Dynamoo's Blog

Tuesday 23 July 2013

Something evil on 91.233.244.102

These following domains are hosted on 91.233.244.102 (Olborg Ltd, Russia). This IP is implicated in Runforestrun infectors, has several malware detections on VirusTotal plus a few on URLquery. Google has flagged several domains as being malicious (marked in red below).

Obviously there's quite a concentration of evil on this IP address and the simplest thing to do would be to banish it from your network, in fact I would personally recommend blocking ~~the whole 91.233.244.0/23 block~~ at least 91.233.244.96/28 (see why) . However, a (probably incomplete) list of suspect domains on this IP are as follows:

aabgxpqayus.com

adcjhjpalcljihgw.info

adwwlwgfgefmzcwg.info

aefbydtsxloe.org

anzku-bqe.net

aodpcm-foub.com

aodpcm-foubfkmp.info

aoflkpshxeoa.org

apsnxeyafofkqfql.ru

apvvkrodqlouyoso.ru

aydpgzxzyidbeqoq.ru

ayxksipvqfxvlfaq.ru

bhigmqckbqhleqlo.ru

cqfreoz-qwd.info

cqfreoz-qwdhmor.com

cuojshtbohnt.com

cuojshtbohnt.info

dfglsfvdyus.com

dgjrfwiwpgjrwdcg.info

dgmcaaliawgewghp.info

donotwantyou787.ru

dppukpdhxloa.org

drgsfp-irxei.com

dspukpshxeoa.org

dwofvs-jdoyhpe.in

eaxrm-xnesh.org

fafogzpvzbvorqkk.ru

fexwxvogrgvfqxzk.ru

feyvxryisqafrssy.ru

fiwiziccefirihhh.info

fjzgpahrgwrzcwle.info

ftiuhrc-tzgk.info

fwcfpfwggjgmfwhw.info

fwdgffzethwhgffp.info

fyqhxu-lfq.in

gffqihioodwfteii.info

ggprgzwfapwdwold.info

gooogleadsense.org

hccakpdhxloa.org

hcnvidjkpytou.com

hhmsobscuoxgqwkhtugpnr.com

hivqwbnkasisil.com

hmcakpshxeoa.org

igicpiipggljcwaf.info

ihwwwhwipfarwrtf.info

ijxsncuprepwqzlt.ru

iprdjrhfporqpgcg.info

ipwfwtdwgiwwehie.info

jdiiffgfgg.com

jecvydtsxloe.org

jeuvkpdhxloa.org

jyuvkpshxeoa.org

kdvmczv-k.in

kkagkpshxeoa.org

kkyqexfzsqzysrkl.ru

knuidyekzkyuhtpi.ru

kxpgydtsxloe.org

kynzmwh-y.info

kynzmwh-yelpu.com

lalcjrdwrqwgwerf.info

ljfwwtftwgiltwwp.info

ljhfhwgiwiwhpwrf.info

lomxtgmgrswlgrrn.ru

mapbo-jra.com

mapbo-jragnrw.info

mfgqnlbmyus.com

mpmeezpmowrgihzc.info

nealkpdhxloa.org

newlydtsxloe.org

nsjosicxuhpidhlp.ru

nwalkpshxeoa.org

ocunydtsxloe.org

ocurkpdhxloa.org

odzbgxfiipvkrqfa.ru

oghwrfhoyus.com

oiicmtkpkaocnm.com

peawrwfgtewchzjc.info

peijgfhwhoffgorf.info

powwrwllojfjgrfg.info

pqueaafqaeoqrqxq.ru

psknwsqsqognrpoo.ru

qablspvqyus.com

qflqqfqqwzazqzrw.ru

qqzewquorqiuqviv.ru

r5z7yy68.com

rfffnahfiywyd.com

rfffnahfiywyd.info

rgdgkpshxeoa.org

rpdgkpdhxloa.org

rpdtydtsxloe.org

rrilffoowjcrqpdw.info

rrrmpfqrgfgfmthj.info

rseibvaoopvkvxyp.ru

sdfsfjkhewsdfe.com

sodsvsyxfzelkknq.ru

soopqzxleaqlqqfi.ru

sownoyqkaqxpqqkp.ru

thwiv-qyhnuydf.info

twctqwaggdwfwhzd.info

uivh-cltqmhb.org

uquqlyyuivkogxyr.ru

vbkfrqqfovaqyeio.ru

viqtkpshxeoa.org

vjykxh-ajp.info

vjykxh-ajpwafh.com

vogxnkg-vgqz.in

vpftydtsxloe.org

vvteeuevhpbpepfi.ru

vxvhwcixcxqxd.com

walfyqoslwfzgxxf.ru

wcrcwwzwercejjjp.info

wfcwhhrfoacawllf.info

wfigeegwffwgoffj.info

wgfdwfhejieeppeo.info

wiafokpwyus.com

wqllweihhwawzctg.info

wwfcfpmfwpompwow.info

xlamzju-lr.com

xlamzju-lrychj.info

xloeydtsxloe.org

xwaqllqvdovqikyn.ru

xweexxdyiaoaskfy.ru

yalkzsvudybexfgd.ru

yirxzxffiedeqddo.ru

ylaqdsoorlrrfyke.ru

ylbaugjnfutivfupbojcybabmrax.com

ypfuidx-i.com

yqgeqwxyfqowoiko.ru

yrjaq-jeyjtckzn.in

zkafwwiilgszbeps.ru

zkzuqobzowqyuixg.ru

zvswwossogquwrfs.ru

zyvskwylixxfswkq.ru

Malware sites to block 23/7/13

These malicious domains and IPs are associated with this prolific gang. As usual, I've listed IPs with hosts first and then a plain list of IPs and domains for copy-and-pasting at the end.

