Sponsored by..

Monday 5 December 2011

czredret.ru is getting on my nerves

I don't know what has been going on with spam for the past couple of weeks, but there has been a tidal wave of the same old spam hammering away at filters over and over again. Today, about half are directing traffic to a Blackhole exploit kit on czredret.ru (see an analysis here).

The spam today is about airline tickets, but it could be on anything.. including the infamous NACHA spam that we keep seeing.

czredret.ru is hosted on 188.190.99.26 in the Ukraine, a block allocated to:

inetnum:        188.190.96.0 - 188.190.127.255
netname:        INFIUM
descr:          Infium LTD
country:        UA
org:            ORG-INFI1-RIPE
admin-c:        INF20-RIPE
tech-c:         INF20-RIPE
status:         ASSIGNED PI
mnt-by:         RIPE-NCC-END-MNT
mnt-lower:      RIPE-NCC-END-MNT
mnt-by:         NETASSIST-MNT
mnt-routes:     NETASSIST-MNT
mnt-domains:    NETASSIST-MNT
source:         RIPE #Filtered

organisation:   ORG-INFI1-RIPE
org-name:       Infium Ltd.
org-type:       OTHER
address:        61129, Ukraine, Kharkov, Traktorostroiteley 156/41 ave, office 200
mnt-ref:        INFIUM-MNT
mnt-by:         INFIUM-MNT
source:         RIPE #Filtered

person:         Infium Ltd
address:        61129, Kharkov, Ukraine, Traktorostroiteley 156/41, office 200
abuse-mailbox:  abusemail@infiumhost.com
phone:          +380577632339
phone:          +1425606-33-07
nic-hdl:        INF20-RIPE
mnt-by:         INFIUM-MNT
source:         RIPE #Filtered

Google's prognosis of this block (AS197145) isn't brilliant:

Safe Browsing
Diagnostic page for AS197145 (ASINFIUM)


What happened when Google visited sites hosted on this network?

    Of the 536 site(s) we tested on this network over the past 90 days, 14 site(s), including, for example, myegy.com/, ql3a-soft.com/, irkasoft.ru/, served content that resulted in malicious software being downloaded and installed without user consent.

    The last time Google tested a site on this network was on 2011-12-05, and the last time suspicious content was found was on 2011-12-05.

Has this network hosted sites acting as intermediaries for further malware distribution?

    Over the past 90 days, we found 9 site(s) on this network, including, for example, playingfieldforallstore.com/, immerconsult.com/, seafarers333.co.cc/, that appeared to function as intermediaries for the infection of 15 other site(s) including, for example, alexsandra.ucoz.net/, seafarers.ucoz.ru/, fpbqax.in/.

Has this network hosted sites that have distributed malware?

    Yes, this network has hosted sites that have distributed malicious software in the past 90 days. We found 11 site(s), including, for example, myshop-ideal.com/, retailer-ideal.com/, abrorl.dlinkddns.com/, that infected 74 other site(s), including, for example, carrollmanorathletic.com/, nihadragab.com/, fathyradwan.com/.
SiteVet's report shows that while it isn't a brilliant block, it certain has problems.

If you don't do business in the Ukraine then it could well be worth blocking 188.190.96.0/19 just to be on the safe side.

Spam: "Federal Tax payment canceled / Rejected Federal Tax payment " and twistloft.com

There's nothing particularly new with this IRS spam, but because spammers are stupid, all the examples that I have seen today have an invalid link and cannot be clicked through.

Here is a sample:

Date:      Mon, 5 Dec 2011 11:29:03 +0100
From:      Bernadine_Woody@irs.gov
Subject:      Federal Tax payment canceled

Your Tax payment (ID: 6318017800684), recently from your bank account was rejected by the your financial institution.

Canceled Tax transfer
Tax Transaction ID:     6318017800684
Reason for rejection     See details in the report below
FederalTax Transaction Report     tax_report_6318017800684.pdf (Adobe Acrobat Reader Document)

How does IRS e-file work?
A. You or your tax professional, prepare your tax return. In many cases, the tax professional is also the Electronic Return Originator (ERO) who is authorized to file your return electronically to the IRS. Ask your tax professional to file your return through IRS e-file.
You sign your electronic tax return by either using a Self-Select PIN for e-file for a completely paperless return, or by signing Form 8453, U.S. Individual Income Tax Transmittal for an IRS e-file Return.See " If the return is electronic, how do I sign it?" for more information.
After you sign the return using a Self-Select PIN or Form 8453,the ERO transmits the return to the IRS or to a third-party transmitter who then forwards the entire electronic record to the IRS for processing. Once received at the IRS, the return is automatically checked by computers for errors and missing information. If it cannot be processed, it is sent back to the originating transmitter (usually the ERO) to clarify any necessary information. After correction, the transmitter retransmits the return to the IRS. Within 48 hours of electronically sending your return to IRS, the IRS sends an acknowledgment to the transmitter stating the return is accepted for processing. This is your proof of filing and assurance that the IRS has your return information. The Authorized IRS e-file Provider then sends Form 8453 to the IRS.
If due a refund, you can expect to receive it in approximately three weeks from the acknowledgment date - even faster with Direct Deposit (half the time as when filed on paper). If you owe tax, see "What if I owe Money?" for payment options available this year.


Internal Revenue Service, Metro Plex 1, 8401 Corporate Drive, Suite 300, Landover, MD 20785

After debugging the invalid URL and going through a couple of hacked legitimate sites, we find the malicious payload on twistloft.com/main.php?page=111d937ec38dd17e (The Wepawet report is here, do not visit this site unless you know what you are doing), hosted on 65.254.63.228. Blocking access that IP and domain name might be prudent.

Scam: RockSmith Management / rocksmithmanagement.com

This scam has been around for a while, it's part of a nasty cluster of scam sites that have an Australian connection.

The spam comes from a fake address, delivered from an illegally compromised PC. In this example, the spam appears to come from mulattorcxf826@uncw.edu (which is fake) through a well-known spam server in China, 221.212.109.135. Of course, faking the sender address breaks the CAN SPAM act in the US (where the sender pretends to be), as does the lack of real contact details.

Date:      Sat, 3 Dec 2011 11:15:17 +0800
From:      "Ralph Nguyen" [mulattorcxf826@uncw.edu]
Subject:      Please Complete Your Job Application

Dear Applicant

Thank you for expressing your interest in open employment openings in your area.
We are happy to inform you that our placement specialists will be reviewing
available positions for you within the next hour.

Based on your profile, you may qualify for opportunities currently available with a monthly salary in the
$4000 to $8700 range.

To maximize your earnings potential, please complete our full application form first:

http://go.likejav.com/9bcf1f

In addition to a highly competitive base pay, applicants that qualify will also enjoy additional benefits such as:
* 2 wks. paid vacation time (per annum);
* Tuition allowance;
* 401(k)
* full benefits package
* generous retirement plan

To retain your priority placement, please complete your application at your earliest convenience.

We look forward to finding the right job for you.

Rockforce Management
Bringing the best candidates and the right jobs together.


The link forwards to rocksmithmanagement.com (but it could be any one of a variety of similarly named scam sites), as listed here


Of note is the phone number on the first screen - (240) 718-4632 is listed in a number of similar scam sites. I don't know if it is valid or not, it might even belong to a legitimate company. There is no point in ringing it in any case as the scam unfolrd..






