Showing posts sorted by relevance for query 41.64.21.71.

Tuesday, 21 February 2012

Some malware sites to block 21/2/12

These sites are being used in current spam runs to distribute the Blackhole Exploit Kit. You may want to block the IPs (mostly home PCs) or domains or both.

bestsecondchance.net
freac.net
likethisjob.com
synergyledlighting.net
sysfilecore.com
systemtestnow.com
thai4me.com
yourbeautifullife.net
41.64.21.71
69.76.48.235
98.213.116.76
115.249.190.46
151.56.49.48
151.70.111.200
174.48.136.189


For the record, those IPs are on the following providers:
41.64.21.71 (Dynamic ADSL, Egypt)
69.76.48.235 (Road Runner, US)
98.213.116.76 (Comcast, US)
115.249.190.46 (Reliance Communication, India)
151.56.49.48 (IUnet, Italy)
151.70.111.200 (IUnet, Italy)
174.48.136.189 (Comcast, US)
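As an added example (not code from the original post), the following Python turns the post's advice to block "the IPs or domains or both" into a check that can be run over proxy logs. The domain and IP indicators are the ones listed above; the two landing-page URL shapes (`/main.php?page=<16 hex>` and `/content/ap2.php?f=<5 hex>`) are the shapes that recur in the posts on this page, and matching on them is this example's own heuristic rather than anything the blog describes. The log lines are constructed for the demonstration and their format (timestamp, client, URL, status) is an assumption.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Indicators as listed in the post above.
BLOCKED_DOMAINS = {
    "bestsecondchance.net", "freac.net", "likethisjob.com",
    "synergyledlighting.net", "sysfilecore.com", "systemtestnow.com",
    "thai4me.com", "yourbeautifullife.net",
}
BLOCKED_IPS = {
    "41.64.21.71", "69.76.48.235", "98.213.116.76", "115.249.190.46",
    "151.56.49.48", "151.70.111.200", "174.48.136.189",
}

# Landing-page URL shapes seen repeatedly in the posts on this page.
# Treating them as indicators on their own is an assumption of this example.
LANDING_PATTERNS = [
    re.compile(r"^/main\.php\?page=[0-9a-f]{16}$"),
    re.compile(r"^/content/ap2\.php\?f=[0-9a-f]{5}$"),
]


def host_matches(host, blocked_domains):
    """True if host is a blocked domain or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in blocked_domains)


def classify_url(url):
    """Return the list of reasons a URL should be flagged (empty if none)."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = parts.hostname or ""
    reasons = []
    try:
        # Literal IP in the URL: compare against the IP blocklist.
        if str(ipaddress.ip_address(host)) in BLOCKED_IPS:
            reasons.append("blocked-ip")
    except ValueError:
        # Not an IP, so it is a hostname: compare against the domain blocklist.
        if host_matches(host, BLOCKED_DOMAINS):
            reasons.append("blocked-domain")
    path_q = parts.path + ("?" + parts.query if parts.query else "")
    if any(p.match(path_q) for p in LANDING_PATTERNS):
        reasons.append("exploit-kit-url-pattern")
    return reasons


# Constructed sample proxy log: timestamp, client, URL, status (not real traffic).
SAMPLE_LOG = """\
2012-02-21T12:01:07Z 10.0.0.14 http://www.example.com/index.html 200
2012-02-21T12:01:09Z 10.0.0.14 http://thai4me.com/main.php?page=7d486a09d440e84a 200
2012-02-21T12:03:30Z 10.0.0.22 http://41.64.21.71/content/ap2.php?f=b74bf 200
2012-02-21T12:05:12Z 10.0.0.31 http://compromised-blog.example/blog/post.html 200
2012-02-21T12:05:13Z 10.0.0.31 http://unknownhost.example/main.php?page=598991e7306ac07e 200
"""


def scan_log(text):
    """Return (client, url, reasons) for every log line that trips an indicator."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # skip malformed lines rather than crash on them
        _, client, url, _ = fields[:4]
        reasons = classify_url(url)
        if reasons:
            hits.append((client, url, reasons))
    return hits


if __name__ == "__main__":
    for client, url, reasons in scan_log(SAMPLE_LOG):
        print(f"{client} -> {url}  [{', '.join(reasons)}]")
```

Note that the last sample line is flagged on URL shape alone, which is the point of keeping the pattern check separate from the blocklists: the landing domains change from post to post, while the URL shape stays the same, so the two checks catch different things and the reasons list tells an analyst which one fired.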

Monday, 28 May 2012

Amazon.com spam / anarodas.net

Perhaps I spoke too soon about the quietness on the malware spam front. Here's a spam pretending to be from Amazon.com leading to malware on anarodas.net:

From: digital-no-reply@amazon.com [mailto:Amazon.com]
Sent: 25 May 2012 19:02
To: XXXXXXX
Subject: Your Kindle e-book Amazon.com receipt.

Thanks for your order, XXXXXXX!
Did you know you can view and edit your orders online, 24 hours a day? Visit Your Account.
Order Information:
E-mail Address:  XXXXXXX
Billing Address:
Jerry Vance
503-8878 Vel Avenue
GAHANNA
United States
Phone: 614-361-9914   
Order Grand Total: $ 54.99
Earn 3% rewards on your Amazon.com orders with the Amazon Visa Card. Learn More

Order Summary:
Details:
Order #:     T29-2192561-6011996
Subtotal of items:     $ 54.99
    ------
Total before tax:     $ 54.99
Tax Collected:     $0.00
    ------
Grand Total:     $ 50.00
Gift Certificates:     $ 4.99
    ------
Total for this Order:    $ 54.99

The following item is auto-delivered to your Kindle or other device. You can view more information about this order by clicking on the title on the Manage Your Kindle page at Amazon.com.
Mockingjay (The Final Book of The Hunger Games) [Kindle Edition] $ 54.99
Sold By: Random House Digital, Inc.
________________________________________

You can review your orders in Your Account. If you've explored the links on that page but still have a question, please visit our online Help Department.
Please note: This e-mail was sent from a notification-only address that cannot accept incoming e-mail. Please do not reply to this message.
Thanks again for shopping with us.
Amazon.com
Earth's Biggest Selection
Prefer not to receive HTML mail? Click here

The malicious payload is on [do not click]anarodas.net/xor/index.php?showtopic=249281 (report here). The site is hosted on the familiar IP address of 41.64.21.71 which is an ADSL line in Cairo.

Tuesday, 24 April 2012

LinkedIn Spam / leckrefotzen.net

Oh my. Yet another LinkedIn spam run..

Date:      Tue, 24 Apr 2012 16:31:34 -0300
From:      "Russ Connor" [enviousnessi07@linkedin.com]
Subject:      LinkedIn Reminder


LinkedIn
REMINDERS

Invitation notifications:
• From Chaney Cameron (Your Colleague)


PENDING MESSAGES

• There are a total of 3 messages awaiting your response. Visit your InBox now.

Don't want to receive email notifications? Adjust your message settings.

LinkedIn values your privacy. At no time has LinkedIn made your email address available to any other LinkedIn user without your permission. © 2010, LinkedIn Corporation.

The link in the message goes to a malware site at leckrefotzen.net/main.php?page=b7ff54d52bf8dd24 (report here) hosted on the familiar IP address of 41.64.21.71 in Egypt. Blocking this IP address would be an excellent idea. Or you could just block linkedin.com emails altogether which would be no great loss either.

Thursday, 19 April 2012

LinkedIn Spam / springrheumatology.net

Another LinkedIn spam run leading to malware, this time on springrheumatology.net

Date:      Thu, 19 Apr 2012 19:34:55 +0100
From:      "Callie Holland" [donor@linkedin.com]
Subject:      LinkedIn Invitation from your co-worker


LinkedIn
REMINDERS

Invitation notifications:
• From Patrick Mcdaniel (Your co-worker)


PENDING MESSAGES

• There are a total of 2 messages awaiting your response. Visit your InBox now.

Don't want to receive email notifications? Adjust your message settings.

LinkedIn values your privacy. At no time has LinkedIn made your email address available to any other LinkedIn user without your permission. © 2010, LinkedIn Corporation.

=========================

Date:      Thu, 19 Apr 2012 14:57:47 -0300
From:      "Jane Gaston" [lulu9@linkedin.com]
Subject:      LinkedIn Reminder


LinkedIn
REMINDERS

Invitation reminders:
• From Solomon Goff (Your Colleague)


PENDING MESSAGES

• There are a total of 2 messages awaiting your response. Visit your InBox now.

Don't want to receive email notifications? Adjust your message settings.

LinkedIn values your privacy. At no time has LinkedIn made your email address available to any other LinkedIn user without your permission. © 2010, LinkedIn Corporation.

The malicious payload is at springrheumatology.net/main.php?page=9e32768587b0d9a8 (report here) hosted on the familiar IP address of 41.64.21.71 in Egypt, a very good IP address to block.

Thursday, 12 April 2012

LinkedIn Spam / prospero-marketing.net

This spam leads to malware:

From:     Patrice Burke premonition9@linkedin.com
Date:     12 April 2012 16:33
Subject:     LinkedIn Nofitication service message

LinkedIn
REMINDERS

Invitation reminders:
•  From Kadeem Ruiz (Your classmate)



PENDING MESSAGES

• There are a total of 2 messages awaiting your response. Visit your InBox now.


Don't want to receive email notifications? Adjust your message settings.

LinkedIn values your privacy. At no time has LinkedIn made your email address available to any other LinkedIn user without your permission. © 2010, LinkedIn Corporation.

The malicious payload is on prospero-marketing.net/main.php?page=5ab26a646c9cf178 (report here) hosted on 85.189.11.134 and 41.64.21.71 which are the same IPs as seen in this attack yesterday.

Wednesday, 11 April 2012

LinkedIn Spam / baiparz.com

This fake LinkedIn message leads to malware:

Date:      Wed, 11 Apr 2012 15:09:48 -0300
From:      "Pasquale Nieves" [warthogv@linkedin.com]
Subject:      LinkedIn Nofitication service message


LinkedIn
REMINDERS

Invitation reminders:
• From Felix Byers (Your Colleague)


PENDING MESSAGES

• There are a total of 2 messages awaiting your response. Visit your InBox now.

Don't want to receive email notifications? Adjust your message settings.

LinkedIn values your privacy. At no time has LinkedIn made your email address available to any other LinkedIn user without your permission. © 2010, LinkedIn Corporation.

There's a malicious payload at baiparz.com/main.php?page=f93de12c807d28df (report here) which is hosted by Griffin Internet in the UK on 85.189.11.134 and also can be found on the familiar IP address of 41.64.21.71 which is an ADSL subscriber in Egypt.

Wednesday, 14 March 2012

INTUIT / IRS malicious spam and georgekinsman.net

There are two parallel spam campaigns running right now, one in the "Intuit.com invoice" form and one in the "IRS Tax Appeal" form.

Both spams lead to a malicious page at georgekinsman.net/main.php?page=c9a5e6d306c55c68 (report here) hosted on the very familiar IP address of 41.64.21.71. Block it if you haven't already.

Tuesday, 13 March 2012

BBB Spam / mynourigen.net

More BBB spam leading to malware, this time at mynourigen.net. For example:

Date:      Tue, 13 Mar 2012 20:39:07 +0700
From:      "BBB"
Subject:      Important! BBB complaint activity report
Attachments:     betterbb_logo.jpg

Attn: Owner/Manager

Here with the Better Business Bureau would like to inform you that we have been filed a complaint (ID 92163107) from one of your customers related to their dealership with you.

Please open the COMPLAINT REPORT below to obtain the details on this question and let us know of your opinion as soon as possible.

We hope to hear from you very soon.

Sincerely,

Rebecca Wilcox

Dispute Counselor
Better Business Bureau


Council of Better Business Bureaus
4200 Wilson Blvd, Suite 800
Arlington, VA 22203-1838
Phone: 1 (703) 276.0100
Fax: 1 (703) 525.8277

==========

Date:      Tue, 13 Mar 2012 14:42:30 +0100
From:      "Better Business Bureau"
Subject:      Your customer complained to BBB
Attachments:     betterbb_logo.jpg

Good afternoon,

Here with the Better Business Bureau informs you that we have been sent a complaint (ID 31347804) from one of your customers with respect to their dealership with you.

Please open the COMPLAINT REPORT below to obtain more information on this issue and let us know of your position as soon as possible.

We hope to hear from you very soon.

Sincerely,

Carlos Baxter

Dispute Counselor
Better Business Bureau


Council of Better Business Bureaus
4200 Wilson Blvd, Suite 800
Arlington, VA 22203-1838
Phone: 1 (703) 276.0100
Fax: 1 (703) 525.8277

==========

Date:      Tue, 13 Mar 2012 14:53:11 +0100
From:      "BBB"
Subject:      BBB important information
Attachments:     betterbb_logo.jpg

Good afternoon,

Here with the Better Business Bureau informs you that we have been sent a complaint (ID 11043517) from your customer in regard to their dealership with you.

Please open the COMPLAINT REPORT below to find the details on this case and let us know of your point of view as soon as possible.

We are looking forward to hearing from you.

Faithfully,

Fernando Grodhaus

Dispute Counselor
Better Business Bureau


Council of Better Business Bureaus
4200 Wilson Blvd, Suite 800
Arlington, VA 22203-1838
Phone: 1 (703) 276.0100
Fax: 1 (703) 525.8277

==========

Date:      Tue, 13 Mar 2012 14:30:45 +0100
From:      "BBB"
Subject:      BBB processing RE: Case ID 06216966
Attachments:     betterbb_logo.jpg

Good afternoon,

Here with the Better Business Bureau informs you that we have been sent a complaint (ID 06216966) from a customer of yours in regard to their dealership with you.

Please open the COMPLAINT REPORT below to view more information on this case and suggest us about your position as soon as possible.

We hope to hear from you very soon.

Kind regards,

Carlos Baxter

Dispute Counselor
Better Business Bureau


Council of Better Business Bureaus
4200 Wilson Blvd, Suite 800
Arlington, VA 22203-1838
Phone: 1 (703) 276.0100
Fax: 1 (703) 525.8277

==========

The malicious payload is on mynourigen.net/main.php?page=dc6f9d2a120107b9 and mynourigen.net/content/ap2.php?f=fa88c - it's the usual mixed bag of exploits.

mynourigen.net is apparently hosted on 41.64.21.71 in Egypt (seen many times before). The following domains are also associated with the same IP and can be considered to be malicious.

abc-spain.net
bonus100get.com
excellentworkchoise.com
foryouhomework.com
freac.net
get100bonus.com
getbonus100.com
icemed.net
likethisjob.com
perfectbusinesschance.net
sony-zeus.net
stafffire.net
synergyledlighting.net
systemtestnow.com
themeparkoupons.net
workatyourhomenow.com
yourbeautifulchance.com
yourbeautifullife.net
yourlifechance.net
yourpersonaldefence.com

Thursday, 8 March 2012

AICPA spam / themeparkoupons.net

Another AICPA spam run is also doing the rounds with a malicious payload on:

themeparkoupons.net/main.php?page=89cd1f8b9fb67fbc
themeparkoupons.net/content/ap2.php?f=4f07a

The IP appears to be 41.64.21.71 (Dynamic ADSL, Egypt). This IP has been seen many times before, so blocking it would be a very good idea.

Tuesday, 6 March 2012

Intuit.com spam / icemed.net

It's lunchtime here.. which means that the malware spam campaigns tend to kick off. One of these is this Intuit.com spam:

Date:      Tue, 6 Mar 2012 14:04:46 +0200
From:      "INTUIT INC."
Subject:      Dowload your Intuit.com invoice.

Dear Client:

Thank you for placing an order with Intuit Market. We have received it and will let you know when your order is processed. If you ordered several items, we may process them in more than one shipment (at no extra cost to you) to ensure quicker delivery.

If you have questions about your order, please call 1-800-955-8890.


ORDER INFORMATION

Please download your invoice
id #318651746029 information at Intuit small business website.

NEED HELP?

    Email us at mktplace_customerservice@intuit.com.
    Call us at 1-800-955-8890.
    Reorder Intuit Checks Quickly and Easily starting with
    the information from your previous order.

To help us better serve your needs, please take
a few minutes to let us know how we are doing.
Submit your feedback here.

Thanks again for your order,

Intuit Market Customer Service

Privacy , Legal , Contact Us , About Us

You have received this business communication as part of our efforts to fulfill your request or service your account. You may receive this and other business communications from us even if you have opted out of marketing messages.

Please note: This e-mail was sent from an auto-notification system that cannot accept incoming email
Please do not reply to this message.

If you receive an email message that appears to come from Intuit but that you suspect is a phishing e-mail, please forward it immediately to spoof@intuit.com. Please visit http://security.intuit.com/ for additional security information.


©2011 Intuit, Inc. All rights reserved. Intuit, the Intuit Logo, Quickbooks, Quicken and TurboTax,
among others, are registered trademarks of Intuit Inc.

The malicious payload is at icemed.net/content/ap2.php?f=b74bf and icemed.net/main.php?page=ffa1bed3ef7ceb23 (report here). This is hosted on 213.179.193.132 (Solidhost, Netherlands) and 41.64.21.71 (Dynamic ADSL, Egypt). We've seen these IPs before, so they are well worth blocking.

Friday, 2 March 2012

Intuit.com spam / migdaliasbistro.net and 213.179.193.132

The past couple of days have seen a lot of identical "Intuit.com" spam runs. Another one is starting up today with a malicious payload on migdaliasbistro.net, hosted on 213.179.193.132 (Solidhost, Netherlands) and 41.64.21.71 (Dynamic ADSL, Egypt).

In particular, malware can be found at:
migdaliasbistro.net/main.php?page=4f7249b62ef4f934
migdaliasbistro.net/content/ap2.php?f=86cd2


There's a Wepawet report here.

There are several potentially malicious sites on this server. Blocking the IP address should protect against other evil domains:
perikanzas.com
abc-spain.net
migdaliasbistro.net
twistedtarts.net

Tuesday, 28 February 2012

BBB Spam / perikanzas.com and twistedtarts.net

BBB spam.. you must know what it looks like by now. Here are a couple of new domains:

perikanzas.com
41.64.21.71 (Dynamic ADSL, Egypt)
213.179.193.132 (Solidhost, Netherlands)

twistedtarts.net
109.68.33.18 (Mesh Digital, UK)

BBB and AICPA spam / 110hobart.com

Two spam runs with essentially the same malicious payload..

Date:      Mon, 26 Feb 2012 12:30:50 +0100
From:      "BBB"
Subject:      BBB case ID 73773062
Attachments:     betterbb_logo.jpg

Attention: Owner/Manager

Here with the Better Business Bureau notifies you that we have been sent a complaint (ID 73773062) from your customer in regard to their dealership with you.

Please open the COMPLAINT REPORT below to obtain the details on this matter and inform us about your position as soon as possible.

We hope to hear from you shortly.

Regards,

Arnold Melendez

Dispute Counselor
Better Business Bureau


Council of Better Business Bureaus
4200 Wilson Blvd, Suite 800
Arlington, VA 22203-1838
Phone: 1 (703) 276.0100
Fax: 1 (703) 525.8277

Leading to 110hobart.com/main.php?page=f46555a4a5b80a04 and 110hobart.com/content/ap2.php?f=cc677, and also:

Date:      Mon, 26 Feb 2012 11:16:30 +0100
From:      "Adan Jordan"
Subject:      Tax return fraud notification.

You're receiving this notification as a Certified Public Accountant and a member of AICPA.
Having trouble reading this email? View it in your browser.

Revocation of Public Account Status due to tax return fraud accusations

Valued AICPA member,

We have received a notice of your recent involvement in income tax refund infringement on behalf of one of your clients. According to AICPA Bylaw Subsection 730 your Certified Public Accountant license can be cancelled in case of the act of filing of a false or fraudulent tax return on the member's or a client's behalf.

Please familiarize yourself with the notification below and respond to it within 21 days. The failure to respond within this time-frame will result in cancellation of your Accountant license.

Complaint.pdf

The American Institute of Certified Public Accountants.

Email: service@aicpa.org
Tel. 888.777.7077
Fax. 800.362.5066


Leading to 110hobart.com/content/ap2.php?f=cc677 and 110hobart.com/main.php?page=02876dd2afe89394 (a slightly different URL from before)

The IP address is a familiar one, 41.64.21.71, which is allegedly an ADSL subscriber in Cairo. This IP has been used in several attacks recently, so blocking it would be a really good idea.

Thursday, 23 February 2012

AICPA Spam / srsopen.net

Another fake spam email claiming to be from AICPA, but actually leading to malware, this time on srsopen.net.

Date:      Thu, 22 Feb 2012 11:29:29 +0100
From:      "Guadalupe Kessler"
Subject:      Fraudulent tax return assistance accusations.

You're receiving this message as a Certified Public Accountant and a member of AICPA.
Having trouble reading this email? View it in your browser.

Termination of CPA license due to income tax fraud allegations

Valued accountant officer,

We have received a complaint about your alleged participation in income tax infringement for one of your employers. According to AICPA Bylaw Subsection 765 your Certified Public Accountant license can be cancelled in case of the event of presenting of a incorrect or fraudulent tax return for your client or employer.

Please be notified below and respond to it within 21 days. The failure to respond within this term will result in cancellation of your Accountant license.

Complaint.pdf

The American Institute of Certified Public Accountants.

Email: service@aicpa.org
Tel. 888.777.7077
Fax. 800.362.5066

The malicious payload is at srsopen.net/main.php?page=78581944265196f1; as usual the first step is a legitimate hacked site. srsopen.net is hosted on two familiar IP addresses, 115.249.190.46 and 41.64.21.71, most recently seen here.

Wednesday, 22 February 2012

BBB Spam / energirans.net

Yet another malicious fake BBB spam run, this time with a malicious payload on the domain energirans.net.

Date:      Wed, 21 Feb 2012 11:21:48 +0100
From:      "BBB"
Subject:      Better Business Bureau complaint
Attachments:     betterbb_logo.jpg

Good afternoon,

Here with the Better Business Bureau would like to inform you that we have received a complaint (ID 15343433) from a customer of yours in regard to their dealership with you.

Please open the COMPLAINT REPORT below to view the details on this issue and suggest us about your position as soon as possible.

We hope to hear from you shortly.

Regards,

Rebecca Wilcox

Dispute Counselor
Better Business Bureau


Council of Better Business Bureaus
4200 Wilson Blvd, Suite 800
Arlington, VA 22203-1838
Phone: 1 (703) 276.0100
Fax: 1 (703) 525.8277

The link in the email goes to a legitimate hacked site and then via some obfuscated javascript to energirans.net/main.php?page=598991e7306ac07e where it attempts to infect the machine with the Blackhole Exploit kit.

energirans.net is hosted on 41.64.21.71 (Dynamic ADSL, Egypt) and 115.249.190.46 (Reliance Communication, India), which are the same IPs as found in this spam run. Blocking them is probably a very good idea.

Tuesday, 21 February 2012

AICPA Spam / thai4me.com

Another spam run allegedly from "The American Institute of Certified Public Accountants" (AICPA) leading to malware, this time with a malicious payload on the domain thai4me.com.

From: Guillermo Reed risk.manager@aicpa.org
Date: 20 February 2012 11:18
Subject: Income tax return fraud accusations.

You're receiving this notification as a Certified Public Accountant and a member of AICPA.
Having trouble reading this email? View it in your browser.

AICPA logo
Termination of CPA license due to income tax fraud allegations
Dear AICPA member,

We have received a complaint about your possible involvement in income tax return fraud  for one of your clients. According to AICPA Bylaw Paragraph 500 your Certified Public Accountant status can be terminated in case of the aiding of filing of a false or fraudulent tax return on the member's or a client's behalf.

Please be informed of the complaint below and respond to it within 14 days. The failure to provide the clarifications within this period will result in termination of your Accountant status.

Complaint.pdf


The American Institute of Certified Public Accountants.

Email: service@aicpa.org
Tel. 888.777.7077
Fax. 800.362.5066

=================

Date:      Tue, 20 Feb 2012 12:42:12 +0200
From:      "Devon Staley"
Subject:      Fraudulent tax return assistance accusations.

You're receiving this message as a Certified Public Accountant and a member of AICPA.
Having trouble reading this email? View it in your browser.

Termination of CPA license due to tax return fraud accusations

Valued AICPA member,

We have been notified of your alleged involvement in tax return fraud for one of your employees. According to AICPA Bylaw Subsection 765 your Certified Public Accountant license can be cancelled in case of the fact of submitting of a false or fraudulent income tax return for your client or employer.

Please find the complaint below below and provide your feedback to it within 21 days. The failure to provide the clarifications within this term will result in withdrawal of your Accountant license.

Complaint.doc

The American Institute of Certified Public Accountants.

Email: service@aicpa.org
Tel. 888.777.7077
Fax. 800.362.5066

=================

Date:      Tue, 20 Feb 2012 11:38:30 +0100
From:      "Ervin Witherspoon"
Subject:      Termination of your accountant license.

You're receiving this email as a Certified Public Accountant and a member of AICPA.
Having trouble reading this email? View it in your browser.

Termination of CPA license due to tax return fraud allegations

Dear AICPA member,

We have received a complaint about your recent assistance in income tax refund fraudulent activity on behalf of one of your employees. According to AICPA Bylaw Paragraph 765 your Certified Public Accountant license can be withdrawn in case of the event of submitting of a false or fraudulent income tax return on the member's or a client's behalf.

Please familiarize yourself with the notification below and provide your feedback to it within 7 days. The failure to provide the clarifications within this term will result in suspension of your Accountant license.

Complaint.doc

The American Institute of Certified Public Accountants.

Email: service@aicpa.org
Tel. 888.777.7077
Fax. 800.362.5066

The link leads through a legitimate hacked site to thai4me.com/main.php?page=7d486a09d440e84a which attempts to download a Java exploit. The domain thai4me.com is hosted on 41.64.21.71 (Dynamic ADSL, Egypt) and 115.249.190.46 (Reliance Communication, India). Those IPs also host other malicious sites, so blocking them is probably a good move.

Friday, 17 February 2012

freac.net is back with a BBB spam run

freac.net is a domain used by malicious spam email pretending to be from the BBB or NACHA, as in this example. In that case, freac.net was apparently hosted on an IP belonging to Huawei in the US, but shortly afterwards it went non-resolving.

Well, freac.net is back and so is the spam promoting it.. e.g.

Date:      Fri, 16 Feb 2012 14:30:35 +0530
From:      "BBB"
Subject:      BBB case ID 28764441
Attachments:     betterbb_logo.jpg

Hello,

Here with the Better Business Bureau would like to notify you that we have received a complaint (ID 28764441) from a customer of yours related to their dealership with you.

Please open the COMPLAINT REPORT below to find more information on this case and let us know of your position as soon as possible.

We are looking forward to hearing from you.

Regards,

Carlos Baxter

Dispute Counselor
Better Business Bureau


Council of Better Business Bureaus
4200 Wilson Blvd, Suite 800
Arlington, VA 22203-1838
Phone: 1 (703) 276.0100
Fax: 1 (703) 525.8277

===========

Date:      Fri, 16 Feb 2012 14:26:31 +0530
From:      "BBB"
Subject:      BBB complaint processing
Attachments:     betterbb_logo.jpg

Attention: Owner/Manager

Here with the Better Business Bureau would like to notify you that we have been sent a complaint (ID 78067910) from a customer of yours related to their dealership with you.

Please open the COMPLAINT REPORT below to obtain more information on this case and inform us about your opinion as soon as possible.

We are looking forward to hearing from you.

Faithfully,

Theresa Morris

Dispute Counselor
Better Business Bureau


Council of Better Business Bureaus
4200 Wilson Blvd, Suite 800
Arlington, VA 22203-1838
Phone: 1 (703) 276.0100
Fax: 1 (703) 525.8277

Currently freac.net is hosted on 46.4.226.18 and 41.64.21.71; the first is a server rented from Hetzner in Germany, and oddly the second is an ADSL line in Cairo.

Anyway, blocking those IPs will stop any further infections from them. A Wepawet report for this infection is here.