeaar.net
2.pacbancwholesale.com
2.pacificbancwholesale.com
2.rabbitharky.com
2.rabbitharky.net
2.refiinc.com
2.roboxanger.net
2.taxreliefofamerica.com
2.webdedang.com
2.webdedang.net
2.wholesalepbm.com
2.zerocostfha.com
2.zfhaloan.com
3.alikeword.com
3.amandahuynh.com
3.basicwheel.com
3.bigbroshark.net
3.bluepointmortgage.com
3.blueseadolphin.net
3.callteamverve.com
3.connectedwheel.com
3.coolerpillow.com
3.directfhafunding.com
3.forrest-lake.info
3.gutterkings.biz
3.helpmemodify.com
3.insulkings.com
3.killerwheel.com
3.lake-forrest.com
3.lake-forrest.info
3.lake-forrest.net
3.lowcowroller.com
3.lowcowroller.net
3.markmatta.com
3.metallbeaar.net
3.rabbitharky.com
3.rabbitharky.net
3.roboxanger.net
4.alikeword.com
4.androidislamic.com
4.basicwheel.com
4.bigbroshark.net
4.blueseadolphin.net
4.callteamverve.com
4.collecorvino.org
4.connectedwheel.com
4.dlevo.com
4.forrest-lake.info
4.habitacoesferiasacores.com
4.icedambusters.net
4.icedambusters.org
4.insul-king.com
4.insulking.org
4.insul-king.org
4.insul-kings.org
4.islamicandroid.com
4.islamicmid.com
4.islamictab.com
4.killerwheel.com
4.lake-forrest.com
4.lake-forrest.info
4.lake-forrest.net
4.lowcowroller.com
4.lowcowroller.net
4.lowellgeneralcarjacking.com
4.lowellgeneralhospitalcarjacking.com
4.lowellgeneralhospitalcarjacking.net
4.metallbeaar.net
4.rabbitharky.com
4.rabbitharky.net
4.roboxanger.net
5.alikeword.com
5.attilacrm.com
5.basicwheel.com
5.bigbroshark.net
5.bitwin.com
5.blueseadolphin.net
5.callteamverve.com
5.connectedwheel.com
5.forrest-lake.info
5.killerwheel.com
5.lake-forrest.com
5.lake-forrest.info
5.lake-forrest.net
5.lowcowroller.com
5.lowcowroller.net
5.metallbeaar.net
5.rabbitharky.com
5.rabbitharky.net
5.roboxanger.net
6.alikeword.com
6.alohevera.com
6.basicwheel.com
6.bigbroshark.net
6.blueseadolphin.net
6.callteamverve.com
6.connectedwheel.com
6.fionabuchanan.com
6.forevergreen.us.com
6.forrest-lake.info
6.grapafood.com
6.hotels-rooms.com
6.incidentalrecruitment.com
6.killerwheel.com
6.lake-forrest.com
6.lake-forrest.info
6.lake-forrest.net
6.lowcowroller.com
6.lowcowroller.net
6.metallbeaar.net
6.negutterking.org
6.negutterkings.biz
6.negutterkings.info
6.negutterkings.net
6.negutterkings.org
6.nomoreicedams.com
6.nomoreicedams.net
6.rabbitharky.com
6.rabbitharky.net
6.roboxanger.net
7.alikeword.com
7.basicwheel.com
7.bigbroshark.net
7.blueseadolphin.net
7.callteamverve.com
7.connectedwheel.com
7.forrest-lake.info
7.killerwheel.com
7.lake-forrest.com
7.lake-forrest.info
7.lake-forrest.net
7.lowcowroller.com
7.lowcowroller.net
7.metallbeaar.net
7.rabbitharky.com
7.rabbitharky.net
7.roboxanger.net
8.alikeword.com
8.aloeventures.com
8.aloeverasoftdrinks.com
8.aloevirgin.com
8.basicwheel.com
8.bigbroshark.net
8.blueseadolphin.net
8.cafesexcelentes.com
8.callteamverve.com
8.connectedwheel.com
8.corporatemodeler.com
8.elbancodelospobres.com
8.foodex.us
8.forrest-lake.info
8.joanvaldez.com
8.killerwheel.com
8.klipette.com
8.koguis.com
8.lake-forrest.com
8.lake-forrest.info
8.lake-forrest.net
8.lowcowroller.com
8.lowcowroller.net
8.metallbeaar.net
8.rabbitharky.com
8.rabbitharky.net
8.roboxanger.net
