
Monday, 14 January 2013

BBB spam / terkamerenbos.net

This fake BBB spam leads to malware on terkamerenbos.net:

Date:      Mon, 14 Jan 2013 07:53:04 -0800 [10:53:04 EST]
From:      Better Business Bureau [notify@bbb.org]
Subject:      BBB Pretense ID 68C474U93

Better Business Bureau ©
Start With Trust ©

Mon, 14 Jan 2013

RE: Issue # 68C474U93

[redacted]

The Better Business Bureau has been booked the above said claim from one of your customers with regard to their business relations with you. The detailed description of the consumer's uneasiness are available at the link below. Please give attention to this subject and notify us about your mind as soon as possible.

We amiably ask you to click and review the CLAIM REPORT to meet on this complaint.

We are looking forward to your prompt reaction.

Best regards
Alexis Nguyen
Dispute Councilor
Better Business Bureau

Better Business Bureau
3033  Wilson Blvd, Suite 600   Arlington, VA 22701
Phone: 1 (703) 276.0100   Fax: 1 (703) 525.8277
 

This note was delivered to [redacted]. Don't want to receive these emails anymore? You can unsubscribe

The malicious payload is at [donotclick]terkamerenbos.net/detects/pull_instruction_assistant.php hosted on 222.238.109.66 (Hanaro Telecom, Korea). The following malicious sites are on the same server:


ADP spam / dekamerionka.ru

This fake ADP spam leads to malware on dekamerionka.ru:


Date:      Mon, 14 Jan 2013 10:49:06 +0300
From:      Friendster Games [friendstergames@friendster.com]
Subject:      ADP Immediate Notification

ADP Immediate Notification
Reference #: 540328394

Mon, 14 Jan 2013 10:49:06 +0300
Dear ADP Client

Your Transfer Record(s) have been created at the web site:

https://www.flexdirect.adp.com/client/login.aspx

Please see the following notes:

    Please note that your bank account will be debited within one banking business day for the amount(s) shown on the report(s).
    Please do not respond or reply to this automated e-mail. If you have any questions or comments, please Contact your ADP Benefits Specialist.


This note was sent to acting users in your system that approach ADP Netsecure.

As usual, thank you for choosing ADP as your business affiliate!

Ref: 984259785

HR. Payroll. Benefits.

The ADP logo and ADP are registered trademarks of ADP, Inc.
In the business of your success is a service mark of ADP, Inc.
© 2013 ADP, Inc. All rights reserved.

The malicious payload is on [donotclick]dekamerionka.ru:8080/forum/links/column.php hosted on:
81.31.47.124 (Master Internet s.r.o / Petr Bydzovsky, Czech Republic)
91.224.135.20 (Proservis UAB, Lithuania)
212.112.207.15 (ip4 GmbH, Germany)

Plain list of IPs and domains involved:

Malware sites to block 14/1/13

A couple of interesting posts over at Malware Must Die! showed some significant nastiness on a few IP ranges you might want to block. The IPs mentioned are:

91.243.115.140 (Aztek Ltd, Russia)
46.166.169.238 (Santrex, Netherlands)
62.76.184.93 (IT House / Clodo-Cloud, Russia)

I'll list the sites on these domains at the end of the post for readability. But in these cases, blocking just the single IPs is not enough as they reside in pretty evil netblocks which should be blocked altogether.

91.243.115.0/24 (Aztek Ltd) is part of this large collection of malware hosts. Perhaps not all sites in the network are malicious, but certainly a lot of them are. I would err on the side of caution and block access to all sites in this /24, legitimate or not.

46.166.169.0/24 (Santrex) is another horrible network. According to Google, out of 4604 tested sites in this block, at least 3201 (70%) are involved in malware distribution. There may be legitimate sites in this /24, but since customer service is allegedly atrocious, it's hard to see why they would stick around. Again, blocking this /24 is probably prudent.

62.76.184.0/21 (IT House / Clodo-Cloud) is quite a large range to block, but I have seen many malicious sites in this range, and like Aztek it is part of this large network of malware hosts and it has a poor reputation. This is only a part of the netblock; if you want to go further you could consider blocking 62.76.160.0/19.
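To show how these ranges combine in practice, here is an added example (not part of the original post) that builds a blocklist from the netblocks above and checks proxy log lines against it. The log format, client addresses, host names and the last two destination IPs are constructed for illustration.

```python
import ipaddress

# Netblocks the post recommends blocking (values taken from the post).
RECOMMENDED = ["91.243.115.0/24",  # Aztek Ltd
               "46.166.169.0/24",  # Santrex
               "62.76.184.0/21"]   # IT House / Clodo-Cloud
WIDER = "62.76.160.0/19"           # optional wider block from the post


def blocklist(include_wider=False):
    """Return the sorted networks to block, with covered ranges merged.

    collapse_addresses() drops a range already inside a larger one, so
    adding the /19 replaces the /21 instead of producing two rules.
    """
    cidrs = RECOMMENDED + ([WIDER] if include_wider else [])
    return list(ipaddress.collapse_addresses(
        ipaddress.ip_network(c) for c in cidrs))


def scan(log_lines, nets):
    """Return (client_ip, dest_ip, network) for each blocked destination.

    Assumed log format (hypothetical): "<time> <client_ip> <dest_ip> <host>".
    """
    hits = []
    for line in log_lines:
        fields = line.split()
        if len(fields) < 3:
            continue
        try:
            dest = ipaddress.ip_address(fields[2])
        except ValueError:
            continue  # malformed address field: skip rather than crash
        for net in nets:
            if dest in net:
                hits.append((fields[1], fields[2], str(net)))
                break
    return hits


# Constructed proxy log lines. The first three destinations are the IPs
# named in the post; the last two are made up for illustration.
SAMPLE_LOG = [
    "2013-01-14T09:00:01 10.0.0.5 91.243.115.140 host-a.example",
    "2013-01-14T09:00:07 10.0.0.9 46.166.169.238 host-b.example",
    "2013-01-14T09:01:13 10.0.0.5 62.76.184.93 host-c.example",
    "2013-01-14T09:02:40 10.0.0.7 62.76.170.5 host-d.example",
    "2013-01-14T09:03:02 10.0.0.7 192.0.2.10 host-e.example",
]
```

With the default list the first three lines match; passing `include_wider=True` also catches the 62.76.170.5 line, which sits in the /19 but outside the /21.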

The following domains are all connected to these two attacks:



Friday, 11 January 2013

"Payroll Account Holded by Intuit" spam / dmeiweilik.ru

This fake Intuit (or LinkedIn?) spam leads to malware on dmeiweilik.ru:


Date:      Fri, 11 Jan 2013 06:23:41 +0100
From:      LinkedIn Password [password@linkedin.com]
Subject:      Payroll Account Holded by Intuit


Direct Deposit Service Informer
Communicatory Only

We cancelled your payroll on Fri, 11 Jan 2013 06:23:41 +0100.

    Finances would be gone away from below account # ending in 0198 on Fri, 11 Jan 2013 06:23:41 +0100
    amount to be seceded: 8057 USD
    Paychecks would be procrastinated to your personnel accounts on: Fri, 11 Jan 2013 06:23:41 +0100
    Log In to Review Operation


Funds are typically left before working banking hours so please make sure you have enough Finances accessible by 12 a.m. on the date Cash are to be seceded.

Intuit must reject your payroll by 4 p.m. Central time, two banking days before your paycheck date or your state would not be paid on time.
QuickBooks does not process payrolls on weekends or federal banking holidays. A list of federal banking holidays can be viewed at the Federal Reserve website.

Thank you for your business.

Regards,
Intuit Payroll Services

====================



From: messages-noreply@bounce.linkedin.com [mailto:messages-noreply@bounce.linkedin.com] On Behalf Of Lilianna Grimes via LinkedIn
Sent: 10 January 2013 21:04
Subject: Payroll Account Holded by Intuit


Direct Deposit Service Informer
Communicatory Only

We cancelled your payroll on Fri, 11 Jan 2013 02:03:33 +0500.
•    Finances would be gone away from below account # ending in 8913 on Fri, 11 Jan 2013 02:03:33 +0500
•    amount to be seceded: 9567 USD
•    Paychecks would be procrastinated to your personnel accounts on: Fri, 11 Jan 2013 02:03:33 +0500
•    Log In to Review Operation

Funds are typically left before working banking hours so please make sure you have enough Finances accessible by 12 a.m. on the date Cash are to be seceded.

Intuit must reject your payroll by 4 p.m. Central time, two banking days before your paycheck date or your state would not be paid on time.
QuickBooks does not process payrolls on weekends or federal banking holidays. A list of federal banking holidays can be viewed at the Federal Reserve website.

Thank you for your business.

Regards,
Intuit Payroll Services


The malicious payload is at [donotclick]dmeiweilik.ru:8080/forum/links/column.php hosted on the same IPs as in this attack:

91.224.135.20 (Proservis UAB, Lithuania)
187.85.160.106 (Ksys Soluções Web, Brazil)
212.112.207.15 (ip4 GmbH, Germany)

The following IPs and domains are related and should be blocked:

Changelog spam / dimanakasono.ru

This fake "Changelog" spam leads to malware on dimanakasono.ru:

From: Ashley Madison [mailto:donotreply@ashleymadison.com]
Sent: 10 January 2013 08:25
Subject: Re: Fwd: Changelog as promised(updated)

Hi,


changelog update - View

L. Cook

The malicious payload is at [donotclick]dimanakasono.ru:8080/forum/links/column.php hosted on the following IPs:

91.224.135.20 (Proservis UAB, Lithuania)
187.85.160.106 (Ksys Soluções Web, Brazil)
212.112.207.15 (ip4 GmbH, Germany)

The following IPs and domains are related and should be blocked:

Thursday, 10 January 2013

ADP spam / tetraboro.net and advertizing*.com

This fake ADP spam leads to malware on tetraboro.net. It contains some errors, one of which is the subject line just says "adp_subj" rather than having been filled out properly. The most amusing one is the reference to "business butty" which presumably is some sort of sandwich.

Date:      Thu, 10 Jan 2013 17:48:09 +0200 [10:48:09 EST]
From:      "ADPClientServices@adp.com" [ADPClientServices@adp.com]
Subject:      adp_subj


ADP Urgent Note

Note No.: 33469

Respected ADP Consumer January, 9 2013

Your Processed Payroll Record(s) have been uploaded to the web site:

Click here to Sign In

Please take a look at the following details:

•   Please note that your bank account will be debited within one banking day for the amount(s) specified on the Protocol(s).

•   Please don't reply to this message. auomatic informational system not configured to accept incoming mail. Please Contact your ADP Benefits Specialist.

This notification was sent to current clients in your company that approach ADP Netsecure.

As general, thank you for choosing ADP as your business butty!

Ref: 33469

The malicious payload is on [donotclick]tetraboro.net/detects/coming_lost-source.php hosted on 222.238.109.66 (Hanaro Telecom, Korea). A quick look indicates a number of related malicious domains and IPs, including advertizing1.com through to advertizing9.com. All of these should be blocked.

5.135.90.19 (OVH, France - suballocated to premiervps.net, UK)
91.227.220.121 (VooServers, UK)
94.102.55.23 (Ecatel, Netherlands)
119.78.243.16 (China Science & Technology Network, China)
198.144.191.50 (New Wave Netconnect, US)
199.233.233.232 (Quickpacket, US)
203.1.6.211 (China Telecom, China)
222.238.109.66 (Hanaro Telecom, Korea)

Plain list:

Wednesday, 9 January 2013

BBB spam / hotelrosaire.net

This fake BBB spam leads to malware on hotelrosaire.net:

Date:      Wed, 9 Jan 2013 09:21:32 -0600 [10:21:32 EST]
From:      Better Business Bureau <complaint@bbb.org>
Subject:      BBB notification regarding your  cliente's pretense No. 62850348

Better Business Bureau ©
Start With Trust ©

Tue, 8 Jan 2013

RE: Complaint N. 62850348

[redacted]

The Better Business Bureau has been booked the above said complaint from one of your users in regard to their business contacts with you. The detailed description of the consumer's anxiety are available for review at a link below. Please give attention to this problem and inform us about your sight as soon as possible.

We pleasantly ask you to click and review the APPEAL REPORT to respond on this claim letter.

We awaits to your prompt reaction.

Yours respectfully
Liam Barnes
Dispute Consultant
Better Business Bureau

Better Business Bureau
3053   Wilson Blvd, Suite 600   Arlington, VA 25501
Phone: 1 (703) 276.0100   Fax: 1 (703) 525.8277


This note was sent to [redacted]. Don't want to receive these emails anymore? You can unsubscribe

==========================

Date:      Wed, 9 Jan 2013 23:21:42 +0800 [10:21:42 EST]
From:      Better Business Bureau <donotreply@bbb.org>
Subject:      BBB  Complaint No. C1343110

Better Business Bureau ©
Start With Trust ©

Tue, 8 Jan 2013

RE: Case No. C1343110

[redacted]

The Better Business Bureau has been booked the above mentioned complaint from one of your clients as regards their business relations with you. The information about the consumer's anxiety are available for review at a link below. Please pay attention to this question and inform us about your glance as soon as possible.

We pleasantly ask you to overview the COMPLAINT REPORT to reply on this grievance.

We are looking forward to your prompt reaction.

Yours respectfully
Hunter Gomez
Dispute Counselor
Better Business Bureau

Better Business Bureau
3053   Wilson Blvd, Suite 600   Arlington, VA 22801
Phone: 1 (703) 276.0100   Fax: 1 (703) 525.8277


This message was sent to [redacted]. Don't want to receive these emails anymore? You can unsubscribe 

The malicious payload is on [donotclick]hotelrosaire.net/detects/keyboard_ones-piece-ring.php hosted on 64.120.177.139 (HostNOC, US) which also hosts royalwinnipegballet.net which was seen in another BBB spam run yesterday.

ADP spam / demoralization.ru

This fake ADP spam leads to malware on demoralization.ru:

Date:      Wed, 9 Jan 2013 04:23:03 -0600
From:      Habbo Hotel [auto-contact@habbo.com]
Subject:      ADP Immediate Notification

ADP Immediate Notification
Reference #: 948284271

Wed, 9 Jan 2013 04:23:03 -0600
Dear ADP Client

Your Transfer Record(s) have been created at the web site:

https://www.flexdirect.adp.com/client/login.aspx

Please see the following notes:

    Please note that your bank account will be debited within one banking business day for the amount(s) shown on the report(s).
    Please do not respond or reply to this automated e-mail. If you have any questions or comments, please Contact your ADP Benefits Specialist.


This note was sent to acting users in your system that approach ADP Netsecure.

As usual, thank you for choosing ADP as your business affiliate!

Ref: 703814359


HR. Payroll. Benefits.

The ADP logo and ADP are registered trademarks of ADP, Inc.
In the business of your success is a service mark of ADP, Inc.
© 2013 ADP, Inc. All rights reserved.

The malicious payload is at [donotclick]demoralization.ru:8080/forum/links/column.php hosted on the following IPs:
82.165.193.26 (1&1, Germany)
91.224.135.20 (Proservis UAB, Lithuania)
187.85.160.106 (Ksys Soluções Web, Brazil)

The following IPs and domains are all related: