Sponsored by..

Friday, 11 January 2013

"Payroll Account Holded by Intuit" spam / dmeiweilik.ru

This fake Intuit (or LinkedIn?) spam leads to malware on dmeiweilik.ru:


Date:      Fri, 11 Jan 2013 06:23:41 +0100
From:      LinkedIn Password [password@linkedin.com]
Subject:      Payroll Account Holded by Intuit


Direct Deposit Service Informer
Communicatory Only

We cancelled your payroll on Fri, 11 Jan 2013 06:23:41 +0100.

    Finances would be gone away from below account # ending in 0198 on Fri, 11 Jan 2013 06:23:41 +0100
    amount to be seceded: 8057 USD
    Paychecks would be procrastinated to your personnel accounts on: Fri, 11 Jan 2013 06:23:41 +0100
    Log In to Review Operation


Funds are typically left before working banking hours so please make sure you have enough Finances accessible by 12 a.m. on the date Cash are to be seceded.

Intuit must reject your payroll by 4 p.m. Central time, two banking days before your paycheck date or your state would not be paid on time.
QuickBooks does not process payrolls on weekends or federal banking holidays. A list of federal banking holidays can be viewed at the Federal Reserve website.

Thank you for your business.

Regards,
Intuit Payroll Services

====================



From: messages-noreply@bounce.linkedin.com [mailto:messages-noreply@bounce.linkedin.com] On Behalf Of Lilianna Grimes via LinkedIn
Sent: 10 January 2013 21:04
Subject: Payroll Account Holded by Intuit


Direct Deposit Service Informer
Communicatory Only

We cancelled your payroll on Fri, 11 Jan 2013 02:03:33 +0500.
•    Finances would be gone away from below account # ending in 8913 on Fri, 11 Jan 2013 02:03:33 +0500
•    amount to be seceded: 9567 USD
•    Paychecks would be procrastinated to your personnel accounts on: Fri, 11 Jan 2013 02:03:33 +0500
•    Log In to Review Operation

Funds are typically left before working banking hours so please make sure you have enough Finances accessible by 12 a.m. on the date Cash are to be seceded.

Intuit must reject your payroll by 4 p.m. Central time, two banking days before your paycheck date or your state would not be paid on time.
QuickBooks does not process payrolls on weekends or federal banking holidays. A list of federal banking holidays can be viewed at the Federal Reserve website.

Thank you for your business.

Regards,
Intuit Payroll Services


The malicious payload is at [donotclick]dmeiweilik.ru:8080/forum/links/column.php hosted on the same IPs as in this attack:

91.224.135.20 (Proservis UAB, Lithunia)
187.85.160.106 (Ksys Soluções Web, Brazil)
212.112.207.15 (ip4 GmbH, Germany)

The following IPs and domains are related and should be blocked:
91.224.135.20
187.85.160.106
212.112.207.15
belnialamsik.ru
demoralization.ru
dimanakasono.ru
bananamamor.ru
dmeiweilik.ru

Changelog spam / dimanakasono.ru

This fake "Changelog" spam leads to malware on dimanakasono.ru:

From: Ashley Madison [mailto:donotreply@ashleymadison.com]
Sent: 10 January 2013 08:25
Subject: Re: Fwd: Changelog as promised(updated)

Hi,


changelog update - View

L. Cook
The malicious payload is at [donotclick]dimanakasono.ru:8080/forum/links/column.php hosted on the following IPs:

91.224.135.20 (Proservis UAB, Lithunia)
187.85.160.106 (Ksys Soluções Web, Brazil)
212.112.207.15 (ip4 GmbH, Germany)

The following IPs and domains are related and should be blocked:
91.224.135.20
187.85.160.106
212.112.207.15
belnialamsik.ru
demoralization.ru
dimanakasono.ru
bananamamor.ru

Thursday, 10 January 2013

ADP spam / tetraboro.net and advertizing*.com

This fake ADP spam leads to malware on tetraboro.net. It contains some errors, one of which is the subject line just says "adp_subj" rather than having been filled out properly. The most amusing one is the reference to "business butty" which presumably is some sort of sandwich.

Date:      Thu, 10 Jan 2013 17:48:09 +0200 [10:48:09 EST]
From:      "ADPClientServices@adp.com" [ADPClientServices@adp.com]
Subject:      adp_subj


ADP Urgent Note

Note No.: 33469

Respected ADP Consumer January, 9 2013

Your Processed Payroll Record(s) have been uploaded to the web site:

Click here to Sign In

Please take a look at the following details:

•   Please note that your bank account will be debited within one banking day for the amount(s) specified on the Protocol(s).

� Please don't reply to this message. auomatic informational system not configured to accept incoming mail. Please Contact your ADP Benefits Specialist.

This notification was sent to current clients in your company that approach ADP Netsecure.

As general, thank you for choosing ADP as your business butty!

Ref: 33469

The malicious payload is on [donotclick]tetraboro.net/detects/coming_lost-source.php hosted on 222.238.109.66 (Hanaro Telecom, Korea). A quick look indicates a number of related malicious domains and IPs, including advertizing1.com through to advertizing9.com. All of these should be blocked.

5.135.90.19 (OVH, France - suballocated to premiervps.net, UK)
91.227.220.121 (VooServers, UK)
94.102.55.23 (Ecatel, Netherlands)
119.78.243.16 (China Science & Technology Network, China)
198.144.191.50 (New Wave Netconnect, US)
199.233.233.232 (Quickpacket, US)
203.1.6.211 (China Telecom, China)
222.238.109.66 (Hanaro Telecom, Korea)

Plain list:
advertizing1.com
advertizing2.com
advertizing3.com
advertizing4.com
advertizing5.com
advertizing6.com
advertizing7.com
advertizing8.com
advertizing9.com
cookingcarlog.ne
hotelrosaire.net
richbergs.com
royalwinnipegballet.net
tetraboro.net
5.135.90.19
91.227.220.121
94.102.55.23
119.78.243.16
198.144.191.50
199.233.233.232
203.1.6.211
222.238.109.66

Wednesday, 9 January 2013

BBB spam / hotelrosaire.net

This fake BBB spam leads to malware on hotelrosaire.net:

Date:      Wed, 9 Jan 2013 09:21:32 -0600 [10:21:32 EST]
From:      Better Business Bureau <complaint@bbb.org>
Subject:      BBB notification regarding your  cliente's pretense No. 62850348

Better Business Bureau ©
Start With Trust �

Tue, 8 Jan 2013

RE: Complaint N. 62850348

[redacted]

The Better Business Bureau has been booked the above said complaint from one of your users in regard to their business contacts with you. The detailed description of the consumer's anxiety are available for review at a link below. Please give attention to this problem and inform us about your sight as soon as possible.

