Thursday, 5 December 2013
Something evil on 192.95.1.190
It looks like there is some sort of exploit kit on 192.95.1.190 (OVH, Canada) [example] spreading through injection attacks, although at the moment I can't reproduce the issue. In any case, I would recommend blocking that IP plus these domains that are in use to spread nastiness:
digitalra.biz
drcoupon.biz
eurosync.biz
expertsurvey.biz
flypanda.biz
funelectronics.biz
interfx.biz
interloanz.biz
learinatlas.biz
mapmchawalit.biz
mapsport.biz
metartri.biz
moreycrm.biz
mrhiuts.biz
perfectcore.biz
safemeta.biz
searchcars.biz
sharpice.biz
softanimal.biz
Some of the subdomains in use are listed here.
Labels:
Injection Attacks,
Malware,
OVH
Something unpleasant on 89.248.164.219 and 217.23.2.233
The IPs 89.248.164.219 (Ecatel, Netherlands) and 217.23.2.233 (Worldstream, Netherlands) appear to be hosting some sort of bogus Firefox and Media Player downloads. (You can see the VirusTotal reports here and here.)
All the domains in use appear at first glance to be genuine but are basically some sort of typosquatting. A full list of all the subdomains I can find is at the end of the post, but in the meantime I recommend using the following blocklist:
89.248.164.219
217.23.2.233
antivirous.co.uk
archictecture.com
bacharat.com
bankrupcyloans.com
beadedjewlry.com
blog-skin.com
buisinessplan.com
camgirslive.com
catalag.com
cheatscoads.com
cheepplaneticket.com
deadbeatmom.com
detroitresturants.com
diabeticreciepies.com
dictionairy.co.uk
dieselgeneraters.com
florenceaccomodation.com
forclosedhomelistings.com
franshising.com
freemagzine.com
freerngtones.com
freesudukogames.com
freexxxvideodownloads.com
genology.co.uk
gitaretab.com
guatars.com
itallianfood.com
ladyring.com
lesons.com
magneticjewlry.com
medicalpaymentsolutions.com
milffiles.com
monstercooks.com
mygirly.com
noebook.com
olineauction.com
pacmangames.co.uk
photogallary.co.uk
pokerstatergy.com
proverts.com
rentalaccomodation.com
songlyrices.com
swappingwifes.com
timehare.com
violn.com
wwwmotorcycleparts.com
wwwqwikster.com
I can see the following subdomains in use, although it is probably easier just to block the main domains:
exclusiverewards.antivirous.co.uk
exclusiverewards.genology.co.uk
ny4zz.exclusiverewards.itallianfood.com
xo9zz.exclusiverewards.itallianfood.com
jsazz.exclusiverewards.itallianfood.com
xabzz.exclusiverewards.itallianfood.com
tfdzz.exclusiverewards.itallianfood.com
vkizz.exclusiverewards.itallianfood.com
ibmzz.exclusiverewards.itallianfood.com
jtozz.exclusiverewards.itallianfood.com
ntvzz.exclusiverewards.itallianfood.com
ytyzz.exclusiverewards.itallianfood.com
porn-tube.ladyring.com
popularprizes.florenceaccomodation.com
portube.freexxxvideodownloads.com
2h2zz.exclusiverewards.songlyrices.com
hnezz.exclusiverewards.songlyrices.com
kwizz.exclusiverewards.songlyrices.com
o6mzz.exclusiverewards.songlyrices.com
6ppzz.exclusiverewards.songlyrices.com
wrqzz.exclusiverewards.songlyrices.com
3xszz.exclusiverewards.songlyrices.com
tnyzz.exclusiverewards.songlyrices.com
7yyzz.exclusiverewards.songlyrices.com
tszzz.exclusiverewards.songlyrices.com
md2zz.popularprizes.songlyrices.com
4f2zz.popularprizes.songlyrices.com
t43zz.popularprizes.songlyrices.com
rbazz.popularprizes.songlyrices.com
eqazz.popularprizes.songlyrices.com
iwazz.popularprizes.songlyrices.com
vdfzz.popularprizes.songlyrices.com
6kfzz.popularprizes.songlyrices.com
gfhzz.popularprizes.songlyrices.com
zyhzz.popularprizes.songlyrices.com
ukrzz.popularprizes.songlyrices.com
dorzz.popularprizes.songlyrices.com
2aszz.popularprizes.songlyrices.com
6hszz.popularprizes.songlyrices.com
qgtzz.popularprizes.songlyrices.com
3lwzz.popularprizes.songlyrices.com
bfzzz.popularprizes.songlyrices.com
5hzzz.popularprizes.songlyrices.com
bjzzz.popularprizes.songlyrices.com
aqzzz.popularprizes.songlyrices.com
txt-hotties.swappingwifes.com
rewardzone.monstercooks.com
exclusiverewards.guatars.com
popularprizes.dieselgeneraters.com
popularprizes.bacharat.com
popularprizes.beadedjewlry.com
www.exclusiverewards.dictionairy.co.uk
www1.exclusiverewards.dictionairy.co.uk
prizecentral.noebook.com
www.popularprizes.bacharat.com
ecig.timehare.com
cloud.timehare.com
popularprizes.blog-skin.com
pornvids.milffiles.com
porn-tube.camgirslive.com
rewardzone.cheatscoads.com
agentix.deadbeatmom.com
cleanse.deadbeatmom.com
442zz.popularprizes.songlyrices.com
4btzz.popularprizes.songlyrices.com
7yhzz.popularprizes.songlyrices.com
cfzzz.popularprizes.songlyrices.com
hmdzz.popularprizes.songlyrices.com
mpazz.popularprizes.songlyrices.com
nokzz.popularprizes.songlyrices.com
povzz.popularprizes.songlyrices.com
psmzz.popularprizes.songlyrices.com
u4wzz.popularprizes.songlyrices.com
vufzz.popularprizes.songlyrices.com
xehzz.popularprizes.songlyrices.com
rauzz.exclusiverewards.songlyrices.com
sywzz.exclusiverewards.songlyrices.com
wwbzz.exclusiverewards.songlyrices.com
download.wwwqwikster.com
www.download.wwwqwikster.com
www1.download.wwwqwikster.com
watchnow.freerngtones.com
watch-now.freerngtones.com
playingnow.freerngtones.com
watching-now.freerngtones.com
0ozzz.exclusiverewards.itallianfood.com
3o9zz.exclusiverewards.itallianfood.com
bcvzz.exclusiverewards.itallianfood.com
n9vzz.exclusiverewards.itallianfood.com
oxwzz.exclusiverewards.itallianfood.com
yt5zz.exclusiverewards.itallianfood.com
www1.rewardzone.monstercooks.com
exclusive-rewards.dieselgeneraters.com
weightloss.diabeticreciepies.com
popularprizes.wwwmotorcycleparts.com
exclusiverewards.florenceaccomodation.com
www.securessl.forclosedhomelistings.com
congratulations.medicalpaymentsolutions.com
0eizz.exclusiverewards.songlyrices.com
3dxzz.exclusiverewards.songlyrices.com
6lzzz.exclusiverewards.songlyrices.com
7nrzz.exclusiverewards.songlyrices.com
watch-now.magneticjewlry.com
rewardzone.dieselgeneraters.com
popularprizes.pacmangames.co.uk
rewardzone.genology.co.uk
popularprizes.photogallary.co.uk
uh5zz.exclusiverewards.itallianfood.com
jd7zz.exclusiverewards.itallianfood.com
fe7zz.exclusiverewards.itallianfood.com
xxazz.exclusiverewards.itallianfood.com
tqdzz.exclusiverewards.itallianfood.com
mudzz.exclusiverewards.itallianfood.com
p8hzz.exclusiverewards.itallianfood.com
soizz.exclusiverewards.itallianfood.com
2hkzz.exclusiverewards.itallianfood.com
qpvzz.exclusiverewards.itallianfood.com
rewardzone.archictecture.com
rewardzone.florenceaccomodation.com
rewardzone.rentalaccomodation.com
uj8zz.exclusiverewards.songlyrices.com
usdzz.exclusiverewards.songlyrices.com
ashzz.exclusiverewards.songlyrices.com
cmkzz.exclusiverewards.songlyrices.com
6omzz.exclusiverewards.songlyrices.com
agqzz.exclusiverewards.songlyrices.com
vjszz.exclusiverewards.songlyrices.com
42wzz.exclusiverewards.songlyrices.com
sbxzz.exclusiverewards.songlyrices.com
ouxzz.exclusiverewards.songlyrices.com
gh0zz.popularprizes.songlyrices.com
oh3zz.popularprizes.songlyrices.com
vy3zz.popularprizes.songlyrices.com
nd4zz.popularprizes.songlyrices.com
zj8zz.popularprizes.songlyrices.com
jf9zz.popularprizes.songlyrices.com
knbzz.popularprizes.songlyrices.com
dtczz.popularprizes.songlyrices.com
ffdzz.popularprizes.songlyrices.com
xjezz.popularprizes.songlyrices.com
fofzz.popularprizes.songlyrices.com
dljzz.popularprizes.songlyrices.com
5wkzz.popularprizes.songlyrices.com
9zlzz.popularprizes.songlyrices.com
dxmzz.popularprizes.songlyrices.com
plnzz.popularprizes.songlyrices.com
xsozz.popularprizes.songlyrices.com
zwozz.popularprizes.songlyrices.com
gzozz.popularprizes.songlyrices.com
vrszz.popularprizes.songlyrices.com
t4tzz.popularprizes.songlyrices.com
99wzz.popularprizes.songlyrices.com
9swzz.popularprizes.songlyrices.com
ycxzz.popularprizes.songlyrices.com
securessl.forclosedhomelistings.com
news-alert.bankrupcyloans.com
exclusiverewards.medicalpaymentsolutions.com
popularprizes.medicalpaymentsolutions.com
surveycentral.pokerstatergy.com
popularprizes.genology.co.uk
exclusiverewards.dictionairy.co.uk
exclusiverewards.pacmangames.co.uk
rewardzone.violn.com
playgames.lesons.com
nowplay.catalag.com
txtpussy.mygirly.com
fucknow.proverts.com
xxxtube.proverts.com
win.timehare.com
agentixs.timehare.com
mensfitness.timehare.com
rewardzone.blog-skin.com
globalrewards.blog-skin.com
exclusive-rewards.blog-skin.com
exclusive-rewards.gitaretab.com
www.rewardzone.cheatscoads.com
download.franshising.com
nowplay.freemagzine.com
4cpzz.rewardzone.songlyrices.com
ehrzz.rewardzone.songlyrices.com
43uzz.popularprizes.songlyrices.com
a73zz.popularprizes.songlyrices.com
bnkzz.popularprizes.songlyrices.com
kvxzz.popularprizes.songlyrices.com
n5zzz.popularprizes.songlyrices.com
ntlzz.popularprizes.songlyrices.com
nx9zz.popularprizes.songlyrices.com
nzazz.popularprizes.songlyrices.com
obzzz.popularprizes.songlyrices.com
oyxzz.popularprizes.songlyrices.com
somzz.popularprizes.songlyrices.com
teizz.popularprizes.songlyrices.com
xjnzz.popularprizes.songlyrices.com
yt3zz.popularprizes.songlyrices.com
3z4zz.exclusiverewards.songlyrices.com
855zz.exclusiverewards.songlyrices.com
cqfzz.exclusiverewards.songlyrices.com
phjzz.exclusiverewards.songlyrices.com
q7gzz.exclusiverewards.songlyrices.com
tyvzz.exclusiverewards.songlyrices.com
z3nzz.exclusiverewards.songlyrices.com
hotmail.download.wwwqwikster.com
www1.watch-now.freerngtones.com
a5vzz.exclusiverewards.itallianfood.com
c7rzz.exclusiverewards.itallianfood.com
gnszz.exclusiverewards.itallianfood.com
hbjzz.exclusiverewards.itallianfood.com
i6jzz.exclusiverewards.itallianfood.com
okbzz.exclusiverewards.itallianfood.com
owozz.exclusiverewards.itallianfood.com
ucqzz.exclusiverewards.itallianfood.com
popularprizes.olineauction.com
rewardzone.buisinessplan.com
www1.surveycentral.pokerstatergy.com
globalpromotions.pokerstatergy.com
www1.news-alert.bankrupcyloans.com
www1.watch-now.magneticjewlry.com
congratulations.freesudukogames.com
exclusiverewards.freesudukogames.com
exclusive-rewards.cheepplaneticket.com
www1.rewardzone.dieselgeneraters.com
globalrewards.dieselgeneraters.com
exclusiverewards.dieselgeneraters.com
rewardzone.detroitresturants.com
www1.securessl.forclosedhomelistings.com
axizz.exclusiverewards.songlyrices.com
cqdzz.exclusiverewards.songlyrices.com
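The advice above is to block the main domains rather than chase every throwaway subdomain. The script below is an added example (not code from the original post) that does exactly that: it collapses a list of observed hostnames to their registrable domains, keeps bare IPs as they are, and emits BIND response-policy-zone records that sink each domain and all of its subdomains. The two-label suffix table and the sample input are constructed for the demonstration; a production tool would consult the Public Suffix List instead of the hard-coded set.

```python
"""Collapse observed hostnames to the registrable ("main") domains worth
blocking, keep bare IPs as they are, and emit the result as BIND RPZ records.

Added example, not code from the original post. The suffix table and the
sample input below are constructed for the demonstration."""
import re

# Constructed, deliberately tiny table of two-label public suffixes; a real
# tool would consult the Public Suffix List instead of hard-coding these.
TWO_LABEL_SUFFIXES = {"co.uk", "org.uk", "com.au", "co.nz"}

IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def is_ipv4(entry: str) -> bool:
    """True for a dotted-quad address such as 89.248.164.219."""
    return bool(IPV4_RE.match(entry))


def apex_domain(hostname: str) -> str:
    """Registrable domain of a hostname: 'www1.x.dictionairy.co.uk' -> 'dictionairy.co.uk'."""
    labels = hostname.strip().lower().rstrip(".").split(".")
    if len(labels) < 2:
        return ".".join(labels)
    # three labels are needed when the last two form a public suffix (co.uk)
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def build_blocklist(entries):
    """Return (ips, domains), each sorted and de-duplicated, from raw text lines."""
    ips, domains = set(), set()
    for raw in entries:
        entry = raw.strip()
        if not entry or entry.startswith("#"):
            continue
        if is_ipv4(entry):
            ips.add(entry)
        else:
            domains.add(apex_domain(entry))
    return sorted(ips), sorted(domains)


def to_rpz(domains):
    """BIND response-policy-zone records: 'CNAME .' returns NXDOMAIN for the
    domain itself and, via the wildcard, for every subdomain of it."""
    lines = []
    for d in domains:
        lines.append(f"{d} CNAME .")
        lines.append(f"*.{d} CNAME .")
    return lines


# Constructed sample: a handful of the hostnames from the post plus one IP.
SAMPLE_INPUT = """
89.248.164.219
exclusiverewards.antivirous.co.uk
www1.exclusiverewards.dictionairy.co.uk
ny4zz.exclusiverewards.itallianfood.com
xo9zz.exclusiverewards.itallianfood.com
md2zz.popularprizes.songlyrices.com
hotmail.download.wwwqwikster.com
"""

if __name__ == "__main__":
    ips, domains = build_blocklist(SAMPLE_INPUT.splitlines())
    print("IPs:", ips)
    print("apex domains:", domains)
    print("\n".join(to_rpz(domains)))
```

Feed it the full subdomain list from the post and the output shrinks to the forty-odd apex domains in the blocklist above; the IPs are passed through untouched so they can go to a firewall rule rather than the DNS policy zone.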
Wednesday, 4 December 2013
"Department of Treasury Notice of Outstanding Obligation" spam / FMS-Case.exe
This spam says Salesforce.com at the top but the rest is allegedly from some US Government department or other (pay attention people!). Anyway, it has a malicious attachment.
Date: Wed, 4 Dec 2013 08:24:02 -0500 [08:24:02 EST]
From: "support@salesforce.com" [support@salesforce.com]
Subject: Department of Treasury Notice of Outstanding Obligation - Case CWK8SSU4K6CN852
Important please review and sign the attached document!
We have received notification from the Department of the Treasury,
Financial Management Service (FMS) that you have an outstanding
obligation with the Federal Government that requires your immediate
attention.
In order to ensure this condition does not affect any planned
contract or grant activity, please review and sign the attached document and if
you are unable to understand the attached document please call FMS at 1-800-304-3107
to address this issue. Please make sure the person making the telephone call has the
Taxpayer Identification Number available AND has the authority/knowledge
to discuss the debt for the contractor/grantee.
Questions should be directed to the Federal Service Desk at:
http://www.bpn.gov/ccr/Help.aspx
Phone : 1-866-606-6762
Int. Phone 1-344-206-6275 for international calls
For DSN, dial 809-463-9774. Wait for a dial tone, and then dial 866-606-4580.
Attached is a file FMS-Case-CWK8SSU4K6CN852.zip which in turn contains a malicious executable FMS-Case.exe which has a VirusTotal detection rate of 7/49. Automated analysis tools [1] [2] show an attempted connection to worldofchamps.com on 198.1.78.171 (Websitewelcome, US) and a download from [donotclick]deshapran.com/img/deshp.exe on 182.18.143.140 (Pioneer eLabs, India). This second part has a VirusTotal detection rate of 6/47, although automated analysis tools are inconclusive. I recommend blocking both those domains.
Labels:
EXE-in-ZIP,
Malware,
Spam
Fake Amazon.co.uk spam / Order details.zip
This fake Amazon spam comes with a malicious attachment:
Date: Wed, 4 Dec 2013 11:07:00 +0200 [04:07:00 EST]
From: "AMAZON.CO.UK" [SALES@AMAZON.CO.UK]
Subject: order ID718-4116431-2424056
Good evening, Thanks for your order. We'll let you know once your item(s) have dispatched. You can check the status of your order or make changes to it by visiting Your Orders on Amazon.co.uk.
Order Details
Order ID757-7743075-1612424 Placed on December 1, 2013 Order details and invoice in attached file.
Need to make changes to your order? Visit our Help page for more information and video guides.
We hope to see you again soon. Amazon.co.uk
Attached is a ZIP file Order details.zip which in turn contains a malicious executable Order details.exe which has a VirusTotal detection rate of 15/49. Automated analysis tools [1] [2] are fairly inconclusive, but do show some apparent traffic to 79.187.164.155 (TP, Poland) plus the creation of a key HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Start WingMan Profiler to run the malware at startup.
Labels:
Amazon,
EXE-in-ZIP,
Malware,
Spam
"british-googleapps.com" (and other googleapps.com domains) job scam
The following spam email is attempting to recruit money mules. Sample subjects include:
Employment you've been searching!
Career opportunity inside
Job ad - see details! Sent through Search engine
Other "reply-to" addresses spotted:
Gene@british-googleapps.com
Dewitt@british-googleapps.com
Robbie@british-googleapps.com
Leila@british-googleapps.com
british-googleapps.com is registered with completely fake details and uses a mail server on 50.194.47.186 (Comcast Business, US) to process mail. There are several other similar domain names being used for the same scam:
british-googleapps.com
germany-googleapps.com
consulting-googleapps.com
usa-googleapps.com
us-googleapps.com
canada-googleapps.com
consult-googleapps.com
arbeit-googleapps.com
consulting-googleapps.com
job-googleapps.com
In addition to those, all the following IPs and domains are in use by the scammers either now or recently. All the domains are registered through scam-friendly Chinese registrar BIZCN to fictitious registrants.
50.194.47.186
175.67.90.27
95.94.135.113
220.67.126.175
googleapps-works.com
googleapps-work.com
googleapps-career.com
googleapps-consult.com
googleapps-jobs.com
googleapps-offer.com
googleapps-cz.com
googleapps-espana.com
googleapps-euro.com
googleapps-us.com
googleapps-usa.com
googleapps-pl.com
googleapps-work.com
googleapps-japan.com
googleapps-italy.com
googleapps-ro.com
googleapps-nl.com
googleapps-spain.com
googleapps-gb.com
googleapps-greece.com
googleapps-group.com
googleapps-japan.com
googleapps-nz.com
googleapps-offer.com
googleapp-consult.com
carrer-trade.com
us-trades.com
worlds-trade.com
google-trade.com
trades-consult.com
googletrade-usa.com
google-usatrade.com
careerin-google.com
google-lavorare.com
works-google.com
consult-google.com
consulting-google.com
apple-praca.com
careerin-mac.com
apple-euro.com
job-in-apple.com
jobin-apple.com
jobin-usa.com
jobin-za.com
jobin-google.com
jobin-yahoo.com
job-italia.com
job-newzealand.com
job-greece.com
munca-bucuresti.com
romania-work.com
outsourcing-lavoro.com
outsourcing-consult.com
jobs-consult.com
jobmark-eu.com
worlds-diploms.com
italia-lavorare.com
lavoro-it.com
trade-outsource.com
warszawapraca.com
usa-findjob.com
medshorediet.com
hotalibre.com
wickedpl.com
eventlore.net
elcacareo.net
washin-factory.net
australia-attractions.net
conawaystrickler.net
From: arwildcbrender@victimdomain.com
to: arwildcbrender@victimdomain.com
date: 4 December 2013 07:49
subject: Employment you've been searching!
Hello, We have an excellent opportunity for an apprentice applicant to join a rapidly expanding company.
An at home Key Account Manager Position is a great opportunity for stay at home parents
or anyone who wants to work in the comfort of their own home.
This is a part time job / flexible hrs for European citizens only,This is in view of our not having a branch office presently in Europe,
also becouse of paypal and ebay policies wich is prohibit to work directly with residents of some countries.
Requirements: computer with Internet access, valid email address, good typing skills.
If you fit the above description and meet the requirements, please apply to this ad stating your location.
You will be processing orders from your computer. How much you earn is up to you.
The average is in the region of 750-1000 GBP per week, depending on whether you work full or part time.
Region: United Kingdom only.
If you would like more information, please contact us stating where you are located and our job reference number - 42701-759/3HR.
Please only SERIOUS applicants.
If you are interested, please reply to: Gene@british-googleapps.com
Labels:
Job Offer Scams,
Money Mule,
Spam
Tuesday, 3 December 2013
Another day, another fake eFax spam
Date: Tue, 3 Dec 2013 15:15:03 -0800 [18:15:03 EST]
From: eFax Corporate [message@inbound.efax.com]
Subject: Fax transmission: -5219616961-5460126761-20130705352854-84905.zip
Please find attached to this email a facsimile transmission we have just received on your behalf
(Do not reply to this email as any reply will not be read by a real person)
Attached is a ZIP file which in this case is called -2322693863-6422657608-20130705409306-09249.zip (with a VirusTotal detection rate of 6/48) which in turn contains a malicious executable fax-report.exe which has an icon that makes it look like a PDF file and has a VirusTotal detection rate of 4/48.
Automated analysis tools [1] [2] [3] show an attempted communication with tuhostingprofesional.net on 188.121.51.69 (GoDaddy, Netherlands) which contains about 8 legitimate domains which may or may not have been compromised.
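The three EXE-in-ZIP posts above (the FMS, Amazon and eFax spam) share one pattern: a ZIP attachment wrapping a Windows executable, sometimes dressed up with a PDF icon. The scanner below is an added example, not code from these posts, showing the two checks a mail gateway can apply without extracting the archive in full: the member's extension (including a double extension such as invoice.pdf.exe) and the PE magic bytes at the start of the member, which catch an executable that has been renamed. The sample archive is built in memory from an inert two-byte MZ stub; the member names other than fax-report.exe are constructed.

```python
"""Flag ZIP attachments that carry a Windows executable, whatever the member
is called, by checking both the file extension and the PE magic bytes.

Added example, not code from the original posts. The sample archive is built
in memory from a fake 'MZ' stub, not a real executable."""
import io
import zipfile

EXEC_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".jar"}
PE_MAGIC = b"MZ"          # first two bytes of every DOS/PE executable
MAX_ENTRIES = 1000        # refuse absurdly large archives rather than walk them


def classify_entry(name: str, head: bytes) -> list:
    """Reasons an archive member looks executable; an empty list means nothing suspicious."""
    reasons = []
    base = name.lower().rsplit("/", 1)[-1]
    parts = base.split(".")
    if len(parts) >= 2 and "." + parts[-1] in EXEC_EXTENSIONS:
        reasons.append("executable extension")
        if len(parts) >= 3:          # e.g. invoice.pdf.exe
            reasons.append("double extension")
    if head.startswith(PE_MAGIC):
        reasons.append("PE header (MZ)")
    return reasons


def scan_zip_bytes(data: bytes) -> dict:
    """Map suspicious member name -> reasons, reading only the first bytes of each member."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
        if len(infos) > MAX_ENTRIES:
            raise ValueError("archive has too many entries")
        for info in infos:
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(len(PE_MAGIC))   # never inflate the whole member
            reasons = classify_entry(info.filename, head)
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_zip() -> bytes:
    """Constructed stand-in for the attachments in the posts; every binary member is an inert stub."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("fax-report.exe", PE_MAGIC + b"\x00" * 62 + b"inert stub, not a program")
        zf.writestr("invoice.pdf.exe", PE_MAGIC + b"\x00" * 30)       # constructed double extension
        zf.writestr("renamed.txt", PE_MAGIC + b"\x00" * 30)           # constructed: PE hiding as text
        zf.writestr("notes.txt", b"plain text, nothing to flag")
    return buf.getvalue()


if __name__ == "__main__":
    for name, why in scan_zip_bytes(build_sample_zip()).items():
        print(f"{name}: {', '.join(why)}")
```

Reading only the first two bytes of each member keeps the check cheap and bounds the work done on a hostile archive; the entry-count cap is a crude guard against archives stuffed with thousands of members.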
Labels:
eFax,
EXE-in-ZIP,
GoDaddy,
Malware,
Netherlands,
Spam,
Viruses
Friday, 29 November 2013
Registered Express Corporation (RGTX) pump and dump spam
It's taken me a few days to get around to this due to moving house, but here's a new pump-and-dump spam run promoting a stock Registered Express Corporation (OTC:RGTX).
As ever, there are a massive number of different subjects and random body-texts, for example:
Subject: This Bottom Bouncer has taken off!
Subject: Our analysis right on the MONEY!
Subject: Seven Reasons To Love This Company
Subject: Breakout coming!
Subject: Get Ready for Another Money Making New Trade Idea Tomorrow
Subject: What a HUGE day we had!
RGTX has been through a few incarnations, most recently as a firm specialising in the secure transmission of electronic documents. According to its own reports [1] [2] this firm has never had an income, holds no notable cash reserves and basically borrows cash against its own intellectual property and business value. Registered Express says that it is a business in development; it is not clear if and when it will ever start to make an income.
A look at the stock charts shows that shares are traded in moderate volumes. On the 21st and 22nd November (before the spam run) a total of 849,477 shares were traded, about ten times the volume of the previous two days.
We know from past experience that either the spammers or another involved party will move in and buy stock before the spam run. I estimate that about 750,000 shares were bought in this way at between $0.012 and $0.020. Since then about three million shares have been traded, presumably people being motivated by the spam run or who are simply following the increase in volume with a speculative buy.
The folks at RGTX are probably not involved in the spam run. My previous analysis on these stocks indicates that these stocks are usually in terminal decline. Buying stocks on the basis of a spammed email would be exceptionally foolish and should be avoided.
The spam volumes are not as high as some previous pump-and-dump runs, and the first incident that I can see is on Saturday 23rd November, a typical approach to try to pump the market when it opens on Monday morning.
Over The Counter Morning Highlight! Land Your Orders In Early
To Gain Big!!!
Registered Express Corporation (RG TX)
Per share price: 0.0148
Safe, Reliable, Secure. Confirmable Shipment of Electronic
Docs.
---
This message is free of viruses and malware thanks to avast! antivirus protection.
http://www.avast.com
=========
Pink Sheet AM Alarm! Obtain Your Orders In Early To Score
Large!!!
Registered Express, Corp. (R_G-T X)
Buy at: $0.0148
Secure, Safe, Reliable. Verifiable Transfer of E-Documents.
=========
Pink Sheet Daily Signal! Pull Your Buy Order In Soon To Rack Up
Huge.
REGISTERED EXPRESS, CORP. (R-G T X)
Latest Pricing: .0148
Safe, Reliable, Secure!!! Verifiable Delivery of Electronic
Documents.
=========
Exchange Morning Signal! Pull Your Buy Order In Beforehand To Rack Up
Massive.
Registered Express Corporation (R_G T X)
Priced at: .0148
Secure, Safe, Reliable! Correct Delivery of E-Documents.
=========
Happy Turkey Day
Exchange Morning Alert! Score Your Buy Order In Quick To Gain
Massive!!!
Registered Express Corp (RG_TX)
Last Trade: $0.0148
Safe, Secure, Reliable!!! Confirmable Transmission of E-Docs.
=========
Pink Sheet AM Alarm!!! Grab Your Buy Order In Quick To Gain Big!!!
Registered Express Corporation (R-G-T X)
Now: .0148
Secure, Safe, Reliable. Confirmable Consignment of E-Docs.
Labels:
Pump and Dump,
Spam
Wednesday, 27 November 2013
"ADP - Reference #274135902580" spam / Transaction.exe
Is it Salesforce or ADP? Of course... it is neither.
Attached is a file Transaction_274135902580.zip which in turn contains a malicious executable named Transaction.exe which has an icon to make it look like a PDF file and a VirusTotal detection rate of 8/48.
Malwr reports an attempted connection to seribeau.com on 103.6.196.152 (Exa Bytes Network, Malaysia). This IP has several hundred legitimate web sites on it, and it is not possible to determine if these are clean or infected.
Date: Wed, 27 Nov 2013 11:50:07 +0100 [05:50:07 EST]
From: "support@salesforce.com" [support@salesforce.com]
Subject: ADP - Reference #274135902580
We were unable to process your recent transaction. Please verify your details and try again.
If the problem persists, contact us to complete your order.
Transaction details are shown in the attached file.
Reference #274135902580
This e-mail has been sent from an automated system.
PLEASE DO NOT REPLY.
The information contained in this message may be privileged, confidential and protected from disclosure. If the reader of this message is not the intended recipient, or an employee or agent responsible for delivering this message to the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this communication in error, please notify your representative immediately and delete this message from your computer. Thank you.
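The attachment described above is the classic EXE-in-ZIP trick: a Windows executable carrying a PDF icon so that the file browser shows something harmless. The icon is not visible to a mail gateway, but the file content is. The following is an added example (it is not code from the post or from any of the products mentioned) of a triage check that opens a ZIP attachment and flags members that are Windows executables by content, not just by name. The archive it scans is constructed in memory with a minimal MZ/PE header, so it runs offline; the member names are modelled on the attachment in the post.

```python
"""Triage check for the "executable inside a ZIP attachment" pattern.

Added example, not from the original post. Scans a ZIP archive and reports
members that carry an executable extension, a Windows PE header, or a PE
header behind a document-looking extension. The sample archive is built
in memory with a fake MZ/PE stub so the script runs without any real malware.
"""
import io
import struct
import zipfile

# Extensions Windows will execute directly (constructed list, not exhaustive).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".cpl", ".dll", ".bat", ".cmd", ".js", ".vbs"}


def looks_like_pe(data: bytes) -> bool:
    """True if data starts with an MZ header whose e_lfanew points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    pe_offset = struct.unpack_from("<I", data, 0x3C)[0]  # e_lfanew lives at offset 0x3C
    return data[pe_offset:pe_offset + 4] == b"PE\x00\x00"


def scan_zip(zip_bytes: bytes) -> list:
    """Return one finding per suspicious member, with the reasons it was flagged."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
            head = zf.open(info).read(4096)  # the header is all we need to classify
            is_pe = looks_like_pe(head)
            reasons = []
            if ext in EXECUTABLE_EXTS:
                reasons.append("executable extension")
            if is_pe:
                reasons.append("PE header")
            if is_pe and ext not in EXECUTABLE_EXTS:
                reasons.append("extension/content mismatch")
            if reasons:
                findings.append({"name": name, "size": info.file_size, "reasons": reasons})
    return findings


def fake_pe(payload_len: int = 256) -> bytes:
    """Minimal MZ stub followed by a PE signature (constructed; not a runnable executable)."""
    stub = bytearray(0x40)
    stub[:2] = b"MZ"
    struct.pack_into("<I", stub, 0x3C, 0x40)  # e_lfanew -> PE signature right after the stub
    return bytes(stub) + b"PE\x00\x00" + b"\x00" * payload_len


def build_sample() -> bytes:
    """Constructed archive shaped like the attachment in the post (names only; content is the fake stub)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Transaction.exe", fake_pe())   # executable with an executable name
        zf.writestr("Transaction.pdf", fake_pe())   # PE content hiding behind a document extension
        zf.writestr("README.txt", b"just text\n")   # benign member, should not be flagged
    return buf.getvalue()


if __name__ == "__main__":
    for f in scan_zip(build_sample()):
        print(f"{f['name']}: {', '.join(f['reasons'])} ({f['size']} bytes)")
```

Checking the MZ/PE header rather than trusting the extension is the point: a gateway rule that only matches `*.exe` is beaten by a renamed binary, and one that only matches by content misses scripts, so the check reports both signals and the mismatch between them separately.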
Labels:
ADP,
EXE-in-ZIP,
Malware,
Spam,
Viruses
Tuesday, 26 November 2013
Something evil on 46.19.139.236
46.19.139.236 (Private Layer Inc, Switzerland) seems to be serving up some sort of Java exploit kit via injection attacks, using hijacked legitimate domains. The domains in use seem to rotate pretty quickly and I haven't got a copy of the payload, but VirusTotal has some examples. These are the domains that I can find running from this IP:
ihavefound.boostprep.com
greedka.byjohnwhitaker.com
green.byjohnwhitaker.com
calc.clermontjumps.com
createmore.clermontjumps.com
freesam.clermontjumps.com
team.clermontjumps.com
breast.ddghost.com
edit.ddghost.com
podkast.ddghost.com
fingerpro.golfrangefinderpro.com
goingup.golfrangefinderpro.com
hksnet.golfrangefinderpro.com
wolfram.golfrangefinderpro.com
bracers.harrismetals.net
cupholder.harrismetals.biz
marriage.harrismetals.biz
materials.harrismetals.biz
stockings.harrismetals.biz
resume.hemorrhoidhometreatmentremedy.com
automatic.herdprogram.com
changed.herdprogram.com
selection.herdprogram.com
variator.herdprogram.com
customers.houston-heights-realtor.com
employee.houston-heights-realtor.com
management.houston-heights-realtor.com
salesmanager.houston-heights-realtor.com
trunam.migweldersforsale.org
demonstration.modelagent.com
promotion.modelagent.com
resume.modelagent.com
servers.modelagent.com
grand.q-host.com
coaches.redbrickplayers.org
concrete.redbrickplayers.org
fiit.redbrickplayers.org
newone.redbrickplayers.org
teams.redbrickplayers.org
button.roadally.org
cars.roadally.org
forums.roadally.org
honest.shattertag.com
server.shattertag.com
service.shattertag.com
tagger.shattertag.com
enter.skillstuff.com
horners.skillstuff.com
sim4you.skillstuff.com
skill.skillstuff.com
urllink.skillstuff.com
servers.sleepets.com
somethingnew.sleepets.com
buddies.southlakehosting.com
goodie.southlakehosting.com
goodluck.southlakehosting.com
honest.southlakehosting.com
namefiest.sugarlandtxhouses.com
soft4you.sugarlandtxhouses.com
blogs.treatmentforeczemaguide.com
disconnected.treatmentforeczemaguide.com
italia.treatmentforeczemaguide.com
template.treatmentforeczemaguide.com
ball.wildbounce.com
savannah.wildbounce.com
These seem to be a mix of GoDaddy, 1&1 and eNom registered domains that have been hijacked. Ones listed in italics have been flagged as malicious by Google:
boostprep.com
byjohnwhitaker.com
clermontjumps.com
ddghost.com
golfrangefinderpro.com
harrismetals.net
harrismetals.biz
hemorrhoidhometreatmentremedy.com
herdprogram.com
houston-heights-realtor.com
migweldersforsale.org
modelagent.com
q-host.com
redbrickplayers.org
roadally.org
shattertag.com
skillstuff.com
sleepets.com
southlakehosting.com
sugarlandtxhouses.com
treatmentforeczemaguide.com
wildbounce.com
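The pattern above, lots of unrelated-looking subdomains of otherwise legitimate domains all pointing at one hostile IP, is what you would block at the parent-domain level rather than chasing each rotating subdomain. As an added example (not code from the post), the script below groups hostnames by their registrable domain, counts the subdomains per parent as the shadowing signal, and emits a BIND-style Response Policy Zone fragment that sinkholes the parents and the IP. The hostname list is a subset copied from the post; the second-level-suffix handling is a deliberate simplification, and a real deployment would consult the Public Suffix List instead.

```python
"""Group hijacked-looking hostnames by registrable domain and emit RPZ records.

Added example, not part of the original post. OBSERVED is a subset of the
hostnames the post lists; SUSPECT_IP is the IP the post names. The suffix
handling below is a simplification of the Public Suffix List.
"""
from collections import defaultdict

SUSPECT_IP = "46.19.139.236"

# Subset of the hostnames from the post (copied, not constructed).
OBSERVED = [
    "ihavefound.boostprep.com",
    "greedka.byjohnwhitaker.com",
    "green.byjohnwhitaker.com",
    "calc.clermontjumps.com",
    "createmore.clermontjumps.com",
    "freesam.clermontjumps.com",
    "team.clermontjumps.com",
    "breast.ddghost.com",
    "edit.ddghost.com",
    "podkast.ddghost.com",
    "bracers.harrismetals.net",
    "cupholder.harrismetals.biz",
    "marriage.harrismetals.biz",
    "resume.hemorrhoidhometreatmentremedy.com",
    "grand.q-host.com",
]

# Simplified stand-in for the Public Suffix List (assumption: enough for this sample).
KNOWN_SECOND_LEVEL = {"co.uk", "org.uk", "com.au"}


def registrable_domain(hostname: str) -> str:
    """Return the registrable (parent) domain: two labels, or three for known second-level suffixes."""
    labels = hostname.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in KNOWN_SECOND_LEVEL:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def group_by_parent(hostnames) -> dict:
    """Map each parent domain to the list of subdomain prefixes seen under it."""
    groups = defaultdict(list)
    for h in hostnames:
        parent = registrable_domain(h)
        sub = h[: -len(parent) - 1] if h != parent else ""
        groups[parent].append(sub)
    return dict(groups)


def shadowed_parents(hostnames, min_subdomains: int = 1) -> list:
    """Parents with at least min_subdomains hostnames on the hostile IP; raise the threshold to reduce noise."""
    groups = group_by_parent(hostnames)
    return sorted(p for p, subs in groups.items() if len(subs) >= min_subdomains)


def rpz_records(parents, ip: str) -> list:
    """RPZ records: NXDOMAIN the parent and all its subdomains, plus an IP trigger for the server itself."""
    lines = []
    for p in parents:
        lines.append(f"{p} CNAME .")
        lines.append(f"*.{p} CNAME .")
    reversed_ip = ".".join(reversed(ip.split(".")))
    lines.append(f"32.{reversed_ip}.rpz-ip CNAME .")  # prefix-length.reversed-octets.rpz-ip
    return lines


if __name__ == "__main__":
    for parent, subs in sorted(group_by_parent(OBSERVED).items()):
        print(f"{parent}: {len(subs)} subdomain(s) -> {', '.join(subs)}")
    print()
    print("\n".join(rpz_records(shadowed_parents(OBSERVED), SUSPECT_IP)))
```

The per-parent count is the useful output: a legitimate site that suddenly grows half a dozen subdomains like "cupholder", "marriage" and "stockings" resolving to a single foreign IP is a strong sign its registrar account or DNS has been hijacked, and blocking the parent covers whatever subdomain the kit rotates to next.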
Labels:
1&1,
GoDaddy,
Injection Attacks,
Malware,
Switzerland,
Viruses