Sponsored by..

Friday, 30 July 2010

Evil network: Microlines (microlines.lv), AS2588 (79.135.128.0/19)

Latvia seems to be getting a bad reputation for supporting criminal activity. The latest accomplice is Microlines (microlines.lv) who mix in a large number of bad sites with a few legitimate ones.

Their netblock AS2588 (79.135.128.0/19) actually ranges from 79.135.128.0 - 79.135.159.255, although the badness is concentrated in 79.135.152.0/24, all legitimate web sites are hosted outside of that /24.

I used the MyWOT API to query the reputation of the hosted domains, and it shows a clear differentiation between the /24 and the rest of the /19. You can download a CSV of the analysis from here.

Out of 157 domains looked at, 4 (2.5%) were rated "excellent", 3 (1.9%) were rated "good", 43 (27.4%) were unrated and 107 (68.1%) were "very poor". You might want to block the whole /19 on that basis, certainly you should block 79.135.152.0 - 79.135.152.255 at the very least.

A list of bad domains to block:
Best-scanner-2010.net
First-online-scanner.com
Nameservice-worldwide.com
Scanner2010.com
Scanner2010.org
Scannerglobal.com
Scannerglobal.net
Super-scanner.net
Super-scanner.org
Volunteer-scan.com
Best-scanner-2010.org
First-online-scanner.net
Scanner2010.net
Best-scanner-2010.com
Huisko.cn
Lokisko.cn
First-online-scanner.org
Ad-parking.net
S-powerlink.com
Creatives-labs.com
Brick-layer888.com
Advdefender.com
Goadvdef.com
Advanced-def.com
Advanceddefender.org
Getadvdef.com
Goadvdef2.com
Kavascansecurity.com
Iuysdjerh.com
Lkhysayte.com
Sadangez.com
Evdoilsdus.com
Hhsdgbes.com
Jkhasels.com
Sfahdasjw.com
Maniyakat.cn
Kljdskrza.com
Kipyatok.cn
Head-moron.cn
Youaskedthedomain.cn
Asdagj.com
Banubanasy.cn
Love2coffe.cn
Sadahesz.com
Rebornendkit.cn
Qsfgyee.com
Sakjgeyq.com
Tottaldomain.cn
Salkjyhx.com
Pogodanet.cn
Vipsocks.cn
Mdsget1.com
Opudsjh.com
Sdasfj6.com
Kjast3z.com
Lkfjfuisdh.com
Safniiyew.com
Mjsgsawz.com
Jkhteqa.com
About-joga.ru
Icq4all.net
Bravqwer.com
Ajhsfget.com
Ajytse5.com
Dkeh38oz.com
Fd1a234sa.com
Ilui45iu7.com
Jhrez76.com
Kjdst6ey.com
Lasur8e.com
Sfah3sz.com
Sjb653xz.com
Sadkajt357.com
Fuchroot.com
Gagainco.com
Mcd0nalds.com
B00tlife.com
Dlkasfgatker.com
Klitar.cn
Breenders.com
Directbinary.com
Gasredbox.com
Kaljv63s.com
Kdy7rsxa.com
Lovinezer.com
Mdmasege.com
Rmbtoor.com
Safe3etfejwqf.com
Wdggtwegww.com
S0cksps.com
87jonsonfd.com
Gosrmecalonl16.com
Gosrmecalonl20.com
Gosrmecalonl21.com
Gosrmecalonl3.com
Gosrmecalonl30.com
Gosrmecalonl4.com
Gosrmecalonl5.com
Gosrmecalonl8.com
Gosrmecalonl9.com
Gosrmecalodnl38.com
Gosrmedicalonl13.com
Gosrmedicalonl14.com
Gosrmedicalonl2.com
Gosrmedicalonl20.com
Gosrmedicalonl1.com
Gosrmedicalonl10.com
Gosrmedicalonl11.com
Gosrmedicalonl16.com
Gosrmedicalonl17.com
Gosrmedicalonl19.com
Gosrmedicalonl3.com
Gosrmedicalonl5.com
Gosrmedicalonl6.com
Gosrmedicalonl7.com
Gosrmedicalonl9.com
Gosrmedicalonl18.com
Sweethost.org
Twowildgirls.net
Profithobby.net
Antiviractive.com
Antivirback.com
Antispysp.com
Webantispy.com
Antispymv.com
Antispynew.com
Antispybox.com
Antispyutil.com
Avmirror.com
Antispymega.com
Cyber-deployment.com

"Toyton Ltd" / todayisp.com / dboxs.org scam

We've seen this scam before, an alleged Chinese registrar claims that someone is buying a domain name similar to the one that you want in an attempt to scare you into buying overpriced domains that you do not need.

From: owen@dboxs.org
To: help@[domain name redacted]
Date: 30 July 2010 06:16
subject: [domain name redacted]

Dear [domain name redacted] team,

Our organization received a formal application from a company who is called Toyton Ltd are applying to register "[domain name redacted]" as their domain name and Internet keyword. In order to prevent cyber piracy,Please explain:

1: Whether this company is your IT supplier or distributor.

2: Whether you are interested in registering these domains first to preservation your company’s brand. (.cn .com.cn .net .asia .eu and keyword etc…)

We are now obligated to inform you this issue ,So we will handle the next step after this audit procedure. Pls understand.

Best regards       
Owen
Mww Group
Internet: www.todayisp.com
Internet: www.dboxs.org 
Email: Owen@dboxs.org

Confidentiality Statement:
The information in this email is confidential and may be legally privileged. It is intended solely for the addressee. Access to this email by anyone else is unauthorized. If you are not an intended recipient, any disclosure, copying, distribution, or other action taken or omitted to be taken in reliance on it, is prohibited and may be unlawful. If you have received this message in error please be advised of your obligation to immediately notify sender of the error in transmission, and to destroy all associated documentation.

I always love confidentiality statements on spam!

Both domains are Chinese registered and are hosted in Hong Kong. The email comes from a Chinese IP address.

Registrars are not responsible for checking trademarks. If they were then domains registration would take days and cost a fortune.This is simply an attempt to rip you off.

Thursday, 29 July 2010

freead.name / mybar.us / toolbarcom.org / adsnet.biz

A slightly novel attack, found injected into a Javascript library and using freshly-registered domains. The attack uses obfuscated Javascript to send visitors to one of the following domains: myads.name, adsnet.biz, toolbarcom.org, mybar.us, freead.name, and to the front of this is appended a subdomain of vagi., vain., vale., vars., vary., vasa., vaut., vavs., viny., viol., vrow., vugs., vuln.

Despite all the combinations (a list is at the bottom of the post if you want to paste it in somewhere), there are only a small number of IP addresses involved:

66.221.212.92
66.221.212.94
66.221.212.96
66.221.212.98
66.221.212.99
69.13.73.203
69.13.73.205
69.13.73.248
69.13.73.250
69.13.154.250
69.13.154.251

All of those IPs belong to C I Host, some seem to have legitimate sites hosted on them.

