Sponsored by..

Friday 8 July 2011

Evil network: hotmailbox.com

The domain hotmailbox.com often comes up when looking at malicious domains, it's a domain used to provide a bulletproof email address for domain registration. The registrar for hotmailbox.com is the scammer's favourite, BIZCN which probably explains why it has lingered for so long.

There are several hundred domains registered through email accounts at hotmailbox.com, all of them are bogus and follow a similar pattern with bogus US addresses. Most of the domains with active websites are hosted in Romania, in netblocks that have a known bad reputation.

You can download a list of domains, IPs and MyWOT ratings for at least some of these domains here [CSV], or if you just want a plain list then keep scrolling down.

Because the hotmailbox.com domains are all in bad blocks or dedicated servers, then it is possible to block access to these IP ranges or individual boxes to prevent infection. I would recommend blocking the following:

84.247.61.0/24 (Sistem Soft Network, Romania)
91.217.162.0/24 (Voejkova Nadezhda, Russia)
94.63.149.0/24 (SC CORAL IT OFFICE SRL, Romania)
94.244.80.7 (Uab Kauno Interneto Sistemos, Lithunia)
95.64.55.0/24 (Netserv Consult SRL, Romania)
96.9.139.208/28 (UAB "Dominant Plius", c/o HOSTNOC, US)
141.136.16.14 (MORE SECURE SRL, Romania)
173.236.34.238 (Inferno Solutions, UK)
184.105.178.85 (Hurricane Electric, US [parked])
188.138.90.110 (Intergenia AG, Germany)
188.138.116.223 (Intergenia AG, Germany)
188.229.0.0/17 (Netserv Consult SRL, Romania)
202.75.41.42 (TM VADS DC Hosting, Malaysia)
209.212.157.208/29 (BONHOST, Ukraine)
212.117.164.39 (root SA, Luxembourg)
217.23.9.247 (Worldstream, Netherlands)
220.112.0.0/18 (Guangzhou For Great Wall Broadband Network, China)

Not every site in those ranges is part of this group, and indeed there may be a few legitimate sites, but you are much more likely to come into contact with a malware site on these IP addresses than a real one, so treat them as "high risk".

If you have any examples of domains using hotmailbox.com that are not listed, then please consider adding them to the Comments.


8nm2.com
aaaholic.com
aaoutfit.com
aarocket.com
abcartel.com
abminute.com
abutable.com
acgoblin.com
aemodern.com
afchalet.com
agfiesta.com
alexblane.com
alisa-carter.com
analitycscredit.com
asweds.com
automaticsecurityscan.com
awesomepornofree.com
awfulice.com
bcrocket.com
bdcartel.com
bestipdns.com
bookaros.com
bookarra.com
bookavio.com
bookdolo.com
bookfula.com
bookgusa.com
bookmonn.com
bookmono.com
bookmylo.com
booknunu.com
bookpolo.com
booksgou.com
booksoco.com
booksolo.com
booktuba.com
bookvila.com
bookvivi.com
bookvoxy.com
bookzoul.com
bookzula.com
caldnsserver.com
calmsearch.org
cbhammer.com
cblender.com
cebistro.com
cfaholic.com
clickabundant.org
clickaccept.org
clickadvice.org
clickahead.org
clickalmost.org
clickan.org
clickancient.org
clickany.org
clickanybody.org
clickanybody.org
clickarrogant.org
clickarvada.org
clickattempt.org
clickautomatic.org
clickbad.org
clickbatonrouge.org
clickber.org
clickboa.org
clickbored.org
clickbrake.org
clickbury.org
clickcharleston.org
clickclear.org
clickclever.org
clickdesmoines.org
clickdowe.org
clickdrea.org
clickdreadful.org
clickfer.org
clickflat.org
clickfortlauderdale.org
clickfremont.org
clickhartford.org
clickicy.org
clickill.org
clickjacksonville.org
clickmesquite.org
clicknorman.org
clickodd.org
clickolathe.org
clicksalem.org
clickshy.org
clicksyracuse.org
clickwet.org
comasians.com
comchemicalsns.com
daily-basis.com
daletter.com
darksecurityscan.com
dateoncount.com
dbchalet.com
dnseasy.ru
dnsforwebuse.com
dns-good-you.com
dnshot.ru
dnssuperb.com
dnsundservice.com
dnsvip.ru
domainforuse.com
dowpolenas.org
dynamicip-dns.com
e48i.com
easysecurityscan.com
edsawake.org
edsawake.org
edsback.org
edsbang.org
edsbang.org
edsbeautiful.com
edsbent.com
edsbent.com
edsbid.com
edsblew.com
edscold.com
edsfull.com
edsfull.com
edswoken.org
emptywin.com
engduates.com
excellentdnshost.com
fastsapere.com
fastsofgeld.com
findacid.org
findaddition.org
findadvertisem.org
findalert.org
findangry.org
findattack.org
findawful.org
findbitter.org
findblow.org
findbrake.org
findbrave.org
findcaret.org
findchalk.org
findchance.org
findcheeks.org
findclumsy.org
findcolorful.org
findconsonant.org
findcopper.org
findcurly.org
finddamaged.org
finddistribution.org
finddrawer.org
finddriving.org
finddrop.org
findear.org
findearly.org
findears.org
findearth.org
findeast.org
findexperie.org
findeyes.org
findfertile.org
findfierce.org
findforeign.org
findforget.org
findfort.org
findforth.org
findharsh.org
findinexpensive.org
findinnocent.org
findjolly.org
findjoyous.org
findjuicy.org
findlate.org
findsister.org
findsize.org
findsky.org
findsour.org
findstage.org
findstart.org
findstation.org
findstem.org
findstep.org
findstitch.org
findstone.org
findstraight.org
findstrange.org
finduneven.org
findunsightly.org
findvoiceless.org
findwandering.org
findwet.org
findwicked.org
fixtracker.com
forumaccept.org
forumadd.org
forumadmire.org
forumadmit.org
forumadvise.org
forumafford.org
forumallow.org
forumamuse.org
forumanalyze.org
forumbusy.org
forumcalm.org
forumcold.org
forumcute.org
forumdamp.org
frailwin.com
frequentwin.com
gcocgle.com
goodworkdns.com
goodworkdns.com
googletrackgeo.com
hotmailbox.com
ibtable.com
ibtable.com
imageacid.org
imagebad.org
imagebent.org
imagefipe.org
imagelue.org
install-internet.com
ipbestdns.com
IpCodesNet.com
IpInternetExplorer.com
ipmagicnet.com
ipnetworklegal.com
ipsecurityuse.com
ip-tracing.com
IpWebDirectory.com
koxtable.com
lizamoon.com
m0o0.com
malineip.com
milapop.com
netlinksgo.com
networkdnstrust.com
nondeip.com
op0o.com
ottomip.com
ottomip.com
phlorip.com
pornootrada.com
portalkey.org
s0po.com
searchabout.org
searchact.org
searchadorable.org
searchadvice.org
searchaffect.org
searchafternoon.org
searchago.org
searchairplane.org
searchalaska.org
searchalice.org
searchalike.org
searchallow.org
searchaloud.org
searchalphabet.org
searchalready.org
searchalready.org
searchalso.org
searchalso.org
searchalthough.org
searcham.org
searchamount.org
searchamusement.org
searchand.org
searchangle.org
searchanimal.org
searchanswer.org
searchant.org
searchapparatus.org
searcharound.org
searcharrange.org
searcharrow.org
searchas.org
searchaside.org
searchask.org
searchasleep.org
searchaswe.org
searchat.org
searchate.org
searchatlantic.org
searchatmosphere.org
searchatom.org
searchatomic.org
searchattached.org
searchattention.org
searchbad.org
searchbase.org
searchbat.org
searchbattery.org
searchbattle.org
searchbegan.org
searchbeginning.org
searchbegun.org
searchbehavior.org
searchbehind.org
searchbet.org
searchbetsy.org
searchbeyond.org
searchbigger.org
searchbiggest.org
searchbilly.org
searchbirth.org
searchborn.org
searchbottle.org
searchbound.org
searchbow.org
searchbowl.org
searchbread.org
searchbreak.org
searchbreathe.org
searchbreathing.org
searchbreeze.org
searchbreeze.org
searchbrick.org
searchbrick.org
searchbrief.org
searchclumsy.com
searchcruel.org
searchdead.com
searchdear.org
searchdepressed.org
searchdrab.com
searchdrab.org
searchdull.com
searchelated.org
searchfertile.org
searchfindestablish.org
searchfindfix.org
searchfindfund.org
searchfoggy.org
searchgrieving.org
searchhuge.org
searchhumid.org
searchhushed.org
searchjewel.org
searchlarge.org
searchlazy.org
searchmany.org
searchmeat.org
searchmedical.org
searchmemory.org
searchmetal.org
searchmilk.org
searchminiature.org
searchmisty.org
searchmixed.org
searchmodern.org
searchnumber.org
searchodd.org
searchof.org
searchplant.org
searchrelieved.org
searchways.org
seardall.org
static-ipdns.com
t02j.com
tadygus.com
trafficjoyous.com
u98i.com
ultradnshost.com