We pleasantly ask you to click and review the APPEAL REPORT to respond on this claim letter.

We awaits to your prompt reaction.

Yours respectfully
Liam Barnes
Dispute Consultant
Better Business Bureau

Better Business Bureau
3053   Wilson Blvd, Suite 600   Arlington, VA 25501
Phone: 1 (703) 276.0100   Fax: 1 (703) 525.8277


This note was sent to [redacted]. Don't want to receive these emails anymore? You can unsubscribe

==========================

Date:      Wed, 9 Jan 2013 23:21:42 +0800 [10:21:42 EST]
From:      Better Business Bureau <donotreply@bbb.org>
Subject:      BBB  Complaint No. C1343110

Better Business Bureau ©
Start With Trust ©

Tue, 8 Jan 2013

RE: Case No. C1343110

[redacted]

The Better Business Bureau has been booked the above mentioned complaint from one of your clients as regards their business relations with you. The information about the consumer's anxiety are available for review at a link below. Please pay attention to this question and inform us about your glance as soon as possible.

We pleasantly ask you to overview the COMPLAINT REPORT to reply on this grievance.

We are looking forward to your prompt reaction.

Yours respectfully
Hunter Gomez
Dispute Counselor
Better Business Bureau

Better Business Bureau
3053   Wilson Blvd, Suite 600   Arlington, VA 22801
Phone: 1 (703) 276.0100   Fax: 1 (703) 525.8277


This message was sent to [redacted]. Don't want to receive these emails anymore? You can unsubscribe 

The malicious payload is on [donotclick]hotelrosaire.net/detects/keyboard_ones-piece-ring.php hosted on 64.120.177.139 (HostNOC, US) which also hosts royalwinnipegballet.net which was seen in another BBB spam run yesterday.

ADP spam / demoralization.ru

This fake ADP spam leads to malware on demoralization.ru:

Date:      Wed, 9 Jan 2013 04:23:03 -0600
From:      Habbo Hotel [auto-contact@habbo.com]
Subject:      ADP Immediate Notification

ADP Immediate Notification
Reference #: 948284271

Wed, 9 Jan 2013 04:23:03 -0600
Dear ADP Client

Your Transfer Record(s) have been created at the web site:

https://www.flexdirect.adp.com/client/login.aspx

Please see the following notes:

    Please note that your bank account will be debited within one banking business day for the amount(s) shown on the report(s).
    Please do not respond or reply to this automated e-mail. If you have any questions or comments, please Contact your ADP Benefits Specialist.


This note was sent to acting users in your system that approach ADP Netsecure.

As usual, thank you for choosing ADP as your business affiliate!

Ref: 703814359


HR. Payroll. Benefits.

The ADP logo and ADP are registered trademarks of ADP, Inc.
In the business of your success is a service mark of ADP, Inc.
� 2013 ADP, Inc. All rights reserved.

The malicious payload is at [donotclick]demoralization.ru:8080/forum/links/column.php hosted on the following IPs:
82.165.193.26 (1&1, Germany)
91.224.135.20 (Proservis UAB, Lithunia)
187.85.160.106 (Ksys Soluções Web, Brazil)

The following IPs and domains are all related:
82.165.193.26
91.224.135.20
187.85.160.106
demoralization.ru
belnialamsik.ru
bananamamor.ru

Something evil on 173.246.102.246

173.246.102.246 (Gandi, US) looks like it is being used for exploit kits being promoted either through malvertising or through exploited OpenX ad servers.

In the example I have seen, the malicious payload is at [donotclick]11.lamarianella.info/read/defined_regulations-frequently.php (report here). These other domains appear to be on the same server, all of which can be assumed to be malicious:

11.livinghistorytheatre.ca
11.awarenesscreateschange.com
11.livinghistorytheatre.com
11.b2cviaggi.com
11.13dayz.com
11.lamarianella.info
11.studiocitynorth.tv
11.scntv.tv

These all appear to be legitimate but hijacked domains, you may want to block the whole domain rather than just the 11. subdomain.

Tuesday, 8 January 2013

PPI scam: 0843 410 0078

Short version: 
If you're Googling this number to see who is ringing you, then the short answer is that it is a bunch of scammers trying to get you to make a PPI refund claim. If you end up speaking to a human, then you can either ask them to "remove and suppress" your number, alternatively you can just tell them to fuck off (as there's no real reason to be polite with them).

Long version:
Despite a massive fine handed out to some SMS spammers for pushing PPI and ambulance chasing spam, there are still others about.

One particularly common on is to be called with a recorded message about a PPI refund, and then being given the opportunity to press "5" to connect to an operator.

So, I got one of these today from 0843 410 0078, a number allocated to Jtec UK Ltd (although they are probably just the telecoms provider). It seems that this number block is stuffed full of telepests.

Now, this isn't just spam.. it's a scam. Firstly, I'm not eligible for any PPI refunds, but the scammers are encouraging you to make a fraudulent claim regardless. They're just interested in selling your lead on to the next level in this very seedy world of PPI refund claims.

My conversation with the lady scammer went something like this:

Me: So I'm due a PPI refund am I?

Scammer: Yes, our records indicate that you may be eligible for a refund.

Me: Oh yes? You have records?

Scammer: Yes.

Me: So then, please tell me what my name is.

Scammer: We don't have that information for data protection reasons. [Yeah, but you have my financial records and telephone number, so really you are lying, aren't you?]

