Sponsored by..

Friday, 9 December 2011

NACHA Spam.. again.. and wonderfulwrench.com

The spammers have been busy today, here's another one leading to malware.

Date:      Fri, 9 Dec 2011 13:28:41 -0300
From:      "The Electronic Payments Association"
Subject:      ACH transaction rejected

The ACH transaction (ID: 870526083755), recently initiated from your checking account (by you or any other person), was canceled by the Electronic Payments Association.
Rejected transfer
Transaction ID:     870526083755
Reason of rejection     See details in the report below
Transaction Report     report_870526083755.doc (Microsoft Word Document)

13450 Sunrise Valley Drive, Suite 100 Herndon, VA 20171 (703) 561-1100

© 2011 NACHA - The Electronic Payments Association

The malicious payload is on wonderfulwrench.com/main.php?page=977334ca118fcb8c on 46.45.137.205 (Safya Net, Turkey). We saw the same IP range yesterday, so I recommend blocking access to 46.45.137.0/24 at the least, or 46.45.136.0/21 if you want to be a bit more aggressive in your filtering.

"The variant of the contract you've offered has been delcined."

The recent spam avalanche continues:

Date:      Fri, 9 Dec 2011 -01:35:13 -0800
From:      "Josie Carlson" [TateAlmgren@concentric.net]
Subject:      The variant of the contract you've offered has been delcined.

After our legal department studied this contract carefully, they've noticed the following mismatches with our previous arrangements. We've composed a preliminary variant of the new contract, please study it and make sure that all the issues are matching your interests
Contract.doc 64kb

With respect to you
Josie Carlson

SHA512 check sum: [redacted]

This leads to a malicious payload on ciredret.ru/main.php, hosted on 91.195.11.42 (as with this other spam/virus run), so blocking 91.195.10.0/23 (UkrStar ISP, Ukraine) is a very good idea at the moment.

Malware: Your Amazon.com order of "Omron FXB-414M Fat Loss ..." has shipped! / ageoloft.info, floreli.info and certerpen.info

This malware spam leads via a legitimate hacked site to floreli.info or ageoloft.info or certerpen.info, although there are probably more. If you have the names of other payload domains please consider add ingthem in the Comments. Both these sites are hosted on 91.195.11.42.

From: Issac Britt [mailto:delphiniumsfte62@retela.co.jp]
Sent: 09 December 2011 14:05
Subject: Your Amazon.com order of "Omron FXB-414M Fat Loss ..." has shipped!

Hello,

Shipping Confirmation
Order # 649-2723315-2651369

Your estimated delivery date is:
Tuesday, December 13, 2011

Track your package Thank you for shopping with us. We thought you'd like to know that we shipped this portion of your order separately to give you quicker service. You won't be charged any extra shipping fees, and the remainder of your order will follow as soon as those items become available. If you need to return an item from this shipment or manage other orders, please visit Your Orders on Amazon.com.

Shipment Details

Omron FXB-414M Fat Loss Monitor, Black $149.95
Item Subtotal: $149.95
Shipping & Handling: $0.00
Total Before Tax: $149.95
Shipment Total: $149.95
Paid by Visa: $149.95

You have only been charged for the items sent in this shipment. Per our policy, you only pay for items when we ship them to you.

Returns are easy. Visit our .
If you need further assistance with your order, please visit Customer Service.

We hope to see you again soon!
Amazon.com

The payload is on floreli.info/main.php?page=525447c096f8efbf or ageoloft.info/main.php?page=525447c096f8efbf and consists of the blackhole exploit kit leading to the Cridex Trojan.

Blocking the range 91.195.10.0/23 (UkrStar ISP, Ukraine) a good proactive move as several malware attacks have been hosted there in the past few days.

Domains spotted so far:
ageoloft.info
floreli.info
certerpen.info


Some sample email subjects:
Your Amazon.com order of "Omron BTS-829C Fat Loss ..." has shipped!
Your Amazon.com order of "Omron DRM-151A Fat Loss ..." has shipped!
Your Amazon.com order of "Omron FXB-414M Fat Loss ..." has shipped!
Your Amazon.com order of "Omron KGZ-387E Fat Loss ..." has shipped!
Your Amazon.com order of "Omron PNB-885D Fat Loss ..." has shipped!
Your Amazon.com order of "Omron PNH-875H Fat Loss ..." has shipped!
Your Amazon.com order of "Omron REM-787E Fat Loss ..." has shipped!
Your Amazon.com order of "Omron QYM-632R Fat Loss ..." has shipped!
Your Amazon.com order of "Omron UHA-584I Fat Loss ..." has shipped!

BBB Spam / combiplease.com

The BBB spam run is back today, with a malicious payload on combiplease.com (174.140.165.194), pretty much the same pattern as yesterday and earlier in the week.


This example is from this morning:

Date:      Fri, 9 Dec 2011 09:39:28 +0200
From:      "risk@bbb.org" [alerts@bbb.org]
Subject:      Re: Case # 48783457
Attachments:     main_logo.jpg

Attn: Owner/Manager
The Better Business Bureau has got the above-referenced complaint from one of your associates in respect of their business relations with you.
The detailed information about the consumer's concern is contained in enclosed file.
Please give attention to this question and inform us about your standpoint.
Please click here to reply this complaint.

We look forward to your prompt response.

Yours faithfully,
Anita Emil
Better Business Bureau


Council of Better Business Bureaus
4200 Wilson Blvd, Suite 800
Arlington, VA 22203-1838
Phone: 1 (703) 276.0100
Fax: 1 (703) 525.8277

Blocking 174.140.165.194 may be a good idea as other malicious domains may crop up on the same IP address.

Thursday, 8 December 2011

Malware: "Your new contract" / coredret.ru

Spam season continues with this fake "contract" email with a link that leads to a malicious payload on coredret.ru/main.php.

Date:      Thu, 8 Dec 2011 01:58:25 +0700
From:      "Daisy Newby" [CadenHolmgren@hanmail.net]
Subject:      Your new contract

As we arranged the day before yesterday in the in your place we've got the contract ready, plase study it carefully and let us know whether you accept all the issues.
We've attached the copy of the contract below
Contract.doc 36kb


Best Wishes
Daisy Newby


Fingerprint: bfe69dcc-ccc03723

coredret.ru is hosted on 91.195.11.41 (UkrStar ISP, Ukraine). 91.195.10.0/23 is very sparsely populated, so blocking access to it should cause no problems.

BBB Spam / combijump.com / combimyself.com / combigave.com

A new version of yesterday's spam, this current crop of "BBB Complaint" emails lead to a malicious payload on combijump.com on 46.45.137.206. combimyself.com and combigave.com is on the same server and can also be assumed to be malicious.

VirusTotal detection on the target page is poor. 46.45.137.206 is on a Turkish network called Safya Net, I cannot vouch for its reputation however and it might be worth blocking the /24.

Wednesday, 7 December 2011

Pizza spam / ciredret.ru

Another installment in the tsunami of malware-laden spam doing the rounds.. this time it is for pizza!

From: Pizza by ATTILIO [mailto:Russo@victimdomain.com]
Sent: 06 December 2011 18:25
Subject: Re: Fwd: Order confirmation

You’ve just ordered pizza from our site
Pizza Italian Trio with extras:
- Ham
- Jalapenos
- Green Peppers
- Jalapenos
- No Cheese
- No Sauce
________________________________________
Pizza Veggie Lover's with extras:
- Italian Sausage
- Jalapenos
- Pineapple
- Black Olives
- Easy On Cheese
- No Sauce
________________________________________
Pizza Supreme with extras:
- Chicken
- Jalapenos
- Extra Cheese
- Extra Sauce
________________________________________
Drinks
- Bacardi x 2
- Dr. Pepper x 5
- Cherry Coke x 2
- Coca-Cola x 2
- Mirinda x 4
- Limonade x 5
- Carling x 5
________________________________________Total Due:    187.31$




If you haven’t made the order and it’s a fraud case, please follow the link and cancel the order.
CANCEL ORDER NOW!

