Dynamoo's Blog

Sunday, 2 March 2014

seekcousa.com / seekconz.com fake job offer

This job offer from seekcousa.com or seekconz.com is bogus:

Date: 1 Mar 2014 15:53:11 +0700 [03:53:11 EST]
Subject: Offer

We are offering a shipping manager assistant position.
We are offering a distant job.

The job routine will take 2-3 hours per day and requires absolutely no investment.
You will work with big shops, suppliers, factories all around the States.
The communication line will flow between you and your personal manager, you will receive orders via email and phone,
and our trained manager will be with you while every step to help you to work out first orders and answer any questions which may appear.
The starting salary is about ~2800 USD per month + bonuses.

You will receive first salary in 30 days after you will successfully complete your first task.
When the first working month will be over you will have a right to receive salary every 2 weeks.
The bonuses are calculated on the very last working day of each month,
and paying out during a first week of the next month.

We will accept applications this week only!
To proceed to the next step we should register you in HR system so we will need a small piece of your personal information.

Please fill in the fields:
Full_name:
Phone_number:
Email_address:
City_of_residence:

We need your personal information to create HR file only,
it will stay secure on the separate server till the moment it will be deleted (which take place every 2 days),
and only HR people will have access to it.

Please send your answer to my secured email manager@seekcousa.com
I will reply you personally as soon as possible.

Sincerely,
Rudy

From the job description, this appears to be some sort of parcel mule scam or other criminal activity. This video explains how a parcel reshipping scam works:

seekcousa.com is regsitered with Chinese registrar BIZCN, and the WHOIS details are fake:
Registrant Name: Ernest Dubose
Registrant Organization: Ernest D. Dubose
Registrant Street: 129 Oakridge Lane
Registrant City: Irving
Registrant State/Province: TX
Registrant Postal Code: 75038
Registrant Country: us
Registrant Phone: +1.4699959821
Registrant Phone Ext:
Registrant Fax: +1.4699959821
Registrant Fax Ext:
Registrant Email: info@seekcousa.com
Registry Admin ID:

seekconz.com is also registered with BIZCN, but with different fake details:
Registrant Name: Nickolas Gordon
Registrant Organization: Nickolas R. Gordon
Registrant Street: 4930 Clarence Court
Registrant City: Ontario
Registrant State/Province: CA
Registrant Postal Code: 91762
Registrant Country: us
Registrant Phone: 909-988-6071
Registrant Phone Ext:
Registrant Fax: 909-988-6333
Registrant Fax Ext:
Registrant Email: info@seekconz.com

There is no website associated with either of these domains, but there are mail records of mx.seekconz.com and mx.seekcousa.com pointing to 93.190.137.5 (Worldstream, Netherlands). Nameservers involved in the fraud are ns1.friscolakesgc.net hosted on the same IP and ns2.friscolakesgc.net hosted on 32.21.129.43 (AT&T, US).

We can dig a little deeper on those nameserver records, they have fake WHOIS details as well:
Registrant Name: ROSEMARY CARPIO
Registrant Organization:
Registrant Street: 701 Collins Ave, Apt 4B
Registrant City: MIAMI BEACH
Registrant State/Province: FL
Registrant Postal Code: 33139-6203
Registrant Country: US
Registrant Phone: +1.7868777722
Registrant Phone Ext.:
Registrant Fax:
Registrant Fax Ext.:
Registrant Email: haveacupoft@gmx.us
Registry Admin ID:

These fake details also appear on a domain airnavrace.net which is used as a namserver domain for the following domains and uses the following IPs:
quarter.su
147.249.171.10 (IDD Information Services, US)
42.96.195.183 (Alibaba, China)

.su domains are usually bad news, and I suspect that quarter.su is up to no good. The WHOIS details for this domain don't give much detail..

domain: QUARTER.SU
nserver: ns1.aim-darts.net.
nserver: ns1.airnavrace.net.
state: REGISTERED, DELEGATED
person: Private Person
e-mail: bartels@xrbox.com
registrar: R01-REG-FID
created: 2013.12.09
paid-till: 2014.12.09
free-date: 2015.01.11
source: TCI

That domain is multihomed on a bunch of IPs:

176.53.125.6 (Radore Veri Merkezi Hizmetleri, Turkey)
37.255.241.29 (TCE, Iran)
108.81.248.139 (William Allard / AT&T, US)
65.27.155.176 (Time Warner Cable, US)
203.235.181.138 (KRNIC, Korea)
95.57.118.56 (Dmitry Davydenko , Kazakhstan)
186.214.212.64 (Global Village Telecom, Brazil)
89.39.83.177 (C&A Connect SRL, Romania)

This, it turns out is the tip of a very large iceberg of malicious domains and IPs which I will cover in the next post.

