Showing posts sorted by relevance for query endurance international.

Thursday, 22 March 2012

LinkedIn Spam / cyancellular.com and browncellular.com

Another load of LinkedIn spam is doing the rounds. This time the payload is at cyancellular.com/showthread.php?t=73a07bcb51f4be71, hosted on 209.59.217.78 (Endurance International, US), and also at browncellular.com/showthread.php?t=d7ad916d1c0396ff, hosted on 174.140.168.207 (Directspace, US).


Be on the lookout for other domains of a similar pattern. If you know of more, then please consider adding a comment.. thanks!

Update: indigocellular.com is also part of this same pattern.

Wednesday, 21 March 2012

"LinkedIn Invitation from your colleague" spam / closteage.com

A fake LinkedIn spam leading to malware hosted at closteage.com:

Date:      Wed, 21 Mar 2012 16:24:04 +0200
From:      "Stacy Goss"
Subject:      LinkedIn Invitation from your colleague


LinkedIn
REMINDERS

Invitation notifications:
• From Kadeem Ruiz (Your Colleague)


PENDING MESSAGES

• There are a total of 3 messages awaiting your response. Visit your InBox now.

Don't want to receive email notifications? Adjust your message settings.

LinkedIn values your privacy. At no time has LinkedIn made your email address available to any other LinkedIn user without your permission. © 2010, LinkedIn Corporation.
The payload is at closteage.com/showthread.php?t=73a07bcb51f4be71 (report here) hosted on 209.59.217.101 (Endurance International, US). Blocking that IP will block any other malicious sites on the same server.

Monday, 5 March 2012

Intuit spam / cogisunet.com

It's Monday.. so it's malware. This new spam run is supposed to be from Intuit.com, but it actually leads to malware hosted on cogisunet.com.

Date:      Mon, 5 Mar 2012 12:30:31 +0100
From:      "INTUIT INC."
Subject:      Please confirm your Intuit.com invoice.

Dear Sir/Madam:

Thank you for buying your accounting software from Intuit Market. We have received it and will send you an e-mail when your order is processed. If you ordered several items, we may deliver them in more than one shipment (at no extra cost to you) to provide faster processing time.

If you have questions about your order, please call 1-800-955-8890.


ORDER INFORMATION

Please download your full invoice
id #221137087563 information at Intuit small business website.

NEED HELP?

    Email us at mktplace_customerservice@intuit.com.
    Call us at 1-800-955-8890.
    Reorder Intuit Checks Quickly and Easily starting with
    the information from your previous order.

To help us better serve your needs, please take
a few minutes to let us know how we are doing.
Submit your feedback here.

Thanks again for your order,

Intuit Market Customer Service

Privacy , Legal , Contact Us , About Us

You have received this business communication as part of our efforts to fulfill your request or service your account. You may receive this and other business communications from us even if you have opted out of marketing messages.

Please note: This e-mail was sent from an auto-notification system that cannot accept incoming email
Please do not reply to this message.

If you receive an email message that appears to come from Intuit but that you suspect is a phishing e-mail, please forward it immediately to spoof@intuit.com. Please visit http://security.intuit.com/ for additional security information.

©2011 Intuit, Inc. All rights reserved. Intuit, the Intuit Logo, Quickbooks, Quicken and TurboTax, among others, are registered trademarks of Intuit Inc.

The malware is hosted on cogisunet.com/banner.php?aid=73a07bcb51f4be7 on 209.59.213.95 (Endurance International, US). The block 209.59.192.0/19 has a significant problem with malware at the moment, so you may want to consider blocking IPs in it more widely.

Friday, 2 March 2012

Malware sites to block 2/3/12

The Spam Analysis blog has an excellent post analysing what is happening behind the scenes in the malware from some recent spam runs. I've taken their hard work and have broken out the domains and IP addresses that you may want to block.

Note that some of these sites may be legitimate hacked sites. Also, 66.96.160.133 is a parking IP, so there are several thousand other sites on the same address.

Domains:
almeconstruction.com
ampndesignclients.com
buddysbarbq.com
chovattuvt.com
curchamp.com
curcharge.com
curchart.com
ftp.intervene.com.br
impressiveclimate.com
indianwildlifetourism.com
mixestudio.com
pollypaw.com
pollypeaceful.com
ragsnipe.com
sadropped.com
splatstep.com
top59serv.ro
trucktumble.com
truckturtle.com
wonderfulwriggle.com

IPs and hosts:
50.2.7.120 (Infinitie, US)
64.150.166.137 (iPower, US)
66.96.160.133 (Endurance International, US) [parked]
66.232.108.46 (Kevin Shick, US)
74.207.245.244 (Linode, US)
78.47.211.154 (Hetzner, Germany)
85.9.26.253 (GTS, Romania)
112.78.2.141 (Online Data Services JSC, Vietnam)
173.213.90.237 (Serverhub, US)
173.213.90.238 (Serverhub, US)
174.123.39.34 (ThePlanet, US)
174.136.0.68 (Colo4, US)
184.173.192.173 (ThePlanet, US)
200.58.124.129 (Dattatec.com, Argentina)
200.98.197.68 (UOL, Brazil)
209.140.16.128 (Landis Holdings, US)
216.251.43.98 (InternetNamesForBusiness.com, US)

Plain IP list:
50.2.7.120
64.150.166.137
66.96.160.133
66.232.108.46
74.207.245.244
78.47.211.154
85.9.26.253
112.78.2.141
173.213.90.237
173.213.90.238
174.123.39.34
174.136.0.68
184.173.192.173
200.58.124.129
200.98.197.68
209.140.16.128
216.251.43.98

Wednesday, 22 February 2012

AICPA Spam / favoriteburger.net

Following on from yesterday's AICPA spam run, a new domain is in use for the malicious payload: favoriteburger.net/search.php?page=73a07bcb51f4be71 on 209.59.212.14 (Endurance International Group again). The IP is worth blocking, and you may want to consider blocking larger ranges of this ISP, which seems to have a problem with this type of malicious site.

Date:      Tue, 20 Feb 2012 22:31:55 -0300
From:      "Gilbert Ayers"
Subject:      Termination of your accountant license.

You're receiving this message as a Certified Public Accountant and a member of AICPA.
Having trouble reading this email? View it in your browser.

Cancellation of CPA license due to tax return fraud allegations

Valued accountant officer,

We have received a notice of your possible assistance in income tax refund fraudulent activity for one of your employers. According to AICPA Bylaw Section 600 your Certified Public Accountant status can be withdrawn in case of the fact of filing of a false or fraudulent income tax return on the member's or a client's behalf.

Please be informed of the complaint below and provide your feedback to it within 14 days. The failure to do so within this term will result in termination of your Accountant status.

Complaint.pdf

The American Institute of Certified Public Accountants.

Email: service@aicpa.org
Tel. 888.777.7077
Fax. 800.362.5066

Wednesday, 1 February 2012

NACHA Spam / sulusify.com

More NACHA spam leading to a malicious payload..

Date:      Wed, 31 Jan 2012 10:43:44 +0200
From:      transactions@nacha.org
Subject:      ACH payment canceled

The ACH transfer (ID: 64930940909169), recently initiated from your checking account (by you or any other person), was canceled by the Electronic Payments Association.

Canceled transfer
Transaction ID:     64930940909169
Reason of rejection     See details in the report below
Transaction Report     report_64930940909169.doc (Microsoft Word Document)

13450 Sunrise Valley Drive, Suite 100

Herndon, VA 20171

2011 NACHA - The Electronic Payments Association
In this case, the malware is at sulusify.com/search.php?page=73a07bcb51f4be71 (it goes through a couple of redirectors first). A Wepawet report is here.

This is on 209.59.221.65 which is the Endurance International Group.. again. There are several malicious IPs in the 209.59.192.0/19 range now, perhaps indicating a deeper problem with this host.
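This post and the 5 March post both suggest blocking the 209.59.192.0/19 range rather than one IP at a time. The following Python example is added here and is not code from the blog: it takes the Endurance-attributed IPs collected from the posts on this page (a constructed list), checks which of them fall inside the range the post names, computes the smallest prefix that covers the in-range ones, and merges single hosts into any wider range an operator chooses to block so the resulting list has no redundant entries.

```python
import ipaddress

# Constructed from the IPs the posts on this page attribute to Endurance International.
ENDURANCE_IPS = [
    "209.59.217.78", "209.59.217.101", "209.59.213.95", "209.59.212.14",
    "209.59.221.65", "209.59.220.57", "209.59.220.65", "209.59.220.202",
    "209.59.221.158", "209.59.222.145", "66.96.160.133", "66.96.161.163",
]

# The range the post singles out as having a malware problem.
PROBLEM_RANGE = ipaddress.ip_network("209.59.192.0/19")


def partition_by_range(ips, net=PROBLEM_RANGE):
    """Split a list of IP strings into those inside and outside a network."""
    inside, outside = [], []
    for ip in ips:
        (inside if ipaddress.ip_address(ip) in net else outside).append(ip)
    return inside, outside


def smallest_covering_network(ips):
    """Return the narrowest CIDR block that contains every address given.

    Starting from a host route on the lowest address, the prefix is widened
    one bit at a time until the highest address falls inside it.
    """
    addrs = sorted(ipaddress.ip_address(ip) for ip in ips)
    lo, hi = addrs[0], addrs[-1]
    prefix = lo.max_prefixlen
    net = ipaddress.ip_network(f"{lo}/{prefix}", strict=False)
    while hi not in net:
        prefix -= 1
        net = ipaddress.ip_network(f"{lo}/{prefix}", strict=False)
    return net


def build_blocklist(ips, wide_ranges=()):
    """Merge host entries with any wider ranges the operator has decided to
    block; hosts already covered by a range are dropped by collapse_addresses."""
    nets = [ipaddress.ip_network(ip) for ip in ips]
    nets += [ipaddress.ip_network(r) for r in wide_ranges]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


if __name__ == "__main__":
    inside, outside = partition_by_range(ENDURANCE_IPS)
    print(f"{len(inside)} of {len(ENDURANCE_IPS)} listed IPs are in {PROBLEM_RANGE}")
    print("Smallest block covering the in-range hosts:",
          smallest_covering_network(inside))
    print("Outside the range (still individual entries):", outside)
    for entry in build_blocklist(ENDURANCE_IPS, ["209.59.192.0/19"]):
        print("block", entry)
```

The covering-prefix calculation is a way to check how wide a range the observed hosts actually justify before committing to the operator's chosen block; the /19 decision itself, and the collateral damage to legitimate customers on shared hosting, remains a judgement call.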

Thursday, 26 January 2012

Some malware sites to block 26/1/12

Some more malware sites to block, being used in current spam runs to distribute the blackhole exploit kit. Block the domains and IPs if you can.

Eonix, Canada
173.213.93.203
clostescape.com

Zerigo, US
173.248.190.37
chilleloot.com

Colo4Dallas, US
174.136.0.87
chillegraph.com
chilleline.com

Ixvar, Canada
174.142.247.164
clostery.com

Hostforweb, US
205.234.187.6
sulusient.com

Networld Internet, US
207.210.96.45
clostehold.com
72.249.126.223
chillemap.com

Confluence Networks, BVI
208.91.197.27 (parked)
closteyard.com

Endurance International, US
209.59.220.57
closteland.com
closterange.com
209.59.220.65
sulusity.com
209.59.220.202
chillency.com
209.59.221.158
closteation.com

Nuclear Fallout Enterprises, US
66.150.164.192
chilletect.com
74.91.119.202
sulusality.com

Linode, US
69.164.199.231
chillepay.com
96.126.96.123
chillechart.com
96.126.102.252
sulusium.com

Not resolving
chillebucks.com
chillecash.com
chillefunds.com
chillestruct.com
sulusius.com
sulusize.com

Wednesday, 25 January 2012

Lazy BBB / "ACH transfer pending" spam, chillestruct.com and closteation.com

Here's a lazy spam about an "ACH transfer" that appears to come from the BBB, because the spammers have mixed up the campaigns.

Date:      Wed, 24 Jan 2012 13:31:58 +0100
From:      "manager@bbb.org" [manager@bbb.org]
Subject:      ACH transfer pending

Dear Sir or Madam,

This message includes a notification about the ACH debit transfer sent on your behalf, that was held by our bank:

Transaction ID: 471209863177939
Transaction status: pending

In order to resolve this matter, please review the transaction details using the link below as soon as possible.

Yours faithfully,
Kathy Quirk
Accounting Department

The link in the spam routes through a couple of hacked sites to a malicious payload at chillestruct.com on 173.248.190.37 (Zerigo Inc, California) and closteation.com on 209.59.221.158 (Endurance International, Massachusetts). Wepawet reports are here and here.

Blocking the IPs will prevent any other malicious sites on those servers from causing problems.

Tuesday, 24 January 2012

BBB Spam / chillebucks.com, sulusize.com and sulusity.com

More fake BBB spam leading to a malicious payload, this time hosted on the domain sulusize.com on 174.136.4.211 (Colo4, US). The server appears to be a legitimate hacked server, but blocking traffic to that IP is probably a wise idea if you can do it.

Some sample emails (the usual fake BBB approach):

Date:      Tue, 23 Jan 2012 11:51:58 +0100
From:      "BBB" [info@bbb.org]
Subject:      Better Business Bureau service
Attachments:     betterbb_logo.jpg

Attn: Owner/Manager

Here with the Better Business Bureau would like to inform you that we have received a complaint (ID 23387543) from your customer with respect to their dealership with you.

Please open the COMPLAINT REPORT below to find the details on this question and suggest us about your position as soon as possible.

We hope to hear from you very soon.

Sincerely,

Rebecca Wilcox

Dispute Counselor
Better Business Bureau


Council of Better Business Bureaus
4200 Wilson Blvd, Suite 800
Arlington, VA 22203-1838
Phone: 1 (703) 276.0100
Fax: 1 (703) 525.8277

==============

Date:      Tue, 23 Jan 2012 12:16:00 +0100
From:      "Better Business Bureau" [risk.manager@bbb.org]
Subject:      Re: your customer's complaint ID 83031311
Attachments:     betterbb_logo.jpg

Hello,

Here with the Better Business Bureau notifies you that we have received a complaint (ID 83031311) from one of your customers in regard to their dealership with you.

Please open the COMPLAINT REPORT below to obtain the details on this question and suggest us about your point of view as soon as possible.

We hope to hear from you very soon.

Regards,

Fernando Grodhaus

Dispute Counselor
Better Business Bureau

The malware tries to download further code from sulusity.com on 209.59.220.65 (Endurance International Group, US).. another one to block. A Wepawet analysis is here.

Update #1: Another version is doing the rounds with the initial malware hosted on chillebucks.com (69.163.37.22, Bula Networks California).

Update #2: The Wepawet analysis indicates that this might do something with the user's Facebook account as well as the usual malware payload.

Thursday, 19 January 2012

Wire transfer malicious spam / monikabestolucci.ru:8801 and 78.159.118.226

More malicious spam doing the rounds, but this time it's more complicated than before.

From: accounting@victimdomain.com [mailto:accounting@victimdomain.com]
Sent: 18 January 2012 02:14
Subject: Re: Wire Transfer Confirmation (FED_93711S15719)

Dear Bank Account Operator,
WIRE TRANSACTION: FWD-7563133392175652
CURRENT STATUS: PENDING

Please Review your transaction as soon as possible.

The link goes to a legitimate hacked site containing some heavily obfuscated JavaScript, which in turn points to monikabestolucci.ru:8801 and then downloads further code from 78.159.118.226/forum/hp.php?i=8 (Netdirect, Germany). The Wepawet report is here, and there is also an Anubis report on the binary here.

monikabestolucci.ru is massively multihomed (a raw list is at the end of the post), presumably on legitimate hacked servers.

24.37.34.163 (Videotron, Canada)
46.105.28.61 (OVH Systems, Italy)
50.57.77.119 (Slicehost, Texas)
50.57.118.247 (Slicehost, Texas)
74.207.248.120 (Linode, New Jersey)
74.208.205.185 (1&1, US)
78.47.122.11 (Hetzner, Germany)
80.90.199.196 (Webfusion, UK)
81.31.43.43 (Master Internet, Czech Republic)
82.165.197.58 (1&1, Germany)
83.170.91.152 (UK2.NET, UK)
84.246.210.87 (Infortelecom, Spain)
88.191.97.108 (Dedibox SAS, France)
97.74.87.3 (GoDaddy, Arizona)
124.11.65.210 (TFN, Taiwan)
125.214.74.8 (Web24, Australia)
129.67.100.11 (Oxford University, UK)
173.201.187.225 (GoDaddy, Arizona)
173.230.137.129 (Linode, Florida)
173.255.229.33 (Linode, New Jersey)
174.122.121.154 (ThePlanet, Texas)
209.59.222.145 (Endurance International, Massachusetts)
211.44.250.173 (SK Broadband, Korea)

Blocking these IPs might be a pain, but it would block any other malicious sites on the same servers.

Raw list:
24.37.34.163
46.105.28.61
50.57.77.119
50.57.118.247
74.207.248.120
74.208.205.185
78.47.122.11
80.90.199.196
81.31.43.43
82.165.197.58
83.170.91.152
84.246.210.87
88.191.97.108
97.74.87.3
124.11.65.210
125.214.74.8
129.67.100.11
173.201.187.225
173.230.137.129
173.255.229.33
174.122.121.154
209.59.222.145
211.44.250.173

Friday, 4 March 2016

Marketing1.net spammer rides again.. but for how much longer?

Marketing1.net have been one of the more annoying spammers I've seen over the past few years. Their sporadic spam campaign, sent to scraped email addresses has been going on since at least 2014.

This latest spam claims they are going out of business. I can only hope so.

From:    Audrey Martin [info@mapps-uk.net]
Date:    4 March 2016 at 11:06
Subject:    We are giving away all our European business databases before to close down

Hi there,

We are sending you this email because you visited our website in the past. As you may already know, we have developed the largest business databases on CD in Europe. The software provided with the databases allows to run unlimited searches by Industry/Location/Company Size/Premises type or Job title, and to export the search results to Excel. All from your computer.

We are closing down because the cost to update all databases regularly have become too high. We have had fantastic years developing the Marketing1 applications. Thousands of businesses across Europe have used them to create successful marketing campaigns.

Before to close down, we have decided, as ultimate gesture, to give you something unprecedented.

We are giving you all our European databases. That represents an access to millions of companies across Europe. If you want to expand your business now or in the future, you should not miss this offer.

You will get the 7 following applications:

1) Marketing1 UK 2015: 5.8mio UK Businesses. 800'000 records with email. Unlimited export.
2) Top Managers UK 2015: 30,000 Executives from the 5000 largest companies in the UK (incl. email for all records). Excel file with full data, included.

3) Marketing1 France 2015 (application in French): 5mio French Companies. 650'000 records with email. Unlimited export.
4) Top Managers France 2015: 35,000 Executives from the largest companies in France (incl. email for all records). Excel file with full data, included.

5) Marketing1 Germany 2015 (application in German): 5mio German companies. 1.7 mio records with email. Unlimited export.
6) Top Managers Germany 2015: 50,000 Executives from the largest companies in Germany (incl. email for all records). Excel file with full data, included.

7) Marketing1 Belgium 2015 (application in English):  1.8 mio Belgian companies. 500'000 records with email. Unlimited export.

The value for all those databases, is over £5000. We are offering it all to you for a symbolic price: £99. You only have to pay £99 and you get all the applications above. The offer ends today at 5PM. Do not miss it.

You will immediately get access to a download page from which you can download all applications. The download page will stay online for 6 months (so you can download the applications at a later time).

How to place your order. Free samples
Click here to access the offer page. It contains links to all websites. You can also download free samples for all applications from the same page.


The offer ends today at 5PM. Do not miss it.

To your success,

Best Regards,

Audrey Martin
Marketing1 Team


Unsubscribe: Click here if you do not want to receive any further emails from us

M1 Solutions. 152 City Road, London EC1V 2NX
The link in the spam goes to www.mapps-uk.net (37.220.22.107 - Redstation, UK - fake WHOIS details) and then goes to a landing page at marketing1-euro.net (89.187.85.8 - Pickaweb / Coreix, UK - fake WHOIS details) and then finally to marketing1.net (also 89.187.85.8 with fake WHOIS details). The email also originates from 37.220.22.107.

None of the WHOIS records reflect a real company, and there is scant information about the spammers' real identities.

However, this outfit isn't just a bunch of spammers. They are also liars.

Clicking through the link reveals a landing page which clearly claims that this is the last day of their "Sale".


If you click the first link, rather confusingly it gives a different offer with a date of January 15th 2016, claiming that this is the "Last SALE before product discontinuation".


Except it was also the last chance to buy exactly the same product on July 24th 2015..


..and July 10th..


..and June 19th..

..and June 5th..


Get the picture? The data is ALWAYS on sale. So what is this data? Luckily you can download a sample to see just how good the data is. Here is a tiny sample:


Woolworths ceased trading in 2009. And indeed the sample data is full of companies that haven't existed for years, or that have just plain out-of-date and inaccurate details.

In other words, the quality of the data is complete shit. The fact that they have to resort to spam to sell this shit indicates that perhaps they have no actual valid data at all. And the fact that they hide who they really are is just the icing on the cake.

Let's hope that these spammers really are closing down. I somehow doubt that they are telling the truth though. Avoid.

Update 2016-07-15

I hadn't heard anything from these spammers for a while, then this plopped into my mailbox..

From:    Audrey Martin [info@mapps-fr.net] via bnc3.mailjet.com
Date:    15 July 2016 at 12:02
Subject:    We are giving away all our European business databases before to close down
Mailing list:    [info.mapps-fr.net.ztmj-xqo6.mj] Filter messages from this mailing list
Signed by:    bnc3.mailjet.com

Good Morning,

We are sending you this email because you visited our website in the past. As you may already know, we are the developer and publisher of Marketing1, the largest business database on CD in the UK. The database is the only one on the market to contain details not available anywhere else on over 5 million Businesses in the UK including 4,6 million named decision makers available by job function and 800,000 Businesses with email addresses.

We did not only develop the UK database, but several ones across Europe. We are closing down because the cost to update all databases regularly have become too high. We have had fantastic years developing the Marketing1 applications. Thousands of businesses across Europe have used them to generate targeted lists for successful marketing campaigns.

Before to close down, we have decided, as ultimate gesture, to give you all our European databases. That represents an access to millions of companies across Europe. There is no catch.

You will get the 7 following applications:

1) Marketing1 UK 2016: 5.8mio UK Businesses. 800'000 records with email. Unlimited export.
2) Top Managers UK 2015: 30,000 Executives from the 5000 largest companies in the UK (incl. email for all records).

3) Marketing1 France 2015: 5mio French Companies. 650'000 records with email. Unlimited export.
4) Top Managers France 2015: 35,000 Executives from the largest companies in France (incl. email for all records). Excel file with full data, included.

5) Marketing1 Germany 2016: 5mio German companies. 1.7 mio records with email. Unlimited export.
6) Top Managers Germany 2015: 50,000 Executives from the largest companies in Germany (incl. email for all records). Excel file with full data, included.

7) Marketing1 Belgium 2015:  1.8 mio Belgian companies. 500'000 records with email. Unlimited export.


How do those applications work
The databases are delivered in a convenient software format. Search by Industry/Location/Company Size/Premises type or Job title, and export the results into Excel or txt files. With unlimited export. All from your computer.

The value for all those databases, is over £5000. We are offering it all to you for a symbolic price: £49. You only have to pay £49 and you get all the applications above. The offer ends today at 3PM. Do not miss it.

You will get access to a download page from which you can download all applications. The download page will stay online for 6 months (so you can download the applications at a later time).


How to place your order. Free samples
Click here to access the offer page. It contains links to all websites. You can also download free samples for all applications from the same page.


The offer ends today at 3PM. Do not miss it.

To your success,

Best Regards,

Audrey Martin
Marketing1 Team

Unsubscribe: Click here if you do not want to receive any further emails from us

M1 Solutions. 152 City Road, London EC1V 2NX
Obviously this is pretty much the same closing down sale they had in March. And here's the ever-changing final date again (which was actually last week).

The domain used in the spam email is marketing1-eu.site (66.96.161.163 - Endurance International Group, US) which forwards to marketing1-co.net (89.187.85.8 - Coreix Ltd, UK) and then onto marketing1.net on the same IP.

As previously established, this company always has a closing down sale, and the data they provide is complete crap. Avoid at all costs.