- Blizzard-battle.net
- Blizzard-promotion.com
- Promotions-battle.net
- Promotions-worldofwarcraft.com
- Worldotwarcaft.net
- Wowmovieteaser.com
- Wowtcgpromotion.com
Thursday, 13 August 2009
Some "World of Warcraft" Scam sites
I don't play WoW myself, but there are a whole bunch of bad guys out there trying to rip off player accounts for money. Here are some recent domains hosted at scam-friendly YoHost.org that you should avoid.. if you HAVE entered your password into one of these sites, then change it NOW.
Labels:
Phishing,
World of Warcraft
Wednesday, 12 August 2009
CA eTrust goes nuts with StdWin32 and other false positives
CA eTrust ITM has gone completely nuts today, with a load of seemingly random false positives mostly for StdWin32 in a large number of binaries, including some components of eTrust itself.
The core problem seems to be a signature update from 31.6.6672 to 33.3.7051, there seems to be little consistency in what is being detected as a false positive although there are multiple occurrences of Nokia software, VNC and event DLLs and EXEs belonging to eTrust's core components.
Probably the best thing to do is block the update or change the Realtime scanning behaviour to "disabled" or "report only".
Update: problem seems to have started at about 0525 GMT when the new signature pattern applied. There no consistent pattern to the infected files, it looks like it happens at random. Several other people seem to be having the same issue!
Update 2: Signature pattern 34.0.6674 appears to fix this problem. You can then enjoy repairing your faulty machines.. thanks CA!
Update 3: Amusingly, CA eTrust seems to have deleted its own key components in many cases. I don't know if this is the first recorded case of an anti-virus application mistaking itself as malware!
Update 4: CA have released a statment as follows:
Last night, CA released a new updated antimalware engine. This new release has resulted in false positive detections of a number of files. CA Threat Manager customers are the only customers being affected by this issue. This is not a result of signature updates and does not impact CA consumer Internet security products.
To resolve the issue, CA has rolled back the new engine and re-released its previous antimalware engine. CA customer support representatives are on call to answer customer questions and to provide remediation support. A remediation tool to rename the quarantined files is now available through CA support and will soon be accessible online.
CA is aggressively working to resolve the issue, assist any customers who have been affected, as well as identify the root cause of the incident. We apologize for this inconvenience and look forward to the roll out of our new antimalware engine, which will ultimately offer our customers many benefits including enhanced malware protection and improved performance.
Update 5: Got a mention on El Reg.. funny thing is that I went in to work today wearing my El Reg T-Shirt. Coincidence? Consiparacy? Cockup?
PS: Please remember to read the comments if you are still having problems!
The core problem seems to be a signature update from 31.6.6672 to 33.3.7051, there seems to be little consistency in what is being detected as a false positive although there are multiple occurrences of Nokia software, VNC and event DLLs and EXEs belonging to eTrust's core components.
Probably the best thing to do is block the update or change the Realtime scanning behaviour to "disabled" or "report only".
Update: problem seems to have started at about 0525 GMT when the new signature pattern applied. There no consistent pattern to the infected files, it looks like it happens at random. Several other people seem to be having the same issue!
Update 2: Signature pattern 34.0.6674 appears to fix this problem. You can then enjoy repairing your faulty machines.. thanks CA!
Update 3: Amusingly, CA eTrust seems to have deleted its own key components in many cases. I don't know if this is the first recorded case of an anti-virus application mistaking itself as malware!
Update 4: CA have released a statment as follows:
Last night, CA released a new updated antimalware engine. This new release has resulted in false positive detections of a number of files. CA Threat Manager customers are the only customers being affected by this issue. This is not a result of signature updates and does not impact CA consumer Internet security products.
To resolve the issue, CA has rolled back the new engine and re-released its previous antimalware engine. CA customer support representatives are on call to answer customer questions and to provide remediation support. A remediation tool to rename the quarantined files is now available through CA support and will soon be accessible online.
