Sponsored by..

Saturday, 17 July 2010

Mystery Shopper Scam from "Shoppers Guide Ltd"

Mystery shopper scams aren't exactly rare, but they're not as obvious a scam as some others. The basic idea is that once you get roped in, then eventually the sting will come with you laundering stolen money or an advanced fee fraud. There are some details about typical mystery shopper scams here.

The spam originates from 82.128.2.21 in Nigeria.

From: ADAM SCOTT mystery.shopperonline33415@yahoo.com
Reply-To: mystery.shopperonline33415@yahoo.com
Date: 17 July 2010 15:39
Subject: JOB OFFER

Hello,

         We are a company that conduct surveys and evaluate other companies. We get hired to go to other peoples companies and act like customers in order to know how the staffs are handling their services in relation to their  customers. once we have a contract to do so, you would be directed to the company or outlet, and you would be given the funds you need to do the job(either purchase things or require services), after which you would write a  comment on the staffs activities and give a detailed record of your experience

Examples of details you would forward to us are :

1) How long it took you to get services.
2) Smartness of the attendant
3) Customer service professionalism
4) Sometimes you might be required to upset the attendant, to see how they react to clients when they get tensed.

 And we turn the information over to the company executives and they would  carry out their own duties in improving there services.

   Most companies employ our assistance when people give complains about their services, or when they feel there are needs for them to improve their customer service. your Identity would be kept confidential as the job states (secret shopper) you would be paid $300 for every duty you carry out, and bonus on your transportation allowance, and funds would be given to you if you have to dine as part of the duty.

  Your job will be to evaluate and comment on customer service in a wide variety of shops, stores, restaurant and services in your area. No commitment is made on this job, and you would have flexible hours as it suits you. We will be sending you check for any of your assignments which you will cash at your financial institution and you use the money to carryout the assignment. You do not have to use any money from your pockets. So we will provide you the money for all your assignments.If you are interested

The following information below will be needed :
Full Name:
Address (no Po Box):
City:
State:
Zip code:
Phone Number(s):
Email Address:
Age:
Occupation:

 So we can look at your distance from the locations which you have to put your service into, and your address would also be need for your payments.

Thanks.

Adam Smith
shoppers Guide Ltd
mystery.shopperonline33415@yahoo.com

Thursday, 15 July 2010

"Put your PC in your pocket and use it anywhere, anytime!"

I don't normally republish press releases, but this looks pretty cool. I've used Paragon software before and it seems to do what it says on tin. What this appears to be a a fully featured VM package which consumers can use for free, so it definitely might be worth trying out..

 IRVINE, CA, July 12, 2010 – It’s time to upgrade to a new operating system, but the thought of all the unknown issues may hold you back.  What if your favourite applications haven’t been updated to work with the new OS? There may be unintentional software glitches or bugs that will damage your host computer. One solution would be to create a virtual clone of your current computing environment to test any changes or upgrades before going live on your own PC, but migration to a virtual machine might be too complex and expensive for an average home user. How do you even begin to go virtual?
Paragon Software Group (PSG), the technology leader in innovative data security and data management solutions, invites you to Paragon Go Virtual with the new easy-to-use, free migration tool created for PC users who want to work in a virtual environment without technical risk. How does it work? Paragon Go Virtual allows you to make a virtual clone of your PC in three easy steps: http://www.paragon-software.com/home/go-virtual/how_it_works.html
Availability:
Paragon Go Virtual is available for immediate download, free of charge: http://www.paragon-software.com/home/go-virtual/index.html
 Social Media:
 
 We would like you to leave us a comment here letting us know what you think about it. We value all of  your feedback on our blog  


The BBC News site sucks

I've kept schtum about the BBC News redesign for a couple of days as I suspected that my dislike of it was just because it was different from the layout that they've had for some time (I moaned about the last redesign too).

It does seem that I'm not alone though as a comment on the bottom of this Reg article indicates:

Widespread criticism of the redesign in the blogsphere over its confusing layout, unappealing appearance and the bone-headed decision to demote the prominence of sports coverage is another thing altogether.
Exactly.. the navigation used to be very simple and clear but is now a confused jumble, there's an inexplicable amount of whitespace about the place, there's a stupid panel part way down with your local news that appears to have been designed by a different team entirely, and an overall inefficient use of space with unimportant elements being too visually intrusive. It's Web 2.0 crap in other words.. hell, it's almost as bad as Sky News!

(and before anyone comments, I know that this blog template doesn't work very well in Internet Explorer either, but then I haven't pissed away stacks of public cash on it either).

More unfavourable comments here

Tuesday, 13 July 2010

"Your craiglist account requires attention!!"

A fairly obvious phish:

From: noreply@craigslists.org
Date: 13 July 2010 08:29
Subject: Your craiglist account requires attention!!
   
Please follow the link bellow to avoid expiration of your Account https://www.craigslist.org/account/update

Thank you for using our services
The link in the email actually goes through your.totalinternethost.com/bb.html before bouncing to accounts.craiglist.org.postifedelta.com/icons/crg/ - I'm guessing that the domains are legitimate but their domain admin account has been hacked.

The mail itself is "from" craigslists.org (i.e. more than one list) rather than craigslist.org which is a clue, and also the subject is mis-spelled as craiglist .. usually signs that something it going wrong (and a couple of things that you could block if you roll your own mail filters).

If you click through, then you get a convincing looking login page which is an exact copy of the real thing:

This is the fake one (click to enlarge):


Fill in the login details, and the fake page harvests them and sends you on to the REAL page (pictured below) which looks identical. Presumably, victims are meant to think that their login has failed in some way.

