Sunday, 19 September 2010

"hello / how are you?" mystery spam

I'm probably not alone in receiving a shedload of spam with the subject "hello" and the only content of "how are you?" A quick look at my spam filters shows hundreds of these with a small number getting through, presumably because filters are having a hard time blocking on this little data.

It's hard to be sure exactly what it is, but it reminds me of the mystery "podmena traffica test" spam from last year that appeared to be a widescale enumeration of mail systems that allowed spoofing, and those that blocked it. So, this could well be something similar.. an enumeration attempt to see which mailboxes DON'T reject a tiny, simple message like this, and then to use that data in the future to target those mailboxes.

"OK", you may be asking.. "why would you do that if you have the almost unlimited computing power of a botnet at your hands? Why would you need to be selective in your spamming when it does cost you anything?"

One good reason to attack only valid mailboxes with spam and not go for a scattergun "directory harvesting" attack is that mail spam filters specifically look for directory harvesting attacks and then block them and use the data to identify the characteristics of the spam attack. By acting more stealthily, it might be possible to avoid detection for longer and get a higher deliverability rate for spam.

Well, that's a theory anyway.. the best that I can come up with. Any ideas?

Added: here's another idea - the spammer could be looking for vulnerable mail servers to exploit later; this is a data collection phase to be followed by something evil. Or it could just be a weird prank, of course.

Friday, 17 September 2010

Networking4Africa.com - scam, spam or Joe Job?

Update: networking4africa.com's response is at the bottom of this post

One of the more interesting things that popped into my spam filter today was this.. at first glance it appears to be some sort of MLM scam spam:
From: steve@networking4.africa.com
Reply-To: steve@networking4.africa.com
Date: 17 September 2010 10:41
Subject: WOW 6 grand a month from your home

STOP!!! what your doing...do you know 3 people that have  $15.00?

And do those people know 3 people that have $15.00?

and what about those people and the ones after that? Join Me With 3 subscribers

and when each subscriber does the same through 10 levels

your income would be $63,982.50 per month

http://www.networking4africa.com

Join Now Pay Nothing Until  September 1st.

just get in now before we open to the public.

What if you just did 10% of that.
could you use and extra $6300.00 a month?****
all that for $15.00....
WoW that's the power of People Knowing People, Knowing People Knowing People....

www.networking4africa.com

Steven McGregor Owner and Ceo of www.Networking4africa.com and www.networking4afica.net
[personal address redacted]
+27.[personal number redacted]

Chat with me on face book http://www.facebook.com/smcgregor3

www.networking4africa.com

Please Note You will get Very rich with This program

So wtf is this? It looks like it is promoting a site called networking4africa.com (and networking4africa.net), which does exist (but more of that in a moment). But there are a couple of anomalies where the domain is quoted wrongly: "networking4.africa.com" in the From address and "networking4afica.net" in the signature.. kind of odd for a promotional message. Oh, and September 1st is long gone..

Another odd thing is the inclusion of a telephone number and full postal address, because be in no doubt that this email is spam. Typically we see this sort of thing when a Joe Job is in progress.. in other words, the spam is being sent maliciously by a third party and the telephone number is included to cause harassment for the victim.

The email originates from 216.59.18.30, which is a dedicated server belonging to some outfit called WebExxpurts who are assigned 216.59.18.0/24. A look around the netblock shows something interesting though: a site called iunmetered.com a few IPs away at 216.59.18.10, which is an anonymous VPN service. Given that the originating IP for the spam is a dedicated server (which appears to have no active web sites), there's a fair possibility that someone is using iunmetered.com to mask their IP address. But why mask your IP address if you are including a telephone number? It seems bizarre, and again perhaps evidence that "Steven McGregor" did not send the email.

Networking4Africa.com itself is hosted on 12.201.193.120 (a completely different network from the email sender), and the WHOIS details do largely match the ones in the spam, but that proves nothing. But now the plot thickens..

12.201.193.120 is in an IP address range which is allocated to "TEK CHANNEL CONSULTING LLC DBA WHOLSALE BANDWITH" (sic). Tek Channel / Wholesale Bandwidth are a very well known spam-friendly firm that has a ROKSO file at Spamhaus. This range has then been reassigned again to Global Virtual Opportunities Inc of Schert, Texas. This range forms part of AS46549 which has been fingered by Google as being pretty evil:

What happened when Google visited sites hosted on this network?

    Of the 2755 site(s) we tested on this network over the past 90 days, 371 site(s), including, for example, dontforward.com/, helpfulbackpaintips.com/, ultimatesneakers.com/, served content that resulted in malicious software being downloaded and installed without user consent.

    The last time Google tested a site on this network was on 2010-09-17, and the last time suspicious content was found was on 2010-09-16.

Has this network hosted sites acting as intermediaries for further malware distribution?

    Over the past 90 days, we found 16 site(s) on this network, including, for example, latenightwarriors.com/, tricitieslifeinsurance.com/, networkonlinereviews.com/, that appeared to function as intermediaries for the infection of 67 other site(s) including, for example, ccll-gtyarmouth.co.uk/, rogersvillelifeinsurance.com/, mediascout.kr/.

Has this network hosted sites that have distributed malware?

    Yes, this network has hosted sites that have distributed malicious software in the past 90 days. We found 16 site(s), including, for example, aardvarkville.com/, extraganancias.com/, latenightwarriors.com/, that infected 253 other site(s), including, for example, meb.gov.tr/, anakku.com/, tottochan.jp/.


In other words, this doesn't look like the sort of place a legitimate web site would want to be hosted.

But then what about networking4africa.com itself? Does it tally with the ridiculous "get rich quick" scheme outlined in the email?

It turns out that the site offers an MLM program which gives part of its proceeds to charity. Now, I've never come across any MLM program that is not some sort of scam.. either an out-and-out Ponzi or something that simply fails to deliver what it seems to be promising.

The basic deal is that you join up for $15, of which $5 goes into a fund called the "Helping Portion" which is meant to eventually help children in Africa. What you get for this is unclear, but on the "Products" page are a couple of eBooks (you know the sort of thing). The idea is that if you sign up enough people then you can make a shedload of cash, and some of this will go to the "helping portion".

It gives an example that if 88,572 joined, then it would generate $442,860.00 a month for these good causes. But then if 88,572 people simply ponied up $5 a month to Oxfam or a similar charity then it would also generate $442,860.00 a month without participating in some crappy MLM scheme.

And yes.. it is a crappy MLM scheme that is little other than a pyramid scam, according to its own description:

Commissions are paid through a simple unlimited width, 10 level matrix.

This means that you can introduce as many Subscribers as you want and they will appear on your level 1. The subscribers that they refer will be on your level 2 and so on.

You will receive commissions at the following rates for each level:
Level 1 - $2.00
Level 2 - $0.75
Level 3 - $0.75
Level 4 - $0.50
Level 5 - $0.50
Level 6 - $0.50
Level 7 - $0.50
Level 8 - $0.50
Level 9 - $0.75
Level 10 - $0.75

As an example, if you were to only introduce 3 Subscribers and each Subscriber did the same through 10 levels, your income would be $63,982.50 per month. Results will vary from person to person but with a deep matrix your income can be very stable and with unlimited width your potential income is unlimited. 
That's 1 - 3 - 9 - 27 - 81 - 243 - 729 - 2187 - 6561 - 19683 - 59049. Having difficulties visualising that? Well, it looks like this:

..wait, isn't that one of these..?

..yup, it looks like a Pyramid to me.
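To check the site's own arithmetic, here is an added example (my code, not the site's or the post's) that recomputes the 10-level, 3-wide matrix from the quoted commission table and shows where the 88,572 figure comes from; the world-population figure used at the end is an assumed round number, not from the page.

```python
"""Worked arithmetic for the "3 subscribers through 10 levels" matrix
quoted in the post. All money is handled in whole cents so the totals
are exact rather than float-rounded."""

# Commission per subscriber on each level, in cents, from the site's table
# as quoted in the post (Level 1 = $2.00, Level 2 = $0.75, ...).
COMMISSION_CENTS = [200, 75, 75, 50, 50, 50, 50, 50, 75, 75]
SUBSCRIPTION_CENTS = 1500      # $15 per subscriber per month
HELPING_PORTION_CENTS = 500    # $5 of each $15 goes to the "Helping Portion"


def level_sizes(width: int, depth: int) -> list[int]:
    """Subscribers on each level when everyone recruits exactly `width`
    more: width, width^2, ..., width^depth."""
    return [width ** level for level in range(1, depth + 1)]


def matrix_summary(width: int = 3, depth: int = 10) -> dict:
    """Income for the person at the top of a full width^depth matrix and
    what the subscribers beneath them must pay in to produce it."""
    if depth > len(COMMISSION_CENTS):
        raise ValueError("the quoted table only defines 10 levels")
    sizes = level_sizes(width, depth)
    per_level = [n * c for n, c in zip(sizes, COMMISSION_CENTS)]
    subscribers = sum(sizes)
    return {
        "level_sizes": sizes,
        "income_cents": sum(per_level),
        "subscribers": subscribers,
        "paid_in_cents": subscribers * SUBSCRIPTION_CENTS,
        "helping_cents": subscribers * HELPING_PORTION_CENTS,
    }


def share_of_pot(summary: dict) -> float:
    """Fraction of everything the downline pays in that reaches the top."""
    return summary["income_cents"] / summary["paid_in_cents"]


def depth_exceeding(population: int, width: int = 3) -> int:
    """Smallest number of levels at which a full matrix needs more
    subscribers than `population`: the point where it cannot fill."""
    depth, total = 0, 0
    while total <= population:
        depth += 1
        total += width ** depth
    return depth


def dollars(cents: int) -> str:
    return f"${cents / 100:,.2f}"


if __name__ == "__main__":
    s = matrix_summary()
    print("Level sizes:", " - ".join(map(str, s["level_sizes"])))
    print("Income at the top:", dollars(s["income_cents"]))
    print("Subscribers needed below:", f'{s["subscribers"]:,}')
    print("Helping Portion per month:", dollars(s["helping_cents"]))
    print("Share of fees reaching the top:", f"{share_of_pot(s):.1%}")
    # Assumed round figure for the 2010 world population, not from the page.
    print("Levels before a 3-wide matrix outgrows 6.9bn people:",
          depth_exceeding(6_900_000_000))
```

The 88,572 subscribers the site quotes for its charity example is exactly the headcount of one full 10-level tree, so the $442,860 figure assumes the whole matrix beneath a single person has filled.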

Now, I don't know South African law and I have absolutely no idea as to the legality of this scheme.. but legal or not, it is certainly bullshit, and dangling the carrot of starving African children is nothing short of despicable.

Which brings us full circle to the spam email.. it does bear all the hallmarks of a Joe Job, but the target site is a stain on the Internet anyway..

Update: Steven McGregor emailed me to say:

I apologise for the spam e-mail that you received. We have been under attack by a spammer based in the Philippines who has been trying to shut us down, but I believe that we have put a stop to it now.
Just a couple of points:

    * The email address that you show in the article does not exist and never has.
    * If you look at the full header of the e-mail you will notice that it did not originate from our domain or IP.
    * We have authentication protection so if you contact our provider they will verify the above.
    * If it was a marketing e-mail there would have been a referral link.
    * If I was going to spam I would not include my personal contact details.

[...] We have had everything that we are doing confirmed by an actuary and I don't really care to go into details. The site and our actions cover this sufficiently.[...] Network Marketing is a completely legal business model and not a pyramid scheme.

Thursday, 16 September 2010

Krebs pwnage

Brian Krebs is on the trail of some questionable activities involving an outfit called ePassporte. Now, for those of you who don't know who Brian Krebs is, he's a former Washington Post journalist.. and when he publishes things, things happen.. so the articles are always worth a read if you're interested in information security.

What caught my eye though was this part: "Elias declined to give me his e-mail address, saying I should be able to find it if I really were an investigative reporter."

You can probably guess what happens next..

Thursday, 9 September 2010

Evil network: MAXHOSTING Services, kfppp.com and the BBC Radio 3 compromise

MAXHOSTING are a fairly prolific evil network that I profiled last month, so it isn't a huge surprise to see that the evilness continues as normal.

But one thing that made MAXHOSTING stand out today was their involvement in an apparent compromise on the BBC's website, as reported by The Register. Google have labelled the BBC's Radio 3 subsite as being potentially dangerous:

Safe Browsing
Diagnostic page for bbc.co.uk/radio3

What is the current listing status for bbc.co.uk/radio3?

    Site is listed as suspicious - visiting this web site may harm your computer.

    Part of this site was listed for suspicious activity 2 time(s) over the past 90 days.

What happened when Google visited this site?

    Of the 15 pages we tested on the site over the past 90 days, 4 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2010-09-09, and the last time suspicious content was found on this site was on 2010-09-09.

    Malicious software is hosted on 1 domain(s), including kfppp.com/.

    1 domain(s) appear to be functioning as intermediaries for distributing malware to visitors of this site, including z145235.infobox.ru/.

    This site was hosted on 1 network(s) including AS2818 (BBC).

Has this site acted as an intermediary resulting in further distribution of malware?

    Over the past 90 days, bbc.co.uk/radio3 did not appear to function as an intermediary for the infection of any sites.

Has this site hosted malware?

    No, this site has not hosted malicious software over the past 90 days.

How did this happen?

    In some cases, third parties can add malicious code to legitimate sites, which would cause us to show the warning message.

So, what do we know about kfppp.com? Well, it was registered one day ago via the black hat domain registrar BIZCN to a fake registrant, and is hosted on a server at 77.78.240.253, which is in Maxhosting's range.. so obviously this is nothing good.

The trouble is that the BBC site seems clean and it is not apparent where the infection is coming from, but the BBC site does carry ad banners for non-UK visitors, and it seems possible that a malvertisement somewhere is to blame. Although Google does sometimes make false positives, this particular report is very specific and I tend to believe that the BBC Radio 3 site is (or was) compromised with malicious code.

A full breakdown of current sites, IP addresses and MyWOT reputations can be downloaded from here.

The best advice is to completely block traffic to 77.78.239.x and 77.78.240.x (or better still, the 77.78.224.0/19 parent block), or block traffic to the domains below.


Monday, 6 September 2010

Tainted network: InterWeb Media / Gogax.com AS21793 (76.76.96.0/19)

Trading under various names including Gogax, InterWeb Media and Exist Hosting, this Canadian company mixes legitimate businesses with some extremely dangerous sites that have links to organised crime.

Gogax's business model appears to be to delegate small chunks of its IP address range to third parties, while presumably hosting the servers for them. In the case of this $600,000 fraud the IP addresses were delegated by Gogax to a company called Krutikservers in Azerbaijan.

There are also several fake and/or illegal pharmaceutical sites in the address range, which makes it odd that a legitimate organisation like the Swedish Covenant Hospital should choose to host in the same IP range as criminals.

Google's safe browsing diagnostic is pretty damning:

Safe Browsing
Diagnostic page for AS21793 (GOGAX)

What happened when Google visited sites hosted on this network?

    Of the 595 site(s) we tested on this network over the past 90 days, 35 site(s), including, for example, ajvar.com/, freezlylo.com/, no-ip.be/, served content that resulted in malicious software being downloaded and installed without user consent.

    The last time Google tested a site on this network was on 2010-09-05, and the last time suspicious content was found was on 2010-09-05.

Has this network hosted sites acting as intermediaries for further malware distribution?

    Over the past 90 days, we found 225 site(s) on this network, including, for example, nakedfridaydresscode.com/, lykqug.cn/, hejaza.cn/, that appeared to function as intermediaries for the infection of 3632 other site(s) including, for example, rubensf.com/, rebeccaflinn.com/, jesus-messiah.com/.

Has this network hosted sites that have distributed malware?

    Yes, this network has hosted sites that have distributed malicious software in the past 90 days. We found 207 site(s), including, for example, nakedfridaydresscode.com/, lykqug.cn/, hejaza.cn/, that infected 3270 other site(s), including, for example, rubensf.com/, jesus-messiah.com/, ottomiller.com/.



The full list of domains, MyWOT ratings, delegations and a prognosis as to whether it's the sort of site you might want to visit can be found here; below is a summary of some of the more suspect delegates (note that some of the delegate names could be forgeries):

Delegate                                | Country       | Activity
Abdto He                                | China         | Counterfeit goods
Allen Jason                             | United States | HYIP schemes
Cecile Dagorne (possible forged name)   | France        | Malware distribution
Emil Vdovin                             | Russia        | Fake / illegal pharmaceuticals & counterfeit goods
Global                                  | Argentina     | Fake / illegal pharmaceuticals
Gogax                                   | Canada / US   | Rogue anti-virus, malware distribution, fake / illegal pharmaceuticals
James Schumaker (possible forged name)  | US            | Fake / illegal pharmaceuticals
Krutikservers                           | Azerbaijan    | Fake jobs / money laundering
Loyalty Servers                         | Russia        | Fake / illegal pharmaceuticals, malware distribution, hardcore pornography, illegal software downloads
Michael Chekin                          | Russia        | Fake / illegal pharmaceuticals
Paule Uvinekov                          | Ukraine       | Child pornography (reference)
Saman Mazaheri                          | Iran          | HYIP schemes
Telekurs Holding (possible forged name) | Switzerland   | Malware distribution
Valeria Duarte                          | Argentina     | Fake / illegal pharmaceuticals
Vlad Rybak                              | Ukraine       | Fake / illegal pharmaceuticals
Weiliang Zhang                          | China         | Counterfeit goods
WellHost                                | Ukraine       | Fake / illegal pharmaceuticals, malware distribution

The bad stuff on this network easily outnumbers the legitimate stuff, so blocking the entire 76.76.96.0/19 (76.76.96.0 - 76.76.127.255) will probably not cause significant problems. And if you are a legitimate site operator hosting with Gogax.. then it might well be time to change hosts before the whole lot gets blackholed.

Update: 23/5/11

Gogax claims that the block is now clean. However, the MyWOT rankings for this block still show some sites with very poor reputations (you can see a list of domains and ratings here).

Friday, 3 September 2010

Tainted network: Serverconnect.se / serverconnect-dedicateserver-net AS49770 (95.143.193.0/23)

Not a fully evil network, but AS49770 (owned by Serverconnect.se) has been abused by the bad guys for a long, long time. This particular /23 includes fake ad networks, counterfeit goods, torrents, pornography and a suspiciously large number of .ru domains for a Swedish web host.

Known bad domains currently hosted and in the past include:


MalwareURL lists lots of bad activity in this block, MalwareDomainList has more, and Google's opinion on the block is not good at all.

Safe Browsing
Diagnostic page for AS49770 (SERVERCONNECT)

What happened when Google visited sites hosted on this network?

    Of the 288 site(s) we tested on this network over the past 90 days, 5 site(s), including, for example, roditelskyi-dvor.ru/, sicko.se/, klybvolvo.ru/, served content that resulted in malicious software being downloaded and installed without user consent.

    The last time Google tested a site on this network was on 2010-09-03, and the last time suspicious content was found was on 2010-08-31.

Has this network hosted sites acting as intermediaries for further malware distribution?

    Over the past 90 days, we found 21 site(s) on this network, including, for example, mainsyql.com/, elisegm.com/, mediafasts.co.cc/, that appeared to function as intermediaries for the infection of 21 other site(s) including, for example, adrants.com/, thepiratebay.org/, rlslog.net/.

Has this network hosted sites that have distributed malware?

    Yes, this network has hosted sites that have distributed malicious software in the past 90 days. We found 2 site(s), including, for example, mediafasts.co.cc/, wowtribes.com/, that infected 4 other site(s), including, for example, rlslog.net/, golfreview.com/, mtbr.com/.

There's very little of significant value here, although not all sites are malicious. Blocking 95.143.193.0/23 (95.143.193.0 - 95.143.194.255) will most likely do more good than harm and I suggest you consider it.
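Before dropping the ranges recommended on this page into a firewall or DNS blocklist, it is worth checking that each CIDR as written is properly aligned and actually covers the dotted range given beside it. This is an added example (my code, not the blog's) using Python's ipaddress module over the ranges quoted in the MAXHOSTING, Gogax and Serverconnect posts and the Sagade /23 from its post title.

```python
"""Sanity-checks the network block recommendations quoted on this page.
A misaligned prefix such as 95.143.193.0/23 is silently rewritten by most
tools to 95.143.192.0/23, which blocks a different 512 addresses than the
dotted range the author wrote next to it."""
import ipaddress

# (label, CIDR as written, (first, last) dotted range as written or None).
# Values are the ones quoted in the posts above.
RECOMMENDATIONS = [
    ("Gogax", "76.76.96.0/19", ("76.76.96.0", "76.76.127.255")),
    ("Serverconnect", "95.143.193.0/23", ("95.143.193.0", "95.143.194.255")),
    ("MAXHOSTING parent", "77.78.224.0/19", None),
    ("Sagade", "85.234.190.0/23", None),
]
# The two narrower ".x" ranges named in the MAXHOSTING post, written as /24s.
MAXHOSTING_CHILDREN = ["77.78.239.0/24", "77.78.240.0/24"]


def check_cidr(cidr: str, dotted=None) -> dict:
    """Report whether `cidr` is an aligned prefix and, when a dotted range
    was given, whether the prefix covers exactly that range."""
    try:
        net = ipaddress.ip_network(cidr)          # strict: host bits must be 0
        aligned = True
    except ValueError:
        net = ipaddress.ip_network(cidr, strict=False)  # what tools would use
        aligned = False
    result = {"cidr": cidr, "aligned": aligned, "normalised": str(net)}
    if dotted:
        first, last = (ipaddress.ip_address(a) for a in dotted)
        # Minimal set of prefixes that covers the range the author meant.
        meant = [str(n) for n in ipaddress.summarize_address_range(first, last)]
        result["range_as_cidrs"] = meant
        result["range_matches"] = meant == [str(net)]
    return result


def redundant_children(parent: str, children: list[str]) -> list[str]:
    """Children already covered by `parent`; separate rules for them add
    firewall entries without adding coverage."""
    p = ipaddress.ip_network(parent)
    return [c for c in children if ipaddress.ip_network(c).subnet_of(p)]


def build_blocklist(recs=RECOMMENDATIONS) -> list[str]:
    """Collapse every recommendation into a minimal list of aligned
    prefixes, preferring the dotted range over the CIDR where both exist."""
    nets = []
    for _, cidr, dotted in recs:
        if dotted:
            first, last = (ipaddress.ip_address(a) for a in dotted)
            nets.extend(ipaddress.summarize_address_range(first, last))
        else:
            nets.append(ipaddress.ip_network(cidr, strict=False))
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


if __name__ == "__main__":
    for label, cidr, dotted in RECOMMENDATIONS:
        print(label, check_cidr(cidr, dotted))
    print("already covered by the /19:",
          redundant_children("77.78.224.0/19", MAXHOSTING_CHILDREN))
    print("blocklist:", build_blocklist())
```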

You can download a full set of domains, IPs and MyWOT ratings from here. The highest priority domains to block are below:


nl-position.com fake job offer

In what appears to be an update of this fake job offer, there is now a spam run soliciting replies to nl-position.com for "representatives" who will most likely be handling stolen money and goods.

    Date: 3 September 2010 06:30
    Subject: Welcoming speech

    Dear Sir/Madam!

    The Company would like to offer you extra opportunity to get part-time position.
    Today we open offices in some countries of Europe and need "Representatives".

    Responsibilities:
    - Work with clients and partners
    - Collecting information
    - Paper work
    - Online monitoring

    Principle of work:
    - Home office position

    Salary:
    - 60.000 euro per year + bonuses for transactions

    Minimal requirments:
    - Location: Holland
    - Age: +23
    - Secondary education
    - Responsibility

    Wait for your applications to the following address: cv@nl-position.com

    Do not hesitate to contact us and know more.
    Look forward to your applications!

    Best wishes!

    Don Tennant
    Manager of HR department


The nl-position.com domain was registered just three days ago to a no doubt fake address:

    Julia Morgan
        Email: info@JuliaNewYork76.com
        Organization: MDS LTD
        Address: 201 Varick Street
        City: New York
        State: NY
        ZIP: 10014
        Country: US
        Phone: +1.8668402756 

    The name servers are ns1.nameself.com and ns2.nameself.com, both based in Russia and commonly used by scammers. Unusually, the JuliaNewYork76.com domain in the registrant's contact email address is also fake. Both domains have their mail handled by Google.

    These other domains also seem to belong to the same crew, any "job offer" from them can safely be regarded as bogus:

    ca-position.com
    es-position.net
    europ-position.com
    gb-new-position.com
    ms-positions.com
    nl-position.com
    east-europ.com
    inc-europ.com
    it-europ.net
    north-europ.com
    pt-europ.com
    uk-europ.com
    trabajo-europ.com
    west-europ.com

    Wednesday, 25 August 2010

    Evil network: Sagade Ltd / ATECH-SAGADE AS6851 (85.234.190.0/23)

    I've mentioned Sagade Ltd before; it's a totally Black Hat Latvian network that should be blocked on sight. Google's Safe Browsing diagnostic for this range is fairly damning:

    Has this site acted as an intermediary resulting in further distribution of malware?

        Over the past 90 days, 85.234.190.0 appeared to function as an intermediary for the infection of 476 site(s) including lekarnar.com/, mysofa.es/, audiofile.org.ua/.

    Has this site hosted malware?

        Yes, this site has hosted malicious software over the past 90 days. It infected 1999 domain(s), including audiofile.org.ua/, votailprof.it/, capinaremos.com/.
    There's very little point playing whack-a-mole with these Latvian IP addresses. It's probably worth null-routing the entire country until some government agency that isn't being paid off by Russian organised criminals sorts the mess out. There's a list of major Latvian IP address allocations here; unless you do business in the Baltic states, blocking all of them will probably do no harm.

    Domains in the IP address range 85.234.190.0 - 85.234.191.255 are:
    Marre.in
    Monre.in
    Sdaya.in
    Dnsdnsprovider.com
    Respw.info
    Tonew.info
    Wbypa.info
    Celebsalon.net
    Celebsvideos.net
    Soltberger.net
    Sumerki-saga.com
    Zatmenie-saga.com
    Bestgoogleanalytics.com
    Bestgenerics.org
    Dhag.org
    Autoseon7.com
    Auou.info
    Premiaa.com
    Tdyeah.com
    Oeema.info
    Oeeme.info
    Toptrep.biz
    Staticdnsdns.com
    Aaasphereezine.com
    Aopsompamspn.com
    Hsudsasodams.com
    Ieksmanskasdk.com
    Mopsdiamsas.com
    Alert-system.net
    Ffgde.com
    Gdlka.com
    Khhfg.com
    Nnmty.com
    Ppolr.com
    Rcchr.com
    Rrtyu.com
    Rttye.com
    Trrre.com
    Uyyty.com
    Ccdfr.com
    Ffeeq.com
    Kklou.com
    Kkuyt.com
    Oouty.com
    Ppuut.com
    Ppyur.com
    Ttyww.com
    Wrraa.com
    Yyrew.com
    Bbhty.com
    Ggbdb.com
    Rggsd.com
    Rihdd.com
    Rrryu.com
    Bbgtr.com
    Kjhtr.com
    Wrrrt.com
    Mylote.com
    Tube-free-online.com
    Adminka.org
    Bbcxq.com
    Bnfgd.com
    Cbdfr.com
    Dettt.com
    Fggpr.com
    Ggffr.com
    Hhyyr.com
    Ssmmb.com
    Trdvr.com
    Darkseo.org
    Dbsoft.in
    Domainpc.in
    Exinfo.in
    Lightdebug.in
    Microsoft-security-center.com
    Mxinfo.in
    Statreview.in
    Uimode.in
    Unport.in
    Bestdomainforus.info
    Bestvido.info
    Bluffycrob.info
    Domain-for-email-us.info
    Domain-for-gain-us.info
    Domain-for-lease-us.info
    Domain-for-us.info
    Domainfordollarsus.info
    Domainforemailus.info
    Domainforgainus.info
    Domainforleaseus.info
    Domainforus.info
    Domainforusblog.info
    Domainforusnow.info
    Domainforusonline.info
    Domainforusshop.info
    Domainforussite.info
    Domainforusstore.info
    Domainforustoday.info
    Fffvideo.info
    Freedomainforus.info
    Freevido.info
    Microoplata.info
    Moplata.info
    Mydomainforus.info
    Myvido.info
    Newdomainforus.info
    Newvido.info
    Stupid-domain-for-us.info
    Stupiddomainforus.info
    Thebluffycrob.info
    Thedomainforus.info
    Thefffvideo.info
    Vi-do.info
    Vidonow.info
    Vidoonline.info

    The Walking Dead on FXUK

    Holy moley.. the FX TV channel in the UK certainly runs some interesting shows (Dexter, Breaking Bad, Better Off Ted). This latest one coming in the Autumn is about.. zombies! Yeah, it looks a bit like a 28 Days Later / Mad Max mashup, but it has Egg from This Life in it and Gale Anne Hurd is involved.

    Check out the trailer (possibly works in the UK only) or read more here. More information about the show and the graphic novel can be found here.

    Oh yes, in the US it's showing on AMC which has a decent photo gallery and other stuff here.

    Evil network: Latnet Serviss Ltd (latnet.lv) AS2588 (159.148.117.0/24)

    Latvia is definitely becoming a problem when it comes to black hat hosting. The 159.148.117.0/24 range (159.148.117.0 - 159.148.117.255) is another malicious block, forming part of AS2588 belonging to Latnet (similar to microlines.lv). At a rough estimate, about half the IP address ranges I am currently blocking are based in Latvia.

    This bunch of domains is a mix of fake pharma sites, browser exploits, illegal downloads and possibly some hijacked domains. In any case, there is nothing of use here and either blocking the entire IP range, or the list below is probably a good idea.

    There's a more detailed file with MyWOT ratings and IP addresses to download here.

    Bitssit.com
    Solid-pay-gate.com
    Bombastats.com
    1001meds.info
    101doctors.info
    101health.info
    11doctors.info
    333tabs.info
    5meds.info
    911drugs.info
    99pharmacy.info
    99pills.info
    Abouttabs.info
    Actualdrugs.info
    Actualtabs.info
    Addhealth.info
    Addpills.info
    Advancedsoft.in
    Allpills.info
    Anyhealth.info
    Anymeds.info
    Anytabs.info
    Atlanticdrugs.info
    Atlantictabs.info
    Bestwesthost.info
    Bluedoctor.info
    Buycheapnow3.info
    Buyfdatabs.info
    Buygeneric1.info
    Buyld.info
    Buyonline5.info
    Buytramadol5.info
    Buytramadolf.info
    Buytramadolk.info
    Buytramadolp.info
    Buytramadolt.info
    Buytramadoly.info
    Buyxanax1.info
    Buyxanaxk.info
    Cheap2tramadol.info
    Cheaponline2.info
    Cheaprt.info
    Cheaptramadolh.info
    Cheaptramadoli.info
    Cheaptramadolss.info
    Cheaptramadolw.info
    Cheaptramadolz.info
    Cheapxanaxz.info
    Doctor01.info
    Doctorarea.info
    Doctordaily.info
    Doctorgiant.info
    Doctorjones.info
    Dogoal.in
    Drugs01.info
    Drugs12.info
    Drugsapple.info
    Drugsbasket.info
    Drugsblue.info
    Drugscenter.info
    Drugsclub.info
    Drugscompany.info
    Drugsdaily.info
    Drugsfast.info
    Drugsgood.info
    Drugslife.info
    Drugsreview.info
    Drugstoree.info
    Fasttabs.info
    Fdapillsonline.info
    Fulink.in
    Fustat.in
    Generictramadolb.info
    Generictramadolc.info
    Generictramadoln.info
    Generictramadolr.info
    Generictramadolv.info
    Genericxanaxn.info
    Getonlinehealth.info
    Getonlinemeds.info
    Haycorn.info
    Health911.info
    Healthbasket.info
    Healthblue.info
    Healthgreat.info
    Healthlabel.info
    Kinghealth.info
    Kingpills.info
    Knownmeds.info
    Knowntabs.info
    Labeldrugs.info
    Labelhealth.info
    Meds01.info
    Meds333.info
    Meds4him.info
    Medsapple.info
    Medsarea.info
    Medsdaily.info
    Medsexpress.info
    Medsguard.info
    Medshealth.info
    Medslife.info
    Medslocate.info
    Medssearch.info
    Mmlist.in
    Mmsoft.in
    Moderndrugs.info
    Modernpills.info
    Mxstat.in
    Needsdoctor.info
    Olstat.in
    Online01.info
    Onlinecasinosbestusa.info
    Onlineow.info
    Ordercheapnow6.info
    Orderoj.info
    Orderonline4.info
    Ordertramadold.info
    Ordertramadole.info
    Ordertramadolj.info
    Ordertramadolo.info
    Ordertramadolx.info
    Orderxanaxx.info
    Owndoctor.info
    Pacificdoctor.info
    Pills007.info
    Pills01.info
    Pills4him.info
    Pills4men.info
    Pillsaccept.info
    Pillsarea.info
    Pillsblue.info
    Pillscontrol.info
    Pillsdaily.info
    Pillsfast.info
    Pillsgood.info
    Pillslabel.info
    Pillslife.info
    Pillslocate.info
    Pillsoffice.info
    Pillsreview.info
    Pillssearch.info
    Pillstoday.info
    Pillsworld.info
    Realtabs.info
    Rx999.info
    Safedoctor.info
    Searchtabs.info
    Sermyagino.info
    Ssmode.in
    Ssnews.in
    Tabs01.info
    Tabs4him.info
    Tabs5.info
    Tabsaccept.info
    Tabsapple.info
    Tabsarea.info
    Tabscenter.info
    Tabsclub.info
    Tabscompany.info
    Tabscontrol.info
    Tabsdaily.info
    Tabsexpress.info
    Tabsguard.info
    Tabsguide.info
    Tabslife.info
    Tabsoffice.info
    Tabspills.info
    Tabsreview.info
    Tabssearch.info
    Tabsworld.info
    Todaypills.info
    Todaytabs.info
    Tramadolonline7.info
    Tramadolonlinea.info
    Tramadolonlineg.info
    Tramadolonlinel.info
    Tramadolonlineq.info
    Tramadolonlineu.info
    Tramadoltramadol1.info
    Tramadoltramadol10.info
    Tramadoltramadol2.info
    Tramadoltramadol3.info
    Tramadoltramadol4.info
    Tramadoltramadol5.info
    Tramadoltramadol6.info
    Tramadoltramadol7.info
    Tramadoltramadol8.info
    Tramadoltramadol9.info
    Uiplus.in
    Usaapharm.info
    Usausaonlinecasinossuper.info
    Xanaxonlinee.info
    Xanaxonlinel.info
    Pupseg.net
    Pupseg.org
    Pixelstatservice.com
    Mybesttubeporn.com
    Rowfirst.com
    Java-9update.com
    Update-00server.com
    Hqll.ru
    Xacz.ru
    Aloa.asia
    Vniz.asia
    Bbls.ru
    Vaseagruzitkorm.com
    Vaseajretikru.com
    Ewacx.com
    Yacver.com
    Security-defencing.com
    Mypctech.net
    1200kb.net
    Banfieldsbest.com
    Btp-tags.com
    Doit-4-u.com
    In-ta.net
    Media-share.org
    Mwcdirect.com
    Pixel-pie.com
    Planetsoldat.com
    Sainser.com
    Wnizip.com
    Thebestporn.in
    Cormoupo.info
    Zombie-world.org
    Alterparadigma.net
    Brickplayer.ru
    Chilauter.ru
    Compromendes.com
    Moretds.org
    Danjg.com
    Aftui.in
    Ammew.info
    Armrm.in
    Aspow.info
    Clasd.in
    Coerw.info
    Demim.in
    Diasw.info
    Diaui.in
    Expew.info
    Eynew.info
    Gatui.in
    Harui.in
    Highw.info
    Homow.in
    Jenyx.in
    Jusui.in
    Katre.in
    Lisni.in
    Manui.in
    Marsw.in
    Marui.in
    Micre.in
    Neigw.info
    Ningl.in
    Nitan.in
    Nvenc.in
    Nvene.in
    Nvild.in
    Nvill.in
    Pockw.info
    Praaw.info
    Pulpm.in
    Racew.info
    Recei.in
    Recky.in
    Recto.in
    Regaw.info
    Rendm.in
    Sepsd.in
    Slovw.in
    Socyx.in
    Stpsd.in
    Synre.in
    Thiui.in
    Torsw.in
    Uianh.in
    Volnv.in
    Yxiac.in
    California-ns.com

    UPDATE 2014-06-25:  It's been a long time since I wrote this, and it looks like the block was cleaned up some time ago and now contains some Latvian government sites.

    Tuesday, 24 August 2010

    north-europ.com job offer scam

    This is a fraudulent job offer originating from an IP address in Vietnam, with a ridiculous salary for doing next to nothing:

    Hello message

    We are in a hurry to offer you position in the building Company.
    In few words our Company provides huge circle of building services like
    building, landscaping, interior and exterior design of premises, houses etc.

    We offer you:
    - career growth
    - flexible working day
    - minimal requirements to become the part of our team

    Job description:
    - type of work: part time position
    - the place to work: your home office
    - territory of work: you area(city)
    - salary: 60.000 euro per year + percents of transactions
    - principle of work: work with clients/partners getting tasks online

    If you are interested please respond with the C.V. or minimal contact data to the e-mail: Allison@north-europ.com


    Attention!
    We are interested in cooperation to the people who live in Europe.

    north-europ.com uses Google to handle its mail and doesn't have a website. The WHOIS details have a very familiar email address of lapatasker@earthling.net.

        Aleksandr Lapatau
        Email: lapatasker@earthling.net
        Organization: Private person
        Address: Lenina, 34, 8
        City: Minsk
        State: Minskaya
        ZIP: 456123
        Country: BY
        Phone: +375.172427204

    Infrastructure is in various locations around Russia. Avoid.

    There's more to this than meets the eye..

    This is a straightforward money mule pitch, so nothing very interesting in the message itself..

    From: james roberts <jamesroberts02@sify.com>
    Reply-to: james.roberts@sify.com
    Date: 24 August 2010 13:13
    subject: JOB OFFER:APPLY IF YOU ARE INTERESTED.
       

      Hello,
          
            My name is JAMES ROBERTS , a designer also the Manager of JAMES ROBERTS FABRIC and Consultant live and work here in United Kingdom,will you like to work online from home and get paid without affecting your present job?
              
            Actually I need a representative who can be working for the company as online book-keeper. We make lots of supplies to some of our clients in the USA/CANADA/EUROPE, for which I do come to USA/CANADA/EUROPE to receive payment and have it cashed after I supply them raw materials. It’s always too expensive and stressful for me to come down and receive such payment twice in a month so I therefore decided to contact you.
          
            I am willing to  pay you 10% for every payment receive by you from our clients who makes payment through you.   Please note you don't have to be a book keeper to apply for the job.
          
            Kindly get back to me as soon as possible if you are interested in this job offer with your details:
          
            FULL NAMES...................
            ADDRESS ..................
            STATE..................
            ZIPCODE................
            COUNTRY................
            PHONE NUMBER(S)........
            GENDER.................
            AGE....................
            OCCUPATION.............
              
            Yours Faithfully,
         
            JAMES ROBERTS

    But the headers tell an interesting story..

    Received: from mail.pna.ps ([213.244.123.84])
        by ********** with esmtp (Exim 4.69)
        id 1Onsd0-0004Yt-Jc
        for **********; Tue, 24 Aug 2010 13:29:22 +0100
    Received: from User (unknown [60.18.167.17])
        by mail.pna.ps (Postfix) with ESMTPA id ED6A94476F;
        Tue, 24 Aug 2010 15:12:09 +0300 (IDT)

    You can only really trust the last hop before it hits your mail server, i.e. the topmost Received header, because your own server wrote it (in truth, not always then either). Everything below it was supplied by the sending side and can be forged. That IP is 213.244.123.84, which is indeed mail.pna.ps.

    So what the heck is .ps? Well, it turns out to be the TLD for Palestine, and the PNA is the Palestinian National Authority, with servers that look to be based in Ramallah on the West Bank. Note that the inner hop was logged by Postfix as "with ESMTPA": the A means the client at 60.18.167.17 authenticated with SMTP AUTH before sending, which points to a compromised mailbox or stolen credentials on the PNA server rather than an open relay. Either way, it looks like the PNA mail servers are either insecure or compromised.

    Did you even know that Palestine had a TLD of its own? I didn't.. so I guess this spam has taught me something!
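    Here is an added example (not code from the original post) of the header triage described above: it unfolds the Received headers, extracts each hop's claimed HELO name, bracketed IP, receiving host and protocol keyword, and then separates the single hop your own server wrote from the hops the sender could have forged. It also flags RFC 3848 authenticated keywords such as ESMTPA. The headers are a constructed copy of the ones quoted above; the receiving server and mailbox are redacted in the post, so `mx.example.invalid` and `victim@example.invalid` are stand-ins (assumption). IPv4 literals only.

```python
import re
from ipaddress import ip_address

# Constructed copy of the two Received headers quoted in the post. The post redacts the
# receiving server and mailbox; "mx.example.invalid" / "victim@example.invalid" are
# stand-ins (assumption, not from the original).
RAW_HEADERS = """\
Received: from mail.pna.ps ([213.244.123.84])
    by mx.example.invalid with esmtp (Exim 4.69)
    id 1Onsd0-0004Yt-Jc
    for victim@example.invalid; Tue, 24 Aug 2010 13:29:22 +0100
Received: from User (unknown [60.18.167.17])
    by mail.pna.ps (Postfix) with ESMTPA id ED6A94476F;
    Tue, 24 Aug 2010 15:12:09 +0300 (IDT)
"""

# One trace hop: "from <helo> ... [<ipv4>] ... by <host> ... with <protocol>".
# IPv4 only; an IPv6 literal appears as "[IPv6:...]" and is not handled here.
HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+).*?\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]"
    r".*?\bby\s+(?P<by>\S+)(?:.*?\bwith\s+(?P<proto>\S+))?",
    re.IGNORECASE,
)

# RFC 3848 keywords whose trailing "A" means the client passed SMTP AUTH to that server.
AUTHENTICATED = {"ESMTPA", "ESMTPSA", "UTF8SMTPA", "UTF8SMTPSA"}


def unfold(raw: str) -> list[str]:
    """Join RFC 5322 folded header lines (continuation lines start with whitespace)."""
    lines: list[str] = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line.rstrip())
    return lines


def parse_received(raw: str) -> list[dict]:
    """Return hops newest-first, i.e. in the order the headers appear in the message."""
    hops = []
    for line in unfold(raw):
        if not line.lower().startswith("received:"):
            continue
        m = HOP_RE.search(line)
        if not m:
            continue
        proto = (m.group("proto") or "").upper()
        hops.append({
            "helo": m.group("helo"),
            "ip": m.group("ip"),
            "by": m.group("by").lower(),
            "proto": proto,
            "authenticated": proto in AUTHENTICATED,
            "public_ip": ip_address(m.group("ip")).is_global,
        })
    return hops


def analyse(raw: str, my_hosts: set[str]) -> dict:
    """Separate the hop you can trust from the hops the sender could have forged."""
    hops = parse_received(raw)
    # The first Received header written by a host you operate is the only one you know
    # is genuine; its "from" address is the real peer that connected to you.
    trusted = next((h for h in hops if h["by"] in my_hosts), None)
    return {
        "hops": hops,
        "trusted_origin": trusted["ip"] if trusted else None,
        # The deepest hop claims to be the true origin, but nothing verifies that claim.
        "claimed_origin": hops[-1]["ip"] if hops else None,
        # An authenticated hop on a foreign server means an account was used, not an open relay.
        "authenticated_relay": any(h["authenticated"] for h in hops if h["by"] not in my_hosts),
    }


if __name__ == "__main__":
    result = analyse(RAW_HEADERS, {"mx.example.invalid"})
    for hop in result["hops"]:
        print(f"{hop['ip']:>16}  by {hop['by']:<20} {hop['proto']:<8} auth={hop['authenticated']}")
    print("trusted origin :", result["trusted_origin"])
    print("claimed origin :", result["claimed_origin"])
    print("auth relay used:", result["authenticated_relay"])
```

    Run it as-is to see the trusted origin come out as 213.244.123.84 (mail.pna.ps) while the unverifiable inner hop claims 60.18.167.17; point `my_hosts` at your own MX names when using it on real mail.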

    Friday, 13 August 2010

    Weird scam mashup makes little sense

    This is a weird mashup of an FBI scare scam and a lottery scam, spelling out very clearly that it is really an advanced fee fraud. It makes no sense.. why would the FBI be informing you that you had won the lottery in the UK anyway? Bin it.

    From: Federal Bureau Of Investigation <soundsit@btconnect.com>
    Date: 2010/8/13
    Subject: *Alert*
    To:




    FEDERAL BUREAU OF INVESTIGATION
    Anti-Terrorist and International Fraud Division
    601 4th Street NW, Washington, DC 20535

    Attn: Beneficiary

    RE: AUTHETICATED LOTTERY WINNINGS

    This is to officially inform you that it has come to our notice and we have thoroughly completed an Investigation with the help of our Intelligence Monitoring Network System that you legally won the sum of $850,000.00 US Dollars from a Lottery Organization in the United Kingdom. During our investigation we discovered that your e-mail won the Lottery from an online balloting system and we have authorized this winning to be authentic and paid to you via a Certified Cashier's Check. Normally, it will take up to 15 business days for an International Check to be cashed by your local bank. We have successfully come to an agreement with this organization on your behalf that funds are to be drawn from a registered bank within the United States of America so as to enable you cash the check instantly without any delay, henceforth the stated amount of $850,000.00 US Dollars has been deposited with Chase Manhattan Bank.

    We have completed this investigation and you are hereby approved to receive the winning prize as we have verified the entire transaction to be Legitimate, Safe and 100% risk free of scams and frauds of any nature, due to the fact that the funds have been deposited at Chase Manhattan Bank you will be required to settle the following bills directly to the lottery claims agent in-charge of this transaction whom is located at the liaison office of the Lottery Organization in Washington, DC. According to our records, you are required to pay for the following:

    (1) Deposit Fee's (Fee's paid by the organization for the deposit into Chase Manhattan Bank)
    (2) Cashier's Check Conversion Fee (Fee for converting the EFT into a Certified Cashier's Check)
    (3) Shipping Fee's (The charge for shipping the Cashier's Check to your nominated destination)

    The total amount is $349.99 (Three Hundred & Fourty Nine United States Dollars & Ninety Nine Cents). We have tried our possible best to have the lottery organization deduct the $349.99 from your lottery winning but the funds have already been deposited at Chase Manhattan Bank and cannot be accessed by anyone apart from you the winner. Therefore you will be required to pay the needed funds to your lotto claims Agent in-charge of this transaction. The payment will NOT reflect at the Chase Manhattan Bank with the given transaction code (US8976-003) until you have covered the processing fees needed.

    In order to proceed with this transaction, Click Here (ericaclain@gala.net) to contact your claims agent Mrs. Erica Molin .You may be required to call her for verbal verification and e-mail her with the following informations:

    FULL NAME:
    LOCAL ADDRESS (INCLUDING CITY/STATE/ZIPCODE):
    AGE/GENDER/OCCUPATION:
    CONTACT PHONE NUMBERS (CELL & HOME):

    You will also be required to request details on how to pay up the required $349.99 in order to immediately ship your prize of $850,000.00 USD via Certified Cashier's Check drawn from Chase Manhattan Bank, Also include the following transaction code in order for her to immediately identify this transaction: US8976-003. This letter will serve as proof that the Federal Bureau Of Investigation is authorizing you to pay the required $349.99 ONLY to your claims agent via the information in which she shall send to you upon your request, if you do not receive your winning prize of $850,000.00 US Dollars we shall be held responsible for the loss and this shall invite a penalty of $3,000 which will be made PAYABLE ONLY by you (The Winner).

    Robert Anderson, Jr.
    Special Agent in Charge

    NOTE: In order to ensure your check gets delivered to you ASAP, you are advised to immediately contact Mrs. Erica Molin (ericaclain@gala.net) via contact information provided above and make the required payment of $349.99 to information in which she will provide you.

    Thursday, 12 August 2010

    "Spam King Leo Kuvayev Jailed on Child Sex Charges"

    A spammer.. and a kiddy fiddler (allegedly), notable Russian spammer Leo Kuvayev has been jailed on remand on charges of raping 50 children. I hear that Russian prisons are not very nice..

    More at Krebs on Security.

    Battle.Net / WOW Phish domains

    I don't play World of Warcraft or Starcraft.. but lots of people do and Blizzard accounts (used for playing the game online) are often a target for phishers. Why? Well, these accounts can be resold and are worth real money.

    This post at the Sunbelt software blog caught my eye.. but knowing that fake WOW / Blizzard sites don't tend to travel alone I did some digging and came up with a whole batch of them on neighbouring IPs.

    58.64.158.233
    Ba11ile.net
    Baititle.net
    Eu-batile.net
    Eu-battlie.net

    58.64.158.238
    Barittle.net
    Bartiile.net
    Bartlie.net
    Bartllie.net
    Barttirle.net
    Barttle.net
    Blizzte.net
    Eu-de-battle.net
    Bliizte.net
    Blrttle.net
    Battrlie.net
    Bartzle.net
    Battiale.net
    Barttlie.net

    58.64.158.240
    Usbatt1ee.net

    58.64.158.244
    De-bartle.net

    Registrant details are:
      Name           : Ji XiaoWei
      Organization   : Ji XiaoWei
      Address        : LiShui Dengtalu 25
      City           : LiShui
      Province/State : Zhejiang
      Country        : CN
      Postal Code    : 323700
      Phone Number   : 86-0578-7245132
      Fax            : 86-0578-7245132
      Email          : qnpv@163.com

    These are all fake, so avoid.
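    The domains above are all typosquats of battle.net (digit-for-letter swaps like "Ba11ile", transpositions like "Baititle", and country prefixes like "Eu-de-battle"). As an added example, not code from the original post, here is a small detector that undoes common digit homoglyphs, strips the TLD and hyphens, and then takes the smallest edit distance between the brand and any window of the label, so that prefixes and suffixes cannot hide a near-match. The brand list, the homoglyph map and the flag threshold of 3 edits are my tuning assumptions; a production version would use your own brand list and a lower threshold for short brands.

```python
import re

# Brand names the phishers are imitating in this post (battle.net / Blizzard).
BRANDS = ("battle", "blizzard")

# Digits spammers swap in for the letters they resemble (assumption: a small common map).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t"})


def levenshtein(a: str, b: str) -> int:
    """Edit distance with insert/delete/substitute at cost 1 each."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize_label(domain: str) -> str:
    """Drop the TLD, undo digit-for-letter swaps, strip hyphens and other noise."""
    label = domain.strip().lower().rsplit(".", 1)[0]
    return re.sub(r"[^a-z]", "", label.translate(HOMOGLYPHS))


def brand_distance(domain: str, brand: str) -> int:
    """Smallest edit distance from the brand to any window of the normalized label,
    so that padding such as "eu-", "de-" or "us" does not hide a close match."""
    label = normalize_label(domain)
    n = len(brand)
    best = levenshtein(label, brand)
    for width in range(max(1, n - 2), n + 3):
        for start in range(0, len(label) - width + 1):
            best = min(best, levenshtein(label[start:start + width], brand))
    return best


def classify(domain: str, brands=BRANDS, threshold: int = 3) -> tuple[str, int, bool]:
    """Return (closest brand, edit distance, flagged). threshold=3 is a tuning assumption."""
    brand, dist = min(((b, brand_distance(domain, b)) for b in brands), key=lambda t: t[1])
    return brand, dist, dist <= threshold


if __name__ == "__main__":
    # Domains taken from the post, plus google.com as a legitimate control.
    for d in ("Ba11ile.net", "Baititle.net", "Eu-de-battle.net", "Usbatt1ee.net",
              "Blizzte.net", "De-bartle.net", "google.com"):
        print(f"{d:<20} -> {classify(d)}")
```

    Feed it a list of newly registered domains (or the domains from your proxy logs) and review anything it flags; the control domain shows that unrelated names stay well above the threshold.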

    Saturday, 7 August 2010

    "Your Free Money with Grants 4 CD Set At Absolutely No Cost From Robert Allen"

    I quite enjoy this spammy crap I get from Robert Allen, in all its breathless uselessness, from a company that only rates a D+ from the BBB.

    Hello Conrad,
    One day we must talk about where you got your mailing list from.
    It’s Robert Allen checking in with some MAJOR NEWS for you!
    Major news? You've discovered you have some horrible terminal disease that causes you to die through continuous pustulant eruptions? No? Shame.
    I am very excited to announce an amazing new program that reveals how anyone can quickly and easily get FREE MONEY from the Government.
    What, you want me to become a failed bank?
    No technical jargon or complicated procedures, simple, straight forward advice and methods on how to locate the free money that you are entitled to.
    Which government is this exactly?
    Best of all, you can get your own copy of this hot, new course for free.
    Why do I feel that there will be a catch?
    Read on … because this is exciting!
    This must be a definition of "exciting" that I wasn't previously aware of.
    My friend and colleague Rex Hudson just put the finishing touches on his brand new, “FREE MONEY with GRANTS” audio training course, and I’ve convinced him to give you, a free copy of this info packed 4 disc audio library!
    How did that go? "Rex, I'd really like to send a free copy of this training course to Conrad!" "Oh Robert, I'm not really sure I want to do that!" "Oh come on Rex, he's a great guy!" "Oh alright then Robert".
    Over the course of his long and varied investment career, Rex has held SEC licenses for Stock, Bond, Insurance, Options and Commodities.   As an MBA and the VP of Investments for a National Bank he also held a Municipal Bond Principle License and operated as a Registered Investment Advisor.  As the investment manager Rex held discretionary investment authority on over $850 Million in assets.  The bottom line is Rex knows money!
    He's a stockbroker and banker, basically. But now he works for the "Enlightened Wealth Institute" as "Vice President of Training" which is a bit of an interesting career move.
    Now you can have a chance to learn from the master – and get his best, proven techniques for getting FREE MONEY from the GOVERNMENT.
    I did say he was a banker.
    Rex’s FREE MONEY with GRANTS is your one stop source for BILLIONS of dollars that is ready, available, and waiting to be claimed! This easy to listen and easy to follow 4 disc audio program tells you exactly what to do to find your share of this FREE MONEY.
    Dollars? Can I have pounds instead?
    FREE MONEY with GRANTS audio program contains simple plan for putting
    cash in your hands. And this is FREE MONEY THAT YOU NEVER HAVE TO
    PAY BACK!
    Champagne does taste so much better when it has been paid for by the taxpayer.
    Find out how to get free money grants from Uncle Sam!
    Find out how to get free money grants from private foundations!
    Find out how to borrow money with government guarantees!
    Discover the huge opportunity in selling to the government!
    I don't have an Uncle Sam. Wait, Robert.. you didn't think I was American did you?
    These are some of the best kept secrets of our government – and now you will know there are BILLIONS OF DOLLARS sitting, waiting to be claimed. And MILLIONS of people are eligible to receive free money from the government.
    Honestly, no.. I don't think these are the best kept secrets of the US Government. I mean, they probably even have leaflets and stuff.
    The FREE MONEY WITH GRANTS audio program is your ultimate guide to getting your share of free money from the government.
    You can keep shouting FREE MONEY WITH GRANTS all you like but you are still not going to convince me. Actually, I'm starting to get a headache now.
    Rex’s “FREE MONEY with GRANTS” quick cash program could easily retail $69.95,
    but in true “Nothing Down” fashion, I’ve arranged for you to get this fantastic new 4 CD audio training course for FREE … not even shipping and handling!
    Nearly seventy dollars? Well, you can put whatever price on it you like.. it doesn't mean that it will sell. Look at the bidding wars going on for these items.. oh wait, they're not even shifting for 99 cents. And by "nothing down" I guess you mean that I don't have to pay anything NOW for them.. but what about later?
    All you have to do is dial toll free 1-888-384-4047 RIGHT NOW and let me know where to ship your course! That’s it … it’s as simple as that!
    Please ship it firmly up your own backside.
    I am very excited about Rex’s “FREE MONEY with GRANTS” 4 CD audio training
    program and I look forward to sending you your FREE COPY!
    Massive Success,
    Wicked!
    Robert Allen
    P.S. Don’t Wait! Call toll free 1-888-384-4047 RIGHT NOW. This offer is NOT going to last forever. Rex is only allowing us to give away a very limited number of these hot courses. So act now so you don’t miss out! Get your copy today!
    I'll pass if it's OK with you.
    Please note that product prices and availability are limited time offers and are subject to change.  We respect your privacy.  To remove yourself from this mailing list, click http://www.ewimail.com/unsubscribe.aspx or reply to this message with “unsubscribe” as the subject line or write us at Enlightened Wealth Institute, LC, 5072 N 300 W Provo, UT 84604
    But apparently you don't respect my intelligence by sending me this crap.

    Friday, 6 August 2010

    Evil network: MAXHOSTING Services / GlobalNET Bosnia (AS42560 / 77.78.239.0/23)

    Back in May they were called Maximus Hosting Services but I guess it's always embarrassing when you're not number one in Google for your own name.. so now this outfit from Russia appears to be calling itself MAXHOSTING SERVICES. Note that it looks like there are several Russian businesses of a very similar name, presumably most of which are legitimate.

    inetnum:        77.78.239.0 - 77.78.240.255
    netname:        MAXHOSTING-SERVICES
    remarks: ### in case of abuse please contact: godaccs@gmail.com  ###
    descr:          MAXHOSTING-SERVICES
    country:        MD
    admin-c:        VM3351-RIPE
    tech-c:         VM3351-RIPE
    status:         ASSIGNED PA
    mnt-by:         BA-GLOBALNET
    source:         RIPE # Filtered

    person:         Vadim Makarenko
    address:        Leningradskaya 28 kv 26, Bendery, Moldova
    e-mail:         godaccs@gmail.com
    phone:          +373-680-45324
    nic-hdl:        VM3351-RIPE
    source:         RIPE # Filtered

    route:          77.78.192.0/18
    descr:          GlobalNET Bosnia
    origin:         AS42560
    mnt-by:         BA-GLOBALNET
    source:         RIPE # Filtered

    It looks like it is working closely with GlobalNET Bosnia.. which is kind of weird because Russia doesn't exactly have a shortage of dodgy web hosts. GlobalNET operate AS42560 77.78.192.0/18; MAXHOSTING appear to have rented half of it, giving 77.78.224.0/19 i.e. 77.78.224.0 - 77.78.255.255. The other half of the GlobalNET range is mostly legitimate apart from an apparent Stelivo phishing site on 77.78.192.140 called justadultchat.co.uk
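    Before null-routing anything on the strength of a WHOIS record it is worth checking the arithmetic, and the same goes for the Latvian ranges in the Sagade and Latnet posts above. The following is an added example, not code from the original post: it turns first-last ranges into CIDR blocks, splits the GlobalNET /18 into its two /19 halves, shows which half a given address falls in, and merges overlapping blocks into Linux `ip route add blackhole` lines. One thing it makes visible is that the RIPE inetnum quoted above, 77.78.239.0 - 77.78.240.255, is two /24s and not a single /23, so a /23 written into a blocklist would cover the wrong addresses. All ranges are taken from the posts; the blackhole command format assumes iproute2 on Linux.

```python
from ipaddress import ip_address, ip_network, summarize_address_range, collapse_addresses
from typing import Optional

# Ranges exactly as the posts state them.
SAGADE = ("85.234.190.0", "85.234.191.255")            # Sagade Ltd, given as 85.234.190.0/23
LATNET = "159.148.117.0/24"                             # Latnet Serviss, AS2588
GLOBALNET = "77.78.192.0/18"                            # GlobalNET Bosnia, AS42560
MAXHOSTING_INETNUM = ("77.78.239.0", "77.78.240.255")   # RIPE inetnum quoted above


def range_to_cidrs(first: str, last: str) -> list[str]:
    """Collapse a first-last address range into the minimal list of CIDR blocks."""
    return [str(n) for n in summarize_address_range(ip_address(first), ip_address(last))]


def halves(cidr: str) -> list[str]:
    """Split a block into its two equal halves (a /18 becomes two /19s)."""
    return [str(n) for n in ip_network(cidr).subnets(prefixlen_diff=1)]


def containing_block(ip: str, cidrs: list[str]) -> Optional[str]:
    """Return the first listed block that holds the address, or None."""
    addr = ip_address(ip)
    return next((c for c in cidrs if addr in ip_network(c)), None)


def blackhole_commands(cidrs: list[str]) -> list[str]:
    """Merge overlapping/adjacent blocks, then emit one iproute2 null-route per block."""
    merged = collapse_addresses(ip_network(c) for c in cidrs)
    return [f"ip route add blackhole {n}" for n in merged]


if __name__ == "__main__":
    print("Sagade      :", range_to_cidrs(*SAGADE))
    print("MAXHOSTING  :", range_to_cidrs(*MAXHOSTING_INETNUM))   # two /24s, not a /23
    upper, lower = halves(GLOBALNET)
    print("GlobalNET   :", upper, "(mostly legitimate) /", lower, "(MAXHOSTING)")
    print("phish host  :", containing_block("77.78.192.140", halves(GLOBALNET)))
    for cmd in blackhole_commands([lower, *range_to_cidrs(*MAXHOSTING_INETNUM),
                                   *range_to_cidrs(*SAGADE), LATNET]):
        print(cmd)
```

    The merge step matters in practice: the inetnum /24s disappear into the /19 that already covers them, so the blocklist you push to routers stays short and free of redundant entries.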

    Anyway, 77.78.224.0/19 is a real sewer consisting of fake job sites, phishing, hacking sites, fake escrow sites, illegal downloads, malware and other nasty stuff. According to ratings from the WOT API it is mostly toxic rubbish, and even the sites with "good" rankings are involved in something illegal.

    77.78.224.0/19 is certainly worth blocking, and/or the domains listed below. If you want the IP addresses and the WOT ratings in a handy form then you can download them from here, else there's a list of the currently dodgy domains below:

    Clairvoyantcss.info
    Honstrategy.info
    2iii.org
    Divambee35.net
    Eagen85.net
    Forceclub-us.com
    Forceclub-us.net
    Janoodle6.net
    Zabil.in
    King-invest.org
    Search-static.org
    Vostokgear.org
    Francecore.com
    Genreystick.com
    Grand-vitaro-club.com
    Odistanyachts.com
    Statxonline.com
    Xsbot.net
    Planopetroleumteam.com
    Acunetxweb.net
    Dottasink.net
    Nowisisdudescars.com
    Onlineisdudescars.com
    Whereisdudescars.com
    Zettapetta.net
    Google-server09.info
    Google-server10.info
    Google-server11.info
    Google-server12.info
    Google-server14.info
    Google-server29.info
    Google-server31.info
    Google-server41.info
    Google-server42.info
    Google-server43.info

    "Thank you for scheduling your online payment" email leads to malware

    The spammers seem to be busy today, using an old trick of embedding a spam in a template lifted from a legitimate business. This particular one is from Chase bank in the US; the key "hook" they use to get people to click is:
    Thank you for scheduling your recent credit card payment online. Your ($USD) $117.00 payment will post to your credit card account (CREDIT CARD) on 08/06/2010. 

    This seems to be exactly the same attack as used here and here, although in this case the intermediate site had already been cleaned up and the malicious payload could not be delivered.

    Best Buy "Thank You, Your Anti-Virus Protection Plan has been renewed" email leads to malware

    To prove that the Bad Guys have a sense of humour at least, this fake email claims to be a renewal subscription for Webroot:

    From: Best Buy Subscription Software [mailto:noresponse@softwaresubscription.bestbuy.com]
    Sent: 06 August 2010 11:23
    Subject: Thank You, Your Anti-Virus Protection Plan has been renewed

    Dear [victim]

    Your Webroot Spysweeper with AntiVirus Product Protection Plan has been successfully renewed and charged to the credit card you have on file with us. With this automatic renewal, you will continue to have uninterrupted anti-virus software protection on your PC for another year plus these great benefits:

    • Best in Class Security Software
    • No hassle automatic renewals makes sure that you will never go unprotected
    • Receive all version updates free of charge
    • Cancel at any time and received a refund for any unused months of protection
    • Simple Customer Support, Call 1-888-BESTBUY with any questions

    -------------------------------------------------------------
    Here are the details of your renewed Protection Plan:
    -------------------------------------------------------------
    Product: Webroot Spysweeper with AntiVirus Product
    Protection Plan: Annual
    Best Buy Serial Number: WBR00AV000044180817
    Transaction Date: 7/19/2010
    Renewal Price: $43.54


    If you have any questions about your protection plan or your recent renewal, please contact our Customer Support Team at 1-888-BESTBUY (1-888-237-8289), and ask for the Subscription Software Team.

    Thank you again for your business, and being a Best Buy Customer.

    Sincerely,

    Best Buy Stores, L.P.
    ddd

    Payload and approach seem to be exactly the same as this one, with a Bredolab dropper. Again, it routes through yummyeyes.ru and you should look for the same log entries of .ru:8080 and /x.html to make sure you are clean.

    In this case the intermediate step is a hacked site at peninsula.co.nz/x.html but it probably varies.

    If you are not in the US, then blocking bestbuy.com at your mail perimeter will do no harm.

    "Thanks for planning your event with Evite" mail leads to malware

    We're seeing a batch of fake emails "from" Evite [info@mailva.evite.com] with the subject "Thanks for planning your event with Evite"

    Hi [victim],
    Did you and your guests take photos at your event:
    Curt's 30th Birthday!?
    Click the button below to create an email asking your guests to share their photos.

    Or click the button below to upload your own photos.


    The link in the email leads to a hacked site (so far beroemdnaakt.net/x.html and www.myadexpert.org/x.html) but these are just intermediate steps, the payload site is at yummyeyes.ru:8080/index.php?pid=10 which then tries to download a poorly detected version of the Bredolab trojan.

    yummyeyes.ru is multihomed on the OVH network:
    188.165.95.133
    188.165.192.106
    188.165.212.54
    91.121.108.61
    91.121.122.81

    Best bet is to block evite.com at your mail gateway, block yummyeyes.ru and monitor your outbound web logs files for hits to .ru:8080 and /x.html.
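As an added example (not code from the original post), a small Python scanner that applies the three indicators given for this Bredolab run and the Best Buy one above (the yummyeyes.ru host, any .ru host on port 8080, and the /x.html intermediate path) to outbound proxy log lines. The log lines and client addresses are constructed for illustration, and the Squid native access.log layout is an assumption.

```python
from urllib.parse import urlsplit

# Indicators taken from the post: the payload host, the ".ru:8080" pattern and the "/x.html" intermediate path.
PAYLOAD_HOST = "yummyeyes.ru"
SUSPECT_PORT = 8080
SUSPECT_PATH = "/x.html"

# Constructed sample lines in Squid native access.log format (assumed layout:
# time elapsed client code/status bytes method url ident hierarchy/host type).
SAMPLE_LOG = """\
1281087001.123 210 10.0.0.12 TCP_MISS/200 5120 GET http://www.example.com/index.html - DIRECT/203.0.113.5 text/html
1281087002.456 180 10.0.0.12 TCP_MISS/200 1342 GET http://peninsula.co.nz/x.html - DIRECT/203.0.113.20 text/html
1281087003.789 320 10.0.0.12 TCP_MISS/200 22016 GET http://yummyeyes.ru:8080/index.php?pid=10 - DIRECT/188.165.95.133 application/octet-stream
1281087004.001 150 10.0.0.33 TCP_MISS/200 8800 GET http://www.example.org/x.html?ref=1 - DIRECT/203.0.113.7 text/html
1281087005.002 140 10.0.0.44 TCP_MISS/200 640 GET http://mirror.example.ru:8080/pkg/list - DIRECT/203.0.113.9 text/plain
"""

def classify_url(url):
    """Return the names of the indicators a URL matches (empty list when clean)."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    try:
        port = parts.port
    except ValueError:               # non-numeric port in a malformed URL
        port = None
    hits = []
    if host == PAYLOAD_HOST or host.endswith("." + PAYLOAD_HOST):
        hits.append("payload-host")
    if host.endswith(".ru") and port == SUSPECT_PORT:
        hits.append("ru-8080")
    if parts.path == SUSPECT_PATH:   # query string is ignored, so /x.html?ref=1 still matches
        hits.append("x.html")
    return hits

def scan_log(text):
    """Return (client_ip, url, hits) for every log line that matches at least one indicator."""
    findings = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 7:          # blank or truncated line: nothing to inspect
            continue
        hits = classify_url(fields[6])
        if hits:
            findings.append((fields[2], fields[6], hits))
    return findings

def clients_to_check(findings):
    """Sorted, de-duplicated list of internal clients that need a closer look."""
    return sorted({client for client, _, _ in findings})
```

A plain /x.html hit on an otherwise unremarkable site is only a lead, not proof of infection, so review those clients rather than acting on the path match alone.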

    Thursday, 5 August 2010

    "Shifflett Martin Stores" scam

    As far as I can tell, there is no such company as "Shifflett Martin Stores". There may be legitimate companies with a similar name, but this particular job offer is a fraud.

    The insistence that potential employees / victims have a bank account with either Wells Fargo or Wachovia indicates that they will probably be accepting wire transfers from bank accounts where the password has been stolen (transfers between accounts in the same bank are usually immediate).

    From: Ceaser <marrrtttiii@yahoo.com>
    Reply-To: gapstarrrss11@aol.com
    Date: 5 August 2010 07:29
    Subject: Help Wanted

    I am Ceaser Martin, owner of Shifflett Martin Stores. I seek an online virtual assistant to accept payments on my behalf in the United States of America. Requirements **Applicants must have a Wells Fargo or Wachovia bank account*** You are also eligible to apply if you can open a new Wells Fargo or Wachovia account. Great pay (15% of each payment processed), flexible and will not affect your present employment. Interested and meet the requirements? Send Full Names, Address, Direct Telephone Number and email address to gapstarrrss11@aol.com

    Originating IP is 80.8.199.189, an open proxy in Réunion of all places.

    Wednesday, 4 August 2010

    "Anatomy Of An Attempted Malware Scam"

    If you work in IT Security then malicious ads are a regular pain in the backside.. and you probably wonder why "reputable" ad networks get talked into running them. This article is possibly the best thing I have read on the problem, written from the ad network's point of view. It seems the Bad Guys do go to extraordinary lengths to try to look genuine, but sometimes the simplest checks can reveal that they are not what they seem.

    Hat Tip