At which point I got bored and suggested that the woman fucked off and never called me again, at which point she hung up. I really do recommend being rude to these people incidentally. If you can ruin their afternoon and make them feel shitty about themselves then it's a small victory, they are willing participants in the scam after all.

The problem is that the people working at lead generation at this level will NEVER reveal who they are, and by the time the PPI claim has gotten to someone higher up in the food chain then the lead has been laundered through several middlemen.

Registering with the TPS isn't always as effective as you might think. Mobile numbers seem to expire after a year and need renewing (don't forget, the TPS is run by marketers). If you are TPS registered and still get bombarded with PPI scam calls, then you can try filing an ICO complaint. Or you could try doing it this way. But please remember, if you can make the telepests upset for the whole afternoon then it might make them reconsider their bad career choices..

If you find out who these pests are, or come across any other numbers, please consider sharing them in the Comments. Thanks!

These other numbers appear to be related:
0843 410 2215
0843 410 2576
0843 410 4770
0843 410 0269 (claimed to be from a nonexistant company called "PPI Assistance")

This is the same scam, but may be a different outfit:
01277 509018

BBB Spam / royalwinnipegballet.net

This fake BBB spam leads to malware on royalwinnipegballet.net:

Date:      Tue, 8 Jan 2013 19:18:34 +0200 [12:18:34 EST]
From:      Better Business Bureau <information@bbb.org>
To:      [redacted]Subject:      BBB information regarding your customer's appeal ¹ 96682901

Better Business Bureau ©
Start With Trust ©

Mon, 7 Jan 2013

RE: Complaint # 96682901

[redacted]

The Better Business Bureau has been registered the above mentioned appeal from one of your clients as regards their business contacts with you. The details of the consumer's worry are available for review at a link below. Please give attention to this matter and notify us about your sight as soon as possible.

We graciously ask you to open the CLAIM REPORT to answer on this reclamation.

We are looking forward to your prompt answer.

Faithfully yours
Alex Green
Dispute Counselor
Better Business Bureau

Better Business Bureau
3063  Wilson Blvd, Suite 600  Arlington, VA 27201
Phone: 1 (703) 276.0100   Fax: 1 (703) 525.8277
 

This note was delivered to [redacted]. Don't want to receive these emails anymore? You can unsubscribe

====================

Date:      Tue, 8 Jan 2013 19:12:58 +0200 [12:12:58 EST]
From:      Better Business Bureau <donotreply@bbb.org>
Subject:      Better Business Beareau   Pretense ¹ C6273504
Priority:      High Priority 1

 Better Business Bureau ©
Start With Trust ©

Mon, 7 Jan 2013

RE: Issue No. C6273504

[redacted]

The Better Business Bureau has been registered the above said reclamation from one of your users in respect of their business contacts with you. The information about the consumer's anxiety are available visiting a link below. Please give attention to this problem and notify us about your mind as soon as possible.

We kindly ask you to overview the APPEAL REPORT to meet on this claim letter.

We are looking forward to your prompt rebound.

Yours respectfully
Julian Morales
Dispute Advisor
Better Business Bureau

Better Business Bureau
3013   Wilson Blvd, Suite 600  Arlington, VA 20701
Phone: 1 (703) 276.0100  Fax: 1 (703) 525.8277


This message was sent to [redacted]. Don't want to receive these emails anymore? You can unsubscribe
The malicious payload is on [donotclick]royalwinnipegballet.net/detects/occasional-average-fairly.php hosted on 89.207.132.144 (Snel Internet, Netherlands) which was hosting another attack site this morning (so best blocked in my opinion)


"Federal ACH Announcement" spam / cookingcarlog.net

This rather terse spam leads to malware on cookingcarlog.net:

From:     Federal Reserve Services@sys.frb.org [ACHR_59273219@fedmail.frb.org]
Date:     8 January 2013 15:11
Subject:     FedMail (R): Federal ACH Announcement - End of Day - 12/27/12

Please find the ACH Letter of Advice Reporting from the Federal Reserve System clicking here. 
The link in the email goes to an exploit kit on [donotclick]cookingcarlog.net/detects/occasional-average-fairly.php (report here) which is hosted on 89.207.132.144 (Snel Internet Services, Netherlands).

Added - a BBB spam is also doing the rounds with the same payload:

 Better Business Bureau ©
Start With Trust �

Mon, 7 Jan 2013

RE: Case N. 54809787

[redacted]

The Better Business Bureau has been recorded the above said claim from one of your customers in respect to their dealings with you. The detailed description of the consumer's worry are available for review at a link below. Please pay attention to this issue and communicate with us about your judgment as soon as possible.

We pleasantly ask you to click and review the CLAIM REPORT to meet on this claim letter.

We are looking forward to your prompt response.

WBR
Mason Turner
Dispute Consultant
Better Business Bureau

Better Business Bureau
3063   Wilson Blvd, Suite 600  Arlington, VA 22701
Phone: 1 (703) 276.0100  Fax: 1 (703) 525.8277

Malware sites to block 8/1/13

These IPs and domains appear to be active in malicious spam runs today:

41.168.5.140
42.121.116.38
62.76.186.24
82.165.193.26
91.224.135.20
110.164.58.250
187.85.160.106
210.71.250.131
belnialamsik.ru

Quite a few of these IPs have been used in multiple attacks, blocking them would be prudent.

Update: some sample emails pointing to a malicious landing page at  [donotclick]belnialamsik.ru:8080/forum/links/column.php:


Date:      Tue, 8 Jan 2013 10:05:55 +0100
From:      Shavonda Duke via LinkedIn [member@linkedin.com]
Subject:      Re: Fwd: Security update for banking accounts.

Dear Online Account Operator,

Your ACH transactions have been
temporarily disabled.
View details

Best regards,
Security department

================

Date:      Tue, 8 Jan 2013 01:31:43 -0300 [01/07/13 23:31:43 EST]
From:      FilesTube [filestube@filestube.com]
Subject:      Fwd: Re: Banking security update.

Dear Online Account Operator,

Your ACH  transactions have been
temporarily disabled.
 View details

Best regards,
Security department

Wednesday, 2 January 2013

Malware sites to block 2/1/13 part II

This summary is not available. Please click here to view the post.

