Tuesday 23 October 2012
President of French Polynesia (presidence.pf) hacked?
presidence.pf is the web site of the President of French Polynesia. It is hosted on 202.3.245.13 by the Tahitian ISP MANA (along with an alternative domain, presid.pf).
Unfortunately, that's not the only thing lurking on 202.3.245.13. Yesterday I spotted an exploit kit on the same IP, probably Blackhole 2. An examination of the server shows the presence of the following malicious domains on the same IP:
fidelocastroo.ru
secondhand4u.ru
windowonu.ru
There's no evidence that the websites presidence.pf or presid.pf are themselves dangerous, but there are other web sites on the same server which certainly do appear to be quite toxic..
Now, French Polynesia isn't the biggest place in the world, but it's the first time I've seen the site of a president of anywhere potentially compromised in this way.
Monday 22 October 2012
"Copies of Policies" spam / fidelocastroo.ru
Date: Mon, 22 Oct 2012 08:05:10 -0500
From: Twitter [c-FG6SPPPCGK63=D8154Z4.8N4-6042f@postmaster.twitter.com]
Subject: RE: Charley - Copies of Policies.
Unfortunately, I cannot obtain electronic copies of the Ocean, Warehouse or EPLI policy.
Here is the Package and Umbrella,
and a copy of the most recent schedule.
Charley HEALY,
The malicious payload is on [donotclick]fidelocastroo.ru:8080/forum/links/column.php hosted on the following IPs:
68.67.42.41 (Fibrenoire, Canada)
79.98.27.9 (Interneto Vizija, Lithuania)
190.10.14.196 (RACSA, Costa Rica)
202.3.245.13 (MANA, French Polynesia)
203.80.16.81 (MYREN, Malaysia)
209.51.221.247 (eNET, US)
Plain list for copy and pasting:
68.67.42.41
79.98.27.9
190.10.14.196
202.3.245.13
203.80.16.81
209.51.221.247
Blocking these IPs should also protect against other attacks hosted on the same servers.
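The same landing path (/forum/links/column.php on port 8080) and the same handful of IPs recur across the spam runs on this page, which is why the advice is to block the IPs rather than chase each throwaway .ru domain. As an added example (not part of the original post), here is a small Python script that parses the page's own IOC notation ("[donotclick]host:port/path hosted on ..." followed by "IP (Org, Country)" lines) into structured records, reports which IPs are shared between campaigns, and turns the result into a blocklist and Suricata rules. The sample text is constructed from IOC lines on this page; the Suricata sid range is an assumption.

```python
"""Parse the IOC notation used on this page into structured records, find
the IPs reused across campaigns, and emit blocklist and Suricata output."""
import re
from collections import Counter

# Constructed sample: IOC lines copied from three posts on this page.
SAMPLE = """\
The malicious payload is on [donotclick]fidelocastroo.ru:8080/forum/links/column.php hosted on the following IPs:
68.67.42.41 (Fibrenoire, Canada)
79.98.27.9 (Interneto Vizija, Lithuania)
190.10.14.196 (RACSA, Costa Rica)
202.3.245.13 (MANA, French Polynesia)
203.80.16.81 (MYREN, Malaysia)
209.51.221.247 (eNET, US)
The malicious payload is at [donotclick]leprasmotra.ru:8080/forum/links/column.php hosted on:
72.18.203.140 (Las Vegas NV Datacenter, US)
203.80.16.81 (MYREN, Malaysia)
209.51.221.247 (eNET, US)
The malicious payload is found at [donotclick]hotsecrete.net/detects/exclude-offices_details_warm.php hosted on 183.81.133.121 (Vodafone, Fiji) which is a well-known malicious IP address that you should block.
"""

URL_RE = re.compile(
    r"\[donotclick\](?P<host>[A-Za-z0-9.-]+)(?::(?P<port>\d+))?(?P<path>/\S*)")
# An IPv4 address with an optional "(Org, Country)" annotation; the bare
# "plain list for copy and pasting" lines on the page are accepted too.
IP_RE = re.compile(
    r"(?<![\d.])(?P<ip>(?:\d{1,3}\.){3}\d{1,3})(?![\d.])"
    r"(?:\s*\((?P<org>[^,()]+),\s*(?P<country>[^()]+)\))?")


def parse_iocs(text):
    """Return one dict per landing URL: host, port, path and hosting IPs."""
    campaigns = []
    for line in text.splitlines():
        m = URL_RE.search(line)
        if m:
            campaigns.append({
                "host": m["host"].lower(),
                "port": int(m["port"] or 80),
                "path": m["path"].rstrip(".,;"),
                "ips": [],
            })
        if not campaigns:
            continue  # IP lines before the first landing URL have no owner
        cur = campaigns[-1]
        seen = {ip for ip, _, _ in cur["ips"]}
        for ipm in IP_RE.finditer(line):
            ip = ipm["ip"]
            if ip in seen:
                continue  # the plain list repeats the annotated list
            org = (ipm["org"] or "").strip() or None
            country = (ipm["country"] or "").strip() or None
            cur["ips"].append((ip, org, country))
            seen.add(ip)
    return campaigns


def recurring_ips(campaigns):
    """IPs hosting more than one campaign: the ones worth blocking because
    they keep getting reused."""
    counts = Counter(ip for c in campaigns for ip in {i[0] for i in c["ips"]})
    return {ip: n for ip, n in counts.items() if n > 1}


def blocklist(campaigns):
    """Sorted, de-duplicated list of every landing host and hosting IP."""
    items = {c["host"] for c in campaigns}
    items.update(ip for c in campaigns for ip, _, _ in c["ips"])
    return sorted(items)


def suricata_rules(campaigns, base_sid=9000001):
    """One HTTP rule per landing URL. The sid range is an assumption; pick
    one that does not collide with the rule sets you already run."""
    rules = []
    for n, c in enumerate(campaigns):
        rules.append(
            'alert http $HOME_NET any -> $EXTERNAL_NET any '
            f'(msg:"Exploit kit landing page on {c["host"]}"; flow:established,to_server; '
            f'content:"{c["host"]}"; http_host; content:"{c["path"]}"; http_uri; '
            f'classtype:trojan-activity; sid:{base_sid + n}; rev:1;)')
    return rules


if __name__ == "__main__":
    found = parse_iocs(SAMPLE)
    for ip, n in sorted(recurring_ips(found).items()):
        print(f"{ip} seen in {n} campaigns")
    print("\n".join(blocklist(found)))
    print("\n".join(suricata_rules(found)))
```

Feed it the text of several posts rather than one and the recurring_ips output is the short list that actually matters: on the sample above, 203.80.16.81 and 209.51.221.247 turn up in two separate runs.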
Scam: tsnetint.com and tsnetint.org
Another episode in a long-running domain scam, which attempts to get you to buy worthless domain names by scaremongering. In this case the fake company is called "Kenal investment Co. Ltd" (there are several legitimate firms with a similar name). If you get one of these, ignore it and don't give the scammers any money.
The domains quoted are tsnetint.com and tsnetint.org and the originating IP is 117.27.141.168, all hosted in deepest China.
From: bertram bertram@tsnetint.com
Date: 22 October 2012 06:02
Subject: Confirmation of Registration
(Letter to the President or Brand Owner, thanks)
Dear President,
We are the department of Asian Domain Registration Service in China. Here I have something to confirm with you. We formally received an application on October 19, 2012 that a company claimed Kenal investment Co. Ltd were applying to register "dynamoo" as their Net Brand and some domain names through our firm.
Now we are handling this registration, and after our initial checking, we found the name were similar to your company's, so we need to check with you whether your company has authorized that company to register these names. If you authorized this, we would finish the registration at once. If you did not authorize, please let us know within 7 workdays, so that we could handle this issue better. After the deadline we will unconditionally finish the registration for Kenal investment Co. Ltd. Looking forward to your prompt reply.
Best Regards,
Bertram Hong
Registration Dept.
Office:Tel: 86 2885915586 || Fax: +86 2885912116
Address:9/F Libao building No,62 Kehua North Road,Wuhou District,Chengdu City,China
Please consider the environment before you print this e-mail
Saturday 20 October 2012
Wowcher and motors.co.uk. Is this spam?
Wowcher are a site trying to emulate Groupon, owned by Associated Newspapers, who also own the Daily Mail ("the newspaper that supported Hitler"*). I've never used their site, and I wouldn't bother given their history of dodgy promotions.
Wowcher have a history of questionable advertising (see here and here for example), so it's not exactly something I would sign up for. However, Wowcher conclude the email with something rather misleading:
You are receiving this email because you have used our services in the past.
If you no longer wish to receive these e-mails, you can unsubscribe from this list.
Have I used their services in the past? No. Definitely not. So where did Wowcher get my email address? Simple - it was passed to them by a website called motors.co.uk. How do I know this? Because I use a unique email address for every service I sign up for, making it easy to trace this sort of activity.
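The unique-address-per-service trick above is what makes the attribution possible. As an added example that is not part of the original post, here is a Python sketch of one way to do it with a catch-all domain: each alias carries a short HMAC tag, so a received address can be verified and traced back to the service it was issued to, and a mistyped or guessed alias is rejected rather than misattributed. The domain, the secret and the sample message are assumptions constructed for the example.

```python
"""Per-service e-mail aliases carrying an HMAC tag: the address reveals which
service it was issued to, a guessed or mistyped alias fails verification,
and a message arriving at one alias from someone else pins the leak."""
import email
import email.utils
import hashlib
import hmac
import re

DOMAIN = "example.org"   # assumed: a domain you own with catch-all delivery
SECRET = b"replace-with-a-long-random-secret"  # assumed; keep it outside the code
TAG_LEN = 8              # hex chars of HMAC kept; 32 bits is plenty against guessing


def _label(service):
    """'motors.co.uk' -> 'motors-co-uk' (the dot is reserved as label/tag separator)."""
    return re.sub(r"[^a-z0-9]+", "-", service.lower()).strip("-")


def _tag(label, secret):
    return hmac.new(secret, label.encode(), hashlib.sha256).hexdigest()[:TAG_LEN]


def make_alias(service, domain=DOMAIN, secret=SECRET):
    """Address to hand to a service when signing up."""
    label = _label(service)
    return f"{label}.{_tag(label, secret)}@{domain}"


def trace(address, domain=DOMAIN, secret=SECRET):
    """Service label the address was issued to, or None if it is not a valid
    alias of ours (wrong domain, wrong shape, or the tag does not verify)."""
    m = re.fullmatch(
        r"([a-z0-9-]+)\.([0-9a-f]{%d})@%s" % (TAG_LEN, re.escape(domain)),
        address.strip().lower())
    if not m:
        return None
    label, tag = m.groups()
    return label if hmac.compare_digest(tag, _tag(label, secret)) else None


def attribute_leak(raw_message, domain=DOMAIN, secret=SECRET):
    """For a received message, return (issued_to, sender_domain) when the
    recipient is one of our aliases and the sender is not the service the
    alias was issued to; None otherwise."""
    msg = email.message_from_string(raw_message)
    _, rcpt = email.utils.parseaddr(msg.get("To", ""))
    _, sender = email.utils.parseaddr(msg.get("From", ""))
    issued_to = trace(rcpt, domain, secret)
    sender_domain = sender.rsplit("@", 1)[-1].lower() if "@" in sender else ""
    if issued_to is None or not sender_domain:
        return None
    if _label(sender_domain) == issued_to:
        return None  # the service writing to its own alias is expected
    return issued_to, sender_domain


# Constructed sample: a marketing mail from one company arriving at the alias
# that was only ever given to another.
SAMPLE_MESSAGE = (
    "From: Wowcher <deals@wowcher.co.uk>\n"
    f"To: {make_alias('motors.co.uk')}\n"
    "Subject: Today's deals\n"
    "\n"
    "You are receiving this email because you have used our services in the past.\n"
)

if __name__ == "__main__":
    print(make_alias("motors.co.uk"))
    print(attribute_leak(SAMPLE_MESSAGE))
```

The tag is what separates this from plain plus-addressing: anyone can send to motors-co-uk@yourdomain to frame a service, but they cannot produce the matching tag without the secret, so a verified alias is reasonably strong evidence of where the address came from.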
Motors.co.uk is part of a company called Manheim.. but they used to belong to the same company that owns the Daily Mail. They make a business out of all sorts of automotive trades. I signed up with them about two-and-a-half years ago. Until now, the only email I have ever received from them has been on-topic, but I haven't actually seen an email of any type for a long time.
So.. it should be a simple job to log into motors.co.uk and check my marketing preferences. Well.. I tried, and the login didn't work. So.. perhaps I forgot my password. That's easy enough to reset.. but there's a catch.
Oh. Sorry, the email address you entered doesn't appear to be in our records. That's kind of odd, because it certainly appeared in their records enough for them to use it for Wowcher.
Now, motors.co.uk have a privacy policy which gives the game away. It says:
By using the Site, you agree that we may disclose your personal information to any company within the Daily Mail and General Trust plc group of companies
So, the Daily Mail group owns Wowcher, and they got the email from motors.co.uk. And quite annoyingly, the motors.co.uk privacy policy in 2010 does also say that they will pass your email address on to the Daily Mail without asking for any further permission. It's annoying, but it does mean that it isn't spam. I guess I will be clicking that "unsubscribe" link then.
* And OK, the Daily Mail may have supported Hitler between the wars. But it was also instrumental in achieving some sort of justice for Stephen Lawrence. So not all bad then.
Friday 19 October 2012
LinkedIn spam / cowonhorse.co
This fake LinkedIn spam leads to malware on cowonhorse.co:
From: LinkedIn.Invitations [mailto:4843D050@pes.sau48.org]
Sent: Fri 19/10/2012 10:29
Subject: Invitation
Hi [redacted],
User sent you an invitation to connect 6 days ago. How would you like to respond?
Accept Ignore Privately
Estelle Garrison
Interpublic Group (Executive Director Marketing PPS)
You are receiving Invitation emails. Unsubscribe.
This email was intended for [redacted].
Learn why we included this.
2012, LinkedIn Corporation. 2029 Stierlin Ct. Mountain View, CA 94043, USA
==========
From: LinkedIn.Invitations [mailto:43DD0F0@cankopy.com]
Sent: Fri 19/10/2012 11:39
Subject: New invitation
Hi [redacted],
User sent you an invitation to connect 14 days ago. How would you like to respond?
Accept Ignore Privately
Carol Parks
Automatic Data Processing (Divisional Finance Director)
You are receiving Invitation emails. Unsubscribe.
This email was intended for [redacted].
Learn why we included this.
2012, LinkedIn Corporation. 2029 Stierlin Ct. Mountain View, CA 94043, USA
==========
From: LinkedIn.Invitations [mailto:3A1665D92@leosanches.com]
Sent: Fri 19/10/2012 12:28
Subject: Invitation
Hi [redacted],
User sent you an invitation to connect 6 days ago. How would you like to respond?
Accept Ignore Privately
Rupert Nielsen
O'Reilly Automotive (Head of Non-Processing Infrastructure)
You are receiving Invitation emails. Unsubscribe.
This email was intended for [redacted].
Learn why we included this.
2012, LinkedIn Corporation. 2029 Stierlin Ct. Mountain View, CA 94043, USA
The malicious payload is on [donotclick]cowonhorse.co/links/observe_resources-film.php hosted on 74.91.118.239 (Nuclearfallout Enterprises, US). Nuclearfallout have hosted sites like this several times before. In my opinion, blocking ALL emails that appear to be from LinkedIn would probably benefit your business.
Thursday 18 October 2012
Adobe CS4 spam / leprasmotra.ru
Date: Thu, 18 Oct 2012 10:00:26 -0300
From: "service@paypal.com" [service@paypal.com]
Subject: Order N04833
Good morning,
You can download your Adobe CS4 License here -
We encourage you to explore its new and enhanced capabilities with these helpful tips, tutorials, and eSeminars.
Thank you for buying Adobe InDesign CS4 software.
Adobe Systems Incorporated
The malicious payload is at [donotclick]leprasmotra.ru:8080/forum/links/column.php hosted on:
72.18.203.140 (Las Vegas NV Datacenter, US)
203.80.16.81 (MYREN, Malaysia)
209.51.221.247 (eNET, US)
Blocking access to those IPs is recommended.
NY Traffic Ticket spam / kennedyana.ru
Date: Wed, 17 Oct 2012 03:59:44 +0600
From: sales1@[redacted]
To: [redacted]
Subject: Fwd: NY TRAFFIC TICKET
New-York Department of Motor Vehicles
TRAFFIC TICKET
NEW-YORK POLICE DEPARTMENT
THE PERSON CHARGED AS FOLLOWS
Time: 5:16 AM
Date of Offense: 21/01/2012
SPEED OVER 50 ZONE
TO PLEAD CLICK HERE AND FILL OUT THE FORM
The malicious payload is on [donotclick]kennedyana.ru:8080/forum/links/column.php hosted on the following IPs:
68.67.42.41 (Fibrenoire, Canada)
72.18.203.140 (Las Vegas NV Datacenter, US)
203.80.16.81 (MYREN, Malaysia)
Wednesday 17 October 2012
LinkedIn spam / 64.111.24.162
This fake LinkedIn spam leads to malware on 64.111.24.162:
The malicious payload is at [donotclick]64.111.24.162/links/assure_numb_engineers.php, allocated to Data 102 in the US and then suballocated to:
network:Network-Name:Buzy Bee Hosting /27
network:IP-Network:64.111.24.160/27
network:IP-Network-Block:64.111.24.160 - 64.111.24.191
network:Org-Name:Buzy Bee Hosting
network:Street-Address:1451 North Challenger Dr
network:City:Pueblo West
network:State:CO
network:Postal-Code:81007
network:Country-Code:US
Blocking the IP (and possibly the /27 block) is probably wise.
From: LinkedIn.Invitations [mailto:8B44145D0@bhuna.net]
Sent: 17 October 2012 10:06
Subject: New invitation is waiting for your response
Hi [redacted],
User sent you an invitation to connect 6 days ago. How would you like to respond?
Accept Ignore Privately
Alexis Padilla
C.H. Robinson Worldwide (Sales Director)
You are receiving Invitation emails. Unsubscribe.
This email was intended for [redacted].
Learn why we included this.
2012, LinkedIn Corporation. 2029 Stierlin Ct. Mountain View, CA 94043, USA
Amazon.com spam / sdqhfckuri.ddns.info and ultjiyzqsh.ddns.info
This fake Amazon.com spam leads to malware on sdqhfckuri.ddns.info and ultjiyzqsh.ddns.info:
The malicious payload is at [donotclick]sdqhfckuri.ddns.info/links/calls_already_stopping.php or [donotclick]ultjiyzqsh.ddns.info/links/calls_already_stopping.php hosted on 37.230.117.4 (The First CJSC, Russia).
From: Amazon.Com [mailto:pothooknw@tcsn.net]
Sent: 17 October 2012 06:54
Subject: Your Amazon.com order of "Bulova Men's 94B316 Precisionist Claremont Brown Leather Watch" has shipped!
Importance: High
Gift Cards
| Your Orders
| Amazon.com
Shipping Confirmation
Order #272-3140048-4213404
Hello,
Thank you for shopping with us. We thought you'd like to know that we shipped your gift, and that this completes your order. Your order is on its way, and can no longer be changed. If you need to return an item from this shipment or manage other orders, please visit Your Orders on Amazon.com.
Your estimated delivery date is:
Tuesday, October 9, 2012
Your package is being shipped by UPS and the tracking number is 1ZX305712324670208. Depending on the ship speed you chose, it may take 24 hours for your tracking number to return any information.
Shipment Details
Bulova Men's 94B316 Precisionist Claremont Brown Leather Watch
Sold by Amazon.com LLC (Amazon.com) $109.95
Item Subtotal: $109.95
Shipping & Handling: $0.00
Total Before Tax: $109.95
Shipment Total: $109.95
Paid by Visa: $109.95
Returns are easy. Visit our Online Return Center.
If you need further assistance with your order, please visit Customer Service.
We hope to see you again soon!
Amazon.com
This email was sent from a notification-only address that cannot accept incoming email. Please do not reply to this message.
Added: snfgrhoykdcb.ddns.info and jdrxnlbyweco.ddns.info are also being used in this attack, although they do not resolve at present.
Blocking .ddns.info and .ddns.name domains will probably not spoil your day. Blocking the 37.230.116.0/23 range might not either.
Some other subjects seen:
Your Amazon.com order of "Citizen Men's BL2774-05L Eco-Drive Perpetual Calendar Chronograph Watch" has shipped!
Your Amazon.com order of "Casio Men's PAG165-0CR Pathfinder Triple Sensor Multi-Function Sport Watch" has shipped!
Your Amazon.com order of "G-Shock GA-386-1A8 Big Combi Military Series Watch" has shipped!
Your Amazon.com order of "Fossil Men's FS2362 Black Silicone Bracelet Black Analog Dial Chronograph Watch" has shipped!
Your Amazon.com order of "Timex Ironman Men's Road Trainer Heart Rate Monitor Watch, Black/Orange, Full Size" has shipped!
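Acting on the advice above means matching requests against a mix of IOC types: a /23 range, single IPs, hostnames and whole suffixes like .ddns.info, with the URL itself sometimes arriving defanged. As an added example (not code from the original post), here is a Python matcher that handles all four and runs over a constructed proxy log. The blocklist entries are taken from this page; the log lines and the client addresses are made up.

```python
"""Blocklist matcher for the mixed IOC types on this page: single IPs, CIDR
ranges (37.230.116.0/23), hostnames, and whole suffixes such as .ddns.info,
applied to IPs, hostnames or full (possibly defanged) URLs."""
import ipaddress
from urllib.parse import urlsplit


def host_of(target):
    """Host part of an IP, hostname, URL or '[donotclick]host/path' string."""
    t = target.strip()
    if t.startswith("[donotclick]"):
        t = t[len("[donotclick]"):]
    if "://" not in t:
        t = "//" + t  # let urlsplit treat it as a scheme-less netloc + path
    return (urlsplit(t).hostname or "").rstrip(".")


class Blocklist:
    def __init__(self, entries):
        self.nets, self.hosts, self.suffixes = [], set(), set()
        for entry in entries:
            e = entry.strip().lower()
            if not e or e.startswith("#"):
                continue
            if e.startswith("."):  # ".ddns.info": every name below ddns.info
                self.suffixes.add(e.lstrip("."))
                continue
            try:                   # "1.2.3.4" or "1.2.3.0/24"
                self.nets.append(ipaddress.ip_network(e, strict=False))
            except ValueError:
                self.hosts.add(e)  # plain hostname

    def blocked(self, target):
        host = host_of(target).lower()
        if not host:
            return False
        try:
            ip = ipaddress.ip_address(host)
        except ValueError:
            ip = None
        if ip is not None:
            return any(ip in net for net in self.nets)
        if host in self.hosts:
            return True
        labels = host.split(".")
        # subdomains only: ".ddns.info" blocks x.ddns.info, not ddns.info itself
        return any(".".join(labels[i:]) in self.suffixes for i in range(1, len(labels)))


# Constructed sample proxy log, one "client method url status" per line.
SAMPLE_LOG = """\
10.0.0.5 GET http://www.example.com/index.html 200
10.0.0.5 GET http://sdqhfckuri.ddns.info/links/calls_already_stopping.php 200
10.0.0.9 GET http://37.230.117.4/links/calls_already_stopping.php 200
10.0.0.9 GET https://www.example.org/ 200
"""


def scan_proxy_log(lines, bl):
    """Return (client, url) for every request whose host is on the blocklist."""
    hits = []
    for line in lines.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        client, url = parts[0], parts[2]
        if bl.blocked(url):
            hits.append((client, url))
    return hits


if __name__ == "__main__":
    bl = Blocklist(["37.230.116.0/23", ".ddns.info", ".ddns.name",
                    "183.81.133.121", "inklingads.biz"])
    for client, url in scan_proxy_log(SAMPLE_LOG, bl):
        print(client, "->", url)
```

The suffix rule deliberately matches only names below ddns.info, since the point is to block the throwaway dynamic-DNS names, and the CIDR check covers the whole 37.230.116.0/23 rather than just the one address seen today.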
Tuesday 16 October 2012
Wire Transfer spam / hotsecrete.net
From: Federal Information System [mailto:highjackingucaf10@atainvest.com]
Sent: 16 October 2012 15:59
Subject: Wire Transfer accepted
We have successfully done the following transfer:
________________________________________
Item #: 35043728
Amount: $16,861.99
To: Anthony Glover
Fee: 29.00
Send on Date: 10/16/2012
Service: Domestic Wire
________________________________________
If there is a problem with processing your request we would report to you both by email and on the Manage Accounts tab. You can always check your transfer status via this link Sincerely,
Federal Reserve Bank Automate Notify System
________________________________________
*********************************************
Email Preferences
This is a service warning from Federal Reserve Bank. Please note that you may receive notification note in accordance with your service agreements, whether or not you elect to receive promotional email.
=============================================
Federal Reserve Bank Email, 8th Floor, 170 Seashore Tryon, Ave., Charlotte, TX 89936-0001
Federal Reserve Bank.
The malicious payload is found at [donotclick]hotsecrete.net/detects/exclude-offices_details_warm.php hosted on 183.81.133.121 (Vodafone, Fiji) which is a well-known malicious IP address that you should block.
LinkedIn spam / 74.91.112.86
This fake LinkedIn spam leads to malware on 74.91.112.86:
The malicious payload is on [donotclick]74.91.112.86/links/assure_numb_engineers.php hosted by Nuclearfallout Enterprises in the US (no surprises there).
From: LinkedIn.Invitations [mailto:1F31A2F6B@delraybeachhomesales.com]
Sent: 16 October 2012 13:50
To: [redacted]
Subject: New invitation is waiting for your response
Hi [redacted],
David sent you an invitation to connect 13 days ago. How would you like to respond?
Accept Ignore Privately
Hilton Suarez
Precision Castparts (Distributor Sales Manager EMEA)
You are receiving Invitation emails. Unsubscribe.
This email was intended for [redacted].
Learn why we included this.
2012, LinkedIn Corporation. 2029 Stierlin Ct. Mountain View, CA 94043, USA
Monday 15 October 2012
Facebook spam / o.anygutterkings.com
This fake Facebook spam leads to malware on o.anygutterkings.com:
Other subjects are: "Account blocked" and "Account activated".
Date: Mon, 15 Oct 2012 20:02:21 +0200
From: "FB Account"
Subject: Facebook account
Hi [redacted],
You have blocked your Facebook account. You can reactivate your account whenever you wish by logging into Facebook with your former login email address and password. Subsequently you will be able to take advantage of the site as before
Kind regards,
The Facebook Team
Sign in to Facebook and start connecting
Sign in
Please use the link below to resume your account :
http://www.facebook.com/home.php
This message was sent to [redacted]. If you don't want to receive these emails from Facebook in the future, please click: unsubscribe.
Facebook, Inc. Attention: Department 415 P.O Box 10005 Palo Alto CA 94303
The payload is at [donotclick]o.anygutterkings.com/links/assure_numb_engineers.php hosted on 198.136.53.38 (Comforthost, US)
Intuit spam / navisiteseparation.net
This fake Intuit spam leads to malware on navisiteseparation.net:
Date: Mon, 15 Oct 2012 15:20:13 -0300
From: "Intuit GoPayment" [crouppywo4@deltamar.net]
Subject: Welcome - you're accepted for Intuit GoPayment
Congratulations!
GoPayment Merchant by Intuit request for ONTIMEE ADMINISTRATION, Inc. has been ratified.
GoPayment
Account Number: XXXXXXXXXXXXXX55
Email Address: [redacted]
PLEASE NOTE :
Associated charges for this service may be applied now.
Next step: View or confirm your Access ID
This is {LET:User ID lets you:
Review your payment service in the Merchant Center
Review charges
Log In to other Intuit products you may use, like TurboTax, Quicken, and Intuit Payroll
The good news is we found an existing Intuit account for your email address, You can use this ID for your payment service also, or enter a new one.
Verify Access ID
Get started:
Step 1: If you have not still, download the Intuit software.
Step 2: Launch the Intuit application and sign in with the Access ID (your email address) and Password you setup.
Easy Manage Your Intuit GoPayment Account
The GoPayment Merchant Service by Intuit Center is the web site where you can learn more about GoPayment features, customize your sales receipt and add GoPayment users. You can also view transactions, deposits and fees. Visit url and sign in with your GoPayment AccesID (your email address) and Password.
For more information on how to start using GoPayment Merchant by Intuit, including tutorials, FAQs and other resources, visit the Merchant Service Center at service link.
Please don't reply to this message. auto informer system unable to accept incoming messages.
System Terms & Agreements © 2008-2012 Intuit, INC. All rights reserved.
Sample subjects:
- Congrats - you're accepted for Intuit GoPayment Merchant
- Congratulations - you're approved for Intuit Merchant
- Congrats - you're approved for GoPayment Merchant
- Welcome - you're accepted for Intuit GoPayment
"Copies of Policies" spam / linkrdin.ru
From: [support@victimdomain.com]
Date: 15 October 2012 07:15
Subject: RE: SANTOS - Copies of Policies.
Unfortunately, I cannot obtain electronic copies of the Ocean, Warehouse or EPLI policy.
Here is the Package and Umbrella,
and a copy of the most recent schedule.
The malicious payload is on [donotclick]linkrdin.ru:8080/forum/links/column.php (report here) hosted on the same IPs as this spam:
68.67.42.41 (Fibrenoire, Canada)
79.98.27.9 (UAB Interneto Vizija, Lithuania)
203.80.16.81 (MYREN, Malaysia)
Friday 12 October 2012
Wire Transfer spam / geforceexlusive.ru
From: Xanga [mailto:noreply@xanga.com]
Sent: 12 October 2012 11:27
Subject: Fwd: Wire Transfer Confirmation (FED_6537H57898)
Dear Bank Account Operator,
WIRE TRANSFER: WRE-282857636652198
CURRENT STATUS: PENDING
Please REVIEW YOUR TRANSACTION as soon as possible.
The malicious payload is at [donotclick]geforceexlusive.ru:8080/forum/links/column.php hosted on the following IPs:
68.67.42.41 (Fibrenoire, Canada)
79.98.27.9 (UAB Interneto Vizija, Lithuania)
203.80.16.81 (MYREN, Malaysia)
These IPs are worth blocking as they will probably also be used in future attacks.
ADP spam / 184.164.151.54
Yet more ADP-themed spam, this time leading to malware on 184.164.151.54:
Date: Fri, 12 Oct 2012 14:48:18 +0530
From: "ADPClientServices" [ADPClientServices@adp.com]
Subject: ADP Urgent Notification
Your Transaction Report(s) have been uploaded to the web site:
https://www.flexdirect.adp.com/client/login.aspx
Please note that your bank account will be debited within one banking business day for the amount(s) shown on the report(s).
Please do not respond or reply to this automated e-mail. If you have any questions or comments, please Contact your ADP Benefits Specialist.
Thank You,
ADP Benefit Services
The malicious payload is at [donotclick]184.164.151.54/links/rules_familiar-occurred.php (hosted by the ironically named Secured Servers LLC in the US aka Jolly Works hosting of the Philippines).
ADP Spam / 198.143.159.108
Yet more fake ADP spam (there has been a lot over the past 24 hours) is being pushed out. This time there's a malicious payload at [donotclick]198.143.159.108/links/rules_familiar-occurred.php (Singlehop, US).
Avoid.
Thursday 11 October 2012
"Copies of Policies" spam / windowsmobilever.ru
Date: Thu, 11 Oct 2012 10:55:37 -0500
From: "Amazon.com" [account-update@amazon.com]
Subject: RE: DONNIE - Copies of Policies.
Unfortunately, I cannot obtain electronic copies of the Ocean, Warehouse or EPLI policy.
Here is the Package and Umbrella,
and a copy of the most recent schedule.
DONNIE LOCKWOOD,
==========
Date: Thu, 11 Oct 2012 12:26:25 -0300
From: accounting@[redacted]
Subject: RE: MARGURITE - Copies of Policies.
Unfortunately, I cannot obtain electronic copies of the Ocean, Warehouse or EPLI policy.
Here is the Package and Umbrella,
and a copy of the most recent schedule.
MARGURITE Moss,
Anyone who clicks on the link will end up on an exploit kit at [donotclick]windowsmobilever.ru:8080/forum/links/column.php (report here) hosted on:
68.67.42.41 (Fibrenoire, Canada)
203.80.16.81 (MYREN, Malaysia)
These two IPs are currently involved in several malicious spam runs and should be blocked if you can.
ADP Spam / 108.61.57.66
Date: Thu, 11 Oct 2012 14:53:17 -0200
From: "ADP.Message" [986E3877@dixys.com]
Subject: ADP Generated Message
This e-mail has been sent from an automated system. PLEASE DO NOT REPLY.
If you have any questions, please contact your administrator for assistance.
---------------------------------------------------------------------
Digital Certificate About to Expire
---------------------------------------------------------------------
The digital certificate you use to access ADP's Internet services is about to expire. If you do not renew your certificate by the expiration date below, you will not be able to access ADP's Internet services.
Days left before expiration: 3
Expiration date: Oct 14 23:59:59 GMT-03:59 2012
---------------------------------------------------------------------
Renewing Your Digital Certificate
--------------------------------------------------------------------
1. Go to this URL: https://netsecure.adp.com/pages/cert/register2.jsp
2. Follow the instructions on the screen.
3. Also you can download new digital certificate at https://netsecure.adp.com/pages/cert/pickUpCert.faces.
In this case the malicious payload is at [donotclick]108.61.57.66/links/assure_numb_engineers.php hosted by Choopa LLC in the US. The IP is probably worth blocking to be on the safe side.
LinkedIn spam / inklingads.biz
The bad guys are very busy today with all sorts of spam campaigns, including lots of messages as below pointing to malware on inklingads.biz. The malicious payload is on [donotclick]inklingads.biz/detects/invite-request_checking.php hosted on 183.81.133.121 (Vodafone, Fiji).
From: LinkedIn Notification [mailto:hewedngq6@omahahen.org]
Sent: 11 October 2012 15:59
Subject: LinkedIn Reminder
Importance: High
REMINDERS
Invite events:
From Thaddeus Sosa ( Your servant)
PENDING EVENTS
There are a total of 3 messages awaiting your action. See your InBox immediately.
Don't wish to get email info letters? Adjust your notifications settings.
LinkedIn values your privacy. In no circumstances has LinkedIn made your notifications email acceptable to any third-party LinkedIn member without your permission. 2010, LinkedIn Corporation.
ADP spam / 4.wapin.in and 173.224.209.165:
This fake ADP spam leads to malware on 4.wapin.in:
The malicious payload is on [donotclick]4.wapin.in/links/assure_numb_engineers.php hosted on 198.136.53.39 (Comforthost, US).
From: ADP.Security [mailto:5BC4F06B@act4kids.net]
Sent: 11 October 2012 14:22
Subject: ADP: Urgent Notification
This e-mail has been sent from an automated system. PLEASE DO NOT REPLY.
If you have any questions, please contact your administrator for assistance.
---------------------------------------------------------------------
Digital Certificate About to Expire
---------------------------------------------------------------------
The digital certificate you use to access ADP's Internet services is about to expire. If you do not renew your certificate by the expiration date below, you will not be able to access ADP's Internet services.
Days left before expiration: 3
Expiration date: Oct 14 23:59:59 GMT-03:59 2012
---------------------------------------------------------------------
Renewing Your Digital Certificate
---------------------------------------------------------------------
1. Go to this URL: https://netsecure.adp.com/pages/cert/register2.jsp
2. Follow the instructions on the screen.
3. Also you can download new digital certificate at https://netsecure.adp.com/pages/cert/pickUpCert.faces.
Another variant of this goes to [donotclick]173.224.209.165/links/assure_numb_engineers.php (Psychz Networks, US)
Blackhole sites to block 11/10/12
A bunch of sites are active today with the Blackhole exploit kit.. here are the ones seen so far:
183.81.133.121
198.136.53.39
173.255.223.77
64.247.188.141
inklingads.biz
The delivery mechanisms are fake LinkedIn and eFax messages. Block those IPs if you can.
eFax spam / 173.255.223.77 and chase.swf
Two different eFax spam runs seem to be going on at the same time:
From: eFax Corporate [mailto:05EBD8C@poshportraits.com]
Sent: 11 October 2012 12:58
Subject: eFax notification
You have received a 50 page(-s) fax at Thu, 11 Oct 2012 07:58:06 -0400.
* The reference number for this fax is [2EA33CF].
Click the following link to view this message:
https://www.efaxcorporate.com/corp/twa/View?returnPageKey=2EA33CF
Please visit www.efaxcorporate.com/corp/twa/page/customerSupport if you have any questions regarding this message or your service. You may also e-mail our corporate support department at corporatesupport@mail.efax.com.
Thank you for using the eFax Corporate service!
© 2012 j2 Global, Inc. All rights reserved.
eFax Corporate is a registered trademark of j2 Global, Inc.
This account is subject to the terms listed in the eFax Corporate Customer Agreement.
==========
From: eFax.Corporate [mailto:2C4C2348@aieservices.com.au]
Sent: 11 October 2012 12:51
Subject: eFax: You have received new fax
You have received a 34 page(-s) fax at Thu, 11 Oct 2012 13:50:54 +0200.
* The reference number for this fax is [97ECE658].
Click the following link to view this message:
https://www.efaxcorporate.com/corp/twa/View?returnPageKey=97ECE658
Please visit www.efaxcorporate.com/corp/twa/page/customerSupport if you have any questions regarding this message or your service. You may also e-mail our corporate support department at corporatesupport@mail.efax.com.
Thank you for using the eFax Corporate service!
© 2012 j2 Global, Inc. All rights reserved.
eFax Corporate is a registered trademark of j2 Global, Inc.
This account is subject to the terms listed in the eFax Corporate Customer Agreement.
One leads to a malicious landing page at [donotclick]173.255.223.77/links/assure_numb_engineers.php hosted by Linode in the US.
The other one is a bit odder, referring to a file called chase.swf on a hacked site. VT analysis shows just 1/44 which is not good. That looks a bit like this:
{html}
{body}
{object width='255' height='57'}
{param name='movie' value='infected.swf'} {/param}
{param name='allowScriptAccess' value='sameDomain'} {/param}
{embed width='255' height='57'
src='hxxp:||[redacted].com/chase.swf' name='BridgeMovie'
allowScriptAccess='sameDomain' type='application/x-shockwave-flash' }
{/embed}
{/object}
{/body}
{/html}
Beats me what it is. Probably nothing good though...
ppinomore.com PPI SMS spam
These PPI spammers are at it again, this time promoting a website ppinomore.com.
URGENT you are owed £3350 for the PPI you took out, time is running out to claim, please visit www.ppinomore.com to claim, thank you. To opt out reply STOP.
The sending number is +447787446160 although this will change as they get blocked for spamming. If you have any more numbers, then please consider adding them in the Comments section.
If you get one of these, you should forward the spam and the sender's number to your carrier. In the case of T-Mobile, O2 and Orange the number to report to is 7726 ("SPAM"). Vodafone customers should use 87726 ("VSPAM") and Three customers should use 37726 ("3SPAM"). Hopefully the carriers will act if there are enough complaints.
The thing with these spam PPI messages is that they are also a scam. I don't have any mis-sold PPI, so I'm not eligible for anything, but it seems that the spammers are encouraging you to make a fraudulent claim, which is a criminal offence.
So who is behind ppinomore.com? It has anonymous WHOIS details so no clue there. They claim their address is in Pakistan:
PPI-Today
586, Park Towers,
Block 26, P.E.C.H.S.,
Shahrah-e-Faisal,
Karachi
And they're not regulated by anyone..
ppinomore is a marketing agent. Our partners are regulated by the Ministry of Justice in respect of regulated claims management activities - their authorisation number is available on request and their registration is recorded on the Ministry of Justice website
So who are their partners? Of note, the ppinomore.com site is hosted on 217.23.12.215 which is hosted by Worldstream in the Netherlands, but actually allocated to a scam/spam friendly outfit called YoHost. The following sites are on the same server:
antismsspam.com
birthdaywishlist.net
buyfacebookfriends.info
claimsdirects.com
cpamatch.net
downloads4.biz
easyexplorer.net
englandinsolvency.com
filewizard.net
flywith.org
glasgowtrustdeeds.com
guystube.net
homeworkers.tv
ineedajob.tv
jizzin.me
kimdotcom.biz
liquidationadvice.info
megahost.tv
memorysticks.tv
monstercv.tv
mortgagecharges.info
myppi.org
numbergenerator.info
phoneapps.tv
ppinomore.com
ppinow.org
prepaidcards.tv
protectedtrustdeeds.tv
referafriend.info
rofl.hk
scotlandtrustdeeds.info
scottishdebtinfo.com
scottishtrustdeed.info
smsoptout.com
streamingloads.com
surveymonster.info
textforgold.com
transfermypension.info
txtforloans.com
whatsbetterapp.com
yadoo.tv
Some of these look quite interesting.. they're also using SMS and PPI themed sites. Almost all the sites have anonymous WHOIS details.. apart from myppi.org that is..
Domain ID:D166396094-LROR
Domain Name:MYPPI.ORG
Created On:21-Aug-2012 10:52:54 UTC
Last Updated On:21-Aug-2012 10:52:55 UTC
Expiration Date:21-Aug-2013 10:52:54 UTC
Sponsoring Registrar:GoDaddy.com, LLC (R91-LROR)
Status:CLIENT DELETE PROHIBITED
Status:CLIENT RENEW PROHIBITED
Status:CLIENT TRANSFER PROHIBITED
Status:CLIENT UPDATE PROHIBITED
Status:TRANSFER PROHIBITED
Status:ADDPERIOD
Registrant ID:CR122029936
Registrant Name:john mcneish
Registrant Organization:surveycentre
Registrant Street1:flat 3 11a whitworth street
Registrant Street2:opal house
Registrant Street3:
Registrant City:manchester
Registrant State/Province:lancashire
Registrant Postal Code:m1 3gw
Registrant Country:GB
Registrant Phone:+1.614083744
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Registrant Email:gary@tetr.us
Admin ID:CR122029938
Admin Name:john mcneish
Admin Organization:surveycentre
Admin Street1:flat 3 11a whitworth street
Admin Street2:opal house
Admin Street3:
Admin City:manchester
Admin State/Province:lancashire
Admin Postal Code:m1 3gw
Admin Country:GB
Admin Phone:+1.614083744
Admin Phone Ext.:
Admin FAX:
Admin FAX Ext.:
Admin Email:gary@tetr.us
Tech ID:CR122029937
Tech Name:john mcneish
Tech Organization:surveycentre
Tech Street1:flat 3 11a whitworth street
Tech Street2:opal house
Tech Street3:
Tech City:manchester
Tech State/Province:lancashire
Tech Postal Code:m1 3gw
Tech Country:GB
Tech Phone:+1.614083744
Tech Phone Ext.:
Tech FAX:
Tech FAX Ext.:
Tech Email:gary@tetr.us
Name Server:NS19.DOMAINCONTROL.COM
Name Server:NS20.DOMAINCONTROL.COM
John McNeish? So why is his email address gary@tetr.us then? Probably because this is really Gary McNeish who has been involved in offshore SMS spamming before.
So, is Gary McNeish responsible for the ppinomore.com SMS spam? It could just be a coincidence that a server stuffed with dodgy finance and marketing sites contains both a site belonging to Gary McNeish and these ppinomore.com scammers, after all there's no indication that this is actually Gary McNeish's server, just that he has a site on it.
Still, hopefully the recently announced ICO crackdown on SMS spammers might have a positive effect.
Update:
Here is another link between ppinomore.com and Gary McNeish's myppi.org - if you search for the text "ppinomore is a marketing agent. Our partners are regulated by the Ministry of Justice" on Google, it also appears on myppi.org:
Funnily enough, the content for myppi.org has changed to some search engine called "Yadoo" since it was indexed by Google. It must just be a coincidence that the ppinomore text appeared on Mr McNeish's site, yes?
The following numbers also seem to be in use for this spam:
+447867368703
+447780458447
Please add any more in the comments, thanks!
Labels:
Gary McNeish,
PPI,
SMS,
Spam,
Tetrus Telecoms,
Yohost.org
Sophos: "Your phone number may not be as private on Facebook as you think - and how to fix it"
From Sophos.. another good reason not to use Facebook.
So, as well as leaking email addresses through a reverse lookup, Facebook also does a reverse lookup for telephone numbers. What could possibly go wrong?
Well, until somebody figures out how to write a script to harvest the phone numbers automatically, that is..
Added: oh look, somebody did it already.
Wednesday 10 October 2012
Chase credit card spam / 2.cmisd.org
Another fake Chase credit card spam (like this one), this time leading to malware on 2.cmisd.org:
Date: Wed, 10 Oct 2012 12:21:48 -0500
From: "Chase.Alert" [CB22FC0@abbottfire.com]
Subject: Credit card report
This is an Alert to help you manage your credit card account.
As you requested, we are notifying you of any charges over the amount of ($USD) 200.00, as specified in your Alert settings. A charge of ($USD) 236.77 at Amazon Store has been authorized on Wed, 10 Oct 2012 12:21:48 -0500.
Do not reply to this Alert.
If you have questions, please call the number on the back of your credit card, or send a secure message from your Inbox on www.Chase.com/cl/smessage/alert_id=90A4F
To see all of the Alerts available to you, or to manage your Alert settings, please log on to www.Chase.com.
There are lots of variants, e.g.:
As you requested, we are notifying you of any charges over the amount of ($USD) 200.00, as specified in your Alert settings. A charge of ($USD) 566.48 at eStore has been authorized on Wed, 10 Oct 2012 17:28:38 +0100.
As you requested, we are notifying you of any charges over the amount of ($USD) 200.00, as specified in your Alert settings. A charge of ($USD) 989.65 at Google Store has been authorized on Wed, 10 Oct 2012 11:18:13 -0500.
As you requested, we are notifying you of any charges over the amount of ($USD) 200.00, as specified in your Alert settings. A charge of ($USD) 518.21 at eStore has been authorized on Wed, 10 Oct 2012 08:42:53 -0700.
As you requested, we are notifying you of any charges over the amount of ($USD) 200.00, as specified in your Alert settings. A charge of ($USD) 763.93 at UNKNOWN has been authorized on Wed, 10 Oct 2012 17:42:24 +0200.
In this case the malicious payload is at [donotclick]2.cmisd.org/links/assure_numb_engineers.php hosted on 75.98.171.60 (A2 Hosting, US). Blocking access to that IP would probably be wise.
LinkedIn spam / viewsonicone.ru
This fake LinkedIn spam leads to malware on viewsonicone.ru:
From: messages-noreply@bounce.linkedin.com [mailto:messages-noreply@bounce.linkedin.com] On Behalf Of LinkedIn Connections
Sent: 10 October 2012 09:46
Subject: Nayeli is now part of your network. Keep connecting...
[redacted]. Congratulations!
You and Nayeli are now connected.
Nayeli Deaton
--
Chad
2012, LinkedIn Corporation
The link goes through some obfuscated javascript (report here) to lead to [donotclick]viewsonicone.ru:8080/forum/links/column.php hosted on the following IPs:
68.67.42.41 (Fibrenoire Internet, Canada)
178.79.146.49 (Linode, UK)
203.80.16.81 (MYREN, Malaysia)
All these IPs and domains are potentially malicious and should be blocked if you can do it:
68.67.42.41
178.79.146.49
203.80.16.81
rumyniaonline.ru
sonatanamore.ru
onlinebayunator.ru
uzoshkins.ru
limonadiksec.ru
ioponeslal.ru
pionierspokemon.ru
appleonliner.ru
lenindeads.ru
viewsonicone.ru
NACHA spam / formexiting.net
This fake NACHA spam leads to malware on formexiting.net:
From: The Electronic Payments Association [mailto:underlining34@anbid.com.br]
Sent: 10 October 2012 15:59
Subject: Rejected ACH transaction
Importance: High
The ACH transaction (ID: 9536860209937), recently issued from your bank account (by one of your account members), was reversed by the recepient's financial institution.
Canceled request
Transaction ID: 9536860209937
Reason of rejection Review details in the statement below
Transaction Report report_9536860209937.doc (Microsoft Office Word Document)
17390 Seaside Valley Drive, Suite 101
Herndon, VA 20171
2011 NACHA - The Electronic Payments Association
The malicious payload is on [donotclick]formexiting.net/detects/review_reject_reason.php hosted on 183.81.133.121 (Vodafone, Fiji) which is a well-known malicious IP that you should consider blocking.
Chase credit cards spam / 3.azwap.de
This fake Chase spam leads to malware on 3.azwap.de:
Date: Wed, 10 Oct 2012 11:48:49 -0300
From: "Chase.com" [noreply@sprint.com]
Subject: Chase: your credit cars account
This is an Alert to help you manage your credit card account.
As you requested, we are notifying you of any charges over the amount of ($USD) 200.00, as specified in your Alert settings. A charge of ($USD) 233.30 at Apple Store has been authorized on Wed, 10 Oct 2012 11:48:49 -0300.
Do not reply to this Alert.
If you have questions, please call the number on the back of your credit card, or send a secure message from your Inbox on www.Chase.com/secure_m/id=34F4A5C
To see all of the Alerts available to you, or to manage your Alert settings, please log on to www.Chase.com.
The malicious payload is at [donotclick]3.azwap.de/links/assure_numb_engineers.php hosted on 69.194.194.229 (Solar VPS, US)
Another sample email:
This is an Alert to help you manage your credit card account.
As you requested, we are notifying you of any charges over the amount of ($USD) 200.00, as specified in your Alert settings. A charge of ($USD) 669.84 at eStore has been authorized on Wed, 10 Oct 2012 11:31:42 -0400.
Do not reply to this Alert.
If you have questions, please call the number on the back of your credit card, or send a secure message from your Inbox on www.Chase.com/customer_login/u=83669F
To see all of the Alerts available to you, or to manage your Alert settings, please log on to www.Chase.com.
Something evil on 96.44.139.218 / perclickbank.org
There's something evil on 96.44.139.218 (OC3 Networks, US):
perclickbank.org
google-analitlcs.com
google-statistic.com
nailart4designs.com
Malvertising, basically. More details here.
Labels:
Evil Network,
Malvertising
union-trans.com employment scam
This fake job offer is for a "forwarding agent". What is a forwarding agent? Well, basically it's a parcel reshipping scam where goods bought with stolen credit cards are sent to the "agent's" home address, and then the "agent" forwards the stolen goods on to Eastern Europe or China or wherever. Of course, when the police catch on it's the "agent" who is in deep, deep trouble.
From: alex Ford@un-trans.info
Reply-To: alex@union-trans.com.cn
Date: 8 October 2012 14:46
Subject: forwarder agent 2012-10-10 15:02:33
Hello,
It is glad to write to you with keen hope to open a business relationship with you.
union-trans (china) International Freight Co,. Ltd is always provide the best service and good price for Import and Export both of ocean and air freight.
These services include: FCL Import and Export, LCL Consolidation, Break-Bulk; Air Freight Import and Export, Sea-Land Transportation; as well as arranging booking, clearance, inspection,loading and evanning, storage, consultation, insurance, etc, forwarding supported services.Our business has extended all over the globe, including in Middle East, Red Sea, India, Europe, and East, Africa, Central and South America, Australia and Southeast Asia etc.
For more information,Please review to our website as below:
http://www.union-trans.com
We are looking forwarder to you reply!
Best regards
union-trans (china) International Freight Co,. Ltd
addr:Room 18B-2,East China Sea Dawn Building,Zhongshan Road 455, Ningbo Jiangdong area,Ningbo,China
directort manager:Alex Huang
Tel:+86-0574-89086653
Fax:+86-0574-89086659
Mbl:+86-0-13957424347 +86-0-15306636688
SKYPE:alex_huang58
Msn:alex_huang58@hotmail.com Email:alex@union-trans.com.cn
There appear to be several scam domains in this same email.
union-trans.com is hosted on 180.178.32.238 (Simcentric, Hong Kong). The WHOIS details are:
Admin Name........... huang yijiang
Admin Address........ Ningbo
Admin Address........
Admin Address........ Ningbo
Admin Address........ 200000
Admin Address........ ZJ
Admin Address........ CN
Admin Email.......... sunpt@qq.com
Admin Phone.......... +86.13957424347
Admin Fax............ +86.13957424347
un-trans.info is parked on 68.178.232.100, and is registered to another owner:
Registrant ID:CR117221338
Registrant Name:yijiang huang
Registrant Organization:
Registrant Street1:baizhangdongli 168
Registrant Street2:
Registrant Street3:
Registrant City:ningbo
Registrant State/Province:zhejiang
Registrant Postal Code:315100
Registrant Country:CN
Registrant Phone:+86.057481088611
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Registrant Email:hyjbbs@163.com
union-trans.com.cn seems to be just a mail handler:
Domain Name: union-trans.com.cn
ROID: 20120401s10011s18721153-cn
Domain Status: ok
Registrant ID: ctr4rtfs2aq58an
Registrant: 宁波瀚联国际货运代理有限公司
Registrant Contact Email: hyjbbs@163.com
Sponsoring Registrar: 北京新网互联科技有限公司
Name Server: ns1.dns.com.cn
Name Server: ns2.dns.com.cn
Registration Date: 2012-04-01 12:05:06
Expiration Date: 2019-04-01 12:05:06
DNSSEC: unsigned
uni-transglobal.info is an intermediary mail system using an expired domain name:
Registrant ID:CR75845753
Registrant Name:yijiang huang
Registrant Organization:
Registrant Street1:baizhangdongli 168
Registrant Street2:
Registrant Street3:
Registrant City:ningbo
Registrant State/Province:zhejiang
Registrant Postal Code:315100
Registrant Country:CN
Registrant Phone:+57.481088611
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Registrant Email:hyjbbs@163.com
Originating IP is 183.134.113.165 (Zhejiang Telecom, Ningbo, China).
The subscribe/unsubscribe links in the email also reference these addresses: hyjbbs@gmail.com
and cncxrdy001@gmail.com
Generally speaking, unsolicited job offers from out-of-the-way places are bad news and should be avoided..
Labels:
China,
Job Offer Scams
Tuesday 9 October 2012
Sprint spam / 1.starkresidential.net
This fake Sprint spam leads to malware on 1.starkresidential.net:
Date: Tue, 09 Oct 2012 22:30:56 +0300
From: "Sprint" [87A816934@uacvt.org.au]
Subject: Your Sprint bill online
Please do not reply to this email. Not seeing the images? View online or go mobile.
Bill Period: September 10 - October 9, 2012
Total Due by October 9 $5207
Note: All online payments are made in a secure environment.
SPRINT NEWS AND NOTICES
This section contains important updates about your Sprint Services, Including Service or Rate Changes, Promotions and Offers.
NEXTEL PRODUCTS: IMPORTANT MESSAGE
Due to the Nextel National Network shutdown on 6/30/13, any Nextel devices sold after 6/1/12 are intended to support existing customers' migration efforts and no minimum Order Terms will apply.
© 2012 Sprint. All rights reserved.
The malicious payload is at [donotclick]1.starkresidential.net/links/assure_numb_engineers.php hosted on 74.207.233.58 (Linode, US).
The following malicious sites are also on the same server:
25.allservicemovingandstorage.com
1.browncastro.com
1.browncastro.net
In all cases, these appear to be malicious subdomains of legitimate hacked domains. If you can, you should block traffic to 74.207.233.58 to stop other malicious sites on the same server from being a problem.
"Biweekly payroll" spam / editdvsyourself.net
This fake payroll spam leads to malware on editdvsyourself.net:
From: Run Do Not Reply [mailto:jutland@bmacapital.com]
Sent: 09 October 2012 15:10
Subject: Your Biweekly payroll is accepted
Your Biweekly payroll for check date 10/09/2012 is ready to go. Your payroll will be issued at least Two days prior to your check date to ensure timely tax deposits and delivery. If you offer direct deposit to your employees, this would also support pay down their money right at the necessary date.
Client ID: XXXXXXX1
Other details: Click here to Review
Important: Please be advised that calls to and from your payroll service team may be monitored or recorded.
Please don't reply to this message. automative notification system not configured to accept incoming email.
The malicious payload is on [donotclick]editdvsyourself.net/detects/beeweek_status-check.php, hosted on the familiar IP address of 183.81.133.121 (Vodafone, Fiji).
The following malicious domains are also associated with this IP:
acmrmn.com
addsmozy.net
art-london.net
buzziskin.net
canhmn.com
casbnm.com
editdvsyourself.net
officerscouldexecute.org
stafffire.net
strangernaturallanguage.net
simplerkwiks.net
Sunday 7 October 2012
Something evil on 5.9.188.54
Here's a nasty bunch of sites being used in injection attacks, all hosted on 5.9.188.54:
nfexfkloawuqlaahsyqrxo.qlvyeviexqzrukyo.waw.pl
nqvzrpyoossmr.qlvyeviexqzrukyo.waw.pl
xfynhovgofzsqueuuprplvv.qlvyeviexqzrukyo.waw.pl
lgrfuqfwz.qlvyeviexqzrukyo.waw.pl
zlqfrypzqyubsedrzugeaf.urblvhnfxzrozzlz.waw.pl
qxggipnnfmnihkic.ru
mvuvchtcxxibeubd.ru
5.9.188.54 is a Hetzner IP address (no surprise there) suballocated to:
inetnum: 5.9.188.32 - 5.9.188.63
netname: LLC-CYBERTECH
descr: LLC "CyberTech"
country: DE
admin-c: AG6373-RIPE
tech-c: AG6373-RIPE
status: ASSIGNED PA
mnt-by: HOS-GUN
source: RIPE # Filtered
person: Alexey Galaev
address: LLC "CyberTech"
address: Grizodubova street 4 , build.2
address: 125252 Moscow
address: RUSSIAN FEDERATION
phone: +660812703752
nic-hdl: AG6373-RIPE
remarks: -------------------------
remarks: Vpsville.ru working 24x7
remarks: -------------------------
remarks: For abuse use admin@vpsville.ru
abuse-mailbox: admin@vpsville.ru
mnt-by: HOS-GUN
source: RIPE # Filtered
You might want to block the whole 5.9.188.32/27 range.. you should certainly block 5.9.188.54 if you can.
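The advice that runs through these posts is to block the hosting IP (here the whole 5.9.188.32/27 range) rather than chase individual throwaway domains. As an added example that is not the blog's own code, this Python script applies that advice to constructed Squid-style proxy log lines, matching the landing-page paths, hostnames, IPs and range quoted in the posts above; the log layout, client addresses and the unlisted-host.example entry are assumed sample data.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Indicators copied from the posts on this page: hosting IPs the author
# suggests blocking, the 5.9.188.32/27 range, and the malicious hostnames.
BLOCKED_IPS = {
    "173.255.223.77", "75.98.171.60", "183.81.133.121", "69.194.194.229",
    "74.207.233.58", "174.140.165.112", "68.67.42.41", "178.79.146.49",
    "203.80.16.81", "96.44.139.218", "5.9.188.54",
}
BLOCKED_NETS = [ipaddress.ip_network("5.9.188.32/27")]
BLOCKED_DOMAINS = {
    "2.cmisd.org", "3.azwap.de", "1.starkresidential.net",
    "minus.preciseenginewarehouse.com", "viewsonicone.ru", "formexiting.net",
    "editdvsyourself.net", "simplerkwiks.net",
    "qlvyeviexqzrukyo.waw.pl", "urblvhnfxzrozzlz.waw.pl",
}
# Landing-page paths that recur across the spam runs described above.
LANDING_PATHS = re.compile(
    r"/(links/assure_numb_engineers\.php|forum/links/column\.php"
    r"|detects/[a-z_-]+\.php)$"
)

# Squid native access.log layout (assumed sample format):
# <ts> <elapsed> <client> <code> <bytes> <method> <url> <ident> <hier>/<peer> <type>
LOG_RE = re.compile(
    r"^\S+\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+\S+\s+\S+/(?P<peer>\S+)"
)


def ip_matches(value):
    """True if value is a listed IP or falls inside a listed range."""
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        return False
    return str(addr) in BLOCKED_IPS or any(addr in net for net in BLOCKED_NETS)


def host_matches(host):
    """True if host is a listed domain or a subdomain of one (the random
    waw.pl subdomains change constantly, so match on the parent domain)."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in BLOCKED_DOMAINS)


def classify_url(url):
    """Return the reasons a requested URL looks like exploit-kit traffic."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = parts.hostname or ""
    reasons = []
    if ip_matches(host):
        reasons.append("blocked-ip")
    if host_matches(host):
        reasons.append("blocked-domain")
    if LANDING_PATHS.search(parts.path):
        reasons.append("landing-page-path")
    return reasons


def scan_log(lines):
    """Return a list of (client, url, reasons) for every suspicious request.

    The peer (server) IP is checked as well: blocking the hosting IP also
    catches sibling sites on the same server that are not on any domain list."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        reasons = classify_url(m.group("url"))
        if ip_matches(m.group("peer")):
            reasons.append("served-from-blocked-ip")
        if reasons:
            hits.append((m.group("client"), m.group("url"), reasons))
    return hits


# Constructed sample log; timestamps and client addresses are made up.
SAMPLE_LOG = """\
1349867000.123 245 10.1.2.3 TCP_MISS/200 1432 GET http://2.cmisd.org/links/assure_numb_engineers.php - DIRECT/75.98.171.60 text/html
1349867001.456 12 10.1.2.4 TCP_MISS/200 512 GET http://www.example.com/index.html - DIRECT/93.184.216.34 text/html
1349867002.789 300 10.1.2.5 TCP_MISS/200 9000 GET http://viewsonicone.ru:8080/forum/links/column.php - DIRECT/68.67.42.41 text/html
1349867003.000 50 10.1.2.6 TCP_MISS/200 2000 GET http://nqvzrpyoossmr.qlvyeviexqzrukyo.waw.pl/x.js - DIRECT/5.9.188.54 application/javascript
1349867004.000 40 10.1.2.7 TCP_MISS/200 700 GET http://5.9.188.54/ - DIRECT/5.9.188.54 text/html
1349867005.000 60 10.1.2.8 TCP_MISS/200 800 GET http://unlisted-host.example/ - DIRECT/183.81.133.121 text/html
""".splitlines()

if __name__ == "__main__":
    for client, url, reasons in scan_log(SAMPLE_LOG):
        print(client, url, ",".join(reasons))
```

The last sample line shows why the IP check matters: the hostname is on no list, but the request was served from 183.81.133.121 and is still flagged.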
Labels:
Hetzner,
Injection Attacks,
Malware,
Russia
Friday 5 October 2012
"Intuit GoPayment" spam / simplerkwiks.net
This fake "Intuit GoPayment" spam leads to malware on simplerkwiks.net:
Date: Fri, 5 Oct 2012 15:54:26 +0100
From: "Intuit GoPayment" [abstractestknos65@pacunion.com]
Subject: Welcome - you're been granted access for Intuit GoPayment Merchant
.
Greetings & Congrats!
Your GoPayment? statement for WALLET , DEVELOPMENTS has been issued.
Intuit Payment
Account No.: XXXXXXXXXXXXXX16
Email Address: [redacted]
NOTE :
Additional charges for this service may now apply.
Next step: Confirm your User ID
This is Very Important lets you:
Manage your payment service in the Merchant Center
Review charges
Log In to other Intuit products you may use, like TurboTax, Quicken, and Intuit Payroll
The good news is you have active an existing Intuit account for your email address, You can use this ID for your payment service also, or enter a new one.
Verify UserID
Get started:
Step 1: If you have not still, download the Intuit application.
Step 2: Run the GoPayment app and sign in with the UserID (your email address) and Password you setup.
Easy Manage Your GoPayment System
The Intuit GoPayment Merchant Service Center is the website where you can learn a lot about GoPayment features, customize your sales receipt and add GoPayment users. You can also manage transactions, deposits and fees. Visit link and signin with your GoPayment Access ID (your email address) and Password.
For more information on how to get started using Intuit Merchant, including tutorials, FAQs and other resources, visit the Service Center at web site.
Please do not reply to this message. automative notification system not configured to accept incoming email.
System Terms & Agreements © 2012 Intuit, Inc. All rights reserved.
UPS Spam / minus.preciseenginewarehouse.com
This fake UPS spam leads to malware on minus.preciseenginewarehouse.com:
The malicious payload is at [donotclick]minus.preciseenginewarehouse.com/links/assure_numb_engineers.php hosted on 174.140.165.112 (DirectSpace Networks, US) which also houses the following suspect domains:
minus.preciseenginewarehouse.com
minus.dirttrackwarehouse.com
minus.sprintwarehouse.com
two.scott-j.com
one.touveron.com
two.accent-bldrs.com
To be precise, the subdomains seem malicious; the parent domains themselves appear to be legitimate ones whose domain accounts have been hacked to add the rogue subdomains, so block the hostnames listed rather than the whole domains. Blocking 174.140.165.112 would be prudent.
From: "UPSBillingCenter" [512A03797@songburi.com]
Subject: Your UPS Invoice is Ready
This is an automatically generated email. Please do not reply to this email address.
Dear UPS Customer,
New invoice(s) are available for the consolidated payment plan(s) / account(s) enrolled in the UPS Billing Center
Please visit the UPS Billing Center to view and pay your invoice.
Discover more about UPS:
Visit ups.com
Explore UPS Freight Services
Learn About UPS Companies
Sign Up For Additional Email From UPS
Read Compass Online
(c) 2012 United Parcel Service of America, Inc. UPS, the UPS brandmark, and the color brown are trademarks of United Parcel Service of America, Inc. All rights reserved.
For more information on UPS's privacy practices, refer to the UPS Privacy Policy.
Please do not reply directly to this e-mail. UPS will not receive any reply message.
For questions or comments, visit Contact UPS.
This communication contains proprietary information and may be confidential. If you are not the intended recipient, the reading, copying, disclosure or other use of the contents of this e-mail is strictly prohibited and you are instructed to please delete this e-mail immediately.
Privacy Policy
Contact UPS
Thursday 4 October 2012
"Corporate eFax message" spam / 184.164.136.147
These fake fax messages lead to malware on 184.164.136.147:
The malicious payload is at [donotclick]184.164.136.147/links/assure_numb_engineers.php which is an IP address belonging to Secured Servers LLC in the US and suballocated to:
autharea=184.164.128.0/19
xautharea=184.164.128.0/19
network:Class-Name:network
network:Auth-Area:184.164.128.0/19
network:ID:NET-11719.184.164.136.128/27
network:Network-Name:Public
network:IP-Network:184.164.136.128/27
network:IP-Network-Block:184.164.136.128 - 184.164.136.159
network:Org-Name:Jolly Works Hosting
network:Street-Address:Unit 3C No. 831 SAM Building, Dagupan Road
network:City:Manilla
network:State:NCR
network:Postal-Code:1013
network:Country-Code:PH
network:Tech-Contact:MAINT-11719.184.164.136.128/27
network:Created:20110811175617000
network:Updated:20110811175617000
network:Updated-By:dnsadmin@securedservers.com
contact:POC-Name:Nevin Poly
contact:POC-Email:supportsages@gmail.com
contact:POC-Phone:
contact:Tech-Name:DNS Administrator
contact:Tech-Email:dnsadmin@securedservers.com
contact:Tech-Phone:(480) 422-2023
contact:Abuse-Name:Abuse
contact:Abuse-Email:abuse@securedservers.com
contact:Abuse-Phone:+1-480-422-2022 (Office)
It might be worth blocking 184.164.136.128/27 to be on the safe side.
Date: Thu, 04 Oct 2012 19:00:16 +0200
From: "eFax.Alert" [E988D6C@vida.org.pt]
Subject: Corporate eFax message - 09 pages
Fax Message [Caller-ID: 341-498-5688]
You have received a 09 pages fax at Thu, 04 Oct 2012 19:00:16 +0200.
* The reference number for this fax is min1_20121004190016.8673161.
View this fax using your PDF reader.
Click here to view this message
Please visit www.eFax.com/en/efax/twa/page/help if you have any questions regarding this message or your service.
Thank you for using the eFax service!
Home | Contact | Login
© 2011 j2 Global Communications, Inc. All rights reserved.
eFax® is a registered trademark of j2 Global Communications, Inc.
This account is subject to the terms listed in the eFax® Customer Agreement.
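As an added example, not from the original posts: a Python snippet using the standard ipaddress module to turn the single IPs and the suggested ranges from these posts (5.9.188.32/27 from the Hetzner post, 184.164.136.128/27 here, plus the Fiji and DirectSpace hosts) into one collapsed blocklist, check candidate addresses against it, and show why the /27 suballocation from the whois data is the right scope rather than the provider's whole 184.164.128.0/19. The probe addresses and the iptables chain name are assumptions made for the example.

```python
import ipaddress

# Indicators named in the posts above (list constructed from the text).
BAD_IPS = [
    "5.9.188.54",        # Hetzner host from the injection-attacks post
    "183.81.133.121",    # Vodafone Fiji: Intuit GoPayment and Verizon Wireless spam
    "174.140.165.112",   # DirectSpace Networks: UPS spam
    "184.164.136.147",   # Secured Servers / Jolly Works Hosting: eFax spam
]
BAD_RANGES = ["5.9.188.32/27", "184.164.136.128/27"]

# The whois data shows 184.164.136.128/27 as a suballocation inside this block,
# which belongs to the hosting provider as a whole.
PARENT_ALLOCATION = "184.164.128.0/19"


def build_blocklist(ips, ranges):
    """Merge single IPs and CIDR ranges into the minimal list of non-overlapping networks.

    A /32 that already sits inside one of the ranges (5.9.188.54 in 5.9.188.32/27,
    184.164.136.147 in 184.164.136.128/27) is absorbed rather than listed twice.
    """
    nets = [ipaddress.ip_network(r, strict=False) for r in ranges]
    nets += [ipaddress.ip_network(ip) for ip in ips]  # host addresses become /32s
    return list(ipaddress.collapse_addresses(nets))


def matching_network(addr, blocklist):
    """Return the blocklist network that covers addr, or None if it is not blocked."""
    a = ipaddress.ip_address(addr)
    for net in blocklist:
        if a in net:
            return net
    return None


def block_scope(ip, suballoc, parent):
    """Compare the reach of a range block with the provider's whole allocation.

    Returns (ip_in_suballoc, suballoc_in_parent, suballoc_size, parent_size).
    """
    a = ipaddress.ip_address(ip)
    sub = ipaddress.ip_network(suballoc, strict=False)
    par = ipaddress.ip_network(parent, strict=False)
    return (a in sub, sub.subnet_of(par), sub.num_addresses, par.num_addresses)


def iptables_rules(blocklist, chain="FORWARD"):
    """Render one DROP rule per collapsed network (chain name is an assumption)."""
    return [f"iptables -A {chain} -d {net.with_prefixlen} -j DROP" for net in blocklist]


if __name__ == "__main__":
    blocklist = build_blocklist(BAD_IPS, BAD_RANGES)
    for rule in iptables_rules(blocklist):
        print(rule)
    # Constructed probes: one inside the eFax /27, one just outside it but still
    # inside the provider's /19, which a /27 block correctly leaves alone.
    for probe in ("184.164.136.147", "184.164.136.160", "5.9.188.63", "5.9.188.64"):
        print(probe, "->", matching_network(probe, blocklist))
    print(block_scope("184.164.136.147", "184.164.136.128/27", PARENT_ALLOCATION))
```

The collapsed list comes out as four entries (two /27s and two /32s), and block_scope shows the /27 covers 32 addresses against 8192 for the /19, which is why the suballocation, not the provider range, is the sensible unit to block. Remember that these are shared hosting IPs: as the UPS post shows, a range block can also cut off legitimate sites that happen to share the server, and blocking the destination does nothing about the spam already in mailboxes.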
Labels:
eFax,
Jolly Works Hosting,
Malware,
Spam,
Viruses
Verizon Wireless spam / strangernaturallanguage.net
This fake Verizon wireless spam leads to malware on strangernaturallanguage.net:
The malicious payload is at [donotclick]strangernaturallanguage.net/detects/notification-status_login.php hosted on 183.81.133.121 (Vodafone, Fiji).
The following domains are hosted on that IP and should be regarded as suspect:
strangernaturallanguage.net
buzziskin.net
art-london.net
addsmozy.net
From: AccountNotify whitheringj@spcollege.edu
Date: 4 October 2012 18:52
Subject: Recent Notification in My Verizon
SIGNIFICANT ACCOUNT NOTIFICATION FROM VERIZON WIRELESS.
Your informational letter is available.
Your account # ending: XXX8 XXXX4
Our Valued Client
For your accommodation, your confirmation message can be found in the Account Documentation desk of My Verizon.
Please check your acknowledgment letter for all the information relating to your new transaction.
View Approval Message
In addition, in My Verizon you will find links to info about your device & services that may be helpfull if you looking for answers.
Thank you for joining us .
My Verizon is also accessible 24 hours 7 days a week to assist you with:
Usage details
Updating your tariff
Add Account Users
Pay your invoice
And much, much more...
© 2012 Verizon Wireless
Verizon Wireless | One Verizon Way | Mail Code: 523WSE | Basking Ridge, MA 55584
We respect your privacy. Please review our privacy policy for more details