The catch? Both the real and fake pages have an identical warning:

WARNING:  scammers may try to steal your account by sending an official-looking email with a link to a fake craigslist login page that looks like this page, hoping you'll type in your username and password.

example of valid craigslist address Look carefully at the web address near the top of your browser to make sure you are on the real craigslist login page, https://accounts.craigslist.org

The safest way to login is go to the craigslist homepage directly by typing in the web address, and then clicking on the 'my account' link.
Both fake and real pages even have a picture to show you what to look for:

On the fake page, the URL in the browser bar clearly does not match the one on the page. But how many people actually read it? Any sysadmin will tell you that there's a hard core of users who don't read or unstand warnings, and obviously there are enough of them to make this scam worthwhile.

Just for the record, these are the IPs in this particular phish:
accounts.craiglist.org.postifedelta.com 
116.12.52.25
Usonyx, Singapore

your.totalinternethost.com
64.191.40.21
Burstnet, Scranton

Sunday, 11 July 2010

I received this mail "from" a contact's web mail account.. well, I say "from", it was actually a dial-up account in Nigeria (41.155.100.234 in this case).


Subject:  HELP!!!

Hello,

      I'm sending this short email with panic in my heart, the situation of things here right now seems so tensed and frighting because I'm  stranded here, apparently l was stuck here in LONDON ENGLAND with family because we were held by muggers on KENTISH TOWN ROAD  yesterday after shopping at the city mall, our wallets were taken from us which has our credit cards and bank cards in it, but we already canceled  them now, our passports were taken as well but the embassy are working on it trying to fix a way to get us an ID that will be valid for us to get  on flight back home but seems like it will take couple of days or three but right now i need a quick loan from you which is very urgent,  so we can use for our upkeep for the next 3days, l promise to pay you back, as soon as i'm back home, l give you my word on that, please email  me as soon as you get this to confirm and let me know if you can be of help.

God bless you. 

What has happened here is that the victim recently received a message from their webmail provider that said that their account might be shut down because of a lack of capacity.. and please could you confirm that it was still in use by sending back the login details. THAT gave the scammers the username and password, and then they raided the contacts to send this plea.

So.. if you receive a mail message like this, then it's a scam.. but don't ignore it, the best thing to do is tell your contact that their mail account has been compromised and that they need to change their password (if they can) and also review any banking or financially sensitive emails that they store, because it is possible that the scammers could have compromised those as well.

Dear Robert Allen and Bob Gatchel.. please shove it where the sun don't shine.

I guess it was naive of me to think that I wouldn't see any more Bob Gatchel spam, but this great big steaming turd of a spam ended up in my inbox promotion some other crap.

From: robertallen1 robertallen1@ewiadvisor.com
Reply-to: jan@multiplestreamsofincome.com
Date: 25 June 2010 04:21
subject    [Redacted], Your Mining Gold with Ebay CD At Absolutely No Cost From Robert Allen
   
 Hi [Redacted],

Robert Allen here with some AWESOME news!  I’m very excited to tell you that my good friend, mentor and online marketing expert - Bob Gatchel - just completed a brand-new program that could show you how to explode your income! 
EXPLODE MY INCOME! AWSEOME!
Do you remember me telling you how I made $94,000 in 24 hours, sitting at home on my computer?  Well … it was Bob Gatchel who made that possible!  He’s a genius when it comes to making money on the Internet. 
No I don't.. I remember someone telling me that they were watching 2Girls1Cup when their mom walked in. Was that you?

Well, Bob has done it again! 
Whatever happened to Britney Spears?

This time he’s revealing how anyone can make $300 to $3,000 a month “mining for gold” on eBay. Ebay?  Yes, Ebay!   You see … due to the recent financial crisis & this “new economy” - Ebay online auctions are in SUPER demand!  This massive demand has created a virtual “online gold rush” … and fortunes are being made because of it!   Bob reveals exactly how anyone can capitalize on this MASSIVE trend right now … even if you never participated on Ebay before!
Wow.. Bob has discovered what people have been doing on eBay for years. Buying stuff that's underpriced and reselling it for a profit! It's not as if you can just Google for ebay tips.. oh wait, maybe you can.

And here is the best part – he’s literally GIVING away this information to anyone who wants it!

That’s right; he’s going to send you the “Mining Gold with eBay” Audio program absolutely free.  I’m talking NO cost, not even shipping and handling. 
So it's a free lunch, is it?

Simply call 1-888-876-1988 and you’ll be connected with my staff that will confirm your address and rush out a copy of this audio to your door.  It’s that easy.

No thanks.

Here are a few things you can expect to learn from this amazing audio program:

• Expert secrets to making a Fortune on eBay
• How to research and analyze your competition to increase profits
• How to create a massive bidding frenzy, every time
• The art of sniping…to get what you want at the price you need
• Perfect your auction timing to maximize earnings
• How to create raving eBay fans and get 100% positive feedback
• A secret technique all sellers must know that can literally make you thousands
• And much, much more
What about "there's no such thing as a free lunch"?
So, if you’d like harness the power of eBay to add another stream of income to your life, just wait until you learn all of these incredible, cutting edge techniques!  And, the best part is that you can do this without spending ANY money upfront.
Wait... what do you mean about "without spending any money upfront"? That's not quite the same as "free" is it? That kind of implies that you send it to me for free and I have to pay for it later.
Again, all you have to do is call 1-888-876-1988 and tell my staff where you want me to send this incredible audio training program.   Don’t miss out … you’ll kick yourself if you don’t take advantage of this offer!
Dear Robert and staff: please take your incredible audio training program and send it up your arse.