If you don’t do that shortly, the order will be confirmed and delivered to you.


Best wishes
Pizza by ATTILIO


Fingerprint: a50c3e6f-8a5c87de 

The link goes through a legitimate hacked site to a malicious payload on ciredret.ru/main.php, hosted on 79.137.237.63. Unsuprisingly this is Digital Network JSC in Moscow (aka DINETHOSTING) who are involved in much of the recent malware spam runs. Blocking 79.137.224.0/20 is highly recommended.

Update 23/12/11: Another pizza malware run, this time leading to cgredret.ru hosted on 79.137.237.68 , no surprise to find that it is Digital Network JSC again..


Date:      Fri, 23 Dec 2011 -06:10:36 -0800
From:      "ANTONINO`s Pizzeria"
Subject:      Re: Fwd: Order confirmation

You’ve just ordered pizza from our site

Pizza Hawaiian Luau with extras:
- Bacon Pieces
- Pepperoni
- Pepperoni
- Diced Tomatoes
- No Cheese
- Extra Sauce
Pizza Meat Lover's with extras:
- Pepperoni
- Bacon Pieces
- Pineapple
- Easy On Cheese
- Easy On Sauce
Pizza Hawaiian Luau with extras:
- Pork
- Black Olives
- Onions
- No Cheese
- Easy On Sauce
Drinks
- Sprite x 2
- Hancock x 6
- White wine x 6
- Carling x 3
Total Charge:    207.31$



If you haven’t made the order and it’s a fraud case, please follow the link and cancel the order.
CANCEL ORDER NOW!

If you don’t do that shortly, the order will be confirmed and delivered to you.


Best Regards
ANTONINO`s Pizzeria

Malware: BBB "Complaint from your customers" and billycharge.com

Another day, another spam campaign leading to the Blackhole Exploit Kit.

Date:      Wed, 7 Dec 2011 08:33:03 +0000
From:      "::Better Business Bureau::" [risk.manager@bbb.org]
Subject:      Complaint from your customers
Attachments:     bbb_logo.jpg

Attn: Owner/Manager
The Better Business Bureau has been sent the above mentioned complaint from one of your customers on the subject of their dealings with you.
The detailed information about the consumer's concern is explained in enclosed document.
Please review this matter and notify us of your position.
Please click here to reply this complaint.

We look forward to your prompt reply.

Yours faithfully,
Shawna Dennis
Better Business Bureau


Council of Better Business Bureaus
4200 Wilson Blvd, Suite 800
Arlington, VA 22203-1838
Phone: 1 (703) 276.0100
Fax: 1 (703) 525.8277

A link in the email goes to a legitimate but hacked site, users are forwarded to billycharge.com on 79.137.237.63. This IP is on Digital Networks CJSC in Russia (aka DINETHOSTING), a wholly black hat operation - you should block access to 79.137.224.0/20 if you haven't already done so. The Wepawet report is here , VT shows 0/43 detections for the exploit page although the download malware should tickle at least some scanners.

Some other subjects and senders being used in this spam:
  • BBB assistance Re: Case # [random number]
  • BBB Complaint activity report
  • BBB processing
  • BBB service Re: Case # [random number]
  • Better Business Bureau Case # [random number]
  • Complaint from your customers
  • Please review your customer's complaint
  • Re: BBB Case # [random number]
  • Re: Case # [random number]
  • Your customer's complaint
  • Your customer's concern
  • admin@bbb.org
  • alert@bbb.org
  • alerts@bbb.org
  • info@bbb.org
  • manager@bbb.org
  • risk.manager@bbb.org
  • risk@bbb.org
  • service@bbb.org
  • support@bbb.org

    Tuesday, 6 December 2011

    "Epidemic in Guinea" spam / curedret.ru

    An interesting twist on malware spam:

    Date:      Tue, 6 Dec 2011 10:19:25 +0530
    From:      "MARIE Grover" [victimname@hotmail.com]
    Subject:      Re: Epidemic in Guinea

    The government is hiding this fact, but there is a new epidemic in Guinea

    I got to know it from friends of mine, they are there right now. Here you can find the instruction what to do not get infected

    Read it! 

    Perhaps the spammers have a sense of irony, because if you click the link you get directed to a legitimate but hacked site and then bounced to curedret.ru on 79.137.237.63 which attempts to load the Blackhole Exploit kit. This belongs to Digital Networks CJSC (aka DINETHOSTING) in Russia.. blocking the entire 79.137.224.0/20 range is probably a very good idea as this block is full of malicious sites. The Wepawet report for this page is here.

    There are a whole bunch of these c*redret.ru sites, at the moment the following are active on this IP address:

    crredret.ru
    ctredret.ru
    curedret.ru
    czredret.ru

    Update: these are coming in for several different countries, payload appears to be the same:

    Epidemic in Alabama
    Epidemic in Austria
    Epidemic in Bangladesh
    Epidemic in Belgium
    Epidemic in Bermuda
    Epidemic in Burkina Faso
    Epidemic in Canada
    Epidemic in Cape Verde
    Epidemic in Chad
    Epidemic in Chile
    Epidemic in Costa Rica
    Epidemic in Croatia
    Epidemic in Gambia
    Epidemic in Germany
    Epidemic in Guam
    Epidemic in Guinea
    Epidemic in Hong Kong (China)
    Epidemic in Indonesia
    Epidemic in Iran
    Epidemic in Ireland
    Epidemic in Israel
    Epidemic in Kazakhstan
    Epidemic in Kentucky
    Epidemic in Kuwait
    Epidemic in Maine
    Epidemic in Mali
    Epidemic in Mayotte
    Epidemic in Mexico
    Epidemic in Monaco
    Epidemic in Montana
    Epidemic in Montserrat
    Epidemic in New Mexico
    Epidemic in Ohio
    Epidemic in Oman
    Epidemic in Pakistan
    Epidemic in Pennsylvania
    Epidemic in Russia
    Epidemic in Saint Vincent and the Grenadines
    Epidemic in Tokelau
    Epidemic in Tunisia
    Epidemic in Turkey
    Epidemic in United Kingdom
    Epidemic in United States
    Epidemic in United States Virgin Islands
    Epidemic in Utah
    Epidemic in Wallis and Futuna
    Epidemic in Wisconsin
    Epidemic in Zimbabwe

    Monday, 5 December 2011

    czredret.ru is getting on my nerves

    I don't know what has been going on with spam for the past couple of weeks, but there has been a tidal wave of the same old spam hammering away at filters over and over again. Today, about half are directing traffic to a Blackhole exploit kit on czredret.ru (see an analysis here).

    The spam today is about airline tickets, but it could be on anything.. including the infamous NACHA spam that we keep seeing.

    czredret.ru is hosted on 188.190.99.26 in the Ukraine, a block allocated to:

    inetnum:        188.190.96.0 - 188.190.127.255
    netname:        INFIUM
    descr:          Infium LTD
    country:        UA
    org:            ORG-INFI1-RIPE
    admin-c:        INF20-RIPE
    tech-c:         INF20-RIPE
    status:         ASSIGNED PI
    mnt-by:         RIPE-NCC-END-MNT
    mnt-lower:      RIPE-NCC-END-MNT
    mnt-by:         NETASSIST-MNT
    mnt-routes:     NETASSIST-MNT
    mnt-domains:    NETASSIST-MNT
    source:         RIPE #Filtered

    organisation:   ORG-INFI1-RIPE
    org-name:       Infium Ltd.
    org-type:       OTHER
    address:        61129, Ukraine, Kharkov, Traktorostroiteley 156/41 ave, office 200
    mnt-ref:        INFIUM-MNT
    mnt-by:         INFIUM-MNT
    source:         RIPE #Filtered

    person:         Infium Ltd
    address:        61129, Kharkov, Ukraine, Traktorostroiteley 156/41, office 200
    abuse-mailbox:  abusemail@infiumhost.com
    phone:          +380577632339
    phone:          +1425606-33-07
    nic-hdl:        INF20-RIPE
    mnt-by:         INFIUM-MNT
    source:         RIPE #Filtered

    Google's prognosis of this block (AS197145) isn't brilliant:

    Safe Browsing
    Diagnostic page for AS197145 (ASINFIUM)


    What happened when Google visited sites hosted on this network?

        Of the 536 site(s) we tested on this network over the past 90 days, 14 site(s), including, for example, myegy.com/, ql3a-soft.com/, irkasoft.ru/, served content that resulted in malicious software being downloaded and installed without user consent.

        The last time Google tested a site on this network was on 2011-12-05, and the last time suspicious content was found was on 2011-12-05.

    Has this network hosted sites acting as intermediaries for further malware distribution?

        Over the past 90 days, we found 9 site(s) on this network, including, for example, playingfieldforallstore.com/, immerconsult.com/, seafarers333.co.cc/, that appeared to function as intermediaries for the infection of 15 other site(s) including, for example, alexsandra.ucoz.net/, seafarers.ucoz.ru/, fpbqax.in/.

    Has this network hosted sites that have distributed malware?

        Yes, this network has hosted sites that have distributed malicious software in the past 90 days. We found 11 site(s), including, for example, myshop-ideal.com/, retailer-ideal.com/, abrorl.dlinkddns.com/, that infected 74 other site(s), including, for example, carrollmanorathletic.com/, nihadragab.com/, fathyradwan.com/.
    SiteVet's report shows that while it isn't a brilliant block, it certain has problems.

    If you don't do business in the Ukraine then it could well be worth blocking 188.190.96.0/19 just to be on the safe side.

    Spam: "Federal Tax payment canceled / Rejected Federal Tax payment " and twistloft.com

    There's nothing particularly new with this IRS spam, but because spammers are stupid, all the examples that I have seen today have an invalid link and cannot be clicked through.

    Here is a sample:

    Date:      Mon, 5 Dec 2011 11:29:03 +0100
    From:      Bernadine_Woody@irs.gov
    Subject:      Federal Tax payment canceled

    Your Tax payment (ID: 6318017800684), recently from your bank account was rejected by the your financial institution.

    Canceled Tax transfer
    Tax Transaction ID:     6318017800684
    Reason for rejection     See details in the report below
    FederalTax Transaction Report     tax_report_6318017800684.pdf (Adobe Acrobat Reader Document)

    How does IRS e-file work?
    A. You or your tax professional, prepare your tax return. In many cases, the tax professional is also the Electronic Return Originator (ERO) who is authorized to file your return electronically to the IRS. Ask your tax professional to file your return through IRS e-file.
    You sign your electronic tax return by either using a Self-Select PIN for e-file for a completely paperless return, or by signing Form 8453, U.S. Individual Income Tax Transmittal for an IRS e-file Return.See " If the return is electronic, how do I sign it?" for more information.
    After you sign the return using a Self-Select PIN or Form 8453,the ERO transmits the return to the IRS or to a third-party transmitter who then forwards the entire electronic record to the IRS for processing. Once received at the IRS, the return is automatically checked by computers for errors and missing information. If it cannot be processed, it is sent back to the originating transmitter (usually the ERO) to clarify any necessary information. After correction, the transmitter retransmits the return to the IRS. Within 48 hours of electronically sending your return to IRS, the IRS sends an acknowledgment to the transmitter stating the return is accepted for processing. This is your proof of filing and assurance that the IRS has your return information. The Authorized IRS e-file Provider then sends Form 8453 to the IRS.
    If due a refund, you can expect to receive it in approximately three weeks from the acknowledgment date - even faster with Direct Deposit (half the time as when filed on paper). If you owe tax, see "What if I owe Money?" for payment options available this year.


    Internal Revenue Service, Metro Plex 1, 8401 Corporate Drive, Suite 300, Landover, MD 20785

    After debugging the invalid URL and going through a couple of hacked legitimate sites, we find the malicious payload on twistloft.com/main.php?page=111d937ec38dd17e (The Wepawet report is here, do not visit this site unless you know what you are doing), hosted on 65.254.63.228. Blocking access that IP and domain name might be prudent.

    Scam: RockSmith Management / rocksmithmanagement.com

    This scam has been around for a while, it's part of a nasty cluster of scam sites that have an Australian connection.

    The spam comes from a fake address, delivered from an illegally compromised PC. In this example, the spam appears to come from mulattorcxf826@uncw.edu (which is fake) through a well-known spam server in China, 221.212.109.135. Of course, faking the sender address breaks the CAN SPAM act in the US (where the sender pretends to be), as does the lack of real contact details.

    Date:      Sat, 3 Dec 2011 11:15:17 +0800
    From:      "Ralph Nguyen" [mulattorcxf826@uncw.edu]
    Subject:      Please Complete Your Job Application

    Dear Applicant

    Thank you for expressing your interest in open employment openings in your area.
    We are happy to inform you that our placement specialists will be reviewing
    available positions for you within the next hour.

    Based on your profile, you may qualify for opportunities currently available with a monthly salary in the
    $4000 to $8700 range.

    To maximize your earnings potential, please complete our full application form first:

    http://go.likejav.com/9bcf1f

    In addition to a highly competitive base pay, applicants that qualify will also enjoy additional benefits such as:
    * 2 wks. paid vacation time (per annum);
    * Tuition allowance;
    * 401(k)
    * full benefits package
    * generous retirement plan

    To retain your priority placement, please complete your application at your earliest convenience.

    We look forward to finding the right job for you.

    Rockforce Management
    Bringing the best candidates and the right jobs together.


    The link forwards to rocksmithmanagement.com (but it could be any one of a variety of similarly named scam sites), as listed here


    Of note is the phone number on the first screen - (240) 718-4632 is listed in a number of similar scam sites. I don't know if it is valid or not, it might even belong to a legitimate company. There is no point in ringing it in any case as the scam unfolrd..






    The next page is more worrying as it harvests personal details such as your name, phone number and email address. Yes, that would be acceptable for a job site.. but these details are not used at all by this process, so presumably they will be used for spamming purposes.




    Once you have signed away your personal details, you get to the "final step" which offers you the chance o check your credit report or view the jobs on offer. On the bottom of the page is a "Privacy Policy" and "Terms of Service" link.. except they aren't links at all, just underlined text. In fact, there is no privacy policy or identifying text anywhere on the site.


    If you click on the prominent "Clicking Here" link, you get redirected through referer.us/moxiinternal.go2cloud.org/aff_c?offer_id=2&aff_id=1002&aff_sub=020 to a site called sixfigurekit.com run by an outfit called the "Six Figure Program". The BBB rates the Six Figure Programs as an F in Florida, an F in Illinois but bizarrely a B in New York. On balance it looks pretty poor.




    Regardless of where or not the Six Figure Program is a legitimate business or not, it certainly isn't a credit check.. and in this case the spam victim has been duped into clicking the link in order to be exposed to this frankly ridiculous scheme.


    So what happens if the victim clicks on the other link on the page? They simply get redirected to a page on indeed.com (branded "RockGrade Management" / rockgrademanagement.com) which returns exactly the same results as if the victim had gone directly to indeed.com in the first place.


    But wait.. remember the name, phone number and email address you supplied? What happened to them? They're not needed for indeed.com, so it looks likely that the victim has just given themselves up for even more spam.


    All the evidence that I have been able to find links this to a site called websitedesignbrisbane.org in Australia. You can complain about Australian companies at ACMA, although it is difficult to identify exactly which company runs that particular site, but it bills itself as "Jetstream Web Site Design + SEO", presumably of Brisbane.

    Thursday, 1 December 2011

    Spammers are stupid

    What's wrong with this spam?

    Date:      Thu, 1 Dec 2011 17:55:30 +0900
    From:      "LinkedIn" [linkedin@em.linkedin.com]
    To:      Victim
    Subject:      So now you're on LinkedIn: What's next?

    The ACH transaction (ID: 730771521612), recently sent from your checking account (by you or any other person), was canceled by the other financial institution.
    Rejected transfer
    Transaction ID:     730771521612
    Reason of rejection     See details in the report below
    Transaction Report     report_730771521612.doc (Microsoft Word Document)

    13450 Sunrise Valley Drive, Suite 100 Herndon, VA 20171 (703) 561-1100

    © 2011 NACHA - The Electronic Payments Association

    Yup.. the headers are for a LinkedIn themed spam, the body is a NACHA themed one with a link to a malicious file. The bad guys are sending out so many of these that they must be getting confused.

    The link goes through a number of legitimate hacked sites and eventually ends up at biggestamigo.com on 92.55.144.82 in Romania (I would recommend blocking the whole 92.55.144.0/24 block at least, or even 92.55.144.0/21 if you want to be on the safe side). The payload looks like a typical exploit kit.

    Saturday, 26 November 2011

    Fake jobs: working-ca.com

    Another fake job domain, working-ca.com seems to be part of this long-running scam. I hadn't spotted this one before, so thanks to our reader who sent it in. Note that this is not connected with the legitimate site WorkingCA.com . The jobs offered are actually illegal activities such as money laundering.


    Hello, We have an excellent opportunity for an apprentice applicant to
    join a rapidly expanding company.

    An at home Key Account Manager Position is a great opportunity for stay
    at home parents
    or anyone who wants to work in the comfort of their own home.

    This is a part time job / flexible hrs for Canadians only,This is in
    view of our not having a branch office presently in Canada,
    also becouse of paypal and ebay policies wich is prohibit to work
    directly with residents of some countries.

    Requirements: computer with Internet access, valid email address, good
    typing skills.
    If you fit the above description and meet the requirements, please apply
    to this ad stating your location.

    You will be processing orders from your computer. How much you earn is
    up to you.
    The average is in the region of CA$750- CA$1000 per week, depending on
    whether you work full or part time.

    Region: Canada only.

    If you would like more information, please contact us stating where you
    are located and our job reference number - 70570-868/4HR.
    Please only SERIOUS applicants.

    If you are interested, please reply to: Weldon@working-ca.com

    and

    Hello, We have an excellent opportunity for an apprentice applicant to
    join a rapidly expanding company.

    An at home Key Account Manager Position is a great opportunity for stay
    at home parents
    or anyone who wants to work in the comfort of their own home.

    This is a part time job / flexible hrs for Canadians only,This is in
    view of our not having a branch office presently in Canada,
    also becouse of paypal and ebay policies wich is prohibit to work
    directly with residents of some countries.

    Requirements: computer with Internet access, valid email address, good
    typing skills.
    If you fit the above description and meet the requirements, please apply
    to this ad stating your location.

    You will be processing orders from your computer. How much you earn is
    up to you.
    The average is in the region of CA$750- CA$1000 per week, depending on
    whether you work full or part time.

    Region: Canada only.

    If you would like more information, please contact us stating where you
    are located and our job reference number - 35097-781/2HR.
    Please only SERIOUS applicants.

    If you are interested, please reply to: Tristan@working-ca.com


    The registrant details for the domain are probably fake, but here they are anyway:

    Kevin Tesalo
        Email: kevintesalo@yahoo.fr
        Organization: Kevin Tesalo
        Address: 2 avenue des Beguines
        City: Cergy Saint Christophe
        State: Cergy Saint Christophe
        ZIP: 95811
        Country: FR
        Phone: +33.124335612 

    Thursday, 24 November 2011

    Fake jobs: jobinhollandart.com and europjobs.eu

    Here are two new domains promoting fake jobs: jobinhollandart.com and europjobs.eu

    This series of emails seems to be different from this one, but the pitch is still the same - the bad guys are trying to recruit people for money laundering activities and other criminal acts.

    Date: 24 November 2011 06:27
    Subject: Virtuele Manager vacature
      
    Ons bedrijf is een snel groeiende internationale adviesbureau dat de diensten tot 46 landen verleent..
    We hebben succesvol geweest voor een lange periode van werk in nauwe samenwerking met een aantal
    organisaties voor onderzoek en investeringen over heel Europa.
    We hebben vele boeiende projecten in de financiële diensten, financiële steun,
    die eisen dat WUG bedrijf is voortdurend groeien en ontwikkelen..

    Dankzij de uitbreiding van onze zaken ons bedrijf is op zoek naar een individu om de positie
    van regionalefinanciële vertegenwoordiger te vullen.
    Wij stellen voor werken in een internationale omgeving met een vriendelijk team
    van hoog gekwalificeerde professionals en leren van de leider in deze opwindende industrie..

    Belangrijke verantwoordelijkheden:
    - Handhaving van de database op de website met behulp van onze speciale software
    - Het opstellen van de verslagen
    - Omgaan met bestaande en nieuwe komen klanten
    - Werken met Internet en E-mail

    Wij hebben vereist:
    - Hoger onderwijs
    - Klant minded-responsieve/vermogen/wens om te dienen van klanten
    - Technische kennis - goed Windows begrip
    - Proactief - zoeken naar oplossingen
    - Een goede beheersing van het Engels (verplicht)

    Wij waarborgen:
    - Volledig betaald opleiding
    - Competitief loon 2300 Euro per maand
    - Mogelijkheid voor promotie
    - Een sociaal pakket (verzekering, enz.)
    - Speciaal ontworpen bonussysteem

    Stuur uw gedetailleerde cv's in het Engels voor onze overweging op onze e-mail
    met vermelding van de Financieel Vertegenwoordiger functie.
    Succesvolle kandidaten zullen worden gecontacteerd met betrekking tot de tijd voor het interview..

    Amie@jobinhollandart.com

    jobinhollandart.com shares back-end infrastructure with europjobs.eu and a domain called israelcallingcard.net. You can assume that  europjobs.eu will also be used for fraudulent activities.

    The MX records point to 68.68.20.166, (Bluemile Inc, Ohio). Nameservers are on 173.213.79.90 (Ionix, Nevada) and 170.19.177.33 (Cooper Neff, Pennsylvania).

    The WHOIS records for all these domains are probably fake:

    jobinhollandart.com
       Diane R. Coleman
       Diane Coleman DianeRColeman@aol.com
       +1.3612298028 fax: +1.3612298028
       1327 Boone Street
       Corpus Christi TX 78476
       us

    israelcallingcard.net
          Neva Kilpatrick
          5636 GUILFORD AVE
          INDIANAPOLIS, IN 46220
          US
          Phone: +1.3178112099
          Email: ironeggman@yahoo.com

    europjobs.eu
    Name    Sarka Sirotkova
    Organisation   
    Language    English
    Address   
    Email  

    Wednesday, 23 November 2011

    b*redret.ru domains to block

    Some of the recent surge of spam emails going around uses a set of .ru domains with a discernible pattern of b*redret.ru.

    Blocking these access to these domains and/or IPs might be a useful proactive step.

    173.212.222.54 (Hostnoc, Scranton)
    buredret.ru

    195.254.135.72 (FastWeb SRL, Romania. Recommend blocking 195.254.134.0/23)
    bqredret.ru
    btredret.ru
    bwredret.ru
    bzredret.ru

    89.208.34.116 (Digital Networks SRL, Russia. Recommend blocking 89.208.34.0/24)
    baredret.ru
    biredret.ru
    bvredret.ru

    94.199.51.108 (23vnet Kft, Hungary)
    bkredret.ru
    blredret.ru
    bpredret.ru
    bsredret.ru

    95.163.89.193 (Digital Networks JSC, Russia. Recommend blocking 95.163.64.0/19)
    bbredret.ru
    bcredret.ru
    bdredret.ru
    beredret.ru
    bfredret.ru
    bgredret.ru
    bhredret.ru

    Unallocated / invalid IPs
    boredret.ru
    brredret.ru
    bjredret.ru
    bmredret.ru
    bnredret.ru
    bxredret.ru
    byredret.ru

    Virus: "Help! I'm in trouble!"

    Another virus-laden email, technically very similar to this one yesterday:

    Date: Wed, 23 Nov 2011 08:28:46 +0700
    From: Saffi@victimdomain.com
    To: victim@victimdomain.com
    Subject: Help! I'm in trouble!

