Thursday, 6 October 2011

Something evil on 194.219.29.139

There's something evil on 194.219.29.139 [Forthnet SA, Athens]; in this case it appears to be related to the SpyEye trojan. In particular, a lot of traffic seems to be going to ce.ms sites, so searching your logs for references to ce.ms/main.php might prove fruitful.

All of the following sites are malicious:


NA3PA (na3pa.org) Scam: NAPPPA reborn

NOTE: You can find out who was operating NAPPPA here.

Earlier this year, I came across a fake seminar outfit called the North American Program Planning and Policy Academy (NAPPPA) [read the comments for more information] running out of a rented mailbox in Los Angeles. NAPPPA was recently covered by ABC15 in Arizona (see video below).


It seems to be a bait-and-switch operation. Seminars are promoted as being held at universities, only for the venue to be switched at the last moment; students complain that the seminars are of very low quality, and there are complaints as well that people who have been employed to teach these seminars (often hired via Craigslist) are not getting paid.

Well, a contact informed me that NAPPPA was back, this time peddling seminars under the name of NA3PA and with a website at www.na3pa.org:

From: NA3PA Announcements
Subject: Strategy Session: Program Planning, Evaluation, and Proposals (October 18 - 19, 2011: Los Angeles, CA)


NA3PA will be conducting the Program Planning, Evaluation, and Proposals Strategy Session in Los Angeles, California on October 18 - 19, 2011.  Interested development professionals, researchers, faculty, and graduate students should register as soon as possible, as demand means that seats will fill up quickly. Please forward, post, and distribute this e-mail to your colleagues and listservs.

For more information call (888) 673-8865 or visit our website at http://www.na3pa.org. Please find the program description below:

The Program Planning, Evaluation, and Proposals Strategy Session  is a hands-on, intensive session that leads participants through the entire grant proposal and funding research processes. Through an intense two day practicum, participants will receive an overview of program planning concepts along with advanced writing techniques to develop successful proposals. This results-based session combines individual exercises with group collaboration to allow each participant to leave the session with a Program Planning and Funding Dossier. Exercises leading up to the dossier and organization narrative include a thorough proposal outline, completed worksheets necessary for proposal submissions, and a starting collection of publications and resources to build a development library. Strategy Sessions is designed to provide your organization with the competitive advantage necessary in our modern grants award environment.

This session is ideal for those with a targeted program, but is equally effective for those who can identify their program and funding interests. Completion of the Pre-Session Interview and Assignments is essential to program success and value. Each participant will receive a selection of funding programs tailored to their program and/or areas of interest. Participants without a program will be provided a working example during Pre-Session.

The Program Planning, Evaluation, and Proposals Strategy Session will cover the following during the two day session:

(1) Fundamentals of Program Planning

This session will teach professional program development essentials and program evaluation. While most grantsmanship  "workshops" treat program development and evaluation as separate from the writing of a proposal, this will teach students the relationship between overall program planning and proposal writing.

(2) Strategic Funding Research

At its foundation, this session will address the basics of foundation, corporation, and government grant research. However, this course will emphasize a strategic funding research approach that encourages writers to see research not as something they do before they write a proposal, but as an integrated part of the grant  seeking process. Students will be exposed to online database research tools, as well as publications and directories that contain information about foundation, corporation, and government grant opportunities. Focusing on funding sources and basic social science research, this course teaches students how to use research as part of a strategic grant  acquisition effort.

(3) Professional Proposal Writing

Designed to obtain tangible results, this session will make each student an overall proposal writing   specialist. In addition to teaching the basic components of a grant proposal, successful approaches, and the do's and don'ts of grant writing, this session is infused with expert principles that will lead to a mastery of the process. Strategy resides at the forefront of this session's intent to illustrate grant writing as an integrated, multidimensional, and dynamic endeavor. Each student will learn to stop writing the grant  and to start writing the story. Ultimately, this session will conclude with a completed proposal outline.

Tuition for this two day strategy session is $398.00.

Strategy Session Registration

1. Participants tentatively reserve a seat online at http://www.na3pa.org, by calling the Program Office toll-free at (888) 673-8865, or by sending their name and contact information via email to registrar@na3pa.org.

2. A confirmation email is sent to registrants that includes  session site information, travel information, program description, and details on how to confirm attendance and make payment arrangements. An invoice and agency W9 is also included.

3. Upon attendance confirmation, registrants will receive (usually via email) a Pre-Session packet that will include 1) a Pre-Session Interview, 2) Pre-Session exercises to be completed, 5) a Session Agenda and Schedule, and 4) a receipt.


You have received this invitation due to specific educational affiliation. We respect your privacy and want to ensure that interested parties are made aware of NA3PA strategy sessions and schedules. This is intended to be a one-time announcement. In any event, you should not receive any more announcements unless there is a program next year in your area. To be unlisted from next year's announcement, send an email to remove@na3pa.org and write "Unlist" in the subject line.

The registration details for the domain na3pa.org are hidden:

Registrant ID:decwp508561qlee2
Registrant Name:Protected Domain Services - Customer ID: DEC-3558115
Registrant Organization:Protected Domain Services - Customer ID: DEC-3558115
Registrant Street1:P.O. Box 6197
Registrant Street2:
Registrant Street3:
Registrant City:Denver
Registrant State/Province:CO
Registrant Postal Code:80206
Registrant Country:US
Registrant Phone:+1.7202492374
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Registrant Email:na3pa.org@protecteddomainservices.com


na3pa.org itself is hosted on 69.72.186.55 at Fortress ITX. If you get a spam from NA3PA (and you can be assured that it is a spam), then forward it to abuse -at- fortressitx.com.

That server also hosts napppanet2.org which has been used before, and similarly has an anonymous registration.

The email is sent from an address that appears to be losangeles@grantfundraising.org; grantfundraising.org is another recently registered anonymised domain.

(Update 21/10/11 - the domain academicresearcher.org is also in use by these people)

This operation appears to be run out of California, apparently from the Hacienda Heights area (the originating IP for the emails is always 173.55.115.38). I know that complaints have been filed with both the BBB and the California AG's office, but no action appears to have been taken.

If you have any experience of "NA3PA", please feel free to share it in the comments.

NOTE: You can find out who was operating NAPPPA here.

Wednesday, 5 October 2011

Fake jobs: all-cajobs.com, all-ukjobs.com and alleur-positions.com

Here we go again.. three new domains that form part of this long-running scam.

all-cajobs.com
all-ukjobs.com
alleur-positions.com

The "jobs" offered are actually illegal activities such as money laundering. You may note that the email appears to come from yourself (here's why).

The domains are registered to a no-doubt fake registrant:

    Hose Sanches
    Email: hosesancges@yahoo.com
    Organization: Hose Sanches
    Address: Campo Grande, 83 1749-812
    City: Lisboa
    State: Lisboa
    ZIP: 1749-812
    Country: PT
    Phone: +35.1217982140

If you have any examples of emails soliciting replies to these domains, please consider sharing them in the Comments. Thanks!

Tuesday, 4 October 2011

SMS Spam: loanslineuk.co.uk / Gary McNeish

Here's an annoying SMS spam sent from +447979520064:

Short on Cash? Need a payday loan? 100% Apps Processed. Up to £750 today. Apply now at www.loanslineuk.co.uk to Opt Out Rply stop

We can easily identify the owner of loanslineuk.co.uk from their WHOIS records:


    Domain name:
        loanslineuk.co.uk

    Registrant:
        gary mcneish

    Registrant type:
        Unknown

    Registrant's address:
        flat 3 11a whitworth street
        opal house
        manchester
        M1 3GW
        United Kingdom

loanslineuk.co.uk simply forwards to moneyfix.co.uk via an affiliate link: www.moneyfix.co.uk/Default.aspx?AID=TETRUS&SAID=MONEYFIX_JPD_PARTNER1

The word "TETRUS" in the link is a clue. We can also see Gary McNeish's address on the domain for tetr.us.. well, we could before it was re-registered to an address in the Seychelles:

Registrant ID:                               CR17598876
Registrant Name:                             gary mcneish
Registrant Address1:                         flat 3 11a whitworth street
Registrant Address2:                         opal house
Registrant City:                             manchester
Registrant State/Province:                   lancashire
Registrant Postal Code:                      m1 3gw
Registrant Country:                          United Kingdom
Registrant Country Code:                     UK
Registrant Phone Number:                     +7.799764944
Registrant Email:                            gary@tetrustelecoms.com
Registrant Application Purpose:              P1

If we look at the domain registration for tetrustelecoms.com we see the bogus address:

    tetrus, tetrus  serialsniper@gmail.com
    tetrus
    capital city, lancashire M35 0AE
    SC
    +66.838273350

There can't be many people called Gary McNeish in Manchester. Oddly enough, this isn't the same Gary McNeish who was fingered for a fake Data Protection scam in 2002, but this Gary McNeish (Gary John Peter McNeish) was mentioned by the Daily Telegraph recently in an article called "For sale: your mobile phone number", which questioned the way that Mr McNeish obtained telephone numbers for leads.

According to Companies House, Tetrus Ltd was dissolved on 22/3/11, so it should no longer be trading.

If you get one of these, you should forward the spam to your carrier. In the case of T-Mobile, O2 and Orange the number to report to is 7726 ("SPAM"). Vodafone customers should use 87726 ("VSPAM") and Three customers should use 37726 ("3SPAM"). Hopefully the carriers will act if there are enough complaints.

Added: The Slough Times has some more background information here.

Several AdWords phishing sites at Prolexic

Prolexic is an anti-DDOS specialist hosting firm with a reputation for being one of the good guys. It's a bit of a surprise to see Google AdWords phishing sites on a Prolexic server, hopefully they won't be there for long.

The phishing messages look something like this:

From: Google AdWords
Subject: Google AdWords: You have a new alert.

------------------------
This message was sent from a notification-only email address that does
not accept incoming email. Please do not reply to this message. If you
have any questions, please our Help Center to find answers to
frequently asked questions.
------------------------

Dear Valued Customer, 

You have a new alert from Google Adwords.

Sign in to your AdWords account at http://www.googlernn.com/Select/login

Yours Sincerely,
The Google AdWords Team

It's difficult to know just how many phishing sites are on this server; however, the following can be identified:


Sites appear to be hosted on 72.52.4.95 along with thousands of legitimate sites. All the domains have been registered in the past few days with hidden domain registrations.

Monday, 3 October 2011

Something evil on 46.16.240.13

There's something evil on 46.16.240.13 that forms part of a banking trojan. Whatever the trojan is, it sends traffic to a set of randomly generated domains with a URL ending in pontis.com/index.php.

Most of these domains aren't registered at present, but a few are and they live on 46.16.240.13 with nameservers at 46.16.240.14 and 46.16.240.15. This IP belongs to iNet in the Ukraine.. I suggest blocking 46.16.240.0/24 completely as every site I have ever seen there has been malicious.
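As an added example (not code from the original posts), here is a small Python scanner that applies the indicators from this post and the SpyEye post above to a constructed proxy log: it flags ce.ms hosts fetching main.php, 194.219.29.139, anything in 46.16.240.0/24, and the apontis.com domain pattern. The four-random-letter prefix is an assumption inferred from the domains listed in the post, and the log format is a constructed simplification rather than any real proxy's format.

```python
import ipaddress
import re
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Indicators taken from the two posts (a starting point, not a complete feed).
SPYEYE_C2_IP = ipaddress.ip_address("194.219.29.139")
INET_UA_BLOCK = ipaddress.ip_network("46.16.240.0/24")
# SpyEye traffic: any subdomain of ce.ms fetching main.php.
SPYEYE_HOST_RE = re.compile(r"(^|\.)ce\.ms$")
# Unnamed banking trojan: the listed domains are all four lowercase letters
# followed by "apontis.com" (assumption inferred from the list), path index.php.
DGA_HOST_RE = re.compile(r"^[a-z]{4}apontis\.com$")

# Constructed sample log; each line is "<timestamp> <client> <method> <url>".
SAMPLE_LOG = """\
1317900000 10.0.0.5 GET http://3lshegijlsjelsf.ce.ms/main.php
1317900001 10.0.0.7 GET http://www.example.com/index.php
1317900002 10.0.0.9 GET http://bdpeapontis.com/index.php
1317900003 10.0.0.9 GET http://46.16.240.77/index.php
1317900004 10.0.0.5 GET http://194.219.29.139/
1317900005 10.0.0.8 GET http://abcdeapontis.com/index.php
"""


def classify(url: str) -> Optional[str]:
    """Return an indicator label for a suspicious URL, or None if it matches nothing."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    path = parts.path

    # Requests made directly to a literal IP address.
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        if ip == SPYEYE_C2_IP:
            return "spyeye-c2-ip"
        if ip in INET_UA_BLOCK:
            return "inet-ua-block"
        return None

    # Hostname-based indicators; the path check keeps generic hits down.
    if SPYEYE_HOST_RE.search(host) and path.endswith("/main.php"):
        return "spyeye-ce.ms"
    if DGA_HOST_RE.match(host) and path.endswith("/index.php"):
        return "apontis-dga"
    return None


def scan_log(text: str) -> List[Tuple[int, str, str, str]]:
    """Return (line number, client, url, label) for every line that hits an indicator."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if len(fields) < 4:
            continue  # malformed line, skip rather than crash the run
        label = classify(fields[3])
        if label:
            hits.append((lineno, fields[1], fields[3], label))
    return hits


if __name__ == "__main__":
    for lineno, client, url, label in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: {client} -> {url} [{label}]")
```

Note that abcdeapontis.com on the last sample line is deliberately not flagged: it has a five-letter prefix, so the assumed four-letter pattern does not match it.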

These domains seem to be active (a full list is at the end of the post including some inactive ones):

bdpeapontis.com
ljroapontis.com
llcpapontis.com
tbnpapontis.com
cuzqapontis.com
bpgwapontis.com
swbxapontis.com


WHOIS details:

bdpeapontis.com
   Frederic Ebner frederic_ebners@yahoo.com
   +1.2136748631 fax: +1.2136748631
   10216 Chrysanthemum Ln.
   Los Angeles CA 90077
   us

ljroapontis.com
   Justo Marquez Sanchez justomarquezsanchez@ymail.com
   +34.659192650 fax: +34.659192650
   Calle Las Monjas, 1
   Granada Granada 18600
   es

llcpapontis.com
   Helmut Koenig koenighelmut@yahoo.com
   +49.1733201046 fax: +49.1733201046
   Oberhofer Str. 26
   Zella-Mehlis Thuringen 98544
   de

tbnpapontis.com
   Armin Blocher arminblocher@rocketmail.com
   +49.02771801325 fax: +49.02771801325
   Langgasse 1
   Dillenburg Niedersachsen 35685
   de

cuzqapontis.com
   Denis Goertz denis.goertz@yahoo.com
   +49.1639836914 fax: +49.1639836914
   hochstr. 61
   Nettetal Lobberich Sachsenanhalt 41334
   de

bpgwapontis.com
   Pius Walleser walleser32@yahoo.com
   +49.1754218358 fax: +49.1754218358
   Kesslerstrasse 5
   Breisach Sachsen-Anhalt 79206
   de

swbxapontis.com
   Denis Goertz denis.goertz@yahoo.com
   +49.1639836914 fax: +49.1639836914
   hochstr. 61
   Nettetal Lobberich Sachsenanhalt 41334
   de

These registrant details have been used in malicious sites before, see "some German scam sites" for more details.

I don't know what trojan is causing this, or how the machine got infected. If you have any more details, please consider sharing them in the Comments. Thanks!

Expanded list:

Fake jobs: firstjob-market.com, tech-newposition.com and ukjob-market.com

Three new fake job domains today, apparently forming part of this long running scam.

firstjob-market.com
tech-newposition.com
ukjob-market.com

Emails sent soliciting replies to these domains may appear to come from your own email address (here's why). The so-called jobs being offered are actually criminal activities such as money laundering.

The no-doubt-fake registrant details are:

    Lucia Geleca
    Email: lucpolema@yahoo.fr
    Organization: Lucia Geleca
    Address: 12 rue des Camelias
    City: Alfortville
    State: Alfortville
    ZIP: 94141
    Country: FR
    Phone: +33.0148934367

Although the address itself is genuine, the registrant details are almost definitely bogus.

If you have any examples of spam emails "from" these domains, please consider sharing them in the Comments. Thanks!

Thursday, 29 September 2011

lastest-skype-updates.com spam

Here's a spam with a twist.

From: Skype.com skype@[spammer's email redacted for legal reasons]
Reply-To: newsletter@skype-systems.com
Date: 29 September 2011 07:23
Subject: New Updates Have Been Released For Skype ! Download Now‏

This is to notify that new updates have been released for Skype.

http://www.lastest-skype-updates.com/

Following are major new features :

* Up to 5-way group video call.
* Redesigned calling experience.
* Improved video snapshots gallery.
* Improved browser plugins performance on some websites.
* Reduced false positives on browser plugin phone number recognition.
* New presence icons.
* Improved handling of calling attempts made when the user has run out of credit.
* Improved access to sharing functionality

To download the latest version , go to :

http://www.lastest-skype-updates.com/

Start downloading the update right now and let us know what you think
about it.

Talk soon,

The people at Skype

The email has been sent to an address harvested from the Epsilon data breach. That's not surprising.. what is surprising is that it has been sent through a UK company that specialises in selling mailing lists and sending bulk commercial email. Perhaps dealing in stolen data is an honest mistake, but perhaps the ICO would like to make that determination.

DNS resolution for this site seems to flip between 87.106.104.178 [1&1, UK] and 122.224.4.108 [Ninbo Lanzhong Network Ltd, China]. Of these, the Chinese address is the most interesting, with the following slimeware domains hosted:


If you live in the UK and have the technical expertise to identify the owner of the sending IP address, please consider filing a complaint with the ICO to make sure that they understand the issue.

Monday, 26 September 2011

SMS Spam: "Due to a new legislation, those struggling with debt .."

Some sort of debt management spam this time. You can bet that these people will probably charge a lot for their services, and dealing with spammers is usually a bad idea in any case.

Due to a new legislation, those struggling with debt can now apply to have it written off. For Free information reply INFO or to opt-out text stop. Free Text!

In this case, the spam originated from +447977237820 although these numbers change regularly.

If you get one of these, you should forward the spam to your carrier. In the case of T-Mobile, O2 and Orange the number to report to is 7726 ("SPAM"). Vodafone customers should use 87726 ("VSPAM") and Three customers should use 37726 ("3SPAM"). Hopefully the carriers will act if there are enough complaints.

There's a good article about protecting yourself from unscrupulous debt management companies here.

Sunday, 25 September 2011

Fake jobs: hire-position.com and work-position.net

Two new fake job domains with a twist, possibly the same scammers who are behind this long-running spam/scam campaign.

hire-position.com
work-position.net

Domains were registered just yesterday via a Russian registrar to an address in Spain which is most likely fake:

    Ivan Gonsalez
    Email: ivan4gonzalez@yahoo.es
    Organization: Ivan Gonsalez
    Address: P. de Extremadura 151
    City: Madrid
    State: Madrid
    ZIP: 28011
    Country: ES
    Phone: +34.914641145 

This rabbit hole goes a bit deeper than usual, because the ivan4gonzalez@yahoo.es email address has been used before, for the domain girsland.ru

domain: GIRSLAND.RU
nserver: ns1.strategy-recruiting.org.
nserver: ns2.strategy-recruiting.org.
state: REGISTERED, DELEGATED, UNVERIFIED
person: Private Person
e-mail: ivan4gonzalez@yahoo.es
registrar: REGTIME-REG-RIPN
created: 2011.07.26
paid-till: 2012.07.26
source: TCI

Girsland.ru has a reputation for being spammy and it looks like a typical romance scam site. As with hire-position.com and work-position.net, it's odd that a Spanish address is being used for domains that are either in the Russian TLD or are being registered through a Russian registrar.

Girsland.ru is hosted on 173.234.8.215 at Ubiquity Server Solutions Atlanta, although it looks like the IP block might be rented out to a company called Nobis Technology Group LLC in Arizona. There are some nasty things going on in that IP neighbourhood according to SiteVet.

What else can we find on 173.234.8.215? It turns out that there's a rich vein of nastiness here.

actionfg.com - "Action Financial. All of your financial services in one place."
Chinese registrar, fake WHOIS details. Fake check scam. [1] [2]
Michael L. Walter
Michael Walter MichaelLWalter@teleworm.com
314-849-7082 fax: 314-849-7011
2523 Ash Avenue
Saint Louis MO 63126
us
NS: ns1.wapcco.net and ns2.wapcco.net

adena-job.com
Chinese registrar, fake WHOIS details. Fake job offers. [3]
Name: Ana Bates
Organization: Ana N. Bates
Address: 789 Pinchelone Street
City: Herndon
Province/state: VA
Country: us
Postal Code: 22090
Email: AnaNBates@ymail.com
NS: ns1.needafishingboat.net and ns2.needafishingboat.net

adenafinance.com - "Adena Finance. All of your financial services in one place."
Chinese registrar, fake WHOIS details.

Eric M. Dillinger
Eric Dillinger EricMDillinger@gmail.com
+1.5305125808 fax: +1.5305125808
1467 Hill Croft Farm Road
Sacramento CA 95814
us
NS: ns1.needafishingboat.net and ns2.needafishingboat.net

arrowfg.com - "Arrow Financial Group"
Chinese registrar, fake WHOIS details. Money mule scam [4] [5]
William K. Breen
William Breen WilliamKBreen@teleworm.com
606-542-3946 fax: 606-542-3922
62 Meadowcrest Lane
Flat Lick KY 40982
us
NS: ns1.careerhiring-solutions.org and ns2.careerhiring-solutions.org

freeblogpro.org - "Surprise!!!"
Chinese registrar, fake WHOIS details. Malware distribution. [6] [7]
Registrant ID:TOD-42629838
Registrant Name:Gertrude Mcmillan
Registrant Organization:Gertrude D. Mcmillan
Registrant Street1:250 Reynolds Alley
Registrant Street2:
Registrant Street3:
Registrant City:Long Beach
Registrant State/Province:CA
Registrant Postal Code:90808
Registrant Country:US
Registrant Phone:+1.5623772946
Registrant Phone Ext.:
Registrant FAX:+1.5623772946
Registrant FAX Ext.:
Registrant Email:GertrudeDMcmillan@gmail.com
NS: NS1.SLOWSTATUS.NET and NS2.SLOWSTATUS.NET

krokodilius8.com
Chinese registrar, fake WHOIS details. Malware distribution. [8]

Richard J. Aguilar
Richard Aguilar RichardJAguilar@gmail.com
+1.2523933705 fax: +1.2523933705
3458 Green Acres Road
Swansboro NC 28584
us
NS: ns1.barcellons.com and ns2.barcellons.com

rdm-gool.net - "Surprise!!!"
Chinese registrar, fake WHOIS details. Probably malware distribution.
Lincoln P. Miller
Lincoln Miller LincolnPMiller@gmail.com
+1.4156774378 fax: +1.4156774378
813 Boring Lane
San Francisco CA 94108
us
NS: ns1.slowstatus.net and ns2.slowstatus.net

recruitarrowfg.com
Chinese registrar, fake WHOIS details. Fake job offers [9] [10]
Name: Fletcher Leach
Organization: Fletcher C. Leach
Address: 180 Deer Ridge Drive
City: Millburn
Province/state: NJ
Country: us
Postal Code: 07041
Email: FletcherCLeach@aol.com
NS: ns1.careerhiring-solutions.org and ns2.careerhiring-solutions.org

superblogonline.org - "Surprise!!!"
Chinese registrar, fake WHOIS details. Malware distribution [11] [12]
Registrant ID:TOD-42637428
Registrant Name:Ernest Thomas
Registrant Organization:Ernest R. Thomas
Registrant Street1:228 Riverside Drive
Registrant Street2:
Registrant Street3:
Registrant City:Athens
Registrant State/Province:GA
Registrant Postal Code:30606
Registrant Country:US
Registrant Phone:+1.7068186834
Registrant Phone Ext.:
Registrant FAX:+1.7068186834
Registrant FAX Ext.:
Registrant Email:ErnestRThomas@aol.com
NS: NS1.SLOWSTATUS.NET and NS2.SLOWSTATUS.NET

thebloggin.net - "Surprise!!!"
Chinese registrar, fake WHOIS details. Malware distribution [13] [14]
Justin R. Martinez
Justin Martinez JustinRMartinez@aol.com
+1.3235224026 fax: +1.3235224026
2898 Evergreen Lane
Pomona CA 91766
us
NS: ns1.slowstatus.net and ns2.slowstatus.net

yourtraveldiary.net - "Surprise!!!"
Chinese registrar, fake WHOIS details. Malware distribution [15]
Name: Paula Huerta
Organization: Paula A. Huerta
Address: 3993 Payne Street
City: Hillsville
Province/state: VA
Country: us
Postal Code: 24343
Email: PaulaAHuerta@gmail.com
NS: ns1.slowstatus.net and ns2.slowstatus.net

Querying the nameservers reveals some more domains that look worth blocking as well. In total, blocking the following related domains will probably be a very good thing to do.

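The pivot used above (one registrant email shared by girsland.ru and hire-position.com, and one nameserver pair shared by the "Surprise!!!" domains) can be automated. The following is an added example, not the blog's own tooling: it parses simple key: value records constructed from the registrant details quoted in this post and groups domains by shared registrant email or nameserver zone. The record layout and the ns_zone helper are assumptions; real WHOIS output differs from registrar to registrar and needs per-registrar parsing.

```python
"""Cluster domains by shared WHOIS attributes (registrant email, NS zone).

Added example, not code from the original post. Records below are
constructed from the details quoted in the post; the "key: value" layout
is an assumption that real WHOIS output will not always follow.
"""
from collections import defaultdict
import re

# Constructed sample: one blank-line separated record per domain. NS lines
# carry two hosts joined by " and " (as quoted), RU records use one
# "nserver:" line per host with a trailing dot.
SAMPLE_RECORDS = """\
domain: girsland.ru
e-mail: ivan4gonzalez@yahoo.es
nserver: ns1.strategy-recruiting.org.
nserver: ns2.strategy-recruiting.org.

domain: hire-position.com
Email: ivan4gonzalez@yahoo.es

domain: freeblogpro.org
Registrant Email:GertrudeDMcmillan@gmail.com
NS: NS1.SLOWSTATUS.NET and NS2.SLOWSTATUS.NET

domain: thebloggin.net
Email: JustinRMartinez@aol.com
NS: ns1.slowstatus.net and ns2.slowstatus.net

domain: adena-job.com
Email: AnaNBates@ymail.com
NS: ns1.needafishingboat.net and ns2.needafishingboat.net
"""

EMAIL_KEYS = {"e-mail", "email", "registrant email"}
NS_KEYS = {"nserver", "ns"}


def parse_records(text):
    """Split blank-line separated records into dicts of lowercased value lists."""
    records = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        rec = defaultdict(list)
        for line in chunk.splitlines():
            if ":" not in line:
                continue
            key, value = line.split(":", 1)
            key = key.strip().lower()
            value = value.strip().lower()
            if key in NS_KEYS:
                # "ns1.x and ns2.x" on one line, or one nserver per line;
                # drop the trailing dot of the RU-style FQDN
                for host in re.split(r"\s+and\s+", value):
                    rec["ns"].append(host.rstrip("."))
            elif key in EMAIL_KEYS:
                rec["email"].append(value)
            else:
                rec[key].append(value)
        if rec.get("domain"):
            records.append(dict(rec))
    return records


def ns_zone(host):
    """ns1.slowstatus.net -> slowstatus.net: the zone is the pivot key for NS."""
    return re.sub(r"^ns\d+\.", "", host)


def pivot(records):
    """Map each pivot value (email or NS zone) to the domains that share it.

    Only pivots shared by two or more domains are returned, since a value
    seen once links nothing.
    """
    index = defaultdict(set)
    for rec in records:
        domain = rec["domain"][0]
        for email in rec.get("email", []):
            index[("email", email)].add(domain)
        for host in rec.get("ns", []):
            index[("ns", ns_zone(host))].add(domain)
    return {key: sorted(doms) for key, doms in index.items() if len(doms) > 1}


if __name__ == "__main__":
    for (kind, value), domains in sorted(pivot(parse_records(SAMPLE_RECORDS)).items()):
        print(f"{kind:5} {value:30} {', '.join(domains)}")
```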
Friday, 23 September 2011

dfrgcc.com injection attack in progress

Thousands of sites are currently being hit by an injection attack pointing to dfrgcc.com/ur.php, a domain registered to someone using the infamous hotmailbox.com domain for email.

   JamesNorthone
   James Northone jamesnorthone@hotmailbox.com
   +1.5168222749 fax: +1.5168222749
   128 Lynn Court
   Plainview NY 11803
   us

The site is hosted on 188.229.88.103 which is the equally infamous Netserv Consult SRL in Romania. 188.229.88.103 hosts the following sites:

bookfula.com
bookgusa.com
bookmonn.com
bookmono.com
booknunu.com
bookvila.com
bookzula.com
dfrgcc.com
file-dl.com
xxxtubes8.com

These domains are pretty familiar, having previously been hosted in Lithuania. This marks them out as the same people behind the infamous LizaMoon attack.

Netserv Consult SRL host a wide variety of bad sites. Blocking 188.229.0.0/17 (188.229.0.0 - 188.229.127.255) will probably do you no harm.

Thursday, 22 September 2011

Evil network: Relikts BVK / Sagade Ltd (46.252.130.0/23)

One of the most persistently evil IP ranges on the net, Sagade Ltd appears to deal exclusively with criminals and it is hard to find any legitimate customers at all. Despite the arrest of two people closely related to Sagade, the 46.252.130.0/23 netblock seems to be very much active and still up to its old tricks.

Sites in this block are used for injection attacks, malware distribution, phishing and money mule recruitment.

The contact details for this block are:

inetnum:        46.252.130.0 - 46.252.131.255
netname:        Sagade
descr:          users
country:        LV
admin-c:        AK6804-RIPE
tech-c:         AK6804-RIPE
status:         ASSIGNED PA
mnt-by:         andrejskaminskis-mnt
source:         RIPE #Filtered

person:         Andrejs Kaminskis
address:        Latgales 32/34, Rezekne, Latvia
phone:          +37127580487
e-mail:         reliktbvk@gmail.com
nic-hdl:        AK6804-RIPE
mnt-by:         andrejskaminskis-mnt
source:         RIPE #Filtered

route:          46.252.130.0/23
descr:          users
origin:         AS52055
mnt-by:         andrejskaminskis-mnt
source:         RIPE #Filtered

This gives the "Sagade" netname. Digging deeper into AS52055 gives:

aut-num:        AS52055
as-name:        Relikt
descr:          SIA "Relikts BVK"
org:            ORG-SB308-RIPE
import:         from AS15626 accept ANY
export:         to AS15626 announce AS52055
admin-c:        AK6804-RIPE
tech-c:         AK6804-RIPE
notify:         reliktbvk@gmail.com
mnt-by:         RIPE-NCC-END-MNT
mnt-by:         andrejskaminskis-mnt
mnt-routes:     andrejskaminskis-mnt
changed:        reliktbvk@gmail.com 20110601
source:         RIPE

Was the block transferred from Sagade to Relikts BVK? Possibly. RIPE gives the following contact details:

SIA "Relikts BVK"
Latgales 32/34
LV-4601 Rezekne
LATVIA

phone:   +37127580487
fax:  +37125390001
e-mail:  reliktbvk (at) gmail (dot) com

So, what's so evil on the Relikts BVK / Sagade Ltd block? Here are some examples:

acrossuniverseitbenet.com (46.252.130.6)
Injection attacks [1] [2] [3]

acrossuniverseitbeorg.com (46.252.130.6)
Injection attacks [4] [5]

globalpoweringgathering.com (46.252.130.6)
Injection attacks [6] [7]

globalpoweringgatheringon.com (46.252.130.6)
Injection attacks [8] [9] [10]

infoitpoweringgatheringit.com (46.252.130.6)
Injection attacks [11]

infoitpoweringgatheringon.com (46.252.130.6)
Injection attacks [12]

lessthenaseconddeal.com (46.252.130.6)
Injection attacks [13]

cryptsnet.net (46.252.130.34)
Malware distribution [14] [15]

yahoostat.com (46.252.130.121)
Malware distribution [16] [17] [18]

ipcountstat.ru (46.252.130.122)
Malware distribution [19] 

elita-od.ru (46.252.130.156)
Phishing [20]

katherinegordonwilliams.com (46.252.130.205)
Injection attacks [21]

facebook-surprise-njwo.tk (46.252.131.7)
Malware distribution [22] [23]

ddk100.com (46.252.131.8)
Malware distribution [24] [25] [26]

tubemoviesforfree.com (46.252.131.28)
Malware distribution [27]

your24domain.com (46.252.131.55)
Malware distribution [28] 

Clearly, blocking access to 46.252.130.0/23 is an excellent idea, or use the list of domains at the end of the post. You can download a full list of current Relikts / Sagade hosted sites from here [csv] with myWOT ratings attached.

What is amazing about this operation is that they still have upstream providers who are happy to allow this clearly criminal operation to continue.

Fake jobs: totaljob-us.com

Another fake job offer, part of this long-running series of spam/scam emails.

From: Spam Victim
Sent: 21 September 2011 20:18
To: Spam Victim
Subject: Current Vacancy

Urgente!

Solicitamos personal de cofianza para trabajo a largo plazo en la seccion financiera.
Estudiantes, amas de casa etc...
tambien pueden conseguir trabajo en la empresa, el trabajo no toma mucho tiempo, requiere de mucha responsabilidad.

No es marqueting! Ni nada parecido.
Trabajamos con mas de 10 paises del mundo para hacer nuestras transferencias.
La empresa se dedica a hacer transferencias de dinero local y internacional.

Sus datos personales favor enviar al correo electronico: Ana@totaljob-us.com

Deje su telefono movil para que nuestro operador se contacte con usted.

En espera de sus curriculums,  Ana Sykes

The email appears to come "from" the spam victim (here's why). The domain was registered just yesterday to an "Alexey Kernel" at a fake address in the Ukraine.

Some other "reply to" addresses are:
Casandro@totaljob-us.com
Gad@totaljob-us.com
Prospero@totaljob-us.com
Martirio@totaljob-us.com
Guy@totaljob-us.com
Melvis@totaljob-us.com
Muneca@totaljob-us.com

Subjects include "Current Vacancy", "Job Offer - Flexible Hours", "Get a New Job Today", "Current Open Position", "Administrative Assistant Vacancy" and "Employment Opportunity". Oddly, the subject is in English even though the body of the message is in Spanish.

The jobs offered will be money laundering and other illegal activities. If you have any samples that are different, please consider sharing them in the Comments. Thanks!

Wednesday, 21 September 2011

dossier-ua.com Joe Job

dossier-ua.com is a site that is critical about politics in the Ukraine, and names several individuals and governmental bodies in connection with alleged wrongdoing.

Obviously, they have upset somebody because there is currently a Joe Job campaign against the site, presumably in an attempt to have the site shut down:

Subject: {Snuff filmes|Snuff films}
From: david -at- davidbreach.co.uk
Reply-To: dossieruacom -at- gmail.com

{Hi!|Hello!|Good day!}
You can {see|watch|download} child {pron|porn} and snuff {filmes|films} now for free and without registration.
Just email us what do you want to see (child {pron|porn} or some snuff {filmes|films}) and we will
send you back what did you ordered. Only hardcore cam murders, children fukcing,
awesome bloody maniacs and vrigins may brind you a lot of brillian hours! This is
happened in reality and no any montage so be the one who seen this!

http://dossier-ua.com/?p=852

Contact us to pay for pron:
politblok -at- gmail.com

In this case, the email came from a server called davidbreach.co.uk, a wholly legitimate domain that appears to have been hacked, hosted at Node 4 in the UK. The mail originates from 93.174.141.52 (also Node 4). An examination of the mail headers indicates that it may originally have come from 151.16.60.68, an IP address in Milan, probably a compromised PC.

Dossier-ua.com is a political blog. There is no evidence at all that it is involved in distributing pornography or illegal material. If you receive an email of this nature, you should report it to the abuse address of the sender's IP, it is probably not worth bothering dossier-ua.com's web host.

Evil network: RONET / ro-net.eu (91.229.90.0/23)

RONET (aka. ro-net.eu) seems to be a new netblock occupying the 91.229.90.0/23 (91.229.90.0 - 91.229.91.255) range. This block has several sites recently moved from Netserv Consult SRL (who have a very bad reputation), all of which appear to be involved in criminal activity.

Although the number of sites is very low at present (just 30), the use of a /23 block indicates that perhaps this will be used for more sites very soon. Blocking 91.229.90.0/23 preemptively would probably be an excellent idea.

Here are some examples of evilness:

bywordelectronics.com [91.229.90.11]
Money mule scam / fake jobs [1] [2] [3] [4]

admagnet1.com [91.229.90.35]
Malware distribution [5] [6] [7]

eyebluster-sv1.com [91.229.90.37]
Malware distribution [8] [9]

Other domains are registered with fake WHOIS details which is never a good sign.

The 91.229.90.0/23 range is registered to:

inetnum:         91.229.90.0 - 91.229.91.255
netname:         RONET
descr:           FOP Varovaev Leonid Gennadevich
country:         EU
org:             ORG-VARO1-RIPE
admin-c:         AV6418-RIPE
tech-c:          AV6418-RIPE
status:          ASSIGNED PI
mnt-by:          RIPE-NCC-END-MNT
mnt-lower:       RIPE-NCC-END-MNT
mnt-by:          VAROVAEV-MNT
mnt-routes:      VAROVAEV-MNT
mnt-domains:     VAROVAEV-MNT
source:          RIPE # Filtered

organisation:    ORG-VARO1-RIPE
org-name:        FOP Varovaev Leonid Gennadevich
org-type:        OTHER
address:         H-1120 Budapest,  Street Gabor Denes, 4, Hungary
mnt-ref:         VAROVAEV-MNT
mnt-by:          VAROVAEV-MNT
source:          RIPE # Filtered

person:          Anton Varnai
address:         H-1120 Budapest
address:         Street Gabor Denes, 4
address:         Hungary
abuse-mailbox:   abuse@ro-net.eu
phone:           +3614585544
nic-hdl:         AV6418-RIPE
mnt-by:          VAROVAEV-MNT
source:          RIPE # Filtered

% Information related to '91.229.90.0/23AS6753'

route:           91.229.90.0/23
descr:           RONET
origin:          AS6753
mnt-by:          VAROVAEV-MNT
source:          RIPE # Filtered

Of note is the fact that ro-net.eu was only registered two weeks ago with anonymous registration details. Also, note that although the address is in Hungary, the RONET name would indicate that it still has a ROmanian connection.

Another oddity is that the network announces itself as part of AS17088 which is allocated to Currenex, Inc. There seems to be no connection at all between Currenex, Inc and RONET, so perhaps this is an error or some kind of forgery.

You can find a full list of domains and MyWOT ratings in this CSV file. Alternatively, the currently hosted domains are listed below.

Monday, 19 September 2011

Evil network: Alexey Klimenko / UAHOSTER-NET / uahoster.org / GreatHost-ALTNET, AS41390 (91.217.153.0/24)

This sordid little corner of the internet came up while investigating some SpyEye C&C servers on 91.217.153.110:

webchoke.com
webdisar.com
webdecay.com
webawoke.com

These servers sit in a netblock of 91.217.153.0/24 (91.217.153.0 - 91.217.153.255) and form part of AS41390 (more of which later). The contact details for the block are:

inetnum:        91.217.153.0 - 91.217.153.255
netname:        UAHOSTER-NET
descr:          PP Alexey Klimenko
country:        UA
org:            ORG-PAK5-RIPE
admin-c:        AK6545-RIPE
tech-c:         AK6545-RIPE
status:         ASSIGNED PI
mnt-by:         RIPE-NCC-END-MNT
mnt-by:         ROWER-MNT
mnt-lower:      RIPE-NCC-END-MNT
mnt-routes:     ROWER-MNT
mnt-domains:    ROWER-MNT
source:         RIPE #Filtered

organisation:   ORG-PAK5-RIPE
org-name:       PP Alexey Klimenko
org-type:       OTHER
address:        Ukraine, Sevastopol,
address:        Heroev Sevastopola 21-10
phone:          +380994015332
abuse-mailbox:  abuse@uahoster.org
mnt-ref:        ROWER-MNT
mnt-by:         ROWER-MNT
source:         RIPE #Filtered

person:         Alexey Klimenko
address:        Ukraine, Sevastopol,
address:        Heroev Sevastopola 21-10
phone:          +380994015332
nic-hdl:        AK6545-RIPE
mnt-by:         ROWER-MNT
source:         RIPE #Filtered

route:          91.217.153.0/24
descr:          GreatHost-ALTNET
origin:         AS41390
mnt-by:         ROWER-MNT
source:         RIPE #Filtered

These details largely match those for the domain uahoster.org, which is itself hosted in this netblock.

An examination of the sites on 91.217.153.0/24 show a high proportion of malware, work-at-home-scams, money mule operations, phishing (especially for VKontakte credentials), fake prescription sites, and dubious pay-per-install schemes. Just about the only sites that don't fit into these categories are porn sites. There seems to be nothing worth visiting in this range, so blocking 91.217.153.0/24 is probably a good idea.

A list of sites can be found at the end of this post, alternatively you can download a list with IP addresses and myWOT rating from here [csv].

91.217.153.0/24 resides in AS41390, which appears to consist of three loosely connected blocks:

91.217.153.0/24   GreatHost-ALTNET
194.247.48.0/24   WorkStone-AltNET
195.3.144.0/22    RN DATA DC

Usually, all the networks in an AS belong to the same company. In this case two of them say "Altnet". In fact, we came across Altnet and AS41390 last year when they were hosting crap on the 195.3.144.0/22 range. They seem to have changed their name since then, and the new "RN DATA DC" block does seem largely clean. Altnet are (or were) a colo, so perhaps the "GreatHost" block is in one of their datacenters.

This is what Google thinks of AS41390:

Safe Browsing
Diagnostic page for AS41390 (RN)

What happened when Google visited sites hosted on this network?

    Of the 180 site(s) we tested on this network over the past 90 days, 4 site(s), including, for example, fusker.lv/, claw429.ltd.ua/, airline-promo.com/, served content that resulted in malicious software being downloaded and installed without user consent.

    The last time Google tested a site on this network was on 2011-09-18, and the last time suspicious content was found was on 2011-09-18.

Has this network hosted sites acting as intermediaries for further malware distribution?

    Over the past 90 days, we found 4 site(s) on this network, including, for example, filesd.in/, bradpittfanclub.org/, rotatobanner.com/, that appeared to function as intermediaries for the infection of 57 other site(s) including, for example, healthcarevolunteer.com/, aratilis.org/, thejourneyonline.org/.

Has this network hosted sites that have distributed malware?

    Yes, this network has hosted sites that have distributed malicious software in the past 90 days. We found 37 site(s), including, for example, cokk87.com/, chairframeede.com/, filesd.in/, that infected 668 other site(s), including, for example, imevial.cl/, daum.net/, cinemundo.cl/.

SiteVet's prognosis is also not very good. It has to be said though that the bulk of the bad activity is in the 256 IPs (and less than 200 sites) in the 91.217.153.0/24 range. Blocking access to 91.217.153.0/24 will probably be sufficient, or if you block by domains only then use the following list:

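The blocking advice across these posts (188.229.0.0/17, 46.252.130.0/23, 91.229.90.0/23 and 91.217.153.0/24) is easiest to act on if you can check it against your own proxy logs. This is an added example, not code from the blog: it converts a CIDR to the first-last form the posts quote next to /17, and flags constructed squid-style log lines whose destination IP falls inside one of those nets. The log line layout is an assumption.

```python
"""Match log destinations against the netblocks these posts recommend blocking.

Added example, not the blog's own code. The CIDRs and operator names are
taken from the posts; the log lines are constructed and their
"timestamp client dest_ip url" layout is an assumption.
"""
import ipaddress
import re

# Netblocks the posts recommend blocking outright, keyed by CIDR.
BLOCKED_NETS = {
    "188.229.0.0/17": "Netserv Consult SRL",
    "46.252.130.0/23": "Relikts BVK / Sagade Ltd",
    "91.229.90.0/23": "RONET / ro-net.eu",
    "91.217.153.0/24": "UAHOSTER-NET / GreatHost-ALTNET",
}
NETWORKS = [(ipaddress.ip_network(cidr), who) for cidr, who in BLOCKED_NETS.items()]


def cidr_range(cidr):
    """Return (first, last) addresses of a CIDR, e.g. /17 -> 188.229.0.0 - 188.229.127.255."""
    net = ipaddress.ip_network(cidr)
    return str(net.network_address), str(net.broadcast_address)


def lookup(ip):
    """Return the operator name if ip lies inside a blocked net, else None."""
    addr = ipaddress.ip_address(ip)
    for net, who in NETWORKS:
        if addr in net:
            return who
    return None


# Constructed sample log: "timestamp client dest_ip url". The first, third
# and fourth lines use hosts named in the posts; the last is a neighbouring
# address just outside the /17 to show the boundary holds.
SAMPLE_LOG = """\
1316691000.123 10.0.0.12 188.229.88.103 http://dfrgcc.com/ur.php
1316691001.456 10.0.0.12 93.184.216.34 http://example.com/
1316691002.789 10.0.0.33 46.252.131.8 http://ddk100.com/
1316691003.001 10.0.0.40 91.217.153.110 http://webchoke.com/
1316691004.002 10.0.0.40 188.230.1.1 http://neighbour.example/
"""
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)")


def scan_log(text):
    """Return (client, dest_ip, url, operator) for every line hitting a blocked net."""
    hits = []
    for line in text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue  # skip malformed lines rather than abort the scan
        _ts, client, dest, url = match.groups()
        who = lookup(dest)
        if who:
            hits.append((client, dest, url, who))
    return hits


if __name__ == "__main__":
    for cidr in BLOCKED_NETS:
        first, last = cidr_range(cidr)
        print(f"{cidr:18} {first} - {last}")
    for client, dest, url, who in scan_log(SAMPLE_LOG):
        print(f"{client} -> {dest} ({who}) {url}")
```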
Saturday, 17 September 2011

Fake jobs: careers-consult.com, europe-career.com and usa-newcareer.com

Three new domains used to advertise bogus jobs (which will actually be money laundering or other criminal activities).

careers-consult.com
europe-career.com
usa-newcareer.com

The approach is the same as the domains registered two days ago, and indeed this has been going on for several years. The spam may appear to come from your own email address (here's why).

If you have any sample emails using this domain to solicit replies, please consider sharing them in the Comments. Thanks!