Thursday, 8 August 2013

Citibank spam / Loan_08082013.exe

This fake Citibank spam comes with a malicious attachment:

Date:      Thu, 8 Aug 2013 13:09:04 -0500 [14:09:04 EDT]
From:      Erin_Gay [Erin_Gay@citibank.com]
Subject:      RE: Loan Approved

Your documents are ready , please sign them and email them back.

Thank you

Erin_Gay
Level III Account Management
817-835-6023 office
817-074-9181 cell Erin_Gay@citibank.com

Investments in securities and insurance products are:
NOT FDIC-INSURED/NO BANK-GUARANTEES/MAY LOSE VALUE

The security of personal information about you is our priority. We protect this
information by maintaining physical, electronic, and procedural safeguards that meet
applicable law. We train our employees in the proper handling of personal information.
When we use other companies to provide services for us, we require them to protect the
confidentiality of personal information they receive.

CONFIDENTIAL NOTICE: The contents of this message, including any attachments, are
confidential and are intended solely for the use of the person or entity to whom the
message was addressed. If you are not the intended recipient of this message, please be
advised that any dissemination, distribution, or use of the contents of this message is
strictly prohibited. If you received this message in error, please notify the sender.
Please also permanently delete all copies of the original message and any attached
documentation. Thank you.

The attachment is in the format Loan.recipient-name.zip and contains the executable Loan_08082013.exe (note the date is encoded into the filename).

The initial file is just a trojan downloader. VirusTotal results are 10/45. The Malwr analysis gives some excellent details of what is going on, including attempted downloads from the following locations:
[donotclick]www.arki.com/ponyb/gate.php
[donotclick]ftp.miniaturesbykim.com/fzKU1Y.exe
[donotclick]www.gfchargers.org/iwa4s1.exe
[donotclick]ftp.jason-tooling.com/nhdx.exe
[donotclick]www.rachelcondry.com/nLiZVHtr.exe

This downloads a Zeus variant with a very low detection rate of 4/45. The Malwr analysis for this part shows some apparent peer-to-peer traffic (note some of these IPs are legitimate and belong to Google):

TigerDirect.com spam / palmer-ford.net

This fake TigerDirect.com spam leads to malware on palmer-ford.net:

Date:      Thu, 8 Aug 2013 21:54:14 +0400 [13:54:14 EDT]
From:      "TigerDirect.com" [noreply@tigerdirect.com]
Subject:      Your TigerDirect.com Order I9179488 Shipment Update

Computers | Computer Parts | Electronics | TV & Video | Cameras & Surveillance | Cell Phones
Order Shipped: 08/07/2013
Order No. I9179488
Shipment Total: $732.20
Shipment Confirmation

[redacted],

Your order shipped on 08/07/2013 and is on its way to you. Click here to log in to MY ACCOUNT for the latest information on your order.

Below, you’ll find a recap of the shipped item(s):

TRACKING NUMBER(S):
1Z2V811KO067774417
(Note: Tracking information may not be available immediately; it may take up to 1 full business day for packages that have reached the shipper to have activity associated with the tracking number. Shipping confirmations for USPS and international shipments as well as for some special order items will not include a tracking number.)
Shipped Items / Quantity:
Lenovo H718 Desktop PC - 2nd Gen. Intel Core i3-1130 3.2GHz, 4GB DDR3, 500GB HDD, DVDRW, Windows 8 64-bit, Keyboard & Mouse, (65412680) (T56-C5300 ) - 1
(Click Image Above To Track Your Order) Allow 24 hours for the tracking # to appear in the Shippers' System.
Manufacturer Tech Support: 1-877-453-6686
Manufacturer Tech URL: www.lenovo.com


Again, for the latest information on your order, please click here to log in to MY ACCOUNT. You can also view your Order History, get Invoice Copies, Return Authorizations, add Product Reviews and much more.

Regards,

TigerDirect.com
Customer Care Team

CHECK OUT THE LATEST DEALS - CLICK HERE

Shipment Information
Abigail Hall
2864 N Bell Rd

Pasadena, SC 72936
Your shipping method varies. Please view the chart below for approximate transit times.

Transit Times
Truck Delivery: 7 - 10 Business Days
EconoShip Delivery: 4 - 9 Business Days
UPS Ground: 2 - 7 Business Days
UPS Second Day: 2 Business Days
UPS Next Day Air: 1 Business Day
US Postal Service: 2-3 Business Day Including Saturdays

Saturdays, Sundays and holidays do not count toward the estimated transit days. Packages that leave our fulfillment center on Saturdays, Sundays or holidays will not actually reach the shipper until Monday or the next business day.

Should you have any additional questions regarding your order, please feel free to visit our customer help pages at http://www.tigerdirect.com/help/.

Should you need to exchange or return a product, please visit http://www.tigerdirect.com/sectors/help/return.asp
   
Other Items to Consider

Home Theater Week

Search over 100,000 Products in Stock...
Refer-A-Friend
Deal Alerts via
Sign up for RSS

TigerDirect.com is not responsible for typographical errors or omissions. This email was sent to dynamoo@spamcop.net in response to Order # I9179488.

Note that TigerDirect.com never sells, rents, or shares your email address For more information, please review the TigerDirect.com Privacy Policy at: http://www.tigerdirect.com/sectors/aboutus/privacy.asp

Call Center Hours of Operation: Mon - Fri: 7am til 1am ET and Sat - Sun: 8am til Midnight ET

For Merchandise Returns: c/o TigerDirect Warehouse - 175 Ambassador Drive, Naperville, IL 60540

Copyright © 2013 - TigerDirect, Inc. 7795 West Flagler Street, Suite 35, Miami, FL 33144 (Corporate Headquarters: No Returns Accepted)
LEGAL NOTICES | PRIVACY POLICY

The email looks pretty convincing:


Clicking on the links in the email takes you to a legitimate hacked site and then on to a malware landing page at [donotclick]www.tigerdirect.com.secure.orderlogin.asp.palmer-ford.net/news/tiger-direct.php (report here) which contains an exploit kit.

Although it looks a bit like the link is actually on the tigerdirect.com site, it is actually hosted on the recently registered domain palmer-ford.net which has characteristically fake WHOIS details that mark it out as belonging to the Amerika gang.

   Administrative Contact, Technical Contact:
   Mills, Lawrence  rexona1948@live.com
   5700 Arlington Ave
   Bronx, NY 10471
   US
   7185432402


The malware domain is hosted on the following IPs along with some other malicious domains:
95.111.32.249 (Mobitel EAD, Bulgaria)
199.231.188.226 (Interserver Inc, US)
216.158.67.42 (Webnx Inc, US)
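The deceptive-hostname trick described above, as an added example (written for this post, not code from the original): a check that pulls the registered domain out of a hostname and flags brand names that only appear in its subdomain labels. It assumes the registrable domain is the last two labels, which holds for the hostnames quoted here but not for suffixes like co.uk, where the Public Suffix List should be used instead; the brand watchlist and sample hosts are constructed from the hostnames this post lists.

```python
from typing import Dict, List, Tuple

# Brand domains abused in the deceptive hostnames this post lists. Constructed
# watchlist for the example; a real deployment would carry its own.
BRANDS = [
    "tigerdirect.com", "paypal.com", "facebook.com", "linkedin.com", "pinterest.com",
    "aa.com", "klwines.com", "quill.com", "intuit.com", "verizonwireless.com", "bmwusa.com",
]

# Sample hostnames taken from this post's blocklist, plus one genuine host for contrast.
SAMPLE_HOSTS = [
    "www.tigerdirect.com.secure.orderlogin.asp.palmer-ford.net",
    "paypal.com.us.planetherl.net",
    "facebook.com.n.find-friends.oncologistoncology.net",
    "onemessage.verizonwireless.com.verizonwirelessreports.com",
    "www.tigerdirect.com",
]


def registered_domain(host: str) -> str:
    """Registrable domain of a hostname.

    Assumption: the registrable part is the last two labels. That is true for every
    hostname in this post but wrong for suffixes such as co.uk; use the Public Suffix
    List for anything beyond a demonstration.
    """
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def lookalike_brands(host: str, brands: List[str] = BRANDS) -> List[str]:
    """Brands that appear as whole labels inside host while host is registered elsewhere."""
    h = host.lower().strip(".")
    owner = registered_domain(h)
    padded = "." + h + "."          # pad so matches are forced onto label boundaries
    hits = []
    for brand in brands:
        if owner == brand:
            continue                # the host really is on the brand's own domain
        if ("." + brand + ".") in padded:
            hits.append(brand)
    return hits


def scan_hosts(hosts: List[str] = SAMPLE_HOSTS) -> Dict[str, Tuple[str, List[str]]]:
    """Map each host to (registered domain, brands it impersonates)."""
    return {h: (registered_domain(h), lookalike_brands(h)) for h in hosts}


if __name__ == "__main__":
    for host, (owner, hits) in scan_hosts().items():
        verdict = "impersonates " + ", ".join(hits) if hits else "ok"
        print(f"{host}\n    registered to {owner}: {verdict}")
```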

Recommended blocklist:

Facebook spam / hubby-wife.com and 72.249.76.197

This fake Facebook spam leads to malware on hubby-wife.com:

Date:      Thu, 8 Aug 2013 09:36:19 -0800 [13:36:19 EDT]
From:      Facebook [update+zj433fgc2_aay@facebookmail.com]
Subject:      Doug Bernal wants to be friends with you on Facebook.
   
Interesting Pages on Facebook
Mark as favorite web pages that interest you to receive their updates in your News Feed.

Doug Bernal
Doug Bernal
Hyo Auiles
Gigi Arvay
Hester Brush
Lesa Bueschel
Crawford Eredia
Casey Elting
Delfina Grode
Deandrea Grise
Tori Circle
Austin Chum
Find more pages
Go to Facebook
The message was sent to [redacted]. If you do not want to receive these e-mail. letters from Facebook, please give up subscription.
Facebook, Inc., Attention: Department 415, PO Box 10005, Palo Alto, CA 94303
Doug is quite a feminine-looking bloke:


Clicking on the link in the email goes through a legitimate hacked site, and from there onto one of three scripts:
[donotclick]art.impactmt.com/ecology/christmases.js
[donotclick]palka-teleskopowa.pl/puppet/leafed.js
[donotclick]outoftheblueproductions.com/pipelines/tutsi.js

From here, the victim is sent to a malware payload at [donotclick]hubby-wife.com/topic/able_disturb_planning.php which is (predictably) a hijacked GoDaddy domain hosted on 72.249.76.197 (Networld Internet Services) along with several other GoDaddy domains which are highlighted below.

Recommended blocklist:
72.249.76.197
art.impactmt.com
palka-teleskopowa.pl
outoftheblueproductions.com
hubby-wife.com
housewalla.com
hubbynwife.com
hubbynwifecakes.com



eFax / jConnect spam and eliehabib.com

This fake fax spam leads to malware on eliehabib.com:

Date:      Wed, 7 Aug 2013 13:05:22 -0600 [15:05:22 EDT]
From:      Fax Message [message@inbound.efax.com]
Subject:      Fax Message at 2013-08-07 01:54:34 EST

Blue Bar
Fax Message

You have received 4 fax page(s) at 2013-08-07 01:54:34 EST.

* The reference number for this fax is wlmt_bgp85-3506454489-3878764215-49.
* The transmission start time for this fax is .

Click here to view this message in your web browser
Please visit http://www.j2.com/help if you have any questions regarding this message or your j2 service.

Thank you for using jConnect!
Home|Contact|Login
Powered by j2

2013 j2 Global Communications, Inc. All rights reserved.
jConnect is a registered trademark of j2 Global Communications, Inc.

This account is subject to the terms listed in the jConnect Customer Agreement.
The link in the email goes through a legitimate hacked site and then on to three scripts as follows:
[donotclick]v3dev.eu/conciseness/bragging.js
[donotclick]masperblog.it/manacle/barnaul.js
[donotclick]shop.zhengtugps.com/submissions/snipped.js

From then on the victim is sent to a payload site at [donotclick]eliehabib.com/topic/seconds-exist-foot.php which is a hacked domain registered by GoDaddy, hosted on 173.246.105.15 (Gandi, US). There are probably other malicious domains that I cannot see on the same server.

Recommended blocklist:
173.246.105.15
v3dev.eu
masperblog.it
shop.zhengtugps.com
eliehabib.com


Tuesday, 6 August 2013

Pharma sites to block 6/8/13

A new list of pharma sites and IPs, related to this bunch.

61.150.109.186 (China Telecom, China)
91.199.149.238 (Novosibirsk A3 Ltd, Russia)
91.199.149.239 (Novosibirsk A3 Ltd, Russia)
91.204.162.81 (Network Communication, Poland)
91.204.162.96 (Network Communication, Poland)
91.216.163.92 (Informacines Sistemos Ir Technologijos UAB, Lithuania)
178.88.64.149 (Kazakh Telecom, Kazakhstan)
185.5.99.145 (Biznes-host.pl, Poland)
185.8.106.161 (HybridServers, Lithuania)
190.55.85.133 (Telecentro S.A., Argentina)
192.162.19.196 (FOP Budko Dmutro Pavlovuch, Ukraine)
200.185.230.32 (Ajato Telecomunicacao Ltda, Brazil)
202.197.127.42 (CERNET, China)
218.92.160.138 (Funing Tianlong Netbar, China)




Malware sites to block 6/8/13

Following on from last week's list, this week seems to see a smaller number of servers and malicious domains from this crew.

5.175.191.124 (GHOSTnet, Germany)
24.173.170.230 (Time Warner Cable, US)
41.196.17.252 (Link Egypt, Egypt)
54.218.249.132 (Amazon AWS, US)
59.124.33.215 (Chunghwa Telecom, Taiwan)
61.36.178.236 (DACOM Corp, Korea)
68.174.239.70 (Time Warner Cable, US)
78.47.248.101 (Hetzner, Germany)
95.87.1.19 (Trakia Kabel OOD, Bulgaria)
114.112.172.34 (Worldcom Teda Networks Technology Co. Ltd, China)
140.116.72.75 (TANET, Taiwan)
182.72.216.173 (Cusdelight Consultancy SE, India)
190.85.249.159 (Telmex Colombia, Colombia)
202.197.127.42 (CERNET, China)
208.115.237.88 (Limestone Networks / 123Systems Solutions, US)
217.64.107.108 (Society Of Mali's Telecommunications, Mali)


What is 65.222.202.0/24?

A breakdown of the suballocations of the Verizon Business 65.222.202.0/24 block, mentioned in connection with Torsploit:


Block | Start | End | CustName | Description
65.222.202.0/28 | 65.222.202.0 | 65.222.202.15 | Science Applications Int | SAIC (US Defense contractor)
65.222.202.16/28 | 65.222.202.16 | 65.222.202.31 | Old Dominion Internet | Possibly dormant VA corporation
65.222.202.32/28 | 65.222.202.32 | 65.222.202.47 | FTS2001/US Government | Federal Technology Service
65.222.202.48/29 | 65.222.202.48 | 65.222.202.55 | Unknown | "Torsploit" block
65.222.202.56/29 | 65.222.202.56 | 65.222.202.63 | Universal Machine Co of Pottsdown Inc | Universal Machines (www.umc-oscar.com)
65.222.202.64/28 | 65.222.202.64 | 65.222.202.79 | Kitron | Electronic Manufacturing Service
65.222.202.80/29 | 65.222.202.80 | 65.222.202.87 | Morningside Sports Farm | Horse Training Farm in VA
65.222.202.88/29 | 65.222.202.88 | 65.222.202.95 | MetTel, Inc | Telecommunications Service Provider
65.222.202.96/29 | 65.222.202.96 | 65.222.202.103 | Guidestar | NPO Information Service
65.222.202.104/29 | 65.222.202.104 | 65.222.202.111 | Walt Disney Company | Mickey Mouse outfit
65.222.202.112/28 | 65.222.202.112 | 65.222.202.127 | Dental Concepts | Dentistry
65.222.202.128/29 | 65.222.202.128 | 65.222.202.135 | GARP Research & Securities | Financial Analysts
65.222.202.136/29 | 65.222.202.136 | 65.222.202.143 | Assured Packaging Inc | Metal boxes
65.222.202.144/28 | 65.222.202.145 | 65.222.202.159 | Unknown |
66.222.202.160/28 | 66.222.202.161 | 66.222.202.174 | Unknown |
65.222.202.176/29 | 65.222.202.176 | 65.222.202.183 | Butler Medical Transport | Patient Transport Services
65.222.202.184/29 | 65.222.202.184 | 65.222.202.191 | Federated IT | Government IT contractor
65.222.202.192/28 | 65.222.202.192 | 65.222.202.207 | Old Dominion Internet | Possibly dormant VA corporation
65.222.202.208/29 | 65.222.202.208 | 65.222.202.215 | Pharmceuticals International, Inc | Healthcare
65.222.202.216/29 | 65.222.202.216 | 65.222.202.223 | Unknown |
65.222.202.224/29 | 65.222.202.224 | 65.222.202.231 | Unknown |
65.222.202.232/29 | 65.222.202.232 | 65.222.202.239 | Live Nation | Events Company, CA
65.222.202.240/28 | 65.222.202.240 | 65.222.202.255 | Georgetown Dat School | Washington DC school

Monday, 5 August 2013

Torsploit: is 65.222.202.53 the NSA?

There has been a lot of chatter in the past day or so about the takedown of an Irish outfit called Freedom Hosting which hosted a number of "hidden services" on Tor, ranging from Tormail (which allows anonymous email communication) to.. well, Really Bad Stuff that you don't want to know about. Basically.. Law Enforcement (LE) appear to have discovered the real-world location of these servers on the other side of Tor and have busted the alleged operator.

What gets interesting is that some of these Tor services were infected with an injection script that attempted to reveal the real IP address of the visitor through a security flaw in the version of Firefox in the Tor Bundle. There's an interesting analysis of the script here and the long and the short of it is that the injected code attempts to call back to 65.222.202.53, in order to track the Tor users involved.

So.. who is 65.222.202.53? Well, it seems to be a Verizon Business IP (part of a "ghost block" of 65.222.202.48/29) in the Washington DC area. You know.. the home of several government agencies or branches thereof. But now the Internet is awash with rumours that this IP address belongs to the NSA. But what evidence is there?

A lot of the fuss seems to have happened because of this tweet from Baneki Privacy Labs.

What Baneki are saying is that the whole 65.222.202.0/24 block (the "C block" in classful parlance) is owned by a government contractor called SAIC (apparently not the SAIC who own MG Motors!) and that SAIC are connected to the DoD. Although SAIC are certainly a military contractor, the error that they are making is to believe the report from DomainTools which appears to be misinterpreting the allocations in that particular block.


So, does SAIC (listed here as SCIENCE APPLICATIONS INT) own the whole /24? No. Verizon has simply allocated the first /28 in that block to SAIC, and it appears that DomainTools is misinterpreting that data.

NetRange:       65.222.202.0 - 65.222.202.15
CIDR:           65.222.202.0/28
OriginAS:   
NetName:        UU-65-222-202-D4
NetHandle:      NET-65-222-202-0-1
Parent:         NET-65-192-0-0-1
NetType:        Reassigned
Comment:        Addresses within this block are non-portable.
RegDate:        2006-09-14
Updated:        2006-09-14
Ref:            http://whois.arin.net/rest/net/NET-65-222-202-0-1

CustName:       SCIENCE APPLICATIONS INT
Address:        47332 EAGAN MCALLISTER LN
Address:        RM 1112 1st fl
City:           LEXINGTON PARK
StateProv:      MD
PostalCode:     20653-2461
Country:        US
RegDate:        2006-09-14
Updated:        2011-03-19
Ref:            http://whois.arin.net/rest/customer/C01446299


Other suballocations in that block do include government agencies, but just a couple of IPs away from the mystery IP is 65.222.202.56/29 which belongs to an industrial supply company called Universal Machines. Whoever uses 65.222.202.53 is very likely to be a corporate or government entity, but really that's pretty much all you can tell from the Verizon Business IP. DomainTools is great but as with any automated tool.. sometimes you need to double-check what it reports back.

But then Baneki make another claim.. that obviously 65.222.202.53 belongs to the NSA, because the NSA controls the entire 65.192.0.0/11 range (65.192.0.1 to 65.223.255.254) which is about 2 million IPs. This is what they were referring to:

Umm, well.. no. That's just another block allocated to Verizon Business. You may as well argue that everything in 0.0.0.0/0 belongs to the NSA on the same principle. Actually.. maybe it does, but that's another matter entirely. Again.. Robtex is a great tool but you sometimes need to sanity-check the output.
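The lookup being done by hand in the last few paragraphs, as an added example (written for this post, not Dynamoo's code): given the suballocation table from the "What is 65.222.202.0/24?" post on this page, it returns the most specific block containing an address, reports any part of the /24 the table leaves uncovered or any row that falls outside it, and sizes the /11 that Baneki pointed at. The rows are transcribed from that table as printed, with only the CIDR and customer name kept.

```python
import ipaddress
from typing import List, Optional, Tuple

# Rows transcribed from the "What is 65.222.202.0/24?" table on this page
# (CIDR, customer name), exactly as printed there; constructed input for this example.
SUBALLOCATIONS = [
    ("65.222.202.0/28",   "Science Applications Int"),
    ("65.222.202.16/28",  "Old Dominion Internet"),
    ("65.222.202.32/28",  "FTS2001/US Government"),
    ("65.222.202.48/29",  "Unknown"),
    ("65.222.202.56/29",  "Universal Machine Co of Pottsdown Inc"),
    ("65.222.202.64/28",  "Kitron"),
    ("65.222.202.80/29",  "Morningside Sports Farm"),
    ("65.222.202.88/29",  "MetTel, Inc"),
    ("65.222.202.96/29",  "Guidestar"),
    ("65.222.202.104/29", "Walt Disney Company"),
    ("65.222.202.112/28", "Dental Concepts"),
    ("65.222.202.128/29", "GARP Research & Securities"),
    ("65.222.202.136/29", "Assured Packaging Inc"),
    ("65.222.202.144/28", "Unknown"),
    ("66.222.202.160/28", "Unknown"),      # as printed in the post
    ("65.222.202.176/29", "Butler Medical Transport"),
    ("65.222.202.184/29", "Federated IT"),
    ("65.222.202.192/28", "Old Dominion Internet"),
    ("65.222.202.208/29", "Pharmceuticals International, Inc"),
    ("65.222.202.216/29", "Unknown"),
    ("65.222.202.224/29", "Unknown"),
    ("65.222.202.232/29", "Live Nation"),
    ("65.222.202.240/28", "Georgetown Dat School"),
]

PARENT = ipaddress.ip_network("65.222.202.0/24")    # the Verizon Business /24
SUPERNET = ipaddress.ip_network("65.192.0.0/11")    # the /11 Baneki pointed at


def find_allocation(ip: str) -> Optional[Tuple[str, str]]:
    """Most specific listed suballocation containing ip, or None if nothing covers it."""
    addr = ipaddress.ip_address(ip)
    best = None
    for cidr, owner in SUBALLOCATIONS:
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, owner)
    return (str(best[0]), best[1]) if best else None


def rows_outside_parent(parent=PARENT) -> List[str]:
    """Table rows that do not sit inside the parent block at all (likely transcription errors)."""
    return [cidr for cidr, _ in SUBALLOCATIONS
            if not ipaddress.ip_network(cidr).subnet_of(parent)]


def coverage_gaps(parent=PARENT) -> List[str]:
    """Parts of parent that no listed row covers, as CIDRs."""
    covered = sorted(ipaddress.ip_network(cidr) for cidr, _ in SUBALLOCATIONS
                     if ipaddress.ip_network(cidr).subnet_of(parent))
    gaps = []
    cursor = int(parent.network_address)          # next address not yet accounted for
    for net in covered:
        start = int(net.network_address)
        if start > cursor:                        # hole between previous row and this one
            gaps.extend(ipaddress.summarize_address_range(
                ipaddress.ip_address(cursor), ipaddress.ip_address(start - 1)))
        cursor = max(cursor, int(net.broadcast_address) + 1)
    if cursor <= int(parent.broadcast_address):   # hole at the end of the parent
        gaps.extend(ipaddress.summarize_address_range(
            ipaddress.ip_address(cursor), parent.broadcast_address))
    return [str(g) for g in gaps]


def in_block(ip: str, cidr: str) -> bool:
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)


def block_size(cidr: str) -> int:
    return ipaddress.ip_network(cidr).num_addresses


if __name__ == "__main__":
    ip = "65.222.202.53"
    print(ip, "->", find_allocation(ip))
    print("SAIC row covers 65.222.202.5:", find_allocation("65.222.202.5"))
    print("rows outside the /24:", rows_outside_parent())
    print("uncovered in the /24:", coverage_gaps())
    print(ip, "in", SUPERNET, "=", in_block(ip, str(SUPERNET)),
          "which holds", block_size(str(SUPERNET)), "addresses")
```

Being inside a /11 that holds over two million addresses says nothing about who uses one of them, which is the point the post makes about the Robtex output.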

It may surprise you to learn that law enforcement officers and intelligence agencies are not normally complete fucking idiots when it comes to guarding their IP addresses. They do not (for example) sign up to Silk Road with their @fbi.gov email addresses or poke around the underweb from an NSA IP address range. Well, not normally..

I am not saying that the injection wasn't the work of the NSA. Or the CIA, FBI, DOD, IRS or any other Alphabet Soup Agency. But let's see some real evidence first, eh?

UPDATE: I had a closer look at the users of the /24 here. It's a mix of businesses and government organisations and contractors, not surprising given the physical location of the /24.

alliexfinancial.com / Alliexfinancial Ltd "Legal Registered Investment company" spam (is it a scam?)

A slightly odd spam, sent to a scraped email address:

From:     Dirk Nunes [flamwood888@gmail.com]
Date:     5 August 2013 10:54
Subject:     Legal Registered Investment company
Signed by:     gmail.com

alliexfinancial Ltd
Our advantages :

Legal Registered Investment company

Guaranteed Return on Investments

Principal Deposits Protection

Trustwave Trusted Commerce Seal

Extended Validation SSL Certificate

DDoss Protected Dedicated Server

Instant Withdrawal Processin
JOIN NOW https://alliexfinancial.com/?ref=flamwood
Description:
Alliexfinancial Ltd is the UK registered legal international investment company. The company was created by a group of qualified experts, professional bankers, traders and analysts who specialized in the stock, bond, futures, currencies, gold, silver and oil trading with having more than ten years of extensive practical experiences of combined personal skills, knowledge, talents and collective ambitions for success.

plans:

2.2% for 7 days ( 115.4% total return)
Plan Spent Amount ($) Daily Profit (%)%)
Plan 1 $1 - $500 2.20


2.5% for 14 days (135% total return)
Plan Spent Amount ($) Daily Profit (%)%)
Plan 2 $10 - $1,000 2.50


2.7% for 21 days (156.7% total return)
Plan Spent Amount ($) Daily Profit (%)%)
Plan 3 $10 - $2,500 2.70


3% daily for 60 days (280% total return)
Plan Spent Amount ($) Daily Profit (%)%)
Plan 4 $10 - $50,000 3.00

JOIN NOW https://alliexfinancial.com/?ref=flamwood
The link to alliexfinancial.com/?ref=flamwood looks very much like an affiliate link, given the close match to the spammer's email address. The target site does not appear to be malicious according to URLquery.

So, what is alliexfinancial.com? It appears to be some sort of HYIP (High-Yield Investment Program) that offers up to 3.0% return on an investment.. per day.


Are these return rates sustainable? My personal opinion is that I can't see how it would be possible.

So who is this company? The website states "Alliexfinancial Ltd is the UK registered legal international investment company" which is a bit ungrammatical. It also quotes the apparently valid phone number of +44 161 7110107 which is a Manchester number.

I was interested to find that Alliexfinancial Ltd is a registered company at Companies House in the UK:
ALLIEXFINANCIAL LTD
ADVANTAGE BUSINESS CENTRE
132-134 GREAT ANCOATS STREET
MANCHESTER
ENGLAND
M4 6DE
Company No. 07892518
These details match the WHOIS details of the domain precisely:

ALLIEXFINANCIAL LTD
Paul Aleckson
Email:admin@alliexfinancial.com
132-134 GREAT ANCOATS STREET
ADVANTAGE BUSINESS CENTRE
M4 6DE MANCHESTER
United Kingdom
Tel: +44.1617110107
The domain was registered in December 2009, so it has been around for a little while. The website is proxied by Cloudflare, but I think that the underlying IP address is probably 31.204.130.25 (i3d, Netherlands).

One problem - there's no such company listed on the Financial Services Register, although they do claim to be regulated in the UK:
Alliexfinancial Ltd activities are regulated by the United Kingdom international business authorities and complies with the United Kingdom legislation.
So, if they're not on the Register I am frankly a bit puzzled as to who their regulator is. They do not quote any reference number. However, they are not listed as being an unauthorised firm either.

One other problem - Companies House says that the company was incorporated in 2011, but the site claims they have been active for at least three years (i.e. since 2010):
For the last three years, the amount of funds managed by us has reached an enormous rate that is important to the company's growth and its stability. We are doing our best to make successful forecasts, and our traders work nearly 24 hours a day to make a more stable profit both for us and our investors. 

Perhaps this is an unregulated scheme? I'm not that much of a legal expert in these things, but I do note that the FCA has cautionary guidance on unregulated collective investment schemes (UCIS). In particular you cannot recommend a UCIS to the general public, and a spam email sent to a scraped address certainly seems to be an attempt to enrol the public into such a scheme.

So, who runs Alliexfinancial Ltd? The Companies House Director's Report [rtf] mentions a sole director, 28 year old Ukrainian national Mr Vladimer Ganaga (it's an odd transliteration, I'd expected Vladimir Ganaga to be a more literal way of writing Владимир Ганага). Apart from an NSFW Vkontakte page there's not much verifiable information.

I'm not a financial adviser, but I certainly wouldn't invest any money in this scheme. Do you have any experiences with it? If you do, perhaps you would consider leaving a comment below (all comments are the responsibility of their owners).

Update 12/9/13: in the past couple of days the Alliexfinancial site went offline and payments to investors stopped. No surprises there!

Sunday, 4 August 2013

BLDW "Building Turbines Corp" pump-and-dump spam

This illegal spam run almost definitely does not come from Building Turbines Corp (BLDW) but instead someone trying to game the system through a pump-and-dump scam.

There are lots of variations on the spam, but here are three examples:

Subject: This Stock is our New Wild Sub-Penny Pick!

Green Energy Company Signs Deal to Construct Rooftop Wind Turbines
for 90 Thousand Sq-Ft Stockroom. Building Turbines (PINKSHEETS:
BL_D_W) Concentrates on the Design and Construction of Patented
Roof Top Wind Turbines.

Current Price: .038
Short Term Target: .40
Company: Building Turbines Corp.
Date: August, 5th
Sym: BL_D_W

Renewable Power Corporation Wired To Soar Monday!

==========

Subject: Pay Attention To Detail

Austin Company Pens Contract to Provide Roof Wind Turbines for 90K
Sq-Ft Warehouse. Building Turbines Corp. (OTC PINK: B L_D_W)
Focuses on the Design and Construction of Patented Roof Top Wind
Turbines.

Long Term Target: $.95
Company Name: BUILDING TURBINES CORP
Trading Date: Monday, Aug 5, 2013
To buy: B L_D_W
Market: $.038

Ecological Power Business In Line To Ascend Next Week.

==========


Subject: It Could Make a Rally and Soar! (Huge News Out!)

Green Energy Corporation Clinches Contract to Construct Roof
Wind Turbines for 90,000 Square Foot Stockroom. BUILDING
TURBINES, CORP. (PINKS: BL_D W) Concentrates on the Design and
Manufacture of Patented Roof Top Wind Turbines.

Short Term Target: 0.20
Trade Date: Aug, 5th
Company: Building Turbines Corp.
Latest Pricing: .038
Traded as: BL_D W

Green Energy Business Equipped To Rise Monday!!!


BLDW stock isn't really valuable, losing 88.6% of its value since the company was floated in April 2011, and it has been bouncing around the two to four cent level since the beginning of 2013. But this isn't really about the real prospects of the company, this is a straightforward attempt to manipulate the system for profit.

In the past few days, someone has bought about 2.5 million shares in the company at about 4 cents, and our past analysis would indicate that this is likely to be the spammer taking up positions.


The spammers may have targeted BLDW stock on their own initiative, but the recent HAIR spam run seems to be for another party. No matter, if you take the example of HAIR then any investors who had followed the spam's fake tips would have ended up losing about 90% of their investment. I'm not saying that BLDW is going to collapse, stay afloat or whatever.. but what I am saying is that you should simply ignore BLDW stock completely because this spam run is simply an attempt at market manipulation.

Friday, 2 August 2013

redwoodoptions.com "Joe Job" spam

I don't know anything about "Redwood Options" redwoodoptions.com but it seems to deal in binary options. In my personal opinion, this kind of derivative trading helped to lead to the banking collapse and should be outlawed.

Subject: For Trader
Subject: For Investor
Subject: Start Trading Now

Trade Forex, Commodities, Stocks and Indices with Up to 81% Return!
- Exclusive 60 second option
- Onetouch weekly options up to 500% return
- Up to $5000 welcome bonus

Start trading: http://www.redwoodoptions.com

That having been said, this spam run is almost definitely nothing to do with them and is instead someone trying to disrupt their (apparently lawful) business.

My advice.. ignore it and delete it.

cpro.su "Joe Job" spam run

This spam run is aimed at disrupting the underground forum cpro.su:
Subject: International carding board on new domain
Subject: Private Hacking and Carding Forum / New Domain

Welcome to Private Hacking and Carding Forum. We talking and sharing about
CVV, Paypal, Accounts, Bank Logs, Hacking Tools and Carding Tips. Newbie is
not allowed here. Do not enter if you don't know what to do...
http://cpro.su/ (*NEW domain!) 
People involved in this sort of stuff don't advertise it, but as far as I can tell cpro.su actually does deal in some unsavoury things.

What should you do about it? Nothing. The spam run will probably finish soon enough, and there's no point picking a fight with either side unless you really know what you are doing.



Malekal.com "Joe Job" spam

Update: there is a new version of this Joe Job spam, now mentioning this post in the body text (more info).

Malekal's Site is a French-language site covering malware and spam. This particular spam run (called a "Joe Job") is not from Malekal, but is instead attempting to disrupt the site. Presumably the bad guys have found something they don't like.

Here are some examples:
Subject: Trojan Fake Police
Subject: Virus Gendarmerie
Subject: Virus Gendarmerie Nationale
Subject: Trojan Ransomware

Trojan Fake Police / Virus Gendarmerie Nationale : violation de la loi
francaise http://www.malekal.com/

If you are getting these, it is because you have been flagged up via a "reverse listwashing" process as somebody who is likely to complain about spam. Reporting the originating IP of the spam email would probably be helpful; reporting malekal.com, on the other hand, will only help the bad guys to remove a useful resource.

MoneyGram "Payment notification email" spam / drstephenlwolman.com

This fake MoneyGram spam leads to malware on drstephenlwolman.com:

Date:      Fri, 2 Aug 2013 22:23:53 +0330 [14:53:53 EDT]
From:      "Moneygram Inc." [infusionnbb3@gmail.com]
Subject:      Payment notification email
Revenues notification email
This is an automated email - please do not reply!

Dear customer!

You are receiving this notification because of you have been received the payment.
It may take a some time for this transaction to appear in the Recent Activity list on your account page.


Transaction details

Transaction sum: 110 USD
Transaction date: 2013/08/02

View the details of this transaction online

Thank you for using MoneyGram services!

MoneyGram ® 2013
Payload is on [donotclick]drstephenlwolman.com/topic/sessions-folk-binds.php via [donotclick]new.hotelniles.com/xd2iqku.html and some intermediate scripts.

More analysis later..

Part II

OK, I have a little more time to look at this. Here is the screenshot:

Clicking the link takes you to a "ThreeScripts" page, but subtly different from previous ones, leading to scripts at:
[donotclick]nutnet.ir/dl/nnnew.txt
[donotclick]www.emotiontag.net/cp/nnnew.txt
[donotclick]aurummulier.pl/nnnew.txt

These scripts use a ".txt" extension, presumably to fool AV scanners.

The next step is some rather odd JavaScript leading to a malware page at [donotclick]drstephenlwolman.com/topic/sessions-folk-binds.php hosted on 74.91.118.212 (Nuclear Fallout Enterprises, US).


The domain in question is a hijacked GoDaddy domain. The payload is hardened against analysis. There will almost certainly be other hijacked domains hosted on this server, so blocking access to the IP might be a good idea.

"Your most recent payment has been processed" spam / capitalagreements.com

This fake Discover Card spam leads to malware on capitalagreements.com:


Date:      Fri, 2 Aug 2013 20:41:09 +0200 [14:41:09 EDT]
From:      Discover Card [dontrply@service.discovercard.com]
Reply-To:      dontrply@service.discovercard.com


    Discover
     Access My Account
   
    ACCOUNT CONFIRMATION     Statements | Payments | Rewards    
    Your most recent payment has been processed.
   
Dear Customer,

This e-mail is to confirm that we have processed your most recent payment. Please remember to use your new information the next time you log in.

To view more details please click here.

Log In to review your account details or to make additional changes.


Please Note: If you did not make this request, please contact us immediately at 1-800-DISCOVER (1-800-347-2683).
   
Sign up    

Don't miss out—sign up to get exclusive offers via e-mail from Discover.

Sign Up

Facebook     Twitter     I Love Cashback Bonus Blog     Mobile

Add discover@service.discover.com to your address book to ensure delivery of these e-mails.
See ways to help identify authentic Discover e-mails by visiting our email security page.


    IMPORTANT INFORMATION

This e-mail was sent to [redacted].

You are receiving this Discover e-mail as a confirmation of your account activity.

Log in to update your e-mail address or view your account e-mail preferences.

If you have any questions about your account, please log in to contact us securely and we will be happy to assist you.

Please do not reply to this e-mail as we are not able to respond to messages sent to this address.

DISCOVER and other trademarks, logos and service marks used in this e-mail are the trademarks of Discover Financial Services or their respective third-party owners.

Discover Products Inc.
P.O. Box 30666
Salt Lake City, UT 84130
©2013 Discover Bank, Member FDIC

TRUPCHNG_A1_A1_A1
   
The link in the email goes to a legitimate hacked site and then on to three scripts as follows:
[donotclick]ekaterini.mainsys.gr/overspreading/hermaphrodite.js
[donotclick]sisgroup.co.uk/despairs/marveled.js
[donotclick]psik.aplus.pl/christian/pickford.js

After that, the victim is directed to the malware landing page at [donotclick]capitalagreements.com/topic/regard_alternate_sheet.php which is a hijacked GoDaddy domain hosted on 66.228.60.243 (Linode, US), along with several other hijacked domains.

The attack is fundamentally the same as the American Express-themed malspam run described here.

Recommended blocklist:
66.228.60.243
northernforestcanoetrail.com
northforestcanoetrail.org
yourcaribbeanconnection.com
capitalagreements.com
buyfranklinrealty.com
franklinrealtyofcc.com
frccc.com
sellcitruscountyrealestate.com

Thursday, 1 August 2013

Olborg Ltd / ОЛЬБОРГ / o1host.net (AS57636) revisited

Update:  I am trying to verify claims that Olborg Ltd are operating a sinkhole (which is a good thing) rather than a malware server (a bad thing).

Last week I pointed out a malware site on 91.233.244.102 hosted by Olborg Ltd / ООО "ОЛЬБОРГ" (AS57636) [1] [2] (website at o1host.net) and made a recommendation that admins block access to the entire 91.233.244.0/23 block.

A polite but concerned email from a customer of Olborg with a legitimate site in that range asked if I wasn't being rather harsh on Olborg with the recommended /23 block for just one rogue IP.

First, let me explain my rationale behind recommending larger blocks than just single IP addresses. With many web hosts (and yes, a lot of those are in Eastern Europe) the badness isn't usually restricted to one IP address. This appears to be the case with Olborg, with more than one IP looking suspicious. From the point of view of an administrator, blocking a /24 or /23 displaying these characteristics is often the safest approach: after all, a /24 only represents 0.000006% of the total IPv4 address space, and malware sites do tend to cluster.

So, what exactly is going on with Olborg? Although it has 91.233.244.0/23 allocated to it, it currently only uses 91.233.244.0/24 (i.e. the lower half of the range). Within that /24 there appear to be two main clusters: lower down in the range, 91.233.244.20, 91.233.244.22 and 91.233.244.28 all seem to host legitimate sites, while further up, 91.233.244.102, 91.233.244.103 and 91.233.244.106 seem to be malicious. It's hardly the most evil web host in the world, but these rogue IPs are a concern.

I had a look at all the sites I could find in this address range and analysed their WOT ratings, Google malware prognosis and SURBL status; you can find it here [csv]. The SURBL code takes a little explaining: the last octet of the 127.0.0.x answer is a bitmask, so 127.0.0.16 is malware, 127.0.0.4 is (mostly) spam and 127.0.0.20 (16 + 4) is both. There is more explanation of that here.
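To make the bitmask explicit, here is an added example (not from the original post) that builds the lookup name for the SURBL "multi" zone and decodes the 127.0.0.x answer into the lists it represents. The 16 = malware and 4 = spam (WS) assignments are the ones the post describes; the other bits in the table are taken from SURBL's published multi-list layout and are an assumption you should check against surbl.org before relying on them. The code does no network lookups itself; feed it the A record your resolver returns.

```python
# Added example: SURBL multi-list query name construction and answer decoding.
# Not part of the original post. Bit values other than 4 (WS) and 16 (MW) are
# assumed from SURBL's published documentation and should be verified.
import ipaddress

SURBL_BITS = {
    2: "SC (SpamCop, retired)",   # assumed
    4: "WS (spam)",               # as described in the post
    8: "PH (phishing)",           # assumed
    16: "MW (malware)",           # as described in the post
    32: "AB (abuse)",             # assumed
    64: "CR (cracked)",           # assumed
}
KNOWN_MASK = sum(SURBL_BITS)


def surbl_query_name(target, zone="multi.surbl.org"):
    """Build the DNS name to look up in the SURBL zone.

    Domains are appended as-is (SURBL lists base domains, so query the
    registrable domain rather than a deep hostname). An IPv4 literal is
    queried with its octets reversed, as with other DNSBLs.
    """
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        return target.rstrip(".").lower() + "." + zone
    if ip.version != 4:
        raise ValueError("SURBL only lists IPv4 literals")
    return ".".join(reversed(str(ip).split("."))) + "." + zone


def decode_surbl(answer):
    """Translate a 127.0.0.N answer into the names of the lists whose bits are set.

    Raises ValueError for anything outside 127.0.0.0/24, which would indicate a
    DNS hijack or a misconfigured resolver rather than a real listing.
    """
    ip = ipaddress.IPv4Address(answer)
    if ip not in ipaddress.ip_network("127.0.0.0/24"):
        raise ValueError("not a SURBL answer: " + answer)
    code = int(ip) & 0xFF
    names = [name for bit, name in SURBL_BITS.items() if code & bit]
    unknown = code & ~KNOWN_MASK
    if unknown:
        # A bit we don't know about: report it rather than silently dropping it.
        names.append("unknown bit(s) 0x%02x" % unknown)
    return names


if __name__ == "__main__":
    # Constructed sample answers matching the three codes mentioned in the post.
    for code in ("127.0.0.16", "127.0.0.4", "127.0.0.20"):
        print(code, "->", ", ".join(decode_surbl(code)))
    print(surbl_query_name("91.233.244.102"))
```

Note that an NXDOMAIN (no A record at all) is the "not listed" result; only a 127.0.0.x answer carries a verdict, and anything else should be treated as a resolver problem.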

The IP 91.233.244.102 has been an issue for over a year [1] [2] [3] [4] although it may or may not be clean at the moment (anti-analysis techniques mean that it can be hard to be certain). Clean or not, I would certainly advise you not to send traffic to this IP.

OK. So you've read this far and somehow I have still kept you interested in Olborg Ltd. All the badness I can find is concentrated in 91.233.244.96/28, and blocking that should keep you protected from any current potential nastiness. Alternatively, you can block the /23, but do bear in mind that there are some legitimate customers in that range too (update: and if they are running a sinkhole then there's no point blocking the /23 anyway).
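The /28 above is the narrowest block that covers the three malicious addresses without catching the three known-good ones. Here is an added example (not from the original post) that derives that block from the address lists given above, widening from a single host one prefix bit at a time and refusing to return a block that would swallow a known-good host; it also puts the "0.000006% of the address space" figure on a footing you can check.

```python
# Added example, not from the original post: scope a blocklist entry to the
# tightest CIDR block that covers every bad host and no known-good host.
import ipaddress

# Addresses as classified in the post.
BAD = ["91.233.244.102", "91.233.244.103", "91.233.244.106"]
GOOD = ["91.233.244.20", "91.233.244.22", "91.233.244.28"]


def tightest_block(bad, good):
    """Smallest network containing all of `bad` and none of `good`.

    Returns None when no such block exists, i.e. a known-good host sits inside
    the range the bad hosts span; in that case you have to fall back to
    individual IPs rather than a prefix.
    """
    bad_ips = [ipaddress.ip_address(a) for a in bad]
    good_ips = [ipaddress.ip_address(a) for a in good]
    # Start from the /32 of the first bad host and widen until all bad hosts fit.
    net = ipaddress.ip_network(bad[0])
    while not all(ip in net for ip in bad_ips):
        net = net.supernet()
    if any(ip in net for ip in good_ips):
        return None
    return net


def share_of_ipv4(prefixlen):
    """Percentage of the whole IPv4 space covered by one block of this prefix length."""
    return 2 ** (32 - prefixlen) / 2 ** 32 * 100


def is_blocked(addr, blocks):
    """True if `addr` falls inside any of the given CIDR blocks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(b) for b in blocks)


if __name__ == "__main__":
    block = tightest_block(BAD, GOOD)
    print("tightest block:", block)
    print("a /24 is %.6f%% of IPv4" % share_of_ipv4(24))
    for addr in BAD + GOOD:
        print(addr, "blocked" if is_blocked(addr, [str(block)]) else "allowed")
```

The widening loop is the same decision an admin makes by hand when choosing between one IP, a /28 and a /24; the difference is that the good-host check makes the collateral damage explicit instead of leaving it to memory.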


Pump and dump spam flogs a dead horse with Biostem U.S. Corporation (HAIR)

About a month-and-a-half ago I had a look at the pump-and-dump spam promoting Biostem U.S. Corporation (HAIR) when it was trading at around $0.30.

Surprisingly, the pump-and-dump spam is still ongoing, which makes it nearly two months of spam on one single stock.

This Company Will Make an Impressive Recovery! It is the answer
to your portfolio troubles!

Date: August 1st
Long Term Target: .85
Per share price: .035
Ticker: HAI_R
Name: Biostem Corp.

You might want to sit down before reading this... Stocks To
Look At!

So, out of curiosity I schlepped across to look at their stock price and was slightly surprised to see that it has lost around 90% of its value since the spam run started. What happened? Well, on 19th July the stock price fell off a cliff when, rather predictably, Biostem announced that it was shutting up shop, and looking at news reports there seems to be little chance of recovery.



But now, with shares bouncing along at around the 3 to 4 cent mark, the pump-and-dump seems to be continuing, and since the collapse it appears that around 9.6 million shares have been traded, which is about 8.4% of the total equity. At today's prices those shares are worth about $336,000. A little over a year ago, on May 28th 2012, Biostem stock peaked at $4.39 per share; at close of business yesterday it was just 3.5 cents, a 99.2% drop. Somebody has certainly taken a haircut on these stocks..