5.175.191.106 (GHOSTnet, Germany)
24.173.170.230 (Time Warner Cable, US)
31.145.19.17 (Borusan Telekom / Ericsson-NET, Turkey)
41.196.17.252 (Link Egypt, Egypt)
46.246.41.68 (Portlane Networks, Sweden)
46.45.182.27 (Radore Veri Merkezi Hizmetleri, Turkey)
50.97.253.162 (Softlayer, US)
54.225.124.116 (Amazon AWS, US)
59.77.36.225 (CERNET, China)
59.124.33.215 (Chungwa Telecom, Taiwan)
59.126.142.186 (Chungwa Telecom, Taiwan)
59.160.69.74 (TATA Communications, India)
61.28.143.133 (ETPI, Philippines)
62.76.44.105 (IT House / Clodo-Cloud, Russia)
69.60.115.92 (Colopronto, US)
74.62.189.22 (Time Warner Cable, US)
74.93.56.83 (Comcast, US)
74.208.246.145 (1&1, US)
85.17.224.131 (Leaseweb, Netherlands)
85.119.187.145 (UniWeb, Belgium)
88.86.100.2 (Supernetwork / Castlegem, Czech Republic)
88.150.191.194 (Redstation, UK)
95.87.1.19 (Trakia Kabel OOD, Bulgaria)
95.111.32.249 (Mobitel EAD, Bulgaria)
108.170.32.179 (Secured Servers, US)
108.179.8.103 (Tyco / Cablevision, US)
109.123.125.68 (UK2.net, UK)
114.112.172.34 (Worldcom Teda Networks Technology, China)
119.92.209.120 (Makati IPG, Philippines)
120.124.132.123 (TANET, Taiwan)
121.83.197.179 (K-Opticom Corporation, Japan)
128.252.158.57 (Washington University, US)
138.80.14.27 (Charles Darwin University, Australia)
140.120.113.18 (TANET, Taiwan)
162.209.80.221 (Rackspace, US)
165.225.149.235 (Joyent, US)
166.78.183.28 (Rackspace, US)
172.245.16.47 (New Wave NetConnect / ColoCrossing, US)
172.255.106.126 (Nobis Technology Group, US)
182.72.216.173 (CusDelight Consultancy Services, India)
188.40.92.12 (Hetzner, Germany)
188.132.213.115 (Mars Global Datacenter Services, Turkey)
188.134.26.172 (Perspectiva Ltd, Russia)
189.15.96.61 (Companhia De Telecomunicacoes Do Brasil Central , Brazil)
190.85.249.159 (Telmex Colombia, Colombia)
190.238.107.240 (Telefonica del Peru, Peru)
192.95.54.119 (OVH, Canada)
192.241.205.26 (Digital Ocean, US)
195.225.58.122 (C&A Connect SRL, Romania)
198.61.213.12 (Rackspace, US)
198.98.102.165 (Enzu, US)
198.175.124.17 (DNSSLAVE.COM, US)
202.197.127.42 (Hunan Normal University, China)
203.236.232.42 (KINX, Korea)
208.69.42.50 (Bay Area Video Coalition, US)
208.115.114.68 (WOWRACK, US)
209.222.67.251 (Razor Inc, US)
210.200.0.95 (Asia Pacific On-line Services, Taiwan)
211.224.204.141 (KINX, Korea)
212.143.233.159 (013 Netvision Network, Israel)
217.64.107.108 (Society Of Mali's Telecommunications , Mali)

