Sponsored by..

Monday, 24 October 2011

Scam sites on 84.22.161.169

84.22.161.169 (IOMART Ltd, UK) seems to have some problems with scam sites, such as the one mentioned in this post. I haven't had time to check the whole range, but most of the sites they host are legitimate, these however appear to be bogus.

mailukrsoft.com

    Rogers, Sid  via@viagrasuperpills.com
    March St 43
    San Antonio, Tx 7820 1
    US
    +1.2103354574

mailopal.com

    Weis, Albert  albert.weiso@yahoo.com
    56 Dashington Avenue
    New York State, West  Stay Ville 1179 6
    US
    +1.016312918436

ukraiansoftware.com

    Mitch, Ray  vpx@vpxlpillstore.com
    Po Box 434
    Grand Prairie, Tx 7505 0
    US
    +1.5743436654

ukrdevonline.net

    SMITH, THOMAS  akky@buyaccutane.us
    14664 State Hwy B
    Marshfield, Mo 6570 6
    US
    +1.4177377167

ukrsoft.org

Registrant ID:tu1tWtvki2quecE9
Registrant Name:raymond russ
Registrant Organization:raymond russ
Registrant Street1:229 west 78 street
Registrant Street2:
Registrant Street3:
Registrant City:new york
Registrant State/Province:newyork
Registrant Postal Code:10024-6646
Registrant Country:US
Registrant Phone:+1.2125953001
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Registrant Email:raymondruss@yahoo.com

ukrsoftmail.com

    Smith, David  david.smith791@yahoo.com
    1845 east northgate drive
    Irdi ange, Texas 75062- 47 36
    US
    +1.019277214101

westmailwug.com

    morrison, dennis  morrison.wug78@yahoo.com
    575
    texas, texas fghhy2
    US
    +1.9723479881

westunionhome.com

    Walters, Hank  doggerellhlog@gmail.com
    Railway Circle 55
    Hannibal, Mo 6340 1
    US
    +1.5734564433

westunionweb.com

    Jacks, Michael  griswoldmopar@gmail.com
    Forest Ave 65
    Oak Park, Illinois  6030 1
    US
    +1.7085561232

taurus-analityc.com

    De Gaetano, Richard  xsponger@gmail.com
    1001 Lincoln Avenue
    Lockport, Newyork 14094
    US
    +44.017164336832

taurus-mac.com

    Vanko, Ken  eudociafrequk@gmail.com
    16st 65 Ap 44
    San Diego, Ca 9210 1
    US
    +1.4342268876

The Register blunders, hands itself into the ICO

Oops.

From: The Register marketing@theregister.co.uk
Date: 24 October 2011 18:28
Subject: Apologies from The Register
       
Hello,

This morning the name and email address you used to register for The
Register was mistakenly sent to 3,521 individuals, also readers of
The Register.

We've contacted them asking them to delete the email and respect your
privacy.

We are of course terribly sorry for this error and have reported
ourselves to the ICO. Our initial statement is here:

http://www.theregister.co.uk/2011/10/24/email_blunder/

You are free to edit or delete your account details here:

http://account.theregister.co.uk/register/

If you have any questions or would just like to rant at us please
send emails to mailto:data@theregister.co.uk


Best Regards
The Register

There's a couple of interesting things here - one is that The Register did the decent thing and reported the breach, it will be interesting to see the ICO's reaction when they ignore more serious breaches all the time. The second one is that the email address I used to err register is unique to The Register. Will I start getting spam as a result of it being sent out to 3521 people, or would it require more.

Anyway, Kudos to The Register for coming clean. You can read more about it here.

mailukrsoft.com: job scammers in action

A post over at woozoo.nl caught my eye (in Nederlands, Google Translated to English) about the netherlandjobb.com scam. Robert Krom goes several steps further than I usually do with a good investigation into how the scammers try to rope people in.

Robert identifies mailukrsoft.com  as the next stage in the scam. To me, it looks like it is run by a different crew, but scammers tend to oursource activities to others these days. It appears that one group of scammers may be looking for money mules and then selling them on to others.

Sunday, 23 October 2011

Fake jobs: jobbworld.com and yourjobb.com

Two new domains being used to recruit for fake jobs, which actually turn out to be illegal activities such as money laundering.

jobbworld.com
yourjobb.com

This is part of a long-running scam that has been going on for ages. One characteristic of the spam received is that it appears to come from your own email address (here's why).

If you have any examples of spam using these domains for reply addresses, please consider sharing them in the Comments.

Here is one sample:

Date: 24 October 2011 20:15
Subject: Deeltijdarbeid
   
Ik wil uw aandacht brengen en u te informeren dat Consulting Bedrijf beginnen  proces te inhuren en geven u een
grote kans om carrière te beginnen  nu met veel voordelen en de voordelen van dit werek.

Als u besloten om onderbreking in uw carrière te maken, of u op een moederschapsverlof bent,
onlangs gepensioneerde of gewoon op zoek naar enkele aanvullende tijdelijk baan, dit standpunt is enkel voor u gemaakt.

Werkende uuren: Flexibele tijdschema van van 1 tot 3 uur per dag. We garanderen ongeveer 20 uur een week bezetting.
Salaris en voordelen: begin salaris is variërend van 2000 tot 2500 euro per maand,
vermeerderd met extra commissie als u alle taken nauwkeurig vervullen.

Regio: Europese Unie.

Houd er rekening mee dat er geen betalingen of elke andere trucs om te gaan werken voor ons zijn.

Indien geïnteresseerd en wil u verzoeken een aanvraagformulier toepassen voor deze positie,
uw interview plannen en of gewoon meer informatie ontvangen over deze positie voordat u toepast,
kunt u antwoord op deze e-mail en stuur ons uw contact informatie.

In het onderwerp van e-mail Geef uw persoonlijk identificatienummer voor deze positie IDNO: 04459

Als u geïnteresseerd bent, kunt u reageren op: Damion@yourjobb.com,bedank!

And another one that seems to drift between Dutch and Czech for a while..

Subject: Vacature
   
Ik wil uw aandacht brengen en u te informeren dat Consulting Bedrijf beginnen  proces te inhuren en geven u een
grote kans om carričre te beginnen  nu met veel voordelen en de voordelen van dit werek.

Als u besloten om onderbreking in uw carričre te maken, of u op een moederschapsverlof bent,
onlangs gepensioneerde of gewoon op zoek naar enkele aanvullende tijdelijk baan, dit standpunt is enkel voor u gemaakt.

Werkende uuren: Flexibele tijdschema van van 1 tot 3 uur per dag. We garanderen ongeveer 20 uur een week bezetting.
Salaris en voordelen: begin salaris is variërend van 2000 tot 2500 euro per maand,
vermeerderd met extra commissie als u alle taken nauwkeurig vervullen.

Regio: Europese Unie.

Houd er rekening mee dat er geen betalingen of elke andere trucs om te gaan werken voor ons zijn.

Indien geďnteresseerd en wil u verzoeken een aanvraagformulier toepassen voor deze positie,
uw interview plannen en of gewoon meer informatie ontvangen over deze positie voordat u toepast,
kunt u antwoord op deze e-mail en stuur ons uw contact informatie.

In het onderwerp van e-mail Geef uw persoonlijk identificatienummer voor deze positie IDNO: 64594

Als u geďnteresseerd bent, kunt u reageren op: Fidel@yourjobb.com,bedank!

Thursday, 20 October 2011

Fake jobs: canada-newjob.com, netherlandjobb.com and newjobrecruit.com

Another bunch of domains being used to peddle fake jobs:

canada-newjob.com
netherlandjobb.com
newjobrecruit.com

These domains form part of this long running scam. You may find that the emails appear to come from your own email address (here's why).

The domain registrant details are no doubt fake:

    Adolf Nureng
    Email: adolfnureng@yahoo.dk
    Organization: Adolf Nureng
    Address: Spellingevej 3 Ro
    City: Gudhjem
    State: Gudhjem
    ZIP: 3703
    Country: DK
    Phone: +45.70225632

The jobs offered will actually be criminal activities such as money laundering. If you have any examples of emails using these domains, please consider sharing them in the Comments. Thanks!

Here is one example:

Date: 20 October 2011 13:17
Subject: Huidige vacature

Wij werven aan!

Wij bieden part-time of full-time posities in de EU.
Momenteel is onze team van specialisten is het ontwikkelen van vooruitstrevende en innovatieve
manier van samenwerking met onze klant dus breiden we ons netwerk van vertegenwoordigers in heel Europa.

Wij bieden volledig betaalde trainingen om u te begeleiden door uw werk, competitief salaris,
vrij werk schema en andere voordelen die uw samenwerking met ons zeer aangenaam.
Wilt u bij ons bedrijf te sluiten, moet u ervoor zorgen dat u houdt de Europese verblijf
en je bezit een sterk verlangen om te werken.

Als je eenmaal hebt besloten om ons aan te sluiten, gelieve ons dan uw contactgegevens
en wij nemen zo spoedig contact met u op om een interview te plannen.

Onze contactgegevens: Rolland@netherlandjobb.com

Hartelijk dank voor uw interesse!