9.alikeword.com
9.basicwheel.com
9.bigbroshark.net
9.blueseadolphin.net
9.bohmamei.com
9.boondocksdistillery.com
9.callteamverve.com
9.connectedwheel.com
9.forrest-lake.info
9.hclinstitute.com
9.i-am-a-pussy.com
9.killerwheel.com
9.lake-forrest.com
9.lake-forrest.info
9.lake-forrest.net
9.lowcowroller.com
9.lowcowroller.net
9.metallbeaar.net
9.rabbitharky.com
9.rabbitharky.net
9.roboxanger.net
alikeword.com
app-market.it
basicwheel.com
bigbroshark.com
bigbroshark.net
blueseadolphin.com
blueseadolphin.net
callteamverve.com
connectedwheel.com
forrest-lake.info
killerwheel.com
lake-forrest.com
lake-forrest.info
lake-forrest.net
lowcowroller.com
lowcowroller.net
maxiwheel.com
metallbeaar.com
metallbeaar.net
rabbitharky.com
rabbitharky.net
roboxanger.net
selfwheel.com
subwheel.com
Or if you just want to block domains rather than subdomains:
alikeword.com
app-market.it
basicwheel.com
bigbroshark.com
bigbroshark.net
blueseadolphin.com
blueseadolphin.net
callteamverve.com
connectedwheel.com
forrest-lake.info
killerwheel.com
lake-forrest.com
lake-forrest.info
lake-forrest.net
lowcowroller.com
lowcowroller.net
maxiwheel.com
metallbeaar.com
metallbeaar.net
rabbitharky.com
rabbitharky.net
roboxanger.net
selfwheel.com
subwheel.com
The domains seem to be legitimate but hacked, and in some cases the server infrastructure also looks like it is something legitimate that has been taken over by the bad guys. However, the chances are that you are more likely to see these sites as the result of a malicious spam run rather than anything else, and you should consider blocking them.
Malware servers:
50.116.16.118 (Bluehost, US)
64.94.101.200 (Nuclear Fallout Enterprises, US)
69.194.194.216 (Solar VPS, US)
70.42.74.152 (Nuclear Fallout Enterprises, US)
94.76.235.199 (Simply Transit, UK)
173.246.103.59 (Gandi, US)
173.246.103.112 (Gandi, US)
173.246.103.124 (Gandi, US)
173.246.103.184 (Gandi, US)
173.246.104.21 (Gandi, US)
174.140.168.143 (DirectSpace Networks, US)
198.74.52.86 (Linode, US)
209.188.0.118 (Secured Servers, US / Jolly Works Hosting, Philippines)
Plain list of IPs for copy-and-pasting:
50.116.16.118
64.94.101.200
69.194.194.216
70.42.74.152
94.76.235.199
173.246.103.59
173.246.103.112
173.246.103.124
173.246.103.184
173.246.104.21
174.140.168.143
198.74.52.86
209.188.0.118
Apparently malicious domains and subdomains:
50.116.16.118 (Bluehost, US)
64.94.101.200 (Nuclear Fallout Enterprises, US)
69.194.194.216 (Solar VPS, US)
70.42.74.152 (Nuclear Fallout Enterprises, US)
94.76.235.199 (Simply Transit, UK)
173.246.103.59 (Gandi, US)
173.246.103.112 (Gandi, US)
173.246.103.124 (Gandi, US)
173.246.103.184 (Gandi, US)
173.246.104.21 (Gandi, US)
174.140.168.143 (Gandi, US)
198.74.52.86 (Linode, US)
209.188.0.118 (Secured Servers, US)
1.alikeword.com
1.basicwheel.com
1.bigbroshark.net
1.blueseadolphin.net
1.callteamverve.com
1.connectedwheel.com
1.forrest-lake.info
1.killerwheel.com
1.lake-forrest.com
1.lake-forrest.info
1.lake-forrest.net
1.lowcowroller.com
1.lowcowroller.net
1.metallbeaar.net
1.rabbitharky.com
1.rabbitharky.net
1.roboxanger.net
2.5900bracknell.info
2.alikeword.com
