African Human Right and Refugees Protection Council (AHRRPC) scam

This spam email is actually part of an advanced fee fraud setup:

From:     fernando derossi fernandderossi59@gmail.com
To:     fernandderossi59@gmail.com
Date:     1 February 2014 13:22
Subject:     URGENT FOOD STUFF SUPPLY NEED FOR REFUGEES
Signed by:     gmail.com

Dear Sir:

My company has been mandated to look for a company capable of
supplying food stuffs product listed bellow by the  AFRICAN HUMAN
RIGHT AND REFUGEES PROTECTION COUNCIL (AHRRPC) for  assisting of the
refugee within the war affected countries IN middle east and Africa
like MALI,SYRIA, SOMALIA, CENTRAL AFRICA, and SOUTH SUDAN, which after
going through your company's profile, have decided to know if your
company is interested.

            Below are the list of food Stuffs and the targeted value
needed by (AHRRPC)

1.  Rice
2.  Beans
3.  Milk powder
4.  Sugar
5.  Vegetable Oil
6.  Used Cloths
7.  Wheat Flour
8.  White corn meal
9.  Corn Cooking oil
10. Cumin seed oil
11. Ground nut
12. Sage Oil
13. Soya bean oil
14. Palm oil
15.  Fresh Vegetables
16.  Fresh fruits
17.  Cocoa powder.

We will be happy to work with you company only as representing agent
to secure an allocation for your company while in return your company
will give us comission as soon as your receive your contract value. We
will give you more details about the contract when we recieve your
reply.

Regards,

Mr.Fernando Derossi
AHRRPC AGENT
Website:www.ahrrpc.8k.com
Bamako-Mali in West Africa.

The email links to a website at www.ahrrpc.8k.com which set off all sorts of alarms on my virus scanner, but I think it is just an ad-laden free web hosting site, and purports to be from the African Human Right and Refugees Protection Council (AHRRPC).

Of course, there is no such organisation as this and probably the main thrust of the scam is that there will be an "arrangement fee" payable in order to sell these goods.. and once the fee is paid the scammers will disappear.

One thing that I noticed is that "Mr Fenando Derossi" has a Google+ profile.. so is it a case the the Google account has been hijacked? Well, a simple way to find out is to take the image and upload it to Google Images (by clicking the little camera icon). That gives several positive matches for the photo which has been stolen from a French model and actor called Jean-Georges Brunet. In fact, poor Monsieur Brunet has had his picture stolen before for other types of scam.

Give any approaches from the so-called African Human Right and Refugees Protection Council (AHRRPC) a very wide berth. And remember, if you want to verify who a photo actually belongs to then Google Images is an excellent resource.

Something evil on 192.95.10.208/28

192.95.10.208/28 (OVH, Canada) is being used to deliver exploit kits utlising .pw domains, for an example see this URLquery report.  The following domains are being used in these attack (although there may be more):

accountantillustrator.pw
actuarydancer.pw
ambassadoradvisor.pw
animatorcarpenter.pw
animatorgovernor.pw
archeractor.pw
archerclub.pw
archerlecturer.pw
archerycartoonist.pw
arenacycling.pw
arenalandlord.pw
arrowcompete.pw
arrowfitness.pw
artistgovernor.pw
athleteexplorer.pw
athleteexterminator.pw
athletehandyman.pw
athleticsbanker.pw
athleticsdrycleaner.pw
attorneygeologist.pw
ballballerina.pw
ballcoroner.pw
ballerinaconsul.pw
ballerinalaundress.pw
balllobbyist.pw
ballracer.pw
baseballdefense.pw
baseballhardball.pw
baseballmechanic.pw
basketballdj.pw
basketballillustrator.pw
batdart.pw
batdj.pw
batmonk.pw
batolympics.pw
batterpool.pw
battingconcierge.pw
battingrunning.pw
biathlonlandscaper.pw
bicyclebarber.pw
bicyclechaplain.pw
bicycleracket.pw
bikegeneral.pw
bikingoptician.pw
biologistcabdriver.pw
bobsleighcaterer.pw
bobsleighcop.pw
bobsleighfirefighter.pw
bobsleighjockey.pw
boccebowling.pw
boccepercussionist.pw
boomerangbobsleigh.pw
boomerangcompete.pw
bowcobbler.pw
bowlerkayaking.pw
boxercashier.pw
bronzehairdresser.pw
buntcop.pw
buntexporter.pw
buntgymnastics.pw
butchernegotiator.pw
canoegardener.pw
carpenterorderly.pw
cartographerlandscaper.pw
catchergeologist.pw
catchlandscaper.pw
championbatting.pw
championshipcobbler.pw
championshipdoorman.pw
championshipgear.pw
championshipjester.pw
championshipjockey.pw
championshipmarketer.pw
clubfarmer.pw
coachbarber.pw
coachgolfer.pw
competeexporter.pw
competepediatrician.pw
competingbowler.pw
competingcoach.pw
competitioncryptographer.pw
competitionexplorer.pw
competitorhairdresser.pw
competitornovelist.pw
conciergemanufacturer.pw
contractorexterminator.pw
crewastronaut.pw
crewmusician.pw
cricketgoalie.pw
cricketjailer.pw
custodiancobbler.pw
cyclebellhop.pw
cyclistcaptain.pw
dartboardequipment.pw
dartboardnavigator.pw
dartboardpathologist.pw
dartlifeguard.pw
decathlonbellhop.pw
decathlondriver.pw
defensenet.pw
defensepaleontologist.pw
dermatologistinstructor.pw
designerbabysitter.pw
designercoach.pw
diamondgolfer.pw
diamondlobbyist.pw
divecycle.pw
diveeconomist.pw
divepainter.pw
diverbabysitter.pw
diverbowler.pw
divingauthor.pw
djnegotiator.pw
dodgeballgolfer.pw
doormanparkranger.pw
driverpawnbroker.pw
editordictator.pw
electricianbaker.pw
engineerastronaut.pw
entomologistbowler.pw
entrepreneurpatrol.pw
epeebowler.pw
epeeintern.pw
epeelandlord.pw
epeelinguist.pw
epeerunning.pw
exercisebatter.pw
exportercatcher.pw
farmerlecturer.pw
fencinghandball.pw
fieldercartographer.pw
fielderpaleontologist.pw
fielderpercussionist.pw
fieldingauctioneer.pw
figureskatingbuilder.pw
figureskatingchemist.pw
footballbunt.pw
footballcustodian.pw
footballlyricist.pw
frisbeebike.pw
gamenurse.pw
gearathlete.pw
generalillustrator.pw
geneticisteconomist.pw
geneticistgolfer.pw
goalbicycling.pw
goalcatcher.pw
goaldj.pw
goalhardball.pw
goaliebilliards.pw
goalielocksmith.pw
goalmedal.pw
goalmedal.pw
goalpawnbroker.pw
goalpercussionist.pw
golferdoorman.pw
golferentomologist.pw
golfingfirefighter.pw
guardcryptographer.pw
guardextra.pw
guardhandyman.pw
gymeducator.pw
gymmarketer.pw
gymnastcardiologist.pw
gymnasticsarchery.pw
gymnasticscobbler.pw
gymnasticsdictator.pw
gymnastnun.pw
halftimeillustrator.pw
handballhome.pw
hardballactress.pw
hardballastronomer.pw
hardballjumper.pw
helmetgolfer.pw
helmetjailer.pw
highjumpbiologist.pw
highjumpcashier.pw
highjumpguide.pw
hoboexporter.pw
hoopbiking.pw
hoopgear.pw
huddlecompete.pw
huddleparalegal.pw
hurdlebutler.pw
hurdlecompetitor.pw
hurdleforeman.pw
hurdlemove.pw
jailercardiologist.pw
javelinskate.pw
joggerdirector.pw
journalisthairdresser.pw
judomayor.pw
jumperfisherman.pw
jumperlibrarian.pw
jumpingorderly.pw
jumpingreferee.pw
karatemanufacturer.pw
karateparalegal.pw
kayakathlete.pw
kayakballerina.pw
kayakerbiologist.pw
kayakercabdriver.pw
kayakingconsul.pw
kayakingoperator.pw
kayakingskating.pw
kayaknurse.pw
kickballnurse.pw
lacrossemuralist.pw
lacrosseorderly.pw
landlordexterminator.pw
landlordgardener.pw
landscapercook.pw
landscaperoptician.pw
lecturergatherer.pw
linguistdetective.pw
locksmithillustrator.pw
maidblacksmith.pw
maidornithologist.pw
marinecellist.pw
martialartslinguist.pw
mayordrummer.pw
monklyricist.pw
movemedal.pw
oboistbowler.pw
olympicscompetition.pw
olympicsengineer.pw
opticiannegotiator.pw
orienteeringjanitor.pw
paintergeneral.pw
paralegalbuilder.pw
paralegaleconomist.pw
pawnbrokermanufacturer.pw
peddlerbellhop.pw
pingpongathlete.pw
pingpongbasketball.pw
pingpongempress.pw
pingponghelmet.pw
pitchactor.pw
pitchdart.pw
pitchjanitor.pw
pitchlifeguard.pw
playchauffeur.pw
playerskate.pw
playingoboist.pw
playoffscycle.pw
playoffspeddler.pw
playorienteering.pw
polekayaking.pw
poolgeneticist.pw
poolnegotiator.pw
quarterbackgeneral.pw
quartergeographer.pw
racedrummer.pw
raceengineer.pw
racercellist.pw
racketarcher.pw
racketbaseball.pw
racketdart.pw
racketleague.pw
racketskate.pw
raftingbarber.pw
raftingdancer.pw
raftingfrisbee.pw
raftingkayaker.pw
relaydrycleaner.pw
relayrace.pw
ridingcabdriver.pw
ridingnurse.pw
runbasketball.pw
rundrummer.pw
runningaccountant.pw
runningactuary.pw
skatepole.pw
skatingmuralist.pw
teacherjockey.pw
toolmakerfisherman.pw