Friday, 28 February 2014

Companies House "FW: Case - 6569670" spam

This fake Companies House spam leads to malware:

From:    Companieshouse.gov.uk [web-filing@companies-house.gov.uk]
Date:    28 February 2014 12:55
Subject:    Spam FW: Case - 6569670

A company complaint was submitted to Companies House website.

The submission number is 6569670

For more details please click : https://companieshouse.gov.uk/Case?=6569670

Please quote this number in any communications with Companies House.

All Web Filed documents are available to view / download for 10 days after their
original submission. However it is not possible to view copies of accounts that
were downloaded as templates.

Companies House Executive Agency may use information it holds to prevent
and detect fraud. We may also share such information, for the same purpose,
with other organisations that handle public funds.

If you have any queries please contact the Companies House Contact Centre
on +44 (0)303 1234 500 or email enquiries@companies-house.gov.uK

Note: This email was sent from a notification-only email address which cannot
accept incoming email. Please do not reply directly to this message.

Companies House
4 Abbey Orchard Street
Westminster
London
SW1P 2HT
Tel +44 (0)303 1234 500

The link in the email goes to:
[donotclick]economysquareshoppingcenter.com/izmir/index.html
in turn this runs one or more of the following scripts:
[donotclick]homedecorgifts.biz/outfitted/mascara.js
[donotclick]www.coffeemachinestorent.co.uk/disusing/boas.js
[donotclick]citystant.com/trails/pulitzer.js
[donotclick]rccol.pytalhost.de/turban/cupped.js
which in turn leads to a payload site at:
[donotclick]digitec-brasil.com.br/javachecker.php?create=3019&void-cat=4467&first-desk=9002

According to this URLquery report, the payload site has some sort of Java exploit.

Recommended blocklist:
digitec-brasil.com.br
homedecorgifts.biz
coffeemachinestorent.co.uk
citystant.com
rccol.pytalhost.de

Thursday, 27 February 2014

"Royal Mail Shipping Advisory" spam

This fake Royal Mail spam has a malicious payload:

From:    Royal Mail noreply@royalmail.com
Date:    27 February 2014 14:50
Subject:    Royal Mail Shipping Advisory, Thu, 27 Feb 2014

Royal Mail Group Shipment Advisory

The following 1 piece(s) have been sent via Royal Mail on Thu, 27 Feb 2014 15:47:17 +0530, REF# GB36187692IE

For more details please follow the link below - http://www.royalmail.com/track-trace?=GB36187692IE

SHIPMENT CONTENTS: Insurance Form

SHIPPER REFERENCE: Please refer to the Royal Mail Shipping Services

ADDITIONAL MESSAGE FROM SHIPPER: Please refer to the Royal Mail Shipping Services

Royal Mail Group Ltd 2014. All rights reserved

This is a ThreeScripts attack, the link in the email goes to:
[donotclick]wagesforinterns.com/concern/index.html
and it then runs one or more of the following scripts:
[donotclick]billigast-el.nu/margarita/garlicky.js
[donotclick]ftp.arearealestate.com/telecasted/earners.js
[donotclick]tattitude.co.uk/combines/cartooning.js
in this case the payload site is at
[donotclick]northwesternfoods.com/sg3oyoe0v2
which is hosted on 23.239.12.68 (Linode, US) along with a bunch of hijacked GoDaddy sites (listed below in italics). The payload appears to be an Angler Exploit Kit (see this example).

Recommended blocklist:
23.239.12.68
billigast-el.nu
ftp.arearealestate.com
tattitude.co.uk
n2ocompanies.com
northerningredients.com
northwesternfoods.com
oziama.com
oziama.net

Amazon.com "Important For Your Online Account Access" spam / 213.152.26.150

This fake Amazon spam leads to something bad.

Date:     Wed, 26 Feb 2014 13:09:55 -0400 [02/26/14 12:09:55 EST]
From:     "Amazon.com" [t1na@msn.com]
Subject:     Important For Your Online Account Access .

Your Account Has Been Held

Dear Customer ,

We take you to note that your account has been suspended for protection , Where the password was entered more than once .