CA is aggressively working to resolve the issue, assist any customers who have been affected, as well as identify the root cause of the incident. We apologize for this inconvenience and look forward to the roll out of our new antimalware engine, which will ultimately offer our customers many benefits including enhanced malware protection and improved performance.
Update 5: Got a mention on El Reg.. funny thing is that I went in to work today wearing my El Reg T-Shirt. Coincidence? Consiparacy? Cockup?
PS: Please remember to read the comments if you are still having problems!
Labels:
CA,
eTrust,
False Positive
Sunday, 9 August 2009
Fleos.com and Flyappraisal.com scams
Two more domain appraisal scams following on from this one, Fleos.com has been around for a few days and is a copy of the flyappraisals.com / flyrating.com fraud.
In the same vein, the scammers have also registered Flyappraisal.com which will not doubt be used for another batch of fake domain appraisal fraud soon.
Avoid these, and if you have paid for a so-called appraisal via PayPal, then use the PayPal dispute procedure to get your money back.
In the same vein, the scammers have also registered Flyappraisal.com which will not doubt be used for another batch of fake domain appraisal fraud soon.
Avoid these, and if you have paid for a so-called appraisal via PayPal, then use the PayPal dispute procedure to get your money back.
pddomains.com scam
This is part of a long-running scam where you receive an unsolicited offer for a domain name.. the scam is that you are offered a choice of three appraisal services, the cheapest of which is controlled by the scammer. Once you have paid for your appraisal, the offer to buy the domain mysteriously dries up.
The site looks professional enough, but it's a cookie-cutter design that has been used for previous frauds here, here, here and here although sometimes the same crew use this design.
Email originates from 64.186.128.191 in the US and points to a domain on 124.217.231.209 in Malaysia. WHOIS details are anonymised and the domain was only registered on 7th August, nontheless the most likely perpetrator is detailed here.
If you have paid for an appraisal, then you should start a PayPal dispute to get a refund. Hopefully, that will also get the fraudster's account shut down.
Subject: Offer to buy [redacted]
From: "Resale Domain" <resaledomain@gmail.com>
Date: Sun, August 9, 2009 6:00 am
Dear Sir,
we are interested to buy your domain name [redacted] and offer 65% of the appraised market value.
As of now we accept appraisals from either one of the following leading appraisal companies:
sedo.com
pddomains.com
accuratedomains.com
If you already have an appraisal please forward it to us.
As soon as we have received your appraisal we will send you our payment (we use Paypal for amounts less than $2,000 and escrow.com for amounts above $2,000) as well as further instructions on how to complete the transfer of the domain name.
We appreciate your business,
Thank you,
B. Phillips
Resale Domain
The site looks professional enough, but it's a cookie-cutter design that has been used for previous frauds here, here, here and here although sometimes the same crew use this design.
Email originates from 64.186.128.191 in the US and points to a domain on 124.217.231.209 in Malaysia. WHOIS details are anonymised and the domain was only registered on 7th August, nontheless the most likely perpetrator is detailed here.
If you have paid for an appraisal, then you should start a PayPal dispute to get a refund. Hopefully, that will also get the fraudster's account shut down.
Labels:
Domains,
pddomains.com,
Scams,
Spam
Tuesday, 28 July 2009
MS09-034 is coming..
Just a reminder that Microsoft are announcing an out-of-band patch today to fix a critical IE / Visual Studio flaw. If you manually authorise updates to client PCs via WSUS, then you will need to break the usual schedule and deploy this as soon as you can.
More info here and here.
More info here and here.
Friday, 24 July 2009
"Best Crisis Prices": dotbestshop.com / bestcrisisprices.com fake shops
I mentioned bestcrisesprices.com a few weeks ago, and it seems that they have a new domain called dotbestshop.com which is also a fake ecommerce site.
Both sites are hosted on an an anonymous hosting account at 124.217.231.121 in Malaysia, the domain contact details are either anonymous or fake. The contact details on the website are also fake, and have been stolen from legitimate businesses.
It claims to be a member of the BBB, but it isn't as the BBB reports that it is mis-using their logo.