One one domain (mybar.us) is not anonymised:

Registrar URL (registration services):       www.publicdomainregistry.com
Domain Status:                               clientTransferProhibited
Registrant ID:                               DI_11638984
Registrant Name:                             Andrew Black
Registrant Organization:                     N/A
Registrant Address1:                         555 Taylor Rd.
Registrant City:                             Enfield
Registrant State/Province:                   Connecticut
Registrant Postal Code:                      06082
Registrant Country:                          United States
Registrant Country Code:                     US
Registrant Phone Number:                     +860.7492291
Registrant Email:                            dday.rabbit@gmail.com
Registrant Application Purpose:              P1
Registrant Nexus Category:                   C11


Although the address and phone number are no doubt fake, the email address of dday.rabbit@gmail.com is known.

The next hop uses a subdomain of a legitimate domain registered at GoDaddy that appears to have been phished: out.outdoorkitchendistributors.com - this site is hosted on 94.75.243.31.. it's just worth pausing to note that the legitimate domain specchart.com also appears to have been hijacked via a GoDaddy phish and moved to this server.

The endpoint is a Java exploit on a server at 79.135.152.194 belonging to microlines.lv (AS2588 / 79.135.128.0/19) which appears to be a pretty evil network. How the hell they got a /19 is a mystery when I can't see any verifiably legitimate sites.

If you want to block the intermediate domains, they are:
vagi.adsnet.biz
vain.adsnet.biz
vale.adsnet.biz
vars.adsnet.biz
vary.adsnet.biz
vasa.adsnet.biz
vaut.adsnet.biz
vavs.adsnet.biz
viny.adsnet.biz
viol.adsnet.biz
vrow.adsnet.biz
vugs.adsnet.biz
vuln.adsnet.biz
vagi.toolbarcom.org
vain.toolbarcom.org
vale.toolbarcom.org
vars.toolbarcom.org
vary.toolbarcom.org
vasa.toolbarcom.org
vaut.toolbarcom.org
vavs.toolbarcom.org
viny.toolbarcom.org
viol.toolbarcom.org
vrow.toolbarcom.org
vugs.toolbarcom.org
vuln.toolbarcom.org
vagi.mybar.us
vain.mybar.us
vale.mybar.us
vars.mybar.us
vary.mybar.us
vasa.mybar.us
vaut.mybar.us
vavs.mybar.us
viny.mybar.us
viol.mybar.us
vrow.mybar.us
vugs.mybar.us
vuln.mybar.us
vagi.freead.name
vain.freead.name
vale.freead.name
vars.freead.name
vary.freead.name
vasa.freead.name
vaut.freead.name
vavs.freead.name
viny.freead.name
viol.freead.name
vrow.freead.name
vugs.freead.name
vuln.freead.name

Phishing domains on M247 Ltd

I've never heard of M247 Ltd before today until their network came up as providing infrastructure for this scam. A few IPs over from that server is another one at 89.238.165.197 which contains three phishing sites:

Ibloqin.com
Lloydststb-offshore.com  
Nbtibank.com

The sites are currently only displaying "Suspended" if you visit them.. this means nothing though, and it's a fairly common scammer technique to disguise that the site is active. Avoid.

Update: apparently these have now been nuked from orbit.

"eurjobs.org" fake job offer

There are a lot of these going on at the moment, this is another fake job offer trying to rope unsuspecting applicants into doing something illegal.

Date: 29 July 2010 08:23
Subject: Representatives Wanted
   
Civilities


I am a manager of the HR department of a large multinational company. Our company covers a wide range of businesses:
- supporting business in Europe and other countries
– bank accounts opening and maintenance
– private undertaking services
– etc.

There are vacant positions of regional managers in Europe:
- salary 2.400 dollars + bonus
- 1-2 working hours per day
- flextime


If our offer is interesting for you send us the below information on our e-mail address:
h r @ e u r j o b s . o r g [please delete spaces before sending]
Full name:
Country:
E-mail:
Mobile phone-number:



Attention! We need European residents only.

Please provide you name and contact information in order we can find you for further communication.

The domain is currently not resolving, and is registered to a fake address in the WHOIS details. Perhaps of some interest are the two nameservers for the domain:

ns1.usaportall.com [89.238.165.212 - M247 Ltd, Manchester, UK]
ns2.usaportall.com [191.184.23.131 - Apparently invalid IP allocated to LACNIC]

The no doubt fake registrant details are:
      Kacie Cheverton
      105 FOREST DR
      CATONSVILLE, MD 21228
      US
      Phone: +1.4105668199
      Email: roller@consultant.com

Anyway, beware of unsolicited job offers from people you don't know and can't verify, unless you like prison food.

Wednesday, 28 July 2010

"west-epec.com" fake job offer

This is some sort of money laundering or parcel reshipping scam. The domains west-epec.com was registered just yesterday but it appears not to be resolving properly.


Date: 28 July 2010 13:36
Subject: vacancy #876

I am writing to you in the name of the corporation the Human Resources department of which I represent.

Our enterprise has a lot of different lines of business.
-real property
-business support
-company dissolution
-private firm service
-etc

There is a vacancy of a Regional manager in Europe:
-compansation package 2.300 euro +bonus
-taskwork

- 'open-leave' schedule


If you have an intention to cooperate with our company, please send your contact information on our e-mail: Darla@west-epec.com
First Name:
Country of living
City
mail address:
Contact telephone number

Remark! Applicants with the permission to work in Europe!

Please let us know you contact information.
Our manager will contact you to provide answers for the questions you are interested at and invite you for brief interview.

The WHOIS details are probably fake, but consistent with a large number of other fake job websites.

    Aleksandr Lapatau
    Email: lapatasker@earthling.net
    Organization: Private person
    Address: Lenina, 34, 8
    City: Minsk
    State: Minskaya
    ZIP: 456123
    Country: BY
    Phone: +375.172427204 

A Google search for that email address shows lots of similar sites. Avoid.

LAPO LOAN COMPANY LIMITED

Scams evolve in much the same way as plant or animal life. Unsuccessful scams become extinct, very successful ones tend to explode in numbers to the point of over population. In between are a number of scams that inhabit ecological niches where there is just enough return to make them worthwhile.

From: LAPO LOAN COMPANY LIMITED. <lapo.loancompany1@gmail.com>
Reply-To: lapo.loancompany1@gmail.com
Date: 28 July 2010 04:07
subject: (Loan Transfet Updated)

Do you need a loan to pay off your bills and clear off your debt? Do you
have an urgent loan or a business loan? You are refused a loan from your
bank or any financial firm? Do you need a loan to pay off your bills or
buying a house? Do you need a loan to start a business? Get anaffordable
loan at a low interest rate of 3%, contact us at:
lapo.loancompany1@gmail.com

Your Name:
Loan Amount:
Loan Duration:
Your phone number
E-mail: lapo.loancompany1@gmail.com
Obviously it's dodgy.. how many loan companies use a free Gmail address? Digging deeper shows that this originates from 41.217.220.212 (mail.zimele.net) in Kenya. What you can't tell is that the email address has been harvested from a data breach (either accidental or deliberate) at 0catch.com.