Malware sites to block 2/1/13

The following sites and IPs seem to be active today, being pushed out by spam campaigns. I'll post email samples when I get them. Perhaps.

91.224.135.20
187.85.160.106
210.71.250.131

afjdoospf.ru
akionokao.ru
bilainkos.ru
bumarazhkaio.ru
bunakaranka.ru

Saturday, 29 December 2012

"How Fatima Started Islam" spam

This nasty anti-Islam email has been doing the rounds recently, I've received it several times over the past few months and decided that it was worth a closer look..

From:     Laurel Pettit [kqmdy@agenta.de]
Date:     27 December 2012 22:39
Subject:     Re: more infomation about islam

How Fatima Started Islam

A book like no other on this earth.  Not a few cartoons or an infantile movie trailer but 234 page novel which insults Islam like no other.  A parody of the always drunk proprietor of "Mohammad's Saloon & Brothel" with his completely ridiculous life exposed.  This moronic child molestating coward and fool who bumps his way through life oblivious to his manipulation as the figurehead of another new religion.  Learn about his adopted son and heir Ali, the biggest swish ever to sashay across Arabia while sadistically running Mecca's largest boy's brothel.  Only $9.99 to laugh at, mock, and ridicule those fanatics who do not enjoy being ridiculed.  A well written and extremely funny parody at Amazon.com.

http://www.amazon.com/How-Fatima-Started-Islam-Mohammads/dp/0578032902/ref=sr_1_1?ie=UTF8&qid=1339884134&sr=8-1&keywords=how+fatima+started+islam
 link to Amazon.com
https://www.amazon.com/How-Fatima-Started-Islam-Mohammads/dp/0578032902/ref
Observe the never sober Mohammad having sex with camels, pre-adolescent girls and boys, the mutilations, murders, terrorism, sneak attacks, back stabbings and mental illnesses.  Absolutely no other novel is similar.  Stick up for America by sticking it to Radical Islam.

Also: There is a subtle effort to dissuade Americans from buying or reading this parody.  The Mullahs of Radical Islam HATE the fact that we in the West can still purchase this book.  They are pressuring and threatening Amazon to stop offering the novel for sale.  They demand a world wide ban with criminal penalties under Sharia Law.  Out of 6,000,000 Amazon books "How Fatima Started Islam" has the second lowest review rating, why, because Amazon has been flooded with well over 100 negative reviews with the lowest possible rating, reviewers who openly state that they would never ever buy or read a book insulting The Prophet, yet they take the time to tell you not to read it.  The second lowest rating is a badge of honor, it shows how much the Ayatollahs of BAGHDAD and DAMASCUS and the murderous terrorist who killed our ambassador and burned our embassy in BENGHAZI  do not want you to buy HFSI. Do not let these radical tin pot madmen, who think they rule the world and everyone in it, dictate to you what you may or may not read; purchase this important, well written, and extremely funny book.

Well, they're right about one thing.. the reviews are terrible. And they're terrible because this has been spammed out on a regular basis.

But where does this spam come from? Here is the key part of the mail header:

Received: from [183.131.24.233] (port=1249 helo=mailbook.simalbok9v.com)
    by [redacted] with smtp (Exim 4.80)
    (envelope-from <kqmdy@agenta.de>)
    id 1ToM6k-0001GW-12
    for [redacted]; Thu, 27 Dec 2012 22:39:22 +0000
Received: from cpe-184-56-141-86.neo.res.rr.com (HELO cpe-184-56-141-86.neo.res.rr.com) ([184.56.141.86])
From: "Laurel Pettit" <kqmdy@agenta.de>


183.131.24.233 is an IP address in China (Zhejiang Telecom). The domain simalbok9v.com doesn't actually exist though, the mail relay was spoofing it. But it's the email address before it that gives a least a little clue as to the sender. 184.56.141.86 is a Road Runner subscriber in Cleveland, in the US.

Alas, it doesn't tell us who it is, but it DOES tell us that it originates from within the US, and this spam is illegal under the CAN-SPAM act.

Now, I'm quite curious as to who else has looked at the headers to see what pattern there is. And I'm open to the possibility that this could be a Joe Job. But I certainly ain't gonna buy that book..

Update: the spam is still doing the rounds and is still originating from a Road Runner subscriber at 184.56.141.86, but now there is a new Chinese mail relay at 122.240.59.40.

Received: from [122.240.59.40] (port=2892 helo=mailbook.simalbok9v.com)
    by [redacted] with smtp (Exim 4.80)
    (envelope-from <crvll@fresnosheriff.org>)
    id 1Tp6dX-00071A-Qk
    for [redacted]; Sun, 30 Dec 2012 00:20:20 +0000
Received: from cpe-184-56-141-86.neo.res.rr.com (HELO cpe-184-56-141-86.neo.res.rr.com) ([184.56.141.86])
From: "Brianna Collins" <crvll@fresnosheriff.org>

FedACH Announcement spam / incinteractive.net

This fake whatever-the-heck-it-is spam leads to malware on incinteractive.net:
Date:      Fri, 28 Dec 2012 22:45:28 +0900
From:      "Federal Reserve Banking Services@sys.frb.org" [ACHR_58976105@FedMail.frb.org]
Subject:      FedMail (R): FedACH Announcement - End of Day - 12/27/12

Please overview the ACH Advice Statement from the Federal Reserve System by clicking here.
The malicious payload is at [donotclick]incinteractive.net/detects/wishs_continually.php hosted on the well-known IP of 59.57.247.185 in China which also hosts these following malicious domains:

sessionid0147239047829578349578239077.pl
tv-usib.com
atsushitani.com
proxfied.net
incinteractive.net
timesofnorth.net
latticesoft.net
incinteractive.net


Friday, 28 December 2012

IRS Spam / tv-usib.com

This fake IRS spam leads to malware on tv-usib.com:
Date:      Thu, 27 Dec 2012 22:14:44 +0400
From:      Internal Revenue Service [information@irs.gov]
Subject:      Your transaction is not approved

Your Income Tax outstanding transaction (ID: 3870703170305), recently ordered for processing from your checking account was rejected by Internal Revenue Service payment processing unit.

