Sponsored by..

Sunday, 29 January 2012

Fake jobs: euro@ultraups.com

The "Lapatasker" money mule recruiters have been fairly quiet for a while, but here is a new one:

From:  Barrmanager@pacbell.net maurogonzal22@gmail.com
Date: 28 January 2012 01:39
Subject: Parttime Job

Compliments

I am the personnel department manager and I am appealing to you in the name of the large-scale and first-rate partnership.

Our company is met in many departments, such as:
- property
- bank account operations
- transportation and logistics
- private enterprise service
- etc.

We need a person to fill the vacancy of a regional manager in Europe:
- salary 2.600 euro + bonus
- 2 - 3 working hours per day
- individual time-table


If our offer is interesting for you email us the required information:
e u r o @ u l t r a u p s . c o m (Please Delete Spaces In Email Address Before Mailing Us)
Full name:
Country:
City
E-mail:
Contact phone number:



Attention! We need just the people residing in EU.

Please, write your Telephone Number and our manager will contact with you and answer all your questions. 

The "jobs" offered are illegal activities such as money laundering, so signing up to them could land you in serious trouble with law enforcement and seriously out of pocket.

The domain was registered a while ago, probably with fake registrant details:
    Alexis Putt
    Email: alexisputt@yahoo.co.uk
    Organization: Alexis Putt
    Address: St Katharine's Way 12
    City: London
    State: London
    ZIP: E1W 1DD
    Country: GB
    Phone: +44.0113343341

If you have any more example emails, please consider sharing them in the comments.

Friday, 27 January 2012

Oh yeah..


..chicka chickaaah!

"INTUIT INC" malicious spam and {int_link} fail

A new version of a familiar spam that is meant to have a malicious payload:

Date:      Thu, 25 Jan 2012 20:43:03 +0100
From:      "INTUIT INC." [onlinebanking@ealerts.bankofamerica.com]
Subject:      Your tax information needs verification.

Dear Sir/Madam,

In our continuing effort to assure that exact information is being kept up on our systems, as well as to provide you better quality of service; INTUIT INC. has taken part in the Internal Revenue Service [IRS] Name and TIN Matching Program.

We have found out, that your name and/or Employer Identification Number, that is indicated on your account is different from the information on file with the IRS.

In order to check and update your account, please enter the secure section.

Yours sincerely,
INTUIT INC.

Corporate Headquarters
2632 Marine Way
Mountain View, CA 94043

OK, the sharp eyed amongst you will have noticd that "INTUIT" and "bankofamerica.com" are two different entities. What you can't see is that the moron spammer has sent out all the links pointing to just http://{int_link}/ rather than remembering to include the spam URL. No doubt the next version of this will have a malicious payload, so take care.

Thursday, 26 January 2012

Some malware sites to block 26/1/12

Some more malware sites to block, being used in current spam runs to distribute the blackhole exploit kit. Block the domains and IPs if you can.

Eonix, Canada
173.213.93.203
clostescape.com

Zerigo, US
173.248.190.37
chilleloot.com

Colo4Dallas, US
174.136.0.87
chillegraph.com
chilleline.com

Ixvar, Canada
174.142.247.164
clostery.com

Hostforweb, US
205.234.187.6
sulusient.com

Networld Internet, US
207.210.96.45
clostehold.com
72.249.126.223
chillemap.com

Confluence Networks, BVI
208.91.197.27 (parked)
closteyard.com

Endurance International, US
209.59.220.57
closteland.com
closterange.com
209.59.220.65
sulusity.com
209.59.220.202
chillency.com
209.59.221.158
closteation.com

Nuclear Fallout Enterprises, US
66.150.164.192
chilletect.com
74.91.119.202
sulusality.com

Linode, US
69.164.199.231
chillepay.com
96.126.96.123
chillechart.com
96.126.102.252
sulusium.com

Not resolving
chillebucks.com
chillecash.com
chillefunds.com
chillestruct.com
sulusius.com
sulusize.com

NACHA Spam / chillechart.com and chillepay.com

More fake NACHA spam leading to malware, this time the malicious payload is at chillechart.com on 96.126.96.123 (Linode, New Jersey).

Date:      Thu, 25 Jan 2012 10:40:06 +0100
From:      "alerts@nacha.org" [alerts@nacha.org]
Subject:      Your pending ACH debit transfer

Dear Account Holder,

This message includes an important notice about the ACH debit transfer sent on your behalf, that was detained by our bank:
Transaction #:    766253676295142
Transaction status:    pending

In order to resolve this matter, we prompt you to check the details of your transaction using the link below.

Faithfully yours,
Stephanie Barrera
Accounting Department

This follows the same pattern we have seen over the past few days. A Wepawet report for the malicious page is here. Blocking the IP address rather than the domain should block any other malicious sites on the server.

Update:  chillepay.com is also being used in this spam run, hosted on 69.164.199.231 (also Linode)

Wednesday, 25 January 2012

Lazy BBB / "ACH transfer pending" spam, chillestruct.com and closteation.com

Here's a lazy spam about an "ACH transfer" that appears to come from the BBB, because the spammers have mixed up the campaigns.

Date:      Wed, 24 Jan 2012 13:31:58 +0100
From:      "manager@bbb.org" [manager@bbb.org]
Subject:      ACH transfer pending

Dear Sir or Madam,

This message includes a notification about the ACH debit transfer sent on your behalf, that was held by our bank:

Transaction ID: 471209863177939
Transaction status: pending

In order to resolve this matter, please review the transaction details using the link below as soon as possible.

Yours faithfully,
Kathy Quirk
Accounting Department

The link in the spam routes through a couple of hacked sites to a malicious payload at chillestruct.com on 173.248.190.37 (Zerigo Inc, California) and closteation.com on 209.59.221.158 (Endurance International, Massachusetts). Wepawet reports are here and here.

Blocking the IPs will prevent any other malicious sites on those servers from causing problems.

Tuesday, 24 January 2012

BBB Spam / chillebucks.com, sulusize.com and sulusity.com

More fake BBB spam leading to a malicious payload, this time hosted on the domain sulusize.com on 174.136.4.211 (Colo4, US). The server appears to be a legitimate hacked server, but blocking traffic to that IP is probably a wise idea if you can do it.

Some sample emails (the usual fake BBB approach):

Date:      Tue, 23 Jan 2012 11:51:58 +0100
From:      "BBB" [info@bbb.org]
Subject:      Better Business Bureau service
Attachments:     betterbb_logo.jpg

Attn: Owner/Manager

Here with the Better Business Bureau would like to inform you that we have received a complaint (ID 23387543) from your customer with respect to their dealership with you.

Please open the COMPLAINT REPORT below to find the details on this question and suggest us about your position as soon as possible.

We hope to hear from you very soon.

Sincerely,

Rebecca Wilcox

Dispute Counselor
Better Business Bureau


Council of Better Business Bureaus
4200 Wilson Blvd, Suite 800
Arlington, VA 22203-1838
Phone: 1 (703) 276.0100
Fax: 1 (703) 525.8277

==============

Date:      Tue, 23 Jan 2012 12:16:00 +0100
From:      "Better Business Bureau" [risk.manager@bbb.org]
Subject:      Re: your customer�s complaint ID 83031311
Attachments:     betterbb_logo.jpg

Hello,

Here with the Better Business Bureau notifies you that we have received a complaint (ID 83031311) from one of your customers in regard to their dealership with you.

Please open the COMPLAINT REPORT below to obtain the details on this question and suggest us about your point of view as soon as possible.

We hope to hear from you very soon.

Regards,

Fernando Grodhaus

Dispute Counselor
Better Business Bureau

The malware tries to download further code from sulusity.com on 209.59.220.65 (Endurance International Group, US).. another one to block. A Wepawet analysis is here.

Update #1:  another version is doing the rounds with the initial malware hosted on chillebucks.com (69.163.37.22, Bula Networks California).

Update #2: The Wepawet analysis indicates that this might do something with the user's Facebook account as well as the usual malware payload.

Monday, 23 January 2012

Virus: "I'm in trouble!" spam (again)

This is an email with a link leading to malware. We've seen this pitch before:

Subject: Re: I'm in trouble!

I was at a party yesterday, got drunk, couldn't drive the car, somebody gave me a lift on my car, and crossed on the red light!
I've just got the pictures, maybe you know him???
Here is the photo

I need to find him urgently!

Thank you
Belita
The link goes to a legitimate hacked site, then to a multihomed .ru site on the following IPs:
  125.214.74.8
  129.67.100.11
  173.201.187.225
  173.230.137.129
  173.255.229.33
  174.122.121.154
  209.59.222.145
  211.44.250.173
  213.193.231.210
  24.37.34.163
  46.105.28.61
  50.57.77.119
  50.57.118.247
  74.208.205.185
  78.47.135.105
  78.129.233.8
  80.90.199.196
  81.31.43.43
  82.165.197.58
  83.170.91.152
  84.246.210.87
  85.214.204.32
  87.106.201.119
  93.189.88.198
  97.74.87.3

This is pretty much the same IP list as seen last week (new IPs highlighted). It's unclear at the moment which domains are on the  IPs (though there are some Redret domains here), so blocking the addresses is the safest bet.

Tylers Coffees (tylerscoffees.com) tastes of spam

Here's an annoying spam I have been getting lately:

From:      "Coffee News" [news.coffee@yahoo.com]
Subject:      Check out this coffee

       
Acid Free Coffee
A little cup of java can mean a big problem for stomachs. Acid levels in coffee, as well as impurities and resins, may wreak havoc on the digestive tract. Our customers with sensitive stomachs are relieved to learn that they can still continue enjoying a great cup of coffee whenever they want.

Benefits of an acid free coffee are tooth enamel is protected and teeth are stronger leading to fewer cavities.
    for $5
      
Where it Comes From


The Finest hand-picked Arabica beans are shipped from South America to our roasting factory in Arizona.We use Swiss Water Based Process to decaffeinate our Arabica coffee beans
Read more
How We Make It
       
We use a “Z-Roasting” process that optimizes the time the coffee beans are cooked; the result is high levels of caffeine and free of acid. Benefits of an acid free coffee are tooth enamel is protected and teeth are stronger leading to fewer cavities.
Read more
Regular vs. Decaf
       
Regular: Rockets you forward with level of caffeine that exceeds most other coffee brands.

Decaf: Same great taste as the regular coffee minus the rocket energy, so that you can finally take that sleep you deserve.

Either way - you will LOVE IT !!

Read more

If you want us to take you off our mailing list, please click on the link below
Not interested anymore? Unsubscribe here.

I've seen this several times, to begin with they were trying to use tinyurl.com to mask their URL, but they're pretty good at terminating spammers.

Subsequent runs use the domain justcoffee-noacid.com in the emails. Although the domain has anonymous WHOIS details, it's notable that the spammer is using Piradius Net, a black hat web host from Malaysia as a host. We've seen these guys before.

justcoffee-noacid.com has a miminal amount of content, and depending on which link you click through, you either get redirected to tylerscoffees.com or you get a spammy page tempting you to click through.

In all cases the spam comes through 118.123.6.123  in China.

tylerscoffees.com is a website belonging to Tylers Coffee, a firm in Arizona.

The domain is registered to:

      ornsteins, ian  ian@innovativeformulations.com
      1810 s 6th ave
      tucson, Arizona 85713
      United States
      (520) 628-1553      Fax -- (520) 628-1580

The company seems to be legitimate (although personally I have doubts about their claims over "acidic coffee"), but it looks like someone has decided to try some web site promotion without fully checking what was being done. Spamming out from China via a black hat host in Malaysia is one very easy way to damage your brand..

Friday, 20 January 2012

0catch.com and malicious BBB spam

We're currently seeing a spate of malicious BBB spam (like this) being routed through free web hosting sites operated by 0catch.com.

A simple way of blocking this attack is to block the 0catch.com domains. I've never found anything really valuable hosted by this firm, so you probably won't be missing much.

These are all the domains that I can find, if you know of any others then please consider sharing them in the comments:

00freehost.com
00freeweb.com
012webpages.com
0catch.com
0-catch.com
100freemb.com
100megsfree5.com
150m.com
1freewebspace.com
1sweethost.com
741.com
angelcities.com
arcadepages.com
bigheadhosting.net
builtfree.org
designcarthosting.com
digitalzones.com
dreamstation.com
easyfreehosting.com
envy.nu
exactpages.com
ez-sites.ws
fcpages.com
freecities.com
freehostyou.com
freesite.org
freewaywebhost.com
freewebpages.org
freewebportal.com
freewebsitehosting.com
fw.bz
greatnow.com
instantwebgenius.com
just-allen.com
justicewasgreen.com
maddsites.com
megz-bytes.com
mindnmagick.com
o-f.com
parknhost.com
reco.ws
servetown.com
usafreespace.com
virtue.nu
website-home.ws
wtcsites.com

Thursday, 19 January 2012

Wire transfer malicious spam / monikabestolucci.ru:8801 and 78.159.118.226

More malicious spam doing the rounds, but this time it's more complicated than before.

From: accounting@victimdomain.com [mailto:accounting@victimdomain.com]
Sent: 18 January 2012 02:14
Subject: Re: Wire Transfer Confirmation (FED_93711S15719)

Dear Bank Account Operator,
WIRE TRANSACTION: FWD-7563133392175652
CURRENT STATUS: PENDING

Please Review your transaction as soon as possible.

The link goes to a legitimate hacked site containing some heavily obfuscated javascript, in turn this points to monikabestolucci.ru:8801 and then downloads further code from 78.159.118.226/forum/hp.php?i=8 (Netdirect, Germany) - the Wepawet report is here, there also an Anubis report on the binary here.

monikabestolucci.ru is massively multihomed (a raw list is at the end of the post) presumably on legitimate hacked servers.

24.37.34.163 (Videotron, Canada)
46.105.28.61 (OVH Systems, Italy)
50.57.77.119 (Slicehost, Texas)
50.57.118.247 (Slicehost, Texas)
74.207.248.120 (Linode, New Jersey)
74.208.205.185 (1&1, US)
78.47.122.11 (Hetzner, Germany)
80.90.199.196 (Webfusion, UK)
81.31.43.43 (Master Internet, Czech Republic)
82.165.197.58 (1&1, Germany)
83.170.91.152 (UK2.NET, UK)
84.246.210.87 (Infortelecom, Spain)
88.191.97.108 (Dedibox SAS, France)
97.74.87.3 (GoDaddy, Arizona)
124.11.65.210 (TFN, Taiwan)
125.214.74.8 (Web24, Australia)
129.67.100.11 (Oxford University, UK)
173.201.187.225 (GoDaddy, Arizona)
173.230.137.129 (Linode, Florida)
173.255.229.33 (Linode, New Jersey)
174.122.121.154 (ThePlanet, Texas)
209.59.222.145 (Endurance International, Massachusetts)
211.44.250.173 (SK Broadband, Korea)

Blocking these IPs might be a pain, but it would block any other malicious sites on the same servers.

Raw list:
24.37.34.163
46.105.28.61
50.57.77.119
50.57.118.247
74.207.248.120
74.208.205.185
78.47.122.11
80.90.199.196
81.31.43.43
82.165.197.58
83.170.91.152
84.246.210.87
88.191.97.108
97.74.87.3
124.11.65.210
125.214.74.8
129.67.100.11
173.201.187.225
173.230.137.129
173.255.229.33
174.122.121.154
209.59.222.145
211.44.250.173

BBB Spam / freecities.com and 78.129.132.82

A couple of BBB spams, both leading to malware on different domains on the same IP of 78.129.132.82 (Rapidswitch / Iomart Hosting, UK).

Example 1:

Date:      Thu, 18 Jan 2012 10:24:33 +0000
From:      "Better Business Bureau"
Subject:      Urgent information from BBB
Attachments:     betterbb_logo.jpg

Attn: Owner/Manager

Here with the Better Business Bureau notifies you that we have received a complaint (ID 38423165) from one of your customers with respect to their dealership with you.

Please open the COMPLAINT REPORT below to obtain more information on this matter and let us know of your point of view as soon as possible.

We are looking forward to your prompt reply.

Regards,

Theresa Morris

Dispute Counselor
Better Business Bureau


Council of Better Business Bureaus
4200 Wilson Blvd, Suite 800
Arlington, VA 22203-1838
Phone: 1 (703) 276.0100
Fax: 1 (703) 525.8277

Example 2:

Date:      Thu, 18 Jan 2012 11:27:55 +0100
From:      "Better Business Bureau"
Subject:      BBB complaint report
Attachments:     betterbb_logo.jpg

Hello,

Here with the Better Business Bureau would like to notify you that we have received a complaint (ID 52266668) from a customer of yours related to their dealership with you.

Please open the COMPLAINT REPORT below to find more information on this issue and let us know of your point of view as soon as possible.

We hope to hear from you very soon.

Sincerely,

Arnold Melendez

Dispute Counselor
Better Business Bureau


Council of Better Business Bureaus
4200 Wilson Blvd, Suite 800
Arlington, VA 22203-1838
Phone: 1 (703) 276.0100
Fax: 1 (703) 525.8277

In these two examples, the malicious payload is on wihdshop.net/main.php?page=c61c8ae4358e765e and ionsclinics.net/main.php?page=4875f07aa6fe472a (Wepawet report is here) , reached through a page on a freecities.com web site (apparently part of 0catch.com). You could consider blocking access to the entire freecities.com domain, but you should certainly block 78.129.132.82 if you can.

These other domains are hosted on 78.129.132.82 and are probably malicious:

0riginalcheck.net
ambasadorka.com
centerjobdepart.com
comparmory.org
digitalarmory.net
gitadocs.com
gitafiles.com
ionsclinics.net
lifesdigi.org
marketjob.net
nextddefence.com
originalsyst.org
ourdefence.net
stafffire.net
stub-search.net
systemdwall.com
theyardesale.com
wihdshop.net
yourdefse.com


Update:  angelcities.com is also being used as an intermediate infection step, also part of 0catch.com. It looks like the intermediate sites might be freshly created, there is no indication that 0catch.com sites have been breached.

Wednesday, 18 January 2012

Something evil on 95.211.115.228 and 46.249.37.22.

A set of malicious sites, linked to the Redret gang, hosted on 95.211.115.228 (Leaseweb, Netherlands). Blocking the IP rather than the individual domains will also protect against other malicious sites on the same server.

child-re-ninth-ebusiness.com
childregardingninthebusiness.com
childreninthebusiness.com
childsubjectninthcompany.com
childsubjectninthebiz.com
childsubjectninthebusiness.com
custom-t-shirtsfromhansen.com
extentthahansen.com
freeholidaynew.com
hirtsfromhansen.com
holidaygreat.com
holidaynewsite.com
myholidaynew.com
range-the-hansen.com


Another server in this same network is 46.249.37.22 (Serverius Holding, Netherlands)

1o345.info
1op45.info
2012-my-happy.com
2012myownhappy.com
543oh.info
54mo1.info
54po1.info
akvitea.com
alurbrilance.com
arowipes.com
avangeit.com
bitcast.in
bitcube.in
bitechnica.in
bitfire.in
bitware.in
bitwire.in
businessnfamily.com
companynfamily.com
companynpeople.com
customtshirtsfromhansen.com
domtrixsov.com
drinki.in
familycommercial.com
freeautomag.info
funnytshirtsfromhansen.com
glad-year.com
globaltracking02234.info
great-happy.com
happy-period.com
happy-term.com
happychock.biz
happytwelvemonths.com
ho345.info
iflos.com
ivairiu.com
joyful-year.com
jsijdewhg.com
kalalog-testov.com
latest-happy.com
makdacs00.com
makiajdleavseh.com
merry-year.com
modern-happy.com
muravied222.com
odnonoshnicy.com
plsk3mme.com
q234.info
s00n.in
safe-t-shirtsfromhansen.com
safetshirtsfromhansen.com
serdjuchka.biz
stop-prysham.com
timetracking02234.info
uskoriteliinterneta.biz
xxxtubedirty.com


The third server in the group is 203.170.193.102, which has already been identified here.

doofyonmycolg.ru / coolwebzuzuzu.ru now on 203.170.193.102

The malicious domains doofyonmycolg.ru and coolwebzuzuzu.ru have now shifted IPs since yesterday. The new address is 203.170.193.102 (IDC Cyberworld, Thailand). This server also hosts two "Redret" domains, also as identified yesterday, so these malicious emails are presumably from the same crew.

The following domains appear to be hosted on 203.170.193.102, all of which appear to be malicious in some way:

1god.in
aerostrips.com
arrayhansen.com
available78.de.ms
backozifice.net
betbits.com
boeingmiles.com
ccredret.ru
chronvofu.dlinkddns.com
ckredret.ru
collection-hansen.com
companyandfamily.com
ease.breastedchestedboobiestits.com
familyownedcompany.com
family-ownedcompany.com
filkso.in
freemmsservice.com
freetracking02234.info
greatglad.com
krasivayfigura.com
latestglad.com
libraryhansen.com
lkskjje43d.com
mc-3.in
metropannolike.in
mobiletracking02234.info
myskyinfo.in
oeit.in
olanuc.dlinkddns.com
onlinetelephonika.info
orfasde.dlinkddns.com
p38-adsrv.nl.ai
p66-adservices.nl.ai
pedastera.cu.cc
portfoliohansen.com
rifalogs.com
saldo7.us
schenledi.dlinkddns.com
seifancold.dlinkddns.com
sgsk43tgsdlflfbcbg.uni.me
skyinfo.in
tanildirtystories.com
tshirtsfromhansen.com
usaloaosns.com
zadpol.cu.cc
zareqah.cu.cc
zverovod.in

Scam sites to block on 209.25.137.196

Here's a site of very professional looking scam sites, incuding fake investment firms and escrow companies. Most of these have been registered over the past few weeks with anonymous details.

atlasconsultancyltd.com
bfsauthority.org
bltradinggrp.com
chicagobgllc.com
crawfordcapitalpartners.com
fidelitycorporategroup.com
grenfellassociates.com
johnsonsterlingconsultancy.com
knowltonadvisors.com
mediatransfersltd.com
millerconsultancyservices.com
morganpremiergrp.com
notanordinarysite.com
peregrineintlgroup.com
scmrcom.org
sftcommission.org
tatecarverconsultancy.com
toddwhitefinancial.com
warrenfisherassociates.com
wellsconsultancy.com
winchesterconsultancygrp.com


also hosted on the same server:
mentemptation.com
webhostingbreaker.com

Some of the trading names used by these scammers (some may be similar to legitimate companies):
  • Atlas Consultancy
  • Brussels Financial Supervisory Authority
  • BL Trading Group
  • Chicago Business Group LLC
  • Crawford Capital Partners
  • Fidelity Corporate Group
  • Grenfell and Blackrock Associates
  • Johnson Sterling Consultancy
  • Knowlton Group
  • Media Transfers Limited
  • Miller Counsulting Group
  • Morgan Premier Group
  • Peregrine International Group
  • Swiss Commodity Market Regulatory Commission
  • Swiss Financial Trading Commission
  • Tate and Carver Consultancy Group
  • Todd and White Financial Marketing Services
  • Warren Fisher and Associates
  • Wells Capital Management
  • Winchester Consultancy Group
Do not be fooled by how good the sites look.. they are very, very convincing. Here is are some examples:



The sites are all hosted on 209.25.137.196 which looks like a rented server from LiquidNet, Florida. Also hosted on the same server is webhostingbreaker.com (possibly based in the Philippines) which might be the black hat reseller involved.

Part of this network was fingered a few weeks ago here, and it still appears to be active. Avoid at all costs.

How to access Wikipedia during the blackout

Wikipedia is blacked out because of a protest about SOPA. But what happens if you really, really need Wikipedia?

The good news is that you can still access it on your smartphone, or by accessing the mobile site directly. You can also temporarily by disabling Javascript in your browser when visiting the site (specifically blocking scripts from bits.wikimedia.org). Using Firefox + NoScript is an easy way to do this.

The Wikimedia foundation have a technical description of how the blackout is implemented here.

Added: the stylesheet itself appears to be at http://bits.wikimedia.org/en.wikipedia.org/load.php?debug=false&lang=en&modules=site&only=styles&skin=vector&*  so blocking that temporarily might help.

If you are managing a large number of users who need access, you can block access to bits.wikimedia.org/en.wikipedia.org/ which will allow access to content but screws up the layout.

Tuesday, 17 January 2012

Scan from a Xerox W. Pro spam / coolwebzuzuzu.ru

Another malicious spam, this time leading to an exploit page on coolwebzuzuzu.ru/main.php.

Date:      Tue, 16 Jan 2012 02:50:00 +0000
From:      officejet@victimdomain.com
Subject:      Fwd: Fwd: Scan from a Xerox W. Pro #9522304

A Document was sent to you using a XEROX OFFICE N220337423.

SENT BY: LAURA
IMAGES : 6
FORMAT (.JPG) DOWNLOAD

DEVICE: PD55695SK7AO559107L

coolwebzuzuzu.ru is hosted on 66.225.237.222, HostForWeb in Chicago. There is another malware site on an adjacent IP. You might want to block both IPs or even the whole /24 to be on the safe side.

UPS Spam / doofyonmycolg.ru

This UPS (or is it USPS?) spam is attempting to direct visitors to a malicious web page at doofyonmycolg.ru/main.php. This looks like a variant of the Redret campaign we have seen recently.

Date:      Tue, 16 Jan 2012 02:16:45 -0300
From:      "UPS TEAM 121" [support.350@ups.com]
Subject:      UPS Tracking Number H4825887305

Your USPS .US for big savings!     Can't see images? CLICK HERE.   
UPS UPS TEAM 477   
UPS - UPS MANAGER 559 >>
  
Not Ready to Open an Account?   
      
    The UPS Store® can help with full service packing and shipping.  
    Learn More >>  
  
UPS - Your UPS Customer Services

DEAR, victim@victimdomain.com.

DEAR CLIENT , Delivery Confirmation: Failed

Track your Shipment now!

With best regards , Your UPS Services.
  
                      
Shipping         Tracking         Calculate Time & Cost         Open an Account
                      
@ 2011 United Parcel Service of America, Inc. USPS CUSTOMER SERVICES, the UPS brandmark, and the color brown are

trademarks of United Parcel Service of America, Inc. All rights reserved.


This is a marketing e-mail for UPS services. Click here to update your e-mail preferences or to unsubscribe to

Your USPS .US marketing e-mail. For information on UPS's privacy practices, please refer to UPS Privacy Policy.

Your USPS .US, 1 Glenlake Parkway, NE - Atlanta, GA 30331

Attn: Customer Communications Department 

doofyonmycolg.ru is hosted on 66.225.237.223. There is another malicious site on 66.225.237.222, there may be others. This IP is allocated to HostForWeb Inc, Chicago. Blocking the IP rather than the domain may help protect against other malicious sites on the same server.

Redret domains to block 17/1/12

The Redret domains have shifted around a little since last week, indicating perhaps more malicious activity to come.

Of note, cvredret.ru and cxredret.ru are both multihomed on several IP addresses (both domains are on the same set of addresses). Those domains can be found on 91.208.181.205, 93.189.88.198, 213.193.231.210, 78.47.135.105, 78.129.233.8, 85.214.204.32, and 87.106.201.119.

Changes since last time are highlighted.

46.249.37.109 (Serverius Holdings, Netherlands)
cpredret.ru

67.215.3.153 (GloboTech Communications, California)
ckredret.ru
clredret.ru

78.47.135.105 (Hetzner Online, Germany)
cvredret.ru
cxredret.ru

78.129.233.8 (Rapidswitch, UK)
cvredret.ru
cxredret.ru

79.137.237.63 (Digital Network JSC aka DINETHOSTING, Russia. Block 79.137.224.0/20)
crredret.ru
ctredret.ru
czredret.ru

79.137.237.67 (Digital Network JSC aka DINETHOSTING, Russia. Block 79.137.224.0/20)
ciredret.ru
coredret.ru

79.137.237.68 (Digital Network JSC aka DINETHOSTING, Russia. Block 79.137.224.0/20)
caredret.ru
cdredret.ru
cfredret.ru
cgredret.ru
csredret.ru

85.214.204.32 (Strato AG, Germany)
cvredret.ru
cxredret.ru

87.106.201.119 (1&1, Spain)
cvredret.ru
cxredret.ru

89.208.34.116  (Digital Network JSC aka DINETHOSTING, Russia. Block 89.208.32.0/19)
aredirect.ru
ajredret.ru
akredret.ru
alredret.ru
amredret.ru
apredret.ru
arredret.ru
asredret.ru
baredret.ru
biredret.ru
bvredret.ru

91.208.181.205 (Oxalide, France)
cvredret.ru
cxredret.ru

91.220.35.38 (Zamanhost, Ukraine/Russia. Block 91.220.35.0/24)
bredirect.ru
credirect.ru
dredirect.ru
eredirect.ru
aaredret.ru
abredret.ru
acredret.ru
adredret.ru

91.222.137.170 (Delta-X Ltd, Ukraine. Consider blocking 91.222.136.0/22)
chredret.ru
cjredret.ru

93.189.88.198 (Silicontower, Spain)
cvredret.ru
cxredret.ru

94.199.51.108 (23VNet, Hungary)
bkredret.ru
bpredret.ru
bxredret.ru
byredret.ru

95.163.89.193 (Digital Network JSC aka DINETHOSTING, Russia. Block 95.163.64.0/19)
aeredret.ru
afredret.ru
agredret.ru
ahredret.ru
airedret.ru
bbredret.ru
bcredret.ru
bdredret.ru
beredret.ru
bfredret.ru
bgredret.ru
bhredret.ru

95.163.89.200 (Digital Network JSC aka DINETHOSTING, Russia)
bwredret.ru
bzredret.ru

109.70.26.36 (Parked at RU-SERVICE Ltd ISP)
iredirect.ru

203.170.193.102 (IDC Cyberworld, Thailand)
cbredret.ru
ccredret.ru

213.193.213.210 (Trueserver, Netherlands)
cvredret.ru
cxredret.ru

No IP at present
fredirect.ru
gredirect.ru
hredirect.ru
jredirect.ru
kredirect.ru
lredirect.ru
mredirect.ru
nredirect.ru
oredirect.ru
predirect.ru
qredirect.ru
rredirect.ru
sredirect.ru
tredirect.ru
uredirect.ru
vredirect.ru
wredirect.ru
xredirect.ru
yredirect.ru
zredirect.ru
anredret.ru
aoredret.ru
aqredret.ru
atredret.ru
auredret.ru
avredret.ru
awredret.ru
axredret.ru
ayredret.ru
azredret.ru
bjredret.ru
bmredret.ru
bnredret.ru
bqredret.ru
brredret.ru
btredret.ru
buredret.ru
ceredret.ru
cmredret.ru
cnredret.ru
cqredret.ru
cwredret.ru
cyredret.ru

Friday, 13 January 2012

"Your order for helicopter for the weekend" / ccredret.ru

Another Redret spam leading to a malicious payload..


Date:      Fri, 12 Jan 2012 04:53:25 +0100
From:      "Keila Farley" [HannaMarcelino@ameritrade.com]
Subject:      Your order for helicopter for the weekend

Your order for our air carriage services has been received and processed. The chopper will be at your disposal from 3.30 a.m. sunday to 16.00 wednesday. Once again, the rates are as follows:
1 hour in the air: 794$
Takeoff / Landing: 163$
1 hour idle time on the ground: 166$
Longest flight is 3 hours.
When flying for longer distances, a co-pilot is needed, and the cost accordingly grows by 114$ per hour.


Invoice.doc 581kb
With Best Regards
Keila Farley
The malicious payload is delivered via a legitimate hacked site which redirects to ccredret.ru/main.php, hosted on 67.215.3.153 (GloboTech, California). That same IP was seen recently with another Redret domain, and you should block access to it if you can.

fff

Thursday, 12 January 2012

"John Dillinger" / "Apple Store - Important information about your Apple ID"

This email was actually sent by Apple, apparently to a famous bank robber, John Dillinger.

Date: Thu, 12 Jan 2012 01:37:23 +0000 (GMT)
From: Apple [appleid@id.apple.com]
Subject: Apple Store - Important information about your Apple ID

    Apple Online Store   
Order Status     Account     Help    
   
   
Dear John Dillinger
Welcome to the Apple Online Store. We wanted to share some information with you about your Apple ID, which allows you to personalize your Apple Online Store experience and helps you access other Apple resources.
Your Apple ID is your current email address.  You can use the password you created when you set up your account online. If you forget or need to reset your password, go to My Apple ID.
By using your Apple ID on the Apple Online Store, you have access to your account information online.  You can save carts until you're ready to place an order, check the status of or change your order, track your shipments, view your order history, maintain your account information, check Apple Gift Card balances, and much more.
Additionally, your Apple ID gives you access to other Apple resources, including:
• Buying music, movies, TV shows, and more at the iTunes Store
• Buying or downloading applications for your iPod touch or iPhone using the App Store
• Ordering photos and photobooks through iPhoto
• Registering your Apple products
• Accessing support for your products from AppleCare
• Getting One to One personal training and other services at an Apple Retail Store
Sign in to Your Account, to take advantages of the benefits of your Apple ID on the Apple Online Store. To learn more about your Apple ID, visit the Your Account section of online Help.
We also want you to know that the security of your personal information is important to us.  For more information on how Apple protects your personal information, please refer to the Apple Customer Privacy Policy.
Thank you for choosing Apple,
The Apple Store Team
http://store.apple.com
1-800-MY-APPLE


Indeed, an Apple account has been created for this email address. But not by me. Upon inspection, the Apple account has no information in it apart from the "John Dillinger" name, and it's a simple matter to reset the password to thwart whatever it going on here.

The email is quite genuine, coming from an Apple IP (17.254.6.195) and with all the links pointing to Apple and not another site. And it seems that I am not alone in receiving this email.

If you have had the same email, please consider letting me know in the comments!

Tuesday, 10 January 2012

"Our chances to win an action are higher than ever" spam / clredret.ru

A weird spam, leading to a malicious download at clredret.ru/main.php via a random hacked site.
Date:      Tue, 9 Jan 2012 08:39:05 +0300
From:      victimname@gmail.com
Subject:      Re: Our chances to win an action are higher than ever.

We discussed it with the administration representatives, and if we confess our non-essential faults to improve their statistics, the key cause will be closed due to the lack of the government interest to the action We have prepared your declaratory text for the court. Please read it carefully and if anything in it dissatisfies you, inform us.

Speech.doc 489kb


With Respect To You
Jeramiah Cohen

As mentioned earlier, clredret.ru is on 46.249.37.22 (Serverius Holdings, Netherlands) and that IP is well worth blocking.

Redret domains to block 10/1/12

After a quite couple of weeks, the Redret spam has started again using the domains and IPs listed below. Some are familiar, some are new. In some cases blocking whole IP ranges is the best idea.

46.249.37.22 (Serverius Holdings, Netherlands)
clredret.ru

46.249.37.109 (Serverius Holdings, Netherlands)
cpredret.ru

67.215.3.153 (GloboTech Communications, California)
ckredret.ru

79.137.237.63 (Digital Network JSC aka DINETHOSTING, Russia. Block 79.137.224.0/20)
crredret.ru
ctredret.ru
czredret.ru

79.137.237.67 (Digital Network JSC aka DINETHOSTING, Russia. Block 79.137.224.0/20)
ciredret.ru
coredret.ru

79.137.237.68 (Digital Network JSC aka DINETHOSTING, Russia. Block 79.137.224.0/20)
caredret.ru
cdredret.ru
cfredret.ru
cgredret.ru
csredret.ru

89.208.34.116  (Digital Network JSC aka DINETHOSTING, Russia. Block 89.208.32.0/19)
ajredret.ru
akredret.ru
alredret.ru
amredret.ru
apredret.ru
aredirect.ru
arredret.ru
asredret.ru
baredret.ru
biredret.ru
bvredret.ru

91.220.35.38 (Zamanhost, Ukraine/Russia. Block 91.220.35.0/24)
aaredret.ru
abredret.ru
acredret.ru
adredret.ru
bredirect.ru
credirect.ru
dredirect.ru
eredirect.ru

91.222.137.170 (Delta-X Ltd, Ukraine. Consider blocking 91.222.136.0/22)
chredret.ru
cjredret.ru

94.199.51.108 (23VNet, Hungary)
bkredret.ru
bpredret.ru
bxredret.ru
byredret.ru

95.163.89.193 (Digital Network JSC aka DINETHOSTING, Russia. Block 95.163.64.0/19)
aeredret.ru
afredret.ru
agredret.ru
ahredret.ru
airedret.ru
bbredret.ru
bcredret.ru
bdredret.ru
beredret.ru
bfredret.ru
bgredret.ru
bhredret.ru

95.163.89.200 (Digital Network JSC aka DINETHOSTING, Russia)
bwredret.ru
bzredret.ru

109.70.26.36 (Parked at RU-SERVICE Ltd ISP)
iredirect.ru

No IP at present
anredret.ru
aoredret.ru
aqredret.ru
atredret.ru
auredret.ru
avredret.ru
awredret.ru
axredret.ru
ayredret.ru
azredret.ru
bjredret.ru
bmredret.ru
bnredret.ru
bqredret.ru
brredret.ru
btredret.ru
buredret.ru
cbredret.ru
ccredret.ru
ceredret.ru
cmredret.ru
cnredret.ru
cqredret.ru
cvredret.ru
cwredret.ru
cxredret.ru
cyredret.ru
fredirect.ru
gredirect.ru
hredirect.ru
jredirect.ru
kredirect.ru
lredirect.ru
mredirect.ru
nredirect.ru
oredirect.ru
predirect.ru
qredirect.ru
rredirect.ru
sredirect.ru
tredirect.ru
uredirect.ru
vredirect.ru
wredirect.ru
xredirect.ru
yredirect.ru
zredirect.ru

Airline ticket spam / ckredret.ru

Despite a whole pile of Redret malware spam at the end of the year, the past couple of weeks have been very quiet. However, a new campaign has started up directing visitors via a hacked legitimate site to ckredret.ru/main.php which is hosted on 203.170.193.102 (IDC Cyberworld, Thailand).

Date:      Tue, 9 Jan 2012 08:33:24 +0700
From:      sales1@victimdomain.com
Subject:      Re: Your Flight N US966-282315527

Dear Customer,



FLIGHT NUMBER 5821-5704164

DATE/TIME : JANUARY 23, 2011, 16:12 PM

ARRIVING AIRPORT: WASHINGTON DC INT. AIRPORT

PRICE : 552.06 USD



Download your ticket here:

VIEW



KAYCEE Ramirez,

American Airlines

Right at the moment the site is failing to resolve, but that could simply be a loading issue. Blocking the 203.170.193.102 IP address would be a good idea as it will stop any other malicious sites on the same server.

Friday, 6 January 2012

"Elavon 2012 Update" phish

Elavon deals with payment processing. This email is not from Evalon.

From: "Elavon, Inc." [sobolan@myvirtualmerchan-02.com]
Date:Fri, 06 Jan 2012 16:09:48 +0100
Subject: Urgent-Notification

--Elavon 2012 Update--
Dear Customer,

We regret to inform you that your retail merchant account is locked.
To re-activate it please download the file attached to this e-mail and update your login information.

2012 Elavon Inc,
-Please note only RETAIL account are locked-
-Example : Market Segmet : Retail-

Attached is a file called myvirtualmerchant_login.html which is the phish itself, displaying the following screen.

The form itself sends the details to mail.xinsanjing.com on 220.189.213.181. (HangZhou XinSanJing Food Co. Ltd. China) which is possibly a hacked server. In this case the email originated from 209.91.252.206 in Puerto Rico.

If you use Elavon's services, watch out for this phish.

Thursday, 29 December 2011

"Your Changelog UPDATED" / cjredret.ru

Another spam, another "redret" domain. This time the spam is a "changelog" one, the malicious payload is on cjredret.ru/main.php.

Date:      Thu, 29 Dec 2011 07:59:51 +0200
From:      accounting@victimdomain.com
Subject:      Re: Fwd: Your Changelog UPDATED

Hello,

as promised chnglog updated -: View Changelog

Carey CATHERINE

The site is hosted on 91.222.137.170 (Delta-X, Ukraine), the same IP address as yesterday. If you don't have any reason to send traffic to the Ukraine, blocking access to 91.222.136.0/22 might be prudent.

Wednesday, 28 December 2011

"HP Officejet" spam / chredret.ru

More spam pointing to a malicious web page at chredret.ru/main.php (after redirecting through a legitimate but hacked site), but this time using the old "HP Officejet" approach.


Date:      Wed, 28 Dec 2011 05:32:16 +0700
From:      VG2EBrady@gmail.com
Subject:      Re: Fwd: Re: Scan from a HP Officejet #8056528

A document was scanned and sent to you using a Hewlett-Packard JET SK868691M



Sent to you by: SHEA
Pages : 3
Filetype: Image (.jpeg) View

Location: GDOSO.1.3TH
Device: OP685S9OD6236672

The domain chredret.ru  was used in this spam run yesterday, but now the server has moved from 46.249.37.22 to 91.222.137.170 (Delta-X, Ukraine). I don't know Delta-X at all, but the SiteVet and Google reports are not good, so you might want to consider blocking the entire range 91.222.136.0/22.

Tuesday, 27 December 2011

Contract spam / chredret.ru

Another fake "contract" spam leading to malware, hosted on chredret.ru .

Date:      Tue, 27 Dec 2011 06:06:18 +0700
From:      "Destinee Mills"
Subject:      The variant of the contract you've offered has been delcined.

After our legal department studied this contract carefully, they've noticed the following mismatches with our previous arrangements. We've composed a preliminary variant of the new contract, please study it and make sure that all the issues are matching your interests
NEW_Contract.doc 44kb


With best wishes
Destinee Mills
Another name used on the spam is "Ramiro Howell", although there are probably hundreds of fake names. The malicious payload is at chredret.ru/main.php, hosted on 46.249.37.22 (Serverius Holding BV, Netherlands). This is the second "redret" domain in this /24, so blocking 46.249.37.0/24 might be prudent.

Thursday, 22 December 2011

NACHA Spam / cgredret.ru

More NACHA spam, this time pointing to cgredret.ru (which we've seen before) which delivers a malicious payload.

Date:      Thu, 22 Dec 2011 03:37:35 +0530
From:      "NACHA"
Subject:      ACH Transfer rejected

ACH transaction, initiated from your checking account, was canceled.



Canceled transaction:



Transfer ID: B2793447923US

Transfer Report: View



GALINA Gunter

NACHA - The Electronic Payment Association

cgredret.ru has moved since yesterday and is now on 79.137.237.68. Unsurprisingly, it is now on Digital Network JSC in Russia (aka DINETHOSTING). Block access to 79.137.224.0/20 if you can.

Wednesday, 21 December 2011

"Hello! Look, I've received an unfamiliar bill.." / cgredret.ru

The spam tsunami continues, this one is a reworking of one seen last month, but with a new payload site.

Date:      Wed, 21 Dec 2011 06:43:07 +0700
From:      "MERLYN Spicer" [sales1@victimdomain.com]
To:     
Subject:      Need your help!

Hello! Look, I've received an unfamiliar bill, have you ordered anything?
Here is the bill

Please reply as soon as possible, because the amount is large and they demand the payment urgently.

Looking forward to your answer



Fingerprint: 2ccc03a5-e19549f7

The malicious payload is on cgredret.ru which I catalogued yesterday (although it didn't have an IP address then). The IP is now 206.72.207.156 (Interserver Inc, USA) along with some other malicious sites. Block the IP rather than the domain if you can.

*redirect.ru sites to block

These are another part of the "redret" series of malware sites being promoted by spam, and are worth blocking proactively.

109.70.26.36 (Parked)
iredirect.ru

89.208.34.116 (Digital Network JSC aka DINETHOSTING Russia, block 89.208.32.0/19)
aredirect.ru

91.220.35.38 (Zamanhost Ukraine, block 91.220.35.0/24)
bredirect.ru
credirect.ru
dredirect.ru
eredirect.ru

No IP allocated
fredirect.ru
gredirect.ru
hredirect.ru
jredirect.ru
kredirect.ru
lredirect.ru
mredirect.ru
nredirect.ru
oredirect.ru
predirect.ru
qredirect.ru
rredirect.ru
sredirect.ru
tredirect.ru
uredirect.ru
vredirect.ru
wredirect.ru
xredirect.ru
yredirect.ru
zredirect.ru

BBB Spam / curvechirp.com

Yet more BBB spam, this time with a different malicious domain - curvechirp.com, hosted on 184.171.248.47 at TMZHosting LLC, Florida. This range is suballocated from Hostdime and has been seen a few days ago with another attack, so blocking all access to 184.171.248.32/27 is probably prudent.

Payload page is at curvechirp.com/main.php?page=111d937ec38dd17e, at the moment the page is not responding (possibly due to being overloaded as it looks like a cheap VPS).

Here are some samples:


Date:      Wed, 21 Dec 2011 13:37:00 +0100
From:      "Better Business Bureau" [manager@bbb.org]
Subject:      BBB complaint processing
Attachments:     betterbb_logo.jpg

Attention: Owner/Manager

Here with the Better Business Bureau informs you that we have been filed a complaint (ID 54838460) from one of your customers with respect to their dealership with you.

Please open the COMPLAINT REPORT below to view the details on this question and suggest us about your opinion as soon as possible.

We are looking forward to your prompt reply.

Regards,

Gerard Johnson

Dispute Counselor
Better Business Bureau


Council of Better Business Bureaus
4200 Wilson Blvd, Suite 800
Arlington, VA 22203-1838
Phone: 1 (703) 276.0100
Fax: 1 (703) 525.8277

========

Date:      Wed, 21 Dec 2011 14:41:50 +0200
From:      "Better Business Bureau" [info@bbb.org]
Subject:      Urgent notice from BBB
Attachments:     betterbb_logo.jpg

Attn: Owner/Manager

Here with the Better Business Bureau informs you that we have been sent a complaint (ID 67732970) from a customer of yours with respect to their dealership with you.

Please open the COMPLAINT REPORT below to view the details on this case and inform us about your point of view as soon as possible.

We hope to hear from you shortly.

Sincerely,

Theresa Morris

Dispute Counselor
Better Business Bureau


Council of Better Business Bureaus
4200 Wilson Blvd, Suite 800
Arlington, VA 22203-1838
Phone: 1 (703) 276.0100
Fax: 1 (703) 525.8277

BBB Spam / curcandle.net

Yet more BBB themed malware spam this morning, bouncing through a couple of hacked servers to a malicious payload on curcandle.net (174.136.1.223, Colo4Dallas). Blocking access to the IP will also block any other evil domains on the same server.

The payload is on curcandle.net/main.php?page=111d937ec38dd17e although right at the moment it is 404ing. However, the spam run is just 30 minutes old so perhaps it is still under construction.

Some samples:


Date:      Wed, 21 Dec 2011 09:55:02 +0100
From:      "Better Business Bureau" [manager@bbb.org]
Subject:      BBB information regarding your customer’s complaint
Attachments:     betterbb_logo.jpg

Good afternoon,

Here with the Better Business Bureau informs you that we have been sent a complaint (ID 54715375) from one of your customers with respect to their dealership with you.

Please open the COMPLAINT REPORT below to obtain the details on this matter and inform us about your opinion as soon as possible.

We are looking forward to your prompt reply.

Sincerely,

Rebecca Wilcox

Dispute Counselor
Better Business Bureau


Council of Better Business Bureaus
4200 Wilson Blvd, Suite 800
Arlington, VA 22203-1838
Phone: 1 (703) 276.0100
Fax: 1 (703) 525.8277

============

Date:      Wed, 21 Dec 2011 09:54:50 +0100
From:      "BBB" [alerts@bbb.org]
Subject:      Your customer complained to BBB
Attachments:     betterbb_logo.jpg

Attn: Owner/Manager

Here with the Better Business Bureau notifies you that we have been sent a complaint (ID 44513446) from one of your customers with respect to their dealership with you.

Please open the COMPLAINT REPORT below to obtain more information on this question and inform us about your opinion as soon as possible.

We are looking forward to hearing from you.

Regards,

Theresa Morris

Dispute Counselor
Better Business Bureau


Council of Better Business Bureaus
4200 Wilson Blvd, Suite 800
Arlington, VA 22203-1838
Phone: 1 (703) 276.0100
Fax: 1 (703) 525.8277

============

Date:      Wed, 21 Dec 2011 08:54:38 +0000
From:      "BBB" [service@bbb.org]
Subject:      Better Business Bureau complaint
Attachments:     betterbb_logo.jpg

Attention: Owner/Manager

Here with the Better Business Bureau would like to notify you that we have received a complaint (ID 10822005) from one of your customers related to their dealership with you.

Please open the COMPLAINT REPORT below to obtain more information on this question and inform us about your position as soon as possible.

We are looking forward to your prompt reply.

Kind regards,

Theresa Morris

Dispute Counselor
Better Business Bureau


Council of Better Business Bureaus
4200 Wilson Blvd, Suite 800
Arlington, VA 22203-1838
Phone: 1 (703) 276.0100
Fax: 1 (703) 525.8277

============

Date:      Wed, 21 Dec 2011 09:33:03 +0000
From:      "BBB" [manager@bbb.org]
Subject:      BBB complaint report
Attachments:     betterbb_logo.jpg

Attn: Owner/Manager

Here with the Better Business Bureau notifies you that we have been sent a complaint (ID 10942308) from one of your customers in regard to their dealership with you.

Please open the COMPLAINT REPORT below to obtain more information on this question and let us know of your position as soon as possible.

We hope to hear from you very soon.

Faithfully,

Arnold Melendez

Dispute Counselor
Better Business Bureau


Council of Better Business Bureaus
4200 Wilson Blvd, Suite 800
Arlington, VA 22203-1838
Phone: 1 (703) 276.0100
Fax: 1 (703) 525.8277

a*redret.ru domains to block

More malware domains to block, being promoted through malicious spam emails:

89.208.34.116  (Digital Network JSC Russia aka DINETHOSTING. Block 89.208.32.0/19 as it is all toxic)
ajredret.ru
akredret.ru
alredret.ru
amredret.ru
apredret.ru
arredret.ru
asredret.ru

91.220.35.38 (Zamanhost, Ukraine. Block 91.220.35.0/24)
aaredret.ru
abredret.ru
acredret.ru
adredret.ru

95.163.89.193 (Digital Network JSC Russia. Block 95.163.0.0/16 or 95.163.64.0/19)
aeredret.ru
afredret.ru
agredret.ru
ahredret.ru
airedret.ru

No IP allocated
anredret.ru
aoredret.ru
aqredret.ru
atredret.ru
auredret.ru
avredret.ru
awredret.ru
axredret.ru
ayredret.ru
azredret.ru

b*redret.ru domains to block (updated)

Another set of "Redret" domains, the b*redret.ru series is used in malware distribution. It has some new IP addresses since the last time.

89.208.34.116 (Digital Network JSC Russia aka DINETHOSTING. Block 89.208.32.0/19 as it is all toxic)
baredret.ru
biredret.ru
bvredret.ru

91.228.133.120 (Inter-Treyd LLC, Russia. Recommend blocking 91.228.133.0/24)
blredret.ru
bsredret.ru

94.199.51.108 (23VNet Hungary)
bkredret.ru
bpredret.ru
bxredret.ru
byredret.ru

95.163.89.193 (Digital Network JSC Russia. Block 95.163.0.0/16 or 95.163.64.0/19)
bbredret.ru
bcredret.ru
bdredret.ru
beredret.ru
bfredret.ru
bgredret.ru
bhredret.ru

95.163.89.200 (Digital Network JSC Russia)
bwredret.ru
bzredret.ru

No IP at present
bjredret.ru
bmredret.ru
bnredret.ru
bqredret.ru
brredret.ru
btredret.ru
buredret.ru

Tuesday, 20 December 2011

c*redret.ru sites to block (updated)

These "Redret" domains serve up malware and are promoted by spam, some of them have moved around since last week so consider this an updated list.

46.249.37.109 [Serverius Holding B.V, Netherlands]
cpredret.ru

79.137.237.63 [Digital Network JSC, Russia aka DINETHOSTING. Recommend blocking 79.137.224.0/20]
crredret.ru
ctredret.ru
czredret.ru

79.137.237.67 [Digital Network JSC, Russia]
ciredret.ru
coredret.ru

79.137.237.68 [Digital Network JSC, Russia]
caredret.ru
csredret.ru

91.195.11.42 [UkrStar ISP, Ukraine. Recommend blocking 91.195.10.0/23]


206.72.207.156 [Interserver Inc, United States]
cdredret.ru
cfredret.ru

Not hosted at present
cbredret.ru
ccredret.ru
ceredret.ru
cgredret.ru
chredret.ru
cjredret.ru
ckredret.ru
clredret.ru
cmredret.ru
cnredret.ru
cqredret.ru
cvredret.ru
cwredret.ru
cxredret.ru
cyredret.ru

BBB Spam / financestuff.serveblog.net

Here's another BBB Spam leading to malware..

Date:      Tue, 20 Dec 2011 11:45:50 +0100
From:      "BBB" [support@bbb.org]
Subject:      BBB complaint processing
Attachments:     betterbb_logo.jpg

Attention: Owner/Manager

Here with the Better Business Bureau would like to notify you that we have received a complaint (ID 24673594) from your customer with respect to their dealership with you.

Please open the COMPLAINT REPORT below to find the details on this issue and let us know of your point of view as soon as possible.

We are looking forward to hearing from you.

Faithfully,

Katherine Schulte

Dispute Counselor
Better Business Bureau


Council of Better Business Bureaus
4200 Wilson Blvd, Suite 800
Arlington, VA 22203-1838
Phone: 1 (703) 276.0100
Fax: 1 (703) 525.8277

Malware payload in on financestuff.serveblog.net/main.php?page=69dbd5a1e3ed6ae9 on 207.210.65.12 (Global Net Access LLC). Block the IP address if you can.

"Scan from a Xerox WorkCentre Pro" / cfredret.ru

This is a fairly common malware spam, pointing to malicious code on cfredret.ru/main.php.

Date:      Tue, 20 Dec 2011 05:42:20 +0300
From:      victimname@gmail.com
Subject:      Re: Fwd: Re: Scan from a Xerox WorkCentre Pro #2966272

A Document was sent to you using a Xerox WKC1296130.



Sent by: SHIRLEY
Images : 5
Image (.JPEG) Download

Device: UM85256LL6P68270479



bfe116b5-7dcccccc

cfredret.ru is hosted on 78.47.193.36, exactly the same IP address as this BBB themed malware spam. Blocking access to 78.47.198.32/29 is a fabulous idea if you can.

BBB Spam / blumtam.com

More BBB spam, this time attempting to deliver users to a malicious payload on blumtam.com. A couple of samples:

Date:      Tue, 20 Dec 2011 00:34:38 -0800
From:      "BBB" [alerts@bbb.org]
Subject:      Re: your customer�s complaint ID 82235322
Attachments:     betterbb_logo.jpg

Attention: Owner/Manager

Here with the Better Business Bureau would like to inform you that we have been sent a complaint (ID 82235322) from a customer of yours in regard to their dealership with you.

Please open the COMPLAINT REPORT below to obtain the details on this case and let us know of your position as soon as possible.

We hope to hear from you shortly.

Kind regards,

Fernando Grodhaus

Dispute Counselor
Better Business Bureau


Council of Better Business Bureaus
4200 Wilson Blvd, Suite 800
Arlington, VA 22203-1838
Phone: 1 (703) 276.0100
Fax: 1 (703) 525.8277
and
Date:      Tue, 20 Dec 2011 11:09:23 +0200
From:      "BBB" [alerts@bbb.org]
Subject:      BBB case ID 59988329
Attachments:     betterbb_logo.jpg

Hello,

Here with the Better Business Bureau would like to notify you that we have been filed a complaint (ID 59988329) from a customer of yours related to their dealership with you.

Please open the COMPLAINT REPORT below to view more information on this matter and let us know of your opinion as soon as possible.

We are looking forward to hearing from you.

Faithfully,

Theresa Morris

Dispute Counselor
Better Business Bureau


Council of Better Business Bureaus
4200 Wilson Blvd, Suite 800
Arlington, VA 22203-1838
Phone: 1 (703) 276.0100
Fax: 1 (703) 525.8277

Payload is on blumtam.com/main.php?page=69dbd5a1e3ed6ae9 hosted on 78.47.198.36, a Hetzner AG address suballocated to an outfit called QHoster Ltd in Bulgaria. Blocking access to 78.47.198.32/29 would probably be prudent.

Monday, 19 December 2011

DHL malware spam / secure.dhldispatches.com

This DHL themed spam leads to malware:

From: DHL Express
Sent: 19 December 2011 10:03
Subject: DHL Express Dispatch Confirmation

Order number: 9672834463

Your order has now been dispatched and your DHL Express air waybill number is 9672834463.

To follow the progress of your shipment and print invoice for your records, please go to :
http://secure.dhldispatches.com/tracking/

IMPORTANT INFORMATION:
 
DHL Express will deliver your order between 9am-5pm GMT, Monday to Friday. If you are unavailable, DHL Express will leave a card so you can contact them to reschedule.

All orders must be signed for upon delivery.

Please note, we are unable to change the shipping address on your order now it has been dispatched. Your purchase should arrive in perfect condition. If you are unhappy with the quality, please let us know immediately.

Yours sincerely,

Customer Care
www.dhl.com

For assistance email customercare@dhl.com or call 0800 099 27671 from the UK, +44 (0)20 2781 62512 from the rest of the world, 24 hours a day, seven days a week


CONFIDENTIALITY NOTICE
The information in this email is confidential and is intended solely for the addressee. Access to this email by anyone else is unauthorised. If you are not the intended recipient, you must not read, use or disseminate the information. Any views expressed in this message are those of the individual sender, except where the sender specifically states them to be the views of DHL Express Deliveries.

secure.dhldispatches.com (hosted on 116.240.194.69, Primus Australia) looks like a DHL page, but it carries a malicious payload which is loads from 118.88.25.36 (Dedicated Servers Australia). Blocking access to both those IPs may be prudent. The Wepawet report for this one is here.

FDIC spam / splatstack.net

More FDIC spam leading to malware, this time at splatstack.net.

Date:      Mon, 19 Dec 2011 05:32:49 -0600
From:      "Greta Bullock"
Subject:      Blockage of your transactions

Attn: Financial Department


By this message we would like to inform you about the latest amendments in the Federal Deposit Insurance Corporation coverage rules. During the period from December 31, 2010 to December 31, 2012 all funds in a "noninterest-bearing transaction account" are provided with a full insurance coverage by the Federal Deposit Insurance Corporation. Please note, that this arrangement is temporary and separate from the Federal Deposit Insurance Corporation's basic insurance rules.

The term "noninterest-bearing transaction account" implies a usual checking account or demand deposit account on which the insured depository institution pays no interest. For more information about this temporary FDIC unlimited coverage, please refer to: http://iimtstudies.com/e3f4e0/index.html

Yours faithfully,
Greta Bullock
Federal Deposit Insurance Corporation


The link goes via a couple of hacked sites to a malicious payload splatstack.net/main.php?page=abfd0d069b45c17e hosted on 173.255.253.115 (Linode). Blocking access to that IP address will probably be prudent.

Scam: "CareerQuick Staffing" / careermanagement.com.ua

This is another take on RockSmith Management scam, linked to these dodgy work-at-home sites, apparently with an Australian connection.

Date:      Mon, 26 Sep 2011 05:48:19 +0530
From:      "Terence Mooney" [terence.mooney@voicecom.co.za]
Subject:      Reminder: Employment Opportunity Followup

Hello

Thank you for submitting your information for potential employment opportunities.
We look forward to reviewing your application, but can not do so until you complete our
internal application.

The pay range for available positions range from $35.77 per hour to $57.62 per hour.
Prior to begin able to be considered, you will first need you to formally apply.
Please go here to begin the process:

http://careermanagement.com.ua/

Also, the following perks are potentially available:

- Paid Time Off
- Health Benefits Package
- Higher than average salaries
- Tuition Reimbursement
- Extensive 401(k)program

Please take the time to follow the directions and complete the entire
application process.


Best Regards,

Rock Smith Management


careermanagement.com.ua is a Ukrainian domain, it is hosted on 85.121.39.3, which is a known black-hat host in Romania (Monyson Grup S.A), although as we said before this appears to be an Australian crew running the scam. The layout of the site echoes careerquickstaffing.com, a site that has already been suspended for spamming.

Friday, 16 December 2011

NACHA Spam/ ragsnip.com

Yet another round of fake NACHA spam leading to malware is doing the rounds, this time the payload is on ragsnip.com/main.php?page=111d937ec38dd17e hosted on 207.210.96.226 (Global Net Access LLC, Atlanta). Blocking access to the IP is preferable to the domain as there may be other malicious domains on the same server.

An example spam email from this run (it seems no different to all the other ones):

Date:      Fri, 16 Dec 2011 16:43:21 +0100
From:      "transactions@nacha.org" [transactions@nacha.org]
Subject:      Information on your pending transaction

Attention: Accounting Department

This message contains a report about the ACH debit transfer sent on your behalf, that was detained by our bank:
Transaction #:    007457776956967
Status of the transaction:    pending

In order to resolve this matter, please review the transaction details using the link below as soon as possible.

Faithfully yours,
Kathy Quirk
Accounting Department

NACHA Spam / ragsnub.com

More NACHA spam is doing the rounds, this time redirecting through a legitimate hacked site to ragsnub.com/main.php?page=69dbd5a1e3ed6ae9 on 184.171.248.35 (Hostdime, Florida).

There may be other bad domains on that server, so blocking access to the IP is the safest approach.

Thursday, 15 December 2011

NACHA Spam / evrymonthnighttry.com and glasseseverydaynow.com

More NACHA themed spam this morning that redirects victims through a hacked legitimate site to a malware laden page, this time hosted on evrymonthnighttry.com or glasseseverydaynow.com.

These sites are hosted on 46.183.217.119 (Dataclub, Latvia). I can't see anything at all of value in 46.183.216.0/21 so blocking access to all of that range might be prudent.

It also attempts to load an exploit from a site called bbb-complains.org which is not resolving at present.

A couple of example emails:

Date:      Thu, 15 Dec 2011 07:42:51 +0000
From:      "risk.manager@nacha.org" [risk.manager@nacha.org]
Subject:      Your ACH transaction details

Attention: Accounting Department

This message includes an important information regarding the ACH debit transfer sent on your behalf, that was detained by our bank:
Transaction ID:    079788807282357
Transaction status:    pending

In order to resolve this matter, please use the link below to review the transaction details as soon as possible.

Yours faithfully,
Anthony Cooley
Chief Accountant

and

Date:      Thu, 15 Dec 2011 07:30:43 +0000
From:      "alert@nacha.org" [alert@nacha.org]
Subject:      Your pending ACH debit transfer

Dear Sir or Madam,

Please find below a report about the ACH debit transfer sent on your behalf, that was kept back by our bank:
Transaction #:    638798200851317
Status of the transaction:    pending

In order to resolve this matter, please review the transaction details using the link below as soon as possible.

Yours truly,
Kevin Hunt
Chief Accountant