From Sophos.. another good reason not to use Facebook.
So, as well as leaking email addresses through a reverse lookup, Facebook also does a reverse lookup for telephone numbers. What could possibly go wrong?
Well, until somebody figures out how to write a script to harvest the phone numbers automatically, that is..
Added: oh look, somebody did it already.
Thursday, 11 October 2012
Wednesday, 10 October 2012
Chase credit card spam / 2.cmisd.org
Another fake Chase credit card spam (like this one), this time leading to malware on 2.cmisd.org:
There are lots of variants, e.g.:
Date: Wed, 10 Oct 2012 12:21:48 -0500
From: "Chase.Alert" [CB22FC0@abbottfire.com]
Subject: Credit card report
This is an Alert to help you manage your credit card account.
As you requested, we are notifying you of any charges over the amount of ($USD) 200.00, as specified in your Alert settings. A charge of ($USD) 236.77 at Amazon Store has been authorized on Wed, 10 Oct 2012 12:21:48 -0500.
Do not reply to this Alert.
If you have questions, please call the number on the back of your credit card, or send a secure message from your Inbox on www.Chase.com/cl/smessage/alert_id=90A4F
To see all of the Alerts available to you, or to manage your Alert settings, please log on to www.Chase.com.
There are lots of variants, e.g.:
As you requested, we are notifying you of any charges over the amount of ($USD) 200.00, as specified in your Alert settings. A charge of ($USD) 566.48 at eStore has been authorized on Wed, 10 Oct 2012 17:28:38 +0100.In this case the malicious payload is at [donotclick]2.cmisd.org/links/assure_numb_engineers.php hosted on 75.98.171.60 (A2 Hosting, US). Blocking access to that IP would probably be wise.
As you requested, we are notifying you of any charges over the amount of ($USD) 200.00, as specified in your Alert settings. A charge of ($USD) 989.65 at Google Store has been authorized on Wed, 10 Oct 2012 11:18:13 -0500.
As you requested, we are notifying you of any charges over the amount of ($USD) 200.00, as specified in your Alert settings. A charge of ($USD) 518.21 at eStore has been authorized on Wed, 10 Oct 2012 08:42:53 -0700.
As you requested, we are notifying you of any charges over the amount of ($USD) 200.00, as specified in your Alert settings. A charge of ($USD) 763.93 at UNKNOWN has been authorized on Wed, 10 Oct 2012 17:42:24 +0200.
LinkedIn spam / viewsonicone.ru
This fake LinkedIn spam leads to malware on viewsonicone.ru:
68.67.42.41 (Fibrenoire Internet, Canada)
178.79.146.49 (Linode, UK)
203.80.16.81 (MYREN, Malaysia)
All these IPs and domains are potentially malicious and should be blocked if you can do it:
68.67.42.41
178.79.146.49
203.80.16.81
rumyniaonline.ru
sonatanamore.ru
onlinebayunator.ru
uzoshkins.ru
limonadiksec.ru
ioponeslal.ru
pionierspokemon.ru
appleonliner.ru
lenindeads.ru
viewsonicone.ru
From: messages-noreply@bounce.linkedin.com [mailto:messages-noreply@bounce.linkedin.com] On Behalf Of LinkedIn ConnectionsThe link goes through some obfuscated javascript (report here) to lead to [donotclick]viewsonicone.ru:8080/forum/links/column.php hosted on the following IPs:
Sent: 10 October 2012 09:46
Subject: Nayeli is now part of your network. Keep connecting...
[redacted]. Congratulations!
You and Nayeli are now connected.
Nayeli Deaton
--
Chad
2012, LinkedIn Corporation
68.67.42.41 (Fibrenoire Internet, Canada)
178.79.146.49 (Linode, UK)
203.80.16.81 (MYREN, Malaysia)
All these IPs and domains are potentially malicious and should be blocked if you can do it:
68.67.42.41
178.79.146.49
203.80.16.81
rumyniaonline.ru
sonatanamore.ru
onlinebayunator.ru
uzoshkins.ru
limonadiksec.ru
ioponeslal.ru
pionierspokemon.ru
appleonliner.ru
lenindeads.ru
viewsonicone.ru
NACHA spam / formexiting.net
This fake NACHA spam leads to malware on formexiting.net:
The malicious payload is on [donotclick]formexiting.net/detects/review_reject_reason.php hosted on 183.81.133.121 (Vodafone, Fiji) which is a well-known malicious IP that you should consider blocking.
From: The Electronic Payments Association [mailto:underlining34@anbid.com.br]
Sent: 10 October 2012 15:59
Subject: Rejected ACH transaction
Importance: High
The ACH transaction (ID: 9536860209937), recently issued from your bank account (by one of your account members), was reversed by the recepient's financial institution.
Canceled request
Transaction ID: 9536860209937
Reason of rejection Review details in the statement below
Transaction Report report_9536860209937.doc (Microsoft Office Word Document)
17390 Seaside Valley Drive, Suite 101
Herndon, VA 20171
2011 NACHA - The Electronic Payments Association
The malicious payload is on [donotclick]formexiting.net/detects/review_reject_reason.php hosted on 183.81.133.121 (Vodafone, Fiji) which is a well-known malicious IP that you should consider blocking.
Chase credit cards spam / 3.azwap.de
This fake Chase spam leads to malware on 3.azwap.de:
The malicious payload is at [donotclick]3.azwap.de/links/assure_numb_engineers.php hosted on 69.194.194.229 (Solar VPS, US)
Another sample email:
Date: Wed, 10 Oct 2012 11:48:49 -0300
From: "Chase.com" [noreply@sprint.com]
Subject: Chase: your credit cars account
This is an Alert to help you manage your credit card account.
As you requested, we are notifying you of any charges over the amount of ($USD) 200.00, as specified in your Alert settings. A charge of ($USD) 233.30 at Apple Store has been authorized on Wed, 10 Oct 2012 11:48:49 -0300.