Canceled Tax transfer
Tax Transaction ID:     3870703170305
Rejection ID     See details in the report below
Federal Tax Transaction Report     tax_report_3870703170305.pdf (Adobe Acrobat Document)

Internal Revenue Service 3192 Aliquam Rd. Edmond 65332 Oregon
The malicious payload is at [donotclick]tv-usib.com/detects/property-mass-dollar_figure.php hosted on the well-known IP of 59.57.247.185 in China. The following malicious domains appear to be on that IP:


sessionid0147239047829578349578239077.pl
tv-usib.com
proxfied.net
timesofnorth.net
latticesoft.net

Wednesday, 26 December 2012

NACHA spam / bunakaranka.ru:

This fake ACH / NACHA spam leads to malware on bunakaranka.ru:

Date:      Wed, 26 Dec 2012 06:48:11 +0100
From:      Tagged [Tagged@taggedmail.com]
Subject:      Re: Fwd: Banking security update.

Dear Online Account Operator,

Your ACH transactions have been
temporarily disabled.
View details

Best regards,
Security department
The malicious payload is on [donotclick]bunakaranka.ru:8080/forum/links/column.php hosted on the following well-known IPs:

91.224.135.20 (Proservis UAB, Lithuania)
187.85.160.106 (Ksys Soluções Web, Brazil)
210.71.250.131 (Chunghwa Telecom, Taiwan)


Plain list:
91.224.135.20
187.85.160.106
210.71.250.131

Associated domains:
bunakaranka.ru
afjdoospf.ru
angelaonfl.ru
akionokao.ru
apendiksator.ru
bilainkos.ru

E-billing spam / proxfied.net

There are various e-billing spam emails circulating today, pointing to malware on proxfied.net:


Date:      Wed, 26 Dec 2012 18:49:37 +0300
From:      alets-no-reply@customercenter.citibank.com
Subject:      Your Further eBill from Citibank Credit Card


       
Member: [redacted]

Add alerts@serviceemail2.citibank.com to your address book to ensure delivery.

Your Account: Important Warning
   
New eBill Available

   
Account Number: **************8
Due Date: 12/28/2012
Amount Due: 175.36
Minimum Amount Due: 175.36

How do I view this bill?
1. Sign on to Citibank Online using this link.
2. Use the Payments Menu to find the bill mentioned in this message.
3. Select View Bill to review your bill details. Select the icon to see your bill summary.

Please don't reply to this message.

If you have any questions about your bill, please contact Citibank Credit Card directly. For online payment questions, please choose Bill Payment from the menu.

E-mail Security Zone
At the top of this message, you'll see an E-mail Security Zone. Its purpose is to help you examine that the e-mail was actually sent by Citibank. If you have questions, please visit our help center. To learn more about fraud, click "Security" at the bottom of the screen.

To set up alerts sign on by clicking this link and go to Account Profile.

I prefer not to have this email contain specific information from my statement. Please send me just the announcement that my statement is ready to view online.

   
   
View Your Account         Pay Your Bill         Contact Us
   

Privacy | Security
Email Preferences

If you want to communicate with us in writing concerning this email, please direct your correspondence to:

Citibank Customer Care Service
P. O. Box 6200
Sioux Hills, SD 57870

Help / Contact Us
If you have questions about your account, please use our secure message center by signing on at by clicking this link and clicking on "Contact Us" from the "Help / Contact Us" menu.

� 2012 Citibank, N.A.
All rights reserved.
Citi, Citibank and Citi with Arc Design are registered service marks of Citigroup Inc.

3843054050826645

1/LO/439463/221/1I/6H/EH/7126/SYSTEF1 /E5225514741628064/2187

====================


Date:      Wed, 26 Dec 2012 10:50:38 -0500
From:      alerts@serviceemail6.citibank.com
To:      [redacted]
Subject:      Your got Renewed eBill Available from AT&T Bill


       
Member: [redacted]

Add citibankonline@customercenter.citibank.com to your address book to ensure delivery.

Your Account: Important Warning
   
Fresh eBill Available

   
Account Number: **************4
Due Date: 12/28/2012
Amount Due: 74.93
Minimum Amount Due: 74.93

How do I view this bill?
1. Sign on to Citibank Online clicking this link.
2. Use the Payments Menu to find the bill pointed in this message.
3. Select View Bill to overview your bill details. Select the icon to see your bill summary.

Please don't reply to this message.

If you have any questions about your bill, please contact AT&T Bill directly. For online payment questions, please choose Bill Payment from the menu.

E-mail Security Zone
At the top of this message, you'll see an E-mail Security Zone. Its objective is to help you check that the e-mail was real sent by Citibank. If you have questions, please click "Contact Us" link at the nottom of this message. To learn more about fraud, click "Security" at the bottom of the screen.

To set up alerts sign on clicking here and go to Account Profile.

I prefer not to have this email contain specific information from my statement. Please send me just the announcement that my statement is ready to view online.

   
   
View Your Account         Pay Your Bill         Contact Us
   

Privacy | Security
Email Preferences

Should you going to communicate with us in writing concerning this email, please direct your correspondence to:

Citibank Customer Care
P. O. Box 9000
Sioux Falls, SD 57897

Help / Contact Us
If you have questions about your account, please use our secure message center by signing on at this link and browsing section "Contact Us" from the "Help / Contact Us" menu.

� 2012 Citibank, N.A.
All rights reserved.
Citi, Citibank and Citi with Arc Design are registered service marks of Citigroup Inc.

7835212473101882

8/6J/472774/910/JM/TK/XD/9078/SYSTE2T /GI793670607303856/5644

====================


Date:      Wed, 26 Dec 2012 17:37:12 +0200
From:      alerts@customercenter.citibank.com
To:      <[redacted]>
Subject:      Your just received Fresh eBill Ready for review from Citibank Credit Card


       
Member: [redacted]

Add customerservice@serviceemail9.citibank.com to your address book to ensure delivery.