Fake jobs: job-britain.com and job4america.com

Two new fake job domains that form part of this long-running series, job-britain.com and job4america.com are pushing fake job offers which will actually be illegal activities like money laundering.

These domains were registered just yesterday to a fake registrant called "Leonid Pravduk". Avoid.

If you have samples of the spam emails using these domains, please consider sharing them in the comments.

Thursday 7 July 2011

Fake jobs: westgroupcv.net, wug-cunsulting.net, wug-joblist.com and wugcv-offers.com

Four new domains forming part of the very long-running "Lapatasker" series of fake job offers:

westgroupcv.net
wug-cunsulting.net
wug-joblist.com
wugcv-offers.com


These job offers will typically involve illegal money mule operations and other fraudulent activities. Unless you enjoy jail time, they are best ignored.

If you have any example emails, please consider sharing them in the comments!

Tuesday 5 July 2011

Sapphire Town Real Estate (sapphiretown.com) suck

I don't normally post twice on one spammer, but the idiots at Sapphire Town Real Estate seem to have hit new levels of stupidity with this spam that they have now sent 283 times, apparently about 1% into a dictionary attack (so I can expect to see it 28,000 more times!)

If they are this stupid when it comes to doing business then I would advise giving them a wide berth.

Update: now 4386 times and counting!

Monday 4 July 2011

Sapphire Town Real Estate "Labour Camps" spam. Just add slaves.

This spam for labour camps was so important to the sender that they sent it 300 times (and counting). Just add slaves, I guess. And in jolly Comic Sans too! Originating IP is 86.96.226.150 in the UAE, all attempts at contacting their abuse department bounce. Classy.

From: Sapphire Town Real Estate stre@emirates.net.ae
Reply-To: info@sapphiretown.com
To: Redacted
Date: 4 July 2011 19:12
Subject: Labour Camps

Dear Valued Customer,
We offer a wide variety of labour camps for rent in ALMUHAISNAH 2nd (Sonapour), AL QUOZ, JEBEL ALI and DIP with your exact requirements and reasonable price.


