Dynamoo's Blog

Monday 22 July 2013

American Airlines spam / sai-uka-sai.com

This fake American Airlines spam leads to malware on www.aa.com.reservation.viewFareRuleDetailsAccess.do.sai-uka-sai.com:

From:     American.Airlines@aa.net
Date:     22 July 2013 17:22
Subject:     AA.com Itinerary Summary On Hold

Dear customer,

Thank you for making your travel arrangements on AA.com! Your requested itinerary is now ON HOLD. Details below.

To ensure that your reservation is not canceled you must complete the purchase of this reservation by clicking the “Purchase” button on this email, or by using the “View/Change Reservations” section on www.aa.com.

left corners         left corners

This reservation is on HOLD until July 22, 2013 11:59 PM CDT (Central Daylight Time) .

Record Locator: LEBBGM             Purchase

left corners         left corners

Passengers

   Isabella Green

NOTE: This is not a ticket or electronic receipt

Carrier Flight
Number Departing Arriving Cabin

Booking Code Seats Meals

City Date & Time City Date & Time

AMERICAN AIRLINES OPERATED BY AMERICAN EAGLE AIRLINES 2879 SPS Wichita Falls July 24, 2013 10:50 AM DFW Dallas/ Fort Worth July 24, 2013 11:43 AM Economy

M 32A Food For Purchase

AMERICAN AIRLINES 1795 DFW Dallas/ Fort Worth July 24, 2013 12:35 PM IAH Houston July 24, 2013 01:43 PM Economy

M 23A

AMERICAN AIRLINES 1690 IAH Houston July 26, 2013 02:20 PM DFW Dallas/ Fort Worth July 26, 2013 03:35 PM Economy

M 20C

AMERICAN AIRLINES OPERATED BY AMERICAN EAGLE AIRLINES 3294 DFW Dallas/ Fort Worth July 26, 2013 04:20 PM SPS Wichita Falls July 26, 2013 05:10 PM Economy

M 27B Food For Purchase

  Fare Summary

Average Fare per Person - 444.00 USD

Passenger Type Used in Pricing Fare per Person Additional Taxes and Fees per Person Total Price

1 Adult 442.90 USD 34.25 USD 490.95 USD

Total Price 495.49 USD

  Merchandising Summary

Flight Number Seat Number Seat Price Taxes Total Price

2879 0.00 USD 0.00 USD 0.00 USD

1795 14.00 USD 1.05 USD 15.05 USD

1690 14.00 USD 1.05 USD 15.05 USD

3294 0.00 USD 0.00 USD 0.00 USD

Total Price 30.10 USD

Please note the following:
• View Fare rules.
• Fares are only guaranteed up to 24 hours.
• Additional foreign taxes may apply.
• Additional fees may also apply for tickets not purchased through AA.com.

This is not the itinerary receipt that is required for identification purposes at the airport check-in. That receipt will be furnished upon purchase of this reservation.

In order to proceed to your gate you must present a government issued photo I.D. and either your boarding pass or a priority verification card at the screening security checkpoint.

If you are not a resident of the U.S., U.K., Canada or select countries in Latin America and the Caribbean, tickets must be purchased at an American Airlines ticketing location/airport, or by calling an American Airlines International Reservations office. Flights booked on carriers other than American Airlines, American Eagle® or AmericanConnection® are on a request basis only.

You've got payment options at AA.com! Make your dream vacation come true with the Fly Now Payment Plan, speed through checkout with PayPal, or use electronic checks to pay directly from your checking account. You can also pay in cash at participating Western Union locations or use a credit/debit card. Available payment options may vary by country.

The link in the email goes through a legitimate hacked site and ends up on a malware landing page at [donotclick]www.aa.com.reservation.viewFareRuleDetailsAccess.do.sai-uka-sai.com/news/american-airlines-hold.php (report here) hosted on the following IPs:

50.97.253.162 (Softlayer, US)
95.111.32.249 (Megalan / Mobitel EAD, Bulgaria)
188.134.26.172 (Perspectiva Ltd, Russia)
209.222.67.251 (Razor Inc, US)

The WHOIS details for that domain are the characteristically fake ones associated with this gang:
        Michael Fenwick freehotjob@yahoo.com
        21 Fredricksburg Court
        State College
        PA
        16803
        US
        Phone: +1.8144411445

Recommended blocklist:
50.97.253.162
95.111.32.249
188.134.26.172
209.222.67.251
aa.com.reservation.viewfareruledetailsaccess.do.sai-uka-sai.com
allgstat.ru
autorize.net.models-and-kits.net
ciriengrozniyivdd.ru
cirormdnivneinted40.ru
clik-kids.com
condalnua745746.ru
cpa.state.tx.us.tax-returns.mattwaltererie.net
driversupdate.pw
ehchernomorskihu.ru
ehnaisnwhgiuh29.net
ehnihenransivuennd.net
ehnihujasebejav15.ru
eliroots.ru
epackage.ups.com.shanghaiherald.net
ergopets.com
erminwanbuernantion20.net
ermitirationifyouwau30.net
estateandpropertty.com
firefoxupd.pw
firerice.com
fulty.net
gamnnbienwndd70.net
gebelikokulu.net
generationpasswaua40.net
gnanosnugivnehu.ru
gondamtvibnejnepl.net
greenleaf-investment.net
housesales.pl
irs.gov.tax-refunds.ach.treehouse-dreams.net
klwines.com.order.complete.prysmm.net
linkedin.com-update-report.taltondark.net
marriott.com.reservation.lookup.motobrio.net
marriott.com.reservation.lookup.viperlair.net
microsoftnotification.net
mifiesta.ru
motobrio.net
mycanoweb.com
onemessage.verizonwireless.com.verizonwirelessreports.com
package.ups.com.shanghaiherald.net
pagebuoy.net
pass-hc.com
privat-tor-service.com
prysmm.net
quipbox.com
rentipod.ru
safebrowse.pw
sai-uka-sai.com
sartorilaw.net
sendkick.com
shanghaiherald.net
taltondark.net
tax-returns.gov.cpa.state.us.gebelikokulu.net
tor-connect-secure.com
treehouse-dreams.net
tvblips.net
twitter.com.greenleaf-investment.net
verizonwirelessreports.com
viperlair.net
vip-proxy-to-tor.com
vitans.net

OVH Hacked

A bad thing to happen, but kudos to OVH for being transparent about this issue:

Hello,

A few days ago, we discovered that the security of our internal network at our offices in Roubaix had been compromised. After internal investigations, it appeared that a hacker was able to obtain access to an email account of one of our system administrators. With this email access, they was able to gain access to the internal VPN of another employee. Then with this VPN access, they was able to compromise the access of one of the system administrators who handles the the internal backoffice.

Until then, internal security was based on 2 levels of verification:
- Geographical: required to be in the office or to use the VPN, i.e.: the IP source
- Personal: password

Measures taken following this incident
---------------------------------------

Immediately following this hack, we changed the internal security rules:
- Passwords of all employees were regenerated for all types of access.
- We set up a new VPN in a secure PCI-DSS room with highly restricted access
- Consulting internal emails is now only possible from the office / VPN
- All those who have critical access now have 3 verification levels:
- Ip source
- Password
- Staff's USB security token (YubiKey)

Findings
-------

After our internal investigation, we assume that the hacker exploited the access to achieve two objectives:
- Recover the database of our customers in Europe
- Gain access to the installation server system in Canada

The European customer database includes personal customer information such as: surname, first name, nic, address, city, country, telephone, fax and encrypted password.
The encryption password is "Salted" and based on SHA-512, to avoid brute-force attacks. It takes a lot of technical means to find the word password clearly. But it is possible. This is why we advise you to change the password for your user name. An email will be sent today to all our customers explaining these security measures and inviting them to change their password.
No credit card information is stored at OVH. Credit card information was not viewed or copied.

