Sponsored by..

Tuesday 24 June 2014

jobcenterusa.org fake job offer

This fake job offer is either money laundering, a parcel reshipping scam or some other activity that will get you into serious trouble with the authorities.

Date:      23 Jun 2014 13:11:56 -0600 [15:11:56 EDT]
Subject:      we are interested in your CV
Priority:      normal

We would like to greet you in our big and friendly company, thank you for applying to our HR and your interest to our company business.

Right now due to increasing of expansion policy we are offering promotional positions in our US company branches.
This opportunity is for highly motivated and energetic people who wants to join our family business whose main routine will be providing
administrative logistical and human resources support for our clients.

The work involves variety of logistical, administrative, and office management tasks, directions and guidelines you will be
receiving from your personal manager.

If you have an ability to establish and organize productive relations with clients;
strong communication skills, if you posses good team work skills, if you have an ability to revise plans for shifting priorities,
work under supervision and if you respect deadlines - apply, fill in short registration form and send it to us,
take your chance and maybe really soon you will receive a reply back from us and you phone will rang,
and one day you may become a part of our team:

Company registration form:
-Full name;
-Contact mobile & land line phone number;
-Email address;
-Current residence.

Please call or email us for any further assistance: Hillary@jobcenterusa.org
If you reply to this message, it gets routed to a server mx.jobcenterusa.org hosted on 5.202.129.73 in Iran. The WHOIS details for the domain are also fake:

Registrant ID:orghk03546035062
Registrant Name:Heidi Kissell
Registrant Organization:Heidi R. Kissell
Registrant Street: 223 Rainbow Road
Registrant City:Los Angeles
Registrant State/Province:CA
Registrant Postal Code:90017
Registrant Country:US
Registrant Phone:+1.6262646624
Registrant Phone Ext:
Registrant Fax: +1.6262646624
Registrant Fax Ext:
Registrant Email:info@jobcenterusa.org


The spam I saw originated from a Mexican cable subscriber on 187.247.113.56 and had a fake Italian address on it. Basically, everything screams fake job offer.

These domains are all releated:
trabajogov.com
lights-usa.net
lavoroit.org
profesia-cz.co

jobcenterusa.org

This video explains about the parcel reshipping scam which is a likely "logistics" task for anyone who gets involved in this fake company.


Monday 23 June 2014

Obama sends me an important message about surveillance

Obama sends me an important message about surveillance. No, really. But perhaps not the Obama you are thinking of.

Date:      Mon, 23 Jun 2014 23:36:02 +0800 [11:36:02 EDT]
From:      CCTV Surveillance [mail@globalsourcescctv.com]
Reply-To:      mail@globalsourcescctv.com
Subject:      [IMPORTANT] Surveillance

Hi,
Good day

We would like to take this opportunity to introduce our company.
WEISKYTECH founded in 2006.
Export 90% products to developed countries in North America and Europe,
established close business relationship with many famous security companies around the world.

Our Products Line
| CCTV camera. (IP CAMERA.HD-CVI CAMERA.ANALOG CMOS/CCD.)
| NVTKITs. DVRKITs.CVRKITs. (4CH,8CH,16CH)
| POE SWITCH (4.8.16.24CH POE SWITCH. 15W.25W POE MODULE).
| NVR.CVR.DVR

We want to give to you GOOD - CHEAP - FAST Surveillance products.
Obama here, looking for your reply needs and questions.

Reply me & quality products can be stand your inspection!

Best Regards,

Mr Obama, 
There's no website, so this spam is soliciting replies via email so globalsourcescctv.com must be valid for receiving mail (indeed, the MXes are mxbiz1.qq.com and mxbiz2.qq.com). Let's have a look at those WHOIS details then..

Registry Registrant ID: 1821794
Registrant Name: WILSON
Registrant Organization: Obama
Registrant Street: LONGHUA
Registrant City: shenzhen
Registrant State/Province: Guangdong
Registrant Postal Code: 518000   
Registrant Country: China
Registrant Phone: +86.75536956066                        
Registrant Phone Ext:
Registrant Fax: +86.75536956066                        
Registrant Fax Ext:
Registrant Email: 595642135@qq.com                       
Registry Admin ID: 1821795


Wow.. Obama again. Must be legit. Or perhaps not..

"Domain Listing Expired" scam spam (ibulkmailer.com / 192.99.148.65)

I've received this spam to the contact details for several domains I own in the past few weeks:

Date:      Sun, 22 Jun 2014 07:53:10 +0200 [06/22/14 01:53:10 EDT]
From:      Domain Notification [chandan@gmail.com]
Reply-To:      chandan@gmail.com
Subject:      re: Domain Listing Expired

Attention: Important Notice

ATT: [redacted].COM
ADMINISTRATIVE CONTACT
[redacted].COM
[redacted]

[redacted].COM
Please ensure that your contact information is correct or make the necessary changes above

DOMAIN SERVICE NOTICE

Domain Name: [redacted].COM
Search Engine Submission

Pay By

June 30,2014
 PART I: REVIEW SOLICITATION


Attn: [redacted].COM
As a courtesy to domain name holders, we are sending you this notification for your business Domain name search engine registration. This letter is to inform you that it's time to send in your registration and save.

Failure to complete your Domain name search engine registration by the expiration date may result in cancellation of this offer making it difficult for your customers to locate you on the web.

Privatization allows the consumer a choice when registering. Search engine subscription includes domain name search engine submission. You are under no obligation to pay the amounts stated below unless you accept this offer. Do not discard, this notice is not an invoice it is a courtesy reminder to register your domain name search engine listing so your customers can locate you on the web.

This Notice for: [redacted].COM will expire on June 15,2014 Act today!

DETAIL OF SERVICE: ANNUAL WEBSITE SEARCH ENGINE SUBMISSION FOR DOMAIN NAME [redacted].COM
Detail of Service:
SEARCH SUBMISSIONS
Act by Date:
06/15/2014
For Domain
Name:
[redacted].COM


Select Term
Your Existing Domain
Period Covered
Price
    [redacted].COM        
1year     Valid for 1 Year CLICK TO RENEW     06/15/2014 - 06/15/2015     $75.00
2year     Valid for 2 Year CLICK TO RENEW     06/15/2014 - 06/15/2016     $119.00
3year     Valid for 3 Year CLICK TO RENEW     06/15/2014 - 06/15/2017     $199.00
4year     -Most Recommended- CLICK TO RENEW     04/04/2014 - 04/04/2024     $295.00
5year     Limited time offer - Best value! CLICK TO RENEW     Lifetime     $499.00


Payment by Credit Card
Select the term and complete the form above, (do not reply this mail with your credit card details on this mail , just click on pay above. once we receive your pay we will send you details and report after payment is successful, also make sure you provide us with your correct information at time of signup.