In this case, the email originated from 178.172.136.117 in Belarus.

Wednesday, 12 October 2011

"Scan from a Hewlett-Packard Officejet 745065" and 94.23.116.30

These fake "Scan from a Hewlett-Packard Officejet" emails have been around for a little while now. Here's a slightly new verson:

From: hp@victimdomain.com
Date: 11 October 2011 23:41
Subject: Scan from a Hewlett-Packard Officejet 745065
   
A document was scanned and sent

to you using a Hewlett-Packard HP Officejet 63639D.
Sent by: SINA
Images : 2
Attachment Type: Image (.jpg) Download

Hewlett-Packard Officejet Location: machine location not set
Device: CRP272SO4SLM3917752
The link goes through to one of several sites on 94.23.116.30 (OVH, Poland). Blocking access to that IP should protect against this spam run.

The following domains appear to be hosted on that site:
agudo9871.info
alpers82c0.info
amybfd0.info
anselmo0661.info
antitrap.in
apperson6613.info
applee9a1.info
arkless6d92.info
arreza330.info
asley2ee0.info
aytes7191.info
banome2cb0.info
beckerman08b2.info
beneger50e2.info
bergfelde7c0.info
bestel2810.info
beuchatb280.info
binesc5d2.info
blincow4480.info
boaler2ab1.info
bonge06b0.info
boschier0930.info
bowrah1591.info
bramante66f2.info
brentsonc1d0.info
bridenstine1211.info
brodellabc2.info
burpee66f2.info
byczek5822.info
cable9b12.info
calleycd62.info
careford3a12.info
carver3102.info
casserley4d52.info
cavrotti42b0.info
clerkley2120.info
cluleyade1.info
cooney9712.info
corporationsweb.info
corvi3532.info
cottrillcb01.info
crate4361.info
creasey8b42.info
cristescu00ca.info
curtsinger8ad2.info
cusatis8b91.info
czyrnik74c1.info
dagley1e91.info
dallmand932.info
davidoviczc8d2.info
davydenko99d1.info
degand5e0.info
delancyfc71.info
delross6813.info
denver84e6.info
derefoner.in
desso9b20.info
deyak34c2.info
dilksf841.info
drewettf160.info
dutschmannc651.info
eavensonc190.info
edstrom6952.info
ehlicca1.info
elmoaf71.info
espenscheid2711.info
federal-domesticwires.com
fever01e1.info
firzkun.in
fissell39c0.info
flemming0dc1.info
frascaf6d0.info
frericks7582.info
friedberg3cc0.info
fuger1511.info
fulmerfdb2.info
fund4nothing.in
gadzinski1180.info
galassi9103.info
gange4742.info
gbur8c20.info
gegenheimer4bf0.info
glinkerman9380.info
gordenffb0.info
grygorwicz2191.info
guiles8570.info
guthorn9b60.info
hadselle732.info
hamiss4460.info
hartmannbf21.info
hartsook7391.info
hauben5930.info
henrettaa3c2.info
herzerb931.info
hodoa689.info
holliead00.info
horimotodb21.info
hornick0e30.info
houghtelling2355.info
hova.in
hugues1990.info
hultond5a0.info
husky9212.info
itzchakeb90.info
jauron24d0.info
jeskieff30.info
kaufmann2542.info
kellywoodf4d2.info
kintighb491.info
klinge9641.info
knauff5c60.info
koltz0341.info
kralicekcdc0.info
kramarczyk5681.info
kuns0a30.info
kurodaeb72.info
kurtisfe10.info
larssone1d2.info
lartiguef572.info
lawrey9052.info
leinbach91b0.info
lezab966.info
lidstone5a13.info
lirette3470.info
londonsbug.com
loshbaughd3b0.info
lough3572.info
mahlman67a1.info
maisenbacher5cf2.info
malizia0df1.info
malueg6fa1.info
mandia0d2.info
marlanb610.info
mcconnell1461.info
mcglumphy43c0.info
mclagan8a92.info
mclaughlan6670.info
meisenburg7e20.info
menapace7590.info
moegvubegcwan.in
molbideneoil.com
moneyforfree.in
montagnec802.info
morin4e00.info
mourinoa761.info
mullaly0ca0.info
munden49e2.info
musumeciccf0.info
naisbetta600.info
neoplanritm.in
nestel0321.info
nogueras0ba2.info
nothnagelf5b2.info
obrodderikd370.info
ogaraee50.info
omura6e81.info
oriold040.info
pangburn87e1.info
paolotto86d1.info
pariseau2e50.info
peace7fc1.info
pendextere5e2.info
percellb430.info
pidduck32e2.info
pidgeon9022.info
pinna3942.info
pioske8501.info
qqqe.us.to
quoss3f91.info
ramagano86a0.info
rashdicd02.info
raupache7f1.info
redeniusd503.info
returenget60.net
ricker5462.info
rideaufd40.info
rucci5d51.info
runagles2411.info
sacre86c2.info
sandilandsa5b1.info
sasseville9e91.info
schleppenbachae60.info
schuh9acc.info
scroger65f0.info
shearonafb1.info
shee5632.info
sita6030.info
slovinskye820.info
smard4e2.info
soetncitydyr.com
souvannavong5c90.info
speroe8c0.info
spigelmandca0.info
srnsky8f70.info
steinmiller9ca1.info
stivanson51b0.info
stonhame852.info
stopkad101.info
subera6a01.info
sultani9ef0.info
surrella8e0.info
swigart61f0.info
tabbertbe70.info
tabisulacbb4.info
tickle29c2.info
timko84d0.info
tinaa750.info
tolefreebdd2.info
tunnock0d02.info
twedena141.info
woehl5bb0.info
wolken6da2.info
worsfieldd4d1.info

Fake jobs: it-jobsearch.com

Another fake job domain, it-jobsearch.com follows on directly from these two reported yesterday. The domain is registered to the same fake address in France as yesterday.

As usual, the email soliciting replies to this domain is trying to recruit people for money laundering. The email may appear to come from your own email address (here's why).

If you have example emails soliciting replies to this domain, please consider sharing them in the Comments. Thanks!

Something evil on 66.197.235.245 (Exp/20100840-B)

There is currently a poorly detected (VirusTotal reports 1/43) Java exploit being distributed by 66.197.235.245 via injection attacks. One example is injected obfuscated code pointing to tualette.ce.ms/content/field.jar but there are probably lots of these. Currently only Sophos detects this as Exp/20100840-B.

Blocking all traffic to 66.197.235.245 is the quickest way to protect against this particular attack, it might be worth blocking 66.197.235.240/28 as in case this is a bad block.

The domains on 66.197.235.245 are a mix of crappy free domains, hijacked GoDaddy domains and a few others. I have identified the following sites, although I suspect there are many more:

abra.ce.ms
arenda3213.ce.ms
billyfuns.net
cherrychat.ru
e-casher.ru
fastresource.in
footporntube.com
gavni.usa.cc
goldmail.in
guano.ce.ms
jobtrue.ru
max5clock.net
naxnax.ce.ms
oilsintetyc.ru
osiki.osa.pl
plumcrazy-media.net
rijeguni.co.tv
samsusams.net
sharki.osa.pl
sortirka.osa.pl
trusiki.345.pl
tualette.ce.ms
usapornotube.com
vedroskofun.com
web.mlep.com
xmlnetwork.in

Tuesday, 11 October 2011

Cyanogenmod.com compromised with warlikedisobey.org injection

Cyanogenmod.com is a site offering legitmate custom firmware for Android devices. It's a popular site, pulling in about 100,000 unique US users per day according to compete.com and it has an Alexa rank of 6728.

Unfortunately, the site has been compromised in an injection attack with a hard-to-diagnose piece of malware attempting to load code from warlikedisobey.org/coehegzxw8xgahtrb on 66.197.158.102. The code seems resistant to several common analysis tools. The injection attack is hidden on the very first line of HTML on the home page.. you have to scroll a long way right to see it.

Update 12/10: it looks like the site is currently clean, but it might get re-infected if the core problem hasn't been fixed.

Update 20/10:  it turns out that it isn't clean at all, but the exploit code is not present all the time. It could be that something is going on at Cloudflare who provide load balancing for the site, but I've never seen that sort of issue with Cloudflare before.

I haven't been able to analyse the payload yet. There is a possibility that it might target Android devices.

The domain is registered through Bizcn.com in China to the following registrant:

Registrant ID:orgff14354361081
Registrant Name:Henry Nguyen Gong
Registrant Organization:Privacy-Protect.cn
Registrant Street1:Rue la produit 34
Registrant Street2:
Registrant Street3:
Registrant City:Nimes
Registrant State/Province:Languedoc-Roussillon
Registrant Postal Code:30189
Registrant Country:FR
Registrant Phone:+33.466583875
Registrant Phone Ext.:
Registrant FAX:+33.466583875
Registrant FAX Ext.:
Registrant Email:contact@privacy-protect.cn


privacy-protect.cn is very commonly used by criminals to cover their tracks.A Google search for 66.197.158.102 indicates that the IP address is in use by several malicious domains (listed below).

A look at the Cyanogenmod.com forums indicates that similar attacks have been happening since September 25th:


Does anyone know what this is? I got a warning from Norton with High severity saying I was attacked by sloughsputter.org and warlikedisobey.org from 66.197.158.102:80 when I entered into the touchpad forum for this website. The IPS alert name is: web attack malicious exploit kit website at High risk 

Blocking traffic to 66.197.158.102 is probably a good idea. It looks like there may be other problems in 66.197.158.0/24 so you could block the whole range as a precaution.

The following domains are hosted on 66.197.158.102:


acclaimpump.org
acreafloat.org
aeroadore.org
affairmedley.org
afraiddown.org
againindorse.org
alertworsted.org
analyseshort.org
ardorloathe.org
arraigngarment.org
assortsetto.org
bakedemure.org
balloontroops.org
baskettubular.org
beandown.org
bedridpollute.org
benttopple.org
bequestramble.org
blazefiddle.org
blisswilds.org
boardbutts.org
bringgreed.org
bunkscamp.org
burntbrought.org
butchermeetm.org
bywordtoll.org
cackleshaggy.org
capsuletrapeze.org
carptheirs.org
cellarprank.org
cellchin.org
cementshout.org
choreuphold.org
clamourunion.org
classiclily.org
clerkinure.org
comechirp.org
crafttexture.org
damaskslab.org
declaimtaunt.org
decreecattle.org
delayabrige.org
desisthateful.org
deskoccur.org
devoidshed.org
dimsadden.org
dirttouchy.org
discernpitcher.org
divingpeddle.org
dotingbouquet.org
eclipsedensity.org
economyjersey.org
elateexample.org
elkrecline.org
embraceniece.org
enigmaflutter.org
enjoyocean.org
enrolcaw.org
estril.org
eventliving.org
evermist.org
eyescanty.org
facingsinvade.org
factionchurch.org
fallacypour.org
fangwrath.org
fiancesardine.org
fishingbeet.org
flaxnap.org
foggystudent.org
foresttruck.org
fuzzoffal.org
gailyflounce.org
gazettesay.org
ghatlend.org
ghatreds.org
gibbetshook.org
gladespilt.org
godliketourist.org
goodantics.org
grandetidings.org
grenadeabove.org
gruver.org
gulpillegal.org
halcyonet.com
hamcadet.org
heronuntrue.org
hideousmindful.org
hillocksaunter.org
horntreason.org
hotspurequal.org
hourmesh.org
hulknutmeg.org
hungermouth.org
hymnrough.org
idearevel.org
ignservice.com
inclosegem.org
incurhealth.org
inducttrunk.org
innentry.org
innersoloist.org
inroadperish.org
installherb.org
intentbell.org
ironingonset.org
itemizefir.org
jarabroad.org
javarequest.com
javatooltip.com
jewishdin.org
jocularputrefy.org
jstooltip.com
juicecaulk.org
justlysubtle.org
kalmup.org
kinoutlaw.org
lambkinclad.org
laundrysudden.org
leanspeck.org
letconsul.org
libelconvoy.org
lieweld.org
likesfetter.org
linseedpaste.org
lodgersow.org
loitercash.org
longingashamed.org
lowlymeaty.org
lowsnooze.org
maniashow.org
mashscamp.org
maximumnone.org
memoirsmatrix.org
milletavoid.org
miserytenure.org
modernbin.org
morphiaseaside.org
movingsnip.org
mummeryscales.org
musterydecoy.org
muzzleastute.org
nationearn.org
naughtgrubby.org
nestjolt.org
netllookup.com
nightlyseeds.org
nodeconvert.org
noisomechicane.org
nominalunwary.org
nullcandy.org
numbuse.org
oatmealfrisk.org
oatmealshatter.org
opticmoving.org
orationyou.org
orderdid.org
orhanhundred.org
otspark.org
overrunwooden.org
pactcelery.org
pastrydug.org
pedalslacken.org
pentfinite.org
pentmull.org
phantombecame.org
phantomsell.org
pigskinturn.org
pilgrimstrut.org
plentyvicious.org
plumtreacle.org
pompousdenial.org
ponderbelong.org
popestrict.org
portionchagrin.org
posyhatch.org
potseclude.org
prancecontour.org
praysad.org
precededynamic.org
primacyresin.org
prosaiccube.org
provereject.org
puristar.org
purposestupid.org
quartpliancy.org
racialfreshe.org
rashcrowd.org
readerocular.org
rebirthfalcon.org
rectoryfeign.org
refereeshe.org
reflexpan.org
refundwine.org
remissdeceive.org
repentavow.org
repulsemaximum.org
riddensoot.org
rsstooltip.com
runletlanky.org
saintlunatic.org
sapammonia.org
savourotter.org
scumwoollen.org
seniormilage.org
shouldfasten.org
sinnerreflex.org
sirsize.org
skimlyrical.org
slopestipend.org
sorrelramble.org
sprutnetwork.com
squealflirt.org
staideconomy.org
starryplank.org
stowgranary.org
stripescud.org
studentfairly.org
stuffwrestle.org
stuntedvote.org
subdueshone.org
suctionbanking.org
suitebillion.org
sunnyscythe.org
superbhotbed.org
taintfurl.org
talkerrun.org
tasteleg.org
tensionwarble.org
testradiant.org
timelymaze.org
titledrutty.org
toiletarchway.org
torturetactful.org
totaltwelfth.org
trafficgarland.org
trashnote.org
trickleivy.org
trivialappears.org
tunebask.org
turbidworship.org
undoingperfect.org
unduedome.org
unitepulpit.org
unshipreckon.org
usheronce.org
vacancyagainst.org
veinassert.org
vileisolate.org
visapeer.org
votegroggy.org
voyagebud.org
vultureoffer.org
waivertouch.org
warlikedisobey.org
waspad.org
wastefuzz.org
wedanthem.org
wettrend.org
whimperchart.org
widowerfeeble.org
wivestemple.org
woecake.org
woverecruit.org
wretchninny.org
zippuny.org

Fake jobs: new-jobaccess.com and simple-jobneed.com

Two new fake job domains, forming part of the long-running "Lapatasker" scam.

new-jobaccess.com
simple-jobneed.com

Emails from these domains may appear to be from your own email address (here's why). They are registered to a no-doubt fake registrant:

Luc Metteran
    Email: lucmetteran@yahoo.fr
    Organization: Luc Metteran
    Address: 6, avenue Kennedy
    City: Paris
    State: Paris
    ZIP: 17880
    Country: FR
    Phone: +33.0156402315 


The "jobs" on offer are illegal activities such as money laundering. If you have any examples of spam using these domains to solicit replies, please consider sharing them in the Comments. Thanks!

Monday, 10 October 2011

Some TDL/TDSS rootkit sites to block

The following IPs are related to the TDL/TDSS rootkit. 212.36.9.52 / gic-kbmtu0zkvwylf.com appears to be a C&C server.

94.63.149.10
94.63.149.11
94.63.149.12
94.63.149.13
94.63.149.14
94.63.149.15
146.185.250.140
146.185.250.141
195.3.145.251
195.3.145.252
195.3.145.253
212.36.9.52

94.63.149.0/24 is a Romanian host called Eurolan Solutions SRL, I've had this blocked for months with no ill-effects. 146.185.0.0/16 is Petersburg Internet Network Ltd in Russia, the whole /16 is sparsely populated and blocking that would probably do no harm. 195.3.144.0/22 is Latvia host RN Data SIA, given that Latvia hosts are such a sewer then blocking the /22 is probably also a good idea.

As for 212.36.9.52 (OTEL, Bulgaria), there appear to be a few malware servers in 212.36.8.0/23 mixed with several legitimate sites. 212.36.9.60, 212.36.9.52 and 212.36.9.52 also appear to be malicious. Blocking 212.36.0.48/28 should filter out the bad sites without blocking good ones.

The following domains are associated with these IPs, if you can't block by IP then blocking these might be a good idea,

bejb883-njm.com
bxwqxlkp4ajt.com
feeew0r-geek.com
gic-kbmtu0zkvwylf.com
gv47numkmkmfub8790.com
hhnnbtcnotcf3ohtxt.com
j5dlz7rxoto8g1fubb.com
jblextyhsfqttkz.com
jhv684ybknjkm.com
keter-jankinsome.com
q9-e52wjh7cz.com
retgen-rasch12.com
retno-uhb3.com
rzncgorop-yvpx.com
serch-iteration.com
tylt9avnpfl-zdk.com
uh-i99ur3qa9t3ssw.com
upsbkschmajhlxs6.com
vbhw53jnjjn00o.com
x24l0jpdhtccng-ojw.com
xcxmjb2joopypo.com
zhfg0l5eijw4tjxc.com
zw5kfhmujx024saj2.com

Friday, 7 October 2011

talkhard.com spam from scam.com

Here's an oddity:
From: funforumcommuity@yahoo.com funforumcommuity@yahoo.com
Date: 7 October 2011 11:02
Subject: [RE] New message board you will like

Hey I figured you would like this new forum I found. There's no ads, its uncensored, and they are doing a hundred dollar contest this month. Check it out.

http://www.talkhard.com

The mail originates from 208.86.2.42 which is mail.scam.com. The mail headers read:

Received: from unknown (HELO srv349.rackco.com) (208.86.2.42)
  by ********** with SMTP; 7 Oct 2011 15:26:45 -0000
Received: from apache by srv349.rackco.com with local (Exim 4.69)
    (envelope-from )
    id 1RC7Gd-0001vk-RA
    for **********; Fri, 07 Oct 2011 06:02:59 -0400
To: **********
Subject: [RE] New message board you will like
From: "funforumcommuity@yahoo.com"
Message-ID: <201110071059.42eccb836871@scam.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 8bit
X-Priority: 3
X-Mailer: vBulletin Mail via PHP
Sender: Apache
Date: Fri, 07 Oct 2011 06:02:59 -0400


Not very classy, scam.com!

Something evil on 91.220.35.38

91.220.35.38 contains several malicious domains, apparently connected with the Blackhole Exploit Kit. These sites are being promoted through spam email. The IP range of 91.220.35.0/24 (zamanhost.ru who appear to operate out of the Ukraine) looks like a good thing to block.

The email looks something like this:
Subject: Re: FW: End of Aug. Statement Reqiured
   
Good morning,
as reqeusted I give you inovices issued to you per sept.

Download Invoice

Regards
CHEREE DUNHAM
The email contains a link going to one of the malicious sites hosted on the server. At the moment I can identify the following sites:

associationandmyblog.info
associationandmyexperience.info
association-and-my-experience.info
associationandmyexperienceblog.info
associationandmyexperienceonline.info
associationandmyexperiencesite.info
associationandmyonline.info
associationandmysite.info
associationandmystore.info
associationchoose.info
association-choose.info
associationcourse.info
associationcreationblog.info
associationcreationonline.info
associationcreationsite.info
associationcreationstore.info
associationearth.info
association-earth.info
associationed.info
association-ed.info
associationeducationblog.info
associationeducationonline.info
associationeducationsite.info
associationeducationstore.info
associationepoch.info
associationformationblog.info
associationformationonline.info
associationformationsite.info
associationformationstore.info
associationgenerationblog.info
associationgenerationonline.info
associationgenerationsite.info
associationgenerationstore.info
associationgethome.info
associationglobe.info
associationgohome.info
association-go-home.info
associationgohomeblog.info
associationgohomeonline.info
associationgohomestore.info
associationgohouse.info
associationinterval.info
associationlearning.info
associationlifetime.info
associationlongword.info
association-long-word.info
associationlongwordblog.info
associationlongwordonline.info
associationlongwordsite.info
associationlongwordstore.info
associationminute.info
associationmonth.info
associationmovehome.info
associationmultiplicationblog.info
associationmultiplicationsite.info
associationmultiplicationstore.info
associationmusicsanalarm.info
associationnewsblog.info
associationnewsmedia.info
associationnewsonline.info
associationnewssite.info
associationnewsstore.info
association-newstageofdevelopmentblog.info
association-newstageofdevelopmentonline.info
association-newstageofdevelopmentsite.info
association-newstageofdevelopmentstore.info
associationnmyexperience.info
associationnmyknowledge.info
associationprogenyblog.info
associationprogenyonline.info
associationprogenysite.info
associationprogenystore.info
associationrace.info
association-race.info
associationraceblog.info
associationraceonline.info
associationracesite.info
associationracestore.info
associationreproductionblog.info
associationreproductiononline.info
associationreproductionsite.info
associationreproductionstore.info
associationschool.info
association-school.info
associationsecond.info
associationselectblog.info
associationselectonline.info
associationselectstore.info
associationsoundsanalarm.info
association-sound-san-alarm.info
associationsoundsanalarmblog.info
associationsoundsanalarmonline.info
associationsoundsanalarmsite.info
associationsoundsanalarmstore.info
associationsoundsanpanic.info
associationspeed.info
associationtime.info
association-time.info
associationtimeblog.info
associationtimeonline.info
associationtimesite.info
associationtimestore.info
associationtonesanalarm.info
associationtrapsblog.info
associationtrapsonline.info
associationtrapssite.info
associationtrapsstore.info
associationuniverse.info
associationworld.info
association-world.info
associationworldblog.info
associationworldonline.info
associationworldsite.info
associationworldstore.info
bestassociationandmyexperience.info
bestassociationgohome.info
bestassociationlongword.info
bestassociationrace.info
bestassociationsoundsanalarm.info
bestassociationtime.info
bestassociationworld.info
dollar-krise.de
eredirect.ru
fortunatemoney.in
fortunate-money.in
fotv.in
freeassociationandmyexperience.info
freeassociationgohome.info
freeassociationlongword.info
freeassociationrace.info
freeassociationsoundsanalarm.info
freeassociationtime.info
freeassociationworld.info
groupandmyexperience.info
groupandmyexpertise.info
groupandmyknowledge.info
groupchoose.info
group-choose.info
groupextendedword.info
groupextensiveword.info
groupgethome.info
group-get-home.info
groupgohome.info
group-go-home.info
grouplengthyword.info
grouplongmessage.info
grouplongphrase.info
grouplongsaying.info
grouplongword.info
groupnmyexperience.info
groupnmyknowledge.info
groupprolongedword.info
group-race.info
groupschool.info
group-time.info
groupworld.info
group-world.info
kitr.in
logisticperu.in
myassociationandmyexperience.info
myassociationgohome.info
myassociationlongword.info
myassociationrace.info
myassociationsoundsanalarm.info
myassociationtime.info
myassociationworld.info
newassociationandmyexperience.info
newassociationgohome.info
newassociationlongword.info
newassociationrace.info
newassociationsoundsanalarm.info
newassociationtime.info
newassociationworld.info
organizationandmyexperience.info
organization-choose.info
organizationgethome.info
organizationgohome.info
organization-go-home.info
organizationnmyexperience.info
organizationrace.info
organization-race.info
organizationsoundsanalarm.info
organizationtime.info
organization-time.info
organizationworld.info
organization-world.info
pzmjrv.5iai-shop.co.uk
searchassociationblog.info
searchassociationonline.info
searchassociationsite.info
searchassociationstore.info
theassociationandmyexperience.info
theassociationgohome.info
theassociationlongword.info
theassociationrace.info
theassociationsoundsanalarm.info
theassociationtime.info
theassociationworld.info
wfdjszyzou.ce.ms
widgetharden.in
widgetwithstand.in
xore.in
xxxi.us.to

Thursday, 6 October 2011

Scam: "Conference on racism/human trafficking and child abuse 2011"

This fake conference is actually likely to be a form of advanced fee fraud:


From: Ms Regina Linus reginafedrick@yahoo.com
Reply-To: regina.linus200@globomail.com
Date: 5 October 2011 19:53
Subject: Conference on racism/human trafficking and child abuse 2011,,,,,,,,,,
   
Dear Colleagues,

You are cordially invited to participate in a Global Combined conference taking
place from (22ND-25th November 2011) in Atlanta-Georgia, United States of
America at the Hilton Atlanta Conference Center, and from (28th-30th
November2011) in Olympic Stadium Hall Dakar Senegal.

Applicant that are interested and want to represent his/her country should
Contact the conference secretariat via Email :{ csecretaryoffice@aol.com }
{giyf.newoffice@globomail.com } for more details and Information.

Endeavor to inform them that you were invited to participate by (Ms. Regina
Linus). Note that the Organizing Committee is responsible for the air
tickets, visas and lodging accommodation in USA only.

Sincerely Yours,
Ms. Regina Linus.
(regina.linus200@globomail.com)
Of course, there will be "problems" with the Senegal leg which will require a fee payment in advance, and the Atlanta part of the conference will never materialise. If you actually are involved in stopping racism, human trafficking and child abuse then consider just what scumbags these scammers are.

Mail is routed via 41.207.177.16 in Togo from an ADSL subscriber in Dakar (Senegal). Two sample originating IPs are 41.82.79.108 and 41.82.64.163.


Avoid.

Something evil on 194.219.29.139

There's something evil on 194.219.29.139 [Forthnet SA, Athens], in this case it appears to related to the SpyEye trojan. In particular, a lot of traffic seems to be going to ce.ms sites, searching your logs for references to ce.ms/main.php might prove fruitful.

