
Tuesday, 20 November 2012

Malware sites to block 20/11/12

This huge pile of malware sites and IPs is connected with these malicious emails being distributed in the Netherlands. All the sites are interconnected through their black hat infrastructure and are either being used for malware distribution or for some other evil activity:


If you want to block those Russian hosts more widely, perhaps use the following list:
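As an added example (not part of the original post), here is a small Python script that loads a block list in the mixed format this post uses, bare IPv4 addresses alongside CIDR ranges, and checks the destination addresses in proxy-log lines against it. Three of the block-list entries are taken from the post; the log lines and their key=value layout are constructed for the example.

```python
import ipaddress
import re
from typing import Iterable, Optional

# Block list in the same mixed format the post uses: bare IPv4 addresses and
# CIDR ranges, one entry per line. These three entries come from the post's
# list; a fuller list would be loaded exactly the same way.
BLOCKLIST_TEXT = """
46.249.38.0/24
62.109.28.0/22
95.211.9.46
"""


def parse_blocklist(text: str) -> list[ipaddress.IPv4Network]:
    """Parse one entry per line into IPv4Network objects.

    A bare address becomes a /32, so a single membership test covers both
    kinds of entry. Blank lines and '#' comments are skipped. A CIDR whose
    host bits are not zero (e.g. 46.249.38.27/24) raises ValueError, which is
    preferable to silently widening or narrowing the block.
    """
    nets: list[ipaddress.IPv4Network] = []
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()
        if entry:
            nets.append(ipaddress.IPv4Network(entry))
    return nets


def matching_entry(ip: str, nets: Iterable[ipaddress.IPv4Network]) -> Optional[str]:
    """Return the block-list entry that covers ip, or None if it is not blocked."""
    addr = ipaddress.IPv4Address(ip)
    for net in nets:
        if addr in net:
            return str(net)
    return None


def is_blocked(ip: str, nets: Iterable[ipaddress.IPv4Network]) -> bool:
    return matching_entry(ip, nets) is not None


# Constructed proxy-log lines (not real traffic). 203.0.113.10 is from the
# TEST-NET-3 documentation range and stands in for an ordinary destination.
SAMPLE_LOG = [
    "2012-11-20 09:12:01 src=10.0.0.5 dst=46.249.38.27 GET /index.html",
    "2012-11-20 09:12:03 src=10.0.0.5 dst=203.0.113.10 GET /",
    "2012-11-20 09:13:44 src=10.0.0.9 dst=62.109.31.36 GET /page.php",
    "2012-11-20 09:14:10 src=10.0.0.9 dst=95.211.9.55 GET /index.html",
]

LOG_RE = re.compile(r"\bdst=(\d{1,3}(?:\.\d{1,3}){3})\b")


def blocked_connections(lines: Iterable[str],
                        nets: Iterable[ipaddress.IPv4Network]) -> list[tuple[str, str]]:
    """Return (destination IP, matching entry) for every line that hits the list."""
    nets = list(nets)
    hits: list[tuple[str, str]] = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue  # line has no dst= field; nothing to check
        entry = matching_entry(m.group(1), nets)
        if entry is not None:
            hits.append((m.group(1), entry))
    return hits


NETS = parse_blocklist(BLOCKLIST_TEXT)

if __name__ == "__main__":
    for ip, entry in blocked_connections(SAMPLE_LOG, NETS):
        print(f"{ip} is covered by block-list entry {entry}")
```

Note that 95.211.9.55 is not reported: the list above carries 95.211.9.46 as a single host, so it becomes a /32 and does not cover its neighbour, which is the difference between the per-host list and the wider /24 entries.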

Alternatively, this is a plain list of all the IPs and domains that I can identify in this cluster. There are a LOT of them, sorry..


Monday, 19 November 2012

"Southwest Airlines" spam / headerandfooterprebuilt.pro

This fake Southwest Airlines spam leads to malware at headerandfooterprebuilt.pro:

Date:      Mon, 19 Nov 2012 19:33:04 +0000
From:      "Southwest Airlines" [no-reply@luv.southwest.com]
To:      [redacted]
Subject:      Southwest Airlines Confirmation: 5927NI

[redacted] 2012-11-19 86KY9Z INITIAL SLC WN PHX0.00T/TFF 0.00 END AY3.50$SLC2.50 1445164773311 2013-11-22 1655 2012-11-20 Depart SAN LEONARD CITY UT (SLC) at 8:08 PM on Southwest Airlines Arrive in PHOENIX AZ (PHX) at 9:02 PM

You're all set for your traveling!
   
   
My Account | Review My Itinerary Online

   
Check Up Online | Check Flight Status | Change Flight | Special Offers | Hotel Deals | Car Deals
   
Ready for lift-off!
   
Thanks Southwest for your travel! You can find everything you need to know about your booking below. Happy voyage!
Upcoming Cruise: 11/20/12 - SLC - Phx Knight 

The malicious payload is at [donotclick]headerandfooterprebuilt.pro/detects/quality_flyes-ticket_check.php hosted on 198.27.94.80 (OVH, US). There are probably other Bad Things on that IP address that I just can't see yet, so blocking it would be a good precaution.

"W-1" spam / 5.chinottoneri.com

This is a new one, pretending to be from the victim's HR department with tailored fake links in the email that look like they go to the victim's own domain. Of course, hovering over the links reveals that they point to some other domain entirely. A W-1 form is a tax form of some sort from the US Internal Revenue Service.

From: Administrator [mailto:administrator@victimdomain.com]
Sent: 19 November 2012 14:50
Subject: To All Employee's - Important Address UPDATE

To All Employee's:

The end of the year is approaching and we want to ensure every employee receives their W-1 to the correct address.
Verify that the address is correct - https://local.victimdomain.com/details.aspx?id=[redacted]
If changes need to be made, contact HR at https://hr.victimdomain.com/update.aspx?id=[redacted].

 Administrator,
http://victimdomaincom

In this case, the link bounces through two hacked legitimate sites to end up at [donotclick]5.chinottoneri.com/links/landing-philosophy_dry-suspende.php hosted on 50.61.155.86 (Fortress ITX, US). VirusTotal detections are pretty low. I suspect that there are many other malicious sites on this IP; blocking it would be wise.

"End of Aug. Statement Reqiured" spam / bamanaco.ru

This spam leads to malware on bamanaco.ru:

Date:      Mon, 19 Nov 2012 03:55:08 -0500
From:      ups [admin@ups.com]
Subject:      Re: FW: End of Aug. Statement Reqiured
Attachments:     Invoices-1119-2012.htm

Hallo,

as reqeusted I give you inovices issued to you per oct. 2012 ( Internet Explorer/Mozilla Firefox file)



Regards

The malicious payload is at [donotclick]bamanaco.ru:8080/forum/links/column.php hosted on the following IPs:

203.80.16.81 (MYREN, Malaysia)
216.24.196.66 (Psychz Networks, US)

These IPs have been used to deliver malware several times recently; you should block access to them if you can.

Saturday, 17 November 2012

J. dee Edwards / jdeeedwards.com scam

I'm not even certain what this scam is, but this is certainly not legitimate:

From: J. dee Edwards j.edwards@jdeeedwards.com
Reply-To: j.edwards@jdeeedwards.com
Date: 17 November 2012 16:29
Subject: Edwards contact

Dear Colleague,

We are working with healthcare market companies which would like to hear your opinion.

We would like you to become a member of working group and share your opinion online. Please review your full name, specialty, country and language by clicking on the link http://www.jdeeedwards.com/contact.php?e=[redacted] or replying to the email.

Thank you for your time.

J. dee Edwards HRms
j.edwards@jdeeedwards.com
http://www.jdeeedwards.com

To ensure that our emails reach you, please remember to add j.edwards@jdeeedwards.com to your email address book.
We would like to remind you that J. dee Edwards is committed to safeguarding your privacy and your personal details will not be disclosed to third parties.
If you do not wish to receive please visit: http://jdeeedwards.com/unsub.php?e=[redacted]
Copyright 2012 - J. dee Edwards - 20 Broadwick Street London, UK 

Firstly, the email was sent to an address that ONLY spammers use, which is not a good sign. Secondly, the domain jdeeedwards.com has anonymous WHOIS details and was registered just over a month ago. The site is hosted on 54.247.87.188 (Amazon, Ireland) and looks like this:

This fairly badly spelled page (the title is "J. dee Edwards - Human resourcs experts") says:

J. dee Edwards
Human resources experts

We plan, direct, and coordinate the administrative functions of an organization. We oversee the recruiting, interviewing, and hiring of new staff; consult with top executives on strategic planning; and serve as a link between an organization’s management and its employees.

We are comming soon...

Now, there used to be a company called JD Edwards, but there isn't any more, nor is there a company called J. dee Edwards anywhere in the UK.




The link in the email is some sort of signup thing, I guess it's the first part of a scam to recruit people for some sort of illegal activity.


Oddly, the email address is an "optional" component, so how are they going to contact you? Maybe it's the tracking code in the link.

Alternatively, you can reply by email, and this is the third suspicious thing: the mailserver is on 85.206.51.81 in Lithuania (AS8764 / LIETUVOS-TELEKOMAS). AS8764 is a pretty scummy netblock according to Google. 85.206.51.81 is also the IP address the spam was sent from.


So, a non-existent company with a month-old domain sends an email to an address only spammers use, from an email server in a dodgy part of cyberspace. Whatever this is, it is some sort of scam and is definitely best avoided.

Friday, 16 November 2012

Malware sites to block 16/11/12

Some more evil domains and IPs, connected with this spam run. (Thanks, GFI)


Thursday, 15 November 2012

Changelog spam / feronialopam.ru

This fake "Changelog" spam leads to malware on feronialopam.ru:


Date:      Thu, 15 Nov 2012 10:43:59 +0300
From:      "Xanga" [noreply@xanga.com]
Subject:      Re: Changelog 2011 update
Attachments:     changelog-12.htm

Hello,



as promised chnglog attached (Internet Explorer File)

==========



Date:      Thu, 15 Nov 2012 05:43:09 -0500
From:      Chaz Shea via LinkedIn [member@linkedin.com]
Subject:      Re: Changelog as promised(updated)
Attachments:     Changelog-12.htm

Hello,



as prmised changelog is attached (Internet Explorer File)

The malicious payload is at [donotclick]feronialopam.ru:8080/forum/links/column.php hosted on a familiar looking bunch of IP addresses that you really should block:

120.138.20.54 (Sitehost, New Zealand)
202.180.221.186 (GNet, Mongolia)
203.80.16.81 (MYREN, Malaysia)

Wednesday, 14 November 2012

promotesmetasearch.net promotes malware

From the WeAreSpammers blog:

This looks like a fake get-rich-quick scam email which is actually intended to distribute malware.

Originating IP is 5.39.101.233 (OVH, Germany). Spamvertised domains are 8mailer.com on 5.39.101.225 (OVH, Germany) and promotesmetasearch.net on 46.249.38.27 (Serverius Holding, Netherlands).

This last one is kind of interesting, because a) it's all in French and b) it contains a virus. The malware attempts to download an exploit kit from [donotclick]vodkkaredbuuull.chickenkiller.com/trm/requesting/requesting-pass_been_loaded.php, hosted on the same IP address, which is kind of unfriendly.

The WHOIS details show a completely different name and address from the one quoted on the email:

    Florence Buker
    florence_buker05@rockfan.com
    7043 W Avenue A4
    93536 Lancaster
    United States
    Tel: +1.4219588211

Clearly the owner of promotemetasearch.net is up to no good, and I would suggest the Anthony Tomei connection might well be completely bogus.

From: Anthony Tomei admin@8mailer.com
Reply-To: info@promotesmetasearch.net
To: donotemail@wearespammers.com
Date: 14 November 2012 18:22
Subject: launch of

Dear Future Millionaire,

Making $100,000 per month is not hard. In fact, there are 2 ways you accomplish this easy task of making money in a short period of time.

The first way is to...

Click HERE for the complete article>

Anthony Tomei is an Expert Internet Network Marketer. Anthony is known as the Master Marketer and practically gives away all of his secrets, methods and marketing techniques.

This email was sent by Promotes Metasearch, 710 E. Steve Wariner Dr., Vancouver, BC g1x3h4
Click here to unsubscribe

You should probably regard the domain chickenkiller.com as compromised and block it. Additionally, all the following IPs and domains are related and probably malicious.


Tuesday, 13 November 2012

"End of Aug. Statmeent" spam / veneziolo.ru

The spam never stops; this malicious email leads to malware at veneziolo.ru:

Date:      Tue, 13 Nov 2012 12:27:15 -0500
From:      Mathilda Allen via LinkedIn [member@linkedin.com]
Subject:      Re: End of Aug. Statmeent required
Attachments:     Invoices12-2012.htm

Good morning,

as reqeusted I give you inovices issued to you per sept. (Internet Explorer format)

Regards

The malicious payload is at [donotclick]veneziolo.ru:8080/forum/links/column.php hosted on the same IPs seen earlier today. The following IPs and domains are all related:


"Your flight" spam / monacofrm.ru

These spam email messages lead to malware on monacofrm.ru:

From: sales1@victimdomain.com [mailto:sales1@victimdomain.com]
Sent: 13 November 2012 04:04
Subject: Fwd: Your Flight A874-64581

Dear Customer,

FLIGHT NR: 1173-8627
DATE/TIME : JAN 27, 2013, 19:15 PM
ARRIVING AIRPORT: SAN-DIEGO AIRPORT
PRICE : 520.40 USD

Your bought ticket is attached to the letter as a scan document .
To use your ticket you should print it.


NAOMI PATTON,

==========

From: messages-noreply@bounce.linkedin.com [mailto:messages-noreply@bounce.linkedin.com] On Behalf Of LinkedIn
Sent: 13 November 2012 05:18
Subject: Re: Fwd: Your Flight A943-6733

Dear Customer,

FLIGHT NR: 360-6116
DATE/TIME : JAN 26, 2013, 14:12 PM
ARRIVING AIRPORT: SAN-DIEGO AIRPORT
PRICE : 997.25 USD

Your bought ticket is attached to the letter as a scan document .
To use your ticket you should print it.



Adon Walton,

==========

Date:      Tue, 13 Nov 2012 08:20:21 +0400
From:      accounting@victimdomain.com
Subject:      Re: Your Flight A230-63955
Attachments:     FLIGHT_TICKET_A04897499.htm

Dear Customer,



FLIGHT NR: 43070-0328

DATE/TIME : JAN 24, 2013, 12:19 PM

ARRIVING AIRPORT: SAN-DIEGO AIRPORT

PRICE : 323.97 USD



Your bought ticket is attached to the letter as a scan document .

To use your ticket you should print it.



SHERILYN BREWER,

==========

Date:      Tue, 13 Nov 2012 02:14:56 +0700
From:      LinkedIn Password [password@linkedin.com]
Subject:      Re: Your Flight A13-6235
Attachments:     FLIGHT_TICKET_A56970327.htm

Dear Customer,



FLIGHT NR: 7504-638

DATE/TIME : JAN 20, 2013, 18:10 PM

ARRIVING AIRPORT: SAN-DIEGO AIRPORT

PRICE : 089.74 USD



Your bought ticket is attached to the letter as a scan document .

To use your ticket you should print it.

ROSANA Gallo,

The malicious payload is at [donotclick]monacofrm.ru:8080/forum/links/column.php hosted on the following IPs:

202.180.221.186 (GNet, Mongolia)
203.80.16.81 (MYREN, Malaysia)
216.24.194.66 (Psychz Networks, US)

The Mongolian and Malaysian IPs have been used several times for malware attacks; 216.24.194.66 looks like a new one. Blocking them all would probably be prudent.

Added:

There's a Wire Transfer spam using the same payload too:

From: Amazon.com [mailto:account-update@amazon.com]
Sent: 13 November 2012 08:08
Subject: Fwd: Re: Wire Transfer Confirmation

Dear Bank Account Operator,

WIRE TRANSFER: FED8979402863338715
CURRENT STATUS: PENDING

Please REVIEW YOUR TRANSACTION as soon as possible.

Monday, 12 November 2012

Cableforum.co.uk hacked?

Cableforum.co.uk is a popular and useful UK site about digital TV and broadband. Unfortunately, the email address list has leaked out and is being used for spamming, for example:

NatWest : Helpful Banking
Dear Valued Member ;

To prevent unauthorized access to your accounts, your online service has been temporarily locked. No further log in attempts will be accepted.
This is a procedure that automatically occur when an invalid information is submitted during the log in process.
Please follow the provided steps below to confirm your identity
and restore your online access:




https://www.nwolb.com/Brands/NWB/images/backgrounds/widepod_header_bottom_purple_login.gif
    

© Legal Info – Security
© 2005-2012 National Westminster Bank Plc 


This is a standard NatWest phish. It doesn't originate from Cableforum.co.uk or its servers, but it is sent to an address ONLY used for Cableforum, so it must have leaked out somehow.

So.. dutifully I pop across to Cableforum.co.uk and (changing my password en route) find the appropriate forum. It seems that the problem has already been spotted:

Here's one example:

So I received this email today:


Quote:
Date: Fri, 2 Nov 2012 10:15:08 -0400
From: NatWest Online [helpdesk@nwolb.com]
To: [removed]
Subject: Please Review Your Contact Details!!!


Dear Valued Member ;
To prevent unauthorized access to your accounts, your online service has been
+temporarily locked. No further log in attempts will be accepted.

..etc...
The email was sent to an address I've only used to register on Cable Forum and is a series of random characters that spammers wouldn't just 'guess'. Just wondering if anyone else has had this email? 

That's odd. That's exactly the same as me. And then there's another one:

I had two emails sent to both the addresses registered here on Cable Forum. Not sure why the earlier thread was so hastily closed?
Slightly off topic, why can I not edit my email address here?
When I attempt to change it I get this: The email address you entered is already in use. If you have forgotten your password, please click here.
I have not forgotten my password, I was trying to change it as well as my email. 

These are very precise reports from people using unique sign-on addresses. You'd think that would be pretty good evidence. So, armed with that you'd expect a concerned "we'll look into it" response. But instead the replies are:

Spammers don't "pick" anything. Their software generates emails at random and, yes, that includes strings_of_gibberish @yourdomain.

This site has not sold your email address.
This site has not been hacked, cracked or compromised.

The end.

Thread closed.
and

Threads of the same topic that have been closed should not be re-opened/re-created no matter what the circumstances are.

This issue cropped up several months ago and I will repeat what was said then...

We do not believe our systems have been compromised. There was no evidence to suggest an intrusion or breach took place. If anyone has any *Strong* Evidence to suggest other wise then contact us using the contact link below.

Thank you. 
which prompted a response from the original reporter:

The only spam I had was today, didn't have any earlier. I did get an explanation from the mod that closed it about how he didn't feel the thread was useful and that it would attract unwanted replies. But I think preventing people from discussing the issue stinks of a cover up (whether it is or not).

It would be much better to at least post a link to that thread, or some sort of explanation of what they think is happening rather than a dismissive knee-jerk response that it didn't happen when three people have claimed to receive the same email (and Osem says it happened before). All I want is an explanation about what happened and a promise that security of MY data is important but I don't feel like I'm getting that.  
What's worse is that this isn't the first time that this has been reported. Here's another one:

Today I received a not-so-subtle phishing email pretending to come from Santander, sent to my one-off email address associated with my cableforum account. I registered my account in 2009 and it's the first time I get spam/phish on this address. I don't really care if CF was hacked since I used a unique pw/email, but maybe a warning to other users would be the polite thing to do... 

But going back even further shows this thread with a lot of evidence that an email address leak has occurred. One person who seems to know their stuff points out:

Your database has been dumped and the damage is done as far as spam is concerned
now the question is are you

1) going to stick your head in the sand and throw around accusations
or
2) man up and fix the problem 

One of the Cableforum team shows just how far they can bury their head in the sand:

But seriously, all in all, getting back to the main issue, there is about 5 people receiving it to their CF registered e-mail address and reporting it here so far. Co-incidence, yes but a very weak one. 
How many people do you think use unique emails for each site? Not many. That sort of evidence is very, very strong.. especially with multiple reports. That comment got this withering rebuke:

It's not a co-incidence at all. The emails are clearly of the same content and arrived within a small interval of each other and to CF-specific registered email addresses. If you're saying this is purely by chance and that all these email addresses were just "guessed" up by some automated program, then you're in denial.

But another member of the CF team shows that they just don't understand it at all:

Given the extremely weak evidence provided and this appearing to only affect a very small number of members i.e less than 10, we do not believe that our systems have been breached and as a result we believe this to be the actions of brute force spamming.

Really? All these people with unique email addresses report the same spam. And it just gets dismissed?

But if you have the same problem.. forget it. All threads have been closed, creating new threads on the matter has been banned. In denial much?

Clearly there has been a problem for several months, although it isn't clear when such an address leak occurred or what data was taken with it. You should always assume that the passwords have been compromised and change them, and also change them anywhere else that you re-use the same password.

Sadly, crap like this happens to good websites. And the best way to deal with it is to be honest and 'fess up so that members can act accordingly. Nobody likes to think that their site has been compromised, but in this case it clearly has been, to some unknown extent.

I emailed Cableforum.co.uk to advise them (since new forum threads are banned). Let's see if I get a response..

Update: and other incidents are here and here.. so this isn't really an isolated problem.

Update 2:  predictably, raising the issue just gets the thread closed with the phrase "There is nothing to discuss and I am not interested in wild theories and stupid accusations that some how there is a cover up." Which just shows that there is a cover up..

Update 3:  and what is really ridiculous is that Cableforum mods are denying it, despite the fact that their site was recently hacked. And it isn't the first time, either.

Friday, 9 November 2012

Changelog spam / canadianpanakota.ru

This spam leads to malware on canadianpanakota.ru:

Date:      Fri, 9 Nov 2012 11:55:11 +0530
From:      LinkedIn Password [password@linkedin.com]
Subject:      Re: Changlog 10.2011
Attachments:     changelog4-2012.htm

Hello,
as promised changelog,(Internet Explorer File)
The attachment leads to a malicious payload at [donotclick]canadianpanakota.ru:8080/forum/links/column.php hosted on the following IPs:

120.138.20.54 (SiteHost, New Zealand)
202.180.221.186 (GNet, Mongolia)
203.80.16.81 (MYREN, Malaysia)


These IPs will probably be used in other attacks, so blocking access to them now might be prudent. The following IPs and domains are all related:


120.138.20.54
202.180.221.186
203.80.16.81
canadianpanakota.ru
controlleramo.ru
donkihotik.ru
finitolaco.ru
fionadix.ru
forumibiza.ru
lemonadiom.ru
peneloipin.ru
moneymakergrow.ru


Thursday, 8 November 2012

getyourbet.org injection attack

There seems to be an injection attack doing the rounds; the injected domain is getyourbet.org, hosted on 31.184.192.237. The domain registration details are:

Registrant ID:TOD-42842658
Registrant Name:ChinSec
Registrant Organization:ChinSec
Registrant Street1:Beijing
Registrant Street2:
Registrant Street3:
Registrant City:Beijing
Registrant State/Province:BJ
Registrant Postal Code:519000
Registrant Country:CN
Registrant Phone:+86.5264337745
Registrant Phone Ext.:
Registrant FAX:+86.5264337745
Registrant FAX Ext.:
Registrant Email:chinseccdomains@yahoo.com


The domain was created on 12th October. The IP address is in Russia (PIN-DEDICATEDSERVERS-NET).

This is a two-stage attack: if getyourbet.org is called with the correct referrer parameters, the victim ends up at another server at 64.202.123.3 (Hostforweb, US) that tries to serve up a malicious payload. This server hosts a bunch of subdomains from a hacked GoDaddy account.

pin.panacheswimwear.co.uk
physical.oneandonlykanuhura.com
pig.onmailorder.com
picture.onlyplussizes.com
person.nypersonaltrainers.com
pipe.payday-loanstoday.com

I've seen this sort of abuse of GoDaddy domains before: the main "www" domain resolves OK, but the subdomains get pointed elsewhere. There's either a problem with GoDaddy or this is done through a phish.

Anyway, block 64.202.123.3 and 31.184.192.237 if you can to prevent further attacks.

Wednesday, 7 November 2012

Intercompany Invoice spam / controlleramo.ru

This fake invoice spam leads to malware on controlleramo.ru:

Date:      Wed, 7 Nov 2012 07:29:44 -0500
From:      LinkedIn [welcome@linkedin.com]
Subject:      Re: Intercompany inv. from Beazer Homes USA Corp.
Attachments:     Invoice_e49580.htm

Hi

Attached the corp. invoice for the period July 2012 til Aug. 2012.(Internet Explorer file)



Thanks a lot for supporting this process

Rihanna PEASE

Beazer Homes USA Corp.

The attachment contains obfuscated Javascript that attempts to direct the visitor to a malicious payload at [donotclick]controlleramo.ru:8080/forum/links/column.php hosted on:

103.6.238.9 (Universiti Putra, Malaysia)
203.80.16.81 (MYREN, Malaysia)
209.51.221.247 (eNet, US)

These IP addresses have been used in several attacks recently, and you should block access to them if you can.

Some more samples:

Date:      Thu, 8 Nov 2012 08:45:52 +0500
From:      Ashley Madison [donotreply@ashleymadison.com]
Subject:      Re: Inter-company invoice from Novellus Systems Corp.
Attachments:     Invoice_c394579536.htm

Hallo

Attached the intercompany invoice for the period July 2012 til Aug. 2012.(Internet Explorer file)



Thanks a lot for supporting this process

TOVA Link

Novellus Systems Corp.

==========


Date:      Thu, 8 Nov 2012 06:31:13 +0530
From:      Badoo [noreply@badoo.com]
Subject:      Re: Intercompany invoice from Arch Coal Corp.
Attachments:     Invoice_i450583.htm

Hallo





Attached the intercompany inv. for the period July 2012 til Aug. 2012.(Internet Explorer file)

Thanks a lot for supporting this process



BETTYE Caldwell

Arch Coal Corp.

==========


Date:      Wed, 7 Nov 2012 06:52:01 -0600
From:      BrendenHavlicek@hotmail.com
Subject:      Re: Intercompany invoice from Brookdale Senior Living Corp.
Attachments:     Invoice_q2665.htm

Hallo





Attached the intercompany inv. for the period July 2012 til Aug. 2012.(Internet Explorer file)



Thanks a lot

NOEMI STEPHENS

Brookdale Senior Living Corp.



Tuesday, 6 November 2012

Apple "Account Info Change" spam / welnessmedical.com

Not malware this time, but Pharma spam.. the links in this fake Apple message lead to welnessmedical.com.


From: Apple [mailto:appleid@id.arcadiadesign.it]
Sent: Tue 06/11/2012 18:30
Subject: Account Info Change

Hello,

The following information for your Apple ID [redacted] was updated on 11/06/2012:

Date of birth
Security question(s) and answer(s)

If these changes were made in error, or if you believe an unauthorized person accessed your account, please reset your account password immediately by going to iforgot.apple.com.

To review and update your security settings, sign in to appleid.apple.com.

This is an automated message. Please do not reply to this email. If you need additional help, visit Apple Support.

Thanks,
Apple Customer Support



TM and copyright © 2012 Apple Inc. 1 Infinite Loop, MS 96-DM, Cupertino, CA 95014.
All Rights Reserved / Keep Informed / Privacy Policy / My Apple ID 


The fake pharma site (welnessmedical.com) is hosted on 84.22.127.43 along with a bunch of other ones, plus some additional sites one IP over at 84.22.127.44:

medmedsepub.com
newpharmsale.com
virustrapill.com
medicalmedprescription.com
medpillprescription.com
walgreensprescription.com
pilldrugstoregroup.com
medicineonlinephysic.ru
zkflwf.ru
ytti.ru
healthtabstablets.ru
healthcaremedstablets.ru
fitnesspillspharmacy.ru
mycareviagra.pl
diseasepillsmedicine.com
medicareryan.com
cialiswiladen.com
pharmvitamins.com
crashtab.net
healthtabsdrugstore.ru
ghem.ru
jium.ru
epoo.ru
ghas.ru
buymedicinepharmacy.ru
pillpillspharmacy.ru
onlinepharmabuy.ru

Oddly, 84.22.127.43 doesn't seem to be registered at RIPE. No matter, we know who the owner of 84.22.127.0 is:

inetnum:         84.22.127.0 - 84.22.127.7
netname:         A84-22-127-0
descr:           BLACK OPERATIONS
admin-c:         CBMT1-RIPE
tech-c:          CBMT1-RIPE
country:         NL
status:          ASSIGNED PA
mnt-by:          MNT-CB3ROB
mnt-lower:       MNT-CB3ROB
mnt-routes:      MNT-CB3ROB
source:          RIPE # Filtered

role:            Ministery of Telecommunications
address:         One CyberBunker Avenue
address:         CB-31337
address:         CyberBunker-1
address:         Republic CyberBunker
mnt-by:          MNT-CB3ROB
admin-c:         CBMT1-RIPE
tech-c:          CBMT1-RIPE
nic-hdl:         CBMT1-RIPE
source:          RIPE # Filtered

route:          84.22.96.0/19
descr:          R84-22-96-0
origin:         AS34109
mnt-by:         MNT-CB3ROB
source:         RIPE # Filtered


It's our old friends Cyberbunker again, who have registered the block with fake details. How RIPE lets them get away with this I don't know. If you can, I recommend blocking the entire 84.22.96.0/19 range as almost everything here is pretty seedy. You can read more about Cyberbunker's very dark grey hat activities over at Wikipedia if you want more information.
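The recommendation above mixes single hosts (84.22.127.43, 84.22.127.44) with a whole route (84.22.96.0/19). The following is an added example, not code from the original post, showing how a practitioner can check which observed IPs a blocklist covers and collapse redundant entries before pushing rules to a firewall. It uses Python's standard `ipaddress` module; the blocklist entries are the ones quoted in the post, and the list of "observed" hosts is constructed sample data.

```python
"""Check observed IPs against a blocklist of hosts and CIDR ranges.

Added example, not from the original post. The blocklist entries are
the ones the post recommends; the observed hosts below are constructed.
"""
import ipaddress

# Blocklist as a practitioner would copy it from the post:
# single hosts and one CIDR route, mixed together.
BLOCKLIST = [
    "84.22.127.43",    # welnessmedical.com and the other pharma sites
    "84.22.127.44",    # the additional sites one IP over
    "84.22.96.0/19",   # the whole Cyberbunker route announced by AS34109
]


def parse_blocklist(entries):
    """Turn each string into a network object; a bare IP becomes a /32."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def collapse(entries):
    """Merge overlapping entries into the minimal set of rules.

    Hosts already covered by a wider range are dropped, which is what
    happens to the two /32s here once 84.22.96.0/19 is in the list.
    """
    nets = ipaddress.collapse_addresses(parse_blocklist(entries))
    return [str(n) for n in nets]


def matching_block(ip, entries):
    """Return the most specific blocklist entry covering `ip`, or None.

    Entries are tried longest-prefix first, so a /32 wins over a /19
    that also contains the address.
    """
    addr = ipaddress.ip_address(ip)
    nets = sorted(parse_blocklist(entries), key=lambda n: n.prefixlen, reverse=True)
    for net in nets:
        if addr in net:
            return str(net)
    return None


def check_hosts(observed, entries):
    """Map each observed IP to the rule that would block it (None if unblocked)."""
    return {ip: matching_block(ip, entries) for ip in observed}


if __name__ == "__main__":
    # Constructed sample: one host from the post, one address elsewhere in the
    # /19 (84.22.100.108 also appears later in this blog), and one outside it.
    sample = ["84.22.127.43", "84.22.100.108", "8.8.8.8"]
    print("collapsed rules:", collapse(BLOCKLIST))
    for ip, rule in check_hosts(sample, BLOCKLIST).items():
        print(f"{ip:16} -> {rule}")
```

`collapse` is the part worth keeping: once the /19 is in the list, the two /32 entries are redundant and a firewall with one rule is easier to audit than one with three.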

"Scan from a Xerox WorkCentre Pro" / peneloipin.ru

This fake printer spam leads to malware on peneloipin.ru:

From: Keshawn Burns [mailto:MaribelParchment@hotmail.com]
Sent: 06 November 2012 05:09
Subject: Scan from a Xerox WorkCentre Pro #47938830

Please open the attached document. It was scanned and sent
to you using a Xerox WorkCentre Pro.

Sent by: Keshawn
Number of Images: 5
Attachment File Type: .HTML [Internet Explorer file]

Xerox WorkCentre Location: machine location not set
The attachment contains some obfuscated Javascript that redirects the visitor to a malicious payload on [donotclick]peneloipin.ru:8080/forum/links/column.php hosted on some IPs that have been used several times before for malware:

65.99.223.24 (RimuHosting, US)
103.6.238.9 (Universiti Putra, Malaysia)
203.80.16.81 (MYREN, Malaysia)

The following malicious domains are also hosted on the same servers:
forumibiza.ru
kiladopje.ru
donkihotik.ru
lemonadiom.ru
peneloipin.ru
panacealeon.ru
finitolaco.ru
fidelocastroo.ru
ponowseniks.ru
dianadrau.ru
panalkinew.ru
fionadix.ru


SMS Spam: "Records passed to us show you're entitled to a refund approximately £2130"

More SMS spam from.. well, I think the ICO will shortly reveal who. It's not just a spam, but it's also a scam because the spammers are attempting to persuade you to make fraudulent claims. Not everyone is eligible for a PPI refund, and I'm certainly not.. no "records" exist, it's just a scammy sales pitch. Avoid.

Records passed to us show you're entitled to a refund approximately £2130 in compensation from mis-selling of PPI on your credit card or loan.Reply INFO or stop

In this case, the sender's number is +447585858897, although it will change as it gets blocked by the networks.

If you get one of these, you should forward the spam and the sender's number to your carrier. In the case of T-Mobile, O2 and Orange the number to report to is 7726 ("SPAM"). Vodafone customers should use 87726 ("VSPAM") and Three customers should use 37726 ("3SPAM"). Hopefully the carriers will act if there are enough complaints.

Monday, 5 November 2012

Dynamic DNS sites you might want to block

These domains belong to ChangeIP.com, which I guess is a legitimate company providing Dynamic DNS services, but one that is being abused by the bad guys. Unless it's a corporate site (like ChangeIP.com itself), each of these domains will be used with some random subdomain pointing to a random IP address somewhere.. so blocking IPs won't work here.

There are two versions of this list, one links through to the Google Safe Browsing diagnostics report in case you want to review them on a case-by-case basis before blocking them (yellow highlighted ones have some malware, red highlighted ones are blocked by Google). The second one is a plain list of everything in case you want to block them completely.

You might notice one of the domains is called b0tnet.com which is a peculiar name for a legitimate business to register.

1dumb.com [report]
25u.com [report]
2waky.com [report]
3-a.net [report]
4dq.com [report]
4mydomain.com [report]
4pu.com [report]
acmetoy.com [report]
almostmy.com [report]
americanunfinished.com [report]
anastasion.com [report]
authorizeddns.net [report]
authorizeddns.org [report]
authorizeddns.us [report]
b0tnet.com [report]
bigmoney.biz [report]
changeip.biz [report]
changeip.co.uk [report]
changeip.me [report]
changeip.name [report]
changeip.net [report]
changeip.org [report]
changeip.us [report]
cleansite.biz [report]
cleansite.info [report]
cleansite.us [report]
compress.to [report]
ddns.com.co [report]
ddns.info [report]
ddns.me.uk [report]
ddns.mobi [report]
ddns.ms [report]
ddns.name [report]
ddns.us [report]
dhcp.biz [report]
dns-dns.com [report]
dns-report.com [report]
dns-stuff.com [report]
dns04.com [report]
dns05.com [report]
dns1.us [report]
dns2.us [report]
dnsfailover.net [report]
dnsrd.com [report]
dnyp.com [report]
dsmtp.com [report]
dumb1.com [report]
dynamicdns.biz [report]
dynamicdns.co [report]
dynamicdns.co.uk [report]
dynamicdns.com.co [report]
dynamicdns.me.uk [report]
dynamicdns.org.uk [report]
dyndns.pro [report]
edns.biz [report]
epac.to [report]
esmtp.biz [report]
ezua.com [report]
faqserv.com [report]
fartit.com [report]
freeddns.com [report]
freetcp.com [report]
freewww.biz [report]
freewww.info [report]
ftp1.biz [report]
ftpserver.biz [report]
gettrials.com [report]
got-game.org [report]
gr8domain.biz [report]
gr8name.biz [report]
https443.net [report]
https443.org [report]
instanthq.com [report]
iownyour.biz [report]
iownyour.org [report]
isasecret.com [report]
itemdb.com [report]
itsaol.com [report]
jetos.com [report]
jkub.com [report]
jungleheart.com [report]
justdied.com [report]
lflink.com [report]
lflinkup.com [report]
lflinkup.net [report]
lflinkup.org [report]
longmusic.com [report]
mefound.com [report]
misecure.com [report]
moneyhome.biz [report]
monitorip.com [report]
mrbasic.com [report]
mrbonus.com [report]
mrface.com [report]
mrnorris.com [report]
mrslove.com [report]
my03.com [report]
mydad.info [report]
myddns.com [report]
myftp.info [report]
myftp.name [report]
mymom.info [report]
mynumber.org [report]
mypicture.info [report]
mypop3.net [report]
mypop3.org [report]
mysecondarydns.com [report]
mywww.biz [report]
myz.info [report]
ninth.biz [report]
ns01.biz [report]
ns01.info [report]
ns01.us [report]
ns02.biz [report]
ns02.info [report]
ns02.us [report]
ns1.name [report]
ns2.name [report]
ns3.name [report]
ocry.com [report]
onedumb.com [report]
onmypc.biz [report]
onmypc.info [report]
onmypc.net [report]
onmypc.org [report]
onmypc.us [report]
organiccrap.com [report]
otzo.com [report]
ourhobby.com [report]
pcanywhere.net [report]
poppop.com [report]
port25.biz [report]
portrelay.com [report]
privatename.org [report]
proxydns.com [report]
qhigh.com [report]
qpoe.com [report]
rebatesrule.net [report]
sellclassics.com [report]
sendsmtp.com [report]
serveuser.com [report]
serveusers.com [report]
sexidude.com [report]
sexxxy.biz [report]
sixth.biz [report]
squirly.info [report]
ssl443.org [report]
ssmailer.com [report]
theblacklist.org [report]
toh.info [report]
toythieves.com [report]
trickip.net [report]
trickip.org [report]
vizvaz.com [report]
wha.la [report]
wikaba.com [report]
www1.biz [report]
wwwhost.biz [report]
x24hr.com [report]
xxuz.com [report]
xxxy.biz [report]
xxxy.info [report]
ygto.com [report]
youdontcare.com [report]
yourtrap.com [report]
zaantek.com [report]
zyns.com [report]
zzux.com [report]


If you want to block all of these sites, then the domains I can find are as follows:
1dumb.com
25u.com
2waky.com
3-a.net
4dq.com
4mydomain.com
4pu.com
acmetoy.com
almostmy.com
americanunfinished.com
anastasion.com
authorizeddns.net
authorizeddns.org
authorizeddns.us
b0tnet.com
bigmoney.biz
changeip.biz
changeip.co.uk
changeip.me
changeip.name
changeip.net
changeip.org
changeip.us
cleansite.biz
cleansite.info
cleansite.us
compress.to
ddns.com.co
ddns.info
ddns.me.uk
ddns.mobi
ddns.ms
ddns.name
ddns.us
dhcp.biz
dns-dns.com
dns-report.com
dns-stuff.com
dns04.com
dns05.com
dns1.us
dns2.us
dnsfailover.net
dnsrd.com
dnyp.com
dsmtp.com
dumb1.com
dynamicdns.biz
dynamicdns.co
dynamicdns.co.uk
dynamicdns.com.co
dynamicdns.me.uk
dynamicdns.org.uk
dyndns.pro
edns.biz
epac.to
esmtp.biz
ezua.com
faqserv.com
fartit.com
freeddns.com
freetcp.com
freewww.biz
freewww.info
ftp1.biz
ftpserver.biz
gettrials.com
got-game.org
gr8domain.biz
gr8name.biz
https443.net
https443.org
instanthq.com
iownyour.biz
iownyour.org
isasecret.com
itemdb.com
itsaol.com
jetos.com
jkub.com
jungleheart.com
justdied.com
lflink.com
lflinkup.com
lflinkup.net
lflinkup.org
longmusic.com
mefound.com
misecure.com
moneyhome.biz
monitorip.com
mrbasic.com
mrbonus.com
mrface.com
mrnorris.com
mrslove.com
my03.com
mydad.info
myddns.com
myftp.info
myftp.name
mymom.info
mynumber.org
mypicture.info
mypop3.net
mypop3.org
mysecondarydns.com
mywww.biz
myz.info
ninth.biz
ns01.biz
ns01.info
ns01.us
ns02.biz
ns02.info
ns02.us
ns1.name
ns2.name
ns3.name
ocry.com
onedumb.com
onmypc.biz
onmypc.info
onmypc.net
onmypc.org
onmypc.us
organiccrap.com
otzo.com
ourhobby.com
pcanywhere.net
poppop.com
port25.biz
portrelay.com
privatename.org
proxydns.com
qhigh.com
qpoe.com
rebatesrule.net
sellclassics.com
sendsmtp.com
serveuser.com
serveusers.com
sexidude.com
sexxxy.biz
sixth.biz
squirly.info
ssl443.org
ssmailer.com
theblacklist.org
toh.info
toythieves.com
trickip.net
trickip.org
vizvaz.com
wha.la
wikaba.com
www1.biz
wwwhost.biz
x24hr.com
xxuz.com
xxxy.biz
xxxy.info
ygto.com
youdontcare.com
yourtrap.com
zaantek.com
zyns.com
zzux.com
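Because each base domain above is used with arbitrary subdomains resolving to arbitrary IPs, a useful block has to match on the domain suffix at label boundaries, not on exact hostnames or addresses. The following is an added example, not code from the original post, of such a matcher applied to DNS-query-style log lines. It assumes a small subset of the ChangeIP base domains listed above; the log lines and the subdomain labels in them are constructed samples.

```python
"""Match hostnames against dynamic-DNS base domains by suffix.

Added example, not from the original post. BLOCKED_BASES is a subset of
the ChangeIP list above; the sample log lines are constructed.
"""

# A subset of the base domains from the list above (assumed blocklist).
BLOCKED_BASES = {"4pu.com", "ddns.info", "b0tnet.com", "ddns.me.uk", "dynamicdns.org.uk"}


def normalise(hostname):
    """Lower-case, strip whitespace and any trailing dot from FQDN form."""
    return hostname.strip().lower().rstrip(".")


def blocking_base(hostname, bases=BLOCKED_BASES):
    """Return the blocklisted base domain that covers `hostname`, or None.

    Candidates are built at label boundaries from right to left, so
    'x.ddns.me.uk' matches 'ddns.me.uk' and a bare base matches itself,
    while lookalikes such as 'notddns.info' or 'ddns.info.example' do not.
    """
    labels = normalise(hostname).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in bases:
            return candidate
    return None


def filter_log(lines, bases=BLOCKED_BASES):
    """Apply the matcher to 'client queried-name' log lines.

    Returns (normalised host, matching base) pairs for blocklisted queries,
    in the order they appear; malformed lines are skipped.
    """
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 2:
            continue
        base = blocking_base(parts[1], bases)
        if base:
            hits.append((normalise(parts[1]), base))
    return hits


# Constructed sample log lines: client IP followed by the queried name.
SAMPLE_LOG = [
    "10.0.0.5 abc123.4pu.com.",
    "10.0.0.7 xyz.ddns.info",
    "10.0.0.9 www.example.com",
    "10.0.0.9 notddns.info",
    "10.0.0.9 ddns.info.example",
    "10.0.0.11 deep.sub.host.B0TNET.com",
    "malformed-line",
]

if __name__ == "__main__":
    for host, base in filter_log(SAMPLE_LOG):
        print(f"{host} blocked via {base}")
```

The label-boundary walk is the point: a naive `hostname.endswith(base)` check would block `notddns.info` and miss nothing, but the reverse mistake, a substring check, would also flag `ddns.info.example`, which is a different registered domain entirely.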

Fake statistics domains lead to malware

The following fake "statistics" domains lead to malware. All have been registered in the past few days and are used as redirectors to other exploit kits. Perhaps they are actually performing black hat statistical tracking. Blocking them (or the associated IPs) would be wise.

bilingstats.org
bombast-atse.org
bombastatse.org
ceastats.org
colinstats.org
expertstats.org
informazionestatistica.org
melestats.org
nonolite.org
statisticaeconomica.org
statspps.org
superbombastatse.org
topbombastatse.org
ufficiostatistica.org

Hosting IPs:
31.193.133.212 (Simply Transit, UK)
91.186.19.42 (Simply Transit, UK)
95.211.180.143 (Leaseweb, Netherlands)

Sunday, 4 November 2012

Something evil on 31.193.12.3

These are mostly fake AVs and drive-by downloads, some of which seem to be promoted through low-grade banner ads, all hosted on 31.193.12.3 (Burstnet, UK) and suballocated to:

person:          Olexii Kovalenko
address:         Pavlova, 15, Zaporozhye, Zaporozhye, 69000, Ua
phone:           +1 570 343 2200
fax-no:          +1 570 343 9533
nic-hdl:         OK2455-RIPE
source:          RIPE # Filtered
mnt-by:          mnt-burst-au
mnt-by:          mnt-burst-mu


The registration for the .asia and .eu domains is consistent in the ones I have checked:

Registrant ID:DI_23063626
Registrant Name:Javier
Registrant Organization:n/a
Registrant Address:Nevskaya street 41
Registrant Address2:
Registrant Address3:
Registrant City:Belgorad
Registrant State/Province:Belgorodskaya oblast
Registrant Country/Economy:RU
Registrant Postal Code:494980
Registrant Phone:+007.9487728744
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Registrant E-mail:007uyfo007@mail.ru


I've broken the list into three parts; it's a bit messy, sorry..

The first part is a bunch of short domains used with subdomains to create a malicious payload:
List 1:
a1ft.asia
a3ew.asia
ah2b.asia
av5n.asia
c2wj.asia
cj4d.asia
ck3l.asia
bs3d.asia
d4xi.asia
d8dx.asia
dj7k.asia
dk3i.asia
ef1r.asia
f4dw.asia
fj2j.asia
fm5h.asia
g2wy.asia
g4av.asia
gi4b.asia
h2ju.asia
j2qd.asia
j5hn.asia
ja6l.asia
k3lr.asia
l3gv.asia
m1eb.asia
m1eq.asia
m4nj.asia
n0un.asia
n3mi.asia
nw2r.asia
p0rv.asia
p0ry.asia
pq8c.asia
q2hm.asia
q2hv.asia
q3bz.asia
qk3x.asia
r4dx.asia
s6wm.asia
t5ha.asia
t5hj.asia
t5zb.asia
u7bo.asia
uh7f.asia
v8ul.asia
ve4z.asia
w3wc.asia
w3wz.asia
w2jf.asia
x6fr.asia
x8ru.asia
y1uh.asia
y6np.asia
z1ha.asia
jp5s.info
pe5a.info
gw1c.eu

Subdomains in use:
be-ttraccker
dipppboxx
dippbboxx
diiipp-box
diippss-box
faat-llood
fatssllooads
fiilespooisk1
fiilepoiick
filles-looads
fileloood
file-looadds
files-loooads
ffilelooadd
ffile-poiick
ffiles-poiick1
filles-poiick
fille-poiick
ffilespooiisk
fillepoiick
fileppooiisk
filespooiisk
file-ppooiisk
file-pooiisk
files-poiiick
filess-poiick
file-poiicck
filles-pooisk
fiiles-poiisk1
files-poooiisk1
files-pooiiisk1
files-poooisk1
files-pooiick
fiiles-pooiisk
filespooiissk
file-pooiick
files-poiickk
file-poooiisk
files-ppoiick
geettefiiiles1
geetefiiless
geetteffiiles1
gette-fillees1
geette-fiilees1
geetee-fiiles
gette-fillees
getsefilles
getssatfiles
geettefiilees
ggets-filles
j-t0rrreentt1
jjt0rreentts
l0adss-ffiles
l0adss-ffile
l0addes-flilee
l0addesflilee
l0addes-fillee
l0adds-fiile
load-fiilles
load-fiilee
load-fiille
loaddfiiles
qipsefilles
qiips-fiiles1
qips-fiilee
qippfiile1
qippsfiiles1
qip-ffiile1
hhiitfiles1

This list contains domains detected through passive DNS:
List 2:
babyload.asia
beastlyload.asia
bestialload.asia
childlikeload.asia
childlyload.asia
deliveryload.asia
infantload.asia
inwardload.asia
perfectload.asia
ptload.asia
singleload.asia
soleload.asia
sparingload.asia
supernalload.asia
alonefile.asia
animalfile.asia
childishfile.asia
festivefile.asia
finefile.asia
infantilefile.asia
innerfile.asia
largestfile.asia
sacredfile.asia
alertloads.asia
artloads.asia
artisticalloads.asia
animateloads.asia
chronicloads.asia
excitableloads.asia
friendlessloads.asia
licitloads.asia
lonelyloads.asia
lovingloads.asia
nakedloads.asia
primalloads.asia
primevalloads.asia
stateloads.asia
vivaciousloads.asia
vivirloads.asia
activefiles.asia
alertfiles.asia
alivefiles.asia
artfiles.asia
artisticalfiles.asia
drawnfiles.asia
looadfilees.asia
primevalfiles.asia
quickfiles.asia
savagefiles.asia
arimara1.org.ua
arimara3.org.ua
akciya.pp.ua
lis4.biz.ua
affectionateload.org
file-load.net
gbait.com
tevon.tk
joload.mooo.com
loadfile.us.to
8-loaadiing.info
agents-load1.info
ageentoloods.info
lloadfi1es.info
resonantfile.info
stabilitytrojanssaver.info
v-x.info
windowsinspectionon-line.info
lodifiles.eu
alfabiblioteka.ru
book-darom.ru
detki-travel.ru
haxo.ru
loads-filse.ru
lptds.ru
megaload2filebaza.ru
j-torents.ru
jumpcat.ru
u8l.ru
zona-trafika.ru

Finally, this long list (too long to post here) contains other detected domains on the same IP. Frankly, blocking the IP address is the easiest option.. there are actually more domains than listed here and some are duplicated, but it's the best I could do at the moment.

Many of these domains show as evil in Google's Safe Browsing Diagnostics (example) and I can find zero legitimate domains on this IP.

Friday, 2 November 2012

Wire Transfer spam / webmoniacs.ru

This fake wire transfer spam leads to malware on webmoniacs.ru:


Date:      Fri, 2 Nov 2012 06:23:10 +0700
From:      "service@paypal.com" [service@paypal.com]
Subject:      RE: Wire Transfer cancelled

Dear Sirs,

The Wire transfer was canceled by the other bank.



Canceled transaction:

FED REFERENCE NUMBER: 628591160ACH34584

Transaction Report: View



The Federal Reserve Wire Network

The malicious payload is at [donotclick]webmoniacs.ru:8080/forum/links/column.php hosted on:
65.99.223.24 (RimuHosting, US)
203.80.16.81 (MYREN, Malaysia)
209.51.221.247 (eNet, US)

The following IPs and domains are all connected and should be blocked:
50.22.102.132
62.76.186.190
65.99.223.24
68.67.42.41
79.98.27.9
84.22.100.108
85.143.166.170
132.248.49.112
203.80.16.81
209.51.221.247
213.251.171.30
denegnashete.ru
dianadrau.ru
donkihotik.ru
fidelocastroo.ru
finitolaco.ru
fionadix.ru
forumibiza.ru
kiladopje.ru
lemonadiom.ru
manekenppa.ru
panacealeon.ru
panalkinew.ru
pionierspokemon.ru
ponowseniks.ru
rumyniaonline.ru
webmoniacs.ru
windowonu.ru

Intuit spam / savedordercommunicates.info

This fake Intuit spam leads to malware on savedordercommunicates.info:


Date:      Sat, 3 Nov 2012 02:11:17 +0800
From:      "Intuit Information System" [roughervm73@biolconseils.ch]
Subject:      Notification Only: Transaction Received by Intuit

Direct Deposit Service Message
Communicatory Only

We rejected your payroll on November 1, 2012 at 626 AM Central Time.

    Money would be left from the account No. ending in: XXX1 on November 2, 2012.
    quantum to be left: $7 639.16
    Paychecks would be deferred to your staff' accounts on: November, 2, 2012
    Go to web site by clicking here to Overview Transaction

Funds are typically withdrawn before usual banking hours so please make sure you have sufficient Funds accessible by 12 a.m. on the date Finances are to be gone away.

Intuit must complete your payroll by 4 p.m. Eastern time, two banking days before your paycheck date or your customers will not be paid on time. QuickBooks does not process payrolls on weekends or federal banking holidays. A list of federal banking holidays can be viewed at the Federal Reserve link.

Thank you for your business.

Regards,
Intuit Payroll Services

An substantial information regarding latest Refused Transactions is waiting for you.

Please DO NOT reply to this message. automative notification system not configured to accept incoming messages..

Copyright 2008 Intuit Inc. QuickBooks and Intuit are registered trademarks of and/or registered service marks of Intuit Inc. in the United States and other countries.

Intuit Inc. Customer Care
87566

San Paolo City, AZ 15203

The malicious payload is at [donotclick]savedordercommunicates.info/detects/bank_thinking.php hosted on 75.127.15.39 (New Wave NetConnect, US) along with another malicious domain of teamscapabilitieswhich.org. Blocking this IP would be wise.


Thursday, 1 November 2012

Discover card spam / netgear-india.net

This fake Discover Card spam leads to malware on netgear-india.net:

From: Discover Account Notes [mailto:no-reply@notify.discover.com]
Sent: Thu 01/11/2012 15:32
Subject: Great Details Changes in your Discover card Account Terms

Account Services  |   Customer Care Services           
Account ending in XXX1          
  
An substantial communication regarding latest Declined Transfers is waiting for you.   
     
Log In to Read Information  
    
Honored Discover Client,
 
There is an serious message waiting for you from Discover® card. Please read the message mindfully and keep it with your file.

To ensure optimal privacy, please log in to view your message at Discover.com.
 

Please click on this link if you have forgotten your UserID or Password.
 

Add information@service.discover.com to your address book to ensure delivery of these notifications.

VITAL NOTE

This message was delivered to [redacted] for Discover debit card account number ending with XXX1.

You are receiving this e-mail because you have account at Discover.com.

Log in to change your e-mail address or overview your account e-mail options.

If you have any questions about your account, please Login to leave us a message securely and we would be glad to support you.

Please DO NOT reply to this message. auto informer system cannot accept incoming email.

DISCOVER and other trademarks, logos and service marks used in this e-mail are the trademarks of Discover Financial Services or their respective third-party owners.

Discover Banking Ltd.
P.O. Box 84265
Salt Lake City, SC 76433
2012 Discover Bank, Member FDIC
[redacted]

========

From: Discover Account Notes [mailto:donotreply@service.discover.com]
Sent: Thu 01/11/2012 16:36
Subject: Substantial Information about your Discover Account

Account Center   |   Customer Center         
               Account ending in XXX9        

 
An significant message regarding latest Approved Activity is waiting for you.
   
Log In to Overview Details  
    
Respective Cardholder,
  
There is an important message waiting for you from Discover® card. Please read the message carefully and keep it with your archive.

To ensure optimal privacy, please sign in to read your data at Discover.com.

Please visit discover.com if you have forgotten your Login ID or Password.

Add discover@information.discover.com to your trusted emails to ensure delivery of these messages.

VITAL NOTIFICATION

This e-mail was sent to [redacted] for Discover card account No. ending with XXX9.

You are receiving this e-mail because you member of Discover.com.

Log in to change your e-mail address or view your account e-mail settings.

If you have any questions about your account, please Enter your account to leave us a message securely and we would be blissful to help you.

Please don't reply to this message. auto-notification system cannot accept incoming mail.

DISCOVER and other trademarks, logos and service marks used in this e-mail are the trademarks of Discover Financial Services or their respective third-party owners.

Discover Banking Llc.
P.O. Box 85486
Seashore City, NV 91138
2012 Discover Bank, Member FDIC
[redacted]

The malicious payload is at [donotclick]netgear-india.net/detects/discover-important_message.php hosted on 183.180.134.217 (RAT CO, Japan). The following domains are on that same IP, and judging by the registration details they should also be considered as malicious:
itracrions.pl
radiovaweonearch.com
steamedboasting.info
solla.at
netgear-india.net
puzzledbased.net
stempare.net
questionscharges.net
bootingbluray.net