2.allenpremierhomes.com
2.aloeups.com
2.alohevera.com
2.basicwheel.com
2.bigbroshark.net
2.blueseadolphin.net
2.boxanh.com
2.callteamverve.com
2.carrollton-realestate.com
2.connectedwheel.com
2.forrest-lake.info
2.frommyhousetoyours.com
2.killerwheel.com
2.lake-forrest.com
2.lake-forrest.info
2.lake-forrest.net
2.lowcowroller.com
2.lowcowroller.net
2.metallbeaar.net
2.pacbancwholesale.com
2.pacificbancwholesale.com
2.rabbitharky.com
2.rabbitharky.net
2.refiinc.com
2.roboxanger.net
2.taxreliefofamerica.com
2.webdedang.com
2.webdedang.net
2.wholesalepbm.com
2.zerocostfha.com
2.zfhaloan.com
3.alikeword.com
3.amandahuynh.com
3.basicwheel.com
3.bigbroshark.net
3.bluepointmortgage.com
3.blueseadolphin.net
3.callteamverve.com
3.connectedwheel.com
3.coolerpillow.com
3.directfhafunding.com
3.forrest-lake.info
3.gutterkings.biz
3.helpmemodify.com
3.insulkings.com
3.killerwheel.com
3.lake-forrest.com
3.lake-forrest.info
3.lake-forrest.net
3.lowcowroller.com
3.lowcowroller.net
3.markmatta.com
3.metallbeaar.net
3.rabbitharky.com
3.rabbitharky.net
3.roboxanger.net
4.alikeword.com
4.androidislamic.com
4.basicwheel.com
4.bigbroshark.net
4.blueseadolphin.net
4.callteamverve.com
4.collecorvino.org
4.connectedwheel.com
4.dlevo.com
4.forrest-lake.info
4.habitacoesferiasacores.com
4.icedambusters.net
4.icedambusters.org
4.insul-king.com
4.insulking.org
4.insul-king.org
4.insul-kings.org
4.islamicandroid.com
4.islamicmid.com
4.islamictab.com
4.killerwheel.com
4.lake-forrest.com
4.lake-forrest.info
4.lake-forrest.net
4.lowcowroller.com
4.lowcowroller.net
4.lowellgeneralcarjacking.com
4.lowellgeneralhospitalcarjacking.com
4.lowellgeneralhospitalcarjacking.net
4.metallbeaar.net
4.rabbitharky.com
4.rabbitharky.net
4.roboxanger.net
5.alikeword.com
5.attilacrm.com
5.basicwheel.com
5.bigbroshark.net
5.bitwin.com
5.blueseadolphin.net
5.callteamverve.com
5.connectedwheel.com
5.forrest-lake.info
5.killerwheel.com
5.lake-forrest.com
5.lake-forrest.info
5.lake-forrest.net
5.lowcowroller.com
5.lowcowroller.net
5.metallbeaar.net
5.rabbitharky.com
5.rabbitharky.net
5.roboxanger.net
6.alikeword.com
6.alohevera.com
6.basicwheel.com
6.bigbroshark.net
6.blueseadolphin.net
6.callteamverve.com
6.connectedwheel.com
6.fionabuchanan.com
6.forevergreen.us.com
6.forrest-lake.info
6.grapafood.com
6.hotels-rooms.com
6.incidentalrecruitment.com
6.killerwheel.com
6.lake-forrest.com
6.lake-forrest.info
6.lake-forrest.net
6.lowcowroller.com
6.lowcowroller.net
6.metallbeaar.net
6.negutterking.org
6.negutterkings.biz
6.negutterkings.info
6.negutterkings.net
6.negutterkings.org
6.nomoreicedams.com
6.nomoreicedams.net
6.rabbitharky.com
6.rabbitharky.net
6.roboxanger.net
7.alikeword.com
7.basicwheel.com
7.bigbroshark.net
7.blueseadolphin.net
7.callteamverve.com
7.connectedwheel.com
7.forrest-lake.info
7.killerwheel.com
7.lake-forrest.com
7.lake-forrest.info
7.lake-forrest.net
7.lowcowroller.com
7.lowcowroller.net
7.metallbeaar.net
7.rabbitharky.com
7.rabbitharky.net
7.roboxanger.net
8.alikeword.com
8.aloeventures.com
8.aloeverasoftdrinks.com
8.aloevirgin.com
8.basicwheel.com
8.bigbroshark.net
8.blueseadolphin.net
