Scam: advocatesforyouths.org, Eem Moura, Tee Bello and other fake sites

Advocates for Youth is a legitimate campaign organisation that says that it "champions efforts to help young people make informed and responsible decisions about their reproductive and sexual health." It has a website at www.advocatesforyouth.org which was registered in 1996.

However, the domain advocatesforyouths.org is a completely fake rip-off of the legitimate advocatesforyouth.org site (note the extra "s") which is advertising itself through spam:

From:     Advocates for Youth [inboxteam6@gmail.com]
Reply-To:     Advocates for Youth [ljdavidson@advocatesforyouths.org]
Date:     2 July 2014 21:52
Subject:     Say No to FORCED MARRIAGE and HIV/AIDS
Mailing list:     xkukllsbhgeel of 668
Signed by:     gmail.com

Invitation Ref No: OB-22-52-30-J

OUR 12TH INTERNATIONAL YOUTH CONFERENCE ON “ EFFECTS OF TEENAGE MARRIAGE AND HIV/AIDS "

Advocates for Youth and co-organizers of the 12th international NGO's & CBO's conference on community Development and Development Planning have the pleasure to invite Youth Organizations, Socio Cultural Organizations, Community Based Organizations (CBO) Scholars, Researchers, Health Organizations, Professionals, Business Organizations (NGOs) Religion Organizations, Human Right Organizations & Women Groups to the International Conference on" Effects of Teenage Marriage and HIV/AIDS " taking place from Wednesday 20th - Friday 22nd August 2014 in U.S.A and Monday 25th August - Friday 29th August 2014 in The NETHERLANDS respectively.

This is the most important event in the framework of the fight to Educate the Youth on HIV/AIDS, Child Abuse, human and community development which will take place in Washington DC, United States of America from Wednesday 20th - Friday 22nd August 2014 in U.S.A and Monday 25th August - Friday 29th August 2014 in The NETHERLANDS respectively.

Advocates for Youth is registered 501(c) Non profit international organization whose aims & objectives are to empower individuals and communities worldwide through offering grants for business, education, economic enhancement, community development and environmental conservation, to support groups and organizations addressing social issues, youth ad women empowerment, and a variety of philanthropic projects through grants to non-profit organization; to provide education & information with view of limiting abuse and child molestation, to support and advocate on behalf of those infected and affected by the menace or abuse and neglect to promote the well-being of mankind by empowering the capacity of charitable organization to provide effective programs of quality.

This conference will bring together 1026 representatives of NGOs/CBOs and numerous numbers of interested individual participants from all over the world. The conference will be conducted on participatory bases with satellite plenary and simultaneous sessions followed by general and small group discussions.

SUPPORT: The conference receives financial support from CitiBank New York and United Nations Youth Commission etc. This sponsorship covers the following:

1. Return Airplane travel tickets for selected delegates from their home countries to venues of the event in Washington DC ( United States of America ) and The Hague City (The Netherlands), then back to their home countries.

2. Hotel accommodations in Washington DC ( United States ) only for selected delegates and their friends.

3. Medical insurance cover for delegates throughout the entire conference duration.

Advocates for Youth will not assume the responsibilities of any other costs other than those listed above.

NOMINATION & SELECTION OF PARTICIPANTS: Intending participants are requested to nominate between Five (5) to Ten (15) active members to participate. Participants should be from 14 years and above (Male or Female).

REGISTRATION PROCESS: To register to take part in this Conference, please request for the International Delegates Registration form and other conference information. The request for registration form and other conference information should be addressed to the Secretary:

Linara J. Davidson
Secretary, Advocates for youth
2000 M Street, NW Suite 750,
Washington DC 20036,
United States of America,
Tel: +1 202.600.9543
Fax: + 1 650.747.4401
Email: ljdavidson@advocatesforyouths.org
Website: http://www.advocatesforyouths.org

While we anticipate your earliest response, you are advised to contact the Secretary by email and we look forward to meeting up with you and your group in Washington DC and The Hague City to assert a new change for a stronger society.

Announcer !!!

Debra Hauser
President, Advocates for youth,
Washington DC
U.S.A.
Email: debra.hauser@advocatesforyouths.org

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer: The CAN-SPAM Act of 2003 (Controlling the Assault of Non-Solicited Pornography and Marketing Act) establishes requirements for those who send commercial email, spells out penalties for spammers and companies whose products are advertised in spam if they violate the law, and gives consumers the right to ask mailers to stop spamming them. The above mail is in accordance to the Can Spam act of 2003: There are no deceptive subject lines and is a manual process through our efforts on World Wide Web. You can opt out by sending mail to email id mention here and we ensure you will not receive any such mails.

In this case the email originates from 217.120.44.73 (Ziggo / Groningen, Netherlands) and was sent to a spam trap.

The fake site is almost a bit-for-bit copy of the fake site, but things like the Contact Details page are slightly different:

The fake site has a telephone number of 202.600.9543 and a fax number of 650.747.4401. The fax number is in California, but the "202" telephone number appears to be Washington.. but on closer examination it looks like a VOIP (internet phone) number which could possibly be anywhere in the world.

But the fake site looks utterly convincing. Mostly because it is cloned directly from the legitimate site. (See screenshot above)

The domain advocatesforyouths.org was registered on 24th May 2014 with anonymous details, and the mail handler is mailhostbox.com who are a legitimate commercial provider. But what most visitors to advocatesforyouths.org will not spot is that the domain just does a framed forward to another site googleones.in/advocates4youth/ which is where things get more complicated.

googleones.in is hosted on 74.122.193.45  a Continuum Data Centers IP reallocated to:

OrgName:        Ajay Kumar
OrgId:          AK-7
Address:        801 Main St NW
City:           Lenoir
StateProv:      NC
PostalCode:     28645
Country:        US
RegDate:        2012-11-30
Updated:        2012-11-30
Ref:            http://whois.arin.net/rest/org/AK-7

OrgAbuseHandle: SNM9-ARIN
OrgAbuseName:   machiwala, shazim nizar
OrgAbusePhone:  91 22 26782833
OrgAbuseEmail:  shazim@ideastack.com
OrgAbuseRef:    http://whois.arin.net/rest/poc/SNM9-ARIN

OrgTechHandle: SNM9-ARIN
OrgTechName:   machiwala, shazim nizar
OrgTechPhone:  91 22 26782833
OrgTechEmail:  shazim@ideastack.com
OrgTechRef:    http://whois.arin.net/rest/poc/SNM9-ARIN

The domain is registered to:

Registrant Name:Ziggo Ziggo
Registrant Organization:N/A
Registrant Street1:stadhoudersstraat
Registrant Street2:
Registrant Street3:
Registrant City:rijswijk
Registrant State/Province:Zuid-Holland
Registrant Postal Code:2282pm
Registrant Country:NL
Registrant Phone:+31.0657392939
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Registrant Email:alzaidaemirates@hotmail.com

The "alzaidaemirates@hotmail.com" doesn't really seem to tally with the Netherlands address, but it does link in with some other contents of the server. Incidentally, Rijswijk isn't very close to Groningen being a 233Km drive so the spammer's IP doesn't match the WHOIS details.