Unsubscribe me from this list


Powered by Interspire

It looks like a domain renewal notice.. but it isn't. It's a renewal notice for SEO services. "But wait," I hear you cry, "I haven't signed up for any SEO services!" to which my answer is "Exactly!"

This is where the spam moves from being annoying to being a more of a scam. The use of the word "Renew" implies that you already have a relationship with these people but you do not. There is nothing to renew, but stating that this is something you already use is not only incorrect but in my personal opinion it is a fraudulent misrepresentation.

The link in the email goes to 192.99.148.65 (OVH Canada, not surprisingly) and then onto a landing page at ibulkmailer.incom on 192.185.170.196 (Websitewelcome, US).


The WHOIS details for ibulkmailer.com are as follows:

Registry Registrant ID:
Registrant Name: kumar, chandan
Registrant Organization:
Registrant Street: DDA FLAT NO 556 PKT B HASTSAL
Registrant City: New Delhi
Registrant State/Province: Delhi
Registrant Postal Code: 110059
Registrant Country: IN
Registrant Phone: 7838808080
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: admin@ibulkmailer.com


WHOIS details can easily be faked, but the "Chandan" name in the registration details tallies with the address chandan@gmail.com in the spam itself.

An examination of the sites co-hosted with ibulkmailer.com along with several other identifying factors identity this website as belonging to Chandan Kumar of CNS Web Technologies Pvt Ltd (U72300DL2009PTC191574) of India.

To save you from having to do the analysis yourself, a shortcut is to visit Chandan Kumar's LinkedIn page which links through to ibulkmailer.com in one of the "Company Website" links.


The contact details for Mr Kumar's company are below:

CNS Web Technologies Private Limited
625 LIG HASTSAL
VIKAS PURI
New Delhi
Delhi
110059
INDIA
+91-7838808080
chandan988@gmail.com
chandan_988@rediffmail.com
chandan_988@yahoo.com

If you get these spam messages (and the link still leads to ibulkmailer.com) then one effective way of dealing with it would be to forward the message to the webhost abuse department at abuse -at- websitewelcome.com.

Doing business with spammers is never a good idea, and doing business with spammers who misrepresent your relationship with them is likely to be a very bad idea indeed. Avoid.

The following domains are also associated with CNS Web Technologies and Chandan Kumar. Do with them what you will.

ibulkmailer.com
webtrafficguru.net
ewebmail.in
ewebmailsolution.info
host-cns.com
cnswebtech.com
rajumehandiart.com
chauhanmehandiart.com
maahihosting.com
cnswebtech.com
cnsxpert.com
websms.co.in
ibulkmailer.in
domainnotices.in
ebizmail.in
pconlinexpert.com
turnaround-systems.com
ecataloguepromo.info

Friday 20 June 2014

RNBI pump-and-dump spam: "Are you a go getter?"

This pump-and-dump spam is promoting a US stock Rainbow International Corp (RNBI) with false information designed to pump up the share price while someone dumps stock:

From: RealInvestments Daily Tip
Subject: Are you a go getter?

Hi [redacted],

Hope all is well with you and the family. I know you reached out to me last month looking for a good investment amid this crazy market. I must tell you it has been very hard to find something solid. Theres very few hidden gems out there and I honestly didnt even think I would be able to find something. That being said the best Ive been able to find is RNBI and when I say best, it really seems to be a god send. I told a few of my other clients about it last month as it seemed pretty cheap and it has gone up by more than 50% since. Im giving you a heads up on RNBI because I spoke with a few of my colleagues and they agree that it will hit a dollar some time in the coming weeks. Dont tell anyone you hear this from me please we're suppose to keep it on the down low. The company operates in the legalhemp industry, apparently the sector has been going nuts since colorado and washington made the stuff legal and apparently RNBI is going to announce some big news soon. Not sure what it is but my source is usually pretty spot on.

Take care and let me know if you need anything else. Ill keep you posted if I have some more news.



(c) 2014. StockTips. All rights reserved.

7080 Santa Monica Blvd, West Hollywood, CA 90038
At the moment there is only one subject and body text, but this will no doubt change as the spam evolves. A quick analysis of RNBI shows a company with no significant assets or income and no news or press releases indicating anything going on. The stock was aggressively pumped last month, but this latest round is using illegal spamming to try to promote the stock.

There are some anomalies with this stock. Despite having virtually no income or assets, the market capitalisation is still $52m which seems a lot. The stock chart shows that the price collapsed from a high of $0.59 late last year to $0.06 and then $0.09 before aggressive pumping took it up to about $0.20 or so, shifting around 34 million shares (or about $7m worth of stock). Before the pumping, the daily trade level was basically zero.

In my personal opinion, it is likely that this action is being taken by a major stockholder wanting to dump their shares for whatever reason. Remember that most stocks promoted by pump-and-dump spam collapse afterwards, so it is a good idea to give RNBI a very wide berth.

UPDATE 1. there is now a second wave of spam pretending to be from InvestorsHub which contains some junk text and an image with an MD5 of 0D179335984C7286F170C8354B69D4BF:

From:     InvestorsHub
Date:     20 June 2014 16:34
Subject:     Daily Stocks Tips

UPDATE 2. A third wave of image-based spam is on the way with a different embedded image.

From:     InvestorsHub News
Date:     20 June 2014 19:19
Subject:     This stock will go nuts today


UPDATE 3. Yet another image-based spam pumping RNBI is in circulation.
From:     Investors Hub Newsdesk
Date:     21 June 2014 07:11
Subject:     IHUB Newsdesk - This is the next big stock play


UPDATE 4. Two more versions of the pump-and-dump spam. The first version is surprisingly aggressive:

From:     Scottrade
Date:     21 June 2014 19:58
Subject:     Invest today. Cash Out next month

Dear conrad,

I was very furious when I listened to your voicemail last night.