All these following sites are malicious:

2fdf2asolhost.cx.cc
3lshegijlsjelsf.ce.ms
3rdkjhgtuhryt67.ce.ms
75pe.be.ma
aficaekooy.qpoe.com
anupadwxst.x24hr.com
arumakhbyu.ygto.com
asgdfsewsd.co.cc
ashlpdfsqf.qpoe.com
avddhzvg.instanthq.com
bestdatastore1.com
bprvnnpqyc.ygto.com
bqafbink.cx.cc
calnlwwofb.yourtrap.com
cgadrhvi.qpoe.com
clothingbusinessstore.info
clothingforyoushop.info
clothingtraffic.info
convenientpayment.info
covgeokzq.instanthq.com
crowpe.servepics.com
cxjigz.my03.com
databusinessone.com
datamallone.com
datamarketone.com
dataoutletone.com
datashopone.com
datashowroomone.com
data-store-1.com
datastore1blog.com
datastore1online.com
datastore1s.com
datastore1shop.com
datastore1site.com
datastore1store.com
datastoreone.com
dhdhdhjh54hh.co.cc
djdqexcw.isasecret.com
dloqfgcio.mefound.com
dpqriw.isasecret.com
dqxylh.my03.com
dttnablz.qpoe.com
ecebvi.my03.com
ednmzirslh.ygto.com
entrari.com
eoxsme.isasecret.com
euvhdowvp.instanthq.com
ewxdemz.isasecret.com
exdlyy.qpoe.com
ezhwsc.yourtrap.com
faduwav.freetcp.com
fipvbsttod.qpoe.com
flytrpp.mefound.com
fmafyj.ygto.com
fokhebfjfh.ygto.com
fqyfbigboi.x24hr.com
freedatastore1.com
free-download-therandomslovo.info
funezgmxl.my03.com
gaagvay.yourtrap.com
gchiebsojm.x24hr.com
gdoyvgieb.qpoe.com
georhur.fartit.com
gjxpgxg.ygto.com
gkgfmca.freetcp.com
gkkdgqfmy.instanthq.com
glyluf.mefound.com
gnmtls.instanthq.com
gtxxczmsb.isasecret.com
gxpeah.isasecret.com
gzadbqwc.my03.com
hbsopvyj.mefound.com
hellomyfriends67.com
hqxrukctww.instanthq.com
hsjhbqto.yourtrap.com
hspeqss.ygto.com
ifkeqj.freetcp.com
ihpvfu.yourtrap.com
ilqwzsqq.my03.com
informationstore1.com
informationstoreone.com
infostoreone.com
irqokfb.yourtrap.com
ivdtqmm.freetcp.com
jbnyvv.fartit.com
jdqcacl.ygto.com
jfdbdh.yourtrap.com
jfexczhud.freetcp.com
jiwxii.x24hr.com
jjqumfo.yourtrap.com
jkfyoik.qpoe.com
jntvkefj.ygto.com
jpxaxin.ygto.com
jtimtp.isasecret.com
kavlnhld.qpoe.com
kntvftiy.fartit.com
kssldi.my03.com
kstxdc.fartit.com
kucbmkpeth.qpoe.com
kumtbzg.freetcp.com
kvsxvfhgd.freetcp.com
kweghfjkgejfrwerjkasdfpo.ce.ms
lagotgdf.yourtrap.com
leemask.in
lenxwlkwn.x24hr.com
lgufpaq.isasecret.com
lhoefbmqpm.my03.com
ljutyucawp.my03.com
lmraufougs.x24hr.com
lqpara.freetcp.com
mahqgq.mefound.com
mail.byteworks.gr
mail.pcc.com.gr
mail.pcchellas.gr
mggzpjujp.my03.com
miwpcp.instanthq.com
mkktnracrl.freetcp.com
mklesklo.x24hr.com
mohlvpn.yourtrap.com
mydatastore1.com
mzxvdj.ygto.com
nacha-onlinereports.com
nerocambodia-megafakahero.org
newdatastore1.com
newthelargestsize.info
nlq1.cx.cc
nlq2.cx.cc
nlq3.cx.cc
nluyaupv.mefound.com
nshyxr.mefound.com
nslvpounp.instanthq.com
nzlprarwhe.yourtrap.com
obalhtwnni.ygto.com
obeaejh.fartit.com
obnihfya.qpoe.com
oisgrqyfbd.yourtrap.com
omrzzn.freetcp.com
onronmx.cx.cc
oodklht.mefound.com
oprwbnwneg.mefound.com
otgnzxhnr.my03.com
pfgphuwrog.yourtrap.com
pleasekindlyuse.com
pmchvicoe.qpoe.com
pnarfrkph.x24hr.com
psilzbwaoj.x24hr.com
qagcqzz.isasecret.com
qdcunen.mefound.com
qeexwxol.instanthq.com
qerfhgkadhsfukhertgrpotgjpoidfg.ce.ms
qerfyhufghasdfvyugeqrtrgpoi.ce.ms
qibmjf.x24hr.com
qorohel.yourtrap.com
qpwnbrxqwv.ygto.com
quickandeasypayment.com
qyldimwv.instanthq.com
qyrcrqd.isasecret.com
rcelrfitq.yourtrap.com
rdumycvvac.instanthq.com
rgrdpxd.instanthq.com
rgstvqjazj.ygto.com
rivehq.cx.cc
rncqdqqflz.instanthq.com
rphhsr.freetcp.com
rvqulvz.instanthq.com
searchengine-8.co.cc
sjwzptjmzs.ygto.com
spkusrqst.isasecret.com
tbpwhmo.instanthq.com
thedatastore1.com
thesmallestextent.info
thmofp.isasecret.com
tijymwgz.ygto.com
tlikndvz.my03.com
tnnlip.fartit.com
tohkdecuz.my03.com
tqurhuysr.freetcp.com
tqykpgzz.freetcp.com
tyfnjdyz.freetcp.com
uajvdsz.x24hr.com
uaziensc.isasecret.com
udtogltty.my03.com
ukrnfo.mefound.com
uqeotsfdy.yourtrap.com
us-creditsecurity.com
uwpozd.fartit.com
vedsxpph.isasecret.com
vlktxk.yourtrap.com
vvbuecbh.yourtrap.com
vxhwkdjli.mefound.com
vzubdvp.x24hr.com
wewnpmee.qpoe.com
wiigzu.instanthq.com
wmvutsa.mefound.com
wnaqyhxxjt.isasecret.com
wwpeacethroughmoderation.cx.cc
wwwapp-ups.net
wwwapp-ups.org
wztmhm.fartit.com
xapxtgkdf.x24hr.com
xezzktfzc.ygto.com
xhqkercj.yourtrap.com
xkvawo.x24hr.com
xndlgcthsf.x24hr.com
xngwbvt.isasecret.com
xqjgutso.qpoe.com
xxotjjgaqp.instanthq.com
yaktijc.instanthq.com
ycmylomyi.yourtrap.com
yfsicntu.my03.com
ygtrejyadk.qpoe.com
yoyljwmmw.qpoe.com
yvzhxbs.yourtrap.com
ywkxvgt.ygto.com
yxghgxfx.isasecret.com
yxhuzn.instanthq.com
zmlrikykf.ygto.com
zngbeeidwd.x24hr.com
zshogenmd.qpoe.com
ztgdtmz.qpoe.com

NA3PA (na3pa.org) Scam: NAPPPA reborn

NOTE: You can find out who was operating NAPPPA here.

Earlier this year, I came across a fake seminar outfit called the North American Program Planning and Policy Academy (NAPPPA) [read the comments for more information] running out of a rented mailbox in Los Angeles. NAPPPA was recently covered by ABC15 in Arizona (see video below).


It seems to be a bait-and-switch operation. Seminars are promoted as being held at universities, only to switch venues at the last moment, students complain the the seminars are of very low quality and there are complaints as well that people who have been employed to teach these seminars (often hired via Craigslist) are not getting paid.

Well, a contact informed by that NAPPPA was back, this time peddling seminars under the name of NA3PA and with a website at www.na3pa.org:

From: NA3PA Announcements
Subject: Strategy Session: Program Planning, Evaluation, and Proposals (October 18 - 19, 2011: Los Angeles, CA)


NA3PA will be conducting the Program Planning, Evaluation, and Proposals Strategy Session in Los Angeles, California on October 18 - 19, 2011.  Interested development professionals, researchers, faculty, and graduate students should register as soon as possible, as demand means that seats will fill up quickly. Please forward, post, and distribute this e-mail to your colleagues and listservs.

For more information call (888) 673-8865 or visit our website at http://www.na3pa.org. Please find the program description below:

The Program Planning, Evaluation, and Proposals Strategy Session  is a hands-on, intensive session that leads participants through the entire grant proposal and funding research processes. Through an intense two day practicum, participants will receive an overview of program planning concepts along with advanced writing techniques to develop successful proposals. This results-based session combines individual exercises with group collaboration to allow each participant to leave the session with a Program Planning and Funding Dossier. Exercises leading up to the dossier and organization narrative include a thorough proposal outline, completed worksheets necessary for proposal submissions, and a starting collection of publications and resources to build a development library. Strategy Sessions is designed to provide your organization with the competitive advantage necessary in our modern grants award environment.

This session is ideal for those with a targeted program, but is equally effective for those who can identify their program and funding interests. Completion of the Pre-Session Interview and Assignments is essential to program success and value. Each participant will receive a selection of funding programs tailored to their program and/or areas of interest. Participants without a program will be provided a working example during Pre-Session.

The Program Planning, Evaluation, and Proposals Strategy Session will cover the following during the two day session:

(1) Fundamentals of Program Planning

This session will teach professional program development essentials and program evaluation. While most grantsmanship  "workshops" treat program development and evaluation as separate from the writing of a proposal, this will teach students the relationship between overall program planning and proposal writing.