The IP forms part of a /28 block belonging to a known bad actor:
NetRange:       192.95.10.208 - 192.95.10.223
CIDR:           192.95.10.208/28
OriginAS:       AS16276
NetName:        OVH-CUST-413973
NetHandle:      NET-192-95-10-208-1
Parent:         NET-192-95-0-0-1
NetType:        Reassigned
RegDate:        2014-01-24
Updated:        2014-01-24
Ref:            http://whois.arin.net/rest/net/NET-192-95-10-208-1

CustName:       Private Customer
Address:        Private Residence
City:           Penziatki
StateProv:     
PostalCode:     30000
Country:        RU
RegDate:        2014-01-24
Updated:        2014-01-24
Ref:            http://whois.arin.net/rest/customer/C04859113

I believe that these IPs are connected with a black hat host r5x.org and IPs with these WHOIS details are very often used in exploit kit attacks. I would strongly recommend that you block 192.95.10.208/28 in addition to the domains listed above.

"Windsor Telecom Fax2Email" spam

Another day, another fake Fax spam with a malicious payload:

Date:      Fri, 31 Jan 2014 10:00:23 +0000 [05:00:23 EST]
From:      Windsor Telecom Fax2Email [no-reply@windsor-telecom.co.uk]
Subject:      Fax Message on 08983092722 from

FAX MESSAGEYou have received a fax on your fax number: 08983092722 from.The fax is
attached to this email.PLEASE DO NOT REPLY BACK TO THIS MESSAGE. 

Attached is an archive file FAX MESSAGE.ZIP which in turn contains a malicious executable FAX MESSAGE.EXE with a VirusTotal detection rate of 4/50. Well, I say malicious but both Malwr and Anubis report that the payload does not execute properly, however that might just be an issue with those particular sandboxes and it does not mean that it will fail to run on all systems.

"Last Month Remit" spam

This fake "Last Month Remit" spam does a pretty good job of looking like it comes from your own organisation..

Date:      Thu, 30 Jan 2014 12:22:05 +0000 [07:22:05 EST]
From:      Administrator [victimdomain]

>
Subject:      FW: Last Month Remit

File Validity:Thu, 30 Jan 2014 12:22:05 +0000
Company : http://[victimdomain]
File Format: Office - Excel
Internal Name: Remit File
Legal Copyright: ? Microsoft Corporation. All rights reserved.
Original Filename: Last month remit file.xls

********** Confidentiality Notice **********.
This e-mail and any file(s) transmitted with it, is intended for the exclusive use by the person(s) mentioned above as recipient(s).
This e-mail may contain confidential information and/or information protected by intellectual property rights or other rights. If you
are not the intended recipient of this e-mail, you are hereby notified that any dissemination, distribution, copying, or action taken
in relation to the contents of and attachments to this e-mail is strictly prohibited and may be unlawful. If you have received this
e-mail in error, please notify the sender and delete the original and any copies of this e-mail and any printouts immediately from
your system and destroy all copies of it. The deception even goes as far as faking the mail headers:

Received:     

    (qmail 6160 invoked from network); 30 Jan 2014 12:22:06 -0000
    from unknown (192.168.1.88) by [redacted] with QMQP; 30 Jan 2014 12:22:06 -0000
    from 95-177-119-126.aurora.managedbroadband.co.uk (95.177.119.126) by [redacted] with SMTP; 30 Jan 2014 12:22:05 -0000
    from docs743.[victimdomain] (10.0.0.170) by [victimdomain] (10.0.0.31) with Microsoft SMTP Server (TLS) id U5G10C1E; Thu, 30 Jan 2014 12:22:05 +0000
    from docs7075.[victimdomain] (10.39.36.29) by smtp.[victimdomain] (10.0.0.131) with Microsoft SMTP Server id MJ25NOGJ; Thu, 30 Jan 2014 12:22:05 +0000

Going to to bother of inserting fake mail headers is odd, because anyone who knew enough to check the headers would probably also realist that the attached ZIP file with an EXE in it was probably bad news.

In this case, the attachment is called Remit_[victimdomain].zip  which in turn contains a malicious executable called Remit.exe which has an icon that makes it look like a PDF file.

This file has a VirusTotal detection rate of 10/49. Automated analysis tools [1] [2] [3] show an attempted connection to poragdas.com  on 182.18.143.140 (Pioneer Elabs, India) which is a server that has been seen before, and excelbizsolutions.com on 103.13.99.167 on (CtrlS Private, India).

Recommended blocklist:
103.13.99.167
182.18.143.140
poragdas.com
excelbizsolutions.com

WTF is s15443877[.]onlinehome-server[.]info?

Something that caught my eye was this Google Safebrowsing diagnostic for [donotclick]s15443877.onlinehome-server.info:

Safe Browsing

Diagnostic page for s15443877.onlinehome-server.info

What is the current listing status for s15443877.onlinehome-server.info?

This site is not currently listed as suspicious.

What happened when Google visited this site?

Of the 1746 pages we tested on the site over the past 90 days, 582 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2014-01-29, and the last time suspicious content was found on this site was on 2014-01-29.Malicious software includes 166 scripting exploit(s), 166 trojan(s), 89 exploit(s). Successful infection resulted in an average of 5 new process(es) on the target machine.
Malicious software is hosted on 198 domain(s), including mendozaempleos.com/, e-veleta.com/, forogozoropoto.2waky.com/.
155 domain(s) appear to be functioning as intermediaries for distributing malware to visitors of this site, including chebro.es/, formandfinishpdr.com/, mendozaempleos.com/.
This site was hosted on 1 network(s) including AS8560 (ONEANDONE-AS).

Has this site acted as an intermediary resulting in further distribution of malware?

Over the past 90 days, s15443877.onlinehome-server.info did not appear to function as an intermediary for the infection of any sites.

Has this site hosted malware?

No, this site has not hosted malicious software over the past 90 days.

Not only are (exactly) one third of the pages crawled hosting malware, but there are a staggering 198 domains spreading it. Usually it's just a handful of sites, but this is the most I've ever seen.

VirusTotal also shows some historical evil going on with the IP of 212.227.141.247 (1&1, Germany) and a Google of the site contents shows thousands of hits of what appears to be scraped content in Spanish.

It's hard to say just what this site is, but with Google diagnostics like that then it is unlikely to be anything good and blocking s15443877.onlinehome-server.info or 212.227.141.247 might be prudent.

"Adopt a puppy scam" is a new twist

This offer to adopt a puppy for free is a scam:

From:     Shirley Eason shirleyeason5@gmail.com
Reply-To:     shirleyeason5@gmail.com
Date:     30 January 2014 09:29
Subject:     Adopt this little puppy @ 0$

My name is Shirley Eason, Presently diagnosed of acute brain injury from a ghastly car accident that led to lost of my son and husband 3 years ago.

I'm looking for a good heart fellow to take over my 9weeks English Bulldog,right now I have been ask to move to Aged home. ofcourse I'm not allowed to take webster.

I'm willing to send Webster overseas if you can convince me he's on good hands.

I want to share the love I have for Webster across the world to anyone who have passion for animals.

You will receive more photos on response to this mail.
http://www.sendspace.com/file/pa5p12
http://www.sendspace.com/file/ytalxs

Hugs and kisses from a beautiful heart

Warm Regards

What's on the end of those Sendspace links? Well, indeed there are a couple of pictures of a puppy.

So.. it's a free puppy? What could possibly go wrong? Well, lots..

Let's do a bit of detective work starting with finding the origin of those photos. A trip to Google Images followed by a click of the camera icon allows you to upload a picture to do a reverse image search. We can easily find a match for that photo here and here, and it turns out that although the dog really is called Webster he's not up for adoption at all, but is for sale by a reputable and unconnected party who has had their photo stolen.

So, what is the scam? Bearing in mind that poor old Webster is worth a couple of thousand dollars but the scammer is asking for nothing? Well, as with all advanced fee fraud scams there are going to be up-front expenses that aren't mentioned, such as shipping fees, vet bills, certificates and all sort of other things.. and once the victim has paid all the money then Webster will still not turn up because of course the scammer doesn't actually have the dog to begin with.

Now, we're pretty sure that you won't try to acquire a dog advertised by spam.. but if you are, well.. don't.

Incidentally, the origins of the email appear to be a computer at 75.130.67.30 (Charter Communicaations, Tennessee) via a server at 68.15.225.129 (ommailex1.iiiinc.com) although it is unlikely that the owner of either of those two systems is aware of the scam either.

Fake Vodafone MMS spam comes with a malicious attachment

This fake Vodafone MMS spam comes with a nasty payload:

Date:      Thu, 30 Jan 2014 03:55:04 -0500 [03:55:04 EST]
From:      mms.service6885@mms.Vodafone.co.uk
Subject:      image Id 312109638-PicOS97F TYPE==MMS

Received from: 447219637920 | TYPE=MMS 

Despite the Vodafone references in the header, this message comes from a random infected PC somewhere and not the Vodafone network.

The email doesn't quite render properly in my sample:

The spam is probably preying on the fact that most people have heard of MMS but very rarely use it. Attached is a file IMG0000008849902.zip which in turn contains a malicious executable IMG0000008849902.exe, this has a VirusTotal detection rate of just 2/50.  Automated analysis tools are inconclusive [1] [2] as the sample appears to time out.

"Voice Message from Unknown" spam (again)

This fake voice message spam comes with a malicious attachment:

Date:      Wed, 29 Jan 2014 14:45:36 +0100 [08:45:36 EST]
From:      Administrator [docs0@victimdomain.net]
Subject:      Voice Message from Unknown (644-999-4348)

 Unity Messaging System

- - -Original Message- - -

From: 644-999-4348

Sent: Wed, 29 Jan 2014 14:45:36 +0100

To: [redacted]

Subject: Important Message to All Employees 

Attached is an archive Message.zip which in turn contains a malicious executable VoiceMessage.exe which has a VirusTotal detection rate of just 6/50. Automated analysis tools [1] [2] [3] show attempted connections to kitchenrescue.com on 184.107.74.34 (iWeb, Canada) and ask-migration.com on 173.192.21.195 (Softlayer, US). In particular, it attempts to download some sort of encrypted file [donotclick]kitchenrescue.com/login.kitchenrescue.com/images/items/wav.enc which I have not been able to identify.

The Green Organisation (thegreenorganisation.info) spam

Perhaps The Green Organisation (thegreenorganisation.info) has good intentions, but sending out unsolicited bulk email is just going to get them regarded as The Spam Organisation.

From:     Green Organisation greenorganisation@rkwmail.co.uk
Date:     29 January 2014 02:43
Subject:     FAO: The Chief Executive and anyone involved with the built environment

FREE ENTRIES FOR BUILT ENVIRONMENT AWARDS

You can submit a free entry in the Green Apple Built Environment and Architectural Heritage Awards, as long as it arrives by February 28.

The top prize is a holiday for two in the world’s greenest resort – AquaCity in the High Tatras mountains of Slovakia.

There are three chances to win in each category, with Gold, Silver and Bronze trophies for the top three.

You also have the chance to represent your country in the European Business Awards for the Environment, as the Green Apple Awards is one of the few UK campaigns accepted as an official feeder scheme into the Brussels-led initiative.

If any of your building/construction projects helps the environment in any way, you are invited to submit an entry.

Every company or council is entitled to a free entry and all winners receive invitations for the glittering presentation ceremony at the Crystal, London in June, with food and drink included.

You can win…

• A prestigious trophy and certificate

• A holiday for two in the world’s greenest resort

• International recognition

• Qualification into Europe

• Massive publicity

• And we will plant a tree on behalf of each company submitting an entry.

And all free of charge!

The Green Apple Awards for the Built Environment 2014

 You can enter online, by email or by post and you will find more information at www.thegreenorganisation.info or you can phone 01604 810507.

CLOSING DATE FEBRUARY 28, 2014

It’s free – and easy!

The Green Organisation, The Mill House, Mill Lane, Earls Barton, Northampton NN6 0NR.

Unsubscribe

The email originates from 81.168.114.179 which resolves as rkwmail.co.uk (hosted by Eclipse Internet in the UK). The WHOIS details for that domain are:

Domain name:
        rkwmail.co.uk

    Registrant:
        Roger Wolens

    Registrant type:
        UK Individual

    Registrant's address:
        Mill House
        Earls Barton
        Northamptonshire
        NN6 0NR
        United Kingdom

When we look at the spamvertised domain thegreenorganisation.info we see some broadly similar details:

Registrant ID:DI_9170956
Registrant Name:Domain Contact (103845)
Registrant Organization:The Green Organisation
Registrant Street1:The Mill Barn, Mill Lane
Registrant Street2:
Registrant Street3:
Registrant City:Earls Barton
Registrant State/Province:Northants
Registrant Postal Code:NN6 0NR
Registrant Country:GB
Registrant Phone:+44.1604810507
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Registrant Email:rogerwolens@btconnect.com


So whois is Roger Wolens? Well, he appears to be the owner of The Green Organisation. So the next thing I wondered is.. exactly what is The Green Organisation. They answer this question on their own website:

THE GREEN ORGANISATION  has been established since 1994 as an international, independent, non-profit, non-political, non-activist environment group, dedicated to recognising, rewarding and promoting environmental best practice around the world.

Note that The Green Organisation is not a charity but a business. We can look that up on DueDil to see what it thinks:

OK, that seems to look like a non-profit to me. In fact a hunt around their website shows nothing suspect or untowards, although if it is really the hugely successful enterprise that it claims to be then I wonder why it is promoting itself through spam.