To Your Massive Success!

Robert G. Allen
Wicked.

Please not that product prices and availability are limited time offers and are subject to change.  We respect your privacy.  To remove yourself from this mailing list, click http://www.ewimail.com/unsubscribe.aspx or reply to this message with “unsubscribe” as the subject line or write us at Enlightened Wealth Institute, LC, 5072 N 300 W Provo, UT 84604
Well, at least you managed to include valid unsubscribe details rather than the last Bob Gatchel crap you sent. But you know, I don't think that I'm going to confirm my email address by clicking your so-called "unsubscribe" link.

Incidentally, in the US the BBB rates this lot with a miserable D+ rating  on a scale of A to F. Hardly inspires confidence, does it?

Evil network: Pegashosting Network / pegashosting.com 178.162.135.0/24 (AS28753)

This summary is not available. Please click here to view the post.

hiring-westunion.com scam email

This scam email is recruiting people for money laundering and other criminal activities using the fraudulent domain hiring-westunion.com:

From: Molly Leary
Date: 11 July 2010 01:23
subject: Open Positions

Greetings


I’m addressing you on behalf of the HR department of a large company. Our company covers a wide range of businesses:
- real estate
– accounts opening
– undertaking services
– etc.

We need a person to fill the vacancy of a regional manager in Europe:
- salary 2.400 euro + bonus
- 2–3 working hours per day
- flexible work time


If you are ready to work as a regional manager in Europe send us the below information on email:
c v @ h i r i n g - w e s t u n i o n . c o m [please delete spaces before sending]
Full name:
Country:
E-mail:
Mobile phone-number:



Note! We are searching Europeans only!

Please, write your name and Telephone Number so that our manager could contact you and conduct an interview. 
This domain attempts to pass itself off as the legitimate Western Union company, it was registered a few days ago to what appears to be a real address but is almost definitely fake too:

Domain name: hiring-westunion.com

Registrant Contact:
   PBsoft, inc
   Harry Bishop Harry.PBishop@yahoo.com
   818372-9865 fax: 818372-9865
   2850 Luna Pl
   Granada Hills CA 91344-1644
   us

Administrative Contact:
   Harry Bishop Harry.PBishop@yahoo.com
   818372-9865 fax: 818372-9865
   2850 Luna Pl
   Granada Hills CA 91344-1644
   us

Technical Contact:
   Harry Bishop Harry.PBishop@yahoo.com
   818372-9865 fax: 818372-9865
   2850 Luna Pl
   Granada Hills CA 91344-1644
   us

Billing Contact:
   Harry Bishop Harry.PBishop@yahoo.com
   818372-9865 fax: 818372-9865
   2850 Luna Pl
   Granada Hills CA 91344-1644
   us

DNS:
ns1.pegas-dns.org
ns2.pegas-dns.org

Created: 2010-06-22
Expires: 2011-06-22

The registrar is the scammer's favourite, BIZCN.com of China. The web server and mail is hosted on 178.162.135.108 on PegasHosting Network in the Ukraine. Email originated from 201.246.77.170, an ADSL subscriber in Chile.

This is not a real job, anything that they offer is likely to be some sort of criminal activity such as money laundering, parcel reshipping and other fraudulent back office functions.

Update 19/7/10: the spam is being sent out again, now hosted on 79.119.213.2 in Romania along with  Westunionhiring.com - if you get this, send an abuse complain to the host at abuse -at- rcs-rds.ro

Wednesday, 7 July 2010

Tuesday, 6 July 2010

"Blackberry Storm Promotion" scam email

is fake email appears to have been created to flood an innocent party's mailbox with spam and generate unwanted phone calls (the number may well be a real one belonging to RIM in South Africa). BlackBerry / Research In Motion are nothing to do with this email, it is a hoax.. please ignore it and do not try to contact "Amanda". More on this scam here.


Subject: Blackberry Storm Promotion.


http://www.mobilegazette.com/handsets/blackberry/blackberry-9500/blackberry-storm-9500-combo.jpg
 
Dear All,

 
Blackberry is giving away  free phones as part of their promotional drive.

 
All you need to do is send a copy of this email to 8 people; and you will receive your phone in less than 24 hrs.

Please note that if you send to more than 20 people you will receive two phones.

 
 
Please do not forget to send a copy to: amanda.lee@blackberry.com
 
With Regards,

 
Amanda Lee (Marketing Manager)

Office Number: 0027 11 7838512


Evil network: AS49544 (195.78.108.0/23) / GlobalRouting.eu

AS49544 is a network with IP addresses ranging from 195.78.108.1 - 195.78.109.255 which claims to be in the Netherlands, but may actually be in the Ukraine. The WHOIS details for the range are suspect as they refer to a domain globalrouting.eu which actually appears to be a legitimate weather forecasting service. Everything about the domain registration details smells of a hijack.. I would strongly suggest that contacting ipadmin@globalrouting.eu would be counter-productive in this instance, it may even be dangerous.

Out of the /23 there seem to be exactly zero legitimate sites, many of them are involved in malware distribution. It is probably worth blocking the entire IP address range. Google's safe browsing diagnostic for the AS is damning:

What happened when Google visited sites hosted on this network?

Of the 4157 site(s) we tested on this network over the past 90 days, 96 site(s), including, for example, stimulus.nu/, turisticki-aranzmani.com/, webconsulenti.net/, served content that resulted in malicious software being downloaded and installed without user consent.

