Sponsored by..

Tuesday 12 January 2010

BoingBoing.net / Bootcampmedia.com ad leads to malware


A malicious ad running on BoingBoing.net is delivering visitors to a PDF exploit.

Given the complicated state of advertising arbitrage, it is unlikely that BoingBoing.net have much control over it. The ad appears to be loading in from ad.yieldmanager.com (which is Yahoo!) and/or ad.z5x.net (DSNR Media Group) both of which are hosted on the same multihomed IP addresses.

The ad itself (pictured) appears to be some sort of get-rich-quick scheme or other.

This ad then directs through ads.bootcampmedia.com/servlet/ajrotator/790744/0/vh?z=BootCamp&dim=335848 to traffic.firedogred.com/content?campaign=1219131&sz=2 (this combination of bootcampmedia.com and firedogred.com has been noted before)

The ad then hops to deliver.amerchibchapowered.com/rotate?m=5;b=2;c=1;z=243826 then content.baalcootymalachi.com/track/3388182/S_SE?[snip] loading an image from img.amerchibchapowered.com along the way.

Finally, the visitor is directed to chohivyb.info/cgi-bin/aer/[snip] which contains an exploit detected as Troj/PDFJs-GI by Sophos.

"Boot Camp Media" is run by a guy called Jamie Dalgetty of Guelph, Ontario in Canada. It's unlikely that he's a bad guy, more likely that his ad network is being exploited by a malcious third party.

traffic.firedogred.com is rather more interesting, multihomed on 69.164.215.204, 69.164.215.205, 69.164.215.207, 69.164.215.208 and 69.164.215.210 at Linode, New Jersey. The domain firedogred.com is slightly interesting:

Registrant:
Domain Owner
15156 SW 5th
Scottsdale, Arizona 85260
United States

Registered through: GoDaddy.com, Inc. (http://www.godaddy.com)

Domain Name: FIREDOGRED.COM
Created on: 15-Sep-09
Expires on: 15-Sep-10
Last Updated on: 15-Sep-09

Administrative Contact:
Owner, Domain trafficbuyer@gmail.com
15156 SW 5th
Scottsdale, Arizona 85260
United States
(800) 555-1212 Fax --

Technical Contact:
Owner, Domain trafficbuyer@gmail.com
15156 SW 5th
Scottsdale, Arizona 85260
United States
(800) 555-1212 Fax --

Domain servers in listed order:
NS57.DOMAINCONTROL.COM
NS58.DOMAINCONTROL.COM
trafficbuyer@gmail.com has been used for these malicious domains for some months and is well known.

deliver.amerchibchapowered.com is also multihomed at Linode on 74.207.232.250, 74.207.232.25, 74.207.232.30, 74.207.232.31, 74.207.232.35, 74.207.232.39, 74.207.232.202, 74.207.232.203, 74.207.232.205, 74.207.232.206, 74.207.232.248 and 74.207.232.249. The domain was registered on 7th January 2010 and is hidden by DomainsByProxy.

content.baalcootymalachi.com is hosted on 69.164.196.55 at Linode again, again registered on 7th January via DomainsByProxy.

img.amerchibchapowered.com is hosted on a large number of servers at 174.143.243.90, 174.143.243.162, 174.143.243.220, 174.143.245.236, 98.129.236.154, 98.129.236.239, 98.129.236.254, 98.129.237.14, 98.129.238.99, 98.129.238.101, 98.129.238.102, 98.129.238.103, 98.129.238.105, 98.129.238.106, 98.129.238.112, 174.143.241.174, 174.143.242.58, 174.143.242.109 - these are all hosted at Slicehost.com which is a customer of Rackspace.

Finally, chohivyb.info is hosted on 216.150.79.74 which is some outfit called ezzi.net of New York owned by another outfit called AccessIT. No prizes for guessing that chohivyb.info has been registered only very recently with anonymous details.

216.150.79.74 is a well-known malware server, and that hosts the following domains which you can assume are malicious:

  • Ablxsr.info
  • Ajgdrt.info
  • Alevfq.info
  • Alfwqr.info
  • Alrpsl.info
  • Ameronada.info
  • Bnzbfz.info
  • Bodxmt.info
  • Bplimo.info
  • Briliantio.info
  • Bvqlag.info
  • Bzjsqk.info
  • Ccwarj.info
  • Cityopicos.info
  • Clthth.info
  • Ctksji.info
  • Dasyxe.info
  • Dbivoh.info
  • Dgltup.info
  • Dpuefh.info
  • Dtjblp.info
  • Enhmqq.info
  • Enqpqk.info
  • Euespj.info
  • Exmxfd.info
  • Fblooe.info
  • Fdwghs.info
  • Fopqde.info
  • Fprvsu.info
  • Frgbat.info
  • Fymjjz.info
  • Gelvmf.info
  • Gnautw.info
  • Gnysgg.info
  • Gredotcom.info
  • Grupodanot.info
  • Grxqog.info
  • Gukuny.info
  • Gyckjq.info
  • Hagijd.info
  • Haqdsc.info
  • Hgtbng.info
  • Hjdnps.info
  • Hyiyyi.info
  • Iakecg.info
  • Iaoaxz.info
  • Iewwpn.info
  • Ijaflj.info
  • Iohbvo.info
  • Jhrubd.info
  • Jokirator.info
  • Kbwstb.info
  • Kibfsz.info
  • Klamniton.info
  • Ktebkx.info
  • Kxlglw.info
  • Leeloe.info
  • Lgcezx.info
  • Lkraat.info
  • Lktcaj.info
  • Llchqs.info
  • Lnmrjz.info
  • Lokitoreni.info
  • Lqhczk.info
  • Lywavy.info
  • Lyzocu.info
  • Mallstern.info
  • Manaratora.info
  • Megafrontan.info
  • Mesxql.info
  • Mngmjc.info
  • Monsatrik.info
  • Montrealt.info
  • Mruvienno.info
  • Mrvsnq.info
  • Nalszu.info
  • Ncnzfh.info
  • Neiaea.info
  • Nigrandara.info
  • Njcmug.info
  • Npmkrr.info
  • Ntaxkj.info
  • Obzdkn.info
  • Ocftfa.info
  • Optugj.info
  • Otfcco.info
  • Owpwhi.info
  • Pbrugb.info
  • Plxxii.info
  • Pncgfd.info
  • Ppusmb.info
  • Prbakn.info
  • Qdinql.info
  • Qgxelo.info
  • Qqtwft.info
  • Realuqitor.info
  • Refrentora.info
  • Retuvarot.info
  • Rfouce.info
  • Rljysj.info
  • Rocqdn.info
  • Roeaaj.info
  • Semqef.info
  • Snosrz.info
  • Spgsgh.info
  • Stqvqw.info
  • Swrapz.info
  • Tcoqgo.info
  • Tehfnn.info
  • Top-lister1.info
  • Transforltd.info
  • Tsfxzg.info
  • Tyenxv.info
  • Ugrdzf.info
  • Uliganoinc.info
  • Urupnk.info
  • Utpxno.info
  • Uyguau.info
  • Vbqfdm.info
  • Veqibp.info
  • Vkfaao.info
  • Vwwtlp.info
  • Wddifv.info
  • Wdhcvv.info
  • Wdokxd.info
  • Wevoratora.info
  • Wtstds.info
  • Wvkjxx.info
  • Wvlsam.info
  • Xbhmws.info
  • Xbxynl.info
  • Xcisup.info
  • Xxiyrv.info
  • Ybeaxd.info
  • Yfntrg.info
  • Yqjxkj.info
  • Ywbxen.info
  • Zdkaki.info
  • Zhwtqz.info
  • Zlpbha.info
  • Znkwjc.info
  • Zqpwco.info
Unlocker.org.uk is located on the same server, but it doesn't seem to fit in with the malware delivery and perhaps it is best to assume that it is a coincidence.

Obviously block or null-route these destinations as you feel fit, and do not purchase any ads from firedogred.com!

Added: You probably want to block these too..

