
Thursday, 23 July 2009

"Real Host Ltd" is a real sewer

"Real Host Ltd" occupies 256 IP addresses in the 213.182.197.* range (the whole 213.182.197.0/24 block), hosted in Latvia in address space apparently leased from Junik Ltd.

The netblock registration details claim to belong to an address in Kazakhstan:

person: Alex Spiridonov
address: Kazakhstan, Almaty , Abay street 2a
abuse-mailbox: abusemailhost@gmail.com
phone: + 87771697576
nic-hdl: SA5926-RIPE
source: RIPE # Filtered

This block is of interest because, out of hundreds of web sites hosted on it, there appear to be none at all which are legitimate. Of these, Hit-senders.cn is one of the most interesting because it is currently being used to serve a zero-day Flash/PDF exploit. Many of the domains are registered to Michell.Gregory2009@yahoo.com, who has featured on this blog many times before.

Some other interesting domains are Cashspyware.com, Botnet.su and Iframepartners.com which are pretty much openly operating as black hat sites.

All of these sites are either fraudulent, dangerous to visit or both - so if you receive an email or link pointing to them, leave well alone!

213.182.197.10
Vkontalcte.ru, Private Person, admin@0neway.ru

213.182.197.11
Index683.com, Registration suspended
Presentsdelivery.com, Private Person, abuseemaildhcp@gmail.com

213.182.197.12
Barmatuxa.info, Brad Higginbotham, EmersonDuffyZP@gmail.com
Bombim.cn, KuserElizabeth, eakuser@yahoo.com
Decine.cn, realmaria teresa, popeskusin@yahoo.com

213.182.197.13
0neway.ru, Private Person, onewayru@ya.ru
2todays.com, PrivacyProtect.org
2trades.com, alan pakerson, apakerson@googlemail.com
Adulttopvids.info, Lorraine Hoguseir / LueMettterTeam, lorrainefactr@gmail.com
Caffemax.com, Private Person, abuseemaildhcp@gmail.com
Clicksvideo.com, PrivacyProtect.org
Cutietubeee.com, Mark Cristy, evilinside99@gmail.com
Dasper.ru, Sergey V Levitskiy, levitcky@gmail.com
Dataartsoft.com, John A Backham , igusow@gmail.com
Dslcaffe.com, Private Person, abuseemaildhcp@gmail.com
Freegirla.com, PrivacyProtect.org
Fucksexadult.com, PrivacyProtect.org
Gauleyriverraftinginfo.com, Gordon Freeman, evilinside20@gmail.com
Googep.com, PrivacyProtect.org
Homemadez.com, PrivacyProtect.org
Informatoion.com, Tamara Polishuk, kenylotus@yahoo.com
Insky.biz, PrivacyProtect.org
Koka-tube.info, Budulay Romale, budulay_romale@inbox.ru
Linktovideo.com, PrivacyProtect.org
Mac-videos.com, PrivacyProtect.org
Major-don.com, Carl Lee, levitraviagrashop@rambler.ru
Masstrade.us, Yuri, sypiboryrecinih15976@gmail.com
Myspnace.com, PrivacyProtect.org
Odnoklassniki-and-you.ru, Private Person, newlive09@yandex.ru
Online-defence.cn, GuferDerek, asyonurubu@gmail.com
Onlylo.com, PrivacyProtect.org
Photovideox.com, PrivacyProtect.org
Playtstation.com, PrivacyProtect.org
Pornsamateur.com, PrivacyProtect.org
Serialtxt.com, Breitenbach Margery, breitenbach621@yahoo.com
Sexlevitra.com, Carl Lee, levitraviagrashop@rambler.ru
Sexmamba.com, Igor Bogdanov, Igor
Singleslady.com, Registration suspended
Soundrugs.ru, Private Person, workalliance@mail.ru
Tdssim.com, Djon Digan, major.leva@yahoo.com
Thehat.net, Carl Padilla, thehatnkm@gmail.com
Tube84.com, PrivacyProtect.org
Tubeee.com, Whois Privacy Protection Service
Viagrabe.com, PrivacyProtect.org
Video-tube-online.info, Budulay Romale, budulay_romale@inbox.ru
Videomoviex.com, PrivacyProtect.org
Videos-movie.com, PrivacyProtect.org
Vipbabes.com.ua, Андрей Дехтяренко / Andrei Dehtyareno, may-vit@bk.ru
Virgin-x.com, PrivacyProtect.org
Wikjipedia.com, Tamara Polishuk, kenylotus@yahoo.com
Worldtube.su, Private Person, novikov_ds@bk.ru
Xtubex.org, konstantin ololo, scaryscream@gmail.com
Yesey.net, Bob AKKAWA, akkawa@gmail.com
Yhxoo.com, PrivacyProtect.org
Yourko.com, PrivacyProtect.org
Youtube19.com, PrivacyProtect.org
Youviewx.com, Dedinan Galena, galendediweb78@yahoo.com

213.182.197.14
Cashspyware.com, N/A, faloimitator@list.ru
Casinousa.cn, LucasSteven / Cehhost, steven_lucas_2000@yahoo.com
Hostnsload.cn, LucasSteven, steven_lucas_2000@yahoo.com
Iframepartners.com, Chen Poon, chen.poon1732646@yahoo.com
Megavipsite.cn, LucasSteven, steven_lucas_2000@yahoo.com
Sitewebsupport.com, Michell, Michell.Gregory2009@yahoo.com

213.182.197.20
Best-casinox.com, MyPrivateRegistration.com
Best-prices-pharma.com, Igor Durov, larsontomas@gmail.com
Best-prices-pharmacy.net, Oleg Demin, premiumwebart@gmail.com
Causas-de-impotencia.com, Private Person, premiumwebart@gmail.com
Causas-de-impotencia.net, Private Person, premiumwebart@gmail.com
Css-csript.cn, IveevPlansky / SerjCOm, ru@rupoisk.in
Dns-lv9720.com, Michell, Michell.Gregory2009@yahoo.com
Druggs.net, MyPrivateRegistration.com
Druggsonline.com, MyPrivateRegistration.com
Drugsbrokerpharma.com, Oleg Demin, premiumwebart@gmail.com
Edproductos-en-espana.com, Grigory Panin, gragorybland@gmail.com
Erosuka.ru, Private Person, callpartners@gmail.com
Farmacia-venta-on-line.com, Private Person, premiumwebart@gmail.com
Fly-pro.net, MyPrivateRegistration.com
Herbal-impotencecure.com, Oleg Demin, premiumwebart@gmail.com
Hzone66.cn, MichellGregory, Michell.Gregory2009@yahoo.com
Impotence-natural-cure.com, Oleg Demin, premiumwebart@gmail.com
Kamagra-tratamiento-impotencia.com, Mark Nefidov, markglan1@gmail.com
Lkll.net, Damir Stolbische, damirmuh@gmail.com
Marcusmed.com, Steven Lucas, steven_lucas_2000@yahoo.com
Medicamentosgenericosonline.com, Grigory Panin, gragorybland@gmail.com
Microsoftprogram.cn, IveevPlansky / SerjCOm, ru@rupoisk.in
Onlinemedicamentosgenericos.com, Grigory Panin, gragorybland@gmail.com
Pharmacy-drugs-broker.com, Oleg Demin, premiumwebart@gmail.com
Pharmacy-drugsbroker.com, Oleg Demin, premiumwebart@gmail.com
Pharmacy-pills-rx.com, Igor Durov, larsontomas@gmail.com
Pharmacy-pillsrx.com, Igor Durov, larsontomas@gmail.com
Rx-onlinestore.com, Igor Durov, larsontomas@gmail.com
Rxtrustedtabs.net, Igor Durov, larsontomas@gmail.com
Smsgogo.cn, IveevPlansky / SerjCOm, ru@rupoisk.in
Superflyaccess.com, MyPrivateRegistration.com
Traffcount.cn, LucasSteven, steven_lucas_2000@yahoo.com
Treatment-online.com, Aprichev Igor, info@betting-profits.com
Trust-ed-tablets.com, Igor Durov, larsontomas@gmail.com
Tutuuuu.cn, IveevPlansky / SerjCOm, ru@rupoisk.in
Usa-pills-rx.com, Igor Durov, larsontomas@gmail.com
Vitofarmatratamientoimpotencia.com, Private Person, markglan1@gmail.com
Vkpleer.ru, Private Person, callpartners@gmail.com
Vybory2007.ru, Private Person, callpartners@gmail.com
Xxzonexx.com, Chen Poon, chen.poon1732646@yahoo.com
Yandex2.cn, IveevPlansky / SerjCOm, ru@rupoisk.in

213.182.197.227
Corbsc.com, Chen Poon, chen.poon1732646@yahoo.com
Co5v.cn, TiankaiCui, cuitiankai@googlemail.com

213.182.197.228
Chlenopopik.com, Denis Pupkin, pisssun2006@mail.ru

213.182.197.229
3ballslottery.com, Klan Jored, support@hosting-offshore.biz
44mm.ru, Private Person, mik58109117@ya.ru
Admins-mail.ru, Private Person, ivttyeivrdyl@yandex.ru
Andors.ru, Private Person, 10000002@mail.ru
Antighost.cn, null, dasidoruk@mail.ru
Avpro-labs.com, PrivacyProtect.org via Erdomain.com
Avtoresa.ru, Private Person, 10000002@mail.ru
Businessconsulting312.com, Nikolay Viktorovich Stepashin, businessconsulting312.com@hvosting.ua
Businesscoorptru.cn, Real Host, abuseemaildhcp@gmail.com
Comforttrade.biz, Klan Jored, support@hosting-offshore.biz
Dfds-seaways.biz, Klan Jored, support@hosting-offshore.biz [note, domain has been seized by the trademark holder]
Digitdbofmusic.org, Petr Karlov, dunkanmac3@mail.ru
Elita-online.ru, Private Person, votub@nm.ru
Fedion.ru, Private Person, 10000002@mail.ru
Firex-labz.com, SharedHSD, roomart2008@yandex.ru
Firsttimesite.us, Olah Istvan, olah.istvan.ny@gmail.com
Gbd-carrers.com, Aleksej Bagrov, deretx@rambler.ru
Gerdok.ru, Private Person, 10000002@mail.ru
Gnk-msk2.com, Alexey MIRKINO, 324635647@mail.ru
Isell.cc, Jhon Balsmen, ukmcuk@googlemail.com
Isellcc.com, Jhon Balsmen, ukmcuk@googlemail.com
Kalopes.ru, Private Person, 10000002@mail.ru
Kobash.ru, Private Person, 10000002@mail.ru
Kovero.ru, Private Person, 10000002@mail.ru
Leadingdelivery.com, WhoisPrivacyProtect.com
Leapdelivery.net, WhoisPrivacyProtect.com
Megatt.cn, LucasSteven, steven_lucas_2000@yahoo.com
Midlway.com, Real Host LTD, real2030@gmail.com
Molide.ru, Private Person, 10000002@mail.ru
Motile.ru, Private Person, 10000002@mail.ru
Mssys.net, Klan Jored, support@hosting-offshore.biz
Muhamed.cn, Caroline Krajka, caroline.krajka@gmail.com
Myeasyhosting.us, Olah Istvan, olah.istvan.ny@gmail.com
Newskyag.com, Robert Baker, robertbaker2110@yahoo.com
Obosraca.net, Nungoyanrgrr Pimdulya, cumo@mail.ru
Ru-r.ru, Anton A Baklanov, pinch18@rambler.ru
Slikons.ru, Private Person, 10000002@mail.ru
Smsvor.ru, Private Person, n.shahov@yandex.ru
Superioradz.info, Bryony, blaze_sanchez3@yahoo.com
Swegol.ru, Private Person, 10000002@mail.ru
Uni-tele-com.ru, Private Person, n.shahov@yandex.ru
Valebe.ru, Private Person, 10000002@mail.ru
Vkonlahte.ru, Private Person, eert@inbox.ru
Vkortakt.ru, Private Person, asfsdfgsg@yandex.ru
Waderos.ru, Private Person, 10000002@mail.ru
Webinst.ru, Private Person, 10000002@mail.ru
Wedikas.ru, Private Person, 10000002@mail.ru
Wedows.ru, Private Person, 10000002@mail.ru
Welcomeone.cn, LucasSteven, steven_lucas_2000@yahoo.com
Werobin.ru, Private Person, 10000002@mail.ru
Wetese.ru, Private Person, 10000002@mail.ru
Wldomen.com, Klan Jored, support@hosting-offshore.biz
Wogolot.ru, Private Person, 10000002@mail.ru
Xaker.cn, Real Host, abuseemaildhcp@gmail.com
Xxhackmail.ru, Private Person, 365346546@mail.ru
Xxvhost.com, Klan Jored, support@hosting-offshore.biz
Yes04ka.cn, Gregory, Michell.Gregory2009@yahoo.com
Yourgoogleanalytics.cn, Real Host, abuseemaildhcp@gmail.com
Yourgoogleanalytics.us, Olah Istvan, olah.istvan.ny@gmail.com


213.182.197.230
Benzonasoss.com, Aleksey Melnikov, mel1simkov@gmail.com
Csollw.com, Aleksey Melnikov, mel1simkov@gmail.com
Jlopi.com, Aleksey Melnikov, mel1simkov@gmail.com
Joltuiwater.com, Aleksey Melnikov, mel1simkov@gmail.com
Kartoshkachamp.com, Aleksey Melnikov, mel1simkov@gmail.com
Lipesr.com, Aleksey Melnikov, mel1simkov@gmail.com
Minfpafs.com, Aleksey Melnikov, mel1simkov@gmail.com
Nerkol.com, Aleksey Melnikov, mel1simkov@gmail.com
Updateserversoft.com, Chen Poon, chen.poon1732646@yahoo.com
Vizllp.com, Aleksey Melnikov, mel1simkov@gmail.com
Vmbs4.com, Aleksey Melnikov, mel1simkov@gmail.com
Werkp.com, Aleksey Melnikov, mel1simkov@gmail.com
Wherg.com, Aleksey Melnikov, mel1simkov@gmail.com

213.182.197.233
Banished.ru, Private Person, abuseemaildhcp@gmail.com
Bargian-hunt.com, Sean McCann, sean.mccann.1@hotmail.com
Pornonova.net, Anya Montague, gr4ndth3ft@hotmail.com
Proxyrent.cn, Chen Poon, chen.poon1732646@yahoo.com

213.182.197.234
Updategoogle.cn, Real Host LTD, abuseemaildhcp@gmail.com
Uppgoogle.cn, Real Host LTD, abuseemaildhcp@gmail.com

213.182.197.235
Aepi.ru, Private Person, polevweb@gmail.com
Evamedstore.com, Nikolai Vukolov, baton@bronzemail.net
Traffic-exchange.ru, Aleksej D Brozdov, ru-traffic-exchange@gmail.com

213.182.197.236
1gen1.ru, Andrey G Zubkov, a.zubkov@exeda.info
71sense.info, Vicky Chan, chan.wai.kay.1@gmail.com
71soldo.info, Vicky Chan, chan.wai.kay.1@gmail.com
71speed.info, Vicky Chan, chan.wai.kay.1@gmail.com
71spice.info, Vicky Chan, chan.wai.kay.1@gmail.com
7addition.info, Vicky Chan, chan.wai.kay.1@gmail.com
8addition.info, Vicky Chan, chan.wai.kay.1@gmail.com
8addition.org, Vicky Chan, chan.wai.kay.1@gmail.com
Add-content-filter.info, PrivacyProtect.org
Deonix.biz, Aleksey Melnikov, mel1simkov@gmail.com
Doplin.biz, Aleksey Melnikov, mel1simkov@gmail.com
Gnbd1.cn, Chen Poon, chen.poon1732646@yahoo.com
Hamatauto.biz, Aleksey Melnikov, mel1simkov@gmail.com
Hel90.biz, Aleksey Melnikov, mel1simkov@gmail.com
Lalalabemsbams.name, Aleksey Melnikov, mel1simkov@gmail.com
Tfx2corp.cn, TiankaiCui, cuitiankai@googlemail.com
Vip-internal.ru, Private Person, spy-logs-l12@inbox.ru

213.182.197.237
1gigabayt.com, Hau Cheng, haucheng@yahoo.com
Beauty-hot-pornxxx.com, Aleksey Melnikov, mel1simkov@gmail.com
Downloadoemsoftware.com, Chen Poon, chen.poon1732646@yahoo.com
Fire-hot-pornxxx.com, Aleksey Melnikov, mel1simkov@gmail.com
Hotflashplayer.com, Aleksey Melnikov, mel1simkov@gmail.com
Metroking.ws, Aleksey Melnikov, mel1simkov@gmail.com
Oneminute2u.biz, Aleksey Melnikov, mel1simkov@gmail.com
Rbckc.com, Aurore Hetu, AuroreHetu@fontdrift.com
Scans.cc, PrivacyProtect.org
Sexual69.ru, Artur G Antonov, antonov@rbcmail.ru
Thebestplayer.biz, Aleksey Melnikov, mel1simkov@gmail.com
Verivell.com, Hau Cheng, haucheng@yahoo.com
Xtraff.cn, Hau Cheng, haucheng@yahoo.com

213.182.197.238
Agroautoparts.com, Aleksey Melnikov, mel1simkov@gmail.com

213.182.197.243
Einrock.com, Puprov Ivan, captainjs@yandex.ru
Geo555.com, Vladim Ivanov, captainjs@yandex.ru
Makomset.com, Vladimir Ivanovich, captainjs@yandex.ru
Ribcot.com, Sergeev Kirill Nikolaevich, captainjs@yandex.ru

213.182.197.247
Sex-proector.ru, Private Person, toolssoft@mail.ru

213.182.197.249
Feed-place.cn, Gregory, Michell.Gregory2009@yahoo.com
Hit-senders.cn, Gregory, Michell.Gregory2009@yahoo.com
Search890.com, Chen Poon, chen.poon1732646@yahoo.com
Traffic-searches.cn, Chen Poon, chen.poon1732646@yahoo.com
Vikd3jj-1.com, Dmitry Ostupin, conroetxwelc@gmail.com
Vikd3jj-2.com, Dmitry Ostupin, conroetxwelc@gmail.com
Vikd3jj-3.com, Dmitry Ostupin, conroetxwelc@gmail.com
Vikd3jj-4.com, Dmitry Ostupin, conroetxwelc@gmail.com
Vintorrils-grag1.com, Dmitry Ostupin, conroetxwelc@gmail.com
Vintorrils-grag2.com, Dmitry Ostupin, conroetxwelc@gmail.com
Vintorrils-grag3.com, Dmitry Ostupin, conroetxwelc@gmail.com


213.182.197.251
Botnet.su, Mihail V Morozov, sdhj3jk@yandex.ru
2k90.cn, Real Host LTD, abuseemaildhcp@gmail.com
Abdulabah.cn, LucasSteven, steven_lucas_2000@yahoo.com
Babjr.cn, LucasSteven, steven_lucas_2000@yahoo.com
D4rkst4r.cn, Real Host LTD, abuseemaildhcp@gmail.com
Luks5.cn, LucasSteven / Cehhost, Michell.Gregory2009@yahoo.com
Serverinlit.cn, Real Host LTD, abuseemaildhcp@gmail.com

213.182.197.254
Go-file.ru, Grigoriy M Aleksandrov, aleksandrov@mail333.com

Wednesday, 22 July 2009

Even more pathetic SpamCop.net phish

I thought that phishing emails couldn't get more rubbish than this but it turns out that I was wrong. Enjoy:

Subject: FINAL ACCOUNT UPDATE!!!
From: "SPAMCOP SUPPORT TEAM" <helpdesk@spamcop.net>
Date: Wed, July 22, 2009 7:15 pm

Dear spamcop.net Subscriber,

We are currently carrying-out a mantainace
process to your spamcop.net account, to
complete this, you must reply to
this mail immediately, and enter your
User Name here (,,,,,,,,) And Password here
(.......) if you are the rightful owner of
this account.

This process we help us to fight against
spam mails.Failure to summit your password,
will render your email address
in-active from our database.

NOTE: If your have done this before, you may ignore
this mail. You will be send a password reset
messenge in next seven (7)
working days after undergoing this process
for security reasons.

Thank you for using spamcop.net!
THE SPAMCOP TEAM


The Reply-To email address is verification_teamss12@yahoo.com.hk, originating IP is 203.59.222.34.

Tuesday, 14 July 2009

43.gs: massive Google SERPs poisoning

I can't tell if this is accidental or deliberate, but there are a whole bunch of spam entries in Google for the 43.gs domain as you can see from this search.

It looks like some sort of redirect or copy, but the odd thing is that each 43.gs subdomain actually points at the legitimate server.

For example, ethviumvthvie.43.gs resolves to 198.246.98.21, which belongs to the US Centers for Disease Control (CDC). The CDC server accepts a request for ethviumvthvie.43.gs as a request for its genuine website, presumably because it serves the same content for any Host header rather than only for the names it actually owns.

As a result, Google has about 3.2 million results for 43.gs subdomains, all of which are duplicates of existing sites.

It looks like 43.gs offers some sort of legitimate URL shortening service based on subdomain names rather than the more common TinyURL/bit.ly style of short path. Have the bad guys found a way to use this to their advantage? Are they suddenly going to switch traffic to somewhere bad?

43.gs is showing a small bump in traffic recently, perhaps as a result of this?

There is a way of telling your web server to reject this kind of request: configure it to answer only for the hostnames it actually owns, with a default virtual host that refuses any other Host header instead of serving the real site under it.
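As an added illustration of that fix (example code written for this page, not anything from 43.gs or the CDC), the following small HTTP server answers only for an allowlist of its own hostnames and returns 421 Misdirected Request for anything else, so a stranger's subdomain pointed at its IP gets no duplicate copy of the site. The hostnames in ALLOWED_HOSTS are assumptions for the demonstration; the interesting part is the Host header normalisation, which has to cope with an optional port, a trailing dot, mixed case, an IPv6 literal and a missing header.

```python
"""Serve only for hostnames we own; refuse any other Host header.

Added example, not from the original post. Models the fix for the 43.gs
situation: a server that answers for any Host header will serve its own
site under a stranger's wildcard subdomain pointed at its IP address.
The hostnames in ALLOWED_HOSTS are assumptions for the demonstration.
"""
from http.server import BaseHTTPRequestHandler, HTTPServer

# Assumption: these are the only names this server is supposed to answer for.
ALLOWED_HOSTS = {"www.example.gov", "example.gov"}


def canonical_host(host_header):
    """Normalise a Host header value for comparison.

    Strips surrounding whitespace, an optional :port, a trailing dot and
    case. Returns None for an absent or malformed header.
    """
    if not host_header:
        return None
    host = host_header.strip()
    if host.startswith("["):                 # IPv6 literal, e.g. [::1]:8080
        end = host.find("]")
        if end == -1:
            return None
        host = host[:end + 1]
    else:
        host = host.split(":", 1)[0]
    host = host.rstrip(".").lower()
    return host or None


def host_allowed(host_header, allowed=ALLOWED_HOSTS):
    """True only when the request names one of our own hostnames."""
    host = canonical_host(host_header)
    return host is not None and host in allowed


def status_for(host_header, allowed=ALLOWED_HOSTS):
    """HTTP status to answer with: 200 for our own names, 421 (Misdirected
    Request) for anything else, including a missing Host header."""
    return 200 if host_allowed(host_header, allowed) else 421


class HostCheckingHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        status = status_for(self.headers.get("Host"))
        self.send_response(status)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        if status == 200:
            self.wfile.write(b"genuine site content\n")
        else:
            # Never echo the site under a name we do not own: a crawler
            # fetching stranger.43.gs must not see a duplicate of our pages.
            self.wfile.write(b"unknown host\n")

    def log_message(self, *args):  # keep the demonstration quiet
        pass


if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8080), HostCheckingHandler).serve_forever()
```

Run it and compare `curl -H 'Host: www.example.gov' http://127.0.0.1:8080/` with `curl -H 'Host: anything.43.gs' http://127.0.0.1:8080/`: only the first gets the content. The same allowlist idea is what a default `server_name _;` block that returns an error in nginx, or a catch-all default VirtualHost in Apache, gives you without writing any code.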

Really pathetic SpamCop.net webmail phish

Probably the most pathetic phish ever - the bad guys nicely provide a space in the email for you to put your username and password and then email it back. Combined with a fairly vague grasp of the English language, it's hard to see how this would fool anyone at all.

From: "SpamCop Webmaster online" <spamcop.net.webmaster@mchsi.com>
Date: Tue, July 14, 2009 4:11 pm
Cc: recipient list not shown:;
Priority: Normal

Dear SpamCop Webmail online Email Account Owner,

Important notice, harmful virus was detected in your account which can be harmful to our subscriber unit.You are to enter your Username and Password here {____________, __________} to enable us set in an anti virus in your user account to clear up this virus. we do need your co-operation in this, Providing us with this information we enable us insert in your account an anti virus machine for clean up.

We are sorry for the inconveniences this might have cost you. Failure to do this, we are sorry to let you know that your account will be deleted immediately to prevent it from arming our subscriber unit.

Thank you for using SpamCop Webmail,
We are glad at your service,
SpamCop Webmaster online.

Originating IP is an open proxy at 200.65.129.2.

Korea DDOS - run for the hills!

The recent DDOS attacks against Korean and US government sites are well known, with calls for reprisals ranging from "cyber-attacks" to the occasional nutjob suggesting that real bombs be used.

Unfortunately, it turns out that the C&C server for the botnet carrying out the attack may well be in the UK. So perhaps we can expect a rush of malformed packets and/or Tomahawk cruise missiles heading for the UK soon..

via

Monday, 6 July 2009

Phorm: hahahahah

With a bit of luck, it appears that Phorm may be going down the toilet, as BT announce that they are not going to deploy Phorm's deep packet inspection technology. More at the BBC News site.

With a bit of luck, Phorm's share price will end up as a penny stock very soon.

Saturday, 4 July 2009

Piradius.net / Yohost.org - black hat hosting?

Piradius.net is a web host in Malaysia that has cropped up a few times as hosts for this long-running scam.

It seems that this isn't an isolated case. Looking at just one server gives us a number of other fraudulent domains:

  • bestcrisisprices.com - fake ecommerce site registered to Michell.Gregory2009@yahoo.com that has been used for this fraud, this fraud and many others.
  • blizzard-battle.net - fake "World of Warcraft" login page, presumably designed to harvest usernames and passwords.
  • europemedicalnet.com - claims to be a German medical company, in reality it isn't. Purpose unclear, probably run by Manuel Fichter.
  • everyhit.info - front-end for the registry-cleaner-comparisons.com fraudware site.
  • evilcheats.org - registered to kingstonsmith@hushmail.com who is connected with many fraudulent and/or suspect sites.
  • excelcapitals.com - smart looking but suspect "get rich quick" site, apparently based in Panama.
  • flyappraisals.com - fake domain appraisals.
  • flyrating.com - fake domain appraisals.
  • germanymedicalnet.com - currently displaying text from the Pozde.com domain scam.
  • gooogled.com - appears to sell knock-off designer goods.
  • hellas-warez.com - "Warez" as in illegal software downloads.
  • hygetropin-hgh.com - Claims to export prescription drugs from China.
  • indigo-net.org - another "Kingston Smith" domain.
  • jessicassoftware.com - suspiciously cheap software.
  • maximizedlivingscam.com - another "Kingston Smith" domain.
  • nameorange.com - fake domain appraisals.
  • nextdayrelief.com - unconvincing "pharmacy" that claims to be in the US, but hosts in Malaysia.
  • pedma.com - fake domain appraisals.
  • podzz.com - fake domain appraisals.
  • poker-bonus-codes.de - Kingston Smith again.
  • pozde.com - fake domain appraisals.
  • r4ishop.com - with prices in pounds sterling, it appears to be passing itself off as a UK-based electronics retailer. In reality, everything is anonymised and it could be based anywhere.
  • rc-chem.net - claims to be a Canadian supplier of steroids, a Google search on the domain is enlightening.
  • replica-prestigious-watches.com - fake designer watches.
  • tropicalnames.com - fake domain appraisals.
  • yohost.org - anonymous hosting.
In fact, it's the last domain "yohost.org" which gives a clue as to what is really going on. Yohost.org looks like a reseller of Piradius.net's hosting and it advertises itself as "100% anonymous hosting and anonymous DNS and domain name services" which is "beyond the reach of virtually any government or law enforcement agency."

If you Google for "anonymous hosting" then Yohost.org comes up as #4. So you can see where their customers are coming from.

Yohost.org also rents other servers from Piradius.net, and these carry a mix ranging from sites that appear very dodgy indeed to sites that appear legitimate.

They appear to run the following IPs and probably others too:

124.217.231.173
124.217.231.209
124.217.250.102
124.217.250.106

Hosting rubbish like this does not enhance Piradius.net's reputation; they would really be better off booting Yohost.org in order to clean up their IP range.

Thursday, 2 July 2009

Domain scam: ntwifinetwork.com / js-wifi.cn

The old Chinese domain scam has been around for years, but these guys are getting lazy because they haven't changed their domains for months; this is essentially unchanged from April.

Subject: Domain Dispute and Registration
From: "Sunny"
Date: Thu, July 2, 2009 4:07 am

To whom it may concern: 2009-7-2

We are a domain name registration service company in Asia,

Last week we received a formal application submited by Justin Lin who wanted to use the keyword "REDACTED" to register the Internet Brand and with suffix such as .cn /.com.cn /.net.cn/.hk/ .asia/ domain names.

After our initial examination, we found that these domain names to be applied for registration are same as your domain name and trademark. We aren¡¯t sure whether you have any relation with him. Because these domain names would produce possible dispute, now we have hold down his registration, but if we do not get your company¡¯s an reply in the next 5 working days, we will approve his company's application

In order to handle this issue better, Please contact us by Fax ,Telephone or Email as soon as possible.



Yours sincerely

Sunny

Checking Department

Tel: 86 513 8532 1087
Fax: 86 513 8532 2065
Email:Sunny@ntwifinetwork.com
Website: www.js-wifi.cn

Our File No.:2272363

Originating IP is 122.193.216.10.

As ever, legitimate domain registrars do not send out this type of email; the senders are NOT a registrar acting on your behalf. Sometimes the Chinese domains do get registered, sometimes they are ALREADY registered, and often they never get registered at all. But before you panic and pay money to these scammers, consider this: there are hundreds of top-level domains in the world. Do you really want to buy your domain in all of them? The answer is probably "no".

The best advice is to ignore this email completely.

Tuesday, 30 June 2009

%SI_subj: miserable spam failure

Possibly one of the most miserable spam failures I have ever seen - the idiot spammer somehow forgot to populate the % fields with actual data. It just goes to reinforce that spammers are stupid.

Subject: %SI_subj
From: "Lily Lovett"
Date: Tue, June 30, 2009 2:47 pm

You don’t need to %SI3_rnd10
rod’s %SI3_rnd11 and %SI3_rnd12 %SI3_rnd13’ jokes!

This is a %SI3_rnd14 for
%SI3_rnd15 your
%SI3_rnd16! It will
%SI3_rnd17 in seconds after she %SI3_rnd18 and %SI3_rnd19 as good as if it was
a %SI3_rnd20 rod!

No more jokes – you will always get %SI3_rnd21 and moans! The huge pack
costs less than 30 %SI3_rnd22!

%SI3_rnd23 can be a %SI3_rnd24! No one will know about your %SI3_rnd25!

%SI3_rnd26 now and save more than $10 regardless of
your order’s size!

The hypertext link goes to %SI_link3 rather than a valid address.

Presumably this is a penile enhancement product. By the looks of it, the spammer could do with an intelligence enhancement product.

Password masking facepalm

A bizarre shot in the security vs usability argument, as reported by El Reg: Masked passwords must go which reports on research saying that masked passwords are more trouble than they are worth.

A key bit of the argument? "Shoulder surfing is largely a phantom problem".. umm yeah, because people's passwords usually just show as blobs or stars so there's no point. If your damned password comes up as plaintext then you can betcha that it WILL be a problem.

Facepalm

Saturday, 27 June 2009

flyrating.com scam

Flyrating.com is a re-run of the flyappraisals.com scam - a fake domain name evaluation service that is spamvertised through a bogus offer to buy a domain.


Although the servers are hosted in Malaysia, there is strong evidence linking these to a person of German origin living in Canada. More information here.

Saturday, 20 June 2009

Mystery mibug-credit.com / wiremouse.com spam

This is one of those "wtf" spams.

Subject: Refund of Duplicate Payment
From: "Customer Care Center" <2712@mibug-credit.com>
Date: Sat, June 20, 2009 8:12 pm

Dear Business Partner!

Enclosed is our e-check in the amount of EURO 1,750.00 which represents a refund for your inadvertent duplicate
remittance for payment of transaction no. 267.

We are pleased that our bookkeeping department discovered this overpayment so quickly.

Thank you.

Instant Number Accounts
Credit Cards Bulk and Wholesale
http://mibug-credit.com

Yes, you'd think that there's a malware payload or something, but there isn't. Let's check out the domain registration details - the site is hosted at 213.208.134.154 in Austria:

owner-contact: P-GFB634
owner-organization: MIBUG CREDIT UG
owner-fname: Georg
owner-lname: BENDL
owner-street: Menzingerstrasse 130
owner-city: MUENCHEN
owner-zip: D80997
owner-country: DE
owner-phone: +49.180523363313143
owner-email: wmt18703@kunde.webmachine.eu

This is meant to be some sort of financial services site, but the domain was only registered on 8th June 2009.


The site does very little, you can try to open an account (which requires you handing over a bunch of personal information), but there's no way of getting this "refund". There are a few links to wiremouse.com on the site, something that's hosted on the same server.. so let's have a look at what else is on 213.208.134.154:

  • Afrohair.at
  • Altkatholiken.net
  • Bankparadies.com
  • Bmc-london.co.uk
  • Bmc-shop.co.uk
  • Cocodonia.com
  • Firmenparadies.com
  • Jr-austria.com
  • Mibug-credit.com
  • Quotum.at
  • Schmeissfliegen.com
  • Server1.biz
  • Sofortbetrieb.com
  • Tiefpreiszentrum.com
  • Turi-landhaus.com
  • Wiremouse.com
The server identifies itself as Server1.biz, also registered to Georg Bendl, but this time in Austria:

Registrant ID: C6565959-B-CO
Registrant Name: Georg BENDL
Registrant Address1: Bacherstrasse 7
Registrant City: GRIES
Registrant Postal Code: A5662
Registrant Country: Austria
Registrant Country Code: AT
Registrant Phone Number: +43.66492436352
Registrant Email: WMT5549@kunde.wmtech.net

Hmmm.. OK, well what about wiremouse.com?

owner-contact: P-NVM192
owner-organization: Managed Offshore Payment Services Limited
owner-fname: Nikolas
owner-lname: MAKIN
owner-street: Cariocca Business Park 2 Sawley Road
owner-city: MANCHESTER
owner-zip: GM40 8BB
owner-country: GB
owner-phone: +44.7031887152
owner-email: wmt8464@kunde.webmachine.eu

So, it's based in the UK? Well, the postcode is not a valid UK postcode.. but in fact, Companies House does have a firm of the name Managed Offshore Payment Services Limited registered. But its accounts are overdue and there is a proposal to "strike off" the firm.

Let's look at bmc-london.co.uk on the same server:

Domain name:
bmc-london.co.uk

Registrant:
Bendl Georg

Registrant type:
Unknown

Registrant's address:
38 Homer Street
LONDON
GW1H 4NH
GB

Registrar:
Key-Systems GmbH [Tag = KEY-SYSTEMS-DE]
URL: http://www.Key-Systems.net

Relevant dates:
Registered on: 04-Sep-2008
Renewal date: 04-Sep-2010

Registration status:
Registered until renewal date.

Name servers:
ns1.webmachine.at
ns2.webmachine.at

This Georg Bendl chap moves around a lot. The address exists, although it's hard to verify whether a real company operates from it.

In fact, most domains seem to be registered to "Georg Bendl", but the address is different in almost every case (although Salzburg features more than once).

It's hard to fathom what this spam is about, although these sites do consistently link back to wiremouse.com. Some sort of SEO? A Joe Job? A phish? Email marketing gone horribly wrong? I don't know.

The final clue is that the sending IP address is 62.47.184.176, which is an ADSL subscriber in Austria. Draw your own conclusions, but I would be tempted to give all of these domains a wide berth.

Friday, 19 June 2009

FAIL: "Microsoft has released an update for Microsoft Outlook"

This email looks like it's from Microsoft, but it is really intended to load a trojan onto your PC:

From: Microsoft Customer Support [mailto:no-reply@microsoft.com]
Sent: 18 June 2009 22:47
Subject: Microsoft has released an update for Microsoft Outlook

Critical Update

Update for Microsoft Outlook / Outlook Express (KB910721)
Brief Description
Microsoft has released an update for Microsoft Outlook / Outlook Express. This update is critical and provides you with the latest version of the Microsoft Outlook / Outlook Express and offers the highest levels of stability and security.
Instructions
• To install Update for Microsoft Outlook / Outlook Express (KB910721) please visit Microsoft Update Center:
http://update.microsoft.com/microsoftofficeupdate/isapdl/default.aspx?ln=en-us&id=[redacted]
Quick Details
• File Name: officexp-KB910721-FullFile-ENU.exe
• Version: 1.4
• Date Published: Thu, 18 Jun 2009 16:46:55 -0500
• Language: English
• File Size: 81 KB
System Requirements
• Supported Operating Systems: Windows 2000; Windows 98; Windows ME; Windows NT; Windows Server 2003; Windows XP; Windows Vista
• This update applies to the following product: Microsoft Outlook / Outlook Express
Contact Us
© 2009 Microsoft Corporation. All rights reserved. Contact Us |Terms of Use |Trademarks |Privacy Statement


Although the link appears to point to the Microsoft web site, the underlying URL is quite different. From samples I have plus some scraped from the interwebs, I came up with the following:

hxxp:||update.microsoft.com.ijlijji.com/microsoftofficeupdate/isapdl/default.aspx?ln=en-us&id=[redacted]
hxxp:||update.microsoft.com.ijj1hjf.com/microsoftofficeupdate/isapdl/default.aspx?ln=en-us&id=[redacted]
hxxp:||update.microsoft.com.ijlijjh.net/microsoftofficeupdate/isapdl/default.aspx?ln=en-us&id=[redacted]
hxxp:||update.microsoft.com.ijlijj1.com/microsoftofficeupdate/isapdl/default.aspx?ln=en-us&id=[redacted]
hxxp:||update.microsoft.com.ijlijji.net/microsoftofficeupdate/isapdl/default.aspx?ln=en-us&id=[redacted]
hxxp:||update.microsoft.com.il1if1.com.mx/microsoftofficeupdate/isapdl/default.aspx?ln=en-us&id=[redacted]

The reason why this is a FAIL? None of the domains are registered apart from the .com.mx one, so clicking the links will do precisely nothing. il1if1.com.mx is hosted on a botnet with presumably fake registration details, but it seems to be quite unreliable.

Even though this attack doesn't work, it might be a good idea to keep an eye out for it and warn any end users you have. Searching your proxy logs for hostnames that begin update.microsoft.com. but are not actually under microsoft.com may well be useful too.
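To show what that proxy-log search looks like in practice, here is an added example (written for this page, not taken from the original post or from any vendor tool). It walks Squid-style access log lines, pulls the hostname out of each request, and flags any hostname that starts with a trusted name as whole labels but is registered under a different domain, which is exactly the trick in the update.microsoft.com.ijlijji.com URLs above. The log lines are constructed for the demonstration, the TRUSTED list is an assumption, and the tiny two-label suffix table stands in for the full Public Suffix List, which a real deployment should use.

```python
"""Flag proxy-log hostnames that impersonate a trusted site by prefix.

Added example, not from the original post. The phish used names like
update.microsoft.com.ijlijji.com: the genuine name is the left-hand part,
but the registrable domain is ijlijji.com. The log lines below are
constructed for the demonstration, not real traffic.
"""
from urllib.parse import urlsplit

# Assumption: the names we care about being impersonated.
TRUSTED = ["update.microsoft.com", "www.microsoft.com"]

# Simplified stand-in for the Public Suffix List: suffixes under which the
# registrable domain is one label deeper. Use the real list in production.
TWO_LABEL_SUFFIXES = {"com.mx", "co.uk", "com.au", "com.cn", "co.jp"}

# Constructed Squid native-format lines (not real traffic).
SQUID_LOG = """\
1245343200.123    210 10.0.0.7 TCP_MISS/200 5123 GET http://update.microsoft.com/microsoftofficeupdate/isapdl/default.aspx?ln=en-us - DIRECT/65.55.0.1 text/html
1245343260.456    180 10.0.0.9 TCP_MISS/200 83968 GET http://update.microsoft.com.ijlijji.com/microsoftofficeupdate/isapdl/default.aspx?ln=en-us&id=1 - DIRECT/192.0.2.10 application/octet-stream
1245343300.789     90 10.0.0.9 TCP_MISS/503 0 GET http://update.microsoft.com.il1if1.com.mx/microsoftofficeupdate/isapdl/default.aspx?ln=en-us - DIRECT/192.0.2.11 text/html
1245343360.012    120 10.0.0.12 TCP_MISS/200 2300 GET http://www.example.org/index.html - DIRECT/192.0.2.12 text/html
1245343420.345     40 10.0.0.12 TCP_MISS/200 310 CONNECT update.microsoft.com.ijlijjh.net:443 - DIRECT/192.0.2.13 -
"""


def registrable_domain(hostname):
    """Return the registrable (eTLD+1) part of hostname, or None."""
    labels = hostname.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return None
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def impersonates(hostname, trusted=TRUSTED):
    """Return the trusted name that hostname is dressed up as, or None.

    A hit means the hostname begins with a trusted name as complete labels
    yet its registrable domain differs from the trusted name's.
    """
    host = hostname.lower().rstrip(".")
    for name in trusted:
        if host.startswith(name + ".") and registrable_domain(host) != registrable_domain(name):
            return name
    return None


def host_from_request(target):
    """Hostname from a Squid request target: a full URL, or host:port for CONNECT."""
    if "://" in target:
        return urlsplit(target).hostname
    return target.rsplit(":", 1)[0] if ":" in target else target


def scan_squid_log(text, trusted=TRUSTED):
    """Return (client_ip, hostname, impersonated_name) for each suspicious request."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 7:          # time elapsed client status bytes method url ...
            continue
        client, target = fields[2], fields[6]
        host = host_from_request(target)
        if not host:
            continue
        name = impersonates(host, trusted)
        if name:
            hits.append((client, host, name))
    return hits


if __name__ == "__main__":
    for client, host, name in scan_squid_log(SQUID_LOG):
        print("%s requested %s (looks like %s)" % (client, host, name))
```

Note that the CONNECT line is caught too: with HTTPS the proxy only ever sees host:port, so a detection that only parses full URLs would miss the TLS variant of the same lure.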

Tuesday, 16 June 2009

WebTrends just doesn't get it

WebTrends is a web analytics service I used to run a few years ago, until the hundreds of dollars per month it was charging for analytics that I could get cheaper elsewhere (or now even free) became ridiculous.

So, I stopped using the service and opted out of all email communications as I was no longer interested. So, this bizarre email from WebTrends plops into my mailbox today:


Thank you for taking a moment to look at this email. We know you've unsubscribed from Marketing Communications from us and respect your request, but wanted to let you know that we're making some much-needed changes to our email programming. Our new approach lets you tell us what messages you want. Tell us which of these topics are most valuable to you and we'll limit what we send to what you're interested in. Simply click on the link below to personalise your email subscription. Still not interested? Ignore this message, it'll be the last email you receive from us.
Let's read that again.. "We know you've unsubscribed from Marketing Communications from us and respect your request".. well, clearly you bloody aren't respecting my request, are you?

WebTrends is not the worst offender - some companies simply do not understand the meaning of the word "unsubscribe". Doesn't it mean "don't send me anything unless I change my mind"? It seems it now means "don't send me anything unless you really want to" instead.

Thursday, 11 June 2009

Personal Computer World to close

Noooo! According to the Guardian, Personal Computer World is to close after 31 years of publication. I've read it for 29 of those 31 years. A damned shame, and the only paper-based IT magazine I still read.

Mind you, I'm still upset about BYTE closing and that was 11 years ago!

The last issue of PCW is out on the 18th June. Sniff.

Wednesday, 3 June 2009

mediahousenamemartmovie.cn / nonfathighestlocate.cn injection attack

Another set of injection attacks seems to be doing the rounds, possibly related to the recent Gumblar attack.

In this case, the injected code is an IFRAME pointing to hxxp:||mediahousenamemartmovie.cn:8080/ts/in.cgi?pepsi27 and redirecting to hxxp:||nonfathighestlocate.cn:8080/index.php which attempts to load a Flash exploit (VirusTotal results) and PDF exploit (VirusTotal results). The payload includes a DLL (perhaps C:\Windows\System32\1028T.DLL although it may vary) that offers some sort of backdoor functionality (VirusTotal results).

The malware domains are on 89.149.240.64 in Germany, all domains on that server seem to be malware related and should be blocked. The server identifies itself via RDNS as "fuckingl33t.eu" although that proves nothing.
  • Autobestwestern.cn
  • Bestlitediscover.cn
  • Bestwebfind.cn
  • Bigbestfind.cn
  • Bigtopartists.cn
  • Giantnonfat.cn
  • Greatbethere.cn
  • Homenameworld.cn
  • Hugebest.cn
  • Hugebestbuys.cn
  • Hugepremium.cn
  • Hugetopdiscover.cn
  • Litepremium.cn
  • Litetopfinddirect.cn
  • Litetopseeksite.cn
  • Lotbetsite.cn
  • Mediahomenameshoppicture.cn
  • Mediahousenamemartmovie.cn
  • Nameforshop.cn
  • Nanotopdiscover.cn
  • Nonfathighestlocate.cn
  • Thebestyoucanfind.cn
  • Topfindworld.cn
  • Toplitesite.cn
  • Tvnameshop.cn
  • Yourlitetopfind.cn
Nonfathighestlocate.cn was on 89.149.240.64, but has since been pointed at 82.208.58.199 in the Czech Republic.

If this is related to Gumblar, then the problem could be down to compromised FTP passwords. If your site has been infected with this attack, then you need to carefully check each machine that has FTP access to your website, clean them up and then change your FTP password to something secure.

Monday, 1 June 2009

flyappraisals.com scam

Part of an ongoing domain name scam, flyappraisals.com is a fake domain name appraisal used in conjunction with a bogus unsolicited offer to buy a domain, similar to the following:

We are interested to buy your domain name [redacted] and offer to buy it from you for 65% of the appraised market value.

As of now we accept appraisals from either one of the following leading appraisal companies:

sedo.com
flyappraisals.com
accuratedomains.com


If you already have an appraisal please forward it to us.

As soon as we have received your appraisal we will send you our payment (we use Paypal for amounts less than $2,000 and escrow.com for amounts above $2,000) as well as further instructions on how to complete the transfer of the domain name.

We appreciate your business,
Out of these three "appraisal" companies, flyappraisals.com is the cheapest. So, naturally a lot of people will part with some money for an appraisal. Of course, the offer to buy the domain name never comes through and the domain name owner is out of pocket.

It looks like this scam is being run out of Canada, and we have covered it many times before: here, here, here and here. If you live in Canada and have been ripped off, then reporting it to the RCMP may get some results. You should also raise a dispute with PayPal to get a refund.


This particular site has a jolly bit of flash on it, unlike the plain HTML of the old sites. It is hosted on 124.217.231.209 in Malaysia.

Friday, 29 May 2009

Bing.com is coming. W00t!

Microsoft is launching a new search engine called bing.com on Monday. Given the current fashion for "reboots" in movies and TV shows, bing.com can be considered a reboot of live.com which in turn was a reboot of MSN Search, and it follows in the great tradition of Google Killers such as.. errr... Cuil.

Microsoft say:
We took a new approach to go beyond search to build what we call a decision engine. With a powerful set of intuitive tools on top of a world class search service, Bing will help you make smarter, faster decisions. We included features that deliver the best results, presented in a more organized way to simplify key tasks and help you make important decisions faster.

And features like cashback, where we actually give you money back on great products, and Price Predictor, which actually tells you when to buy an airline ticket in order to help get you the best price — help you make smarter decisions, and put money back in your pocket.
I say:
Meh.
Microsoft have never been any good at search, and it's hard to see how this will beat Google when all people want to do is find stuff and move on. Heck, even Google struggles to get people to use more than search - according to Alexa, 90% of Google traffic is for search, image search and mail. If people really wanted more, they would probably use it.

Anyway, we fixed Bing's logo for them.



According to the Internet Archive, the bing.com domain already has a substantial history of fail, including a bizarre scheme to turn email messages into snail mail post. Hmmmm.

Thursday, 28 May 2009

Podzz.com domain scam

Podzz.com is the latest incarnation of a fraudulent domain appraisal scam being run out of Canada. The basic pitch is that you receive an unsolicited offer for a domain name, with a list of three or more possible appraisal services to evaluate it. In this case, podzz.com is the cheapest, and the most likely for the victim to choose.

Of course, what then happens is that the offer disappears and the victim is out of pocket. We have covered this scam and the people behind it here, here and here. Avoid.

Wednesday, 27 May 2009

"Dealer warning as police investigate security imposters"

I don't usually recycle press releases, but this one is of interest. It's really aimed at mobile phone dealers and details the possibility of customer poaching through stolen paperwork, but it seems to have good general guidance that applies to most companies.

Dealer warning as police investigate security imposters
CRIMINAL gangs posing as security staff are targeting mobile phone dealers, according to experts.

Scammers are trying to trick staff into handing over confidential data by pretending to be from shredding companies according to one of the UK’s largest operators.

Competitors are even reported to be raiding the bins of dealers with lax security at their premises to uncover useful details about contract expiry dates.

Jim Watson, managing director of Shred Easy, which destroys confidential data for mobile phone dealers, said:

“Scammers are targeting dealers to get their hands on valuable paperwork. There has been a spate of people pretending to be working for Shred Easy and our competitors by trying to trick staff into handing over bags of confidential data that has been safely kept within a store.


“Mobile phone dealers are vigilant in terms of securely storing their data but when it comes to the disposal of that information they must be alert to con artists trying to trick them into handing it over.


“Major operators will suffer dearly and some independent dealers could even be put out of business if the data fell into the wrong hands. The loss of confidential phone numbers, contact details as well as details about contracts and customers would be devastating.


“We have already been in contact with the police and made them aware of the details. I can’t go into details about who was targeted for legal reasons but it was a major mobile phone retailer and we’ve ensured their staff are alert and follow the official policy for dealing with confidential waste.


“Dealers must also be alert to the fact that their competitors are fighting tooth and nail to get their hands on data and in some cases we’ve heard reports of competitors sifting the bins outside dealerships to get confidential customer details so they can be poached at a later date.”

Shred Easy offers five top tips for mobile phone dealers:

1) Always ask for identification
2) Only deal with an accredited shredding company
3) Make use of professional ‘onsite shredding vehicles’
4) Store confidential data securely in store
5) Don’t throw paperwork in the bin


See www.shreadeasy.com

While you might think to challenge someone coming into your business premises, how often do you check that people taking waste away are really who they say they are?

Tuesday, 26 May 2009

"Norton Finance" fraudulent loan offer

Norton Finance are a real company that offers loans, typically to people with poor credit ratings. This lazy scam email is not from Norton Finance, but is instead a scam, routed through IP address 209.226.175.134 in Canada which is well known for fraudulent emails. Avoid.

Subject: home loan or loan for any legitimate reason
From: "NORTON FINANCE COMPANY" bengalfinancial@bellnet.ca
Date: Tue, May 26, 2009 9:48 pm

For further enquires and to apply for a loan from us,please feel free to contact our application desk with details.Send us an email
Mr. Tony White
norton.finance@btinternet.com
Regards,
Stanke Kathryn
(Online Advertiser)
NORTON FINANCE COMPANY (NFC)

Wednesday, 20 May 2009

mig-design.com fraudulent job offer

A straightforward pitch for what is probably a money mule operation.

Subject: Looking for a job? More info here
From: "Shirley Schafer" boss@adabillur.com

Greetings,

If you are still looking for a well-paid part time job (2-4 hours a day) with possible full-time promotion opportunities at one of top-echelon Management Companies, please e-mail your resume/CV or a short description of your former activities.

Use ONLY corporative e-mail address below for all further correspondence:
office@mig-design.com

Necessary information concerning working and cooperation opportunities, financial benefits and advantages is sent by your request.

Yours faithfully,
Recruiting Office,
MIG Management and Design

Let's look at mig-design.com.. actually, don't - it's never a good idea to poke at spamvertised sites unless you know what you are doing. There's not much to see apart from a snazzy logo saying "MIG International Design Group".

The logo has clearly been professionally designed. But it also appears to have been stolen from this site although amusingly the spammers have corrected the obvious spelling error.

Let's check out the WHOIS details:

Name : Michell
Organization : Michell
Address : 56/2 Sun str.
City : Dallas
Province/State : beijing
Country :
Postal Code : 85230
Phone Number : 86--56343365
Fax : 86--56343365
Email : Michell.Gregory2009@yahoo.com


A quick Google search for that email address shows several hits.. indeed, it has been used before for the luxgroupnz.com scam.

The IP address of the site is 61.150.91.136 in China and usually in these circumstances it is safe to assume that ALL sites on the same server are suspect:

  • Bsi-investment.com
  • Bsibanksingapore.com
  • Ckinter.cn
  • Ckinter.ru
  • Freeadulttube.com.cn
  • Importfinanceinc.com
  • Intdgroup.com
  • Lloydsinsurer.com
  • Luxgroupww.com
  • Majordesigngroup.net
  • Medikmenty.com
  • Mens-health.com.cn
  • Mig-design.com
  • Mig-disign.com
  • Teentube.com.cn
  • Vsehorosho.info
  • W-trabajo.com
  • Wploy-empleo.com
  • Wtrabajo.com
In this case the email originates from 117.197.0.23 in India.

A flashy logo does not mean that it's a legitimate site. In this case the spammers have just ripped off someone else's identity. Avoid.

Tuesday, 19 May 2009

Phorm Whitewash

The British government's stance on Phorm has always been pretty supine. Despite serious allegations of criminal misconduct by Phorm and BT, the Government has again decided to whitewash the issue after politely ignoring the latest anti-Phorm petition.

Thank you for the e-petition on internet advertising technologies and customer privacy.

As your petition states, some Internet Service Providers (ISPs) have been looking at the use of Phorm’s Webwise and Open Internet Exchange (OIX) products. However, the only use of the technology so far has been the trials conducted by BT.

Advertisers and ISPs need to ensure that they comply with all relevant data protection and privacy laws. It is also important that consumers’ privacy is protected and that they are given sufficient information and opportunity to make a clear and informed decision whether to participate in services such as Phorm.

The Government is committed to ensuring that people’s privacy is fully protected. Legislation is in place for this purpose and is enforced by the Information Commissioner’s Office (ICO). ICO looked at this technology, to ensure that any use of Phorm or similar technology is compatible with the relevant privacy legislation. ICO has published its view on Phorm on its website:

[link]

ICO is an independent body, and it would not be appropriate for the Government to second guess its decisions. However, ICO has been clear that it will be monitoring closely all progress on this issue, and in particular any future use of Phorm’s technology. They will ensure that any such future use is done in a lawful, appropriate and transparent manner, and that consumers’ rights are fully protected.
In other words - private companies unlawfully spying on citizens is no concern of the government.

Conspiracy theorists like to point out that Phorm's web monitoring technology is exactly the sort of thing that the government wants to do. Fortunately, it looks like Phorm is perhaps on its last legs after the launch of this bizarre foaming-at-the-mouth blog that they started recently.

The government's complete disdain for British citizens is astonishing, and will probably be reflected in a humiliating result in next month's European and local elections. But then if voting really changed anything, this government probably would make it illegal.

Monday, 18 May 2009

NameOrange / nameorange.com scam

Another variant of this scam and this scam, linked to a guy called Manuel Fichter. The basic pitch is that you get an email offering to buy your domain name which lists a number of "approved" domain appraisers; the one that appears to be cheapest is actually run by the scammer.



Avoid this one. If you live in Canada and believe that you have been defrauded, then contact your local RCMP and make a complaint about:

Manuel Fichter
38 Matthew Drive
Hammonds Plains, NS B4B 1T8
Canada

martuz.cn injection attack

In the past couple of weeks, thousands of websites were hit with an injection attack pointing to gumblar.cn.. this week it has changed to martuz.cn. It's not a SQL injection attack as far as I can tell; the smart money is that it is using compromised FTP credentials, possibly harvested from end-user PCs, rather than a problem with the web server itself.

A typical attack is that JS files on the victim's server are altered with an obfuscated (i.e. partly encrypted) script which might vector through martuz.cn/vid/?id=5718066 or martuz.cn/vid/?id=575730 or something similar, then leading to martuz.cn/vid/?id=3 or another similarly named page (the exact URLs may vary depending on the client software).

There's a writeup about martuz.cn here and here, in the meantime blocking traffic to the domain and the IP address 95.129.145.58 will probably be a good idea.
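Both this post and the mediahousenamemartmovie.cn one above describe the same symptom on the victim's side: files under the web root that have had an IFRAME or an obfuscated script appended to them. The script below is an added example and not code from either post: it walks a web root, flags any file that references the domains or IPs named in the two posts, and also looks for a few generic signs of an injected loader (an IFRAME to a :8080 port, the /ts/in.cgi? redirector path, and eval/unescape or long hex-escaped runs). The generic patterns are my assumption about what such injections commonly look like, not something the posts state, so treat a hit on them as a prompt to inspect the file rather than proof of compromise. The demo builds a throwaway web root with one clean file and one injected file so it runs offline.

```python
import os
import re
import tempfile

# Indicators taken from the two posts above: injection/redirect domains and hosting IPs.
BLOCKLIST_DOMAINS = {
    "mediahousenamemartmovie.cn",
    "nonfathighestlocate.cn",
    "martuz.cn",
    "gumblar.cn",
}
BLOCKLIST_IPS = {"89.149.240.64", "82.208.58.199", "95.129.145.58"}

# Generic signs of an injected loader (assumption: typical of this class of attack,
# not stated in the posts).
PATTERNS = [
    ("iframe-to-8080", re.compile(r"<iframe[^>]+src=[\"']?https?://[^\"'\s>]+:8080/", re.I)),
    ("redirector-in.cgi", re.compile(r"/ts/in\.cgi\?", re.I)),
    ("js-eval-unescape", re.compile(r"eval\s*\(\s*unescape\s*\(", re.I)),
    ("hex-escaped-run", re.compile(r"(?:%[0-9a-f]{2}){40,}|(?:\\x[0-9a-f]{2}){20,}", re.I)),
]


def scan_text(text):
    """Return a list of (indicator, evidence) pairs found in one file's contents."""
    hits = []
    lowered = text.lower()
    for domain in sorted(BLOCKLIST_DOMAINS):
        if domain in lowered:
            hits.append(("domain", domain))
    for ip in sorted(BLOCKLIST_IPS):
        if ip in text:
            hits.append(("ip", ip))
    for name, rx in PATTERNS:
        m = rx.search(text)
        if m:
            hits.append((name, m.group(0)[:60]))
    return hits


def scan_webroot(root, exts=(".js", ".html", ".htm", ".php")):
    """Walk a web root; return {relative_path: hits} for files with at least one hit."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if not fn.lower().endswith(exts):
                continue
            path = os.path.join(dirpath, fn)
            try:
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    hits = scan_text(fh.read())
            except OSError:
                continue  # unreadable file: skip rather than abort the sweep
            if hits:
                findings[os.path.relpath(path, root)] = hits
    return findings


def demo():
    """Constructed web root: one clean JS file and one page carrying the injected IFRAME."""
    root = tempfile.mkdtemp(prefix="webroot-")
    os.makedirs(os.path.join(root, "js"))
    with open(os.path.join(root, "js", "site.js"), "w") as fh:
        fh.write("function init(){document.getElementById('x').onclick=go;}\n")
    with open(os.path.join(root, "index.html"), "w") as fh:
        fh.write("<html><body>Hello</body>\n"
                 "<iframe src=\"http://mediahousenamemartmovie.cn:8080/ts/in.cgi?pepsi27\" "
                 "width=1 height=1></iframe></html>\n")
    return scan_webroot(root)


if __name__ == "__main__":
    for path, hits in demo().items():
        print(path)
        for indicator, evidence in hits:
            print("   ", indicator, "->", evidence)
```

Point it at a copy of the site taken over FTP rather than at the live server, and remember that cleaning the files is only half the job: if the credentials were harvested from a workstation, the injection will simply come back until that machine is cleaned and the password changed.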

Wednesday, 13 May 2009

419ers hit by the downturn?

A strangely worded 419 scam arrived today in a format I haven't seen before. Perhaps the economic downturn is having an effect on the supply of gullible people?

Subject: THAT IS ALL I CAN DO FOR YOU
From: "RICHARD GOZNEY" bhcommission1@mail2consultant.com
Date: Tue, May 12, 2009 6:56 pm

BRITISH HIGH COMMISSION
DANGOTE HOUSE,
AGUYI IRONSI STREET, MAITAMA DISTRICT,
ABUJA,NIGERIA..
TEL: +234-8039672472


Attention

After long silence from you we came to realize that you may have given up your compensation due to lack of money for the Certificates.

I have been able to settle for the Certificates which amounts to US$1800 so i expect you to pay me back once you receive your card.

You have to reconfirm your delivery address for the EMS courier company to mail your ATM card to you without delay. Note that you are entitled to settle for their safe keeping fee of $250.

Make haste to send down your address and i shall provide you with the information of their cashier for you to send the safe keeping fee of $250 to her.
I am looking forward to your immediate response.

Yours in Service,

Mr. Richard Gozney

Despite the Nigerian address the email originates from 200.7.198.3 in Ecuador, although the phone number is definitely Nigerian and has been used for this type of scam many times before.

Tuesday, 12 May 2009

"Western Union Transfer MTCN: 2474153681" trojan

Another EXE-in-ZIP trojan, this time disguised as an Excel spreadsheet. The pitch is:

Subject: Western Union Transfer MTCN: 2474153681
From: "Western Union Support Team" support@westernunion.com
Date: Tue, May 12, 2009 11:00 pm

Dear Customer!

The money transfer you have sent on the 22nd of April was not collected by the
recipient.
According to the Western Union contract the transfers which are not received in 15
days are to be returned to sender.
To collect cash you need to print the invoice attached to this email and visit the
nearest Western Union agency.

Thank you!
In this case there was an attachment called Invoice_8773.zip containing a file named Invoice_8773.exe. Because of the really stupid way that Windows (by default) hides the file extensions and the fact that the bad guys have given this executable a convincing icon, it will look something like this when unzipped:

VirusTotal identifies it as a variant of Zbot; the ThreatExpert prognosis has more details in case you are trying to clean it up.

If you can block EXE-in-ZIP files at your mail perimeter, then that is always the best defence against this kind of attack.

Monday, 11 May 2009

Michael Price / BizSummits.org unsolicited bulk email

I've had a few of these in the past, but this time my spidey sense was tingling.

Subject: Roger, Website discussion on April 21st.
From: "Pat Weller" pat@mktgalliance.org
Date: Mon, May 11, 2009 1:49 pm

Hi Roger, let me know if you might be interested in attending our
upcoming program, "Does Your Website Produce the Results You Want? How to
Drive Conversions by Writing Better Content" on Monday, April 27th. You
can view the complete details at www.mktgalliance.org/webconversations

Businesses of all sizes can benefit greatly from these ideas that have
proven to work based on experiences with hundreds of websites. Thomas
Young, Internet Marketing Consultant and CEO with Intuitive Websites,
will be making the presentation. He will review conversion strategies,
effective taglines, using captions on photos, how to avoid blocks of text,
bullet items in web copy, how to avoid brochure copy and marketing-speak,
calls to action and more. I hope you and your team will join us.

Best regards,

Pat Weller
Program Director
Marketing Alliance
600 North Park Centre
Seventeenth Floor
Mail back to decline further
Atlanta, GA 30328
www.mktgalliance.org/webconversations


Well, I'm not called "Roger" and I can't quite figure out where that came from. The email came from 66.232.113.10 which is the same IP as mktgalliance.org, so that really confirms it as genuine.

A look at the WHOIS details are interesting:

BizSummits
Michael Price (MPrice@BizSummits.org)
+1.8006003389
Fax:
1200 Abernathy Rd, 17th Floor
Atlanta, GA 30328
US

Alright, ten points for having (apparently) genuine contact details (it matches their BBB report), minus several million points for blasting out unsolicited emails to random addresses.

Is it spam? Well, it's certainly unsolicited commercial email and in this case it was sent to an email address that didn't actually exist. Annoyingly, it could well be CAN SPAM compliant. But it falls within the scope of the Boulder Pledge so best avoided.

Here are some other domains associated with BizSummits:
  • mybizteleseminars.net
  • customerservicesummit.net
  • theopsbenchmarkalliance.com
  • associationgrowthsummit.net
  • mktgalliance.org
DavesPlanet.net has more information here, the Other Librarian blog indicates that it has been going on for years here, and a Google Search shows just how widespread these unsolicited emails are. Do you really want to do business with a company like this?

Underwater mobile phone

Need a phone that works under water? Well, the Samsung B2100 Solid Extreme does. But as they used to say on TV.. "kids, don't try this at home".


Friday, 1 May 2009

webmail.upgrade@spamcop.net phish

A fairly lazy attempt to phish SpamCop accounts, originating from 200.85.160.12 in Nicaragua. If you're a SpamCop subscriber, then report it via the usual mechanism. The Reply-To address is webmailupgrader@consultant.com, so you should be able to tell that it is a fake.

Subject: Spamcop Email Verification
From: "Spamcop Webmail Notice" webmail.upgrade@spamcop.net
Date: Fri, May 1, 2009 5:11 pm
To: webmail.upgrade@spamcop.net

Dear Spamcop Webmail Account Owner,
We are currently performing maintenance for Our Spamcop
Digital Webmail Customers.We intend upgrading our Digital
Webmail Security Server for better online services. We are
canceling unused Spamcop webmail email account to create
more space for new accounts.To prevent your account from
closing you will have to update it below to know it's status
as a currently used account.

CONFIRM YOUR EMAIL IDENTITY BELOW
Email Username :=====================================
Email Password :=====================================
Date of Birth :======================================

Warning!!! Any account owner that refuses to update his/her
webmail account within three (3) days of this update
notification will loose his/her account permanently.

Thank You For Your Support

Friday, 24 April 2009

"WorldPay CARD transaction Confirmation" (again)

A repeat of a trojan spam run from a few months ago, this fake "WorldPay CARD transaction Confirmation" email comes with a nasty payload.

Subject: WorldPay CARD transaction Confirmation
Date: Fri, April 24, 2009 5:28 pm

Thank you!

Your transaction has been processed by WorldPay, on behalf of Amazon Inc.
The invoice file is attached to this message.
This is not a tax receipt.
We processed your payment.
Amazon Inc has received your order,
and will inform you about delivery.
Sincerely,
Amazon Team

This confirmation only indicates that your transaction has been processed
successfully.
It does not indicate that your order has been accepted.
It is the responsibility of Amazon Inc to confirm that
your order has been accepted, and to deliver any goods or services you have ordered.
In this case there was a ZIP file called WorldPay_NR9712.zip (the filename may vary) containing an executable named WorldPay_NR9712.exe. When unzipped it looks a bit like a Windows Help file.

Detection rates are very poor, with only Microsoft flagging it up as something specific (PWS:Win32/Zbot.M). The ThreatExpert prognosis also indicates that it is malware (by the way, if you are dealing with an infected machine the ThreatExpert report can help you clean it up).

If you can, it is always a good idea to block EXE-in-ZIP attachments at the perimeter.
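This post and the "Western Union Transfer" one above both end with the same advice: block EXE-in-ZIP at the mail perimeter. The following is an added example of what such a check can look like, not code from either post or from any mail filtering product. It opens a ZIP attachment in memory and flags a member on three independent grounds: an executable extension, a misleading double extension such as .xls.exe (a generalisation of the single-extension lures in the posts), and an MZ header at the start of the file, which catches an executable whatever it has been renamed to. The sample attachment is constructed here and contains a two-byte MZ stub rather than a real program; inspecting the icon the bad guys attached is out of scope.

```python
import io
import os
import zipfile

# Extensions Windows will run on a double-click regardless of the icon shown.
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs",
                   ".js", ".jse", ".wsf", ".hta", ".msi", ".cpl"}
# Extensions that lures borrow for the "inner" part of a double extension.
DECOY_EXTS = {".xls", ".doc", ".pdf", ".txt", ".jpg", ".htm", ".html"}


def inspect_member(zf, info):
    """Return the reasons one ZIP member looks like an executable lure (empty if none)."""
    reasons = []
    base = os.path.basename(info.filename).lower()
    parts = base.split(".")
    ext = "." + parts[-1] if len(parts) > 1 else ""
    if ext in EXECUTABLE_EXTS:
        reasons.append("executable-extension:" + ext)
    if len(parts) > 2 and "." + parts[-2] in DECOY_EXTS:
        reasons.append("double-extension:" + ".".join(parts[-2:]))
    # Look at the content, not just the name: "MZ" is the DOS/PE executable header.
    with zf.open(info) as fh:
        head = fh.read(2)
    if head == b"MZ":
        reasons.append("pe-magic")
    return reasons


def scan_zip_bytes(data):
    """Scan a ZIP held in memory; return {member_name: [reasons]} for suspicious members."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reasons = inspect_member(zf, info)
            if reasons:
                findings[info.filename] = reasons
    return findings


def should_block(data):
    """Perimeter decision: block the message if any member is flagged."""
    return bool(scan_zip_bytes(data))


def build_sample_attachment():
    """Constructed stand-in for Invoice_8773.zip: a fake PE stub with a decoy extension."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Invoice_8773.xls.exe", b"MZ" + b"\x00" * 62 + b"not a real program")
        zf.writestr("readme.txt", b"nothing to see here")
    return buf.getvalue()


def build_clean_attachment():
    """Constructed benign ZIP for comparison."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.txt", b"Invoice 8773: 12.00 GBP")
    return buf.getvalue()


if __name__ == "__main__":
    for name, reasons in scan_zip_bytes(build_sample_attachment()).items():
        print(name, "->", ", ".join(reasons))
    print("block sample:", should_block(build_sample_attachment()))
    print("block clean :", should_block(build_clean_attachment()))
```

Checking the MZ header matters because the extension test alone is defeated by renaming, and because with extensions hidden by default the user never sees the .exe anyway; the name tests still earn their keep as a cheap first pass that does not require reading the member.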

"IBC Group" fake job offer

There are lots of wholly legitimate firms called "IBC Group" or something similar. This one claims to be an "international business consultancy".. and yet they are using a free Google Mail address rather than a corporate one. It is just another money mule scam, although the 5% fee they are offering is surprisingly low (of course, this is stolen money so all you will end up with is a jail sentence).

Subject: Business
Date: Fri, April 24, 2009 12:29 pm

Dear SMALL BUSINESS OWNER
We are being a private international business consultancy (IBC GROUP) striving hard to perform the best to achieve optimal results in gaining efficiency of our client’s ventures. In this global economy crash time we turn to alternative solutions for our clients from Eastern Europe who are obliged to pay off US or Western Europe originated transfer taxes, which at times may be as much as 35%.
Therefore, we are raising up this appeal to those small business owners who have both desire and possibility to stand up as our partners and who may use their business accounts to operate internal transactions for their further remittance to our clients . As being held on a larger scale, your personal benefit will be 5% off every payment posted to your account (or company’s). It may become a considerable upgrade for you and your company.
If this comes up your alley, please, come back for details by: Katherin.Mills@gmail.com

with the following:
First Name:
Last Name:
Country:
State:
City:
Phone (Landline):
Phone (CELL):
Email:

Thank you in advance,
IBC GROUP.


Originating IP is 88.242.82.65 in Turkey.

Wednesday, 22 April 2009

Russian / Italian spam

One of the major hurdles that spammers and scammers face is language. A typical eastern bloc scammer usually won't be able to speak any language other than their own like a native, and a poorly worded pitch is often an obvious sign of a scam.

Machine translations rarely make sense, and the best translators are always native speakers of that language. So, a professional fraud crew will often try to recruit linguistic experts to give their message more of an edge.

In this case, the spammers are trying to recruit someone who speaks Italian and presumably Russian. That's a target audience of around 60 to 70 million people who might well fall for an Italian language scam.

В наше бюро переводов требуются специалисты по итальянскому языку.
Если Вам нужен дополнительный заработок (~1000$ в месяц) - эта вакансия для Вас!
Ездить и ходить - никуда не нужно! Достаточно просто иметь доступ к интернету и телефон!
Никаких финансовых вложений с вашей стороны не нужно! И это не тендер!

Если Вам все еще интересно наше предложение - просто кратко ответьте на следующие
вопросы:
1. Имя
2. Город проживания
3. Где обучались языку и на каком уровне им владеете.

Наш e-mail: lONicholsonbronze@gmail.com

После этого в течении некоторого времени мы обязательно свяжемся с Вами!

Всего хорошего, надеемя на долгое сотрудничество!
This translates approximately to:

We need specialists to provide translations to the Italian language. If you need additional income (about $1000 per month) - this position is for you! You do not need to drive or walk anywhere! You just need to have access to the Internet and a telephone.

If you are interested in our offer - just briefly answer the following questions:
1. Name
2. City of residence
3. Where did you learn the language and how proficient are you.

Our email is: [random Gmail account]

After this we will contact you in a short while.

Have a good time, hoping for a long cooperation!

Our samples originate from ADSL and dial-up subscribers in Turkey and India. The Gmail address is different in each one.

Don't be tempted by an unsolicited "job offer" like this. You are extremely unlikely to be paid, and you could end up in serious trouble with the police.

Tuesday, 21 April 2009

"August Insurance USA" scam

Another fraudulent job offer, this time originating from 190.43.155.148 in Peru. It doesn't really matter what the exact fraud is, this could well be a "back office" operation. But it's a scam nonetheless. Avoid.

Subject: Good vacancy August Insurance USA.
Date: Tue, April 21, 2009 12:07 am
Priority: High

College degree but not enough experience?

Responsible for managing the day to day operations of various facilities to ensure the operations,
maintenance, and vendor management standards of the contract are met in a cost effective, safe and efficient manner.

Requirements
Candidates must possess the following:

- Effective interpersonal skills & communication skills
- Demonstrated leadership and team building abilities
- Self-confidence, flexibility and a positive attitude
- U.S. work authorization

Selected individuals will be trained to enhance leadership and networking skills in
preparation for an executive role within our company.

Compensation based solely on personal performance. For immediate consideration
please contact.

All positions will be filled immediately due to our recent expansion.

You may email your resume in Word to: CHmayHooper@gmail.com
Needless to say, don't send 'em anything. And if you have agreed to "work" for them, demand some verifiable proof that they exist.

Monday, 20 April 2009

barefootsies.com: possible Joe Job.

The Waledac gang strike again with an uncharacteristic spam advertising a foot fetish site.

From: [redacted]
Sent: 19 April 2009 22:53
To: [redacted]
Subject: Free foot fetish pics

Amatuer, girl-girl feet tickling movies, and foot worship movies at http://barefootsies.com/
Spammers sending out links to porn sites is not exactly big news. Except in this case, the registrant and the hosting server are identical to the blizzardimagehosting.com spam run from a few days ago. What's more, the WHOIS details for barefootsies.com appear to be valid.

Studios, First Choice
1st Choice Studios
6741 Sprinkle Rd, Ste 293
Portage, Michigan 49002
United States
2694929957 Fax --

It turns out that this domain is for sale along with some others.

But, as with the blizzardimagehosting.com run, this doesn't exactly fit into the usual Waledac approach and it could well be a Joe Job attack.

Friday, 17 April 2009

Waledac: freeservesms.com

Waledac is pretty common these days, and it usually tries to point the victim to a fake video codec that is actually a trojan, often through a sensational "news" headline or the promise of nudity.

This particular pitch promises something quite different:
Do you want to test your partner or just to read somebody's SMS? This program is exactly what you need then!
It's so easy! You don't need to install it at the mobile phone of your partner.
Just download the program and you will able to read all SMS when you are online.
Be aware of everything! This is an extremely new service!


The download file is called smstrap.exe. So this magical piece of software can read someone else's SMS messages without having to install software on the phone, right? Wrong.. it's just another variant of the Waledac trojan (see the VirusTotal results, ThreatExpert prognosis).

In this case the domain in use is freeservesms.com although it is likely that there will be others. For the record, the WHOIS details are:

Domain Name : freeservesms.com

Registrant Contact Information :
SHANGGUANMING
GONGYUWUYEYOUXIANGONGSI
jongchangde@126.com
QIANJIN, 2005451
tel:
fax:

Administrative Contact Information :
SHANGGUANMING
GONGYUWUYEYOUXIANGONGSI
jongchangde@126.com
QIANJIN, 2005451
tel:
fax:

Technical Contact Information :
SHANGGUANMING
GONGYUWUYEYOUXIANGONGSI
jongchangde@126.com
QIANJIN, 2005451
tel:
fax:

Billing Contact Information :
SHANGGUANMING
GONGYUWUYEYOUXIANGONGSI
jongchangde@126.com
QIANJIN, 2005451
tel:
fax:

Status :
clientDeleteProhibited
clientTransferProhibited

Domain Name Server :
ns1.moneymedal.com
ns2.moneymedal.com
ns3.moneymedal.com
ns4.moneymedal.com
ns5.moneymedal.com
ns6.moneymedal.com

Registration Date :2009-4-13
Expiration Date : 2010-4-13

Added: downloadfreesms.com is punting the same malware.


Wednesday, 15 April 2009

"Yadu Investment Co., Ltd." / ntwifinetwork.com / tech-wifi.com

This email (supposedly from a Chinese domain registrar) follows a well-worn path of trying to sell useless names to owners of existing dot coms.

From: Joy [mailto:Joy@ntwifinetwork.com]
Sent: 10 April 2009 07:47
To: [redacted]
Subject: Notice of Intellectual Property Protection

Dear Sir/Madam: 2009-4-10

We are a domain name registration service company in Asia,
Last week we received a formal application submited by “Yadu Investment Co., Ltd.” Which wanted to use the keyword " [redacted]" to register the Internet Brand and with suffix such as .cn /.com.cn /.net.cn/.hk/ .asia/ domain names.
After our initial examination, we found that these domain names to be applied for registration are same as your domain name and trademark. We aren’t sure whether you have any relation with this company. Because these domain names would produce possible dispute, now we have hold down this registration, but if we do not get your company’s an reply in the next 5 working days, we will approve his application
In order to handle this issue better, Please contact us by Fax ,Telephone or Email as soon as possible.

Yours sincerely

Joy

Checking Department


Tel: 86 513 8532 2060
Fax: 86 513 8532 2065
Email :Joy@ntwifinetwork.com
Website: www.ntwifinetwork.com
Mail No.: [redacted]

Registrars DO NOT check trademarks before registrations (the exception is "sunrise registrations" for completely new top-level domains). This is an attempt to get you to buy an overpriced domain name that you don't need.

This mail may come from ntwifinetwork.com, tech-wifi.com or other domains. The domains are hosted on 174.138.60.95, and some of the wording is lifted from asiaregistry.com, although it is not possible to tell if they are affiliated.

If you are concerned about securing these domains, then most registrars now deal in Asian TLDs and can register them for you; otherwise you are probably safe to ignore it.

btw, the pitch is not new and has been used here, here and here.

Monday, 13 April 2009

Tropicalnames.com scam

tropicalnames.com is the new name for the pedma.com domain appraisal scam. The basic pitch is that you get an unsolicited offer for a domain name, along with a list of recognised appraisal companies. The cheapest company is controlled by the scammers who sent the email (apparently operating out of Canada).

The domain was registered on 3rd April 2008 with anonymised details and is hosted on 124.217.231.173 in Malaysia. If you get one of these, treat it as spam and file a complaint with abuse -at- piradius.net.

Sunday, 12 April 2009

"Mikeyy Mooney" / StalkDaily.com - someone is lying

The rules of spam are a semi-humorous and semi-serious look at the behavior of spammers.

Well, one hot spam topic is the recent StalkDaily.com XSS attack on Twitter. This cross-site attack basically spams out ads via a victim's contact list, and although it is arguable if this is "hacking", it certainly is spamming.

So, let's look at the "rules of spam" and how they apply in this case.

Rule #0: Spam is theft.
Using Twitter's services to send spam is theft. But perhaps the main financial cost to Twitter is that this kind of rubbish will put people off using the service. Of course, Twitter doesn't actually seem to make any money, but that's another issue..

Rule #1: Spammers lie.
So, when the spam attack took place, some people must have started to make complaints about StalkDaily.com, a domain registered on 22nd March to an anonymous registrant. The owner of StalkDaily.com responded as follows:

For everyone wondering, I did NOT promote and/or was involved with the spamming ON Twitter. All bad things you are hearing about this site is not true. Please reconsider as I am not the person who did this.

So, that clearly states that StalkDaily.com is not behind the XSS attack. So what's going on? Is it a Joe Job? Here's the odd thing.. Joe Jobs normally target established sites (not one less than a month old), and why waste an XSS exploit like this on a Joe Job when Twitter will probably close it?

We didn't have to wait long for an answer:

I have came clean and have accepted the responsibility for the worm, read the interview here, http://www.bnonews.com/news/242.html.

That's kind of 100% different from the last denial. The operator of StalkDaily.com is clearly lying about something, perhaps everything.

Rule #2: If a spammer seems to be telling the truth, see Rule #1.
As we have discovered, StalkDaily.com's denial was proved to be a lie. Or perhaps their denial is a lie. In any case, you should not do business with liars or spammers.

Rule #3: Spammers are stupid.
And this dude is as stupid as they get. Sure, stupid in a very smart kind of way.. but the kind of stupid that doesn't think about what the consequences might be.

Rule #4: The natural course of a spamming business is to go bankrupt.
I can hear the sound of Twitter lawyering up. Hahahah.


The StalkDaily.com website points to a pseudo-news article at BNOnews fingering someone called "Mikeyy Mooney". And there's a large collection of material relating to "Mikeyy Mooney" at sqworl. But is it really "Mikeyy Mooney"? The admission itself comes from whoever operates StalkDaily.com.. and we have already established that they are a liar. The sqworl documents point to someone in Louisiana.. the BNOnews article says New York. Last time I looked at a map, these were two different places.

Perhaps a closer look at StalkDaily.com's server might be interesting. 74.200.253.195 hosts the following domains:

  • Haxyou.com
  • Michangelomooney.com
  • Stalkdaily.com

Wait.. Michangelo? Is this guy a teenage mutant ninja turtle?

Most of these sites have anonymous WHOIS details, except for Haxyou.com which is registered to some guy called Ryan who appears to be a distinctly different biological entity.

This is the bottom line - the operator of StalkDaily.com is a liar. They may even be lying that they are "Mikeyy Mooney." Perhaps Twitter can do us all a favour and subpoena the domain records before suing this idiot into the ground.

"Body parts" murder II

The gruesome body parts murder has a new installment with the discovery of a fifth body part, quite near to some of the others. You can see the distribution of finds on Google Maps.

This adds another element to the data set. The route between points "A" and "B" is curious and uses a lot of back roads, if that IS the route. Clearly these grisly finds have a pattern, but can they be traced back to the origin?

Thursday, 9 April 2009

"Body parts" murder

One mystery gripping this part of the UK is the mysterious "body parts" murder, where parts of a dismembered victim have been left near the roadside in several locations: Wheathampstead, Puckeridge and Cottered in Hertfordshire, and the head was dumped in Asfordby, Leicestershire.

Given that the Puckeridge part was reportedly left by the northbound carriageway, that gives a clue as to the direction that the "dumper" was travelling. And making the assumption that the head was the last part to be dumped because it was the furthest away from the others, you can take these four data points and plot them into Google Maps.

You can see more here. Of course, speculation is just that, but it does appear that the dumper did a loop around Hertfordshire, perhaps near the A414, A10 and A507, and then drove up the A1 for about an hour before turning off. Yes, there's a technology aspect here - a tool like Google Maps makes it very easy to visualise this sort of data.

OK, this is all pretty gruesome and don't forget that someone has lost their life. But there's a grim fascination as to where the next discovery will be. Will that fit into the pattern?

Wednesday, 8 April 2009

secretdesiresuk.com spam

Yuck.

Subject: SecretDesires - The Ultimate Social Networking for Singles and Couples
From: "Secret Desires"
Date: Wed, April 8, 2009 5:25 pm

Are you a couple or single looking for FUN??

Worldwide Coverage with Audio and Video Cam Chat Rooms!

Virtual Kisses and Profile Voting!

Profile Pictures and Videos!

Massive Video Database growing Daily!

Come and Enjoy the Ride!!

You must add at least one valid profile picture to remain a FREE member!!

Secret Desires - What's Yours??

Originating IP is 78.145.126.63, secretdesiresuk.com is hosted on 174.132.193.251. The domain is registered to HostGator rather than the actual registrants, who are..


Debbie 'n' Paul. They say: "SecretDesiresUK is the culmination of 3 years of false starts and hard work by Debbie and Paul, of Orion Network Designs. We are both Swingers and have worked in the Adult Industry long enough to understand exactly what people want from an Adult Social Networking Site."

What? Like spam?

Let's log in. No confirmation of email address is needed. Bad luck Mr President.

67 members. And yes, the photograph gallery shows plenty of "members". Including some nudie shots of Debbie 'n' Paul. Yuk.

I'm not prudish, and frankly I believe that consenting adults should be able to get on with whatever they want to in private. But spamming this crap out at random is just going to get the wrong kind of attention.

If you get one of these, forward the email to security -at- hostgator.com.

Saturday, 4 April 2009

luxgroupnz.com / LuxGroup scam

There are lots of legitimate companies with the name LuxGroup or Lux Group or something similar. This particular fake "LuxGroup" uses the domain luxgroupnz.com to push some sort of fraudulent job offer, probably a money mule or some other criminal activity.

Subject: A better career with LuxGroup

Good Day,

Major International Company is ready to offer you part(1-2 hours a day) and full time(5-8 hours per day) job in the USA. If you are interested, get back to us by email and send your resume or a short description of your former activities. Excellent career growth perspectives and merited salary.

For more info about terms, conditions and financial remuneration, get back ONLY to our corporative email address below: advjob@luxgroupnz.com

With regards,
Lux Group, Hiring Department

The luxgroupnz.com domain was registered on April 1st 2009 through XIN NET TECHNOLOGY CORPORATION to:

Name : Michell
Organization : Michell
Address : 56/2 Sun str.
City : Dallas
Province/State : beijing
Country :
Postal Code : 85230
Phone Number : 86--56343365
Fax : 86--56343365
Email : Michell.Gregory2009@yahoo.com

The site is hosted on 222.73.37.250, and name services are provided by NS1.CHOSTSERVICE.COM and NS2.CHOSTSERVICE.COM. Other domains hosted on that server are:

  • A-finance.net
  • A-finance.org
  • Aiminfo.info
  • Careertrip.cn
  • Danunafig.ru
  • Dessgif.com
  • Hot-jobster.cn
  • I-love-pets.ru
  • Icm-mail.biz
  • Icm-network.net
  • Isearchword.info
  • Itellu.info
  • Itellu.ru
  • Lastyp.ru
  • Mountain-travel.ru
  • Mycotteges.ru
  • Oceananswers.info
  • Oceanofsearches.info
  • Pinigeliai.com
  • Temp-biz.cn
  • U-search.info
  • Yadrenamat.ru
  • Yaponamat.ru

Some of these other domains have also been used for fraudulent offers.
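The two WHOIS records quoted in this post and in the freeservesms.com post above show the same tells: a domain registered days before the spam run, four contact roles that are carbon copies of each other, blank phone and fax fields, and a "Dallas, beijing" address with no country. The following script is an added example, not the blog's own tooling: it re-types those two records (the freeservesms.com one is rebuilt by repeating its single contact block, exactly as the record repeats it), parses each format, and reports those signals. The 30-day "recently registered" threshold and the 17 April 2009 sighting date (the date of the freeservesms.com post) are assumptions.

```python
"""Heuristic checks over WHOIS text in the two formats quoted in these posts.

Added example, not the blog's own tooling. The records are re-typed from the
freeservesms.com and luxgroupnz.com posts; thresholds and dates are assumptions.
"""
import re
from datetime import date

# freeservesms.com record as printed in the post: one identical block for each
# of the four contact roles, rebuilt here by repetition to keep the sample short.
_CONTACT_BLOCK = (
    "SHANGGUANMING\nGONGYUWUYEYOUXIANGONGSI\njongchangde@126.com\n"
    "QIANJIN, 2005451\ntel:\nfax:\n"
)
FREESERVESMS_WHOIS = "Domain Name : freeservesms.com\n\n" + "".join(
    f"{role} Contact Information :\n{_CONTACT_BLOCK}\n"
    for role in ("Registrant", "Administrative", "Technical", "Billing")
) + "Registration Date :2009-4-13\nExpiration Date : 2010-4-13\n"
FREESERVESMS_SEEN_ON = date(2009, 4, 17)  # assumed: the date of the blog post

# luxgroupnz.com record as printed in the post ("Key : Value" style).
LUXGROUPNZ_WHOIS = """\
Name : Michell
Organization : Michell
Address : 56/2 Sun str.
City : Dallas
Province/State : beijing
Country :
Postal Code : 85230
Phone Number : 86--56343365
Fax : 86--56343365
Email : Michell.Gregory2009@yahoo.com
"""

CONTACT_HEADER = re.compile(r"^(\w+) Contact Information\s*:\s*$")
REG_DATE = re.compile(r"^Registration Date\s*:\s*(\d{4})-(\d{1,2})-(\d{1,2})")
KEY_VALUE = re.compile(r"^([^:]+?)\s*:\s*(.*)$")
BLANK_CONTACT_FIELD = re.compile(r"(tel|fax|phone)\s*:\s*", re.I)


def parse_contact_blocks(record):
    """Map each '<Role> Contact Information :' block to its non-blank lines."""
    blocks, role = {}, None
    for line in record.splitlines():
        header = CONTACT_HEADER.match(line)
        if header:
            role = header.group(1)
            blocks[role] = []
        elif role is not None and line.strip():
            blocks[role].append(line.strip())
        else:
            role = None  # a blank line ends the current block
    return blocks


def parse_key_values(record):
    """Parse 'Key : Value' lines; a key with nothing after the colon maps to ''."""
    fields = {}
    for line in record.splitlines():
        m = KEY_VALUE.match(line)
        if m:
            fields[m.group(1).strip()] = m.group(2).strip()
    return fields


def registration_age_days(record, seen_on):
    """Days between the record's Registration Date and the day the spam was seen."""
    for line in record.splitlines():
        m = REG_DATE.match(line)
        if m:
            return (seen_on - date(*map(int, m.groups()))).days
    return None


def contact_block_signals(record, seen_on, max_age_days=30):
    """Signals for the block-style format (the freeservesms.com record)."""
    blocks = parse_contact_blocks(record)
    age = registration_age_days(record, seen_on)
    blank = {
        role: [l.rstrip(":").strip() for l in lines if BLANK_CONTACT_FIELD.fullmatch(l)]
        for role, lines in blocks.items()
    }
    return {
        "age_days": age,
        "recently_registered": age is not None and age <= max_age_days,
        "all_contacts_identical": len(blocks) > 1
        and len({tuple(b) for b in blocks.values()}) == 1,
        "blank_fields": {role: f for role, f in blank.items() if f},
    }


def key_value_signals(record):
    """Signals for the 'Key : Value' format (the luxgroupnz.com record)."""
    f = parse_key_values(record)
    return {
        "empty_fields": sorted(k for k, v in f.items() if not v),
        "phone_equals_fax": bool(f.get("Phone Number"))
        and f.get("Phone Number") == f.get("Fax"),
        "name_equals_org": bool(f.get("Name")) and f.get("Name") == f.get("Organization"),
    }


if __name__ == "__main__":
    print(contact_block_signals(FREESERVESMS_WHOIS, FREESERVESMS_SEEN_ON))
    print(key_value_signals(LUXGROUPNZ_WHOIS))
```

None of these signals proves anything on its own (plenty of honest registrants leave fax blank), which is why the functions return the raw facts rather than a verdict; the point is that a record like the freeservesms.com one trips all of them at once, and a check like this is cheap to run over every domain that turns up in a spam trap.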

If you get one of these ignore it.

Friday, 3 April 2009

Hostfresh dead?

Sandi reports that Hostfresh has been de-peered, the latest organized criminal web host to be removed from the interwebs.

This Hong Kong-based outfit provided the back end hosting for malware infections including early versions of Conficker. It has been increasingly apparent that they are basically an outpost of the Russian Business Network.

Hostfresh-hosted domains have scattered, but it probably won't be long until they find another RBN-friendly host that doesn't know what happened to Atrivo, McColo, Ukrtelegroup and Estdomains.

Thursday, 2 April 2009

BlizzardImageHosting.com - possible Joe Job

We have an email trap that seems to be hit exclusively by a low number of Waledac related spam (fake "terror reports", pharma spam, penis enlargement etc). We know that this particular address was harvested from a compromised PC, so the only people who have the address are the Bad Guys.

Unexpectedly then, the following email turned up:

From: (removed)
Sent: 01 April 2009 20:33
To: (removed)
Subject: Free Image Hosting

BlizzardImageHosting.com is a new leader in online image & photo hosting,
portfolios, and slideshow creation. We offer features you wont find
at other image hosting sites and we offer it FOR FREE!

- Upload Unlimited Images
- Share Images With Anyone and Anywhere
- Get Gigabytes of Monthly Bandwidth

and much more...

Sign up now!
http://blizzardimagehosting.com/index.php

(c) 2003-2009 Blizzard Image Hosting All Rights Reserved

So, my initial thoughts were that blizzardimagehosting.com were in league with the bad guys. Let's check out their WHOIS details:

Marquee, Media Networks webmaster -at- marqueemediaonline.com
Marquee Media Networks
6741 Sprinkle Road, Ste 293
Portage
MI
49002
US
Phone: +1.2694929957
Fax: +1.2694929958

The address is actually a branch of PakMail, which in this case probably means that Marquee Media Networks rents a post box. The WHOIS details for marqueemediaonline.com indicate a name of Christopher Maher. So do these WHOIS details look suspicious? Not really. Usually, Waledac related domains come with WHOIS details that indicate telltale traces in China or Russia; the details for blizzardimagehosting.com are not inherently suspicious.

Marquee Media operates a web server at 216.17.107.72, which contains an ill-advised mix of adult sites and general interest sites (porn sites and fishing on the same server?). All the WHOIS details are consistent, and there seems to be nothing illegal going on.

Here's the thing - nothing at all about blizzardimagehosting.com fits the Waledac profile. This seems to be a small business running out of Illinois, nothing more. At a best guess, Marquee Media has somehow displeased the Waledac gang, either through something to do with adult content or web hosting.

So.. if you get a spam for blizzardimagehosting.com then treat it with scepticism, and as far as I am concerned this company is probably not guilty of this spam run and instead it looks like a Joe Job.