5.175.191.106
24.173.170.230
31.145.19.17
41.196.17.252
46.246.41.68
46.45.182.27
50.97.253.162
54.225.124.116
59.77.36.225
59.124.33.215
59.126.142.186
59.160.69.74
61.28.143.133
62.76.44.105
69.60.115.92
74.62.189.22
74.93.56.83
74.208.246.145
85.17.224.131
85.119.187.145
88.86.100.2
88.150.191.194
95.87.1.19
95.111.32.249
108.170.32.179
108.179.8.103
109.123.125.68
114.112.172.34
119.92.209.120
120.124.132.123
121.83.197.179
128.252.158.57
138.80.14.27
140.120.113.18
162.209.80.221
165.225.149.235
166.78.183.28
172.245.16.47
172.255.106.126
182.72.216.173
188.40.92.12
188.132.213.115
188.134.26.172
189.15.96.61
190.85.249.159
190.238.107.240
192.95.54.119
192.241.205.26
195.225.58.122
198.61.213.12
198.98.102.165
198.175.124.17
202.197.127.42
203.236.232.42
208.69.42.50
208.115.114.68
209.222.67.251
210.200.0.95
211.224.204.141
212.143.233.159
217.64.107.108
aa.com.reservation.viewfareruledetailsaccess.do.sai-uka-sai.com
abundanceguys.net
allgstat.ru
amimeseason.net
annot.pl
antidoctorpj.com
aqua-thermos.com
astarts.ru
auditbodies.net
aurakeep.net
autocompletiondel.net
autorize.net.models-and-kits.net
badstylecorps.com
basedbreakpark.su
beachfiretald.com
bebomsn.net
biati.net
blacklistsvignet.pl
blackragnarok.net
blindsay-law.net
bnamecorni.com
boats-sale.net
brasilmatics.net
buffalonyroofers.net
businessdocu.net
buty24-cool.com
buycushion.net
cbstechcorp.net
centow.ru
chairsantique.net
ciriengrozniyivdd.ru
cirormdnivneinted40.ru
clik-kids.com
condaleunvjdlp55.net
condalinarad72234652.ru
condalinaradushko5.ru
condalininneuwu36.net
condalinneuwu37.net
condalinneuwu5.ru
condalnua745746.ru
cooldeaflympics.com
cpa.state.tx.us.tax-returns.mattwaltererie.net
crossplatformcons.com
cryoroyal.net
datapadsinthi.net
doorandstoned.com
driversupdate.pw
dulethcentury.net
e-citystores.net
e-eleves.net
ehchernomorskihu.ru
ehnaisnwhgiuh29.net
ehnihenransivuennd.net
ehnihjrkenpj.ru
ehnihujasebejav15.ru
eliroots.ru
epackage.ups.com.shanghaiherald.net
ergopets.com
erminwanbuernantion20.net
ermitirationifyouwau30.net
estateandpropertty.com
etiquetteinsp.net
fastfragcheck.com
feminineperceiv.pl
fenvid.com
filmstripstyl.com
firefoxupd.pw
firerice.com
flashedglobetrot.pl
foremostorgand.su
foremostorgand.suc
fulty.net
gamnnbienwndd70.net
gcoordinatind.com
gebelikokulu.net
generationpasswaua40.net
genie-enterprises.com
germany.no-ip.biz
ghroumingoviede.ru
gnanosnugivnehu.ru
gondamtvibnejnepl.net
goodread.pl
greenleaf-investment.net
gromovieotvodidiejj40.net
handwrittenma.com
hdmltextvoice.net
heavygear.net
heidipinks.com
hemorelief.net
hiddenhacks.com
highsecure155.com
hingpressplay.net
homesforsaleftwaltonbea.com
hotkoyou.net
hotpubblici.com
housesales.pl
iberiti.com
icensol.net
independinsy.net
info-for-health.net
insectiore.net
irs.gov.tax-refunds.ach.treehouse-dreams.net
jonkrut.ru
kistrotilewest.su
klermont.net
klwines.com.order.complete.prysmm.net
kubiwaya.net
ledfordlawoffice.net
letsgofit.net
linguaape.net
linkedin.com-update-report.taltondark.net
links.emails.bmwusa.com.open.pagebuoy.net
locavoresfood.net
mackay-revealed.net
made-bali.net
magiklovsterd.net
marriott.com.reservation.lookup.motobrio.net
marriott.com.reservation.lookup.viperlair.net
metalcrew.net
microsoftnotification.net
mifiesta.ru
modshows.net
momotlawfirm.net
morphed.ru
mosher.pl
motobrio.net
mycanoweb.com
myfreecamgirls.net
mywebsitetips.net
neplohsec.com
nipslippage.net
nvufvwieg.com
onemessage.verizonwireless.com.verizonwirelessreports.com
ontria.ru
organizerrescui.pl
outbounduk.net
oydahrenlitu346357.ru
package.ups.com.shanghaiherald.net
pagebuoy.net
pass-hc.com
peertag.com
playtimepixelating.su
pool-inter.com
porschetr-ml.com
potteryconvention.ru
privat-tor-service.com
prothericsplk.com
prysmm.net
quipbox.com
ratenames.net
relectsdispla.net
rentipod.ru
restless.su
saberig.net
safebrowse.pw
sai-uka-sai.com
sartorilaw.net
scourswarriors.su
secureaction120.com
securednshooki.com
sendkick.com
sensetegej100.com
seodirect-proxy.com
shanghaiherald.net
sludgekeychai.net
soberimages.com
susubaby.net
tagcentriccent.net
tagcentriccent.pl
tax-returns.gov.cpa.state.us.gebelikokulu.net
teakfromafrica.net
techno5room.ru
thegalaxyatwork.com
thosetemperat.net
tor-connect-secure.com
treehouse-dreams.net
tvblips.net
twitter.com.greenleaf-investment.net
u-janusa.net
ukbash.ru
usergateproxy.net
verizonwirelessreports.com
viperlair.net
vip-proxy-to-tor.com
vitans.net
vivendacalangute.net
wic-office.com
wordstudio.pl
wow-included.com
zestrecommend.com

Monday 22 July 2013

IRS.gov "Complaint Case #488870383295" spam / Complaint_488870383295.zip

This spam contains a malicious attachment, but seems to confuse the roles of the BBB and the IRS.

Date:     Mon, 22 Jul 2013 09:59:08 -0500 [10:59:08 EDT]
From:     "IRS.gov" [fraud.dep@irs.gov]
Subject:     Complaint Case #488870383295

You have received a complaint in regards to your business services.
The complaint was filled by Mr./Mrs. Ulivo DELERME on 07/22/2013/

Case Number: 488870383295

Instructions on how to resolve this complaint as well as a copy of the original complaint are attached to this email.

Disputes involving consumer products and/or services may be arbitrated. Unless they directly relate to the contract that is the basis of this dispute, the following claims will be considered for arbitration only if all parties agree in writing that the arbitrator may consider them: Claims based on product liability; Claims for personal injuries; Claims that have been resolved by a previous court action, arbitration, or written agreement between the parties.

The decision as to whether your dispute or any part of it can be arbitrated rests solely with the IRS.

The IRS offers a binding arbitration service for disputes involving marketplace transactions. Arbitration is a convenient, civilized way to settle disputes quickly and fairly, without the costs associated with other legal options.

2013 Council of IRS, Inc. All Rights Reserved.

Attached to the email is a ZIP file Complaint_488870383295.zip which in turn contains an executable Complaint_07222013.exe which is bad news. VirusTotal detection rates are a so-so 14/47.

ThreatExpert and Comodo CAMAS give a little background information, but in this case the Malwr analysis seems to be the most comprehensive and shows traffic out the the following compromised sites:

prospexleads.com
phonebillssuck.com
moneyinmarketing.com
abbeyevents.co.uk
salsaconfuego.com
fales.info

The second part has a much lower detection rate of just 2/47. At the moment this second stage is still being analysed.

BMW spam / pagebuoy.net

This convincing looking BMW spam leads to malware on

Date:     Mon, 22 Jul 2013 13:07:50 -0500 [14:07:50 EDT]
From:     BMW of North America [womanliere75@postmaster.aa-mail.org]
Reply-To:     motherfuckinge926@m.aa-mail.com
Subject:     The BMW 6-Series M Sport Edition, M Universe, and more.

BMW’s 6-Series M Sport Edition     View Online
BMW
A 6 SERIES.
WITH M PANACHE.
Meet the 6-Series M Sport Edition. Available in all 6 series models, the M Sport Edition boasts premium features like M Aerodynamics, LED Adaptive Headlights, an M leather steering wheel, and Nappa Leather sport seats for a ride that’s a 6-Series inside and out.
LEARN MORE
Efficient Dynamics

Table of Contents

» BMW M Universe
» BMW Wins Again
» BMW i3 Design
» BMW Superbike
» BMW Collections

    WELCOME TO M’S
NEW HOME.

In the M Universe, your own M photos will become part of a visual timeline spanning all 40 award-winning years of the iconic M brand, from the classic 1972 to the new M6 Gran Coupe. To all you M fans, welcome home.

» ENTER BMW M UNIVERSE

    THE 3 SERIES WINS AGAIN

The BMW 3 Series continues to live up to its hard-earned reputation as the best compact sports sedan in the world. AUTOMOBILE MAGAZINE presented the 3 Series with the coveted 2013 All-Star award, making the number of AUTOMOBILE MAGAZINE awards won by the 3 Series alone over a dozen.

» BUILD YOUR OWN

    LIGHTWEIGHT, AGILE, AND STRONG

The Life Module of BMW i vehicles is a high–strength and lightweight passenger compartment made from carbon fiber reinforced plastic (CFRP). This, along with the use of aluminum, offsets the additional weight of the batteries of an electric car. And by reducing the weight, the number of batteries and the average battery charging time can also be reduced.

» LEARN MORE

    WORLD SUPERBIKE CHAMPIONSHIP UPDATE

Midway through an already successful season, the BMW Motorrad Goldbet SBK Team is getting ready for their next race in Imola, Italy. The team is coming off an impressive first-place finish by rider Marco Melandri in Portimão. Keep up with the latest news and updates from the team on the BMW Motorrad USA Facebook page.

» STAY CONNECTED

    2013 SPORT COLLECTIONS

BMW presents all-new sport collections. Apparel and accessories made from advanced materials with innovative designs so you can perform and look your best.

» LEARN MORE

EXPLORE THE BMW LINEUP



» Lease + Finance Offers
» Build Your Own

» Test Drive
» BMW Ultimate Service®

GET THE LATEST
BMW NEWS + UPDATES

Don’t forget to add bmwusa@emails.bmwusa.com to your Address Book to keep it from skipping your inbox or getting caught in spam filters.
ff
We want your experience with the BMW website to be as smooth and reassuring as driving a BMW. Accordingly, we diligently safeguard your privacy. If you wish to review our Privacy Policy at any time, please click on the link below, or copy and paste it into your Web browser’s location window. http://www.bmwusa.com/about/privacy.html

We’d like to keep you up-to-date on the latest BMW products, news and events via email. If, however, you’d like to stop receiving them, you can unsubscribe at any time.