216.150.79.76
  • Cacorq.info
  • Clxhbz.info
  • Dgrxqh.info
  • Diwiowano.info
  • Dmdurz.info
  • Funkol.info
  • Geetol.info
  • Gitoer.info
  • Gondiroda.info
  • Gutrandin.info
  • Hizfek.info
  • Hopore.info
  • Ivgzda.info
  • Jopqae.info
  • Kolpao.info
  • Nadotraza.info
  • Niraynome.info
  • Ofahitino.info
  • Oirjsa.info
  • Ornotivec.info
  • Pirtaf.info
  • Popsto.info
  • Rellok.info
  • Ruhcsy.info
  • Sacmtf.info
  • Sdoras.info
  • Tapiroten.info
  • Tiizwb.info
  • Traxemere.info
  • Ulmqmq.info
  • Vivibt.info
  • Xsxydj.info
  • Yuncdjbiw.info
  • Yyoqny.info

216.150.79.77
  • Bnodas.info
  • Brasilianstoree.info
  • Byzypub.info
  • Depahugu.info
  • Gionasodor.info
  • Giratunes.info
  • Gyreal.info
  • Hlopki.info
  • Huerin.info
  • Igerinsar.info
  • Jcafuzixa.info
  • Joketarona.info
  • Koevoru.info
  • L-iza.info
  • Laryju.info
  • Manocoraz.info
  • Nbuuf.info
  • Npefu.info
  • Nvihobepo.info
  • Pe-aqemop.info
  • Pyneh.info
  • Retiof.info
  • Rzajexu.info
  • Tolkienad.info
  • Tymane.info
  • Typolazu.info
  • Vfoxoe.info
  • Wanitale.info
  • Yawibyve.info
  • Ydiuvy.info
  • Zoimie.info

Thursday 7 January 2010

"Testkauf" - German language "mystery shopper" scam

For some reason, I've been getting a lot of these German-language spams, mostly originating from Brazil..
Subject: Testkauf

Mitarbeiter fuer Testeinkauf bundesweit gesucht.
Bewerbung bitte an blahblah@yahoo.de
This roughly translates as:

Subject: Test Shopping
Searching nationwide for employees to do test purchasing.
To apply, please contact blahblah@yahoo.de
In each case, the header contain a fake "from" address, the Yahoo! email address changes constantly.. and the mail seems to come from Brazil. This is most likely just a version of the mystery shopper scam, and should be avoided.

Tuesday 22 December 2009

mailbox-email.com scam

Part of a long running dating scam, mailbox-email.com looks like a free email service, but isn't. Hosted on 222.170.127.122 in China, the server also hosts various fake dating and prescription sites.

All of these following sites are some scam or another, avoid them:
  • Adltfuntime.com
  • Adultmeetspot.com
  • Amazmail.com
  • Aprofilepage.com
  • Blowingawaytherestnow.com
  • Email-mailbox.com
  • Findallthebestherenow.com
  • Findnewfriend.net
  • Free-email-chat.com
  • Free-email-connect.com
  • Free-email-fun.com
  • Free-email-live.com
  • Freeextender.net
  • Freemailaccounts.net
  • Freemailnow.net
  • Getitatrxcenternow.com
  • Greatestofrxznow.com
  • Happeningrxcenternow.com
  • Hotlivemailchat.com
  • Kingofthekingofrxznow.com
  • Myemailhome.net
  • Netherlandsdns.com
  • Nodocneededforrxmedznow.com
  • Plygroundadlt.com
  • Realdealrxbrandnamesnow.com
  • Sexyhotlivechat.com
  • Skinny-me.info
  • Ysjhdfjd.com
  • Zeuhiuer.com

Tuesday 15 December 2009

Piradius.Net / Adobe Zero-Day threat

Another good reason not to have Adobe Reader on your PC - the ISC is reporting yet another zero-day threat being exploited by the bad guys, using the domain foruminspace.com.

And guess who is hosting it.. yes, our old friends at Piradius.net, going to show just how dark grey their hat is and demonstrating another very good reason to block 124.217.224.0 - 124.217.255.255.

Saturday 5 December 2009

"freeemailnow.net" scam

The domain freeemailnow.net looks like.. well, it looks like a free e-mail provider. But it isn't, it's part of some sort of fraudulent scheme, most likely a dating scam.

The pitch arrives something like this:

Subject: your profile
From: "Pasquale Clay"
Date: Fri, December 4, 2009 11:55 pm

Hey!
I know you dont know me, but I d like to get to know you.
I stumbled upon your contact information, am looking for a chat friend and maybe more.
Write me back at: snowfall1@freeemailnow.net

i am anxious to talk with you
A look at the SOA records points to ns1.netherlandsdns.com and admin.affilnet.net - affilnet.net is familiar, indicating that this is a re-run of the warmfuzzylove.com scam but again annoyingly missing a picture of a pretty Russian girl.

The registration details for freeemailnow.net are anonymous, nameservers are ns1.netherlandsdns.com and ns2.netherlandsdns.com, both on 222.170.127.122 in China along with freeemailnow.net itself.

There's a bunch of fake pharma sites sharing the same server:

  • Acquireflowherenow.com
  • Acquirerxmedzherenow.com
  • Allthebestatyourfingertips.com
  • Alwaysbetterrx.com
  • Anyrxmedications.com
  • Beatingallcompetition.com
  • Besatifiedmedsnow.com
  • Bestrxbuyshere.com
  • Blowingawaytherestnow.com
  • Championrxsource.com
  • Cheapcodeines.com
  • Choosefr0mthebest.com
  • Codeineoffers.com
  • Codeinepromo.com
  • Crazymedsupplyforyou.com
  • Discount-codeine.com
  • Easyrxhere.com
  • Expressmedz4u.com
  • Findallthebestherenow.com
  • Fingtertiprxmedacces.com
  • Firerxmedication.com
  • Flowagerofgood.com
  • G00dsonline.com
  • Getallyourfavorites.com
  • Getitatrxcenternow.com
  • Getmedicatedonline.com
  • Getrxeasily.com
  • Getrxeasilyonline.com
  • Getrxmedicationsherenow.com
  • Goodzchoices.com
  • Greatestofrxznow.com
  • Greatmedicalshere.com
  • Greatrxdepot.com
  • Greatrxg00ds.com
  • Greatrxonline4u.com
  • Grillindealz4u.com
  • Happeninggoodtime.com
  • Happeningrxcenternow.com
  • Honorablechoice.com
  • Incrediblerx4u.com
  • Kingofthekingofrxznow.com
  • Maxsav3r.com
  • Maxsaverz.com
  • Meddiezcenter.com
  • Medzfromonlinetoyourhome.com
  • Mosthighlysoughtafter.com
  • Neverendingflowages.com
  • Neverwaitrx.com
  • Newrx4champions.com
  • Niceflowofmedz.com
  • Nodocneededforrxmedznow.com
  • Nomorewaitinginlinenow.com
  • Onpointflowage.com
  • Qualitycodeine.com
  • Quickrxmedications.com
  • Readysetgetmedz.com
  • Realdealrxbrandnames.com
  • Realdealrxbrandnamesnow.com
  • Realdealrxrefills.com
  • Refillrx-depot.com
  • Reliableflowagehere.com
  • Reliablemedsource4u.com
  • Reliablerx4uonline.com
  • Rightrxchoice.com
  • Rx-refilldepot.com
  • Rxmainsource.com
  • Rxmedsolution4unow.com
  • Rxmedzatthefingers.com
  • Rxmedzinnotime.com
  • Rxremedies4u.com
  • Rxthatbeatsallothers.com
  • Rxwindowonline.com
  • Rxsourceforwinners.com
  • Selectfromallthebestmeds.com
  • Selectionfromthebest.com
  • Simeplyarx.com
  • Smokingdealz4u.com
  • Swiftestmedz.com
  • Theeasyreliablesourcenow.com
  • Theflowageoccurshere.com
  • Themybetterrx.com
  • Toprxsuppliers.com
  • Toprxsupplierz.com
  • Uniqueflowagesnow.com
  • Wehaveallyourfavorites.com
  • Wehavethemforyou.com
  • Wehavewhaturlookingfornow.com
  • Wehavewhatyourlooking4.com
  • Your-rxs.com
  • Netherlandsdns.com
Anyway, this is the same old scam and it should be avoided along with the fake RX sites that go with it.

Thursday 3 December 2009

"Bank of England" scam email

This is some sort of fraud or phishing attempt, the email originates from richardscott269@msn.com but solicits replies to richardscott555@rediffmail.com - both of these are free email providers, and I'm pretty sure that the Bank of England can afford its own email servers. Avoid.