Interesting, the root directory of googleones.in is open and this is where it gets complicated.

We can see folders with the following names:

• advocates4youth/
• alz/
• cgi-bin/
• eem/
• eemtholland/
• tbello/

"advocates4youth" contains the fake Advocates For Youth Siteas already discussed

Al-zaida Emirates

"alz" is a site called "Al-zaida Emirates" which is a ripoff of the legitimate Zamil Group Holding Company. Probably the obvious different to that the "Al-zaida" site has an "Apply For Loan" button which marks it out as some sort of finance scam.

EEM Moura and TEE Bello (part 1)

The next fake site is under "eem" which advertises itself as "EEM MOURA & TEE BELLO Group of Companies". This site is a slightly-altered copy of the legitimate Alpha Group.

There is perhaps a clue here under "Shipping" which could be advertising for a Parcel Mule job (i.e. laundering stolen goods).

EEM MOURA & TEE BELLO (part 2) [eemthollandbv.nl]

There is another fake "EEM MOURA & TEE BELLO" site in the folder "eemtholland" (and using the forwarder domain eemthollandbv.nl). This is different from the other site being a fake shopping site, a poor copy of the legitimate HollandForYou.com site.

This fake site is also likely to be recruiting people for a parcel reshipping scam.

Hotel T. Bello

The final fake site is filed under "tbello" (sounds familiar?) and is supposedly the "Hotel T. Bello" in Den Haag (The Hague). It is a poor copy of the InterContinental Amstel Amsterdam.

Perhaps the "Hotel T Bello" is a fake hotel for the delegates to the fake "Advocates for Youth" conference that was advertised in the original spam.. that is certainly one way that these conference scams work.

There is not a single legitimate site on this server. Avoid.

Amazon Local "Order Details" spam / order_id.zip

This fake Amazon spam has a malicious attachment:

Date:      Wed, 2 Jul 2014 03:33:39 -0800 [07:33:39 EDT]
From:      "Amazon.com"
Subject:      Order Details

National     AmazonLocal.com
Good day,

Thank you for your order. We’ll let you know once your item(s) have dispatched.You can view the status of your order or make changes to it by visiting Your Orders on Amazon.com.
Order Details

Order R:121218 Placed on May 28, 2014

Order details and invoice in attached file.

Need to make changes to your order? Visit our Help page for more information and video guides.

We hope to see you again soon. Amazon.com

Attached is a file order_id.zip which in turn contains the malicious executable order_id_467832647826378462387462837.exe which is detected as malicious by 5/54 engines of VirusTotal. Automated analysis tools are inconclusive about what this malware does. [1] [2]

Something evil on 37.187.140.57 (OVH, France)

A group of Cushion Redirect sites appear to be hosted on 37.187.140.57 (OVH, France), although I cannot determine the exact payload of these sites you can be assured that it is Nothing Good and you may well want to block the IP.

Here is a sample URLquery report for this IP. VirusTotal also reports a low number of detections for this address.

Domains being abused in this attack include:
charlie-lola.co.uk
clashofclanshackdownload.com
check-email.org
cialis25.pl
adultvideoz.net

(UPDATE: domain names crossed out above have been secured)

In all cases the attack is carried out by using a malicious subdomain. The following subdomains have been spotted by rDNS and are an illustration only:
u2t1x94kcgm78tfitogjmfn.charlie-lola.co.uk
j9h7uktct4cg8mri2a0t1mj.charlie-lola.co.uk
p4frt6l6fuvfd931x99ayff.charlie-lola.co.uk
tl6ilmdwddgda432tx8r6xp.adultvideoz.net
xdwnzxkviyy7recx6o3b7wp.adultvideoz.net
3ttlji59f7m31ajx26ctmnw.clashofclanshackdownload.com
mbpemlkg3e6oyb1nil0y6iw.clashofclanshackdownload.com
ipb0e6gyl3oncrkelry1lfp.adultvideoz.net
huqla44lvwmxh7xjhtaq0lj.charlie-lola.co.uk
xqskvg1xqaxbi6q13z9b4rp.adultvideoz.net
t9su831121c8r5or2feha7t.charlie-lola.co.uk
wyxu3oez5ft5rufht09mttt.charlie-lola.co.uk
3eo5hresu1a1516ufa681gj.charlie-lola.co.uk
1xb601q9k4ktfdvqi31mhrt.charlie-lola.co.uk
4qhbnyqhifpuxvoxaj8fhjp.check-email.org
gihhyaqq6ehfnxipbbj8fnp.adultvideoz.net
wyxu3oez5ft5rufht09mttt210553d228156921089e2ef107d2c1f61.charlie-lola.co.uk
7yl01vizcjnq2r8k1c2229p.clashofclanshackdownload.com
sfab6xb5ahiiuyrnv8hyrjt.charlie-lola.co.uk
c7hfahqlxxwj5uvvuulhyt7.clashofclanshackdownload.com
wvohhjwauiln9hvq7nhvkxi.clashofclanshackdownload.com
t9su831121c8r5or2feha7t221453d201d448c7589e2d68b4e1eeb3f.charlie-lola.co.uk
192rkauuv6uuodfp9vjk3ip.adultvideoz.net
u2t1x94kcgm78tfitogjmfn214653d1fd553376a863d8fa4c8357152.charlie-lola.co.uk
y9er5auuv159idfp94v93ip.adultvideoz.net
wrfttm9tz7j8286rt1icdim.charlie-lola.co.uk
fipdt61atjqlpqhv3ip5pjj.adultvideoz.net
2dw6o2t3o4m3ldqd3urr5rn.charlie-lola.co.uk
o1oynwrwabyoy3lpnullemp.adultvideoz.net
eccb2ple2n3io61ocnlylxj.charlie-lola.co.uk
oz9mfxfthty3nseq5ulhept.charlie-lola.co.uk
vbybi98n6ahxga0hlfknigf.charlie-lola.co.uk
2dw6o2t3o4m3ldqd3urr5rn203453d1ff6245fef81455e5c2f67d6fd.charlie-lola.co.uk
dx8o3le72kyvrnod9pxhypi.clashofclanshackdownload.com
5ajljohtplppqf28mrptv7m.adultvideoz.net
ekneql6voyx9yl3llgpbpji.clashofclanshackdownload.com
xd2n3xrvqyyurerxeo323wp.adultvideoz.net
q9i12z6kq1i9x8bvexbxe9i.check-email.org
eij03t2t97ttyizacnm1qhi.cialis25.pl
ekneql6voyx9yl3llgpbpji207253dd486a9392d86820f01eb1afca5.clashofclanshackdownload.com
s2toz89du52uetctfctw3zj.charlie-lola.co.uk
e1jlzq2t97mtuik7ccm1ehi.clashofclanshackdownload.com
e1jlzq2t97mtuik7ccm1ehi501553d272a175fc69b885025dbad9609.clashofclanshackdownload.com
eearh6ft21f1u3a2e95uy7p.adultvideoz.net
c7hfahqlxxwj5uvvuulhyt7504153d274a615987cc9b10729b1b4d87.clashofclanshackdownload.com
c7hfahqlxxwj5uvvuulhyt7902153d274894606a7d1108c7b58e09a6.clashofclanshackdownload.com
de2v8wu6l0sd3xbvmdtrdm7214653d251032854059ba8f2a19e587fc.clashofclanshackdownload.com
jlx9opd9ge26hk9j4zyiqlp.clashofclanshackdownload.com
jlx9opd9ge26hk9j4zyiqlp503453d2766b46e828c50c75b8ca5a70a.clashofclanshackdownload.com
u2t1x94kcgm78tfitogjmfn.charlie-lola.co.uk