You know, I did tell you about R N B I last month but you’re the one who was not interested in buying at the time. It was trading for just 10 or 15 cents if I remember correctly. You cannot now blame me by saying I didn’t tell you.

Anyway bullshit aside if you are still angry about missing the first wave I’m telling you its not too late but you need to listen to me now and buy as many s.h.a.r.es of R N B I as you can on Monday morning before they get too expensive and if you don’t it’s your own fault I don’t want you calling me again and leaving me another nasty voicemail.

I spoke with my analyst buddy who is working on this specific stock-analysis and he told me we should expect to see shares hit past a dollar within the next 30 days. Do what you must.

Take care
Your bud
Socorro
Second version:

From:     TD Ameritrade
Date:     22 June 2014 17:21
Subject:     Another Big Report this Monday at the open!

Open your account today in just minutes  |  View online
     
You’ve already taken the first step toward your financial goals by starting your application for a TD Ameritrade account. Take the next step and start trade today.

It’s quick and easy. And as a client, you’ll have access to the tools and resources you need to trade and invest with more confidence, including our top stocks picks:

UPDATE 5. Now the spammers are pretending to be from Bloomberg:

From:     Bloomberg.com
Date:     23 June 2014 10:07
Subject:     Financial News: Our New Stock Alert!
Thank you,
The Bloomberg.com Team

================================

Please do not reply to this message; it was sent from an unmonitored email address. If you received this message in error, please contact us.

------------------

Update Your Profile | Manage Preferences
Bloomberg.com | 731 Lexington Avenue, New York, NY 10022

UPDATE 6.  This new version of the spam comes with a .VCF attachment which will install a contact into your address book:

From:     Money Runners
Date:     23 June 2014 15:59
Subject:     The Money Runners Group: More Gains This Week - Stay Tuned!

Hi [redacted], my name is Denise Stewart and i'm your new stocks adviser.

Check my vCard in attachement
Attached is a file name2.vcf which contains the following data:
BEGIN:VCARD
VERSION;TYPE=WORK:3.0
FN:Denise Stewart
N:Denise Stewart;;;;
PROFILE:VCARD
ADR:;;0659 LEE Tim Road;Denver;CO;80304;USA
EMAIL:████████████@cantv.net
ORG:Rainbow International, Corp. (RNBI)
URL:http://finance.yahoo.com/q?s=RNBI&ql=1
PHOTO;VALUE=URL;TYPE=GIF:http://www.8CA4EA9BA4.com/1BE1018B041B/0F32CE8E.gif
NOTE:By the entrance ways at each end of the coach was a toilet.
END:VCARD
A file like this is a contact card and webmail applications such as Gmail or email clients such as Outlook can add it as a contact.

The idea is that you'll wonder who the heck this person is and click through on the link to Yahoo! Finance, which shows the bump in stock prices due to the pump-and-dump run.


Ummm... well, it's an interesting approach but if people are daft enough to fall for this sort of spam then it might be a bit too subtle for them.

UPDATE 7. Two new variants. The first one combines some of the elements seen earlier:

From:     Tonia Maynard
Date:     23 June 2014 18:39
Subject:     We've Just Come Across Something Huge!

Hi [redacted]

The next one has new elements in it:

From:     MarketClub Daily Top Stocks
Date:     23 June 2014 16:59
Subject:     Today's Top Trending Stocks

Top Trending Stocks for Monday, June 23rd

The stocks below have been rated as today's top stocks by MarketClub's Trade Triangle and Smart Scan technology.

#    Symbol    Description    Open    High    Low    Last    Change    %    Vol    Score
1.    RNBI     Rainbow International, Corp.     0.16    0.25    0.21    0.22    +52.185    +50.32%    1,203,226     +100
 View Full List ...

Thousands of people, just like you, have made the jump from using our Top Stocks list to MarketClub.

Learn how MarketClub can advance your trading with an entire set of online trading tools, not just the ability to create lists like this. Try MarketClub for only $8.95 for 30 days.

Follow us on Facebook for updates throughout the trading day.


View all details and studies at http://club.ino.com/. Want more scans, instant alerts, and a custom portfolio? MarketClub has it all across all markets.

To unsubscribe from Top 10 Trending Stocks emails, please visit this link for fast removal. To manage all of your INO.com email subscriptions or unsubscribe from all lists, visit our Email Services page.

U.S. Government Required Disclaimer - Commodity Futures Trading Commission

UPDATE 9. After a brief pause, there's another format of spam. (Incidentally the pause in spam caused the stock price to drop 22%!)

From:     USMarketAdvisor
Date:     24 June 2014 21:53
Subject:     If you get in now you could triple fast

Dear member,

We've been trying to bring something with substance to you for some time now and we've finally found it. R.N.B.I is a stock that will make your portfolio shine again and give us the reputation as strong analysts. It is currently trading for 20 cents. If you can buy some shares at the current pricing you will be in for a hell of a ride as we are predicting that we will see R,N,B,I go to a dollar by mid july. This company is a very special one as it operates in the legal marijuana sector in Colorado. As you've probably heard, that sector is totally on fire at the moment and you would be a fool to think that marijuana is not getting legalized nationwide in the coming short while. Can you imagine what this will do to the price of R_N_B_I? The company is already having a hard time supplying enough cannabis to its customers as it is with just Colorado and Washington allowing legal sales. Imagine when the whole country begins asking for some. At 20 cents R-N-B-I is an absolute steal and I would load up as much as I can.

Your premium analyst,
Jordan.
This email was sent to [redacted]. To ensure that you continue receiving our emails,
please add us to your address book or safe list.
(c) 2014 USMarketAdvisor.
550 Bowie Street, Austin, Texas 78703-4644
Privacy | Terms | Customer Service
Unsubscribe or Change Email Preferences
for all USMarketAdvisor emails.

UPDATE 10. Another spam this time, with the sender set to "FoxNews.com".

From:     FoxNews.com
Date:     25 June 2014 10:33
Subject:     BREAKING NEWS: Huge Winner Today! New Alert Inside


Once in a while there comes an opportunity that is too good to pass.
This time has come again. R*N*B*I is a diamond in the rough and this undervalued company is about to make us all very wealthy.
Our peers will look up to us and say "wow he's smart".
That's because if we can buy R*N*B*I for about 20 cents today we will likely get 5x our investment as analysts are predicting it will reach a dollar in the coming weeks.
TThere's also a bit of history behind this.
Just a few weeks ago the company was at 35 cents!
It has taken one step back and is getting ready to make 5 steps forward and we are lucky to be able to buy shares for as cheap as 20 cents right now.
It's not every day that a legal cannabis company can be bought for so cheap.