Please note that we are located at 300 Chestnut Ridge Road, Woodcliff Lake, NJ 07677. ©2013 BMW of North America, LLC. The BMW name, model names and logo are registered trademarks. For more information call 1-800-831-1117 or go to www.bmwusa.com.

The link in the email goes through a legitimate hacked site and ends up on [donotclick]links.emails.bmwusa.com.open.pagebuoy.net/news/bmw-newmodel.php (report here) which is hosted on the same IP addresses as this spam run.

American Airlines spam / sai-uka-sai.com

This fake American Airlines spam leads to malware on www.aa.com.reservation.viewFareRuleDetailsAccess.do.sai-uka-sai.com:

From:     American.Airlines@aa.net
Date:     22 July 2013 17:22
Subject:     AA.com Itinerary Summary On Hold

Dear customer,

Thank you for making your travel arrangements on AA.com! Your requested itinerary is now ON HOLD. Details below.

To ensure that your reservation is not canceled you must complete the purchase of this reservation by clicking the “Purchase” button on this email, or by using the “View/Change Reservations” section on www.aa.com.

left corners         left corners

This reservation is on HOLD until July 22, 2013 11:59 PM CDT (Central Daylight Time) .

Record Locator: LEBBGM             Purchase

left corners         left corners

Passengers

   Isabella Green

NOTE: This is not a ticket or electronic receipt

Carrier Flight
Number Departing Arriving Cabin

Booking Code Seats Meals

City Date & Time City Date & Time

AMERICAN AIRLINES OPERATED BY AMERICAN EAGLE AIRLINES 2879 SPS Wichita Falls July 24, 2013 10:50 AM DFW Dallas/ Fort Worth July 24, 2013 11:43 AM Economy

M 32A Food For Purchase

AMERICAN AIRLINES 1795 DFW Dallas/ Fort Worth July 24, 2013 12:35 PM IAH Houston July 24, 2013 01:43 PM Economy

M 23A

AMERICAN AIRLINES 1690 IAH Houston July 26, 2013 02:20 PM DFW Dallas/ Fort Worth July 26, 2013 03:35 PM Economy

M 20C

AMERICAN AIRLINES OPERATED BY AMERICAN EAGLE AIRLINES 3294 DFW Dallas/ Fort Worth July 26, 2013 04:20 PM SPS Wichita Falls July 26, 2013 05:10 PM Economy

M 27B Food For Purchase

  Fare Summary

Average Fare per Person - 444.00 USD

Passenger Type Used in Pricing Fare per Person Additional Taxes and Fees per Person Total Price

1 Adult 442.90 USD 34.25 USD 490.95 USD

Total Price 495.49 USD

  Merchandising Summary

Flight Number Seat Number Seat Price Taxes Total Price

2879 0.00 USD 0.00 USD 0.00 USD

1795 14.00 USD 1.05 USD 15.05 USD

1690 14.00 USD 1.05 USD 15.05 USD

3294 0.00 USD 0.00 USD 0.00 USD

Total Price 30.10 USD

Please note the following:
• View Fare rules.
• Fares are only guaranteed up to 24 hours.
• Additional foreign taxes may apply.
• Additional fees may also apply for tickets not purchased through AA.com.

This is not the itinerary receipt that is required for identification purposes at the airport check-in. That receipt will be furnished upon purchase of this reservation.

In order to proceed to your gate you must present a government issued photo I.D. and either your boarding pass or a priority verification card at the screening security checkpoint.

If you are not a resident of the U.S., U.K., Canada or select countries in Latin America and the Caribbean, tickets must be purchased at an American Airlines ticketing location/airport, or by calling an American Airlines International Reservations office. Flights booked on carriers other than American Airlines, American Eagle® or AmericanConnection® are on a request basis only.

You've got payment options at AA.com! Make your dream vacation come true with the Fly Now Payment Plan, speed through checkout with PayPal, or use electronic checks to pay directly from your checking account. You can also pay in cash at participating Western Union locations or use a credit/debit card. Available payment options may vary by country.

