
Thursday 28 March 2013

Facebook spam / ipiniadto.ru

The email address says Filestube. The message says Facebook. This can't be good.. and in fact this message just leads to malware on ipiniadto.ru:

Date:      Thu, 28 Mar 2013 04:58:33 +0600 [03/27/13 18:58:33 EDT]
From:      FilesTube [filestube@filestube.com]
Subject:      You have notifications pending

facebook
Hi,
Here's some activity you may have missed on Facebook.
BERTIE Goldstein has posted statuses, photos and more on Facebook.
Go To Facebook
   
See All Notifications
This message was sent to [redacted]. If you don't want to receive these emails from Facebook in the future or have your email address used for friend suggestions, please click: unsubscribe.
Facebook, Inc. Attention: Department 415 P.O Box 10005 Palo Alto CA 94303

The malicious payload is at [donotclick]ipiniadto.ru:8080/forum/links/column.php (report here) hosted on the same IPs as used in this attack:

66.249.23.64 (Endurance International Group, US)
69.46.253.241 (RapidDSL & Wireless, US)
140.114.75.84 (TANET, Taiwan)

Blocklist:


Friday 22 March 2013

Changelog spam / hohohomaza.ru

Evil changelog spam episode 274, leading to malware on hohohomaza.ru. Hohoho indeed.

Date:      Fri, 22 Mar 2013 11:06:48 -0430
From:      Hank Sears via LinkedIn [member@linkedin.com]
Subject:      Fwd: Changelog as promised (upd.)

Hello,

as promised changelog - View

L. HENDRICKS

The malware landing page is at [donotclick]hohohomaza.ru:8080/forum/links/column.php (report here) hosted on:
50.22.0.2 (Softlayer / Monday Sessions Media, US)
66.249.23.64  (Endurance International Group, US)
80.246.62.143 (Alfahosting / Host Europe, Germany)

Blocklist:

Friday 22 July 2016

Marketing1.net spam: "Nous vous offrons toutes nos bases de données européennes avant de fermer" ("We are offering you all our European databases before closing down")

I recently noted that the spammers at Marketing1.net were at it again, but despite assurances from their host Coreix that they had been suspended, they continue to send out spam. This time in French.

From:    Audrey Martin [info@mapps-fr.net] via bnc3.mailjet.com
Date:    22 July 2016 at 09:10
Subject:    Nous vous offrons toutes nos bases de données européennes avant de fermer
Signed by:    bnc3.mailjet.com

Dear Manager,

We are taking the liberty of contacting you because you visited our website in the past. As you may already know, we have developed the largest business directories on CD in Europe. The software supplied with the directories lets users run unlimited searches by industry, location, revenue band or job function, and export the results to Excel.

Over the past few years, thousands of businesses across Europe have used our applications to generate targeted lists for successful prospecting campaigns. We have decided to withdraw our products from the market because updating the data is too expensive.

Before closing down, we have decided, as a final gesture, to offer you something unimaginable.

We have decided to give you all our European databases. That represents access to millions of companies across Europe. If you want to expand your business abroad now or in the future, this is an exceptional gift.

We are offering you the following 7 applications:

1) Marketing1 France 2016: 5 million French companies. 650'000 companies with email. Unlimited export.
2) Top Managers France 2015: 35'000 senior executives at the largest companies in France. Email provided with each record. Complete database supplied in Excel format.

3) Marketing1 UK (United Kingdom) 2016 (in English): 5.8 million British companies. 800'000 companies with email. Unlimited export.
4) Top Managers UK (United Kingdom) 2015: 30'000 senior executives at the largest companies in the United Kingdom. Email provided with each record. Complete database supplied in Excel format.

5) Marketing1 Belgium 2015 (in English): 1.8 million Belgian companies. 500'000 companies with email. Unlimited export.

6) Marketing1 Germany 2016 (in German): 5 million German companies. 1.7 million companies with email. Unlimited export.
7) Top Managers Germany 2015: 50'000 senior executives at the largest companies in Germany. Email provided with each record. Complete database supplied in Excel format.


The value of all these databases is around 5000 euros. We are offering you the lot for a symbolic price of 49 euros. You only have to pay 49 euros and you will get all the applications above. The offer ends today at 5 p.m.

You will immediately have access to a download page from which you can download all the applications. The download page will stay online for six months (so that you can download them at a later date if you wish).


How to order. Free samples.
Click here to go to the offer page. The page contains links to all the sites. You can download free samples for all the applications from the same page.


The offer ends today at 5 p.m. Do not miss it.


I hope I have not taken up too much of your valuable time, and I wish you every success.

Best regards,

Audrey Martin
Marketing1 Team


Unsubscribe:
Please click here if you no longer wish to receive emails from us

M1 Solutions. 152 City Road, London EC1V 2NX

The link in the email goes to marketing1.site hosted on 66.96.161.163 (Endurance International Group, US) and then redirects to a landing page at marketing1apps.net on 89.187.85.8 (Coreix, UK) which is just a gateway to marketing1.net on that same IP. The email comes from 87.253.234.168, a Mailjet IP in France.

As I mentioned previously, Marketing1.net are always having a closing down sale (but never close down) and if their sample data is anything to go by, it is complete crap. That's in addition to spamming domain contacts. Avoid.

Thursday 28 March 2013

"Scan from a Xerox W. Pro" spam / ilianorkin.ru

This fake printer spam leads to malware on ilianorkin.ru:

From: officejet@[victimdomain]
Sent: 27 March 2013 08:35
Subject: Fwd: Fwd: Scan from a Xerox W. Pro #589307

A Document was sent to you using a XEROX WorkJet PRO 481864299.

SENT BY : Omar
IMAGES : 9
FORMAT (.JPEG) DOWNLOAD

The malicious payload is at [donotclick]ilianorkin.ru:8080/forum/links/column.php (report here) hosted on:

66.249.23.64 (Endurance International Group, US)
69.46.253.241 (RapidDSL & Wireless, US)
140.114.75.84 (TANET, Taiwan)

Blocklist:

Friday 2 March 2012

Malware sites to block 2/3/12

The Spam Analysis blog has an excellent post analysing what is happening behind the scenes in the malware from some recent spam runs. I've taken their hard work and have broken out the domains and IP addresses that you may want to block.

Note that some of these sites may be legitimate hacked sites. Also 66.96.160.133 is a parking IP, so there are several thousand other sites on the same address.

Domains:

IPs and hosts:
50.2.7.120 (Infinitie, US)
64.150.166.137 (iPower, US)
66.96.160.133 (Endurance International, US) [parked]
66.232.108.46 (Kevin Shick, US)
74.207.245.244 (Linode, US)
78.47.211.154 (Hetzner, Germany)
85.9.26.253 (GTS, Romania)
112.78.2.141 (Online Data Services JSC, Vietnam)
173.213.90.237 (Serverhub, US)
173.213.90.238 (Serverhub, US)
174.123.39.34 (ThePlanet, US)
174.136.0.68 (Colo4, US)
184.173.192.173 (ThePlanet, US)
200.58.124.129 (Dattatec.com, Argentina)
200.98.197.68 (UOL, Brazil)
209.140.16.128 (Landis Holdings, US)
216.251.43.98 (InternetNamesForBusiness.com, US)

Plain IP list:

Tuesday 26 March 2013

Wire Transfer spam / hondatravel.ru

This fake Wire Transfer spam leads to malware on hondatravel.ru:

From: messages-noreply@bounce.linkedin.com [mailto:messages-noreply@bounce.linkedin.com] On Behalf Of LinkedIn
Sent: 26 March 2013 11:52
Subject: Re: Wire Transfer Confirmation (FED_4402D79813)

Dear Bank Account Operator,
WIRE TRANSFER: FED68081773954793456
CURRENT STATUS: PENDING

Please REVIEW YOUR TRANSACTION as soon as possible.

The malicious payload is at [donotclick]hondatravel.ru:8080/forum/links/column.php (report here) hosted on:

66.249.23.64 (Endurance International Group, US)
69.46.253.241 (RapidDSL & Wireless, US)

These IPs were seen earlier with this attack.
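
An added example, not part of the original post: because the hosting IPs and the `:8080/forum/links/column.php` URL shape recur across these spam runs while the domain rotates, the sketch below checks proxy log lines against all three signals, so a domain that is not on any list yet is still flagged. The indicators are the ones quoted in this post; the log format, the sample lines and the function names are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Indicators quoted in the post above, kept in the blog's defanged notation.
DEFANGED_URL = "[donotclick]hondatravel.ru:8080/forum/links/column.php"
HOSTING_IPS = {"66.249.23.64", "69.46.253.241"}


def refang(indicator):
    """Parse '[donotclick]host:port/path' into URL parts. Nothing is fetched."""
    return urlsplit("http://" + indicator.replace("[donotclick]", "", 1))


KNOWN = refang(DEFANGED_URL)

# Constructed proxy log lines (assumed format: time client dest_ip method url).
SAMPLE_LOG = """\
2013-03-26T11:55:02Z 10.0.0.15 66.249.23.64 GET http://hondatravel.ru:8080/forum/links/column.php
2013-03-26T11:56:40Z 10.0.0.22 69.46.253.241 GET http://unlisted.example:8080/forum/links/column.php
2013-03-26T11:57:13Z 10.0.0.31 192.0.2.10 GET http://other.example:8080/forum/links/column.php
2013-03-26T11:58:00Z 10.0.0.31 192.0.2.10 GET http://other.example/index.html
truncated line
"""


def classify(line):
    """Return the list of campaign signals a log line matches (may be empty)."""
    fields = line.split()
    if len(fields) != 5:
        return []  # malformed or truncated line: nothing to judge
    _ts, _client, dest_ip, _method, url = fields
    parts = urlsplit(url)
    try:
        port = parts.port
    except ValueError:  # non-numeric or out-of-range port in the logged URL
        port = None
    reasons = []
    if parts.hostname == KNOWN.hostname:
        reasons.append("domain")        # exact listed domain
    if dest_ip in HOSTING_IPS:
        reasons.append("ip")            # shared hosting IP, any domain
    if port == KNOWN.port and parts.path == KNOWN.path:
        reasons.append("url-pattern")   # same port and landing path
    return reasons


def scan(log_text):
    """Return (client, reasons) for every log line with at least one signal."""
    hits = []
    for line in log_text.splitlines():
        reasons = classify(line)
        if reasons:
            hits.append((line.split()[1], reasons))
    return hits


if __name__ == "__main__":
    for client, reasons in scan(SAMPLE_LOG):
        print(client, "+".join(reasons))
```

A line that matches on "url-pattern" alone is the weakest signal and is best treated as a lead for review rather than a confirmed hit.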

Friday 22 March 2013

Changelog spam / hillairusbomges.ru

This fake changelog spam leads to malware on hillairusbomges.ru:

Date:      Thu, 21 Mar 2013 03:01:59 -0500 [04:01:59 EDT]
From:      LinkedIn Email Confirmation [emailconfirm@linkedin.com]
Subject:      Re: Changelog Oct.

Good morning,
as prmised updated changelog - View

L. LOYD

The malicious payload is at [donotclick]hillairusbomges.ru:8080/forum/links/column.php (report here) hosted on:
50.22.0.2 (Softlayer / Monday Sessions Media, US)
66.249.23.64 (Endurance International Group, US)
188.165.202.204 (OVH, France)

Blocklist:

Wednesday 1 February 2012

NACHA Spam / sulusify.com

More NACHA spam leading to a malicious payload..

Date:      Wed, 31 Jan 2012 10:43:44 +0200
From:      transactions@nacha.org
Subject:      ACH payment canceled

The ACH transfer (ID: 64930940909169), recently initiated from your checking account (by you or any other person), was canceled by the Electronic Payments Association.

Canceled transfer
Transaction ID:     64930940909169
Reason of rejection     See details in the report below
Transaction Report     report_64930940909169.doc (Microsoft Word Document)

13450 Sunrise Valley Drive, Suite 100

Herndon, VA 20171

2011 NACHA - The Electronic Payments Association

In this case, the malware is at sulusify.com/search.php?page=73a07bcb51f4be71 (it goes through a couple of redirectors first). A Wepawet report is here.

This is on 209.59.221.65 which is the Endurance International Group.. again. There are several malicious IPs in the 209.59.192.0/19 range now, perhaps indicating a deeper problem with this host.

Tuesday 26 March 2013

eFax Corporate spam / hjuiopsdbgp.ru

This fake eFax spam leads to malware on hjuiopsdbgp.ru:

Date:      Tue, 26 Mar 2013 06:23:36 +0800
From:      LinkedIn [welcome@linkedin.com]
Subject:      Efax Corporate
Attachments:     Efax_Pages.htm



Fax Message [Caller-ID: 378677295]

You have received a 59 pages fax at Tue, 26 Mar 2013 06:23:36 +0800, (954)-363-5285.

* The reference number for this fax is [eFAX-677484317].

View attached fax using your Internet Browser.


© 2013 j2 Global Communications, Inc. All rights reserved.
eFax ® is a registered trademark of j2 Global Communications, Inc.

This account is subject to the terms listed in the eFax ® Customer Agreement.

The attachment Efax_Pages.htm leads to a malicious payload at [donotclick]hjuiopsdbgp.ru:8080/forum/links/column.php (report here) hosted on the following IPs:
66.249.23.64 (Endurance International Group, US)
69.46.253.241 (RapidDSL & Wireless, US)
95.211.154.196 (Leaseweb, Netherlands)

Blocklist:


Friday 4 March 2016

Marketing1.net spammer rides again.. but for how much longer?

Marketing1.net have been one of the more annoying spammers I've seen over the past few years. Their sporadic spam campaign, sent to scraped email addresses, has been going on since at least 2014.

This latest spam claims they are going out of business. I can only hope so.

From:    Audrey Martin [info@mapps-uk.net]
Date:    4 March 2016 at 11:06
Subject:    We are giving away all our European business databases before to close down

Hi there,

We are sending you this email because you visited our website in the past. As you may already know, we have developed the largest business databases on CD in Europe. The software provided with the databases allows to run unlimited searches by Industry/Location/Company Size/Premises type or Job title, and to export the search results to Excel. All from your computer.

We are closing down because the cost to update all databases regularly have become too high. We have had fantastic years developing the Marketing1 applications. Thousands of businesses across Europe have used them to create successful marketing campaigns.

Before to close down, we have decided, as ultimate gesture, to give you something unprecedented.

We are giving you all our European databases. That represents an access to millions of companies across Europe. If you want to expand your business now or in the future, you should not miss this offer.

You will get the 7 following applications:

1) Marketing1 UK 2015: 5.8mio UK Businesses. 800'000 records with email. Unlimited export.
2) Top Managers UK 2015: 30,000 Executives from the 5000 largest companies in the UK (incl. email for all records). Excel file with full data, included.

3) Marketing1 France 2015 (application in French): 5mio French Companies. 650'000 records with email. Unlimited export.
4) Top Managers France 2015: 35,000 Executives from the largest companies in France (incl. email for all records). Excel file with full data, included.

5) Marketing1 Germany 2015 (application in German): 5mio German companies. 1.7 mio records with email. Unlimited export.
6) Top Managers Germany 2015: 50,000 Executives from the largest companies in Germany (incl. email for all records). Excel file with full data, included.

7) Marketing1 Belgium 2015 (application in English):  1.8 mio Belgian companies. 500'000 records with email. Unlimited export.

The value for all those databases, is over £5000. We are offering it all to you for a symbolic price: £99. You only have to pay £99 and you get all the applications above. The offer ends today at 5PM. Do not miss it.

You will immediately get access to a download page from which you can download all applications. The download page will stay online for 6 months (so you can download the applications at a later time).

How to place your order. Free samples
Click here to access the offer page. It contains links to all websites. You can also download free samples for all applications from the same page.


The offer ends today at 5PM. Do not miss it.

To your success,

Best Regards,

Audrey Martin
Marketing1 Team


Unsubscribe: Click here if you do not want to receive any further emails from us

M1 Solutions. 152 City Road, London EC1V 2NX

The link in the spam goes to www.mapps-uk.net (37.220.22.107 - Redstation, UK - fake WHOIS details) and then goes to a landing page at marketing1-euro.net (89.187.85.8 - Pickaweb / Coreix, UK - fake WHOIS details) and then finally to marketing1.net (also 89.187.85.8 with fake WHOIS details). The email also originates from 37.220.22.107.

None of the WHOIS records reflect a real company, and there is scant information about the spammers' real identities.

However, this outfit isn't just a bunch of spammers. They are also liars.

Clicking through the link reveals a landing page which clearly claims that this is the last day of their "Sale".


If you click the first link, rather confusingly it gives a different offer with a date of January 15th 2016, claiming that this is the "Last SALE before product discontinuation".


Except it was also the last chance to buy exactly the same product on July 24th 2015..


..and July 10th..


..and June 19th..

..and June 5th..


Get the picture? The data is ALWAYS on sale. So what is this data? Luckily you can download a sample to see just how good the data is. Here is a tiny sample:


Woolworths ceased trading in 2009. And indeed the sample data is full of companies that haven't existed for years or have just plain out of date and inaccurate details.

In other words, the quality of the data is complete shit. The fact that they have to resort to spam to sell this shit indicates that perhaps they have no actual valid data at all. And the fact that they hide who they really are is just the icing on the cake.

Let's hope that these spammers really are closing down. I somehow doubt that they are telling the truth though. Avoid.

Update 2016-07-15

I hadn't heard anything from these spammers for a while, then this plopped into my mailbox..

From:    Audrey Martin [info@mapps-fr.net] via bnc3.mailjet.com
Date:    15 July 2016 at 12:02
Subject:    We are giving away all our European business databases before to close down
Mailing list:    [info.mapps-fr.net.ztmj-xqo6.mj]
Signed by:    bnc3.mailjet.com

Good Morning,

We are sending you this email because you visited our website in the past. As you may already know, we are the developer and publisher of Marketing1, the largest business database on CD in the UK. The database is the only one on the market to contain details not available anywhere else on over 5 million Businesses in the UK including 4,6 million named decision makers available by job function and 800,000 Businesses with email addresses.

We did not only develop the UK database, but several ones across Europe. We are closing down because the cost to update all databases regularly have become too high. We have had fantastic years developing the Marketing1 applications. Thousands of businesses across Europe have used them to generate targeted lists for successful marketing campaigns.

Before to close down, we have decided, as ultimate gesture, to give you all our European databases. That represents an access to millions of companies across Europe. There is no catch.

You will get the 7 following applications:

1) Marketing1 UK 2016: 5.8mio UK Businesses. 800'000 records with email. Unlimited export.
2) Top Managers UK 2015: 30,000 Executives from the 5000 largest companies in the UK (incl. email for all records).

3) Marketing1 France 2015: 5mio French Companies. 650'000 records with email. Unlimited export.
4) Top Managers France 2015: 35,000 Executives from the largest companies in France (incl. email for all records). Excel file with full data, included.

5) Marketing1 Germany 2016: 5mio German companies. 1.7 mio records with email. Unlimited export.
6) Top Managers Germany 2015: 50,000 Executives from the largest companies in Germany (incl. email for all records). Excel file with full data, included.

7) Marketing1 Belgium 2015:  1.8 mio Belgian companies. 500'000 records with email. Unlimited export.


How do those applications work
The databases are delivered in a convenient software format. Search by Industry/Location/Company Size/Premises type or Job title, and export the results into Excel or txt files. With unlimited export. All from your computer.

The value for all those databases, is over £5000. We are offering it all to you for a symbolic price: £49. You only have to pay £49 and you get all the applications above. The offer ends today at 3PM. Do not miss it.

You will get access to a download page from which you can download all applications. The download page will stay online for 6 months (so you can download the applications at a later time).


How to place your order. Free samples
Click here to access the offer page. It contains links to all websites. You can also download free samples for all applications from the same page.


The offer ends today at 3PM. Do not miss it.

To your success,

Best Regards,

Audrey Martin
Marketing1 Team

Unsubscribe: Click here if you do not want to receive any further emails from us

M1 Solutions. 152 City Road, London EC1V 2NX

Obviously this is pretty much the same closing down sale they had in March. And here's the ever-changing final date again (which was actually last week).

The domain used in the spam email is marketing1-eu.site (66.96.161.163 - Endurance International Group, US) which forwards to marketing1-co.net (89.187.85.8 - Coreix Ltd, UK) and then onto marketing1.net on the same IP.

As previously established, this company always has a closing down sale, and the data they provide is complete crap. Avoid at all costs.