Now, most novice users won't know how to inspect mail headers or be able to trace back where the email address came from, but the Gmail thing is a huge red flag. But honestly, the whole pitch is frankly sloppy, badly spelled and unbelievable.. but the thing is that people must fall for this scam (presumably an Advanced Fee Fraud or identity theft gig) from time-to-time, else the scammers wouldn't persevere with it.

Tuesday, 27 July 2010

Evil network: Najada Ltd, AS49544 (91.216.122.0/24)

This story from Brian Krebs caught my eye, a quick bit of background digging on check-crypt.com revealed a whole new Evil Network in Moldova called Najada Ltd on AS49544 (91.216.122.0/24). The IP address range of 91.216.122.0 - 91.216.122.255 appears to have no legitimate sites at all, featuring fake businesses (including a bunch supposed to be in Finland), illegal downloads and sites with variants of the name Google in them which is never a good sign.

The best thing to do is block traffic to this IP range and/or the domains listed below. Note also that sending abuse reports to abuse@mdhoster.net (who manage the netblock) will possibly be counter productive, so don't bother.

Alliedaeon.com
Softglspace.com
Softglspace.in
A-lot-of-appz.com
Activation-codes.net
Any-filez.net
Arttalksbackblog.com
Blastmovie.net
Check-4-apps.org
Crack-file.net
Crack-serial-numbers.net
Crack-usa.com
Crackandcrack.com
Crackcrack.net
Crackcrackcrack.net
Crackdelivery.net
Crackdownload.net
Crackkeys.net
Crackorginal.net
Crackpatch.net
Crackpatchkeygen.net
Crackprokeygen.net
Crackrapidshare.net
Cracks-explorer.net
Crackserialcode.net
Crackserialkey.net
Crackserialkeygens.net
Crackserialkeys.net
Crackserialnumber.net
Crackserialnumbers.net
Crackshare.net
Cracktrial.net
Crackwin.net
Dlfeed.com
Downloadcracks.net
Etanfilm.com
Fastcrack.net
Fileserialkey.net
Freecrackdownload.net
Freekeygencrack.net
Freeserialkey.net
Fullcrackserial.net
Fullkeygen.net
Fullserialcrack.net
Fullserialnumber.net
Fullserialnumbers.net
Getserial.net
Keygen-crack.net
Keygen-serial.net
Keygenc.net
Keygencrackpatch.net
Keygenerators.net
Keygenforserial.net
Keygenkeygen.net
Keygenned.com
Keygenpatch.net
Keygens-for-soft.org
Keygenserialcrack.net
Keygenserialnumber.net
Keygenserials.net
Keygensite.net
Keygentrial.net
Keygenwin.net
Killtrial.net
Licensekeygen.net
Maximumwarez.com
Microposters.org
Newserialcracks.net
Orginalcrack.net
Patchcrack.net
Registrationcode.net
Registrationkey.net
Registrationkeys.net
Seialkeymaker.net
Serial-codes.net
Serial-crack.net
Serial-key-generator.net
Serial-keygen.net
Serial-keygens.net
Serial-keys.net
Serial-numbers-crack.net
Serialcodesfor.net
Serialcrackcodes.net
Serialcrackkeygen.net
Serialkeycrack.net
Serialkeygencracks.net
Serialkeygenerator.net
Serialkeygenpro.net
Serialkeygens.net
Serialkeynumber.net
Serialkeynumbers.net
Serialnumbercode.net
Serialnumbercrack.net
Serialnumberfor.net
Serialnumberscrack.net
Serialpost.net
Serialserial.net
Shared-fro-you.com
Shared-news.net
Soft-dont-stop.org
Softwareserialnumbers.net
Thecrackserial.net
Trusted-warez.com
Vipcrack.net
Warezpad.net
Wincracks.net
Gegooglee.com
Geogooglefree.com
Googlemaps2.name
Googlemaps3.com
Googlemaps3.net
Seotraffbuss.com
Tracerouteonmap.net
Holopainen-oy.com
Heikkinen-oy.com
Kinnunen-oy.com
Vuorinen-oy.com
Amsterdam-news.org
Onrpg-tds.com
Topsecuritydirect.com
Trinnitti-soft.org
Adwaresoft.org
Citi-online.com
Fesrhyti.com
Lolopingtroll.org
Mxa-host.net
Pussyteenslove.com
Sarahankethere.net
Sexyteentits.info
Shalalopdns.com
Torrentonline.net
Frakinutip.com
Iloverabbits.info
Pezdeshnosti.net
Kansainvalisista.com
Menestys-maksut.com
Finski-pm.com
Estreli-oy.com
Kerava-oy.com
Kaupunki-oy.com
Kuhmo-oy.com
Llogoso.org
Successbizz.org
3423254353446.org
Google-analytice.com
Vk-ont.com
Allvair.org
Ouslier.com
Translate-googlecachecontent.com
Tsbd1984.com
Securitybankingsite.com
Thesecuritybanking.com
Temetoelchile.com
Trolasucia.biz
Global-cache.org
Keygen.in
Keygen.name
Seriall.com
Serialsam.com
Wgetsoft.net
Check-crypt.com
Check-domain.cn
Start-domain.cn
Safe-monitoring-3.in
Mdhoster.net
Routedating.com
Photois.org
Myphotogl.org
Big-moneysystemsell.org
Ad-freepice.org
Club-horse.org
Googlestat.org
Adobe-shockwave.com
Dezdemon.com
Mmsfree.ru
Spy-gsm.ru
Spy4mobile.ru
Spyvk.ru
Statisstics.net
Watchfree.ru
Your-gsm.ru
Gumile.in
Calumbiasoft.biz
Ccsline.net
Financeprogramm.com
Gooble-analytics.com
Hottestchinesebabes.com
Statservice.org
Whitehorce.com
Gorgrengos.com
Mazolfura.com
Zinymenoak.com
Amporno.ru
Vkstyle.net

"Paul Badji: Treat As Urgent" email

Paul Badji is a real diplomat at the UN, this email is NOT from Paul Badji. The UN's name has been used this way before, notably with Ban Ki-moon's name attached. This email is probably the usual Advance Fee Fraud approach, using a couple of links to reputable websites to try to make it look more authentic. Avoid.