Labour Camp in Al Quoz
Total Rooms               = 295
Supervisors Rooms     = 5
Kitchen                      = 7
Dining                        =7
Toilet                        =117
Showers                    =117
Parking for 14 buses and 25 cars
Price                 = AED 1,250 All Inclusive
Labour camp in Al Muhaisnah 2nd
Total Rooms      = 140
Kitchen              = 3
Dining                = 3
Showers            = 60
Toilets               = 60
Price                 = AED 1,200 All Inclusive

Labour Camp for Rent in DIP phase 1
Total Room          = 70
Kitchen & Dining =2
Toilet & Showers = 50
Price                 = AED 1,600 All Inclusive

Labour Camp for Rent in Jebel Ali Ind.3
Total Rooms             = 200
Kitchen & Dining      = 4
Toilets & Showers    = 160
TV, First Aid, Gym & Service Room
Price                 = AED 1,400 All Inclusive
  • Labour Camps & Warehouses for Sale.
  • Residential Building For sale in Bur Dubai.
If you have any questions or concerns, please email us directly stre@eim.ae Or call 050-3479984///04-2576603
This E-mail has been sent to you as a person interested in the information enclosed. If you have received this e-mail in error please notify the originator of the Email If you want your Email to be removed PLEASE reply to info@sapphiretown.com to ''Remove from list''. We sincerely apologize for the possible inconvenience. 

Sunday 3 July 2011

Fake jobs: europe-cv.net, gb-traffic.com and totaljoblists.net

A trio of domains being used to push fake jobs (such as money mule operations) and other illegal activities, part of this long running series. The domains were registered just yesterday.

europe-cv.net
gb-traffic.com
totaljoblists.net

Avoid any offers soliciting a reply to these domains. If you have an example spam email, please consider sharing it in the comments. Thanks!

Thursday 30 June 2011

Fake jobs: au-jobposition.com

Another domain being used to promote money laundering jobs or other criminal enterprises is au-jobposition.com which forms part of this long-running scam.

As usual, avoid. If you have any samples, please consider posting them in the comments section.

Tuesday 28 June 2011

Fake jobs: greece-joblist.com and italia-lavoro.net

A pair of domains offering fake money mule jobs or reshipping mule jobs, the greece-joblist.com and italia-lavoro.net domains seem to be targeting Italian and Greek victims and form part of this long running scam.

If you have any examples (especially non-English ones) please share them in the comments!

Sunday 26 June 2011

yahoolink.php / DreamHost hack

It appears that a lot of DreamHost (New Dream Network LLC) sites have been hacked with malicious pages added to them. The issue impacts multiple servers at different DreamHost datacenters. Some sample IPs with infected sites include:

67.205.1.63
67.205.3.51
67.205.3.230
69.163.168.135
69.163.169.247
69.163.181.205
69.163.184.86
75.119.217.8

Given that the hacked pages all contain the string yahoolink.php then it is possible that these attacks are using a PHP vulnerability. The pages are then promoted through spam email. You can simply (carefully) search for  "yahoolink.php" in your favourite search engine to see the scope of the problem.

People who click on the link get redirected through several steps:

vedrozhuk7.com
63.226.210.102
NETPOINT, Utah

(no domain)
188.229.90.71
Securvera SRL, Romania

www.medi-corp24-7.com
94.60.121.34
Cover Sun Design SRL, Romania

The endpoint appears to be a standard fake pharmacy site, I couldn't see any malicious code but that could always change.

With Romanians hosts I recommend a one-strike policy.. i.e. block the whole lot as soon as you come across a netblock with malicious activity. Unless you have business dealings with Romania, then any traffic to a Romanian host is likely to be malware or spam related. So in this case, blocking 188.229.90.0/23 and 94.60.120.0/22 will probably do no harm.

Thursday 23 June 2011

Peteris Sahurovs and Marina Maslobojeva arrested: Sagade hopefully busted

Another victory for the good guys, according to El Reg.
The Department of Justice and the FBI have cracked an international scareware ring believed to have scammed over $72m (£45m).

The gang screwed money out of more than a million victims. They installed software on their computers which falsely claimed to have detected viruses or malware. The gang then took payment for supposedly cleaning up the machines.

22-year-old Peteris Sahurovs and 23-year-old Marina Maslobojeva were arrested in Latvia on charges made in court in Minnesota. 
Although there are several bad hosts in Latvia, the one that really stands out is Sagade Ltd. And it looks very much as if Peteris Sahurovs worked for Sagade, his screen name on the internet was piotrek89 which was also the abuse address for the Sagade network.

Sagade seemed to be linked to a number of other Latvian outfits, so hopefully this will make a major dent in malicious activity from that country. Until it gets cleaned up though, Latvian netblocks should still be treated with suspicion.

The FBI have a press release about it here.

Fake job domains 23/6/11

Another day, another set of fake job domains forming part of this long-running scam. The domains were registered just two days ago to a presumably fictitious character called "Leonid Pravduk".

au-joblists.com
europ-joblist.com
gb-totaljob.com
uk-joblists.com
us-joblists.com


The "job" being offered is usually something like a money mule or taking part in a reshipping scam. In any case, the so-called job is illegal and should be avoided.

If you have a copy of a sample email, please share it in the comments section!

Wednesday 22 June 2011

Some malware sites to block

These domains are associated with the Win32/FakeRean "Fake anti-virus" trojan, and are worth blocking.


Domain IP
laxesepaweno.com 50.23.83.40
fugegewulevu.com 50.23.83.41
tepucazij.com 50.23.83.42
cuhucupivu.com 50.23.84.216
sirakapofeti.com 50.23.84.217
zenevakyfa.com 50.23.84.218
tuwynaropotit.com 50.23.193.236
cikipihigilani.com 50.23.193.237
pifajeniwyt.com 50.23.193.238
wumytaxuboly.com 50.23.200.56
tevisuwapucumu.com 76.73.85.251
jicylegavade.com 76.73.85.252
dolagomosu.com 85.17.239.191
bumucewafypevy.com 85.17.239.192
xaqygacatewuk.com 85.17.239.198
mysupigaqyme.com 173.193.196.178
zypomamuzosa.com 173.249.145.53
nylujusofo.com 173.249.145.54
qajivehucewupo.com 173.249.145.55
wyduzylys.com 174.36.220.136
vyqivaneh.com 174.36.220.136
litubibam.com 174.36.220.138
pykolujij.com 188.240.32.162
gyravatimak.com 188.240.32.163
dubacobimude.com 188.240.32.164
waliwetixybuk.com 204.45.41.82
tixirukemosa.com 204.45.41.83
sumuryvynuh.com 204.45.41.84
dazixydecamur.com
cadyfahirecyci.com
myfofeviqilo.com

The Comodo report for this bit of nastiness is here.