8.cafesexcelentes.com
8.callteamverve.com
8.connectedwheel.com
8.corporatemodeler.com
8.elbancodelospobres.com
8.foodex.us
8.forrest-lake.info
8.joanvaldez.com
8.killerwheel.com
8.klipette.com
8.koguis.com
8.lake-forrest.com
8.lake-forrest.info
8.lake-forrest.net
8.lowcowroller.com
8.lowcowroller.net
8.metallbeaar.net
8.rabbitharky.com
8.rabbitharky.net
8.roboxanger.net
9.alikeword.com
9.basicwheel.com
9.bigbroshark.net
9.blueseadolphin.net
9.bohmamei.com
9.boondocksdistillery.com
9.callteamverve.com
9.connectedwheel.com
9.forrest-lake.info
9.hclinstitute.com
9.i-am-a-pussy.com
9.killerwheel.com
9.lake-forrest.com
9.lake-forrest.info
9.lake-forrest.net
9.lowcowroller.com
9.lowcowroller.net
9.metallbeaar.net
9.rabbitharky.com
9.rabbitharky.net
9.roboxanger.net
alikeword.com
app-market.it
basicwheel.com
bigbroshark.com
bigbroshark.net
blueseadolphin.com
blueseadolphin.net
callteamverve.com
connectedwheel.com
forrest-lake.info
killerwheel.com
lake-forrest.com
lake-forrest.info
lake-forrest.net
lowcowroller.com
lowcowroller.net
maxiwheel.com
metallbeaar.com
metallbeaar.net
rabbitharky.com
rabbitharky.net
roboxanger.net
selfwheel.com
subwheel.com
Or if you just want to block domains rather than subdomains:
alikeword.com
app-market.it
basicwheel.com
bigbroshark.com
bigbroshark.net
blueseadolphin.com
blueseadolphin.net
callteamverve.com
connectedwheel.com
forrest-lake.info
killerwheel.com
lake-forrest.com
lake-forrest.info
lake-forrest.net
lowcowroller.com
lowcowroller.net
maxiwheel.com
metallbeaar.com
metallbeaar.net
rabbitharky.com
rabbitharky.net
roboxanger.net
selfwheel.com
subwheel.com
Something evil on 5.135.192.16/30
It looks like there are a set of exploit sites in the range 5.135.192.16/30 serving up TrueType exploits (such as CVE-2011-3402) which is being pushed by a malicious URL at [donotclick]mwko.zsomteltepngs.info/40c0dee71a9b9d715539b7d56c3d5f23.eot . The potentially malicious sites in this range include:
10bloodek.info
1bloodek.info
5helnima.net
anotepad.info
asomteltepngs.info
jhqp.bcodec.info
ksmuaelteory.net
mwko.zsomteltepngs.info
osmuaelteory.net
psmuaelteory.net
qfgc.hlegolaj.net
qsomteltepngs.info
rsomelostell.net
shelnima.net
whelnima.net
xsomteltepngs.info
ysomteltepngs.info
zbav.hsomteltepngs.info
If you're interesting in blocking whole domains rather than subdomains then here's a list you can use:
10bloodek.info
1bloodek.info
5helnima.net
anotepad.info
asomteltepngs.info
bcodec.info
hlegolaj.net
hsomteltepngs.info
ksmuaelteory.net
osmuaelteory.net
psmuaelteory.net
qsomteltepngs.info
rsomelostell.net
shelnima.net
whelnima.net
xsomteltepngs.info
ysomteltepngs.info
zsomteltepngs.info
The netblock is controlled by OVH, but suballocated:
organisation: ORG-AL263-RIPE
org-name: Anton Legaev
org-type: OTHER
address: Ukraine, 61033, Kharkiv, Sadovo-Naveregnaja 21-1
abuse-mailbox: angelesgower@inbox.com
phone: +3.809287783621
mnt-ref: OVH-MNT
mnt-by: OVH-MNT
source: RIPE # Filtered
Blocking access to this (small) IP range and/or these domains should offer some protection, although the best bet is to make sure that your user PCs are fully patched at all times.