Several no-ip.com domains seized by Microsoft

It appears that the nameservers for the following dynamic DNS domains belonging to no-ip.com may have been seized by Microsoft as the namesevers are pointing to NS7.MICROSOFTINTERNETSAFETY.NET and NS8.MICROSOFTINTERNETSAFETY.NET

3utilities.com
bounceme.net
hopto.org
myftp.biz
myftp.org
myvnc.com
no-ip.biz
no-ip.info
noip.me
no-ip.org
redirectme.net
servebeer.com
serveblog.net
servecounterstrike.com
serveftp.com
servegame.com
servehalflife.com
servehttp.com
servemp3.com
servepics.com
servequake.com
sytes.net
zapto.org

This seems to have had the effect of taking down any sites using these dynamic DNS services. This will probably impact a lot of things like webcams, home security systems, personal VPNs any anything else that uses these domains.

Usually this happens when Microsoft gets a court order prior to legal proceedings. Now, although these domains are widely abused it is not no-ip.com themselves doing the abusing. I do recommend that businesses block access to dynamic DNS sites because of the high level of abuse, but I do feel that it something that network administrators should choose for themselves.

UPDATE 1:  Microsoft's statements on the takedowns is here along with details of an accompanying lawsuit targeting Mohamed Benabdellah, Naser Al Mutairi and  Vitalwerks Internet Solutions LLC (who operate no-ip.com).

UPDATE 2:  The Nevada lawsuit mentioned above also includes some domains that I have added in italics. Also, the domain noip.me has been seized which is specifically excluded from the Nevada lawsuit, which indicates that legal action has also been taken in Montenegro which indicates just how pissed-off Microsoft are.

Fake job offer: Edwards Electrical and Mechanical / Edward Electricals Y Mecánicos (edwards-elec.com)

Edwards Electrical and Mechanical is a wholly legitimate contraction based in Indianapolis in the US. This spam message is not from them, but someone abusing their name.

From:     Charles Benneth [tonyudeani@n-tocomisltd.com]
Reply-To:     charles_trading@outlook.com
To:   
Date:     30 June 2014 01:49
Subject:     Part-Time Job Offer


Estimado Señor / Señora

Tenemos una vacante para el puesto de oficial de cuentas por cobrar. ¿Te
gustaría trabajar desde su casa y obtener semanal remunerado? Estamos
ofreciendo esta posición a todos los solicitantes interesados. Por favor,
lea atentamente. Esta oportunidad de empleo está dirigido a proporcionar
parte / los solicitantes de empleo a tiempo completo, y también a las
personas que quieran trabajar desde casa, y se les paga semanalmente por
la recepción de pagos de nuestros clientes de deducir la comisión y
remitir el equilibrio. Envíe sus informaciones para obtener más detalles.

Nombre Completo
Contacto Inicio Dirección Plus Código Postal (No P O Box)
número de teléfono
edad
Fax Si Cualquiera
Un reconocimiento rápido de la recepción de este correo electrónico será
apreciada.

Gracias por su comprensión total.

Charles Benneth
Presidente / CEO
Edward Electricals Y Mecánicos.
http://www.edwards-elec.com/index.php

This translates roughly as:

Dear Sir / Madam

We have a vacancy for the position of Accounts receivable officer. Do you
would like to work from home and get paid weekly? We are
offering this position to all interested applicants. Please
read carefully. This employment opportunity is targeted at providing
part / applicants for full-time employment, and also to
people who want to work from home and get paid weekly by
receiving payments from our clients, and deducting fees
remit the balance. Send information for details.

Full Name
Contact Home Address Plus Zip (No PO Box)
phone number
age
Fax If Any
A quick recognition of the receipt of this email will
appreciated.

Thank you for your full understanding.

Charles Benneth
President / CEO
Edward Electricals and Mechanical.
http://www.edwards-elec.com/index.php 

The job is actually money laundering, which is a criminal activity. The email solicits replies to the free email address of charles_trading@outlook.com and originates from from 41.58.2.22 (Swift Networks, Lagos, Nigeria) via 188.40.62.68 (node3.trudigits.com / Hetzner, Germany).

Unless you want to spend some time in jail, I would recommend giving this particular Nigerian scam a wide berth.

Vladimir Tsastsin sentenced to 6 years, 4 months in jail

A search of the office of Vladimir Tšaštšini
Photo: Jassu Hertsmann
Source: DELFI.ee

Sometimes the wheels of justice work very slowly. Back in 2011 I mentioned that Vladimir Tsastsin had been arrested in Estonia - the kingpin of EstHost, EstDomain and Rove Digital among other criminal enterprises, Tsastsin and his accomplices were responsible for a great deal of illegal activity in the past decade.

In this case a Court of Appeal in Estonia handed down a prison sentence of 6 years 4 months to Vladimir Tsastsin, and his accomplices were jailed from ranges of 1 year 10 months to 3 years 10 months or fined up to €100,000.

A full report of the sentences can be found here (in Estonian) or autotranslated below:

The circuit court sentenced Vladimir küberkurijategija Tšaštšini more than six years in prison

www.DELFI.ee
June 26, 2014 16:38
                    

The District Court sentenced today Tšaštšini Vladimir and his associates guilty of large scale money laundering activities of criminal association.

The Court of Appeal overturned the decision today, Harju County Court judgment of 20 December 2013, was sentenced to Vladimir Tšaštšin, Valentina Tšaštšina, Timur Gerassimenko, Dmitri Egorov, Konstantin Poltev, Oak Development LLC, Credit Union Ltd., IT Consulting, LLC and Infradata Novatech Ltd, and the case acquitted new decision, which ordered all parties guilty of large scale money laundering activities of criminal association.

Dmitri Egorov, Konstantin Poltev Novatech Ltd, and was convicted of a criminal offense as facilitators. Vladimir Tšaštšin was convicted in a criminal organization, the organization and management.

Do not subject to being sentenced to the penalty of Vladimir Tšaštšinile 6 years and 4 months and 6 days in prison.

Valentina Tšaštšinale sentenced to 3 years 10 months in prison, Timur Gerassimenkole 1 year, 10 months and 9 days, Dmitri Jegorov 1 year and 8 days, Konstantin Poltevile two years and eight days in prison.

Oak Development LLC, was sentenced to a financial penalty of 100,000 euros, Credit Union Ltd. for 60,000 euros, Infradata OÜ 40,000 euros, IT Consulting for 20,000 euros and Novatech LLC for 20,000 euros. Also convicted were confiscated criminal assets.

The indictment accused Parties Act to the greatest extent in money laundering and criminal organization.

The District Court denied the position of the county in which the county court held that the predicate offense, or computer crimes are not shown because there is no final judicial decision in this regard.

The District Court found that the purpose is not a final judicial decision is required, it is sufficient if there is evidence that a predicate offense has been committed. Proved the predicate offenses being committed U.S. indictment and other evidence gathered in the matter.

The Court of Appeal found that there was no malicious software downloads computer users to consent because there is no evidence that computer users have agreed to the installation of malware on their computer, and the relevant provisions of the amendment.

It also disagreed with the district court of the county's position that the prosecution has violated the principle of prohibition of double punishment because the parties have been charged in the money laundering and criminal organization, but the U.S. indictment accused the parties of computer crimes. Thus, making various allegations.

The decision can be challenged in the Supreme Court within 30 days, said a spokesman for the Tallinn Administrative Court and the District Court.

USPS Express "Parcel Invoice" spam

This fake USPS spam is pretty Old School in its approach:

Date:      Thu, 26 Jun 2014 06:19:42 -0700 [09:19:42 EDT]
From:      USPS Express [notice@uspc.com]
Reply-To:      no-reply@uspc.com
Subject:      Parcel Invoice

Dear Client,

A parcel was sent to our office for you and we have tried to deliver it several times to your address on file.

Attached is the receipt used in sending you the parcel. We advise you to download and reconfirm the address on receipt if its your valid address.

View Receipt Here

Thanks for your cooperation.

Priority Mail Express
USPS.

The link in the email I had was broken, but was attempting to redirect to:
[donotclick]kadoi.gr/shopfine/redir.php
and from there to:
[donotclick]cascadebulldogrescue.org/xmlrpc/invoice.zip

This .zip file contains a malicious executable invoice.com (a .com file.. that really is old school) which has a VirusTotal detection rate of 29/54. The Malwr report shows an attempted connection to klempfrost.zapto.org on 199.21.79.114 (Internap, US). Other automated analysis tools are less conclusive [1] [2].

Recommended blocklist:
199.21.79.114
kadoi.gr
cascadebulldogrescue.org
klempfrost.zapto.org

RBS "Outstanding invoice" spam leads to malicious ZIP file

This fake RBS spam leads to malware:

From:     Bankline.Administrator@rbs.co.uk [Bankline.Administrator@rbs.co.uk]
Date:     25 June 2014 15:25
Subject:     Outstanding invoice

Dear [redacted],

Please download on the link below from dropbox copy invoice which is showing as unpaid on our ledger.

http://figarofinefood.com/share/document-128_712.zip

I would be grateful if you could look into this matter and advise on an expected payment date .

Many thanks

Max Francis

Credit Control

Tel: 0845 300 2952

The link isn't a Dropbox link at all, but it downloads an archive file from [donotclick]figarofinefood.com/share/document-128_712.zip which contains the malicious executable document-128_712.scr which has a VirusTotal detection rate of 4/54.

Automated analysis tools [1] [2] [3] show that it attempts to phone home to babyslutsnil.com on 199.127.225.232 (Tocici LLC, US). That domain was registered a few days ago with the following (possibly fake) details:

Registrar Registration Expiration Date: 2015-06-12
Registrar: Domain names registrar REG.RU LLC
Registrar IANA ID: 1606
Registrar Abuse Contact Email: abuse@reg.ru
Registrar Abuse Contact Phone: +7.4955801111
Registry Registrant ID:
Registrant Name: Viktor Ponomarev
Registrant Organization: Private Person
Registrant Street: veselaia d 81 kv 818
Registrant City: Moscow
Registrant State/Province: Moscow
Registrant Postal Code: 156737
Registrant Country: RU
Registrant Phone: +79267463723
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: tiosombovisi1987@mail.ru
Registry Admin ID:

doctorydvu.ru pharma spam has a .VCF attachment

This pharmacy spam comes with a .VCF attachment to try to bypass spam filters and common sense. In case you didn't know, a .VCF file is a vCard contact file that can be imported into your email application.

From:     Leticia Boyer M. D.
Date:     24 June 2014 10:25
Subject:     I'm your new family physician

Hello, my name is Leticia Boyer, M. D., and I'm your new family physician.

I want to recommend you online pharmacy with great amount of medicine and 70% discount.
I haven't believed till I checked it by myself. I'm sending you my vCard,
so you are able to find more info about me as well as link of mentioned pharmacy. 

The attachment is Leticia_Boyer_MD.vcf although probably it will change from spam-to-spam. The contents of this particular .vcf file are:

BEGIN:VCARD
VERSION;TYPE=WORK:3.0
FN:Leticia Boyer
N:Leticia Boyer;;;;
PROFILE:VCARD
ADR:;;He goes on to explain his pimping experience gave him the ability to get into new businesses.;NY;NY;28006;USA
EMAIL:[redacted]b90d3@pol.ir
ORG:TopPharmacy
URL:http://[redacted].doctorydvu.ru/?1113E36D0FED4E75BD169B5698E88
NOTE:The station was located to the south of Raglan street and between Evans street and Station street.
END:VCARD

The link in the email isn't malicious as it is just a fake pill site.. but it could be. This is a fairly novel approach at spamming though (I first saw it a couple of days ago) and it could well trick people into adding a contact.. although whether or not they would be daft enough to believe that this "new physician" would really be recommending a pharmacy with a Russian domain name remains to be seen.

jobcenterusa.org fake job offer

This fake job offer is either money laundering, a parcel reshipping scam or some other activity that will get you into serious trouble with the authorities.

Date:      23 Jun 2014 13:11:56 -0600 [15:11:56 EDT]
Subject:      we are interested in your CV
Priority:      normal

We would like to greet you in our big and friendly company, thank you for applying to our HR and your interest to our company business.

Right now due to increasing of expansion policy we are offering promotional positions in our US company branches.
This opportunity is for highly motivated and energetic people who wants to join our family business whose main routine will be providing
administrative logistical and human resources support for our clients.

The work involves variety of logistical, administrative, and office management tasks, directions and guidelines you will be
receiving from your personal manager.

If you have an ability to establish and organize productive relations with clients;
strong communication skills, if you posses good team work skills, if you have an ability to revise plans for shifting priorities,
work under supervision and if you respect deadlines - apply, fill in short registration form and send it to us,
take your chance and maybe really soon you will receive a reply back from us and you phone will rang,
and one day you may become a part of our team:

Company registration form:
-Full name;
-Contact mobile & land line phone number;
-Email address;
-Current residence.

Please call or email us for any further assistance: Hillary@jobcenterusa.org

If you reply to this message, it gets routed to a server mx.jobcenterusa.org hosted on 5.202.129.73 in Iran. The WHOIS details for the domain are also fake:

Registrant ID:orghk03546035062
Registrant Name:Heidi Kissell
Registrant Organization:Heidi R. Kissell
Registrant Street: 223 Rainbow Road
Registrant City:Los Angeles
Registrant State/Province:CA
Registrant Postal Code:90017
Registrant Country:US
Registrant Phone:+1.6262646624
Registrant Phone Ext:
Registrant Fax: +1.6262646624
Registrant Fax Ext:
Registrant Email:info@jobcenterusa.org

The spam I saw originated from a Mexican cable subscriber on 187.247.113.56 and had a fake Italian address on it. Basically, everything screams fake job offer.

These domains are all releated:
trabajogov.com
lights-usa.net
lavoroit.org
profesia-cz.co
jobcenterusa.org

This video explains about the parcel reshipping scam which is a likely "logistics" task for anyone who gets involved in this fake company.

Obama sends me an important message about surveillance

Obama sends me an important message about surveillance. No, really. But perhaps not the Obama you are thinking of.

Date:      Mon, 23 Jun 2014 23:36:02 +0800 [11:36:02 EDT]
From:      CCTV Surveillance [mail@globalsourcescctv.com]
Reply-To:      mail@globalsourcescctv.com
Subject:      [IMPORTANT] Surveillance

Hi,
Good day

We would like to take this opportunity to introduce our company.
WEISKYTECH founded in 2006.
Export 90% products to developed countries in North America and Europe,
established close business relationship with many famous security companies around the world.

Our Products Line
| CCTV camera. (IP CAMERA.HD-CVI CAMERA.ANALOG CMOS/CCD.)
| NVTKITs. DVRKITs.CVRKITs. (4CH,8CH,16CH)
| POE SWITCH (4.8.16.24CH POE SWITCH. 15W.25W POE MODULE).
| NVR.CVR.DVR

We want to give to you GOOD - CHEAP - FAST Surveillance products.
Obama here, looking for your reply needs and questions.

Reply me & quality products can be stand your inspection!

Best Regards,

Mr Obama, 

There's no website, so this spam is soliciting replies via email so globalsourcescctv.com must be valid for receiving mail (indeed, the MXes are mxbiz1.qq.com and mxbiz2.qq.com). Let's have a look at those WHOIS details then..

Registry Registrant ID: 1821794
Registrant Name: WILSON
Registrant Organization: Obama
Registrant Street: LONGHUA
Registrant City: shenzhen
Registrant State/Province: Guangdong
Registrant Postal Code: 518000   
Registrant Country: China
Registrant Phone: +86.75536956066                        
Registrant Phone Ext:
Registrant Fax: +86.75536956066                        
Registrant Fax Ext:
Registrant Email: 595642135@qq.com                       
Registry Admin ID: 1821795

Wow.. Obama again. Must be legit. Or perhaps not..

"Domain Listing Expired" scam spam (ibulkmailer.com / 192.99.148.65)

I've received this spam to the contact details for several domains I own in the past few weeks:

Date:      Sun, 22 Jun 2014 07:53:10 +0200 [06/22/14 01:53:10 EDT]
From:      Domain Notification [chandan@gmail.com]
Reply-To:      chandan@gmail.com
Subject:      re: Domain Listing Expired

Attention: Important Notice

ATT: [redacted].COM
ADMINISTRATIVE CONTACT
[redacted].COM
[redacted]

[redacted].COM
Please ensure that your contact information is correct or make the necessary changes above

DOMAIN SERVICE NOTICE

Domain Name: [redacted].COM
Search Engine Submission

Pay By

June 30,2014
 PART I: REVIEW SOLICITATION


Attn: [redacted].COM
As a courtesy to domain name holders, we are sending you this notification for your business Domain name search engine registration. This letter is to inform you that it's time to send in your registration and save.

Failure to complete your Domain name search engine registration by the expiration date may result in cancellation of this offer making it difficult for your customers to locate you on the web.

Privatization allows the consumer a choice when registering. Search engine subscription includes domain name search engine submission. You are under no obligation to pay the amounts stated below unless you accept this offer. Do not discard, this notice is not an invoice it is a courtesy reminder to register your domain name search engine listing so your customers can locate you on the web.

This Notice for: [redacted].COM will expire on June 15,2014 Act today!

DETAIL OF SERVICE: ANNUAL WEBSITE SEARCH ENGINE SUBMISSION FOR DOMAIN NAME [redacted].COM
Detail of Service:
SEARCH SUBMISSIONS
Act by Date:
06/15/2014
For Domain
Name:
[redacted].COM


Select Term
Your Existing Domain
Period Covered
Price
    [redacted].COM        
1year     Valid for 1 Year CLICK TO RENEW     06/15/2014 - 06/15/2015     $75.00
2year     Valid for 2 Year CLICK TO RENEW     06/15/2014 - 06/15/2016     $119.00
3year     Valid for 3 Year CLICK TO RENEW     06/15/2014 - 06/15/2017     $199.00
4year     -Most Recommended- CLICK TO RENEW     04/04/2014 - 04/04/2024     $295.00
5year     Limited time offer - Best value! CLICK TO RENEW     Lifetime     $499.00


Payment by Credit Card
Select the term and complete the form above, (do not reply this mail with your credit card details on this mail , just click on pay above. once we receive your pay we will send you details and report after payment is successful, also make sure you provide us with your correct information at time of signup.

Unsubscribe me from this list


Powered by Interspire

It looks like a domain renewal notice.. but it isn't. It's a renewal notice for SEO services. "But wait," I hear you cry, "I haven't signed up for any SEO services!" to which my answer is "Exactly!"

This is where the spam moves from being annoying to being a more of a scam. The use of the word "Renew" implies that you already have a relationship with these people but you do not. There is nothing to renew, but stating that this is something you already use is not only incorrect but in my personal opinion it is a fraudulent misrepresentation.

The link in the email goes to 192.99.148.65 (OVH Canada, not surprisingly) and then onto a landing page at ibulkmailer.incom on 192.185.170.196 (Websitewelcome, US).

The WHOIS details for ibulkmailer.com are as follows:

Registry Registrant ID:
Registrant Name: kumar, chandan
Registrant Organization:
Registrant Street: DDA FLAT NO 556 PKT B HASTSAL
Registrant City: New Delhi
Registrant State/Province: Delhi
Registrant Postal Code: 110059
Registrant Country: IN
Registrant Phone: 7838808080
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: admin@ibulkmailer.com

WHOIS details can easily be faked, but the "Chandan" name in the registration details tallies with the address chandan@gmail.com in the spam itself.

An examination of the sites co-hosted with ibulkmailer.com along with several other identifying factors identity this website as belonging to Chandan Kumar of CNS Web Technologies Pvt Ltd (U72300DL2009PTC191574) of India.

To save you from having to do the analysis yourself, a shortcut is to visit Chandan Kumar's LinkedIn page which links through to ibulkmailer.com in one of the "Company Website" links.

