"Barclays transaction notification" spam

This fake Barclays spam comes with a malicious payload:

Date:      Wed, 5 Feb 2014 03:02:52 -0500 [03:02:52 EST]
From:      Barclays Bank [support@barclays.net]
Subject:      Barclays transaction notification #002601

Transaction is completed. £9685 has been successfully transfered.
If the transaction was made by mistake please contact our customer service.
Receipt of payment is attached.

Barclays is a trading name of Barclays Bank PLC and its subsidiaries. Barclays Bank PLC is authorised by the Prudential Regulation Authority and regulated by the Financial Conduct Authority and the Prudential Regulation Authority (Financial Services Register No. 122702). Registered in England. Registered Number is 1026167 with registered office at 1 Churchill Place, London E14 5HP.

Attached is a file Payment receipt Barclays PA77392733.zip which is turn contains a malicious executable Payment receipt Barclays PA77392733.exe with a surprisingly poor VirusTotal detection rate of just 1/51 (only Sophos detects it). Automated analysis tools are pretty inconclusive about the payload [1] [2] [3] with only the Malwr report having any real detail.

WTF? WFP.org spam? Or is it emailciti.com?

This spam is promoting the UN's World Food Programme. I'm surprised the the WFP should sink so low, but perhaps they engaged the services of spammers without realising.

From:     World Food Programme newsletter@newsletter.loyaltyciti.com
Reply-To:     newsletter@newsletter.loyaltyciti.com
Date:     4 February 2014 09:58
Subject:     60% of people here don't have food
Signed by:     newsletter.loyaltyciti.com

If you are unable to see the message below, click here to view.

Share:     Delicious    Digg    Facebook    LinkedIn    Twitter   

world food programme
There’s a common link between a mother in Central African Republic, a father in South Sudan, and a child in Syria. Hunger. Fortunately, there’s also a common solution – The World Food Programme (WFP)..
WFP provides food assistance so families can break the cycle of poverty and hunger. Our goal? Zero hunger. We rely on the support of our online community to make this a reality.
Will you join us? Sign up at wfp.org/join to receive monthly updates and info about how you can help achieve a zero hunger world.
When conflict erupts, hunger soon follows. In CAR, South Sudan, and Syria, WFP is fighting for families who are being pushed to the brink. Find out how we’re responding to ensure families have the security that comes with a daily meal.
central african republic
level 3 emergency
See where we’re sounding the alarm.
remembering what matters         delivering despite
WFP’s Rasmus Egendal reflects on what really matters in Syria: The People.         Thanks to our supporters like you, WFP has been able to deliver food in South Sudan rom the start.
starting stars from car         reporting from damascus
Get the facts & figures you should know: 60% of families in Central African Republic have no food.         Watch an update from WFP’s Executive Director who met Syrian families relying on WFP assistance.
follow wfp     facebook     twitter

You have received this email message from EmailCiti, the leading Email Behavior and Lead Generation Company in the GCC & Middle East. Your email address has been recorded because you have subscribed to one of our email &newsletters services or are registered with one of our Partner and affiliate sites. For more information, visit www.emailciti.com
If you don't wish to receive these emails anymore please click here.

The email originates from 208.95.135.84 [mail3345.emailciti.mkt3942.com] (Silverpop Systems, US) and spamvertises an intermediate site at links.emailciti.mkt3941.com on 74.112.69.20 (Silverpop again) and then forwards to www.wfp.org/hunger-hot-spots if you click through.

The email itself is digitally signed, so we can be reasonable assure that it originates from loyaltyciti.com who are in Dubai:

Registry Registrant ID:
Registrant Name: mohammad Lahlouh
Registrant Organization: Emailciti
Registrant Street: Dubai Media City, Building #8
Registrant City: Dubai
Registrant State/Province: Dubai
Registrant Postal Code: 502382
Registrant Country: United Arab Emirates
Registrant Phone: +971.507735717
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: mlahlouh@emailciti.com
Registry Admin ID: 

These people are persistent spammers who usually send through some unsolicited crap several times a week, using an email address that is effectively a spamtrap. What is really annoying is the the WFP is paying these spammers to run a campaign of dubious value when they could be helping to fee starving people.

Something evil on 192.95.43.160/28

More badness hosted by OVH Canada, this time 192.95.43.160/28 which contains pretty much the same set of evil described here. Here is a typical IP flagged by VirusTotal and a failed resolution by URLquery which frankly gives enough information to make it suspicious.

However, the key thing is the registrant details which have been used in many malware attacks before.

CustName:       Private Customer
Address:        Private Residence
City:           Penziatki
StateProv:     
PostalCode:     30000
Country:        RU
RegDate:        2014-01-24
Updated:        2014-01-24
Ref:            http://whois.arin.net/rest/customer/C04859116

I can see the following .pw domains active in this range:
basecoach.pw
crewcloud.pw
boomerangfair.pw
kickballmonsoon.pw
martialartsclub.pw
runningracer.pw

All those domains are flagged by Google as malicious and I recommend that you block them along with 192.95.43.160/28.

(Hat tip to my source, you know who you are!)

Something evil on 64.120.137.32/27

64.120.137.32/27 is a range of IP addresses belonging to Network Operations Center Inc in the US and suballocated to a customer which is currently being used in malware attacks as an intermediate step in sending victims to this malicious OVH range.You can see an example of some of the badness in action here.

The range was formerly used by a company called TixDepot but may have been hijacked or reassigned. NOC report the following contact details for the block:

%rwhois V-1.5:003fff:00 rwhois.hostnoc.net (by Network Solutions, Inc. V-1.5.9.5)
network:Class-Name:network
network:ID:NET-64.120.137.32/27
network:Auth-Area:64.120.128.0/17
network:network:NET-64.120.137.32/27
network:block:64.120.137.32/27
network:organization;I:T0000027307
network:address:1205 Oneill Highway
network:city:Dunmore
network:state:PA
network:postalcode:18512
network:country:US
network:admin-c;I:A9000000001
network:tech-c;I:T0000027307
network:abuse-c;I:I9000000001
network:created:20120208221612
network:Updated:20140203010039

About half the domains in this /27 have been flagged as malicious by Google, concentrated on the three IP addresses:
64.120.137.53
64.120.137.55
64.120.137.56

