
Wednesday, 21 August 2013

Facebook spam / thenatemiller.co

This fake Facebook spam leads to malware on thenatemiller.co:

Date:      Wed, 21 Aug 2013 22:05:38 +0530 [12:35:38 EDT]
From:      Facebook [update+hiehdzge@facebookmail.com]
Subject:      You requested a new Facebook password

facebook
Hello,

You recently asked to reset your Facebook password.
Click here to change your password.
Didn't request this change?
If you didn't request a new password, let us know immediately.
Change Password
This message was sent to [redacted] at your request.
Facebook, Inc., Attention: Department 415, PO Box 10005, Palo Alto, CA 94303
Nothing good will come from clicking the link. First, victims go to a legitimate but hacked site that attempts to load the following three scripts:
[donotclick]gemclinicstore.com/admitted/tintinnabulations.js
[donotclick]mathenyadvisorygroup.com/toffies/ceiling.js
[donotclick]www.it-planet.gr/schlepped/suitor.js

From there the victim is directed to a malware landing page at [donotclick]thenatemiller.co/topic/able_disturb_planning.php (.co, not .com) which is a hijacked GoDaddy domain hosted on 72.5.102.146 (Nuclear Fallout Enterprises, US) along with several other hijacked domains (listed below in italics).

Recommended blocklist:
72.5.102.146
successchamp.com
dennissellsgateway.com
thenatemiller.co
thenatemiller.info
justinreid.us
waterwayrealtyteam.us
thenatemiller.biz

gemclinicstore.com
mathenyadvisorygroup.com
www.it-planet.gr

Laughable advanced fee fraud scam promises $2.5

Two-and-a-half bucks? I think I'll pass.
From:     Mr Anthony Freed [johnewele12@cantv.net]
Reply-to:     dhlcorriadeliveryservice@live.com
Date:     20 August 2013 21:13
Subject:     Attention please!!!

Attention please!!!

We have registered your ATM CARD of (US $2.5) with DHL Express Courier Company with registration code of ( 9665776) please Contact with your delivery
information:
DHL OFFICE:
Name Dr:Mark Jonson.
E-mail: dhlcorriadeliveryservice@live.com //officedhldelivery service
Tel:+229 98270349.

We have paid for the Insurance & Delivery fee.The only fee you have to pay is their Security fee only.Please indicate the registration Number of ( 22-82797457 )and ask Him how much is their Security fee so that you can pay it.
Best Regards.
Rev.Anthony Fred
I don't think I've seen an Advanced Fee Fraud spam so full of fail for a long time.

Facebook spam / dennissellsgateway.com

This fake Facebook spam leads to malware on dennissellsgateway.com:

Date:      Tue, 20 Aug 2013 15:28:11 -0500 [16:28:11 EDT]
From:      Facebook [no-reply@facebook.com]
Subject:      Gene Maynard wants to be friends with you on Facebook.

facebook
   
Gene Maynard wants to be friends with you on Facebook.
University of Houston, Victoria
342 friends - 28 photos
Confirm Request
       
See All Requests
This message was sent to [redacted]. If you don't want to receive these emails from Facebook in the future, please click: unsubscribe.
Facebook, Inc. Attention: Department 415 P.O Box 10005 Palo Alto CA 94303

This is a "ThreeScripts" attack, with the link first going to a legitimate hacked site and then through one of the following three scripts:
[donotclick]ftp.crimestoppersofpinellas.org/jonson/tried.js
[donotclick]italiangardensomaha.com/moocher/pawned.js
[donotclick]www.it-planet.gr/schlepped/suitor.js

From there, the victim ends up on a hijacked GoDaddy domain with a malicious payload at [donotclick]dennissellsgateway.com/topic/able_disturb_planning.php on 72.5.102.146 (Nuclear Fallout Enterprises, US) along with some other hijacked domains (listed in italics below).

Recommended blocklist:
72.5.102.146
dennissellsgateway.com
justinreid.us
waterwayrealtyteam.us

www.it-planet.gr
italiangardensomaha.com
ftp.crimestoppersofpinellas.org

Update:
Another spam is circulating with a different pitch, but the same malicious payload:

Dear Customer,

The following is your Credit Card settlement report for Monday, August 19, 2013.
Transaction Volume Statistics for Settlement Batch dated 19-Aug-2013
Batch ID: 108837538
Business Day: 19-Aug-2013
Net Batch Total: 3704.75 (USD)
Number of Charge Transactions: 1
Amount of Charge Transactions: 3704.75
Number of Refund Transactions: 5
Amount of Refund Transactions: 315.74
You can download your full report at https://account.authorize.net/login/protected/download/settlementreport/

To view details for a specific transaction, please log into the Merchant Interface.

1.Click "Reports" from the main menu
2.Select "Transaction Details by Settlement Date"
3.Select "Settled Transactions" from the Item Type drop-down box.
4.Select the Settlement Date for the batch you would like to view from the "Date" drop-down box
5.Click "Run Report"
6.In the results, click on any transaction ID to view specific details for that transaction.

If you have any questions regarding this settlement report, please contact us by Secure Mail or you can call Customer Support at 1-877-447-3938.

Thank You,
Authorize.Net
*** You received this email because you chose to be a Credit Card Report
recipient. You may change your email options by logging into the Merchant
Interface. Click on Settings and Profile in the Main Menu, and select
Manage Contacts from the General section. To edit a contact, click the
Edit link next to the contact that you would like to edit. Under Email
Types, select or deselect the Email types you would like to receive. Click
Submit to save any changes. Please do not reply to this email.



Monday, 19 August 2013

"You have received a secure message" spam / securedoc.zip

This fake Citi spam contains a malicious attachment:

Date:      Mon, 19 Aug 2013 20:24:27 +0000 [16:24:27 EDT]
From:      "secure.email@citi.com" [secure.email@citi.com]
Subject:      You have received a secure message

You have received a secure message
Read your secure message by opening the attachment, securedoc. You will be prompted to open (view) the file or save (download) it to your computer. For best results, save the file first, then open it with Internet Explorer.
If you have concerns about the validity of this message, please contact the sender directly. For questions please contact the Citi Secure Email Help Desk at (866) 535-2504.
First time users - will need to register after opening the attachment.
About Email Encryption - http://www.citi.com/citi/citizen/privacy/email.htm

Attached is a file securedoc.zip which in turn contains a malicious executable securedoc.exe with a very low detection rate at VirusTotal of just 2/46. The Malwr analysis (and also ThreatExpert) shows that the file first connects to [donotclick]frankcremascocabinets.com/forum/viewtopic.php (a hijacked GoDaddy domain on 184.95.37.102 (Secured Servers, US / Jolly Works Hosting, Philippines), as seen before here), and it then tries to download additional components from:

[donotclick]lobbyarkansas.com/0d8H.exe
[donotclick]ftp.ixcenter.com/GMMo6.exe
[donotclick]faithful-ftp.com/kFbWXZX.exe

This second part has another very low VirusTotal detection rate of just 3/46. Malwr gives an insight into what the binary is doing, or alternatively you can look at the Comodo CAMAS report or ThreatExpert report.

Recommended blocklist:
184.95.37.96/28
frankcremascocabinets.com
giuseppepiruzza.com
gordonpoint.biz
gordonpoint.info
hitechcreature.com
frankcremasco.com
lobbyarkansas.com
ftp.ixcenter.com
faithful-ftp.com

"You requested a new Facebook password" spam / frankcremascocabinets.com

This fake Facebook spam follows on from this one, but has a different malicious landing page at frankcremascocabinets.com:

From:     Facebook [update+hiehdzge@facebookmail.com]
Date:     19 August 2013 17:38
Subject:     You requested a new Facebook password

facebook
Hello,

You recently asked to reset your Facebook password.
Click here to change your password.
Didn't request this change?
If you didn't request a new password, let us know immediately.
Change Password
This message was sent to [redacted] at your request.
Facebook, Inc., Attention: Department 415, PO Box 10005, Palo Alto, CA 94303
The link in the email goes to a legitimate hacked site which then tries to load one or more of the following three scripts:
[donotclick]ftp.hotwindsaunausa.com/clingy/concord.js
[donotclick]katchthedeal.sg/stilling/rifts.js
[donotclick]ftp.navaglia.it/gazebo/cowboys.js

The victim is then directed to a malware payload at [donotclick]frankcremascocabinets.com/topic/able_disturb_planning.php hosted on 184.95.37.102 (Secured Servers, US / Jolly Works Hosting, Philippines). This domain is a hijacked GoDaddy domain and there are several others on the same server (listed below in italics).

Recommended blocklist:
184.95.37.96/28
ftp.hotwindsaunausa.com
katchthedeal.sg
ftp.navaglia.it
giuseppepiruzza.com
frankcremascocabinets.com
gordonpoint.biz
hitechcreature.com

frankcremasco.com
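The blocklists in this post and the Citi "secure message" post above both give the /28 (184.95.37.96/28) alongside the single host 184.95.37.102, plus a mix of bare domains and specific hacked hostnames (ftp.ixcenter.com, ftp.navaglia.it). The script below is an added example, not code from the original post: it parses blocklist text of that shape, collapses addresses already covered by a wider prefix, answers "is this IP or name blocked?" with CIDR containment and subdomain matching, and emits the records you would drop into a DNS response policy zone. The BLOCKLIST text is assembled from the two posts; the zone name rpz.local is an assumption.

```python
"""Normalise 'Recommended blocklist' entries into resolver/firewall-friendly form.

Added example for the blocklists above; not code from the original posts.
"""
import ipaddress

# Constructed from the entries in the Citi and "new Facebook password" posts above.
BLOCKLIST = """
184.95.37.96/28
184.95.37.102
frankcremascocabinets.com
giuseppepiruzza.com
gordonpoint.biz
gordonpoint.info
hitechcreature.com
frankcremasco.com
lobbyarkansas.com
ftp.ixcenter.com
faithful-ftp.com
ftp.hotwindsaunausa.com
katchthedeal.sg
ftp.navaglia.it
gordonpoint.biz
"""


def collapse(nets):
    """Merge/dedupe networks so that a /32 already inside a /28 disappears."""
    v4 = [n for n in nets if n.version == 4]
    v6 = [n for n in nets if n.version == 6]
    return list(ipaddress.collapse_addresses(v4)) + list(ipaddress.collapse_addresses(v6))


def parse_blocklist(text):
    """Split free-text blocklist lines into (networks, hostnames)."""
    nets, hosts = [], set()
    for raw in text.splitlines():
        line = raw.strip().lower()
        if not line or line.startswith("#"):
            continue
        try:
            nets.append(ipaddress.ip_network(line, strict=False))
        except ValueError:
            hosts.add(line.rstrip("."))
    return collapse(nets), sorted(hosts)


def is_blocked(target, nets, hosts):
    """True if target (IP or hostname) is inside a listed prefix or equals/sits under a listed name."""
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        name = target.lower().rstrip(".")
        return any(name == h or name.endswith("." + h) for h in hosts)
    return any(ip in n for n in nets)


def rpz_records(nets, hosts, zone="rpz.local"):
    """RPZ records: QNAME triggers for names (and their subdomains), rpz-ip triggers for prefixes."""
    lines = []
    for h in hosts:
        lines.append(f"{h}.{zone}. CNAME .")      # CNAME . => NXDOMAIN
        lines.append(f"*.{h}.{zone}. CNAME .")
    for n in nets:
        if n.version == 4:
            # rpz-ip trigger: <prefixlen>.<reversed octets>.rpz-ip
            rev = ".".join(reversed(str(n.network_address).split(".")))
            lines.append(f"{n.prefixlen}.{rev}.rpz-ip.{zone}. CNAME .")
    return lines


if __name__ == "__main__":
    nets, hosts = parse_blocklist(BLOCKLIST)
    print("networks:", [str(n) for n in nets])
    print("184.95.37.102 blocked:", is_blocked("184.95.37.102", nets, hosts))
    print("\n".join(rpz_records(nets, hosts)))
```

Note that the ftp.* entries are hacked legitimate hosts; the matcher blocks the listed name and anything beneath it, not the parent domain, so the owner's other services are left alone. The same parser handles the /24 entries in the pharma list further down the page.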

Facebook spam / hubbywifewines.com

This fake Facebook spam leads to malware on hubbywifewines.com:

Date:      Mon, 19 Aug 2013 16:20:06 +0200 [10:20:06 EDT]
From:      Facebook [update+hiehdzge@facebookmail.com]
Subject:      You requested a new Facebook password


facebook
Hello,

You recently asked to reset your Facebook password.
Click here to change your password.
Didn't request this change?
If you didn't request a new password, let us know immediately.
Change Password
This message was sent to [redacted].net at your request.
Facebook, Inc., Attention: Department 415, PO Box 10005, Palo Alto, CA 94303
The link in the email goes to a legitimate hacked site and then loads one or more of these three scripts:
[donotclick]ftp.hotwindsaunausa.com/clingy/concord.js
[donotclick]katchthedeal.sg/stilling/rifts.js
[donotclick]ftp.navaglia.it/gazebo/cowboys.js

The victim is then forwarded to a malware landing page using a hijacked GoDaddy domain at [donotclick]hubbywifewines.com/topic/able_disturb_planning.php hosted on 72.5.102.192 (Nuclear Fallout Enterprises, US) along with another hijacked domain of hubbywifefoods.com.

Recommended blocklist:
72.5.102.192
hubbywifewines.com
hubbywifefoods.com
ftp.hotwindsaunausa.com
katchthedeal.sg
ftp.navaglia.it



MONK / Monarchy Resources, Inc pump-and-dump spam

Another day, another pump-and-dump spam run, this time being sent to randomly generated email addresses promoting MONK (Monarchy Resources, Inc). Here are some examples:

Subject: Pick Of The Week... Do Not Miss Out This Time!
Make easy $15'000 Monday!!! Hello, want to receive $15'000 by
next Friday? You would receive lot more if you get this hot
stock on Monday. The stock symbol is: M_O N_K. It's Monarchy
Resources, Inc.. It sells under 48 cents, but it should
see $1'80 shortly! Purchase shares of M_O N_K on Aug, 19
below 48 cents and multiply your cash! It could be
awesome to get $15'000 by Friday. And it's very easy to
receive. On Monday, Aug 19, 2013 order 43'000 shares of M_O
N_K and get over $15'000 by Friday

Subject: Hot Investor News
Pocket your $17'000 now! Howdy, need to pocket $17'000 by this Saturday? You
will get lots more if you purchase this premium stock on Monday. The stock
symbol is: M_ONK. It's MONARCHY RESOURCES INC.. It sits below 42 cents,
but it should see $1'20 promptly! Purchase shares of M_ONK on Mon, Aug
19th, 2013 under 42 cents and multiply your investment. It will be
amazing to earn $17'000 by Saturday. And its very easy to get! On Aug, 19th
order 29'000 shares of M_ONK and receive over $17'000 by Saturday!!!

Subject: Walgreens News!!!
Make easy $12'000 now! Hello, ready to pocket $12'000 by next
Saturday? You would receive lots more if you order this
undervalued stock on Monday. The company symbol is: M O N K.
It's Monarchy Resources, Inc. It goes under 40 cents, but
it could settle $1.90 promptly! Get shares of M O N K on
Monday, Aug 19th, 2013 under 40 cents and quadruple your
investment. It can be amazing to earn $12'000 by Saturday. And
its very easy to do! On Aug, 19 trade 21'000 shares of M O N K
and get over $12'000 by Saturday.

Subject: Profile Alert
Earn fast $13'000 now! Hello, ready to pocket $13'000 by this Thursday?
You can make lot more if you get this new stock on Monday. The stock
symbol is: M_O N_K. Its MONARCHY RESOURCES, INC. It goes under 30
cents, but it should see $1.55 shortly! Get shares of M_O N_K on
Monday, Aug 19 under 30 cents and quadruple your portfolio. It
could be cool to make $13'000 by Thursday. And it's very easy to do! On
Mon, August 19th, 2013 buy 35'000 shares of M_O N_K and pocket over
$13'000 by Thursday!

The spam that I have seen appears to originate primarily from IP addresses in India.

So, what's up with MONK? The stock has only been trading since June and for most of that time it has been at around the $1.00 level. At the beginning of August the price dropped to $0.40 and then $0.20 per share (dropping at one point to just $0.10), losing more than 75% of its value since launch (see the stock chart here).


On 16th August there was a flurry of activity as 209,400 shares were bought at around $0.20 or somewhat under. Usually this is the spammers taking up a position in the company that they are about to spam. On the next day (a Saturday) the pump-and-dump spam started. So far today about 450,000 shares have been traded, apparently giving the stock a bit of a bump as whoever hired the spammers tries to cash out.

As with all pump-and-dump spams, the only people making money out of it are the scammers who run it. Any investor who tries to invest in these is likely to lose some or all of their investment. Avoid.

Malekal.com Joe Job part II

There has been a Joe Job being run against Malekal.com for some time now. However, the joe job has now morphed and includes a reference to this blog (which is kind of annoying).

Date:      Sun, 18 Aug 2013 14:35:33 +0300 [08/18/13 07:35:33 EDT]
Subject:      Email SPAM for malekal.com

Theses emails SPAM are sent from a botnet (check the mails headers), im not
responsible of theses spam emails.
Someone is probably trying to get the site blacklisted or to get bad reputation
(called this "a Joe Job" - see :
http://blog.dynamoo.com/2013/08/malekalcom-joe-job.html )

The responsible is " Reveton Guy ", try to get revenge after a mass shutdown of
their malvertising :

http://www.malekal.com/2013/07/30/en-juicyads-reveton-malvertising/
http://www.malekal.com/2013/07/28/en-plugrush-reveton-malvertising/
http://www.malekal.com/2013/07/26/en-reveton-adxpansion-com-malvertising/

The August 11, they tried to get my website blacklisted using hacked website :
http://www.malekal.com/2013/08/12/en-reveton-go-now-by-hacked-website/
This is rather more subtle than the previous Joe Job, as it appears to be from the Malekal administrator themselves. However, it is being sent by a botnet (probably the same botnet sending the original spam) and is just another way to cause trouble.

These spam emails are tightly targeted to addresses that are most likely to make complaints. If you are going to report these, then I'd appreciate it if you would report the sending IP only rather than just copy-and-pasting all the links in.

Friday, 16 August 2013

"California Human Right Foundation CHRF USA" scam email

It's hard to say whether this scam is simply a version of the advanced fee fraud (you can come to the conference, but there will be fees and hotel charges), or if the idea is that you go down to Senegal and get kidnapped. In any case, this is a scam sent to an email address scraped from the web via a hijacked email account in Indonesia. Similar scams have been seen before. Avoid.

From:     Mrs Cira Jonas [dede@yongjin.co.id]
Reply-To:     cirajo101@blumail.org
Date:     16 August 2013 18:06
Subject:     2013 USA (CHRF) CONFERENCE/INVITATION!!!

Dear Colleagues,

On behalf of California Human Right Foundation CHRF USA, It is a great privilege for us to invite you to global Congress meeting against Economic Crisis, Child Protection & HIV/AIDS Treatment, Prostitution, Sex Work and forced Labor. The aims of the conference are to bring together researchers and practitioners in an effort to lay the ground work for future collaborative research, advocacy, and program development as well as to educate social service, health care, and criminal justice professionals on human trafficking and the needs and risks of those victimized by the commercial sex industry.

The global Congress meeting against Economic Crisis, Child Protection & HIV/AIDS Treatment, Prostitution, Sex Work and forced Labor is scheduled to take place from October 20th – 24th 203, in California the United States and in Dakar-Senegal, from October 26th – 30th 2013. The global congress is hosted by the Campaign against Child Labor Coalition and sponsored by (The Bill & Melinda Gates Foundation, The William J. Clinton Foundation and other benevolent donors worldwide.

Note that all interested delegates that requires entry visa to enter the United States to attend this meeting will be assisted by the organization, in obtaining the visa in their passport. Free air round trip tickets to attend this meeting will be provided to all participants. The Workshop welcomes paper presentation from any interested participants willing to present papers during the meeting.

For registration information you are to contact the conference secretariat via  Email: info.secretaryallissa@usa.com


Please share the information with your colleagues.

Sincerely,
Mrs Cira Jonas
E-mail: cirajo101@blumail.org
(M.D) Activities Coordinator

ADP spam / ADP_week_invoice.zip|exe

This fake ADP spam has a malicious attachment:

Date:      Fri, 16 Aug 2013 09:57:59 -0500 [10:57:59 EDT]
From:      "run.payroll.invoice@adp.com" [run.payroll.invoice@adp.com]
Subject:      ADP Payroll INVOICE for week ending 08/16/2013

Your ADP Payroll invoice for last week is attached for your review. If you have any
questions regarding this invoice, please contact your ADP service team at the number
provided on the invoice for assistance.

Thank you for choosing ADP Payroll.
Important: Please do not respond to this message. It comes from an unattended mailbox.
There is an attachment ADP_week_invoice.zip which in turn contains a malicious executable file ADP_week_invoice.exe. The payload is exactly the same as this other malicious spam run which is running in parallel.

"CEO Portal Statements & Notices Event" spam / report_{DIGIT[12]}.exe

This fake Wells Fargo email has a malicious attachment:

Date:      Fri, 16 Aug 2013 09:51:17 -0500 [10:51:17 EDT]
From:      Wells Fargo Event Messaging Admin [ofsrep.ceosmuigw@wellsfargo.com]
Subject:      CEO Portal Statements & Notices Event


Wells Fargo

Commercial Electronic Office (CEO) Portal Statements & Notices Event: Multiple Download Request Available

Your Deposit Adjustment Notices is now available. To access your information please download attached report and open Statements & Notices file.
Date/Time Stamp:    Fri, 16 Aug 2013 09:51:17 -0500
Request Name:    MM3P85NRLOXLOFJ
Event Message ID:    S045-77988311

Please do not reply to this email.

The email has an attachment called report_625859705821.zip which in turn contains an executable report_{DIGIT[12]}.exe (the unexpanded template in the filename is presumably an error on the spammer's part) which has a VirusTotal detection rate of 9/46. The Malwr report shows that this malware does various things, including an HTTP request to a hijacked GoDaddy domain at [donotclick]hubbywifeco.com/forum/viewtopic.php hosted on 66.151.138.80 (Nuclear Fallout Enterprises, US) which is shared with another hijacked domain, hubbywifecakes.com.

From there, another executable is downloaded from one of the following locations:
[donotclick]208.106.130.52/39UvZmv.exe
[donotclick]demoscreactivo.com/DKM9.exe
[donotclick]roundaboutcellars.com/Utuw1.exe
[donotclick]bbsmfg.biz/VKPqrms.exe

This executable has an even lower detection rate of just 5/46. You can see the Malwr report for that here.

Blocking EXE-in-ZIP files like this at your perimeter is an excellent idea if you can do it.

Recommended blocklist:
66.151.138.80
hubbywifeco.com
hubbywifecakes.com
208.106.130.52
demoscreactivo.com
roundaboutcellars.com
bbsmfg.biz


Thursday, 15 August 2013

"INCOMING FAX REPORT" spam / chellebelledesigns.com

A facsimile transmission. How quaint. Of course, it isn't: the link in the spam goes to a malicious page on chellebelledesigns.com:

From:     Administrator [administrator@victimdomain]
Date:     15 August 2013 16:08
Subject:     INCOMING FAX REPORT : Remote ID: 1043524020


*********************************************************
INCOMING FAX REPORT
*********************************************************

Date/Time: 07/25/2013 02:12:11 EST
Speed: 66387 bps
Connection time: 04:06
Pages: 0
Resolution: Normal
Remote ID: 1043524020
Line number: 7
DTMF/DID:
Description: June Payroll

Click here to view the file online

********************************************************* 
Note that the spam appears to come "from" the "Administrator" in the victim's own domain. This email address is a forgery, so don't worry about it. If you are daft enough to click the link in the email you go to a legitimate hacked site and then on to one of three scripts:
[donotclick]millionaireheaven.com/mable/rework.js
[donotclick]pettigrew.us/airheads/testier.js
[donotclick]www.situ-ingenieurgeologie.de/tuesday/alleviation.js

From there, the victim is forwarded to a malicious landing page at [donotclick]chellebelledesigns.com/topic/conclusion-western.php using a hacked GoDaddy domain on 173.246.104.55 (Gandi, US). There are other hijacked GoDaddy domains on the same server (listed in italics below):

Recommended blocklist:
173.246.104.55
1800callabe.com
1866callabe.com
chellebelledesign.com
chellebelledesigns.com

millionaireheaven.com
pettigrew.us
www.situ-ingenieurgeologie.de


Something evil on 162.211.231.16

The server at 162.211.231.16 (IT7 Networks, Canada) is currently being used in injection attacks (example) which have been going on for some time [1] [2] and uses several domains, some of which are listed below.

The WHOIS details for these domains seem to be consistent but are possibly fake:

Registrant ID:CR148448937
Registrant Name:Leonardo Salim Chahda
Registrant Street1:Patron 6755
Registrant Street2:
Registrant Street3:
Registrant City:Capital Federal
Registrant State/Province:Buenos Aires
Registrant Postal Code:1408
Registrant Country:AR
Registrant Phone:+46.444407
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Registrant Email:info@brigitteunderwear.com


All the domains are very recently registered by GoDaddy. The WHOIS details for brigitteunderwear.com (also registered by GoDaddy in 2006) are consistent, but I've seen enough hijacked GoDaddy domains recently to be suspicious that there could be an element of identity theft here, and the named person may well have nothing to do with this attack.

I haven't had time to poke around at the payload too much, but this could well be a good IP to block, or alternatively use the list of domains that I have identified below (it may not be comprehensive, though).

Recommended blocklist:
162.211.231.16
acioepod.biz
acioepod.info
acioepod.org
acioepod.us
adrietod.biz
adrietod.info
adrietod.org
adrietod.us
alienore.biz
alienore.info
alienore.org
alienore.us
alpirute.biz
alpirute.info
alpirute.org
alpirute.us
alpojser.biz
alpojser.info
alpojser.net
alpojser.us
aniopirs.us
bialooes.biz
bialooes.info
bialooes.org
bialooes.us
boriskpr.biz
boriskpr.info
boriskpr.org
boriskpr.us
bugaletir.biz
bugaletir.info
bugaletir.org
bugaletir.us
bugaltoiy.biz
bugaltoiy.info
bugaltoiy.org
bugaltoiy.us
buhortes.biz
buhortes.info
buhortes.org
buhortes.us
caniopeo.us
caoilrsr.biz
caoilrsr.info
caoilrsr.org
caoilrsr.us
ciponeor.biz
ciponeor.info
ciponeor.org
ciponeor.us
deilonei.biz
deilonei.info
deilonei.org
deilonei.us
delovyto.biz
delovyto.info
delovyto.org
delovyto.us
diopoesl.us
diposero.biz
eniroikj.biz
eniroikj.info
eniroikj.org
eniroikj.us
feocipor.biz
feocipor.info
feocipor.org
feocipor.us
foleiord.biz
foleiord.info
foleiord.org
foleiord.us
foliadoe.biz
foliadoe.info
foliadoe.org
foliadoe.us
foprtise.biz
foprtise.info
foprtise.org
foprtise.us
gelaiork.biz
gelaiork.info
gelaiork.org
gelaiork.us
gipoeror.biz
gipoeror.info
gipoeror.org
golerods.biz
golerods.info
golerods.org
golerods.us
imanielo.biz
imanielo.info
imanielo.net
imanielo.us
mokioers.org
nimolpeo.biz
nimolpeo.info
nimolpeo.org
nimolpeo.us
niuritos.biz
niuritos.info
niuritos.org
niuritos.us
okoreiki.biz
okoreiki.info
okoreiki.net
okoreiki.us
openirod.biz
openirod.info
openirod.org
openirod.us
reoiklri.biz
reoiklri.info
reoiklri.org
reoiklri.us
tolikord.biz
tolikord.info
tolikord.org
tolikord.us
viloeirp.biz
viloeirp.org
vilosprs.biz
vilosprs.info
vilosprs.org
vilosprs.us
vokoralr.biz
vokoralr.info
vokoralr.org
vokoralr.us



Wednesday, 14 August 2013

ADP spam / hubbywifeburgers.com

This fake ADP spam leads to malware on hubbywifeburgers.com:

Date:      Wed, 14 Aug 2013 08:58:12 -0700 [11:58:12 EDT]
From:      "ADPClientServices@adp.com" [service@citibank.com]
Subject:      ADP Security Management Update

ADP Security Management Update

Reference ID: 39866

Dear ADP Client August 2013

This message is to inform you of the upcoming "Phase 2" enhancement to ADP Security Management (formally ADP Netsecure). This is where you manage your users' access to ADP's Internet services, and includes the self-service registration process.

Effective August 15th, ADP Security Management will reflect a new user interface. This will include tasks such as Account Maintenance, User Maintenance, and Company Maintenance within Security Management.

Please review the following information:

• Click here to view more details of the enhancements in Phase 2

• Complete the What's New in Security Management Service here (Expected to take about 15 minutes)

• View the Supported Browsers and Operating Systems, listed here. These are updated to reflect more current versions to ensure proper presentation of the updated user interface. It is important to note that the new ADP Security Management is best accessed using Microsoft Internet Explorer Version 8 or Mozilla Firefox Version 3.6, at minimum.

This email was sent to active users in your company that access ADP Netsecure with a security role of "security master" or "security admin". You may have other users that also access ADP Netsecure with other security roles. Please inform those users of these enhancements, noting that the above resources will have some functionality that does not apply to their role.

As always, thank you for choosing ADP as your business partner! If you have any questions, please contact your ADP Technical Support organization.

Ref: 0725 MSAMALONIS1@TWNSHP

[This message and any attachments are intended only for the use of the addressee and may contain information that is privileged and confidential. If the reader of the message is not the intended recipient or an authorized representative of the intended recipient, you are hereby notified that any dissemination of this communication is strictly prohibited. If you have received this communication in error, notify the sender immediately by return email and delete the message and any attachments from your system.]


Cherry Hill Township provides a secure environment for all information concerning our residents and all other business concerns. The information contained in this email is intended only for the individual(s) addressed in the message and may contain privileged and/or confidential information that is exempt from disclosure under applicable law.

Cherry Hill Township provides a secure environment for all information concerning our residents and all other business concerns. The information contained in this email is intended only for the individual(s) addressed in this message and may contain privileged and/or confidential information that is exempt from disclosure under applicable law.


Yeah.. click the link. What could possibly go wrong? Well, first you go to a legitimate hacked site that tries to load one of the following three scripts:

[donotclick]e-equus.kei.pl/perusing/cassie.js
[donotclick]cncnc.biz/pothooks/addict.js
[donotclick]khalidkala.com/immigration/unkind.js

From there, the victim is sent to a malware site that uses a hijacked GoDaddy domain at [donotclick]hubbywifeburgers.com/topic/nearby-promptly.php hosted on 199.195.116.51 (A2 Hosting, US - report here). This IP probably hosts other hijacked domains from the same owner.

Recommended blocklist:
199.195.116.51
hubbywifeburgers.com
e-equus.kei.pl
cncnc.biz
khalidkala.com
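Every "ThreeScripts" chain on this page has the same shape: a hacked legitimate site pulls in a .js from one of three compromised hosts (a two-word path such as /schlepped/suitor.js), and the victim is then bounced to a /topic/<words>.php landing page on a hijacked GoDaddy domain. That shape is easier to hunt for in proxy logs than the individual hosts, which change daily. The script below is an added example, not code from the original posts: it walks per-client request sequences and reports a chain when injected-script fetches are followed within a short window by a landing-page request. The log format (epoch, client, method, url, referer) and the sample lines are constructed; the malicious hostnames are the ones from the posts above.

```python
"""Hunt for the ThreeScripts redirect chain in web-proxy logs.

Added example, not from the original posts. Log format and sample lines are
constructed; the hostnames come from the posts on this page.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Injected script: /<word>/<word>.js, e.g. /schlepped/suitor.js
SCRIPT_RE = re.compile(r"^/[a-z]+/[a-z]+\.js$")
# Landing page: /topic/<2-4 words joined by _ or ->.php, e.g. /topic/able_disturb_planning.php
LANDING_RE = re.compile(r"^/topic/[a-z]+([_-][a-z]+){1,3}\.php$")
WINDOW = 30  # seconds allowed between the injected script and the landing page

# Constructed sample: one victim (10.1.2.3) and one benign client (10.1.2.9).
LOG = """\
1377100001 10.1.2.3 GET http://legit-but-hacked.example/news.html -
1377100002 10.1.2.3 GET http://www.it-planet.gr/schlepped/suitor.js http://legit-but-hacked.example/news.html
1377100002 10.1.2.3 GET http://gemclinicstore.com/admitted/tintinnabulations.js http://legit-but-hacked.example/news.html
1377100004 10.1.2.3 GET http://thenatemiller.co/topic/able_disturb_planning.php http://legit-but-hacked.example/news.html
1377100010 10.1.2.9 GET http://cdn.example/static/app.js http://shop.example/
1377100011 10.1.2.9 GET http://shop.example/topic/help.php http://shop.example/
"""


def parse(line):
    ts, client, method, url, referer = line.split()
    return {"ts": int(ts), "client": client, "method": method, "url": url, "referer": referer}


def find_chains(log_text, window=WINDOW):
    """Return one dict per detected chain: victim, hacked referrer, script hosts, landing host."""
    by_client = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            rec = parse(line)
            by_client[rec["client"]].append(rec)

    chains = []
    for client, reqs in by_client.items():
        reqs.sort(key=lambda r: r["ts"])
        scripts = []  # injected-script fetches seen so far for this client
        for r in reqs:
            u = urlsplit(r["url"])
            if SCRIPT_RE.match(u.path):
                scripts.append(r)
            elif LANDING_RE.match(u.path):
                recent = [s for s in scripts if r["ts"] - s["ts"] <= window]
                if recent:  # landing page preceded by injected scripts => chain
                    chains.append({
                        "client": client,
                        "hacked_site": urlsplit(recent[0]["referer"]).hostname,
                        "script_hosts": sorted({urlsplit(s["url"]).hostname for s in recent}),
                        "landing_host": u.hostname,
                        "landing_path": u.path,
                    })
    return chains


if __name__ == "__main__":
    for chain in find_chains(LOG):
        print(chain)
```

The two regexes encode the naming scheme seen in these posts; it will drift, so treat this as a hunt query rather than a signature. A lone request to a /topic/<words>.php path on a domain nobody in your organisation has visited before is still worth an alert on its own, and the referer of the first script fetch tells you which legitimate site has been compromised.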

Gmail Compose.. another app screwed up by Google

If you use Gmail then you've probably seen the "new compose" experience before. And turned it off. Well, Google never listens to feedback, and now Gmail joins a long list of applications that Google has screwed up, including Blogger, Google Play Music and Google Maps for Android; and don't get me started on Google Reader and iGoogle.


The new compose experience attempts to be minimalist, but in reality it's either too small or too big. If you are replying to a message then you get a tiny box at the bottom of the screen, a long way from the top of the email you are trying to reply to. And all the usual buttons have been hidden away because.. well, goodness only knows. It's a mess.

With these latest bodged updates, I really think that Google is jumping the shark and changing applications for no good reason at all. Android in particular is becoming a disaster area with important apps being screwed up completely. Perhaps it's time to buy a Lumia?

Tuesday, 13 August 2013

Bank of America spam / Instructions Secured E-mail.zip

This fake Bank of America spam has a malicious attachment:

Date:      Tue, 13 Aug 2013 09:35:13 -0500 [10:35:13 EDT]
From:      "Alphonso.Wilcox" [Alphonso.Wilcox@bankofamerica.com]
Subject:      Instructions Secured E-mail.pdf

I will be forwarding the application through a secure e-mail. Attached are instructions for you to create a password to open the secure e-mails from us. Just a bit of security for when we transmit confidential information.

Thanks,

Amado.Underwood
Bank of America
Principal Business Relationship Manager
Direct - 915-045-4237 office
Cell - 915-070-4128 cell
Amado.Underwood@bankofamerica.com

This message may contain confidential and/or privileged information. If you are not the addressee or authorized to receive this for the addressee, you must not use, copy, disclose, or take any action based on this message or any information herein. If you have received this message in error, please advise the sender immediately by reply e-mail and delete this message. Thank you for your cooperation. 
Attached to the message is a file Instructions Secured E-mail.zip which contains an executable file Instructions Secured E-mail.exe with an icon to make it look like a PDF file.

The detection rate for this initial malware is just 9/45 at VirusTotal.
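Two of the attachments on this page show why the Wells Fargo post's advice to block EXE-in-ZIP at the perimeter is worth acting on: report_{DIGIT[12]}.exe arrives inside a .zip, and Instructions Secured E-mail.exe carries a PDF icon to fool the eye. The script below is an added example, not code from the original posts: it opens a ZIP attachment and flags any member that has an executable extension or that starts with a DOS/PE header regardless of its name, and it refuses to pass encrypted members it cannot inspect. The sample archives are constructed in memory from a stub PE header, so nothing here is real malware.

```python
"""Flag ZIP attachments that carry Windows executables, whatever the member is called.

Added example for the posts above; not code from the original blog. Sample
archives are constructed in memory from a stub header, not real samples.
"""
import io
import struct
import zipfile

# Extensions Windows will run directly when double-clicked.
EXEC_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".cpl", ".bat", ".cmd",
                   ".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta"}


def looks_like_pe(data: bytes) -> bool:
    """True if data has an 'MZ' DOS header whose e_lfanew points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def suspicious_members(zip_bytes: bytes, sniff_bytes: int = 4096):
    """Return [(member_name, [reasons])] for every member that is, or hides, an executable."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            lower = name.lower().rstrip(" .")  # Windows ignores trailing dots/spaces
            ext = "." + lower.rsplit(".", 1)[-1] if "." in lower else ""
            reasons = []
            if ext in EXEC_EXTENSIONS:
                reasons.append("executable extension")
            if info.flag_bits & 0x1:
                reasons.append("encrypted member, cannot inspect")
            elif looks_like_pe(zf.open(info).read(sniff_bytes)):
                reasons.append("PE header")
            if reasons:
                findings.append((name, reasons))
    return findings


def verdict(zip_bytes: bytes) -> str:
    return "block" if suspicious_members(zip_bytes) else "allow"


# ---- constructed samples ---------------------------------------------------
def make_pe_stub() -> bytes:
    """Minimal MZ/PE header (not a runnable program) to exercise looks_like_pe()."""
    hdr = bytearray(0x80)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)  # e_lfanew -> offset 0x40
    hdr[0x40:0x44] = b"PE\x00\x00"
    return bytes(hdr)


def make_zip(members: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


SAMPLES = {
    # Names taken from the posts above; contents are the stub header.
    "Instructions Secured E-mail.zip": make_zip({"Instructions Secured E-mail.exe": make_pe_stub()}),
    "report_625859705821.zip": make_zip({"report_{DIGIT[12]}.exe": make_pe_stub()}),
    # PE content behind a harmless-looking name: caught by the header check only.
    "renamed.zip": make_zip({"statement.pdf": make_pe_stub()}),
    "clean.zip": make_zip({"readme.txt": b"nothing to see here"}),
}

if __name__ == "__main__":
    for fname, blob in SAMPLES.items():
        print(f"{fname}: {verdict(blob)} {suspicious_members(blob)}")
```

The header check matters more than the extension list: a PE renamed to .pdf inside the archive still gets blocked, and an encrypted member is treated as a block rather than a pass, since a password in the email body is a common way round exactly this kind of filter.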

This is a pony/gate downloader [1] which attempts to download from [donotclick]guterprotectionperfection.com/ponyb/gate.php on 192.81.135.132 (Linode, US). This is the same IP as used in this attack, and it also utilises a hijacked GoDaddy domain.

The downloader then attempts to fetch a second stage from the following locations [2] (as well as installing all sorts of hooks into your system):
[donotclick]Missionsearchjobs.com/D5F7G.exe
[donotclick]betterbacksystems.com/kvq.exe
[donotclick]www.printdirectadvertising.com/vfMJH.exe
[donotclick]S381195155.onlinehome.us/vmkCQg8N.exe

The second stage has an even lower detection rate of just 3/45. The analyses by Comodo CAMAS and Malwr do give some detail as to how this part infects the target system.

Recommended blocklist:
192.81.135.132
guterprotectionperfection.com
Missionsearchjobs.com
betterbacksystems.com
www.printdirectadvertising.com
S381195155.onlinehome.us

Pharma sites to block

These fake pharma sites and IPs seem related to these malware domains, and follow on from this list last week.

31.184.241.32 (Petersburg Internet Network, Russia)
46.29.18.176 (Sprint SA, Poland)
61.57.103.241 (Taoyuan TBC, Taiwan)
61.133.234.105 (Haidong Telecom, China)
91.199.149.238 (Novosibirsk A3 Ltd, Russia)
91.199.149.239 (Novosibirsk A3 Ltd, Russia)
91.204.162.81 (Network Communication, Poland)
91.204.162.95 (Network Communication, Poland)
91.204.162.96 (Network Communication, Poland)
91.216.163.92 (Informacines Sistemos Ir Technologijos UAB, Lithuania)
185.5.99.145 (Biznes-host.pl, Poland)
185.8.106.161 (HybridServers, Lithuania)
197.231.210.165 (Inspiring Networks LTD, Seychelles)
199.180.100.82 (PEG TECH INC, US)
199.180.100.85 (PEG TECH INC, US)

Recommended blocklist:

Malware sites to block 13/8/13

These IPs and domains belong to this gang and this list follows on from the one I made last week.

5.39.14.148 (OVH, France)
5.231.57.253 (GHOSTnet, Germany)
15.185.121.30 (HP Cloud Services, US)
24.173.170.230 (Time Warner Cable, US)
37.99.18.145 (2day Telecom, Kazakhstan)
42.121.84.12 (Aliyun Computing Co / Alibaba Advertising Co, China)
50.2.109.148 (Eonix Corporation, US)
50.56.172.149 (Rackspace, US)
59.77.36.225 (CERNET, China)
59.124.33.215 (Chunghwa Telecom, Taiwan)
61.36.178.236 (LG DACOM, Korea)
65.190.51.124 (Time Warner Cable, US)
66.230.163.86 (Goykhman And Sons LLC, US)
68.174.239.70 (Time Warner Cable, US)
74.207.251.67 (Linode, US)
75.147.133.49 (Comcast Business Communications, US)
78.47.248.101 (Hetzner, Germany)
88.86.100.2 (Supernetwork SRO, Czech Republic)
89.163.170.134 (Unitedcolo, Germany)
95.87.1.19 (Trakia Kabel OOD, Bulgaria)
95.111.32.249 (Mobiltel EAD, Bulgaria)
95.188.76.14 (Sibirtelecom OJSC, Russia)
95.138.165.133 (Rackspace, UK)
109.107.128.13 (The Blue Zone East, Jordan)
114.112.172.34 (Worldcom Teda Networks Technology, China)
123.202.15.170 (Hong Kong Broadband Network, Hong Kong)
140.113.87.153 (TANET, Taiwan)
140.116.72.75 (TANET, Taiwan)
173.224.211.216 (Psychz Networks, US)
177.53.80.39 (Cordeirópolis Ltda, Brazil)
185.5.54.162 (Interneto Vizija UAB, Lithuania)
186.251.180.205 (Infotech Informatica e Assistencia Tecnica Ltda, Brazil)
188.132.213.115 (Mars Global Datacenter Services, Turkey)
188.134.26.172 (Perspectiva Ltd, Russia)
190.85.249.159 (Telmex Colombia, Colombia)
190.95.222.196 (Homenet CIA. Ltda / Telconet, Ecuador)
198.211.115.228 (Digital Ocean Inc, US)
199.231.188.226 (Interserver Inc, US)
202.197.127.42 (CERNET, China)
204.124.182.30 (Volumedrive, US)
209.222.67.251 (Razor Inc, US)
212.68.34.88 (Mars Global Datacenter Services, Turkey)
216.158.67.42 (Webnx Inc, US)
217.64.107.108 (Society Of Mali's Telecommunications, Mali)

Recommended blocklist:

Monday, 12 August 2013

Facebook spam / guterhelmet.com

This fake Facebook spam leads to malware on guterhelmet.com:

Date:      Mon, 12 Aug 2013 17:51:17 -0200 [15:51:17 EDT]
From:      Facebook [update+zj433fgc2_aay@facebookmail.com]
Subject:      Willie Powell wants to be friends with you on Facebook.

facebook

interesting pages on facebook
mark as favorite web pages that interest you to receive their updates in your news feed.

Willie Powell
Willie Powell

Bao Aguliar
Bibi Akel

Eleanora Casella
Murray Carsten

Jordana Fiqueroa
Jona Fiorelli

Leisha Heape
Lacresha Hautala

Monnie Carrillo
Missy Carreiro
find more pages

go to facebook
the message was sent to {mailto_username}@{mailto_domain}. if you do not want to receive these e-mail. letters from facebook, please give up subscription.
facebook, inc., attention: department 415, po box 10005, palo alto, ca 94303

Is it me, or does everyone look the same?

The link in the email goes through a legitimate hacked site and then on to one of three scripts:
[donotclick]golift.biz/lisps/seventeen.js
[donotclick]fh-efront.clickandlearn.at/parboiled/couplets.js
[donotclick]ftp.elotus.org/products/cleats.js

From there, the victim is redirected to a hijacked GoDaddy domain with a malicious payload at [donotclick]guterhelmet.com/topic/able_disturb_planning.php hosted on 192.81.135.132 (Linode, US) along with a number of other hijacked domains (in italics below).

Recommended blocklist:
192.81.135.132
golift.biz
fh-efront.clickandlearn.at
ftp.elotus.org
guterglove.com
grandrapidsleaffilter.com
greenbayleaffilter.com
guterhelmet.com
guterprosva.com
Saturday, 10 August 2013

CNN: " Canadian teenager Rehtaeh Parsons" spam leads to malware

The bad guys don't have much of a sense of shame. This fake CNN email leads to malware on hubbynwifewines.com:

Date:      Sat, 10 Aug 2013 01:33:17 +0330 [18:03:17 EDT]
From:      CNN [BreakingNews@mail.cnn.com]
Subject:      CNN: " Canadian teenager Rehtaeh Parsons"

2 face charges in case of Canadian girl who hanged self after alleged rape
By Stephanie Gallman and Phil Gast, CNN
updated 6:39 AM EDT, Fri August 9, 2013
Canadian teenager Rehtaeh Parsons, who was allegedly gang-raped and bullied, has died, her family said. Parsons, 17, was hospitalized after she tried to hang herself on Thursday, April 4. The high school student from Halifax, Nova Scotia, was taken off life support three days later.

Canadian teenager Rehtaeh Parsons

Two 18-year-old men face child pornography charges in connection with the case of a 17-year-old girl who hanged herself after she was allegedly gang-raped and bullied online, Canadian authorities said Thursday evening.  Full story >>

The link in the email goes through a legitimate but hacked site and ends up running one of three scripts:
[donotclick]1494ccc706155932.lolipop.jp/canard/lockup.js
[donotclick]ftp.adaware.net/earwax/philosophic.js
[donotclick]hargobindtravels.com/coloratura/nesting.js

The victim is then sent to a malware payload site at [donotclick]hubbynwifewines.com/topic/able_disturb_planning.php which is a hacked GoDaddy domain hosted on 72.249.76.197.

Recommended blocklist:
72.249.76.197
1494ccc706155932.lolipop.jp
ftp.adaware.net
hargobindtravels.com
housewalla.com
hubby-wife.com
hubbynwife.com
hubbynwifecakes.com
hubbynwifewines.com
hubbynwifedesigns.com
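The Facebook and CNN posts above all end on the same landing path (/topic/able_disturb_planning.php) on different hijacked GoDaddy domains, and the Bank of America post shows a Pony gate at /ponyb/gate.php followed by bare .exe downloads. Added here as an example, not code from the original posts, is a proxy-log scan that matches on those shared paths first, so a newly hijacked domain is caught before it reaches any blocklist; the log lines are constructed, the host list is taken from the posts, and the root-level .exe regex is a heuristic assumption derived from the four download URLs in the Bank of America post.

```python
import re
from urllib.parse import urlsplit

# Indicators taken from the posts on this page.
LANDING_PATHS = {"/topic/able_disturb_planning.php", "/ponyb/gate.php"}
BLOCKED_HOSTS = {
    "guterprotectionperfection.com", "guterhelmet.com", "hubbynwifewines.com",
    "ftp.elotus.org", "hargobindtravels.com", "192.81.135.132", "72.249.76.197",
}
# Heuristic assumption: second-stage payloads were short alphanumeric .exe names at the web root.
EXE_AT_ROOT = re.compile(r"^/[A-Za-z0-9]{3,10}\.exe$")

# Constructed proxy log lines, not real traffic: epoch client method url status.
SAMPLE_LOG = """\
1376401200 10.0.0.5 GET http://www.example.org/index.html 200
1376401201 10.0.0.5 GET http://ftp.elotus.org/products/cleats.js 200
1376401202 10.0.0.5 GET http://not-yet-listed.example.net/topic/able_disturb_planning.php 200
1376401203 10.0.0.7 POST http://guterprotectionperfection.com/ponyb/gate.php 200
1376401204 10.0.0.7 GET http://www.printdirectadvertising.com/vfMJH.exe 200
1376401205 10.0.0.9 GET http://192.81.135.132/ 404
"""

def classify(url: str):
    """Return a verdict string for a URL, or None when nothing matches."""
    # Path indicators first: the landing path is shared by every hijacked
    # domain in these campaigns, so it catches hosts the blocklist lacks.
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if parts.path in LANDING_PATHS:
        return "landing-path"
    if host in BLOCKED_HOSTS:
        return "blocked-host"
    if EXE_AT_ROOT.match(parts.path):
        return "exe-at-root"
    return None

def scan_log(text: str) -> list:
    """Scan whitespace-separated log lines; return (client, url, verdict) hits."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip malformed lines rather than crash on them
        _ts, client, _method, url, _status = fields
        verdict = classify(url)
        if verdict is not None:
            hits.append((client, url, verdict))
    return hits
```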