The contact details for Mr Kumar's company are below:

CNS Web Technologies Private Limited
625 LIG HASTSAL
VIKAS PURI
New Delhi
Delhi
110059
INDIA
+91-7838808080
chandan988@gmail.com
chandan_988@rediffmail.com
chandan_988@yahoo.com

If you get these spam messages (and the link still leads to ibulkmailer.com) then one effective way of dealing with it would be to forward the message to the webhost abuse department at abuse -at- websitewelcome.com.

Doing business with spammers is never a good idea, and doing business with spammers who misrepresent your relationship with them is likely to be a very bad idea indeed. Avoid.

The following domains are also associated with CNS Web Technologies and Chandan Kumar. Do with them what you will.

ibulkmailer.com
webtrafficguru.net
ewebmail.in
ewebmailsolution.info
host-cns.com
cnswebtech.com
rajumehandiart.com
chauhanmehandiart.com
maahihosting.com
cnswebtech.com
cnsxpert.com
websms.co.in
ibulkmailer.in
domainnotices.in
ebizmail.in
pconlinexpert.com
turnaround-systems.com
ecataloguepromo.info

RNBI pump-and-dump spam: "Are you a go getter?"

This pump-and-dump spam is promoting a US stock Rainbow International Corp (RNBI) with false information designed to pump up the share price while someone dumps stock:

From: RealInvestments Daily Tip
Subject: Are you a go getter?

Hi [redacted],

Hope all is well with you and the family. I know you reached out to me last month looking for a good investment amid this crazy market. I must tell you it has been very hard to find something solid. Theres very few hidden gems out there and I honestly didnt even think I would be able to find something. That being said the best Ive been able to find is RNBI and when I say best, it really seems to be a god send. I told a few of my other clients about it last month as it seemed pretty cheap and it has gone up by more than 50% since. Im giving you a heads up on RNBI because I spoke with a few of my colleagues and they agree that it will hit a dollar some time in the coming weeks. Dont tell anyone you hear this from me please we're suppose to keep it on the down low. The company operates in the legalhemp industry, apparently the sector has been going nuts since colorado and washington made the stuff legal and apparently RNBI is going to announce some big news soon. Not sure what it is but my source is usually pretty spot on.

Take care and let me know if you need anything else. Ill keep you posted if I have some more news.



(c) 2014. StockTips. All rights reserved.

7080 Santa Monica Blvd, West Hollywood, CA 90038

At the moment there is only one subject and body text, but this will no doubt change as the spam evolves. A quick analysis of RNBI shows a company with no significant assets or income and no news or press releases indicating anything going on. The stock was aggressively pumped last month, but this latest round is using illegal spamming to try to promote the stock.

There are some anomalies with this stock. Despite having virtually no income or assets, the market capitalisation is still $52m which seems a lot. The stock chart shows that the price collapsed from a high of $0.59 late last year to $0.06 and then $0.09 before aggressive pumping took it up to about $0.20 or so, shifting around 34 million shares (or about $7m worth of stock). Before the pumping, the daily trade level was basically zero.

In my personal opinion, it is likely that this action is being taken by a major stockholder wanting to dump their shares for whatever reason. Remember that most stocks promoted by pump-and-dump spam collapse afterwards, so it is a good idea to give RNBI a very wide berth.

UPDATE 1. there is now a second wave of spam pretending to be from InvestorsHub which contains some junk text and an image with an MD5 of 0D179335984C7286F170C8354B69D4BF:

From:     InvestorsHub
Date:     20 June 2014 16:34
Subject:     Daily Stocks Tips

UPDATE 2. A third wave of image-based spam is on the way with a different embedded image.

From:     InvestorsHub News
Date:     20 June 2014 19:19
Subject:     This stock will go nuts today

UPDATE 3. Yet another image-based spam pumping RNBI is in circulation.

From:     Investors Hub Newsdesk
Date:     21 June 2014 07:11
Subject:     IHUB Newsdesk - This is the next big stock play

UPDATE 4. Two more versions of the pump-and-dump spam. The first version is surprisingly aggressive:

From:     Scottrade
Date:     21 June 2014 19:58
Subject:     Invest today. Cash Out next month

Dear conrad,

I was very furious when I listened to your voicemail last night.

You know, I did tell you about R N B I last month but you’re the one who was not interested in buying at the time. It was trading for just 10 or 15 cents if I remember correctly. You cannot now blame me by saying I didn’t tell you.

Anyway bullshit aside if you are still angry about missing the first wave I’m telling you its not too late but you need to listen to me now and buy as many s.h.a.r.es of R N B I as you can on Monday morning before they get too expensive and if you don’t it’s your own fault I don’t want you calling me again and leaving me another nasty voicemail.

I spoke with my analyst buddy who is working on this specific stock-analysis and he told me we should expect to see shares hit past a dollar within the next 30 days. Do what you must.

Take care
Your bud
Socorro

Second version:

From:     TD Ameritrade
Date:     22 June 2014 17:21
Subject:     Another Big Report this Monday at the open!

Open your account today in just minutes  |  View online
     
You’ve already taken the first step toward your financial goals by starting your application for a TD Ameritrade account. Take the next step and start trade today.

It’s quick and easy. And as a client, you’ll have access to the tools and resources you need to trade and invest with more confidence, including our top stocks picks:

UPDATE 5. Now the spammers are pretending to be from Bloomberg:

From:     Bloomberg.com
Date:     23 June 2014 10:07
Subject:     Financial News: Our New Stock Alert!

Thank you,
The Bloomberg.com Team

================================

Please do not reply to this message; it was sent from an unmonitored email address. If you received this message in error, please contact us.

------------------

Update Your Profile | Manage Preferences
Bloomberg.com | 731 Lexington Avenue, New York, NY 10022

UPDATE 6.  This new version of the spam comes with a .VCF attachment which will install a contact into your address book:

From:     Money Runners
Date:     23 June 2014 15:59
Subject:     The Money Runners Group: More Gains This Week - Stay Tuned!

Hi [redacted], my name is Denise Stewart and i'm your new stocks adviser.

Check my vCard in attachement

Attached is a file name2.vcf which contains the following data:

BEGIN:VCARD
VERSION;TYPE=WORK:3.0
FN:Denise Stewart
N:Denise Stewart;;;;
PROFILE:VCARD
ADR:;;0659 LEE Tim Road;Denver;CO;80304;USA
EMAIL:████████████@cantv.net
ORG:Rainbow International, Corp. (RNBI)
URL:http://finance.yahoo.com/q?s=RNBI&ql=1
PHOTO;VALUE=URL;TYPE=GIF:http://www.8CA4EA9BA4.com/1BE1018B041B/0F32CE8E.gif
NOTE:By the entrance ways at each end of the coach was a toilet.
END:VCARD

A file like this is a contact card and webmail applications such as Gmail or email clients such as Outlook can add it as a contact.

The idea is that you'll wonder who the heck this person is and click through on the link to Yahoo! Finance, which shows the bump in stock prices due to the pump-and-dump run.