Tuesday 21 June 2011

"Federal Tax transfer rejected" malware

I've never paid taxes to the IRS and I don't intend to now..

From: Jeannette_Case@irs.gov
Date: 21 June 2011 11:16
Subject: Federal Tax transfer rejected

Your federal Tax payment (ID: 632869994691), recently from your checking account was canceled by the your Bank.

Canceled Tax transfer
Tax Transaction ID: 632869994691
Reason of rejection See details in the report below
FederalTax Transaction Report

tax_report_632869994691.pdf.exe (self-extracting
archive, Adobe PDF)

Internal Revenue Service, Metro Plex 1, 8401 Corporate Drive, Suite 300, Landover, MD  20785

The spam attempts (and fails) to download malware from uhkusrrthyjshjfd.cz.cc (89.208.149.215, Russia) via IRS-REPORTS-WEB-FILE-6856.INFO (parked at Godaddy). In my opinion, all .cz.cc domains are suspect and are worth blocking.

Update 28/9/11: a new version of this email is doing the rounds. This DOES successfully infect vulnerable machines, I will try to find more details.

Nokia N9. Beautiful but doomed.

I've always been a fan of big Nokias, especially the Communicator series. My collection includes a Nokia E90, Nokia 9500, Nokia 9110i, a Nokia 770 tablet and even the rare Nokia 7710 touchscreen phone.

So I should be pretty excited by the Nokia N9. Well, yes.. actually I am excited by the N9 which is Nokia's most powerful phone to date. There's a lovely big OLED screen, a relatively fast processor, lots of memory and the interesting looking MeeGo operating system as well.

But will I be buying one? Probably not. MeeGo is doomed. Nokia announced a switch to Windows earlier this year, but the MeeGo-powered N9 was already in development and is now official. However, it's quite likely that we won't see another MeeGo device from Nokia, leaving the N9 as an orphan. And an expensive orphan at that.

The N9 really should have been announced over a year ago to follow up from the N900, as it is it's a beautiful but ultimately doomed device.. which is quite sad. Perhaps there will be some bargain ones on eBay in the future though..

[Via]

Sunday 19 June 2011

Fake job domains 19/6/111

A whole batch of domains advertising fake jobs today (mostly money mule operations). These were are registered two days ago to the fictitious "Leonid Pravduk" registrant that we have seen recently, and form part of the very long running "Lapatasker" series of scam domains.

europe-hire.net
green-westeurope.com
hosting-europ.com
newgreen-europ.com
traffic-europ.com
us-totaljob.com
usa-totaljob.com


Avoid these, basically.. but if you do have a sample email, feel free to share it in the comments.

Friday 17 June 2011

Fake jobs: totaljob-eu.com

Another day, another fake job domain used for contacting potential money laundering mules, this time totaljob-eu.com which is a part of this long-running scam.

The domain was registered just yesterday to the new "Leonid Pravduk" persona that the scammers seem to be using. Avoid.

    Leonid Pravduk
    Email: leonpravduk@yahoo.com
    Organization: Leonid Pravduk
    Address: ul.Beregovaya 13-2
    City: Doneck
    State: Doneckaya
    ZIP: 83000
    Country: UA
    Phone: +3.80443582153 

Thursday 16 June 2011

SMS Spam: "You have still not claimed the compensation you are due.."

These mystery ambulance-chasing SMS spammers are at it again:
You have still not claimed the compensation you are due for the accident you had. To claim then pls reply CLAIM. To opt out text STOP
In this case the spam comes from +44749353036, but the spammers rotate numbers regularly as they get blacklisted.

If you get one of these, forward the message to 7726 ("SPAM") on T-Mobile, O2, Orange or Three. If you are a Vodafone customer, forward it to 87726 ("VSPAM"). Your carrier should be able to block the spammer's number and with enough evidence may be able to take action against them.

Update: 3's spam reporting number is 37726 (3SPAM). Thanks for the tip, Richard!

Fake jobs: cosulting-eu.com and espana-cvbase.com

Two more fake domains in the long-running "Lapatasker" series:

cosulting-eu.com
espana-cvbase.com

The registration details have changed (see below), but otherwise this is the same old attempt to recruit people for money laundering. Avoid.

Leonid Pravduk
    Email: leonpravduk@yahoo.com
    Organization: Leonid Pravduk
    Address: ul.Beregovaya 13-2
    City: Doneck
    State: Doneckaya
    ZIP: 83000
    Country: UA
    Phone: +3.80443582153 

Tuesday 14 June 2011

SMS Spam: "URGENT! If you took out a Bank Loan prior to 2007.."

This SMS spam is probably from the same bunch of scumbags who brought you this long-running ambulance chasing spam.

URGENT! If you took out a Bank Loan prior to 2007 then you are almost certainly entitled to £2300 in compensation. To claim text 'YES'. Free to apply.
In this case the SMS came from +447591233963, but the spammers vary these all the time to avoid getting blocked.(Update 28/9 they are now using +447968780878 and +447968766208. Update 30/9 and now +44798044443)

Since they don't honour TPS opt-outs, then they are probably not to be trusted.. whoever they are.

If you get one of these, forward the message to 7226 ("SPAM") on T-Mobile, O2 or Orange.. If you are a Vodafone customer, forward it to 87726 ("VSPAM"), on Three the number is 37726 ("3SPAM") Your carrier should be able to block the spammer's number and with enough evidence may be able to take action against them.

If you see any other telephone numbers for this, please consider letting us known through a Comment.

Fake jobs: usa-jobslist.com

Another addition to this long running scam, usa-jobslist.com is freshly registered and will be used to attempt to recruit people for money laundering and other illegal activities. Avoid.

Monday 13 June 2011

Fake jobs: gb-offerlist.com, high-webtraffic.com and traffic-dc.com

More fake job offers.. or at least more fake something from the crew behind the "Lapatasker" series of dodgy domains:

gb-offerlist.com
high-webtraffic.com
traffic-dc.com


The shift in domain names might mean a shift in tactics, but be assured that any solicitation you get from these email addresses will be a scam.

Thursday 9 June 2011

Fake jobs: europe-joblist.com

Another fake "Lapatasker" job offer domain, europe-joblist.com was registered just yesterday to "Aleksej Iliin".

The standard pitch is for a job that actually involves money laundering or some other criminal activity. Avoid.

Wednesday 8 June 2011

94.244.80.7 / bookpolo.com / booksolo.com / bookgusa.com injection attacks

The crew responsible for the LizaMoon and Worid-Of-Books.com are back with a new set of injection attacks, this time hosted on 94.244.80.7 in Lithuania.

The following domains are currently in use:
bookaros.com
bookarra.com
bookavio.com
bookdolo.com
bookfula.com
bookgusa.com
bookmonn.com
bookmono.com
bookmylo.com
booknunu.com
bookpolo.com
booksgou.com
booksoco.com
booksolo.com
booktuba.com
bookvila.com
bookvivi.com
bookvoxy.com
bookzoul.com
bookzula.com


Registrant details are familiar and fake:

JamesNorthone
   James Northone jamesnorthone@hotmailbox.com
   +1.5168222749 fax: +1.5168222749
   128 Lynn Court
   Plainview NY 1180
us

Injection attacks seem to be either trying to insert an anchor with the word "book" pointing to one of the bad sites, presumably as a "Worid of Books"-type SEO campaign, or alternatively they are using the ur.php approach the LizaMoon used.

The whole 94.244.64.0/18 block looks toxic and is worth blocking. I'll post more details on that when I get the time.

Tuesday 7 June 2011

Fake jobs: allconsult-eu.com, es-joblist.com and us-joblist.com

Another bunch of fake "Lapatasker" job offers, part of a long-running series. Jobs offered will including such illegal activities as money laundering and receiving stolen goods, so worth avoiding.

allconsult-eu.com
es-joblist.com
us-joblist.com

Contact details on the domain are probably fake ("Aleksej Iliin" again):

    Aleksej Iliin
    Email: abolan@mail.org
    Organization: Private person
    Address: Okruzhnaya ul. d.5 kv.4
    City: Moskva
    State: Moskovskaya obl.
    ZIP: 183124
    Country: RU
    Phone: +7.4959424617
    Fax: +7.4959424617

All domains were registered on 5th June.

Tuesday 31 May 2011

Liver Transplant spam

A weird one here.. somebody offering bits of their liver for sale. Of course it could be a scam, but it might even be genuine (which is perhaps more disconcerting). Originating IP address is 95.167.110.9 in Russia.

From: Alex alexsilpo@yahoo.com
Date: 30 May 2011 10:37
subject: Liver transplant.
   
Hello.
I found your e-mail adress on medical site of transplant and liver problems.
My name is Alex, I am 31 years european man, I never drank alcohol and did not smoke cigarettes, my blood is O+ and I have a good health. If you need liver transplant I am ready to give part of my liver, but I want to receive a big compensation for that...

If you do not need liver transplant, but you know somebody who need it, please send my message to this person or keep it just in case.

alexsilpo@yahoo.com
alexsilpo@hotmail.com
alexsilpoeu@yandex.ua


Alex

P.S. If I was mistaken, I am sorry, I will not disturb you any more.

Fake jobs: 1new-position.com, gb-hire.net, gb-jbprogramm.com, online-vacancy.net and us-vacancy.net

Another installment of this long-running job scam, the following domains are newly registered (2 days ago) and are most likely to be used to recruit people for money laundering and other criminal activities. Avoid.

1new-position.com
gb-hire.net
gb-jbprogramm.com
online-vacancy.net
us-vacancy.net

Domains are registered to the "Aleksej Iliin" persona that we have seen many times before.

Tuesday 24 May 2011

gb-offers.com bogusjob offers

Another domain offering bogus jobs in money laundering or other illegal activities is gb-offers.com, part of the long running "Lapatasker" series of scams. As with other recent domains, this too is registered to the (probably fake) "Aleksej Iliin" person.

Avoid.

Friday 20 May 2011

Fake jobs: au-position.org and europjob.org

Two new(ish) fake job domains in the "Lapatasker" series, au-position.org and europjob.org are being used to recruit money mules etc etc.

As usual, avoid.

Thursday 19 May 2011

Scam: "Your money has been recovered"

Originating from a government-owned IP address in China (218.26.2.42), this slightly puzzling advanced fee fraud is deliberately vague about where this $7.6m comes from.. of course, there are no millions stashed away in Hong Kong, but instead you can expect that there will be a LOT of expensive and unexpected fees to pay instead.

From: Mark Edwin admin@ssing.ru
Reply-To: intldeptreconcom@consultant.com
Date: 18 May 2011 01:50
Subject: Your money has been recovered (5/18/2011)

International Debt Recovery and Reconciliation Hong Kong
6/F,Trade Service Center  ,388 Kwun Road
Kowloon, Hong Kong


Tel: 852-3015-1834  Fax: 852-3015-1834


Dear  Beneficiary

                                                                        Re Payment instruction
This is international debt recovery and reconciliation office Hong Kong, our mandate is to settle all outstanding debt owe to contractors and individuals all over the world, thus this debt must have been originated from awarded contracts, inheritance and sweepstakes lottery, If you fall into this category of contractors, individual or lottery winners we advise that you contact this office immediately.We presently recover your $7.6 Million United States Dollars

The directive came in line with the agreement reached in New York U.S.A with the International Moneytary Fund -IMF, World Bank London and Paris Club on creditors and overseas credit Commission for immediate settlements of all Intercontinental debts owed to you by various countries.

1.      Date of Approval: 22-11-2010
2.      Revised Remittance: Not endorsed.
3.      Fund Endorsement payment code No AG-000087GXY-2F-PASS 2001-2010
4.      Date of issue 19-01-2011
5.      Bank Effect payment of beneficiary fund
6.      International  payment: Certifнcate Code No:Not Endorsed

On receipt of your a responds to this fax/email message, please contact our north America payment clearing center bellow.

George Donald
Foreign Affair Officer
Email:
Tel: 1-226-556-3307
Fax: 1-866 964 3856.

However, I will advise that   update this office on a regular bases


Best regards,

 MARK EDWIN
Regional Coordinator
International Credit Commission Hong Kong

Friday 13 May 2011

New Blogger logo

Google unveiled a new Blogger logo today to reflect their two day outage (another triumph for cloud computing).

Wednesday 11 May 2011

Fake jobs: first-weboffer.com, weboffers-tech.com, weboffers-tech.com and wug-tech.com

Another batch of domains offering non-existent jobs, part of the long-running "Lapatasker" series. The jobs will include money laundering and other criminal activity.. so probably best acoided.

As with other recent domains, these are registered to a probably fictitious person called Aleksej Iliin, the domains were registered on 10th May.

first-weboffer.com
weboffers-tech.com
weboffers-tech.com
wug-tech.com

Pinball Corporation RIP?

Pinball Corporation is a company that bought the remnants of Zango, a company that had a reputation for pushing slimeware. Last year I pointed out a case where Pinball Corp were clearly not keeping an eye on the actions of their affiliates, and other people have been critical of them too.

Well, there's potentially some good news.. because according to the Washington State Corporations Division, Pinball Corp became inactive on the 2nd May 2011.

PINBALL CORP.
UBI Number602918125
CategoryREG
Profit/NonprofitProfit
Active/InactiveInactive
State Of IncorporationDE
WA Filing Date09/02/2010
Expiration Date09/30/2011
Inactive Date05/02/2011
Registered Agent Information
Agent NameBUSINESS FILINGS INCORPORATED
Address1801 WEST BAY DR NW STE 206
CityOLYMPIA
StateWA
ZIP98502
Special Address Information
Address
City
State
Zip

Governing Persons
TitleNameAddress
President,TreasurerScott, JoelOne Market Plaza
Spear Tower Fl 19
SAN FRANCISCO, CA
SecretarySiefer, SerenaOne Market Plaza
Spear Tower Fl 19
SAN FRANCISCO, CA
DirectorChandratillake, Suranga3600 136th Pl SE
BELLEVUE, WA
DirectorService, Matthew3600 136th Pl SE
BELLEVUE, WA


Of note is that although the corporation appears to be inactive, the website at pinballcorp.com is still running and with no notice about the change of company status. Where Pinball Corp's affiliates stand is unknown, but given the deceptive business practices of a number of them, then I don't think too many people will be shedding a tear.

But why has the company apparently become inactive? It turns out that Pinball Corp is a wholly owned subsiduary of a UK firm called Blinkx plc, and the "inactive" date coincides almost exactly with Burst Media (for $30m). Perhaps Blinkx decided that Pinball Corp was no longer something that they wanted to have in their expanded portfolio?

Tuesday 10 May 2011

SMS Spam: £3750 for an accident you haven't had

There seems to be a huge number of these spam SMS messages doing the rounds recently:
Free Msg; Our records indicate you may be entitled to £3750 for the accident you had. To apply free reply CLAIM to this message. To opt out text STOP.
These message come through if you are registered on TPS or not. There is no identification as to who is sending them, and the number changes regularly (I have seen +447955957379, +447591260334, +447542067695, +44758137217, +447403811563, +447826688283, +447517528462). Sometimes the spam starts FREEMSG. Always the value seems to be £3750. It doesn't matter if you have had an accident or not.

If you are a Vodafone, O2 and Orange customer you can report the SMS spam to your provider: for Orange and O2 forward the message to 7726 (it spells SPAM) or on Vodafone is is 87726 (VSPAM). I have not been able to confirm, but T-Mobile and 3 may also accept forwarded messages to 7726 as well. The carriers should be able to block the spammers if they get enough reports, and take legal action where necessary.

Update: 3's spam reporting number is 37726 (3SPAM). Thanks for the tip, Richard!

Replying STOP is probably not a good idea - the spammers may well use it to confirm that the mobile number is active. And replying CLAIM is probably an even worse idea since they are a bunch of low-life spammers who probably cannot be trusted.

Sunday 8 May 2011

Fake "Lapatasker" job domains, 8/5/11

Another set of domains offering fake jobs via spam, the latest in this long running saga. The domains were registered on 6th May.


first-euro.com
it-hire.com
newgreen-europe.com
newgreen-tech.com
usa-worldoffer.com
world-hire.net


The probably fake registrant details still use the "Aleksej Iliin" alias that we have seen previously.

Jobs offered will most likely include the usual mix of money laundering and other fraudulent activities. Avoid.

Wednesday 4 May 2011

Fake jobs: new-wughire.com and 1st-consult.com

Two more fake domains being used in the "Lapatasker" series of bogus job offers, registered on 3rd May 2011:

new-wughire.com
1st-consult.com

The (probably fake) WHOIS details point to a familiar alias:

    Aleksej Iliin
    Email: abolan@mail.org
    Organization: Private person
    Address: Okruzhnaya ul. d.5 kv.4
    City: Moskva
    State: Moskovskaya obl.
    ZIP: 183124
    Country: RU
    Phone: +7.4959424617
    Fax: +7.4959424617

Friday 29 April 2011

Fake jobs: wug-newhire.com and wug-consulting.net

Two more fake "Lapatasker" domains, registered on 27/4/11 but otherwise the same as these.

wug-consulting.net
wug-newhire.com

These will no doubt be used to push money laundering "jobs" and the like, avoid.

Thursday 28 April 2011

infernomag.com / gtracking.org nastiness

Some sort of .htaccess hack is going on, redirecting users to infernomag.com and then on to a malicious site that looks like it's downloading a Zbot variant. It only seems to work with Internet Explorer, and only when the page is accessed from a search engine (like Google). infernomag.com is hosted on 85.17.132.194 (Leaseweb) which is the same server as gtracking.org which alters the .htaccess file as described here.

infernomag.com then redirects users to one of at least two Leaseweb-hosted servers at 85.17.19.201 and 85.17.19.203 (possibly others). These servers have a number of domains on them that appear to belong to legitimate domains registered at GoDaddy by (mostly) UK users - it is likely that their domain control panels have been compromised. Examples are:

actually2.weddingphotographersurrey.net
amount9.gwdempseyjr.com
are5.gwdempseyjr.com
background1.photographbcn.com
brought0.gwdempseyjr.com
captain5.photographbcn.com
captain6.gwdempseyjr.com
charge7.photographbcn.com
signal6.photographbcn.com
completely8.gwdempseyjr.com
congress1.airduct-ventcleaning-mn.com
hard9.photographbcn.com
leading1.airduct-ventcleaning-mn.com
party4.gwdempseyjr.com
providence5.gwdempseyjr.com
safe1.gwdempseyjr.com
she1.weddingphotographerkent.net
tax6.weddingphotographersurrey.net
theory7.weddingphotographerkent.net
am1.theimperialsuspects.com
area6.bettyjaneware.com
belief7.theimperialsuspects.com
contact2.theimperialsuspects.com
cultural5.boneki.com
direct2.theimperialsuspects.com
enemy2.theimperialsuspects.com
baby3.trycue.com
liberal6.trycue.com
most0.ladyofvirtuestore.com
professional0.ladyofvirtuestore.com

Two domains on those servers that do not fit the pattern are:
gfaster.net
fortreecom.net

The WHOIS details are probably fake, for infernomag.com and gtracking.org they are:

   Felix Maurer
   sherman66@ymail.com
   Waldowstr. 61
   Gschwend   Gschwend
   74417   DE
   +49 98466101

fortreecom.net uses the same email address but a different name:

    Bernd Austerlit        (sherman66@ymail.com)
    Alt Reinickendorf 94
    Ziemetshausen
    Bayern,86471
    DE
    Tel. +82.84991251

Detection rates are rubbish. AntiVir detects the payload as TR/Dropper.Gen, BitDefender as Gen:Variant.Zbot.34, Ikarus as Trojan.Win32.Pirminay and Sophos as Mal/Ponmocup-A. Other products do not seem to detect anything at all.

Blocking those IPs of 85.17.132.194, 85.17.19.201 and 85.17.19.203 is safer than trying to block the domains. Blocking the whole /24s instead would probably cause very little inconvenience.

Fake "Lapatasker" job domains 28/4/11

This particular scam has been around for a couple of years and is so common now that I've christened this group of scam domains "Lapatasker" after the email address used in some of the older WHOIS details.


New domains for this scam (all registered on 26/4/11) are:

1job-europ.com
consult-europ.com
middle-consult.com
westconsult-eu.com

The (probably fake) contact details on the domains are:

    Vilechka Pelka
    Email: rewerta12@yahoo.com
    Organization: Nord Atlantic.
    Address: 15 Av Albert Ier 143
    City: Braine l'Alleud
    State: Braine l'Alleud
    ZIP: 1420
    Country: BE
    Phone: +3.3223874153
    Fax: +3.3223874152

As ever, avoid.

Tuesday 26 April 2011

Some German scam sites

These are allegedly German companies, but:
  • They are all very recently registered (4th and 17th April 2011)
  • The registrar is in China (BIZCN.COM)
  • The web host is in Romania
  • In each case a Yahoo email address has been used
The host is "Enter Net Team" / "Power Host" in Romania. Blocking 86.55.96.0/23 is a quick win if you can do it.

blocher-finance.com
dxxm-group.com
eg-finanzen.com
eseira-finanzen.com
eseira-gruppe.com
esse-gruppe.com
fil-finanzen.com
frost-finanzen.com
geissler-finance.com
geld-group.com
genser-group.com
grueneberg-and-partners.com
hanza-gruppe.com
hod-group.com
horst-finanzen.com
jix-finance.com
koeppl-finanzen.com
krenosz-finance.com
nitte-gruppe.com
nogl-group.com
pius-group.com
puemmler-and-partners.com
schem-group.com
somex-gruppe.com
temi-group.com
volkse-finanzen.com
wedi-group.com
werx-finanzen.com
werx-gruppe.com
wolgast-and-partners.com

More details:
jix-finance.com
86.55.96.11
Guenter Frost guenterfrost@yahoo.com
+49.1745053607 fax: +49.1745053607
Frauenlobstr.32
Berlin Berlin 12437
de

frost-finanzen.com
86.55.96.13
Georgios Mavridis georgiosmavridis50@yahoo.com
+49.1773305251 fax: +49.1773305251
Gerolsteiner Str. 119
Cologne Nordrhein-Westfalen 50937
de

puemmler-and-partners.com
86.55.96.15
Tanja Geissler geisslertanja@yahoo.com
+49.1776444216 fax: +49.1776444216
Lindenstr.38
Kreuzau Nordrhein-Westfalen 52372
de

eseira-finanzen.com
86.55.96.17
Christos Papachristou papachristou.christos@yahoo.com
+49.15202603534 fax: +49.15202603534
Haubersbronnerstr. 6
Urbach Thueringen 73660
de

wolgast-and-partners.com
86.55.96.19
Mike Grueneberg gruenebergmike@yahoo.com
+49.15223628764 fax: +49.15223628764
Walter friedrich str.56
Berlin Berlin 13125
de

somex-gruppe.com
86.55.96.21
Heidrun Lorenz heidrunlorenz@yahoo.com
+49.16099222185 fax: +49.16099222185
Flutgrabenweg 1a
Neumarkt Bayern 92318
de

schem-group.com
86.55.96.23
Ludwig Detlef ludwigdetlef@ymail.com
+49.15203113478 fax: +49.15203113478
Kalk-Muelheimerstr.210
Koeln Nordrhein-Westfalen 51103
de

werx-finanzen.com
86.55.96.25
Daniel Koeppl daniel.koeppl@yahoo.com
+49.15111521688 fax: +49.15111521688
Reinhardsleiten 8
Pielenhofen Bayern 93188
de

nitte-gruppe.com
86.55.96.27
Hans Mausolff hansmausolff@yahoo.com
+49.17649615986 fax: +49.17649615986
Potsdamer Str. 41
Berlin Berlin 14163
de

eseira-gruppe.com
86.55.96.29
Juliane Mausolff julianemausolff@yahoo.com
+49.3031808844 fax: +49.3031808844
Potsdamer Str. 41
Berlin Berlin 14163
de

hanza-gruppe.com
86.55.96.31
Denis Wolgast deniswolgast@yahoo.com
+49.16098119639 fax: +49.16098119639
Am Heidberg 34
Henstedt-Ulzburg Schleswig-Holstein 24558
de

nogl-group.com
86.55.96.33
Lena Puemmler lenapuemmler@yahoo.com
+49.17663727804 fax: +49.17663727804
Neuer Kamp 2
Drebber Niedersachsen 49457
de

dxxm-group.com
86.55.96.35
Bianka Sturhahn biankasturhahn@ymail.com
+49.1723276172 fax: +49.1723276172
Plass 3
Doerentrup Nordrhein-Westfalen 32694
de

geld-group.com
86.55.96.37
Frank Swoboda polskeswine@yahoo.com
+49.15776817588 fax: +49.15776817588
Otto-Hahn-Str. 7a
Alsdorf Nordrhein-Westfalen 52477
de

krenosz-finance.com
86.55.96.39
Olaf Sedello olafsedello@yahoo.com
+49.2254847434 fax: +49.2254847434
Triftstrasse 42
Weilerswist Nordrhein-Westfalen 53919
de

werx-gruppe.com
86.55.96.41
Andreas Kubasik andreaskubasik@ymail.com
+49.15229234145 fax: +49.15229234145
Gartenstrasse 24a
Pleinfeld Bayern 91785
de

grueneberg-and-partners.com
86.55.96.43
Josef Schedlbauer josefschedlbauer@yahoo.com
+49.1712755823 fax: +49.1712755823
Bergstrasse 21a
Regen Bayern 94209
de

geissler-finance.com
86.55.96.45
Vadim Kruglov vadimkruglov@rocketmail.com
+49.1629098777 fax: +49.1629098777
Schuetzenstrasse 23
Friesoythe Niedersachsen 26169
de

esse-gruppe.com
86.55.96.47
Gerhard Krenosz gerhardkrenosz@yahoo.com
+49.21117806832 fax: +49.21117806832
Ludolf Strasse 15
Duesseldorf Nordrhein-Westfalen 40597
de

koeppl-finanzen.com
86.55.96.49
Holm Mrazek holmmrazek@yahoo.com
+49.17685370230 fax: +49.17685370230
Sonnenstrasse 222
Dortmund Nordrhein-Westfalen 44137
de

hod-group.com
86.55.96.51
Gisela Huber ghuber56@yahoo.com
+49.17666649956 fax: +49.17666649956
Althoehensteigstr. 7
Stephanskirchen Hessen 83071
de

volkse-finanzen.com
86.55.96.53
Denis Goertz denis.goertz@yahoo.com
+49.1639836914 fax: +49.1639836914
hochstr. 61
Nettetal Lobberich Sachsenanhalt 41334
de

blocher-finance.com
86.55.96.55
Helmut Koenig koenighelmut@yahoo.com
+49.1733201046 fax: +49.1733201046
Oberhofer Str. 26
Zella-Mehlis Thuringen 98544
de

fil-finanzen.com
86.55.96.57
Bernecker Josef berneckerjosef@yahoo.com
+49.9422859853 fax: +49.9422859853
Stadtplatz 42
Bogen Bayern 94327
de

eg-finanzen.com
86.55.96.59
Pius Walleser walleser32@yahoo.com
+49.1754218358 fax: +49.1754218358
Kesslerstrasse 5
Breisach Sachsen-Anhalt 79206
de

temi-group.com
86.55.96.61
Horst Werner woerner963@yahoo.com
+49.1728189733 fax: +49.1728189733
Rilkestrasse 3
Bad Schussenried Rheinland-Pfalz 88427
de

horst-finanzen.com
86.55.96.63
Kai Hermann hkaihermann@yahoo.com
+49.9942808801 fax: +49.9942808801
Tafertsbergstrasse 12
Prackenbach Rheinland-Pfalz 94267
de

wedi-group.com
86.55.96.65
Joseph Bauer bauer.joseph81@yahoo.com
+49.8555941395 fax: +49.8555941395
Hofaecker 4
Grafenau Hamburg 94481
de

pius-group.com
86.55.96.67
Daniela Habermann habermann_d@yahoo.com
+49.17694209180 fax: +49.17694209180
tecklenburgerstrasse 29
Ladbergen Bayern 49549
de

genser-group.com
86.55.96.69
Armin Blocher arminblocher@rocketmail.com
+49.02771801325 fax: +49.02771801325
Langgasse 1
Dillenburg Niedersachsen 35685
de