This is part of a large organized crime ring, nominally connected with China. Although it claims to be based in Louisiana, there is no evidence at all that this is a US operation. Avoid dealing with them at all costs.
Both sites are hosted on an an anonymous hosting account at 124.217.231.121 in Malaysia, the domain contact details are either anonymous or fake. The contact details on the website are also fake, and have been stolen from legitimate businesses.
It claims to be a member of the BBB, but it isn't as the BBB reports that it is mis-using their logo.
This is part of a large organized crime ring, nominally connected with China. Although it claims to be based in Louisiana, there is no evidence at all that this is a US operation. Avoid dealing with them at all costs.
Labels:
Fake Retailers,
Scams
Thursday, 23 July 2009
Even the bad guys need a back office
Last November, I posted a warning about Ran-De-Vou which was recruiting for translators.. the problem being that the company was part of an organised crime ring and the translations themselves were aided phishing and the like.
Well, "Juice" gave them a go and the result is this interesting insight into the bad guys' back office functions.. enjoy!
Well, "Juice" gave them a go and the result is this interesting insight into the bad guys' back office functions.. enjoy!
Labels:
Job Offer Scams
"Real Host Ltd" is a real sewer
This summary is not available. Please
click here to view the post.
Wednesday, 22 July 2009
Even more pathetic SpamCop.net phish
I thought that phishing emails couldn't get more rubbish than this but it turns out that I was wrong. Enjoy:
The Reply-To email address is verification_teamss12@yahoo.com.hk, originating IP is 203.59.222.34.
Subject: FINAL ACCOUNT UPDATE!!!
From: "SPAMCOP SUPPORT TEAM" <helpdesk@spamcop.net>
Date: Wed, July 22, 2009 7:15 pm
Dear spamcop.net Subscriber,
We are currently carrying-out a mantainace
process to your spamcop.net account, to
complete this, you must reply to
this mail immediately, and enter your
User Name here (,,,,,,,,) And Password here
(.......) if you are the rightful owner of
this account.
This process we help us to fight against
spam mails.Failure to summit your password,
will render your email address
in-active from our database.
NOTE: If your have done this before, you may ignore
this mail. You will be send a password reset
messenge in next seven (7)
working days after undergoing this process
for security reasons.
Thank you for using spamcop.net!
THE SPAMCOP TEAM
The Reply-To email address is verification_teamss12@yahoo.com.hk, originating IP is 203.59.222.34.
Tuesday, 14 July 2009
43.gs: massive Google SERPs poisoning
I can't tell if this is accidental or deliberate, but there are a whole bunch of spam entries in Google for the 43.gs domain as you can see from this search.
It looks like some sort of redirect or copy, but the odd thing is that the 43.gs subdomain actually points to the legitimate server.
For example, ethviumvthvie.43.gs resolves as 198.246.98.21 which belongs to the US Centers for Disease Control (CDC). For some reason, the CDC server accepts requests for ethviumvthvie.43.gs as a request to display the genuine website.
As a result, Google has about 3.2 million results for 43.gs subdomains, all of which are duplicates of existing sites.
It looks like 43.gs offers some sort of legitimate URL shortening service based on subdomain names rather than the more common tinurl/bit.ly. Have the bad guys found a way to use this to their advantage? Are they suddenly going to switch traffic to somewhere bad?
43.gs is showing a small bump in traffic recently, perhaps as a result of this?
Presumably there is a way of telling your web server to reject this kind of request.
It looks like some sort of redirect or copy, but the odd thing is that the 43.gs subdomain actually points to the legitimate server.
For example, ethviumvthvie.43.gs resolves as 198.246.98.21 which belongs to the US Centers for Disease Control (CDC). For some reason, the CDC server accepts requests for ethviumvthvie.43.gs as a request to display the genuine website.
As a result, Google has about 3.2 million results for 43.gs subdomains, all of which are duplicates of existing sites.