Ummm... well, it's an interesting approach but if people are daft enough to fall for this sort of spam then it might be a bit too subtle for them.

UPDATE 7. Two new variants. The first one combines some of the elements seen earlier:

From:     Tonia Maynard
Date:     23 June 2014 18:39
Subject:     We've Just Come Across Something Huge!

Hi [redacted]

The next one has new elements in it:

From:     MarketClub Daily Top Stocks
Date:     23 June 2014 16:59
Subject:     Today's Top Trending Stocks

Top Trending Stocks for Monday, June 23rd

The stocks below have been rated as today's top stocks by MarketClub's Trade Triangle and Smart Scan technology.

#    Symbol    Description    Open    High    Low    Last    Change    %    Vol    Score
1.    RNBI     Rainbow International, Corp.     0.16    0.25    0.21    0.22    +52.185    +50.32%    1,203,226     +100
 View Full List ...

Thousands of people, just like you, have made the jump from using our Top Stocks list to MarketClub.

Learn how MarketClub can advance your trading with an entire set of online trading tools, not just the ability to create lists like this. Try MarketClub for only $8.95 for 30 days.

Follow us on Facebook for updates throughout the trading day.


View all details and studies at http://club.ino.com/. Want more scans, instant alerts, and a custom portfolio? MarketClub has it all across all markets.

To unsubscribe from Top 10 Trending Stocks emails, please visit this link for fast removal. To manage all of your INO.com email subscriptions or unsubscribe from all lists, visit our Email Services page.

U.S. Government Required Disclaimer - Commodity Futures Trading Commission

UPDATE 9. After a brief pause, there's another format of spam. (Incidentally the pause in spam caused the stock price to drop 22%!)

From:     USMarketAdvisor
Date:     24 June 2014 21:53
Subject:     If you get in now you could triple fast

Dear member,

We've been trying to bring something with substance to you for some time now and we've finally found it. R.N.B.I is a stock that will make your portfolio shine again and give us the reputation as strong analysts. It is currently trading for 20 cents. If you can buy some shares at the current pricing you will be in for a hell of a ride as we are predicting that we will see R,N,B,I go to a dollar by mid july. This company is a very special one as it operates in the legal marijuana sector in Colorado. As you've probably heard, that sector is totally on fire at the moment and you would be a fool to think that marijuana is not getting legalized nationwide in the coming short while. Can you imagine what this will do to the price of R_N_B_I? The company is already having a hard time supplying enough cannabis to its customers as it is with just Colorado and Washington allowing legal sales. Imagine when the whole country begins asking for some. At 20 cents R-N-B-I is an absolute steal and I would load up as much as I can.

Your premium analyst,
Jordan.
This email was sent to [redacted]. To ensure that you continue receiving our emails,
please add us to your address book or safe list.
(c) 2014 USMarketAdvisor.
550 Bowie Street, Austin, Texas 78703-4644
Privacy | Terms | Customer Service
Unsubscribe or Change Email Preferences
for all USMarketAdvisor emails.

UPDATE 10. Another spam this time, with the sender set to "FoxNews.com".

From:     FoxNews.com
Date:     25 June 2014 10:33
Subject:     BREAKING NEWS: Huge Winner Today! New Alert Inside


Once in a while there comes an opportunity that is too good to pass.
This time has come again. R*N*B*I is a diamond in the rough and this undervalued company is about to make us all very wealthy.
Our peers will look up to us and say "wow he's smart".
That's because if we can buy R*N*B*I for about 20 cents today we will likely get 5x our investment as analysts are predicting it will reach a dollar in the coming weeks.
TThere's also a bit of history behind this.
Just a few weeks ago the company was at 35 cents!
It has taken one step back and is getting ready to make 5 steps forward and we are lucky to be able to buy shares for as cheap as 20 cents right now.
It's not every day that a legal cannabis company can be bought for so cheap.

If we look at the historical chart and analysts' recommendations this looks like the perfect buy right now and I would get as many shares as I can at the current prices.


More Newsletters | Unsubscribe | Privacy Policy

©2014 StocksNews Network, LLC. All Rights Reserved.

StocksNews never sends unsolicited email. You received this email because you requested a subscription to Breaking Alerts from StocksNews. 

UPDATE 11. A variation of the previous spam, this time purporting to be from "MovingPennies".

From:     MovingPennies
Date:     25 June 2014 14:15
Subject:     BREAKING NEWS: All Eyes On (R N B I)

There's been a lot of speculation about where the market is going.

Truth be told no one really knows but it seems like we can expect to see things continue going up a bit.
That being said more companies these days are really overpriced.
Would you get in google at the current share price? Or apple? Or coca cola? they all seem to expensive at the moment.
Instead I've been searching for an answer... R*N-B*I is a stock that is currently very undervalued and its 2-month chart tells a story.
Just weeks ago it was at 35 cents. Now we can pick it up for right around 20 cents and analysts are expecting it to reach a dollar in the coming weeks.
If that's not a good deal I don't know what is. The company operates in the legal cannabis industry.
They're set up in Colorado and there is a lot of action happening there right now as you know.
Colorado and Washington both legalized cannabis recently and the amount of money being made in the industry right this moment is mind boggling.

If I were you I'd buy as many shares of R-N*B-I as possible at these cheap prices.

UPDATE 12. The spam has evolved again, now pretending to be from MomentumOTC:

From:     MomentumOTC
Date:     26 June 2014 09:37
Subject:     This company will make us big bucks

In recent days R^N^B^I has become very cheap to invest in.
Shares are now trading for right around 15 cents and it looks like it is about to soar again.
Two weeks ago it was trading as high as 35 cents, so you can imagine how much of a bargain it is at the current levels.
For a company that operates in the legal canabis industry we are very lucky to get shares at 15 cents.

Analysts are recommending to buy-it-now.


More Newsletters | Unsubscribe | Privacy Policy

©2014 MomentumOTC Network, LLC. All Rights Reserved.

MomentumOTC never sends unsolicited email. You received this email because you requested a subscription to Breaking Alerts from MomentumOTC. 

UPDATE 13. A new version of the spam is in progress (which still can't spell "cannabis"), this time pretending to be from "BestOTC Network, LLC":

From:     BestOTC
Date:     26 June 2014 14:12
Subject:     The top legal canabis company is here

Everyone is jumping on shares of R:N:B:I at 15cents right now.
They have never been so cheap in the past. Imagine if you wanted to grab it two weeks ago it would've cost you 35 cents.
Analysts are saying that the company is about to soar again and that they recommend buying as much as possible in the 15 to 20cent range.
R:N:B:I is one of the few companies on the market that is involved in the legal canabis sector.

Grab shares now!

More Newsletters | Unsubscribe | Privacy Policy

©2014 BestOTC Network, LLC. All Rights Reserved.

BestOTC never sends unsolicited email. You received this email because you requested a subscription to Breaking Alerts from BestOTCOTC.  

