"LinkedIn Invitation from your co-worker" spam / slickcurve.com and bluecellular.com

Another malicious fake email from LinkedIn leading to malware hosted on slickcurve.com.

Date:      Thu, 22 Mar 2012 13:35:48 +0200
From:      "Dominique Benitez" [peripherals698@linkedin.com]
Subject:      LinkedIn Invitation from your co-worker


LinkedIn
REMINDERS

Invitation reminders:
? From Timothy Vega (Your classmate)


PENDING MESSAGES

? There are a total of 1 messages awaiting your response. Visit your InBox now.

Don't want to receive email notifications? Adjust your message settings.

LinkedIn values your privacy. At no time has LinkedIn made your email address available to any other LinkedIn user without your permission. � 2010, LinkedIn Corporation.

The malware payload is on slickcurve.com/showthread.php?t=73a07bcb51f4be71 (report here) hosted on 173.255.195.167 (Linode, US). Blocking that IP address will block any other malicious sites on the same server.

"LinkedIn Invitation from your colleague" spam / closteage.com

A fake LinkedIn spam leading to malware hosted at closteage.com:

Date:      Wed, 21 Mar 2012 16:24:04 +0200
From:      "Stacy Goss"
Subject:      LinkedIn Invitation from your colleague


LinkedIn
REMINDERS

Invitation notifications:
? From Kadeem Ruiz (Your Colleague)


PENDING MESSAGES

? There are a total of 3 messages awaiting your response. Visit your InBox now.

Don't want to receive email notifications? Adjust your message settings.

LinkedIn values your privacy. At no time has LinkedIn made your email address available to any other LinkedIn user without your permission. Š 2010, LinkedIn Corporation.

The payload is at closteage.com/showthread.php?t=73a07bcb51f4be71 (report here) hosted on 209.59.217.101 (Endurance International, US). Blocking that IP will block any other malicious sites on the same server.

Mid Bedfordshire Constituency and Nadine Dorries - time to go

I don't often get to write about politics on this blog, and I know that most of my readers won't really care.. so scroll on :)

There are proposals to abolish the UK parliamentary constituency of mid-Bedfordshire (where I live). The current MP is Nadine Dorries who is fighting a desperate rearguard action to try to get the proposals overturned. However, not everybody supports Ms Dorries and her campaign, and it seems to me that the proposals (outlined here) are a very good thing and should be supported.

The deadline for submissions is 30th March, the email address to send them to is reviews -at- bcommengland.x.gsi.gov.uk - obviously you can send what you like, but this is what I have sent:

Dear Chairman,

I am writing to support the dissolution of the Mid Bedfordshire parliamentary constituency for the following reasons:

1) The current constituency does not represent a cohesive entity. It is merely a rural "filler" between the urban areas to the north and south.

2) The proposed boundaries reflect closely "Travel to Work Areas" and takes into account that the north of the county is more closely affiliated with Bedford, and the south of the county with Luton and Dunstable.

Although there are obviously some compromises in the way the proposed boundaries have been drawn up, it is my belief that the proposals have been made with some care and understanding of the demographics of the area. In my view the proposed arrangements will be much better for the residents of the current Mid Bedfordshire parliamentary constituency, and that the constituency should be abolished and new boundaries should be established based on those proposed.

"Fwd: Your Flight N 76-124339" spam / dnvfodooshdkfhha.ru

Here's a "flight ticket" spam leading to malware:

Date:      Tue, 20 Mar 2012 11:56:41 +0900
From:      "DEDE Rainey"
Subject:      Re: Fwd: Your Flight N 76-124339
Attachments:     FLIGHT_TICKET_N-A7401085.htm

Dear Customer,



FLIGHT NUMBER 162-717

DATE/TIME : MARCH 28, 2011, 14:13 PM

ARRIVING AIRPORT: NEW-YORK AIRPORT

PRICE : 906.20 USD



Your bought ticket is attached to the letter as a scan document (Internet Exlporer File).

To use your ticket you should print it.



DEDE Rainey,

The attachment tries to redirect the victim to a malware site on dnvfodooshdkfhha.ru:8080/images/aublbzdni.php (report here) and as with most of the .ru:8080 attacks we see, this one is multihomed:

62.85.27.129 (Microlink Latvia Ltd, Latvia)
78.83.233.242 (Spectrum, Bulgaria)
83.238.208.55 (Netia, Poland)
125.19.103.198 (Bharti Infotel, India)
173.203.51.174 (Slicehost, US)
200.169.13.84 (Century Telecom Ltda, Brazil)
202.149.85.37 (Satata Net, Indonesia)
209.114.47.158 (Slicehost, US)
210.56.23.100 (Commission for Science and Technology, Pakistan)
210.56.24.226 (Commission for Science and Technology, Pakistan)
210.109.108.210 (Sejong Telecom, Korea)
211.44.250.173 (SK Broadband Co Ltd, Korea)
219.94.194.138 (Sakura Internet Inc, Japan)

Plain list for copy and pasting:
62.85.27.129
78.83.233.242
83.238.208.55
125.19.103.198
173.203.51.174
200.169.13.84
202.149.85.37
209.114.47.158
210.56.23.100
210.56.24.226
210.109.108.210
211.44.250.173
219.94.194.138

"Scan from a Hewlett-Packard ScanJet " spam / debiudlasduisioa.ru

Another fake "HP scan" document with a malicious attachment.

Date:      Fri, 16 Mar 2012 10:49:18 -0300
From:      scan@victimdomain.com
Subject:      Fwd: Scan from a Hewlett-Packard ScanJet 684248
Attachments:     HP_Document-16-539.htm

Attached document was scanned and sent



to you using a Hewlett-Packard Scan Jet 57968D.



SENT BY: KAM
PAGES : 4
FILETYPE: .HTML [Internet Explorer File]

The payload is on debiudlasduisioa.ru:8080/images/aublbzdni.php  - the IPs are the same as in this spam run and should be blocked if you can do it.

Intuit.com spam / 173.224.71.132

Yet another round of malicious fake Intuit.com spam is doing the rounds:

Date:      Fri, 16 Mar 2012 11:15:29 -0300
From:      "INTUIT INC."
Subject:      Your Intuit.com order confirmation.




Dear Client:

Thank you for ordering from Intuit Market. We are working on and will send you an e-mail when your order is processed. If you ordered multiple items, we may deliver them in more than one delivery (at no extra cost to you) to provide faster processing time.

If you have questions about your order, please call 1-800-955-8890.


ORDER INFORMATION

Please download your complete order
id #078419178757 information at Intuit small business website.

NEED HELP?

    Email us at mktplace_customerservice@intuit.com.
    Call us at 1-800-955-8890.
    Reorder Intuit Checks Quickly and Easily starting with
    the information from your previous order.

To help us better serve your needs, please take
a few minutes to let us know how we are doing.
Submit your feedback here.

Thanks again for your order,

Intuit Market Customer Service

Privacy , Legal , Contact Us , About Us

You have received this business communication as part of our efforts to fulfill your request or service
your account. You may receive this and other business communications from us even if you have opted
out of marketing messages.

Please note: This e-mail was sent from an auto-notification system that cannot accept incoming email
Please do not reply to this message.

If you receive an email message that appears to come from Intuit but that you suspect is a phishing
e-mail, please forward it immediately to spoof@intuit.com. Please visit http://security.intuit.com/ for
additional security information.


�2011 Intuit, Inc. All rights reserved. Intuit, the Intuit Logo, Quickbooks, Quicken and TurboTax,
among others, are registered trademarks of Intuit Inc.

In this case the link in the email goes through a legitimate hacked site and ends up at 173.224.71.132:8080/showthread.php?t=73a07bcb51f4be71 (Colo5, US). There's a Wepawet report here. Blocking that IP would stop any further malicious sites on the server from being a problem.

"Traffic ticket N250997376 " spam / dkjhfkjsjadsjjfj.ru

This fake traffic ticket (allegedly sent by UPS!) leads to malware at dkjhfkjsjadsjjfj.ru:8080/images/aublbzdni.php

Date:      Fri, 16 Mar 2012 -06:13:46 -0800
From:      UPS Account Services
Subject:      Traffic ticket N250997376
Attachments:     TRAFFIC_TICKET_N75412.htm

This notification is from the Conestoga department, your car has been pictured while crossing on the red light. We're testing the automatical identification system and the system of issuing fines, so please have a look at the picture in attachment and confirm whether this car is yours or no.

This is multihomed on exactly the same IPs as this other attack. Blocking those IPs would be prudent.

fff

"Scan from a Hewlett-Packard ScanJet " malware / dsakhfgkallsjfd.ru

Another malicious spam campaign, this time with an attachment leading to a malware payload at dsakhfgkallsjfd.ru:8080/images/aublbzdni.php

Date:      Thu, 15 Mar 2012 -01:08:49 -0800
From:      scanner@victimdomain.com
Subject:      Re: Fwd: Scan from a Hewlett-Packard ScanJet 92186094
Attachments:     HP_Document-15-905.htm

Attached document was scanned and sent

to you using a Hewlett-Packard ScanJet 56348K.

SENT BY: LAKITA
PAGES : 2
FILETYPE: .HTML [Internet Explorer File]

There's further malicious code at dsakhfgkallsjfd.ru:8080/images/xlhwhrfvfsxubl.php (report here) - the dsakhfgkallsjfd.ru domain is multihomed on the following IP addresses:


62.85.27.129 (Microlink Latvia Ltd, Latvia)
78.83.233.242 (Spectrum, Bulgaria)
78.107.82.98 (Vimpelcom, Russia)
83.238.208.55 (Netia, Poland)
89.218.55.51 (Kazakhtelecom, Kazakhstan)
95.156.232.102 (Optimate-Server, Germany)
111.93.161.226 (Tata Teleservices, India)
118.97.9.60 (Telekomunikasi, Indonesia)
125.19.103.198 (Bharti Infotel, India)
173.203.51.174 (Slicehost, US)
173.203.211.157 (Slicehost, US)
190.81.107.70 (Telmex, Peru)
194.85.97.121 (State Technical University of Saint-Petersburg, Russia)
200.169.13.84 (Century Telecom Ltda, Brazil)
202.149.85.37 (Satata Net, Indonesia)
209.114.47.158 (Slicehost, US)
210.56.23.100 (Commission for Science and Technology, Pakistan)
210.56.24.226 (Commission for Science and Technology, Pakistan)
210.109.108.210 (Sejong Telecom, Korea)
211.44.250.173 (SK Broadband Co Ltd, Korea)
219.94.194.138 (Sakura Internet Inc, Japan)

Plain list for copy-and-pasting:
62.85.27.129
78.83.233.242
78.107.82.98
83.238.208.55
89.218.55.51
95.156.232.102
111.93.161.226
118.97.9.60
125.19.103.198
173.203.51.174
173.203.211.157
190.81.107.70
194.85.97.121
200.169.13.84
202.149.85.37
209.114.47.158
210.56.23.100
210.56.24.226
210.109.108.210
211.44.250.173
219.94.194.138

goo.gl/FP84h link leads to malware

Another malware campaign using the goo.gl redirector leading to a malicious payload, this time on 66.151.138.87.

From:     OP 25939760 Y tuelkv60@yahoo.com
To:     ptofomen@elpuertosm.net
Date:     15 March 2012 08:35
Subject:     LinkedIn Corporation account on Hold Ref78087257
Signed by:     yahoo.com

CaseȌ99-4582982-70209467-8-373
< !--PZ 62188868 V

http://goo.gl/FP84h



XR 28309138 C

The goo.gl redirector goes to shfd19za.roversmolina.ru (multihomed, see below) and then ends up on a malicious page at 66.151.138.87/showthread.php?t=72d268be707a5fb7 (Nuclear Fallout Enterprises, US again).

The intermediate site is multihomed on what looks like a botnet:

1.170.145.188 (HINET, Tawian)
37.99.3.131 (2day Telecom, Kazakhstan)
46.158.89.63 (Rostelecom, Russia)
46.166.89.234 (Sibtranstelecom, Russia)
59.161.112.144 (Tata Communications, India)
61.90.53.87 (True Internet, Thailand)
94.41.81.55 (Ufanet, Russia)
95.28.225.180 (Vimpelcom, Russia)
95.57.1.107 (Kazakhtelecom, Kazakhstan)
95.58.88.151 (Kazakhtelecom, Kazakhstan)
95.58.106.240 (Kazakhtelecom, Kazakhstan)
95.176.193.129 (Telekom Slovenije, Slovenia)
109.194.43.62 (ER-Telecom Holding, Russia)
112.110.219.218 (Pune Mobile Subscriber, India)
114.43.145.75 (HINET, Taiwan)
117.195.168.49 (BSNL Internet, India)
122.179.171.126 (Airtel, India)
123.17.240.127 (VNPT, Vietnam)
123.18.190.230 (VNPT, Vietnam)
178.46.12.159 (Rostelecom, Russia)

Plain list for copy-and-pasting:
1.170.145.188
37.99.3.131
46.158.89.63
46.166.89.234
59.161.112.144
61.90.53.87
94.41.81.55
95.28.225.180
95.57.1.107
95.58.88.151
95.58.106.240
95.176.193.129
109.194.43.62
112.110.219.218
114.43.145.75
117.195.168.49
122.179.171.126
123.17.240.127
123.18.190.230
178.46.12.159
66.151.138.87

INTUIT / IRS malicious spam and georgekinsman.net

There are two parallel spam campaigns running right not, one in the "Intuit.com invoice" form, one in the "IRS Tax Appeal form".

Both spams lead to a malicious page at georgekinsman.net/main.php?page=c9a5e6d306c55c68 (report here) hosted on the very familiar IP address of 41.64.21.71. Block it if you haven't already.

"Scan from a Hewlett-Packard ScanJet" malware / doosdkdkjsjdfo.ru

This old attack again, a malicious email with an attachment leading to doosdkdkjsjdfo.ru

Date:      Wed, 14 Mar 2012 12:31:50 +0530
From:      officejet@victimdomain.com
Subject:      Re: Fwd: Scan from a Hewlett-Packard ScanJet 297552
Attachments:     HP_Scanjet-14-626146.htm

Attached document was scanned and sent



to you using a Hewlett-Packard ScanJet 93988PP.

SENT BY: Teagan
PAGES : 2
FILETYPE: .HTML [Internet Explorer File]

The malware is on doosdkdkjsjdfo.ru:8080/images/aublbzdni.php, which is multihomed on a subset of the IPs in this other recent attack. A Wepawet report can be found here.

62.85.27.129 (Microlink Latvia Ltd, Latvia)
89.218.55.51 (Kazakhtelecom, Kazakhstan)
95.156.232.102 (Optimate-Server, Germany)
111.93.161.226 (Tata Teleservices, India)
118.97.9.60 (Telekomunikasi, Indonesia)
125.19.103.198 (Bharti Infotel, India)
190.81.107.70 (Telmex, Peru)
200.169.13.84 (Century Telecom Ltda, Brazil)
210.56.23.100 (Commission for Science and Technology, Pakistan)
210.109.108.210 (Sejong Telecom, Korea)
211.44.250.173 (SK Broadband Co Ltd, Korea)
219.94.194.138 (Sakura Internet Inc, Japan)

Plain list for copy-and-pasting:
62.85.27.129
89.218.55.51
95.156.232.102
111.93.161.226
118.97.9.60
125.19.103.198
190.81.107.70
200.169.13.84
210.56.23.100
210.109.108.210
211.44.250.173
219.94.194.138

nu.nl compromised with svitart.in attack

Popular Netherlands news site nu.nl (Global rank 544, NL rank 4 according to Alexa) has been compromised in an injection attack of some sort, leading to an exploit kit hosted on svitart.in.

More here (in Nederlands or Google Translated).

goo.gl/NEQlS link leads to malware

Another case of the goo.gl redirector being used for evil:

From:     Dilip Lalita dklalita1977@yahoo.com
Date:     14 March 2012 09:38
Subject:     Changes in FDIC policy #22666447
Signed by:     yahoo.com

Id 36-4866333-96425034-8-662
< !--KG 19021150 K

 http://goo.gl/NEQlS



HF 22555007 Z

goo.gl/NEQlS leads to m6ttp.burdencrigyll.ru  (multihomed, see below) and then to a malicious payload site at 64.150.166.50/showthread.php?t=72d268be707a5fb7 (iPower, US). This URL contains an exploit kit.

The intermediate step is hosted on several servers:

31.40.240.89 (Ukrainian American Joint Venture, Ukraine)
31.45.144.128 (VIPnet, Croatia)
46.146.101.194 (ER-Telecom Holding, Russia)
46.173.172.249 (Galitski Telekommunications, Ukraine)
49.0.153.231 (Yokozunanet, Mongolia)
59.93.196.162 (BSNL Internet, India)
59.103.211.151 (Pakistan Telecommunication Company Limited, Pakistan)
59.161.115.17 (TATA Communications, India)
61.227.168.35 (HINET, Taiwan)
77.34.225.103 (Rostelecom, Russia)
91.82.23.56 (Invitel, Hungary)
95.57.154.111 (Kazakhtelecom, Kazakhstan)
95.57.188.134 (Kazakhtelecom, Kazakhstan)
95.188.155.101 (Rostelecom, Russia)
95.234.146.196 (Alice, Italy)
109.191.44.122 (Intersvyaz-2, Russia)
114.163.159.142 (Open Computer Network, Japan)
115.242.148.93 (Reliance Communication, India)
122.175.149.136 (Bharti Airtel, India)
178.91.60.141  (Kazakhtelecom, Kazakhstan)

This is a plain list for copy-and-pasting:
31.40.240.89
31.45.144.128
46.146.101.194
46.173.172.249
49.0.153.231
59.93.196.162
59.103.211.151
59.161.115.17
61.227.168.35
77.34.225.103
91.82.23.56
95.57.154.111
95.57.188.134
95.188.155.101
95.234.146.196
109.191.44.122
114.163.159.142
115.242.148.93
122.175.149.136
178.91.60.141
64.150.166.50

MS12-020: this is not good

MS12-020.. what can I say except that this is NOT GOOD. If you're running RDP on your clients or servers then this is something you need to patch RIGHT NOW..

Update: the folks at the ISC think so too. This is wormable and apparently not difficult to exploit, assuming it is switched on. So, you either need to patch or disable it.. or a combination of both.

Update 2: a visitor left a note to say they were working on a vulnerability scanner at rdpcheck.com . It's not ready yet, but there's a signup form on the page for more information.

Update 3: Allegedly, there is PoC code available for this on Pastebin, although this has not been independently confirmed.

Update 4: The ISC have changed the INFOCON status to yellow because of the perceived high risk.

Update 5: There is now an nmap script available to scan for vulnerable machines here.

BBB Spam / mynourigen.net

More BBB spam leading to malware, this time at mynourigen.net. For example:

Date:      Tue, 13 Mar 2012 20:39:07 +0700
From:      "BBB"
Subject:      Important! BBB complaint activity report
Attachments:     betterbb_logo.jpg

Attn: Owner/Manager

Here with the Better Business Bureau would like to inform you that we have been filed a complaint (ID 92163107) from one of your customers related to their dealership with you.

Please open the COMPLAINT REPORT below to obtain the details on this question and let us know of your opinion as soon as possible.

We hope to hear from you very soon.

Sincerely,

Rebecca Wilcox

Dispute Counselor
Better Business Bureau


Council of Better Business Bureaus
4200 Wilson Blvd, Suite 800
Arlington, VA 22203-1838
Phone: 1 (703) 276.0100
Fax: 1 (703) 525.8277

==========

Date:      Tue, 13 Mar 2012 14:42:30 +0100
From:      "Better Business Bureau"
Subject:      Your customer complained to BBB
Attachments:     betterbb_logo.jpg

Good afternoon,

Here with the Better Business Bureau informs you that we have been sent a complaint (ID 31347804) from one of your customers with respect to their dealership with you.

Please open the COMPLAINT REPORT below to obtain more information on this issue and let us know of your position as soon as possible.

We hope to hear from you very soon.

Sincerely,

Carlos Baxter

Dispute Counselor
Better Business Bureau


Council of Better Business Bureaus
4200 Wilson Blvd, Suite 800
Arlington, VA 22203-1838
Phone: 1 (703) 276.0100
Fax: 1 (703) 525.8277

==========

Date:      Tue, 13 Mar 2012 14:53:11 +0100
From:      "BBB"
Subject:      BBB important information
Attachments:     betterbb_logo.jpg

Good afternoon,

Here with the Better Business Bureau informs you that we have been sent a complaint (ID 11043517) from your customer in regard to their dealership with you.

Please open the COMPLAINT REPORT below to find the details on this case and let us know of your point of view as soon as possible.

We are looking forward to hearing from you.

Faithfully,

Fernando Grodhaus

Dispute Counselor
Better Business Bureau


Council of Better Business Bureaus
4200 Wilson Blvd, Suite 800
Arlington, VA 22203-1838
Phone: 1 (703) 276.0100
Fax: 1 (703) 525.8277

==========

Date:      Tue, 13 Mar 2012 14:30:45 +0100
From:      "BBB"
Subject:      BBB processing RE: Case ID 06216966
Attachments:     betterbb_logo.jpg

Good afternoon,

Here with the Better Business Bureau informs you that we have been sent a complaint (ID 06216966) from a customer of yours in regard to their dealership with you.

Please open the COMPLAINT REPORT below to view more information on this case and suggest us about your position as soon as possible.

We hope to hear from you very soon.

Kind regards,

Carlos Baxter

Dispute Counselor
Better Business Bureau


Council of Better Business Bureaus
4200 Wilson Blvd, Suite 800
Arlington, VA 22203-1838
Phone: 1 (703) 276.0100
Fax: 1 (703) 525.8277

==========

The malicious payload is on mynourigen.net/main.php?page=dc6f9d2a120107b9 and mynourigen.net/content/ap2.php?f=fa88c - it's the usual mixed bag of exploits.

mynourigen.net is apparently hosted on 41.64.21.71 in Egypt (seen many times before). The following domains are also associated with the same IP and can be considered to be malicious.

abc-spain.net
bonus100get.com
excellentworkchoise.com
foryouhomework.com
freac.net
get100bonus.com
getbonus100.com
icemed.net
likethisjob.com
perfectbusinesschance.net
sony-zeus.net
stafffire.net
synergyledlighting.net
systemtestnow.com
themeparkoupons.net
workatyourhomenow.com
yourbeautifulchance.com
yourbeautifullife.net
yourlifechance.net
yourpersonaldefence.com

"I'm in trouble! " spam / ckjsfhlasla.ru

Another recycled spam campaign leading to malware:

Date:      Tue, 13 Mar 2012 01:52:30 +0700
From:      "Greyson Montoya"
Subject:      I'm in trouble!
Attachments:     Image_DIG33080106.htm

I was at a party yesterday, got drunk, couldn't drive the car, somebody gave me a lift on my car, and crossed on the red light!
I've just got the pictures, maybe you know him???

I have attached the photo to the mail (Open with Internet Explorer).

I need to find him urgently!

Thank you
Niju

The malicious web page is at ckjsfhlasla.ru:8080/images/aublbzdni.php which is hosted on exactly the same IP addresses as this spam run yesterday. Blocking these IPs would be prudent.

"Scan from a Xerox W. Pro" spam / cjjasjjikooppfkja.ru

A fairly familiar spam with a malicious attachment:

Date:      Mon, 12 Mar 2012 08:32:11 +0100
From:      "KATELYN NEAL"
Subject:      Fwd: Scan from a Xerox W. Pro #0099345
Attachments:     Xerox_Workcentre_03.08_FZ1820.htm

Please open the attached document. It was scanned and sent

to you using a Xerox WorkCentre Pro.



Sent by: Guest
Number of Images: 1
Attachment File Type: .HTML

WorkCentre Pro Location: machine location not set
Device Name: XRX318AA5BSX3515459

The attachment leads to a malicious page at cjjasjjikooppfkja.ru:8080/images/aublbzdni.php. This domain is multihomed at:

62.85.27.129 (Microlink Latvia Ltd, Latvia)
83.238.208.55 (Netia SA, Poland)
89.218.55.51 (Kazakhtelecom, Kazakhstan)
95.156.232.102 (Optimate-Server, Germany)
111.93.161.226 (Tata Teleservices, India)
118.97.9.60 (Telekomunikasi, Indonesia)
125.19.103.198 (Bharti Infotel, India)
190.81.107.70 (Telmex, Peru)
200.169.13.84 (Century Telecom Ltda, Brazil)
210.56.23.100 (Commission for Science and Technology, Pakistan)
210.109.108.210 (Sejong Telecom, Korea)
211.44.250.173 (SK Broadband Co Ltd, Korea)
219.94.194.138 (Sakura Internet Inc, Japan)

Plain list:
62.85.27.129
83.238.208.55
89.218.55.51
95.156.232.102
111.93.161.226
118.97.9.60
125.19.103.198
190.81.107.70
200.169.13.84
210.56.23.100
210.109.108.210
211.44.250.173
219.94.194.138

Blocking hese IPs would be a good idea.

"URGENT: Your pension could be underperforming" SMS Spam

Arriving just minutes apart from this spam and probably related, these SMS spamming scumbags are back with another pitch:

URGENT: Your pension could be underperforming and could leave you with less then you thought on retirement, reply REVIEW for a free review now, STOP to opt out.

The sending number this time was +447895882070 although this will change as numbers get blocked.

If you get one of these, you should forward the spam and the sender's number to your carrier. In the came of T-Mobile, O2 and Orange the number to report to is 7726 ("SPAM"). Vodafone customers should use 87726 ("VSPAM") and Three customers should use 37726 ("3SPAM"). Hopefully the carriers will act if there are enough complaints.

"Records passed to us show you're entitled to a refund.." SMS Spam

These scumbag SMS spammers again:

Records passed to us show you're entitled to a refund approximately £2560 in compensation from mis-selling of PPI on your credit card or loan.Reply INFO or stop

This is pure and simple spam, there are no "records" showing any such thing. In this case the spam came from +447790682898 although spammers often change their numbers.

If you get one of these, you should forward the spam and the sender's number to your carrier. In the came of T-Mobile, O2 and Orange the number to report to is 7726 ("SPAM"). Vodafone customers should use 87726 ("VSPAM") and Three customers should use 37726 ("3SPAM"). Hopefully the carriers will act if there are enough complaints.

goo.gl/C9bsq link leads to malware

A bit of a shift in spammer tactics here:

From:     Mohit Girsh girshmohit1988@yahoo.com
Date:     12 March 2012 11:54
Dubject:     Electronic payments are suspended #08763672
Signed by:     yahoo.com
   
Id 57-8033394-13999809-0-895

< !--ZZ 81490908 C

 hxxp://goo.gl/C9bsq

hxxp://goo.gl/C9bsq redirects to hxxp://2ecdn.barelybowler.ru/ which is multihomed:

31.176.195.196 (BH Telecom, Bosnia)
31.181.92.124 (Rostelecom , Russia)
37.99.67.48 (2DAY Telecom, Kazakhstan)
41.108.45.166 (Algerie Telecom, Algeria)
41.201.113.112 (Unknown network, Algeria)
46.70.226.182 (Armentel, Armenia)
49.145.121.75 (Philippine Long Distance Telephone Company, Philippines)
58.152.217.249 (PCCW, Hong Kong)
77.34.109.74 (Rostelecom , Russia)
77.125.246.251 (012 Smile, Israel)
83.28.56.41 (Neostrada Plus, Poland)
83.31.168.111 (Neostrada Plus, Poland)
85.29.167.135 (2DAY Telecom, Kazakhstan)
89.208.229.196 (Digital Network JSC, Russia)
91.234.24.217 (Evgeniy Kondratyk, Ukraine)
94.41.158.248 (Ufanet, Russia)
94.41.254.115 (Ufanet, Russia)
95.56.208.29 (Kazakhtelecom, Kazakhstan)
114.37.87.205 (Hinet, Taiwan)
119.42.75.15 (CAT Telecom, Thailand)

This redirects to: hxxp://74.91.121.248/showthread.php?t=72d268be707a5fb7

..which is an exploit kit (see this report) hosted by Nuclear Fallout Enterprises in the US (again).

A plain list of IPs in case you want to copy and paste into a blocklist:

31.176.195.196
31.181.92.124
37.99.67.48
41.108.45.166
41.201.113.112
46.70.226.182
49.145.121.75
58.152.217.249
77.34.109.74
77.125.246.251
83.28.56.41
83.31.168.111
85.29.167.135
89.208.229.196
91.234.24.217
94.41.158.248
94.41.254.115
95.56.208.29
114.37.87.205
119.42.75.15
74.91.121.248