Sponsored by..

Tuesday, 13 November 2012

"Your flight" spam / monacofrm.ru

These spam email messages lead to malware on monacofrm.ru:

From: sales1@victimdomain.com [mailto:sales1@victimdomain.com]
Sent: 13 November 2012 04:04
Subject: Fwd: Your Flight A874-64581

Dear Customer,

FLIGHT NR: 1173-8627
DATE/TIME : JAN 27, 2013, 19:15 PM
ARRIVING AIRPORT: SAN-DIEGO AIRPORT
PRICE : 520.40 USD

Your bought ticket is attached to the letter as a scan document .
To use your ticket you should print it.


NAOMI PATTON,

==========

From: messages-noreply@bounce.linkedin.com [mailto:messages-noreply@bounce.linkedin.com] On Behalf Of LinkedIn
Sent: 13 November 2012 05:18
Subject: Re: Fwd: Your Flight A943-6733

Dear Customer,

FLIGHT NR: 360-6116
DATE/TIME : JAN 26, 2013, 14:12 PM
ARRIVING AIRPORT: SAN-DIEGO AIRPORT
PRICE : 997.25 USD

Your bought ticket is attached to the letter as a scan document .
To use your ticket you should print it.



Adon Walton,

==========

Date:      Tue, 13 Nov 2012 08:20:21 +0400
From:      accounting@victimdomain.com
Subject:      Re: Your Flight A230-63955
Attachments:     FLIGHT_TICKET_A04897499.htm

Dear Customer,



FLIGHT NR: 43070-0328

DATE/TIME : JAN 24, 2013, 12:19 PM

ARRIVING AIRPORT: SAN-DIEGO AIRPORT

PRICE : 323.97 USD



Your bought ticket is attached to the letter as a scan document .

To use your ticket you should print it.



SHERILYN BREWER,

==========

Date:      Tue, 13 Nov 2012 02:14:56 +0700
From:      LinkedIn Password [password@linkedin.com]
Subject:      Re: Your Flight A13-6235
Attachments:     FLIGHT_TICKET_A56970327.htm

Dear Customer,



FLIGHT NR: 7504-638

DATE/TIME : JAN 20, 2013, 18:10 PM

ARRIVING AIRPORT: SAN-DIEGO AIRPORT

PRICE : 089.74 USD



Your bought ticket is attached to the letter as a scan document .

To use your ticket you should print it.

ROSANA Gallo,

The malicious payload is at [donotclick]monacofrm.ru:8080/forum/links/column.php  hosted on the following IPs:

202.180.221.186 (GNet, Mongolia)
203.80.16.81 (MYREN, Malaysia)
216.24.194.66 (Psychz Networks, US)

The Mongolian and Malaysian IPs have been used several times for malware attacks, 216.24.194.66 looks like a new one. Blocking them all would probably be prudent.

Added:

There's a Wire Transfer spam using the same payload too:

From: Amazon.com [mailto:account-update@amazon.com]
Sent: 13 November 2012 08:08
Subject: Fwd: Re: Wire Transfer Confirmation

Dear Bank Account Operator,

WIRE TRANSFER: FED8979402863338715
CURRENT STATUS: PENDING

Please REVIEW YOUR TRANSACTION as soon as possible.

Monday, 12 November 2012

Cableforum.co.uk hacked?

Cableforum.co.uk is a popular and useful UK site about digital TV and broadband. Unfortunately, the email address list has leaked out and is being used for spamming, for example:

NatWest : Helpful Banking
Dear Valued Member ;

To prevent unauthorized access to your accounts, your online service has been temporarily locked. No further log in attempts will be accepted.
This is a procedure that automatically occur when an invalid information is submitted during the log in process.
Please follow the provided steps below to confirm your identity
and restore your online access:




https://www.nwolb.com/Brands/NWB/images/backgrounds/widepod_header_bottom_purple_login.gif
    

© Legal Info – Security
© 2005-2012 National Westminster Bank Plc 


This is a standard NatWest phish. It doesn't originate from Cableforum.co.uk or its servers, but it is sent to an address ONLY used for Cableforum, so it must have leaked out somehow.

So.. dutifully I pop across to Cableforum.co.uk and (changing my password en route) find the appropriate forum. It seems that the problem has already been spotted:

Here's one example:

So I received this email today:


Quote:
Date: Fri, 2 Nov 2012 10:15:08 -0400
From: NatWest Online [helpdesk@nwolb.com]
To: [removed]
Subject: Please Review Your Contact Details!!!


Dear Valued Member ;
To prevent unauthorized access to your accounts, your online service has been
+temporarily locked. No further log in attempts will be accepted.

..etc...
The email was sent to an address I've only used to register on Cable Forum and is a series of random characters that spammers wouldn't just 'guess'. Just wondering if anyone else has had this email? 

That's odd. That's exactly the same as me. And then there's another one:

I had two emails sent to both the addresses registered here on Cable Forum. Not sure why the earlier thread was so hastily closed?
Slightly off topic, why can I not edit my email address here?
When I attempt to change it I get this: The email address you entered is already in use. If you have forgotten your password, please click here.
I have not forgotten my password, I was trying to change it as well as my email. 

These are very precise reports from people using unique sign-on addresses. You'd think that would be pretty good evidence. So, armed with that you'd expect a concerned "we'll look into it" response. But instead the replies are:

Spammers don't "pick" anything. Their software generates emails at random and, yes, that includes strings_of_gibberish @yourdomain.

This site has not sold your email address.
This site has not been hacked, cracked or compromised.

The end.

Thread closed.
and

Threads of the same topic that have been closed should not be re-opened/re-created no matter what the circumstances are.

This issue cropped up several months ago and I will repeat what was said then...

We do not believe our systems have been compromised. There was no evidence to suggest an intrusion or breach took place. If anyone has any *Strong* Evidence to suggest other wise then contact us using the contact link below.

Thank you. 
which prompted a response from the original reporter:

The only spam I had was today, didn't have any earlier. I did get an explanation from the mod that closed it about how he didn't feel the thread was useful and that it would attract unwanted replies. But I think preventing people from discussing the issue stinks of a cover up (whether it is or not).

It would be much better to at least post a link to that thread, or some sort of explanation of what they think is happening rather than a dismissive knee-jerk response that it didn't happen when three people have claimed to receive the same email (and Osem says it happened before). All I want is an explanation about what happened and a promise that security of MY data is important but I don't feel like I'm getting that.  
What's worse is that this isn't the first time that this has been reported. Here's another one:

Today I received a not-so-subtle phishing email pretending to come from Santander, sent to my one-off email address associated with my cableforum account. I registered my account in 2009 and it's the first time I get spam/phish on this address. I don't really care if CF was hacked since I used a unique pw/email, but maybe a warning to other users would be the polite thing to do... 