The link in the email goes through a legitimate hacked site and ends up on a malware landing page at [donotclick]www.aa.com.reservation.viewFareRuleDetailsAccess.do.sai-uka-sai.com/news/american-airlines-hold.php (report here) hosted on the following IPs:

50.97.253.162 (Softlayer, US)
95.111.32.249 (Megalan / Mobitel EAD, Bulgaria)
188.134.26.172 (Perspectiva Ltd, Russia)
209.222.67.251 (Razor Inc, US)

The WHOIS details for that domain are the characteristically fake ones associated with this gang:
        Michael Fenwick freehotjob@yahoo.com
        21 Fredricksburg Court
        State College
        PA
        16803
        US
        Phone: +1.8144411445

Recommended blocklist:
50.97.253.162
95.111.32.249
188.134.26.172
209.222.67.251
aa.com.reservation.viewfareruledetailsaccess.do.sai-uka-sai.com
allgstat.ru
autorize.net.models-and-kits.net
ciriengrozniyivdd.ru
cirormdnivneinted40.ru
clik-kids.com
condalnua745746.ru
cpa.state.tx.us.tax-returns.mattwaltererie.net
driversupdate.pw
ehchernomorskihu.ru
ehnaisnwhgiuh29.net
ehnihenransivuennd.net
ehnihujasebejav15.ru
eliroots.ru
epackage.ups.com.shanghaiherald.net
ergopets.com
erminwanbuernantion20.net
ermitirationifyouwau30.net
estateandpropertty.com
firefoxupd.pw
firerice.com
fulty.net
gamnnbienwndd70.net
gebelikokulu.net
generationpasswaua40.net
gnanosnugivnehu.ru
gondamtvibnejnepl.net
greenleaf-investment.net
housesales.pl
irs.gov.tax-refunds.ach.treehouse-dreams.net
klwines.com.order.complete.prysmm.net
linkedin.com-update-report.taltondark.net
marriott.com.reservation.lookup.motobrio.net
marriott.com.reservation.lookup.viperlair.net
microsoftnotification.net
mifiesta.ru
motobrio.net
mycanoweb.com
onemessage.verizonwireless.com.verizonwirelessreports.com
package.ups.com.shanghaiherald.net
pagebuoy.net
pass-hc.com
privat-tor-service.com
prysmm.net
quipbox.com
rentipod.ru
safebrowse.pw
sai-uka-sai.com
sartorilaw.net
sendkick.com
shanghaiherald.net
taltondark.net
tax-returns.gov.cpa.state.us.gebelikokulu.net
tor-connect-secure.com
treehouse-dreams.net
tvblips.net
twitter.com.greenleaf-investment.net
verizonwirelessreports.com
viperlair.net
vip-proxy-to-tor.com
vitans.net

OVH Hacked

A bad thing to happen, but kudos to OVH for being transparent about this issue:

Hello,

A few days ago, we discovered that the security of our internal network at our offices in Roubaix had been compromised. After internal investigations, it appeared that a hacker was able to obtain access to an email account of one of our system administrators. With this email access, they was able to gain access to the internal VPN of another employee. Then with this VPN access, they was able to compromise the access of one of the system administrators who handles the the internal backoffice.

Until then, internal security was based on 2 levels of verification:
- Geographical: required to be in the office or to use the VPN, i.e.: the IP source
- Personal: password

Measures taken following this incident
---------------------------------------

Immediately following this hack, we changed the internal security rules:
- Passwords of all employees were regenerated for all types of access.
- We set up a new VPN in a secure PCI-DSS room with highly restricted access
- Consulting internal emails is now only possible from the office / VPN
- All those who have critical access now have 3 verification levels:
- Ip source
- Password
- Staff's USB security token (YubiKey)

Findings
-------

After our internal investigation, we assume that the hacker exploited the access to achieve two objectives:
- Recover the database of our customers in Europe
- Gain access to the installation server system in Canada

The European customer database includes personal customer information such as: surname, first name, nic, address, city, country, telephone, fax and encrypted password.
The encryption password is "Salted" and based on SHA-512, to avoid brute-force attacks. It takes a lot of technical means to find the word password clearly. But it is possible. This is why we advise you to change the password for your user name. An email will be sent today to all our customers explaining these security measures and inviting them to change their password.
No credit card information is stored at OVH. Credit card information was not viewed or copied.

As for the server delivery system in Canada, the risk we have identified is that if the client had not withdrawn our SSH key from the server, the hacker could connect from your system and retrieve the password stored in the .p file. The SSH key is not usable from another server, only from our backoffice in Canada . Therefore, where the client has not removed our SSH key and has not changed their root password, we immediately changed the password of the servers in the BHS DC to eliminate an risk there. An email will be sent today with the new password. The SSH key will be systematically deleted at the end of the server delivery process in both Canada and Europe. If the client needs OVH for support, a new SSH key will need to be reinstalled.

Overall, in the coming months the back office will be under PCI-DSS which will allow us to ensure that the incident related to a specific hack on specific individuals will have no impact on our databases. In short, we were not paranoid enough so now we're switching to a higher level of paranoia. The aim is to guarantee and protect your data in the case of industrial espionage that would target people working at OVH.

We also filed a criminal complaint about this to the judicial authorities. In order not to disrupt the work of investigators, we will not give other details before the final conclusions.

Please accept our sincere apologies for this incident. Thank you for your understanding.

Regards,

Octave

ygregistryltd.net / "Huasheng Ltd" domain scam

This is the same scam as this, this and this. Avoid.