It looks like 43.gs offers some sort of legitimate URL shortening service based on subdomain names rather than the more common tinurl/bit.ly. Have the bad guys found a way to use this to their advantage? Are they suddenly going to switch traffic to somewhere bad?
43.gs is showing a small bump in traffic recently, perhaps as a result of this?
Presumably there is a way of telling your web server to reject this kind of request.
Really pathetic SpamCop.net webmail phish
Probably the most pathetic phish ever - the bad guys nicely provide a space in the email for you to put your username and password and then email it back. Combined with a fairly vague grasp of the English language, then it's hard to see that this would fool anyone at all.
From: "SpamCop Webmaster online" <spamcop.net.webmaster@mchsi.com>Originating IP is an open proxy at 200.65.129.2.
Date: Tue, July 14, 2009 4:11 pm
Cc: recipient list not shown:;
Priority: Normal
Dear SpamCop Webmail online Email Account Owner,
Important notice, harmful virus was detected in your account which can be harmful to our subscriber unit.You are to enter your Username and Password here {____________, __________} to enable us set in an anti virus in your user account to clear up this virus. we do need your co-operation in this, Providing us with this information we enable us insert in your account an anti virus machine for clean up.
We are sorry for the inconveniences this might have cost you. Failure to do this, we are sorry to let you know that your account will be deleted immediately to prevent it from arming our subscriber unit.
Thank you for using SpamCop Webmail,
We are glad at your service,
SpamCop Webmaster online.
Korea DDOS - run for the hills!
The recent DDOS attacks against Korean and US government sites is well known, with calls for reprisals ranging from "cyber-attacks" to the occasional nutjob suggesting that real bombs are used.
Unfortunately, it turns out that the C&C server for the botnet carrying out the attack may well be in the UK. So perhaps we can expect a rush of malformed packets and/or Tomahawk cruise missiles heading the the UK soon..
via
Unfortunately, it turns out that the C&C server for the botnet carrying out the attack may well be in the UK. So perhaps we can expect a rush of malformed packets and/or Tomahawk cruise missiles heading the the UK soon..
via
Monday, 6 July 2009
Phorm: hahahahah
With a bit of luck, it appears that Phorm may be going down the toilet, as BT announce that they are not going to deploy Phorm's deep packet inspection technology. More at the BBC News site.
With a bit of luck, Phorm's share price will end up as a penny stock very soon.
With a bit of luck, Phorm's share price will end up as a penny stock very soon.
Labels:
Phorm
Thursday, 2 July 2009
Domain scam: ntwifinetwork.com / js-wifi.cn
The old Chinese domain scam has been around for years, but these guys are getting lazy because they haven't changed their domains for months, this is esentially unchanged from April.
Originating IP is 122.193.216.10.
As ever, legitimate domain registrars do not send out this type of email because they are NOT responsible for this activity. Sometimes the Chinese domains get registered, sometimes they are ALREADY registered, and often they never get registered. But before you panic and pay money to these scammers, consider this: there are hundreds of top-level domains in the world. Do you really want to buy your domain for all of them? The answer is probably "no".
The best advice is to ignore this email completely.
Subject: Domain Dispute and Registration
From: "Sunny"
Date: Thu, July 2, 2009 4:07 am
To whom it may concern: 2009-7-2
We are a domain name registration service company in Asia,
Last week we received a formal application submited by Justin Lin who wanted to use the keyword "REDACTED" to register the Internet Brand and with suffix such as .cn /.com.cn /.net.cn/.hk/ .asia/ domain names.
After our initial examination, we found that these domain names to be applied for registration are same as your domain name and trademark. We aren¡¯t sure whether you have any relation with him. Because these domain names would produce possible dispute, now we have hold down his registration, but if we do not get your company¡¯s an reply in the next 5 working days, we will approve his company's application
In order to handle this issue better, Please contact us by Fax ,Telephone or Email as soon as possible.
Yours sincerely
Sunny
Checking Department
Tel: 86 513 8532 1087
Fax: 86 513 8532 2065
Email:Sunny@ntwifinetwork.com
Website: www.js-wifi.cn
Our File No.:2272363
Originating IP is 122.193.216.10.