    I was at a party, got drunk, couldn't drive the car, somebody gave me a lift on my car, and crossed on the red light many times, I've just got the pictures, maybe you know him?
    Here is the photo

    I need to find him urgently!

    Thank you
    Saffi
    The name of the sender varies, but the approach is to use the same domain as the victim to make it look more believable. In the sample I have, the "Here is the photo" link 404s, but you can guarantee that it is malware.. so don't click that link!

    Update: the malicious payload is on blredret.ru  (94.199.51.108) at 23vnet Kft in Budapest (again). The Wepawet report is here. Blocking that IP proactively is probably wise.

    Update: this spam run is happening again, but with a different set of malicious IPs (read more)

    Virus: "Hello! Look, I've received an unfamiliar bill, have you ordered anything?"

    Here's a piece of fairly clever social engineering:

    Date:      Tue, 22 Nov 2011 12:48:52 +0200
    From:      "LILLIE Stinson" [accounting@victimdomain.com]
    To:      [victim@victimdomain.com]
    Subject:      Need your help!

    Hello! Look, I've received an unfamiliar bill, have you ordered anything?
    Here is the bill

    Please reply as soon as possible, because the amount is large and they demand the payment urgently.

    Looking forward to your answer

    Fingerprint: 9caf6417-d5b308e2

    The link goes to a legitimate website that has been hacked, which then redirects to bsredret.ru on 94.199.51.108 (23VNet, Hungary). A Wepawet report for the target page can be found here.

    There are a variety of similar emails doing the rounds at the moment, and the IP and URL with the payload seems to change every day. It might be prudent to warn any users you are responsible for to look out..

    Tuesday, 22 November 2011

    Spoof ACH mails, neoprenpillar.com and decalintos.com

    Yet another ACH / NACHA / whatever scam email, they go something like this:
    Date:      Tue, 22 Nov 2011 10:42:43 +0100
    From:      "The Electronic Payments Association" [alerts@nacha.org]
    Subject:      Rejected ACH transaction

    The ACH transfer (ID: 925071618701), recently initiated from your checking account (by you or any other person), was canceled by the other financial institution.

    Rejected transaction
    Transaction ID:     925071618701
    Reason for rejection     See details in the report below
    Transaction Report     report_925071618701.doc (Microsoft Word Document)

    About NACHA
    The ACH Network had its start in the early 1970's when a group of California bankers formed the Special Committee on Paperless Entries (SCOPE) in direct response to the rapid escalation of check volume in the United States. The Committee set out to explore the technical, operational, and legal framework necessary for an automated payments system, leading to the formation of the first ACH association in 1972. Similar groups soon formed around the country.
    NACHA occupies a unique role in the association world, serving as both an industry trade association and administrator of Automated Clearing House (ACH) Network. As the industry trade association that oversees the ACH Network, NACHA provides services in three key functional areas:

    13450 Sunrise Valley Drive, Suite 100

    Herndon, VA 20171

    2011 NACHA - The Electronic Payments Association

    payments knowledge to further their professional development and benefit their employers. Offerings include in-person, desk-top, and distance learning courses, publications, and the Accredited ACH Professional (AAP) Program. Payments education offered by NACHA at the national level augments the rich offering of educational programs provided by the Regional Payments Associations throughout the country.

    13450 Sunrise Valley Drive, Suite 100

    Herndon, VA 20171

    2011 NACHA - The Electronic Payments Association
    Other subjects include:

    • ACH transfer failure
    • Rejected ACH transaction 
    • Your ACH transaction 
    • ACH transaction canceled 
    • Rejected ACH transaction 
    There's a link through to a hacked site, containing four embedded javascripts on other hacked sites which eventually lead to decalintos.com or neoprenpillar.com, both hosted on 193.106.174.219 (IQHost Ltd, Russia). This tries to download a variety of exploits (Wepawet report here).

    IQHost seems to be over-run with this sort of toxic crap at the moment. Blocking access to 193.106.172.0/22 is probably a smart move.

    Fake Firefox: "Introducing the new and improved Firefox 8,optimized for Facebook."

    Here's a fake Firefox upgrade message circulating by email:

    From: Mozilla Firefox [mailto:firefox-update@plrja5f2.fireefox.com]
    Sent: 22 November 2011 05:32
    Subject: Introducing the new and improved Firefox 8,optimized for Facebook. 211.245.104.78

    Facebook recommends the faster Firefox 8.
    Can't see images? View on a mobile device

       
    Facebook recommends that you upgrade to the
    faster and smarter Firefox 8.
           
        Get It Now
       
    Introducing the new and improved Firefox 8, optimized for Facebook

    • Browse faster than the previous version of Firefox.
    • Easily organize and arrange your tabs into groups.
    • Get on-the-go access to your saved Firefox settings across multiple computers.
    • Access the new Facebook features as profile viewers and much more!
    Get your free upgrade now.
    Already upgraded? Thank you.
       
    All your favorite stuff, all in one place. Make Facebook your home.

    Visit Firefox on Facebook  
    Share:   

    Mozilla, Firefox, and the Firefox logo are trademarks or registered trademarks of Mozilla..

    Update Marketing Preferences   |   Privacy Policy   |    Web Beacons in Email

    RefID: sr-12012817


    All the links lead to 68.143.18.186.nw.nuvox.net/mozilla-firefox/plrja5f2 which in turn leads to a malicious executable with only 15/42 vendors detecting it at VirusTotal. The malware then attempts to call home to magesticgamers.com and 46.166.129.230.

    The ThreatExpert report is here, the Comodo report is here.

    Monday, 21 November 2011

    Some work-at-home scams to avoid

    Only a real idiot would send spam to a spamcop.net address. Here is a real idiot:

    From: Rock Cruit Management 3dhgubesch@hochrather.at
    Reply-To: 3dhgubesch@hochrather.at
    date    21 November 2011 18:03
    subject    Rock Zone Management: Your Job Application is Pending
       
    Give the time of day [redacted]


    Thank you for submitting your information for potential employment opportunities.
    We look forward to reviewing your application,
    but can not do so until you complete our internal application.

    The pay range for available positions range from $35.77 per hour to $57.62 per hour.
    Prior to begin able to be considered, you will first need you to formally apply.
    Please go here to begin the process:

    http://widg.me/VocOw

    Also, the following perks are potentially available:

    - Paid Time Off
    - Health Benefits Package
    - Higher than average salaries
    - Tuition Reimbursement
    - Extensive 401(k)program

    Please take the time to follow the directions and complete the entire application process.

    --------------------------------------------------------------------------------

    Best Regards,

    Rock Cruit Management

    In this case, the email originated from 200.74.5.198 in Chile. A second sample was from 31.175.175.182 in Poland.

    Clicking through the "widg.me" shortcut leads to a site called rockcruitmanagement.com which looks like a recruitment site at first glance, but in fact is just an entry doorway to a very dubious work-at-home scheme. The domain is WhoisGuard protected, but there are several other crappy sites also hosted on 216.38.13.210 of a similar theme.

    A tip - if you get a spam email like this, forward it to the web hosts at abuse -at- gigenet.com and perhaps this will be shut down.

    All the sites try to hide their identity, but we can trace them back through their Google Analytics ID of UA-1504952 and AdSense ID of pub-286423930919881 to websitedesignbrisbane.org ("Jetstream Web Design + SEO") in Brisbane, Australia. I haven't been able to trace who is behind this company, and in fact it seems doubtful that there is a company at all.. but still, this seems to be the origin of the spam. The registration details for that domain are:

    Registrant ID:6050DF1BFA437FB2
    Registrant Name:Jetstream Online
    Registrant Organization:Jetstream
    Registrant Street1:4/11 Emperor st
    Registrant Street2:
    Registrant Street3:
    Registrant City:Annerley
    Registrant State/Province:QL
    Registrant Postal Code:4103
    Registrant Country:AU
    Registrant Phone:+61.431714098
    Registrant Phone Ext.:
    Registrant FAX:
    Registrant FAX Ext.:
    Registrant Email:jetstream2@gmail.com


    All the following domains are connected, most are work-at-home or survey sites that are deceptive in their pitch. I would recommend avoiding them.