Unusually for what appears to be an African scam, the originating IP is 89.39.24.2 in Romania.
From: PAUL BADJI <africacomittee@yahoo.gr>
Reply-To: paulbadji_africaunionworld2@yahoo.com.hk
Date: 24 July 2010 04:18
Subject: Treat As Urgent
   

Greeting to you, I am Mr. Paul Badji Chairman on human right Exercise  Committee (CHREC ) on the Inalienable Rights of the People a member of Africa Union Committee and Special Adviser to Mr. President. Sir, your file appears in my office four days ago Through FMS  Headquarter. that you are the beneficiary  to receive payment of fifteen million British pound on behalf of Late Mrs.Veronica Daniela from Ukraine, Europe, Former Managing Director of Mobile oil and Gas Company Nigeria Ltd. who died in plan crash on Sunday, Oct  22nd, 2005 .

when a Bellview Airline Boeing 737 crashed in the countryside shortly after takeoff from the commercial capital Lagos, 117 people died  .therefore the  Bellview Airline's  management and Mobile oil and Gas Company Nigeria Ltd, has deposited   fifteen million British pound at First Bank Nigeria Plc on behalf of Late Mrs.Veronica Daniela, Signed  approved by secretary of state on Friday 16 2nd July 2010, please confirm the accident  picture to find the true of these site click here: http://www.1001crash.com/index-page-description-accident-Bellview_B737-lg-2-crash-6.html

there for you are to receive this fund in your name as the next of kin which appear in the file, This is to notify you that  the Two companies  have agreed to pay fifteen million British pound to  you  in your name on behalf of Late Mrs.Veronica and to change the decease name to your name. This is regarding the draws organized lately to help individuals whom have lost their earnings in this act.  on Sunday, Oct  22nd, 2005 . . And to build true organizations so as to help the less privileged in the society. you are therefore advised to contact Correspondent paying Bank, First Bank Foreign Remittance Department Chief Director Operations & Services. Requirement is requested by your full Name including your home address, country. And your private telephone number to confirm the file here and to release the fund to you. For more information you are to contact  via Email below.

Thank you and God bless
Mr. Paul Badji
Special Adviser to Mr. President
Chairman, Committee on the Exercise
of the Inalienable Rights of the People.
Africa Union Committee (AU)
N:B website
Contact Email: badjipaul@rocketmail.com
http://www.africa-union.org/root/au/index/index.htm


Monday, 26 July 2010

Sophos has a fix for .LNK flaw

Install this, if you don't know why you should, then watch this video first.. then install it.

Welcome to "Joomla!" email links to malware

A variant on this malware-laden email, this particular approach pretends to be from Joomla and even goes as far as to fake some of the headers to avoid detection.

From: no_reply_forum@joomla.org [mailto:no_reply_forum@joomla.org]
Sent: 26 July 2010 15:57
Subject: Welcome to "Joomla!"

Welcome to Joomla! forums

Please keep this e-mail for your records. Your account information is as
follows:

----------------------------
Username: haymixer

Board URL: http://cambridge-narrows.ca/
----------------------------

Please visit the following link in order to activate your account:

http://cambridge-narrows.ca/

Your password has been securely stored in our database and cannot be
retrieved. In the event that it is forgotten, you will be able to reset it
using the email address associated with your account.

Thank you for registering.

--
Thanks,
Joomla! Community Forum
cambridge-narrows.ca has been compromised and attempts to load malware from cambridge-narrows.ca/adobe_flash_install.exe

The infected page then also tries to load from thewatches-discount.com:8080/index.php?pid=10 and thecoca-colacompany.com/images/noflash_singlevideo.gif (yes, it really is The Coca-Cola Company).

thewatches-discount.com is multihomed on:
Addresses:  84.16.230.27 [Netdirekt, Germany], 87.106.179.206 [1&1, Germany], 91.121.162.65 [OVH, France], 94.23.224.221 [OVH, France] and 62.212.132.226 [Xenosite, Netherlands]. This gives us a whole batch of dodgy looking sites worth blocking:

84.16.230.27
Applecorn.com
Areadrum.com
Bittag.ru
Blackpr.biz
Bookdisk.ru
Boozelight.ru
Busyspade.com
Chertenok.name
Galneed.ru
Galslime.com
Gigasofa.com
Hillchart.com
Horsedoctor.ru
Jarpub.ru
Lockerz-invite.ru
Marketholiday.ru
Oilrule.ru
Pressurespa.ru
Problemdollars.ru
Raceobject.ru
Roundstorm.com
Sadute.com
Sheepbody.com
Spacememory.ru
Tanspice.com
Tanyear.com
Technaxx.pl
Technaxx.ru
Thecheapviagra.com
Themysite.net
Theviagrapills.com
Tightsales.com
Validplan.com
Waxyblock.com
Yaktrack.ru

87.106.179.206
Ballanteam.com
Splatspa.com
Valbou.com

91.121.162.65
Aionitalian.net
Aionitalian.org
Ashsoftware.ru
Bakedship.ru
Hugejar.com
Inktime.ru
Momhand.ru
Politicalpoets.ru
Taxshelf.ru
Yoursoap.ru
Ashdog.ru
Cornerrat.ru
Mondayring.ru
Relaxedgrape.ru
Warydrunk.ru

62.212.132.226
Bail.nl
Bigeventsbooker.nl
Bouwinkopen.nl
Buyviagraworld.com
Cafemack.com
Cvens.nl
Dateforbusiness.nl
Dealyak.ru
Dekroonvanemmeloord.nl
Diamonddoctor.ru
Directorschaircompany.com
Drunkjeans.com
Earlymale.com
Eventdirectory.nl
Famerule.ru
Familywater.ru
Flevoland-weddingevent.nl
Forum4events.com
Forum4events.nl
Hollandgaatuit.com
Kroonvanemmeloord.nl
Lasteye.com
Liplead.ru
Manamina.nl
Nibourgproductions.nl
Outerrush.com
Prominent-vastgoed.nl
Realgg.nl
Sexysushi.nl
Silencepill.ru
Silencewindow.ru
Sisterqueen.ru
Slaveday.ru
Superjoke.nl
Tintie.ru
Tipbear.ru
Treecorn.ru
Urkinwintersferen.nl
Urkopdeplanken.nl
Vandijk-ict.eu
Zooneed.ru

The other sites on 94.23.224.221 seem to be legitimate.

Sunbelt has a write-up of the last attack with some analysis here.

Friday, 23 July 2010

"Thank you for registering with ImageShack." mail leads to virus

A fairly crude attempt to get clickthroughs to a virus infected site:

From: ImageShack Registration <noreply@yfrog.com>
Date: 23 July 2010 15:46
Subject: Thank you for registering with ImageShack.
   
---------------------------------------------------
Thank you for registering with ImageShack.
---------------------------------------------------

Your username: confidingjc
Your password: 09088066
Your registration link: http://financial-independence.co.za/

Please read this email carefully, it contains important information about your ImageShack account.

Please do not reply to this email, this mailbox is not checked. To report problems use support section of the web site.

---------------------------------------------------
HOW DO I LOGIN?
---------------------------------------------------

Click the 'Login' button located at the top of ImageShack pages in order to login.
Type here your username and password located in this email.

Once you are logged in, you will be presented with your Image Panel.