As for the server delivery system in Canada, the risk we have identified is that if the client had not withdrawn our SSH key from the server, the hacker could connect from your system and retrieve the password stored in the .p file. The SSH key is not usable from another server, only from our backoffice in Canada . Therefore, where the client has not removed our SSH key and has not changed their root password, we immediately changed the password of the servers in the BHS DC to eliminate an risk there. An email will be sent today with the new password. The SSH key will be systematically deleted at the end of the server delivery process in both Canada and Europe. If the client needs OVH for support, a new SSH key will need to be reinstalled.

Overall, in the coming months the back office will be under PCI-DSS which will allow us to ensure that the incident related to a specific hack on specific individuals will have no impact on our databases. In short, we were not paranoid enough so now we're switching to a higher level of paranoia. The aim is to guarantee and protect your data in the case of industrial espionage that would target people working at OVH.

We also filed a criminal complaint about this to the judicial authorities. In order not to disrupt the work of investigators, we will not give other details before the final conclusions.

Please accept our sincere apologies for this incident. Thank you for your understanding.

Regards,

Octave

ygregistryltd.net / "Huasheng Ltd" domain scam

This is the same scam as this, this and this. Avoid.

From:    Jim Wang [jim.wang@ygregistryltd.net]
Date:    22 July 2013 15:29
Subject:    Regarding Asia/Cn/Hk domain name & Internet Keyword

Dear Manager,

(If you are not the person who is in charge of this, please forward this to your CEO,Thanks)

This email is from China domain name registration center, which mainly deal with the domain name registration in China and Asia. We received an application from Huasheng Ltd on July 22, 2013. They want to register " [redacted] " as their internet keyword and China/Asia/Hongkong (CN/ASIA/HK) domain names. But after checking it, we find this name conflicts with your company. In order to deal with this matter better, so we send you email and confirm whether this company is your distributor or business partner in China or not?

Best Regards,

Jim
General Manager
Shanghai Office (Head Office)
3002, Nanhai Building, No. 854 Nandan Road,
Xuhui District, Shanghai 200070, China
Tel: +86 216191 8696
Mobile: +86 1870199 4951
Fax: +86 216191 8697
Web: www.ygregistryltd.net

Note, all these domains are on the same server and can be considered scammy:
ygregistryltd.com
yg-registry.cn
ygregistry.cn
ygregistryltd.net

David Cameron's porn block - how will it work?

This government likes its half-baked ideas, and David Cameron's attempt to bring in mandatory porn blocking in the UK seems to be one of those daft ideas. Yes, ISPs should offer blocking if people want it.. and perhaps they should be made to offer it by law. But there are a number of concerns which are well addressed by this New Statesman article.

Leaving aside the moral debate and the questions over who decides what, there is the tricky question of how ISPs would actually block access to porn.

DNS filtering

The simplest and quickest way to block it is to use DNS filtering. ISPs can simply set their DNS servers to not resolve adult sites. You can do this sort of thing with OpenDNS already. The advantages is that this is fairly easy to implement and it doesn't cause any latency in web traffic. The disadvantage from the point of view of censoring is that it is trivially easy to bypass, simpy change your DNS provider to one that doesn't block sites or access the porn sites through their IP address only where they have dedicated servers (most big sites do).

Of course, if people bypass the DNS filtering by using non-ISP DNS filters, ISPs could then firewall all outbound DNS requests. But that would interfere with people's freedom to use Google or OpenDNS or other DNS providers if they want.

Deep Packet Inspection

A more sophisticated approach is to inspect every packet and determine where it is going. This should block sites even if the customer has chosen different DNS settings, and it can pick up and negate a lot of common attempts to bypass filters. But this sort of thing is slow and expensive, ISPs would need to pass on the costs to consumers and the added latency of filtering would make web surfing slower. Many businesses use a form of this to protect their corporate network already, but they are prepared to put up with the downsides for the additional protection.

You could still use a proxy, VPN or Tor to get around it. And HTTPS screws some elements of DPI because it is encrypted, there are ways around that but they are extremely messy and had many drawbacks.

And of course there's the privacy issue. If ISPs are slurping all your data to this level then who has access to it? Supporters of DPI may we have a hidden agenda.

IP address blocking

Instead of blocking domains, IP addresses hosting pornography can be blocked. That's a pretty quick and easy solution too, but it means that anything on shared hosting with "adult" content could lead to every other site on that IP being blocked too.. There would be a lot of legitimate sites blocked as a result.

Anti-circumvention

ISPs could use a combination of the above to stop traffic. But it is relatively easy to use a proxy or VPN connection, but the next logical step would be to go to war with providers of these services too. It is very difficult to stop people finding ways around blocks. And remember, we're not talking about illegal material here.. we're talking about perfectly legal material which is blocked by default.

So, in my opinion this approach will have the drawbacks of being a combination of ineffective, expensive and slow. More needs to be done to protect children from accidentally accessing material that they shouldn't have access to (and please could we include malware with that?), but this half-baked approach has the potential to be an expensive fiasco.

Saturday 20 July 2013

Verizon Wireless "Data Usage Overage Alert" / verizonwirelessreports.com

This fake Verizon email leads to malware on the domain onemessage.verizonwireless.com.verizonwirelessreports.com:

Date:     Fri, 19 Jul 2013 10:48:31 -0500 [11:48:31 EDT]
From:     Verizon Wireless [VZWMail@e-marketing.verizonwireless-mail.net]
Subject:     Data Usage Overage Alert

Important Information About Your Account.      View Online
verizon wireless    Explore    Shop    My Verizon    Support

Important Information About Your Data Usage

Your account has used your data allowance for this month and you may now be billed overage charges. Your monthly data allowance will reset on the 20th.

Run an Account Analysis in My Verizon to analyze your recent months' data usage and review your plan options.

Don't forget, you can also manage your alert settings in My Verizon including adding recipients and opting out of specific alerts.
Thank you for choosing Verizon Wireless.

Details as of:
[redacted]

07/19/2013 02:15 AM EDT


We respect your privacy. Please review our privacy policy for more information
about click activity with Verizon Wireless and links included in this email.

This email was sent to [redacted];

ID: [redacted]

The link in the email goes through a legitimate hacked site and ends up on a malware landing page at [donotclick]onemessage.verizonwireless.com.verizonwirelessreports.com/news/verizon-bill.php (report here) hosted on:

172.255.106.126 (Nobis Technology Group, US / Creative Factory Beijing, China)
188.134.26.172 (Perspectiva Ltd, Russia)

The domain verizonwirelessreports.com is fake and was recently registered to an anonymous person. However, given the IPs and associated domains then this is clearly the work of this gang
.
Blocklist:
172.255.106.126
188.134.26.172
verizonwirelessreports.com
firerice.com
onemessage.verizonwireless.com.verizonwirelessreports.com
package.ups.com.shanghaiherald.net
epackage.ups.com.shanghaiherald.net
vitans.net
www.klwines.com.order.complete.prysmm.net
prysmm.net
shanghaiherald.net

Friday 19 July 2013

whoswhonetworkonline.com spam

This turd of an email was sent to an info@ email address on a domain I own. It appears to be a classic Who's Who scam.

