Wednesday, 16 April 2014

Something still evil on 66.96.223.192/27

Last week I wrote about a rogue netblock hosted by Network Operations Center in the US. Well, it's still spreading malware, but now there are more domains active on this range.

A full list of the subdomains I can find is posted here [pastebin]. I would recommend that you apply the following blocklist:


Tuesday, 15 April 2014

Sky.com "Statement of account" spam

Another fake sky.com email with a malicious payload..

Date:      Tue, 15 Apr 2014 19:40:23 +0800 [07:40:23 EDT]
From:      "Sky.com" [statement@sky.com]
Subject:      Statement of account

Afternoon,

Please find attached the statement of account.

We look forward to receiving payment for the February invoice as this is now due for
payment.

Regards,
Kathy

This email, including attachments, is private and confidential. If you have received this
email in error please notify the sender and delete it from your system. Emails are not
secure and may contain viruses. No liability can be accepted for viruses that might be
transferred by this email or any attachment. Wilson McKendrick LLP Solicitors, Queens
House, 29 St. Vincent Place, Glasgow G1 2DT Registered in Scotland No. SO303162. Members:
Mark Wilson LLB Dip. NP LP Allan T. McKendrick LLB Dip. LP NP.

Attached is a file Statement.zip containing a malicious executable, Statement.scr, which has a VirusTotal detection rate of 9/51. Automated analysis tools [1] [2] [3] show an attempted download from the following locations:
[donotclick]pelicansea.com/css/1504UKd.zip
[donotclick]twinest.com/images/1504UKd.zip


A number of other IPs are contacted as well, indicating that this is P2P/Gameover Zeus.


Friday, 11 April 2014

Something evil on 62.75.140.236, 62.75.140.237, 62.75.140.238 and 64.120.207.253, 64.120.207.254

[NOTE: the IPs listed here appear to have been cleaned up]

This set of IPs is being used to push the Angler EK [1] [2]:

Intergenia, Germany
62.75.140.236
62.75.140.237
62.75.140.238

Network Operations Center (HostNOC), US
64.120.207.253
64.120.207.254

A look at the /24s that these ranges are in indicates a mix of malicious and legitimate sites, but on the whole it might be a good idea to consider blocking traffic to 62.75.140.0/24 and 64.120.207.0/24.

Sites on these IPs consist of hijacked subdomains of (mostly) legitimate domains in the Intergenia range and purely malicious domains in the HostNOC range. I would recommend that you block the following:


Thursday, 10 April 2014

"CCAHC: Climate Change And Health Conference 2014" scam

This spam is a form of advance-fee fraud scam:

From:     CCAHC ccahc@live.com
Reply-To:     ccahc@e-mile.co.uk
Date:     10 April 2014 16:04
Subject:     Call for Poster

CCAHC: Climate Change And Health Conference 2014


Dear Colleague,
On behalf of the CCAHC Scientific Committee, you are cordially invited to attend the 14th Climate Change & Health Conference to be held in Ibis Garden Hotel, from 16th - 18th May, 2014. 
The CCAHC 2014 event promises unrivalled learning and networking opportunities for the general public. Invited speakers are experts from multiple sectors and disciplines. Case studies of successful collaborations of environment, nutrition and public health across a wide range of issues.
The main theme for this year's poster session is:  "Impacts of Climate Change in Health and Nutrition"
While this is the main theme for the poster session it is not exclusive and you are welcome to submit a poster outside of this theme.
CCAHC 2014 showcases yet another exceptional programme with the latest scientific and best practice consensus on sustainable environment, biometeorological adaptation, global warming, climate change, waste management, greenhouse gas, pollution control, heart health, obesity, weight management, diabetes, child health, gut health, food sensitivity, healthy living and many other hot topics.
Why Attend:
  • Receive current updates on a range of topics, from leaders and expert practitioners.
  • Understand the latest scientific research in detail and discover its implications for your work.
  • Explore and debate controversial topics, discuss what is best for your clients and patients.
  • Sponsorship of air ticket, travel insurance, visa fees and per diem.
  • Enhance your skill set and progress your career.
  • Network with hundreds of other professionals involved in diet, nutrition, environment, health and lifestyle.
  • Participate in the Exhibitor Trail and win prizes!
  • Present your research, project, product or campaign, attract attention and promote your achievements
  • Registration is free of charge for participants from developing countries.
Paper Submissions:
Fax or e-mail up to 300 words describing your proposed paper on or before 18th April 2014. The paper will then be sent to the Advisory Board for evaluation and authors will be given feedback on or before 25th April 2014. The highest rated papers will be invited to present at the conference.
Sincerely yours,
Professor Jon Lloyd
Conference Chair
Maple House, 37-45 City Road, London EC1Y 1AT, United Kingdom.
Tel: +44 (0)70 8764 2424 | +44 (0)70 2404 4920
Fax: +44 (0)843 562 2173

The email originates from 196.46.246.174 (Airtel, Nigeria) via 221.120.96.3 in Bangladesh. Note that the sender is using free email addresses rather than ones that tie back to an identifiable organisation. The email was sent to a spamtrap.

According to this article at 419scam.org the sting is that there will be visa and hotel fees to pay before going to the conference, and once this money has been sent by Western Union then the scammers will vanish, taking their mythical conference with them.

Avoid.

Wednesday, 9 April 2014

Something evil on 66.96.223.192/27

There seems to be some exploit activity today on the IP range 66.96.223.192/27 (a customer of Network Operations Center, US). Most domains are already flagged as malicious by Google, and I've reported on bad IPs in this range before.

A list of the domains I can find in this range, their myWOT ratings and Google and SURBL prognoses can be found here [csv].

I would recommend applying the following blocklist:

Tuesday, 8 April 2014

Michael Price and BizSummits get ROKSO listed, scurry under the spotlight

Recently I wrote about a spam run being sent by Michael Price and/or BizSummits and examined the high level of fake material on their "Summits" websites.

In the past few days, BizSummits and Michael Price have the very dubious distinction of being listed in the Spamhaus ROKSO list of what they consider to be the worst spammers worldwide.

A ROKSO listing is bad news because it means that reputable web hosts will not do business with them.

So what happened next?

Well, basically most of the domains listed here have suddenly changed registrar and IP address, and the WHOIS details have been changed to something that looks rather fake (in my opinion). For example, the domain BizSummits.org has the WHOIS details changed from:

Registrant ID:CR38175629
Registrant Name:DNS Administrator
Registrant Organization:BizSummits
Registrant Street: 1200 Abernathy Rd, 17th Floor
Registrant City:Atlanta
Registrant State/Province:Georgia
Registrant Postal Code:30328
Registrant Country:US
Registrant Phone:+1.8006003389
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email:dnsadmin@bizsummits.org


to

Registrant ID:NS-b48b7b229f5dc
Registrant Name:Michael Loeloff
Registrant Organization:
Registrant Street: 8380 Lagos De Campo Blvd
Registrant City:Tamarac
Registrant State/Province:FL
Registrant Postal Code:33321
Registrant Country:US
Registrant Phone:+1.2025688305
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email:dnsadmin@bizsummits.org


..which is an anonymous-looking apartment in Florida. Most of the other domains have been geographically scattered to different addresses and names. Strangely none of the registrants seem to have a web footprint. In my personal opinion, these addresses are deliberately fake, and they have been changed by someone working for BizSummits.

It isn't just the WHOIS details that changed: the registrar in the case of BizSummits.org has changed from GoDaddy to NameSilo for unknown reasons, and the IP address has changed from 184.168.221.27 (GoDaddy) to 198.199.112.47 (Digital Ocean). To me that looks like GoDaddy booted them off their network, although there could be other explanations I suppose.

Conversely, most of the domains used in the spam run listed here appear to have been deleted, either by the registrar or by the owner. It doesn't really matter as far as evidence is concerned because services such as DomainTools maintain historical WHOIS records.

Overall, there seems to be a great deal of scurrying around as the spotlight has been shone on their activities.

I'm curious as to whether or not Michael Price or BizSummits think that the spam run sent from their servers was legitimate and legal, and as to whether or not they believe that the use of the images from other companies is justified.

It does appear that someone using Michael Price's photograph and name tried to post a comment, and then thought better of it. Hmmm.


Sage "Please see attached copy of the original invoice" spam

This fake Sage spam comes with a malicious attachment:

Date:      Tue, 8 Apr 2014 08:65:82 GMT
From:      Sage [Merrill.Sterling@sage-mail.com]
Subject:      RE: BACs #3421309

Please see attached copy of the original invoice. 

Attached is a file BACs-3421309.zip, which in turn contains a malicious executable, BACs-040814.exe, with a VirusTotal detection rate of 10/51.

The Malwr analysis shows that it attempts to download a configuration file from [donotclick]hemblecreations.com/images/n0804UKd.dim and then it attempts to connect to a number of other domains and IP addresses.

Recommended blocklist:
50.116.4.71
aulbbiwslxpvvphxnjij.biz
twplfztldagaydcacebqpypm.net
aidyhnzrkqomndihmttglrcmpf.com
jnojswlbzdxondfahwgbmluyl.ru
wcaebnfwljamemlzhqwqsovzlfq.com
skirtrslbtjrjfphemnnjqowuus.biz
uobihirghyscvswgwolneuscyamh.org
hvchqgyzfitaiugmbmifdwclrk.info
hemblecreations.com

Monday, 7 April 2014

Quantcast email address leak

Quantcast measures web analytics, and they are widely used by many websites worldwide, including one I operated myself.

However, it seems that Quantcast have some sort of email address leak because the following spam email was sent to an address only used to sign up for Quantcast's services.

From:     iTriplingStocks [redacted]@livraphone.fr
Date:     7 April 2014 20:08
Subject:     Dear [redacted], Three hundred percent gains is super possible



However in 1381 a treaty was signed in which allowed him to return. In 2008, Thames Water submitted plans for 96 homes on the site. Connor's horse Waterford Crystal. French hands between 1781 and 1782, and broken up in 1797. They were later replaced by Generation 1 DVD volumes, and later complete season boxed sets. It consists of the village of Luzein which is made up of the sections of Buchen, Luzein, Pany and Putz. February 1955, while in reserve. Juan Sebastian Lach moved to Europe and studied for a doctorate in cognitive musicology. Stop, only add extraordinary stunts here, and only if you have reliable sources. I think I want to be in the Guinness Book of World Records.
However at Dawn workers cleared the gap where the animals came in trapping them in. Germany dated from roughly 14,000 years ago. Francesco also made furniture and panelling for private and ecclesiatical clients. He claimed to be a god, whereas he was only a servant of the Devil, and as such he met his fate. There have been two unofficial fan remakes. Ecuador, at an altitude between 2,100 and 2,300 m asl. O God, do not leave me. The design has been simplified and a whole range of new security features were introduced.
Indonesian general as ambassador to Australia. Diagram created by me. When Gomo died in 1815, Senachewine became chief of the village. The same magazine gave Hannity their Freedom of Speech Award in 2003. Chavan started his political career in 1991,his name was proposed by Mr. Yale, Fruton became Director of the Division of Science, a position he held until 1962. City Sightseeing Ltd to City Sightseeing Worldwide S. If there were some heightened state of tension, we would, believe me, we would not let them get that close.
The first pressing of the album came in sleeve case packaging. Turkishness and the Republic. Hendschiken while 255 people commuted into the municipality for work. The Broletto in Como is faced with polychrome marble. About 20 additional motels, Inns and Bed and Breakfast operations are based in Digby making tourism an important employer. Alan Bray, a bassist. Italian Ministry of Treasury. Kentucky's head football coach. Soldiers, and turned against the Soviet regime. The source of information should be relevant, including existing solutions. Beata Vergine Assunta e S. In space DeGill has been captured by his old nemesis, the big game hunter Pontifadora the Conquistadora.
When assessing mental involvement in narrative text, items involved more imagery and imagination. Windham was founded in 1951 by Walter F. Diescher and John Endres became friends and business partners. He has also directed videos for The Saturdays and Sugababes.

The spam is an RCHA pump-and-dump spam as reported here, and this spam does make heavy use of email addresses stolen in this way.

It is impossible to say when the email addresses leaked from Quantcast or what data may have leaked with them. However, the probability of a spammer guessing this particular email address would be one in 26^12 (95,428,956,661,682,176), which is practically zero.

Update: Quantcast are investigating the issue at present.

Sunday, 6 April 2014

"Produce & Information" / Media Trade Company spam

This spam email links to a malicious file:
From:     Media Trade info@mediatrade.com
Reply-To:     ourmediatrade@yahoo.com
Date:     6 April 2014 16:26
Subject:     Produce & Information

Good Day

How are you today?
This is Media Trade Company, we have interest in your product. And our company is planing on placing an order with your company, Please open and click on the pdf icon to see the attached document of our produce information and company details.

Thank you and have a nice day

Best regards
THKS/B.RGDS

Attached is a file Our Produce Info.html which in turn contains a link to [donotclick]surevilla.h19.ru/Our%20Produce%20Info.exe hosted on 89.108.91.183 (Agava Ltd, Russia). This IP address is suspected of badness and blocking it would be a prudent idea; alternatively you could block the dynamic DNS domain h19.ru, which is being abused in this case.

The malicious file has a detection rate of 25/51 at VirusTotal with some indication that this is either a variant of Zbot or some sort of ransomware. The Malwr analysis shows some sort of download taking place from [donotclick]ourdailyshopping.com/images/win/check/file.php hosted on 91.223.82.188. Also, the Anubis analysis gives an idea as to the files created.

Of interest, this IP of 91.223.82.188 belongs to a company I have never heard of called International Widespread Services Limited aka IWS Networks Ltd of the UAE. They also provide the mail relay used in the spam which is 185.7.35.90.

Recommended blocklist:
89.108.91.183
91.223.82.188
surevilla.h19.ru
ourdailyshopping.com

I would also recommend that you consider blocking the domain h19.ru which may block some legitimate sites but should offer additional protection.

Saturday, 5 April 2014

RCHA / Rich Pharmaceuticals, Inc pump-and-dump spam

This pump-and-dump spam is trying to boost the share price of Rich Pharmaceuticals, Inc (RCHA):

From:     SuperStock Advisor
Date:     5 April 2014 16:37
Subject:     A biotech company that will make you big bucks

Think about it. What if you had the hunch to buy something low and sell it high. What if that clever move made you three or five times your principal? When is the last time you saw a stock quintuple within a few days?

R_C_H_A is a little biopharma company that you can buy for around 20 cents on Monday. A little bird has told me that something big is happening over there and that we can expect to see it go past a dollar before the end of the week.


This could be your move of the year, or even the best move of your life. Or you can just watch it pass by and do nothing. At least next time I present you with something you will listen with absolute belief and get to ride that wave. Last time I recommended a company to a friend it tripled in 3 days.

If you can buy R_C_H_A on Monday morning, consider yourself lucky and I want to hear about how much you will make this coming week!

So make sure to tell me!

-----------------

From:     iStockAdvisor
Date:     5 April 2014 06:35
Subject:     One stock. Five times your principal.

My dear fellow investor when is the last time you actually made a few bucks in the market?

With this bull pattern going on it is hard to find a winner that will stand out and actually produce gains that are above average.

Not only do I believe that I've found a solid company but I am certain that I've found the next company that will quintuple in a heart beat.

RCHA is set to take the world by storm and this little pharmaceutical company should soar from current levels of 20 cents to over a dollar this coming week.

If you don't believe me just watch where it goes on Monday and I promise you, you will want to buy as much as you can to make sure you catch this rocket before it takes off. I expect to see it nearly double on Monday alone. God knows how high and how fast RCHA will go from there on.

-----------------

From:     iBuyStock
Date:     5 April 2014 12:50
Subject:     The best stocktip for [redacted]

The last spam uses a GIF image (MD5 144f8295df4241d9a411b5a5b3f2c793) plus a load of random text to try to fool spam filters.

Pump-and-dump spams are always a type of fraud, and the stock prices usually collapse very soon afterwards. The collapse in RCHA stock prices seems to be happening right now according to the stock chart.


The stock price crashed sharply on Friday 4th April, dropping by 31% as 417,000 shares were traded. RCHA's history is convoluted and they have very little in the way of cash assets and relatively large liabilities.

Often with pump-and-dump spam runs there is a pattern of buying before the spam starts, but in this case there is no discernible pattern which makes me think that an existing stockholder is involved in the operation, in an attempt to bolster the share price as they dump stock.

Avoid.

Update: here are some more samples that arrived overnight..


From:     iStocksInformer
Date:     6 April 2014 12:21
Subject:     This pharmaceutical could quadruple fast

iStocksInformer


What if you could get into a stock before it soared? I know it’s hard to time things properly. The market has been good overall as of late but it is getting harder and harder to make big gains in a short period of time.

I’ve found the next big mover, but you have to buy fast because on Monday morning you should be able to pick it up for around 20 cents. Come tuesday it could be too late. A reliable source has told me that we expect R.C.H.A to gain 5x its current levels and break a dollar before the end of the week.

They are working on some ground breaking stuff, and perhaps the FDA is about to approve something they have been working on?

I come across a situation like this very few times per decade. This is in fact only the third time I’ve been told about a company that is about to soar. If you can buy R.C.H.A for around 20 cents on Monday I would say that you are in great shape and I’d ride the wave up to over a dollar if i were you.

(c) 2014. All rights reserved.
About us   |   Legal notice   |   Unsubscribe

---------------------

From:     iTopStocksPicker
Date:     6 April 2014 10:02
Subject:     This little company could tenfold your investment, arwildcbrender

[image attachment: ii_BACC5C509C1F3BC4.jpg]


Update 2014-04-07: the markets have opened and the pump and dump spam continues, although it has changed pitch.

From:     iGoldenStocks
Date:     7 April 2014 18:02
Subject:     Already UP 58%!

This is the opportunity of the year. It has come knocking on our door and trust me I am not going to miss this chance. A trusted friend of mine told me that R* C* H* A is about to go from 20 cents to over a dollar. This little biopharmaceutical company has been working on mind boggling technologies to treat acute myolegenous leukemia and something tells me they are about to announce something huge.


What could it be I don’t know, but everything seems to agree on the fact that it will go up very fast. If you are amongst the lucky ones we should be able to buy shares for cheap on Monday. Like between 20 and 30 cents. If we can do that I’d say we are in great shape and we can expect to ride the train up to over a dollar.

I’ll be holding until then I hope you do the same too I want to see us pull as much as possible out of this. I am sick of playing the big companies that don’t produce much gains.

It’s time for a big move!

-----------------------

From:     iTopStocks
Date:     7 April 2014 18:06
Subject:     +58% in 1 DAY! Best Stock For [redacted]

[image attachment: ii_CD6438C3011A236E.gif]

In fact, at the time of writing the stock has increased in price by 75%. A big deal? A week ago the stock was at 30 cents, now it is at 35 cents.. but it dropped to 20 cents on Friday before the pump-and-dump run started. At the time of writing, almost two million shares have been traded. On a typical day there are zero trades.

Source: NASDAQ

But has the stock price actually gone up in value? All these figures show is a bubble caused by the pump-and-dump operation. I suspect that most of the sales come from whoever is behind the spam offloading stock onto unsuspecting investors, and when those investors try to sell the stock they will end up taking a loss.

In the medium run, most stocks promoted through pump-and-dump spam runs collapse afterwards. I suspect the same thing will happen here.

Update 2014-04-08: two new variants this morning, both reflecting the share price from yesterday..

From:     MarketClub Top Stocks
Date:     8 April 2014 07:08
Subject:     Don't you deserve an edge in the market?

MarketClub Top Stocks


Do you remember me? Yes I emailed you a few days ago and I told you to watch R+C+H+A. This little biotech company has been working on ground breaking drugs and I advised you that you should buy shares in it on Monday morning for around 20 cents. If you don't remember, go back and look at your emails.

It has now pushed past 30 cents and it is showing very strong signs of continuation. Something tells me this stock will go past 2 or even 3 dollars in the coming days.

If you see the type of activity it is experiencing right now that's definitely not normal. Something absolutely massive is brewing for sure over there and there could be a phenomenal announcement coming in the next few days that will catapult the price much further.

This is not really tip *wink*, just a friendly advice. Make sure to buy as many R+C+H+A shares as you can.


You will be pleasantly surprised.


(c) 2014 MarketClub Top Stocks. All rights reserved.

------------------

From:     iStockMarketInsider
Date:     8 April 2014 05:38
Subject:     Top 5 Trending Stocks

StockMarketInsider Magazine



As you can see the market is crashing hard the past few days.

If you want to make a few bucks you need to forget the general market and focus on this tip I gave you a few days ago. I mentioned it to you over the week end.

The little undervalued company is R|C|H|A and if you recall I told you to buy it when it was still at 20cents. Now It's passed 30 but it is still worth buying.

I think we will be looking at it trading in the 2-3dollar range next week.

Make sure to pick up a few shares if you can and you will be very impressed with the results. There's rumors that R|C|H|A could be on the verge of announcing some FDA approval for one of its drugs.

That may be why it's going crazy right now!


(c) 2014. StockMarketInsider. All rights reserved.

To Unsubscribe click here
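The samples quoted above spell the same ticker five different ways (R_C_H_A, R.C.H.A, R* C* H* A, R+C+H+A, R|C|H|A) to slip past keyword filters. The Python below is an added example, not part of the original post: it builds a regex for a given ticker that tolerates a few separator characters between letters, reports which spellings appear in a message, and weights disguised spellings more heavily. The sample text and the scoring weights are constructed for illustration.

```python
import re
from collections import defaultdict

def ticker_pattern(ticker, max_gap=3):
    """Regex matching TICKER with up to max_gap separator characters
    (punctuation, whitespace or underscore) between consecutive letters,
    so R_C_H_A, R.C.H.A, R* C* H* A, R+C+H+A and R|C|H|A all match RCHA.
    Matching is case-sensitive because the samples always use capitals."""
    gap = r"[\W_]{0,%d}" % max_gap
    letters = [re.escape(c) for c in ticker.upper()]
    # word boundaries keep the pattern from firing inside words like ARCHAIC
    return re.compile(r"\b" + gap.join(letters) + r"\b")

def find_ticker_mentions(text, tickers):
    """Return {TICKER: set of literal spellings found in text}."""
    found = defaultdict(set)
    for ticker in tickers:
        for m in ticker_pattern(ticker).finditer(text):
            found[ticker.upper()].add(m.group(0))
    return dict(found)

def is_obfuscated(spelling):
    """True when the spelling hides the ticker behind separator characters."""
    return not spelling.isalnum()

def spam_score(text, tickers):
    """Constructed weighting: 1 point per plain spelling, 3 per disguised one.
    Disguised spellings are the stronger signal; nobody writes R|C|H|A by accident."""
    score = 0
    for spellings in find_ticker_mentions(text, tickers).values():
        for s in spellings:
            score += 3 if is_obfuscated(s) else 1
    return score

# Constructed sample assembled from phrasings like those in the quoted spam.
SAMPLE = """\
R_C_H_A is a little biopharma company that you can buy for around 20 cents on Monday.
RCHA is set to take the world by storm.
we expect R.C.H.A to gain 5x its current levels
A trusted friend of mine told me that R* C* H* A is about to go from 20 cents to over a dollar.
Make sure to buy as many R+C+H+A shares as you can.
The little undervalued company is R|C|H|A and if you recall I told you to buy it.
This ARCHAIC archaeology text should not be flagged.
"""

if __name__ == "__main__":
    print(find_ticker_mentions(SAMPLE, ["RCHA"]))
    print("score:", spam_score(SAMPLE, ["RCHA"]))
```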


Wednesday, 2 April 2014

Something evil on 66.96.223.204

66.96.223.204 (Network Operations Center, US) appears to be hosting some sort of malicious redirectors being used in current malware campaigns. VirusTotal gives a snapshot of the badness.

Sites hosted on this IP include:

Recommended blocklist:

Something evil on 213.229.69.41

This tweet by Malmouse got me investigating what was happening on 213.229.69.41.. and the answer is that it appears to be unmitigated badness.

First of all, these domains are either currently or recently hosted on 213.229.69.41, or are associated with it in some way. Ones currently regarded as malicious by Google are highlighted.


VirusTotal gives a good overview of the badness on this IP.


All these domains appear to be recently registered with the exception of gfthost.com which has ns1.gfthost.com and ns2.gfthost.com hosted on the same IP. Both those nameservers are used exclusively for these malware domains, so there must be some sort of connection. The WHOIS details for that are:

Registrant Name: Nikolay Legkov
Registrant Organization: -
Registrant Street: Nevsky 23-7
Registrant City: Saint-Petersburg
Registrant State/Province: Saint-Petersburg
Registrant Postal Code: 197008
Registrant Country: ru
Registrant Phone: +79052789848
Registrant Phone Ext:
Registrant Fax: +79052789848
Registrant Fax Ext:
Registrant Email: admin@gfthost.com


Of course it is trivially easy to fake WHOIS details, so I cannot guarantee that this is really the person behind the malware domains.

Anyway, I recommend that you block 213.229.69.41 (Simply Transit, UK) and/or the domains listed above.

Tuesday, 1 April 2014

rbs.com "RE: Copy" spam

This very terse spam has a malicious attachment:

Date:      1 Apr 2014 14:25:39 GMT [10:25:39 EDT]
From:      Kathryn Daley [Kathryn.Daley@rbs.com]
Subject:      RE: Copy

(Copy-01042014) 

The attachment is Copy-04012014.zip which in turn contains a malicious executable Copy-04012014.scr which has a VirusTotal detection rate of just 3/50.

The Malwr analysis shows that it has the characteristics of P2P/Gameover Zeus and it makes several network connections, starting with a download of a configuration file from: [donotclick]photovolt.ro/script/0104UKd.bis

The malware then tries to contact a number of other domains. I recommend using the following blocklist:

Something evil on 64.202.116.124

64.202.116.124 (HostForWeb, US) is currently hosting exploit kits (see this example). I recommend that you block traffic to this IP or the domains listed in this pastebin.

Most of the domains listed are dynamic DNS ones. If you block all such domains in that list, it is nice and manageable:

in.ua
myftp.org
sytes.net
hopto.org
no-ip.biz
myvnc.com
no-ip.info
tobaccopeople.com


Sunday, 30 March 2014

Naughty, naughty: BizSummits, CFO Summit, CIO Summit, CMO Summit rip off photos from other sites.

[Note, BizSummits replaced all of the unlicensed photographs shortly after I pointed them out on this blog]

I've been tracking the spammy activity of BizSummits on and off for a while, most recently with a very annoying spam run that has been plaguing website operators with fake notifications.

I'd never really looked that deeply into the BizSummits operation though, and even though it promotes itself through spam I had assumed that there was a real business at the end of it.

But when I started to look into their websites, it quickly became apparent that a great deal of the material was faked.

Most of the sites use the same material, so let's start with forwd.net/cfosummit/about.html which is an "About Us" page.

It features a photo of a group of people.. you'd assume that it was one of the "Summits" that BizSummits promotes. After all, if you have all these people meeting up all the time then surely it would be easy to snap a photo.

Let's look more closely.

It turns out that the picture is stolen from the blog of the US Ambassador to Iceland and it shows a group of Icelandic executives meeting with an organisation called the Young Presidents' Organization which is completely unrelated to BizSummits.

So let's look at the "Why Join" page at forwd.net/cfosummit/whyjoin.html which features a bunch of happy-looking individuals.

Let's look more closely..

This image is stolen from a company called Deceuninck nv. And it isn't just a generic stock photo, their website lists everyone in the photograph and identifies them as being employees.


Let's look at the "Members" page next at forwd.net/cfosummit/members.html

It shows a photograph of someone who is presumably speaking at one of these Summit events.

Errr... no. This is Professor Michael Porter speaking at the World Economic Forum. Professor Porter would be a highly influential and important person to have on board. But his name doesn't appear on the list of "Members & Speakers".

Let's look at the "Topics" page at forwd.net/cfosummit/topics.html


Who's in the photo?


That's a publicity photo of Niels Stolberg. Stolberg's company collapsed and is the focus of fraud investigations. Given the controversy surrounding Mr Stolberg, would it be appropriate to have a picture of him on your site? Odder still, Mr Stolberg seems to have no connection at all to BizSummits.

Now we turn our attention to the "What's New" page. Who are the people having a discussion? People at a BizSummits seminar?


Let's look more closely.

This image can be found on the page of the NG Utilities Summit in Australia (open the lightbox). If you look carefully, you can see the NG Utilities logo on the woman's badge on the right. Despite having "Summit" in the name, this is nothing at all to do with BizSummits. If BizSummits really held any meetings then a photo like this would be trivial to take.

The next page is "Questions" at forwd.net/cfosummit/questions.html. Well.. we have a few already.


Who's in the picture?

These are a couple of executives from WebTrends. As far as I can tell they have nothing to do with BizSummits, and the photo has just been stolen.

Incidentally this page contains what I consider to be a flat lie:

Why was I Invited to Join?

Either a member nominated you, or we specifically wanted your company involved and researched the best executive.
The evidence I have provided about this firm shows that they simply scraped your name from your company website and guessed your email address. Is that research? I don't think so.

The next picture to deconstruct is on the "My Login" page at forwd.net/cfosummit/login.html


You probably already guessed that the guy in the photo has nothing to do with BizSummits.

That's because this is Dr. Thomas R. Insel who again has nothing to do with BizSummits.

Finally, we come back to the home page.


Who is in the photo?


These are apparently the senior management of BHP taken in an AAP photo. What do they have to do with BizSummits? It seems nothing at all.

In fact, the only original piece of imagery I can find is this promotional video:


The video is meant to be an endorsement. But who is this woman? Who does she represent? What exactly is she endorsing? The video is professional looking but deliberately vague.

Incidentally, if you want to see what Michael Price, the CEO of BizSummits looks like, here he is:


This copied material doesn't just exist on a few websites, it exists on a LOT of cookie-cutter sites, all presumably marketed through the same spammy approach.

  • CFO Summit (www.cfosummit.org)
  • CIO Summit (www.ciosummit.org)
  • CMO Summit (www.cmosummit.net)
  • COO/Operations Summit (www.theoperationssummit.net)
  • Corporate Counsel Summit (www.thecorporatecounselsummit.org)
  • Corporate Development Summit (www.corpdevsummit.org)
  • Customer Service Summit (www.customerservicesummit.org)
  • Engineering Summit (www.theengineeringsummit.net)
  • Executive Summits (www.executivesummits.org)
  • Hospital Growth & Excellence Summit (www.hospitalgrowthsummit.org)
  • HR Summit (www.hrsummit.org)
  • Product Development Summit (www.productdevsummit.org)
  • Project Management Summit (www.projectmanagementsummit.org)
  • Public Relations Summit (www.thepublicrelationssummit.org)
  • Procurement Summit (www.procurementsummit.org)
  • Quality Management Summit (www.qualitymanagementsummit.org)
  • Risk Management Summit (www.riskmanagementsummit.org)
  • Safety Management Summit (www.safetymanagementsummit.org)
  • Sales Summit (www.salessummit.org)
  • Supply Chain Summit (www.supplychainsummit.org)
  • Training Summit (www.trainingsummit.org)

Ask yourself this question.. why is it that a company such as BizSummits, that is supposed to organise all of these meetings, cannot get around to taking any photographs of those meetings themselves? Surely it wouldn't be difficult to do? And yet almost every image is copied from somewhere else. What kind of company does that? Is it one that you feel comfortable doing business with?

Friday, 28 March 2014

BizSummits "Early closing due to poor weather" / "Early closing due to bad conditions" spam

Here are a pair of odd spam email messages:

Message 1
From:     Tim Williams Tim@myteamex.com
To:     Tony Blair [tony@victimdomain]
Date:     28 March 2014 14:09
Subject:     Early closing due to bad conditions.

Early closing due to bad conditions.


This will be the only notification to tony@victimdomain and just disregard if sent to the incorrect individual. Thank you.

Message 2
From:     Michael Miller Michael@leadbyinnovation.com
To:     Victor Echo [vecho@victimdomain]
Date:     28 March 2014 11:12
Subject:     Early closing due to poor weather.

Early closing due to poor weather.


This will be the only notification to vecho@victimdomain and just disregard if sent to the incorrect person. Thank you.

The email contains no link and no attachment. So what is it?

A close look at the "To" field is interesting. Tony Blair? Well, he's an ex-Prime Minister of Britain, and he just happens to be mentioned on my website here. And Victor Echo? Well, that's not a person at all but is mentioned on this page about the NATO Phonetic Alphabet.

So, in each case a name has been harvested from my web site and an email address guessed (tony@ and vecho@) in order to send the spam.

I've seen this process of scraping my web site and guessing email addresses before by a business called CIO Summits which is part of a spammy business called BizSummits run by a gentleman called Michael Price. But perhaps this is a coincidence?

So let's look at the mail headers of the two messages:

Message 1

Received: from [64.21.19.104] (port=59519 helo=mail.myteamex.com)
    by [redacted] with esmtp (Exim 4.80)
    (envelope-from <Tim@myteamex.com>)
    id 1WTXTM-00062J-14
    for tony@[redacted]; Fri, 28 Mar 2014 14:09:32 +0000
Received: from 76809236.myteamex.com
        by mail.myteamex.com (Merak 8.9.1) with ASMTP id ORL87326
        for <tony@[redacted]>; Fri, 28 Mar 2014 07:09:26 -0700
Message-ID: <20140328070921.6e9e4d6b5e@5d7e>
From: "Tim Williams" <Tim@myteamex.com>
To: "Tony Blair" <tony@[redacted]>
Subject: Early closing due to bad conditions.
Date: Fri, 28 Mar 2014 07:09:21 -0700
X-Priority: 3
X-Mailer: Host
MIME-Version: 1.0
Content-Type: text/plain;
    charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Received-SPF: pass ([redacted]: domain of Tim@myteamex.com designates 64.21.19.104 as permitted sender) client-ip=64.21.19.104 envelope-from=Tim@myteamex.com helo=mail.myteamex.com

Message 2

Received: from [64.21.70.64] (port=1970 helo=mail.leadbyinnovation.com)
    by [redacted] with esmtp (Exim 4.80)
    (envelope-from <Michael@leadbyinnovation.com>)
    id 1WTUi8-0007x8-KZ
    for vecho@[redacted]; Fri, 28 Mar 2014 11:12:38 +0000
Received: from 37649152.leadbyinnovation.com
        by mail.leadbyinnovation.com (Merak 8.9.1) with ASMTP id OOO71531
        for <vecho@[redacted]>; Fri, 28 Mar 2014 04:12:31 -0700
Message-ID: <20140328041226.3f8f7d6c7b@9e8c>
From: "Michael Miller" <Michael@leadbyinnovation.com>
To: "Victor Echo" <vecho@[redacted]>
Subject: Early closing due to poor weather.
Date: Fri, 28 Mar 2014 04:12:26 -0700
X-Priority: 3
X-Mailer: SMTP Forwarder v.9
MIME-Version: 1.0
Content-Type: text/plain;
    charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Received-SPF: pass ([redacted]: domain of Michael@leadbyinnovation.com designates 64.21.70.64 as permitted sender) client-ip=64.21.70.64 envelope-from=Michael@leadbyinnovation.com helo=mail.leadbyinnovation.com

What these headers tell us is that the emails originated from 64.21.70.64 and 64.21.19.104 (Net Access Corporation, US), and that those servers are genuine mail relays for the domains leadbyinnovation.com and myteamex.com.. in other words the messages are not spoofed, and whoever owns these domains is responsible for the mail.


The WHOIS records contain the following details:

leadbyinnovation.com
Registrant Name: DNS Administrator
Registrant Organization: LeadByInnovation
Registrant Street: 1200-Abernathy  Rd
Registrant City: Atlanta
Registrant State/Province: Georgia
Registrant Postal Code: 30328
Registrant Country: United States
Registrant Phone: +1.7705552343
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: dnsadmin@leadbyinnovation.com
Registry Admin ID: 

myteamex.com
Registrant Name: DNS Admin
Registrant Organization: MyTeamEx
Registrant Street: 17th Floor
Registrant Street: 1200  Abernathy
Registrant City: Atlanta
Registrant State/Province: Georgia
Registrant Postal Code: 30328
Registrant Country: United States
Registrant Phone: +1.4044983847
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: dnsadmin@myteamex.com

Perhaps it is just a coincidence that the WHOIS details for bizsummits.org are very similar:

Registrant ID:CR38175629
Registrant Name:DNS Administrator
Registrant Organization:BizSummits
Registrant Street: 1200 Abernathy Rd, 17th Floor
Registrant City:Atlanta
Registrant State/Province:Georgia
Registrant Postal Code:30328
Registrant Country:US
Registrant Phone:+1.8006003389
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email:dnsadmin@bizsummits.org

1200 Abernathy Rd is a big office building in Atlanta, and the office address could well be a virtual office in any case. But isn't it a coincidence that all three companies are based in the same building?

Well.. no, it's not a coincidence, because if you look at the historical WHOIS details for myteamex.com from just last month, they are:

Registrant Name: Michael Price
Registrant Organization:
Registrant Street: 801 Kellerman Kreek
Registrant City: Marietta
Registrant State/Province: Georgia
Registrant Postal Code: 30068
Registrant Country: United States
Registrant Phone: +1.7709989999
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: MPrice@mobilesoft.com

Michael Price? Yes, that's the same Michael Price who runs BizSummits. So, it's not a coincidence at all, is it?

This particular spam run has also been discussed on the SpamCop forum, which identifies the following four domains in connection with this spam run:
trainingleadership.org
zipscheduler.net
gotofacts.net
openames.com

Each one of these tells a different story. trainingleadership.org has the same semi-anonymous registration details as the others, but just a few days ago (20th March 2014) the registrant was "Biz Summits". gotofacts.net has also had the registrant details changed.. on 18th March it was registered to "Michael Price".

Finally, openames.com is a bit odder. It too has had its registrant details changed (it was "Michael Price" on 18th January 2014), but it is hosted on an IP address belonging to a children's hospital in Illinois (199.125.18.11: Illinois - Chicago - Children's Memorial Medical Center).

So what are these messages? I believe that BizSummits (or whatever Mr Price's current operation is called, perhaps mobilesoft.com / mobilebriefs.com) is probing mail servers to see what format the email addresses take, so that further spam can be sent. Most mail systems will reject messages to addresses that don't exist, so basically this is a sort of enumeration exercise. Is this illegal? It's hard to say. But in my opinion it is certainly unethical.
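As an added example (not the post's own tooling), this Python parses header blocks like the ones quoted above, checks that the Received-SPF verdict names the same IP as the outermost Received: line, and flags the enumeration pattern just described: a weather-closing subject sent to an address derived from a scraped display name. The two sample blocks are copied from this post's own headers, trimmed to the fields used; the probe heuristics and the name-to-address rules are my assumptions drawn from the addresses seen in the run.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Two header blocks copied from those quoted in this post, trimmed to the fields used below.
SPF_PASS_PROBE = """\
Received: from [64.21.70.64] (port=1970 helo=mail.leadbyinnovation.com)
    by [redacted] with esmtp (Exim 4.80)
    (envelope-from <Michael@leadbyinnovation.com>)
    for vecho@[redacted]; Fri, 28 Mar 2014 11:12:38 +0000
From: "Michael Miller" <Michael@leadbyinnovation.com>
To: "Victor Echo" <vecho@[redacted]>
Subject: Early closing due to poor weather.
X-Mailer: SMTP Forwarder v.9
Received-SPF: pass ([redacted]: domain of Michael@leadbyinnovation.com designates 64.21.70.64 as permitted sender) client-ip=64.21.70.64 envelope-from=Michael@leadbyinnovation.com helo=mail.leadbyinnovation.com
"""
SPF_NONE_PROBE = """\
Received: from [208.52.168.58] (port=58797 helo=mail.opendetailz.com)
    by [redacted] with esmtp (Exim 4.80)
    (envelope-from <Brad@opendetailz.com>)
    for juliet@[redacted]; Sat, 29 Mar 2014 21:22:03 +0000
From: "Brad Johnson" <Brad@opendetailz.com>
To: "Juliet Tango" <juliet@[redacted]>
Subject: Closing early due to bad conditions.
X-Mailer: MailServer 5.2
Received-SPF: none ([redacted]: domain of Brad@opendetailz.com does not designate permitted sender hosts) client-ip=208.52.168.58 envelope-from=Brad@opendetailz.com helo=mail.opendetailz.com
"""

SPF_RE = re.compile(r"^(?P<result>\w+).*?client-ip=(?P<ip>[\d.]+).*?envelope-from=(?P<env>\S+).*?helo=(?P<helo>\S+)")
FIRST_HOP_RE = re.compile(r"^from \[(?P<ip>[\d.]+)\] \(port=\d+ helo=(?P<helo>[^)\s]+)\)")
ADDR_RE = re.compile(r'"(?P<name>[^"]*)"\s*<(?P<local>[^@>]+)@')
# Every subject in the run is a variant of "closed/closing ... due to <weather>" (assumed rule).
PROBE_SUBJECT_RE = re.compile(r"\bclos(?:ed|ing)\b.*\bdue to\b", re.I)

def parse_headers(raw: str) -> dict[str, list[str]]:
    """Unfold RFC 5322 continuation lines and group values by lower-cased header name."""
    lines: list[str] = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()       # folded continuation line
        elif line.strip():
            lines.append(line.rstrip())
    headers: dict[str, list[str]] = {}
    for line in lines:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def guess_pattern(display_name: str, local_part: str) -> str | None:
    """Which address-guessing rule turns the scraped display name into this local part?"""
    parts = display_name.lower().split()
    if len(parts) < 2:
        return None
    first, last = parts[0], parts[-1]
    if local_part.lower() == first:
        return "first-name"               # tony@, victor@, oscar@, george@
    if local_part.lower() == first[0] + last:
        return "initial+surname"          # tblair@, vecho@, oyankee@, gbush@
    return None

@dataclass
class Assessment:
    sender_domain: str
    client_ip: str
    spf_result: str
    sender_verified: bool      # SPF pass and the SPF client-ip is the first-hop IP
    helo_matches_sender: bool
    mailer: str
    recipient_guess: str | None
    is_probe: bool             # weather-closing subject sent to a guessed address

def assess(raw: str) -> Assessment:
    h = parse_headers(raw)
    spf = SPF_RE.match(h["received-spf"][0])
    hop = FIRST_HOP_RE.match(h["received"][0])   # outermost Received: is listed first
    to = ADDR_RE.search(h.get("to", [""])[0])
    sender_domain = spf["env"].split("@", 1)[1].lower()
    helo = spf["helo"].lower()
    result = spf["result"].lower()
    guess = guess_pattern(to["name"], to["local"]) if to else None
    subject = h.get("subject", [""])[0]
    return Assessment(
        sender_domain=sender_domain,
        client_ip=spf["ip"],
        spf_result=result,
        sender_verified=result == "pass" and hop is not None and hop["ip"] == spf["ip"],
        helo_matches_sender=helo == sender_domain or helo.endswith("." + sender_domain),
        mailer=h.get("x-mailer", ["?"])[0],
        recipient_guess=guess,
        is_probe=bool(PROBE_SUBJECT_RE.search(subject)) and guess is not None,
    )
```

A message with `is_probe` set but `sender_verified` false (the opendetailz.com case) is still a probe; it just cannot be pinned on the domain owner from SPF alone.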

Incidentally, BizSummits has a rotten reputation at the BBB, and in my personal opinion they offer business summits of very little worth and prey upon the vanity of the people who receive the email (which is basically just spam). A quick Google for bizsummits spam comes up with a large number of complaints, and I must recommend this particular blog entry if you want an overview of how BizSummits allegedly pitch their business.

The BBB lists the following domains as being part of BizSummits. I would recommend avoiding them:

UPDATE: more information about BizSummits and some of its websites can be found here.

Update (2300 GMT 2014-03-28): another "Tony Blair" one..

From:     Stan Moore Stan@texasbusinesschamber.org
To:     Tony Blair tblair@[redacted]
Date:     28 March 2014 22:52
Subject:     Closed early due to poor weather.

Closed early due to poor weather.


This will be the only notification to tblair@[redacted] and just disregard if sent in error. Thank you.

The mail headers confirm that texasbusinesschamber.org was the sender, this time from 64.21.70.72 (Net Access Corporation again):

Received: from [64.21.70.72] (port=3018 helo=mail.texasbusinesschamber.org)
    by [redacted]with esmtp (Exim 4.80)
    (envelope-from <Stan@texasbusinesschamber.org>)
    id 1WTfdq-0002i5-AG
    for tblair@[redacted]; Fri, 28 Mar 2014 22:52:50 +0000
Received: from 37402341.texasbusinesschamber.org
        by mail.texasbusinesschamber.org (Merak 8.9.1) with ASMTP id OZC63549
        for <tblair@[redacted]>; Fri, 28 Mar 2014 15:52:49 -0700
Message-ID: <20140328155244.5b6c3d3e2c@2e5c>
From: "Stan Moore" <Stan@texasbusinesschamber.org>
To: "Tony Blair" <tblair@[redacted]>
Subject: Closed early due to poor weather.
Date: Fri, 28 Mar 2014 15:52:44 -0700
X-Priority: 3
X-Mailer: System-Forwarder
MIME-Version: 1.0
Content-Type: text/plain;
    charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Received-SPF: pass ([redacted]: domain of Stan@texasbusinesschamber.org designates 64.21.70.72 as permitted sender) client-ip=64.21.70.72 envelope-from=Stan@texasbusinesschamber.org helo=mail.texasbusinesschamber.org

texasbusinesschamber.org WHOIS today:

Registrant ID:CR156687418
Registrant Name:DNS Admin
Registrant Organization:Texas Business Chamber
Registrant Street: Floor 17
Registrant City:Atlanta
Registrant State/Province:Georgia
Registrant Postal Code:30327
Registrant Country:US
Registrant Phone:+1.7705863645
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email:dnsadmin@texasbusinesschamber.org

texasbusinesschamber.org WHOIS on 22nd February (just over one month ago):

Registrant ID:CR156687418
Registrant Name:Michael Price
Registrant Organization:
Registrant Street: 801 Kellerman Kreek
Registrant City:Marietta
Registrant State/Province:Georgia
Registrant Postal Code:30068
Registrant Country:US
Registrant Phone:+1.7709989999
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email:MPrice@mobilesoft.com

Update (0700 GMT 2014-03-29):  A slightly different one..

From:     Jim Moore Jim@ituckins.com
To:     Victor Echo
Date:     29 March 2014 03:17
Subject:     Closed early due to expected snow.

Closed early due to expected snow.

This will be the only notification to victor@[redacted] and just ignore if sent to the wrong person. Thank you.

This time the spammers are probing "Victor Echo" using the victor@ address. Mail headers are:

Received: from [209.200.118.35] (port=2643 helo=mail.ituckins.com)
    by [redacted] with esmtp (Exim 4.80)
    (envelope-from <Jim@ituckins.com>)
    id 1WTjm8-0001jI-Ia
    for victor@[redacted]; Sat, 29 Mar 2014 03:17:45 +0000
Received: from 34460524.ituckins.com
        by mail.ituckins.com (Merak 8.9.1) with ASMTP id PGU70938
        for <victor@[redacted]>; Fri, 28 Mar 2014 20:17:38 -0700
Message-ID: <20140328201734.5b7d6b2f9d@2e2e>
From: "Jim Moore" <Jim@ituckins.com>
To: "Victor Echo" <victor@[redacted]>
Subject: Closed early due to expected snow.
Date: Fri, 28 Mar 2014 20:17:34 -0700
X-Priority: 3
X-Mailer: Package Forwarder 6.3
MIME-Version: 1.0
Content-Type: text/plain;
    charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Received-SPF: pass ([redacted]: domain of Jim@ituckins.com designates 209.200.118.35 as permitted sender) client-ip=209.200.118.35 envelope-from=Jim@ituckins.com helo=mail.ituckins.com

The WHOIS records for this domain have been stripped of useful details, but they follow the same pattern and this is undoubtedly Michael Price and BizSummits.

Registry Registrant ID:
Registrant Name: Dns Admin
Registrant Organization: eTuckins
Registrant Street: 1200 Abernathy Rd
Registrant City: Atlanta
Registrant State/Province: Georgia
Registrant Postal Code: 30068
Registrant Country: United States
Registrant Phone: +1.7705763847
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: dnsadmin@etuckins.com

Note that ituckins.com refers to etuckins.com in the WHOIS record, revealing yet another spam site in the chain.

Update (1800 GMT 2014-03-29): two more spams from the same domain..

From:     Stan Davis Stan@opendetails.com
To:     Oscar Yankee <oscar@[redacted]>
Date:     29 March 2014 12:39
Subject:     Early closing due to poor weather.

Early closing due to poor weather.

This will be the only notification to oscar@[redacted] and disregard if sent to the incorrect individual. Thank you.

-----

From:     Steve Williams Steve@opendetails.com
To:     Oscar Yankee <oyankee@[redacted]>
Date:     29 March 2014 11:54
Subject:     Closed early due to inclement weather.

Closed early due to inclement weather.

This will be the only notification to oyankee@[redacted] and please ignore if sent to the incorrect person. Thank you.

This time they are sent to "Oscar Yankee" (using a name scraped from this page) using both observed variants of oyankee@ and oscar@. The mail headers again verify that the message isn't spoofed, and opendetails.com is the actual sender.

Received: from [208.52.161.186] (port=59373 helo=mail.opendetails.com)
    by [redacted] with esmtp (Exim 4.80)
    (envelope-from <Steve@opendetails.com>)
    id 1WTrqb-0001rc-3u
    for oyankee@[redacted]; Sat, 29 Mar 2014 11:54:53 +0000
Received: from 97584292.opendetails.com
        by mail.opendetails.com (Merak 8.9.1) with ASMTP id POG42002
        for <oyankee@[redacted]>; Sat, 29 Mar 2014 04:55:02 -0700
Message-ID: <20140329045456.3f2b7e1b4b@5c5f>
From: "Steve Williams" <Steve@opendetails.com>
To: "Oscar Yankee" <oyankee@[redacted]>
Subject: Closed early due to inclement weather.
Date: Sat, 29 Mar 2014 04:54:56 -0700
X-Priority: 3
X-Mailer: Perpetual Host v.1
MIME-Version: 1.0
Content-Type: text/plain;
    charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Received-SPF: pass ([redacted]: domain of Steve@opendetails.com designates 208.52.161.186 as permitted sender) client-ip=208.52.161.186 envelope-from=Steve@opendetails.com helo=mail.opendetails.com

The WHOIS details have been altered in an attempt to hide the sender, but it still shows Michael Price's email address. Oops.

Registrant Name: DNS Admin
Registrant Organization: OpenDetails.com
Registrant Street: Floor  17
Registrant Street: 12O0 Abernathy
Registrant City: Atlanta
Registrant State/Province: Georgia
Registrant Postal Code: 30329
Registrant Country: United States
Registrant Phone: +1.7705643366
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: mprice@mobilesoft.com

If we go back to the registration details in January 2014 then Michael Price's name and address are on them.

Registry Registrant ID:
Registrant Name: Michael Price
Registrant Organization:
Registrant Street: 801 Kellerman Kreek
Registrant City: Marietta
Registrant State/Province: Georgia
Registrant Postal Code: 30068
Registrant Country: United States
Registrant Phone: +1.7709989999
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: MPrice@mobilesoft.com

So again, there is very little doubt as to who is sending this rather large spam run.

Update (0200 GMT 2014-03-30): the spam shows no signs of letting up. Subjects include the following:

Closing early due to bad weather.
Closed tomorrow due to inclement weather.
Closed tomorrow due to poor weather.
Closing early due to bad conditions.


Names scraped from my website include "Juliet Tango", "Michael Moore" and "Mark Tape". This spam run has two new domains, texasbusinesschamber.com and opendetailz.com, the first of which has valid SPF records; the second does not.

Received: from [207.36.209.108] (port=4719 helo=mail.texasbusinesschamber.com)
    by [redacted] with esmtp (Exim 4.80)
    (envelope-from <Tony@texasbusinesschamber.com>)
    id 1WU2JB-0005bA-EE
    for michael@[redacted]; Sat, 29 Mar 2014 23:05:02 +0000
Received: from 47912934.texasbusinesschamber.com
        by mail.texasbusinesschamber.com (Merak 8.9.1) with ASMTP id PAI19600
        for <michael@[redacted]>; Sat, 29 Mar 2014 16:05:00 -0700
Message-ID: <20140329160458.6b8c5e8f4d@7e5d>
From: "Tony Moore" <Tony@texasbusinesschamber.com>
To: "Michael Moore" <michael@[redacted]>
Subject: Closing early due to bad weather.
Date: Sat, 29 Mar 2014 16:04:58 -0700
X-Priority: 3
X-Mailer: EmailRemitter v.8
MIME-Version: 1.0
Content-Type: text/plain;
    charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Received-SPF: pass ([redacted]: domain of Tony@texasbusinesschamber.com designates 207.36.209.108 as permitted sender) client-ip=207.36.209.108 envelope-from=Tony@texasbusinesschamber.com helo=mail.texasbusinesschamber.com

Received: from [208.52.168.58] (port=58797 helo=mail.opendetailz.com)
    by [redacted] with esmtp (Exim 4.80)
    (envelope-from <Brad@opendetailz.com>)
    id 1WU0hT-0004Z3-MB
    for juliet@[redacted]; Sat, 29 Mar 2014 21:22:03 +0000
Received: from 20646396.opendetailz.com
        by mail.opendetailz.com (Merak 8.9.1) with ASMTP id PYZ68711
        for <juliet@[redacted]>; Sat, 29 Mar 2014 14:22:11 -0700
Message-ID: <20140329142206.1f6f5b7b2e@2d3f>
From: "Brad Johnson" <Brad@opendetailz.com>
To: "Juliet Tango" <juliet@[redacted]>
Subject: Closing early due to bad conditions.
Date: Sat, 29 Mar 2014 14:22:06 -0700
X-Priority: 3
X-Mailer: MailServer 5.2
MIME-Version: 1.0
Content-Type: text/plain;
    charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Received-SPF: none ([redacted]: domain of Brad@opendetailz.com does not designate permitted sender hosts) client-ip=208.52.168.58 envelope-from=Brad@opendetailz.com helo=mail.opendetailz.com

The WHOIS records for texasbusinesschamber.com have been stripped of any identifying details:

Registry Registrant ID:
Registrant Name: DNS Admin
Registrant Organization: Texas Business Chamber
Registrant Street: Suite 1700
Registrant Street: 1200 -Abernathy
Registrant City: Atlanta
Registrant State/Province: Georgia
Registrant Postal Code: 30328
Registrant Country: United States
Registrant Phone: +1.7709989999
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: dnsadmin@texasbusinesschamber.com

But back in February, it was registered to Michael Price:

Registry Registrant ID:
Registrant Name: Michael Price
Registrant Organization:
Registrant Street: 801 Kellerman Kreek
Registrant City: Marietta
Registrant State/Province: Georgia
Registrant Postal Code: 30068
Registrant Country: United States
Registrant Phone: (770) 998-9999
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: MPrice@mobilesoft.com
Registry Admin ID: 

opendetailz.com doesn't pass the SPF check, but it is sufficiently close to the verified domain of opendetails.com seen previously that it is almost certainly genuine. The WHOIS details are:

Registry Registrant ID:
Registrant Name: DNS Admin
Registrant Organization: OpenDetailsz.com
Registrant Street: Floor-17
Registrant Street: 12OO Abernathy
Registrant City: Atlanta
Registrant State/Province: Georgia
Registrant Postal Code: 30327
Registrant Country: United States
Registrant Phone: +1.6783843388
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: dnsadmin@opendetailz.com

On the 18th March 2014 they were:

Registry Registrant ID:
Registrant Name: Michael Price
Registrant Organization:
Registrant Street: 801 Kellerman Kreek
Registrant City: Marietta
Registrant State/Province: Georgia
Registrant Postal Code: 30068
Registrant Country: United States
Registrant Phone: +1.7709989999
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: MPrice@mobilesoft.com
Registry Admin ID: 

Update (2300 GMT 2014-03-30): yet more evidence linking this spam run to BizSummits' Michael Price..

From:     Stan Miller Stan@gotofacts.net
To:     George Bush <george@[redacted]>
Date:     30 March 2014 18:29
Subject:     Will be closed due to bad conditions.

Will be closed due to bad conditions.

This will be the only notification to george@[redacted] and ignore if sent to the wrong email. Thank you.
----------------
From:     John Moore John@gotofacts.net
To:     George Bush <[redacted]>
Date:     30 March 2014 23:11
Subject:     Will be closed due to bad weather.

Will be closed due to bad weather.

This will be the only notification to gbush@[redacted] and disregard if sent to the wrong person. Thank you.

These messages are sent to George Bush (!). Again, the mail headers reveal that there is a valid SPF record, therefore gotofacts.net really did send the message:

Received: from [64.21.19.120] (port=64747 helo=mail.gotofacts.net)
    by [redacted] with esmtp (Exim 4.80)
    (envelope-from <Stan@gotofacts.net>)
    id 1WUJXi-0001yE-Iq
    for george@[redacted]; Sun, 30 Mar 2014 18:29:14 +0100
Received: from 78693058.gotofacts.net
        by mail.gotofacts.net (Merak 8.9.1) with ASMTP id QUH61409
        for <george@[redacted]>; Sun, 30 Mar 2014 10:29:09 -0700
Message-ID: <20140330102904.4d9e7f4e6f@7d6f>
From: "Stan Miller" <Stan@gotofacts.net>
To: "George Bush" <george@[redacted]>
Subject: Will be closed due to bad conditions.
Date: Sun, 30 Mar 2014 10:29:04 -0700
X-Priority: 3
X-Mailer: FlashTransmitter version 8.1
MIME-Version: 1.0
Content-Type: text/plain;
    charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Received-SPF: pass ([redacted]: domain of Stan@gotofacts.net designates 64.21.19.120 as permitted sender) client-ip=64.21.19.120 envelope-from=Stan@gotofacts.net helo=mail.gotofacts.net

The WHOIS records for gotofacts.net have been stripped of useful data:

Registry Registrant ID:
Registrant Name: DNS Admin
Registrant Organization: GoToFacts
Registrant Street: 1200 Abernathy
Registrant City: Atlanta
Registrant State/Province: Georgia
Registrant Postal Code: 30328
Registrant Country: United States
Registrant Phone: +1.7705863984
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: dnsadmin@gotofacts.net

But on March 18th it was registered to:

Registry Registrant ID:
Registrant Name: Michael Price
Registrant Organization:
Registrant Street: 801 Kellerman Kreek
Registrant City: Marietta
Registrant State/Province: Georgia
Registrant Postal Code: 30068
Registrant Country: United States
Registrant Phone: +1.7709989999
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: MPrice@mobilesoft.com
Registry Admin ID: 
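The registrant comparisons above can be automated. As an added example (not the post's own method), this Python parses the registrant blocks quoted in this post, normalises the details that vary between them (the letter O used for zero in 12O0/12OO, the Floor/Suite and punctuation variants of 1200 Abernathy, the two phone formats) and clusters domains that share a normalised street, phone or email address. The normalisation rules are assumptions drawn from those variants; gfthost.com from the 213.229.69.41 post is included as an unrelated control.

```python
from __future__ import annotations
import re
from collections import defaultdict

# Registrant blocks as quoted in this post, trimmed to the fields compared here;
# gfthost.com (from the 213.229.69.41 post) is an unrelated control record.
RECORDS = {
    "bizsummits.org": """Registrant Street: 1200 Abernathy Rd, 17th Floor
Registrant Phone:+1.8006003389
Registrant Email:dnsadmin@bizsummits.org""",
    "myteamex.com": """Registrant Street: 17th Floor
Registrant Street: 1200  Abernathy
Registrant Phone: +1.4044983847
Registrant Email: dnsadmin@myteamex.com""",
    "texasbusinesschamber.com": """Registrant Street: Suite 1700
Registrant Street: 1200 -Abernathy
Registrant Phone: +1.7709989999
Registrant Email: dnsadmin@texasbusinesschamber.com""",
    "texasbusinesschamber.com (Feb 2014)": """Registrant Name: Michael Price
Registrant Street: 801 Kellerman Kreek
Registrant Phone: (770) 998-9999
Registrant Email: MPrice@mobilesoft.com""",
    "opendetailz.com": """Registrant Street: Floor-17
Registrant Street: 12OO Abernathy
Registrant Phone: +1.6783843388
Registrant Email: dnsadmin@opendetailz.com""",
    "opendetails.com": """Registrant Street: Floor  17
Registrant Street: 12O0 Abernathy
Registrant Phone: +1.7705643366
Registrant Email: mprice@mobilesoft.com""",
    "gfthost.com": """Registrant Name: Nikolay Legkov
Registrant Street: Nevsky 23-7
Registrant Phone: +79052789848
Registrant Email: admin@gfthost.com""",
}

FIELD_RE = re.compile(r"^Registrant (?P<field>[A-Za-z ]+?):\s*(?P<value>.*)$")

def parse_whois(text: str) -> dict[str, list[str]]:
    """Collect 'Registrant X: value' lines; a repeated field (two Street lines) accumulates."""
    rec: dict[str, list[str]] = defaultdict(list)
    for line in text.splitlines():
        m = FIELD_RE.match(line.strip())
        if m and m["value"].strip():
            rec[m["field"].strip().lower()].append(m["value"].strip())
    return rec

def norm_street(parts: list[str]) -> str | None:
    """Reduce the street to '<number> <name>': letter O inside a number becomes 0,
    punctuation becomes space, and Floor/Suite/Rd decorations fall away (assumed rules)."""
    s = re.sub(r"[-,./]", " ", " ".join(parts).lower())
    s = re.sub(r"\b[\do]*\d[\do]*\b", lambda m: m[0].replace("o", "0"), s)
    m = re.search(r"(?<!\S)(\d+) ([a-z]+)\b", re.sub(r"\s+", " ", s))
    return f"{m[1]} {m[2]}" if m else None

def norm_phone(parts: list[str]) -> str | None:
    """Digits only; '+1.7709989999' and '(770) 998-9999' both become 7709989999."""
    digits = re.sub(r"\D", "", parts[0]) if parts else ""
    if len(digits) == 11 and digits.startswith("1"):   # drop the NANP country code
        digits = digits[1:]
    return digits or None

def fingerprint(rec: dict[str, list[str]]) -> dict[str, str | None]:
    return {
        "street": norm_street(rec.get("street", [])),
        "phone": norm_phone(rec.get("phone", [])),
        "email": rec["email"][0].lower() if rec.get("email") else None,
    }

def cluster(records: dict[str, str]) -> tuple[list[list[str]], list[str]]:
    """Union-find over domains: any shared normalised key links two records.
    Returns the sorted clusters and one evidence line per link found."""
    prints = {name: fingerprint(parse_whois(text)) for name, text in records.items()}
    parent = {name: name for name in prints}

    def find(n: str) -> str:
        while parent[n] != n:
            n = parent[n]
        return n

    evidence: list[str] = []
    first_seen: dict[tuple[str, str], str] = {}
    for name, fp in prints.items():
        for kind, value in fp.items():
            if value is None:
                continue
            if (kind, value) in first_seen:
                other = first_seen[(kind, value)]
                evidence.append(f"{name} shares {kind} {value!r} with {other}")
                parent[find(name)] = find(other)
            else:
                first_seen[(kind, value)] = name
    groups: dict[str, list[str]] = defaultdict(list)
    for name in prints:
        groups[find(name)].append(name)
    return sorted(sorted(g) for g in groups.values()), evidence
```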

Sky.com "Statement of account" spam leads to Gameover Zeus

This fake Sky spam has a malicious attachment:

Date:      Fri, 28 Mar 2014 07:16:43 -0300 [06:16:43 EDT]
From:      "Sky.com" [statement@sky.com]
Subject:      Statement of account

Afternoon,

Please find attached the statement of account.

We look forward to receiving payment for the February invoice as this is now due for
payment.

Regards,
Darrel

This email, including attachments, is private and confidential. If you have received this
email in error please notify the sender and delete it from your system. Emails are not
secure and may contain viruses. No liability can be accepted for viruses that might be
transferred by this email or any attachment. Wilson McKendrick LLP Solicitors, Queens
House, 29 St. Vincent Place, Glasgow G1 2DT Registered in Scotland No. SO303162. Members:
Mark Wilson LLB Dip. NP LP Allan T. McKendrick LLB Dip. LP NP. 

The attachment is a ZIP file which contains an executable Statement_03282014.exe (note that the date is encoded into the file name). This has a VirusTotal detection rate of 8/51.

The Malwr analysis shows several attempted network connections. Firstly there's a download of a configuration file from [donotclick]igsoa.net/Book/2803UKd.wer and then subsequently an attempted connection to aulbbiwslxpvvphxnjij.biz on 50.116.4.71 (a Linode IP which has been seen before) and a number of other autogenerated domains.

Recommended blocklist: