
Thursday, 22 September 2011

Fake jobs: totaljob-us.com

Another fake job offer, part of this long-running series of spam/scam emails.

From: Spam Victim
Sent: 21 September 2011 20:18
To: Spam Victim
Subject: Current Vacancy

Urgent!

We are looking for trustworthy staff for long-term work in the finance section.
Students, housewives etc...
can also get a job with the company; the job does not take much time, but requires a great deal of responsibility.

This is not marketing! Or anything like it.
We work with more than 10 countries around the world to make our transfers.
The company handles local and international money transfers.

Please send your personal details to the email address: Ana@totaljob-us.com

Leave your mobile phone number so that our operator can contact you.

Awaiting your CVs, Ana Sykes

The email appears to come "from" the spam victim (here's why). The domain was registered just yesterday to an "Alexey Kernel" at a fake address in the Ukraine.

Some other "reply to" addresses are:
Casandro@totaljob-us.com
Gad@totaljob-us.com
Prospero@totaljob-us.com
Martirio@totaljob-us.com
Guy@totaljob-us.com
Melvis@totaljob-us.com
Muneca@totaljob-us.com

Subjects include "Current Vacancy", "Job Offer - Flexible Hours", "Get a New Job Today", "Current Open Position", "Administrative Assistant Vacancy" and "Employment Opportunity". Oddly, the subject is in English even though the body of the original message is in Spanish.

The jobs offered will be money laundering and other illegal activities. If you have any samples that are different, please consider sharing them in the Comments. Thanks!

Wednesday, 21 September 2011

dossier-ua.com Joe Job

dossier-ua.com is a site that is critical of politics in the Ukraine, and names several individuals and governmental bodies in connection with alleged wrongdoing.

Obviously, they have upset somebody because there is currently a Joe Job campaign against the site, presumably in an attempt to have the site shut down:

Subject: {Snuff filmes|Snuff films}
From: david -at- davidbreach.co.uk
Reply-To: dossieruacom -at- gmail.com

{Hi!|Hello!|Good day!}
You can {see|watch|download} child {pron|porn} and snuff {filmes|films} now for free and without registration.
Just email us what do you want to see (child {pron|porn} or some snuff {filmes|films}) and we will
send you back what did you ordered. Only hardcore cam murders, children fukcing,
awesome bloody maniacs and vrigins may brind you a lot of brillian hours! This is
happened in reality and no any montage so be the one who seen this!

http://dossier-ua.com/?p=852

Contact us to pay for pron:
politblok -at- gmail.com

In this case, the email came from a server called davidbreach.co.uk, a wholly legitimate domain that appears to have been hacked, hosted at Node 4 in the UK. The mail originates from 93.174.141.52 (also Node 4). An examination of the mail headers indicates that it may originally have come from 151.16.60.68, an IP address in Milan, probably a compromised PC.

Dossier-ua.com is a political blog. There is no evidence at all that it is involved in distributing pornography or illegal material. If you receive an email of this nature, you should report it to the abuse address of the sender's IP; it is probably not worth bothering dossier-ua.com's web host.

Evil network: RONET / ro-net.eu (91.229.90.0/23)

RONET (aka. ro-net.eu) seems to be a new netblock occupying the 91.229.90.0/23 (91.229.90.0 - 91.229.91.255) range. This block has several sites recently moved from Netserv Consult SRL (who have a very bad reputation), all of which appear to be involved in criminal activity.

Although the number of sites is very low at present (just 30), the use of a /23 block indicates that perhaps it will be used for more sites very soon. Blocking 91.229.90.0/23 pre-emptively would probably be an excellent idea.

Here are some examples of evilness:

bywordelectronics.com [91.229.90.11]
Money mule scam / fake jobs [1] [2] [3] [4]

admagnet1.com [91.229.90.35]
Malware distribution [5] [6] [7]

eyebluster-sv1.com [91.229.90.37]
Malware distribution [8]  [9]

Other domains are registered with fake WHOIS details, which is never a good sign.

The 91.229.90.0/23 range is registered to:

inetnum:         91.229.90.0 - 91.229.91.255
netname:         RONET
descr:           FOP Varovaev Leonid Gennadevich
country:         EU
org:             ORG-VARO1-RIPE
admin-c:         AV6418-RIPE
tech-c:          AV6418-RIPE
status:          ASSIGNED PI
mnt-by:          RIPE-NCC-END-MNT
mnt-lower:       RIPE-NCC-END-MNT
mnt-by:          VAROVAEV-MNT
mnt-routes:      VAROVAEV-MNT
mnt-domains:     VAROVAEV-MNT
source:          RIPE # Filtered

organisation:    ORG-VARO1-RIPE
org-name:        FOP Varovaev Leonid Gennadevich
org-type:        OTHER
address:         H-1120 Budapest,  Street Gabor Denes, 4, Hungary
mnt-ref:         VAROVAEV-MNT
mnt-by:          VAROVAEV-MNT
source:          RIPE # Filtered

person:          Anton Varnai
address:         H-1120 Budapest
address:         Street Gabor Denes, 4
address:         Hungary
abuse-mailbox:   abuse@ro-net.eu
phone:           +3614585544
nic-hdl:         AV6418-RIPE
mnt-by:          VAROVAEV-MNT
source:          RIPE # Filtered

% Information related to '91.229.90.0/23AS6753'

route:           91.229.90.0/23
descr:           RONET
origin:          AS6753
mnt-by:          VAROVAEV-MNT
source:          RIPE # Filtered

Of note is the fact that ro-net.eu was only registered two weeks ago with anonymous registration details. Also, note that although the address is in Hungary, the RONET name would indicate that it still has a ROmanian connection.

Another oddity is that the network announces itself as part of AS17088 which is allocated to Currenex, Inc. There seems to be no connection at all between Currenex, Inc and RONET, so perhaps this is an error or some kind of forgery.
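As an added example (not from the original post), the following Python parses the RIPE objects quoted above into a lookup table and applies the cross-check the paragraph describes: the origin AS recorded in the route object against the AS actually seen announcing the prefix. The whois text is the RONET data from the post; the observed origin (AS17088) is the value the post reports and is passed in as a parameter rather than looked up.

```python
"""Parse the RIPE whois objects quoted above and cross-check the route origin.

Added example, not from the original post. RIPE_TEXT is the RONET data quoted
in the post; the observed origin (AS17088) is passed in, not fetched.
"""
import ipaddress
from typing import Dict, List

RIPE_TEXT = """\
inetnum:         91.229.90.0 - 91.229.91.255
netname:         RONET
descr:           FOP Varovaev Leonid Gennadevich
country:         EU
org:             ORG-VARO1-RIPE
admin-c:         AV6418-RIPE
tech-c:          AV6418-RIPE
status:          ASSIGNED PI
mnt-by:          RIPE-NCC-END-MNT
mnt-by:          VAROVAEV-MNT
source:          RIPE # Filtered

person:          Anton Varnai
address:         H-1120 Budapest
address:         Street Gabor Denes, 4
abuse-mailbox:   abuse@ro-net.eu
nic-hdl:         AV6418-RIPE
mnt-by:          VAROVAEV-MNT
source:          RIPE # Filtered

% Information related to '91.229.90.0/23AS6753'

route:           91.229.90.0/23
descr:           RONET
origin:          AS6753
mnt-by:          VAROVAEV-MNT
source:          RIPE # Filtered
"""

RpslObject = Dict[str, List[str]]


def parse_rpsl(text: str) -> List[RpslObject]:
    """Split whois output into objects (separated by blank lines).
    Values of repeated attributes (mnt-by, address, ...) are kept in order;
    '%' server comments and trailing '# Filtered' remarks are dropped."""
    objects: List[RpslObject] = []
    current: RpslObject = {}
    for line in text.splitlines():
        if line.startswith("%"):
            continue
        if not line.strip():
            if current:
                objects.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")
        current.setdefault(key.strip(), []).append(value.split("#", 1)[0].strip())
    if current:
        objects.append(current)
    return objects


def inetnum_network(rng: str) -> ipaddress.IPv4Network:
    """'91.229.90.0 - 91.229.91.255' -> 91.229.90.0/23 (must be one CIDR block)."""
    start, end = (ipaddress.ip_address(p.strip()) for p in rng.split("-"))
    nets = list(ipaddress.summarize_address_range(start, end))
    if len(nets) != 1:
        raise ValueError(f"{rng} is not a single CIDR block")
    return nets[0]


def describe(objects: List[RpslObject], ip: str) -> Dict[str, object]:
    """Netname, maintainers, abuse contact and registered origin for one IP.
    The abuse mailbox is taken from the person object named as admin-c."""
    addr = ipaddress.ip_address(ip)
    by_handle = {o["nic-hdl"][0]: o for o in objects if "nic-hdl" in o}
    info: Dict[str, object] = {}
    for obj in objects:
        if "inetnum" in obj and addr in inetnum_network(obj["inetnum"][0]):
            info["network"] = str(inetnum_network(obj["inetnum"][0]))
            info["netname"] = obj["netname"][0]
            info["maintainers"] = obj.get("mnt-by", [])
            contact = by_handle.get(obj.get("admin-c", [""])[0], {})
            info["abuse"] = contact.get("abuse-mailbox", [None])[0]
        elif "route" in obj and addr in ipaddress.ip_network(obj["route"][0]):
            info["registered_origin"] = obj["origin"][0]
    return info


def origin_mismatch(info: Dict[str, object], observed_origin: str) -> bool:
    """True when the route object's origin differs from the AS actually seen
    announcing the prefix, as the post reports for RONET (AS6753 vs AS17088)."""
    registered = str(info.get("registered_origin", "")).upper()
    return registered != observed_origin.upper()


if __name__ == "__main__":
    info = describe(parse_rpsl(RIPE_TEXT), "91.229.90.11")
    print(info)
    print("origin mismatch:", origin_mismatch(info, "AS17088"))
```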

You can find a full list of domains and MyWOT ratings in this CSV file. Alternatively, the currently hosted domains are listed below.


Monday, 19 September 2011

Evil network: Alexey Klimenko / UAHOSTER-NET / uahoster.org / GreatHost-ALTNET, AS41390 (91.217.153.0/24)

This sordid little corner of the internet came up while investigating some SpyEye C&C servers on 91.217.153.110:

webchoke.com
webdisar.com
webdecay.com
webawoke.com

These servers sit in a netblock of 91.217.153.0/24 (91.217.153.0 - 91.217.153.255) and form part of AS41390 (more of which later). The contact details for the block are:

inetnum:        91.217.153.0 - 91.217.153.255
netname:        UAHOSTER-NET
descr:          PP Alexey Klimenko
country:        UA
org:            ORG-PAK5-RIPE
admin-c:        AK6545-RIPE
tech-c:         AK6545-RIPE
status:         ASSIGNED PI
mnt-by:         RIPE-NCC-END-MNT
mnt-by:         ROWER-MNT
mnt-lower:      RIPE-NCC-END-MNT
mnt-routes:     ROWER-MNT
mnt-domains:    ROWER-MNT
source:         RIPE #Filtered

organisation:   ORG-PAK5-RIPE
org-name:       PP Alexey Klimenko
org-type:       OTHER
address:        Ukraine, Sevastopol,
address:        Heroev Sevastopola 21-10
phone:          +380994015332
abuse-mailbox:  abuse@uahoster.org
mnt-ref:        ROWER-MNT
mnt-by:         ROWER-MNT
source:         RIPE #Filtered

person:         Alexey Klimenko
address:        Ukraine, Sevastopol,
address:        Heroev Sevastopola 21-10
phone:          +380994015332
nic-hdl:        AK6545-RIPE
mnt-by:         ROWER-MNT
source:         RIPE #Filtered

route:          91.217.153.0/24
descr:          GreatHost-ALTNET
origin:         AS41390
mnt-by:         ROWER-MNT
source:         RIPE #Filtered

These details largely match those on the domain uahoster.org, which is itself hosted in the same range.

An examination of the sites on 91.217.153.0/24 shows a high proportion of malware, work-at-home scams, money mule operations, phishing (especially for VKontakte credentials), fake prescription sites and dubious pay-per-install schemes. Just about the only sites that don't fit into these categories are porn sites. There seems to be nothing worth visiting in this range, so blocking 91.217.153.0/24 is probably a good idea.

A list of sites can be found at the end of this post; alternatively, you can download a list with IP addresses and myWOT ratings from here [csv].

91.217.153.0/24 resides in AS41390, which appears to consist of three loosely connected blocks:

91.217.153.0/24   GreatHost-ALTNET
194.247.48.0/24   WorkStone-AltNET
195.3.144.0/22    RN DATA DC

Usually, all the networks in an AS belong to the same company. In this case two of them say "Altnet". In fact, we came across Altnet and AS41390 last year when they were hosting crap on the 195.3.144.0/22 range. They seem to have changed their name since then, and the new "RN DATA DC" block does seem largely clean. Altnet are (or were) a colo, so perhaps the "GreatHost" block is in one of their datacenters.

This is what Google thinks of AS41390:

Safe Browsing
Diagnostic page for AS41390 (RN)

What happened when Google visited sites hosted on this network?

    Of the 180 site(s) we tested on this network over the past 90 days, 4 site(s), including, for example, fusker.lv/, claw429.ltd.ua/, airline-promo.com/, served content that resulted in malicious software being downloaded and installed without user consent.

    The last time Google tested a site on this network was on 2011-09-18, and the last time suspicious content was found was on 2011-09-18.

Has this network hosted sites acting as intermediaries for further malware distribution?

    Over the past 90 days, we found 4 site(s) on this network, including, for example, filesd.in/, bradpittfanclub.org/, rotatobanner.com/, that appeared to function as intermediaries for the infection of 57 other site(s) including, for example, healthcarevolunteer.com/, aratilis.org/, thejourneyonline.org/.

Has this network hosted sites that have distributed malware?

    Yes, this network has hosted sites that have distributed malicious software in the past 90 days. We found 37 site(s), including, for example, cokk87.com/, chairframeede.com/, filesd.in/, that infected 668 other site(s), including, for example, imevial.cl/, daum.net/, cinemundo.cl/.

SiteVet's prognosis is also not very good. It has to be said though that the bulk of the bad activity is in the 256 IPs (and less than 200 sites) in the 91.217.153.0/24 range. Blocking access to 91.217.153.0/24 will probably be sufficient, or if you block by domains only then use the following list:


Saturday, 17 September 2011

Fake jobs: careers-consult.com, europe-career.com and usa-newcareer.com

Three new domains used to advertise bogus jobs (which will actually be money laundering or other criminal activities):

careers-consult.com
europe-career.com
usa-newcareer.com

The approach is the same as the domains registered two days ago, and indeed this has been going on for several years. The spam may appear to come from your own email address (here's why).

If you have any sample emails using this domain to solicit replies, please consider sharing them in the Comments. Thanks!

Thursday, 15 September 2011

Fake jobs: ca-jobcareer.com, uk-jobcareer.com and usa-jobcareer.com

Three new domains offering fake jobs, targeting US, UK and Canadian victims:

ca-jobcareer.com
uk-jobcareer.com
usa-jobcareer.com

The "jobs" on offer are typically money laundering and other illegal activities, and form part of this long-running scam. The emails may appear to have been sent from your own account (here's why).

The domains were registered two days ago to "Alexey Kernel" in Kiev, although this is probably a fake name and address.

If you have samples of spam emails using these domains, please consider sharing them in the comments. Thanks!

Wednesday, 14 September 2011

Some fake Bundeskriminalamt and Bundespolizei sites

Here are some more fake sites pretending to be the Bundeskriminalamt and Bundespolizei (agencies of the German Federal Police) which are probably worth blocking, following on from these.

193.105.240.204 [Sia Vps Hosting, Latvia]
bundespolizei-de.net
bundespolizei-de.org
bundespolizei-online.com
dpolg-bundespolizei.org
inter-bundeskriminalamt.org

77.87.229.14 [Invalid pointer to bundespolizei.de]
inter-bundeskriminalamt.eu
dpolg-bundespolizei.org [also on 193.105.240.204]
inter-bundeskriminalamt.org [also on 193.105.240.204]

211.154.153.49 [China Motion Network Communication]
agentbundeskriminalamt.net
bundeskriminalamtde.net
onlinebundeskriminalamt.net
torrentbundeskriminalamt.net

Note that 77.87.229.14 is actually the real IP for bundespolizei.de, but the scammers are pointing their DNS records to it, presumably to cause confusion.

You can safely block access to 193.105.240.0/24 (Sia VPS) without much fear of losing anything important. The Chinese netblock is more mixed, but blocking at least 211.154.153.49 might be a good idea if you are in Germany.

Injection attack: malavasso.com, migraviro.com and montenegrorio.com

Three more domains being used in injection attacks today:

malavasso.com
migraviro.com
montenegrorio.com

The payload is the Sinowal trojan. Malicious software is hosted on 95.64.45.43, which belongs to the well-known and very dark grey hat host Netserv Consult SRL of Romania. Blocking 95.64.0.0/17 (95.64.0.0 - 95.64.127.255) will probably do no harm.

The (possibly fake) registrant for these domains is:
Registrant Contact:
   Xicheng Co.
   Zhong Si Zhongguancun@yahoo.com
   01066569215 fax: 01066549216
   Huixindongjie 15  2
   Beijing Chaoyang 101402
   cn

Administrative Contact:
   Zhong Si Zhongguancun@yahoo.com
   01066569215 fax: 01066549216
   Huixindongjie 15  2
   Beijing Chaoyang 101402
   cn

Technical Contact:
   Zhong Si Zhongguancun@yahoo.com
   01066569215 fax: 01066549216
   Huixindongjie 15  2
   Beijing Chaoyang 101402
   cn

Billing Contact:
   Zhong Si Zhongguancun@yahoo.com
   01066569215 fax: 01066549216
   Huixindongjie 15  2
   Beijing Chaoyang 101402
   cn

bundespol.com is not the Bundespolizei

Another fake Bundespolizei today: bundespol.com is registered through a Chinese registrar and then anonymised through a Chinese WHOIS privacy service.

The site doesn't resolve yet, but it is almost identical to bundespol.net which is fingered in this attack. In that case, the fake Bundespolizei site was hosted on 188.229.97.2 which is Netserv Consult SRL in Romania (incidentally, blocking 188.229.0.0/17 will probably do you no harm).

There's a whole bunch of fake Bundespolizei at the moment, but I'm guessing that this particular bunch of scammers may well try the same thing in other countries very soon.

Tuesday, 13 September 2011

Fake banks on 88.191.36.45

88.191.36.45 [Proxad, France] is hosting a series of fake banking domains, one of which is detailed by F-Secure. The domains target Finnish and Spanish banks.

The following sites appear to be hosted on that IP:

bbva-es.com
nordea-vf.com
nordeasfi.com
nordea-if.com
nordea-fis.com
osuuspankki-fi.com

Some sites might use the following subdomains: kultaraha, solo1, solo2, www and xxx.

The (fake) registrant details are:
  Admin Name........... Arthur Williams
  Admin Address........ lake tarson 41
  Admin Address........
  Admin Address........ new york city
  Admin Address........ 90121
  Admin Address........ NY
  Admin Address........ UNITED STATES
  Admin Email.......... sir.arthur999@hotmail.com
  Admin Phone.......... +1.802716100

Blocking access to 88.191.36.45 would probably be a good idea if you have Spanish or Finnish users.

Injection attack: cbchhuacyus.com, ibccmsuiyus.com and wbccmquwyus.com

There is currently a Sinowal injection attack doing the rounds, redirecting traffic to the following domains on 46.165.192.97:

cbchhuacyus.com
ibccmsuiyus.com
wbccmquwyus.com

There may well be other domains on the same server, so blocking traffic to 46.165.192.97 would probably be prudent. The payload is being analysed (I will post an update later), but detection rates are not good.

Fake "internationalservicecheck.com" email

International Service Check (internationalservicecheck.com) is a legitimate mystery shopping company based in Germany. This email claims to come from International Service Check, but does not and it will be some sort of mystery shopping scam instead.

From: INTERNATIONAL SERVICE CHECK / Multisearch GmbH <shopping@internationalservicecheck.com>
Subject: Application for New Mystery Shoppers.
Date: 12 Sep 2011 17:10:21 -0500
Reply-To: adele.green@aol.com

We have a mystery shopping assignment in your area and we would like you to participate"

INTERNATIONAL SERVICE CHECK / Multisearch GmbH is accepting applications for qualified individuals to become mystery shoppers. It's fun and rewarding,
and you choose when and where you want to shop. You are never obligated to accept an assignment.
There is no charge to become a shopper and you do not need previous experience. After you sign up, you will have
access to training materials via e-mail, fax or postal mail.

ABOUT US

INTERNATIONAL SERVICE CHECK / Multisearch GmbH is the premier mystery shopping company; serving clients across America with over 500,000
shoppers available and ready to help businesses better serve their customers. Continual investment in the latest internet and
communication technologies coupled with over 16 years of know-how means working with INTERNATIONAL SERVICE CHECK / Multisearch GmbH is a satisfying and
rewarding experience.

Secret shopping has been seen on ABC NEWS, NBC NEWS, L.A.TIMES.
Mystery Shopping provides an insight into what happens when hard won prospective buyers are in contact with your sales and
customer service teams. INTERNATIONAL SERVICE CHECK / Multisearch GmbH’s range of Mystery Shopping services cover every aspect of the customer experience –
on-site and face-to-face, on the telephone and electronically, through your website.

We conduct evaluations by personal visits and/or by E-mail. "Mystery Shoppers" are independent contractors that conduct
"shops", complete online evaluation forms and get paid "per assignment".
We consider our shoppers part of our extended team. Most of our staff, including management, still Mystery Shop
and are aware of the challenges and rewards. We negotiate the best possible compensation for our
shoppers and will not accept business that is unfair to our team. If we wouldn't accept the shop, we don't expect you to.

Stores and organizations such as The Gap, Wal-Mart, Pizza Hut, and Bank. One amongst many others pay for Secret Shoppers to
shop in their establishments and report their experiences. On top of being paid for shopping you are also allowed to keep
purchases for free. INTERNATIONAL SERVICE CHECK / Multisearch GmbH NEVER charge fees to the shopper. Training, tips for improvement, and shopping
opportunities are provided free to registered shoppers. Mystery shoppers are either paid a pre-arranged fee for a particular shop, a
reimbursement for a purchase or a combination of both.

We boast super fast payouts and expect high quality reporting in return to keep our clients satisfied.

We hold a strong belief in the fact that nothing is more important than the customers' perceptions and this can
only be realized using "real consumers" (YOU) to perform evaluations. The same cannot be said for using
industry insiders or people from within the company, as their opinions are naturally subjective and biased. The
only opinions that count are ones of real consumers since they are the ones making purchases.

You will be required to interact with the shop clerk.

The assignment will pay $150 per assignment

If you feel you are a good candidate, then fill out the application form below
to this email (adele.green@aol.com) and we will get back to you shortly with the assignment:

PERSONAL INFORMATION:

Full Name :
Street Address:
City:
State:
Zip Code:
Cell Phone Number:
Home Phone Number:
Age:
Current Occupation:
Email Address:

AVAILABILITY:

Days/Hours Available

Monday.............................................
Tuesday.............................................
Wednesday.............................................
Thursday.............................................
Friday.............................................
Saturday.............................................


Hours Available: from _______ to ______

We await your urgent response.

Sincerely yours,
Adele Green.
© 2011 INTERNATIONAL SERVICE CHECK / Multisearch GmbH   All Rights Reserved.
If you accept this job offer, then you will not be dealing with International Service Check.

The email originates from a server at 70.32.113.152 which belongs to Fivecube Pte in Singapore (the server is physically in California), although most likely this is either a compromised server or a customer. An examination of the mail headers indicates that it may originate from 69.92.92.47, a Cable One subscriber in Seminole, Oklahoma. The Reply-To address is adele.green@aol.com, although this is probably fake, so do not assume that it really is someone of that name behind it.

Monday, 12 September 2011

bundespolizei-online.com is not the Bundespolizei

bundespolizei-online.com is a fake domain pretending to be the Bundespolizei (German Federal Police). It appears to be part of a malware scam that has been around for a while, where the victim is told that they have done something illegal and need to pay a fine to the police.

The text of the message might vary, but the last scam domain was used in conjunction with a message that read:

Es ist ungesetzliche Tätigkeit enthüllt
Achtung!!!
Ein Vorgang illegaler Aktivitäten wurde erkannt.
Das Betriebssystem wurde im Zusammenhang mit Verstoßen gegen die Gesetze der Bundesrepublik Deutschland gesperrt! Es wurde folgender Verstoß festgestelltt: Ihre IP Adresse lautet "x.x.x.x" mit dieser IP wurden Seiten mit pornografischen Inhalten,Kinderpornographie, Sodomie und Gewalt gegen Kinder aufgerufen Auf Ihrem Computer wurden ebenfalls Videodateien mit pornografischen Inhalten, Elementen von Gewalt und Kinderpornografie festgestellt! Es wurden auch Emails in Form von Spam, mit terroristischen Hintergründen, verschickt. Diese Sperre des Computers dient dazu, Ihre illegalen Aktivitäten zu unterbinden.
Ihre IP: x.x.x.x
Location: XXXXX
ISP: XXXXX
Um die Sperre des Computers aufzuheben, sind Sie dazu verflichtet eine Strafe von 100 Euro zu zahlen. Sie haben zwei Möglichkeiten die Zahlung von 100 Euro zu leisten.

    1) Die Zahlung per Ukash begleichen:
    Dazu geben Sie bitte den erworbenen Code in das Zahlungsfeld ein und drücken Sie anschliessend auf OK (haben Sie mehrere Codes,so geben Sie Diese einfach nacheinander ein und drücken Sie anschliessend auf OK) Sollte das System Fehler melden,so müssen Sie den Code per Email (einzahlung@dpolg-bundespolizei.org) versenden.
    2) Die Zahlung per Paysafecard begleichen:
    Dazu geben Sie bitte den erworbenen Code (gegebenfalls inkl. Passwort) in das Zahlungsfeld ein und drücken Sie anschliessend auf OK (haben Sie mehrere Codes,so geben Sie Diese einfach nacheinander ein und drücken Sie anschliessend auf OK) Sollte das System Fehler melden,so müssen Sie den Code per Email(einzahlung@dpolg-bundespolizei.org) versenden.
This roughly translates as:

Illegal activity has been detected
Attention!!!
An instance of illegal activity has been detected.
The operating system has been locked in connection with violations of the laws of the Federal Republic of Germany! The following violation was found: your IP address is "x.x.x.x", and from this IP, pages with pornographic content, child pornography, bestiality and violence against children were accessed. Video files with pornographic content, elements of violence and child pornography were also found on your computer! Emails in the form of spam, with terrorist backgrounds, were also sent. This lock on the computer serves to stop your illegal activities.
Your IP: x.x.x.x
Location: XXXXX
ISP: XXXXX
To lift the lock on the computer, you are obliged to pay a fine of 100 euros. You have two ways to make the payment of 100 euros.

    1) Pay by Ukash:
    Enter the code you have purchased into the payment field and then press OK (if you have several codes, simply enter them one after another and then press OK). If the system reports an error, you must send the code by email (einzahlung@dpolg-bundespolizei.org).
    2) Pay by Paysafecard:
    Enter the code you have purchased (including the password, if applicable) into the payment field and then press OK (if you have several codes, simply enter them one after another and then press OK). If the system reports an error, you must send the code by email (einzahlung@dpolg-bundespolizei.org).

A €100 fine for terrorist spam and downloading child pornography? Obviously this is nonsense, but the victim might well try to pay to get rid of the trojan.

The bundespolizei-online.com domain is quite interesting to look at. First, there is the WHOIS record:

    Steffen Schüssler
    Email: t-mart-admin@teiekom.de
    Organization: Hostmaster T-Systems
    Address: Vahrenwalder Strasse 240-247
    City: Hannover
    State: Hannover
    ZIP: 30159
    Country: DE
    Phone: +49.43171633486
    Fax: +49.43171633486

It looks legitimate enough. T-Systems is the hosting division of Deutsche Telekom, and the email address looks legitimate at first glance... but wait, it says teiekom.de and not telekom.de, which can't be right.
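The teiekom.de/telekom.de swap is easy to miss by eye, which is why look-alike checks fold visually confusable characters before comparing. As an added example (not from the original post), the following Python does that against an assumed list of domains to protect, and also catches the "brand wrapped in extra words" pattern of the other fake sites on this page (bundespolizei-online.com, inter-bundeskriminalamt.org). TRUSTED and CONFUSABLES are my own assumptions, not anything the post or the registrar provides.

```python
"""Spot look-alike domains such as teiekom.de (vs telekom.de) or
bundespolizei-online.com (vs bundespolizei.de) in WHOIS and mail data.

Added example, not from the original post. TRUSTED is an assumed list of
legitimate domains to protect; CONFUSABLES and PAIRS are a small hand-picked
confusable map, not a full Unicode confusables table.
"""
from typing import Iterable, Tuple

# Assumed list of domains we want to protect against impersonation.
TRUSTED = ("telekom.de", "bundespolizei.de", "bundeskriminalamt.de")

# Single characters easily confused in print or on screen, folded to one
# representative so that "teiekom" and "telekom" get the same skeleton.
CONFUSABLES = str.maketrans({"i": "l", "1": "l", "|": "l", "0": "o", "5": "s", "3": "e"})
# Two-character sequences that read as one letter.
PAIRS = (("rn", "m"), ("vv", "w"), ("cl", "d"))


def skeleton(label: str) -> str:
    """Fold a domain label so that confusable spellings compare equal."""
    label = label.lower()
    for pair, single in PAIRS:
        label = label.replace(pair, single)
    return label.translate(CONFUSABLES)


def registrable(domain: str) -> Tuple[str, str]:
    """Naive split into (second-level label, TLD). Does not know multi-part
    suffixes such as co.uk; a production check would use the Public Suffix List."""
    labels = domain.lower().strip(".").split(".")
    return (labels[-2], labels[-1]) if len(labels) >= 2 else (labels[0], "")


def classify(domain: str, trusted: Iterable[str] = TRUSTED) -> str:
    """'trusted', 'look-alike of X', 'contains brand of X' or 'no match'."""
    trusted = tuple(trusted)
    if domain.lower() in trusted:
        return "trusted"
    label, _ = registrable(domain)
    for t in trusted:
        t_label, _ = registrable(t)
        # Same label once confusables are folded (teiekom.de, te1ekom.de),
        # or the genuine label under a different TLD (bundespolizei.net).
        if skeleton(label) == skeleton(t_label):
            return f"look-alike of {t}"
        # Brand wrapped in extra words or hyphens: bundespolizei-online.com,
        # inter-bundeskriminalamt.org, agentbundeskriminalamt.net. The length
        # guard keeps short brand names from matching everything.
        if len(t_label) >= 6 and t_label in label:
            return f"contains brand of {t}"
    return "no match"


if __name__ == "__main__":
    for d in ("teiekom.de", "bundespolizei-online.com", "inter-bundeskriminalamt.org",
              "telekom.de", "example.org"):
        print(f"{d:32} {classify(d)}")
```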

The domain is registered through the Russian registrar Regtime Ltd. The site bundespolizei-online.com is hosted on 193.105.240.204 in Latvia. Latvia is pretty much a hotbed of crime, and the AS12578 block has a pretty bad reputation, and the whole 193.105.240.0/24 range looks quite toxic. As is common with malicious sites such as this, all the mail is handled by Google.

So, if you see a message soliciting an email reply to bundespolizei-online.com or running on the same website, then it is malware, and you should try to disinfect your machine using up-to-date antivirus software, or you could try following the instructions here.

Friday, 9 September 2011

Why am I sending myself spam?

One of the most common questions I get about spam is: "Why am I sending myself spam?" The most common answer to this is: "It's a forgery, you are not sending yourself spam at all".

This answer requires some explanation, but the most important thing is that when you see spam both "To" and "From" you at the same time then it DOES NOT mean that someone has hacked into your email account. However, if a friend or contact is getting spam email "From" you then it is quite possible that someone HAS hacked your email account and you should take appropriate action.

These mail forgeries are incredibly simple to do. Part of the problem is that the protocols that email runs on were written in the early 1980s when there was no such thing as email spam. Basically, when one computer connects to another computer to send mail then usually the receiving computer trusts that the sending computer is telling the truth about the sender.

The conversation between the two computers looks something like this:

HELO sender.domain
MAIL FROM:<sender@sender.domain>
RCPT TO:<recipient@recipient.domain>
DATA
This is the body text of the email.
.
QUIT

What might come as a shock is that the sender's email address specified in "MAIL FROM" can be anything at all, including the same address as the recipient's. This is technically known as spoofing (i.e. it is a form of forgery), and it also explains why spam often seems to come from nonsense email addresses. There are some ways of stopping spoofing, such as SPF, but they are not very widely used.

One reason why spammers like to send spam "from" the victim is because it will often get through the victim's spam filters. In general, you should not whitelist your own email address in your spam filter for this reason. Fixing spoofing at a filter level is possible, but every email system and spam filter is different and this is really one for experienced IT support people to resolve for you.
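As an added example (not code from the original post), the following Python shows the filter-level check suggested here and the header examination used in the dossier-ua.com and "internationalservicecheck.com" posts above: walk the Received: chain from our own servers outwards, find the first hop that did not come from a host we run, and treat mail that claims our domain but entered that way as forged, whether or not it is also addressed back to the same person. The two messages are constructed (documentation addresses 203.0.113.x, 198.51.100.x and 192.0.2.x), and OUR_NETWORKS and OUR_DOMAINS stand in for an organisation's real relays and mail domains.

```python
"""Walk a message's Received: chain and flag mail that forges our own domain.

Added example, not code from the original post. Both messages are constructed;
OUR_NETWORKS and OUR_DOMAINS are assumptions standing in for real values.
"""
import email
import re
from email.utils import parseaddr
from ipaddress import ip_address, ip_network

# Assumed: the networks our own MX and outbound relays live in, and the
# domains that legitimately appear in "From" on mail we send.
OUR_NETWORKS = [ip_network("203.0.113.0/24")]
OUR_DOMAINS = {"example.com"}

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Received: from <clause> by <host>. The clause is written by the receiving
# server, so it is only as trustworthy as the server that wrote it.
HOP = re.compile(r"^from\s+(.*?)\s+by\s+(\S+)", re.I)

# Constructed sample modelled on the "To and From yourself" spam in the posts
# above; newest hop first, as in a real message.
SPOOFED_MESSAGE = """\
Received: from mx1.example.com (mx1.example.com [203.0.113.10])
\tby mail.example.com with ESMTP id abc123; Wed, 21 Sep 2011 20:18:07 +0100
Received: from unknown (HELO victim.example.com) ([198.51.100.77])
\tby mx1.example.com with SMTP; Wed, 21 Sep 2011 20:18:05 +0100
Received: from [192.0.2.45] by 198.51.100.77 with SMTP; Wed, 21 Sep 2011 20:17:59 +0100
From: Spam Victim <victim@example.com>
To: Spam Victim <victim@example.com>
Reply-To: Ana@totaljob-us.com
Subject: Current Vacancy

Urgente!
"""

# Constructed sample of genuine internal mail submitted through our own relay.
LEGIT_MESSAGE = """\
Received: from smtp-out.example.com (smtp-out.example.com [203.0.113.25])
\tby mx1.example.com with ESMTP; Thu, 22 Sep 2011 09:00:00 +0100
From: colleague@example.com
To: victim@example.com
Subject: Lunch?

Lunch?
"""


def received_hops(msg):
    """[(sending_ip_or_None, receiving_host), ...], newest hop first."""
    hops = []
    for value in msg.get_all("Received", []):
        m = HOP.match(" ".join(value.split()))      # unfold, then parse
        if not m:
            continue
        ips = IPV4.findall(m.group(1))
        # the bracketed address the receiver logged is normally the last one
        hops.append((ips[-1] if ips else None, m.group(2)))
    return hops


def is_ours(ip):
    return ip is not None and any(ip_address(ip) in net for net in OUR_NETWORKS)


def ingress_index(hops):
    """Index of the first hop, walking outwards from our side, whose sending
    host is not ours. Hops below it were written by servers we do not control
    and may be forged. None means the chain never left our network."""
    for i, (sender, _receiver) in enumerate(hops):
        if not is_ours(sender):
            return i
    return None


def analyse(raw):
    msg = email.message_from_string(raw)
    hops = received_hops(msg)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    recipient = parseaddr(msg.get("To", ""))[1].lower()
    idx = ingress_index(hops)
    # Mail claiming one of our domains that reached our MX from a host we do
    # not run is forged, whether or not it is addressed back to its "sender".
    # This is the filter-level check to use instead of whitelisting yourself.
    spoofed = sender.rpartition("@")[2] in OUR_DOMAINS and idx is not None
    return {
        "from": sender,
        "to": recipient,
        "reply_to": parseaddr(msg.get("Reply-To", ""))[1].lower(),
        "self_addressed": sender == recipient,
        "ingress_ip": hops[idx][0] if idx is not None else None,
        "claimed_origin": hops[-1][0] if hops else None,  # unverifiable hearsay
        "spoofed_own_domain": spoofed,
    }


if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED_MESSAGE), ("legit", LEGIT_MESSAGE)):
        print(name, analyse(raw))
```

The "claimed_origin" is only what an untrusted server wrote down, which is why the posts above say a message "may originally have come from" an address rather than asserting it.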

I mentioned earlier about a different scenario - one where the mail appears to be "From" a contact. Although superficially it might appear to be similar, in this case it usually means that an email account has been hacked into, typically the person that the mail is "from". If you receive spam from someone you know then the best thing to do is contact them offline and let them know that there's a problem.

Thursday, 8 September 2011

9/11 reflections

You've probably noticed that the tenth anniversary of the September 11th attacks is coming around in a few days' time. There's a lot of material around covering all sorts of aspects, but one of the things that I distinctly remember (as a distant observer) was that there were a lot of important things happening, but it was hard to find out what was happening because the 2001-era web couldn't cope with the thirst for information. I wrote about it a few days afterwards because it was probably the first time that the web had to deal with such a monumental news story.

In some respects the situation is very different ten years on. News sites are much more resilient, Twitter gives us real-time updates of major events, YouTube can give us raw eyewitness footage just minutes after things have happened. But the recent attacks in Oslo demonstrate just how fragile technology can still be.

Anyway, you can read my thoughts a decade on here if you like.

Tuesday, 6 September 2011

Fake jobs: allworld-career.com, greece-newcareer.com, new-joboffers.com and worldjob-career.com

Four new domains offering a variety of fake and illegal jobs, part of a very long running series of scam emails.

allworld-career.com
greece-newcareer.com
new-joboffers.com
worldjob-career.com


These fake domains have been set up to solicit replies to bogus job offers, including money laundering and other illegal activities. The emails may appear to have been sent from your own account, but this is a simple forgery and does not mean that your email account has been compromised.

The registrant details are no doubt fake:

    Alexey Kernel
    Email: johnkernel26@yahoo.co.uk
    Organization: Alexey Kernel
    Address: Kreshchatyk Street 34
    City: Kiev
    State: Kiev
    ZIP: 01090
    Country: UA
    Phone: +38.00442794512 

All these domains have been registered in the past couple of days.

If you have a sample spam with one of these in, please consider sharing it in the Comments. Thanks!

Saturday, 3 September 2011

Fake jobs: usa-newcareers.com

usa-newcareers.com is another domain being used to offer fake jobs (usually criminal activities such as money laundering). It is part of this long running scam and is essentially just a variant of us-newcareer.com registered a few days ago. The domain was registered yesterday to a presumably fake registrant.

One feature of these scam emails is that they appear to come from yourself. This is just a simple forgery and it does not mean that your mail account has been compromised. If you have any examples of spam using this domain, please consider sharing them in the comments.

Wednesday, 31 August 2011

dpolg-bundespolizei.org is not DPolG or the Bundespolizei

DPolG is a staff association of the German Federal Police (Bundespolizei). So you might expect that dpolg-bundespolizei.org is something to do with the DPolG.. especially when www.dpolg-bundespolizei.org resolves to 77.87.229.14, which is the same IP address as bundespolizei.de, the German Federal Police.

But something is very wrong with this domain. Let's start with the WHOIS details:

Domain ID:D163178250-LROR
Domain Name:DPOLG-BUNDESPOLIZEI.ORG
Created On:30-Aug-2011 11:02:35 UTC
Last Updated On:30-Aug-2011 11:02:35 UTC
Expiration Date:30-Aug-2012 11:02:35 UTC
Sponsoring Registrar:Regtime Ltd. (R1602-LROR)
Status:TRANSFER PROHIBITED
Status:ADDPERIOD
Registrant ID:CO1014850-RT
Registrant Name:ALex Potolot
Registrant Organization:ALex Potolot
Registrant Street1:49-12 Shepherd Street
Registrant Street2:
Registrant Street3:
Registrant City:London
Registrant State/Province:London
Registrant Postal Code:W12 7HF
Registrant Country:GB
Registrant Phone:+44.2073290240
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Registrant Email:apotolot@yahoo.com

It's kind of odd that a German police domain should be registered to a person in the UK using a free email address. But what is odder is that the address does not exist. Although there is a Shepherd Street in London, the postcode is not W12 7HF, that's the postcode for Stanlake Road in Hammersmith. Shepherd Street's postcode begins W1J 7Jx in any case, and there's no number 49 on that road (it is approximately the location of the Park Lane Mews Hotel).

Let's check the nameservers:
Name Server:NS1.NAMESELF.COM
Name Server:NS2.NAMESELF.COM
Nameself.com is the DNS service of the Russian registrar WebNames.ru (aka Regtime Ltd), who are also the domain registrar. Why would the German police use a Russian registrar?

The next clue is in the MX handlers - these are the servers that handle mail for dpolg-bundespolizei.org:

  dpolg-bundespolizei.org MX (Mail Exchanger) Priority: 20 ALT1.ASPMX.L.GOOGLE.COM
  dpolg-bundespolizei.org MX (Mail Exchanger) Priority: 20 ALT2.ASPMX.L.GOOGLE.COM
  dpolg-bundespolizei.org MX (Mail Exchanger) Priority: 30 ASPMX2.GOOGLEMAIL.COM
  dpolg-bundespolizei.org MX (Mail Exchanger) Priority: 30 ASPMX3.GOOGLEMAIL.COM
  dpolg-bundespolizei.org MX (Mail Exchanger) Priority: 30 ASPMX4.GOOGLEMAIL.COM
  dpolg-bundespolizei.org MX (Mail Exchanger) Priority: 30 ASPMX5.GOOGLEMAIL.COM
  dpolg-bundespolizei.org MX (Mail Exchanger) Priority: 10 ASPMX.L.GOOGLE.COM
So, the domain is using Google for mail handling. DPolG use their own mailservers, not Google.

Something is definitely amiss here, and it wouldn't be the first time that the Bundespolizei name was used for malicious purposes as there has been a recent rash of malware using it. On balance, a domain with a fake UK address registered via a Russian registrar and using Google for mail handling is unlikely to be legitimate. Avoid.
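The checks walked through above, turned into a reusable triage routine as an added example (not code from the original post): given already-resolved A, MX and NS records plus WHOIS fields, it flags a domain that shares the real organisation's web IP but hands mail and DNS to unrelated providers, a registrant country that doesn't fit, a free-mail registrant address and a very recent registration. The dpolg-bundespolizei.org values are taken from the post; the reference MX/NS hosts for bundespolizei.de are placeholders (the post only establishes that the real mail is not at Google).

```python
"""Triage a suspect lookalike domain against the organisation it imitates.

Added example, not from the original post. It works on already-resolved
records so it runs offline; in practice you would fill the profiles from
dig/host output and a WHOIS lookup.
"""
from dataclasses import dataclass
from datetime import date
from typing import List

# Free-mail providers that are unusual for an official police domain.
FREEMAIL_DOMAINS = {"yahoo.com", "yahoo.co.uk", "gmail.com", "hotmail.com", "mail.ru"}


@dataclass
class DomainProfile:
    name: str
    a_records: List[str]
    mx_hosts: List[str]
    ns_hosts: List[str]
    registrant_country: str = ""
    registrant_email: str = ""
    created: str = ""  # ISO date text, e.g. "2011-08-30"


def owning_domain(host: str) -> str:
    """Crude owning domain of a hostname: its last two labels, lower-cased."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def triage(suspect: DomainProfile, reference: DomainProfile,
           expected_country: str, today: date) -> List[str]:
    """Return human-readable findings; an empty list means nothing odd."""
    findings: List[str] = []
    shared_a = sorted(set(suspect.a_records) & set(reference.a_records))
    ref_mx = {owning_domain(h) for h in reference.mx_hosts}
    sus_mx = {owning_domain(h) for h in suspect.mx_hosts}
    if shared_a and sus_mx and not (sus_mx & ref_mx):
        # Web traffic lands on the real server, but mail goes elsewhere:
        # the classic lookalike set-up described in the post.
        findings.append(f"A record {shared_a} matches the real site but MX is at "
                        f"{sorted(sus_mx)}, not {sorted(ref_mx)}")
    ref_ns = {owning_domain(h) for h in reference.ns_hosts}
    sus_ns = {owning_domain(h) for h in suspect.ns_hosts}
    if sus_ns and not (sus_ns & ref_ns):
        findings.append(f"NS {sorted(sus_ns)} unrelated to reference NS {sorted(ref_ns)}")
    if suspect.registrant_country and \
            suspect.registrant_country.upper() != expected_country.upper():
        findings.append(f"registrant country {suspect.registrant_country} but the "
                        f"organisation is in {expected_country}")
    mail_domain = suspect.registrant_email.rsplit("@", 1)[-1].lower()
    if mail_domain in FREEMAIL_DOMAINS:
        findings.append(f"registrant uses a free-mail address ({mail_domain})")
    if suspect.created:
        age_days = (today - date.fromisoformat(suspect.created)).days
        if age_days < 30:
            findings.append(f"domain is only {age_days} day(s) old")
    return findings


# Values from the post's WHOIS, dig and MX output.
DPOLG_SUSPECT = DomainProfile(
    name="dpolg-bundespolizei.org",
    a_records=["77.87.229.14"],
    mx_hosts=["ASPMX.L.GOOGLE.COM", "ALT1.ASPMX.L.GOOGLE.COM", "ASPMX2.GOOGLEMAIL.COM"],
    ns_hosts=["NS1.NAMESELF.COM", "NS2.NAMESELF.COM"],
    registrant_country="GB",
    registrant_email="apotolot@yahoo.com",
    created="2011-08-30",
)

# Reference profile. The IP is from the post; the MX/NS hosts are
# placeholders standing in for the organisation's own infrastructure.
BUNDESPOLIZEI_REFERENCE = DomainProfile(
    name="bundespolizei.de",
    a_records=["77.87.229.14"],
    mx_hosts=["mx.bundespolizei.example"],
    ns_hosts=["ns1.bundespolizei.example"],
)


def triage_dpolg(today: date = date(2011, 8, 31)) -> List[str]:
    """Run the triage on the post's data as of the day after registration."""
    return triage(DPOLG_SUSPECT, BUNDESPOLIZEI_REFERENCE, "DE", today)


if __name__ == "__main__":
    for finding in triage_dpolg():
        print("-", finding)
```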




Monday, 29 August 2011

Fake jobs: consult-position.com, instant-job.com, newweb-career.com, uk-bestjob.com and web-newcarer.com

A new set of domains pushing illegal money laundering jobs and other criminal activities as part of this long running operation.

consult-position.com
instant-job.com
newweb-career.com
uk-bestjob.com
web-newcarer.com


Typically, these emails will appear to be "from" you as well as "to" you.. this is just a forgery and it doesn't mean that your mail is hacked.

Don't be tempted by the jobs on offer, typical positions are for money mules, reshipping scams or sometimes back-office functions such as translating emails or signing paperwork. Don't bother replying to the email as no good will come of it.

If you have an example of any emails using this address, please consider sharing it in the Comments. Thanks!

Friday, 26 August 2011

Fake jobs: us-newcareer.com

Operating the same money laundering scam/spam as this batch of domains, and forming part of this very long running scam, the domain us-newcareer.com was freshly registered two days ago.

The jobs offered by anyone soliciting replies to this email address are all criminal activities and should be avoided. The spam email messages may appear to be coming from your own email address, but this is a simple forgery and it does not mean that your computer or mail account is compromised.

If you have examples of spam emails using the domain, please consider sharing them in the Comments. Thanks!

Wednesday, 24 August 2011

Fake jobs: greece-career.com, il-career.com, mc-jobs.com and oae-career.com

Four new domains peddling fake jobs today, forming part of this very long running scam.

greece-career.com
il-career.com
mc-jobs.com
oae-career.com

The "jobs" offered are actually criminal activities such as money laundering. It may be that the email appears to come "from" you as well (the from address is trivially easy to fake, it doesn't mean that your machine is infected with anything).

Domains were registered two days ago to "Alexey Kernel", which is no doubt a fake name.

greece-career.com presumably targets Greek nationals, and il-career.com looks to be targeting Israelis. The other two are less clear, but our best guess is that mc-jobs.com might be targeting Macedonia (but the TLD is .mk) and oae-career.com might be the UAE and is just a typo. This continues the pattern of going after non-English speaking victims who might be fooled more easily by a scam email in their own language.

If you have any examples of this spam, please consider sharing them in the Comments. Thanks!

Monday, 22 August 2011

HMRC phish: refund1-hmrc.com, refund2-hmrc.com, refund3-hmrc.com and refund4-hmrc.com

Here's a bunch of web sites and domains being used to peddle fake HMRC (UK tax office) refunds:

www.refund1-hmrc.com
www.refund2-hmrc.com
www.refund3-hmrc.com
www.refund4-hmrc.com
www.handler123.com

The fake emails look something like this:

From: HM Revenue & Customs Billing Department [mailto:hmrc@refund1-hmrc.com]
Sent: 22 August 2011 09:36
To: [redacted]
Subject: Billing Notifcation


Refund Notification


This e-mail has been sent to you by HM Revenue & Customs to inform you that we must pay you back 478 GBP.
Please complete all the information to process your refund

Please allow 2 weeks for you money to be availabe in your account. (eg: address, phone)
Total refund amount: 478 GBP

To ensure that your service is not interrupted, we request you to confirm and update your information today by following the link below:

Refund Notification


Thank you for your prompt attention to this matter. Do not reply to this e-mail.
Mail sent to this address cannot be answered.

Member [redacted]

© HM Revenue & Customs 2011 

The emails actually come from  refund1-hmrc.com, refund2-hmrc.com, refund3-hmrc.com and refund4-hmrc.com so

If you click through the link then you get a pretty standard phishing page trying to get credit card details, personal information and passwords.

The HMRC don't send tax refund messages by email, so any such notification should be considered bogus.

The phishing sites are hosted on 211.154.91.246 in China. Blocking that IP would be a good idea, but you could go further and block 211.154.64.0/19, as it looks like a cable modem range and there shouldn't really be any legitimate sites hosted there.

Domain registration details are clearly fake:


Domain Name.......... refund1-hmrc.com
  Creation Date........ 2011-08-22
  Registration Date.... 2011-08-22
  Expiry Date.......... 2012-08-22
  Organisation Name.... scotia bank
  Organisation Address. hah
  Organisation Address.
  Organisation Address. there
  Organisation Address. 123131
  Organisation Address. AL
  Organisation Address. UNITED STATES

Admin Name........... scotia bank
  Admin Address........ hah
  Admin Address........
  Admin Address........ there
  Admin Address........ 123131
  Admin Address........ AL
  Admin Address........ UNITED STATES
  Admin Email.......... bbuubbh2@yahoo.com
  Admin Phone.......... +1.1233213121
  Admin Fax............

Tech Name............ scotia bank
  Tech Address......... hah
  Tech Address.........
  Tech Address......... there
  Tech Address......... 123131
  Tech Address......... AL
  Tech Address......... UNITED STATES
  Tech Email........... bbuubbh2@yahoo.com
  Tech Phone........... +1.1233213121
  Tech Fax.............
  Name Server.......... ns1.refund1-hmrc.com
  Name Server.......... ns2.refund1-hmrc.com



The nameservers are hosted on 200.29.238.90 in Colombia (CONSULNETWORK LTDA).

Thursday, 11 August 2011

Fake jobs: unionhire.net, wugcareer.com and wugoffers.net

Three new fake job domains registered in the past couple of days to the fake "Alexey Kernel" registrant, forming part of this very long running scam.

unionhire.net
wugcareer.com
wugoffers.net


As before, there is a series of spam messages advertising so-called "jobs" from these companies, but in reality they are criminal activities such as money laundering.

If you have a sample email, please consider sharing it in the Comments. Thanks!


Something evil on 95.168.177.144: reddingtaxcm.com and inferno.name

reddingtaxcm.com is a legitimate domain that is registered at GoDaddy and has been hijacked to serve up malware, hosted on 95.168.177.144 (NetDirekt, Germany but more below..).

The malware appears to be a variant of Vundo / Virtumundo, the infection mechanism looks to be some sort of injection attack on third party sites.

Although the IP 95.168.177.144 is allocated to NetDirekt (now Leaseweb Germany), it belongs to part of a range suballocated to inferno.name of Serbia (apparently also known as v3Servers.net). Inferno featured recently in this blog with another similar malware attack, that time on 95.168.178.206. 95.168.177.0/4 seems to be full of (possibly fake) pharma sites.

A lot of other IP addresses associated with this company are implicated in forum spamming.

Just in case you want to block traffic to/from inferno.name (although there may well be legitimate sites and servers in these ranges) then I have identified the following IP ranges, although there may well be more:


As for 95.168.177.144, watch for traffic going to subdomains of reddingtaxcm.com, for example:


Thursday, 4 August 2011

Something evil on 79.133.196.124

I don't quite have the full picture on this, but it looks like some Scandinavian sites have been compromised in some way and are redirecting to a malware server on 79.133.196.124 in Poland which is serving up fake AV applications.

Blocking access to 79.133.196.124 is probably a very good idea. The following sites appear to be hosted on that server and should be blocked if you can't do so by IP address; alternatively, just block access to all .co.cc and .rr.nu domains if you can.



Tuesday, 2 August 2011

virtualmapping.org redirect

The domain name virtualmapping.org sounds legitimate, but isn't.. it's a redirector used on hacked websites. The first time you visit one of these hacked sites via a Google search, you get redirected to a URL at virtualmapping.org/cgi-bin/r.cgi. Subsequent visits don't seem to trigger this, nor does visiting the site directly. It could be an altered .htaccess file.

virtualmapping.org is hosted on 94.63.149.246 which is unsurprisingly enough in Romania, in a Cobalt IT SRL block suballocated to SC Coral IT Office SRL / xnetworkings.com also in Romania. Sites in these Cobalt ranges are either all evil or are of interest to Romanian visitors only, so one quick and easy way to secure your network is to block the entire 94.60.0.0/14 range.. at the very least, block 94.63.149.0/24, 94.63.244.0/24 and 94.60.123.0/24 which are especially toxic.

After hitting virtualmapping.org, visitors are then redirected to one of the following sites on 95.168.178.206, hosted at Netdirekt in Frankfurt but actually allocated to a host called inferno.name (Sogreev Anton, Serbia). 95.168.178.0/24 is full of Russian porn sites, so probably a good thing to block in any case.

Some of the domains that are loading the malware are:

Basically, anything in the nc-9.com domain apart from nc-9.com and www.nc-9.com has been hijacked and is pointing to the IP address in Frankfurt. It's not a surprise to see that nc-9.com is actually a legitimate domain registered at GoDaddy that appears to have been hijacked.

The payload is a nasty trojan according to various analysis tools (ThreatExpert, Comodo, Anubis). Detection rates are very low. The analysis tools might help you to clean up your PC if you have somehow become infected.

Of some interest, the trojan alters the HOSTS file to block access to popular torrent sites such as the Pirate Bay. It also calls home to two domains, assistancebeside.com (78.159.100.32) and imagehut4.cn which was actually deleted last year, but was registered to the scumbags at Real Host Ltd.

There's quite a lot to block here, the highest priorities are:
94.63.149.246
95.168.178.206
78.159.100.32
*.nc-9.com
assistancebeside.com
virtualmapping.org

I see no harm in blocking the following /24s:
94.63.149.0/24
95.168.178.0/24

And if you're not afraid to block really quite large address ranges:
94.60.0.0/14
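A small matcher that applies the block items listed above to proxy or DNS log entries, as an added example that is not part of the original post. It handles the three kinds of entry the list mixes (single IPs, CIDR ranges and domains), implements "*.nc-9.com" exactly as described, with nc-9.com and www.nc-9.com excluded, and reports the most specific rule that fired. The proxy log lines at the bottom are constructed.

```python
"""Match hosts and IPs against the mixed blocklist from the post.

Added example, not code from the original post. Plain domains block the
domain and everything under it; a '*.domain' entry blocks only names under
the domain, minus any explicit exceptions.
"""
import ipaddress
from typing import Iterable, List, Optional, Tuple
from urllib.parse import urlparse

# The "highest priorities" and /24 items from the post.
BLOCK_ITEMS = [
    "94.63.149.246", "95.168.178.206", "78.159.100.32",
    "*.nc-9.com", "assistancebeside.com", "virtualmapping.org",
    "94.63.149.0/24", "95.168.178.0/24",
]
# The post says the apex and www records of nc-9.com are still legitimate.
ALLOW_EXACT = {"nc-9.com", "www.nc-9.com"}


class Blocklist:
    def __init__(self, items: Iterable[str], allow_exact: Iterable[str] = ()):
        self.networks = []          # ip_network objects, single IPs become /32
        self.domains = set()        # plain domains (match self and subdomains)
        self.wildcards = []         # suffixes from '*.suffix' entries
        self.allow_exact = {h.lower() for h in allow_exact}
        for item in items:
            item = item.strip().lower()
            if item.startswith("*."):
                self.wildcards.append(item[2:])
                continue
            try:
                self.networks.append(ipaddress.ip_network(item, strict=False))
            except ValueError:
                self.domains.add(item.rstrip("."))
        # Longest prefix first so a /32 hit is reported ahead of its /24.
        self.networks.sort(key=lambda n: -n.prefixlen)

    def match(self, target: str) -> Optional[str]:
        """Return the blocklist rule that matches target, or None."""
        target = target.strip().lower().rstrip(".")
        try:
            ip = ipaddress.ip_address(target)
        except ValueError:
            ip = None
        if ip is not None:
            for net in self.networks:
                if ip in net:
                    return str(net)
            return None
        if target in self.allow_exact:
            return None
        for dom in self.domains:
            if target == dom or target.endswith("." + dom):
                return dom
        for suffix in self.wildcards:
            if target.endswith("." + suffix):
                return "*." + suffix
        return None


def scan_proxy_log(lines: Iterable[str], blocklist: Blocklist) -> List[Tuple[str, str]]:
    """Return (host, rule) for every log line whose URL host is blocked.

    Assumes whitespace-separated lines whose last field is the URL.
    """
    hits: List[Tuple[str, str]] = []
    for line in lines:
        fields = line.split()
        if not fields:
            continue
        host = urlparse(fields[-1]).hostname or fields[-1]
        rule = blocklist.match(host)
        if rule is not None:
            hits.append((host.lower(), rule))
    return hits


# Constructed sample proxy log: the r.cgi path is from the post, the rest is made up.
SAMPLE_PROXY_LOG = [
    "2011-08-02T10:01:02Z 10.0.0.5 GET http://virtualmapping.org/cgi-bin/r.cgi",
    "2011-08-02T10:01:03Z 10.0.0.5 GET http://summer3.nc-9.com/index.php",
    "2011-08-02T10:01:04Z 10.0.0.7 GET http://www.nc-9.com/",
    "2011-08-02T10:01:05Z 10.0.0.5 GET http://95.168.178.40/load.php",
    "2011-08-02T10:01:06Z 10.0.0.9 GET http://www.example.com/",
]

if __name__ == "__main__":
    bl = Blocklist(BLOCK_ITEMS, ALLOW_EXACT)
    for host, rule in scan_proxy_log(SAMPLE_PROXY_LOG, bl):
        print(f"BLOCKED {host} (rule {rule})")
```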

Monday, 1 August 2011

Fake jobs: careers-canada.com

One fake job domain today, and the scammers seem to have shifted to a new target - Canada. This time, the domain is careers-canada.com, registered only yesterday to the fictitious "Alexey Kernel" in the Ukraine.

The standard approach with these scammers is to spoof an email "from" the target's email address (don't worry if you see this, your email account has not been compromised) and the emails offer a variety of illegal jobs including money laundering. It forms part of this long-running scam.

If you have any examples of emails using this domain, please consider sharing them in the Comments.. thanks!

Saturday, 30 July 2011

Fake job domains 30/7/11

Six new fake job domains today to avoid:

allnew-careers.com
argentina-hire.com
career-lists.com
career4your.com
world-career.com
your-careers.com


The recent approach has been to spam out emails that appear to be "from" the recipient. Sometimes the emails are poorly translated into Spanish, Portuguese or Greek.

The "jobs" on offer are illegal activities such as money laundering and form part of this very long running scam that has been going on for at least two years.

The domain registrant details are fake:

Alexey Kernel
    Email: johnkernel26@yahoo.co.uk
    Organization: Alexey Kernel
    Address: Kreshchatyk Street 34
    City: Kiev
    State: Kiev
    ZIP: 01090
    Country: UA
    Phone: +38.00442794512 

Mail for these domains is being routed through mx.yandex.ru in Russia.

These job offers are completely bogus and could land you in serious trouble with the police. If you have an example email using one of these domains, please consider sharing it in the Comments. Thanks!

Friday, 29 July 2011

"Iranian" Advanced Fee Fraud

Claiming to come from Iran, but actually originating from 115.249.131.254 in India, this allegedly Iranian scam is just a new twist on the Nigerian 419 scams that we are all familiar with.. in other words, this is an advanced fee fraud.

From: Ghohestani Hananehsadat Seyedhemed 115.249.131.254@webmail.sphpl.com
Reply-To: iranianhananehsadat@gawab.com
Date: 29 July 2011 07:55
Subject: FROM IRAN.....
   
         My name is Ghohestani Hananehsadat Seyedhemed; I was born in Mashad, Iran on 05th March 1991 to Mr and Mrs G. Seyedhemed, who dead in the January 2011 plane crash in Iran that killed more than 80 people including my Father, Mother and younger brother Ali.
http://www.ndtv.com/video/player/news/nearly-80-killed-in-iran-plane-crash/186668

 My father was a retired nuclear scientist and has worked in different project in Iran and outside Iran but lately there was a spate of serial killings of Iranian nuclear scientist and my father knew about it and was making arrangement for our trip and relocation to a foreign country and me and my brother was issued international passport on 15th July 2010 in preparation for our relocation and my father also made a deposit in a foreign bank amounting to $24,500,000USD(Twenty Four Million Five Hundred United States Dollars) for the settling in another country.

 Since my father died i have been trying to get the funds because i have the deposit documents and contact of his Lawyer who i have spoken with just after my fathers death but as a single lady in Iran you just cannot do anything on your own, you are not allowed to travel out of Iran and moreover with no access to telephone or constant internet. My father’s family took all that my father had here in Iran and forced me into marrying my father’s Friend when i disagreed initially they beat me and said as a single girl i cannot stay alone so i had no choice than to marry him. My life is really miserable because i am not allowed to go out, have visitors or use the phone.I have lost my pride as a woman. Luckily for me, my husband has a daughter my age and she allows me use her computer when she is around actually not knowing what i do here.

 Please i am contacting you in the Name of Almighty Allah who i serve and who my family serve to help me in getting these funds. All you need to do is stand as my family member and be next of Kin because the Lawyer told me then to suggest anybody who can stand as the next of kin and he will prepare necessary document but i cannot bring anyone from my father’s family since all they want is to claim my father’s property.

 I will send you the deposit certificate and the Lawyers contact so that you can make urgent contact with him. I will also send you my ID or passport for Identification if you need that. You may wonder why i am contacting you, a complete stranger but i trust you more than my father’s brothers who has done no good but harm to me and i know that you will not disappoint me too because i have gone through nights of prayers just to locate a reliable person who can help me out of this problem.

 I will need you to reply me with your details as follows to (iranianhananehsadat@gawab.com)

Name.................................
Address.............................
Phone number........................
Age.................................
Sex.................................
Occupation..........................
Email:..............................


 As soon as the money is transferred to you. We shall share the total amount 60% for me and 30% for you and 10% for any expenses incurred during this transaction. I want to use my share to get out of Iran and invest in a foreign Country. I hope to hear from you as soon as possible and may Allah bless you and your family.


Respectfully,
Ghohestani Hananehsadat Seyedhemed

Avoid.

Fake jobs: chile-hh.com, cl-joblists.com, pt-joblist.com and spain-joblist.com

Four new fake job domains today, targeting victims in South America, Spain and Portugal.

chile-hh.com
cl-joblists.com
pt-joblist.com
spain-joblist.com

These domains were all registered in the past few days. The standard email approach seems to be "from" the victim, and they are often badly translated into Portuguese and Spanish.

The "jobs" on offer are not jobs at all, they usually involve money laundering and other criminal activities. They form part of this very long running scam that has been going on for years.

Three of the four domains have a new (fake) registrant that we haven't seen before:

Alexey Kernel
    Email: johnkernel26@yahoo.co.uk
    Organization: Alexey Kernel
    Address: Kreshchatyk Street 34
    City: Kiev
    State: Kiev
    ZIP: 01090
    Country: UA
    Phone: +38.00442794512 

If you have an example email, please consider sharing it in the comments.

Thursday, 28 July 2011

Fake jobs: trabajo-lista.com

A single fake domain today, trabajo-lista.com uses the same approach as yesterday's domains, again targeting Spanish language speakers with money laundering jobs and other illegal activities.

Emails will most likely appear to be "from" yourself. This particular scam has been going on now for several years.

If you have a sample, please consider sharing it in the Comments. Thanks!

Wednesday, 27 July 2011

Fake jobs: chile-hh.com, cv-trabalho.com, espana-hh.com and worldjoblists.com

These domains are being used to advertise fake jobs and appear to be targeting Spanish and Portuguese speakers. They form part of this long-running series of domains associated with fake job offers.

chile-hh.com
cv-trabalho.com
espana-hh.com
worldjoblists.com


The jobs being offered are typically money laundering (lavado de dinero / lavagem de dinheiro) which are highly illegal. It is possible that some other jobs offered may be "back office" functions, including translation into local languages.

The domains are very new, registered in the past two days to:

Ricardo Lopez
    Email: ricardolip2@yahoo.com
    Organization: Ricardo Lopez
    Address: ul. Liivalaia 34-10
    City: Tallin
    State: Tallin
    ZIP: 15040
    Country: EE
    Phone: +3.726317190 

If you have any examples of mail using these domains, please consider sharing them in the Comments section. Thanks.

Tuesday, 26 July 2011

Phishtank FAIL: paypal.de

paypal.de is pretty obviously a legitimate PayPal domain, registered to eBay and hosted on 66.211.168.83 in eBay's address space. However, Phishtank thinks that it is a phish.. well, OK, false positives happen.. but the problem here is that it has been manually verified as a phish which really does show a weakness in the Phishtank verification system. It's not the first time it has happened.



So, if you are in Germany and find that paypal.de is blocked, then this is the reason why.

Saturday, 23 July 2011

Fake jobs: eur-exlusive.com

Another addition to this series of fake job offers is the domain eur-exlusive.com.

Assuming that this follows the standard pattern of dozens of other domains, then these will be too-good-to-be-true job offers that appear to have been emailed "from" yourself. The jobs on offer will actually be money laundering or some other criminal activity.

The domain was registered on 23rd July, to a fake registrant "Ricardo Lopez", allegedly from Estonia. Avoid at all costs.

If you have a sample, please consider sharing it in the Comments.

Friday, 22 July 2011

Sky survey boll*cks

I'm feeling quite sweary this week, so here's a stupid email from a market research company who are pretending not to be doing it for Sky (I know it's for Sky because it uses an email address only used to sign up to Sky). It's b*llocks basically.

From: Tpoll Broadband Survey helpdesk@tpoll.net
Date: 22 July 2011 16:19
Subject: A survey about your broadband provider

Dear Mr Dynamoo

A well-known broadband provider has commissioned us here at Tpoll, an independent market research agency, to talk to people about their opinions and experiences with their TV and broadband providers.

The broadband provider in question is very keen to properly understand their customers’ needs, how well the products and services they offer are meeting their needs, and how they compare to other providers. They have asked Tpoll to investigate and we have invited you to take part in an online survey to share your thoughts and opinions.

This survey is organised and run under the rules of the Market Research Society. All responses will be strictly confidential and results will only be looked at on an aggregated level so please be as honest as you can with your answers.

Your answers will be very much appreciated and will be extremely valuable in shaping the products and services the provider offers.

Please click on the link below to start the survey - it should take 10 to 15 minutes to complete.

Click here to begin

Many Thanks,

Elizabeth Green



Tpoll Market Intelligence

So.. you want me to spend 15 minutes doing market research for Sky - a company that I don't use for broadband - just to help them shape their business? I did very much enjoy telling them that I don't have a TV or broadband access. Maybe this will screw up their survey.

Is this spam? It's hard to tell. I have a pre-existing relationship with Sky, but I'm pretty sure I didn't opt-in for this. It would be much more honest if Sky just admitted that they were behind it. Although perhaps their relationship with Rupert Murdoch's empire might be driving them to keep it quiet..

Thursday, 21 July 2011

Etisalat - f*ck you very much

If you've never heard of Etisalat then you are probably lucky. Etisalat is the monopoly telecoms provider in the UAE, and like all monopoly providers it is basically crap.

Why am I bothered? Well, after receiving this same spam 4386 times with no sign of a let-up, I thought it might be nice if Etisalat educated their customer. Unfortunately, Etisalat's abuse mailbox doesn't work, presumably because it is packed full of complaints and nobody from Etisalat can manage to shift their fat sweaty arses enough to look at it.

Now, not getting a response to abuse complaints is pretty typical and not really worth commenting on. However, I was eventually able to get a response from customer support. And it looked promising!
Thank you for contacting Etisalat Customer Care Center.

Further to your email, please accept our sincere apologies for any inconvenience happened. We had escalated the issue to the concerned department and will update you soon after we receive a reply. Kindly bear with us for the delay. reference number 388135

Once again we thank you for contacting us and looking forward to serving you in the future. For any further clarification please contact Etisalat Customer Care Center.
Great.. I thought. Better late than never. So I waited.. and the next reply was basically a "fuck you" from Etisalat:
Thank you for contacting Etisalat Customer Care Center.
Kindly enable sufficient anti spam settings or add filters in your email to overcome the situation.
Once again we thank you for contacting us and looking forward to serving you in the future. For any further clarification please contact Etisalat Customer Care Center.
Wait.. what? The solution to Etisalat allowing customers to spam is.. basically to block email from Etisalat? So basically it is just too much effort for Etisalat to actually do anything. Maybe the airconditioning is broken in the Etisalat support offices and their arses are just too fat and sweaty today..

Anyway, 86.96.226.150 is the culprit to block, but if you follow Etisalat's own recommendations then block email coming in from 86.96.226.0 - 86.96.239.255 (86.96.224.0/20) just to be on the safe side.

And Etisalat, in the words of the FCC Song, f*ck you very much.

Fake jobs: world-chilecv.com

Just a single fake job domain today, world-chilecv.com is an addition to this long-running series of so-called job offers which actually turn out to be money laundering or some other criminal activity.

The domain in question was registered just yesterday to the no-doubt fake registrant:

Ricardo Lopez
    Email: ricardolip2@yahoo.com
    Organization: Ricardo Lopez
    Address: ul. Liivalaia 34-10
    City: Tallin
    State: Tallin
    ZIP: 15040
    Country: EE
    Phone: +3.726317190 


This domain was registered only yesterday. Avoid.