From:    Who's Who [cpm2@contactwhoswho.us]
Reply-To:    databaseemailergroup@gmail.com
date:    19 July 2013 05:44
subject:    You were recently nominated into Who's Who Amoung Executives

Who's Who Network Online

Hello,

As you are probably aware, in the last few weeks, we at the Who's Who Among Executives and Proefssionals have reached out to several hundred individuals for placement in our upcoming 2013 edition of our directory. You were contacted, but we did not receive any of your biographical information. We would like to give you another opportunity to do so.

The publication's editors are now assembling the biographical profiles of today's leaders from the business world into one comprehensive source. Thousands of researchers at medical, academic, public and corporate libraries, as well as journalists and media professionals, rely upon the academic registry as a daily reference tool for obtaining information about the world's most experienced men and women at the C-Level in the private and public sectors. Inclusion in the publication is considered by many as a signal mark of achievement.

To be included in this prestigious publication, you need only provide the requested information by completing our online biographical data form. Please Click Here to fill out your form.

The information you provide will be evaluated according to the selection standards that the NAPN have developed over many years as the world's premier biographical compiler. If your data passes our initial screening, we will prepare your biography and send you a pre-publication proof for your verification and approval.

I congratulate you on the achievements that have brought your name to the attention of our editorial committee. We look forward to hearing from you.

Please remember: Inclusion of your biography in the Who's Who Registry carries neither cost nor commitment to you of any sort. Our continuing mission with each new edition is to prepare a biographies spanning the spectrum of noteworthy and accomplished men and women across all areas of the professional world.

                                             FILL OUT FORM HERE

Who's Who Network Online
2280 Grand Avenue, Baldwin, NY 11510

------------------------------------------

This email is intended only for the recipient(s) and is private.
If you receive our invitation in error please reply with unsubscribe in the subject line

Clicking on the link takes you to whoswhonetworkonline.com hosted on 66.11.129.87 (Stafford Associates Computer Specialists Inc., New York). The WHOIS details are hidden.

There's no clue anywhere on the site or in the email about who is behind the spam. There is no corporation in New York with the exact name "Who's Who Network Online" although there are several similar sounding entities.

However, there are some clues in the headers of the email that link it through to another recent and similarly-themed spam.

Received: from cpm2@contactwhoswho.us by [redacted] by uid 1002 with qmail-scanner-1.22
( Clear:RC:0(192.217.104.157):.
Processed in 0.464627 secs); 19 Jul 2013 04:45:09 -0000
Received: from unknown (HELO whowho4.servername.com) (192.217.104.157)
by [redacted] with SMTP; 19 Jul 2013 04:45:08 -0000
Received: from c-174-58-75-1.hsd1.fl.comcast.net ([174.58.75.1]:58694 helo=susie-HP.hsd1.fl.comcast.net.)
    by whowho4.servername.com with esmtpsa (TLSv1:DHE-RSA-AES256-SHA:256)
    (Exim 4.80.1)
    (envelope-from )
    id 1V02Z1-0000pJ-QW
    for [redacted]; Fri, 19 Jul 2013 08:45:08 +0400
Content-Type: multipart/alternative; boundary="===============0491393293=="

The email originates from a Comcast IP address of 174.58.75.1 in West Florida, and then routes through a server at 192.217.104.157 (NTT America) which has the hostname contactwhoswho.us which is consistent with the cpm2@contactwhoswho.us sender's address. So, who is contactwhoswho.us?

Registrant Name:                Darin Delia
Registrant Address1:            1321 Henry Ave
Registrant City:                Spring Hill
Registrant State/Province:      Florida
Registrant Postal Code:         34608
Registrant Country:             United States
Registrant Country Code:        US
Registrant Phone Number:        +1.5615964330
Registrant Email:               darindelia@gmail.com
Registrant Application Purpose: P1
Registrant Nexus Category:      C11

Darin Delia's address is also West Florida (although some way from the theoretical location of the IP address). Darin Delia appears to be the same person who was sending out Spotlite Radio spam. Is Mr Delia merely a contractor sending out an email blast, or is he responsible for this so-called "Who's Who" outfit. I have no evidence one way or the other, but it seems he does have some sort of association with whoever is running these things..

Thursday 18 July 2013

K&L Wine Merchants (KLWines.com) spam / prysmm.net

This fake K&L Wine Merchantsm spam email leads to malware on www.klwines.com.order.complete.prysmm.net:

Date:     Thu, 18 Jul 2013 05:57:28 -0800
From:     drowsedl04@inbound.ups.net
CC:
Subject:     Your K&L order #56920789 is complete

Hello from K&L Wine Merchants -- www.KLWines.com

Just wanted to let you know that your order (#56920789) is complete.

Additional comments for this order: Ship Fri. 7/19

The following items are included in this order:

------------------------------------------------------------------
Item                               Price Shipped    Subtotal
------------------------------------------------------------------

2009 Whitehall Lane Napa          $32.99     1        $32.99
     Valley Cabernet Sauvignon

2007 Friggiali Brunello di        $28.99     2        $57.98
     Montalcino

2010 Columbia Crest "H3"          $10.99     2        $21.98
     Horse Heaven Hills Washington
     Cabernet Sauvignon

2010 Seven Hills Columbia         $19.99     1        $19.99
     Valley Cabernet Sauvignon

2010 Bonaccorsi "Fiddlestix       $44.99     1        $44.99
     Vineyard" Sta. Rita Hills
     Pinot Noir

2010 Melville "Estate" Santa      $25.99     1        $25.99
     Rita Hills Pinot Noir

2007 La Fortuna Brunello di       $38.99     1        $38.99
     Montalcino

------------------------------------------------------------------
                Item Subtotal:    $247.91
                          Tax:      $0.00
          Shipping & Handling:     $67.18
                        Total:    $315.09

The shipping method for this order is UPS 2-Day, being sent to:

        Matthew Wright
        4025 sunset city plaza
        garden city, DC 13375 USA


The tracking number for this shipment is 1Z474482A140261050.
Please visit the freight carrier's site for exact shipping pickup and dropoff dates, by clicking on the link below. You may have to copy the link and paste it into your browser.
http://wwwapps.ups.com/etracking/tracking.cgi?TypeOfInquiryNumber=T&InquiryNumber1=1Z474482A140261050

To see the latest information about your order, visit "My Account" at http://www.klwines.com/account.asp. "My Account" lets you manage your orders online by giving you the ability to do the following:

* See your order status
* Change your e-mail address or password
* Update your billing and shipping information for future orders

You can also reach "My Account" by clicking on the link on the top of any page on our Web site.

If you need to get in touch with us about your orders, contact us via Contacts page.

Thank you for shopping at klwines.com -- we appreciate your business.

---------------------------------------------------------------------
K&L Wine Merchants
"Internet's Best Wine Site" -- Money Magazine
questions@klwines.com             http://www.klwines.com/
---------------------------------------------------------------------

The link in the email goes through a legitimate hacked site and ends up on a malware page at [donotclick]www.klwines.com.order.complete.prysmm.net/news/order-information.php (report here) hosted on:

50.97.253.162 (Softlayer, US)
59.126.142.186 (Chungwa Telecom, Taiwan)
203.236.232.42 (KINX, Korea)
209.222.67.251 (Razor Inc, US)

The fake WHOIS details mark this out as belonging to the Amerika gang.

   Matamoros, Grace freehotjob@yahoo.com
   6805 Laredo
   Houston, TX 77020
   US
   8322897755

Recommended blocklist:
50.97.253.162
59.126.142.186
203.236.232.42
209.222.67.251
autorize.net.models-and-kits.net
clik-kids.com
condalnua745746.ru
cpa.state.tx.us.tax-returns.mattwaltererie.net
ehnihenransivuennd.net
epackage.ups.com.shanghaiherald.net
erawppa.com
ermitirationifyouwau30.net
estateandpropertty.com
firerice.com
fulty.net
gebelikokulu.net
generationpasswaua40.net
gondamtvibnejnepl.net
greenleaf-investment.net
irs.gov.tax-refunds.ach.treehouse-dreams.net
klwines.com.order.complete.prysmm.net
linkedin.com-update-report.taltondark.net
m.krasalco.com
marriott.com.reservation.lookup.motobrio.net
marriott.com.reservation.lookup.viperlair.net
microsoftnotification.net
motobrio.net
mycanoweb.com
pass-hc.com
prysmm.net
quipbox.com
sendkick.com
taltondark.net
tax-returns.gov.cpa.state.us.gebelikokulu.net
treehouse-dreams.net
tvblips.net
twitter.com.greenleaf-investment.net
viperlair.net
vitans.net

primrose.co.uk hacked, email addresses compromised

Garden accessory primrose.co.uk has been hacked, and email addresses stored in their system are being abused for phishing purposes:

From:    paypal.co.uk [service@paypal.co.uk]
Date:    18 July 2013 11:01
Subject:    We cannot process your payment at this time.


Dear,

We need your help resolving an issue with your account.To give us time to work together on this, we've temporarily limited what you can do with your account until the issue is resolved.
we understand it may be frustrating not to have full access to your PayPal account.We want to work with you to get your account back to normal as quickly as possible.
What's the problem ?

It's been a little while since you used your account.For reasons relating to the safe use of the PayPal service we need some more information about your account.

Reference Number: PP-001-278-254-803

It's usually quite straight forward to take care of these things.Most of the time, we just need some more information about your account or latest transactions.

1.
    Download the attached document and open it in a browser window secure.
2.
    Confirm that you are the account holder and follow the instructions.

Yours sincerely,
PayPal


Copyright 2013 PayPal. All rights reserved PayPal Email ID PP1589

The attached form Account Information-Paypal.html is basically a phishing page, pulling content from www.thesenddirect.com (62.149.142.113 - Aruba, Italy) and submitting the data to www.paypserv.com (62.149.142.152 - also Aruba). The WHOIS details are no doubt fake are are respectively:

Saunders, John Alan mahibarayanlol@gmail.com
4 The Laurels off Oatland Close Botley, 4
Southampton, GB SO322EN
IT
+39.447885623455

----------

Clarke, Victoria johanjo1010@gmail.com
Innex Cottage Ropers Lane, 754
Wrington, GB BS405NH
IT
+39.441934862064

Primrose.co.uk were informed of the breach on 4th July and told me that IT were investigating, but as I haven't heard anything back and customers haven't been notified then I will assume they did not find anything.

Of note is that the spam email does not address customers by name, so it is possibly only email addresses that have been leaked. Also, passwords do not appear to be kept in plaintext which is good. Without further information from primrose.co.uk it is impossible to say if any financial data has been compromised.

Wednesday 17 July 2013

02086 547426 "PC Wizard" tech support scam

Just a quick one.. some Indian scammers routing through a UK number 02086 547426 (02086547426) and purporting to be from a company "PC Wizard" just called and tried to convince me that something was wrong with my PC.

I'll do a write up later.. but in the mean time their MO is to get you to look at your Event Viewer for errors (there are always) errors, and then visit ammyy.com to run some remote control software. DO NOT LET THEM DO THIS!

Update:
I know this type of scam is quite common, and ammyy.com even admits that it is often abused in this way. There was a degree of sophistication here though in that they had a close approximation of my wife's name and we have an unlisted telephone number.

There were two operatives, the first one handles the initial part of the call and makes you open up your Event Viewer to look for errors and warnings (there are always some of those) and then warns you not to open the warnings or you will damage the computer. Operative number one had an Indian accent and sounded like they were coming in over a voice-over-IP connection.

Once they have you hooked, you get connected to a second Indian operator who attempts to connect to your computer with the ammyy.com remote control software. In this case it was operator 6070592.

After mucking the operator around for 20 minutes I confronted them with what they were doing. He was unapologetic and full of bullshit, and was still trying to connect to my machine.

Of course, the whole thing is a scam. I don't have a support contract for my version of Windows, the errors in my Event Viewer were harmless.. but if I had let the operator take control of my machine then he could have installed any sort of malware on it, or trashed the machine and then charge me a fortune to fix it.

I've been working in the IT field for almost 25 years and frankly it was obvious in the first few seconds that this was a scam. But for a naive user it might seem credible. If (like me) you end up doing tech support for your relatives, it might be a good idea to edit the PC's hosts file to block ammyy.com and www.ammyy.com:

0.0.0.0     ammyy.com

0.0.0.0     www.ammyy.com

"Houston Marriott Westchase Reservation Confirmation" spam / marriott.com.reservation.lookup.viperlair.net

This fake Marriott spam leads to malware on marriott.com.reservation.lookup.viperlair.net:

Date:     Wed, 17 Jul 2013 05:12:22 -0800 [09:12:22 EDT]
From:     Marriott Hotels & Resorts Reservation [reservations@clients.marriottmail.org]
Reply-To:     reservations@clients.marriottmail.org
Subject:     Houston Marriott Westchase Reservation Confirmation #86903601

Marriott Hotels & Resorts Houston Marriott Westchase 2900 Briarpark Dr.,
Houston, Texas 77042 USA Phone: 1-713-978-7400 Fax: 1-713-735-2726

Reservation for [redacted]

    Confirmation Number: 86903601
    Check-in: Sunday, July 21, 2013 (03:00 PM)
    Check-out: Wednesday, July 24, 2013 (12:00 PM)

    Modify or Cancel reservation

View View hotel website
Maps Maps & Transportation

Reservation Confirmation
Dear Client,

We are pleased to confirm your reservation with Marriott. Below is a summary of your booking and room information. We look forward to making your stay gratifying and memorable. When you're traveling away from home you can always count on Marriott.

Houston Marriott Westchase

Planning Your Trip

    See what's happening in Houston during your stay
    Check out some of Houston's top attractions

    Book with Hertz: Save up to 35% and Earn 500 Rewards Points
    Book Cars, Tours & More - get great rates on local tours and attractions

Reservation Details

    Confirmation Number: 86903601
    Your hotel: Houston Marriott Westchase
    Check-in: Sunday, July 21, 2013 (03:00 PM)
    Check-out: Wednesday, July 24, 2013 (12:00 PM)
    Room type: Guest room, 1 King or 2 Queen
    Number of rooms: 1
    Guests per room: 1
    Guest name: Jesus Bell
    Reservation confirmed: Wednesday, July 16, 2013 (21:55:00 GMT)
    Guarantee method: Credit card guarantee, VISA

Special request(s):

    •2 Queen Beds, Guaranteed
    •High Floor Room, Request Noted
    •I.D. Required, Request Noted

Summary of Room Charges     Cost per night per room (USD)
Sunday, July 21, 2013 - Wednesday, July 24, 2013 ( 3 nights=20 )     109.43
Govt/military rate, federal government ID required
Estimated government taxes and fees     18.53
Total for stay (for all rooms)     469.89

    Complimentary on-site parking
    Valet parking, fee: 14 USD daily
    Changes in taxes or fees implemented after booking will affect the total room price.

You may modify or cancel your reservation online (see details below), or call our worldwide telephone numbers.

Contact us if you have questions about your reservation.
Canceling Your Reservation

    You may cancel your reservation for no charge until Friday, July 19, 2013 (1 day[s] before arrival).