But going back even further shows this thread with a lot of evidence that an email address leak has occured. One person who seems to know their stuff points:

Your database has been dumped and the damage is done as far as spam is concerned
now the question is are you

1) going to stick your head in the sand and thow around accusations
or
2) man up and fix the problem 

One of the Cableforum team shows just how far they can bury their head in the sand

But seriously, all in all, getting back to the main issue, there is about 5 people receiving it to their CF registered e-mail address and reporting it here so far. Co-incidence, yes but a very weak one. 
How many people do you think use unique emails for each site? Not many. That sort of evidence is very, very strong.. especially with multiple reports. That comment got this withering rebuke:

It's not a co-incidence at all. The emails are clearly of the same content and arrived within a small interval of each other and to CF-specific registered email addresses. If you're saying this is purely by chance and that all these email addresses were just "guessed" up by some automated program, then you're in denial.
 But another member of the CF team shows that they just don't understand it at all:

Given the extremely weak evidence provided and this appearing to only affect a very small number of members i.e less than 10, we do not believe that our systems have been breached and as a result we believe this to be the actions of brute force spamming.
Really? All these people with unique email addresses report the same spam. And it just gets dismissed?

But if you have the same problem.. forget it. All threads have been closed, creating new threads on the matter has been banned. In denial much?

Clearly there has been a problem for several months, although it isn't clear when such an address leak occurred or what data was taken with it. You should always assume that the passwords have been compromised and change it, plus change it anywhere that you re-use the same password.

Sadly, crap like this happens to good websites. And the best way to deal with it is to be honest and 'fess up so that members can act accordingly. Nobody likes to think that there site has been compromised, but in this case it clearly has been to some unknown extent.

I emailed Cableforum.co.uk to advise them (since new forum threads are banned). Let's see if I get a response..

Update: and other incidents are here and here.. so this isn't really an isolated problem.

Update 2:  predictably, raising the issue just gets the thread closed with the phrase "There is nothing to discuss and I am not interested in wild theories and stupid accusations that some how there is a cover up." Which just shows that there is a cover up..

Update 3:  and what is really ridiculous is that Cableforum mods are denying it, despite the fact that their site was recently hacked. And it isn't the first time, either.

Friday, 9 November 2012

Changelog spam / canadianpanakota.ru

This spam leads to malware on canadianpanakota.ru:

Date:      Fri, 9 Nov 2012 11:55:11 +0530
From:      LinkedIn Password [password@linkedin.com]
Subject:      Re: Changlog 10.2011
Attachments:     changelog4-2012.htm

Hello,
as promised changelog,(Internet Explorer File)
The attachment leads to a malicious payload at [donotclick]canadianpanakota.ru:8080/forum/links/column.php  hosted on the following IPs:

120.138.20.54 (SiteHost, New Zealand)
202.180.221.186 (GNet, Mongolia)
203.80.16.81 (MYREN, Malaysia)


These IPs will probably be used in other attacks, blocking access to them now might be prudent. The following IPs and domains are all related:


120.138.20.54
202.180.221.186
203.80.16.81
canadianpanakota.ru
controlleramo.ru
donkihotik.ru
finitolaco.ru
fionadix.ru
forumibiza.ru
lemonadiom.ru
peneloipin.ru
moneymakergrow.ru


Thursday, 8 November 2012

getyourbet.org injection attack

There seems to be an injection attack doing the rounds, the injected domain is getyourbet.org hosted on 31.184.192.237. The domain registration details are:

Registrant ID:TOD-42842658
Registrant Name:ChinSec
Registrant Organization:ChinSec
Registrant Street1:Beijing
Registrant Street2:
Registrant Street3:
Registrant City:Beijing
Registrant State/Province:BJ
Registrant Postal Code:519000
Registrant Country:CN
Registrant Phone:+86.5264337745
Registrant Phone Ext.:
Registrant FAX:+86.5264337745
Registrant FAX Ext.:
Registrant Email:chinseccdomains@yahoo.com


The domain was created on 12th October. The IP address is in Russia (PIN-DEDICATEDSERVERS-NET).

This is a two stage attack, if  getyourbet.org is called with the correct referrer parameters then the victim ends up at another server at 64.202.123.3 (Hostforweb, US) that tries to serve up a malicious payload. This server contains a bunch of subdomains from a hacked GoDaddy account.

pin.panacheswimwear.co.uk
physical.oneandonlykanuhura.com
pig.onmailorder.com
picture.onlyplussizes.com
person.nypersonaltrainers.com
pipe.payday-loanstoday.com

I've seen this sort of abuse of GoDaddy domains before, the main "www" domain resolves OK, but the subdomains get pointed elsewhere. There's either a problem with GoDaddy or this is done through a phish.

Anyway, block 64.202.123.3 and 31.184.192.237 if you can to prevent further attacks.

Wednesday, 7 November 2012

Intercompany Invoice spam / controlleramo.ru

This fake invoice spam leads to malware on controlleramo.ru:

Date:      Wed, 7 Nov 2012 07:29:44 -0500
From:      LinkedIn [welcome@linkedin.com]
Subject:      Re: Intercompany inv. from Beazer Homes USA Corp.
Attachments:     Invoice_e49580.htm

Hi

Attached the corp. invoice for the period July 2012 til Aug. 2012.(Internet Explorer file)



Thanks a lot for supporting this process

Rihanna PEASE

Beazer Homes USA Corp.

The attachment contains obfuscated Javascript that attempts to direct the visitor to a malicious payload at [donotclick]controlleramo.ru:8080/forum/links/column.php  hosted on:

103.6.238.9 (Universiti Putra, Malaysia)
203.80.16.81 (MYREN, Malaysia)
209.51.221.247 (eNet, US)

These IP addresses have been used in several attacks recently, and you should block access to them if you can.

Some more samples:

Date:      Thu, 8 Nov 2012 08:45:52 +0500
From:      Ashley Madison [donotreply@ashleymadison.com]
Subject:      Re: Inter-company invoice from Novellus Systems Corp.
Attachments:     Invoice_c394579536.htm

Hallo

Attached the intercompany invoice for the period July 2012 til Aug. 2012.(Internet Explorer file)



Thanks a lot for supporting this process

TOVA Link

Novellus Systems Corp.

==========


Date:      Thu, 8 Nov 2012 06:31:13 +0530
From:      Badoo [noreply@badoo.com]
Subject:      Re: Intercompany invoice from Arch Coal Corp.
Attachments:     Invoice_i450583.htm

Hallo





Attached the intercompany inv. for the period July 2012 til Aug. 2012.(Internet Explorer file)

Thanks a lot for supporting this process



BETTYE Caldwell

Arch Coal Corp.

==========


Date:      Wed, 7 Nov 2012 06:52:01 -0600
From:      BrendenHavlicek@hotmail.com
Subject:      Re: Intercompany invoice from Brookdale Senior Living Corp.
Attachments:     Invoice_q2665.htm

Hallo





Attached the intercompany inv. for the period July 2012 til Aug. 2012.(Internet Explorer file)



Thanks a lot

NOEMI STEPHENS

Brookdale Senior Living Corp.



Tuesday, 6 November 2012

Apple "Account Info Change" spam / welnessmedical.com

Not malware this time, but Pharma spam.. the links in this fake Apple message lead to welnessmedical.com.


From: Apple [mailto:appleid@id.arcadiadesign.it]
Sent: Tue 06/11/2012 18:30
Subject: Account Info Change

Hello,

The following information for your Apple ID [redacted] was updated on 11/06/2012:

Date of birth
Security question(s) and answer(s)

If these changes were made in error, or if you believe an unauthorized person accessed your account, please reset your account password immediately by going to iforgot.apple.com.

To review and update your security settings, sign in to appleid.apple.com.

This is an automated message. Please do not reply to this email. If you need additional help, visit Apple Support.

Thanks,
Apple Customer Support



TM and copyright © 2012 Apple Inc. 1 Infinite Loop, MS 96-DM, Cupertino, CA 95014.
All Rights Reserved / Keep Informed / Privacy Policy / My Apple ID 


The fake pharma site (welnessmedical.com) is hosted on 84.22.127.43 along with a bunch of other ones, plus some additional sites one IP over at 84.22.127.44:

medmedsepub.com
newpharmsale.com
virustrapill.com
medicalmedprescription.com
medpillprescription.com
walgreensprescription.com
pilldrugstoregroup.com
medicineonlinephysic.ru
zkflwf.ru
ytti.ru
healthtabstablets.ru
healthcaremedstablets.ru
fitnesspillspharmacy.ru
mycareviagra.pl
diseasepillsmedicine.com
medicareryan.com
cialiswiladen.com
pharmvitamins.com
crashtab.net
healthtabsdrugstore.ru
ghem.ru
jium.ru
epoo.ru
ghas.ru
buymedicinepharmacy.ru
pillpillspharmacy.ru
onlinepharmabuy.ru

Oddly, 84.22.127.43 doesn't seem to be registered at RIPE. No matter, we know who the owner of 84.22.127.0 is:

inetnum:         84.22.127.0 - 84.22.127.7
netname:         A84-22-127-0
descr:           BLACK OPERATIONS
admin-c:         CBMT1-RIPE
tech-c:          CBMT1-RIPE
country:         NL
status:          ASSIGNED PA
mnt-by:          MNT-CB3ROB
mnt-lower:       MNT-CB3ROB
mnt-routes:      MNT-CB3ROB
source:          RIPE # Filtered

role:            Ministery of Telecommunications
address:         One CyberBunker Avenue
address:         CB-31337
address:         CyberBunker-1
address:         Republic CyberBunker
mnt-by:          MNT-CB3ROB
admin-c:         CBMT1-RIPE
tech-c:          CBMT1-RIPE
nic-hdl:         CBMT1-RIPE
source:          RIPE # Filtered

route:          84.22.96.0/19
descr:          R84-22-96-0
origin:         AS34109
mnt-by:         MNT-CB3ROB
source:         RIPE # Filtered


It's our old friends Cyberbunker again, who have registered the block with fake details. How RIPE lets them get away with this I don't know. If you can, I recommend blocking the entire 84.22.96.0/19 range as almost everything here is pretty seedy. You can read more about Cyberbunker's very dark grey hat activities over at Wikipedia if you want more information.

"Scan from a Xerox WorkCentre Pro" / peneloipin.ru

This fake printer spam leads to malware on peneloipin.ru:

From: Keshawn Burns [mailto:MaribelParchment@hotmail.com]
Sent: 06 November 2012 05:09
Subject: Scan from a Xerox WorkCentre Pro #47938830

Please open the attached document. It was scanned and sent
to you using a Xerox WorkCentre Pro.

Sent by: Keshawn
Number of Images: 5
Attachment File Type: .HTML [Internet Explorer file]

Xerox WorkCentre Location: machine location not set
 The attachment contains some obfuscated Javascript that redirects the visitor to a malicious payload on [donotclick]peneloipin.ru:8080/forum/links/column.php hosted on some IPs that have been used several times before for malware:

65.99.223.24 (RimuHosting, US)
103.6.238.9 (Universiti Putra, Malaysia)
203.80.16.81 (MYREN, Malaysia)

The following malicious domains are also hosted on the same servers:
forumibiza.ru
kiladopje.ru
donkihotik.ru
lemonadiom.ru
peneloipin.ru
panacealeon.ru
finitolaco.ru
fidelocastroo.ru
ponowseniks.ru
dianadrau.ru
panalkinew.ru
fionadix.ru


SMS Spam: "Records passed to us show you're entitled to a refund approximately £2130"

More SMS spam from.. well, I think the ICO will shortly reveal who. It's not just a spam, but it's also a scam because the spammers are attempting to persuade you to make fraudulent claims. Not everyone is eligible for a PPI refund, and I'm certainly not.. no "records" exist, it's just a scammy sales pitch. Avoid.

Records passed to us show you're entitled to a refund approximately £2130 in compensation from mis-selling of PPI on your credit card or loan.Reply INFO or stop

In this case, the sender's number is +447585858897, although it will change as it gets blocked by the networks.

If you get one of these, you should forward the spam and the sender's number to your carrier. In the came of T-Mobile, O2 and Orange the number to report to is 7726 ("SPAM"). Vodafone customers should use 87726 ("VSPAM") and Three customers should use 37726 ("3SPAM"). Hopefully the carriers will act if there are enough complaints.

Monday, 5 November 2012

Dynamic DNS sites you might want to block

These domains belong to ChangeIP.com, which I guess is a legitimate company providing Dynamic DNS services, but one that is being abused by the bad guys. These will be used with some random subdomain unless it's a corporate site (like ChangeIP.com itself) pointing to a random IP address somewhere.. so blocking IPs won't work here.

There are two versions of this list, one links through to the Google Safe Browsing diagnostics report in case you want to review them on a case-by-case basis before blocking them (yellow highlighted ones have some malware, red highlighted ones are blocked by Google). The second one is a plain list of everything in case you want to block them completely.

You might notice one of the domains is called b0tnet.com which is a peculiar name for a legitimate business to register.

1dumb.com [report]
25u.com [report]
2waky.com [report]
3-a.net [report]
4dq.com [report]
4mydomain.com [report]
4pu.com [report]
acmetoy.com [report]
almostmy.com [report]
americanunfinished.com [report]
anastasion.com [report]
authorizeddns.net [report]
authorizeddns.org [report]
authorizeddns.us [report]
b0tnet.com [report]
bigmoney.biz [report]
changeip.biz [report]
changeip.co.uk [report]
changeip.me [report]
changeip.name [report]
changeip.net [report]
changeip.org [report]
changeip.us [report]
cleansite.biz [report]
cleansite.info [report]
cleansite.us [report]
compress.to [report]
ddns.com.co [report]
ddns.info [report]
ddns.me.uk [report]
ddns.mobi [report]
ddns.ms [report]
ddns.name [report]
ddns.us [report]
dhcp.biz [report]
dns-dns.com [report]
dns-report.com [report]
dns-stuff.com [report]
dns04.com [report]
dns05.com [report]
dns1.us [report]
dns2.us [report]
dnsfailover.net [report]
dnsrd.com [report]
dnyp.com [report]
dsmtp.com [report]
dumb1.com [report]
dynamicdns.biz [report]
dynamicdns.co [report]
dynamicdns.co.uk [report]
dynamicdns.com.co [report]
dynamicdns.me.uk [report]
dynamicdns.org.uk [report]
dyndns.pro [report]
edns.biz [report]
epac.to [report]
esmtp.biz [report]
ezua.com [report]
faqserv.com [report]
fartit.com [report]
freeddns.com [report]
freetcp.com [report]
freewww.biz [report]
freewww.info [report]
ftp1.biz [report]
ftpserver.biz [report]
gettrials.com [report]
got-game.org [report]
gr8domain.biz [report]
gr8name.biz [report]
https443.net [report]
https443.org [report]
instanthq.com [report]
iownyour.biz [report]
iownyour.org [report]
isasecret.com [report]
itemdb.com [report]
itsaol.com [report]
jetos.com [report]
jkub.com [report]
jungleheart.com [report]
justdied.com [report]
lflink.com [report]
lflinkup.com [report]
lflinkup.net [report]
lflinkup.org [report]
longmusic.com [report]
mefound.com [report]
misecure.com [report]
moneyhome.biz [report]
monitorip.com [report]
mrbasic.com [report]
mrbonus.com [report]
mrface.com [report]
mrnorris.com [report]
mrslove.com [report]
my03.com [report]
mydad.info [report]
myddns.com [report]
myftp.info [report]
myftp.name [report]
mymom.info [report]
mynumber.org [report]
mypicture.info [report]
mypop3.net [report]
mypop3.org [report]
mysecondarydns.com [report]
mywww.biz [report]
myz.info [report]
ninth.biz [report]
ns01.biz [report]
ns01.info [report]
ns01.us [report]
ns02.biz [report]
ns02.info [report]
ns02.us [report]
ns1.name [report]
ns2.name [report]
ns3.name [report]
ocry.com [report]
onedumb.com [report]
onmypc.biz [report]
onmypc.info [report]
onmypc.net [report]
onmypc.org [report]
onmypc.us [report]
organiccrap.com [report]
otzo.com [report]
ourhobby.com [report]
pcanywhere.net [report]
poppop.com [report]
port25.biz [report]
portrelay.com [report]
privatename.org [report]
proxydns.com [report]
qhigh.com [report]
qpoe.com [report]
rebatesrule.net [report]
sellclassics.com [report]
sendsmtp.com [report]
serveuser.com [report]
serveusers.com [report]
sexidude.com [report]
sexxxy.biz [report]
sixth.biz [report]
squirly.info [report]
ssl443.org [report]
ssmailer.com [report]
theblacklist.org [report]
toh.info [report]
toythieves.com [report]
trickip.net [report]
trickip.org [report]
vizvaz.com [report]
wha.la [report]
wikaba.com [report]
www1.biz [report]
wwwhost.biz [report]
x24hr.com [report]
xxuz.com [report]
xxxy.biz [report]
xxxy.info [report]
ygto.com [report]
youdontcare.com [report]
yourtrap.com [report]
zaantek.com [report]
zyns.com [report]
zzux.com [report]


If you want to block all of these sites, then the domains I can find are as follows:
1dumb.com
25u.com
2waky.com
3-a.net
4dq.com
4mydomain.com
4pu.com
acmetoy.com
almostmy.com
americanunfinished.com
anastasion.com
authorizeddns.net
authorizeddns.org
authorizeddns.us
b0tnet.com
bigmoney.biz
changeip.biz
changeip.co.uk
changeip.me
changeip.name
changeip.net
changeip.org
changeip.us
cleansite.biz
cleansite.info
cleansite.us
compress.to
ddns.com.co
ddns.info
ddns.me.uk
ddns.mobi
ddns.ms
ddns.name
ddns.us
dhcp.biz
dns-dns.com
dns-report.com
dns-stuff.com
dns04.com
dns05.com
dns1.us
dns2.us
dnsfailover.net
dnsrd.com
dnyp.com
dsmtp.com
dumb1.com
dynamicdns.biz
dynamicdns.co
dynamicdns.co.uk
dynamicdns.com.co
dynamicdns.me.uk
dynamicdns.org.uk
dyndns.pro
edns.biz
epac.to
esmtp.biz
ezua.com
faqserv.com
fartit.com
freeddns.com
freetcp.com
freewww.biz
freewww.info
ftp1.biz
ftpserver.biz
gettrials.com
got-game.org
gr8domain.biz
gr8name.biz
https443.net
https443.org
instanthq.com
iownyour.biz
iownyour.org
isasecret.com
itemdb.com
itsaol.com
jetos.com
jkub.com
jungleheart.com
justdied.com
lflink.com
lflinkup.com
lflinkup.net
lflinkup.org
longmusic.com
mefound.com
misecure.com
moneyhome.biz
monitorip.com
mrbasic.com
mrbonus.com
mrface.com
mrnorris.com
mrslove.com
my03.com
mydad.info
myddns.com
myftp.info
myftp.name
mymom.info
mynumber.org
mypicture.info
mypop3.net
mypop3.org
mysecondarydns.com
mywww.biz
myz.info
ninth.biz
ns01.biz
ns01.info
ns01.us
ns02.biz
ns02.info
ns02.us
ns1.name
ns2.name
ns3.name
ocry.com
onedumb.com
onmypc.biz
onmypc.info
onmypc.net
onmypc.org
onmypc.us
organiccrap.com
otzo.com
ourhobby.com
pcanywhere.net
poppop.com
port25.biz
portrelay.com
privatename.org
proxydns.com
qhigh.com
qpoe.com
rebatesrule.net
sellclassics.com
sendsmtp.com
serveuser.com
serveusers.com
sexidude.com
sexxxy.biz
sixth.biz
squirly.info
ssl443.org
ssmailer.com
theblacklist.org
toh.info
toythieves.com
trickip.net
trickip.org
vizvaz.com
wha.la
wikaba.com
www1.biz
wwwhost.biz
x24hr.com
xxuz.com
xxxy.biz
xxxy.info
ygto.com
youdontcare.com
yourtrap.com
zaantek.com
zyns.com
zzux.com

Fake statistics domains lead to malware

The following fake "statistics" domains lead to malware. All have been registered very recently in the past few days and are used as a redirector to other exploit kits. Perhaps they are actually performing black hat statistical tracking. Blocking them (or the associated IPs) would be wise.

bilingstats.org
bombast-atse.org
bombastatse.org
ceastats.org
colinstats.org
expertstats.org
informazionestatistica.org
melestats.org
nonolite.org
statisticaeconomica.org
statspps.org
superbombastatse.org
topbombastatse.org
ufficiostatistica.org

Hosting IPs:
31.193.133.212 (Simply Transit, UK)
91.186.19.42 (Simply Transit, UK)
95.211.180.143 (Leaseweb, Netherlands)

Sunday, 4 November 2012

Something evil on 31.193.12.3

These are fake AVs and drive-by downloads mostly, some seem to promoted through low-grade banner ads, all hosted on 31.193.12.3 (Burstnet, UK) and suballocated to:

person:          Olexii Kovalenko
address:         Pavlova, 15, Zaporozhye, Zaporozhye, 69000, Ua
phone:           +1 570 343 2200
fax-no:          +1 570 343 9533
nic-hdl:         OK2455-RIPE
source:          RIPE # Filtered
mnt-by:          mnt-burst-au
mnt-by:          mnt-burst-mu


The registration for the .asia and .eu domains is consistent in the ones I have checked:

Registrant ID:DI_23063626
Registrant Name:Javier
Registrant Organization:n/a
Registrant Address:Nevskaya street 41
Registrant Address2:
Registrant Address3:
Registrant City:Belgorad
Registrant State/Province:Belgorodskaya oblast
Registrant Country/Economy:RU
Registrant Postal Code:494980
Registrant Phone:+007.9487728744
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Registrant E-mail:007uyfo007@mail.ru


I've broken the list into three parts, it's a bit messy sorry..

The first part are a bunch of short domains used with subdomains to create a malicious payload:
List 1:
a1ft.asia
a3ew.asia
ah2b.asia
av5n.asia
c2wj.asia
cj4d.asia
ck3l.asia
bs3d.asia
d4xi.asia
d8dx.asia
dj7k.asia
dk3i.asia
ef1r.asia
f4dw.asia
fj2j.asia
fm5h.asia
g2wy.asia
g4av.asia
gi4b.asia
h2ju.asia
j2qd.asia
j5hn.asia
ja6l.asia
k3lr.asia
l3gv.asia
m1eb.asia
m1eq.asia
m4nj.asia
n0un.asia
n3mi.asia
nw2r.asia
p0rv.asia
p0ry.asia
pq8c.asia
q2hm.asia
q2hv.asia
q3bz.asia
qk3x.asia
r4dx.asia
s6wm.asia
t5ha.asia
t5hj.asia
t5zb.asia
u7bo.asia
uh7f.asia
v8ul.asia
ve4z.asia
w3wc.asia
w3wz.asia
w2jf.asia
x6fr.asia
x8ru.asia
y1uh.asia
y6np.asia
z1ha.asia
jp5s.info
pe5a.info
gw1c.eu

Subdomains in use:
be-ttraccker
dipppboxx
dippbboxx
diiipp-box
diippss-box
faat-llood
fatssllooads
fiilespooisk1
fiilepoiick
filles-looads
fileloood
file-looadds
files-loooads
ffilelooadd
ffile-poiick
ffiles-poiick1
filles-poiick
fille-poiick
ffilespooiisk
fillepoiick
fileppooiisk
filespooiisk
file-ppooiisk
file-pooiisk
files-poiiick
filess-poiick
file-poiicck
filles-pooisk
fiiles-poiisk1
files-poooiisk1
files-pooiiisk1
files-poooisk1
files-pooiick
fiiles-pooiisk
filespooiissk
file-pooiick
files-poiickk
file-poooiisk
files-ppoiick
geettefiiiles1
geetefiiless
geetteffiiles1
gette-fillees1
geette-fiilees1
geetee-fiiles
gette-fillees
getsefilles
getssatfiles
geettefiilees
ggets-filles
j-t0rrreentt1
jjt0rreentts
l0adss-ffiles
l0adss-ffile
l0addes-flilee
l0addesflilee
l0addes-fillee
l0adds-fiile
load-fiilles
load-fiilee
load-fiille
loaddfiiles
qipsefilles
qiips-fiiles1
qips-fiilee
qippfiile1
qippsfiiles1
qip-ffiile1
hhiitfiles1

This list are domains detected through passive DNS detection:
List 2:
babyload.asia
beastlyload.asia
bestialload.asia
childlikeload.asia
childlyload.asia
deliveryload.asia
infantload.asia
inwardload.asia
perfectload.asia
ptload.asia
singleload.asia
soleload.asia   
sparingload.asia
supernalload.asia
alonefile.asia
animalfile.asia
childishfile.asia
festivefile.asia
finefile.asia
infantilefile.asia
innerfile.asia
largestfile.asia
sacredfile.asia
alertloads.asia
artloads.asia
artisticalloads.asia
animateloads.asia
chronicloads.asia
excitableloads.asia
friendlessloads.asia
licitloads.asia
lonelyloads.asia
lovingloads.asia
nakedloads.asia
primalloads.asia
primevalloads.asia
stateloads.asia
vivaciousloads.asia
vivirloads.asia
activefiles.asia
alertfiles.asia
alivefiles.asia
artfiles.asia
artisticalfiles.asia
drawnfiles.asia
looadfilees.asia
primevalfiles.asia
quickfiles.asia
savagefiles.asia
arimara1.org.ua
arimara3.org.ua
akciya.pp.ua
lis4.biz.ua
affectionateload.org
file-load.net
gbait.com
tevon.tk
joload.mooo.com
loadfile.us.to
8-loaadiing.info
agents-load1.info
ageentoloods.info
lloadfi1es.info
resonantfile.info
stabilitytrojanssaver.info
v-x.info
windowsinspectionon-line.info
lodifiles.eu
alfabiblioteka.ru
book-darom.ru
detki-travel.ru
haxo.ru
loads-filse.ru
lptds.ru
megaload2filebaza.ru
j-torents.ru
jumpcat.ru
u8l.ru
zona-trafika.ru

Finally, this long list (too long to post here) contains other detected domains on the same IP. Frankly, blocking the IP address is the most easy option.. there are actually more domains than listed here and some are duplicated, but it's the best I could do at the moment.

Many of these domains show as evil in Google's Safe Browsing Diagnostics (example) and I can file zero legitimate domains on this IP.

Friday, 2 November 2012

Wire Transfer spam / webmoniacs.ru

This fake wire transfer spam leads to malware on webmoniacs.ru:


Date:      Fri, 2 Nov 2012 06:23:10 +0700
From:      "service@paypal.com" [service@paypal.com]
Subject:      RE: Wire Transfer cancelled

Dear Sirs,

The Wire transfer was canceled by the other bank.



Canceled transaction:

FED REFERENCE NUMBER: 628591160ACH34584

Transaction Report: View



The Federal Reserve Wire Network
The malicious payload is at [donotclick]webmoniacs.ru:8080/forum/links/column.php hosted on:
65.99.223.24 (RimuHosting, US)
203.80.16.81 (MYREN, Malaysia)
209.51.221.247 (eNet, US)

The following IPs and domain are all connected and should be blocked:
50.22.102.132
62.76.186.190
65.99.223.24
68.67.42.41
79.98.27.9
84.22.100.108
85.143.166.170
132.248.49.112
203.80.16.81
209.51.221.247
213.251.171.30
denegnashete.ru
dianadrau.ru
donkihotik.ru
fidelocastroo.ru
finitolaco.ru
fionadix.ru
forumibiza.ru
kiladopje.ru
lemonadiom.ru
manekenppa.ru
panacealeon.ru
panalkinew.ru
pionierspokemon.ru
ponowseniks.ru
rumyniaonline.ru
webmoniacs.ru
windowonu.ru

Intuit spam / savedordercommunicates.info

This fake Intuit spam leads to malware on savedordercommunicates.info:


Date:      Sat, 3 Nov 2012 02:11:17 +0800
From:      "Intuit Information System" [roughervm73@biolconseils.ch]
Subject:      Notification Only: Transaction Received by Intuit

Direct Deposit Service Message
Communicatory Only

We rejected your payroll on November 1, 2012 at 626 AM Central Time.

    Money would be left from the account No. ending in: XXX1 on November 2, 2012.
    quantum to be left: $7 639.16
    Paychecks would be deferred to your staff' accounts on: November, 2, 2012
    Go to web site by clicking here to Overview Transaction

Funds are typically withdrawn before usual banking hours so please make sure you have sufficient Funds accessible by 12 a.m. on the date Finances are to be gone away.

Intuit must complete your payroll by 4 p.m. Eastern time, two banking days before your paycheck date or your customers will not be paid on time. QuickBooks does not process payrolls on weekends or federal banking holidays. A list of federal banking holidays can be viewed at the Federal Reserve link.

Thank you for your business.

Regards,
Intuit Payroll Services

An substantial information regarding latest Refused Transactions is waiting for you.

Please DO NOT reply to this message. automative notification system not configured to accept incoming messages..

Copyright 2008 Intuit Inc. QuickBooks and Intuit are registered trademarks of and/or registered service marks of Intuit Inc. in the United States and other countries.

Intuit Inc. Customer Care
87566

San Paolo City, AZ 15203

The malicious payload is at [donotclick]savedordercommunicates.info/detects/bank_thinking.php hosted on 75.127.15.39 (New Wave NetConnect, US) along with another malicious domain of teamscapabilitieswhich.org. Blocking this IP would be wise.


Thursday, 1 November 2012

Discover card spam / netgear-india.net

This fake Discover Card spam leads to malware on netgear-india.net:

From: Discover Account Notes [mailto:no-reply@notify.discover.com]
Sent: Thu 01/11/2012 15:32
Subject: Great Details Changes in your Discover card Account Terms

Account Services  |   Customer Care Services           
Account ending in XXX1          
  
An substantial communication regarding latest Declined Transfers is waiting for you.   
     
Log In to Read Information  
    
Honored Discover Client,
 
There is an serious message waiting for you from Discover® card. Please read the message mindfully and keep it with your file.

To ensure optimal privacy, please log in to view your message at Discover.com.
 

Please click on this link if you have forgotten your UserID or Password.
 

Add information@service.discover.com to your address book to ensure delivery of these notifications.

VITAL NOTE

This message was delivered to [redacted] for Discover debit card account number ending with XXX1.

You are receiving this e-mail because you have account at Discover.com.

Log in to change your e-mail address or overview your account e-mail options.

If you have any questions about your account, please Login to leave us a message securely and we would be glad to support you.

Please DO NOT reply to this message. auto informer system cannot accept incoming email.

DISCOVER and other trademarks, logos and service marks used in this e-mail are the trademarks of Discover Financial Services or their respective third-party owners.

Discover Banking Ltd.
P.O. Box 84265
Salt Lake City, SC 76433
2012 Discover Bank, Member FDIC
[redacted]

========

From: Discover Account Notes [mailto:donotreply@service.discover.com]
Sent: Thu 01/11/2012 16:36
Subject: Substantial Information about your Discover Account

Account Center   |   Customer Center         
               Account ending in XXX9        

 
An significant message regarding latest Approved Activity is waiting for you.
   
Log In to Overview Details  
    
Respective Cardholder,
  
There is an important message waiting for you from Discover® card. Please read the message carefully and keep it with your archive.

To ensure optimal privacy, please sign in to read your data at Discover.com.

Please visit discover.com if you have forgotten your Login ID or Password.

Add discover@information.discover.com to your trusted emails to ensure delivery of these messages.

VITAL NOTIFICATION

This e-mail was sent to [redacted] for Discover card account No. ending with XXX9.

You are receiving this e-mail because you member of Discover.com.

Log in to change your e-mail address or view your account e-mail settings.

If you have any questions about your account, please Enter your account to leave us a message securely and we would be blissful to help you.

Please don't reply to this message. auto-notification system cannot accept incoming mail.

DISCOVER and other trademarks, logos and service marks used in this e-mail are the trademarks of Discover Financial Services or their respective third-party owners.

Discover Banking Llc.
P.O. Box 85486
Seashore City, NV 91138
2012 Discover Bank, Member FDIC
[redacted]

The malicious payload is at [donotclick]netgear-india.net/detects/discover-important_message.php hosted on 183.180.134.217 (RAT CO, Japan). The following domains are on that same IP, and judging by the registration details they should also be considered as malicious:
itracrions.pl
radiovaweonearch.com
steamedboasting.info
solla.at
netgear-india.net
puzzledbased.net
stempare.net
questionscharges.net
bootingbluray.net

Wednesday, 31 October 2012

HP ScanJet spam / donkihotik.ru

This fake printer message leads to malware on donkihotik.ru:


Date:      Wed, 31 Oct 2012 05:06:42 +0300
From:      LinkedIn Connections
Subject:      Re: Fwd:Scan from a HP ScanJet #26531
Attachments:     HP-Scan-44974.htm

Attached document was scanned and sent



to you using a Hewlett-Packard Officejet PRO.

Sent: by Bria
Image(s) : 6
Attachment: Internet Explorer file [.htm]

Hewlett-Packard Officejet Location: machine location not set

The malicious payload is at [donotclick]donkihotik.ru:8080/forum/links/column.php which is hosted on the same IP addresses as this attack yesterday.

"Your Apple ID has been disabled" phish

I've never seen one quite like this before, although it's not the first time I've seen Apple-themed scam email (this one, for example).

From:     Apple no_reply@macapple.com
Reply-To:     no_reply@macapple.com
Date:     31 October 2012 06:08
Subject:     Your Apple ID has been disabled
    
Apple ID Support

Dear [redacted] ,

This Apple ID has been disabled!


For your protection, your Apple ID ([redacted]) is automatically disabled. We detect unauthorized Login Attempts to your Apple ID from other IP Location. Please verify your identity today or your account will be disabled due to concerns we have for the safety and integrity of the Apple Community.


To verify your Apple ID, we recommend that you go to:
       
Verify Now >
The phish is hosted at [donotclick]app.apple.com.proiectmaxim.ro/id2/sign_in/login_ID&=/?&=?reactivate=[redacted] and it looks pretty convincing if you haven't spotted the Romanian domain name..


It just goes to show that the bad guys will try to phish anything these days..

Tuesday, 30 October 2012

Craiglist spam / fionadix.ru

This fake Craiglist spam leads to malware on fionadix.ru:


Date:      Tue, 30 Oct 2012 06:26:07 +0600
From:      Tai Seals [AntonyHaugland@fibermail.hu]
Subject:      POST/EDIT/DELETE : "tattoos tattoos tattoos" (talent)


IMPORTANT - FURTHER ACTION IS REQUIRED TO COMPLETE YOUR REQUEST !!!

FOLLOW THE WEB ADDRESS BELOW TO:

    PUBLISH YOUR AD
    EDIT (OR CONFIRM AN EDIT TO) YOUR AD
    VERIFY YOUR EMAIL ADDRESS
    DELETE YOUR AD

If not clickable, please copy and paste the address to your browser:

Click here

PLEASE KEEP THIS EMAIL - you may need it to manage your posting!

Your posting will expire off the site 7 days after it was created.

Thanks for using craigslist!

==========



Date:      Tue, 30 Oct 2012 06:23:41 -0500
From:      LinkedIn Connections [connections@linkedin.com]
Subject:      POST/EDIT/DELETE : "Appliance repair" (financial)

IMPORTANT - FURTHER ACTION IS REQUIRED TO COMPLETE YOUR REQUEST !!!

FOLLOW THE WEB ADDRESS BELOW TO:

    PUBLISH YOUR AD
    EDIT (OR CONFIRM AN EDIT TO) YOUR AD
    VERIFY YOUR EMAIL ADDRESS
    DELETE YOUR AD

If not clickable, please copy and paste the address to your browser:

Click here

PLEASE KEEP THIS EMAIL - you may need it to manage your posting!

Your posting will expire off the site 7 days after it was created.

Thanks for using craigslist!


The malicious payload is at [donotclick]fionadix.ru:8080/forum/links/column.php (report here) hosted on some familiar IPs:
68.67.42.41 (Fibrenoire, Canada)
203.80.16.81 (MYREN, Malaysia)
209.51.221.247 (eNET, United States)

Additional name server IPs:
50.22.102.132 (Softlayer, United States)
62.76.186.190 (Clodo-Cloud, Russia)
84.22.100.108 (Cyberbunker, Netherlands)
213.251.171.30 (OVH, France)

Plain list for copy-and-pasting:
50.22.102.132
62.76.186.190
68.67.42.41
84.22.100.108
203.80.16.81
209.51.221.247
213.251.171.30
manekenppa.ru
kiladopje.ru
lemonadiom.ru
finitolaco.ru
fidelocastroo.ru
ponowseniks.ru
dianadrau.ru
windowonu.ru
panalkinew.ru
fionadix.ru

reedcouk.com fake job offer / Fort Huachuca hacked?

This fake job offer from "reedcouk.com" is trying to recruit people for money laundering or other criminal activities, it is not from the real reed.co.uk. However, part of the infrastructure supporting this scam appears to belong the the US military.

From:     sales@[victimdomain].com
To:     sales@[victimdomain].com
Date:     30 October 2012 22:33
Subject:     Employment opportunity

I would like to take this time to welcome you to our hiring process
and give you a brief synopsis of the position's benefits and requirements.

If you are taking a career break, are on a maternity leave,
recently retired or simply looking for some part-time job, this position is for you.

Occupation: Flexible schedule 2 to 8 hours per day. We can guarantee a minimum 20 hrs/week occupation
Salary: Starting salary is 2000 GBP per month plus commission, paid every month.
Business hours: 9:00 AM to 5:00 PM, MON-FRI, 9:00 AM to 1:00 PM SAT or part time (UK time).

Region: United Kingdom.

Please note that there are no startup fees or deposits to start working for us.

To request an application form, schedule your interview and receive more information about this position
please reply to Bob@reedcouk.com with your personal identification number for this position IDNO: 0797
The spam appears to come "from" the recipients own email address (here's why). The bogus domain reedcouk.com is registered as follows:

   Lavern E. Davis
   Lavern Davis info@reedcouk.com
   816-680-7849 fax: 816-680-7331
   4218 White Oak Drive
   Strasburg MO 64090
   us


The domain was registered on 30th October 2012 (today!) via BIZCN.COM, a crime-friendly domain registrar in China. Mail for this domain is handled by a server at 46.249.46.161 (Serverius, Netherlands) which is also ns1.zupyx.net, one of the nameservers for the fake reedcouk.com domain. Who owns zupyx.net? That looks like another fake registration:

      Vivian L Resnick
      221 Shaker Road
      Northfield, NH 03276-4444
      US
      Phone: +1.6032868211
      Email: clinicadelta@aol.com


zupyx.net was only registered on 19th September 2012. But the plot thickens if we look at ns2.zupyx.net (the other namesever being used by reedcouk.com) we can see that it is hosted on 132.79.132.67 which appears to be a hacked US military server at Fort Huachuca:

NetRange:       132.79.0.0 - 132.79.255.255
CIDR:           132.79.0.0/16
OriginAS:      
NetName:        NGB-NGNET
NetHandle:      NET-132-79-0-0-1
Parent:         NET-132-0-0-0-0
NetType:        Direct Assignment
RegDate:        1990-03-05
Updated:        2008-12-24
Ref:            http://whois.arin.net/rest/net/NET-132-79-0-0-1

OrgName:        Headquarters, USAISC
OrgId:          HEADQU-3
Address:        NETC-ANC CONUS TNOSC
City:           Fort Huachuca
StateProv:      AZ
PostalCode:     85613
Country:        US
RegDate:        1990-03-26
Updated:        2011-08-17
Ref:            http://whois.arin.net/rest/org/HEADQU-3

OrgTechHandle: REGIS10-ARIN
OrgTechName:   Registration
OrgTechPhone:  +1-800-365-3642
OrgTechEmail:  registra@nic.mil
OrgTechRef:    http://whois.arin.net/rest/poc/REGIS10-ARIN


You have to bear in mind that this military installation deals with military intelligence.. although you can be pretty certain that whatever server is running this bogus nameserver is public facing only. Hopefully.

This IP address also hosts a suspicious domain called trabalharpt.com:

   Samantha K. Haley
   Samantha Haley info@trabalharpt.com
   +1.8127473193 fax: +1.8127473193
   778 Heliport Loop
   Blue Ash IN 45242
   us

Again, this is registered through BIZCN.COM in China, and was only registered one week ago on 24th October 2012. There's no reason for a domain like this to be hosted on what appears to be a US military server.

There are probably some other bad domains being supported by these nameservers, but I haven't been able to identify them yet.

Friday, 26 October 2012

"Your Photos" spam / manekenppa.ru

This fake "photos" spam leads to malware on manekenppa.ru:

From: Acacia@redacted.com [mailto:Acacia@redacted.com]
Sent: 26 October 2012 10:14
Subject: Your Photos

Hi,
I have attached your photos to the mail (Open with Internet Explorer).

In this case there is an attachment called Image_DIG691233.htm that leads to a malware laden page at [donotclick]manekenppa.ru:8080/forum/links/column.php hosted on some familiar looking IPs:

79.98.27.9 (Interneto Vizija, Lithunia)
203.80.16.81 (MYREN, Malaysia)
209.51.221.247 (eNet, US)

We've seen these IPs before and they are well worth blocking.

ADP Spam / steamedboasting.info

This fake ADP spam leads to malware on steamedboasting.info:

From: ClientService@adp.com [mailto:ClientService@adp.com]
Sent: 26 October 2012 12:03
Subject: ADP Instant Notification


ADP Urgent Warning
Reference #: 31344
Dear ADP Client October, 25 2012
Your Transfer Summary(s) have been uploaded to the web site:
https://www.flexdirect.adp.com/client/login.aspx
Please take a look at the following information:
• Please note that your bank account will be charged within 1 banking day for the amount(s) specified on the Statement(s).
•Please DO NOT reply to this message. automative notification system cannot accept incoming messages. Please Contact your ADP Benefits Specialist.
This note was sent to existing users in your company that approach ADP Netsecure.
As always, thank you for choosing ADP as your business companion!
Ref: 31344
The malicious payload is at [donotclick]steamedboasting.info/detects/burying_releases-degree.php, the initial redirection page has some Cloudflare elements on it which is a bit disturbing. steamedboasting.info is hosted on 195.198.124.60 (Skand Meteorologi och Miljoinstr AB, Sweden).

This is an alternative variant with the same malicious payload:


Date:      Fri, 26 Oct 2012 16:32:10 +0530
From:      "noreply@adp.com" [noreply@adp.com]
Subject:      ADP Prompt Communication


ADP Speedy Notification

Reference #: 27585

Dear ADP Client October, 25 2012

Your Transaction Statement(s) have been put onto the web site:

Web site link

Please see the following notes:

• Please note that your bank account will be charged-off within 1 banking business day for the amount(s) specified on the Protocol(s).

?Please do not reply to this message. automative notification system can't accept incoming mail. Please Contact your ADP Benefits Specialist.

This message was sent to operating users in your company that approach ADP Netsecure.

As always, thank you for choosing ADP as your business partner!

Ref: 27585 [redacted]



apl.de.ap spam

I'm not really a fan of the Black Eyed Peas, so I'd never heard of apl.de.ap until I received this spam. I'm pretty sure that Mr ap isn't sending these out himself, but they're coming from a spammer in the UAE, a place which seems to be the spam capital of the middle east.

Although those look like tinyurl links, they're not.. they go through a redirector at ykadl.net on 109.236.88.71, the same IP used to send the spam.

The WHOIS details for the spammer domain are:

Technical Name:                Domain Admin
Technical Company:        Create-Send.net
Technical Address:        57 Kingsway Avenue
Technical Address:        Auckland
Technical Address:       
Technical Address:        Auckland
Technical Address:        Na
Technical Address:        1010
Technical Address:        New Zealand
Technical Email:        info@create-send.net
Technical Tel:                +64.279237205


Anyway, here's the spam in case you really want to buy tickets from a shady bunch of spammers..

From:     DNA alex@ykadl.net
Reply-To:     DNA [alex@ykadl.net]
Date:     26 October 2012 04:48
Subject:     Black Eyed Peas/ APL DE AP in Dubai
Signed by:     ykadl.net

BLACK EYE PEAS founding member APL DE AP heads to Dubai

BLACK EYE PEAS founding member APL DE AP to Dubai for the first time.The internationally famed Black Eyed Peas rapper/DJ, who has won 7 Grammy Awards and sold over 70 million albums, will be the headliner performance at Nasimi Beach on Thursday 1st November.

Like his high school friend Will I Am, APL DE AP also DJ's with international bookings all around the globe including Ibiza, Cannes and London, recently headlining at Belgium's Tomorrowland Festival. The American-Philippines star headlines this event with support from Dion Mavath, local celebrity DJ Marwan Bliss/ 411, Mathew Charles and as well as a performance by Number One selling band Swickasswans.

APL DE AP and the other members of the Black Eyed Peas have been on a hiatus from the band for the last year.In 2011 The Black Eyed Peas were ranked 12th on the Billboard's Decade-End Chart Artist of the Decade, the group performed in February 2011 at the halftime show of Super Bowl XLV.

✻TICKETS COST 165AED for this fabulous International Star event with full bar facilities, waiter service and live food stations.✻

TICKETS ARE NOW AVAILABLE ON:

✻TIMEOUT***TICKETINGCO***MARHABA***PLATINUM✻

TIMEOUT * http://tinyurl.com/bvrtjxx

PLATINUM LIST * http://tinyurl.com/cs8wdox

TICKETINGCO * http://tinyurl.com/cctq2s8

✻ FOR VIP TABLE RESERVATIONS CALL 050 1428363✻
For more info@dnapre.com✻21+ ✻ ID required ✻ Couples & mixed groups preferred.✻ Normal club policies apply ✻

✻THIS WILL BE A SELLOUT EVENT. Get your Tickets fast.✻

Share This
UnsubscribeForward to a Friend

inserted image

inserted image

Click here to opt-out

Thursday, 25 October 2012

ADP Spam / openpolygons.net

This fake ADP spam leads to malware on openpolygons.net:

From: warning@adp.com [mailto:warning@adp.com]
Sent: Thu 25/10/2012 16:42
Subject: ADP Instant Message

ADP Pressing Communication


Reference No.: 27711

Respected ADP Client October, 25 2012

Your Transaction Report(s) have been uploaded to the web site:

Click Here to access

Please overview the following information:

Please note that your bank account will be debited within one banking business day for the amount(s) shown on the report(s).

Please do not respond or reply to this automated e-mail. If you have any questions or comments, please Contact your ADP Benefits Specialist.


This email was sent to existing users in your company that access ADP Netsecure.

As general, thank you for using ADP as your business affiliate!

Ref: 27711 


The malicious payload is at [donotclick]openpolygons.net/detects/lorrys_implication.php hosted on 195.198.124.60 (Skand Meteorologi och Miljoinstr AB, Sweden) which is an IP address that has been seen before.

That IP also hosts the fake AV application win8ss.com and another malware site of legacywins.com.

Plain list for copy-and-pasting:
195.198.124.60
openpolygons.net
win8ss.com
legacywins.com

"End of Aug. Statement required" spam / kiladopje.ru

This spam leads to malware on kiladopje.ru:

From: ZaireLomay@mail.com [mailto:ZaireLomay@mail.com]
Sent: 24 October 2012 20:58
Subject: Re: FW: End of Aug. Statement required

Hi,
as reqeusted I give you inovices issued to you per sept. (Internet Explorer format)
Regards
In this case, there's an attachment called Invoices-23-2012.htm with some obfuscated Javascript to direct visitors to a malware laden page at [donotclick]kiladopje.ru:8080/forum/links/column.php hosted on:

79.98.27.9 (Interneto Vizija, Lithunia)
203.80.16.81 (MYREN, Malaysia)
209.51.221.247 (eNet, US)

The following IPs and domains are all related and should be blocked if you can:
68.67.42.41
72.18.203.140
79.98.27.9
84.22.100.108
85.143.166.170
132.248.49.112
190.10.14.196
202.3.245.13
203.80.16.81
209.51.221.247
fidelocastroo.ru
finitolaco.ru
kennedyana.ru
kiladopje.ru
lemonadiom.ru
leprasmotra.ru
ponowseniks.ru
secondhand4u.ru
windowonu.ru