(2) Strategic Funding Research

At its foundation, this session will address the basics of foundation, corporation, and government grant research. However, this course will emphasize a strategic funding research approach that encourages writers to see research not as something they do before they write a proposal, but as an integrated part of the grant  seeking process. Students will be exposed to online database research tools, as well as publications and directories that contain information about foundation, corporation, and government grant opportunities. Focusing on funding sources and basic social science research, this course teaches students how to use research as part of a strategic grant  acquisition effort.

(3) Professional Proposal Writing

Designed to obtain tangible results, this session will make each student an overall proposal writing   specialist. In addition to teaching the basic components of a grant proposal, successful approaches, and the do's and don'ts of grant writing, this session is infused with expert principles that will lead to a mastery of the process. Strategy resides at the forefront of this session's intent to illustrate grant writing as an integrated, multidimensional, and dynamic endeavor. Each student will learn to stop writing the grant  and to start writing the story. Ultimately, this session will conclude with a completed proposal outline.

Tuition for this two day strategy session is $398.00.

Strategy Session Registration

1. Participants tentatively reserve a seat online at http://www.na3pa.org, by calling the Program Office toll-free at (888) 673-8865, or by sending their name and contact information via email to registrar@na3pa.org.

2. A confirmation email is sent to registrants that includes  session site information, travel information, program description, and details on how to confirm attendance and make payment arrangements. An invoice and agency W9 is also included.

3.Upon attendance confirmation, registrants will receive (usually via email) a Pre-Session packet that will include 1) a Pre-Session Interview, 2) Pre- Session exercises to be completed, 5) a Session Agenda and Schedule, and 4) a receipt.


You have received this invitation due to specific educational affiliation. We respect your privacy and want to ensure that interested parties are made aware of NA3PA strategy sessions and schedules. This is intended to be a one-time announcement. In any event, you should not receive any more announcements unless there is a program next year in your area. To be unlisted from next year's announcement, send an email to remove@na3pa.org and write "Unlist" in the subject line.

The registrations details for the domain na3pa.org are hidden:

Registrant ID:decwp508561qlee2
Registrant Name:Protected Domain Services - Customer ID: DEC-3558115
Registrant Organization:Protected Domain Services - Customer ID: DEC-3558115
Registrant Street1:P.O. Box 6197
Registrant Street2:
Registrant Street3:
Registrant City:Denver
Registrant State/Province:CO
Registrant Postal Code:80206
Registrant Country:US
Registrant Phone:+1.7202492374
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Registrant Email:na3pa.org@protecteddomainservices.com


na3pa.org itself is hosted on 69.72.186.55 at Fortress ITX. If you get a spam from NA3PA (and you can be assured that it is a spam), then forward it to abuse -at- fortressitx.com.

That server also hosts napppanet2.org which has been used before, and similarly has an anonymous registration.

The email is sent from an apparantly address of losangeles@grantfundraising.org - grantfundraising.org is another recently registered anonymised domain.

(Update 21/10/11 - the domain academicresearcher.org is also in use by these people)

This operation appears to be run out of California, apparently from the Hacienda Heights area (the originating IP for the emails is always 173.55.115.38). I know that complaints have been filed with both the BBB and the California AG's office, but no action appears to have been taken.

If you have any experience of "NA3PA" please feel free to share them in the comments.

NOTE: You can find out who was operating NAPPPA here

Wednesday, 5 October 2011

Fake jobs: all-cajobs.com, all-ukjobs.com and alleur-positions.com

Here we go again.. three new domains that form part of this long-running scam.

all-cajobs.coma
all-ukjobs.com
alleur-positions.com

The "jobs" offered are actually illegal activities such as money laundering. You may note that the email appears to come from yourself (here's why).

The domains are registered to a no-doubt fake registrant:

    Hose Sanches
    Email: hosesancges@yahoo.com
    Organization: Hose Sanches
    Address: Campo Grande, 83 1749-812
    City: Lisboa
    State: Lisboa
    ZIP: 1749-812
    Country: PT
    Phone: +35.1217982140

If you have any examples of emails soliciting replies to these domains, please consider sharing them in the Comments. Thanks!

Tuesday, 4 October 2011

SMS Spam: loanslineuk.co.uk / Gary McNeish

Here's an annoying SMS spam sent from +447979520064:
Short on Cash? Need a payday loan? 100% Apps Processed. Up to £750 today. Apply now at www.loanslineuk.co.uk to Opt Out Rply stop
We can easily identify the owner of loanslineuk.co.uk from their WHOIS records:


Domain name:
        loanslineuk.co.uk

    Registrant:
        gary mcneish

    Registrant type:
        Unknown

    Registrant's address:
        flat 3 11a whitworth street
        opal house
        manchester
        M1 3GW
        United Kingdom

loanslineuk.co.uk simply forwards to moneyfix.co.uk via an affiliate link: www.moneyfix.co.uk/Default.aspx?AID=TETRUS&SAID=MONEYFIX_JPD_PARTNER1

The word "TETRUS" in the link is a clue. We can also see Gary McNeish's address on the domain for tetr.us.. well, we could before it was re-registered to an address in the Seychelles:

Registrant ID:                               CR17598876
Registrant Name:                             gary mcneish
Registrant Address1:                         flat 3 11a whitworth street
Registrant Address2:                         opal house
Registrant City:                             manchester
Registrant State/Province:                   lancashire
Registrant Postal Code:                      m1 3gw
Registrant Country:                          United Kingdom
Registrant Country Code:                     UK
Registrant Phone Number:                     +7.799764944
Registrant Email:                            gary@tetrustelecoms.com
Registrant Application Purpose:              P1

If we look at the domain registration for tetrustelecoms.com we see the bogus address:

    tetrus, tetrus  serialsniper@gmail.com
    tetrus
    capital city, lancashire M35 0AE
    SC
    +66.838273350

There can't be many people called Gary McNeish in Manchester, but oddly enough it isn't the same Gary McNeish who was fingered for a fake Data Protection scam in 2002, but this Gary McNeish (Gary John Peter McNeish) was mentioned by the Daily Telegraph recently in an article called "For sale: your mobile phone number" which questioned the way that Mr McNeish obtained telephone numbers for leads.

According to Companies House, Tetrus Ltd was dissolved on 22/3/11, so it should no longer be trading.

If you get one of these, you should forward the spam to your carrier. In the came of T-Mobile, O2 and Orange the number to report to is 7726 ("SPAM"). Vodafone customers should use 87726 ("VSPAM") and Three customers should use 37726 ("3SPAM"). Hopefully the carriers will act if there are enough complaints.

Added: The Slough Times has some more background information here.

Several AdWords phishing sites at Prolexic

Prolexic is an anti-DDOS specialist hosting firm with a reputation for being one of the good guys. It's a bit of a surprise to see Google AdWords phishing sites on a Prolexic server, hopefully they won't be there for long.

The phishing messages look something like this:

From: Google AdWords
Subject: Google AdWords: You have a new alert.

------------------------
This message was sent from a notification-only email address that does
not accept incoming email. Please do not reply to this message. If you
have any questions, please our Help Center to find answers to
frequently asked questions.
------------------------

Dear Valued Customer, 

You have a new alert from Google Adwords.

Sign in to your AdWords account at http://www.googlernn.com/Select/login

Yours Sincerely,
The Google AdWords Team

It's difficult to know just how many phishing sites are on this server, however the following can be identified:

www.adwords-opt.com
www.adworlsmn.com
www.googlcmn.com
www.googlcnm.com
www.google-bnc.com
www.google-etnm.com
www.google-mnt.com
www.google-mnz.com
www.google-nmz.com
www.googlernn.com
www.googlhnxm.com
www.googlhon.com
www.googlmen.com
www.googlm-hmn.com
www.googlmncn.com
www.googlmnc-n.com
www.googlmnx.com
www.googlmp.com
www.googl-pmn.com
www.googl-rpm.com
www.googlthn.com
www.googlzmn.com
www.googmlbe.com

Sites appear to be hosted on 72.52.4.95 along with thousands of legitimate sites. All the domains have been registered in the past few days with hidden domain registrations.

Monday, 3 October 2011

Something evil on 46.16.240.13

There's something evil on 46.16.240.13 that forms part of a banking trojan. Whatever the trojan is, it sends traffic to a set of randomly generated domains with a url ending in pontis.com/index.php.

Most of these domains aren't registered at present, but a few are and they live on 46.16.240.13 with nameservers at 46.16.240.14 and 46.16.240.15. This IP belongs to iNet in the Ukraine.. I suggest blocking 46.16.240.0/24 completely as every site I have ever seen there has been malicious.