I would recommend blocking the entire /27, but this is the breakdown by IP address with domains tagged by Google highlighted (there's a plain list here)

64.120.137.34
kasorla.biz
kolyamba.biz

64.120.137.35
verybery.biz
dristohren.biz
vedmedical.biz
teasertease.biz

64.120.137.38
koshak.biz

64.120.137.39
meef.biz
www.meef.biz
chubanak.biz

64.120.137.41
jinkee.biz
tongpo.biz
kunuki.biz
omlette.biz

64.120.137.42
war-fear.biz
sleeping-rough.biz
www.war-fear.biz

64.120.137.47
searchsecurely.biz
whitehestence.com

64.120.137.48
webconnection.biz
trafficstatsanalytics.com

64.120.137.51
lohotron.biz
domainishere.biz
happygreentree.biz
plomaternia.com
greendo.biz
continuedomain.biz
personaldomain.biz
trafficqualitycheck.biz

64.120.137.52
swint.biz
elhooase.biz
fazatron.biz
peperrony.biz
pistorios.biz
papabudet.biz
papazdesj.biz
paparjadom.biz
besthitbotfilter.biz

64.120.137.53
hairyegg.biz
eegogo.biz
ilanus.biz
baldball.biz
moisturre.biz
mongoloid.biz
barbarisus.biz
damoinster.biz
horseinwood.biz

64.120.137.54
swineherd.biz
traffzilla.biz
blackfatcat.biz
trafficstation.biz

64.120.137.55
smokeme.biz
domentus.biz
yyynetlop.biz
goodweather.biz
hellparadise.biz
blog.bitcareer.com
bitewixibib.com
cuqerexejef.com
xocysibekyn.com
25blv.xocysibekyn.com
buy.si8a.net
tejedinehyh.net
68qn.tejedinehyh.net
vynifyqicedy.net
7dww.vynifyqicedy.net
vyzogosukoqy.net
ekc63s.vyzogosukoqy.net
bitewixibib.org
qyzuliponag.org
4ah781.qyzuliponag.org
xinuvytevem.org
s6pnl.xinuvytevem.org
xocysibekyn.org
ee5.xocysibekyn.org
hcm.xocysibekyn.org
vynifyqicedy.org
tejedinehyh.info
w0r4n.tejedinehyh.info
vyzogosukoqy.info
n45p6.vyzogosukoqy.info
nolericutis.com
qyzuliponag.com
xinuvytevem.com
cuqerexejef.org
nolericutis.org
tejedinehyh.org
iu1wxx.tejedinehyh.org
nvlrlh.tejedinehyh.org
vyzogosukoqy.org
wotunelurex.info
vynifyqicedy.info

64.120.137.56
en.xzhao.cc
us.yongbao.cc
ca.zhengerle.cc
me.transportesmelladogutierrez.cl
br.youu-and.me
dns.v9v8.com
gr.wew444.com
ls.wew999.com
dns.thejpg1.com
dns.acidcrud.com
dns.agoteenak.com
qajadyhizuli.com
fr.whenisthenextnhllockout.com
dns.uhgy.net
banewyjubuk.net
1qcz.banewyjubuk.net
diwopiroseq.net
7zz.diwopiroseq.net
gulumegesus.net
daij.gulumegesus.net
jadivyludal.net
pnps.jadivyludal.net
kafitetysyr.net
71sdqa.kafitetysyr.net
bucupyfomome.net
8q7.bucupyfomome.net
byqyrabewuti.net
iv3oj.byqyrabewuti.net
qajadyhizuli.net
symirijibimu.net
tusudygonipo.net
qjcd.tusudygonipo.net
banewyjubuk.org
9s33.banewyjubuk.org
ycooet.banewyjubuk.org
gulumegesus.org
8jek7.gulumegesus.org
jadivyludal.org
k64yx9.jadivyludal.org
kafitetysyr.org
hida.kafitetysyr.org
jyc8i.kafitetysyr.org
bucupyfomome.org
rdjjnh.bucupyfomome.org
byqyrabewuti.org
3v7opv.byqyrabewuti.org
qajadyhizuli.org
k8gcj.qajadyhizuli.org
symirijibimu.orgjadivyludal.com
pumiqudiqer.com
vemusiwubixe.com
kecynikamoc.net
3srjc.kecynikamoc.net
komikuxoced.net
pumiqudiqer.net
lejyvicuvagi.net
vemusiwubixe.net
kecynikamoc.org
komikuxoced.org
pumiqudiqer.org
lejyvicuvagi.org
vemusiwubixe.org

Headlines Today (India) "Investigation report: Interesting history of Somnath aka Spamster Bharti"

Something evil on 192.95.7.224/28

Another OVH Canada range hosting criminal activity, 192.95.7.224/28 is being used for several malicious .pw domains being used to distribute malware (as used in this attack). The malware domains seem to rotate through subdomains very quickly, possibly in an attempt to block analysis of their payload.  This block is carrying out the same malicious activity that I wrote about a few days ago.

OVH have suballocated this IP block to an entity that I believe is connected with black hat host r5x.org.

CustName:       Private Customer
Address:        Private Residence
City:           Penziatki
StateProv:     
PostalCode:     30000
Country:        RU
RegDate:        2014-01-24
Updated:        2014-01-24
Ref:            http://whois.arin.net/rest/customer/C04859114

These IPs are particularly active:
192.95.7.232
192.95.7.233
192.95.7.234

There is nothing of value in this /28 block and I recommend that you block the entire IP range plus the following domains (which are all already flagged as being malicious by Google)

Recommended blocklist:
192.95.7.224/28
archerbocce.pw
athleticsmove.pw
battingrelay.pw
bicyclecompete.pw
bicyclingcrew.pw
billiardsdiver.pw
bronzecatcher.pw
competitionathletics.pw
competitionexercise.pw
dartboardolympics.pw
dartfield.pw
divebicycling.pw
divingrelay.pw
fieldergymnast.pw
golferboomerang.pw
hardballkayaker.pw
hockeyarchery.pw
hoopjudo.pw
javelinbowler.pw
leaguehockey.pw
netarcher.pw
playingriding.pw
racerathlete.pw
racerbronze.pw
runrafting.pw

Times Now covers the Somnath Bharti story

Somnath Bharti's allwebhunt.com site exposes inner working of spam outfit

Recently I covered the somewhat surprising news that a former top spammer Somnath Bharti is now a minister in the Delhi regional government in India. That story has now made it to the front page of the Times of India, deepening the controversy about Mr Bharti's ethical standards.