---------------------------------------------------
HOW CAN I CHANGE MY PASSWORD?
---------------------------------------------------

If you want to change your password, use the following link:
http://financial-independence.co.za/
If you have forgot your password, use the following link:
http://financial-independence.co.za/

---------------------------------------------------
HOMEPAGE
---------------------------------------------------

Your friends can access your public images and slideshows at http://financial-independence.co.za/

---------------------------------------------------
COMMON QUESTIONS
---------------------------------------------------
Answers to common questions: http://financial-independence.co.za/

Sincerely,
The ImageShack Team
financial-independence.co.za might well be a hijacked site, it's hard to tell who owns it as the .CO.ZA WHOIS server isn't working. The site is hosted at 207.45.186.34 [Acenet Inc, Michigan]

This leads to a fake Adobe Flash installed (adobe_flash_install.exe) and an exploit site on diamonddoctor.ru:8080 which does some other nasties. diamonddoctor.ru has minimal WHOIS details:

domain:     DIAMONDDOCTOR.RU
nserver:    ns1.dnsofthost.com.
nserver:    ns2.dnsofthost.com.
nserver:    ns3.dnsofthost.com.
nserver:    ns4.dnsofthost.com.
state:      REGISTERED, DELEGATED, VERIFIED
person:     Private Person
phone:      +7 495 7284001
e-mail:     hop@fastermail.ru
registrar:  NAUNET-REG-RIPN
created:    2010.07.13
paid-till:  2011.07.13
source:     TCI

It's no real suprise to see that it is hosted by Netdirekt on  84.16.230.27, along with these other sites which are good candidates to block:

Blackpr.biz
Chertenok.name
Lockerz-invite.ru
Nemerova.name
Technaxx.pl
Technaxx.ru
Tequieroputa.net
Themysite.net

Of note is that again we're seeing support services going through the dnsofthost.com domain that seems to be only used by the bad guys.


Administrator:
  Dmitriy Ilin depot@infotorrent.ru +7.8127047272
  Dmitriy Ilin
  Yuriya Gagarina pr-kt d.24-1 lit.A
  Sankt-Peterburg,Sankt-Peterburg,RUSSIAN FEDERATION 196211


infotorrent.ru seems to be pretty common to this kind of malware attack.

Anyway, a quick fix for corporate administrators is to block messages with "Thank you for registering with ImageShack." for the time being.

Added: forsight.com.au is also a domain being used in the attack, looks to be another hijacked legitimate domain.

Romance Scams

A couple of interesting news stories recently illustrate the dangers of "Romance Scams" or Dating Scams which illustrate the dangers involved. In one, a woman called Brenda Parke details how she was ripped off  by a fraudster to the tune on £57,000.. and kudos to her for having the courage to come forward and shine a light on this activity.

But this isn't the only case, a recent BBC Crimewatch film reveals more about this operation, leading to a successful capture of a romance fraudster in Ghana. In this case the victim had sent £45,000 already and was about to send a staggering £120,000 before the police intervened.

Although most of the dating scam spam I see is Russian in origin, it is also a major criminal activity in Ghana in particular.

"TOYOTA CAR LOTTERY" scam

A ridiculously long and horribly written scam email about winning a Toyota, email relayed through 60.251.190.235 in Taiwan, but apparently soliciting replies to an email address in Hong Kong while claiming to be based in Thailand. It is (of course) some sort of Advanced Fee Fraud. Incidentally, the +(66)896734792 telephone number is Thailand and is well known for being connected with scams.

From: MR.PAUL WILTON <info@yahoo.com>
Reply-To: organizelottoint39l@yahoo.com.hk
Date: 23 July 2010 10:18
subject: TOYOTA CAR LOTTERY
   
Toyota Car Lottery International Promotions Thailand,
Customer Service Department
Toyota Motor Corporations, Thailand.
92/48 Sathon Nua Rd.
Fl 17 Sathorn Thani 2 Bldg Silom,
Bang Rak,Silom, Bangkok 10500,
Thailand.


                                             TOYOTA  MOTORS CORPORATION INTERNATIONAL
                                             PRIZE NOTIFICATION 2010 NEW CARS PROMOTION

We are pleased to inform you of the result of the just concluded annual final draws held on the IST OF January,2010  by Toyota Motor Company in conjunction with the Japan International Email Lottery Worldwide Promotion,your email address was among the 20 Lucky winners who won US$1,000,000.00 each on the Toyota Motors Company Email Promotion programme dated as stated above.This is from the total price of $20 million United State Dollars ($20,000,000.00usd)shared among the 20 lucky winners,you are therefore approved for a lump payment of US$1,000,000.00 Dollars,in cash ,including a Toyota car which is the winning present /amount for the Second category winners.

However the results were released and declared on the 5TH OF MAY 2010, and your email address attached to ticket number 4500542188(TMPWAYZ20051), with serial number  454-17 drew the lucky number 3,8,13,22, 5, 0,27,41 and bonus number 12,your Reference Number:FLS433/453L/GMSA. The online draws was conducted by a random selection of email addresses from an exclusive list of 35,031 E-mail addresses of individuals and corporate bodies picked by an advanced automated random computer search from the internet. However, no tickets were sold but all email addresses were assigned to different ticket numbers for representation and privacy to make sure the money reaches you.

The selection process was carried out through random selection in our computerized email selection machine (TOPAZ) from a database of over 250,000 email addresses drawn from all the continents of the world. This Email Lottery Promotion is approved by the Japanese Gaming Board and also Licensed by the The International Association of Gaming Regulators (IAGR).This lottery is the 3rd of its kind and we intend to sensitize the general public about toyota motors 2010 new cars(Toyota motors 2010 latest cars).As indicated by the computerized selection machine,your lucky winning number falls within our Asia booklet representative office here in THE KINGDOM OF THAILAND as showed in the coupon.

For security reasons, you are advised to keep your winning information confidential and private until your claim is processed and your money remitted to you in whatever manner you deem fit to claim the prize money and the toyota car your winning present.This is part of our precautionary and security measure to avoid double claiming and unwarranted abuse of this program.In other to claim your US$1,000,000.00 winning prize,which has been deposited with THE MANAGEMENT AND BOARD OF UNITED TRUST BANK BANGKOK BRANCH THAILAND, Remember to indicate your reference Number (FLS433/453L/GMSA) to make sure the  winning  prize US$1,000,000.00 and the Toyota car reaches you intact and complete.

The toyota car shipping documents will be forwarded to you to claim ( A toyota car which is the winning present  for second category winners) in any port of your choice,once your winning amount US$1,000,000.00 processed and transfer to you.
However,you are required to fill the form below,together with the name of the port where your winning present a toyota car should be ship to and send it to the online promotion manager of THE TOYOTA MOTOR CORPORATION for verification and then you will be directed to the paying bank above for immediate process and approval of your winning fund and shipping of your (TOYOTA CAR) where the sum of US$1,000,000.00 has already been deposited in your favor under your email address.