Subject: Payment Notification
From: "Richard Scott" <richardscott269@msn.com>
Date: Thu, December 3, 2009 10:12 pm

From: Richard Scott
International Settlement Dept.
Bank of England
http://www.bankofengland.co.uk/
Ref: BOE/ISD/ACD/4556/09


ATTN :

The International Settlement department of Bank of England is obligated to contact you for the immediate release of your fund whose account has be come dormant and subsequently transferred to this department as unclaimed fund.Our findings have revealed that the problem behind your inability to have received your fund from the corresponding bank resulted from lack of transparency, insincerity and incessant demand for money by your representative(s) for unusual payments. We have therefore decided to establish a direct transfer payment system (DIPS) with you for the prompt release of your funds without any hitch.

We therefore request that you respond to this email immediately ( forwarding your direct contact telephone number) to enable us proceed with the release of your fund accordingly.

Yours in service,
Richard Scott.

Wednesday 2 December 2009

Incisive Media / writeathomesystems.com spam

Incisive Media is a little-known firm that comprises the rump of the much better known VNU Publications that was sold off into private equity a few years ago.

You might know the name "Incisive Media" through their miserable failure to sustain Personal Computer World which was one of the oldest computer magazines in the world, but they also own several other professional publications.

So, I was a little surprised to see that Incisive now seems to be in the business of sending out get-rich-quick spam.

Subject: Private Equity Europe
From: "Chesther Jane" <mcjane99@gmail.com>
Date: Wed, December 2, 2009 7:21 pm


Respected Friends,
“Who else wants to earn a full-time income writing on the INTERNET? You can start earning money writing online even if you have no prior experience.” If you can write at a 9th grade level, you could easily earn a full time income writing online.
Companies are desperately looking for entry level writers. If you want to start
earning money writing at home, this may be the most important page on the Internet you’ll read all year. Right now, you can make really good money, quickly and easily.
http://miniurl.com/22939
Chesther Jane
to unsubscribe reply REMOVE

Thank you for visiting my site!

http://www.incisivemedia.com/public/showPage.html?page=330349

DISCLAIMER
Private Equity Europe and Incisive Media do not take any responsibility for the
content of this email

The spam originates from 62.140.213.241 which is an Incisive Media IP address, and a close look at the mail headers shows more evidence:

Message-ID: <02 Dec 2009 19:21 IncisiveMailer@www.incisivemedia.com>

The URL miniurl.com/22939 forwards to Caroline.mikepsanderswri.click2sell.eu which is a laughably pathetic work-at-home scheme on the click2sell.eu affiliate network. To give click2sell.eu some credit, they are pretty good at terminating spammers.. which is why spammers try to mask their affiliate URLs.

I said "laughably pathetic", because you end up at writeathomesystems.com which attempts to recruit people to part with cold hard cash in order to learn how to write and market articles on the web.


Now, I'm not the best writer in the world.. and we all make tpyos now and again, but this one has a howler:

Yes, that says "(Prize will be changed tomorrow from $34.95 to $64.95)" when I'm really pretty sure that they mean "price".

Incidentally, a check of the Google cache shows that it was still referring to a price change "tomorrow" six days ago. I think there's a word for that.

Anyway, despite writeathomesystems.com truly crappy ad copy and highly dubious marketing techniques, they are not responsible for the spam. And as already mentioned, I know that click2sell.eu are pretty good at terminating spammers... so who is responsible?

Well, obviously the affiliate is responsible.. but also the people who strenuously deny responsibility are right in the frame.. remember the footer from the Incisive Media spam?

DISCLAIMER
Private Equity Europe and Incisive Media do not take any responsibility for the
content of this email
That's a bit like saying "I don't take any responsibility for taking a shit in your shoes" even though you have just left a big steaming turd in someone's footwear. And one vital question is.. where did the spammers get their email addresses from? Did Incisive sell them on? Or were they scraped?

Friday 27 November 2009

"Please design a logo for me. With pie charts. For free."

Classic.. but wait, there's more to this story too! Language possibly NSFW.


This is the guy who tried to pay a bill with a drawing of a spider.

Mystery Google Toothbrush Mystery

Mystery Google is old news for many.. basically you get the search results that the previous person had typed in, and the possibility of being redirected to a malware site seeded by the previous person is a legitimate concern.



Just out of curiosity, I was poking around at it and got the folllowing message:
mission: write a limerick about toothbrushes and send it to randombystander -at- yahoo.com
Of course, there are no matches for "mission: write a limerick about toothbrushes and send it to randombystander -at- yahoo.com".. except there are now I blogged about it.

Now, only a complete nutjob would actually follow these instructions. So here's my effort:
There was an old battered toothbrush
It was ancient and didn't get used much
You'd be willing to bet
That because of neglect
The owner's teeth surely are now mush
Well.. it sort of rhymes. Let's see if that mailbox actually exists.. it does! :)

Friday 20 November 2009

"please update your blah@blah.blab mailbox" spam

Another version of the Zbot trojan coming in via email, much like this one.

From: operator@blah.blah Sent: 20 November 2009 15:21
To: Blah

Subject: please update your blah@blah.blah mailbox


Dear owner of the blah@blah.blah mailbox,
You have to change the security mode of your account, from standart to secure. Please change the security mode by using the link below:

http://accounts.blah.blah.verzzi.org.uk/webmail/settings/noflash.php?mode=standart&id=[snip]&email=blah@blah.blah

So far verzzi.co.uk and verzzi.org.uk seem to be domains that are used for this, there are probably many others.

Target page is a fake Flash download:

Target file is flashinstaller.exe with patchy or generic detection at best, according to VirusTotal.

ThreatExpert report is here which could be useful if you are trying to disinfect a machine.

When infected, the machine calls home to 193.104.27.42 in the Ukraine, allegedly belonging to "Vladimir Vasulyovich Kamushnoy" but that could be fake.

Fake WHOIS details for verzzi.co.uk and verzzi.org.uk:

Domain name:
verzzi.co.uk

Registrant:
Suzanne Mendez

Registrant type:
Non-UK Individual

Registrant's address:
Taylor Street Apt. 22
Wilrijk
2771
Belgium

Registrar:
Webfusion Ltd t/a 123-Reg.co.uk [Tag = 123-REG]
URL: http://www.123-reg.co.uk

Relevant dates:
Registered on: 18-Nov-2009
Renewal date: 18-Nov-2011
Last updated: 19-Nov-2009

Registration status:
Registration request being processed.

Name servers:
ns1.elkinsrealty.net
ns1.winderz.net
The Verzzi domains are hosted on a fast flux botnet, so the good news is that it won't be very reliable if some muppet DOES visit the site.

elkinsrealty.net is one nameserver domain, with obviously fake WHOIS details

Domain Name : elkinsrealty.net
PunnyCode : elkinsrealty.net
Creation Date : 2009-07-02 19:50:00
Updated Date : 2009-11-20 01:11:11
Expiration Date : 2010-07-02 19:49:56


Registrant:
Organization : Elkins Realty
Name : O Berg
Address : 2150 1st Ave
City : San Diego
Province/State : beijing
Country :
Postal Code : 92101

Administrative Contact:
Name : Elkins Realty
Organization : O Berg
Address : 2150 1st Ave
City : San Diego
Province/State : beijing
Country :
Postal Code : 92101
Phone Number : 86--6195728001
Fax : 86--6195728002
Email : OBerg@gmail.com

Technical Contact:
Name : Elkins Realty
Organization : O Berg
Address : 2150 1st Ave
City : San Diego
Province/State : beijing
Country :
Postal Code : 92101
Phone Number : 86--6195728001
Fax : 86--6195728002
Email : OBerg@gmail.com

Billing Contact:
Name : Elkins Realty
Organization : O Berg
Address : 2150 1st Ave
City : San Diego
Province/State : beijing
Country :
Postal Code : 92101
Phone Number : 86--6195728001
Fax : 86--6195728002
Email : OBerg@gmail.com
And for Winderz.net:

Registrant:
R Opitz, Brian
341 Church Road
West Sunbury, PA 16061
US

Domain Name: WINDERZ.NET

Administrative Contact, Technical Contact:
R Opitz, Brian straus2009@live.com
341 Church Road
West Sunbury, PA 16061
US
7246372446


Record expires on 17-Nov-2010.
Record created on 17-Nov-2009.
Database last updated on 20-Nov-2009 10:46:04 EST.

Domain servers in listed order:

NS1.WINDERZ.NET 198.177.253.152
NS2.WINDERZ.NET 210.217.45.138
ns1.winderz.net and ns1.elkinsrealty.net are on 198.177.253.152 (Allerion Inc, Altlanta)
ns2.elkinsrealty.net is on 210.217.15.41 (Korea Telecom)
ns2.winderz.net is on 210.217.45.138 (Korea Telecom)

In this case the email "came" from operator@victimdomain - filtering your own domain at the gateway (or the "operator" address) could be useful.

Update: full list so far..
dirddrf.be
dlsports.be
ftpddrs.be
modertps.be
verzzi.co.uk
verzzi.org.uk
verzzq.co.uk
verzzq.me.uk
verzzq.org.uk
verzzg.co.uk
verzzg.me.uk
verzzg.org.uk
verzzm.co.uk
verzzm.me.uk
verzzm.org.uk
verzzn.co.uk
verzzn.me.uk
verzzn.org.uk


Thursday 19 November 2009

Warning: Affilnet.net

Just as a follow-up to the warmfuzzylove.com scam, the same server (98.126.22.178) now hosts Affilnet.net which may be trying to pass itself off as Affili.net which is a legitimate marketing agency, although at the moment the site appear to be blank.

The domain was previously registered to Warner Brothers (of all people!) but was reregistered to an anonymous registrant on 13th November.

Given that the pattern of registration and server being used are consistent with an existing scam, then any approach from Affilnet.net should be regarded as being suspicious unless proven otherwise.

Avira detects TR/Crypt.XPACK.Gen in MW2

I don't play Modern Warfare 2 - but some reports indicate that it has a virus in it.

What seems to be happening is that Avira is coming up with a generic detection of TR/Crypt.XPACK.Gen on a temporary file (perhaps ~B8.tmp) in C:\Documents and Settings\%USERNAME%\Local Settings\Temp.

However, "TR/Crypt.XPACK.Gen" is a generic detection - Avira is scanning the file and determining that it might be suspicious because it has been compressed with a commercial packer (a bit like a ZIP file). It is almost definitely a false positive that will be fixed quite soon.

If you like, you can head to the Avira Support Forums although where there is a short thread about it.

Wednesday 18 November 2009

T-Mobile & LBM: Just a coincidence?

In what appears to be a systematic plundering of customer records, T-Mobile staff have sold hundreds of thousands (or perhaps millions) of customer details to rival operators. Given that a lead for an expiring mobile phone contract seems to sell for around 50p to £2 a pop, this is possibly a significant slice of cash.

One question is: who sold the data. But a more pertinent one is: who bought the data?

It is probably just a sheer coincidence that I have previously documented unexplained cold calling for T-Mobile customers from a company called LBM Direct Marketing in the UK.

This current round of cold calling is on behalf of O2. LBM appears to have subscriber details - when they finally do talk to you rather than putting the phone down, they greet you by name. [..] The caller denied that they worked for LBM, and claimed to be working for O2 [..]. Our attempts to talk to a supervisor at LBM resulted in the caller putting the phone down. In this case, they do seem to know the name of the subscriber ([..] the phone had previously been with Vodafone and then transferred to T-Mobile)
This is probably not an isolated incident - expiring mobile phone contract leads are valuable and are regularly traded, and we're not just talking about T-Mobile here.. it seems to be very widespread, and T-Mobile deserve some kudos for tackling the issue.

Just in case you missed all the furore, T-Mobile have a news article about it:

Sunday 15 November 2009

Who is My-Data-Source.com?

My spidey sense started to tingle when I got this spam:


Subject: Your friend Workathomesystem[6194] would like to tell you about the Site
From: HR6194@workathomesystem.org
Date: Sun, November 15, 2009 4:09 am

Hello, my name is Derek Lindsay, and I am the Director of My-Data-Source.com. I
would personally like to invite you to become part of our team doing work-at-home data entry. We have guided thousands of team members to success using our new type of data-entry job called Global Data Entry. Some members are currently making $300 - $2000 and more per day, using our program and guidance. We have been dealing with online data entry for over 7 years. Do you have a few minutes? I will explain more.The Legitimacy of Our Company and the Programs We Offer If you are hearing Data-Entry Jobs before then I would like to make something very clear first. We are NOT a get-rich-quick company. If you are visiting our Web site looking for this type of opportunity then I am sorry to inform you that the programs we offer are not get-rich-quick schemes. We are a legitimate company, offering legitimate work-from-home data-entry job opportunities that have proven success and that we stand behind 100% with our satisfaction guarantee. If you were to ask us the biggest difference between My-Data-Source.com and all of the other work-from-home programs on the Internet, the answer would be this - With My-Data-Source.com, we give you training courses before you could do the the actual job to perform and get paid as we will explain on this page with our newest sources of Data Processing Jobs that pays. We will also provide you other programs that you will find when you became a member and that all you are getting is a list of links to jobs that you will need to apply to. WE ARE PROVIDING TRAINING COURSE AND THE ACTUAL DATA PROCESSING JOBS WITH OUR My-DATA-SOURCE.com TRAINING CENTER AND DATA PROCESSING JOBS THAT PAYS! Join our team, get started with complete instructions and guidance on our program.
Click this link: (snip)
The spam redirects through an affiliate link of mikepsandersmyd.click2sell.eu after first taking a couple of hops through TinyURL to avoid reporting. Originating IP is 200.46.204.144 in Panama.

My-Data-Source.com is one of those work-from-home programs that you have to pay to join. Is it a scam though? A good place to start is by looking for general advice on this sort of scheme from reputable sources, for example the BBB, National Consumer League, ScamBusters, and Consumer Direct.

One important thing is to know who you are dealing with - and My-Data-Source.com doesn't mention any real contact details anywhere on their website. The domain was registered to an anonymous registrant on 1st September 2009, so it has only been around for a few months. So, no clue there.. so it is impossible to know who you are actually dealing with.

Another thing to look at are testimonials - you can find these at www.my-data-source.com/testimonials.php - they all look fantastic, but in fact they turn up for all sorts of different sites on the web and clearly do not relate to My-Data-Source.com directly.

The so-called testimonials give a clue though - many of these are on "cookie cutter" sites, basically the same site with a different name. That's never a good sign as it looks like someone is trying to hide something. Sites that appear to be largely the same are:

  • my-data-team.com
  • global-data-entry.com
  • mydatateam.net
  • earn-clickhere.com
  • mydatateamjobs.com
  • mydataentryjobs.net
  • my-data-source.com
  • onlinedataworkjobs.co.uk
my-data-team.com is the longest established of these sites, registered in 2006 to someone called Gary Endres in Concord, California. It does seem to have a verifiable address, but comes with a poor rating at the BBB. But although the text content is largely the same as My-Data-Source.com, the site layout is different.. but they both have the same testimonials!

onlinedataworkjobs.co.uk takes exactly the content and claims to have been in business for 5 years, although the domain was only registered on 14th May 2009 to a company called "United Service Solutions" (who are not listed anywhere as a UK company) apparently based out of a flat in Bristol. Doesn't fill you with confidence, eh?

Where it is possible to find a registrant for these sites, then they all appear to be different. So, either they are reselling some else's "work at home" product, or they are just copy-and-pasting content from someone else.

There are very few clues as to the owner of My-data-source.com except for the name "Mike P Sanders" embedded in the affiliate link. When you try to sign up for program, eBay gives an email address of mikepsanders@gmail.com

..but here's an oddity, when the domain was originally registered, the registrant was "Lyndon Dave Ardimer"and a straight Google for that name points to a website called primemarketers.com which contains a number of ads for various schemes.. including My-data-source.com posted by Mike Sanders. So, is Mike P Sanders actually Lyndon Dave Ardimer? Or it this Derek Lindsay? Or Timothy Darwin (who's name appears on many of these sites)? At this point, the lead vanishes into a mass of affiliate programs and offshore marketers.

So who is My-Data-Source.com? As you can see, it is difficult if not impossible to determine if there's a real company involved anywhere in this scheme. Should you shell out $50 to join up with a company with no discernible history or physical location? Almost every consumer advice site says that you shouldn't get involved in any type of work-at-home scheme unless you can verify real contact details.. so on that basis, perhaps give this one a miss!

Friday 13 November 2009

warmfuzzylove.com scam

Another dating scam, but they could even be bothered with a picture of a pretty Russian girl.