These domains seem to be active (a full list is at the end of the post including some inactive ones):

bdpeapontis.com
ljroapontis.com
llcpapontis.com
tbnpapontis.com
cuzqapontis.com
bpgwapontis.com
swbxapontis.com


WHOIS details:

bdpeapontis.com
   Frederic Ebner frederic_ebners@yahoo.com
   +1.2136748631 fax: +1.2136748631
   10216 Chrysanthemum Ln.
   Los Angeles CA 90077
   us

ljroapontis.com
   Justo Marquez Sanchez justomarquezsanchez@ymail.com
   +34.659192650 fax: +34.659192650
   Calle Las Monjas, 1
   Granada Granada 18600
   es

llcpapontis.com
   Helmut Koenig koenighelmut@yahoo.com
   +49.1733201046 fax: +49.1733201046
   Oberhofer Str. 26
   Zella-Mehlis Thuringen 98544
   de

tbnpapontis.com
   Armin Blocher arminblocher@rocketmail.com
   +49.02771801325 fax: +49.02771801325
   Langgasse 1
   Dillenburg Niedersachsen 35685
   de

cuzqapontis.com
   Denis Goertz denis.goertz@yahoo.com
   +49.1639836914 fax: +49.1639836914
   hochstr. 61
   Nettetal Lobberich Sachsenanhalt 41334
   de

bpgwapontis.com
   Pius Walleser walleser32@yahoo.com
   +49.1754218358 fax: +49.1754218358
   Kesslerstrasse 5
   Breisach Sachsen-Anhalt 79206
   de

swbxapontis.com
   Denis Goertz denis.goertz@yahoo.com
   +49.1639836914 fax: +49.1639836914
   hochstr. 61
   Nettetal Lobberich Sachsenanhalt 41334
   de

These registrant details have been used in malicious sites before, see "some German scam sites" for more details.

I don't know what trojan is causing this, or how the machine got infected. If you have any more details, please consider sharing them in the Comments. Thanks!

Expanded list:
aacuapontis.com
aammapontis.com
aaneapontis.com
aazgapontis.com
actsapontis.com
aikcapontis.com
aitgapontis.com
akflapontis.com
amayapontis.com
amucapontis.com
aohxapontis.com
aotbapontis.com
asziapontis.com
awqcapontis.com
awxiapontis.com
bbqrapontis.com
bbubapontis.com
bfqpapontis.com
bfyaapontis.com
bhiyapontis.com
bhjcapontis.com
bhkgapontis.com
bhriapontis.com
bhwiapontis.com
bjifapontis.com
bjnxapontis.com
bjrpapontis.com
blnkapontis.com
bndyapontis.com
bnojapontis.com
bnyyapontis.com
bdpeapontis.com
bpgwapontis.com
brqdapontis.com
bvqoapontis.com
bvsfapontis.com
bvwbapontis.com
bvyqapontis.com
bxetapontis.com
bxsjapontis.com
bxxrapontis.com
caqsapontis.com
ccbdapontis.com
ccewapontis.com
cclhapontis.com
ccqmapontis.com
cenyapontis.com
cezgapontis.com
cgjmapontis.com
cmmqapontis.com
coasapontis.com
cojpapontis.com
conhapontis.com
cqhfapontis.com
cqhqapontis.com
cqjyapontis.com
csfqapontis.com
cslgapontis.com
cuvfapontis.com
cuzqapontis.com
cwisapontis.com
dbabapontis.com
dbslapontis.com
dfcsapontis.com
dfgqapontis.com
dfyeapontis.com
dhfxapontis.com
djduapontis.com
djnrapontis.com
dlkuapontis.com
dnayapontis.com
dnpgapontis.com
dnpnapontis.com
dpjkapontis.com
dpjmapontis.com
dpjtapontis.com
dpohapontis.com
druvapontis.com
dtjvapontis.com
dtqqapontis.com
dxvwapontis.com
dxxcapontis.com
dzplapontis.com
dzrtapontis.com
dzsgapontis.com
eaxmapontis.com
eazpapontis.com
ecmsapontis.com
eefwapontis.com
eejrapontis.com
egeiapontis.com
egekapontis.com
egxgapontis.com
ekbiapontis.com
ekcuapontis.com
ekrmapontis.com
emjrapontis.com
eorpapontis.com
eozpapontis.com
eqdhapontis.com
esfdapontis.com
eupkapontis.com
ewrqapontis.com
ewzoapontis.com
eylqapontis.com
eytbapontis.com
fbmnapontis.com
fbnoapontis.com
fbpwapontis.com
fdbeapontis.com
fdbyapontis.com
fdjoapontis.com
fdxoapontis.com
ffpkapontis.com
fhclapontis.com
fheyapontis.com
fhkeapontis.com
fjvuapontis.com
floqapontis.com
flydapontis.com
fnauapontis.com
fnpkapontis.com
fpouapontis.com
frjyapontis.com
frrpapontis.com
fttzapontis.com
fvxvapontis.com
fvzlapontis.com
fxrdapontis.com
fxyxapontis.com
fzboapontis.com
fzenapontis.com
fzhmapontis.com
ggnkapontis.com
gikuapontis.com
gkdaapontis.com
gknoapontis.com
gohmapontis.com
gqjnapontis.com
gwhzapontis.com
gwzmapontis.com
gyomapontis.com
gypcapontis.com
hbhqapontis.com
hbpiapontis.com
hdqvapontis.com
hfdeapontis.com
hfilapontis.com
hfjuapontis.com
hfxdapontis.com
hfykapontis.com
hhorapontis.com
hhsiapontis.com
hjaqapontis.com
hjojapontis.com
hjuiapontis.com
hnfbapontis.com
hniaapontis.com
hpcfapontis.com
hpvsapontis.com
hravapontis.com
hrocapontis.com
htxxapontis.com
hvekapontis.com
hvrjapontis.com
hxpkapontis.com
hxrfapontis.com
hzelapontis.com
hzrfapontis.com
iaocapontis.com
icbfapontis.com
ieppapontis.com
ieqgapontis.com
iisuapontis.com
ikqaapontis.com
ikvnapontis.com
imbwapontis.com
imuaapontis.com
isbdapontis.com
ispoapontis.com
iulpapontis.com
iupfapontis.com
iuseapontis.com
iwpfapontis.com
iwyeapontis.com
iyjfapontis.com
jbcjapontis.com
jdudapontis.com
jfrxapontis.com
jhorapontis.com
jjdjapontis.com
jlaiapontis.com
jlsyapontis.com
jnhcapontis.com
jnokapontis.com
jnpxapontis.com
jnsgapontis.com
jnysapontis.com
jpsfapontis.com
jrciapontis.com
jvepapontis.com
jvqkapontis.com
jvyrapontis.com
jxmqapontis.com
jxviapontis.com
jzwkapontis.com
kaoaapontis.com
kcntapontis.com
kczuapontis.com
kebvapontis.com
kedyapontis.com
keecapontis.com
kezvapontis.com
kgacapontis.com
kgvpapontis.com
kkyyapontis.com
kmaoapontis.com
kmgoapontis.com
kmsqapontis.com
kmywapontis.com
kqrdapontis.com
kqxhapontis.com
kscoapontis.com
kuaiapontis.com
kujbapontis.com
kylkapontis.com
kyrvapontis.com
lbwbapontis.com
ldckapontis.com
ldkpapontis.com
ldsdapontis.com
lfcpapontis.com
lffuapontis.com
lfslapontis.com
lfxnapontis.com
lhirapontis.com
lhlpapontis.com
lhwkapontis.com
ljkzapontis.com
ljroapontis.com
llcpapontis.com
lldiapontis.com
lpcpapontis.com
lpcrapontis.com
lpgqapontis.com
lrauapontis.com
lrxgapontis.com
ltdnapontis.com
ltriapontis.com
lttrapontis.com
lvhbapontis.com
lvhzapontis.com
lvnbapontis.com
lvpmapontis.com
lxgmapontis.com
lxpxapontis.com
lzfzapontis.com
lzkhapontis.com
lzlcapontis.com
lzpnapontis.com
lztvapontis.com
lzuzapontis.com
madeapontis.com
makwapontis.com
marrapontis.com
mavwapontis.com
mcvlapontis.com
mebfapontis.com
meboapontis.com
menqapontis.com
menrapontis.com
mgrkapontis.com
mgviapontis.com
mikuapontis.com
mkugapontis.com
mkvzapontis.com
mmrrapontis.com
mmvpapontis.com
mmzsapontis.com
moigapontis.com
moueapontis.com
mozyapontis.com
muhvapontis.com
mwasapontis.com
mwfbapontis.com
mydcapontis.com
myjnapontis.com
mysmapontis.com
nbfkapontis.com
nbnwapontis.com
ndocapontis.com
nhweapontis.com
nlafapontis.com
nlbdapontis.com
nlosapontis.com
nlstapontis.com
nnnqapontis.com
nnoiapontis.com
npklapontis.com
npvdapontis.com
nrniapontis.com
nrsmapontis.com
nrwpapontis.com
nrxyapontis.com
nrzeapontis.com
ntjhapontis.com
ntslapontis.com
nvqhapontis.com
nvqnapontis.com
nzhmapontis.com
nzviapontis.com
nzvyapontis.com
oauoapontis.com
oecwapontis.com
oehyapontis.com
ogikapontis.com
oipaapontis.com
oiqkapontis.com
oitvapontis.com
okiwapontis.com
oknjapontis.com
oocmapontis.com
oubuapontis.com
owusapontis.com
oybtapontis.com
oypqapontis.com
pbfzapontis.com
pfqaapontis.com
pftcapontis.com
pfuoapontis.com
pfxnapontis.com
phrnapontis.com
plpmapontis.com
plwhapontis.com
plzhapontis.com
pnkpapontis.com
pntuapontis.com
pnyhapontis.com
ppvvapontis.com
ptwfapontis.com
pxdtapontis.com
pxgwapontis.com
pzycapontis.com
qennapontis.com
qepcapontis.com
qepvapontis.com
qgdgapontis.com
qgneapontis.com
qkxiapontis.com
qooqapontis.com
qqtkapontis.com
qsxnapontis.com
quieapontis.com
qullapontis.com
qwoiapontis.com
qwvmapontis.com
qyswapontis.com
rbjkapontis.com
rbjuapontis.com
rbpqapontis.com
rbyyapontis.com
rhncapontis.com
rhtxapontis.com
rldvapontis.com
rngsapontis.com
rnlyapontis.com
rnuvapontis.com
rpbnapontis.com
rpmaapontis.com
rprcapontis.com
rpsoapontis.com
rpweapontis.com
rrxrapontis.com
rtnhapontis.com
rtzoapontis.com
rvltapontis.com
rvqaapontis.com
rvwaapontis.com
rvxmapontis.com
rxboapontis.com
rxgxapontis.com
rxloapontis.com
rzbyapontis.com
rzymapontis.com
saqcapontis.com
satsapontis.com
scrrapontis.com
seasapontis.com
seiwapontis.com
sekuapontis.com
senbapontis.com
sifrapontis.com
siymapontis.com
smcmapontis.com
smusapontis.com
sqfwapontis.com
sssuapontis.com
swbxapontis.com
swfhapontis.com
swpeapontis.com
swucapontis.com
syflapontis.com
sywwapontis.com
tbgaapontis.com
tbnpapontis.com
tddiapontis.com
tdkdapontis.com
tdtnapontis.com
tfwrapontis.com
thnsapontis.com
thuoapontis.com
tjnxapontis.com
tlelapontis.com
tlupapontis.com
tlvhapontis.com
tnmzapontis.com
tnqlapontis.com
tnyvapontis.com
tpndapontis.com
truzapontis.com
ttqsapontis.com
ttwqapontis.com
ttzvapontis.com
tvbvapontis.com
tvikapontis.com
tvjhapontis.com
tvuiapontis.com
tvvwapontis.com
ucbbapontis.com
uecyapontis.com
uehmapontis.com
ugkuapontis.com
ugmcapontis.com
uibrapontis.com
uifaapontis.com
uivzapontis.com
ukseapontis.com
umpvapontis.com
uqkmapontis.com
uqvrapontis.com
uuxoapontis.com
uwgwapontis.com
vblvapontis.com
vfhaapontis.com
vhhoapontis.com
vjhdapontis.com
vjxvapontis.com
vlpdapontis.com
vndxapontis.com
vparapontis.com
vpjzapontis.com
vpnjapontis.com
vrkaapontis.com
vtgcapontis.com
vvdpapontis.com
vveyapontis.com
vvvtapontis.com
vxfiapontis.com
vxjtapontis.com
vxxiapontis.com
vzdqapontis.com
vzifapontis.com
vzqgapontis.com
waleapontis.com
wclhapontis.com
wctpapontis.com
wetuapontis.com
wezwapontis.com
wgfoapontis.com
wgmqapontis.com
wiblapontis.com
wifqapontis.com
wmbsapontis.com
wmzeapontis.com
wopnapontis.com
wqbiapontis.com
wqbqapontis.com
wqbuapontis.com
wqpwapontis.com
wqxxapontis.com
wsiaapontis.com
wslcapontis.com
wwsyapontis.com
wwxhapontis.com
wylhapontis.com
wywqapontis.com
xbpuapontis.com
xfelapontis.com
xftvapontis.com
xhozapontis.com
xhqfapontis.com
xhrwapontis.com
xjcbapontis.com
xjdfapontis.com
xjflapontis.com
xjzjapontis.com
xlpnapontis.com
xnckapontis.com
xnohapontis.com
xnqcapontis.com
xpqzapontis.com
xrflapontis.com
xvioapontis.com
xvmqapontis.com
xznkapontis.com
ycfzapontis.com
ycxkapontis.com
yebfapontis.com
yenfapontis.com
yervapontis.com
ygeoapontis.com
yghuapontis.com
ygjcapontis.com
yoiwapontis.com
yoruapontis.com
yspoapontis.com
ysqoapontis.com
ysrqapontis.com
yuvvapontis.com
ywplapontis.com
zbbiapontis.com
zbjbapontis.com
zbkdapontis.com
zdlsapontis.com
zdqoapontis.com
zdztapontis.com
zfulapontis.com
zhjvapontis.com
zjkaapontis.com
zjpgapontis.com
zlgaapontis.com
zlqtapontis.com
znfuapontis.com
zrbqapontis.com
zrkaapontis.com
ztypapontis.com
zvimapontis.com