The last time Google tested a site on this network was on 2010-07-05, and the last time suspicious content was found was on 2010-07-05.

Has this network hosted sites acting as intermediaries for further malware distribution?

Over the past 90 days, we found 73 site(s) on this network, including, for example, skottles.com/, baidustatz.com/, pinalbal.com/, that appeared to function as intermediaries for the infection of 9529 other site(s) including, for example, managerz.nl/, 189ppc.com/, czonline.net/.

Has this network hosted sites that have distributed malware?

Yes, this network has hosted sites that have distributed malicious software in the past 90 days. We found 182 site(s), including, for example, convart.com/, skottles.com/, augami.net/, that infected 11610 other site(s), including, for example, managerz.nl/, forosdz.com/, 189ppc.com/.
The suspect WHOIS details for the range are:


inetnum:        195.78.108.0 - 195.78.109.255
netname:        GlobalRouting-NL-NET
mnt-routes:     SERVERBOOST-MNT
remarks:        Global Routing
remarks:        i3d rotterdam route
remarks:        for abuse please contact ipadmin@globalrouting.eu
org:            ORG-POIS1-RIPE
country:        EU
admin-c:        greu
tech-c:         greu
status:         ASSIGNED PI
mnt-by:         RIPE-NCC-END-MNT
mnt-by:         globalrouting
mnt-lower:      RIPE-NCC-END-MNT
mnt-routes:     globalrouting
mnt-domains:    globalrouting
source:         RIPE # Filtered
descr:          PI Obodovsky Ivan Sergeevich

organisation:   ORG-POIS1-RIPE
org-name:       Global Routing
org-type:       OTHER
address:        Piet Paaltjensplein 70, 3030 TZ Rotterdam, The Netherlands
e-mail:         ipadmin@globalrouting.eu
mnt-ref:        globalrouting
mnt-by:         globalrouting
source:         RIPE # Filtered

role:           GlobalRouting contact role
address:        Piet Paaltjensplein 70, 3030 TZ Rotterdam, The Netherlands
mnt-by:         globalrouting
e-mail:         ipadmin@globalrouting.eu
admin-c:        rkgr
tech-c:         rkgr
nic-hdl:        greu
source:         RIPE # Filtered

route:          195.78.108.0/23
descr:          GLOBALROUTING
origin:         AS49544
mnt-by:         SERVERBOOST-MNT
source:         RIPE # Filtered

Sites hosted on the range include:

8porn-tube-free.info
All-tube-porn.biz
All-tube-porn.com
All-tube-porn.info
All-tube-porn.net
All-tube-porn.org
Free-checker-spyware.com
Free-checker-spyware.net
Free-checker-spyware.org
Free-download-host.info
Free-porn-tube8.biz
Free-spyware-checker.biz
Free-tube-adult.com
Free-tube-porn.net
Hot-porn-online.com
Hot-porn-tube.biz
Hot-porn-tube.info
Hot-porn-tube.net
Hot-porn-tube.org
Hot-tube-porn.com
Jeasoftware.info
My-adult-tube.com
My-free-tube.com
Now-download-host.com
Now-download-host.info
Now-download-host.net
Now-download-host.org
Now-download-hosting.biz
Now-download-hosting.com
Now-download-hosting.info
Now-download-hosting.net
Now-download-hosting.org
Online-porn-tube.com
Online-tube-porn.com
Pohsoft.info
Porn-tube-adult.com
Porn-tube-free.com
Porn-tube-free.info
Porn-tube-free.net
Porn-tube-free.org
Porn-tube8-free.biz
Porn-tube8-free.com
Porn-tube8-free.info
Porn-tube8-free.net
Porn-tube8-free.org
Retdownload.info
Riupdate.info
Spyware-checker.org
Spyware-free-checker.biz
Spyware-free-checker.com
Spyware-free-checker.info
Spyware-free-checker.net
Spyware-free-checker.org
Tmclean.info
Turboshare.biz
Goodelizrl.info
Kenyeiiaiqmyrick.info
Ligiaglrrandi.info
Milionarybook.info
Mynewgf.biz
Newgetpayday.com
Nyrmurrayriaci.info
Peierqqvangelena.info
Shopiping.com
Thissdomainwassoldd.com
Enrierrarell.info
Ath8net.com
Messorg.com
Adskape.biz
Adskape.com
Adskape.info
Adskape.net
Adskape.ru
Iner.kz
Misa.kz
Zragore.info
Afran.org
Augami.net
Otilard.com
Btgwert.net
Download-host-free.biz
Download-host-free.com
Download-host-free.org
Download-host-now.biz
Free-checker-malware.com
Free-checker-malware.net
Free-checker-malware.org
Free-checker-spyware.biz
Free-checker-spyware.info
Free-malware-checker.info
Free-malware-checker.net
Free-porn-tube8.info
Free-porn-tube8.net
Free-tube8-porn.com
Free-tube8-porn.info
Jkeowq.in
Kterot.in
Ktoewp.in
Kyjoer.in
Kypync.in
Kyuorr.in
Kyuwew.in
Leotpu.in
Lkctjo.in
Malware-checker-free.org
Malware-free-checker.com
Malware-free-checker.net
Malware-free-checker.org
Uwfjti.in
Myitunesclub.com
Mytunesclubs.com
Camption.com
Icpa-network.com
Matsion.com
Newitunesclub.com
Bogleanalytics.net
Pop-under.ru
Popunder.ru
4vodka.ru
Bastion.in
Bestgoldshow.com
Favarote.com
Freeodnoklassniki.info
Fullgsmcontrol.com
Goldsdirect.com
Homeinteriorview.com
Lastingviewestates.com
Mobiread.info
Myodnoklassniki.info
Odspy.com
Odspy.net
Odspy.org
Oknolens.info
Phonereader.ru
Proguard.in
Secretodnoklassniki.com
Sexsekret.com
Shpionodnoklassniki.com
Shpionvkontakte.com
Spy-odnoklassniki.com
Spy-vkontakte.com
Spyod.com
Spyvkontakte.info
Syserror.ru
Theodnoklassniki.info
V2kontakte.info
Viewbarworld.com
Vkontaktespy.info
Vkontaktus.ru
1000-ga.ru
1000-gektar.ru
1000g.ru
1001-ga.ru
1designs.ru
5vn.ru
B2b-site.ru
Chudomira.ru
Diplom-vam.ru
G1000.ru
Gek1000.ru
Gotovki77.ru
Hombrus.ru
Images-web.ru
Imagesweb.ru
Karkas-2900.ru
Karkas4dom.ru
Kredit-russia.info
Logvian.ru
M505.net
Mnogo-vakansii.ru
Mnogvak.ru
Netpost.su
Nsvp.ru
Prdomen.mobi
Prestiged.ru
Rabota-dlya-vas.ru
Royalmall.ru
Seminartut.ru
Uznaiseo.ru
Vam-pismo.su
Vip-osobnyak.ru
Yandex-top10.ru
Yandextop10.com
Z303.net
Liveinjamaika.info
Looking4reserve.com
Antivirus-on-line.net
Updates-online.net
Widnow-scanning-online.net
Golivnik.com
Ndnsgw.net
2u-panama.com
Big-push2010.com
Digitalway10.net
Drain-brain2.com
Foxcox555.com
Grainstudy.com
Kexpex123.com
Realdream4me.com
Admikasdom.com
Formgrabb.com
Kislota2010.com
Msmsmm.com
Noloader.com
Nowm32.com
Se-code.net
Secbanking.com
The-goodlike.com
Wstat.cn