The next page is more worrying as it harvests personal details such as your name, phone number and email address. Yes, that would be acceptable for a job site.. but these details are not used at all by this process, so presumably they will be used for spamming purposes.




Once you have signed away your personal details, you get to the "final step" which offers you the chance o check your credit report or view the jobs on offer. On the bottom of the page is a "Privacy Policy" and "Terms of Service" link.. except they aren't links at all, just underlined text. In fact, there is no privacy policy or identifying text anywhere on the site.


If you click on the prominent "Clicking Here" link, you get redirected through referer.us/moxiinternal.go2cloud.org/aff_c?offer_id=2&aff_id=1002&aff_sub=020 to a site called sixfigurekit.com run by an outfit called the "Six Figure Program". The BBB rates the Six Figure Programs as an F in Florida, an F in Illinois but bizarrely a B in New York. On balance it looks pretty poor.




Regardless of where or not the Six Figure Program is a legitimate business or not, it certainly isn't a credit check.. and in this case the spam victim has been duped into clicking the link in order to be exposed to this frankly ridiculous scheme.


So what happens if the victim clicks on the other link on the page? They simply get redirected to a page on indeed.com (branded "RockGrade Management" / rockgrademanagement.com) which returns exactly the same results as if the victim had gone directly to indeed.com in the first place.


But wait.. remember the name, phone number and email address you supplied? What happened to them? They're not needed for indeed.com, so it looks likely that the victim has just given themselves up for even more spam.


All the evidence that I have been able to find links this to a site called websitedesignbrisbane.org in Australia. You can complain about Australian companies at ACMA, although it is difficult to identify exactly which company runs that particular site, but it bills itself as "Jetstream Web Site Design + SEO", presumably of Brisbane.

Thursday 1 December 2011

Spammers are stupid

What's wrong with this spam?

Date:      Thu, 1 Dec 2011 17:55:30 +0900
From:      "LinkedIn" [linkedin@em.linkedin.com]
To:      Victim
Subject:      So now you're on LinkedIn: What's next?

The ACH transaction (ID: 730771521612), recently sent from your checking account (by you or any other person), was canceled by the other financial institution.
Rejected transfer
Transaction ID:     730771521612
Reason of rejection     See details in the report below
Transaction Report     report_730771521612.doc (Microsoft Word Document)

13450 Sunrise Valley Drive, Suite 100 Herndon, VA 20171 (703) 561-1100

© 2011 NACHA - The Electronic Payments Association

Yup.. the headers are for a LinkedIn themed spam, the body is a NACHA themed one with a link to a malicious file. The bad guys are sending out so many of these that they must be getting confused.

The link goes through a number of legitimate hacked sites and eventually ends up at biggestamigo.com on 92.55.144.82 in Romania (I would recommend blocking the whole 92.55.144.0/24 block at least, or even 92.55.144.0/21 if you want to be on the safe side). The payload looks like a typical exploit kit.

Saturday 26 November 2011

Fake jobs: working-ca.com

Another fake job domain, working-ca.com seems to be part of this long-running scam. I hadn't spotted this one before, so thanks to our reader who sent it in. Note that this is not connected with the legitimate site WorkingCA.com . The jobs offered are actually illegal activities such as money laundering.


Hello, We have an excellent opportunity for an apprentice applicant to
join a rapidly expanding company.

An at home Key Account Manager Position is a great opportunity for stay
at home parents
or anyone who wants to work in the comfort of their own home.

This is a part time job / flexible hrs for Canadians only,This is in
view of our not having a branch office presently in Canada,
also becouse of paypal and ebay policies wich is prohibit to work
directly with residents of some countries.

Requirements: computer with Internet access, valid email address, good
typing skills.
If you fit the above description and meet the requirements, please apply
to this ad stating your location.

You will be processing orders from your computer. How much you earn is
up to you.
The average is in the region of CA$750- CA$1000 per week, depending on
whether you work full or part time.

Region: Canada only.

If you would like more information, please contact us stating where you
are located and our job reference number - 70570-868/4HR.
Please only SERIOUS applicants.

If you are interested, please reply to: Weldon@working-ca.com

and

Hello, We have an excellent opportunity for an apprentice applicant to
join a rapidly expanding company.

An at home Key Account Manager Position is a great opportunity for stay
at home parents
or anyone who wants to work in the comfort of their own home.

This is a part time job / flexible hrs for Canadians only,This is in
view of our not having a branch office presently in Canada,
also becouse of paypal and ebay policies wich is prohibit to work
directly with residents of some countries.

Requirements: computer with Internet access, valid email address, good
typing skills.
If you fit the above description and meet the requirements, please apply
to this ad stating your location.

You will be processing orders from your computer. How much you earn is
up to you.
The average is in the region of CA$750- CA$1000 per week, depending on
whether you work full or part time.

Region: Canada only.

If you would like more information, please contact us stating where you
are located and our job reference number - 35097-781/2HR.
Please only SERIOUS applicants.

If you are interested, please reply to: Tristan@working-ca.com


The registrant details for the domain are probably fake, but here they are anyway:

Kevin Tesalo
    Email: kevintesalo@yahoo.fr
    Organization: Kevin Tesalo
    Address: 2 avenue des Beguines
    City: Cergy Saint Christophe
    State: Cergy Saint Christophe
    ZIP: 95811
    Country: FR
    Phone: +33.124335612 

Thursday 24 November 2011

Fake jobs: jobinhollandart.com and europjobs.eu

Here are two new domains promoting fake jobs: jobinhollandart.com and europjobs.eu

This series of emails seems to be different from this one, but the pitch is still the same - the bad guys are trying to recruit people for money laundering activities and other criminal acts.

Date: 24 November 2011 06:27
Subject: Virtuele Manager vacature
  
Ons bedrijf is een snel groeiende internationale adviesbureau dat de diensten tot 46 landen verleent..
We hebben succesvol geweest voor een lange periode van werk in nauwe samenwerking met een aantal
organisaties voor onderzoek en investeringen over heel Europa.
We hebben vele boeiende projecten in de financiële diensten, financiële steun,
die eisen dat WUG bedrijf is voortdurend groeien en ontwikkelen..

Dankzij de uitbreiding van onze zaken ons bedrijf is op zoek naar een individu om de positie
van regionalefinanciële vertegenwoordiger te vullen.
Wij stellen voor werken in een internationale omgeving met een vriendelijk team
van hoog gekwalificeerde professionals en leren van de leider in deze opwindende industrie..

Belangrijke verantwoordelijkheden:
- Handhaving van de database op de website met behulp van onze speciale software
- Het opstellen van de verslagen
- Omgaan met bestaande en nieuwe komen klanten
- Werken met Internet en E-mail

Wij hebben vereist:
- Hoger onderwijs
- Klant minded-responsieve/vermogen/wens om te dienen van klanten
- Technische kennis - goed Windows begrip
- Proactief - zoeken naar oplossingen
- Een goede beheersing van het Engels (verplicht)

Wij waarborgen:
- Volledig betaald opleiding
- Competitief loon 2300 Euro per maand
- Mogelijkheid voor promotie
- Een sociaal pakket (verzekering, enz.)
- Speciaal ontworpen bonussysteem

Stuur uw gedetailleerde cv's in het Engels voor onze overweging op onze e-mail
met vermelding van de Financieel Vertegenwoordiger functie.
Succesvolle kandidaten zullen worden gecontacteerd met betrekking tot de tijd voor het interview..