Subject: re:
From: "jody"
Date: Fri, November 13, 2009 10:49 pm

Hi there:

My name is jody. I was just looking at your picture online and i would
love to chat with you tonight. i just moved close to you and i have no
friends yet :(

you can send a message to my private email jody@warmfuzzylove.com

i would love to hear from you !!!!
warmfuzzylove.com was registered with anonymous details on 4th November 2009 and is hosted on 98.126.22.178 which also handles all the mail. The same server also hosts personals-online.net and singasong4u.com, both also recently registered with anonymous details.

Of course, "Jody" is probably a fat middle-aged man from a former Soviet Republic who will unexpectedly need some money wiring to them. Avoid.

Thursday 12 November 2009

support@nacha.org: "Please review the transaction report"

This is the Zbot trojan or something, very much like this one.


From: Electronic Payments Association [mailto:support@nacha.org]
Sent: 12 November 2009 14:58

Subject: Please review the transaction report


Dear bank account holder,
The ACH transaction, recently initiated from your bank account (by you or any third party), was rejected by the Electronic Payments Association. Please review the transaction report by clicking the link below:

Unauthorized ACH Transaction Report

------------------------------------------------------------------
Copyright ©2009 by NACHA - The Electronic Payments Association



The underlying link goes to nacha.org.fffazsf.org.uk which is itself hosted on some sort of Fast Flux botnet. The landing page attempts to get a user to download report.exe ( a Zbot variant). It also opens an IFRAME to 121.12.170.177 in China, a well-known malware domain.



VirusTotal shows patchy detections, still being analysed by ThreatExpert.

The domain name registration is obviously fake:


Domain name: fffazsf.org.uk
Registrant:
Matthew Hughes
Registrant type:
Non-UK Individual
Registrant's address:
203 Striding Ridge Drive Goldsboro 3881 Belgium
Registrar:
Webfusion Ltd t/a 123-Reg.co.uk [Tag = 123-REG]
URL: http://www.123-reg.co.uk

Relevant dates:

Registered on: 12-Nov-2009

Renewal date: 12-Nov-2011
Last updated: 12-Nov-2009
Registration status:
Registration request being processed.
Name servers: ns1.pa-estate.com ns1.tradesdomains.net
Dig deeper at pa-estate.com and we see a familiar email address:

Name : Michell
Organization : Michell

Address : 8663 Sudley Road
City : Manassas
Province/State : beijing

Country : United States

Postal Code : 20108

Phone Number : 571-866-7585793

Fax : 571-866-7585793

Email : Michell.Gregory2009@yahoo.com


A Google Search for that address comes up with over 24,000 references!

tradesdomains.net is registered differently:

Dolorous Lane
fergunis@gmail.com

512 Stonegate Pl

Brentwood
TN

37027

US

Phone: +1.6155546664


ns1.pa-estate.com and ns1.tradesdomains.net are hosted at 207.210.101.253 (Global Net Access, LLC ) which also hosts puioypai.org which looks suspect too. ns2.tradesdomains.net is on 195.178.190.48 (Bahnhof Internet, Sweden).

Added: the email comes from several different addresses, including:
  • report@nacha.org
  • support@nacha.org
  • info@nacha.org
Subjects include:
  • Your ACH transaction was rejected by The Electronic Payments Association (NACHA)
  • Please review the transaction report
  • Your ACH transaction was rejected
Domains spotted so far:
  • nacha.org.tttteacf.co.uk
  • nacha.org.tttteacx.org.uk
  • nacha.org.redaczxm.me.uk
  • nacha.org.fffazsx.co.uk
Some additional nameservers:
  • ns1.pa-estate.net
  • ns1.video-format.com

Tuesday 10 November 2009

media-servers.net hit bu superkahn.ru injection attack

media-servers.net is some sort of advertising agency that doesn't advertise who it belongs to and hides its WHOIS details behind privacy protection. A look at the historical WHOIS records show the following contact details:

Registrant:
Netposition Ltd.
POB 16041
Tel Aviv 61160
Israel

Domain Name: MEDIA-SERVERS.NET
Created on: 19-Sep-04
Expires on: 19-Sep-13
Last Updated on: 17-Feb-09

Administrative Contact:
Administrator, Domain domadmin@netposition.com
Netposition Ltd.
POB 16041
Tel Aviv 61160
Israel
+972.9723928600 Fax --

Technical Contact:
Administrator, Domain domadmin@netposition.com
Netposition Ltd.
POB 16041
Tel Aviv 61160
Israel
+972.9723928600 Fax --
Their site is infected with injected code pointing to superkahn.ru:8080/index.php - probably the people who own media-servers.net know nothing about it, but they don't make it easy to be contacted.

superkahn.ru is registered to:

domain: SUPERKAHN.RU
type: CORPORATE
nserver: ns1.freeonlinednshost.com.
nserver: ns2.freeonlinednshost.com.
nserver: ns3.freeonlinednshost.com.
nserver: ns4.freeonlinednshost.com.
state: REGISTERED, DELEGATED, VERIFIED
person: Private Person
phone: +7 4912 219900
e-mail: dibs@freemailbox.ru
registrar: NAUNET-REG-RIPN
created: 2009.10.28
paid-till: 2010.10.28
source: TC-RIPN

This is multihomed on:
91.121.88.218 (OVH, Paris)
91.121.108.53 (OVH, Paris)
94.23.211.214 (OVH, Paris)
94.75.198.241 (Leaseweb, Amsterdam)
82.192.88.35 (Leaseweb, Amsterdam)

Websense report that this runs a variety of exploit attempts against unpatched Microsoft and Abode products. Quantcast figures say that almost a million US visitors access this site per month, so a lot more worldwide.

Friday 6 November 2009

"Congratulations!! You have won todays Macbook Air.".

Another day, another badly detected trojan:

Subject: Congratulations
From: "Media Service"

Congratulations!! You have won todays Macbook Air.
Please open attached file and see datails.

Attachments:
winner.zip 21 k [ application/zip ]


winner.zip contains winner.exe detected by some products as the Sasfis Trojan.

ThreatExpert report is here, malware phones home to 193.104.27.4 and 193.104.27.91 in the Ukraine.

Thursday 5 November 2009

BBC websites down - possible DDOS attack?

The BBC's websites (e.g. news.bbc.co.uk and www.bbc.co.uk) are either down or very slow to respond from multiple ISPs and countries. It feels like a DDOS attack, but I cannot confirm it.

It's not trending on Twitter yet, but you can see that it's a widespread issue in real time. The BBC was subject to a major DDOS attack almost exactly a year ago.


Update: the BBC have a statement blaming "network problems" here. Perhaps they should be blaming Siemens?

Wednesday 4 November 2009

Cracking logo, Gromit

Google celebrates 20 years of Wallace and Gromit. Genius.

Tuesday 27 October 2009

"Facebook Password Reset Confirmation" trojan

This trojan claims to be something to do with a Facebook password reset, but it's a plain old EXE-in-ZIP trojan attack.


Subject: Facebook Password Reset Confirmation.
From: "The Facebook Team" <service@facebook.com>


Hey fortunes ,


Because of the measures taken to provide safety to our clients, your password has
been changed.

You can find your new password in attached document.


Thanks,
The Facebook Team

Attachments:
Facebook_Password_6c6eb.zip

The Trojan is widely detected as a version of Bredolab. ThreatExpert report is here.

Remember, if you can block EXE-in-ZIP files at your mail gateway, it is well worth doing.

Saturday 24 October 2009

Uh.. what?

A case of "WTF is this spam trying to do"? It looks like this noobie spammer thinks that sending out millions of copies of their banking details is going to be the path for riches.. rather than (say) identity theft. Spam originates from 123.139.106.235 in Shannxi Province, China which matches with the banking details.

Out of a possibly misguided sense of pity, I have omitted some of the digits from the account number!

Subject: Electronic mail messages webmaster:
From: "The webmaster"

HELLO:
You will actively support god. Each user donated $500 a lifelong use
email. As senior members...

You are christians, please send email forwarded others thirty times,
and charitable donations to me, god will bless you! God will
organization

hello:

Please send money into my account at Bank of China.
Bank name: the bank of China
A/CNO£Âº 2979 7702 0007 xxx
INA/CWITH£Âº Zhang Lu Xi
Address: 38 Juhua Yuan, Xi'an 710001, Shaanxi Prov., China
Swiftcode: BKCH CN BJ 620

You can use high-speed does not capture email


E-mail the webmaster 2009.10.23.