Your Account: Important Warning
   
Fresh eBill Should Be Complete

   
Account Number: **************0
Due Date: 28/22/2012
Amount Due: 529.80
Minimum Amount Due: 529.80

How do I view this bill?
1. Sign on to Citibank Online by clicking here.
2. Use the Payments Menu to find the bill mentioned in this message.
3. Select View Bill to see your bill details. Select the icon to get your bill summary.

Please don't reply to this message.

If you have any questions about your bill, please contact Citibank Credit Card directly. For online payment questions, please choose Bill Payment from the menu.

E-mail Security Zone
At the top of this message, you'll see an E-mail Security Zone. Its aim is to help you check that the e-mail was actually sent by Citibank. If you have questions, please visit our Contact Us page. To learn more about fraud, click "Security" at the bottom of the screen.

To set up alerts sign on clicking here and go to Account Profile.

I prefer not to have this email contain specific information from my statement. Please send me just the announcement that my statement is ready to view online.

   
   
View Your Account         Pay Your Bill         Contact Us
   

Privacy | Security
Email Preferences

If you want to communicate with us in writing concerning this email, please direct your correspondence to:

Citibank Customer Care
P. O. Box 9000
Sioux Falls, SD 30415

Help / Contact Us
If you have questions about your account, please use our secure message center by signing on at click here and clicking on "Contact Us" from the "Help / Contact Us" menu.

© 2012 Citibank, N.A.
All rights reserved.
Citi, Citibank and Citi with Arc Design are registered service marks of Citigroup Inc.

3612654275931761

2/IC/009813/854/GU/7J/5F/0102/SYSTE0T /J4044525669689549/3261

====================


Date:      Wed, 26 Dec 2012 09:04:44 -0600
From:      alets-no-reply@serviceemail6.citibank.com
To:      <[redacted]>
Subject:      New eBill is Now Available. From: AT&T Bill


       
Member: [redacted]

Add customerservice@citibank.com to your address book to ensure delivery.

Your Account: Important Notification
   
Fresh eBill Ready for review

   
Account Number: **************4
Due Date: 12/28/2012
Amount Due: 232.34
Minimum Amount Due: 232.34

How do I view this bill?
1. Sign on to Citibank Online by clicking here.
2. Use the Payments Menu to find the bill pointed in this message.
3. Select View Bill to see your bill details. Select the icon to get your bill summary.

Please not try to reply to this message.

If you have any questions about your bill, please contact AT&T Bill directly. For online payment questions, please choose Bill Payment from the menu.

E-mail Security Zone
At the top of this message, you'll see an E-mail Security Zone. Its purpose is to help you be sure that the e-mail was in reality sent by Citibank. If you have questions, please visit our Contact Us page. To learn more about fraud, click "Security" at the bottom of the screen.

To set up alerts sign in using this link and go to Account Profile.

I prefer not to have this email contain specific information from my statement. Please send me just the announcement that my statement is ready to view online.

   
   
View Your Account         Pay Your Bill         Contact Us
   

Privacy | Security
Email Preferences

If you want to contact us in writing concerning this email, please direct your correspondence to:

Citibank Customer Care Service
P. O. Box 5800
Sioux Hills, NC 52846

Help / Contact Us
If you have questions about your account, please use our secure message center by signing on at click to open and browsing section "Contact Us" from the "Help / Contact Us" menu.

� 2012 Citibank, N.A.
All rights reserved.
Citi, Citibank and Citi with Arc Design are registered service marks of Citigroup Inc.

5252192738554872

8/B8/851199/374/4J/PL/0Y/1754/SYSTEYZ /S7493944434265957/9990

====================


Date:      Wed, 26 Dec 2012 09:54:12 -0500
From:      customerservice@citibank.com
To:      <[redacted]>
Subject:      Your Further eBill from American Express


       
Member: [redacted]

Add customerservice@serviceemail8.citibank.com to your address book to ensure delivery.

Your Account: Important Note
   
Fresh eBill Available

   
Account Number: **************8
Due Date: 12/28/2012
Amount Due: 56.92
Minimum Amount Due: 56.92

How do I view this bill?
1. Sign on to Citibank Online clicking this link.
2. Use the Payments Menu to find the bill pointed in this message.
3. Select View Bill to overview your bill details. Select the icon to show your bill summary.

Please do not reply to this message.

If you have any questions about your bill, please contact American Express directly. For online payment questions, please choose Bill Payment from the menu.

E-mail Security Zone
At the top of this message, you'll see an E-mail Security Zone. Its target is to help you check that the e-mail was really sent by Citibank. If you have questions, please click "Contact Us" link at the nottom of this message. To learn more about fraud, click "Security" at the bottom of the screen.

To set up alerts sign on with this link and go to Account Profile.

I prefer not to have this email contain specific information from my statement. Please send me just the announcement that my statement is ready to view online.

   
   
View Your Account         Pay Your Bill         Contact Us
   

Privacy | Security
Email Preferences

Should you want to contact us in writing concerning this email, please direct your correspondence to:

Citibank Customer Care
P. O. Box 6000
Sioux Wheels, NC 56012

Help / Contact Us
If you have questions about your account, please use our secure message center by signing on at this link and browsing section "Contact Us" from the "Help / Contact Us" menu.

� 2012 Citibank, N.A.
All rights reserved.
Citi, Citibank and Citi with Arc Design are registered service marks of Citigroup Inc.

4530267461705664

6/2P/193057/917/70/O0/HE/0121/SYSTER5 /9I438409026123046/3702
The malicious payload is at [donotclick]proxfied.net/detects/inform_rates.php hosted on 59.57.247.185 in China (a well-known malware IP address) along with these following malicious domains:

sessionid0147239047829578349578239077.pl
latticesoft.net
proxfied.net

Tuesday, 25 December 2012

Godless Eastern bloc commie athiests

Honestly, who sends this sort of crap out on Christmas day? Umm.. equally, who checks their spam filter on Christmas day. Anyway, this is what the godless eastern bloc pinko commies athiests spammers are sending out today.