Your best bet is to block the entire IP range and/or monitor for client traffic going to it.

Thursday, 1 July 2010

ultrasantifa.blogspot.com apparent Joe Job

This strange looking email plopped into my mailbox:

Date: 1 July 2010 07:31
subject: hola
   
We are european fascists ! Fight for racial purity ! Our time begins! We are strong and can build new Reich! Join to us! We call on all people visit out sites. On them you will find information about war against system! Sieg heil fascist, nordic nazi! Adresses of our sites you can see below: http://ultrasantifa.blogspot.com
Given that fascists rarely seem to advertise themselves via spam and the whole language seems over the top I thought it looked a but suspect and worth of some further investigation.

ultrasantifa.blogspot.com is (or rather was) a blog entitled "Antifa Ultras and Hooligans". Antifa means "anti-fascist", and this Russian language blog featured radical anti-fascist ideas and football, usually both at the same time. The blog linked to some other sites that might well be advocating violence, but there was certainly no way that this was a pro-fascist blog.

So, this appears to be a Joe Job and it also appears to have been successful as ultrasantifa.blogspot.com is currently 404ing. So, presumably neither Google (who hosted the blog) nor the people complaining about the spam actually checked the site..

Just for the record the email originated from 41.145.224.130, an IP address in South Africa, but I guess it's just part of a botnet-for-hire.

Sagade Ltd is still evil

I blogged about AS6851 / Sagade Ltd / ATECH-SAGADE a little while ago. A Java-based drive-by download from one of their servers brought them to my attention again.

Basically, 91.188.59.0 - 91.188.59.255 is completely evil and has no legitimate use as far as I can see. Block this range if you can. At the moment the following sites are hosted, none of which appear to be good:

AS6851
1zabslwvn538n4i5tcjl.com
Urodinam.net
A-fast.com
Td0.ru
Fgavno.ru
Kerrimckeetq.info
Marguriiexyhamlin.info
Privatetechnology.biz
Systemcodec.net
Traffcash.biz
Maiamaribeihlv.info
Fastglobosearch.com
Kimirleonarda.info
Fastprosearch.com
Nitrosearch.info
Syscodec.net
System-codec.com
Mokato.com
Viasot.com
Brenz.pl
Chura.pl
Ghura.pl
Lometr.pl
Trenz.pl
Zief.pl
Best-web-365.com
Better-web-247.com
Better-web-365.com
Better-web-777.com
My-best-web.com
Pakwer.com
Facebook-hacking.com
Hack-vk.ru
Hacked-facebook.com
Hacks-centre.com
Icq-hk.com
Icq-lom.ru
Message-history.ru
Myspace-hk.com
Polomali.ru
Twitter-hk.com
Vk-lom.ru
Vzlomaem-kontakt.ru
Vzlomaem-vk.ru
Hitstable.com
Macromediasetup.com
Dewesan.cn
Domen-zaibisya.com
Get-money-now.net
Webgetsmart.com
Webmovedesigns.com
Mediagotech.com
Networkget.com
Webgetwisdom.com
Websitecoolgo.com
Edscorpor.com
Edsctrum.com
Edsletter.com
Edsnewter.com
Edsogos.com
Edsprofit.com
Edsrise.com
Edsspectr.com
Edstofee.com
Engduates.com
Blogslivehost.in
Freeblogshost.in
Mysuperblogs.in
Freeliveblog.in
Blogs4free.in
Host4blogs.in
Freehomeblogs.in
Myhomeblog.in
Webblog4you.in
Getfreeblog.in
Blogservice.in
Freejournal.in
Billsolutions.net
Fastsecurebilling.com
Fast-payments.com
Easypayments-online.com
Billingonline.net
Manytis.com
Winepsy.com
Yourprofitclub.net
Yourerolive.com
Bombastats.com
Happyinstalls.com
Pornowars.info
Superspuperporn.com
Pornopeace.info
Smackmybitch.info
Hnarmettis.com
Mnuyetsgrr.com
Nuvolokijj.com
Smackbybitch.com
Videosite1.com
Fuck-studies.com
Ns00ns11.com
Sys-mesage.com
Syssmessage.com
Sysstem-mesage.com
Traffic-server1.org
Traffic-source.org
Traffic-source1.org
Trafficserver1.org
Trafic-source.org
Traficserver.org
Viiistifor1.com
Visiocarii1l.net
Skachivay.com
Eupharmacie.eu
Propeciacheappills.com
Allforyouplus.net
Asianrapemovies.com
Hotfilesfordownload.com
Hotquickiefuck.com
Rape-rape-rape.com
Rapepornrape.com
Sasha-blonde.com
You-porn-movies.com
Youfoundporn.com
Youpornfiles.com
Allforil1i.com
Alltubeforfree.com
Allxtubevids.net
Downloadfreenow.in
Freeanalsextubemovies.com
Freetube06.com
Freeviewgogo.com
Homeamateurclips.com
Hotxtube.in
Hotxxxtubevideo.com
Iil10oil0.com
Ilio01ili1.com
Illinoli1l.in
Porn-tube-video.com
Porntube2000.com
Porntubefast.com
Viewnowfast.com
Viewxxxfreegall.net
Xhuilil1ii.com
Youvideoxxx.com
Cern-a.com
Xbasex.com
Asspuc.com
Bux.kz
Kinorik.com
Pussylover.in
Conikor.com
Igottrafa.in
Life-dvd.ru
Maydaydom1.in
Magnabent.com
Gillestmh.com
Gillestmh.info
Indyvettes.info
Perviewguide.com
Perviewguide.info
Tesmundo.info
Todostes.info
Allhomeinfo.com
Allhomeinfo.net
Cheapsoftware.cc
Deswelt.com
Deswelt.net
Rodfirst.com
Solaruploaderz.com
Kdjkfjskdfjlskdjf.com
Stablednsstuff.com

These sites are either involved in illegal activities or malware distribution, avoid them.

Read this, install this.

Read this, install this.

FIVE STARS GOLD MINING CO. LTD

Sometimes the dangers of fraud are worse than just losing money. This particular scam email seems to be designed to tempt you to travel to Ghana, where there's a fair chance that you might be kidnapped (as happened in this case). Although Nigeria has the worst reputation for fraud and kidnap in Africa, Ghana is not far behind.

A couple of other telltale signs that this particular spam is not legitimate are that it was sent to a nonexistant email address from a computer in Japan that had been compromised with a virus.

Gold costs about $40,000 per kilo, this scam email is offering 250 kg of quite pure gold for $24,000 when the true value would be closer to $10 million. Note that if you actually do travel to Ghana to inspect this "bargain gold" then you are also effectively saying that you have at least $24,000 in cash assets in the back.. you may as well write KIDNAP ME on your forehead!


From: FROM: FIVE STARS GOLD MINING CO. LTD.)
Reply-To: 5xminingoldaccra@discuz.org
Date: 30 June 2010 19:42
Subject: FROM: FIVE STARS GOLD MINING CO. LTD.)
Attention:

we are agent to FIVE STARS GOLD MINING CO. LTD. We are located in Accra, the Capital city of Ghana. We are a certified and duly registered agent dealing with a Gold Company in the Republic of Ghana. They have mining concessions in the Kumasi region and Western Regions of Ghana.

Their monthly product is between 275kgs to 325kgs. They have over 1000MT of Gold in our Storage.

At Present, we have Commodity: Gold (AU) Nuggets in Ghana
Origin: Ghana
Quantity: 250kgs
Quality: 23+ carat
Purity: 98% ++
Price: $24,000USD
Delivery: Buyers destination.

we write to inform you that in other to proceed with our offer, we need the following information for necessary legal documentation.

1: Your Full Names.
2: Your Mailing Address
3: A scan copy of your international passport.
4: Your Direct Mobile Number.

However, you will be require to make a contingent trip to Ghana to see the Gold. Kindly let us know how many kilos you are willing to buy at this time.

We will be happy to hear your desire to doing business with us. We can assure you that we will give you an appreciable offer. your passport this week. Hope to hear from you soon.
Attach is a copy of the pictures.

Have a good day.

Mrs Joyce Kate. 
 
 


Wednesday, 30 June 2010

German language money mule email

Money mule (money laundering) emails are pretty common in English, but this one is in German. It is really no different from any other scam job offer and should be avoided at all costs. In this case, the message solicits replies to a free email address at net.hr.

Date: Wed, 30 Jun 2010 21:28:14 +0100
From: "Pauline wurth"
Subject: HI

Sehr geehrte Damen und Herren,
wir suchen zur Zeit aktive Mitarbeiter fuer lang und kurzfristige Arbeit in den Bereich Testeinkaufer und Kurier landesweit. Die Stellen sind ab sofort frei und sofort zu belegen.