In order to protect ,account has been suspended .Please update your Account Information To verify the account.

http://www.amazon.com/gp/orc/rml/D0bvnTq6RRMA

Thanks for Update at Amazon.com.

-------------------------------------------------------------
Amazon.com
http://www.amazon.com
-------------------------------------------------------------

Please note: This e-mail message was sent from a notification-only address that
cannot accept incoming e-mail. Please do not reply to this message.

In the samples that I have seen the link in the email goes to either [donotclick]exivenca.com/support.php or [donotclick]vicorpseguridad.com/support.php both of which are currently down but were both legitimate sites hosted on 213.152.26.150 (Neo Telecoms, France). The fact that these sites are down could be because the host is dealing with the problem, however I would expect to see this same email template being used again in the future, so take care..

Saturday, 22 February 2014

On the trail of 3NT Solutions LLP

NOTE: An updated list of IPs can be found here (October 2017)

Yesterday I blogged about a company called 3NT Solutions LLP apparently based in the UK and expressed my reservations about them as a business. They operate quite a large range of IP addresses, but a quick Google search shows pitifully little about this company.

Let's start our investigation by looking them up at Companies House. That gives some basic details:

3NT SOLUTIONS LLP
SUITE 4084
10 GREAT RUSSELL STREET
LONDON
ENGLAND
WC1B 3BQ
Company No. OC363382

LLPs are a relatively new type of company in the UK which allows a firm to be registered with the minimum of details, but there are reports that LLP structures are being widely abused. We'll have a look at the ownership in a moment, but first let's check out this grand-sounding office in Central London..

View Larger Map

It is, in fact, the Bloomsbury branch of Mail Boxes Etc and "suite" is simply a euphemism for "mail box".. in other words, this is a mail drop address that most likely forwards any mail to another address, a trick that conceals the full owners of the company.

OK, so that address is a bust. But the WHOIS records for their IP blocks, and their previous address registered at Companies House is something different:

DALTON HOUSE
60 WINDSOR AVENUE
LONDON
SW19 2RR

We can trundle over to that on Google StreetView too..

View Larger Map

Dalton House is basically the same thing as the MBE address, it offers a brass plaque somewhere and a mail forwarding service. So no real clues as to ownership here either.

A trip back to Companies House to find their Company Register information [rtf] reveals very little, except two related companies in Belize.

LLP DESIGNATED MEMBER:	DARL IMPEX LTD
Appointed:	01/04/2011
Nationality:	NATIONALITY UNKNOWN
No. of Appointments:	1
Address:	35 NEW ROAD
	BELIZE
	BELIZE
	NA


LLP DESIGNATED MEMBER:	LEGRANT TRADING LTD.
Appointed:	19/03/2013
Nationality:	NATIONALITY UNKNOWN
No. of Appointments:	1
Address:	BLAKE BUILDING SUITE 102, GROUND FLOOR, BLAKE BUIL
	CORNER EYRE&HUTSON STREETS
	BELIZE CITY
	BELIZE
	NA

Belize is a pretty much a haven for offshore companies, so it is quite likely that these two Belize companies are owned by someone in a different country again.

The domain registration for 3nt.com doesn't really give any more information, and oddly enough their website is down (so how do they expect to attract business?). But if we do a WHOIS lookup on one of their IP ranges then it becomes much more clear.

inetnum:        5.61.32.0 - 5.61.47.255
netname:        INFERNO-NL-DE
descr:          ********************************************************
descr:          * We provide virtual and dedicated servers on this Subnet.
descr:          *
descr:          * Those services are self managed by our customers
descr:          * therefore, we are not using this IP space ourselves
descr:          * and it could be assigned to various end customers.
descr:          *
descr:          * In case of issues related with SPAM, Fraud,
descr:          * Phishing, DDoS, portscans or others,
descr:          * feel free to contact us with relevant info
descr:          * and we will shut down this server: abuse@3nt.com
descr:          ********************************************************
country:        DE
admin-c:        TNTS-RIPE
tech-c:         TNTS-RIPE
status:         ASSIGNED PA
mnt-by:         MNT-3NT
mnt-routes:     LEASEWEB-MNT
source:         RIPE # Filtered

person:         Neil Young
address:        3NT SOLUTIONS LLP
address:        DALTON HOUSE 60, WINDSOR AVENUE
address:        LONDON, UK
phone:          +442081333030
abuse-mailbox: abuse@3nt.com
nic-hdl:        TNTS-RIPE
mnt-by:         MNT-3NT
source:         RIPE # Filtered

route:          5.61.32.0/20
descr:          Routed via LEASEWEB
origin:         AS16265
mnt-by:         OCOM-MNT
source:         RIPE # Filtered

Alright, let's cut a long story short because we know who this is.. it's Serbian web host inferno.name who have featured on this blog several times before all the way back to 2011. Similar records exist on all of 3NT's ranges, linking them firmly with inferno.name.

Not it's not a particular surprise to see that inferno.name is trading under a different name, as the scummy sites they host pretty much ruined their reputation. And yeah, this blog helped with that.

I had a look into some of 3NT's IP ranges and you can tell instantly from these samples [csv] that they are pretty low-grade spammy sites. What you can't tell from that list are the command and control servers that they run, and of course they also host malware.

The following IP range are allocated to 3NT Solutions LLP. I recommend that you block them.
5.45.64.0/21
5.45.72.0/22
5.45.76.0/22
5.61.32.0/20
37.1.192.0/21
37.1.200.0/21
37.1.208.0/21
37.1.216.0/21
37.252.2.0/24
37.252.12.0/24
130.0.232.0/21

In addition, these other (smaller) ranges are allocated to inferno.name and v3servers.net who are the same outfit. I also recommend that you block these:
46.21.147.128/25
46.21.148.128/25
46.22.211.0/25
80.79.124.128/26
92.48.122.0/28
92.48.122.16/28
92.48.122.32/28
92.48.122.48/28
94.100.17.128/26
95.168.165.0/24
95.168.173.0/24
95.168.177.0/24
95.168.178.0/24
95.168.191.0/24
188.72.204.0/24
188.72.213.0/24
212.95.54.0/24
212.95.58.0/24
212.95.63.0/24

Friday, 21 February 2014

Something evil on 74.50.122.8, 5.61.36.231 and 94.185.85.131

Thanks to @Techhelplistcom for the heads up on this little mystery..

It all starts with a spam evil (described here)..

The link goes to a URLquery report that seems pretty inconclusive, mentioning a URL of [donotclick]overcomingthefearofbeingfabulous.com/xjvnsqk/fbktojkxbxp.php [an apparently poorly secured server at 74.50.122.8, Total Internet Solutions Pvt. Ltd in India] that just does a redirect to a spammy diet pill site at thefxs.com [94.177.128.10, Linkzone Media Romania] if you have a Windows User Agent set.

As Techhelplist says, set the UA to an Android one and you get a very different result. In this case you get bounced to a site hosted on 5.61.36.231 (3NT Solutions / Inferno.name)
[donotclick]mobile.downloadadobecentral.ru/FLVupdate.php then to
[donotclick]mobile.downloadadobecentral.ru/FLVupdate2.php from where it attempts to download a file FlashUpdate.apk

3NT Solutions / inferno.name is a known bad actor and you should block all their IPs on sight, in this case they have a netblock 5.61.32.0/20 which I strongly recommend that you route to the bitbucket.

FlashUpdate.apk has a VirusTotal detection rate of 22/47, but most Android users are probably not running anti-virus software. The Andrubis analysis of that .apk shows a network connection to 94.185.85.131 (Netrouting Telecom, Sweden) plus (oddly) some pages loaded from ticketmaster.com.

It just goes to show that what you think might be harmless spam can actually be something very, very different if you access it on a mobile device.

Recommended blocklist:
5.61.32.0/20
94.177.128.10
74.50.122.8
94.185.85.131
downloadadobecentral.ru
jariaku.ru
350600700200.ru
~~overcomingthefearofbeingfabulous.com~~

UPDATE 2014-05-25: Note that overcomingthefearofbeingfabulous.com has been cleaned up and appears to be no longer compromised.

PRFC (Epcylon Technologies, Inc) pump-and-dump spam

This pump-and-dump spam run happened last night, which would have been Thursday afternoon in the US. Usually spam runs of this type happen over the weekend, but this P&D run is not quite like others.

