Dynamoo's Blog

Thursday 6 December 2012

iTunes "Christmas gift card" / api.myobfuscate.com / nikolamireasa.com

Here's a malware-laden spam with a twist:

From:    iTunes [shipping@new.itunes.com]
To:    purchasing [purchasing@[redacted]]
Date:    6 December 2012 20:59
Subject:    Christmas gift card

Order Number: M1V7577311
Receipt Date: 06/12/2012
Shipping To: purchasing@[redacted]

Order Total: $500.00
Billed To: Hilary Shandonay, Credit card

Item Number     Description     Unit Price
1     Christmas gift card (View\Download )     $500.00
Subtotal:     $500.00
Tax:     $0.00
Order Total:     $500.00

Please retain for your records.
Please See Below For Terms And Conditions Pertaining To This Order.

Apple Inc.
You can find the iTunes Store Terms of Sale and Sales Policies by launching your iTunes application and clicking on Terms of Sale or Sales Policies

FBI ANTI-PIRACY WARNING
UNAUTHORIZED COPYING IS PUNISHABLE UNDER FEDERAL LAW.

Answers to frequently asked questions regarding the iTunes Store can be found at http://www.apple.com/support/itunes/store/

Apple ID Summary ГѓВўГўвЂљВ¬Г‚Вў Detailed invoice

Apple respects your privacy.

Copyright ГѓвЂљГ‚В© 2011 Apple Inc. All rights reserved

In this case the link goes through a free web hosting site at [donotclick]longa-neara.ucoz.org which contains some heavily obfuscated javascript that eventually leads to malicious landing page on [donotclick]nikolamireasa.com/less/demands-probably.php hosted on 188.93.210.133 (logol.ru, Russia). That IP hosts the following toxic domains that you should block:

nikolamireasa.com
portgazza.cu.cc
hopercac.cu.cc
hopercas.cu.cc
ukumuxur.qhigh.com
ymuvyjih.25u.com

Heck, you might just want to cut your losses and block 188.93.210.0/23 too. Anyway, the curious thing is that the malicious javascript uses an intermediary obfuscation site called api.myobfuscate.com which you can see has been used to infect a few sites before.

Now, perhaps myobfuscate.com was created with the best of intentions, but if the bad guys have a use for it then you can bet they are probably about to abuse it in a big way.

Both api.myobfuscate.com and www.myobfuscate.com are hosted on the same IP at 188.64.170.17 (also in Russia) which is part of a tiny netblock of 188.64.170.16/31 which you may as well block too. The 188.64.170.17 IP also contains the following domains which might also be abused in the same way:

htmlobfuscator.com
api.htmlobfuscator.com
htmlobfuscator.info
javascript-obfuscator.info
javascriptcompressor.info
javascriptcrambler.com
javascriptobfuscate.com
javascriptobfuscator.info
myobfuscate.com
api.myobfuscate.com
obfuscatorjavascript.com
api.obfuscatorjavascript.com
js.robotext.com
js.robotext.info
js.robottext.ru

In my opinion, obfuscating javascript is a really bad thing and there is no legitimate reason to use it. Blocking access to free-to-use obfuscation tools like this may run the risk of breaking some legitimate sites. But only if they have been coded by idiots.

eBay, PayPal spam / ibertomoralles.com

These spam messages lead to malware on ibertomoralles.com:

Date:     Thu, 6 Dec 2012 13:12:16 -0600
From:     "PayPal" [service@paypal.com]
Subject:     Your Ebay.com transaction details.

    Dec 5, 2012 09:31:49 CST

Transaction ID: U5WZP603SNLLWR5DT
Hello [redacted],

You sent a payment of $363.48 USD to Normand Akers.

It may take a several minutes for this transaction to appear in your transactions history.

Seller

Normand-Akers@aol.com

    Instructions to seller

You haven't entered any instructions.
Shipping address - confirmed
Hyde Rd
Glendale SC 58037-0659
United States
    Shipping details
The seller hasn't provided any shipping details yet.
Description     Qty.     Amount
NordicTrack Mini Cycle

Item# 118770508253     24     $363.48 USD
Shipping and handling     $24.99 USD
Insurance - not offered     ----
Total     $363.48 USD
Payment     $363.48 USD

Payment sent to Normand Akers

Receipt ID: D-69NQRGN113A3A9UQ3

Issues with this transaction?

You have 45 days from the date of the transaction to open a dispute in the Resolution Center.

Please do not reply to this message. auto informer system unable to accept incoming messages. For immediate answers to your issues, visit our Help Center by clicking "Help" located on any PayPal page.

PayPal Email ID PZ147

==========

Date:     Thu, 6 Dec 2012 19:57:37 +0100
From:     "PayPal" [noreply@paypal.com]
Subject:     Your Paypal.com transaction confirmation.

    Dec 5, 2012 09:50:54 CST

Transaction ID: 8P7D295HFIIIMUC4Q
Hello [redacted],

You done a payment of $894.48 USD to Carol Brewster.

It may take a few moments for this transfer to appear in your transactions history.

Merchant

Carol-Brewster@aol.com

    Instructions to seller

You haven't entered any instructions.
Shipping address - confirmed
Pharetra Street
Manlius NY 74251-6442
United States
    Shipping details
The seller hasn't provided any shipping details yet.
Description     Qty.     Amount
TaylorMade R11 Driver Golf Club

Item# 703099838857     54     $894.48 USD
Shipping and handling     $14.49 USD
Insurance - not offered     ----
Total     $894.48 USD
Payment     $894.48 USD

Payment sent to Carol Brewster

Receipt ID: H-K01U2WSTLZZMRAB90

Issues with this transaction?
You have 45 days from the date of the purchase to issue a dispute in the Resolution Center.

Please DO NOT reply to this message. auto-notification system can't accept incoming mail. For fast answers to your subjects, visit our Help Center by clicking "Help" located on any PayPal page.

PayPal Email ID P8695

The malicious payload is at [donotclick]ibertomoralles.com/detects/slowly_apply.php hosted on 59.57.247.185 (Xiamen JinLongLvXingChe, China). The following malicious domains also appear to be hosted on the same server:

addon.su
ansncm.org
codemark.net
hfeitu.net
ibertomoralles.com
icobag.com
labpr.com
minevi.com
moid.pl
naky.net
namelesscorn.net
porkystory.net
proscitomash.com
robertokarlosskiy.su
roketlauncherskiy.org
romoviebabenki.ru
securityday.pl
seldomname.com
shopgreatvideonax.com
svictrorymedia.ru
tradenext.net
winterskyserf.ru
ygsecured.ru
zindt.net

"Copies of policies" spam / cinemaallon.ru

This spam leads to malware on cinemaallon.ru:

Date:     Thu, 6 Dec 2012 06:41:01 -0500
From:     Isidro Pierre via LinkedIn [member@linkedin.com]
Subject:     RE: ASHTON - Copies of Policies.

Unfortunately, I cannot obtain electronic copies of the Ocean, Warehouse or EPLI policy.

Here is the Package and Umbrella,

and a copy of the most recent schedule.

ASHTON QUINONES,

The malicious payload is at [donotclick]cinemaallon.ru:8080/forum/links/column.php hosted on the following familiar IPs:

202.180.221.186 (Gnet, Mongolia)
208.87.243.131 (Psychz Networks, US)

Amazon spam / evokeunreasoning.pro

A few different variants of this today, all pretending to be from Amazon and leading to malware on evokeunreasoning.pro:

Date:     Thu, 6 Dec 2012 17:32:38 +0200
From:     "Amazon . com" [digital-notifier@amazon.com]
Subject:     Your Amazon.com order receipt.

    Click here if the e-mail below is not displayed correctly.

Follow us:


Your Amazon.com                         Today's Deals                 See All Departments

Dear Amazon.com Member,


Thanks for your order, [redacted]!

Did you know you can view and edit your orders online, 24 hours a day? Visit Your Account.

Order Overview:

E-mail Address: [redacted]
Billing Address:
1113 4th Street
Fort North NC 71557-2319,,FL 67151}
United States
Phone: 1-491-337-0438

Order Grand Total: $ 50.99

Earn 3% rewards on your Amazon.com orders with the Amazon Visa Card. Learn More

Order Summary:
Details:
Order #:     C47-8578330-3362713
Subtotal of items:     $ 50.99
    ------
Total before tax:     $ 50.99
Tax Collected:     $0.00
    ------
Grand Total:     $ 50.00
Gift Certificates:     $ 0.99
    ------
Total for this Order:     $ 50.99



Find Great Deals on Millions of Items Storewide
We hope you found this message to be useful. However, if you'd rather not receive future e-mails of this sort from Amazon.com, please opt-out here.

� 2012 Amazon.com, Inc. or its affiliates. All rights reserved. Amazon, Amazon.com, the Amazon.com logo and 1-Click are registered trademarks of Amazon.com, Inc. or its affiliates. Amazon.com, 475 Larry Ave. N., Seattle, MI 83304-6203. Reference: 61704824

Please note that this message was sent to the following e-mail address: [redacted]

The malicious payload is at [donotclick]evokeunreasoning.pro/detects/slowly_apply.php but at the time of writing the domain does not seem to be resolving.

Wednesday 5 December 2012

BBB Spam / leberiasun.ru

This fake BBB spam leads to malware on leberiasun.ru:

Date:     Wed, 5 Dec 2012 11:32:47 +0330
From:     Bebo Service [service@noreply.bebo.com]
Subject:     Urgent information from BBB

Attn: Owner/Manager

Here with the Better Business Bureau notifies you that we have received a complaint (ID 243917811)
from one of your customers with respect to their dealership with you.

Please open the COMPLAINT REPORT below to obtain more information on this matter and let us know of your point of view as soon as possible.

We are looking forward to your prompt reply.
Regards,

JONELLE Payne

The malicious payload is at [donotclick]leberiasun.ru:8080/forum/links/column.php (report here) hosted on the following IPs:

42.121.116.38 (Aliyun Computing Co, China)
202.180.221.186 (GNet, Mongolia)
208.87.243.131 (Psychz Networks, US)
219.255.134.110 (SK Broadband, Korea

These IPs have been used in several attacks recently. You should block access if you can.

Zbot sites to block 5/12/12

These domains and IPs are involved in malware distribution, especially the Zbot trojan. Most are using the nameservers in the dnsnum10.com domain, or are co-hosted on the same server and have malicious characteristics.

I've come up with a recommended blocklist based on the characteristics on the netblocks in question. If you are based in Russia, Ukraine, Poland or Iran then you may want to review these carefully.

IP addresses and hosts
31.184.244.73 (TOEN Incorporated, UAE)
62.122.74.47 (Leksim, Poland)
77.72.133.69 (Colobridge, Germany)
78.46.205.130 (Hetzner, Germany)
78.140.135.211 (Webazilla, Gibraltar)
85.143.166.132 (PIRIX, Russia)
87.107.121.131 (Soroush Rasanheh Company Ltd, Iran)
91.211.119.56 (Zharkov Mukola Mukolayovuch, Ukraine)
91.231.156.25 (Sevzapkanat-Unimars, Russia)
91.238.83.56 (Standart LLC, Moldova)
146.185.255.161 (Sergeev Sergei Yurievich PE, Russia)
178.162.132.202 (Tower Marketing, Belize)
178.162.134.176 (Silin Vitaly Petrovich, Belarus)
188.93.210.28 (Hosting Service, Russia)
195.88.74.110 (Info Data Center, Bulgaria)
198.144.183.227 (Colocrossing, US)

Single IP list for copy and pasting:
31.184.244.73
62.122.74.47
77.72.133.69
78.46.205.130
78.140.135.211
85.143.166.132
87.107.121.131
91.211.119.56
91.231.156.25
91.238.83.56
146.185.255.161
178.162.132.202
178.162.134.176
188.93.210.28
195.88.74.110
198.144.183.227

Recommended blocklist:
31.184.244.73
62.122.72.0/21
77.72.133.69
78.46.5.128/29
78.140.135.211
85.143.166.0/24
87.107.96.0/19
91.211.119.56
91.231.156.0/24
91.238.83.0/24
146.185.255.0/24
178.162.132.0/24
178.162.134.128/26
188.93.210.28
195.88.74.110
198.144.183.227

Domains:
001dulpieafry.changeip.org
001lrrldtavol.changeip.org
002tkbhqhlsvt.changeip.org
004ppfpcbvctd.changeip.org
004quzisdueai.changeip.org
020jbxsgqwpse.changeip.org
022btrarqcfuk.changeip.org
026kordzsydup.changeip.org
4nfyfj.info
6j5jjek.info
accelerationarrangement.info
aderto.cu.cc
adertos.cu.cc
adx.empowersspanish.info
all1.lflinkup.com
all10.lflinkup.com
all3.lflinkup.com
all8.lflinkup.com
all9.lflinkup.com
alpha.spice-forum.in.ua
apple-free.uni.me
arizonaunintelligible.pro
avast.formsbasedscreeners.asia
avira.formsbasedscreeners.asia
barracoon.org
bicyclingsecondfastest.pro
bigprobivbig.net
bilitys.cu.cc
bilityss.cu.cc
brainiacdatingcomothers.pro
bringingaward.asia
broadlytrap.net
bulkmolosiz.com
bulkyards.com
bulkyards.net
charitablesecurities.asia
clearcubeinterviews.pro
clinquant.org
collatesphotoworks.org
confusingfunctionality.info
coreldrawscratch.asia
dangerstriangle.info
deephole.info
derusliman.org
dialectskew.info
dnsnum10.com
docspittance.asia
dracodatas.info
empowersspanish.info
energyefficientpermonth.pro
ergyefficient.asia
eset.formsbasedscreeners.asia
f4lhhd.com
f56yk.com
fapitorgtube.cu.cc
faxesworry.asia
finestaccompanying.info
fkyjyj.cu.cc
flashrssfeedlike.asia
formsbasedscreeners.asia
foundationfourtrack.asia
g4nj389.net
g6aews.com
gdgt54hdfg5y6d.hopto.org
get-it-free.flu.cc
goldenmail.in
helicograph.com
helicograph.net
helicograph.org
highflyingmotivates.info
hry24h.com
img.coldstoragemn.com
img.floodace.com
img.heritagedaysfestival.org
img.mnrealestatehome.com
iptcbolts.net
isiftheoretically.pro
jacklighter.org
jfoih347.net
jkrsryk.info
js.casio-11.com
js.casio-ok.com
kasadi.cu.cc
kazbec.info
kiklamas.cu.cc
krestybx.cu.cc
lasazar.cu.cc
lessexpensiveprototypes.asia
lisagaxu.tk
logs.clearcubeinterviews.pro
mailtypical.net
meprovidinggiggle.net
mergingvisisafe.info
minimoogsmerits.info
mobilewalmartcom.pro
mokingbirdgives.org
mytouchcoediting.net
nomadtoys.pro
nuf78784f.com
nuvfhruf.com
openearedinclusive.net
opticshoc.pro
packingdebug.asia
partnerssitesnonauthorized.asia
pasteszerou.pro
patiencerevolution.asia
phalange.net
phalange.org
pitchessuppress.org
platformindependentviz.pro
powerquesttrivial.net
primemasterswitch.asia
proofingsloth.info
pulldownnextag.info
qorayot.tk
ranikslall.biz
ranikslall.com
ranikslall.info
ranikslall.org
ratevoicemail.asia
repurposedsmtppop.asia
rightfullyretina.org
ringtonesprevent.asia
rushcreaking.net
sensibilitiesdolls.org
shareself.info
siteadvisorejector.info
slimmingedirol.pro
soundtrackoh.org
surviveoutpace.info
syenial.com
t5rgddfth67rdfgd.hopto.org
terminaloften.pro
toolbarpcmag.info
tutaqasi.tk
tutorialmediumsize.asia
udneriww.com
uikojyurfersw.homelinux.net
uninstallerthumbtack.asia
unprotectedepicture.info
usozureq.isasecret.com
vmailtalkguideone.net
vn3vrr.com
www.all15.lflinkup.com
www.all16.lflinkup.com
xovgnbxdvzsc.dyndns-remote.com
xubodaqi.tk
y8jdo.info
yardinjuries.info
zawejame.tk
zazaebuk.cu.cc
zks5k.com
zwedaseeqqs.homelinux.com

Tuesday 4 December 2012

Facebook "You have notifications pending" spam / francese.ru

This fake Facebook spam leads to malware on francese.ru:

Date:     Tue, 4 Dec 2012 03:38:42 +0000
From:     KaseyElleman@victimdomain.com
Subject:     You have notifications pending

facebook
Hi,
Here's some activity you may have missed on Facebook.
SALLIE FELIX has posted statuses, photos and more on Facebook.
Go To Facebook

See All Notifications
This message was sent to postinialerts@[redacted]. If you don't want to receive these emails from Facebook in the future or have your email address used for friend suggestions, please click: unsubscribe.

Facebook, Inc. Attention: Department 415 P.O Box 10005 Palo Alto CA 94303

The malicious payload is at [donotclick]francese.ru:8080/forum/links/column.php hosted on the following IP addresses:

42.121.116.38 (Aliyun Computing Co, China)
202.180.221.186 (GNet, Mongolia)
203.80.16.81 (MYREN, Malaysia)
208.87.243.131 (Psychz Networks , US)
219.255.134.110 (SK Broadband, Korea)

Plain list for copy-and-pasting:
42.121.116.38
202.180.221.186
203.80.16.81
208.87.243.131
219.255.134.110

US Airways spam / attachedsignup.pro

This fake US Airways spam leads to malware on attachedsignup.pro:

From:    US Airways - Booking [reservations@myusairways.com][
Date:    4 December 2012 14:30
Subject:    US Airways online check-in.

You can check in from 24 hours and up to 60 minutes before your flight (2 hours if you're flying internationally). After that, all you have to do is print your boarding pass and go to the gate.

Purchase code: 183303

Check-in online: Online booking details

Payment method: Credit card
Money will be withdrawn in next 3 days

Voyage

5990
Departure city and time

Massachusets MA (DCA) 10:10 AM

Depart date: 12/05/2012

We takes care to protect your privacy. Your information is kept private and confidential. For information about our privacy policy visit usairways.com.

US Airways, 145 W. Rio Salado Pkwy, Tempe, AK 93426 , Copyright US Airways , All rights reserved.

The payload and IP addresses are identical to this spam doing the rounds today.

"Most recent events on Facebook" spam / attachedsignup.pro

This fake Facebook spam leads to malware on Most recent events on attachedsignup.pro:

Date:     Tue, 4 Dec 2012 15:19:16 +0100
From:     " Facebook Security Team" [fractionallyb9@hendrickauto.com]
Subject:     Most recent events on Facebook

facebook

Hi [redacted],

You have closed your Facebook account. You can rebuild your account whenever you wish by logging into Facebook using your current login email address and password. Subsequently you will be able to take advantage of the site as usually.
Please use the link below to reactivate :
http://www.facebook.com/home.php
If this was you, please pass over this informer. If this wasn't you, please secure your account, as some outlaw person may be explore it.
Best regards, The FaceBook Team
Please note: Facebook will never ask for your personal data through email.

This message was sent to [redacted] from your profile details. Facebook, Inc., Attention: Department 437, PO Box 20000, Palo Alto, CA 96906

The malicious payload is at [donotclick]attachedsignup.pro/detects/links-neck.php (report here) hosted on 41.215.225.202 (Essar Wireless Kenya Ltd) which also hosts the probably malicious domain sessionid0147239047829578349578239077.pl

"ARK Bureau" (arkbureau.com) fake job offer

~~The ARK Architecture Bureau is a genuine company. This fake job offer is not from ARK Bureau, but is some sort of illegal activity such as money laundering.~~

Update: I didn't look closely enough at the site, I discovered that arkbureau.com is also fake, as is this email. See more below. This is still trying to recruit people for money laundering though.

From: Odette Holcomb [mailto:nbnian@esonchem.co.kr]
Sent: 03 December 2012 12:32
Subject: Help wanted.

POSITION: Customer Assistant

ABOUT COMPANY:
ARK Bureau has served hundreds of clients in the United Kingdom, Poland, France and Germany since 1998.

The firm was created by Lorinda Rogers, a young architect of Canadian origin. From its inception, ARK Bureau.s vision for design and construction was based on system approach, incorporating both building and landscape design. That philosophy has always meant the highest quality for our clients. That.s probably why ARK Bureau enjoys a strong loyalty from the past customers.

Now we have open vacancy in the U.S.: Customer Assistant

RESPONSIBILITIES:
- Process payments from customers;
- Filing invoices, statements and associated documents;
- Meet and exceed performance and time management goals;
- Other duties as required.

GENERAL SKILLS:
- High communication skills;
- Strong problem solving and planning skills;
- Experienced computer & internet user.

APPLY:
To apply please: arkbureaumanager@nokiamail.com

An alternative version uses the email address of arkbureau_manager@nokiamail.com. The two samples that I have seen have originating IP addresses of 174.52.171.8 (Comcast, US) and 109.173.54.245 (NCNET, Russia).

You should give this fake company a wide berth unless you want to end up in serious trouble with law enforcement.

Update: I had originally assumed from the amateurish spam email that arkbureau.com belonged to a genuine company. However, a search of UK company records shows no such company, the domain was only registered a month ago to an address which is actually consistent with the one on the site:

Domain Name: ARKBUREAU.COM

Registrant:
     N/A
    Allen Hart        (arkbureau@aol.com)
    108 Broadwick Street
    London
    London,W1F 8MT
    GB
    Tel. +44.448715283620

Creation Date: 16-Nov-2012
Expiration Date: 16-Nov-2013

Their site is full of stock images (like the one below) which can be found in many other places, most of which appear to be in the US (where they don't have an office).

Fundamentally, the whole thing is a fake. A good-looking fake, but a fake nonetheless.

These contact details are presumably also bogus:

Int'l Customer Care: +1 646 583 0506

Our head office is located in London, UK:

108 Broadwick Street, London, W1F 8MT, UK
Phone: +44(0) 20 3290 1280
Fax: +44(0) 871 528 3620
Email: info@arkbureau.com

Since 2010 we also run a branch in Warsaw, Poland:

Pl. Pilsudskiego 3, 00-078 Warszawa, Poland
Phone: +48 22 208 4722
E-mail: info@arkbureau.com

Well, a quick Google of "108 Broadwick Street" indicates that it probably doesn't exist. If we get down on the ground with Google Streetview we can see that Broadwick Street only goes up to number 76 which is a bank of cash machines. Also, the quoted postcode of W1F 8MT is wrong, that belongs to somewhere which is quite a walk from Broadwick Street.

Emails to info@arkbureau.com bounce, there is no such user configured on the server.

arkbureau.com itself is hosted on 64.191.88.71 (HostNOC, US). There are several other sites on the same server that look dedicated to either fraud or fake pharma. I would recommend that all of these sites are avoided:

abcforwarding.com
actualcard.net
afpeasttexas.org
agea-usa.com
arkbureau.com
armorebeauty.com
autosales.com.do
beauty-wish-list.info
bestdesignstudios.ru
bestdietpillsreviews.org
buycanadianviagraonline.com
byabovegroundpools.com
canada-cialis.net
canadian-viagra.org
cialis-40-mg.com
cialis-5-mg.org
cialisprofessionals.com
cr-goods.com
ctrlpack.com
curiote.com
debtcptl.com
dioxidesoftware.com
discount-levitra.com
diybeautifulbody.com
encom-fg.com
engagement-rings-gallery.com
executivehomeswaco.com
executivehomeswacotexas.com
fantastic-male-size.com
firstransfer.com
getmattresswarehouse.com
getusedhorsetrailers.com
globalmg.org
godrop.biz
hallgg.pl
happychickengrill.com
heidtgroup.com
hiphopsongs.us
iceraysfancard.com
ixcongroup.com
jaffe-inc.com
livesecurity.pro
livesecuritypro.org
magnitogorsk.ws
myparcelforwarding.com
newboxcenter.com
nhsgroup.net
nowamarket.com
parcelunited.net
paydayloan-assistant.com
plate-flipper.com
politcenter.org
power-meds.com
pragueprivate.com
preventpainnow.org
prolivesecurity.org
propackage.biz
provenlovetabs.com
purchase-tadalafil.com
releasebg.com
rezzonans.net
rezzonans.org
ruskombat.info
rxtabsworld.com
securitylive.pro
shengfangtex.com
stafer.pro
starbuckscorp.com
sterece.com
stuffarea.biz
thefce.com
top-email-software.com
travelscom.net
traversestate.com
trustedmensmeds.com
uniteddigitalmedia.com
usheadway.com
usstyle.org
vendconsulting.com
viacton.com
viagra-super-force.org
virodex.com
virtualizare.net
wedding-bouquets-gallery.com
weddingshoesbridalonline.com
your-drug-blog.com

Monday 3 December 2012

"Scan from a Hewlett-Packard ScanJet" spam / somaliaonfloor.ru

This fake printer spam leads to malware on somaliaonfloor.ru:

Date:     Mon, 3 Dec 2012 09:25:59 -0600
From:     Bebo Service [service@noreply.bebo.com]
Subject:     Fwd: Re: Scan from a Hewlett-Packard ScanJet #3838

A document was scanned and sent to you using a Hewlett-Packard HP15310290

Sent to you by: ROSIO
Pages : 8
Filetype(s): Images (.jpeg) View

==========

Date:     Mon, 3 Dec 2012 11:06:22 -0500
From:     "service@paypal.com" [service@paypal.com]
Subject:     Re: Fwd: Scan from a Hewlett-Packard ScanJet 33712789

A document was scanned and sent to you using a Hewlett-Packard HP8220647

Sent to you by: CLAUDIA
Pages : 7
Filetype(s): Images (.jpeg) View

The malicious payload is at [donotclick]somaliaonfloor.ru:8080/forum/links/public_version.php hosted on the same IPs used in this attack.

113.197.88.226 (ULNetworks, Korea)
202.180.221.186 (GNet, Mongolia)
203.80.16.81 (MYREN, Malaysia)

ADP spam / fsblimitedrun.pro

This fake ADP spam leads to malware on fsblimitedrun.pro:

From:    ADP Transaction Status
Date:    3 December 2012 17:55
Subject:    ADP Major Accounts Processed Case

Valued customer:

James lately covered Transaction at your account. Event # 433933082.

     Case Caption: 6CO7

      Incident Substantiation: Download

We at ADP obtain to create a personalized and client focused experience with every client interaction.
Please view transaction changed by
visiting the link below.

Click here - ADP Major Accounts Operation Progress mentioned above

Best Wishes,

     James Brooks

     Vice President of Customer Care Department ADP

     ADP Major Accounts

***Reminder***

Please remember to complete your Semi-Annual Service Quality Survey!

Our Goal is to ensure you are VERY SATISFIED with each interaction you have with our Service Associates and we ask that you consider your overall experience in the 6 months preceding your receipt of the survey. We strive to provide WORLD CLASS SERVICE and determine our success by your satisfaction with ADP's services.

**********

This e-mail was delivered from an robot account.

Please don't reply to this message. auomatic informational system unable to accept incoming email.

**********

The malicious payload is at [donotclick]fsblimitedrun.pro/detects/survey_success-complete.php hosted on 41.215.225.202 (Essar Wireless Kenya Ltd) along with the following malicious domain: fdic-update-install.info

Blocking access to this IP address would probably be prudent.

Wire Transfer spam / panamechkis.ru

This fake wire transfer spam leads to malware on panamechkis.ru:

Date:     Mon, 3 Dec 2012 11:34:38 +0330
From:     HarrisonCrumm@mail.com
Subject:     RE: Wire Transfer cancelled

Dear Customers,

Wire transfer was canceled.

Rejected transfer:

FED NUMBER: 1704196955WIRE580676

Transaction Report: View

Federal Reserve Wire Network

The malicious payload is at [donotclick]panamechkis.ru:8080/forum/links/column.php hosted on:

113.197.88.226 (ULNetworks, Korea)
202.180.221.186 (GNet, Mongolia)
203.80.16.81 (MYREN, Malaysia)

Of these, 113.197.88.226 seems to be a new one which should be added to your blocklists.

Friday 30 November 2012

"Copies of Policies" spam / podarunoki.ru

This spam leads to malware on podarunoki.ru:

Date:     Fri, 30 Nov 2012 04:54:30 -0300
From:     Jone Castaneda via LinkedIn [member@linkedin.com]
Subject:     RE: Leonie - Copies of Policies.

Unfortunately, I cannot obtain electronic copies of the Ocean, Warehouse or EPLI policy.

Here is the Package and Umbrella,

and a copy of the most recent schedule.

Leonie Doyle,

==========

Date:     Fri, 30 Nov 2012 02:32:21 -0400
From:     sales1@[victimdomain].com
Subject:     RE: Samson - Copies of Policies.

Unfortunately, I cannot obtain electronic copies of the Ocean, Warehouse or EPLI policy.

Here is the Package and Umbrella,

and a copy of the most recent schedule.

Samson Henry,

The malicious payload is at [donotclick]podarunoki.ru:8080/forum/links/column.php hosted on some familiar IP addresses which should be blocked if you can:

202.180.221.186 (GNet, Mongolia)
203.80.16.81 (MYREN, Malaysia)

The following domains are also on the same servers:
gurmanikia.ru
ganiopatia.ru
ganalionomka.ru
genevaonline.ru
podarunoki.ru
binaminatori.ru
ganadeion.ru
dimarikanko.ru
delemiator.ru

iTunes spam / mokingbirdgives.org

This fake iTunes spam leads to malware on mokingbirdgives.org:

From:    iTunes itunes@new.itunes.com
To:    purchasing [purchasing@victimdomain.com]
Date:    30 November 2012 17:02
Subject:    Your receipt #16201509085048

Billed To:
%email%

Order Number: M1V008146011
Receipt Date: 30/11/2012

Order Total: $699.99
Billed To: Credit card

Item Number     Description     Unit Price
1     Postcard (View\Download )
Cancel order Not your order?Report a Problem     $699.99
Subtotal:     $699.99
Tax:     $0.00
Order Total:     $699.99

Please retain for your records.
Please See Below For Terms And Conditions Pertaining To This Order.

Apple Inc.
You can find the iTunes Store Terms of Sale and Sales Policies by launching your iTunes application and clicking on Terms of Sale or Sales Policies

FBI ANTI-PIRACY WARNING
UNAUTHORIZED COPYING IS PUNISHABLE UNDER FEDERAL LAW.

Answers to frequently asked questions regarding the iTunes Store can be found at http://www.apple.com/support/itunes/store/

Apple ID Summary ГѓВўГўвЂљВ¬Г‚Вў Detailed invoice

Apple respects your privacy.

Copyright ГѓвЂљГ‚В© 2011 Apple Inc. All rights reserved

The malicious payload is at [donotclick]mokingbirdgives.org/less/demands-probably.php (report here) hosted on 184.82.100.201 (HostNOC, US) along with the following domains which also appear to be malicious:

jokolet5.cu.cc
revreka.cu.cc
kretaf.cu.cc
hoyerrr.cu.cc
xecomas.cu.cc
serawers.cu.cc
spaswers.cu.cc
retainedthumb.uni.me
safemessageassimilated.uni.me
fullblowntie.uni.me
confusetelltale.uni.me
fulltouchabandoning.uni.me
cuingdisinfecting.uni.me
mobilesitedisplaydizzying.uni.me
deadlinesorganizing.uni.me
consequencesaolcom.uni.me
areascompareran.uni.me
trusteunplugs.uni.me
rightsideconcoctions.uni.me
rearfacingisight.uni.me
starearnernot.uni.me
mokingbirdgives.org
germannewslinks.org
likoawdsdfzgage.dyndns-remote.com
syenial.com
amusicman.com
germannewslinks.com
fusioncaters.com
uqakanyd.ocry.com
u96s.info
germannewslinks.info
beardwithgofus.info
demonstrateddesktoplike.pro
thcenturysplitting.pro
stub.appartamentofirenze.net
germannewslinks.net
advert.apps-myups.net

Thursday 29 November 2012

"Wire Transfer" spam / dimarikanko.ru

This fake "Wire Transfer" spam leads to spam on dimarikanko.ru:

Date:     Thu, 29 Nov 2012 06:01:55 +0700
From:     LinkedIn Connections [connections@linkedin.com]
Subject:     Re: Fwd: Wire Transfer (75631MU030)

Dear Bank Account Operator,

WIRE TRANSFER: FED675249061747420

CURRENT STATUS: PENDING

Please REVIEW YOUR TRANSACTION as soon as possible.

The malicious payload is at [donotclick]dimarikanko.ru:8080/forum/links/column.php hosted on a bunch of familiar looking IP addresses which have been used in several recent attacks:

202.180.221.186 (GNet, Mongolia)
203.80.16.81 (MYREN, Malaysia)
208.87.243.131 (Psychz Networks, US)

Dynamic DNS sites you might want to block II

These Dynamic DNS domains belong to a mystery outfit called dnsdynamic.org, and several of them seem to be in the process of being abused by third parties (for example). The registrations seem to be anonymised, some poking around at the recent WHOIS history of one of these domains (freedynamicdns.com) reveals ownership details of:

      Manager, Domain  manager@invertebrateisp.com
      Invertebrate ISP
      PO Box 405
      Glenmont, New York 12077
      United States
      +1.2623946781

More digging at invertabrateisp.com comes up with a real name:

      Wilde, Tim  [redacted]
      [redacted]
      Glenmont, New York 12077
      United States
      [redacted]      Fax --

Anyway, Mr Wilde is not connected with the malicious activity going on with these domains, but he is providing a service that is being abused. Interestingly he founded DynDNS before selling it on.

Dynamic DNS services can be useful, but my personal recommendation is that you should consider blocking them as the bad guys are very good at abusing them. Overall, these are not as bad as the ones run by ChangeIP.com (see here).

There are two versions of this list, one links through to the Google Safe Browsing diagnostics report in case you want to review them on a case-by-case basis before blocking them (yellow highlighted ones have some malware, red highlighted ones are blocked by Google). The second one is a plain list of everything in case you want to block them completely.

adultdns.net [report]
andrewhaberman.com [report]
ddns01.eu [report]
ddnsd.eu [report]
dns53.biz [report]
dnsapi.info [report]
dnsd.info [report]
dnsd.me [report]
dnsdynamic.com [report]
dnsdynamic.net [report]
dnsdynamic.org [report]
fe100.net [report]
freedynamicdns.com [report]
ftp21.net [report]
http80.info [report]
https443.com [report]
imap01.com [report]
ns360.info [report]
ole32.com [report]
ssh01.com [report]
ssh22.net [report]
tftpd.net [report]
ttl60.com [report]
ttl60.org [report]
user32.com [report]
voip01.com [report]
wow64.net [report]

Plain list for copy-and-pasting:
adultdns.net
andrewhaberman.com
ddns01.eu
ddnsd.eu
dns53.biz
dnsapi.info
dnsd.info
dnsd.me
dnsdynamic.com
dnsdynamic.net
dnsdynamic.org
fe100.net
freedynamicdns.com
ftp21.net
http80.info
https443.com
imap01.com
ns360.info
ole32.com
ssh01.com
ssh22.net
tftpd.net
ttl60.com
ttl60.org
user32.com
voip01.com
wow64.net

Vobfus sites to block

These domains and sites appear to be connected to the Vobfus worm, hosted on 222.186.36.108 (Chinanet Jiangsu Province Network). There seems to be quite a bit of this worm about at the moment (auto translated).

This is a short list of domains to block (scroll down to the bottom for more details) all of which appear to be directly connected to the Vobfus worm:

222.186.36.108
chopbell.net
chopstickers.org
chopsuwey.org
chopzones.org
ddns1.eu
helpchecks.net
helpupdated.com
helpupdated.net
helpupdated.org
helpupdatek.at
helpupdater.net
helpupdates.biz
helpupdates.com
mediashares.org
mysearchhere.net
paris-hack.com
zdns.eu

zdns.eu and ddns1.eu are Dynamic DNS services provided by another party not directly connected to the worm. I recommend you block access to them anyway (more on this at a later date)

The following list is of domains that share nameservers with the Vobfus domains. You can make a decision if you want to do anything about these on your own network.

62.109.2.225
artishok.ru

78.46.22.15
alfataxi.info
pronash.com
smspay4.com
youmult.com

78.46.109.155
hitroe.com

84.45.76.100
ddns1.eu

159.253.142.40
adult-sms.com

159.253.142.44
mobilcent.com
mobilcent.ru

174.37.204.89
xlget.com

176.9.36.18
nikapro.com

178.63.65.11
couchness.com

208.43.108.100
smscoin.com

208.43.108.101
smscoin.net

208.43.251.58
userend.info

Not resolving
chopbell.net
helpchecks.net
helpupdated.net
helpupdater.net
helpupdates.biz
musicmixa.net
musicmixa.org
musicmixc.com
musiczipz.com
(Yes, some of these are listed elsewhere. The spreadsheet below will make it a little more clear, I hope)

An expanded list of sites with WOT ratings can be found here if you want to poke around at them.

Wednesday 28 November 2012

Gary McNeish, Christopher Niebel fined £440k for SMS spams

I've covered Gary McNeish and his SMS spamming outfit before, they are quite possibly behind the majority of financial SMS spam messages that have been doing the rounds lately.

Well, it seems the ICO finally caught up with him and his business partner Christopher Niebel and have hit the pair with a whopping £440,000. The Daily Telegraph reports that they were pumping out up to 840,000 spam SMS messages per day. The BBC has more details about the pair.

It looks like Mr Neibel has suffered the bulk of the fine, with £300,000 ordered to be paid by the ICO. Mr McNeish lives in Thailand (but owns the spamming company Tetrus Telecom) and has been fined £140,000. Mr Neibel seems a bit upset by this according to reports. Tough shit, I say.

Anyway, this is the guy who probably won't be coming back to the UK any time soon..

Check out some of his semi-naked photos here. Classy!

Changelog spam / ganadeion.ru

This fake changelog spam leads to malware at ganadeion.ru:

Date:     Wed, 28 Nov 2012 05:21:35 -0500
From:     LinkedIn Password [password@linkedin.com]
Subject:     Re: Changelog as promised (upd.)

Hello,

as prmised updated changelog - View

C. BERGMAN

The malicious payload is at [donotclick]ganadeion.ru:8080/forum/links/column.php hosted on some familiar looking IP addresses that you should block if you can:

202.180.221.186 (GNet, Mongolia)
203.80.16.81 (MYREN, Malaysia)
208.87.243.131 (Psychz Networks, US)