Fake jobs: firstjob-market.com, tech-newposition.com and ukjob-market.com

Three new fake job domains today, apparently forming part of this long running scam.

firstjob-market.com
tech-newposition.com
ukjob-market.com

Emails send soliciting replies to these domains may appear to come from your own email address (here's why). The so-called jobs being offered are actually criminal activities such as money laundering.

The no-doubt-fake registrant details are:

    Lucia Geleca
    Email: lucpolema@yahoo.fr
    Organization: Lucia Geleca
    Address: 12 rue des Camelias
    City: Alfortville
    State: Alfortville
    ZIP: 94141
    Country: FR
    Phone: +33.0148934367

Although the address is genuine, it almost definitely bogus.

If you have any examples of spam emails "from" these domains, please consider sharing them in the Comments. Thanks!

Thursday, 29 September 2011

lastest-skype-updates.com spam

Here's a spam with a twist.
From: Skype.com skype@[spammer's email redacted for legal reasons]
Reply-To: newsletter@skype-systems.com
Date: 29 September 2011 07:23
Subject: New Updates Have Been Released For Skype ! Download Now‏

This is to notify that new updates have been released for Skype.

http://www.lastest-skype-updates.com/

Following are major new features :

* Up to 5-way group video call.
* Redesigned calling experience.
* Improved video snapshots gallery.
* Improved browser plugins performance on some websites.
* Reduced false positives on browser plugin phone number recognition.
* New presence icons.
* Improved handling of calling attempts made when the user has run out of credit.
* Improved access to sharing functionality

To download the latest version , go to :

http://www.lastest-skype-updates.com/

Start downloading the update right now and let us know what you think
about it.

Talk soon,

The people at Skype
The email has been sent to an address harvested from the Epsilon data breach. That's not surprising.. what is surprising is that it has been sent through a UK company that specialises in selling mailing lists and sending bulk commercial email. Perhaps dealing in stolen data is an honest mistake, but perhaps the ICO would like to make that determination.

DNS resolution for this site seems to flip between 87.106.104.178 [1&1, UK] and 122.224.4.108 [Ninbo Lanzhong Network Ltd, China]. Of these, the Chinese address is the most interesting with the follow slimeware domains hosted:

2011-skype-software-download.com
2011-skype-software-download.net
2011-skype-software-download.org
2011-skype-software-update.net
2011-skype-software-upgrade.com
2011-skype-software-upgrade.net
2011-skype-software-upgrade.org
adobe-acrobat-reader11.com
adobe-acrobat-reader11.net
adobe-acrobat-reader11.org
adobe-acrobat11-download.com
adobe-acrobat11-upgrade.com
adobe-pdf-reader11.com
adobe-pdf-reader11.net
adobe-pdf-reader11.org
adobe-reader11-download.com
adobe-reader11-upgrade.com
adobemailer.org
official-2011-skype-download.com
official-2011-skype-update.com
official-2011-skype-upgrade.com
official-skype-download.com
official-skype-software.com
official-skype-update.com
skype-software-downloads.com
skype-software-downloads.net
skype-software-downloads.org
skypemailer.com

If you live in the UK and have the technical expertise to identify the owner of the sending IP address, please consider filing a complaint with the ICO to make sure that they understand the issue.

Monday, 26 September 2011

SMS Spam: "Due to a new legislation, those struggling with debt .."

Some sort of debt management spam this time. You can bet that these people will probably charge a lot for their services, and dealing with spammers is usually a bad idea in any case.
Due to a new legislation, those struggling with debt can now apply to have it written off. For Free information reply INFO or to opt-out text stop. Free Text!
In this case, the spam originated from +447977237820 although these numbers change regularly.

If you get one of these, you should forward the spam to your carrier. In the came of T-Mobile, O2 and Orange the number to report to is 7726 ("SPAM"). Vodafone customers should use 87726 ("VSPAM") and Three customers should use 37726 ("3SPAM"). Hopefully the carriers will act if there are enough complaints.

There's a good article about protecting yourself from unscrupulous debt management companies here.