Sie fragen sich bestimmt wie wir auf Sie aufmerksam geworden sind. Die Bundesagentur fur Arbeit hat uns Ihre Personaldaten ubermittelt, damit wir selbst mit Ihnen in den Kontakt treten konnten. Leider konnen wir auf der Etappe noch nicht eine personalisierte Anwerbung vornehmen und bitten Sie hoflichst um eine Entschuldigung und um Ihr Verstandnis fur die Tatsache, dass wir Sie nicht angerufen haben oder Sie noch nicht bei Ihrem Namen nennen.

Voraussetzungen die Sie mitbringen sollten:

- Computer-Grundkenntnisse Internet, Email, Drucken
- Puenktlichkeit und Genauigkeit
- telefonische erreichbarkeit
- Volljaehrig

Was wir Ihnen bieten:
- Abwechslungsreiche Taetigkeit
- Flexible Arbeitszeiten auch in Teilzeit
- Fortlaufendes Training durch verschiedene Aufgaben
- 5 Tage-Woche
- Urlaubsgeld / Weihnachtsgeld

Die Arbeitszeit betraegt 2-3 Stunden 5 Tage die Woche. Der Verdienst betraegt 1150 Euro pro monat netto. Sie koennen die Taetigkeit auch als Zweit-Beruf ausfuehren. Fuer Rentner sind die Stellen besonders gut geeignet. Ein Firmenfahrzeug stellen wir Ihnen auf Wunsch zur Verfuegung. Weitere Informationen gibt es nach einer kurzen Bewerbung.

Wenn wir Ihr Interesse geweckt haben, dann freuen wir uns auf Ihre Antwort mit kurzen Bewerbungen an unsere Bewerbung-Stelle: denispred@net.hr


which translates roughly as:

Ladies and Gentlemen,
We are currently looking for active employees for long and short-term work in the area of test purchasing and nationwide couriers. The positions are now free to be filled immediately.

You may wonder why you have heard from us. The Federal Agency for Labour has given us your personal data so that we could contact you directly. Unfortunately we can not at the stage yet to make a personalized recruitment message and ask politely for you to forgive us and for your understanding for the fact that we can not yet address you by name.

You should fulfill the following requirements:

- Basic computer skills Internet, Email, Printing
- Punctuality and precision
- Telephone accessibility
- Age of majority

What we offer:
- Varied activity
- Flexible working hours and part-time
- Ongoing training through various tasks
- 5 day week
- Holiday / Christmas money

The working time is 2-3 hours 5 days a week. The reward is €1150 per month net. You can choose the activity as a second job. Pensioners are particularly well suited to our jobs. A company car can be found on request. Further information is available after a short job application.

If we have aroused your interest, we look forward to your reply with short resumes to our application address: denispred@net.hr

netmps.com scam job offer

Another scam email from a fake company calling itself NetTemps Inc (there are several legitimate companies with similar names though). The job itself is likely to be money laundering or some other illegal activity.

Date: Wed, 30 Jun 2010 14:28:47 -0300
From: "Crowell1924"
Subject: hiring

Looking for a job? My name is Juliette Barnes, I am a recruiting manager of NetTemps Inc, a recruiting agency for direct-hire, contract, and freelance professionals within various professions.                          
      
Today I would like introduce some part-time and virtual office vacancies in the spheres of Advertising, Education, Engineering, Finance, Health care, Information technology, Media, Real estate and Transportation.                   
        
If you are interested to learn more about the jobs offered, please get back to me, providing your name and contact number.                    
                           
We are eager to help you find a better job and improve your career!    
            
If you have questions, please do not hesitate to e-mail me on:   
               
e u r o p e @ n e t m p s . c o m      [please delete spaces in the email address before sending it to us]                           
                           
Yours sincerely,                            
Juliette Barnes  
NetTemps Inc    
WHOIS details are the usual rubbish:

Registrant Name: Maria Varshavskaya
Registrant Organization: NA
Registrant Street1: ul. Elninskaya d.14 k.1 kv.10
Registrant Street2:
Registrant City: Moskva
Registrant State/Province: Moskva
Registrant Postal Code: 121615
Registrant Country: RU
Registrant Phone: 7.4959219347
Registrant Phone Ext.:
Registrant FAX: 7.4959219347
Registrant Email: rabid@fastermail.ru
Admin Name: Maria Varshavskaya
Admin Organization: NA
Admin Street1: ul. Elninskaya d.14 k.1 kv.10
Admin Street2:
Admin City: Moskva
Admin State/Province: Moskva
Admin Postal Code: 121615
Admin Country: RU
Admin Phone: 7.4959219347
Admin Phone Ext.:
Admin FAX: 7.4959219347
Admin Email: rabid@fastermail.ru
Billing Name: Maria Varshavskaya
Billing Organization: NA
Billing Street1: ul. Elninskaya d.14 k.1 kv.10
Billing Street2:
Billing City: Moskva
Billing State/Province: Moskva
Billing Postal Code: 121615
Billing Country: RU
Billing Phone: 7.4959219347
Billing Phone Ext.:
Billing FAX: 7.4959219347
Billing Email: rabid@fastermail.ru
Tech Name: Maria Varshavskaya
Tech Organization: NA
Tech Street1: ul. Elninskaya d.14 k.1 kv.10
Tech Street2:
Tech City: Moskva
Tech State/Province: Moskva
Tech Postal Code: 121615
Tech Country: RU
Tech Phone: 7.4959219347
Tech Phone Ext.:
Tech FAX: 7.4959219347
Tech Email: rabid@fastermail.ru
Name Servers:
ns1.loopcool.net
ns1.growthire.com


Plus a few related evil domains to avoid

  • loopcool.net
  • netmps.com
  • netpts.org
  • nettempsin.co.uk
  • nettes.org
  • nettms.eu
  • nettms.net
  • nettps.net
  • growthire.com
You can read more on this particular bogus job offer here, here and here.