I was interested to see Mr Bharti's response to these accusations:

Denying involvement in spamming, Bharti emailed TOI saying: "Back in early 2000, server of Madgen Solutions Pvt Ltd was entrusted with an associate by me who misused it without my consent/knowledge. When the matter cropped up, I came to know that the said associate had generated mass emails soliciting business and had also impersonated me on multiple occasions. On exploring I found out that the emails generated were for a legitimate business, originating from a valid traceable IP address and in proper compliance with the laws applicable in the US, ie CANSPAM Act, then... hence this breach of trust between me and this associate of mine was not pursued in a court of law."

I have to rely on the accuracy of the Times of India with this quote, although the way the TOI has presented it this does like a direct quote from Mr Bharti himself.

Before I start picking apart what Somath Bharti said, it is worth pointing out that the only time I have ever heard anything from him was when he made a flat-out lie claiming that he had never ever heard of the company involved (TopSites LLC), despite having his name listed as CEO on the company business card.

Just for good luck, the person sending me that information also sent me a copy of a very young looking Mr Bharti to prove his identity.

He looks a bit different today (source)

The evidence linking Mr Bharti's Madgen solutions with spam is overwhelming and does not seem to have been denied in the TOI interview, although you can see the reports made at the time here.

But let's look at Mr Bharti's statement to the TOI more closely..

"Back in early 2000, server of Madgen Solutions Pvt Ltd was entrusted with an associate by me who misused it without my consent/knowledge."

Well, this is kind of odd because the TopSites LLC spam did not start until 2002 at the earliest, and and Bharti's outfit was only identified much later than that (see this example). So Mr Bharti's memory is either faulty, or this is just an poorly though-out excuse, or maybe he meant the "early 2000s"?

But Mr Bharti's fingers have always been all over the TopSites business, such as the WHOIS details for the original domain used in the spam, topsites.us:

However, that is just a name on the WHOIS records. We can also see his name on the internal databases of one of the many clone sites of TopSites that was set up:

That information comes from a poorly-secured TopSites clone called allwebhunt.com hosted on a server at 119.82.71.132 (Citycom Networks, India) along with Mr Bharti's own personal website of somnathbharti.com.

allwebhunt.com was rapidly taken down after it was exposed in the Times of India, but you can still see an archived copy here, indicating that the operation was running until at least 2011.

The website was exceptionally poorly coded and exposed all of its internal details to the internet. Here's a screenshot of some of the code listing internal users.

The names of Mr Bharti are all over this particular operation, so it is unlikely that he did not know exactly what was happening. He even went as far as to use a TopSites domain on his somnathbharti.com home page back in 2003.

My conclusion is that despite Mr Bharti's protests, I believe that he was intimately involved in the spamming operation that his company Madgen Solutions was performing on behalf of TopSites LLC.

But there remains one further unanswered question. Back in 2005 the TopSites business was put up for sale claiming an annual turnover of 1.8 million US dollars. And although Mr Bharti's business partners would probably have pocketed the majority of that money, it would seem highly unlikely that Mr Bharti himself did not share in some of those profits.

Exactly how much did Mr Bharti make from this spamming operation? Even the people who did payment processing got a 9% cut..

..I have no idea. But perhaps somebody might like to find out :)

"Unsure if you qualify for a refund of PPI paid on a loan or credit card?" SMS spam

This scumbag scammers are still at it, pumping away lead generation spam to persuade people to make PPI claims to which they are not entitled.

Unsure if you qualify for a refund of PPI paid on a loan or credit card? Reply PPI and we will run a no obligation check or reply STOP to opt out. TPPCO

In this case the scammers used the contact number +447743623103 but they burn through dozens of SIM cards every day with their illegal spamming operations.

If you get one of these, you should forward the spam and the sender's number to your carrier. In the came of T-Mobile, O2 and Orange the number to report to is 7726 ("SPAM"). Vodafone customers should use 87726 ("VSPAM") and Three customers should use 37726 ("3SPAM"). Hopefully the carriers will act if there are enough complaints.

You can also report persistent spam like this via the ICO's page on the subject.  With any luck these spammers will end up on the receiving end of a massive fine.

African Human Right and Refugees Protection Council (AHRRPC) scam

This spam email is actually part of an advanced fee fraud setup:

From:     fernando derossi fernandderossi59@gmail.com
To:     fernandderossi59@gmail.com
Date:     1 February 2014 13:22
Subject:     URGENT FOOD STUFF SUPPLY NEED FOR REFUGEES
Signed by:     gmail.com

Dear Sir:

My company has been mandated to look for a company capable of
supplying food stuffs product listed bellow by the  AFRICAN HUMAN
RIGHT AND REFUGEES PROTECTION COUNCIL (AHRRPC) for  assisting of the
refugee within the war affected countries IN middle east and Africa
like MALI,SYRIA, SOMALIA, CENTRAL AFRICA, and SOUTH SUDAN, which after
going through your company's profile, have decided to know if your
company is interested.

            Below are the list of food Stuffs and the targeted value
needed by (AHRRPC)

1.  Rice
2.  Beans
3.  Milk powder
4.  Sugar
5.  Vegetable Oil
6.  Used Cloths
7.  Wheat Flour
8.  White corn meal
9.  Corn Cooking oil
10. Cumin seed oil
11. Ground nut
12. Sage Oil
13. Soya bean oil
14. Palm oil
15.  Fresh Vegetables
16.  Fresh fruits
17.  Cocoa powder.

We will be happy to work with you company only as representing agent
to secure an allocation for your company while in return your company
will give us comission as soon as your receive your contract value. We
will give you more details about the contract when we recieve your
reply.

Regards,

Mr.Fernando Derossi
AHRRPC AGENT
Website:www.ahrrpc.8k.com
Bamako-Mali in West Africa.

The email links to a website at www.ahrrpc.8k.com which set off all sorts of alarms on my virus scanner, but I think it is just an ad-laden free web hosting site, and purports to be from the African Human Right and Refugees Protection Council (AHRRPC).

Of course, there is no such organisation as this and probably the main thrust of the scam is that there will be an "arrangement fee" payable in order to sell these goods.. and once the fee is paid the scammers will disappear.