If we look at the historical chart and analysts' recommendations this looks like the perfect buy right now and I would get as many shares as I can at the current prices.


More Newsletters | Unsubscribe | Privacy Policy

©2014 StocksNews Network, LLC. All Rights Reserved.

StocksNews never sends unsolicited email. You received this email because you requested a subscription to Breaking Alerts from StocksNews. 


UPDATE 11. A variation of the previous spam, this time purporting to be from "MovingPennies".

From:     MovingPennies
Date:     25 June 2014 14:15
Subject:     BREAKING NEWS: All Eyes On (R N B I)

There's been a lot of speculation about where the market is going.

Truth be told no one really knows but it seems like we can expect to see things continue going up a bit.
That being said more companies these days are really overpriced.
Would you get in google at the current share price? Or apple? Or coca cola? they all seem to expensive at the moment.
Instead I've been searching for an answer... R*N-B*I is a stock that is currently very undervalued and its 2-month chart tells a story.
Just weeks ago it was at 35 cents. Now we can pick it up for right around 20 cents and analysts are expecting it to reach a dollar in the coming weeks.
If that's not a good deal I don't know what is. The company operates in the legal cannabis industry.
They're set up in Colorado and there is a lot of action happening there right now as you know.
Colorado and Washington both legalized cannabis recently and the amount of money being made in the industry right this moment is mind boggling.

If I were you I'd buy as many shares of R-N*B-I as possible at these cheap prices.

UPDATE 12. The spam has evolved again, now pretending to be from MomentumOTC:

From:     MomentumOTC
Date:     26 June 2014 09:37
Subject:     This company will make us big bucks

In recent days R^N^B^I has become very cheap to invest in.
Shares are now trading for right around 15 cents and it looks like it is about to soar again.
Two weeks ago it was trading as high as 35 cents, so you can imagine how much of a bargain it is at the current levels.
For a company that operates in the legal canabis industry we are very lucky to get shares at 15 cents.

Analysts are recommending to buy-it-now.


More Newsletters | Unsubscribe | Privacy Policy

©2014 MomentumOTC Network, LLC. All Rights Reserved.

MomentumOTC never sends unsolicited email. You received this email because you requested a subscription to Breaking Alerts from MomentumOTC. 
UPDATE 13. A new version of the spam is in progress (which still can't spell "cannabis"), this time pretending to be from "BestOTC Network, LLC":
From:     BestOTC
Date:     26 June 2014 14:12
Subject:     The top legal canabis company is here

Everyone is jumping on shares of R:N:B:I at 15cents right now.
They have never been so cheap in the past. Imagine if you wanted to grab it two weeks ago it would've cost you 35 cents.
Analysts are saying that the company is about to soar again and that they recommend buying as much as possible in the 15 to 20cent range.
R:N:B:I is one of the few companies on the market that is involved in the legal canabis sector.

Grab shares now!

More Newsletters | Unsubscribe | Privacy Policy

©2014 BestOTC Network, LLC. All Rights Reserved.

BestOTC never sends unsolicited email. You received this email because you requested a subscription to Breaking Alerts from BestOTCOTC.  


UPDATE 14. Despite all this activity, the stock price is tanking hitting a low of $0.10 which is about half what they were going for when the spam started. That's still about ten cents more than this company is worth in my opinion. This new spam pretends to be from "ClayTrader".

From:     ClayTrader
Date:     26 June 2014 19:12
Subject:     Watch this one double quickly

ALERT: R'N'B'I
First target: $.19
Second Target $.25
Stop $.50

Sell on the way up at your target prices


More Newsletters | Unsubscribe | Privacy Policy

©2014 ClayTrader Network, LLC. All Rights Reserved.

ClayTrader never sends unsolicited email. You received this email because you requested a subscription to Breaking Alerts from ClayTrader. 




"2014_06rechnung_0724300002_sign.zip" spam

I don't have a sample of the German-language spam spreading this attack, but it is similar to this one and it entices the victim to download a ZIP file  from [donotclick]officialdund.co.uk/wp-content/themes/officialdund/mobilfunktelekom/2014_06rechnung_0724300002_sign.zip

Inside the ZIP file is a malicious executable 2014_06rechnung_0724300002_pdf_sign_telekomag_deutschland_gmbh.exe which has a very low VirusTotal detection rate of just 1/54. The Malwr report shows that it downloads a further executable rqvupdate.exe [Malwr report] which phones home to 204.93.183.196 (Server Central, US) and has a VT detection rate of just 2/52.

The Anubis report also shows connections to 50.31.146.109 (Server Central, US), 5.135.208.53 (OVH, France / QHoster Ltd, Bulgaria) and 103.25.59.120 (Ransom IT Hosting, New Zealand)

Recommend blocklist:
5.135.208.53
50.31.146.109
103.25.59.120
204.93.183.196

bumerang.cc spam - possible Joe Job?

As with the writer of the excellent My Online Security blog I had a couple of odd-looking spams that looked like they might be malicious.

The first spam was a bit of a fail as it didn't have the link, the second spam contained a link the the bumerang.cc website.

From:     News
Date:     19 June 2014 21:40
subject:     World Political News

You can see all World Political News at our web site.Just click on link below

Invoice

------

From:     Customer support
Date:     19 June 2014 13:43
Subject:     Your invoice for June 2014

See your invoice for June 2014 by click on link below

Invoice


The link in the second email goes to the amusingly-named www.bumerang.cc/asdaa/sploit.php - amusing because "sploit" is of course slang for "exploit". Although I have seen exploit kits that contain obvious things like this as a sort of joke, it is also a bit obvious don't you think?

But there is no exploit kit at this "sploit.php" location.. it 404s. But in fact I can see no evidence that there has ever been an exploit in this location, this URLquery report from yesterday (the earliest I can find) also shows a 404. So perhaps the exploit has been deleted? Or perhaps it was never there in the first place..