Tuesday, 22 June 2010

Virus / Malware on Nokia.com / miisolutions.net

Nokia.com appears to have been compromised through a third-party script:


europe.nokia.com (e.g. hxxp:||europe.nokia.com/support/download-software/nokia-pc-suite) ->
nokia.tt.omtrdc.net ->
omniture-nokia.secure.miisolutions.net ->
oploya.fancountblogger.com:8080

Details on the general attack can be found here. It appears that miisolutions.net has had malicious code injected into the script, rather than it being Nokia.com itself that has been hacked.At the time of writing the malicious code is still present.

Update: the infected page at miisolutions.net has been taken down.

Wednesday, 16 June 2010

"OFFICIAL WARNING FROM FBI" scam

An old scam, pretty much the flipside of the usual Advanced Fee Fraud. This one preys upon innocent victims by accusing them of money laundering, but the details don't pan out. Quite apart from the ridiculous proposition and free email addresses used, phrases like "shady", "waded in", "graft" and exclamation marks are something you would never expect to see in an official communication from law enforcement. Besides, I really don't think that the FBI email you if they suspect you are up to terrorist activities..

From: Anti Graft.
Reply-to: antiterrorist.crimesdiv.2010@megafastmail.com
date    16 June 2010 09:37
subject    OFFICIAL WARNING FROM FBI.

ANTI-TERRORIST AND MONETARY CRIMES DIVISION
FBI HEADQUARTERS IN WASHINGTON, D.C.
Federal Bureau Of Investigation.
FBI-Washington Field Office
601 4th Street, NW
Washington, DC 20535
Website: www.fbi.gov
Phone: 202-595-1344

DATE:15/06/2010

It has been discovered that your contract/inheritance/winning FUND was about being transferred to an unknown account under your name. This attempt was perpetrated by someone who claims to be working for you, and that you have given him due authority to have the FUND moved to the account specified below:

SOUTHWESTERN FEDERAL CREDIT UNION
WESCORP 924 OVERLAND COURT
SAN DIMAS, CA 91772. USA.
ACCOUNT NUMBER: 322079133
ABA/ROUTING NUMBER: 1220-41-21-9
SHARETYPE NO.: 25
FINAL CREDIT  HABIB FENZI AND CO. (Beneficiary).

The Federal Bureau of Investigation (F.B.I.) waded in after being alerted by the supposed bank. We investigated and found that there is a possible money laundering activity in play.The FUND US$10,500,000.00(Ten Million Five Hundred Thousand United States Dollars) was found to be deposited in Bank of America in your name pending your consent to have it transferred to the new account indicated above. It was further revealed that initial FUND transfer originated from Nigeria to England and now here in Bank of America in USA.

These transfers did not follow due process in line with the international FUND transfer rules and regulation.Consequently,we suspect this be a terrorism funding, drug related fund deposit and/or money laundering. As stated above, the FUND has your name on it; and you must have it cleared of any connection with any of these illegal activities.Be informed that FAILURE to have this cleared out will attract a JAIL TERM.We will not hesitate to visit the full weight of the law upon you if you do not clear this fund.There is every indication that you are involved in this shady deal.

Finally, you are expected to have the CLEARANCE DOCUMENT obtain from where the FUND originated from to have you and your fund cleared. Only then shall we release your FUND as clean money devoid of any illegality, and you will be free of any involvement. To this end, you are to contact Mr. Peter Anderson of the Anti Graft Department of Economic and Financial Crimes Commission (E.F.C.C.) Nigeria and have the DIPLOMATIC IMMUNITY SEAL of TRANSFER (DIST) CLEARANCE DOCUMENT obtained. Contact him through this direct email address:efccantigraft.nigeria@megafastmail.com,Direct Line:+234 8028493286 Note that you have 72hrs to obtain this crucial Documentation.

This has to be cleared!

You are warned!

Faithfully Yours
Robert S. Mueller III
FBI Director
Federal Bureau Of Investigation.
FBI-Washington Field Office
601 4th Street, NW
Washington, DC 20535
www.fbi.gov

Tuesday, 15 June 2010

west-vacancy.com scam

This email from a wholly fake company called west-vacancy.com is really recruiting for a money laundering job or something very similar. The domain itself was registered just a few days ago to a no-doubt fake registrant. Mail is handled by Google, there is no website but in this case the email originated from 188.16.123.52 in Russia.

Date: 15 June 2010 12:32
Subject: vacancy number 358

I introduce a large multinational enterprise the co-worker of the HR department of which I am. Our company has been working in different fields, such as:
- companies setting-up
- companies winding-up
- opening accounts in Europe
- etc.

We need employees in Europe:
- salary 2.400 euro + bonus
- 1 - 2 working hours per day
- free timetable

If you are interested in this job, please, send us your contact information: Cornell@west-vacancy.com
Name:
Surname:
Country:
E-mail:
Mobile phone-number:

Be informed! Candidates from Europe are needed only

Please, write your Telephone Number and our manager will contact you to conduct an interview.
For what it is worth, these are the registrant details of the fake domain:

Domain name: west-vacancy.com

Name servers:
    ns1.nameself.com
    ns2.nameself.com


Registrant:
    Aleksandr Lapatau
    Email: lapatasker@earthling.net
    Organization: Private person
    Address: Lenina, 34, 8
    City: Minsk
    State: Minskaya
    ZIP: 456123
    Country: BY