Scammers can be really stupid. Take these guys who are running a non-existent UK National Lottery / FIFA Brazil 2014 World Cup scam.
The scam purportedly comes from a "Mrs Hilda Adams" and references a fake company:
Equity Investment Limited
132 Blackburn Road
Bolton
BL7 9RP
England
UK
Tel: 00447924556231
Email: uklclaims@mail.com
Some key parts of the email are:
Reference: EKS255125600304
Ticket number: 034-1416-4612750
But search for "Equity Investment Limited" on just about any search engine and the first hit you will get is an article I wrote way back in 2003 about a lottery scam using a company of exactly the same name.
The email address is a throwaway free email account, and the telephone number looks British but is in fact a forwarding number provided by Cloud9 which could forward calls to anywhere in the world. This type of "follow me anywhere" number is often abused by scammers. As for the address.. well, it's unlikely that whoever lives at that address has anything to do with this at all.
Luckily, most people who run lottery scams have the intelligence of a box of rocks. And it seems that quite a few of their victims have heard of a thing called a search engine..
Friday, 13 June 2014
Something evil on 64.202.123.43 and 64.202.123.44
This is one of those ephemeral traces of malware you sometimes see, like a will-o'-the-wisp. Something seems to be there, but on closer examination it has vanished. But this isn't an illusion, it seems to be a cleverly constructed way of distributing malware which pops up and then vanishes before anyone can analyse it.
The source of the infection seems to be a malvertisement on one of those sites with an immensely complicated set of scripts running on all sorts of different sites, including those low-grade ad networks that have a reputation for not giving a damn about what their advertisers are doing.
In this case, the visitor gets directed to a page at 12ljeot1.wdelab.com/ijvdg2k/2 which got picked up with a generic malware detection.. but by the time anyone gets to investigate the domain it is mysteriously not resolving.
What appears to be happening is that the bad guys are publishing the malicious subdomains only for a very short time, then they stop it resolving and they publish another one. And one thing all these domains have in common is that they are using afraid.org for nameserver services.
A bit of investigation shows that this malware is hosted on a pair of servers at 64.202.123.43 and 64.202.123.44 (HostForWeb, US), and despite the bad guys' efforts they do leave a trace on services such as VirusTotal [1] [2] and URLquery [3]. This particular URLquery report shows indications of the Fiesta EK.
The attackers are covering their traces by using legitimate hijacked domains, the owners of which may not even be aware of the problem. Despite there being a large number of subdomains, I can only spot six domains being abused:
theholdens.org
denytech.com
jonmills.org
wdelab.com
dimatur.pt
hebel.ch
A full list of the subdomains that I have found so far can be found here [pastebin].
A look at the 64.202.123.0/24 block shows a mix of legitimate sites, plus some spammy ones and quite a lot that look malicious. If you are running a high-security environment then you might want to block this whole range. Otherwise, I would recommend the following minimum blocklist:
64.202.123.43
64.202.123.44
theholdens.org
denytech.com
jonmills.org
wdelab.com
dimatur.pt
hebel.ch
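The minimum blocklist above mixes single IPs and bare domains, and the malicious hosts are throwaway subdomains of those domains, so any matcher has to treat a domain entry as a suffix on label boundaries (12ljeot1.wdelab.com is caught by wdelab.com, but notwdelab.com is not) and an IP entry as a network that can later be widened to the whole 64.202.123.0/24. The following Python is an added example written for this page, not a tool from the post; the log lines are constructed, and the 198.51.100.x / 203.0.113.x addresses are documentation ranges standing in for benign hosts.

```python
import ipaddress
from dataclasses import dataclass, field

# The minimum blocklist from the post above (IPs and bare domains mixed).
BLOCKLIST = """
64.202.123.43
64.202.123.44
theholdens.org
denytech.com
jonmills.org
wdelab.com
dimatur.pt
hebel.ch
"""

# Constructed proxy-log lines: "<requested host> <destination IP>".
# 198.51.100.x and 203.0.113.x are documentation ranges standing in for benign hosts.
LOG = [
    "12ljeot1.wdelab.com 64.202.123.43",   # the short-lived subdomain from the post
    "notwdelab.com 198.51.100.7",          # must NOT match: not a subdomain of wdelab.com
    "www.example.com 64.202.123.44",       # benign-looking name, but bad destination IP
    "www.example.com 198.51.100.8",
    "cdn.hebel.ch. 203.0.113.5",           # trailing dot (absolute name) still matches
]


@dataclass
class Blocklist:
    networks: list = field(default_factory=list)  # ip_network objects; single IPs become /32
    domains: set = field(default_factory=set)     # lower-cased, no trailing dot

    @classmethod
    def parse(cls, text):
        """Read one indicator per line; '#' starts a comment. Anything that is not
        an IP address or CIDR range is treated as a domain name."""
        bl = cls()
        for raw in text.splitlines():
            line = raw.split("#", 1)[0].strip()
            if not line:
                continue
            try:
                bl.networks.append(ipaddress.ip_network(line, strict=False))
            except ValueError:
                bl.domains.add(line.lower().rstrip("."))
        return bl

    def matches_ip(self, ip):
        """Return the blocklist network containing ip (as a string), or None."""
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            return None
        return next((str(net) for net in self.networks if addr in net), None)

    def matches_host(self, host):
        """Return the blocklist domain that host equals or is a subdomain of, or None.
        Walking up the label chain keeps the match on label boundaries, which a
        plain endswith() check would not (it would accept notwdelab.com)."""
        labels = host.lower().rstrip(".").split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            if candidate in self.domains:
                return candidate
        return None


def find_hits(blocklist_text, log_lines):
    """Return [(line, [reasons])] for every log line that hits the blocklist."""
    bl = Blocklist.parse(blocklist_text)
    hits = []
    for line in log_lines:
        host, _, ip = line.partition(" ")
        reasons = []
        dom = bl.matches_host(host)
        if dom:
            reasons.append("domain:" + dom)
        net = bl.matches_ip(ip.strip())
        if net:
            reasons.append("net:" + net)
        if reasons:
            hits.append((line, reasons))
    return hits


if __name__ == "__main__":
    for line, reasons in find_hits(BLOCKLIST, LOG):
        print(line, "->", ", ".join(reasons))
    # Widening to the whole /24, as suggested for high-security environments:
    wide = Blocklist.parse(BLOCKLIST + "64.202.123.0/24\n")
    print("64.202.123.100 blocked by", wide.matches_ip("64.202.123.100"))
```

Because the parser accepts CIDR notation, the same list can hold single hosts today and be widened to 64.202.123.0/24 later without changing the matching code.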
Labels: HostForWeb, Malvertising, Malware, Viruses
Thursday, 12 June 2014
pcwelt.de hacked, serving EK on 91.121.51.237
The forum of popular German IT news site pcwelt.de has been hacked and is sending visitors to the Angler exploit kit.
Visitors to the forum load a compromised script hxxp://www[.]pcwelt[.]de/forum/map/vbulletin_sitemap_forum_13.xml.js which contains some Base64 obfuscated malicious code (see Pastebin here) using a date-based DGA (domain generation algorithm) to direct visitors to a URL with the following format:
[7-or-8-digit-hex-string].pw/nbe.html?0.[random-number]
The .pw domain contains Base64 encoded data which points to the payload kit, in this case [donotclick]exburge-deinothe.type2consulting.net:2980/meuu5z7b3w.php (Pastebin) which is hosted on 91.121.51.237 (OVH, France). This appears to be the Angler EK.
It looks like the EK domains rotate regularly, but the following sites can be observed on this address:
ingetrekte.valueoptimizationfrontier.com
shellshellwillbomb.type2consulting.net
voorspannenzl.valueoptimizationfrontier.com
tourmenterai.afiduciaryfirst.com
kingyoku.typetwoconsulting.com
mittelbau.typetwoconsulting.com
yogeespith1.typetwoconsulting.com
rozrzewnienie.typetwoconsulting.com
geschaeftlichen.typetwoconsulting.com
kyhtyy-pimprinum.typetwoconsulting.com
jezuietendriesthe.typetwoconsulting.com
depolitsuperconfusion.typetwoconsulting.com
degivreraitdeorganization.typetwoconsulting.com
sknktekonzile-streelsters.typetwoconsulting.com
shogunalbeschenktet.viverebenealcaldo.com
subigi.valueoptimizationfrontier.com
totalize.valueoptimizationfrontier.com
puyaljoukou.valueoptimizationfrontier.com
weisungsgemaess.valueoptimizationfrontier.com
kezune-palpitera.valueoptimizationfrontier.com
remorquervltimme.valueoptimizationfrontier.com
clackdisfundamellemting.valueoptimizationfrontier.com
doscall.type2consulting.net
pehmoilla.type2consulting.net
moariesubigissem.type2consulting.net
unvigilant-straucht.type2consulting.net
mycetozoanreassesses.type2consulting.net
It is worth noting that these domains appear to have been hijacked from a GoDaddy customer:
type2consulting.net
valueoptimizationfrontier.com
typetwoconsulting.com
afiduciaryfirst.com
The following .pw sites are live right now, hiding behind Cloudflare:
7411447a.pw
31674ec.pw
e4ae59eb.pw
95bded0e.pw
Recommended blocklist:
91.121.51.237
type2consulting.net
valueoptimizationfrontier.com
typetwoconsulting.com
afiduciaryfirst.com
7411447a.pw
31674ec.pw
e4ae59eb.pw
95bded0e.pw
(and if you can block all .pw domains then it is probably worth doing that too)
Thanks to the #MalwareMustDie crew and Steven Burn for help with this analysis.
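The gate URL shape quoted above ([7-or-8-digit-hex-string].pw/nbe.html?0.[random-number]) is specific enough to match in proxy logs without knowing the DGA itself. The following Python is an added example, not code from the post or from the analysis it cites: it flags URLs matching that exact shape, separately flags any other .pw host to support the blanket .pw block suggested above, and, as a weaker heuristic that is my own assumption rather than something observed in the post, flags the same path and query shape on a non-.pw host in case the TLD changes. The log lines are constructed (URLs from the post plus invented benign traffic).

```python
import re
from urllib.parse import urlsplit

# Shape of the Angler gate URL reported above:
#   [7-or-8-digit-hex-string].pw/nbe.html?0.[random-number]
DGA_HOST = re.compile(r"^[0-9a-f]{7,8}\.pw$", re.IGNORECASE)
DGA_PATH = re.compile(r"^/nbe\.html$")
DGA_QUERY = re.compile(r"^0\.\d+$")   # "0.<digits>", i.e. a Math.random()-style cache-buster

# Constructed proxy-log lines: "<epoch> <client> <url>". The pcwelt.de, .pw and
# type2consulting.net URLs are the ones quoted in the post; the rest are invented benign traffic.
LOG = [
    "1402490000.123 10.0.0.5 http://www.pcwelt.de/forum/map/vbulletin_sitemap_forum_13.xml.js",
    "1402490001.456 10.0.0.5 http://7411447a.pw/nbe.html?0.8353719",
    "1402490002.789 10.0.0.5 http://exburge-deinothe.type2consulting.net:2980/meuu5z7b3w.php",
    "1402490003.000 10.0.0.6 http://e4ae59eb.pw/index.html",
    "1402490004.000 10.0.0.7 http://example.com/nbe.html?0.12345",
    "1402490005.000 10.0.0.8 http://abc.pw.example.com/",
]


def classify_url(url):
    """'dga'       - host, path and query all match the gate pattern above
       'pw-tld'    - any other host under .pw (for the blanket .pw block)
       'gate-path' - gate-shaped path and query on a non-.pw host (assumed heuristic)
       None        - everything else"""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").rstrip(".")   # hostname is already lower-cased, port stripped
    gate_like = bool(DGA_PATH.match(parts.path) and DGA_QUERY.match(parts.query))
    if DGA_HOST.match(host) and gate_like:
        return "dga"
    if host.endswith(".pw"):
        return "pw-tld"
    if gate_like:
        return "gate-path"
    return None


def scan_log(lines):
    """Return [(url, verdict)] for log lines whose URL is flagged."""
    flagged = []
    for line in lines:
        fields = line.split(None, 2)
        if len(fields) < 3:
            continue  # malformed line; skip it rather than abort the scan
        verdict = classify_url(fields[2])
        if verdict:
            flagged.append((fields[2], verdict))
    return flagged


if __name__ == "__main__":
    for url, verdict in scan_log(LOG):
        print(verdict, url)
```

Note that the EK landing page itself (the type2consulting.net URL on port 2980) is not caught by this pattern; those hijacked domains belong in a suffix blocklist rather than a URL-shape rule.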
Labels: Angler EK, France, Germany, Hacked sites, Injection Attacks, OVH
Wednesday, 11 June 2014
Fake RBS spam spreads malware via Cubby.com
This fake bank spam downloads malware from file sharing site cubby.com:
From: Sammie Aaron [Sammie@rbs.com]
Date: 11 June 2014 12:20
Subject: Important Docs
Please review attached documents regarding your account.
To view/download your documents please click here
Tel: 01322 215660
Fax: 01322 796957
email: Sammie@rbs.com
This information is classified as Confidential unless otherwise stated.
The download location is [donotclick]www.cubby.com/pl/Document-772976_829712.zip/_e97c36c260ed454d8962503b18e37e86 which downloads a file Document-772976_829712.zip which in turn contains a malicious executable Document-772976_829712.scr which has VirusTotal detection rate of just 1/54.
Automated analysis tools [1] [2] [3] [4] show that it creates a file with the misleading name googleupdaterr.exe and attempts to communicate with the following IPs:
85.25.148.6 (Intergenia AG, Germany)
192.99.6.61 (OVH, Canada)
217.12.207.151 (ITL Company, Ukraine)
(Plain list)
85.25.148.6
192.99.6.61
217.12.207.151
Tuesday, 10 June 2014
"You have received a voice mail" spam downloads malware from Dropbox
Another fake voice message spam, and another malware attack downloading from Dropbox.
The link downloads a file VOICE-864169741-28641.zip which in turn contains a malicious executable VOICE-864169741-28641.scr which has a VirusTotal detection rate of 4/52. Automated analysis [1] [2] [3] [4] indicates that it downloads files from the following domains:
newsbrontima.com
yaroshwelcome.com
granatebit.com
teromasla.com
rearbeab.com
From: Microsoft Outlook [no-reply@victimdomain]
Date: 10 June 2014 15:05
Subject: You have received a voice mail
You received a voice mail : VOICE437-349-3989.wav (29 KB)
Caller-Id: 437-349-3989
Message-Id: U7C7CI
Email-Id: [redacted]
Download and extract the attachment to listen the message.
We have uploaded fax report on dropbox, please use the following link to download your file:
https://www.dropbox.com/meta_dl/eyJzdWJfcGF0aCI6ICIiLCAidGVzdF9saW5rIjogZmFsc2UsICJzZXJ2ZXIiOiAiZGwuZHJvcGJveHVzZXJjb250ZW50LmNvbSIsICJpdGVtX2lkIjogbnVsbCwgImlzX2RpciI6IGZhbHNlLCAidGtleSI6ICIxeWEwMGx3enQ1aWdpOXEifQ/AANABss7_JqczoocZG5p_SjA659fq_BNbEs6hyC4CqDuBA?dl=1
Sent by Microsoft Exchange Server
Monday, 9 June 2014
"inovice 2110254 June" spam
This terse but badly-spelled spam has a malicious attachment:
Date: Mon, 09 Jun 2014 18:03:10 +0530 [08:33:10 EDT]
From: Ladonna Gray [wtgipagw@airtelbroadband.in]
Subject: inovice 2110254 June
This email contains an invoice file attachment
Attached is an archive file invoice_2110254.zip which in turn contains the malicious executable invoice_98372342598730_pdf.exe which has a VirusTotal detection rate of 4/52. Automated analysis tools are not able to determine exactly what the malware does.
UPDATE 1: A Malwr analysis of the malware can be found here. It makes the following HTTP connections:
[donotclick]62.76.189.58:8080/dron/ge.php
[donotclick]62.76.41.73:8080/tst/b_cr.exe
It also drops a file KB05152056.exe which has a VirusTotal detection rate of 5/51. Analysis is pending.
UPDATE 2: the Malwr analysis of the second binary is here. This makes a connection to 62.76.185.30.
All the IP addresses listed belong to Clodo-Cloud in Russia:
62.76.41.73
62.76.185.30
62.76.189.58
Although there are probably some legitimate sites in these ranges, you might want to consider blocking the following if you feel like it:
62.76.40.0/21
62.76.184.0/21
Saturday, 7 June 2014
Institute of Project Management America (instituteofprojectmanagementamerica.org). Is this a scam?
Three years ago I was spammed by an organisation called the North American Program Planning and Policy Academy (NAPPPA) which was attempting to get me to sign up for some seminars. It looked like a scam at the time, and it still looks like a scam now.
It took me a year of sporadic research to come up with the names of the people running the scam: Anthony Christopher Jones (sometimes known as "Tony Jones") and Patchree Patchrint (known as "Patty Patchrint"). After I exposed them and detailed some of the evidence against them, NAPPPA, Jones and Patchrint dropped out of view. I assumed that this was the cockroach effect.. switch the lights on, and the roaches scurry for cover.
It looks like I was wrong.
An unexpected comment on my blog post opened up a new line of investigation.
Lem said...
Could this be the same Anthony C Jones and Patty Jones (or Patchree Patchrint) that ran NAPPPA?
I wish I would have found this blog prior to teaching a course for the Institute of Project Management America (IPMA). www.instituteofprojectmanagementamerica.org
The student certificates were signed by none other than Anthony C. Jones. Needless to say, I have not been paid nor the facility that hosted the training. I plan to sue them. In addition, there is a Patty Jones serving as the administrator/front person for IPMA. Perhaps his spouse. If anyone has any additional information about them, please share.
6 June 2014 22:25
A look at instituteofprojectmanagementamerica.org shows an unremarkable site, but one which is carefully devoid of any contact details. The WHOIS records for the domain are hidden, and the only contact data that can be found are the telephone numbers 888-859-5659 and 866-959-3543.
The logo on the website has been recycled from elsewhere and otherwise the template is bland, professional looking but completely anonymous.
A close look at the hosting history shows a number of related sites, which are either direct clones of instituteofprojectmanagementamerica.org or previous versions of it. A full list is at the end of the post in Appendix 1, but the principal domain names in use are:
americanprojectmanagementusa.org
instituteofprojectmanagementamerica.org
instituteofprojectmanagementamerica2.org
instituteofprojectmanagementamerica3.org
instituteofprojectmanagementamerica4.org
ipma5.org
ipma6.org
ipma7.org
mastercoursedevelopment.org
projectmanagementusa.org
projectmanagementusa1.org
projectmanagementusa2.org
projectmanagementusa3.org
The ones in the format projectmanagementusa3.org go all the way up to projectmanagementusa212.org. Who needs 212 copies of the same website? Well, spammers use this technique to evade blacklisting.
The domains americanprojectmanagementusa.org and projectmanagementusa.org are rather interesting as they are an older generation of the "Institute of Project Management America" spam site, entitled "American Project Management" (you can see them at the Internet Archive).
A quick search against the phone numbers listed on that site (213-293-7410, 877-359-1110 and 888-739-0821) leads us to a BBB report with an alert saying the business has ceased trading.
The BBB indicates that this is a Colorado business, but a search of State records shows that there is no such business of that name registered in that state.
But a further Google search of the phone numbers also brings up this document at Scribd outlining the so-called American Project Management outfit and its activities [pdf copy here]. And who uploaded the document? A user called ppatchrint. That is undoubtedly Patchree Patchrint.
This document gives a California address rather than a Colorado one:
American Project Management
645 W. 9th Street
Unit 110-603
Los Angeles, CA 90015
So this gives us a clue to search the state records in California. An LLC search for "Institute of Project Management America" comes up blank, but a search for "American Project Management" comes up with a hit for "DDGLA AMERICAN PROJECT MANAGEMENT, LLC"
Now, I know that "DDGLA American Project Management LLC" is not quite the same thing as "American Project Management", but the "645 WEST 9TH ST STE 110-603" address is the same as "645 W. 9th Street, Unit 110-603" as seen in the Scribd document. So there's a high likelihood that this is a match.. but there's no real contact information for this company.
But what does DDGLA actually stand for? I've been down this particular path with the NAPPPA investigation, so I know that DDGLA actually stands for "DOSS Development Group Los Angeles". A search for DOSS DEVELOPMENT GROUP at the California secretary of state reveals a name behind that company. And you've probably already guessed that it is Patchree Patchrint aka Patty Jones.
So, between the blog comments, the Scribd document and data held by the California Secretary of State, there are now three points of evidence linking the "Institute of Project Management America" and "American Project Management" with Patchree Patchrint aka Patty Jones and Anthony Christopher Jones.
So, is it a scam?
I haven't personally seen any spam promoting this so-called institute, but that was the basic approach with NAPPPA. Millions of credible-looking spam emails were sent out to universities and other organisations, which published them in good faith (such as this one):
Project Management Masters Certification Program
June 10-13, 2014
Association of Research and Enlightenment of New York
The PMMC is designed for those seeking professional project management certification.
PMMC program provides 36 hours of project management education, meeting education requirements for both PMI's Certified Associate in Project Management (CAPM) ® and Project Management Professional (PMP) certifications. The program meets the education requirement for all professional designations through the Project Management Institute and other professional agencies. Additionally, the program awards 3.6 Continuing Education Units (CEUs) upon request. Tuition for the four-day Project Management Masters Certification program is $995.00
Participants may reserve a seat online at the website, or by calling the Program Office toll-free at (888) 859-5659
Go to: http://www.instituteofprojectmanagementamerica.org/
What happened with NAPPPA is that these courses appeared to be booked at universities throughout the US, presumably to give them an air of authenticity. But at the last moment the venue for the course got moved to somewhere off-campus, people drafted in to teach the course never got paid and many students complained that the courses were of low quality. I don't doubt that the same is happening here.
In fact, this scam has been going on for a long time. Before the Institute of Project Management America, American Project Management and the North American Program Planning and Policy Academy there were other similar scammy outfits.
The "Institute for Communication Improvement, LLC" (aka "The Grant Institute") seems to be the best known. For example:
- The Texas Workforce Commission issued a cease and desist order against them in 2008.
- The North Dakota AG's office warned about them in the same year. [PDF]
- The state of Iowa issued a warning using their alternate name "The Grants Institute" [scroll down to the bottom of page 4]
Given the history of this pair, it is my personal opinion that the Institute of Project Management America is a scam. Indeed, DDGLA American Project Management LLC have already been successfully sued in California over their unethical operations.
Who are Anthony Christopher Jones and Patchree Patchrint (Patty Jones)?
I covered this pair before: a California-based husband-and-wife team with links to Hacienda Heights and Los Angeles. In addition to the programs listed above, they have run a number of (mostly failed) LA-based restaurants such as Mother Road, Mode, and the Royale on Wilshire.
DDGLA is also associated with the following (apparently defunct) websites:
- ddglacommercial.com
- pettycashadvance.com
- bankddgla.com
- ddglafinancial.com
What should you do if you are unhappy with the Institute of Project Management America?
I don't live in the US so I'm not 100% familiar with the processes that you can use. But if you think you have been ripped off then complaining to the BBB, your local Attorney General, law enforcement or the courts seems to be the way to go. I don't have a current address for this pair; however, if you manage to turn one up then I can share it if you send me an email.
Appendix 1:
These are a selection of the domains and IPs used. There are hundreds of other ones, especially in the format projectmanagementusa111.org.
americanprojectmanagementusa.org
instituteofprojectmanagementamerica.org
instituteofprojectmanagementamerica2.org
instituteofprojectmanagementamerica3.org
instituteofprojectmanagementamerica4.org
ipma5.org
ipma6.org
ipma7.org
mastercoursedevelopment.org
projectmanagementusa.org
projectmanagementusa1.org
projectmanagementusa2.org
projectmanagementusa3.org
projectmanagementusa4.org
projectmanagementusa5.org
projectmanagementusa6.org
projectmanagementusa7.org
projectmanagementusa8.org
projectmanagementusa9.org
projectmanagementusa10.org
projectmanagementusa11.org
projectmanagementusa12.org
projectmanagementusa13.org
projectmanagementusa14.org
projectmanagementusa15.org
projectmanagementusa16.org
projectmanagementusa17.org
projectmanagementusa18.org
projectmanagementusa19.org
projectmanagementusa20.org
projectmanagementusa22.org
projectmanagementusa28.org
projectmanagementusa31.org
projectmanagementusa32.org
projectmanagementusa36.org
projectmanagementusa37.org
projectmanagementusa38.org
projectmanagementusa39.org
projectmanagementusa41.org
projectmanagementusa43.org
projectmanagementusa44.org
projectmanagementusa46.org
projectmanagementusa77.org
projectmanagementusa92.org
projectmanagementusa99.org
projectmanagementusa100.org
projectmanagementusa111.org
projectmanagementusa114.org
projectmanagementusa143.org
projectmanagementusa157.org
projectmanagementusa210.org
projectmanagementusa212.org
23.94.13.183
23.249.165.7
37.59.255.192
50.2.193.25
63.223.125.56
63.223.125.58
64.37.51.2
64.37.51.10
64.37.51.19
64.37.51.45
64.37.51.80
64.37.51.107
64.37.51.110
64.37.51.112
67.23.232.6
67.23.238.35
67.23.238.36
67.23.242.154
67.23.242.181
67.222.130.43
75.127.3.76
96.44.146.44
96.44.189.189
107.155.68.39
107.158.160.92
107.161.114.135
107.161.158.57
107.178.105.133
108.160.156.59
108.174.54.119
109.169.37.185
109.169.56.251
109.169.58.167
109.169.63.171
109.169.64.155
109.169.64.158
109.169.64.184
109.169.64.196
109.169.64.211
109.169.87.169
142.0.39.203
142.0.42.156
162.221.176.120
162.244.77.138
162.248.211.236
172.245.33.189
172.245.44.90
172.245.44.144
172.245.44.189
172.245.136.161
173.232.104.208
192.3.1.155
192.3.121.202
192.3.161.123
192.3.161.130
192.40.57.130
192.198.90.160
192.210.137.134
192.210.138.205
192.210.142.101
192.210.211.112
192.227.166.167
192.227.182.169
198.23.167.152
198.23.242.196
198.49.73.17
198.143.0.171
198.143.1.71
199.168.142.113
199.204.23.35
199.204.23.129
199.204.23.151
199.204.184.164
199.233.232.177
199.241.191.215
209.105.248.47
Labels: Institute of Project Management America, IPMA, NAPPPA, Scam, Spam
Thursday, 5 June 2014
dedicatedpool.com.. spam or Joe Job?
I received a number of spam emails mentioning a Bitcoin mining website, dedicatedpool.com. Subjects spotted are:
Subject: Bitcoins are around you - don't miss the train!
Subject: Dedicatedpool.com business proposal (Save up on taxes)
Subject: Make money with darkcoin and bitcoin now!
Body text:
Hello,
Have you heard about bitcoins? I bet you did. Do you know how to make
money on it? Don.t worry, we are professionals in bitcoin and alternative
cryptocurrencies world and we will help you monetize your computing
hardware into bitcoins in no time. Come and joins us at
http://dedicatedpool.com and join our IRC chat at
http://dedicatedpool.com/?page=about&action=chat
--
Ryan, dedicatedpool.com support/admin
------------------------
Don't want Government to steal your money?
Join us at http://dedicatedpool.com and learn how you can save up on
taxes by using bitcoin, darkcoin and other cryptocurrencies!
We will provide you with detailed instructions on how to set up all
hardware in your house and start keeping your money instead of paying
taxes. 100% legal!
Please register at http://dedicatedpool.com
--
Ryan, dedicatedpool.com support/admin
------------------------
Do you have income but you don't want Obama to steal it from you? Come and
join us and turn your electricity cost into cash!
The only pool you can trust - come and mine bitcoins/altcoins with us. We
will provide you detailed guide on how to setup equipment in your house
that will turn electricity into bitcoins!
No taxes no problems: http://Dedicatedpool.com/
--
Ryan, dedicatedpool.com support/admin
However, the pattern of the spam looks like a Joe Job rather than some horribly misguided attempt to market the website. There are several signs that make it look like someone is trying to cause trouble for the site operators:
- The spam was sent repeatedly to a spamcop.net address, the type of address that would have a high probability of filing an abuse report. I call this a "reverse listwash".
- The spam mentions the established dedicatedpool.com website repeatedly (rather than using some sort of redirector) but the originating IPs appear to be from an illegal botnet (see note 1). The use of a botnet indicates a malicious intent.
- Spammers don't tend to include personal details of any sort in their messages, but the inclusion of "Ryan" (who does genuinely appear to be the administrator) seems suspicious.
Note 1: I have seen the following IPs as originating the spam..
188.54.89.107
92.83.156.130
31.192.3.89
37.99.127.11
87.109.78.213
Wednesday, 4 June 2014
Amazon.com spam / order.zip
This fake Amazon spam has a malicious attachment:
Date: Wed, 04 Jun 2014 11:55:10 +0200 [05:55:10 EDT]
From: "Amazon.com"
Subject: Shipping Confirmation : Order #002-1301707075-0206502025
Amazon
Your Recommendations
| Your Orders | Amazon.com
Shipping Confirmation
Order #002-1660680038-7011611870
Hello ,
Thank you for shopping with us. We'd like to let you know that Amazon has received your order, and is preparing it for shipment. Your estimated delivery date is below. If you would like to view the status of your order report is attached here.
This email was sent from a notification-only address that cannot accept incoming email. Please do not reply to this message.
Attached to the spam is an archive file order.zip which in turn contains a malicious executable order_id_26348273894729847239.exe which has a VirusTotal detection rate of 4/51.
Automated analysis tools [1] [2] [3] shows the malware altering system files and creating a fake csrss.exe and svhost.exe to run at startup.
The malware also attempts to phone home to two IP addresses at 91.226.212.32 and 193.203.48.37 hosted in Russia but controlled by a Ukrainian person or entity, PE Ivanov Vitaliy Sergeevich. These network blocks are well-known purveyors of crapware, and I recommend that you block the following:
91.226.212.0/23
193.203.48.0/22
Thursday, 29 May 2014
More eFax / Dropbox malware spam
From: Incoming Fax [no-reply@efax.co.uk]
Date: 29 May 2014 10:26
Subject: INCOMING FAX REPORT : Remote ID: 499-364-9797
*********************************************************
INCOMING FAX REPORT
*********************************************************
Date/Time: Thu, 29 May 2014 18:26:56 +0900
Speed: 4360bps
Connection time: 07:09
Pages: 9
Resolution: Normal
Remote ID: 915-162-0353
Line number: 0
DTMF/DID:
Description: Internal report
We have uploaded fax report on dropbox, please use the following link to download your file:
https://www.dropbox.com/meta_dl/[redacted]
The malicious download is from [donotclick]www.dropbox.com/meta_dl/eyJzdWJfcGF0aCI6ICIiLCAidGVzdF9saW5rIjogZmFsc2UsICJzZXJ2ZXIiOiAiZGwuZHJvcGJveHVzZXJjb250ZW50LmNvbSIsICJpdGVtX2lkIjogbnVsbCwgImlzX2RpciI6IGZhbHNlLCAidGtleSI6ICJvempiZ256bDM2aGRlMTgifQ/AAKxr3bqwwmIfwE_cp_xalkzMz7tKRtiivmPhViZTBLBkA?dl=1 which is an archive file FAX-21651_7241.zip which in turn contains the malicious executable FAX-21651_7241.scr
This binary has a VirusTotal detection rate of 6/53 and the Malwr report shows that it downloads a file from soleilberbere.com/images/2905UKdw.tar which subsequently drops a file eucis.exe with a VirusTotal detection rate of just 3/51. Automated reports [1] [2] are pretty inconclusive as to what this does.
Wednesday, 28 May 2014
"TPPCO" PPI SMS spam
Despite some high-profile recent cases where SMS spammers have been busted by the ICO, the wave of spam seems to be continuing. This one came less than an hour ago from +447729938098.
Unsure if you qualify for a refund of PPI paid on a loan or credit card? Reply PPI and we will run a no obligation check or reply STOP to opt out. TPPCO
I have no idea who "TPPCO" are, but they are a common sender of these spam messages. In this case, the spam was sent to a number that is TPS registered, and I believe that the approach is fraudulent in any case: in most cases the spammers will get paid for a lead even if it turns out that the claimant wasn't eligible.
If you get one of these, you should forward the spam and the sender's number to your carrier. In the case of T-Mobile, O2 and Orange the number to report to is 7726 ("SPAM"). Vodafone customers should use 87726 ("VSPAM") and Three customers should use 37726 ("3SPAM"). Carriers and the ICO are cracking down on these scumbags, but they need reports from victims to gather enough evidence.
You can also report persistent spam like this via the ICO's page on the subject, which might well end up in the spammers getting a massive fine.
eFax message from "unknown" spam downloads malware from Dropbox
From: eFax [message@inbound.efax.com]
Date: 28 May 2014 13:12
Subject: eFax message from "unknown" - 1 page(s), Caller-ID: 1-949-698-5643
Fax Message [Caller-ID: 1-949-698-5643]
You have received a 1 page fax at Wed, 28 May 2014 09:11:44 GMT.
* The reference number for this fax is atl_did1-1400166434-95058563842-154.
Click here to view this fax using your PDF reader.
Please visit www.eFax.com/en/efax/twa/page/help if you have any questions regarding this message or your service.
Thank you for using the eFax service!
j2 Global | eFax | eVoice | FuseMail | Campaigner | KeepItSafe | OneBox
2014 j2 Global, Inc. All rights reserved.
eFax is a registered trademark of j2 Global, Inc.
This account is subject to the terms listed in the eFax Customer Agreement.
The telephone number will vary from spam-to-spam, but the download link seems consistent and is [donotclick]dl.dropboxusercontent.com/s/uk0mlaixvbg52g2/Fax_938_391102933_1245561.zip?dl=1&token_hash=AAEUA5cH_mfvkp4l4CePv7t100XZKo4GBq6ZxY1UiElKyQ&expiry=1401269894 which leads to a ZIP file Fax_938_391102933_1245561.zip which unzips to a malicious executable Fax_938_391102933_1245561.scr.
This binary has a VirusTotal detection rate of 6/53. Automated reporting tools [1] [2] show a download from landscaping-myrtle-beach.com/wp-content/uploads/2014/05/2805UKdw.dkt which in turn drops the following files:
- baura.exe (VT 3/53, Malwr report)
- yaccpdf.exe (VT 4/53, Malwr report)
- pdfmarks.exe (VT 4/52, Malwr report)
- yxnib.exe (VT 3/53, Malwr report)
Recommended blocklist:
landscaping-myrtle-beach.com
innogate.co.kr
Friday, 23 May 2014
Fake NatWest email downloads malware via Dropbox
This fake NatWest email follows the same pattern as this one except that it is downloading malware via Dropbox rather than Bitly.
From: NatWest.co.uk [noreply@natwest.co.uk]
Date: 23 May 2014 11:36
Subject: NatWest Statement
View Your May 2014 Online Financial Activity Statement
Keep track of your account with your latest Online Financial Activity Statement from NatWest Bank. It's available for you to view at this secure site. Just click to select how you would like to view your statement:
View/Download as a PDF
View all EStatements
So check out your statement right away, or at your earliest convenience.
Thank you for managing your account online.
Sincerely,
NatWest Bank
Please do not respond to this e-mail. If you have any questions about this inquiry message or your NatWest Bank account, please speak to a Customer Service representative at +44 121 635 1592
NatWest Bank Customer Service Department
P.O. Box 414 | 38 Strand, WC2N 5JB, London
Copyright 2014 NatWest Company. All rights reserved.
AGNEUOMS0006001
The link in the email goes to [donotclick]dl.dropboxusercontent.com/s/h8ee7pet8g3myfh/NatWest_Financial_Statement.zip?dl=1&token_hash=AAGNPq4-blG8MXToyYPu1l8lXEyrOQNz6EjK7rUBRaSHGg&expiry=1400838977 which downloads an archive file NatWest_Financial_Statement.zip which in turn contains the malicious executable NatWest_Financial_Statement.scr. This has a VirusTotal detection rate of just 3/52.
Automated analysis tools [1] [2] show that it downloads a component from [donotclick]accessdi.com/wp-content/uploads/2014/04/2305UKmw.zip
The Malwr analysis shows that it then downloads some additional EXE files:
- ibep.exe (VT 2/52, Malwr report)
- kuten.exe (VT 3/52, Malwr report)
- sohal.exe (VT 2/52, Malwr report)
Thursday, 22 May 2014
lormaneducation.net / lorman.com "Lorman Education" spam
These spammers are sending to email addresses they have guessed by parsing my website.
From: Toni Klawiter - Lorman Education [customerservice@lormaneducation.net]
Date: 22 May 2014 16:18
Subject: Status Classification: Exempt vs. Nonexempt
Signed by: lormaneducation.net
Seminars Live Webinars
OnDemand Membership
Status Classification: Exempt vs. Nonexempt
OnDemand Webinar - 93 Minutes
Learn How To:
Identify general principles under the Fair Labor Standards Act.
Explain salary requirements and the highly compensated employee exemption.
Review what an employer can do to assure classifications are accurate and minimize risks.
Discuss the executive, administrative, professional and computer professional duties tests.
More Information
Faculty
Michael A. Pavlick
K&L Gates LLP
The link in the email goes to lormaneducation.net and then forwards immediately to lorman.com, which is a typical technique that spammers use to try to avoid getting blacklisted.
lormaneducation.net is hosted on 64.77.120.67 (Peer 1, US) along with the following domains, which look similarly spammy:
askthefaculty.com
hospitalityandtourismtraining.com
hospitalityandtourismtraining.net
instituteofpropertymanagement.com
instituteofpropertymanagement.net
insurancetrainingresource.com
insurancetrainingresource.net
investmentadvisortraining.com
investmentadvisortraining.net
lorman-education.net
lorman-webinar.com
lorman-webinars.com
lorman.com
lormancontinuingeducation.com
lormaneducation.com
lormaneducation.net
lormaneducationwebinar.com
lormaneducationwebinars.com
lormanondemand.com
lormanpartner.com
lormanseminars.com
lormanseminars.net
lormanteleconferences.com
lormanteleconferences.net
lormantraining.com
lormantraining.net
lormanwebinar.com
lormanwebinars.com
The WHOIS details on the lormaneducation.net spamvertised domain are:
Admin Name: Webmaster
Admin Organization: Lorman Education Group, Inc.
Admin Street: PO Box 509
Admin City: Eau Claire
Admin State/Province: WI
Admin Postal Code: 54702-0509
Admin Country: US
Admin Phone: +1.7158333940
Admin Phone Ext:
Admin Fax:
Admin Fax Ext:
Admin Email: webmaster@lorman.com
Spam originates from 184.175.164.1 (US Signal), in a range suballocated to Lorman; you might want to block traffic from 184.175.164.0/26.
If this company thinks that promoting its seminars through spam is a legitimate way of promoting a business then I would personally give their "seminars" a very wide berth.
Labels:
Spam
#BringBackOurGirls scam
This scam email attempts to steal money from unsuspecting but altruistic people by hijacking the legitimate #BringBackOurGirls campaign.
From: Joy Marcus [joymcus55@gmail.com]
Date: 22 May 2014 00:24
Subject: #BringBackOurGirls
Signed by: gmail.com
Hello,
My beloved brother and sister. I hope my message get to you in peace.
My name is Mary Sambo from Borno state in Nigeria. I am crying while
putting this message together in the church hostel. I lost my husband to
the terrorist attack that is happening in Borno state, my daughters was
kidnap along with the 270 girls been kidnap in school chibok village in
Nigeria, by the terrorist.
Which the entire world is now searching for them. I am 7 month pregnant
and i am staying at the church hostel, we are 30 in a single room, i
don't have access to good medical care and i am afraid my living
condition might affect my unborn child.
I am asking for help from you in other for me to get a place for myself
and also register myself to health center where i will get proper
medical care. Please help me with anything you, May Almighty God reward
you.
Hope to hear from you.
Regards.
Mary Sambo.
Please reply here: marysamb91@yahoo.com
Apparently this church hostel that she is staying in has internet access good enough to send out spam. And although the scammer is soliciting replies to marysamb91@yahoo.com, it is sent from joymcus55@gmail.com, which has its own Google+ profile.. which contains a picture.
Now, I don't know about you.. but I don't think that this looks like a Nigerian woman who has to live in a church hostel. That's because it is a photograph of actress and model Yvette Fintland who would no doubt be very displeased to see her photo being abused in this way (and has nothing whatsoever to do with this scam or spam).
There are no words that can adequately describe the horror of the kidnapping of 200 innocent children. And there are no words that adequately describe the disgust at people who are prepared to exploit this awful event for their own personal gain.
Wednesday, 21 May 2014
Something evil on 93.171.173.173 (Sweet Orange EK)
93.171.173.173 (Alfa Telecom, Russia) is currently distributing the Sweet Orange EK via a bunch of hijacked GoDaddy subdomains. The malware is being spread through code injected into legitimate but hacked websites.
For example [donotclick]www.f1fanatic.co.uk is a compromised website that tries to redirect visitors to two different exploit kits:
[donotclick]adv.atlanticcity.house:13014/sysadmin/wap/fedora.php?database=3
[donotclick]fphgyw.myftp.biz/kfafyfztzhtwvjhpr37ffn9qi7w0ali5rhczqxcgif3d4
The second one is an attempt to load the Fiesta EK although the payload site is currently down. But the .house domain appears to be Sweet Orange (incidentally this is the first time that I've seen one of the new TLDs abused in this way).
The server on 93.171.173.173 hosts a number of subdomains that are hijacked from GoDaddy customers. I recommend that you block either the subdomains or the domains themselves:
img.carmelakaiser.com
img.fortunerealtyli.com
img.realtyconnectli.com
yim.nwcreferrals.com
img.mwinsulationllc.info
img.michaelvallone.com
img.mwinsulationllc.com
adv.davetalbert.com
img.nwcreferrals.com
adv.ajs.club
adv.boisecity.house
adv.catskills.house
adv.atlanticcity.house
adv.beachrental.house
adv.chattanooga.house
adv.beachcottage.house
adv.beachrentals.house
adv.breckenridge.house
adv.coppermountain.house
The EK page itself has a VirusTotal detection rate of 0/53, although hopefully some of the components it installs will trigger a warning.
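The blocklists scattered through the posts above (the two CIDR ranges from the Amazon "Shipping Confirmation" malware, the Lorman /26, the landscaping-myrtle-beach.com / innogate.co.kr pair, and the hijacked subdomains on 93.171.173.173) only help if something actually checks traffic against them. The following is an added Python example, not code from this blog, that runs those indicators over a few constructed proxy log lines. The log format ("<timestamp> src=<ip> dst=<ip> host=<name or ->") is an assumption made for the example; adapt the regex to whatever your proxy or firewall writes. Hostname matching walks up through the parent domains, so listing a bare domain blocks all of its subdomains (the "block either the subdomain or the domain" choice above), while a plain substring match that would also catch unrelated names like notcarmelakaiser.com is deliberately avoided.

```python
import ipaddress
import re

# Indicators taken from the posts above. Add your own as needed.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "91.226.212.0/23",     # Amazon "Shipping Confirmation" malware phone-home
    "193.203.48.0/22",
    "184.175.164.0/26",    # Lorman spam source range
    "93.171.173.173/32",   # Sweet Orange EK server
)]

# A bare domain blocks the domain and every subdomain; a listed subdomain
# blocks just that host.
BLOCKED_HOSTS = {
    "landscaping-myrtle-beach.com",
    "innogate.co.kr",
    "adv.atlanticcity.house",
    "img.carmelakaiser.com",
    "carmelakaiser.com",
}

# Assumed (hypothetical) log format: "<ts> src=<ip> dst=<ip> host=<hostname or ->"
LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) src=(?P<src>\S+) dst=(?P<dst>\S+) host=(?P<host>\S+)$"
)

def ip_hit(ip_text):
    """Return the blocked CIDR (as a string) containing ip_text, or None."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return None  # not an IP at all; leave it to the hostname check
    for net in BLOCKED_NETWORKS:
        if ip in net:
            return str(net)
    return None

def host_hit(host):
    """Return the blocklist entry matching host exactly or as a parent domain, or None."""
    labels = host.lower().rstrip(".").split(".")
    # Walk from the full name up through its parents:
    # cdn.landscaping-myrtle-beach.com -> landscaping-myrtle-beach.com -> com
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in BLOCKED_HOSTS:
            return candidate
    return None

def scan_log(lines):
    """Return [(line_number, reason)] for every log line touching a blocked indicator."""
    hits = []
    for n, line in enumerate(lines, start=1):
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # malformed line; in production, count and alert on these too
        net = ip_hit(m["dst"])
        if net:
            hits.append((n, f"dst {m['dst']} in blocked range {net}"))
            continue
        if m["host"] != "-":
            entry = host_hit(m["host"])
            if entry:
                hits.append((n, f"host {m['host']} matches blocked entry {entry}"))
    return hits

# Constructed sample log for the example; not real traffic.
SAMPLE_LOG = """\
2014-06-04 12:01:03 src=10.0.0.5 dst=91.226.212.32 host=-
2014-06-04 12:01:04 src=10.0.0.5 dst=193.203.48.37 host=-
2014-06-04 12:02:10 src=10.0.0.9 dst=203.0.113.5 host=www.example.com
2014-06-04 12:03:11 src=10.0.0.9 dst=93.171.173.173 host=img.fortunerealtyli.com
2014-06-04 12:04:12 src=10.0.0.7 dst=198.51.100.20 host=img.carmelakaiser.com
2014-06-04 12:05:13 src=10.0.0.7 dst=198.51.100.21 host=cdn.landscaping-myrtle-beach.com
2014-06-04 12:06:14 src=10.0.0.7 dst=192.0.2.10 host=notcarmelakaiser.com
""".splitlines()

if __name__ == "__main__":
    for n, reason in scan_log(SAMPLE_LOG):
        print(f"line {n}: {reason}")
```

Line 4 of the sample is caught by the IP range even though img.fortunerealtyli.com is not in the hostname list, which is why the IP of an exploit kit server is worth blocking alongside the domains: the hijacked subdomains change faster than the server behind them.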
Labels:
Malware,
Russia,
Sweet Orange,
Viruses
PrimeAspire (primeaspire.com) spam
UPDATE: PrimeAspire have responded to this post, scroll down to the bottom.
Startup or no startup, sending spam to a spamtrap is not a good way to drum up business..
From: Team@primeaspire.com
To: donotemail@wearespammers.com
Date: 20 May 2014 13:32
Subject: PrimeAspire - The Freelance Platform
Hello,
Following our recent launch we'd like to invite you to PrimeAspire where you can post any task and securely get skilled people to complete specific freelance tasks.
The platform is completely free and used by talented people looking for freelance projects.
Learn more
Thanks,
The PrimeAspire team
P Please consider the environment before printing this email. Thank you.
Prime Aspire is a freelance marketplace. This message, its contents and any attachments are private, confidential and may contain information that is subject to copyright. You may not disclose, use or disseminate all or part of this message without our prior written consent. If you are not the intended recipient, please notify us immediately by replying to this message and then delete it from your system. Whilst we take reasonable precautions to prevent computer viruses, we cannot accept responsibility for viruses transmitted to your computer and it is your responsibility to make all necessary checks. We may monitor email traffic data and the content of emails to ensure efficient operation of our business, for security, for staff training and for other administrative purposes.
This email was sent from Prime Aspire Limited (Registered number: 7850209). Prime Aspire Limited is registered in England and Wales. Registered address: SUITE 34, New House, 67-68 Hatton Garden, London EC1N 8JY United Kingdom. For further information, please click www.primeaspire.com
To unsubscribe please reply with the word "Unsubscribe".
But (and just as a warning, I'm going to get sweary here) wait a fucking minute.. "This message, its contents and any attachments are private, confidential and may contain information that is subject to copyright. You may not disclose, use or disseminate all or part of this message without our prior written consent." You fucking spammed me with this. I will do with it what I fucking well please.
CEO of PrimeAspire is one Chris Adiolé. PrimeAspire (strictly speaking it is Prime Aspire Ltd) is a real company (07850209 in the UK), and Mr Adiolé even has his name on the domain WHOIS details rather than hiding behind a proxy service.
Registrant Name: Christopher Adiole
Registrant Organization:
Registrant Street: 67-68 Hatton Garden
Registrant City: London
Registrant State/Province: KKD
Registrant Postal Code: EC1N 8JY
Registrant Country: GB
Registrant Phone: +44.20700000000
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: info@primeaspire.com
Originating IP is 79.170.44.6 which is Heart Internet in the UK. The primeaspire.com domain is hosted with the same firm on 79.170.40.239.
So, let's assume that this is a real proposition and not some sort of scam. Fair enough. But promoting your startup through spam is always a very bad move, and adding meaningless legalese crap to it is really going to piss people off..
UPDATE: many Kudos points to Chris Adiolé for addressing the issue and apologising. So perhaps they're not such a bad bunch after all :)
Hi,
I note you recently published an article on your blog with regards to a promotional email you received from PrimeAspire.
We are a small startup and after our launch in February we worked with a marketing agency who supplied us with email addresses, claiming to be addresses of people that opted to receive emails about freelancing and related services. Unfortunately, we took their words at face value and failed to check the email addresses before sending out the emails.
On behalf of PrimeAspire, I sincerely apologise for the inconvenience. We are an honest startup working hard on our product and have no intention to send spam emails or use sinister marketing procedures to promote our product.
Thanks,
UPDATE 2: but now PrimeAspire are likely to lose their Kudos point due to this rather rude message from some Indian SEO guy..
From: Tutu Kumar [tutukumarseosolutions@gmail.com]
Date: 25 June 2014 09:16
Subject: Remove the blog of "PrimeAspire (primeaspire.com) spam"
Hello Dynamoo.com Team,
I'm Tutu Kumar from india, also a SEO Expert. Now i'm working SEO for Primeaspire.com. And i saw google search pages our blog title
PrimeAspire (primeaspire.com) spam.
This blog title is bad effect for our website but content is good.
Kindly remove the blog of your website.
Thank You
Tutu Kumar
Funnily enough, I don't feel inclined to do that. PrimeAspire sent me a spam.. that happened, and Chris Adiolé apologised, which I think shows a great deal of integrity. Perhaps Mr Kumar needs to generate some positive press instead rather than concentrating on my little blog.
Tuesday, 20 May 2014
Fake Sage Invoice spam leads to malware
This fake Sage spam leads to malware:
Date: Tue, 20 May 2014 09:20:53 +0100 [04:20:53 EDT]
From: Sage [Wilbur.Contreras@sage-mail.com]
Subject: FW: Invoice_6895366
Please see attached copy of the original invoice (Invoice_6895366).
Attached is an archive file Invoice6895366.zip which in turn contains a malicious executable Invoice200522014.scr which has a VirusTotal detection rate of 8/52.
The Malwr analysis shows that it then goes on to download further components from [donotclick]protecca.com/fonts/2005UKdp.zip some of which are:
- esli.exe (VT 6/52, Malwr report)
- uptoday.exe (VT 7/52, Malwr report)
- upsec.exe (VT 9/51, Malwr report)
Labels:
EXE-in-ZIP,
Malware,
Spam,
Viruses
Monday, 19 May 2014
"TT PAYMENT COPY" spam
This spam has a malicious attachment:
Date: Sun, 18 May 2014 20:54:20 -0700 [05/18/14 23:54:20 EDT]
Subject: Re TT PAYMENT COPY
please confirm the attachment payment Copy and get back to me?
Attached is an archive file TT PAYMENT COPY.zip which in turn contains another archive file TT PAYMENT COPY.rar (which relies on the victim having a program to uncompress the RAR file). Once that is done, a malicious executable PaySlip.exe is created. This file has a VirusTotal detection rate of 27/53. Automated analysis tools (such as this one) don't reveal what is happening, but you can guarantee it is nothing good.
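Every malicious attachment in this run of posts (order.zip, Invoice6895366.zip, the Dropbox-hosted fax and NatWest ZIPs, and this one) is an archive wrapping a .exe or .scr, in this case behind a second archive. What follows is an added Python example, not the blog's own code, of the check a mail gateway or triage script can make on such an attachment before anyone double-clicks it: open the ZIP in memory, flag any member with an executable extension or an "MZ" header (so a renamed .pdf does not slip through), recurse into nested ZIPs, and report nested RAR or 7z members that the standard library cannot open. The sample attachments are constructed in memory with stand-in contents (a bare "MZ" header, not real malware) so the example runs offline.

```python
import io
import zipfile

# Extensions Windows will run on double-click. A .scr is just a renamed PE.
EXEC_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs"}
ARCHIVE_EXTENSIONS = {".zip", ".rar", ".7z"}
PE_MAGIC = b"MZ"
RAR_MAGIC = b"Rar!\x1a\x07"

def _ext(name):
    """Lower-cased final extension of a member name, or '' if it has none."""
    dot = name.rfind(".")
    return name[dot:].lower() if dot != -1 else ""

def inspect_zip(data, prefix="", depth=0, max_depth=2):
    """Return [(member_path, finding)] for a ZIP held in memory as bytes.

    Nested ZIPs are opened recursively up to max_depth. RAR/7z members are
    reported but not opened, since zipfile cannot read them; route those to
    a sandbox or an unrar step rather than letting them through."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [(prefix or "<root>", "not a valid ZIP")]
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            path = prefix + info.filename
            ext = _ext(info.filename)
            with zf.open(info) as member:
                head = member.read(8)  # enough for the magic checks below
            if ext in EXEC_EXTENSIONS or head.startswith(PE_MAGIC):
                findings.append((path, "executable"))
            elif ext == ".zip" and depth < max_depth:
                findings.extend(inspect_zip(zf.read(info), path + "/", depth + 1, max_depth))
            elif ext in ARCHIVE_EXTENSIONS or head.startswith(RAR_MAGIC):
                findings.append((path, "nested archive (not opened)"))
    return findings

def verdict(data):
    """'block' if anything suspicious (or unparseable) was found, else 'allow'."""
    return "block" if inspect_zip(data) else "allow"

def make_zip(members):
    """Build an in-memory ZIP from {name: bytes}; used only to construct samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, content in members.items():
            z.writestr(name, content)
    return buf.getvalue()

# Constructed samples mirroring the attachments above. FAKE_PE is a stand-in
# PE header, not an executable.
FAKE_PE = b"MZ" + b"\x00" * 62
SAMPLES = {
    "order.zip": make_zip({"order_id_26348273894729847239.exe": FAKE_PE}),
    "TT PAYMENT COPY.zip": make_zip({"TT PAYMENT COPY.rar": RAR_MAGIC + b"\x00" * 16}),
    "Invoice6895366.zip": make_zip({"Invoice_6895366.pdf": FAKE_PE}),  # renamed exe
    "FAX-21651_7241.zip": make_zip({"inner.zip": make_zip({"FAX-21651_7241.scr": FAKE_PE})}),
    "report.zip": make_zip({"report.txt": b"quarterly numbers"}),
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(f"{name}: {verdict(blob)} {inspect_zip(blob)}")
```

Blocking on a nested RAR rather than trying to open it is deliberate: the "TT PAYMENT COPY" sample above relies on the victim having a RAR tool, and a gateway that cannot look inside should not assume the contents are harmless.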
Labels:
EXE-in-ZIP,
Malware,
Spam,
Viruses
Thursday, 15 May 2014
"NatWest Statement" spam contains a bit.ly link
This fake NatWest spam sends victims to a malicious download via a bit.ly link.
From: NatWest.co.uk
Date: 15 May 2014 13:11
Subject: NatWest Statement
View Your April 2014 Online Merchant Financial Activity Statement
Keep track of your account with your latest Online Merchant Financial Activity Statement from NatWest Bank. It's available for you to view at this secure site. Just click to select how you would like to view your statement:
View/Download as a PDF
View all EStatements
So check out your statement right away, or at your earliest convenience.
Thank you for managing your account online.
Sincerely,
NatWest Bank
Please do not respond to this e-mail. If you have any questions about this inquiry message or your NatWest Bank ® Merchant account, please speak to a Customer Service representative at 1-800-374-2639
NatWest Bank Customer Service Department
P.O. Box 414 | 38 Strand, WC2N 5JB, London
Copyright 2014 NatWest Company. All rights reserved.
AGNEUOMS0006001
The link in the email goes to [donotclick]bit.ly/1jKW2GJ which then downloads a malicious file Statement-pdf.scr which has a VirusTotal detection rate of 8/53. Automated analysis tools [1] [2] [3] [4] are inconclusive about what the malware actually does.
One thing about bit.ly links is that if you put a "+" at the end of the link you can see how many people clicked it. In this case, 236 people have clicked so far, mostly in North America. I suspect that quite a few of those are malware researchers!