As I mentioned, there are a pair of emails. The one with the working link looks like a fake invoice malspam, but the other one has the subject "World Political News" and the body "You can see all World Political News at our web site.Just click on link below".

It turns out that bumerang.cc is a news site, covering topics of interest in Moldova in the Romanian, English and Russian languages. Unlike most multilingual news sites, the content is different depending on the language.. and the default Russian language part of the site has a lot of articles on the rather corrupt breakaway region of Transnistria which is strongly pro-Russian and which seems to be getting drawn in to the godawful mess that is the Ukraine crisis.

Transnistria has a reputation for corruption and organised crime, so perhaps bumerang.cc has published something that somebody in Transnistria doesn't like. Joe Jobs against sites dealing in Russian politics are quite common, and the messages do bear several hallmarks of being fakes.

Given that there is no evidence of malware on this site, the fishy nature of the spam and the topic areas of the site itself then I am minded to think that this is a Joe Job and bumerang.cc are not behind this spam run.

UPDATE 1 2014-06-24. Another variant..

From:     Bumerang News
Date:     24 June 2014 21:24
Subject:     SENSATION NEWS!Ukraine Will Wage War With Russia

Russia's War Against Ukraine! All at our web site. Just click on link below

">http://www.bumerang.cc/



Wednesday 18 June 2014

"Scanned Image from a Xerox WorkCentre" spam with a malicious PDF attachment

The PDF spammers are busy today - this is the third time this particular malicious PDF has been spammed out to victims, first as a fake HSBC message, then a fake Lloyds message, and now a fake Xerox WorkCentre spam.
From:     Xerox WorkCentre
Date:     18 June 2014 13:41
Subject:     Scanned Image from a Xerox WorkCentre

It was scanned and sent to you using a Xerox WorkCentre Pro.

Sent by: [redacted]
Number of Images: 0
Attachment File Type: PDF

WorkCentre Pro Location: Machine location not set
Device Name: [redacted]

Attached file is scanned image in PDF format.
Adobe(R)Reader(R) can be downloaded from the following URL: http://www.adobe.com/
The payload is a malicious PDF that is identical to the HSBC and Lloyds spams.

Lloyds Bank Commercial Finance "Customer Account Correspondence" spam

Sent to the same targets and the same victim as this HSBC spam, this fake Lloyds Bank message comes with a malicious payload:
From:     Lloyds Bank Commercial Finance [customermail@lloydsbankcf.co.uk]
Date:     18 June 2014 12:48
Subject:     Customer Account Correspondence

This attachment contains correspondence relating to your customer account with Lloyds Bank Commercial Finance Ltd.

This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed.

If you have received this email in error please contact the individual or customer care team whose details appear on the statement.

This email message and its attachment has been swept for the presence of computer viruses.

Lloyds Bank Commercial Finance, No 1 Brookhill Way, Banbury, Oxfordshire OX16 3EL | www.lloydsbankcommercialfinance.co.uk
Ensuring that your PDF reader is up-to-date may help to mitigate against this attack.

HSBC "Unable to process your most recent Payment" spam

This convincing looking bank spam comes with a malicious PDF attachment:

From:     HSBC.co.uk [service@hsbc.co.uk]
Date:     18 June 2014 12:33
Subject:     Unable to process your most recent Payment

HSBC Logo

You have a new e-Message from HSBC.co.uk

This e-mail has been sent to you to inform you that we were unable to process your most recent payment.

Please check attached file for more detailed information on this transaction.

Pay To Account Number:   **********91
Due Date: 18/06/2014
Amount Due: £ 876.69

IMPORTANT: The actual delivery date may vary from the Delivery by date estimate. Please make sure that there are sufficient available funds in your account to cover your payment
beginning a few days before Delivery By date estimate and keep such funds available until the payment is deducted from your account.

If we fail to process a payment in accordance with your properly completed instructions, we will reimburse you any late-payment-related fees.

Copyright HSBC 2014. All rights reserved. No endorsement or approval of any third parties or their advice, opinions, information, products or services is expressed or implied by any information on this Site or by any hyperlinks to or from any third party websites or pages. Your use of this website is subject to the terms and conditions governing it. Please read these terms and conditions before using the website..
Attached is a malicious PDF file HSBC_Payment_9854711.pdf which has a VirusTotal detection rate of just 6/53. The Malwr report does not add much but can be found here.

Tuesday 17 June 2014

Wells Fargo "Important docs" spam has a malicious PDF file

This fake Wells Fargo spam comes with a malicious PDF attachment:

From:     Raul.Kelly@wellsfargo.com
Date:     17 June 2014 18:50
Subject:     Important docs

We have received this documents from your bank, please review attached documents.

Raul Kelly
Wells Fargo Accounting
817-713-1029 office
817-306-0627 cell Raul.Kelly@wellsfargo.com

Investments in securities and insurance products are:
NOT FDIC-INSURED/NO BANK-GUARANTEES/MAY LOSE VALUE

Wells Fargo Advisors, LLC is a nonbank affiliate of Wells Fargo & Company, Member FINRA/SIPC. 1 North Jefferson, St. Louis, MO 63103

CONFIDENTIAL NOTICE: The contents of this message, including any attachments, are confidential and are intended solely for the use of the person or entity to whom the message was addressed. If you are not the intended recipient of this message, please be advised that any dissemination, distribution, or use of the contents of this message is strictly prohibited. If you received this message in error, please notify the sender. Please also permanently delete all copies of the original message and any attached documentation. Thank you.
The attachment is account_doc~9345845757.pdf which has a VirusTotal detection rate of 5/51. The Malwr report doesn't say much but can be found here.

Personal misfortune is not an excuse for spam

"Mark" is having a hard time. Left with huge bills after being treated for prostate cancer, he feels let down by his employer at the time who did not cover the treatment with their health insurance.

How do I know this? He spammed me to tell me about it. Several times.

From:     Mark ******* [me@mail.*****]
Date:     17 June 2014 07:25
Subject:     Please donate to help support my recovery from Localised Prostate Cancer

Hi
        please consider donating to help fund my financial recovery since I was treated for Localised Prostate Cancer.

Regards,

Mark *******

        © Mark ******* , All Rights Reserved.
                http://******* .net/
                        or
                http://******* .like.to/
                        or
                http://******* .like.to/
A web form is attached soliciting funds:


Because "Mark" has suffered enough, I am withholding his full name. I did the due diligence and checked that the originating IP links back to a mailserver on his own domain, so this isn't a Joe Job.