Amie@jobinhollandart.com

jobinhollandart.com shares back-end infrastructure with europjobs.eu and a domain called israelcallingcard.net. You can assume that  europjobs.eu will also be used for fraudulent activities.

The MX records point to 68.68.20.166, (Bluemile Inc, Ohio). Nameservers are on 173.213.79.90 (Ionix, Nevada) and 170.19.177.33 (Cooper Neff, Pennsylvania).

The WHOIS records for all these domains are probably fake:

jobinhollandart.com
   Diane R. Coleman
   Diane Coleman DianeRColeman@aol.com
   +1.3612298028 fax: +1.3612298028
   1327 Boone Street
   Corpus Christi TX 78476
   us

israelcallingcard.net
      Neva Kilpatrick
      5636 GUILFORD AVE
      INDIANAPOLIS, IN 46220
      US
      Phone: +1.3178112099
      Email: ironeggman@yahoo.com

europjobs.eu
Name    Sarka Sirotkova
Organisation   
Language    English
Address   
Email  

Wednesday 23 November 2011

b*redret.ru domains to block

Some of the recent surge of spam emails going around uses a set of .ru domains with a discernible pattern of b*redret.ru.

Blocking these access to these domains and/or IPs might be a useful proactive step.

173.212.222.54 (Hostnoc, Scranton)
buredret.ru

195.254.135.72 (FastWeb SRL, Romania. Recommend blocking 195.254.134.0/23)
bqredret.ru
btredret.ru
bwredret.ru
bzredret.ru

89.208.34.116 (Digital Networks SRL, Russia. Recommend blocking 89.208.34.0/24)
baredret.ru
biredret.ru
bvredret.ru

94.199.51.108 (23vnet Kft, Hungary)
bkredret.ru
blredret.ru
bpredret.ru
bsredret.ru

95.163.89.193 (Digital Networks JSC, Russia. Recommend blocking 95.163.64.0/19)
bbredret.ru
bcredret.ru
bdredret.ru
beredret.ru
bfredret.ru
bgredret.ru
bhredret.ru

Unallocated / invalid IPs
boredret.ru
brredret.ru
bjredret.ru
bmredret.ru
bnredret.ru
bxredret.ru
byredret.ru

Virus: "Help! I'm in trouble!"

Another virus-laden email, technically very similar to this one yesterday:

Date: Wed, 23 Nov 2011 08:28:46 +0700
From: Saffi@victimdomain.com
To: victim@victimdomain.com
Subject: Help! I'm in trouble!

I was at a party, got drunk, couldn't drive the car, somebody gave me a lift on my car, and crossed on the red light many times, I've just got the pictures, maybe you know him?
Here is the photo

I need to find him urgently!

Thank you
Saffi
The name of the sender varies, but the approach is to use the same domain as the victim to make it look more believable. In the sample I have, the "Here is the photo" link 404s, but you can guarantee that it is malware.. so don't click that link!

Update: the malicious payload is on blredret.ru  (94.199.51.108) at 23vnet Kft in Budapest (again). The Wepawet report is here. Blocking that IP proactively is probably wise.

Update: this spam run is happening again, but with a different set of malicious IPs (read more)

Virus: "Hello! Look, I've received an unfamiliar bill, have you ordered anything?"

Here's a piece of fairly clever social engineering:

Date:      Tue, 22 Nov 2011 12:48:52 +0200
From:      "LILLIE Stinson" [accounting@victimdomain.com]
To:      [victim@victimdomain.com]
Subject:      Need your help!

Hello! Look, I've received an unfamiliar bill, have you ordered anything?
Here is the bill

Please reply as soon as possible, because the amount is large and they demand the payment urgently.

Looking forward to your answer

Fingerprint: 9caf6417-d5b308e2

The link goes to a legitimate website that has been hacked, which then redirects to bsredret.ru on 94.199.51.108 (23VNet, Hungary). A Wepawet report for the target page can be found here.

There are a variety of similar emails doing the rounds at the moment, and the IP and URL with the payload seems to change every day. It might be prudent to warn any users you are responsible for to look out..

Tuesday 22 November 2011

Spoof ACH mails, neoprenpillar.com and decalintos.com

Yet another ACH / NACHA / whatever scam email, they go something like this:
Date:      Tue, 22 Nov 2011 10:42:43 +0100
From:      "The Electronic Payments Association" [alerts@nacha.org]
Subject:      Rejected ACH transaction

The ACH transfer (ID: 925071618701), recently initiated from your checking account (by you or any other person), was canceled by the other financial institution.

Rejected transaction
Transaction ID:     925071618701
Reason for rejection     See details in the report below
Transaction Report     report_925071618701.doc (Microsoft Word Document)

About NACHA
The ACH Network had its start in the early 1970's when a group of California bankers formed the Special Committee on Paperless Entries (SCOPE) in direct response to the rapid escalation of check volume in the United States. The Committee set out to explore the technical, operational, and legal framework necessary for an automated payments system, leading to the formation of the first ACH association in 1972. Similar groups soon formed around the country.
NACHA occupies a unique role in the association world, serving as both an industry trade association and administrator of Automated Clearing House (ACH) Network. As the industry trade association that oversees the ACH Network, NACHA provides services in three key functional areas:

13450 Sunrise Valley Drive, Suite 100

Herndon, VA 20171

2011 NACHA - The Electronic Payments Association

payments knowledge to further their professional development and benefit their employers. Offerings include in-person, desk-top, and distance learning courses, publications, and the Accredited ACH Professional (AAP) Program. Payments education offered by NACHA at the national level augments the rich offering of educational programs provided by the Regional Payments Associations throughout the country.

13450 Sunrise Valley Drive, Suite 100

Herndon, VA 20171

2011 NACHA - The Electronic Payments Association
Other subjects include:

  • ACH transfer failure
  • Rejected ACH transaction 
  • Your ACH transaction 
  • ACH transaction canceled 
  • Rejected ACH transaction 
There's a link through to a hacked site, containing four embedded javascripts on other hacked sites which eventually lead to decalintos.com or neoprenpillar.com, both hosted on 193.106.174.219 (IQHost Ltd, Russia). This tries to download a variety of exploits (Wepawet report here).

IQHost seems to be over-run with this sort of toxic crap at the moment. Blocking access to 193.106.172.0/22 is probably a smart move.

Fake Firefox: "Introducing the new and improved Firefox 8,optimized for Facebook."

Here's a fake Firefox upgrade message circulating by email:

From: Mozilla Firefox [mailto:firefox-update@plrja5f2.fireefox.com]
Sent: 22 November 2011 05:32
Subject: Introducing the new and improved Firefox 8,optimized for Facebook. 211.245.104.78

Facebook recommends the faster Firefox 8.
Can't see images? View on a mobile device

   
Facebook recommends that you upgrade to the
faster and smarter Firefox 8.
       
    Get It Now
   
Introducing the new and improved Firefox 8, optimized for Facebook

• Browse faster than the previous version of Firefox.
• Easily organize and arrange your tabs into groups.
• Get on-the-go access to your saved Firefox settings across multiple computers.
• Access the new Facebook features as profile viewers and much more!
Get your free upgrade now.
Already upgraded? Thank you.
   
All your favorite stuff, all in one place. Make Facebook your home.

Visit Firefox on Facebook  
Share:   

Mozilla, Firefox, and the Firefox logo are trademarks or registered trademarks of Mozilla..

Update Marketing Preferences   |   Privacy Policy   |    Web Beacons in Email

RefID: sr-12012817


All the links lead to 68.143.18.186.nw.nuvox.net/mozilla-firefox/plrja5f2 which in turn leads to a malicious executable with only 15/42 vendors detecting it at VirusTotal. The malware then attempts to call home to magesticgamers.com and 46.166.129.230.

The ThreatExpert report is here, the Comodo report is here.

Monday 21 November 2011

Some work-at-home scams to avoid

Only a real idiot would send spam to a spamcop.net address. Here is a real idiot:

From: Rock Cruit Management 3dhgubesch@hochrather.at
Reply-To: 3dhgubesch@hochrather.at
date    21 November 2011 18:03
subject    Rock Zone Management: Your Job Application is Pending
   
Give the time of day [redacted]


Thank you for submitting your information for potential employment opportunities.
We look forward to reviewing your application,
but can not do so until you complete our internal application.

The pay range for available positions range from $35.77 per hour to $57.62 per hour.
Prior to begin able to be considered, you will first need you to formally apply.
Please go here to begin the process:

http://widg.me/VocOw

Also, the following perks are potentially available:

- Paid Time Off
- Health Benefits Package
- Higher than average salaries
- Tuition Reimbursement
- Extensive 401(k)program

Please take the time to follow the directions and complete the entire application process.

--------------------------------------------------------------------------------

Best Regards,

Rock Cruit Management

In this case, the email originated from 200.74.5.198 in Chile. A second sample was from 31.175.175.182 in Poland.

Clicking through the "widg.me" shortcut leads to a site called rockcruitmanagement.com which looks like a recruitment site at first glance, but in fact is just an entry doorway to a very dubious work-at-home scheme. The domain is WhoisGuard protected, but there are several other crappy sites also hosted on 216.38.13.210 of a similar theme.

A tip - if you get a spam email like this, forward it to the web hosts at abuse -at- gigenet.com and perhaps this will be shut down.

All the sites try to hide their identity, but we can trace them back through their Google Analytics ID of UA-1504952 and AdSense ID of pub-286423930919881 to websitedesignbrisbane.org ("Jetstream Web Design + SEO") in Brisbane, Australia. I haven't been able to trace who is behind this company, and in fact it seems doubtful that there is a company at all.. but still, this seems to be the origin of the spam. The registration details for that domain are:

Registrant ID:6050DF1BFA437FB2
Registrant Name:Jetstream Online
Registrant Organization:Jetstream
Registrant Street1:4/11 Emperor st
Registrant Street2:
Registrant Street3:
Registrant City:Annerley
Registrant State/Province:QL
Registrant Postal Code:4103
Registrant Country:AU
Registrant Phone:+61.431714098
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Registrant Email:jetstream2@gmail.com


All the following domains are connected, most are work-at-home or survey sites that are deceptive in their pitch. I would recommend avoiding them.

123tickets.info
1insuranceauto.info
1insurancelife.info
2airticket.info
2airtickets.info
2freejb.info
2freesw.info
2insuranceauto.info
2insurancelife.info
3insuranceauto.info
3insurancelife.info
4insuranceauto.info
4insurancelife.info
5insuranceauto.info
5insurancelife.info
6insuranceauto.info
7insuranceauto.info
adultversionyoutube.com
air340.info
air747.info
aircomp747.info
airdelta.info
airfly380.info
airfly747.info
auctionsbrisbane.com
bagsflyfree.info
bagsflysw.info
bornmarketer.com
buyyourhouse.com.au
claimair380.info
claimair747.info
claimairticket.info
claimfly.info
claimfly747.info
claimjetticket.info
claimprize.org
claimprizenow.com
claimprizenow.com
claimtickets.info
comp747.info
dailyhotlocal.com
dealcomparisons.com
delta747.info
deltafly.info
deltawin.info
facescams.com
fastwebs.com.au
fly380.info
flybagsfree.info
flyfreenow.info
flyfreesw.info
flyjet747.info
flysw.info
flyswtoday.info
flyticket747.info
flytickets747.info
godsofrain.com
gojb.info
gojblue.info
gojetblue.info
healthcrooks.com
homesaleconnect.com
ifly380.info
ifly747.info
ilovesw.info
ispycpv.com
ispyhq.com
ispyppv.com
jb747.info
jettickets.info
locallunchbreak.com
mydoorhandles.com
myebizprofits.com
myusgrant.com
news8daily.info
news9daily.info
newsdailyreport.com
newsdailyreport.info
officialdeals.info
officialpromos.info
officialrooibostea.com
outsourcing.cm
perfectposturenow.com
rockcrownmanagement.com
rockcruitmanagement.com
rockcruitmanagement.com
rockdimemanagement.com
rockfacemanagement.com
rockfishmanagement.com
rockgrademanagement.com
rockgradereview.com
rockgrandmanagement.com
rockgroupmanagement.com
rockheartmanagement.com
rockhopemanagement.com
rockhousemanagement.com
rockkingmanagement.com
rockmountmanagement.com
rockmountreview.com
rockroundmanagement.com
rockshiftmanagement.com
rockshoremanagement.com
rocksmithmanagement.com
rocktapmanagement.com
rocktowermanagement.com
rockviewmanagement.com
rockworthmanagement.com
rockzonemanagement.com
shippingcontaineraustralia.com
subwayrocks.info
swfly.info
swflyfree.info
swflyfree.info
swisgreat.info
swrocks.info
termitecontrolbrisbane.com
ticket747.info
tickets365.info
tickets380.info
tickets747.info
top3workfromhome.com
torrent4cash.com
tpass.info
tripsreservation.info
turbopottytraining.info
turbotoilettraining.com
utube-com.com
utubevideoclip.net
utube-videos.org
utubevideosite.com
utubezz.com
vacationinus.info
websitedesignbrisbane.org
windelta.info
winflyfree.info
winflytickets.info
winswfree.info
winticketsnow.info
wu-longforlife.com
zbuyerhomes.com

Wednesday 16 November 2011

More NACHA / ACH / Tax / Payment scam emails

Following on from yesterday's post, there have been many, many more of these emails with slight variations, presumably ending up with a similar malware infection as before.

If you get an email like this, do NOT click the link! Simply delete it.. if you have clicked the link then it is just possible that your PC is now infected with sometihhg nasty.

From: STALEYMARISELA@aol.com
Date: 16 November 2011 06:08
Subject: Tax Payment ID 8457924507 is failed.

Hello,


Your Federal Tax Payment ID: 9454542999 has been rejected.
Return Reason Code U68 – The identification number used in the Company Identification Field is not valid.
Please, check the information and refer to Code R21 to get details about
your company payment in transaction contacts section:


http://eftpsgov/U0123063643

MARISELA STALEY,
The Electronic Federal Tax Payment System

------------------------------

From: F. K. Gallegos [mailto:Gallegos_1966@nationalbankers.org]
Sent: 16 November 2011 08:59
Subject: ACH debit transfer was not accepted by our bank

Dear Bank Account Owner,

ACH debit transfer initiated by you or on your behalf was not accepted by our bank.

Transaction ID: 1707826560727761
Current status of transaction: declined

Please review transaction details as soon as possible.

D. Y. Gallegos
Treasury Administration


------------------------------

From: Darlene Wong [mailto:Wong_1955@nationalbankers.org]
Sent: 16 November 2011 05:26
Subject: Bill Payment was not accepted by BankUnited Express

Dear Madam / Sir,

Bill Payment sent by you or on your behalf was not accepted by BankUnited Express.

Transaction ID: 17072923276
Current status of transaction: under review

Please review transaction details as soon as possible.

Darlene F. Wong
Treasury Administration


------------------------------

From: Gideon Elkins
Sent: 16 November 2011 18:03
Subject: Re: your Direct Deposit payment ID 239660991991

Attn: Financial Department

Please be notified, that your latest Direct Deposit transaction
(Int. No. 239660991991) was declined, due to your current Direct
Deposit software being out of date. The detailed information
about this matter is available in the secure section of our web
site:

http://peluangusahaonlines.com/57tt9o/index.html

Please refer to your financial institution to acquire the updated
version of the software.

Yours truly,
Gideon Elkins
ACH Network Rules Department
NACHA - The Electronic Payments Association

13450 Sunrise Valley Drive, Suite 100
Herndon, VA 20171
Phone: 703-561-1100 Fax: 703-787-0996

------------------------------

From: Duncan Winkler [mailto:Winkler1939@uba.org]
Sent: 15 November 2011 17:59
Subject: Funds Transfer was not accepted by our bank

Dear bank account holder,

Funds Transfer created by you or on your behalf was not accepted by our bank.

Transaction ID: 1701205726906
Current status of transaction: under review

Please review transaction details as soon as possible.

Duncan Winkler
Customer Support
Austin County State Bank

------------------------------

From: O. Q. Morrison [mailto:Morrison1940@uba.org]
Sent: 15 November 2011 12:35
Subject: ACH payroll payment was not accepted by United Security Bank

Dear Bank Account Owner,

ACH payroll payment initiated by you or on your behalf was not accepted by United Security Bank.

Transaction ID: 17093959546892
Current status of transaction: declined

Please review transaction details as soon as possible.

Gary Morrison
Accounting Management

------------------------------

Date:      Wed, 16 Nov 2011 11:42:53 +0530
From:      "Aryanna Collins" YBPAryanna@hotmail.com
Subject:      Tax Payment ID 3419177910 is failed.

Good morning,


Your Federal Tax Payment ID: 9173073387 has been rejected.

Return Reason Code U78 – The identification number used in the Company Identification Field is not valid.

Please, check the information and refer to Code R21 to get details about

your company payment in transaction contacts section:


http://eftps.gov/U1433600391



Aryanna Collins,

The Electronic Federal Tax Payment System

------------------------------

Date:      Wed, 16 Nov 2011 01:05:20 -1100
From:      "The Electronic Payments Association" alert@nacha.org
Subject:      ACH payment rejected
Attachments:     nacha_logo.jpg

The ACH transaction (ID: 8185663180422), recently initiated from your checking account (by you or any other person), was rejected by the Electronic Payments Association.

Rejected transfer
Transaction ID:     8185663180422
Reason for rejection     See details in the report below
Transaction Report     report_8185663180422.doc (Microsoft Word Document)

13450 Sunrise Valley Drive, Suite 100

Herndon, VA 20171

2011 NACHA - The Electronic Payments Association

------------------------------

Date:      Wed, 16 Nov 2011 12:52:10 +0100
From:      Bettye_Mcknight@irs.gov
Subject:      Rejected Federal Tax transfer

Your Tax transaction (ID: 971900616898), recently initiated from your bank account was rejected by the your financial institution.

Canceled Tax transaction
Tax Transaction ID:     971900616898
Reason for rejection     See details in the report below
FederalTax Transaction Report     tax_report_971900616898.pdf (Adobe Acrobat Reader Document)




To e-file your 2010 tax return or other electronic forms, you must verify your identity with your Self-Select PIN or Adjusted Gross Income from your 2009 tax return. If you don't have this information from your 2009 tax return, you can request an Electronic Filing PIN�it's as easy as 1-2-3!


Internal Revenue Service, Metro Plex 1, 8401 Corporate Drive, Suite 300, Landover, MD 20785

------------------------------

Date:      Wed, 16 Nov 2011 12:09:36 +0100
From:      "The Electronic Payments Association" risk_manager@nacha.org
Subject:      Your ACH transaction
Attachments:     nacha_logo.jpg

The ACH transfer (ID: 516582351138), recently initiated from your bank account (by you or any other person), was canceled by the other financial institution.

Rejected transaction
Transaction ID:     516582351138
Reason of rejection     See details in the report below
Transaction Report     report_516582351138.doc (Microsoft Word Document)

13450 Sunrise Valley Drive, Suite 100

Herndon, VA 20171

2011 NACHA - The Electronic Payments Association

------------------------------

Date:      Wed, 16 Nov 2011 06:11:50 -0300
From:      Helga_Springer@irs.gov
Subject:      Federal Tax payment rejected

Your federal Tax transaction (ID: 384736455888), recently from your bank account was rejected by the your Bank.

Canceled Tax transfer
Tax Transaction ID:     384736455888
Reason of rejection     See details in the report below
FederalTax Transaction Report     tax_report_384736455888.pdf (Adobe Acrobat Reader Document)

ďż˝

ďż˝
Important Information for Home-care Service Recipients

If you are a home-care service recipient who has a previously assigned EIN either as a sole proprietor or as a household employer, do not apply for a new EIN. Use the EIN previously provided. If you can not locate your EIN for any reason, follow the instructions on the Misplaced Your EIN? Web page.

If you are a home-care service recipient who does not have an EIN, do not use the online application to apply for one. You must apply for your EIN using one of the other methods (phone, fax or mail). For additional information, visit the How to Apply for an EIN Web page.


Internal Revenue Service, Metro Plex 1, 8401 Corporate Drive, Suite 300, Landover, MD 20785

------------------------------

Date:      Wed, 16 Nov 2011 13:25:11 +0700
From:      Marylou Friedman Friedman_1948@icba.org
Subject:      Wire Transfer was hold by National Bank of California

Dear Account Owner,

Wire Transfer created by you or on your behalf was hold by National Bank of California.

Transaction ID: 17017200231113028
Current status of transaction: on hold

Please review transaction details as soon as possible.

Marylou S. Friedman
Customer Support
National Bank of California

------------------------------

Date:      Tue, 15 Nov 2011 12:01:16 +0000
From:      "Yuridia KIRKLAND"
Subject:      Fwd: Wire Transfer Confirmation (FED_REFERENCE_6232TI676)

Dear Bank Account Operator,

I regret to inform you that Wire transfer initiated by you or on your behalf was hold by us.



Transaction: 2342937901002077

Current transaction status: Pending



Please review transaction details as soon as possible.

------------------------------

Date:      Tue, 15 Nov 2011 07:56:46 -0800
Subject:      Fwd: Wire Transfer Confirmation (FED 23160LI34)

Dear Bank Account Operator,

I regret to inform you that Wire transfer initiated by you or on your behalf was hold by us.



Transaction: 408332756171192

Current transaction status: Pending



Please review transaction details as soon as possible.

------------------------------

Date:      Wed, 16 Nov 2011 01:13:56 +0900
From:      "New York State Police" noreply-401212008@nyc.gov
Subject:      UNIFORM TRAFFIC TICKET (ID: 622969718)

New York State ? Department of Motor Vehicles

UNIFORM TRAFFIC TICKET
POLICE AGENCY
NEW YORK STATE POLICE



Local Police Code



THE PERSON DESCRIBED ABOVE IS CHARGED AS FOLLOWS




Time: 7:17 AM

Date of Offense: 04/10/2011



IN VIOLATION OF

NYS V AND T LAW Description of Violation:

SPEED OVER 55 ZONE

TO PLEAD, PRINT CLICK HERE AND FILL OUT THE FORM

------------------------------

Date:      Tue, 15 Nov 2011 11:22:33 -0500
From:      information@direct.nacha.org
Subject:      Your Direct Deposit payment via ACH was declined

Attn: Financial Manager

We regret to notify you,
that your latest Direct Deposit via ACH payment (ID141672824371) was cancelled,
because your current Direct Deposit software version was out of date.

Please use the link below to enter the secure section of our web site and see the details::

www.nacha.org/download/report09809878.pdf

Please apply to your financial institution to get your updated version of the software needed.

Kind regards,

------------------------------

Date:      Tue, 15 Nov 2011 20:26:57 +0530
From:      info@direct.nacha.org
Subject:      Direct Deposit payment was rejected

Dear Sirs,

Herewith we are notifying you,
that your most recent Direct Deposit payment (No.378745855247) was cancelled,
because your current Direct Deposit software version was out of date.

Please visit the secure section of our web site to see the details:

www.nacha.org/download/report09809878.pdf

Please apply to your financial institution to get the necessary updates of the Direct Deposit software.

Yours faithfully,

------------------------------

Date:      Tue, 15 Nov 2011 05:48:07 -0800
From:      "Abdul N . Moser" Moser1940@vabankers.org
Subject:      ACH payroll payment was not accepted by us

Dear Sir/Madam,

I regret to inform you that ACH payroll payment sent by you or on your behalf was not accepted by us.

Transaction ID: 1704692033837
Current status of transaction: pending

Please review transaction details as soon as possible.

Abdul Moser
Accounting Management
First SAvings Bank of Hegewisch


------------------------------

Date:      Tue, 15 Nov 2011 16:00:55 +0300
From:      forgery16@uncw.edu
Subject:      ACH payment canceled

The ACH transfer (ID: 3323817008922), recently initiated from your checking account (by you or any other person), was canceled by the Electronic Payments Association.

Rejected transaction
Transaction ID:     3323817008922
Reason for rejection     See details in the report below
Transaction Report     report_3323817008922.doc (Microsoft Word Document)

About NACHA
By 1978, it was possible for two financial institutions located anywhere in the United States to exchange ACH payments under a common set of rules and procedures. By 1988, the number of ACH payments exceeded 1 billion annually. By 2001, the volume of ACH payments grew by more than 1 billion in a single year.
To help guide advocacy and related communication activities, NACHA established a Communications and Marketing Advisory Group (CMAG) in early 2010. CMAG brings together practitioners representing ACH Network participants to engage in work efforts to benefit the Network and those who utilize it.

13450 Sunrise Valley Drive, Suite 100

Herndon, VA 20171

2011 NACHA - The Electronic Payments Association

Monday 14 November 2011

NACHA / Wire Transfer malicious emails

I'm not sure if these three incidents are all related or are just using the same approach, but here goes.

Date:      Mon, 14 Nov 2011 17:53:54 +0100
Subject:      Disallowed Direct Deposit payment

Dear Sirs,

Herewith we are notifying you, that your latest Direct Deposit transaction (No. 60795715105) was disallowed, because of your business software package being out of date. The detailed information about this matter is available in the secure section of our web site:

hxxp://astola.com.au/93oj63/index.html

Please apply to your financial institution to obtain the new version of the software.

Kind regards,
Sidney Gross
ACH Network Rules Department
NACHA - The Electronic Payments Association

13450 Sunrise Valley Drive, Suite 100
Herndon, VA 20171
Phone: 703-561-1100 Fax: 703-787-0996

and then

Date:      Mon, 14 Nov 2011 02:42:02 +0530
From:      accounting@victimdomain.com
Subject:      Fwd: Wire Transfer Confirmation (FED 5697WN59)

Dear Bank Account Operator,

I regret to inform you that Wire transfer initiated by you or on your behalf was hold by us.

Transaction ID: 85802292158295165

Current status of transaction: under review

Please review transaction details as soon as possible.

Bernadette Dickinson
Payments Administration

and finally

Date:      Mon, 14 Nov 2011 10:56:29 +0530
From:      "HARMONY URBAN" support@federalreserve.gov
Subject:      Your Wire Transfer

Good day,

Account: Business Account XXX

Amount: $ 93,056.63

Wire Transfer Report: View

The wire transfer will be processed within 2 hours.

Please make sure that everything is as you requested.

HARMONY URBAN,
Federal Reserve Wire Network 

The first spam leads to a hacked site in Australia (there are probably many others). In turn, this tries to load four scripts to install malware though an HCP attack (Wepawet report here). The scripts are:

lallygag.com/js.js
www.miracleshappenrr.com/images/js.js
kyare.net/js.js
allmemoryram.com/js.js

In all cases, those scripts appear to be on legitimate (but hacked) websites. The final step for that attack is to try to install a malicious Java application from colobird.com/content/import.jar - a domain that is hosted on 216.250.120.100 but one that was only registered very recently.


The second and third emails take a different approach, loading a page at www.btredret.ru/main.php hosted on 93.187.142.38 (S.C. Profisol Telecom S.R.L., Romania). This attemps a Java exploit (Wepawet report here). This IP is part of a small netblock of 93.187.142.32 - 93.187.142.63 (93.187.142.32/27) and can probably safely be blocked, or you could just block the whole /24 if you wanted,

This is an old approach that has been doing the rounds for two years. It must still work though..

Friday 11 November 2011

financialstatements.mrsdl.com, nookbizkitsad.com and 94.102.11.168

This is a pretty common virus laden email:

Subject: ACH Transfer was not accepted by our bank

Dear Bank Account Operator,

I regret to inform you that ACH Transfer created by you or on your behalf was not accepted by our bank.

Transaction ID: 1709919126682218
Current status of transaction: on hold

Please review transaction details as soon as possible.

Erika Y. Barnes
Treasury Management
and
Subject: Wire Transfer was not accepted by our bank

Dear Account Holder,

Wire Transfer sent by you or on your behalf was not accepted by our bank.

Transaction ID: 170992225147
Current status of transaction: pending

Please review transaction details as soon as possible.

Katherine Hess
Treasury Administration

There's a link in the email.. the first port of call is a hacked legitimate website. This gets fowarded to financialstatements.mrsdl.com which then delivers an HCP exploit and tries to encourage the user to download malware.

The download is called updateflash.exe (MD5 31EA43D448086974125E9904AB1BB3C5). Vendor detection is patchy with VirusTotal reporting just 20/43 products detecting it. ThreatExpert have a more detailed analysis here (useful if you are trying to disinfect a machine manually).

financialstatements.mrsdl.com is multihomed on several IP addresses, mostly cable modem customers in Spain for some reason:

71.217.16.172
84.123.147.172
84.124.179.183
84.126.255.46
85.86.48.130
85.219.28.52
178.139.18.243
212.225.172.73
218.216.37.66

Because of the wide range of IPs, blocking access to the entire mrsdl.com domain is probably easiest.

The HCP exploit is hosted on nookbizkitsad.com, hosted on 94.102.11.168 in Turkey. This IP has a whole load of malicious sites on it, blocking access to this IP is probably a good idea. The Wepawet report for this is here.

Sites hosted on in the first "mrsdl.com" cluster include:
code732546teh34.com
mrsdl.com
financialstatements.mrsdl.com
titlefinancialstatements.mrsdl.com
digitalarmory.net
www.digitalarmory.net
worldisfriendly.com
yourowndefence.net

Sites hosted on 94.102.11.168 include:
teomagofagolo3488.co.cc
b3ibw00erdool.co.cc
frolenad.cu.cc
hkjhaqiewjkfasdfpckjhhejrf.cu.cc
m4everything.cu.cc
vjfgmifjdfkepodkfldetrg.cu.cc
kaublog.de
video-games04.ns1.name
gfqnjsqu.findhere.org
oepzvjb.myftp.org
codzicbvrc.myftp.org
dwcninccwc.myftp.org
kensndorqd.myftp.org
zsqnmpulsh.myftp.org
kqusyqj.myftp.org
nonuxbo.myftp.org
lfqcoep.myftp.org
bpocajyjs.myftp.org
orwobrysku.myftp.org
qszmsqjiiw.myftp.org
mexigxzy.myftp.org
ugkuhqerflaspeeeeggva.c0m.li
51se.stnet.nl
42se.stnet.nl
45se.stnet.nl
46se.stnet.nl
nookbizkitsad.com
gmbhsite.com
tvbkjizm.athersite.com
xpicktxr.athersite.com
imrzcsws.athersite.com
kaposuyx.athersite.com
pzwwnzky.athersite.com
coloique.com
rldthxahbw.freetcp.com
khraaqyh.uglyas.com
phpctuqz.assexyas.com
lyeldismnl.zyns.com
nhfeyo.zyns.com
fast.4pu.com
ztxserv1.in
deqiosta83.in
fantome456.in
mastrudinnnne9.in
rdolaminyollwa.in
ogoatl0.dynamic-dns-service.in
ybiyxd1.dynamic-dns-service.in
ijeuhs3.dynamic-dns-service.in
ohoymz4.dynamic-dns-service.in
teanainthernane.in
letingosite.in
clisselaweyzaii.in
fasstasharremi.in
ondayihasanzani.in
lephayndeleiul.in
rceytaronnistem.in
ffodenhenigunn.in
doritahalvarlyn.in
andracybinatono.in
kencexoveduner.in
eretansenoviver.in
preeeederdtt.in
rifaelmarmanlex.in
senaliaricangy.in
nex8.info
pis7ol.info
oalgrul.ddns.info
knyvan.ddns.info
innexts.info
hgkasdfqerofcvvuiajrfaqe.ce.ms
kleopatrik.ce.ms
pyrbvfmk.isgre.at
igazlaxn.bestdeals.at
ftgaxklp.bestdeals.at
schneller-reich.net
schnellerreich.net
schneller-reichshop.net
kopysgud.byinter.net
dzjartdj.byinter.net
bgtecocg.passinggas.net
lggpiiwm.passinggas.net
mhgtmvwm.passinggas.net
tyvsoxtn.isthebe.st
mgascbtp.ontheweb.nu
moiptenchik.ru
moiejik.ru
moisuslik.ru
moikonik.ru
moipesik.ru
fredom.ru
bqredret.ru
horkotov.ru
dfrtwintestingdomainlast222999.com.tw

Thursday 10 November 2011

Rove Digital and Vladimir Tsastsin busted.

If you work in IT Security, you'll probably remember the names EstDomains and EstHost, part of a criminal organisation called Rove Digital headed by Vladimir Tsastsin (pictured).

Finally, the FBI and Estonia authorities have arrested Tsastsin and some of his associates, and have effectively ended one of the biggest organised crime rings around.

The good guys are no doubt celebrating that the online world is just a little bit safer today.. read more at Brian Krebs's blog.

Tuesday 8 November 2011

Something evil on 193.106.174.220 and 91.194.214.66

193.106.174.220 and 91.194.214.66 and are a pair of IP addresses that appear to be involved in injection attacks, possibly distributing the Blackhole exploit kit.

Blocking these two IPs as a precaution is probably a good idea. A full list of the known domains on those two servers is at the bottom of the post, but blocking access to the following domains is an easy shortcut to block most of them:

cu.cc
ddns.me.uk
orge.pl
dyndns-office.com
mrface.com
ns01.us
ns02.us
myftp.name
ddns.name
itsaol.com
port25.biz

Full list:

91.194.214.66
pikapika.cu.cc
adsense-google.cu.cc
mariocart.cu.cc
79574.mynumber.org
ghjgh.ddns.me.uk
rotterdam.osa.pl
1asd-patricia.orge.pl
1benz-pizza.orge.pl
1napoleon-wizard.orge.pl
3mercury-joyce.orge.pl
1pad-george.orge.pl
2melissa-file.orge.pl
1develop-profile.orge.pl
2tomato-june.orge.pl
3fourier-steph.orge.pl
2nagel-earth.orge.pl
1patty-traci.orge.pl
2berliner-mark.orge.pl
3banks-pork.orge.pl
2professor-criminal.orge.pl
1pencil-reagan.orge.pl
3beauty-noreen.orge.pl
3academic-caren.orge.pl
2shuttle-berlin.orge.pl
1gnu-nutrition.orge.pl
1ingrid-eiderdown.orge.pl
1beethoven-uucp.orge.pl
3field-summer.orge.pl
2signature-commrades.orge.pl
3daemon-sharks.orge.pl
1discovery-simpsons.orge.pl
2inna-elephant.orge.pl
3banks-elephant.orge.pl
3surfer-stuttgart.orge.pl
1tammy-nyquist.orge.pl
3memory-new.orge.pl
3kristin-andy.orge.pl
1pork-larry.orge.pl
1arlene-symmetry.orge.pl
1lori-symmetry.orge.pl
1phone-ersatz.orge.pl
zxczxcz.mrface.com
googl933.dyndns-office.com
tested23.acmetoy.com
zelenij.mypicture.info
mobiliti.ns01.us
cxqweq.ns02.us

193.106.174.220
andre12.myftp.name
aswaz.ddns.name
google2.itsaol.com
sw2sa.port25.biz

Sunday 6 November 2011

Fake jobs: europcareers.net

One more fake job domain to avoid, europcareers.net follows on from the ones spotted yesterday and uses the fake (probably fake) registration address:


frederic benou
    Email: fredericabenou@yahoo.fr
    Organization: frederic benou
    Address: 23 rue des Camelias
    City: Alfortville
    State: Alfortville
    ZIP: 94112
    Country: FR
    Phone: +33.0148931456 

The emails may appear to come from yourself (here's why). The jobs offered are actually criminal activities such as money laundering. If you have any example emails, please consider sharing them in the Comments.

Friday 4 November 2011

Fake jobs: jobsearchoo.com, newstatejob.com and usanewjobgov.com

Three more domains being used to recruit money laundering jobs and other illegal activities:

jobsearchoo.com
newstatejob.com
usanewjobgov.com


The jobs form part of this long running scam.Email messages may appear to come from yourself (here's why). The domain is registered to the following (probably fake) address:

    frederic benou
    Email: fredericabenou@yahoo.fr
    Organization: frederic benou
    Address: 23 rue des Camelias
    City: Alfortville
    State: Alfortville
    ZIP: 94112
    Country: FR
    Phone: +33.0148931456 


If you have any examples of emails using these domains, then please consider sharing them in the Comments. Thanks!

Thursday 3 November 2011

Something evil on 95.163.66.209

There are a bunch of domains being used in injection attacks on 95.163.66.209 (Digital Network JSC, Russia). recently Armorize covered attacks using this particular site. The problem seems to be ongoing, and 95.163.66.209 is a good IP to block. In fact, blocking 95.163.64.0/19 is probably a good idea too as there are a whole load of nasties there too. Google is pretty damning:

Safe Browsing
Diagnostic page for 95.163.66.0

What is the current listing status for 95.163.66.0?

    This site is not currently listed as suspicious.

    Part of this site was listed for suspicious activity 2 time(s) over the past 90 days.

What happened when Google visited this site?

    Of the 21 pages we tested on the site over the past 90 days, 0 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2011-10-05, and the last time suspicious content was found on this site was on 2011-10-05.

    Malicious software includes 330 trojan(s), 276 scripting exploit(s).

    This site was hosted on 1 network(s) including AS12695 (DINET).

Has this site acted as an intermediary resulting in further distribution of malware?

    Over the past 90 days, 95.163.66.0 appeared to function as an intermediary for the infection of 19 site(s) including manualeofficina.altervista.org/, ua90.com/, phelpsweb.com/.

Has this site hosted malware?

    Yes, this site has hosted malicious software over the past 90 days. It infected 107 domain(s), including manualeofficina.altervista.org/, settatonchat.com/, zktoot.com/.

The sites on 95.163.66.209 are listed at the end of the post. However, most of them seem to be pretty odd subdomains (probably free) and blocking access to domains ending as follows could be a good general idea.

cz.cc
nl.ai
xe.cx
c0m.li
coom.in
l2x.eu
myddns.com
mx.am
ce.ms
mywww.biz
4dq.com
88n.eu
jesais.fr
qpoe.com
25u.com
dnset.com

Full list:
badcake.cz.cc
bdf.nl.ai
bent-pastry.xe.cx
bfsghsf.c0m.li
bgdh.coom.in
bgfdsbd.nl.ai
bghfxdh.nl.ai
bhdgzh.nl.ai
bluecloakroom.l2x.eu
boiling-fish.myddns.com
boilingpasta.xe.cx
boleklelek.nl.ai
care.appliancesraleighnc.com
chem.bluesky2010.com
chief-bagel.xe.cx
dark-veal.xe.cx
dead.carboneconstruction.info
dfhdf.nl.ai
diplomadog.mx.am
dsadas.coom.in
dwrewr.c0m.li
eeerr.ce.ms
elastic-venison.xe.cx
electrical.xe.cx
electric-meal.xe.cx
equal-pomegranate.aelita.fr
false-fig.xe.cx
fasdf.coom.in
fczxfczx.coom.in
fdasfsa.nl.ai
fdsfds.coom.in
feeble-cereal.lacheun.com
fertileroast.nl.ai
first-peanuts.l2x.eu
fixedbread.xe.cx
flat-fork.mx.am
flat-vegetables.xe.cx
frequentglass.xe.cx
gdgfdd.nl.ai
gdsg.nl.ai
gdsggdag.nl.ai
gershlagen.nl.ai
gfdgdf.nl.ai
gfsdgfds.coom.in
gfsdgsd.coom.in
gfsgfds.coom.in
ghdfhd.nl.ai
gjgfj.coom.in
gocheating.nl.ai
good-meal.l2x.eu
goodorange.xe.cx
goodrice.xe.cx
gsdgd.nl.ai
gsdgs.coom.in
gsfgs.nl.ai
gsgssd.coom.in
habdf.coom.in
hbgdh.nl.ai
hdggd.nl.ai
hdgh.nl.ai
hdgjd.coom.in
hdgsh.nl.ai
hgdhfg.nl.ai
hgf.nl.ai
high-hotdog.mywww.biz
hist.benjamin-moore.info
hjdgjhdg.coom.in
hkjjl.nl.ai
holybutter.lflinkup.org
homeimprovement.nl.ai
honor-for-you.mx.am
jaguaro.4dq.com
jdgjdg.coom.in
jgfjg.coom.in
jgjg.nl.ai
jobcracker.nl.ai
jvhkgh.coom.in
kghg.coom.in
kripple.88n.eu
leaveme.nl.ai
light.designerfloors.info
lihlhk.nl.ai
listen.c0m.li
loose-f.lacheun.com
loveme.88n.eu
lovewill.sellclassics.com
loveyoulike.c0m.li
lucky-force.mx.am
make.budgetblindsraleigh.info
mangle.blueskyresort.us
maniacmansion.88n.eu
med.designerfloors.info
medicalgrill.jesais.fr
mfhjmfh.coom.in
myrabbit.sixth.biz
negativecreep.mywww.biz
newbread.xe.cx
nhdgjhnd.nl.ai
normal-bagel.xe.cx
nownownow.l2x.eu
obsess.crawlspacecleaning.org
old-grapefruit.xe.cx
poorgrapes.c0m.li
pref.bluesky2011.com
promise.demartinocompanies.info
quiet-orange.qpoe.com
quietsoup.xe.cx
right-pomegranate.xe.cx
roberre.ftpserver.biz
roughslices.xe.cx
round-chicken.moneyhome.biz
sad-pineapple.lacheun.com
samerice.nl.ai
same-waitress.xe.cx
separate-buffet.25u.com
short-spoon.itemdb.com
shutham.ns01.biz
slewincom.com
smoothturkey.xe.cx
specialcookies.88n.eu
sport.designerfloorfashions.com
sticky-bacon.88n.eu
strangecooking.mynetav.net
strangesalad.xe.cx
strongkumquat.c0m.li
suckmydiscoball.oueb.eu
told.aeheatingandair.info
uytdujg.nl.ai
vcnvbhjmfgvj.coom.in
vfjhfj.nl.ai
vjh.coom.in
vzsfd.coom.in
wallex.l2x.eu
wannabe.c0m.li
webelieve.nl.ai
wehaveadeal.nl.ai
wet-toast.dnset.com
wise-crackers.xe.cx
workfree.nl.ai
youngmutton.mynetav.org

Wednesday 2 November 2011

Fake jobs: expoeurojob.com, newjobsineurope.com and thenewjobbs.com

Three new domains offering jobs which will actually turn out to be money laundering or reshipping stolen goods. This scam has been going on for years.

expoeurojob.com
newjobsineurope.com
thenewjobbs.com


The emails may appear to come "from" your own email address (here's why). The (probably fake) registrant details for this domain are:

    Francisco Getz
    Email: franciscogetz@yahoo.fr
    Organization: Francisco Getz
    Address: 43 rue Mazarine
    City: Paris
    State: Paris
    ZIP: 75002
    Country: FR
    Phone: +33.191282216

If you have any samples of spam using these domains, please consider sharing them in the Comments. Thanks!