Tuesday 20 October 2009

Police Fail


Never mind the slightly dubious issue of mapping crime hotspots, the announcement of a new service using data from the UK's police force to map crime was always going to generate a lot of interest.

The map is meant to look something like the image on the right (click to enlarge), but because this is the UK the server is clearly underspecified for the amount of interest that it is generating, because anyone who actually tries to visit maps.police.uk gets the rather predictable result below:


It's all a bit reminiscent of when the 1901 Census site went offline for months. Is it beyond the capabilities of the people implementing to judge demand?

Incidentally, the Met have a similar mapping system sensibly powered by Google, which seems to work quite well.

Monday 19 October 2009

Google indexing private Google Voice transcripts?

A disturbing item from the Boy Genius Report indicates that seemingly private Google Voice transcripts are appearing in Google search results with a seemingly simple search string. Although some of these are "test" messages, one or two do seem to be the real deal. Oops.









Wednesday 14 October 2009

"A new settings file for the blah@blah.blah mailbox"

A clever bit of social engineering, looks like Zbot:

From: alert@blahblah.tld
Subject: A new settings file for the name@blahblah.tld mailbox

Dear user of the blahblah.tld mailing service!
We are informing you that because of the security upgrade of the mailing service your mailbox (name@blahblah.tld) settings were changed. In order to apply the new set of settings click on the following link:

http://blahblah.tld/owa/service_directory/settingsphp
?email=name@blahblah.tld&from=blahblag.tld&fromname=name
Best regards, blahblah.tld Technical Support.


The link is a forgery, underneath it is actually blahblah.tld.polikka.eu/owa/service_directory/settings.php
?email=name@blahblah.tld&from=blahblah.tld&fromname=name

polikka.eu was registered just today, the registration details are:

Domäne
Name
polikka
Status
REGISTRIERT
Registriert
October 14, 2009
Letzte Aktualisierung
October 14, 2009, 4:35 pm

Registrant
Name
Spasova, Galia
Unternehmen/Organisation
Galia Spasova
Sprache
Englisch
Adresse
j.k. Droujba-1
44231 paris
Frankreich
Telefon
+32.8834336218
E-Mail
gsmailva@ge-88.com

Probably fake you might think, except that "j.k. Droujba-1" is an address in Sofia, not Paris. And it belongs to a company called GE-88 Ltd who have a website of ge-88.com. So, the email address in the WHOIS does seem to trace back to a Bulgarian company. And what does GE-88 Ltd do? Ummm.. well, it appears to manufacture alloys. It could be fake, perhaps their mailserver is compromised..

Nameservers are ns1.supranull.com and ns1.trapsing.net (96.31.81.80 - Noc4Hosts Inc) (although the site is not resolving at the moment).

Just as I was typing this in, another one came through using the domain oikkkkua.co.uk as a redirector:

Domain name:
oikkkkua.co.uk

Registrant:
Evelyn Wilson

Registrant type:
Non-UK Individual

Registrant's address:
805 E. Stocker
paris
68554
Belgium

Registrar:
Webfusion Ltd t/a 123-Reg.co.uk [Tag = 123-REG]
URL: http://www.123-reg.co.uk

Relevant dates:
Registered on: 14-Oct-2009
Renewal date: 14-Oct-2011
Last updated: 14-Oct-2009

Registration status:
Registration request being processed.

Name servers:
ns1.horstsolution.net
ns1.soon-moon.com

Again, this one isn't resolving yet but it was just registered today.

Suspect ad network leads to PDF exploit

This was picked up from an ad apparently running on grooveshark.com

An ad from ad.technoratimedia.com loads an ad from ad.yieldmanager.com.. so far, pretty normal.

The next step is:
ads.bootcampmedia.com/servlet/ajrotator/790744/0/vh?ajecscp=1254835789307&z=BootCamp&dim=335848

This domain is protected by DomainsByProxy, registered in December 2007 and is hosted 208.113.133.105.

The site has the following contact details:
Address

Bootcamp Media
121 Wyndham St. N.
Suite 202
Guelph, Ontario, Canada
N1H 4E9
Phone

1-519-515-0094
Fax

1-519-515-0151


Bootcampmedia.com has a near-zero profile, but it may well be a legitimate company.

After this, the visitor starts to go well off the beaten track. The next hop is traffic.firedogred.com/content?campaign=1219131&sz=2

firedogred.com is registered to:

Registrant:
Domain Owner
15156 SW 5th
Scottsdale, Arizona 85260
United States

Registered through: GoDaddy.com, Inc. (http://www.godaddy.com)
Domain Name: FIREDOGRED.COM
Created on: 15-Sep-09
Expires on: 15-Sep-10
Last Updated on: 15-Sep-09

Administrative Contact:
Owner, Domain trafficbuyer@gmail.com
15156 SW 5th
Scottsdale, Arizona 85260
United States
(800) 555-1212 Fax --

Technical Contact:
Owner, Domain trafficbuyer@gmail.com
15156 SW 5th
Scottsdale, Arizona 85260
United States
(800) 555-1212 Fax --


That email address of trafficbuyer@gmail.com is well known. The subdomain traffic.firedogred.com is dual-homed on 207.57.97.233 and 161.58.56.25 (both NTT America, Inc).

The next hop is show.sheathssubtotal.info/rotate?m=3;b=2;c=0;z=406377

sheathssubtotal.info was regisitered on 17th September with the same "trafficbuyer@gmail.com" contact details as firedogred.com.

show.sheathssubtotal.info is dual homed on 140.174.93.100, 161.58.192.228 (both NTT America, Inc).

Yet another hop, this time to content.neighbanner882.info/track/3388081/S_SE?{munged}

neighbanner882.info was created on 7th August 2009, registered to trafficbuyer@gmail.com (again). content.neighbanner882.info is hosted on 69.164.196.55 at some outfit called Linode.

Yet another hop, this time to winckag.com which is currently down but was hosted on 89.149.251.71 (Netdirekt E.k) who are pretty well known for hosting bad sites (but they may well have nuked this one already, and if so.. well done!)

The owners of winckag.com have something to hide..

Registrant:
Contactprivacy.com
96 Mowat Ave
Toronto, ON M6K 3M1
CA

Domain name: WINCKAG.COM


Administrative Contact:
contactprivacy.com, winckag.com@contactprivacy.com
96 Mowat Ave
Toronto, ON M6K 3M1
CA
+1.4165385457
Technical Contact:
contactprivacy.com, winckag.com@contactprivacy.com
96 Mowat Ave
Toronto, ON M6K 3M1
CA
+1.4165385457


Registration Service Provider:
domainsnext.com, Sales@DomainsNext.com
+1.9494979623
This company may be contacted for domain login/passwords,
DNS/Nameserver changes, and general domain support questions.


Registrar of Record: TUCOWS, INC.
Record last updated on 04-Oct-2009.
Record expires on 04-Oct-2010.
Record created on 04-Oct-2009.

Registrar Domain Name Help Center:
http://domainhelp.tucows.com

Domain servers in listed order:
NS1.WINCKAG.COM 200.63.45.62
NS2.WINCKAG.COM 200.63.45.62


This loads an image from img.sheathssubtotal.info/120x600/54019.gif multihomed on 174.143.241.174, 174.143.243.90, 174.143.243.162 (some sort of cloud hosting) and then loads the following:
winckag.com/base/data/p29.php
winckag.com/base/data/vou.png

Those nameservers on 200.63.45.62 are interesting, that's PanamaServer.com who are well known for supporting malware.

Finally, winckag.com appears to try to load a Troj/PDFJs-DY trojan onto the victim's machine.

You should certainly avoid ads running on firedogred.com, sheathssubtotal.info, neighbanner882.info, winckag.com or any domain registered to trafficbuyer@gmail.com. Make up your own mind about Boot Camp Media - these small ad networks are very often targeted by the bad guys, but they really need to get their act together.

Tuesday 13 October 2009

Piradius.net running Zbot infrastructure servers

Piradius.net appears to be up to its dark grey hat antics again with a server at 124.217.251.179 which is providing services to the current run of Zbot trojans, as seen (for example) with this recent ThreatExpert report.

