Wednesday, 8 January 2014
More "Voice Message from Unknown" spam
Another bunch of fake "voice message" spams with a malicious payload are doing the rounds, for example:
Subject: Voice Message from Unknown (996-743-6568)
Subject: Voice Message from Unknown (433-358-8977)
Subject: Voice Message from Unknown (357-973-7738)
Body:
- - -Original Message- - -
From: 996-743-6568
Sent: Wed, 8 Jan 2014 12:06:38 +0000
To: [redacted]
Subject: Important Message to All Employees
Attached is a file VoiceMessage.zip which in turn contains VoiceMessage.exe which has a VirusTotal detection rate of 11/47. Automated analysis tools [1] [2] show an attempted connection to casbir.com.au on 67.22.142.68 (Cologlobal, Canada). This appears to be the only server on this IP address, so blocking or monitoring it for the time being may be prudent.
Labels:
Canada,
EXE-in-ZIP,
Malware,
Spam,
Viruses
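As an added example (not code from the original post), here is a small Python triage routine for the EXE-in-ZIP pattern described above: it lists every member of a ZIP attachment, flags executable extensions, and reads the first two bytes of each member so that a PE renamed to look like an audio file is still caught. The archive it inspects is constructed in memory and only borrows the VoiceMessage.exe name from the post; the MZ placeholder is not a real binary, and the extension list is an assumption.

```python
import io
import zipfile
from typing import Dict, List

# Extensions a mail gateway should treat as directly executable on Windows (assumed list).
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
PE_MAGIC = b"MZ"  # first two bytes of every Windows PE executable


def _extension(name: str) -> str:
    """Lower-cased final extension of a member name, or '' if it has none."""
    base = name.rsplit("/", 1)[-1]
    return ("." + base.rsplit(".", 1)[-1].lower()) if "." in base else ""


def triage_zip(data: bytes) -> List[Dict[str, object]]:
    """Report every file inside a ZIP with the reasons it looks risky.

    Only the first two bytes of each member are read, so a PE renamed to
    .wav or .mp3 is still caught, not just an obvious .exe.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            ext = _extension(info.filename)
            with zf.open(info) as member:
                head = member.read(len(PE_MAGIC))
            reasons = []
            if ext in EXECUTABLE_EXTENSIONS:
                reasons.append("executable extension " + ext)
            if head == PE_MAGIC:
                reasons.append("PE (MZ) header in content")
                if ext not in EXECUTABLE_EXTENSIONS:
                    reasons.append("PE content disguised as " + (ext or "a file with no extension"))
            findings.append({"name": info.filename, "size": info.file_size, "reasons": reasons})
    return findings


def should_quarantine(data: bytes) -> bool:
    """True when any member of the archive triggered at least one reason."""
    return any(f["reasons"] for f in triage_zip(data))


def build_sample_zip() -> bytes:
    """Constructed stand-in for VoiceMessage.zip (not the real sample): a fake PE
    under the name from the post, the same fake PE renamed to look like audio,
    and a harmless text file."""
    fake_pe = PE_MAGIC + b"\x00" * 62 + b"constructed placeholder, not a real binary"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("VoiceMessage.exe", fake_pe)
        zf.writestr("VoiceMessage.wav", fake_pe)
        zf.writestr("readme.txt", b"just text")
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_zip()
    for finding in triage_zip(sample):
        print(finding)
    print("quarantine:", should_quarantine(sample))
```

The content check is what makes this worth running at the gateway: an attacker who renames the payload to dodge an extension blocklist still ships an MZ header, and the disguised .wav member in the sample shows that case being caught.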
Monday, 6 January 2014
"Unauthorized Activity on your Amazon account" phish
The New Year seems to have brought a new wave of phishing emails; here's a new one looking for Amazon credentials.
Date: Mon, 6 Jan 2014 08:19:39 -0000 [03:19:39 EST]
From: Amazon [noreply@trysensa.com]
Case- 91289-90990
Unauthorized Activity on your Amazon account.
We recently confirmed that you had unauthorized activity on your Amazon account.
Please be assured that because your card includes "zero-liability fraud protection" , you are not responsible for unauthorized use of your card.
Unfortunately, we have not confirmed your complete information , please follow the instructions below.
Click the link below to validate your account information using our secure server:
Click Here To Active Your Amazon Account
For your protection, you must verify this activity before you can continue using your account
Thank You.
Amazon LTD Security System
The link in the email goes to [donotclick]immedicenter.com/immedicenter/images/yootheme/menu/Amazon/index.php and comes up with a convincing-looking Amazon login page:
The next page phishes for even more information:
And now it goes after your credit card information:
And having stolen all your information, you get a nice message to say thank-you:
The hapless victim then gets sent to the genuine Amazon.com website.
In most email clients, hovering over the link would clearly show that this is not the legitimate amazon.com website, and certainly once visited (not something I would recommend) the address bar at the top of the browser would clearly indicate that it is not amazon.com.
If you have accidentally clicked through this email and provided all the details, then you should contact your bank immediately and also change your Amazon password, plus the password at any other site where you use that same username/password combination.
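To make the "hover over the link" check mechanical, here is an added Python example (not part of the original post) that pulls every anchor out of an HTML email body and flags links whose host is not under the brand's domain, or whose visible text names a different domain from the one the href goes to. The sample body is constructed from the message above; its second link, with display text "www.amazon.com/your-account", is a made-up variant to show the text/href mismatch case, and the brand domain is supplied by the caller.

```python
import re
from html.parser import HTMLParser
from typing import Dict, List, Tuple
from urllib.parse import urlsplit

# Something that looks like a hostname inside the visible link text.
_HOST_IN_TEXT = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.IGNORECASE)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""

    def __init__(self) -> None:
        super().__init__()
        self.links: List[Tuple[str, str]] = []
        self._href = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def host_belongs_to(host: str, domain: str) -> bool:
    """True when host is domain itself or a subdomain of it."""
    host, domain = host.lower().rstrip("."), domain.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def check_links(html: str, brand_domain: str) -> List[Dict[str, object]]:
    """Return one record per link; 'reasons' is empty for links that pass."""
    parser = _LinkCollector()
    parser.feed(html)
    results = []
    for href, text in parser.links:
        host = (urlsplit(href).hostname or "").lower()
        reasons = []
        if not host_belongs_to(host, brand_domain):
            reasons.append(f"link host '{host}' is not under {brand_domain}")
        shown = _HOST_IN_TEXT.search(text)
        if shown:
            # Display text naming one domain while the href goes to another is the hover mismatch.
            shown_host = shown.group(1).lower()
            bare = shown_host[4:] if shown_host.startswith("www.") else shown_host
            if not host_belongs_to(host, bare):
                reasons.append(f"display text says '{shown_host}' but the link goes to '{host}'")
        results.append({"href": href, "text": text, "host": host, "reasons": reasons})
    return results


# Constructed from the phishing message quoted above; the second link is a made-up
# variant whose visible text names amazon.com while the href goes elsewhere.
SAMPLE_EMAIL_HTML = """
<p>Click the link below to validate your account information using our secure server:</p>
<p><a href="http://immedicenter.com/immedicenter/images/yootheme/menu/Amazon/index.php">Click Here To Active Your Amazon Account</a></p>
<p><a href="http://immedicenter.com/immedicenter/images/yootheme/menu/Amazon/index.php">www.amazon.com/your-account</a></p>
<p><a href="https://www.amazon.com/">Amazon</a></p>
"""

if __name__ == "__main__":
    for record in check_links(SAMPLE_EMAIL_HTML, "amazon.com"):
        print(record["href"], "->", record["reasons"] or "ok")
```

The suffix test in host_belongs_to deliberately requires a dot before the brand domain, so a host such as amazon.com.example.test does not pass as a subdomain of amazon.com.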
Tracking the fake profiles used by scammers
My interest was grabbed by this weirdly mistranslated email, which appears to have been badly written in English and then put through a translator program that has stumbled over the original email's bad punctuation.
From: mark dave [markdave440@gmail.com]
Reply-To: markpetersloanfirm@gmail.com
Date: 6 January 2014 00:37
أنا السيد مارك بيترز مشروعة والمقرض القرض السمعة. نحن
شركة ديناميكية بقروض من assistance.We المالية إلى الأفراد
في حاجة إلى المساعدة المالية، التي لديها سوء الائتمان أو في حاجة الى المال
لتسديد الفواتير، للاستثمار في بأعمال تجارية ترغب في استخدام هذه الوسيلة لأبلغكم
أننا تقديم المساعدة موثوقة والمستفيد كما نكون سعداء لتقديم لكم
وloan.contact بنا عبر عنوان البريد الإلكتروني: markpetersloanfirm@gmail.com
وتشمل الخدمات المقدمة؛ إعادة تمويل، تحسين المنزل، قرض الاستثمار، السيارات
القروض، وتوطيد الدين، خط الائتمان، والرهن العقاري الثانية، والأعمال التجارية
القروض، والقروض الشخصية، قروض السيارات، قروض السيارات.
يرجى الكتابة الى الوراء اذا كانت مهتمة.
الاسم الكامل:
البلد والدولة:
المدينة:
الجنسية:
مبلغ القرض المطلوب:
الجنس:
الإيجار الشهري:
الاتصال الهاتف:
الرمز البريدي:
مدة القرض:
هل تتكلم اللغة الإنجليزية:
This translates roughly as:
I Mr. Mark Peters legitimate and reputable loan lender. We
Dynamic company with loans from financial assistance.We to individuals
In need of financial assistance, that have a bad credit or in need of money
To pay bills, to invest in the business want to use this medium to inform you
We provide reliable and beneficiary assistance as be glad to offer you
And loan.contact us via e-mail address: Markpetersloanfirm@gmail.com
The services provided include; refinance, home improvement, investment loan, car
Loans, debt consolidation, credit line, and a second mortgage, and business
Loans, personal loans, car loans, car loans.
Please write back if interested.
Full name:
Country and State:
City:
Nationality:
The loan amount required:
Gender:
Monthly rent:
Contact Phone:
Zip Code:
Loan term:
Do you speak English:
We are waiting for your responds.
Obviously this is a scam, but it turns out the "Mark Dave" has a Google+ profile with the following photo:
So who is this a photo of? Well, if you haven't checked out Google Images you might not know just how good the reverse image search is. Clicking the camera icon allows you to upload an image or reverse search an image by URL:
The results for that photo are pretty revealing and lean heavily towards scams:
This thread on RomanceScam.com explains what is going on very well. The pictures belong to an innocent person called Stuart James who has had their online photo collection plundered by scammers in what adds up to a particularly cruel type of identity theft. It is perhaps an object lesson in not sharing too much online, and it seems to be a particular risk for anyone good looking and/or in the military.
ScamDigger also has a gallery of images commonly used by scammers, with the caveat that the people pictured are all innocent parties which makes interesting (but depressing) viewing.
A reverse image search is certainly useful sometimes at uncovering fake profiles, and it's something that anyone with basic computer skills should be able to do. Note that you can also use TinEye to do a similar search with a slightly different set of results, and I guess there are other reverse image search engines available, but between Google and TinEye you should be able to uncover fake profiles with ease.
Thursday, 2 January 2014
Windows.old, and the Windows XP to Windows 8.1 gotcha
So I finally got around to the long-overdue task of migrating my main system off Windows XP 32-bit (because it is going out of support soon) to Windows 8.1 64-bit because.. well, it's cheaper to go the Windows 8.x route than Windows 7, and 8 does have some interesting features.
You can't really upgrade Windows XP to Windows 8.1 in the traditional sense; it is basically a completely new installation, but it does retain your original Windows XP data so you can get to it later. But there's a gotcha here.
Windows 8.1 is a free upgrade to Windows 8, and I already had a Windows 8 upgrade disk that I bought a few months back. Upgrading from Windows XP to Windows 8 does create a set of backup files in a folder called windows.old so you can recover your data, including what was in the C:\Documents and Settings folder. So, in theory you just copy the old data from that folder into your new Documents folder.
Here's the gotcha. If you're like me, you've probably been putting off the Windows 8 upgrade until you can have Windows 8.1 which brings back the Start button. So the obvious next step is to do that (although you need to install KB2871389 to show Windows 8.1 in the app store). You can then do the 3GB+ download to install Windows 8.1 over Windows 8 which runs pretty smoothly. But before you do that.. remember to take your data out of the windows.old folder!
The trap here is that when you upgrade from Windows 8 to Windows 8.1, the contents of the windows.old folder are deleted and overwritten again, destroying the backup data from Windows XP.
Uh-oh. It's a good job that I'm paranoid about backups, so nothing was lost. But it's easy to see that people could lose data if they don't recover it from windows.old before they do the Windows 8.1 upgrade.
It really, really is worth investing in some offline storage or other backup medium before you do this. I took the opportunity to clone Windows XP to a new SSD drive before doing the upgrade and I disconnected the original hard disk, and I also made an offline backup to be on the safe side. But if I had just ploughed on and done the deed then I would have lost irreplaceable data.
Windows 8.1 is.. well, weird. But it does run very quickly on my four-year-old Dell Precision workstation with the SSD drive and a memory upgrade. Apart from the vanishing data it all went remarkably smoothly (if you are knowledgeable about Windows systems) and it didn't require any unpleasantness such as driver disks. The application troubleshooting is pretty awesome for apps that don't run properly under the new OS, and there are only a few really ancient 16-bit apps that I can't get to work that need recoding. Ah well, it should keep the computer up-to-date with security updates until 2023 which should easily be longer than the expected lifespan of the machine..
Friday, 27 December 2013
Odd "Wire transfer to your account" spam
Almost all spam tends to be some sort of scam or some sort of malware. I can't quite figure this one out though.
From: Andrew Chukwu [andrewchukw@gmail.com]
Date: 27 December 2013 13:24
Subject: Wire transfer to your account
Please review and follow the instruction to get your payment slip,
please get back to us as soon as you get it
Best of Luck
I know better than to open unsolicited .DOC files, so I put it through VirusTotal.. and it came out clean. Joe Sandbox, Malwr, and Malware Tracker all report it as clean too. In fact, the only thing it seems to contain is the following string:
file:///C:/DOCUME~1/AGV/LOCALS~1/Temp/New%20Invoice.htm
The metadata says:
Os: Windows Version 5.1
Code page: 1252
Author: AGV
Template: Normal
Last Saved By: AGV
Revision Number: 1
Name of Creating Application: Microsoft Office Word
Total Editing Time: 01:00
Create Time/Date: Thu Dec 26 10:15:00 2013
Last Saved Time/Date: Thu Dec 26 10:16:00 2013
Number of Pages: 1
Number of Words: 8
Number of Characters: 48
Security: 0
The email originates from a Gmail IP address, and given the Nigerian-sounding name it could simply be a scam email gone wrong, but I would strongly advise you not to open it in any case, just in case it is something far more malicious.
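As an added example (not the author's tooling), the following Python reads the kind of run-on metadata dump shown above back into a dictionary, extracts file:/// and UNC references from the document's strings, and notes what they reveal: the XP profile path leaks the username, which here matches the Author field, and an eight-word body means the document is little more than a wrapper around the link. The metadata string is the one from the post; the "strings" input is constructed around the one URI the post reports, and the 20-word threshold is an assumption.

```python
import re
from typing import Dict, List

# Property names exactly as they appear in the metadata dump above.
KNOWN_KEYS = [
    "Os", "Code page", "Author", "Template", "Last Saved By", "Revision Number",
    "Name of Creating Application", "Total Editing Time", "Create Time/Date",
    "Last Saved Time/Date", "Number of Pages", "Number of Words",
    "Number of Characters", "Security",
]
_KEY_RE = re.compile(r"(" + "|".join(re.escape(k) for k in KNOWN_KEYS) + r"):\s*")
# file:/// URIs and UNC paths (\\server\share\...) inside the document's strings.
_LOCAL_REF_RE = re.compile(r"file:///[^\s\"'<>]+|\\\\[A-Za-z0-9_.-]+\\[^\s\"'<>]+", re.IGNORECASE)
# Windows XP short-name profile path: DOCUME~1\<user>\ (either slash style).
_XP_PROFILE_RE = re.compile(r"DOCUME~1[/\\]([^/\\]+)[/\\]", re.IGNORECASE)
TINY_BODY_WORDS = 20  # assumed threshold below which the body is just a wrapper for the link


def parse_flat_metadata(text: str) -> Dict[str, str]:
    """Split a run-on 'Key: value Key: value' dump into a dict.

    Values contain spaces and colons ('Windows Version 5.1', '10:15:00'), so the
    split is driven by the known key names rather than by every ':'.
    """
    marks = [(m.start(), m.end(), m.group(1)) for m in _KEY_RE.finditer(text)]
    parsed: Dict[str, str] = {}
    for i, (_, value_start, key) in enumerate(marks):
        value_end = marks[i + 1][0] if i + 1 < len(marks) else len(text)
        parsed[key] = text[value_start:value_end].strip()
    return parsed


def find_local_references(strings: str) -> List[str]:
    """Every file:/// URI or UNC path found in the extracted strings."""
    return _LOCAL_REF_RE.findall(strings)


def triage_document(metadata_text: str, strings: str) -> Dict[str, object]:
    """Combine the metadata and the local references into a short list of notes."""
    meta = parse_flat_metadata(metadata_text)
    refs = find_local_references(strings)
    notes: List[str] = []
    for ref in refs:
        m = _XP_PROFILE_RE.search(ref)
        if m:
            notes.append(f"local path leaks Windows user profile '{m.group(1)}'")
            if meta.get("Author") == m.group(1):
                notes.append("profile name matches document Author")
    words = meta.get("Number of Words", "")
    if words.isdigit() and int(words) < TINY_BODY_WORDS:
        notes.append(f"body is only {words} words: the document is a wrapper around the link")
    return {"metadata": meta, "local_references": refs, "notes": notes}


# Metadata as reported in the post; the strings input is constructed around the one URI the post found.
SAMPLE_METADATA = (
    "Os: Windows Version 5.1 Code page: 1252 Author: AGV Template: Normal Last Saved By: AGV "
    "Revision Number: 1 Name of Creating Application: Microsoft Office Word Total Editing Time: 01:00 "
    "Create Time/Date: Thu Dec 26 10:15:00 2013 Last Saved Time/Date: Thu Dec 26 10:16:00 2013 "
    "Number of Pages: 1 Number of Words: 8 Number of Characters: 48 Security: 0"
)
SAMPLE_STRINGS = "Normal\nMicrosoft Office Word\nfile:///C:/DOCUME~1/AGV/LOCALS~1/Temp/New%20Invoice.htm\n"

if __name__ == "__main__":
    for note in triage_document(SAMPLE_METADATA, SAMPLE_STRINGS)["notes"]:
        print(note)
```

Nothing here decides whether the file is malicious; the point is that a document that scans clean can still tell you how it was built and by whom, and a local temp path to an .htm file is a good reason to keep it unopened.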
Monday, 23 December 2013
"Hearing of your case in Court NR#6976" spam
I've had quite a few spams with a similar payload to this that I can't even unzip. Go figure. But this one is an interesting variation.
Date: Mon, 23 Dec 2013 10:05:38 -0500 [10:05:38 EST]
From: Notice to Appear [support.6@jonesday.com]
Subject: Hearing of your case in Court NR#6976
Notice to Appear,
Hereby you are notified that you have been scheduled to appear for
your hearing that
will take place in the court of Washington in January 9, 2014 at 10:00
am.
Please bring all documents and witnesses relating to this case with
you to Court on your hearing date.
The copy of the court notice is attached to this letter.
Please, read it thoroughly.
Note: If you do not attend the hearing the judge may hear the case in
your absence.
Yours truly,
Alison Smith
Clerk to the Court.
There is an attachment Court_Notice_Jones_Day_Wa#8127.zip which in turn contains an executable Court_Notice_Jones_Day_Washington.exe which is presumably malicious, but I can't analyse it. The VirusTotal detection rate for the ZIP is 4/49.
Updated: a couple of other variants.. and the ISC have a report now too.
Date: Mon, 23 Dec 2013 20:02:52 -0400 [19:02:52 EST]
From: Notice to Appear [ticket_support.6@jonesday.com]
Subject: Hearing of your case in Court NR#2682
Notice to Appear,
Hereby you are notified that you have been scheduled to appear for
your hearing that
will take place in the court of Washington in January 15, 2014 at
09:00 am.
Please bring all documents and witnesses relating to this case with
you to Court on your hearing date.
The copy of the court notice is attached to this letter.
Please, read it thoroughly.
Note: If you do not attend the hearing the judge may hear the case in
your absence.
Yours truly,
Olivia Tailor
Clerk to the Court.
--------------
Date: Mon, 23 Dec 2013 11:21:46 -0700 [13:21:46 EST]
From: Notice to Appear [ticket_support.8@jonesday.com]
Subject: Notice of appearance in court NR#5365
Notice to Appear,
Hereby you are notified that you have been scheduled to appear for
your hearing that
will take place in the court of Washington in January 19, 2014 at
09:00 am.
Please bring all documents and witnesses relating to this case with
you to Court on your hearing date.
The copy of the court notice is attached to this letter.
Please, read it thoroughly.
Note: If you do not attend the hearing the judge may hear the case in
your absence.
Yours truly,
Jennifer Tailor
Clerk to the Court.
--------------
Date: Mon, 23 Dec 2013 21:37:10 -0700 [12/23/13 23:37:10 EST]
From: Notice to Appear [ticket_support.8@jonesday.com]
Subject: Urgent court notice NR#31620
Notice to Appear,
Hereby you are notified that you have been scheduled to appear for
your hearing that
will take place in the court of Washington in January 11, 2014 at
11:00 am.
Please bring all documents and witnesses relating to this case with
you to Court on your hearing date.
The copy of the court notice is attached to this letter.
Please, read it thoroughly.
Note: If you do not attend the hearing the judge may hear the case in
your absence.
Yours truly,
Barbara Smith
Clerk to the Court.
Update 2 [31/12/2013] in the past couple of days there has been a renewed spam run with some slightly different details. For some reason I cannot analyse the contents of the ZIP file, but you can be sure that it is malicious.
Sample emails:
Date: Tue, 31 Dec 2013 06:45:59 -0700 [08:45:59 EST]
From: Notice to Appear [support.7@lw.com]
Subject: Urgent court notice No#14110
Notice of appearance,
Hereby you are informed that you are due in the court of New York
on the 19 of January, 2014 at 10:00 am for the hearing of your case.
You are kindly asked to prepare and bring the documents relating to
the case to Court on the specified date.
Please, download the copy of the court notice attached herewith to
read the details.
Note: The case may be heard by the judge in your absence if you do not
come.
Yours truly,
Clark Murphy
Clerk to the Court.
============================
Date: Mon, 30 Dec 2013 17:03:29 -0400 [12/30/13 16:03:29 EST]
From: Notice to Appear [aa.support933@jonesday.com]
Subject: Notice of appearance in court NR#4723
Notice to Appear,
Hereby you are notified that you have been scheduled to appear for
your hearing that
will take place in the court of Washington in January 17, 2014 at
10:00 am.
Please bring all documents and witnesses relating to this case with
you to Court on your hearing date.
The copy of the court notice is attached to this letter.
Please, read it thoroughly.
Note: If you do not attend the hearing the judge may hear the case in
your absence.
Yours truly,
Evie Mason
Clerk to the Court.
============================
Date: Mon, 30 Dec 2013 13:05:54 -0600 [12/30/13 14:05:54 EST]
From: Notice to Appear [order.040@gibsondunn.com]
Subject: Hearing of your case in Court No7712
Notice to Appear in Court,
This is to advise that you are required to attend
the court of Los Angeles in January 11, 2014 for the hearing of your
case.
Please, kindly prepare and bring the documents related to this case to
Court on the date mentioned above.
Attendance is compulsory.
The copy of the court notice is attached to this letter, please,
download and read it thoroughly.
ALLEN Walsh
Clerk to the Court.
Sample attachments:
Court_Notice_Latham_and_Watkins__NY07550.zip
Court_Notice_Jones_Day_Wa#6152.zip
Court_Notice_Los_Angeles_No0216.zip
Update 3: [8/1/2014] another slight variation of this has gone out in the past day or so..
Date: Mon, 06 Jan 2014 18:12:16 -0400 [01/06/14 17:12:16 EST]
From: Court attendance notification [help151@perkinscoie.com]
Subject: Court attendance notification #No597
Pretrial notice,
Hereby we inform that you are obliged to come as a defendant
to The Court of Louisiana in February 23, 2014 at 10:30 a.m.
for the hearing of your case of illegal software use.
If necessary you have a right to obtain a lawyer for your protection.
You are kindly asked to have an identity document with you.
Personal appearance is compulsory.
Please find the plaint note with more detailed case information
attached to this letter and study it thoroughly.
Court clerk,
Donna Tailor
============================
Date: Tue, 07 Jan 2014 10:56:43 -0500 [01/07/14 10:56:43 EST]
From: Pretrial Notice [notice_support.6@alston.com]
Subject: Judicial summons No8365
Pretrial notice,
Hereby we inform that you are obliged to come as a defendant
to The Court of Atlanta in February 19, 2014 at 10:00 a.m.
for the hearing of your case of illegal software use.
If necessary you have a right to obtain a lawyer for your protection.
You are kindly asked to have an identity document with you.
Personal appearance is compulsory.
Please find the plaint note with more detailed case information
attached to this letter and study it thoroughly.
Court clerk,
Karen Mason
============================
Date: Tue, 07 Jan 2014 A.D. 18:33:05 -0400 [01/07/14 17:33:05 EST]
From: Pretrial Notice [support.3@alston.com]
Subject: Judicial summons No3877
Pretrial notice,
Hereby we inform that you are obliged to come as a defendant
to The Court of Atlanta in February 20, 2014 at 10:00 a.m.
for the hearing of your case of illegal software use.
If necessary you have a right to obtain a lawyer for your protection.
You are kindly asked to have an identity document with you.
Personal appearance is compulsory.
Please find the plaint note with more detailed case information
attached to this letter and study it thoroughly.
Court clerk,
Mary Smith
============================
Date: Wed, 08 Jan 2014 02:54:03 -0500 [02:54:03 EST]
From: Pretrial Notice [notice_support.8@alston.com]
Subject: Notice of appearance in court No96162
Pretrial notice,
Hereby we inform that you are obliged to come as a defendant
to The Court of Atlanta in February 12, 2014 at 09:00 a.m.
for the hearing of your case of illegal software use.
If necessary you have a right to obtain a lawyer for your protection.
You are kindly asked to have an identity document with you.
Personal appearance is compulsory.
Please find the plaint note with more detailed case information
attached to this letter and study it thoroughly.
Court clerk,
Alison Tailor
Sample attachment names:
Plaint_Note_Document_06_01#0478.zip
Plaint Note_06_01_2014_No2964.zip
Plaint_Note_Document_06_01#1619.zip
Plaint_Note_Document_06_01#6017.zip
This malware is detected by 28/48 scanners at VirusTotal, but the Malwr analysis of what it does seems pretty inconclusive.
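The samples above share a small set of subject phrases, fake case-number formats, sender display names and attachment-name patterns. As an added example (not from the original post), this Python scorer turns those into a simple mail-filter rule and runs it over four of the page's own subject/sender combinations plus one benign message; the pairing of each subject with an attachment name is constructed, the "Display Name [address]" sender format follows the page's rendering (real headers use angle brackets, which the regex also accepts), and the quarantine threshold of two reasons is an assumption.

```python
import re
from typing import Dict, List, Tuple

# Subject wording seen across the samples above.
SUBJECT_PHRASES = [
    r"\bcourt notice\b", r"\bnotice of appearance\b", r"\bhearing of your case\b",
    r"\bjudicial summons\b", r"\bcourt attendance notification\b",
]
# Fake case-number formats from the samples: NR#6976, No#14110, No7712, #No597, No96162.
CASE_NUMBER_RE = re.compile(r"(?:NR#|No#|#No|No)\s?\d{3,}", re.IGNORECASE)
# Display names used by the senders in the samples.
COURT_DISPLAY_NAMES = {"notice to appear", "pretrial notice", "court attendance notification"}
# Attachment names from the samples: Court_Notice_*.zip, Plaint_Note_*.zip, Plaint Note_*.zip.
ATTACHMENT_RE = re.compile(r"^(?:Court_Notice|Plaint[ _]Note).*\.zip$", re.IGNORECASE)
# The page renders senders as 'Display Name [address]'; real headers use <address>.
FROM_RE = re.compile(r"^\s*(.*?)\s*[\[<]([^\]>]+)[\]>]\s*$")
QUARANTINE_THRESHOLD = 2  # assumed: two independent signals are enough to hold the message


def parse_from(from_header: str) -> Tuple[str, str]:
    """Split a From header into (display name, address), both lower-cased."""
    m = FROM_RE.match(from_header)
    if not m:
        return "", from_header.strip().lower()
    return m.group(1).strip().lower(), m.group(2).strip().lower()


def score_court_notice(subject: str, from_header: str, attachments: List[str]) -> Dict[str, object]:
    """Score one message against the court-notice lure pattern."""
    reasons: List[str] = []
    if any(re.search(p, subject, re.IGNORECASE) for p in SUBJECT_PHRASES):
        reasons.append("subject uses court-summons wording")
    if CASE_NUMBER_RE.search(subject):
        reasons.append("subject carries a fake case number")
    display, address = parse_from(from_header)
    if display in COURT_DISPLAY_NAMES:
        reasons.append(f"sender '{display}' impersonates a court from {address.rpartition('@')[2]}")
    zips = [a for a in attachments if ATTACHMENT_RE.match(a)]
    if zips:
        reasons.append("court-notice ZIP attachment: " + ", ".join(zips))
    score = len(reasons)
    verdict = "quarantine" if score >= QUARANTINE_THRESHOLD else "deliver"
    return {"score": score, "verdict": verdict, "reasons": reasons}


# Subjects, senders and attachment names taken from the samples above; the pairing of
# each subject with an attachment name is constructed, as is the benign message.
SAMPLES = [
    ("Hearing of your case in Court NR#6976", "Notice to Appear [support.6@jonesday.com]",
     ["Court_Notice_Jones_Day_Wa#8127.zip"]),
    ("Urgent court notice No#14110", "Notice to Appear [support.7@lw.com]",
     ["Court_Notice_Latham_and_Watkins__NY07550.zip"]),
    ("Judicial summons No8365", "Pretrial Notice [notice_support.6@alston.com]",
     ["Plaint_Note_Document_06_01#0478.zip"]),
    ("Court attendance notification #No597", "Court attendance notification [help151@perkinscoie.com]",
     ["Plaint Note_06_01_2014_No2964.zip"]),
]
BENIGN = ("Lunch on Friday?", "Alice Example <alice@example.invalid>", ["agenda.pdf"])

if __name__ == "__main__":
    for sample in SAMPLES + [BENIGN]:
        print(sample[0], "->", score_court_notice(*sample)["verdict"])
```

Each signal on its own is weak (a real court might well write "notice of appearance"), which is why the verdict needs two of them; the attachment-name pattern is the one most likely to drift between runs, as the change from Court_Notice to Plaint_Note in Update 3 shows.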
Labels:
EXE-in-ZIP,
Malware,
Spam,
Viruses
QuickBooks spam / Invoice.zip
This fake QuickBooks spam has a malicious attachment:
Date: Mon, 23 Dec 2013 07:54:35 -0800 [10:54:35 EST]
From: QuickBooks Invoice [auto-invoice@quickbooks.com]
Subject: Important - Payment Overdue
Please find attached your invoices for the past months. Remit the payment by 12/23/2013 as outlines under our "Payment Terms" agreement.
Thank you for your business,
Sincerely,
Randal Owen
This e-mail has been sent from an automated system. PLEASE DO NOT REPLY.
The information contained in this message may be privileged, confidential and protected from disclosure. If the reader of this message is not the intended recipient, or an employee or agent responsible for delivering this message to the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this communication in error, please notify your representative immediately and delete this message from your computer. Thank you.
Attached to the message is a file Invoice.zip which has a VirusTotal detection rate of 5/44, which in turn contains a malicious executable Invoice.exe with a detection rate of 5/49.
Automated analysis [1] [2] [3] shows an attempted connection to wifordgallery.com on 174.127.73.250 (Hosting Services Inc, US); it appears to be the only domain on that server, so blocking the IP or the domain itself may give you some protection against this current run of malware.
Labels:
EXE-in-ZIP,
Malware,
Spam,
Viruses
Thursday, 19 December 2013
"FSA needed - 1800 GBP/month" fake job offer
This job offer is a fake..
Date: 19 December 2013 14:43
Subject: FSA needed - 1800 GBP/month
Having seen your CV that we gained from a staffing agency, we'd like to offer you a job.
We are a small independent company located in United Kingdom. The main field of our business is IT outsourcing services, including the search of clients for potential employees and matching the most ideal candidate for each company's request.
We are happy to extend this opportunity to you. This position does not require any special experience and agents are hired on part-time basis for 1 month probationary period. During which the applicants receive online training and support.
Salary during the training period will amount up to GBP 1,500 and you will be entitled to a commission of 8% on all of your operations. You will be eligible to participate in our benefit program.
Requirements: internet, phone and e-mail availability, ability to work 2-3 hours a day Monday through Friday, PC user skills.
Candidates should send their electronic application to newcareer93@gmail.com.
To expedite the communication process, please fill in the required information below:
=====FORM=====FORM=====
Forename: _____________________
Surname:________________________
Country of residence:______________________
Contact phone:________________________
Preferred call time:_____________________
=====FORM=====FORM=====
Thank You,
Emma Wilkinson
Labels:
Job Offer Scams,
Spam
"New Voicemail Message" spam from "Elfin Cars Sports"
This fake voicemail message from "Elfin Cars Sports" has a malicious attachment:
Automated analysis tools [1] [2] show an attempted connection to plantautomation-technology.com on 216.151.164.211 (NJ Tech Solutions, US) and anuudyog.com on 66.7.149.156 (Web Werks, US).
The attachment is VoiceMail.zip with a VirusTotal detection rate of 9/49, which in turn contains a malicious executable VoiceMail.exe with an icon to make it look like an audio file; this also has a detection rate of 9/49 (but with slightly different detections).
Date: Thu, 19 Dec 2013 08:36:56 -0600 [09:36:56 EST]
From: Voice Mail [noreply@spamcop.net]
Subject: New Voicemail Message
New Voicemail Message
You have been left a 1:02 long message (number 1) in mailbox from "Elfin Cars Sports"
07594434593, on Thursday, December 19, 2013 at 07:20:02 AM
The voicemail message has been attached to this email - which you can play on most
computers.
Please do not reply to this message. This is an automated message which comes from an
unattended mailbox. This information contained within this e-mail is confidential to, and
is for the exclusive use of the addressee(s). If you are not the addressee, then any
distribution, copying or use of this e-mail is prohibited. If received in error, please
advise the sender and delete/destroy it immediately. We accept no liability for any loss
or damage suffered by any person arising from use of this e-mail.
Labels:
EXE-in-ZIP,
Malware,
Spam,
Viruses
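The EXE-in-ZIP pattern that runs through these posts (a ZIP attachment whose only payload is an executable, often carrying an icon borrowed from an audio or document file) can be triaged at the mail gateway without waiting for antivirus detection rates to climb. The following is an added example, not code from the blog: it inspects a small archive constructed inline for the demonstration (the "executable" members are just an MZ header plus padding, not real programs) and flags members by executable extension, by double extension, or by a PE header hiding behind a harmless-looking extension.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Extensions Windows will execute directly once the archive is extracted.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js", ".jar"}
PE_MAGIC = b"MZ"  # DOS/PE signature found at offset 0 of every Windows executable


def suspicious_members(zip_bytes):
    """Return [(member_name, [reasons...])] for archive members that look executable.

    Reasons are heuristic: an executable extension, a double extension such as
    .jpg.scr, or a PE (MZ) header regardless of what the extension claims.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            suffixes = [s.lower() for s in PurePosixPath(info.filename).suffixes]
            reasons = []
            if suffixes and suffixes[-1] in EXECUTABLE_EXTENSIONS:
                reasons.append("executable extension " + suffixes[-1])
            if len(suffixes) >= 2:
                reasons.append("double extension " + "".join(suffixes))
            # Only the first two bytes are needed to spot a PE file; this avoids
            # decompressing a large (or deliberately huge) member in full.
            with zf.open(info) as fh:
                head = fh.read(2)
            if head == PE_MAGIC:
                reasons.append("PE/MZ header")
                if not suffixes or suffixes[-1] not in EXECUTABLE_EXTENSIONS:
                    reasons.append("PE content behind non-executable extension")
            if reasons:
                findings.append((info.filename, reasons))
    return findings


def build_sample_zip():
    """Constructed test archive (not a real attachment): three PE-looking stubs
    named after the attachments in these posts, plus one harmless text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("VoiceMail.exe", PE_MAGIC + b"\x90" * 62)         # plain EXE-in-ZIP
        zf.writestr("Invoice.pdf", PE_MAGIC + b"\x00" * 62)           # PE hiding behind .pdf
        zf.writestr("IMG003299.jpg.scr", PE_MAGIC + b"\x00" * 62)     # double extension
        zf.writestr("readme.txt", b"nothing to see here\n")
    return buf.getvalue()


if __name__ == "__main__":
    for name, reasons in suspicious_members(build_sample_zip()):
        print(f"{name}: {', '.join(reasons)}")
```

The extension check alone would miss the Invoice.pdf case, and the magic-byte check alone would miss scripts and batch files, which is why both are applied; a gateway rule that quarantines any archive with a finding here is cheap and catches this whole family of spam runs regardless of how many scanners recognise the day's sample.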
Wednesday, 18 December 2013
"VISA - Recent Transactions Report" spam / payment-history-n434543-434328745231.zip
This fake VISA spam comes with a malicious attachment:
Attached to the message is an archive file payment-history-n434543-434328745231.zip with a VirusTotal detection rate of 10/48, which in turn contains payment-history-n434543-434328745231.exe with a detection rate of 10/49. Automated analysis tools [1] [2] indicate a network connection to bestdatingsitesreview4u.com on 38.102.226.126 (PSInet, US). This appears to be the only site on that server, so blocking either the IP or the domain temporarily may help mitigate against infection.
Date: Wed, 18 Dec 2013 14:32:50 -0500 [14:32:50 EST]
From: Visa [Eddie_Jackson@visa.com]
Subject: VISA - Recent Transactions Report
Dear Visa card holder,
A recent review of your transaction history determined that your card was used in
possible fraudulent transactions. For security reasons the requested transactions were
refused. Please carefully review electronic report for your VISA card.
For more details please see the attached transaction report.
Virgie_Cruz
Data Protection Officer
VISA EUROPE LIMITED
1 Sheldon Square
London W2 6WH
United Kingdom
CONFIDENTIALITY NOTICE: This electronic mail transmission and any attached files contain
information intended for the exclusive use of the individual or entity to whom it is
addressed and may contain information belonging to the sender (Visa Europe Limited.) that
is proprietary, privileged, confidential and/or protected from disclosure under
applicable law. If you are not the intended recipient, you are hereby notified that any
viewing, copying, disclosure or distributions of this electronic message are violations
of federal law. Please notify the sender, by email or telephone (+44 (0)20 7795 3492), of
any unintended recipients and delete the original message without making any copies.
Thank You
Labels:
EXE-in-ZIP,
Malware,
Spam,
Viruses
Tuesday, 17 December 2013
Video: Parcel Reshipping Scams, Parcel Mules and Fake Job Offers
A brief presentation on how parcel reshipping scams work, and the role of parcel mules and fake job offers.
Labels:
Job Offer Scams,
Money Mule,
Scams,
Spam
Monday, 16 December 2013
yiyu-ipr.org domain scam
Yet another Chinese domain scam, this time trying to punt the "Tiger Direct" trademark (which I don't own!).
This scam has been running for a long time. In reality registrars are in no way responsible for checking trademarks before registration, and my experience is that even after these dire warnings nobody actually registers the domains in any case.
From: lisa [lisa@yiyu-ipr.org]
Date: 16 December 2013 04:04
Subject: International Trademark " tigerdirect"
(Please forward this to your CEO or President, because this is urgent. Thank you.)
Dear President & CEO,
We are an IPR registration service law office in China. On Dec.13, 2013, we received an application from "TD Investment Co., Ltd." wants to register the following Trademark and Domains:
Trademark:
tigerdirect
Domains:
tigerdirect.com.hk
tigerdirect.com.tw
tigerdirect.hk
tigerdirect.net.cn
tigerdirect.org.cn
tigerdirect.tw
Based on the registration procedure, we found that the name is the same as your company's name, and we must check these for you. If your company and this "TD Investment Co., Ltd." are the same company, there is no need to reply to us, We will accept their application and will register those for them soon. If your company has no relationships with that company nor authorized, please reply to us asap at latest within 7 workdays. But if we can't get any information from your side over 7 workdays, we will unconditionally approve the application submitted by "TD Investment Co., Ltd." Thanks for your cooperation.
Kind Regards,
Lisa Zeng
***************************************************
Lisa Zeng / Attorney
YIYU Chengdu Office(Head Office)
3/F,1st Building Citang Street No.8,
Qingyang District, ChengDu, China.
Tel: +86 28 8777 5008
Fax: +86 28 6246 5008
Web: http://www.yiyu-ipr.org
This e-mail contains information (including any attachments) intended only for the use of the individual or entity named above. If the reader of this e-mail is not the intended recipient or the authorized employee or agent responsible for delivering it to the intended recipient, any dissemination, publication or copying of this e-mail is strictly prohibited and may be illegal. If you have received this communication in error, please notify the sender. Thank you for your cooperation.
Please consider the environment before you print this e-mail.
I don't know if the WHOIS details for this domain are genuine, but there are:
Registrant ID:f0dda025f296d026
Registrant Name:David Tang
Registrant Organization:YIYU LAW OFFICE
Registrant Street1:chengdushi
Registrant Street2:
Registrant Street3:
Registrant City:chengdushi
Registrant State/Province:sichuan
Registrant Postal Code:100000
Registrant Country:CN
Registrant Phone:+86.2887775008
Registrant Phone Ext.:
Registrant FAX:+86.2862465008
Registrant FAX Ext.:
Registrant Email:296304138@qq.com
These other domains are all associated with the same outfit and you can probably assume that any similar pitch from them is a scam.
yiyu-ipr.org
yiyuinternational.com
yiyuit.org
yiyuiprlaw.com
yiyulaw.com
yiyullc.com
yy-ipr.org
yyipr.org
chadlaw.asia
chadlaw.org
chadlawoffice.org
chadiprlaw.org
marchiorousa.asia
wanbaojisige.com
Wednesday, 11 December 2013
"Wells Fargo" spam / WF_Docs_121113.exe
This fake Wells Fargo spam has a malicious attachment:
Automated analysis [1] [2] [3] shows an attempted connection to hortonnovak.com on 194.28.87.121 (Hostpro, Ukraine). There is only one site that I can see on this IP, so I would recommend blocking one or the other or both of them.
Attached to the email is a ZIP file whose name starts with WF_Docs_ and ends with the first part of the recipient's email address; inside that is a file with the date encoded into the filename, WF_Docs_121113.exe. VirusTotal detections are 6/49 for the ZIP and 6/47 for the EXE.
Date: Wed, 11 Dec 2013 17:03:26 +0100 [11:03:26 EST]
From: Kerry Pettit [Kerry.Pettit@wellsfargo.com]
Subject: FW: Important docs
We have received this documents from your bank, please review attached documents.
Kerry Pettit
Wells Fargo Accounting
817-295-1849 office
817-884-0882 cell Kerry.Pettit@wellsfargo.com
Investments in securities and insurance products are:
NOT FDIC-INSURED/NO BANK-GUARANTEES/MAY LOSE VALUE
Wells Fargo Advisors, LLC is a nonbank affiliate of Wells Fargo & Company, Member
FINRA/SIPC. 1 North Jefferson, St. Louis, MO 63103
CONFIDENTIAL NOTICE: The contents of this message, including any attachments, are
confidential and are intended solely for the use of the person or entity to whom the
message was addressed. If you are not the intended recipient of this message, please be
advised that any dissemination, distribution, or use of the contents of this message is
strictly prohibited. If you received this message in error, please notify the sender.
Please also permanently delete all copies of the original message and any attached
documentation. Thank you.
Labels:
EXE-in-ZIP,
Malware,
Spam,
Ukraine,
Viruses
"Your friend has just sent you a pic" spam / IMG003299.zip
This fake WhatsApp message has a malicious attachment.
Attached to the email is an archive IMG003299.zip (VirusTotal detections 7/43) which in turn contains a malicious executable IMG003299.exe (VirusTotal detections 9/49). Automated analysis tools [1] [2] [3] don't reveal very much about the malware in question however.
Date: Wed, 11 Dec 2013 18:29:19 +0700 [06:29:19 EST]
Subject: Your friend has just sent you a pic
Hi!
Your friend has just sent you a photograph in WhatsApp. Open attachments to see what it is.
© 2013 WhatsApp Inc
Labels:
EXE-in-ZIP,
Malware,
Spam,
Viruses
Tuesday, 10 December 2013
Fake Amazon.co.uk order spam / AM-ORDER-65HNA1972.exe
This fake Amazon spam has a malicious attachment:
Automated analysis tools seem to be timing out [1] [2] indicating perhaps that it has been hardened against sandbox analysis.
Attached is an archive file AM-ORDER-65HNA1972.zip (VirusTotal detections 9/47) which in turn contains a malicious executable AM-ORDER-65HNA1972.exe (VirusTotal detections 9/49) which has an icon to make it look like some sort of document.
Date: Tue, 10 Dec 2013 11:19:03 +0200 [04:19:03 EST]
From: blackjacksxjt@yahoo.com
Subject: order #822-8266277-7103199
Good evening,
Thank you for your order. We'll let you know once your item(s) have dispatched. You can check the status of your order or make changes to it by visiting Your Orders on Amazon.co.uk.
Order Details
Order #481-0295978-7625805 Placed on December 8, 2013
Order details and invoice in attached file.
Need to make changes to your order? Visit our Help page for more information and video guides.
We hope to see you again soon. Amazon.co.uk
Labels:
Amazon,
EXE-in-ZIP,
Malware,
Spam
Evil network: R5X.org / OVH
Russian web host R5X.org has featured on this blog a few times before, but I took the opportunity to look at it a little more closely. What I found wasn't nice.
Out of 300 domains that I found hosted now or recently in R5X.org's space (rented from OVH), 177 (59%) are flagged as malicious by Google, and 230 (77%) are flagged as spam or malware by SURBL. MyWOT ratings indicate that there are no legitimate sites in the IP address ranges I checked.
R5X.org doesn't have a network of its own but it rents IPs from OVH. I have identified several small netblocks which I strongly recommend that you block, although there may be others.
37.59.232.208/28
37.59.254.224/28
46.105.166.68/30
46.105.166.96/30
178.33.208.208/30
192.95.7.8/30
192.95.41.88/29
192.95.46.132/30
198.27.103.204/30
198.27.96.132/30
According to the WHOIS details, the blocks are suballocated to:
organisation: ORG-RL152-RIPE
org-name: R5X.org ltd
org-type: OTHER
address: Krasnoselskaja 15-219
address: 346579 Moscow
address: RU
abuse-mailbox: abuse@r5x.org
mnt-ref: OVH-MNT
mnt-by: OVH-MNT
source: RIPE # Filtered
Last year when R5X.org was using Hetzner, there was a name Tomas Gailiavicius associated with R5X although I do not know if that was accurate.
A list of all the domains I can find, with current IP addresses, MyWOT rating, Google prognosis and SURBL codes, can be found here [csv]; otherwise I recommend using the following blocklist:
37.59.232.208/28
37.59.254.224/28
46.105.166.68/30
46.105.166.96/30
178.33.208.208/30
192.95.7.8/30
192.95.41.88/29
192.95.46.132/30
198.27.103.204/30
198.27.96.132/30
airmicro.biz
alertimagine.biz
alertnovel.biz
analyzeidea.biz
analyzeideal.biz
analyzeimprovise.biz
anoticegenuine.biz
appearancemanager.biz
aprilfoolsheavenly.biz
aprilfoolsstylish.biz
aprilfoolstrend.biz
ardaymarvl.biz
artimpact.biz
assayfresh.biz
assayimagination.biz
assaythink.biz
assessinspire.biz
auditforward.biz
auditinnovation.biz
auditstrategy.biz
azimuthcalculating.biz
batillbicdaylook.biz
blackholerapture.biz
blackhoneydo.biz
blobhotel.com
bombepear.biz
bondcontracts.biz
boxingdaymarvel.biz
briefthink.biz
browseinspire.biz
canadadayglamorous.biz
ccenvicionety.biz
ccoutfutute.biz
celectgenuine.biz
checkbegin.biz
checkfuture.biz
checkimprovise.biz
checkimptovice.biz
checklead.biz
checkoriginal.biz
checkoutimprovise.biz
checkoutinnovation.biz
checkoutinvent.biz
check-out-invent.biz
checkoutmint.biz
checkoutnew.biz
choicedesign.biz
chqqwyottqqqg.biz
cityju.biz
claimpermanent.biz
clipalarm.biz
columbusdaystylish.biz
commentfocuc.biz
commentform.biz
commentforward.biz
commentfotwetd.biz
comthytria.biz
considerdesign.biz
coolcraft.biz
coolcv.biz
coonotho.biz
criticalgenuine.biz
criticizeprogress.biz
critiqueinnovation.biz
critiqueoriginal.biz
critiquepioneer.biz
critiqueprogress.biz
ctitiquenewmint.biz
cummetynew.biz
cupcakelemon.biz
custardpeach.biz
datasearch.biz
dattheupfront.com
dbolohokno.biz
dcolocdns.biz
ddcorpcdn.biz
decadiet.biz
degreeexplore.biz
degreeforward.biz
degreeimage.biz
degteeinnovete.biz
dfixedddns.biz
dfreecdn.biz
dfreshatnet.biz
dglibling.org
diagnoseimagine.biz
diagnosethink.biz
diccuccdecign.biz
digiedu.biz
dindaclubz.biz
dinwhatyoutrus.com
dinwheremyon.biz
diwalisplendid.biz
dknuspit.biz
dmineworl.com
dminicdn.biz
dojoplan.com
donthecolo.biz
dtnek.biz
dtryandgetit.com
dunicombix.biz
dwewellgo.biz
dwhyyouathere.org
dyesweboz.biz
dzalkombi.biz
easterprincess.biz
ecceyincpite.biz
emancipationdaymarvel.biz
enelyzeideel.biz
enelyzeimptovice.biz
evaluateresearch.biz
examineconcept.biz
examinesee.biz
examinevisionary.biz
explorefuture.biz
eyenovel.biz
eyethink.biz
fathersdaydelight.biz
feedbackdiscover.biz
feedbackfresh.biz
feedbackmove.biz
feedbeckdiccovet.biz
feelconcept.biz
fluagdaychic.biz
futureaqua.biz
gelatolime.biz
gradefocus.biz
gradeimagine.biz
gradesfresh.biz
grandparntdaycharming.biz
greatsimply.biz
groundhogdaycharm.biz
guyfawkdayfahionabl.biz
hanukkahlooks.biz
heliumvenal.biz
higifts.biz
homecomputer.biz
independencedaygallant.biz
injunctionpositions.biz
innocentfulltime.biz
inspectinstitute.biz
inspectionimagination.biz
inspectoriginal.biz
inspectresearch.biz
instantdevelopment.biz
internetcrea.biz
ithealthcare.biz
iwantfilm.biz
iwantmega.biz
judgebegins.biz
kwanzaavanity.biz
lawyeravailable.biz
lctiondayfabulou.biz
lctoqdoycott.biz
lightfund.biz
likeinspire.biz
lincolnsbirthdaydazzle.biz
lookbackidea.biz
lookbackprogress.biz
lookbeckptogtecc.biz
lookoriginal.biz
mackids.biz
magicbizic.biz
mapviral.biz
mardigraslooks.biz
markforge.biz
maydaylganc.biz
mcwar.info
measurestyle.biz
mediationjob.biz
meecutectyle.biz
meringuebreadfruit.biz
mmorialdayattractiv.biz
mmorialdaychic.biz
muttnikcontntmnt.biz
mypioneer.biz
newtellypioneet.biz
notefresh.biz
noteftech.biz
noteresearch.biz
noticedream.biz
noticeform.biz
noticeforward.biz
noticefotm.biz
observemodern.biz
othtdoyttqd.biz
ovetviewnewfotm.biz
penumbraoptimism.biz
picksearch.biz
planetarycontentment.biz
plantabicrycontntmnt.biz
pocinctity.biz
pointcctyle.biz
pointsnovel.biz
precessionrelieved.biz
pridntdaynchant.biz
probediscover.biz
profilechange.biz
ptobemint.biz
qualityconcept.biz
quectmodetn.biz
quectnewimptovice.biz
questnew.biz
questsee.biz
randayflar.biz
rangeinnovation.biz
rateidea.biz
ratewish.biz
readvisionary.biz
recapcreate.biz
recapimagination.biz
remarkinstitute.biz
retrospectfuture.biz
retrospectmove.biz
retrospectschange.biz
reviewimprovise.biz
reviewmint.biz
reviewstyle.biz
rohhahanahfabulou.biz
rohhahanahway.biz
roshhashanahlovely.biz
sayinstitute.biz
scannew.biz
scanvisionary.biz
scoreoriginal.biz
scoringchange.biz
scoringdiscover.biz
scoringprogress.biz
scoutforward.biz
scoutinstitute.biz
screenthink.biz
seelabs.biz
selectgenuine.biz
sentryforge.biz
settlementgig.biz
shakedownconcept.biz
shakedowncreate.biz
spiralhotel.tk
summaryinnovation.biz
summarymint.biz
sundaebanana.biz
surveyresearch.biz
surveythink.biz
sustainagency.biz
synodicintent.biz
synopsislab.biz
synopsisnovel.biz
synopsisstrategy.biz
tallystyle.biz
tecepimeginetion.biz
tectideel.biz
tectteceetch.biz
tectthink.biz
teedinctitute.biz
tellydteem.biz
temetknewleb.biz
testimonyjobs.biz
testresearch1.biz
testthink.biz
tettocpenewctmove.biz
ticketdnewevelop.biz
tlttygtpy.biz
tnewecepcteete.biz
todiotionont.biz
tortekiwi.biz
truffleraspberry.biz
ttnikcontntnt.biz
ttoqlbcqotcol.biz
ttydiccovet.biz
ttyvicionety.biz
usurycontracts.biz
valentinespell.biz
valntincharming.biz
valntindaycoutur.biz
valntintrnd.biz
viewfotmnew.biz
viewmove.biz
vigiladvance.biz
vigiledvence.biz
vipscan.biz
vqolqtqdoyodl.biz
waxingtriumph.biz
wetchimptovice.biz
yomkippurmodel.biz
yourtheme.biz
youtgenuine.biz
yvanity.biz
zodiacafraid.biz
Labels:
Evil Network,
Malware,
OVH,
R5X.org,
Russia
"EUROPOL" scareware / something evil on 193.169.87.247
193.169.87.247 ("PE Ivanov Vitaliy Sergeevich", Ukraine) is currently serving up scareware claiming that the victim's PC is locked, using the following domains:
a1751.com
b4326.com
d2178.com
f1207.com
h5841.com
k6369.com
The scareware is multilingual and detects the country that the visitor is calling from. In this case I visited from the UK and got the following:
Europol EUROPEAN CYBERCRIME CENTRE Europol EC3
All activities of this computer have been recorded. All your files are encrypted.
ATTENTION!
All your files are encrypted to prevent their distribution and use.
Due to violations of the law, your browser has been blocked
because of at least one of the reasons below.
1. You have been subjected to violation of Copyright and Related Rights Law and illegally using or distributing copyrighted contents such as Video, Music or\and Software (files were found in your browser's temporary files and your documents), thus conflicting with Article 1, Section 8, Clause 8 of the Criminal Code of the United Kingdom.
Article 1, Section 8, Cause 8 of the Criminal Code states a fine or two hundred minimal wages or a deprivation of liberty of two to eight years.
2. You have been viewing or distributing prohibited Pornographic contents: Child Porno photos and such, were found in browser's temporary files and your documents.
Thus, you are violating article 202 of the Criminal Code of the United Kingdom. Article 202 of the Criminal Code states a deprivation of liberty of four to twelve years.
3. Illegal access has been initiated from your PC without your knowledge or consent, your PC may be infected with malware, thus you are violating the law of Neglectful Use of your Personal Computer. Article 210 of the Criminal Code declares a fine of up to £50,000 and/or deprivation of liberty of four to nine years.
Pursuant to the amendment of the Criminal Code of the United Kingdom of May 28, 2011, this law infringement (if it is a first time offence) may be considered as conditional in case you pay the fine.
To unlock your computer and avoid other legal consequences, you are obliged to pay a release fee of £200, payable through Ukash (you must purchase the Ukash card and enter the code). You can buy the card at any store or gas station, payzone or paypoint.
Find the nearest epay or payzone location.
Go to any location with a PayPoint or Payzone terminal.
Ask for Ukash: £200.00 (one voucher code).
Please note: Fine can only be paid within 12 hours. As soon as 12 hours expire, the possibility to pay the fine is lost forever. All your PC data will be detained and criminal's procedure will be initiated against you if the fine will not be paid!
The text varies depending on the country the visitor is in, for example URLquery displays the text in Norwegian.
The bad guys use subdomains to obfuscate the domain somewhat, so instead of just seeing f1207.com (for example), you get europol.europe.eu.id176630100-8047697129.f1207.com, which looks a little more official. You can see some more examples here.
All the domains in use are registered through scam-friendly registrar BIZCN to:
Registrant Name: Zhong Si
Registrant Organization: Xicheng Co.
Registrant Street: Huixindongjie 15 2
Registrant City: Beijing
Registrant State/Province: Chaoyang
Registrant Postal Code: 101402
Registrant Country: cn
Registrant Phone: 01066569215
Registrant Phone Ext:
Registrant Fax: 01066549216
Registrant Fax Ext:
Registrant Email: zhongguancun@yahoo.com
Now, I would normally suggest that the WHOIS details were fake but a Google search for the email address shows that it has been active for over two years including this injection attack I documented in September 2011. It is possible therefore that Zhong Si and Xicheng Co are actually responsible.
193.169.87.247 is registered to "PE Ivanov Vitaliy Sergeevich" (i.e. Vitaliy Ivanov, or Виталий Сергеевич Иванов) as follows:
organisation: ORG-IV2-RIPE
org-name: PE Ivanov Vitaliy Sergeevich
org-type: OTHER
address: 42-A Tobolskaya street, office 230, Kharkov, Ukraine
mnt-ref: MNT-IV25
mnt-by: MNT-IV25
source: RIPE # Filtered
193.169.87.247 forms part of 193.169.86.0/23 (AS48031), which has a so-so reputation according to Google. It does look like there are a lot of legitimate sites in the neighbourhood as well as these malicious ones.
Recommended blocklist:
193.169.87.247
a1751.com
b4326.com
d2178.com
f1207.com
h5841.com
k6369.com
Update: a similar attack has also taken place on 193.169.86.250 on the same netblock.
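The subdomain trick and the blocklist above both come down to the same matching rule: a hostname is hostile if its registrable domain (f1207.com and friends) is on the list, whatever is stacked to the left of it, and an IP is hostile if it is listed outright. The following Python is an added example, not code from the original post, that applies those rules. It uses the post's own domains, the two listed IPs (including 193.169.86.250 from the update) and the AS48031 /23; because the post notes that netblock also hosts legitimate sites, addresses in it that are not on the list are flagged for review rather than blocked. The sample indicator list is constructed for illustration.

```python
import ipaddress

# Indicators copied from the post: apex domains and IPs to block outright,
# plus the AS48031 /23 the IPs live in. The post notes that netblock also
# hosts legitimate sites, so it is only watched, not blocked.
BLOCKED_DOMAINS = {
    "a1751.com", "b4326.com", "d2178.com",
    "f1207.com", "h5841.com", "k6369.com",
}
BLOCKED_IPS = {
    ipaddress.ip_address("193.169.87.247"),
    ipaddress.ip_address("193.169.86.250"),   # from the update to the post
}
WATCHED_NETWORKS = [ipaddress.ip_network("193.169.86.0/23")]


def registrable_domain(hostname: str) -> str:
    """Reduce a hostname to its last two labels.

    Deliberate simplification: correct for the .com names in the post, but a
    real deployment should use the Public Suffix List so that a name under
    e.g. .co.uk is not reduced to 'co.uk'.
    """
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_blocked_host(hostname: str) -> bool:
    """True if hostname is a blocked apex domain or any subdomain of one.

    The leading dot in the suffix test is what stops 'notf1207.com' from
    matching, while still catching the long europol.europe.eu... lookalike.
    """
    host = hostname.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in BLOCKED_DOMAINS)


def classify(indicator: str) -> str:
    """Return 'block', 'review' or 'allow' for a hostname or IP literal."""
    try:
        addr = ipaddress.ip_address(indicator)
    except ValueError:
        # Not an IP literal, so treat it as a hostname.
        return "block" if is_blocked_host(indicator) else "allow"
    if addr in BLOCKED_IPS:
        return "block"
    if any(addr in net for net in WATCHED_NETWORKS):
        return "review"
    return "allow"


def triage(indicators):
    """Group a batch of indicators (e.g. hosts pulled from proxy logs) by verdict."""
    out = {"block": [], "review": [], "allow": []}
    for ind in indicators:
        out[classify(ind)].append(ind)
    return out


# Constructed sample, modelled on the hostnames and IPs quoted in the post.
SAMPLE = [
    "europol.europe.eu.id176630100-8047697129.f1207.com",
    "k6369.com",
    "notf1207.com",          # lookalike that must NOT match
    "193.169.87.247",
    "193.169.86.250",
    "193.169.86.10",         # same /23, not on the list: flag for review
    "193.169.88.10",         # outside the /23
]

if __name__ == "__main__":
    for verdict, items in triage(SAMPLE).items():
        print(verdict, items)
```

The suffix test deliberately requires a leading dot: a naive `"f1207.com" in host` check would match both `notf1207.com` and `f1207.com.example.net`, neither of which is the attacker's domain. Feeding the hostnames from a proxy or DNS log through `triage()` gives a quick first cut; the "review" bucket is where a single hostile IP in a mixed netblock usually shows up first.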
Monday, 9 December 2013
Malware sites to block 9/12/2013
These malicious sites and IPs are related to this attack (thanks to the folks at ThreatTrack Security for the tip). Although a lot of the sites are not currently resolving, those that are up are hosted on 37.59.254.224 and 37.59.232.208 which are a pair of OVH IPs suballocated to:
organisation: ORG-RL152-RIPE
org-name: R5X.org ltd
org-type: OTHER
address: Krasnoselskaja 15-219
address: 346579 Moscow
address: RU
abuse-mailbox: abuse@r5x.org
mnt-ref: OVH-MNT
mnt-by: OVH-MNT
source: RIPE # Filtered
R5X.org IPs have featured a couple of times before here [1] [2] so I would suggest blocking any that you find. I'll do some research on those soon, but in the meantime I would recommend blocking the following IPs and domains. Domains that are already flagged by Google are highlighted.
37.59.232.208/28
37.59.254.224/28
activresa.biz
adskills.biz
aircoach.biz
alertnovel.biz
alertsieve.biz
allba.biz
allbat.biz
alldental.biz
analyzebroil.biz
appcars.biz
appgather.biz
appraisecore.biz
artgauther.biz
artgolf.biz
assaythink.biz
assessimprovise.biz
assessinspire.biz
assessjell.biz
atvilla.biz
auditform.biz
auditinnovation.biz
autosquare.biz
bighype.biz
biovote.biz
bizspiecial.biz
blackconstruction.biz
blackla.biz
booktv.biz
brandprinting.biz
briefsearch.biz
celectgenuine.biz
checkcan.biz
checkimprovise.biz
checklead.biz
checkoriginal.biz
checkouthash.biz
checkoutimprovise.biz
checkoutinnovation.biz
checkoutmint.biz
choiceoil.biz
choiceprogress.biz
choiceshell.biz
citycomputer.biz
classicbon.biz
clickresearch.biz
codeway.biz
commentfocus.biz
comwin.biz
coolcraft.biz
cosong.biz
creativegeo.biz
critiqueoriginal.biz
critiquepreserve.biz
dailyaqua.biz
dailyteach.biz
dailyyaqua.biz
datasoccer.biz
degreeaerate.biz
degreedream.biz
degreeforward.biz
degreefresh.biz
degreeimage.biz
designdating.biz
diagnosethink.biz
diagnoseturn.biz
digitalquant.biz
digitalra.biz
directtiny.biz
discussexplore.biz
discussinspire.biz
djmeta.biz
drcoupon.biz
eurosync.biz
evaluatebrown.biz
evaluatefresh.biz
examinesearch.biz
experptware.biz
expertsurvey.biz
eyenovel.biz
eyerise.biz
eyethink.biz
facequant.biz
feedbackfresh.biz
feedbackmove.biz
firstozip.biz
firststudy.biz
flypanda.biz
flyradio.biz
foodneo.biz
freebill.biz
funelectronics.biz
gaugefuture.biz
gaugegenuine.biz
gaugeimage.biz
globalhoneydo.biz
gotpuppy.biz
gradefocus.biz
gradeimagine.biz
gradeschange.biz
gradesdesign.biz
gradesfresh.biz
gradesimagine.biz
gradewhisk.biz
hexvox.biz
ideatablet.biz
ideawatches.biz
imagepop.biz
inspectionprogress.biz
inspectstrategy.biz
instantconsulting.biz
instaontent.biz
interbpixo.biz
interfx.biz
interloan.biz
interpixo.biz
jobgrow.biz
judgebegins.biz
judgelab.biz
judgelabzs.biz
learinatlas.biz
learnatlas.biz
lifehuman.biz
lightcasa.biz
likecore.biz
localbuddy.biz
lookbackcreate.biz
lookbackgenuine.biz
lookbackidea.biz
lookdevelop.biz
macresume.biz
magicse.biz
mapchawalit.biz
mapmchawalit.biz
mapmove.biz
mapsport.biz
markforge.biz
maxliberty.biz
mccolor.biz
measurefocus.biz
measurewedge.biz
medialiving.biz
mediavliving.biz
megalittle.biz
megasi.biz
micromicro.biz
microtheme.biz
miniint.biz
morecrm.biz
moreve.biz
moviehello.biz
movielegal.biz
movieprice.biz
neodating.biz
netknowledge.biz
newsnice.biz
newtellypioneet.biz
nextsuccess.biz
notesee.biz
noticechange.biz
noticedream.biz
noticegenuine.biz
observebrown.biz
observewedge.biz
okmagazine.biz
onbytce.biz
onbyte.biz
onlincerobo.biz
onlinerobo.biz
openphotography.biz
optioncoddle.biz
optionescallop.biz
optionstrategy.biz
ournext.biz
ourrecipe.biz
overvieworiginal.biz
perfectcore.biz
peterqwwhite.biz
petfaast.biz
petwhite.biz
petzen.biz
photosuper.biz
pickmarinate.biz
planetbright.biz
planextbright.biz
playgraphics.biz
playlittle.biz
pointname.biz
pointtraining.biz
polypink.biz
popmom.biz
popmotm.biz
powerrtie.biz
probediscover.biz
profilechange.biz
profilepioneer.biz
profreelance.biz
profrqeelance.biz
projectcharity.biz
provote.biz
qualitybegin.biz
qualitycan.biz
qualityconcept.biz
qualitydebone.biz
qualityschirr.biz
questnew.biz
rangeinspire.biz
rangerender.biz
rangetop.biz
rankmodern.biz
ratebigdata.biz
ratedream.biz
rateimagine.biz
ratewish.biz
readdiscover.biz
readstrategy.biz
readvisionary.biz
recapgenuine.biz
recapimagination.biz
redbike.biz
redbiqke.biz
remarkdevelop.biz
remarkinstitute.biz
reviewmint.biz
reviewstyle.biz
revuewhisk.biz
runfair.biz
safemeta.biz
savedash.biz
savedecor.biz
saydeglaze.biz
sayinstitute.biz
sayzest.biz
scanbeat.biz
scanskewer.biz
scoringfocus.biz
scoringsprinkle.biz
scoutforward.biz
scoutinstitute.biz
scoutsearch.biz
scoutskewer.biz
screenthink.biz
searchcars.biz
seekbodybuilding.biz
seekdiet.biz
seekimg.biz
seekiumg.biz
seelabs.biz
selectexplore.biz
selectjell.biz
sentrymeasure.biz
sentrymodern.biz
shakedownconcept.biz
shakedowngrease.biz
sharework.biz
sharpice.biz
silvekrkitchen.biz
silverkitchen.biz
simplegeo.biz
simpllegeo.biz
simplyportal.biz
simplyvintage.biz
skycrnedit.biz
socialtrain.biz
sociaulmicro.biz
softanimal.biz
softflex.biz
spaceshow.biz
star123.biz
startprinting.biz
studibothe.biz
studiothe.biz
surveyskim.biz
surveywedge.biz
tecepimeginetion.biz
tectideel.biz
televintage.biz
testmash.biz
testthink.biz
tettocpenewctmove.biz
thinkisoftware.biz
thinkmetal.biz
thinkurban.biz
tickersweeten.biz
ticketdnewevelop.biz
tierovercook.biz
tierwarm.biz
tnewecepcteete.biz
true3d.biz
truetrack.biz
trydiscover.biz
tryforward.biz
ttyvicionety.biz
urbanyour.biz
usaab.biz
usafuture.biz
usalion.biz
usana.biz
usanat.biz
usatrvack.biz
videoleo.biz
vipscan.biz
vipwicsh.biz
virtualpush.biz
virtuqalspark.biz
watchgel.biz
webbipolar.biz
winarc.biz
worlddigest.biz
wwwems.biz
youcoqnsultant.biz
yourform.biz
yourglaze.biz
youtgenuine.biz
zenweight.biz
1stnerd.biz
activesa.biz
aerofinance.biz
airlead.biz
airmicro.biz
alertcaramelize.biz
alertimagine.biz
alertpulp.biz
alerttenderize.biz
analyzeidea.biz
analyzeknead.biz
analyzesteep.biz
appraisesliver.biz
appwebdesign.biz
artgather.biz
artimpact.biz
assayinspire.biz
assayseparate.biz
assessfocus.biz
assessoil.biz
assessscore.biz
assesssoak.biz
assesssteam.biz
assessstir.biz
assessturn.biz
assesswhisk.biz
auditbarbecue.biz
auditcut.biz
auditgel.biz
auditserve.biz
autoglam.biz
besttechnology.biz
bizspecial.biz
blackhoneydo.biz
briefjell.biz
browsegarnish.biz
browsejell.biz
browsezest.biz
checkoutmeasure.biz
checkoutroll.biz
checkoutsnip.biz
checkparboil.biz
checkpercolate.biz
choicesear.biz
cityju.biz
clickdiscover.biz
commentbarbecue.biz
commentbrown.biz
commentdevil.biz
commentpeel.biz
commentpress.biz
commentseason.biz
considerbaste.biz
considerclarify.biz
considerscramble.biz
considershuck.biz
coolcv.biz
coolno.biz
cosmogift.biz
criticalescallop.biz
criticalmeasure.biz
criticalsear.biz
criticizebaste.biz
criticizeoil.biz
criticizesouse.biz
critiquechurn.biz
critiquemint.biz
critiquesoak.biz
critiquestrain.biz
critiquesweeten.biz
cybervirtual.biz
cynopcnewicleb.biz
datasearch.biz
decadiet.biz
decaintel.biz
decavo.biz
degreeinnovate.biz
degreeshuck.biz
diagnosegrind.biz
diagnoseimagine.biz
diagnosemicrowave.biz
diagnosethin.biz
diagnosetruss.biz
digiedu.biz
digitoalquant.biz
discussblend.biz
discussdesign.biz
djcraft.biz
djposot.biz
djpost.biz
djzen.biz
dot123.biz
drimpact.biz
ecoemail.biz
ecoify.biz
ecotrans.biz
eduwi.biz
euroalt.biz
evaluatebaste.biz
evaluatejell.biz
evaluatemix.biz
expertware.biz
explorelab.biz
explorepeel.biz
eyeflambe.biz
eyefreeze.biz
eyemold.biz
feedbackbroil.biz
feedbackgrate.biz
feedbackserve.biz
feedbackskin.biz
feelinnovate.biz
feellayer.biz
feelroll.biz
feelseason.biz
feelstir.biz
firstzip.biz
freepush.biz
freshcloud.biz
funrealty.biz
futureaqua.biz
futurecake.biz
futuregeo.biz
gamemon.biz
gaugebeat.biz
gaugegrease.biz
gaugeice.biz
gaugerender.biz
getventure.biz
goking.biz
gotus.biz
gradeaerate.biz
gradeaerateq.biz
gradefreeze.biz
gradesbatter.biz
gradescallop.biz
gradesfold.biz
gradesinnovation.biz
gradesmash.biz
greatsimply.biz
healthvintage.biz
higifts.biz
homecomputer.biz
ideascript.biz
ideasurf.biz
ideawwatches.biz
imagemag.biz
imdinrectory.biz
imdirectory.biz
infoobesity.biz
inspectglaze.biz
inspectinstitute.biz
inspectoriginal.biz
inspectsnip.biz
inspecttoast.biz
instantdevelopment.biz
instantent.biz
interloanz.biz
internetcrea.biz
ithealthcare.biz
iwantfilm.biz
iwantmega.biz
judgecaramelize.biz
judgecured.biz
judgeresearch.biz
learnsolutions.biz
levitin.biz
lifelocal.biz
lightfund.biz
likebutterfly.biz
likegel.biz
likehash.biz
likescramble.biz
lookbackskim.biz
lookbackvisionary.biz
lookbackwhip.biz
lookmicrowave.biz
lookpoach.biz
lookrefrigerate.biz
lookshred.biz
looktoast.biz
lovedo.biz
mackids.biz
mapviral.biz
markbegin.biz
markchop.biz
markcut.biz
markjell.biz
marksaute.biz
markskewer.biz
measurefry.biz
measurelabs.biz
measurerefrigerate.biz
measuresaute.biz
megaperformance.biz
metahitech.biz
metartri.biz
metatri.biz
microelastic.biz
minidelivery.biz
moreycrm.biz
mrhits.biz
mrhiuts.biz
mrroom.biz
mychurn.biz
myfroth.biz
mypioneer.biz
mypoach.biz
myseparate.biz
neopan.biz
neosource.biz
netveri.biz
nextsolid.biz
nextvoice.biz
notebeat.biz
notebraise.biz
notebread.biz
notebutterfly.biz
notegrease.biz
notequarter.biz
noterender.biz
noteresearch.biz
noticebake.biz
noticefry.biz
observemodern.biz
observemold.biz
okimmo.biz
onsweet.biz
optionpoach.biz
ourbooks.biz
overviewbind.biz
overviewform.biz
overviewoil.biz
oxyhelp.biz
pcincome.biz
petfast.biz
pickheat.biz
pickquarter.biz
picksearch.biz
picksweeten.biz
pickvision.biz
pointsdevelop.biz
pointsgrate.biz
pointsnovel.biz
pointsstyle.biz
pointswarm.biz
powertie.biz
probebrush.biz
probedrain.biz
probemint.biz
probeshred.biz
profilebarbecue.biz
profilefrost.biz
profileprocess.biz
profilesmoke.biz
qualitydough.biz
qualitymeasure.biz
qualityroast.biz
qualityscald.biz
questdebone.biz
questdeglaze.biz
questflavor.biz
questflip.biz
questimprovise.biz
questmodern.biz
questsee.biz
questthin.biz
questtoast.biz
rangebutterfly.biz
rangedice.biz
rangedough.biz
rangeglaze.biz
rangeinnovation.biz
rangemash.biz
rangetopz.biz
rankbeat.biz
rankjulienne.biz
rankshred.biz
rateescallop.biz
rateidea.biz
rateideal.biz
rateschirr.biz
readfrost.biz
readinstitute.biz
readroll.biz
readthicken.biz
recapblacken.biz
recapbread.biz
recapcream.biz
redcoffee.biz
redopginion.biz
redopinion.biz
remarkage.biz
remarkblanche.biz
remarkboil.biz
remarkdip.biz
remarkferment.biz
remarkgenuine.biz
remarkheat.biz
remarkjell.biz
remarkpreserve.biz
remarktruss.biz
retrospectblend.biz
retrospectcreate.biz
retrospectdeglaze.biz
retrospectferment.biz
retrospectfuture.biz
retrospectquarter.biz
retrospectschange.biz
reviewimprovise.biz
reviewsear.biz
reviewunmold.biz
revuecream.biz
revuedevelop.biz
revuegrate.biz
revueimage.biz
revuelayer.biz
revuepuree.biz
rungeek.biz
runpoker.biz
runrank.biz
safeconsult.biz
saverobot.biz
sayfilter.biz
saygarnish.biz
sayglaze.biz
sayheat.biz
scangrease.biz
scanimagination.biz
scannew.biz
scanpress.biz
scansmoke.biz
scoredecorate.biz
scoredescale.biz
scoreferment.biz
scoremacerate.biz
scoresliver.biz
scorevision.biz
scoringbatter.biz
scoringboil.biz
scoringchange.biz
scoringdiscover.biz
scoringleaven.biz
scoringoriginal.biz
scoringsimmer.biz
scoringthin.biz
scoutdescale.biz
scoutnovel.biz
screenchop.biz
screenpreserve.biz
screentemper.biz
searchbe.biz
seepercolate.biz
seepoach.biz
selectdiscover.biz
sentryprepare.biz
sentrysnip.biz
sentrytoss.biz
sentrywedge.biz
shakedownclarify.biz
shakedowncreate.biz
shakedowndry.biz
shakedowngel.biz
shakedowngenuine.biz
shakedownpoach.biz
shakedownpress.biz
shakedownprocess.biz
shakedownzest.biz
sharerebel.biz
sharpmy.biz
silversuccess.biz
silversurvival.biz
simplefreelance.biz
skycredit.biz
skyipad.biz
socialmicro.biz
sosecure.biz
spyjuice.biz
spymac.biz
spyslice.biz
studioroom.biz
studygarnish.biz
summarychar.biz
summarycut.biz
summaryfold.biz
sunmagazine.biz
surveygarnish.biz
surveyinfuse.biz
surveythink.biz
synopsisrender.biz
synopsiswhisk.biz
tallydough.biz
tallydrain.biz
tallyglaze.biz
tallymicrowave.biz
tallyoil.biz
tallysaute.biz
tallystyle.biz
testchop.biz
testdice.biz
testdrizzle.biz
testmelt.biz
testresearch1.biz
testrub.biz
thinkgame.biz
thinksoftware.biz
tickercaramelize.biz
tickerfrost.biz
tickerseason.biz
tierchurn.biz
tierdesign.biz
tierpreserve.biz
timequality.biz
tradeenergy.biz
truehotels.biz
trybeat.biz
tryblacken.biz
trybrown.biz
trybutterfly.biz
ultrafa.biz
usatrack.biz
valuesoak.biz
videocoffee.biz
viewbind.biz
viewbroil.biz
viewform.biz
viewmold.biz
viewresearch.biz
viewseason.biz
vipwish.biz
virtualspark.biz
watchflavor.biz
watchimprovise.biz
watchsteam.biz
worldfish.biz
worldninja.biz
youconsultant.biz
yourcore.biz
yourdeglaze.biz
yourdip.biz
yourflavor.biz
yourflip.biz
yourmint.biz
yourmodern.biz
yoursear.biz
yourtheme.biz
yourthink.biz
"TNT UK Limited Self Billing Invoice" malware spam
This fairly terse spam email comes with a malicious attachment:
From: Accounts Payable TNT [accounts.payable@tnt.co.uk]
Date: Mon, 9 Dec 2013 20:32:19 +0800 [07:32:19 EST]
Subject: TNT UK Limited Self Billing Invoice 5321378841
Download the attachment. Invoice will be automatically shown by double click.
Attached is an archive file called TNT UK Self Billing Invoice.zip (VirusTotal detection rate 6/49) which in turn contains a malicious executable TNT UK Self Billing Invoice.exe (detection rate 6/47) with an icon that makes it look like a PDF file.
Automated analysis tools [1] [2] [3] show an attempted connection to 2dlife.com on 5.9.182.220 (JoneSolutions.Com, Philippines). I can see only two domains on this server, the other one being 2dlife.fr, so I would assume that both are compromised and blocking access to this IP address is the way to go.
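The "EXE-in-ZIP" lure above (an executable inside an archive, named and iconed to pass as an invoice) is something a mail gateway can catch without any signatures, because the payload is a Windows PE file whatever it is called. The following Python is an added example, not code from the original post: it scans a ZIP attachment for members that are executables by content (the "MZ" magic) or by extension, and for decoy double extensions such as Invoice.pdf.exe. It does not inspect the PE icon resource. The sample archive is constructed inline with a harmless "MZ" stub standing in for the real executable.

```python
import io
import zipfile

# Extensions Windows will run on double-click. Extend for your environment.
EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs")
# Document/image extensions commonly used as the decoy half of a double extension.
DECOY_EXTENSIONS = (".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png", ".txt")


def member_flags(name: str, head: bytes) -> list:
    """Return the reasons an archive member looks like an executable lure.

    `head` is the first few bytes of the member; the 'MZ' magic identifies a
    Windows PE file whatever the name says, so a renamed .exe is still caught.
    """
    flags = []
    lower = name.lower()
    if lower.endswith(EXECUTABLE_EXTENSIONS):
        flags.append("executable-extension")
    if head[:2] == b"MZ":
        flags.append("pe-header")
    if "." in lower:
        stem = lower.rsplit(".", 1)[0]          # name without its final extension
        if stem.endswith(DECOY_EXTENSIONS):
            flags.append("double-extension")    # e.g. Invoice.pdf.exe
    return flags


def scan_zip(data: bytes) -> dict:
    """Map every file member in the archive to its flags (empty list = clean).

    Only the first four bytes of each member are decompressed, so a large or
    deliberately bloated archive does not have to be fully expanded to triage.
    """
    results = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(4)
            results[info.filename] = member_flags(info.filename, head)
    return results


def should_quarantine(data: bytes) -> bool:
    """True if any member in the archive raised at least one flag."""
    return any(scan_zip(data).values())


def build_sample_zip() -> bytes:
    """Constructed stand-in for the attachment described in the post: an archive
    holding a file named like the invoice whose content starts with the PE 'MZ'
    magic. The payload is a harmless stub, not the real malware."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("TNT UK Self Billing Invoice.exe", b"MZ" + b"\x90" * 62)
        zf.writestr("readme.txt", b"plain text, nothing to see")
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_zip()
    for member, flags in scan_zip(sample).items():
        print(member, flags or "clean")
    print("quarantine:", should_quarantine(sample))
```

Checking the magic bytes rather than the extension is the part that matters: the lure depends on the user seeing a PDF icon, not on the filename, and a quarantine rule on `.exe` alone is trivially evaded by a `.scr` or a renamed member. Nested or password-protected archives are not handled here and would need to be quarantined on sight or unpacked recursively.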
Labels:
EXE-in-ZIP,
Malware,
Philippines,
Spam,
Viruses