Showing posts sorted by relevance for query endurance international.

Tuesday, 31 January 2012

NACHA Spam / sulusate.com

More NACHA spam leading to a malicious payload:

Date: 31 January 2012 22:55
Subject: ACH transaction fault

The ACH transaction ID: 415864020375, that had been effectuated from your banking account lately, was rejected by the the bank of the recipient.

ACH transfer declined
Transaction ID:     415864020375
Details:     please see the report below for details
Transaction Report     report_415864020375.doc (Microsoft Word Document)

13450 Sunrise Valley Drive, Suite 100
Herndon, VA 20171

2011 NACHA - The Electronic Payments Association

This leads to a malicious payload at sulusate.com/search.php?page=977334ca118fcb8c, hosted on 209.59.220.98 (Endurance International Group, US). A Wepawet report for the malicious page is here.

Blocking the IP will prevent other malicious sites on the same server from doing their stuff. Endurance International has hosted several such malicious sites recently.

Friday, 23 March 2012

"USPS postage labels invoice" spam / indigocellular.com and jadecellular.com

This fake USPS message leads to malware on indigocellular.com:

From:     Elmer Cross USPS_Shipping_Info@usps.com
Date:     23 March 2012 13:42
Subject:     USPS postage labels invoice.

Acct #: 5047483

Dear client:

This is an email confirmation for your order of 1 online shipping label(s) with postage. Your credit card will be charged the following amount:

Transaction ID: #1412337
Print Date/Time: 03/11/2012 02:30 AM CST
Postage Amount: $35.74
Credit Card Number: XXXX XXXX XXXX XXXX

Priority Mail Regional Rate Box B # 0583  1282  5071  3122  8696  (Sequence Number 1 of 1)

If you need further assistance, please log on to www.usps.com/clicknship and go to your Shipping History or visit our Frequently Asked Questions .

Refunds for unused postage-paid labels can be requested online up to 7 days after the print date by logging on to your Click-N-Ship Account.

Thank you for choosing the United States Postal Service

Click-N-Ship: The Online Shipping Solution

Click-N-Ship has just made on line shipping with the USPS even better.

New Enhanced International Label and Customs Form: Updated Look and Easy to Use!

* * * * * * * *

This is an automatically generated message. Please do not respond 

The malicious payload is on indigocellular.com/showthread.php?t=73a07bcb51f4be71 hosted on 209.59.218.102 (Endurance International, US). Blocking the IP will prevent other malware on the IP from being a threat.

Update: another current version of this spam redirects to jadecellular.com/showthread.php?t=73a07bcb51f4be71 on 72.249.104.75 (Networld Internet, US).

Friday, 22 July 2016

Marketing1.net spam: "We are giving you all our European databases before we close"

I recently noted that the spammers at Marketing1.net were at it again, but despite assurances from their host Coreix that they had been suspended, they continue to send out spam, this time in French.

From:    Audrey Martin [info@mapps-fr.net] via bnc3.mailjet.com
Date:    22 July 2016 at 09:10
Subject:    Nous vous offrons toutes nos bases de données européennes avant de fermer
Signed by:    bnc3.mailjet.com

Dear Manager,

We are taking the liberty of contacting you because you have visited our website in the past. As you may already know, we have developed the largest business directories on CD in Europe. The software supplied with the directories lets users perform unlimited searches by business sector, location, revenue bracket or job function, and export the results to Excel.

Over the past few years, thousands of businesses across Europe have used our applications to generate targeted lists for successful prospecting campaigns. We have decided to withdraw our products from the market because keeping the data up to date is too expensive.

Before closing, we have decided, as a final gesture, to offer you something unimaginable.

We have decided to give you all of our European databases. This represents access to millions of businesses across Europe. If you wish to grow your business abroad now or in the future, this is an exceptional gift.

We are offering you the following 7 applications:

1) Marketing1 France 2016: 5 million French businesses. 650,000 businesses with email. Unlimited export.
2) Top Managers France 2015: 35,000 senior executives at the largest companies in France. Email supplied with each record. Full database supplied in Excel format.

3) Marketing1 UK 2016 (in English): 5.8 million British businesses. 800,000 businesses with email. Unlimited export.
4) Top Managers UK 2015: 30,000 senior executives at the largest companies in the United Kingdom. Email supplied with each record. Full database supplied in Excel format.

5) Marketing1 Belgium 2015 (in English): 1.8 million Belgian businesses. 500,000 businesses with email. Unlimited export.

6) Marketing1 Germany 2016 (in German): 5 million German businesses. 1.7 million businesses with email. Unlimited export.
7) Top Managers Germany 2015: 50,000 senior executives at the largest companies in Germany. Email supplied with each record. Full database supplied in Excel format.

The value of all these databases is around 5000 euros. We are offering you the whole lot for a token price of 49 euros. You only have to pay 49 euros and you will get all the applications above. The offer ends today at 5 pm.

You will have immediate access to a download page from which you can download all the applications. The download page will stay online for six months (so that you can download them at a later date if you wish).

How to order. Free samples.
Click here to access the offer page. The page contains the links to all the sites. You can download free samples of all the applications from the same page.

The offer ends today at 5 pm. Don't miss it.

I hope I have not taken up too much of your precious time, and I wish you every success.

Best regards,

Audrey Martin
Marketing1 Team

Unsubscribe:
Please click here if you no longer wish to receive emails from us

M1 Solutions. 152 City Road, London EC1V 2NX

The link in the email goes to marketing1.site hosted on 66.96.161.163 (Endurance International Group, US) and then redirects to a landing page at marketing1apps.net on 89.187.85.8 (Coreix, UK) which is just a gateway to marketing1.net on that same IP. The email comes from 87.253.234.168, a Mailjet IP in France.

As I mentioned previously, Marketing1.net are always having a closing down sale (but never close down) and if their sample data is anything to go by, it is complete crap. That's in addition to spamming domain contacts. Avoid.

Friday, 10 January 2014

Marketing1.net spam

These spammers sent their sales pitch to a random info@ email address on an unused domain I use. And what are they selling? Email marketing lists.. well, if they used their own mailing list for this then it is obviously crap.

From:     Audrey Martin [info@globalcrm-eu.net]
Reply-To:     info@globalcrm-eu.net
Date:     10 January 2014 07:32
Subject:     Happy New Year! - Followup to our last offer

Dear Madam, Dear Sir

Everyone in our team would like you wish you a happy and successful new year 2014! To help make this year even better for you, we have decided to give 20'000 free business contacts to the first 200 people visiting our website this morning! You don't have to buy anything. You can just visit our website and download the free business contacts!

Over the last year, we have helped hundreds of businesses like yours find new customers and achieve growth by using our highly targeted business database on CD. Our database, available for download from our website, is the only one on the market which includes targeted info on over 5 million Businesses in the UK.

Last December, we decided to take our Business Database CD off the market after a last sale because the cost to update the database regularly had become too high and we want to concentrate on the development of new products.

A lot of businesses since then, requested us to renew our last sale after its discontinuation. Not only have we decided to renew our last offer for a period of 8 hours (until 4PM this afternoon) before finally taking the database off the market, but we have decided to give to the first 200 people visiting our website this morning 20'000 free business contacts.

Here is a quick reminder of what is offered in our Business Database CD:

- 5 million Businesses in the UK selectable by Industry/Location/Company Size/Premises type/Job title
- Over 300,000 Businesses with email addresses
- 4 million named Decision Makers available by job function
- Unlimited export to .CSV or Excel
- Updated in October

We have decided to give you a last opportunity to get your hands on the database, as we are convinced it can dramatically help your business. We are offering to the first 100 customers placing their order today before 4PM, an unrestricted version of the database with unlimited export capabilities (as opposed to the standard version which has a limit of 50'000 exports) - and this, for a substantially reduced price of £199 instead of £498!  This will end at 4PM today, so don't miss it because some your competitors won't!


20'000 Free Business Contacts

We are so confident that the extensive data can help your business that we are giving away a free sample with 20'000 Business contacts to the first 200 people visiting our website this morning. This allows you to evaluate the quality of the data before completing your purchase. Visit our website to download the free sample and jumpstart your business!

To download the free sample, to get more infos or place your order, click here to visit our website

To your success in 2014 and beyond,

Audrey Martin
Marketing Solutions

Unsubscribe: Click here if you do not want to receive any further emails from us

This is a service from Marketing Solutions

Powered by Hairyspire

The link in the email goes to a domain globalcrm-eu.net on 217.147.82.106 (Iomart, UK), which is also the server sending the spam. The domain is registered with incomplete WHOIS details to mask the sender's identity. From there the victim is sent to m1databases-uk.net on a shared server at 66.96.161.162 (Endurance International Group, US), also with incomplete WHOIS records, until they end up on the main site at marketing1.net hosted at 89.187.86.69 (Coreix, UK). The WHOIS details for this last one are inconclusive:

Domain Name: MARKETING1.NET
Registry Domain ID: 91418733_DOMAIN_NET-VRSN
Creation Date: 2002-10-21 18:13:12Z
Registrar Registration Expiration Date: 2014-10-21 18:13:12Z
Registrar: ENOM, INC.
Registrar Abuse Contact Email: abuse@enom.com
Registrar Abuse Contact Phone: +1.4252744500
Domain Status: clientTransferProhibited
Registry Registrant ID:
Registrant Name: MARKETING SOLUTIONS
Registrant Organization: -
Registrant Street: 152 CITY ROAD
Registrant City: LONDON
Registrant State/Province: LONDON
Registrant Postal Code: EC1V 2NX
Registrant Country: GB

Registrant Phone: +1.20814497
Registrant Phone Ext: 
Registrant Fax: 
Registrant Fax Ext:
Registrant Email: MAIL@MARKETING1.NET
Registry Admin ID: 
Admin Name: MARKETING SOLUTIONS
Admin Organization: -
Admin Street: 152 CITY ROAD
Admin City: LONDON
Admin State/Province: LONDON
Admin Postal Code: EC1V 2NX
Admin Country: GB
Admin Phone: +1.2081449762
Admin Phone Ext: 
Admin Fax: 
Admin Fax Ext:
Admin Email: MAIL@MARKETING1.NET
Registry Tech ID: 
Tech Name: MARKETING SOLUTIONS
Tech Organization: -
Tech Street: 152 CITY ROAD
Tech City: LONDON
Tech State/Province: LONDON
Tech Postal Code: EC1V 2NX
Tech Country: GB
Tech Phone: +1.2081449762
Tech Phone Ext: 
Tech Fax: 
Tech Fax Ext: 
Tech Email: MAIL@MARKETING1.NET
Name Server: NS10.DNSMADEEASY.COM
Name Server: NS11.DNSMADEEASY.COM
Name Server: NS12.DNSMADEEASY.COM
Name Server: NS13.DNSMADEEASY.COM
DNSSEC: unSigned
Last update of WHOIS database: 2013-10-22 09:22:28Z

This address is an accommodation address that serves hundreds of different companies. I cannot find a trace of a company called Marketing1 or Marketing Solutions registered to this address at Companies House.

The marketing1.net website looks slick enough..

But again it give no real indication as to who owns or runs the company anywhere. The only contact details are as follows:

Marketing1
152 City Road
UK - London EC1V 2NX

Tel: +44 208 144 9762
email: contact@marketing1.net

The 89.187.86.69 server also contains a number of other related domains with fake or incomplete WHOIS details:

You should never buy anything promoted through spam, and it is especially important not to buy email lists in this way. You (as the sender) will end up with the legal liability for anything that you do, but Marketing1 masks whoever is the true owner.. so good luck with ever finding that out (I suspect they are not based in the UK at all). Avoid.

UPDATE 2014-05-09: these grubby spammers are at it again, using the domain m1-datacrmeu.net to mask their true domain. I took a look at these "20'000" free records, and the ones I checked were laughably out-of-date. No wonder the database is so cheap!

Wednesday, 6 November 2013

"Invoice 17731 from Victoria Commercial Ltd" spam leads to DOC exploit

This fake invoice email leads to a malicious Word document:

From: Dave Porter [mailto:dave.porter@blueyonder.co.uk]
Sent: 06 November 2013 12:06
To: [redacted]
Subject: Invoice 17731 from Victoria Commercial Ltd

Dear Customer :

Your invoice is attached to the link below:
[donotclick]http://www.vantageone.co.uk/invoice17731.doc
Please remit payment at your earliest convenience.

Thank you for your business - we appreciate it very much.

Sincerely,

Victoria Commercial Ltd

The email originates from bosmailout13.eigbox.net [66.96.186.13], which belongs to the Endurance International Group in the US. The malicious .DOC file is hosted at [donotclick]www.vantageone.co.uk/invoice17731.doc, which appears to be a hacked legitimate web site.

Detection rates have continued to improve throughout the day and currently stand at 10/47. The vulnerability in use is CVE-2012-0158 / MS12-027. If your Word installation is up-to-date and fully patched then it should block this attack.

A sandbox analysis confirms that it is malicious, in particular it connects to 158.255.2.60 (Mir Telematiki Ltd, Russia) and the following domains:
feed404.dnsquerys.com
feeds.nsupdatedns.com

It is the same attack as described by Blaze's Security Blog and I would advise you to look at that posting for more details. In the meantime, here is a recommended blocklist:

Friday, 17 May 2013

Newegg.com spam / balckanweb.com

This fake Newegg.com spam leads to malware:

Date:      Fri, 17 May 2013 10:29:20 -0600 [12:29:20 EDT]
From:      Newegg [info@newegg.com]
Subject:      Newegg.com - Payment Charged
Priority:      High Priority 1



Customer ID: [redacted]
Account Number: 23711731
Dear Customer,

Thank you for shopping at Newegg.com.

We are happy to inform you that your order (Sales Order Number: 97850177) has been successfully charged to your AMEX and order verification is now complete.

If you have any questions, please use our LiveChat function or visit our Contact Us Page.

Once You Know, You Newegg.

Your Newegg.com Customer Service Team


ONCE YOU KNOW, YOU NEWEGG.®
Policy and Agreement | Privacy Policy | Confidentiality Notice
Newegg.com, 9997 Rose Hills Road, Whittier, CA. 90601-1701 | © 2000-2013 Newegg Inc. All rights reserved.

In the version I have the link doesn't work, but I believe that it goes to [donotclick]balckanweb.com/news/unpleasant-near_finally-events.php (report here) hosted or having nameservers on the following IPs:
5.231.24.162 (GHOSTnet, Germany)
71.107.107.11 (Verizon, US)
108.5.125.134 (Verizon, US)
198.50.169.2 (OVH, Canada)
198.61.147.58 (Matt Martin Real Estate Management / Rackspace, US)
209.59.223.119 (Endurance International Group, US)

The domains and IPs indicate that this is part of the "Amerika" spam run.

Blocklist (including nameservers):

Thursday, 28 March 2013

Facebook spam / ipiniadto.ru

The email address says Filestube. The message says Facebook. This can't be good.. and in fact this message just leads to malware on ipiniadto.ru:

Date:      Thu, 28 Mar 2013 04:58:33 +0600 [03/27/13 18:58:33 EDT]
From:      FilesTube [filestube@filestube.com]
Subject:      You have notifications pending

facebook
Hi,
Here's some activity you may have missed on Facebook.
BERTIE Goldstein has posted statuses, photos and more on Facebook.
Go To Facebook
See All Notifications
This message was sent to [redacted]. If you don't want to receive these emails from Facebook in the future or have your email address used for friend suggestions, please click: unsubscribe.
Facebook, Inc. Attention: Department 415 P.O Box 10005 Palo Alto CA 94303

The malicious payload is at [donotclick]ipiniadto.ru:8080/forum/links/column.php (report here) hosted on the same IPs as used in this attack:

66.249.23.64 (Endurance International Group, US)
69.46.253.241 (RapidDSL & Wireless, US)
140.114.75.84 (TANET, Taiwan)

Blocklist:


"Scan from a Xerox W. Pro" spam / ilianorkin.ru

This fake printer spam leads to malware on ilianorkin.ru:

From: officejet@[victimdomain]
Sent: 27 March 2013 08:35
Subject: Fwd: Fwd: Scan from a Xerox W. Pro #589307

A Document was sent to you using a XEROX WorkJet PRO 481864299.

SENT BY : Omar
IMAGES : 9
FORMAT (.JPEG) DOWNLOAD

The malicious payload is at [donotclick]ilianorkin.ru:8080/forum/links/column.php (report here) hosted on:

66.249.23.64 (Endurance International Group, US)
69.46.253.241 (RapidDSL & Wireless, US)
140.114.75.84 (TANET, Taiwan)

Blocklist:

Wednesday, 27 March 2013

"British Airways E-ticket receipts" spam / illuminataf.ru

This fake airline ticket spam leads to malware on illuminataf.ru:


Date:      Wed, 27 Mar 2013 03:23:05 +0100
From:      "Xanga" [noreply@xanga.com]
Subject:      British Airways E-ticket receipts
Attachments:     E-Ticket-Receipt.htm

e-ticket receipt
Booking reference: JQ15191488
Dear,

Thank you for booking with British Airways.

Ticket Type: e-ticket
This is your e-ticket receipt. Your ticket is held in our systems, you will not receive a paper ticket for your booking.

Your itinerary is attached (Internet Exlplorer/Mozilla Firefox file)


Yours sincerely,

British Airways Customer Services

British Airways may monitor email traffic data and also the content of emails, where permitted by law, for the purposes of security and staff training and in order to prevent or detect unauthorised use of the British Airways email system.

British Airways Plc is a public limited company registered in England and Wales. Registered number: 51298446. Registered office: Waterside, PO Box 365, Harmondsworth, West Drayton, Middlesex, England, UB7 0GB.

How to contact us
Although we are unable to respond to individual replies to this email we have a comprehensive section that may help you if you have a question about your booking or travelling with British Airways.


If you require further assistance you may contact us

If you have received this email in error
This is a confidential email intended only for the British Airways Customer appearing as the addressee. If you are not the intended recipient please delete this email and inform the snder as soon as possible. Please note that any copying, distribution or other action taken or omitted to be taken in reliance upon it is prohibited and may be unlawful.

The attachment E-Ticket-Receipt.htm (which has a poor detection rate) leads to a malicious payload at [donotclick]illuminataf.ru:8080/forum/links/column.php (report here) hosted on:
66.249.23.64 (Endurance International Group, US)
69.46.253.241 (RapidDSL & Wireless, US)
223.4.209.134 (Alibaba (China) Technology Co, China)

Blocklist:

Tuesday, 26 March 2013

Wire Transfer spam / hondatravel.ru

This fake Wire Transfer spam leads to malware on hondatravel.ru:

From: messages-noreply@bounce.linkedin.com [mailto:messages-noreply@bounce.linkedin.com] On Behalf Of LinkedIn
Sent: 26 March 2013 11:52
Subject: Re: Wire Transfer Confirmation (FED_4402D79813)

Dear Bank Account Operator,
WIRE TRANSFER: FED68081773954793456
CURRENT STATUS: PENDING

Please REVIEW YOUR TRANSACTION as soon as possible.

The malicious payload is at [donotclick]hondatravel.ru:8080/forum/links/column.php (report here) hosted on:

66.249.23.64 (Endurance International Group, US)
69.46.253.241 (RapidDSL & Wireless, US)

These IPs were seen earlier with this attack.

eFax Corporate spam / hjuiopsdbgp.ru

This fake eFax spam leads to malware on hjuiopsdbgp.ru:

Date:      Tue, 26 Mar 2013 06:23:36 +0800
From:      LinkedIn [welcome@linkedin.com]
Subject:      Efax Corporate
Attachments:     Efax_Pages.htm



Fax Message [Caller-ID: 378677295]

You have received a 59 pages fax at Tue, 26 Mar 2013 06:23:36 +0800, (954)-363-5285.

* The reference number for this fax is [eFAX-677484317].

View attached fax using your Internet Browser.


© 2013 j2 Global Communications, Inc. All rights reserved.
eFax ® is a registered trademark of j2 Global Communications, Inc.

This account is subject to the terms listed in the eFax ® Customer Agreement.

The attachment Efax_Pages.htm leads to a malicious payload at [donotclick]hjuiopsdbgp.ru:8080/forum/links/column.php (report here) hosted on the following IPs:
66.249.23.64 (Endurance International Group, US)
69.46.253.241 (RapidDSL & Wireless, US)
95.211.154.196 (Leaseweb, Netherlands)

Blocklist:


Monday, 25 March 2013

"Scan from a HP ScanJet" spam / humaniopa.ru

This fake printer spam leads to malware on humaniopa.ru:

Date:      Mon, 25 Mar 2013 03:57:54 -0500
From:      LinkedIn Connections [connections@linkedin.com]
Subject:      Scan from a HP ScanJet #928909620
Attachments:     Scanned_Document.htm

Attached document was scanned and sent

to you using a Hewlett-Packard HP Officejet 98278P.

Sent by: CHANG
Images : 5
Attachment Type: .HTM [INTERNET EXPLORER]

Hewlett-Packard Officejet Location: machine location not set

The attachment Scanned_Document.htm leads to malware on [donotclick]humaniopa.ru:8080/forum/links/column.php (report here) hosted on:
66.249.23.64 (Endurance International Group, US)
72.11.155.182 (OC3 Networks, US)
72.167.254.194 (GoDaddy, US)
95.211.154.196 (Leaseweb, Netherlands)

Blocklist:


Friday, 22 March 2013

Changelog spam / hohohomaza.ru

Evil changelog spam episode 274, leading to malware on hohohomaza.ru. Hohoho indeed.

Date:      Fri, 22 Mar 2013 11:06:48 -0430
From:      Hank Sears via LinkedIn [member@linkedin.com]
Subject:      Fwd: Changelog as promised (upd.)

Hello,

as promised changelog - View

L. HENDRICKS

The malware landing page is at [donotclick]hohohomaza.ru:8080/forum/links/column.php (report here) hosted on:
50.22.0.2 (Softlayer / Monday Sessions Media, US)
66.249.23.64  (Endurance International Group, US)
80.246.62.143 (Alfahosting / Host Europe, Germany)

Blocklist:

Changelog spam / hillairusbomges.ru

This fake changelog spam leads to malware on hillairusbomges.ru:

Date:      Thu, 21 Mar 2013 03:01:59 -0500 [04:01:59 EDT]
From:      LinkedIn Email Confirmation [emailconfirm@linkedin.com]
Subject:      Re: Changelog Oct.

Good morning,
as prmised updated changelog - View

L. LOYD

The malicious payload is at [donotclick]hillairusbomges.ru:8080/forum/links/column.php (report here) hosted on:
50.22.0.2 (Softlayer / Monday Sessions Media, US)
66.249.23.64 (Endurance International Group, US)
188.165.202.204 (OVH, France)

Blocklist:

Friday, 15 March 2013

RU:8080 Malware sites to block 15/3/13

These seem to be the currently active IPs and domains being used by the RU:8080 gang. Of these the domain gilaogbaos.ru seems to be very active this morning. Block 'em if you can:


For the record, these are the registrars either hosting the domains or offering support services. It is possible that some have been taken down already.
5.9.40.136 (Hetzner, Germany)
41.72.150.100 (Hetzner, South Africa)
50.116.23.204 (Linode, US)
66.249.23.64 (Endurance International Group, US)
94.102.14.239 (Netinternet, Turkey)
212.180.176.4 (Supermedia, Poland)
213.215.240.24 (COLT, Italy)

Monday, 11 March 2013

Wire Transfer spam / giminanvok.ru

Another wire transfer spam, this time leading to malware on giminanvok.ru:

Date:      Mon, 11 Mar 2013 02:46:19 -0300 [01:46:19 EDT]
From:      LinkedIn Connections [connections@linkedin.com]
Subject:      Fwd: Wire Transfer (5600LJ65)

Dear Bank Account Operator,


WIRE TRANSFER: FED694760330367340
CURRENT STATUS: PENDING

Please REVIEW YOUR TRANSACTION as soon as possible.

The malicious payload is at [donotclick]giminanvok.ru:8080/forum/links/column.php (report pending) hosted on the same IPs used earlier today:
5.9.40.136 (Hetzner, Germany)
66.249.23.64 (Endurance International Group, US)
94.102.14.239 (Netinternet, Turkey)

I strongly recommend that you block access to these IPs if you can.


Wire Transfer spam / gimikalno.ru

This fake wire transfer spam leads to malware on gimikalno.ru:

Date:      Mon, 11 Mar 2013 04:00:22 +0000 [00:00:22 EDT]
From:      Xanga [noreply@xanga.com]
Subject:      Re: Fwd: Wire Transfer Confirmation (FED REFERENCE 16442CU385)

Dear Bank Account Operator,
WIRE TRANSFER: FED62403611378975648
CURRENT STATUS: PENDING

Please REVIEW YOUR TRANSACTION as soon as possible.

The malicious payload is at [donotclick]gimikalno.ru:8080/forum/links/column.php (report here) hosted on:

5.9.40.136 (Hetzner, Germany)
66.249.23.64 (Endurance International Group, US)
94.102.14.239 (Netinternet, Turkey)

Blocklist:

Tuesday, 19 February 2013

UPS Spam / emmmhhh.ru

The spammers sending this stuff out always confuse UPS with USPS, and this one is no exception, although on balance it is more UPS than USPS.. anyway, it leads to malware on emmmhhh.ru:

From: messages-noreply@bounce.linkedin.com [mailto:messages-noreply@bounce.linkedin.com] On Behalf Of Valda Gill via LinkedIn
Sent: 19 February 2013 10:00
Subject: United Postal Service Tracking Nr. H9878032462

You can use UPS .COM to:
 Ship Online
 Schedule a Pickup
 Open a UPS .COM Account

Welcome to UPS Team
Hi, [redacted].

DEAR CUSTOMER , We were not able to delivery the post package

PLEASE PRINT OUT THE INVOICE COPY ATTACHED AND COLLECT THE PACKAGE AT OUR DEPARTMENT.

With best regards , UPS Customer Services.    


    ________________________________________
Copyright 2011 United Parcel Service of America, Inc. Your USPS .us Customer Services, the Your USPS Team brandmark, and the color brown are trademarks of United Parcel Service of America, Inc. All rights reserved.
Please do not reply directly to this e-mail. USPS .us Customer Services will not receive any reply message. For questions or comments, visit Contact UPS.
We understand the importance of privacy to our customers. For more information, please consult the Your USPS Customer Services Privacy Policy.
This communication contains proprietary information and may be confidential. If you are not the intended recipient, the reading, copying, disclosure or other use of the contents of this e-mail is strictly prohibited and you are instructed to please delete this e-mail immediately.

There is an attachment UPS_ID5408466.htm which attempts to direct visitors to [donotclick]emmmhhh.ru:8080/forum/links/column.php hosted on:

50.31.1.104 (Steadfast Networks, US)
66.249.23.64 (Endurance International, US)
195.210.47.208 (PS Internet Company, Kazakhstan)

The following IPs and domains are all malicious and should be blocked:


Thursday, 5 April 2012

US Airways Spam / 209.59.218.94

Another US Airways spam, malformed this time, pointing to malware on 209.59.218.94.

Date:      Thu, 5 Apr 2012 14:10:48 +0000
From:      "US Airways - Reservations" [usair@myusairways.com]
Subject:      Confirm your US airways online reservation.


you {l2} check in from 24 hours and up to 60 minutes before your flight (2 hours if you're flying {l3}). {l4}, all you {l5} to do is print your boarding pass and {l6} to the gate.

confirmation code: {digit}

check-in online: online reservation details

flight

{digit}   
departure city and time

washington, dc (dca) 10:00pm

depart date: 4/5/2012   


we are committed to protecting your privacy. your information is kept private and confidential. for information about our privacy policy visit usairways.com.

us airways, 111 w. rio salado pkwy, tempe, az 85281 , copyright us airways , all rights reserved.


The malicious payload is at 209.59.218.94/showthread.php?t=73a07bcb51f4be71 (report here). This is hosted by Endurance International in the US.

Thursday, 22 March 2012

LinkedIn Spam / cyancellular.com and browncellular.com

Another load of LinkedIn Spam is doing the rounds, this time the payload is at cyancellular.com/showthread.php?t=73a07bcb51f4be71 hosted on 209.59.217.78 (Endurance International, US) and also browncellular.com/showthread.php?t=d7ad916d1c0396ff hosted on 174.140.168.207 (Directspace, US).

Be on the lookout for other domains of a similar pattern; if you know of more then please consider adding a comment.. thanks!

Update: indigocellular.com is also part of this same pattern.
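As an added example (not part of the original posts), the Python script below scans proxy-log lines for the two URL shapes quoted across these posts, the showthread.php?t=<16 hex chars> links of the *cellular.com run and the .ru:8080/forum/links/column.php links of the RU:8080 run, and then pivots on the reused t= token, which is what ties indigocellular.com, jadecellular.com, cyancellular.com and 209.59.218.94 together above. The log layout, timestamps and client addresses are constructed assumptions; only the hosts and tokens come from the posts.

```python
import re
from urllib.parse import urlsplit, parse_qs

# URL shapes quoted in the posts above (patterns only, nothing is fetched).
SHOWTHREAD_PATH = "/showthread.php"       # e.g. cyancellular.com/showthread.php?t=73a07bcb51f4be71
HEX16_RE = re.compile(r"^[0-9a-f]{16}$")  # the t= token seen on the page is 16 lowercase hex chars
RU8080_PATH = "/forum/links/column.php"   # e.g. hohohomaza.ru:8080/forum/links/column.php
RU8080_PORT = 8080

# Constructed sample in a squid-like layout: timestamp client status method url.
# Hosts and tokens are the ones quoted in the posts; clients and timestamps are made up.
SAMPLE_LOG = """\
1332427200.123 10.0.0.5 TCP_MISS/200 GET http://cyancellular.com/showthread.php?t=73a07bcb51f4be71
1332427201.456 10.0.0.7 TCP_MISS/200 GET http://www.example.org/showthread.php?t=1234
1332427300.000 10.0.0.5 TCP_MISS/200 GET http://jadecellular.com/showthread.php?t=73a07bcb51f4be71
1333634400.000 10.0.0.8 TCP_MISS/200 GET http://209.59.218.94/showthread.php?t=73a07bcb51f4be71
1363956000.789 10.0.0.9 TCP_MISS/200 GET http://hohohomaza.ru:8080/forum/links/column.php
1363956001.000 10.0.0.9 TCP_MISS/200 GET http://www.example.net/forum/links/column.php
1363956002.000 10.0.0.3 TCP_MISS/200 GET http://browncellular.com/showthread.php?t=d7ad916d1c0396ff
"""


def classify_url(url):
    """Return a label when the URL matches one of the two shapes, else None."""
    parts = urlsplit(url)
    try:
        port = parts.port  # raises ValueError on a malformed port such as host:abc
    except ValueError:
        port = None
    if parts.path == SHOWTHREAD_PATH:
        token = parse_qs(parts.query).get("t", [""])[0]
        if HEX16_RE.match(token):
            return "showthread-hex-token"
    if port == RU8080_PORT and parts.path == RU8080_PATH:
        return "ru8080-column"
    return None


def scan_log(text):
    """Return (client, host, token, label) for every flagged log line."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue  # skip blank or malformed lines
        client, url = fields[1], fields[4]
        label = classify_url(url)
        if label is None:
            continue
        parts = urlsplit(url)
        token = parse_qs(parts.query).get("t", [None])[0]
        hits.append((client, parts.hostname, token, label))
    return hits


def pivot_by_token(hits):
    """Group flagged hosts by t= token: one token on several hosts marks one campaign."""
    groups = {}
    for _client, host, token, _label in hits:
        if token:
            groups.setdefault(token, set()).add(host)
    return {token: sorted(hosts) for token, hosts in groups.items()}


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for client, host, token, label in found:
        print(f"{label:22} client={client:10} host={host} t={token}")
    for token, hosts in pivot_by_token(found).items():
        print(f"token {token} seen on: {', '.join(hosts)}")
```

The token pivot is the useful part: a new domain that shows up with an already-known t= value can be added to the blocklist before any sandbox report confirms it.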