UPDATE 14. Despite all this activity, the stock price is tanking hitting a low of $0.10 which is about half what they were going for when the spam started. That's still about ten cents more than this company is worth in my opinion. This new spam pretends to be from "ClayTrader".

From:     ClayTrader
Date:     26 June 2014 19:12
Subject:     Watch this one double quickly

ALERT: R'N'B'I
First target: $.19
Second Target $.25
Stop $.50

Sell on the way up at your target prices


More Newsletters | Unsubscribe | Privacy Policy

©2014 ClayTrader Network, LLC. All Rights Reserved.

ClayTrader never sends unsolicited email. You received this email because you requested a subscription to Breaking Alerts from ClayTrader. 

"2014_06rechnung_0724300002_sign.zip" spam

I don't have a sample of the German-language spam spreading this attack, but it is similar to this one and it entices the victim to download a ZIP file  from [donotclick]officialdund.co.uk/wp-content/themes/officialdund/mobilfunktelekom/2014_06rechnung_0724300002_sign.zip

Inside the ZIP file is a malicious executable 2014_06rechnung_0724300002_pdf_sign_telekomag_deutschland_gmbh.exe which has a very low VirusTotal detection rate of just 1/54. The Malwr report shows that it downloads a further executable rqvupdate.exe [Malwr report] which phones home to 204.93.183.196 (Server Central, US) and has a VT detection rate of just 2/52.

The Anubis report also shows connections to 50.31.146.109 (Server Central, US), 5.135.208.53 (OVH, France / QHoster Ltd, Bulgaria) and 103.25.59.120 (Ransom IT Hosting, New Zealand)

Recommend blocklist:
5.135.208.53
50.31.146.109
103.25.59.120
204.93.183.196

bumerang.cc spam - possible Joe Job?

As with the writer of the excellent My Online Security blog I had a couple of odd-looking spams that looked like they might be malicious.

The first spam was a bit of a fail as it didn't have the link, the second spam contained a link the the bumerang.cc website.

From:     News
Date:     19 June 2014 21:40
subject:     World Political News

You can see all World Political News at our web site.Just click on link below

Invoice

------

From:     Customer support
Date:     19 June 2014 13:43
Subject:     Your invoice for June 2014

See your invoice for June 2014 by click on link below

Invoice

The link in the second email goes to the amusingly-named www.bumerang.cc/asdaa/sploit.php - amusing because "sploit" is of course slang for "exploit". Although I have seen exploit kits that contain obvious things like this as a sort of joke, it is also a bit obvious don't you think?

But there is no exploit kit at this "sploit.php" location.. it 404s. But in fact I can see no evidence that there has ever been an exploit in this location, this URLquery report from yesterday (the earliest I can find) also shows a 404. So perhaps the exploit has been deleted? Or perhaps it was never there in the first place..

As I mentioned, there are a pair of emails. The one with the working link looks like a fake invoice malspam, but the other one has the subject "World Political News" and the body "You can see all World Political News at our web site.Just click on link below".

It turns out that bumerang.cc is a news site, covering topics of interest in Moldova in the Romanian, English and Russian languages. Unlike most multilingual news sites, the content is different depending on the language.. and the default Russian language part of the site has a lot of articles on the rather corrupt breakaway region of Transnistria which is strongly pro-Russian and which seems to be getting drawn in to the godawful mess that is the Ukraine crisis.

Transnistria has a reputation for corruption and organised crime, so perhaps bumerang.cc has published something that somebody in Transnistria doesn't like. Joe Jobs against sites dealing in Russian politics are quite common, and the messages do bear several hallmarks of being fakes.

Given that there is no evidence of malware on this site, the fishy nature of the spam and the topic areas of the site itself then I am minded to think that this is a Joe Job and bumerang.cc are not behind this spam run.

UPDATE 1 2014-06-24. Another variant..

From:     Bumerang News
Date:     24 June 2014 21:24
Subject:     SENSATION NEWS!Ukraine Will Wage War With Russia

Russia's War Against Ukraine! All at our web site. Just click on link below

">http://www.bumerang.cc/

"Scanned Image from a Xerox WorkCentre" spam with a malicious PDF attachment

The PDF spammers are busy today - this is the third time this particular malicious PDF has been spammed out to victims, first as a fake HSBC message, then a fake Lloyds message, and now a fake Xerox WorkCentre spam.

From:     Xerox WorkCentre
Date:     18 June 2014 13:41
Subject:     Scanned Image from a Xerox WorkCentre

It was scanned and sent to you using a Xerox WorkCentre Pro.

Sent by: [redacted]
Number of Images: 0
Attachment File Type: PDF

WorkCentre Pro Location: Machine location not set
Device Name: [redacted]

Attached file is scanned image in PDF format.
Adobe(R)Reader(R) can be downloaded from the following URL: http://www.adobe.com/

The payload is a malicious PDF that is identical to the HSBC and Lloyds spams.

Lloyds Bank Commercial Finance "Customer Account Correspondence" spam

Sent to the same targets and the same victim as this HSBC spam, this fake Lloyds Bank message comes with a malicious payload:

From:     Lloyds Bank Commercial Finance [customermail@lloydsbankcf.co.uk]
Date:     18 June 2014 12:48
Subject:     Customer Account Correspondence

This attachment contains correspondence relating to your customer account with Lloyds Bank Commercial Finance Ltd.

This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed.

If you have received this email in error please contact the individual or customer care team whose details appear on the statement.

This email message and its attachment has been swept for the presence of computer viruses.

Lloyds Bank Commercial Finance, No 1 Brookhill Way, Banbury, Oxfordshire OX16 3EL | www.lloydsbankcommercialfinance.co.uk

Ensuring that your PDF reader is up-to-date may help to mitigate against this attack.

HSBC "Unable to process your most recent Payment" spam

This convincing looking bank spam comes with a malicious PDF attachment:

From:     HSBC.co.uk [service@hsbc.co.uk]
Date:     18 June 2014 12:33
Subject:     Unable to process your most recent Payment

HSBC Logo

You have a new e-Message from HSBC.co.uk

This e-mail has been sent to you to inform you that we were unable to process your most recent payment.

Please check attached file for more detailed information on this transaction.

Pay To Account Number:   **********91
Due Date: 18/06/2014
Amount Due: £ 876.69

IMPORTANT: The actual delivery date may vary from the Delivery by date estimate. Please make sure that there are sufficient available funds in your account to cover your payment
beginning a few days before Delivery By date estimate and keep such funds available until the payment is deducted from your account.

If we fail to process a payment in accordance with your properly completed instructions, we will reimburse you any late-payment-related fees.

Copyright HSBC 2014. All rights reserved. No endorsement or approval of any third parties or their advice, opinions, information, products or services is expressed or implied by any information on this Site or by any hyperlinks to or from any third party websites or pages. Your use of this website is subject to the terms and conditions governing it. Please read these terms and conditions before using the website..

Attached is a malicious PDF file HSBC_Payment_9854711.pdf which has a VirusTotal detection rate of just 6/53. The Malwr report does not add much but can be found here.