Robtex reports the the server is also being used as the NS for a number of Zbot related domains, notably x2dns.ru, cedns.ru, updata-1.com, admin-systems.com, db-1.net, upd01.net, ssl-updates.net and several others connected with this spam run. 124.217.251.179 is also the download server for various Zbot components.

Although Piradius.net probably has many legitimate customers (primarily from Malaysia, Thailand and South-East Asia), it seems to have a lot of bad ones too (including Yohost.org). Prudent network administrators may want to consider blocking 124.217.224.0 - 124.217.255.255 which will probably not cause too many problems.

Wednesday 7 October 2009

Orwellian Black Opel


I thought I'd get a photo of the Google Streetview car while it was having a rest.. and before it got me :)

Tuesday 6 October 2009

htmlads.ru injection attack

Another injection attack following on from this one, htmlads.js looks like it is being injected into IIS 6.0 servers. In this case, the string to look for in your logs in htmlads.js/ads. js which is worth checking for and blocking if you can.

For the records, the domain registration details are:

domain: HTMLADS.RU
type: CORPORATE
nserver: ns1.htmlads.ru. 75.34.216.140
nserver: ns2.htmlads.ru. 216.119.45.147
nserver: ns3.htmlads.ru. 72.48.193.152
nserver: ns4.htmlads.ru. 71.108.37.140
state: REGISTERED, DELEGATED, UNVERIFIED
person: Private person
phone: +7 496 4047474
e-mail: tau@8081.ru
registrar: REGRU-REG-RIPN
created: 2009.10.05
paid-till: 2010.10.05
source: TC-RIPN

Monday 5 October 2009

Are your personal details on Jigsaw.com?

An interesting post caught my eye about a site called Jigsaw.com over at the CluBlog. It's a sort of collective where people trade other people's business card information, and it might well be the reason why my number of irrelevant direct marketing calls has gone through the roof.

The blog post also usefully tells you how to remove your details - recommended reading!

Sunday 4 October 2009

Injection attacks: adbnr.ru

adbnr.ru seems to be the latest domain to be used by the bad guys in this current round of injection attacks. The injected code to look for is adbnr.ru/ads.js (obviously don't visit that page unless you know what you are doing). That leads to a heavily obfuscated piece of Javascript which I haven't dissected yet.. but really there is no doubt that it is going to try to do something very bad to your computer!

Domain is registered to:
domain: ADBNR.RU
type: CORPORATE
nserver: ns1.adbnr.ru. 75.155.243.39
nserver: ns2.adbnr.ru. 173.93.171.160
nserver: ns3.adbnr.ru. 71.108.37.140
nserver: ns4.adbnr.ru. 67.84.154.208
state: REGISTERED, DELEGATED, UNVERIFIED
person: Private person
phone: +7 812 5706062
e-mail: omit@blogbuddy.ru
registrar: REGRU-REG-RIPN
created: 2009.09.29
paid-till: 2010.09.29
source: TC-RIPN

Both the telephone number and email address have been connected with malware attacks before.

Looks like it is using a fast flux botnet for hosting, but blocking adbnr.ru should be effective.

Thursday 1 October 2009

ads-t.ru and adtcp.ru: Asprox is back

I haven't had time to look at this fully, but it seems that a fresh round of Asprox attacks have started after several months of inactivity - in this case the domains ads-t.ru and adtcp.ru are in use.

Read more at CyberCrime & Doing Time.

Wednesday 23 September 2009

max-apprais.com and top-name.net scam

max-apprais.com and top-name.net appear to be two fake domain appraisal companies being "recommended" to domain owners as part of a long-running scam which we have touched on many times before.

max-apprais.com was created on 12th September to an anonymous registrant, hosted on 202.157.181.9 at Katz Global Singapore. It's a copy of max-appraisal.com which is hosted on 124.217.231.209 at well-known black hat hosts YoHost.org.

top-name.net is a very familiar template hosted on 66.7.196.186 (Hostdime, Florida) also to an anonymous registrant (although it appears to be a Canadian resident behind all of this spam).


sedo.com are a well-known and wholly legitimate company and are nothing do to with the spam or scam.

The "pitch" email looks like this:

From: "Domain Trade LLC"
Date: Wed, September 23, 2009 4:26 am

Dear sir,
we are interested to purchase your domain [redacted] and offer between 50% and 65% of the appraised value.
We accept appraisals from companies such as

http://www.sedo.com/
http://top-name.net/
http://max-apprais.com/


If you already have an appraisal please forward it to us.

Please let us know whether you are interested. Upon review of your valuation and in case of an agreement we send payments via PayPal for amounts less than $2,000 and via Escrow.com for amounts above $2,000, as well as further instructions on how to complete the transfer of the domain name.

We appreciate your business,

Domain Trade LLC
Originating IP for the spam is 74.55.131.10

Of course, once they have taken your money for the appraisal, then you will never hear from them again.

If you have been conned by these scammers then start a PayPal dispute to get your money back. We understand that Sedo may offer a refund in any case as they are well aware of this scam. You might also want to file a complaint with the police, especially if you live in Canada where the perp appears to be based.

Tuesday 15 September 2009

Rogue ads on answers.com: dotastoc.com

I'm still trying to track this one down, but somewhere on answers.com is a rogue ad that does through several hops to reach a fake anti-virus application. Don't visit any of the following sites unless you know what you are doing!
  1. dotastoc.com/442417.js?sid=bWtuamJoX2NvZmZlZS1jODMuZG90YXN0b2MuY29t [212.95.56.102, Germany - Netdirekt E.k]
  2. mknjbhyju.exxl.pl/coffee-c83/xalei.html [209.51.196.244, Ohio - XLHost.com Inc]
  3. mknjbh_coffee-c83.dotastoc.com/index.html ?Ref=http%3A%2F%2Fwww.google.co.uk %2Fsearch%3Fhl%3Den%26q%3D[redacted]%26btnG%3DSearch%26meta%3D
  4. myth-busters.cn/go.php?id=2009-01&key=cd19f5036&p=1 [94.102.48.29, Netherlands - Ecatel]
  5. 09computerquickscan.com [multihomed at 78.46.118.1, 78.46.201.89, 78.46.251.41, 88.198.81.153, 88.198.120.177, Germany Hetzner Online AG]
Step 3 requires a referer string to work, depending on the string you may get redirected, for example to usdisturbed.cn/?pid=229&sid=4b5855 [193.169.12.70, Belize "Financial Company Titan Ltd"] then fast-virus-scan4.com [91.213.126.100, Costa Rica Centerinfocom Ltd or 93.169.12.70 again]

Lots of suspect IP addresses there, 212.95.56.102 is the first step and also hosts these following domains that also look suspect:

  • Anidmenonpderche.com
  • Dotastoc.com
  • Ewyuewssf.com
  • Fishbiss.com
  • Iggiksc.com
  • Lur2cont.com
  • Niuk.ru
  • Pornokogu.com
  • Uewiosdasda.com
fast-virus-scan4.com is also being used in some .htaccess attacks, where the hacked site only redirects to the fake virus scanner if accessed through Google or some other search engine, not if it is visited directly.

Update: answers.com appear to have tracked down and removed the ad, although some other sites have been hit by a very similar attack.

YoHost.org on the move to Dragonara.net

It looks like black-hat host YoHost.org is on the move to a set of IP addresses owned by "Dragonara Alliance Ltd" (dragonara.net) - a company that claims to be Swiss (and appears to use hosting in Switzerland) but is registered in the British Virgin Islands.

Dragonara claims to be a high-reliability host where clients can weather out DDOS attacks, which is a useful service. However, a lot of the sites it host seem to be quite dubious, and a lot of sites seems to be pushing "replica" (i.e. fake) Swiss watches. The fact that a Swiss company is hosting sites in Switzerland that appear to be selling fake Swiss watches is something that might end up in an interesting conversation with some Swiss lawyers.

The IP address range to look out for is 194.8.74.1 - 194.8.75.255. The sites listed below are for information purposes only, many may well be perfectly legitimate. If you have any observations, then please use the comments.