One thing that I noticed is that "Mr Fenando Derossi" has a Google+ profile.. so is it a case the the Google account has been hijacked? Well, a simple way to find out is to take the image and upload it to Google Images (by clicking the little camera icon). That gives several positive matches for the photo which has been stolen from a French model and actor called Jean-Georges Brunet. In fact, poor Monsieur Brunet has had his picture stolen before for other types of scam.

Give any approaches from the so-called African Human Right and Refugees Protection Council (AHRRPC) a very wide berth. And remember, if you want to verify who a photo actually belongs to then Google Images is an excellent resource.

Something evil on 192.95.10.208/28

192.95.10.208/28 (OVH, Canada) is being used to deliver exploit kits utlising .pw domains, for an example see this URLquery report.  The following domains are being used in these attack (although there may be more):

accountantillustrator.pw
actuarydancer.pw
ambassadoradvisor.pw
animatorcarpenter.pw
animatorgovernor.pw
archeractor.pw
archerclub.pw
archerlecturer.pw
archerycartoonist.pw
arenacycling.pw
arenalandlord.pw
arrowcompete.pw
arrowfitness.pw
artistgovernor.pw
athleteexplorer.pw
athleteexterminator.pw
athletehandyman.pw
athleticsbanker.pw
athleticsdrycleaner.pw
attorneygeologist.pw
ballballerina.pw
ballcoroner.pw
ballerinaconsul.pw
ballerinalaundress.pw
balllobbyist.pw
ballracer.pw
baseballdefense.pw
baseballhardball.pw
baseballmechanic.pw
basketballdj.pw
basketballillustrator.pw
batdart.pw
batdj.pw
batmonk.pw
batolympics.pw
batterpool.pw
battingconcierge.pw
battingrunning.pw
biathlonlandscaper.pw
bicyclebarber.pw
bicyclechaplain.pw
bicycleracket.pw
bikegeneral.pw
bikingoptician.pw
biologistcabdriver.pw
bobsleighcaterer.pw
bobsleighcop.pw
bobsleighfirefighter.pw
bobsleighjockey.pw
boccebowling.pw
boccepercussionist.pw
boomerangbobsleigh.pw
boomerangcompete.pw
bowcobbler.pw
bowlerkayaking.pw
boxercashier.pw
bronzehairdresser.pw
buntcop.pw
buntexporter.pw
buntgymnastics.pw
butchernegotiator.pw
canoegardener.pw
carpenterorderly.pw
cartographerlandscaper.pw
catchergeologist.pw
catchlandscaper.pw
championbatting.pw
championshipcobbler.pw
championshipdoorman.pw
championshipgear.pw
championshipjester.pw
championshipjockey.pw
championshipmarketer.pw
clubfarmer.pw
coachbarber.pw
coachgolfer.pw
competeexporter.pw
competepediatrician.pw
competingbowler.pw
competingcoach.pw
competitioncryptographer.pw
competitionexplorer.pw
competitorhairdresser.pw
competitornovelist.pw
conciergemanufacturer.pw
contractorexterminator.pw
crewastronaut.pw
crewmusician.pw
cricketgoalie.pw
cricketjailer.pw
custodiancobbler.pw
cyclebellhop.pw
cyclistcaptain.pw
dartboardequipment.pw
dartboardnavigator.pw
dartboardpathologist.pw
dartlifeguard.pw
decathlonbellhop.pw
decathlondriver.pw
defensenet.pw
defensepaleontologist.pw
dermatologistinstructor.pw
designerbabysitter.pw
designercoach.pw
diamondgolfer.pw
diamondlobbyist.pw
divecycle.pw
diveeconomist.pw
divepainter.pw
diverbabysitter.pw
diverbowler.pw
divingauthor.pw
djnegotiator.pw
dodgeballgolfer.pw
doormanparkranger.pw
driverpawnbroker.pw
editordictator.pw
electricianbaker.pw
engineerastronaut.pw
entomologistbowler.pw
entrepreneurpatrol.pw
epeebowler.pw
epeeintern.pw
epeelandlord.pw
epeelinguist.pw
epeerunning.pw
exercisebatter.pw
exportercatcher.pw
farmerlecturer.pw
fencinghandball.pw
fieldercartographer.pw
fielderpaleontologist.pw
fielderpercussionist.pw
fieldingauctioneer.pw
figureskatingbuilder.pw
figureskatingchemist.pw
footballbunt.pw
footballcustodian.pw
footballlyricist.pw
frisbeebike.pw
gamenurse.pw
gearathlete.pw
generalillustrator.pw
geneticisteconomist.pw
geneticistgolfer.pw
goalbicycling.pw
goalcatcher.pw
goaldj.pw
goalhardball.pw
goaliebilliards.pw
goalielocksmith.pw
goalmedal.pw
goalmedal.pw
goalpawnbroker.pw
goalpercussionist.pw
golferdoorman.pw
golferentomologist.pw
golfingfirefighter.pw
guardcryptographer.pw
guardextra.pw
guardhandyman.pw
gymeducator.pw
gymmarketer.pw
gymnastcardiologist.pw
gymnasticsarchery.pw
gymnasticscobbler.pw
gymnasticsdictator.pw
gymnastnun.pw
halftimeillustrator.pw
handballhome.pw
hardballactress.pw
hardballastronomer.pw
hardballjumper.pw
helmetgolfer.pw
helmetjailer.pw
highjumpbiologist.pw
highjumpcashier.pw
highjumpguide.pw
hoboexporter.pw
hoopbiking.pw
hoopgear.pw
huddlecompete.pw
huddleparalegal.pw
hurdlebutler.pw
hurdlecompetitor.pw
hurdleforeman.pw
hurdlemove.pw
jailercardiologist.pw
javelinskate.pw
joggerdirector.pw
journalisthairdresser.pw
judomayor.pw
jumperfisherman.pw
jumperlibrarian.pw
jumpingorderly.pw
jumpingreferee.pw
karatemanufacturer.pw
karateparalegal.pw
kayakathlete.pw
kayakballerina.pw
kayakerbiologist.pw
kayakercabdriver.pw
kayakingconsul.pw
kayakingoperator.pw
kayakingskating.pw
kayaknurse.pw
kickballnurse.pw
lacrossemuralist.pw
lacrosseorderly.pw
landlordexterminator.pw
landlordgardener.pw
landscapercook.pw
landscaperoptician.pw
lecturergatherer.pw
linguistdetective.pw
locksmithillustrator.pw
maidblacksmith.pw
maidornithologist.pw
marinecellist.pw
martialartslinguist.pw
mayordrummer.pw
monklyricist.pw
movemedal.pw
oboistbowler.pw
olympicscompetition.pw
olympicsengineer.pw
opticiannegotiator.pw
orienteeringjanitor.pw
paintergeneral.pw
paralegalbuilder.pw
paralegaleconomist.pw
pawnbrokermanufacturer.pw
peddlerbellhop.pw
pingpongathlete.pw
pingpongbasketball.pw
pingpongempress.pw
pingponghelmet.pw
pitchactor.pw
pitchdart.pw
pitchjanitor.pw
pitchlifeguard.pw
playchauffeur.pw
playerskate.pw
playingoboist.pw
playoffscycle.pw
playoffspeddler.pw
playorienteering.pw
polekayaking.pw
poolgeneticist.pw
poolnegotiator.pw
quarterbackgeneral.pw
quartergeographer.pw
racedrummer.pw
raceengineer.pw
racercellist.pw
racketarcher.pw
racketbaseball.pw
racketdart.pw
racketleague.pw
racketskate.pw
raftingbarber.pw
raftingdancer.pw
raftingfrisbee.pw
raftingkayaker.pw
relaydrycleaner.pw
relayrace.pw
ridingcabdriver.pw
ridingnurse.pw
runbasketball.pw
rundrummer.pw
runningaccountant.pw
runningactuary.pw
skatepole.pw
skatingmuralist.pw
teacherjockey.pw
toolmakerfisherman.pw