From:    Jim Wang [jim.wang@ygregistryltd.net]
Date:    22 July 2013 15:29
Subject:    Regarding Asia/Cn/Hk domain name & Internet Keyword

Dear Manager,

(If you are not the person who is in charge of this, please forward this to your CEO,Thanks)

This email is from China domain name registration center, which mainly deal with the domain name registration in China and Asia. We received an application from Huasheng Ltd on July 22, 2013. They want to register " [redacted] " as their internet keyword and China/Asia/Hongkong (CN/ASIA/HK) domain names. But after checking it, we find this name conflicts with your company. In order to deal with this matter better, so we send you email and confirm whether this company is your distributor or business partner in China or not?

Best Regards,

Jim
General Manager
Shanghai Office (Head Office)
3002, Nanhai Building, No. 854 Nandan Road,
Xuhui District, Shanghai 200070, China
Tel: +86 216191 8696
Mobile: +86 1870199 4951
Fax: +86 216191 8697
Web: www.ygregistryltd.net

Note, all these domains are on the same server and can be considered scammy:
ygregistryltd.com
yg-registry.cn
ygregistry.cn
ygregistryltd.net

David Cameron's porn block - how will it work?

This government likes its half-baked ideas, and David Cameron's attempt to bring in mandatory porn blocking in the UK seems to be one of those daft ideas. Yes, ISPs should offer blocking if people want it.. and perhaps they should be made to offer it by law. But there are a number of concerns which are well addressed by this New Statesman article.

Leaving aside the moral debate and the questions over who decides what, there is the tricky question of how ISPs would actually block access to porn.

DNS filtering

The simplest and quickest way to block it is to use DNS filtering. ISPs can simply set their DNS servers to not resolve adult sites. You can do this sort of thing with OpenDNS already. The advantages is that this is fairly easy to implement and it doesn't cause any latency in web traffic. The disadvantage from the point of view of censoring is that it is trivially easy to bypass, simpy change your DNS provider to one that doesn't block sites or access the porn sites through their IP address only where they have dedicated servers (most big sites do).

Of course, if people bypass the DNS filtering by using non-ISP DNS filters, ISPs could then firewall all outbound DNS requests. But that would interfere with people's freedom to use Google or OpenDNS or other DNS providers if they want.

Deep Packet Inspection

A more sophisticated approach is to inspect every packet and determine where it is going. This should block sites even if the customer has chosen different DNS settings, and it can pick up and negate a lot of common attempts to bypass filters. But this sort of thing is slow and expensive, ISPs would need to pass on the costs to consumers and the added latency of filtering would make web surfing slower. Many businesses use a form of this to protect their corporate network already, but they are prepared to put up with the downsides for the additional protection.

You could still use a proxy, VPN or Tor to get around it. And HTTPS screws some elements of DPI because it is encrypted, there are ways around that but they are extremely messy and had many drawbacks.

And of course there's the privacy issue. If ISPs are slurping all your data to this level then who has access to it? Supporters of DPI may we have a hidden agenda.

IP address blocking

Instead of blocking domains, IP addresses hosting pornography can be blocked. That's a pretty quick and easy solution too, but it means that anything on shared hosting with "adult" content could lead to every other site on that IP being blocked too.. There would be a lot of legitimate sites blocked as a result.

Anti-circumvention

ISPs could use a combination of the above to stop traffic. But it is relatively easy to use a proxy or VPN connection, but the next logical step would be to go to war with providers of these services too. It is very difficult to stop people finding ways around blocks. And remember, we're not talking about illegal material here.. we're talking about perfectly legal material which is blocked by default.

So, in my opinion this approach will have the drawbacks of being a combination of ineffective, expensive and slow. More needs to be done to protect children from accidentally accessing material that they shouldn't have access to (and please could we include malware with that?), but this half-baked approach has the potential to be an expensive fiasco.

Saturday 20 July 2013

Verizon Wireless "Data Usage Overage Alert" / verizonwirelessreports.com

This fake Verizon email leads to malware on the domain onemessage.verizonwireless.com.verizonwirelessreports.com:

Date:     Fri, 19 Jul 2013 10:48:31 -0500 [11:48:31 EDT]
From:     Verizon Wireless [VZWMail@e-marketing.verizonwireless-mail.net]
Subject:     Data Usage Overage Alert

Important Information About Your Account.      View Online
verizon wireless    Explore    Shop    My Verizon    Support

Important Information About Your Data Usage

Your account has used your data allowance for this month and you may now be billed overage charges. Your monthly data allowance will reset on the 20th.

Run an Account Analysis in My Verizon to analyze your recent months' data usage and review your plan options.

Don't forget, you can also manage your alert settings in My Verizon including adding recipients and opting out of specific alerts.
Thank you for choosing Verizon Wireless.

Details as of:
[redacted]

07/19/2013 02:15 AM EDT


We respect your privacy. Please review our privacy policy for more information
about click activity with Verizon Wireless and links included in this email.