FILL THE FORM BELOW;
NAME:.....................................
AGE:........................................
SEX:........................................
ADDRESS:(RESIDENT ADDRESS ONLY)...............................
YOUR OTHER EMAIL:....................................
PHONE:...................................
OCCUPATION:.........................
AMOUNT WON........................
COUNTRY:...............................
NAME AND ADDRESS OF THE PORT FOR SHIPMENT OF YOUR WINNING CAR ......................
SHORT COMMENT ON OUR PRODUCTS .............................................

Please you are adviced to complete the form and send it immediately to our Promotion manager through email for prompt collection of your fund
(CONTACT PROMOTION MANAGER)
TOYOTA MOTORS FOREIGN SERVICES MANAGER
NAME: Dr. Wong Lee
TELEPHONE: +(66)896734792
EMAIL:organizelottoint39l@yahoo.com.hk

WARNING !!

You are to keep all the winning information away from the general public especially your ticket number and ballot number.(this is important as a case of double claiming will not be entertained) Staff of Toyota Motor Company and the Japanese International Lottery Company are not to partake in this Lottery. Accept my hearty congratulations once again! for being selected among the 20 lucky winners .

Yours faithfully,
MR.PAUL WILTON
(V.P FINANCE)
TOYOTA MOTORS CORPORATION LTD.
www.Toyota.co.th

Thursday, 22 July 2010

amanda.lee@blackberry.co.za is not offering a free BlackBerry

A variation on this hoax email analysed at Hoax-Slayer indicates that someone has a grudge against Research in Motion (who make the BlackBerry range of smartphones) in South Africa.

There's a watermarked image stolen from Mobile Gazette to go with it (who are nothing to do with the hoax).. now with a blurry couple of photos from people claiming that they have their free BlackBerry.

This is just a hoax.. nobody is going to send you a €400 smartphone (about 3800 rand) for forwarding a few emails. It probably just exists to harass the company or whoever "Amanda Lee" might be. Don't forward it.

Dear All,
 
Blackberry is giving away  free phones as part of their promotional drive.
 
All you need to do is send a copy of this email to 8 people; and you will receive your phone in less than 24 hrs.
Please note that if you send to more than 20 people you will receive two phones.
 
 
Please do not forget to send a copy to: amanda.lee@blackberry.co.za 
 
With Regards,
 
Amanda Lee (Marketing Manager)
Office Number: 0117838512 


Someone has added to the email:
Hi guys,

This is real we got our phones today , the previous email, had the incorrect email address, should be @blackberry.co.za, and not @blackberry.com

And there are a couple of pictures no doubt ripped from the web:


My best advice is that if you get one, tell the sender that it is a hoax and point them to this post or Hoax-Slayer.

Wednesday, 21 July 2010

Hotbar.com deceptive installation.. again.

Hotbar.com probably needs no introduction as an unpleasant piece of Slimeware, picked up from the ruins of Zango by a Washington State company calling itself Pinball Corporation. Traditionally, companies like Zango and Pinball work on a pay-per-install basis for their software, and recruit affiliates to get the software installed on end user's machines. Anyone who deals with affiliate marketing knows that the actions of your affiliates reflect on the company itself.. you don't want dodgy affiliates tarnishing your reputation.

This particular affiliate of Pinball Corporation does seem to be pretty deceptive though, targeting naive users who don't check what they are downloading properly.

Here is an example, coming up on a search for Google Earth:

The first result reads:
G.Earth Free Download
EarthI0-3D.com/GEarth-Download      New G.Earth. A True 3D Digital. Fly Anywhere On Earth. For Free!
Is earthi0-3d.com Google? Of course not! But it relies on users not to check before they click through..

Google's logo is displayed prominently on the landing page, the whole page really does look like it is from Google, but scrolling down reveals the truth.. in pale grey text on a white background to make it difficult to spot:



This website has no partnership whatsoever with the owner or manufacturer of this software program, and provides ONLY a link to the program.
New computer users should find our services valuable, and a time saver. If you are an advanced computer user, you probably don't need our services. 
Well, it doesn't just provide a link to download the program.. clicking "Free Download" reveals the payload of a mixture of HotBar, ShopperReports, Blinkx and QuestDNS adware.

..but you have the read the small(ish) print. The Google Earth logo is still prominently displayed, along with a great big "Start" button. Now, to be fair it is all spelled out in black and white with links to the EULA, but displayed in a much smaller and less prominent manner than the Google logo.

The download is pretty widely detected as adware by many AV programs. Some of the components are particularly insidious, including QuestDNS that installs all sorts of operating system hooks.

It's not just Google Earth that is targeted in this way, the server that hosts earthi0-3d.com, 174.121.90.107 [ThePlanet.com], also hosts a shedload of other domains that masquerade as well-known applications. (Sorry, it's a long list.. but there's more after it).