But personal misfortune is not an excuse to spam, and in this case "Mark" sent to the spam to some randomly generated recipients that don't actually exist. That sort of thing is very bad practice, and if you are trying to get donation sent to a PayPal account then it is a good way to get your account frozen.

"Ihre Festnetz-Rechnung für Juni 2014" Vodafone spam

Over the past few weeks I have seen a concerted attack on German language speakers with various fake invoices leading to a malicious ZIP download. Here is one example:

From: 1562404288-0002@rechnung.vodafone.de
Sent: 17 June 2014 09:00
Subject: Ihre Festnetz-Rechnung für Juni 2014 #3232853429
Importance: High

Ihre neue Rechnung ist online

Sehr geehrte Kundin, sehr geehrter Kunde,

Ihre Rechnung vom Juni 2014 ist jetzt für Sie zum Abruf bereit.
Ihre Festnetz-Rechnung für Juni 2014 #25-36-8114.zip.

Die Gesamtsumme beträgt 224,88 Euro.

Der Rechnungsbetrag wird frühestens 5 Tage nach Rechnungszustellung von Ihrem angegebenen Konto eingezogen.


Mit freundlichen Grüßen
Ihr Vodafone-Team 
Of course, this isn't from Vodafone at all. The link in the email goes to [donotclick]gabilevin.com/wp-includes/SimplePie/Net/vodafoneteam which downloads a ZIP file 2014_06rechnung_pdf_vodafone.zip which in turn contains the malicious executable 2014_06rechnungonline_pdf_vodafone_00930220374_53790190_82456.exe which has a low detection rate of 3/54 at VirusTotal.

The Malwr report shows that this performs a download from 204.93.183.196:8080/70144646/974aade0/ (Server Central, US) which in turn drops another malicious binary rqvupdate.exe which also has a detection rate of just 3/54. The Malwr report for that is here.

Friday 13 June 2014

Something suspect on 38.84.134.0/24

This attack (assuming it is an attack) revolves around a bunch of domains hosted in 38.84.134.0/24 (HostZealot, UK).

It starts when a visitor visits the website click-and-trip.com hosted on 38.84.134.46 which purports to be some sort of hotel reservation system.

However, this URLquery report also shows a suspected Fiesta EK pattern and/or a TDS (Traffic Distribution System) URL. In the case of the report, the landing page is [donotclick]asasas.eu/yo416f8/counter.php?id=5 on 38.84.134.171 but this is one of those cases where the landing page seems to change quickly.

Both the "gateway" domain and "payload" domain share similarities in the WHOIS details. For click-and-trip.com it is:

Registrant Name: BERNARDO MINES
Registrant Organization: LA SAGRADA
Registrant Street: CARRER DE MALLORCA, 401
Registrant City: BARCELONA
Registrant State/Province: NON
Registrant Postal Code: 08013
Registrant Country: DE
Registrant Phone: +34.932073031
Registrant Phone Ext: 
Registrant Fax: +1.5555555555
Registrant Fax Ext:
Registrant Email: HANSBRUSE@YAHOO.COM

Well, Barcelona isn't in DE (Germany), so these contact details look awfully suspect. If we look at the WHOIS details for asasas.eu we see:

Name         Hans Bruse
Organisation hans inc
Language     German
Address      Am Forsthaus 9
             18209 Glashagen
             Germany
Phone        +49.382037295
Email        hansbruse@yahoo.com


Both addresses use the "hansbruse@yahoo.com" email address, and those German contact details for "Hans Bruse" are more convicining than "Bernado Mines".

The click-and-trip.com domain has been around since January and interestingly a dig back in time six months turns up slightly different contact details:

Registry Registrant ID:
Registrant Name: BERNARDO MINES
Registrant Organization: LA SAGRADA
Registrant Street: CARRER DE MALLORCA, 401
Registrant City: BARCELONA
Registrant State/Province: NON
Registrant Postal Code: 08013
Registrant Country: ES
Registrant Phone: +34.932073031
Registrant Phone Ext:
Registrant Fax: +1.5555555555
Registrant Fax Ext:
Registrant Email: GEFEST@ZMAIL.RU
Registry Admin ID: 


See the Russian email address? That gets some positive matches on Google linking it to a person called Aleksandr Filippovskiy (or Filippovskiy Aleksandr) who has been connected with malware sites before. So on balance, this thing looks rather suspicious.. even though those details could also be a smokescreen.

Reverse DNS on 38.84.134.171 shows three suspect domains with a similar naming pattern:

aaqaaq.eu
asasas.eu
ooaooa.eu

We can also check the IP's reputation at VirusTotal and it doesn't look great. However, if we extend a look to neighbouring servers, we can see a similar pattern of domains all the way from 38.84.134.162 to 38.84.134.171.


ioooiiio.eu 38.84.134.162
oieaa.com 38.84.134.162
dcfvfr.com 38.84.134.162
eiieei.com 38.84.134.162
ijueee.com 38.84.134.162
aoooaooa.com 38.84.134.162
acccaacccaaaa.pw 38.84.134.163
aaeeaae.com 38.84.134.163
ooioooii.com 38.84.134.163
azzaaazz.pw 38.84.134.164
axxaaaxxx.pw 38.84.134.164
aaooaaoaoaaa.pw 38.84.134.164
advantagefilm.pw 38.84.134.164
gthyuuuy.com 38.84.134.164
kujeikdkd.com 38.84.134.164
mijkuiiid.com 38.84.134.164
rfttyhuui.com 38.84.134.164
uyueueuee.com 38.84.134.164
oooiiiio.us 38.84.134.165
iiiiiiioooooooooo.us 38.84.134.165
hyujuuy.com 38.84.134.165
hyujyttr.com 38.84.134.165
nefdefeettyt.com 38.84.134.165
gthuueeed.us 38.84.134.166
eeeeaeeeea.us 38.84.134.166
aaeeeaaaeee.us 38.84.134.166
gtyuyyuuj.com 38.84.134.166
eedeeeedddd.eu 38.84.134.167
iyiiyyyiiiyy.eu 38.84.134.167
uoooouuuoo.pw 38.84.134.167
efefefeeeeee.pw 38.84.134.167
eaeaaaaaaeeeeee.pw 38.84.134.167
aaaaaaooooo.us 38.84.134.167
ioiiio.eu 38.84.134.168
aeaaeee.eu 38.84.134.168
aoaoooao.eu 38.84.134.168
oiioooiiii.pw 38.84.134.168
iaiaiaiaia.eu 38.84.134.169
axxazazaza.eu 38.84.134.170
jjjjajjiiiooo.eu 38.84.134.170
aaqaaq.eu 38.84.134.171
asasas.eu 38.84.134.171
ooaooa.eu 38.84.134.171

Older domains seem to use lower IP addresses, the pattern seems to be that domains are hosted in the range for a short time, then they are parked on what appear to be Namecheap parking IPs. Once the reputation of the IP is tarnished, then the domains move on to the next IP address.

The IPs in question roughly correspond to 38.84.134.160/28, but looking at the sites hosted in that range there is a gap of unused IPs all the way to 38.84.134.196.

Where these domains have identifiable WHOIS details, they conform to variants of the "Bernado Mines" persona, for example, acccaacccaaaa.pw:

Registrant ID:SVXABVV3KWVMGEKW
Registrant Name:Bernardo Mines
Registrant Organization:La Sagrada
Registrant Street1:Carrer de Mallorca, 401
Registrant City:Barcelona
Registrant State/Province:non
Registrant Postal Code:08013
Registrant Country:ES
Registrant Phone:+34.932073031
Registrant Fax:+1.5555555555
Registrant Email:ilokios@gmail.com


But we know that "Bernado Mines" also operates other IPs in this range, including techno6.com on 38.84.134.47 and a further examination of sites in the range shows aws-wireless.com on 38.84.134.14 which is registered to..

Registry Registrant ID:
Registrant Name: FILIPPOVSKIY ALEKSANDR
Registrant Organization: DOM
Registrant Street: YLICA BAYMANA. DOM 9.KORPYS A. KVARTIRA 106
Registrant Street: KVARTIRA 106
Registrant City: YOSHKAR OLA
Registrant State/Province: YOSHKAR OLA
Registrant Postal Code: 42400
Registrant Country: RU
Registrant Phone: +7.79276827596
Registrant Phone Ext:
Registrant Fax: +7.79276827596
Registrant Fax Ext:
Registrant Email: AWSWIRELESS@MAIL.COM


So we have Filippovskiy Aleksandr again

A look at all the hosts I can find in this range [csv] show nothing of value, and a load of cyberquatting and spam sites. On balance, I think that blocking the entire 38.84.134.0/24 range may be prudent, even if it is hard to tell exactly what is going on here.

"Equity Investment Limited" lottery scam still around after more than a decade

Scammers can be really stupid. Take these guys who are running a non-existent UK National Lottery / FIFA Brazil 2014 World Cup scam..


The scam is purportedly from a "Mrs Hilda Adams" references a fake company:

Equity Investment Limited
132 Blackburn Road
Bolton
BL7 9RP
England
UK
Tel: 00447924556231
Email: uklclaims@mail.com

Some key parts of the email are:
Reference: EKS255125600304
Ticket number: 034-1416-4612750

But search for "Equity Investment Limited" on just about any search engine and the first hit you will get is an article I wrote way back in 2003 about a lottery scam using a company of exactly the same name.

The email address is a throwaway free email account, the telephone number looks like it is British but in fact it a forwarding number provided by Cloud9  which could potentially forward calls to anywhere in the world. This type of "follow me anywhere" number is often abused by scammers. As for the address.. well, it's unlikely that whoever lives at that address is anything to do with this at all.

Luckily, most people who run lottery scams have the intelligence of a box of rocks. And it seems that quite a few of their victims have heard of a thing called a search engine..

Something evil on 64.202.123.43 and 64.202.123.44

This is one of those ephemeral traces of malware you sometimes see, like a will-o'-the-wisp. Something seems to be there, but on closer examination it has vanished. But this isn't an illusion, it seems to be a cleverly constructed way of distributing malware which pops up and then vanishes before anyone can analyse it.

The source of the infection seems to be a malvertisement on one of those sites with an immensely complicated set of scripts running on all sort of different sites, including those low-grade ad networks that have a reputation for not giving a damn about what their advertisers are doing.

In this case, the visitor gets directed to a page at 12ljeot1.wdelab.com/ijvdg2k/2 which got picked up with a generic malware detection.. but by the time anyone gets to investigate the domain it is mysteriously not resolving.

What appears to be happening is that the bad guys are publishing the malicious subdomains only for a very short time, then they stop it resolving and they publish another one. And one thing all these domains have in common is that they are using afraid.org for nameserver services.

A bit of investigation shows that this malware is hosted on a pair of servers at 64.202.123.43 and 64.202.123.44 (HostForWeb, US), and despite that bad guys efforts they do leave a trace on services such as VirusTotal [1] [2] and URLquery [3]. This particular URLquery report shows indications of the Fiesta EK.

The attackers are covering their traces by using legitimate hijacked domains, the owners of which may not even be aware of the problem. Despite there being a large number of subdomains, I can only spot sixdomains being abused:

theholdens.org
denytech.com
jonmills.org
wdelab.com
dimatur.pt
hebel.ch

A full list of the subdomains that I have found so far can be found here [pastebin].

A look at the 64.202.123.0/24 block shows a mix of legitimate sites, plus some spammy ones and quite a lot that look malicious. If you are running a high-security environment then you might want to block this who range. Else, I would recommend the following minimum blocklist:

64.202.123.43
64.202.123.44
theholdens.org
denytech.com
jonmills.org
wdelab.com
dimatur.pt
hebel.ch

Thursday 12 June 2014

pcwelt.de hacked, serving EK on 91.121.51.237

The forum of popular German IT news site pcwelt.de has been hacked and is sending visitors to the Angler exploit kit.

Visitors to the forum are loading up a compromised script hxxp://www[.]pcwelt[.]de/forum/map/vbulletin_sitemap_forum_13.xml.js which contains some Base64 obfuscated malicious code (see Pastebin here) which uses a date-based DGA (domain generation algorithm) to direct visitors to a URL with the following format:

[7-or-8-digit-hex-string].pw/nbe.html?0.[random-number]

The .pw domain contains Base64 encoded data which points to the payload kit, in this case [donotclick]exburge-deinothe.type2consulting.net:2980/meuu5z7b3w.php (Pastebin) which is hosted on 91.121.51.237 (OVH, France). This appears to be the Angler EK.