The IP forms part of a /28 block belonging to a known bad actor:
NetRange:       192.95.10.208 - 192.95.10.223
CIDR:           192.95.10.208/28
OriginAS:       AS16276
NetName:        OVH-CUST-413973
NetHandle:      NET-192-95-10-208-1
Parent:         NET-192-95-0-0-1
NetType:        Reassigned
RegDate:        2014-01-24
Updated:        2014-01-24
Ref:            http://whois.arin.net/rest/net/NET-192-95-10-208-1

CustName:       Private Customer
Address:        Private Residence
City:           Penziatki
StateProv:     
PostalCode:     30000
Country:        RU
RegDate:        2014-01-24
Updated:        2014-01-24
Ref:            http://whois.arin.net/rest/customer/C04859113

I believe that these IPs are connected with a black hat host r5x.org and IPs with these WHOIS details are very often used in exploit kit attacks. I would strongly recommend that you block 192.95.10.208/28 in addition to the domains listed above.

"Windsor Telecom Fax2Email" spam

Another day, another fake Fax spam with a malicious payload:

Date:      Fri, 31 Jan 2014 10:00:23 +0000 [05:00:23 EST]
From:      Windsor Telecom Fax2Email [no-reply@windsor-telecom.co.uk]
Subject:      Fax Message on 08983092722 from

FAX MESSAGEYou have received a fax on your fax number: 08983092722 from.The fax is
attached to this email.PLEASE DO NOT REPLY BACK TO THIS MESSAGE. 

Attached is an archive file FAX MESSAGE.ZIP which in turn contains a malicious executable FAX MESSAGE.EXE with a VirusTotal detection rate of 4/50. Well, I say malicious but both Malwr and Anubis report that the payload does not execute properly, however that might just be an issue with those particular sandboxes and it does not mean that it will fail to run on all systems.

"Last Month Remit" spam

This fake "Last Month Remit" spam does a pretty good job of looking like it comes from your own organisation..

Date:      Thu, 30 Jan 2014 12:22:05 +0000 [07:22:05 EST]
From:      Administrator [victimdomain]

>
Subject:      FW: Last Month Remit

File Validity:Thu, 30 Jan 2014 12:22:05 +0000
Company : http://[victimdomain]
File Format: Office - Excel
Internal Name: Remit File
Legal Copyright: ? Microsoft Corporation. All rights reserved.
Original Filename: Last month remit file.xls

********** Confidentiality Notice **********.
This e-mail and any file(s) transmitted with it, is intended for the exclusive use by the person(s) mentioned above as recipient(s).
This e-mail may contain confidential information and/or information protected by intellectual property rights or other rights. If you
are not the intended recipient of this e-mail, you are hereby notified that any dissemination, distribution, copying, or action taken
in relation to the contents of and attachments to this e-mail is strictly prohibited and may be unlawful. If you have received this
e-mail in error, please notify the sender and delete the original and any copies of this e-mail and any printouts immediately from
your system and destroy all copies of it. The deception even goes as far as faking the mail headers:

Received:     

    (qmail 6160 invoked from network); 30 Jan 2014 12:22:06 -0000
    from unknown (192.168.1.88) by [redacted] with QMQP; 30 Jan 2014 12:22:06 -0000
    from 95-177-119-126.aurora.managedbroadband.co.uk (95.177.119.126) by [redacted] with SMTP; 30 Jan 2014 12:22:05 -0000
    from docs743.[victimdomain] (10.0.0.170) by [victimdomain] (10.0.0.31) with Microsoft SMTP Server (TLS) id U5G10C1E; Thu, 30 Jan 2014 12:22:05 +0000
    from docs7075.[victimdomain] (10.39.36.29) by smtp.[victimdomain] (10.0.0.131) with Microsoft SMTP Server id MJ25NOGJ; Thu, 30 Jan 2014 12:22:05 +0000

Going to to bother of inserting fake mail headers is odd, because anyone who knew enough to check the headers would probably also realist that the attached ZIP file with an EXE in it was probably bad news.

In this case, the attachment is called Remit_[victimdomain].zip  which in turn contains a malicious executable called Remit.exe which has an icon that makes it look like a PDF file.

This file has a VirusTotal detection rate of 10/49. Automated analysis tools [1] [2] [3] show an attempted connection to poragdas.com  on 182.18.143.140 (Pioneer Elabs, India) which is a server that has been seen before, and excelbizsolutions.com on 103.13.99.167 on (CtrlS Private, India).

Recommended blocklist:
103.13.99.167
182.18.143.140
poragdas.com
excelbizsolutions.com

WTF is s15443877[.]onlinehome-server[.]info?