As ever, legitimate domain registrars do not send out this type of email because they are NOT responsible for this activity. Sometimes the Chinese domains get registered, sometimes they are ALREADY registered, and often they never get registered. But before you panic and pay money to these scammers, consider this: there are hundreds of top-level domains in the world. Do you really want to buy your domain for all of them? The answer is probably "no".
The best advice is to ignore this email completely.
Tuesday, 30 June 2009
%SI_subj: miserable spam failure
Possibly one of the most miserable spam failures I have ever seen - the idiot spammer somehow forgot to populate the % fields with actual data. It just goes to reinforce that spammers are stupid.
The hypertext link goes to %SI_link3 rather than a valid address.
Presumably this is a penile enhancement product. By the looks of it, the spammer you do with an intelligence enhancement product.
Subject: %SI_subj
From: "Lily Lovett"
Date: Tue, June 30, 2009 2:47 pm
You don’t need to %SI3_rnd10
rod’s %SI3_rnd11 and %SI3_rnd12 %SI3_rnd13’ jokes!
This is a %SI3_rnd14 for
%SI3_rnd15 your
%SI3_rnd16! It will
%SI3_rnd17 in seconds after she %SI3_rnd18 and %SI3_rnd19 as good as if it was
a %SI3_rnd20 rod!
No more jokes – you will always get %SI3_rnd21 and moans! The huge pack
costs less than 30 %SI3_rnd22!
%SI3_rnd23 can be a %SI3_rnd24! No one will know about your %SI3_rnd25!
%SI3_rnd26 now and save more than $10 regardless of
your order’s size!
The hypertext link goes to %SI_link3 rather than a valid address.
Presumably this is a penile enhancement product. By the looks of it, the spammer you do with an intelligence enhancement product.
Password masking facepalm
A bizarre shot in the security vs usability argument, as reported by El Reg: Masked passwords must go which reports on research saying that masked passwords are more trouble than they are worth.
A key bit of the argument? "Shoulder surfing is largely a phantom problem".. umm yeah, because people's passwords usually just show as blobs or stars so there's no point. If your damned password comes up as plaintext then you can betcha that it WILL be a problem.
Facepalm
A key bit of the argument? "Shoulder surfing is largely a phantom problem".. umm yeah, because people's passwords usually just show as blobs or stars so there's no point. If your damned password comes up as plaintext then you can betcha that it WILL be a problem.
Facepalm
Saturday, 27 June 2009
flyrating.com scam
Flyrating.com is a re-run of the flyappraisals.com scam - a fake domain name evaluation service that is spamvertised through a bogus offer to buy a domain.
Although the servers are hosted in Malaysia, there is strong evidence linking these to a person of German origin living in Canada. More information here.
Although the servers are hosted in Malaysia, there is strong evidence linking these to a person of German origin living in Canada. More information here.
Labels:
Appraisals,
Domains,
PayPal,
Scams,
Spam
Saturday, 20 June 2009
Mystery mibug-credit.com / wiremouse.com spam
This is one of those "wft" spams.
Yes, you'd think that there's a malware payload or something, but there isn't. Let's check out the domain registrations details - hosted at 213.208.134.154 in Austria:
owner-contact: P-GFB634
owner-organization: MIBUG CREDIT UG
owner-fname: Georg
owner-lname: BENDL
owner-street: Menzingerstrasse 130
owner-city: MUENCHEN
owner-zip: D80997
owner-country: DE
owner-phone: +49.180523363313143
owner-email: wmt18703@kunde.webmachine.eu
This is meant to be some sort of financial services site, but it was only registered on 8th June 2009.