From:    Zelma Williams
Date:    20 February 2014 19:04
Subject:    Very important information. Please read

Hi [redacted]

I know you were expecting to hear back from me much earlier but I didn't want to get back to you empty-handed. I finally found the perfect stock for you and I am confident that it will make you some serious profit. Remember the one I told you about in November of last year right? You did very well on it and I think this PRFC stock will do the same for your portfolio again.
I have to let you know though that I'm not the only one who found out about PRFC today. A few of my colleagues are aware as well and they are telling their friends and family about it so I must advise you to move fast if you want to buy it. I think it's trading at just around 15 cents right now, if you wait too long it might be at 30 or even higher and at that time I won't be able to safely advise you to buy it. You can buy as many shares as you can first thing at market open on Friday or worst case scenario buy it on Monday but move fast.
I know you don't care about what the company does because you know I've done all the due diligence for you already but PRFC is actually amazing and I think it will do much better than even the one I told you about a few months ago.
One of the company's divisions offers mobile software solutions for the gaming industry. The mobile apps allow customers to play lottery and other games of chance and skill on their smartphones. The software is extremely advanced and could be the backbone of all mobile casinos in the future. It is expected that the US will legalize online gaming in the near future and this could catapult PRFC to new highs however even without that the company's software is extremely valuable in the rest of the world and could become extremely profitable. Something big is definitely brewing at the company. I heard something about buy out rumors but I don't have all the details yet I will keep you posted over the coming days or weeks.
Anyway I won't bore you with much more blabber, but if you have a second do check out PRFC. By the way I will be expecting a nice gift from you once you make fat bank on this one and a nice dinner with the wives is in order. It's been too long since we last spent a good evening over a bottle of wine. I was going to call you to tell you about PRFC but I figured youre probably asleep now with those crazy shifts you've been working. Take care and call me if there's anything.

Talk soon
Your favorite friend and only broker :)

Appended to the spam is some random text to try to fool spam filters.

According to stock charts, this spam has been successful and has pushed up the Epcylon Technologies, Inc / PRFC price by about 40% in afternoon trading.

The chart shows that 72885 shares were traded in this period, moving stock up from $0.14 to $0.20, the highest value for this stock since August. Trading is normally pretty thin for this stock at between 0 to 10,000 shares per day, but it does sometimes peak higher.

Usually with pump-and-dump scams somebody buys a large quantity of a few days before the spam run. This doesn't appear to be the case here, which leads to the possibility that the spam run is being pushed by an existing stockholder (it is unlikely to be anything to do with Epcylon though). Another thing that differentiates this pump-and-dump run from others is that there does seem to be some mildly positive news about this company.

However, I would urge you not to buy these stocks. The usual pattern is that the stock price collapses shortly after the initial spam run when the party responsible for the spam cashes out.

The spam itself was sent to scraped email addresses and addresses taken from various data breaches, although there does appear to have been some basic listwashing done to evade detection.

Update: a second version is doing the rounds..

From:    Rowena Rasmussen caroline@ordernowapp.com
To:    caroline [caroline@victimdomain]
Date:    22 February 2014 14:48
Subject:    This is the best stock tip of the year

Dear Investor,

If you're tired of playing the market for mediocre gains then you should read on. I'm Mike Statler. Some of you may know me from my last good stock tip (WPWR) which more than tripled within a short period of time (feel free to check it out). Now I have a brand new tip and I will think you will be pleased. This one should go up more than 6 times from current levels.
If you are interested in making a quick gain overnight, this is not for you, but if you're serious about buying my new tip PRFC and you are willing to hold a few weeks and see magic happen then you're definitely at the right place.
If you remember correctly I told you a few days ago about PRFC. I advised you to add it to your watch list but at the time I could not recommend that you buy it as I had not completed my due diligence.
I have good news and bad news for you. The bad news is that it is already up about 60% since I told you to add it to your watch list but the good news is that I think it still has a lot of room to go up and I expect to see PRFC trading at over 2 dollars before the end of the month or by the end of the 1st week of march at the absolute latest.
The company makes indispensable software that powers the backend of mobile gambling platforms. You can buy lottery on your smartphone, spin the roulette, enjoy blackjack or even play a game of poker. All this from your iphone or android phone. This is absolutely revolutionary and as we get closer to complete legalization of online gambling in America this little gem that is PRFC could soar dramatically.
PRFC (or Epcylon Technologies if you prefer) is going to work wonders for my subscribers' portfolios. I even bought $15,000 of it myself today. THAT'S how confident I am in it. I'm putting my money where my mouth is and I am telling you to BUY PRFC too if you believe in me, and if you don't it's too bad. You will be sending me an email two weeks from now saying how you regret not buying when I told you to do so.

Happy Trading,
I'm Mike Statler.

Update 24/2/14: new versions replace the text with an image in an attempt to bypass spam filters.

Update 25/2/14: a slightly different image this time, presumably in an attempt to evade scanners