194.8.75.34
Liberty72.com
Music-ultra.net
Virtuelldigitale.net

194.8.75.66
Filmkeuze.org
Superadult.org

194.8.75.77
Tyolaly.com

194.8.75.80
Ireplicastore.com

194.8.75.82
Billing-sat.tv

194.8.75.90
Bkjace.com
Jessicareplicas.com
Swissreplicastore.com

194.8.75.94
Good-good-movie.com
I-want-she.com
Oem-workshop.org
Online-oem-store.com
Red-paradise.com
Russian-paradise.com
Net-doktor.eu

194.8.75.98
Highrisefinance.com


194.8.75.107
Watch-replica.net

194.8.75.116
Yohost.org

194.8.75.118
Sadelae.com
Tiffanysets.com
Tyakcek.com

194.8.75.119
Apoace11.com
Beanells.com
Mymodelwatches.com

194.8.75.120
Gaemacs.com
Replicasmart.com

194.8.75.121
Brangelinareplicas.com
Geakcon.com

194.8.75.122
Kejhlle.com
Watch-replicas.com

194.8.75.123
Akeean.com
Brandreplica.com
Sharesdigger.com

194.8.75.124
Beauhi.com
Tiffanylovers.com

194.8.75.125
50st.ru

194.8.75.126
Ppoeatt.com

194.8.75.127
Tyaopce.com

194.8.75.128
Bieaken.com

194.8.75.129
Dakealls.com

194.8.75.135
Replicawatchesreviews.com

194.8.75.141
Agent-service.info
Barlenelectronics.com
Iluvtotravel.com
Sapnastudio.org
Strahovoy-partner.info
Strahovoypartner.ru
Thefbo.com

194.8.75.143
Csmfinance.com

194.8.75.165
Halarona.com

194.8.75.180
Replicas99.com

194.8.75.181
79eurovilla.com

194.8.75.199
Dvd4play.com

194.8.75.202
Thc-torrents.org

*********

194.8.74.12
Aowei.net.ru
Babytrance.us
House-of-friendship.com
Jurassic.net.ru
Kemcua.net
Lightning.net.ru
Tiroteen.net

194.8.74.45
Odnoixniki.com

194.8.74.100
Shara.info

194.8.74.101
Dw-plus.tv

194.8.74.120
Battlenetlogins.com
Directransfer.net
Diyxbox360.com
Flexfolders.com
Hygetropin-hgh.com
Immune-research.com
Premiuma.net
Privacysecured.com
Reversephonenet.com
Tiffanybazaar.com
Topregfix.com
Uc-forum.com
Ucdownloads.com
Vintagevdb.com
Xbox360redlightsguide.com

194.8.74.127
Dw24.tv

194.8.74.129
Anyshop.ch
Huasi.ch
Sowa.ch
Swisstuerk.ch

194.8.74.132
Hotelinsider.info

194.8.74.135
Dw-mobile.org

194.8.74.154
Vaultinvestment.com

194.8.74.158
Fi-success.com
Financijskabuducnost.com
Financijskabuducnost.net
Forexdonos.com
Forexdonos.net
Forexdonos.org
Forexnalozba.com
Forexnalozba.org
Forexnalozbe.com
Forexnalozbe.net
Forexnalozbe.org
Fx-donos.com
Fx-donos.net
Fx-donos.org
Tx-invest.net
Ultra-forex.com
Ultra-forex.net

194.8.74.190
Parnenairdesign.com
Rs-promotion.com
Syjsw.com

194.8.74.193
Practicalsilver.com
Silverurban.com
Solid925silver.com
Tiffanynsnow.com

194.8.74.231
Relsat.org

Thursday 10 September 2009

Fake HMRC tax refund messages

Looks like there's a spam run in progress with the following fake tax refund message:
From: HM Revenue & Customs [mailto:rsa.messages@hmrc.rsamessages.co.uk]
Sent: 10 September 2009 10:16
Subject: [ HMRC MESSAGE ID NUMBER: 381716209 ]

(This is an outbound message only. Please do not reply.)



Dear Applicant,

The contents of this email and any attachments are confidential and as applicable, copyright in these is reserved to HM Revenue & Customs. Unless expressly authorised by us, any further dissemination or distribution of this email or its attachments is prohibited.

If you are not the intended recipient of this email, please reply to inform us that you have received this email in error and then delete it without retaining any copy.

I'm writing to confirm that after the last annual calculation of your fiscal activity we have determined that you are eligible to receive a tax refund of 327.54 GBP

You have attached the tax return form with the TAX REFUND NUMBER ID: 381716209, complete the tax return form attached to this message.

After completing the form, please submit the form by clicking the SUBMIT button on form and allow us 5-9 business days in order to process it.

If you have any questions, please refer to our Frequently Asked Questions (FAQs) or visit our head office address can be found on our web site at http://www.hmrc.co.uk/

Yours sincerely,
Kevin Taylor
Manager, HM Revenue & Customs Tax Credit

TAX RETURN FOR THE YEAR 2009
RECALCULATION OF YOUR TAX REFUND
HMRC 2008-2009
LOCAL OFFICE No. 3819
TAX CREDIT OFFICER: Kevin Taylor
TAX REFUND ID NUMBER: 381716209
REFUND AMOUNT: 327.54 GBP


This e-mail is generated by RSA Security United Kingdom on behalf of HM Renenue & Customs


Calls may be monitored or recorded in case we need to check we have carried out your instructions correctly and to help improve our quality of service.


or another variant:


From: HM Revenue & Customs [mailto:officer.robinson@hmrc.co.uk]
Sent: 10 September 2009 10:23
Subject: TAX REFUND ID NUMBER: 381716209

TAX RETURN FOR THE YEAR 2009

RECALCULATION OF YOUR TAX REFUND

HMRC 2008-2009

LOCAL OFFICE No. 3819

TAX CREDIT OFFICER: NEIL ROBINSON

TAX REFUND ID NUMBER: 381716209

REFUND AMOUNT: 344.79

Dear Applicant,

The contents of this email and any attachments are confidential and as applicable, copyright in these is reserved to HM Revenue & Customs.

Unless expressly authorised by us, any further dissemination or distribution of this email or its attachments is prohibited.

If you are not the intended recipient of this email, please reply to inform us that you have received this email in error and then delete it without retaining any copy.

I am sending this email to announce: After the last annual calculation of your fiscal activity we have determined that you are eligible to receive a tax refund of 344.79

You have attached the tax return form with the TAX REFUND NUMBER ID: 381716209, complete the tax return form attached to this message.

After completing the form, please submit the form by clicking the SUBMIT button on form and allow us 5-9 business days in order to process it.

Our head office address can be found on our web site at http://www.hmrc.co.uk/

Sincerely,

NEIL ROBINSON

HMRC Tax Credit Officer

officer.robinson@hmrc.co.uk

Preston

PR1 0SB



There's an attachment in both cases that attempt to harvest personal details (basically everything you need for identity theft) and sends it off to the attacker. In this case, domains used are jub23bi.biz and xgen99.biz although there are probably others. Scanning your outbound log files for /luk.php or /luk1.php or .biz/luk might reveal anyone who has fallen for it.


Obviously, if you've entered you details into something like this then you need to contact your bank as soon as possible and explain that your account has been compromised.

Friday 4 September 2009

Macez.com domain scam

Yet another fake domain appraisal scam following on from this one, macez.com has actually been registered for a while but only came into use in September. If you receive an email recommending this appraisal site, delete it. If you have paid for a fake appraisal with PayPal, then you should open up a dispute about the transaction.

Wednesday 26 August 2009

Razor blade spam

Here's a new one.. razor blade spam! Gillette Mach 3 Blades are apparently the most stolen retail product in the world, so perhaps it is unsurprising to see spam for what is bound to be fake Mach 3 razor blades.


Subject: Gillette Mach 3 Razor Blades - Best Prices 28414010
Date: Wed, August 26, 2009 10:37 pm

9732866
If you have trouble viewing this email click here. You could make a gift for you boy
friend,farther or sell the items on Ebay.

7657
If you are not a member, or received this email from a friend, and would like to
join our Rewards program, click here.

You've received this message because you've registered to receive email from M3mach.
If you no longer wish to receive email from us click here.

View our privacy policy.
Please don't direct response this mail box.
Contact Us click here.
www.M3mach.com


A pack of 8 Mach 3 blades retails for about $18 in the US, these folks claim to be selling them for less than $7..


..which means that these are fakes. Fake razor blades are just fine if you don't mind facial lacerations, rashes and nasty blood diseases. Looks like they also sell fake condoms too.

This may well be the start of a new trend. Who knows what the spammers will try to sell next? Tinned meat?