The site does very little, you can try to open an account (which requires you handing over a bunch of personal information), but there's no way of getting this "refund". There are a few links to wiremouse.com on the site, something that's hosted on the same server.. so let's have a look at what else is on 213.208.134.154:
Registrant ID: C6565959-B-CO
Registrant Name: Georg BENDL
Registrant Address1: Bacherstrasse 7
Registrant City: GRIES
Registrant Postal Code: A5662
Registrant Country: Austria
Registrant Country Code: AT
Registrant Phone Number: +43.66492436352
Registrant Email: WMT5549@kunde.wmtech.net
Hmmm.. OK, well what about wiremouse.com?
owner-contact: P-NVM192
owner-organization: Managed Offshore Payment Services Limited
owner-fname: Nikolas owner-lname: MAKIN
owner-street: Cariocca Business Park 2 Sawley Road
owner-city: MANCHESTER
owner-zip: GM40 8BB
owner-country: GB
owner-phone: +44.7031887152
owner-email: wmt8464@kunde.webmachine.eu
So, it's based in the UK? Well, the postcode is incorrect.. but in fact, Companies House does have a firm of the name Managed Offshore Payment Services Limited registered. But its accounts are overdue and there is a proposal to "strike off" the firm:
Let's look at bmc-london.co.uk on the same server:
Domain name:
bmc-london.co.uk
Registrant:
Bendl Georg
Registrant type:
Unknown
Registrant's address:
38 Homer Street
LONDON
GW1H 4NH
GB
Registrar:
Key-Systems GmbH [Tag = KEY-SYSTEMS-DE]
URL: http://www.Key-Systems.net
Relevant dates:
Registered on: 04-Sep-2008
Renewal date: 04-Sep-2010
Registration status:
Registered until renewal date.
Name servers:
ns1.webmachine.at
ns2.webmachine.at
This Georg Bendl chap moves around a lot. The address is valid although it's hard to verify if there's a real company operating from that address.
In fact, most domains seem to be registered to "Georg Bendl", but the address is different in almost every case (although Salzburg features more than once).
It's hard to fathom what this spam is about, although these sites do consistently link back to wiremouse.com. Some sort of SEO? A Joe Job? A phish? Email marketing gone horribly wrong? I don't know.
The final clue is the the sending IP address is 62.47.184.176 which is an ADSL subscriber in Austria. Draw your own conclusions, but I would be tempted to give all of these domains a wide berth.
Subject: Refund of Duplicate Payment
From: "Customer Care Center" <2712@mibug-credit.com>
Date: Sat, June 20, 2009 8:12 pm
Dear Business Partner!
Enclosed is our e-check in the amount of EURO 1,750.00 which represents a refund for your inadvertent duplicate
remittance for payment of transaction no. 267.
We are pleased that our bookkeeping department discovered this overpayment so quickly.
Thank you.
Instant Number Accounts
Credit Cards Bulk and Wholesale
http://mibug-credit.com
Yes, you'd think that there's a malware payload or something, but there isn't. Let's check out the domain registrations details - hosted at 213.208.134.154 in Austria:
owner-contact: P-GFB634
owner-organization: MIBUG CREDIT UG
owner-fname: Georg
owner-lname: BENDL
owner-street: Menzingerstrasse 130
owner-city: MUENCHEN
owner-zip: D80997
owner-country: DE
owner-phone: +49.180523363313143
owner-email: wmt18703@kunde.webmachine.eu
This is meant to be some sort of financial services site, but it was only registered on 8th June 2009.
The site does very little, you can try to open an account (which requires you handing over a bunch of personal information), but there's no way of getting this "refund". There are a few links to wiremouse.com on the site, something that's hosted on the same server.. so let's have a look at what else is on 213.208.134.154:
- Afrohair.at
- Altkatholiken.net
- Bankparadies.com
- Bmc-london.co.uk
- Bmc-shop.co.uk
- Cocodonia.com
- Firmenparadies.com
- Jr-austria.com
- Mibug-credit.com
- Quotum.at
- Schmeissfliegen.com
- Server1.biz
- Sofortbetrieb.com
- Tiefpreiszentrum.com
- Turi-landhaus.com
- Wiremouse.com
Registrant ID: C6565959-B-CO
Registrant Name: Georg BENDL
Registrant Address1: Bacherstrasse 7
Registrant City: GRIES
Registrant Postal Code: A5662
Registrant Country: Austria
Registrant Country Code: AT
Registrant Phone Number: +43.66492436352
Registrant Email: WMT5549@kunde.wmtech.net
Hmmm.. OK, well what about wiremouse.com?