    Please note that we will assess a fee of 127.53 USD if you must cancel after this deadline.

    If you have made a prepayment, we will retain all or part of your prepayment. If not, we will charge your credit card.

Modifying Your Reservation

    Please note that a change in the length or dates of your reservation may result in a rate change.
    Please be prepared to show proof of eligibility for your rate (such as a membership card, corporate or government identification card, or proof of your age).

Rewards Account Information
http://www.marriott.com/Images/email/rewards/logos/Silver_28x142.gif
Your Rewards level: Silver
Your Rewards number: 642268841

As a Silver Elite member, you can enjoy the following benefits during your stay (may vary by hotel):
20% Bonus on your Marriott Rewards base points
Priority Late Checkout
Guaranteed Room Type

Sign in to view account

    Sign up for eFolio to receive your hotel bill by email after each stay in the USA and Canada.
    Plan events, earn rewards with Rewarding Events.

50,000 Bonus Points
50,000 Bonus Points

Earn 50,000 Bonus Points and an Annual Free Night with No Annual Fee the First Year. More Rewards, Faster with the Marriott Rewards Premier Credit Card.

Learn More and Apply

Travel Alerts

    Download the Marriott Mobile App. The Perfect Travel CompanionTM
    Please Note: All Marriott hotels in the USA and Canada, are committed to a smoke-free policy.
    Learn more
    The Responsible Tourist and Traveler
    A practical guide to help you make your trip an enriching experience

Look No Further
You've received the best possible rate - guaranteed.

Privacy, Authenticity and Opting Out

Your privacy is important to us. Please visit our Privacy Statement for full details.

This email confirmation is an auto-generated message. Replies to automated messages are not monitored. Our Internet Customer Care team is available to assist you 24 hours per day, 7 days per week. Contact Internet Customer Care.

Promotional email unsubscribe

If you provided us with your email address for the first time, we will send you a follow-up email to welcome you. We will also send you periodic emails with information about your account balance, member status, special offers and promotions. An opt-out link will be included in each of these emails so that you can change your mind at any time.
If you would prefer to opt out of such emails from Marriott International, Marriott Rewards or The Ritz-Carlton Rewards, you may do so here. In addition, you may unsubscribe from The Ritz-Carlton email community here

Please note: Should you unsubscribe from promotional email, we will continue to send messages for transactions such as reservation confirmation, point redemption, etc.

Confirmation Authenticity

We're sending you this confirmation notice electronically for your convenience. Marriott keeps an official record of all electronic reservations. We honor our official record only and will disregard any alterations to this confirmation that may have been made after we sent it to you.

If you have received this email in error, please let us know.
Terms of Use::Internet Privacy Statement

©1996-2013 Marriott International, Inc. All rights reserved. Marriott proprietary information.

The link in the email goes through a legitimate hacked site and lands on [donotclick]marriott.com.reservation.lookup.viperlair.net/news/marriott-ebill-order-confirmation.php (report here) hosted on the following IPs:

viperlair.net is registered with fake WHOIS details that mark it out as belonging to the Amerika gang:

      miguel villegas
      15003 Elkhorn Dr
      FONTANA, CA 92336-5517
      US
      Phone: +1.9098998422
      Email: shanghaiherald32@yahoo.com

50.97.253.162 (Softlayer, US)
59.126.142.186 (Chunghwa Telecom, Taiwan)
209.222.67.251 (Razor Inc, US)

Recommended blocklist:
50.97.253.162
59.126.142.186
209.222.67.251
autorize.net.models-and-kits.net
clik-kids.com
condalnua745746.ru
cpa.state.tx.us.tax-returns.mattwaltererie.net
ehnihenransivuennd.net
erawppa.com
ermitirationifyouwau30.net
estateandpropertty.com
firerice.com
fulty.net
gebelikokulu.net
generationpasswaua40.net
gondamtvibnejnepl.net
greenleaf-investment.net
irs.gov.tax-refunds.ach.treehouse-dreams.net
linkedin.com-update-report.taltondark.net
marriott.com.reservation.lookup.viperlair.net
microsoftnotification.net
mycanoweb.com
pass-hc.com
quipbox.com
sendkick.com
taltondark.net
tax-returns.gov.cpa.state.us.gebelikokulu.net
treehouse-dreams.net
tvblips.net
twitter.com.greenleaf-investment.net
viperlair.net
vitans.net

Tuesday 16 July 2013

Bank of America spam / stid 36618-22.zip

This fake Bank of America spam comes with a malicious attachment:

Date:     Tue, 16 Jul 2013 21:21:06 +0200 [15:21:06 EDT]
From:     Joyce Bryson [legalsr@gmail.com]
Subject:     Merchant Statement

Enclosed (pdflPDF|pdf file|document|file) is your Bank of America Paymentech electronic Merchant Billing Statement.
If you need assistance, please (contact|message|call) your Account Executive or call Merchant Services at the telephone number listed on your statement.
PLEASE DO NOT RESPOND BY USING REPLY. This (email|mail) is sent from an unmonitored email address, and your response will not be received by Bank of America Paymentech.
Bank of America Paymentech will not be responsible for any liabilities that may result from or relate to any failure or delay caused by Bank of America Paymentech's or the Merchant's email service or otherwise. Bank of America Paymentech recommends that Merchants continue to monitor their statement information regularly.
----------
Learn more about Bank of America Paymentech Solutions, LLC payment processing services at Bank of America.
----------
THIS MESSAGE IS CONFIDENTIAL. This e-mail message and any attachments are proprietary and confidential information intended only for the use of the recipient(s) named above. If you are not the intended recipient, you may not print, distribute, or copy this message or any attachments. If you have received this communication in error, please notify the sender by return e-mail and delete this message and any attachments from your computer.

Attached is a file called stid 36618-22.zip which in turn contains stid 36618-22.exe which is a variant of Zbot. VirusTotal detections are just 11/47.

Anubis reports what appear to be several peer-to-peer connection attempts plus an attempted download from [donotclick]apsuart.com/741_out.exe that appears to fail. For what they are worth, hereis the Comodo CAMAS report, Malwr report and ThreatExpert report.

"Invoice 48920" spam / doc201307161139482.doc

This spam has a malicious word attachment, doc201307161139482.doc which contains an exploit.

From: Carlos Phillips [accounting@travidia.com]
Subject: Invoice 48920

Thanks !!

Greg

Precision Assemblies Products, Inc.Llc.
179 Nesbitt Hills
Holley, NY 51902
(176)-674-6500
nightmarewdp50@travidia.com

Note that the date is included into the filename. The document has an MS12-027 exploit with a VirusTotal detection rate of just 5/47. In theory, if your copy of Microsoft Word is up-to-date you should be immune to this. VT gives the following checksums:

MD5 935e5cacde136d006ea1bb1201a3e6ef

SHA1 bc876d53ad002f1d6fd994d6717372f374d5e6dc

SHA256 8ae7ae35c37a618031c3ec0702871dc19c817bff4e5cf54f1169182fdc8d878c

The Malwr analysis shows some of the things going on, including network connections to:
mycanoweb.com
46.45.182.27 (Radore Veri Merkezi Hizmetleri A.S, Turkey)
50.97.253.162 (Softlayer, US)
59.126.142.186 (Chungwa Telecom, Taiwan)
188.40.92.12 (Hetzner, US)
209.222.67.251 (Razor Inc, US)

classified.byethost11.com
209.190.24.9 (Enet / XLHost, US)

myhomes.netau.net
31.170.160.129 (Main Hosting, US)

UPDATE: The ThreatTrack report [pdf] shows similar characterstics, including an attempted download from [donotclick]mycanoweb.com/report/doc.exe which is a Zbot variant with a low detection rate. (Also see the Anubis, ThreatExpert and Malwr reports for that).

Most of the IPs for mycanoweb.com overlap with these belonging to the Amerika gang. The other two IPs are shared hosting and might block a relatively small number of legitimate sites.. I would lean towards blocking them now and unblock them later it there's a problem.

Recommended blocklist:
mycanoweb.com
classified.byethost11.com
myhomes.netau.net
46.45.182.27
50.97.253.162
59.126.142.186
188.40.92.12
209.222.67.251
209.190.24.9
31.170.160.129

Additional IPs for Zbot component:
182.237.17.180
194.44.219.226
210.56.23.100

Malware sites to block 16/7/13

These domains and IPs are associated with this gang. This time there appear to be some diet pill sites in the mix, these may be spammy or they may be malicious.. I would recommend blocking them all though.

24.173.170.230 (Time Warner Cable, US)
31.145.19.17 (Borusan Telekom / Ericsson, Turkey)
38.96.42.60 (PSInet / WiLogic Inc, US)
41.196.17.252 (Link Egypt, Egypt)
46.45.182.27 (Radore Veri Merkezi Hizmetleri A.S, Turkey)
46.246.41.68 (Portlane Networks, Sweden)
46.38.51.162 (TCTEL, Russia)
50.97.253.162 (Softlayer, US)
58.196.7.174 (CERNET, China)
59.124.33.215 (Chungwa Telecom, Taiwan)
59.126.142.186 (Chungwa Telecom, Taiwan)
59.160.69.74 (TATA, India)
61.220.221.92 (HINET / Chungwa Telecom, Taiwan)
64.49.246.226 (Rackspace, US)
69.162.76.10 (Limestone Networks, US)
74.93.56.83 (Comcast Business Communications, US)
77.240.118.69 (Acens Technlogies, Spain)
80.52.135.172 (TPNET, Poland)
81.17.140.138 (Velton.telecom, Ukraine)
82.165.41.13 (1&1, Philippines)
85.17.224.131 (Leaseweb, Netherlands)
85.119.187.145 (UNIWEB, Belgium)
87.236.211.159 (Azar Online, Iran)
88.86.100.2 (Supernetwork, Czech Republic)
89.161.255.30 (Home.pl, Poland)
89.248.161.146 (Ecatel, Netherlands)
95.111.32.249 (Mobitel / Megalan, Bulgaria)
98.192.168.80 (Comcast Communications, US)
103.9.23.34 (TPL Trakker, Pakistan)
108.179.8.103 (Tyco / Cablevision, US)
111.121.193.198 (China Telecom, China)
111.121.193.199 (China Telecom, China)
111.121.193.200 (China Telecom, China)
114.32.97.58 (HINET / Chungwa Telecom, Taiwan)
119.1.109.40 (QianXiNan County, China)
119.1.109.48 (QianXiNan County, China)
119.92.209.120 (Philippine Long Distance Telephone Company, Philippines)
128.252.158.57 (Washington University, US)
138.80.14.27 (Charles Darwin University, Australia)
140.115.43.187 (TANET, Taiwan)
143.239.87.38 (University College Cork, Ireland)
150.244.233.146 (Universidad Autonoma De Madrid , Spain)
151.155.25.109 (Novell, US)
151.155.25.111 (Novell, US)
172.255.106.17 (Nobis Technology Group, US)
173.167.54.139 (Iceweb Storage Corp / Comcast, US)
176.31.46.7 (OVH, France)
180.166.172.122 (China Telecom, China)
184.105.135.29 (Hurricane Electric, US)
188.132.213.115 (Hosting Internet Hizmetleri Sanayi Ve Ticaret Anonim Sirketi, Turkey)
190.85.249.159 (Telmex Colombia, Colombia)
192.241.205.26 (Digital Ocean, US)
193.95.91.78 (Agence Tunisienne Internet, Tunisia)
195.225.58.122 (C&A Connect SRL, Romania)
198.56.238.36 (Enzu Inc, US)
201.163.145.125 (Alestra, S. de R.L. de C.V., Mexico)
202.28.69.195 (UniNet, Thailand)
202.63.210.182 (CubeXS Private Lmited, Pakistan)
203.122.26.124 (Citycom Networks Pvt Ltd, India)
203.235.181.181 (Sejong Telecom, Korea)
203.236.232.42 (KINX, Korea)
207.254.1.17 (Virtacore Systems Inc, US)
208.115.114.68 (Wowrack, US)
209.222.67.251 (Razor Inc, US)
210.200.0.95 (Asia Pacific On-line Services Inc., Taiwan)
212.143.233.159 (013 Netvision Network, Israel)
222.20.90.25 (CERNET, China)

Blocklist:
24.173.170.230
31.145.19.17
38.96.42.60
41.196.17.252
46.45.182.27
46.246.41.68
46.38.51.162
50.97.253.162
58.196.7.174
59.124.33.215
59.126.142.186
59.160.69.74
61.220.221.92
64.49.246.226
69.162.76.10
74.93.56.83
77.240.118.69
80.52.135.172
81.17.140.138
82.165.41.13
85.17.224.131
85.119.187.145
87.236.211.159
88.86.100.2
89.161.255.30
89.248.161.146
95.111.32.249
98.192.168.80
103.9.23.34
108.179.8.103
111.121.193.198
111.121.193.199
111.121.193.200
114.32.97.58
119.1.109.40
119.1.109.48
119.92.209.120
128.252.158.57
138.80.14.27
140.115.43.187
143.239.87.38
148.81.111.91
148.81.111.92
150.244.233.146
151.155.25.109
151.155.25.111
172.255.106.17
173.167.54.139
176.31.46.7
180.166.172.122
184.105.135.29
188.132.213.115
190.85.249.159
192.241.205.26
193.95.91.78
195.225.58.122
198.56.238.36
201.163.145.125
202.28.69.195
202.63.210.182
203.122.26.124
203.235.181.181
203.236.232.42
207.254.1.17
208.115.114.68
209.222.67.251
210.200.0.95
212.143.233.159
222.20.90.25
abundanceguys.net
allgstat.ru
amazon.com.first4supplies.net
americanexpress.com.krasalco.com
americimblog.com
amimeseason.net
androv.pl
aniolyfarmacij.com
antidoctorpj.com
aqua-thermos.com
astarts.ru
auditbodies.net
augel.pl
autocompletiondel.net
autorize.net.models-and-kits.net
autotradeguide.net
avenues.pl
basedbreakpark.su
beachfiretald.com
beatenunwield.com
bebomsn.net
beirutyinfo.com
bestofallforallas.pl
blacklistsvignet.pl
blindsay-law.net
bnamecorni.com
boats-sale.net
brandeddepend.com
brasilmatics.net
businessdocu.net
buty24-cool.com
buycushion.net
cabby.pl
centow.ru
chairsantique.net
charismasalonme.net
childrensuck.net
cirormdnivneinted40.ru
clik-kids.com
com.amazon.com.first4supplies.net
condalinarad72234652.ru
condalinaradushko5.ru
condalininneuwu36.net
condalinneuwu5.ru
condalinrwgw136.ru
condalnua745746.ru
cotime.pl
cpa.state.tx.us.tax-returns.mattwaltererie.net
cryoroyal.net
dasay.pl
datapadsinthi.net
doorandstoned.com
driversupdate.pw
dulethcentury.net
e-citystores.net
editionscode.com
e-eleves.net
effectivenesspre.com
eftps.gov.charismasalonme.net
ehchernomorskihu.ru
ehnaisnwhgiuh29.net
ehnihenransivuennd.net
ehnihjrkenpj.ru
eliroots.ru
enchantingfluid.com
ensutringscal.net
enuhhdijsnenbude40.ru
ergopets.com
estateandpropertty.com
exterms.pl
faststream.pl
feminineperceiv.pl
filmstripstyl.com
fincal.pl
first4supplies.net
foremostorgand.su
freakable.net
fulty.net
gamnnbienwndd70.net
gcoordinatind.com
gebelikokulu.net
genie-enterprises.com
gentonoesleep.com
gerlos-hotel.net
getstatsp.ru
ghroumingoviede.ru
gnanosnugivnehu.ru
gondamtvibnejnepl.net
goodread.pl
gotip.pl
grivnichesvkisejj50.ru
guardianforyou.pl
gumfart.ru
hdmltextvoice.net
heidipinks.com
hemorelief.net
highsecure155.com
hingpressplay.net
hospitalinstitutee.com
hotautoflot.com
hotkoyou.net
hotpubblici.com
how-about-we.net
huang.pl
independinsy.net
info-for-health.net
initiationtune.su
insectiore.net
irs.gov.tax-refunds.ach.treehouse-dreams.net
jonkrut.ru
kirki.pl
krasalco.com
ledfordlawoffice.net
letsgofit.net
libulionstreet.su
linefisher.com
linkedin.com-update-report.taltondark.net
m.krasalco.com
made-bali.net
magiklovsterd.net
mantuma.pl
mattwaltererie.net
maxapps.pl
microsoftnotification.net
missdigitalworld.net
models-and-kits.net
modshows.net
morphed.ru
mosher.pl
nailapp.pl
namastelearning.net
ns3.thebodyfatsolutioncb.pl
nvufvwieg.com
offeringshowt.com
ompute.pl
oneday-movie.net
organizerrescui.pl
oupwareplanets.su
oydahrenlitu346357.ru
pinterest.com.reports0701.net
polymerplanet.net
porschetr-ml.com
potteryconvention.ru
privat-tor-service.com
przcloud.net
questphoneservice.net
quipbox.com
ratenames.net
recatalogfinger.net
relationshipa.com
relectsdispla.net
rentipod.ru
reports0701.net
rustin.pl
safebrowse.pw
scourswarriors.su
secrettapess.com
secureaction120.com
securednshooki.com
sendkick.com
sensetegej100.com
sitemax.pl
sklephoreca.pl
soberimages.com
spros.pl
stilos.pl
streetgreenlj.com
susubaby.net
tagcentriccent.net
tagcentriccent.pl
taltondark.net
tax-returns.gov.cpa.state.us.gebelikokulu.net
teakfromafrica.net
telecomerra.com
thebodyfatsolutioncb.pl
thebodyfatsolutionoi.pl
thegalaxyatwork.com
theguardian-newspaper.pl
therichboysmail.net
thetimesforyou.pl
thosetemperat.net
toetotoetimef.net
tor-connect-secure.com
treehouse-dreams.net
trymaximumslimbaba.pl
trymaximumslimbia.pl
trymaximumslimboa.pl
trymaximumslimbua.pl
trymaximumslimbuta.pl
trymaximumslimdel.pl
trymaximumslimeta.pl
trymaximumslimfea.pl
trymaximumslimfoa.pl
trymaximumslimfol.pl
trymaximumslimhoa.pl
trymaximumslimhol.pl
trymaximumslimhowa.pl
trymaximumsliminl.pl
trymaximumslimlacl.pl
trymaximumslimlal.pl
trymaximumslimlea.pl
trymaximumslimleta.pl
trymaximumslimlitta.pl
trymaximumslimmaa.pl
trymaximumslimmal.pl
trymaximumslimmea.pl
trymaximumslimmia.pl
trymaximumslimnel.pl
trymaximumslimnota.pl
trymaximumslimota.pl
trymaximumslimpaa.pl
trymaximumslimpal.pl
trymaximumslimpara.pl
trymaximumslimrata.pl
trymaximumslimroba.pl
trymaximumslimroll.pl
trymaximumslimroma.pl
trymaximumslimsaa.pl
trymaximumslimsal.pl
trymaximumslimsanda.pl
trymaximumslimsil.pl
trymaximumslimsina.pl
trymaximumslimsofa.pl
trymaximumslimsofl.pl
trymaximumslimsparl.pl
trymaximumslimteda.pl
trymaximumslimulda.pl
trymaximumslimundl.pl
tstatbox.ru
tvblips.net
u-janusa.net
ukbash.ru
unabox.pl
usenet4ever.net
usergateproxy.net
vahvahchicas.ru
vip-proxy-to-tor.com
vivendacalangute.net
wickedpl.com
wic-office.com
wordstudio.pl
wow-included.com
yourbodyfatsolutionaningm.pl
yourbodyfatsolutionharm.pl
yourbodyfatsolutionhom.pl
yourbodyfatsolutionlgf.pl
yourbodyfatsolutionlittm.pl
yourbodyfatsolutionlpa.pl
yourbodyfatsolutionlub.pl
yourbodyfatsolutionlui.pl
yourbodyfatsolutionmem.pl
yourbodyfatsolutionnak.pl
yourbodyfatsolutionncb.pl
yourbodyfatsolutionnff.pl
yourbodyfatsolutionnzk.pl
yourbodyfatsolutionronm.pl
yourbodyfatsolutionsam.pl
yourbodyfatsolutionsim.pl
yourbodyfatsolutionterm.pl
yourbodyfatsolutiontinm.pl
yourbodyfatsolutionuca.pl
yourbodyfatsolutionucb.pl
yourbodyfatsolutionuee.pl
yourbodyfatsolutionufd.pl
yourbodyfatsolutionuff.pl
yourbodyfatsolutionufg.pl
yourbodyfatsolutionugd.pl
yourbodyfatsolutionugf.pl
yourbodyfatsolutionuhh.pl
yourbodyfatsolutionukk.pl
yourbodyfatsolutionunb.pl
yourbodyfatsolutionunc.pl
yourbodyfatsolutionuoi.pl
yourbodyfatsolutionupa.pl
yourbodyfatsolutionusd.pl
yourbodyfatsolutionuub.pl
yourbodyfatsolutionuui.pl
yourbodyfatsolutionuvb.pl
yourbodyfatsolutionuvc.pl
yourbodyfatsolutionuzk.pl
yourbodyfatsolutionwam.pl
zestrecommend.com

Half your video missing in Windows Movie Maker? MS13-057 to blame.

I couldn't quite figure out why Windows Movie Maker was suddenly chopping off the top half of a video I was making..

I didn't investigate the problem very closely because I finished the project using Sony Vegas instead. However, it turns out that I am not alone.. an InfoWorld post also indicates that there are problems with Adobe Premiere Pro, Techsmith Camtasia Studio, Serif MoviePlus X6 plus some games due to the MS13-057 update pushed out a week ago.

If you are experiencing critical problems with missing video, then the only thing to do seems to be to uninstall the Windows Media Player patch listed as KB2803821 or KB2834904. If this isn't causing a problem then you may as well keep the patch in place to protect your system. I would expect another patch to be re-issued soon.

msi.com hacked with kristians1.net

The website of msi.com (a major computer manufacturer) has been hacked and is serving up malware, despite MSI being informed of the problem. Injected code pointing to the domain kristians1.net (83.143.81.2, ServeTheWorld AS Norway) has been injected into the site and is serving up an exploit kit (report here).

This is not the only time msi.com has been hacked. Most significantly, they recently had 50,000 accounts leaked and their site defaced. Zone H also reports several recent defacements and Google reports that part of the site has been listed as containing malware 4 times over the past 90 days.

What is the current listing status for msi.com?

This site is not currently listed as suspicious.
Part of this site was listed for suspicious activity 4 time(s) over the past 90 days.

What happened when Google visited this site?

Of the 2470 pages we tested on the site over the past 90 days, 16 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2013-07-15, and the last time suspicious content was found on this site was on 2013-06-16.Malicious software includes 23 exploit(s), 2 trojan(s). Successful infection resulted in an average of 1 new process(es) on the target machine.
Malicious software is hosted on 5 domain(s), including abdelmonem.net/, oportunidadesdesdesucasa.com/, jobsreal.biz/.
1 domain(s) appear to be functioning as intermediaries for distributing malware to visitors of this site, including for-test-only.ru/.
This site was hosted on 10 network(s) including AS12859 (NL), AS26228 (SERVEPATH), AS8220 (COLT).

Has this site acted as an intermediary resulting in further distribution of malware?

Over the past 90 days, msi.com appeared to function as an intermediary for the infection of 1 site(s) including 2k11.co.za/.

You really do have to question the competency of a company when it has this many hacks and breaches, especially when they make computers. How deeply do these breaches go?

Monday 15 July 2013

UPS spam / tvblips.net

This fake UPS spam leads to malware on tvblips.net:

Date:     Mon, 15 Jul 2013 10:20:13 -0500
From:
Subject:     Your UPS Invoice is Ready


This is an automatically generated email. Please do not reply to this email address.

Dear UPS Customer,

Thank you for your business.

New invoice(s) are available for the consolidated payment plan(s) / account(s) enrolled in the UPS Billing Center.

Please visit the UPS Billing Center to view and pay your invoice.

Questions about your charges? To get a better understanding of surcharges on your invoice, click here.

Discover more about UPS:
Visit ups.com
Explore UPS Freight Services
Learn About UPS Companies
Sign Up For Additional Email From UPS
Read Compass Online

� 2013 United Parcel Service of America, Inc. UPS, the UPS brandmark, and the color brown are trademarks of United Parcel Service of America, Inc. All rights reserved.
For more information on UPS's privacy practices, refer to the UPS Privacy Policy.
Please do not reply directly to this e-mail. UPS will not receive any reply message.
For questions or comments, visit Contact UPS.

This communication contains proprietary information and may be confidential. If you are not the intended recipient, the reading, copying, disclosure or other use of the contents of this e-mail is strictly prohibited and you are instructed to please delete this e-mail immediately.
Privacy Policy
Contact UPS

The link in the email goes to a legitimate hacked site that has some highly obfuscated javascript that leads to a malware landing page on [donotclick]tvblips.net/news/ups-information.php (report here) hosted on:

46.45.182.27 (Radore Veri Merkezi Hizmetleri, Turkey)
209.222.67.251 (Razor Inc, US)

Recommended blocklist:
46.45.182.27
209.222.67.251
allgstat.ru
americanexpress.com.krasalco.com
astarts.ru
autorize.net.models-and-kits.net
beachfiretald.com
beatenunwield.com
bnamecorni.com
brandeddepend.com
centow.ru
clik-kids.com
condalnua745746.ru
cpa.state.tx.us.tax-returns.mattwaltererie.net
datapadsinthi.net
ehnihenransivuennd.net
eliroots.ru
ensutringscal.net
estateandpropertty.com
filmstripstyl.com
fulty.net
gcoordinatind.com
gebelikokulu.net
gentonoesleep.com
getstatsp.ru
gondamtvibnejnepl.net
hdmltextvoice.net
hingpressplay.net
irs.gov.tax-refunds.ach.treehouse-dreams.net
jonkrut.ru
linkedin.com-update-report.taltondark.net
magiklovsterd.net
mattwaltererie.net
microsoftnotification.net
nvufvwieg.com
offeringshowt.com
oupwareplanets.su
privat-tor-service.com
quipbox.com
relationshipa.com
relectsdispla.net
sendkick.com
streetgreenlj.com
tax-returns.gov.cpa.state.us.gebelikokulu.net
toetotoetimef.net
tor-connect-secure.com
treehouse-dreams.net
tstatbox.ru
tvblips.net
vip-proxy-to-tor.com
zestrecommend.com

NOST (NOST.QB) / NSU Resources Inc Pump and Dump Spam

Over the weekend a pump-and-dump spam run started for NSU Resources Inc trading as NOST.QB. NSU Resources almost definitely have nothing to do with this spam run. Here are a few examples:

Subject: This Stock MOVED HARD

Rubber Stamp N OS_T!!! With A Profoundly Humble Market Float,
The Indicated Rare Earth Business Is In Line To Quintuple.
Suspect For Big Publication In A Minute.

Trading Date: Mon, July 15th, 2013
Target Price: .36
Symbol traded: N OS_T
Company: NSU Resources
Last trade: 0.0175

Stay tuned this could get real good!!! An Amazing Buying
Opportunity!

----------

Subject: This Stock Is The Hottest Stock In The Whole Market!

Check Out NO S_T! Amid An Seriously Humble Public Float, The Indicated Rare
Earth Company Is Equipped To Burst! Suspect For Big Dissemination In A
Minute.

Symbol to buy: NO S_T
Trading Date: Monday, July 15
Long Term Target: $0.37
Company: NSU Resources Inc
Closed Price: .0175

Huge Potential! Actual Gains Success and Pick for Tomorrow!!!

----------

Subject: They`ve got their rally caps on!

Rubber Stamp N_O_ST. Including An Very Modest Public Float, The
Aforementioned Rare Earth Corporation Is Ready To Pop. Presume For Greater
Divulgence In Due Time.

Trade Date: Monday, July 15
Latest Pricing: 0.0175
Stock Symbol: N_O_ST
Long Term Target Price: $.15
Company: NSU Resources, Corp.

Time to buy! Major play, coming tomorrow morning!

----------

Subject: Look for Another Push Higher

Take On NO_ST!!! Including An Ultra Inconsequential Market Float, The
Indicated Rare Earth Stock Is On Tap To Explode!!! Envisage For Larger
Publication In Due Time!

Name: NSU Resources Inc.
Trade: NO_ST
Closed Price: $0.0175
Long Term Target: $.10
Trading Date: Monday, July 15th, 2013

Urgent! You Must Read! My Huge Pick.

Indeed, the stock really did move a lot on Friday, going up from $0.0031 per share to $0.02 by the end of the day. But what actually happened?

The reason for the increase in the share price is simple to see. Between 1pm and 2pm on Friday nearly 5.5 million shares of stock were bought in a 30 minute period at $0.0031 (for a total of about $17,000), probably all by the same party. The usual trade level for this stock is usually zero or close to zero. After 2pm subsequent buying (probably by speculators) added about another 750,000 shares but pushed the share price up to about $0.02 at close, a 545% increase which would (on paper) have netted the spammers a profit of $90,000. Not bad for a day's work.

In August 2010, NOST shares peaked at $5.40 per share. It's been a bit of a rollercoaster since then. Mostly downwards, leaving NOST as a thinly traded penny stock which is exactly the sort of thing that pump and dump spammers like.

The last major pump and dump we saw (HAIR) ran for over a month, and we can expect to see NOST spam for a while yet as the spammer - and perhaps whoever employed them - try to offload worthless shares onto unsuspecting investors. Avoid.