Something that caught my eye was this Google Safebrowsing diagnostic for [donotclick]s15443877.onlinehome-server.info:

Safe Browsing

Diagnostic page for s15443877.onlinehome-server.info

What is the current listing status for s15443877.onlinehome-server.info?

This site is not currently listed as suspicious.

What happened when Google visited this site?

Of the 1746 pages we tested on the site over the past 90 days, 582 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2014-01-29, and the last time suspicious content was found on this site was on 2014-01-29.Malicious software includes 166 scripting exploit(s), 166 trojan(s), 89 exploit(s). Successful infection resulted in an average of 5 new process(es) on the target machine.
Malicious software is hosted on 198 domain(s), including mendozaempleos.com/, e-veleta.com/, forogozoropoto.2waky.com/.
155 domain(s) appear to be functioning as intermediaries for distributing malware to visitors of this site, including chebro.es/, formandfinishpdr.com/, mendozaempleos.com/.
This site was hosted on 1 network(s) including AS8560 (ONEANDONE-AS).

Has this site acted as an intermediary resulting in further distribution of malware?

Over the past 90 days, s15443877.onlinehome-server.info did not appear to function as an intermediary for the infection of any sites.

Has this site hosted malware?

No, this site has not hosted malicious software over the past 90 days.

Not only are (exactly) one third of the pages crawled hosting malware, but there are a staggering 198 domains spreading it. Usually it's just a handful of sites, but this is the most I've ever seen.

VirusTotal also shows some historical evil going on with the IP of 212.227.141.247 (1&1, Germany) and a Google of the site contents shows thousands of hits of what appears to be scraped content in Spanish.

It's hard to say just what this site is, but with Google diagnostics like that then it is unlikely to be anything good and blocking s15443877.onlinehome-server.info or 212.227.141.247 might be prudent.

"Adopt a puppy scam" is a new twist

This offer to adopt a puppy for free is a scam:

From:     Shirley Eason shirleyeason5@gmail.com
Reply-To:     shirleyeason5@gmail.com
Date:     30 January 2014 09:29
Subject:     Adopt this little puppy @ 0$

My name is Shirley Eason, Presently diagnosed of acute brain injury from a ghastly car accident that led to lost of my son and husband 3 years ago.

I'm looking for a good heart fellow to take over my 9weeks English Bulldog,right now I have been ask to move to Aged home. ofcourse I'm not allowed to take webster.

I'm willing to send Webster overseas if you can convince me he's on good hands.

I want to share the love I have for Webster across the world to anyone who have passion for animals.

You will receive more photos on response to this mail.
http://www.sendspace.com/file/pa5p12
http://www.sendspace.com/file/ytalxs

Hugs and kisses from a beautiful heart

Warm Regards

What's on the end of those Sendspace links? Well, indeed there are a couple of pictures of a puppy.

So.. it's a free puppy? What could possibly go wrong? Well, lots..

Let's do a bit of detective work starting with finding the origin of those photos. A trip to Google Images followed by a click of the camera icon allows you to upload a picture to do a reverse image search. We can easily find a match for that photo here and here, and it turns out that although the dog really is called Webster he's not up for adoption at all, but is for sale by a reputable and unconnected party who has had their photo stolen.

So, what is the scam? Bearing in mind that poor old Webster is worth a couple of thousand dollars but the scammer is asking for nothing? Well, as with all advanced fee fraud scams there are going to be up-front expenses that aren't mentioned, such as shipping fees, vet bills, certificates and all sort of other things.. and once the victim has paid all the money then Webster will still not turn up because of course the scammer doesn't actually have the dog to begin with.

Now, we're pretty sure that you won't try to acquire a dog advertised by spam.. but if you are, well.. don't.

Incidentally, the origins of the email appear to be a computer at 75.130.67.30 (Charter Communicaations, Tennessee) via a server at 68.15.225.129 (ommailex1.iiiinc.com) although it is unlikely that the owner of either of those two systems is aware of the scam either.

Fake Vodafone MMS spam comes with a malicious attachment

This fake Vodafone MMS spam comes with a nasty payload:

Date:      Thu, 30 Jan 2014 03:55:04 -0500 [03:55:04 EST]
From:      mms.service6885@mms.Vodafone.co.uk
Subject:      image Id 312109638-PicOS97F TYPE==MMS

Received from: 447219637920 | TYPE=MMS 

Despite the Vodafone references in the header, this message comes from a random infected PC somewhere and not the Vodafone network.

The email doesn't quite render properly in my sample:

The spam is probably preying on the fact that most people have heard of MMS but very rarely use it. Attached is a file IMG0000008849902.zip which in turn contains a malicious executable IMG0000008849902.exe, this has a VirusTotal detection rate of just 2/50.  Automated analysis tools are inconclusive [1] [2] as the sample appears to time out.

"Voice Message from Unknown" spam (again)

This fake voice message spam comes with a malicious attachment:

Date:      Wed, 29 Jan 2014 14:45:36 +0100 [08:45:36 EST]
From:      Administrator [docs0@victimdomain.net]
Subject:      Voice Message from Unknown (644-999-4348)

 Unity Messaging System

- - -Original Message- - -

From: 644-999-4348

Sent: Wed, 29 Jan 2014 14:45:36 +0100

To: [redacted]

Subject: Important Message to All Employees 

Attached is an archive Message.zip which in turn contains a malicious executable VoiceMessage.exe which has a VirusTotal detection rate of just 6/50. Automated analysis tools [1] [2] [3] show attempted connections to kitchenrescue.com on 184.107.74.34 (iWeb, Canada) and ask-migration.com on 173.192.21.195 (Softlayer, US). In particular, it attempts to download some sort of encrypted file [donotclick]kitchenrescue.com/login.kitchenrescue.com/images/items/wav.enc which I have not been able to identify.

The Green Organisation (thegreenorganisation.info) spam

Perhaps The Green Organisation (thegreenorganisation.info) has good intentions, but sending out unsolicited bulk email is just going to get them regarded as The Spam Organisation.

From:     Green Organisation greenorganisation@rkwmail.co.uk
Date:     29 January 2014 02:43
Subject:     FAO: The Chief Executive and anyone involved with the built environment

FREE ENTRIES FOR BUILT ENVIRONMENT AWARDS

You can submit a free entry in the Green Apple Built Environment and Architectural Heritage Awards, as long as it arrives by February 28.