owner-contact: P-NVM192
owner-organization: Managed Offshore Payment Services Limited
owner-fname: Nikolas owner-lname: MAKIN
owner-street: Cariocca Business Park 2 Sawley Road
owner-city: MANCHESTER
owner-zip: GM40 8BB
owner-country: GB
owner-phone: +44.7031887152
owner-email: wmt8464@kunde.webmachine.eu
So, it's based in the UK? Well, the postcode is incorrect.. but in fact, Companies House does have a firm of the name Managed Offshore Payment Services Limited registered. But its accounts are overdue and there is a proposal to "strike off" the firm:
Let's look at bmc-london.co.uk on the same server:
Domain name:
bmc-london.co.uk
Registrant:
Bendl Georg
Registrant type:
Unknown
Registrant's address:
38 Homer Street
LONDON
GW1H 4NH
GB
Registrar:
Key-Systems GmbH [Tag = KEY-SYSTEMS-DE]
URL: http://www.Key-Systems.net
Relevant dates:
Registered on: 04-Sep-2008
Renewal date: 04-Sep-2010
Registration status:
Registered until renewal date.
Name servers:
ns1.webmachine.at
ns2.webmachine.at
This Georg Bendl chap moves around a lot. The address is valid although it's hard to verify if there's a real company operating from that address.
In fact, most domains seem to be registered to "Georg Bendl", but the address is different in almost every case (although Salzburg features more than once).
It's hard to fathom what this spam is about, although these sites do consistently link back to wiremouse.com. Some sort of SEO? A Joe Job? A phish? Email marketing gone horribly wrong? I don't know.
The final clue is the the sending IP address is 62.47.184.176 which is an ADSL subscriber in Austria. Draw your own conclusions, but I would be tempted to give all of these domains a wide berth.
Labels:
Spam
Friday, 19 June 2009
FAIL: "Microsoft has released an update for Microsoft Outlook"
This email looks like it's from Microsoft, but it is really intended to load a trojan onto your PC:
Although the link appears to be for the Microsoft web site, underneath is a hidden URL which is quite different. From samples I have plus some scraped from teh interwebs, I came up with the following samples:
hxxp:||update.microsoft.com.ijlijji.com/microsoftofficeupdate/isapdl/default.aspx?ln=en-us&id=[redacted]
hxxp:||update.microsoft.com.ijj1hjf.com/microsoftofficeupdate/isapdl/default.aspx?ln=en-us&id=[redacted]
hxxp:||update.microsoft.com.ijlijjh.net/microsoftofficeupdate/isapdl/default.aspx?ln=en-us&id=[redacted]
hxxp:||update.microsoft.com.ijlijj1.com/microsoftofficeupdate/isapdl/default.aspx?ln=en-us&id=[redacted]
hxxp:||update.microsoft.com.ijlijji.net/microsoftofficeupdate/isapdl/default.aspx?ln=en-us&id=[redacted]
hxxp:||update.microsoft.com.il1if1.com.mx/microsoftofficeupdate/isapdl/default.aspx?ln=en-us&id=[redacted]
The reason why this is a FAIL? None of the domains are registered apart from the .com.mx one, so clicking the links will do precisely nothing. il1if1.com.mx is hosted on a botnet with presumably fake registration details, but it seems to be quite unreliable.
Even though this attack doesn't work, it might be a good idea to keep an eye out for it and advise any end users you have. Also checking your proxy logs for update.microsoft.com.i may well be useful.
From: Microsoft Customer Support [mailto:no-reply@microsoft.com]
Sent: 18 June 2009 22:47
Subject: Microsoft has released an update for Microsoft Outlook
Critical Update
Update for Microsoft Outlook / Outlook Express (KB910721)
Brief Description
Microsoft has released an update for Microsoft Outlook / Outlook Express. This update is critical and provides you with the latest version of the Microsoft Outlook / Outlook Express and offers the highest levels of stability and security.
Instructions
• To install Update for Microsoft Outlook / Outlook Express (KB910721) please visit Microsoft Update Center:
http://update.microsoft.com/microsoftofficeupdate/isapdl/default.aspx?ln=en-us&id=[redacted]
Quick Details
• File Name: officexp-KB910721-FullFile-ENU.exe
• Version: 1.4
• Date Published: Thu, 18 Jun 2009 16:46:55 -0500
• Language: English
• File Size: 81 KB
System Requirements
• Supported Operating Systems: Windows 2000; Windows 98; Windows ME; Windows NT; Windows Server 2003; Windows XP; Windows Vista
• This update applies to the following product: Microsoft Outlook / Outlook Express
Contact Us
© 2009 Microsoft Corporation. All rights reserved. Contact Us |Terms of Use |Trademarks |Privacy Statement
Although the link appears to be for the Microsoft web site, underneath is a hidden URL which is quite different. From samples I have plus some scraped from teh interwebs, I came up with the following samples:
hxxp:||update.microsoft.com.ijlijji.com/microsoftofficeupdate/isapdl/default.aspx?ln=en-us&id=[redacted]
hxxp:||update.microsoft.com.ijj1hjf.com/microsoftofficeupdate/isapdl/default.aspx?ln=en-us&id=[redacted]
hxxp:||update.microsoft.com.ijlijjh.net/microsoftofficeupdate/isapdl/default.aspx?ln=en-us&id=[redacted]
hxxp:||update.microsoft.com.ijlijj1.com/microsoftofficeupdate/isapdl/default.aspx?ln=en-us&id=[redacted]
hxxp:||update.microsoft.com.ijlijji.net/microsoftofficeupdate/isapdl/default.aspx?ln=en-us&id=[redacted]
hxxp:||update.microsoft.com.il1if1.com.mx/microsoftofficeupdate/isapdl/default.aspx?ln=en-us&id=[redacted]
The reason why this is a FAIL? None of the domains are registered apart from the .com.mx one, so clicking the links will do precisely nothing. il1if1.com.mx is hosted on a botnet with presumably fake registration details, but it seems to be quite unreliable.
Even though this attack doesn't work, it might be a good idea to keep an eye out for it and advise any end users you have. Also checking your proxy logs for update.microsoft.com.i may well be useful.
Tuesday, 16 June 2009
WebTrends just doesn't get it
WebTrends is a service I used to run a few years ago for web analytics, until the hundreds of dollars per month it was charging for analytics which I could get cheaper elsewere (or now even free) became ridiculous.
So, I stopped using the service and opted out of all email communications as I was no longer interested. So, this bizarre email from WebTrends plops into my mailbox today:
WebTrends is not the worst offender - some companies simply do not understand the meaning of the word "unsubscribe". Doesn't it mean "don't send me anything unless I change my mind"? It seems it now means "don't send me anything unless you really want to" instead.
So, I stopped using the service and opted out of all email communications as I was no longer interested. So, this bizarre email from WebTrends plops into my mailbox today:
Thank you for taking a moment to look at this email. We know you've unsubscribed from Marketing Communications from us and respect your request, but wanted to let you know that we're making some much-needed changes to our email programming. Our new approach lets you tell us what messages you want. Tell us which of these topics are most valuable to you and we'll limit what we send to what you're interested in. Simply click on the link below to personalise your email subscription. Still not interested? Ignore this message, it'll be the last email you receive from us.Let's read that again.. "We know you've unsubscribed from Marketing Communications from us and respect your request".. well, clearly you bloody aren't respecting my request, are you?
WebTrends is not the worst offender - some companies simply do not understand the meaning of the word "unsubscribe". Doesn't it mean "don't send me anything unless I change my mind"? It seems it now means "don't send me anything unless you really want to" instead.
Subscribe to:
Posts (Atom)