This email was sent to [redacted];

ID: [redacted]

The link in the email goes through a legitimate hacked site and ends up on a malware landing page at [donotclick]onemessage.verizonwireless.com.verizonwirelessreports.com/news/verizon-bill.php (report here) hosted on:

172.255.106.126 (Nobis Technology Group, US / Creative Factory Beijing, China)
188.134.26.172 (Perspectiva Ltd, Russia)

The domain verizonwirelessreports.com is fake and was recently registered to an anonymous person. However, given the IPs and associated domains then this is clearly the work of this gang
.
Blocklist:
172.255.106.126
188.134.26.172
verizonwirelessreports.com
firerice.com
onemessage.verizonwireless.com.verizonwirelessreports.com
package.ups.com.shanghaiherald.net
epackage.ups.com.shanghaiherald.net
vitans.net
www.klwines.com.order.complete.prysmm.net
prysmm.net
shanghaiherald.net

Friday 19 July 2013

whoswhonetworkonline.com spam

This turd of an email was sent to an info@ email address on a domain I own. It appears to be a classic Who's Who scam.

From:    Who's Who [cpm2@contactwhoswho.us]
Reply-To:    databaseemailergroup@gmail.com
date:    19 July 2013 05:44
subject:    You were recently nominated into Who's Who Amoung Executives

Who's Who Network Online

Hello,

As you are probably aware, in the last few weeks, we at the Who's Who Among Executives and Proefssionals have reached out to several hundred individuals for placement in our upcoming 2013 edition of our directory. You were contacted, but we did not receive any of your biographical information. We would like to give you another opportunity to do so.

The publication's editors are now assembling the biographical profiles of today's leaders from the business world into one comprehensive source. Thousands of researchers at medical, academic, public and corporate libraries, as well as journalists and media professionals, rely upon the academic registry as a daily reference tool for obtaining information about the world's most experienced men and women at the C-Level in the private and public sectors. Inclusion in the publication is considered by many as a signal mark of achievement.

To be included in this prestigious publication, you need only provide the requested information by completing our online biographical data form. Please Click Here to fill out your form.

The information you provide will be evaluated according to the selection standards that the NAPN have developed over many years as the world's premier biographical compiler. If your data passes our initial screening, we will prepare your biography and send you a pre-publication proof for your verification and approval.

I congratulate you on the achievements that have brought your name to the attention of our editorial committee. We look forward to hearing from you.

Please remember: Inclusion of your biography in the Who's Who Registry carries neither cost nor commitment to you of any sort. Our continuing mission with each new edition is to prepare a biographies spanning the spectrum of noteworthy and accomplished men and women across all areas of the professional world.

                                             FILL OUT FORM HERE

Who's Who Network Online
2280 Grand Avenue, Baldwin, NY 11510

------------------------------------------

This email is intended only for the recipient(s) and is private.
If you receive our invitation in error please reply with unsubscribe in the subject line

Clicking on the link takes you to whoswhonetworkonline.com hosted on 66.11.129.87 (Stafford Associates Computer Specialists Inc., New York). The WHOIS details are hidden.

There's no clue anywhere on the site or in the email about who is behind the spam. There is no corporation in New York with the exact name "Who's Who Network Online" although there are several similar sounding entities.

However, there are some clues in the headers of the email that link it through to another recent and similarly-themed spam.

Received: from cpm2@contactwhoswho.us by [redacted] by uid 1002 with qmail-scanner-1.22
( Clear:RC:0(192.217.104.157):.
Processed in 0.464627 secs); 19 Jul 2013 04:45:09 -0000
Received: from unknown (HELO whowho4.servername.com) (192.217.104.157)
by [redacted] with SMTP; 19 Jul 2013 04:45:08 -0000
Received: from c-174-58-75-1.hsd1.fl.comcast.net ([174.58.75.1]:58694 helo=susie-HP.hsd1.fl.comcast.net.)
    by whowho4.servername.com with esmtpsa (TLSv1:DHE-RSA-AES256-SHA:256)
    (Exim 4.80.1)
    (envelope-from )
    id 1V02Z1-0000pJ-QW
    for [redacted]; Fri, 19 Jul 2013 08:45:08 +0400
Content-Type: multipart/alternative; boundary="===============0491393293=="

The email originates from a Comcast IP address of 174.58.75.1 in West Florida, and then routes through a server at 192.217.104.157 (NTT America) which has the hostname contactwhoswho.us which is consistent with the cpm2@contactwhoswho.us sender's address. So, who is contactwhoswho.us?

Registrant Name:                Darin Delia
Registrant Address1:            1321 Henry Ave
Registrant City:                Spring Hill
Registrant State/Province:      Florida
Registrant Postal Code:         34608
Registrant Country:             United States
Registrant Country Code:        US
Registrant Phone Number:        +1.5615964330
Registrant Email:               darindelia@gmail.com
Registrant Application Purpose: P1
Registrant Nexus Category:      C11

Darin Delia's address is also West Florida (although some way from the theoretical location of the IP address). Darin Delia appears to be the same person who was sending out Spotlite Radio spam. Is Mr Delia merely a contractor sending out an email blast, or is he responsible for this so-called "Who's Who" outfit. I have no evidence one way or the other, but it seems he does have some sort of association with whoever is running these things..