It looks like the EK domains rotate regularly, but the following sites can be observed on this address:

ingetrekte.valueoptimizationfrontier.com
shellshellwillbomb.type2consulting.net
voorspannenzl.valueoptimizationfrontier.com
tourmenterai.afiduciaryfirst.com
kingyoku.typetwoconsulting.com
mittelbau.typetwoconsulting.com
yogeespith1.typetwoconsulting.com
rozrzewnienie.typetwoconsulting.com
geschaeftlichen.typetwoconsulting.com
kyhtyy-pimprinum.typetwoconsulting.com
jezuietendriesthe.typetwoconsulting.com
depolitsuperconfusion.typetwoconsulting.com
degivreraitdeorganization.typetwoconsulting.com
sknktekonzile-streelsters.typetwoconsulting.com
shogunalbeschenktet.viverebenealcaldo.com
subigi.valueoptimizationfrontier.com
totalize.valueoptimizationfrontier.com
puyaljoukou.valueoptimizationfrontier.com
weisungsgemaess.valueoptimizationfrontier.com
kezune-palpitera.valueoptimizationfrontier.com
remorquervltimme.valueoptimizationfrontier.com
clackdisfundamellemting.valueoptimizationfrontier.com
doscall.type2consulting.net
pehmoilla.type2consulting.net
moariesubigissem.type2consulting.net
unvigilant-straucht.type2consulting.net
mycetozoanreassesses.type2consulting.net

It is worth noting that these domains appear to have been hijacked from a GoDaddy customer:
type2consulting.net
valueoptimizationfrontier.com
typetwoconsulting.com
afiduciaryfirst.com

The following .pw sites are live right now, hiding behind Cloudflare:
7411447a.pw
31674ec.pw
e4ae59eb.pw
95bded0e.pw

Recommended blocklist:
91.121.51.237
type2consulting.net
valueoptimizationfrontier.com
typetwoconsulting.com
afiduciaryfirst.com
7411447a.pw
31674ec.pw
e4ae59eb.pw
95bded0e.pw
(and if you can block all .pw domains then it is probably worth doing that too)

Thanks to the #MalwareMustDie crew and Steven Burn for help with this analysis.

Wednesday 11 June 2014

Fake RBS spam spreads malware via Cubby.com

This fake bank spam downloads malware from file sharing site cubby.com:

From:     Sammie Aaron [Sammie@rbs.com]
Date:     11 June 2014 12:20
Subject:     Important Docs

Please review attached documents regarding your account.

To view/download your documents please click here

Tel:  01322 215660
Fax: 01322 796957
email: Sammie@rbs.com

This information is classified as Confidential unless otherwise stated. 

The download location is [donotclick]www.cubby.com/pl/Document-772976_829712.zip/_e97c36c260ed454d8962503b18e37e86 which downloads a file Document-772976_829712.zip which in turn contains a malicious executable Document-772976_829712.scr which has VirusTotal detection rate of just 1/54.

Automated analysis tools [1] [2] [3] [4] show that it creates a file with the disincentive name googleupdaterr.exe and attempts to communicate with the following IPs:
85.25.148.6 (Intergenia AG, Germany)
192.99.6.61 (OVH, Canada)
217.12.207.151 (ITL Company, Ukraine)

(Plain list)
85.25.148.6
192.99.6.61
217.12.207.151

Tuesday 10 June 2014

"You have received a voice mail" spam downloads malware from Dropbox

Another fake voice message spam, and another malware attack downloading from Dropbox.

From:     Microsoft Outlook [no-reply@victimdomain]
Date:     10 June 2014 15:05
Subject:     You have received a voice mail

You received a voice mail : VOICE437-349-3989.wav (29 KB)
Caller-Id: 437-349-3989
Message-Id: U7C7CI
Email-Id: [redacted]

Download and extract the attachment to listen the message.

We have uploaded fax report on dropbox, please use the following link to download your file:

https://www.dropbox.com/meta_dl/eyJzdWJfcGF0aCI6ICIiLCAidGVzdF9saW5rIjogZmFsc2UsICJzZXJ2ZXIiOiAiZGwuZHJvcGJveHVzZXJjb250ZW50LmNvbSIsICJpdGVtX2lkIjogbnVsbCwgImlzX2RpciI6IGZhbHNlLCAidGtleSI6ICIxeWEwMGx3enQ1aWdpOXEifQ/AANABss7_JqczoocZG5p_SjA659fq_BNbEs6hyC4CqDuBA?dl=1
Sent by Microsoft Exchange Server
The link downloads a file VOICE-864169741-28641.zip which in turn contains a malicious executable VOICE-864169741-28641.scr which has a VirusTotal detection rate of 4/52. Automated analysis [1] [2] [3] [4] indicates that it downloads files from the following domains:

newsbrontima.com
yaroshwelcome.com
granatebit.com
teromasla.com
rearbeab.com


Monday 9 June 2014

"inovice 2110254 June" spam

This terse but badly-spelled spam has a malicious attachment:

Date:      Mon, 09 Jun 2014 18:03:10 +0530 [08:33:10 EDT]
From:      Ladonna Gray [wtgipagw@airtelbroadband.in]
Subject:      inovice 2110254 June

This email contains an invoice file attachment 
Attached is an archive file invoice_2110254.zip which in turn contains the malicious executable invoice_98372342598730_pdf.exe which has a VirusTotal detection rate of 4/52. Automated analysis tools are not able to determine exactly what the malware does.

UPDATE 1: A Malwr analysis of the malware can be found here. It makes the following HTTP connections:
[donotclick]62.76.189.58:8080/dron/ge.php
[donotclick]62.76.41.73:8080/tst/b_cr.exe


It also drops a file KB05152056.exe which has a VirusTotal detection rate of 5/51. Analysis is pending.

UPDATE 2: the Malwr analysis of the second binary is here. This makes a connection to 62.76.185.30.

All the IP addresses listed belong to Clodo-Cloud in Russia:
62.76.41.73
62.76.185.30
62.76.189.58


Although there are probably some legitimate sites in these ranges, you might want to consider blocking the following if you feel like it:
62.76.40.0/21
62.76.184.0/21