Do not reply to this Alert.
If you have questions, please call the number on the back of your credit card, or send a secure message from your Inbox on www.Chase.com/secure_m/id=34F4A5C
To see all of the Alerts available to you, or to manage your Alert settings, please log on to www.Chase.com.
The malicious payload is at [donotclick]3.azwap.de/links/assure_numb_engineers.php hosted on 69.194.194.229 (Solar VPS, US)
Another sample email:
This is an Alert to help you manage your credit card account.
As you requested, we are notifying you of any charges over the amount of ($USD) 200.00, as specified in your Alert settings. A charge of ($USD) 669.84 at eStore has been authorized on Wed, 10 Oct 2012 11:31:42 -0400.
Do not reply to this Alert.
If you have questions, please call the number on the back of your credit card, or send a secure message from your Inbox on www.Chase.com/customer_login/u=83669F
To see all of the Alerts available to you, or to manage your Alert settings, please log on to www.Chase.com.
Something evil on 96.44.139.218 / perclickbank.org
There's something evil on 96.44.139.218 (OC3 Networks, US):
perclickbank.org
google-analitlcs.com
google-statistic.com
nailart4designs.com
Malvertising, basically. More details here.
perclickbank.org
google-analitlcs.com
google-statistic.com
nailart4designs.com
Malvertising, basically. More details here.
Labels:
Evil Network,
Malvertising
union-trans.com employment scam
This fake job offer is for a "forwarding agent". What is a forwarding agent? Well, basically it's a parcel reshipping scam where goods bought with stolen credit cards are sent to the "agent's" home address, and then the "agent" forwards to stolen goods on to Eastern Europe or China or whatever. Of course, when the police catch on it's the "agent" who is in deep, deep trouble.
union-trans.com is hosted on 180.178.32.238 (Simcentric, Hong Kong). The WHOIS details are:
Admin Name........... huang yijiang
Admin Address........ Ningbo
Admin Address........
Admin Address........ Ningbo
Admin Address........ 200000
Admin Address........ ZJ
Admin Address........ CN
Admin Email.......... sunpt@qq.com
Admin Phone.......... +86.13957424347
Admin Fax............ +86.13957424347
un-trans.info is parked on 68.178.232.100, and is registered to another owner:
Registrant ID:CR117221338
Registrant Name:yijiang huang
Registrant Organization:
Registrant Street1:baizhangdongli 168
Registrant Street2:
Registrant Street3:
Registrant City:ningbo
Registrant State/Province:zhejiang
Registrant Postal Code:315100
Registrant Country:CN
Registrant Phone:+86.057481088611
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Registrant Email:hyjbbs@163.com
union-trans.com.cn seems to be just a mail handler:
Domain Name: union-trans.com.cn
ROID: 20120401s10011s18721153-cn
Domain Status: ok
Registrant ID: ctr4rtfs2aq58an
Registrant: 宁波瀚联国际货运代理有限公司
Registrant Contact Email: hyjbbs@163.com
Sponsoring Registrar: 北京新网互联科技有限公司
Name Server: ns1.dns.com.cn
Name Server: ns2.dns.com.cn
Registration Date: 2012-04-01 12:05:06
Expiration Date: 2019-04-01 12:05:06
DNSSEC: unsigned
uni-transglobal.info is an intermediary mail system using an expired domain name:
Registrant ID:CR75845753
Registrant Name:yijiang huang
Registrant Organization:
Registrant Street1:baizhangdongli 168
Registrant Street2:
Registrant Street3:
Registrant City:ningbo
Registrant State/Province:zhejiang
Registrant Postal Code:315100
Registrant Country:CN
Registrant Phone:+57.481088611
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Registrant Email:hyjbbs@163.com
Originating IP is 183.134.113.165 (Zhejiang Telecom, Ningbo, China).
The subscribe/unsubscribe links in the email also reference these addresses: hyjbbs@gmail.com
and cncxrdy001@gmail.com
Generally speaking, unsolicited job offers from out-of-the-way places are bad news and should be avoided..
From: alex Ford@un-trans.infoThere appear to be several scam domains in this same email.
Reply-To: alex@union-trans.com.cn
Date: 8 October 2012 14:46
Subject: forwarder agent 2012-10-10 15:02:33
Hello,
It is glad to write to you with keen hope to open a business relationship with you.
union-trans (china) International Freight Co,. Ltd is always provide the best service and good price for Import and Export both of ocean and air freight.
These services include: FCL Import and Export, LCL Consolidation, Break-Bulk; Air Freight Import and Export, Sea-Land Transportation; as well as arranging booking, clearance, inspection,loading and evanning, storage, consultation, insurance, etc, forwarding supported services.Our business has extended all over the globe, including in Middle East, Red Sea, India, Europe, and East, Africa, Central and South America, Australia and Southeast Asia etc.
For more information,Please review to our website as below:
http://www.union-trans.com
We are looking forwarder to you reply!
Best regards
union-trans (china) International Freight Co,. Ltd
addr:Room 18B-2,East China Sea Dawn Building,Zhongshan Road 455, Ningbo Jiangdong area,Ningbo,China
directort manager:Alex Huang
Tel:+86-0574-89086653
Fax:+86-0574-89086659
Mbl:+86-0-13957424347 +86-0-15306636688
SKYPE:alex_huang58
Msn:alex_huang58@hotmail.com Email:alex@union-trans.com.cn
union-trans.com is hosted on 180.178.32.238 (Simcentric, Hong Kong). The WHOIS details are:
Admin Name........... huang yijiang
Admin Address........ Ningbo
Admin Address........