Date:      Tue, 25 Dec 2012 22:56:51 -0700
From:      "Ticket Support"
Subject:      Password Assistance

Thank you for your letter of Dec 25, your information arrived today.

Alright, here's the link to the site:

Proceed to Site

If we can help in any way, please do not hesitate to contact us.

Regards, Yuonne Ferro, Support Team manager.
Some variants of the body text:
"Thank you for contacting us, your information arrived today."
"Thank you for your letter regarding our products and services, your information arrived today."
"Thank you for considering our products and services, your information arrived today."

Some alternative sender names:
"Jonie Gunther", "Noreen Macklin", "Bonny Oconnell"

The spamvertised site is hosted on 84.22.104.123, which is Cyberbunker. Given their awful reputation, I am surprised that they haven't been de-peered. Yet.

There's certainly nothing of value at all in the 84.22.96.0/19 range, blocking the whole lot will cause you no harm. These are the other spammy domains on the same IP:

bloodgenerics.com
canadapharmcanadian.net
canadawelnesscent.com
comprisingmeds.pl
dietwelness.com
drugherbalpills.com
drugstorebp.com
drugtoretabletsfitness.ru
eijmnssh.net
ewggesaj.net
garciniaherbal.com
healthcaremedprescription.com
herbalwelgarcinia.net
isvlhnvo.com
jozejhyqn.com
kbcbhgdw.com
kidneyprescriptiondiet.com
labwydehyj.com
levitrakbw.com
medsbp.com
medsmedicinedisease.com
medsprotein.com
mydrugstorerx.com
outlooklnessasale.com
patientswelnesshealthcare.com
pharmacycialismeningitis.net
pharmacydrugstablets.ru
pharmacyhealthpharmacy.ru
pillmedshealth.ru
pillscarehealthcare.com
pillsdrugstoredrugs.ru
pillsdrugstorepills.ru
pillspharmacyrx.ru
pillstabletshealthdrugstore.ru
pilltabletsfitness.ru
reliablerxpillstablets.ru
remedycutrxpills.ru
retailersmeds.com
romneyrx.net
rxcatholic.com
rxdiscounttabletspharmacy.ru
rxdrugstoremedicines.ru
rxdrugstoretreatments.ru
rxpharmacycaremeds.ru
rxpharmacytabletspharmacy.ru
rxpharmacytechmeds.ru
rxpharmacytreatments.ru
rxwellbeing.ru
sabonatabmed.com
swissrxpharmacy.ru
tabdisease.nl
tabletdropsrx.ru
tabletdrugsfitness.ru
tabletdrugstorehealth.ru
tabletgenerics.com
tablethealthphysicians.net
tabletlevitripad.com
tabletpillsdrugs.ru
tabletpillspills.ru
tabletrxdrugs.ru
tabletrxtreatments.ru
tsunamipill.com
viagraherbaltea.com

Sunday, 23 December 2012

"SecureMessage" spam / infiesdirekt.asia, pacesetting.asia and siteswillsrockf.net

Another fake "SecureMessage" spam leading to malware, the same in principle to this spam run and again hosted on the same Serverius-owned IPs of 46.249.42.161 and 46.249.42.168.

There are several variants of the spam, but they are all very similar and look something like this:

Date:      Sun, 23 Dec 2012 14:26:32 +0530
From:      "Secure.Message"
Subject:      Alert: New message

Click here to view the online version.

Hello [redacted],

You have 4 new messages.

Read now
� Copyright 2012 SecureMessage. All rights reserved.

If you would like to update your profile or unsubscribe, please click here.

PLEASE DO NOT REPLY TO THIS MESSAGE.

If you require Technical Support, please check Support Center for information.
I suspect that there is more malicious activity in the 46.249.42.0/24 range and blocking access to it would be a very good thing to do.

These are the malicious domains that I can currently identify on those IPs:

46.249.42.161
new-dating-2010.asia
bestdating-2010.asia
datingcool-2010.asia
great-dating2010.asia
freshdating2010.asia
moderndating2010.asia
newmeeting2010.asia
newdatingafter2010.asia
datingbest2010.asia
datingcool2011.asia
datingbest2011.asia
site-dating-2012.asia
great-dating-2012.asia
best-dating-2012.asia
greatdating-2012.asia
newdatingworld2012.asia
site-dating2012.asia
great-dating2012.asia
best-dating2012.asia
freshdating2012.asia
cooldating2012.asia
moderndating2012.asia
greatdating2012.asia
bestdating2012.asia
latestdating2012.asia
newmeeting2012.asia
datingcool2012.asia
newdatingafter2012.asia
datingbest2012.asia
dating-2013.asia
new-dating2013.asia
x-dating2013.asia
my-dating2013.asia
mydating2013.asia
matic.asia
puzdoc.asia
cattified.asia
feebled.asia
jugated.asia
collected.asia
urrected.asia
bested.asia
mail.bested.asia
www.bested.asia
huckleland.asia
softlywood.asia
offiable.asia
quisible.asia
juggle.asia
tactiate.asia
evasive.asia
braging.asia
coppinging.asia
dishing.asia
skylarking.asia
fooling.asia
banning.asia
honing.asia
appearing.asia
undering.asia
muleteering.asia
mail.muleteering.asia
www.muleteering.asia
genering.asia
abjecting.asia
concreting.asia
comfiting.asia
retorting.asia
overcasting.asia
pacesetting.asia
purveying.asia
kenlying.asia
opennessman.asia
legmen.asia
worsen.asia
disten.asia
lusion.asia
firmation.asia
audration.asia
putation.asia
sequestion.asia
outgo.asia
irrito.asia
gentleship.asia
fastender.asia
linger.asia
rapier.asia
emulsier.asia
safekeeper.asia
sourer.asia
bosser.asia
dencies.asia
in-fies.asia
infies.asia
topinfies.asia
superinfies.asia
terlies.asia
mities.asia
mail.mities.asia
www.mities.asia
mangles.asia
wangles.asia
samenesses.asia
pyxes.asia
lickings.asia
versionless.asia
deodorless.asia
pulsiveness.asia
centiveness.asia
infiesdirekt.asia
infiessofort.asia
initialist.asia
malcy.asia
belably.asia
whimsibly.asia
spacingly.asia
eningly.asia
toningly.asia
campingly.asia
wimpingly.asia
gueringly.asia
playingly.asia
monly.asia
distantly.asia
grottory.asia
eagerry.asia
mail.eagerry.asia
www.eagerry.asia
tipsy.asia
fresh-dating-2010.info
new-dating-2010.info
greatdating-2010.info
bestdating-2010.info
datingcool-2010.info
datingbest-2010.info
site-dating2010.info
great-dating2010.info
best-dating2010.info
sitedating2010.info
fresh-dating-2013.ru
new-dating-2013.ru
greatdating-2013.ru
bestdating-2013.ru
datingcool-2013.ru
datingbest-2013.ru
site-dating2013.ru
great-dating2013.ru
best-dating2013.ru
sitedating2013.ru