0perai0.com
7zip2010.com
Adaware10-uk.com
Adaware10-us.com
Adawarepro10.com
Adobereader10-pro.com
Adobereader2010.com
Adobe-readeruk.com
Adobe-reader-uk.com
Adobe-readerus.com
Adobe-reader-us.com
Ares10.com
Ar-proversion.com
Audacityi0.com
Babelfish10-uk.com
Babelfish10-us.com
Bearshare10-prodownloads.com
Bearsharefast.com
Bit10-cometpro.com
Bitcometfast.com
Bitcometi0.com
Bitcometpro.com
Biti0-latest-comet.com
Bitlordfast.com
Bitlordi0.com
Bitnewcomet.com
Bit-new-comet.com
Bitnewlord.com
Bit-new-lord.com
Century21games.com
C-new-cleaneri0.com
Convertxtodvdpro.com
Corelpaint2010.com
Descarga-activex.com
Divx10-uk.com
Divx10-us.com
Div-xi0.com
Downsoftloads.com
Earth-20i0.com
Earthi0-3d.com
Emulenouveau-fr.com
Eplig.com
Fastnewlime.com
F-frostwirei0-pro.com
Flash-playerdownloads.com
Flashplayernew2010.com
Flashplayernew-uk.com
Flashplayerpro10.com
Flashplayeruk.com
Flashplayer-us.com
Freezonlinetvpro.com
F-reviewfrostwirei0.com
Frost10-prowire.com
Frost10-wire.com
Frostfreewire.com
Frost-profrostwire.com
Frostpro-wire.com
Frost-pro-wire10.com
Frost-prowire-2010.com
Frost-review.com
Frost-us-prowire.com
Frost-us-wire.com
Frostwire10-frostdownloads.com
Frost-wire10-pro.com
Frost-wirei0-frostpro.com
Gamescentury.com
G-earthi0.com
Getactivex.com
Getdirectx.com
Getnetframework.com
Girlstar-fun.com
Googleearth10.com
Internetdownmanagerpro.com
Irfanviewpro.com
Itunespro10.com
Jetaudiopro.com
Justfree-screensavers.com
Kidstoys-fun.com
Latestopenoffice.com
Limewireeasy.com
Live-messenger-windows.com
Live-msn10-messenger.com
Live-newmessenger-promsn.com
Liveprodownloads.com
Liveprotube.com
Live-torrents.com
Livetube-pro.com
Livetvnowpro.com
Messenger10-livepro-newmsn.com
Messenger-msni0-live.com
Messenger-msn-live.com
Messengerplus-live-msn10.com
Messengerpro-live-msn2010.com
Monfirefoxonline.com
Msn10-live-messenger.com
Msn-live10-messenger.com
Msn-messenger-new.com
Msn-messenger-windows.com
Myfrostwire10.com
Myfrost-wire10-pro.com
Mylimewire10.com
Mylimewirepro10.com
Mylivelimewire10.com
Mymariobrosfree.com
Mymessenger-live-promsn.com
Mymsn-live-newmessenger10.com
Myworldlime.com
Ner0-burni0.com
Newadobe-proreader.com
Newadobe-readerpro.com
Newadreaderpro.com
Newbit-comet-2010.com
Newbitcometi0.com
Newbittornado10.com
Newbit-torrent10.com
Newcoreldraw2010.com
Newdivxpro10.com
Newfastlime10.com
Newflash-playepro.com
Newflash-proplayer.com
Newlimefast.com
Newlimefree.com
Newlimeworld.com
Newmessenger-live-promsn.com
Newoffice10.com
Newopenoffice2010.com
Newopen-proofficeuk.com
Newopen-proofficeus.com
Newovernet10.com
Newphotoscape2010.com
Newpicasapro.com
Newshareaza10.com
Newsoulseek10.com
Newutorrent-free.com
Of-suite3-officei0.com
Openi0-latest-office.com
Openoffice10-officedownloads.com
Openofficenew2010.com
Openofficenewuk.com
Openofficenew-uk.com
Openofficenewus.com
Openofficenew-us.com
Playlegends.com
Play-mario-free.com
Play-mario-now.com
Proadobe10.com
Proadobereader10.com
Proadvancedsystemcare.com
Proaudacity10.com
Probitcomet.com
Probitcomet10.com
Probitlord10.com
Procamfrog10.com
Proccleaner10.com
Proflvplayer.com
Progommediaplayer.com
Proicq2010.com
Pro-lime-wire.com
Prolivetvnow.com
Promirc2010.com
Promocion-aba.com
Pro-nero-10.com
Pro-newutorrent.com
Proopenoffice10.com
Proorbit10.com
Propowerdvd.com
Proquicktime10.com
Prosopcast10.com
Prospybot2010.com
Pro-utorrent10.com
Pro-web-solutions.com
Prowinrar10.com
Prowinzip2010.com
Proytdownloader.com
Quicknewtime.com
Quicktime10-uk.com
Quicktime10-us.com
Rankdriven.com
Schnellfirefox10.com
Seo-sem-worldwide.com
Skype10.com
Smartdefragpro.com
Speedylime10.com
Suite3-office.com
Suite-office3.com
Suite-office3.net
Suiteprooffice-2010.com
Superlime10.com
Teamviewerpro2010.com
Trilliani0.com
Ufreetorrent.com
Uklimefree.com
Uprotorrent-2010.com
U-reviewbitcomet.com
U-reviewfrostwire.com
U-reviewsuiteoffice3.com
U-reviewtorrent.com
U-review-torrent.com
Uslimewire10.com
Utorrent10-udownloads.com
Utorrent-free.com
Utorrenti0.com
Vafdrivers.com
Vafscanner.com
Vaftv.com
Virtualdjpro-uk.com
Virtualdjpro-us.com
Virtualnewdj.com
Virtual-new-dj.com
Virtualnewdj.info
Virtual-newdj-2010.com
Virtuals-dj2010.com
Vlcmediaplayerpro.com
Vlcpro-vdownloads.com
Vlc-videolan-fr.com
V-virtual-prodj.com
Winamp10-uk.com
Winamp10-us.com
Winmediaplayer-fr.com
Winmoviemaker.com
Winrar10-uk.com
Winrar10-us.com
Winzip10-uk.com
Winzip10-us.com
W-media-player.com
Wmedia-playerdownloads.com
W-media-playerpro.com
Worldlime10.com
Youfreetube-loader.com
Youlive-tube.com
You-pro-tube.com
Ytdownloader-uk.com
Ytdownloader-us.com


Most domains have some sort of anonymous registration, but not all.. and one points the finger at a company in the Canary Islands:

Company: Payments interactive S.L.U
Name: fuentes martins de souza vicente alan
Address: camino de la fallera 1
City: santa cruz de tenerife
Country: CANARY ISLANDS
Postal Code: 38789
Phone: +34669061555
Fax:
Email: daniel.hylander@paymentsint.com
We can track down paymentsint.com to a server at 67.19.106.170 [ThePlanet.com] and there are a whole load of other domains you might want to avoid too.. (another long list, sorry)

Apuestadeporte.es
Audiobooks21.com
Bestfarmvilleapp.com
Bestfarmvilletoolbar.com
Bestfarmvilletricks.com
Bestwebhostingtop.com
Casinosypoker.es
Conocer-gente.es
Debelleza.es
Deseguros.es
Easyfarmvilleapp.com
Easyfarmvilletips.com
Easyfarmvilletoolbar.com
Easyfarmvilletricks.com
Economiayfinanzas.es
Emule10-italy.com
Emule10.com
Emule2010site.com
Emulenow.com
Evonynow.com
Farmappextreme.com
Farmtipsrextreme.com
Farmtoolbarextreme.com
Farmtricksrextreme.com
Fastestbrowsers.com
Fastfirefox10.com
Firefox-us.com
Flashgames2010.com
Flashplayernew.com
Flaviocoiro.com
Freenewares.com
Freenewutorrent.com
Freeopenoffice10.com
Freewinrar10.com
Fungamesgirls.com
Generar-ingresos-extra.com
Getfarmville.com
Haiti-foundation.org
Idolnew.com
Isoftware.es
Lastopenoffice.com
Latestnewinternetexplorer.com
Megauploadpro.com
Melollevo.net
Melosllevo.com
Melosllevo.es
Mininovaonline.com
Morpheusnow.com
Msnmessenger-fr.com
Mybitcomet10.com
Mybitlord10.com
Myedonkey10.com
Myexploreronline.com
Myfirefox10.com
Myfirefoxfast.com
Myfirefoxworld.com
Myfrostwirepro.com
Mygnutella10.com
Mymorpheus10.com
Napsternow.com
Neuenfirefoxonline.com
Newadobepro.com
Newadobereader.com
Newadobereaderpro.com
Newares10.com
Newbabelfish.com
Newbearsharepro.com
Newbitcomet.com
Newbitlord.com
Newbittorrent.com
Newedonkeypro.com
Newfarmville.com
Newfarmvilleapp.com
Newfarmvilletips.com
Newfarmvilletoolbar.com
Newfarmvilletricks.com
Newfirefoxpro.com
Newfirefoxworld.com
Newgnutellapro.com
Newgoogleearth10.com
Newrapidsharepro.com
Newreaderpro.com
Newskype2010.com
Newtvidol.com
Newutorrent10.com
Newvcdplayer.com
Newvirtualdj.com
Newwindowsmediaplayerpro.com
Ofertaturismo.es
Outlet-foto.com
Outlet-sport.com
Paymentsint.com
Photofiltrenew.com
Proadobeflashplayer.com
Proadobereader.com
Prolimewirenow.com
Prowirelime.com
Qualityblogs.es
Quecompras.es
Registryscanner-pc.com
Reviews21.com
Revistatv.es
Solococina.es
Solosalud.es
Speedyfirefox10.com
Theluckyhoroscope.com
Thunderbirdnow.com
Todoinfantil.es
Topconsolas.es
Topillsreviews.com
Tuguu.com
Tvtopchannel.com
Uklimefast.com
Usfirefoxbrowser.com
Utorrentfast.com
Vafdriver.com
Virtualdjnow.com
Virtualgirlfree.com
Web-uk-hosting.com
Web-us-hosting.com
Wmediaplayernow.com

You can probably safely block these IPs and all of these sites, there doesn't seem to be anything of value here.

This is definitely a somewhat deceptive approach to installation, but it does rely on a fair degree of user stupidity too. However, any IT person will probably tell you that there are a hard core of users who really are daft enough to fall for something like this, and really the best thing that you can do it pre-emptively block the whole lot.

There is a very questionable use of trademarks here, and perhaps some of those trademark owners might like to take some action of their own...

Saturday, 17 July 2010

"Pollux Enterprise Ltd" money mule scam

Pollux Enterprise Ltd appears to be a genuine company in Hong Kong. This email claims to be from Pollux Enterprise Ltd, but isn't.. it's a Money Mule scam which is basically money laundering. Email originates from 95.154.240.2 which appears to be Turkish, not Hong Kong. Avoid.

From: Pollux Enterprise Ltd pollux.recruit@gmail.comReply-To: pollux.recruit@gmail.com
Date: 17 July 2010 20:15
subject: Job and recruitment available ( Your present job not affected ).
   

If you have access to a computer, and have up to three hours spare time per-
week, would you like to work part or full time online from
home and get paid weekly? If yes, then please read carefully.
_____________________________________________________________________
ABOUT US
______________________________________________________________________
Pollux Enterprise Ltd was Established in 1999 in Hong Kong and we specializes
in worldwide export of fashion accessories, hair ornaments and fashion jewelry.
We strive to market chic and trendy accessories that intrigue fashion-conscious
ladies around the globe.

Backed by the vast manufacturing base in China and the East-West sensibility
uniquely found in Hong Kong,
______________________________________________________________________
JOB POSITION
_______________________________________________________________________
We are currently seeking part/full time employees for our ever-growing
Foreign Payment Receiving Officer. Through extensive demographic research, we
have discovered a wealth of untapped human resources that, for one reason or
another, need the freedom to work from home and consider becoming part of our company.
as part of our ongoing Multi Level Marketing Network, we seek capable individuals to work for
us as our representative.You can easily make $500 - $2,000 or more in a week by
working for us as Sub-contractor in your geographical location, you will be in charge
of collecting payment on behalf of our affiliates and Smallbusine ss organizations
that are registered under us. Note that no form of investment is needed from you and this job will take
only 1-3 hours of your time per week.
______________________________________________________________________
JOB RESPONSIBILITY
_______________________________________________________________________
The position of Foreign Payment Receiving Officer entails the following duties:
coordinate payments from our clients, receive payments which come in form of Certified
Check, process payments at your local bank, and forward 90% of funds
received to the proper branch office, as instructed.
The remaining 10% is your gratuity. Since this position
is need-based, you will have plenty of free time while enjoying a good income.
_______________________________________________________________________
RENUMERATION
_______________________________________________________________________
Ev ery assignment in form of payment received from clients, you're entitled to
10% which excludes the cost of processing western union to any regional office
accountant Also you get a monthly salary of $1500 which comes at the end of every
month, plus other incentives and benefits that accrue, which includes tax holidays.
________________________________________________________________________
INTERESTED APPLICANTS (HOW TO APPLY)
________________________________________________________________________
Interested applicants should reply with:

Full Name:-
Contact Address:-
Gender:-
Occupation:-
Phone Number(s):-
E-mail Address(Optional):-

Our Human Resource Managers can contact you via email, with further details if the management
decides you're a successful candidate.

We look forward to working with you.

NB: Ignore this mail if you are not interested in this offer.

Mr. Alfred Tsang
Unit 7-9, 6/F Yale Industrial Centre
61-63 Au Pui Wan Street, Shatin

Mystery Shopper Scam from "Shoppers Guide Ltd"

Mystery shopper scams aren't exactly rare, but they're not as obvious a scam as some others. The basic idea is that once you get roped in, then eventually the sting will come with you laundering stolen money or an advanced fee fraud. There are some details about typical mystery shopper scams here.

The spam originates from 82.128.2.21 in Nigeria.

From: ADAM SCOTT mystery.shopperonline33415@yahoo.com
Reply-To: mystery.shopperonline33415@yahoo.com
Date: 17 July 2010 15:39
Subject: JOB OFFER

Hello,

         We are a company that conduct surveys and evaluate other companies. We get hired to go to other peoples companies and act like customers in order to know how the staffs are handling their services in relation to their  customers. once we have a contract to do so, you would be directed to the company or outlet, and you would be given the funds you need to do the job(either purchase things or require services), after which you would write a  comment on the staffs activities and give a detailed record of your experience

Examples of details you would forward to us are :

1) How long it took you to get services.
2) Smartness of the attendant
3) Customer service professionalism
4) Sometimes you might be required to upset the attendant, to see how they react to clients when they get tensed.

 And we turn the information over to the company executives and they would  carry out their own duties in improving there services.

   Most companies employ our assistance when people give complains about their services, or when they feel there are needs for them to improve their customer service. your Identity would be kept confidential as the job states (secret shopper) you would be paid $300 for every duty you carry out, and bonus on your transportation allowance, and funds would be given to you if you have to dine as part of the duty.

  Your job will be to evaluate and comment on customer service in a wide variety of shops, stores, restaurant and services in your area. No commitment is made on this job, and you would have flexible hours as it suits you. We will be sending you check for any of your assignments which you will cash at your financial institution and you use the money to carryout the assignment. You do not have to use any money from your pockets. So we will provide you the money for all your assignments.If you are interested

The following information below will be needed :
Full Name:
Address (no Po Box):
City:
State:
Zip code:
Phone Number(s):
Email Address:
Age:
Occupation:

 So we can look at your distance from the locations which you have to put your service into, and your address would also be need for your payments.

Thanks.

Adam Smith
shoppers Guide Ltd
mystery.shopperonline33415@yahoo.com