10bloodek.info
1bloodek.info
5helnima.net
anotepad.info
asomteltepngs.info
jhqp.bcodec.info
ksmuaelteory.net
mwko.zsomteltepngs.info
osmuaelteory.net
psmuaelteory.net
qfgc.hlegolaj.net
qsomteltepngs.info
rsomelostell.net
shelnima.net
whelnima.net
xsomteltepngs.info
ysomteltepngs.info
zbav.hsomteltepngs.info
If you're interesting in blocking whole domains rather than subdomains then here's a list you can use:
10bloodek.info
1bloodek.info
5helnima.net
anotepad.info
asomteltepngs.info
bcodec.info
hlegolaj.net
hsomteltepngs.info
ksmuaelteory.net
osmuaelteory.net
psmuaelteory.net
qsomteltepngs.info
rsomelostell.net
shelnima.net
whelnima.net
xsomteltepngs.info
ysomteltepngs.info
zsomteltepngs.info
The netblock is controlled by OVH, but suballocated:
organisation: ORG-AL263-RIPE
org-name: Anton Legaev
org-type: OTHER
address: Ukraine, 61033, Kharkiv, Sadovo-Naveregnaja 21-1
abuse-mailbox: angelesgower@inbox.com
phone: +3.809287783621
mnt-ref: OVH-MNT
mnt-by: OVH-MNT
source: RIPE # Filtered
Blocking access to this (small) IP range and/or these domains should offer some protection, although the best bet is to make sure that your user PCs are fully patched at all times.
Labels:
Evil Network,
OVH,
Ukraine
"Changlog 10.2011" spam / efaxinok.ru
Date: Fri, 23 Nov 2012 10:14:22 +0600The victim is enticed to click on the attachment which leads to a malicious payload on [donotclick]efaxinok.ru:8080/forum/links/column.php hosted on the following IPs:
From: "Contact" [customer-notification@ups.com]
Subject: Re: Changlog 10.2011
Attachments: changelog-212.htm
Good morning,
as promised changelog (Internet Explorer File)
202.180.221.186
203.80.16.81
208.87.243.131
216.24.196.66
These are the same IPs as used in this attack yesterday, and it forms part of a long-running malcious spam run which appears to have been going on forever. Of note, there's a new domain in this cluster of delemiator.ru which I haven't seen yet being used in a malicious spam run, but it probably will be.
Thursday, 22 November 2012
Facebook spam / ceredinopl.ru
This fake Facebook (or is it Habbo?) spam leads to malware on ceredinopl.ru:
202.180.221.186 (GNet, Mongolia)
203.80.16.81 (MYREN, Malaysia)
208.87.243.131 (Psychz Networks, US)
216.24.196.66 (Psychz Networks, US)
The following IPs and domains are all connected:
202.180.221.186
203.80.16.81
208.87.243.131
216.24.196.66
ceredinopl.ru
investinindia.ru
hamasutra.ru
feronialopam.ru
monacofrm.ru
bamanaco.ru
ionalio.ru
investomanio.ru
veneziolo.ru
fanatiaono.ru
analunakis.ru
Date: Thu, 22 Nov 2012 01:30:38 -0700The malicious payload is at [donotclick]ceredinopl.ru:8080/forum/links/column.php hosted on the following IPs:
From: Habbo Hotel [auto-contact@habbo.com]
Subject: You have notifications pending
Hi,
Here's some activity you may have missed on Facebook.
REFUGIA MERRILL has posted statuses, photos and more on Facebook.
Go To Facebook
See All Notifications
This message was sent to [redacted]. If you don't want to receive these emails from Facebook in the future or have your email address used for friend suggestions, please click: unsubscribe.
Facebook, Inc. Attention: Department 415 P.O Box 10005 Palo Alto CA 94303
202.180.221.186 (GNet, Mongolia)
203.80.16.81 (MYREN, Malaysia)
208.87.243.131 (Psychz Networks, US)
216.24.196.66 (Psychz Networks, US)
The following IPs and domains are all connected:
202.180.221.186
203.80.16.81
208.87.243.131
216.24.196.66
ceredinopl.ru
investinindia.ru
hamasutra.ru
feronialopam.ru
monacofrm.ru
bamanaco.ru
ionalio.ru
investomanio.ru
veneziolo.ru
fanatiaono.ru
analunakis.ru
Malware sites to block 22/11/12
This is part of a newish cluster of malware sites being promoted through finance related spam, spotted by GFI Labs here and on this blog here.