    123tickets.info
    1insuranceauto.info
    1insurancelife.info
    2airticket.info
    2airtickets.info
    2freejb.info
    2freesw.info
    2insuranceauto.info
    2insurancelife.info
    3insuranceauto.info
    3insurancelife.info
    4insuranceauto.info
    4insurancelife.info
    5insuranceauto.info
    5insurancelife.info
    6insuranceauto.info
    7insuranceauto.info
    adultversionyoutube.com
    air340.info
    air747.info
    aircomp747.info
    airdelta.info
    airfly380.info
    airfly747.info
    auctionsbrisbane.com
    bagsflyfree.info
    bagsflysw.info
    bornmarketer.com
    buyyourhouse.com.au
    claimair380.info
    claimair747.info
    claimairticket.info
    claimfly.info
    claimfly747.info
    claimjetticket.info
    claimprize.org
    claimprizenow.com
    claimprizenow.com
    claimtickets.info
    comp747.info
    dailyhotlocal.com
    dealcomparisons.com
    delta747.info
    deltafly.info
    deltawin.info
    facescams.com
    fastwebs.com.au
    fly380.info
    flybagsfree.info
    flyfreenow.info
    flyfreesw.info
    flyjet747.info
    flysw.info
    flyswtoday.info
    flyticket747.info
    flytickets747.info
    godsofrain.com
    gojb.info
    gojblue.info
    gojetblue.info
    healthcrooks.com
    homesaleconnect.com
    ifly380.info
    ifly747.info
    ilovesw.info
    ispycpv.com
    ispyhq.com
    ispyppv.com
    jb747.info
    jettickets.info
    locallunchbreak.com
    mydoorhandles.com
    myebizprofits.com
    myusgrant.com
    news8daily.info
    news9daily.info
    newsdailyreport.com
    newsdailyreport.info
    officialdeals.info
    officialpromos.info
    officialrooibostea.com
    outsourcing.cm
    perfectposturenow.com
    rockcrownmanagement.com
    rockcruitmanagement.com
    rockcruitmanagement.com
    rockdimemanagement.com
    rockfacemanagement.com
    rockfishmanagement.com
    rockgrademanagement.com
    rockgradereview.com
    rockgrandmanagement.com
    rockgroupmanagement.com
    rockheartmanagement.com
    rockhopemanagement.com
    rockhousemanagement.com
    rockkingmanagement.com
    rockmountmanagement.com
    rockmountreview.com
    rockroundmanagement.com
    rockshiftmanagement.com
    rockshoremanagement.com
    rocksmithmanagement.com
    rocktapmanagement.com
    rocktowermanagement.com
    rockviewmanagement.com
    rockworthmanagement.com
    rockzonemanagement.com
    shippingcontaineraustralia.com
    subwayrocks.info
    swfly.info
    swflyfree.info
    swflyfree.info
    swisgreat.info
    swrocks.info
    termitecontrolbrisbane.com
    ticket747.info
    tickets365.info
    tickets380.info
    tickets747.info
    top3workfromhome.com
    torrent4cash.com
    tpass.info
    tripsreservation.info
    turbopottytraining.info
    turbotoilettraining.com
    utube-com.com
    utubevideoclip.net
    utube-videos.org
    utubevideosite.com
    utubezz.com
    vacationinus.info
    websitedesignbrisbane.org
    windelta.info
    winflyfree.info
    winflytickets.info
    winswfree.info
    winticketsnow.info
    wu-longforlife.com
    zbuyerhomes.com

    Friday, 18 November 2011

    Xvideos.com compromised with abusedfire.com attack and other malware

    UPDATE: as of March 2012, xvideos.com seems to be clean of malware. You can see Google's latest prognosis here.

    UPDATE 2:  an xvideos.com IP has been connected with malware C&C servers, see here.

    Original article follows:


    xvideos.com is one of the most popular sites on the internet. According to Alexa, it is ranked number 51 in the world, making it the second most popular adult site after livejasmin.com (rank 42).

    Although porn and adult sites have a reputation for spreading malware, most of the top-rated sites are actually pretty safe. Xvideos.com is different though, as it apparently has been spreading malware for a while.. but this week seems to have seen a sharp uptick in the number of infections coming from the site.

    The infections appear to use the Blackhole Exploit kit to download the Zeus trojan on the target PC. In all the cases I have seen, a Flash cookie for a site called www.abusedfire.com is present. This site is hosted at 67.228.2.138 (Softlayer, Dallas) in a small block allegedly allocated to:

    network:Class-Name:network
    network:ID:NETBLK-SOFTLAYER.67.228.0.0/20
    network:Auth-Area:67.228.0.0/20
    network:Network-Name:SOFTLAYER-67.228.0.0
    network:IP-Network:67.228.2.136/30
    network:IP-Network-Block:67.228.2.136-67.228.2.139
    network:Organization;I:shanghai Municipality
    network:Street-Address:Rm 309,Xin Wu Building,Guang Zhong Road
    network:City:shanghai
    network:Postal-Code:200072
    network:Country-Code:CN
    network:Tech-Contact;I: sysadmins@softlayer.com
    network:Abuse-Contact;I: abuse@go.com
    network:Admin-Contact;I:IPADM258-ARIN
    network:Created:20071219
    network:Updated:20110509
    network:Updated-By: ipadmin@softlayer.com

    Blocking 67.228.2.136/30 would probably be a good idea.

    The abusedfire.com domain is registered to:

    Barbara Rogers
    Barbara Rogers
    3000 5th St NW
    New Brighton
    MN
    55112
    US
    Phone:         +1.6516334311 
    Email Address: brightonrogers@gmail.com
     
    Another domain being used in malware delivery is safecomputermonitors.info, hosted on 95.211.15.161 (Leaseweb, Netherlands).


    Google's prognosis of xvideos.com is not good.

    Safe Browsing
    Diagnostic page for xvideos.com


    What is the current listing status for xvideos.com?

        This site is not currently listed as suspicious.

        Part of this site was listed for suspicious activity 18 time(s) over the past 90 days.

    What happened when Google visited this site?

        Of the 9325 pages we tested on the site over the past 90 days, 248 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2011-11-17, and the last time suspicious content was found on this site was on 2011-10-23.

        Malicious software includes 14 trojan(s). Successful infection resulted in an average of 5 new process(es) on the target machine.

        Malicious software is hosted on 34 domain(s), including warm-freezer.myftp.info/, cheapbagel.xe.cx/, deadapricot.faqserv.com/.

        4 domain(s) appear to be functioning as intermediaries for distributing malware to visitors of this site, including stats1.in/, loading321.com/, main3.in/.

        This site was hosted on 4 network(s) including AS22822 (LLNW), AS46652 (RCN), AS16265 (LEASEWEB).

    Has this site acted as an intermediary resulting in further distribution of malware?

        Over the past 90 days, xvideos.com appeared to function as an intermediary for the infection of 18 site(s) including pornorama.com/, magicmovies.com/, milfmovs.com/.

    Has this site hosted malware?

        No, this site has not hosted malicious software over the past 90 days.

    248 out of 9325 pages indicates 2.7% of pages are infected with malware - and as the average visitor views 11 pages on xvideos.com (according to Alexa), then there is roughly a 28% chance that an average visitor would be explosed to malware.

    But remember, this isn't just any site.. this site is one of the busiest in the world, pulling in millions of unique visitors per day (estimates for this vary between 4 million to 10 million). Per day. This should be a big deal.. but noise about malware on xvideos.com is about nil.. presumably because people don't like to admit that they have been infected from a porn site.

    As a comparison, I looked at the malware rates for the top 10 adult sites (according to Alexa). They are almost completely clean.

    Site

    Alexa Rank

    Infected pages / total pages

    Infection rate

    Average pages / user

    Malware contact probability

    livejasmin.com

    42

    0/138

    0.0%

    2

    0%

    xvideos.com

    51

    248/9325

    2.7%

    12

    28%

    xhamster.com

    57

    0/273

    0.0%

    9

    0%

    pornhub.com

    74

    0/140

    0.0% 5

    0%

    youporn.com

    85

    3/1206

    0.2%

    7

    2%

    xnxx.com

    113

    1/696

    0.1%

    11

    2%

    tube8.com

    114

    0/89

    0.0%

    5

    0%

    redtube.com

    121

    0/139

    0.0%

    6

    0%

    youjizz.com

    201

    0/776

    0.0%

    6

    0%

    adultfriendfinder.com

    227

    0/10623

    0.0%

    7

    0%


    If you are going to look at the shady side of the web, then it is very important to make sure that your system is fully patched (you can use Secunia OSI to check), and a combination of Firefox + NoScript is very good at locking down your browser (note that this isn't really for novices). Logging in as something other than an administrator can also help to reduce the impact of malware.. and of course a good and up-to-date anti-virus or security package is essential.

    Alternatively, if you enjoy smut.. you may enjoy this Tom Lehrer song from 1965.. [sort of NSFW]:

    Wednesday, 16 November 2011

    More NACHA / ACH / Tax / Payment scam emails

    Following on from yesterday's post, there have been many, many more of these emails with slight variations, presumably ending up with a similar malware infection as before.

    If you get an email like this, do NOT click the link! Simply delete it.. if you have clicked the link then it is just possible that your PC is now infected with sometihhg nasty.

    From: STALEYMARISELA@aol.com
    Date: 16 November 2011 06:08
    Subject: Tax Payment ID 8457924507 is failed.

    Hello,


    Your Federal Tax Payment ID: 9454542999 has been rejected.
    Return Reason Code U68 – The identification number used in the Company Identification Field is not valid.
    Please, check the information and refer to Code R21 to get details about
    your company payment in transaction contacts section:


    http://eftpsgov/U0123063643

    MARISELA STALEY,
    The Electronic Federal Tax Payment System

    ------------------------------

    From: F. K. Gallegos [mailto:Gallegos_1966@nationalbankers.org]
    Sent: 16 November 2011 08:59
    Subject: ACH debit transfer was not accepted by our bank

    Dear Bank Account Owner,

    ACH debit transfer initiated by you or on your behalf was not accepted by our bank.

    Transaction ID: 1707826560727761
    Current status of transaction: declined

    Please review transaction details as soon as possible.

    D. Y. Gallegos
    Treasury Administration


    ------------------------------

    From: Darlene Wong [mailto:Wong_1955@nationalbankers.org]
    Sent: 16 November 2011 05:26
    Subject: Bill Payment was not accepted by BankUnited Express

    Dear Madam / Sir,

    Bill Payment sent by you or on your behalf was not accepted by BankUnited Express.

    Transaction ID: 17072923276
    Current status of transaction: under review

    Please review transaction details as soon as possible.

    Darlene F. Wong
    Treasury Administration


    ------------------------------

    From: Gideon Elkins
    Sent: 16 November 2011 18:03
    Subject: Re: your Direct Deposit payment ID 239660991991

    Attn: Financial Department

    Please be notified, that your latest Direct Deposit transaction
    (Int. No. 239660991991) was declined, due to your current Direct
    Deposit software being out of date. The detailed information
    about this matter is available in the secure section of our web
    site:

    http://peluangusahaonlines.com/57tt9o/index.html

    Please refer to your financial institution to acquire the updated
    version of the software.

    Yours truly,
    Gideon Elkins
    ACH Network Rules Department
    NACHA - The Electronic Payments Association

    13450 Sunrise Valley Drive, Suite 100
    Herndon, VA 20171
    Phone: 703-561-1100 Fax: 703-787-0996

    ------------------------------

    From: Duncan Winkler [mailto:Winkler1939@uba.org]
    Sent: 15 November 2011 17:59
    Subject: Funds Transfer was not accepted by our bank

    Dear bank account holder,

    Funds Transfer created by you or on your behalf was not accepted by our bank.

    Transaction ID: 1701205726906
    Current status of transaction: under review

    Please review transaction details as soon as possible.

    Duncan Winkler
    Customer Support
    Austin County State Bank

    ------------------------------

    From: O. Q. Morrison [mailto:Morrison1940@uba.org]
    Sent: 15 November 2011 12:35
    Subject: ACH payroll payment was not accepted by United Security Bank

    Dear Bank Account Owner,

    ACH payroll payment initiated by you or on your behalf was not accepted by United Security Bank.

    Transaction ID: 17093959546892
    Current status of transaction: declined

    Please review transaction details as soon as possible.

    Gary Morrison
    Accounting Management

    ------------------------------

    Date:      Wed, 16 Nov 2011 11:42:53 +0530
    From:      "Aryanna Collins" YBPAryanna@hotmail.com
    Subject:      Tax Payment ID 3419177910 is failed.

    Good morning,


    Your Federal Tax Payment ID: 9173073387 has been rejected.

    Return Reason Code U78 – The identification number used in the Company Identification Field is not valid.

    Please, check the information and refer to Code R21 to get details about

    your company payment in transaction contacts section:


    http://eftps.gov/U1433600391



    Aryanna Collins,

    The Electronic Federal Tax Payment System

    ------------------------------

    Date:      Wed, 16 Nov 2011 01:05:20 -1100
    From:      "The Electronic Payments Association" alert@nacha.org
    Subject:      ACH payment rejected
    Attachments:     nacha_logo.jpg

    The ACH transaction (ID: 8185663180422), recently initiated from your checking account (by you or any other person), was rejected by the Electronic Payments Association.

    Rejected transfer
    Transaction ID:     8185663180422
    Reason for rejection     See details in the report below
    Transaction Report     report_8185663180422.doc (Microsoft Word Document)

    13450 Sunrise Valley Drive, Suite 100

    Herndon, VA 20171

    2011 NACHA - The Electronic Payments Association

    ------------------------------

    Date:      Wed, 16 Nov 2011 12:52:10 +0100
    From:      Bettye_Mcknight@irs.gov
    Subject:      Rejected Federal Tax transfer

    Your Tax transaction (ID: 971900616898), recently initiated from your bank account was rejected by the your financial institution.

    Canceled Tax transaction
    Tax Transaction ID:     971900616898
    Reason for rejection     See details in the report below
    FederalTax Transaction Report     tax_report_971900616898.pdf (Adobe Acrobat Reader Document)




    To e-file your 2010 tax return or other electronic forms, you must verify your identity with your Self-Select PIN or Adjusted Gross Income from your 2009 tax return. If you don't have this information from your 2009 tax return, you can request an Electronic Filing PIN�it's as easy as 1-2-3!


    Internal Revenue Service, Metro Plex 1, 8401 Corporate Drive, Suite 300, Landover, MD 20785

    ------------------------------

    Date:      Wed, 16 Nov 2011 12:09:36 +0100
    From:      "The Electronic Payments Association" risk_manager@nacha.org
    Subject:      Your ACH transaction
    Attachments:     nacha_logo.jpg

    The ACH transfer (ID: 516582351138), recently initiated from your bank account (by you or any other person), was canceled by the other financial institution.

    Rejected transaction
    Transaction ID:     516582351138
    Reason of rejection     See details in the report below
    Transaction Report     report_516582351138.doc (Microsoft Word Document)

    13450 Sunrise Valley Drive, Suite 100

    Herndon, VA 20171

    2011 NACHA - The Electronic Payments Association

    ------------------------------

    Date:      Wed, 16 Nov 2011 06:11:50 -0300
    From:      Helga_Springer@irs.gov
    Subject:      Federal Tax payment rejected

    Your federal Tax transaction (ID: 384736455888), recently from your bank account was rejected by the your Bank.

    Canceled Tax transfer
    Tax Transaction ID:     384736455888
    Reason of rejection     See details in the report below
    FederalTax Transaction Report     tax_report_384736455888.pdf (Adobe Acrobat Reader Document)

    ďż˝

    ďż˝
    Important Information for Home-care Service Recipients

    If you are a home-care service recipient who has a previously assigned EIN either as a sole proprietor or as a household employer, do not apply for a new EIN. Use the EIN previously provided. If you can not locate your EIN for any reason, follow the instructions on the Misplaced Your EIN? Web page.

    If you are a home-care service recipient who does not have an EIN, do not use the online application to apply for one. You must apply for your EIN using one of the other methods (phone, fax or mail). For additional information, visit the How to Apply for an EIN Web page.


    Internal Revenue Service, Metro Plex 1, 8401 Corporate Drive, Suite 300, Landover, MD 20785

    ------------------------------

    Date:      Wed, 16 Nov 2011 13:25:11 +0700
    From:      Marylou Friedman Friedman_1948@icba.org
    Subject:      Wire Transfer was hold by National Bank of California

    Dear Account Owner,

    Wire Transfer created by you or on your behalf was hold by National Bank of California.

    Transaction ID: 17017200231113028
    Current status of transaction: on hold

    Please review transaction details as soon as possible.

    Marylou S. Friedman
    Customer Support
    National Bank of California

    ------------------------------

    Date:      Tue, 15 Nov 2011 12:01:16 +0000
    From:      "Yuridia KIRKLAND"
    Subject:      Fwd: Wire Transfer Confirmation (FED_REFERENCE_6232TI676)

    Dear Bank Account Operator,

    I regret to inform you that Wire transfer initiated by you or on your behalf was hold by us.



    Transaction: 2342937901002077

    Current transaction status: Pending



    Please review transaction details as soon as possible.

    ------------------------------

    Date:      Tue, 15 Nov 2011 07:56:46 -0800
    Subject:      Fwd: Wire Transfer Confirmation (FED 23160LI34)

    Dear Bank Account Operator,

    I regret to inform you that Wire transfer initiated by you or on your behalf was hold by us.



    Transaction: 408332756171192

    Current transaction status: Pending



    Please review transaction details as soon as possible.

    ------------------------------

    Date:      Wed, 16 Nov 2011 01:13:56 +0900
    From:      "New York State Police" noreply-401212008@nyc.gov
    Subject:      UNIFORM TRAFFIC TICKET (ID: 622969718)

    New York State ? Department of Motor Vehicles

    UNIFORM TRAFFIC TICKET
    POLICE AGENCY
    NEW YORK STATE POLICE



    Local Police Code



    THE PERSON DESCRIBED ABOVE IS CHARGED AS FOLLOWS




    Time: 7:17 AM

    Date of Offense: 04/10/2011



    IN VIOLATION OF

    NYS V AND T LAW Description of Violation:

    SPEED OVER 55 ZONE

    TO PLEAD, PRINT CLICK HERE AND FILL OUT THE FORM

    ------------------------------

    Date:      Tue, 15 Nov 2011 11:22:33 -0500
    From:      information@direct.nacha.org
    Subject:      Your Direct Deposit payment via ACH was declined

    Attn: Financial Manager

    We regret to notify you,
    that your latest Direct Deposit via ACH payment (ID141672824371) was cancelled,
    because your current Direct Deposit software version was out of date.

    Please use the link below to enter the secure section of our web site and see the details::

    www.nacha.org/download/report09809878.pdf

    Please apply to your financial institution to get your updated version of the software needed.

    Kind regards,

    ------------------------------

    Date:      Tue, 15 Nov 2011 20:26:57 +0530
    From:      info@direct.nacha.org
    Subject:      Direct Deposit payment was rejected

    Dear Sirs,

    Herewith we are notifying you,
    that your most recent Direct Deposit payment (No.378745855247) was cancelled,
    because your current Direct Deposit software version was out of date.

    Please visit the secure section of our web site to see the details:

    www.nacha.org/download/report09809878.pdf

    Please apply to your financial institution to get the necessary updates of the Direct Deposit software.

    Yours faithfully,

    ------------------------------

    Date:      Tue, 15 Nov 2011 05:48:07 -0800
    From:      "Abdul N . Moser" Moser1940@vabankers.org
    Subject:      ACH payroll payment was not accepted by us

    Dear Sir/Madam,

    I regret to inform you that ACH payroll payment sent by you or on your behalf was not accepted by us.

    Transaction ID: 1704692033837
    Current status of transaction: pending

    Please review transaction details as soon as possible.

    Abdul Moser
    Accounting Management
    First SAvings Bank of Hegewisch


    ------------------------------

    Date:      Tue, 15 Nov 2011 16:00:55 +0300
    From:      forgery16@uncw.edu
    Subject:      ACH payment canceled

    The ACH transfer (ID: 3323817008922), recently initiated from your checking account (by you or any other person), was canceled by the Electronic Payments Association.

    Rejected transaction
    Transaction ID:     3323817008922
    Reason for rejection     See details in the report below
    Transaction Report     report_3323817008922.doc (Microsoft Word Document)

    About NACHA
    By 1978, it was possible for two financial institutions located anywhere in the United States to exchange ACH payments under a common set of rules and procedures. By 1988, the number of ACH payments exceeded 1 billion annually. By 2001, the volume of ACH payments grew by more than 1 billion in a single year.
    To help guide advocacy and related communication activities, NACHA established a Communications and Marketing Advisory Group (CMAG) in early 2010. CMAG brings together practitioners representing ACH Network participants to engage in work efforts to benefit the Network and those who utilize it.

    13450 Sunrise Valley Drive, Suite 100

    Herndon, VA 20171

    2011 NACHA - The Electronic Payments Association

    Monday, 14 November 2011

    NACHA / Wire Transfer malicious emails

    I'm not sure if these three incidents are all related or are just using the same approach, but here goes.

    Date:      Mon, 14 Nov 2011 17:53:54 +0100
    Subject:      Disallowed Direct Deposit payment

    Dear Sirs,

    Herewith we are notifying you, that your latest Direct Deposit transaction (No. 60795715105) was disallowed, because of your business software package being out of date. The detailed information about this matter is available in the secure section of our web site:

    hxxp://astola.com.au/93oj63/index.html

    Please apply to your financial institution to obtain the new version of the software.

    Kind regards,
    Sidney Gross
    ACH Network Rules Department
    NACHA - The Electronic Payments Association

    13450 Sunrise Valley Drive, Suite 100
    Herndon, VA 20171
    Phone: 703-561-1100 Fax: 703-787-0996

    and then

    Date:      Mon, 14 Nov 2011 02:42:02 +0530
    From:      accounting@victimdomain.com
    Subject:      Fwd: Wire Transfer Confirmation (FED 5697WN59)

    Dear Bank Account Operator,

    I regret to inform you that Wire transfer initiated by you or on your behalf was hold by us.

    Transaction ID: 85802292158295165

    Current status of transaction: under review

    Please review transaction details as soon as possible.

    Bernadette Dickinson
    Payments Administration

    and finally

    Date:      Mon, 14 Nov 2011 10:56:29 +0530
    From:      "HARMONY URBAN" support@federalreserve.gov
    Subject:      Your Wire Transfer

    Good day,

    Account: Business Account XXX

    Amount: $ 93,056.63

    Wire Transfer Report: View

    The wire transfer will be processed within 2 hours.

    Please make sure that everything is as you requested.

    HARMONY URBAN,
    Federal Reserve Wire Network 

    The first spam leads to a hacked site in Australia (there are probably many others). In turn, this tries to load four scripts to install malware though an HCP attack (Wepawet report here). The scripts are:

    lallygag.com/js.js
    www.miracleshappenrr.com/images/js.js
    kyare.net/js.js
    allmemoryram.com/js.js

    In all cases, those scripts appear to be on legitimate (but hacked) websites. The final step for that attack is to try to install a malicious Java application from colobird.com/content/import.jar - a domain that is hosted on 216.250.120.100 but one that was only registered very recently.


    The second and third emails take a different approach, loading a page at www.btredret.ru/main.php hosted on 93.187.142.38 (S.C. Profisol Telecom S.R.L., Romania). This attemps a Java exploit (Wepawet report here). This IP is part of a small netblock of 93.187.142.32 - 93.187.142.63 (93.187.142.32/27) and can probably safely be blocked, or you could just block the whole /24 if you wanted,

    This is an old approach that has been doing the rounds for two years. It must still work though..