The top prize is a holiday for two in the world’s greenest resort – AquaCity in the High Tatras mountains of Slovakia.

There are three chances to win in each category, with Gold, Silver and Bronze trophies for the top three.

You also have the chance to represent your country in the European Business Awards for the Environment, as the Green Apple Awards is one of the few UK campaigns accepted as an official feeder scheme into the Brussels-led initiative.

If any of your building/construction projects helps the environment in any way, you are invited to submit an entry.

Every company or council is entitled to a free entry and all winners receive invitations for the glittering presentation ceremony at the Crystal, London in June, with food and drink included.

You can win…

• A prestigious trophy and certificate

• A holiday for two in the world’s greenest resort

• International recognition

• Qualification into Europe

• Massive publicity

• And we will plant a tree on behalf of each company submitting an entry.

And all free of charge!

The Green Apple Awards for the Built Environment 2014

 You can enter online, by email or by post and you will find more information at www.thegreenorganisation.info or you can phone 01604 810507.

CLOSING DATE FEBRUARY 28, 2014

It’s free – and easy!

The Green Organisation, The Mill House, Mill Lane, Earls Barton, Northampton NN6 0NR.

Unsubscribe

The email originates from 81.168.114.179 which resolves as rkwmail.co.uk (hosted by Eclipse Internet in the UK). The WHOIS details for that domain are:

Domain name:
        rkwmail.co.uk

    Registrant:
        Roger Wolens

    Registrant type:
        UK Individual

    Registrant's address:
        Mill House
        Earls Barton
        Northamptonshire
        NN6 0NR
        United Kingdom

When we look at the spamvertised domain thegreenorganisation.info we see some broadly similar details:

Registrant ID:DI_9170956
Registrant Name:Domain Contact (103845)
Registrant Organization:The Green Organisation
Registrant Street1:The Mill Barn, Mill Lane
Registrant Street2:
Registrant Street3:
Registrant City:Earls Barton
Registrant State/Province:Northants
Registrant Postal Code:NN6 0NR
Registrant Country:GB
Registrant Phone:+44.1604810507
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Registrant Email:rogerwolens@btconnect.com


So whois is Roger Wolens? Well, he appears to be the owner of The Green Organisation. So the next thing I wondered is.. exactly what is The Green Organisation. They answer this question on their own website:

THE GREEN ORGANISATION  has been established since 1994 as an international, independent, non-profit, non-political, non-activist environment group, dedicated to recognising, rewarding and promoting environmental best practice around the world.

Note that The Green Organisation is not a charity but a business. We can look that up on DueDil to see what it thinks:

OK, that seems to look like a non-profit to me. In fact a hunt around their website shows nothing suspect or untowards, although if it is really the hugely successful enterprise that it claims to be then I wonder why it is promoting itself through spam.

"Urgent eviction notification No2621" spam

This particularly cruel spam is a variation of the Court Notice spam that has been around for a few weeks. Thankfully it is very poorly worded which should alert at least some potential victims that it is a fake.

Date:      Tue, 28 Jan 2014 17:40:16 -0400 [16:40:16 EST]
From:      Eviction Notification [support.7@riduscourt.com]
Subject:      Urgent eviction notification No2621

 Eviction Notification,
   Please be advised that you are obliged to
   vacate the living space you occupy until March 28, 2014, 11 a.m.
   If you do not vacate it in the specified terms,
   the court will have to assign the forcible eviction for April 26,
   2014, 11 a.m.
   If nobody is home we will not be responsible for safe keeping of your
   belongings.
   Besides, if you fail to comply with the requirements of the court
   bailiff
   you will be fined for up to 200 minimum wage amounts
   with a subsequent doubling of the penalty amount
   and can be made criminally or administratively liable.
   The details of the circumstances that caused the judicial decision
   of eviction are attached herewith.
   Court bailiff,
   GOODWIN Bass

Attached is an archive file Copy_Of_The_Court_Statement_N1801.zip which in turn contains a malicious file Copy_of_the_court_statement_us_28_01_2014.exe.

For some reason the ZIP file that I have is corrupt and will not open, but I suspect that other versions may be valid. If anyone has a reliable analysis of this file it might be worth leaving a note in the Comments... thanks!

Update (30/1/14): here is a second version doing the rounds:

Date:      Wed, 29 Jan 2014 18:11:43 -0500 [01/29/14 18:11:43 EST]
From:      Notice To Quit [service_notice@mnduscourt.com]
Subject:      Notice to quit No5759

 Notice to quit,
   Hereby you are informed you have to quit the premises you hold until
   March, 21, 2014.
   If you stay in the currently occupied premises for a longer period of
   time,
   you will be assigned by court for forced eviction scheduled for April
   5, 2014.
   If court executives do not find you at home on the specified date,
   the court will disclaim any responsibility for safe keeping
   of your property left in the premises.
   Whether you fail to fulfill the requirements of the court
   you might be held liable to a fine equal to 100 minimum wage amounts.
   Attention.
   The adjudication details can be found attached to this notice.
   Bailiff of the court,
   RUSSELL ORTIZ 

In the case there is a ZIP file Details_For_Arrears_Document_29-01-2014_Copy_N5146.zip which contains a malicious executable Details_For_Arrears_Document_29-01-2014.exe which has an icon that makes it look like a Word document. The VirusTotal detection for this is 17/49. ThreatExpert reports a connection to 77.72.26.97 (Tesene SRL, Italy).

Update (31/1/14): Another couple of variations with a slightly different payload:

Date:      Fri, 31 Jan 2014 00:30:51 -0400 [01/30/14 23:30:51 EST]
From:      Eviction Notice [support.5@perkinscoie.com]
Subject:      Eviction notification No8423

 Eviction notice,

   Hereby you are notified that you have to move to another
   location from the currently occupied premises within
   the next three weeks.

   Please find the lawsuit details attached to this letter.

   If you do not move within this period of time,
   we will have no other alternative than to have you
   physically removed from the property per order of the Judge.

   If we can be of any assistance to you during your relocation,
   please feel free to contact us any time.

