
Thursday 8 August 2013

eFax / jConnect spam and eliehabib.com

This fake fax spam leads to malware on eliehabib.com:

Date:      Wed, 7 Aug 2013 13:05:22 -0600 [15:05:22 EDT]
From:      Fax Message [message@inbound.efax.com]
Subject:      Fax Message at 2013-08-07 01:54:34 EST

Fax Message

You have received 4 fax page(s) at 2013-08-07 01:54:34 EST.

* The reference number for this fax is wlmt_bgp85-3506454489-3878764215-49.
* The transmission start time for this fax is .

Click here to view this message in your web browser
Please visit http://www.j2.com/help if you have any questions regarding this message or your j2 service.

Thank you for using jConnect!
Powered by j2

2013 j2 Global Communications, Inc. All rights reserved.
jConnect is a registered trademark of j2 Global Communications, Inc.

This account is subject to the terms listed in the jConnect Customer Agreement.
The link in the email goes through a legitimate hacked site and then on to three scripts as follows:

From then on the victim is sent to a payload site at [donotclick]eliehabib.com/topic/seconds-exist-foot.php which is a hacked domain registered by GoDaddy, hosted on (Gandi, US). There are probably other malicious domains that I cannot see on the same server.

Recommended blocklist:

Tuesday 6 August 2013

Pharma sites to block 6/8/13

A new list of pharma sites and IPs, related to this bunch. (China Telecom, China) (Novosibirsk A3 Ltd, Russia) (Novosibirsk A3 Ltd, Russia) (Network Communication, Poland) (Network Communication, Poland) (Informacines Sistemos Ir Technologijos UAB, Lithunia) (Kazakh Telecom, Kazakhstan) (Biznes-host.pl, Poland) (HybridServers, Lithunia) (Telecentro S.A., Argentina) (FOP Budko Dmutro Pavlovuch, Ukraine) (Ajato Telecomunicacao Ltda, Brazil) (CERNET, China) (Funing Tianlong Netbar, China)

Malware sites to block 6/8/13

Following on from last week's list, this week seems to see a smaller number of servers and malicious domains from this crew. (GHOSTnet, Germany) (Time Warner Cable, US) (Link Egypt, Egypt) (Amazon AWS, US) (Chungwa Telecom, Taiwan) (DACOM Corp, Korea) (Time Warner Cable, US) (Hetzner, Germany) (Trakia Kabel OOD, Bulgaria) (Worldcom Teda Networks Technology Co. Ltd, China) (TANET, Taiwan) (Cusdelight Consultancy SE, India) (Telmex Colombia, Colombia) (CERNET, China) (Limestone Networks / 123Systems Solutions, US) (Society Of Mali's Telecommunications, Mali)

What is

A breakdown of the suballocations of the Verizon Business block, mentioned in connection with Torsploit:

Block  Start  End  CustName                                Description
                   Science Applications Int                SAIC (US Defense contractor)
                   Old Dominion Internet                   Possibly dormant VA corporation
                   FTS2001/US Government                   Federal Technology Service
                   Unknown                                 "Torsploit" block
                   Universal Machine Co of Pottstown Inc   Universal Machines (www.umc-oscar.com)
                   Kitron                                  Electronic Manufacturing Service
                   Morningside Sports Farm                 Horse Training Farm in VA
                   MetTel, Inc                             Telecommunications Service Provider
                   Guidestar                               NPO Information Service
                   Walt Disney Company                     Mickey Mouse outfit
                   Dental Concepts                         Dentistry
                   GARP Research & Securities              Financial Analysts
                   Assured Packaging Inc                   Metal boxes
                   Unknown                                 Unknown
                   Butler Medical Transport                Patient Transport Services
                   Federated IT                            Government IT contractor
                   Old Dominion Internet                   Possibly dormant VA corporation
                   Pharmaceuticals International, Inc      Healthcare
                   Unknown                                 Unknown
                   Live Nation                             Events Company, CA
                   Georgetown Day School                   Washington DC school

Monday 5 August 2013

Torsploit: is the NSA?

There has been a lot of chatter in the past day or so about the takedown of an Irish outfit called Freedom Hosting which hosted a number of "hidden services" on Tor, ranging from Tormail (which allows anonymous email communication) to.. well, Really Bad Stuff that you don't want to know about. Basically.. Law Enforcement (LE) appear to have discovered the real-world location of these servers on the other side of Tor and have busted the alleged operator.

What gets interesting is that some of these Tor services were infected with an injection script that attempted to reveal the real IP address of the visitor through a security flaw in the version of Firefox in the Tor Bundle. There's an interesting analysis of the script here and the long and the short of it is that the injected code attempts to call back to, in order to track the Tor users involved.

So.. who is Well, it seems to be a Verizon Business IP (part of a "ghost block" of in the Washington DC area. You know.. the home of several government agencies or branches thereof. But now the Internet is awash with rumours that this IP address belongs to the NSA. But what evidence is there?

A lot of the fuss seems to have happened because of this tweet from Baneki Privacy Labs.

What Baneki are saying is that the whole block (the "C block" in classful parlance) is owned by a government contractor called SAIC (apparently not the SAIC who own MG Motors!) and that SAIC are connected to the DoD. Although SAIC are certainly a military contractor, the error that they are making is to believe the report from DomainTools which appears to be misinterpreting the allocations in that particular block.

So, does SAIC (listed here as SCIENCE APPLICATIONS INT) own the whole /24? No. Verizon has simply allocated the first /28 in that block to SAIC, and it appears that DomainTools is misinterpreting that data.

NetRange: -
NetName:        UU-65-222-202-D4
NetHandle:      NET-65-222-202-0-1
Parent:         NET-65-192-0-0-1
NetType:        Reassigned
Comment:        Addresses within this block are non-portable.
RegDate:        2006-09-14
Updated:        2006-09-14
Ref:            http://whois.arin.net/rest/net/NET-65-222-202-0-1

Address:        47332 EAGAN MCALLISTER LN
Address:        RM 1112 1st fl
City:           LEXINGTON PARK
StateProv:      MD
PostalCode:     20653-2461
Country:        US
RegDate:        2006-09-14
Updated:        2011-03-19
Ref:            http://whois.arin.net/rest/customer/C01446299

Other suballocations in that block do include government agencies, but just a couple of IPs away from the mystery IP is which belongs to an industrial supply company called Universal Machines. Whoever uses is very likely to be a corporate or government entity, but really that's pretty much all you can tell from the Verizon Business IP. DomainTools is great but as with any automated tool.. sometimes you need to double-check what it reports back.

But then Baneki make another claim.. that obviously belongs to the NSA, because the NSA controls the entire range ( to which is about 2 million IPs. This is what they were referring to:

Umm, well.. no. That's just another block allocated to Verizon Business. You may as well argue that everything in belongs to the NSA on the same principle. Actually.. maybe it does, but that's another matter entirely. Again.. Robtex is a great tool but you sometimes need to sanity-check the output.

It may surprise you to learn that law enforcement officers and intelligence agencies are not normally complete fucking idiots when it comes to guarding their IP addresses. They do not (for example) sign up to Silk Road with their @fbi.gov email addresses or poke around the underweb from an NSA IP address range. Well, not normally..

I am not saying that the injection wasn't the work of the NSA. Or the CIA, FBI, DOD, IRS or any other Alphabet Soup Agency. But let's see some real evidence first, eh?

UPDATE: I had a closer look at the users of the /24 here. It's a mix of businesses and government organisations and contractors, not surprising given the physical location of the /24.
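The DomainTools mix-up above comes down to reading the wrong registry record: a customer reassignment inside a block says nothing about the rest of that block, and a parent allocation says nothing about who uses a particular address inside it. This added example (not code from the original post) does a longest-prefix lookup over a small registry view; the only allocation taken from the post is the /28 of 65.222.202.0/24 reassigned to SAIC (ARIN handle NET-65-222-202-0-1), the /11 parent is an assumption based on the parent handle NET-65-192-0-0-1 and the "about 2 million IPs" figure, and the other customers and query addresses are constructed placeholders.

```python
"""Which registry record actually covers an address?

Added example, not code from the original post. The only allocation taken
from the post is Verizon Business reassigning the first /28 of
65.222.202.0/24 to SAIC (ARIN handle NET-65-222-202-0-1). The /11 parent is
an assumption based on the parent handle NET-65-192-0-0-1 and the post's
"about 2 million IPs"; the other customer ranges and all query addresses
are constructed placeholders.
"""
import ipaddress
from typing import List, NamedTuple


class Allocation(NamedTuple):
    network: ipaddress.IPv4Network
    holder: str
    kind: str  # "direct": RIR -> ISP, "reassigned": ISP -> customer


ALLOCATIONS = [
    Allocation(ipaddress.ip_network("65.192.0.0/11"), "Verizon Business", "direct"),
    Allocation(ipaddress.ip_network("65.222.202.0/24"), "Verizon Business", "direct"),
    Allocation(ipaddress.ip_network("65.222.202.0/28"),
               "Science Applications Int (SAIC)", "reassigned"),
    # Constructed placeholder customers elsewhere in the same /24.
    Allocation(ipaddress.ip_network("65.222.202.64/29"), "PLACEHOLDER-customer-A", "reassigned"),
    Allocation(ipaddress.ip_network("65.222.202.96/27"), "PLACEHOLDER-customer-B", "reassigned"),
]


def containing_chain(ip: str, allocations=ALLOCATIONS) -> List[Allocation]:
    """Every record that contains ip, most specific (longest prefix) first."""
    addr = ipaddress.ip_address(ip)
    hits = [a for a in allocations if addr in a.network]
    return sorted(hits, key=lambda a: a.network.prefixlen, reverse=True)


def responsible_party(ip: str, allocations=ALLOCATIONS) -> str:
    """Holder of the most specific record: the customer if a reassignment
    covers ip, otherwise the ISP still holding the parent block."""
    chain = containing_chain(ip, allocations)
    return chain[0].holder if chain else "unallocated"


def same_customer(ip_a: str, ip_b: str, allocations=ALLOCATIONS) -> bool:
    """True only when both addresses sit in the same reassigned record.
    Sharing a /24 (or a /11) parent shows a common ISP, nothing more."""
    a = containing_chain(ip_a, allocations)
    b = containing_chain(ip_b, allocations)
    if not a or not b:
        return False
    return a[0].kind == "reassigned" and a[0].network == b[0].network


def describe(ip: str, allocations=ALLOCATIONS) -> str:
    """Human-readable trace from the widest parent down to the most specific record."""
    chain = containing_chain(ip, allocations)
    lines = [f"{ip}:"]
    for a in reversed(chain):  # widest parent first
        lines.append(f"  {a.network!s:<20} {a.kind:<10} {a.holder}")
    lines.append(f"  -> responsible party: {responsible_party(ip, allocations)}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(describe("65.222.202.5"))    # inside the SAIC /28
    print(describe("65.222.202.200"))  # same /24, no customer record: only Verizon
```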

alliexfinancial.com / Alliexfinancial Ltd "Legal Registered Investment company" spam (is it a scam?)

A slightly odd spam, sent to a scraped email address:

From:     Dirk Nunes [flamwood888@gmail.com]
Date:     5 August 2013 10:54
Subject:     Legal Registered Investment company
Signed by:     gmail.com

alliexfinancial Ltd
Our advantages :

Legal Registered Investment company

Guaranteed Return on Investments

Principal Deposits Protection

Trustwave Trusted Commerce Seal

Extended Validation SSL Certificate

DDoss Protected Dedicated Server

Instant Withdrawal Processin
JOIN NOW https://alliexfinancial.com/?ref=flamwood
Alliexfinancial Ltd is the UK registered legal international investment company. The company was created by a group of qualified experts, professional bankers, traders and analysts who specialized in the stock, bond, futures, currencies, gold, silver and oil trading with having more than ten years of extensive practical experiences of combined personal skills, knowledge, talents and collective ambitions for success.


2.2% for 7 days (115.4% total return)
Plan    Spent Amount ($)   Daily Profit (%)
Plan 1  $1 - $500          2.20

2.5% for 14 days (135% total return)
Plan    Spent Amount ($)   Daily Profit (%)
Plan 2  $10 - $1,000       2.50

2.7% for 21 days (156.7% total return)
Plan    Spent Amount ($)   Daily Profit (%)
Plan 3  $10 - $2,500       2.70

3% daily for 60 days (280% total return)
Plan    Spent Amount ($)   Daily Profit (%)
Plan 4  $10 - $50,000      3.00

JOIN NOW https://alliexfinancial.com/?ref=flamwood
The link to alliexfinancial.com/?ref=flamwood looks very much like an affiliate link, given the close match to the spammer's email address. The target site does not appear to be malicious according to URLquery.

So, what is alliexfinancial.com? It appears to be some sort of HYIP (High-Yield Investment Program) that offers up to 3.0% return on an investment.. per day.

Are these return rates sustainable? My personal opinion is that I can't see how it would be possible.

So who is this company? The website states "Alliexfinancial Ltd is the UK registered legal international investment company" which is a bit ungrammatical. It also quotes the apparently valid phone number of +44 161 7110107 which is a Manchester number.

I was interested to find that Alliexfinancial Ltd is a registered company at Companies House in the UK:
M4 6DE
Company No. 07892518
These details match the WHOIS details of the domain precisely:

Paul Aleckson
United Kingdom
Tel: +44.1617110107
The domain was registered in December 2009, so it has been around for a little while. The website is proxied by Cloudflare, but I think that the underlying IP address is probably (i3d, Netherlands).

One problem - there's no such company listed on the Financial Services Register, although they do claim to be regulated in the UK:
Alliexfinancial Ltd activities are regulated by the United Kingdom international business authorities and complies with the United Kingdom legislation.
So, if they're not on the Register I am frankly a bit puzzled as to who their regulator is. They do not quote any reference number. However, they are not listed as being an unauthorised firm either.

One other problem - Companies House says that the company was incorporated in 2011, but the site claims they have been active for at least three years (i.e. since 2010):
For the last three years, the amount of funds managed by us has reached an enormous rate that is important to the company's growth and its stability. We are doing our best to make successful forecasts, and our traders work nearly 24 hours a day to make a more stable profit both for us and our investors. 

Perhaps this is an unregulated scheme? I'm not that much of a legal expert in these things, but I do note that the FCA has cautionary guidance on unregulated collective investment schemes (UCIS). In particular you cannot recommend a UCIS to the general public, and a spam email sent to a scraped address certainly seems to be an attempt to enrol the public into such a scheme.

So, who runs Alliexfinancial Ltd? The Companies House Director's Report [rtf] mentions a sole director, 28 year old Ukrainian national Mr Vladimer Ganaga (it's an odd transliteration, I'd have expected Vladimir Ganaga to be a more literal way of writing Владимир Ганага). Apart from an NSFW Vkontakte page there's not much verifiable information.

I'm not a financial adviser, but I certainly wouldn't invest any money in this scheme. Do you have any experiences with it? If you do, perhaps you would consider leaving a comment below (all comments are the responsibility of their owners).

Update 12/9/13: in the past couple of days the Alliexfinancial site went offline and payments to investors stopped. No surprises there!

Sunday 4 August 2013

BLDW "Building Turbines Corp" pump-and-dump spam

This illegal spam run almost definitely does not come from Building Turbines Corp (BLDW) but instead someone trying to game the system through a pump-and-dump scam.

There are lots of variations on the spam, but here are three examples:

Subject: This Stock is our New Wild Sub-Penny Pick!

Green Energy Company Signs Deal to Construct Rooftop Wind Turbines
for 90 Thousand Sq-Ft Stockroom. Building Turbines (PINKSHEETS:
BL_D_W) Concentrates on the Design and Construction of Patented
Roof Top Wind Turbines.

Current Price: .038
Short Term Target: .40
Company: Building Turbines Corp.
Date: August, 5th
Sym: BL_D_W

Renewable Power Corporation Wired To Soar Monday!


Subject: Pay Attention To Detail

Austin Company Pens Contract to Provide Roof Wind Turbines for 90K
Sq-Ft Warehouse. Building Turbines Corp. (OTC PINK: B L_D_W)
Focuses on the Design and Construction of Patented Roof Top Wind

Long Term Target: $.95
Trading Date: Monday, Aug 5, 2013
To buy: B L_D_W
Market: $.038

Ecological Power Business In Line To Ascend Next Week.


Subject: It Could Make a Rally and Soar! (Huge News Out!)

Green Energy Corporation Clinches Contract to Construct Roof
Wind Turbines for 90,000 Square Foot Stockroom. BUILDING
TURBINES, CORP. (PINKS: BL_D W) Concentrates on the Design and
Manufacture of Patented Roof Top Wind Turbines.

Short Term Target: 0.20
Trade Date: Aug, 5th
Company: Building Turbines Corp.
Latest Pricing: .038
Traded as: BL_D W

Green Energy Business Equipped To Rise Monday!!!

BLDW stock isn't really valuable, losing 88.6% of its value since the company was floated in April 2011, and it has been bouncing around the two to four cent level since the beginning of 2013. But this isn't really about the real prospects of the company, this is a straightforward attempt to manipulate the system for profit.

In the past few days, someone has bought about 2.5 million shares in the company at about 4 cents; our past analysis would indicate that this is likely to be the spammer taking up positions.

The spammers may have targeted BLDW stock on their own initiative, but the recent HAIR spam run seems to be for another party. No matter, if you take the example of HAIR then any investors who had followed the spam's fake tips would have ended up losing about 90% of their investment. I'm not saying that BLDW is going to collapse, stay afloat or whatever.. but what I am saying is that you should simply ignore BLDW stock completely because this spam run is simply an attempt at market manipulation.

Friday 2 August 2013

redwoodoptions.com "Joe Job" spam

I don't know anything about "Redwood Options" redwoodoptions.com but it seems to deal in binary options. In my personal opinion, this kind of derivative trading helped to lead to the banking collapse and should be outlawed.

Subject: For Trader
Subject: For Investor
Subject: Start Trading Now

Trade Forex, Commodities, Stocks and Indices with Up to 81% Return!
- Exclusive 60 second option
- Onetouch weekly options up to 500% return
- Up to $5000 welcome bonus

Start trading: http://www.redwoodoptions.com

That having been said, this spam run is almost definitely nothing to do with them and is instead someone trying to disrupt their (apparently lawful) business.

My advice.. ignore it and delete it.

cpro.su "Joe Job" spam run

This spam run is aimed at disrupting the underground forum cpro.su:
Subject: International carding board on new domain
Subject: Private Hacking and Carding Forum / New Domain

Welcome to Private Hacking and Carding Forum. We talking and sharing about
CVV, Paypal, Accounts, Bank Logs, Hacking Tools and Carding Tips. Newbie is
not allowed here. Do not enter if you don't know what to do...
http://cpro.su/ (*NEW domain!) 
People involved in this sort of stuff don't advertise it, but as far as I can tell cpro.su actually does deal in some unsavoury things.

What should you do about it? Nothing. The spam run will probably finish soon enough, and there's no point picking a fight with either side unless you really know what you are doing.

Malekal.com "Joe Job" spam

Update: there is a new version of this Joe Job spam, now mentioning this post in the body text (more info).

Malekal's Site is a French-language site covering malware and spam. This particular spam run (called a "Joe Job") is not from Malekal, but is instead attempting to disrupt the site. Presumably the bad guys have found something they don't like.

Here are some examples:
Subject: Trojan Fake Police
Subject: Virus Gendarmerie
Subject: Virus Gendarmerie Nationale
Subject: Trojan Ransomware

Trojan Fake Police / Virus Gendarmerie Nationale : violation de la loi
francaise http://www.malekal.com/

If you are getting these, it is because you have been flagged up via a "reverse listwashing" process as somebody who is likely to complain about spam. Reporting the originating IP of the spam email would probably be helpful, reporting malekal.com on the other hand will only help the bad guys to remove a useful resource.

MoneyGram "Payment notification email" spam / drstephenlwolman.com

This fake MoneyGram spam leads to malware on drstephenlwolman.com:

Date:      Fri, 2 Aug 2013 22:23:53 +0330 [14:53:53 EDT]
From:      "Moneygram Inc." [infusionnbb3@gmail.com]
Subject:      Payment notification email
Revenues notification email
This is an automated email - please do not reply!

Dear customer!

You are receiving this notification because of you have been received the payment.
It may take a some time for this transaction to appear in the Recent Activity list on your account page.

Transaction details

Transaction sum: 110 USD
Transaction date: 2013/08/02

View the details of this transaction online

Thank you for using MoneyGram services!

MoneyGram ® 2013
Payload is on [donotclick]drstephenlwolman.com/topic/sessions-folk-binds.php via [donotclick]new.hotelniles.com/xd2iqku.html and some intermediate scripts.

More analysis later..

Part II

OK, I have a little more time to look at this. Here is the screenshot:

Clicking the link takes you to a "ThreeScripts" page, but subtly different from previous ones, leading to scripts at:

These scripts use a ".txt" extension, presumably to fool AV scanners.

The next step is a kind of weird Javascript leading to a malware page at [donotclick]drstephenlwolman.com/topic/sessions-folk-binds.php hosted on (Nuclear Fallout Enterprises, US).

The domain in question is a hijacked GoDaddy domain. The payload is hardened against analysis. There will almost definitely be other hijacked domains hosted on this server, so blocking access to it might be a good idea.

"Your most recent payment has been processed" spam / capitalagreements.com

This fake Discover Card spam leads to malware on capitalagreements.com:

Date:      Fri, 2 Aug 2013 20:41:09 +0200 [14:41:09 EDT]
From:      Discover Card [dontrply@service.discovercard.com]
Reply-To:      dontrply@service.discovercard.com

     Access My Account
    ACCOUNT CONFIRMATION     Statements | Payments | Rewards    
    Your most recent payment has been processed.
Dear Customer,

This e-mail is to confirm that we have processed your most recent payment. Please remember to use your new information the next time you log in.

To view more details please click here.

Log In to review your account details or to make additional changes.

Please Note: If you did not make this request, please contact us immediately at 1-800-DISCOVER (1-800-347-2683).
Sign up    

Don't miss out—sign up to get exclusive offers via e-mail from Discover.

Sign Up

Facebook     Twitter     I Love Cashback Bonus Blog     Mobile

Add discover@service.discover.com to your address book to ensure delivery of these e-mails.
See ways to help identify authentic Discover e-mails by visiting our email security page.


This e-mail was sent to [redacted].

You are receiving this Discover e-mail as a confirmation of your account activity.

Log in to update your e-mail address or view your account e-mail preferences.

If you have any questions about your account, please log in to contact us securely and we will be happy to assist you.

Please do not reply to this e-mail as we are not able to respond to messages sent to this address.

DISCOVER and other trademarks, logos and service marks used in this e-mail are the trademarks of Discover Financial Services or their respective third-party owners.

Discover Products Inc.
P.O. Box 30666
Salt Lake City, UT 84130
©2013 Discover Bank, Member FDIC

The link in the email goes to a legitimate hacked site and then on to three scripts as follows:

After that, the victim is directed to the malware landing page at [donotclick]capitalagreements.com/topic/regard_alternate_sheet.php which is a hijacked GoDaddy domain hosted on (Linode, US), along with several other hijacked domains.

The attack is fundamentally the same as this American Express themed malspam run described here.

Recommended blocklist:

Thursday 1 August 2013

Olborg Ltd / ОЛЬБОРГ / o1host.net (AS57636) revisited

Update:  I am trying to verify claims that Olborg Ltd are operating a sinkhole (which is a good thing) rather than a malware server (a bad thing).

Last week I pointed out a malware site on hosted by Olborg Ltd / ООО "ОЛЬБОРГ" (AS57636) [1] [2] (website at o1host.net) and made a recommendation that admins block access to the entire block.

A polite but concerned email from a customer of Olborg with a legitimate site in that range asked if I wasn't being rather harsh to Olborg with the recommended /23 block, for just one rogue IP.

First, let me explain my rationale behind recommending larger blocks than just single IP addresses. With many web hosts (and yes, a lot of those are in Eastern Europe) the badness isn't usually restricted to one IP address. This appears to be the case with Olborg, with more than one IP looking suspicious. From the point of view of an administrator, blocking a /24 or /23 displaying these characteristics is often the safest approach.. after all, a /24 only represents 0.000006% of the total address space of the internet, but malware sites do tend to cluster.

So, what exactly is going on with Olborg? Although it has allocated to it, it only currently uses (i.e. the lower half of the range). Of those IPs there appear to be two main blocks, lower down in the range, and all seem to host legitimate sites. But further up,, and seem to be malicious. It's hardly the most evil web host in the world though, but these rogue IPs are a concern.

I had a look at all the sites I could find in this address range and analysed their WOT ratings, Google malware prognosis and SURBL status, you can find it here [csv]. The SURBL code takes a little explaining, but basically is malware, is (mostly) spam and is both. There is more explanation of that here.

The IP has been an issue for over a year [1] [2] [3] [4] although it may or may not be clean at the moment (anti-analysis techniques mean that it can be hard to be certain). Clean or not, I would certainly advise you not to send traffic to this IP.

OK. So you've read this far and somehow I have still kept you interested in Olborg Ltd. All the badness I can find is concentrated in and blocking that should keep you protected from any current potential nastiness. Alternatively, you can block the /23, but do bear in mind that there are some legitimate customers in that range too (update: and if they are running a sinkhole then there's no point blocking the /23 anyway).
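The trade-off in this post, a tight block that covers the rogue IPs versus the host's whole /23 with its legitimate customers, can be worked out mechanically from the addresses you have labelled. This added example (not code from the original post or from Olborg) computes the smallest covering prefix for the bad hosts and then the collateral for every wider prefix up to the allocation, and also evaluates the "/24 is 0.000006% of IPv4" figure; the /23, its hosts and their good/bad labels are constructed placeholders in private 10/8 space that follow only the shape described above (legitimate sites low in the range, rogue IPs further up).

```python
"""Choose a blocklist prefix that covers the rogue hosts with the least collateral.

Added example, not from the original post or from Olborg. The /23, its
hosts and their good/bad labels are constructed placeholders in private
10/8 space; only the shape of the situation (legitimate sites low in the
range, rogue IPs further up) follows the post.
"""
import ipaddress
from typing import List, Tuple

ALLOCATED = ipaddress.ip_network("10.0.0.0/23")         # placeholder for the host's /23
GOOD_HOSTS = ["10.0.0.10", "10.0.0.20", "10.0.0.130"]   # constructed legitimate sites
BAD_HOSTS = ["10.0.0.200", "10.0.0.210", "10.0.0.250"]  # constructed rogue IPs


def fraction_of_ipv4(prefixlen: int) -> float:
    """Percentage of the whole IPv4 space taken by one prefix of this length."""
    return 2 ** (32 - prefixlen) / 2 ** 32 * 100


def covering_network(ips: List[str]) -> ipaddress.IPv4Network:
    """Smallest CIDR block containing every address in ips."""
    ints = sorted(int(ipaddress.ip_address(i)) for i in ips)
    lo, hi = ints[0], ints[-1]
    prefix = 32
    # Shorten the prefix until the lowest and highest address share their network bits.
    while prefix > 0 and (lo >> (32 - prefix)) != (hi >> (32 - prefix)):
        prefix -= 1
    base = (lo >> (32 - prefix)) << (32 - prefix)
    return ipaddress.ip_network((base, prefix))


def blocklist_candidates(bad: List[str], good: List[str],
                         allocated: ipaddress.IPv4Network = ALLOCATED
                         ) -> List[Tuple[str, int, int]]:
    """Each prefix from the tight covering block up to the provider's whole
    allocation, as (network, bad hosts covered, good hosts also cut off)."""
    bad_a = [ipaddress.ip_address(b) for b in bad]
    good_a = [ipaddress.ip_address(g) for g in good]
    tight = covering_network(bad)
    if not tight.subnet_of(allocated):
        raise ValueError(f"{tight} is not inside {allocated}")
    out = []
    for plen in range(tight.prefixlen, allocated.prefixlen - 1, -1):
        net = tight.supernet(new_prefix=plen)
        out.append((str(net), sum(a in net for a in bad_a), sum(a in net for a in good_a)))
    return out


if __name__ == "__main__":
    print(f"a /24 is {fraction_of_ipv4(24):.6f}% of IPv4")
    for net, hit, collateral in blocklist_candidates(BAD_HOSTS, GOOD_HOSTS):
        print(f"{net:<16} covers {hit} bad, cuts off {collateral} legitimate")
```

With the constructed data the tight /26 catches all three rogue hosts and no legitimate ones, while widening to the /23 cuts off every legitimate site as well.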

Pump and dump spam flogs a dead horse with Biostem U.S. Corporation (HAIR)

About a month-and-a-half ago I had a look at the pump-and-dump spam promoting Biostem U.S. Corporation (HAIR) when it was trading at around $0.30.

Surprisingly, the pump-and-dump spam is still ongoing which will make it nearly two months of spam on one single stock..

This Company Will Make an Impressive Recovery! It is the answer
to your portfolio troubles!

Date: August 1st
Long Term Target: .85
Per share price: .035
Ticker: HAI_R
Name: Biostem Corp.

You might want to sit down before reading this... Stocks To
Look At!

So, out of curiosity I schlepped across to look at their stock price and was slightly surprised to see that it has lost around 90% of its value since the spam run started. What happened? Well, on 19th July the stock price fell off a cliff when rather predictably Biostem announced that it was shutting up shop, and looking at news reports there seems to be little chance of recovery.

But now with shares bouncing along at around the 3 to 4 cents mark the pump-and-dump seems to be continuing, and since the collapse it appears that around 9.6 million shares have been traded, which is about 8.4% of the total equity. At today's prices those shares are worth about $336,000. A little over a year ago, on May 28th 2012, Biostem stock peaked at $439 per share, at close of business yesterday they were just 3.5 cents.. a 99.2% drop. Somebody has certainly taken a haircut on these stocks..

Wednesday 31 July 2013

"Documento importante : 5039403 !!" spam / Planilha-Documento.docx_.rar

This terse Portuguese language spam has a malicious attachment:

From:     Adriane Camargo. [adriane@yahoo.com.br]
Date:     29 July 2013 20:59
Subject:     Documento importante : 5039403 !!

Arquivo : DC-59KDJF994J3K303940430DJJRI8.rar ( 173,4 KB)

The link in the email goes through a legitimate hacked site and then downloads a RAR file from [donotclick]www.equilibrionutriesportiva.com.br/site/wp-admin/network/icons/equilib/fing3234/Planilha-Documento.docx_.rar which has a VirusTotal detection rate of 17/46 and is identified as a trojan downloader.

According to Anubis, the malware then attempts to download additional components from [donotclick]www.equilibrionutriesportiva.com.br/site/wp-admin/network/icons/equilib/fing3234/ie.exe but this seems to generate a 403 error.

Other analyses are pending. Update: here is an analysis from Comodo CAMAS.

Tuesday 30 July 2013

Facebook spam / deltaoutriggercafe.com

These guys are busy. This fake Facebook spam leads to malware on deltaoutriggercafe.com:

Date:      Tue, 30 Jul 2013 15:05:25 -0500 [16:05:25 EDT]
From:      Facebook [no-reply@facebook.com]
Subject:      Issac Dyer wants to be friends with you on Facebook.

Issac Dyer wants to be friends with you on Facebook.
University of Houston, Victoria
342 friends - 28 photos
Confirm Request
See All Requests
This message was sent to [redacted]. If you don't want to receive these emails from Facebook in the future, please click: unsubscribe.
Facebook, Inc. Attention: Department 415 P.O Box 10005 Palo Alto CA 94303
I don't know about you, but I think Isaac looks a bit like a girl.

Predictably, clicking on the link in the email leads to a legitimate hacked site and then the same redirector scripts found in this spam run. However, in this case the target has now changed to [donotclick]deltaoutriggercafe.com/topic/able_disturb_planning.php which is hosted on (Linode, US) along with a whole bunch of other similar domains that have been hijacked from GoDaddy.

Recommended blocklist:

eBay "ready to get started? Here’s how." spam / deltamarineinspections.net

There is currently an eBay-themed "ready to get started? Here's how" spam run active, effectively almost the same as this one, except this time there is a new set of intermediate scripts and payload page. The three scripts involved are:


..leading to a payload page at [donotclick]deltamarineinspections.net/topic/able_disturb_planning.php on (Linode, US). The domains in use are hijacked from a GoDaddy account and belong to the same poor sod that lost control of the ones here.

Recommended blocklist:

"Your password on Pinterest was Successfully modified!" spam / onsayoga.net

This fake Pinterest spam leads to malware on onsayoga.net:

Date:      Tue, 30 Jul 2013 11:17:28 -0500 [12:17:28 EDT]
From:      Pinterest [caulksf8195@customercare.pinterrest.net]
Subject:      Your password on Pinterest was Successfully modified!

A Few Updates...

Changing your password is complete. Please use the link below within 24 hours. reset. Receive New Password to email.
Ask for a New Password  
Pinterest is a tool for collecting and organizing things you love.

This email was sent to [redacted].
Don’t want activity notifications? Change your email preferences.

©2013 Pinterest, Inc. | All Rights Reserved
Privacy Policy | Terms and Conditions

The link goes through a legitimate hacked site and then on to [donotclick]www.pinterest.com.onsayoga.net/news/pinterest-paswword-changes.php (report here) which is hosted on the following IPs: (Megalan EAD, Bulgaria) (Ximbo / CPCnet, Hong Kong) (Razor Inc, US)

These IPs are controlled by this gang and form part of this large network of malicious IPs and domains. I recommend you use that list in conjunction with blocking onsayoga.net.