Friday, 20 February 2009

Point Focus LLC: "The offer you can not say no to!"

"The offer you can not say no to!" Really. I betcha I can. My notes are in bold.


Subject: The offer you can not say no to! ["No": just did, did you see that?]

Point Focus LLC is now expanding!

To deal with the international payments processings we are now looking for people willing to facilitate establishing of our all-round-the-globe business connections and assist saving considerably by tax disbursing reduction. This position of the Financial Assistant involves accepting payments from our Australian, UK and US ( rarer Spanish) clients to your account and resending to our partners.

You are getting paid right by the moment you cash the payment. It's the commission in amount equal to 4% out the sum posted on your account. This very amount you're deducting before sending anything out. So, estimated roughly, you can make up to 2000$ extra monthly.
[A straight money mule operation then, laundering stolen money. 4% for basically doing nothing. Except you will never actually get to keep the 4% when the police catch up with you]

Plus, you get:

- flexi-time (usually 2-3 hours a day)
- Saturdays & Sundays off [woo!]

Requirements:

- Have to be aged 21 or above
- No criminal record [don't worry, you will soon get a criminal record if you participate in this scheme]
- Regular Internet access
- Ability to accept payments using your bank account [for the transfer of stolen money, which will be nice and traceable for the cops]
- Ability to resend the money through Western Union [which is NOT traceable, and is therefore money laundering]


If feel qualified, please, attach the following info to start up with:
[information that we should have known if we were offering you a job]
- Fist Name:
- Last Name:
- Age:
- Sex:
- Country
- State, City, Zip
- Phone number (home and cell)
- Valid email address

NOTE!!!! the email address you use to contact us for the first time is: IBCGroup0@gmail.com , in the subject field put "interested".
[odd that the email address doesn't match the one you sent from]

Please, use only mentioned email address, otherwise we'll fail to receive your response.
Originating IP is 92.84.13.66 in Romania. Just say "no".

Tuesday, 17 February 2009

Weird spam #2: "BREAKING NEWS - The Pope has been discharged from his office"

A genuine "wtf" spam here:

Subject: BREAKING NEWS - The Pope has been discharged from his office
From: "Press Officer"

BREAKING NEWS

Feb. 2009 - The Pope has been discharged from his office!

Find out more at Urgent news
[http://208.91.200.49/interspire/link.php?M=00000&N=5&L=1&F=T]

Unsubscribe me from this contact list
[http://208.91.200.49/interspire/link.php?M=00000&N=5&L=2&F=T]

Powered by Interspire

The page 404s. But wait.. the email was sent from 208.91.200.49 and points to the same IP address. And the domain rcigi.com is hosted a few IPs over at 208.91.200.35.

What is rcigi.com? It calls itself the RC-Institute for Global Individuation and hides behind an anonymous domain registration. The site is either a spoof, or perhaps the domain of some religious nutters. It is hard to tell. Interestingly, it is in English and German, and the way the English is written makes me think that it might be a native German speaker writing it.

The site indicates that it is run by a "Dr" Eduard Schellhammer of either Barcelona or Alicante. All the sites linking FROM rcigi.com are registered to Eduard Schellhammer, however it is possible that this is a sophisticated Joe Job and Herr Schellhammer is completely innocent. Still, all very odd.

Weird spam #1: "Warning! Virus detected"

A couple of bits of weird spam today, number one:

Subject: Warning! Virus detected

A possible virus was found in this message.
The virus name is: W32/Netskyb@MM!zip

-----Original Message-----
Hello, check my postcard!
[skipped]
--------------------------

In all cases the links lead to what appears to be a page on a compromised PHP-powered site, but in each case the page is coming up with a 404. Is it related to this?

Monday, 16 February 2009

UNYK.com: spam or what?

I really, really hate these contact managers that spam out invites to everyone's contacts. UNYK.com seems to be the latest of these:

Subject: Personal invitation from ****************

Hello,

This is a way to never lose contact.

Finally, a smart and simple way to manage your contacts!

With UNYK, I put all my contacts together in one address book that is automatically updated. One of my contacts changes his or her information at UNYK.com: My address book is updated. I change information at UNYK.com: My contacts’ address books are updated. Simple, but life-changing!

Can I add you as one of my contacts? To accept, click here!

You too can create your own smart address book.

Life-changing my arse.. Plaxo has been doing this for years and that's a pretty worthless application too.

If you are a corporate mail administrator, then my advice has always been to block this kind of rubbish. As you might expect, it comes with some downloads that you probably don't want to let anywhere near your users' PCs, and it is bound to generate a load of support calls asking "is this spam?" / "this looks like a good idea, doesn't it?" / "is this a virus?" / "how do I install this?" etcetera.

No, I'm not saying that UNYK.com is evil in any way, it is just that for many sysadmins this sort of stuff costs real money when the users latch onto it. The best thing to do is apply an IP block to 204.92.8.159 to 204.92.8.220, and hopefully you will never be bothered by UNYK.com again.

Friday, 13 February 2009

BitDefender: Trojan.Generic.1423603 in winlogon.exe

This looks like a false positive: BitDefender is reporting Trojan.Generic.1423603 in C:\windows\system32\winlogon.exe. This name is sometimes used by malware, but in this case no other product is detecting anything malicious.

The current BitDefender pattern is 2640654, pushed out on Friday 13th February (!).

I will post the ThreatExpert prognosis when I get it.. in the meantime I would suggest that you do NOT try to remove winlogon.exe as you will render your system unbootable. (NOTE: Do NOT reboot your machine as this will most likely break it!)

Update: ThreatExpert indicates that it is clean. Several comments confirm that it is a false positive. The problem seems to be on Windows XP SP3, SP2 does not seem to have the same issue. The MD5 for this file is ed0ef0a136dec83df69f04118870003e

It seems that there are several reports at the BitDefender forum. I would guess that BitDefender are aware of the problem; temporarily disabling the anti-virus scanner may be a good idea, else your system may become unusable. Usually these issues are fixed within 24 hours.

Update 2:
If you can't get the winlogon.exe out of quarantine, then this is a copy of the original (English US) file for XP SP3. Use at your own risk - password is "bitdefender".
winlogon_xpsp3.zip

Sunday, 8 February 2009

Good news. Bad news.

A couple of items of interest from The Register:

OpenDNS rolls out Conficker tracking, blocking
This seems like a great idea, especially for small organisations without IDS or traffic monitoring. The problem.. well, OpenDNS has been awfully slow recently and personally I had to stop using it.

Kaspersky breach exposes sensitive database, hacker claims
This looks like a case of an insecure SQL database, leading to a potentially nasty compromise. Kaspersky isn't the first AV vendor to be shown to have poor SQL security. Trend was hit last year, as was CA. In this case, it looks like a potential data breach which is embarrassing. There's no evidence that any Kaspersky product has been compromised, but you can see that it might be possible to leverage credentials exposed in the SQL injection attack and use them elsewhere.

Thursday, 5 February 2009

Snow

It really doesn't usually snow this much around here...

Monday, 2 February 2009

Snow bear

The heaviest snowfall for a zillion years or something in the UK.. it appears to have brought out this snow bear which is lurking in the garden.


I think he's probably harmless enough.

Drive-by cloning of RFID passports

Here's a different type of drive-by attack than the usual one.. security researcher Chris Paget shows that it is possible to read RFID tags from a passing moving vehicle and clone all the information they contain.. for the price of $250 worth of kit off eBay.

UkrTeleGroup vanishes, morphs.

First some good news (via the WaPo Security Fix blog): well known black hat web host UkrTeleGroup appears to have vanished from the internet. The bad news is that it seems to have morphed into a company called Internet Path which is masquerading as a US company.

Unfortunately, it does not appear that this is an Atrivo / McColo / Estdomains style situation where the bad guys are permanently shut down.. yet. But perhaps continued pressure on upstream providers might have some effect.. who knows?

Sunday, 1 February 2009

Uh-oh

No doubt the whole of the south of England will grind to a halt under this stuff, to the amusement of people who get REAL snow.. but a rear wheel drive sports car with no snow tyres is not exactly ideal for these conditions.

"Zhudian Machinery" / zhudian-m.com scam

A strange, tersely worded email from some scammer or other:

Subject: Representative Needed
From: "ZHUDIAN MACHINERY"

How would you feel to work for the Zhudian Machinery and earn good money? Contact Qi
Par via email: employment@zhudian-m.com
How would I feel? Well, alarmed and upset probably when the police kick down my door with a warrant because of the money laundering I've been doing for this so called "Zhudian Machinery".

Oddly, the domain is registered with a set of fake details pointing at the UK:

Domain name: ZHUDIAN-M.COM
Created on: 2008-11-05
Updated on: 2008-11-05
Expires on: 2009-11-05
Registrant Name: PETER LLEWELLYN-JONES
Contact: Peter Llewellyn-Jones
Registrant Address: no 43567 broad street
Registrant City: england
Registrant Postal Code: ch1 1lt
Registrant Country: GB
Administrative Contact Organization: Peter Llewellyn-Jones
Administrative Contact Name: Peter Llewellyn-Jones
Administrative Contact Address: no 43567 broad street
Administrative Contact City: england
Administrative Contact Postal Code: ch1 1lt
Administrative Contact Country: GB
Administrative Contact Email: kedenor@gmail.com
Administrative Contact Tel: +44 701 1130444
Administrative Contact Fax: +44 701 1130444
Technical Contact Organization: Technical Support
Technical Contact Name:
Technical Contact Address: Via A Ponti, 6
Technical Contact City: Bergamo
Technical Contact Postal Code: 24126
Technical Contact Country: IT
Technical Contact Email: support@register.it
Technical Contact Phone: +39 035 3230400
Technical Contact Fax: +39 035 3230312
Primary Name Server Hostname: NS1.REGISTER.IT
Secondary Name Server Hostname: NS2.REGISTER.IT

The "CH1 1LT" postcode given is the Chester Grosvenor Hotel but the rest of the address doesn't match and is clearly nonsense. The +44 701 1130444 number given looks like a UK number, but in fact it's a "follow me anywhere" number that is probably just forwarding to another number outside the UK.

Originating IP address is 206.47.199.87 which is well known for spam. Email address was harvested from a "free webspace provider".

Friday, 23 January 2009

Asprox: dbrgf.ru

Another domain to look for in SQL injection attacks is dbrgf.ru, still calling script.js. Checking your proxy logs for ".ru/script.js" is a good idea at the moment.

It might also be worth checking for the string "google-analitycs" as the attacks redirect through a subdomain containing that mis-spelled phrase.

Wednesday, 21 January 2009

Asprox: lijg.ru and dbrgf.ru

A fresh round of SQL injections seems to be on the march, with (at least) two new domains being injected into vulnerable sites: www.lijg.ru and www.dbrgf.ru, calling a script named script.js.

This script redirects through an IFRAME pointing to google-analitycs.lijg.ru, although the payload is unclear.

Including some older domains, the following list seems to be active, either calling script.js or style.js.

  • www.lijg.ru
  • www.dbrgf.ru
  • www.bnmd.kz
  • www.nvepe.ru
  • www.mtno.ru
  • www.wmpd.ru
  • www.msngk6.ru
  • www.dft6s.kz
For the record, the domain registrations are as follows:

domain: LIJG.RU
type: CORPORATE
nserver: ns2.lijg.ru. 68.4.124.142
nserver: ns5.lijg.ru. 74.129.255.164
nserver: ns1.lijg.ru. 68.6.180.109
nserver: ns3.lijg.ru. 67.38.2.113
nserver: ns4.lijg.ru. 76.240.151.177
state: REGISTERED, DELEGATED
person: Andrey G Chalkov
phone: +7 495 9385996
e-mail: chalkov@laptopmix.net
registrar: NAUNET-REG-RIPN
created: 2009.01.20
paid-till: 2010.01.20
source: TC-RIPN


domain: DBRGF.RU
type: CORPORATE
nserver: ns5.dbrgf.ru. 74.196.121.117
nserver: ns4.dbrgf.ru. 68.105.25.64
nserver: ns1.dbrgf.ru. 75.156.152.67
nserver: ns2.dbrgf.ru. 68.197.137.239
nserver: ns3.dbrgf.ru. 146.57.249.100
state: REGISTERED, DELEGATED
person: Andrey G Chalkov
phone: +7 495 9385996
e-mail: chalkov@laptopmix.net
registrar: NAUNET-REG-RIPN
created: 2009.01.20
paid-till: 2010.01.20
source: TC-RIPN

Tuesday, 20 January 2009

"Soft Fund Ltd" scam

Soft Fund Ltd is a wholly legitimate Ukrainian company. This email claims to be from Soft Fund Ltd, but isn't.

From: support.softfund@gmail.com

Hello Sir/Madam.

I Alex Feigin,
Director of Soft Fund Ltd specializes in innovative IT solutions and complex software projects development.

My company based in Ukraine. We've earned ourselves a reputation of a reliable and trustworthy partner working successfully with a number of West European companies and providing them with reliable software development services in financial and media sectors. Unfortunately we are currently facing some difficulties with receiving payments for our services. It usually takes us 10-30 days to receive a payment and clearing from your country and such delays are harmful to our business. We do not have so much time to accept every wire transfer.

That's why we are currently looking for partners in your country to help us accept and process these payments faster. If you are looking for a chance to make an additional profit you can become our representative in your country. As our representative you will receive 8% of every deal we conduct. Your job will be accepting funds in the form of wire transfers and forwarding them to us. It is not a full-time job, but rather a very convenient and fast way to receive additional income. We also consider opening an office in your country in the nearest future and you will then have certain privileges should you decide to apply for a full-time job. Please if you are interested in transacting business with us we will be very glad.

Please contact me for more information via email: SoftFundjob@gmail.com

and send us the following information about yourself:

1. Your Full Name as it appears on your resume.
2. Education.
3. Your Contact Address.
4. Telephone/Fax number.
5. Your present Occupation and Position currently held.
6. Your Age

Please respond and we will provide you with additional details on how you can become our representative. Joining us and starting business today will cost you nothing and you will be able to earn a bit of extra money fast and easy. Should you have any questions, please feel free to contact us with all your questions.

Thank you,
Director
Alex Feigin ,
Soft Fund Ltd
Alexander Feigin is a director of the REAL Soft Fund Ltd, but this email is completely fake. It is a standard money mule scam, one of many pretending to be from legitimate IT firms in the Ukraine. Soft Fund Ltd have nothing to do with the email, and you should not respond to it.

The originating IP is 209.239.38.111. Two sample subject lines are "Not give a convenient time for you extra income" and "We work closely together! Additional income for you!". Avoid.

"Polish fine art studio" scam

Is this a money mule scam? A package reshipping scam? Something else? It's certainly a scam.. perhaps an art scam designed to process fraudulently obtained artwork. Jennifer's "from" address says "Max" and the email originates from 189.68.40.112 in Brazil.

Subject: I'm looking for somebody to replace me, A

Hello. I am really sorry to bothering you. I am going to get married and leaving to my husband to Cyprus. I have been working with a reliable partner from Poland for 2 years. I had an additional income of 2.000$-4.000$ per month. Because I am not going to live in the USA I offer my friends to cover this position. I have sent emails to all contacts in my address-book. In the USA I was a representative of a Polish fine art studio. I'm not an artist and don't know a lot about it. I controlled pictures acceptance and customers' payments. I got rejected pictures and then I was sending them to other customers with discounts. Sometimes I had to do little things. 2% turnover award fee is usually was paid in addition to $2000.00 month earning , to keep the team spirit. Before Christmas I earned over $5.000,00. If you are interested, please send your CV and Cover Letter directly to the manager at e-mail vitoldklepatski73@gmail.com . I'll be very pleased if you or somebody of your relatives or friends get this position, but not a strange person from an employment agency. When I first walked in it seemed to me that this work is very difficult, but it is not like that, this is very easy job and they showed and taught me everything about my job, and it took me 2 days to learn. People are very nice there and helpful. I think you don't have to miss an opportunity like this. My Best Regards to you my friends and I hope your had a great holidays.
Good luck! Jennifer

Amusing 419 from "EFCC Investigation Office Nigeria"

A novel take on the 419 scam:

Subject: DID YOU AUTHORIZE MR. JOHN WHEELER FOR YOUR FUND CLAIMS
From: Mooreh Rose {mrsrosemooreh44@yahoo.com.hk}
Date: Tue, January 20, 2009 10:51 am

- Attention; Beneficiary, I am Mrs. Rose Moore (Assistance) Chairman from Efcc Investigation Office Nigeria, there is presently a counter claims on your funds by one MR.JOHN WHEELER, who is presently trying to make us believe that you are dead and even explained that you entered into an agreement with him, to help you in receiving your fund, So here comes the big question. Did you sign any Deed of Assignment in favor of (JOHN WHEELER). thereby making him the current beneficiary
with his following account details: MR JOHN WHEELER, AC/NUMBER: 6503809428. ROUTING/122006743, B/NAME:CITI BANK, ADDRESS:NEW YORK,USA, we shall proceed to issue all payments details to the said Mr. John Wheeler, if we do not hear from you within
the next two working days from today Thanks Mrs. Rose Moore (Assistance) Chairman Efcc Investigation Office Nigeria

Clearly if I was dead then I wouldn't be reading the email. Just to wind this particular scammer up, I replied with the one word "yes". That should confuse them.

Originating IP is 83.138.172.72 which seems to be a favourite with 419ers.

Friday, 16 January 2009

Spamcop.net phish

Here's a phish being sent to Spamcop webmail users - the approach has also been used for other webmail systems, so it isn't just Spamcop being targeted:

Subject: UPDATE YOUR SPAMCOP.NET ACCOUNT NOW
From: "spamcop.net webmail update" {info@yahoo.com}

Dear spamcop.net E-mail owners,

This message is from spamcop.net messaging center to all our email account
owners.
We are currently upgrading our data base and e-mail center due to an unusual
activities identified in our email system. We are de-activating all unused
spamcop.net accounts to create space for new accounts. To prevent your account
from being de-activated, you will have to verify your webmail account by
confirming your Webmail identity So that we will know that it's presently a
used account. We have been sending this notice to all our email account owners
and this is the last notice/verification exercise.

CONFIRM YOUR EMAIL IDENTITY BELOW
Last Name: ...........
Username: .......... .
Password : ...........

YOU ARE REQUIRED TO SEND THESE DETAILS TO THE UPDATE TEAM BY SIMPLY
REPLYING TO THIS EMAIL WITH THE REQUESTED DETAILS.

Warning!!! Account owners who fails to update his or her account on receiving
this notice might loose his or her account.

Warning Code:VX2G99AAJ.spamcop.net
Thank you.
"SPAMCOP.NET IT TEAM"

Replying to the email gives a reply-to address of account_up_grade@hotmail.com and the originating IP is 216.241.36.13.

Wednesday, 14 January 2009

MS09-001 prognosis. Install it now? Leave it for later?

It's patch Tuesday again, with just a single update from Microsoft: MS09-001.

If you are administering a corporate network, then the question that you probably ask yourself each week is "do I need to patch my servers?"

The prognosis for this one seems to be.. "maybe". Microsoft's own bulletin summary gives MS09-001 an exploitability index of "3 - Functioning exploit code unlikely". But the flaw itself is rated "Critical" and could lead to remote code execution.. so there is a low probability of a very serious exploit.

It turns out that it is much more likely that an attempted attack using MS09-001 would blue screen the target system - and that is more likely to be a worry, especially on delicate servers. The Microsoft Security blog has a good writeup and recommends the following priorities:

In terms of prioritizing the deployment of this update, we recommend updating SMB servers and Domain Controllers immediately since a system DoS would have a high impact. Other configurations should be assessed based on the role of the machine. For example, non-critical workstations could be considered lower priority assuming a system DoS is an acceptable risk. Systems with SMB blocked at the host firewall could also be updated more slowly.

Some further reading gives mixed signals: Sophos labels this as a medium threat, SC Magazine reports differing opinions, ZDnet also mentions the denial of service risk, ISC rates it as "Critical" but not "Patch now".

Given that it doesn't take long for the bad guys to implement an exploit for these flaws, and given the recent well-publicised spread of the Downadup / Conficker worm, Microsoft's advice is perhaps very pertinent: start by protecting those systems that would suffer the most if they crashed. But there is perhaps not the urgency of the MS08-067 patch that came late last year.

Tuesday, 13 January 2009

"SLG-Logistics Company" scam

Not to be confused with the legitimate S L G Logistics Ltd based in the UK, "SLG-Logistics Company" is a wholly bogus outfit, probably offering a job in money laundering, parcel reshipping or another criminal enterprise.

Originating IP is 87.205.253.77 in Poland, "from" address is Singapore and doesn't match the name or address in the email. A pretty poor attempt overall.

Subject: Job opportunity
From: "Elma Ford" ncbk@pacific.net.sg

Hi, if you are interested in a well-paid part-time(2-3 hours a day) job in a large transportation & logistics company please contact me at e-mail:
pammorrison366@hotmail.com

With best regards,
Pamela Morrison,
Project manager,
SLG-Logistics Company.

Tuesday, 6 January 2009

Ongoing injection attacks against Chinese domains

This looks like a case of the Chinese hacking the Chinese again, with a very large number of domains being injected into legitimate sites. Two IPs to block are 121.14.152.154 and 59.34.197.15. For most companies outside of AsiaPac it may well be feasible to block or monitor all traffic to .cn domains.

The following domains are being used in the injection attacks (there are probably many others in a similar format):


Monday, 5 January 2009

"Dating Service" bogus job offer

This is most likely a money mule operation, or perhaps one of those sophisticated scams where the bad guys recruit a whole virtual office staff to run the scam for them. Either way, avoid at all costs.

Subject: Available positions for new year. Reg.ID: SGF-SF7S8

To Your Attention,

Dating Service announces new job openings in 2009:

Part time employment is now available in our company for USA people.

Feel free to request an application by e-mailing us only at: Dating.Srvc@gmail.com

Best Regards,
Dating Service

Sunday, 4 January 2009

"Your new e-mail has been successfuly added" PayPal phish

A slightly different approach from the usual PayPal phish rubbish:

Subject: Your new e-mail has been successfuly added
From: "service@paypal.com" noreply@vodafone.net

Dear PayPal member,

You have added joemontgo85@sbcglobal.net as a new email address for your PayPal account.

If you did not authorize this change, check with family members and others who may have access to your account first. If you still feel that an unauthorized person has changed your email, submit the form attached to your email in order to keep your original email and restore your PayPal account.


Thank you for using PayPal!
The PayPal Team

Please do not reply to this email.
This mailbox is not monitored and you will not receive a response.

----------------------------------------------------------------------------------------
Copyright © 1999-2009 PayPal. All rights reserved.

PayPal Email ID PP007
Quite when PayPal started to send email from a vodafone.net account passed me by. The phish jumps through two legitimate but compromised web sites at ol4b.com and imuze.co.uk before it hits a standard PayPal phishing page. It looks like joemontgo85@sbcglobal.net might be consistent for this spam run though.

Friday, 2 January 2009

"podmena traffica test" spam

There seem to be some strange spam emails doing the rounds, with a body text of "podmena traffica test".. what gives?

It makes a bit more sense if you transliterate it into Cyrillic, which leaves you with a Russlish phrase "подмена трафика тест" and that simply translates as "spoofing traffic test".

The subject is a random spammy one, the originating IP looks like part of a botnet.

I'm pretty sure these are coming through "to" and "from" the same email address, so it may well be someone enumerating mailservers looking for SMTP spoofing protection.. in other words, testing addresses to see if they work and then recording the server's SMTP response.

Why? Who knows.. spammers don't usually care about efficiency if they are using a botnet, because they are not paying for bandwidth or equipment. These type of "probes" are seen sometimes and can be safely deleted.

Monday, 29 December 2008

SQL injection: msngk6.ru, dft6s.kz and mcuve.cn

A new bunch of domains being used in SQL injection attacks at the moment:
  • www.msngk6.ru
  • www.dft6s.kz
These are calling a script called style.js and follow on from these, most likely the work of the Asprox gang. The registration details are probably fake, but for the record are:

domain: MSNGK6.RU
type: CORPORATE
nserver: ns2.msngk6.ru. 75.63.155.106
nserver: ns3.msngk6.ru. 146.57.249.100
nserver: ns1.msngk6.ru. 76.240.151.177
nserver: ns4.msngk6.ru. 24.247.215.75
state: REGISTERED, DELEGATED
person: Aleksandr A Zamaraev
phone: +7 495 7412992
e-mail: zamaraev@namebanana.net
registrar: NAUNET-REG-RIPN
created: 2008.12.17
paid-till: 2009.12.17
source: TC-RIPN
The domain mcuve.cn is different, calling 1.js. This is related to the recent 17gamo.com domain which exploits a number of things including this recent IE7 vulnerability.

Check your proxy logs for .cn/1.js and .ru/style.js plus .kz/style.js to keep on top of these. It is often worth monitoring all traffic to .cn, .ru and .kz domains for manual review.

Monday, 22 December 2008

Asprox SQL injections are back

The Silent Noise blog reports that a fresh round of SQL injection attacks by the Asprox crew are under way. They seem to be using a variety of .ru and .kz domain names, although at the moment they all redirect to 79.135.168.18 in the Lebanon.. the whole 79.135.168.* block is pretty bad and has been covered here before.

inetnum: 79.135.168.0 - 79.135.168.255
netname: LB-NET
descr: Lebanon private dedicated service
country: LB
admin-c: MHB1111-RIPE
tech-c: MHB1111-RIPE
remarks: abuse mailbox: moh.b@lubnannetworks.biz
status: ASSIGNED PA
mnt-by: SISTEM-NET-MNT
source: RIPE # Filtered

person: Mohamed Baga
address: Basha Garden bldg, 5th floor LB
address: Jisr El Bacha Main Road
address: Beirut - Lebanon
e-mail: moh.b@lubnannetworks.biz
remarks: abuse mailbox: moh.b@lubnannetworks.biz
phone: +961 1 512341
nic-hdl: MHB1111-RIPE
source: RIPE # Filtered

route: 79.135.160.0/19
descr: Sistemnet Telecom
origin: AS44097
mnt-by: Sistem-Net-MNT
source: RIPE # Filtered
The endpoint appears to be a PDF exploit running on 79.135.168.18 - it's worth blocking or checking for any access to this server, and also check your logs for accesses to ".kz/style.js" and ".ru/style.js" too.

Currently active domains are:
  • www.bnmd.kz
  • www.nvepe.ru
  • www.mtno.ru
  • www.wmpd.ru
Some notable impacted sites:
  • frontweb.vuse.vanderbilt.edu (Vanderbilt University)
  • maryvillecollege.edu (Maryville College)
  • guildford.ac.uk (Guildford University)
  • many .gov.ar (Argentina) and .gov.cn (China) sites
  • navigationusa.com (Online retailer)
  • worldcricketstore.com (Online retailer)
A Google search and Yahoo search indicate the extent of the problem (obviously, you don't want to visit any of these impacted sites).
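As an added example (not code from the original posts), this is the proxy-log check suggested here and in the msngk6.ru / dft6s.kz post of 29 December above, written in Python: it flags requests to the Asprox domains listed in these posts, the script.js / style.js and 1.js loader paths, the mis-spelled google-analitycs redirect host, and marks any other .cn / .ru / .kz traffic for manual review. The Squid-style log lines are constructed, and the peer IPs in them are documentation-range placeholders.

```python
import re
from urllib.parse import urlsplit

# Indicator domains taken from the Asprox posts on this page (registered domains, so
# www.lijg.ru and google-analitycs.lijg.ru both match) plus the mcuve.cn 1.js loader.
INJECTED_DOMAINS = {
    "lijg.ru", "dbrgf.ru", "bnmd.kz", "nvepe.ru",
    "mtno.ru", "wmpd.ru", "msngk6.ru", "dft6s.kz", "mcuve.cn",
}
# Loader paths the posts say to look for: script.js / style.js on .ru and .kz, 1.js on .cn.
LOADER_PATTERNS = [
    re.compile(r"\.(?:ru|kz)/(?:script|style)\.js$", re.I),
    re.compile(r"\.cn/1\.js$", re.I),
]
TYPO_HOST_FRAGMENT = "google-analitycs"   # mis-spelled redirect subdomain noted in the posts
WATCHED_TLDS = ("cn", "ru", "kz")          # TLDs the posts suggest reviewing manually

# Squid native access.log layout:
#   time elapsed client code/status bytes method URL rfc931 peerstatus/peerhost type
LOG_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+(?P<status>\S+)\s+"
    r"(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)"
)

# Constructed sample log (not real traffic); peer addresses are RFC 5737 placeholders.
SAMPLE_LOG = """\
1232467201.123    312 10.1.2.34 TCP_MISS/200 4123 GET http://www.example-victim-site.com/products.asp?id=12 - DIRECT/203.0.113.5 text/html
1232467201.456     87 10.1.2.34 TCP_MISS/200 1209 GET http://www.lijg.ru/script.js - DIRECT/203.0.113.6 application/x-javascript
1232467202.010    144 10.1.2.34 TCP_MISS/302 0 GET http://google-analitycs.lijg.ru/ - DIRECT/203.0.113.6 text/html
1232467233.880    201 10.1.2.57 TCP_MISS/200 777 GET http://mcuve.cn/1.js - DIRECT/198.51.100.9 application/x-javascript
1232467240.001    190 10.1.2.99 TCP_MISS/200 9801 GET http://www.some-shop.cn/index.html - DIRECT/198.51.100.20 text/html
1232467250.555    120 10.1.2.99 TCP_MISS/200 55 GET http://www.google-analytics.com/ga.js - DIRECT/192.0.2.10 application/x-javascript
"""


def host_matches(host, domain):
    """True for the registered domain itself or any subdomain of it."""
    return host == domain or host.endswith("." + domain)


def classify(url):
    """Return ('block', reasons) for traffic matching the Asprox indicators,
    ('review', reasons) for other traffic to a watched TLD, or (None, []) otherwise."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    hostpath = host + parts.path          # query string deliberately ignored
    reasons = []
    for dom in sorted(INJECTED_DOMAINS):
        if host_matches(host, dom):
            reasons.append("known injected domain " + dom)
    for pat in LOADER_PATTERNS:
        if pat.search(hostpath):
            reasons.append("loader path matches " + pat.pattern)
    if TYPO_HOST_FRAGMENT in host:
        reasons.append("mis-spelled analytics host")
    if reasons:
        return "block", reasons
    tld = host.rsplit(".", 1)[-1]
    if tld in WATCHED_TLDS:
        return "review", ["traffic to ." + tld]
    return None, []


def scan_log(lines):
    """Return (client, url, verdict, reasons) for every proxy record needing attention."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                      # blank line, comment or unexpected format
        verdict, reasons = classify(m.group("url"))
        if verdict:
            hits.append((m.group("client"), m.group("url"), verdict, reasons))
    return hits


if __name__ == "__main__":
    for client, url, verdict, reasons in scan_log(SAMPLE_LOG.splitlines()):
        print("%-6s %-10s %s  [%s]" % (verdict.upper(), client, url, "; ".join(reasons)))
```

Point it at a real access.log with `scan_log(open(path))`; the "review" verdicts are the ones to eyeball, the "block" verdicts are the ones to act on and to use when tracing which internal client hit an injected site.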

Saturday, 20 December 2008

"Classmates Info Center": Currently planning the 2009 Year Reunion

There's a fake "Classmates" email being spammed out, that leads to a fake video that needs a fake "Adoble Media Player" called Adobe_Player10.exe and as you would probably guess, at the end of all this fakery is a nasty trojan.

Subject: Currently planning the 2009 Year Reunion
From: "Classmates Info Center" personalvideo@classmates.com

Your Classmates Events: Reunion January 16th 2009

" With pride and joy we invite you to share a special day in our lives and join us
for the Class Reunion on Friday, January 16th 2009.
Bring the gang from Our High School back together again!
Great party - from start to finish! "

Proceed to view details:

http://video.classmates.logon.user-gandy3ts0.updateyourplayer.com/messages.htm?/identification/INVITATION=vvffx2dckssqnle



Your favorite people are already here, so use ClassmatesTM to bring them together.

With best regards, Josh Jacobson. Customer Service Department.
Copyright 1995-2008 Classmates Online, Inc. All Rights Reserved.

The landing page looks like this:


Detection rates are poor according to VirusTotal. ThreatExpert's report is right here. It installs a rootkit and does all sorts of nasty things. Avoid.

Friday, 19 December 2008

Beijing AUG Networks Technology Co / augnetworks.cn scam

This is certainly spam.. but is it a scam? Most likely..

Subject: Dynamoo Domain name and Internet keyword Registration
From: "tom.xu"

Dec 19, 2008

Dynamoo

Domain name & Internet keyword

Dear Sir/Madam,

We are Beijing AUG Networks Technology Co., Ltd which is the domain name and internet keyword registration service company in China. We received a formal application from a company who is applying to register " dynamoo " as their domain name and Internet keyword on Dec 16, 2008.Since through our investigation we found that this word has been in use by your company, and this may involve your company name or trade mark so we inform you in no time. If you consider the domain name and internet keyword are important to your company and it is necessary to protect them by registering them first, contact us soon.

Kind Regards,

Tom Xu

Registration Comissioner

Tel/fax: +86-10-82797446

Email: tom.xu@augnetworks.cn

Website: www.augnetworks.cn

augnetworks.cn was only registered on 23/11/2008 to "Beijing AUG Networks Co"; it is in no way an official registrar and the company probably doesn't even exist. Domain registrars are not actually responsible for checking trademarks; they most likely have had no such approach from a customer, and really the whole thing is designed to make you panic into buying something you don't need.

There's more on Chinese domain malpractice here.

Tuesday, 16 December 2008

MS08-078: Out-of-band patch for IE coming

Microsoft are issuing an out-of-band patch tomorrow (17th December) for the well-publicised flaw in Internet Explorer. This is another one of those "patch now" things - see here for more details.

"IE 7 users: stop looking at porn now!"


This zero day vulnerability in Internet Explorer has already been very widely publicised. There are no effective workarounds for the problem until Microsoft patch it.. apart from using a different browser.

The aptly named Zero Day blog has this sage piece of advice: "IE 7 users: stop looking at porn now!" Simply put, randomly surfing for smut, warez, illegal torrents or anything like that* is likely to infect your machine if you are running IE.

In fact, because there's no such thing as a safe site you should consider ditching IE altogether. If you're running Windows then probably one of the safest things you can do is get Firefox, add the NoScript extension and then ensure that your PC is fully up-to-date by using the Secunia Software Inspector. Even security firms such as CA and Trend Micro have had their sites compromised to serve up malware in the past, so you can never be too careful...

* or Myspace.. or Facebook..

Wednesday, 10 December 2008

Vulnerability in WordPad Text Converter Could Allow Remote Code Execution

Most people will rarely use WordPad these days, but it's installed on pretty much every Windows system out there. So when Microsoft announce a vulnerability in WordPad, it could spell trouble.. essentially, a specially-crafted WordPad file could run arbitrary code on your system.

WordPad documents have a .DOC or .WRI extension, and if you have Word installed (or a similar product) then .DOC files will default to loading in Word instead. So, to mitigate against this you could simply block .WRI files at your proxy and/or mail filter. Or you could use Windows XP SP3 or Vista.. but that's not exactly a quick fix. Or you could deassociate .WRI files from WordPad using a policy.
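The mail-filter mitigation above, as an added example that is not from the original post: a Python check over a constructed message that flags attachments by the .wri extension and, going one step beyond the post, by the Windows Write file identifier (the 16-bit value 0x31BE, or 0x32BE with embedded OLE objects), which also catches a Write document renamed to another extension. The message and attachments are constructed here for the example.

```python
import email
from email import policy
from email.message import EmailMessage

# Windows Write (.WRI) files begin with the 16-bit identifier 0x31BE
# (0x32BE when OLE objects are embedded), stored little-endian.
WRITE_MAGIC = (b"\x31\xbe", b"\x32\xbe")


def is_write_file(data: bytes) -> bool:
    """True if the payload carries the Windows Write header, whatever its name."""
    return data[:2] in WRITE_MAGIC


def flag_wordpad_attachments(raw: bytes):
    """Return [(filename, [reasons])] for attachments a .WRI block rule should stop.

    Two checks: the .wri extension the post suggests blocking at the mail filter,
    and the Write magic bytes, which also catch a Write file renamed to .doc.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        payload = part.get_payload(decode=True) or b""
        reasons = []
        if name.endswith(".wri"):
            reasons.append("extension .wri")
        if is_write_file(payload):
            reasons.append("Windows Write magic bytes")
        if reasons:
            findings.append((name, reasons))
    return findings


def build_sample_message() -> bytes:
    """Constructed test message (not a real spam sample) with three attachments."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Constructed sample with WordPad attachments"
    msg.set_content("See attached.")
    # 1) Honest .wri file: caught by the extension rule and by the magic check.
    msg.add_attachment(b"\x31\xbe" + b"\x00" * 30, maintype="application",
                       subtype="octet-stream", filename="notes.wri")
    # 2) Write document renamed to .doc: only the magic check catches it.
    msg.add_attachment(b"\x32\xbe" + b"\x00" * 30, maintype="application",
                       subtype="octet-stream", filename="report.doc")
    # 3) Plain text: must not be flagged.
    msg.add_attachment(b"hello", maintype="application",
                       subtype="octet-stream", filename="readme.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, reasons in flag_wordpad_attachments(build_sample_message()):
        print(f"block {name}: {', '.join(reasons)}")
```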

There aren't a lot of WRI files to test with on the web, so here's a harmless file I prepared earlier:

Sunday, 7 December 2008

Spammers try and fail with fake Classmates email

We've seen this particular attack several times before - an email for a bank or other service that requires some sort of software installation to proceed.. in this case, masquerading as an update to Flash for some nonsense to do with Classmates.com.

Subject: Classmates Organisation.Reunion Website Builder
From: "Classmates Messagebox#329" invitation591@classmates.com

Dear Classmates customer.
Classmates Day 2009 soon!

Video Invitation from your Classmates "2009 Classmates Day Announcement!" prepared to view.
Reunite Your High School Classmates and Celebrate This Day!
Your Classmates Are Waiting to Hear From You!

Proceed to view Your invitation now>>

With best regards, Lowell Abernathy.
Copyright 1995-2008 Classmates Online, Inc. All Rights Reserved.

Unfortunately, the stupidity of the spammer is such that they have messed up the incredibly long URL, and if users click on the link they'll get nowhere. The spammer is trying to send visitors to a subdomain of clasmatessup.com but has forgotten the dot before com and is instead sending visitors to clasmatessupcom.

If you go to the effort of correcting the link, you get redirected to a site on a fast flux botnet which prompts you: "Can't see the video? please download the Adobe_Player v10 Converter", and this leads to a download called AdobePlayer10.exe, which actually doesn't appear to be malware (at the moment) as it identifies itself as "IIS Fortezza Setup Utility", a security add-on for Microsoft IIS servers usually called fortutil.exe.

So, it's all kinda strange. Let's have a look at the WHOIS details for the domain:
Domain name: clasmatessup.com

Registrant Contact:
inc inc
Greff Frelos inc@yahoo.com
4576810811 fax: 4576810811
8883 Sh Road
New York NY 10003
us

[blah blah]

DNS:
ns1.licence-dsl.com
ns2.licence-dsl.com

Created: 2008-12-07
Expires: 2009-12-07
Of course, these are fake. The registrar is BIZCN.COM, who are often a registrar of choice for spammers. Of real interest are the name servers: ns1.licence-dsl.com is 207.150.183.180 and ns2.licence-dsl.com is 66.34.177.43. 207.150.183.180 is an IP address connected with the Srizbi botnet and is a name server for a whole buncha domains.

If you run a corporate mail system, it might well be worth blocking email "from" classmates.com in any case, even if this time the spam is hugely unsuccessful, because all the bad guys will do is repackage it up and send it out again.

Saturday, 6 December 2008

Joe Job against GoldPoll.com: welcome to the murky world of HYIP

GoldPoll.com is a web site about HYIPs (High Yield Investment Programs) that is hosted in the British Virgin Islands to an anonymous (possibly Panamanian) registrant, and until recently the registrar was the well-known fraudster's friend EstDomains. Despite this unpromising pedigree, it does appear that GoldPoll.com is legitimate..

..well, as legitimate as anything is in the world of HYIPs. Most HYIPs are generally just a front for Ponzi schemes and offer ridiculous payout rates such as 2% interest per day (about 624% per year) which are clearly unsustainable.

Anyway, as you can imagine there are a LOT of fraudulent HYIP schemes (are there any that are actually legitimate?) GoldPoll.com attempts to flag up schemes that aren't paying up.. which means that they have obviously annoyed some HYIP scammer somewhere who has decided to carry out a Joe Job against GoldPoll.com:

Subject: Gold Poll
From: goldpoll.com.ads@gmail.com
Date: Sat, December 6, 2008 3:57 pm

The most relevant information about the top HYIP programs from the best hyip monitoring. http://www.goldpoll.com


We personally invest in each HYIP and check the reliability of everyday payments. Click on any HYIP name to be redirected to it. Click on Program Details to get further information about a HYIP, find other members' posts and vote yourself.

goldpoll.com

Now GoldPoll.com states: "We never send SPAM and hate SPAMmers. Please don't trust in any e-mail that appeared to be from us and not stated on our Newsletters Archive!" which of course doesn't mean that much.. but a close investigation of the offending email indicates that it came from 211.95.78.71 in China. Now, 211.95.78.71 isn't just any IP address, it happens to be a server where a number of HYIP related domains are hosted:


There seems to be a related server at 64.63.1.204; at least one of the domains hosted there (nasdaq-invest.com) is on GoldPoll.com's blacklist (there may be others).

If you are an HYIP investor, then take some of these domain names and Google for them, and you'll get the measure of how [un]reliable they are. You can pretty much guarantee that they are closely related.

But really my best advice is to avoid HYIP altogether. It's basically just a form of gambling, but with much worse odds in the long run.

Wednesday, 3 December 2008

"Alpha Soft Company" bogus employment offer

Alpha Soft Company is a wholly legitimate Ukrainian software development company. This fake job offer is being sent out by someone pretending to be Alpha Soft, who is fraudulently using the name of Taras Vergovsky (a director) in order to make the offer seem more credible.

There have been a few similar emails targeting companies from the Ukraine recently, for example: Infopulse, JavaRealm Software, VM-Soft, SocMart. They all follow a similar pattern and wording, and all mention the name of a senior person within the company.. and they are all bogus. In short, this is just another money laundering scam that should be avoided at all costs.




Hello Sir/Madam.

I Taras Vergovsky, Director of Alpha Soft Company specializes in innovative IT solutions and complex software projects development.

My company based in Ukraine. We've earned ourselves a reputation of a reliable and trustworthy partner working successfully with a number of West European companies and providing them with reliable software development services in financial and media sectors. Unfortunately we are currently facing some difficulties with receiving payments for our services. It usually takes us 10-30 days to receive a payment and clearing from your country and such delays are harmful to our business. We do not have so much time to accept every wire transfer.

That's why we are currently looking for partners in your country to help us accept and process these payments faster. If you are looking for a chance to make an additional profit you can become our representative in your country. As our representative you will receive 8% of every deal we conduct. Your job will be accepting funds in the form of wire transfers and forwarding them to us. It is not a full-time job, but rather a very convenient and fast way to receive additional income. We also consider opening an office in your country in the nearest future and you will then have certain privileges should you decide to apply for a full-time job. Please if you are interested in transacting business with us we will be very glad.

Please contact me for more information via email: alphasoft.ua.job@gmail.com

and send us the following information about yourself:

1. Your Full Name as it appears on your resume.
2. Education.
3. Your Contact Address.
4. Telephone/Fax number.
5. Your present Occupation and Position currently held.
6. Your Age

Please respond and we will provide you with additional details on how you can become our representative. Joining us and starting business today will cost you nothing and you will be able to earn a bit of extra money fast and easy. Should you have any questions, please feel free to contact us with all your questions.

Thank you,
Taras Vergovsky ,
Alpha Soft Company




Some email addresses to look out for are alphasoft.ua.job@gmail.com, sup.alphasoft@gmail.com, job.alphasoft@gmail.com.. there are probably others. Sending IP is 217.170.2.228.

Tuesday, 2 December 2008

Awesome or what? The Nokia N97.



Announced a couple of hours ago, the Nokia N97 is a pretty awesome looking bit of kit. We've waited a long, long time for Nokia to come up with something like this.. although I don't think that I will be giving up the Nokia E90 just yet, since the rumour is that there will be a touchscreen Communicator next year (probably announced at Mobile World Congress).

It's not cheap: €550 (around £450 or $650) SIM-free before tax. You can get a laptop for that. Very tempting though...

Friday, 28 November 2008

French "Bill Gates" lottery scam

A colourful lottery scam featuring Bill Gates. The pitch is that the Bill Gates Foundation is running a lottery and you have won €400,000 which for some reason will be paid through a bank in the Ivory Coast. It is all written in fairly simple French, and it isn't difficult to see that the pitch is basically the same as in English.



Subject: All Our "Congratulations !!!!! You Have Just Won The Sum Of 400.000Euros"

From: lottery_cristal2008

Hello Mrs / Mr,

We are contacting you by this letter to inform you of your winnings at the Bill Gates foundation ISABELLE CHEVALIER

This is therefore neither spam nor a virus; please find attached your winnings notification.

Regards.

Mrs ISABELLE CHEVALIER

Director of Operations

INTERNATIONAL BILL GATES

FOUNDATION.

Contact Agent

SURNAME AND FIRST NAMES : Bouah Williams Herve

telephone number: 0225-02 73 98 90

E-mail:cabinet_bouah_williams_herve@yahoo.fr





Unusually, the scam comes with a PDF attachment that gives more details. On the principle that unsolicited PDF files can often come with nasty surprises, here is a JPG version for you to enjoy (click to enlarge):

A strange mishmash of elements that looks unconvincing, but it does seem that people still fall for this type of trick.

Wednesday, 26 November 2008

SINOCHEM bogus job offer

Nice for them to label this as "spam". SINOCHEM is a legitimate and huge Chinese chemicals company, but they did not send this email. Why would SINOCHEM need to use a Yahoo! email account anyway? Liu Deshu really is the president of SINOCHEM though, it's a case of the scammers trying to use a real name to make it more convincing.




Subject: Spam: Free: Collection Officer Needed
From: "Sinochem Company"

China National Chemicals Import & Export Corporation(SINOCHEM)
Tower A2,Fuxingmenai,
Street,Beijing,
People's Republic of China.
PC: 100080.

REF:SC/08/00867546.

Dear Sir/Madam,

We need Representatives from all over the World and as specified.

North America

Collection Officer wanted in this region who will assist in retrieving debts
from our clients in USA & CANADA.

EUROPE, ASIA, SOUTH AMERICA & AUSTRALIAS

Someone needed to assist in setting up a Branch of our Company in his/her
country.

If interested, please supply the following:

1) Name
2) Country

Send your response via email SPECIFICALLY to sinochemcorp221@yahoo.cn

Respectfully Submitted,
Mr. Liu Deshu.
President.
Sinochem Trading Company.


Tuesday, 25 November 2008

bobbear.co.uk "Joe Job" attack

BobBear.co.uk is a comprehensive resource covering money laundering and parcel reshipping scams. Recently it has been under a DDOS attack from the Bad Guys. They have followed this up with a Joe Job, with a series of offensive email messages apparently "from" Bob Harrison who runs BobBear. This has happened before.

The messages have faked "from" addresses at @tiscali.co.uk and a @gmail.com account, presumably those belonging to Bob Harrison, in an attempt to get his mailboxes shut down.

Sample subjects are:
  • Fukkah
  • Bitched
  • Butthole
  • Penises
  • Mutha Fuker
  • Suck
  • Polack

Sample body text:
  • your son sexy nigger boob knobz knobs
  • your father pusse phuker
  • your mother asholes retard
  • your son cnts cock head bitches knobs
  • our daughter mutha fucker phuc
  • your dad phuck sluts
  • your son cocksucker fuker
There are probably hundreds of hosts sending out this mail, but I have seen 128.130.173.77 and 65.98.57.10 repeatedly.

Don't bother complaining to Tiscali or Gmail about this, BobBear is not sending out the spam. Instead, use a reporting service such as SpamCop to send a complaint back to whoever manages the sending machine.

Monday, 24 November 2008

"Ran-De-Vou Co." proofreading scam

Sometimes it is hard to see what the scam is with some of the job offers, except that undoubtedly it IS a scam. This job offer from the fictitious "Ran-De-Vou Co." offers a proofreading job, which is kind of unusual at first glance.



Subject: Successful Positions Available

Dear Job Seeker,

We are glad to inform you about new vacancy opening in the area of proofreading at
Ran-De-Vou Co.


Part time job Description:

We provide you with business messages which require revision and your task is to
make necessary
corrections as an english speaking person, and e-mail them back to us.


Payment:

There is no fixed salary for this vacancy. We offer $5.00 per 1Kb of the text which
you revise (the workload is about 4-5 Kb a day).
The salary is paid once a month, and begins with the date of the first revision you
make.
(Example: by editing 5Kb of texts a day you earn $1000.00 a month)


Requirements:

-Applicant must be a US citizen
-Applicant must be of a legal age: 21+
-Applicant should be skilled in computer usage, and American English


Feel free to submit the application form which follows only to e-mail:
ran.devou.gr@gmail.com
__________
FULL NAME:
HOME ADDRESS:
CITY, STATE, ZIP CODE:
Phone number (home or cell, but SHOULD BE available any day time):
E-MAIL:
AGE:
OCCUPATION:
EDUCATION:
----------

You will receive a response from us in 24 hours.

If you have any questions please reply only at our e-mail: ran.devou.gr@gmail.com

Sincerely, Ran-De-Vou Co. Team



Unlike the usual money mule and parcel reshipping scam jobs, this really does seem to be asking for a proofreader. And given the poor quality of English seen in some of these scams, it is easy to understand why. In fact, there is a whole underground fake career network aimed at recruiting virtual office staff for these bogus outfits. Unfortunately for these "employees", they are usually the people that end up having to deal with the police when the scam gets busted.

Avoid.

Saturday, 22 November 2008

"Louvre Tec Products Ltd" job offer scam

LouvreTec is a wholly legitimate New Zealand company using the domains www.louvretec.co.nz, louvretec.net, louvretec.com and other similar names.

This fraudulent job offer is not from LouvreTec, but it looks like it is.

Subject: Work Online With US
From: "Louvre Tec Products Ltd" Job@louvretec.co.nz

You could make 5,000 pounds online in a week without delaying your present job...


Hit REPLY for more details..

NOTICE: IF YOU ARE SERIOUS TO GET EMPLOYED ONLINE, YOU MUST REGULARLY CHECK YOUR JUNK OR/ BULK OR/ SPAM FOLDERS IN OTHER NOT TO LOSE SOME OF OUR MESSAGES.

Although it appears to be "from" louvretec.co.nz, hitting "reply" comes up with a completely different email address of louvretecproductsltd.n.z@emailaccount.com. The scammers are hoping that no-one will notice this. (In case you are wondering why it is different, it's an annoying feature called the "reply to" address).
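The "reply to" mismatch described above, turned into a mail-filter check as an added example (not code from the original post): it compares the From and Reply-To domains and also notes when replies would go to a free webmail provider, which is the pattern in most of the job scams on this page. The two messages and the webmail list are constructed for the example; only the two Louvre Tec addresses come from the post.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed samples. The From/Reply-To pair in the first one is the pair
# quoted in the post; the bodies and the second message are made up.
SCAM_SAMPLE = """\
From: "Louvre Tec Products Ltd" <Job@louvretec.co.nz>
Reply-To: louvretecproductsltd.n.z@emailaccount.com
To: victim@example.invalid
Subject: Work Online With US

Hit REPLY for more details..
"""

CLEAN_SAMPLE = """\
From: "Accounts" <accounts@example.invalid>
Reply-To: accounts-team@example.invalid
To: victim@example.invalid
Subject: Invoice

Attached.
"""

# Free webmail domains that keep turning up as the scammers' contact address
# in the offers on this page (constructed list, extend as needed).
FREEMAIL = {"gmail.com", "yahoo.com", "yahoo.cn", "yahoo.fr"}


def addr_domain(header_value: str) -> str:
    """Domain part of the first address in a header, lower-cased ('' if none)."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def reply_to_mismatch(raw: str):
    """Describe where a reply would really go, or None if Reply-To is absent
    or stays within the From domain.

    Returns {'from': ..., 'reply_to': ..., 'freemail_reply_to': bool}.
    """
    msg = email.message_from_string(raw, policy=policy.default)
    from_dom = addr_domain(str(msg.get("From", "")))
    reply_dom = addr_domain(str(msg.get("Reply-To", "")))
    if not reply_dom or reply_dom == from_dom:
        return None
    return {
        "from": from_dom,
        "reply_to": reply_dom,
        "freemail_reply_to": reply_dom in FREEMAIL,
    }


if __name__ == "__main__":
    for label, sample in (("scam", SCAM_SAMPLE), ("clean", CLEAN_SAMPLE)):
        print(label, reply_to_mismatch(sample))
```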

£5000 a week sounds good.. after all, that's over a quarter of a million quid a year. Yeah right..

One interesting thing with this spam is the bit at the bottom. The scammers realise that spam filters tend to remove junk like this, so they are asking you to check your junk messages for job offers. Not a good idea.

Originating IP address is 78.159.123.169, which claims to be in the UK and the message was sent to an email address stolen from a UK online retailer.

Wednesday, 19 November 2008

ISC: Large quantity SQL Injection mitigation

The ISC have given some good guidance on SQL injection mitigation, in case your server has been hit by Asprox or something similar. It's complicated stuff, and if you don't understand it, then it is definitely worth hiring a professional to fix your database.

Tuesday, 18 November 2008

Microsoft Morro: free anti-virus software for consumers

This might be a good deal for cash-strapped consumers, but a bad deal for other anti-virus companies.

Anyway, "Microsoft Morro" is the name given to this idea of giving away free anti-virus software to consumers. I will say that Microsoft's malware scanning technology is actually pretty darned good, but having a security monoculture is not a good idea.

I think perhaps McAfee, Symantec and some other AV vendors might be lawyering up on this one..

Friday, 14 November 2008

McColo dead - spam 69% down

If there was any doubt that McColo was behind the vast majority of the world's spam, then I think the figures speak for themselves. We're seeing a 69% drop in spam volumes day-on-day (although we still only have one day's worth of post-McColo data). It will be interesting to see how long this takes to recover back to "normal" levels of awfulness.

Thursday, 13 November 2008

Estdomains and McColo sentenced to death


After some hesitation, ICANN have finally decided to terminate Estdomains, who most people in the security industry regarded as a rogue registrar with unhealthy connections to organised crime.

Another piece of good news is that McColo has been knocked offline - it turns out that they were hosting a number of command and control servers for botnets plus a load of other unpleasant stuff. Spam levels have dropped by a massive two-thirds as a result. Nice work.. and a big thanks to all those involved!

Monday, 10 November 2008

"DOMAIN LISTINGS CENTER" spam


For some reason, I am seeing a big upswing in Canadian spam at the moment. This one is a very misleading offer entitled "ANNUAL WEBSITE SEARCH ENGINE SUBMISSION" for a domain that I have parked and have never used. It is only when you get near the bottom that the message carries a disclaimer "Note that THIS IS NOT A BILL. This is a solicitation. You are under no obligation to pay the amounts stated unless you accept this offer".




DOMAIN LISTINGS CENTER
8171 Yonge St. Suite# 149
Thornhill, ON L3T 2C6
Canada

--------------------------------------------------------------------------------
NOTICE
--------------------------------------------------------------------------------

(Please make necessary changes)
ATT: name
address
,
WWW.domain.com

DESCRIPTION OF SERVICES:
Premium Package




ANNUAL WEBSITE SEARCH ENGINE SUBMISSION
FROM DECEMBER 1,2008 THRU DECEMBER 1,2018
OR
FROM DECEMBER 1,2008 THRU DECEMBER 1,2013

TOTAL
$295.00

$185.00


SUBSCRIPTION INCLUDES:




Custom keyword research
Optimized title and meta tags
Submission to 900 search engines and directories
safe follow-up re-submissions every 3 months
Helpful professional support


THIS IS NOT A BILL. This is a solicitation. You are under no obligation to pay the amount(s) stated unless you accept this offer.


--------------------------------------------------------------------------------

Domain Name

WWW.domain.com Amount

Requested Reply

November 10th,2008

THIS NOTICE IS A SOLICITATION AND A RECEIPT OF PAYMENT WILL CONFIRM YOUR ANNUAL SUBMISSION
*100% SATISFACTION IS GUARANTEED OR YOUR MONEY BACK

Please select the number of years you would like to signup for
[ ] 10 Years .......... $295 (Best Value, Most Recommended!)
[ ] 5 Years .......... $185
[ ] 2 Years .......... $99
[ ] 1 Years .......... $75
If you have other domains you may list them below (please send a separate check for each domain and write your domain name on the memo section of the check)
Other domain(s) __________________ , __________________ , __________________


Total $ _______

________________________________
Signature

________________________________
Date


Payment by Check or Money Order
Print and mail a copy of this order form along with a check or money order to the address listed below:
Domain Listings Center
8171 Yonge St. Suite# 149
Thornhill, ON L3T 2C6
Canada

Please do not forget to include a copy of this order form along with your payment!


www.domain.com


--------------------------------------------------------------------------------

By accepting this offer, you agree not to hold DLC liable for any part. Note that THIS IS NOT A BILL. This is a solicitation.
You are under no obligation to pay the amounts stated unless you accept this offer. The information in this letter contains confidential and/or legally privileged information from the notification processing department of the Domain Listing Services Inc.
This information is intended only for the use of the individual(s) named above. If you do not wish to receive further updates from DLC send an email to dolistscent3272@operamail.com to unsubscribe.
If you are not the intended recipient, you are hereby notified that disclosure, copying, distribution or the taking of any action in reliance on the contents for this letter is strictly prohibited.

* 100% satisfaction guaranteed, you may request a refund within 30 days if your are not satisfied with our services.



Originating IP is 72.51.46.77. File it in the trash where it belongs.

Saturday, 8 November 2008

SGP / melsongroup.net scam job offer

This is a generic sort of money mule scam email, of interest because it has the domain name melsongroup.net registered to handle the email. This seems to be one of a series hosted on Yahoo! There are lots of companies called SGP, none of them is involved in this.




Subject: Join the team of winners!

SGP is an integrated financial group. We offer to our clients a
full range of financial services.
Our clients have all the possibilities to find solutions to all
financial problems of financial market - from bank services and
insurance to assets management and complex operations on stock
markets, from simple consumer goods to complex programs of financial
management of large corporations, institutional and private investors.
SGP - is a large participant of the financial market, leader in many
segments. However leadership is not a goal for us, but a way to realize
the mission of the company - providing for long-term increase in income
of our clients and shareholders.
Considering our development we need reliable and ambitious young people
on a position of Transfer Manager.
The duties of the Manager include processing of money transfers arriving
to his accounts from our clients. After all the required procedures of
executing documents of transactions you have to transfer the money to
accounts specified by our operators. All you need is free time (3 or
more hours a day), skills of team working and reliability. The wage at
the initial stage will be 5000$ of the total month turnover.
Requirements:
- Higher education;
- Age - 21 and more;
- Confident PC user (Microsoft Office), mail programs and Internet
- Foreign language (English is preferred)
We offer:
- Constant training
- Possibility of career and self-development
- Probation period and work in a dynamic and friendly atmosphere and team
- Competitive wage
- Bonuses according to job results
If you have become interested in this position please send your CV to
jacinthe@melsongroup.net.


Thursday, 6 November 2008

"JavaRealm Software" job offer scam

JavaRealm Software (javarealm.com) is a wholly legitimate software development company from the Ukraine. This fraudulent job offer uses the "JavaRealm" name and the name "Sergey Skugarev" which does appear to be similar to an employee of JavaRealm who is not involved in this scam.



Subject: looking for employees

Hello Sir/Madam.

I Sergey Skugarev, Director of JavaRealm Software specializes in innovative IT solutions and complex software projects development.

My company based in Ukraine. We've earned ourselves a reputation of a reliable and trustworthy partner working successfully with a number of West European companies and providing them with reliable software development services in financial and media sectors. Unfortunately we are currently facing some difficulties with receiving payments for our services. It usually takes us 10-30 days to receive a payment and clearing from your country and such delays are harmful to our business. We do not have so much time to accept every wire transfer.

That's why we are currently looking for partners in your country to help us accept and process these payments faster. If you are looking for a chance to make an additional profit you can become our representative in your country. As our representative you will receive 8% of every deal we conduct. Your job will be accepting funds in the form of wire transfers and forwarding them to us. It is not a full-time job, but rather a very convenient and fast way to receive additional income. We also consider opening an office in your country in the nearest future and you will then have certain privileges should you decide to apply for a full-time job. Please if you are interested in transacting business with us we will be very glad.

Please contact me for more information via email: javarealm.jobinfo@gmail.com

and send us the following information about yourself:

1. Your Full Name as it appears on your resume.
2. Education.
3. Your Contact Address.
4. Telephone/Fax number.
5. Your present Occupation and Position currently held.
6. Your Age

Please respond and we will provide you with additional details on how you can become our representative. Joining us and starting business today will cost you nothing and you will be able to earn a bit of extra money fast and easy. Should you have any questions, please feel free to contact us with all your questions.

Thank you,
Sergey Skugarev ,
JavaRealm Software



This is a straightforward money mule scam. We have seen this type of scam targeting Ukrainian companies before, here and here. Avoid this one at all costs.

Stupid but sophisticated "Lloyds TSB" phish

Spammers are generally pretty stupid. This particular phish looks pretty normal to begin with:

Customer Service department
Lloyds TSB Bank
September 26th, 2008


To all business and personal customers

We would like to inform you about recent change in Lloyds TSB terms and conditions of banking services. Lloyds TSB has updated terms and conditions for both business and personal customers. Each customer should read and accept current terms and conditions.
Failure to accept new terms and conditions may lead to blocking of current services. Such as loans, credit cards, online banking, savings accounts, bill payments. Take a moment to read through new terms and conditions. There are two convenient ways to request updated terms and conditions. You can request them by mail or use online banking to confirm the new terms of service. Please follow the link below to review and confirm updated terms and conditions.
www.lloydstsb.com/terms

Thank you for banking with the most trusted UK bank,
Lloyds TSB Customer Service Team

We know that this is a phish because a) it was sent to a harvested address and b) Lloyds TSB don't send out emails like this. So a typical next step would be to check the source code to find where the phishing site is.

So the only hypertext link in the document is to http://www.lloydstsb.com which is the real Lloyds TSB bank. A closer look shows an attempted image load from http://lloydstlb.com/images/logo_lloydstsb.gif which is the phishing site hosted on a botnet. The domain is registered to BIZCN.COM who seem to have taken over this sort of business from Estdomains.

The fake site looks pretty convincing.. even if no-one will click through to it.

The login screen looks authentic too.

The next step looks exactly like the genuine login. The "memorable information" prompt asks for 3 letters from a longer passphrase, specifically letters 1, 3 and 5.

But guess what, when you enter the information it tells you that you did it incorrectly and asks for letters 2, 4 and 6 instead. So now they have letters 1-6.

Blah blah blah..

But what's this at the bottom? Yup, more characters from the memorable phrase are needed..

Finally, a confirmation:

So, like many modern phishing sites the actual web site is very credible looking, even the domain name looks reasonable if you only glance at it. Fortunately for the intended victims, the idiots have messed up the spam and.. this time at least.. nobody will get this far.

Wednesday, 5 November 2008

"App LLC Group." scam

Another ridiculously worded scam job offer, essentially identical to this one.

Subject: How for short time to earn $1200 in a week? Read!
"Sucky sucky long time five dollar" to you too.

HELLO EVERYONE!
Woot!


Please take your time and read about this genuine offer, job position.Make money
spending only few hours a day, if you are located in Australia! This position either
can replace your current job, or can be as an extra income for you. Denmark
successful company - Apple Sales Group brought this opportunity for you.
Advertisement itself is brought to you via Google ads (Paid advertisement, assigning
e-mail business account). The most convenient and smart position for anybody who has
couple hours a day, Monday-Friday. You will be able to make 1400+ AUD a week! It's
either - you do want to participate in this, or - you do not, that's what makes it a
genuine offer and worth reading and finding out more. If you meet requirements - do
not hesitate to receive full information:
1400 AUD? You said $1200 a moment ago. Are we talking US$ or AU$? At least I know it's "Genuine" because you said so twice. Shame about the really bad English, all the Danish people I know speak English very well.

*You are 18+ y/o
*You are Reliable and Enthusiastic person.
*You Have 2-3 Hours a Day of Your Spare/Free Time, Monday-Friday(Saturday).
*You Are Located in United Kingdom/Ireland.
*You Have Access to Internet 2-3 Hours A Day, Monday-Friday(Saturday).
Didn't you just say Australia? These are different countries, you know.

Reference:
"The Most Creative Opportunity of The Month" - "Two Time" Magazine, quote by Angela
Roer.
"Consider This Opportunity" - "Behind The Truth" Magazine, quote by Marcus Stowee.
"I can't believe I was so stupid" - "State Penitentiary newsletter", quote by hapless money mule victim.

To receive full information reply only to e-mail: apple.swed404@gmail.com
with subject "More Information" and one of our representatives will assist you
shortly.
Thank you for your interest and Good Luck!


Best Regards,
App LLC Group.
Apple.Swed404? Sweden? I thought you said you were based in Denmark? App LLC? That wasn't the company name you gave earlier.

Originating IP is 95.57.7.182 in Kazakhstan. That country has featured in these fake job offers before (here and here).

Tuesday, 4 November 2008

"Recovery KEYS for your account" trojan

Another day, another EXE-in-ZIP trojan with a lot of spaces in the filename.


Subject: Recovery KEYS for your account

Good afternoon, [victim]

There are the keys to recover your personal account. In order to use them later,
please, preserve them in a sure place.

Sincerely, Dick Riddle

Attachment: the_Keys.zip

The ZIP file contains an EXE that looks like a Word document, The_Keys.doc[88 spaces].exe. Worryingly, VirusTotal detects nothing at all. The trojan is clearly related to this one and this one.
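When scanners miss the payload itself, the filename trick is still detectable at the mail gateway: an archive member whose name carries a document extension, a long run of spaces, and then a real executable extension. The following is an added example, not code from the original post: it builds a ZIP in memory whose member name mirrors the one described (The_Keys.doc followed by 88 spaces and .exe, with harmless placeholder bytes rather than any real executable) and scans the member names for that disguise. The extension lists and the three-space padding threshold are assumptions chosen for the example.

```python
"""
Added example (not from the original post): flag ZIP members whose names disguise
an executable as a document with whitespace padding. The archive is constructed
in memory with placeholder bytes; no real malware is involved.
"""
import io
import re
import zipfile

# Assumed lists for the example; extend to match local policy.
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js"}
DOCUMENT_EXTS = {".doc", ".docx", ".pdf", ".xls", ".txt", ".jpg", ".rtf"}
MIN_PADDING = 3  # spaces between decoy and real extension that we treat as suspicious


def build_sample_zip():
    """Constructed sample: the disguised name from the post plus one benign member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("The_Keys.doc" + " " * 88 + ".exe", b"placeholder, not a real executable")
        zf.writestr("readme.txt", b"harmless")
    return buf.getvalue()


def analyse_name(name):
    """Return the reasons a member name looks like a disguised executable ([] if clean)."""
    reasons = []
    base = name.rsplit("/", 1)[-1]               # ignore any directory part inside the archive
    stem, dot, ext = base.rpartition(".")
    final_ext = ("." + ext.lower()) if dot else ""
    if final_ext not in EXECUTABLE_EXTS:
        return reasons
    reasons.append("executable extension %s" % final_ext)

    # Whitespace between the decoy extension and the real one pushes ".exe" out of view.
    padding = len(stem) - len(stem.rstrip())
    if padding >= MIN_PADDING:
        reasons.append("%d trailing spaces hide the real extension" % padding)

    # A document-looking extension immediately before the padding is the decoy.
    match = re.search(r"\.([a-z0-9]{2,4})\s*$", stem.lower())
    if match and "." + match.group(1) in DOCUMENT_EXTS:
        reasons.append("decoy document extension .%s" % match.group(1))
    return reasons


def scan_zip(data):
    """Map each suspicious member name in the archive bytes to its list of reasons."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            reasons = analyse_name(info.filename)
            if reasons:
                findings[info.filename] = reasons
    return findings


if __name__ == "__main__":
    for member, reasons in scan_zip(build_sample_zip()).items():
        print(repr(member))
        for reason in reasons:
            print("  -", reason)
```

Only the member names are inspected, so the check works before any content scanning and regardless of whether the executable inside is recognised by antivirus; a plain `setup.exe` still trips the first rule, while the padded double extension trips all three.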

Monday, 3 November 2008

"Colorado Business Bank - Network Security and Monitoring"


These banks get more obscure all the time, but the emails still carry the same sort of malicious payload.



Subject: Colorado Business Bank - Network Security and Monitoring
From: "Colorado Business Bank Account Service" alert@cobizbank.com

COLORADO BUSINESS BANK NOTICE:

Colorado Business Bank has registered our secure Web sites with VeriSign and use VeriSign Server IDs.
VeriSign Server IDs enable you to verify the authenticity of our secure Web site and to communicate with our Web site securely via SSL (Secure Sockets Layer) encryption.

Proceed to customer service department>>

Sincerely, Everett Torres.
Copyright - Colorado Business Bank, a part of COBIZ BANK.



VirusTotal detections are the usual mixed bag. Most detections seem to be generic (e.g. W32/Packed_FSG.D, TR/Crypt.FSPM.Gen, Trojan.Win32.Packed.gen, TrojanDownloader:Win32/Suceret.gen!A)