   Court representative,
   Emma Mason

---

Date:      Thu, 30 Jan 2014 14:23:27 -0500 [01/30/14 14:23:27 EST]
From:      Eviction Notice [support.7@perkinscoie.com]
Subject:      Notice to quit No8116

 Eviction notice,
   Hereby you are notified that you have to move to another
   location from the currently occupied premises within
   the next three weeks.
   Please find the lawsuit details attached to this letter.
   If you do not move within this period of time,
   we will have no other alternative than to have you
   physically removed from the property per order of the Judge.
   If we can be of any assistance to you during your relocation,
   please feel free to contact us any time.
   Court representative,
   Mary Tailor

The attachments on these two samples were Lawsuit_Details _Attache_ID88-175.zip and Lawsuit_Details _Attache_ID91-380.zip in turn containing a malicious executable Lawsuit_Details _Court_Representative.exe which has a VirusTotal detection rate of 16/50.  The ThreatExpert analysis shows an outbound connection to 41.86.112.12 (Mweb Connect, South Africa) also other analysis tools don't spot this [1] [2] [3].

Update (4/2/14): the spam run is ongoing with a couple of news ones spotted..

Date:      Mon, 03 Feb 2014 22:57:06 -0400 [02/03/14 21:57:06 EST]
From:      Eviction Notification [notice_support.7@littler.com]
Subject:      Evition notice No3998

 Eviction notification,
   You are hereby given notice that you are in breach
   of your tenancy of the premises you currently occupy.
   To remedy the breach you have to quit
   the premises within the following four weeks.
   If you fail to comply you will be physically removed
   and fined for up to 100 minimum monthly wages.
   Detailed information is attached herewith.
   Court secretary,
   RUSSO Anthony

-----------------------

Date:      Tue, 04 Feb 2014 10:29:55 -0500 [10:29:55 EST]
From:      Notice to quit [notice_service@kirkland.com]
Subject:      Notice to exit the premises No8527

 Notice to quit,
   We regret to inform you that in the period until 04/02/14
   you will have to relocate from the currently occupied premises.
   If the property is not timely vacated we will have to apply sanctions
   against you.
   Case details are attached to the present notice.
   Court secretary,
   JENSEN TATE 

Two sample attachment names are Lawsuit_Details _Copy_ID131-06.zip and Lawsuit_Details _Copy_SN_98-273.zip only one of which seems unzippable to Lawsuit_Details _Court Secretary_02-03-2014.exe which has a VirusTotal detection rate of 28/51. Most automated analysis tools are pretty inconclusive about what it does [1] [2] [3], but ThreatExpert reports an attempted connection to a server at 77.72.26.97 (Tesene, Italy) which has been used before in this attack.

RingCentral "New Fax Message on 01/22/2013" spam

This fake RingCentral fax spam has a malicious attachment:

Date:      Tue, 28 Jan 2014 14:28:24 +0000 [09:28:24 EST]
From:      Sheila Wise [client@financesup.ru]
Subject:      New Fax Message on 01/22/2013

You Have a New Fax Message
From:     (691) 770-2954
Received:     Wednesday, January 22, 2014 at 11:31 AM
Pages:     5
   

To view this message, please open the attachment

Thank you for using RingCentral.

Attached is a file fax.zip which in turn contains a malicious exectable fax.doc.exe with an icon to make it look like a Word document. The VirusTotal detection rate for the document is 10/50, and the Malwr analysis shows an attempted callback to ren7oaks.co.uk on 91.238.164.2 (Enix Ltd, UK).

The executable then downloads an apparently encrypted file from [donotclick]ren7oaks.co.uk/images/al2701.enc which has defied my half-hearted attempts an analysis.




fff

Ongoing Fake flash update via .js injection and SkyDrive, Part II

A few days ago I wrote about some ongoing injection attacks that were leading to Adscend Media LLC ads. Adscend say that the affiliate using their ad system was banned, although the ad code is still showing in the injection attacks themselves (update: you can see their take on this in the comments below). F-Secure also covered the attacks from a different aspect.

Although these injection attacks have died down a little they are still ongoing, but usually by the time I get to have a look at them part of the infection chain has been cleaned up. However, this infection is still current and shows what it going on at the moment.

In the case the code has been injected into the legitimate website sotralu.fr (report here) by altering the site's JS files, for example [donotclick]www.sotralu.fr/local/cache-js/fc1bd2678ffcf630f1ab8e56bda3ce7b.js

The code is fairly distinctive being attached at the bottom of the .js file, and it has a limited and fairly generic set of results at VirusTotal.

In this case the injection attempts to run a script from [donotclick]adsrr.home.pl/_vti_txt/rNn3m1K9.php?id=47276976 which in turn tries to download most of its content from [donotclick]adsrr.home.pl/_vti_txt/imgfiles/b.html (report here) which presents itself as a fake Flash update banner.

As well as the Adscend Media ad, this directs the user to download flashplayerinstaller.exe from [donotclick-https]skydrive.live.com/download.aspx?cid=cafe68e3dcbe2d33&resid=CAFE68E3DCBE2D33%21111 which has a VirusTotal detection rate of just 2/50. The Malwr analysis of this file shows a subsequent download from [donotclick-https]skydrive.live.com/download.aspx?cid=cafe68e3dcbe2d33&resid=CAFE68E3DCBE2D33%21112 which has a VirusTotal detection rate of 7/50 but a rather inconclusive Malwr report showing that it modifies the computer to run at startup.

Other researchers might want to grab those files and have a poke at them, so I haven't reported them yet. I'd be interested if anybody can get more intel on whoever is behind it.

The use of SkyDrive is sneaky, but you might decide that it's the sort of thing that you want to block in your corporate environment anyway. It might just be that the best way to counter this sort of attack is to apply a bit of user education about the threat.

"Skype Missed voice message" spam

This fake Skype email has a malicious attachment:

Date:      Mon, 27 Jan 2014 19:37:11 +0300 [11:37:11 EST]
From:      Administrator [docs1@victimdomain.com]
Subject:      Skype Missed voice message

Skype system:
You have received a voice mail message.
Date 01/27/2014
Message length is 00:01:18. 

Attached to the email message is an archive file Skype-message.zip which in turn contains a malicious executable Voice_Mail_Message.exe which has a VirusTotal detection rate of 13/49. Malwr reports that the malware calls home to rockthecasbah.eu on  64.50.166.122 (LunarPages, US). This server has been compromised before and I recommend you block traffic to it.