Admin Address........ Ningbo
Admin Address........ 200000
Admin Address........ ZJ
Admin Address........ CN
Admin Email.......... sunpt@qq.com
Admin Phone.......... +86.13957424347
Admin Fax............ +86.13957424347
un-trans.info is parked on 68.178.232.100, and is registered to another owner:
Registrant ID:CR117221338
Registrant Name:yijiang huang
Registrant Organization:
Registrant Street1:baizhangdongli 168
Registrant Street2:
Registrant Street3:
Registrant City:ningbo
Registrant State/Province:zhejiang
Registrant Postal Code:315100
Registrant Country:CN
Registrant Phone:+86.057481088611
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Registrant Email:hyjbbs@163.com
union-trans.com.cn seems to be just a mail handler:
Domain Name: union-trans.com.cn
ROID: 20120401s10011s18721153-cn
Domain Status: ok
Registrant ID: ctr4rtfs2aq58an
Registrant: 宁波瀚联国际货运代理有限公司
Registrant Contact Email: hyjbbs@163.com
Sponsoring Registrar: 北京新网互联科技有限公司
Name Server: ns1.dns.com.cn
Name Server: ns2.dns.com.cn
Registration Date: 2012-04-01 12:05:06
Expiration Date: 2019-04-01 12:05:06
DNSSEC: unsigned
uni-transglobal.info is an intermediary mail system using an expired domain name:
Registrant ID:CR75845753
Registrant Name:yijiang huang
Registrant Organization:
Registrant Street1:baizhangdongli 168
Registrant Street2:
Registrant Street3:
Registrant City:ningbo
Registrant State/Province:zhejiang
Registrant Postal Code:315100
Registrant Country:CN
Registrant Phone:+57.481088611
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Registrant Email:hyjbbs@163.com
Originating IP is 183.134.113.165 (Zhejiang Telecom, Ningbo, China).
The subscribe/unsubscribe links in the email also reference these addresses: hyjbbs@gmail.com
and cncxrdy001@gmail.com
Generally speaking, unsolicited job offers from out-of-the-way places are bad news and should be avoided..
Labels:
China,
Job Offer Scams
Tuesday, 9 October 2012
Sprint spam / 1.starkresidential.net
This fake Sprint spam leads to malware on 1.starkresidential.net:
The malicious payload is at [donotclick]1.starkresidential.net/links/assure_numb_engineers.php hosted on 74.207.233.58 (Linode, US).
The following malicious sites are also on the same server:
25.allservicemovingandstorage.com
1.browncastro.com
1.browncastro.net
In all cases, these appear to be malicious subdomains of legitimate hacked domains. If you can, you should block traffic to 74.207.233.58 to stop other malicious sites on the same server from being a problem.
Date: Tue, 09 Oct 2012 22:30:56 +0300
From: "Sprint" [87A816934@uacvt.org.au]
Subject: Your Sprint bill online
Please do not reply to this email. Not seeing the images? View online or go mobile.
Bill Period: September 10 - October 9, 2012
Total Due by October 9 $5207
Note: All online payments are made in a secure environment.
SPRINT NEWS AND NOTICES
This section contains important updates about your Sprint Services, Including Service or Rate Changes, Promotions and Offers.
NEXTEL PRODUCTS: IMPORTANT MESSAGE
Due to the Nextel National Network shutdown on 6/30/13, any Nextel devices sold after 6/1/12 are intended to support existing customers' migration efforts and no minimum Order Terms will apply.
© 2012 Sprint. All rights reserved.
The malicious payload is at [donotclick]1.starkresidential.net/links/assure_numb_engineers.php hosted on 74.207.233.58 (Linode, US).
The following malicious sites are also on the same server:
25.allservicemovingandstorage.com
1.browncastro.com
1.browncastro.net
In all cases, these appear to be malicious subdomains of legitimate hacked domains. If you can, you should block traffic to 74.207.233.58 to stop other malicious sites on the same server from being a problem.
"Biweekly payroll" spam / editdvsyourself.net
This fake payroll spam leads to malware on editdvsyourself.net:
The following malicious domains are also associated with this IP:
acmrmn.com
addsmozy.net
art-london.net
buzziskin.net
canhmn.com
casbnm.com
editdvsyourself.net
officerscouldexecute.org
stafffire.net
strangernaturallanguage.net
simplerkwiks.net
From: Run Do Not Reply [mailto:jutland@bmacapital.com]The malicious payload is on [donotclick]editdvsyourself.net/detects/beeweek_status-check.php, hosted on the familiar IP address of 183.81.133.121 (Vodafone, Fiji).
Sent: 09 October 2012 15:10
Subject: Your Biweekly payroll is accepted
Your Biweekly payroll for check date 10/09/2012 is ready to go. Your payroll will be issued at least Two days prior to your check date to ensure timely tax deposits and delivery. If you offer direct deposit to your employees, this would also support pay down their money right at the necessary date.
Client ID: XXXXXXX1
Other details: Click here to Review
Important: Please be advised that calls to and from your payroll service team may be monitored or recorded.
Please don't reply to this message. automative notification system not configured to accept incoming email.
The following malicious domains are also associated with this IP:
acmrmn.com
addsmozy.net
art-london.net
buzziskin.net
canhmn.com
casbnm.com
editdvsyourself.net
officerscouldexecute.org
stafffire.net
strangernaturallanguage.net
simplerkwiks.net
Sunday, 7 October 2012
Something evil on 5.9.188.54
Here's a nasty bunch of sites being used in injection attacks, all hosted on 5.9.188.54:
nfexfkloawuqlaahsyqrxo.qlvyeviexqzrukyo.waw.pl
nqvzrpyoossmr.qlvyeviexqzrukyo.waw.pl
xfynhovgofzsqueuuprplvv.qlvyeviexqzrukyo.waw.pl
lgrfuqfwz.qlvyeviexqzrukyo.waw.pl
zlqfrypzqyubsedrzugeaf.urblvhnfxzrozzlz.waw.pl
qxggipnnfmnihkic.ru
mvuvchtcxxibeubd.ru
5.9.188.54 is a Hetzner IP address (no surprise there) suballocated to:
inetnum: 5.9.188.32 - 5.9.188.63
netname: LLC-CYBERTECH
descr: LLC "CyberTech"
country: DE
admin-c: AG6373-RIPE
tech-c: AG6373-RIPE
status: ASSIGNED PA
mnt-by: HOS-GUN
source: RIPE # Filtered
person: Alexey Galaev
address: LLC "CyberTech"
address: Grizodubova street 4 , build.2
address: 125252 Moscow
address: RUSSIAN FEDERATION
phone: +660812703752
nic-hdl: AG6373-RIPE
remarks: -------------------------
remarks: Vpsville.ru working 24x7
remarks: -------------------------
remarks: For abuse use admin@vpsville.ru
abuse-mailbox: admin@vpsville.ru
mnt-by: HOS-GUN
source: RIPE # Filtered
You might want to block the whole 5.9.188.32/27 range.. you should certainly block 5.9.188.54 if you can.
nfexfkloawuqlaahsyqrxo.qlvyeviexqzrukyo.waw.pl
nqvzrpyoossmr.qlvyeviexqzrukyo.waw.pl
xfynhovgofzsqueuuprplvv.qlvyeviexqzrukyo.waw.pl
lgrfuqfwz.qlvyeviexqzrukyo.waw.pl
zlqfrypzqyubsedrzugeaf.urblvhnfxzrozzlz.waw.pl
qxggipnnfmnihkic.ru
mvuvchtcxxibeubd.ru
5.9.188.54 is a Hetzner IP address (no surprise there) suballocated to:
inetnum: 5.9.188.32 - 5.9.188.63
netname: LLC-CYBERTECH
descr: LLC "CyberTech"
country: DE
admin-c: AG6373-RIPE
tech-c: AG6373-RIPE
status: ASSIGNED PA
mnt-by: HOS-GUN
source: RIPE # Filtered
person: Alexey Galaev
address: LLC "CyberTech"
address: Grizodubova street 4 , build.2
address: 125252 Moscow
address: RUSSIAN FEDERATION
phone: +660812703752
nic-hdl: AG6373-RIPE
remarks: -------------------------
remarks: Vpsville.ru working 24x7
remarks: -------------------------
remarks: For abuse use admin@vpsville.ru
abuse-mailbox: admin@vpsville.ru
mnt-by: HOS-GUN
source: RIPE # Filtered
You might want to block the whole 5.9.188.32/27 range.. you should certainly block 5.9.188.54 if you can.
Labels:
Hetzner,
Injection Attacks,
Malware,
Russia
Friday, 5 October 2012
"Intuit GoPayment" spam / simplerkwiks.net
This fake "Intuit GoPayment" spam leads to malware on simplerkwiks.net:
The malicious payload is at [donotclick]simplerkwiks.net/detects/congrats_verify-access.php hosted on 183.81.133.121 (Vodafone, Fiji) along with these other suspect domains:
addsmozy.net
officerscouldexecute.org
simplerkwiks.net
strangernaturallanguage.net
buzziskin.net
art-london.net
Date: Fri, 5 Oct 2012 15:54:26 +0100
From: "Intuit GoPayment" [abstractestknos65@pacunion.com]
Subject: Welcome - you're been granted access for Intuit GoPayment Merchant
.
Greetings & Congrats!
Your GoPayment? statement for WALLET , DEVELOPMENTS has been issued.
Intuit Payment
Account No.: XXXXXXXXXXXXXX16
Email Address: [redacted]
NOTE :
Additional charges for this service may now apply.
Next step: Confirm your User ID
This is Very Important lets you:
Manage your payment service in the Merchant Center
Review charges
Log In to other Intuit products you may use, like TurboTax, Quicken, and Intuit Payroll
The good news is you have active an existing Intuit account for your email address, You can use this ID for your payment service also, or enter a new one.
Verify UserID
Get started:
Step 1: If you have not still, download the Intuit application.
Step 2: Run the GoPayment app and sign in with the UserID (your email address) and Password you setup.
Easy Manage Your GoPayment System
The Intuit GoPayment Merchant Service Center is the website where you can learn a lot about GoPayment features, customize your sales receipt and add GoPayment users. You can also manage transactions, deposits and fees. Visit link and signin with your GoPayment Access ID (your email address) and Password.
For more information on how to get started using Intuit Merchant, including tutorials, FAQs and other resources, visit the Service Center at web site.
Please do not reply to this message. automative notification system not configured to accept incoming email.
System Terms & Agreements � 2012 Intuit, Inc. All rights reserved.
The malicious payload is at [donotclick]simplerkwiks.net/detects/congrats_verify-access.php hosted on 183.81.133.121 (Vodafone, Fiji) along with these other suspect domains:
addsmozy.net
officerscouldexecute.org
simplerkwiks.net
strangernaturallanguage.net
buzziskin.net
art-london.net
UPS Spam / minus.preciseenginewarehouse.com
This fake UPS spam leads to malware on minus.preciseenginewarehouse.com:
minus.preciseenginewarehouse.com
minus.dirttrackwarehouse.com
minus.sprintwarehouse.com
two.scott-j.com
one.touveron.com
two.accent-bldrs.com
To be precise, the subdomains seem malicious, the domains themselves appear to be legitimate ones where the domain account has been hacked. Blocking 174.140.165.112 would be prudent.
From: "UPSBillingCenter" [512A03797@songburi.com]The malicious payload is at [donotclick]minus.preciseenginewarehouse.com/links/assure_numb_engineers.php hosted on 174.140.165.112 (DirectSpace Networks, US) which also houses the following suspect domains:
Subject: Your UPS Invoice is Ready
This is an automatically generated email. Please do not reply to this email address.
Dear UPS Customer,
New invoice(s) are available for the consolidated payment plan(s) / account(s) enrolled in the UPS Billing Center
Please visit the UPS Billing Center to view and pay your invoice.
Discover more about UPS:
Visit ups.com
Explore UPS Freight Services
Learn About UPS Companies
Sign Up For Additional Email From UPS
Read Compass Online
(c) 2012 United Parcel Service of America, Inc. UPS, the UPS brandmark, and the color brown are trademarks of United Parcel Service of America, Inc. All rights reserved.
For more information on UPS's privacy practices, refer to the UPS Privacy Policy.
Please do not reply directly to this e-mail. UPS will not receive any reply message.
For questions or comments, visit Contact UPS.
This communication contains proprietary information and may be confidential. If you are not the intended recipient, the reading, copying, disclosure or other use of the contents of this e-mail is strictly prohibited and you are instructed to please delete this e-mail immediately.
Privacy Policy
Contact UPS
minus.preciseenginewarehouse.com
minus.dirttrackwarehouse.com
minus.sprintwarehouse.com
two.scott-j.com
one.touveron.com
two.accent-bldrs.com
To be precise, the subdomains seem malicious, the domains themselves appear to be legitimate ones where the domain account has been hacked. Blocking 174.140.165.112 would be prudent.
Thursday, 4 October 2012
"Corporate eFax message" spam / 184.164.136.147
These fake fax messages lead to malware on 184.164.136.147:
The malicious payload is at [donotclick]184.164.136.147/links/assure_numb_engineers.php which is an IP address belonging to Secured Servers LLC in the US and suballocated to:
autharea=184.164.128.0/19
xautharea=184.164.128.0/19
network:Class-Name:network
network:Auth-Area:184.164.128.0/19
network:ID:NET-11719.184.164.136.128/27
network:Network-Name:Public
network:IP-Network:184.164.136.128/27
network:IP-Network-Block:184.164.136.128 - 184.164.136.159
network:Org-Name:Jolly Works Hosting
network:Street-Address:Unit 3C No. 831 SAM Building, Dagupan Road
network:City:Manilla
network:State:NCR
network:Postal-Code:1013
network:Country-Code:PH
network:Tech-Contact:MAINT-11719.184.164.136.128/27
network:Created:20110811175617000
network:Updated:20110811175617000
network:Updated-By:dnsadmin@securedservers.com
contact:POC-Name:Nevin Poly
contact:POC-Email:supportsages@gmail.com
contact:POC-Phone:
contact:Tech-Name:DNS Administrator
contact:Tech-Email:dnsadmin@securedservers.com
contact:Tech-Phone:(480) 422-2023
contact:Abuse-Name:Abuse
contact:Abuse-Email:abuse@securedservers.com
contact:Abuse-Phone:+1-480-422-2022 (Office)
It might be worth blocking 184.164.136.128/27 to be on the safe side.
Date: Thu, 04 Oct 2012 19:00:16 +0200
From: "eFax.Alert" [E988D6C@vida.org.pt]
Subject: Corporate eFax message - 09 pages
Fax Message [Caller-ID: 341-498-5688]
You have received a 09 pages fax at Thu, 04 Oct 2012 19:00:16 +0200.
* The reference number for this fax is min1_20121004190016.8673161.
View this fax using your PDF reader.
Click here to view this message
Please visit www.eFax.com/en/efax/twa/page/help if you have any questions regarding this message or your service.
Thank you for using the eFax service!
Home | Contact | Login
� 2011 j2 Global Communications, Inc. All rights reserved.
eFax� is a registered trademark of j2 Global Communications, Inc.
This account is subject to the terms listed in the eFax� Customer Agreement.
The malicious payload is at [donotclick]184.164.136.147/links/assure_numb_engineers.php which is an IP address belonging to Secured Servers LLC in the US and suballocated to:
autharea=184.164.128.0/19
xautharea=184.164.128.0/19
network:Class-Name:network
network:Auth-Area:184.164.128.0/19
network:ID:NET-11719.184.164.136.128/27
network:Network-Name:Public
network:IP-Network:184.164.136.128/27
network:IP-Network-Block:184.164.136.128 - 184.164.136.159
network:Org-Name:Jolly Works Hosting
network:Street-Address:Unit 3C No. 831 SAM Building, Dagupan Road
network:City:Manilla
network:State:NCR
network:Postal-Code:1013
network:Country-Code:PH
network:Tech-Contact:MAINT-11719.184.164.136.128/27
network:Created:20110811175617000
network:Updated:20110811175617000
network:Updated-By:dnsadmin@securedservers.com
contact:POC-Name:Nevin Poly
contact:POC-Email:supportsages@gmail.com
contact:POC-Phone:
contact:Tech-Name:DNS Administrator
contact:Tech-Email:dnsadmin@securedservers.com
contact:Tech-Phone:(480) 422-2023
contact:Abuse-Name:Abuse
contact:Abuse-Email:abuse@securedservers.com
contact:Abuse-Phone:+1-480-422-2022 (Office)
It might be worth blocking 184.164.136.128/27 to be on the safe side.
Labels:
eFax,
Jolly Works Hosting,
Malware,
Spam,
Viruses
Verizon Wireless spam / strangernaturallanguage.net
This fake Verizon wireless spam leads to malware on strangernaturallanguage.net:
The malicious payload is at [donotclick]strangernaturallanguage.net/detects/notification-status_login.php hosted on 183.81.133.121 (Vodafone, Fiji).
The following domains are hosted on that IP and should be regarded as being suspect:
strangernaturallanguage.net
buzziskin.net
art-london.net
addsmozy.net
From: AccountNotify whitheringj@spcollege.edu
Date: 4 October 2012 18:52
Subject: Recent Notification in My Verizon
SIGNIFICANT ACCOUNT NOTIFICATION FROM VERIZON WIRELESS.
Your informational letter is available.
Your account # ending: XXX8 XXXX4
Our Valued Client
For your accommodation, your confirmation message can be found in the Account Documentation desk of My Verizon.
Please check your acknowledgment letter for all the information relating to your new transaction.
View Approval Message
In addition, in My Verizon you will find links to info about your device & services that may be helpfull if you looking for answers.
Thank you for joining us .
My Verizon is also accessible 24 hours 7 days a week to assist you with:
Usage details
Updating your tariff
Add Account Users
Pay your invoice
And much, much more...
© 2012 Verizon Wireless
Verizon Wireless | One Verizon Way | Mail Code: 523WSE | Basking Ridge, MA 55584
We respect your privacy. Please review our privacy policy for more details
The malicious payload is at [donotclick]strangernaturallanguage.net/detects/notification-status_login.php hosted on 183.81.133.121 (Vodafone, Fiji).
The following domains are hosted on that IP and should be regarded as being suspect:
strangernaturallanguage.net
buzziskin.net
art-london.net
addsmozy.net
Wednesday, 3 October 2012
PayPal spam / lenindeads.ru
Date: Wed, 3 Oct 2012 09:41:01 -0500The malicious payload is at [donotclick]lenindeads.ru:8080/forum/links/column.php hosted on:
From: "service@paypal.com" [service@paypal.com]
To: [redacted]
Subject: Welcome to PayPal - Choose your way to pay
Welcome
Hello postinialerts,
Thanks for paying with PayPal.
We congratulate you with your first Paypal money transfer. But we have hold it for the moment because the amount is over the security borders of our rules.
Here is what we have on file for you. Take a second to confirm we have your correct information.
[redacted]
Confirmation Code
2188-9944-1312-3905-5127
Transfer Information
Amount: 31549.96 $
Reciever: Merrill Prather
E-mail: Rogers40144@[redacted]
Accept Decline
Help Center | Security Center
Please don't reply to this email. It'll just confuse the computer that sent it and you won't get a response.
Copyright � 2012 PayPal, Inc. All rights reserved. PayPal is located at 2211 N. First St., San Jose, CA 95131.
PayPal Email ID PP1529
==========
Date: Wed, 3 Oct 2012 01:04:29 +0300
From: "service@paypal.com" [service@paypal.com]
To: [redacted]
Subject: Welcome to PayPal - Choose your way to pay
Welcome
Hello [redacted],
Thanks for paying with PayPal.
We congratulate you with your first Paypal money transfer. But we have hold it for the moment because the amount is over the security borders of our rules.
Here is what we have on file for you. Take a second to confirm we have your correct information.
[redacted]
Confirmation Code
5554-8629-5683-9807-4239
Transfer Information
Amount: 38567.21 $
Reciever: Anabel Cordero
E-mail: Travis68451@[redacted]
Accept Decline
Help Center | Security Center
Please don't reply to this email. It'll just confuse the computer that sent it and you won't get a response.
Copyright � 2012 PayPal, Inc. All rights reserved. PayPal is located at 2211 N. First St., San Jose, CA 95131.
PayPal Email ID PP7370
202.3.245.13 (MANA, Tahiti)
203.80.16.81 (MYREN, Malaysia)
213.251.162.65 (OVH, France)
The following domains and IPs are all related:
202.3.245.13
203.80.16.81
213.251.162.65
limonadiksec.ru
rumyniaonline.ru
sonatanamore.ru
ioponeslal.ru
onlinebayunator.ru
uzoshkins.ru
moskowpulkavo.ru
omahabeachs.ru
sectantes-x.ru
Added:
pionierspokemon.ru
appleonliner.ru
"Corporate eFax message" spam / 69.194.194.222
This fake fax spam leads to malware on 69.194.194.222:
The malicious payload is at [donotclick]69.194.194.222/links/assure_numb_engineers.php (Solar VPS, US). Blocking this IP address may be wise as they tend to be used in more than one campaign.
Date: Wed, 03 Oct 2012 15:00:43 +0200
From: "eFax" [4FBED27@fashioninsomniacs.com]
Subject: Corporate eFax message - 8 pages
Fax Message [Caller-ID: 368-848-8852]
You have received a 8 pages fax at Wed, 03 Oct 2012 15:00:43 +0200.
* The reference number for this fax is min1_20121003150043.438820.
View this fax using your PDF reader.
Click here to view this message
Please visit www.eFax.com/en/efax/twa/page/help if you have any questions regarding this message or your service.
Thank you for using the eFax service!
Home | Contact | Login
� 2011 j2 Global Communications, Inc. All rights reserved.
eFax� is a registered trademark of j2 Global Communications, Inc.
This account is subject to the terms listed in the eFax� Customer Agreement.
==========
Date: Wed, 03 Oct 2012 17:12:57 +0530
From: "eFax.Corporate" [2FEDD7BC@kelprint.fr]
Subject: Corporate eFax message - 1 pages
Fax Message [Caller-ID: 033-717-5099]
You have received a 1 pages fax at Wed, 03 Oct 2012 17:12:57 +0530.
* The reference number for this fax is min1_20121003171257.5227.
View this fax using your PDF reader.
Click here to view this message
Please visit www.eFax.com/en/efax/twa/page/help if you have any questions regarding this message or your service.
Thank you for using the eFax service!
Home | Contact | Login
� 2011 j2 Global Communications, Inc. All rights reserved.
eFax� is a registered trademark of j2 Global Communications, Inc.
This account is subject to the terms listed in the eFax� Customer Agreement.
==========
Date: Wed, 03 Oct 2012 07:25:36 -0400
From: "eFax" [965F7212@dyer.com.hk]
Subject: Corporate eFax message - 7 pages
Fax Message [Caller-ID: 300-811-6555]
You have received a 7 pages fax at Wed, 03 Oct 2012 07:25:36 -0400.
* The reference number for this fax is min1_20121003072536.6902337.
View this fax using your PDF reader.
Click here to view this message
Please visit www.eFax.com/en/efax/twa/page/help if you have any questions regarding this message or your service.
Thank you for using the eFax service!
Home | Contact | Login
� 2011 j2 Global Communications, Inc. All rights reserved.
eFax� is a registered trademark of j2 Global Communications, Inc.
This account is subject to the terms listed in the eFax� Customer Agreement.
The malicious payload is at [donotclick]69.194.194.222/links/assure_numb_engineers.php (Solar VPS, US). Blocking this IP address may be wise as they tend to be used in more than one campaign.
Malware sites to block 3/10/12
Suspect URLs:
[donotclick]e-protections.cc/ping.html
[donotclick]e-statistic.cc/ping.html
[donotclick]e-statistic.su/ping.html
[donotclick]estats.su/ping.html
[donotclick]store-main.su/ping.html
[donotclick]sysmain.cc/ping.html
[donotclick]e-protections.cc/ping.html
[donotclick]e-statistic.cc/ping.html
[donotclick]e-statistic.su/ping.html
[donotclick]estats.su/ping.html
[donotclick]store-main.su/ping.html
[donotclick]sysmain.cc/files/hidden7770777.jpg
[donotclick]sysmain.cc/ping.html
Hosts involved:
23.29.119.138 (Incero LLC, US)
69.85.86.159 (Hostigation, US)
94.102.55.20 (Ecatel, Netherlands)
173.236.53.54 (Singlehop / Nexeon Technologies, US)
Plain list for copy and pasting:
e-protections.cc
e-statistic.cc
e-statistic.su
estats.su
first-service.cc
some-service.com
somesystems.cc
store-main.su
sysmain.cc
www-protection.su
23.29.119.138
69.85.86.159
94.102.55.20
173.236.53.54
References: McAfee and Sophos.
Something evil on 66.45.251.224/29 and 199.71.233.226
The IP address 199.71.233.226 (Netrouting, US) and the range 66.45.251.224/29 (Interserver, US) are currently being used to distribute malware through advertising. Of these the 66.45.251.224/29 has been suballocated to an anonymous person, which I didn't even know was permitted:
network:Class-Name:network
network:ID:NETBLK-INTSRV.66.45.224.0/19
network:Auth-Area:66.45.224.0/19
network:Network-Name:INTSRV-66.45.251.224
network:IP-Network:66.45.251.224/29
network:Org-Name:Private Customer
network:Street-Address:Private Residence
network:City:Moscow
network:State:77
network:Postal-Code:119192
network:Country-Code:US
network:Created:20120701
network:Updated:20120816
network:Updated-By:abuse@interserver.net
The domains listed below are on those IP addresses, all appear to be disributing malware (see example) and they seem to have fake or anonymous WHOIS details. Blocking traffic to 66.45.251.224/29 (66.45.251.224 - 66.45.251.231) and 199.71.233.226 should be effective in countering this threat.
Update: 95.211.193.36 (Leaseweb, Netherlands) and 77.95.230.77 (Snel Internet Services, Netherlands) may also be distributing malware in connection with this (report here).
Update 2: Another IP in this cluster is 96.44.139.218 (OC3 networks, US), running malicious ads using the domain perclickbank.org (scroll down for more information)
1sedobazole.info
acpacompany.info
acpvcompany.info
adp.marketsamples.info
alladulttest.info
alttubesite.info
appvcompany.info
artsellernet.com
blabeladstarget.info
boldcpaportal.info
boldcpvportal.info
boldpopportal.info
boldppvportal.info
coldcpvportal.info
coldppvportal.info
cpaintermediary.info
cpamarketer.biz
cpappvportel.info
cpvtoolswork.info
cpvtoolwork.info
domycpa.info
domycpv.info
domyppv.info
ecpamarkets.info
ecpmmarkets.info
ecpvmarkets.info
egoodsstore.info
egoodystore.info
eppvmarkets.info
forcpamarkets.info
forcpmmarkets.info
frankinews.info
goladero.info
higeaisedo.in
hinsmart.ca
joyforcpa.info
joyforcpm.info
joyforcpv.info
joyforppv.info
juniorcpa.info
juniorcpm.info
juniorcpv.info
juniorppv.info
kabitopa.info
lowcost4hosting.info
marketsamples.info
marketsamplestore.info
nameurneeds.com
ppvadulttools.info
ppvcpaportal.info
ppvcpatools.info
ppvdatetools.info
ppvsystemgate.info
ppvsystemgateway.info
ppvsystemleadaway.info
ppvsystemnet.info
ppvsystemnetwork.info
ppvsystempointer.info
ppvsystemportal.info
ppvworktools.info
prolixppv.info
raberolasi.info
renaissancestylingstudio.com
rencai.com.ar
theforgottentruth1937.com
toolsforppv.info
Added: 6/10/12
adp.joyforppv.info
giantppv.info
giantcpa.info
Added: 10/10/12
highloadcpa.info
highloadppa.info
entry.highloadppa.info
giantppa.info
highloadpop.info
highloadcpv.info
highloadppv.info
Also, on 96.44.139.218:
perclickbank.org
google-analitlcs.com
google-statistic.com
nailart4designs.com
network:Class-Name:network
network:ID:NETBLK-INTSRV.66.45.224.0/19
network:Auth-Area:66.45.224.0/19
network:Network-Name:INTSRV-66.45.251.224
network:IP-Network:66.45.251.224/29
network:Org-Name:Private Customer
network:Street-Address:Private Residence
network:City:Moscow
network:State:77
network:Postal-Code:119192
network:Country-Code:US
network:Created:20120701
network:Updated:20120816
network:Updated-By:abuse@interserver.net
The domains listed below are on those IP addresses, all appear to be disributing malware (see example) and they seem to have fake or anonymous WHOIS details. Blocking traffic to 66.45.251.224/29 (66.45.251.224 - 66.45.251.231) and 199.71.233.226 should be effective in countering this threat.
Update: 95.211.193.36 (Leaseweb, Netherlands) and 77.95.230.77 (Snel Internet Services, Netherlands) may also be distributing malware in connection with this (report here).
Update 2: Another IP in this cluster is 96.44.139.218 (OC3 networks, US), running malicious ads using the domain perclickbank.org (scroll down for more information)
1sedobazole.info
acpacompany.info
acpvcompany.info
adp.marketsamples.info
alladulttest.info
alttubesite.info
appvcompany.info
artsellernet.com
blabeladstarget.info
boldcpaportal.info
boldcpvportal.info
boldpopportal.info
boldppvportal.info
coldcpvportal.info
coldppvportal.info
cpaintermediary.info
cpamarketer.biz
cpappvportel.info
cpvtoolswork.info
cpvtoolwork.info
domycpa.info
domycpv.info
domyppv.info
ecpamarkets.info
ecpmmarkets.info
ecpvmarkets.info
egoodsstore.info
egoodystore.info
eppvmarkets.info
forcpamarkets.info
forcpmmarkets.info
frankinews.info
goladero.info
higeaisedo.in
hinsmart.ca
joyforcpa.info
joyforcpm.info
joyforcpv.info
joyforppv.info
juniorcpa.info
juniorcpm.info
juniorcpv.info
juniorppv.info
kabitopa.info
lowcost4hosting.info
marketsamples.info
marketsamplestore.info
nameurneeds.com
ppvadulttools.info
ppvcpaportal.info
ppvcpatools.info
ppvdatetools.info
ppvsystemgate.info
ppvsystemgateway.info
ppvsystemleadaway.info
ppvsystemnet.info
ppvsystemnetwork.info
ppvsystempointer.info
ppvsystemportal.info
ppvworktools.info
prolixppv.info
raberolasi.info
renaissancestylingstudio.com
rencai.com.ar
theforgottentruth1937.com
toolsforppv.info
Added: 6/10/12
adp.joyforppv.info
giantppv.info
giantcpa.info
Added: 10/10/12
highloadcpa.info
highloadppa.info
entry.highloadppa.info
giantppa.info
highloadpop.info
highloadcpv.info
highloadppv.info
Also, on 96.44.139.218:
perclickbank.org
google-analitlcs.com
google-statistic.com
nailart4designs.com
Labels:
Evil Network,
Malvertising,
Malware,
Viruses
Tuesday, 2 October 2012
Friendster spam / sonatanamore.ru
Date: Tue, 2 Oct 2012 05:39:54 -0500
From: Friendster Games [friendstergames@friendster.com]
Subject: Regarding your Friendster password
Thank you for joining Friendster! Your system generated password is 0JR8YXB1YR. You may change your password in your Account Settings Page.
Friendster is the social gaming destination of choice. Connect and play with your friends & share your progress with your network.
Copyright � 2002 - 2012 Friendster, Inc. All rights reserved. Visit our site. - Terms of Service
To manage your notification preferences, go here
To stop receiving emails from us, you can unsubscribe here
The malicious payload is at [donotclick]sonatanamore.ru:8080/forum/links/column.php hosted on:
70.38.31.71 (iWeb, Canada)
202.3.245.13 (MANA, Tahiti)
203.80.16.81 (Myren, Malaysia)
Plain list of IPs and domains on those IPs for copy-and-pasting.
70.38.31.71
202.3.245.13
203.80.16.81
limonadiksec.ru
rumyniaonline.ru
denegnashete.ru
dimabilanch.ru
ioponeslal.ru
moskowpulkavo.ru
onlinebayunator.ru
omahabeachs.ru
uzoshkins.ru
sectantes-x.ru
sonatanamore.ru
Labels:
Friendster,
Malware,
RU:8080,
Spam,
Viruses
Monday, 1 October 2012
Intuit Shipment spam / art-london.net
This terminally confused Intuit / USPS / Amazon-style spam leads to malware at art-london.net:
Date: Mon, 1 Oct 2012 21:31:57 +0430The malicious payload is at [donotclick]art-london.net/detects/stones-instruction_think.php hosted on 195.198.124.60 (Skand Meteorologi och Miljoinstr AB, Sweden), a site which also hosts the presumably malicious domains buzziskin.net and indice-acores.net. Presumably this IP is a hacked server belonging to some legitimate Swedish organisation, but you should block it nonetheless.
From: "Intuit Customer Service" [battingiy760@clickz.com]
To: [redacted]
Subject: Intuit Shipment Confirmation
Dear [redacted],
Great News! Your order, ID859560, was shipped today (see info below) and will complete shortly. We hope that you will find that it exceeds your expectations. If you ordered not one products, we may send them in separate boxes (at no additional cost to you) to ensure the fastest possible delivery. We will also provide you with the ability to track your shipments via the information below.
Thank you for your interest.
ORDER DETAILS
Order #: ID859560
Order Date: Sep 25, 2012
Item(s) In Your Order
Shipping Date: October, 1 2012
Shipping Method: USPS Express Mail
Estimated Delivery Date: October, 3 2012 - October 05, 2012
Tracking No.: 5182072894288348304217
Quantity Item
1 Intuit Card Reader Device - Gray
Please be informed that shipping status details may be not available yet online. Check the Website Status link above for details update.
Shipment Information:
We sent your item(s) to the next address:
065 S Paolo Ave, App. 5A
S Maria, FL
Email: [redacted]
Questions about your order? Please visit Customer Service.
Return Policy and Instructions
Privacy | Legal Disclaimer | Contact Us | About
You have received this business note as part of our efforts to fulfill your request and service your account. You may receive more email notifications from us even if you have previously selected out of marketing notifications.
Please note: This email was sent from an automative notification system that not configured to accept incoming mail. Please don't reply to this message.
�2008-2012 Intuit Llc. or its affiliates. All rights reserved.
Subscribe to:
Posts (Atom)