50.61.155.86 (Fortress ITX,US)
69.194.196.5 (Solar VPS, US)
70.42.74.152 (Nuclear Fallout Enterprises, US)
173.246.103.112 (Gandi, US)
192.155.83.186 (Linode, US)
192.155.83.191 (Linode, US)
198.74.53.207 (Linode, US)
Plain list of IPs and domains for copy-and-pasting:
5.estasiatica.com
5.chinottoneri.com
6.grapainterfood.com
6.grapaimport.com
6.grapafood.com
6.pascesoir.net
50.61.155.86
69.194.196.5
70.42.74.152
173.246.103.112
192.155.83.186
192.155.83.191
198.74.53.207
50.61.155.86 (Fortress ITX,US)
69.194.196.5 (Solar VPS, US)
70.42.74.152 (Nuclear Fallout Enterprises, US)
173.246.103.112 (Gandi, US)
192.155.83.186 (Linode, US)
192.155.83.191 (Linode, US)
198.74.53.207 (Linode, US)
Plain list of IPs and domains for copy-and-pasting:
5.estasiatica.com
5.chinottoneri.com
6.grapainterfood.com
6.grapaimport.com
6.grapafood.com
6.pascesoir.net
50.61.155.86
69.194.196.5
70.42.74.152
173.246.103.112
192.155.83.186
192.155.83.191
198.74.53.207
Tuesday, 20 November 2012
5.estasiatica.com / 66.228.57.248
It looks like another variant of this malicious spam run could be brewing on 5.estasiatica.com / 66.228.57.248 (Linode, US). A bit of pre-emptive blocking might be in order..
BLNX.L shares takes a dump
I've covered Blinkx (BLNX.L) before, and you can say that I'm not a fan of the company, the way it does business or its ethical stance.
So it's quite amusing to see Blinx shares take a dump and drop 10% today. Why? Because of their associate with Michael Richard Lynch, a director of Blinkx and also former CEO of Autonomy Corporation, who finds himself in the centre of a massive row with new owners HP. HP have written off 87% of the value of their acquisition over alleged false accounting practices.
Presumably BLNX.L shareholders are worried that some of the toxic effects of this meltdown will also impact them. If these as-yet unproven allegations prove true, then who knows..
So it's quite amusing to see Blinx shares take a dump and drop 10% today. Why? Because of their associate with Michael Richard Lynch, a director of Blinkx and also former CEO of Autonomy Corporation, who finds himself in the centre of a massive row with new owners HP. HP have written off 87% of the value of their acquisition over alleged false accounting practices.
Presumably BLNX.L shareholders are worried that some of the toxic effects of this meltdown will also impact them. If these as-yet unproven allegations prove true, then who knows..
"Don't forget about meeting tomorrow" spam / hamasutra.ru
From: Lula Stevens [mailto:JolieWright@shaw.ca]
Sent: 20 November 2012 05:57
Subject: Don't forget about meeting tomorrow
Don't forget this report for meeting tomorrow.
See attached file. (Internet Explorer file)
In the sample I have seen, there is an attachment called Report.htm with some obfuscated javascript leading to a malicious payload at [donotclick]hamasutra.ru:8080/forum/links/column.php hosted on the following IPs:
82.165.193.26 (1&1, Germany)
202.180.221.186 (GNet, Mongolia)
203.80.16.81 (MYREN, Malaysia)
216.24.196.66 (Psychz Networks, US)
Plain list:
82.165.193.26
202.180.221.186
203.80.16.81
216.24.196.66
Malware sites to block 20/11/12
This summary is not available. Please
click here to view the post.
Labels:
Evil Network,
Leaseweb,
Malware,
Netherlands,
OVH,
Russia,
Serverius,
TheFirst-RU
Monday, 19 November 2012
"Southwest Airlines" spam / headerandfooterprebuilt.pro
Date: Mon, 19 Nov 2012 19:33:04 +0000
From: "Southwest Airlines" [no-reply@luv.southwest.com]
To: [redacted]
Subject: Southwest Airlines Confirmation: 5927NI
[redacted] 2012-11-19 86KY9Z INITIAL SLC WN PHX0.00T/TFF 0.00 END AY3.50$SLC2.50 1445164773311 2013-11-22 1655 2012-11-20 Depart SAN LEONARD CITY UT (SLC) at 8:08 PM on Southwest Airlines Arrive in PHOENIX AZ (PHX) at 9:02 PM
You're all set for your traveling!
My Account | Review My Itinerary Online
Check Up Online | Check Flight Status | Change Flight | Special Offers | Hotel Deals | Car Deals
Ready for lift-off!
Thanks Southwest for your travel! You can find everything you need to know about your booking below. Happy voyage!
Upcoming Cruise: 11/20/12 - SLC - Phx Knight
The malicious payload is at [donotclick]headerandfooterprebuilt.pro/detects/quality_flyes-ticket_check.php hosted on 198.27.94.80 (OVH, US). There are probably other Bad Things on that IP address, I just can't see them yet.. blocking it would be a good precaution.
Subscribe to:
Posts (Atom)