46.249.42.168
stelspendingswow.name
siteswillsrockf.com
moniretsstates.info
stelspendingswow.info
monicats5b.net
siteswillsrockf.net
audiodevelop.net
organizationmeens.net
libstringnets.net
finderpolicy.net



Saturday, 22 December 2012

"New message received" spam / siteswillsrockf.com and undering.asia

This malicious spam run is part of this large cluster of malicious sites that I wrote about yesterday.


Date:      Sat, 22 Dec 2012 16:55:38 +0300
From:      "Secure.Message" [FAA55EEEE@valencianadeparketts.es]
Subject:      New message received

Click here to view the online version.

Hello [redacted],



You have 5 new messages.

Read now
� Copyright 2012 SecurePrivateMessage. All rights reserved.



If you would like to update your profile or unsubscribe, please click here.



PLEASE DO NOT REPLY TO THIS MESSAGE.

If you require Technical Support, please check Support Center for information.


Unlike most recent campaigns where the first link in the email is a legitimate but hacked site, this one links directly to a malware server at [donotclick]undering.asia/link.php?login.aspx=[emailaddress]&id=[redacted]  with a link that features the email address as part of the URL (presumably to confirm that the address is live). The next step is a redirector link at [donotclick]undering.asia/?affid=00110&promo_type=5&promo_opt=1 which loads a fake anti-virus page, and then it attempts to download a Java exploit from [donotclick]siteswillsrockf.com/?a=YWZmaWQ9MDAxMTA=

undering.asia is hosted on 46.249.42.161, and siteswillsrockf.com on 46.249.42.168. Seeing two malicious sites so closely together indicates that there is a problem with the netblock, so having a closer look at those IPs shows:

inetnum:        46.249.42.0 - 46.249.42.255
netname:        CUST339-170918-147
descr:          Customer ip range
remarks:        Please send email to "cust339@serverius.eu" for complaints
remarks:        regarding portscans, DoS attacks and spam.
country:        NL
admin-c:        CUST339
tech-c:         CUST339
status:         ASSIGNED PA
mnt-by:         serverius-mnt
source:         RIPE # Filtered

person:         Customer No339
remarks:        This IP space is used by a Serverius datacenter customer.
address:        www.serverius.com
phone:          +31 (0)88 73 78 374
nic-hdl:        CUST339
mnt-by:         SERVERIUS-mnt
source:         RIPE # Filtered

route:          46.249.32.0/19
descr:          Serverius Route Object
origin:         AS50673
mnt-by:         SERVERIUS-MNT
source:         RIPE # Filtered


The block 46.249.42.0/24 seems to have been suballocated to an unidentified customer of Serverius who have a long history of badness in their IP ranges. Based on this, I would suggest that you add the 46.249.42.0/24 range to your blocklist to prevent other unidentified malicious servers in this block from being a problem.

There are lots of other suspect domains on these two IPs as well:
46.249.42.161
new-dating-2010.asia
bestdating-2010.asia
datingcool-2010.asia
great-dating2010.asia
freshdating2010.asia
moderndating2010.asia
newmeeting2010.asia
newdatingafter2010.asia
datingbest2010.asia
datingcool2011.asia
datingbest2011.asia
site-dating-2012.asia
great-dating-2012.asia
best-dating-2012.asia
greatdating-2012.asia
newdatingworld2012.asia
site-dating2012.asia
great-dating2012.asia
best-dating2012.asia
freshdating2012.asia
cooldating2012.asia
moderndating2012.asia
greatdating2012.asia
bestdating2012.asia
latestdating2012.asia
newmeeting2012.asia
datingcool2012.asia
newdatingafter2012.asia
datingbest2012.asia
dating-2013.asia
new-dating2013.asia
x-dating2013.asia
my-dating2013.asia
mydating2013.asia
matic.asia
puzdoc.asia
feebled.asia
collected.asia
huckleland.asia
quisible.asia
juggle.asia
evasive.asia
dishing.asia
skylarking.asia
fooling.asia
banning.asia
honing.asia
undering.asia
muleteering.asia
genering.asia
abjecting.asia
concreting.asia
retorting.asia
legmen.asia
disten.asia
firmation.asia
audration.asia
outgo.asia
irrito.asia
gentleship.asia
fastender.asia
rapier.asia
safekeeper.asia
sourer.asia
mangles.asia
samenesses.asia
deodorless.asia
pulsiveness.asia
initialist.asia
malcy.asia
belably.asia
spacingly.asia
campingly.asia
wimpingly.asia
playingly.asia
grottory.asia
tipsy.asia
fresh-dating-2010.info
new-dating-2010.info
greatdating-2010.info
bestdating-2010.info
datingcool-2010.info
datingbest-2010.info
site-dating2010.info
great-dating2010.info
best-dating2010.info
sitedating2010.info
fresh-dating-2013.ru
new-dating-2013.ru
greatdating-2013.ru
bestdating-2013.ru
datingcool-2013.ru
datingbest-2013.ru
site-dating2013.ru
great-dating2013.ru
best-dating2013.ru
sitedating2013.ru

46.249.42.168
siteswillsrockf.com
moniretsstates.info
monicats5b.net
audiodevelop.net
organizationmeens.net
finderpolicy.net